samltest/security/AbstractPKIXTrustEngineTest.h

   1 /*
   2  *  Copyright 2001-2006 Internet2
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *     http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 #include "internal.h"
  18 #include <saml/SAMLConfig.h>
  19 #include <saml/security/AbstractPKIXTrustEngine.h>
  20 #include <saml/saml2/metadata/MetadataProvider.h>
  21
  22 using namespace opensaml::saml2;
  23 using namespace opensaml::saml2md;
  24 using namespace xmlsignature;
  25
  26 namespace {
  27     class SampleTrustEngine : public AbstractPKIXTrustEngine {
  28     public:
  29         SampleTrustEngine() {}
  30         ~SampleTrustEngine() {}
  31
  32         class SampleIterator : public PKIXValidationInfoIterator {
  33             vector<XSECCryptoX509CRL*> m_crls;
  34             KeyResolver::ResolvedCertificates m_certs;
  35             KeyResolver* m_resolver;
  36             bool m_done;
  37         public:
  38             SampleIterator() : m_resolver(NULL), m_done(false) {
  39                 string config = data_path + "security/FilesystemKeyResolver.xml";
  40                 ifstream in(config.c_str());
  41                 DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in);
  42                 XercesJanitor<DOMDocument> janitor(doc);
  43                 m_resolver = XMLToolingConfig::getConfig().KeyResolverManager.newPlugin(
  44                     FILESYSTEM_KEY_RESOLVER,doc->getDocumentElement()
  45                     );
  46                 m_resolver->resolveCertificates((KeyInfo*)NULL,m_certs);
  47             }
  48
  49             ~SampleIterator() {
  50                 delete m_resolver;
  51             }
  52
  53             bool next() {
  54                 if (m_done)
  55                     return false;
  56                 m_done = true;
  57                 return true;
  58             }
  59
  60             int getVerificationDepth() const {
  61                 return 0;
  62             }
  63
  64             const vector<XSECCryptoX509*>& getTrustAnchors() const {
  65                 return m_certs.v();
  66             }
  67
  68             const vector<XSECCryptoX509CRL*>& getCRLs() const {
  69                 return m_crls;
  70             }
  71         };
  72
  73         PKIXValidationInfoIterator* getPKIXValidationInfoIterator(const RoleDescriptor& role) const {
  74             return new SampleIterator();
  75         }
  76     };
  77 };
  78
  79 class AbstractPKIXTrustEngineTest : public CxxTest::TestSuite, public SAMLObjectBaseTestCase {
  80 public:
  81     void setUp() {
  82         SAMLObjectBaseTestCase::setUp();
  83     }
  84
  85     void tearDown() {
  86         SAMLObjectBaseTestCase::tearDown();
  87     }
  88
  89     void testExplicitKeyTrustEngine() {
  90         string config = data_path + "security/FilesystemMetadataProvider.xml";
  91         ifstream in(config.c_str());
  92         DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in);
  93         XercesJanitor<DOMDocument> janitor(doc);
  94
  95         auto_ptr_XMLCh path("path");
  96         string s = data_path + "security/example-metadata.xml";
  97         auto_ptr_XMLCh file(s.c_str());
  98         doc->getDocumentElement()->setAttributeNS(NULL,path.get(),file.get());
  99
 100         // Build metadata provider.
 101         auto_ptr<MetadataProvider> metadataProvider(
 102             SAMLConfig::getConfig().MetadataProviderManager.newPlugin(FILESYSTEM_METADATA_PROVIDER,doc->getDocumentElement())
 103             );
 104         try {
 105             metadataProvider->init();
 106         }
 107         catch (XMLToolingException& ex) {
 108             TS_TRACE(ex.what());
 109             throw;
 110         }
 111
 112         // Build trust engine.
 113         auto_ptr<opensaml::TrustEngine> trustEngine(new SampleTrustEngine());
 114
 115         // Get signed assertion.
 116         config = data_path + "signature/SAML2Assertion.xml";
 117         ifstream in2(config.c_str());
 118         DOMDocument* doc2=XMLToolingConfig::getConfig().getParser().parse(in2);
 119         XercesJanitor<DOMDocument> janitor2(doc2);
 120         auto_ptr<Assertion> assertion(dynamic_cast<Assertion*>(XMLObjectBuilder::getBuilder(doc2->getDocumentElement())->buildFromDocument(doc2)));
 121         janitor2.release();
 122
 123         Locker locker(metadataProvider.get());
 124         const EntityDescriptor* descriptor = metadataProvider->getEntityDescriptor("https://idp.example.org");
 125         TSM_ASSERT("Retrieved entity descriptor was null", descriptor!=NULL);
 126
 127         RoleDescriptor* role=descriptor->getIDPSSODescriptors().front();
 128         TSM_ASSERT("Role not present", role!=NULL);
 129
 130         Signature* sig=assertion->getSignature();
 131         TSM_ASSERT("Signature not present", sig!=NULL);
 132         TSM_ASSERT("Signature failed to validate.", trustEngine->validate(*sig, *role, metadataProvider->getKeyResolver()));
 133
 134         descriptor = metadataProvider->getEntityDescriptor("https://idp2.example.org");
 135         TSM_ASSERT("Retrieved entity descriptor was null", descriptor!=NULL);
 136
 137         role=descriptor->getIDPSSODescriptors().front();
 138         TSM_ASSERT("Role not present", role!=NULL);
 139
 140         TSM_ASSERT("Signature validated.", !trustEngine->validate(*sig, *role, metadataProvider->getKeyResolver()));
 141     }
 142 };