Diffstat (limited to 'eaaf_modules')
32 files changed, 442 insertions, 233 deletions
diff --git a/eaaf_modules/eaaf_module_auth_sl20/pom.xml b/eaaf_modules/eaaf_module_auth_sl20/pom.xml index 81611aff..c113ef98 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/pom.xml +++ b/eaaf_modules/eaaf_module_auth_sl20/pom.xml @@ -6,7 +6,7 @@ <parent> <groupId>at.gv.egiz.eaaf</groupId> <artifactId>eaaf_modules</artifactId> - <version>1.1.0</version> + <version>1.1.1</version> </parent> <artifactId>eaaf_module_auth_sl20</artifactId> <name>Generic SL2.0 authentication</name> @@ -42,7 +42,11 @@ <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-databind</artifactId> </dependency> - + <dependency> + <groupId>org.springframework</groupId> + <artifactId>spring-webmvc</artifactId> + <scope>provided</scope> + </dependency> <dependency> <groupId>javax.servlet</groupId> <artifactId>javax.servlet-api</artifactId> diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/data/VerificationResult.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/data/VerificationResult.java index bb0c41d7..0f88e251 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/data/VerificationResult.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/data/VerificationResult.java @@ -9,6 +9,7 @@ public class VerificationResult { private Boolean validSigned = null; private List<X509Certificate> certs = null; + private JsonNode header = null; private JsonNode payload = null; public VerificationResult(final JsonNode payload) { 
@@ -19,11 +20,14 @@ public class VerificationResult { /** * JWS signature verification-result container. * + * @param joseHeader JWS header * @param payload JWS payload * @param certs JWS signercertificate * @param wasValidSigned true if signature was valid */ - public VerificationResult(final JsonNode payload, final List<X509Certificate> certs, final boolean wasValidSigned) { + public VerificationResult(final JsonNode joseHeader, final JsonNode payload, + final List<X509Certificate> certs, final boolean wasValidSigned) { + this.header = joseHeader; this.payload = payload; this.certs = certs; this.validSigned = wasValidSigned; @@ -42,4 +46,8 @@ public class VerificationResult { return payload; } + public JsonNode getJoseHeader() { + return header; + + } } diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractCreateQualEidRequestTask.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractCreateQualEidRequestTask.java index d1887d5c..6a5e1ef0 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractCreateQualEidRequestTask.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractCreateQualEidRequestTask.java @@ -1,5 +1,6 @@ package at.gv.egiz.eaaf.modules.auth.sl20.tasks; +import java.io.Serializable; import java.security.cert.CertificateEncodingException; import java.util.ArrayList; import java.util.List; 
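Review bot: `getJoseHeader()` can return null for instances created through the payload-only constructor `VerificationResult(final JsonNode payload)`, which leaves `header` at its null initializer, but nothing documents that; add a Javadoc on the getter such as `/** JOSE header of the JWS, or null if this result was built from a payload only. */` and consider `@Nullable` next to it. Replacing the three-argument constructor instead of adding an overload breaks any caller outside this commit that still uses it; if that is intended, a short remark in the release notes for 1.1.1 would help. The stray blank line before the closing brace of `getJoseHeader()` is a style nit.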
@@ -28,8 +29,8 @@ import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egiz.eaaf.core.exceptions.EaafAuthenticationException; import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.http.IHttpClientFactory; import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; -import at.gv.egiz.eaaf.core.impl.utils.IHttpClientFactory; import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils; import at.gv.egiz.eaaf.core.impl.utils.Random; import at.gv.egiz.eaaf.core.impl.utils.TransactionIdUtils; @@ -39,6 +40,7 @@ import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult; import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception; import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoParserException; import at.gv.egiz.eaaf.modules.auth.sl20.utils.SL20Constants; +import at.gv.egiz.eaaf.modules.auth.sl20.utils.SL20Constants.VdaAuthMethod; import at.gv.egiz.eaaf.modules.auth.sl20.utils.SL20HttpBindingUtils; import at.gv.egiz.eaaf.modules.auth.sl20.utils.SL20JsonBuilderUtils; import at.gv.egiz.eaaf.modules.auth.sl20.utils.SL20JsonExtractorUtils; @@ -95,6 +97,15 @@ public abstract class AbstractCreateQualEidRequestTask extends AbstractAuthServl final List<NameValuePair> parameters = new ArrayList<>(); parameters.add(new BasicNameValuePair(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, Base64Url.encode(sl20Req.toString().getBytes("UTF-8")))); + + //set specific authentication method if it was selection by process step before + VdaAuthMethod authMethod = getVdaAuthMethodFromContext(executionContext); + if (authMethod != null) { + log.debug("Request VDA with authType: {}", authMethod); + parameters.add(new BasicNameValuePair(SL20Constants.PARAM_SL20_REQ_AUTH_METHOD_PARAM, + authMethod.getAuthMethod())); + } + httpReq.setEntity(new UrlEncodedFormEntity(parameters)); // build http GET request 
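Review bot: The comment introducing the new block, `//set specific authentication method if it was selection by process step before`, is hard to read; suggest `// add the VDA authentication method if a previous process step selected one`. Because `VdaAuthMethod.fromString` falls back to `ANY` for unrecognized input, every non-null String found in the context leads to an `authtype` parameter being sent, and a misspelled value silently becomes `any`; a `log.warn` when the raw context value does not equal `authMethod.getAuthMethod()` would make that visible in operations. The enclosing method of this hunk starts before and ends after the hunk.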
@@ -191,6 +202,13 @@ public abstract class AbstractCreateQualEidRequestTask extends AbstractAuthServl } /** + * Get ExecutionContext parameter-key for VDA AuthMethod information. + * + * @return Key to get AuthMethod from {@link ExecutionContext} + */ + protected abstract String getAuthMethodContextParamKey(); + + /** * Create a implementation specific qualified eID SL2.0 command * * @param oaConfig @@ -201,6 +219,18 @@ public abstract class AbstractCreateQualEidRequestTask extends AbstractAuthServl */ protected abstract String buildSignedQualifiedEidCommand() throws CertificateEncodingException, SL20Exception; + + private VdaAuthMethod getVdaAuthMethodFromContext(ExecutionContext executionContext) { + Serializable authMethodRaw = executionContext.get(getAuthMethodContextParamKey()); + if (authMethodRaw instanceof String) { + log.trace("Find authMethod parameter: {} on context", authMethodRaw); + return VdaAuthMethod.fromString((String) authMethodRaw); + + } + + return null; + } + private String extractVdaUrlForSpecificOa(final ISpConfiguration oaConfig, final ExecutionContext executionContext) { // load SP specific config for development and testing purposes diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java index 1b1f090f..43c44647 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java 
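Review bot: `getVdaAuthMethodFromContext` gives no diagnostic at all when the context holds a value under the key that is not a String; it only logs at trace when a String is found and otherwise returns null, so a wrongly typed value is indistinguishable from an absent one. Suggest `} else if (authMethodRaw != null) { log.warn("Ignoring authMethod parameter of unexpected type: {}", authMethodRaw.getClass().getName()); }` before `return null;`. The parameter `executionContext` could be `final` like the other parameters in this class, and the Javadoc of the new abstract `getAuthMethodContextParamKey()` should state that the key must not be null, since it is passed straight to `executionContext.get`.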
@@ -13,22 +13,6 @@ import java.util.List; import javax.annotation.Nonnull; import javax.annotation.PostConstruct; -import at.gv.egiz.eaaf.core.api.idp.IConfiguration; -import at.gv.egiz.eaaf.core.exception.EaafKeyAccessException; -import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; -import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; -import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils; -import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; -import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; -import at.gv.egiz.eaaf.core.impl.data.Pair; -import at.gv.egiz.eaaf.core.impl.utils.X509Utils; -import at.gv.egiz.eaaf.modules.auth.sl20.Constants; -import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult; -import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception; -import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20SecurityException; -import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoBuildException; -import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoParserException; - import org.apache.commons.lang3.StringUtils; import org.jose4j.jca.ProviderContext; import org.jose4j.jwa.AlgorithmConstraints; 
@@ -50,6 +34,22 @@ import org.springframework.util.Base64Utils; import com.fasterxml.jackson.core.JsonParseException; import com.fasterxml.jackson.databind.JsonNode; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.exception.EaafKeyAccessException; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.utils.X509Utils; +import at.gv.egiz.eaaf.modules.auth.sl20.Constants; +import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult; +import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception; +import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20SecurityException; +import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoBuildException; +import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoParserException; + @Service public class JsonSecurityUtils implements IJoseTools { private static final Logger log = LoggerFactory.getLogger(JsonSecurityUtils.class); @@ -230,7 +230,10 @@ public class JsonSecurityUtils implements IJoseTools { jws.setKey(selectedKey); // load payLoad - return new VerificationResult(mapper.getMapper().readTree(jws.getPayload()), null, jws.verifySignature()); + return new VerificationResult( + mapper.getMapper().readTree(jws.getHeaders().getFullHeaderAsJsonString()), + mapper.getMapper().readTree(jws.getPayload()), + x5cCerts, jws.verifySignature()); } diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java index 01316b9b..bfc393db 100644 
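Review bot: The result is now built from the parsed header, the payload and `x5cCerts` regardless of what `jws.verifySignature()` returns, so a `VerificationResult` whose signature flag is false still exposes a header and certificates taken from the message; every consumer has to gate on that flag, and the contract deserves a comment at this return, e.g. `// header, payload and x5c certs are only trustworthy if the result reports a valid signature`. In the jose4j releases I am aware of, `getPayload()` itself verifies the signature and throws a `JoseException` when it is invalid, which would make the false case of `verifySignature()` unreachable here; worth confirming for the version in use, since callers checking the flag would then never see a negative result. The old comment `// load payLoad` no longer describes the statement. Where `x5cCerts` is populated lies outside the hunk, as does the start of the method.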
--- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java @@ -4,6 +4,8 @@ import java.util.Arrays; import java.util.Collections; import java.util.List; +import javax.annotation.Nonnull; + import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers; import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers; import org.jose4j.jws.AlgorithmIdentifiers; @@ -11,10 +13,54 @@ import org.jose4j.jws.AlgorithmIdentifiers; public class SL20Constants { public static final int CURRENT_SL20_VERSION = 10; + // http binding parameters public static final String PARAM_SL20_REQ_COMMAND_PARAM = "slcommand"; public static final String PARAM_SL20_REQ_COMMAND_PARAM_OLD = "sl2command"; + public static final String PARAM_SL20_REQ_AUTH_METHOD_PARAM = "authtype"; + + public enum VdaAuthMethod { + ANY("any"), MOBILEPHONE("handy"), CARD("card"), SMARTPHONE("smartphone"); + + private final String authMethod; + + VdaAuthMethod(final String method) { + this.authMethod = method; + } + + /** + * Get VDA AuthMethod. + * + * @return + */ + public String getAuthMethod() { + return this.authMethod; + } + + /** + * Get VDA authmethod from String representation. + * + * @param s authMethod parameter + * @return AuthMethod, or VdaAuthMethod.ANY if the parameter is unknown + */ + public static VdaAuthMethod fromString(@Nonnull final String s) { + try { + return VdaAuthMethod.valueOf(s.toUpperCase()); + + } catch (IllegalArgumentException | NullPointerException e) { + return VdaAuthMethod.ANY; + + } + } + + @Override + public String toString() { + return getAuthMethod(); + + } + } + public static final String PARAM_SL20_REQ_ICP_RETURN_URL_PARAM = "slIPCReturnUrl"; public static final String PARAM_SL20_REQ_TRANSACTIONID = "slTransactionID"; 
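Review bot: `VdaAuthMethod.fromString` resolves by enum constant name (`valueOf(s.toUpperCase())`) while `toString()` and `getAuthMethod()` return the wire value, so `fromString("handy")` yields `ANY` instead of `MOBILEPHONE` and `fromString(MOBILEPHONE.toString())` does not round-trip; names and wire values only coincide for `ANY`, `CARD` and `SMARTPHONE`. `toUpperCase()` without `Locale.ROOT` is locale-dependent as well, and catching `NullPointerException` on a `@Nonnull` parameter hides a contract violation. A lookup over `values()` that compares both the wire value and the constant name case-insensitively fixes this while keeping the `ANY` fallback; `equalsIgnoreCase` returns false for a null argument, so the null tolerance of the original is preserved. The Javadoc of `getAuthMethod()` has an empty `@return` tag; `@return the HTTP parameter value used for this method` would do.
```java
public static VdaAuthMethod fromString(@Nonnull final String s) {
  for (final VdaAuthMethod method : values()) {
    // match the wire value ("handy") as well as the constant name ("MOBILEPHONE")
    if (method.authMethod.equalsIgnoreCase(s) || method.name().equalsIgnoreCase(s)) {
      return method;
    }
  }
  return VdaAuthMethod.ANY;
}
```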
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20JsonBuilderUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20JsonBuilderUtils.java index eb17781b..d76f4aad 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20JsonBuilderUtils.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20JsonBuilderUtils.java @@ -105,6 +105,7 @@ public class SL20JsonBuilderUtils { * @param name commando name * @param result commando result * @param encryptedResult encrypted commando result + * @param signer {@link JsonSecurityUtils} implementation * @return JWS in serialized form * @throws SlCommandoBuildException in case of an error * diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20JsonExtractorUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20JsonExtractorUtils.java index eb6de461..40ea0430 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20JsonExtractorUtils.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20JsonExtractorUtils.java @@ -63,6 +63,7 @@ public class SL20JsonExtractorUtils { * @param input JSON * @param keyID Element identifier * @param isRequired true, if the element must not null + * @param defaultValue in case of no existing element with key * @return Boolean * @throws SlCommandoParserException In case of an error */ @@ -269,6 +270,7 @@ public class SL20JsonExtractorUtils { * * @param container JSON * @param joseTools JWS implementation + * @param mustBeSigned Throw an error if the result was not signed * @return Signature verification result that contains the payLoad * @throws SlCommandoParserException In case of an error */ 
diff --git a/eaaf_modules/eaaf_module_moa-sig/pom.xml b/eaaf_modules/eaaf_module_moa-sig/pom.xml index 11b8cfd9..aa63b3c3 100644 --- a/eaaf_modules/eaaf_module_moa-sig/pom.xml +++ b/eaaf_modules/eaaf_module_moa-sig/pom.xml @@ -5,7 +5,7 @@ <parent> <groupId>at.gv.egiz.eaaf</groupId> <artifactId>eaaf_modules</artifactId> - <version>1.1.0</version> + <version>1.1.1</version> </parent> <artifactId>eaaf_module_moa-sig</artifactId> <name>MOA-Sig signature verification module</name> @@ -59,7 +59,12 @@ <groupId>at.gv.egiz.eaaf</groupId> <artifactId>eaaf_core_api</artifactId> </dependency> - + <dependency> + <groupId>org.springframework</groupId> + <artifactId>spring-webmvc</artifactId> + <scope>provided</scope> + </dependency> + <dependency> <groupId>joda-time</groupId> <artifactId>joda-time</artifactId> diff --git a/eaaf_modules/eaaf_module_pvp2_core/pom.xml b/eaaf_modules/eaaf_module_pvp2_core/pom.xml index 31110bfd..253d0afb 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/pom.xml +++ b/eaaf_modules/eaaf_module_pvp2_core/pom.xml @@ -7,7 +7,7 @@ <parent> <groupId>at.gv.egiz.eaaf</groupId> <artifactId>eaaf_modules</artifactId> - <version>1.1.0</version> + <version>1.1.1</version> </parent> <artifactId>eaaf_module_pvp2_core</artifactId> <name>eaaf_module_pvp2_core</name> @@ -48,6 +48,12 @@ </dependency> <dependency> + <groupId>org.springframework</groupId> + <artifactId>spring-webmvc</artifactId> + <scope>provided</scope> + </dependency> + + <dependency> <groupId>javax.servlet</groupId> <artifactId>javax.servlet-api</artifactId> <scope>provided</scope> diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/utils/IPvp2CredentialProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/utils/IPvp2CredentialProvider.java index a564efb2..acd565a1 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/utils/IPvp2CredentialProvider.java 
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/utils/IPvp2CredentialProvider.java @@ -1,11 +1,14 @@ package at.gv.egiz.eaaf.modules.pvp2.api.utils; +import java.security.KeyStore; +import java.security.Provider; import java.security.cert.X509Certificate; import java.util.List; import javax.annotation.Nonnull; import javax.annotation.Nullable; +import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; @@ -51,5 +54,15 @@ public interface IPvp2CredentialProvider { @Nonnull List<X509Certificate> getTrustedCertificates() throws CredentialsNotAvailableException; + + + /** + * Get the {@link KeyStore} that is used in this {@link IPvp2CredentialProvider}. + * + * @return KeyStore {@link Pair} of {@link KeyStore} and JCE {@link Provider} + * if a special provider is in use + */ + @Nonnull + Pair<KeyStore, Provider> getKeyStore(); }
\ No newline at end of file diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/CitizenTokenBuilder.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/CitizenTokenBuilder.java index bf201803..1d6e3738 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/CitizenTokenBuilder.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/CitizenTokenBuilder.java @@ -19,8 +19,6 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.builder; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; - import org.opensaml.core.xml.XMLObject; import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; import org.opensaml.core.xml.schema.XSInteger; @@ -30,6 +28,8 @@ import org.opensaml.core.xml.schema.impl.XSStringBuilder; import org.opensaml.saml.saml2.core.Attribute; import org.opensaml.saml.saml2.core.AttributeValue; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; + /** * Build all attributes from PVP2 citizen-token. * @@ -73,6 +73,7 @@ public class CitizenTokenBuilder { * Build simple attribute. * * @param friendlyName attribute friendly-name + * @param name attribute name * @param value Attributevalue * @return XML attribute */ @@ -89,6 +90,7 @@ public class CitizenTokenBuilder { * Build simple attribute. * * @param friendlyName attribute friendly-name + * @param name attribute name * @param value Attributevalue * @return XML attribute */ diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverFactory.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverFactory.java index 0b505e56..d29f1a0e 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverFactory.java 
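Review bot: The new `getKeyStore()` in `IPvp2CredentialProvider` is annotated `@Nonnull` on the `Pair`, yet its Javadoc says the `Provider` is only present "if a special provider is in use", so the second element may be null while the annotation suggests otherwise; state it explicitly, e.g. `@return Pair of the KeyStore and the JCE Provider; the Provider is null when the default provider is used`. Adding an abstract method to a public interface breaks every external implementation at compile time; `AbstractCredentialProvider` is updated in this commit, but downstream implementers should be told in the release notes. Handing out the whole KeyStore, which presumably holds the signing keys, widens an interface that so far exposed only credentials and trusted certificates, so the Javadoc should say which callers are expected to use it.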
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverFactory.java @@ -8,15 +8,6 @@ import javax.annotation.Nullable; import javax.annotation.PostConstruct; import javax.net.ssl.SSLHandshakeException; -import at.gv.egiz.components.spring.api.IDestroyableObject; -import at.gv.egiz.eaaf.core.api.idp.IConfiguration; -import at.gv.egiz.eaaf.core.impl.utils.FileUtils; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; -import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException; -import at.gv.egiz.eaaf.modules.pvp2.exception.SignatureValidationException; -import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.OpenSaml3ResourceAdapter; - import org.apache.http.client.HttpClient; import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; import org.opensaml.saml.metadata.resolver.ExtendedRefreshableMetadataResolver; @@ -30,6 +21,15 @@ import org.springframework.core.io.ResourceLoader; import com.google.common.base.Predicates; import com.google.common.base.Throwables; import com.google.common.collect.FluentIterable; + +import at.gv.egiz.components.spring.api.IDestroyableObject; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.impl.utils.FileUtils; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SignatureValidationException; +import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.OpenSaml3ResourceAdapter; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.component.ComponentInitializationException; import net.shibboleth.utilities.java.support.resolver.ResolverException; 
@@ -90,6 +90,7 @@ public class PvpMetadataResolverFactory implements IDestroyableObject { * @param filter Filters, which should be used to validate the * metadata * @param idForLogging Id, which is used for Logging + * @param pool XML parser-pool to parse SAML2 Metadaten * @param httpClient Apache commons 4.x http client * * @return SAML2 Metadata Provider, or null if the metadata provider can not diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java index 26a5c5f6..e17e625e 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java @@ -32,6 +32,12 @@ import java.util.List; import javax.annotation.Nonnull; import javax.annotation.PostConstruct; +import org.apache.commons.lang3.StringUtils; +import org.apache.xml.security.algorithms.JCEMapper; +import org.opensaml.security.credential.UsageType; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.core.io.ResourceLoader; + import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; import at.gv.egiz.eaaf.core.exceptions.EaafException; 
@@ -44,13 +50,6 @@ import at.gv.egiz.eaaf.modules.pvp2.api.utils.IPvp2CredentialProvider; import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafKeyStoreX509CredentialAdapter; - -import org.apache.commons.lang3.StringUtils; -import org.apache.xml.security.algorithms.JCEMapper; -import org.opensaml.security.credential.UsageType; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.core.io.ResourceLoader; - import lombok.extern.slf4j.Slf4j; @Slf4j @@ -256,6 +255,11 @@ public abstract class AbstractCredentialProvider implements IPvp2CredentialProvi } + public Pair<KeyStore, Provider> getKeyStore() { + return keyStore; + + } + @PostConstruct private void initialize() throws Exception { try { diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java index ef09e5c4..5a97924f 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java 
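Review bot: `getKeyStore()` in `AbstractCredentialProvider` implements the interface method but carries neither `@Override` nor the `@Nonnull` the interface declares, and it returns the `keyStore` field as-is; with a `@PostConstruct initialize()` directly below it, the field is presumably null until initialization, so the `@Nonnull` contract is not guaranteed before then. Suggest `@Override @Nonnull public Pair<KeyStore, Provider> getKeyStore() { return Objects.requireNonNull(keyStore, "credential provider is not initialized"); }` (needs `java.util.Objects`), or an `IllegalStateException` with the same message. The stray blank line before the closing brace is the same style nit as in the other new getters of this commit.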
@@ -23,15 +23,14 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.List; import javax.annotation.Nonnull; -import at.gv.egiz.eaaf.core.exceptions.EaafException; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlMetadataSignatureException; - import org.opensaml.saml.common.SignableSAMLObject; import org.opensaml.saml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml.saml2.metadata.EntityDescriptor; @@ -40,13 +39,18 @@ import org.opensaml.security.x509.BasicX509Credential; import org.opensaml.xmlsec.signature.support.SignatureException; import org.opensaml.xmlsec.signature.support.SignatureValidator; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlMetadataSignatureException; import lombok.extern.slf4j.Slf4j; @Slf4j public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataSignatureFilter { private final String metadataUrl; - private final List<BasicX509Credential> trustedCredential = new ArrayList<>(); + private final KeyStore trustedCredential; private static final String ERROR_07 = "internal.pvp.07"; private static final String ERROR_12 = "internal.pvp.12"; 
@@ -61,13 +65,13 @@ public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataS * SAML2 metadata with {@link EntitiesDescriptor} <b>are not supported.</b> * </p> * - * @param credentials Trust X509 certificates + * @param keyStore TrustStore that contains trusted X509 certificates * @param metadataUrl Metadata URL for logging purposes */ - public SimpleMetadataSignatureVerificationFilter(@Nonnull List<BasicX509Credential> credentials, + public SimpleMetadataSignatureVerificationFilter(@Nonnull KeyStore keyStore, @Nonnull String metadataUrl) { this.metadataUrl = metadataUrl; - this.trustedCredential.addAll(credentials); + this.trustedCredential = keyStore; } @@ -121,7 +125,7 @@ public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataS // perform cryptographic signature verification boolean isTrusted = false; - for (final BasicX509Credential cred : trustedCredential) { + for (final BasicX509Credential cred : getTrustedCertificates()) { log.trace("Validating signature with credential: {} ... ", cred.getEntityCertificate().getSubjectDN()); try { 
@@ -140,7 +144,31 @@ public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataS throw new SamlMetadataSignatureException(metadataUrl, ERROR_MSG_SIGNOTVALID); } + } + + private List<BasicX509Credential> getTrustedCertificates() throws EaafConfigurationException { + try { + final List<X509Certificate> certs = + EaafKeyStoreUtils.readCertsFromKeyStore(trustedCredential); + if (certs.isEmpty()) { + log.warn("No trusted metadata-signing certificates in configuration"); + throw new EaafConfigurationException("module.eidasauth.02", + new Object[] { "No trusted metadata-signing certificates" }); + + } + + final List<BasicX509Credential> result = new ArrayList<>(); + for (final X509Certificate cert : certs) { + result.add(new BasicX509Credential(cert)); + } + return result; + + } catch (final KeyStoreException e) { + throw new EaafConfigurationException("module.eidasauth.01", + new Object[] { "Trusted metadata-signing certificates", e.getMessage() }, e); + + } } } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java index d5186857..e593c1d4 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java 
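Review bot: The error keys thrown from the new `getTrustedCertificates()`, `module.eidasauth.02` and `module.eidasauth.01`, look copied from an eIDAS module; this class otherwise uses `internal.pvp.*` keys (`ERROR_07`, `ERROR_12`), and unless a message source for `module.eidasauth.*` is on the classpath of eaaf_module_pvp2_core these exceptions will surface without a resolved message. The method is also invoked from the verification loop (hunk `@@ -121,7 +125,7 @@`) on every metadata signature check, so the KeyStore is enumerated and wrapped into `BasicX509Credential`s each time; as `trustedCredential` is final, the list could be computed once (in the constructor, as the previous version did, or lazily) so that an empty truststore fails at startup rather than on the first metadata refresh. Failing closed on an empty truststore is the right call either way. The name `getTrustedCertificates` returns credentials; `getTrustedCredentials` would match the return type.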
@@ -3,28 +3,9 @@ package at.gv.egiz.eaaf.modules.pvp2.test; import java.util.ArrayList; import java.util.List; -import at.gv.egiz.eaaf.core.api.idp.IConfiguration; -import at.gv.egiz.eaaf.core.exceptions.EaafException; -import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; -import at.gv.egiz.eaaf.core.impl.data.Pair; -import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; -import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; -import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; -import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; -import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; -import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine; -import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider; -import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyMetadataProvider; - +import org.apache.xml.security.algorithms.JCEMapper; import org.joda.time.DateTime; +import org.junit.AfterClass; import org.junit.BeforeClass; import org.junit.Test; import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; 
@@ -47,6 +28,26 @@ import org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.util.Assert; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; +import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine; +import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider; +import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyMetadataProvider; import net.shibboleth.utilities.java.support.xml.XMLParserException; 
@@ -72,6 +73,17 @@ public abstract class AbstractSamlVerificationEngine { EaafOpenSaml3xInitializer.eaafInitialize(); } + + /** + * Reset OpenSAML3.x JCEMapper to default. + * + */ + @AfterClass + public static void classCloser() { + JCEMapper.setProviderId(null); + + } + protected abstract String getMetadataJunitJKeystore(); protected abstract String getMetadataClassPathEntityPath(); diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/PvpCoreMessageSourceTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/PvpCoreMessageSourceTest.java index b94ed8cc..88106e5b 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/PvpCoreMessageSourceTest.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/PvpCoreMessageSourceTest.java @@ -2,8 +2,6 @@ package at.gv.egiz.eaaf.modules.pvp2.test; import java.util.List; -import at.gv.egiz.eaaf.core.api.logging.IMessageSourceLocation; - import org.junit.Assert; import org.junit.Test; import org.junit.runner.RunWith; @@ -14,10 +12,12 @@ import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.TestPropertySource; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import at.gv.egiz.eaaf.core.api.logging.IMessageSourceLocation; + @RunWith(SpringJUnit4ClassRunner.class) @ContextConfiguration({ "/spring/test_eaaf_pvp.beans.xml", -"/spring/test_eaaf_core_spring_config.beans.xml", -"/spring/eaaf_utils.beans.xml" }) + "/spring/test_eaaf_core_spring_config.beans.xml", + "/spring/eaaf_utils.beans.xml" }) @TestPropertySource(locations = { "/config/config_1.props" }) public class PvpCoreMessageSourceTest { 
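Review bot: `classCloser()` resets the JCEMapper provider to `null` unconditionally, which restores the library default but also discards any provider id the surrounding test setup may have installed before this class ran; capturing `JCEMapper.getProviderId()` in the class initializer whose tail is visible above and restoring that value here would make the teardown symmetric. Whether that initializer sets a provider at all is not visible — `eaafInitialize()` is the only call shown and the rest of the class lies outside the hunk. The Javadoc's trailing empty ` *` line and the blank line before the closing brace are formatter noise; ` * Reset OpenSAML3.x JCEMapper to default.` on its own is enough.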
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/QaaLevelVerifierTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/QaaLevelVerifierTest.java index 44cdf111..c2530004 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/QaaLevelVerifierTest.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/QaaLevelVerifierTest.java @@ -27,7 +27,7 @@ public class QaaLevelVerifierTest { Assert.fail("LoA should not be allowed"); } catch (QaaNotAllowedException e) { - + Assert.assertNotNull("No errorMsg", e.getMessage()); } try { @@ -35,7 +35,7 @@ public class QaaLevelVerifierTest { Assert.fail("LoA should not be allowed"); } catch (QaaNotAllowedException e) { - + Assert.assertNotNull("No errorMsg", e.getMessage()); } } @@ -54,7 +54,7 @@ public class QaaLevelVerifierTest { Assert.fail("LoA should not be allowed"); } catch (QaaNotAllowedException e) { - + Assert.assertNotNull("No errorMsg", e.getMessage()); } } @@ -69,7 +69,7 @@ public class QaaLevelVerifierTest { Assert.fail("LoA should not be allowed"); } catch (QaaNotAllowedException e) { - + Assert.assertNotNull("No errorMsg", e.getMessage()); } QaaLevelVerifier.verifyQaaLevel(EaafConstants.EIDAS_LOA_SUBSTANTIAL, requiredLoAs, matchingMode); @@ -80,7 +80,7 @@ public class QaaLevelVerifierTest { Assert.fail("LoA should not be allowed"); } catch (QaaNotAllowedException e) { - + Assert.assertNotNull("No errorMsg", e.getMessage()); } } @@ -95,7 +95,7 @@ public class QaaLevelVerifierTest { Assert.fail("LoA should not be allowed"); } catch (QaaNotAllowedException e) { - + Assert.assertNotNull("No errorMsg", e.getMessage()); } try { 
@@ -103,7 +103,7 @@ public class QaaLevelVerifierTest { Assert.fail("LoA should not be allowed"); } catch (QaaNotAllowedException e) { - + Assert.assertNotNull("No errorMsg", e.getMessage()); } QaaLevelVerifier.verifyQaaLevel(EaafConstants.EIDAS_LOA_HIGH, requiredLoAs, matchingMode); @@ -113,7 +113,7 @@ public class QaaLevelVerifierTest { Assert.fail("LoA should not be allowed"); } catch (QaaNotAllowedException e) { - + Assert.assertNotNull("No errorMsg", e.getMessage()); } } @@ -128,7 +128,7 @@ public class QaaLevelVerifierTest { Assert.fail("LoA should not be allowed"); } catch (QaaNotAllowedException e) { - + Assert.assertNotNull("No errorMsg", e.getMessage()); } QaaLevelVerifier.verifyQaaLevel(EaafConstants.EIDAS_LOA_LOW, requiredLoAs, matchingMode); @@ -139,7 +139,7 @@ public class QaaLevelVerifierTest { Assert.fail("LoA should not be allowed"); } catch (QaaNotAllowedException e) { - + Assert.assertNotNull("No errorMsg", e.getMessage()); } } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java index 64bfb8f6..57c4b93a 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java 
@@ -1,22 +1,5 @@ package at.gv.egiz.eaaf.modules.pvp2.test; -import at.gv.egiz.eaaf.core.api.idp.IConfiguration; -import at.gv.egiz.eaaf.core.exceptions.EaafException; -import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException; -import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; -import at.gv.egiz.eaaf.core.impl.data.Pair; -import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; -import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; -import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine; -import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider; -import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyMetadataProvider; - import org.joda.time.DateTime; import org.junit.Test; import org.junit.runner.RunWith; 
@@ -30,12 +13,30 @@ import org.opensaml.saml.saml2.core.Response; import org.opensaml.saml.saml2.core.StatusCode; import org.opensaml.xmlsec.signature.support.SignatureConstants; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.test.annotation.DirtiesContext; +import org.springframework.test.annotation.DirtiesContext.ClassMode; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.TestPropertySource; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; import org.springframework.util.Assert; import org.w3c.dom.Element; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException; +import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine; +import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider; +import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyMetadataProvider; import net.shibboleth.utilities.java.support.xml.XMLParserException; @RunWith(SpringJUnit4ClassRunner.class) 
@@ -43,6 +44,7 @@ import net.shibboleth.utilities.java.support.xml.XMLParserException; "/spring/test_eaaf_core_spring_config.beans.xml", "/spring/eaaf_utils.beans.xml" }) @TestPropertySource(locations = { "/config/config_1.props" }) +@DirtiesContext(classMode = ClassMode.BEFORE_CLASS) public class SamlVerificationEngineTest extends AbstractSamlVerificationEngine { @Autowired diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java index 5b06a73f..926f25b2 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java 
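Review bot: `@DirtiesContext(classMode = ClassMode.BEFORE_CLASS)` is added without any indication of why this test class needs a fresh Spring context, and the same annotation appears in the SamlVerificationEngineWithHsmFacadeTest and MetadataBuilderTest hunks further down. Forcing a context rebuild hides whatever shared state made the cached context unusable, so a one-line comment naming that state would help the next reader, e.g. `// fresh Spring context required: <state that must not leak between test classes>`. The actual cause is not visible in this diff; note that the annotation only rebuilds Spring beans and does not touch static JVM state such as the JCEMapper provider, which the base class resets separately.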
@@ -1,20 +1,24 @@ package at.gv.egiz.eaaf.modules.pvp2.test; -import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; - import org.junit.Test; import org.junit.runner.RunWith; import org.opensaml.xmlsec.signature.support.SignatureConstants; +import org.springframework.test.annotation.DirtiesContext; +import org.springframework.test.annotation.DirtiesContext.ClassMode; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.TestPropertySource; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; + +//@IfProfileValue(name = "spring.profiles.active", value = "devEnvironment") @RunWith(SpringJUnit4ClassRunner.class) @ContextConfiguration({ "/spring/test_eaaf_pvp.beans.xml", "/spring/test_eaaf_core_spring_config.beans.xml", "/spring/eaaf_utils.beans.xml" }) @TestPropertySource(locations = { "/config/config_3.props" }) +@DirtiesContext(classMode = ClassMode.BEFORE_CLASS) public class SamlVerificationEngineWithHsmFacadeTest extends AbstractSamlVerificationEngine { @Override diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/PostBindingTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/PostBindingTest.java index 147199a5..f14a9093 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/PostBindingTest.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/PostBindingTest.java 
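Review bot: The commented-out `//@IfProfileValue(name = "spring.profiles.active", value = "devEnvironment")` left above the class is dead code; either delete it or replace it with a comment stating why the HSM-facade test now runs in every profile. If the test still depends on an HSM that is only reachable in a development environment, the guard should be restored rather than disabled, otherwise builds without that environment would fail on the missing device; `config_3.props` referenced here does not reveal which is the case.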
@@ -9,33 +9,6 @@ import java.util.Map; import javax.xml.parsers.ParserConfigurationException; -import at.gv.egiz.eaaf.core.api.IRequest; -import at.gv.egiz.eaaf.core.api.gui.IVelocityGuiBuilderConfiguration; -import at.gv.egiz.eaaf.core.impl.idp.module.gui.DummyGuiBuilderConfigurationFactory; -import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl; -import at.gv.egiz.eaaf.core.impl.utils.DomUtils; -import at.gv.egiz.eaaf.core.impl.utils.IHttpClientFactory; -import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; -import at.gv.egiz.eaaf.modules.pvp2.api.message.InboundMessageInterface; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; -import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttributes; -import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlMessageValidationException; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; -import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; -import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; -import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; -import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EaafUriCompare; -import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider; -import at.gv.egiz.eaaf.modules.pvp2.test.metadata.MetadataResolverTest; - import org.apache.commons.io.IOUtils; import 
org.apache.commons.lang3.RandomStringUtils; import org.joda.time.DateTime; 
@@ -69,6 +42,32 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; import org.w3c.dom.Element; import org.xml.sax.SAXException; +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.gui.IVelocityGuiBuilderConfiguration; +import at.gv.egiz.eaaf.core.impl.http.IHttpClientFactory; +import at.gv.egiz.eaaf.core.impl.idp.module.gui.DummyGuiBuilderConfigurationFactory; +import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl; +import at.gv.egiz.eaaf.core.impl.utils.DomUtils; +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.api.message.InboundMessageInterface; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttributes; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlMessageValidationException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; +import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; +import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EaafUriCompare; +import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider; +import at.gv.egiz.eaaf.modules.pvp2.test.metadata.MetadataResolverTest; import 
net.shibboleth.utilities.java.support.net.URIComparator; import net.shibboleth.utilities.java.support.xml.SerializeSupport; import net.shibboleth.utilities.java.support.xml.XMLParserException; @@ -357,7 +356,8 @@ public class PostBindingTest { @Test public void decodeRequestSuccessWithRequestAttributes() throws MessageDecodingException, SecurityException, - IOException, Pvp2Exception, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, MarshallingException { + IOException, Pvp2Exception, CredentialsNotAvailableException, XMLParserException, + UnmarshallingException, MarshallingException { final String serviceUrl = "https://eidas-test.bmi.gv.at/ms_connector/pvp/post"; final String relayState = RandomStringUtils.randomAlphanumeric(10); @@ -369,7 +369,8 @@ public class PostBindingTest { issuer.setValue("https://demo.egiz.gv.at/demoportal_demologin/"); authnReq.setIssuer(issuer); - final RequestAbstractType signedAuthn = Saml2Utils.signSamlObject(authnReq, credentialProvider.getMessageSigningCredential(), true); + final RequestAbstractType signedAuthn = Saml2Utils.signSamlObject( + authnReq, credentialProvider.getMessageSigningCredential(), true); final Element signedElement = XMLObjectSupport.getMarshaller(signedAuthn).marshall(signedAuthn); final String b64AuthnReq = Base64.getEncoder().encodeToString(SerializeSupport.nodeToString(signedElement).getBytes("UTF-8")); 
@@ -404,7 +405,8 @@ public class PostBindingTest { Assert.assertEquals("extension child size", 1, parsedAuthnReq.getExtensions().getUnknownXMLObjects().size()); final XMLObject reqAttrs = parsedAuthnReq.getExtensions().getUnknownXMLObjects().get(0); - org.springframework.util.Assert.isInstanceOf(EaafRequestedAttributes.class, reqAttrs, "Wrong requested Attributes type"); + org.springframework.util.Assert.isInstanceOf( + EaafRequestedAttributes.class, reqAttrs, "Wrong requested Attributes type"); final EaafRequestedAttributes eaafReqAttrs = (EaafRequestedAttributes) reqAttrs; Assert.assertNotNull("Req attr is null", eaafReqAttrs.getAttributes()); Assert.assertFalse("Req attr is empty", eaafReqAttrs.getAttributes().isEmpty()); @@ -418,7 +420,8 @@ public class PostBindingTest { Assert.assertEquals("Req. Attr. Value size", 1, eaafReqAttr.getAttributeValues().size()); org.springframework.util.Assert.isInstanceOf(XSString.class, eaafReqAttr.getAttributeValues().get(0), "Wrong requested Attributes Value type"); - Assert.assertEquals("Req. Attr. Value", "urn:publicid:gv.at:cdid+BF", ((XSString)eaafReqAttr.getAttributeValues().get(0)).getValue()); + Assert.assertEquals("Req. Attr. Value", "urn:publicid:gv.at:cdid+BF", + ((XSString)eaafReqAttr.getAttributeValues().get(0)).getValue()); } @@ -454,7 +457,9 @@ public class PostBindingTest { try { Assert.assertNotNull("AuthnReq is null", msg.getInboundMessage()); - } catch (final RuntimeException e) { } + } catch (final RuntimeException e) { + Assert.assertNotNull("No errorMsg", e.getMessage()); + } } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/RedirectBindingTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/RedirectBindingTest.java index 37e4acd1..cbeca4c3 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/RedirectBindingTest.java 
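Review bot: The last hunk's catch block now asserts `e.getMessage()` is non-null, but the test still passes both when `msg.getInboundMessage()` returns a value and when it throws a RuntimeException, so the expected behaviour is not pinned. Pick one outcome: if the call is expected to succeed, drop the try/catch and keep the `assertNotNull`; if it is expected to throw, add `Assert.fail("expected exception")` after the call and assert on the exception inside the catch. The enclosing test method starts outside the hunk.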
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/RedirectBindingTest.java @@ -6,8 +6,8 @@ import java.net.URLDecoder; import javax.xml.parsers.ParserConfigurationException; import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.impl.http.IHttpClientFactory; import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl; -import at.gv.egiz.eaaf.core.impl.utils.IHttpClientFactory; import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; import at.gv.egiz.eaaf.modules.pvp2.api.message.InboundMessageInterface; diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/dummy/DummyCredentialProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/dummy/DummyCredentialProvider.java index 7418e1b3..1fe9afcf 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/dummy/DummyCredentialProvider.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/dummy/DummyCredentialProvider.java @@ -1,13 +1,13 @@ package at.gv.egiz.eaaf.modules.pvp2.test.dummy; +import org.springframework.beans.factory.annotation.Autowired; + import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider; -import org.springframework.beans.factory.annotation.Autowired; - public class DummyCredentialProvider extends AbstractCredentialProvider { @Autowired IConfiguration basicConfig; 
@@ -49,6 +49,11 @@ public class DummyCredentialProvider extends AbstractCredentialProvider { } + /** + * Get Path to keystore. + * + * @return + */ public String getKeyStoreFilePath() { final String path = basicConfig.getBasicConfiguration(KEYSTORE_PATH); return path; diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/dummy/DummyMetadataProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/dummy/DummyMetadataProvider.java index 64ebe00c..3673859a 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/dummy/DummyMetadataProvider.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/dummy/DummyMetadataProvider.java @@ -6,7 +6,7 @@ import java.util.ArrayList; import java.util.List; import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; -import at.gv.egiz.eaaf.core.impl.utils.IHttpClientFactory; +import at.gv.egiz.eaaf.core.impl.http.IHttpClientFactory; import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.AbstractChainingMetadataProvider; import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/metadata/ChainingMetadataTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/metadata/ChainingMetadataTest.java index 6abe52dc..27c42c57 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/metadata/ChainingMetadataTest.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/metadata/ChainingMetadataTest.java 
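Review bot: The new Javadoc on `getKeyStoreFilePath()` has an empty `@return` tag, which Checkstyle/javadoc lint reports and which tells the reader nothing; write `@return keystore location as configured under KEYSTORE_PATH` instead. The `idpMetadataConfig(...)` Javadoc in the MetadataBuilderTest hunk further down has the same empty `@return`; there `@return builder configuration backed by the given credential provider` would do.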
@@ -5,8 +5,8 @@ import java.io.UnsupportedEncodingException; import java.util.Arrays; import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.impl.http.IHttpClientFactory; import at.gv.egiz.eaaf.core.impl.utils.FileUtils; -import at.gv.egiz.eaaf.core.impl.utils.IHttpClientFactory; import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/metadata/MetadataBuilderTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/metadata/MetadataBuilderTest.java index 0f8817a0..3cc0a908 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/metadata/MetadataBuilderTest.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/metadata/MetadataBuilderTest.java @@ -14,15 +14,6 @@ import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.TransformerException; import javax.xml.transform.TransformerFactoryConfigurationError; -import at.gv.egiz.eaaf.core.exceptions.EaafException; -import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataBuilderConfiguration; -import at.gv.egiz.eaaf.modules.pvp2.api.utils.IPvp2CredentialProvider; -import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpMetadataBuilder; -import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; -import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider; - import org.apache.commons.lang3.RandomStringUtils; import org.junit.Assert; import org.junit.BeforeClass; 
@@ -46,10 +37,20 @@ import org.opensaml.security.x509.BasicX509Credential; import org.opensaml.xmlsec.signature.support.SignatureException; import org.opensaml.xmlsec.signature.support.SignatureValidator; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.test.annotation.DirtiesContext; +import org.springframework.test.annotation.DirtiesContext.ClassMode; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.TestPropertySource; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataBuilderConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.api.utils.IPvp2CredentialProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpMetadataBuilder; +import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; +import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider; import net.shibboleth.utilities.java.support.xml.XMLParserException; @@ -61,6 +62,7 @@ import net.shibboleth.utilities.java.support.xml.XMLParserException; "/spring/test_eaaf_core_spring_config.beans.xml", "/spring/eaaf_utils.beans.xml" }) @TestPropertySource(locations = { "/config/config_1.props" }) +@DirtiesContext(classMode = ClassMode.BEFORE_CLASS) public class MetadataBuilderTest { @Autowired private PvpMetadataBuilder metadataBuilder; 
@@ -157,7 +159,16 @@ public class MetadataBuilderTest { return entity; } - public static IPvpMetadataBuilderConfiguration idpMetadataConfig(IPvp2CredentialProvider credentialProvider, boolean buildSpInfos, boolean buildIdpInfos) { + /** + * Dummy Metadata builder configuration. + * + * @param credentialProvider Credentialprovider + * @param buildSpInfos Sp metadata flag + * @param buildIdpInfos IDP metadata flag + * @return + */ + public static IPvpMetadataBuilderConfiguration idpMetadataConfig( + IPvp2CredentialProvider credentialProvider, boolean buildSpInfos, boolean buildIdpInfos) { return new IPvpMetadataBuilderConfiguration() { @Override diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/metadata/MetadataResolverTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/metadata/MetadataResolverTest.java index accdd8b0..1cbc2f14 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/metadata/MetadataResolverTest.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/metadata/MetadataResolverTest.java @@ -2,6 +2,9 @@ package at.gv.egiz.eaaf.modules.pvp2.test.metadata; import java.io.IOException; import java.io.UnsupportedEncodingException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; 
@@ -10,21 +13,6 @@ import java.util.List; import javax.xml.transform.TransformerException; -import at.gv.egiz.eaaf.core.impl.utils.IHttpClientFactory; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; -import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; -import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; -import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; -import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.PvpEntityCategoryFilter; -import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SchemaValidationFilter; -import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SimpleMetadataSignatureVerificationFilter; -import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider; - import org.apache.commons.io.IOUtils; import org.apache.commons.lang3.RandomStringUtils; import org.joda.time.DateTime; 
@@ -68,6 +56,20 @@ import org.springframework.test.context.TestPropertySource; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; import org.w3c.dom.Element; +import at.gv.egiz.eaaf.core.impl.http.IHttpClientFactory; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; +import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.PvpEntityCategoryFilter; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SchemaValidationFilter; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SimpleMetadataSignatureVerificationFilter; +import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider; import net.shibboleth.utilities.java.support.component.ComponentInitializationException; import net.shibboleth.utilities.java.support.resolver.CriteriaSet; import net.shibboleth.utilities.java.support.resolver.ResolverException; @@ -91,7 +93,8 @@ public class MetadataResolverTest { private PvpMetadataResolverFactory metadataResolverFactory; @Autowired private IHttpClientFactory httpClientFactory; - @Autowired private DummyCredentialProvider credentialProvider; + @Autowired + private DummyCredentialProvider credentialProvider; /** * JUnit class initializer. 
@@ -183,16 +186,15 @@ public class MetadataResolverTest { } @Test - public void noCredentials() { + public void noCredentials() throws KeyStoreException { final String metadataUrl = "classpath:/data/pvp_metadata_moaid_test.xml"; - final List<BasicX509Credential> credentials = new ArrayList<>(); - + final KeyStore keystore = KeyStore.getInstance("JKS"); final List<MetadataFilter> filterList = new ArrayList<>(); filterList.add(new SchemaValidationFilter(true)); filterList.add(new SimpleMetadataSignatureVerificationFilter( - credentials, + keystore, metadataUrl)); final MetadataFilterChain filterChain = new MetadataFilterChain(); @@ -212,20 +214,21 @@ public class MetadataResolverTest { } @Test - public void wrongCredentials() throws CertificateException { + public void wrongCredentials() throws CertificateException, KeyStoreException, NoSuchAlgorithmException, IOException { final String metadataUrl = "classpath:/data/pvp_metadata_moaid_test.xml"; - final List<BasicX509Credential> credentials = new ArrayList<>(); + final KeyStore keystore = KeyStore.getInstance("JKS"); + keystore.load(null, "junit".toCharArray()); final CertificateFactory fact = CertificateFactory.getInstance("X.509"); final BasicX509Credential credential = new BasicX509Credential((X509Certificate) fact.generateCertificate( MetadataResolverTest.class.getResourceAsStream("/data/assertion_sig_cert.crt"))); - credentials.add(credential); + keystore.setCertificateEntry("1", credential.getEntityCertificate()); final List<MetadataFilter> filterList = new ArrayList<>(); filterList.add(new SchemaValidationFilter(true)); filterList.add(new SimpleMetadataSignatureVerificationFilter( - credentials, + keystore, metadataUrl)); final MetadataFilterChain filterChain = new MetadataFilterChain(); 
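Review bot: In `noCredentials()` the `KeyStore` obtained from `KeyStore.getInstance("JKS")` is never loaded, so it is an uninitialized keystore and any access such as `aliases()` or `getCertificate()` throws `KeyStoreException("Uninitialized keystore")`; the filter may therefore fail for that reason rather than because it has no trusted certificate, which is what the test name says it checks. Add `keystore.load(null, null);` after the `getInstance` call so the filter sees an empty but initialized trust store, matching the `load(null, ...)` done in the other hunks of this file. In the `wrongCredentials()` hunk, wrapping the certificate in a `BasicX509Credential` only to call `getEntityCertificate()` is roundabout; `keystore.setCertificateEntry("1", fact.generateCertificate(...))` as the later hunks do keeps the four tests consistent.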
@@ -246,21 +249,22 @@ public class MetadataResolverTest { @Test public void validCredentialsInvalidSig() throws CertificateException, Pvp2MetadataException, - ResolverException { + ResolverException, KeyStoreException, NoSuchAlgorithmException, IOException { final String metadataUrl = "classpath:/data/pvp_metadata_moaid_test.xml"; - final List<BasicX509Credential> credentials = new ArrayList<>(); + final KeyStore keystore = KeyStore.getInstance("JKS"); + keystore.load(null, "junit".toCharArray()); final CertificateFactory fact = CertificateFactory.getInstance("X.509"); - credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate( - MetadataResolverTest.class.getResourceAsStream("/data/assertion_sig_cert.crt")))); - credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate( - MetadataResolverTest.class.getResourceAsStream("/data/metadata_sig_cert.crt")))); + keystore.setCertificateEntry("1", fact.generateCertificate( + MetadataResolverTest.class.getResourceAsStream("/data/assertion_sig_cert.crt"))); + keystore.setCertificateEntry("2", fact.generateCertificate( + MetadataResolverTest.class.getResourceAsStream("/data/metadata_sig_cert.crt"))); final List<MetadataFilter> filterList = new ArrayList<>(); filterList.add(new SchemaValidationFilter(true)); filterList.add(new SimpleMetadataSignatureVerificationFilter( - credentials, + keystore, metadataUrl)); final MetadataFilterChain filterChain = new MetadataFilterChain(); 
@@ -281,7 +285,8 @@ public class MetadataResolverTest { @Test public void metadataSignatureValidCredentials() throws CertificateException, Pvp2MetadataException, ResolverException, XMLParserException, UnmarshallingException, SamlSigningException, - CredentialsNotAvailableException, MarshallingException, TransformerException, IOException { + CredentialsNotAvailableException, MarshallingException, TransformerException, IOException, + KeyStoreException, NoSuchAlgorithmException { mockWebServer.shutdown(); mockWebServer = new MockWebServer(); 
@@ -300,19 +305,20 @@ public class MetadataResolverTest { .setBody(SerializeSupport.nodeToString(metadataElement)) .setHeader("Content-Type", "text/html;charset=utf-8")); - final List<BasicX509Credential> credentials = new ArrayList<>(); + final KeyStore keystore = KeyStore.getInstance("JKS"); + keystore.load(null, "junit".toCharArray()); final CertificateFactory fact = CertificateFactory.getInstance("X.509"); - credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate( - MetadataResolverTest.class.getResourceAsStream("/data/metadata_sig_cert.crt")))); - credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate( - MetadataResolverTest.class.getResourceAsStream("/data/assertion_sig_cert.crt")))); - credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate( - MetadataResolverTest.class.getResourceAsStream("/data/junit_metadata_sig_cert.crt")))); + keystore.setCertificateEntry("1", fact.generateCertificate( + MetadataResolverTest.class.getResourceAsStream("/data/metadata_sig_cert.crt"))); + keystore.setCertificateEntry("2", fact.generateCertificate( + MetadataResolverTest.class.getResourceAsStream("/data/assertion_sig_cert.crt"))); + keystore.setCertificateEntry("3", fact.generateCertificate( + MetadataResolverTest.class.getResourceAsStream("/data/junit_metadata_sig_cert.crt"))); final List<MetadataFilter> filterList = new ArrayList<>(); filterList.add(new SchemaValidationFilter(true)); filterList.add(new SimpleMetadataSignatureVerificationFilter( - credentials, + keystore, mockServerUrl.url().toString())); filterList.add(new PvpEntityCategoryFilter(true)); 
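Review bot: The trust-store setup in metadataSignatureValidCredentials() (getInstance, load, three setCertificateEntry calls with numeric aliases) is repeated verbatim in metadataSignatureValidCredentialsSecond, metadataSignatureValidCredentialsThird and metadataExpired, and none of the streams returned by `getResourceAsStream` and passed to `fact.generateCertificate` is closed. A small private helper that builds the in-memory store from a list of resource paths, opens each resource in try-with-resources and assigns aliases sequentially would remove both the duplication and the leak, and would make an alias typo in one copy impossible. The method body continues outside the hunk; the helper needs a `java.io.InputStream` import.

```java
private static KeyStore trustStore(final String... certResources)
    throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
  final KeyStore keystore = KeyStore.getInstance("JKS");
  keystore.load(null, "junit".toCharArray());
  final CertificateFactory fact = CertificateFactory.getInstance("X.509");
  int alias = 1;
  for (final String res : certResources) {
    try (InputStream in = MetadataResolverTest.class.getResourceAsStream(res)) {
      keystore.setCertificateEntry(String.valueOf(alias++), fact.generateCertificate(in));
    }
  }
  return keystore;
}

// … in the test, replacing the inline setup …
final KeyStore keystore = trustStore(
    "/data/metadata_sig_cert.crt",
    "/data/assertion_sig_cert.crt",
    "/data/junit_metadata_sig_cert.crt");
// … unchanged: filterList construction …
```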
@@ -332,7 +338,8 @@ public class MetadataResolverTest { @Test public void metadataSignatureValidCredentialsSecond() throws CertificateException, Pvp2MetadataException, ResolverException, XMLParserException, UnmarshallingException, SamlSigningException, - CredentialsNotAvailableException, MarshallingException, TransformerException, IOException { + CredentialsNotAvailableException, MarshallingException, TransformerException, IOException, + KeyStoreException, NoSuchAlgorithmException { final EntityDescriptor metadata = (EntityDescriptor) XMLObjectSupport.unmarshallFromInputStream( XMLObjectProviderRegistrySupport.getParserPool(), 
@@ -347,19 +354,20 @@ public class MetadataResolverTest { .setBody(SerializeSupport.nodeToString(metadataElement)) .setHeader("Content-Type", "text/html;charset=utf-8")); - final List<BasicX509Credential> credentials = new ArrayList<>(); + final KeyStore keystore = KeyStore.getInstance("JKS"); + keystore.load(null, "junit".toCharArray()); final CertificateFactory fact = CertificateFactory.getInstance("X.509"); - credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate( - MetadataResolverTest.class.getResourceAsStream("/data/metadata_sig_cert.crt")))); - credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate( - MetadataResolverTest.class.getResourceAsStream("/data/assertion_sig_cert.crt")))); - credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate( - MetadataResolverTest.class.getResourceAsStream("/data/junit_metadata_sig_cert.crt")))); + keystore.setCertificateEntry("1", fact.generateCertificate( + MetadataResolverTest.class.getResourceAsStream("/data/metadata_sig_cert.crt"))); + keystore.setCertificateEntry("2", fact.generateCertificate( + MetadataResolverTest.class.getResourceAsStream("/data/assertion_sig_cert.crt"))); + keystore.setCertificateEntry("3", fact.generateCertificate( + MetadataResolverTest.class.getResourceAsStream("/data/junit_metadata_sig_cert.crt"))); final List<MetadataFilter> filterList = new ArrayList<>(); filterList.add(new SchemaValidationFilter(true)); filterList.add(new SimpleMetadataSignatureVerificationFilter( - credentials, + keystore, mockServerUrl.url().toString())); filterList.add(new PvpEntityCategoryFilter(true)); @@ -370,8 +378,6 @@ public class MetadataResolverTest { mockServerUrl.url().toString(), filterChain, "jUnit test", httpClientFactory.getHttpClient()); - - final EntityDescriptor descr = mdResolver.getEntityDescriptor(metadata.getEntityID()); Assert.assertNotNull("No EntityDescripter", descr); 
@@ -385,11 +391,13 @@ public class MetadataResolverTest { @Test public void metadataSignatureValidCredentialsThird() throws CertificateException, Pvp2MetadataException, ResolverException, XMLParserException, UnmarshallingException, SamlSigningException, - CredentialsNotAvailableException, MarshallingException, TransformerException, IOException { + CredentialsNotAvailableException, MarshallingException, TransformerException, IOException, + KeyStoreException, NoSuchAlgorithmException { final EntityDescriptor metadata = (EntityDescriptor) XMLObjectSupport.unmarshallFromInputStream( XMLObjectProviderRegistrySupport.getParserPool(), - MetadataResolverTest.class.getResourceAsStream("/data/pvp_metadata_valid_with_entityCategory_egov.xml")); + MetadataResolverTest.class.getResourceAsStream( + "/data/pvp_metadata_valid_with_entityCategory_egov.xml")); metadata.setValidUntil(DateTime.now().plusDays(1)); metadata.setSignature(null); metadata.setEntityID(RandomStringUtils.randomAlphabetic(10)); 
@@ -400,19 +408,20 @@ public class MetadataResolverTest { .setBody(SerializeSupport.nodeToString(metadataElement)) .setHeader("Content-Type", "text/html;charset=utf-8")); - final List<BasicX509Credential> credentials = new ArrayList<>(); + final KeyStore keystore = KeyStore.getInstance("JKS"); + keystore.load(null, "junit".toCharArray()); final CertificateFactory fact = CertificateFactory.getInstance("X.509"); - credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate( - MetadataResolverTest.class.getResourceAsStream("/data/metadata_sig_cert.crt")))); - credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate( - MetadataResolverTest.class.getResourceAsStream("/data/assertion_sig_cert.crt")))); - credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate( - MetadataResolverTest.class.getResourceAsStream("/data/junit_metadata_sig_cert.crt")))); + keystore.setCertificateEntry("1", fact.generateCertificate( + MetadataResolverTest.class.getResourceAsStream("/data/metadata_sig_cert.crt"))); + keystore.setCertificateEntry("2", fact.generateCertificate( + MetadataResolverTest.class.getResourceAsStream("/data/assertion_sig_cert.crt"))); + keystore.setCertificateEntry("3", fact.generateCertificate( + MetadataResolverTest.class.getResourceAsStream("/data/junit_metadata_sig_cert.crt"))); final List<MetadataFilter> filterList = new ArrayList<>(); filterList.add(new SchemaValidationFilter(true)); filterList.add(new SimpleMetadataSignatureVerificationFilter( - credentials, + keystore, mockServerUrl.url().toString())); filterList.add(new PvpEntityCategoryFilter(true)); @@ -423,8 +432,6 @@ public class MetadataResolverTest { mockServerUrl.url().toString(), filterChain, "jUnit test", httpClientFactory.getHttpClient()); - - final EntityDescriptor descr = mdResolver.getEntityDescriptor(metadata.getEntityID()); Assert.assertNotNull("No EntityDescripter", descr); 
@@ -438,7 +445,8 @@ public class MetadataResolverTest { @Test public void metadataExpired() throws CertificateException, Pvp2MetadataException, ResolverException, XMLParserException, UnmarshallingException, SamlSigningException, - CredentialsNotAvailableException, MarshallingException, TransformerException, IOException { + CredentialsNotAvailableException, MarshallingException, TransformerException, IOException, + KeyStoreException, NoSuchAlgorithmException { final EntityDescriptor metadata = (EntityDescriptor) XMLObjectSupport.unmarshallFromInputStream( XMLObjectProviderRegistrySupport.getParserPool(), 
@@ -452,24 +460,24 @@ public class MetadataResolverTest { .setBody(SerializeSupport.nodeToString(metadataElement)) .setHeader("Content-Type", "text/html;charset=utf-8")); - final List<BasicX509Credential> credentials = new ArrayList<>(); + final KeyStore keystore = KeyStore.getInstance("JKS"); + keystore.load(null, "junit".toCharArray()); final CertificateFactory fact = CertificateFactory.getInstance("X.509"); - credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate( - MetadataResolverTest.class.getResourceAsStream("/data/metadata_sig_cert.crt")))); - credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate( - MetadataResolverTest.class.getResourceAsStream("/data/assertion_sig_cert.crt")))); - credentials.add(new BasicX509Credential((X509Certificate) fact.generateCertificate( - MetadataResolverTest.class.getResourceAsStream("/data/junit_metadata_sig_cert.crt")))); + keystore.setCertificateEntry("1", fact.generateCertificate( + MetadataResolverTest.class.getResourceAsStream("/data/metadata_sig_cert.crt"))); + keystore.setCertificateEntry("2", fact.generateCertificate( + MetadataResolverTest.class.getResourceAsStream("/data/assertion_sig_cert.crt"))); + keystore.setCertificateEntry("2", fact.generateCertificate( + MetadataResolverTest.class.getResourceAsStream("/data/junit_metadata_sig_cert.crt"))); final List<MetadataFilter> filterList = new ArrayList<>(); filterList.add(new SchemaValidationFilter(true)); filterList.add(new SimpleMetadataSignatureVerificationFilter( - credentials, + keystore, mockServerUrl.url().toString())); filterList.add(new RequiredValidUntilFilter()); filterList.add(new PvpEntityCategoryFilter(false)); - final MetadataFilterChain filterChain = new MetadataFilterChain(); filterChain.setFilters(filterList); @@ -484,7 +492,6 @@ public class MetadataResolverTest { } - } @Test 
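Review bot: In metadataExpired() the third certificate (junit_metadata_sig_cert.crt) is stored under alias `"2"`, the same alias just used for assertion_sig_cert.crt, so the second `setCertificateEntry("2", ...)` silently replaces that entry and the keystore ends up with two certificates rather than the three the sibling tests build with aliases 1, 2, 3. Whether the expiry assertion still exercises the intended path depends on which certificate actually signs the metadata, which is not visible here, but the trust set no longer matches the other tests. Change the third call to `keystore.setCertificateEntry("3", fact.generateCertificate(` so the alias sequence is 1, 2, 3 as elsewhere. The method's assertions lie outside the hunk.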
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/pom.xml b/eaaf_modules/eaaf_module_pvp2_idp/pom.xml index ffda330d..e8fb2acc 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/pom.xml +++ b/eaaf_modules/eaaf_module_pvp2_idp/pom.xml @@ -5,7 +5,7 @@ <parent> <groupId>at.gv.egiz.eaaf</groupId> <artifactId>eaaf_modules</artifactId> - <version>1.1.0</version> + <version>1.1.1</version> </parent> <artifactId>eaaf_module_pvp2_idp</artifactId> <name>eaaf_module_pvp2_idp</name> @@ -19,7 +19,11 @@ <artifactId>eaaf_module_pvp2_core</artifactId> <version>${egiz.eaaf.version}</version> </dependency> - + <dependency> + <groupId>org.springframework</groupId> + <artifactId>spring-webmvc</artifactId> + <scope>provided</scope> + </dependency> <dependency> <groupId>javax.servlet</groupId> <artifactId>javax.servlet-api</artifactId> diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/idp/test/AuthenticationActionTest.java b/eaaf_modules/eaaf_module_pvp2_idp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/idp/test/AuthenticationActionTest.java index a88fa869..df5c15f8 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/idp/test/AuthenticationActionTest.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/idp/test/AuthenticationActionTest.java @@ -39,6 +39,7 @@ public class AuthenticationActionTest { protected MockHttpServletRequest httpReq; protected MockHttpServletResponse httpResp; private PvpSProfilePendingRequest pendingReq; + /** * JUnit class initializer. * diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/idp/test/MetadataActionTest.java b/eaaf_modules/eaaf_module_pvp2_idp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/idp/test/MetadataActionTest.java index 8436a43d..51b4eaef 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/idp/test/MetadataActionTest.java 
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/idp/test/MetadataActionTest.java @@ -35,6 +35,7 @@ public class MetadataActionTest { protected MockHttpServletRequest httpReq; protected MockHttpServletResponse httpResp; private TestRequestImpl pendingReq; + /** * JUnit class initializer. * diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_core.beans.xml b/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_core.beans.xml index 99552053..fa7b4eae 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_core.beans.xml +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_core.beans.xml @@ -20,7 +20,7 @@ class="at.gv.egiz.eaaf.core.impl.idp.module.gui.DummyGuiBuilderConfigurationFactory" /> <bean id="httpClientFactory" - class="at.gv.egiz.eaaf.core.impl.utils.HttpClientFactory" /> + class="at.gv.egiz.eaaf.core.impl.http.HttpClientFactory" /> <bean id="dummyRevisionLogger" class="at.gv.egiz.eaaf.core.impl.logging.DummyRevisionsLogger" /> diff --git a/eaaf_modules/eaaf_module_pvp2_sp/pom.xml b/eaaf_modules/eaaf_module_pvp2_sp/pom.xml index 69eb26ab..3b661c7b 100644 --- a/eaaf_modules/eaaf_module_pvp2_sp/pom.xml +++ b/eaaf_modules/eaaf_module_pvp2_sp/pom.xml @@ -5,7 +5,7 @@ <parent> <groupId>at.gv.egiz.eaaf</groupId> <artifactId>eaaf_modules</artifactId> - <version>1.1.0</version> + <version>1.1.1</version> </parent> <artifactId>eaaf_module_pvp2_sp</artifactId> <name>eaaf_module_pvp2_sp</name> @@ -25,7 +25,11 @@ </exclusion> </exclusions> </dependency> - + <dependency> + <groupId>org.springframework</groupId> + <artifactId>spring-webmvc</artifactId> + <scope>provided</scope> + </dependency> <dependency> <groupId>javax.servlet</groupId> <artifactId>javax.servlet-api</artifactId> diff --git a/eaaf_modules/pom.xml b/eaaf_modules/pom.xml index 228a41cf..84f4163d 100644 --- a/eaaf_modules/pom.xml +++ b/eaaf_modules/pom.xml 
@@ -4,7 +4,7 @@ <parent> <groupId>at.gv.egiz</groupId> <artifactId>eaaf</artifactId> - <version>1.1.0</version> + <version>1.1.1</version> </parent> <groupId>at.gv.egiz.eaaf</groupId> |