This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
The following commit(s) were added to refs/heads/master by this push:
     new e42fea3  FEDIZ-222 - Added some more unit tests
e42fea3 is described below

commit e42fea3a428487886d6036f8f0df2cb27ddb4f5d
Author: Colm O hEigeartaigh <cohei...@apache.org>
AuthorDate: Fri Jul 20 17:44:41 2018 +0100

    FEDIZ-222 - Added some more unit tests
---
 .../fediz/core/processor/SAMLProcessorImpl.java    |   6 +
 .../cxf/fediz/core/samlsso/SAMLResponseTest.java   | 125 ++++++++++++++++++++-
 2 files changed, 130 insertions(+), 1 deletion(-)

diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
index 03b1b6b..93020d7 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
@@ -278,6 +278,12 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
         // Validate the Response
         validateSamlResponseProtocol(logoutResponse, config);
 
+        // Enforce that the LogoutResponse is signed - we don't support a separate signature for now
+        if (!logoutResponse.isSigned()) {
+            LOG.debug("The LogoutResponse is not signed");
+            throw new ProcessingException(TYPE.INVALID_REQUEST);
+        }
+
         Instant issueInstant = logoutResponse.getIssueInstant().toDate().toInstant();
 
         FedizResponse fedResponse = new FedizResponse(
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java
index e0de355..69fd12e 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java
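Review bot: The new guard only establishes that the LogoutResponse carries a Signature element (`isSigned()`); nothing in this hunk verifies that signature against the configured trust, so the comment should say where verification happens — presumably in `validateSamlResponseProtocol` on the line above or in the decode step, which is worth confirming — e.g. `// Refuse unsigned LogoutResponses; the signature itself is verified during protocol validation, not here`. The phrase "we don't support a separate signature for now" is opaque to a reader who does not know that the HTTP-Redirect binding carries a detached signature in the query string rather than in the XML; naming that explicitly would make the limitation clear. The enclosing method begins and ends outside the hunk.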
@@ -64,7 +64,6 @@ import org.apache.cxf.fediz.core.processor.FedizProcessor;
 import org.apache.cxf.fediz.core.processor.FedizRequest;
 import org.apache.cxf.fediz.core.processor.FedizResponse;
 import org.apache.cxf.fediz.core.processor.SAMLProcessorImpl;
-import org.apache.cxf.fediz.core.util.CertsUtils;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.crypto.CryptoFactory;
 import org.apache.wss4j.common.crypto.CryptoType;
@@ -1277,6 +1276,130 @@ public class SAMLResponseTest {
         FedizProcessor wfProc = new SAMLProcessorImpl();
         wfProc.processRequest(wfReq, config);
     }
+
+    @org.junit.Test
+    public void validateUnsignedLogoutResponse() throws Exception {
+        // Mock up a LogoutResponse
+        FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+
+        String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+        String status = "urn:oasis:names:tc:SAML:2.0:status:Success";
+        Element logoutResponse = createLogoutResponse(status, TEST_REQUEST_URL, false, requestId);
+
+        HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+        EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+        EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+        EasyMock.replay(req);
+
+        FedizRequest wfReq = new FedizRequest();
+        wfReq.setResponseToken(encodeResponse(logoutResponse));
+        String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+        wfReq.setState(relayState);
+        wfReq.setRequest(req);
+        wfReq.setSignOutRequest(true);
+
+        FedizProcessor wfProc = new SAMLProcessorImpl();
+        try {
+            wfProc.processRequest(wfReq, config);
+            fail("Failure expected on an unsigned response");
+        } catch (ProcessingException ex) {
+            // expected
+        }
+    }
+
+    @org.junit.Test
+    public void validateUntrustedLogoutResponse() throws Exception {
+        // Mock up a LogoutResponse
+        FedizContext config = getFederationConfigurator().getFedizContext("CLIENT_TRUST");
+
+        String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+        String status = "urn:oasis:names:tc:SAML:2.0:status:Success";
+        Element logoutResponse = createLogoutResponse(status, TEST_REQUEST_URL, true, requestId);
+
+        HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+        EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+        EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+        EasyMock.replay(req);
+
+        FedizRequest wfReq = new FedizRequest();
+        wfReq.setResponseToken(encodeResponse(logoutResponse));
+        String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+        wfReq.setState(relayState);
+        wfReq.setRequest(req);
+        wfReq.setSignOutRequest(true);
+
+        FedizProcessor wfProc = new SAMLProcessorImpl();
+        try {
+            wfProc.processRequest(wfReq, config);
+            fail("Failure expected on an untrusted response");
+        } catch (ProcessingException ex) {
+            // expected
+        }
+    }
+
+    @org.junit.Test
+    public void validateBadStatusInLogoutResponse() throws Exception {
+        // Mock up a LogoutResponse
+        FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+
+        String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+        String status = "urn:oasis:names:tc:SAML:2.0:status:Requester";
+        Element logoutResponse = createLogoutResponse(status, TEST_REQUEST_URL, true, requestId);
+
+        HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+        EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+        EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+        EasyMock.replay(req);
+
+        FedizRequest wfReq = new FedizRequest();
+        wfReq.setResponseToken(encodeResponse(logoutResponse));
+        String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+        wfReq.setState(relayState);
+        wfReq.setRequest(req);
+        wfReq.setSignOutRequest(true);
+
+        FedizProcessor wfProc = new SAMLProcessorImpl();
+        try {
+            wfProc.processRequest(wfReq, config);
+            fail("Failure expected on a a bad status code");
+        } catch (ProcessingException ex) {
+            // expected
+        }
+    }
+
+    @org.junit.Test
+    public void validateBadDestinationLogoutResponse() throws Exception {
+        // Mock up a LogoutResponse
+        FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+
+        String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+        String status = "urn:oasis:names:tc:SAML:2.0:status:Success";
+        Element logoutResponse = createLogoutResponse(status, TEST_REQUEST_URL + "_", false, requestId);
+
+        HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+        EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+        EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+        EasyMock.replay(req);
+
+        FedizRequest wfReq = new FedizRequest();
+        wfReq.setResponseToken(encodeResponse(logoutResponse));
+        String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+        wfReq.setState(relayState);
+        wfReq.setRequest(req);
+        wfReq.setSignOutRequest(true);
+
+        FedizProcessor wfProc = new SAMLProcessorImpl();
+        try {
+            wfProc.processRequest(wfReq, config);
+            fail("Failure expected on a bad destination");
+        } catch (ProcessingException ex) {
+            // expected
+        }
+    }
 
     private String createSamlResponseStr(String requestId) throws Exception {
         // Create SAML Assertion