1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.policy.stax.test;
20  
21  import org.apache.wss4j.common.ext.WSSecurityException;
22  import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
23  import org.apache.wss4j.common.WSSPolicyException;
24  import org.apache.xml.security.stax.securityEvent.SecurityEvent;
25  import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
26  import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
27  import org.apache.wss4j.stax.test.InboundWSSecurityContextImplTest;
28  import org.junit.jupiter.api.Test;
29  
30  import java.nio.charset.StandardCharsets;
31  import java.util.List;
32  
33  import static org.junit.jupiter.api.Assertions.assertEquals;
34  import static org.junit.jupiter.api.Assertions.assertTrue;
35  import static org.junit.jupiter.api.Assertions.fail;
36  
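/**
 * Policy-enforcement scenarios for example policies of the WS-SecurityPolicy 1.3
 * specification (the test and resource names, C11/C21/C31, follow the numbering of those
 * examples).
 *
 * <p>Every test first feeds a complete, policy-conforming inbound event stream to a freshly
 * started {@link PolicyEnforcer} and expects it to pass. It then repeats the run several
 * times with one security token event (or the Timestamp) withheld and expects the enforcer
 * to reject the weakened message with an exact, known policy-violation message. Pinning the
 * exact message, rather than just "some exception", guards against a regression in which a
 * required token silently stops being enforced.
 */
public class WSP13SpecTest extends AbstractPolicyTestBase {

    /** WS-SecurityPolicy 1.2/1.3 assertion namespace used in the enforcer's messages. */
    private static final String SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";

    /** Message reported when the required Timestamp header element is absent. */
    private static final String TIMESTAMP_REQUIRED =
        "Element /{http://schemas.xmlsoap.org/soap/envelope/}Envelope"
            + "/{http://schemas.xmlsoap.org/soap/envelope/}Header"
            + "/{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security"
            + "/{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp"
            + " must be present";

    private final InboundWSSecurityContextImplTest inboundWSSecurityContextImplTest =
        new InboundWSSecurityContextImplTest();

    /**
     * Source of the inbound event stream for one scenario. Declared locally so that the
     * generator methods can be passed as method references whatever checked exceptions they
     * declare.
     */
    @FunctionalInterface
    private interface EventSource {
        List<SecurityEvent> events() throws Exception;
    }

    @Test
    public void testTransportBindingC11a() throws Exception {
        String policy = "testdata/policy/transportBindingPolicyC11.xml";
        EventSource events = inboundWSSecurityContextImplTest::generateTransportBindingSecurityEvents;

        // complete message: the policy must be satisfied
        runScenario(policy, events, null, null, null);
        // HttpsToken event (index 2) withheld: the transport token assertion must fail
        runScenario(policy, events, WSSecurityEventConstants.HTTPS_TOKEN, 2, notSatisfied("HttpsToken"));
        // Timestamp element event (index 4) withheld
        runScenario(policy, events, WSSecurityEventConstants.REQUIRED_ELEMENT, 4, TIMESTAMP_REQUIRED);
        // UsernameToken event (index 0) withheld
        runScenario(policy, events, WSSecurityEventConstants.USERNAME_TOKEN, 0, notSatisfied("UsernameToken"));
        // X509Token event (index 1) withheld
        runScenario(policy, events, SecurityEventConstants.X509Token, 1, notSatisfied("X509Token"));
    }

    @Test
    public void testAsymmetricBindingC31a() throws Exception {
        String policy = "testdata/policy/asymmetricBindingPolicyC31.xml";
        EventSource events = inboundWSSecurityContextImplTest::generateAsymmetricBindingSecurityEvents;

        // complete message: the policy must be satisfied
        runScenario(policy, events, null, null, null);
        // Timestamp element event (index 8) withheld
        runScenario(policy, events, WSSecurityEventConstants.REQUIRED_ELEMENT, 8, TIMESTAMP_REQUIRED);
        // X509Token event (index 0) withheld
        runScenario(policy, events, SecurityEventConstants.X509Token, 0, notSatisfied("X509Token"));
        // UsernameToken event (index 1) withheld
        runScenario(policy, events, WSSecurityEventConstants.USERNAME_TOKEN, 1, notSatisfied("UsernameToken"));
    }

    @Test
    public void testSymmetricBindingC21a() throws Exception {
        checkSymmetricBinding("testdata/policy/symmetricBindingPolicyC21a.xml");
    }

    @Test
    public void testSymmetricBindingC21b() throws Exception {
        checkSymmetricBinding("testdata/policy/symmetricBindingPolicyC21b.xml");
    }

    /**
     * Shared scenario set for the two symmetric-binding policy variants, which are expected
     * to behave identically against the same event stream.
     *
     * @param policy classpath resource of the symmetric-binding policy under test
     */
    private void checkSymmetricBinding(String policy) throws Exception {
        EventSource events = inboundWSSecurityContextImplTest::generateSymmetricBindingSecurityEvents;

        // complete message: the policy must be satisfied
        runScenario(policy, events, null, null, null);
        // Timestamp element event (index 4) withheld
        runScenario(policy, events, WSSecurityEventConstants.REQUIRED_ELEMENT, 4, TIMESTAMP_REQUIRED);
        // every SAML token event withheld (-1): the IssuedToken assertion must fail
        runScenario(policy, events, WSSecurityEventConstants.SAML_TOKEN, -1, notSatisfied("IssuedToken"));
        // UsernameToken event (index 0) withheld
        runScenario(policy, events, WSSecurityEventConstants.USERNAME_TOKEN, 0, notSatisfied("UsernameToken"));
        // X509Token event (index 2) withheld
        runScenario(policy, events, SecurityEventConstants.X509Token, 2, notSatisfied("X509Token"));
    }

    /**
     * Builds the enforcer's "assertion not satisfied" message for a WS-SecurityPolicy
     * assertion.
     *
     * @param assertionLocalName local name of the assertion, e.g. {@code X509Token}
     */
    private static String notSatisfied(String assertionLocalName) {
        return "Assertion {" + SP_NS + "}" + assertionLocalName + " not satisfied";
    }

    /**
     * Loads the policy, starts a fresh enforcer for it, generates the event stream and runs
     * {@link #applyPolicy}. A new enforcer is built per scenario so that the runs cannot
     * influence each other.
     *
     * @param policyResource       classpath resource holding the policy document
     * @param eventSource          generator of the inbound event stream
     * @param ignoreEvent          see {@link #applyPolicy}
     * @param eventIndex           see {@link #applyPolicy}
     * @param expectedErrorMessage see {@link #applyPolicy}
     */
    private void runScenario(String policyResource, EventSource eventSource,
                             SecurityEventConstants.Event ignoreEvent, Integer eventIndex,
                             String expectedErrorMessage) throws Exception {
        String policyString = loadResourceAsString(policyResource, StandardCharsets.UTF_8);
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
        List<SecurityEvent> securityEventList = eventSource.events();
        applyPolicy(ignoreEvent, eventIndex, expectedErrorMessage, policyEnforcer, securityEventList);
    }

    /**
     * Feeds {@code securityEventList} to {@code policyEnforcer}, optionally withholding one
     * event or one event type, and checks the enforcer's verdict.
     *
     * <p>In the positive case ({@code ignoreEvent == null}) every event is registered and any
     * policy violation fails the test. Otherwise exactly one violation is expected, and its
     * message must equal {@code expectedErrorMessage} whether it is raised directly by
     * {@code doFinal()} or wrapped in a {@link WSSecurityException} by
     * {@code registerSecurityEvent()}.
     *
     * @param ignoreEvent          type of the event to withhold; {@code null} for the positive case
     * @param eventIndex           index of the event to withhold, which must be of type
     *                             {@code ignoreEvent} (the test fails otherwise); {@code -1}
     *                             withholds every event of that type instead
     * @param expectedErrorMessage exact message of the expected policy violation
     * @param policyEnforcer       freshly started enforcer for the policy under test
     * @param securityEventList    events describing the inbound message
     * @throws WSSecurityException only for failures that are not policy violations; violations
     *                             are asserted on instead of propagated
     */
    private void applyPolicy(SecurityEventConstants.Event ignoreEvent, Integer eventIndex,
                             String expectedErrorMessage, PolicyEnforcer policyEnforcer,
                             List<SecurityEvent> securityEventList) throws WSSecurityException {
        boolean expectViolation = ignoreEvent != null;
        try {
            for (int i = 0; i < securityEventList.size(); i++) {
                SecurityEvent securityEvent = securityEventList.get(i);
                boolean matchesType = securityEvent.getSecurityEventType() == ignoreEvent;
                if (eventIndex != null && eventIndex == -1 && matchesType) {
                    continue; // withhold every event of the ignored type
                }
                if (eventIndex != null && i == eventIndex && !matchesType) {
                    // the scenario's index is stale; dump the stream so it can be corrected
                    fail("Event at index " + eventIndex + " is not of type " + ignoreEvent
                        + "; event stream:\n" + describe(securityEventList));
                }
                // eventIndex is checked for null here so a misuse fails the test instead of
                // unboxing null
                boolean withheld = expectViolation && eventIndex != null && i == eventIndex;
                if (!withheld) {
                    policyEnforcer.registerSecurityEvent(securityEvent);
                }
            }

            policyEnforcer.doFinal();
            if (expectViolation) {
                fail("Expected WSSPolicyException");
            }
        } catch (WSSPolicyException e) {
            // policyEnforcer.doFinal() reports violations directly
            if (!expectViolation) {
                fail("Unexpected WSSPolicyException: " + e.getMessage());
            }
            assertEquals(expectedErrorMessage, e.getMessage());
        } catch (WSSecurityException e) {
            // policyEnforcer.registerSecurityEvent() wraps the violation as the cause
            if (!expectViolation) {
                fail("Unexpected WSSecurityException: " + e.getMessage());
            }
            assertTrue(e.getCause() instanceof WSSPolicyException,
                "Expected a WSSPolicyException cause but got: " + e.getCause());
            assertEquals(expectedErrorMessage, e.getCause().getMessage());
        }
    }

    /**
     * Renders the event stream one event per line, prefixed with its index, for failure
     * diagnostics.
     */
    private static String describe(List<SecurityEvent> securityEventList) {
        StringBuilder sb = new StringBuilder();
        for (int j = 0; j < securityEventList.size(); j++) {
            sb.append(j).append(' ').append(securityEventList.get(j)).append('\n');
        }
        return sb.toString();
    }
}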