STSPublishContext.java revision c1bef59b02d89a84c23d29663cc4e6d46148ebd2
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith * Copyright (c) 2016 ForgeRock AS. All Rights Reserved
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith * The contents of this file are subject to the terms
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith * of the Common Development and Distribution License
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith * (the License). You may not use this file except in
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith * compliance with the License.
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith * You can obtain a copy of the License at legal/CDDLv1.0.txt.
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith * See the License for the specific language governing
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith * permission and limitations under the License.
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith * When distributing Covered Code, include this CDDL
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith * Header Notice in each file and include the License file at legal/CDDLv1.0.txt.
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith * If applicable, add the following below the CDDL Header,
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith * with the fields enclosed by brackets [] replaced by
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith * your own identifying information:
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith * "Portions Copyrighted [year] [name of copyright owner]"
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmithpackage com.forgerock.openam.functionaltest.sts.frmwk.common;
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith * State to guide the publication of sts instances.
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith public static class STSPublishContextBuilder {
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith OIDCSigningAlgorithmType oidcSigningAlgorithmType;
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith String oidcClientSecret; //for hmac-signed oidc tokens
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith String amKeystorePath; //signed or encrypted SAML2/OIDC tokens need path to OpenAM keystore with test private-key-entry
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith If x509->SAML2/OIDC token transformations are being provided in a tls-offloaded context,
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith this value specifies the header name that these offload engines will place the client's
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith certificate, and where the STS instance expects to find this certificate.
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith public STSPublishContextBuilder generatedTokenType(GeneratedTokenType generatedTokenType) {
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith this.generatedTokenType = generatedTokenType;
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith public STSPublishContextBuilder oidcSigningAlgorithmType(OIDCSigningAlgorithmType oidcSigningAlgorithmType) {
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith this.oidcSigningAlgorithmType = oidcSigningAlgorithmType;
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith public STSPublishContextBuilder persistIssuedTokensInCTS(boolean persistIssuedTokensInCTS) {
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith this.persistIssuedTokensInCTS = persistIssuedTokensInCTS;
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith public STSPublishContextBuilder addOidcAudience(String oidcAudience) {
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith public STSPublishContextBuilder oidcIssuer(String oidcIssuer) {
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith public STSPublishContextBuilder oidcClientSecret(String oidcClientSecret) {
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith public STSPublishContextBuilder idpEntityId(String idpEntityId) {
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith public STSPublishContextBuilder spEntityId(String spEntityId) {
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith public STSPublishContextBuilder spAcsUrl(String spAcsUrl) {
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith public STSPublishContextBuilder amKeystorePath(String amKeystorePath) {
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith public STSPublishContextBuilder clientCertHeaderName(String clientCertHeaderName) {
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith this.clientCertHeaderName = clientCertHeaderName;
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith return new STSPublishContext(this) ;
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith public boolean generateSAML2() {
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith return (BOTH.ordinal() == ordinal()) || (SAML2.ordinal() == ordinal());
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith public boolean generateOIDC() {
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith return (BOTH.ordinal() == ordinal()) || (OIDC.ordinal() == ordinal());
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith public enum OIDCSigningAlgorithmType {HMAC, RSA}
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith private final GeneratedTokenType generatedTokenType;
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith private final OIDCSigningAlgorithmType oidcSigningAlgorithmType;
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith private final boolean persistIssuedTokensInCTS;
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith private STSPublishContext(STSPublishContextBuilder builder) {
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith this.generatedTokenType = builder.generatedTokenType;
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith this.oidcSigningAlgorithmType = builder.oidcSigningAlgorithmType;
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith this.persistIssuedTokensInCTS = builder.persistIssuedTokensInCTS;
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith this.oidcClientSecret = builder.oidcClientSecret;
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith this.amKeystorePath = builder.amKeystorePath;
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith this.clientCertHeaderName = builder.clientCertHeaderName;
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith public static STSPublishContextBuilder builder() {
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith public GeneratedTokenType getGeneratedTokenType() {
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith public OIDCSigningAlgorithmType getOidcSigningAlgorithmType() {
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith public boolean persistIssuedTokensInCTS() {
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith public static boolean publishSAML2(STSPublishContext stsPublishContext) {
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith return stsPublishContext.generatedTokenType.generateSAML2();
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith public static boolean publishOIDC(STSPublishContext stsPublishContext) {
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith return stsPublishContext.generatedTokenType.generateOIDC();
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith public static STSPublishContext buildDefaultPublishContext(String openAMKeystorePath, STSPublishContext.GeneratedTokenType generatedTokenType,
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith STSPublishContext.OIDCSigningAlgorithmType oidcSigningAlgorithmType) {
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith STSPublishContext.STSPublishContextBuilder builder = STSPublishContext.builder();
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith //under what header will the sts expect to find the client cert.
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith .clientCertHeaderName(CommonConstants.DEFAULT_STS_CERT_TOKEN_HEADER_NAME);
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith .addOidcAudience(CommonConstants.DEFAULT_OIDC_AUDIENCE)
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith .oidcIssuer(CommonConstants.DEFAULT_OIDC_ISSUER)
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith .oidcSigningAlgorithmType(oidcSigningAlgorithmType);
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith if (STSPublishContext.OIDCSigningAlgorithmType.HMAC.equals(oidcSigningAlgorithmType)) {
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith builder.oidcClientSecret(CommonConstants.DEFAULT_OIDC_CLIENT_SECRET);
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith // no else - if we are signing with RSA, then we just set state corresponding to the default OpenAM client cert.
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith .idpEntityId(CommonConstants.DEFAULT_SAML2_IDP_ENTITY_ID)
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith .spEntityId(CommonConstants.DEFAULT_SAML2_SP_ENTITY_ID)