Class DefaultMetadataPolicyEnforcer

  • All Implemented Interfaces:
BiFunction<Object,MetadataPolicy,Pair<Object,Boolean>>

    public class DefaultMetadataPolicyEnforcer
    extends Object
implements BiFunction<Object,MetadataPolicy,Pair<Object,Boolean>>

A function that applies the given MetadataPolicy to the given object. The inputs are the object and the policy (the two arguments of the BiFunction). The policy is applied to the incoming object in the following way, as specified in the OIDC federation specification 1.0 (draft 17 / September 2021):

    • If there is a value operator in the policy, apply that and you are done.
    • Add whatever value is specified in an add operator.
    • If the parameter still has no value apply the default if there is one.
• Do the essential check. If essential is missing as an operator, essential is to be treated as if set to false. If essential is defined to be true, then the claim MUST have a value by now; otherwise applying the operator MUST fail.
• Do the other checks. Verify that the value is one_of the allowed values, or that the values are subset_of/superset_of the allowed values. If the parameter values do not fall within the allowed boundaries, applying the operator MUST fail.

    In addition to the checks above, we also support regular expression validation.

The function returns a Pair of the object to which the value modifiers of the metadata policy have been applied, and a flag indicating whether the object was compatible with the value checks of the metadata policy.
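The following is an added, self-contained Java example that walks through the operator order described above (value, add, default, essential, then one_of / subset_of / superset_of and the regular-expression extension). It is not the plugin's own code: the nested ClaimPolicy class is a hypothetical stand-in for a single claim's operators in a MetadataPolicy, and the Result record stands in for the Pair<Object,Boolean> return type.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.regex.Pattern;

public class MetadataPolicyEnforcerExample {

    /** Hypothetical stand-in for one claim's operators in a MetadataPolicy (not the plugin's class). */
    static final class ClaimPolicy {
        Object value;            // "value" operator: replaces the candidate outright
        List<Object> add;        // "add" operator: values appended to an array-valued claim
        Object defaultValue;     // "default" operator: used only if the claim still has no value
        boolean essential;       // "essential" operator: absent means false
        List<Object> oneOf;      // "one_of" check for single-valued claims
        List<Object> subsetOf;   // "subset_of" check for array-valued claims
        List<Object> supersetOf; // "superset_of" check for array-valued claims
        String regexp;           // regular-expression check (the extension the enforcer adds)
    }

    /** Stand-in for Pair<Object,Boolean>: the modified value and whether the value checks passed. */
    record Result(Object value, boolean compliant) {}

    static Result apply(Object candidate, ClaimPolicy p) {
        // 1. A value operator wins: apply it and stop.
        if (p.value != null) {
            return new Result(p.value, true);
        }
        Object current = candidate;
        // 2. Add whatever the add operator specifies.
        if (p.add != null && !p.add.isEmpty()) {
            current = applyAdd(current, p.add);
        }
        // 3. Still no value: fall back to the default, if any.
        if (current == null && p.defaultValue != null) {
            current = p.defaultValue;
        }
        // 4. Essential check: an essential claim must have a value by now.
        if (p.essential && current == null) {
            return new Result(null, false);
        }
        // 5. Remaining value checks decide the compliance flag.
        return new Result(current, doValueChecks(current, p));
    }

    /** add only makes sense for array-valued (or absent) claims; duplicates are not re-added. */
    static Object applyAdd(Object candidate, List<Object> add) {
        List<Object> out = new ArrayList<>();
        if (candidate instanceof Collection<?> c) {
            out.addAll(c);
        } else if (candidate != null) {
            throw new IllegalArgumentException("add operator applied to a non-array claim");
        }
        for (Object a : add) {
            if (!out.contains(a)) {
                out.add(a);
            }
        }
        return out;
    }

    static boolean doValueChecks(Object candidate, ClaimPolicy p) {
        if (candidate == null) {
            return true; // nothing to check; a missing essential value was rejected earlier
        }
        if (p.oneOf != null && !p.oneOf.contains(candidate)) {
            return false;
        }
        if (p.subsetOf != null
                && (!(candidate instanceof Collection<?> c) || !p.subsetOf.containsAll(c))) {
            return false;
        }
        if (p.supersetOf != null
                && (!(candidate instanceof Collection<?> c) || !c.containsAll(p.supersetOf))) {
            return false;
        }
        if (p.regexp != null) {
            Pattern pat = Pattern.compile(p.regexp);
            Collection<?> values = candidate instanceof Collection<?> c ? c : List.of(candidate);
            for (Object v : values) {
                if (!pat.matcher(String.valueOf(v)).matches()) {
                    return false;
                }
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample policy for a "scope"-like array claim.
        ClaimPolicy p = new ClaimPolicy();
        p.add = List.of("openid");
        p.subsetOf = List.of("openid", "profile", "email");
        p.essential = true;
        p.regexp = "[a-z]+";
        System.out.println(apply(List.of("profile"), p));            // compliant after add
        System.out.println(apply(List.of("profile", "address"), p)); // fails subset_of
        System.out.println(apply(null, p));                          // add supplies a value
    }
}
```

The order matters for the security outcome: because the value operator short-circuits everything after it, a superior entity's value operator can never be loosened by a subordinate's add or default, and the essential check runs before the other value checks so that a missing required claim is reported as non-compliant rather than silently passing an empty check.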

    • Field Detail

      • log

        @Nonnull
        private final org.slf4j.Logger log
        Class logger.
    • Constructor Detail

      • DefaultMetadataPolicyEnforcer

        public DefaultMetadataPolicyEnforcer()
    • Method Detail

      • applyAddOperator

        @Nonnull
protected Object applyAddOperator(@Nullable
                                          Object candidate,
                                          @Nonnull
                                          Object add)
                                   throws ConstraintViolationException
        Applies the given add value modifier for the given candidate and returns the result of the operation.
        Parameters:
        candidate - The candidate for which the add operation is applied.
        add - The value(s) to be added to the claim.
        Returns:
        An object containing the candidate for which the add operation has been applied.
        Throws:
        ConstraintViolationException - If the add operator is not compliant with the given candidate.
      • doValueChecks

protected boolean doValueChecks(@Nullable
                                        Object candidate,
                                        @Nonnull
                                        MetadataPolicy policy)
        Runs the value check operators for the candidate.
        Parameters:
        candidate - The candidate to be verified.
        policy - The metadata policy whose value check operators are used.
        Returns:
        true if the candidate is compliant with the metadata policy, false otherwise.
      • verifyRegexp

protected boolean verifyRegexp(@Nonnull
                                       Object candidate,
                                       @Nullable
                                       String regexp)
Verifies that the given candidate matches the regular expression.
        Parameters:
        candidate - The candidate to be verified.
        regexp - The regular expression.
        Returns:
true if the candidate is compliant with the regular expression, false otherwise.