Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/PVP2AssertionBuilder.java')
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/PVP2AssertionBuilder.java112
1 files changed, 61 insertions, 51 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/PVP2AssertionBuilder.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/PVP2AssertionBuilder.java
index 7369da15..5ef112dd 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/PVP2AssertionBuilder.java
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/PVP2AssertionBuilder.java
@@ -1,4 +1,28 @@
/*******************************************************************************
+ * Copyright 2017 Graz University of Technology
+ * EAAF-Core Components has been developed in a cooperation between EGIZ,
+ * A-SIT+, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+/*******************************************************************************
+ *******************************************************************************/
+/*******************************************************************************
*******************************************************************************/
package at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder;
@@ -118,78 +142,64 @@ public class PVP2AssertionBuilder implements PVPConstants {
AssertionConsumerService assertionConsumerService, SLOInformationInterface sloInformation)
throws PVP2Exception {
- RequestedAuthnContext reqAuthnContext = authnRequest
- .getRequestedAuthnContext();
-
- AuthnContextClassRef authnContextClassRef = SAML2Utils
- .createSAMLObject(AuthnContextClassRef.class);
-
ISPConfiguration oaParam = pendingReq.getServiceProviderConfiguration();
+ AuthnContextClassRef authnContextClassRef = SAML2Utils.createSAMLObject(AuthnContextClassRef.class);
+ //check if authn. request contains LoA
+ RequestedAuthnContext reqAuthnContext = authnRequest.getRequestedAuthnContext();
if (reqAuthnContext == null) {
authnContextClassRef.setAuthnContextClassRef(authData.getEIDASQAALevel());
} else {
-
- boolean eIDAS_qaa_found = false;
-
- List<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext
- .getAuthnContextClassRefs();
-
- if (reqAuthnContextClassRefIt.size() == 0) {
- QAALevelVerifier.verifyQAALevel(authData.getEIDASQAALevel(), EAAFConstants.EIDAS_QAA_HIGH);
+ //authn. request requests LoA levels. To LoA validation
+ List<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext.getAuthnContextClassRefs();
- eIDAS_qaa_found = true;
- authnContextClassRef.setAuthnContextClassRef(EAAFConstants.EIDAS_QAA_HIGH);
+ //get matching mode from authn. request
+ String loaMatchingMode = EAAFConstants.EIDAS_LOA_MATCHING_MINIMUM;
+ if (StringUtils.isNotEmpty(reqAuthnContext.getComparison().toString()))
+ loaMatchingMode = reqAuthnContext.getComparison().toString();
+
+ //get requested LoAs
+ if (reqAuthnContextClassRefIt.size() == 0) {
+ QAALevelVerifier.verifyQAALevel(authData.getEIDASQAALevel(),
+ oaParam.getRequiredLoA(), loaMatchingMode);
+ authnContextClassRef.setAuthnContextClassRef(authData.getEIDASQAALevel());
- } else {
+ } else {
+ List<String> eIDASLoaFromRequest = new ArrayList<String>();
for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) {
String qaa_uri = authnClassRef.getAuthnContextClassRef();
-
- if (!qaa_uri.trim().startsWith(EAAFConstants.EIDAS_QAA_PREFIX)) {
+
+ if (!qaa_uri.trim().startsWith(EAAFConstants.EIDAS_LOA_PREFIX)) {
if (loaLevelMapper != null) {
log.debug("Find no eIDAS LoA. Start mapping process ... " );
- qaa_uri = loaLevelMapper.mapToeIDASLoA(qaa_uri.trim());
+ eIDASLoaFromRequest.add(loaLevelMapper.mapToeIDASLoA(qaa_uri.trim()));
} else
log.debug("AuthnRequest contains no eIDAS LoA. NO LoA mapper FOUND, ignore "
- + "'" + qaa_uri.trim() + "'");
-
- }
+ + "'" + qaa_uri.trim() + "'");
+ } else
+ eIDASLoaFromRequest.add(qaa_uri.trim());
- if (qaa_uri.trim().equals(EAAFConstants.EIDAS_QAA_HIGH)
- || qaa_uri.trim().equals(EAAFConstants.EIDAS_QAA_SUBSTANTIAL)
- || qaa_uri.trim().equals(EAAFConstants.EIDAS_QAA_LOW)) {
+ }
+
+ //stop process if no supported LoA scheme is requested
+ if (eIDASLoaFromRequest.isEmpty()) {
+ log.info("Authn. request contains no supported LoA level. Stop authentication process ... ");
+ throw new QAANotSupportedException("No supported LoA in Authn. request");
- if (authData.isForeigner()) {
- QAALevelVerifier.verifyQAALevel(authData.getEIDASQAALevel(), oaParam.getMinimumLevelOfAssurence());
-
- eIDAS_qaa_found = true;
- authnContextClassRef.setAuthnContextClassRef(authData.getEIDASQAALevel());
-
- } else {
-
- QAALevelVerifier.verifyQAALevel(authData.getEIDASQAALevel(),
- qaa_uri.trim());
-
- eIDAS_qaa_found = true;
- authnContextClassRef.setAuthnContextClassRef(authData.getEIDASQAALevel());
-
- }
- break;
- }
- }
- }
-
- if (!eIDAS_qaa_found)
- throw new QAANotSupportedException(EAAFConstants.EIDAS_QAA_HIGH);
+ }
+
+ //verifiy LoAs from request to authentication LoA
+ QAALevelVerifier.verifyQAALevel(authData.getEIDASQAALevel(), eIDASLoaFromRequest , loaMatchingMode);
+ authnContextClassRef.setAuthnContextClassRef(authData.getEIDASQAALevel());
+ }
}
-
- SPSSODescriptor spSSODescriptor = peerEntity
- .getSPSSODescriptor(SAMLConstants.SAML20P_NS);
+ //load SPSS decriptor from service-provider metadata
+ SPSSODescriptor spSSODescriptor = peerEntity.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
//add Attributes to Assertion
List<Attribute> attrList = new ArrayList<Attribute>();