authorThomas <>2023-03-02 11:09:43 +0100
committerThomas <>2023-03-02 11:09:43 +0100
commit72785de93272ba74a5b587403cd5097727674115 (patch)
tree5c3c4a2a31d0f0c5b26f4fe08ce22c7f3891e4c4
parent779eb51796aecd05606b7abc69851b02214d21cd (diff)
feat(connector): make nameIdFormat configurable for each citizen country
-rw-r--r--modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java16
-rw-r--r--modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java4
-rw-r--r--modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/GenerateAuthnRequestTaskTest.java50
-rw-r--r--modules/authmodule-eIDAS-v2/src/test/resources/config/junit_config_1.properties2
-rw-r--r--ms_specific_connector/src/main/resources/application.properties2
5 files changed, 69 insertions, 5 deletions
diff --git a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java
index fa26e48f..80348f3d 100644
--- a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java
+++ b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java
@@ -78,6 +78,7 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor {
validateSelectionWithState(pendingReq, countryCode);
// build country-specific authentication request
+ buildNameIdPolicy(authnRequestBuilder, countryCode);
buildLevelOfAssurance(pendingReq.getServiceProviderConfiguration(), authnRequestBuilder);
buildProviderNameAndRequesterIdAttribute(pendingReq, authnRequestBuilder);
buildRequestedAttributes(authnRequestBuilder);
@@ -320,6 +321,21 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor {
}
+ private void buildNameIdPolicy(Builder authnRequestBuilder, String countryCode) {
+ String ccSpecificPolicy = basicConfig.getBasicConfiguration(
+ Constants.CONFIG_PROP_EIDAS_NODE_NAMEIDFORMAT + "." + countryCode.toLowerCase());
+
+ if (StringUtils.isNotEmpty(ccSpecificPolicy)) {
+ log.debug("Using specific nameIdFormat:{} to request: {}", ccSpecificPolicy, countryCode);
+ authnRequestBuilder.nameIdFormat(ccSpecificPolicy);
+
+ } else {
+ log.trace("Using default nameIdFormat to request: {}", countryCode);
+ authnRequestBuilder.nameIdFormat(
+ basicConfig.getBasicConfiguration(Constants.CONFIG_PROP_EIDAS_NODE_NAMEIDFORMAT));
+
+ }
+ }
private void buildRequestedAttributes(Builder authnRequestBuilder) {
// build and add requested attribute set
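Review bot: `countryCode.toLowerCase()` in buildNameIdPolicy lower-cases with the JVM default locale, so under a Turkish default locale a code such as `IT` becomes a dotless-i string that never matches the configured key and the request silently falls back to the default format; use `countryCode.toLowerCase(Locale.ROOT)` (java.util.Locale) so the lookup key is independent of the server locale. When neither the country-specific nor the default key is configured, `authnRequestBuilder.nameIdFormat(null)` is passed, as the removed code in GenerateAuthnRequestTask already did; a `log.warn` in that branch would make a missing configuration visible in operation instead of relying on the eIDAS node to reject the request. The method also has no Javadoc; a one-liner such as `/** Sets the NameIDFormat from the country-specific config key, falling back to the default key. */` would document the precedence rule.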
diff --git a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java
index cf6ecb8d..82489e25 100644
--- a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java
+++ b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java
@@ -181,10 +181,6 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
final LightRequest.Builder builder = LightRequest.builder();
builder.id(UUID.randomUUID().toString());
- // set nameIDFormat
- builder.nameIdFormat(
- authConfig.getBasicConfiguration(Constants.CONFIG_PROP_EIDAS_NODE_NAMEIDFORMAT));
-
builder.citizenCountryCode(citizenCountryCode);
builder.issuer(issuer);
// Add country-specific information into eIDAS request
diff --git a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/GenerateAuthnRequestTaskTest.java b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/GenerateAuthnRequestTaskTest.java
index 761738aa..f9bca8e3 100644
--- a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/GenerateAuthnRequestTaskTest.java
+++ b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/GenerateAuthnRequestTaskTest.java
@@ -95,7 +95,8 @@ public class GenerateAuthnRequestTaskTest {
basicConfig.putConfigValue(
"eidas.ms.auth.eIDAS.node_v2.forward.method", "GET");
basicConfig.removeConfigValue("eidas.ms.auth.eIDAS.node_v2.requested.nameIdFormat");
- basicConfig.removeConfigValue(Constants.CONIG_PROPS_EIDAS_WORKAROUND_STAGING_MS_CONNECTOR);
+ basicConfig.removeConfigValue(Constants.CONIG_PROPS_EIDAS_WORKAROUND_STAGING_MS_CONNECTOR);
+ basicConfig.removeConfigValue("eidas.ms.auth.eIDAS.node_v2.requested.nameIdFormat.de");
}
@@ -503,6 +504,48 @@ public class GenerateAuthnRequestTaskTest {
}
@Test
+ public void ccSpecificNameIdFormat() throws TaskExecutionException,
+ SpecificCommunicationException, EaafStorageException, UnsupportedEncodingException {
+ // set-up test
+ executionContext.put(MsEidasNodeConstants.REQ_PARAM_SELECTED_COUNTRY, "DE");
+ executionContext.put("selectedEnvironment", "prod");
+
+ String providerName = RandomStringUtils.randomAlphanumeric(10);
+ pendingReq.setRawDataToTransaction(Constants.DATA_PROVIDERNAME, providerName);
+
+ basicConfig.removeConfigValue("eidas.ms.auth.eIDAS.node_v2.publicSectorTargets");
+ basicConfig.putConfigValue(
+ "eidas.ms.auth.eIDAS.node_v2.requested.nameIdFormat.de",
+ "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
+
+ String dynEndPoint = "http://test/" + RandomStringUtils.randomAlphabetic(5);
+ basicConfig.putConfigValue(
+ "eidas.ms.auth.eIDAS.node_v2.forward.endpoint", dynEndPoint);
+ basicConfig.putConfigValue(
+ "eidas.ms.auth.eIDAS.node_v2.forward.method", "GET");
+
+ // execute test
+ task.execute(pendingReq, executionContext);
+
+ // validate state
+ Assert.assertEquals("Wrong http statusCode", 302, httpResp.getStatus());
+ Assert.assertNotNull("No redirect header", httpResp.getHeaderValue("Location"));
+ Assert.assertTrue("Wrong redirect endpoint",
+ ((String) httpResp.getHeaderValue("Location")).startsWith(dynEndPoint));
+
+ final ILightRequest eidasReq = commService.getAndRemoveRequest(null, null);
+
+ Assert.assertEquals("no PublicSP", "public", eidasReq.getSpType());
+ Assert.assertEquals("wrong LoA", EaafConstants.EIDAS_LOA_HIGH,
+ eidasReq.getLevelOfAssurance());
+
+ Assert.assertEquals("Wrong req. attr. size", 8, eidasReq.getRequestedAttributes().size());
+
+ Assert.assertEquals("nameIdFormat", "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+ eidasReq.getNameIdFormat());
+ }
+
+ @Test
public void withEidasNodePostReqNotValidTemplate() throws TaskExecutionException,
SpecificCommunicationException, EaafStorageException, UnsupportedEncodingException {
//set-up test
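Review bot: ccSpecificNameIdFormat only exercises the override when no default nameIdFormat is configured (the set-up changed in the first hunk removes `eidas.ms.auth.eIDAS.node_v2.requested.nameIdFormat`), so the precedence rule in buildNameIdPolicy — country-specific key wins over the default key — is not asserted anywhere. Adding `basicConfig.putConfigValue("eidas.ms.auth.eIDAS.node_v2.requested.nameIdFormat", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");` to this test's set-up would pin it down, since the existing assertion on `eidasReq.getNameIdFormat()` then checks that the transient value still wins. The fallback to the default is covered by the hunks at lines 125 and 134, so this is the only gap I see.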
@@ -637,6 +680,9 @@ public class GenerateAuthnRequestTaskTest {
String providerName = RandomStringUtils.randomAlphanumeric(10);
pendingReq.setRawDataToTransaction(Constants.DATA_PROVIDERNAME, providerName);
+ basicConfig.putConfigValue(
+ "eidas.ms.auth.eIDAS.node_v2.requested.nameIdFormat",
+ "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
basicConfig.removeConfigValue("eidas.ms.auth.eIDAS.node_v2.publicSectorTargets");
basicConfig.putConfigValue(
"eidas.ms.auth.eIDAS.node_v2.workarounds.addAlwaysProviderName", "false");
@@ -665,6 +711,8 @@ public class GenerateAuthnRequestTaskTest {
Assert.assertNull("RequesterId found", eidasReq.getRequesterId());
Assert.assertEquals("no PublicSP", "public", eidasReq.getSpType());
Assert.assertEquals("wrong LoA", "http://eidas.europa.eu/LoA/high", eidasReq.getLevelOfAssurance());
+ Assert.assertEquals("nameIdFormat", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
+ eidasReq.getNameIdFormat());
}
diff --git a/modules/authmodule-eIDAS-v2/src/test/resources/config/junit_config_1.properties b/modules/authmodule-eIDAS-v2/src/test/resources/config/junit_config_1.properties
index 41f0fe7b..2cd19a01 100644
--- a/modules/authmodule-eIDAS-v2/src/test/resources/config/junit_config_1.properties
+++ b/modules/authmodule-eIDAS-v2/src/test/resources/config/junit_config_1.properties
@@ -40,6 +40,8 @@ eidas.ms.auth.eIDAS.node_v2.workarounds.useStaticProviderNameForPublicSPs=true
eidas.ms.auth.eIDAS.node_v2.staticProviderNameForPublicSPs=myNode
eidas.ms.auth.eIDAS.node_v2.loa.requested.minimum=http://eidas.europa.eu/LoA/high
+eidas.ms.auth.eIDAS.node_v2.requested.nameIdFormat=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+
eidas.ms.auth.eIDAS.szrclient.useTestService=true
eidas.ms.auth.eIDAS.szrclient.endpoint.prod=
diff --git a/ms_specific_connector/src/main/resources/application.properties b/ms_specific_connector/src/main/resources/application.properties
index e0260e9c..2c37ffba 100644
--- a/ms_specific_connector/src/main/resources/application.properties
+++ b/ms_specific_connector/src/main/resources/application.properties
@@ -103,6 +103,8 @@ eidas.ms.auth.eIDAS.node_v2.workarounds.addAlwaysProviderName=false
## set NameIdPolicy to 'unspecified' as work-around for DE Middleware v1.2.x
eidas.ms.auth.eIDAS.node_v2.requested.nameIdFormat=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+#eidas.ms.auth.eIDAS.node_v2.requested.nameIdFormat.de=urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+
eidas.ms.auth.eIDAS.node_v2.loa.requested.minimum=http://eidas.europa.eu/LoA/high
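Review bot: The commented example `eidas.ms.auth.eIDAS.node_v2.requested.nameIdFormat.de` does not explain how the suffix is derived, and buildNameIdPolicy in AbstractEidProcessor looks the key up with the lower-cased country code, so a `.DE` suffix would be silently ignored and the default applied. A comment above the example such as `## optional per-country override: <nameIdFormat key>.<citizen country code, lower case>; falls back to the default above when absent` would make the key pattern and the precedence explicit to operators.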