SAML2MetaManager.java revision e99c5132fdbbe07880893fa1f7d7afb2767261be
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: SAML2MetaManager.java,v 1.18 2009/10/28 23:58:58 exu Exp $
*
* Portions Copyrighted 2010-2015 ForgeRock AS.
*/
/**
* The <code>SAML2MetaManager</code> provides methods to manage both the
* standard entity descriptor and the extended entity configuration.
*/
public class SAML2MetaManager {
private static final String ATTR_ENTITY_CONFIG =
"sun-fm-saml2-entityconfig";
private static final int SUBCONFIG_PRIORITY = 0;
private static CircleOfTrustManager cotmStatic;
private static ConfigurationInstance configInstStatic;
private CircleOfTrustManager cotm;
private ConfigurationInstance configInst;
/**
* Constant used to identify meta alias.
*/
static {
try {
SAML2);
} catch (ConfigurationException ce) {
}
if (configInstStatic != null) {
try {
} catch (ConfigurationException ce) {
"SAML2MetaManager.static: Unable to add " +
"ConfigurationListener for SAML2COT service.",
ce);
}
}
try {
cotmStatic = new CircleOfTrustManager();
} catch (COTException se) {
}
}
/**
* Constructor for <code>SAML2MetaManager</code>.
* @throws SAML2MetaException if unable to construct
* <code>SAML2MetaManager</code>
*/
public SAML2MetaManager() throws SAML2MetaException {
if (configInst == null) {
}
cotm = cotmStatic;
}
/**
* Constructor for <code>SAML2MetaManager</code>.
* @param callerToken session token for the caller.
* @throws SAML2MetaException if unable to construct
* <code>SAML2MetaManager</code>
*/
try {
SAML2, callerToken);
} catch (ConfigurationException ex) {
} catch (COTException cx) {
}
}
/**
* Returns the standard metadata entity descriptor under the realm.
* @param realm The realm under which the entity resides.
* @param entityId ID of the entity to be retrieved.
* @return <code>EntityDescriptorElement</code> for the entity or null if
* not found.
* @throws SAML2MetaException if unable to retrieve the entity descriptor.
*/
) throws SAML2MetaException {
return null;
}
realm = "/";
}
if (callerSession == null) {
if (descriptor != null) {
if (debug.messageEnabled()) {
+ "descriptor from SAML2MetaCache " + entityId);
}
return descriptor;
}
}
try {
return null;
}
return null;
}
if (obj instanceof EntityDescriptorElement) {
if (debug.messageEnabled()) {
+ "descriptor from SMS " + entityId);
}
return descriptor;
}
"SAML2MetaManager.getEntityDescriptor: invalid descriptor");
} catch (ConfigurationException e) {
throw new SAML2MetaException(e);
} catch (JAXBException jaxbe) {
}
}
/**
* Returns first service provider's SSO descriptor in an entity under the
* realm.
* @param realm The realm under which the entity resides.
* @param entityId ID of the entity to be retrieved.
* @return <code>SPSSODescriptorElement</code> for the entity or null if
* not found.
* @throws SAML2MetaException if unable to retrieve the first service
* provider's SSO descriptor.
*/
throws SAML2MetaException {
}
/**
* Returns attribute authority descriptor in an entity under the
* realm.
* @param realm The realm under which the entity resides.
* @param entityId ID of the entity to be retrieved.
* @return an <code>AttributeAuthorityDescriptorElement</code> object for
* the entity or null if not found.
* @throws SAML2MetaException if unable to retrieve attribute authority
* descriptor.
*/
throws SAML2MetaException {
}
/**
* Returns attribute query descriptor in an entity under the
* realm.
* @param realm The realm under which the entity resides.
* @param entityId ID of the entity to be retrieved.
* @return an <code>AttributeQueryDescriptorElement</code> object for
* the entity or null if not found.
* @throws SAML2MetaException if unable to retrieve attribute query
* descriptor.
*/
throws SAML2MetaException {
}
/**
* Returns authentication authority descriptor in an entity under the
* realm.
* @param realm The realm under which the entity resides.
* @param entityId ID of the entity to be retrieved.
* @return an <code>AuthnAuthorityDescriptorElement</code> object for
* the entity or null if not found.
* @throws SAML2MetaException if unable to retrieve authentication
* authority descriptor.
*/
}
/**
* Returns first policy decision point descriptor in an entity under the
* realm.
* @param realm The realm under which the entity resides.
* @param entityId ID of the entity to be retrieved.
* @return policy decision point descriptor.
* @throws SAML2MetaException if unable to retrieve the descriptor.
*/
) throws SAML2MetaException {
}
/**
* Returns first policy enforcement point descriptor in an entity under the
* realm.
* @param realm The realm under which the entity resides.
* @param entityId ID of the entity to be retrieved.
* @return policy enforcement point descriptor.
* @throws SAML2MetaException if unable to retrieve the descriptor.
*/
) throws SAML2MetaException {
}
/**
* Returns first identity provider's SSO descriptor in an entity under the
* realm.
* @param realm The realm under which the entity resides.
* @param entityId ID of the entity to be retrieved.
* @return <code>IDPSSODescriptorElement</code> for the entity or null if
* not found.
* @throws SAML2MetaException if unable to retrieve the first identity
* provider's SSO descriptor.
*/
throws SAML2MetaException {
entityId);
}
/**
* Returns affiliation descriptor in an entity under the realm.
* @param realm The realm under which the entity resides.
* @param entityId ID of the entity to be retrieved.
* @return <code>AffiliationDescriptorType</code> for the entity or
* null if not found.
* @throws SAML2MetaException if unable to retrieve the affiliation
* descriptor.
*/
throws SAML2MetaException {
entityId);
}
/**
* Sets the standard metadata entity descriptor under the realm.
* @param realm The realm under which the entity resides.
* @param descriptor The standard entity descriptor object to be set.
* @throws SAML2MetaException if unable to set the entity descriptor.
*/
public void setEntityDescriptor(
throws SAML2MetaException {
"SAML2MetaManager.setEntityDescriptor: entity ID is null");
}
realm = "/";
}
try {
if (debug.messageEnabled()) {
+ "entity descriptor for " + entityId);
}
} catch (ConfigurationException e) {
throw new SAML2MetaException(e);
} catch (JAXBException jaxbe) {
}
}
/**
* Creates the standard metadata entity descriptor under the realm.
* @param realm The realm under which the entity descriptor will be
* created.
* @param descriptor The standard entity descriptor object to be created.
* @throws SAML2MetaException if unable to create the entity descriptor.
*/
public void createEntityDescriptor(
) throws SAML2MetaException {
}
/**
* Creates the standard and extended metadata under the realm.
* @param realm The realm under which the entity descriptor will be
* created.
* @param descriptor The standard entity descriptor object to be created.
* @param config The extended entity config object to be created.
* @throws SAML2MetaException if unable to create the entity.
*/
public void createEntity(
) throws SAML2MetaException {
"SAML2metaManager.createEntity: no meta to import.");
return;
}
if (descriptor != null) {
} else {
}
realm = "/";
}
"SAML2MetaManager.createEntity: entity ID is null");
}
if (debug.messageEnabled()) {
}
try {
boolean isCreate = true;
// get the entity descriptor if any
if (obj instanceof EntityDescriptorElement) {
if (debug.messageEnabled()) {
+ "got descriptor from SMS " + entityId);
}
}
}
// get the entity config if any
if (obj instanceof EntityConfigElement) {
if (debug.messageEnabled()) {
+ "got entity config from SMS " + entityId);
}
}
}
}
if (oldDescriptor != null) {
if (descriptor != null) {
{
+ " descriptor contains role "
+ " already");
throw new SAML2MetaException("role_already_exists",
param);
}
}
isCreate = false;
}
} else {
if (descriptor != null) {
}
}
+ "descriptor is null: " + entityId);
null);
throw new SAML2MetaException("entity_descriptor_not_exist",
objs);
}
{
+ " entity config contains role "
+ " already");
throw new SAML2MetaException("role_already_exists",
param);
}
}
isCreate = false;
} else {
isCreate = false;
}
}
}
if (isCreate) {
if (descriptor != null) {
}
// Add the entity to cot
}
} else {
if (descriptor != null) {
}
}
}
} catch (ConfigurationException e) {
throw new SAML2MetaException(e);
} catch (JAXBException jaxbe) {
}
}
}
return types;
}
/**
* Deletes the standard metadata entity descriptor under the realm.
* @param realm The realm under which the entity resides.
* @param entityId The ID of the entity for whom the standard entity
* descriptor will be deleted.
* @throws SAML2MetaException if unable to delete the entity descriptor.
*/
throws SAML2MetaException {
return;
}
realm = "/";
}
try {
// Remove the entity from cot
// end of remove entity from cot
objs,
null);
} catch (ConfigurationException e) {
data,
null);
throw new SAML2MetaException(e);
}
}
/**
* Returns extended entity configuration under the realm.
* @param realm The realm under which the entity resides.
* @param entityId ID of the entity to be retrieved.
* @return <code>EntityConfigElement</code> object for the entity or null
* if not found.
* @throws SAML2MetaException if unable to retrieve the entity
* configuration.
*/
throws SAML2MetaException {
return null;
}
realm = "/";
}
if (callerSession == null) {
if (debug.messageEnabled()) {
+ " config from SAML2MetaCache: " + entityId);
}
objs,
null);
return config;
}
}
try {
return null;
}
return null;
}
if (obj instanceof EntityConfigElement) {
if (debug.messageEnabled()) {
+ "entity config from SMS: " + entityId);
}
objs,
null);
return config;
}
objs,
null);
} catch (ConfigurationException e) {
data,
null);
throw new SAML2MetaException(e);
} catch (JAXBException jaxbe) {
objs,
null);
}
}
/**
* Returns first service provider's SSO configuration in an entity under
* the realm.
* @param realm The realm under which the entity resides.
* @param entityId ID of the entity to be retrieved.
* @return <code>SPSSOConfigElement</code> for the entity or null if not
* found.
* @throws SAML2MetaException if unable to retrieve the first service
* provider's SSO configuration.
*/
throws SAML2MetaException {
return null;
}
if (obj instanceof SPSSOConfigElement) {
return (SPSSOConfigElement)obj;
}
}
return null;
}
/**
* Returns first policy decision point configuration in an entity under
* the realm.
* @param realm The realm under which the entity resides.
* @param entityId ID of the entity to be retrieved.
* @return policy decision point configuration or null if it is not found.
* @throws SAML2MetaException if unable to retrieve the configuration.
*/
) throws SAML2MetaException {
if (obj instanceof XACMLPDPConfigElement) {
}
}
}
return elm;
}
/**
* Returns first policy enforcement point configuration in an entity under
* the realm.
* @param realm The realm under which the entity resides.
* @param entityId ID of the entity to be retrieved.
* @return policy decision point configuration or null if it is not found.
* @throws SAML2MetaException if unable to retrieve the configuration.
*/
) throws SAML2MetaException {
if (obj instanceof XACMLAuthzDecisionQueryConfigElement) {
}
}
}
return elm;
}
/**
* Returns first identity provider's SSO configuration in an entity under
* the realm.
* @param realm The realm under which the entity resides.
* @param entityId ID of the entity to be retrieved.
* @return <code>IDPSSOConfigElement</code> for the entity or null if not
* found.
* @throws SAML2MetaException if unable to retrieve the first identity
* provider's SSO configuration.
*/
throws SAML2MetaException {
return null;
}
if (obj instanceof IDPSSOConfigElement) {
return (IDPSSOConfigElement)obj;
}
}
return null;
}
/**
* Returns first attribute authority configuration in an entity under
* the realm.
* @param realm The realm under which the entity resides.
* @param entityId ID of the entity to be retrieved.
* @return <code>AttributeAuthorityConfigElement</code> for the entity or
* null if not found.
* @throws SAML2MetaException if unable to retrieve the first attribute
* authority configuration.
*/
return null;
}
if (obj instanceof AttributeAuthorityConfigElement) {
return (AttributeAuthorityConfigElement)obj;
}
}
return null;
}
/**
* Returns first attribute query configuration in an entity under
* the realm.
* @param realm The realm under which the entity resides.
* @param entityId ID of the entity to be retrieved.
* @return <code>AttributeQueryConfigElement</code> for the entity or
* null if not found.
* @throws SAML2MetaException if unable to retrieve the first attribute
* query configuration.
*/
return null;
}
if (obj instanceof AttributeQueryConfigElement) {
return (AttributeQueryConfigElement)obj;
}
}
return null;
}
/**
* Returns first authentication authority configuration in an entity under
* the realm.
* @param realm The realm under which the entity resides.
* @param entityId ID of the entity to be retrieved.
* @return <code>AuthnAuthorityConfigElement</code> for the entity or
* null if not found.
* @throws SAML2MetaException if unable to retrieve the first authentication
* authority configuration.
*/
return null;
}
if (obj instanceof AuthnAuthorityConfigElement) {
return (AuthnAuthorityConfigElement)obj;
}
}
return null;
}
/**
* Returns affiliation configuration in an entity under the realm.
* @param realm The realm under which the entity resides.
* @param entityId ID of the entity to be retrieved.
* @return <code>AffiliationConfigElement</code> for the entity or
* null if not found.
* @throws SAML2MetaException if unable to retrieve the affiliation
* configuration.
*/
return null;
}
}
/**
* Sets the extended entity configuration under the realm.
* @param realm The realm under which the entity resides.
* @param config The extended entity configuration object to be set.
* @throws SAML2MetaException if unable to set the entity configuration.
*/
throws SAML2MetaException {
"entity ID is null");
data,
null);
}
realm = "/";
}
try {
config);
if (debug.messageEnabled()) {
+ "entity config for " + entityId);
}
objs,
null);
} catch (ConfigurationException e) {
data,
null);
throw new SAML2MetaException(e);
} catch (JAXBException jaxbe) {
objs,
null);
}
}
/**
* Creates the extended entity configuration under the realm.
* @param realm The realm under which the entity configuration will be
* created.
* @param config The extended entity configuration object to be created.
* @throws SAML2MetaException if unable to create the entity configuration.
*/
throws SAML2MetaException {
if (debug.messageEnabled()) {
}
}
private void addToCircleOfTrust(
{
try {
// use first one to add the entity to COT
}
}
}
}
} catch (Exception e) {
}
}
/**
* Deletes the extended entity configuration under the realm.
* @param realm The realm under which the entity resides.
* @param entityId The ID of the entity for whom the extended entity
* configuration will be deleted.
* @throws SAML2MetaException if unable to delete the entity descriptor.
*/
throws SAML2MetaException {
return;
}
realm = "/";
}
try {
objs,
null);
}
// Remove the entity from cot
objs,
null);
} catch (ConfigurationException e) {
data,
null);
throw new SAML2MetaException(e);
}
}
try {
boolean isAffiliation = false;
isAffiliation = true;
}
if (debug.messageEnabled()) {
+ " an affiliation? " + isAffiliation);
}
if (isAffiliation) {
} else {
}
// use first one to delete the entity from COT
}
}
}
}
} catch (Exception e) {
}
}
/**
* Returns all hosted entities under the realm.
* @param realm The realm under which the hosted entities reside.
* @return a <code>List</code> of entity ID <code>String</code>.
* @throws SAML2MetaException if unable to retrieve the entity ids.
*/
throws SAML2MetaException {
try {
}
}
}
} catch (ConfigurationException e) {
data,
null);
throw new SAML2MetaException(e);
}
objs,
null);
return hostedEntityIds;
}
/**
* Returns all hosted service provider entities under the realm.
* @param realm The realm under which the hosted service provider entities
* reside.
* @return a <code>List</code> of entity ID <code>String</code>.
* @throws SAML2MetaException if unable to retrieve the entity ids.
*/
throws SAML2MetaException {
}
}
return hostedSPEntityIds;
}
/**
* Returns all hosted policy decision point entities under the realm.
*
* @param realm The realm under which the hosted policy decision point
* entities reside.
* @return a list of entity ID.
* @throws SAML2MetaException if unable to retrieve the entity ids.
*/
throws SAML2MetaException {
return getHostedPolicyDecisionPointEntities(realm, true);
}
/**
* Returns all remote policy decision point entities under the realm.
*
* @param realm The realm under which the remote policy decision point
* entities reside.
* @return a list of entity ID.
* @throws SAML2MetaException if unable to retrieve the entity ids.
*/
throws SAML2MetaException {
return getHostedPolicyDecisionPointEntities(realm, false);
}
private List getHostedPolicyDecisionPointEntities(
boolean hosted
) throws SAML2MetaException {
}
}
return hostedPDPEntityIds;
}
/**
* Returns all hosted policy enforcement point entities under the realm.
*
* @param realm The realm under which the hosted policy enforcement point
* entities reside.
* @return a list of entity ID.
* @throws SAML2MetaException if unable to retrieve the entity ids.
*/
throws SAML2MetaException {
return getAllPolicyEnforcementPointEntities(realm, true);
}
/**
* Returns all remote policy enforcement point entities under the realm.
*
* @param realm The realm under which the remote policy enforcement point
* entities reside.
* @return a list of entity ID.
* @throws SAML2MetaException if unable to retrieve the entity ids.
*/
throws SAML2MetaException {
return getAllPolicyEnforcementPointEntities(realm, false);
}
private List getAllPolicyEnforcementPointEntities(
boolean hosted
) throws SAML2MetaException {
}
}
return hostedPEPEntityIds;
}
/**
* Returns all hosted identity provider entities under the realm.
* @param realm The realm under which the hosted identity provider entities
* reside.
* @return a <code>List</code> of entity ID <code>String</code>.
* @throws SAML2MetaException if unable to retrieve the entity ids.
*/
throws SAML2MetaException {
}
}
return hostedIDPEntityIds;
}
/**
* Returns all remote entities under the realm.
* @param realm The realm under which the hosted entities reside.
* @return a <code>List</code> of entity ID <code>String</code>.
* @throws SAML2MetaException if unable to retrieve the entity ids.
*/
throws SAML2MetaException {
try {
}
}
}
} catch (ConfigurationException e) {
data,
null);
throw new SAML2MetaException(e);
}
objs,
null);
return remoteEntityIds;
}
/**
* Returns all remote service provider entities under the realm.
* @param realm The realm under which the remote service provider entities
* reside.
* @return a <code>List</code> of entity ID <code>String</code>.
* @throws SAML2MetaException if unable to retrieve the entity ids.
*/
throws SAML2MetaException {
}
}
return remoteSPEntityIds;
}
/**
* Returns all remote identity provider entities under the realm.
* @param realm The realm under which the remote identity provider entities
* reside.
* @return a <code>List</code> of entity ID <code>String</code>.
* @throws SAML2MetaException if unable to retrieve the entity ids.
*/
throws SAML2MetaException {
}
}
return remoteIDPEntityIds;
}
/**
* Returns entity ID associated with the metaAlias.
* @param metaAlias The metaAlias.
* @return entity ID associated with the metaAlias or null if not found.
* @throws SAML2MetaException if unable to retrieve the entity ids.
*/
throws SAML2MetaException {
try {
return null;
}
continue;
}
return entityId;
}
}
}
} catch (ConfigurationException e) {
throw new SAML2MetaException(e);
}
return null;
}
/**
* Returns all the hosted entity metaAliases for a realm.
*
* @param realm The given realm.
* @return all the hosted entity metaAliases for a realm or an empty arrayList if not found.
* @throws SAML2MetaException if unable to retrieve the entity ids.
*/
try {
return metaAliases;
}
continue;
}
}
}
}
} catch (ConfigurationException e) {
throw new SAML2MetaException(e);
}
return metaAliases;
}
/**
* Returns role of an entity based on its metaAlias.
*
* @param metaAlias Meta alias of the entity.
* @return role of an entity either <code>SAML2Constants.IDP_ROLE</code>; or
* <code>SAML2Constants.SP_ROLE</code> or
* <code>SAML2Constants.UNKNOWN_ROLE</code>
* @throws SAML2MetaException if there are issues in getting the entity
* profile from the meta alias.
*/
throws SAML2MetaException {
}
}
}
}
}
}
return role;
}
/**
* Returns metaAliases of all hosted identity providers under the realm.
* @param realm The realm under which the identity provider metaAliases
* reside.
* @return a <code>List</code> of metaAliases <code>String</code>.
* @throws SAML2MetaException if unable to retrieve meta aliases.
*/
throws SAML2MetaException {
}
}
return metaAliases;
}
/**
* Returns metaAliases of all hosted service providers under the realm.
* @param realm The realm under which the service provider metaAliases
* reside.
* @return a <code>List</code> of metaAliases <code>String</code>.
* @throws SAML2MetaException if unable to retrieve meta aliases.
*/
throws SAML2MetaException {
}
}
return metaAliases;
}
/**
* Returns meta aliases of all hosted policy decision point under the realm.
* @param realm The realm under which the policy decision point resides.
* @return list of meta aliases
* @throws SAML2MetaException if unable to retrieve meta aliases.
*/
throws SAML2MetaException {
}
}
return metaAliases;
}
/**
* Returns meta aliases of all hosted policy enforcement point under the
* realm.
*
* @param realm The realm under which the policy enforcement point resides.
* @return list of meta aliases
* @throws SAML2MetaException if unable to retrieve meta aliases.
*/
throws SAML2MetaException {
realm);
}
}
return metaAliases;
}
/**
* Determines whether two entities are in the same circle of trust
* under the realm.
* @param realm The realm under which the entity resides.
* @param entityId The ID of the entity
* @param trustedEntityId The ID of the entity
* @throws SAML2MetaException if unable to determine the trusted
* relationship.
*/
throws SAML2MetaException {
boolean result=false;
entityId);
}
if (result) {
return true;
}
entityId);
}
return false;
}
/**
* Determines whether two entities are in the same circle of trust
* under the realm. Returns true if entities are in same
* circle of trust. The entity can be a PDP or a PEP. If an entity
* role other then PEP or PDP is specified then a false will be
* returned.
*
* @param realm The realm under which the entity resides.
* @param entityId the hosted entity Identifier (PEP or PDP).
* @param trustedEntityId the remote entity identifier (PEP or PDP).
* @param role the role of the hosted entity.
* @throws SAML2MetaException if unable to determine the trusted
* relationship.
*/
throws SAML2MetaException {
boolean result=false;
}
}
}
return result;
}
try {
return true;
}
}
}
}
return false;
} catch (Exception e) {
" while determining two entities are in the same COT.");
return false;
}
}
/**
* Returns all entities under the realm.
* @param realm The realm under which the entities reside.
* @return a <code>Set</code> of entity ID <code>String</code>.
* @throws SAML2MetaException if unable to retrieve the entity ids.
*/
throws SAML2MetaException {
try {
}
} catch (ConfigurationException e) {
data,
null);
throw new SAML2MetaException(e);
}
objs,
null);
return ret;
}
/**
* Checks that the provided metaAliases are valid for a new hosted entity in the specified realm.
* Will verify that the metaAliases do not already exist in the realm and that no duplicates are provided.
*
* @param realm The realm in which we are validating the metaAliases.
* @param newMetaAliases values we are using to create the new metaAliases.
* @throws SAML2MetaException if duplicate values found.
*/
public void validateMetaAliasForNewEntity(String realm, List<String> newMetaAliases) throws SAML2MetaException {
" metaAlias values provided in list:\n"
+ newMetaAliases);
}
}
// only check if we have existing aliases
if (!allRealmMetaAliaes.isEmpty()) {
}
}
if (!duplicateMetaAliases.isEmpty()) {
}
+ " already exists in the realm: " + realm);
}
}
}
}
}