first stable version that uses OpenSAML 3.x

1 files changed, 244 insertions, 46 deletions

diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/PostBindingTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/PostBindingTest.java
index 6adce26e..87073e81 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/PostBindingTest.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/PostBindingTest.java
@@ -3,6 +3,7 @@ package at.gv.egiz.eaaf.modules.pvp2.test.binding;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.UnsupportedEncodingException;
 import java.util.Base64;
 import java.util.Map;
 
@@ -13,23 +14,30 @@ import at.gv.egiz.eaaf.core.api.gui.IVelocityGuiBuilderConfiguration;
 import at.gv.egiz.eaaf.core.impl.idp.module.gui.DummyGuiBuilderConfigurationFactory;
 import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl;
 import at.gv.egiz.eaaf.core.impl.utils.DomUtils;
+import at.gv.egiz.eaaf.core.impl.utils.IHttpClientFactory;
+import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
 import at.gv.egiz.eaaf.modules.pvp2.api.message.InboundMessageInterface;
 import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
 import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
 import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SamlMessageValidationException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException;
 import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding;
+import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory;
 import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer;
 import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EaafUriCompare;
 import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider;
+import at.gv.egiz.eaaf.modules.pvp2.test.metadata.MetadataResolverTest;
 
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.RandomStringUtils;
+import org.joda.time.DateTime;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.runner.RunWith;
-import org.opensaml.core.config.InitializationException;
 import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
 import org.opensaml.core.xml.io.Unmarshaller;
 import org.opensaml.core.xml.io.UnmarshallerFactory;
@@ -40,6 +48,7 @@ import org.opensaml.messaging.encoder.MessageEncodingException;
 import org.opensaml.saml.common.SignableSAMLObject;
 import org.opensaml.saml.saml2.core.RequestAbstractType;
 import org.opensaml.saml.saml2.core.StatusResponseType;
+import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
@@ -49,9 +58,11 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.w3c.dom.Element;
 import org.xml.sax.SAXException;
 
-import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
 import net.shibboleth.utilities.java.support.net.URIComparator;
 import net.shibboleth.utilities.java.support.xml.XMLParserException;
+import okhttp3.HttpUrl;
+import okhttp3.mockwebserver.MockResponse;
+import okhttp3.mockwebserver.MockWebServer;
 
 @RunWith(SpringJUnit4ClassRunner.class)
 @ContextConfiguration({"/spring/test_eaaf_pvp.beans.xml"})
@@ -65,15 +76,27 @@ public class PostBindingTest {
   @Autowired private PostBinding bindingImpl;
   @Autowired private DummyCredentialProvider credentialProvider;
   @Autowired private DummyGuiBuilderConfigurationFactory guiBuilderFactory;
+  @Autowired private PvpMetadataResolverFactory metadataResolverFactory;
+  @Autowired private IHttpClientFactory httpClientFactory;
+
+  private static MockWebServer mockWebServer;
+  private static HttpUrl mockServerUrl;
 
   protected MockHttpServletRequest httpReq;
   protected MockHttpServletResponse httpResp;
   protected IRequest pendingReq;
 
+  /**
+   * JUnit class initializer.
+   *
+   * @throws Exception In case of an OpenSAML3 initialization error
+   */
   @BeforeClass
-  public static void classInitializer() throws InitializationException, ComponentInitializationException {
+  public static void classInitializer() throws Exception {
     EaafOpenSaml3xInitializer.eaafInitialize();
 
+    mockWebServer = new MockWebServer();
+    mockServerUrl = mockWebServer.url("/sp/metadata");
   }
 
   /**
@@ -101,12 +124,14 @@ public class PostBindingTest {
   }
 
   @Test
-  public void decodeRequestSuccess() throws MessageDecodingException, SecurityException, IOException, Pvp2Exception {
-    final String serviceUrl = "http://testservice.org";
+  public void decodeRequestWrongEndpoint() throws MessageDecodingException, SecurityException,
+      IOException, Pvp2MetadataException {
+    final String serviceUrl = "https://wrongEndpoint/pvp2/post";
 
-    final IPvp2MetadataProvider metadataProvider = null;
+    final IPvp2MetadataProvider metadataProvider =
+        metadataResolverFactory.createMetadataProvider(
+            "classpath:/data/pvp_metadata_wrong_sig.xml", null, "jUnit metadata resolver", null);
 
-    final boolean isSpEndPoint = false;
     final URIComparator comparator = new EaafUriCompare(serviceUrl);
 
     final String b64AuthnReq = Base64.getEncoder().encodeToString(IOUtils.toByteArray(
@@ -114,39 +139,169 @@ public class PostBindingTest {
     httpReq.setMethod("POST");
     httpReq.addParameter("SAMLRequest", b64AuthnReq);
 
+    try {
+      bindingImpl.decode(httpReq, httpResp, metadataProvider, SPSSODescriptor.DEFAULT_ELEMENT_NAME, comparator);
+      Assert.fail("Wrong http end-point not detected");
+
+    } catch (final Pvp2Exception e) {
+      Assert.assertEquals("Wrong errorCode", "internal.pvp.11", e.getErrorId());
+      Assert.assertNotNull("Parameters null", e.getParams());
+      Assert.assertEquals("Wrong numer of parameters", 1, e.getParams().length);
+
+
+    }
+
+  }
+
+  @Test
+  public void decodeRequestMissingSignature() throws MessageDecodingException, SecurityException,
+      IOException, Pvp2MetadataException {
+    final String serviceUrl = "https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp2/post";
+
+    final IPvp2MetadataProvider metadataProvider =
+        metadataResolverFactory.createMetadataProvider(
+            "classpath:/data/pvp_metadata_wrong_sig.xml", null, "jUnit metadata resolver", null);
+
+    final URIComparator comparator = new EaafUriCompare(serviceUrl);
+
+    final String b64AuthnReq = Base64.getEncoder().encodeToString(IOUtils.toByteArray(
+        PostBindingTest.class.getResourceAsStream("/data/AuthRequest_without_sig_1.xml")));
+    httpReq.setMethod("POST");
+    httpReq.addParameter("SAMLRequest", b64AuthnReq);
+
+    try {
+      bindingImpl.decode(httpReq, httpResp, metadataProvider, SPSSODescriptor.DEFAULT_ELEMENT_NAME, comparator);
+      Assert.fail("Missing signature not detected");
+
+    } catch (final Pvp2Exception e) {
+      Assert.assertEquals("Wrong errorCode", "internal.pvp.02", e.getErrorId());
+
+    }
+
+  }
+
+  @Test
+  public void decodeRequestWrongSignature() throws MessageDecodingException, SecurityException,
+      IOException, Pvp2Exception {
+    final String serviceUrl = "https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp2/post";
+
+    final IPvp2MetadataProvider metadataProvider =
+        metadataResolverFactory.createMetadataProvider(
+            "classpath:/data/pvp_metadata_wrong_sig.xml", null, "jUnit metadata resolver", null);
+
+    final URIComparator comparator = new EaafUriCompare(serviceUrl);
+
+    final String b64AuthnReq = Base64.getEncoder().encodeToString(IOUtils.toByteArray(
+        PostBindingTest.class.getResourceAsStream("/data/AuthRequest_with_sig_1.xml")));
+    httpReq.setMethod("POST");
+    httpReq.addParameter("SAMLRequest", b64AuthnReq);
+
+    try {
+      bindingImpl.decode(httpReq, httpResp, metadataProvider, SPSSODescriptor.DEFAULT_ELEMENT_NAME, comparator);
+      Assert.fail("Invalid signature not detected");
+
+    } catch (final Pvp2Exception e) {
+      org.springframework.util.Assert.isInstanceOf(SamlSigningException.class, e, "Wrong Exception type");
+      Assert.assertEquals("Wrong errorCode", "internal.pvp.10", e.getErrorId());
+      Assert.assertNotNull("No error params", e.getParams());
+      Assert.assertEquals("Wrong param size", 1, e.getParams().length);
+
+    }
+
+  }
+
+  @Test
+  public void decodeRequestMsgExpired() throws MessageDecodingException, SecurityException, IOException, Pvp2Exception {
+    final String serviceUrl = "https://eidas-test.bmi.gv.at/ms_connector/pvp/post";
+
+    final IPvp2MetadataProvider metadataProvider =
+        metadataResolverFactory.createMetadataProvider(
+            "classpath:/data/pvp_metadata_moaid_test.xml", null, "jUnit metadata resolver", null);
+
+    final URIComparator comparator = new EaafUriCompare(serviceUrl);
+
+    final String b64AuthnReq = new String(IOUtils.toByteArray(
+        PostBindingTest.class.getResourceAsStream("/data/AuthRequest_withsig_expired.b64")), "UTF-8");
+    httpReq.setMethod("POST");
+    httpReq.addParameter("SAMLRequest", b64AuthnReq);
+
+
+    try {
+      bindingImpl.decode(httpReq, httpResp, metadataProvider, SPSSODescriptor.DEFAULT_ELEMENT_NAME, comparator);
+      Assert.fail("Expired msg not detected");
+
+    } catch (final Pvp2Exception e) {
+      org.springframework.util.Assert.isInstanceOf(SamlMessageValidationException.class, e, "Wrong Exception type");
+      Assert.assertEquals("Wrong errorCode", "internal.pvp.11", e.getErrorId());
+      Assert.assertNotNull("No error params", e.getParams());
+      Assert.assertEquals("Wrong param size", 1, e.getParams().length);
+
+    }
+
+  }
+
+  @Test
+  public void decodeRequestSuccessMetadataReloadRequired() throws MessageDecodingException, SecurityException,
+      IOException, Pvp2Exception, CredentialsNotAvailableException, XMLParserException, UnmarshallingException {
+    final String serviceUrl = "http://testservice.org";
+
+    final String b64AuthnReq = generateSaml2AuthnRequest(
+        credentialProvider.getIdpMetaDataSigningCredential());
+    httpReq.setMethod("POST");
+    httpReq.addParameter("SAMLRequest", b64AuthnReq);
+
+    mockWebServer.enqueue(new MockResponse().setResponseCode(200)
+        .setBody(new String(IOUtils.toByteArray(
+            MetadataResolverTest.class.getResourceAsStream(
+                "/data/pvp_metadata_wrong_sig.xml")), "UTF-8"))
+        .setHeader("Content-Type", "text/xml"));
+
+    mockWebServer.enqueue(new MockResponse().setResponseCode(200)
+        .setBody(new String(IOUtils.toByteArray(
+            MetadataResolverTest.class.getResourceAsStream(
+                "/data/pvp_metadata_junit_keystore.xml")), "UTF-8"))
+        .setHeader("Content-Type", "text/xml"));
+
+    final IPvp2MetadataProvider metadataProvider =
+        metadataResolverFactory.createMetadataProvider(
+            mockServerUrl.url().toString(),
+            null, "jUnit test", httpClientFactory.getHttpClient());
+
+    final URIComparator comparator = new EaafUriCompare(serviceUrl);
+
 
     final InboundMessageInterface msg =
-        bindingImpl.decode(httpReq, httpResp, metadataProvider, isSpEndPoint, comparator);
+        bindingImpl.decode(httpReq, httpResp, metadataProvider, SPSSODescriptor.DEFAULT_ELEMENT_NAME, comparator);
 
     Assert.assertNotNull("PVP msg is null", msg);
-    Assert.assertNull("RelayState is not null", msg.getRelayState());
+    Assert.assertNull("RelayState not null", msg.getRelayState());
     Assert.assertNotNull("AuthnReq is null", msg.getInboundMessage());
     Assert.assertNotNull("EntityId is null", msg.getEntityID());
     Assert.assertEquals("EntityId not match", "https://demo.egiz.gv.at/demoportal_demologin/", msg.getEntityID());
-    Assert.assertFalse("Wrong isVerified flag", msg.isVerified());
+    Assert.assertTrue("Wrong isVerified flag", msg.isVerified());
 
   }
 
   @Test
-  public void decodeRequestSuccessWithRelayState() throws MessageDecodingException, SecurityException,
-      IOException, Pvp2Exception {
+  public void decodeRequestSuccessWithRelayStateRsaSig() throws MessageDecodingException, SecurityException,
+      IOException, Pvp2Exception, CredentialsNotAvailableException, XMLParserException, UnmarshallingException {
     final String serviceUrl = "http://testservice.org";
     final String relayState = RandomStringUtils.randomAlphanumeric(10);
 
-    final String b64AuthnReq = Base64.getEncoder().encodeToString(IOUtils.toByteArray(
-        PostBindingTest.class.getResourceAsStream("/data/AuthRequest_with_sig_1.xml")));
+    final String b64AuthnReq = generateSaml2AuthnRequest(
+        credentialProvider.getIdpMetaDataSigningCredential());
     httpReq.setMethod("POST");
     httpReq.addParameter("SAMLRequest", b64AuthnReq);
     httpReq.addParameter("RelayState", relayState);
 
-    final IPvp2MetadataProvider metadataProvider = null;
+    final IPvp2MetadataProvider metadataProvider =
+        metadataResolverFactory.createMetadataProvider(
+            "classpath:/data/pvp_metadata_junit_keystore.xml", null, "jUnit metadata resolver", null);
 
-    final boolean isSpEndPoint = false;
     final URIComparator comparator = new EaafUriCompare(serviceUrl);
 
-
     final InboundMessageInterface msg =
-        bindingImpl.decode(httpReq, httpResp, metadataProvider, isSpEndPoint, comparator);
+        bindingImpl.decode(httpReq, httpResp, metadataProvider, SPSSODescriptor.DEFAULT_ELEMENT_NAME, comparator);
 
     Assert.assertNotNull("PVP msg is null", msg);
     Assert.assertNotNull("RelayState is not null", msg.getRelayState());
@@ -154,64 +309,63 @@ public class PostBindingTest {
     Assert.assertNotNull("AuthnReq is null", msg.getInboundMessage());
     Assert.assertNotNull("EntityId is null", msg.getEntityID());
     Assert.assertEquals("EntityId not match", "https://demo.egiz.gv.at/demoportal_demologin/", msg.getEntityID());
-    Assert.assertFalse("Wrong isVerified flag", msg.isVerified());
+    Assert.assertTrue("Wrong isVerified flag", msg.isVerified());
 
   }
 
   @Test
-  public void decodeResponseSuccess() throws MessageDecodingException, SecurityException, IOException, Pvp2Exception {
+  public void decodeRequestSuccessWithoutRelayStateEcdsaSig() throws MessageDecodingException, SecurityException,
+      IOException, Pvp2Exception, CredentialsNotAvailableException, XMLParserException, UnmarshallingException {
     final String serviceUrl = "http://testservice.org";
 
-    final IPvp2MetadataProvider metadataProvider = null;
-
-    final boolean isSpEndPoint = false;
-    final URIComparator comparator = new EaafUriCompare(serviceUrl);
-
-    final String b64AuthnReq = Base64.getEncoder().encodeToString(IOUtils.toByteArray(
-        PostBindingTest.class.getResourceAsStream("/data/Response_with_sig_1.xml")));
+    final String b64AuthnReq = generateSaml2AuthnRequest(
+        credentialProvider.getIdpAssertionSigningCredential());
     httpReq.setMethod("POST");
     httpReq.addParameter("SAMLRequest", b64AuthnReq);
 
 
+    final IPvp2MetadataProvider metadataProvider =
+        metadataResolverFactory.createMetadataProvider(
+            "classpath:/data/pvp_metadata_junit_keystore.xml", null, "jUnit metadata resolver", null);
+
+    final URIComparator comparator = new EaafUriCompare(serviceUrl);
+
     final InboundMessageInterface msg =
-        bindingImpl.decode(httpReq, httpResp, metadataProvider, isSpEndPoint, comparator);
+        bindingImpl.decode(httpReq, httpResp, metadataProvider, SPSSODescriptor.DEFAULT_ELEMENT_NAME, comparator);
 
     Assert.assertNotNull("PVP msg is null", msg);
     Assert.assertNull("RelayState is not null", msg.getRelayState());
-    Assert.assertNotNull("Response is null", msg.getInboundMessage());
+    Assert.assertNotNull("AuthnReq is null", msg.getInboundMessage());
     Assert.assertNotNull("EntityId is null", msg.getEntityID());
-    Assert.assertEquals("EntityId not match", "https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp/metadata", msg.getEntityID());
-    Assert.assertFalse("Wrong isVerified flag", msg.isVerified());
+    Assert.assertEquals("EntityId not match", "https://demo.egiz.gv.at/demoportal_demologin/", msg.getEntityID());
+    Assert.assertTrue("Wrong isVerified flag", msg.isVerified());
 
   }
 
   @Test
-  public void decodeResponseSuccessWithRelayState() throws MessageDecodingException, SecurityException, IOException, Pvp2Exception {
+  public void decodeResponseSuccess() throws MessageDecodingException, SecurityException,
+      IOException, Pvp2Exception, CredentialsNotAvailableException, XMLParserException, UnmarshallingException {
     final String serviceUrl = "http://testservice.org";
-    final String relayState = RandomStringUtils.randomAlphanumeric(10);
 
-    final String b64AuthnReq = Base64.getEncoder().encodeToString(IOUtils.toByteArray(
-        PostBindingTest.class.getResourceAsStream("/data/Response_with_sig_1.xml")));
-    httpReq.setMethod("POST");
-    httpReq.addParameter("SAMLRequest", b64AuthnReq);
-    httpReq.addParameter("RelayState", relayState);
+    final IPvp2MetadataProvider metadataProvider =
+        metadataResolverFactory.createMetadataProvider(
+            "classpath:/data/pvp_metadata_junit_keystore.xml", null, "jUnit metadata resolver", null);
 
-    final IPvp2MetadataProvider metadataProvider = null;
-
-    final boolean isSpEndPoint = false;
     final URIComparator comparator = new EaafUriCompare(serviceUrl);
 
+    final String b64AuthnReq = generateSaml2Response(credentialProvider.getIdpMetaDataSigningCredential());
+    httpReq.setMethod("POST");
+    httpReq.addParameter("SAMLRequest", b64AuthnReq);
 
     final InboundMessageInterface msg =
-        bindingImpl.decode(httpReq, httpResp, metadataProvider, isSpEndPoint, comparator);
+        bindingImpl.decode(httpReq, httpResp, metadataProvider, SPSSODescriptor.DEFAULT_ELEMENT_NAME, comparator);
 
     Assert.assertNotNull("PVP msg is null", msg);
-    Assert.assertNotNull("RelayState is not null", msg.getRelayState());
-    Assert.assertEquals("RelayState not match", relayState, msg.getRelayState());
+    Assert.assertNull("RelayState is not null", msg.getRelayState());
     Assert.assertNotNull("Response is null", msg.getInboundMessage());
     Assert.assertNotNull("EntityId is null", msg.getEntityID());
-    Assert.assertEquals("EntityId not match", "https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp/metadata", msg.getEntityID());
-    Assert.assertFalse("Wrong isVerified flag", msg.isVerified());
+    Assert.assertEquals("EntityId not match", "https://demo.egiz.gv.at/demoportal_demologin/", msg.getEntityID());
+    Assert.assertTrue("Wrong isVerified flag", msg.isVerified());
 
   }
 
@@ -445,4 +599,48 @@ public class PostBindingTest {
 
   }
 
+  private String generateSaml2AuthnRequest(EaafX509Credential credentials)
+      throws XMLParserException, UnmarshallingException, Pvp2Exception, CredentialsNotAvailableException,
+      UnsupportedEncodingException {
+    final MockHttpServletRequest intHttpReq = new MockHttpServletRequest();
+    final MockHttpServletResponse intHttpResp = new MockHttpServletResponse();
+    guiBuilderFactory.setVelocityBuilderConfig(createDummyGuiConfig());
+    final RequestAbstractType authnReq = (RequestAbstractType) XMLObjectSupport.unmarshallFromInputStream(
+        XMLObjectProviderRegistrySupport.getParserPool(),
+        PostBindingTest.class.getResourceAsStream("/data/AuthRequest_without_sig_1.xml"));
+    authnReq.setIssueInstant(DateTime.now());
+
+    bindingImpl.encodeRequest(intHttpReq, intHttpResp, authnReq, "http://testservice.org", null,
+        credentials, pendingReq);
+
+    Assert.assertEquals("http StatusCode", 200, intHttpResp.getStatus());
+    final String http = intHttpResp.getContentAsString();
+    Assert.assertNotNull("http body is null", http);
+    Assert.assertTrue("SAMLRequest parameter", http.contains(HTTP_FORM_SAMLREQ));
+    return extractParamFromHttpForm(http, HTTP_FORM_SAMLREQ);
+
+  }
+
+  private String generateSaml2Response(EaafX509Credential credentials)
+      throws XMLParserException, UnmarshallingException, Pvp2Exception, CredentialsNotAvailableException,
+      UnsupportedEncodingException {
+    final MockHttpServletRequest intHttpReq = new MockHttpServletRequest();
+    final MockHttpServletResponse intHttpResp = new MockHttpServletResponse();
+    guiBuilderFactory.setVelocityBuilderConfig(createDummyGuiConfig());
+    final StatusResponseType response = (StatusResponseType)  XMLObjectSupport.unmarshallFromInputStream(
+        XMLObjectProviderRegistrySupport.getParserPool(),
+        PostBindingTest.class.getResourceAsStream("/data/Response_without_sig_1.xml"));
+    response.setIssueInstant(DateTime.now());
+
+    bindingImpl.encodeResponse(intHttpReq, intHttpResp, response, "http://testservice.org", null,
+        credentials, pendingReq);
+
+    Assert.assertEquals("http StatusCode", 200, intHttpResp.getStatus());
+    final String http = intHttpResp.getContentAsString();
+    Assert.assertNotNull("http body is null", http);
+    Assert.assertTrue("SAMLRequest parameter", http.contains(HTTP_FORM_SAMLRESP));
+    return extractParamFromHttpForm(http, HTTP_FORM_SAMLRESP);
+
+  }
+
 }