/*
* JBoss, Home of Professional Open Source
*
* Copyright 2013 Red Hat, Inc. and/or its affiliates.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.picketlink.identity.federation.core.sts.registry;
import org.picketlink.identity.federation.core.sts.PicketLinkCoreSTS;
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileReader;
import java.io.FileWriter;
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
/**
* <p>
* {@code FileBasedRevocationRegistry} is a revocation registry implementation that uses a file to store the ids of the
* revoked
* (canceled) security tokens. By default all ids are stored in $HOME/picketlink-store/sts/revoked.ids but a different
* location
* can be specified through the constructor that takes the file name as a parameter.
* </p>
* <p>
* NOTE: this implementation use a local cache to avoid reading the file system every time a revocation check is made,
* making
* this registry a bad choice for distributed scenarios. Even though the registry file is updated whenever a new id is
* revoked,
* each node in the cluster will have its own cached view and thus a token that has been canceled by one node may be
* accepted by
* another live node as the caches are not refreshed or synchronized.
* </p>
*
* @author <a href="mailto:sguilhen@redhat.com">Stefan Guilhen</a>
*/
public class FileBasedRevocationRegistry extends FileBasedSTSOperations implements RevocationRegistry {
protected static final String FILE_NAME = "revoked.ids";
// this set contains the ids of the revoked security tokens.
protected static Set<String> revokedIds = new HashSet<String>();
// the file that stores the revoked ids.
protected File registryFile;
/**
* <p>
* Creates an instance of {@code RevocationRegistryFile} that stores the canceled ids in the default
* {@code $HOME/picketlink-store/sts/revoked.ids} file.
* </p>
*/
public FileBasedRevocationRegistry() {
this(FILE_NAME);
}
/**
* <p>
* Creates an instance of {@code RevocationRegistryFile} that stores the canceled ids in specified file.
* </p>
*
* @param registryFile a {@code String} that indicates the file that must be used to store revoked ids.
*/
public FileBasedRevocationRegistry(String registryFileName) {
super();
this.registryFile = create(registryFileName);
// load the revoked ids cache.
this.loadRevokedIds();
}
/*
* (non-Javadoc)
*
* @see org.picketlink.identity.federation.core.wstrust.plugins.RevocationRegistry#isRevoked(java.lang.String,
* java.lang.String)
*/
public boolean isRevoked(String tokenType, String id) {
return revokedIds.contains(id);
}
/*
* (non-Javadoc)
*
* @see org.picketlink.identity.federation.core.wstrust.plugins.RevocationRegistry#revokeToken(java.lang.String,
* java.lang.String)
*/
public synchronized void revokeToken(String tokenType, String id) {
SecurityManager sm = System.getSecurityManager();
if (sm != null)
sm.checkPermission(PicketLinkCoreSTS.rte);
try {
// write a new line with the revoked id at the end of the file.
BufferedWriter writer = new BufferedWriter(new FileWriter(this.registryFile, true));
writer.write(id + "\n");
writer.close();
} catch (IOException ioe) {
logger.debug("Error appending content to registry file: " + ioe.getMessage());
ioe.printStackTrace();
}
// add the revoked id to the local cache.
revokedIds.add(id);
}
/**
* <p>
* This method loads the ids of the revoked assertions from the registry file. All retrieved ids are set in the
* local cache
* of revoked ids.
* </p>
*/
private void loadRevokedIds() {
try {
// read the file contents and populate the local cache.
BufferedReader reader = new BufferedReader(new FileReader(this.registryFile));
String id = reader.readLine();
while (id != null) {
revokedIds.add(id);
id = reader.readLine();
}
reader.close();
} catch (IOException ioe) {
logger.debug("Error opening registry file: " + ioe.getMessage());
ioe.printStackTrace();
}
}
}