# added support for OpenIdConnectDiscoveryDocument in TokenRestrictionTemplate

# added support for Widevine (WIP)

Author: Mariano Converti

services/azure-media/src/main/java/com/microsoft/windowsazure/services/media/implementation/templates/tokenrestriction/ErrorMessages.java

@@ -0,0 +1,16 @@
+package com.microsoft.windowsazure.services.media.implementation.templates.tokenrestriction;
+
+public final class ErrorMessages {
+
+    public static final String PRIMARY_VERIFICATIONKEY_AND_OPENIDCONNECTDISCOVERYDOCUMENT_ARE_NULL 
+        = "Both PrimaryVerificationKey and OpenIdConnectDiscoveryDocument are null.";
+
+    public static final String OPENIDDISCOVERYURI_STRING_IS_NULL_OR_EMPTY 
+        = "OpenIdConnectDiscoveryDocument.OpenIdDiscoveryUri string value is null or empty.";
+
+    public static final String OPENIDDISCOVERYURI_STRING_IS_NOT_ABSOLUTE_URI 
+        = "String representation of OpenIdConnectDiscoveryDocument.OpenIdDiscoveryUri is not valid absolute Uri.";
+
+    private ErrorMessages() {
+    }
+}

services/azure-media/src/main/java/com/microsoft/windowsazure/services/media/implementation/templates/tokenrestriction/OpenIdConnectDiscoveryDocument.java

@@ -0,0 +1,29 @@
+package com.microsoft.windowsazure.services.media.implementation.templates.tokenrestriction;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "OpenIdConnectDiscoveryDocument")
+public class OpenIdConnectDiscoveryDocument {
+
+    @XmlElement(name = "OpenIdDiscoveryUri")
+    private String openIdDiscoveryUri;
+
+    /**
+     * @return the openIdDiscoveryUri
+     */
+    public String getOpenIdDiscoveryUri() {
+        return openIdDiscoveryUri;
+    }
+
+    /**
+     * @param openIdDiscoveryUri the openIdDiscoveryUri to set
+     */
+    public void setOpenIdDiscoveryUri(String openIdDiscoveryUri) {
+        this.openIdDiscoveryUri = openIdDiscoveryUri;
+    }
+    
+}

services/azure-media/src/main/java/com/microsoft/windowsazure/services/media/implementation/templates/tokenrestriction/TokenRestrictionTemplate.java

@@ -34,6 +34,9 @@ public class TokenRestrictionTemplate {
 
     @XmlElement(name = "TokenType")
     private TokenType tokenType;
+
+    @XmlElement(name = "OpenIdConnectDiscoveryDocument")
+    private OpenIdConnectDiscoveryDocument openIdConnectDiscoveryDocument;
 
     @SuppressWarnings("unused")
     private TokenRestrictionTemplate() {
@@ -146,4 +149,21 @@ public TokenRestrictionTemplate setAlternateVerificationKeys(List<TokenVerificat
         this.alternateVerificationKeys = alternateVerificationKeys;
         return this;
     }
+    
+    /**
+     * @return the alternateVerificationKeys
+     */
+    public OpenIdConnectDiscoveryDocument getOpenIdConnectDiscoveryDocument() {
+        return openIdConnectDiscoveryDocument;
+    }
+
+    /**
+     * @param alternateVerificationKeys the alternateVerificationKeys to set
+     * @return this
+     */
+    public TokenRestrictionTemplate setOpenIdConnectDiscoveryDocument(OpenIdConnectDiscoveryDocument openIdConnectDiscoveryDocument) {
+        this.openIdConnectDiscoveryDocument = openIdConnectDiscoveryDocument;
+        return this;
+    }
+    
 }

services/azure-media/src/main/java/com/microsoft/windowsazure/services/media/implementation/templates/tokenrestriction/TokenRestrictionTemplateSerializer.java

@@ -3,6 +3,8 @@
 import java.io.File;
 import java.io.StringReader;
 import java.io.StringWriter;
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.net.URLEncoder;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
@@ -37,16 +39,38 @@ private TokenRestrictionTemplateSerializer() {
     }
 
     public static String serialize(TokenRestrictionTemplate template) throws JAXBException {
+
+        if (template.getPrimaryVerificationKey() == null && template.getOpenIdConnectDiscoveryDocument() == null) {
+            throw new IllegalArgumentException(
+                    ErrorMessages.PRIMARY_VERIFICATIONKEY_AND_OPENIDCONNECTDISCOVERYDOCUMENT_ARE_NULL);
+        }
+
+        if (template.getOpenIdConnectDiscoveryDocument() != null) {
+            if (template.getOpenIdConnectDiscoveryDocument().getOpenIdDiscoveryUri() == null
+                    || template.getOpenIdConnectDiscoveryDocument().getOpenIdDiscoveryUri().isEmpty()) {
+                throw new IllegalArgumentException(ErrorMessages.OPENIDDISCOVERYURI_STRING_IS_NULL_OR_EMPTY);
+            }
+
+            boolean openIdDiscoveryUrlValid = true;
+            try {
+                new URL(template.getOpenIdConnectDiscoveryDocument().getOpenIdDiscoveryUri());
+            } catch (MalformedURLException e) {
+                openIdDiscoveryUrlValid = false;
+            }
+
+            if (!openIdDiscoveryUrlValid) {
+                throw new IllegalArgumentException(ErrorMessages.OPENIDDISCOVERYURI_STRING_IS_NOT_ABSOLUTE_URI);
+            }
+        }
+
         StringWriter writer = new StringWriter();
         JAXBContext context = JAXBContext.newInstance(TokenRestrictionTemplate.class);
         Marshaller m = context.createMarshaller();
         m.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
         m.setProperty("com.sun.xml.bind.namespacePrefixMapper", new NamespacePrefixMapper() {
             @Override
             public String[] getPreDeclaredNamespaceUris() {
-                return new String[] { 
-                        XMLConstants.W3C_XML_SCHEMA_INSTANCE_NS_URI 
-                     };
+                return new String[] { XMLConstants.W3C_XML_SCHEMA_INSTANCE_NS_URI };
             }
 
             @Override
@@ -101,8 +125,8 @@ private static String urlEncode(String toEncode) {
     }
 
     public static String generateTestToken(TokenRestrictionTemplate tokenTemplate, TokenVerificationKey signingKeyToUse,
-            UUID keyIdForContentKeyIdentifierClaim, Date tokenExpiration, Date notBefore) {    
-        
+            UUID keyIdForContentKeyIdentifierClaim, Date tokenExpiration, Date notBefore) {
+
         if (tokenTemplate == null) {
             throw new NullPointerException("tokenTemplate");
         }
@@ -117,61 +141,63 @@ public static String generateTestToken(TokenRestrictionTemplate tokenTemplate, T
             cal.add(Calendar.MINUTE, 10);
             tokenExpiration = cal.getTime();
         }
-        
+
         if (notBefore == null) {
             Calendar cal = Calendar.getInstance();
             cal.setTime(new Date());
             cal.add(Calendar.MINUTE, -5);
             notBefore = cal.getTime();
         }
-        
+
         if (tokenTemplate.getTokenType().equals(TokenType.SWT)) {
-            return generateTestTokenSWT(tokenTemplate, signingKeyToUse, keyIdForContentKeyIdentifierClaim, tokenExpiration);
+            return generateTestTokenSWT(tokenTemplate, signingKeyToUse, keyIdForContentKeyIdentifierClaim,
+                    tokenExpiration);
         } else {
-            return generateTestTokenJWT(tokenTemplate, signingKeyToUse, keyIdForContentKeyIdentifierClaim, tokenExpiration, notBefore);
+            return generateTestTokenJWT(tokenTemplate, signingKeyToUse, keyIdForContentKeyIdentifierClaim,
+                    tokenExpiration, notBefore);
         }
     }
 
-    public static String generateTestTokenJWT(TokenRestrictionTemplate tokenTemplate, TokenVerificationKey signingKeyToUse,
-        UUID keyIdForContentKeyIdentifierClaim, Date tokenExpiration, Date notBefore) {
-    
+    public static String generateTestTokenJWT(TokenRestrictionTemplate tokenTemplate,
+            TokenVerificationKey signingKeyToUse, UUID keyIdForContentKeyIdentifierClaim, Date tokenExpiration,
+            Date notBefore) {
+
         SymmetricVerificationKey signingKey = (SymmetricVerificationKey) signingKeyToUse;
         SecretKeySpec secretKey = new SecretKeySpec(signingKey.getKeyValue(), "HmacSHA256");
-        
+
         // Mapping Claims.
         Map<String, Object> claims = new HashMap<String, Object>();
         for (TokenClaim claim : tokenTemplate.getRequiredClaims()) {
             String claimValue = claim.getClaimValue();
             if (claimValue == null && claim.getClaimType().equals(TokenClaim.getContentKeyIdentifierClaimType())) {
                 if (keyIdForContentKeyIdentifierClaim == null) {
-                    throw new IllegalArgumentException(String.format("The 'keyIdForContentKeyIdentifierClaim' parameter cannot be null when the token template contains a required '%s' claim type.", TokenClaim.getContentKeyIdentifierClaimType()));
+                    throw new IllegalArgumentException(String.format(
+                            "The 'keyIdForContentKeyIdentifierClaim' parameter cannot be null when the token template contains a required '%s' claim type.",
+                            TokenClaim.getContentKeyIdentifierClaimType()));
                 }
                 claimValue = keyIdForContentKeyIdentifierClaim.toString();
             }
-            claims.put(claim.getClaimType(), claimValue);    
+            claims.put(claim.getClaimType(), claimValue);
         }
 
-        return Jwts.builder()
-                .setHeaderParam("typ", "JWT")
-                .setClaims(claims)
-                .setIssuer(tokenTemplate.getIssuer().toString())
-                .setAudience(tokenTemplate.getAudience().toString())
-                .setIssuedAt(notBefore)
-                .setExpiration(tokenExpiration)
-                .signWith(SignatureAlgorithm.HS256, secretKey)
+        return Jwts.builder().setHeaderParam("typ", "JWT").setClaims(claims)
+                .setIssuer(tokenTemplate.getIssuer().toString()).setAudience(tokenTemplate.getAudience().toString())
+                .setIssuedAt(notBefore).setExpiration(tokenExpiration).signWith(SignatureAlgorithm.HS256, secretKey)
                 .compact();
     }
-    
-    public static String generateTestTokenSWT(TokenRestrictionTemplate tokenTemplate, TokenVerificationKey signingKeyToUse,
-            UUID keyIdForContentKeyIdentifierClaim, Date tokenExpiration) {
-        
+
+    public static String generateTestTokenSWT(TokenRestrictionTemplate tokenTemplate,
+            TokenVerificationKey signingKeyToUse, UUID keyIdForContentKeyIdentifierClaim, Date tokenExpiration) {
+
         StringBuilder builder = new StringBuilder();
 
         for (TokenClaim claim : tokenTemplate.getRequiredClaims()) {
             String claimValue = claim.getClaimValue();
             if (claim.getClaimType().equals(TokenClaim.getContentKeyIdentifierClaimType())) {
                 if (keyIdForContentKeyIdentifierClaim == null) {
-                    throw new IllegalArgumentException(String.format("The 'keyIdForContentKeyIdentifierClaim' parameter cannot be null when the token template contains a required '%s' claim type.", TokenClaim.getContentKeyIdentifierClaimType()));
+                    throw new IllegalArgumentException(String.format(
+                            "The 'keyIdForContentKeyIdentifierClaim' parameter cannot be null when the token template contains a required '%s' claim type.",
+                            TokenClaim.getContentKeyIdentifierClaimType()));
                 }
                 claimValue = keyIdForContentKeyIdentifierClaim.toString();
             }

services/azure-media/src/main/java/com/microsoft/windowsazure/services/media/models/AssetDeliveryPolicyConfigurationKey.java

@@ -35,9 +35,10 @@ public enum AssetDeliveryPolicyConfigurationKey {
     /** The PlayReady Custom Attributes to add to the PlayReady Content Header. */
     PlayReadyCustomAttributes(5),
     /** The initialization vector to use for envelope encryption. */
-    EnvelopeEncryptionIV(6);
-    
-    
+    EnvelopeEncryptionIV(6),
+    /** Widevine DRM Acquisition Url to use for common encryption. */
+    WidevineLicenseAcquisitionUrl(7);
+
 
     /** The AssetDeliveryPolicyType code. */
     private int assetDeliveryPolicyConfigurationKey;
@@ -84,6 +85,8 @@ public static AssetDeliveryPolicyConfigurationKey fromCode(int option) {
             return AssetDeliveryPolicyConfigurationKey.PlayReadyCustomAttributes;
         case 6:
             return AssetDeliveryPolicyConfigurationKey.EnvelopeEncryptionIV;
+        case 7:
+            return AssetDeliveryPolicyConfigurationKey.WidevineLicenseAcquisitionUrl;
         default:
             throw new InvalidParameterException("option");
         }

services/azure-media/src/main/java/com/microsoft/windowsazure/services/media/models/ContentKeyDeliveryType.java

@@ -27,7 +27,9 @@ public enum ContentKeyDeliveryType {
     /** Use PlayReady License acquisition protocol. */
     PlayReadyLicense(1),
     /** Use MPEG Baseline HTTP key protocol. */
-    BaselineHttp(2);
+    BaselineHttp(2),
+    /** Use Widevine license acquisition protocol. */
+    Widevine(3);
 
     /** The AssetDeliveryPolicyType code. */
     private int contentKeyDeliveryType;
@@ -66,6 +68,8 @@ public static ContentKeyDeliveryType fromCode(int option) {
             return ContentKeyDeliveryType.PlayReadyLicense;
         case 2:
             return ContentKeyDeliveryType.BaselineHttp;
+        case 3:
+            return ContentKeyDeliveryType.Widevine;
         default:
             throw new InvalidParameterException("option");
         }