Adding SAML + JWT Bearer Grant tests
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d34ba6da
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d34ba6da
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d34ba6da
Branch: refs/heads/3.0.x-fixes
Commit: d34ba6da8912ccad276d9c6432fb5f00b663ecc5
Parents: 3257af6
Author: Colm O hEigeartaigh <[email protected]>
Authored: Tue Dec 8 15:09:02 2015 +0000
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Tue Dec 8 15:38:07 2015 +0000
----------------------------------------------------------------------
.../oauth2/grants/AuthorizationGrantTest.java | 129 +++++++++++++++++++
.../security/oauth2/grants/grants-server.xml | 20 +++
2 files changed, 149 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/d34ba6da/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java
index f42c709..5b757f6 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java
@@ -21,18 +21,33 @@ package org.apache.cxf.systest.jaxrs.security.oauth2.grants;
 import java.net.URL;
 import java.util.ArrayList;
+import java.util.Calendar;
 import java.util.Collections;
+import java.util.Date;
 import java.util.List;
+import java.util.Properties;
 import javax.ws.rs.core.Form;
 import javax.ws.rs.core.Response;
+import org.apache.cxf.common.util.Base64UrlUtility;
 import org.apache.cxf.jaxrs.client.WebClient;
 import org.apache.cxf.jaxrs.provider.json.JSONProvider;
+import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
+import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
+import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
+import org.apache.cxf.rs.security.jose.jws.JwsUtils;
+import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider;
+import org.apache.cxf.systest.jaxrs.security.oauth2.SamlCallbackHandler;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SAMLCallback;
+import org.apache.wss4j.common.saml.SAMLUtil;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.junit.BeforeClass;
 /**
@@ -253,7 +268,57 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase {
         assertNotNull(accessToken.getTokenKey());
         assertNotNull(accessToken.getRefreshToken());
     }
+
+    @org.junit.Test
+    public void testSAMLAuthorizationGrant() throws Exception {
+        URL busFile = AuthorizationGrantTest.class.getResource("client.xml");
+
+        String address = "https://localhost:" + PORT + "/services/";
+        WebClient client = WebClient.create(address, setupProviders(), "alice", "security", busFile.toString());
+
+        // Create the SAML Assertion
+        String assertion = createToken(address + "token", true);
+
+        // Get Access Token
+        client.type("application/x-www-form-urlencoded").accept("application/json");
+        client.path("token");
+
+        Form form = new Form();
+        form.param("grant_type", "urn:ietf:params:oauth:grant-type:saml2-bearer");
+        form.param("assertion", Base64UrlUtility.encode(assertion));
+        form.param("client_id", "consumer-id");
+        Response response = client.post(form);
+
+        ClientAccessToken accessToken = response.readEntity(ClientAccessToken.class);
+        assertNotNull(accessToken.getTokenKey());
+        assertNotNull(accessToken.getRefreshToken());
+    }
+    @org.junit.Test
+    public void testJWTAuthorizationGrant() throws Exception {
+        URL busFile = AuthorizationGrantTest.class.getResource("client.xml");
+
+        String address = "https://localhost:" + PORT + "/services/";
+        WebClient client = WebClient.create(address, setupProviders(), "alice", "security", busFile.toString());
+
+        // Create the JWT Token
+        String token = createToken("DoubleItSTSIssuer", "consumer-id",
+                                   "https://localhost:" + PORT + "/services/token", true, true);
+
+        // Get Access Token
+        client.type("application/x-www-form-urlencoded").accept("application/json");
+        client.path("token");
+
+        Form form = new Form();
+        form.param("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer");
+        form.param("assertion", token);
+        form.param("client_id", "consumer-id");
+        Response response = client.post(form);
+
+        ClientAccessToken accessToken = response.readEntity(ClientAccessToken.class);
+        assertNotNull(accessToken.getTokenKey());
+        assertNotNull(accessToken.getRefreshToken());
+    }
     private String getAuthorizationCode(WebClient client) {
         return getAuthorizationCode(client, null);
     }
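Review bot: Both new tests call `response.readEntity(ClientAccessToken.class)` without first checking the status, so a grant the server rejects surfaces as an entity-unmarshalling error rather than as the real failure; add `assertEquals(200, response.getStatus());` before the `readEntity` line in testSAMLAuthorizationGrant and again in testJWTAuthorizationGrant. Only the all-`true` path of the two `createToken` helpers is driven here, so nothing pins that the token endpoint rejects an unsigned assertion, an expired JWT, or one whose audience is not this endpoint — one negative case per flag asserting a non-200 status would cover the validation the new grant handlers exist to perform. Minor: there is no blank line between the closing `}` of testSAMLAuthorizationGrant and the `@org.junit.Test` that opens the JWT test. The enclosing class continues outside the hunk.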
@@ -315,4 +380,68 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase {
         return providers;
     }
+    private String createToken(String audRestr, boolean sign) throws WSSecurityException {
+        SamlCallbackHandler samlCallbackHandler = new SamlCallbackHandler(true);
+        samlCallbackHandler.setAudience(audRestr);
+
+        SAMLCallback samlCallback = new SAMLCallback();
+        SAMLUtil.doSAMLCallback(samlCallbackHandler, samlCallback);
+
+        SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
+        if (samlCallback.isSignAssertion()) {
+            samlAssertion.signAssertion(
+                samlCallback.getIssuerKeyName(),
+                samlCallback.getIssuerKeyPassword(),
+                samlCallback.getIssuerCrypto(),
+                samlCallback.isSendKeyValue(),
+                samlCallback.getCanonicalizationAlgorithm(),
+                samlCallback.getSignatureAlgorithm()
+            );
+        }
+
+        return samlAssertion.assertionToString();
+    }
+
+    private String createToken(String issuer, String subject, String audience,
+                               boolean expiry, boolean sign) {
+        // Create the JWT Token
+        JwtClaims claims = new JwtClaims();
+        claims.setSubject(subject);
+        if (issuer != null) {
+            claims.setIssuer(issuer);
+        }
+        claims.setIssuedAt(new Date().getTime() / 1000L);
+        if (expiry) {
+            Calendar cal = Calendar.getInstance();
+            cal.add(Calendar.SECOND, 60);
+            claims.setExpiryTime(cal.getTimeInMillis() / 1000L);
+        }
+        if (audience != null) {
+            claims.setAudiences(Collections.singletonList(audience));
+        }
+
+        if (sign) {
+            // Sign the JWT Token
+            Properties signingProperties = new Properties();
+            signingProperties.put("rs.security.keystore.type", "jks");
+            signingProperties.put("rs.security.keystore.password", "password");
+            signingProperties.put("rs.security.keystore.alias", "alice");
+            signingProperties.put("rs.security.keystore.file",
+                "org/apache/cxf/systest/jaxrs/security/certs/alice.jks");
+            signingProperties.put("rs.security.key.password", "password");
+            signingProperties.put("rs.security.signature.algorithm", "RS256");
+
+            JwsHeaders jwsHeaders = new JwsHeaders(signingProperties);
+            JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwsHeaders, claims);
+
+            JwsSignatureProvider sigProvider =
+                JwsUtils.loadSignatureProvider(signingProperties, jwsHeaders);
+
+            return jws.signWith(sigProvider);
+        }
+
+        JwsHeaders jwsHeaders = new JwsHeaders(SignatureAlgorithm.NONE);
+        JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwsHeaders, claims);
+        return jws.getSignedEncodedJws();
+    }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/d34ba6da/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server.xml b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server.xml
index 74a8fcd..3ef86fb 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server.xml
@@ -89,6 +89,14 @@ under the License.
         <property name="dataProvider" ref="oauthProvider"/>
     </bean>
+    <bean id="samlGrantHandler" class="org.apache.cxf.rs.security.oauth2.grants.saml.Saml2BearerGrantHandler">
+        <property name="dataProvider" ref="oauthProvider"/>
+    </bean>
+
+    <bean id="jwtGrantHandler" class="org.apache.cxf.rs.security.oauth2.grants.jwt.JwtBearerGrantHandler">
+        <property name="dataProvider" ref="oauthProvider"/>
+    </bean>
+
     <bean id="tokenService" class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
         <property name="dataProvider" ref="oauthProvider"/>
         <property name="grantHandlers">
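Review bot: The `sign` parameter of `createToken(String audRestr, boolean sign)` is never read — the handler is built with a hard-coded `new SamlCallbackHandler(true)` (presumably the sign flag, since `samlCallback.isSignAssertion()` is what later gates signing), so a caller passing `false` would still receive a signed assertion and could not drive an unsigned-rejection case; pass it through as `SamlCallbackHandler samlCallbackHandler = new SamlCallbackHandler(sign);`. In the JWT overload, `claims.setIssuedAt(new Date().getTime() / 1000L);` reads more simply as `claims.setIssuedAt(System.currentTimeMillis() / 1000L);`, which would also leave the `java.util.Date` import from the first hunk unused unless it is needed elsewhere. A one-line comment above the `signingProperties` block saying that this keystore and alias must be the key the server in grants-server.xml is configured to trust would save the next reader a cross-file search. Both helpers and the class's closing brace are inside the hunk.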
@@ -96,6 +104,8 @@ under the License.
                 <ref bean="refreshGrantHandler"/>
                 <ref bean="passwordGrantHandler"/>
                 <ref bean="clientCredsGrantHandler"/>
+                <ref bean="samlGrantHandler"/>
+                <ref bean="jwtGrantHandler"/>
             </list>
         </property>
     </bean>
@@ -116,6 +126,16 @@ under the License.
         <jaxrs:providers>
             <ref bean="basicAuthFilter"/>
         </jaxrs:providers>
+        <jaxrs:properties>
+            <entry key="security.signature.properties"
+                   value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
+            <entry key="rs.security.keystore.type" value="jks" />
+            <entry key="rs.security.keystore.alias" value="alice"/>
+            <entry key="rs.security.keystore.password" value="password"/>
+            <entry key="rs.security.keystore.file"
+                   value="org/apache/cxf/systest/jaxrs/security/certs/alice.jks" />
+            <entry key="rs.security.signature.algorithm" value="RS256" />
+        </jaxrs:properties>
     </jaxrs:server>
