

use of org.forgerock.openam.sts.config.user.STSInstanceConfig in project OpenAM by OpenRock.

From class OpenIdConnectTokenGenerationImplTest, method testRSAOpenIdConnectTokenGeneration (RSA-signed id_token).

@Test
public void testRSAOpenIdConnectTokenGeneration() throws TokenCreationException {
    // Arrange: identity resolution. Any SSOToken presented to the generator resolves to SUBJECT_NAME.
    SSOToken ssoToken = mock(SSOToken.class);
    SSOTokenIdentity ssoTokenIdentity = mock(SSOTokenIdentity.class);
    when(ssoTokenIdentity.validateAndGetTokenPrincipal(any(SSOToken.class))).thenReturn(SUBJECT_NAME);

    // Arrange: instance state. The OIDC config is RSA-signed and the PKI provider is a real instance built from
    // that config (constructed before it is stubbed into the mock, so no Mockito stubbing is in progress).
    OpenIdConnectTokenConfig rsaTokenConfig = buildRSAOpenIdConnectTokenConfig();
    OpenIdConnectTokenPKIProviderImpl pkiProvider = new OpenIdConnectTokenPKIProviderImpl(rsaTokenConfig);
    STSInstanceConfig instanceConfig = mock(STSInstanceConfig.class);
    when(instanceConfig.getOpenIdConnectTokenConfig()).thenReturn(rsaTokenConfig);
    STSInstanceState instanceState = mock(STSInstanceState.class);
    when(instanceState.getConfig()).thenReturn(instanceConfig);
    when(instanceState.getOpenIdConnectTokenPKIProvider()).thenReturn(pkiProvider);

    // Arrange: claim mapping. For the class-level mappedClaimConfig the mapper hands back mappedClaimAttributes.
    OpenIdConnectTokenClaimMapper claimMapper = mock(OpenIdConnectTokenClaimMapper.class);
    when(claimMapper.getCustomClaims(ssoToken, mappedClaimConfig)).thenReturn(mappedClaimAttributes);
    OpenIdConnectTokenClaimMapperProvider claimMapperProvider = mock(OpenIdConnectTokenClaimMapperProvider.class);
    when(claimMapperProvider.getClaimMapper(any(OpenIdConnectTokenConfig.class))).thenReturn(claimMapper);

    // Arrange: invocation state carrying the authentication time, in seconds since the epoch.
    long authTimeSeconds = System.currentTimeMillis() / 1000;
    OpenIdConnectTokenGenerationState generationState = buildOpenIdConnectTokenGenerationState(authTimeSeconds);
    TokenGenerationServiceInvocationState invocationState = mock(TokenGenerationServiceInvocationState.class);
    when(invocationState.getOpenIdConnectTokenGenerationState()).thenReturn(generationState);

    // Act: generate the id_token. CTS persistence and logging are inert mocks.
    OpenIdConnectTokenGenerationImpl tokenGeneration = new OpenIdConnectTokenGenerationImpl(
            ssoTokenIdentity, new JwtBuilderFactory(), claimMapperProvider, mock(CTSTokenPersistence.class), mock(Logger.class));
    String oidcToken = tokenGeneration.generate(ssoToken, instanceState, invocationState);

    // Assert: the core claims round-trip and the RSA signature verifies against the configured key material.
    SignedJwt signedJwt = reconstructSignedJwt(oidcToken);
    JwtClaimsSet claims = signedJwt.getClaimsSet();
    assertEquals(SUBJECT_NAME, claims.getSubject());
    assertEquals(AUDIENCE, claims.getAudience().get(0));
    assertEquals(AUTHN_CLASS_REFERENCE, claims.getClaim("acr", String.class));
    assertEquals(ISSUER, claims.getIssuer());
    assertEquals(EMAIL_CLAIM_VALUE, claims.get(EMAIL_CLAIM_KEY).asString());
    assertTrue(verifyRSASignature(signedJwt, rsaTokenConfig));
    // NOTE(review): authTimeSeconds only feeds the generation state; nothing here asserts an auth_time, iat or exp
    // claim, nor the JWS "alg" header, so a regression in those would not be caught by this test.
}


use of org.forgerock.openam.sts.config.user.STSInstanceConfig in project OpenAM by OpenRock.

From class RestSTSInstanceConfig, static method fromJson (marshals a rest-sts instance configuration out of its json form).

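/**
 * Marshals the json representation of a rest sts instance (usually produced by this class's toJson) back into a
 * RestSTSInstanceConfig.
 *
 * @param json the json representation of an existing rest sts instance; must not be null.
 * @return the reconstituted RestSTSInstanceConfig.
 * @throws NullPointerException if json is null.
 * @throws IllegalStateException if one of the optional list-valued fields (supported/custom token transforms,
 *         custom validators, custom providers) is present but is not a json list.
 */
public static RestSTSInstanceConfig fromJson(JsonValue json) {
    if (json == null) {
        throw new NullPointerException("JsonValue cannot be null!");
    }
    // The base class marshals the saml2/oidc/CTS-persistence settings; only the rest-specific fields are read here.
    STSInstanceConfig baseConfig = STSInstanceConfig.fromJson(json);
    RestSTSInstanceConfigBuilderBase<?> builder = RestSTSInstanceConfig.builder()
            .saml2Config(baseConfig.getSaml2Config())
            .oidcIdTokenConfig(baseConfig.getOpenIdConnectTokenConfig())
            .persistIssuedTokensInCTS(baseConfig.persistIssuedTokensInCTS())
            .deploymentConfig(DeploymentConfig.fromJson(json.get(DEPLOYMENT_CONFIG)));

    // Each list-valued field is optional: when absent (json null) the builder's default is left untouched, and an
    // explicitly empty list is still passed through to the builder.
    JsonValue supportedTransforms = json.get(SUPPORTED_TOKEN_TRANSFORMS);
    if (!supportedTransforms.isNull()) {
        builder.setSupportedTokenTransforms(
                tokenTransformsFromJson(requireList(supportedTransforms, SUPPORTED_TOKEN_TRANSFORMS)));
    }
    JsonValue customTransforms = json.get(CUSTOM_TOKEN_TRANSFORMS);
    if (!customTransforms.isNull()) {
        builder.setCustomTokenTransforms(
                tokenTransformsFromJson(requireList(customTransforms, CUSTOM_TOKEN_TRANSFORMS)));
    }
    JsonValue customValidators = json.get(CUSTOM_TOKEN_VALIDATORS);
    if (!customValidators.isNull()) {
        builder.setCustomValidators(
                customOperationsFromJson(requireList(customValidators, CUSTOM_TOKEN_VALIDATORS)));
    }
    JsonValue customProviders = json.get(CUSTOM_TOKEN_PROVIDERS);
    if (!customProviders.isNull()) {
        builder.setCustomProviders(
                customOperationsFromJson(requireList(customProviders, CUSTOM_TOKEN_PROVIDERS)));
    }
    return builder.build();
}

/**
 * Ensures a present field holds a json list, returning it for chaining.
 * The raw json (toString) rather than asString() goes into the message: asString() throws a JsonValueException
 * for non-string values (e.g. a map or number), which would replace the IllegalStateException this class documents
 * and drop the field name from the error.
 *
 * @throws IllegalStateException if the field is not a json list.
 */
private static JsonValue requireList(JsonValue field, String fieldName) {
    if (!field.isList()) {
        throw new IllegalStateException("Unexpected value for the " + fieldName + " field: " + field.toString());
    }
    return field;
}

/** Marshals each element of a json list into a TokenTransformConfig, preserving list order. */
private static List<TokenTransformConfig> tokenTransformsFromJson(JsonValue list) {
    List<TokenTransformConfig> transforms = new ArrayList<>();
    for (Object element : list.asList()) {
        transforms.add(TokenTransformConfig.fromJson(new JsonValue(element)));
    }
    return transforms;
}

/** Marshals each element of a json list into a CustomTokenOperation, preserving list order. */
private static List<CustomTokenOperation> customOperationsFromJson(JsonValue list) {
    List<CustomTokenOperation> operations = new ArrayList<>();
    for (Object element : list.asList()) {
        operations.add(CustomTokenOperation.fromJson(new JsonValue(element)));
    }
    return operations;
}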


use of org.forgerock.openam.sts.config.user.STSInstanceConfig in project OpenAM by OpenRock.

From class SoapSTSInstanceConfig, static method fromJson (marshals a soap-sts instance configuration out of its json form).

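/**
 * Marshals the json representation of a soap sts instance (usually emitted by the toJson method of this class)
 * back into a SoapSTSInstanceConfig.
 *
 * @param json the json representation of an existing soap sts instance. Cannot be null.
 * @return a SoapSTSInstanceConfig instance if the json could be successfully marshaled.
 * @throws NullPointerException if json is null.
 * @throws IllegalStateException if the json is mal-formed, in particular if the security-policy validated token
 *         configuration is present but is not a json list.
 */
public static SoapSTSInstanceConfig fromJson(JsonValue json) {
    if (json == null) {
        throw new NullPointerException("JsonValue cannot be null!");
    }
    // The base class marshals the saml2/oidc/CTS-persistence settings; only the soap-specific fields are read here.
    STSInstanceConfig baseConfig = STSInstanceConfig.fromJson(json);
    SoapSTSInstanceConfigBuilderBase<?> builder = SoapSTSInstanceConfig.builder()
            .saml2Config(baseConfig.getSaml2Config())
            .oidcIdTokenConfig(baseConfig.getOpenIdConnectTokenConfig())
            .persistIssuedTokensInCTS(baseConfig.persistIssuedTokensInCTS())
            .deploymentConfig(SoapDeploymentConfig.fromJson(json.get(DEPLOYMENT_CONFIG)));

    // Optional: the set of token types validated by the SecurityPolicy bindings. Absent leaves the builder default;
    // a HashSet drops duplicate entries.
    JsonValue validatedTokenConfiguration = json.get(SECURITY_POLICY_VALIDATED_TOKEN_CONFIG);
    if (!validatedTokenConfiguration.isNull()) {
        requireList(validatedTokenConfiguration, SECURITY_POLICY_VALIDATED_TOKEN_CONFIG);
        Set<TokenValidationConfig> validationConfigs = new HashSet<>();
        for (Object element : validatedTokenConfiguration.asList()) {
            validationConfigs.add(TokenValidationConfig.fromJson(new JsonValue(element)));
        }
        builder.setSecurityPolicyValidatedTokenConfiguration(validationConfigs);
    }

    // The keystore config is always marshaled (its own fromJson decides how an absent value is treated),
    // whereas the delegation config is only marshaled when present.
    builder.soapSTSKeystoreConfig(SoapSTSKeystoreConfig.fromJson(json.get(SOAP_KEYSTORE_CONFIG)));
    if (!json.get(ISSUE_TOKEN_TYPES).isNull()) {
        for (Object element : json.get(ISSUE_TOKEN_TYPES).asCollection()) {
            // Enum.valueOf throws IllegalArgumentException (not IllegalStateException) for an unknown token type.
            builder.addIssueTokenType(TokenType.valueOf(element.toString()));
        }
    }
    // Boolean.valueOf(null) is false, so an absent or null field leaves delegation unsupported (the safe default).
    builder.delegationRelationshipsSupported(Boolean.valueOf(json.get(DELEGATION_RELATIONSHIP_SUPPORTED).asString()));
    if (!json.get(SOAP_DELEGATION_CONFIG).isNull()) {
        builder.soapDelegationConfig(SoapDelegationConfig.fromJson(json.get(SOAP_DELEGATION_CONFIG)));
    }
    return builder.build();
}

/**
 * Ensures a present field holds a json list.
 * The raw json (toString) rather than asString() goes into the message: asString() throws a JsonValueException
 * for non-string values (e.g. a map or number), which would replace the IllegalStateException this method's
 * contract documents and drop the field name from the error.
 *
 * @throws IllegalStateException if the field is not a json list.
 */
private static void requireList(JsonValue field, String fieldName) {
    if (!field.isList()) {
        throw new IllegalStateException("Unexpected value for the " + fieldName + " field: " + field.toString());
    }
}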


use of org.forgerock.openam.sts.config.user.STSInstanceConfig in project OpenAM by OpenRock.

From class OpenIdConnectTokenGenerationImplTest, method testHMACOpenIdConnectTokenGeneration (HMAC-signed id_token).

@Test
public void testHMACOpenIdConnectTokenGeneration() throws TokenCreationException {
    // Arrange: identity resolution. Any SSOToken presented to the generator resolves to SUBJECT_NAME.
    SSOToken ssoToken = mock(SSOToken.class);
    SSOTokenIdentity ssoTokenIdentity = mock(SSOTokenIdentity.class);
    when(ssoTokenIdentity.validateAndGetTokenPrincipal(any(SSOToken.class))).thenReturn(SUBJECT_NAME);

    // Arrange: instance state. The OIDC config is HMAC-signed; unlike the RSA variant no PKI provider is stubbed.
    OpenIdConnectTokenConfig hmacTokenConfig = buildHMACOpenIdConnectTokenConfig();
    STSInstanceConfig instanceConfig = mock(STSInstanceConfig.class);
    when(instanceConfig.getOpenIdConnectTokenConfig()).thenReturn(hmacTokenConfig);
    STSInstanceState instanceState = mock(STSInstanceState.class);
    when(instanceState.getConfig()).thenReturn(instanceConfig);

    // Arrange: claim mapping. For the class-level mappedClaimConfig the mapper hands back mappedClaimAttributes.
    OpenIdConnectTokenClaimMapper claimMapper = mock(OpenIdConnectTokenClaimMapper.class);
    when(claimMapper.getCustomClaims(ssoToken, mappedClaimConfig)).thenReturn(mappedClaimAttributes);
    OpenIdConnectTokenClaimMapperProvider claimMapperProvider = mock(OpenIdConnectTokenClaimMapperProvider.class);
    when(claimMapperProvider.getClaimMapper(any(OpenIdConnectTokenConfig.class))).thenReturn(claimMapper);

    // Arrange: invocation state carrying the authentication time, in seconds since the epoch.
    long authTimeSeconds = System.currentTimeMillis() / 1000;
    OpenIdConnectTokenGenerationState generationState = buildOpenIdConnectTokenGenerationState(authTimeSeconds);
    TokenGenerationServiceInvocationState invocationState = mock(TokenGenerationServiceInvocationState.class);
    when(invocationState.getOpenIdConnectTokenGenerationState()).thenReturn(generationState);

    // Act: generate the id_token. CTS persistence and logging are inert mocks.
    OpenIdConnectTokenGenerationImpl tokenGeneration = new OpenIdConnectTokenGenerationImpl(
            ssoTokenIdentity, new JwtBuilderFactory(), claimMapperProvider, mock(CTSTokenPersistence.class), mock(Logger.class));
    String oidcToken = tokenGeneration.generate(ssoToken, instanceState, invocationState);

    // Assert: the core claims round-trip and the HMAC verifies (the shared secret comes from the test helper,
    // not from the config passed here — presumably the same secret buildHMACOpenIdConnectTokenConfig uses).
    SignedJwt signedJwt = reconstructSignedJwt(oidcToken);
    JwtClaimsSet claims = signedJwt.getClaimsSet();
    assertEquals(SUBJECT_NAME, claims.getSubject());
    assertEquals(AUDIENCE, claims.getAudience().get(0));
    assertEquals(AUTHN_CLASS_REFERENCE, claims.getClaim("acr", String.class));
    assertEquals(ISSUER, claims.getIssuer());
    assertEquals(EMAIL_CLAIM_VALUE, claims.get(EMAIL_CLAIM_KEY).asString());
    assertTrue(verifyHMACSignature(signedJwt));
    // NOTE(review): authTimeSeconds only feeds the generation state; nothing here asserts an auth_time, iat or exp
    // claim, nor the JWS "alg" header, so a regression in those would not be caught by this test.
}
