View Javadoc
1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.policy.stax.test;
20  
21  import org.apache.wss4j.common.ext.WSSecurityException;
22  import org.apache.wss4j.policy.stax.PolicyViolationException;
23  import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
24  import org.apache.wss4j.stax.ext.WSSConstants;
25  import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
26  import org.apache.wss4j.stax.impl.securityToken.HttpsSecurityTokenImpl;
27  import org.apache.wss4j.stax.securityEvent.*;
28  import org.apache.xml.security.stax.ext.XMLSecurityConstants;
29  import org.apache.xml.security.stax.securityEvent.EncryptedElementSecurityEvent;
30  import org.junit.jupiter.api.Test;
31  
32  import javax.xml.namespace.QName;
33  
34  import java.util.ArrayList;
35  import java.util.LinkedList;
36  import java.util.List;
37  
38  import static org.junit.jupiter.api.Assertions.assertEquals;
39  import static org.junit.jupiter.api.Assertions.assertTrue;
40  import static org.junit.jupiter.api.Assertions.fail;
41  
42  public class TransportBindingTest extends AbstractPolicyTestBase {
43  
44      @Test
45      public void testPolicy() throws Exception {
46          String policyString =
47                  "<sp:TransportBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
48                          "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
49                          "   <sp:AlgorithmSuite>\n" +
50                          "       <wsp:Policy>\n" +
51                          "           <sp:Basic256/>\n" +
52                          "       </wsp:Policy>\n" +
53                          "   </sp:AlgorithmSuite>\n" +
54                          "<sp:IncludeTimestamp/>\n" +
55                          "</wsp:Policy>\n" +
56                          "</sp:TransportBinding>";
57          PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
58          TimestampSecurityEvent timestampSecurityEvent = new TimestampSecurityEvent();
59          policyEnforcer.registerSecurityEvent(timestampSecurityEvent);
60  
61          RequiredElementSecurityEvent requiredElementSecurityEvent = new RequiredElementSecurityEvent();
62          List<QName> headerPath = new ArrayList<>();
63          headerPath.addAll(WSSConstants.SOAP_11_WSSE_SECURITY_HEADER_PATH);
64          headerPath.add(WSSConstants.TAG_WSU_TIMESTAMP);
65          requiredElementSecurityEvent.setElementPath(headerPath);
66          policyEnforcer.registerSecurityEvent(requiredElementSecurityEvent);
67  
68          HttpsTokenSecurityEvent httpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
69          HttpsSecurityTokenImpl httpsSecurityToken = new HttpsSecurityTokenImpl(true, "username");
70          httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
71          httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);
72          policyEnforcer.registerSecurityEvent(httpsTokenSecurityEvent);
73  
74          OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
75          operationSecurityEvent.setOperation(new QName("definitions"));
76          policyEnforcer.registerSecurityEvent(operationSecurityEvent);
77  
78          List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
79          protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
80          protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
81          EncryptedElementSecurityEvent encryptedElementSecurityEvent = new EncryptedElementSecurityEvent(null, true, protectionOrder);
82          headerPath = new ArrayList<>();
83          headerPath.addAll(WSSConstants.SOAP_11_WSSE_SECURITY_HEADER_PATH);
84          headerPath.add(WSSConstants.TAG_dsig_Signature);
85          requiredElementSecurityEvent.setElementPath(headerPath);
86          policyEnforcer.registerSecurityEvent(encryptedElementSecurityEvent);
87  
88          encryptedElementSecurityEvent = new EncryptedElementSecurityEvent(null, true, protectionOrder);
89          headerPath = new ArrayList<>();
90          headerPath.addAll(WSSConstants.SOAP_11_WSSE_SECURITY_HEADER_PATH);
91          headerPath.add(WSSConstants.TAG_WSSE11_SIG_CONF);
92          requiredElementSecurityEvent.setElementPath(headerPath);
93          policyEnforcer.registerSecurityEvent(encryptedElementSecurityEvent);
94  
95          SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(null, true, protectionOrder);
96          signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
97          policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
98  
99          policyEnforcer.doFinal();
100     }
101 
102     @Test
103     public void testPolicyNotIncludeTimestamp() throws Exception {
104         String policyString =
105                 "<sp:TransportBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
106                         "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
107                         "   <sp:AlgorithmSuite>\n" +
108                         "       <wsp:Policy>\n" +
109                         "           <sp:Basic256/>\n" +
110                         "       </wsp:Policy>\n" +
111                         "   </sp:AlgorithmSuite>\n" +
112                         "</wsp:Policy>\n" +
113                         "</sp:TransportBinding>";
114         PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
115 
116         HttpsTokenSecurityEvent httpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
117         HttpsSecurityTokenImpl httpsSecurityToken = new HttpsSecurityTokenImpl(true, "username");
118         httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
119         httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);
120         policyEnforcer.registerSecurityEvent(httpsTokenSecurityEvent);
121 
122         TimestampSecurityEvent timestampSecurityEvent = new TimestampSecurityEvent();
123         policyEnforcer.registerSecurityEvent(timestampSecurityEvent);
124 
125         OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
126         operationSecurityEvent.setOperation(new QName("definitions"));
127 
128         try {
129             policyEnforcer.registerSecurityEvent(operationSecurityEvent);
130             fail("Exception expected");
131         } catch (WSSecurityException e) {
132             assertTrue(e.getCause() instanceof PolicyViolationException);
133             assertEquals(e.getCause().getMessage(),
134                     "Timestamp must not be present");
135             assertEquals(e.getFaultCode(), WSSecurityException.INVALID_SECURITY);
136         }
137     }
138 
139     @Test
140     public void testPolicySignatureNotEncrypted() throws Exception {
141         String policyString =
142                 "<sp:TransportBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
143                         "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
144                         "   <sp:AlgorithmSuite>\n" +
145                         "       <wsp:Policy>\n" +
146                         "           <sp:Basic256/>\n" +
147                         "       </wsp:Policy>\n" +
148                         "   </sp:AlgorithmSuite>\n" +
149                         "<sp:IncludeTimestamp/>\n" +
150                         "</wsp:Policy>\n" +
151                         "</sp:TransportBinding>";
152         PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
153 
154         TimestampSecurityEvent timestampSecurityEvent = new TimestampSecurityEvent();
155         policyEnforcer.registerSecurityEvent(timestampSecurityEvent);
156 
157         RequiredElementSecurityEvent requiredElementSecurityEvent = new RequiredElementSecurityEvent();
158         List<QName> headerPath = new ArrayList<>();
159         headerPath.addAll(WSSConstants.SOAP_11_WSSE_SECURITY_HEADER_PATH);
160         headerPath.add(WSSConstants.TAG_WSU_TIMESTAMP);
161         requiredElementSecurityEvent.setElementPath(headerPath);
162         policyEnforcer.registerSecurityEvent(requiredElementSecurityEvent);
163 
164         HttpsTokenSecurityEvent httpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
165         HttpsSecurityTokenImpl httpsSecurityToken = new HttpsSecurityTokenImpl(true, "username");
166         httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
167         httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);
168         policyEnforcer.registerSecurityEvent(httpsTokenSecurityEvent);
169 
170         List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
171         protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
172         protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
173         EncryptedElementSecurityEvent encryptedElementSecurityEvent = new EncryptedElementSecurityEvent(null, false, protectionOrder);
174         headerPath = new ArrayList<>();
175         headerPath.addAll(WSSConstants.SOAP_11_WSSE_SECURITY_HEADER_PATH);
176         headerPath.add(WSSConstants.TAG_dsig_Signature);
177         encryptedElementSecurityEvent.setElementPath(headerPath);
178         policyEnforcer.registerSecurityEvent(encryptedElementSecurityEvent);
179 
180         OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
181         operationSecurityEvent.setOperation(new QName("definitions"));
182         policyEnforcer.registerSecurityEvent(operationSecurityEvent);
183 
184         policyEnforcer.doFinal();
185     }
186 
187     @Test
188     public void testPolicyNotWholeBodySigned() throws Exception {
189         String policyString =
190                 "<sp:TransportBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
191                         "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
192                         "   <sp:AlgorithmSuite>\n" +
193                         "       <wsp:Policy>\n" +
194                         "           <sp:Basic256/>\n" +
195                         "       </wsp:Policy>\n" +
196                         "   </sp:AlgorithmSuite>\n" +
197                         "<sp:IncludeTimestamp/>\n" +
198                         "</wsp:Policy>\n" +
199                         "</sp:TransportBinding>";
200         PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
201         TimestampSecurityEvent timestampSecurityEvent = new TimestampSecurityEvent();
202         policyEnforcer.registerSecurityEvent(timestampSecurityEvent);
203 
204         RequiredElementSecurityEvent requiredElementSecurityEvent = new RequiredElementSecurityEvent();
205         List<QName> headerPath = new ArrayList<>();
206         headerPath.addAll(WSSConstants.SOAP_11_WSSE_SECURITY_HEADER_PATH);
207         headerPath.add(WSSConstants.TAG_WSU_TIMESTAMP);
208         requiredElementSecurityEvent.setElementPath(headerPath);
209         policyEnforcer.registerSecurityEvent(requiredElementSecurityEvent);
210 
211         HttpsTokenSecurityEvent httpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
212         HttpsSecurityTokenImpl httpsSecurityToken = new HttpsSecurityTokenImpl(true, "username");
213         httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
214         httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);
215         policyEnforcer.registerSecurityEvent(httpsTokenSecurityEvent);
216 
217         List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
218         protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
219         protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
220         EncryptedElementSecurityEvent encryptedElementSecurityEvent = new EncryptedElementSecurityEvent(null, true, protectionOrder);
221         headerPath = new ArrayList<>();
222         headerPath.addAll(WSSConstants.SOAP_11_WSSE_SECURITY_HEADER_PATH);
223         headerPath.add(WSSConstants.TAG_dsig_Signature);
224         encryptedElementSecurityEvent.setElementPath(headerPath);
225         policyEnforcer.registerSecurityEvent(encryptedElementSecurityEvent);
226 
227         encryptedElementSecurityEvent = new EncryptedElementSecurityEvent(null, true, protectionOrder);
228         headerPath = new ArrayList<>();
229         headerPath.addAll(WSSConstants.SOAP_11_WSSE_SECURITY_HEADER_PATH);
230         headerPath.add(WSSConstants.TAG_WSSE11_SIG_CONF);
231         encryptedElementSecurityEvent.setElementPath(headerPath);
232         policyEnforcer.registerSecurityEvent(encryptedElementSecurityEvent);
233 
234         OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
235         operationSecurityEvent.setOperation(new QName("definitions"));
236         policyEnforcer.registerSecurityEvent(operationSecurityEvent);
237 
238         SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(null, false, protectionOrder);
239         signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
240         policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
241 
242         policyEnforcer.doFinal();
243     }
244 }