/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2016 ForgeRock AS. All Rights Reserved
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at legal/CDDLv1.0.txt.
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file at legal/CDDLv1.0.txt.
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 *
 */
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmithpackage com.forgerock.openam.functionaltest.sts.frmwk.soap;
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith
import com.forgerock.openam.functionaltest.sts.frmwk.common.CommonConstants;
import com.forgerock.openam.functionaltest.sts.frmwk.common.STSPublishContext;
import org.forgerock.openam.sts.AMSTSConstants;
import org.forgerock.openam.sts.TokenType;
import org.forgerock.openam.sts.config.user.AuthTargetMapping;
import org.forgerock.openam.sts.config.user.OpenIdConnectTokenConfig;
import org.forgerock.openam.sts.config.user.OpenIdConnectTokenPublicKeyReferenceType;
import org.forgerock.openam.sts.config.user.SAML2Config;
import org.forgerock.openam.sts.soap.EndpointSpecification;
import org.forgerock.openam.sts.soap.config.user.SoapDelegationConfig;
import org.forgerock.openam.sts.soap.config.user.SoapDeploymentConfig;
import org.forgerock.openam.sts.soap.config.user.SoapSTSInstanceConfig;
import org.forgerock.openam.sts.soap.config.user.SoapSTSKeystoreConfig;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import static com.forgerock.openam.functionaltest.sts.frmwk.common.STSPublishContext.publishOIDC;
import static com.forgerock.openam.functionaltest.sts.frmwk.common.STSPublishContext.publishSAML2;
c1bef59b02d89a84c23d29663cc4e6d46148ebd2David Goldsmith
/**
 * Generates the SoapSTSInstanceConfig state used to publish soap-sts instances. Generation is guided by
 * STSPublishContext state, but many of the options are hard-coded for caller convenience. If any of the
 * currently hard-coded options need to become configurable, add them to the STSPublishContext class and
 * reference them from there. The goal is to produce a reasonably small set of SoapSTSInstanceConfig instances
 * for use in the functional tests, while encapsulating the myriad configuration options for caller convenience.
 *
 */
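public class SoapSTSInstanceConfigFactory {

    /*
     * WSDL files a soap-sts instance can be published with. The file name determines which token type the
     * instance's security policy validates (getSecurityPolicyTokenValidationConfigurationFromWsdlFile) and
     * whether an X509 auth-target mapping has to be published with it (x509MappingNecessary).
     */
    public static final String AM_BARE_WSDL = "sts_am_bare.wsdl";
    public static final String AM_TRANSPORT_WSDL = "sts_am_transport.wsdl";
    public static final String UT_ASYM_WSDL = "sts_ut_asymmetric.wsdl";
    public static final String UT_SYM_WSDL = "sts_ut_symmetric.wsdl";
    public static final String UT_TRANSPORT_WSDL = "sts_ut_transport.wsdl";
    public static final String X509_SYM_WSDL = "sts_x509_symmetric.wsdl";
    public static final String X509_ASYM_WSDL = "sts_x509_asymmetric.wsdl";

    /*
     * Auth targets. USERNAME tokens go to the default ldapService (authIndexType "service"); X509 tokens go to
     * the Cert module (authIndexType "module"). See org.forgerock.openam.forgerockrest.authn.core.AuthIndexType
     * for the list of valid authIndexType values. If a different module or service should be targeted for a
     * token type, change the addMapping call in buildAuthTargetMapping; without a mapping the default service
     * is used.
     */
    private static final String SERVICE_AUTH_INDEX_TYPE = "service";
    private static final String MODULE_AUTH_INDEX_TYPE = "module";
    private static final String DEFAULT_AUTH_SERVICE = "ldapService";

    /*
     * Fixed test-fixture credentials for the OpenAM keystore named by STSPublishContext#getAmKeystorePath().
     * They are shared by the SAML2 configuration and the RSA-signed OIDC configuration; the same alias is used
     * for encryption and for signing.
     */
    private static final String AM_KEYSTORE_PASSWORD = "changeit";
    private static final String AM_KEY_ALIAS = "test";
    private static final String AM_KEY_PASSWORD = "changeit";

    private static final String HMAC_SIGNATURE_ALGORITHM = "HS256";
    private static final String RSA_SIGNATURE_ALGORITHM = "RS256";
    private static final String SAML2_ENCRYPTION_ALGORITHM = "http://www.w3.org/2001/04/xmlenc#aes128-cbc";
    private static final int SAML2_ENCRYPTION_ALGORITHM_STRENGTH = 128;
    private static final String SAML2_PERSISTENT_NAME_ID_FORMAT =
            "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
    private static final String LOOPBACK_ADDRESS = "127.0.0.1";

    /**
     * Builds the SoapSTSInstanceConfig used to publish a soap-sts instance.
     * <p>
     * Most options are hard-coded here. The STSPublishContext only drives the client-cert header, whether SAML2
     * and/or OIDC tokens are issued, the OIDC signing algorithm and secret, the SAML2 entity ids and the CTS
     * persistence flag.
     *
     * @param urlElement the uri element the instance is published under
     * @param realm the realm set on the SoapDeploymentConfig
     * @param endpointSpecification supplies the port and service QNames of the soap endpoint
     * @param publishContext test-scenario state guiding the optional parts of the configuration
     * @param wsdlFile one of the {@code *_WSDL} constants of this class
     * @param amDeploymentUrl url of the OpenAM deployment the soap-sts consumes
     * @param soapSTSServerCryptoState keystore state available to the soap-sts deployment itself
     * @return the assembled instance configuration
     * @throws IOException if the local host address cannot be resolved; only attempted when the publish context
     *         names a client-cert header
     * @throws IllegalArgumentException if {@code wsdlFile} is not one of the known WSDL files
     */
    public SoapSTSInstanceConfig createSoapSTSInstanceConfig(String urlElement, String realm,
                                                             EndpointSpecification endpointSpecification,
                                                             STSPublishContext publishContext,
                                                             String wsdlFile, String amDeploymentUrl,
                                                             SoapSTSServerCryptoState soapSTSServerCryptoState)
            throws IOException {
        SoapDeploymentConfig deploymentConfig = buildDeploymentConfig(urlElement, realm, endpointSpecification,
                publishContext, wsdlFile, amDeploymentUrl);
        SoapSTSKeystoreConfig soapSTSKeystoreConfig = buildKeystoreConfig(soapSTSServerCryptoState);
        Map<String, String> attributeMapping = buildAttributeMapping();
        TokenType securityPolicyTokenValidationTokenType =
                getSecurityPolicyTokenValidationConfigurationFromWsdlFile(wsdlFile);

        SoapSTSInstanceConfig.SoapSTSInstanceConfigBuilder builder = SoapSTSInstanceConfig.builder()
                .deploymentConfig(deploymentConfig)
                .delegationRelationshipsSupported(true)
                .soapDelegationConfig(buildDelegationConfig())
                .soapSTSKeystoreConfig(soapSTSKeystoreConfig)
                .persistIssuedTokensInCTS(publishContext.persistIssuedTokensInCTS())
                .addSecurityPolicyTokenValidationConfiguration(securityPolicyTokenValidationTokenType, true);
        // The SAML2 and OIDC configs are only built and set when that token type is actually issued; the
        // original wiring set saml2Config twice, once unconditionally with a possibly-null value.
        if (publishSAML2(publishContext)) {
            builder.addIssueTokenType(TokenType.SAML2)
                    .saml2Config(buildSAML2Config(publishContext, attributeMapping));
        }
        if (publishOIDC(publishContext)) {
            builder.addIssueTokenType(TokenType.OPENIDCONNECT)
                    .oidcIdTokenConfig(buildOidcTokenConfig(publishContext, attributeMapping));
        }
        return builder.build();
    }

    /**
     * Builds the deployment config: endpoint, realm, auth-target mapping and, when the publish context names a
     * client-cert header, the offloaded two-way-TLS settings.
     *
     * @throws IOException if the local host address cannot be resolved while building the trusted-host set
     */
    private SoapDeploymentConfig buildDeploymentConfig(String urlElement, String realm,
                                                       EndpointSpecification endpointSpecification,
                                                       STSPublishContext publishContext,
                                                       String wsdlFile, String amDeploymentUrl) throws IOException {
        SoapDeploymentConfig.SoapDeploymentConfigBuilder deploymentConfigBuilder = SoapDeploymentConfig.builder()
                .uriElement(urlElement)
                .authTargetMapping(buildAuthTargetMapping(wsdlFile))
                .realm(realm)
                .amDeploymentUrl(amDeploymentUrl)
                .portQName(endpointSpecification.getPortQName())
                .serviceQName(endpointSpecification.getServiceQName())
                .wsdlLocation(wsdlFile);
        /*
         * A configured clientCertHeader means the client cert for x509 transformations arrives in a header field,
         * and the set of IP addrs of the tls offload engines allowed to supply that header must then also be set.
         */
        String clientCertHeaderName = publishContext.getClientCertHeaderName();
        if (clientCertHeaderName != null) {
            deploymentConfigBuilder
                    .offloadedTwoWayTLSHeaderKey(clientCertHeaderName)
                    .tlsOffloadEngineHostIpAddrs(trustedTlsOffloadHosts());
        }
        return deploymentConfigBuilder.build();
    }

    /**
     * Hosts allowed to present a client certificate in the offloaded-TLS header: this client (it is the one
     * invoking token transformation) and loopback.
     * <p>
     * Any host in this set can assert an arbitrary client identity simply by setting the header, so keep it to
     * the hosts that really terminate TLS in front of the soap-sts. Adding 'any' trusts all hosts.
     *
     * @throws IOException if the local host address cannot be resolved (UnknownHostException)
     */
    private Set<String> trustedTlsOffloadHosts() throws IOException {
        Set<String> offloadHosts = new HashSet<>();
        offloadHosts.add(InetAddress.getLocalHost().getHostAddress());
        offloadHosts.add(LOOPBACK_ADDRESS);
        return offloadHosts;
    }

    /**
     * Maps each validated token type to the OpenAM auth target that validates it. The X509 mapping is only added
     * for the x509 WSDLs; it carries the header name the Cert module consults to obtain the client's certificate.
     */
    private AuthTargetMapping buildAuthTargetMapping(String wsdlFile) {
        AuthTargetMapping.AuthTargetMappingBuilder mappingBuilder = AuthTargetMapping.builder();
        mappingBuilder.addMapping(TokenType.USERNAME, SERVICE_AUTH_INDEX_TYPE, DEFAULT_AUTH_SERVICE);
        if (x509MappingNecessary(wsdlFile)) {
            Map<String, String> certContext = new HashMap<>();
            certContext.put(AMSTSConstants.X509_TOKEN_AUTH_TARGET_HEADER_KEY,
                    CommonConstants.DEFAULT_CERT_MODULE_TOKEN_HEADER_NAME);
            mappingBuilder.addMapping(TokenType.X509, MODULE_AUTH_INDEX_TYPE,
                    CommonConstants.DEFAULT_CERT_MODULE_NAME, certContext);
        }
        return mappingBuilder.build();
    }

    /**
     * Delegation token types accepted by the instance, with the boolean flags kept exactly as originally
     * published. NOTE(review): the flag presumably means "validate the delegated token" — confirm against
     * SoapDelegationConfigBuilder before relying on it.
     */
    private SoapDelegationConfig buildDelegationConfig() {
        return SoapDelegationConfig.builder()
                .addValidatedDelegationTokenType(TokenType.USERNAME, true)
                .addValidatedDelegationTokenType(TokenType.OPENAM, false)
                .build();
    }

    /**
     * Claim/attribute mapping shared by the SAML2 and OIDC configurations. The "email" claim is sourced from the
     * "mail" attribute; the faux entry is deliberate, so the tests can see whether it appears in issued tokens.
     */
    private Map<String, String> buildAttributeMapping() {
        Map<String, String> attributeMapping = new HashMap<>();
        attributeMapping.put("email", "mail");
        attributeMapping.put("faux_claim", "faux_attribute");
        return attributeMapping;
    }

    /**
     * Keystore config of the soap-sts itself.
     * <p>
     * This state lives in the soap-sts .war file, remote from the OpenAM home deployment, so it must reference a
     * keystore available (via the classpath or the filesystem) in the remote soap-sts deployment. Note the
     * decryption/encryption mismatch: the CXF CallbackHandler registered with the CXF STSClient, or with a
     * published soap-sts instance, identifies a callback with a DECRYPT constant on both sides, because in an
     * asymmetric binding messages are encrypted with the peer's public key and decrypted with the recipient's
     * private key. The "encryption" fields of SoapSTSKeystoreConfig are therefore fed the decryption key state.
     */
    private SoapSTSKeystoreConfig buildKeystoreConfig(SoapSTSServerCryptoState soapSTSServerCryptoState) {
        return SoapSTSKeystoreConfig.builder()
                .keystoreFileName(soapSTSServerCryptoState.getKeystoreLocation())
                .keystorePassword(utf8(soapSTSServerCryptoState.getKeystorePassword()))
                .encryptionKeyAlias(soapSTSServerCryptoState.getDecryptionKeyAlias())
                .encryptionKeyPassword(utf8(soapSTSServerCryptoState.getDecryptionKeyPassword()))
                .signatureKeyAlias(soapSTSServerCryptoState.getSignatureKeyAlias())
                .signatureKeyPassword(utf8(soapSTSServerCryptoState.getSignatureKeyPassword()))
                .build();
    }

    /**
     * Returns the token type whose security policy the given WSDL file configures.
     *
     * @throws IllegalArgumentException if the file is null or not one of the known WSDL files
     */
    private TokenType getSecurityPolicyTokenValidationConfigurationFromWsdlFile(String wsdlFile) {
        // A switch on a null String throws NPE; fall through to the IllegalArgumentException instead.
        if (wsdlFile != null) {
            switch (wsdlFile) {
                case X509_ASYM_WSDL:
                case X509_SYM_WSDL:
                    return TokenType.X509;
                case UT_ASYM_WSDL:
                case UT_SYM_WSDL:
                case UT_TRANSPORT_WSDL:
                    return TokenType.USERNAME;
                case AM_BARE_WSDL:
                case AM_TRANSPORT_WSDL:
                    return TokenType.OPENAM;
                default:
                    break;
            }
        }
        throw new IllegalArgumentException("Unexpected wsdl file specification: " + wsdlFile);
    }

    /** True for the two x509 WSDLs, whose security policy needs an X509 auth-target mapping. */
    private boolean x509MappingNecessary(String wsdlFile) {
        return X509_ASYM_WSDL.equals(wsdlFile) || X509_SYM_WSDL.equals(wsdlFile);
    }

    /** Picks the RSA or HMAC OIDC config according to the signing algorithm type in the publish context. */
    private OpenIdConnectTokenConfig buildOidcTokenConfig(STSPublishContext publishContext,
                                                          Map<String, String> claimMapping) {
        if (STSPublishContext.OIDCSigningAlgorithmType.RSA.equals(publishContext.getOidcSigningAlgorithmType())) {
            return buildRSATokenConfig(publishContext, claimMapping);
        }
        // Anything else (including an unset type) is published with an HMAC signature.
        return buildHMACTokenConfig(publishContext, claimMapping);
    }

    /**
     * OIDC config for HS256-signed tokens keyed by the client secret from the publish context.
     * <p>
     * The secret is encoded as UTF-8 explicitly: the previous platform-default getBytes() made the HMAC key
     * depend on the JVM's default charset, unlike every other secret this factory encodes.
     */
    private OpenIdConnectTokenConfig buildHMACTokenConfig(STSPublishContext publishContext,
                                                          Map<String, String> claimMapping) {
        return OpenIdConnectTokenConfig.builder()
                .clientSecret(utf8(publishContext.getOidcClientSecret()))
                .signatureAlgorithm(HMAC_SIGNATURE_ALGORITHM)
                .setAudience(publishContext.getOidcAudiences())
                .issuer(publishContext.getOidcIssuer())
                .claimMap(claimMapping)
                .build();
    }

    /** OIDC config for RS256-signed tokens, signed with the fixed test key in the OpenAM keystore. */
    private OpenIdConnectTokenConfig buildRSATokenConfig(STSPublishContext publishContext,
                                                         Map<String, String> claimMapping) {
        return OpenIdConnectTokenConfig.builder()
                .keystoreLocation(publishContext.getAmKeystorePath())
                .keystorePassword(utf8(AM_KEYSTORE_PASSWORD))
                .signatureKeyAlias(AM_KEY_ALIAS)
                .signatureKeyPassword(utf8(AM_KEY_PASSWORD))
                .signatureAlgorithm(RSA_SIGNATURE_ALGORITHM)
                .setAudience(publishContext.getOidcAudiences())
                .issuer(publishContext.getOidcIssuer())
                // Due to CREST-273, the JwtReconstruction class used in functional test verification throws when
                // reconstituting an RSA-signed OIDC token that embeds a JWK reference to the verification key,
                // so publish with a reference of NONE.
                .publicKeyReferenceType(OpenIdConnectTokenPublicKeyReferenceType.NONE)
                .claimMap(claimMapping)
                .build();
    }

    /**
     * SAML2 config: signed, unencrypted assertions with a persistent NameID.
     * <p>
     * The keystore state must reference a keystore available to the home OpenAM .war file, because the soap-sts
     * consumes the TokenGenerationService hosted on OpenAM in order to obtain the SAML2 assertion, and that
     * service reads this keystore on the OpenAM home server.
     */
    private SAML2Config buildSAML2Config(STSPublishContext publishContext, Map<String, String> attributeMapping) {
        return SAML2Config.builder()
                .idpId(publishContext.getIdpEntityId())
                .keystoreFile(publishContext.getAmKeystorePath())
                .keystorePassword(utf8(AM_KEYSTORE_PASSWORD))
                .encryptionKeyAlias(AM_KEY_ALIAS)
                .signatureKeyAlias(AM_KEY_ALIAS)
                .signatureKeyPassword(utf8(AM_KEY_PASSWORD))
                .signAssertion(true)
                .encryptAssertion(false)
                .encryptAttributes(false)
                .encryptNameID(false)
                .encryptionAlgorithm(SAML2_ENCRYPTION_ALGORITHM)
                .encryptionAlgorithmStrength(SAML2_ENCRYPTION_ALGORITHM_STRENGTH)
                .attributeMap(attributeMapping)
                .nameIdFormat(SAML2_PERSISTENT_NAME_ID_FORMAT)
                .spEntityId(publishContext.getSpEntityId())
                .spAcsUrl(publishContext.getSpAcsUrl())
                // Custom statement providers could also be specified here.
                .build();
    }

    /**
     * Encodes a password or secret as UTF-8 bytes. Using the Charset overload rather than a charset name removes
     * the UnsupportedEncodingException that the name-based overload declares but can never throw for UTF-8.
     */
    private static byte[] utf8(String value) {
        return value.getBytes(StandardCharsets.UTF_8);
    }
}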