
1   /*
2    * Copyright 2011 The Ohio State University
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  
17  package edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition;
18  
19  import org.slf4j.Logger;
20  import org.slf4j.LoggerFactory;
21  
22  import edu.internet2.middleware.shibboleth.common.attribute.BaseAttribute;
23  import edu.internet2.middleware.shibboleth.common.attribute.provider.BasicAttribute;
24  import edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException;
25  import edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethResolutionContext;
26  import edu.internet2.middleware.shibboleth.common.profile.provider.SAMLProfileRequestContext;
27  import edu.internet2.middleware.shibboleth.common.util.DataSealer;
28  import edu.internet2.middleware.shibboleth.common.util.DataSealerException;
29  
30  /**
31   * An attribute definition that generates integrity protected,
32   * encrypted identifiers useful for stateless transient subject IDs.
33   */
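public class CryptoTransientIdAttributeDefinition extends BaseAttributeDefinition {

    /** Class logger. */
    private static final Logger log = LoggerFactory.getLogger(CryptoTransientIdAttributeDefinition.class);

    /** Separator placed between the issuer and principal components of the sealed payload. */
    private static final String COMPONENT_SEPARATOR = "!";

    /** Default lifetime of a generated identifier: four hours, expressed in milliseconds. */
    private static final long DEFAULT_ID_LIFETIME = 1000L * 60 * 60 * 4;

    /** Object used to protect and encrypt the data; guaranteed non-null by the constructor. */
    private final DataSealer dataSealer;

    /** Length, in milliseconds, tokens are valid; kept strictly positive by {@link #setIdLifetime(long)}. */
    private long idLifetime;

    /**
     * Constructor.
     * 
     * @param sealer object used to protect and encrypt the data
     * @throws IllegalArgumentException if {@code sealer} is null
     */
    public CryptoTransientIdAttributeDefinition(DataSealer sealer) {
        if (sealer == null) {
            throw new IllegalArgumentException("DataSealer may not be null.");
        }
        dataSealer = sealer;
        idLifetime = DEFAULT_ID_LIFETIME;
    }

    /**
     * {@inheritDoc}
     * 
     * Builds the payload {@code outboundIssuer!inboundIssuer!principalName} from the request context,
     * seals it together with the instant "now plus {@link #getIdLifetime()}", and returns the sealed
     * string as the single value of an attribute whose ID is this definition's ID.
     * 
     * @throws AttributeResolutionException if the sealer fails to wrap the payload
     */
    protected BaseAttribute<String> doResolve(ShibbolethResolutionContext resolutionContext)
            throws AttributeResolutionException {

        SAMLProfileRequestContext<?, ?, ?, ?> requestContext = resolutionContext.getAttributeRequestContext();

        // NOTE(review): StringBuilder.append renders a null component as the literal "null", so a missing
        // issuer or principal name is sealed silently rather than rejected — confirm callers guarantee them.
        // NOTE(review): the unwrapping side is not visible here; if it splits the payload on
        // COMPONENT_SEPARATOR, a component that itself contains "!" would be ambiguous — confirm.
        String principalTokenId = new StringBuilder()
                .append(requestContext.getOutboundMessageIssuer()).append(COMPONENT_SEPARATOR)
                .append(requestContext.getInboundMessageIssuer()).append(COMPONENT_SEPARATOR)
                .append(requestContext.getPrincipalName())
                .toString();

        // Epoch-millisecond instant handed to the sealer; presumably treated as the token's expiry — verify
        // against DataSealer.wrap.
        long expiration = System.currentTimeMillis() + idLifetime;

        String transientId;
        try {
            transientId = dataSealer.wrap(principalTokenId, expiration);
        } catch (DataSealerException e) {
            // Preserve the cause so the sealing failure is diagnosable from the resolution error.
            throw new AttributeResolutionException("Caught exception wrapping principal identifier.", e);
        }

        BasicAttribute<String> attribute = new BasicAttribute<String>();
        attribute.setId(getId());
        attribute.getValues().add(transientId);

        return attribute;
    }

    /**
     * Gets the time, in milliseconds, ids are valid.
     * 
     * @return time, in milliseconds, ids are valid; always positive
     */
    public long getIdLifetime() {
        return idLifetime;
    }

    /**
     * Sets the time, in milliseconds, ids are valid.
     * 
     * A non-positive lifetime would make every generated identifier expire at or before the moment it
     * is created, so such values are rejected instead of being stored.
     * 
     * @param lifetime time, in milliseconds, ids are valid; must be positive
     * @throws IllegalArgumentException if {@code lifetime} is zero or negative
     */
    public void setIdLifetime(long lifetime) {
        if (lifetime <= 0) {
            throw new IllegalArgumentException("ID lifetime must be a positive number of milliseconds, was "
                    + lifetime);
        }
        idLifetime = lifetime;
    }

    /**
     * {@inheritDoc}
     * 
     * Verifies that a sealer is present and that the configured lifetime is positive. The sealer check
     * cannot fail for an instance built through the constructor, but is kept so that the validation
     * contract does not depend on that detail.
     * 
     * @throws AttributeResolutionException if the definition is not usable
     */
    public void validate() throws AttributeResolutionException {
        if (dataSealer == null) {
            String message = "CryptoTransientIdAttributeDefinition (" + getId()
                    + ") must have a DataSealer object set.";
            log.error(message);
            throw new AttributeResolutionException(message);
        }
        if (idLifetime <= 0) {
            String message = "CryptoTransientIdAttributeDefinition (" + getId()
                    + ") must have a positive ID lifetime, was " + idLifetime + ".";
            log.error(message);
            throw new AttributeResolutionException(message);
        }
    }
}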