From 729500a159c61a697c528e0c86abd132f4380b0d Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Thu, 12 Jul 2018 16:10:53 +0200
Subject: some more updates
---
 .../idp/impl/builder/PVP2AssertionBuilder.java | 112 +++++++++++----------
 1 file changed, 61 insertions(+), 51 deletions(-)
(limited to 'eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/PVP2AssertionBuilder.java')
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/PVP2AssertionBuilder.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/PVP2AssertionBuilder.java
index 7369da15..5ef112dd 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/PVP2AssertionBuilder.java
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/PVP2AssertionBuilder.java
@@ -1,3 +1,27 @@
+/*******************************************************************************
+ * Copyright 2017 Graz University of Technology
+ * EAAF-Core Components has been developed in a cooperation between EGIZ,
+ * A-SIT+, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+/*******************************************************************************
+ *******************************************************************************/
 /*******************************************************************************
  *******************************************************************************/
 package at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder;
@@ -118,78 +142,64 @@ public class PVP2AssertionBuilder implements PVPConstants {
 AssertionConsumerService assertionConsumerService, SLOInformationInterface sloInformation)
 throws PVP2Exception {
- RequestedAuthnContext reqAuthnContext = authnRequest
- .getRequestedAuthnContext();
-
- AuthnContextClassRef authnContextClassRef = SAML2Utils
- .createSAMLObject(AuthnContextClassRef.class);
 ISPConfiguration oaParam = pendingReq.getServiceProviderConfiguration();
+ AuthnContextClassRef authnContextClassRef = SAML2Utils.createSAMLObject(AuthnContextClassRef.class);
+ //check if authn. request contains LoA
+ RequestedAuthnContext reqAuthnContext = authnRequest.getRequestedAuthnContext();
 if (reqAuthnContext == null) {
 authnContextClassRef.setAuthnContextClassRef(authData.getEIDASQAALevel());
 } else {
-
- boolean eIDAS_qaa_found = false;
-
- List reqAuthnContextClassRefIt = reqAuthnContext
- .getAuthnContextClassRefs();
-
- if (reqAuthnContextClassRefIt.size() == 0) {
- QAALevelVerifier.verifyQAALevel(authData.getEIDASQAALevel(), EAAFConstants.EIDAS_QAA_HIGH);
+ //authn. request requests LoA levels. To LoA validation
+ List reqAuthnContextClassRefIt = reqAuthnContext.getAuthnContextClassRefs();
- eIDAS_qaa_found = true;
- authnContextClassRef.setAuthnContextClassRef(EAAFConstants.EIDAS_QAA_HIGH);
+ //get matching mode from authn. request
+ String loaMatchingMode = EAAFConstants.EIDAS_LOA_MATCHING_MINIMUM;
+ if (StringUtils.isNotEmpty(reqAuthnContext.getComparison().toString()))
+ loaMatchingMode = reqAuthnContext.getComparison().toString();
+
+ //get requested LoAs
+ if (reqAuthnContextClassRefIt.size() == 0) {
+ QAALevelVerifier.verifyQAALevel(authData.getEIDASQAALevel(),
+ oaParam.getRequiredLoA(), loaMatchingMode);
+ authnContextClassRef.setAuthnContextClassRef(authData.getEIDASQAALevel());
- } else {
+ } else {
+ List eIDASLoaFromRequest = new ArrayList();
 for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) {
 String qaa_uri = authnClassRef.getAuthnContextClassRef();
-
- if (!qaa_uri.trim().startsWith(EAAFConstants.EIDAS_QAA_PREFIX)) {
+
+ if (!qaa_uri.trim().startsWith(EAAFConstants.EIDAS_LOA_PREFIX)) {
 if (loaLevelMapper != null) {
 log.debug("Find no eIDAS LoA. Start mapping process ... " );
- qaa_uri = loaLevelMapper.mapToeIDASLoA(qaa_uri.trim());
+ eIDASLoaFromRequest.add(loaLevelMapper.mapToeIDASLoA(qaa_uri.trim()));
 } else
 log.debug("AuthnRequest contains no eIDAS LoA. NO LoA mapper FOUND, ignore "
- + "'" + qaa_uri.trim() + "'");
-
- }
+ + "'" + qaa_uri.trim() + "'");
+ } else
+ eIDASLoaFromRequest.add(qaa_uri.trim());
- if (qaa_uri.trim().equals(EAAFConstants.EIDAS_QAA_HIGH)
- || qaa_uri.trim().equals(EAAFConstants.EIDAS_QAA_SUBSTANTIAL)
- || qaa_uri.trim().equals(EAAFConstants.EIDAS_QAA_LOW)) {
+ }
+
+ //stop process if no supported LoA scheme is requested
+ if (eIDASLoaFromRequest.isEmpty()) {
+ log.info("Authn. request contains no supported LoA level. Stop authentication process ... ");
+ throw new QAANotSupportedException("No supported LoA in Authn. request");
- if (authData.isForeigner()) {
- QAALevelVerifier.verifyQAALevel(authData.getEIDASQAALevel(), oaParam.getMinimumLevelOfAssurence());
-
- eIDAS_qaa_found = true;
- authnContextClassRef.setAuthnContextClassRef(authData.getEIDASQAALevel());
-
- } else {
-
- QAALevelVerifier.verifyQAALevel(authData.getEIDASQAALevel(),
- qaa_uri.trim());
-
- eIDAS_qaa_found = true;
- authnContextClassRef.setAuthnContextClassRef(authData.getEIDASQAALevel());
-
- }
- break;
- }
- }
- }
-
- if (!eIDAS_qaa_found)
- throw new QAANotSupportedException(EAAFConstants.EIDAS_QAA_HIGH);
+ }
+
+ //verifiy LoAs from request to authentication LoA
+ QAALevelVerifier.verifyQAALevel(authData.getEIDASQAALevel(), eIDASLoaFromRequest , loaMatchingMode);
+ authnContextClassRef.setAuthnContextClassRef(authData.getEIDASQAALevel());
+ }
 }
-
- SPSSODescriptor spSSODescriptor = peerEntity
- .getSPSSODescriptor(SAMLConstants.SAML20P_NS);
+ //load SPSS decriptor from service-provider metadata
+ SPSSODescriptor spSSODescriptor = peerEntity.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
 //add Attributes to Assertion
 List attrList = new ArrayList();
-- cgit v1.2.3
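Review bot: The matching-mode lookup at the top of the new `else` branch calls `reqAuthnContext.getComparison().toString()` before any null check, so an AuthnRequest that simply omits the Comparison attribute (the SAML default) ends in a NullPointerException instead of the intended fallback to `EIDAS_LOA_MATCHING_MINIMUM`, assuming `getComparison()` returns null for an absent attribute as OpenSAML's `RequestedAuthnContext` does; this value is request-controlled, so the builder should tolerate it. Replace the guard with `if (reqAuthnContext.getComparison() != null)` followed by `loaMatchingMode = reqAuthnContext.getComparison().toString();`, and a short comment that the fallback deliberately uses minimum matching even though SAML treats an absent Comparison as exact would help the next reader. In the for loop, `eIDASLoaFromRequest.add(loaLevelMapper.mapToeIDASLoA(qaa_uri.trim()))` stores whatever the mapper returns, so if it yields null for an unmappable class ref the list is non-empty, the `isEmpty()` stop condition is bypassed and a null LoA reaches `verifyQAALevel`; adding the mapped value only when it is non-null keeps that guard meaningful. The enclosing method starts and ends outside this hunk.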