diff options
| author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-02-17 17:03:28 +0100 |
|---|---|---|
| committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-02-17 17:03:28 +0100 |
| commit | 7848c74de2cdafed8bee69d1d5b8e5efa7535bc6 (patch) | |
| tree | 41fb7aeb440982fc3c25f8fa91cd2d7186471a1b | |
| parent | 3b7eb43b0df868e492ccd7ad2daca5e4c0053bb2 (diff) | |
| download | EAAF-Components-7848c74de2cdafed8bee69d1d5b8e5efa7535bc6.tar.gz EAAF-Components-7848c74de2cdafed8bee69d1d5b8e5efa7535bc6.tar.bz2 EAAF-Components-7848c74de2cdafed8bee69d1d5b8e5efa7535bc6.zip | |
add jUnit tests for HSM Facade integration.
17 files changed, 839 insertions, 307 deletions
diff --git a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java index b5727015..01c3d6f1 100644 --- a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java +++ b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java @@ -42,7 +42,7 @@ import io.grpc.StatusRuntimeException; public class EaafKeyStoreFactoryTest { private static final String HSM_FACASE_HOST = "eid.a-sit.at"; - private static final String HSM_FACASE_PORT = "9000"; + private static final String HSM_FACASE_PORT = "9050"; private static final String HSM_FACASE_SSL_TRUST = "src/test/resources/data/hsm_facade_trust_root.crt"; private static final String HSM_FACASE_USERNAME = "authhandler-junit"; private static final String HSM_FACASE_PASSWORD = "supersecret123"; @@ -57,6 +57,8 @@ public class EaafKeyStoreFactoryTest { private static final String PATH_TO_HSM_FACADE_TRUST_CERT = "src/test/resources/data/hsm_facade_trust_root.crt"; private static final String SOFTWARE_KEYSTORE_PASSWORD = "password"; + private static final String HSM_FACADE_KEY_ALIAS = "authhandler-sign"; + @Autowired private DummyAuthConfigMap mapConfig; @Autowired @@ -604,7 +606,7 @@ public class EaafKeyStoreFactoryTest { @Test @DirtiesContext - public void hsmFacadeKeyStoreSuccessASitTestFacade() throws EaafException { + public void hsmFacadeKeyStoreSuccessASitTestFacade() throws EaafException, KeyStoreException { configureHsmFacade(); final EaafKeyStoreFactory keyStoreFactory = context.getBean(EaafKeyStoreFactory.class); @@ -619,6 +621,34 @@ public class EaafKeyStoreFactoryTest { final KeyStore keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig); Assert.assertNotNull("KeyStore is null", keyStore); + //read trusted certs + final List<X509Certificate> trustedCerts = EaafKeyStoreUtils.readCertsFromKeyStore(keyStore); + Assert.assertNotNull("Trusted certs", trustedCerts); + Assert.assertEquals("Trusted certs size", 0, trustedCerts.size()); + + //read priv. key + final Pair<Key, X509Certificate[]> privCred1 = EaafKeyStoreUtils.getPrivateKeyAndCertificates( + keyStore, HSM_FACADE_KEY_ALIAS, null, true, "jUnit test"); + Assert.assertNotNull("Credential 1", privCred1); + Assert.assertNotNull("Credential 1 priv. key", privCred1.getFirst()); + Assert.assertNotNull("Credential 1 certificate", privCred1.getSecond()); + + //read priv. key + final Pair<Key, X509Certificate[]> privCred2 = EaafKeyStoreUtils.getPrivateKeyAndCertificates( + keyStore, HSM_FACADE_KEY_ALIAS, "shouldBeIgnord".toCharArray(), true, "jUnit test"); + Assert.assertNotNull("Credential 2", privCred2); + Assert.assertNotNull("Credential 2 priv. key", privCred2.getFirst()); + Assert.assertNotNull("Credential 2 certificate", privCred2.getSecond()); + + try { + EaafKeyStoreUtils.getPrivateKeyAndCertificates( + keyStore, "notExist", "wrong".toCharArray(), true, "jUnit test"); + Assert.fail("Wrong password not detected"); + + } catch (final EaafKeyAccessException e) { + Assert.assertEquals("wrong errorcode", "internal.keystore.09", e.getErrorId()); + } + } private void configureHsmFacade() { diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java new file mode 100644 index 00000000..d5186857 --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java @@ -0,0 +1,328 @@ +package at.gv.egiz.eaaf.modules.pvp2.test; + +import java.util.ArrayList; +import java.util.List; + +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; +import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine; +import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider; +import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyMetadataProvider; + +import org.joda.time.DateTime; +import org.junit.BeforeClass; +import org.junit.Test; +import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; +import org.opensaml.core.xml.io.UnmarshallingException; +import org.opensaml.core.xml.util.XMLObjectSupport; +import org.opensaml.saml.common.xml.SAMLConstants; +import org.opensaml.saml.saml2.core.Assertion; +import org.opensaml.saml.saml2.core.AuthnRequest; +import org.opensaml.saml.saml2.core.EncryptedAssertion; +import org.opensaml.saml.saml2.core.Issuer; +import org.opensaml.saml.saml2.core.Response; +import org.opensaml.saml.saml2.encryption.Encrypter; +import org.opensaml.saml.saml2.encryption.Encrypter.KeyPlacement; +import org.opensaml.security.x509.X509Credential; +import org.opensaml.xmlsec.SecurityConfigurationSupport; +import org.opensaml.xmlsec.encryption.support.DataEncryptionParameters; +import org.opensaml.xmlsec.encryption.support.EncryptionException; +import org.opensaml.xmlsec.encryption.support.KeyEncryptionParameters; +import org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.util.Assert; + +import net.shibboleth.utilities.java.support.xml.XMLParserException; + + +public abstract class AbstractSamlVerificationEngine { + + @Autowired + private PvpMetadataResolverFactory metadataResolverFactory; + @Autowired + private SamlVerificationEngine verifyEngine; + @Autowired + protected DummyCredentialProvider credentialProvider; + + @Autowired DummyMetadataProvider metadataProvider; + @Autowired IConfiguration authConfig; + + /** + * JUnit class initializer. + * + * @throws Exception In case of an OpenSAML3 initialization error + */ + @BeforeClass + public static void classInitializer() throws Exception { + EaafOpenSaml3xInitializer.eaafInitialize(); + + } + protected abstract String getMetadataJunitJKeystore(); + + protected abstract String getMetadataClassPathEntityPath(); + + protected abstract String getAuthnRequestWithoutSigPath(); + + protected abstract String getResponseWithSigPath(); + + protected abstract String getResponseWithoutSigPath(); + + + @Test + public void validateSamlRequestSuccess() throws SecurityException, Exception { + + final String authnReqPath = getAuthnRequestWithoutSigPath(); + final String metadataPath = getMetadataClassPathEntityPath(); + final String spEntityId = metadataPath; + + final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg = + initializeAuthnRequest(spEntityId, metadataPath, authnReqPath, + credentialProvider.getMetaDataSigningCredential()); + + final PvpSProfileRequest msg = new PvpSProfileRequest( + inputMsg.getFirst(), + SAMLConstants.SAML2_POST_BINDING_URI); + msg.setEntityID(spEntityId); + + verifyEngine.verify(msg, + TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); + + } + + @Test + public void validateSamlRequestWrongSignature() throws SecurityException, Exception { + + final String authnReqPath = getAuthnRequestWithoutSigPath(); + final String metadataPath = getMetadataJunitJKeystore(); + final String spEntityId = metadataPath; + + final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg = + initializeAuthnRequest(spEntityId, metadataPath, authnReqPath, + credentialProvider.getMetaDataSigningCredential()); + + metadataProvider.addMetadataResolverIntoChain(inputMsg.getSecond()); + + final PvpSProfileRequest msg = new PvpSProfileRequest( + inputMsg.getFirst(), + SAMLConstants.SAML2_POST_BINDING_URI); + msg.setEntityID(spEntityId); + + try { + verifyEngine.verify(msg, + TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); + org.junit.Assert.fail("Wrong signature not detected"); + + } catch (final Exception e) { + Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType"); + org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.10", ((EaafException) e).getErrorId()); + + } + } + + @Test + public void verifyResponseSuccessTest() throws Pvp2InternalErrorException, SecurityException, Exception { + metadataProvider.runGarbageCollector(); + + final String authnReqPath = getResponseWithoutSigPath(); + final String metadataPath = getMetadataClassPathEntityPath(); + final String spEntityId = metadataPath; + + final Pair<Response, IPvp2MetadataProvider> inputMsg = + initializeResponse(spEntityId, metadataPath, authnReqPath, + credentialProvider.getMetaDataSigningCredential()); + + final PvpSProfileResponse msg = new PvpSProfileResponse( + inputMsg.getFirst()); + msg.setEntityID(spEntityId); + + verifyEngine.verify(msg, + TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); + + } + + @Test + public void verifyResponseSuccessSecondTest() + throws Pvp2InternalErrorException, SecurityException, Exception { + + final String authnReqPath = getResponseWithoutSigPath(); + final String metadataPath = getMetadataClassPathEntityPath(); + final String spEntityId = metadataPath; + + final Pair<Response, IPvp2MetadataProvider> inputMsg = + initializeResponse(spEntityId, metadataPath, authnReqPath, + credentialProvider.getMetaDataSigningCredential()); + + verifyEngine.verifyIdpResponse(inputMsg.getFirst(), + TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); + + } + + @Test + public void verifySpResponse() + throws Pvp2InternalErrorException, SecurityException, Exception { + + final String authnReqPath = getResponseWithoutSigPath(); + final String metadataPath = getMetadataClassPathEntityPath(); + final String spEntityId = metadataPath; + + final Pair<Response, IPvp2MetadataProvider> inputMsg = + initializeResponse(spEntityId, metadataPath, authnReqPath, + credentialProvider.getMetaDataSigningCredential()); + + verifyEngine.verifySloResponse(inputMsg.getFirst(), + TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); + + } + + @Test + public void verifyResponseWithoutId() throws Pvp2InternalErrorException, SecurityException, Exception { + + final String authnReqPath = getResponseWithSigPath(); + final String metadataPath = getMetadataClassPathEntityPath(); + final String spEntityId = metadataPath; + + final Pair<Response, IPvp2MetadataProvider> inputMsg = + initializeResponse(spEntityId, metadataPath, authnReqPath, + credentialProvider.getMetaDataSigningCredential()); + + final PvpSProfileResponse msg = new PvpSProfileResponse( + inputMsg.getFirst()); + msg.setEntityID(spEntityId); + + try { + verifyEngine.verify(msg, + TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); + org.junit.Assert.fail("Wrong XML schema not detected"); + + } catch (final Exception e) { + Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType"); + org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.03", ((EaafException) e).getErrorId()); + + } + } + + @Test + public void verifyResponseWrongTrust() throws Pvp2InternalErrorException, SecurityException, Exception { + + final String authnReqPath = getResponseWithoutSigPath(); + final String metadataPath = getMetadataJunitJKeystore(); + final String spEntityId = metadataPath; + + final Pair<Response, IPvp2MetadataProvider> inputMsg = + initializeResponse(spEntityId, metadataPath, authnReqPath, + credentialProvider.getMetaDataSigningCredential()); + + final PvpSProfileResponse msg = new PvpSProfileResponse( + inputMsg.getFirst()); + msg.setEntityID(spEntityId); + + try { + verifyEngine.verify(msg, + TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); + org.junit.Assert.fail("No TrustedCert not detected"); + + } catch (final Exception e) { + Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType"); + org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.10", ((EaafException) e).getErrorId()); + + } + } + + protected Pair<Response, IPvp2MetadataProvider> initializeResponse(String spEntityId, String metadataPath, + String authnReqPath, EaafX509Credential credential) + throws SamlSigningException, XMLParserException, UnmarshallingException, Pvp2MetadataException { + final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider( + metadataPath, null, "jUnit metadata resolver", null); + + final Response authnReq = (Response) XMLObjectSupport.unmarshallFromInputStream( + XMLObjectProviderRegistrySupport.getParserPool(), + AbstractSamlVerificationEngine.class.getResourceAsStream(authnReqPath)); + authnReq.setIssueInstant(DateTime.now()); + final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class); + issuer.setValue(spEntityId); + authnReq.setIssuer(issuer); + + return Pair.newInstance( + Saml2Utils.signSamlObject(authnReq, credential, true), + mdResolver); + } + + protected Pair<AuthnRequest, IPvp2MetadataProvider> initializeAuthnRequest(String spEntityId, + String metadataPath, String authnReqPath, EaafX509Credential credential) + throws SamlSigningException, CredentialsNotAvailableException, + XMLParserException, UnmarshallingException, Pvp2InternalErrorException, Pvp2MetadataException { + + final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider( + metadataPath, null, "jUnit metadata resolver", null); + + final AuthnRequest authnReq = (AuthnRequest) XMLObjectSupport.unmarshallFromInputStream( + XMLObjectProviderRegistrySupport.getParserPool(), + AbstractSamlVerificationEngine.class.getResourceAsStream(authnReqPath)); + authnReq.setIssueInstant(DateTime.now()); + final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class); + issuer.setValue(spEntityId); + authnReq.setIssuer(issuer); + + return Pair.newInstance( + Saml2Utils.signSamlObject(authnReq, credential, true), + mdResolver); + + } + + protected static EncryptedAssertion doEncryption(Assertion assertion, + X509Credential encryptionCredentials, IConfiguration authConfig) + throws Exception { + try { + final String keyEncAlg = Saml2Utils.getKeyOperationAlgorithmFromCredential( + encryptionCredentials, + authConfig.getBasicConfiguration( + PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_KEY_RSA_ALG, + PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_RSA), + authConfig.getBasicConfiguration( + PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_KEY_EC_ALG, + PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_EC)); + + final DataEncryptionParameters dataEncParams = new DataEncryptionParameters(); + dataEncParams.setAlgorithm(authConfig.getBasicConfiguration( + PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_DATA, PvpConstants.DEFAULT_SYM_ENCRYPTION_METHODE)); + + final List<KeyEncryptionParameters> keyEncParamList = new ArrayList<>(); + final KeyEncryptionParameters keyEncParam = new KeyEncryptionParameters(); + keyEncParam.setEncryptionCredential(encryptionCredentials); + keyEncParam.setAlgorithm(keyEncAlg); + + final KeyInfoGeneratorFactory kigf = + SecurityConfigurationSupport.getGlobalEncryptionConfiguration() + .getKeyTransportKeyInfoGeneratorManager().getDefaultManager().getFactory(encryptionCredentials); + keyEncParam.setKeyInfoGenerator(kigf.newInstance()); + keyEncParamList.add(keyEncParam); + + final Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList); + samlEncrypter.setKeyPlacement(KeyPlacement.PEER); + + return samlEncrypter.encrypt(assertion); + + } catch (final EncryptionException | SamlSigningException e1) { + throw new Exception(e1); + + } + + } + + +} diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java index be3f9a8f..3ba4c962 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java @@ -6,6 +6,7 @@ import java.util.List; import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; import at.gv.egiz.eaaf.core.exceptions.EaafFactoryException; import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; import at.gv.egiz.eaaf.core.impl.idp.module.test.DummyAuthConfigMap; import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; @@ -34,10 +35,11 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; public class CredentialProviderTest { private static final String HSM_FACASE_HOST = "eid.a-sit.at"; - private static final String HSM_FACASE_PORT = "9000"; + private static final String HSM_FACASE_PORT = "9050"; + private static final String HSM_FACASE_SSL_TRUST = "src/test/resources/data/hsm_facade_trust_root.crt"; private static final String HSM_FACASE_USERNAME = "authhandler-junit"; private static final String HSM_FACASE_PASSWORD = "supersecret123"; - private static final String HSM_FACASE_SSL_TRUST = "src/test/resources/data/hsm_facade_trust_root.crt"; + private static final String HSM_FACASE_HSM_NAME = "software"; private static final String PATH_JKS_WITH_TRUST_CERTS = "src/test/resources/data/junit.jks"; private static final String PATH_JKS_WITHOUT_TRUST_CERTS = "src/test/resources/data/junit_without_trustcerts.jks"; @@ -50,6 +52,8 @@ public class CredentialProviderTest { private static final String PASSWORD = "password"; + private static final String HSM_FACADE_KEY_ALIAS = "authhandler-sign"; + @Autowired private ApplicationContext context; @Autowired private DummyAuthConfigMap config; @@ -61,9 +65,10 @@ public class CredentialProviderTest { public void initialize() { config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HOST, HSM_FACASE_HOST); config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_PORT, HSM_FACASE_PORT); + config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_SSLTRUST, HSM_FACASE_SSL_TRUST); config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_USERNAME, HSM_FACASE_USERNAME); config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_PASSWORD, HSM_FACASE_PASSWORD); - config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_SSLTRUST, HSM_FACASE_SSL_TRUST); + config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HSM_NAME, HSM_FACASE_HSM_NAME); config.putConfigValue(DummyCredentialProvider.KEYSTORE_NAME, HSM_FACASE_KEYSTORE_NAME); @@ -505,6 +510,91 @@ public class CredentialProviderTest { } } + @Test + @DirtiesContext + public void hasFacadeMissingKeyStoreName() { + config.putConfigValue(DummyCredentialProvider.KEYSTORE_TYPE, + KeyStoreConfiguration.KeyStoreType.HSMFACADE.getKeyStoreType()); + config.removeConfigValue(DummyCredentialProvider.KEYSTORE_NAME); + + try { + context.getBean(DummyCredentialProvider.class); + Assert.fail("No KeyStore not detected"); + + } catch (final BeansException e) { + org.springframework.util.Assert.isInstanceOf(EaafConfigurationException.class, + e.getCause(), "Wrong exception"); + + } + + } + + @Test + @DirtiesContext + public void hasFacadeWrongAlias() { + config.putConfigValue(DummyCredentialProvider.KEYSTORE_TYPE, + KeyStoreConfiguration.KeyStoreType.HSMFACADE.getKeyStoreType()); + config.putConfigValue(DummyCredentialProvider.KEYSTORE_NAME, HSM_FACASE_KEYSTORE_NAME); + + final DummyCredentialProvider credential = context.getBean(DummyCredentialProvider.class); + + Assert.assertNotNull("Credetialprovider", credential); + Assert.assertNotNull("Friendlyname", credential.getFriendlyName()); + + config.putConfigValue(DummyCredentialProvider.KEY_METADATA_ALIAS, + RandomStringUtils.randomAlphabetic(5)); + + try { + checkCredential(credential.getMetaDataSigningCredential(), + PvpConstants.DEFAULT_SIGNING_METHODE_RSA, + PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_RSA); + Assert.fail("Wrong 'alias' not detected"); + + } catch (final CredentialsNotAvailableException e) { + Assert.assertEquals("Wrong errorCode", "internal.pvp.01", e.getErrorId()); + + } + + } + + @Test + @DirtiesContext + public void validConfigurationHsmFacade() throws CredentialsNotAvailableException { + + config.putConfigValue(DummyCredentialProvider.KEYSTORE_TYPE, + KeyStoreConfiguration.KeyStoreType.HSMFACADE.getKeyStoreType()); + config.putConfigValue(DummyCredentialProvider.KEYSTORE_NAME, HSM_FACASE_KEYSTORE_NAME); + + final DummyCredentialProvider credential = context.getBean(DummyCredentialProvider.class); + + Assert.assertNotNull("Credetialprovider", credential); + Assert.assertNotNull("Friendlyname", credential.getFriendlyName()); + + config.putConfigValue(DummyCredentialProvider.KEY_METADATA_ALIAS, + HSM_FACADE_KEY_ALIAS); + config.putConfigValue(DummyCredentialProvider.KEY_METADATA_PASSWORD, + PASSWORD); + + + checkCredential(credential.getMetaDataSigningCredential(), + PvpConstants.DEFAULT_SIGNING_METHODE_RSA, + PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_RSA); + + config.putConfigValue(DummyCredentialProvider.KEY_SIGNING_ALIAS, + HSM_FACADE_KEY_ALIAS); + + checkCredential(credential.getMessageSigningCredential(), + PvpConstants.DEFAULT_SIGNING_METHODE_RSA, + PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_RSA); + + + final List<X509Certificate> trustCerts = credential.getTrustedCertificates(); + Assert.assertNotNull("TrustCerts are null", trustCerts); + Assert.assertTrue("TrustCerts not empty", trustCerts.isEmpty()); + + } + + private void checkCredential(EaafX509Credential metaDataSigningCredential, String sigAlg, String keyEncAlg) { Assert.assertNotNull("No metadata signing credentials", metaDataSigningCredential); Assert.assertNotNull("SigAlg is null", diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java index 66e87537..bc0084f7 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java @@ -1,53 +1,33 @@ package at.gv.egiz.eaaf.modules.pvp2.test; -import java.util.ArrayList; -import java.util.List; - import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.exceptions.EaafException; import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException; import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; import at.gv.egiz.eaaf.core.impl.data.Pair; -import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption; import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; -import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; -import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine; import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider; import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyMetadataProvider; import org.joda.time.DateTime; -import org.junit.BeforeClass; import org.junit.Test; import org.junit.runner.RunWith; -import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; import org.opensaml.core.xml.io.UnmarshallingException; import org.opensaml.core.xml.util.XMLObjectSupport; import org.opensaml.saml.common.xml.SAMLConstants; import org.opensaml.saml.saml2.core.Assertion; import org.opensaml.saml.saml2.core.AuthnRequest; import org.opensaml.saml.saml2.core.EncryptedAssertion; -import org.opensaml.saml.saml2.core.Issuer; import org.opensaml.saml.saml2.core.Response; import org.opensaml.saml.saml2.core.StatusCode; -import org.opensaml.saml.saml2.encryption.Encrypter; -import org.opensaml.saml.saml2.encryption.Encrypter.KeyPlacement; -import org.opensaml.security.x509.X509Credential; -import org.opensaml.xmlsec.SecurityConfigurationSupport; -import org.opensaml.xmlsec.encryption.support.DataEncryptionParameters; -import org.opensaml.xmlsec.encryption.support.EncryptionException; -import org.opensaml.xmlsec.encryption.support.KeyEncryptionParameters; -import org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorFactory; import org.opensaml.xmlsec.signature.support.SignatureConstants; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.test.context.ContextConfiguration; @@ -62,11 +42,9 @@ import net.shibboleth.utilities.java.support.xml.XMLParserException; @ContextConfiguration({ "/spring/test_eaaf_pvp.beans.xml", "/spring/test_eaaf_core_spring_config.beans.xml" }) @TestPropertySource(locations = { "/config/config_1.props" }) -public class SamlVerificationEngineTest { +public class SamlVerificationEngineTest extends AbstractSamlVerificationEngine { @Autowired - private PvpMetadataResolverFactory metadataResolverFactory; - @Autowired private SamlVerificationEngine verifyEngine; @Autowired private DummyCredentialProvider credentialProvider; @@ -74,103 +52,38 @@ public class SamlVerificationEngineTest { @Autowired DummyMetadataProvider metadataProvider; @Autowired IConfiguration authConfig; - /** - * JUnit class initializer. - * - * @throws Exception In case of an OpenSAML3 initialization error - */ - @BeforeClass - public static void classInitializer() throws Exception { - EaafOpenSaml3xInitializer.eaafInitialize(); + @Override + protected String getMetadataClassPathEntityPath() { + return "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml"; } - @Test - public void validateSamlRequestSuccess() throws SecurityException, Exception { - - final String authnReqPath = "/data/AuthRequest_without_sig_1.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml"; - final String spEntityId = metadataPath; - - final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg = - initializeAuthnRequest(spEntityId, metadataPath, authnReqPath, - credentialProvider.getMetaDataSigningCredential()); - - final PvpSProfileRequest msg = new PvpSProfileRequest( - inputMsg.getFirst(), - SAMLConstants.SAML2_POST_BINDING_URI); - msg.setEntityID(spEntityId); - - verifyEngine.verify(msg, - TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); - + @Override + protected String getMetadataJunitJKeystore() { + return "classpath:/data/pvp_metadata_junit_keystore.xml"; } - @Test - public void validateSamlRequestWrongSignature() throws SecurityException, Exception { - - final String authnReqPath = "/data/AuthRequest_without_sig_1.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; - final String spEntityId = metadataPath; - - final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg = - initializeAuthnRequest(spEntityId, metadataPath, authnReqPath, - credentialProvider.getMetaDataSigningCredential()); - - metadataProvider.addMetadataResolverIntoChain(inputMsg.getSecond()); - - final PvpSProfileRequest msg = new PvpSProfileRequest( - inputMsg.getFirst(), - SAMLConstants.SAML2_POST_BINDING_URI); - msg.setEntityID(spEntityId); - - try { - verifyEngine.verify(msg, - TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); - org.junit.Assert.fail("Wrong signature not detected"); - - } catch (final Exception e) { - Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType"); - org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.10", ((EaafException) e).getErrorId()); + @Override + protected String getAuthnRequestWithoutSigPath() { + return "/data/AuthRequest_without_sig_1.xml"; - } } - @Test - public void validateSamlInvalidRequest() throws SecurityException, Exception { - - final String authnReqPath = "/data/AuthRequest_without_sig_missing_id.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; - final String spEntityId = metadataPath; - - final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg = - initializeAuthnRequest(spEntityId, metadataPath, authnReqPath, - credentialProvider.getMetaDataSigningCredential()); - - metadataProvider.addMetadataResolverIntoChain(inputMsg.getSecond()); - - final PvpSProfileRequest msg = new PvpSProfileRequest( - inputMsg.getFirst(), - SAMLConstants.SAML2_POST_BINDING_URI); - msg.setEntityID(spEntityId); - - try { - verifyEngine.verify(msg, - TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); - org.junit.Assert.fail("invalid request not detected"); - - } catch (final Exception e) { - Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType"); - org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.03", ((EaafException) e).getErrorId()); + @Override + protected String getResponseWithSigPath() { + return "/data/Response_with_sig_1.xml"; + } - } + @Override + protected String getResponseWithoutSigPath() { + return "/data/Response_without_sig_1.xml"; } @Test public void validateSamlRequestWrongSignatureAlg() throws SecurityException, Exception { - final String authnReqPath = "/data/AuthRequest_without_sig_1.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String authnReqPath = getAuthnRequestWithoutSigPath(); + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = metadataPath; metadataProvider.runGarbageCollector(); @@ -199,79 +112,27 @@ public class SamlVerificationEngineTest { } @Test - public void verifyResponseSuccessTest() throws Pvp2InternalErrorException, SecurityException, Exception { - metadataProvider.runGarbageCollector(); - - final String authnReqPath = "/data/Response_without_sig_1.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml"; - final String spEntityId = metadataPath; - - final Pair<Response, IPvp2MetadataProvider> inputMsg = - initializeResponse(spEntityId, metadataPath, authnReqPath, - credentialProvider.getMetaDataSigningCredential()); - - final PvpSProfileResponse msg = new PvpSProfileResponse( - inputMsg.getFirst()); - msg.setEntityID(spEntityId); - - verifyEngine.verify(msg, - TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); - - } - - @Test - public void verifyResponseSuccessSecondTest() - throws Pvp2InternalErrorException, SecurityException, Exception { - - final String authnReqPath = "/data/Response_without_sig_1.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml"; - final String spEntityId = metadataPath; - - final Pair<Response, IPvp2MetadataProvider> inputMsg = - initializeResponse(spEntityId, metadataPath, authnReqPath, - credentialProvider.getMetaDataSigningCredential()); - - verifyEngine.verifyIdpResponse(inputMsg.getFirst(), - TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); - - } - - @Test - public void verifySpResponse() - throws Pvp2InternalErrorException, SecurityException, Exception { + public void validateSamlInvalidRequest() throws SecurityException, Exception { - final String authnReqPath = "/data/Response_without_sig_1.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml"; + final String authnReqPath = "/data/AuthRequest_without_sig_missing_id.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = metadataPath; - final Pair<Response, IPvp2MetadataProvider> inputMsg = - initializeResponse(spEntityId, metadataPath, authnReqPath, + final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg = + initializeAuthnRequest(spEntityId, metadataPath, authnReqPath, credentialProvider.getMetaDataSigningCredential()); - verifyEngine.verifySloResponse(inputMsg.getFirst(), - TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); - - } - - @Test - public void verifyResponseWithoutId() throws Pvp2InternalErrorException, SecurityException, Exception { - - final String authnReqPath = "/data/Response_with_sig_1.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml"; - final String spEntityId = metadataPath; - - final Pair<Response, IPvp2MetadataProvider> inputMsg = - initializeResponse(spEntityId, metadataPath, authnReqPath, - credentialProvider.getMetaDataSigningCredential()); + metadataProvider.addMetadataResolverIntoChain(inputMsg.getSecond()); - final PvpSProfileResponse msg = new PvpSProfileResponse( - inputMsg.getFirst()); + final PvpSProfileRequest msg = new PvpSProfileRequest( + inputMsg.getFirst(), + SAMLConstants.SAML2_POST_BINDING_URI); msg.setEntityID(spEntityId); try { verifyEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); - org.junit.Assert.fail("Wrong XML schema not detected"); + org.junit.Assert.fail("invalid request not detected"); } catch (final Exception e) { Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType"); @@ -281,37 +142,10 @@ public class SamlVerificationEngineTest { } @Test - public void verifyResponseWrongTrust() throws Pvp2InternalErrorException, SecurityException, Exception { - - final String authnReqPath = "/data/Response_without_sig_1.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; - final String spEntityId = metadataPath; - - final Pair<Response, IPvp2MetadataProvider> inputMsg = - initializeResponse(spEntityId, metadataPath, authnReqPath, - credentialProvider.getMetaDataSigningCredential()); - - final PvpSProfileResponse msg = new PvpSProfileResponse( - inputMsg.getFirst()); - msg.setEntityID(spEntityId); - - try { - verifyEngine.verify(msg, - TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); - org.junit.Assert.fail("No TrustedCert not detected"); - - } catch (final Exception e) { - Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType"); - org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.10", ((EaafException) e).getErrorId()); - - } - } - - @Test public void verifyAssertionSucessNotEncrypted() throws SamlSigningException, Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = @@ -328,7 +162,7 @@ public class SamlVerificationEngineTest { public void verifyAssertionWrongAudiency() throws SamlSigningException, Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = @@ -349,7 +183,7 @@ public class SamlVerificationEngineTest { public void verifyAssertionWrongStatusCode() throws SamlSigningException, Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = @@ -374,7 +208,7 @@ public class SamlVerificationEngineTest { public void verifyAssertionWrongIssueInstant() throws SamlSigningException, Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = @@ -399,7 +233,7 @@ public class SamlVerificationEngineTest { public void verifyAssertionNoContitions() throws SamlSigningException, Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = @@ -424,7 +258,7 @@ public class SamlVerificationEngineTest { public void verifyAssertionWrongContitions() throws SamlSigningException, Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = @@ -448,7 +282,7 @@ public class SamlVerificationEngineTest { public void verifyAssertionWrongContitionsAudienceRestrictions() throws SamlSigningException, Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = @@ -475,7 +309,7 @@ public class SamlVerificationEngineTest { public void verifyAssertionWrongContitionsNotBefore() throws SamlSigningException, Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = @@ -501,7 +335,7 @@ public class SamlVerificationEngineTest { public void verifyAssertionWrongContitionsNotOnOrAfter() throws SamlSigningException, Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = @@ -527,7 +361,7 @@ public class SamlVerificationEngineTest { public void verifyAssertionValidContitions() throws SamlSigningException, Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = @@ -548,7 +382,7 @@ public class SamlVerificationEngineTest { public void verifyEncAssertionWrongKey() throws SamlSigningException, Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { final String authnReqPath = "/data/Asserion_enc_no_key.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://eid.a-sit.at/Shibboleth.sso/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = @@ -569,7 +403,7 @@ public class SamlVerificationEngineTest { @Test public void verifyEncAssertion() throws Exception { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = @@ -602,7 +436,7 @@ public class SamlVerificationEngineTest { @Test public void verifyEncAssertionWrongSchema() throws Exception { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = @@ -636,85 +470,4 @@ public class SamlVerificationEngineTest { } - private Pair<Response, IPvp2MetadataProvider> initializeResponse(String spEntityId, String metadataPath, - String authnReqPath, EaafX509Credential credential) - throws SamlSigningException, XMLParserException, UnmarshallingException, Pvp2MetadataException { - final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider( - metadataPath, null, "jUnit metadata resolver", null); - - final Response authnReq = (Response) XMLObjectSupport.unmarshallFromInputStream( - XMLObjectProviderRegistrySupport.getParserPool(), - SamlVerificationEngineTest.class.getResourceAsStream(authnReqPath)); - authnReq.setIssueInstant(DateTime.now()); - final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class); - issuer.setValue(spEntityId); - authnReq.setIssuer(issuer); - - return Pair.newInstance( - Saml2Utils.signSamlObject(authnReq, credential, true), - mdResolver); - } - - private Pair<AuthnRequest, IPvp2MetadataProvider> initializeAuthnRequest(String spEntityId, - String metadataPath, String authnReqPath, EaafX509Credential credential) - throws SamlSigningException, CredentialsNotAvailableException, - XMLParserException, UnmarshallingException, Pvp2InternalErrorException, Pvp2MetadataException { - - final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider( - metadataPath, null, "jUnit metadata resolver", null); - - final AuthnRequest authnReq = (AuthnRequest) XMLObjectSupport.unmarshallFromInputStream( - XMLObjectProviderRegistrySupport.getParserPool(), - SamlVerificationEngineTest.class.getResourceAsStream(authnReqPath)); - authnReq.setIssueInstant(DateTime.now()); - final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class); - issuer.setValue(spEntityId); - authnReq.setIssuer(issuer); - - return Pair.newInstance( - Saml2Utils.signSamlObject(authnReq, credential, true), - mdResolver); - - } - - private static EncryptedAssertion doEncryption(Assertion assertion, - X509Credential encryptionCredentials, IConfiguration authConfig) - throws Exception { - try { - final String keyEncAlg = Saml2Utils.getKeyOperationAlgorithmFromCredential( - encryptionCredentials, - authConfig.getBasicConfiguration( - PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_KEY_RSA_ALG, - PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_RSA), - authConfig.getBasicConfiguration( - PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_KEY_EC_ALG, - PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_EC)); - - final DataEncryptionParameters dataEncParams = new DataEncryptionParameters(); - dataEncParams.setAlgorithm(authConfig.getBasicConfiguration( - PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_DATA, PvpConstants.DEFAULT_SYM_ENCRYPTION_METHODE)); - - final List<KeyEncryptionParameters> keyEncParamList = new ArrayList<>(); - final KeyEncryptionParameters keyEncParam = new KeyEncryptionParameters(); - keyEncParam.setEncryptionCredential(encryptionCredentials); - keyEncParam.setAlgorithm(keyEncAlg); - - final KeyInfoGeneratorFactory kigf = - SecurityConfigurationSupport.getGlobalEncryptionConfiguration() - .getKeyTransportKeyInfoGeneratorManager().getDefaultManager().getFactory(encryptionCredentials); - keyEncParam.setKeyInfoGenerator(kigf.newInstance()); - keyEncParamList.add(keyEncParam); - - final Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList); - samlEncrypter.setKeyPlacement(KeyPlacement.PEER); - - return samlEncrypter.encrypt(assertion); - - } catch (final EncryptionException | SamlSigningException e1) { - throw new Exception(e1); - - } - - } - } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java new file mode 100644 index 00000000..95f63003 --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java @@ -0,0 +1,69 @@ +package at.gv.egiz.eaaf.modules.pvp2.test; + +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; + +import org.junit.Test; +import org.junit.runner.RunWith; +import org.opensaml.xmlsec.signature.support.SignatureConstants; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.TestPropertySource; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; + +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration({ "/spring/test_eaaf_pvp.beans.xml", + "/spring/test_eaaf_core_spring_config.beans.xml" }) +@TestPropertySource(locations = { "/config/config_3.props" }) +public class SamlVerificationEngineWithHsmFacadeTest extends AbstractSamlVerificationEngine { + + @Override + protected String getMetadataClassPathEntityPath() { + return "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml"; + + } + + @Override + protected String getMetadataJunitJKeystore() { + return "classpath:/data/pvp_metadata_junit_keystore.xml"; + } + + @Override + protected String getAuthnRequestWithoutSigPath() { + return "/data/AuthRequest_without_sig_1.xml"; + + } + + @Override + protected String getResponseWithSigPath() { + return "/data/Response_with_sig_1.xml"; + } + + @Override + protected String getResponseWithoutSigPath() { + return "/data/Response_without_sig_1.xml"; + } + + @Test + public void validateSamlRequestWrongSignatureAlg() throws SecurityException, Exception { + + final String authnReqPath = getAuthnRequestWithoutSigPath(); + final String metadataPath = getMetadataJunitJKeystore(); + final String spEntityId = metadataPath; + + metadataProvider.runGarbageCollector(); + + final EaafX509Credential cred = credentialProvider.getMetaDataSigningCredential(); + cred.setSignatureAlgorithmForSigning(SignatureConstants.ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5); + try { + initializeAuthnRequest(spEntityId, metadataPath, authnReqPath, + cred); + org.junit.Assert.fail("Wrong SigAlg not detected"); + + } catch (final SamlSigningException e) { + org.junit.Assert.assertEquals("Wrong errorCode", "internal.pvp.96", e.getErrorId()); + + } + } + + +} diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_1.props b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_1.props index 164b8807..6177b738 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_1.props +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_1.props @@ -1,3 +1,10 @@ +security.hsmfacade.host=eid.a-sit.at +security.hsmfacade.port=9050 +security.hsmfacade.trustedsslcert=src/test/resources/data/hsm_facade_trust_root.crt +security.hsmfacade.username=authhandler-junit +security.hsmfacade.password=supersecret123 +security.hsmfacade.hsmname=software + keystore.path=classpath:/data/junit.jks keystore.pass=password key.metadata.alias=meta diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_3.props b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_3.props new file mode 100644 index 00000000..abc8f591 --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_3.props @@ -0,0 +1,18 @@ +security.hsmfacade.host=eid.a-sit.at +security.hsmfacade.port=9050 +security.hsmfacade.trustedsslcert=src/test/resources/data/hsm_facade_trust_root.crt +security.hsmfacade.username=authhandler-junit +security.hsmfacade.password=supersecret123 +security.hsmfacade.hsmname=software + +keystore.type=hsmfacade +keystore.name=authhandler +key.metadata.alias=authhandler-sign +key.sig.alias=authhandler-sign +key.sig.pass=password +key.enc.alias= +key.enc.pass= + +client.http.connection.timeout.socket=2 +client.http.connection.timeout.connection=2 +client.http.connection.timeout.request=2
\ No newline at end of file diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/data/pvp_metadata_junit_keystore_classpath_entityId.xml b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/data/pvp_metadata_junit_keystore_classpath_entityId.xml index cfc334a6..67eed2ac 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/data/pvp_metadata_junit_keystore_classpath_entityId.xml +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/data/pvp_metadata_junit_keystore_classpath_entityId.xml @@ -66,6 +66,22 @@ SM49BAMCA0kAMEYCIQDFUO0owvqMVRO2FmD+vb8mqJBpWCE6Cl5pEHaygTa5LwIh ANsmjI2azWiTSFjb7Ou5fnCfbeiJUP0s66m8qS4rYl9L </ds:X509Certificate> </ds:X509Data> + <ds:X509Data> + <ds:X509Certificate>MIIDEzCCArqgAwIBAgIIHL62SBANl8QwCgYIKoZIzj0EAwIwIzEhMB8GA1UEAwwYS2V5c3RvcmVC +YWNrZWRQa2lTZXJ2aWNlMB4XDTIwMDIxNzEyMzMxNloXDTIwMDUxNzExMzMxNlowMjEdMBsGA1UE +AwwUaW50LWF1dGhoYW5kbGVyLXNpZ24xETAPBgNVBAoMCHNvZnR3YXJlMIICIjANBgkqhkiG9w0B +AQEFAAOCAg8AMIICCgKCAgEAtVRK3ocL1aqCO+Q0OELikVbEU6tOsXGg1HCWr07YdTsu/qoRCVrB +THF6xqgtFjBVGWkg5kFS7853Lg3peSO1K63RzXWldcgUUM8o9zTybbBI74eXcK8pug1LLAkytQ1i +I6w166am8eoG/vTrc+TIFCDm+pyzmGcl5K8c8Gnm0k41vsMViEFgy6Oq9glts8eEUCOF3ZnL8rIv +w4hjrGsQ+8iZPZEEuMj+rZ2iLI9bjWv6xmNKWTLSO9dm7d2kTNGLQST0XFJkmFDXjQ1jXApXkGlp +i8igWCX3CU8jSuPLdCQ4VU/Pqr/J4uzBWBsv01vs4aqyLVZTGs23xUjJ+9I9fmn1VIfhuh6zGHq+ +jfjBfD6FhndNoPiMEpJT34h39rtF14GOlhb/I1OGjxIyMQGvT7up7p3AlPC7Lz2ylWrVWojR/cAE +umzS6zWgRW9zmVIgC7j48EmMjkapyUWVBR7FkfdodedzSPNETRdWXr7WulSBjjj82AWmwuoDrSZd +330g7FUZHd0D1JFUkLXOgZ1SmyFXds7fTiJGzk4XdYiS8MD07pokNDhZ7FHFGSoTHB8u4fvG2r0u +6tvLRBRkv/3wzDcTcPbEa9Z1JQ3Qh+/aJQmaQMMnE9m4msW4GqTGBoshss8FW1EvUi7JAh4EvXJJ +bhNQmfwU5wBD6WbPsURo7i0CAwEAATAKBggqhkjOPQQDAgNHADBEAiAyb9SMaC7U/HY//YcfjcR0 +j0/DL+9ckFNMvdw0IUq3yAIgEtWkYQrh5Oog7DmVJv0z/C1qPzcjfzDwJI4AlF7IfO4=</ds:X509Certificate> + </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor> <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp2/post"/> @@ -145,6 +161,22 @@ SM49BAMCA0kAMEYCIQDFUO0owvqMVRO2FmD+vb8mqJBpWCE6Cl5pEHaygTa5LwIh ANsmjI2azWiTSFjb7Ou5fnCfbeiJUP0s66m8qS4rYl9L </ds:X509Certificate> </ds:X509Data> + <ds:X509Data> + <ds:X509Certificate>MIIDEzCCArqgAwIBAgIIHL62SBANl8QwCgYIKoZIzj0EAwIwIzEhMB8GA1UEAwwYS2V5c3RvcmVC +YWNrZWRQa2lTZXJ2aWNlMB4XDTIwMDIxNzEyMzMxNloXDTIwMDUxNzExMzMxNlowMjEdMBsGA1UE +AwwUaW50LWF1dGhoYW5kbGVyLXNpZ24xETAPBgNVBAoMCHNvZnR3YXJlMIICIjANBgkqhkiG9w0B +AQEFAAOCAg8AMIICCgKCAgEAtVRK3ocL1aqCO+Q0OELikVbEU6tOsXGg1HCWr07YdTsu/qoRCVrB +THF6xqgtFjBVGWkg5kFS7853Lg3peSO1K63RzXWldcgUUM8o9zTybbBI74eXcK8pug1LLAkytQ1i +I6w166am8eoG/vTrc+TIFCDm+pyzmGcl5K8c8Gnm0k41vsMViEFgy6Oq9glts8eEUCOF3ZnL8rIv +w4hjrGsQ+8iZPZEEuMj+rZ2iLI9bjWv6xmNKWTLSO9dm7d2kTNGLQST0XFJkmFDXjQ1jXApXkGlp +i8igWCX3CU8jSuPLdCQ4VU/Pqr/J4uzBWBsv01vs4aqyLVZTGs23xUjJ+9I9fmn1VIfhuh6zGHq+ +jfjBfD6FhndNoPiMEpJT34h39rtF14GOlhb/I1OGjxIyMQGvT7up7p3AlPC7Lz2ylWrVWojR/cAE +umzS6zWgRW9zmVIgC7j48EmMjkapyUWVBR7FkfdodedzSPNETRdWXr7WulSBjjj82AWmwuoDrSZd +330g7FUZHd0D1JFUkLXOgZ1SmyFXds7fTiJGzk4XdYiS8MD07pokNDhZ7FHFGSoTHB8u4fvG2r0u +6tvLRBRkv/3wzDcTcPbEa9Z1JQ3Qh+/aJQmaQMMnE9m4msW4GqTGBoshss8FW1EvUi7JAh4EvXJJ +bhNQmfwU5wBD6WbPsURo7i0CAwEAATAKBggqhkjOPQQDAgNHADBEAiAyb9SMaC7U/HY//YcfjcR0 +j0/DL+9ckFNMvdw0IUq3yAIgEtWkYQrh5Oog7DmVJv0z/C1qPzcjfzDwJI4AlF7IfO4=</ds:X509Certificate> + </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor> <md:KeyDescriptor use="encryption"> diff --git a/eaaf_modules/eaaf_module_pvp2_sp/pom.xml b/eaaf_modules/eaaf_module_pvp2_sp/pom.xml index 5b16a151..d5faede5 100644 --- a/eaaf_modules/eaaf_module_pvp2_sp/pom.xml +++ b/eaaf_modules/eaaf_module_pvp2_sp/pom.xml @@ -32,11 +32,23 @@ <scope>provided</scope> </dependency> + <!-- Only for testing --> <dependency> <groupId>junit</groupId> <artifactId>junit</artifactId> <scope>test</scope> </dependency> + <dependency> + <groupId>org.springframework</groupId> + <artifactId>spring-test</artifactId> + <scope>test</scope> + </dependency> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf_core_utils</artifactId> + <scope>test</scope> + <type>test-jar</type> + </dependency> </dependencies> <build> diff --git a/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/Pvp2SProfileSpSpringResourceProvider.java b/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/Pvp2SProfileSpSpringResourceProvider.java new file mode 100644 index 00000000..7535e013 --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/Pvp2SProfileSpSpringResourceProvider.java @@ -0,0 +1,48 @@ +/* + * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a + * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European + * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in + * compliance with the Licence. You may obtain a copy of the Licence at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software distributed under the Licence + * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the Licence for the specific language governing permissions and limitations under + * the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text file for details on the + * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative + * works that you distribute must include a readable copy of the "NOTICE" text file. +*/ + +package at.gv.egiz.eaaf.modules.pvp2.sp; + +import at.gv.egiz.components.spring.api.SpringResourceProvider; + +import org.springframework.core.io.ClassPathResource; +import org.springframework.core.io.Resource; + +public class Pvp2SProfileSpSpringResourceProvider implements SpringResourceProvider { + + @Override + public String getName() { + return "EAAF PVP2 S-Profile Service-Provider SpringResourceProvider"; + } + + @Override + public String[] getPackagesToScan() { + // TODO Auto-generated method stub + return null; + } + + @Override + public Resource[] getResourcesToLoad() { + final ClassPathResource sl20AuthConfig = + new ClassPathResource("/eaaf_pvp_sp.beans.xml", Pvp2SProfileSpSpringResourceProvider.class); + + return new Resource[] { sl20AuthConfig }; + } + +} diff --git a/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/PvpAuthnRequestBuilder.java b/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/PvpAuthnRequestBuilder.java index c906ca43..752386a0 100644 --- a/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/PvpAuthnRequestBuilder.java +++ b/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/PvpAuthnRequestBuilder.java @@ -24,6 +24,18 @@ import java.util.List; import javax.servlet.http.HttpServletResponse; +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.modules.pvp2.api.binding.IEncoder; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttributes; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception; +import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding; +import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestExtensionBuilder; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import at.gv.egiz.eaaf.modules.pvp2.sp.api.IPvpAuthnRequestBuilderConfiguruation; +import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnRequestBuildException; + import org.apache.commons.lang3.StringUtils; import org.joda.time.DateTime; import org.opensaml.messaging.encoder.MessageEncodingException; @@ -48,19 +60,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.ApplicationContext; -import org.springframework.stereotype.Service; -import at.gv.egiz.eaaf.core.api.IRequest; -import at.gv.egiz.eaaf.modules.pvp2.api.binding.IEncoder; -import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; -import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttributes; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception; -import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding; -import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestExtensionBuilder; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; -import at.gv.egiz.eaaf.modules.pvp2.sp.api.IPvpAuthnRequestBuilderConfiguruation; -import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnRequestBuildException; import net.shibboleth.utilities.java.support.security.SecureRandomIdentifierGenerationStrategy; /** @@ -69,7 +69,6 @@ import net.shibboleth.utilities.java.support.security.SecureRandomIdentifierGene * @author tlenz * */ -@Service("pvpAuthnRequestBuilder") public class PvpAuthnRequestBuilder { private static final Logger log = LoggerFactory.getLogger(PvpAuthnRequestBuilder.class); diff --git a/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/logging/PvpSpModuleMessageSource.java b/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/logging/PvpSpModuleMessageSource.java new file mode 100644 index 00000000..7fbd2daf --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/logging/PvpSpModuleMessageSource.java @@ -0,0 +1,16 @@ +package at.gv.egiz.eaaf.modules.pvp2.sp.impl.logging; + +import java.util.Arrays; +import java.util.List; + +import at.gv.egiz.eaaf.core.api.logging.IMessageSourceLocation; + +public class PvpSpModuleMessageSource implements IMessageSourceLocation { + + @Override + public List<String> getMessageSourceLocation() { + return Arrays.asList("classpath:messages/pvp_sp_messages"); + + } + +} diff --git a/eaaf_modules/eaaf_module_pvp2_sp/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider b/eaaf_modules/eaaf_module_pvp2_sp/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider new file mode 100644 index 00000000..9a6cb2d2 --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_sp/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider @@ -0,0 +1 @@ +at.gv.egiz.eaaf.modules.pvp2.sp.Pvp2SProfileSpSpringResourceProvider
\ No newline at end of file diff --git a/eaaf_modules/eaaf_module_pvp2_sp/src/main/resources/eaaf_pvp_sp.beans.xml b/eaaf_modules/eaaf_module_pvp2_sp/src/main/resources/eaaf_pvp_sp.beans.xml new file mode 100644 index 00000000..439ad005 --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_sp/src/main/resources/eaaf_pvp_sp.beans.xml @@ -0,0 +1,19 @@ +<?xml version="1.0" encoding="UTF-8"?> + +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:tx="http://www.springframework.org/schema/tx" + xmlns:aop="http://www.springframework.org/schema/aop" + xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd + http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd"> + + <bean id="pvpSpLogMessageSource" + class="at.gv.egiz.eaaf.modules.pvp2.sp.impl.logging.PvpSpModuleMessageSource" /> + + <bean id="pvpAuthnRequestBuilder" + class="at.gv.egiz.eaaf.modules.pvp2.sp.impl.PvpAuthnRequestBuilder" /> + +</beans>
\ No newline at end of file diff --git a/eaaf_modules/eaaf_module_pvp2_sp/src/main/resources/messages/pvp_sp_messages.properties b/eaaf_modules/eaaf_module_pvp2_sp/src/main/resources/messages/pvp_sp_messages.properties new file mode 100644 index 00000000..682c3f18 --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_sp/src/main/resources/messages/pvp_sp_messages.properties @@ -0,0 +1,17 @@ +sp.pvp2.00=Can not build PVP AuthnRequest for {0} {1}. No valid SingleSignOnService endpoint found. +sp.pvp2.01=Can not build PVP AuthnRequest for {0}. IDP is not allowed for federated authentication. +sp.pvp2.02=Can not build PVP AuthnRequest for {0}. IDP has no (valid) metadata. +sp.pvp2.03=Receive PVP Response from {0} with unsupported Binding. +sp.pvp2.04=Receive invalid PVP Response from {0}. No PVP metadata found. +sp.pvp2.05=Receive invalid PVP Response from {0} {1}. StatusCode:{2} Msg:{3}. +sp.pvp2.06=Receive invalid PVP Response from {0}. Assertion does not contain all required attributes. +sp.pvp2.07=Receive invalid PVP Response from {0}. Attribute {1} is not valid. +sp.pvp2.08=Receive invalid PVP Response from {0}. Response issuer {1} is not valid or allowed. +sp.pvp2.09=Receive invalid PVP Response from {0} {1}. StatusCodes:{2} {3} Msg:{4} +sp.pvp2.10=Receive invalid PVP Response from {0}. No valid assertion included. +sp.pvp2.11=Receive invalid PVP Response from {0}. Assertion decryption FAILED. +sp.pvp2.12=Receive invalid PVP Response from {0}. Msg:{1} +sp.pvp2.13=Can not build PVP AuthnRequest for {0}. Internal processing error. + + + diff --git a/eaaf_modules/eaaf_module_pvp2_sp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/sp/test/Pvp2SProfileSpSpringResourceProviderTest.java b/eaaf_modules/eaaf_module_pvp2_sp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/sp/test/Pvp2SProfileSpSpringResourceProviderTest.java new file mode 100644 index 00000000..4a132c3f --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_sp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/sp/test/Pvp2SProfileSpSpringResourceProviderTest.java @@ -0,0 +1,57 @@ +package at.gv.egiz.eaaf.modules.pvp2.sp.test; + +import java.io.IOException; +import java.io.InputStream; + +import at.gv.egiz.eaaf.core.test.TestConstants; +import at.gv.egiz.eaaf.modules.pvp2.Pvp2SProfileCoreSpringResourceProvider; +import at.gv.egiz.eaaf.modules.pvp2.sp.Pvp2SProfileSpSpringResourceProvider; + +import org.apache.commons.io.IOUtils; +import org.junit.Assert; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.BlockJUnit4ClassRunner; +import org.springframework.core.io.Resource; + + + +@RunWith(BlockJUnit4ClassRunner.class) +public class Pvp2SProfileSpSpringResourceProviderTest { + + @Test + public void testSpringConfig() { + final Pvp2SProfileCoreSpringResourceProvider test = + new Pvp2SProfileCoreSpringResourceProvider(); + for (final Resource el : test.getResourcesToLoad()) { + try { + IOUtils.toByteArray(el.getInputStream()); + + } catch (final IOException e) { + Assert.fail("Ressouce: " + el.getFilename() + " not found"); + } + + } + + Assert.assertNotNull("no Name", test.getName()); + Assert.assertNull("Find package definitions", test.getPackagesToScan()); + + } + + @Test + public void testSpILoaderConfig() { + final InputStream el = this.getClass().getResourceAsStream(TestConstants.TEST_SPI_LOADER_PATH); + try { + final String spiFile = IOUtils.toString(el, "UTF-8"); + + Assert.assertEquals("Wrong classpath in SPI file", + Pvp2SProfileSpSpringResourceProvider.class.getName(), spiFile); + + + } catch (final IOException e) { + Assert.fail("Ressouce: " + TestConstants.TEST_SPI_LOADER_PATH + " not found"); + + } + } + +} diff --git a/eaaf_modules/eaaf_module_pvp2_sp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/sp/test/PvpSpMessageSourceTest.java b/eaaf_modules/eaaf_module_pvp2_sp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/sp/test/PvpSpMessageSourceTest.java new file mode 100644 index 00000000..34ac9b5a --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_sp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/sp/test/PvpSpMessageSourceTest.java @@ -0,0 +1,36 @@ +package at.gv.egiz.eaaf.modules.pvp2.sp.test; + +import at.gv.egiz.eaaf.core.api.logging.IMessageSourceLocation; + +import org.junit.Assert; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.core.io.Resource; +import org.springframework.core.io.ResourceLoader; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; + +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration({ "/eaaf_pvp_sp.beans.xml"}) +public class PvpSpMessageSourceTest { + + @Autowired + private ResourceLoader loader; + @Autowired(required = false) + private IMessageSourceLocation messageSource; + + @Test + public void simpleTests() { + Assert.assertNotNull("No messageSource", messageSource); + + Assert.assertNotNull("No sourcePath", messageSource.getMessageSourceLocation()); + + for (final String el : messageSource.getMessageSourceLocation()) { + final Resource messages = loader.getResource(el + ".properties"); + Assert.assertTrue("Source not exist", messages.exists()); + + } + + } +} |