From b13a7517ea0f625d9b24b8d1ca709c8224e9c4d4 Mon Sep 17 00:00:00 2001
From: Thomas <>
Date: Mon, 19 Dec 2022 14:28:16 +0100
Subject: feat(core): support not-notified eIDAS LoA

---
 .../builder/AbstractAuthenticationDataBuilder.java | 6 +++++-
 .../at/gv/egiz/eaaf/core/api/data/EaafConstants.java | 2 ++
 .../modules/pvp2/impl/utils/QaaLevelVerifier.java | 19 ++++++++++---------
 .../pvp2/idp/impl/builder/Pvp2AssertionBuilder.java | 8 ++++++--
 4 files changed, 23 insertions(+), 12 deletions(-)

diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/AbstractAuthenticationDataBuilder.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/AbstractAuthenticationDataBuilder.java
index 142dcf28..9d24eb8c 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/AbstractAuthenticationDataBuilder.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/AbstractAuthenticationDataBuilder.java
@@ -315,12 +315,16 @@ public abstract class AbstractAuthenticationDataBuilder implements IAuthenticati
 if (currentLoA.startsWith(EaafConstants.EIDAS_LOA_PREFIX)) {
 authData.setEidasLoa(currentLoA);
+ } else if (currentLoA.startsWith(EaafConstants.EIDAS_LOA_NOT_NOTIFIED_PREFIX)) {
+ log.info("Find not-notified eIDAS LoA: {}. Use it as it is", currentLoA);
+ authData.setEidasLoa(currentLoA);
+
 } else {
 log.info("Only eIDAS LoAs are supported by this implementation");
 }
 } else {
- log.info("No QAA level found. Set to default level " + EaafConstants.EIDAS_LOA_LOW);
+ log.info("No QAA level found. Set to default level: {}", EaafConstants.EIDAS_LOA_LOW);
 authData.setEidasLoa(EaafConstants.EIDAS_LOA_LOW);
 }
diff --git a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/data/EaafConstants.java b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/data/EaafConstants.java
index 82749b81..313dd61c 100644
--- a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/data/EaafConstants.java
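Review bot: The new `else if` branch is only reachable if EaafConstants.EIDAS_LOA_PREFIX is not itself a prefix of EIDAS_LOA_NOT_NOTIFIED_PREFIX, and the value of EIDAS_LOA_PREFIX is not in this diff; since both URIs presumably live under the same eidas.europa.eu namespace, a unit test that pushes a NotNotified LoA through this builder and asserts it takes the new branch rather than the first one would pin that. A not-notified LoA is then stored unchanged via setEidasLoa, but it has no defined rank against the notified low/substantial/high levels, so whatever later compares it under "minimum" matching (the pairwise verifyQaaLevel in QaaLevelVerifier, which this diff does not show) should treat it as exact-match-only; worth confirming. Minor wording: `log.info("Found not-notified eIDAS LoA: {}. Using it as-is", currentLoA);`. The enclosing method starts and ends outside the hunk.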
+++ b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/api/data/EaafConstants.java
@@ -53,6 +53,8 @@ public class EaafConstants {
 public static final String EIDAS_LOA_SUBSTANTIAL = EIDAS_LOA_PREFIX + "substantial";
 public static final String EIDAS_LOA_HIGH = EIDAS_LOA_PREFIX + "high";
+ public static final String EIDAS_LOA_NOT_NOTIFIED_PREFIX = "http://eidas.europa.eu/NotNotified/LoA/";
+
 public static final String EIDAS_LOA_MATCHING_MINIMUM = "minimum";
 public static final String EIDAS_LOA_MATCHING_EXACT = "exact";
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QaaLevelVerifier.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QaaLevelVerifier.java
index ca6f29e4..7ed2e939 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QaaLevelVerifier.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QaaLevelVerifier.java
@@ -19,15 +19,15 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.utils;
-import java.util.List;
-
-import at.gv.egiz.eaaf.core.api.data.EaafConstants;
-import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotAllowedException;
+import java.util.Collection;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import at.gv.egiz.eaaf.core.api.data.EaafConstants;
+import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotAllowedException;
+
 /**
 * EAAF LoA Level verifier checks if requested LoA matchs to LoA of
 * authentication.
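Review bot: The new EIDAS_LOA_NOT_NOTIFIED_PREFIX constant in EaafConstants has no Javadoc, although its meaning differs from the notified LoA constants right above it: a value under this prefix is a scheme-specific level rather than one of low/substantial/high, and the string is a standalone literal instead of being derived from EIDAS_LOA_PREFIX. Add `/** Prefix of eIDAS LoA URIs that are not notified under the eIDAS regulation; such levels are scheme-specific and have no defined ordering against {@link #EIDAS_LOA_LOW}, {@link #EIDAS_LOA_SUBSTANTIAL} and {@link #EIDAS_LOA_HIGH}. */` so that callers do not try to rank them against the notified levels.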
@@ -86,17 +86,18 @@ public class QaaLevelVerifier {
 * @param matchingMode LoA matching mode
 * @throws QaaNotAllowedException If LoA does not match
 */
- public static void verifyQaaLevel(final String qaaAuth, final List requiredLoAs,
+ public static void verifyQaaLevel(final String qaaAuth, final Collection requiredLoAs,
 final String matchingMode) throws QaaNotAllowedException {
- log.trace("Starting LoA verification: authLoA: " + qaaAuth + " requiredLoA: "
- + StringUtils.join(requiredLoAs, "|") + " matchingMode: " + matchingMode);
-
+ log.trace("Starting LoA verification with authLoA:{} requiredLoA:{} matchingMode:{} ",
+ qaaAuth, StringUtils.join(requiredLoAs, "|"), matchingMode);
+
 boolean hasMatch = false;
 for (final String loa : requiredLoAs) {
 if (verifyQaaLevel(qaaAuth, loa, matchingMode)) {
 hasMatch = true;
+ break;
+
 }
-
 }
 if (!hasMatch) {
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java
index 261f7b2b..bbe1d95f 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java
@@ -22,8 +22,10 @@ package at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder;
 import java.security.MessageDigest;
 import java.time.Instant;
 import java.util.ArrayList;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
+import java.util.Set;
 import javax.naming.ConfigurationException;
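Review bot: `StringUtils.join(requiredLoAs, "|")` in the new log.trace call of verifyQaaLevel is still built on every verification even when TRACE is disabled, because SLF4J defers only the formatting, not the argument construction; wrap the call in `if (log.isTraceEnabled()) { … }` and drop the stray trailing space in `matchingMode:{} `. The flag-and-break loop could collapse to `final boolean hasMatch = requiredLoAs.stream().anyMatch(loa -> verifyQaaLevel(qaaAuth, loa, matchingMode));`, provided the three-argument overload declares no checked exception, which this hunk does not show. A null requiredLoAs fails with an undescriptive NullPointerException from the for loop; `Objects.requireNonNull(requiredLoAs, "requiredLoAs")` (java.util.Objects) at the top makes that explicit. An empty collection leaves hasMatch false and falls into the `if (!hasMatch)` branch that continues outside the hunk, which is the safe outcome and worth stating in the `@param requiredLoAs` Javadoc above the hunk.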
@@ -159,7 +161,7 @@ public class Pvp2AssertionBuilder implements PvpConstants {
 reqAuthnContext.getAuthnContextClassRefs();
 // get matching mode from authn. request
- String loaMatchingMode = pendingReq.getServiceProviderConfiguration().getLoAMatchingMode();
+ String loaMatchingMode = oaParam.getLoAMatchingMode();
 if (StringUtils.isEmpty(loaMatchingMode)) {
 loaMatchingMode = EaafConstants.EIDAS_LOA_MATCHING_MINIMUM;
@@ -172,7 +174,9 @@ public class Pvp2AssertionBuilder implements PvpConstants {
 authnContextClassRef.setURI(authData.getEidasQaaLevel());
 } else {
- final List eidasLoaFromRequest = new ArrayList<>();
+ final Set eidasLoaFromRequest = new HashSet<>();
+ eidasLoaFromRequest.addAll(oaParam.getRequiredLoA());
+
 for (final AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) {
 final String qaa_uri = authnClassRef.getURI();
--
cgit v1.2.3
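Review bot: In the second hunk `eidasLoaFromRequest` becomes the union of the SP's configured `oaParam.getRequiredLoA()` and the AuthnContextClassRefs taken from the request, and QaaLevelVerifier.verifyQaaLevel (changed in this same commit) accepts as soon as any element matches, so seeding the set from configuration can only widen the accepted LoAs, never narrow them; if getRequiredLoA() is meant as a floor the SP insists on, it has to be verified separately rather than merged into the request-derived set. `addAll` also throws NullPointerException when getRequiredLoA() returns null, which nothing in the hunk rules out; either guard it with `if (oaParam.getRequiredLoA() != null) { eidasLoaFromRequest.addAll(oaParam.getRequiredLoA()); }` or document a non-null contract on the getter. The enclosing method starts and ends outside the hunk.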