Package org.forgerock.openig.tools.jwt.validation

Class Constraints

java.lang.Object

org.forgerock.openig.tools.jwt.validation.Constraints

public final class Constraints
extends Object

Constraints defined for JWT validation. Constraint evaluation results in a promise of a Result.

Method Summary

Modifier and Type	Method	Description
static JwtConstraint	canBeDecrypted(SecretsProvider secretsProvider, Purpose<DataDecryptionKey> purpose)	Provides a JwtConstraint configured with the supplied SecretsProvider that contain a secret capable of decrypting and verifying a JWT's encryption.
static <T> JwtClaimConstraint<Collection<T>>	contains(T expected)	Returns empty if the list contains the expected value.
static <T> JwtClaimConstraint<Collection<T>>	containsOnly(T expected)	Returns empty if the list contains only the expected value.
static JwtConstraint	hasClaims()	Returns empty if the JWT does contain claims.
static JwtConstraint	hasValidSignature(JwsSignatureVerifier verifier)	Validates the signature of this SignedJwt.
static JwtConstraint	hasValidSignatureAndEncryption(JwtConstraint signatureConstraint, JwtConstraint decryptionConstraint)	Provides a JwtConstraint configured with the supplied JwtConstraints verifying both signature and encryption.
static <T> JwtClaimConstraint<T>	isEqualTo(T expected)	Returns empty if the value is equal to the one expected and fulfill the Violation with the custom error message.
static <T extends Comparable<T>> JwtClaimConstraint<T>	isGreaterOrEqualTo(Function<ValidatorConstraintContext,T> limitSupplier)	Returns a JwtClaimConstraint that will succeed if the value is greater than or equal to the given value, otherwise it will fail.
static <T extends Comparable<T>> JwtClaimConstraint<T>	isGreaterOrEqualTo(T limit)	A shorter version of isGreaterOrEqualTo(constant(limit)).
static <T extends Comparable<T>> JwtClaimConstraint<T>	isGreaterThan(Function<ValidatorConstraintContext,T> limitSupplier)	Returns a JwtClaimConstraint that will succeed if the value is greater than the given value, otherwise it will fail.
static <T extends Comparable<T>> JwtClaimConstraint<T>	isGreaterThan(T limit)	A shorter version of isGreaterThan(constant(limit)).
static JwtClaimConstraint<Instant>	isInTheFuture()	Returns a JwtClaimConstraint that will succeed if the timestamp is after the given date, otherwise it will fail.
static JwtClaimConstraint<Instant>	isInThePast()	Returns a JwtClaimConstraint that will succeed if the timestamp is before the given date, otherwise it will fail.
static <T extends Comparable<T>> JwtClaimConstraint<T>	isLessOrEqualTo(Function<ValidatorConstraintContext,T> limitSupplier)	Returns a JwtClaimConstraint that will succeed if the value is less than or equal to the given value, otherwise it will fail.
static <T extends Comparable<T>> JwtClaimConstraint<T>	isLessOrEqualTo(T limit)	A shorter version of isLessOrEqualTo(constant(limit)).
static <T extends Comparable<T>> JwtClaimConstraint<T>	isLessThan(Function<ValidatorConstraintContext,T> limitSupplier)	Returns a JwtClaimConstraint that will succeed if the value is less than the given value, otherwise it will fail.
static <T extends Comparable<T>> JwtClaimConstraint<T>	isLessThan(T limit)	A shorter version of isLessThan(constant(limit)).
static JwtClaimConstraint<JsonValue>	isNotNull()	Returns empty if the value is present.
static JwtClaimConstraint<String>	matches(Pattern pattern)	Build and returns a new `Constraint` that checks if the claim's value is matched (as per Matcher.matches()) by the given regex.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

isEqualTo

public static <T> JwtClaimConstraint<T> isEqualTo(T expected)

Returns empty if the value is equal to the one expected and fulfill the Violation with the custom error message.

Type Parameters:

T - The type on which the constraint applies.

Parameters:

expected - The expected value.

Returns:

empty if the value is equal to the one expected or a Violation corresponding to this constraint.

contains

public static <T> JwtClaimConstraint<Collection<T>> contains(T expected)

Returns empty if the list contains the expected value.

Type Parameters:

T - The type on which the constraint applies.

Parameters:

expected - The expected value.

Returns:

empty if the value is contained in the list or a Violation corresponding to this constraint.

containsOnly

public static <T> JwtClaimConstraint<Collection<T>> containsOnly(T expected)

Returns empty if the list contains only the expected value.

Type Parameters:

T - The type on which the constraint applies.

Parameters:

expected - The expected value.

Returns:

empty if the value is contained in the singletonlist or a Violation corresponding to this constraint.

isInTheFuture

public static JwtClaimConstraint<Instant> isInTheFuture()

Returns a JwtClaimConstraint that will succeed if the timestamp is after the given date, otherwise it will fail. This method uses the skew allowance held on the ValidatorConstraintContext.

Returns:

a JwtClaimConstraint that will succeed if the timestamp is after the given date, otherwise it will fail.

isInThePast

public static JwtClaimConstraint<Instant> isInThePast()

Returns a JwtClaimConstraint that will succeed if the timestamp is before the given date, otherwise it will fail. This method uses the skew allowance held on the ValidatorConstraintContext.

Returns:

a JwtClaimConstraint that will succeed if the timestamp is before the given date, otherwise it will fail.

isGreaterOrEqualTo

public static <T extends Comparable<T>> JwtClaimConstraint<T> isGreaterOrEqualTo(Function<ValidatorConstraintContext,T> limitSupplier)

Returns a JwtClaimConstraint that will succeed if the value is greater than or equal to the given value, otherwise it will fail.

Type Parameters:

T - The type of the compared value.

Parameters:

limitSupplier - A supplier of the limit to be greater than or equal to.

Returns:

a JwtClaimConstraint that will succeed if the value is greater than or equal to the given value, otherwise it will fail.

isGreaterOrEqualTo

public static <T extends Comparable<T>> JwtClaimConstraint<T> isGreaterOrEqualTo(T limit)

A shorter version of isGreaterOrEqualTo(constant(limit)).

Type Parameters:

T - The type of the compared value.

Parameters:

limit - The limit to be greater than or equal to.

Returns:

a JwtClaimConstraint that will succeed if the value is greater than or equal to the given value, otherwise it will fail.

isGreaterThan

public static <T extends Comparable<T>> JwtClaimConstraint<T> isGreaterThan(Function<ValidatorConstraintContext,T> limitSupplier)

Returns a JwtClaimConstraint that will succeed if the value is greater than the given value, otherwise it will fail.

Type Parameters:

T - The type of the compared value.

Parameters:

limitSupplier - A supplier of the limit to be greater than.

Returns:

a JwtClaimConstraint that will succeed if the value is greater than the given value, otherwise it will fail.

isGreaterThan

public static <T extends Comparable<T>> JwtClaimConstraint<T> isGreaterThan(T limit)

A shorter version of isGreaterThan(constant(limit)).

Type Parameters:

T - The type of the compared value.

Parameters:

limit - The limit to be greater than.

Returns:

a JwtClaimConstraint that will succeed if the value is greater than the given value, otherwise it will fail.

isLessOrEqualTo

public static <T extends Comparable<T>> JwtClaimConstraint<T> isLessOrEqualTo(Function<ValidatorConstraintContext,T> limitSupplier)

Returns a JwtClaimConstraint that will succeed if the value is less than or equal to the given value, otherwise it will fail.

Type Parameters:

T - The type of the compared value.

Parameters:

limitSupplier - A supplier of the limit to be less than or equal to.

Returns:

a JwtClaimConstraint that will succeed if the value is less than or equal to the given value, otherwise it will fail.

isLessOrEqualTo

public static <T extends Comparable<T>> JwtClaimConstraint<T> isLessOrEqualTo(T limit)

A shorter version of isLessOrEqualTo(constant(limit)).

Type Parameters:

T - The type of the compared value.

Parameters:

limit - The limit to be less than or equal to.

Returns:

a JwtClaimConstraint that will succeed if the value is less than or equal to the given value, otherwise it will fail.

isLessThan

public static <T extends Comparable<T>> JwtClaimConstraint<T> isLessThan(Function<ValidatorConstraintContext,T> limitSupplier)

Returns a JwtClaimConstraint that will succeed if the value is less than the given value, otherwise it will fail.

Type Parameters:

T - The type of the compared value.

Parameters:

limitSupplier - A supplier of the limit to be less than.

Returns:

a JwtClaimConstraint that will succeed if the value is less than the given value, otherwise it will fail.

isLessThan

public static <T extends Comparable<T>> JwtClaimConstraint<T> isLessThan(T limit)

A shorter version of isLessThan(constant(limit)).

Type Parameters:

T - The type of the compared value.

Parameters:

limit - The limit to be less than.

Returns:

a JwtClaimConstraint that will succeed if the value is less than the given value, otherwise it will fail.

isNotNull

public static JwtClaimConstraint<JsonValue> isNotNull()

Returns empty if the value is present.

Returns:

empty if the value is present in the list or a Violation corresponding to this constraint.

matches

public static JwtClaimConstraint<String> matches(Pattern pattern)

Build and returns a new `Constraint` that checks if the claim's value is matched (as per Matcher.matches()) by the given regex.

The Constraint fails with a Violation otherwise.

Parameters:

pattern - The regex pattern to match.

Returns:

a new Constraint for Pattern matching

See Also:

for the supported pattern format

hasClaims

public static JwtConstraint hasClaims()

Returns empty if the JWT does contain claims.

Returns:

empty if the JWT does contain claims or a Violation corresponding to this constraint.

hasValidSignature

public static JwtConstraint hasValidSignature(JwsSignatureVerifier verifier)

Validates the signature of this SignedJwt.

Parameters:

verifier - The JwsSignatureVerifier used to verify the signature.

Returns:

empty if the JWT has a valid signature or a Violation corresponding to this constraint.

canBeDecrypted

public static JwtConstraint canBeDecrypted(SecretsProvider secretsProvider,
                                           Purpose<DataDecryptionKey> purpose)

Provides a JwtConstraint configured with the supplied SecretsProvider that contain a secret capable of decrypting and verifying a JWT's encryption. Fails if the supplied JWT is not encrypted or cannot be decrypted with the secrets available in the SecretsProvider.

Parameters:

secretsProvider - the instance from where to get the keys.

purpose - the Purpose of the decryption.

Returns:

empty if the JWT has a valid encryption or a Violation corresponding to this constraint.

hasValidSignatureAndEncryption

public static JwtConstraint hasValidSignatureAndEncryption(JwtConstraint signatureConstraint,
                                                           JwtConstraint decryptionConstraint)

Provides a JwtConstraint configured with the supplied JwtConstraints verifying both signature and encryption. Fails if the supplied JWT is either :

• Not encrypted and signed (both orders are accepted)
• Not decipherable
• Signed with an invalid signature

Parameters:

signatureConstraint - the constraint on signature.

decryptionConstraint - the constraint on decryption.

Returns:

the combined JwtConstraint.