Repository: cxf-fediz Updated Branches: refs/heads/master 807c00235 -> 3eaac56a8
Some more OAuthDataManager cleanup Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/3eaac56a Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/3eaac56a Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/3eaac56a Branch: refs/heads/master Commit: 3eaac56a8093fda8d0c130b0fb7a2ee6a49bef8c Parents: 807c002 Author: Sergey Beryozkin <[email protected]> Authored: Wed Dec 9 10:48:04 2015 +0000 Committer: Sergey Beryozkin <[email protected]> Committed: Wed Dec 9 10:48:04 2015 +0000 ---------------------------------------------------------------------- .../service/oidc/LocalSamlTokenConverter.java | 119 ------------------- .../fediz/service/oidc/OAuthDataManager.java | 36 +++--- .../fediz/service/oidc/SamlTokenConverter.java | 97 +++++++++++++-- .../src/main/webapp/WEB-INF/data-manager.xml | 2 +- 4 files changed, 107 insertions(+), 147 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3eaac56a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/LocalSamlTokenConverter.java ----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/LocalSamlTokenConverter.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/LocalSamlTokenConverter.java
deleted file mode 100644
index 82505a8..0000000
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/LocalSamlTokenConverter.java
+++ /dev/null
@@ -1,119 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.fediz.service.oidc; - -import org.w3c.dom.Element; -import org.apache.cxf.fediz.core.Claim; -import org.apache.cxf.fediz.core.ClaimCollection; -import org.apache.cxf.fediz.core.ClaimTypes; -import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException; -import org.apache.cxf.rs.security.oidc.common.IdToken; -import org.apache.wss4j.common.ext.WSSecurityException; -import org.apache.wss4j.common.saml.SamlAssertionWrapper; -import org.opensaml.saml.saml2.core.Assertion; -import org.opensaml.saml.saml2.core.Issuer; - - - - -public class LocalSamlTokenConverter implements SamlTokenConverter { - - private String issuer; - - @Override - public IdToken convertToIdToken(Element samlToken, - String subjectName, - ClaimCollection claims, - String clientId, - String nonce) { - IdToken idToken = new IdToken(); - idToken.setSubject(subjectName); - idToken.setAudience(clientId); - - long currentTimeInSeconds = System.currentTimeMillis() / 1000L; - idToken.setIssuedAt(currentTimeInSeconds); - idToken.setExpiryTime(currentTimeInSeconds + 60000L); - - Assertion saml2Assertion = null; - // Set the authInstant - try { - 
SamlAssertionWrapper wrapper = new SamlAssertionWrapper(samlToken); - saml2Assertion = wrapper.getSaml2(); - if (saml2Assertion != null && !saml2Assertion.getAuthnStatements().isEmpty()) { - long authInstant = - saml2Assertion.getAuthnStatements().get(0).getAuthnInstant().getMillis(); - idToken.setAuthenticationTime(authInstant / 1000L); - } - } catch (WSSecurityException ex) { - throw new OAuthServiceException("Error converting SAML token", ex); - } - - // Map claims - if (claims != null) { - String firstName = null; - String lastName = null; - for (Claim c : claims) { - if (!(c.getValue() instanceof String)) { - continue; - } - if (ClaimTypes.FIRSTNAME.equals(c.getClaimType())) { - idToken.setGivenName((String)c.getValue()); - firstName = (String)c.getValue(); - } else if (ClaimTypes.LASTNAME.equals(c.getClaimType())) { - idToken.setFamilyName((String)c.getValue()); - lastName = (String)c.getValue(); - } else if (ClaimTypes.EMAILADDRESS.equals(c.getClaimType())) { - idToken.setEmail((String)c.getValue()); - } else if (ClaimTypes.DATEOFBIRTH.equals(c.getClaimType())) { - idToken.setBirthDate((String)c.getValue()); - } else if (ClaimTypes.HOMEPHONE.equals(c.getClaimType())) { - idToken.setPhoneNumber((String)c.getValue()); - } else if (ClaimTypes.GENDER.equals(c.getClaimType())) { - idToken.setGender((String)c.getValue()); - } else if (ClaimTypes.WEB_PAGE.equals(c.getClaimType())) { - idToken.setWebsite((String)c.getValue()); - } - } - - if (firstName != null && lastName != null) { - idToken.setName(firstName + " " + lastName); - } - } - - if (nonce != null) { - idToken.setNonce(nonce); - } - if (issuer != null) { - idToken.setIssuer(issuer); - } else if (saml2Assertion != null) { - Issuer assertionIssuer = saml2Assertion.getIssuer(); - if (assertionIssuer != null) { - idToken.setIssuer(assertionIssuer.getValue()); - } - } - - return idToken; - } - - - public void setIssuer(String issuer) { - this.issuer = issuer; - } - -} 
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3eaac56a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java ---------------------------------------------------------------------- diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java index 5c373b4..51c5296 100644 --- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java +++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java @@ -38,7 +38,7 @@ import org.apache.cxf.rs.security.oidc.idp.OidcUserSubject; import org.apache.cxf.rs.security.oidc.utils.OidcUtils; public class OAuthDataManager extends DefaultEHCacheCodeDataProvider { - private SamlTokenConverter tokenConverter = new LocalSamlTokenConverter(); + private SamlTokenConverter tokenConverter = new SamlTokenConverter(); public OAuthDataManager() { } 
@@ -76,30 +76,26 @@ public class OAuthDataManager extends DefaultEHCacheCodeDataProvider { } protected OidcUserSubject createOidcSubject(Client client, UserSubject subject, String nonce) { - IdToken idToken = getIdToken(client, nonce); - if (idToken != null) { - OidcUserSubject oidcSub = new OidcUserSubject(subject); - oidcSub.setIdToken(idToken); - return oidcSub; - } - return null; - } - - protected IdToken getIdToken(Client client, String nonce) { Principal principal = getMessageContext().getSecurityContext().getUserPrincipal(); - if (principal instanceof FedizPrincipal) { - FedizPrincipal fedizPrincipal = (FedizPrincipal)principal; - return tokenConverter.convertToIdToken(fedizPrincipal.getLoginToken(), - fedizPrincipal.getName(), - fedizPrincipal.getClaims(), - client.getClientId(), - nonce); - } else { + if (!(principal instanceof FedizPrincipal)) { throw new OAuthServiceException("Unsupported Principal"); } + FedizPrincipal fedizPrincipal = (FedizPrincipal)principal; + IdToken idToken = tokenConverter.convertToIdToken(fedizPrincipal.getLoginToken(), + fedizPrincipal.getName(), + fedizPrincipal.getClaims(), + client.getClientId(), + nonce); + + //TODO: Consider populating UserInfo at this point too, with UserInfo having few more claims + // from the claims collection, and setting it on OidcUserSubject + + OidcUserSubject oidcSub = new OidcUserSubject(subject); + oidcSub.setIdToken(idToken); + return oidcSub; } - + public void setTokenConverter(SamlTokenConverter tokenConverter) { this.tokenConverter = tokenConverter; } http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3eaac56a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java ---------------------------------------------------------------------- diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java index 2ef225b..5e4a363 100644 
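Review bot: The rewritten `createOidcSubject` drops the protected `getIdToken(Client, String)` hook, so any subclass of OAuthDataManager that overrode it to customise ID token creation now silently stops being called; if that extension point is still wanted, keep a protected `getIdToken` that wraps the `tokenConverter.convertToIdToken(...)` call and have `createOidcSubject` go through it. The method also has no Javadoc; I would document it as building the OidcUserSubject for the authenticated Fediz principal, with `@throws OAuthServiceException if the security context principal is not a FedizPrincipal`. Whether `getMessageContext().getSecurityContext()` can be null for a request that reaches this point is not visible in the hunk, so it cannot be confirmed here that such a request fails with the intended OAuthServiceException rather than a NullPointerException before the `instanceof` check.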
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java
@@ -19,14 +19,97 @@ package org.apache.cxf.fediz.service.oidc; import org.w3c.dom.Element; +import org.apache.cxf.fediz.core.Claim; import org.apache.cxf.fediz.core.ClaimCollection; +import org.apache.cxf.fediz.core.ClaimTypes; +import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException; import org.apache.cxf.rs.security.oidc.common.IdToken; +import org.apache.wss4j.common.ext.WSSecurityException; +import org.apache.wss4j.common.saml.SamlAssertionWrapper; +import org.opensaml.saml.saml2.core.Assertion; +import org.opensaml.saml.saml2.core.Issuer; + +public class SamlTokenConverter { + + private String issuer; + + public IdToken convertToIdToken(Element samlToken, + String subjectName, + ClaimCollection claims, + String clientId, + String nonce) { + IdToken idToken = new IdToken(); + idToken.setSubject(subjectName); + idToken.setAudience(clientId); + + long currentTimeInSeconds = System.currentTimeMillis() / 1000L; + idToken.setIssuedAt(currentTimeInSeconds); + idToken.setExpiryTime(currentTimeInSeconds + 60000L); + + Assertion saml2Assertion = null; + // Set the authInstant + try { + SamlAssertionWrapper wrapper = new SamlAssertionWrapper(samlToken); + saml2Assertion = wrapper.getSaml2(); + if (saml2Assertion != null && !saml2Assertion.getAuthnStatements().isEmpty()) { + long authInstant = + saml2Assertion.getAuthnStatements().get(0).getAuthnInstant().getMillis(); + idToken.setAuthenticationTime(authInstant / 1000L); + } + } catch (WSSecurityException ex) { + throw new OAuthServiceException("Error converting SAML token", ex); + } + + // Map claims + if (claims != null) { + String firstName = null; + String lastName = null; + for (Claim c : claims) { + if (!(c.getValue() instanceof String)) { + continue; + } + if (ClaimTypes.FIRSTNAME.equals(c.getClaimType())) { + idToken.setGivenName((String)c.getValue()); + firstName = (String)c.getValue(); + } else if (ClaimTypes.LASTNAME.equals(c.getClaimType())) { + idToken.setFamilyName((String)c.getValue()); + 
lastName = (String)c.getValue(); + } else if (ClaimTypes.EMAILADDRESS.equals(c.getClaimType())) { + idToken.setEmail((String)c.getValue()); + } else if (ClaimTypes.DATEOFBIRTH.equals(c.getClaimType())) { + idToken.setBirthDate((String)c.getValue()); + } else if (ClaimTypes.HOMEPHONE.equals(c.getClaimType())) { + idToken.setPhoneNumber((String)c.getValue()); + } else if (ClaimTypes.GENDER.equals(c.getClaimType())) { + idToken.setGender((String)c.getValue()); + } else if (ClaimTypes.WEB_PAGE.equals(c.getClaimType())) { + idToken.setWebsite((String)c.getValue()); + } + } + + if (firstName != null && lastName != null) { + idToken.setName(firstName + " " + lastName); + } + } + + if (nonce != null) { + idToken.setNonce(nonce); + } + if (issuer != null) { + idToken.setIssuer(issuer); + } else if (saml2Assertion != null) { + Issuer assertionIssuer = saml2Assertion.getIssuer(); + if (assertionIssuer != null) { + idToken.setIssuer(assertionIssuer.getValue()); + } + } + + return idToken; + } + + + public void setIssuer(String issuer) { + this.issuer = issuer; + } - -public interface SamlTokenConverter { - IdToken convertToIdToken(Element samlToken, - String subjectName, - ClaimCollection claims, - String audience, - String nonce); } http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/3eaac56a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml ---------------------------------------------------------------------- diff --git a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml b/services/oidc/src/main/webapp/WEB-INF/data-manager.xml index 33789ee..da299c0 100644 --- a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml +++ b/services/oidc/src/main/webapp/WEB-INF/data-manager.xml 
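Review bot: The ID token lifetime at `idToken.setExpiryTime(currentTimeInSeconds + 60000L);` is a hard-coded literal added to a value that is in seconds, so every ID token this converter issues stays valid for roughly 16.7 hours; if 60000 was meant as one minute in milliseconds this is a units mix-up, and either way the lifetime belongs in a configurable property next to `issuer` rather than in a literal. The issuer fallback near the end of the hunk sets the token's `iss` to the SAML assertion's issuer whenever no `issuer` is configured, which makes the ID token name the upstream IdP rather than this OIDC provider that relying parties validate against; failing or logging loudly when `issuer` is unset would be safer than defaulting. `getAuthnInstant()` on the first authn statement is dereferenced without a null check, which would surface as a NullPointerException rather than the OAuthServiceException the surrounding catch produces for WSSecurityException. Below is one way to make the lifetime configurable while keeping the current default until the intended window is confirmed.
```java
public class SamlTokenConverter {

    private String issuer;
    // Lifetime of issued ID tokens in seconds; keeps the existing 60000 default
    // until the intended validity window is confirmed.
    private long idTokenLifetime = 60000L;

    // … unchanged: convertToIdToken up to the issuedAt assignment …
        idToken.setIssuedAt(currentTimeInSeconds);
        idToken.setExpiryTime(currentTimeInSeconds + idTokenLifetime);
    // … unchanged: rest of convertToIdToken, setIssuer …

    public void setIdTokenLifetime(long idTokenLifetime) {
        this.idTokenLifetime = idTokenLifetime;
    }
```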
@@ -26,7 +26,7 @@ <bean id="applicationContextProvider" class="org.apache.cxf.fediz.service.oidc.ApplicationContextProvider"/> - <bean id="samlTokenConverter" class="org.apache.cxf.fediz.service.oidc.LocalSamlTokenConverter"> + <bean id="samlTokenConverter" class="org.apache.cxf.fediz.service.oidc.SamlTokenConverter"> <property name="issuer" value="accounts.fediz.com"/> </bean> <bean id="oauthProvider" class="org.apache.cxf.fediz.service.oidc.OAuthDataManager"
