RestSTSInstanceConfigFactory.java revision c1bef59b02d89a84c23d29663cc4e6d46148ebd2
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2016 ForgeRock AS. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at legal/CDDLv1.0.txt.
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file at legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
*/
/**
* This class allows for the generation of RestSTSInstanceConfig state used to publish rest-sts instances. It is intended
* to allow for the convenient generation of RestSTSInstanceConfig instances used to publish rest-sts instances. It is
* guided by STSPublishContext state, but hard-codes many of the options for caller convenience. If any of the
* currently-hard-coded options need to be configurable, they can be added to the STSPublishContext class, and referenced
* from there. The point is to be able to generate a reasonably small set of RestSTSInstanceConfig instances to be used
* in the functional tests, while encapsulating all of the myriad configuration options for caller convenience.
*
*
*/
public class RestSTSInstanceConfigFactory {
return createRestSTSInstanceConfig(urlElement, realm, stsPublishContext, CustomTokenOperationContext.builder().build());
}
/**
* This method creates the RestSTSInstanceConfig instance which determines the nature of the published rest sts
* instance. Note that this method does not take parameters corresponding to all options. It is there only to demonstrate
* some of the options which could be set.
* @param urlElement The deployment url of the rest-sts instance.
* @param realm The realm in which the rests-sts instance will be deployed. Note that the url of the published rest-sts
* instance will be composed of the OpenAM deploymentUrl + realm + /urlElement.
* @param stsPublishContext Determines what sort of tokens the published sts instance will produce
* @param customTokenOperationContext encapsulates custom token operation state - usually the custom operation definitions will simply be
* empty lists.
* @return A RestSTSInstanceConfig configuring the published rest-sts instance
* @throws Exception If something goes wrong
*/
/*
if you want to target a specific module or service for a particular token type, add it via the
addMapping call below. See org.forgerock.openam.forgerockrest.authn.core.AuthIndexType for the
list of valid authIndexType values (the second parameter in addMapping). The third parameter is
simply the name of the specified module, service, etc. If you want to target the default service,
don't add a mapping, or add a mapping corresponding to the default service, as below.
*/
/*
Build the context necessary for the OIDC token validation. The value in the map must correspond to the
header which the OIDC module will consult to obtain the oidc id token.
*/
oidcContext.put(AMSTSConstants.OPEN_ID_CONNECT_ID_TOKEN_AUTH_TARGET_HEADER_KEY, CommonConstants.DEFAULT_OIDC_TOKEN_HEADER_NAME);
/*
Build the context necessary for Cert validation. The value in the map must correspond to the
header which the Cert module will consult to obtain the client's Certificate.
*/
certContext.put(AMSTSConstants.X509_TOKEN_AUTH_TARGET_HEADER_KEY, CommonConstants.DEFAULT_CERT_MODULE_TOKEN_HEADER_NAME);
.addMapping(TokenType.OPENIDCONNECT, "module", CommonConstants.DEFAULT_OIDC_BEARER_TOKEN_MODULE_NAME, oidcContext)
.build();
/*
If the clientCertHeader field is specified, this implies that the client cert for x509 transformations should
be specified in a header field. If this is the case, then the set of IP addrs corresponding to the
tls offload engines must also be specified. I will simply specify the ip addr of this client, as it will be
the one invoking token transformation functionality. If all hosts should be trusted, add 'any' to the list.
*/
}
if (publishSAML2(stsPublishContext)) {
}
if (publishOIDC(stsPublishContext)) {
if (STSPublishContext.OIDCSigningAlgorithmType.RSA.equals(stsPublishContext.getOidcSigningAlgorithmType())) {
} else {
}
}
if (publishSAML2(stsPublishContext)) {
}
if (publishOIDC(stsPublishContext)) {
}
}
private OpenIdConnectTokenConfig buildHMACTokenConfig(STSPublishContext publishContext, Map<String, String> claimMapping) {
return OpenIdConnectTokenConfig.builder()
.signatureAlgorithm("HS256")
.build();
}
private OpenIdConnectTokenConfig buildRSATokenConfig(STSPublishContext publishContext, Map<String, String> claimMapping) throws UnsupportedEncodingException {
return OpenIdConnectTokenConfig.builder()
.signatureKeyAlias("test")
.signatureAlgorithm("RS256")
//due to CREST-273, the JwtReconstruction class, used in functional test verification, will throw an exception when
//reconstituting an RSA-signed OIDC token which encapsulates a JWK reference to the key which can be used to verify the signature -
//so publish with a reference of NONE
.build();
}
private SAML2Config buildSAML2Config(STSPublishContext publishContext, Map<String, String> attributeMapping) throws IOException {
try {
return SAML2Config.builder()
.encryptionKeyAlias("test")
.signatureKeyAlias("test")
.signAssertion(true)
.encryptAssertion(false)
.encryptAttributes(false)
.encryptNameID(false)
.encryptionAlgorithm("http://www.w3.org/2001/04/xmlenc#aes128-cbc")
.nameIdFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")
//custom statement providers could also be specified.
.build();
} catch (UnsupportedEncodingException e) {
throw new IOException(e);
}
}
}