From 759ac5f42c6aff901dbeede4fbf1a1d2e08cad0f Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Wed, 4 Dec 2019 19:43:32 +0100
Subject: common EGIZ code-style refactoring

---
 .../modules/pvp2/impl/utils/QaaLevelVerifier.java  | 106 +++++++++++++++++++++
 1 file changed, 106 insertions(+)
 create mode 100644 eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QaaLevelVerifier.java

(limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QaaLevelVerifier.java')

diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QaaLevelVerifier.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QaaLevelVerifier.java
new file mode 100644
index 00000000..876fa744
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QaaLevelVerifier.java
@@ -0,0 +1,106 @@
+/*
+ * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
+ * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
+ * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
+ * compliance with the Licence. You may obtain a copy of the Licence at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence
+ * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the Licence for the specific language governing permissions and limitations under
+ * the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text file for details on the
+ * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
+ * works that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
+package at.gv.egiz.eaaf.modules.pvp2.impl.utils;
+
+import java.util.List;
+import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
+import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotAllowedException;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * EAAF LoA Level verifier checks if requested LoA matchs to LoA of authentication.
+ *
+ *
+ * @author tlenz
+ *
+ */
+public class QaaLevelVerifier {
+
+  private static final Logger log = LoggerFactory.getLogger(QaaLevelVerifier.class);
+
+  private static boolean verifyQaaLevel(final String qaaAuth, final String requiredLoA,
+      final String matchingMode) throws QaaNotAllowedException {
+    // to MINIMUM machting
+    if (EAAFConstants.EIDAS_LOA_MATCHING_MINIMUM.equals(matchingMode)) {
+      log.trace("Perfom LoA matching in 'MINIMUM' mode ... ");
+      if (EAAFConstants.EIDAS_LOA_LOW.equals(requiredLoA)
+          && (EAAFConstants.EIDAS_LOA_LOW.equals(qaaAuth)
+              || EAAFConstants.EIDAS_LOA_SUBSTANTIAL.equals(qaaAuth)
+              || EAAFConstants.EIDAS_LOA_HIGH.equals(qaaAuth))) {
+        return true;
+      } else if (EAAFConstants.EIDAS_LOA_SUBSTANTIAL.equals(requiredLoA)
+          && (EAAFConstants.EIDAS_LOA_SUBSTANTIAL.equals(qaaAuth)
+              || EAAFConstants.EIDAS_LOA_HIGH.equals(qaaAuth))) {
+        return true;
+      } else if (EAAFConstants.EIDAS_LOA_HIGH.equals(requiredLoA)
+          && EAAFConstants.EIDAS_LOA_HIGH.equals(qaaAuth)) {
+        return true;
+      }
+
+    } else if (EAAFConstants.EIDAS_LOA_MATCHING_EXACT.equals(matchingMode)) {
+      // to EXACT matching
+      log.trace("Perfom LoA matching in 'EXACT' mode ... ");
+      if (qaaAuth.equals(requiredLoA)) {
+        log.debug("Required LoA fits LoA from authentication. Continue auth process ... ");
+        return true;
+
+      }
+
+    } else {
+      log.warn("LoA matching-mode:" + matchingMode + " is NOT supported by this implementation");
+      throw new QaaNotAllowedException(qaaAuth, requiredLoA, matchingMode);
+
+    }
+
+    return false;
+
+  }
+
+  /**
+   * Check LoA level.
+   *
+   * @param qaaAuth LoA of authentication
+   * @param requiredLoAs List of allowed LoA levels
+   * @param matchingMode LoA matching mode
+   * @throws QaaNotAllowedException If LoA does not match
+   */
+  public static void verifyQaaLevel(final String qaaAuth, final List<String> requiredLoAs,
+      final String matchingMode) throws QaaNotAllowedException {
+    log.trace("Starting LoA verification: authLoA: " + qaaAuth + " requiredLoA: "
+        + StringUtils.join(requiredLoAs, "|") + " matchingMode: " + matchingMode);
+
+    boolean hasMatch = false;
+    for (final String loa : requiredLoAs) {
+      if (verifyQaaLevel(qaaAuth, loa, matchingMode)) {
+        hasMatch = true;
+      }
+
+    }
+
+    if (!hasMatch) {
+      throw new QaaNotAllowedException(qaaAuth, StringUtils.join(requiredLoAs, "|"), matchingMode);
+    } else {
+      log.debug("Requesed LoA fits LoA from authentication. Continue auth process ... ");
+    }
+
+  }
+}
-- 
cgit v1.2.3