diff options
author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2019-09-10 17:19:35 +0200 |
---|---|---|
committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2019-09-10 17:19:35 +0200 |
commit | 0cb050cee45dbe845cd6fc724e4ef07cfbcbb6ab (patch) | |
tree | a8a00b0747951c6b6e94e4a631f433bf087a8ff0 | |
parent | 785613b05ac12afc6f47d5ad714cc1591b47c171 (diff) | |
download | National_eIDAS_Gateway-0cb050cee45dbe845cd6fc724e4ef07cfbcbb6ab.tar.gz National_eIDAS_Gateway-0cb050cee45dbe845cd6fc724e4ef07cfbcbb6ab.tar.bz2 National_eIDAS_Gateway-0cb050cee45dbe845cd6fc724e4ef07cfbcbb6ab.zip |
update AuthnRequestValidator to check requested LoA and upgrade LoA if it is to low
2 files changed, 57 insertions, 0 deletions
diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/verification/AuthnRequestValidator.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/verification/AuthnRequestValidator.java index 12dffe45..bceb9f35 100644 --- a/connector/src/main/java/at/asitplus/eidas/specific/connector/verification/AuthnRequestValidator.java +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/verification/AuthnRequestValidator.java @@ -39,11 +39,14 @@ import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.xml.XMLObject; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; import at.asitplus.eidas.specific.connector.MSeIDASNodeConstants; import at.asitplus.eidas.specific.connector.config.ServiceProviderConfiguration; import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.data.EAAFConstants; import at.gv.egiz.eaaf.core.api.data.PVPAttributeDefinitions; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException; import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException; @@ -56,6 +59,8 @@ public class AuthnRequestValidator implements IAuthnRequestValidator { private static final Logger log = LoggerFactory.getLogger(AuthnRequestValidator.class); + @Autowired(required=true) private IConfiguration basicConfig; + @Override public void validate(HttpServletRequest httpReq, IRequest pendingReq, AuthnRequest authnReq, SPSSODescriptor spSSODescriptor) throws AuthnRequestValidatorException { @@ -98,6 +103,49 @@ public class AuthnRequestValidator implements IAuthnRequestValidator { //post-process requested LoA List<String> reqLoA = extractLoA(authnReq); + String minimumLoAFromConfig = basicConfig.getBasicConfiguration( + MSeIDASNodeConstants.PROP_EIDAS_REQUEST_LOA_MINIMUM_LEVEL, + EAAFConstants.EIDAS_LOA_HIGH); + String intMinimumLoAFromConfig = minimumLoAFromConfig; + if (minimumLoAFromConfig.startsWith(EAAFConstants.EIDAS_LOA_PREFIX)) + intMinimumLoAFromConfig = minimumLoAFromConfig.substring(EAAFConstants.EIDAS_LOA_PREFIX.length()); + + log.trace("Validate requested LoA to connector configuration minimum LoA: {} ...", minimumLoAFromConfig); + List<String> allowedLoA = new ArrayList<>(); + for (String loa : reqLoA) { + String intLoa = loa; + if (loa.startsWith(EAAFConstants.EIDAS_LOA_PREFIX)) { + intLoa = loa.substring(EAAFConstants.EIDAS_LOA_PREFIX.length()); + + } + + try { + String selectedLoA = EAAFConstants.EIDAS_LOA_HIGH; + if (MSeIDASNodeConstants.EIDAS_LOA_LEVEL_ORDER.valueOf(intLoa).ordinal() >= + MSeIDASNodeConstants.EIDAS_LOA_LEVEL_ORDER.valueOf(intMinimumLoAFromConfig).ordinal()) { + log.info("Client: {} requested LoA: {} will be upgraded to: {}", + pendingReq.getServiceProviderConfiguration().getUniqueIdentifier(), + loa, + minimumLoAFromConfig); + selectedLoA = loa; + + } + + if (!allowedLoA.contains(selectedLoA)) { + log.debug("Allow LoA: {} for Client: {}", + selectedLoA, + pendingReq.getServiceProviderConfiguration().getUniqueIdentifier()); + allowedLoA.add(selectedLoA); + + } + + } catch (IllegalArgumentException e) { + log.warn("LoA: {} is currently NOT supported and it will be ignored.", loa); + + } + + } + pendingReq.getServiceProviderConfiguration(ServiceProviderConfiguration.class).setRequiredLoA(reqLoA); //post-process requested LoA comparison-level diff --git a/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MSeIDASNodeConstants.java b/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MSeIDASNodeConstants.java index 3ca82a66..7b6aec86 100644 --- a/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MSeIDASNodeConstants.java +++ b/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MSeIDASNodeConstants.java @@ -54,6 +54,8 @@ public class MSeIDASNodeConstants { //TODO: is not implemented yet public static final String PROP_CONFIG_SP_VALIDATION_DISABLED = "configuration.sp.disableRegistrationRequirement"; + public static final String PROP_EIDAS_REQUEST_LOA_MINIMUM_LEVEL = "auth.eIDAS.node_v2.loa.requested.minimum"; + public static final String PROP_CONFIG_SP_LIST_PREFIX = "sp."; public static final String PROP_CONFIG_SP_UNIQUEIDENTIFIER = EAAFConfigConstants.SERVICE_UNIQUEIDENTIFIER; public static final String PROP_CONFIG_SP_FRIENDLYNAME = "friendlyName"; @@ -114,4 +116,11 @@ public class MSeIDASNodeConstants { public static final List<String> COUNTRY_SELECTION_PARAM_WHITELIST = Arrays.asList(REQ_PARAM_SELECTED_COUNTRY, REQ_PARAM_SELECTED_ENVIRONMENT); + + public enum EIDAS_LOA_LEVEL_ORDER { + low, + substantial, + high + } + } |