authorThomas Lenz <thomas.lenz@egiz.gv.at>2019-09-10 17:19:35 +0200
committerThomas Lenz <thomas.lenz@egiz.gv.at>2019-09-10 17:19:35 +0200
commit0cb050cee45dbe845cd6fc724e4ef07cfbcbb6ab (patch)
treea8a00b0747951c6b6e94e4a631f433bf087a8ff0
parent785613b05ac12afc6f47d5ad714cc1591b47c171 (diff)
update AuthnRequestValidator to check requested LoA and upgrade LoA if it is too low
-rw-r--r--connector/src/main/java/at/asitplus/eidas/specific/connector/verification/AuthnRequestValidator.java48
-rw-r--r--connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MSeIDASNodeConstants.java9
2 files changed, 57 insertions, 0 deletions
diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/verification/AuthnRequestValidator.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/verification/AuthnRequestValidator.java
index 12dffe45..bceb9f35 100644
--- a/connector/src/main/java/at/asitplus/eidas/specific/connector/verification/AuthnRequestValidator.java
+++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/verification/AuthnRequestValidator.java
@@ -39,11 +39,14 @@ import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.xml.XMLObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
import at.asitplus.eidas.specific.connector.MSeIDASNodeConstants;
import at.asitplus.eidas.specific.connector.config.ServiceProviderConfiguration;
import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
import at.gv.egiz.eaaf.core.api.data.PVPAttributeDefinitions;
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException;
import at.gv.egiz.eaaf.core.exceptions.EAAFException;
import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException;
@@ -56,6 +59,8 @@ public class AuthnRequestValidator implements IAuthnRequestValidator {
private static final Logger log = LoggerFactory.getLogger(AuthnRequestValidator.class);
+ @Autowired(required=true) private IConfiguration basicConfig;
+
@Override
public void validate(HttpServletRequest httpReq, IRequest pendingReq, AuthnRequest authnReq,
SPSSODescriptor spSSODescriptor) throws AuthnRequestValidatorException {
@@ -98,6 +103,49 @@ public class AuthnRequestValidator implements IAuthnRequestValidator {
//post-process requested LoA
List<String> reqLoA = extractLoA(authnReq);
+ String minimumLoAFromConfig = basicConfig.getBasicConfiguration(
+ MSeIDASNodeConstants.PROP_EIDAS_REQUEST_LOA_MINIMUM_LEVEL,
+ EAAFConstants.EIDAS_LOA_HIGH);
+ String intMinimumLoAFromConfig = minimumLoAFromConfig;
+ if (minimumLoAFromConfig.startsWith(EAAFConstants.EIDAS_LOA_PREFIX))
+ intMinimumLoAFromConfig = minimumLoAFromConfig.substring(EAAFConstants.EIDAS_LOA_PREFIX.length());
+
+ log.trace("Validate requested LoA to connector configuration minimum LoA: {} ...", minimumLoAFromConfig);
+ List<String> allowedLoA = new ArrayList<>();
+ for (String loa : reqLoA) {
+ String intLoa = loa;
+ if (loa.startsWith(EAAFConstants.EIDAS_LOA_PREFIX)) {
+ intLoa = loa.substring(EAAFConstants.EIDAS_LOA_PREFIX.length());
+
+ }
+
+ try {
+ String selectedLoA = EAAFConstants.EIDAS_LOA_HIGH;
+ if (MSeIDASNodeConstants.EIDAS_LOA_LEVEL_ORDER.valueOf(intLoa).ordinal() >=
+ MSeIDASNodeConstants.EIDAS_LOA_LEVEL_ORDER.valueOf(intMinimumLoAFromConfig).ordinal()) {
+ log.info("Client: {} requested LoA: {} will be upgraded to: {}",
+ pendingReq.getServiceProviderConfiguration().getUniqueIdentifier(),
+ loa,
+ minimumLoAFromConfig);
+ selectedLoA = loa;
+
+ }
+
+ if (!allowedLoA.contains(selectedLoA)) {
+ log.debug("Allow LoA: {} for Client: {}",
+ selectedLoA,
+ pendingReq.getServiceProviderConfiguration().getUniqueIdentifier());
+ allowedLoA.add(selectedLoA);
+
+ }
+
+ } catch (IllegalArgumentException e) {
+ log.warn("LoA: {} is currently NOT supported and it will be ignored.", loa);
+
+ }
+
+ }
+
pendingReq.getServiceProviderConfiguration(ServiceProviderConfiguration.class).setRequiredLoA(reqLoA);
//post-process requested LoA comparison-level
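Review bot: The LoA upgrade computed in this hunk never takes effect, because the list it builds, `allowedLoA`, is discarded and the unchanged `reqLoA` is still what `setRequiredLoA(reqLoA)` stores at the end of the hunk, so a service provider requesting a LoA below the configured minimum is passed through unchanged. Two further details of the loop look inverted: `selectedLoA` defaults to `EAAFConstants.EIDAS_LOA_HIGH` rather than `minimumLoAFromConfig`, and the "will be upgraded" info log sits in the branch where the requested LoA already meets the minimum and is kept as-is. Because `valueOf(intMinimumLoAFromConfig)` is evaluated inside the try, a misconfigured minimum makes every requested LoA log as "NOT supported", which hides the misconfiguration; resolving the minimum once before the loop and failing loudly there would be clearer. With the fix below an empty `allowedLoA` (all requested levels unsupported) is what gets stored where `reqLoA` was before, so downstream handling of an empty list should be confirmed. The enclosing `validate` method starts and ends outside this hunk.
```java
// … unchanged: minimumLoAFromConfig / intMinimumLoAFromConfig derivation …
List<String> allowedLoA = new ArrayList<>();
for (String loa : reqLoA) {
  String intLoa = loa.startsWith(EAAFConstants.EIDAS_LOA_PREFIX)
      ? loa.substring(EAAFConstants.EIDAS_LOA_PREFIX.length()) : loa;
  try {
    // upgrade to the configured minimum, not unconditionally to HIGH
    String selectedLoA = minimumLoAFromConfig;
    if (MSeIDASNodeConstants.EIDAS_LOA_LEVEL_ORDER.valueOf(intLoa).ordinal() >=
        MSeIDASNodeConstants.EIDAS_LOA_LEVEL_ORDER.valueOf(intMinimumLoAFromConfig).ordinal()) {
      selectedLoA = loa;
    } else {
      log.info("Client: {} requested LoA: {} will be upgraded to: {}",
          pendingReq.getServiceProviderConfiguration().getUniqueIdentifier(), loa, minimumLoAFromConfig);
    }
    // … unchanged: allowedLoA de-duplication and debug log …
  } catch (IllegalArgumentException e) {
    log.warn("LoA: {} is currently NOT supported and it will be ignored.", loa);
  }
}
pendingReq.getServiceProviderConfiguration(ServiceProviderConfiguration.class).setRequiredLoA(allowedLoA);
```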
diff --git a/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MSeIDASNodeConstants.java b/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MSeIDASNodeConstants.java
index 3ca82a66..7b6aec86 100644
--- a/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MSeIDASNodeConstants.java
+++ b/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MSeIDASNodeConstants.java
@@ -54,6 +54,8 @@ public class MSeIDASNodeConstants {
//TODO: is not implemented yet
public static final String PROP_CONFIG_SP_VALIDATION_DISABLED = "configuration.sp.disableRegistrationRequirement";
+ public static final String PROP_EIDAS_REQUEST_LOA_MINIMUM_LEVEL = "auth.eIDAS.node_v2.loa.requested.minimum";
+
public static final String PROP_CONFIG_SP_LIST_PREFIX = "sp.";
public static final String PROP_CONFIG_SP_UNIQUEIDENTIFIER = EAAFConfigConstants.SERVICE_UNIQUEIDENTIFIER;
public static final String PROP_CONFIG_SP_FRIENDLYNAME = "friendlyName";
@@ -114,4 +116,11 @@ public class MSeIDASNodeConstants {
public static final List<String> COUNTRY_SELECTION_PARAM_WHITELIST =
Arrays.asList(REQ_PARAM_SELECTED_COUNTRY, REQ_PARAM_SELECTED_ENVIRONMENT);
+
+ public enum EIDAS_LOA_LEVEL_ORDER {
+ low,
+ substantial,
+ high
+ }
+
}
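Review bot: `EIDAS_LOA_LEVEL_ORDER` carries no documentation although its declaration order is load-bearing — the validator compares `ordinal()` values, so adding a constant out of order silently changes which requests get upgraded; add a Javadoc such as `/** eIDAS levels of assurance in ascending strength. Declaration order is significant: callers compare ordinal(). Constant names are matched case-sensitively via valueOf() against the LoA URI suffix. */`. The type name uses UPPER_SNAKE_CASE where Java convention for an enum is UpperCamelCase (`EidasLoaLevelOrder`); since the type is new in this commit, renaming now is cheap. The case-sensitive `valueOf` lookup means any deviation in the suffix's case is treated as unsupported, which is presumably intended but worth stating in the same comment.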