
1   /*
2    * Licensed to the University Corporation for Advanced Internet Development, 
3    * Inc. (UCAID) under one or more contributor license agreements.  See the 
4    * NOTICE file distributed with this work for additional information regarding
5    * copyright ownership. The UCAID licenses this file to You under the Apache 
6    * License, Version 2.0 (the "License"); you may not use this file except in 
7    * compliance with the License.  You may obtain a copy of the License at
8    *
9    *    http://www.apache.org/licenses/LICENSE-2.0
10   *
11   * Unless required by applicable law or agreed to in writing, software
12   * distributed under the License is distributed on an "AS IS" BASIS,
13   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14   * See the License for the specific language governing permissions and
15   * limitations under the License.
16   */
17  
18  package edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition;
19  
20  import org.slf4j.Logger;
21  import org.slf4j.LoggerFactory;
22  
23  import edu.internet2.middleware.shibboleth.common.attribute.BaseAttribute;
24  import edu.internet2.middleware.shibboleth.common.attribute.provider.BasicAttribute;
25  import edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException;
26  import edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethResolutionContext;
27  import edu.internet2.middleware.shibboleth.common.profile.provider.SAMLProfileRequestContext;
28  import edu.internet2.middleware.shibboleth.common.util.DataSealer;
29  import edu.internet2.middleware.shibboleth.common.util.DataSealerException;
30  
31  /**
32   * An attribute definition that generates integrity protected,
33   * encrypted identifiers useful for stateless transient subject IDs.
34   */
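public class CryptoTransientIdAttributeDefinition extends BaseAttributeDefinition {

    /** Class logger. */
    private static final Logger log = LoggerFactory.getLogger(CryptoTransientIdAttributeDefinition.class);

    /** Default token lifetime, in milliseconds: four hours. */
    public static final long DEFAULT_ID_LIFETIME = 1000L * 60 * 60 * 4;

    /**
     * Separator placed between the fields packed into the sealed token. The fields are not escaped, so a
     * value containing this character is ambiguous to whatever later unwraps the token; that consumer is
     * outside this class and its parsing rules are not visible here.
     */
    private static final String FIELD_SEPARATOR = "!";

    /** Object used to protect and encrypt the data. Set once by the constructor; never null afterwards. */
    private final DataSealer dataSealer;

    /** Length, in milliseconds, tokens are valid. Must be positive; checked by {@link #validate()}. */
    private long idLifetime;

    /**
     * Constructor.
     * 
     * @param sealer object used to protect and encrypt the data; may not be null
     * 
     * @throws IllegalArgumentException if the sealer is null
     */
    public CryptoTransientIdAttributeDefinition(DataSealer sealer) {
        if (sealer == null) {
            throw new IllegalArgumentException("DataSealer may not be null.");
        }
        dataSealer = sealer;
        idLifetime = DEFAULT_ID_LIFETIME;
    }

    /**
     * {@inheritDoc}
     * 
     * Builds a token from the outbound message issuer, the inbound message issuer and the principal name,
     * joined with {@code "!"}, and seals it with an expiration of "now" plus {@link #getIdLifetime()}.
     * The sealed string becomes the single value of the returned attribute.
     * 
     * @throws AttributeResolutionException if the resolution context carries no SAML request context or
     *             no principal name, or if the sealer fails to wrap the identifier
     */
    protected BaseAttribute<String> doResolve(ShibbolethResolutionContext resolutionContext)
            throws AttributeResolutionException {

        SAMLProfileRequestContext<?, ?, ?, ?> requestContext = resolutionContext.getAttributeRequestContext();
        if (requestContext == null) {
            throw new AttributeResolutionException("CryptoTransientIdAttributeDefinition (" + getId()
                    + ") requires a SAML profile request context to build a transient ID.");
        }

        // A transient ID only makes sense for an authenticated principal. Sealing a missing name would
        // otherwise mint a perfectly valid token for the literal string "null".
        String principalName = requestContext.getPrincipalName();
        if (principalName == null || principalName.length() == 0) {
            throw new AttributeResolutionException("CryptoTransientIdAttributeDefinition (" + getId()
                    + ") can not build a transient ID without a principal name.");
        }

        String principalTokenId = requestContext.getOutboundMessageIssuer() + FIELD_SEPARATOR
                + requestContext.getInboundMessageIssuer() + FIELD_SEPARATOR + principalName;

        // Absolute expiration handed to the sealer; the sealer is what enforces it on the way back in.
        long expiration = System.currentTimeMillis() + idLifetime;

        String transientId;
        try {
            transientId = dataSealer.wrap(principalTokenId, expiration);
        } catch (DataSealerException e) {
            // Keep the cause; the sealer's own message is the only diagnostic available here.
            throw new AttributeResolutionException("Caught exception wrapping principal identifier.", e);
        }

        BasicAttribute<String> attribute = new BasicAttribute<String>();
        attribute.setId(getId());
        attribute.getValues().add(transientId);

        return attribute;
    }

    /**
     * Gets the time, in milliseconds, ids are valid.
     * 
     * @return time, in milliseconds, ids are valid
     */
    public long getIdLifetime() {
        return idLifetime;
    }

    /**
     * Sets the time, in milliseconds, ids are valid. The value applies to IDs minted after the call; a
     * non-positive lifetime is rejected by {@link #validate()} rather than here so that configuration
     * wiring is not interrupted mid-way.
     * 
     * @param lifetime time, in milliseconds, ids are valid; expected to be positive
     */
    public void setIdLifetime(long lifetime) {
        idLifetime = lifetime;
    }

    /**
     * {@inheritDoc}
     * 
     * Fails if no sealer is available or if the configured lifetime is not positive (a zero or negative
     * lifetime would seal every token with an expiration already in the past).
     */
    public void validate() throws AttributeResolutionException {
        if (dataSealer == null) {
            String message = "CryptoTransientIdAttributeDefinition (" + getId()
                    + ") must have a DataSealer object set.";
            log.error(message);
            throw new AttributeResolutionException(message);
        }
        if (idLifetime <= 0) {
            String message = "CryptoTransientIdAttributeDefinition (" + getId()
                    + ") must have a positive ID lifetime; configured value was " + idLifetime + " ms.";
            log.error(message);
            throw new AttributeResolutionException(message);
        }
    }
}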