Remove save method in JdbcAssertingPartyMetadataRepository

Author: chao.wang

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/AssertingPartyMetadata.java

@@ -39,6 +39,8 @@
  */
 public interface AssertingPartyMetadata extends Serializable {
 
+	ResourceLoader resourceLoader = new DefaultResourceLoader();
+
 	/**
 	 * Get the asserting party's <a href=
 	 * "https://www.oasis-open.org/committees/download.php/51890/SAML%20MD%20simplified%20overview.pdf#2.9%20EntityDescriptor">EntityID</a>.
@@ -282,8 +284,25 @@ interface Builder<B extends Builder<B>> {
 
 	}
 
-	 static final ResourceLoader resourceLoader = new DefaultResourceLoader();
-
+	/**
+	 * Return a {@link Collection} of {@link Builder}s based off
+	 * of the given SAML 2.0 Asserting Party (IDP) metadata location.
+	 *
+	 * Valid locations can be classpath- or file-based or they can be HTTPS endpoints.
+	 * Some valid endpoints might include:
+	 *
+	 * <pre>
+	 *   metadataLocation = "classpath:asserting-party-metadata.xml";
+	 *   metadataLocation = "file:asserting-party-metadata.xml";
+	 *   metadataLocation = "https://ap.example.org/metadata";
+	 * </pre>
+	 *
+	 * @param location The classpath- or file-based locations or HTTPS endpoints of the
+	 * asserting party metadata file
+	 * @return the {@link Collection} of {@link Builder}s for
+	 * further configuration
+	 * @since 7.0
+	 */
 	 static Collection<Builder<?>> collectionFromMetadataLocation(String location) {
 		try (InputStream source = resourceLoader.getResource(location).getInputStream()) {
 			return collectionFromMetadata(source);
@@ -296,6 +315,26 @@ static Collection<Builder<?>> collectionFromMetadataLocation(String location) {
 		}
 	}
 
+	/**
+	 * Return a {@link Collection} of {@link Builder}s based off
+	 * of the given SAML 2.0 Asserting Party (IDP) metadata.
+	 *
+	 * <p>
+	 * This method is intended for scenarios when the metadata is looked up by a separate
+	 * mechanism. One such example is when the metadata is stored in a database.
+	 * </p>
+	 *
+	 * <p>
+	 * <strong>The callers of this method are accountable for closing the
+	 * {@code InputStream} source.</strong>
+	 * </p>
+	 *
+	 * @param source the {@link InputStream} source containing the asserting party
+	 * metadata
+	 * @return the {@link Collection} of {@link Builder}s for
+	 * further configuration
+	 * @since 7.0
+	 */
 	 static Collection<Builder<?>> collectionFromMetadata(InputStream source) {
 		Collection<Builder<?>> builders = new ArrayList<>();
 		for (EntityDescriptor descriptor : OpenSamlMetadataUtils.descriptors(source)) {

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/JdbcAssertingPartyMetadataRepository.java

@@ -16,26 +16,19 @@
 
 package org.springframework.security.saml2.provider.service.registration;
 
-import java.io.IOException;
-import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Types;
-import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Iterator;
 import java.util.List;
-import java.util.function.Function;
+import java.util.function.Consumer;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.core.log.LogMessage;
 import org.springframework.core.serializer.DefaultDeserializer;
-import org.springframework.core.serializer.DefaultSerializer;
 import org.springframework.core.serializer.Deserializer;
-import org.springframework.core.serializer.Serializer;
 import org.springframework.jdbc.core.ArgumentPreparedStatementSetter;
 import org.springframework.jdbc.core.JdbcOperations;
 import org.springframework.jdbc.core.PreparedStatementSetter;
@@ -44,6 +37,7 @@
 import org.springframework.security.saml2.core.Saml2X509Credential;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.AssertingPartyDetails;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 
 /**
  * A JDBC implementation of {@link AssertingPartyMetadataRepository}.
@@ -58,13 +52,9 @@ public final class JdbcAssertingPartyMetadataRepository implements AssertingPart
 	private RowMapper<AssertingPartyMetadata> assertingPartyMetadataRowMapper =
 			new AssertingPartyMetadataRowMapper(ResultSet::getBytes);
 
-	private Function<AssertingPartyMetadata, List<SqlParameterValue>> assertingPartyMetadataParametersMapper =
-			new AssertingPartyMetadataParametersMapper();
-
-	private final SetBytes setBytes = PreparedStatement::setBytes;
-
 	// @formatter:off
 	static final String COLUMN_NAMES = "entity_id, "
+			+ "metadata_uri, "
 			+ "singlesignon_url, "
 			+ "singlesignon_binding, "
 			+ "singlesignon_sign_request, "
@@ -87,26 +77,6 @@ public final class JdbcAssertingPartyMetadataRepository implements AssertingPart
 
 	private static final String LOAD_ALL_SQL = "SELECT " + COLUMN_NAMES
 			+ " FROM " + TABLE_NAME;
-
-	private static final String SAVE_SQL = "INSERT INTO " + TABLE_NAME + " ("
-			+ COLUMN_NAMES
-			+ ") VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
-	// @formatter:on
-
-	private static final String DELETE_SQL = "DELETE FROM " + TABLE_NAME + " WHERE " + ENTITY_ID_FILTER;
-
-	// @formatter:off
-	private static final String UPDATE_SQL = "UPDATE " + TABLE_NAME
-			+ " SET singlesignon_url = ?, " +
-			"singlesignon_binding = ?, " +
-			"singlesignon_sign_request = ?, " +
-			"signing_algorithms = ?, " +
-			"verification_credentials = ?, " +
-			"encryption_credentials = ?, " +
-			"singlelogout_url = ? ," +
-			"singlelogout_response_url = ?, " +
-			"singlelogout_binding = ?"
-			+ " WHERE " + ENTITY_ID_FILTER;
 	// @formatter:on
 
 	/**
@@ -134,41 +104,6 @@ public void setAssertingPartyMetadataRowMapper(
 		this.assertingPartyMetadataRowMapper = assertingPartyMetadataRowMapper;
 	}
 
-	public void setAssertingPartyMetadataParametersMapper(Function<AssertingPartyMetadata, List<SqlParameterValue>> assertingPartyMetadataParametersMapper) {
-		Assert.notNull(assertingPartyMetadataParametersMapper, "assertingPartyMetadataParametersMapper cannot be null");
-		this.assertingPartyMetadataParametersMapper = assertingPartyMetadataParametersMapper;
-	}
-
-	public void save(AssertingPartyMetadata metadata) {
-		Assert.notNull(metadata, "metadata cannot be null");
-		int rows = update(metadata);
-		if (rows == 0) {
-			insert(metadata);
-		}
-	}
-
-	private void insert(AssertingPartyMetadata metadata) {
-		List<SqlParameterValue> parameters = this.assertingPartyMetadataParametersMapper.apply(metadata);
-		PreparedStatementSetter pss = new BlobArgumentPreparedStatementSetter(this.setBytes, parameters.toArray());
-		this.jdbcOperations.update(SAVE_SQL, pss);
-	}
-
-	private int update(AssertingPartyMetadata metadata) {
-		List<SqlParameterValue> parameters = this.assertingPartyMetadataParametersMapper.apply(metadata);
-		SqlParameterValue credentialId = parameters.remove(0);
-		parameters.add(credentialId);
-		PreparedStatementSetter pss = new BlobArgumentPreparedStatementSetter(this.setBytes, parameters.toArray());
-		return this.jdbcOperations.update(UPDATE_SQL, pss);
-	}
-
-	public void delete(String entityId) {
-		Assert.notNull(entityId, "entityId cannot be null");
-		SqlParameterValue[] parameters = new SqlParameterValue[]{
-				new SqlParameterValue(Types.VARCHAR, entityId),};
-		PreparedStatementSetter pss = new ArgumentPreparedStatementSetter(parameters);
-		this.jdbcOperations.update(DELETE_SQL, pss);
-	}
-
 	@Override
 	public AssertingPartyMetadata findByEntityId(String entityId) {
 		Assert.hasText(entityId, "entityId cannot be empty");
@@ -187,75 +122,6 @@ public Iterator<AssertingPartyMetadata> iterator() {
 		return result.iterator();
 	}
 
-	private static class AssertingPartyMetadataParametersMapper
-			implements Function<AssertingPartyMetadata, List<SqlParameterValue>> {
-
-		private final Logger logger = LoggerFactory.getLogger(AssertingPartyMetadataParametersMapper.class);
-
-		private final Serializer<Object> serializer = new DefaultSerializer();
-
-		@Override
-		public List<SqlParameterValue> apply(AssertingPartyMetadata record) {
-			List<SqlParameterValue> parameters = new ArrayList<>();
-			parameters.add(new SqlParameterValue(Types.VARCHAR, record.getEntityId()));
-			parameters.add(new SqlParameterValue(Types.VARCHAR, record.getSingleSignOnServiceLocation()));
-			parameters.add(new SqlParameterValue(Types.VARCHAR, record.getSingleSignOnServiceBinding().getUrn()));
-			parameters.add(new SqlParameterValue(Types.BOOLEAN, record.getWantAuthnRequestsSigned()));
-			try {
-				parameters.add(new SqlParameterValue(Types.BLOB,
-						this.serializer.serializeToByteArray(record.getSigningAlgorithms())));
-			} catch (IOException ex) {
-				this.logger.debug("Failed to serialize signing algorithms", ex);
-				throw new IllegalArgumentException(ex);
-			}
-			try {
-				parameters.add(new SqlParameterValue(Types.BLOB,
-						this.serializer.serializeToByteArray(record.getVerificationX509Credentials())));
-			} catch (IOException ex) {
-				this.logger.debug("Failed to serialize verification credentials", ex);
-				throw new IllegalArgumentException(ex);
-			}
-			try {
-				parameters.add(new SqlParameterValue(Types.BLOB,
-						this.serializer.serializeToByteArray(record.getEncryptionX509Credentials())));
-			} catch (IOException ex) {
-				this.logger.debug("Failed to serialize encryption credentials", ex);
-				throw new IllegalArgumentException(ex);
-			}
-			parameters.add(new SqlParameterValue(Types.VARCHAR, record.getSingleLogoutServiceLocation()));
-			parameters.add(new SqlParameterValue(Types.VARCHAR, record.getSingleLogoutServiceResponseLocation()));
-			parameters.add(new SqlParameterValue(Types.VARCHAR, record.getSingleLogoutServiceBinding().getUrn()));
-			return parameters;
-		}
-	}
-
-	private static final class BlobArgumentPreparedStatementSetter extends ArgumentPreparedStatementSetter {
-
-		private final SetBytes setBytes;
-
-		private BlobArgumentPreparedStatementSetter(SetBytes setBytes, Object[] args) {
-			super(args);
-			this.setBytes = setBytes;
-		}
-
-		@Override
-		protected void doSetValue(PreparedStatement ps, int parameterPosition, Object argValue) throws SQLException {
-			if (argValue instanceof SqlParameterValue paramValue) {
-				if (paramValue.getSqlType() == Types.BLOB) {
-					if (paramValue.getValue() != null) {
-						Assert.isInstanceOf(byte[].class, paramValue.getValue(),
-								"Value of blob parameter must be byte[]");
-					}
-					byte[] valueBytes = (byte[]) paramValue.getValue();
-					this.setBytes.setBytes(ps, parameterPosition, valueBytes);
-					return;
-				}
-			}
-			super.doSetValue(ps, parameterPosition, argValue);
-		}
-
-	}
-
 	/**
 	 * The default {@link RowMapper} that maps the current row in
 	 * {@code java.sql.ResultSet} to {@link AssertingPartyMetadata}.
@@ -275,61 +141,68 @@ private final static class AssertingPartyMetadataRowMapper implements RowMapper<
 		@Override
 		public AssertingPartyMetadata mapRow(ResultSet rs, int rowNum) throws SQLException {
 			String entityId = rs.getString("entity_id");
+			String metadataUri = rs.getString("metadata_uri");
 			String singleSignOnUrl = rs.getString("singlesignon_url");
-			Saml2MessageBinding singleSignOnBinding = Saml2MessageBinding
-					.from(rs.getString("singlesignon_binding"));
+			Saml2MessageBinding singleSignOnBinding = Saml2MessageBinding.from(rs.getString("singlesignon_binding"));
 			boolean singleSignOnSignRequest = rs.getBoolean("singlesignon_sign_request");
-			List<String> signingAlgorithms;
-			try {
-				signingAlgorithms = (List<String>) deserializer.deserializeFromByteArray(
-						this.getBytes.getBytes(rs, "signing_algorithms"));
-			} catch (IOException ex) {
-				this.logger.debug(
-						LogMessage.format("Verification credentials of %s could not be parsed.", entityId), ex);
-				return null;
-			}
-			Collection<Saml2X509Credential> verificationCredentials;
-			try {
-				verificationCredentials = (Collection<Saml2X509Credential>) deserializer.deserializeFromByteArray(
-						this.getBytes.getBytes(rs, "verification_credentials"));
-			} catch (IOException ex) {
-				this.logger.debug(
-						LogMessage.format("Verification credentials of %s could not be parsed.", entityId), ex);
-				return null;
-			}
-			Collection<Saml2X509Credential> encryptionCredentials;
+			String singleLogoutUrl = rs.getString("singlelogout_url");
+			String singleLogoutResponseUrl = rs.getString("singlelogout_response_url");
+			Saml2MessageBinding singleLogoutBinding = Saml2MessageBinding.from(rs.getString("singlelogout_binding"));
+			byte[] signingAlgorithmsBytes = this.getBytes.getBytes(rs, "signing_algorithms");
+			byte[] verificationCredentialsBytes = this.getBytes.getBytes(rs, "verification_credentials");
+			byte[] encryptionCredentialsBytes = this.getBytes.getBytes(rs, "encryption_credentials");
+
+			boolean usingMetadata = StringUtils.hasText(metadataUri);
+			AssertingPartyMetadata.Builder<?> builder = (!usingMetadata) ? new AssertingPartyDetails.Builder().entityId(entityId)
+					: createBuilderUsingMetadata(entityId, metadataUri);
 			try {
-				encryptionCredentials = (Collection<Saml2X509Credential>) deserializer.deserializeFromByteArray(
-						this.getBytes.getBytes(rs, "encryption_credentials"));
-			} catch (IOException ex) {
+				if (signingAlgorithmsBytes != null) {
+					List<String> signingAlgorithms = (List<String>) deserializer.deserializeFromByteArray(signingAlgorithmsBytes);
+					builder.signingAlgorithms(algorithms -> algorithms.addAll(signingAlgorithms));
+				}
+				if (verificationCredentialsBytes != null) {
+					Collection<Saml2X509Credential> verificationCredentials = (Collection<Saml2X509Credential>) deserializer.deserializeFromByteArray(verificationCredentialsBytes);
+					builder.verificationX509Credentials(credentials -> credentials.addAll(verificationCredentials));
+				}
+				if (encryptionCredentialsBytes != null) {
+					Collection<Saml2X509Credential> encryptionCredentials = (Collection<Saml2X509Credential>) deserializer.deserializeFromByteArray(encryptionCredentialsBytes);
+					builder.encryptionX509Credentials(credentials -> credentials.addAll(encryptionCredentials));
+				}
+			} catch (Exception ex) {
 				this.logger.debug(
-						LogMessage.format("Encryption credentials of %s could not be parsed.", entityId), ex);
+						LogMessage.format("Parsing serialized credentials for entity %s failed", entityId), ex);
 				return null;
 			}
-			String singleLogoutUrl = rs.getString("singlelogout_url");
-			String singleLogoutResponseUrl = rs.getString("singlelogout_response_url");
-			Saml2MessageBinding singleLogoutBinding = Saml2MessageBinding
-					.from(rs.getString("singlelogout_binding"));
 
-			return new AssertingPartyDetails.Builder()
-					.entityId(entityId)
-					.wantAuthnRequestsSigned(singleSignOnSignRequest)
-					.signingAlgorithms(algorithms -> algorithms.addAll(signingAlgorithms))
-					.verificationX509Credentials(credentials -> credentials.addAll(verificationCredentials))
-					.encryptionX509Credentials(credentials -> credentials.addAll(encryptionCredentials))
-					.singleSignOnServiceLocation(singleSignOnUrl)
-					.singleSignOnServiceBinding(singleSignOnBinding)
-					.singleLogoutServiceLocation(singleLogoutUrl)
-					.singleLogoutServiceBinding(singleLogoutBinding)
-					.singleLogoutServiceResponseLocation(singleLogoutResponseUrl)
-					.build();
+			applyingWhenNonNull(singleSignOnUrl, builder::singleSignOnServiceLocation);
+			applyingWhenNonNull(singleSignOnBinding, builder::singleSignOnServiceBinding);
+			applyingWhenNonNull(singleSignOnSignRequest, builder::wantAuthnRequestsSigned);
+			applyingWhenNonNull(singleLogoutUrl, builder::singleLogoutServiceLocation);
+			applyingWhenNonNull(singleLogoutResponseUrl, builder::singleLogoutServiceResponseLocation);
+			applyingWhenNonNull(singleLogoutBinding, builder::singleLogoutServiceBinding);
+			return builder.build();
 		}
-	}
 
-	private interface SetBytes {
+		private <T> void applyingWhenNonNull(T value, Consumer<T> consumer) {
+			if (value != null) {
+				consumer.accept(value);
+			}
+		}
 
-		void setBytes(PreparedStatement ps, int index, byte[] bytes) throws SQLException;
+		private AssertingPartyMetadata.Builder<?> createBuilderUsingMetadata(String entityId, String metadataUri) {
+			Collection<AssertingPartyMetadata.Builder<?>> candidates = AssertingPartyMetadata
+					.collectionFromMetadataLocation(metadataUri);
+			for (AssertingPartyMetadata.Builder<?> candidate : candidates) {
+				if (entityId == null || entityId.equals(getEntityId(candidate))) {
+					return candidate;
+				}
+			}
+			throw new IllegalStateException("No asserting party metadata with Entity ID '" + entityId + "' found");
+		}
 
+		private Object getEntityId(AssertingPartyMetadata.Builder<?> candidate) {
+			return candidate.build().getEntityId();
+		}
 	}
 
 	private interface GetBytes {

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistrations.java

@@ -128,10 +128,6 @@ public static RelyingPartyRegistration.Builder fromMetadata(InputStream source)
 		return collectionFromMetadata(source).iterator().next();
 	}
 
-	public static RelyingPartyRegistration.Builder fromMetadata(AssertingPartyMetadata metadata) {
-		return  RelyingPartyRegistration.withAssertingPartyMetadata(metadata);
-	}
-
 	/**
 	 * Return a {@link Collection} of {@link RelyingPartyRegistration.Builder}s based off
 	 * of the given SAML 2.0 Asserting Party (IDP) metadata location.

saml2/saml2-service-provider/src/main/resources/org/springframework/security/saml2/saml2-asserting-party-metadata-schema.sql

@@ -1,6 +1,7 @@
 CREATE TABLE saml2_asserting_party_metadata
 (
     entity_id                 VARCHAR(1000) NOT NULL,
+    metadata_uri              VARCHAR(1000),
     singlesignon_url          VARCHAR(1000),
     singlesignon_binding      VARCHAR(200),
     singlesignon_sign_request VARCHAR(1000),