authorThomas Lenz <thomas.lenz@egiz.gv.at>2021-01-25 19:03:25 +0100
committerThomas Lenz <thomas.lenz@egiz.gv.at>2021-01-25 19:03:38 +0100
commitb3caa532978b6337b6015b08c17ec0466d6f9670 (patch)
treef8f4c1e6ee4395bd99e4cc59f7f00411d037b74f
parent6116a5aeea9fbf519c6f28fd17c65007cd0cbf64 (diff)
refactor PVP2 IDP module to support more than one IPvpMetadataProvider in one application
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/SignatureTrustEngineDecorator.java41
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java15
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java75
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java16
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java16
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_pvp.beans.xml1
6 files changed, 105 insertions, 59 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/SignatureTrustEngineDecorator.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/SignatureTrustEngineDecorator.java
new file mode 100644
index 00000000..66393bb4
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/SignatureTrustEngineDecorator.java
@@ -0,0 +1,41 @@
+package at.gv.egiz.eaaf.modules.pvp2.impl.validation;
+
+import org.opensaml.security.SecurityException;
+import org.opensaml.security.credential.Credential;
+import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
+import org.opensaml.xmlsec.signature.Signature;
+import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
+
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
+
+@AllArgsConstructor
+public class SignatureTrustEngineDecorator implements SignatureTrustEngine {
+
+ private SignatureTrustEngine trustEngine;
+
+ @Getter
+ private IPvp2MetadataProvider metadataProvider;
+
+ @Override
+ public boolean validate(Signature token, CriteriaSet trustBasisCriteria) throws SecurityException {
+ return trustEngine.validate(token, trustBasisCriteria);
+
+ }
+
+ @Override
+ public boolean validate(byte[] signature, byte[] content, String algorithmUri,
+ CriteriaSet trustBasisCriteria, Credential candidateCredential) throws SecurityException {
+ return trustEngine.validate(signature, content, algorithmUri, trustBasisCriteria, candidateCredential);
+
+ }
+
+ @Override
+ public KeyInfoCredentialResolver getKeyInfoResolver() {
+ return trustEngine.getKeyInfoResolver();
+
+ }
+
+}
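Review bot: The two fields on L44 and L47 are non-final and the Lombok-generated constructor accepts null for either of them, so a misconfigured trust engine is only detected later as a NullPointerException inside validate() instead of at construction. Declare both `private final` and mark them `@NonNull` from lombok (e.g. `@NonNull private final SignatureTrustEngine trustEngine;`) so the generated constructor rejects null up front; the import `lombok.NonNull` is the only other line needed. The class also has no Javadoc; a short header stating that it forwards every SignatureTrustEngine call unchanged to the wrapped engine and only carries the metadata provider the engine was built from, so that refresh logic can reach it, would explain why the decorator exists.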
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java
index f0758706..fe941f74 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java
@@ -22,9 +22,6 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.validation;
import java.util.ArrayList;
import java.util.List;
-import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
-import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException;
-
import org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver;
import org.opensaml.saml.security.impl.MetadataCredentialResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
@@ -33,9 +30,10 @@ import org.opensaml.xmlsec.keyinfo.impl.KeyInfoProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider;
-import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException;
import lombok.extern.slf4j.Slf4j;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
@@ -50,7 +48,7 @@ public class TrustEngineFactory {
* @throws Pvp2InternalErrorException In case of a TrustEngine initialization
* error
*/
- public static SignatureTrustEngine getSignatureKnownKeysTrustEngine(
+ public static SignatureTrustEngineDecorator getSignatureKnownKeysTrustEngine(
final IPvp2MetadataProvider mdResolver) throws Pvp2InternalErrorException {
try {
final List<KeyInfoProvider> keyInfoProvider = new ArrayList<>();
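Review bot: The return type on L97 narrows from SignatureTrustEngine to SignatureTrustEngineDecorator, which is source-compatible for callers holding the interface type, but the method Javadoc whose tail is visible on L93–L95 only documents `@throws`; add `@return a trust engine wrapping mdResolver, so callers can recover the provider for a metadata refresh` so the reason for the decorator is recorded at the API. Whether a `@return` tag already exists cannot be seen from this hunk. The body of getSignatureKnownKeysTrustEngine continues outside this hunk.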
@@ -70,10 +68,9 @@ public class TrustEngineFactory {
resolver.setKeyInfoCredentialResolver(keyInfoCredentialResolver);
resolver.initialize();
- final ExplicitKeySignatureTrustEngine engine =
- new ExplicitKeySignatureTrustEngine(resolver, keyInfoCredentialResolver);
-
- return engine;
+ return new SignatureTrustEngineDecorator(
+ new ExplicitKeySignatureTrustEngine(resolver, keyInfoCredentialResolver),
+ mdResolver);
} catch (final ComponentInitializationException e) {
log.warn("Initialization of SignatureTrustEngine FAILED.", e);
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java
index e0a3ab8e..8bc770eb 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java
@@ -27,17 +27,6 @@ import javax.xml.transform.dom.DOMSource;
import javax.xml.validation.Schema;
import javax.xml.validation.Validator;
-import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException;
-import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
-import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
-import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
-import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider;
-import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption;
-import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException;
-import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage;
-import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest;
-import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse;
-
import org.apache.commons.lang3.StringUtils;
import org.joda.time.DateTime;
import org.opensaml.core.criterion.EntityIdCriterion;
@@ -70,10 +59,20 @@ import org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyR
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
-import org.springframework.beans.factory.annotation.Autowired;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;
+import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException;
+import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
+import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.SignatureTrustEngineDecorator;
import lombok.extern.slf4j.Slf4j;
import net.shibboleth.utilities.java.support.net.BasicURLComparator;
import net.shibboleth.utilities.java.support.net.URIException;
@@ -97,13 +96,7 @@ public class SamlVerificationEngine {
*/
private static final int TIME_JITTER = 3;
-
-
-
-
- @Autowired(required = true)
- IPvp2MetadataProvider metadataProvider;
-
+
/**
* Verify signature of a signed SAML2 object.
*
@@ -140,27 +133,36 @@ public class SamlVerificationEngine {
log.debug("PVP2X message validation FAILED. Relead metadata for entityID: {}",
msg.getEntityID());
- if (metadataProvider == null || !(metadataProvider instanceof IRefreshableMetadataProvider)
- || !((IRefreshableMetadataProvider) metadataProvider)
- .refreshMetadataProvider(msg.getEntityID())) {
- throw e;
-
- } else {
- log.trace("PVP2X metadata reload finished. Check validate message again.");
-
- if (msg instanceof PvpSProfileRequest
- && ((PvpSProfileRequest) msg).getSamlRequest() instanceof RequestAbstractType) {
- verifyRequest((RequestAbstractType) ((PvpSProfileRequest) msg).getSamlRequest(),
- sigTrustEngine);
+ if (sigTrustEngine instanceof SignatureTrustEngineDecorator) {
+ IPvp2MetadataProvider metadataProvider =
+ ((SignatureTrustEngineDecorator) sigTrustEngine).getMetadataProvider();
+ if (metadataProvider == null || !(metadataProvider instanceof IRefreshableMetadataProvider)
+ || !((IRefreshableMetadataProvider) metadataProvider).refreshMetadataProvider(msg.getEntityID())) {
+
+ throw e;
} else {
- verifyIdpResponse(((PvpSProfileResponse) msg).getResponse(), sigTrustEngine);
+ log.trace("PVP2X metadata reload finished. Check validate message again.");
- }
+ if (msg instanceof PvpSProfileRequest
+ && ((PvpSProfileRequest) msg).getSamlRequest() instanceof RequestAbstractType) {
+ verifyRequest((RequestAbstractType) ((PvpSProfileRequest) msg).getSamlRequest(),
+ sigTrustEngine);
- }
- log.trace("Second PVP2X message validation finished");
+ } else {
+ verifyIdpResponse(((PvpSProfileResponse) msg).getResponse(), sigTrustEngine);
+ }
+
+ }
+ log.trace("Second PVP2X message validation finished");
+
+ } else {
+ log.debug("TrustEninge is not of type: {} Dynamic SAML2 metadata refresh not possibile.",
+ SignatureTrustEngineDecorator.class);
+ throw e;
+
+ }
}
}
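Review bot: The log message added on L209–L210 contains two typos (`TrustEninge`, `possibile`) and is written at debug level, although reaching this branch means the caller passed a plain SignatureTrustEngine and thereby lost the metadata-refresh retry that existed before this commit. Change it to `log.warn("TrustEngine is not of type: {}. Dynamic SAML2 metadata refresh not possible.", SignatureTrustEngineDecorator.class);` so the regression is visible in operation. The branch still rethrows e, so validation fails closed, which is the right outcome. The enclosing method starts outside this hunk.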
@@ -270,9 +272,6 @@ public class SamlVerificationEngine {
throw new SamlAssertionValidationExeption(ERROR_16,
new Object[] { e.getMessage() }, e);
-// } catch (final ConfigurationException e) {
-// throw new AssertionValidationExeption("pvp.12",
-// new Object[]{loggerName, e.getMessage()}, e);
}
}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java
index 8da76265..50fd0f44 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java
@@ -43,6 +43,7 @@ import org.opensaml.xmlsec.signature.SignableXMLObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.util.Assert;
import at.gv.egiz.components.eventlog.api.EventConstants;
import at.gv.egiz.eaaf.core.api.IRequest;
@@ -77,6 +78,7 @@ import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EaafUriCompare;
import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory;
import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine;
+import lombok.Setter;
public abstract class AbstractPvp2XProtocol extends AbstractController implements IModulInfo {
private static final Logger log = LoggerFactory.getLogger(AbstractPvp2XProtocol.class);
@@ -87,12 +89,16 @@ public abstract class AbstractPvp2XProtocol extends AbstractController implement
@Autowired(required = true)
protected IPvp2BasicConfiguration pvpBasicConfiguration;
@Autowired(required = true)
- protected IPvp2MetadataProvider metadataProvider;
- @Autowired(required = true)
protected SamlVerificationEngine samlVerificationEngine;
@Autowired(required = false)
protected List<IAuthnRequestPostProcessor> authRequestPostProcessors;
+ /**
+ * SAML2 metadata provider that should be used in this component.
+ */
+ @Setter
+ protected IPvp2MetadataProvider metadataProvider;
+
private IPvp2CredentialProvider pvpIdpCredentials;
/**
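Review bot: Replacing the `@Autowired(required = true)` field from L246 with a plain `@Setter` on L254–L255 makes the metadata provider writable by any caller at any time, while the null check in verifyInitialization runs only once at bean construction, so the provider can be set to null or swapped after the component is live and nothing will catch it. If the intent is wiring-time injection only, a hand-written setter that rejects null, `public void setMetadataProvider(IPvp2MetadataProvider metadataProvider) { this.metadataProvider = Objects.requireNonNull(metadataProvider, "metadataProvider"); }`, keeps the invariant the @PostConstruct check establishes. The same applies to the AuthenticationAction hunk at L295–L303. Since the field is no longer autowired, every Spring configuration that relied on autowiring must now set the property explicitly; only the test beans file (L325) is updated on this page, so the production wiring presumably lives elsewhere and should be checked.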
@@ -554,11 +560,9 @@ public abstract class AbstractPvp2XProtocol extends AbstractController implement
@PostConstruct
private void verifyInitialization() {
- if (pvpIdpCredentials == null) {
- log.error("No SAML2 credentialProvider injected!");
- throw new RuntimeException("No SAML2 credentialProvider injected!");
+ Assert.notNull(metadataProvider, "No SAML2 MetadataProvider injected!");
+ Assert.notNull(pvpIdpCredentials, "No SAML2 credentialProvider injected!");
- }
}
}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java
index f9d7767f..68ba39a3 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java
@@ -35,6 +35,7 @@ import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.stereotype.Service;
+import org.springframework.util.Assert;
import at.gv.egiz.eaaf.core.api.IRequest;
import at.gv.egiz.eaaf.core.api.idp.IAction;
@@ -56,14 +57,13 @@ import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding;
import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding;
import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest;
import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
+import lombok.Setter;
@Service("PVPAuthenticationRequestAction")
public class AuthenticationAction implements IAction {
private static final Logger log = LoggerFactory.getLogger(AuthenticationAction.class);
@Autowired(required = true)
- private IPvp2MetadataProvider metadataProvider;
- @Autowired(required = true)
ApplicationContext springContext;
@Autowired(required = true)
IConfiguration authConfig;
@@ -74,6 +74,12 @@ public class AuthenticationAction implements IAction {
@Autowired(required = true)
IRevisionLogger revisionsLogger;
+ /**
+ * SAML2 metadata provider that should be used in this component.
+ */
+ @Setter
+ protected IPvp2MetadataProvider metadataProvider;
+
private IPvp2CredentialProvider pvpIdpCredentials;
/**
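Review bot: The field on L302 widens from `private` (L290) to `protected` in AuthenticationAction, a concrete `@Service` class, which exposes the provider to anything in the package without a reason visible in this hunk; `@Setter private IPvp2MetadataProvider metadataProvider;` gives the same wiring surface with the narrower visibility. The Javadoc on L298–L300 duplicates the one added to AbstractPvp2XProtocol word for word; a sentence saying the provider is set explicitly in the bean configuration rather than autowired would be more useful here.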
@@ -168,11 +174,9 @@ public class AuthenticationAction implements IAction {
@PostConstruct
private void verifyInitialization() {
- if (pvpIdpCredentials == null) {
- log.error("No SAML2 credentialProvider injected!");
- throw new RuntimeException("No SAML2 credentialProvider injected!");
+ Assert.notNull(metadataProvider, "No SAML2 MetadataProvider injected!");
+ Assert.notNull(pvpIdpCredentials, "No SAML2 credentialProvider injected!");
- }
}
}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_pvp.beans.xml b/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_pvp.beans.xml
index 2bddd629..760f290e 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_pvp.beans.xml
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_pvp.beans.xml
@@ -38,6 +38,7 @@
<bean id="PVPAuthenticationRequestAction"
class="at.gv.egiz.eaaf.modules.pvp2.idp.impl.AuthenticationAction">
<property name="pvpIdpCredentials" ref="dummyCredentialProvider" />
+ <property name="metadataProvider" ref="dummyChainingMetadataResolver" />
</bean>
<bean id="pvpMetadataService"