From b13a7517ea0f625d9b24b8d1ca709c8224e9c4d4 Mon Sep 17 00:00:00 2001
From: Thomas <>
Date: Mon, 19 Dec 2022 14:28:16 +0100
Subject: feat(core): support not-notified eIDAS LoA

---
 .../builder/AbstractAuthenticationDataBuilder.java    |  6 +++++-
 .../at/gv/egiz/eaaf/core/api/data/EaafConstants.java  |  2 ++
 .../modules/pvp2/impl/utils/QaaLevelVerifier.java     | 19 ++++++++++---------
 .../pvp2/idp/impl/builder/Pvp2AssertionBuilder.java   |  8 ++++++--
 4 files changed, 23 insertions(+), 12 deletions(-)

diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/AbstractAuthenticationDataBuilder.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/AbstractAuthenticationDataBuilder.java
index 142dcf28..9d24eb8c 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/AbstractAuthenticationDataBuilder.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/AbstractAuthenticationDataBuilder.java
@@ -315,12 +315,16 @@ public abstract class AbstractAuthenticationDataBuilder implements IAuthenticati
       if (currentLoA.startsWith(EaafConstants.EIDAS_LOA_PREFIX)) {
         authData.setEidasLoa(currentLoA);
 
+      } else if (currentLoA.startsWith(EaafConstants.EIDAS_LOA_NOT_NOTIFIED_PREFIX)) {
+        log.info("Find not-notified eIDAS LoA: {}. Use it as it is", currentLoA);
+        authData.setEidasLoa(currentLoA);
+        
       } else {
         log.info("Only eIDAS LoAs are supported by this implementation");
       }
 
     } else {
-      log.info("No QAA level found. Set to default level " + EaafConstants.EIDAS_LOA_LOW);
+      log.info("No QAA level found. Set to default level: {}", EaafConstants.EIDAS_LOA_LOW);
       authData.setEidasLoa(EaafConstants.EIDAS_LOA_LOW);
 
     }
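Review bot: The new `else if` branch accepts any value that merely starts with `EaafConstants.EIDAS_LOA_NOT_NOTIFIED_PREFIX` and stores it unchanged via `authData.setEidasLoa(currentLoA)`, so a value with an unexpected suffix becomes the LoA of the authentication data. Because that value is later used for LoA matching, I would accept only an explicit set of known not-notified URIs, for example `} else if (NOT_NOTIFIED_LOAS.contains(currentLoA)) {` (the set name is illustrative), and let everything else fall through to the existing "Only eIDAS LoAs are supported" branch. The log text would read better as `"Found not-notified eIDAS LoA: {}. Using it unchanged"`. The enclosing method starts and ends outside this hunk, so where `currentLoA` comes from cannot be checked from these lines.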
diff --git a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/data/EaafConstants.java b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/data/EaafConstants.java
index 82749b81..313dd61c 100644
--- a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/data/EaafConstants.java
+++ b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/data/EaafConstants.java
@@ -53,6 +53,8 @@ public class EaafConstants {
   public static final String EIDAS_LOA_SUBSTANTIAL = EIDAS_LOA_PREFIX + "substantial";
   public static final String EIDAS_LOA_HIGH = EIDAS_LOA_PREFIX + "high";
 
+  public static final String EIDAS_LOA_NOT_NOTIFIED_PREFIX = "http://eidas.europa.eu/NotNotified/LoA/";
+  
   public static final String EIDAS_LOA_MATCHING_MINIMUM = "minimum";
   public static final String EIDAS_LOA_MATCHING_EXACT = "exact";
 
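Review bot: `EIDAS_LOA_NOT_NOTIFIED_PREFIX` is added without a Javadoc comment, and only the prefix is defined, whereas the notified scheme above has concrete constants such as `EIDAS_LOA_SUBSTANTIAL` and `EIDAS_LOA_HIGH`. I would add `/** URI prefix for LoAs of eID schemes that are not notified under eIDAS. */` and define the concrete not-notified level constants next to it, so that callers can compare against exact values instead of using `startsWith`. The class body continues outside this hunk.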
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QaaLevelVerifier.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QaaLevelVerifier.java
index ca6f29e4..7ed2e939 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QaaLevelVerifier.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QaaLevelVerifier.java
@@ -19,15 +19,15 @@
 
 package at.gv.egiz.eaaf.modules.pvp2.impl.utils;
 
-import java.util.List;
-
-import at.gv.egiz.eaaf.core.api.data.EaafConstants;
-import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotAllowedException;
+import java.util.Collection;
 
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import at.gv.egiz.eaaf.core.api.data.EaafConstants;
+import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotAllowedException;
+
 /**
  * EAAF LoA Level verifier checks if requested LoA matchs to LoA of
  * authentication.
@@ -86,17 +86,18 @@ public class QaaLevelVerifier {
    * @param matchingMode LoA matching mode
    * @throws QaaNotAllowedException If LoA does not match
    */
-  public static void verifyQaaLevel(final String qaaAuth, final List<String> requiredLoAs,
+  public static void verifyQaaLevel(final String qaaAuth, final Collection<String> requiredLoAs,
       final String matchingMode) throws QaaNotAllowedException {
-    log.trace("Starting LoA verification: authLoA: " + qaaAuth + " requiredLoA: "
-        + StringUtils.join(requiredLoAs, "|") + " matchingMode: " + matchingMode);
-
+    log.trace("Starting LoA verification with authLoA:{} requiredLoA:{} matchingMode:{} ", 
+        qaaAuth, StringUtils.join(requiredLoAs, "|"), matchingMode);
+       
     boolean hasMatch = false;
     for (final String loa : requiredLoAs) {
       if (verifyQaaLevel(qaaAuth, loa, matchingMode)) {
         hasMatch = true;
+        break;
+        
       }
-
     }
 
     if (!hasMatch) {
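Review bot: The per-LoA overload called in the loop, `verifyQaaLevel(qaaAuth, loa, matchingMode)`, lies outside this hunk, and nothing visible here adapts it to the `EIDAS_LOA_NOT_NOTIFIED_PREFIX` values that this commit now allows into the authentication data. Please confirm that in `minimum` mode a not-notified `qaaAuth` checked against a notified entry of `requiredLoAs` fails closed with `QaaNotAllowedException`, and add a unit test for that combination. Separately, widening the public parameter from `List<String>` to `Collection<String>` is source-compatible but changes the method descriptor, so already compiled callers need a rebuild. A null `requiredLoAs` still ends in a NullPointerException at the `for` loop; `Objects.requireNonNull(requiredLoAs, "requiredLoAs");` at the top would make that failure explicit.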
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java
index 261f7b2b..bbe1d95f 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java
@@ -22,8 +22,10 @@ package at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder;
 import java.security.MessageDigest;
 import java.time.Instant;
 import java.util.ArrayList;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
+import java.util.Set;
 
 import javax.naming.ConfigurationException;
 
@@ -159,7 +161,7 @@ public class Pvp2AssertionBuilder implements PvpConstants {
           reqAuthnContext.getAuthnContextClassRefs();
 
       // get matching mode from authn. request      
-      String loaMatchingMode = pendingReq.getServiceProviderConfiguration().getLoAMatchingMode();
+      String loaMatchingMode = oaParam.getLoAMatchingMode();
       if (StringUtils.isEmpty(loaMatchingMode)) {
         loaMatchingMode = EaafConstants.EIDAS_LOA_MATCHING_MINIMUM;
         
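Review bot: The comment `// get matching mode from authn. request` does not describe the line below it, which reads the mode from `oaParam.getLoAMatchingMode()`; I would change it to `// get matching mode from service-provider configuration`. The distinction matters for review, because a mode taken from configuration is operator-controlled while one taken from the request would not be. `oaParam` is declared outside this hunk, so whether it can be null at this point cannot be verified from these lines.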
@@ -172,7 +174,9 @@ public class Pvp2AssertionBuilder implements PvpConstants {
         authnContextClassRef.setURI(authData.getEidasQaaLevel());
 
       } else {
-        final List<String> eidasLoaFromRequest = new ArrayList<>();
+        final Set<String> eidasLoaFromRequest = new HashSet<>();
+        eidasLoaFromRequest.addAll(oaParam.getRequiredLoA());
+        
         for (final AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) {
           final String qaa_uri = authnClassRef.getURI();
 
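Review bot: Seeding `eidasLoaFromRequest` with `oaParam.getRequiredLoA()` and then adding the URIs from the AuthnRequest builds a union, and the loop in `QaaLevelVerifier.verifyQaaLevel` (same commit) passes as soon as one entry matches. Assuming this set is what is later handed to that verifier (the call is outside the hunk), the union can only widen acceptance: a higher level asked for in the request is satisfied by a lower configured entry, and the other way round. If the configured LoAs are meant as a floor, they should be verified in a separate call from the requested ones rather than merged into one set. The name `eidasLoaFromRequest` is also no longer accurate, and a null return from `getRequiredLoA()` would throw in `addAll`; something like `final Set<String> acceptedLoas = new HashSet<>(oaParam.getRequiredLoA());` after a null check would cover both.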
-- 
cgit v1.2.3