net.shibboleth.metadata.dom.saml

Class EntityRoleFilterStage

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent

net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent

net.shibboleth.metadata.pipeline.BaseStage<T>

net.shibboleth.metadata.pipeline.BaseIteratingStage<Element>

net.shibboleth.metadata.dom.saml.EntityRoleFilterStage

All Implemented Interfaces:

Stage<Element>, net.shibboleth.utilities.java.support.component.Component, net.shibboleth.utilities.java.support.component.DestructableComponent, net.shibboleth.utilities.java.support.component.IdentifiableComponent, net.shibboleth.utilities.java.support.component.IdentifiedComponent, net.shibboleth.utilities.java.support.component.InitializableComponent

@ThreadSafe
public class EntityRoleFilterStage
extends BaseIteratingStage<Element>

A pipeline stage that will filter SAML role descriptors from EntityDescriptors. This filter will work on Element items that are entity or entities descriptors. In the case of EntitiesDescriptors the role filter will effect all descendant EntityDescriptors.

Field Summary

Fields

Modifier and Type	Field and Description
static QName	ATTRIBUTE_AUTHORITY_DESCRIPTOR_NAME QName of the AttributeAuthorityDescriptor element.
static QName	AUTHN_AUTHORITY_DESCRIPTOR_NAME QName of the AuthnAuthorityDescriptor element.
private Collection<QName>	designatedRoles Role element or type names which are white/black listed depending on the value of whitelistingRoles.
static QName	IDP_SSO_DESCRIPTOR_NAME QName of the IDPSSODescriptor element.
private Logger	log Class logger.
private Set<QName>	namedRoles Set containing the SAML-defined, named role descriptors: IDP_SSO_DESCRIPTOR_NAME, SP_SSO_DESCRIPTOR_NAME, AUTHN_AUTHORITY_DESCRIPTOR_NAME, ATTRIBUTE_AUTHORITY_DESCRIPTOR_NAME, PDP_DESCRIPTOR_NAME.
static QName	PDP_DESCRIPTOR_NAME QName of the PDPDescriptor element.
private boolean	removingEntitylessEntitiesDescriptor Whether EntitiesDescriptor that do not contain EntityDescriptors should be removed.
private boolean	removingRolelessEntities Whether EntityDescriptor elements that do not contain roles, after filtering, should be removed.
static QName	ROLE_DESCRIPTOR_NAME QName of the RoleDescriptor element.
static QName	SP_SSO_DESCRIPTOR_NAME QName of the SPSSODescriptor element.
private boolean	whitelistingRoles Whether designatedRoles should be considered a whitelist or a blacklist.

Constructor Summary

Constructors

Constructor and Description
EntityRoleFilterStage()

Method Summary

Methods

Modifier and Type	Method and Description
protected void	doDestroy()
protected boolean	doExecute(Item<Element> item) Processes a given Item.
Collection<QName>	getDesignatedRoles() Gets the list of designated entity roles.
protected List<Element>	getFilteredRoles(String entityId, Element entityDescriptor) Iterates over the roles of a EntitiesDescriptor, filters out the appropriate ones and returns the rest.
boolean	isRemovingEntitylessEntitiesDescriptor() Gets whether EntitiesDescriptor that do not contain EntityDescriptors should be removed.
boolean	isRemovingRolelessEntities() Gets whether EntityDescriptor elements without roles (after filtering) should be removed altogether.
boolean	isWhitelistingRoles() Gets whether the list of designated roles should be considered a whitelist.
protected boolean	processEntitiesDescriptor(Element entitiesDescriptor) Iterates over all child EntitiesDescriptor, passing each to processEntitiesDescriptor(Element), and EntityDescriptor, passing each to processEntityDescriptor(Element).
protected boolean	processEntityDescriptor(Element entityDescriptor) Processes an EntityDescriptor.
void	setDesignatedRoles(Collection<QName> roles) Sets the list of designated entity roles.
void	setRemoveRolelessEntities(boolean remove) Sets whether EntityDescriptor elements without roles (after filtering) should be removed altogether.
void	setRemovingEntitylessEntitiesDescriptor(boolean remove) Sets whether EntitiesDescriptor that do not contain EntityDescriptors should be removed.
void	setWhitelistingRoles(boolean whitelisting) Sets whether the list of designated roles should be considered a whitelist.

Methods inherited from class net.shibboleth.metadata.pipeline.BaseIteratingStage

doExecute

Methods inherited from class net.shibboleth.metadata.pipeline.BaseStage

execute, getCollectionPredicate, setCollectionPredicate

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent

setId

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent

doInitialize, getId

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.DestructableComponent

destroy, isDestroyed

Methods inherited from interface net.shibboleth.utilities.java.support.component.IdentifiedComponent

getId

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Detail

ROLE_DESCRIPTOR_NAME

public static final QName ROLE_DESCRIPTOR_NAME

QName of the RoleDescriptor element.

IDP_SSO_DESCRIPTOR_NAME

public static final QName IDP_SSO_DESCRIPTOR_NAME

QName of the IDPSSODescriptor element.

SP_SSO_DESCRIPTOR_NAME

public static final QName SP_SSO_DESCRIPTOR_NAME

QName of the SPSSODescriptor element.

AUTHN_AUTHORITY_DESCRIPTOR_NAME

public static final QName AUTHN_AUTHORITY_DESCRIPTOR_NAME

QName of the AuthnAuthorityDescriptor element.

ATTRIBUTE_AUTHORITY_DESCRIPTOR_NAME

public static final QName ATTRIBUTE_AUTHORITY_DESCRIPTOR_NAME

QName of the AttributeAuthorityDescriptor element.

PDP_DESCRIPTOR_NAME

public static final QName PDP_DESCRIPTOR_NAME

QName of the PDPDescriptor element.

log

private final Logger log

Class logger.

namedRoles

private final Set<QName> namedRoles

Set containing the SAML-defined, named role descriptors: IDP_SSO_DESCRIPTOR_NAME, SP_SSO_DESCRIPTOR_NAME, AUTHN_AUTHORITY_DESCRIPTOR_NAME, ATTRIBUTE_AUTHORITY_DESCRIPTOR_NAME, PDP_DESCRIPTOR_NAME.

designatedRoles

private Collection<QName> designatedRoles

Role element or type names which are white/black listed depending on the value of whitelistingRoles.

whitelistingRoles

private boolean whitelistingRoles

Whether designatedRoles should be considered a whitelist or a blacklist. Default value: false

removingRolelessEntities

private boolean removingRolelessEntities

Whether EntityDescriptor elements that do not contain roles, after filtering, should be removed. Default value: true

removingEntitylessEntitiesDescriptor

private boolean removingEntitylessEntitiesDescriptor

Whether EntitiesDescriptor that do not contain EntityDescriptors should be removed. Default value: true

Constructor Detail

EntityRoleFilterStage

public EntityRoleFilterStage()

Method Detail

getDesignatedRoles

@Nonnull
@NonnullElements
@Unmodifiable
public Collection<QName> getDesignatedRoles()

Gets the list of designated entity roles. The list may contain either role element names or schema types.

Returns:

list of designated entity roles, never null

setDesignatedRoles

public void setDesignatedRoles(@Nullable@NullableElements
                      Collection<QName> roles)

Sets the list of designated entity roles. The list may contain either role element names or schema types.

Parameters:

roles - list of designated entity roles

isWhitelistingRoles

public boolean isWhitelistingRoles()

Gets whether the list of designated roles should be considered a whitelist.

Returns:

true if the designated roles should be considered a whitelist, false otherwise

setWhitelistingRoles

public void setWhitelistingRoles(boolean whitelisting)

Sets whether the list of designated roles should be considered a whitelist.

Parameters:

whitelisting - true if the designated entities should be considered a whitelist, false otherwise

isRemovingRolelessEntities

public boolean isRemovingRolelessEntities()

Gets whether EntityDescriptor elements without roles (after filtering) should be removed altogether.

Returns:

true if EntityDescriptors without roles (after filtering) should be removed, false otherwise

setRemoveRolelessEntities

public void setRemoveRolelessEntities(boolean remove)

Sets whether EntityDescriptor elements without roles (after filtering) should be removed altogether.

Parameters:

remove - whether EntityDescriptor elements without roles (after filtering) should be removed altogether

isRemovingEntitylessEntitiesDescriptor

public boolean isRemovingEntitylessEntitiesDescriptor()

Gets whether EntitiesDescriptor that do not contain EntityDescriptors should be removed.

Returns:

whether EntitiesDescriptor that do not contain EntityDescriptors should be removed

setRemovingEntitylessEntitiesDescriptor

public void setRemovingEntitylessEntitiesDescriptor(boolean remove)

Sets whether EntitiesDescriptor that do not contain EntityDescriptors should be removed.

Parameters:

remove - whether EntitiesDescriptor that do not contain EntityDescriptors should be removed

doDestroy

protected void doDestroy()

Overrides:

doDestroy in class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

doExecute

protected boolean doExecute(@Nonnull
                Item<Element> item)

Processes a given Item.

Specified by:

doExecute in class BaseIteratingStage<Element>

Parameters:

item - Item on which to operate

Returns:

true if the Item should be retained in the collection, false if not

processEntitiesDescriptor

protected boolean processEntitiesDescriptor(@Nonnull
                                Element entitiesDescriptor)

Iterates over all child EntitiesDescriptor, passing each to processEntitiesDescriptor(Element), and EntityDescriptor, passing each to processEntityDescriptor(Element). If isRemovingEntitylessEntitiesDescriptor() is true and the EntitiesDescriptor contains no child EntitiesDescriptors or EntityDescriptors it is removed.

Parameters:

entitiesDescriptor - EntitiesDescriptor being processed

Returns:

true if the descriptor should be removed, false otherwise

processEntityDescriptor

protected boolean processEntityDescriptor(@Nonnull
                              Element entityDescriptor)

Processes an EntityDescriptor. First, all filtered out roles are removed. Then, if no roles are left and isRemovingRolelessEntities() is true the EntityDescriptor is marked to be removed.

Parameters:

entityDescriptor - entity descriptor being processed

Returns:

true if the entity descriptor should be removed, false otherwise

getFilteredRoles

protected List<Element> getFilteredRoles(@Nonnull
                             String entityId,
                             @Nonnull
                             Element entityDescriptor)

Iterates over the roles of a EntitiesDescriptor, filters out the appropriate ones and returns the rest.

Parameters:

entityId - ID of the entity whose roles are being processed

entityDescriptor - descriptor of entity whose roles are being processed

Returns:

the list of roles remaining after processing