Merge branch 'feature/hsmfacade' into nightlyBuild

# Conflicts: # eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/AbstractChainingMetadataProvider.java # eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_core.beans.xml
author: Thomas Lenz <thomas.lenz@egiz.gv.at> 2020-02-17 08:10:16 +0100
committer: Thomas Lenz <thomas.lenz@egiz.gv.at> 2020-02-17 08:10:16 +0100
commit: b8b5d79f36c0d51a10dc820b09833179442b5155 (patch)
tree: 7f4ff3c66c8b57b919cd83a4fc8a0247e9c7c0ab /eaaf_modules/eaaf_module_pvp2_core
parent: 8fd4b91b8da067055133b2feb97e726c6a834c78 (diff)
parent: c4e1a45e7958cab402d83f6f4ae208df1bb2ab58 (diff)
download: EAAF-Components-b8b5d79f36c0d51a10dc820b09833179442b5155.tar.gz
EAAF-Components-b8b5d79f36c0d51a10dc820b09833179442b5155.tar.bz2
EAAF-Components-b8b5d79f36c0d51a10dc820b09833179442b5155.zip
8 files changed, 138 insertions, 69 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/pom.xml b/eaaf_modules/eaaf_module_pvp2_core/pom.xml
index c9aac506..a81ad889 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/pom.xml
+++ b/eaaf_modules/eaaf_module_pvp2_core/pom.xml
@@ -22,7 +22,6 @@
       <artifactId>eaaf-core</artifactId>
       <version>${egiz.eaaf.version}</version>
     </dependency>
-
     <dependency>
       <groupId>org.opensaml</groupId>
       <artifactId>opensaml-core</artifactId>
@@ -82,6 +81,12 @@
       <artifactId>mockwebserver</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+    <groupId>xml-apis</groupId>
+    <artifactId>xml-apis</artifactId>
+    <version>1.4.01</version>
+    <scope>test</scope>
+  </dependency>
 
   </dependencies>
 
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/AbstractChainingMetadataProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/AbstractChainingMetadataProvider.java
index 8a33b205..902f84c7 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/AbstractChainingMetadataProvider.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/AbstractChainingMetadataProvider.java
@@ -406,6 +406,7 @@ public abstract class AbstractChainingMetadataProvider implements IGarbageCollec
 
   private void addAndRemoveMetadataProvider() throws EaafConfigurationException {
     log.info("EAAF chaining metadata resolver starting internal managment task .... ");
+
     // get all actually loaded metadata providers
     final Map<String, MetadataResolver> loadedproviders = getAllActuallyLoadedResolvers();
 
@@ -428,6 +429,7 @@ public abstract class AbstractChainingMetadataProvider implements IGarbageCollec
       try {
         if (StringUtils.isNotEmpty(metadataurl)
             && loadedproviders.containsKey(metadataurl)) {
+          // SAML2 SP is actually loaded, to nothing
           loadedproviders.remove(metadataurl);
 
         }
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
index 6959b6bd..cd77228c 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
@@ -19,8 +19,6 @@
 
 package at.gv.egiz.eaaf.modules.pvp2.impl.utils;
 
-import java.io.IOException;
-import java.io.InputStream;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.cert.Certificate;
@@ -33,24 +31,24 @@ import java.util.List;
 import javax.annotation.Nonnull;
 import javax.annotation.PostConstruct;
 
+import org.apache.commons.lang3.StringUtils;
+import org.apache.xml.security.algorithms.JCEMapper;
+import org.opensaml.security.credential.UsageType;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.core.io.ResourceLoader;
+
 import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
 import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
 import at.gv.egiz.eaaf.core.exceptions.EaafException;
-import at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
 import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
 import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
 import at.gv.egiz.eaaf.modules.pvp2.api.utils.IPvp2CredentialProvider;
 import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
 import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException;
 import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafKeyStoreX509CredentialAdapter;
-
-import org.apache.commons.lang3.StringUtils;
-import org.opensaml.security.credential.UsageType;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.annotation.Lazy;
-import org.springframework.core.io.Resource;
-import org.springframework.core.io.ResourceLoader;
-
 import lombok.extern.slf4j.Slf4j;
 
 @Slf4j
@@ -63,6 +61,9 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi
   @Autowired
   protected IConfiguration basicConfig;
 
+  @Autowired
+  private EaafKeyStoreFactory keyStoreFactory;
+
   private KeyStore keyStore = null;
 
   /**
@@ -71,23 +72,25 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi
    *
    * @return keyStore friendlyName
    */
-  public abstract String getFriendlyName();
+  public final String getFriendlyName() {
+    try {
+      return getBasicKeyStoreConfig().getFriendlyName();
+      
+    } catch (EaafConfigurationException e) {
+      return "No KeyStoreName";
+      
+    }
 
-  /**
-   * Get KeyStore.
-   *
-   * @return URL to the keyStore
-   * @throws EaafException In case of an invalid filepath
-   */
-  @Nonnull
-  public abstract String getKeyStoreFilePath() throws EaafException;
+  }
 
   /**
-   * Get keyStore password.
+   * Get the basic KeyStore configuration object for this SAML2 credential.
    *
-   * @return Password of the keyStore
+   * @return KeyStore configuration object
+   * @throws EaafConfigurationException  In case of a configuration error
    */
-  public abstract String getKeyStorePassword();
+  @Nonnull
+  public abstract KeyStoreConfiguration getBasicKeyStoreConfig() throws EaafConfigurationException;
 
   /**
    * Get alias of key for metadata signing.
@@ -154,8 +157,6 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi
     }
   }
 
-
-
   /**
    * Get Credentials to sign SAML2 messages, like AuthnRequest, Response,
    * Assertions as some examples.
@@ -250,21 +251,36 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi
 
   }
 
-  @Lazy
   @PostConstruct
   private void initialize() throws Exception {
     try {
-      final Resource ressource = resourceLoader.getResource(getKeyStoreFilePath());
-      final InputStream is = ressource.getInputStream();
-      keyStore = KeyStoreUtils.loadKeyStore(is, getKeyStorePassword());
+      final KeyStoreConfiguration keyStoreConfig = getBasicKeyStoreConfig();
+      keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig);
+
+      if (JCEMapper.getProviderId() != null
+          && !JCEMapper.getProviderId().equals(keyStore.getProvider().getName())) {
+        log.error("OpenSAML3.x can ONLY use a single type of CryptoProvider in an application. "
+            + "Can NOT set: {}, because {} was already set", keyStore.getProvider().getName(),
+            JCEMapper.getProviderId());
+        throw new EaafConfigurationException(EaafKeyStoreFactory.ERRORCODE_06,
+            new Object[] { keyStoreConfig.getFriendlyName(),
+                "OpenSAML3.x can ONLY use a single type of CryptoProvider" });
+
+      }
 
-      if (keyStore == null) {
-        throw new EaafConfigurationException("module.00",
-            new Object[] { getFriendlyName(), "KeyStore initialization failed. Maybe wrong password" });
+      // Set JCEMapper only in case of HSM based KeyStores because Software KeyStores
+      // can use
+      // the default SecurityProvider system in OpenSAML3.x signing engine
+      if (!KeyStoreType.JKS.equals(keyStoreConfig.getKeyStoreType())
+          && !KeyStoreType.PKCS12.equals(keyStoreConfig.getKeyStoreType())
+          && JCEMapper.getProviderId() == null) {
+        log.info("Register CryptoProvider: {} as defaut for OpenSAML3.x",
+            keyStore.getProvider().getName());
+        JCEMapper.setProviderId(keyStore.getProvider().getName());
 
       }
 
-    } catch (IOException | KeyStoreException | EaafException e) {
+    } catch (final EaafException e) {
       log.error("Can not initialize KeyStore for eIDAS authentication client.", e);
       throw e;
 
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java
index b6171e97..22ee389f 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java
@@ -3,14 +3,8 @@ package at.gv.egiz.eaaf.modules.pvp2.test;
 import java.security.cert.X509Certificate;
 import java.util.List;
 
-import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
-import at.gv.egiz.eaaf.core.impl.idp.module.test.DummyAuthConfigMap;
-import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
-import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
-import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
-import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider;
-
 import org.apache.commons.lang3.RandomStringUtils;
+import org.apache.xml.security.algorithms.JCEMapper;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
@@ -23,6 +17,14 @@ import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.TestPropertySource;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 
+import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
+import at.gv.egiz.eaaf.core.exceptions.EaafFactoryException;
+import at.gv.egiz.eaaf.core.impl.idp.module.test.DummyAuthConfigMap;
+import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
+import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
+import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
+import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider;
+
 
 @RunWith(SpringJUnit4ClassRunner.class)
 @ContextConfiguration({
@@ -34,9 +36,14 @@ public class CredentialProviderTest {
 
   private static final String PATH_JKS_WITH_TRUST_CERTS = "src/test/resources/data/junit.jks";
   private static final String PATH_JKS_WITHOUT_TRUST_CERTS = "src/test/resources/data/junit_without_trustcerts.jks";
+  //private static final String HSMF_ALIAS_METADATA = "shibboleth-sign";
+  //private static final String HSMF_ALIAS_SIGN = "shibboleth-sign";
+  //private static final String HSMF_ALIAS_ENC = "shibboleth-sign";
+  
   private static final String ALIAS_METADATA = "meta";
   private static final String ALIAS_SIGN = "sig";
   private static final String ALIAS_ENC = "meta";
+  
   private static final String PASSWORD = "password";
 
 
@@ -59,6 +66,8 @@ public class CredentialProviderTest {
 
     config.removeConfigValue(DummyCredentialProvider.KEY_ENCRYPTION_ALIAS);
     config.removeConfigValue(DummyCredentialProvider.KEY_ENCRYPTION_PASSWORD);
+    
+    JCEMapper.setProviderId(null);
 
   }
 
@@ -86,7 +95,7 @@ public class CredentialProviderTest {
       Assert.fail("No KeyStore not detected");
 
     } catch (final BeansException e) {
-      org.springframework.util.Assert.isInstanceOf(java.io.FileNotFoundException.class,
+      org.springframework.util.Assert.isInstanceOf(EaafConfigurationException.class,
           e.getCause(), "Wrong exception");
     }
 
@@ -101,7 +110,7 @@ public class CredentialProviderTest {
       Assert.fail("No KeyStore not detected");
 
     } catch (final BeansException e) {
-      org.springframework.util.Assert.isInstanceOf(EaafConfigurationException.class,
+      org.springframework.util.Assert.isInstanceOf(EaafFactoryException.class,
           e.getCause(), "Wrong exception");
 
     }
@@ -384,6 +393,33 @@ public class CredentialProviderTest {
 
   @Test
   @DirtiesContext
+  public void otherKeyStoreTypeAlreadyLoaded() throws CredentialsNotAvailableException {
+    config.putConfigValue(DummyCredentialProvider.KEYSTORE_PATH, PATH_JKS_WITHOUT_TRUST_CERTS);
+
+    config.putConfigValue(PvpConstants.CONFIG_PROP_SEC_SIGNING_RSA_ALG,
+        "RSA-SIG_" + RandomStringUtils.randomAlphabetic(10));
+    config.putConfigValue(PvpConstants.CONFIG_PROP_SEC_SIGNING_EC_ALG,
+        "EC-SIG_" + RandomStringUtils.randomAlphabetic(10));
+    config.putConfigValue(PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_KEY_RSA_ALG,
+        "RSA_ENC_" + RandomStringUtils.randomAlphabetic(10));
+    config.putConfigValue(PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_KEY_EC_ALG,
+        "EC-ENC_" + RandomStringUtils.randomAlphabetic(10));
+    
+    try {
+      JCEMapper.setProviderId(RandomStringUtils.randomAlphabetic(5));
+      
+      context.getBean(DummyCredentialProvider.class);
+
+    } catch (final BeansException e) {
+      org.springframework.util.Assert.isInstanceOf(EaafConfigurationException.class,
+          e.getCause(), "Wrong exception");
+
+    }
+
+  }
+  
+  @Test
+  @DirtiesContext
   public void notKeyConfiguration() {
     final DummyCredentialProvider credential = context.getBean(DummyCredentialProvider.class);
 
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/dummy/DummyCredentialProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/dummy/DummyCredentialProvider.java
index b9f1326d..0f8eff72 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/dummy/DummyCredentialProvider.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/dummy/DummyCredentialProvider.java
@@ -1,15 +1,12 @@
 package at.gv.egiz.eaaf.modules.pvp2.test.dummy;
 
-import java.net.MalformedURLException;
+import org.springframework.beans.factory.annotation.Autowired;
 
 import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
-import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
-import at.gv.egiz.eaaf.core.exceptions.EaafException;
-import at.gv.egiz.eaaf.core.impl.utils.FileUtils;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
 import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider;
 
-import org.springframework.beans.factory.annotation.Autowired;
-
 public class DummyCredentialProvider extends AbstractCredentialProvider {
 
   @Autowired IConfiguration basicConfig;
@@ -26,32 +23,26 @@ public class DummyCredentialProvider extends AbstractCredentialProvider {
   public static final String KEY_ENCRYPTION_ALIAS = "key.enc.alias";
   public static final String KEY_ENCRYPTION_PASSWORD = "key.enc.pass";
 
+  private static final String KEYSTORENAME = "jUnit test credential provider";
+  
   @Override
-  public String getFriendlyName() {
-    return "jUnit test credential provider";
+  public KeyStoreConfiguration getBasicKeyStoreConfig() {
+    KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration();
+    keyStoreConfig.setKeyStoreType(KeyStoreType.JKS);
+    keyStoreConfig.setFriendlyName(KEYSTORENAME);
+    
+    keyStoreConfig.setSoftKeyStoreFilePath(getKeyStoreFilePath());
+    keyStoreConfig.setSoftKeyStorePassword(getKeyStorePassword());
+    
+    return keyStoreConfig;
   }
 
-  @Override
-  public String getKeyStoreFilePath() throws EaafException {
+  public String getKeyStoreFilePath() {
     final String path = basicConfig.getBasicConfiguration(KEYSTORE_PATH);
-
-    if (path != null) {
-      try {
-        return FileUtils.makeAbsoluteUrl(
-            path,
-            basicConfig.getConfigurationRootDirectory());
-
-      } catch (final MalformedURLException e) {
-        throw new EaafConfigurationException("internel test error", null, e);
-
-      }
-    }
-
-    throw new EaafConfigurationException("No keyStore path", null);
-
+    return path;
+   
   }
 
-  @Override
   public String getKeyStorePassword() {
     return basicConfig.getBasicConfiguration(KEYSTORE_PASSWORD);
   }
@@ -86,4 +77,5 @@ public class DummyCredentialProvider extends AbstractCredentialProvider {
     return basicConfig.getBasicConfiguration(KEY_ENCRYPTION_PASSWORD);
   }
 
+
 }
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_2.props b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_2.props
new file mode 100644
index 00000000..60cecebb
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_2.props
@@ -0,0 +1,12 @@
+keystore.path=classpath:/data/junit.jks
+keystore.pass=password
+key.metadata.alias=shibboleth-sign
+key.metadata.pass=password
+key.sig.alias=shibboleth-sign
+key.sig.pass=password
+key.enc.alias=
+key.enc.pass=
+
+client.http.connection.timeout.socket=2
+client.http.connection.timeout.connection=2
+client.http.connection.timeout.request=2
+\ No newline at end of file
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/spring/test_eaaf_core.beans.xml b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/spring/test_eaaf_core.beans.xml
index 3b2d0a28..5e3f0b9b 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/spring/test_eaaf_core.beans.xml
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/spring/test_eaaf_core.beans.xml
@@ -19,4 +19,7 @@
   <bean id="httpClientFactory"
         class="at.gv.egiz.eaaf.core.impl.utils.HttpClientFactory" />
 
+  <bean id="eaafKeyStoreFactory"
+        class="at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory" />
+
 </beans>
 \ No newline at end of file
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/spring/test_eaaf_core_spring_config.beans.xml b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/spring/test_eaaf_core_spring_config.beans.xml
index 5c1a6095..5319236b 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/spring/test_eaaf_core_spring_config.beans.xml
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/spring/test_eaaf_core_spring_config.beans.xml
@@ -14,4 +14,7 @@
         class="at.gv.egiz.eaaf.core.impl.idp.module.test.DummyAuthConfig" />
   
 
+  <bean id="eaafKeyStoreFactory"
+        class="at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory" />
+
 </beans>
 \ No newline at end of file
author	Thomas Lenz <thomas.lenz@egiz.gv.at>	2020-02-17 08:10:16 +0100
committer	Thomas Lenz <thomas.lenz@egiz.gv.at>	2020-02-17 08:10:16 +0100
commit	b8b5d79f36c0d51a10dc820b09833179442b5155 (patch)
tree	7f4ff3c66c8b57b919cd83a4fc8a0247e9c7c0ab /eaaf_modules/eaaf_module_pvp2_core
parent	8fd4b91b8da067055133b2feb97e726c6a834c78 (diff)
parent	c4e1a45e7958cab402d83f6f4ae208df1bb2ab58 (diff)
download	EAAF-Components-b8b5d79f36c0d51a10dc820b09833179442b5155.tar.gz EAAF-Components-b8b5d79f36c0d51a10dc820b09833179442b5155.tar.bz2 EAAF-Components-b8b5d79f36c0d51a10dc820b09833179442b5155.zip