/** * Copyright (c) Codice Foundation * <p> * This is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser * General Public License as published by the Free Software Foundation, either version 3 of the * License, or any later version. * <p> * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. A copy of the GNU Lesser General Public License * is distributed along with this program and can be found at * <http://www.gnu.org/licenses/lgpl.html>. */ package org.codice.ddf.security.delegation; import org.apache.cxf.sts.request.ReceivedToken; import org.apache.cxf.sts.token.delegation.TokenDelegationHandler; import org.apache.cxf.sts.token.delegation.TokenDelegationParameters; import org.apache.cxf.sts.token.delegation.TokenDelegationResponse; import org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType; import org.apache.wss4j.dom.WSConstants; import org.codice.ddf.security.handler.api.BSTAuthenticationToken; import org.slf4j.LoggerFactory; /** * The SAML TokenDelegationHandler implementation. It disallows ActAs or OnBehalfOf for * all cases apart from the case of a Bearer SAML Token. In addition, the AppliesTo * address (if supplied) must match an AudienceRestriction address (if in token), if the * "checkAudienceRestriction" property is set to "true". 
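*/
/**
 * {@link TokenDelegationHandler} for DDF binary security tokens ({@link BSTAuthenticationToken}).
 * <p>
 * A token is handled only when it is a {@link BinarySecurityTokenType} whose value type is
 * {@link #BST_VALUE_TYPE} and whose encoding type is {@link #BASE64_ENCODING}. Delegation (ActAs /
 * OnBehalfOf) is allowed for exactly those tokens and for nothing else, so an X.509 binary
 * security token is neither handled nor delegable by this handler. No AppliesTo /
 * AudienceRestriction check is performed here.
 */
public class BSTDelegationHandler implements TokenDelegationHandler {

  /** Value type URI of an X.509 PKI path binary security token (not accepted by this handler). */
  public static final String X509_PKI_PATH = WSConstants.X509TOKEN_NS + "#X509PKIPathv1";

  /** Value type URI of an X.509 v3 certificate binary security token (not accepted here). */
  public static final String X509_V3 = WSConstants.X509TOKEN_NS + "#X509v3";

  /** Encoding type URI a token must declare to be accepted. */
  public static final String BASE64_ENCODING = WSConstants.SOAPMESSAGE_NS + "#Base64Binary";

  /** Value type URI a token must declare to be accepted. */
  public static final String BST_VALUE_TYPE =
      BSTAuthenticationToken.BST_NS + "#" + BSTAuthenticationToken.BST_LN;

  private static final org.slf4j.Logger LOGGER =
      LoggerFactory.getLogger(BSTDelegationHandler.class);

  /**
   * Reports whether this handler is responsible for {@code delegateTarget}.
   *
   * @param delegateTarget the received ActAs/OnBehalfOf token; may be {@code null}
   * @return {@code true} only for a {@link BinarySecurityTokenType} carrying
   *     {@link #BST_VALUE_TYPE} and {@link #BASE64_ENCODING}; {@code false} for anything else
   */
  @Override
  public boolean canHandleToken(ReceivedToken delegateTarget) {
    return delegateTarget != null && isDdfBst(delegateTarget.getToken());
  }

  /**
   * Decides whether delegation is allowed for the token in {@code tokenParameters}.
   * <p>
   * The decision uses the same predicate as {@link #canHandleToken}: only a DDF BST with the
   * expected value and encoding types is delegable. Accepting any {@link BinarySecurityTokenType}
   * here would approve tokens (for example X.509 BSTs) that this handler never claimed to handle,
   * so the check is deliberately repeated rather than relying on the caller having called
   * {@link #canHandleToken} first.
   *
   * @param tokenParameters the delegation request; its token may be {@code null}
   * @return a response carrying the received token and the delegation decision
   */
  @Override
  public TokenDelegationResponse isDelegationAllowed(TokenDelegationParameters tokenParameters) {
    TokenDelegationResponse response = new TokenDelegationResponse();
    ReceivedToken delegateTarget = tokenParameters.getToken();
    response.setToken(delegateTarget);

    boolean allowed = delegateTarget != null && isDdfBst(delegateTarget.getToken());
    response.setDelegationAllowed(allowed);
    if (!allowed) {
      LOGGER.debug("Delegation not allowed: token is not a DDF binary security token.");
    }
    return response;
  }

  /**
   * Single definition of "a token this handler accepts", shared by both public methods.
   *
   * @param token the raw token object from {@link ReceivedToken#getToken()}; may be {@code null}
   * @return {@code true} if {@code token} is a {@link BinarySecurityTokenType} with
   *     {@link #BST_VALUE_TYPE} as value type and {@link #BASE64_ENCODING} as encoding type
   */
  private static boolean isDdfBst(Object token) {
    if (!(token instanceof BinarySecurityTokenType)) {
      return false;
    }
    BinarySecurityTokenType bst = (BinarySecurityTokenType) token;
    return BST_VALUE_TYPE.equals(bst.getValueType())
        && BASE64_ENCODING.equals(bst.getEncodingType());
  }
}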