From aee52550868c56de7f7063e4ca153b031dedecb0 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 13 Jul 2018 15:49:38 +0200 Subject: some updates and bugfixes --- .../java/at/gv/egiz/eaaf/core/api/IRequest.java | 19 +++++----- .../idp/auth/AbstractAuthenticationManager.java | 2 +- .../builder/AbstractAuthenticationDataBuilder.java | 20 +++++------ .../impl/idp/controller/protocols/RequestImpl.java | 42 ++++++++++++++++------ .../at/gv/egiz/eaaf/core/impl/utils/FileUtils.java | 13 +++---- .../at/gv/egiz/eaaf/core/impl/utils/Random.java | 12 ++----- .../core/impl/idp/module/test/TestRequestImpl.java | 40 +++++++++++++++------ .../modules/pvp2/impl/utils/QAALevelVerifier.java | 7 +++- .../pvp2/idp/impl/AuthenticationAction.java | 16 ++++----- .../idp/impl/builder/PVP2AssertionBuilder.java | 10 +++--- 10 files changed, 111 insertions(+), 70 deletions(-) diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/api/IRequest.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/api/IRequest.java index 620018ad..4c145fbc 100644 --- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/api/IRequest.java +++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/api/IRequest.java @@ -100,7 +100,7 @@ public interface IRequest { * @param key The specific identifier of the request-data object * @return The request-data object or null if no data is found with this key */ - public Object getGenericData(String key); + public Object getRawData(String key); /** * Returns a generic request-data object with is stored with a specific identifier @@ -109,7 +109,7 @@ public interface IRequest { * @param clazz The class type which is stored with this key * @return The request-data object or null if no data is found with this key */ - public T getGenericData(String key, final Class clazz); + public T getRawData(String key, final Class clazz); /** * Store a generic data-object into pending request with a specific identifier 
@@ -118,7 +118,7 @@ public interface IRequest { * @param object Generic data-object which should be stored. This data-object had to be implement the 'java.io.Serializable' interface * @throws SessionDataStorageException Error message if the data-object can not stored to generic request-data storage */ - public void setGenericDataToSession(String key, Object object) throws EAAFStorageException; + public void setRawDataToTransaction(String key, Object object) throws EAAFStorageException; /** * Store generic data-objects into pending request with specific identifiers @@ -126,16 +126,15 @@ public interface IRequest { * @param map Map with Identifiers and values * @throws SessionDataStorageException Error message if the data-object can not stored to generic request-data storage */ - public void setGenericDataToSession(Map map) throws EAAFStorageException; - - - + public void setRawDataToTransaction(Map map) throws EAAFStorageException; + /** - * Get the internal dataStorage map + * Wrap the internal dataStorage map into a DAO * - * @return read-only map of data stored to this pending request + * @param wrapper DOA to access SessionData + * @return */ - public Map genericFullDataStorage(); + public T getSessionData(Class wrapper); /** * Hold the identifier of this request object. diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/AbstractAuthenticationManager.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/AbstractAuthenticationManager.java index a4734e66..1fb4bf6b 100644 --- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/AbstractAuthenticationManager.java +++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/AbstractAuthenticationManager.java 
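Review bot: The Javadoc added for getSessionData leaves `@return` empty and misspells the parameter description (`DOA` for DAO), so the new API has no stated contract; RequestImpl in this commit returns null for a null wrapper and throws an unchecked exception for any class that is not an AuthProcessDataWrapper subtype with a public Map constructor, and the interface should say so with `@param wrapper DAO class used to access the session data`, `@return a wrapper instance backed by this request's data storage, or null if wrapper is null` and a matching `@throws RuntimeException`. The `@throws SessionDataStorageException` tags on both setRawDataToTransaction overloads name an exception the signatures do not declare — they throw EAAFStorageException — and should be corrected while the methods are being renamed. The interface body continues outside this hunk.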
@@ -236,7 +236,7 @@ public abstract class AbstractAuthenticationManager implements IAuthenticationMa log.debug("Find SSL-client-certificate on request --> Add it to context"); executionContext.put(EAAFConstants.PROCESS_ENGINE_SSL_CLIENT_CERTIFICATE, ((X509Certificate[])httpReq.getAttribute("javax.servlet.request.X509Certificate"))); - pendingReq.setGenericDataToSession(EAAFConstants.PROCESS_ENGINE_SSL_CLIENT_CERTIFICATE, + pendingReq.setRawDataToTransaction(EAAFConstants.PROCESS_ENGINE_SSL_CLIENT_CERTIFICATE, ((X509Certificate[])httpReq.getAttribute("javax.servlet.request.X509Certificate"))); } diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/AbstractAuthenticationDataBuilder.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/AbstractAuthenticationDataBuilder.java index 94d9a810..c095135d 100644 --- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/AbstractAuthenticationDataBuilder.java +++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/AbstractAuthenticationDataBuilder.java 
@@ -440,16 +440,16 @@ public abstract class AbstractAuthenticationDataBuilder implements IAuthenticati */ private String getbPKTypeFromPVPAttribute(IAuthProcessDataContainer session) { String pvpbPKTypeAttr = session.getGenericDataFromSession(PVPAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME, String.class); - if (StringUtils.isNotEmpty(pvpbPKTypeAttr)) { - - //fix a wrong bPK-Type encoding, which was used in some PVP Standardportal implementations - if (pvpbPKTypeAttr.startsWith(EAAFConstants.URN_PREFIX_CDID) && - !pvpbPKTypeAttr.substring(EAAFConstants.URN_PREFIX_CDID.length(), - EAAFConstants.URN_PREFIX_CDID.length() + 1).equals("+")) { - log.warn("Receive uncorrect encoded bBKType attribute " + pvpbPKTypeAttr + " Starting attribute value correction ... "); - pvpbPKTypeAttr = EAAFConstants.URN_PREFIX_CDID + "+" + pvpbPKTypeAttr.substring(EAAFConstants.URN_PREFIX_CDID.length() + 1); - - } + + if (StringUtils.isNotEmpty(pvpbPKTypeAttr)) { +// //fix a wrong bPK-Type encoding, which was used in some PVP Standardportal implementations +// if (pvpbPKTypeAttr.startsWith(EAAFConstants.URN_PREFIX_CDID) && +// !pvpbPKTypeAttr.substring(EAAFConstants.URN_PREFIX_CDID.length(), +// EAAFConstants.URN_PREFIX_CDID.length() + 1).equals("+")) { +// log.warn("Receive uncorrect encoded bBKType attribute " + pvpbPKTypeAttr + " Starting attribute value correction ... "); +// pvpbPKTypeAttr = EAAFConstants.URN_PREFIX_CDID + "+" + pvpbPKTypeAttr.substring(EAAFConstants.URN_PREFIX_CDID.length() + 1); +// +// } log.debug("Find PVP-Attr: " + PVPAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME); return pvpbPKTypeAttr; } diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/protocols/RequestImpl.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/protocols/RequestImpl.java index a453a8a3..7d59f043 100644 --- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/protocols/RequestImpl.java 
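Review bot: The bPK-type correction in getbPKTypeFromPVPAttribute is replaced by a commented-out copy of itself, so the method now carries dead code and gives no reason why the fix for the PVP Standardportal encoding was disabled. Either delete the block or replace it with a one-line explanation such as `// legacy PVP Standardportal bPK-type correction disabled: values prefixed with URN_PREFIX_CDID are passed through as received`. Note the behavioral consequence: an attribute that starts with EAAFConstants.URN_PREFIX_CDID but lacks the '+' separator is now returned unchanged, so whatever consumes the sector identifier downstream sees a different value than before this commit; confirm that is intended. The method continues past the end of the hunk.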
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/protocols/RequestImpl.java @@ -27,6 +27,7 @@ package at.gv.egiz.eaaf.core.impl.idp.controller.protocols; import java.io.Serializable; +import java.lang.reflect.InvocationTargetException; import java.net.MalformedURLException; import java.net.URL; import java.util.Date; @@ -48,6 +49,7 @@ import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.EAAFAuthenticationException; import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException; +import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper; import at.gv.egiz.eaaf.core.impl.utils.HTTPUtils; import at.gv.egiz.eaaf.core.impl.utils.Random; import at.gv.egiz.eaaf.core.impl.utils.TransactionIDUtils; @@ -141,7 +143,7 @@ public abstract class RequestImpl implements IRequest, Serializable{ //set requester's IP address try { - setGenericDataToSession(DATAID_REQUESTER_IP_ADDRESS, req.getRemoteAddr()); + setRawDataToTransaction(DATAID_REQUESTER_IP_ADDRESS, req.getRemoteAddr()); } catch (EAAFStorageException e) { log.info("Can NOT store remote IP address into 'pendingRequest'." , e); 
@@ -215,11 +217,31 @@ public abstract class RequestImpl implements IRequest, Serializable{ this.internalSSOSessionId = internalSSOSessionId; } - + @Override - public final Map genericFullDataStorage() { - return this.genericDataStorage; + public final T getSessionData(final Class wrapper) { + if (wrapper != null) { + if (AuthProcessDataWrapper.class.isAssignableFrom(wrapper)) { + try { + return wrapper.getConstructor(Map.class).newInstance(this.genericDataStorage); + + } catch (NoSuchMethodException | SecurityException | InstantiationException | IllegalAccessException + | IllegalArgumentException | InvocationTargetException e) { + log.error("Can NOT instance wrapper: " + wrapper.getName(), e); + + } + + } + + log.error("Can NOT wrap generic data into session data. " + + "Reason: Wrapper " + wrapper.getName() + " is NOT a valid wrapper"); + throw new RuntimeException("Can NOT wrap generic data into session data. " + + "Reason: Wrapper " + wrapper.getName() + " is NOT a valid wrapper"); + + } + return null; + } @Override @@ -346,7 +368,7 @@ public abstract class RequestImpl implements IRequest, Serializable{ } @Override - public final Object getGenericData(String key) { + public final Object getRawData(String key) { if (StringUtils.isNotEmpty(key)) { return genericDataStorage.get(key); @@ -357,7 +379,7 @@ public abstract class RequestImpl implements IRequest, Serializable{ } @Override - public final T getGenericData(String key, final Class clazz) { + public final T getRawData(String key, final Class clazz) { if (StringUtils.isNotEmpty(key)) { Object data = genericDataStorage.get(key); 
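Review bot: When reflection fails inside the new getSessionData (the multi-catch block), the method logs the cause and then falls through to the generic "is NOT a valid wrapper" RuntimeException, so the caller gets a misleading message and the original exception is dropped as cause; TestRequestImpl's copy of this method in the same commit rethrows with the cause, so the two implementations disagree. The wrapper is also constructed over the live `genericDataStorage` map, so writes made through it bypass the null-key and Serializable checks that setRawDataToTransaction enforces in the following hunk — worth stating in the IRequest Javadoc, or passing a guarded view if that is not intended. Restructuring the method as guard clauses keeps each failure path distinct and preserves the cause; the type parameters appear stripped in this rendering, so the fence assumes the signature `<T> T getSessionData(Class<T> wrapper)`.
```java
@Override
public final <T> T getSessionData(final Class<T> wrapper) {
    if (wrapper == null) {
        return null;
    }
    if (!AuthProcessDataWrapper.class.isAssignableFrom(wrapper)) {
        log.error("Can NOT wrap generic data into session data. "
                + "Reason: Wrapper " + wrapper.getName() + " is NOT a valid wrapper");
        throw new RuntimeException("Can NOT wrap generic data into session data. "
                + "Reason: Wrapper " + wrapper.getName() + " is NOT a valid wrapper");
    }
    try {
        return wrapper.getConstructor(Map.class).newInstance(this.genericDataStorage);
    } catch (ReflectiveOperationException | SecurityException | IllegalArgumentException e) {
        log.error("Can NOT instance wrapper: " + wrapper.getName(), e);
        throw new RuntimeException("Can NOT instance wrapper: " + wrapper.getName(), e);
    }
}
```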
@@ -383,13 +405,13 @@ public abstract class RequestImpl implements IRequest, Serializable{ } @Override - public final void setGenericDataToSession(String key, Object object) throws EAAFStorageException { + public final void setRawDataToTransaction(String key, Object object) throws EAAFStorageException { if (StringUtils.isEmpty(key)) { log.info("Generic request-data can not be stored with a 'null' key"); throw new EAAFStorageException("Generic request-data can not be stored with a 'null' key", null); } - + if (object != null) { if (!Serializable.class.isInstance(object)) { log.warn("Generic request-data can only store objects which implements the 'Seralizable' interface"); @@ -408,7 +430,7 @@ public abstract class RequestImpl implements IRequest, Serializable{ } @Override - public final void setGenericDataToSession(Map map) throws EAAFStorageException { + public final void setRawDataToTransaction(Map map) throws EAAFStorageException { if (map == null) { log.info("Generic request-data can not be stored with a 'null' map"); throw new EAAFStorageException("Generic request-data can not be stored with a 'null' map", null); @@ -417,7 +439,7 @@ public abstract class RequestImpl implements IRequest, Serializable{ //validate and store values for (Entry el : map.entrySet()) - setGenericDataToSession(el.getKey(), el.getValue()); + setRawDataToTransaction(el.getKey(), el.getValue()); } diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/FileUtils.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/FileUtils.java index f458c142..a7bd8f81 100644 --- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/FileUtils.java +++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/FileUtils.java 
@@ -40,14 +40,13 @@ import java.net.URI; import java.net.URL; import org.apache.commons.lang3.StringUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; -/** - * Utility for accessing files on the file system, and for reading from input streams. - * @author Paul Ivancsics - * @version $Id$ - */ public class FileUtils { - + private static final Logger log = LoggerFactory.getLogger(FileUtils.class); + + /** * Reads a file, given by URL, into a byte array. * @param urlString file URL @@ -112,6 +111,8 @@ public class FileUtils { public static String makeAbsoluteURL(String url, String root) { //if url is relative to rootConfigFileDirName make it absolute + log.trace("Making AbsoluteURL URL: " + url + " Root-Path: " + root); + if (StringUtils.isEmpty(root)) root = null; diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/Random.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/Random.java index b190bfba..2504d8f1 100644 --- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/Random.java +++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/Random.java @@ -36,6 +36,8 @@ import org.apache.commons.lang3.ArrayUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import at.gv.egiz.eaaf.core.impl.idp.process.support.SecureRandomHolder; + /** * Random number generator used to generate ID's @@ -60,15 +62,7 @@ public class Random { } catch (NoSuchAlgorithmException e) { log.warn("Can NOT initialize SecureRandom with: 'SHA256PRNG-FIPS186'. Use 'StrongSecureRandom' as backup"); - - try { - random = SecureRandom.getInstanceStrong(); - - } catch (NoSuchAlgorithmException e1) { - log.error("Can NOT initialize SecureRandom. StartUp process FAILED!"); - throw new RuntimeException("Can NOT initialize SecureRandom. StartUp process FAILED!", e); - - } + random = SecureRandomHolder.getInstance(); } 
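Review bot: The class-level Javadoc of FileUtils is deleted rather than updated, leaving the utility class with no summary. Restore a one-line description above the class, `/** Utility for accessing files on the file system, and for reading from input streams. */`; dropping the stale `@version $Id$` tag is fine.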
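Review bot: The trace line added to makeAbsoluteURL builds its string by concatenation, which is evaluated even when trace is disabled — the common case for this level; the SLF4J form `log.trace("Making AbsoluteURL URL: {} Root-Path: {}", url, root);` defers formatting until the level is enabled. The same applies to the trace line added to QAALevelVerifier.verifyQAALevel in this commit. The method continues outside this hunk.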
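Review bot: The warn message kept above the new fallback still says "Use 'StrongSecureRandom' as backup", but the fallback is now `SecureRandomHolder.getInstance()` and no longer calls SecureRandom.getInstanceStrong(), so the log misdescribes what happens; change it to `log.warn("Can NOT initialize SecureRandom with: 'SHA256PRNG-FIPS186'. Use SecureRandomHolder as backup");`. Whether SecureRandomHolder.getInstance() can return null or throw is not visible here; since this generator produces IDs, the removed code's fail-fast on initialization should be preserved by the holder or re-added here — confirm. The enclosing block starts before the hunk, and the utility class now depends on the idp.process.support package, which looks like an inverted layering worth a glance.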
diff --git a/eaaf_core/src/test/java/at/gv/egiz/eaaf/core/impl/idp/module/test/TestRequestImpl.java b/eaaf_core/src/test/java/at/gv/egiz/eaaf/core/impl/idp/module/test/TestRequestImpl.java index a3812816..b1f53db3 100644 --- a/eaaf_core/src/test/java/at/gv/egiz/eaaf/core/impl/idp/module/test/TestRequestImpl.java +++ b/eaaf_core/src/test/java/at/gv/egiz/eaaf/core/impl/idp/module/test/TestRequestImpl.java @@ -26,12 +26,14 @@ *******************************************************************************/ package at.gv.egiz.eaaf.core.impl.idp.module.test; +import java.lang.reflect.InvocationTargetException; import java.util.HashMap; import java.util.Map; import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException; +import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper; /** * @author tlenz @@ -83,7 +85,7 @@ public class TestRequestImpl implements IRequest { * @see at.gv.egovernment.moa.id.moduls.IRequest#getGenericData(java.lang.String) */ @Override - public Object getGenericData(String key) { + public Object getRawData(String key) { return storage.get(key); } @@ -91,7 +93,7 @@ public class TestRequestImpl implements IRequest { * @see at.gv.egovernment.moa.id.moduls.IRequest#getGenericData(java.lang.String, java.lang.Class) */ @Override - public T getGenericData(String key, Class clazz) { + public T getRawData(String key, Class clazz) { return (T)storage.get(key); } @@ -218,14 +220,9 @@ public class TestRequestImpl implements IRequest { } @Override - public void setGenericDataToSession(Map map) throws EAAFStorageException { + public void setRawDataToTransaction(Map map) throws EAAFStorageException { storage.putAll(map); - - } - - @Override - public Map genericFullDataStorage() { - return storage; + } @Override 
@@ -270,7 +267,7 @@ public class TestRequestImpl implements IRequest { } @Override - public void setGenericDataToSession(String key, Object object) throws EAAFStorageException { + public void setRawDataToTransaction(String key, Object object) throws EAAFStorageException { storage.put(key, object); } @@ -278,6 +275,29 @@ public class TestRequestImpl implements IRequest { public void setSpConfig(ISPConfiguration spConfig) { this.spConfig = spConfig; } + + @Override + public T getSessionData(Class wrapper) { + if (wrapper != null) { + if (AuthProcessDataWrapper.class.isAssignableFrom(wrapper)) { + try { + return wrapper.getConstructor(Map.class).newInstance(this.storage); + + } catch (NoSuchMethodException | SecurityException | InstantiationException | IllegalAccessException + | IllegalArgumentException | InvocationTargetException e) { + throw new RuntimeException("Can NOT instance wrapper: " + wrapper.getName(), e); + + } + + } + + throw new RuntimeException("Can NOT wrap generic data into session data. " + + "Reason: Wrapper " + wrapper.getName() + " is NOT a valid wrapper"); + + } + + return null; + } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QAALevelVerifier.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QAALevelVerifier.java index 1621aa84..2bb2cb10 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QAALevelVerifier.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QAALevelVerifier.java @@ -28,6 +28,7 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.utils; import java.util.List; +import org.apache.commons.lang3.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -82,6 +83,10 @@ public class QAALevelVerifier { } public static void verifyQAALevel(String qaaAuth, List requiredLoAs, String matchingMode) throws QAANotAllowedException { + log.trace("Starting LoA verification: authLoA: " + qaaAuth + + " requiredLoA: " + StringUtils.join(requiredLoAs, "|") + + " matchingMode: " + matchingMode); + boolean hasMatch = false; for (String loa : requiredLoAs) { if (verifyQAALevel(qaaAuth, loa, matchingMode)) @@ -90,7 +95,7 @@ public class QAALevelVerifier { } if (!hasMatch) - throw new QAANotAllowedException(qaaAuth, requiredLoAs.toArray().toString(), matchingMode); + throw new QAANotAllowedException(qaaAuth, StringUtils.join(requiredLoAs, "|"), matchingMode); else log.debug("Requesed LoA fits LoA from authentication. Continue auth process ... "); diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java index 32c2cce7..b6e00709 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java 
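Review bot: `StringUtils.join(requiredLoAs, "|")` is computed twice in verifyQAALevel — in the trace line added here and again in the QAANotAllowedException in the next hunk; compute it once, `final String requiredLoAsStr = StringUtils.join(requiredLoAs, "|");`, and use it in both places. The join tolerates a null list but the `for (String loa : requiredLoAs)` that follows does not, so a missing LoA configuration surfaces as a NullPointerException rather than a QAANotAllowedException — an explicit check up front would give a clearer failure. The method ends outside this hunk.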
@@ -139,17 +139,17 @@ public class AuthenticationAction implements IAction { sloInformation.setProtocolType(req.requestedModule()); sloInformation.setSpEntityID(req.getServiceProviderConfiguration().getUniqueIdentifier()); return sloInformation; - - } catch (MessageEncodingException e) { - log.error("Message Encoding exception", e); - throw new ResponderErrorException("pvp2.01", null, e); - - } catch (SecurityException e) { - log.error("Security exception", e); + + } catch (MessageEncodingException | SecurityException e) { + log.warn("Message Encoding exception", e); throw new ResponderErrorException("pvp2.01", null, e); } catch (EAAFException e) { - log.error("Response generation error", e); + log.info("Response generation error: Msg: ", e.getMessage()); + throw new ResponderErrorException(e.getErrorId(), e.getParams(), e); + + } catch (Exception e) { + log.warn("Response generation error", e); throw new ResponderErrorException("pvp2.01", null, e); } diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/PVP2AssertionBuilder.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/PVP2AssertionBuilder.java index 5ef112dd..d049aeb3 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/PVP2AssertionBuilder.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/PVP2AssertionBuilder.java @@ -156,7 +156,8 @@ public class PVP2AssertionBuilder implements PVPConstants { //get matching mode from authn. request String loaMatchingMode = EAAFConstants.EIDAS_LOA_MATCHING_MINIMUM; - if (StringUtils.isNotEmpty(reqAuthnContext.getComparison().toString())) + if (reqAuthnContext.getComparison() != null && + StringUtils.isNotEmpty(reqAuthnContext.getComparison().toString())) loaMatchingMode = reqAuthnContext.getComparison().toString(); //get requested LoAs 
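Review bot: `log.info("Response generation error: Msg: ", e.getMessage());` has no `{}` placeholder, so SLF4J never renders the message argument and the line ends with "Msg: "; use `log.info("Response generation error: Msg: {}", e.getMessage());`. The merged `catch (MessageEncodingException | SecurityException e)` keeps the old text "Message Encoding exception" for both types, which is misleading when a SecurityException is caught — e.g. `log.warn("Message encoding or security exception", e);`. The new `catch (Exception e)` maps every unexpected failure to responder error pvp2.01 at warn level; that is reasonable at the action boundary, but RuntimeExceptions previously propagated out of this method, so confirm the downgrade is intended. The enclosing try starts before this hunk.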
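Review bot: The added null check evaluates `reqAuthnContext.getComparison()` three times and guards a two-line, unbraced `if` body; store the comparison in a local before the check and brace the assignment. Whether reqAuthnContext itself can be null is not visible in this hunk — if it can, the same NullPointerException this change fixes for getComparison() remains one level up. The enclosing method continues on both sides of the hunk.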
@@ -172,7 +173,7 @@ public class PVP2AssertionBuilder implements PVPConstants { if (!qaa_uri.trim().startsWith(EAAFConstants.EIDAS_LOA_PREFIX)) { if (loaLevelMapper != null) { - log.debug("Find no eIDAS LoA. Start mapping process ... " ); + log.debug("Find no eIDAS LoA in AuthnReq. Start mapping process ... " ); eIDASLoaFromRequest.add(loaLevelMapper.mapToeIDASLoA(qaa_uri.trim())); } else @@ -356,14 +357,13 @@ public class PVP2AssertionBuilder implements PVPConstants { SubjectConfirmationData subjectConfirmationData = SAML2Utils .createSAMLObject(SubjectConfirmationData.class); subjectConfirmationData.setInResponseTo(authnRequest.getID()); - subjectConfirmationData.setNotOnOrAfter(new DateTime(authData.getSsoSessionValidTo().getTime())); -// subjectConfirmationData.setNotBefore(date); + subjectConfirmationData.setNotOnOrAfter(new DateTime(authData.getSsoSessionValidTo().getTime())); //set 'recipient' attribute in subjectConformationData subjectConfirmationData.setRecipient(assertionConsumerService.getLocation()); //set IP address of the user machine as 'Address' attribute in subjectConformationData - String usersIPAddress = pendingReq.getGenericData( + String usersIPAddress = pendingReq.getRawData( RequestImpl.DATAID_REQUESTER_IP_ADDRESS, String.class); if (StringUtils.isNotEmpty(usersIPAddress)) subjectConfirmationData.setAddress(usersIPAddress); -- cgit v1.2.3
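Review bot: `subjectConfirmationData.setNotOnOrAfter(new DateTime(authData.getSsoSessionValidTo().getTime()))` — only re-indented here — binds the bearer SubjectConfirmationData validity to the SSO session lifetime, while the SAML Web Browser SSO profile expects that window to be short, since it bounds how long the assertion remains acceptable at the consumer independently of how long the IdP session lives. If reusing the session validity is deliberate, a comment stating why would help; otherwise a dedicated, short assertion validity is the safer default. The value read under RequestImpl.DATAID_REQUESTER_IP_ADDRESS comes from req.getRemoteAddr() (see the RequestImpl hunk above), which behind a reverse proxy is the proxy's address, so the "IP address of the user machine" comment deserves a hedge. The method continues outside the hunk.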