/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2016 ForgeRock AS. All Rights Reserved
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at legal/CDDLv1.0.txt.
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file at legal/CDDLv1.0.txt.
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 *
 */

package com.forgerock.openam.functionaltest.sts.frmwk.rest;

import com.forgerock.openam.functionaltest.sts.frmwk.common.CommonConstants;
import com.forgerock.openam.functionaltest.sts.frmwk.common.STSPublishContext;
import org.forgerock.openam.sts.AMSTSConstants;
import org.forgerock.openam.sts.TokenType;
import org.forgerock.openam.sts.config.user.AuthTargetMapping;
import org.forgerock.openam.sts.config.user.DeploymentConfig;
import org.forgerock.openam.sts.config.user.OpenIdConnectTokenConfig;
import org.forgerock.openam.sts.config.user.OpenIdConnectTokenPublicKeyReferenceType;
import org.forgerock.openam.sts.config.user.SAML2Config;
import org.forgerock.openam.sts.rest.config.user.RestSTSInstanceConfig;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.InetAddress;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

import static com.forgerock.openam.functionaltest.sts.frmwk.common.STSPublishContext.publishOIDC;
import static com.forgerock.openam.functionaltest.sts.frmwk.common.STSPublishContext.publishSAML2;

/**
 * Generates the RestSTSInstanceConfig state used to publish rest-sts instances in the functional tests. The
 * generated configuration is guided by STSPublishContext state, but hard-codes many of the options for caller
 * convenience. If any of the currently hard-coded options need to become configurable, add them to the
 * STSPublishContext class and reference them from there. The goal is a reasonably small set of
 * RestSTSInstanceConfig instances for the functional tests, with the myriad configuration options encapsulated
 * here rather than repeated by every caller.
 */
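public class RestSTSInstanceConfigFactory {
    /*
     * Credentials of the keystore the published instance signs/encrypts with (the keystore path comes from
     * STSPublishContext#getAmKeystorePath). This factory is functional-test scaffolding: these hard-coded values
     * belong to the test keystore only and must never be carried into a real deployment configuration.
     */
    private static final String TEST_KEYSTORE_PASSWORD = "changeit";
    private static final String TEST_KEY_ALIAS = "test";

    /**
     * Creates a RestSTSInstanceConfig with no custom token operations, i.e. with empty custom provider,
     * validator and transform definitions.
     *
     * @param urlElement The deployment url element of the rest-sts instance.
     * @param realm The realm in which the rest-sts instance will be deployed.
     * @param stsPublishContext Determines what sort of tokens the published sts instance will produce.
     * @return A RestSTSInstanceConfig configuring the published rest-sts instance.
     * @throws IOException If the local host address cannot be resolved or the UTF-8 charset id is not supported.
     */
    public RestSTSInstanceConfig createRestSTSInstanceConfig(String urlElement, String realm,
                                                             STSPublishContext stsPublishContext) throws IOException {
        return createRestSTSInstanceConfig(urlElement, realm, stsPublishContext,
                CustomTokenOperationContext.builder().build());
    }

    /**
     * Creates the RestSTSInstanceConfig instance which determines the nature of the published rest-sts
     * instance. Note that this method does not take parameters corresponding to all options; it only demonstrates
     * some of the options which could be set.
     *
     * @param urlElement The deployment url element of the rest-sts instance.
     * @param realm The realm in which the rest-sts instance will be deployed. Note that the url of the published
     *              rest-sts instance will be composed of the OpenAM deploymentUrl + realm + /urlElement.
     * @param stsPublishContext Determines what sort of tokens the published sts instance will produce.
     * @param customTokenOperationContext Encapsulates custom token operation state - usually the custom operation
     *                                    definitions will simply be empty lists.
     * @return A RestSTSInstanceConfig configuring the published rest-sts instance.
     * @throws IOException If the local host address cannot be resolved (client-cert-header case) or the UTF-8
     *                     charset id used for the keystore and client-secret bytes is not supported.
     * @throws NullPointerException If stsPublishContext or customTokenOperationContext is null.
     */
    public RestSTSInstanceConfig createRestSTSInstanceConfig(String urlElement, String realm,
                                                             STSPublishContext stsPublishContext,
                                                             CustomTokenOperationContext customTokenOperationContext)
            throws IOException {
        Objects.requireNonNull(stsPublishContext, "stsPublishContext");
        Objects.requireNonNull(customTokenOperationContext, "customTokenOperationContext");

        final boolean saml2Requested = publishSAML2(stsPublishContext);
        final boolean oidcRequested = publishOIDC(stsPublishContext);

        DeploymentConfig deploymentConfig = buildDeploymentConfig(urlElement, realm, stsPublishContext);

        // Shared by the SAML2 attribute map and the OIDC claim map: the "email" attribute/claim is sourced from
        // the subject's "mail" attribute (presumably the LDAP mail attribute of the authenticated user).
        Map<String, String> attributeMapping = new HashMap<>();
        attributeMapping.put("email", "mail");

        SAML2Config saml2Config = saml2Requested
                ? buildSAML2Config(stsPublishContext, attributeMapping)
                : null;
        OpenIdConnectTokenConfig oidcIdTokenConfig = oidcRequested
                ? buildOIDCTokenConfig(stsPublishContext, attributeMapping)
                : null;

        RestSTSInstanceConfig.RestSTSInstanceConfigBuilder builder = RestSTSInstanceConfig.builder()
                .deploymentConfig(deploymentConfig)
                .saml2Config(saml2Config)
                .oidcIdTokenConfig(oidcIdTokenConfig)
                .persistIssuedTokensInCTS(stsPublishContext.persistIssuedTokensInCTS())
                .setCustomProviders(customTokenOperationContext.getCustomProviders())
                .setCustomValidators(customTokenOperationContext.getCustomValidators())
                .setCustomTokenTransforms(customTokenOperationContext.getCustomTransforms());

        // Only advertise transforms whose output token type the instance is actually configured to issue.
        if (saml2Requested) {
            addSupportedTokenTransforms(builder, TokenType.SAML2);
        }
        if (oidcRequested) {
            addSupportedTokenTransforms(builder, TokenType.OPENIDCONNECT);
        }
        return builder.build();
    }

    /**
     * Builds the mapping from each accepted input token type to the OpenAM authentication module or service that
     * validates it.
     *
     * If you want to target a specific module or service for a particular token type, add it via an addMapping
     * call below. See org.forgerock.openam.forgerockrest.authn.core.AuthIndexType for the list of valid
     * authIndexType values (the second parameter of addMapping). The third parameter is simply the name of the
     * specified module, service, etc. To target the default service, either add no mapping or add a mapping
     * corresponding to the default service, as done here for USERNAME tokens.
     *
     * @return The AuthTargetMapping for USERNAME, OPENIDCONNECT and X509 input tokens.
     */
    private AuthTargetMapping buildAuthTargetMapping() {
        // Context for OIDC id token validation: the value names the header the OIDC module consults to obtain
        // the id token.
        Map<String, String> oidcContext = new HashMap<>();
        oidcContext.put(AMSTSConstants.OPEN_ID_CONNECT_ID_TOKEN_AUTH_TARGET_HEADER_KEY,
                CommonConstants.DEFAULT_OIDC_TOKEN_HEADER_NAME);

        // Context for certificate validation: the value names the header the Cert module consults to obtain
        // the client's certificate.
        Map<String, String> certContext = new HashMap<>();
        certContext.put(AMSTSConstants.X509_TOKEN_AUTH_TARGET_HEADER_KEY,
                CommonConstants.DEFAULT_CERT_MODULE_TOKEN_HEADER_NAME);

        return AuthTargetMapping.builder()
                .addMapping(TokenType.USERNAME, "service", "ldapService")
                .addMapping(TokenType.OPENIDCONNECT, "module",
                        CommonConstants.DEFAULT_OIDC_BEARER_TOKEN_MODULE_NAME, oidcContext)
                .addMapping(TokenType.X509, "module", CommonConstants.DEFAULT_CERT_MODULE_NAME, certContext)
                .build();
    }

    /**
     * Builds the DeploymentConfig: url element, realm, auth target mapping and, when the publish context names a
     * client-cert header, the TLS-offload settings.
     *
     * If the clientCertHeaderName field is specified, the client cert for x509 transformations is presented in a
     * header field rather than taken from the TLS connection. In that case the set of IP addresses of the
     * TLS-offload engines must also be specified, because only requests from those addresses may supply a
     * certificate in the header - that set is the trust boundary for header-supplied certificates. Here the
     * address of this host (the one invoking the token transformation) and the loopback address are trusted.
     * Adding 'any' to the set trusts every host; keep that to an isolated test network.
     *
     * @param urlElement The deployment url element of the rest-sts instance.
     * @param realm The realm in which the rest-sts instance will be deployed.
     * @param stsPublishContext Supplies the optional client cert header name.
     * @return The built DeploymentConfig.
     * @throws IOException If the local host address cannot be resolved.
     */
    private DeploymentConfig buildDeploymentConfig(String urlElement, String realm,
                                                   STSPublishContext stsPublishContext) throws IOException {
        DeploymentConfig.DeploymentConfigBuilderBase<?> deploymentConfigBuilder = DeploymentConfig.builder()
                .uriElement(urlElement)
                .authTargetMapping(buildAuthTargetMapping())
                .realm(realm);

        String clientCertHeaderName = stsPublishContext.getClientCertHeaderName();
        if (clientCertHeaderName != null) {
            Set<String> offloadHostsSet = new HashSet<>();
            offloadHostsSet.add(InetAddress.getLocalHost().getHostAddress());
            offloadHostsSet.add("127.0.0.1");
            deploymentConfigBuilder
                    .offloadedTwoWayTLSHeaderKey(clientCertHeaderName)
                    .tlsOffloadEngineHostIpAddrs(offloadHostsSet);
        }
        return deploymentConfigBuilder.build();
    }

    /**
     * Registers the token transforms producing the given output token type. The same four input types are
     * supported for every output type: USERNAME, OPENAM, OPENIDCONNECT and X509. For the OPENAM input the
     * interim-session flag is negated - presumably because the session is the caller's own and must outlive the
     * transformation, whereas the sessions created for the other inputs are interim and are invalidated.
     *
     * @param builder The builder to add the transforms to (mutated in place).
     * @param outputTokenType The token type produced by the registered transforms.
     */
    private void addSupportedTokenTransforms(RestSTSInstanceConfig.RestSTSInstanceConfigBuilder builder,
                                             TokenType outputTokenType) {
        builder
                .addSupportedTokenTransform(TokenType.USERNAME, outputTokenType,
                        AMSTSConstants.INVALIDATE_INTERIM_OPENAM_SESSION)
                .addSupportedTokenTransform(TokenType.OPENAM, outputTokenType,
                        !AMSTSConstants.INVALIDATE_INTERIM_OPENAM_SESSION)
                .addSupportedTokenTransform(TokenType.OPENIDCONNECT, outputTokenType,
                        AMSTSConstants.INVALIDATE_INTERIM_OPENAM_SESSION)
                .addSupportedTokenTransform(TokenType.X509, outputTokenType,
                        AMSTSConstants.INVALIDATE_INTERIM_OPENAM_SESSION);
    }

    /**
     * Chooses the OIDC token configuration matching the requested signing algorithm: RSA when the publish
     * context says so, HMAC for every other value (including null).
     *
     * @param publishContext Supplies the signing algorithm type, issuer, audiences and key material.
     * @param claimMapping The claim map to embed in the configuration.
     * @return The OpenIdConnectTokenConfig for the requested signing algorithm.
     * @throws UnsupportedEncodingException If the UTF-8 charset id is not supported.
     */
    private OpenIdConnectTokenConfig buildOIDCTokenConfig(STSPublishContext publishContext,
                                                          Map<String, String> claimMapping)
            throws UnsupportedEncodingException {
        if (STSPublishContext.OIDCSigningAlgorithmType.RSA.equals(publishContext.getOidcSigningAlgorithmType())) {
            return buildRSATokenConfig(publishContext, claimMapping);
        }
        return buildHMACTokenConfig(publishContext, claimMapping);
    }

    /**
     * Builds an HS256-signed OIDC token configuration keyed by the publish context's client secret.
     *
     * @param publishContext Supplies the client secret, audiences and issuer.
     * @param claimMapping The claim map to embed in the configuration.
     * @return The HMAC OpenIdConnectTokenConfig.
     * @throws UnsupportedEncodingException If the UTF-8 charset id is not supported.
     */
    private OpenIdConnectTokenConfig buildHMACTokenConfig(STSPublishContext publishContext,
                                                          Map<String, String> claimMapping)
            throws UnsupportedEncodingException {
        // The secret is encoded explicitly as UTF-8, like every other byte[] credential in this class; the
        // platform default charset would make the HMAC key depend on the JVM's locale settings.
        byte[] clientSecret = publishContext.getOidcClientSecret().getBytes(AMSTSConstants.UTF_8_CHARSET_ID);
        return OpenIdConnectTokenConfig.builder()
                .clientSecret(clientSecret)
                .signatureAlgorithm("HS256")
                .setAudience(publishContext.getOidcAudiences())
                .issuer(publishContext.getOidcIssuer())
                .claimMap(claimMapping)
                .build();
    }

    /**
     * Builds an RS256-signed OIDC token configuration keyed by the test keystore.
     *
     * @param publishContext Supplies the keystore path, audiences and issuer.
     * @param claimMapping The claim map to embed in the configuration.
     * @return The RSA OpenIdConnectTokenConfig.
     * @throws UnsupportedEncodingException If the UTF-8 charset id is not supported.
     */
    private OpenIdConnectTokenConfig buildRSATokenConfig(STSPublishContext publishContext,
                                                         Map<String, String> claimMapping)
            throws UnsupportedEncodingException {
        byte[] keystorePassword = TEST_KEYSTORE_PASSWORD.getBytes(AMSTSConstants.UTF_8_CHARSET_ID);
        return OpenIdConnectTokenConfig.builder()
                .keystoreLocation(publishContext.getAmKeystorePath())
                .keystorePassword(keystorePassword)
                .signatureKeyAlias(TEST_KEY_ALIAS)
                .signatureKeyPassword(keystorePassword)
                .signatureAlgorithm("RS256")
                .setAudience(publishContext.getOidcAudiences())
                .issuer(publishContext.getOidcIssuer())
                // Due to CREST-273, the JwtReconstruction class used in functional test verification throws when
                // reconstituting an RSA-signed OIDC token which embeds a JWK reference to the verification key,
                // so publish with a public key reference of NONE.
                .publicKeyReferenceType(OpenIdConnectTokenPublicKeyReferenceType.NONE)
                .claimMap(claimMapping)
                .build();
    }

    /**
     * Builds the SAML2 assertion configuration: signed, unencrypted assertions using the test keystore, a
     * persistent NameID format and the given attribute map.
     *
     * @param publishContext Supplies the IdP/SP entity ids, SP ACS url and keystore path.
     * @param attributeMapping The attribute map to embed in the configuration.
     * @return The SAML2Config.
     * @throws IOException If the UTF-8 charset id is not supported (UnsupportedEncodingException is an IOException,
     *                     so it is propagated directly rather than re-wrapped).
     */
    private SAML2Config buildSAML2Config(STSPublishContext publishContext,
                                        Map<String, String> attributeMapping) throws IOException {
        byte[] keystorePassword = TEST_KEYSTORE_PASSWORD.getBytes(AMSTSConstants.UTF_8_CHARSET_ID);
        return SAML2Config.builder()
                .idpId(publishContext.getIdpEntityId())
                .keystoreFile(publishContext.getAmKeystorePath())
                .keystorePassword(keystorePassword)
                .encryptionKeyAlias(TEST_KEY_ALIAS)
                .signatureKeyAlias(TEST_KEY_ALIAS)
                .signatureKeyPassword(keystorePassword)
                .signAssertion(true)
                // Encryption is off for all parts; the algorithm and strength below are therefore only the
                // values that would apply if a caller turned encryption on.
                .encryptAssertion(false)
                .encryptAttributes(false)
                .encryptNameID(false)
                .encryptionAlgorithm("http://www.w3.org/2001/04/xmlenc#aes128-cbc")
                .encryptionAlgorithmStrength(128)
                .attributeMap(attributeMapping)
                .nameIdFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")
                .spEntityId(publishContext.getSpEntityId())
                .spAcsUrl(publishContext.getSpAcsUrl())
                // Custom statement providers could also be specified here.
                .build();
    }
}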