Merge pull request #13 from walkIT-nl/feature/12-add-xua-x-service-pr…

…ovider-support

implement #12 add-xua-x-service-provider-support

pom.xml

@@ -28,13 +28,15 @@
                 <scope>import</scope>
                 <version>${ipf.version}</version>
             </dependency>
+            <!-- force-upgrade to 6.1.13 fixes ClassNotFound org.springframework.web.client.NoOpResponseErrorHandler -->
+            <dependency>
+                <groupId>org.springframework</groupId>
+                <artifactId>spring-web</artifactId>
+                <version>6.1.13</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
     <dependencies>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-web</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.apache.camel.springboot</groupId>
             <artifactId>camel-spring-boot-starter</artifactId>
@@ -108,6 +110,10 @@
             <groupId>org.openehealth.ipf.commons</groupId>
             <artifactId>ipf-commons-ihe-xua</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-ws-security</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.mock-server</groupId>
             <artifactId>mockserver-junit-jupiter-no-dependencies</artifactId>

src/main/java/org/openehealth/app/xdstofhir/registry/XdsSpringContext.java

@@ -13,6 +13,7 @@
 import org.apache.cxf.bus.spring.SpringBus;
 import org.apache.cxf.ext.logging.LoggingFeature;
 import org.openehealth.app.xdstofhir.registry.common.MappingSupport;
+import org.openehealth.app.xdstofhir.registry.common.RegistryConfiguration;
 import org.openehealth.app.xdstofhir.registry.common.fhir.MhdFolder;
 import org.openehealth.app.xdstofhir.registry.common.fhir.MhdSubmissionSet;
 import org.openehealth.ipf.commons.spring.map.config.CustomMappings;
@@ -23,6 +24,9 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.io.Resource;
 
+import static org.openehealth.app.xdstofhir.registry.common.Wss4jConfigurator.createWss4jInterceptor;
+import static org.openehealth.app.xdstofhir.registry.common.Wss4jConfigurator.createWss4jProperties;
+
 @Configuration
 public class XdsSpringContext {
 
@@ -65,6 +69,16 @@ CustomMappings customMapping() {
         mapping.setMappingResource(hl7v2fhirMapping);
         return mapping;
     }
+
+    @ConditionalOnProperty(value = "xds.xua.enabled", havingValue = "true")
+    @Bean
+    SmartInitializingSingleton applyXuaConfiguration(SpringBus springBus, RegistryConfiguration registryConfiguration) {
+    	return () -> {
+	        springBus.setProperties(createWss4jProperties(registryConfiguration.getXua()));
+	        springBus.getInInterceptors().add(createWss4jInterceptor());
+    	};
+    }
+
 
     /**
      * Verify after startup that the FHIR Server contain the required MHD FHIR profile and create them if not present.

src/main/java/org/openehealth/app/xdstofhir/registry/common/RegistryConfiguration.java

@@ -1,9 +1,13 @@
 package org.openehealth.app.xdstofhir.registry.common;
 
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
 import java.util.Map;
 
+import jakarta.validation.constraints.NotBlank;
 import lombok.Getter;
 import lombok.Setter;
+import org.cryptacular.util.CertUtil;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.stereotype.Component;
 
@@ -12,11 +16,12 @@
 @Getter
 @Setter
 public class RegistryConfiguration {
-
     private static final String DOCUMENT_UNIQUE_ID_PLACEHOLDER = "$documentUniqueId";
     private Map<String, String> repositoryEndpoint;
     private String unknownRepositoryId;
     private String defaultHash;
+    private XuaConfiguration xua;
+
 
     /**
      * Take a repositoryUniqueId and document uniqueid to build download URL where a client
@@ -43,4 +48,17 @@ public String repositoryFromUrl(String url) {
                 .map(Map.Entry::getKey).findFirst().orElse(unknownRepositoryId);
     }
 
+    @Getter
+    @Setter
+    public static class XuaConfiguration {
+        private boolean enabled;
+        @NotBlank
+        private String audienceRestriction = "https://xua.audien.ce";
+        private String[] trustedIdentityProviderCertificates = new String[0];
+
+        public X509Certificate[] getTrustedIdentityProviderCertificates() {
+            return Arrays.stream(trustedIdentityProviderCertificates).map(CertUtil::readCertificate)
+                    .toArray(X509Certificate[]::new);
+        }
+    }
 }

src/main/java/org/openehealth/app/xdstofhir/registry/common/Wss4jConfigurator.java

@@ -0,0 +1,23 @@
+package org.openehealth.app.xdstofhir.registry.common;
+
+import java.util.Map;
+
+import org.apache.cxf.rt.security.SecurityConstants;
+import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
+import org.apache.wss4j.common.ConfigurationConstants;
+import org.apache.wss4j.common.crypto.CertificateStore;
+
+import lombok.experimental.UtilityClass;
+
+@UtilityClass
+public class Wss4jConfigurator {
+    public static Map<String, Object> createWss4jProperties(RegistryConfiguration.XuaConfiguration xua) {
+        return Map.of(SecurityConstants.AUDIENCE_RESTRICTIONS, xua.getAudienceRestriction(), SecurityConstants.SIGNATURE_CRYPTO,
+                new CertificateStore(xua.getTrustedIdentityProviderCertificates()));
+    }
+
+    public static WSS4JInInterceptor createWss4jInterceptor() {
+        return new WSS4JInInterceptor(Map.of(ConfigurationConstants.ACTION, ConfigurationConstants.SAML_TOKEN_SIGNED));
+    }
+}
+

src/main/resources/application.properties

@@ -24,6 +24,11 @@ xds.endpoint.iti42=xds-iti42:registry/iti42
 xds.endpoint.iti62=rmd-iti62:registry/iti62
 xds.endpoint.iti8=xds-iti8:0.0.0.0:2575
 
+# Enable will verify SAML assertion
+xds.xua.enabled=false
+# If XUA is enabled, configure the path to 1 or more trusted certificated in PEM format
+#xds.xua.trusted-identity-provider-certificates=F:/git/xds-registry-to-fhir/src/main/resources/xds.cer
+
 fhir.server.profile.bootstrap=false
 
 ipf.atna.auditEnabled=true

src/test/java/org/openehealth/app/xdstofhir/registry/XdsToFhirApplicationWebServiceTestIT.java

@@ -0,0 +1,66 @@
+package org.openehealth.app.xdstofhir.registry;
+
+import jakarta.xml.ws.Dispatch;
+import jakarta.xml.ws.Service;
+import jakarta.xml.ws.soap.SOAPFaultException;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;
+import org.springframework.boot.test.system.CapturedOutput;
+import org.springframework.boot.test.system.OutputCaptureExtension;
+import org.springframework.boot.test.web.server.LocalServerPort;
+import org.springframework.test.context.TestPropertySource;
+
+import javax.xml.namespace.QName;
+import javax.xml.transform.Source;
+import javax.xml.transform.stream.StreamSource;
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.URL;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.springframework.test.util.AssertionErrors.assertEquals;
+
+@SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT)
+@TestPropertySource(properties = {"xds.xua.enabled=true"})
+@ExtendWith(OutputCaptureExtension.class)
+class XdsToFhirApplicationWebServiceTestIT {
+    @LocalServerPort
+    private int port;
+
+    private void callWebServiceExpectingSoapFault(String testSoapMessageResource) throws MalformedURLException, URISyntaxException {
+        URL wsdlURL = new URI(String.format("http://localhost:%d/services/registry/iti42?wsdl", port)).toURL();
+        Service service = Service.create(wsdlURL, new QName("urn:ihe:iti:xds-b:2007", "DocumentRegistry_Service"));
+        Dispatch<Source> dispatch = service.createDispatch(new QName("urn:ihe:iti:xds-b:2007", "DocumentRegistry_Port_Soap12"), Source.class, Service.Mode.PAYLOAD);
+
+        Source request = new StreamSource(getClass().getResourceAsStream(testSoapMessageResource));
+
+        SOAPFaultException soapFaultException = Assertions.assertThrowsExactly(SOAPFaultException.class, () -> {
+            assertNull(dispatch.invoke(request));
+        });
+
+        assertEquals("should raise security error", "A security error was encountered when verifying the message",
+                soapFaultException.getMessage());
+    }
+
+    @Test
+    void testShallRejectRequestsWithoutAssertion(CapturedOutput output) throws IOException, URISyntaxException {
+        callWebServiceExpectingSoapFault("/messages/iti-42.xml");
+
+        assertThat(output.getOut(), containsString("An error was discovered processing the <wsse:Security> header"));
+    }
+
+    @Test
+    void testShallRejectRequestsWithAssertionContainingInvalidCertAndSignature(CapturedOutput output) throws IOException,
+            URISyntaxException {
+        callWebServiceExpectingSoapFault("/messages/iti-42-invalid-token.xml");
+
+        assertThat(output.getOut(), containsString("Could not parse certificate: java.io.IOException: Empty input"));
+    }
+}