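/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2016 ForgeRock AS. All Rights Reserved
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at legal/CDDLv1.0.txt.
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file at legal/CDDLv1.0.txt.
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 *
 */
package com.forgerock.openam.functionaltest.sts.frmwk.common;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * State to guide the publication of sts instances.
 *
 * Instances are immutable value objects created through {@link #builder()}. The OIDC audience list is
 * copied out of the builder at build time, so further builder mutation does not affect a built context,
 * and {@link #getOidcAudiences()} returns an unmodifiable view.
 */
public class STSPublishContext {

    /**
     * Mutable builder for {@link STSPublishContext}. Obtain one via {@link STSPublishContext#builder()}.
     * All setters return {@code this} so calls can be chained.
     */
    public static class STSPublishContextBuilder {
        GeneratedTokenType generatedTokenType;
        OIDCSigningAlgorithmType oidcSigningAlgorithmType;
        boolean persistIssuedTokensInCTS;
        List<String> oidcAudiences;
        String oidcIssuer;
        // Secret for HMAC-signed OIDC tokens. Sensitive: keep it out of logs and toString output.
        String oidcClientSecret;
        String idpEntityId;
        String spEntityId;
        String spAcsUrl;
        // Signed or encrypted SAML2/OIDC tokens need the path to the OpenAM keystore holding the test
        // private-key entry.
        String amKeystorePath;
        /*
         * If x509->SAML2/OIDC token transformations are being provided in a tls-offloaded context, this value
         * specifies the header name in which these offload engines will place the client's certificate, and
         * where the STS instance expects to find this certificate.
         * NOTE(review): because the STS takes the certificate from this header, the header should only be
         * settable by the offload engine, not by arbitrary callers - confirm the deployment enforces this.
         */
        String clientCertHeaderName;

        private STSPublishContextBuilder() {
            oidcAudiences = new ArrayList<>();
        }

        /** @param generatedTokenType which token type(s) the published instance will issue */
        public STSPublishContextBuilder generatedTokenType(GeneratedTokenType generatedTokenType) {
            this.generatedTokenType = generatedTokenType;
            return this;
        }

        /** @param oidcSigningAlgorithmType signing algorithm family for issued OIDC tokens */
        public STSPublishContextBuilder oidcSigningAlgorithmType(OIDCSigningAlgorithmType oidcSigningAlgorithmType) {
            this.oidcSigningAlgorithmType = oidcSigningAlgorithmType;
            return this;
        }

        /** @param persistIssuedTokensInCTS whether issued tokens are persisted in the CTS */
        public STSPublishContextBuilder persistIssuedTokensInCTS(boolean persistIssuedTokensInCTS) {
            this.persistIssuedTokensInCTS = persistIssuedTokensInCTS;
            return this;
        }

        /**
         * Appends one audience to the OIDC audience list.
         *
         * @param oidcAudience audience value to add (not validated here)
         */
        public STSPublishContextBuilder addOidcAudience(String oidcAudience) {
            oidcAudiences.add(oidcAudience);
            return this;
        }

        /** @param oidcIssuer issuer value for issued OIDC tokens */
        public STSPublishContextBuilder oidcIssuer(String oidcIssuer) {
            this.oidcIssuer = oidcIssuer;
            return this;
        }

        /** @param oidcClientSecret shared secret used when OIDC tokens are HMAC-signed */
        public STSPublishContextBuilder oidcClientSecret(String oidcClientSecret) {
            this.oidcClientSecret = oidcClientSecret;
            return this;
        }

        /** @param idpEntityId SAML2 identity-provider entity id */
        public STSPublishContextBuilder idpEntityId(String idpEntityId) {
            this.idpEntityId = idpEntityId;
            return this;
        }

        /** @param spEntityId SAML2 service-provider entity id */
        public STSPublishContextBuilder spEntityId(String spEntityId) {
            this.spEntityId = spEntityId;
            return this;
        }

        /** @param spAcsUrl SAML2 service-provider assertion consumer service URL */
        public STSPublishContextBuilder spAcsUrl(String spAcsUrl) {
            this.spAcsUrl = spAcsUrl;
            return this;
        }

        /** @param amKeystorePath path to the OpenAM keystore used for signing/encryption */
        public STSPublishContextBuilder amKeystorePath(String amKeystorePath) {
            this.amKeystorePath = amKeystorePath;
            return this;
        }

        /** @param clientCertHeaderName header in which a TLS-offload engine presents the client certificate */
        public STSPublishContextBuilder clientCertHeaderName(String clientCertHeaderName) {
            this.clientCertHeaderName = clientCertHeaderName;
            return this;
        }

        /**
         * Creates the immutable context. The builder stays usable afterwards; the audience list is copied,
         * so later {@link #addOidcAudience(String)} calls do not affect the returned context.
         *
         * @return a new context reflecting the builder's current state
         */
        public STSPublishContext build() {
            return new STSPublishContext(this);
        }
    }

    /** Which token type(s) a published sts instance issues. */
    public enum GeneratedTokenType {
        SAML2, OIDC, BOTH;

        /** @return {@code true} for {@link #SAML2} and {@link #BOTH} */
        public boolean generateSAML2() {
            // Identity comparison instead of ordinal() arithmetic: enum constants are singletons.
            return this == BOTH || this == SAML2;
        }

        /** @return {@code true} for {@link #OIDC} and {@link #BOTH} */
        public boolean generateOIDC() {
            return this == BOTH || this == OIDC;
        }
    }

    /** Signing algorithm family for issued OIDC tokens. */
    public enum OIDCSigningAlgorithmType { HMAC, RSA }

    private final GeneratedTokenType generatedTokenType;
    private final OIDCSigningAlgorithmType oidcSigningAlgorithmType;
    private final boolean persistIssuedTokensInCTS;
    // Unmodifiable snapshot of the builder's audience list (see constructor).
    private final List<String> oidcAudiences;
    private final String oidcIssuer;
    // Sensitive: never log or expose via toString.
    private final String oidcClientSecret;
    private final String idpEntityId;
    private final String spEntityId;
    private final String spAcsUrl;
    private final String amKeystorePath;
    private final String clientCertHeaderName;

    private STSPublishContext(STSPublishContextBuilder builder) {
        this.generatedTokenType = builder.generatedTokenType;
        this.oidcSigningAlgorithmType = builder.oidcSigningAlgorithmType;
        this.persistIssuedTokensInCTS = builder.persistIssuedTokensInCTS;
        // Defensive copy: the original aliased the builder's ArrayList, so a builder reused after
        // build() silently mutated an already-built (supposedly final) context.
        this.oidcAudiences = Collections.unmodifiableList(new ArrayList<>(builder.oidcAudiences));
        this.oidcIssuer = builder.oidcIssuer;
        this.oidcClientSecret = builder.oidcClientSecret;
        this.idpEntityId = builder.idpEntityId;
        this.spEntityId = builder.spEntityId;
        this.spAcsUrl = builder.spAcsUrl;
        this.amKeystorePath = builder.amKeystorePath;
        this.clientCertHeaderName = builder.clientCertHeaderName;
    }

    /** @return a fresh builder with an empty audience list and all other state unset */
    public static STSPublishContextBuilder builder() {
        return new STSPublishContextBuilder();
    }

    /** @return the configured token type(s); may be {@code null} if never set on the builder */
    public GeneratedTokenType getGeneratedTokenType() {
        return generatedTokenType;
    }

    /** @return the OIDC signing algorithm family; may be {@code null} if never set */
    public OIDCSigningAlgorithmType getOidcSigningAlgorithmType() {
        return oidcSigningAlgorithmType;
    }

    /** @return whether issued tokens are to be persisted in the CTS */
    public boolean persistIssuedTokensInCTS() {
        return persistIssuedTokensInCTS;
    }

    /** @return an unmodifiable view of the OIDC audiences, in insertion order (possibly empty) */
    public List<String> getOidcAudiences() {
        return oidcAudiences;
    }

    /** @return the OIDC issuer; may be {@code null} if never set */
    public String getOidcIssuer() {
        return oidcIssuer;
    }

    /** @return the HMAC client secret; sensitive, may be {@code null} if never set */
    public String getOidcClientSecret() {
        return oidcClientSecret;
    }

    /** @return the SAML2 IdP entity id; may be {@code null} if never set */
    public String getIdpEntityId() {
        return idpEntityId;
    }

    /** @return the SAML2 SP entity id; may be {@code null} if never set */
    public String getSpEntityId() {
        return spEntityId;
    }

    /** @return the SAML2 SP assertion consumer service URL; may be {@code null} if never set */
    public String getSpAcsUrl() {
        return spAcsUrl;
    }

    /** @return the OpenAM keystore path; may be {@code null} if never set */
    public String getAmKeystorePath() {
        return amKeystorePath;
    }

    /** @return the client-certificate header name; may be {@code null} if never set */
    public String getClientCertHeaderName() {
        return clientCertHeaderName;
    }

    /**
     * @param stsPublishContext context to inspect
     * @return whether SAML2 publication is requested
     * @throws NullPointerException if the context's generated token type was never set
     */
    public static boolean publishSAML2(STSPublishContext stsPublishContext) {
        return stsPublishContext.generatedTokenType.generateSAML2();
    }

    /**
     * @param stsPublishContext context to inspect
     * @return whether OIDC publication is requested
     * @throws NullPointerException if the context's generated token type was never set
     */
    public static boolean publishOIDC(STSPublishContext stsPublishContext) {
        return stsPublishContext.generatedTokenType.generateOIDC();
    }

    /**
     * Builds a context populated from the {@code CommonConstants} defaults for the requested token type(s).
     *
     * @param openAMKeystorePath path to the OpenAM keystore used for signing/encryption
     * @param generatedTokenType which token type(s) to publish; must not be {@code null}
     * @param oidcSigningAlgorithmType OIDC signing family; only consulted when OIDC tokens are generated
     * @return a context with CTS persistence enabled and default issuer/audience/entity settings applied
     * @throws NullPointerException if {@code generatedTokenType} is {@code null}
     */
    public static STSPublishContext buildDefaultPublishContext(String openAMKeystorePath,
                                                               STSPublishContext.GeneratedTokenType generatedTokenType,
                                                               STSPublishContext.OIDCSigningAlgorithmType oidcSigningAlgorithmType) {
        STSPublishContext.STSPublishContextBuilder builder = STSPublishContext.builder();
        builder
                .persistIssuedTokensInCTS(true)
                .generatedTokenType(generatedTokenType)
                .amKeystorePath(openAMKeystorePath)
                // under what header will the sts expect to find the client cert.
                .clientCertHeaderName(CommonConstants.DEFAULT_STS_CERT_TOKEN_HEADER_NAME);
        if (generatedTokenType.generateOIDC()) {
            builder
                    .addOidcAudience(CommonConstants.DEFAULT_OIDC_AUDIENCE)
                    .oidcIssuer(CommonConstants.DEFAULT_OIDC_ISSUER)
                    .oidcSigningAlgorithmType(oidcSigningAlgorithmType);
            // Null-safe identity comparison; equals() on an enum is identity anyway.
            if (oidcSigningAlgorithmType == STSPublishContext.OIDCSigningAlgorithmType.HMAC) {
                builder.oidcClientSecret(CommonConstants.DEFAULT_OIDC_CLIENT_SECRET);
            }
            // no else - if we are signing with RSA, then we just set state corresponding to the default OpenAM client cert.
        }
        if (generatedTokenType.generateSAML2()) {
            builder
                    .idpEntityId(CommonConstants.DEFAULT_SAML2_IDP_ENTITY_ID)
                    .spEntityId(CommonConstants.DEFAULT_SAML2_SP_ENTITY_ID)
                    .spAcsUrl(CommonConstants.DEFAULT_SAML2_SP_ACS_URL);
        }
        return builder.build();
    }
}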