Merge pull request #6 from sailpoint-oss/sse-fixes-202103

Sse fixes 202103

DCO.txt

@@ -0,0 +1,37 @@
+Developer Certificate of Origin
+Version 1.1
+
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+1 Letterman Drive
+Suite D4700
+San Francisco, CA, 94129
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+    have the right to submit it under the open source license
+    indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+    of my knowledge, is covered under an appropriate open source
+    license and I have the right under that license to submit that
+    work with modifications, whether created in whole or in part
+    by me, under the same open source license (unless I am
+    permitted to submit under a different license), as indicated
+    in the file; or
+
+(c) The contribution was provided directly to me by some other
+    person who certified (a), (b) or (c) and I have not modified
+    it.
+
+(d) I understand and agree that this project and the contribution
+    are public and that a record of the contribution (including all
+    personal information I submit with it, including my sign-off) is
+    maintained indefinitely and may be redistributed consistent with
+    this project or the open source license(s) involved.

README.md

@@ -1,58 +1,67 @@
 # sse-openid-model
 
 An implementation of the Shared Signals and Events (SSE) data model for the Continuous 
-Access Evaluation Protocol (CAEP) standard.
+Access Evaluation Protocol (CAEP) and Risk Incident Sharing and Coordination (RISC) event profiles.
 
-This library provides serialize-able POJOs and classes to implement SSE and CAEP under
+This library provides classes implementing SSE (both CAEP and RISC profiles) under
 a Java environment. It includes the following dependences:
 
 - com.nimbusds nimbus-jose-jwt for JSONObject and JWTClaimsSet
-- SLF4J for logging and exception printing and integrating with surrounding applications.
-
+
 
 ## Examples
 
 Producing a Security Event Token using this library involves constructing the objects
-representing the `SubjectIdentifier`, the `SSEvent` (Shared Signals Event), and the JWTClaimsSet (Security 
-Event Token) that will carry the event.
+representing the Subject Identifier, the Shared Signals Event, and the Security 
+Event Token that will carry the event.  There are specific event classes for each defined RISC and CAEP event.
+Construction follows the builder pattern. Events each have a validate() method to verify mandatory fields. 
+
+        SubjectIdentifier user = new SubjectIdentifier.Builder()
+                .subjectType(SubjectIdentifierTypes.ISSUER_SUBJECT)
+                .issuer("https://idp.example.com/3957ea72-1b66-44d6-a044-d805712b9288/")
+                .subject("jane.smith@example.com")
+                .build();
 
-```java
-        SubjectIdentifier subj = new SubjectIdentifier.Builder()
-                .subjectType(SubjectIdentifier.EMAIL_SUBJECT_IDENTIFIER_TYPE)
-                .email("foo@example.com")
+        SubjectIdentifier device = new SubjectIdentifier.Builder()
+                .subjectType(SubjectIdentifierTypes.ISSUER_SUBJECT)
+                .issuer("https://idp.example.com/3957ea72-1b66-44d6-a044-d805712b9288/")
+                .subject("e9297990-14d2-42ec-a4a9-4036db86509a")
                 .build();
 
-        SSEvent evt = new SSEvent.Builder()
-                .eventType(SSEventTypes.CAEP_IPADDR_CHANGED)
-                .subject(subj)
-                .ipAddress("123.45.67.89")
+        SubjectIdentifier userDevice = new SubjectIdentifier.Builder()
+                .subjectType(SubjectIdentifierTypes.USER_DEVICE_SESSION)
+                .user(user)
+                .device(device)
                 .build();
 
+        CAEPSessionRevoked evt = new CAEPSessionRevoked.Builder()
+               .subject(userDevice)
+               .build();
+        evt.validate(); /* throws ValidationException */
+
         JWTClaimsSet set = new JWTClaimsSet.Builder()
-                .issuer("https://sp.example2.com/")
+                .issuer("https://idp.example.com/")
                 .jwtID("756E69717565206964656E746966696572")
-                .issueTime(DateUtils.fromSecondsSinceEpoch(1520364019))
+                .issueTime(DateUtils.fromSecondsSinceEpoch(System.currentTimeMillis()/1000))
                 .audience("636C69656E745F6964")
                 .claim(SEToken.EVENTS_CLAIM, evt)
                 .build();
-```
 
-See more code examples in `OpenIDSSEProfileTest.java`.
+See more usage examples in `src/test`.
 
 ## Compiling
 
- This library is implemented as a Gradle based java library.  Running:
+ This library is implemented as a Gradle based java library.  Java 9+ is required.  Running:
 
-	./gradlew assemble
+	./gradlew build
 
-Produces a versions .jar file in the build/libs directory:
+produces a versioned .jar file in the build/libs directory:
 
 	ls -latr build/libs
-	...  13308 Jul 29 12:33 sse-openid-model-0.1.0.jar
+	...  13308 Jul 29 12:33 openid-sse-model-0.1.0-SNAPSHOT.jar
 
 ## Testing 
 
 The library has tests implemented in `/src/test/java/` and are run with Gradle:
 
 	./gradlew test
-

build.gradle

@@ -19,7 +19,6 @@ dependencies {
     // Nimbus JOSE JWT
     // https://mvnrepository.com/artifact/com.nimbusds/nimbus-jose-jwt
     api group: 'com.nimbusds', name: 'nimbus-jose-jwt', version: '9.7'
-    implementation 'org.jetbrains:annotations:20.1.0'
 
     // Use JUnit test framework
     testImplementation 'junit:junit:4.12'
@@ -97,7 +96,7 @@ signing {
     sign publishing.publications.model
 }
 
-group = 'net.openid'
+group = 'com.sailpoint'
 version = '0.1.0-SNAPSHOT'
 
 

gradle/verification-metadata.xml

@@ -7,7 +7,6 @@
          <trusted-key id="042b29e928995b9db963c636c7ca19b7b620d787" group="com.github.stephenc.jcip" name="jcip-annotations" version="1.0-1"/>
          <trusted-key id="4db1a49729b053caf015cee9a6adfc93ef34893e" group="org.hamcrest"/>
          <trusted-key id="82f0964816ad7319cb0cccf93efd9d223d715e9a" group="com.nimbusds" name="nimbus-jose-jwt" version="9.7"/>
-         <trusted-key id="8756c4f765c9ac3cb6b85d62379ce192d401ab61" group="org.jetbrains" name="annotations" version="20.1.0"/>
          <trusted-key id="d4c89ea4aaf455fd88b22087efe8086f9e93774e" group="junit" name="junit" version="4.12"/>
       </trusted-keys>
    </configuration>

src/main/java/net/openid/sse/model/AssuranceLevelChangeDirection.java → src/main/java/com/sailpoint/sse/model/AssuranceLevelChangeDirection.java

@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-package net.openid.sse.model;
+package com.sailpoint.sse.model;
 
 import java.util.HashMap;
 import java.util.Map;

src/main/java/net/openid/sse/model/CAEPAssuranceLevelChange.java → src/main/java/com/sailpoint/sse/model/CAEPAssuranceLevelChange.java

@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-package net.openid.sse.model;
+package com.sailpoint.sse.model;
 
 public class CAEPAssuranceLevelChange extends CAEPBaseEvent {
 

src/main/java/net/openid/sse/model/CAEPBaseEvent.java → src/main/java/com/sailpoint/sse/model/CAEPBaseEvent.java

@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-package net.openid.sse.model;
+package com.sailpoint.sse.model;
 
 import com.nimbusds.jose.shaded.json.JSONObject;
 
@@ -18,12 +18,12 @@ public abstract static class Builder<T extends CAEPBaseEvent, B extends CAEPBase
         protected static final String INITIATING_ENTITY_MEMBER = "initiating_entity";
         protected static final String REASON_ADMIN_MEMBER      = "reason_admin";
         protected static final String REASON_USER_MEMBER       = "reason_user";
-        protected static final String TENANT_ID_MEMBER         = "tenant_id";
 
         protected Builder(final SSEventTypes eventType) {
             super(eventType);
         }
 
+        // Timestamp in milliseconds from epoch
         public B eventTimestamp(final long eventTimestamp) {
             members.put(EVENT_TIMESTAMP_MEMBER, eventTimestamp);
             return thisObj;
@@ -44,28 +44,30 @@ public B reasonUser(final String s) {
             return thisObj;
         }
 
-        public B tenantID(final String id) {
-            members.put(TENANT_ID_MEMBER, id);
-            return thisObj;
-        }
-
     }
 
-    public void validateEventTimestamp() throws ValidationException {
+    public JSONObject getEventMembers() throws ValidationException {
         final SSEventTypes eventType = getEventType();
         if (null == eventType) {
             /* Unknown event type, not instantiated via a normal constructor. */
-            return;
+            throw new ValidationException("CAEP Events must set eventType in their constructor");
         }
+
         JSONObject members = (JSONObject) get(eventType.toString());
         if (null == members) {
             throw new ValidationException("CAEP Events must have a container Map whose key is the event type URI");
         }
+        return members;
+    }
+
+
+    public void validateEventTimestamp() throws ValidationException {
+        JSONObject members = getEventMembers();
 
-        if (!members.containsKey(Builder.EVENT_TIMESTAMP_MEMBER)) {
-            return;
-        }
         Object eventTimestamp = members.get(Builder.EVENT_TIMESTAMP_MEMBER);
+        if (null == eventTimestamp) {
+            throw new ValidationException("CAEP Events must have an event_timestamp member");
+        }
 
         if (!(eventTimestamp instanceof Long)) {
             throw new ValidationException("CAEP Events event_timestamp must be of type Long.");

src/main/java/net/openid/sse/model/CAEPChangeType.java → src/main/java/com/sailpoint/sse/model/CAEPChangeType.java

@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-package net.openid.sse.model;
+package com.sailpoint.sse.model;
 
 import java.util.HashMap;
 import java.util.Map;

src/main/java/net/openid/sse/model/CAEPComplianceStatus.java → src/main/java/com/sailpoint/sse/model/CAEPComplianceStatus.java

@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-package net.openid.sse.model;
+package com.sailpoint.sse.model;
 
 import java.util.HashMap;
 import java.util.Map;

src/main/java/net/openid/sse/model/CAEPCredentialChange.java → src/main/java/com/sailpoint/sse/model/CAEPCredentialChange.java

@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-package net.openid.sse.model;
+package com.sailpoint.sse.model;
 
 public class CAEPCredentialChange extends CAEPBaseEvent {
 

src/main/java/net/openid/sse/model/CAEPCredentialType.java → src/main/java/com/sailpoint/sse/model/CAEPCredentialType.java

@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-package net.openid.sse.model;
+package com.sailpoint.sse.model;
 
 import java.util.HashMap;
 import java.util.Map;

src/main/java/net/openid/sse/model/CAEPDeviceComplianceChange.java → src/main/java/com/sailpoint/sse/model/CAEPDeviceComplianceChange.java

@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-package net.openid.sse.model;
+package com.sailpoint.sse.model;
 
 public class CAEPDeviceComplianceChange extends CAEPBaseEvent {
 

src/main/java/net/openid/sse/model/CAEPIPAddrChanged.java → src/main/java/com/sailpoint/sse/model/CAEPIPAddrChanged.java

@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-package net.openid.sse.model;
+package com.sailpoint.sse.model;
 
 public class CAEPIPAddrChanged extends CAEPBaseEvent {
     private static final String IPADDRESS_MEMBER   = "ip_address";

src/main/java/net/openid/sse/model/CAEPInitiatingEntity.java → src/main/java/com/sailpoint/sse/model/CAEPInitiatingEntity.java

@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-package net.openid.sse.model;
+package com.sailpoint.sse.model;
 
 import java.util.HashMap;
 import java.util.Map;

src/main/java/net/openid/sse/model/CAEPSessionRevoked.java → src/main/java/com/sailpoint/sse/model/CAEPSessionRevoked.java

@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-package net.openid.sse.model;
+package com.sailpoint.sse.model;
 
 public class CAEPSessionRevoked extends CAEPBaseEvent {
 

src/main/java/com/sailpoint/sse/model/CAEPStreamUpdated.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2021 SailPoint Technologies, Inc.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package com.sailpoint.sse.model;
+
+public class CAEPStreamUpdated extends CAEPBaseEvent {
+
+    public static class Builder extends CAEPBaseEvent.Builder<CAEPStreamUpdated, CAEPStreamUpdated.Builder> {
+
+        protected CAEPStreamUpdated createObj() {return new CAEPStreamUpdated();}
+        protected CAEPStreamUpdated.Builder getThis() { return this; }
+
+        public Builder() {
+            super(SSEventTypes.SSE_STREAM_UPDATED);
+        }
+    }
+}

src/main/java/com/sailpoint/sse/model/CAEPTokenClaimsChange.java

@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2021 SailPoint Technologies, Inc.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package com.sailpoint.sse.model;
+
+import com.nimbusds.jose.shaded.json.JSONObject;
+
+public class CAEPTokenClaimsChange extends CAEPBaseEvent {
+
+    private static final String CLAIMS = "claims";
+
+    public static class Builder extends CAEPBaseEvent.Builder<CAEPTokenClaimsChange, CAEPTokenClaimsChange.Builder> {
+
+        protected CAEPTokenClaimsChange createObj() {return new CAEPTokenClaimsChange();}
+        protected CAEPTokenClaimsChange.Builder getThis() { return this; }
+
+        public Builder() {
+            super(SSEventTypes.CAEP_TOKEN_CLAIMS_CHANGE);
+        }
+
+        public CAEPTokenClaimsChange.Builder claims(final JSONObject newClaims) {
+            members.put(CLAIMS, newClaims);
+            return thisObj;
+        }
+
+
+    }
+
+    @Override
+    public void validate() throws ValidationException {
+        super.validate();
+        JSONObject members = getEventMembers();
+        final Object o = members.get(CLAIMS);
+        if (null == o) {
+            throw new ValidationException(this.getClass().getName() + " member " + CLAIMS + " is missing or null.");
+        }
+    }
+
+
+}

src/main/java/net/openid/sse/model/DeliveryMethods.java → src/main/java/com/sailpoint/sse/model/DeliveryMethods.java

@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-package net.openid.sse.model;
+package com.sailpoint.sse.model;
 
 import java.util.HashMap;
 import java.util.Map;