first stable version that uses OpenSAML 3.x

1 files changed, 725 insertions, 0 deletions

diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/metadata/MetadataResolverTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/metadata/MetadataResolverTest.java
new file mode 100644
index 00000000..f40fbc74
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/metadata/MetadataResolverTest.java
@@ -0,0 +1,725 @@
+package at.gv.egiz.eaaf.modules.pvp2.test.metadata;
+
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.xml.transform.TransformerException;
+
+import at.gv.egiz.eaaf.core.impl.utils.IHttpClientFactory;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException;
+import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory;
+import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.PvpEntityCategoryFilter;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SchemaValidationFilter;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SimpleMetadataSignatureVerificationFilter;
+import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider;
+
+import org.apache.commons.io.IOUtils;
+import org.joda.time.DateTime;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.opensaml.core.config.ConfigurationService;
+import org.opensaml.core.criterion.EntityIdCriterion;
+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
+import org.opensaml.core.xml.io.MarshallingException;
+import org.opensaml.core.xml.io.UnmarshallingException;
+import org.opensaml.core.xml.util.XMLObjectSupport;
+import org.opensaml.saml.common.xml.SAMLConstants;
+import org.opensaml.saml.criterion.EntityRoleCriterion;
+import org.opensaml.saml.metadata.resolver.filter.MetadataFilter;
+import org.opensaml.saml.metadata.resolver.filter.MetadataFilterChain;
+import org.opensaml.saml.metadata.resolver.filter.impl.RequiredValidUntilFilter;
+import org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver;
+import org.opensaml.saml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml.saml2.metadata.RequestedAttribute;
+import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml.security.impl.MetadataCredentialResolver;
+import org.opensaml.security.credential.Credential;
+import org.opensaml.security.credential.UsageType;
+import org.opensaml.security.criteria.UsageCriterion;
+import org.opensaml.security.x509.BasicX509Credential;
+import org.opensaml.xmlsec.SignatureValidationConfiguration;
+import org.opensaml.xmlsec.SignatureValidationParameters;
+import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
+import org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver;
+import org.opensaml.xmlsec.keyinfo.impl.KeyInfoProvider;
+import org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider;
+import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider;
+import org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider;
+import org.opensaml.xmlsec.signature.support.SignatureValidationParametersCriterion;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.TestPropertySource;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.w3c.dom.Element;
+
+import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
+import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
+import net.shibboleth.utilities.java.support.resolver.ResolverException;
+import net.shibboleth.utilities.java.support.xml.SerializeSupport;
+import net.shibboleth.utilities.java.support.xml.XMLParserException;
+import okhttp3.HttpUrl;
+import okhttp3.mockwebserver.MockResponse;
+import okhttp3.mockwebserver.MockWebServer;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration({ "/spring/test_eaaf_pvp.beans.xml" })
+@TestPropertySource(locations = { "/config/config_1.props" })
+public class MetadataResolverTest {
+
+  private static MockWebServer mockWebServer;
+  private static HttpUrl mockServerUrl;
+
+  @Autowired
+  private PvpMetadataResolverFactory metadataResolverFactory;
+  @Autowired
+  private IHttpClientFactory httpClientFactory;
+  @Autowired private DummyCredentialProvider credentialProvider;
+
+  /**
+   * JUnit class initializer.
+   *
+   * @throws Exception In case of an OpenSAML3 initialization error
+   */
+  @BeforeClass
+  public static void classInitializer() throws Exception {
+    EaafOpenSaml3xInitializer.eaafInitialize();
+    mockWebServer = new MockWebServer();
+    mockServerUrl = mockWebServer.url("/sp/metadata");
+
+  }
+
+  /**
+   * Single test initializer.
+   *
+   */
+  @Before
+  public void testInitializer() {
+
+  }
+
+  @Test
+  public void wrongSchema() {
+    final List<MetadataFilter> filterList = new ArrayList<>();
+    filterList.add(new SchemaValidationFilter(true));
+
+    final MetadataFilterChain filterChain = new MetadataFilterChain();
+    filterChain.setFilters(filterList);
+
+    try {
+      metadataResolverFactory.createMetadataProvider(
+          "classpath:/data/pvp_metadata_wrong_schema.xml",
+          filterChain, "jUnit test", null);
+      Assert.fail("Wrong XML Schema not detected");
+
+    } catch (final Pvp2MetadataException e) {
+      Assert.assertEquals("Wrong ErrorCode", "internal.pvp.08", e.getErrorId());
+      Assert.assertNotNull("params null", e.getParams());
+      Assert.assertEquals("Params size", 2, e.getParams().length);
+      Assert.assertEquals("Param[0] wrong",
+          "classpath:/data/pvp_metadata_wrong_schema.xml", e.getParams()[0]);
+
+    }
+
+  }
+
+  @Test
+  public void simpleClasspathMetadataWithoutSigValidation()
+      throws Pvp2MetadataException, ComponentInitializationException, ResolverException,
+      Pvp2InternalErrorException {
+    final List<MetadataFilter> filterList = new ArrayList<>();
+    filterList.add(new SchemaValidationFilter(true));
+
+    final MetadataFilterChain filterChain = new MetadataFilterChain();
+    filterChain.setFilters(filterList);
+
+    final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider(
+        "classpath:/data/pvp_metadata_wrong_sig.xml",
+        filterChain, "jUnit test", null);
+
+    final EntityDescriptor entityIdNotExists = mdResolver.getEntityDescriptor(
+        "https://demo.egiz.gv.at/notExtist/");
+    Assert.assertNull("No EntityDescripter", entityIdNotExists);
+
+    final EntityDescriptor entityId = mdResolver.getEntityDescriptor(
+        "https://demo.egiz.gv.at/demoportal_demologin/");
+    Assert.assertNotNull("No EntityDescripter", entityId);
+
+    Assert.assertNotNull("Metadata provider is null", mdResolver);
+    final MetadataCredentialResolver resolver = createKeyInfoResolver(mdResolver);
+
+    final CriteriaSet criteriaSet = new CriteriaSet();
+    criteriaSet.add(new EntityIdCriterion("https://demo.egiz.gv.at/demoportal_demologin/"));
+    criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
+    criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
+    final SignatureValidationParameters sigValCrit = new SignatureValidationParameters();
+    sigValCrit.setBlacklistedAlgorithms(
+        ConfigurationService.get(SignatureValidationConfiguration.class)
+            .getBlacklistedAlgorithms());
+    sigValCrit.setSignatureTrustEngine(
+        TrustEngineFactory.getSignatureKnownKeysTrustEngine(mdResolver));
+    criteriaSet.add(new SignatureValidationParametersCriterion(sigValCrit));
+
+    final Iterable<Credential> keyInfos = resolver.resolve(criteriaSet);
+    Assert.assertNotNull("KeyInfos null", keyInfos);
+
+  }
+
+  @Test
+  public void noCredentials() {
+    final String metadataUrl = "classpath:/data/pvp_metadata_moaid_test.xml";
+
+    final List<BasicX509Credential> credentials = new ArrayList<>();
+
+    final List<MetadataFilter> filterList = new ArrayList<>();
+    filterList.add(new SchemaValidationFilter(true));
+
+    filterList.add(new SimpleMetadataSignatureVerificationFilter(
+        credentials,
+        metadataUrl));
+
+    final MetadataFilterChain filterChain = new MetadataFilterChain();
+    filterChain.setFilters(filterList);
+
+    try {
+      metadataResolverFactory.createMetadataProvider(
+          metadataUrl,
+          filterChain, "jUnit test", null);
+      Assert.fail("Untrusted signature not detected");
+
+    } catch (final Pvp2MetadataException e) {
+      Assert.assertEquals("Wrong errorCode", "internal.pvp.07", e.getErrorId());
+
+    }
+
+  }
+
+  @Test
+  public void wrongCredentials() throws CertificateException {
+    final String metadataUrl = "classpath:/data/pvp_metadata_moaid_test.xml";
+
+    final List<BasicX509Credential> credentials = new ArrayList<>();
+    final CertificateFactory fact = CertificateFactory.getInstance("X.509");
+    final BasicX509Credential credential = new BasicX509Credential((X509Certificate) fact.generateCertificate(
+        MetadataResolverTest.class.getResourceAsStream("/data/assertion_sig_cert.crt")));
+    credentials.add(credential);
+
+    final List<MetadataFilter> filterList = new ArrayList<>();
+    filterList.add(new SchemaValidationFilter(true));
+
+    filterList.add(new SimpleMetadataSignatureVerificationFilter(
+        credentials,
+        metadataUrl));
+
+    final MetadataFilterChain filterChain = new MetadataFilterChain();
+    filterChain.setFilters(filterList);
+
+    try {
+      metadataResolverFactory.createMetadataProvider(
+          metadataUrl,
+          filterChain, "jUnit test", null);
+      Assert.fail("Untrusted signature not detected");
+
+    } catch (final Pvp2MetadataException e) {
+      Assert.assertEquals("Wrong errorCode", "internal.pvp.07", e.getErrorId());
+
+    }
+
+  }
+
+  @Test
+  public void validCredentialsInvalidSig() throws CertificateException, Pvp2MetadataException,
+      ResolverException {
+    final String metadataUrl = "classpath:/data/pvp_metadata_moaid_test.xml";
+
+    final List<BasicX509Credential> credentials = new ArrayList<>();
+    final CertificateFactory fact = CertificateFactory.getInstance("X.509");
+    credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate(
+        MetadataResolverTest.class.getResourceAsStream("/data/assertion_sig_cert.crt"))));
+    credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate(
+        MetadataResolverTest.class.getResourceAsStream("/data/metadata_sig_cert.crt"))));
+
+    final List<MetadataFilter> filterList = new ArrayList<>();
+    filterList.add(new SchemaValidationFilter(true));
+
+    filterList.add(new SimpleMetadataSignatureVerificationFilter(
+        credentials,
+        metadataUrl));
+
+    final MetadataFilterChain filterChain = new MetadataFilterChain();
+    filterChain.setFilters(filterList);
+    try {
+      metadataResolverFactory.createMetadataProvider(
+          metadataUrl,
+          filterChain, "jUnit test", null);
+      Assert.fail("Untrusted signature not detected");
+
+    } catch (final Pvp2MetadataException e) {
+      Assert.assertEquals("Wrong errorCode", "internal.pvp.07", e.getErrorId());
+
+    }
+
+  }
+
+  @Test
+  public void metadataSignatureValidCredentials() throws CertificateException, Pvp2MetadataException,
+      ResolverException, XMLParserException, UnmarshallingException, SamlSigningException,
+      CredentialsNotAvailableException, MarshallingException, TransformerException, IOException {
+
+    final String metadataUrl = "classpath:/data/pvp_metadata_valid.xml";
+
+    final List<BasicX509Credential> credentials = new ArrayList<>();
+    final CertificateFactory fact = CertificateFactory.getInstance("X.509");
+    credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate(
+        MetadataResolverTest.class.getResourceAsStream("/data/metadata_sig_cert.crt"))));
+    credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate(
+        MetadataResolverTest.class.getResourceAsStream("/data/assertion_sig_cert.crt"))));
+    credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate(
+        MetadataResolverTest.class.getResourceAsStream("/data/junit_metadata_sig_cert.crt"))));
+
+    final List<MetadataFilter> filterList = new ArrayList<>();
+    filterList.add(new SchemaValidationFilter(true));
+    filterList.add(new SimpleMetadataSignatureVerificationFilter(
+        credentials,
+        metadataUrl));
+    filterList.add(new PvpEntityCategoryFilter(true));
+
+    final MetadataFilterChain filterChain = new MetadataFilterChain();
+    filterChain.setFilters(filterList);
+
+    final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider(
+        metadataUrl,
+        filterChain, "jUnit test", httpClientFactory.getHttpClient());
+
+    final EntityDescriptor entityIdNotExists = mdResolver.getEntityDescriptor(
+        "https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eid/metadata");
+    Assert.assertNotNull("No EntityDescripter", entityIdNotExists);
+
+  }
+
+  @Test
+  public void metadataSignatureValidCredentialsSecond() throws CertificateException, Pvp2MetadataException,
+      ResolverException, XMLParserException, UnmarshallingException, SamlSigningException,
+      CredentialsNotAvailableException, MarshallingException, TransformerException, IOException {
+
+    final EntityDescriptor metadata = (EntityDescriptor) XMLObjectSupport.unmarshallFromInputStream(
+        XMLObjectProviderRegistrySupport.getParserPool(),
+        MetadataResolverTest.class.getResourceAsStream("/data/pvp_metadata_valid_with_entityCategory.xml"));
+    metadata.setValidUntil(DateTime.now().plusDays(1));
+    metadata.setSignature(null);
+    Saml2Utils.signSamlObject(metadata, credentialProvider.getIdpMetaDataSigningCredential(), true);
+    final Element metadataElement = XMLObjectSupport.marshall(metadata);
+    mockWebServer.enqueue(new MockResponse().setResponseCode(200)
+        .setBody(SerializeSupport.nodeToString(metadataElement))
+        .setHeader("Content-Type", "text/html;charset=utf-8"));
+
+    final List<BasicX509Credential> credentials = new ArrayList<>();
+    final CertificateFactory fact = CertificateFactory.getInstance("X.509");
+    credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate(
+        MetadataResolverTest.class.getResourceAsStream("/data/metadata_sig_cert.crt"))));
+    credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate(
+        MetadataResolverTest.class.getResourceAsStream("/data/assertion_sig_cert.crt"))));
+    credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate(
+        MetadataResolverTest.class.getResourceAsStream("/data/junit_metadata_sig_cert.crt"))));
+
+    final List<MetadataFilter> filterList = new ArrayList<>();
+    filterList.add(new SchemaValidationFilter(true));
+    filterList.add(new SimpleMetadataSignatureVerificationFilter(
+        credentials,
+        mockServerUrl.url().toString()));
+    filterList.add(new PvpEntityCategoryFilter(true));
+
+    final MetadataFilterChain filterChain = new MetadataFilterChain();
+    filterChain.setFilters(filterList);
+
+    final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider(
+        mockServerUrl.url().toString(),
+        filterChain, "jUnit test", httpClientFactory.getHttpClient());
+
+
+
+    final EntityDescriptor descr = mdResolver.getEntityDescriptor(
+        "https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eid/metadata");
+    Assert.assertNotNull("No EntityDescripter", descr);
+
+    final List<RequestedAttribute> reqAttr = descr.getSPSSODescriptor(SAMLConstants.SAML20P_NS)
+        .getAttributeConsumingServices().get(0).getRequestAttributes();
+    Assert.assertNotNull("Req. attributes are null", reqAttr);
+    Assert.assertEquals("# of req. attributes", 20, reqAttr.size());
+
+  }
+
+  @Test
+  public void metadataSignatureValidCredentialsThird() throws CertificateException, Pvp2MetadataException,
+      ResolverException, XMLParserException, UnmarshallingException, SamlSigningException,
+      CredentialsNotAvailableException, MarshallingException, TransformerException, IOException {
+
+    final EntityDescriptor metadata = (EntityDescriptor) XMLObjectSupport.unmarshallFromInputStream(
+        XMLObjectProviderRegistrySupport.getParserPool(),
+        MetadataResolverTest.class.getResourceAsStream("/data/pvp_metadata_valid_with_entityCategory_egov.xml"));
+    metadata.setValidUntil(DateTime.now().plusDays(1));
+    metadata.setSignature(null);
+    Saml2Utils.signSamlObject(metadata, credentialProvider.getIdpMetaDataSigningCredential(), true);
+    final Element metadataElement = XMLObjectSupport.marshall(metadata);
+    mockWebServer.enqueue(new MockResponse().setResponseCode(200)
+        .setBody(SerializeSupport.nodeToString(metadataElement))
+        .setHeader("Content-Type", "text/html;charset=utf-8"));
+
+    final List<BasicX509Credential> credentials = new ArrayList<>();
+    final CertificateFactory fact = CertificateFactory.getInstance("X.509");
+    credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate(
+        MetadataResolverTest.class.getResourceAsStream("/data/metadata_sig_cert.crt"))));
+    credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate(
+        MetadataResolverTest.class.getResourceAsStream("/data/assertion_sig_cert.crt"))));
+    credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate(
+        MetadataResolverTest.class.getResourceAsStream("/data/junit_metadata_sig_cert.crt"))));
+
+    final List<MetadataFilter> filterList = new ArrayList<>();
+    filterList.add(new SchemaValidationFilter(true));
+    filterList.add(new SimpleMetadataSignatureVerificationFilter(
+        credentials,
+        mockServerUrl.url().toString()));
+    filterList.add(new PvpEntityCategoryFilter(true));
+
+    final MetadataFilterChain filterChain = new MetadataFilterChain();
+    filterChain.setFilters(filterList);
+
+    final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider(
+        mockServerUrl.url().toString(),
+        filterChain, "jUnit test", httpClientFactory.getHttpClient());
+
+
+
+    final EntityDescriptor descr = mdResolver.getEntityDescriptor(
+        "https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eid/metadata");
+    Assert.assertNotNull("No EntityDescripter", descr);
+
+    final List<RequestedAttribute> reqAttr = descr.getSPSSODescriptor(SAMLConstants.SAML20P_NS)
+        .getAttributeConsumingServices().get(0).getRequestAttributes();
+    Assert.assertNotNull("Req. attributes are null", reqAttr);
+    Assert.assertEquals("# of req. attributes", 9, reqAttr.size());
+
+  }
+
+  @Test
+  public void metadataExpired() throws CertificateException, Pvp2MetadataException,
+      ResolverException, XMLParserException, UnmarshallingException, SamlSigningException,
+      CredentialsNotAvailableException, MarshallingException, TransformerException, IOException {
+
+    final EntityDescriptor metadata = (EntityDescriptor) XMLObjectSupport.unmarshallFromInputStream(
+        XMLObjectProviderRegistrySupport.getParserPool(),
+        MetadataResolverTest.class.getResourceAsStream("/data/pvp_metadata_valid.xml"));
+    metadata.setValidUntil(DateTime.now().minusDays(2));
+    metadata.setSignature(null);
+    Saml2Utils.signSamlObject(metadata, credentialProvider.getIdpMetaDataSigningCredential(), true);
+    final Element metadataElement = XMLObjectSupport.marshall(metadata);
+
+    mockWebServer.enqueue(new MockResponse().setResponseCode(200)
+        .setBody(SerializeSupport.nodeToString(metadataElement))
+        .setHeader("Content-Type", "text/html;charset=utf-8"));
+
+    final List<BasicX509Credential> credentials = new ArrayList<>();
+    final CertificateFactory fact = CertificateFactory.getInstance("X.509");
+    credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate(
+        MetadataResolverTest.class.getResourceAsStream("/data/metadata_sig_cert.crt"))));
+    credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate(
+        MetadataResolverTest.class.getResourceAsStream("/data/assertion_sig_cert.crt"))));
+    credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate(
+        MetadataResolverTest.class.getResourceAsStream("/data/junit_metadata_sig_cert.crt"))));
+
+    final List<MetadataFilter> filterList = new ArrayList<>();
+    filterList.add(new SchemaValidationFilter(true));
+    filterList.add(new SimpleMetadataSignatureVerificationFilter(
+        credentials,
+        mockServerUrl.url().toString()));
+    filterList.add(new RequiredValidUntilFilter());
+    filterList.add(new PvpEntityCategoryFilter(false));
+
+
+    final MetadataFilterChain filterChain = new MetadataFilterChain();
+    filterChain.setFilters(filterList);
+
+    try {
+      metadataResolverFactory.createMetadataProvider(
+          mockServerUrl.url().toString(),
+          filterChain, "jUnit test", httpClientFactory.getHttpClient());
+      Assert.fail("Expired metadata not detected");
+
+    } catch (final Pvp2MetadataException e) {
+      Assert.assertEquals("Wrong errorCode", "internal.pvp.09", e.getErrorId());
+
+    }
+
+
+  }
+
+  @Test
+  public void simpleClasspathMetadataWithoutSigValidationMoaidTwoSigKeys()
+      throws Pvp2MetadataException, ComponentInitializationException, ResolverException,
+      Pvp2InternalErrorException {
+    final List<MetadataFilter> filterList = new ArrayList<>();
+    filterList.add(new SchemaValidationFilter(true));
+
+    final MetadataFilterChain filterChain = new MetadataFilterChain();
+    filterChain.setFilters(filterList);
+
+    final String entityIdToResolve = "https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/metadata";
+
+    final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider(
+        "classpath:/data/pvp_metadata_moaid_test.xml",
+        filterChain, "jUnit test", null);
+
+    final EntityDescriptor entityIdNotExists = mdResolver.getEntityDescriptor(
+        "https://demo.egiz.gv.at/notExtist/");
+    Assert.assertNull("No EntityDescripter", entityIdNotExists);
+
+    final EntityDescriptor entityId = mdResolver.getEntityDescriptor(entityIdToResolve);
+    Assert.assertNotNull("No EntityDescripter", entityId);
+
+    Assert.assertNotNull("Metadata provider is null", mdResolver);
+    final MetadataCredentialResolver resolver = createKeyInfoResolver(mdResolver);
+
+    final CriteriaSet sigCriteriaSet = new CriteriaSet();
+    sigCriteriaSet.add(new EntityIdCriterion(entityIdToResolve));
+    sigCriteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
+    sigCriteriaSet.add(new UsageCriterion(UsageType.SIGNING));
+    final SignatureValidationParameters sigValCrit = new SignatureValidationParameters();
+    sigValCrit.setBlacklistedAlgorithms(
+        ConfigurationService.get(SignatureValidationConfiguration.class)
+            .getBlacklistedAlgorithms());
+    sigValCrit.setSignatureTrustEngine(
+        TrustEngineFactory.getSignatureKnownKeysTrustEngine(mdResolver));
+    sigCriteriaSet.add(new SignatureValidationParametersCriterion(sigValCrit));
+
+    final Iterable<Credential> singingKeyInfos = resolver.resolve(sigCriteriaSet);
+    Assert.assertNotNull("Signing KeyInfos null", singingKeyInfos);
+    Assert.assertTrue("First Credential resolved", singingKeyInfos.iterator().hasNext());
+    Assert.assertTrue("Second Credential resolved", singingKeyInfos.iterator().hasNext());
+
+    final CriteriaSet encCriteriaSet = new CriteriaSet();
+    encCriteriaSet.add(new EntityIdCriterion(entityIdToResolve));
+    encCriteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
+    encCriteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
+    final Iterable<Credential> encKeyInfos = resolver.resolve(encCriteriaSet);
+    Assert.assertNotNull("Encryption KeyInfos null", encKeyInfos);
+    Assert.assertTrue("No Credential resolved", encKeyInfos.iterator().hasNext());
+
+  }
+
+  @Test
+  public void httpMetadataLoading() throws UnsupportedEncodingException,
+      IOException, ResolverException, Pvp2MetadataException {
+
+    mockWebServer.enqueue(new MockResponse().setResponseCode(200)
+        .setBody(new String(IOUtils.toByteArray(
+            MetadataResolverTest.class.getResourceAsStream(
+                "/data/pvp_metadata_moaid_test.xml")), "UTF-8"))
+        .setHeader("Content-Type", "text/xml"));
+
+    final List<MetadataFilter> filterList = new ArrayList<>();
+    filterList.add(new SchemaValidationFilter(true));
+
+    final MetadataFilterChain filterChain = new MetadataFilterChain();
+    filterChain.setFilters(filterList);
+
+    final String entityIdToResolve = "https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/metadata";
+
+    final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider(
+        mockServerUrl.url().toString(),
+        filterChain, "jUnit test", httpClientFactory.getHttpClient());
+
+    final EntityDescriptor entityIdNotExists = mdResolver.getEntityDescriptor(
+        "https://demo.egiz.gv.at/notExtist/");
+    Assert.assertNull("No EntityDescripter", entityIdNotExists);
+
+    final EntityDescriptor entityId = mdResolver.getEntityDescriptor(entityIdToResolve);
+    Assert.assertNotNull("No EntityDescripter", entityId);
+
+  }
+
+  @Test
+  public void httpMetadataLoadingRefeshFailed() throws UnsupportedEncodingException,
+      IOException, ResolverException, Pvp2MetadataException {
+
+    mockWebServer.enqueue(new MockResponse().setResponseCode(200)
+        .setBody(new String(IOUtils.toByteArray(
+            MetadataResolverTest.class.getResourceAsStream(
+                "/data/pvp_metadata_moaid_test.xml")), "UTF-8"))
+        .setHeader("Content-Type", "text/xml"));
+
+    final List<MetadataFilter> filterList = new ArrayList<>();
+    filterList.add(new SchemaValidationFilter(true));
+
+    final MetadataFilterChain filterChain = new MetadataFilterChain();
+    filterChain.setFilters(filterList);
+
+    final String entityIdToResolve = "https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/metadata";
+
+    final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider(
+        mockServerUrl.url().toString(),
+        filterChain, "jUnit test", httpClientFactory.getHttpClient());
+
+    final EntityDescriptor entityIdNotExists = mdResolver.getEntityDescriptor(
+        "https://demo.egiz.gv.at/notExtist/");
+    Assert.assertNull("No EntityDescripter", entityIdNotExists);
+
+    final EntityDescriptor entityId = mdResolver.getEntityDescriptor(entityIdToResolve);
+    Assert.assertNotNull("No EntityDescripter", entityId);
+
+    final DateTime lastRefreshSucess = mdResolver.getLastSuccessfulRefresh();
+
+    try {
+      mdResolver.refresh();
+      Assert.fail("Refesh possible without available metadata");
+
+    } catch (final ResolverException e) {
+      Assert.assertFalse("Wrong Refesh success flag", mdResolver.wasLastRefreshSuccess());
+      Assert.assertEquals("Wrong refresh success date", lastRefreshSucess, mdResolver
+          .getLastSuccessfulRefresh());
+
+    }
+
+  }
+
+  @Test
+  public void httpMetadataLoadingWithRefeshSuccess() throws UnsupportedEncodingException,
+      IOException, ResolverException, Pvp2MetadataException {
+
+    mockWebServer.enqueue(new MockResponse().setResponseCode(200)
+        .setBody(new String(IOUtils.toByteArray(
+            MetadataResolverTest.class.getResourceAsStream(
+                "/data/pvp_metadata_moaid_test.xml")), "UTF-8"))
+        .setHeader("Content-Type", "text/xml"));
+
+    mockWebServer.enqueue(new MockResponse().setResponseCode(200)
+        .setBody(new String(IOUtils.toByteArray(
+            MetadataResolverTest.class.getResourceAsStream(
+                "/data/pvp_metadata_moaid_test.xml")), "UTF-8"))
+        .setHeader("Content-Type", "text/xml"));
+
+    final List<MetadataFilter> filterList = new ArrayList<>();
+    filterList.add(new SchemaValidationFilter(true));
+
+    final MetadataFilterChain filterChain = new MetadataFilterChain();
+    filterChain.setFilters(filterList);
+
+    final String entityIdToResolve = "https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/metadata";
+
+    final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider(
+        mockServerUrl.url().toString(),
+        filterChain, "jUnit test", httpClientFactory.getHttpClient());
+
+    final EntityDescriptor entityIdNotExists = mdResolver.getEntityDescriptor(
+        "https://demo.egiz.gv.at/notExtist/");
+    Assert.assertNull("No EntityDescripter", entityIdNotExists);
+
+    final EntityDescriptor entityId = mdResolver.getEntityDescriptor(entityIdToResolve);
+    Assert.assertNotNull("No EntityDescripter", entityId);
+
+    final DateTime lastRefresh = mdResolver.getLastRefresh();
+
+    // refresh metadata
+    mdResolver.refresh();
+
+    Assert.assertTrue("Refresh not sucessful", mdResolver.wasLastRefreshSuccess());
+    Assert.assertTrue("Wrong last refresh date", lastRefresh.isBefore(mdResolver.getLastRefresh()));
+
+  }
+
+  @Test
+  public void httpMetadataLoadingWithoutHttpClient() throws UnsupportedEncodingException,
+      IOException, ResolverException, Pvp2MetadataException {
+
+    mockWebServer.enqueue(new MockResponse().setResponseCode(200)
+        .setBody(new String(IOUtils.toByteArray(
+            MetadataResolverTest.class.getResourceAsStream(
+                "/data/pvp_metadata_moaid_test.xml")), "UTF-8"))
+        .setHeader("Content-Type", "text/xml"));
+
+    final List<MetadataFilter> filterList = new ArrayList<>();
+    filterList.add(new SchemaValidationFilter(true));
+
+    final MetadataFilterChain filterChain = new MetadataFilterChain();
+    filterChain.setFilters(filterList);
+
+    try {
+      metadataResolverFactory.createMetadataProvider(
+          mockServerUrl.url().toString(),
+          filterChain, "jUnit test", null);
+      Assert.fail("No httpclient not detected");
+
+    } catch (final Pvp2MetadataException e) {
+      Assert.assertEquals("Wrong errorCode", "internal.pvp.09", e.getErrorId());
+      Assert.assertNotNull("No error params", e.getParams());
+      Assert.assertEquals("Wrong params size", 2, e.getParams().length);
+
+    }
+  }
+
+  @Test
+  public void httpMetadataLoadingWrongUrl() throws UnsupportedEncodingException,
+      IOException, ResolverException, Pvp2MetadataException {
+
+    mockWebServer.enqueue(new MockResponse().setResponseCode(200)
+        .setBody(new String(IOUtils.toByteArray(
+            MetadataResolverTest.class.getResourceAsStream(
+                "/data/pvp_metadata_moaid_test.xml")), "UTF-8"))
+        .setHeader("Content-Type", "text/xml"));
+
+    final List<MetadataFilter> filterList = new ArrayList<>();
+    filterList.add(new SchemaValidationFilter(true));
+
+    final MetadataFilterChain filterChain = new MetadataFilterChain();
+    filterChain.setFilters(filterList);
+
+    try {
+      metadataResolverFactory.createMetadataProvider(
+          "http://127.0.0.1/notexist",
+          filterChain, "jUnit test", httpClientFactory.getHttpClient());
+      Assert.fail("No httpclient not detected");
+
+    } catch (final Pvp2MetadataException e) {
+      Assert.assertEquals("Wrong errorCode", "internal.pvp.09", e.getErrorId());
+      Assert.assertNotNull("No error params", e.getParams());
+      Assert.assertEquals("Wrong params size", 2, e.getParams().length);
+
+    }
+
+  }
+
+  private MetadataCredentialResolver createKeyInfoResolver(IPvp2MetadataProvider mdResolver)
+      throws ComponentInitializationException {
+    final List<KeyInfoProvider> keyInfoProvider = new ArrayList<>();
+    keyInfoProvider.add(new DSAKeyValueProvider());
+    keyInfoProvider.add(new RSAKeyValueProvider());
+    keyInfoProvider.add(new InlineX509DataProvider());
+    final KeyInfoCredentialResolver keyInfoCredentialResolver = new BasicProviderKeyInfoCredentialResolver(
+        keyInfoProvider);
+
+    final PredicateRoleDescriptorResolver roleDescriptorResolver = new PredicateRoleDescriptorResolver(
+        mdResolver);
+    roleDescriptorResolver.setRequireValidMetadata(true);
+    roleDescriptorResolver.initialize();
+
+    final MetadataCredentialResolver resolver = new MetadataCredentialResolver();
+    resolver.setRoleDescriptorResolver(roleDescriptorResolver);
+    resolver.setKeyInfoCredentialResolver(keyInfoCredentialResolver);
+    resolver.initialize();
+
+    return resolver;
+  }
+}