Merged trust engines back into a unified version, made metadata roles a "KeyInfoSource".
1 /*
2  *  Copyright 2001-2006 Internet2
3  * 
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16
17 #include "internal.h"
18 #include <saml/SAMLConfig.h>
19 #include <saml/saml2/metadata/Metadata.h>
20 #include <saml/saml2/metadata/MetadataProvider.h>
21 #include <xmltooling/security/AbstractPKIXTrustEngine.h>
22
23 using namespace opensaml::saml2;
24 using namespace opensaml::saml2md;
25 using namespace xmlsignature;
26
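namespace {
    /**
     * Minimal PKIX trust engine used by the suite below.
     *
     * The only behaviour it adds to AbstractPKIXTrustEngine is the source of
     * PKIX validation information: every request yields one set of trust
     * anchors, resolved from data_path + "security/FilesystemKeyResolver.xml",
     * with no CRLs and a verification depth of 0.
     */
    class SampleTrustEngine : public AbstractPKIXTrustEngine {
    public:
        SampleTrustEngine() {}
        ~SampleTrustEngine() {}
        
        /**
         * One-shot iterator over PKIX validation information: next() succeeds
         * exactly once, exposing the certificates resolved by a filesystem
         * KeyResolver as the trust anchors.
         */
        class SampleIterator : public PKIXValidationInfoIterator {
            vector<XSECCryptoX509CRL*> m_crls;          // stays empty: this engine performs no CRL checking
            KeyResolver::ResolvedCertificates m_certs;   // trust anchors, filled once in the constructor
            KeyResolver* m_resolver;                     // owning pointer, released in ~SampleIterator
            bool m_done;                                 // true once next() has yielded the single set

            // m_resolver is an owning raw pointer: copying would double-delete it.
            // Declared but never defined (pre-C++11 idiom, matching the auto_ptr use elsewhere in the file).
            SampleIterator(const SampleIterator&);
            SampleIterator& operator=(const SampleIterator&);
        public:
            /**
             * Parses the FilesystemKeyResolver configuration, instantiates the
             * resolver plugin and resolves its certificates into m_certs.
             *
             * The new resolver is held by an auto_ptr until the constructor has
             * finished: if resolveCertificates() throws, the destructor of the
             * half-constructed iterator never runs, so a bare m_resolver would
             * leak. Parser and plugin-factory errors propagate to the caller.
             */
            SampleIterator() : m_resolver(NULL), m_done(false) {
                string config = data_path + "security/FilesystemKeyResolver.xml";
                ifstream in(config.c_str());
                DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in);
                XercesJanitor<DOMDocument> janitor(doc);
                auto_ptr<KeyResolver> resolver(
                    XMLToolingConfig::getConfig().KeyResolverManager.newPlugin(
                        FILESYSTEM_KEY_RESOLVER,doc->getDocumentElement()
                        )
                    );
                // No KeyInfo is supplied (typed NULL, as in the original call);
                // the certificates presumably come from the resolver's own configuration.
                resolver->resolveCertificates(static_cast<KeyInfo*>(NULL),m_certs);
                m_resolver = resolver.release();
            }
            
            ~SampleIterator() {
                delete m_resolver;
            }

            /// Advances to the single validation info set; returns true the
            /// first time only, false on every later call.
            bool next() {
                if (m_done)
                    return false;
                m_done = true;
                return true;
            }
            
            /// Maximum chain depth accepted for this test engine's anchors.
            int getVerificationDepth() const {
                return 0;
            }
            
            /// Certificates resolved in the constructor, used as trust anchors.
            const vector<XSECCryptoX509*>& getTrustAnchors() const {
                return m_certs.v();
            }
            
            /// Always empty; CRL checking is outside the scope of this test.
            const vector<XSECCryptoX509CRL*>& getCRLs() const {
                return m_crls;
            }
        };
    
        /**
         * Supplies the PKIX validation information for a KeyInfoSource.
         *
         * The discarded dynamic_cast is a deliberate type check: this test
         * engine only expects metadata roles, so anything other than a
         * RoleDescriptor makes the cast throw std::bad_cast rather than being
         * silently accepted.
         * @return a freshly allocated SampleIterator; the caller is expected to delete it.
         */
        PKIXValidationInfoIterator* getPKIXValidationInfoIterator(const KeyInfoSource& keyInfoSource) const {
            dynamic_cast<const RoleDescriptor&>(keyInfoSource);
            return new SampleIterator();
        }
    };
}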
80
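/**
 * Exercises the PKIX trust engine path end to end: a signed SAML 2 assertion
 * is validated against IdP roles taken from a filesystem metadata provider.
 * The signature must be accepted for https://idp.example.org and rejected for
 * https://idp2.example.org -- the negative half is what shows the engine ties
 * trust to the specific role rather than to any key it can reach.
 */
class AbstractPKIXTrustEngineTest : public CxxTest::TestSuite, public SAMLObjectBaseTestCase {
    /**
     * First IDPSSODescriptor published by an entity, or NULL when the entity
     * is missing or has no IdP role. Guards the front() call, which is
     * undefined on an empty vector, so a malformed fixture fails an assertion
     * instead of crashing the whole test runner.
     */
    static RoleDescriptor* firstIDPRole(const EntityDescriptor* descriptor) {
        if (descriptor == NULL || descriptor->getIDPSSODescriptors().empty())
            return NULL;
        return descriptor->getIDPSSODescriptors().front();
    }

public:
    void setUp() {
        SAMLObjectBaseTestCase::setUp();
    }
    
    void tearDown() {
        SAMLObjectBaseTestCase::tearDown();
    }

    /// Name kept for CxxTest discovery; the engine under test is the PKIX
    /// SampleTrustEngine above, not an explicit-key engine.
    void testExplicitKeyTrustEngine() {
        // Parse the metadata provider configuration and point it at the metadata fixture.
        string config = data_path + "security/FilesystemMetadataProvider.xml";
        ifstream in(config.c_str());
        DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in);
        XercesJanitor<DOMDocument> janitor(doc);

        auto_ptr_XMLCh path("path");
        string s = data_path + "security/example-metadata.xml";
        auto_ptr_XMLCh file(s.c_str());
        doc->getDocumentElement()->setAttributeNS(NULL,path.get(),file.get());

        // Build metadata provider.
        auto_ptr<MetadataProvider> metadataProvider(
            SAMLConfig::getConfig().MetadataProviderManager.newPlugin(FILESYSTEM_METADATA_PROVIDER,doc->getDocumentElement())
            );
        try {
            metadataProvider->init();
        }
        catch (XMLToolingException& ex) {
            TS_TRACE(ex.what());   // surface the cause before the test aborts
            throw;
        }
        
        // Build trust engine.
        auto_ptr<TrustEngine> trustEngine(new SampleTrustEngine());
        
        // Get signed assertion.
        config = data_path + "signature/SAML2Assertion.xml";
        ifstream in2(config.c_str());
        DOMDocument* doc2=XMLToolingConfig::getConfig().getParser().parse(in2);
        XercesJanitor<DOMDocument> janitor2(doc2);
        auto_ptr<Assertion> assertion(dynamic_cast<Assertion*>(XMLObjectBuilder::getBuilder(doc2->getDocumentElement())->buildFromDocument(doc2)));
        // The janitor is released here, presumably because the built object now
        // owns doc2 -- confirm against buildFromDocument's ownership contract.
        janitor2.release();
        TSM_ASSERT("Assertion failed to build", assertion.get()!=NULL);

        Locker locker(metadataProvider.get());   // provider lookups are done under the lock
        const EntityDescriptor* descriptor = metadataProvider->getEntityDescriptor("https://idp.example.org");
        TSM_ASSERT("Retrieved entity descriptor was null", descriptor!=NULL);
        
        RoleDescriptor* role=firstIDPRole(descriptor);
        TSM_ASSERT("Role not present", role!=NULL);
        
        Signature* sig=NULL;
        if (assertion.get()!=NULL)
            sig=assertion->getSignature();
        TSM_ASSERT("Signature not present", sig!=NULL);
        if (role==NULL || sig==NULL)
            return;   // already failed above; do not dereference NULL
        TSM_ASSERT("Signature failed to validate.", trustEngine->validate(*sig, *role, metadataProvider->getKeyResolver()));

        // Negative case: the same signature must not validate against an
        // unrelated entity's role; otherwise any registered IdP could vouch
        // for any assertion.
        descriptor = metadataProvider->getEntityDescriptor("https://idp2.example.org");
        TSM_ASSERT("Retrieved entity descriptor was null", descriptor!=NULL);
        
        role=firstIDPRole(descriptor);
        TSM_ASSERT("Role not present", role!=NULL);
        if (role==NULL)
            return;   // already failed above; do not dereference NULL

        TSM_ASSERT("Signature validated.", !trustEngine->validate(*sig, *role, metadataProvider->getKeyResolver()));
    }
};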