Class DefaultMetadataPolicyValidator

  • All Implemented Interfaces:
    Predicate<Map<String,​MetadataPolicy>>

    public class DefaultMetadataPolicyValidator
    extends Object
    implements Predicate<Map<String,​MetadataPolicy>>

    A predicate that verifies that a map of MetadataPolicy entries (keyed by metadata parameter name) meets the restrictions on operator combinations defined in the OpenID Connect Federation 1.0 specification (draft 17, September 2021):

    A policy entry can contain one or more operators. Not all operators are allowed to appear together in the same policy entry:

    • subset_of and superset_of apply to parameters that can have more than one value (for instance, contacts), while one_of applies to parameters that can only have one value (for instance, id_token_signed_response_alg). This means that one_of cannot appear alongside subset_of or superset_of in a policy entry.
    • value overrides everything else, so combining value with any operator other than essential does not make sense.
    • If subset_of and superset_of both appear as operators, then the list of values in subset_of MUST be a superset of the values in superset_of.
    • If add appears in a policy entry together with subset_of, then the value(s) of add MUST be a subset of subset_of.
    • If add appears in a policy entry together with superset_of, then the values of add MUST be a superset of superset_of.
    • If default appears in a policy entry together with subset_of, then the values of default MUST be a subset of subset_of.
    • If default appears in a policy entry together with superset_of, then the values of default MUST be a superset of superset_of.
    • If add appears in a policy entry together with one_of, then the value of add MUST be a member of one_of.
    • If default appears in a policy entry together with one_of, then the value of default MUST be a member of one_of.
    • Field Detail

      • log

        @Nonnull
        private final org.slf4j.Logger log
        Class logger.
    • Constructor Detail

      • DefaultMetadataPolicyValidator

        public DefaultMetadataPolicyValidator()
    • Method Detail

      • verifyValue

        protected boolean verifyValue​(String claim,
                                      Pair<String,​Object> value,
                                      List<Object> subsetOfValues,
                                      List<Object> supersetOfValues,
                                      List<Object> oneOfValues)

        Verifies a single operator value (such as the value carried by add or default) against the following rules:

        • If it appears in a policy entry together with subset_of, then the value(s) being verified MUST be a subset of subset_of.
        • If it appears in a policy entry together with superset_of, then the values being verified MUST be a superset of superset_of.
        • If it appears in a policy entry together with one_of, then the value being verified MUST be a member of one_of.
        Parameters:
        claim - The metadata parameter whose policy entry is being verified; used only in log messages.
        value - The value to be verified against the rules.
        subsetOfValues - The contents of subset_of, or null if the entry has no subset_of operator.
        supersetOfValues - The contents of superset_of, or null if the entry has no superset_of operator.
        oneOfValues - The contents of one_of, or null if the entry has no one_of operator.
        Returns:
        true if the value meets the rules, false otherwise.
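The following is an added, standalone example (in Python, not the project's Java code, and not using its MetadataPolicy type) that implements the operator-combination rules from the class description above and the per-value rules of verifyValue as plain functions over a dict-shaped metadata_policy. The function names (validate_metadata_policy, validate_policy_entry, verify_value) and the two sample policies are constructed for this illustration; a practitioner can paste a metadata_policy from an entity statement into it to see which entries a validator of this kind would reject and why.

```python
"""Standalone checker for the operator-combination rules of an OpenID Connect
Federation 1.0 (draft 17) metadata_policy, as listed on this page.
Added example: this is not the Shibboleth DefaultMetadataPolicyValidator and
does not use its MetadataPolicy type; a policy is a plain dict of
claim name -> {operator name -> operator value}."""

from typing import Any, List, Optional, Tuple

Problem = Tuple[str, str]  # (claim, description of the violated rule)


def _as_list(v: Any) -> list:
    """Treat a scalar operator value as a one-element list so set-style
    comparisons work for both single- and multi-valued parameters."""
    if v is None:
        return []
    return list(v) if isinstance(v, (list, tuple, set)) else [v]


def _is_subset(a: list, b: list) -> bool:
    """a is a subset of b, without requiring hashable values (operator values may be JSON objects)."""
    return all(x in b for x in a)


def verify_value(claim: str, operator: str, value: Any,
                 subset_of: Optional[list], superset_of: Optional[list],
                 one_of: Optional[list]) -> List[Problem]:
    """The three value rules this page lists for verifyValue, applied to the value
    carried by `operator` (add or default). Returns the violations, empty if none."""
    vals = _as_list(value)
    problems: List[Problem] = []
    if subset_of is not None and not _is_subset(vals, subset_of):
        problems.append((claim, f"{operator} {vals} is not a subset of subset_of {subset_of}"))
    if superset_of is not None and not _is_subset(superset_of, vals):
        problems.append((claim, f"{operator} {vals} is not a superset of superset_of {superset_of}"))
    # one_of governs single-valued parameters, so exactly one value is expected here.
    if one_of is not None and (len(vals) != 1 or vals[0] not in one_of):
        problems.append((claim, f"{operator} {value!r} is not a member of one_of {one_of}"))
    return problems


def validate_policy_entry(claim: str, entry: dict) -> List[Problem]:
    """Check one claim's policy entry against the operator-combination rules."""
    problems: List[Problem] = []
    one_of, subset_of, superset_of = entry.get("one_of"), entry.get("subset_of"), entry.get("superset_of")

    # one_of is for single-valued parameters, subset_of/superset_of for multi-valued
    # ones: they must not share an entry.
    if one_of is not None and (subset_of is not None or superset_of is not None):
        problems.append((claim, "one_of cannot appear alongside subset_of/superset_of"))

    # value fixes the parameter outright; only essential may accompany it.
    if "value" in entry:
        others = sorted(set(entry) - {"value", "essential"})
        if others:
            problems.append((claim, f"value cannot be combined with {others}"))

    # When both range operators are present, subset_of must contain superset_of.
    if subset_of is not None and superset_of is not None and not _is_subset(superset_of, subset_of):
        problems.append((claim, f"subset_of {subset_of} is not a superset of superset_of {superset_of}"))

    # add and default carry concrete values; both must fit the range operators.
    for op in ("add", "default"):
        if op in entry:
            problems.extend(verify_value(claim, op, entry[op], subset_of, superset_of, one_of))
    return problems


def validate_metadata_policy(policy: dict) -> List[Problem]:
    """Validate a whole metadata_policy; an empty result means it passes."""
    problems: List[Problem] = []
    for claim, entry in policy.items():
        problems.extend(validate_policy_entry(claim, entry))
    return problems


# Constructed sample policies (not taken from any real federation).
POLICY_OK = {
    "contacts": {"add": ["ops@example.com"],
                 "subset_of": ["ops@example.com", "sec@example.com"]},
    "id_token_signed_response_alg": {"one_of": ["ES256", "RS256"], "default": "ES256"},
    "scope": {"subset_of": ["openid", "email", "profile"], "superset_of": ["openid"],
              "default": ["openid", "email"]},
    "require_signed_request_object": {"value": True, "essential": True},
}

POLICY_BAD = {
    "scope": {"subset_of": ["openid", "email"], "superset_of": ["openid", "profile"]},
    "contacts": {"one_of": ["ops@example.com"], "subset_of": ["ops@example.com"]},
    "id_token_signed_response_alg": {"value": "ES256", "one_of": ["ES256"]},
    "redirect_uris": {"superset_of": ["https://rp.example/cb", "https://rp.example/cb2"],
                      "add": ["https://rp.example/cb"]},
}

if __name__ == "__main__":
    for name, policy in (("ok", POLICY_OK), ("bad", POLICY_BAD)):
        for claim, msg in validate_metadata_policy(policy):
            print(f"[{name}] {claim}: {msg}")
```

Run as a script, POLICY_OK produces no output and POLICY_BAD reports one violation per entry: the subset_of/superset_of inversion on scope, one_of beside subset_of on contacts, value combined with one_of on id_token_signed_response_alg, and an add list that does not cover superset_of on redirect_uris. Unlike the page's boolean predicate, the checker collects every violation rather than stopping at the first, which is more useful when debugging a policy received from a trust anchor.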