From d781f0e89f16c650f70cc47d1ed5c4da2673b4d1 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Thu, 11 Apr 2019 09:45:25 +0200
Subject: add EAAF module for authentication method based on Security-Layer 2.0
 communication

---
 .../sl20/tasks/AbstractReceiveQualeIDTask.java     | 285 +++++++++++++++++++++
 1 file changed, 285 insertions(+)
 create mode 100644 eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractReceiveQualeIDTask.java

(limited to 'eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractReceiveQualeIDTask.java')

diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractReceiveQualeIDTask.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractReceiveQualeIDTask.java
new file mode 100644
index 00000000..34a097bd
--- /dev/null
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/tasks/AbstractReceiveQualeIDTask.java
@@ -0,0 +1,285 @@
+package at.gv.egiz.eaaf.modules.auth.sl20.tasks;
+
+import java.io.IOException;
+import java.io.StringWriter;
+import java.security.cert.X509Certificate;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.http.entity.ContentType;
+import org.jose4j.base64url.Base64Url;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+
+import com.fasterxml.jackson.core.JsonParseException;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+
+import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
+import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
+import at.gv.egiz.eaaf.core.exceptions.EAAFAuthenticationException;
+import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException;
+import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
+import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask;
+import at.gv.egiz.eaaf.core.impl.utils.DataURLBuilder;
+import at.gv.egiz.eaaf.core.impl.utils.StreamUtils;
+import at.gv.egiz.eaaf.core.impl.utils.TransactionIDUtils;
+import at.gv.egiz.eaaf.modules.auth.sl20.Constants;
+import at.gv.egiz.eaaf.modules.auth.sl20.EventCodes;
+import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult;
+import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception;
+import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20SecurityException;
+import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SLCommandoParserException;
+import at.gv.egiz.eaaf.modules.auth.sl20.utils.IJOSETools;
+import at.gv.egiz.eaaf.modules.auth.sl20.utils.JsonMapper;
+import at.gv.egiz.eaaf.modules.auth.sl20.utils.SL20Constants;
+import at.gv.egiz.eaaf.modules.auth.sl20.utils.SL20JSONBuilderUtils;
+import at.gv.egiz.eaaf.modules.auth.sl20.utils.SL20JSONExtractorUtils;
+
+
+public abstract class AbstractReceiveQualeIDTask extends AbstractAuthServletTask {
+	private static final Logger log = LoggerFactory.getLogger(AbstractReceiveQualeIDTask.class);
+	
+	@Autowired(required=true) private IJOSETools joseTools;
+	
+	@Override
+	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+			throws TaskExecutionException {		
+		String sl20Result = null;
+		 
+		try {
+			log.debug("Receiving SL2.0 response process .... ");
+			JsonNode sl20ReqObj = null;			
+			try {
+				//get SL2.0 command or result from HTTP request
+				Map<String, String> reqParams = getParameters(request);
+				sl20Result = reqParams.get(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM);
+				
+				if (StringUtils.isEmpty(sl20Result)) {
+					//Workaround for SIC Handy-Signature, because it sends result in InputStream
+					String isReqInput = StreamUtils.readStream(request.getInputStream(), "UTF-8");					
+					if (StringUtils.isNotEmpty(isReqInput)) {
+						log.info("Use SIC Handy-Signature work-around!");
+						sl20Result = isReqInput.substring("slcommand=".length());
+						
+					} else {					
+						log.info("NO SL2.0 commando or result FOUND.");
+						throw new SL20Exception("sl20.04", null);
+					}
+				
+				}
+
+				log.trace("Received SL2.0 result: " + sl20Result);				
+				revisionsLogger.logEvent(pendingReq, EventCodes.AUTHPROCESS_SL20_DATAURL_IP, request.getRemoteAddr());
+			
+				//parse SL2.0 command/result into JSON			
+				try {
+					sl20ReqObj = new JsonMapper().getMapper().readTree(Base64Url.decodeToUtf8String(sl20Result));
+				
+				} catch (JsonParseException  e) {
+					log.warn("SL2.0 command or result is NOT valid JSON.", e);
+					log.debug("SL2.0 msg: " + sl20Result);
+					throw new SL20Exception("sl20.02", new Object[]{"SL2.0 command or result is NOT valid JSON."}, e);
+				
+				}
+			
+				//validate reqId with inResponseTo 
+				String sl20ReqId = pendingReq.getRawData(Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_REQID, String.class);
+				String inRespTo = SL20JSONExtractorUtils.getStringValue(sl20ReqObj, SL20Constants.SL20_INRESPTO, true);
+				if (sl20ReqId == null || !sl20ReqId.equals(inRespTo)) {
+					log.info("SL20 'reqId': " + sl20ReqId + " does NOT match to 'inResponseTo':" + inRespTo);
+					throw new SL20SecurityException("SL20 'reqId': " + sl20ReqId + " does NOT match to 'inResponseTo':" + inRespTo);
+				}
+			
+			
+				//validate signature
+				VerificationResult payLoadContainer = SL20JSONExtractorUtils.extractSL20PayLoad(
+						sl20ReqObj, joseTools, 
+						authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true));
+				
+				if ( (payLoadContainer.isValidSigned() == null || !payLoadContainer.isValidSigned())) {
+					if (authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true)) {
+						log.info("SL20 result from VDA was not valid signed");
+						throw new SL20SecurityException(new Object[]{"Signature on SL20 result NOT valid."});
+				
+					} else {
+						log.warn("SL20 result from VDA is NOT valid signed, but signatures-verification is DISABLED by configuration!");
+						
+					}
+				}
+				
+				/*TODO validate certificate by using MOA-SPSS
+				* currently, the certificate is validated in IJOSETools by using a pkcs12 or jks keystore
+				*/
+				List<X509Certificate> sigCertChain = payLoadContainer.getCertChain();
+			
+			
+				//extract payloaf
+				JsonNode payLoad = payLoadContainer.getPayload();
+			
+				
+				//handle SL2.0 response payLoad
+				handleResponsePayLoad(payLoad);
+								
+				
+			} catch (EAAFAuthenticationException  e) {
+				log.warn("SL2.0 processing error:", e);
+				if (sl20Result != null)
+					log.debug("Received SL2.0 result: " + sl20Result);
+				pendingReq.setRawDataToTransaction(
+						Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR, 
+						new TaskExecutionException(pendingReq, "SL2.0 Authentication FAILED. Msg: " + e.getMessage(), e));
+				
+			} catch (Exception e) {
+				log.warn("ERROR:", e);
+				log.warn("SL2.0 Authentication FAILED with a generic error.", e);
+				if (sl20Result != null)
+					log.debug("Received SL2.0 result: " + sl20Result);
+				pendingReq.setRawDataToTransaction(
+						Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR, 
+						new TaskExecutionException(pendingReq, e.getMessage(), e));
+				
+			} finally {
+				//store pending request
+				requestStoreage.storePendingRequest(pendingReq);
+								
+					//write SL2.0 response
+					if (sl20ReqObj != null)				
+						buildResponse(request, response, sl20ReqObj);
+					else 
+						buildErrorResponse(request, response, "2000", "General transport Binding error");					
+					
+			}
+		
+		} catch (Exception e) {
+			//write internal server errror 500 according to SL2.0 specification, chapter https transport binding			
+			log.warn("Can NOT build SL2.0 response. Reason: " + e.getMessage(), e);
+			if (sl20Result != null)
+				log.debug("Received SL2.0 result: " + sl20Result);
+			try {
+				response.sendError(500, "Internal Server Error.");
+				
+			} catch (IOException e1) {
+				log.error("Can NOT send error message. SOMETHING IS REALY WRONG!", e);
+				
+			}	
+			
+		} finally {
+			TransactionIDUtils.removeTransactionId();
+			TransactionIDUtils.removeSessionId();
+			
+		}
+	}
+
+	protected abstract void handleResponsePayLoad(JsonNode payLoad) throws SLCommandoParserException, SL20Exception, EAAFStorageException;
+
+	protected abstract String getResumeEndPoint();
+	
+	private void buildErrorResponse(HttpServletRequest request, HttpServletResponse response, String errorCode, String errorMsg) throws Exception {				
+		ObjectNode error = SL20JSONBuilderUtils.createErrorCommandResult(errorCode, errorMsg);
+		ObjectNode respContainer = SL20JSONBuilderUtils.createGenericRequest(
+				UUID.randomUUID().toString(), 
+				null, 
+				error , 
+				null);
+			
+		log.debug("Client request containts 'native client' header ... ");	
+		log.trace("SL20 response to VDA: " + respContainer);
+		StringWriter writer = new StringWriter();
+		writer.write(respContainer.toString());						
+		final byte[] content = writer.toString().getBytes("UTF-8");
+		response.setStatus(HttpServletResponse.SC_OK);
+		response.setContentLength(content.length);
+		response.setContentType(ContentType.APPLICATION_JSON.toString());						
+		response.getOutputStream().write(content);
+				
+	}
+
+	private void buildResponse(HttpServletRequest request, HttpServletResponse response, JsonNode sl20ReqObj) throws IOException, SL20Exception {		
+				//create response 
+				Map<String, String> reqParameters = new HashMap<String, String>();
+				reqParameters.put(EAAFConstants.PARAM_HTTP_TARGET_PENDINGREQUESTID, pendingReq.getPendingRequestId());
+				ObjectNode callReqParams = SL20JSONBuilderUtils.createCallCommandParameters(
+						new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(), getResumeEndPoint(), null), 
+						SL20Constants.SL20_COMMAND_PARAM_GENERAL_CALL_METHOD_GET, 
+						false, 
+						reqParameters);
+				ObjectNode callCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_CALL, callReqParams);
+				
+				//build first redirect command for app
+				ObjectNode redirectOneParams = SL20JSONBuilderUtils.createRedirectCommandParameters(
+				generateICPRedirectURLForDebugging(), 
+				callCommand, null, true);
+				ObjectNode redirectOneCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT, redirectOneParams);
+								
+				//build second redirect command for IDP
+				ObjectNode redirectTwoParams = SL20JSONBuilderUtils.createRedirectCommandParameters(
+						new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(), getResumeEndPoint(), null), 
+						redirectOneCommand, null, true);
+				ObjectNode redirectTwoCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT, redirectTwoParams);
+				
+				//build generic SL2.0 response container								
+				String transactionId = SL20JSONExtractorUtils.getStringValue(sl20ReqObj, SL20Constants.SL20_TRANSACTIONID, false);
+				ObjectNode respContainer = SL20JSONBuilderUtils.createGenericRequest(
+						UUID.randomUUID().toString(), 
+						transactionId, 
+						redirectTwoCommand, 
+						null); 
+				
+		//workaround for A-Trust
+				if (request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE) != null && 
+				request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE).equals(SL20Constants.HTTP_HEADER_VALUE_NATIVE)
+					|| true) {					
+			log.debug("Client request containts 'native client' header ... ");
+			log.trace("SL20 response to VDA: " + respContainer);
+					StringWriter writer = new StringWriter();
+					writer.write(respContainer.toString());						
+					final byte[] content = writer.toString().getBytes("UTF-8");
+					response.setStatus(HttpServletResponse.SC_OK);
+					response.setContentLength(content.length);
+					response.setContentType(ContentType.APPLICATION_JSON.toString());						
+					response.getOutputStream().write(content);
+					
+					
+				} else {
+					log.info("SL2.0 DataURL communication needs http header: '" + SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE + "'");
+					throw new SL20Exception("sl20.06", 
+							new Object[] {"SL2.0 DataURL communication needs http header: '" + SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE + "'"});
+					
+				}
+			}
+
+	/**
+	 * Generates a IPC redirect URL that is configured on IDP side
+	 * 
+	 * @return IPC ReturnURL, or null if no URL is configured
+	 */
+	private String generateICPRedirectURLForDebugging() {
+		final String PATTERN_PENDING_REQ_ID = "#PENDINGREQID#";
+			
+		String ipcRedirectURLConfig = authConfig.getBasicConfiguration(Constants.CONFIG_PROP_IPC_RETURN_URL);				
+		if (StringUtils.isNotEmpty(ipcRedirectURLConfig)) {			
+			if (ipcRedirectURLConfig.contains(PATTERN_PENDING_REQ_ID)) {
+				log.trace("Find 'pendingReqId' pattern in IPC redirect URL. Update url ... ");
+				ipcRedirectURLConfig = ipcRedirectURLConfig.replaceAll(
+						"#PENDINGREQID#", 
+						EAAFConstants.PARAM_HTTP_TARGET_PENDINGREQUESTID + "=" + pendingReq.getPendingRequestId());
+			
+			}
+			
+			return ipcRedirectURLConfig;
+		}
+	
+		return null;
+		
+	}
+	
+	
+}
-- 
cgit v1.2.3