View Javadoc
1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.policy.stax.test;
20  
21  import org.apache.wss4j.common.ext.WSSecurityException;
22  import org.apache.wss4j.common.util.DateUtil;
23  import org.apache.wss4j.policy.stax.PolicyViolationException;
24  import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
25  import org.apache.wss4j.stax.ext.WSSConstants;
26  import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
27  import org.apache.wss4j.stax.impl.securityToken.UsernameSecurityTokenImpl;
28  import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
29  import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
30  import org.apache.wss4j.stax.securityEvent.UsernameTokenSecurityEvent;
31  import org.apache.xml.security.stax.ext.XMLSecurityConstants;
32  import org.apache.xml.security.stax.impl.util.IDGenerator;
33  import org.apache.xml.security.stax.securityEvent.ContentEncryptedElementSecurityEvent;
34  import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
35  import org.junit.jupiter.api.Test;
36  
37  import javax.xml.namespace.QName;
38  
39  import java.time.ZoneOffset;
40  import java.time.ZonedDateTime;
41  import java.util.LinkedList;
42  import java.util.List;
43  
44  import static org.junit.jupiter.api.Assertions.assertEquals;
45  import static org.junit.jupiter.api.Assertions.assertTrue;
46  import static org.junit.jupiter.api.Assertions.fail;
47  
48  public class UsernameTokenTest extends AbstractPolicyTestBase {
49  
50      @Test
51      public void testPolicy() throws Exception {
52          String policyString =
53                  "<sp:SymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
54                          "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
55                          "<sp:EncryptionToken>\n" +
56                          "   <wsp:Policy>\n" +
57                          "       <sp:UsernameToken>\n" +
58                          "           <sp:IssuerName>xs:anyURI</sp:IssuerName>\n" +
59                          "           <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
60                          "               <sp:HashPassword/>\n" +
61                          "               <sp:WssUsernameToken11/>\n" +
62                          "           </wsp:Policy>\n" +
63                          "       </sp:UsernameToken>\n" +
64                          "   </wsp:Policy>\n" +
65                          "</sp:EncryptionToken>\n" +
66                          "<sp:SignatureToken>\n" +
67                          "   <wsp:Policy>\n" +
68                          "       <sp:UsernameToken>\n" +
69                          "           <sp:IssuerName>xs:anyURI</sp:IssuerName>\n" +
70                          "           <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
71                          "               <sp:HashPassword/>\n" +
72                          "               <sp:WssUsernameToken11/>\n" +
73                          "           </wsp:Policy>\n" +
74                          "       </sp:UsernameToken>\n" +
75                          "   </wsp:Policy>\n" +
76                          "</sp:SignatureToken>\n" +
77                          "   <sp:AlgorithmSuite>\n" +
78                          "       <wsp:Policy>\n" +
79                          "           <sp:Basic256/>\n" +
80                          "       </wsp:Policy>\n" +
81                          "   </sp:AlgorithmSuite>\n" +
82                          "</wsp:Policy>\n" +
83                          "</sp:SymmetricBinding>";
84  
85          PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
86          UsernameTokenSecurityEvent initiatorTokenSecurityEvent = new UsernameTokenSecurityEvent();
87          initiatorTokenSecurityEvent.setUsernameTokenProfile(WSSConstants.NS_USERNAMETOKEN_PROFILE11);
88          ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC);
89          String created = DateUtil.getDateTimeFormatter(true).format(now);
90          UsernameSecurityTokenImpl securityToken = new UsernameSecurityTokenImpl(
91                  WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST,
92                  "username", "password", created, null, new byte[10], 10L,
93                  null, IDGenerator.generateID(null), WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
94          securityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
95          initiatorTokenSecurityEvent.setSecurityToken(securityToken);
96          policyEnforcer.registerSecurityEvent(initiatorTokenSecurityEvent);
97  
98          UsernameTokenSecurityEvent recipientTokenSecurityEvent = new UsernameTokenSecurityEvent();
99          recipientTokenSecurityEvent.setUsernameTokenProfile(WSSConstants.NS_USERNAMETOKEN_PROFILE11);
100         securityToken = new UsernameSecurityTokenImpl(
101                 WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST,
102                 "username", "password", created, null, new byte[10], 10L,
103                 null, IDGenerator.generateID(null), WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
104         securityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
105         recipientTokenSecurityEvent.setSecurityToken(securityToken);
106         policyEnforcer.registerSecurityEvent(recipientTokenSecurityEvent);
107 
108         List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
109         protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
110         protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
111         SignedPartSecurityEvent signedPartSecurityEvent =
112                 new SignedPartSecurityEvent(
113                         (InboundSecurityToken)recipientTokenSecurityEvent.getSecurityToken(), true, protectionOrder);
114         signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
115         policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
116 
117         ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent =
118                 new ContentEncryptedElementSecurityEvent(
119                         (InboundSecurityToken)recipientTokenSecurityEvent.getSecurityToken(), true, protectionOrder);
120         contentEncryptedElementSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
121         policyEnforcer.registerSecurityEvent(contentEncryptedElementSecurityEvent);
122 
123         OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
124         operationSecurityEvent.setOperation(new QName("definitions"));
125         policyEnforcer.registerSecurityEvent(operationSecurityEvent);
126 
127         policyEnforcer.doFinal();
128     }
129 
130     @Test
131     public void testPolicyNegative() throws Exception {
132         String policyString =
133                 "<sp:SymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
134                         "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
135                         "<sp:EncryptionToken>\n" +
136                         "   <wsp:Policy>\n" +
137                         "       <sp:UsernameToken>\n" +
138                         "           <sp:IssuerName>xs:anyURI</sp:IssuerName>\n" +
139                         "           <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
140                         "               <sp:HashPassword/>\n" +
141                         "               <sp:WssUsernameToken11/>\n" +
142                         "           </wsp:Policy>\n" +
143                         "       </sp:UsernameToken>\n" +
144                         "   </wsp:Policy>\n" +
145                         "</sp:EncryptionToken>\n" +
146                         "<sp:SignatureToken>\n" +
147                         "   <wsp:Policy>\n" +
148                         "       <sp:UsernameToken>\n" +
149                         "           <sp:IssuerName>xs:anyURI</sp:IssuerName>\n" +
150                         "           <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
151                         "               <sp:HashPassword/>\n" +
152                         "               <sp:WssUsernameToken11/>\n" +
153                         "           </wsp:Policy>\n" +
154                         "       </sp:UsernameToken>\n" +
155                         "   </wsp:Policy>\n" +
156                         "</sp:SignatureToken>\n" +
157                         "   <sp:AlgorithmSuite>\n" +
158                         "       <wsp:Policy>\n" +
159                         "           <sp:Basic256/>\n" +
160                         "       </wsp:Policy>\n" +
161                         "   </sp:AlgorithmSuite>\n" +
162                         "</wsp:Policy>\n" +
163                         "</sp:SymmetricBinding>";
164 
165         PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
166         UsernameTokenSecurityEvent usernameTokenSecurityEvent = new UsernameTokenSecurityEvent();
167         usernameTokenSecurityEvent.setUsernameTokenProfile(WSSConstants.NS_USERNAMETOKEN_PROFILE11);
168         ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC);
169         String created = DateUtil.getDateTimeFormatter(true).format(now);
170         UsernameSecurityTokenImpl securityToken = new UsernameSecurityTokenImpl(
171                 WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT,
172                 "username", "password", created, null, new byte[10], 10L,
173                 null, IDGenerator.generateID(null), WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
174         securityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
175         usernameTokenSecurityEvent.setSecurityToken(securityToken);
176         policyEnforcer.registerSecurityEvent(usernameTokenSecurityEvent);
177 
178         UsernameTokenSecurityEvent recipientTokenSecurityEvent = new UsernameTokenSecurityEvent();
179         recipientTokenSecurityEvent.setUsernameTokenProfile(WSSConstants.NS_USERNAMETOKEN_PROFILE11);
180         securityToken = new UsernameSecurityTokenImpl(
181                 WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT,
182                 "username", "password", created, null, new byte[10], 10L,
183                 null, IDGenerator.generateID(null), WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
184         securityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
185         recipientTokenSecurityEvent.setSecurityToken(securityToken);
186         policyEnforcer.registerSecurityEvent(recipientTokenSecurityEvent);
187 
188         List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
189         protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
190         protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
191         SignedPartSecurityEvent signedPartSecurityEvent =
192                 new SignedPartSecurityEvent(
193                         (InboundSecurityToken)recipientTokenSecurityEvent.getSecurityToken(), true, protectionOrder);
194         signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
195         policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
196 
197         ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent =
198                 new ContentEncryptedElementSecurityEvent(
199                         (InboundSecurityToken)recipientTokenSecurityEvent.getSecurityToken(), true, protectionOrder);
200         contentEncryptedElementSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
201         policyEnforcer.registerSecurityEvent(contentEncryptedElementSecurityEvent);
202 
203         OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
204         operationSecurityEvent.setOperation(new QName("definitions"));
205 
206         try {
207             policyEnforcer.registerSecurityEvent(operationSecurityEvent);
208             fail("Exception expected");
209         } catch (WSSecurityException e) {
210             assertTrue(e.getCause() instanceof PolicyViolationException);
211             assertEquals(e.getCause().getMessage(),
212                     "UsernameToken does not contain a hashed password");
213             assertEquals(e.getFaultCode(), WSSecurityException.INVALID_SECURITY);
214         }
215     }
216 }