17 package edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.principalConnector;
18
19 import org.opensaml.common.SAMLObject;
20 import org.opensaml.saml1.core.NameIdentifier;
21 import org.opensaml.saml2.core.NameID;
22 import org.opensaml.util.storage.StorageService;
23
24 import edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException;
25 import edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethResolutionContext;
26 import edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdEntry;
27 import edu.internet2.middleware.shibboleth.common.profile.provider.SAMLProfileRequestContext;
28
29
30
31
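/**
 * Principal connector that maps a transient subject name identifier back to the principal it was
 * issued for.
 *
 * <p>The identifier is looked up in the configured {@link StorageService} under the
 * {@code "transientId"} partition. Resolution fails unless the stored entry exists, has not
 * expired, and was issued to the same relying party that is now presenting it (the inbound
 * message issuer), so an identifier handed to one relying party cannot be reused by another.
 */
public class TransientPrincipalConnector extends BasePrincipalConnector {

    /** Store of transient identifier entries, keyed by partition and then by identifier. */
    private final StorageService<String, TransientIdEntry> identifierStore;

    /** Storage service partition under which transient identifier entries are kept. */
    private final String partition;

    /**
     * Constructor.
     *
     * @param store store of transient identifier entries; may not be null
     *
     * @throws IllegalArgumentException if {@code store} is null
     */
    public TransientPrincipalConnector(StorageService<String, TransientIdEntry> store) {
        if (store == null) {
            throw new IllegalArgumentException("Identifier store may not be null");
        }
        identifierStore = store;
        partition = "transientId";
    }

    /**
     * Resolves the principal name associated with the transient subject name identifier carried in
     * the attribute request context.
     *
     * @param resolutionContext current resolution context
     *
     * @return principal name the transient identifier was issued for
     *
     * @throws AttributeResolutionException if the subject name identifier is missing, of an
     *             unsupported type, has no value, is unknown or expired, or was issued to a
     *             different relying party than the one presenting it
     */
    public String resolve(ShibbolethResolutionContext resolutionContext) throws AttributeResolutionException {
        SAMLProfileRequestContext requestContext = resolutionContext.getAttributeRequestContext();

        String transientId = extractTransientId(requestContext.getSubjectNameIdentifier());
        if (transientId == null) {
            throw new AttributeResolutionException("Invalid subject name identifier");
        }

        TransientIdEntry idToken = identifierStore.get(partition, transientId);
        // an expired entry is treated exactly like an unknown one
        if (idToken == null || idToken.isExpired()) {
            throw new AttributeResolutionException("No information associated with transient identifier: "
                    + transientId);
        }

        // Bind the identifier to the relying party it was issued to. The comparison is null-safe so a
        // missing relying party ID is reported as a resolution failure rather than a NullPointerException.
        String issuedTo = idToken.getRelyingPartyId();
        String usedBy = requestContext.getInboundMessageIssuer();
        if (issuedTo == null || !issuedTo.equals(usedBy)) {
            throw new AttributeResolutionException("Transient identifier was issued to " + issuedTo
                    + " but is being used by " + usedBy);
        }

        return idToken.getPrincipalName();
    }

    /**
     * Extracts the identifier value from a SAML 1 {@link NameIdentifier} or a SAML 2 {@link NameID}.
     *
     * @param subjectId subject name identifier taken from the request context; may be null
     *
     * @return the identifier value, or null if the name identifier carries no value
     *
     * @throws AttributeResolutionException if {@code subjectId} is null or of an unsupported type
     */
    private String extractTransientId(SAMLObject subjectId) throws AttributeResolutionException {
        if (subjectId instanceof NameIdentifier) {
            return ((NameIdentifier) subjectId).getNameIdentifier();
        }
        if (subjectId instanceof NameID) {
            return ((NameID) subjectId).getValue();
        }
        // also reached for a null subject identifier, since instanceof is false for null
        throw new AttributeResolutionException("Subject name identifier is not of a supported type");
    }

    /**
     * Validates the connector's configuration.
     *
     * <p>Nothing to check here: the only required dependency, the identifier store, is rejected
     * when null by the constructor.
     *
     * @throws AttributeResolutionException never thrown by this implementation
     */
    public void validate() throws AttributeResolutionException {
        // intentionally empty; see class Javadoc
    }
}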