Package org.opensaml.saml.saml2.profile.impl

Class DefaultAssertionValidationContextBuilder

java.lang.Object
org.opensaml.saml.saml2.profile.impl.DefaultAssertionValidationContextBuilder
All Implemented Interfaces:
Function<ValidateAssertions.AssertionValidationInput,ValidationContext>
public class DefaultAssertionValidationContextBuilder extends Object implements Function<ValidateAssertions.AssertionValidationInput,ValidationContext>
Function which implements default behavior for building an instance of ValidationContext from an instance of ValidateAssertions.AssertionValidationInput.

  • Field Details

    • log

      @Nonnull private org.slf4j.Logger log
      Logger.

    • clockSkew

      @Nullable private Function<ProfileRequestContext,Duration> clockSkew
      A function for resolving the clock skew to apply.

    • lifetime

      @Nullable private Function<ProfileRequestContext,Duration> lifetime
      A function for resolving the lifetime to apply.

    • signatureCriteriaSetFunction

      @Nullable private Function<Pair<ProfileRequestContext,Assertion>,CriteriaSet> signatureCriteriaSetFunction
      A function for resolving the signature validation CriteriaSet for a particular function.

    • signatureRequired

      @Nonnull private Predicate<ProfileRequestContext> signatureRequired
      Predicate for determining whether an Assertion signature is required.

    • checkAddress

      @Nonnull private Predicate<ProfileRequestContext> checkAddress
      Predicate for determining whether an Assertion's network address(es) should be checked.

    • maximumTimeSinceAuthn

      @Nullable private Function<ProfileRequestContext,Duration> maximumTimeSinceAuthn
      Function for determining the max allowed time since authentication.

    • includeSelfEntityIDAsRecipient

      @Nonnull private Predicate<ProfileRequestContext> includeSelfEntityIDAsRecipient
      Predicate for determining whether to include the self entityID as a valid Recipient.

    • additionalAudiences

      @Nullable private Function<ProfileRequestContext,Set<String>> additionalAudiences
      Function for determining additional valid audience values.

    • validIssuers

      @Nonnull private Function<ProfileRequestContext,Set<String>> validIssuers
      Function for determining additional valid Issuer values.

    • inResponseTo

      @Nullable private Function<ProfileRequestContext,String> inResponseTo
      Function for determining the valid InResponseTo value.

    • inResponseToRequired

      @Nonnull private Predicate<ProfileRequestContext> inResponseToRequired
      Predicate for determining whether an Assertion SubjectConfirmationData InResponseTo is required.

    • recipientRequired

      @Nonnull private Predicate<ProfileRequestContext> recipientRequired
      Predicate for determining whether an Assertion SubjectConfirmationData Recipient is required.

    • notBeforeRequired

      @Nonnull private Predicate<ProfileRequestContext> notBeforeRequired
      Predicate for determining whether an Assertion SubjectConfirmationData NotBefore is required.

    • notOnOrAfterRequired

      @Nonnull private Predicate<ProfileRequestContext> notOnOrAfterRequired
      Predicate for determining whether an Assertion SubjectConfirmationData NotOnOrAfter is required.

    • addressRequired

      @Nonnull private Predicate<ProfileRequestContext> addressRequired
      Predicate for determining whether an Assertion SubjectConfirmationData Address is required.

    • requiredConditions

      @Nonnull private Set<QName> requiredConditions
      The set of required Conditions.

    • securityParametersLookupStrategy

      @Nonnull private Function<ProfileRequestContext,SecurityParametersContext> securityParametersLookupStrategy
      Resolver for security parameters context.

  • Constructor Details

    • DefaultAssertionValidationContextBuilder

      public DefaultAssertionValidationContextBuilder()
      Constructor.

  • Method Details

    • getClockSkew

      @Nullable public Function<ProfileRequestContext,Duration> getClockSkew()
      Get the strategy by which to resolve the clock skew.
      Returns:
      lookup strategy
      Since:
      4.1.0

    • setClockSkew

      public void setClockSkew(@Nullable Duration skew)
      Set the clock skew.
      Parameters:
      skew - clock skew
      Since:
      4.1.0

    • setClockSkewLookupStrategy

      public void setClockSkewLookupStrategy(@Nullable Function<ProfileRequestContext,Duration> strategy)
      Set the strategy by which to resolve the clock skew.
      Parameters:
      strategy - lookup strategy
      Since:
      4.1.0

    • getLifetime

      @Nullable public Function<ProfileRequestContext,Duration> getLifetime()
      Get the strategy by which to resolve the lifetime.
      Returns:
      lookup strategy
      Since:
      4.2.0

    • setLifetime

      public void setLifetime(@Nullable Duration duration)
      Set the lifetime.
      Parameters:
      duration - lifetime
      Since:
      4.2.0

    • setLifetimeLookupStrategy

      public void setLifetimeLookupStrategy(@Nullable Function<ProfileRequestContext,Duration> strategy)
      Set the strategy by which to resolve the lifetime.
      Parameters:
      strategy - lookup strategy
      Since:
      4.2.0

    • getSecurityParametersLookupStrategy

      @Nonnull public Function<ProfileRequestContext,SecurityParametersContext> getSecurityParametersLookupStrategy()
      Get the strategy by which to resolve a SecurityParametersContext.
      Returns:
      the lookup strategy

    • setSecurityParametersLookupStrategy

      public void setSecurityParametersLookupStrategy(@Nonnull Function<ProfileRequestContext,SecurityParametersContext> strategy)
      Set the strategy by which to resolve a SecurityParametersContext.
      Parameters:
      strategy - the strategy function

    • getRequiredConditions

      @Nonnull public Set<QName> getRequiredConditions()
      Get the set of required Conditions.
      Returns:
      the required conditions, may be null

    • setRequiredConditions

      public void setRequiredConditions(@Nullable Set<QName> conditions)
      Set the set of required Conditions.
      Parameters:
      conditions - the required conditions

    • getIncludeSelfEntityIDAsRecipient

      @Nonnull public Predicate<ProfileRequestContext> getIncludeSelfEntityIDAsRecipient()
      Get the predicate which determines whether to include the self entityID as a valid Recipient.

      Defaults to an always false predicate;

      Returns:
      the predicate

    • setIncludeSelfEntityIDAsRecipient

      public void setIncludeSelfEntityIDAsRecipient(@Nonnull Predicate<ProfileRequestContext> predicate)
      Set the predicate which determines whether to include the self entityID as a valid Recipient.

      Defaults to an always false predicate.

      Parameters:
      predicate - the predicate, must be non-null

    • getSignatureRequired

      @Nonnull public Predicate<ProfileRequestContext> getSignatureRequired()
      Get the predicate which determines whether an Assertion signature is required.

      Defaults to an always true predicate;

      Returns:
      the predicate

    • setSignatureRequired

      public void setSignatureRequired(@Nonnull Predicate<ProfileRequestContext> predicate)
      Set the predicate which determines whether an Assertion signature is required.

      Defaults to an always true predicate.

      Parameters:
      predicate - the predicate, must be non-null

    • setInResponseTo

      public void setInResponseTo(@Nullable Function<ProfileRequestContext,String> function)
      Set the function for determining the valid InResponseTo.

      Defaults to null.

      Parameters:
      function - the function, may be null

    • getInResponseTo

      @Nullable public Function<ProfileRequestContext,String> getInResponseTo()
      Get the function for determining the valid InResponseTo.

      Defaults to null.

      Returns:
      the function

    • getInResponseToRequired

      @Nonnull public Predicate<ProfileRequestContext> getInResponseToRequired()
      Get the predicate which determines whether an Assertion SubjectConfirmationData InResponseTo is required.

      Defaults to an always false predicate;

      Returns:
      the predicate

    • setInResponseToRequired

      public void setInResponseToRequired(@Nonnull Predicate<ProfileRequestContext> predicate)
      Set the predicate which determines whether an Assertion SubjectConfirmationData InResponseTo is required.

      Defaults to an always false predicate.

      Parameters:
      predicate - the predicate, must be non-null

    • getRecipientRequired

      @Nonnull public Predicate<ProfileRequestContext> getRecipientRequired()
      Get the predicate which determines whether an Assertion SubjectConfirmationData Recipient is required.

      Defaults to an always false predicate;

      Returns:
      the predicate

    • setRecipientRequired

      public void setRecipientRequired(@Nonnull Predicate<ProfileRequestContext> predicate)
      Set the predicate which determines whether an Assertion SubjectConfirmationData Recipient is required.

      Defaults to an always false predicate.

      Parameters:
      predicate - the predicate, must be non-null

    • getNotBeforeRequired

      @Nonnull public Predicate<ProfileRequestContext> getNotBeforeRequired()
      Get the predicate which determines whether an Assertion SubjectConfirmationData NotBefore is required.

      Defaults to an always false predicate;

      Returns:
      the predicate

    • setNotBeforeRequired

      public void setNotBeforeRequired(@Nonnull Predicate<ProfileRequestContext> predicate)
      Set the predicate which determines whether an Assertion SubjectConfirmationData NotBefore is required.

      Defaults to an always false predicate.

      Parameters:
      predicate - the predicate, must be non-null

    • getNotOnOrAfterRequired

      @Nonnull public Predicate<ProfileRequestContext> getNotOnOrAfterRequired()
      Get the predicate which determines whether an Assertion SubjectConfirmationData NotOnOrAfter is required.

      Defaults to an always false predicate;

      Returns:
      the predicate

    • setNotOnOrAfterRequired

      public void setNotOnOrAfterRequired(@Nonnull Predicate<ProfileRequestContext> predicate)
      Set the predicate which determines whether an Assertion SubjectConfirmationData NotOnOrAfter is required.

      Defaults to an always false predicate.

      Parameters:
      predicate - the predicate, must be non-null

    • getAddressRequired

      @Nonnull public Predicate<ProfileRequestContext> getAddressRequired()
      Get the predicate which determines whether an Assertion SubjectConfirmationData Address is required.

      Defaults to an always false predicate;

      Returns:
      the predicate

    • setAddressRequired

      public void setAddressRequired(@Nonnull Predicate<ProfileRequestContext> predicate)
      Set the predicate which determines whether an Assertion SubjectConfirmationData Address is required.

      Defaults to an always false predicate.

      Parameters:
      predicate - the predicate, must be non-null

    • getCheckAddress

      @Nonnull public Predicate<ProfileRequestContext> getCheckAddress()
      Get the predicate which determines whether an Assertion's network address(es) should be checked.

      Defaults to an always true predicate;

      Returns:
      the predicate

    • setCheckAddress

      public void setCheckAddress(@Nonnull Predicate<ProfileRequestContext> predicate)
      Set the predicate which determines whether an Assertion's network address(es) should be checked.

      Defaults to an always true predicate.

      Parameters:
      predicate - the predicate, must be non-null

    • getAdditionalAudiences

      @Nullable public Function<ProfileRequestContext,Set<String>> getAdditionalAudiences()
      Get the function for determining additional audience values.

      Defaults to null.

      Returns:
      the function

    • setAdditionalAudiences

      public void setAdditionalAudiences(@Nullable Function<ProfileRequestContext,Set<String>> function)
      Set the function for determining additional audience values.

      Defaults to null.

      Parameters:
      function - the function, may be null

    • getValidIssuers

      @Nonnull public Function<ProfileRequestContext,Set<String>> getValidIssuers()
      Get the function for determining the valid Issuer values

      Defaults to an implementation which resolves the outbound SAML peer entityID.

      Returns:
      the function

    • setValidIssuers

      public void setValidIssuers(@Nonnull Function<ProfileRequestContext,Set<String>> function)
      Set the function for determining the valid Issuer values

      Defaults to an implementation which resolves the outbound SAML peer entityID.

      Parameters:
      function - the function, may be null

    • getMaximumTimeSinceAuthn

      @Nullable public Function<ProfileRequestContext,Duration> getMaximumTimeSinceAuthn()
      Get the function for determining the max allowed time since authentication.

      Defaults to null.

      Returns:
      the function

    • setMaximumTimeSinceAuthn

      public void setMaximumTimeSinceAuthn(@Nullable Function<ProfileRequestContext,Duration> function)
      Set the function for determining the max allowed time since authentication.

      Defaults to null.

      Parameters:
      function - the function, may be null

    • getSignatureCriteriaSetFunction

      @Nullable public Function<Pair<ProfileRequestContext,Assertion>,CriteriaSet> getSignatureCriteriaSetFunction()
      Get the function for resolving the signature validation CriteriaSet for a particular function.

      Defaults to: null.

      Returns:
      a criteria set instance, or null

    • setSignatureCriteriaSetFunction

      public void setSignatureCriteriaSetFunction(@Nullable Function<Pair<ProfileRequestContext,Assertion>,CriteriaSet> function)
      Set the function for resolving the signature validation CriteriaSet for a particular function.

      Defaults to: null.

      Parameters:
      function - the resolving function, may be null

    • apply

      @Nullable public ValidationContext apply(@Nullable ValidateAssertions.AssertionValidationInput input)
      Specified by:
      apply in interface Function<ValidateAssertions.AssertionValidationInput,ValidationContext>

    • buildStaticParameters

      @Nonnull protected Map<String,Object> buildStaticParameters(@Nonnull ValidateAssertions.AssertionValidationInput input)
      Build the static parameters map for input to the ValidationContext.
      Parameters:
      input - the assertion validation input
      Returns:
      the static parameters map

    • populateSignatureParameters

      private void populateSignatureParameters(@Nonnull Map<String,Object> staticParams, @Nonnull ValidateAssertions.AssertionValidationInput input)
      Populate the static signature parameters.
      Parameters:
      staticParams - the parameters being populated
      input - validation input

    • populateConditionsParameters

      private void populateConditionsParameters(@Nonnull Map<String,Object> staticParams, @Nonnull ValidateAssertions.AssertionValidationInput input)
      Populate the static Conditions parameters.
      Parameters:
      staticParams - the parameters being populated
      input - validation input

    • populateSubjectConfirmationParameters

      private void populateSubjectConfirmationParameters(@Nonnull Map<String,Object> staticParams, @Nonnull ValidateAssertions.AssertionValidationInput input, @Nonnull Set<InetAddress> validAddresses, @Nonnull Boolean checkAddressEnabled)
      Populate the static SubjectConfirmation parameters.
      Parameters:
      staticParams - the parameters being populated
      input - validation input
      validAddresses - the valid addresses
      checkAddressEnabled - whether address checking is enabled

    • populateStatementParams

      private void populateStatementParams(@Nonnull Map<String,Object> staticParams, @Nonnull ValidateAssertions.AssertionValidationInput input, @Nonnull Set<InetAddress> validAddresses, @Nonnull Boolean checkAddressEnabled)
      Populate the static Statement params.
      Parameters:
      staticParams - the parameters being populated
      input - validation input
      validAddresses - the valid addresses
      checkAddressEnabled - whether address checking is enabled

    • getRequiredConditions

      @Nonnull protected Set<QName> getRequiredConditions(@Nonnull ValidateAssertions.AssertionValidationInput input)
      Get the set of required Conditions.

      The default behavior is to return the locally-configured data via getRequiredConditions().

      Parameters:
      input - the assertion validation input
      Returns:
      the set of required Condition names, may be null

    • getSignatureCriteriaSet

      @Nonnull protected CriteriaSet getSignatureCriteriaSet(@Nonnull ValidateAssertions.AssertionValidationInput input)
      Get the signature validation criteria set.

      This implementation first evaluates the result of applying the function getSignatureCriteriaSetFunction(), if configured. If that evaluation did not produce an EntityIdCriterion, one is added based on the issuer of the Assertion. If that evaluation did not produce an instance of UsageCriterion, one is added with the value of UsageType.SIGNING.

      Finally the following criteria are added if not already present and if the corresponding data is available in the inbound MessageContext:

      Parameters:
      input - the assertion validation input
      Returns:
      the criteria set based on the message context data

    • populateSignatureCriteriaFromInboundContext

      protected void populateSignatureCriteriaFromInboundContext(@Nonnull CriteriaSet criteriaSet, @Nonnull MessageContext inboundContext)
      Populate signature criteria from the specified MessageContext.
      Parameters:
      criteriaSet - the criteria set to populate
      inboundContext - the inbound message context

    • getAttesterCertificate

      @Nullable protected X509Certificate getAttesterCertificate(@Nonnull ValidateAssertions.AssertionValidationInput input)
      Get the attesting entity's X509Certificate.

      This implementation returns the client TLS certificate present in the HttpServletRequest, or null if one is not present.

      Parameters:
      input - the assertion validation input
      Returns:
      the entity certificate, or null

    • getAttesterPublicKey

      @Nullable protected PublicKey getAttesterPublicKey(@Nonnull ValidateAssertions.AssertionValidationInput input)
      Get the attesting entity's PublicKey.

      This implementation returns null. Subclasses should override to implement specific logic.

      Parameters:
      input - the assertion validation input
      Returns:
      the entity public key, or null

    • getValidRecipients

      @Nonnull @Unmodifiable @NotLive protected Set<String> getValidRecipients(@Nonnull ValidateAssertions.AssertionValidationInput input)
      Get the valid recipient endpoints for attestation.

      This implementation returns a set containing the 2 values;

      1. the result of evaluating SAMLBindingSupport.getActualReceiverEndpointURI(MessageContext, HttpServletRequest)
      2. if enabled via the eval of getIncludeSelfEntityIDAsRecipient(), the value from evaluating getSelfEntityID(AssertionValidationInput) if non-null
      Parameters:
      input - the assertion validation input
      Returns:
      set of recipient endpoint URI's

    • getValidAddresses

      @Nonnull @Unmodifiable @NotLive protected Set<InetAddress> getValidAddresses(@Nonnull ValidateAssertions.AssertionValidationInput input)
      Get the set of addresses which are valid for subject confirmation.

      This implementation simply returns the set based on getAttesterIPAddress(AssertionValidationInput), if that produces a value. Otherwise an empty set is returned.

      Parameters:
      input - the assertion validation input
      Returns:
      the set of valid addresses

    • getAttesterIPAddress

      @Nullable protected String getAttesterIPAddress(@Nonnull ValidateAssertions.AssertionValidationInput input)
      Get the attester's IP address.

      This implementation returns the value of ServletRequest.getRemoteAddr().

      Parameters:
      input - the assertion validation input
      Returns:
      the IP address of the attester

    • getValidAudiences

      @Nonnull @Unmodifiable @NotLive protected Set<String> getValidAudiences(@Nonnull ValidateAssertions.AssertionValidationInput input)
      Get the valid audiences for attestation.

      This implementation returns a set containing the union of:

      1. the result of getSelfEntityID(AssertionValidationInput), if non-null
      2. the result of evaluating getAdditionalAudiences(), if non-null
      Parameters:
      input - the assertion validation input
      Returns:
      set of audience URI's

    • getSelfEntityID

      @Nullable protected String getSelfEntityID(@Nonnull ValidateAssertions.AssertionValidationInput input)
      Get the self entityID.
      Parameters:
      input - the assertion validation input
      Returns:
      the self entityID, or null if could not be resolved