Package org.forgerock.openig.tools.jwt.validation

Class Constraints

java.lang.Object
org.forgerock.openig.tools.jwt.validation.Constraints
public final class Constraints extends Object
Constraints defined for JWT validation. Constraint evaluation results in a promise of a Result.

  • Method Details

    • isEqualTo

      public static <T> JwtClaimConstraint<T> isEqualTo(T expected)
      Returns empty if the value is equal to the one expected and fulfill the Violation with the custom error message.
      Type Parameters:
      T - The type on which the constraint applies.
      Parameters:
      expected - The expected value.
      Returns:
      empty if the value is equal to the one expected or a Violation corresponding to this constraint.

    • contains

      public static <T> JwtClaimConstraint<Collection<T>> contains(T expected)
      Returns empty if the list contains the expected value.
      Type Parameters:
      T - The type on which the constraint applies.
      Parameters:
      expected - The expected value.
      Returns:
      empty if the value is contained in the list or a Violation corresponding to this constraint.

    • containsOnly

      public static <T> JwtClaimConstraint<Collection<T>> containsOnly(T expected)
      Returns empty if the list contains only the expected value.
      Type Parameters:
      T - The type on which the constraint applies.
      Parameters:
      expected - The expected value.
      Returns:
      empty if the value is contained in the singletonlist or a Violation corresponding to this constraint.

    • isInTheFuture

      public static JwtClaimConstraint<Instant> isInTheFuture()
      Returns a JwtClaimConstraint that will succeed if the timestamp is after the given date, otherwise it will fail. This method uses the skew allowance held on the ValidatorConstraintContext.
      Returns:
      a JwtClaimConstraint that will succeed if the timestamp is after the given date, otherwise it will fail.

    • isInThePast

      public static JwtClaimConstraint<Instant> isInThePast()
      Returns a JwtClaimConstraint that will succeed if the timestamp is before the given date, otherwise it will fail. This method uses the skew allowance held on the ValidatorConstraintContext.
      Returns:
      a JwtClaimConstraint that will succeed if the timestamp is before the given date, otherwise it will fail.

    • isGreaterOrEqualTo

      public static <T extends Comparable<T>> JwtClaimConstraint<T> isGreaterOrEqualTo(Function<ValidatorConstraintContext,T> limitSupplier)
      Returns a JwtClaimConstraint that will succeed if the value is greater than or equal to the given value, otherwise it will fail.
      Type Parameters:
      T - The type of the compared value.
      Parameters:
      limitSupplier - A supplier of the limit to be greater than or equal to.
      Returns:
      a JwtClaimConstraint that will succeed if the value is greater than or equal to the given value, otherwise it will fail.

    • isGreaterOrEqualTo

      public static <T extends Comparable<T>> JwtClaimConstraint<T> isGreaterOrEqualTo(T limit)
      A shorter version of isGreaterOrEqualTo(constant(limit)).
      Type Parameters:
      T - The type of the compared value.
      Parameters:
      limit - The limit to be greater than or equal to.
      Returns:
      a JwtClaimConstraint that will succeed if the value is greater than or equal to the given value, otherwise it will fail.

    • isGreaterThan

      public static <T extends Comparable<T>> JwtClaimConstraint<T> isGreaterThan(Function<ValidatorConstraintContext,T> limitSupplier)
      Returns a JwtClaimConstraint that will succeed if the value is greater than the given value, otherwise it will fail.
      Type Parameters:
      T - The type of the compared value.
      Parameters:
      limitSupplier - A supplier of the limit to be greater than.
      Returns:
      a JwtClaimConstraint that will succeed if the value is greater than the given value, otherwise it will fail.

    • isGreaterThan

      public static <T extends Comparable<T>> JwtClaimConstraint<T> isGreaterThan(T limit)
      A shorter version of isGreaterThan(constant(limit)).
      Type Parameters:
      T - The type of the compared value.
      Parameters:
      limit - The limit to be greater than.
      Returns:
      a JwtClaimConstraint that will succeed if the value is greater than the given value, otherwise it will fail.

    • isLessOrEqualTo

      public static <T extends Comparable<T>> JwtClaimConstraint<T> isLessOrEqualTo(Function<ValidatorConstraintContext,T> limitSupplier)
      Returns a JwtClaimConstraint that will succeed if the value is less than or equal to the given value, otherwise it will fail.
      Type Parameters:
      T - The type of the compared value.
      Parameters:
      limitSupplier - A supplier of the limit to be less than or equal to.
      Returns:
      a JwtClaimConstraint that will succeed if the value is less than or equal to the given value, otherwise it will fail.

    • isLessOrEqualTo

      public static <T extends Comparable<T>> JwtClaimConstraint<T> isLessOrEqualTo(T limit)
      A shorter version of isLessOrEqualTo(constant(limit)).
      Type Parameters:
      T - The type of the compared value.
      Parameters:
      limit - The limit to be less than or equal to.
      Returns:
      a JwtClaimConstraint that will succeed if the value is less than or equal to the given value, otherwise it will fail.

    • isLessThan

      public static <T extends Comparable<T>> JwtClaimConstraint<T> isLessThan(Function<ValidatorConstraintContext,T> limitSupplier)
      Returns a JwtClaimConstraint that will succeed if the value is less than the given value, otherwise it will fail.
      Type Parameters:
      T - The type of the compared value.
      Parameters:
      limitSupplier - A supplier of the limit to be less than.
      Returns:
      a JwtClaimConstraint that will succeed if the value is less than the given value, otherwise it will fail.

    • isLessThan

      public static <T extends Comparable<T>> JwtClaimConstraint<T> isLessThan(T limit)
      A shorter version of isLessThan(constant(limit)).
      Type Parameters:
      T - The type of the compared value.
      Parameters:
      limit - The limit to be less than.
      Returns:
      a JwtClaimConstraint that will succeed if the value is less than the given value, otherwise it will fail.

    • isNotNull

      public static JwtClaimConstraint<JsonValue> isNotNull()
      Returns empty if the value is present.
      Returns:
      empty if the value is present in the list or a Violation corresponding to this constraint.

    • matches

      public static JwtClaimConstraint<String> matches(Pattern pattern)
      Build and returns a new `Constraint` that checks if the claim's value is matched (as per Matcher.matches()) by the given regex.

      The Constraint fails with a Violation otherwise.

      Parameters:
      pattern - The regex pattern to match.
      Returns:
      a new Constraint for Pattern matching
      See Also:

    • hasClaims

      public static JwtConstraint hasClaims()
      Returns empty if the JWT does contain claims.
      Returns:
      empty if the JWT does contain claims or a Violation corresponding to this constraint.

    • hasValidSignature

      public static JwtConstraint hasValidSignature(JwsSignatureVerifier verifier)
      Validates the signature of this SignedJwt.
      Parameters:
      verifier - The JwsSignatureVerifier used to verify the signature.
      Returns:
      empty if the JWT has a valid signature or a Violation corresponding to this constraint.

    • hasValidSignature

      public static JwtConstraint hasValidSignature(SecretsProvider secretsProvider, Purpose<VerificationKey> purpose)
      Validates the signature of this SignedJwt.
      Parameters:
      secretsProvider - the secretsProvider containing the validation key
      purpose - the purpose used to retieve the signature validation key
      Returns:
      empty if the JWT has a valid signature or a Violation corresponding to this constraint.

    • canBeDecrypted

      public static JwtConstraint canBeDecrypted(SecretsProvider secretsProvider, Purpose<DataDecryptionKey> purpose)
      Provides a JwtConstraint configured with the supplied SecretsProvider that contain a secret capable of decrypting and verifying a JWT's encryption. Fails if the supplied JWT is not encrypted or cannot be decrypted with the secrets available in the SecretsProvider.
      Parameters:
      secretsProvider - the instance from where to get the keys.
      purpose - the Purpose of the decryption.
      Returns:
      empty if the JWT has a valid encryption or a Violation corresponding to this constraint.

    • hasValidSignatureAndEncryption

      public static JwtConstraint hasValidSignatureAndEncryption(JwtConstraint signatureConstraint, JwtConstraint decryptionConstraint)
      Provides a JwtConstraint configured with the supplied JwtConstraints verifying both signature and encryption. Fails if the supplied JWT is either :
      • Not encrypted and signed (both orders are accepted)
      • Not decipherable
      • Signed with an invalid signature
      Parameters:
      signatureConstraint - the constraint on signature.
      decryptionConstraint - the constraint on decryption.
      Returns:
      the combined JwtConstraint.

    • equalsAttributeUsingKey

      public static <T> JwtClaimConstraint<T> equalsAttributeUsingKey()
      Returns a JwtClaimConstraint that will succeed if the expected value is equal to the value looked up in the context attributes using the key, otherwise it will fail.
      Type Parameters:
      T - The type of the value being checked.
      Returns:
      a JwtClaimConstraint that will succeed if the expected value is equal to the value looked up in the context attributes using the key, otherwise it will fail.

    • isExpectedType

      public static <T> JwtClaimConstraint<T> isExpectedType(Class<?> expectedType)
      Returns a JwtClaimConstraint that will succeed if the claim exists and is of the expected type, otherwise it will fail.
      Type Parameters:
      T - The type on which the constraint applies.
      Parameters:
      expectedType - The expected type of the claim.
      Returns:
      a JwtClaimConstraint that will succeed if the claim exists and is of the expected type, otherwise it will fail.