samltest/security/AbstractPKIXTrustEngineTest.h

   1 /*
   2  *  Copyright 2001-2007 Internet2
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 #include "internal.h"
  18 #include <saml/SAMLConfig.h>
  19 #include <saml/saml2/metadata/Metadata.h>
  20 #include <saml/saml2/metadata/MetadataCredentialCriteria.h>
  21 #include <saml/saml2/metadata/MetadataProvider.h>
  22 #include <xmltooling/security/AbstractPKIXTrustEngine.h>
  23 #include <xmltooling/security/X509Credential.h>
  24
  25 using namespace opensaml::saml2;
  26 using namespace opensaml::saml2md;
  27 using namespace xmlsignature;
  28
  29 namespace {
  30     class SampleTrustEngine : public AbstractPKIXTrustEngine {
  31     public:
  32         SampleTrustEngine() {}
  33         ~SampleTrustEngine() {}
  34
  35         class SampleIterator : public PKIXValidationInfoIterator {
  36             CredentialResolver* m_resolver;
  37             mutable vector<XSECCryptoX509CRL*> m_crls;
  38             bool m_done;
  39         public:
  40             SampleIterator() : m_resolver(NULL), m_done(false) {
  41                 string config = data_path + "security/FilesystemCredentialResolver.xml";
  42                 ifstream in(config.c_str());
  43                 DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in);
  44                 XercesJanitor<DOMDocument> janitor(doc);
  45                 m_resolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(
  46                     FILESYSTEM_CREDENTIAL_RESOLVER,doc->getDocumentElement()
  47                     );
  48                 m_resolver->lock();
  49             }
  50
  51             ~SampleIterator() {
  52                 m_resolver->unlock();
  53                 delete m_resolver;
  54             }
  55
  56             bool next() {
  57                 if (m_done)
  58                     return false;
  59                 m_done = true;
  60                 return true;
  61             }
  62
  63             int getVerificationDepth() const {
  64                 return 0;
  65             }
  66
  67             const vector<XSECCryptoX509*>& getTrustAnchors() const {
  68                 return dynamic_cast<const X509Credential*>(m_resolver->resolve())->getEntityCertificateChain();
  69             }
  70
  71             const vector<XSECCryptoX509CRL*>& getCRLs() const {
  72                 XSECCryptoX509CRL* crl = dynamic_cast<const X509Credential*>(m_resolver->resolve())->getCRL();
  73                 if (crl)
  74                     m_crls.push_back(crl);
  75                 return m_crls;
  76             }
  77         };
  78
  79         PKIXValidationInfoIterator* getPKIXValidationInfoIterator(
  80             const CredentialResolver& credResolver, CredentialCriteria* criteria=NULL, const KeyInfoResolver* keyInfoResolver=NULL
  81             ) const {
  82             dynamic_cast<const MetadataCredentialCriteria*>(criteria);
  83             return new SampleIterator();
  84         }
  85     };
  86 };
  87
  88 class AbstractPKIXTrustEngineTest : public CxxTest::TestSuite, public SAMLObjectBaseTestCase {
  89 public:
  90     void setUp() {
  91         SAMLObjectBaseTestCase::setUp();
  92     }
  93
  94     void tearDown() {
  95         SAMLObjectBaseTestCase::tearDown();
  96     }
  97
  98     void testAbstractPKIXTrustEngine() {
  99         string config = data_path + "security/XMLMetadataProvider.xml";
 100         ifstream in(config.c_str());
 101         DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in);
 102         XercesJanitor<DOMDocument> janitor(doc);
 103
 104         auto_ptr_XMLCh path("path");
 105         string s = data_path + "security/example-metadata.xml";
 106         auto_ptr_XMLCh file(s.c_str());
 107         doc->getDocumentElement()->setAttributeNS(NULL,path.get(),file.get());
 108
 109         // Build metadata provider.
 110         auto_ptr<MetadataProvider> metadataProvider(
 111             opensaml::SAMLConfig::getConfig().MetadataProviderManager.newPlugin(XML_METADATA_PROVIDER,doc->getDocumentElement())
 112             );
 113         try {
 114             metadataProvider->init();
 115         }
 116         catch (XMLToolingException& ex) {
 117             TS_TRACE(ex.what());
 118             throw;
 119         }
 120
 121         // Build trust engine.
 122         auto_ptr<TrustEngine> trustEngine(new SampleTrustEngine());
 123
 124         // Get signed assertion.
 125         config = data_path + "signature/SAML2Assertion.xml";
 126         ifstream in2(config.c_str());
 127         DOMDocument* doc2=XMLToolingConfig::getConfig().getParser().parse(in2);
 128         XercesJanitor<DOMDocument> janitor2(doc2);
 129         auto_ptr<Assertion> assertion(dynamic_cast<Assertion*>(XMLObjectBuilder::getBuilder(doc2->getDocumentElement())->buildFromDocument(doc2)));
 130         janitor2.release();
 131
 132         Locker locker(metadataProvider.get());
 133         const EntityDescriptor* descriptor = metadataProvider->getEntityDescriptor("https://idp.example.org");
 134         TSM_ASSERT("Retrieved entity descriptor was null", descriptor!=NULL);
 135
 136         RoleDescriptor* role=descriptor->getIDPSSODescriptors().front();
 137         TSM_ASSERT("Role not present", role!=NULL);
 138
 139         Signature* sig=assertion->getSignature();
 140         TSM_ASSERT("Signature not present", sig!=NULL);
 141
 142         MetadataCredentialCriteria cc(*role);
 143         cc.setPeerName("https://idp.example.org");
 144         TSM_ASSERT("Signature failed to validate.", trustEngine->validate(*sig, *metadataProvider, &cc));
 145
 146         descriptor = metadataProvider->getEntityDescriptor("https://idp2.example.org");
 147         TSM_ASSERT("Retrieved entity descriptor was null", descriptor!=NULL);
 148
 149         role=descriptor->getIDPSSODescriptors().front();
 150         TSM_ASSERT("Role not present", role!=NULL);
 151
 152         MetadataCredentialCriteria cc2(*role);
 153         cc2.setPeerName("https://idp2.example.org");
 154         TSM_ASSERT("Signature validated.", !trustEngine->validate(*sig, *metadataProvider, &cc2));
 155     }
 156 };