/* * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology. * * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in * compliance with the Licence. You may obtain a copy of the Licence at: * https://joinup.ec.europa.eu/news/understanding-eupl-v12 * * Unless required by applicable law or agreed to in writing, software distributed under the Licence * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express * or implied. See the Licence for the specific language governing permissions and limitations under * the Licence. * * This product combines work with different licenses. See the "NOTICE" text file for details on the * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative * works that you distribute must include a readable copy of the "NOTICE" text file. */ package at.gv.egiz.eaaf.modules.pvp2.impl.utils; import java.util.List; import at.gv.egiz.eaaf.core.api.data.EaafConstants; import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotAllowedException; import org.apache.commons.lang3.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; /** * EAAF LoA Level verifier checks if requested LoA matchs to LoA of * authentication. * * * @author tlenz * */ public class QaaLevelVerifier { private static final Logger log = LoggerFactory.getLogger(QaaLevelVerifier.class); private static boolean verifyQaaLevel(final String qaaAuth, final String requiredLoA, final String matchingMode) throws QaaNotAllowedException { // to MINIMUM machting if (EaafConstants.EIDAS_LOA_MATCHING_MINIMUM.equals(matchingMode)) { log.trace("Perfom LoA matching in 'MINIMUM' mode ... "); if (EaafConstants.EIDAS_LOA_LOW.equals(requiredLoA) && (EaafConstants.EIDAS_LOA_LOW.equals(qaaAuth) || EaafConstants.EIDAS_LOA_SUBSTANTIAL.equals(qaaAuth) || EaafConstants.EIDAS_LOA_HIGH.equals(qaaAuth))) { return true; } else if (EaafConstants.EIDAS_LOA_SUBSTANTIAL.equals(requiredLoA) && (EaafConstants.EIDAS_LOA_SUBSTANTIAL.equals(qaaAuth) || EaafConstants.EIDAS_LOA_HIGH.equals(qaaAuth))) { return true; } else if (EaafConstants.EIDAS_LOA_HIGH.equals(requiredLoA) && EaafConstants.EIDAS_LOA_HIGH.equals(qaaAuth)) { return true; } } else if (EaafConstants.EIDAS_LOA_MATCHING_EXACT.equals(matchingMode)) { // to EXACT matching log.trace("Perfom LoA matching in 'EXACT' mode ... "); if (qaaAuth.equals(requiredLoA)) { log.debug("Required LoA fits LoA from authentication. Continue auth process ... "); return true; } } else { log.warn("LoA matching-mode:" + matchingMode + " is NOT supported by this implementation"); throw new QaaNotAllowedException(qaaAuth, requiredLoA, matchingMode); } return false; } /** * Check LoA level. * * @param qaaAuth LoA of authentication * @param requiredLoAs List of allowed LoA levels * @param matchingMode LoA matching mode * @throws QaaNotAllowedException If LoA does not match */ public static void verifyQaaLevel(final String qaaAuth, final List requiredLoAs, final String matchingMode) throws QaaNotAllowedException { log.trace("Starting LoA verification: authLoA: " + qaaAuth + " requiredLoA: " + StringUtils.join(requiredLoAs, "|") + " matchingMode: " + matchingMode); boolean hasMatch = false; for (final String loa : requiredLoAs) { if (verifyQaaLevel(qaaAuth, loa, matchingMode)) { hasMatch = true; } } if (!hasMatch) { throw new QaaNotAllowedException(qaaAuth, StringUtils.join(requiredLoAs, "|"), matchingMode); } else { log.debug("Requesed LoA fits LoA from authentication. Continue auth process ... "); } } }