Example 1 with TokenGenerationServiceInvocationState

use of org.forgerock.openam.sts.service.invocation.TokenGenerationServiceInvocationState in project OpenAM by OpenRock.

The class TokenGenerationService, method createInstance.

@Override
public Promise<ResourceResponse, ResourceException> createInstance(Context context, CreateRequest request) {
    // 1. Marshal the JSON request body. A malformed body is a 400; note that the parser's
    //    message (e.getMessage()) is echoed back to the caller in the response.
    TokenGenerationServiceInvocationState invocationState;
    try {
        invocationState = TokenGenerationServiceInvocationState.fromJson(request.getContent());
    } catch (Exception e) {
        logger.error("Exception caught marshalling json into TokenGenerationServiceInvocationState instance: " + e);
        return new BadRequestException(e.getMessage(), e).asPromise();
    }
    // 2. The subject's session must be valid before any token is minted: no valid SSOToken, no token (403).
    SSOToken subjectToken;
    try {
        subjectToken = validateAssertionSubjectSession(invocationState);
    } catch (ForbiddenException e) {
        return e.asPromise();
    }
    // 3. Resolve the published STS instance named in the request; its state carries the token
    //    configuration and the key material used to sign the issued token.
    STSInstanceState stsInstanceState;
    try {
        stsInstanceState = getSTSInstanceState(invocationState);
    } catch (ResourceException e) {
        return e.asPromise();
    }
    // 4. Dispatch on the requested token type. TokenCreationException is a ResourceException and
    //    so carries its own status code; any other failure becomes a 500 whose message is e.toString().
    if (TokenType.SAML2.equals(invocationState.getTokenType())) {
        try {
            final String assertion = saml2TokenGeneration.generate(subjectToken, stsInstanceState, invocationState);
            return newResultPromise(issuedTokenResource(assertion));
        } catch (TokenCreationException e) {
            logger.error("Exception caught generating saml2 token: " + e, e);
            return e.asPromise();
        } catch (Exception e) {
            logger.error("Exception caught generating saml2 token: " + e, e);
            return new InternalServerErrorException(e.toString(), e).asPromise();
        }
    } else if (TokenType.OPENIDCONNECT.equals(invocationState.getTokenType())) {
        try {
            final String assertion = openIdConnectTokenGeneration.generate(subjectToken, stsInstanceState, invocationState);
            return newResultPromise(issuedTokenResource(assertion));
        } catch (TokenCreationException e) {
            logger.error("Exception caught generating OpenIdConnect token: " + e, e);
            return e.asPromise();
        } catch (Exception e) {
            logger.error("Exception caught generating OpenIdConnect token: " + e, e);
            return new InternalServerErrorException(e.toString(), e).asPromise();
        }
    } else {
        // Any token type other than SAML2 or OPENIDCONNECT is rejected as a bad request.
        String message = "Bad request: unexpected token type:" + invocationState.getTokenType();
        logger.error(message);
        return new BadRequestException(message).asPromise();
    }
}
Also used : TokenGenerationServiceInvocationState(org.forgerock.openam.sts.service.invocation.TokenGenerationServiceInvocationState) ForbiddenException(org.forgerock.json.resource.ForbiddenException) SSOToken(com.iplanet.sso.SSOToken) BadRequestException(org.forgerock.json.resource.BadRequestException) InternalServerErrorException(org.forgerock.json.resource.InternalServerErrorException) ResourceException(org.forgerock.json.resource.ResourceException) RestSTSInstanceState(org.forgerock.openam.sts.tokengeneration.state.RestSTSInstanceState) SoapSTSInstanceState(org.forgerock.openam.sts.tokengeneration.state.SoapSTSInstanceState) STSInstanceState(org.forgerock.openam.sts.tokengeneration.state.STSInstanceState) TokenCreationException(org.forgerock.openam.sts.TokenCreationException) CTSTokenPersistenceException(org.forgerock.openam.sts.CTSTokenPersistenceException) InternalServerErrorException(org.forgerock.json.resource.InternalServerErrorException) ForbiddenException(org.forgerock.json.resource.ForbiddenException) SSOException(com.iplanet.sso.SSOException) NotFoundException(org.forgerock.json.resource.NotFoundException) BadRequestException(org.forgerock.json.resource.BadRequestException) IdRepoException(com.sun.identity.idm.IdRepoException) TokenCreationException(org.forgerock.openam.sts.TokenCreationException) ResourceException(org.forgerock.json.resource.ResourceException) STSPublishException(org.forgerock.openam.sts.STSPublishException)

Example 2 with TokenGenerationServiceInvocationState

use of org.forgerock.openam.sts.service.invocation.TokenGenerationServiceInvocationState in project OpenAM by OpenRock.

The class OpenIdConnectTokenGenerationImplTest, method testRSAOpenIdConnectTokenGeneration.

@Test
public void testRSAOpenIdConnectTokenGeneration() throws TokenCreationException {
    // Stub session validation so the subject principal is SUBJECT_NAME (a test-class constant,
    // like AUDIENCE, ISSUER, AUTHN_CLASS_REFERENCE, EMAIL_CLAIM_KEY/VALUE, mappedClaimConfig and mappedClaimAttributes).
    SSOTokenIdentity mockSSOTokenIdentity = mock(SSOTokenIdentity.class);
    when(mockSSOTokenIdentity.validateAndGetTokenPrincipal(any(SSOToken.class))).thenReturn(SUBJECT_NAME);
    SSOToken mockSSOToken = mock(SSOToken.class);
    STSInstanceState mockSTSInstanceState = mock(STSInstanceState.class);
    STSInstanceConfig mockSTSInstanceConfig = mock(STSInstanceConfig.class);
    when(mockSTSInstanceState.getConfig()).thenReturn(mockSTSInstanceConfig);
    // RSA-signed configuration: the PKI provider is built from the real config so the token is signed with the test keystore key.
    OpenIdConnectTokenConfig openIdConnectTokenConfig = buildRSAOpenIdConnectTokenConfig();
    when(mockSTSInstanceConfig.getOpenIdConnectTokenConfig()).thenReturn(openIdConnectTokenConfig);
    OpenIdConnectTokenPKIProviderImpl tokenCryptoProvider = new OpenIdConnectTokenPKIProviderImpl(openIdConnectTokenConfig);
    when(mockSTSInstanceState.getOpenIdConnectTokenPKIProvider()).thenReturn(tokenCryptoProvider);
    TokenGenerationServiceInvocationState mockTokenGenerationInvocationState = mock(TokenGenerationServiceInvocationState.class);
    // Custom claim mapping (e.g. the email claim) is stubbed to return the expected mapped attributes.
    OpenIdConnectTokenClaimMapperProvider mockClaimMapperProvider = mock(OpenIdConnectTokenClaimMapperProvider.class);
    OpenIdConnectTokenClaimMapper mockClaimMapper = mock(OpenIdConnectTokenClaimMapper.class);
    when(mockClaimMapperProvider.getClaimMapper(any(OpenIdConnectTokenConfig.class))).thenReturn(mockClaimMapper);
    when(mockClaimMapper.getCustomClaims(mockSSOToken, mappedClaimConfig)).thenReturn(mappedClaimAttributes);
    long authTime = System.currentTimeMillis() / 1000;
    OpenIdConnectTokenGenerationState openIdConnectTokenGenerationState = buildOpenIdConnectTokenGenerationState(authTime);
    when(mockTokenGenerationInvocationState.getOpenIdConnectTokenGenerationState()).thenReturn(openIdConnectTokenGenerationState);
    String oidcToken = new OpenIdConnectTokenGenerationImpl(mockSSOTokenIdentity, new JwtBuilderFactory(), mockClaimMapperProvider, mock(CTSTokenPersistence.class), mock(Logger.class)).generate(mockSSOToken, mockSTSInstanceState, mockTokenGenerationInvocationState);
    // Parse the compact JWT back and check the standard claims, the mapped claim and the RSA signature.
    SignedJwt signedJwt = reconstructSignedJwt(oidcToken);
    JwtClaimsSet jwtClaimsSet = signedJwt.getClaimsSet();
    assertEquals(SUBJECT_NAME, jwtClaimsSet.getSubject());
    assertEquals(AUDIENCE, jwtClaimsSet.getAudience().get(0));
    assertEquals(AUTHN_CLASS_REFERENCE, jwtClaimsSet.getClaim("acr", String.class));
    assertEquals(ISSUER, jwtClaimsSet.getIssuer());
    assertEquals(EMAIL_CLAIM_VALUE, jwtClaimsSet.get(EMAIL_CLAIM_KEY).asString());
    assertTrue(verifyRSASignature(signedJwt, openIdConnectTokenConfig));
}
Also used : JwtBuilderFactory(org.forgerock.json.jose.builders.JwtBuilderFactory) SSOToken(com.iplanet.sso.SSOToken) STSInstanceState(org.forgerock.openam.sts.tokengeneration.state.STSInstanceState) SignedJwt(org.forgerock.json.jose.jws.SignedJwt) OpenIdConnectTokenConfig(org.forgerock.openam.sts.config.user.OpenIdConnectTokenConfig) TokenGenerationServiceInvocationState(org.forgerock.openam.sts.service.invocation.TokenGenerationServiceInvocationState) JwtClaimsSet(org.forgerock.json.jose.jwt.JwtClaimsSet) SSOTokenIdentity(org.forgerock.openam.sts.tokengeneration.SSOTokenIdentity) OpenIdConnectTokenPKIProviderImpl(org.forgerock.openam.sts.tokengeneration.oidc.crypto.OpenIdConnectTokenPKIProviderImpl) OpenIdConnectTokenGenerationState(org.forgerock.openam.sts.service.invocation.OpenIdConnectTokenGenerationState) STSInstanceConfig(org.forgerock.openam.sts.config.user.STSInstanceConfig) Test(org.testng.annotations.Test)

Example 3 with TokenGenerationServiceInvocationState

use of org.forgerock.openam.sts.service.invocation.TokenGenerationServiceInvocationState in project OpenAM by OpenRock.

The class OpenIdConnectTokenGenerationImplTest, method testHMACOpenIdConnectTokenGeneration.

@Test
public void testHMACOpenIdConnectTokenGeneration() throws TokenCreationException {
    // Same setup as the RSA test, but with an HMAC (shared-secret) token configuration, so no PKI provider is needed.
    SSOTokenIdentity mockSSOTokenIdentity = mock(SSOTokenIdentity.class);
    when(mockSSOTokenIdentity.validateAndGetTokenPrincipal(any(SSOToken.class))).thenReturn(SUBJECT_NAME);
    SSOToken mockSSOToken = mock(SSOToken.class);
    STSInstanceState mockSTSInstanceState = mock(STSInstanceState.class);
    STSInstanceConfig mockSTSInstanceConfig = mock(STSInstanceConfig.class);
    when(mockSTSInstanceState.getConfig()).thenReturn(mockSTSInstanceConfig);
    OpenIdConnectTokenConfig openIdConnectTokenConfig = buildHMACOpenIdConnectTokenConfig();
    when(mockSTSInstanceConfig.getOpenIdConnectTokenConfig()).thenReturn(openIdConnectTokenConfig);
    TokenGenerationServiceInvocationState mockTokenGenerationInvocationState = mock(TokenGenerationServiceInvocationState.class);
    OpenIdConnectTokenClaimMapperProvider mockClaimMapperProvider = mock(OpenIdConnectTokenClaimMapperProvider.class);
    OpenIdConnectTokenClaimMapper mockClaimMapper = mock(OpenIdConnectTokenClaimMapper.class);
    when(mockClaimMapperProvider.getClaimMapper(any(OpenIdConnectTokenConfig.class))).thenReturn(mockClaimMapper);
    when(mockClaimMapper.getCustomClaims(mockSSOToken, mappedClaimConfig)).thenReturn(mappedClaimAttributes);
    long authTime = System.currentTimeMillis() / 1000;
    OpenIdConnectTokenGenerationState openIdConnectTokenGenerationState = buildOpenIdConnectTokenGenerationState(authTime);
    when(mockTokenGenerationInvocationState.getOpenIdConnectTokenGenerationState()).thenReturn(openIdConnectTokenGenerationState);
    String oidcToken = new OpenIdConnectTokenGenerationImpl(mockSSOTokenIdentity, new JwtBuilderFactory(), mockClaimMapperProvider, mock(CTSTokenPersistence.class), mock(Logger.class)).generate(mockSSOToken, mockSTSInstanceState, mockTokenGenerationInvocationState);
    // Parse the compact JWT back and check the claims and the HMAC signature over the shared secret.
    SignedJwt signedJwt = reconstructSignedJwt(oidcToken);
    JwtClaimsSet jwtClaimsSet = signedJwt.getClaimsSet();
    assertEquals(SUBJECT_NAME, jwtClaimsSet.getSubject());
    assertEquals(AUDIENCE, jwtClaimsSet.getAudience().get(0));
    assertEquals(AUTHN_CLASS_REFERENCE, jwtClaimsSet.getClaim("acr", String.class));
    assertEquals(ISSUER, jwtClaimsSet.getIssuer());
    assertEquals(EMAIL_CLAIM_VALUE, jwtClaimsSet.get(EMAIL_CLAIM_KEY).asString());
    assertTrue(verifyHMACSignature(signedJwt));
}
Also used : JwtBuilderFactory(org.forgerock.json.jose.builders.JwtBuilderFactory) SSOToken(com.iplanet.sso.SSOToken) STSInstanceState(org.forgerock.openam.sts.tokengeneration.state.STSInstanceState) SignedJwt(org.forgerock.json.jose.jws.SignedJwt) OpenIdConnectTokenConfig(org.forgerock.openam.sts.config.user.OpenIdConnectTokenConfig) TokenGenerationServiceInvocationState(org.forgerock.openam.sts.service.invocation.TokenGenerationServiceInvocationState) JwtClaimsSet(org.forgerock.json.jose.jwt.JwtClaimsSet) SSOTokenIdentity(org.forgerock.openam.sts.tokengeneration.SSOTokenIdentity) OpenIdConnectTokenGenerationState(org.forgerock.openam.sts.service.invocation.OpenIdConnectTokenGenerationState) STSInstanceConfig(org.forgerock.openam.sts.config.user.STSInstanceConfig) Test(org.testng.annotations.Test)
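Examples 2 and 3 reconstruct the issued token and then call verifyRSASignature and verifyHMACSignature, helpers of the test class that this page does not show. The following is an added example, not OpenAM's code, of the checks a relying party should apply to such an STS-issued OpenID Connect token using the same org.forgerock.json.jose classes the tests import: pin the expected alg before verifying (so a token with alg none, or an HS256 token presented to a verifier holding an RSA public key, is rejected before any signature check), verify the signature with SignedJwt.verify, then check iss, aud, exp and sub. The class name, the expectedIssuer/expectedAudience parameters and the fixed choice of HS256 and RS256 are this example's assumptions; the secret or public key must come from the verifier's own configuration, mirroring the OpenIdConnectTokenConfig the STS signs with, never from the token.

```java
import java.security.PublicKey;
import java.util.Date;
import java.util.List;

import org.forgerock.json.jose.common.JwtReconstruction;
import org.forgerock.json.jose.jws.JwsAlgorithm;
import org.forgerock.json.jose.jws.SignedJwt;
import org.forgerock.json.jose.jws.handlers.HmacSigningHandler;
import org.forgerock.json.jose.jws.handlers.RSASigningHandler;
import org.forgerock.json.jose.jws.handlers.SigningHandler;
import org.forgerock.json.jose.jwt.JwtClaimsSet;

/**
 * Added example (not part of OpenAM): relying-party checks for an OIDC token issued by the
 * STS TokenGenerationService. Class name and parameters are this example's assumptions.
 */
public final class IssuedTokenVerifier {

    private IssuedTokenVerifier() {
    }

    /** Token signed with a shared secret, as in the HMAC configuration of Example 3. */
    public static JwtClaimsSet verifyHmac(String token, byte[] sharedSecret,
                                          String expectedIssuer, String expectedAudience) {
        return verify(token, JwsAlgorithm.HS256, new HmacSigningHandler(sharedSecret),
                expectedIssuer, expectedAudience);
    }

    /** Token signed with the STS instance's RSA key, as in the RSA configuration of Example 2. */
    public static JwtClaimsSet verifyRsa(String token, PublicKey stsPublicKey,
                                         String expectedIssuer, String expectedAudience) {
        return verify(token, JwsAlgorithm.RS256, new RSASigningHandler(stsPublicKey),
                expectedIssuer, expectedAudience);
    }

    private static JwtClaimsSet verify(String token, JwsAlgorithm expectedAlg, SigningHandler handler,
                                       String expectedIssuer, String expectedAudience) {
        SignedJwt jwt = new JwtReconstruction().reconstructJwt(token, SignedJwt.class);

        // The algorithm is fixed by the verifier's configuration, never taken from the header:
        // this rejects "none" and stops an HS256 token being checked against an RSA public key
        // (where the public key would act as the HMAC secret).
        JwsAlgorithm actualAlg = jwt.getHeader().getAlgorithm();
        if (actualAlg != expectedAlg) {
            throw new IllegalStateException("unexpected alg " + actualAlg + ", expected " + expectedAlg);
        }
        if (!jwt.verify(handler)) {
            throw new IllegalStateException("signature verification failed");
        }

        // Only after the signature holds are the claims trusted enough to read.
        JwtClaimsSet claims = jwt.getClaimsSet();
        if (!expectedIssuer.equals(claims.getIssuer())) {
            throw new IllegalStateException("unexpected iss " + claims.getIssuer());
        }
        List<String> audience = claims.getAudience();
        if (audience == null || !audience.contains(expectedAudience)) {
            throw new IllegalStateException("token not issued for audience " + expectedAudience);
        }
        Date exp = claims.getExpirationTime();
        if (exp == null || !exp.after(new Date())) {
            throw new IllegalStateException("token expired or has no exp claim");
        }
        if (claims.getSubject() == null || claims.getSubject().isEmpty()) {
            throw new IllegalStateException("token has no sub claim");
        }
        return claims;
    }
}
```

The order matters: algorithm pinning first, then the signature, then the claims. Reading iss or aud before the signature is verified turns every claim into attacker-controlled input, and letting the token's own alg header choose the handler is what makes the classic key-confusion and alg none attacks work.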
