From 729500a159c61a697c528e0c86abd132f4380b0d Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 12 Jul 2018 16:10:53 +0200 Subject: some more updates --- .../impl/utils/AbstractCredentialProvider.java | 24 ++++++ .../modules/pvp2/impl/utils/QAALevelVerifier.java | 92 ++++++++++++++++++---- .../eaaf/modules/pvp2/impl/utils/SAML2Utils.java | 49 +++++++++++- 3 files changed, 147 insertions(+), 18 deletions(-) (limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils') diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java index 40ad8a82..103c10c2 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java @@ -1,3 +1,27 @@ +/******************************************************************************* + * Copyright 2017 Graz University of Technology + * EAAF-Core Components has been developed in a cooperation between EGIZ, + * A-SIT+, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +/******************************************************************************* + *******************************************************************************/ /******************************************************************************* *******************************************************************************/ package at.gv.egiz.eaaf.modules.pvp2.impl.utils; diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QAALevelVerifier.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QAALevelVerifier.java index 707f12e2..1621aa84 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QAALevelVerifier.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/QAALevelVerifier.java @@ -1,7 +1,33 @@ +/******************************************************************************* + * Copyright 2017 Graz University of Technology + * EAAF-Core Components has been developed in a cooperation between EGIZ, + * A-SIT+, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +/******************************************************************************* + *******************************************************************************/ /******************************************************************************* *******************************************************************************/ package at.gv.egiz.eaaf.modules.pvp2.impl.utils; +import java.util.List; + import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -16,26 +42,58 @@ public class QAALevelVerifier { private static final Logger log = LoggerFactory.getLogger(QAALevelVerifier.class); - public static void verifyQAALevel(String qaaAuth, String qaaRequest) throws QAANotAllowedException { - - if (EAAFConstants.EIDAS_QAA_LOW.equals(qaaRequest) && - (EAAFConstants.EIDAS_QAA_LOW.equals(qaaAuth) || - EAAFConstants.EIDAS_QAA_SUBSTANTIAL.equals(qaaAuth) || - EAAFConstants.EIDAS_QAA_HIGH.equals(qaaAuth)) - ) - log.debug("Requesed LoA fits LoA from authentication. Continue auth process ... "); + private static boolean verifyQAALevel(String qaaAuth, String requiredLoA, String matchingMode) throws QAANotAllowedException { + //to MINIMUM machting + if (EAAFConstants.EIDAS_LOA_MATCHING_MINIMUM.equals(matchingMode)) { + log.trace("Perfom LoA matching in 'MINIMUM' mode ... "); + if (EAAFConstants.EIDAS_LOA_LOW.equals(requiredLoA) && + (EAAFConstants.EIDAS_LOA_LOW.equals(qaaAuth) || + EAAFConstants.EIDAS_LOA_SUBSTANTIAL.equals(qaaAuth) || + EAAFConstants.EIDAS_LOA_HIGH.equals(qaaAuth)) + ) + return true; + + else if (EAAFConstants.EIDAS_LOA_SUBSTANTIAL.equals(requiredLoA) && + (EAAFConstants.EIDAS_LOA_SUBSTANTIAL.equals(qaaAuth) || + EAAFConstants.EIDAS_LOA_HIGH.equals(qaaAuth)) + ) + return true; + + else if (EAAFConstants.EIDAS_LOA_HIGH.equals(requiredLoA) && EAAFConstants.EIDAS_LOA_HIGH.equals(qaaAuth)) + return true; + + } else if (EAAFConstants.EIDAS_LOA_MATCHING_EXACT.equals(matchingMode)) { + //to EXACT matching + log.trace("Perfom LoA matching in 'EXACT' mode ... "); + if (qaaAuth.equals(requiredLoA)) { + log.debug("Required LoA fits LoA from authentication. Continue auth process ... "); + return true; + + } + + } else { + log.warn("LoA matching-mode:" + matchingMode + " is NOT supported by this implementation"); + throw new QAANotAllowedException(qaaAuth, requiredLoA, matchingMode); + + } - else if (EAAFConstants.EIDAS_QAA_SUBSTANTIAL.equals(qaaRequest) && - (EAAFConstants.EIDAS_QAA_SUBSTANTIAL.equals(qaaAuth) || - EAAFConstants.EIDAS_QAA_HIGH.equals(qaaAuth)) - ) - log.debug("Requesed LoA fits LoA from authentication. Continue auth process ... "); + return false; + + } + + public static void verifyQAALevel(String qaaAuth, List requiredLoAs, String matchingMode) throws QAANotAllowedException { + boolean hasMatch = false; + for (String loa : requiredLoAs) { + if (verifyQAALevel(qaaAuth, loa, matchingMode)) + hasMatch = true; + + } - else if (EAAFConstants.EIDAS_QAA_HIGH.equals(qaaRequest) && EAAFConstants.EIDAS_QAA_HIGH.equals(qaaAuth)) - log.debug("Requesed LoA fits LoA from authentication. Continue auth process ... "); + if (!hasMatch) + throw new QAANotAllowedException(qaaAuth, requiredLoAs.toArray().toString(), matchingMode); - else - throw new QAANotAllowedException(qaaAuth, qaaRequest); + else + log.debug("Requesed LoA fits LoA from authentication. Continue auth process ... "); } } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/SAML2Utils.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/SAML2Utils.java index 4e9d3073..0e755efb 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/SAML2Utils.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/SAML2Utils.java @@ -1,3 +1,27 @@ +/******************************************************************************* + * Copyright 2017 Graz University of Technology + * EAAF-Core Components has been developed in a cooperation between EGIZ, + * A-SIT+, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +/******************************************************************************* + *******************************************************************************/ /******************************************************************************* *******************************************************************************/ package at.gv.egiz.eaaf.modules.pvp2.impl.utils; @@ -11,10 +35,14 @@ import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.TransformerException; +import javax.xml.transform.dom.DOMSource; +import javax.xml.validation.Schema; +import javax.xml.validation.Validator; import org.apache.commons.lang3.StringUtils; import org.opensaml.Configuration; import org.opensaml.common.impl.SecureRandomIdentifierGenerator; +import org.opensaml.common.xml.SAMLSchemaBuilder; import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.Status; import org.opensaml.saml2.core.StatusCode; @@ -28,6 +56,8 @@ import org.opensaml.xml.io.Marshaller; import org.opensaml.xml.io.MarshallingException; import org.opensaml.xml.schema.XSString; import org.opensaml.xml.schema.impl.XSStringBuilder; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import org.w3c.dom.Document; import at.gv.egiz.eaaf.core.impl.utils.Random; @@ -35,7 +65,8 @@ import at.gv.egiz.eaaf.modules.pvp2.PVPConstants; import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute; public class SAML2Utils { - + private static final Logger log = LoggerFactory.getLogger(SAML2Utils.class); + public static T createSAMLObject(final Class clazz) { try { XMLObjectBuilderFactory builderFactory = Configuration @@ -144,6 +175,22 @@ public class SAML2Utils { } + public static void schemeValidation(XMLObject xmlObject) throws Exception { + try { + Schema test = SAMLSchemaBuilder.getSAML11Schema(); + Validator val = test.newValidator(); + DOMSource source = new DOMSource(xmlObject.getDOM()); + val.validate(source); + log.debug("SAML2 Scheme validation successful"); + return; + + } catch (Exception e) { + log.warn("SAML2 scheme validation FAILED.", e); + throw e; + + } + } + private static XMLObject createAttributeValue(QName attributeValueType, String value) { XSStringBuilder stringBuilder = (XSStringBuilder) Configuration.getBuilderFactory().getBuilder(XSString.TYPE_NAME); XSString stringValue = stringBuilder.buildObject(attributeValueType, XSString.TYPE_NAME); -- cgit v1.2.3