
Example 1 with CTSTokenPersistenceException

use of org.forgerock.openam.sts.CTSTokenPersistenceException in project OpenAM by OpenRock.

Class CTSTokenPersistenceImpl, method persistToken:

/**
 * Stores an issued STS token in the Core Token Service (CTS).
 *
 * Flow: derive a CTS token id from the token type and token string, encode the token
 * string with the charset named by {@code AMSTSConstants.UTF_8_CHARSET_ID}, assemble a
 * CTS {@link Token} via {@code generateToken}, and hand it to {@code ctsPersistentStore}.
 * Every failure is translated into a {@link CTSTokenPersistenceException} with the
 * original exception preserved as the cause, so callers see a single exception type.
 *
 * Security note: the serialized token itself (the issued credential) is what gets
 * written to the CTS. None of the error messages built here embed the token string
 * or the subject id; keep it that way if these messages are changed.
 *
 * @param stsId                id of the STS instance that issued the token
 * @param tokenType            type of the issued token (used in the id and in messages)
 * @param tokenString          serialized issued token
 * @param subjectId            principal the token was issued for
 * @param issueInstantMillis   issue instant in milliseconds since the epoch
 * @param tokenLifetimeSeconds token lifetime in seconds
 * @throws CTSTokenPersistenceException if id generation fails (code taken from the
 *         {@link TokenIdGenerationException}), if the charset is unsupported, or if
 *         the CTS create call fails (both reported as {@code INTERNAL_ERROR})
 */
@Override
public void persistToken(String stsId, TokenType tokenType, String tokenString, String subjectId, long issueInstantMillis, long tokenLifetimeSeconds) throws CTSTokenPersistenceException {
    try {
        // Id first: a failure here carries its own error code, unlike the later steps.
        final String generatedId = ctsTokenIdGenerator.generateTokenId(tokenType, tokenString);
        final byte[] tokenBytes = tokenString.getBytes(AMSTSConstants.UTF_8_CHARSET_ID);
        final Token ctsEntry = generateToken(stsId, tokenBytes, generatedId, subjectId, issueInstantMillis, tokenLifetimeSeconds, tokenType);
        ctsPersistentStore.create(ctsEntry);
    } catch (TokenIdGenerationException idFailure) {
        throw new CTSTokenPersistenceException(idFailure.getCode(), "Exception caught generating id for CTS-persisted " + tokenType + "  token: " + idFailure.getMessage(), idFailure);
    } catch (UnsupportedEncodingException encodingFailure) {
        // Only reachable if the configured charset id is unknown to this JVM.
        throw new CTSTokenPersistenceException(ResourceException.INTERNAL_ERROR, "Exception caught getting byte[] " + "representation of issued " + tokenType + " token for CTS persistence: " + encodingFailure, encodingFailure);
    } catch (CoreTokenException storeFailure) {
        throw new CTSTokenPersistenceException(ResourceException.INTERNAL_ERROR, "Exception caught persisting issued " + tokenType + " token in the CTS: " + storeFailure.getMessage(), storeFailure);
    }
}
Also used : TokenIdGenerationException(org.forgerock.openam.sts.TokenIdGenerationException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) CoreTokenException(org.forgerock.openam.cts.exceptions.CoreTokenException) Token(org.forgerock.openam.cts.api.tokens.Token) PartialToken(org.forgerock.openam.sm.datalayer.api.query.PartialToken) CTSTokenPersistenceException(org.forgerock.openam.sts.CTSTokenPersistenceException)

Example 2 with CTSTokenPersistenceException

use of org.forgerock.openam.sts.CTSTokenPersistenceException in project OpenAM by OpenRock.

Class OpenIdConnectTokenGenerationImpl, method generate:

/**
 * Issues a signed OpenID Connect token for the principal bound to {@code subjectToken}.
 *
 * Steps: validate the SSOToken and obtain its principal, build the unsigned token with
 * the issue instant in seconds, sign it according to the configured JWS algorithm, and,
 * when the STS instance is configured to do so, record the issued token in the CTS before
 * returning it. A CTS persistence failure aborts issuance (the token is not returned),
 * so "persisted" and "issued" cannot diverge from the caller's point of view.
 *
 * Security notes:
 *  - Only HMAC and RSA algorithm types are accepted; anything else is rejected with
 *    BAD_REQUEST rather than falling through to an unsigned token.
 *  - The HMAC branch signs with {@code tokenConfig.getClientSecret()}, i.e. a secret
 *    presumably shared with the relying party, which can then mint tokens itself --
 *    TODO confirm that is the intended trust model for HMAC-configured instances.
 *
 * @param subjectToken    session whose principal becomes the token subject
 * @param stsInstanceState configuration and PKI provider of the invoked STS instance
 * @param invocationState per-request state, including the OIDC generation state and STS id
 * @return the compact serialization of the signed JWT
 * @throws TokenCreationException for an unknown JWS algorithm type (BAD_REQUEST) or a
 *         CTS persistence failure (code and message copied from the persistence exception)
 */
@Override
public String generate(SSOToken subjectToken, STSInstanceState stsInstanceState, TokenGenerationServiceInvocationState invocationState) throws TokenCreationException {
    final OpenIdConnectTokenConfig oidcConfig = stsInstanceState.getConfig().getOpenIdConnectTokenConfig();
    final long issueInstantMillis = System.currentTimeMillis();
    final String principal = ssoTokenIdentity.validateAndGetTokenPrincipal(subjectToken);
    // buildToken takes the issue instant in seconds; persistToken below takes milliseconds.
    final STSOpenIdConnectToken unsignedToken = buildToken(subjectToken, oidcConfig, invocationState.getOpenIdConnectTokenGenerationState(), issueInstantMillis / 1000, principal);
    final String signedTokenString = signForConfiguredAlgorithm(unsignedToken, oidcConfig, stsInstanceState);
    if (stsInstanceState.getConfig().persistIssuedTokensInCTS()) {
        try {
            ctsTokenPersistence.persistToken(invocationState.getStsInstanceId(), TokenType.OPENIDCONNECT, signedTokenString, principal, issueInstantMillis, oidcConfig.getTokenLifetimeInSeconds());
        } catch (CTSTokenPersistenceException persistenceFailure) {
            throw new TokenCreationException(persistenceFailure.getCode(), persistenceFailure.getMessage(), persistenceFailure);
        }
    }
    return signedTokenString;
}

/**
 * Signs {@code token} with the algorithm configured on {@code tokenConfig} and returns
 * the compact JWT string. HMAC uses the client secret; RSA uses the key pair resolved
 * from the instance's PKI provider by alias and password.
 *
 * @throws TokenCreationException with BAD_REQUEST if the algorithm type is neither HMAC nor RSA
 */
private String signForConfiguredAlgorithm(STSOpenIdConnectToken token, OpenIdConnectTokenConfig tokenConfig, STSInstanceState stsInstanceState) throws TokenCreationException {
    final JwsAlgorithm jwsAlgorithm = tokenConfig.getSignatureAlgorithm();
    final JwsAlgorithmType algorithmType = jwsAlgorithm.getAlgorithmType();
    final SignedJwt signedJwt;
    if (JwsAlgorithmType.HMAC.equals(algorithmType)) {
        signedJwt = symmetricSign(token, jwsAlgorithm, tokenConfig.getClientSecret());
    } else if (JwsAlgorithmType.RSA.equals(algorithmType)) {
        signedJwt = asymmetricSign(token, jwsAlgorithm, getKeyPair(stsInstanceState.getOpenIdConnectTokenPKIProvider(), tokenConfig.getSignatureKeyAlias(), tokenConfig.getSignatureKeyPassword()), determinePublicKeyReferenceType(tokenConfig));
    } else {
        // Fail closed: never emit a token for an algorithm type this code cannot sign with.
        throw new TokenCreationException(ResourceException.BAD_REQUEST, "Unknown JwsAlgorithmType: " + algorithmType);
    }
    return signedJwt.build();
}
Also used : JwsAlgorithm(org.forgerock.json.jose.jws.JwsAlgorithm) JwsAlgorithmType(org.forgerock.json.jose.jws.JwsAlgorithmType) SignedJwt(org.forgerock.json.jose.jws.SignedJwt) TokenCreationException(org.forgerock.openam.sts.TokenCreationException) CTSTokenPersistenceException(org.forgerock.openam.sts.CTSTokenPersistenceException) OpenIdConnectTokenConfig(org.forgerock.openam.sts.config.user.OpenIdConnectTokenConfig)

Example 3 with CTSTokenPersistenceException

use of org.forgerock.openam.sts.CTSTokenPersistenceException in project OpenAM by OpenRock.

Class SAML2TokenGenerationImpl, method generate:

/**
 * Issues a SAML2 assertion for the principal bound to {@code subjectToken}.
 *
 * The assertion is populated (version/id, issuer, issue instant, conditions, subject,
 * authentication, attribute and authz-decision statements), then protected according to
 * the published {@link SAML2Config}:
 *  - whole-assertion encryption delegates to
 *    {@code handleSingingAndEncryptionOfEntireAssertion}, which (per the original note
 *    on this branch) signs before encrypting, because encryption of the entire assertion
 *    must be preceded by signing;
 *  - otherwise attribute statements and/or the NameID are encrypted first and the
 *    assertion is signed afterwards, so the signature covers the encrypted elements.
 * The serialized assertion is optionally recorded in the CTS before being returned; a
 * persistence failure aborts issuance.
 *
 * NOTE(review): signing is governed by {@code saml2Config.signAssertion()} and is not
 * forced -- an instance published without it returns an unsigned (and possibly
 * unencrypted) assertion. Confirm that is acceptable for every published instance.
 *
 * @param subjectToken     session whose principal becomes the assertion subject
 * @param stsInstanceState configuration and crypto material of the invoked STS instance
 * @param invocationState  per-request SAML2 generation state and STS id
 * @return the assertion (or EncryptedAssertion) serialized to XML
 * @throws TokenCreationException BAD_REQUEST if no SAML2Config is published, INTERNAL_ERROR
 *         if XML serialization fails, or the persistence exception's code if CTS write fails
 */
public String generate(SSOToken subjectToken, STSInstanceState stsInstanceState, TokenGenerationServiceInvocationState invocationState) throws TokenCreationException {
    final SAML2Config saml2Config = stsInstanceState.getConfig().getSaml2Config();
    if (saml2Config == null) {
        throw new TokenCreationException(ResourceException.BAD_REQUEST, "Invocation targets a SAML2 token, but no SAML2Config was specified in the published sts!");
    }
    final String principal = ssoTokenIdentity.validateAndGetTokenPrincipal(subjectToken);
    final Assertion assertion = AssertionFactory.getInstance().createAssertion();
    setVersionAndId(assertion);
    setIssuer(assertion, saml2Config);
    final Date issuedAt = new Date();
    setIssueInstant(assertion, issuedAt);
    final SAML2TokenGenerationState generationState = invocationState.getSaml2TokenGenerationState();
    setConditions(assertion, saml2Config, issuedAt, generationState.getSaml2SubjectConfirmation());
    setSubject(assertion, principal, saml2Config.getSpAcsUrl(), saml2Config, generationState.getSaml2SubjectConfirmation(), issuedAt, generationState.getProofTokenState());
    setAuthenticationStatements(assertion, saml2Config, generationState.getAuthnContextClassRef());
    setAttributeStatements(assertion, subjectToken, saml2Config);
    setAuthzDecisionStatements(assertion, subjectToken, saml2Config);

    final String assertionXml;
    try {
        if (saml2Config.encryptAssertion()) {
            // Whole-assertion branch handles both signing and encryption; encryption of the
            // entire assertion must be preceded by signing.
            final EncryptedAssertion encrypted = handleSingingAndEncryptionOfEntireAssertion(assertion, saml2Config, stsInstanceState);
            assertionXml = encrypted.toXMLString(ASSERTION_TO_STRING_INCLUDE_NAMESPACE_PREFIX, ASSERTION_TO_STRING_DECLARE_NAMESPACE_PREFIX);
        } else {
            // Element-level encryption happens before signing so the signature covers it.
            if (saml2Config.encryptAttributes()) {
                encryptAttributeStatement(assertion, saml2Config, stsInstanceState);
            }
            if (saml2Config.encryptNameID()) {
                encryptNameID(assertion, saml2Config, stsInstanceState);
            }
            if (saml2Config.signAssertion()) {
                signAssertion(assertion, stsInstanceState);
            }
            assertionXml = assertion.toXMLString(ASSERTION_TO_STRING_INCLUDE_NAMESPACE_PREFIX, ASSERTION_TO_STRING_DECLARE_NAMESPACE_PREFIX);
        }
    } catch (SAML2Exception serializationFailure) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught calling Assertion.toXMLString: " + serializationFailure, serializationFailure);
    }

    if (stsInstanceState.getConfig().persistIssuedTokensInCTS()) {
        try {
            ctsTokenPersistence.persistToken(invocationState.getStsInstanceId(), TokenType.SAML2, assertionXml, principal, issuedAt.getTime(), saml2Config.getTokenLifetimeInSeconds());
        } catch (CTSTokenPersistenceException persistenceFailure) {
            throw new TokenCreationException(persistenceFailure.getCode(), persistenceFailure.getMessage(), persistenceFailure);
        }
    }
    return assertionXml;
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) SAML2Config(org.forgerock.openam.sts.config.user.SAML2Config) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) EncryptedAssertion(com.sun.identity.saml2.assertion.EncryptedAssertion) Assertion(com.sun.identity.saml2.assertion.Assertion) TokenCreationException(org.forgerock.openam.sts.TokenCreationException) CTSTokenPersistenceException(org.forgerock.openam.sts.CTSTokenPersistenceException) Date(java.util.Date) SAML2TokenGenerationState(org.forgerock.openam.sts.service.invocation.SAML2TokenGenerationState)

Example 4 with CTSTokenPersistenceException

use of org.forgerock.openam.sts.CTSTokenPersistenceException in project OpenAM by OpenRock.

Class CTSTokenPersistenceImpl, method listTokens:

/**
 * Queries the CTS for STS-issued tokens matching {@code queryFilter} and returns their
 * summarized state.
 *
 * The filter is translated by {@code buildTokenFilter} into a CTS attribute query; each
 * returned {@link PartialToken} is marshalled into an {@link STSIssuedTokenState}. The
 * result preserves the order in which the store returned the partial tokens.
 *
 * @param queryFilter filter over CTS token fields selecting the tokens to list
 * @return one {@link STSIssuedTokenState} per matching token, possibly empty
 * @throws CTSTokenPersistenceException with INTERNAL_ERROR if the CTS query fails, or
 *         whatever {@code marshalIssuedTokenState} throws for a malformed result
 */
@Override
public List<STSIssuedTokenState> listTokens(QueryFilter<CoreTokenField> queryFilter) throws CTSTokenPersistenceException {
    final Collection<PartialToken> matches;
    try {
        matches = ctsPersistentStore.attributeQuery(buildTokenFilter(queryFilter));
    } catch (CoreTokenException queryFailure) {
        throw new CTSTokenPersistenceException(ResourceException.INTERNAL_ERROR, queryFailure.getMessage(), queryFailure);
    }
    // Pre-sized: the number of results is known before marshalling starts.
    final List<STSIssuedTokenState> summaries = new ArrayList<>(matches.size());
    for (final PartialToken match : matches) {
        summaries.add(marshalIssuedTokenState(match));
    }
    return summaries;
}
Also used : PartialToken(org.forgerock.openam.sm.datalayer.api.query.PartialToken) ArrayList(java.util.ArrayList) CoreTokenException(org.forgerock.openam.cts.exceptions.CoreTokenException) STSIssuedTokenState(org.forgerock.openam.sts.user.invocation.STSIssuedTokenState) CTSTokenPersistenceException(org.forgerock.openam.sts.CTSTokenPersistenceException)

Example 5 with CTSTokenPersistenceException

use of org.forgerock.openam.sts.CTSTokenPersistenceException in project OpenAM by OpenRock.

Class CTSTokenPersistenceImpl, method marshalIssuedTokenState:

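/**
 * Converts one CTS query result into an {@link STSIssuedTokenState}.
 *
 * Reads the expiry date, user id, STS token type, STS id and token id from the partial
 * token and builds the summary; the expiry is reported as seconds since the epoch via
 * {@code TimeUtils.toUnixTime}.
 *
 * Each field is checked explicitly so a missing attribute produces an error that names
 * the field. The original relied solely on catching {@link NullPointerException}, whose
 * message is typically null and gave operators no indication of which attribute was
 * absent from the stored token. The NPE catch is retained as a last-resort fallback for
 * anything that still dereferences null inside the helpers or the builder, so the
 * exception type and code seen by callers are unchanged.
 *
 * @param partialToken one row of a CTS attribute query
 * @return the marshalled issued-token summary
 * @throws CTSTokenPersistenceException with INTERNAL_ERROR if any required field is null
 */
private STSIssuedTokenState marshalIssuedTokenState(PartialToken partialToken) throws CTSTokenPersistenceException {
    try {
        final Calendar timestamp = requireField(partialToken.getValue(CoreTokenField.EXPIRY_DATE), "EXPIRY_DATE");
        final long unixTime = TimeUtils.toUnixTime(timestamp);
        final String userId = requireField(partialToken.getValue(CoreTokenField.USER_ID), "USER_ID");
        final String tokenType = requireField(partialToken.getValue(CTS_TOKEN_FIELD_STS_TOKEN_TYPE), "STS_TOKEN_TYPE");
        final String stsId = requireField(partialToken.getValue(CTS_TOKEN_FIELD_STS_ID), "STS_ID");
        final String tokenId = requireField(partialToken.getValue(CoreTokenField.TOKEN_ID), "TOKEN_ID");
        return STSIssuedTokenState.builder().tokenId(tokenId).stsId(stsId).expirationTimeInSecondsFromEpoch(unixTime).tokenType(tokenType).principalName(userId).build();
    } catch (NullPointerException e) {
        // Fallback only: the explicit checks above should report a missing field first.
        throw new CTSTokenPersistenceException(ResourceException.INTERNAL_ERROR, "Null field encountered in CTS " + "token query results: " + e.getMessage(), e);
    }
}

/**
 * Returns {@code value} unchanged, or fails with a message naming the missing field.
 *
 * @param value     field value read from the partial token
 * @param fieldName human-readable name of the field, used only in the error message
 * @throws CTSTokenPersistenceException with INTERNAL_ERROR if {@code value} is null
 */
private static <T> T requireField(T value, String fieldName) throws CTSTokenPersistenceException {
    if (value == null) {
        throw new CTSTokenPersistenceException(ResourceException.INTERNAL_ERROR, "Null field encountered in CTS " + "token query results: " + fieldName);
    }
    return value;
}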
Also used : Calendar(java.util.Calendar) CTSTokenPersistenceException(org.forgerock.openam.sts.CTSTokenPersistenceException)
