Refactor SamlVerificationEngine

add some more jUnit tests

4 files changed, 88 insertions, 17 deletions

diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/AuthResponseBuilder.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/AuthResponseBuilder.java
index 565f28fb..482a2a09 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/AuthResponseBuilder.java
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/AuthResponseBuilder.java
@@ -31,6 +31,10 @@ import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
 
 import org.joda.time.DateTime;
 import org.opensaml.core.criterion.EntityIdCriterion;
+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
+import org.opensaml.core.xml.io.MarshallingException;
+import org.opensaml.core.xml.io.UnmarshallingException;
+import org.opensaml.core.xml.util.XMLObjectSupport;
 import org.opensaml.saml.common.xml.SAMLConstants;
 import org.opensaml.saml.criterion.EntityRoleCriterion;
 import org.opensaml.saml.criterion.ProtocolCriterion;
@@ -61,6 +65,7 @@ import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider;
 import org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.w3c.dom.Element;
 
 import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
 import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
@@ -158,9 +163,14 @@ public class AuthResponseBuilder {
       final Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList);
       samlEncrypter.setKeyPlacement(KeyPlacement.PEER);
 
-      return samlEncrypter.encrypt(assertion);
+      final Element assertionElement = XMLObjectProviderRegistrySupport.getMarshallerFactory()
+          .getMarshaller(assertion).marshall(assertion);
+      assertionElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:xs", "http://www.w3.org/2001/XMLSchema");
 
-    } catch (final EncryptionException | SamlSigningException e1) {
+      return samlEncrypter.encrypt((Assertion)
+          XMLObjectSupport.getUnmarshaller(assertionElement).unmarshall(assertionElement));
+
+    } catch (final EncryptionException | SamlSigningException | MarshallingException | UnmarshallingException e1) {
       log.warn("Can not encrypt the PVP2 assertion", e1);
       throw new InvalidAssertionEncryptionException();
 
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/idp/test/AuthnResponseBuilderTest.java b/eaaf_modules/eaaf_module_pvp2_idp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/idp/test/AuthnResponseBuilderTest.java
index 98cf5f40..b2e528c4 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/idp/test/AuthnResponseBuilderTest.java
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/idp/test/AuthnResponseBuilderTest.java
@@ -7,12 +7,16 @@ import javax.xml.transform.TransformerException;
 import at.gv.egiz.eaaf.core.impl.idp.module.test.DummyAuthConfig;
 import at.gv.egiz.eaaf.core.impl.utils.DomUtils;
 import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
 import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption;
 import at.gv.egiz.eaaf.modules.pvp2.idp.exception.InvalidAssertionEncryptionException;
 import at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder.AuthResponseBuilder;
 import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory;
 import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer;
+import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine;
 import at.gv.egiz.eaaf.modules.pvp2.test.binding.PostBindingTest;
+import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider;
 
 import org.apache.commons.lang3.RandomStringUtils;
 import org.joda.time.DateTime;
@@ -43,6 +47,8 @@ public class AuthnResponseBuilderTest {
 
   @Autowired private DummyAuthConfig authConfig;
   @Autowired private PvpMetadataResolverFactory metadataResolverFactory;
+  @Autowired private SamlVerificationEngine verifyEngine;
+  @Autowired private DummyCredentialProvider credentialProvider;
 
   /**
    * JUnit class initializer.
@@ -99,4 +105,52 @@ public class AuthnResponseBuilderTest {
 
   }
 
+  @Test
+  public void encryptedAssertionWithDecryption() throws InvalidAssertionEncryptionException, Pvp2MetadataException,
+      XMLParserException, UnmarshallingException, MarshallingException, TransformerException, IOException,
+      SamlAssertionValidationExeption, CredentialsNotAvailableException {
+    final String issuerEntityID = RandomStringUtils.randomAlphabetic(15);
+
+    final IPvp2MetadataProvider metadataProvider =
+        metadataResolverFactory.createMetadataProvider(
+            "classpath:/data/pvp_metadata_junit_keystore.xml", null, "jUnit metadata resolver", null);
+
+    final RequestAbstractType authnReq = (RequestAbstractType) XMLObjectSupport.unmarshallFromInputStream(
+        XMLObjectProviderRegistrySupport.getParserPool(),
+        PostBindingTest.class.getResourceAsStream("/data/AuthRequest_without_sig_1.xml"));
+    authnReq.setID("_" + RandomStringUtils.randomAlphanumeric(10));
+
+    final Assertion assertion = (Assertion) XMLObjectSupport.unmarshallFromInputStream(
+        XMLObjectProviderRegistrySupport.getParserPool(),
+        PostBindingTest.class.getResourceAsStream("/data/Assertion_1.xml"));
+
+    //build response
+    final DateTime now = DateTime.now();
+    final Response response = AuthResponseBuilder.buildResponse(
+        metadataProvider, issuerEntityID, authnReq,
+        now, assertion, authConfig);
+
+
+    //validate
+    Assert.assertNotNull("SAML2 response is null", response);
+    Assert.assertTrue("Assertion not null", response.getAssertions().isEmpty());
+    Assert.assertNotNull("Enc. assertion is null", response.getEncryptedAssertions());
+    Assert.assertFalse("Enc. assertion is empty", response.getEncryptedAssertions().isEmpty());
+    Assert.assertEquals("# enc. assertions wrong", 1, response.getEncryptedAssertions().size());
+
+    Assert.assertEquals("InResponseTo", authnReq.getID(), response.getInResponseTo());
+    Assert.assertEquals("Issuer EntityId", issuerEntityID, response.getIssuer().getValue());
+    Assert.assertNotNull("ResponseId is null", response.getID());
+    Assert.assertFalse("ResponseId is emptry", response.getID().isEmpty());
+
+    final Element responseElement = XMLObjectSupport.getMarshaller(response).marshall(response);
+    final String xmlResp = DomUtils.serializeNode(responseElement);
+    Assert.assertNotNull("XML response is null", xmlResp);
+    Assert.assertFalse("XML response is empty", xmlResp.isEmpty());
+
+    verifyEngine.validateAssertion(response, credentialProvider.getMetaDataSigningCredential(),
+        "https://demo.egiz.gv.at/demoportal_demologin/", "jUnitTest", false);
+
+  }
+
 }
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/data/pvp_metadata_junit_keystore.xml b/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/data/pvp_metadata_junit_keystore.xml
index 96560960..7fdbef90 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/data/pvp_metadata_junit_keystore.xml
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/data/pvp_metadata_junit_keystore.xml
@@ -71,21 +71,22 @@ ANsmjI2azWiTSFjb7Ou5fnCfbeiJUP0s66m8qS4rYl9L
 		<md:KeyDescriptor use="encryption">
 			<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 				<ds:X509Data>
-					<ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH
-SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W
-ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w
-CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ
-RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq
-UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+
-M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F
-Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt
-1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq
-nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC
-VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq
-itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc
-2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O
-fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy
-4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate>
+					<ds:X509Certificate>MIIC+jCCAeKgAwIBAgIEXjF+fTANBgkqhkiG9w0BAQsFADA/MQswCQYDVQQGEwJB
+VDENMAsGA1UEBwwERUdJWjEOMAwGA1UECgwFalVuaXQxETAPBgNVBAMMCE1ldGFk
+YXRhMB4XDTIwMDEyOTEyNDU0OVoXDTI2MDEyODEyNDU0OVowPzELMAkGA1UEBhMC
+QVQxDTALBgNVBAcMBEVHSVoxDjAMBgNVBAoMBWpVbml0MREwDwYDVQQDDAhNZXRh
+ZGF0YTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK230G3dxNbNlSYA
+O5Kx/Js0aBAgxMt7q9m+dA35fK/dOvF/GjrqjWsMCnax+no9gLnq6x0gXiJclz6H
+rp/YDOfLrJjMpNL/r0FWT947vbnEj7eT8TdY5d6Yi8AZulZmjiCI5nbZh2zwrP4+
+WqRroLoPhXQj8mDyp26M4xHBBUhLMRc2HV4S+XH4uNZ/vTmb8vBg31XGHCY33gl7
+/KA54JNGxJdN8Dxv6yHYsm91ZfVrX39W0iYLUNhUCkolwuQmjDVfrExM8BTLIONb
+f+erJoCm3A9ghZyDYRQ/e69/UEUqDa6XOzykr88INkQscEiAXCDS+EBPMpKo+t3l
+PIA9r7kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAh/2mg4S03bdZy1OVtEAudBT9
+YZb9OF34hxPtNbkB/V04wSIg1d4TBr5KDhV7CdiUOxPZzHpS8LUCgfGX306FB6NX
+zh/b67uTOPaE72AB4VIT/Np0fsM7k5WhG9k9NoprIGiqCz2lXcfpZiT+LtSO1vWS
+YI87wR9KOSWjcw/5i5qZIAJuwvLCQj5JtUsmrhHK75222J3TJf4dS/gfN4xfY2rW
+9vcXtH6//8WdWp/zx9V7Z1ZsDb8TDKtBCEGuFDgVeU5ScKtVq8qRoUKD3Ve76cZi
+purO3KrRrVAuZP2EfLkZdHEHqe8GPigNnZ5kTn8V2VJ3iRAQ73hpJRR98tFd0A==</ds:X509Certificate>
 				</ds:X509Data>
 			</ds:KeyInfo>
 		</md:KeyDescriptor>
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_pvp.beans.xml b/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_pvp.beans.xml
index aac94041..e3060b04 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_pvp.beans.xml
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_pvp.beans.xml
@@ -15,6 +15,12 @@
 
   <bean id="dummyCredentialProvider"
         class="at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider" />
+        
+  <bean id="dummyChainingMetadataResolver"
+        class="at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyMetadataProvider"/>
+
+  <bean id="samlVerificationEngine"
+        class="at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine"/>
 
  
 </beans>
\ No newline at end of file