/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.cxf.sts.operation;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Properties;
import javax.xml.bind.JAXBElement;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.jaxws.context.WrappedMessageContext;
import org.apache.cxf.message.MessageImpl;
import org.apache.cxf.sts.QNameConstants;
import org.apache.cxf.sts.STSConstants;
import org.apache.cxf.sts.StaticSTSProperties;
import org.apache.cxf.sts.common.PasswordCallbackHandler;
import org.apache.cxf.sts.common.TestUtils;
import org.apache.cxf.sts.service.EncryptionProperties;
import org.apache.cxf.sts.service.ServiceMBean;
import org.apache.cxf.sts.service.StaticService;
import org.apache.cxf.sts.token.provider.TokenProvider;
import org.apache.cxf.ws.security.sts.provider.STSException;
import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseCollectionType;
import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType;
import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.dom.WSConstants;
/**
* Some unit tests for issuing encrypted tokens.
*/
public class IssueEncryptedUnitTest extends org.junit.Assert {
private static boolean unrestrictedPoliciesInstalled;
static {
unrestrictedPoliciesInstalled = TestUtils.checkUnrestrictedPoliciesInstalled();
};
/**
* Test to successfully issue a (dummy) encrypted token.
*/
@org.junit.Test
public void testIssueEncryptedToken() throws Exception {
TokenIssueOperation issueOperation = new TokenIssueOperation();
issueOperation.setEncryptIssuedToken(true);
// Add Token Provider
List<TokenProvider> providerList = new ArrayList<>();
providerList.add(new DummyTokenProvider());
issueOperation.setTokenProviders(providerList);
// Add Service
ServiceMBean service = new StaticService();
service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
EncryptionProperties encryptionProperties = new EncryptionProperties();
if (!unrestrictedPoliciesInstalled) {
encryptionProperties.setEncryptionAlgorithm(WSConstants.AES_128);
}
service.setEncryptionProperties(encryptionProperties);
issueOperation.setServices(Collections.singletonList(service));
// Add STSProperties object
StaticSTSProperties stsProperties = new StaticSTSProperties();
Crypto encryptionCrypto = CryptoFactory.getInstance(getEncryptionProperties());
stsProperties.setEncryptionCrypto(encryptionCrypto);
stsProperties.setEncryptionUsername("myservicekey");
stsProperties.setCallbackHandler(new PasswordCallbackHandler());
issueOperation.setStsProperties(stsProperties);
// Mock up a request
RequestSecurityTokenType request = new RequestSecurityTokenType();
JAXBElement<String> tokenType =
new JAXBElement<String>(
QNameConstants.TOKEN_TYPE, String.class, DummyTokenProvider.TOKEN_TYPE
);
request.getAny().add(tokenType);
request.getAny().add(createAppliesToElement("http://dummy-service.com/dummy"));
// Mock up message context
MessageImpl msg = new MessageImpl();
WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
// Issue a token
RequestSecurityTokenResponseCollectionType response =
issueOperation.issue(request, null, msgCtx);
List<RequestSecurityTokenResponseType> securityTokenResponse =
response.getRequestSecurityTokenResponse();
assertTrue(!securityTokenResponse.isEmpty());
}
/**
* Test for various options relating to specifying a name for encryption
*/
@org.junit.Test
public void testEncryptionName() throws Exception {
TokenIssueOperation issueOperation = new TokenIssueOperation();
issueOperation.setEncryptIssuedToken(true);
// Add Token Provider
List<TokenProvider> providerList = new ArrayList<>();
providerList.add(new DummyTokenProvider());
issueOperation.setTokenProviders(providerList);
// Add Service
ServiceMBean service = new StaticService();
service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
EncryptionProperties encryptionProperties = new EncryptionProperties();
if (!unrestrictedPoliciesInstalled) {
encryptionProperties.setEncryptionAlgorithm(WSConstants.AES_128);
}
service.setEncryptionProperties(encryptionProperties);
issueOperation.setServices(Collections.singletonList(service));
// Add STSProperties object
StaticSTSProperties stsProperties = new StaticSTSProperties();
Crypto encryptionCrypto = CryptoFactory.getInstance(getEncryptionProperties());
stsProperties.setEncryptionCrypto(encryptionCrypto);
stsProperties.setCallbackHandler(new PasswordCallbackHandler());
issueOperation.setStsProperties(stsProperties);
// Mock up a request
RequestSecurityTokenType request = new RequestSecurityTokenType();
JAXBElement<String> tokenType =
new JAXBElement<String>(
QNameConstants.TOKEN_TYPE, String.class, DummyTokenProvider.TOKEN_TYPE
);
request.getAny().add(tokenType);
request.getAny().add(createAppliesToElement("http://dummy-service.com/dummy"));
// Mock up message context
MessageImpl msg = new MessageImpl();
WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
// Issue a token - as no encryption name has been specified the token will not be encrypted
RequestSecurityTokenResponseCollectionType response =
issueOperation.issue(request, null, msgCtx);
List<RequestSecurityTokenResponseType> securityTokenResponse =
response.getRequestSecurityTokenResponse();
assertTrue(!securityTokenResponse.isEmpty());
encryptionProperties.setEncryptionName("myservicekey");
service.setEncryptionProperties(encryptionProperties);
// Issue a (encrypted) token
response = issueOperation.issue(request, null, msgCtx);
securityTokenResponse = response.getRequestSecurityTokenResponse();
assertTrue(!securityTokenResponse.isEmpty());
}
/**
* Test for various options relating to configuring an algorithm for encryption
*/
@org.junit.Test
public void testConfiguredEncryptionAlgorithm() throws Exception {
TokenIssueOperation issueOperation = new TokenIssueOperation();
issueOperation.setEncryptIssuedToken(true);
// Add Token Provider
List<TokenProvider> providerList = new ArrayList<>();
providerList.add(new DummyTokenProvider());
issueOperation.setTokenProviders(providerList);
// Add Service
ServiceMBean service = new StaticService();
service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
EncryptionProperties encryptionProperties = new EncryptionProperties();
encryptionProperties.setEncryptionName("myservicekey");
encryptionProperties.setEncryptionAlgorithm(WSConstants.AES_128);
service.setEncryptionProperties(encryptionProperties);
issueOperation.setServices(Collections.singletonList(service));
// Add STSProperties object
StaticSTSProperties stsProperties = new StaticSTSProperties();
Crypto encryptionCrypto = CryptoFactory.getInstance(getEncryptionProperties());
stsProperties.setEncryptionCrypto(encryptionCrypto);
stsProperties.setCallbackHandler(new PasswordCallbackHandler());
issueOperation.setStsProperties(stsProperties);
// Mock up a request
RequestSecurityTokenType request = new RequestSecurityTokenType();
JAXBElement<String> tokenType =
new JAXBElement<String>(
QNameConstants.TOKEN_TYPE, String.class, DummyTokenProvider.TOKEN_TYPE
);
request.getAny().add(tokenType);
request.getAny().add(createAppliesToElement("http://dummy-service.com/dummy"));
// Mock up message context
MessageImpl msg = new MessageImpl();
WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
// Issue a token - this should use a (new) default encryption algorithm as configured
RequestSecurityTokenResponseCollectionType response =
issueOperation.issue(request, null, msgCtx);
List<RequestSecurityTokenResponseType> securityTokenResponse =
response.getRequestSecurityTokenResponse();
assertTrue(!securityTokenResponse.isEmpty());
encryptionProperties.setEncryptionAlgorithm(WSConstants.KEYTRANSPORT_RSA15);
try {
issueOperation.issue(request, null, msgCtx);
fail("Failure expected on a bad encryption algorithm");
} catch (STSException ex) {
// expected
}
}
/**
* Test for various options relating to receiving an algorithm for encryption
*/
@org.junit.Test
public void testReceivedEncryptionAlgorithm() throws Exception {
TokenIssueOperation issueOperation = new TokenIssueOperation();
issueOperation.setEncryptIssuedToken(true);
// Add Token Provider
List<TokenProvider> providerList = new ArrayList<>();
providerList.add(new DummyTokenProvider());
issueOperation.setTokenProviders(providerList);
// Add Service
ServiceMBean service = new StaticService();
service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
EncryptionProperties encryptionProperties = new EncryptionProperties();
encryptionProperties.setEncryptionName("myservicekey");
service.setEncryptionProperties(encryptionProperties);
issueOperation.setServices(Collections.singletonList(service));
// Add STSProperties object
StaticSTSProperties stsProperties = new StaticSTSProperties();
Crypto encryptionCrypto = CryptoFactory.getInstance(getEncryptionProperties());
stsProperties.setEncryptionCrypto(encryptionCrypto);
stsProperties.setCallbackHandler(new PasswordCallbackHandler());
issueOperation.setStsProperties(stsProperties);
// Mock up a request
RequestSecurityTokenType request = new RequestSecurityTokenType();
JAXBElement<String> tokenType =
new JAXBElement<String>(
QNameConstants.TOKEN_TYPE, String.class, DummyTokenProvider.TOKEN_TYPE
);
request.getAny().add(tokenType);
request.getAny().add(createAppliesToElement("http://dummy-service.com/dummy"));
JAXBElement<String> encryptionAlgorithmType =
new JAXBElement<String>(
QNameConstants.ENCRYPTION_ALGORITHM, String.class, WSConstants.AES_128
);
request.getAny().add(encryptionAlgorithmType);
// Mock up message context
MessageImpl msg = new MessageImpl();
WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
// Issue a token
RequestSecurityTokenResponseCollectionType response =
issueOperation.issue(request, null, msgCtx);
List<RequestSecurityTokenResponseType> securityTokenResponse =
response.getRequestSecurityTokenResponse();
assertTrue(!securityTokenResponse.isEmpty());
// Now specify a non-supported algorithm
List<String> acceptedAlgorithms = Collections.singletonList(WSConstants.KEYTRANSPORT_RSA15);
encryptionProperties.setAcceptedEncryptionAlgorithms(acceptedAlgorithms);
request.getAny().remove(request.getAny().size() - 1);
encryptionAlgorithmType =
new JAXBElement<String>(
QNameConstants.ENCRYPTION_ALGORITHM, String.class, WSConstants.KEYTRANSPORT_RSA15
);
request.getAny().add(encryptionAlgorithmType);
try {
issueOperation.issue(request, null, msgCtx);
fail("Failure expected on a bad encryption algorithm");
} catch (STSException ex) {
// expected
}
}
/**
* Test for various options relating to configuring a key-wrap algorithm
*/
@org.junit.Test
public void testConfiguredKeyWrapAlgorithm() throws Exception {
//
// This test fails (sometimes) with the IBM JDK
// See https://www-304.ibm.com/support/docview.wss?uid=swg1IZ76737
//
if ("IBM Corporation".equals(System.getProperty("java.vendor"))) {
return;
}
TokenIssueOperation issueOperation = new TokenIssueOperation();
issueOperation.setEncryptIssuedToken(true);
// Add Token Provider
List<TokenProvider> providerList = new ArrayList<>();
providerList.add(new DummyTokenProvider());
issueOperation.setTokenProviders(providerList);
// Add Service
ServiceMBean service = new StaticService();
service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
EncryptionProperties encryptionProperties = new EncryptionProperties();
encryptionProperties.setEncryptionName("myservicekey");
if (!unrestrictedPoliciesInstalled) {
encryptionProperties.setEncryptionAlgorithm(WSConstants.AES_128);
}
encryptionProperties.setKeyWrapAlgorithm(WSConstants.KEYTRANSPORT_RSAOAEP);
service.setEncryptionProperties(encryptionProperties);
issueOperation.setServices(Collections.singletonList(service));
// Add STSProperties object
StaticSTSProperties stsProperties = new StaticSTSProperties();
Crypto encryptionCrypto = CryptoFactory.getInstance(getEncryptionProperties());
stsProperties.setEncryptionCrypto(encryptionCrypto);
stsProperties.setCallbackHandler(new PasswordCallbackHandler());
issueOperation.setStsProperties(stsProperties);
// Mock up a request
RequestSecurityTokenType request = new RequestSecurityTokenType();
JAXBElement<String> tokenType =
new JAXBElement<String>(
QNameConstants.TOKEN_TYPE, String.class, DummyTokenProvider.TOKEN_TYPE
);
request.getAny().add(tokenType);
request.getAny().add(createAppliesToElement("http://dummy-service.com/dummy"));
// Mock up message context
MessageImpl msg = new MessageImpl();
WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
// Issue a token - this should use a (new) default key-wrap algorithm as configured
RequestSecurityTokenResponseCollectionType response =
issueOperation.issue(request, null, msgCtx);
List<RequestSecurityTokenResponseType> securityTokenResponse =
response.getRequestSecurityTokenResponse();
assertTrue(!securityTokenResponse.isEmpty());
encryptionProperties.setKeyWrapAlgorithm(WSConstants.AES_128);
try {
issueOperation.issue(request, null, msgCtx);
fail("Failure expected on a bad key-wrap algorithm");
} catch (STSException ex) {
// expected
}
}
/**
* Test for various options relating to configuring a key-wrap algorithm
*/
@org.junit.Test
public void testSpecifiedKeyWrapAlgorithm() throws Exception {
//
// This test fails (sometimes) with the IBM JDK
// See https://www-304.ibm.com/support/docview.wss?uid=swg1IZ76737
//
if ("IBM Corporation".equals(System.getProperty("java.vendor"))) {
return;
}
TokenIssueOperation issueOperation = new TokenIssueOperation();
issueOperation.setEncryptIssuedToken(true);
// Add Token Provider
List<TokenProvider> providerList = new ArrayList<>();
providerList.add(new DummyTokenProvider());
issueOperation.setTokenProviders(providerList);
// Add Service
ServiceMBean service = new StaticService();
service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
EncryptionProperties encryptionProperties = new EncryptionProperties();
encryptionProperties.setEncryptionName("myservicekey");
if (!unrestrictedPoliciesInstalled) {
encryptionProperties.setEncryptionAlgorithm(WSConstants.AES_128);
}
service.setEncryptionProperties(encryptionProperties);
issueOperation.setServices(Collections.singletonList(service));
// Add STSProperties object
StaticSTSProperties stsProperties = new StaticSTSProperties();
Crypto encryptionCrypto = CryptoFactory.getInstance(getEncryptionProperties());
stsProperties.setEncryptionCrypto(encryptionCrypto);
stsProperties.setCallbackHandler(new PasswordCallbackHandler());
issueOperation.setStsProperties(stsProperties);
// Mock up a request
RequestSecurityTokenType request = new RequestSecurityTokenType();
JAXBElement<String> tokenType =
new JAXBElement<String>(
QNameConstants.TOKEN_TYPE, String.class, DummyTokenProvider.TOKEN_TYPE
);
request.getAny().add(tokenType);
request.getAny().add(createAppliesToElement("http://dummy-service.com/dummy"));
JAXBElement<String> encryptionAlgorithmType =
new JAXBElement<String>(
QNameConstants.KEYWRAP_ALGORITHM, String.class, WSConstants.KEYTRANSPORT_RSAOAEP
);
request.getAny().add(encryptionAlgorithmType);
// Mock up message context
MessageImpl msg = new MessageImpl();
WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
// Issue a token
RequestSecurityTokenResponseCollectionType response =
issueOperation.issue(request, null, msgCtx);
List<RequestSecurityTokenResponseType> securityTokenResponse =
response.getRequestSecurityTokenResponse();
assertTrue(!securityTokenResponse.isEmpty());
// Now specify a non-supported algorithm
String aesKw = "http://www.w3.org/2001/04/xmlenc#kw-aes128";
List<String> acceptedAlgorithms = Collections.singletonList(aesKw);
encryptionProperties.setAcceptedKeyWrapAlgorithms(acceptedAlgorithms);
request.getAny().remove(request.getAny().size() - 1);
encryptionAlgorithmType =
new JAXBElement<String>(
QNameConstants.KEYWRAP_ALGORITHM, String.class, aesKw
);
request.getAny().add(encryptionAlgorithmType);
try {
issueOperation.issue(request, null, msgCtx);
fail("Failure expected on a bad key-wrap algorithm");
} catch (STSException ex) {
// expected
}
}
/**
* Test for various options relating to configuring a KeyIdentifier
*/
@org.junit.Test
public void testConfiguredKeyIdentifiers() throws Exception {
TokenIssueOperation issueOperation = new TokenIssueOperation();
issueOperation.setEncryptIssuedToken(true);
// Add Token Provider
List<TokenProvider> providerList = new ArrayList<>();
providerList.add(new DummyTokenProvider());
issueOperation.setTokenProviders(providerList);
// Add Service
ServiceMBean service = new StaticService();
service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
EncryptionProperties encryptionProperties = new EncryptionProperties();
encryptionProperties.setEncryptionName("myservicekey");
if (!unrestrictedPoliciesInstalled) {
encryptionProperties.setEncryptionAlgorithm(WSConstants.AES_128);
}
encryptionProperties.setKeyIdentifierType(WSConstants.SKI_KEY_IDENTIFIER);
service.setEncryptionProperties(encryptionProperties);
issueOperation.setServices(Collections.singletonList(service));
// Add STSProperties object
StaticSTSProperties stsProperties = new StaticSTSProperties();
Crypto encryptionCrypto = CryptoFactory.getInstance(getEncryptionProperties());
stsProperties.setEncryptionCrypto(encryptionCrypto);
stsProperties.setCallbackHandler(new PasswordCallbackHandler());
issueOperation.setStsProperties(stsProperties);
// Mock up a request
RequestSecurityTokenType request = new RequestSecurityTokenType();
JAXBElement<String> tokenType =
new JAXBElement<String>(
QNameConstants.TOKEN_TYPE, String.class, DummyTokenProvider.TOKEN_TYPE
);
request.getAny().add(tokenType);
request.getAny().add(createAppliesToElement("http://dummy-service.com/dummy"));
// Mock up message context
MessageImpl msg = new MessageImpl();
WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
// Issue a token - use various KeyIdentifiers
RequestSecurityTokenResponseCollectionType response =
issueOperation.issue(request, null, msgCtx);
List<RequestSecurityTokenResponseType> securityTokenResponse =
response.getRequestSecurityTokenResponse();
assertTrue(!securityTokenResponse.isEmpty());
encryptionProperties.setKeyIdentifierType(WSConstants.SKI_KEY_IDENTIFIER);
issueOperation.issue(request, null, msgCtx);
encryptionProperties.setKeyIdentifierType(WSConstants.THUMBPRINT_IDENTIFIER);
issueOperation.issue(request, null, msgCtx);
encryptionProperties.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
issueOperation.issue(request, null, msgCtx);
try {
encryptionProperties.setKeyIdentifierType(WSConstants.BST);
issueOperation.issue(request, null, msgCtx);
fail("Failure expected on a bad key identifier");
} catch (STSException ex) {
// expected
}
}
/*
* Mock up an AppliesTo element using the supplied address
*/
private Element createAppliesToElement(String addressUrl) {
Document doc = DOMUtils.createDocument();
Element appliesTo = doc.createElementNS(STSConstants.WSP_NS, "wsp:AppliesTo");
appliesTo.setAttributeNS(WSConstants.XMLNS_NS, "xmlns:wsp", STSConstants.WSP_NS);
Element endpointRef = doc.createElementNS(STSConstants.WSA_NS_05, "wsa:EndpointReference");
endpointRef.setAttributeNS(WSConstants.XMLNS_NS, "xmlns:wsa", STSConstants.WSA_NS_05);
Element address = doc.createElementNS(STSConstants.WSA_NS_05, "wsa:Address");
address.setAttributeNS(WSConstants.XMLNS_NS, "xmlns:wsa", STSConstants.WSA_NS_05);
address.setTextContent(addressUrl);
endpointRef.appendChild(address);
appliesTo.appendChild(endpointRef);
return appliesTo;
}
private Properties getEncryptionProperties() {
Properties properties = new Properties();
properties.put(
"org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin"
);
properties.put("org.apache.wss4j.crypto.merlin.keystore.password", "stsspass");
if (unrestrictedPoliciesInstalled) {
properties.put("org.apache.wss4j.crypto.merlin.keystore.file", "keys/stsstore.jks");
} else {
properties.put("org.apache.wss4j.crypto.merlin.keystore.file", "restricted/stsstore.jks");
}
return properties;
}
}