| author | Thomas <> | 2022-12-19 14:28:16 +0100 | 
|---|---|---|
| committer | Thomas <> | 2022-12-19 14:28:16 +0100 | 
| commit | b13a7517ea0f625d9b24b8d1ca709c8224e9c4d4 (patch) | |
| tree | cb29b092a3338e91410d97210e81f690eb40a26c | |
| parent | 31a4bcf1651cff3e27e35a34aa67effb33996dcb (diff) | |
feat(core): support not-notified eIDAS LoA
4 files changed, 23 insertions, 12 deletions
| diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/AbstractAuthenticationDataBuilder.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/AbstractAuthenticationDataBuilder.java index 142dcf28..9d24eb8c 100644 --- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/AbstractAuthenticationDataBuilder.java +++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/AbstractAuthenticationDataBuilder.java @@ -315,12 +315,16 @@ public abstract class AbstractAuthenticationDataBuilder implements IAuthenticati        if (currentLoA.startsWith(EaafConstants.EIDAS_LOA_PREFIX)) {          authData.setEidasLoa(currentLoA); +      } else if (currentLoA.startsWith(EaafConstants.EIDAS_LOA_NOT_NOTIFIED_PREFIX)) { +        log.info("Find not-notified eIDAS LoA: {}. Use it as it is", currentLoA); +        authData.setEidasLoa(currentLoA); +                } else {          log.info("Only eIDAS LoAs are supported by this implementation");        }      } else { -      log.info("No QAA level found. Set to default level " + EaafConstants.EIDAS_LOA_LOW); +      log.info("No QAA level found. Set to default level: {}", EaafConstants.EIDAS_LOA_LOW);        authData.setEidasLoa(EaafConstants.EIDAS_LOA_LOW);      } diff --git a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/data/EaafConstants.java b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/data/EaafConstants.java index 82749b81..313dd61c 100644 --- a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/data/EaafConstants.java +++ b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/data/EaafConstants.java 
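Review bot: The new `else if` branch in the `@@ -315,12 +315,16 @@` hunk accepts any value that merely starts with `EaafConstants.EIDAS_LOA_NOT_NOTIFIED_PREFIX` and stores it unchanged through `authData.setEidasLoa(currentLoA)`, so an arbitrary suffix would become the LoA recorded for the authentication. Where `currentLoA` comes from is outside the hunk; if it can originate from a remote IdP response, the part after the prefix should be compared with the known levels (low, substantial, high) before it is stored, and anything else should fall through to the existing "Only eIDAS LoAs are supported" branch. The same prefix-only test already applies to `EIDAS_LOA_PREFIX` in the branch above. The log text would read better as `"Found not-notified eIDAS LoA: {}. Using it as is"`. The enclosing method starts and ends outside the hunk.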
@@ -53,6 +53,8 @@ public class EaafConstants {    public static final String EIDAS_LOA_SUBSTANTIAL = EIDAS_LOA_PREFIX + "substantial";    public static final String EIDAS_LOA_HIGH = EIDAS_LOA_PREFIX + "high"; +  public static final String EIDAS_LOA_NOT_NOTIFIED_PREFIX = "http://eidas.europa.eu/NotNotified/LoA/"; +      public static final String EIDAS_LOA_MATCHING_MINIMUM = "minimum";    public static final String EIDAS_LOA_MATCHING_EXACT = "exact"; diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QaaLevelVerifier.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QaaLevelVerifier.java index ca6f29e4..7ed2e939 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QaaLevelVerifier.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QaaLevelVerifier.java @@ -19,15 +19,15 @@  package at.gv.egiz.eaaf.modules.pvp2.impl.utils; -import java.util.List; - -import at.gv.egiz.eaaf.core.api.data.EaafConstants; -import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotAllowedException; +import java.util.Collection;  import org.apache.commons.lang3.StringUtils;  import org.slf4j.Logger;  import org.slf4j.LoggerFactory; +import at.gv.egiz.eaaf.core.api.data.EaafConstants; +import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotAllowedException; +  /**   * EAAF LoA Level verifier checks if requested LoA matchs to LoA of   * authentication. 
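Review bot: `EIDAS_LOA_NOT_NOTIFIED_PREFIX` in the `EaafConstants` hunk is added without a comment, and nothing on the constant says that a value under this prefix is not interchangeable with the `EIDAS_LOA_PREFIX` level that has the same suffix. A short Javadoc would make that explicit for later callers, for example `/** Prefix of LoA URIs used for not-notified eID schemes; never treat as equal to the notified LoA with the same suffix. */`. Only the prefix is defined, so code that needs a concrete not-notified level has to assemble the string itself; constants parallel to `EIDAS_LOA_LOW`, `EIDAS_LOA_SUBSTANTIAL` and `EIDAS_LOA_HIGH` would avoid that.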
@@ -86,17 +86,18 @@ public class QaaLevelVerifier {     * @param matchingMode LoA matching mode     * @throws QaaNotAllowedException If LoA does not match     */ -  public static void verifyQaaLevel(final String qaaAuth, final List<String> requiredLoAs, +  public static void verifyQaaLevel(final String qaaAuth, final Collection<String> requiredLoAs,        final String matchingMode) throws QaaNotAllowedException { -    log.trace("Starting LoA verification: authLoA: " + qaaAuth + " requiredLoA: " -        + StringUtils.join(requiredLoAs, "|") + " matchingMode: " + matchingMode); - +    log.trace("Starting LoA verification with authLoA:{} requiredLoA:{} matchingMode:{} ",  +        qaaAuth, StringUtils.join(requiredLoAs, "|"), matchingMode); +             boolean hasMatch = false;      for (final String loa : requiredLoAs) {        if (verifyQaaLevel(qaaAuth, loa, matchingMode)) {          hasMatch = true; +        break; +                } -      }      if (!hasMatch) { diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java index 261f7b2b..bbe1d95f 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java @@ -22,8 +22,10 @@ package at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder;  import java.security.MessageDigest;  import java.time.Instant;  import java.util.ArrayList; +import java.util.HashSet;  import java.util.Iterator;  import java.util.List; +import java.util.Set;  import javax.naming.ConfigurationException; 
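Review bot: The loop in `verifyQaaLevel` in the `@@ -86,17 +86,18 @@` hunk succeeds as soon as one entry of `requiredLoAs` matches, so the least demanding entry in the collection is the effective requirement, yet the Javadoc above the signature only says "If LoA does not match". The parameter documentation should state the any-of rule, for example `@param requiredLoAs acceptable LoAs; verification succeeds if qaaAuth satisfies at least one of them`. A null collection would reach the `for` loop and fail with a NullPointerException instead of `QaaNotAllowedException`, so an explicit rejection of null or empty input before the loop would keep the failure mode defined. How the single-value overload ranks a not-notified LoA URI, which this commit now lets through as `qaaAuth`, is not visible here and deserves a test. The method body continues outside the hunk.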
@@ -159,7 +161,7 @@ public class Pvp2AssertionBuilder implements PvpConstants {            reqAuthnContext.getAuthnContextClassRefs();        // get matching mode from authn. request       -      String loaMatchingMode = pendingReq.getServiceProviderConfiguration().getLoAMatchingMode(); +      String loaMatchingMode = oaParam.getLoAMatchingMode();        if (StringUtils.isEmpty(loaMatchingMode)) {          loaMatchingMode = EaafConstants.EIDAS_LOA_MATCHING_MINIMUM; @@ -172,7 +174,9 @@ public class Pvp2AssertionBuilder implements PvpConstants {          authnContextClassRef.setURI(authData.getEidasQaaLevel());        } else { -        final List<String> eidasLoaFromRequest = new ArrayList<>(); +        final Set<String> eidasLoaFromRequest = new HashSet<>(); +        eidasLoaFromRequest.addAll(oaParam.getRequiredLoA()); +                  for (final AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) {            final String qaa_uri = authnClassRef.getURI(); | 
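Review bot: The comment `// get matching mode from authn. request` above the changed line in the `@@ -159,7 +161,7 @@` hunk does not describe the code, since the value is read from `oaParam` and not from the request. Reword it to something like `// get LoA matching mode from the service-provider configuration`. Whether `oaParam` is the same object that `pendingReq.getServiceProviderConfiguration()` returned is not visible in the hunk; if the two can differ, the matching mode and the required LoAs could be taken from different configurations.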
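Review bot: In the `@@ -172,7 +174,9 @@` hunk the set named `eidasLoaFromRequest` is now pre-filled with `oaParam.getRequiredLoA()`, so configured and request-supplied LoAs end up in one collection, and `QaaLevelVerifier.verifyQaaLevel` as changed in this commit passes once any single entry matches. If this set is what gets verified (the call is outside the hunk), a request that names a lower LoA than the service provider's configuration would be enough to satisfy the check, and a configured lower LoA would satisfy a request that asked for a higher one. Verifying the authentication LoA against the configured LoAs and against the requested ones separately would keep both constraints in force. `addAll` also throws a NullPointerException if `getRequiredLoA()` returns null, and the variable name no longer fits its content; `requiredLoAs` would be clearer.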
