From 47ca9c6c93447788376ba53e394ed3116d5a3dcc Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 2 Jul 2018 18:10:21 +0200 Subject: add requested attributes to PVP S-profile --- .../tasks/RestartAuthProzessManagement.java | 2 +- .../at/gv/egiz/eaaf/modules/pvp2/PVPConstants.java | 8 ++ .../metadata/IPVPMetadataBuilderConfiguration.java | 3 +- .../pvp2/api/reqattr/EAAFRequestedAttribute.java | 130 +++++++++++++++++++++ .../pvp2/api/reqattr/EAAFRequestedAttributes.java | 32 +++++ .../api/validation/IAuthnRequestValidator.java | 15 +++ .../pvp2/impl/builder/PVPAttributeBuilder.java | 19 ++- .../pvp2/impl/builder/PVPMetadataBuilder.java | 3 +- .../reqattr/EAAFExtensionImplementation.java | 12 ++ .../reqattr/EAAFRequestExtensionBuilder.java | 21 ++++ .../reqattr/EAAFRequestedAttributeBuilder.java | 21 ++++ .../reqattr/EAAFRequestedAttributeMarshaller.java | 52 +++++++++ .../EAAFRequestedAttributeUnmarshaller.java | 51 ++++++++ .../reqattr/EAAFRequestedAttributesBuilder.java | 21 ++++ .../reqattr/EAAFRequestedAttributesMarshaller.java | 7 ++ .../EAAFRequestedAttributesUnmarshaller.java | 21 ++++ .../initialize/EAAFDefaultSAML2Bootstrap.java | 30 ++++- .../impl/reqattr/EAAFRequestedAttributeImpl.java | 109 +++++++++++++++++ .../impl/reqattr/EAAFRequestedAttributesImpl.java | 37 ++++++ .../eaaf/modules/pvp2/impl/utils/SAML2Utils.java | 29 +++++ .../impl/verification/AuthnRequestValidator.java | 45 ------- .../src/main/resources/eaaf_pvp.beans.xml | 5 +- .../pvp2/idp/impl/AbstractPVP2XProtocol.java | 54 +++------ .../api/IPVPAuthnRequestBuilderConfiguruation.java | 29 +++++ .../pvp2/sp/impl/PVPAuthnRequestBuilder.java | 38 +++++- 25 files changed, 694 insertions(+), 100 deletions(-) create mode 100644 eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/reqattr/EAAFRequestedAttribute.java create mode 100644 eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/reqattr/EAAFRequestedAttributes.java create mode 100644 eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/validation/IAuthnRequestValidator.java create mode 100644 eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFExtensionImplementation.java create mode 100644 eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestExtensionBuilder.java create mode 100644 eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributeBuilder.java create mode 100644 eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributeMarshaller.java create mode 100644 eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributeUnmarshaller.java create mode 100644 eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributesBuilder.java create mode 100644 eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributesMarshaller.java create mode 100644 eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributesUnmarshaller.java create mode 100644 eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EAAFRequestedAttributeImpl.java create mode 100644 eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EAAFRequestedAttributesImpl.java delete mode 100644 eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/AuthnRequestValidator.java diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/tasks/RestartAuthProzessManagement.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/tasks/RestartAuthProzessManagement.java index 2e5f49ed..ae63614e 100644 --- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/tasks/RestartAuthProzessManagement.java +++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/tasks/RestartAuthProzessManagement.java @@ -53,7 +53,7 @@ public class RestartAuthProzessManagement extends AbstractAuthServletTask { if (processDefinitionId == null) { log.warn("No suitable authentication process found for SessionID " + pendingReq.getPendingRequestId()); throw new EAAFException("process.02", new Object[] { pendingReq.getPendingRequestId()}, - "No suitable authentication process found for SessionID \" + pendingReq.getPendingRequestId()"); + "No suitable authentication process found for SessionID " + pendingReq); } String processInstanceId = processEngine.createProcessInstance(processDefinitionId, newec); diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/PVPConstants.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/PVPConstants.java index f5b7baa8..84117406 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/PVPConstants.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/PVPConstants.java @@ -6,6 +6,8 @@ import java.util.ArrayList; import java.util.Collections; import java.util.List; +import javax.xml.namespace.QName; + import org.opensaml.xml.encryption.EncryptionConstants; import org.opensaml.xml.signature.SignatureConstants; @@ -103,5 +105,11 @@ public interface PVPConstants extends PVPAttributeDefinitions { } }); + //constants for requested SAML2 attribtes by using eIDAS namespace + public static final String EIDAS10_SAML_NS = "http://eidas.europa.eu/saml-extensions"; + public static final String EIDAS10_PREFIX = "eidas"; + + public static final QName EIDAS_REQUESTED_ATTRIBUTE_VALUE_TYPE = + new QName(EIDAS10_SAML_NS, "AttributeValue", EIDAS10_PREFIX); } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/metadata/IPVPMetadataBuilderConfiguration.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/metadata/IPVPMetadataBuilderConfiguration.java index 218e5171..61a040c1 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/metadata/IPVPMetadataBuilderConfiguration.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/metadata/IPVPMetadataBuilderConfiguration.java @@ -2,6 +2,7 @@ *******************************************************************************/ package at.gv.egiz.eaaf.modules.pvp2.api.metadata; +import java.util.Collection; import java.util.List; import org.opensaml.saml2.core.Attribute; @@ -193,7 +194,7 @@ public interface IPVPMetadataBuilderConfiguration { * * @return */ - public List getSPRequiredAttributes(); + public Collection getSPRequiredAttributes(); /** * Set all nameID types which allowed from the SP diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/reqattr/EAAFRequestedAttribute.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/reqattr/EAAFRequestedAttribute.java new file mode 100644 index 00000000..71949bc1 --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/reqattr/EAAFRequestedAttribute.java @@ -0,0 +1,130 @@ +package at.gv.egiz.eaaf.modules.pvp2.api.reqattr; + +import java.util.List; + +import javax.xml.namespace.QName; + +import org.opensaml.common.SAMLObject; +import org.opensaml.xml.AttributeExtensibleXMLObject; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.schema.XSBooleanValue; + +import at.gv.egiz.eaaf.modules.pvp2.PVPConstants; + +public interface EAAFRequestedAttribute extends SAMLObject, AttributeExtensibleXMLObject , org.opensaml.saml2.metadata.RequestedAttribute{ + + /** Element local name. */ + String DEF_LOCAL_NAME = "RequestedAttribute"; + + /** Local name of the XSI type. */ + String TYPE_LOCAL_NAME = "RequestedAttributeAbstractType"; + + + /** Default element name. */ + QName DEFAULT_ELEMENT_NAME = new QName(PVPConstants.EIDAS10_SAML_NS, DEF_LOCAL_NAME, + PVPConstants.EIDAS10_PREFIX); + + /** QName of the XSI type. */ + QName TYPE_NAME = new QName(PVPConstants.EIDAS10_SAML_NS, TYPE_LOCAL_NAME, + PVPConstants.EIDAS10_PREFIX); + + + + /** NAME_ATTRIB_NAME attribute name. */ + String NAME_ATTRIB_NAME = "Name"; + + /** NAME_FORMAT_ATTRIB_NAME attribute name. */ + String NAME_FORMAT_ATTR = "NameFormat"; + + /** IS_REQUIRED_ATTRIB_NAME attribute name. */ + String IS_REQUIRED_ATTR = "isRequired"; + + /** FRIENDLY_NAME_ATTRIB_NAME attribute name. */ + String FRIENDLY_NAME_ATT = "FriendlyName"; + + /** Unspecified attribute format ID. */ + String UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"; + + /** URI reference attribute format ID. */ + String URI_REFERENCE = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"; + + /** Basic attribute format ID. */ + String BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"; + + /** + * Gets the name. + * + * @return the name + */ + String getName(); + + /** + * Sets the name. + * + * @param name the new name + */ + void setName(String name); + + /** + * Gets the name format. + * + * @return the name format + */ + String getNameFormat(); + + /** + * Sets the name format. + * + * @param nameFormat the new name format + */ + void setNameFormat(String nameFormat); + + /** + * Gets the friendly name. + * + * @return the friendly name + */ + String getFriendlyName(); + + /** + * Sets the friendly name. + * + * @param friendlyName the new friendly name + */ + void setFriendlyName(String friendlyName); + +/* *//** + * Gets the checks if is required. + * + * @return the checks if is required + *//* + String isRequired();*/ + + /** + * Gets the checks if is required xs boolean. + * + * @return the checks if is required xs boolean + */ + String getIsRequiredXSBoolean(); + + /** + * Sets the checks if is required. + * + * @param newIsRequired the new checks if is required + */ + void setIsRequired(String newIsRequired); + + /** + * Gets the attribute values. + * + * @return the attribute values + */ + List getAttributeValues(); + + XSBooleanValue isRequiredXSBoolean(); + + void setIsRequired(Boolean aBoolean); + + void setIsRequired(XSBooleanValue xsBooleanValue); + +} diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/reqattr/EAAFRequestedAttributes.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/reqattr/EAAFRequestedAttributes.java new file mode 100644 index 00000000..42b59d98 --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/reqattr/EAAFRequestedAttributes.java @@ -0,0 +1,32 @@ +package at.gv.egiz.eaaf.modules.pvp2.api.reqattr; + +import java.util.List; + +import javax.xml.namespace.QName; + +import org.opensaml.common.SAMLObject; + +import at.gv.egiz.eaaf.modules.pvp2.PVPConstants; + +public interface EAAFRequestedAttributes extends SAMLObject { + /** The Constant DEFAULT_ELEMENT_LOCAL_NAME. */ + String DEF_LOCAL_NAME = "RequestedAttributes"; + + /** Default element name. */ + QName DEFAULT_ELEMENT_NAME = new QName(PVPConstants.EIDAS10_SAML_NS, DEF_LOCAL_NAME, + PVPConstants.EIDAS10_PREFIX); + + /** Local name of the XSI type. */ + String TYPE_LOCAL_NAME = "RequestedAttributesType"; + + /** QName of the XSI type. */ + QName TYPE_NAME = new QName(PVPConstants.EIDAS10_SAML_NS, TYPE_LOCAL_NAME, + PVPConstants.EIDAS10_PREFIX); + + /** + * Gets the attributes. + * + * @return the attributes + */ + List getAttributes(); +} diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/validation/IAuthnRequestValidator.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/validation/IAuthnRequestValidator.java new file mode 100644 index 00000000..bf5385aa --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/validation/IAuthnRequestValidator.java @@ -0,0 +1,15 @@ +package at.gv.egiz.eaaf.modules.pvp2.api.validation; + +import javax.servlet.http.HttpServletRequest; + +import org.opensaml.saml2.core.AuthnRequest; +import org.opensaml.saml2.metadata.SPSSODescriptor; + +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException; + +public interface IAuthnRequestValidator { + + void validate(HttpServletRequest httpReq, IRequest pendingReq, AuthnRequest authReq, SPSSODescriptor spSSODescriptor) throws AuthnRequestValidatorException; + +} \ No newline at end of file diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/PVPAttributeBuilder.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/PVPAttributeBuilder.java index 41623f3d..e7c136c9 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/PVPAttributeBuilder.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/PVPAttributeBuilder.java @@ -21,6 +21,7 @@ import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; import at.gv.egiz.eaaf.core.exceptions.InvalidDateFormatAttributeException; import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; +import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.PVPMETADATA; import at.gv.egiz.eaaf.modules.pvp2.exception.InvalidDateFormatException; import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception; import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils; @@ -112,15 +113,25 @@ public class PVPAttributeBuilder { } - + /** + * Return all attributes that has a {@link PVPMETADATA} annotation + * + * @return + */ public static List buildSupportedEmptyAttributes() { List attributes = new ArrayList(); Iterator builderIt = builders.values().iterator(); while (builderIt.hasNext()) { IAttributeBuilder builder = builderIt.next(); - Attribute emptyAttribute = builder.buildEmpty(generator); - if (emptyAttribute != null) { - attributes.add(emptyAttribute); + if (builder.getClass().isAnnotationPresent(PVPMETADATA.class)) { + Attribute emptyAttribute = builder.buildEmpty(generator); + if (emptyAttribute != null) { + attributes.add(emptyAttribute); + } + + } else { + log.trace(builder.getName() + "is no PVP Metadata attribute"); + } } return attributes; diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/PVPMetadataBuilder.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/PVPMetadataBuilder.java index abfac305..e29b3e91 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/PVPMetadataBuilder.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/PVPMetadataBuilder.java @@ -4,6 +4,7 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.builder; import java.io.IOException; import java.io.StringWriter; +import java.util.Collection; import java.util.List; import javax.xml.parsers.DocumentBuilder; @@ -308,7 +309,7 @@ public class PVPMetadataBuilder { //add required attributes - List reqSPAttr = config.getSPRequiredAttributes(); + Collection reqSPAttr = config.getSPRequiredAttributes(); AttributeConsumingService attributeService = SAML2Utils.createSAMLObject(AttributeConsumingService.class); attributeService.setIndex(0); diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFExtensionImplementation.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFExtensionImplementation.java new file mode 100644 index 00000000..fe4e4123 --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFExtensionImplementation.java @@ -0,0 +1,12 @@ +package at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr; + +import org.opensaml.saml2.common.impl.ExtensionsImpl; + +public class EAAFExtensionImplementation extends ExtensionsImpl { + + protected EAAFExtensionImplementation(String namespaceURI, String elementLocalName, String namespacePrefix) { + super(namespaceURI, elementLocalName, namespacePrefix); + + } + +} diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestExtensionBuilder.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestExtensionBuilder.java new file mode 100644 index 00000000..e9aaefb6 --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestExtensionBuilder.java @@ -0,0 +1,21 @@ +package at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr; + +import org.opensaml.common.impl.AbstractSAMLObjectBuilder; +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.common.Extensions; + +public class EAAFRequestExtensionBuilder extends AbstractSAMLObjectBuilder { + + @Override + public Extensions buildObject() { + return buildObject(SAMLConstants.SAML20P_NS, Extensions.LOCAL_NAME, SAMLConstants.SAML20P_PREFIX); + + } + + @Override + public Extensions buildObject(String namespaceURI, String localName, String namespacePrefix) { + return new EAAFExtensionImplementation(namespaceURI, localName, namespacePrefix); + + } + +} diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributeBuilder.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributeBuilder.java new file mode 100644 index 00000000..69655450 --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributeBuilder.java @@ -0,0 +1,21 @@ +package at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr; + +import org.opensaml.common.impl.AbstractSAMLObjectBuilder; + +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute; +import at.gv.egiz.eaaf.modules.pvp2.impl.reqattr.EAAFRequestedAttributeImpl; + +public class EAAFRequestedAttributeBuilder extends AbstractSAMLObjectBuilder { + + @Override + public EAAFRequestedAttribute buildObject() { + return buildObject(EAAFRequestedAttribute.DEFAULT_ELEMENT_NAME); + } + + @Override + public EAAFRequestedAttribute buildObject(String namespaceURI, String localName, String namespacePrefix) { + return new EAAFRequestedAttributeImpl(namespaceURI, localName, + namespacePrefix); + } + +} diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributeMarshaller.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributeMarshaller.java new file mode 100644 index 00000000..8bfd144a --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributeMarshaller.java @@ -0,0 +1,52 @@ +package at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr; + +import java.util.Map.Entry; + +import javax.xml.namespace.QName; + +import org.opensaml.Configuration; +import org.opensaml.common.impl.AbstractSAMLObjectMarshaller; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.io.MarshallingException; +import org.opensaml.xml.util.XMLHelper; +import org.w3c.dom.Attr; +import org.w3c.dom.Element; + +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute; + +public class EAAFRequestedAttributeMarshaller extends AbstractSAMLObjectMarshaller { + protected final void marshallAttributes(final XMLObject samlElement, + final Element domElement) throws MarshallingException { + final EAAFRequestedAttribute requestedAttr = (EAAFRequestedAttribute) samlElement; + + if (requestedAttr.getName() != null) { + domElement.setAttributeNS(null, EAAFRequestedAttribute.NAME_ATTRIB_NAME, requestedAttr.getName()); + } + + if (requestedAttr.getNameFormat() != null) { + domElement.setAttributeNS(null, EAAFRequestedAttribute.NAME_FORMAT_ATTR, requestedAttr.getNameFormat()); + } + + if (requestedAttr.getFriendlyName() != null) { + domElement.setAttributeNS(null, EAAFRequestedAttribute.FRIENDLY_NAME_ATT, requestedAttr.getFriendlyName()); + } + + if (requestedAttr.getIsRequiredXSBoolean() != null) { + domElement.setAttributeNS(null, EAAFRequestedAttribute.IS_REQUIRED_ATTR, requestedAttr.getIsRequiredXSBoolean()); + } + + Attr attr; + for (Entry entry : requestedAttr.getUnknownAttributes() + .entrySet()) { + attr = XMLHelper.constructAttribute(domElement.getOwnerDocument(), + entry.getKey()); + attr.setValue(entry.getValue()); + domElement.setAttributeNodeNS(attr); + if (Configuration.isIDAttribute(entry.getKey()) + || requestedAttr.getUnknownAttributes().isIDAttribute( + entry.getKey())) { + attr.getOwnerElement().setIdAttributeNode(attr, true); + } + } + } +} diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributeUnmarshaller.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributeUnmarshaller.java new file mode 100644 index 00000000..2754f145 --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributeUnmarshaller.java @@ -0,0 +1,51 @@ +package at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr; + +import javax.xml.namespace.QName; + +import org.opensaml.common.impl.AbstractSAMLObjectUnmarshaller; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.io.UnmarshallingException; +import org.opensaml.xml.util.XMLHelper; +import org.w3c.dom.Attr; + +import at.gv.egiz.eaaf.modules.pvp2.PVPConstants; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute; + +public class EAAFRequestedAttributeUnmarshaller extends AbstractSAMLObjectUnmarshaller { + protected final void processChildElement(final XMLObject parentSAMLObject, final XMLObject childSAMLObject) throws UnmarshallingException { + final EAAFRequestedAttribute requestedAttr = (EAAFRequestedAttribute) parentSAMLObject; + final QName childQName = childSAMLObject.getElementQName(); + + if ("AttributeValue".equals(childQName.getLocalPart()) + && childQName.getNamespaceURI().equals(PVPConstants.EIDAS10_SAML_NS)) { + requestedAttr.getAttributeValues().add(childSAMLObject); + + } else + super.processChildElement(parentSAMLObject, childSAMLObject); + + } + + protected final void processAttribute(final XMLObject samlObject, final Attr attribute) throws UnmarshallingException { + final EAAFRequestedAttribute requestedAttr = (EAAFRequestedAttribute) samlObject; + if (attribute.getLocalName().equals(EAAFRequestedAttribute.NAME_ATTRIB_NAME)) { + requestedAttr.setName(attribute.getValue()); + + } else if (attribute.getLocalName().equals(EAAFRequestedAttribute.NAME_FORMAT_ATTR)) { + requestedAttr.setNameFormat(attribute.getValue()); + + } else if (attribute.getLocalName().equals(EAAFRequestedAttribute.FRIENDLY_NAME_ATT)) { + requestedAttr.setFriendlyName(attribute.getValue()); + + } else if (attribute.getLocalName().equals(EAAFRequestedAttribute.IS_REQUIRED_ATTR)) { + requestedAttr.setIsRequired(attribute.getValue()); + + } else { + final QName attribQName = XMLHelper.getNodeQName(attribute); + if (attribute.isId()) { + requestedAttr.getUnknownAttributes().registerID(attribQName); + } + requestedAttr.getUnknownAttributes().put(attribQName, + attribute.getValue()); + } + } +} diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributesBuilder.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributesBuilder.java new file mode 100644 index 00000000..4d17936a --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributesBuilder.java @@ -0,0 +1,21 @@ +package at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr; + +import org.opensaml.common.impl.AbstractSAMLObjectBuilder; + +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttributes; +import at.gv.egiz.eaaf.modules.pvp2.impl.reqattr.EAAFRequestedAttributesImpl; + +public class EAAFRequestedAttributesBuilder extends AbstractSAMLObjectBuilder { + + @Override + public EAAFRequestedAttributes buildObject() { + return buildObject(EAAFRequestedAttributes.DEFAULT_ELEMENT_NAME); + } + + @Override + public EAAFRequestedAttributes buildObject(String namespaceURI, String localName, String namespacePrefix) { + return new EAAFRequestedAttributesImpl(namespaceURI, localName, + namespacePrefix); + } + +} diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributesMarshaller.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributesMarshaller.java new file mode 100644 index 00000000..e390ad3e --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributesMarshaller.java @@ -0,0 +1,7 @@ +package at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr; + +import org.opensaml.common.impl.AbstractSAMLObjectMarshaller; + +public class EAAFRequestedAttributesMarshaller extends AbstractSAMLObjectMarshaller { + +} diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributesUnmarshaller.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributesUnmarshaller.java new file mode 100644 index 00000000..96a694fe --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/reqattr/EAAFRequestedAttributesUnmarshaller.java @@ -0,0 +1,21 @@ +package at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr; + +import org.opensaml.common.impl.AbstractSAMLObjectUnmarshaller; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.io.UnmarshallingException; + +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttributes; + +public class EAAFRequestedAttributesUnmarshaller extends AbstractSAMLObjectUnmarshaller { + protected final void processChildElement(final XMLObject parentObject, + final XMLObject childObject) throws UnmarshallingException { + final EAAFRequestedAttributes attrStatement = (EAAFRequestedAttributes) parentObject; + if (childObject instanceof EAAFRequestedAttribute) { + attrStatement.getAttributes().add((EAAFRequestedAttribute) childObject); + + } else + super.processChildElement(parentObject, childObject); + + } +} diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EAAFDefaultSAML2Bootstrap.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EAAFDefaultSAML2Bootstrap.java index 7b9bef88..81c8313e 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EAAFDefaultSAML2Bootstrap.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EAAFDefaultSAML2Bootstrap.java @@ -6,6 +6,15 @@ import org.opensaml.Configuration; import org.opensaml.DefaultBootstrap; import org.opensaml.xml.ConfigurationException; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttributes; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EAAFRequestedAttributeBuilder; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EAAFRequestedAttributeMarshaller; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EAAFRequestedAttributeUnmarshaller; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EAAFRequestedAttributesBuilder; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EAAFRequestedAttributesMarshaller; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EAAFRequestedAttributesUnmarshaller; + /** * @author tlenz * @@ -26,9 +35,28 @@ public class EAAFDefaultSAML2Bootstrap extends DefaultBootstrap { initializeESAPI(); + initializeExtenstions(); + } - public static void initializeDefaultPVPConfiguration() { + private static void initializeExtenstions() { + Configuration.registerObjectProvider( + EAAFRequestedAttribute.DEFAULT_ELEMENT_NAME, + new EAAFRequestedAttributeBuilder(), + new EAAFRequestedAttributeMarshaller(), + new EAAFRequestedAttributeUnmarshaller() + ); + + Configuration.registerObjectProvider( + EAAFRequestedAttributes.DEFAULT_ELEMENT_NAME, + new EAAFRequestedAttributesBuilder(), + new EAAFRequestedAttributesMarshaller(), + new EAAFRequestedAttributesUnmarshaller() + ); + + } + + public static void initializeDefaultPVPConfiguration() { initializeGlobalSecurityConfiguration(); } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EAAFRequestedAttributeImpl.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EAAFRequestedAttributeImpl.java new file mode 100644 index 00000000..a04f6123 --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EAAFRequestedAttributeImpl.java @@ -0,0 +1,109 @@ +package at.gv.egiz.eaaf.modules.pvp2.impl.reqattr; + +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; + +import org.opensaml.common.impl.AbstractSAMLObject; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.schema.XSBooleanValue; +import org.opensaml.xml.util.AttributeMap; +import org.opensaml.xml.util.XMLObjectChildrenList; + +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute; + +public class EAAFRequestedAttributeImpl extends AbstractSAMLObject implements EAAFRequestedAttribute { + + private final XMLObjectChildrenList attributeValues; + private String friendlyName; + private String isRequired; + private String name; + private String nameFormat; + private AttributeMap unknownAttributes; + + public EAAFRequestedAttributeImpl(String namespaceURI, String elementLocalName, String namespacePrefix) { + super(namespaceURI, elementLocalName, namespacePrefix); + unknownAttributes = new AttributeMap(this); + attributeValues = new XMLObjectChildrenList(this); + + } + + public final List getAttributeValues() { + return attributeValues; + } + + public final String getFriendlyName() { + return friendlyName; + } + + public final String getIsRequiredXSBoolean() { + return isRequired; + } + + public final String getName() { + return name; + } + + public final String getNameFormat() { + return nameFormat; + } + + public final List getOrderedChildren() { + final List children = new ArrayList(); + children.addAll(attributeValues); + return Collections.unmodifiableList(children); + } + + + public final AttributeMap getUnknownAttributes() { + return unknownAttributes; + } + + + public final void setFriendlyName(final String newFriendlyName) { + this.friendlyName = prepareForAssignment(this.friendlyName, + newFriendlyName); + } + + + public final void setIsRequired(final String newIsRequired) { + isRequired = prepareForAssignment(this.isRequired, newIsRequired); + + } + + + public final void setName(final String newName) { + this.name = prepareForAssignment(this.name, newName); + } + + + public final void setNameFormat(final String newNameFormat) { + this.nameFormat = prepareForAssignment(this.nameFormat, newNameFormat); + } + + + public final void setUnknownAttributes(final AttributeMap newUnknownAttr) { + this.unknownAttributes = newUnknownAttr; + } + + @Override + public XSBooleanValue isRequiredXSBoolean() { + return XSBooleanValue.valueOf(isRequired); + } + + @Override + public void setIsRequired(Boolean aBoolean) { + this.isRequired = String.valueOf(aBoolean); + } + + @Override + public void setIsRequired(XSBooleanValue xsBooleanValue) { + this.isRequired = String.valueOf(xsBooleanValue); + } + + @Override + public Boolean isRequired() { + return Boolean.parseBoolean(isRequired); + } + +} diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EAAFRequestedAttributesImpl.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EAAFRequestedAttributesImpl.java new file mode 100644 index 00000000..c78ffe94 --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EAAFRequestedAttributesImpl.java @@ -0,0 +1,37 @@ +package at.gv.egiz.eaaf.modules.pvp2.impl.reqattr; + +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; + +import org.opensaml.common.impl.AbstractSAMLObject; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.util.IndexedXMLObjectChildrenList; + +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttributes; + +public class EAAFRequestedAttributesImpl extends AbstractSAMLObject implements EAAFRequestedAttributes { + + private final IndexedXMLObjectChildrenList indexedChildren; + + public EAAFRequestedAttributesImpl(String namespaceURI, String elementLocalName, String namespacePrefix) { + super(namespaceURI, elementLocalName, namespacePrefix); + indexedChildren = new IndexedXMLObjectChildrenList(this); + } + + @Override + public List getOrderedChildren() { + final List children = new ArrayList(); + children.addAll(indexedChildren); + return Collections.unmodifiableList(children); + + } + + @Override + public List getAttributes() { + return (List) indexedChildren + .subList(EAAFRequestedAttribute.DEFAULT_ELEMENT_NAME); + } + +} diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/SAML2Utils.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/SAML2Utils.java index 1da3fea3..4e9d3073 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/SAML2Utils.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/SAML2Utils.java @@ -12,8 +12,10 @@ import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.TransformerException; +import org.apache.commons.lang3.StringUtils; import org.opensaml.Configuration; import org.opensaml.common.impl.SecureRandomIdentifierGenerator; +import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.Status; import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.metadata.AssertionConsumerService; @@ -24,9 +26,13 @@ import org.opensaml.xml.XMLObject; import org.opensaml.xml.XMLObjectBuilderFactory; import org.opensaml.xml.io.Marshaller; import org.opensaml.xml.io.MarshallingException; +import org.opensaml.xml.schema.XSString; +import org.opensaml.xml.schema.impl.XSStringBuilder; import org.w3c.dom.Document; import at.gv.egiz.eaaf.core.impl.utils.Random; +import at.gv.egiz.eaaf.modules.pvp2.PVPConstants; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute; public class SAML2Utils { @@ -121,5 +127,28 @@ public class SAML2Utils { envelope.setBody(body); return envelope; + } + + public static EAAFRequestedAttribute generateReqAuthnAttributeSimple(Attribute attr, boolean isRequired, String value) { + EAAFRequestedAttribute requested = SAML2Utils.createSAMLObject(EAAFRequestedAttribute.class); + requested.setName(attr.getName()); + requested.setNameFormat(attr.getNameFormat()); + requested.setFriendlyName(attr.getFriendlyName()); + requested.setIsRequired(String.valueOf(isRequired)); + List attributeValues = requested.getAttributeValues(); + if (StringUtils.isNotEmpty(value)) { + XMLObject attributeValueForRequest = createAttributeValue(PVPConstants.EIDAS_REQUESTED_ATTRIBUTE_VALUE_TYPE, value); + attributeValues.add(attributeValueForRequest); + } + return requested; + + } + + private static XMLObject createAttributeValue(QName attributeValueType, String value) { + XSStringBuilder stringBuilder = (XSStringBuilder) Configuration.getBuilderFactory().getBuilder(XSString.TYPE_NAME); + XSString stringValue = stringBuilder.buildObject(attributeValueType, XSString.TYPE_NAME); + stringValue.setValue(value); + return stringValue; + } } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/AuthnRequestValidator.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/AuthnRequestValidator.java deleted file mode 100644 index 86c7f309..00000000 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/AuthnRequestValidator.java +++ /dev/null @@ -1,45 +0,0 @@ -/******************************************************************************* - *******************************************************************************/ -package at.gv.egiz.eaaf.modules.pvp2.impl.verification; - -import org.opensaml.saml2.core.AuthnRequest; -import org.opensaml.saml2.core.NameID; -import org.opensaml.saml2.core.NameIDPolicy; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException; -import at.gv.egiz.eaaf.modules.pvp2.exception.NameIDFormatNotSupportedException; - - -/** - * @author tlenz - * - */ -public class AuthnRequestValidator { - private static final Logger log = LoggerFactory.getLogger(AuthnRequestValidator.class); - - public static void validate(AuthnRequest req) throws AuthnRequestValidatorException{ - - //validate NameIDPolicy - NameIDPolicy nameIDPolicy = req.getNameIDPolicy(); - if (nameIDPolicy != null) { - String nameIDFormat = nameIDPolicy.getFormat(); - if (nameIDFormat != null) { - if ( !(NameID.TRANSIENT.equals(nameIDFormat) || - NameID.PERSISTENT.equals(nameIDFormat) || - NameID.UNSPECIFIED.equals(nameIDFormat)) ) { - - throw new NameIDFormatNotSupportedException(nameIDFormat); - - } - - } else - log.trace("Find NameIDPolicy, but NameIDFormat is 'null'"); - } else - log.trace("AuthnRequest includes no 'NameIDPolicy'"); - - - - } -} diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/resources/eaaf_pvp.beans.xml b/eaaf_modules/eaaf_module_pvp2_core/src/main/resources/eaaf_pvp.beans.xml index 2c64b5f1..ed582d1a 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/resources/eaaf_pvp.beans.xml +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/resources/eaaf_pvp.beans.xml @@ -23,8 +23,5 @@ - - - + \ No newline at end of file diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPVP2XProtocol.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPVP2XProtocol.java index 93ffa789..ee0eee0a 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPVP2XProtocol.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPVP2XProtocol.java @@ -19,9 +19,7 @@ import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.Status; import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.core.StatusMessage; -import org.opensaml.saml2.core.impl.AuthnRequestImpl; import org.opensaml.saml2.metadata.AssertionConsumerService; -import org.opensaml.saml2.metadata.AttributeConsumingService; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.ws.security.SecurityPolicyException; @@ -35,7 +33,6 @@ import at.gv.egiz.components.eventlog.api.EventConstants; import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.data.EAAFConstants; import at.gv.egiz.eaaf.core.api.idp.IModulInfo; -import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.api.logging.IRevisionLogger; import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException; import at.gv.egiz.eaaf.core.exceptions.EAAFException; @@ -47,6 +44,7 @@ import at.gv.egiz.eaaf.modules.pvp2.PVPEventConstants; import at.gv.egiz.eaaf.modules.pvp2.api.IPVP2BasicConfiguration; import at.gv.egiz.eaaf.modules.pvp2.api.binding.IEncoder; import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPVPMetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.api.validation.IAuthnRequestValidator; import at.gv.egiz.eaaf.modules.pvp2.exception.InvalidPVPRequestException; import at.gv.egiz.eaaf.modules.pvp2.exception.NameIDFormatNotSupportedException; import at.gv.egiz.eaaf.modules.pvp2.exception.NoMetadataInformationException; @@ -61,7 +59,6 @@ import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider; import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EAAFURICompare; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; -import at.gv.egiz.eaaf.modules.pvp2.impl.verification.AuthnRequestValidator; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SAMLVerificationEngine; public abstract class AbstractPVP2XProtocol extends AbstractAuthProtocolModulController implements IModulInfo { @@ -70,8 +67,11 @@ public abstract class AbstractPVP2XProtocol extends AbstractAuthProtocolModulCon @Autowired(required=true) protected IPVP2BasicConfiguration pvpBasicConfiguration; @Autowired(required=true) protected IPVPMetadataProvider metadataProvider; @Autowired(required=true) protected SAMLVerificationEngine samlVerificationEngine; + @Autowired(required=true) protected IAuthnRequestValidator authRequestValidator; private AbstractCredentialProvider pvpIDPCredentials; + + /** * Sets a specific credential provider for PVP S-Profile IDP component. @@ -470,42 +470,14 @@ public abstract class AbstractPVP2XProtocol extends AbstractAuthProtocolModulCon } } - - //select AttributeConsumingService from request - AttributeConsumingService attributeConsumer = null; - Integer aIdx = authnRequest.getAttributeConsumingServiceIndex(); - int attributeIdx = 0; - - if(aIdx != null) { - attributeIdx = aIdx.intValue(); - } - - if (spSSODescriptor.getAttributeConsumingServices() != null && - spSSODescriptor.getAttributeConsumingServices().size() > 0) { - attributeConsumer = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx); - } - + //validate AuthnRequest - AuthnRequestImpl authReq = (AuthnRequestImpl) samlReq; - AuthnRequestValidator.validate(authReq); - -// String useMandate = request.getParameter(PARAM_USEMANDATE); -// if(useMandate != null) { -// if(useMandate.equals("true") && attributeConsumer != null) { -// if(!CheckMandateAttributes.canHandleMandate(attributeConsumer)) { -// throw new MandateAttributesNotHandleAbleException(); -// } -// } -// } - + AuthnRequest authReq = (AuthnRequest) samlReq; String oaURL = moaRequest.getEntityMetadata(metadataProvider).getEntityID(); - oaURL = StringEscapeUtils.escapeHtml(oaURL); - ISPConfiguration oa = authConfig.getServiceProviderConfiguration(oaURL); - - log.info("Dispatch PVP2 AuthnRequest: OAURL=" + oaURL + " Binding=" + consumerService.getBinding()); - - pendingReq.setSPEntityId(oaURL); - pendingReq.setOnlineApplicationConfiguration(oa); + log.info("Dispatch PVP2 AuthnRequest: OAURL=" + oaURL + " Binding=" + consumerService.getBinding()); + + pendingReq.setSPEntityId(StringEscapeUtils.escapeHtml(oaURL)); + pendingReq.setOnlineApplicationConfiguration(authConfig.getServiceProviderConfiguration(pendingReq.getSPEntityId())); pendingReq.setBinding(consumerService.getBinding()); pendingReq.setRequest(moaRequest); pendingReq.setConsumerURL(consumerService.getLocation()); @@ -513,13 +485,17 @@ public abstract class AbstractPVP2XProtocol extends AbstractAuthProtocolModulCon //parse AuthRequest pendingReq.setPassiv(authReq.isPassive()); pendingReq.setForce(authReq.isForceAuthn()); - + //AuthnRequest needs authentication pendingReq.setNeedAuthentication(true); //set protocol action, which should be executed after authentication pendingReq.setAction(AuthenticationAction.class.getName()); + log.trace("Starting extended AuthnRequest validation and processing ... "); + authRequestValidator.validate(request, pendingReq, authReq, spSSODescriptor); + log.debug("Extended AuthnRequest validation and processing finished"); + //write revisionslog entry revisionsLogger.logEvent(pendingReq, PVPEventConstants.AUTHPROTOCOL_PVP_REQUEST_AUTHREQUEST); diff --git a/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/api/IPVPAuthnRequestBuilderConfiguruation.java b/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/api/IPVPAuthnRequestBuilderConfiguruation.java index b0439775..7ddf05bd 100644 --- a/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/api/IPVPAuthnRequestBuilderConfiguruation.java +++ b/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/api/IPVPAuthnRequestBuilderConfiguruation.java @@ -2,11 +2,15 @@ *******************************************************************************/ package at.gv.egiz.eaaf.modules.pvp2.sp.api; +import java.util.List; + import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.xml.security.credential.Credential; import org.w3c.dom.Element; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute; + /** * @author tlenz * @@ -139,4 +143,29 @@ public interface IPVPAuthnRequestBuilderConfiguruation { public Element getSubjectConformationDate(); + /** + * Get the EntityId of the SP in case of a SAML2 proxy use-case + * + * @return + */ + public String getScopeRequesterId(); + + + /** + * Get a FriendlyName for the SP that sends the request + * + * @return + */ + public String getProviderName(); + + + /** + * Get a Set of SAML2 attributes that are requested by using SAML2 requested attributes + *
+ * Info: Attributes are requested by using eIDAS SAML2 extension for requested attributes + * + * @return + */ + public List getRequestedAttributes(); + } diff --git a/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/PVPAuthnRequestBuilder.java b/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/PVPAuthnRequestBuilder.java index 9b02dc77..087504e6 100644 --- a/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/PVPAuthnRequestBuilder.java +++ b/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/PVPAuthnRequestBuilder.java @@ -3,6 +3,7 @@ package at.gv.egiz.eaaf.modules.pvp2.sp.impl; import java.security.NoSuchAlgorithmException; +import java.util.List; import javax.servlet.http.HttpServletResponse; @@ -10,6 +11,7 @@ import org.apache.commons.lang3.StringUtils; import org.joda.time.DateTime; import org.opensaml.common.impl.SecureRandomIdentifierGenerator; import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.common.Extensions; import org.opensaml.saml2.core.AuthnContextClassRef; import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; import org.opensaml.saml2.core.AuthnRequest; @@ -18,6 +20,8 @@ import org.opensaml.saml2.core.NameID; import org.opensaml.saml2.core.NameIDPolicy; import org.opensaml.saml2.core.NameIDType; import org.opensaml.saml2.core.RequestedAuthnContext; +import org.opensaml.saml2.core.RequesterID; +import org.opensaml.saml2.core.Scoping; import org.opensaml.saml2.core.Subject; import org.opensaml.saml2.core.SubjectConfirmation; import org.opensaml.saml2.core.SubjectConfirmationData; @@ -33,9 +37,12 @@ import org.springframework.stereotype.Service; import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.modules.pvp2.api.binding.IEncoder; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttributes; import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception; import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding; import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EAAFRequestExtensionBuilder; import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils; import at.gv.egiz.eaaf.modules.pvp2.sp.api.IPVPAuthnRequestBuilderConfiguruation; import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnRequestBuildException; @@ -44,7 +51,7 @@ import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnRequestBuildException; * @author tlenz * */ -@Service("PVPAuthnRequestBuilder") +@Service("pvpAuthnRequestBuilder") public class PVPAuthnRequestBuilder { private static final Logger log = LoggerFactory.getLogger(PVPAuthnRequestBuilder.class); @@ -182,8 +189,31 @@ public class PVPAuthnRequestBuilder { } - //TODO: implement requested attributes - //maybe: config.getRequestedAttributes(); + + //set ProviderName + if (StringUtils.isNotEmpty(config.getProviderName())) + authReq.setProviderName(config.getProviderName()); + + //set RequesterId in case of proxy mode + if (StringUtils.isNotEmpty(config.getScopeRequesterId())) { + Scoping scope = SAML2Utils.createSAMLObject(Scoping.class); + RequesterID requesterId = SAML2Utils.createSAMLObject(RequesterID.class); + requesterId.setRequesterID(config.getScopeRequesterId()); + scope.getRequesterIDs().add(requesterId ); + authReq.setScoping(scope ); + + } + + //add optional requested attributes + if (config.getRequestedAttributes() != null) { + List reqAttr = config.getRequestedAttributes(); + Extensions extenstions = new EAAFRequestExtensionBuilder().buildObject(); + EAAFRequestedAttributes reqAttributs = SAML2Utils.createSAMLObject(EAAFRequestedAttributes.class); + reqAttributs.getAttributes().addAll(reqAttr); + extenstions.getUnknownXMLObjects().add(reqAttributs); + authReq.setExtensions(extenstions ); + + } //select message encoder IEncoder binding = null; @@ -201,5 +231,5 @@ public class PVPAuthnRequestBuilder { binding.encodeRequest(null, httpResp, authReq, endpoint.getLocation(), pendingReq.getPendingRequestId(), config.getAuthnRequestSigningCredential(), pendingReq); } - + } -- cgit v1.2.3