Refactor JdbcAssertingPartyMetadataRepository to remove metadata_uri handling and clean up unused code

Author: chao.wang

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/AssertingPartyMetadata.java

@@ -16,19 +16,11 @@
 
 package org.springframework.security.saml2.provider.service.registration;
 
-import java.io.IOException;
-import java.io.InputStream;
 import java.io.Serializable;
-import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 import java.util.function.Consumer;
 
-import org.opensaml.saml.common.xml.SAMLConstants;
-import org.opensaml.saml.saml2.metadata.EntityDescriptor;
-import org.springframework.core.io.DefaultResourceLoader;
-import org.springframework.core.io.ResourceLoader;
-import org.springframework.security.saml2.Saml2Exception;
 import org.springframework.security.saml2.core.Saml2X509Credential;
 
 /**
@@ -39,8 +31,6 @@
  */
 public interface AssertingPartyMetadata extends Serializable {
 
-	ResourceLoader resourceLoader = new DefaultResourceLoader();
-
 	/**
 	 * Get the asserting party's <a href=
 	 * "https://www.oasis-open.org/committees/download.php/51890/SAML%20MD%20simplified%20overview.pdf#2.9%20EntityDescriptor">EntityID</a>.
@@ -284,70 +274,4 @@ interface Builder<B extends Builder<B>> {
 
 	}
 
-	/**
-	 * Return a {@link Collection} of {@link Builder}s based off
-	 * of the given SAML 2.0 Asserting Party (IDP) metadata location.
-	 *
-	 * Valid locations can be classpath- or file-based or they can be HTTPS endpoints.
-	 * Some valid endpoints might include:
-	 *
-	 * <pre>
-	 *   metadataLocation = "classpath:asserting-party-metadata.xml";
-	 *   metadataLocation = "file:asserting-party-metadata.xml";
-	 *   metadataLocation = "https://ap.example.org/metadata";
-	 * </pre>
-	 *
-	 * @param location The classpath- or file-based locations or HTTPS endpoints of the
-	 * asserting party metadata file
-	 * @return the {@link Collection} of {@link Builder}s for
-	 * further configuration
-	 * @since 7.0
-	 */
-	 static Collection<Builder<?>> collectionFromMetadataLocation(String location) {
-		try (InputStream source = resourceLoader.getResource(location).getInputStream()) {
-			return collectionFromMetadata(source);
-		}
-		catch (IOException ex) {
-			if (ex.getCause() instanceof Saml2Exception) {
-				throw (Saml2Exception) ex.getCause();
-			}
-			throw new Saml2Exception(ex);
-		}
-	}
-
-	/**
-	 * Return a {@link Collection} of {@link Builder}s based off
-	 * of the given SAML 2.0 Asserting Party (IDP) metadata.
-	 *
-	 * <p>
-	 * This method is intended for scenarios when the metadata is looked up by a separate
-	 * mechanism. One such example is when the metadata is stored in a database.
-	 * </p>
-	 *
-	 * <p>
-	 * <strong>The callers of this method are accountable for closing the
-	 * {@code InputStream} source.</strong>
-	 * </p>
-	 *
-	 * @param source the {@link InputStream} source containing the asserting party
-	 * metadata
-	 * @return the {@link Collection} of {@link Builder}s for
-	 * further configuration
-	 * @since 7.0
-	 */
-	 static Collection<Builder<?>> collectionFromMetadata(InputStream source) {
-		Collection<Builder<?>> builders = new ArrayList<>();
-		for (EntityDescriptor descriptor : OpenSamlMetadataUtils.descriptors(source)) {
-			if (descriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS) != null) {
-				OpenSamlAssertingPartyDetails.Builder builder = OpenSamlAssertingPartyDetails
-						.withEntityDescriptor(descriptor);
-				builders.add(builder);
-			}
-		}
-		if (builders.isEmpty()) {
-			throw new Saml2Exception("Metadata response is missing the necessary IDPSSODescriptor element");
-		}
-		return builders;
-	}
-
 }

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/JdbcAssertingPartyMetadataRepository.java

@@ -22,7 +22,6 @@
 import java.util.Collection;
 import java.util.Iterator;
 import java.util.List;
-import java.util.function.Consumer;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -37,7 +36,6 @@
 import org.springframework.security.saml2.core.Saml2X509Credential;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.AssertingPartyDetails;
 import org.springframework.util.Assert;
-import org.springframework.util.StringUtils;
 
 /**
  * A JDBC implementation of {@link AssertingPartyMetadataRepository}.
@@ -54,7 +52,6 @@ public final class JdbcAssertingPartyMetadataRepository implements AssertingPart
 
 	// @formatter:off
 	static final String COLUMN_NAMES = "entity_id, "
-			+ "metadata_uri, "
 			+ "singlesignon_url, "
 			+ "singlesignon_binding, "
 			+ "singlesignon_sign_request, "
@@ -141,7 +138,6 @@ private final static class AssertingPartyMetadataRowMapper implements RowMapper<
 		@Override
 		public AssertingPartyMetadata mapRow(ResultSet rs, int rowNum) throws SQLException {
 			String entityId = rs.getString("entity_id");
-			String metadataUri = rs.getString("metadata_uri");
 			String singleSignOnUrl = rs.getString("singlesignon_url");
 			Saml2MessageBinding singleSignOnBinding = Saml2MessageBinding.from(rs.getString("singlesignon_binding"));
 			boolean singleSignOnSignRequest = rs.getBoolean("singlesignon_sign_request");
@@ -152,57 +148,41 @@ public AssertingPartyMetadata mapRow(ResultSet rs, int rowNum) throws SQLExcepti
 			byte[] verificationCredentialsBytes = this.getBytes.getBytes(rs, "verification_credentials");
 			byte[] encryptionCredentialsBytes = this.getBytes.getBytes(rs, "encryption_credentials");
 
-			boolean usingMetadata = StringUtils.hasText(metadataUri);
-			AssertingPartyMetadata.Builder<?> builder = (!usingMetadata) ? new AssertingPartyDetails.Builder().entityId(entityId)
-					: createBuilderUsingMetadata(entityId, metadataUri);
+			AssertingPartyMetadata.Builder<?> builder = new AssertingPartyDetails.Builder();
 			try {
 				if (signingAlgorithmsBytes != null) {
-					List<String> signingAlgorithms = (List<String>) deserializer.deserializeFromByteArray(signingAlgorithmsBytes);
+					List<String> signingAlgorithms = (List<String>)
+							this.deserializer.deserializeFromByteArray(signingAlgorithmsBytes);
 					builder.signingAlgorithms(algorithms -> algorithms.addAll(signingAlgorithms));
 				}
 				if (verificationCredentialsBytes != null) {
-					Collection<Saml2X509Credential> verificationCredentials = (Collection<Saml2X509Credential>) deserializer.deserializeFromByteArray(verificationCredentialsBytes);
-					builder.verificationX509Credentials(credentials -> credentials.addAll(verificationCredentials));
+					Collection<Saml2X509Credential> verificationCredentials = (Collection<Saml2X509Credential>)
+							this.deserializer.deserializeFromByteArray(verificationCredentialsBytes);
+					builder.verificationX509Credentials(
+							credentials -> credentials.addAll(verificationCredentials));
 				}
 				if (encryptionCredentialsBytes != null) {
-					Collection<Saml2X509Credential> encryptionCredentials = (Collection<Saml2X509Credential>) deserializer.deserializeFromByteArray(encryptionCredentialsBytes);
-					builder.encryptionX509Credentials(credentials -> credentials.addAll(encryptionCredentials));
+					Collection<Saml2X509Credential> encryptionCredentials = (Collection<Saml2X509Credential>)
+							this.deserializer.deserializeFromByteArray(encryptionCredentialsBytes);
+					builder.encryptionX509Credentials(
+							credentials -> credentials.addAll(encryptionCredentials));
 				}
 			} catch (Exception ex) {
 				this.logger.debug(
 						LogMessage.format("Parsing serialized credentials for entity %s failed", entityId), ex);
 				return null;
 			}
 
-			applyingWhenNonNull(singleSignOnUrl, builder::singleSignOnServiceLocation);
-			applyingWhenNonNull(singleSignOnBinding, builder::singleSignOnServiceBinding);
-			applyingWhenNonNull(singleSignOnSignRequest, builder::wantAuthnRequestsSigned);
-			applyingWhenNonNull(singleLogoutUrl, builder::singleLogoutServiceLocation);
-			applyingWhenNonNull(singleLogoutResponseUrl, builder::singleLogoutServiceResponseLocation);
-			applyingWhenNonNull(singleLogoutBinding, builder::singleLogoutServiceBinding);
+			builder
+					.entityId(entityId)
+					.wantAuthnRequestsSigned(singleSignOnSignRequest)
+					.singleSignOnServiceLocation(singleSignOnUrl)
+					.singleSignOnServiceBinding(singleSignOnBinding)
+					.singleLogoutServiceLocation(singleLogoutUrl)
+					.singleLogoutServiceBinding(singleLogoutBinding)
+					.singleLogoutServiceResponseLocation(singleLogoutResponseUrl);
 			return builder.build();
 		}
-
-		private <T> void applyingWhenNonNull(T value, Consumer<T> consumer) {
-			if (value != null) {
-				consumer.accept(value);
-			}
-		}
-
-		private AssertingPartyMetadata.Builder<?> createBuilderUsingMetadata(String entityId, String metadataUri) {
-			Collection<AssertingPartyMetadata.Builder<?>> candidates = AssertingPartyMetadata
-					.collectionFromMetadataLocation(metadataUri);
-			for (AssertingPartyMetadata.Builder<?> candidate : candidates) {
-				if (entityId == null || entityId.equals(getEntityId(candidate))) {
-					return candidate;
-				}
-			}
-			throw new IllegalStateException("No asserting party metadata with Entity ID '" + entityId + "' found");
-		}
-
-		private Object getEntityId(AssertingPartyMetadata.Builder<?> candidate) {
-			return candidate.build().getEntityId();
-		}
 	}
 
 	private interface GetBytes {

saml2/saml2-service-provider/src/main/resources/org/springframework/security/saml2/saml2-asserting-party-metadata-schema-postgres.sql

@@ -1,15 +1,14 @@
 CREATE TABLE saml2_asserting_party_metadata
 (
     entity_id                 VARCHAR(1000) NOT NULL,
-    metadata_uri              VARCHAR(1000),
-    singlesignon_url          VARCHAR(1000),
-    singlesignon_binding      VARCHAR(200),
-    singlesignon_sign_request VARCHAR(1000),
+    singlesignon_url          VARCHAR(1000) NOT NULL,
+    singlesignon_binding      VARCHAR(100),
+    singlesignon_sign_request boolean,
     signing_algorithms        BYTEA,
-    verification_credentials  BYTEA,
+    verification_credentials  BYTEA         NOT NULL,
     encryption_credentials    BYTEA,
     singlelogout_url          VARCHAR(1000),
     singlelogout_response_url VARCHAR(1000),
-    singlelogout_binding      VARCHAR(200),
+    singlelogout_binding      VARCHAR(100),
     PRIMARY KEY (entity_id)
 );

saml2/saml2-service-provider/src/main/resources/org/springframework/security/saml2/saml2-asserting-party-metadata-schema.sql

@@ -1,15 +1,14 @@
 CREATE TABLE saml2_asserting_party_metadata
 (
     entity_id                 VARCHAR(1000) NOT NULL,
-    metadata_uri              VARCHAR(1000),
-    singlesignon_url          VARCHAR(1000),
-    singlesignon_binding      VARCHAR(200),
-    singlesignon_sign_request VARCHAR(1000),
+    singlesignon_url          VARCHAR(1000) NOT NULL,
+    singlesignon_binding      VARCHAR(100),
+    singlesignon_sign_request boolean,
     signing_algorithms        blob,
-    verification_credentials  blob,
+    verification_credentials  blob          NOT NULL,
     encryption_credentials    blob,
     singlelogout_url          VARCHAR(1000),
     singlelogout_response_url VARCHAR(1000),
-    singlelogout_binding      VARCHAR(200),
+    singlelogout_binding      VARCHAR(100),
     PRIMARY KEY (entity_id)
 );