
1   /*
2    * The MIT License
3    *
4    * Original work sponsored and donated by National Board of e-Health (NSI), Denmark (http://www.nsi.dk)
5    *
6    * Copyright (C) 2011 National Board of e-Health (NSI), Denmark (http://www.nsi.dk)
7    *
8    * Permission is hereby granted, free of charge, to any person obtaining a copy of
9    * this software and associated documentation files (the "Software"), to deal in
10   * the Software without restriction, including without limitation the rights to
11   * use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
12   * of the Software, and to permit persons to whom the Software is furnished to do
13   * so, subject to the following conditions:
14   *
15   * The above copyright notice and this permission notice shall be included in all
16   * copies or substantial portions of the Software.
17   *
18   * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19   * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20   * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
21   * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22   * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23   * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
24   * SOFTWARE.
25   *
26   * $HeadURL$
27   * $Id$
28   */
29  
30  package dk.sosi.seal.model;
31  
32  import static junit.framework.Assert.assertEquals;
33  import static junit.framework.Assert.assertFalse;
34  import static junit.framework.Assert.assertNotNull;
35  import static junit.framework.Assert.assertTrue;
36  
37  import java.text.ParseException;
38  import java.util.Date;
39  import java.util.UUID;
40  
41  import org.apache.xml.security.exceptions.XMLSecurityException;
42  import org.junit.After;
43  import org.junit.Before;
44  import org.junit.Rule;
45  import org.junit.Test;
46  import org.junit.rules.ExpectedException;
47  import org.w3c.dom.Document;
48  import org.w3c.dom.Element;
49  import org.w3c.dom.Node;
50  
51  import dk.sosi.seal.model.constants.DSTags;
52  import dk.sosi.seal.model.constants.IDValues;
53  import dk.sosi.seal.model.constants.LibertyAttributes;
54  import dk.sosi.seal.model.constants.LibertyTags;
55  import dk.sosi.seal.model.constants.NameSpaces;
56  import dk.sosi.seal.model.constants.SAMLTags;
57  import dk.sosi.seal.model.constants.SOAPTags;
58  import dk.sosi.seal.model.constants.WSATags;
59  import dk.sosi.seal.model.constants.WSSE11Attributes;
60  import dk.sosi.seal.model.constants.WSSEAttributes;
61  import dk.sosi.seal.model.constants.WSSETags;
62  import dk.sosi.seal.model.constants.WSUAttributes;
63  import dk.sosi.seal.model.constants.WSUTags;
64  import dk.sosi.seal.modelbuilders.ModelBuildException;
65  import dk.sosi.seal.vault.EmptyCredentialVault;
66  import dk.sosi.seal.xml.XmlUtil;
67  
68  /**
69   * @author $LastChangedBy:$ $LastChangedDate:$
70   * @version $Revision:$
71   */
72  public class LibertyRequestDOMEnhancerTest extends AbstractModelTest {
73  
74      @Rule
75      public ExpectedException expectedException = ExpectedException.none();
76  
77      private Document document;
78      private Element envelope;
79      private Element header;
80      private Element body;
81      private IdentityToken identityToken;
82  
83      @Before
84      public void setUp() {
85          document = XmlUtil.createEmptyDocument();
86          envelope = document.createElementNS(NameSpaces.SOAP_SCHEMA, SOAPTags.ENVELOPE_PREFIXED);
87          document.appendChild(envelope);
88          header = document.createElementNS(NameSpaces.SOAP_SCHEMA, SOAPTags.HEADER_PREFIXED);
89          envelope.appendChild(header);
90          body = document.createElementNS(NameSpaces.SOAP_SCHEMA, SOAPTags.BODY_PREFIXED);
91          envelope.appendChild(body);
92          identityToken = createBuilder().build();
93      }
94  
95      @After
96      public void tearDown() {
97          document = null;
98          envelope = null;
99          header = null;
100         body = null;
101         identityToken = null;
102     }
103 
104     @Test
105     public void testNullCredentialVault() {
106         expectedException.expect(IllegalArgumentException.class);
107         expectedException.expectMessage("CredentialVault cannot be null");
108 
109         new LibertyRequestDOMEnhancer(null, document);
110     }
111 
112     @Test
113     public void testNullDocument() {
114         expectedException.expect(IllegalArgumentException.class);
115         expectedException.expectMessage("Document cannot be null");
116 
117         new LibertyRequestDOMEnhancer(new EmptyCredentialVault(), null);
118     }
119 
120     @Test
121     public void testNullWSAddressingMessageID() {
122         expectedException.expect(IllegalArgumentException.class);
123         expectedException.expectMessage("'wsAddressingMessageID' cannot be null or empty");
124 
125         final LibertyRequestDOMEnhancer enhancer = new LibertyRequestDOMEnhancer(credentialVault, document);
126         enhancer.setWSAddressingMessageID(null);
127     }
128 
129     @Test
130     public void testEmptyWSAddressingMessageID() {
131         expectedException.expect(IllegalArgumentException.class);
132         expectedException.expectMessage("'wsAddressingMessageID' cannot be null or empty");
133 
134         final LibertyRequestDOMEnhancer enhancer = new LibertyRequestDOMEnhancer(credentialVault, document);
135         enhancer.setWSAddressingMessageID("");
136     }
137 
138     @Test
139     public void testNullWSAddressingAction() {
140         expectedException.expect(IllegalArgumentException.class);
141         expectedException.expectMessage("'wsAddressingAction' cannot be null or empty");
142 
143         final LibertyRequestDOMEnhancer enhancer = new LibertyRequestDOMEnhancer(credentialVault, document);
144         enhancer.setWSAddressingAction(null);
145     }
146 
147     @Test
148     public void testEmptyWSAddressingAction() {
149         expectedException.expect(IllegalArgumentException.class);
150         expectedException.expectMessage("'wsAddressingAction' cannot be null or empty");
151 
152         final LibertyRequestDOMEnhancer enhancer = new LibertyRequestDOMEnhancer(credentialVault, document);
153         enhancer.setWSAddressingAction("");
154     }
155 
156     @Test
157     public void testNullWSAddressingTo() {
158         expectedException.expect(IllegalArgumentException.class);
159         expectedException.expectMessage("'wsAddressingTo' cannot be null or empty");
160 
161         final LibertyRequestDOMEnhancer enhancer = new LibertyRequestDOMEnhancer(credentialVault, document);
162         enhancer.setWSAddressingTo(null);
163     }
164 
165     @Test
166     public void testEmptyWSAddressingTo() {
167         expectedException.expect(IllegalArgumentException.class);
168         expectedException.expectMessage("'wsAddressingTo' cannot be null or empty");
169 
170         final LibertyRequestDOMEnhancer enhancer = new LibertyRequestDOMEnhancer(credentialVault, document);
171         enhancer.setWSAddressingTo("");
172     }
173 
174     @Test
175     public void testNullIdentityToken() {
176         expectedException.expect(IllegalArgumentException.class);
177         expectedException.expectMessage("'identityToken' cannot be null");
178 
179         final LibertyRequestDOMEnhancer enhancer = new LibertyRequestDOMEnhancer(credentialVault, document);
180         enhancer.setIdentityToken(null);
181     }
182 
183     @Test
184     public void testSchemaValidationOK() {
185         new LibertyRequestDOMEnhancer(credentialVault, document);
186     }
187 
188     @Test
189     public void testSchemaValidationIdAttributeOnEnvelope() {
190         envelope.setAttribute(IDValues.id, "envelope");
191         new LibertyRequestDOMEnhancer(credentialVault, document);
192     }
193 
194     @Test(expected = ModelBuildException.class)
195     public void testSchemaValidationMissingBody() {
196         envelope.removeChild(body);
197 
198         new LibertyRequestDOMEnhancer(credentialVault, document);
199     }
200 
201     @Test
202     public void testMissingRequiredWSAddressingAction() {
203         expectedException.expect(ModelBuildException.class);
204         expectedException.expectMessage("Required element 'Action' in namespace 'http://www.w3.org/2005/08/addressing' not present in document. Failed to set it as no value has been provided for it.");
205 
206         final LibertyRequestDOMEnhancer enhancer = new LibertyRequestDOMEnhancer(credentialVault, document);
207         enhancer.setIdentityToken(identityToken);
208         enhancer.enhanceAndSign();
209     }
210 
211     @Test
212     public void testMissingRequiredIdentityToken() {
213         expectedException.expect(ModelBuildException.class);
214 
215         final LibertyRequestDOMEnhancer enhancer = new LibertyRequestDOMEnhancer(credentialVault, document);
216         enhancer.setWSAddressingAction("http://foo.com#bar");
217         enhancer.enhanceAndSign();
218     }
219 
220     @Test
221     public void testSetIdAttributesAndRequiredHeaders() {
222         final LibertyRequestDOMEnhancer enhancer = new LibertyRequestDOMEnhancer(credentialVault, document);
223         enhancer.setWSAddressingAction("http://foo.com#bar");
224         enhancer.setIdentityToken(identityToken);
225         enhancer.enhanceAndSign();
226 
227         assertEquals("body", body.getAttributeNS(NameSpaces.WSU_SCHEMA, WSUAttributes.ID_UNPREFIXED));
228 
229         final Element messageID = XmlUtil.getFirstChildElementNS(header, NameSpaces.WSA_1_0_SCHEMA, WSATags.MESSAGE_ID);
230         assertNotNull(messageID);
231         assertTrue(messageID.getTextContent().startsWith("urn:uuid:"));
232         assertNotNull(UUID.fromString(messageID.getTextContent().substring("urn:uuid:".length())));
233         final String messageIDWsuId = messageID.getAttributeNS(NameSpaces.WSU_SCHEMA, WSUAttributes.ID_UNPREFIXED);
234         assertEquals("messageID", messageIDWsuId);
235 
236         final Element action = XmlUtil.getFirstChildElementNS(header, NameSpaces.WSA_1_0_SCHEMA, WSATags.ACTION);
237         assertNotNull(action);
238         assertEquals("http://foo.com#bar", action.getTextContent());
239         final String actionWsuId = action.getAttributeNS(NameSpaces.WSU_SCHEMA, WSUAttributes.ID_UNPREFIXED);
240         assertEquals("action", actionWsuId);
241 
242         final Element framework = XmlUtil.getFirstChildElementNS(header, NameSpaces.LIBERTY_SBF_SCHEMA, LibertyTags.FRAMEWORK);
243         assertNotNull(framework);
244         assertEquals("2.0", framework.getAttribute(LibertyAttributes.VERSION));
245         assertEquals("urn:liberty:sb:profile:basic", framework.getAttributeNS(NameSpaces.LIBERTY_SBF_PROFILE_SCHEMA, LibertyAttributes.PROFILE));
246         final String frameworkWsuId = framework.getAttributeNS(NameSpaces.WSU_SCHEMA, WSUAttributes.ID_UNPREFIXED);
247         assertEquals("sbf", frameworkWsuId);
248     }
249 
250     @Test
251     public void testSetOptionalHeaders() {
252         final LibertyRequestDOMEnhancer enhancer = new LibertyRequestDOMEnhancer(credentialVault, document);
253         enhancer.setWSAddressingAction("http://foo.com#bar");
254         enhancer.setIdentityToken(identityToken);
255 
256         enhancer.setWSAddressingMessageID("1234");
257         enhancer.setWSAddressingTo("http://bar.com");
258 
259         enhancer.enhanceAndSign();
260 
261         final Element messageID = XmlUtil.getFirstChildElementNS(header, NameSpaces.WSA_1_0_SCHEMA, WSATags.MESSAGE_ID);
262         assertEquals("1234", messageID.getTextContent());
263 
264         final Element to = XmlUtil.getFirstChildElementNS(header, NameSpaces.WSA_1_0_SCHEMA, WSATags.TO);
265         assertEquals("http://bar.com", to.getTextContent());
266 
267     }
268 
269     @Test
270     public void testIdAttributesAndHeadersAlreadyPresent() {
271         body.setAttributeNS(NameSpaces.WSU_SCHEMA, WSUAttributes.ID_PREFIXED, "fooBody");
272 
273         final Element messageID = document.createElementNS(NameSpaces.WSA_1_0_SCHEMA, WSATags.MESSAGE_ID_PREFIXED);
274         messageID.setAttributeNS(NameSpaces.WSU_SCHEMA, WSUAttributes.ID_PREFIXED, "fooMessageID");
275         messageID.setTextContent("2345");
276         header.appendChild(messageID);
277 
278         final Element action = document.createElementNS(NameSpaces.WSA_1_0_SCHEMA, WSATags.ACTION_PREFIXED);
279         action.setAttributeNS(NameSpaces.WSU_SCHEMA, WSUAttributes.ID_PREFIXED, "fooAction");
280         action.setTextContent("http://foo.com#bar");
281         header.appendChild(action);
282 
283         final Element to = document.createElementNS(NameSpaces.WSA_1_0_SCHEMA, WSATags.TO_PREFIXED);
284         to.setAttributeNS(NameSpaces.WSU_SCHEMA, WSUAttributes.ID_PREFIXED, "fooTo");
285         to.setTextContent("http://foo.com");
286         header.appendChild(to);
287 
288         final Element framework = document.createElementNS(NameSpaces.LIBERTY_SBF_SCHEMA, LibertyTags.FRAMEWORK_PREFIXED);
289         framework.setAttributeNS(NameSpaces.WSU_SCHEMA, WSUAttributes.ID_PREFIXED, "fooSBF");
290         header.appendChild(framework);
291 
292         final LibertyRequestDOMEnhancer enhancer = new LibertyRequestDOMEnhancer(credentialVault, document);
293         enhancer.setIdentityToken(identityToken);
294         enhancer.enhanceAndSign();
295 
296         assertEquals("fooBody", body.getAttributeNS(NameSpaces.WSU_SCHEMA, WSUAttributes.ID_UNPREFIXED));
297         assertEquals("fooMessageID", messageID.getAttributeNS(NameSpaces.WSU_SCHEMA, WSUAttributes.ID_UNPREFIXED));
298         assertEquals("fooAction", action.getAttributeNS(NameSpaces.WSU_SCHEMA, WSUAttributes.ID_UNPREFIXED));
299         assertEquals("fooTo", to.getAttributeNS(NameSpaces.WSU_SCHEMA, WSUAttributes.ID_UNPREFIXED));
300         assertEquals("fooSBF", framework.getAttributeNS(NameSpaces.WSU_SCHEMA, WSUAttributes.ID_UNPREFIXED));
301 
302         assertEquals("2345", messageID.getTextContent());
303         assertEquals("http://foo.com#bar", action.getTextContent());
304         assertEquals("http://foo.com", to.getTextContent());
305     }
306 
307     @Test
308     public void testReplaceExistingHeaders() {
309         final Element messageID = document.createElementNS(NameSpaces.WSA_1_0_SCHEMA, WSATags.MESSAGE_ID_PREFIXED);
310         messageID.setTextContent("3456");
311         header.appendChild(messageID);
312 
313         final Element action = document.createElementNS(NameSpaces.WSA_1_0_SCHEMA, WSATags.ACTION_PREFIXED);
314         action.setTextContent("http://foo.com#bar");
315         header.appendChild(action);
316 
317         final Element to = document.createElementNS(NameSpaces.WSA_1_0_SCHEMA, WSATags.TO_PREFIXED);
318         to.setTextContent("http://bar.dk");
319         header.appendChild(to);
320 
321         final Element framework = document.createElementNS(NameSpaces.LIBERTY_SBF_SCHEMA, LibertyTags.FRAMEWORK_PREFIXED);
322         framework.setAttribute(LibertyAttributes.VERSION, "1.0");
323         framework.setAttributeNS(NameSpaces.LIBERTY_SBF_PROFILE_SCHEMA, LibertyAttributes.PROFILE_PREFIXED, "foo");
324         header.appendChild(framework);
325 
326         final LibertyRequestDOMEnhancer enhancer = new LibertyRequestDOMEnhancer(credentialVault, document);
327         enhancer.setWSAddressingMessageID("1234");
328         enhancer.setWSAddressingAction("http://bar.com#Issue");
329         enhancer.setWSAddressingTo("http://foo.dk");
330         enhancer.setIdentityToken(identityToken);
331         enhancer.enhanceAndSign();
332 
333         assertEquals("1234", messageID.getTextContent());
334         assertEquals("http://bar.com#Issue", action.getTextContent());
335         assertEquals("http://foo.dk", to.getTextContent());
336         assertEquals("2.0", framework.getAttribute(LibertyAttributes.VERSION));
337         assertEquals("urn:liberty:sb:profile:basic", framework.getAttributeNS(NameSpaces.LIBERTY_SBF_PROFILE_SCHEMA, LibertyAttributes.PROFILE));
338     }
339 
340     @Test
341     public void testOldWSAddressingVersion() {
342         expectedException.expect(ModelException.class);
343         expectedException.expectMessage("Document contains WS-Addressing headers in 'http://schemas.xmlsoap.org/ws/2004/08/addressing' namespace. " + "Only WS-Addressing 1.0 (namespace 'http://www.w3.org/2005/08/addressing') supported as required by the Liberty Basic SOAP Binding is supported.");
344 
345         final Element action = document.createElementNS(NameSpaces.WSA_SCHEMA, WSATags.ACTION_PREFIXED);
346         action.setTextContent("http://foo.dk#Revoke");
347         header.appendChild(action);
348 
349         minimalEnhanceAndSign();
350     }
351 
352     @Test
353     public void testExistingWSSecurityHeader() {
354         expectedException.expect(ModelException.class);
355         expectedException.expectMessage("Document already contains a WS-Security header!");
356 
357         final Element security = document.createElementNS(NameSpaces.WSSE_SCHEMA, WSSETags.SECURITY);
358         header.appendChild(security);
359 
360         minimalEnhanceAndSign();
361     }
362 
363     @Test
364     public void testWSSecurityHeader() throws ParseException {
365         minimalEnhanceAndSign();
366 
367         final Element securityHeader = XmlUtil.getFirstChildElementNS(header, NameSpaces.WSSE_SCHEMA, WSSETags.SECURITY);
368         assertNotNull(securityHeader);
369         assertEquals("1", securityHeader.getAttribute("mustUnderstand"));
370 
371         final Element timestamp = XmlUtil.getFirstChildElementNS(securityHeader, NameSpaces.WSU_SCHEMA, WSUTags.TIMESTAMP);
372         assertNotNull(timestamp);
373         assertEquals("ts", timestamp.getAttributeNS(NameSpaces.WSU_SCHEMA, WSUAttributes.ID_UNPREFIXED));
374         final Element created = XmlUtil.getFirstChildElementNS(timestamp, NameSpaces.WSU_SCHEMA, WSUTags.CREATED);
375         assertNotNull(created);
376         assertNotNull(XmlUtil.fromXMLTimeStamp(created.getTextContent()));
377 
378         final Element samlAssertion = XmlUtil.getFirstChildElementNS(securityHeader, NameSpaces.SAML2ASSERTION_SCHEMA, SAMLTags.ASSERTION);
379         assertNotNull(samlAssertion);
380         // TODO assertEquals on identityTokens, but we need a method to deserialize an identitytoken ....
381 
382         final Element securityTokenReference = XmlUtil.getFirstChildElementNS(securityHeader, NameSpaces.WSSE_SCHEMA, WSSETags.SECURITY_TOKEN_REFERENCE);
383         assertNotNull(securityTokenReference);
384         assertEquals("str", securityTokenReference.getAttributeNS(NameSpaces.WSU_SCHEMA, WSUAttributes.ID_UNPREFIXED));
385         assertEquals("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0", securityTokenReference.getAttributeNS(NameSpaces.WSSE_1_1_SCHEMA, WSSE11Attributes.TOKEN_TYPE));
386 
387         final Element keyIdentifier = XmlUtil.getFirstChildElementNS(securityTokenReference, NameSpaces.WSSE_SCHEMA, WSSETags.KEY_IDENTIFIER);
388         assertNotNull(keyIdentifier);
389         assertEquals("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID", keyIdentifier.getAttribute(WSSEAttributes.VALUE_TYPE));
390         assertEquals(identityToken.getID(), keyIdentifier.getTextContent());
391 
392     }
393 
394     @Test
395     public void testSignatureOnIdentityToken() {
396         final Element libertySignature = minimalEnhanceAndSign();
397 
398         final Element assertion = (Element)header.getElementsByTagNameNS(NameSpaces.SAML2ASSERTION_SCHEMA, SAMLTags.ASSERTION).item(0);
399         final Element tokenSignature = XmlUtil.getFirstChildElementNS(assertion, NameSpaces.DSIG_SCHEMA, DSTags.SIGNATURE);
400 
401         final Node digestValueNode = libertySignature.getElementsByTagNameNS(NameSpaces.DSIG_SCHEMA, "DigestValue").item(0);
402         final String digest = digestValueNode.getTextContent();
403 
404         assertTrue(SignatureUtil.validate(libertySignature, getMockFederation(), null, true));
405         assertTrue(SignatureUtil.validate(tokenSignature, getMockFederation(), null, true));
406 
407         digestValueNode.setTextContent("FOO");
408         assertFalse(SignatureUtil.validate(libertySignature, getMockFederation(), null, true));
409         assertTrue(SignatureUtil.validate(tokenSignature, getMockFederation(), null, true));
410 
411         digestValueNode.setTextContent(digest);
412         assertTrue(SignatureUtil.validate(libertySignature, getMockFederation(), null, true));
413 
414         header.getElementsByTagNameNS(NameSpaces.SAML2ASSERTION_SCHEMA, "Audience").item(0).setTextContent("BAR");
415         assertFalse(SignatureUtil.validate(libertySignature, getMockFederation(), null, true));
416         assertFalse(SignatureUtil.validate(tokenSignature, getMockFederation(), null, true));
417 
418     }
419 
420     @Test
421     public void testSignatureOnWSAddressingMessageID() {
422         final Element libertySignature = minimalEnhanceAndSign();
423 
424         assertTrue(SignatureUtil.validate(libertySignature, getMockFederation(), null, true));
425 
426         final Element messageID = XmlUtil.getFirstChildElementNS(header, NameSpaces.WSA_1_0_SCHEMA, WSATags.MESSAGE_ID);
427         messageID.setTextContent(messageID.getTextContent() + "XXX");
428 
429         assertFalse(SignatureUtil.validate(libertySignature, getMockFederation(), null, true));
430     }
431 
432     @Test
433     public void testSignatureOnWSAddressingAction() {
434         final Element libertySignature = minimalEnhanceAndSign();
435 
436         assertTrue(SignatureUtil.validate(libertySignature, getMockFederation(), null, true));
437 
438         final Element action = XmlUtil.getFirstChildElementNS(header, NameSpaces.WSA_1_0_SCHEMA, WSATags.ACTION);
439         action.setTextContent(action.getTextContent() + "XXX");
440 
441         assertFalse(SignatureUtil.validate(libertySignature, getMockFederation(), null, true));
442     }
443 
444     @Test
445     public void testSignatureOnWSAddressingTo() {
446         final LibertyRequestDOMEnhancer enhancer = new LibertyRequestDOMEnhancer(credentialVault, document);
447         enhancer.setWSAddressingAction("http://foo.com#bar");
448         enhancer.setWSAddressingTo("http://foo.com");
449         enhancer.setIdentityToken(identityToken);
450         enhancer.enhanceAndSign();
451 
452         final Element security = (Element)header.getLastChild();
453         final Element libertySignature = (Element)security.getLastChild();
454 
455         assertTrue(SignatureUtil.validate(libertySignature, getMockFederation(), null, true));
456 
457         final Element to = XmlUtil.getFirstChildElementNS(header, NameSpaces.WSA_1_0_SCHEMA, WSATags.TO);
458         to.setTextContent(to.getTextContent() + "XXX");
459 
460         assertFalse(SignatureUtil.validate(libertySignature, getMockFederation(), null, true));
461     }
462 
463     @Test
464     public void testSignatureOnLibertyFrameworkHeader() {
465         final Element libertySignature = minimalEnhanceAndSign();
466 
467         assertTrue(SignatureUtil.validate(libertySignature, getMockFederation(), null, true));
468 
469         final Element framework = XmlUtil.getFirstChildElementNS(header, NameSpaces.LIBERTY_SBF_SCHEMA, LibertyTags.FRAMEWORK);
470         framework.setTextContent(framework.getTextContent() + "XXX");
471 
472         assertFalse(SignatureUtil.validate(libertySignature, getMockFederation(), null, true));
473     }
474 
475     @Test
476     public void testSignatureOnTimestamp() throws ParseException {
477         final Element libertySignature = minimalEnhanceAndSign();
478 
479         assertTrue(SignatureUtil.validate(libertySignature, getMockFederation(), null, true));
480 
481         final Node wsuCreated = XmlUtil.getFirstChildElementNS(header, NameSpaces.WSSE_SCHEMA, WSSETags.SECURITY).getFirstChild().getFirstChild();
482         final Date date = XmlUtil.fromXMLTimeStamp(wsuCreated.getTextContent());
483         wsuCreated.setTextContent(XmlUtil.toXMLTimeStamp(new Date(date.getTime() + 1000), true));
484 
485         assertFalse(SignatureUtil.validate(libertySignature, getMockFederation(), null, true));
486     }
487 
488     @Test
489     public void testSignatureOnBody() {
490         final Element libertySignature = minimalEnhanceAndSign();
491 
492         assertTrue(SignatureUtil.validate(libertySignature, getMockFederation(), null, true));
493 
494         body.setAttribute("foo", "bar");
495 
496         assertFalse(SignatureUtil.validate(libertySignature, getMockFederation(), null, true));
497     }
498 
499     @Test
500     public void testSerializeToString() throws XMLSecurityException {
501         minimalEnhanceAndSign();
502         final String xml = XmlUtil.node2String(document);
503         final Document doc = XmlUtil.readXml(System.getProperties(), xml, false);
504 
505         final String c14NStringMessageIDBefore = SignatureUtil.getC14NString(XmlUtil.getFirstChildElementNS(header, NameSpaces.WSA_1_0_SCHEMA, WSATags.MESSAGE_ID));
506         final String c14NStringMessageIDAfter = SignatureUtil.getC14NString(XmlUtil.getFirstChildElementNS((Element)doc.getDocumentElement().getFirstChild(), NameSpaces.WSA_1_0_SCHEMA, WSATags.MESSAGE_ID));
507         assertEquals(c14NStringMessageIDBefore, c14NStringMessageIDAfter);
508 
509         final String c14NStringActionBefore = SignatureUtil.getC14NString(XmlUtil.getFirstChildElementNS(header, NameSpaces.WSA_1_0_SCHEMA, WSATags.ACTION));
510         final String c14NStringActionAfter = SignatureUtil.getC14NString(XmlUtil.getFirstChildElementNS((Element)doc.getDocumentElement().getFirstChild(), NameSpaces.WSA_1_0_SCHEMA, WSATags.ACTION));
511         assertEquals(c14NStringActionBefore, c14NStringActionAfter);
512 
513         final String c14NStringLibertyFrameworkBefore = SignatureUtil.getC14NString(XmlUtil.getFirstChildElementNS(header, NameSpaces.LIBERTY_SBF_SCHEMA, LibertyTags.FRAMEWORK));
514         final String c14NStringLibertyFrameworkAfter = SignatureUtil.getC14NString(XmlUtil.getFirstChildElementNS((Element)doc.getDocumentElement().getFirstChild(), NameSpaces.LIBERTY_SBF_SCHEMA, LibertyTags.FRAMEWORK));
515         assertEquals(c14NStringLibertyFrameworkBefore, c14NStringLibertyFrameworkAfter);
516 
517         final Node libertySignature = doc.getDocumentElement().getFirstChild().getLastChild().getLastChild();
518 
519         final Element assertion = (Element)doc.getElementsByTagNameNS(NameSpaces.SAML2ASSERTION_SCHEMA, SAMLTags.ASSERTION).item(0);
520         final Element tokenSignature = XmlUtil.getFirstChildElementNS(assertion, NameSpaces.DSIG_SCHEMA, DSTags.SIGNATURE);
521 
522         assertTrue(SignatureUtil.validate(libertySignature, getMockFederation(), null, true));
523         assertTrue(SignatureUtil.validate(tokenSignature, getMockFederation(), null, true));
524 
525     }
526 
527     private Element minimalEnhanceAndSign() {
528         final LibertyRequestDOMEnhancer enhancer = new LibertyRequestDOMEnhancer(credentialVault, document);
529         enhancer.setWSAddressingAction("http://foo.com#bar");
530         enhancer.setIdentityToken(identityToken);
531         enhancer.enhanceAndSign();
532 
533         final Element security = (Element)header.getLastChild();
534         return (Element)security.getLastChild();
535     }
536 
537 }