Example 1 with STSInstanceConfig
use of org.forgerock.openam.sts.config.user.STSInstanceConfig in project OpenAM by OpenRock.
the class OpenIdConnectTokenGenerationImplTest method testRSAOpenIdConnectTokenGeneration.
@Test
public void testRSAOpenIdConnectTokenGeneration() throws TokenCreationException {
SSOTokenIdentity mockSSOTokenIdentity = mock(SSOTokenIdentity.class);
when(mockSSOTokenIdentity.validateAndGetTokenPrincipal(any(SSOToken.class))).thenReturn(SUBJECT_NAME);
SSOToken mockSSOToken = mock(SSOToken.class);
STSInstanceState mockSTSInstanceState = mock(STSInstanceState.class);
STSInstanceConfig mockSTSInstanceConfig = mock(STSInstanceConfig.class);
when(mockSTSInstanceState.getConfig()).thenReturn(mockSTSInstanceConfig);
OpenIdConnectTokenConfig openIdConnectTokenConfig = buildRSAOpenIdConnectTokenConfig();
when(mockSTSInstanceConfig.getOpenIdConnectTokenConfig()).thenReturn(openIdConnectTokenConfig);
OpenIdConnectTokenPKIProviderImpl tokenCryptoProvider = new OpenIdConnectTokenPKIProviderImpl(openIdConnectTokenConfig);
when(mockSTSInstanceState.getOpenIdConnectTokenPKIProvider()).thenReturn(tokenCryptoProvider);
TokenGenerationServiceInvocationState mockTokenGenerationInvocationState = mock(TokenGenerationServiceInvocationState.class);
OpenIdConnectTokenClaimMapperProvider mockClaimMapperProvider = mock(OpenIdConnectTokenClaimMapperProvider.class);
OpenIdConnectTokenClaimMapper mockClaimMapper = mock(OpenIdConnectTokenClaimMapper.class);
when(mockClaimMapperProvider.getClaimMapper(any(OpenIdConnectTokenConfig.class))).thenReturn(mockClaimMapper);
when(mockClaimMapper.getCustomClaims(mockSSOToken, mappedClaimConfig)).thenReturn(mappedClaimAttributes);
long authTime = System.currentTimeMillis() / 1000;
OpenIdConnectTokenGenerationState openIdConnectTokenGenerationState = buildOpenIdConnectTokenGenerationState(authTime);
when(mockTokenGenerationInvocationState.getOpenIdConnectTokenGenerationState()).thenReturn(openIdConnectTokenGenerationState);
String oidcToken = new OpenIdConnectTokenGenerationImpl(mockSSOTokenIdentity, new JwtBuilderFactory(), mockClaimMapperProvider, mock(CTSTokenPersistence.class), mock(Logger.class)).generate(mockSSOToken, mockSTSInstanceState, mockTokenGenerationInvocationState);
SignedJwt signedJwt = reconstructSignedJwt(oidcToken);
JwtClaimsSet jwtClaimsSet = signedJwt.getClaimsSet();
assertEquals(SUBJECT_NAME, jwtClaimsSet.getSubject());
assertEquals(AUDIENCE, jwtClaimsSet.getAudience().get(0));
assertEquals(AUTHN_CLASS_REFERENCE, jwtClaimsSet.getClaim("acr", String.class));
assertEquals(ISSUER, jwtClaimsSet.getIssuer());
assertEquals(EMAIL_CLAIM_VALUE, jwtClaimsSet.get(EMAIL_CLAIM_KEY).asString());
assertTrue(verifyRSASignature(signedJwt, openIdConnectTokenConfig));
}
Also used :
JwtBuilderFactory(org.forgerock.json.jose.builders.JwtBuilderFactory)
SSOToken(com.iplanet.sso.SSOToken)
STSInstanceState(org.forgerock.openam.sts.tokengeneration.state.STSInstanceState)
SignedJwt(org.forgerock.json.jose.jws.SignedJwt)
OpenIdConnectTokenConfig(org.forgerock.openam.sts.config.user.OpenIdConnectTokenConfig)
TokenGenerationServiceInvocationState(org.forgerock.openam.sts.service.invocation.TokenGenerationServiceInvocationState)
JwtClaimsSet(org.forgerock.json.jose.jwt.JwtClaimsSet)
SSOTokenIdentity(org.forgerock.openam.sts.tokengeneration.SSOTokenIdentity)
OpenIdConnectTokenPKIProviderImpl(org.forgerock.openam.sts.tokengeneration.oidc.crypto.OpenIdConnectTokenPKIProviderImpl)
OpenIdConnectTokenGenerationState(org.forgerock.openam.sts.service.invocation.OpenIdConnectTokenGenerationState)
STSInstanceConfig(org.forgerock.openam.sts.config.user.STSInstanceConfig)
Test(org.testng.annotations.Test)
Example 2 with STSInstanceConfig
use of org.forgerock.openam.sts.config.user.STSInstanceConfig in project OpenAM by OpenRock.
the class RestSTSInstanceConfig method fromJson.
public static RestSTSInstanceConfig fromJson(JsonValue json) {
if (json == null) {
throw new NullPointerException("JsonValue cannot be null!");
}
STSInstanceConfig baseConfig = STSInstanceConfig.fromJson(json);
RestSTSInstanceConfigBuilderBase<?> builder = RestSTSInstanceConfig.builder().saml2Config(baseConfig.getSaml2Config()).oidcIdTokenConfig(baseConfig.getOpenIdConnectTokenConfig()).persistIssuedTokensInCTS(baseConfig.persistIssuedTokensInCTS()).deploymentConfig(DeploymentConfig.fromJson(json.get(DEPLOYMENT_CONFIG)));
JsonValue supportedTranslations = json.get(SUPPORTED_TOKEN_TRANSFORMS);
if (!supportedTranslations.isNull()) {
if (!supportedTranslations.isList()) {
throw new IllegalStateException("Unexpected value for the " + SUPPORTED_TOKEN_TRANSFORMS + " field: " + supportedTranslations.asString());
}
List<TokenTransformConfig> transformConfigList = new ArrayList<>();
for (Object translation : supportedTranslations.asList()) {
transformConfigList.add(TokenTransformConfig.fromJson(new JsonValue(translation)));
}
builder.setSupportedTokenTransforms(transformConfigList);
}
JsonValue customTranslations = json.get(CUSTOM_TOKEN_TRANSFORMS);
if (!customTranslations.isNull()) {
if (!customTranslations.isList()) {
throw new IllegalStateException("Unexpected value for the " + CUSTOM_TOKEN_TRANSFORMS + " field: " + customTranslations.asString());
}
List<TokenTransformConfig> transformConfigList = new ArrayList<>();
for (Object translation : customTranslations.asList()) {
transformConfigList.add(TokenTransformConfig.fromJson(new JsonValue(translation)));
}
builder.setCustomTokenTransforms(transformConfigList);
}
JsonValue customValidators = json.get(CUSTOM_TOKEN_VALIDATORS);
if (!customValidators.isNull()) {
if (!customValidators.isList()) {
throw new IllegalStateException("Unexpected value for the " + CUSTOM_TOKEN_VALIDATORS + " field: " + customValidators.asString());
}
List<CustomTokenOperation> customValidatorsList = new ArrayList<>();
for (Object translation : customValidators.asList()) {
customValidatorsList.add(CustomTokenOperation.fromJson(new JsonValue(translation)));
}
builder.setCustomValidators(customValidatorsList);
}
JsonValue customProviders = json.get(CUSTOM_TOKEN_PROVIDERS);
if (!customProviders.isNull()) {
if (!customProviders.isList()) {
throw new IllegalStateException("Unexpected value for the " + CUSTOM_TOKEN_PROVIDERS + " field: " + customProviders.asString());
}
List<CustomTokenOperation> customProvidersList = new ArrayList<>();
for (Object translation : customProviders.asList()) {
customProvidersList.add(CustomTokenOperation.fromJson(new JsonValue(translation)));
}
builder.setCustomProviders(customProvidersList);
}
return builder.build();
}
Also used :
JsonValue(org.forgerock.json.JsonValue)
CustomTokenOperation(org.forgerock.openam.sts.config.user.CustomTokenOperation)
STSInstanceConfig(org.forgerock.openam.sts.config.user.STSInstanceConfig)
Example 3 with STSInstanceConfig
use of org.forgerock.openam.sts.config.user.STSInstanceConfig in project OpenAM by OpenRock.
the class SoapSTSInstanceConfig method fromJson.
/**
* @param json the json representation of an existing soap sts instance, usually emitted by the toJson method of this class.
* The JsonValue parameter cannot be null, or a NullPointerException will be thrown.
* @return Returns a SoapSTSInstanceConfig instance if the json could be successfully marshaled. A NullPointerException
* is thrown if the json is null, and an IllegalStateException is thrown if the json is mal-formed.
*/
public static SoapSTSInstanceConfig fromJson(JsonValue json) {
if (json == null) {
throw new NullPointerException("JsonValue cannot be null!");
}
STSInstanceConfig baseConfig = STSInstanceConfig.fromJson(json);
SoapSTSInstanceConfigBuilderBase<?> builder = SoapSTSInstanceConfig.builder().saml2Config(baseConfig.getSaml2Config()).oidcIdTokenConfig(baseConfig.getOpenIdConnectTokenConfig()).persistIssuedTokensInCTS(baseConfig.persistIssuedTokensInCTS()).deploymentConfig(SoapDeploymentConfig.fromJson(json.get(DEPLOYMENT_CONFIG)));
JsonValue validatedTokenConfiguration = json.get(SECURITY_POLICY_VALIDATED_TOKEN_CONFIG);
if (!validatedTokenConfiguration.isNull()) {
if (!validatedTokenConfiguration.isList()) {
throw new IllegalStateException("Unexpected value for the " + SECURITY_POLICY_VALIDATED_TOKEN_CONFIG + " field: " + validatedTokenConfiguration.asString());
}
Set<TokenValidationConfig> validationConfigs = new HashSet<>();
for (Object obj : validatedTokenConfiguration.asList()) {
validationConfigs.add(TokenValidationConfig.fromJson(new JsonValue(obj)));
}
builder.setSecurityPolicyValidatedTokenConfiguration(validationConfigs);
}
builder.soapSTSKeystoreConfig(SoapSTSKeystoreConfig.fromJson(json.get(SOAP_KEYSTORE_CONFIG)));
if (!json.get(ISSUE_TOKEN_TYPES).isNull()) {
for (Object obj : json.get(ISSUE_TOKEN_TYPES).asCollection()) {
builder.addIssueTokenType(TokenType.valueOf(obj.toString()));
}
}
builder.delegationRelationshipsSupported(Boolean.valueOf(json.get(DELEGATION_RELATIONSHIP_SUPPORTED).asString()));
if (!json.get(SOAP_DELEGATION_CONFIG).isNull()) {
builder.soapDelegationConfig(SoapDelegationConfig.fromJson(json.get(SOAP_DELEGATION_CONFIG)));
}
return builder.build();
}
Also used :
JsonValue(org.forgerock.json.JsonValue)
STSInstanceConfig(org.forgerock.openam.sts.config.user.STSInstanceConfig)
HashSet(java.util.HashSet)
Example 4 with STSInstanceConfig
use of org.forgerock.openam.sts.config.user.STSInstanceConfig in project OpenAM by OpenRock.
the class OpenIdConnectTokenGenerationImplTest method testHMACOpenIdConnectTokenGeneration.
@Test
public void testHMACOpenIdConnectTokenGeneration() throws TokenCreationException {
SSOTokenIdentity mockSSOTokenIdentity = mock(SSOTokenIdentity.class);
when(mockSSOTokenIdentity.validateAndGetTokenPrincipal(any(SSOToken.class))).thenReturn(SUBJECT_NAME);
SSOToken mockSSOToken = mock(SSOToken.class);
STSInstanceState mockSTSInstanceState = mock(STSInstanceState.class);
STSInstanceConfig mockSTSInstanceConfig = mock(STSInstanceConfig.class);
when(mockSTSInstanceState.getConfig()).thenReturn(mockSTSInstanceConfig);
OpenIdConnectTokenConfig openIdConnectTokenConfig = buildHMACOpenIdConnectTokenConfig();
when(mockSTSInstanceConfig.getOpenIdConnectTokenConfig()).thenReturn(openIdConnectTokenConfig);
TokenGenerationServiceInvocationState mockTokenGenerationInvocationState = mock(TokenGenerationServiceInvocationState.class);
OpenIdConnectTokenClaimMapperProvider mockClaimMapperProvider = mock(OpenIdConnectTokenClaimMapperProvider.class);
OpenIdConnectTokenClaimMapper mockClaimMapper = mock(OpenIdConnectTokenClaimMapper.class);
when(mockClaimMapperProvider.getClaimMapper(any(OpenIdConnectTokenConfig.class))).thenReturn(mockClaimMapper);
when(mockClaimMapper.getCustomClaims(mockSSOToken, mappedClaimConfig)).thenReturn(mappedClaimAttributes);
long authTime = System.currentTimeMillis() / 1000;
OpenIdConnectTokenGenerationState openIdConnectTokenGenerationState = buildOpenIdConnectTokenGenerationState(authTime);
when(mockTokenGenerationInvocationState.getOpenIdConnectTokenGenerationState()).thenReturn(openIdConnectTokenGenerationState);
String oidcToken = new OpenIdConnectTokenGenerationImpl(mockSSOTokenIdentity, new JwtBuilderFactory(), mockClaimMapperProvider, mock(CTSTokenPersistence.class), mock(Logger.class)).generate(mockSSOToken, mockSTSInstanceState, mockTokenGenerationInvocationState);
SignedJwt signedJwt = reconstructSignedJwt(oidcToken);
JwtClaimsSet jwtClaimsSet = signedJwt.getClaimsSet();
assertEquals(SUBJECT_NAME, jwtClaimsSet.getSubject());
assertEquals(AUDIENCE, jwtClaimsSet.getAudience().get(0));
assertEquals(AUTHN_CLASS_REFERENCE, jwtClaimsSet.getClaim("acr", String.class));
assertEquals(ISSUER, jwtClaimsSet.getIssuer());
assertEquals(EMAIL_CLAIM_VALUE, jwtClaimsSet.get(EMAIL_CLAIM_KEY).asString());
assertTrue(verifyHMACSignature(signedJwt));
}
Also used :
JwtBuilderFactory(org.forgerock.json.jose.builders.JwtBuilderFactory)
SSOToken(com.iplanet.sso.SSOToken)
STSInstanceState(org.forgerock.openam.sts.tokengeneration.state.STSInstanceState)
SignedJwt(org.forgerock.json.jose.jws.SignedJwt)
OpenIdConnectTokenConfig(org.forgerock.openam.sts.config.user.OpenIdConnectTokenConfig)
TokenGenerationServiceInvocationState(org.forgerock.openam.sts.service.invocation.TokenGenerationServiceInvocationState)
JwtClaimsSet(org.forgerock.json.jose.jwt.JwtClaimsSet)
SSOTokenIdentity(org.forgerock.openam.sts.tokengeneration.SSOTokenIdentity)
OpenIdConnectTokenGenerationState(org.forgerock.openam.sts.service.invocation.OpenIdConnectTokenGenerationState)
STSInstanceConfig(org.forgerock.openam.sts.config.user.STSInstanceConfig)
Test(org.testng.annotations.Test)
Aggregations
STSInstanceConfig (org.forgerock.openam.sts.config.user.STSInstanceConfig)4
SSOToken (com.iplanet.sso.SSOToken)2
JsonValue (org.forgerock.json.JsonValue)2
JwtBuilderFactory (org.forgerock.json.jose.builders.JwtBuilderFactory)2
SignedJwt (org.forgerock.json.jose.jws.SignedJwt)2
JwtClaimsSet (org.forgerock.json.jose.jwt.JwtClaimsSet)2
OpenIdConnectTokenConfig (org.forgerock.openam.sts.config.user.OpenIdConnectTokenConfig)2
OpenIdConnectTokenGenerationState (org.forgerock.openam.sts.service.invocation.OpenIdConnectTokenGenerationState)2
TokenGenerationServiceInvocationState (org.forgerock.openam.sts.service.invocation.TokenGenerationServiceInvocationState)2
SSOTokenIdentity (org.forgerock.openam.sts.tokengeneration.SSOTokenIdentity)2
STSInstanceState (org.forgerock.openam.sts.tokengeneration.state.STSInstanceState)2
Test (org.testng.annotations.Test)2
HashSet (java.util.HashSet)1
CustomTokenOperation (org.forgerock.openam.sts.config.user.CustomTokenOperation)1
OpenIdConnectTokenPKIProviderImpl (org.forgerock.openam.sts.tokengeneration.oidc.crypto.OpenIdConnectTokenPKIProviderImpl)1
