diff options
Diffstat (limited to 'eaaf_modules')
| -rw-r--r-- | eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractReceiveQualEidTask.java | 324 | 
1 files changed, 177 insertions, 147 deletions
| diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractReceiveQualEidTask.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractReceiveQualEidTask.java index f95d4adc..a12fb36f 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractReceiveQualEidTask.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractReceiveQualEidTask.java @@ -6,11 +6,14 @@ import java.util.Map;  import javax.servlet.http.HttpServletRequest;  import javax.servlet.http.HttpServletResponse; +import org.apache.commons.fileupload.FileUploadException;  import org.apache.commons.lang3.StringUtils;  import org.jose4j.base64url.Base64Url;  import org.springframework.beans.factory.annotation.Autowired;  import com.fasterxml.jackson.core.JsonParseException; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.JsonMappingException;  import com.fasterxml.jackson.databind.JsonNode;  import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; @@ -48,155 +51,12 @@ public abstract class AbstractReceiveQualEidTask extends AbstractAuthServletTask      try {        log.debug("Receiving SL2.0 response process .... "); -      JsonNode sl20ReqObj = null; -      // A-Trust does not SET http-header 'SL2ClientType' with value 'native' -      // If A-trust sends an error, its maybe FrontChannel on DataURL -      // boolean aTrustErrorWorkAround = false; +      // get SL2.0 command or result from HTTP request +      sl20Result = getSl20OperationFromHttp(request); +      revisionsLogger.logEvent(pendingReq, EventCodes.AUTHPROCESS_SL20_DATAURL_IP, request.getRemoteAddr()); -      try { -        // get SL2.0 command or result from HTTP request -        final Map<String, String> reqParams = getParameters(request); -        sl20Result = reqParams.get(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM); - -        if (StringUtils.isEmpty(sl20Result)) { -          // Workaround for SIC Handy-Signature, because it sends result in InputStream -          final String isReqInput = StreamUtils.readStream(request.getInputStream(), "UTF-8"); -          if (StringUtils.isNotEmpty(isReqInput)) { -            log.info("Use SIC Handy-Signature work-around!"); -            sl20Result = isReqInput.substring("slcommand=".length()); - -          } else { -            log.info("NO SL2.0 commando or result FOUND."); -            throw new SL20Exception("sl20.04", null); -          } - -        } - -        log.trace("Received SL2.0 result: " + sl20Result); -        revisionsLogger.logEvent(pendingReq, EventCodes.AUTHPROCESS_SL20_DATAURL_IP, request.getRemoteAddr()); - -        // parse SL2.0 command/result into JSON -        try { -          sl20ReqObj = JsonMapper.getMapper().readTree(Base64Url.decodeToUtf8String(sl20Result)); - -        } catch (final JsonParseException e) { -          log.error("SL2.0 command or result is NOT valid JSON. Received msg: {}", sl20Result, e); -          throw new SL20Exception("sl20.02", new Object[] { "SL2.0 command or result is NOT valid JSON." }, -              e); - -        } - -        log.info("Receive response from A-Trust. Starting response-message validation ... "); -         -        // check on errorMessage -        final VerificationResult payLoadContainerErrorCheck = SL20JsonExtractorUtils.extractSL20PayLoad( -            sl20ReqObj, -            joseTools, false); -        if (SL20JsonExtractorUtils -            .getStringValue(payLoadContainerErrorCheck.getPayload(), -                SL20Constants.SL20_COMMAND_CONTAINER_NAME, true) -            .equals(SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR)) { -          log.debug("Find " + SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR + " result .... "); -          final JsonNode errorResult = SL20JsonExtractorUtils.extractSL20Result(payLoadContainerErrorCheck -              .getPayload(), -              joseTools, false); -          final String errorCode = SL20JsonExtractorUtils.getStringValue(errorResult, -              SL20Constants.SL20_COMMAND_PARAM_GENERAL_RESPONSE_ERRORCODE, true); -          final String errorMsg = SL20JsonExtractorUtils.getStringValue(errorResult, -              SL20Constants.SL20_COMMAND_PARAM_GENERAL_RESPONSE_ERRORMESSAGE, false); - -          final SL20VdaResponseException ex = new SL20VdaResponseException("sl20.08", new Object[] { -              errorCode, errorMsg }, errorCode); -          log.info("Receiving errorcode: {} with msg: {} from VDA! Stopping auth-process ... ", errorCode, -              errorMsg); - -          final String vdaSessionId = SL20JsonExtractorUtils.getStringValue(errorResult, -              SL20Constants.SL20_COMMAND_PARAM_GENERAL_RESPONSE_ERROR_VDASESSIONID, false); -          if (StringUtils.isNotEmpty(vdaSessionId)) { -            log.debug("VDA provides an optional sessionId. Inject it to internal error-holder "); -            ex.setVdaSessionId(vdaSessionId); - -          } -          throw ex; - -        } else { -          // Receive no error - To request validation - -          // validate reqId with inResponseTo -          final String sl20ReqId = pendingReq -              .getRawData(Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_REQID, String.class); -          final String inRespTo = SL20JsonExtractorUtils.getStringValue(sl20ReqObj, -              SL20Constants.SL20_INRESPTO, true); -          if (sl20ReqId == null || !sl20ReqId.equals(inRespTo)) { -            log.info("SL20 'reqId': " + sl20ReqId + " does NOT match to 'inResponseTo':" + inRespTo); -            throw new SL20SecurityException( -                "SL20 'reqId': " + sl20ReqId + " does NOT match to 'inResponseTo':" + inRespTo); -          } - -          // validate signature -          final VerificationResult payLoadContainer = SL20JsonExtractorUtils.extractSL20PayLoad(sl20ReqObj, -              joseTools, -              authConfig.getBasicConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true)); - -          if (payLoadContainer.isValidSigned() == null || !payLoadContainer.isValidSigned()) { -            if (authConfig.getBasicConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, -                true)) { -              log.info("SL20 result from VDA was not valid signed"); -              throw new SL20SecurityException(new Object[] { "Signature on SL20 result NOT valid." }); - -            } else { -              log.warn("SL20 result from VDA is NOT valid signed, but signatures-verification " -                  + "is DISABLED by configuration!"); - -            } -          } - -          // extract payloaf -          final JsonNode payLoad = payLoadContainer.getPayload(); - -          // handle SL2.0 response payLoad -          handleResponsePayLoad(payLoad); - -        } - -      } catch (final EaafAuthenticationException e) { -        if (sl20Result != null) { -          log.debug("Received SL2.0 result: " + sl20Result); -        } - -        pendingReq.setRawDataToTransaction( -            Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR, -            new ExceptionContainer(null, -                new TaskExecutionException(pendingReq, "SL2.0 Authentication FAILED. Msg: " + e.getMessage(), -                    e))); - -      } catch (final Exception e) { -        if (sl20Result != null) { -          log.debug("Received SL2.0 result: " + sl20Result); -        } - -        pendingReq.setRawDataToTransaction( -            Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR, -            new ExceptionContainer(null, new TaskExecutionException(pendingReq, e.getMessage(), e))); - -      } finally { -        // store pending request -        requestStoreage.storePendingRequest(pendingReq); - -        // write SL2.0 response -        if (sl20ReqObj != null) { -          final String resumeEndpoint = new DataUrlBuilder().buildDataUrl(pendingReq.getAuthUrl(), -              getResumeEndPoint(), pendingReq.getPendingRequestId()); -          SL20ResponseUtils.buildResponse(request, response, pendingReq, resumeEndpoint, -              SL20JsonExtractorUtils.getStringValue(sl20ReqObj, SL20Constants.SL20_TRANSACTIONID, false), -              authConfig); - -        } else { -          SL20ResponseUtils.buildErrorResponse(response, "2000", "General transport Binding error"); -        } - -      } +      internalExecute(request, response, sl20Result);      } catch (final Exception e) {        // write internal server errror 500 according to SL2.0 specification, chapter @@ -221,4 +81,174 @@ public abstract class AbstractReceiveQualEidTask extends AbstractAuthServletTask    protected abstract String getResumeEndPoint(); +  private void internalExecute(HttpServletRequest request, HttpServletResponse response, String sl20Result) +      throws Exception { +    JsonNode sl20ReqObj = null; +    try { +      // parse SL2.0 command/result into JSON +      sl20ReqObj = decodeSl20Request(sl20Result); +      log.info("Receive response from A-Trust. Starting response-message validation ... "); + +      // check on errorMessage +      final VerificationResult payLoadContainerErrorCheck = +          SL20JsonExtractorUtils.extractSL20PayLoad(sl20ReqObj, joseTools, false); + +      if (SL20JsonExtractorUtils.getStringValue( +          payLoadContainerErrorCheck.getPayload(), SL20Constants.SL20_COMMAND_CONTAINER_NAME, true) +          .equals(SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR)) { +        handleSl20Error(payLoadContainerErrorCheck); + +      } else { +        // Receive no error - To request validation +        handleSl20Operation(sl20ReqObj); + +      } + +    } catch (final EaafAuthenticationException e) { +      if (sl20Result != null) { +        log.debug("Received SL2.0 result: " + sl20Result); +      } + +      pendingReq.setRawDataToTransaction( +          Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR, +          new ExceptionContainer(null, +              new TaskExecutionException(pendingReq, "SL2.0 Authentication FAILED. Msg: " + e.getMessage(), +                  e))); + +    } catch (final Exception e) { +      if (sl20Result != null) { +        log.debug("Received SL2.0 result: " + sl20Result); +      } + +      pendingReq.setRawDataToTransaction( +          Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR, +          new ExceptionContainer(null, new TaskExecutionException(pendingReq, e.getMessage(), e))); + +    } finally { +      // store pending request +      requestStoreage.storePendingRequest(pendingReq); + +      // write SL2.0 response +      if (sl20ReqObj != null) { +        final String resumeEndpoint = new DataUrlBuilder().buildDataUrl(pendingReq.getAuthUrl(), +            getResumeEndPoint(), pendingReq.getPendingRequestId()); +        SL20ResponseUtils.buildResponse(request, response, pendingReq, resumeEndpoint, +            SL20JsonExtractorUtils.getStringValue(sl20ReqObj, SL20Constants.SL20_TRANSACTIONID, false), +            authConfig); + +      } else { +        SL20ResponseUtils.buildErrorResponse(response, "2000", "General transport Binding error"); + +      } +    } +  } + +  private String getSl20OperationFromHttp(HttpServletRequest request) +      throws SL20Exception, IOException, FileUploadException { +    // A-Trust does not SET http-header 'SL2ClientType' with value 'native' +    // If A-trust sends an error, its maybe FrontChannel on DataURL +    // boolean aTrustErrorWorkAround = false; +    String sl20Result = getSl20OperationFromHttp(request); + +    // get SL2.0 command or result from HTTP request +    final Map<String, String> reqParams = getParameters(request); +    sl20Result = reqParams.get(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM); + +    if (StringUtils.isEmpty(sl20Result)) { +      // Workaround for SIC Handy-Signature, because it sends result in InputStream +      final String isReqInput = StreamUtils.readStream(request.getInputStream(), "UTF-8"); +      if (StringUtils.isNotEmpty(isReqInput)) { +        log.info("Use SIC Handy-Signature work-around!"); +        sl20Result = isReqInput.substring("slcommand=".length()); + +      } else { +        log.info("NO SL2.0 commando or result FOUND."); +        throw new SL20Exception("sl20.04", null); +      } + +    } + +    log.trace("Received SL2.0 result: {}", sl20Result); +    return sl20Result; + +  } + +  private JsonNode decodeSl20Request(String sl20Result) +      throws JsonMappingException, JsonProcessingException, SL20Exception { +    try { +      return JsonMapper.getMapper().readTree(Base64Url.decodeToUtf8String(sl20Result)); + +    } catch (final JsonParseException e) { +      log.error("SL2.0 command or result is NOT valid JSON. Received msg: {}", sl20Result, e); +      throw new SL20Exception("sl20.02", new Object[] { "SL2.0 command or result is NOT valid JSON." }, +          e); + +    } +  } + +  private void handleSl20Error(VerificationResult payLoadContainerErrorCheck) throws SL20Exception { +    log.debug("Find " + SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR + " result .... "); +    final JsonNode errorResult = SL20JsonExtractorUtils.extractSL20Result(payLoadContainerErrorCheck +        .getPayload(), +        joseTools, false); +    final String errorCode = SL20JsonExtractorUtils.getStringValue(errorResult, +        SL20Constants.SL20_COMMAND_PARAM_GENERAL_RESPONSE_ERRORCODE, true); +    final String errorMsg = SL20JsonExtractorUtils.getStringValue(errorResult, +        SL20Constants.SL20_COMMAND_PARAM_GENERAL_RESPONSE_ERRORMESSAGE, false); + +    final SL20VdaResponseException ex = new SL20VdaResponseException("sl20.08", new Object[] { +        errorCode, errorMsg }, errorCode); +    log.info("Receiving errorcode: {} with msg: {} from VDA! Stopping auth-process ... ", errorCode, +        errorMsg); + +    final String vdaSessionId = SL20JsonExtractorUtils.getStringValue(errorResult, +        SL20Constants.SL20_COMMAND_PARAM_GENERAL_RESPONSE_ERROR_VDASESSIONID, false); +    if (StringUtils.isNotEmpty(vdaSessionId)) { +      log.debug("VDA provides an optional sessionId. Inject it to internal error-holder "); +      ex.setVdaSessionId(vdaSessionId); + +    } +    throw ex; + +  } + +  private void handleSl20Operation(JsonNode sl20ReqObj) throws SlCommandoParserException, SL20Exception, +      EaafStorageException { +    // validate reqId with inResponseTo +    final String sl20ReqId = pendingReq +        .getRawData(Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_REQID, String.class); +    final String inRespTo = SL20JsonExtractorUtils.getStringValue(sl20ReqObj, +        SL20Constants.SL20_INRESPTO, true); +    if (sl20ReqId == null || !sl20ReqId.equals(inRespTo)) { +      log.info("SL20 'reqId': " + sl20ReqId + " does NOT match to 'inResponseTo':" + inRespTo); +      throw new SL20SecurityException( +          "SL20 'reqId': " + sl20ReqId + " does NOT match to 'inResponseTo':" + inRespTo); +    } + +    // validate signature +    final VerificationResult payLoadContainer = SL20JsonExtractorUtils.extractSL20PayLoad(sl20ReqObj, +        joseTools, +        authConfig.getBasicConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true)); + +    if (payLoadContainer.isValidSigned() == null || !payLoadContainer.isValidSigned()) { +      if (authConfig.getBasicConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, +          true)) { +        log.info("SL20 result from VDA was not valid signed"); +        throw new SL20SecurityException(new Object[] { "Signature on SL20 result NOT valid." }); + +      } else { +        log.warn("SL20 result from VDA is NOT valid signed, but signatures-verification " +            + "is DISABLED by configuration!"); + +      } +    } + +    // extract payloaf +    final JsonNode payLoad = payLoadContainer.getPayload(); + +    // handle SL2.0 response payLoad +    handleResponsePayLoad(payLoad); + +  } +  } | 
