feat(szr): add configuration property to activate/deactivate work-around for insertErnp in case of IDA mode

5 files changed, 148 insertions, 11 deletions

diff --git a/connector/src/main/resources/application.properties b/connector/src/main/resources/application.properties
index e7437840..73a258d7 100644
--- a/connector/src/main/resources/application.properties
+++ b/connector/src/main/resources/application.properties
@@ -100,7 +100,7 @@ eidas.ms.auth.eIDAS.szrclient.eidasbind.mds.inject=false
 
 #Raw eIDAS Id data storage
 eidas.ms.auth.eIDAS.szrclient.workarounds.eidmapping.revisionlog.active=true
-
+eidas.ms.auth.eIDAS.szrclient.workarounds.use.getidentitylink.for.ida=true
 
 eidas.ms.auth.eIDAS.szrclient.params.setPlaceOfBirthIfAvailable=true
 eidas.ms.auth.eIDAS.szrclient.params.setBirthNameIfAvailable=true
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java
index 1732a61a..08b1b315 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java
@@ -132,6 +132,10 @@ public class Constants {
   public static final String CONIG_PROPS_EIDAS_SZRCLIENT_WORKAROUND_SQLLITEDATASTORE_ACTIVE =
       CONIG_PROPS_EIDAS_SZRCLIENT + ".workarounds.datastore.sqlite.active";
 
+  public static final String CONIG_PROPS_EIDAS_SZRCLIENT_WORKAROUND_IDA_VSZ_IDL =
+      CONIG_PROPS_EIDAS_SZRCLIENT + ".workarounds.use.getidentitylink.for.ida";
+
+  
   // http endpoint descriptions
   public static final String eIDAS_HTTP_ENDPOINT_SP_POST = "/eidas/light/sp/post";
   public static final String eIDAS_HTTP_ENDPOINT_SP_REDIRECT = "/eidas/light/sp/redirect";
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
index 5558fdfd..e000a2e4 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
@@ -226,15 +226,15 @@ public class SzrClient {
    * Request a encryped baseId from SRZ.
    *
    * @param personInfo Minimum dataset of person
+   * @param insertErnp insertErnp flag on SZR request
    * @return encrypted baseId
    * @throws SzrCommunicationException    In case of a SZR error
    */
-  public String getEncryptedStammzahl(final PersonInfoType personInfo)
-      throws SzrCommunicationException {
-
+  public String getEncryptedStammzahl(final PersonInfoType personInfo, boolean insertErnp) 
+    throws SzrCommunicationException{
     final String resp;
     try {
-      resp = this.szr.getStammzahlEncrypted(personInfo, false);
+      resp = this.szr.getStammzahlEncrypted(personInfo, insertErnp);
     } catch (SZRException_Exception e) {
       throw new SzrCommunicationException("ernb.02", new Object[]{e.getMessage()}, e);
     }
@@ -244,6 +244,23 @@ public class SzrClient {
     }
 
     return resp;
+    
+  }
+  
+  
+  
+  
+  
+  /**
+   * Request a encrypted baseId from SRZ without insertErnp.
+   *
+   * @param personInfo Minimum dataset of person
+   * @return encrypted baseId
+   * @throws SzrCommunicationException    In case of a SZR error
+   */
+  public String getEncryptedStammzahl(final PersonInfoType personInfo)
+      throws SzrCommunicationException {
+    return getEncryptedStammzahl(personInfo, false);
 
   }
 
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
index 4a501ed6..d08d8362 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java
@@ -150,12 +150,9 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
         if (pendingReq.getServiceProviderConfiguration()
             .isConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE, false)) {
           
-          // work-around, because getEncryptedStammzahl does not support insertERnP for eIDAS entities
-          SzrResultHolder idlResult = requestSzrForIdentityLink(personInfo);
-                              
-          // get encrypted baseId
-          String vsz = szrClient.getEncryptedStammzahl(buildGetEncryptedBaseIdReq(idlResult.identityLink));
-                    
+          // get VSZ
+          String vsz = getVszForPerson(personInfo);
+                                                         
           //write revision-Log entry and extended infos personal-identifier mapping
           revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_VSZ_RECEIVED);
           writeExtendedRevisionLogEntry(simpleAttrMap, eidData);
@@ -224,6 +221,24 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
     }
   }
 
+  private String getVszForPerson(PersonInfoType personInfo) throws SzrCommunicationException, EaafException {
+    if (basicConfig.getBasicConfigurationBoolean(
+        Constants.CONIG_PROPS_EIDAS_SZRCLIENT_WORKAROUND_IDA_VSZ_IDL, true)) {
+      log.debug("IDA workaround is active. Requesting IDL to insert person into ERnP .... ");
+      
+      // work-around, because getEncryptedStammzahl does not support insertERnP for eIDAS entities
+      SzrResultHolder idlResult = requestSzrForIdentityLink(personInfo);
+                                   
+      // get encrypted baseId
+      return szrClient.getEncryptedStammzahl(buildGetEncryptedBaseIdReq(idlResult.identityLink));
+      
+                 
+    } else {
+      return szrClient.getEncryptedStammzahl(personInfo, true);  
+      
+    }
+  }
+
   private PersonInfoType buildGetEncryptedBaseIdReq(IIdentityLink identityLink) throws EaafBuilderException {
     log.debug("Generating getVsz request from identityLink information ... ");
     final PersonInfoType personInfo = new PersonInfoType();
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java
index 720365fe..fbc070a9 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java
@@ -141,6 +141,7 @@ public class CreateIdentityLinkTaskEidNewTest {
     RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpReq, httpResp));
        
     basicConfig.putConfigValue("eidas.ms.auth.eIDAS.szrclient.debug.useDummySolution", "false");
+    basicConfig.putConfigValue("eidas.ms.auth.eIDAS.szrclient.workarounds.use.getidentitylink.for.ida", "true");
     
     final Map<String, String> spConfig = new HashMap<>();
     spConfig.put(EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER, "testSp");
@@ -302,6 +303,106 @@ public class CreateIdentityLinkTaskEidNewTest {
     
   }
 
+
+  
+  @Test
+  public void successfulProcessWithStandardInfosWithoutIdl() throws Exception {
+    //initialize test
+    basicConfig.putConfigValue("eidas.ms.auth.eIDAS.szrclient.workarounds.use.getidentitylink.for.ida", "false");
+    
+    String vsz = RandomStringUtils.randomNumeric(10);
+    when(szrMock, "getStammzahlEncrypted", any(), any()).thenReturn(vsz);
+    val signContentResp = new SignContentResponseType();
+    final SignContentEntry signContentEntry = new SignContentEntry();
+    signContentEntry.setValue(RandomStringUtils.randomAlphanumeric(10));
+    signContentResp.getOut().add(signContentEntry);
+    when(szrMock, "signContent", any(), any(), any()).thenReturn(signContentResp);
+    
+    String randomTestSp = RandomStringUtils.randomAlphabetic(10);
+    String bindingPubKey = RandomStringUtils.randomAlphabetic(10);
+    pendingReq.setRawDataToTransaction(MsEidasNodeConstants.DATA_REQUESTERID, randomTestSp);
+    pendingReq.setRawDataToTransaction(MsEidasNodeConstants.EID_BINDING_PUBLIC_KEY_NAME, bindingPubKey);
+    
+    //perform test
+    task.execute(pendingReq, executionContext);
+
+    //validate state    
+    // check if pendingRequest was stored
+    IRequest storedPendingReq = requestStorage.getPendingRequest(pendingReq.getPendingRequestId());
+    Assert.assertNotNull("pendingReq not stored", storedPendingReq);
+    
+    //check data in session
+    final AuthProcessDataWrapper authProcessData = storedPendingReq.getSessionData(AuthProcessDataWrapper.class);
+    Assert.assertNotNull("AuthProcessData", authProcessData);
+    Assert.assertNotNull("eidasBind", authProcessData.getGenericDataFromSession(Constants.EIDAS_BIND, String.class));
+
+    // check authblock signature
+    String authBlock = authProcessData.getGenericDataFromSession(Constants.SZR_AUTHBLOCK, String.class);
+    Assert.assertNotNull("AuthBlock", authBlock);
+    final AlgorithmConstraints constraints = new AlgorithmConstraints(ConstraintType.PERMIT,
+        BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING.toArray(new String[BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING.size()]));
+    Pair<KeyStore, Provider> keyStore = getKeyStore();
+    X509Certificate[] trustedCerts = EaafKeyStoreUtils
+        .getPrivateKeyAndCertificates(keyStore.getFirst(), ALIAS, PW.toCharArray(), true, "junit").getSecond();
+    JwsResult result = JoseUtils.validateSignature(authBlock, Arrays.asList(trustedCerts), constraints);
+    Assert.assertTrue("AuthBlock not valid", result.isValid());        
+    JsonNode authBlockJson = mapper.readTree(result.getPayLoad());    
+    Assert.assertNotNull("deserialized AuthBlock", authBlockJson);
+    
+    Assert.assertNotNull("no piiTransactionId in pendingRequesdt", 
+        storedPendingReq.getUniquePiiTransactionIdentifier());
+    Assert.assertEquals("piiTransactionId", storedPendingReq.getUniquePiiTransactionIdentifier(), 
+        authBlockJson.get("piiTransactionId").asText());
+    Assert.assertEquals("appId", randomTestSp, authBlockJson.get("appId").asText());    
+    Assert.assertFalse("'challenge' is null", authBlockJson.get("challenge").asText().isEmpty());
+    Assert.assertFalse("'timestamp' is null", authBlockJson.get("timestamp").asText().isEmpty());
+    Assert.assertTrue("binding pubKey", authBlockJson.has("bindingPublicKey"));
+    Assert.assertEquals("binding PubKey", bindingPubKey, authBlockJson.get("bindingPublicKey").asText());
+    
+    Assert.assertTrue("EID process", authProcessData.isEidProcess());
+    Assert.assertTrue("foreigner process", authProcessData.isForeigner());
+    Assert.assertEquals("EID-ISSUING_NATION", "LU", 
+        authProcessData.getGenericDataFromSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, String.class));
+    Assert.assertNotNull("LoA is null", authProcessData.getQaaLevel());
+    Assert.assertEquals("LoA", response.getLevelOfAssurance(), 
+        authProcessData.getQaaLevel());
+      
+    // check vsz request
+    ArgumentCaptor<PersonInfoType> argument4 = ArgumentCaptor.forClass(PersonInfoType.class);
+    ArgumentCaptor<Boolean> argument5 = ArgumentCaptor.forClass(Boolean.class);        
+    verify(szrMock, times(1)).getStammzahlEncrypted(argument4.capture(), argument5.capture());
+    
+    Boolean param5 = argument5.getValue();
+    Assert.assertTrue("insertERnP flag", param5);    
+    PersonInfoType person = argument4.getValue();
+    Assert.assertEquals("FamilyName", 
+        response.getAttributes().getAttributeValuesByFriendlyName("FamilyName").getFirstValue(
+            response.getAttributes().getDefinitionsByFriendlyName("FamilyName").iterator().next()), 
+        person.getPerson().getName().getFamilyName());
+    Assert.assertEquals("GivenName", 
+        response.getAttributes().getAttributeValuesByFriendlyName("FirstName").getFirstValue(
+            response.getAttributes().getDefinitionsByFriendlyName("FirstName").iterator().next()), 
+        person.getPerson().getName().getGivenName());
+    Assert.assertEquals("DateOfBirth", 
+        response.getAttributes().getAttributeValuesByFriendlyName("DateOfBirth").getFirstValue(
+            response.getAttributes().getDefinitionsByFriendlyName("DateOfBirth").iterator().next())
+            .toString().split("T")[0], 
+        person.getPerson().getDateOfBirth());
+    
+    Assert.assertNull("PlaceOfBirth", person.getPerson().getPlaceOfBirth());     
+    Assert.assertNull("BirthName", person.getPerson().getAlternativeName());
+    
+    Assert.assertEquals("CitizenCountry", "LU", person.getTravelDocument().getIssuingCountry());
+    Assert.assertEquals("DocumentType", "ELEKTR_DOKUMENT", person.getTravelDocument().getDocumentType());
+    
+    Assert.assertEquals("Identifier", 
+        response.getAttributes().getAttributeValuesByFriendlyName("PersonIdentifier").getFirstValue(
+            response.getAttributes().getDefinitionsByFriendlyName("PersonIdentifier").iterator().next())
+            .toString().split("/")[2], 
+        person.getTravelDocument().getDocumentNumber());
+    
+  }
+  
   @Test
   public void successfulProcessWithStandardInfos() throws Exception {
     //initialize test