Package net.shibboleth.idp.attribute.impl

Class ComputedPairwiseIdStore

java.lang.Object
net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
net.shibboleth.idp.attribute.impl.ComputedPairwiseIdStore
All Implemented Interfaces:
PairwiseIdStore, Component, DestructableComponent, InitializableComponent
public class ComputedPairwiseIdStore extends AbstractInitializableComponent implements PairwiseIdStore
A PairwiseIdStore that generates a pairwise ID by computing the hash of a given attribute value, the entity ID of the recipient, and a salt.

The salt may be global, or produced by a lookup function, and an exception map may be injected to override those values. The precedence is [map, function, global], and either a global value or function must be supplied.

In this version of the software, the first argument to the salt strategy function will always be null. Future versions will change this.

The original implementation and values in common use relied on base64 encoding of the result, but due to discovery of the lack of appropriate case handling of identifiers by applications, the ability to use base32 has been added to eliminate the possibility of case conflicts.

Since:
4.0.0

  • Field Details

  • Constructor Details

    • ComputedPairwiseIdStore

      public ComputedPairwiseIdStore()
      Constructor.

  • Method Details

    • getSalt

      @NonnullAfterInit public byte[] getSalt()
      Get the salt used when computing the ID.
      Returns:
      salt used when computing the ID

    • setSalt

      public void setSalt(@Nullable byte[] newValue)
      Set the salt used when computing the ID.

      An empty/null input is ignored.

      Parameters:
      newValue - used when computing the ID

    • setSalt

      public void setSalt(@Nullable String newValue)
      Set the salt used when computing the ID.

      An empty/null input is ignored.

      Parameters:
      newValue - used when computing the ID

    • setEncodedSalt

      public void setEncodedSalt(@Nullable String newValue)
      Set the base64-encoded salt used when computing the ID.

      An empty/null input is ignored.

      Parameters:
      newValue - used when computing the ID

    • getAlgorithm

      @Nonnull @NotEmpty public String getAlgorithm()
      Get the JCE algorithm name of the digest algorithm to use (default is SHA).
      Returns:
      JCE message digest algorithm

    • setAlgorithm

      public void setAlgorithm(@Nonnull @NotEmpty String alg)
      Set the JCE algorithm name of the digest algorithm to use (default is SHA).
      Parameters:
      alg - JCE message digest algorithm

    • getEncoding

      @Nonnull public ComputedPairwiseIdStore.Encoding getEncoding()
      Get the post-digest encoding to use.
      Returns:
      encoding

    • setEncoding

      public void setEncoding(@Nonnull ComputedPairwiseIdStore.Encoding enc)
      Set the post-digest encoding to use.
      Parameters:
      enc - encoding

    • setExceptionMap

      public void setExceptionMap(@Nullable @NotEmpty Map<String,Map<String,String>> map)
      Install map of exceptions that override standard generation.

      The map is keyed by principal name (or '*' for all), and the values are a map of relying party to salt overrides. A relying party of '*' applies to all parties. A null mapped value implies that no value should be generated, while a string value is fed into the computation in place of the default salt. Specific rules trump wildcarded rules.

      Parameters:
      map - exceptions to apply

    • setSaltLookupStrategy

      public void setSaltLookupStrategy(@Nullable BiFunction<ProfileRequestContext,PairwiseId,String> strategy)
      Sets an optional function to use to obtain the salt for the request.
      Parameters:
      strategy - lookup strategy
      Since:
      4.3.0

    • setHttpServletRequestSupplier

      public void setHttpServletRequestSupplier(@Nullable NonnullSupplier<javax.servlet.http.HttpServletRequest> supplier)
      Sets a supplier for the servlet request by which the ProfileRequestContext can be obtained.
      Parameters:
      supplier - request supplier
      Since:
      4.3.0

    • doInitialize

      protected void doInitialize() throws ComponentInitializationException
      Overrides:
      doInitialize in class AbstractInitializableComponent
      Throws:
      ComponentInitializationException

    • getBySourceValue

      @Nullable public PairwiseId getBySourceValue(@Nonnull PairwiseId pid, boolean allowCreate) throws IOException
      Populate the pairwise ID field for the input object based on the supplied values.

      The input object must contain values for issuer and recipient entityIDs and the principal name, and the pairwise ID will be populated as applicable on output.

      The object returned, if non-null, may be, but does not have to be, the same physical object used as input. The original input object should not be referenced further.

      Specified by:
      getBySourceValue in interface PairwiseIdStore
      Parameters:
      pid - object to populate
      allowCreate - true iff the caller is authorizing the issuance of a new identifier
      Returns:
      object for the given inputs or null if none exists
      Throws:
      IOException - if an error occurs accessing the store

    • getEffectiveSalt

      @Nullable private byte[] getEffectiveSalt(@Nonnull PairwiseId pid)
      Get the effective salt to apply for a particular principal/RP pair, or null to refuse to generate one.
      Parameters:
      pid - pairwise ID input
      Returns:
      salt to use