All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.opensaml.saml.security.impl.InlineSelfEncryptionParametersStrategy Maven / Gradle / Ivy

There is a newer version: 4.0.1
Show newest version
/*
 * Licensed to the University Corporation for Advanced Internet Development,
 * Inc. (UCAID) under one or more contributor license agreements.  See the
 * NOTICE file distributed with this work for additional information regarding
 * copyright ownership. The UCAID licenses this file to You under the Apache
 * License, Version 2.0 (the "License"); you may not use this file except in
 * compliance with the License.  You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.opensaml.saml.security.impl;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import javax.annotation.Nonnull;
import javax.annotation.Nullable;

import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;

import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialResolver;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.xmlsec.EncryptionConfiguration;
import org.opensaml.xmlsec.EncryptionParameters;
import org.opensaml.xmlsec.EncryptionParametersResolver;
import org.opensaml.xmlsec.SecurityConfigurationSupport;
import org.opensaml.xmlsec.criterion.EncryptionConfigurationCriterion;
import org.opensaml.xmlsec.impl.BasicEncryptionConfiguration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.google.common.base.Function;
import com.google.common.collect.Iterables;

/**
 * Strategy function for resolving {@link EncryptionParameters} used to encrypt to oneself.
 */
public class InlineSelfEncryptionParametersStrategy 
        implements Function, List> {
    
    /** Logger. */
    private Logger log = LoggerFactory.getLogger(InlineSelfEncryptionParametersStrategy.class);
    
    /** Credential resolver for self-encryption. */
    @Nonnull private CredentialResolver credentialResolver;
    
    /** Encryption parameters resolver for self-encryption. */
    @Nonnull private EncryptionParametersResolver encParamsresolver;
    
    /** Strategy function for resolving the list of effective base encryption configurations to use. */
    @Nullable private Function> configurationLookupStrategy;
    
    /**
     * Constructor.
     * 
     * @param credResolver resolver for self-encryption credentials
     * @param paramsResolver resolver for self-encryption parameters
     */
    public InlineSelfEncryptionParametersStrategy(@Nonnull final CredentialResolver credResolver, 
            @Nonnull final EncryptionParametersResolver paramsResolver) {
        this(credResolver, paramsResolver, null);
    }
    
    /**
     * Constructor.
     *
     * @param credResolver resolver for self-encryption credentials
     * @param paramsResolver resolver for self-encryption parameters
     * @param configStrategy strategy for resolving the list of effective base encryption configurations
     */
    public InlineSelfEncryptionParametersStrategy(@Nonnull final CredentialResolver credResolver, 
            @Nonnull final EncryptionParametersResolver paramsResolver,
            @Nullable final Function> configStrategy) {
        credentialResolver = Constraint.isNotNull(credResolver, "CredentialResolver was null");
        encParamsresolver = Constraint.isNotNull(paramsResolver, "EncryptionParametersResolver was null");
        configurationLookupStrategy = configStrategy;
    }

    /** {@inheritDoc} */
    @Nullable
    public List apply(@Nullable final Pair input) {
        if (input == null || input.getFirst() == null) {
            log.debug("Input Pair or ProfileRequestContext was null, skipping");
            return Collections.emptyList();
        }
        
        final List credentials = resolveCredentials(input.getFirst());
        if (credentials.isEmpty()) {
            log.debug("No self-encryption credentials were resolved, skipping further processing");
            return Collections.emptyList();
        }
        log.debug("Resolved {} self-encryption credentials", credentials.size());
        
        final List baseConfigs = resolveBaseConfigurations(input.getFirst());
        log.debug("Resolved {} base EncryptionConfigurations", baseConfigs.size());
        
        final ArrayList encParams = new ArrayList<>();
        
        for (final Credential cred : credentials) {
            final BasicEncryptionConfiguration selfConfig = new BasicEncryptionConfiguration();
            selfConfig.setKeyTransportEncryptionCredentials(Collections.singletonList(cred));
            if (input.getSecond() != null && input.getSecond().getDataEncryptionAlgorithm() != null) {
                selfConfig.setDataEncryptionAlgorithms(Collections.singletonList(
                        input.getSecond().getDataEncryptionAlgorithm()));
            }
            
            final ArrayList configs = new ArrayList<>();
            configs.add(selfConfig);
            configs.addAll(baseConfigs);
            
            try {
                Iterables.addAll(encParams, encParamsresolver.resolve(
                        new CriteriaSet(new EncryptionConfigurationCriterion(configs))));
            } catch (final ResolverException e) {
                log.error("Error resolving self-encryption parameters for Credential '{}', " 
                        + "params from other Credentials may still succeed", cred, e);
            }
        }
        
        log.debug("Resolved {} self-encryption EncryptionParameters", encParams.size());
        
        return encParams;
    }
    
    /**
     * Resolve the list of self-encryption credentials.
     * 
     * @param profileRequestContext the current profile request context
     * 
     * @return the resolved credentials
     */
    @Nonnull protected List resolveCredentials(
            @Nonnull final ProfileRequestContext profileRequestContext) {
        try {
            final ArrayList credentials = new ArrayList<>();
            Iterables.addAll(credentials, credentialResolver.resolve(
                    new CriteriaSet(new UsageCriterion(UsageType.ENCRYPTION))));
            return credentials;
        } catch (final ResolverException e) {
            log.error("Error resolving IdP encryption credentials", e);
            return Collections.emptyList();
        }
    }

    /**
     * Resolve the list of effective base {@link EncryptionConfiguration} for self-encryption.
     * 
     * @param profileRequestContext the current profile request context
     * 
     * @return the resolved configurations
     */
    @Nonnull protected List resolveBaseConfigurations(
            @Nonnull final ProfileRequestContext profileRequestContext) {
        List baseConfigs = null;
        if (configurationLookupStrategy != null) {
            log.debug("Self-encryption EncryptionConfiguration lookup strategy was non-null");
            baseConfigs = configurationLookupStrategy.apply(profileRequestContext);
        } else {
            log.debug("Self-encryption EncryptionConfiguration lookup strategy was null");
        }
        if (baseConfigs != null) {
            return baseConfigs;
        } else {
            log.debug("No self-encryption EncryptionConfigurations were resolved, returning global configuration");
            return Collections.singletonList(SecurityConfigurationSupport.getGlobalEncryptionConfiguration());
        }
    }
    
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy