Package org.forgerock.macaroons

Class JsonCaveatSet

java.lang.Object

org.forgerock.json.JsonValue

org.forgerock.macaroons.JsonCaveatSet

All Implemented Interfaces:

Cloneable, Iterable<JsonValue>

public class JsonCaveatSet
extends JsonValue

Convenience class for constructing a set of JSON-based 1st-party caveats for use with Macaroon.addFirstPartyCaveat(JsonValue). Multiple caveats can be added to a single JSON object and appended as one unit. A JSON caveat set is a JSON object where each field in the object represent a separate caveat to be verified. For example, the JSON object

 {
     "exp": 12345,
     "aud": ["https://api.example.com/"]
 }
 

represents a caveat set containing two caveats: one that restricts the expiry time and another that restricts the audience.

Constructor Summary

Constructors

Constructor	Description
JsonCaveatSet()	Constructs an empty set of caveats.

Method Summary

Modifier and Type	Method	Description
JsonCaveatSet	audience(String... allowedAudience)	Specifies that the macaroon should only be accepted by endpoints listed in the given audience.
JsonCaveatSet	audience(Collection<String> allowedAudience)	Specifies that the macaroon should only be accepted by endpoints listed in the given audience.
JsonCaveatSet	certificateBound(X509Certificate certificate)	Binds the macaroon to the given TLS client certificate.
JsonCaveatSet	certificateBoundSha512(X509Certificate certificate)	Binds the macaroon to the given TLS client certificate.
JsonCaveatSet	confirmationKey(JsonValue confirmationKey)	Binds the macaroon to only be usable by a client that can prove possession of the key indicated in the given JSON object.
JsonCaveatSet	expiresAt(Instant expiryTime)	Specifies that the macaroon should expire at the given time.
JsonCaveatSet	notBefore(Instant notBeforeTime)	Specifies that the macaroon should be considered invalid before the given time.

Methods inherited from class org.forgerock.json.JsonValue

add, add, add, add, addIfNotNull, addPermissive, array, as, asAsync, asBoolean, asCollection, asCollection, asDouble, asInteger, asList, asList, asLong, asMap, asMap, asMapOfList, asNumber, asString, clear, clone, contains, copy, defaultTo, diff, expect, field, fieldIfNotNull, get, get, get, getObject, getPointer, isBoolean, isCollection, isDefined, isEqualTo, isList, isMap, isNotNull, isNull, isNumber, isString, iterator, json, keys, merge, object, object, patch, put, put, put, putIfNotNull, putPermissive, remove, remove, remove, required, setObject, size, stream, toIndex, toString

Methods inherited from class java.lang.Object

equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface java.lang.Iterable

forEach, spliterator

Constructor Details

JsonCaveatSet

public JsonCaveatSet()

Constructs an empty set of caveats.

Method Details

expiresAt

public JsonCaveatSet expiresAt(Instant expiryTime)

Specifies that the macaroon should expire at the given time.

Parameters:

expiryTime - the expiry time. Not null.

Returns:

this caveat set.

See Also:

• JsonCaveatVerifier.satisfyExpiryTime(Instant, java.time.Duration)

notBefore

public JsonCaveatSet notBefore(Instant notBeforeTime)

Specifies that the macaroon should be considered invalid before the given time.

Parameters:

notBeforeTime - the not-before time. Not null.

Returns:

this caveat set.

See Also:

• JsonCaveatVerifier.satisfyNotBeforeTime(Instant, java.time.Duration)

audience

public JsonCaveatSet audience(Collection<String> allowedAudience)

Specifies that the macaroon should only be accepted by endpoints listed in the given audience.

Parameters:

allowedAudience - the allowed audience for the macaroon. Not null or empty.

Returns:

this caveat set.

See Also:

• JsonCaveatVerifier.satisfyAudience(Collection)

audience

public JsonCaveatSet audience(String... allowedAudience)

Specifies that the macaroon should only be accepted by endpoints listed in the given audience.

Parameters:

allowedAudience - the allowed audience for the macaroon. Not null or empty.

Returns:

this caveat set.

See Also:

• JsonCaveatVerifier.satisfyAudience(Collection)

confirmationKey

public JsonCaveatSet confirmationKey(JsonValue confirmationKey)

Binds the macaroon to only be usable by a client that can prove possession of the key indicated in the given JSON object. The format of the JSON object depends on the confirmation method being used. See certificateBound(X509Certificate) for one example.

Parameters:

confirmationKey - the confirmation key. Not null.

Returns:

this caveat set.

certificateBound

public JsonCaveatSet certificateBound(X509Certificate certificate)

Binds the macaroon to the given TLS client certificate. The client is required to only use the macaroon over a TLS channel that has been authenticated using the given client certificate. This method will use a SHA-256 fingerprint of the certificate.

Parameters:

certificate - the TLS client certificate. Not null.

Returns:

this caveat set.

See Also:

• JsonCaveatVerifier.satisfyClientCertificate(X509Certificate)

certificateBoundSha512

public JsonCaveatSet certificateBoundSha512(X509Certificate certificate)

Binds the macaroon to the given TLS client certificate. The client is required to only use the macaroon over a TLS channel that has been authenticated using the given client certificate. This method will use a SHA-512 fingerprint of the certificate.

Parameters:

certificate - the TLS client certificate. Not null.

Returns:

this caveat set.

See Also:

• JsonCaveatVerifier.satisfyClientCertificate(X509Certificate)