refactor: centralize repeated string constants

Author: TomiBelan

andrvotr-impl/src/main/java/io/github/fmfi_svt/andrvotr/Constants.java

@@ -1,7 +1,31 @@
 package io.github.fmfi_svt.andrvotr;
 
 public final class Constants {
-    public static final String AUTHORITY_TOKEN_INNER_PREFIX = "ANDRVOTR_AUTHORITY_TOKEN_V1";
+    private Constants() {}
 
+    // Strings used in Andrvotr Authority Tokens. Produced by AuthorityTokenGenerator and consumed by HttpController.
+    public static final String AUTHORITY_TOKEN_INNER_PREFIX = "ANDRVOTR_AUTHORITY_TOKEN_V1";
     public static final String AUTHORITY_TOKEN_OUTER_PREFIX = "A1:";
+
+    // HTTP header names used for internal communication between HttpController and FabricationWebflowListener.
+    public static final String HEADER_ANDRVOTR_INTERNAL_FABRICATION_TOKEN = "Andrvotr-Internal-Fabrication-Token";
+    public static final String HEADER_ANDRVOTR_INTERNAL_FABRICATION_FRONT = "Andrvotr-Internal-Fabrication-Front";
+    public static final String HEADER_ANDRVOTR_INTERNAL_FABRICATION_TRACE = "Andrvotr-Internal-Fabrication-Trace";
+
+    // Token value used for internal communication between HttpController and FabricationWebflowListener.
+    public static final String ANDRVOTR_FABRICATION_TOKEN_VALUE = "andrvotr-fabrication-token";
+
+    // State and event names defined in the Shibboleth flow "SAML2/Redirect/SSO". Arguably an internal implementation
+    // detail of Shibboleth. See class doc of FabricationWebflowListener.
+    public static final String STATE_DECODE_MESSAGE = "DecodeMessage";
+    public static final String STATE_HANDLE_OUTBOUND_MESSAGE = "HandleOutboundMessage";
+    public static final String STATE_END = "end";
+    public static final String EVENT_PROCEED = "proceed";
+
+    // Pseudo state names written in the fabrication trace. Used for internal communication between HttpController and
+    // FabricationWebflowListener, and occasionally returned to the client on errors.
+    public static final String TRACE_START = "@Start";
+    public static final String TRACE_ALLOWED_CONNECTION_CHECK = "@AllowedConnectionCheck";
+    public static final String TRACE_ALLOWED_CONNECTION_CHECK_SUCCESS = "@AllowedConnectionCheckSuccess";
+    public static final String TRACE_ALLOWED_CONNECTION_CHECK_FAILURE = "@AllowedConnectionCheckFailure";
 }

andrvotr-impl/src/main/java/io/github/fmfi_svt/andrvotr/FabricationWebflowListener.java

@@ -37,6 +37,8 @@
 /// java-identity-provider/idp-conf-impl/src/main/resources/net/shibboleth/idp/flows/saml/saml-abstract-flow.xml.
 public final class FabricationWebflowListener extends AbstractInitializableComponent implements FlowExecutionListener {
 
+    private static final String ANDRVOTR_FABRICATION_TOKEN_OK = "andrvotr_fabrication_token_ok";
+
     private final @Nonnull Logger log = LoggerFactory.getLogger(FabricationWebflowListener.class);
 
     private Config config;
@@ -71,7 +73,7 @@ public void requestSubmitted(RequestContext context) {
                 (HttpServletRequest) context.getExternalContext().getNativeRequest();
 
         // If the request does not have the Andrvotr-Internal-Fabrication-Token header, do nothing.
-        String token = request.getHeader("Andrvotr-Internal-Fabrication-Token");
+        String token = request.getHeader(Constants.HEADER_ANDRVOTR_INTERNAL_FABRICATION_TOKEN);
         if (token == null) {
             log.debug("no Andrvotr-Internal-Fabrication-Token - ignoring request");
             return;
@@ -82,7 +84,7 @@ public void requestSubmitted(RequestContext context) {
         // info in Andrvotr-Internal-Fabrication-Trace. But just in case.)
         try {
             String content = dataSealer.unwrap(token);
-            if (!"andrvotr-fabrication-token".equals(content)) {
+            if (!Constants.ANDRVOTR_FABRICATION_TOKEN_VALUE.equals(content)) {
                 throw new Exception("wrong unwrapped value");
             }
         } catch (Exception e) {
@@ -93,8 +95,8 @@ public void requestSubmitted(RequestContext context) {
         }
 
         log.info("started {} as a nested request inside andrvotr/fabricate", request.getRequestURI());
-        context.getRequestScope().put("andrvotr_fabrication_token_ok", new Object());
-        addTrace(context, "@Start");
+        context.getRequestScope().put(ANDRVOTR_FABRICATION_TOKEN_OK, new Object());
+        addTrace(context, Constants.TRACE_START);
     }
 
     @Override
@@ -103,15 +105,16 @@ public void eventSignaled(RequestContext context, Event event) {
                 (HttpServletRequest) context.getExternalContext().getNativeRequest();
 
         // If the request does not have the Andrvotr-Internal-Fabrication-Token header, do nothing.
-        if (!context.getRequestScope().contains("andrvotr_fabrication_token_ok")) return;
+        if (!context.getRequestScope().contains(ANDRVOTR_FABRICATION_TOKEN_OK)) return;
 
         // If we're leaving the "DecodeMessage" state with the "proceed" event (not an error), check whether our
         // configuration allows connections from the front entity ID (sent by HttpController in a header) to the back
         // entity ID (found in the decoded SAML message).
-        if ("DecodeMessage".equals(context.getCurrentState().getId()) && "proceed".equals(event.getId())) {
-            addTrace(context, "@AllowedConnectionCheck");
+        if (Constants.STATE_DECODE_MESSAGE.equals(context.getCurrentState().getId())
+                && Constants.EVENT_PROCEED.equals(event.getId())) {
+            addTrace(context, Constants.TRACE_ALLOWED_CONNECTION_CHECK);
 
-            String frontID = request.getHeader("Andrvotr-Internal-Fabrication-Front");
+            String frontID = request.getHeader(Constants.HEADER_ANDRVOTR_INTERNAL_FABRICATION_FRONT);
 
             // RelyingPartyContext is created by the "InitializeRelyingPartyContextFromSAMLPeer" action which runs
             // during the "DecodeMessage" state.
@@ -123,23 +126,23 @@ public void eventSignaled(RequestContext context, Event event) {
                     || Strings.isNullOrEmpty(backID)
                     || !config.isAllowedConnection(frontID, backID)) {
                 log.error("forbidden andrvotr connection: front={} back={}", frontID, backID);
-                addTrace(context, "@AllowedConnectionCheckFail");
+                addTrace(context, Constants.TRACE_ALLOWED_CONNECTION_CHECK_FAILURE);
                 throw new RuntimeException("Andrvotr fabricate failed - this connection is not allowed");
             }
 
             log.info("allowed andrvotr connection: front={} back={}", frontID, backID);
-            addTrace(context, "@AllowedConnectionCheckSuccess");
+            addTrace(context, Constants.TRACE_ALLOWED_CONNECTION_CHECK_SUCCESS);
         }
     }
 
     @Override
     public void stateEntered(RequestContext context, StateDefinition previousState, StateDefinition state) {
         // If the request does not have the Andrvotr-Internal-Fabrication-Token header, do nothing.
-        if (!context.getRequestScope().contains("andrvotr_fabrication_token_ok")) return;
+        if (!context.getRequestScope().contains(ANDRVOTR_FABRICATION_TOKEN_OK)) return;
 
         // When moving from "HandleOutboundMessage" to "end", it is expected that the response is already sent, and we
         // can't add response headers anymore. Avoid the warning in addTrace.
-        if ("end".equals(state.getId())) return;
+        if (Constants.STATE_END.equals(state.getId())) return;
 
         // Save all entered states in a response header for troubleshooting.
         addTrace(context, state.getId());
@@ -151,7 +154,7 @@ private void addTrace(RequestContext context, String value) {
 
         if (!response.isCommitted()) {
             log.debug("adding Andrvotr-Internal-Fabrication-Trace: {}", value);
-            response.addHeader("Andrvotr-Internal-Fabrication-Trace", value);
+            response.addHeader(Constants.HEADER_ANDRVOTR_INTERNAL_FABRICATION_TRACE, value);
         } else {
             log.warn("response already committed, cannot add trace '{}'", value);
         }

andrvotr-impl/src/main/java/io/github/fmfi_svt/andrvotr/HttpController.java

@@ -163,7 +163,7 @@ public void fabricate(@Nonnull HttpServletRequest httpRequest, @Nonnull HttpServ
         try {
             // Expiration just for the sake of it. The exact length doesn't really matter.
             Instant expiration = Instant.now().plus(Duration.ofMinutes(10));
-            fabricationToken = dataSealer.wrap("andrvotr-fabrication-token", expiration);
+            fabricationToken = dataSealer.wrap(Constants.ANDRVOTR_FABRICATION_TOKEN_VALUE, expiration);
         } catch (Exception e) {
             log.error("DataSealer.wrap failed", e);
             sendError(httpResponse, 500, "DataSealer.wrap failed");
@@ -172,15 +172,16 @@ public void fabricate(@Nonnull HttpServletRequest httpRequest, @Nonnull HttpServ
 
         HttpGet nestedRequest = new HttpGet(targetUrl);
         nestedRequest.addHeader("Cookie", cookies);
-        nestedRequest.addHeader("Andrvotr-Internal-Fabrication-Token", fabricationToken);
-        nestedRequest.addHeader("Andrvotr-Internal-Fabrication-Front", frontEntityID);
+        nestedRequest.addHeader(Constants.HEADER_ANDRVOTR_INTERNAL_FABRICATION_TOKEN, fabricationToken);
+        nestedRequest.addHeader(Constants.HEADER_ANDRVOTR_INTERNAL_FABRICATION_FRONT, frontEntityID);
 
         httpClient.execute(nestedRequest, (nestedResponse) -> {
             int statusCode = nestedResponse.getCode();
             String contentType = nestedResponse.getEntity().getContentType();
             long contentLength = nestedResponse.getEntity().getContentLength();
 
-            List<String> trace = Arrays.stream(nestedResponse.getHeaders("Andrvotr-Internal-Fabrication-Trace"))
+            List<String> trace = Arrays.stream(
+                            nestedResponse.getHeaders(Constants.HEADER_ANDRVOTR_INTERNAL_FABRICATION_TRACE))
                     .map(Header::getValue)
                     .collect(Collectors.toList());
 
@@ -193,9 +194,9 @@ public void fabricate(@Nonnull HttpServletRequest httpRequest, @Nonnull HttpServ
                     && contentType != null
                     && contentType.startsWith("text/html")
                     && !trace.isEmpty()
-                    && "@Start".equals(trace.get(0))
-                    && trace.contains("@AllowedConnectionCheckSuccess")
-                    && "HandleOutboundMessage".equals(trace.get(trace.size() - 1));
+                    && Constants.TRACE_START.equals(trace.get(0))
+                    && trace.contains(Constants.TRACE_ALLOWED_CONNECTION_CHECK_SUCCESS)
+                    && Constants.STATE_HANDLE_OUTBOUND_MESSAGE.equals(trace.get(trace.size() - 1));
 
             if (!success) {
                 String message = String.format(