Repository: cxf-fediz Updated Branches: refs/heads/master 4d9c688e1 -> 61f6c7e6e
Merging SamlTokenConverter into FedizSubjectCreator given this conversion is a temp solution until OIDC starts managing the auth itself Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/61f6c7e6 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/61f6c7e6 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/61f6c7e6 Branch: refs/heads/master Commit: 61f6c7e6e090c3df3bf0e64ce5d87aaf69d894e2 Parents: 4d9c688 Author: Sergey Beryozkin <[email protected]> Authored: Mon Feb 8 14:13:30 2016 +0000 Committer: Sergey Beryozkin <[email protected]> Committed: Mon Feb 8 14:13:30 2016 +0000 ---------------------------------------------------------------------- .../fediz/service/oidc/FedizSubjectCreator.java | 135 +++++++++++++++- .../fediz/service/oidc/SamlTokenConverter.java | 153 ------------------- .../src/main/webapp/WEB-INF/data-manager.xml | 6 +- 3 files changed, 129 insertions(+), 165 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/61f6c7e6/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java ---------------------------------------------------------------------- diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java index f030f06..4502816 100644 --- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java +++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java @@ -20,6 +20,11 @@ package org.apache.cxf.fediz.service.oidc; import java.security.Principal; +import org.w3c.dom.Element; + +import org.apache.cxf.fediz.core.Claim; +import org.apache.cxf.fediz.core.ClaimCollection; +import org.apache.cxf.fediz.core.ClaimTypes; import org.apache.cxf.fediz.core.FedizPrincipal; import org.apache.cxf.jaxrs.ext.MessageContext; import org.apache.cxf.rs.security.oauth2.common.Client; @@ -28,10 +33,17 @@ import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException; import org.apache.cxf.rs.security.oauth2.provider.SubjectCreator; import org.apache.cxf.rs.security.oidc.common.IdToken; import org.apache.cxf.rs.security.oidc.idp.OidcUserSubject; +import org.apache.wss4j.common.ext.WSSecurityException; +import org.apache.wss4j.common.saml.SamlAssertionWrapper; +import org.joda.time.DateTime; +import org.opensaml.saml.saml2.core.Assertion; +import org.opensaml.saml.saml2.core.Issuer; + public class FedizSubjectCreator implements SubjectCreator { - private SamlTokenConverter tokenConverter = new SamlTokenConverter(); + private String issuer; + private long defaultTimeToLive = 3600L; @Override @@ -46,10 +58,10 @@ public class FedizSubjectCreator implements SubjectCreator { // In the future FedizPrincipal will likely have JWT claims already prepared, // with IdToken being initialized here from those claims + client id - IdToken idToken = tokenConverter.convertToIdToken(fedizPrincipal.getLoginToken(), - fedizPrincipal.getName(), - fedizPrincipal.getClaims(), - client.getClientId()); + IdToken idToken = convertToIdToken(fedizPrincipal.getLoginToken(), + fedizPrincipal.getName(), + fedizPrincipal.getClaims(), + client.getClientId()); OidcUserSubject oidcSub = new OidcUserSubject(); oidcSub.setLogin(fedizPrincipal.getName()); @@ -59,8 +71,117 @@ public class FedizSubjectCreator implements SubjectCreator { return oidcSub; } - public void setTokenConverter(SamlTokenConverter tokenConverter) { - this.tokenConverter = tokenConverter; + public IdToken convertToIdToken(Element samlToken, + String subjectName, + ClaimCollection claims, + String clientId) { + // The current SAML Assertion represents anauthentication record. + // It has to be translated into IdToken (JWT) so that it can be returned + // to client applications participating in various OIDC flows. + + IdToken idToken = new IdToken(); + // Subject name is provided by FedizPrincipal which is initialized from the current SAML token + idToken.setSubject(subjectName); + // SAML assertion audiences might be added if needed given that JWT can hold an array of audiences + idToken.setAudience(clientId); + + Assertion saml2Assertion = getSaml2Assertion(samlToken); + if (saml2Assertion != null) { + // issueInstant + DateTime issueInstant = saml2Assertion.getIssueInstant(); + if (issueInstant != null) { + idToken.setIssuedAt(issueInstant.getMillis() / 1000); + } + + // expiryTime + if (saml2Assertion.getConditions() != null) { + DateTime expires = saml2Assertion.getConditions().getNotOnOrAfter(); + if (expires != null) { + idToken.setExpiryTime(expires.getMillis() / 1000); + } + } + + // authInstant + if (!saml2Assertion.getAuthnStatements().isEmpty()) { + DateTime authInstant = + saml2Assertion.getAuthnStatements().get(0).getAuthnInstant(); + idToken.setAuthenticationTime(authInstant.getMillis() / 1000L); + } + } + // Check if default issuer, issuedAt and expiryTime values have to be set + if (issuer != null) { + idToken.setIssuer(issuer); + } else if (saml2Assertion != null) { + Issuer assertionIssuer = saml2Assertion.getIssuer(); + if (assertionIssuer != null) { + idToken.setIssuer(assertionIssuer.getValue()); + } + } + + long currentTimeInSecs = System.currentTimeMillis() / 1000; + if (idToken.getIssuedAt() == null) { + idToken.setIssuedAt(currentTimeInSecs); + } + if (idToken.getExpiryTime() == null) { + idToken.setExpiryTime(currentTimeInSecs + defaultTimeToLive); + } + + // Map claims + if (claims != null) { + String firstName = null; + String lastName = null; + for (Claim c : claims) { + if (!(c.getValue() instanceof String)) { + continue; + } + if (ClaimTypes.FIRSTNAME.equals(c.getClaimType())) { + idToken.setGivenName((String)c.getValue()); + firstName = (String)c.getValue(); + } else if (ClaimTypes.LASTNAME.equals(c.getClaimType())) { + idToken.setFamilyName((String)c.getValue()); + lastName = (String)c.getValue(); + } else if (ClaimTypes.EMAILADDRESS.equals(c.getClaimType())) { + idToken.setEmail((String)c.getValue()); + } else if (ClaimTypes.DATEOFBIRTH.equals(c.getClaimType())) { + idToken.setBirthDate((String)c.getValue()); + } else if (ClaimTypes.HOMEPHONE.equals(c.getClaimType())) { + idToken.setPhoneNumber((String)c.getValue()); + } else if (ClaimTypes.GENDER.equals(c.getClaimType())) { + idToken.setGender((String)c.getValue()); + } else if (ClaimTypes.WEB_PAGE.equals(c.getClaimType())) { + idToken.setWebsite((String)c.getValue()); + } + + } + if (firstName != null && lastName != null) { + idToken.setName(firstName + " " + lastName); + } + + } + + return idToken; + } + + + private Assertion getSaml2Assertion(Element samlToken) { + // Should a null assertion lead to the exception ? + try { + SamlAssertionWrapper wrapper = new SamlAssertionWrapper(samlToken); + return wrapper.getSaml2(); + } catch (WSSecurityException ex) { + throw new OAuthServiceException("Error converting SAML token", ex); + } + + } + + + public void setIdTokenIssuer(String idTokenIssuer) { + this.issuer = idTokenIssuer; + } + + + public void setIdTokenTimeToLive(long idTokenTimeToLive) { + this.defaultTimeToLive = idTokenTimeToLive; } } http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/61f6c7e6/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java ---------------------------------------------------------------------- diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java deleted file mode 100644 index fe55736..0000000 --- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java +++ /dev/null @@ -1,153 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.fediz.service.oidc; - -import org.w3c.dom.Element; - -import org.apache.cxf.fediz.core.Claim; -import org.apache.cxf.fediz.core.ClaimCollection; -import org.apache.cxf.fediz.core.ClaimTypes; -import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException; -import org.apache.cxf.rs.security.oidc.common.IdToken; -import org.apache.wss4j.common.ext.WSSecurityException; -import org.apache.wss4j.common.saml.SamlAssertionWrapper; -import org.joda.time.DateTime; -import org.opensaml.saml.saml2.core.Assertion; -import org.opensaml.saml.saml2.core.Issuer; - - -public class SamlTokenConverter { - - private String issuer; - private long defaultTimeToLive = 3600L; - - public IdToken convertToIdToken(Element samlToken, - String subjectName, - ClaimCollection claims, - String clientId) { - // The current SAML Assertion represents an authentication record. - // It has to be translated into IdToken (JWT) so that it can be returned - // to client applications participating in various OIDC flows. - - IdToken idToken = new IdToken(); - // Subject name is provided by FedizPrincipal which is initialized from the current SAML token - idToken.setSubject(subjectName); - // SAML assertion audiences might be added if needed given that JWT can hold an array of audiences - idToken.setAudience(clientId); - - Assertion saml2Assertion = getSaml2Assertion(samlToken); - if (saml2Assertion != null) { - // issueInstant - DateTime issueInstant = saml2Assertion.getIssueInstant(); - if (issueInstant != null) { - idToken.setIssuedAt(issueInstant.getMillis() / 1000); - } - - // expiryTime - if (saml2Assertion.getConditions() != null) { - DateTime expires = saml2Assertion.getConditions().getNotOnOrAfter(); - if (expires != null) { - idToken.setExpiryTime(expires.getMillis() / 1000); - } - } - - // authInstant - if (!saml2Assertion.getAuthnStatements().isEmpty()) { - DateTime authInstant = - saml2Assertion.getAuthnStatements().get(0).getAuthnInstant(); - idToken.setAuthenticationTime(authInstant.getMillis() / 1000L); - } - } - // Check if default issuer, issuedAt and expiryTime values have to be set - if (issuer != null) { - idToken.setIssuer(issuer); - } else if (saml2Assertion != null) { - Issuer assertionIssuer = saml2Assertion.getIssuer(); - if (assertionIssuer != null) { - idToken.setIssuer(assertionIssuer.getValue()); - } - } - - long currentTimeInSecs = System.currentTimeMillis() / 1000; - if (idToken.getIssuedAt() == null) { - idToken.setIssuedAt(currentTimeInSecs); - } - if (idToken.getExpiryTime() == null) { - idToken.setExpiryTime(currentTimeInSecs + defaultTimeToLive); - } - - - // Map claims - if (claims != null) { - String firstName = null; - String lastName = null; - for (Claim c : claims) { - if (!(c.getValue() instanceof String)) { - continue; - } - if (ClaimTypes.FIRSTNAME.equals(c.getClaimType())) { - idToken.setGivenName((String)c.getValue()); - firstName = (String)c.getValue(); - } else if (ClaimTypes.LASTNAME.equals(c.getClaimType())) { - idToken.setFamilyName((String)c.getValue()); - lastName = (String)c.getValue(); - } else if (ClaimTypes.EMAILADDRESS.equals(c.getClaimType())) { - idToken.setEmail((String)c.getValue()); - } else if (ClaimTypes.DATEOFBIRTH.equals(c.getClaimType())) { - idToken.setBirthDate((String)c.getValue()); - } else if (ClaimTypes.HOMEPHONE.equals(c.getClaimType())) { - idToken.setPhoneNumber((String)c.getValue()); - } else if (ClaimTypes.GENDER.equals(c.getClaimType())) { - idToken.setGender((String)c.getValue()); - } else if (ClaimTypes.WEB_PAGE.equals(c.getClaimType())) { - idToken.setWebsite((String)c.getValue()); - } - } - - if (firstName != null && lastName != null) { - idToken.setName(firstName + " " + lastName); - } - } - - return idToken; - } - - - private Assertion getSaml2Assertion(Element samlToken) { - // Should a null assertion lead to the exception ? - try { - SamlAssertionWrapper wrapper = new SamlAssertionWrapper(samlToken); - return wrapper.getSaml2(); - } catch (WSSecurityException ex) { - throw new OAuthServiceException("Error converting SAML token", ex); - } - - } - - - public void setIssuer(String issuer) { - this.issuer = issuer; - } - - - public void setDefaultTimeToLive(long defaultTimeToLive) { - this.defaultTimeToLive = defaultTimeToLive; - } - -} http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/61f6c7e6/services/oidc/src/main/webapp/WEB-INF/data-manager.xml ---------------------------------------------------------------------- diff --git a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml b/services/oidc/src/main/webapp/WEB-INF/data-manager.xml index d6e06af..9bd2c38 100644 --- a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml +++ b/services/oidc/src/main/webapp/WEB-INF/data-manager.xml @@ -53,12 +53,8 @@ --> </bean> - <bean id="samlTokenConverter" class="org.apache.cxf.fediz.service.oidc.SamlTokenConverter"> - <property name="issuer" value="accounts.fediz.com"/> - </bean> - <bean id="subjectCreator" class="org.apache.cxf.fediz.service.oidc.FedizSubjectCreator"> - <property name="tokenConverter" ref="samlTokenConverter"/> + <property name="idTokenIssuer" value="accounts.fediz.com"/> </bean> </beans>
