[picketlink-commits] Picketlink SVN: r1351 - product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow.



Author: anil.saldhana at jboss.com
Date: 2012-01-31 16:33:56 -0500 (Tue, 31 Jan 2012)
New Revision: 1351

Added:
   product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2RedirectSignatureTomcatWorkflowUnitTestCase.java
Modified:
   product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/
Log:
merge in -r1324


Property changes on: product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow
___________________________________________________________________
Modified: svn:mergeinfo
   - /federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow:1140-1173,1307-1318
/federation/trunk/picketlink-fed-api/src/test/java/org/picketlink/test/identity/federation/bindings/workflow:1192-1228
/federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow:1152-1154,1159-1173,1192-1228
   + /federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow:1140-1173,1307-1318,1321-1324
/federation/trunk/picketlink-fed-api/src/test/java/org/picketlink/test/identity/federation/bindings/workflow:1192-1228
/federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow:1152-1154,1159-1173,1192-1228

Copied: product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2RedirectSignatureTomcatWorkflowUnitTestCase.java (from rev 1324, federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2RedirectSignatureTomcatWorkflowUnitTestCase.java)
===================================================================
--- product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2RedirectSignatureTomcatWorkflowUnitTestCase.java	                        (rev 0)
+++ product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2RedirectSignatureTomcatWorkflowUnitTestCase.java	2012-01-31 21:33:56 UTC (rev 1351)
@@ -0,0 +1,259 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2011, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors. 
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.picketlink.test.identity.federation.bindings.workflow;
+
+
+import static org.junit.Assert.assertNotNull;
+
+import java.io.IOException;
+import java.net.URL;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.ServletException;
+
+import junit.framework.Assert;
+
+import org.apache.catalina.LifecycleException;
+import org.apache.catalina.realm.GenericPrincipal;
+import org.junit.Test;
+import org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve;
+import org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectSignatureFormAuthenticator;
+import org.picketlink.identity.federation.web.constants.GeneralConstants;
+import org.picketlink.identity.federation.web.util.RedirectBindingUtil;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaContext;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaContextClassLoader;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaLoginConfig;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaRealm;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaRequest;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaResponse;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaSession;
+
+/**
+ * <p>
+ *  This {@code TestCase} tests the interaction between the SP and the IDP in a scenario where token signature is used. 
+ * </p>
+ * <p>
+ *  This class also tests the use of the {@code SPRedirectSignatureFormAuthenticator.idpAddress} and the {@code IDPWebBrowserSSOValve.validatingAliasToTokenIssuer} properties.
+ *  <br/>
+ *  The objective is test the following scenarios:
+ *  <br/><br/>
+ *      1) User's machine is the same of the SP and the IDP. (testSAML2RedirectWithSameConsumerAndProvider)
+ *      <br/>
+ *      2) User's machine is different of the SP and the IDP. (testSAML2RedirectWithSifferentConsumerAndProvider)
+ *          192.168.1.1 -> IDP Address (IDP_PROFILE/WEB-INF/picketlink-idfed.xml)
+ *          192.168.1.2 -> SP Address (SP_PROFILE/WEB-INF/picketlink-idfed.xml)
+ *          192.168.1.3 -> End User Address
+ * </p>
+ * 
+ * @author <a href="mailto:psilva at redhat.com">Pedro Igor</a>
+ * @since Nov 14, 2011
+ */
+public class SAML2RedirectSignatureTomcatWorkflowUnitTestCase
+{
+   private static final String profile = "saml2/redirect";
+
+   private static final String IDP_PROFILE = profile + "/idp-sig/";
+
+   private static final String SP_PROFILE = profile + "/sp/employee-sig";
+
+   private final ClassLoader tcl = Thread.currentThread().getContextClassLoader();
+   
+   private String SAML_REQUEST_KEY = "SAMLRequest=";
+
+   private String SAML_RESPONSE_KEY = "SAMLResponse=";
+   
+   /**
+    * Tests the token's signatures validations when the requester and the SP/IDP as on the same host.
+    * The keyprovider is configured with the same ValidatingAlias for all of them.
+    * 
+    * @throws Exception
+    */
+   @Test
+   public void testSAML2RedirectWithSameConsumerAndProvider() throws Exception
+   {
+      testWorkflow("192.168.1.1", "192.168.1.1", false);
+   }
+   
+   /**
+    * Tests the token's signatures validations when the requester is in a differente host than the SP and IDP.
+    * The keyprovider is configured with a ValidatingAlias for specific for the SP (192.168.1.2) that is different from the IDP (localhost) and the user (192.168.1.1).
+    */
+   @Test
+   public void testSAML2RedirectWithSifferentConsumerAndProvider() throws Exception
+   {
+      testWorkflow("192.168.1.3", "192.168.1.1", true);
+   }
+
+   private void testWorkflow(String userAddress, String idpAddress, boolean validatingAliasToTokenIssuer) throws LifecycleException, IOException, ServletException
+   {
+      MockCatalinaRequest request = createRequest(userAddress);
+      
+      // Sends a initial request to the SP. Requesting a resource ...
+      MockCatalinaResponse idpAuthRequest = sendSPRequest(request, false, idpAddress);
+      
+      assertNotNull("Redirect String can not be null.", idpAuthRequest.redirectString);
+      
+      // Sends a auth request to the IDP
+      request = createRequest(userAddress);
+      
+      request.setParameter("SAMLRequest", RedirectBindingUtil.urlDecode(getSAMLRequest(idpAuthRequest)));
+      request.setParameter("SigAlg", RedirectBindingUtil.urlDecode(getSAMLSigAlg(idpAuthRequest)));
+      request.setParameter("Signature", RedirectBindingUtil.urlDecode(getSAMLSignature(idpAuthRequest)));
+      request.setQueryString(SAML_REQUEST_KEY + getSAMLRequest(idpAuthRequest) + "&SigAlg=" + getSAMLSigAlg(idpAuthRequest) + "&Signature=" + getSAMLSignature(idpAuthRequest));
+      
+      request.setUserPrincipal(new GenericPrincipal(createRealm(), "user", "user", getRoles()) );
+      
+      MockCatalinaResponse idpAuthResponse = sendIDPRequest(request, validatingAliasToTokenIssuer); 
+      
+      assertNotNull("Redirect String can not be null.", idpAuthResponse.redirectString);
+      
+      // Sends the IDP response to the SP. Now the user is succesfully authenticated and access for the requested resource is granted...    
+      request = createRequest(userAddress);
+      request.getContext().setRealm(createRealm());
+      
+      request.setParameter("SAMLResponse", RedirectBindingUtil.urlDecode(getSAMLResponse(idpAuthResponse)));
+      request.setParameter("SigAlg", RedirectBindingUtil.urlDecode(getSAMLSigAlg(idpAuthResponse)));
+      request.setParameter("Signature", RedirectBindingUtil.urlDecode(getSAMLSignature(idpAuthResponse)));
+      request.setQueryString(SAML_RESPONSE_KEY + getSAMLResponse(idpAuthResponse) + "&SigAlg=" + getSAMLSigAlg(idpAuthResponse) + "&Signature=" + getSAMLSignature(idpAuthResponse));
+      
+      sendSPRequest(request, true, idpAddress);
+   }
+
+   private MockCatalinaRequest createRequest(String userAddress)
+   {
+      MockCatalinaRequest request = new MockCatalinaRequest();
+      
+      request = new MockCatalinaRequest();
+      request.setMethod("GET");
+      request.setRemoteAddr(userAddress);
+      request.setSession(new MockCatalinaSession());
+      request.setContext(new MockCatalinaContext());
+      
+      return request;
+   }
+
+   private String getSAMLResponse(MockCatalinaResponse response)
+   {
+      return response.redirectString.substring(response.redirectString.indexOf(SAML_RESPONSE_KEY) +
+            SAML_RESPONSE_KEY.length(), response.redirectString.indexOf("&SigAlg="));
+   }
+
+   private String getSAMLSignature(MockCatalinaResponse response)
+   {
+      return response.redirectString.substring(response.redirectString.indexOf("&Signature=") +
+            "&Signature=".length());
+   }
+
+   private String getSAMLSigAlg(MockCatalinaResponse response)
+   {
+      return response.redirectString.substring(response.redirectString.indexOf("&SigAlg=") +
+            "&SigAlg=".length(), response.redirectString.lastIndexOf("&Signature="));
+   }
+
+   private String getSAMLRequest(MockCatalinaResponse response)
+   {
+      return response.redirectString.substring(response.redirectString.indexOf(SAML_REQUEST_KEY) +
+            SAML_REQUEST_KEY.length(), response.redirectString.indexOf("&SigAlg="));
+   }
+
+   private List<String> getRoles()
+   {
+      List<String> roles = new ArrayList<String>();
+      roles.add("manager");
+      roles.add("employee");
+      return roles;
+   }
+
+   private MockCatalinaRealm createRealm()
+   {
+      return new MockCatalinaRealm("user", "user", new Principal()
+      {   
+         public String getName()
+         { 
+            return "user";
+         }
+      });
+   }
+
+   private MockCatalinaResponse sendIDPRequest(MockCatalinaRequest request, boolean validatingAliasToTokenIssuer)
+         throws LifecycleException, IOException, ServletException
+   {
+      MockCatalinaContextClassLoader mclIDP = setupTCL(IDP_PROFILE);
+      Thread.currentThread().setContextClassLoader(mclIDP);
+
+      IDPWebBrowserSSOValve idp = new IDPWebBrowserSSOValve();
+      
+      idp.setSignOutgoingMessages(true);
+      idp.setIgnoreIncomingSignatures(false);
+      idp.setValidatingAliasToTokenIssuer(validatingAliasToTokenIssuer);
+      
+      idp.setContainer(request.getContext());
+      idp.start();
+      
+      MockCatalinaResponse response = new MockCatalinaResponse();
+      
+      idp.invoke(request, response);
+      
+      return response;
+   }
+
+   private MockCatalinaResponse sendSPRequest(MockCatalinaRequest request, boolean validateAuthentication, String idpAddress)
+         throws LifecycleException, IOException
+   {
+      MockCatalinaContextClassLoader mclSPEmp = setupTCL(SP_PROFILE);
+      Thread.currentThread().setContextClassLoader(mclSPEmp); 
+      
+      SPRedirectSignatureFormAuthenticator sp = new SPRedirectSignatureFormAuthenticator();
+      
+      sp.setIdpAddress(idpAddress);
+      
+      request.setParameter(GeneralConstants.RELAY_STATE, null);
+      
+      MockCatalinaLoginConfig loginConfig = new MockCatalinaLoginConfig();
+      
+      sp.setContainer(request.getContext());
+      sp.testStart();
+      
+      MockCatalinaResponse response = new MockCatalinaResponse();
+      
+      if (validateAuthentication) {
+         Assert.assertTrue("Employee app succesfully authenticated.", sp.authenticate(request, response, loginConfig));
+      } else {
+         sp.authenticate(request, response, loginConfig);
+      }
+      
+      return response;
+   }
+   
+   private MockCatalinaContextClassLoader setupTCL(String resource)
+   {
+      URL[] urls = new URL[] {tcl.getResource(resource)};
+      
+      MockCatalinaContextClassLoader mcl = new MockCatalinaContextClassLoader(urls);
+      mcl.setDelegate(tcl);
+      mcl.setProfile(resource);
+      return mcl;
+   }
+   
+}
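Review bot: `sendIDPRequest` and `sendSPRequest` swap the thread's context class loader for a `MockCatalinaContextClassLoader` and never put the original back, so the loader leaks past each test method; because `tcl` is captured as an instance field, a later test instance may capture the previous mock as its "real" loader and chain delegates through it, depending on when the runner constructs the instance. Wrapping the `idp.invoke(request, response)` and `sp.authenticate(...)` calls in `try { ... } finally { Thread.currentThread().setContextClassLoader(tcl); }` keeps each test self-contained. Both workflows exercise only the accepting path even though the IDP is configured with `setIgnoreIncomingSignatures(false)`; a companion case that alters the `Signature` value in the query string built before `sendSPRequest(request, true, idpAddress)` and asserts that `sp.authenticate` returns false would pin the rejection side of the validation this class is meant to cover. The helper `getSAMLSigAlg` uses `lastIndexOf("&Signature=")` while `getSAMLSignature` uses `indexOf`, so a redirect string carrying that token twice would yield inconsistent slices; using the same lookup in both would make the parsing consistent. Also `createRequest` assigns `new MockCatalinaRequest()` twice in a row, and the first allocation is dead.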


