diff options
author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-12-15 18:21:07 +0100 |
---|---|---|
committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-12-15 18:21:07 +0100 |
commit | 47e2b6c838233aec6482ae81db91d8d48f0d3ea3 (patch) | |
tree | 495db98e50d49f8170896df6a4577a8e480866d0 | |
parent | 230e6c3890c7e63b286e9a08001e5ffd63743d2c (diff) | |
parent | 76bba5972cfa6d6272a73cbdf56a8705419c55c8 (diff) | |
download | National_eIDAS_Gateway-47e2b6c838233aec6482ae81db91d8d48f0d3ea3.tar.gz National_eIDAS_Gateway-47e2b6c838233aec6482ae81db91d8d48f0d3ea3.tar.bz2 National_eIDAS_Gateway-47e2b6c838233aec6482ae81db91d8d48f0d3ea3.zip |
Merge branch 'feature/EID_connection' into 'nightlybuild'
Feature/eid connection
See merge request egiz/eidas_at_proxy!2
29 files changed, 1519 insertions, 129 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 81a4a4dd..17655aa5 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,4 +1,5 @@ -image: maven:3.6-jdk-8 +#image: maven:3.6-jdk-8 +image: maven:latest variables: LC_ALL: "en_US.UTF-8" @@ -9,6 +10,9 @@ variables: MAVEN_OPTS: "-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=${CI_PROJECT_DIR}/.m2/repository -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=WARN -Dorg.slf4j.simpleLogger.showDateTime=true -Djava.awt.headless=true" GIT_DEPTH: "2" SECURE_LOG_LEVEL: "debug" + JACOCO_CSV_LOCATION: '${CI_PROJECT_DIR}/build_reporting/target/site/jacoco-aggregate-ut/jacoco.csv' + JACOCO_XML_LOCATION: '${CI_PROJECT_DIR}/build_reporting/target/site/jacoco-aggregate-ut/jacoco.xml' + PROJECT_RELEASE_PACKAGE: '${CI_PROJECT_DIR}/target/*-dist.zip' include: - template: Dependency-Scanning.gitlab-ci.yml @@ -31,7 +35,48 @@ assemble: - tags script: | mvn $MAVEN_CLI_OPTS generate-sources compile test + after_script: + - awk -F"," '{ instructions += $4 + $5; covered += $5 } END { print covered, "/", instructions, " instructions covered"; print 100*covered/instructions, "% covered" }' $JACOCO_CSV_LOCATION artifacts: when: always reports: junit: "**/target/surefire-reports/TEST-*.xml" + paths: + - $JACOCO_CSV_LOCATION + - $JACOCO_XML_LOCATION + + +buildDistributionPackage: + stage: package + except: + - tags + script: | + export VERSION=$(mvn -B help:evaluate -Dexpression=project.version -B | grep -v "\[INFO\]" | grep -Po "\d+\.\d+\.\d+((-\w*)+)?") + echo "Build full package of version $VERSION" + mvn $MAVEN_CLI_OPTS verify -DskipTests + echo "VERSION=$VERSION" >> variables.env + artifacts: + when: always + reports: + dotenv: variables.env + name: "$CI_JOB_NAME-$CI_COMMIT_REF_NAME" + paths: + - $PROJECT_RELEASE_PACKAGE + +release: + stage: release + image: registry.gitlab.com/gitlab-org/release-cli:latest + needs: + - job: buildDistributionPackage + artifacts: true + when: manual + only: + - master + script: | + echo "Releasing version $VERSION of $LIB_NAME" + echo "Publishing version $VERSION to public EGIZ maven" + mvn $MAVEN_CLI_OPTS deploy + artifacts: + name: "$CI_JOB_NAME-$CI_COMMIT_REF_NAME-EGIZ" + paths: + - $PROJECT_RELEASE_PACKAGE diff --git a/basicConfig/default_config.properties b/basicConfig/default_config.properties index 483e9c97..fabfdfef 100644 --- a/basicConfig/default_config.properties +++ b/basicConfig/default_config.properties @@ -119,7 +119,7 @@ eidas.ms.sp.0.pvp2.metadata.truststore.password= ##only for advanced config eidas.ms.configuration.sp.disableRegistrationRequirement= -eidas.ms.configuration.restrictions.baseID.spTransmission= +#eidas.ms.configuration.restrictions.baseID.spTransmission= eidas.ms.configuration.auth.default.countrycode= eidas.ms.configuration.pvp.scheme.validation= eidas.ms.configuration.pvp.enable.entitycategories=
\ No newline at end of file diff --git a/build_reporting/pom.xml b/build_reporting/pom.xml new file mode 100644 index 00000000..eca57a03 --- /dev/null +++ b/build_reporting/pom.xml @@ -0,0 +1,75 @@ +<?xml version="1.0" encoding="UTF-8"?> +<project xmlns="http://maven.apache.org/POM/4.0.0" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"> + <modelVersion>4.0.0</modelVersion> + <parent> + <groupId>at.asitplus.eidas</groupId> + <artifactId>ms_specific</artifactId> + <version>1.1.1-SNAPSHOT</version> + </parent> + <artifactId>build_reporting</artifactId> + <packaging>pom</packaging> + <name>Reporting Module</name> + + <dependencies> + <dependency> + <groupId>at.asitplus.eidas.ms_specific</groupId> + <artifactId>connector_lib</artifactId> + </dependency> + <dependency> + <groupId>at.asitplus.eidas.ms_specific.modules</groupId> + <artifactId>authmodule-eIDAS-v2</artifactId> + </dependency> + <dependency> + <groupId>at.asitplus.eidas.ms_specific</groupId> + <artifactId>ms_specific_connector</artifactId> + <type>war</type> + </dependency> + </dependencies> + + <build> + <plugins> + <plugin> + <groupId>org.jacoco</groupId> + <artifactId>jacoco-maven-plugin</artifactId> + <executions> + <!-- aggregated unit test coverage report --> + <execution> + <id>aggregate-reports-ut</id> + <phase>test</phase> + <goals> + <goal>report-aggregate</goal> + </goals> + <configuration> + <title>Maven Multimodule Coverage Demo: Coverage of Unit Tests</title> + <outputDirectory>${project.reporting.outputDirectory}/jacoco-aggregate-ut</outputDirectory> + <dataFileExcludes> + <!-- exclude coverage data of integration tests --> + <dataFileExclude>**/target/jacoco-it.exec</dataFileExclude> + </dataFileExcludes> + </configuration> + </execution> + </executions> + </plugin> + + <plugin> + <groupId>org.owasp</groupId> + <artifactId>dependency-check-maven</artifactId> + <configuration> + <failBuildOnCVSS>11</failBuildOnCVSS> + <failOnError>false</failOnError> + </configuration> + <executions> + <execution> + <goals> + <goal>check</goal> + </goals> + </execution> + </executions> + </plugin> + + </plugins> + </build> + +</project> diff --git a/connector/checks/spotbugs-exclude.xml b/connector/checks/spotbugs-exclude.xml new file mode 100644 index 00000000..5d4fd515 --- /dev/null +++ b/connector/checks/spotbugs-exclude.xml @@ -0,0 +1,22 @@ +<?xml version="1.0" encoding="UTF-8"?> +<FindBugsFilter> + <Match> + <!-- Write only application status into response. Should be removed if we switch to Spring Actuator --> + <Class name="at.asitplus.eidas.specific.connector.controller.MonitoringController" /> + <Method name="startSingleTests" /> + <Bug pattern="XSS_SERVLET" /> + </Match> + <Match> + <!-- CSFR protection is implemented by pendingRequestId that is an one-time token + Endpoint for Metadata generation can be unrestrected by design --> + <OR> + <Class name="at.asitplus.eidas.specific.connector.controller.ProcessEngineSignalController" /> + <Class name="at.asitplus.eidas.specific.connector.controller.Pvp2SProfileEndpoint" /> + </OR> + <OR> + <Method name="performGenericAuthenticationProcess" /> + <Method name="pvpMetadataRequest" /> + </OR> + <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" /> + </Match> +</FindBugsFilter> diff --git a/connector/pom.xml b/connector/pom.xml index 6621fb0f..3c2ddf07 100644 --- a/connector/pom.xml +++ b/connector/pom.xml @@ -156,6 +156,15 @@ </executions> </plugin> + <plugin> + <groupId>com.github.spotbugs</groupId> + <artifactId>spotbugs-maven-plugin</artifactId> + <version>${spotbugs-maven-plugin.version}</version> + <configuration> + <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile> + </configuration> + </plugin> + </plugins> </build> </project> diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java index 13cceafb..c41660ce 100644 --- a/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java @@ -25,70 +25,63 @@ package at.asitplus.eidas.specific.connector.builder; import java.util.Date; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import org.springframework.stereotype.Service; -import org.w3c.dom.DOMException; import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions; import at.gv.egiz.eaaf.core.api.idp.IAuthData; import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; import at.gv.egiz.eaaf.core.api.idp.auth.data.IAuthProcessDataContainer; -import at.gv.egiz.eaaf.core.exceptions.EaafAuthenticationException; import at.gv.egiz.eaaf.core.exceptions.EaafBuilderException; -import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; import at.gv.egiz.eaaf.core.exceptions.EaafException; -import at.gv.egiz.eaaf.core.exceptions.EaafParserException; -import at.gv.egiz.eaaf.core.exceptions.XPathException; import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.core.impl.idp.AuthenticationData; import at.gv.egiz.eaaf.core.impl.idp.auth.builder.AbstractAuthenticationDataBuilder; import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper; +import lombok.extern.slf4j.Slf4j; @Service("AuthenticationDataBuilder") +@Slf4j public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder { - private static final Logger log = LoggerFactory.getLogger(AuthenticationDataBuilder.class); - + @Override - public IAuthData buildAuthenticationData(IRequest pendingReq) throws EaafAuthenticationException { - - final IAuthProcessDataContainer authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); + protected IAuthData buildDeprecatedAuthData(IRequest pendingReq) throws EaafException { + final IAuthProcessDataContainer authProcessData = + pendingReq.getSessionData(AuthProcessDataWrapper.class); AuthenticationData authData = new AuthenticationData(); - - boolean isEidModeNew = pendingReq.getServiceProviderConfiguration() - .isConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE, false); - - if (isEidModeNew) { - authData = (AuthenticationData) super.buildAuthenticationData(pendingReq); - } else { - try { - generateDeprecatedBasicAuthData(authData, pendingReq, authProcessData); - - // set specific informations - authData.setSsoSessionValidTo( - new Date(new Date().getTime() + MsEidasNodeConstants.DEFAULT_PVP_ASSERTION_VALIDITY * 60 * 1000)); - - } catch (EaafBuilderException | EaafParserException - | EaafConfigurationException | XPathException | DOMException e) { - log.warn("Can not build authentication data from auth. process information"); - throw new EaafAuthenticationException("builder.11", new Object[]{e.getMessage()}, e); - - } - } + + //set basis infos + super.generateDeprecatedBasicAuthData(authData, pendingReq, authProcessData); + + // set specific informations + authData.setSsoSessionValidTo( + new Date(new Date().getTime() + MsEidasNodeConstants.DEFAULT_PVP_ASSERTION_VALIDITY * 60 * 1000)); + return authData; - } - - @Override - protected IAuthData buildDeprecatedAuthData(IRequest arg0) throws EaafException { - return new AuthenticationData(); } @Override - protected void buildServiceSpecificAuthenticationData(IAuthData arg0, IRequest arg1) throws EaafException { - // TODO Auto-generated method stub - + protected void buildServiceSpecificAuthenticationData(IAuthData authData, IRequest pendingReq) + throws EaafException { + if (authData instanceof AuthenticationData) { + ((AuthenticationData)authData).setGenericData( + ExtendedPvpAttributeDefinitions.EID_PII_TRANSACTION_ID_NAME, + pendingReq.getUniquePiiTransactionIdentifier()); + log.trace("Inject piiTransactionId: {} into AuthData", pendingReq.getUniquePiiTransactionIdentifier()); + + // set specific informations + ((AuthenticationData)authData).setSsoSessionValidTo( + new Date(new Date().getTime() + MsEidasNodeConstants.DEFAULT_PVP_ASSERTION_VALIDITY * 60 * 1000)); + + + } else { + throw new RuntimeException("Can not inject PiiTransactionId because AuthData is of unknown type: " + + authData.getClass().getName()); + + } + } @Override @@ -100,8 +93,6 @@ public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder @Override protected Pair<String, String> buildOAspecificbPK(IRequest pendingReq, AuthenticationData authData) throws EaafBuilderException { - // TODO: check if bPK already exists - return super.buildOAspecificbPK(pendingReq, authData); } diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java index aa45c836..f2d9fc8c 100644 --- a/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/controller/MonitoringController.java @@ -34,6 +34,7 @@ import org.apache.commons.text.StringEscapeUtils; import org.apache.http.client.methods.CloseableHttpResponse; import org.apache.http.client.methods.HttpGet; import org.apache.http.client.methods.HttpUriRequest; +import org.apache.http.client.utils.URIBuilder; import org.apache.http.impl.client.CloseableHttpClient; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -250,9 +251,9 @@ public class MonitoringController { } // create HTTP client - // TODO: update if we switch to openSAML3 - CloseableHttpClient httpClient = httpClientFactory.getHttpClient(); - HttpUriRequest request = new HttpGet(urlString); + CloseableHttpClient httpClient = httpClientFactory.getHttpClient(); + URIBuilder uriBuilder = new URIBuilder(urlString); + HttpUriRequest request = new HttpGet(uriBuilder.build()); final CloseableHttpResponse respCode = httpClient.execute(request); if (respCode.getStatusLine().getStatusCode() != 200) { diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthenticationDataBuilderTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthenticationDataBuilderTest.java index 1721fe61..316dcb5f 100644 --- a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthenticationDataBuilderTest.java +++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthenticationDataBuilderTest.java @@ -1,18 +1,15 @@ package at.asitplus.eidas.specific.connector.test; +import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE; + +import java.io.IOException; +import java.security.PublicKey; +import java.util.Date; +import java.util.HashMap; +import java.util.Map; + +import javax.xml.transform.TransformerException; -import at.asitplus.eidas.specific.connector.builder.AuthenticationDataBuilder; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; -import at.gv.egiz.eaaf.core.api.data.EaafConfigConstants; -import at.gv.egiz.eaaf.core.api.idp.IAuthData; -import at.gv.egiz.eaaf.core.api.idp.IConfiguration; -import at.gv.egiz.eaaf.core.exceptions.EaafAuthenticationException; -import at.gv.egiz.eaaf.core.exceptions.EaafStorageException; -import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper; -import at.gv.egiz.eaaf.core.impl.idp.module.test.DummySpConfiguration; -import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl; -import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; -import net.shibboleth.utilities.java.support.component.ComponentInitializationException; import org.apache.commons.lang3.RandomStringUtils; import org.junit.Assert; import org.junit.Before; @@ -29,14 +26,32 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; import org.springframework.test.context.web.WebAppConfiguration; import org.springframework.web.context.request.RequestContextHolder; import org.springframework.web.context.request.ServletRequestAttributes; +import org.w3c.dom.Element; -import java.util.HashMap; -import java.util.Map; - -import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE; +import at.asitplus.eidas.specific.connector.builder.AuthenticationDataBuilder; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.gv.egiz.eaaf.core.api.data.EaafConfigConstants; +import at.gv.egiz.eaaf.core.api.data.EaafConstants; +import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions; +import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; +import at.gv.egiz.eaaf.core.api.idp.IAuthData; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink; +import at.gv.egiz.eaaf.core.exceptions.EaafAuthenticationException; +import at.gv.egiz.eaaf.core.exceptions.EaafBuilderException; +import at.gv.egiz.eaaf.core.exceptions.EaafParserException; +import at.gv.egiz.eaaf.core.exceptions.EaafStorageException; +import at.gv.egiz.eaaf.core.impl.idp.auth.builder.BpkBuilder; +import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper; +import at.gv.egiz.eaaf.core.impl.idp.auth.data.SimpleIdentityLinkAssertionParser; +import at.gv.egiz.eaaf.core.impl.idp.module.test.DummySpConfiguration; +import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl; +import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; +import net.shibboleth.utilities.java.support.component.ComponentInitializationException; @RunWith(SpringJUnit4ClassRunner.class) -@ContextConfiguration({"/applicationContext.xml", "/SpringTest_connector.beans.xml", "/eaaf_core.beans.xml", "/eaaf_pvp.beans.xml", "/eaaf_pvp_idp.beans.xml", "/spring/SpringTest-context_simple_storage.xml"}) +@ContextConfiguration({ "/applicationContext.xml", "/SpringTest_connector.beans.xml", "/eaaf_core.beans.xml", + "/eaaf_pvp.beans.xml", "/eaaf_pvp_idp.beans.xml", "/spring/SpringTest-context_simple_storage.xml" }) @WebAppConfiguration public class AuthenticationDataBuilderTest { @@ -55,11 +70,11 @@ public class AuthenticationDataBuilderTest { private String eidasBind; private String authBlock; - @BeforeClass public static void classInitializer() throws InitializationException, ComponentInitializationException { final String current = new java.io.File(".").toURI().toString(); - System.setProperty("eidas.ms.configuration", current + "src/test/resources/config/junit_config_3.properties"); + System.setProperty("eidas.ms.configuration", current + + "src/test/resources/config/junit_config_3.properties"); EaafOpenSaml3xInitializer.eaafInitialize(); } @@ -80,28 +95,258 @@ public class AuthenticationDataBuilderTest { pendingReq = new TestRequestImpl(); pendingReq.setAuthUrl("https://localhost/ms_connector"); pendingReq.setPendingReqId(RandomStringUtils.randomAlphanumeric(10)); + pendingReq.setPiiTransactionId(RandomStringUtils.randomAlphanumeric(10)); pendingReq.setSpConfig(oaParam); - pendingReq.getSessionData(AuthProcessDataWrapper.class).setEidProcess(true); authBlock = RandomStringUtils.randomAlphanumeric(20); eidasBind = RandomStringUtils.randomAlphanumeric(20); - pendingReq.getSessionData(AuthProcessDataWrapper.class).setGenericDataToSession(Constants.SZR_AUTHBLOCK, authBlock); - pendingReq.getSessionData(AuthProcessDataWrapper.class).setGenericDataToSession(Constants.EIDAS_BIND, eidasBind); + pendingReq.getSessionData(AuthProcessDataWrapper.class) + .setGenericDataToSession(Constants.SZR_AUTHBLOCK, authBlock); + pendingReq.getSessionData(AuthProcessDataWrapper.class) + .setGenericDataToSession(Constants.EIDAS_BIND, eidasBind); + pendingReq.getSessionData(AuthProcessDataWrapper.class) + .setQaaLevel(EaafConstants.EIDAS_LOA_PREFIX + RandomStringUtils.randomAlphabetic(5)); + pendingReq.getSessionData(AuthProcessDataWrapper.class).setGenericDataToSession( + PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, + RandomStringUtils.randomAlphabetic(2)); + LocaleContextHolder.resetLocaleContext(); + } @Test - public void first() throws EaafAuthenticationException { + public void eidMode() throws EaafAuthenticationException { + // initialize state + pendingReq.getSessionData(AuthProcessDataWrapper.class).setEidProcess(true); + + // execute IAuthData authData = authenticationDataBuilder.buildAuthenticationData(pendingReq); + // validate state Assert.assertNotNull("AuthData null", authData); Assert.assertNotNull("authBlock null", authData.getGenericData(Constants.SZR_AUTHBLOCK, String.class)); Assert.assertNotNull("eidasBind null", authData.getGenericData(Constants.EIDAS_BIND, String.class)); - Assert.assertNotNull("eidasBind null", authData.getEidasQaaLevel()); + Assert.assertNotNull("LoA null", authData.getEidasQaaLevel()); + String authBlock = authData.getGenericData(Constants.SZR_AUTHBLOCK, String.class); String eidasBind = authData.getGenericData(Constants.EIDAS_BIND, String.class); - Assert.assertEquals("authBlock not equal", authBlock, this.authBlock); - Assert.assertEquals("eidasBind not equal", eidasBind, this.eidasBind); + Assert.assertEquals("authBlock not equal", this.authBlock, authBlock); + Assert.assertEquals("eidasBind not equal", this.eidasBind, eidasBind); + Assert.assertEquals("piiTransactionId", + authData.getGenericData(ExtendedPvpAttributeDefinitions.EID_PII_TRANSACTION_ID_NAME, String.class), + this.pendingReq.getUniquePiiTransactionIdentifier()); + Assert.assertNotNull("assertion validTo", authData.getSsoSessionValidTo()); + Assert.assertEquals("LoA", pendingReq.getSessionData(AuthProcessDataWrapper.class).getQaaLevel(), + authData.getEidasQaaLevel()); + Assert.assertEquals("EID-ISSUING-NATION", + pendingReq.getSessionData(AuthProcessDataWrapper.class).getGenericDataFromSession( + PvpAttributeDefinitions.EID_ISSUING_NATION_NAME), + authData.getCiticenCountryCode()); + + Assert.assertNull("bPK", authData.getBpk()); + Assert.assertNull("bPKType", authData.getBpkType()); + Assert.assertNull("FamilyName", authData.getFamilyName()); + Assert.assertNull("GivenName", authData.getGivenName()); + Assert.assertNull("DateOfBirth", authData.getDateOfBirth()); + Assert.assertNull("baseId", authData.getIdentificationValue()); + Assert.assertNull("baseIdType", authData.getIdentificationType()); + Assert.assertNull("IDL", authData.getIdentityLink()); + + } + + @Test + public void moaIdMode() throws EaafAuthenticationException, EaafBuilderException { + //initialize state + pendingReq.getSessionData(AuthProcessDataWrapper.class).setEidProcess(false); + IIdentityLink idl = buildDummyIdl(); + pendingReq.getSessionData(AuthProcessDataWrapper.class).setIdentityLink(idl); + + //execute + IAuthData authData = authenticationDataBuilder.buildAuthenticationData(pendingReq); + + //validate state + Assert.assertNotNull("AuthData null", authData); + Assert.assertNull("authBlock null", authData.getGenericData(Constants.SZR_AUTHBLOCK, String.class)); + Assert.assertNull("eidasBind null", authData.getGenericData(Constants.EIDAS_BIND, String.class)); + Assert.assertNull("piiTransactionId", + authData.getGenericData(ExtendedPvpAttributeDefinitions.EID_PII_TRANSACTION_ID_NAME, String.class)); + + + Assert.assertNotNull("assertion validTo", authData.getSsoSessionValidTo()); + Assert.assertNotNull("LoA null", authData.getEidasQaaLevel()); + Assert.assertEquals("LoA", pendingReq.getSessionData(AuthProcessDataWrapper.class).getQaaLevel(), + authData.getEidasQaaLevel()); + Assert.assertEquals("EID-ISSUING-NATION", + pendingReq.getSessionData(AuthProcessDataWrapper.class).getGenericDataFromSession( + PvpAttributeDefinitions.EID_ISSUING_NATION_NAME), + authData.getCiticenCountryCode()); + + Assert.assertEquals("FamilyName", idl.getFamilyName(), authData.getFamilyName()); + Assert.assertEquals("GivenName", idl.getGivenName(), authData.getGivenName()); + Assert.assertEquals("DateOfBirth", idl.getDateOfBirth(), authData.getFormatedDateOfBirth()); + Assert.assertEquals("bPK", + BpkBuilder.generateAreaSpecificPersonIdentifier( + idl.getIdentificationValue(), EaafConstants.URN_PREFIX_CDID + "XX").getFirst(), + authData.getBpk()); + Assert.assertEquals("bPKType", EaafConstants.URN_PREFIX_CDID + "XX", authData.getBpkType()); + Assert.assertNotNull("IDL", authData.getIdentityLink()); + + + } + + private IIdentityLink buildDummyIdl() { + return new IIdentityLink() { + + String familyName = RandomStringUtils.randomAlphabetic(10); + String givenName = RandomStringUtils.randomAlphabetic(10); + String dateOfBirth = "1955-02-03"; + String baseId = RandomStringUtils.randomAlphanumeric(20); + String saml2Serialized = RandomStringUtils.randomAlphanumeric(150); + + + + @Override + public void setSamlAssertion(Element arg0) throws TransformerException, IOException { + + } + + @Override + public void setPublicKey(PublicKey[] arg0) { + // TODO Auto-generated method stub + + } + + @Override + public void setPrPerson(Element arg0) { + // TODO Auto-generated method stub + + } + + @Override + public void setIssueInstant(String arg0) { + // TODO Auto-generated method stub + + } + + @Override + public void setIdentificationValue(String arg0) { + // TODO Auto-generated method stub + + } + + @Override + public void setIdentificationType(String arg0) { + // TODO Auto-generated method stub + + } + + @Override + public void setGivenName(String arg0) { + // TODO Auto-generated method stub + + } + + @Override + public void setFamilyName(String arg0) { + // TODO Auto-generated method stub + + } + + @Override + public void setDsigReferenceTransforms(Element[] arg0) { + // TODO Auto-generated method stub + + } + + @Override + public void setDateOfBirth(String arg0) { + // TODO Auto-generated method stub + + } + + @Override + public String getSerializedSamlAssertion() { + return this.saml2Serialized; + } + + @Override + public Element getSamlAssertion() { + IIdentityLink fullIdl; + try { + fullIdl = new SimpleIdentityLinkAssertionParser( + AuthenticationDataBuilderTest.class.getResourceAsStream("/data/test_idl_1.xml")).parseIdentityLink(); + return fullIdl.getSamlAssertion(); + + } catch (EaafParserException e) { + e.printStackTrace(); + } + + return null; + + } + + @Override + public PublicKey[] getPublicKey() { + // TODO Auto-generated method stub + return null; + } + + @Override + public Element getPrPerson() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getName() { + // TODO Auto-generated method stub + return null; + } + + @Override + public Date getIssueInstantDate() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getIssueInstant() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getIdentificationValue() { + return this.baseId; + } + + @Override + public String getIdentificationType() { + return EaafConstants.URN_PREFIX_BASEID; + } + + @Override + public String getGivenName() { + return this.givenName; + } + + @Override + public String getFamilyName() { + return this.familyName; + } + + @Override + public Element[] getDsigReferenceTransforms() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getDateOfBirth() { + return this.dateOfBirth; + + } + }; } } diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/BasicConfigurationTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/BasicConfigurationTest.java new file mode 100644 index 00000000..6e52f113 --- /dev/null +++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/BasicConfigurationTest.java @@ -0,0 +1,135 @@ +package at.asitplus.eidas.specific.connector.test; + +import java.net.MalformedURLException; +import java.net.URL; +import java.security.cert.CertificateException; + +import org.junit.Assert; +import org.junit.BeforeClass; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.opensaml.core.config.InitializationException; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.test.annotation.DirtiesContext; +import org.springframework.test.annotation.DirtiesContext.ClassMode; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; + +import at.asitplus.eidas.specific.connector.config.ServiceProviderConfiguration; +import at.gv.egiz.eaaf.core.api.data.EaafConstants; +import at.gv.egiz.eaaf.core.api.idp.IConfigurationWithSP; +import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import net.shibboleth.utilities.java.support.component.ComponentInitializationException; + +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration({ + "/applicationContext.xml", + "/specific_eIDAS_connector.beans.xml", + "/eaaf_core.beans.xml", + "/eaaf_pvp.beans.xml", + "/eaaf_pvp_idp.beans.xml", + "/spring/SpringTest-context_simple_storage.xml" }) +@WebAppConfiguration +@DirtiesContext(classMode = ClassMode.BEFORE_CLASS) +public class BasicConfigurationTest { + + @Autowired private IConfigurationWithSP basicConfig; + + /** + * jUnit class initializer. + * @throws ComponentInitializationException In case of an error + * @throws InitializationException In case of an error + * @throws CertificateException + * + */ + @BeforeClass + public static void classInitializer() throws InitializationException, + ComponentInitializationException, CertificateException { + final String current = new java.io.File(".").toURI().toString(); + System.setProperty("eidas.ms.configuration", current + "src/test/resources/config/junit_config_1.properties"); + + } + + + @Test + public void basicConfig() throws MalformedURLException, EaafException { + Assert.assertEquals("validate req. URL", "http://localhost", + basicConfig.validateIdpUrl(new URL("http://junit/test"))); + + Assert.assertEquals("validate req. URL", "http://localhost", + basicConfig.validateIdpUrl(new URL("http://localhost/test1/test"))); + + } + + @Test + public void loadSpNotExist() throws EaafConfigurationException { + //check + ISpConfiguration sp = basicConfig.getServiceProviderConfiguration( + "https://not/exist"); + + //validate state + Assert.assertNull("spConfig", sp); + + + } + + @Test + public void loadSpDefault() throws EaafConfigurationException { + //check + ISpConfiguration sp = basicConfig.getServiceProviderConfiguration( + "https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/metadata"); + + //validate state + Assert.assertNotNull("spConfig", sp); + Assert.assertEquals("BaseId transfare restrication", true, sp.hasBaseIdTransferRestriction()); + Assert.assertEquals("BaseId process restrication", false, sp.hasBaseIdInternalProcessingRestriction()); + + Assert.assertEquals("req. LoA size", 1, sp.getRequiredLoA().size()); + Assert.assertEquals("req. LoA", EaafConstants.EIDAS_LOA_HIGH, sp.getRequiredLoA().get(0)); + Assert.assertEquals("LoA matching mode", + EaafConstants.EIDAS_LOA_MATCHING_MINIMUM, sp.getLoAMatchingMode()); + + } + + @Test + public void loadSpNoBaseIdTransferRestriction() throws EaafException { + //check + ServiceProviderConfiguration sp = basicConfig.getServiceProviderConfiguration( + "https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/metadata", ServiceProviderConfiguration.class); + + //validate state + Assert.assertNotNull("spConfig", sp); + Assert.assertNull("bPKTarget already set", sp.getAreaSpecificTargetIdentifier()); + + //validate baseId transfer restriction + sp.setBpkTargetIdentifier(EaafConstants.URN_PREFIX_CDID + "ZP"); + Assert.assertEquals("BaseId restrication", false, sp.hasBaseIdTransferRestriction()); + Assert.assertEquals("bPKTarget", EaafConstants.URN_PREFIX_CDID + "ZP", sp.getAreaSpecificTargetIdentifier()); + + sp.setBpkTargetIdentifier(EaafConstants.URN_PREFIX_WBPK_TARGET_WITH_X + "FN+123456h"); + Assert.assertEquals("BaseId restrication", true, sp.hasBaseIdTransferRestriction()); + + } + + @Test + public void loadSpWithMsSpecificConfig() throws EaafConfigurationException { + //check + ServiceProviderConfiguration sp = basicConfig.getServiceProviderConfiguration( + "https://demo.egiz.gv.at/junit_test", ServiceProviderConfiguration.class); + + //validate state + Assert.assertNotNull("spConfig", sp); + Assert.assertEquals("friendlyName", "jUnit test", sp.getFriendlyName()); + Assert.assertEquals("UniqueId", "https://demo.egiz.gv.at/junit_test", sp.getUniqueIdentifier()); + Assert.assertEquals("BaseId restrication", true, sp.hasBaseIdTransferRestriction()); + Assert.assertEquals("generic config value", false, + sp.isConfigurationValue("policy.allowed.requested.targets")); + Assert.assertEquals("generic config value", "test", + sp.getConfigurationValue("policy.allowed.requested.targets")); + Assert.assertEquals("not_exist_value", "true", sp.getConfigurationValue("not.exist", "true")); + + } +} diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/AuthBlockAttributeBuilderTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/AuthBlockAttributeBuilderTest.java index b7c6cd44..f6d22c98 100644 --- a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/AuthBlockAttributeBuilderTest.java +++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/AuthBlockAttributeBuilderTest.java @@ -13,6 +13,7 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; import at.asitplus.eidas.specific.connector.attributes.AuthBlockAttributeBuilder; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions; import at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder; import at.gv.egiz.eaaf.core.api.idp.IAuthData; import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; @@ -42,6 +43,19 @@ public class AuthBlockAttributeBuilderTest extends AbstractAttributeBuilderTest } @Test + public void checkName() { + Assert.assertEquals("Wrong attr. name", + ExtendedPvpAttributeDefinitions.EID_AUTHBLOCK_SIGNED_NAME, attrBuilde.getName()); + + } + + @Test + public void checkEmptyAttribute() { + Assert.assertNull("empty attr.", attrBuilde.buildEmpty(gen)); + + } + + @Test public void okTest() { log.info("starting: " + mTestName); try { diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/EidasBindAttributeBuilderTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/EidasBindAttributeBuilderTest.java index 254efb59..9a2c6cdc 100644 --- a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/EidasBindAttributeBuilderTest.java +++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/EidasBindAttributeBuilderTest.java @@ -1,13 +1,7 @@ package at.asitplus.eidas.specific.connector.test.attributes; -import at.asitplus.eidas.specific.connector.attributes.EidasBindAttributeBuilder; -import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions; -import at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder; -import at.gv.egiz.eaaf.core.api.idp.IAuthData; -import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; -import at.gv.egiz.eaaf.core.impl.idp.AuthenticationData; -import at.gv.egiz.eaaf.core.impl.idp.auth.attributes.AbstractAttributeBuilderTest; -import lombok.extern.slf4j.Slf4j; +import static at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants.EIDAS_BIND; + import org.junit.Assert; import org.junit.Before; import org.junit.Rule; @@ -17,7 +11,14 @@ import org.junit.runner.RunWith; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; -import static at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants.EIDAS_BIND; +import at.asitplus.eidas.specific.connector.attributes.EidasBindAttributeBuilder; +import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions; +import at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder; +import at.gv.egiz.eaaf.core.api.idp.IAuthData; +import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; +import at.gv.egiz.eaaf.core.impl.idp.AuthenticationData; +import at.gv.egiz.eaaf.core.impl.idp.auth.attributes.AbstractAttributeBuilderTest; +import lombok.extern.slf4j.Slf4j; @Slf4j @@ -36,6 +37,19 @@ public class EidasBindAttributeBuilderTest extends AbstractAttributeBuilderTest } @Test + public void checkName() { + Assert.assertEquals("Wrong attr. name", + ExtendedPvpAttributeDefinitions.EID_EIDBIND_NAME, attrBuilde.getName()); + + } + + @Test + public void checkEmptyAttribute() { + Assert.assertNull("empty attr.", attrBuilde.buildEmpty(gen)); + + } + + @Test public void okTest() { log.info("starting: " + mTestName); try { diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/saml2/Pvp2SProfileEndPointTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/saml2/Pvp2SProfileEndPointTest.java new file mode 100644 index 00000000..81ee2625 --- /dev/null +++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/saml2/Pvp2SProfileEndPointTest.java @@ -0,0 +1,335 @@ +package at.asitplus.eidas.specific.connector.test.saml2; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.UnsupportedEncodingException; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; +import java.util.List; +import java.util.Timer; + +import javax.xml.transform.TransformerException; + +import org.joda.time.DateTime; +import org.junit.Assert; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.opensaml.core.config.InitializationException; +import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; +import org.opensaml.core.xml.io.MarshallingException; +import org.opensaml.core.xml.io.UnmarshallingException; +import org.opensaml.core.xml.util.XMLObjectSupport; +import org.opensaml.saml.metadata.resolver.impl.ResourceBackedMetadataResolver; +import org.opensaml.saml.saml2.core.RequestAbstractType; +import org.opensaml.saml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml.saml2.metadata.IDPSSODescriptor; +import org.opensaml.saml.saml2.metadata.RoleDescriptor; +import org.opensaml.saml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator; +import org.opensaml.security.credential.Credential; +import org.opensaml.security.x509.BasicX509Credential; +import org.opensaml.xmlsec.signature.support.SignatureException; +import org.opensaml.xmlsec.signature.support.SignatureValidator; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.core.io.ResourceLoader; +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.mock.web.MockHttpServletResponse; +import org.springframework.test.annotation.DirtiesContext; +import org.springframework.test.annotation.DirtiesContext.ClassMode; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.context.web.WebAppConfiguration; +import org.springframework.util.Base64Utils; +import org.springframework.web.context.request.RequestContextHolder; +import org.springframework.web.context.request.ServletRequestAttributes; + +import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; +import at.asitplus.eidas.specific.connector.controller.Pvp2SProfileEndpoint; +import at.asitplus.eidas.specific.connector.provider.PvpEndPointCredentialProvider; +import at.asitplus.eidas.specific.connector.provider.PvpMetadataProvider; +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.IRequestStorage; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.utils.DomUtils; +import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.OpenSaml3ResourceAdapter; +import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import net.shibboleth.utilities.java.support.component.ComponentInitializationException; +import net.shibboleth.utilities.java.support.xml.XMLParserException; + +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration({ + "/applicationContext.xml", + "/specific_eIDAS_connector.beans.xml", + "/eaaf_core.beans.xml", + "/eaaf_pvp.beans.xml", + "/eaaf_pvp_idp.beans.xml", + "/spring/SpringTest-context_simple_storage.xml" }) +@WebAppConfiguration +@DirtiesContext(classMode = ClassMode.BEFORE_CLASS) +public class Pvp2SProfileEndPointTest { + + + @Autowired private Pvp2SProfileEndpoint controller; + @Autowired private PvpEndPointCredentialProvider credentialProvider; + @Autowired private PvpMetadataProvider metadataProvider; + @Autowired private ResourceLoader resourceLoader; + @Autowired private IRequestStorage storage; + + private static CertificateFactory fact; + + + private MockHttpServletRequest httpReq; + private MockHttpServletResponse httpResp; + + + /** + * jUnit class initializer. + * @throws ComponentInitializationException In case of an error + * @throws InitializationException In case of an error + * @throws CertificateException + * + */ + @BeforeClass + public static void classInitializer() throws InitializationException, + ComponentInitializationException, CertificateException { + final String current = new java.io.File(".").toURI().toString(); + System.setProperty("eidas.ms.configuration", current + "src/test/resources/config/junit_config_1.properties"); + + EaafOpenSaml3xInitializer.eaafInitialize(); + + fact = CertificateFactory.getInstance("X.509"); + + } + + /** + * jUnit test set-up. + * @throws EaafException + * + */ + @Before + public void initialize() throws EaafException { + httpReq = new MockHttpServletRequest("POST", "https://localhost/ms_connector"); + httpResp = new MockHttpServletResponse(); + RequestContextHolder.resetRequestAttributes(); + RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpReq, httpResp)); + + } + + @Test + public void authnReqWrongEndpoint() throws EaafException, XMLParserException, UnmarshallingException, + UnsupportedEncodingException, TransformerException, IOException, MarshallingException, + ComponentInitializationException { + //initialize test + final RequestAbstractType authnReq = (RequestAbstractType) XMLObjectSupport.unmarshallFromInputStream( + XMLObjectProviderRegistrySupport.getParserPool(), + Pvp2SProfileEndPointTest.class.getResourceAsStream("/data/pvp2_authn_3.xml")); + authnReq.setIssueInstant(DateTime.now()); + RequestAbstractType signedAuthnReq = + Saml2Utils.signSamlObject(authnReq, credentialProvider.getMetaDataSigningCredential(), true); + String b64 = Base64Utils.encodeToString(DomUtils.serializeNode( + XMLObjectSupport.getMarshaller(signedAuthnReq).marshall(signedAuthnReq)).getBytes("UTF-8")); + httpReq.setParameter("SAMLRequest", b64); + + final org.springframework.core.io.Resource resource = resourceLoader.getResource( + "classpath:/data/metadata_valid.xml"); + Timer timer = new Timer("PVP metadata-resolver refresh"); + ResourceBackedMetadataResolver fileSystemResolver = + new ResourceBackedMetadataResolver(timer, new OpenSaml3ResourceAdapter(resource)); + fileSystemResolver.setId("test"); + fileSystemResolver.setParserPool(XMLObjectProviderRegistrySupport.getParserPool()); + fileSystemResolver.initialize(); + metadataProvider.addMetadataResolverIntoChain(fileSystemResolver); + + + //request SAML2 authentication + try { + controller.pvpIdpPostRequest(httpReq, httpResp); + Assert.fail("wrong AuthnRequest not detected"); + + }catch (EaafException e) { + Assert.assertEquals("wrong errorId", "pvp2.22", e.getErrorId()); + + } + } + + @Test + public void authnReqWrongSigned() throws EaafException, XMLParserException, UnmarshallingException, + UnsupportedEncodingException, TransformerException, IOException, MarshallingException, + ComponentInitializationException { + //initialize test + final RequestAbstractType authnReq = (RequestAbstractType) XMLObjectSupport.unmarshallFromInputStream( + XMLObjectProviderRegistrySupport.getParserPool(), + Pvp2SProfileEndPointTest.class.getResourceAsStream("/data/pvp2_authn_1.xml")); + authnReq.setIssueInstant(DateTime.now()); + RequestAbstractType signedAuthnReq = + Saml2Utils.signSamlObject(authnReq, credentialProvider.getMetaDataSigningCredential(), true); + String b64 = Base64Utils.encodeToString(DomUtils.serializeNode( + XMLObjectSupport.getMarshaller(signedAuthnReq).marshall(signedAuthnReq)).getBytes("UTF-8")); + httpReq.setParameter("SAMLRequest", b64); + + final org.springframework.core.io.Resource resource = resourceLoader.getResource( + "classpath:/data/metadata_valid.xml"); + Timer timer = new Timer("PVP metadata-resolver refresh"); + ResourceBackedMetadataResolver fileSystemResolver = + new ResourceBackedMetadataResolver(timer, new OpenSaml3ResourceAdapter(resource)); + fileSystemResolver.setId("test"); + fileSystemResolver.setParserPool(XMLObjectProviderRegistrySupport.getParserPool()); + fileSystemResolver.initialize(); + metadataProvider.addMetadataResolverIntoChain(fileSystemResolver); + + + //request SAML2 authentication + try { + controller.pvpIdpPostRequest(httpReq, httpResp); + Assert.fail("wrong AuthnRequest not detected"); + + }catch (EaafException e) { + Assert.assertEquals("wrong errorId", "pvp2.21", e.getErrorId()); + + } + } + + @Test + public void authnReqMetadataExpired() throws EaafException, XMLParserException, UnmarshallingException, + UnsupportedEncodingException, TransformerException, IOException, MarshallingException, + ComponentInitializationException { + //initialize test + final RequestAbstractType authnReq = (RequestAbstractType) XMLObjectSupport.unmarshallFromInputStream( + XMLObjectProviderRegistrySupport.getParserPool(), + Pvp2SProfileEndPointTest.class.getResourceAsStream("/data/pvp2_authn_1.xml")); + authnReq.setIssueInstant(DateTime.now()); + RequestAbstractType signedAuthnReq = + Saml2Utils.signSamlObject(authnReq, credentialProvider.getMetaDataSigningCredential(), true); + String b64 = Base64Utils.encodeToString(DomUtils.serializeNode( + XMLObjectSupport.getMarshaller(signedAuthnReq).marshall(signedAuthnReq)).getBytes("UTF-8")); + httpReq.setParameter("SAMLRequest", b64); + + final org.springframework.core.io.Resource resource = resourceLoader.getResource( + "classpath:/data/metadata_expired.xml"); + Timer timer = new Timer("PVP metadata-resolver refresh"); + ResourceBackedMetadataResolver fileSystemResolver = + new ResourceBackedMetadataResolver(timer, new OpenSaml3ResourceAdapter(resource)); + fileSystemResolver.setId("test"); + fileSystemResolver.setParserPool(XMLObjectProviderRegistrySupport.getParserPool()); + fileSystemResolver.initialize(); + metadataProvider.addMetadataResolverIntoChain(fileSystemResolver); + + + //request SAML2 authentication + try { + controller.pvpIdpPostRequest(httpReq, httpResp); + Assert.fail("wrong AuthnRequest not detected"); + + }catch (EaafException e) { + Assert.assertEquals("wrong errorId", "pvp2.21", e.getErrorId()); + + } + } + + @Test + public void authnReqValid() throws EaafException, XMLParserException, UnmarshallingException, + UnsupportedEncodingException, TransformerException, IOException, MarshallingException, + ComponentInitializationException { + //initialize test + final RequestAbstractType authnReq = (RequestAbstractType) XMLObjectSupport.unmarshallFromInputStream( + XMLObjectProviderRegistrySupport.getParserPool(), + Pvp2SProfileEndPointTest.class.getResourceAsStream("/data/pvp2_authn_1.xml")); + authnReq.setIssueInstant(DateTime.now()); + RequestAbstractType signedAuthnReq = + Saml2Utils.signSamlObject(authnReq, credentialProvider.getMessageSigningCredential(), true); + String b64 = Base64Utils.encodeToString(DomUtils.serializeNode( + XMLObjectSupport.getMarshaller(signedAuthnReq).marshall(signedAuthnReq)).getBytes("UTF-8")); + httpReq.setParameter("SAMLRequest", b64); + + final org.springframework.core.io.Resource resource = resourceLoader.getResource( + "classpath:/data/metadata_valid.xml"); + Timer timer = new Timer("PVP metadata-resolver refresh"); + ResourceBackedMetadataResolver fileSystemResolver = + new ResourceBackedMetadataResolver(timer, new OpenSaml3ResourceAdapter(resource)); + fileSystemResolver.setId("test"); + fileSystemResolver.setParserPool(XMLObjectProviderRegistrySupport.getParserPool()); + fileSystemResolver.initialize(); + metadataProvider.addMetadataResolverIntoChain(fileSystemResolver); + + + //request SAML2 authentication + controller.pvpIdpPostRequest(httpReq, httpResp); + + + //validate state + Assert.assertEquals("http statuscode", 200, httpResp.getStatus()); + Assert.assertEquals("Wrong http ContentType", "text/html;charset=UTF-8", httpResp.getContentType()); + + String html = httpResp.getContentAsString(); + Assert.assertNotNull("html result is null", html); + Assert.assertFalse("html result is empty", html.isEmpty()); + Assert.assertTrue("Wrong page", html.contains("action=\"/myHomeCountry\"")); + + String pattern = "<input type=\"hidden\" name=\"pendingid\" value=\""; + int pendingIdStart = html.indexOf(pattern) + pattern.length(); + int pendingIdEnd = html.indexOf("\"", pendingIdStart); + String pendingReqId = html.substring(pendingIdStart, pendingIdEnd); + Assert.assertFalse("pendingReqId is empty", pendingReqId.isEmpty()); + + IRequest pendingReq = storage.getPendingRequest(pendingReqId); + Assert.assertNotNull("pendingReq", pendingReq); + Assert.assertNotNull("piiTransId", pendingReq.getUniquePiiTransactionIdentifier()); + Assert.assertNotNull("piiTransId", pendingReq.getUniqueTransactionIdentifier()); + + Assert.assertEquals("wrong OA Id", "https://demo.egiz.gv.at/demoportal-openID_demo", + pendingReq.getRawData(MsEidasNodeConstants.DATA_REQUESTERID, String.class)); + Assert.assertEquals("wrong bPK Target", "urn:publicid:gv.at:cdid+BF", + pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier()); + + + } + + @Test + public void checkSaml2Metadata() throws EaafException, UnsupportedEncodingException, XMLParserException, + UnmarshallingException, CertificateException, SignatureException { + + //request SAML2 Metadata + controller.pvpMetadataRequest(httpReq, httpResp); + + //validate state + Assert.assertEquals("http statuscode", 200, httpResp.getStatus()); + Assert.assertEquals("Wrong http ContentType", "application/xml", httpResp.getContentType()); + + String html = httpResp.getContentAsString(); + Assert.assertNotNull("html result is null", html); + Assert.assertFalse("html result is empty", html.isEmpty()); + + + final EntityDescriptor entity = (EntityDescriptor) XMLObjectSupport.unmarshallFromInputStream( + XMLObjectProviderRegistrySupport.getParserPool(), + new ByteArrayInputStream(html.getBytes("UTF-8"))); + + Assert.assertNotNull("Unmarshalling failed", entity); + Assert.assertNotNull("EntityId is null", entity.getEntityID()); + + Assert.assertNotNull("Signature is null", entity.getSignature()); + final SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator(); + sigValidator.validate(entity.getSignature()); + + final Credential cred = new BasicX509Credential((X509Certificate) fact.generateCertificate( + Pvp2SProfileEndPointTest.class.getResourceAsStream("/config/keys/Metadata.pem"))); + SignatureValidator.validate(entity.getSignature(), cred); + + Assert.assertEquals("wrong entityId", "http://localhost/pvp/metadata", entity.getEntityID()); + Assert.assertNotNull("IDPSSODescr", entity.getRoleDescriptors(IDPSSODescriptor.DEFAULT_ELEMENT_NAME)); + Assert.assertNotNull("SPSSODescr", entity.getRoleDescriptors(SPSSODescriptor.DEFAULT_ELEMENT_NAME)); + Assert.assertEquals("SPSSODescr. size", 0, + entity.getRoleDescriptors(SPSSODescriptor.DEFAULT_ELEMENT_NAME).size()); + + List<RoleDescriptor> idp = entity.getRoleDescriptors(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); + Assert.assertEquals("IDP descr. size", 1, idp.size()); + Assert.assertEquals("IDP descr. endpoints", 2, idp.get(0).getEndpoints().size()); + Assert.assertEquals("IDP descr. keyDescr", 1, idp.get(0).getKeyDescriptors().size()); + + } + +} diff --git a/connector/src/test/resources/config/junit_config_1.properties b/connector/src/test/resources/config/junit_config_1.properties index 3350f947..78981b6a 100644 --- a/connector/src/test/resources/config/junit_config_1.properties +++ b/connector/src/test/resources/config/junit_config_1.properties @@ -97,19 +97,27 @@ eidas.ms.pvp2.metadata.contact.surname=Mustermann eidas.ms.pvp2.metadata.contact.email=max@junit.test ## Service Provider configuration -eidas.ms.sp.0.uniqueID= +eidas.ms.sp.0.uniqueID=https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/metadata eidas.ms.sp.0.pvp2.metadata.truststore=keys/junit.jks eidas.ms.sp.0.pvp2.metadata.truststore.password=password - -#eidas.ms.sp.0.friendlyName= +eidas.ms.sp.0.friendlyName=jUnit test #eidas.ms.sp.0.pvp2.metadata.url= #eidas.ms.sp.0.policy.allowed.requested.targets=.* #eidas.ms.sp.0.policy.hasBaseIdTransferRestriction=false +## Service Provider configuration +eidas.ms.sp.1.uniqueID=https://demo.egiz.gv.at/junit_test +eidas.ms.sp.1.pvp2.metadata.truststore=keys/junit.jks +eidas.ms.sp.1.pvp2.metadata.truststore.password=password +eidas.ms.sp.1.friendlyName=jUnit test +eidas.ms.sp.1.pvp2.metadata.url=http://junit.test/metadata +eidas.ms.sp.1.policy.allowed.requested.targets=test +eidas.ms.sp.1.policy.hasBaseIdTransferRestriction=true + ##only for advanced config eidas.ms.configuration.sp.disableRegistrationRequirement= -eidas.ms.configuration.restrictions.baseID.spTransmission= +#eidas.ms.configuration.restrictions.baseID.spTransmission= eidas.ms.configuration.auth.default.countrycode= eidas.ms.configuration.pvp.scheme.validation= eidas.ms.configuration.pvp.enable.entitycategories=
\ No newline at end of file diff --git a/connector/src/test/resources/config/keys/Metadata.pem b/connector/src/test/resources/config/keys/Metadata.pem new file mode 100644 index 00000000..b544c194 --- /dev/null +++ b/connector/src/test/resources/config/keys/Metadata.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC+jCCAeKgAwIBAgIEXjF+fTANBgkqhkiG9w0BAQsFADA/MQswCQYDVQQGEwJB +VDENMAsGA1UEBwwERUdJWjEOMAwGA1UECgwFalVuaXQxETAPBgNVBAMMCE1ldGFk +YXRhMB4XDTIwMDEyOTEyNDU0OVoXDTI2MDEyODEyNDU0OVowPzELMAkGA1UEBhMC +QVQxDTALBgNVBAcMBEVHSVoxDjAMBgNVBAoMBWpVbml0MREwDwYDVQQDDAhNZXRh +ZGF0YTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK230G3dxNbNlSYA +O5Kx/Js0aBAgxMt7q9m+dA35fK/dOvF/GjrqjWsMCnax+no9gLnq6x0gXiJclz6H +rp/YDOfLrJjMpNL/r0FWT947vbnEj7eT8TdY5d6Yi8AZulZmjiCI5nbZh2zwrP4+ +WqRroLoPhXQj8mDyp26M4xHBBUhLMRc2HV4S+XH4uNZ/vTmb8vBg31XGHCY33gl7 +/KA54JNGxJdN8Dxv6yHYsm91ZfVrX39W0iYLUNhUCkolwuQmjDVfrExM8BTLIONb +f+erJoCm3A9ghZyDYRQ/e69/UEUqDa6XOzykr88INkQscEiAXCDS+EBPMpKo+t3l +PIA9r7kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAh/2mg4S03bdZy1OVtEAudBT9 +YZb9OF34hxPtNbkB/V04wSIg1d4TBr5KDhV7CdiUOxPZzHpS8LUCgfGX306FB6NX +zh/b67uTOPaE72AB4VIT/Np0fsM7k5WhG9k9NoprIGiqCz2lXcfpZiT+LtSO1vWS +YI87wR9KOSWjcw/5i5qZIAJuwvLCQj5JtUsmrhHK75222J3TJf4dS/gfN4xfY2rW +9vcXtH6//8WdWp/zx9V7Z1ZsDb8TDKtBCEGuFDgVeU5ScKtVq8qRoUKD3Ve76cZi +purO3KrRrVAuZP2EfLkZdHEHqe8GPigNnZ5kTn8V2VJ3iRAQ73hpJRR98tFd0A== +-----END CERTIFICATE----- diff --git a/connector/src/test/resources/data/metadata_expired.xml b/connector/src/test/resources/data/metadata_expired.xml new file mode 100644 index 00000000..16364c05 --- /dev/null +++ b/connector/src/test/resources/data/metadata_expired.xml @@ -0,0 +1,106 @@ +<?xml version="1.0" encoding="UTF-8"?> +<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_b67c160c0ad7b4ebd430581df167ac23" entityID="https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/metadata" validUntil="2020-12-12T20:41:20.635Z"> + <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:SignedInfo> + <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> + <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> + <ds:Reference URI="#_b67c160c0ad7b4ebd430581df167ac23"> + <ds:Transforms> + <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> + <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> + </ds:Transforms> + <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> + <ds:DigestValue>00SaL0XjeknOb/DttutP50lTyAux1jaRPJIVdSupWvU=</ds:DigestValue> + </ds:Reference> + </ds:SignedInfo> + <ds:SignatureValue>PfEBmLMX/ZgL6ViXghyWtal5MaMoW8k3zjw+54+WK1OAtVsVgOsIDRJE0M/a/VXBbMSifgY6J1gN23xhr61jkrjRQEkbDzLpWZLzWAJ65YqqUQo8wsKI2Gz0j12yY5D8/GOamKOH9KDi5ba1veXR/fnxRINoy7nZo4tcUWZChdl8BWkMN5ugr6dORNIQg/Ym3GabQ/hR5z+9FmveAKphdH63MC6qW3EgM9EMvOVkrLBTP92sNMAAJeaawui9tlxi9anVQ0OqwZsgKLvI7fyV4CM/0sd/ELjeReIlWlHk07Nz4eltMq3eOx3q1YurYvhE8XapHiQMehOtCS+Fzh10sw==</ds:SignatureValue> + <ds:KeyInfo> + <ds:X509Data> + <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH +SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W +ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w +CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ +RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq +UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ +M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F +Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt +1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq +nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC +VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq +itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc +2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O +fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy +4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </ds:Signature> + <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> + <md:KeyDescriptor use="signing"> + <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:X509Data> + <ds:X509Certificate>MIIBbTCCARKgAwIBAgIEXjF+qTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJBVDEN +MAsGA1UEBwwERUdJWjEOMAwGA1UECgwFalVuaXQxEDAOBgNVBAMMB3NpZ25pbmcw +HhcNMjAwMTI5MTI0NjMzWhcNMjcwMTI4MTI0NjMzWjA+MQswCQYDVQQGEwJBVDEN +MAsGA1UEBwwERUdJWjEOMAwGA1UECgwFalVuaXQxEDAOBgNVBAMMB3NpZ25pbmcw +WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASRt7gZRrr4rSEE7Q922oKQJF+mlkwC +LZnv8ZzHtH54s4VdyQFIBjQF1PPf9PTn+5tid8QJehZPndcoeD7J8fPJMAoGCCqG +SM49BAMCA0kAMEYCIQDFUO0owvqMVRO2FmD+vb8mqJBpWCE6Cl5pEHaygTa5LwIh +ANsmjI2azWiTSFjb7Ou5fnCfbeiJUP0s66m8qS4rYl9L</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </md:KeyDescriptor> + <md:KeyDescriptor use="encryption"> + <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:X509Data> + <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH +SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W +ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w +CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ +RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq +UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ +M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F +Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt +1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq +nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC +VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq +itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc +2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O +fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy +4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </md:KeyDescriptor> + <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat> + <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/post" index="0" isDefault="true"/> + <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/redirect" index="1"/> + <md:AttributeConsumingService index="0" isDefault="true"> + <md:ServiceName xml:lang="en">Default Service</md:ServiceName> + <md:RequestedAttribute FriendlyName="BPK" Name="urn:oid:1.2.40.0.10.2.1.1.149" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> + <md:RequestedAttribute FriendlyName="PRINCIPAL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> + <md:RequestedAttribute FriendlyName="BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.55" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> + <md:RequestedAttribute FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> + <md:RequestedAttribute FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> + <md:RequestedAttribute FriendlyName="MANDATOR-LEGAL-PERSON-SOURCE-PIN-TYPE" Name="urn:oid:1.2.40.0.10.2.1.1.261.76" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/> + <md:RequestedAttribute FriendlyName="MANDATOR-LEGAL-PERSON-FULL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.84" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/> + <md:RequestedAttribute FriendlyName="MANDATE-TYPE" Name="urn:oid:1.2.40.0.10.2.1.1.261.68" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/> + <md:RequestedAttribute FriendlyName="MANDATOR-LEGAL-PERSON-SOURCE-PIN" Name="urn:oid:1.2.40.0.10.2.1.1.261.100" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/> + <md:RequestedAttribute FriendlyName="GIVEN-NAME" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> + <md:RequestedAttribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> + <md:RequestedAttribute FriendlyName="MANDATE-TYPE-OID" Name="urn:oid:1.2.40.0.10.2.1.1.261.106" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/> + <md:RequestedAttribute FriendlyName="EID-IDENTITY-LINK" Name="urn:oid:1.2.40.0.10.2.1.1.261.38" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/> + <md:RequestedAttribute FriendlyName="EID-CITIZEN-QAA-EIDAS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.108" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> + </md:AttributeConsumingService> + </md:SPSSODescriptor> + <md:Organization> + <md:OrganizationName xml:lang="de">EGIZ</md:OrganizationName> + <md:OrganizationDisplayName xml:lang="de">E-Government Innovationszentrum</md:OrganizationDisplayName> + <md:OrganizationURL xml:lang="de">http://www.egiz.gv.at</md:OrganizationURL> + </md:Organization> + <md:ContactPerson contactType="technical"> + <md:Company>E-Government Innovationszentrum</md:Company> + <md:GivenName>Lenz</md:GivenName> + <md:SurName>Thomas</md:SurName> + <md:EmailAddress>thomas.lenz@egiz.gv.at</md:EmailAddress> + <md:TelephoneNumber>+43 316 873 5525</md:TelephoneNumber> + </md:ContactPerson> +</md:EntityDescriptor> diff --git a/connector/src/test/resources/data/metadata_valid.xml b/connector/src/test/resources/data/metadata_valid.xml new file mode 100644 index 00000000..06e1e785 --- /dev/null +++ b/connector/src/test/resources/data/metadata_valid.xml @@ -0,0 +1,106 @@ +<?xml version="1.0" encoding="UTF-8"?> +<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_b67c160c0ad7b4ebd430581df167ac23" entityID="https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/metadata"> + <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:SignedInfo> + <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> + <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> + <ds:Reference URI="#_b67c160c0ad7b4ebd430581df167ac23"> + <ds:Transforms> + <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> + <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> + </ds:Transforms> + <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> + <ds:DigestValue>00SaL0XjeknOb/DttutP50lTyAux1jaRPJIVdSupWvU=</ds:DigestValue> + </ds:Reference> + </ds:SignedInfo> + <ds:SignatureValue>PfEBmLMX/ZgL6ViXghyWtal5MaMoW8k3zjw+54+WK1OAtVsVgOsIDRJE0M/a/VXBbMSifgY6J1gN23xhr61jkrjRQEkbDzLpWZLzWAJ65YqqUQo8wsKI2Gz0j12yY5D8/GOamKOH9KDi5ba1veXR/fnxRINoy7nZo4tcUWZChdl8BWkMN5ugr6dORNIQg/Ym3GabQ/hR5z+9FmveAKphdH63MC6qW3EgM9EMvOVkrLBTP92sNMAAJeaawui9tlxi9anVQ0OqwZsgKLvI7fyV4CM/0sd/ELjeReIlWlHk07Nz4eltMq3eOx3q1YurYvhE8XapHiQMehOtCS+Fzh10sw==</ds:SignatureValue> + <ds:KeyInfo> + <ds:X509Data> + <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH +SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W +ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w +CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ +RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq +UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ +M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F +Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt +1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq +nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC +VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq +itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc +2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O +fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy +4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </ds:Signature> + <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> + <md:KeyDescriptor use="signing"> + <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:X509Data> + <ds:X509Certificate>MIIBbTCCARKgAwIBAgIEXjF+qTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJBVDEN +MAsGA1UEBwwERUdJWjEOMAwGA1UECgwFalVuaXQxEDAOBgNVBAMMB3NpZ25pbmcw +HhcNMjAwMTI5MTI0NjMzWhcNMjcwMTI4MTI0NjMzWjA+MQswCQYDVQQGEwJBVDEN +MAsGA1UEBwwERUdJWjEOMAwGA1UECgwFalVuaXQxEDAOBgNVBAMMB3NpZ25pbmcw +WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASRt7gZRrr4rSEE7Q922oKQJF+mlkwC +LZnv8ZzHtH54s4VdyQFIBjQF1PPf9PTn+5tid8QJehZPndcoeD7J8fPJMAoGCCqG +SM49BAMCA0kAMEYCIQDFUO0owvqMVRO2FmD+vb8mqJBpWCE6Cl5pEHaygTa5LwIh +ANsmjI2azWiTSFjb7Ou5fnCfbeiJUP0s66m8qS4rYl9L</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </md:KeyDescriptor> + <md:KeyDescriptor use="encryption"> + <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:X509Data> + <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH +SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W +ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w +CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ +RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq +UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ +M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F +Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt +1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq +nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC +VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq +itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc +2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O +fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy +4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </md:KeyDescriptor> + <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat> + <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/post" index="0" isDefault="true"/> + <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/redirect" index="1"/> + <md:AttributeConsumingService index="0" isDefault="true"> + <md:ServiceName xml:lang="en">Default Service</md:ServiceName> + <md:RequestedAttribute FriendlyName="BPK" Name="urn:oid:1.2.40.0.10.2.1.1.149" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> + <md:RequestedAttribute FriendlyName="PRINCIPAL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> + <md:RequestedAttribute FriendlyName="BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.55" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> + <md:RequestedAttribute FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> + <md:RequestedAttribute FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> + <md:RequestedAttribute FriendlyName="MANDATOR-LEGAL-PERSON-SOURCE-PIN-TYPE" Name="urn:oid:1.2.40.0.10.2.1.1.261.76" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/> + <md:RequestedAttribute FriendlyName="MANDATOR-LEGAL-PERSON-FULL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.84" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/> + <md:RequestedAttribute FriendlyName="MANDATE-TYPE" Name="urn:oid:1.2.40.0.10.2.1.1.261.68" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/> + <md:RequestedAttribute FriendlyName="MANDATOR-LEGAL-PERSON-SOURCE-PIN" Name="urn:oid:1.2.40.0.10.2.1.1.261.100" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/> + <md:RequestedAttribute FriendlyName="GIVEN-NAME" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> + <md:RequestedAttribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> + <md:RequestedAttribute FriendlyName="MANDATE-TYPE-OID" Name="urn:oid:1.2.40.0.10.2.1.1.261.106" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/> + <md:RequestedAttribute FriendlyName="EID-IDENTITY-LINK" Name="urn:oid:1.2.40.0.10.2.1.1.261.38" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/> + <md:RequestedAttribute FriendlyName="EID-CITIZEN-QAA-EIDAS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.108" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> + </md:AttributeConsumingService> + </md:SPSSODescriptor> + <md:Organization> + <md:OrganizationName xml:lang="de">EGIZ</md:OrganizationName> + <md:OrganizationDisplayName xml:lang="de">E-Government Innovationszentrum</md:OrganizationDisplayName> + <md:OrganizationURL xml:lang="de">http://www.egiz.gv.at</md:OrganizationURL> + </md:Organization> + <md:ContactPerson contactType="technical"> + <md:Company>E-Government Innovationszentrum</md:Company> + <md:GivenName>Lenz</md:GivenName> + <md:SurName>Thomas</md:SurName> + <md:EmailAddress>thomas.lenz@egiz.gv.at</md:EmailAddress> + <md:TelephoneNumber>+43 316 873 5525</md:TelephoneNumber> + </md:ContactPerson> +</md:EntityDescriptor> diff --git a/connector/src/test/resources/data/pvp2_authn_1.xml b/connector/src/test/resources/data/pvp2_authn_1.xml index ff5f08a5..1275b200 100644 --- a/connector/src/test/resources/data/pvp2_authn_1.xml +++ b/connector/src/test/resources/data/pvp2_authn_1.xml @@ -1,5 +1,5 @@ <?xml version="1.0" encoding="UTF-8"?> -<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://vidp.gv.at/ms_connector/pvp/post" ID="_27f4ce57e524e483446654a34cf886e2" IsPassive="false" IssueInstant="2019-12-11T10:50:19.032Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> +<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="http://localhost/pvp/post" ID="_27f4ce57e524e483446654a34cf886e2" IsPassive="false" IssueInstant="2019-12-11T10:50:19.032Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/metadata</saml2:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> diff --git a/connector/src/test/resources/data/test_idl_1.xml b/connector/src/test/resources/data/test_idl_1.xml new file mode 100644 index 00000000..8151468b --- /dev/null +++ b/connector/src/test/resources/data/test_idl_1.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding="UTF-8"?><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:ecdsa="http://www.w3.org/2001/04/xmldsig-more#" xmlns:pr="http://reference.e-government.gv.at/namespace/persondata/20020228#" xmlns:si="http://www.w3.org/2001/XMLSchema-instance" AssertionID="szr.bmi.gv.at-AssertionID1467616845518699" IssueInstant="2016-07-04T09:20:45+01:00" Issuer="http://portal.bmi.gv.at/ref/szr/issuer" MajorVersion="1" MinorVersion="0"> + <saml:AttributeStatement> + <saml:Subject> + <saml:SubjectConfirmation> + <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod> + <saml:SubjectConfirmationData> + <pr:Person si:type="pr:PhysicalPersonType"><pr:Identification><pr:Value>AT/CZ/xWE0vFWarzpzSL4LYlpst9b6vg0=</pr:Value><pr:Type>urn:publicid:gv.at:eidasid+AT+CZ</pr:Type></pr:Identification><pr:Name><pr:GivenName>XXXMaria-Theresia Kunigunda</pr:GivenName><pr:FamilyName primary="undefined">XXXHabsburg-Lothringen</pr:FamilyName></pr:Name><pr:DateOfBirth>1980-02-29</pr:DateOfBirth></pr:Person> + </saml:SubjectConfirmationData> + </saml:SubjectConfirmation> + </saml:Subject> + <saml:Attribute AttributeName="CitizenPublicKey" AttributeNamespace="urn:publicid:gv.at:namespaces:identitylink:1.2"><saml:AttributeValue><ecdsa:ECDSAKeyValue><ecdsa:DomainParameters><ecdsa:NamedCurve URN="urn:oid:1.2.840.10045.3.1.7"/></ecdsa:DomainParameters><ecdsa:PublicKey><ecdsa:X Value="49629022697474602497707473238246914610217535689798527313620157109614355242988" si:type="ecdsa:PrimeFieldElemType"/><ecdsa:Y Value="77111560713755914450736041751615112402310649832147731609221710465065501356492" si:type="ecdsa:PrimeFieldElemType"/></ecdsa:PublicKey></ecdsa:ECDSAKeyValue></saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="CitizenPublicKey" AttributeNamespace="urn:publicid:gv.at:namespaces:identitylink:1.2"><saml:AttributeValue><dsig:RSAKeyValue><dsig:Modulus>1BFOitiQUc1lAHDGksneXWZGKGaFBcu03HEiIFsjHjNt/IfRZ4IzqHotUKItxnCdNtsFc1MkMJg+ +g0AXHsuU6MNgcbcXPaPfmHp+8+BJh+amDF3FnAN4ceG8oFAGVEZteOgfdWk1r5RQ2SK+0PuXPuLp +Tee7IzXtksReZkVEadUCxn/hiRXZa0dABgkFe3kSXbDr5tKXOF0FCtLKhZBI9z+NbX+aTSKOmAOq +4jyymoo5EP3L+iPecrUwHijD0Bm89h1JjxP521fkYe3Si+0J40okrmCCQHBr+IzB1uX98pKhvs7X +6rPjOJ6lBwP7XjK7D128P/cg4eH6v58cCfbLcQ==</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent></dsig:RSAKeyValue></saml:AttributeValue></saml:Attribute></saml:AttributeStatement> + +<dsig:Signature Id="signature-1-1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference Id="reference-1-1" URI=""><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>E+BXH0C2F6EYHjdJrOUKr+DsKT8=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>Hvj40m9ridp2HOz81MTAqzf0q+sZC5YeKpJP43eK5G1HNH1/DNGU/r/6IVPibU9Y +YGYJoXpznxRFibEQ6dFCHAaNPyADmdGHyJSWryI5ypAap4Y8MJnaUGSWY49IZbht +PjfKWB2jUNzj1T2u6ebIifAThAK8ZqIE+e5uaR+qrrLicxIhXcSZoyScbKxMuT1Q +p6zNsNBOHujbVAfKFUE8WmGInyvuoDgerUrA0XstWWg2M9ghytcDJwZpTYwXvmmo +GV47ue0ITrtM+QqWVbt+dHO8369JFnGQ9h/6h/4j9iyNuxfG7u/EyHQiSuy0+FP8 +1lkLsg1YX+2pN0HElyXVqw==</dsig:SignatureValue><dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>MIIEqzCCBBSgAwIBAgIHANux81oNezANBgkqhkiG9w0BAQUFADBAMSIwIAYDVQQD +ExlJQUlLIFRlc3QgSW50ZXJtZWRpYXRlIENBMQ0wCwYDVQQKEwRJQUlLMQswCQYD +VQQGEwJBVDAeFw0xMzA5MjcwNTMzMzdaFw0yMzA5MjcwNTMzMzdaMIHkMQswCQYD +VQQGEwJBVDENMAsGA1UEBxMER3JhejEmMCQGA1UEChMdR3JheiBVbml2ZXJzaXR5 +IG9mIFRlY2hub2xvZ3kxSDBGBgNVBAsTP0luc3RpdHV0ZSBmb3IgQXBwbGllZCBJ +bmZvcm1hdGlvbiBQcm9jZXNzaW5nIGFuZCBDb21tdW5pY2F0aW9uczEUMBIGA1UE +BBMLTU9BLVNTIFRlc3QxGDAWBgNVBCoTD0VHSVogVGVzdHBvcnRhbDEkMCIGA1UE +AxMbRUdJWiBUZXN0cG9ydGFsIE1PQS1TUyBUZXN0MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuDjOyf+mY+oQL2FQzzuaiC8C23vVKbq/n2Zi7BqSibZH +mtqMJfmj4pT+hWSNHvVvWsaxFcx4KeNqdCMzwnw1r4P3Sf+2o5uFku5KHEMLMokR +yYQG9VqY/KkB94ye7Pv6zT8gvKqxGFg96UamECep4swPaSZrA8AOER5WAtyGDzKI +Tz+a5zfFaTXDoba7f98PCWR96yKiFjVOhzp38WVz4VJgz+b8ZSY7Xsv5Kn7DXjOL +STX4MevFLki3rFPup3+4vGToaMBW3PEj67HXBdqR855Le6+E6rVxORqsXqlVwhsI +6nuS0CO2LWYmBNR1IB0mXteeYH/HfxvuZc+7yDjdPQIDAQABo4IBhDCCAYAwDgYD +VR0PAQH/BAQDAgbAMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFEmcH6VY4BG1EAGB +TLoNR9vH/g6yMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jYS5pYWlrLnR1Z3Jh +ei5hdC9jYXBzby9jcmxzL0lBSUtUZXN0X0ludGVybWVkaWF0ZUNBLmNybDCBqgYI +KwYBBQUHAQEEgZ0wgZowSgYIKwYBBQUHMAGGPmh0dHA6Ly9jYS5pYWlrLnR1Z3Jh +ei5hdC9jYXBzby9PQ1NQP2NhPUlBSUtUZXN0X0ludGVybWVkaWF0ZUNBMEwGCCsG +AQUFBzAChkBodHRwOi8vY2EuaWFpay50dWdyYXouYXQvY2Fwc28vY2VydHMvSUFJ +S1Rlc3RfSW50ZXJtZWRpYXRlQ0EuY2VyMCEGA1UdEQQaMBiBFnRob21hcy5sZW56 +QGVnaXouZ3YuYXQwHwYDVR0jBBgwFoAUaKJeEdreL4BrRES/jfplNoEkp28wDQYJ +KoZIhvcNAQEFBQADgYEAlFGjUxXLs7SAT8NtXSrv2WrjlklaRnHTFHLQwyVo8JWb +gvRkHHDUv2o8ofXUY2R2WJ38dxeDoccgbXrJb/Qhi8IY7YhCwv/TuIZDisyAqo8W +ORKSip/6HWlGCSR/Vgoet1GtCmF0FoUxFUIGSAuQ2yyt4fIzt5GJrU1X5ujjI1w=</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo></dsig:Signature></saml:Assertion>
\ No newline at end of file diff --git a/connector_lib/checks/spotbugs-exclude.xml b/connector_lib/checks/spotbugs-exclude.xml new file mode 100644 index 00000000..90ca96f2 --- /dev/null +++ b/connector_lib/checks/spotbugs-exclude.xml @@ -0,0 +1,9 @@ +<?xml version="1.0" encoding="UTF-8"?> +<FindBugsFilter> + <Match> + <!-- View parameters are hard-coded values --> + <Class name="at.asitplus.eidas.specific.connector.gui.SpringMvcGuiFormBuilderImpl" /> + <Method name="build" /> + <Bug pattern="SPRING_FILE_DISCLOSURE" /> + </Match> +</FindBugsFilter> diff --git a/connector_lib/pom.xml b/connector_lib/pom.xml index 795096f9..9a187f7f 100644 --- a/connector_lib/pom.xml +++ b/connector_lib/pom.xml @@ -68,6 +68,15 @@ </dependency> </dependencies> </plugin> + + <plugin> + <groupId>com.github.spotbugs</groupId> + <artifactId>spotbugs-maven-plugin</artifactId> + <version>${spotbugs-maven-plugin.version}</version> + <configuration> + <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile> + </configuration> + </plugin> </plugins> </build> diff --git a/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/config/ServiceProviderConfiguration.java b/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/config/ServiceProviderConfiguration.java index 6f7eace3..362d0244 100644 --- a/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/config/ServiceProviderConfiguration.java +++ b/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/config/ServiceProviderConfiguration.java @@ -57,12 +57,14 @@ public class ServiceProviderConfiguration extends SpConfigurationImpl { } + @Override public boolean hasBaseIdTransferRestriction() { final Boolean spConfigPolicy = isConfigurationValue( MsEidasNodeConstants.PROP_CONFIG_SP_POLICY_BASEIDTRANSFER_RESTRICTION); - if (spConfigPolicy != null) { + if (spConfigPolicy) { return spConfigPolicy; + } else { log.trace("SP configuration defines no baseID transfer restriction. Enforce default policy ..."); for (final String el : getTargetsWithNoBaseIdTransferRestriction()) { diff --git a/eidas_modules/authmodule-eIDAS-v2/checks/spotbugs-exclude.xml b/eidas_modules/authmodule-eIDAS-v2/checks/spotbugs-exclude.xml new file mode 100644 index 00000000..375f73f4 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/checks/spotbugs-exclude.xml @@ -0,0 +1,31 @@ +<?xml version="1.0" encoding="UTF-8"?> +<FindBugsFilter> + <Match> + <!-- Do not check code generated by Apache CXF framework --> + <Class name="~szrservices.SZRException"/> + </Match> + <Match> + <!-- Logging of SAML2 responses in case of errors or for debugging is allowed --> + <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.EidasSignalServlet" /> + <Method name="getPendingRequestId" /> + <Bug pattern="CRLF_INJECTION_LOGS" /> + </Match> + <Match> + <!-- CSFR protection is implemented by pendingRequestId that is an one-time token --> + <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.EidasSignalServlet" /> + <Method name="restoreEidasAuthProcess" /> + <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" /> + </Match> + <Match> + <!-- File path is only loaded from configuration --> + <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry" /> + <Method name="initialize" /> + <Bug pattern="PATH_TRAVERSAL_IN" /> + </Match> + <Match> + <!-- Redirect URL is only loaded from configuration --> + <Class name="at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.GenerateAuthnRequestTask" /> + <Method name="execute" /> + <Bug pattern="UNVALIDATED_REDIRECT" /> + </Match> +</FindBugsFilter> diff --git a/eidas_modules/authmodule-eIDAS-v2/pom.xml b/eidas_modules/authmodule-eIDAS-v2/pom.xml index b2e841fb..d8459f9e 100644 --- a/eidas_modules/authmodule-eIDAS-v2/pom.xml +++ b/eidas_modules/authmodule-eIDAS-v2/pom.xml @@ -251,22 +251,33 @@ <plugin> <groupId>com.github.spotbugs</groupId> <artifactId>spotbugs-maven-plugin</artifactId> + <version>${spotbugs-maven-plugin.version}</version> + <configuration> + <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile> + </configuration> + </plugin> + + <plugin> + <groupId>org.jacoco</groupId> + <artifactId>jacoco-maven-plugin</artifactId> <executions> <execution> - <id>spotbugs_validate</id> + <id>post-unit-check</id> <phase>test</phase> <goals> <goal>check</goal> </goals> + <configuration> + <excludes> + <exclude>**/at/gv/e_government/reference/namespace/persondata/_20020228/*</exclude> + <exclude>**/org/w3/_2000/_09/*</exclude> + <exclude>**/szrservices/*</exclude> + </excludes> + </configuration> </execution> </executions> - <configuration> - <failOnError>true</failOnError> - <excludeFilterFile>spotbugs_exclude.xml</excludeFilterFile> - </configuration> </plugin> - <!-- enable co-existence of testng and junit --> <plugin> <artifactId>maven-surefire-plugin</artifactId> diff --git a/eidas_modules/authmodule-eIDAS-v2/spotbugs_exclude.xml b/eidas_modules/authmodule-eIDAS-v2/spotbugs_exclude.xml deleted file mode 100644 index 90d418ff..00000000 --- a/eidas_modules/authmodule-eIDAS-v2/spotbugs_exclude.xml +++ /dev/null @@ -1,6 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<FindBugsFilter> - <Match> - <Class name="~szrservices.SZRException"/> - </Match> -</FindBugsFilter>
\ No newline at end of file diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java index cfaecfbb..234d52dd 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java @@ -79,7 +79,8 @@ public class AuthBlockSigningService { EidasAuchBlock authBlock = new EidasAuchBlock(); authBlock.setChallenge(UUID.randomUUID().toString()); authBlock.setTimestamp(LocalDateTime.now().truncatedTo(ChronoUnit.SECONDS)); - authBlock.setUniqueId(pendingReq.getRawData(MsEidasNodeConstants.DATA_REQUESTERID, String.class)); + authBlock.setUniqueId(pendingReq.getRawData(MsEidasNodeConstants.DATA_REQUESTERID, String.class)); + authBlock.setPiiTransactionId(pendingReq.getUniquePiiTransactionIdentifier()); String jwsPayload = mapper.writeValueAsString(authBlock); log.debug("Building and sign authBlock with data: {}", jwsPayload); @@ -185,6 +186,9 @@ public class AuthBlockSigningService { @JsonProperty("appId") private String uniqueId; + @JsonProperty("piiTransactionId") + private String piiTransactionId; + } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java index 69b993a4..6de5dae9 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java @@ -45,6 +45,7 @@ import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; +import javax.xml.XMLConstants; import javax.xml.bind.JAXBContext; import javax.xml.bind.Marshaller; import javax.xml.namespace.QName; @@ -58,8 +59,6 @@ import javax.xml.ws.BindingProvider; import javax.xml.ws.Dispatch; import javax.xml.ws.handler.Handler; -import com.fasterxml.jackson.core.JsonProcessingException; -import com.fasterxml.jackson.databind.ObjectMapper; import org.apache.commons.lang3.StringUtils; import org.apache.cxf.configuration.jsse.TLSClientParameters; import org.apache.cxf.endpoint.Client; @@ -75,6 +74,9 @@ import org.springframework.stereotype.Service; import org.w3c.dom.Document; import org.w3c.dom.Element; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.ObjectMapper; + import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.SzrCommunicationException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.LoggingHandler; @@ -229,7 +231,7 @@ public class SzrClient { final String resp; try { - resp = this.szr.getStammzahlEncrypted(personInfo, false); + resp = this.szr.getStammzahlEncrypted(personInfo, true); } catch (SZRException_Exception e) { throw new SzrCommunicationException("ernb.02", new Object[]{e.getMessage()}, e); } @@ -488,6 +490,7 @@ public class SzrClient { private byte[] sourceToByteArray(Source result) throws TransformerException { final TransformerFactory factory = TransformerFactory.newInstance(); + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); final Transformer transformer = factory.newTransformer(); transformer.setOutputProperty("omit-xml-declaration", "yes"); transformer.setOutputProperty("method", "xml"); diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java index f9142f8e..11f8fc04 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java @@ -162,6 +162,7 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { //inject personal-data into session authProcessData.setGenericDataToSession(Constants.SZR_AUTHBLOCK, jwsSignature); authProcessData.setGenericDataToSession(Constants.EIDAS_BIND, signedEidasBind); + authProcessData.setEidProcess(true); } else { //request SZR @@ -182,6 +183,7 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { //inject personal-data into session authProcessData.setIdentityLink(idlResult.getIdentityLink()); + authProcessData.setEidProcess(false); // set bPK and bPKType into auth session authProcessData.setGenericDataToSession(PvpAttributeDefinitions.BPK_NAME, extendBpkByPrefix( diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java index dd485ee6..44fa01e8 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java @@ -2,6 +2,8 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.test.tasks; import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE; import static org.mockito.ArgumentMatchers.any; +import static org.mockito.Mockito.times; +import static org.mockito.Mockito.verify; import static org.powermock.api.mockito.PowerMockito.when; import java.io.IOException; @@ -13,6 +15,7 @@ import java.security.cert.X509Certificate; import java.util.Arrays; import java.util.Collections; import java.util.HashMap; +import java.util.Iterator; import java.util.List; import java.util.Map; @@ -29,6 +32,7 @@ import org.junit.BeforeClass; import org.junit.Rule; import org.junit.Test; import org.junit.runner.RunWith; +import org.mockito.ArgumentCaptor; import org.powermock.core.classloader.annotations.PrepareForTest; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.mock.web.MockHttpServletRequest; @@ -39,18 +43,22 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; import org.springframework.web.context.request.RequestContextHolder; import org.springframework.web.context.request.ServletRequestAttributes; +import com.fasterxml.jackson.databind.JsonNode; +import com.fasterxml.jackson.databind.ObjectMapper; import com.skjolberg.mockito.soap.SoapServiceRule; import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.SzrCommunicationException; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.AuthBlockSigningService; import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry; import at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.CreateIdentityLinkTask; import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.JoseUtils; import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.JoseUtils.JwsResult; +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.IRequestStorage; import at.gv.egiz.eaaf.core.api.data.EaafConfigConstants; import at.gv.egiz.eaaf.core.api.data.EaafConstants; +import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egiz.eaaf.core.exceptions.EaafException; @@ -64,11 +72,14 @@ import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper; import at.gv.egiz.eaaf.core.impl.idp.module.test.DummySpConfiguration; import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl; import at.gv.egiz.eaaf.core.impl.idp.process.ExecutionContextImpl; +import at.gv.egiz.eaaf.core.impl.utils.Random; import eu.eidas.auth.commons.attribute.AttributeDefinition; import eu.eidas.auth.commons.attribute.ImmutableAttributeMap; import eu.eidas.auth.commons.attribute.PersonType; import eu.eidas.auth.commons.protocol.impl.AuthenticationResponse; import lombok.val; +import szrservices.JwsHeaderParam; +import szrservices.PersonInfoType; import szrservices.SZR; import szrservices.SignContentEntry; import szrservices.SignContentResponseType; @@ -93,7 +104,7 @@ public class CreateIdentityLinkTaskEidNewTest { EaafKeyStoreFactory keyStoreFactory; @Autowired - private AuthBlockSigningService authBlockSigner; + private IRequestStorage requestStorage; final ExecutionContext executionContext = new ExecutionContextImpl(); private MockHttpServletRequest httpReq; @@ -110,6 +121,10 @@ public class CreateIdentityLinkTaskEidNewTest { AlgorithmIdentifiers.ECDSA_USING_P521_CURVE_AND_SHA512, AlgorithmIdentifiers.RSA_PSS_USING_SHA256, AlgorithmIdentifiers.RSA_PSS_USING_SHA512)); + private static ObjectMapper mapper = new ObjectMapper(); + + private AuthenticationResponse response; + @Rule public final SoapServiceRule soap = SoapServiceRule.newInstance(); @@ -143,7 +158,7 @@ public class CreateIdentityLinkTaskEidNewTest { oaParam = new DummySpConfiguration(spConfig, basicConfig); pendingReq = new TestRequestImpl(); - final AuthenticationResponse response = buildDummyAuthResponse(); + response = buildDummyAuthResponse(); pendingReq.getSessionData(AuthProcessDataWrapper.class) .setGenericDataToSession(Constants.DATA_FULL_EIDAS_RESPONSE, response); @@ -151,7 +166,8 @@ public class CreateIdentityLinkTaskEidNewTest { pendingReq.setPendingReqId(at.gv.egiz.eaaf.core.impl.utils.Random.nextProcessReferenceValue()); pendingReq.setAuthUrl("http://test.com/"); pendingReq.setTransactionId("avaasbav"); - + pendingReq.setPiiTransactionId(RandomStringUtils.randomAlphanumeric(10)); + executionContext.put(MsEidasNodeConstants.REQ_PARAM_SELECTED_COUNTRY, "XX"); executionContext.put(EaafConstants.PROCESS_ENGINE_REQUIRES_NO_POSTAUTH_REDIRECT, true); @@ -161,32 +177,129 @@ public class CreateIdentityLinkTaskEidNewTest { @Test public void successfulProcess() throws Exception { //initialize test - when(szrMock, "getStammzahlEncrypted", any(), any()).thenReturn(RandomStringUtils.randomNumeric(10)); + String vsz = RandomStringUtils.randomNumeric(10); + when(szrMock, "getStammzahlEncrypted", any(), any()).thenReturn(vsz); val signContentResp = new SignContentResponseType(); final SignContentEntry signContentEntry = new SignContentEntry(); signContentEntry.setValue(RandomStringUtils.randomAlphanumeric(10)); signContentResp.getOut().add(signContentEntry); when(szrMock, "signContent", any(), any(), any()).thenReturn(signContentResp); + String randomTestSp = RandomStringUtils.randomAlphabetic(10); + pendingReq.setRawDataToTransaction(MsEidasNodeConstants.DATA_REQUESTERID, randomTestSp); + //perform test task.execute(pendingReq, executionContext); - //validate state - final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); + //validate state + // check if pendingRequest was stored + IRequest storedPendingReq = requestStorage.getPendingRequest(pendingReq.getPendingRequestId()); + Assert.assertNotNull("pendingReq not stored", storedPendingReq); + + //check data in session + final AuthProcessDataWrapper authProcessData = storedPendingReq.getSessionData(AuthProcessDataWrapper.class); Assert.assertNotNull("AuthProcessData", authProcessData); Assert.assertNotNull("eidasBind", authProcessData.getGenericDataFromSession(Constants.EIDAS_BIND, String.class)); String authBlock = authProcessData.getGenericDataFromSession(Constants.SZR_AUTHBLOCK, String.class); Assert.assertNotNull("AuthBlock", authBlock); - - //check authblock signature + + Assert.assertTrue("EID process", authProcessData.isEidProcess()); + Assert.assertTrue("foreigner process", authProcessData.isForeigner()); + Assert.assertEquals("EID-ISSUING_NATION", "LU", + authProcessData.getGenericDataFromSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, String.class)); + Assert.assertNotNull("LoA is null", authProcessData.getQaaLevel()); + Assert.assertEquals("LoA", response.getLevelOfAssurance(), + authProcessData.getQaaLevel()); + + + // check authblock signature final AlgorithmConstraints constraints = new AlgorithmConstraints(ConstraintType.PERMIT, BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING.toArray(new String[BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING.size()])); Pair<KeyStore, Provider> keyStore = getKeyStore(); X509Certificate[] trustedCerts = EaafKeyStoreUtils .getPrivateKeyAndCertificates(keyStore.getFirst(), ALIAS, PW.toCharArray(), true, "junit").getSecond(); JwsResult result = JoseUtils.validateSignature(authBlock, Arrays.asList(trustedCerts), constraints); - Assert.assertTrue("AuthBlock not valid", result.isValid()); + Assert.assertTrue("AuthBlock not valid", result.isValid()); + JsonNode authBlockJson = mapper.readTree(result.getPayLoad()); + Assert.assertNotNull("deserialized AuthBlock", authBlockJson); + + Assert.assertNotNull("no piiTransactionId in pendingRequesdt", + storedPendingReq.getUniquePiiTransactionIdentifier()); + Assert.assertEquals("piiTransactionId", storedPendingReq.getUniquePiiTransactionIdentifier(), + authBlockJson.get("piiTransactionId").asText()); + Assert.assertEquals("appId", randomTestSp, authBlockJson.get("appId").asText()); + Assert.assertFalse("'challenge' is null", authBlockJson.get("challenge").asText().isEmpty()); + Assert.assertFalse("'timestamp' is null", authBlockJson.get("timestamp").asText().isEmpty()); + + + // check vsz request + ArgumentCaptor<PersonInfoType> argument4 = ArgumentCaptor.forClass(PersonInfoType.class); + ArgumentCaptor<Boolean> argument5 = ArgumentCaptor.forClass(Boolean.class); + verify(szrMock, times(1)).getStammzahlEncrypted(argument4.capture(), argument5.capture()); + + Boolean param5 = argument5.getValue(); + Assert.assertTrue("insertERnP flag", param5); + PersonInfoType person = argument4.getValue(); + Assert.assertEquals("FamilyName", + response.getAttributes().getAttributeValuesByFriendlyName("FamilyName").getFirstValue( + response.getAttributes().getDefinitionsByFriendlyName("FamilyName").iterator().next()), + person.getPerson().getName().getFamilyName()); + Assert.assertEquals("GivenName", + response.getAttributes().getAttributeValuesByFriendlyName("FirstName").getFirstValue( + response.getAttributes().getDefinitionsByFriendlyName("FirstName").iterator().next()), + person.getPerson().getName().getGivenName()); + Assert.assertEquals("DateOfBirth", + response.getAttributes().getAttributeValuesByFriendlyName("DateOfBirth").getFirstValue( + response.getAttributes().getDefinitionsByFriendlyName("DateOfBirth").iterator().next()) + .toString().split("T")[0], + person.getPerson().getDateOfBirth()); + + Assert.assertEquals("CitizenCountry", "LU", person.getTravelDocument().getIssuingCountry()); + Assert.assertEquals("DocumentType", "ELEKTR_DOKUMENT", person.getTravelDocument().getDocumentType()); + + Assert.assertEquals("Identifier", + response.getAttributes().getAttributeValuesByFriendlyName("PersonIdentifier").getFirstValue( + response.getAttributes().getDefinitionsByFriendlyName("PersonIdentifier").iterator().next()) + .toString().split("/")[2], + person.getTravelDocument().getDocumentNumber()); + + // check bcBind singing request + ArgumentCaptor<Boolean> argument1 = ArgumentCaptor.forClass(Boolean.class); + ArgumentCaptor<List<JwsHeaderParam>> argument2 = ArgumentCaptor.forClass(List.class); + ArgumentCaptor<List<SignContentEntry>> argument3 = ArgumentCaptor.forClass(List.class); + verify(szrMock, times(1)).signContent(argument1.capture(), argument2.capture(), argument3.capture()); + Boolean param1 = argument1.getValue(); + Assert.assertFalse("addCert flag", param1); + + List<JwsHeaderParam> param2 = argument2.getValue(); + Assert.assertNotNull("JWS Headers", param2); + Assert.assertFalse("JWS Headers empty", param2.isEmpty()); + Assert.assertEquals("Wrong JWS header size", 1, param2.size()); + Assert.assertEquals("Missing JWS header key", "urn:at.gv.eid:bindtype", param2.get(0).getKey()); + Assert.assertEquals("Missing JWS header value", "urn:at.gv.eid:eidasBind", param2.get(0).getValue()); + + List<SignContentEntry> param3 = argument3.getValue(); + Assert.assertNotNull("sign Payload", param3); + Assert.assertEquals("wrong sign-payload size", 1, param3.size()); + Assert.assertNotNull("payload", param3.get(0).getValue().getBytes()); + JsonNode bcBind = mapper.readTree(param3.get(0).getValue().getBytes()); + Assert.assertNotNull("bcbind req", bcBind); + + Assert.assertEquals("vsz", vsz, bcBind.get("urn:eidgvat:attributes.vsz.value").asText()); + Assert.assertEquals("eid status", "urn:eidgvat:eid.status.eidas", + bcBind.get("urn:eidgvat:attributes.eid.status").asText()); + Assert.assertTrue("pubKeys", bcBind.has("urn:eidgvat:attributes.user.pubkeys")); + Assert.assertTrue("pubKeys", bcBind.get("urn:eidgvat:attributes.user.pubkeys").isArray()); + Iterator<JsonNode> pubKeys = bcBind.get("urn:eidgvat:attributes.user.pubkeys").elements(); + Assert.assertTrue("No PubKey", pubKeys.hasNext()); + Assert.assertEquals("Wrong pubKey", + "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmxcB5jnrAwGn7xjgVFv1UBUv1pluwDRFQx7x5O6rSn7pblYfwaWeKa8y" + + "jS5BDDaZ00mhhnSlm2XByNrkg5yBGetTgBGtQVAxV5apfuAWN8TS3uSXgdZol7Khd6kraUITtnulvLe8tNaboom5P0zN6UxbJN" + + "NVLishVp80HiRXiDbplCTUk8b5cYtmivdb0+5JBTa7L5N/anRVnHHoJCXgNPTouO8daUHZbG1mPk0HgqD8rhZ+OBzE+APKH9No" + + "agedSrGRDLdIgZxkrg0mxmfsZQIi2wdJSi3y0PAjEps/s4j0nmw9bPRgCMNLBqqjxtN5JKC8E1yyLm7YefXv/nPaMwIDAQAB", + pubKeys.next().asText()); + Assert.assertFalse("More than one PubKey", pubKeys.hasNext()); } @@ -261,12 +374,19 @@ public class CreateIdentityLinkTaskEidNewTest { .attributeValueMarshaller("eu.eidas.auth.commons.attribute.impl.DateTimeAttributeValueMarshaller").build(); final ImmutableAttributeMap attributeMap = ImmutableAttributeMap.builder() - .put(attributeDef, "de/st/" + RandomStringUtils.randomNumeric(64)) + .put(attributeDef, "LU/ST/" + RandomStringUtils.randomNumeric(64)) .put(attributeDef2, RandomStringUtils.randomAlphabetic(10)) .put(attributeDef3, RandomStringUtils.randomAlphabetic(10)).put(attributeDef4, "2001-01-01").build(); val b = new AuthenticationResponse.Builder(); - return b.id("aasdf").issuer("asd").subject("asf").statusCode("200").inResponseTo("asdf").subjectNameIdFormat("afaf") - .attributes(attributeMap).build(); + return b.id("_".concat(Random.nextHexRandom16())) + .issuer(RandomStringUtils.randomAlphabetic(10)) + .subject(RandomStringUtils.randomAlphabetic(10)) + .statusCode("200") + .inResponseTo("_".concat(Random.nextHexRandom16())) + .subjectNameIdFormat("afaf") + .levelOfAssurance(EaafConstants.EIDAS_LOA_PREFIX + RandomStringUtils.randomAlphabetic(5)) + .attributes(attributeMap) + .build(); } } @@ -20,29 +20,32 @@ <egiz-spring-api>0.3</egiz-spring-api> <egiz-eventlog-slf4jBackend>0.4</egiz-eventlog-slf4jBackend> <eaaf-core.version>1.1.10</eaaf-core.version> - <org.springframework.version>5.2.9.RELEASE</org.springframework.version> + <org.springframework.version>5.2.12.RELEASE</org.springframework.version> <org.thymeleaf-spring5.version>3.0.11.RELEASE</org.thymeleaf-spring5.version> - <cxf.version>3.4.0</cxf.version> + <cxf.version>3.4.1</cxf.version> <org.apache.commons-lang3.version>3.11</org.apache.commons-lang3.version> <org.apache.commons-text.version>1.9</org.apache.commons-text.version> <commons-collections4.version>4.4</commons-collections4.version> - <com.google.guava.version>29.0-jre</com.google.guava.version> - <joda-time.version>2.10.6</joda-time.version> + <com.google.guava.version>30.0-jre</com.google.guava.version> + <joda-time.version>2.10.8</joda-time.version> <org.slf4j.version>1.7.30</org.slf4j.version> - <jackson-datatype-jsr310.version>2.11.3</jackson-datatype-jsr310.version> - - + <jackson-datatype-jsr310.version>2.12.0</jackson-datatype-jsr310.version> + + <!-- testing --> - <junit.version>4.13</junit.version> + <junit.version>4.13.1</junit.version> <surefire.version>2.22.2</surefire.version> <mockito-soap-cxf.version>1.0.5</mockito-soap-cxf.version> <!-- Code quality checks --> <jacoco-maven-plugin.version>0.8.6</jacoco-maven-plugin.version> <maven-checkstyle-plugin.version>3.1.1</maven-checkstyle-plugin.version> - <maven-pmd-plugin.version>3.13.0</maven-pmd-plugin.version> - <spotbugs-maven-plugin.version>4.0.4</spotbugs-maven-plugin.version> + <maven-pmd-plugin.version>3.14.0</maven-pmd-plugin.version> + <spotbugs-maven-plugin.version>4.1.4</spotbugs-maven-plugin.version> + <findsecbugs-plugin.version>1.11.0</findsecbugs-plugin.version> + + <dependency-check-maven.version>6.0.3</dependency-check-maven.version> <license.outputDirectory>${project.build.directory}/thirdparty_licenses</license.outputDirectory> <pmw_rules_location>https://apps.egiz.gv.at/checkstyle/egiz_pmd_checks.xml</pmw_rules_location> @@ -95,6 +98,7 @@ <module>connector_lib</module> <module>connector</module> <module>eidas_modules</module> + <module>build_reporting</module> </modules> <dependencyManagement> @@ -121,6 +125,12 @@ <version>${eaaf-core.version}</version> </dependency> <dependency> + <groupId>at.asitplus.eidas.ms_specific</groupId> + <artifactId>ms_specific_connector</artifactId> + <type>war</type> + <version>${egiz.eidas.version}</version> + </dependency> + <dependency> <groupId>at.asitplus.eidas.ms_specific.modules</groupId> <artifactId>authmodule-eIDAS-v2</artifactId> <version>${egiz.eidas.version}</version> @@ -303,6 +313,24 @@ <version>${maven-assembly-plugin.version}</version> </plugin> + <plugin> + <groupId>org.owasp</groupId> + <artifactId>dependency-check-maven</artifactId> + <version>${dependency-check-maven.version}</version> + <configuration> + <failBuildOnCVSS>11</failBuildOnCVSS> + <failOnError>false</failOnError> + </configuration> + <executions> + <execution> + <goals> + <goal>check</goal> + </goals> + </execution> + </executions> + </plugin> + + </plugins> </pluginManagement> <plugins> @@ -453,6 +481,13 @@ </executions> <configuration> <failOnError>true</failOnError> + <plugins> + <plugin> + <groupId>com.h3xstream.findsecbugs</groupId> + <artifactId>findsecbugs-plugin</artifactId> + <version>${findsecbugs-plugin.version}</version> + </plugin> + </plugins> </configuration> </plugin> </plugins> @@ -479,4 +514,4 @@ </plugin> </plugins> </reporting> -</project>
\ No newline at end of file +</project> |