authorChristian Kollmann <christian.kollmann@a-sit.at>2021-07-15 14:37:05 +0200
committerChristian Kollmann <christian.kollmann@a-sit.at>2021-07-15 16:15:37 +0200
commit1fdf8a0784c70479fbf59c6c3841faeae290b883 (patch)
tree0cf9e3abc5bc8d87ee15e3220cae6b4eb13005b0
parent594114759ea7df52a2a21db91e20272f3aa5a3c9 (diff)
Verify data of alternative eIDAS authn matches initial authn
-rw-r--r--eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleEidasData.java28
-rw-r--r--eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java16
2 files changed, 34 insertions, 10 deletions
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleEidasData.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleEidasData.java
index cedf01e3..35f353f4 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleEidasData.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleEidasData.java
@@ -38,10 +38,10 @@ public class SimpleEidasData {
* Full eIDAS personal identifier with prefix.
*/
private final String personalIdentifier;
-
+
/**
* Citizen country-code from eIDAS personal-identifier.
- */
+ */
private final String citizenCountryCode;
// MDS
@@ -67,11 +67,11 @@ public class SimpleEidasData {
* @throws WorkflowException if multiple results have been found
*/
public boolean equalsRegisterData(RegisterResult result) throws WorkflowException {
- /*TODO: maybe this is check is not valid, because only the minimum data-set (personalIdentifer, givenName,
+ /*TODO: maybe this is check is not valid, because only the minimum data-set (personalIdentifer, givenName,
* familyName, dateOfBirth) has to be always available. Any other attributes are optional.
- * This check will always evaluate to false if register has more information as current eIDAS process!!!
+ * This check will always evaluate to false if register has more information as current eIDAS process!!!
*/
-
+
return new EqualsBuilder()
.append(result.getGivenName(), givenName)
.append(result.getFamilyName(), familyName)
@@ -80,10 +80,20 @@ public class SimpleEidasData {
.append(result.getBirthName(), birthName)
.append(result.getTaxNumber(), taxNumber)
.isEquals() && result.getPseudonym().stream()
- .filter(el -> el.equals(pseudonym))
- .findFirst()
- .isPresent();
-
+ .anyMatch(el -> el.equals(pseudonym));
}
+ /**
+ * Checks if the MDS (<code>givenName</code>, <code>familyName</code>,
+ * <code>dateOfBirth</code>) matches.
+ */
+ public boolean equalsMds(SimpleEidasData other) {
+ return new EqualsBuilder()
+ .append(other.givenName, givenName)
+ .append(other.familyName, familyName)
+ .append(other.dateOfBirth, dateOfBirth)
+ .isEquals();
+ }
+
+
}
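Review bot: `equalsMds` dereferences `other` without a null check, so a null argument ends in a NullPointerException rather than `false` or a meaningful error; the only caller added in this commit guards against null before calling, but a public method should not depend on that. Add `Objects.requireNonNull(other, "other");` as the first statement (importing `java.util.Objects` if this file does not already), or `if (other == null) { return false; }` if a non-match is the intended result, and extend the Javadoc with `@param other the eIDAS data-set to compare with` and `@return {@code true} if givenName, familyName and dateOfBirth are all equal`. Since the comparison is plain `equals` on the three attributes, stating in the Javadoc that no case or whitespace normalization is applied would tell callers what a "match" means here. The `anyMatch(el -> el.equals(pseudonym))` rewrite in `equalsRegisterData` keeps the pre-existing NullPointerException for a null list element; `Objects.equals(el, pseudonym)` would make it null-safe. The two blank lines before the closing brace of the class can be dropped.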
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java
index 38a7076a..4705c56b 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java
@@ -46,6 +46,7 @@ import org.springframework.stereotype.Component;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Map;
+import java.util.Objects;
import static at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants.TRANSITION_TO_GENERATE_OTHER_LOGIN_METHOD_GUI_TASK;
@@ -97,7 +98,7 @@ public class AlternativeSearchTask extends AbstractAuthServletTask {
try {
final SimpleEidasData altEidasData = convertEidasAttrToSimpleData();
final SimpleEidasData initialEidasData = MatchingTaskUtils.getInitialEidasData(pendingReq);
- // TODO Verify that altEidasData and initialEidasData "match"?
+ verifyAlternativeEidasData(altEidasData, initialEidasData);
step11RegisterSearchWithPersonIdentifier(executionContext, altEidasData, initialEidasData);
} catch (WorkflowException e) {
throw new TaskExecutionException(pendingReq, "Initial search failed", e);
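Review bot: The call on the line after the new verification, `step11RegisterSearchWithPersonIdentifier(executionContext, altEidasData, initialEidasData)`, passes the two data-sets in the opposite order to the parameter list visible at the end of this diff, `(ExecutionContext executionContext, SimpleEidasData initialEidasData, SimpleEidasData altEidasData)`. The method body is outside the diff, so I cannot tell whether the call site or the parameter names are wrong, but the new check only guarantees that country-code and MDS are equal, not the personal identifier, so a swap would run the register search with the wrong identifier. Either change the call to `step11RegisterSearchWithPersonIdentifier(executionContext, initialEidasData, altEidasData);` or rename the parameters to match the call. The enclosing method starts before this hunk.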
@@ -107,6 +108,19 @@ public class AlternativeSearchTask extends AbstractAuthServletTask {
}
}
+ private void verifyAlternativeEidasData(SimpleEidasData altEidasData, SimpleEidasData initialEidasData)
+ throws WorkflowException {
+ if (initialEidasData == null) {
+ throw new WorkflowException("step11", "No initial eIDAS authn data");
+ }
+ if (!Objects.equals(altEidasData.getCitizenCountryCode(), initialEidasData.getCitizenCountryCode())) {
+ throw new WorkflowException("step11", "Country Code of alternative eIDAS authn not matching", true);
+ }
+ if (!altEidasData.equalsMds(initialEidasData)) {
+ throw new WorkflowException("step11", "MDS of alternative eIDAS authn does not match initial authn", true);
+ }
+ }
+
private void step11RegisterSearchWithPersonIdentifier(
ExecutionContext executionContext, SimpleEidasData initialEidasData, SimpleEidasData altEidasData)
throws WorkflowException, EaafStorageException {
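Review bot: `verifyAlternativeEidasData` rejects a null `initialEidasData` but dereferences `altEidasData` unchecked, and the two mismatch branches throw without leaving a trace in the log, although a mismatch here means a second eIDAS authentication was completed with data that does not belong to the initial one, which is exactly the event an operator would want to see. Add a Javadoc stating the contract, e.g. `Ensures the alternative eIDAS authentication belongs to the same person as the initial one (same citizen country-code and MDS); throws WorkflowException otherwise.`, and, if the class has a logger, a warn-level line before each throw naming the mismatching attribute (not the values, which are personal data). The null-data case omits the third `true` argument that the other two `WorkflowException` constructions pass; if that flag controls how the error is surfaced to the user, confirm the asymmetry is intended. The `"step11"` literal appears three times in the new method; a private constant would keep it aligned with the `step11RegisterSearchWithPersonIdentifier` naming.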