fix(matching): remove prefix from bPK aftern an ID Austria login

4 files changed, 109 insertions, 13 deletions

diff --git a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseTask.java b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseTask.java
index 286b63b1..b212d133 100644
--- a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseTask.java
+++ b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseTask.java
@@ -127,7 +127,9 @@ public class ReceiveMobilePhoneSignatureResponseTask extends AbstractAuthServlet
   private static final String ERROR_MSG_01 = "Processing PVP response from 'ID Austria system' FAILED.";
   private static final String ERROR_MSG_02 = "PVP response decryption FAILED. No credential found.";
   private static final String ERROR_MSG_03 = "PVP response validation FAILED.";
-
+  private static final String ERROR_GENERIC = "Matching failed, because response from ID Austria was "
+      + "invalid or contains an error. Detail: {}";
+  
   private static final String MSG_PROP_23 = "module.eidasauth.matching.23";
   private static final String MSG_PROP_24 = "module.eidasauth.matching.24";
   
@@ -155,6 +157,7 @@ public class ReceiveMobilePhoneSignatureResponseTask extends AbstractAuthServlet
       InboundMessage inboundMessage = decodeAndVerifyMessage(request, response, decoder, comparator);
       Pair<PvpSProfileResponse, Boolean> processedMsg = validateAssertion((PvpSProfileResponse) inboundMessage);
       if (processedMsg.getSecond()) {
+        log.info("Matching failed, because ID Austria login was stopped by user.");
         // forward to next matching step in case of ID Autria authentication was stopped by user
         executionContext.put(TRANSITION_TO_GENERATE_OTHER_LOGIN_METHOD_GUI_TASK, true);
         executionContext.put(CONTEXT_FLAG_ADVANCED_MATCHING_FAILED_REASON, MSG_PROP_23);
@@ -177,6 +180,7 @@ public class ReceiveMobilePhoneSignatureResponseTask extends AbstractAuthServlet
 
       // check if MDS from ID Austria authentication matchs to eIDAS authentication
       if (!simpleMobileSignatureData.equalsSimpleEidasData(eidasData)) {
+        log.info("Matching failed, because MDS from ID-Austria login does not match to MDS from initial eIDAS");
         executionContext.put(TRANSITION_TO_GENERATE_OTHER_LOGIN_METHOD_GUI_TASK, true);
         executionContext.put(CONTEXT_FLAG_ADVANCED_MATCHING_FAILED_REASON, MSG_PROP_24);
         executionContext.put(CONTEXT_FLAG_ADVANCED_MATCHING_FAILED, true);  
@@ -207,28 +211,27 @@ public class ReceiveMobilePhoneSignatureResponseTask extends AbstractAuthServlet
       }
 
     } catch (final AuthnResponseValidationException e) {
+      log.info(ERROR_GENERIC, e.getMessage());
       throw new TaskExecutionException(pendingReq, ERROR_MSG_03, e);
 
     } catch (MessageDecodingException | SecurityException | SamlSigningException e) {
-      //final String samlRequest = request.getParameter("SAMLRequest");
-      //log.debug("Receive INVALID PVP Response from 'ms-specific eIDAS node': {}",
-      //    samlRequest, null, e);
+      log.info(ERROR_GENERIC, e.getMessage());
       throw new TaskExecutionException(pendingReq, ERROR_MSG_00,
           new AuthnResponseValidationException(ERROR_PVP_11, new Object[]{MODULE_NAME_FOR_LOGGING}, e));
 
     } catch (IOException | MarshallingException | TransformerException e) {
-      log.debug("Processing PVP response from 'ms-specific eIDAS node' FAILED.", e);
+      log.info("Processing PVP response from 'ms-specific eIDAS node' FAILED.", e);
       throw new TaskExecutionException(pendingReq, ERROR_MSG_01,
           new AuthnResponseValidationException(ERROR_PVP_12, new Object[]{MODULE_NAME_FOR_LOGGING, e.getMessage()}, e));
 
     } catch (final CredentialsNotAvailableException e) {
-      log.debug("PVP response decryption FAILED. No credential found.", e);
+      log.info("PVP response decryption FAILED. No credential found.", e);
       throw new TaskExecutionException(pendingReq, ERROR_MSG_02,
           new AuthnResponseValidationException(ERROR_PVP_10, new Object[]{MODULE_NAME_FOR_LOGGING}, e));
 
     } catch (final Exception e) {
       // todo catch ManualFixNecessaryException in any other way?
-      log.debug("PVP response validation FAILED. Msg:" + e.getMessage(), e);
+      log.info("PVP response validation FAILED. Msg: {}",e.getMessage(), e);
       throw new TaskExecutionException(pendingReq, ERROR_MSG_03,
           new AuthnResponseValidationException(ERROR_PVP_12, new Object[]{MODULE_NAME_FOR_LOGGING, e.getMessage()}, e));
 
@@ -356,7 +359,7 @@ public class ReceiveMobilePhoneSignatureResponseTask extends AbstractAuthServlet
     final Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames();
     for (final String attrName : includedAttrNames) {
       if (PvpAttributeDefinitions.BPK_NAME.equals(attrName)) {
-        builder.bpk(extractor.getSingleAttributeValue(attrName));
+        builder.bpk(removeTargetPrefixFromBpk(extractor.getSingleAttributeValue(attrName)));
       }
       if (PvpAttributeDefinitions.GIVEN_NAME_NAME.equals(attrName)) {
         builder.givenName(extractor.getSingleAttributeValue(attrName));
@@ -377,5 +380,24 @@ public class ReceiveMobilePhoneSignatureResponseTask extends AbstractAuthServlet
 
   }
 
+  private String removeTargetPrefixFromBpk(String bpkWithPrefix) {
+    if (StringUtils.isNotEmpty(bpkWithPrefix)) {    
+      final String[] spitted = bpkWithPrefix.split(":");
+      if (spitted.length == 2) {
+        log.debug("Find PVP-Attr: {}", PvpAttributeDefinitions.BPK_FRIENDLY_NAME);
+        return spitted[1];
+            
+      } else {      
+        log.info("Find PVP-Attr: {} without prefix. Use it as it is", PvpAttributeDefinitions.BPK_FRIENDLY_NAME);
+        return spitted[0];
+      
+      }
+    } else {
+      log.warn("Receive no bPK in response from ID Austria System. There is something wrong on IDA side!!!");
+      return null;  
+      
+    }        
+  }
+
 
 }
diff --git a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/clients/ZmrClientProductionTest.java b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/clients/ZmrClientProductionTest.java
index b99bd302..cada6f40 100644
--- a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/clients/ZmrClientProductionTest.java
+++ b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/clients/ZmrClientProductionTest.java
@@ -197,7 +197,6 @@ public class ZmrClientProductionTest {
 
   }
 
-  @Ignore
   @Test
   public void updateZmrEntryTestIdentity() throws EidasSAuthenticationException {    
     final String personalIdentifier = "7cEYSvKZasdfsafsaf4CDVzNT4E7cjkU4Vq";
@@ -205,9 +204,9 @@ public class ZmrClientProductionTest {
 
     final SimpleEidasData eidasData = SimpleEidasData.builder()
         .citizenCountryCode(cc)
-        .familyName("XXXÖhlinger")
-        .givenName("XXXHildegard")
-        .dateOfBirth("1971-02-18")       
+        .familyName("Muster301")
+        .givenName("Eric")
+        .dateOfBirth("1988-01-03")       
         .personalIdentifier(cc + "/AT/" + personalIdentifier)
         .pseudonym(personalIdentifier)
         .build();
diff --git a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseTaskTest.java b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseTaskTest.java
index 8fae81b1..034f06d1 100644
--- a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseTaskTest.java
+++ b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseTaskTest.java
@@ -79,7 +79,7 @@ import net.shibboleth.utilities.java.support.xml.ParserPool;
 public class ReceiveMobilePhoneSignatureResponseTaskTest {
 
   private static final String METADATA_PATH = "classpath:/data/idp_metadata_classpath_entity.xml";
-  private static final String BPK_FROM_ID_AUSTRIA = "BF:QVGm48cqcM4UcyhDTNGYmVdrIoY=";
+  private static final String BPK_FROM_ID_AUSTRIA = "QVGm48cqcM4UcyhDTNGYmVdrIoY=";
 
   @Autowired
   protected MsConnectorDummyConfigMap authConfig;
@@ -377,6 +377,29 @@ public class ReceiveMobilePhoneSignatureResponseTaskTest {
     //Mockito.verify(registerSearchService).step7aKittProcess(eq(registerSearchResult), eq(eidData));
   }
 
+  @Test
+  public void httpPostValidSignedAssertionEidValid_ExactlyOneRegisterResultDeprecadedBpkEnc() throws Exception {
+    setupMetadataResolver();
+    initResponse("/data/Response_with_EID_deprecated_bpk_encoding.xml", true);
+    AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class);
+    SimpleEidasData eidData = createEidasDataMatchingToSamlResponse().build();
+    authProcessData.setGenericDataToSession(Constants.DATA_SIMPLE_EIDAS, eidData);
+    RegisterStatusResults registerSearchResult = buildResultWithOneMatch();
+    MatchingTaskUtils.storeIntermediateMatchingResult(pendingReq, registerSearchResult);
+
+    task.execute(pendingReq, executionContext);
+
+    AuthProcessDataWrapper session = pendingReq.getSessionData(AuthProcessDataWrapper.class);
+    assertEquals("LoA", "http://eidas.europa.eu/LoA/low", session.getQaaLevel());
+    assertEquals("IssueInstant", "2014-03-05T06:39:51Z", session.getIssueInstantString());
+    assertNull("Transition To S16", executionContext.get(Constants.TRANSITION_TO_GENERATE_GUI_QUERY_AUSTRIAN_RESIDENCE_TASK));
+
+    //TODO: update this check because this task selects one result from MDS search result before and creates a new element
+    //Mockito.verify(registerSearchService).step7aKittProcess(eq(registerSearchResult), eq(eidData));
+  }
+  
+  
+  
   //TODO: implement new test that this test makes no sense any more
   @Ignore
   @Test
diff --git a/modules/authmodule-eIDAS-v2/src/test/resources/data/Response_with_EID_deprecated_bpk_encoding.xml b/modules/authmodule-eIDAS-v2/src/test/resources/data/Response_with_EID_deprecated_bpk_encoding.xml
new file mode 100644
index 00000000..92ace06c
--- /dev/null
+++ b/modules/authmodule-eIDAS-v2/src/test/resources/data/Response_with_EID_deprecated_bpk_encoding.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://localhost/authhandler/sp/idaustria/post" InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
+	<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">classpath:/data/idp_metadata_classpath_entity.xml</saml2:Issuer>
+	<saml2p:Status>
+		<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+	</saml2p:Status>
+	<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_602c3236bffaf71ac3ac88674e76ff9f" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0">
+		<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp/metadata</saml2:Issuer>
+		<saml2:Subject>
+			<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="urn:publicid:gv.at:cdid+BF">QVGm48cqcM4UcyhDTNGYmVdrIoY=</saml2:NameID>
+			<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+				<saml2:SubjectConfirmationData InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" NotOnOrAfter="2014-03-05T06:44:51.017Z" Recipient="https://localhost/authhandler/sp/idaustria/post"/>
+			</saml2:SubjectConfirmation>
+		</saml2:Subject>
+		<saml2:Conditions NotBefore="2014-03-05T06:39:51.017Z" NotOnOrAfter="2014-03-05T06:44:51.017Z">
+			<saml2:AudienceRestriction>
+				<saml2:Audience>https://localhost/authhandler/sp/idaustria/metadata</saml2:Audience>
+			</saml2:AudienceRestriction>
+		</saml2:Conditions>
+		<saml2:AuthnStatement AuthnInstant="2014-03-05T06:39:51.017Z" SessionIndex="_c0c683509a8ff6ac372a9cf9c5c5a406">
+			<saml2:AuthnContext>
+				<saml2:AuthnContextClassRef>http://eidas.europa.eu/LoA/high</saml2:AuthnContextClassRef>
+			</saml2:AuthnContext>
+		</saml2:AuthnStatement>
+		<saml2:AttributeStatement>
+			<saml2:Attribute FriendlyName="PRINCIPAL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Mustermann</saml2:AttributeValue>
+			</saml2:Attribute>
+			<saml2:Attribute FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">2.1</saml2:AttributeValue>
+			</saml2:Attribute>
+			<saml2:Attribute FriendlyName="EID-CITIZEN-QAA-EIDAS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.108" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">http://eidas.europa.eu/LoA/low</saml2:AttributeValue>
+			</saml2:Attribute>
+			<saml2:Attribute FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">IT</saml2:AttributeValue>
+			</saml2:Attribute>
+			<saml2:Attribute FriendlyName="GIVEN-NAME" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Max</saml2:AttributeValue>
+			</saml2:Attribute>
+			<saml2:Attribute FriendlyName="BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.55" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1940-01-01</saml2:AttributeValue>
+			</saml2:Attribute>
+			<saml2:Attribute FriendlyName="BPK" Name="urn:oid:1.2.40.0.10.2.1.1.149" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">QVGm48cqcM4UcyhDTNGYmVdrIoY=</saml2:AttributeValue>
+			</saml2:Attribute>
+            <saml2:Attribute FriendlyName="userAuthBlock" Name="urn:eidgvat:attributes.authblock.signed" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">MIIBbjCCARSgAwIBAgIEXh7TNzAKBggqhkjOPQQDAjA/MQswCQYDVQQGEwJBVDENMAsGA1UECgwERUdJWjEOMAwGA1UECwwFalVuaXQxETAPBgNVBAMMCG1ldGFkYXRhMB4XDTIwMDExNTA4NTQxNVoXDTMwMDExNDA4NTQxNVowPzELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVHSVoxDjAMBgNVBAsMBWpVbml0MREwDwYDVQQDDAhtZXRhZGF0YTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBdBkaxt31p++aZeP3SmlWITj9SYO4McV2ccXFsH4X4QMHuKAMUvjxPm1kdU01eTOWdiQX0GpDIBspYMZh8ZKcwwCgYIKoZIzj0EAwIDSAAwRQIhAJ3QKlk9cd90s+i8y62fvmGF6LtfNO+JvkWqDUBeQImnAiA2KwFtzO7STAp9MEwQGe0vt0F8mO1ttrLE+rr6YxdwGA==</saml2:AttributeValue>
+            </saml2:Attribute>
+		</saml2:AttributeStatement>
+	</saml2:Assertion>
+</saml2p:Response>