This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
The following commit(s) were added to refs/heads/master by this push: new 46984c3 FEDIZ-224 - Adding SAML SSO Spring system tests 46984c3 is described below commit 46984c3d10d218eea6f5c40f381e7303aec9ce33 Author: Colm O hEigeartaigh <cohei...@apache.org> AuthorDate: Mon Aug 27 12:57:55 2018 +0100 FEDIZ-224 - Adding SAML SSO Spring system tests --- systests/samlsso/pom.xml | 28 ++++ .../cxf/fediz/systests/samlsso/SpringTest.java | 183 +++++++++++++++++++++ .../samlsso/src/test/resources/fediz_config.xml | 36 ++++ .../src/test/resources/realma/entities-realma.xml | 34 ++++ 4 files changed, 281 insertions(+) diff --git a/systests/samlsso/pom.xml b/systests/samlsso/pom.xml index 08eb8b3..ccd3e06 100644 --- a/systests/samlsso/pom.xml +++ b/systests/samlsso/pom.xml @@ -86,6 +86,24 @@ </dependencies> <build> + <testResources> + <testResource> + <directory>src/test/resources</directory> + <filtering>true</filtering> + <includes> + <include>**/*.xml</include> + </includes> + </testResource> + <testResource> + <directory>src/test/resources</directory> + <filtering>false</filtering> + <includes> + <include>**/*.jks</include> + <include>**/*.cert</include> + <include>**/*.properties</include> + </includes> + </testResource> + </testResources> <plugins> <plugin> <groupId>org.codehaus.mojo</groupId> @@ -101,6 +119,7 @@ <portNames> <portName>idp.https.port</portName> <portName>rp.https.port</portName> + <portName>rp.spring.https.port</portName> </portNames> </configuration> </execution> 
@@ -152,6 +171,14 @@ <outputDirectory>target/test-classes</outputDirectory> <includes>**/*.jks</includes> </artifactItem> + <artifactItem> + <groupId>org.apache.cxf.fediz.systests.webapps</groupId> + <artifactId>fediz-systests-webapps-spring</artifactId> + <version>${project.version}</version> + <type>war</type> + <overWrite>true</overWrite> + <outputDirectory>target/tomcat/rp/webapps/fediz-systests-webapps-spring</outputDirectory> + </artifactItem> </artifactItems> <outputAbsoluteArtifactFilename>true</outputAbsoluteArtifactFilename> <overWriteSnapshots>true</overWriteSnapshots> @@ -202,6 +229,7 @@ <wt.headless>true</wt.headless> <idp.https.port>${idp.https.port}</idp.https.port> <rp.https.port>${rp.https.port}</rp.https.port> + <rp.spring.https.port>${rp.spring.https.port}</rp.spring.https.port> <java.util.logging.config.file>${basedir}/target/test-classes/logging.properties</java.util.logging.config.file> </systemPropertyVariables> <includes> diff --git a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/samlsso/SpringTest.java b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/samlsso/SpringTest.java new file mode 100644 index 0000000..4a6458c --- /dev/null +++ b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/samlsso/SpringTest.java 
@@ -0,0 +1,183 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.systests.samlsso;
+
+import java.io.File;
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import org.apache.catalina.LifecycleException;
+import org.apache.catalina.LifecycleState;
+import org.apache.catalina.connector.Connector;
+import org.apache.catalina.startup.Tomcat;
+import org.apache.cxf.fediz.systests.common.AbstractTests;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Ignore;
+
+/**
+ * Some tests for SAML SSO with the Spring (4) plugin, invoking on the Fediz IdP configured for SAML SSO.
+ */
+public class SpringTest extends AbstractTests {
+
+ static String idpHttpsPort;
+ static String rpHttpsPort;
+
+ private static Tomcat idpServer;
+ private static Tomcat rpServer;
+
+ @BeforeClass
+ public static void init() throws Exception {
+ System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog");
+
+ System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true");
+
+ System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "debug");
+
+ System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "debug");
+
+ idpHttpsPort = System.getProperty("idp.https.port");
+ Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort);
+ rpHttpsPort = System.getProperty("rp.spring.https.port");
+ Assert.assertNotNull("Property 'rp.spring.https.port' null", rpHttpsPort);
+
+ idpServer = startServer(true, idpHttpsPort);
+ rpServer = startServer(false, rpHttpsPort);
+ }
+
+ @AfterClass
+ public static void cleanup() {
+ shutdownServer(idpServer);
+ shutdownServer(rpServer);
+ }
+
+ private static void shutdownServer(Tomcat server) {
+ try {
+ if (server != null && server.getServer() != null
+ && server.getServer().getState() != LifecycleState.DESTROYED) {
+ if (server.getServer().getState() != LifecycleState.STOPPED) {
+ server.stop();
+ }
+ server.destroy();
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ private static Tomcat startServer(boolean idp, String port)
+ throws ServletException, LifecycleException, IOException {
+ Tomcat server = new Tomcat();
+ server.setPort(0);
+ String currentDir = new File(".").getCanonicalPath();
+ String baseDir = currentDir + File.separator + "target";
+ server.setBaseDir(baseDir);
+
+ if (idp) {
+ server.getHost().setAppBase("tomcat/idp/webapps");
+ } else {
+ server.getHost().setAppBase("tomcat/rp/webapps");
+ }
+ server.getHost().setAutoDeploy(true);
+ server.getHost().setDeployOnStartup(true);
+
+ Connector httpsConnector = new Connector();
+ httpsConnector.setPort(Integer.parseInt(port));
+ httpsConnector.setSecure(true);
+ httpsConnector.setScheme("https");
+ httpsConnector.setAttribute("keyAlias", "mytomidpkey");
+ httpsConnector.setAttribute("keystorePass", "tompass");
+ httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
+ httpsConnector.setAttribute("truststorePass", "tompass");
+ httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
+ httpsConnector.setAttribute("clientAuth", "want");
+ // httpsConnector.setAttribute("clientAuth", "false");
+ httpsConnector.setAttribute("sslProtocol", "TLS");
+ httpsConnector.setAttribute("SSLEnabled", true);
+
+ server.getService().addConnector(httpsConnector);
+
+ if (idp) {
+ File stsWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "fediz-idp-sts");
+ server.addWebapp("/fediz-idp-sts", stsWebapp.getAbsolutePath());
+
+ File idpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "fediz-idp");
+ server.addWebapp("/fediz-idp", idpWebapp.getAbsolutePath());
+ } else {
+ File rpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(),
+ "fediz-systests-webapps-spring");
+ server.addWebapp("/fedizhelloworldspring", rpWebapp.getAbsolutePath());
+ }
+
+ server.start();
+
+ return server;
+ }
+
+ @Override
+ public String getIdpHttpsPort() {
+ return idpHttpsPort;
+ }
+
+ @Override
+ public String getRpHttpsPort() {
+ return rpHttpsPort;
+ }
+
+ @Override
+ public String getServletContextName() {
+ return "fedizhelloworldspring";
+ }
+
+ @Override
+ protected boolean isWSFederation() {
+ return false;
+ }
+
+ @Ignore("This tests is currently failing on Spring")
+ @Override
+ public void testConcurrentRequests() throws Exception {
+ // super.testConcurrentRequests();
+ }
+
+ @Ignore("This tests is currently failing on Spring")
+ public void testRPLogout() throws Exception {
+ //
+ }
+
+ @Override
+ @org.junit.Test
+ public void testCSRFAttack() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ + "/j_spring_fediz_security_check";
+ csrfAttackTest(url);
+ }
+
+ @Override
+ @org.junit.Test
+ public void testCSRFAttack2() throws Exception {
+ String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ + "/j_spring_fediz_security_check";
+ csrfAttackTest2(url);
+ }
+
+}
diff --git a/systests/samlsso/src/test/resources/fediz_config.xml b/systests/samlsso/src/test/resources/fediz_config.xml
index 232ee80..c0f7da2 100644
--- a/systests/samlsso/src/test/resources/fediz_config.xml
+++ b/systests/samlsso/src/test/resources/fediz_config.xml
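Review bot: `testRPLogout` near the end of the hunk carries `@Ignore` but neither `@Override` nor `@org.junit.Test`, and the `testConcurrentRequests` override just above it has `@Override` but no `@Test` either; JUnit 4 only reports a method as skipped when it is also a test method, so the RP-logout and concurrent-request coverage for the Spring plugin silently vanishes from the surefire report, and depending on how `AbstractTests` declares these methods (outside this hunk) the inherited `@Test` version may still be collected and, through virtual dispatch, execute the empty body here as a passing test. Annotate both as `@Ignore("This test is currently failing on Spring") @Override @org.junit.Test` so the report shows two skipped tests instead of a clean run. Because RP logout is session-termination behaviour, the `@Ignore` reason should also name the issue that tracks the failure rather than only stating that it fails. The commented-out `// httpsConnector.setAttribute("clientAuth", "false");` in `startServer` is dead code and should be removed.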
@@ -57,5 +57,41 @@ <logoutURL>/secure/logout</logoutURL> <logoutRedirectTo>/index.html</logoutRedirectTo> </contextConfig> + <contextConfig name="/fedizhelloworldspring"> + <audienceUris> + <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem> + </audienceUris> + <certificateStores> + <trustManager> + <keyStore file="test-classes/clienttrust.jks" password="storepass" type="JKS" /> + </trustManager> + </certificateStores> + <trustedIssuers> + <issuer certificateValidation="PeerTrust" /> + </trustedIssuers> + <maximumClockSkew>1000</maximumClockSkew> + <signingKey keyAlias="realma" keyPassword="realma"> + <keyStore file="test-classes/stsrealm_a.jks" password="storepass" type="JKS" /> + </signingKey> + <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:type="samlProtocolType" version="1.0.0"> + <realm>urn:org:apache:cxf:fediz:fedizhelloworldspring</realm> + <signRequest>true</signRequest> + <issuer>https://localhost:${idp.https.port}/fediz-idp/saml</issuer> + <roleDelimiter>,</roleDelimiter> + <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI> + <reply>/j_spring_fediz_security_check</reply> + <disableDeflateEncoding>true</disableDeflateEncoding> + <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm> + <claimTypesRequested> + <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="false" /> + <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="true" /> + <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" /> + <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" /> + </claimTypesRequested> + </protocol> + <logoutURL>/secure/logout</logoutURL> + <logoutRedirectTo>/index.html</logoutRedirectTo> + </contextConfig> </FedizConfig> 
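Review bot: The new `/fedizhelloworldspring` context lists `<audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem>` while its own `<realm>` and the `srv-spring-fedizhelloworld` entity in entities-realma.xml use `urn:org:apache:cxf:fediz:fedizhelloworldspring`. The audience list is what the plugin compares the assertion's AudienceRestriction against, so if the IdP issues the Audience as the requesting realm this entry would not match, and it reads like a copy-paste leftover from the `fedizhelloworld` context above; I would expect `<audienceItem>urn:org:apache:cxf:fediz:fedizhelloworldspring</audienceItem>`. If the mismatch is deliberate (for instance because the plugin also accepts the configured realm), a short XML comment on the element saying so would stop the next reader from "correcting" it.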
diff --git a/systests/samlsso/src/test/resources/realma/entities-realma.xml b/systests/samlsso/src/test/resources/realma/entities-realma.xml index 8d9623b..9989758 100644 --- a/systests/samlsso/src/test/resources/realma/entities-realma.xml +++ b/systests/samlsso/src/test/resources/realma/entities-realma.xml @@ -118,6 +118,7 @@ <property name="applications"> <util:list> <ref bean="srv-fedizhelloworld" /> + <ref bean="srv-spring-fedizhelloworld" /> </util:list> </property> <!-- @@ -164,6 +165,18 @@ <property name="validatingCertificate" value="realma.cert" /> </bean> + <bean id="srv-spring-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity"> + <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworldspring" /> + <property name="protocol" value="urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser" /> + <property name="serviceDisplayName" value="Fedizhelloworld" /> + <property name="serviceDescription" value="Web Application to illustrate SAML SSO" /> + <property name="role" value="ApplicationServiceType" /> + <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" /> + <property name="lifeTime" value="3600" /> + <property name="passiveRequestorEndpointConstraint" value="https://localhost:?(\d)*/.*" /> + <property name="validatingCertificate" value="realma.cert" /> + </bean> + <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity"> <property name="application" ref="srv-fedizhelloworld" /> <property name="claim" ref="claim_role" /> 
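Review bot: `passiveRequestorEndpointConstraint` on the new `srv-spring-fedizhelloworld` bean is `https://localhost:?(\d)*/.*`, which makes the port optional and accepts any path on localhost; this property appears to be what the IdP uses to decide which consumer endpoint it will return an assertion to, so it should be as narrow as the test allows. The Spring RP only consumes at `/fedizhelloworldspring/j_spring_fediz_security_check` (the `<reply>` in fediz_config.xml), so a pattern such as `https://localhost:\d+/fedizhelloworldspring/.*` would cover it without also matching other contexts on the same host. If the existing `srv-fedizhelloworld` bean (outside this hunk) uses the same loose pattern and the tests rely on it, keeping the two consistent is reasonable, but then a comment noting that the constraint is deliberately broad for the system test would help.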
@@ -185,6 +198,27 @@ <property name="optional" value="false" /> </bean> + <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity"> + <property name="application" ref="srv-spring-fedizhelloworld" /> + <property name="claim" ref="claim_role" /> + <property name="optional" value="false" /> + </bean> + <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity"> + <property name="application" ref="srv-spring-fedizhelloworld" /> + <property name="claim" ref="claim_givenname" /> + <property name="optional" value="false" /> + </bean> + <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity"> + <property name="application" ref="srv-spring-fedizhelloworld" /> + <property name="claim" ref="claim_surname" /> + <property name="optional" value="false" /> + </bean> + <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity"> + <property name="application" ref="srv-spring-fedizhelloworld" /> + <property name="claim" ref="claim_email" /> + <property name="optional" value="false" /> + </bean> + <bean id="claim_role" class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity"> <property name="claimType"