Repository: cxf Updated Branches: refs/heads/3.1.x-fixes b0ccc3f87 -> a75df553a
Adding renew/validate tests for the REST STS Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a75df553 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a75df553 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a75df553 Branch: refs/heads/3.1.x-fixes Commit: a75df553a2bb0cee94b96fababa723d7d0f45d90 Parents: b0ccc3f Author: Colm O hEigeartaigh <[email protected]> Authored: Tue Feb 9 17:52:28 2016 +0000 Committer: Colm O hEigeartaigh <[email protected]> Committed: Tue Feb 9 17:54:01 2016 +0000 ---------------------------------------------------------------------- .../cxf/systest/sts/rest/RESTUnitTest.java | 249 +++++++++++++------ .../cxf/systest/sts/rest/cxf-rest-sts.xml | 20 +- 2 files changed, 187 insertions(+), 82 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/a75df553/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java ---------------------------------------------------------------------- diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java index 9c98bd6..946809f 100644 --- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java +++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java @@ -35,11 +35,13 @@ import org.apache.cxf.jaxrs.client.WebClient; import org.apache.cxf.rt.security.claims.Claim; import org.apache.cxf.rt.security.claims.ClaimCollection; import org.apache.cxf.rt.security.saml.utils.SAMLUtils; +import org.apache.cxf.staxutils.StaxUtils; import org.apache.cxf.staxutils.W3CDOMStreamWriter; import org.apache.cxf.systest.sts.common.SecurityTestUtil; import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase; import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType; import org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType; +import org.apache.cxf.ws.security.sts.provider.model.StatusType; import org.apache.cxf.ws.security.trust.STSUtils; import org.apache.wss4j.common.crypto.Crypto; import org.apache.wss4j.common.crypto.CryptoFactory; @@ -418,28 +420,7 @@ public class RESTUnitTest extends AbstractBusClientServerTestBase { RequestSecurityTokenResponseType securityResponse = response.readEntity(RequestSecurityTokenResponseType.class); - RequestedSecurityTokenType requestedSecurityToken = null; - for (Object obj : securityResponse.getAny()) { - if (obj instanceof JAXBElement<?>) { - JAXBElement<?> jaxbElement = (JAXBElement<?>)obj; - if ("RequestedSecurityToken".equals(jaxbElement.getName().getLocalPart())) { - requestedSecurityToken = (RequestedSecurityTokenType)jaxbElement.getValue(); - break; - } - } - } - assertNotNull(requestedSecurityToken); - - // Process the token - List<WSSecurityEngineResult> results = - processToken((Element)requestedSecurityToken.getAny()); - - assertTrue(results != null && results.size() == 1); - SamlAssertionWrapper assertion = - (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION); - assertTrue(assertion != null); - assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null); - assertTrue(assertion.isSigned()); + validateSAMLSecurityTokenResponse(securityResponse, true); bus.shutdown(true); } @@ -479,28 +460,7 @@ public class RESTUnitTest extends AbstractBusClientServerTestBase { RequestSecurityTokenResponseType securityResponse = response.readEntity(RequestSecurityTokenResponseType.class); - RequestedSecurityTokenType requestedSecurityToken = null; - for (Object obj : securityResponse.getAny()) { - if (obj instanceof JAXBElement<?>) { - JAXBElement<?> jaxbElement = (JAXBElement<?>)obj; - if ("RequestedSecurityToken".equals(jaxbElement.getName().getLocalPart())) { - requestedSecurityToken = (RequestedSecurityTokenType)jaxbElement.getValue(); - break; - } - } - } - assertNotNull(requestedSecurityToken); - - // Process the token - List<WSSecurityEngineResult> results = - processToken((Element)requestedSecurityToken.getAny()); - - assertTrue(results != null && results.size() == 1); - SamlAssertionWrapper assertion = - (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION); - assertTrue(assertion != null); - assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null); - assertTrue(assertion.isSigned()); + validateSAMLSecurityTokenResponse(securityResponse, true); bus.shutdown(true); } @@ -541,28 +501,7 @@ public class RESTUnitTest extends AbstractBusClientServerTestBase { RequestSecurityTokenResponseType securityResponse = response.readEntity(RequestSecurityTokenResponseType.class); - RequestedSecurityTokenType requestedSecurityToken = null; - for (Object obj : securityResponse.getAny()) { - if (obj instanceof JAXBElement<?>) { - JAXBElement<?> jaxbElement = (JAXBElement<?>)obj; - if ("RequestedSecurityToken".equals(jaxbElement.getName().getLocalPart())) { - requestedSecurityToken = (RequestedSecurityTokenType)jaxbElement.getValue(); - break; - } - } - } - assertNotNull(requestedSecurityToken); - - // Process the token - List<WSSecurityEngineResult> results = - processToken((Element)requestedSecurityToken.getAny()); - - assertTrue(results != null && results.size() == 1); - SamlAssertionWrapper assertion = - (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION); - assertTrue(assertion != null); - assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null); - assertTrue(assertion.isSigned()); + validateSAMLSecurityTokenResponse(securityResponse, true); bus.shutdown(true); } @@ -603,28 +542,147 @@ public class RESTUnitTest extends AbstractBusClientServerTestBase { RequestSecurityTokenResponseType securityResponse = response.readEntity(RequestSecurityTokenResponseType.class); - RequestedSecurityTokenType requestedSecurityToken = null; + validateSAMLSecurityTokenResponse(securityResponse, false); + + bus.shutdown(true); + } + + @org.junit.Test + public void testValidateSAML2Token() throws Exception { + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = RESTUnitTest.class.getResource("cxf-client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + String address = "https://localhost:"; + STSPORT + "/SecurityTokenService/token"; + WebClient client = WebClient.create(address, busFile.toString()); + + client.type("application/xml").accept("application/xml"); + client.path("saml2.0"); + + // 1. Get a token via GET + Response response = client.get(); + Document assertionDoc = response.readEntity(Document.class); + assertNotNull(assertionDoc); + + // 2. Now validate it in the STS using POST + client = WebClient.create(address, busFile.toString()); + + client.type("application/xml").accept("application/xml"); + client.query("action", "validate"); + + // Create RequestSecurityToken + W3CDOMStreamWriter writer = new W3CDOMStreamWriter(); + String namespace = STSUtils.WST_NS_05_12; + writer.writeStartElement("wst", "RequestSecurityToken", namespace); + writer.writeNamespace("wst", namespace); + + writer.writeStartElement("wst", "RequestType", namespace); + writer.writeCharacters(namespace + "/Validate"); + writer.writeEndElement(); + + writer.writeStartElement("wst", "TokenType", namespace); + String tokenType = namespace + "/RSTR/Status"; + writer.writeCharacters(tokenType); + writer.writeEndElement(); + + writer.writeStartElement("wst", "ValidateTarget", namespace); + StaxUtils.copy(assertionDoc.getDocumentElement(), writer); + writer.writeEndElement(); + + writer.writeEndElement(); + + response = client.post(new DOMSource(writer.getDocument().getDocumentElement())); + + RequestSecurityTokenResponseType securityResponse = + response.readEntity(RequestSecurityTokenResponseType.class); + + StatusType status = null; for (Object obj : securityResponse.getAny()) { if (obj instanceof JAXBElement<?>) { JAXBElement<?> jaxbElement = (JAXBElement<?>)obj; - if ("RequestedSecurityToken".equals(jaxbElement.getName().getLocalPart())) { - requestedSecurityToken = (RequestedSecurityTokenType)jaxbElement.getValue(); + if ("Status".equals(jaxbElement.getName().getLocalPart())) { + status = (StatusType)jaxbElement.getValue(); break; } } } - assertNotNull(requestedSecurityToken); + assertNotNull(status); - // Process the token - List<WSSecurityEngineResult> results = - processToken((Element)requestedSecurityToken.getAny()); + // Check the token was valid + String validCode = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid";; + assertEquals(validCode, status.getCode()); - assertTrue(results != null && results.size() == 1); - SamlAssertionWrapper assertion = - (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION); - assertTrue(assertion != null); - assertTrue(assertion.getSaml2() == null && assertion.getSaml1() != null); - assertTrue(assertion.isSigned()); + bus.shutdown(true); + } + + @org.junit.Test + public void testRenewSAML2Token() throws Exception { + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = RESTUnitTest.class.getResource("cxf-client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + String address = "https://localhost:"; + STSPORT + "/SecurityTokenService/token"; + WebClient client = WebClient.create(address, busFile.toString()); + + client.type("application/xml").accept("application/xml"); + client.query("action", "issue"); + + // 1. Get a token via POST + + // Create RequestSecurityToken + W3CDOMStreamWriter writer = new W3CDOMStreamWriter(); + String namespace = STSUtils.WST_NS_05_12; + writer.writeStartElement("wst", "RequestSecurityToken", namespace); + writer.writeNamespace("wst", namespace); + + writer.writeStartElement("wst", "RequestType", namespace); + writer.writeCharacters(namespace + "/Issue"); + writer.writeEndElement(); + + writer.writeStartElement("wst", "TokenType", namespace); + writer.writeCharacters(SAML2_TOKEN_TYPE); + writer.writeEndElement(); + + writer.writeEndElement(); + + Response response = client.post(new DOMSource(writer.getDocument().getDocumentElement())); + + RequestSecurityTokenResponseType securityResponse = + response.readEntity(RequestSecurityTokenResponseType.class); + Element token = validateSAMLSecurityTokenResponse(securityResponse, true); + + // 2. Now validate it in the STS using POST + client = WebClient.create(address, busFile.toString()); + + client.type("application/xml").accept("application/xml"); + client.query("action", "renew"); + + // Create RequestSecurityToken + writer = new W3CDOMStreamWriter(); + writer.writeStartElement("wst", "RequestSecurityToken", namespace); + writer.writeNamespace("wst", namespace); + + writer.writeStartElement("wst", "RequestType", namespace); + writer.writeCharacters(namespace + "/Renew"); + writer.writeEndElement(); + + writer.writeStartElement("wst", "RenewTarget", namespace); + StaxUtils.copy(token, writer); + writer.writeEndElement(); + + writer.writeEndElement(); + + response = client.post(new DOMSource(writer.getDocument().getDocumentElement())); + + securityResponse = response.readEntity(RequestSecurityTokenResponseType.class); + + validateSAMLSecurityTokenResponse(securityResponse, true); bus.shutdown(true); } @@ -648,6 +706,39 @@ public class RESTUnitTest extends AbstractBusClientServerTestBase { client.get(); } + private Element validateSAMLSecurityTokenResponse( + RequestSecurityTokenResponseType securityResponse, boolean saml2 + ) throws Exception { + RequestedSecurityTokenType requestedSecurityToken = null; + for (Object obj : securityResponse.getAny()) { + if (obj instanceof JAXBElement<?>) { + JAXBElement<?> jaxbElement = (JAXBElement<?>)obj; + if ("RequestedSecurityToken".equals(jaxbElement.getName().getLocalPart())) { + requestedSecurityToken = (RequestedSecurityTokenType)jaxbElement.getValue(); + break; + } + } + } + assertNotNull(requestedSecurityToken); + + // Process the token + List<WSSecurityEngineResult> results = + processToken((Element)requestedSecurityToken.getAny()); + + assertTrue(results != null && results.size() == 1); + SamlAssertionWrapper assertion = + (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION); + assertTrue(assertion != null); + if (saml2) { + assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null); + } else { + assertTrue(assertion.getSaml2() == null && assertion.getSaml1() != null); + } + assertTrue(assertion.isSigned()); + + return (Element)results.get(0).get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT); + } + private List<WSSecurityEngineResult> processToken(Element assertionElement) throws Exception { RequestData requestData = new RequestData(); http://git-wip-us.apache.org/repos/asf/cxf/blob/a75df553/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml ---------------------------------------------------------------------- diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml index 106bca4..501b8af 100644 --- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml +++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml @@ -43,10 +43,20 @@ <property name="stsProperties" ref="transportSTSProperties"/> <property name="delegationHandlers" ref="delegationHandlers"/> <property name="claimsManager" ref="claimsManager"/> + <property name="tokenStore" ref="defaultTokenStore"/> </bean> <bean id="transportValidateDelegate" class="org.apache.cxf.sts.operation.TokenValidateOperation"> <property name="tokenValidators" ref="transportTokenValidators"/> <property name="stsProperties" ref="transportSTSProperties"/> + <property name="tokenStore" ref="defaultTokenStore"/> + </bean> + <bean id="transportRenewDelegate" class="org.apache.cxf.sts.operation.TokenRenewOperation"> + <property name="tokenRenewers" ref="transportTokenRenewers"/> + <property name="tokenValidators" ref="transportTokenValidators"/> + <property name="stsProperties" ref="transportSTSProperties"/> + <property name="tokenStore" ref="defaultTokenStore"/> + </bean> + <bean id="defaultTokenStore" class="org.apache.cxf.sts.cache.DefaultInMemoryTokenStore"> </bean> <bean id="transportUTTokenValidator" class="org.apache.cxf.sts.token.validator.UsernameTokenValidator"> </bean> @@ -58,15 +68,18 @@ <ref bean="transportSamlTokenProvider"/> <ref bean="transportJWTTokenProvider"/> </util:list> + <util:list id="transportTokenRenewers"> + <ref bean="transportSamlTokenRenewer"/> + </util:list> <bean id="transportSamlTokenValidator" class="org.apache.cxf.sts.token.validator.SAMLTokenValidator"> </bean> <bean id="transportSamlTokenProvider" class="org.apache.cxf.sts.token.provider.SAMLTokenProvider"> </bean> <bean id="transportJWTTokenProvider" class="org.apache.cxf.sts.token.provider.jwt.JWTTokenProvider"> </bean> - <bean id="transportSTSProviderBean" class="org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider"> - <property name="issueOperation" ref="transportIssueDelegate"/> - <property name="validateOperation" ref="transportValidateDelegate"/> + <bean id="transportSamlTokenRenewer" class="org.apache.cxf.sts.token.renewer.SAMLTokenRenewer"> + <property name="verifyProofOfPossession" value="false"/> + <property name="allowRenewalAfterExpiry" value="true"/> </bean> <bean id="transportService" class="org.apache.cxf.sts.service.StaticService"> <property name="endpoints" ref="transportEndpoints"/> @@ -93,6 +106,7 @@ <bean id="restSTS" class="org.apache.cxf.sts.rest.RESTSecurityTokenServiceImpl"> <property name="issueSingleOperation" ref="transportIssueDelegate" /> <property name="validateOperation" ref="transportValidateDelegate" /> + <property name="renewOperation" ref="transportRenewDelegate"/> </bean> <bean id="jaxbProvider" class="org.apache.cxf.jaxrs.provider.JAXBElementProvider">
