authorThomas Lenz <thomas.lenz@egiz.gv.at>2020-02-21 16:22:31 +0100
committerThomas Lenz <thomas.lenz@egiz.gv.at>2020-02-21 16:22:31 +0100
commit7ba8da297b7be40255ba5efb40c69a21fb130b3b (patch)
tree14294d39790209235180d6a1de48539e163e7ebf /connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java
parentd5f104bf22d204732897ef7127ad704d43d7a194 (diff)
update to latest EAAF components, which use OpenSAML 3.x
Diffstat (limited to 'connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java')
-rw-r--r--connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java137
1 files changed, 93 insertions, 44 deletions
diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java
index 6a223fd0..7738b0be 100644
--- a/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java
+++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java
@@ -24,38 +24,60 @@
package at.asitplus.eidas.specific.connector.provider;
import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.Provider;
import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.text.MessageFormat;
+import java.util.ArrayList;
import java.util.List;
-import org.apache.commons.httpclient.HttpClient;
-import org.apache.commons.httpclient.params.HttpClientParams;
import org.apache.commons.lang3.StringUtils;
-import org.opensaml.saml2.metadata.provider.MetadataProvider;
-import org.opensaml.xml.parse.BasicParserPool;
+import org.opensaml.saml.metadata.resolver.MetadataResolver;
+import org.opensaml.saml.metadata.resolver.filter.MetadataFilter;
+import org.opensaml.saml.metadata.resolver.filter.MetadataFilterChain;
+import org.opensaml.security.x509.BasicX509Credential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import at.asitplus.eidas.specific.connector.MsEidasNodeConstants;
-import at.asitplus.eidas.specific.connector.verification.MetadataSignatureVerificationFilter;
import at.gv.egiz.eaaf.core.api.idp.IConfigurationWithSP;
import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration;
import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
-import at.gv.egiz.eaaf.core.impl.utils.FileUtils;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.utils.IHttpClientFactory;
import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException;
import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.AbstractChainingMetadataProvider;
-import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.MetadataFilterChain;
+import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory;
import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.PvpEntityCategoryFilter;
import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SchemaValidationFilter;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SimpleMetadataSignatureVerificationFilter;
@Service("PVPMetadataProvider")
public class PvpMetadataProvider extends AbstractChainingMetadataProvider {
private static final Logger log = LoggerFactory.getLogger(PvpMetadataProvider.class);
+ private static final String PROVIDER_ID_PATTERN = "eIDAS resolver: {0}";
+
@Autowired(required = true)
IConfigurationWithSP basicConfig;
-
+ @Autowired
+ private PvpMetadataResolverFactory metadataProviderFactory;
+ @Autowired
+ private IHttpClientFactory httpClientFactory;
+
+ @Autowired
+ private EaafKeyStoreFactory keyStoreFactory;
+
+
@Override
protected String getMetadataUrl(String entityId) throws EaafConfigurationException {
final ISpConfiguration spConfig = basicConfig.getServiceProviderConfiguration(entityId);
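Review bot: The three new collaborators are field-injected and mutable, and `basicConfig` on the line above them stays package-private, so visibility is now inconsistent within the class; declaring all four `private final` and injecting them through a constructor would make the dependencies explicit and fail fast at startup if one is missing. `@Autowired(required = true)` is the default and can be shortened to `@Autowired` to match the new fields. `getMetadataUrl` begins at the end of this hunk and continues outside it.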
@@ -80,7 +102,7 @@ public class PvpMetadataProvider extends AbstractChainingMetadataProvider {
}
@Override
- protected MetadataProvider createNewMetadataProvider(String entityId)
+ protected MetadataResolver createNewMetadataProvider(String entityId)
throws EaafConfigurationException, IOException, CertificateException {
final ISpConfiguration spConfig = basicConfig.getServiceProviderConfiguration(entityId);
if (spConfig != null) {
@@ -92,20 +114,44 @@ public class PvpMetadataProvider extends AbstractChainingMetadataProvider {
metadataUrl = entityId;
}
- final String trustStoreUrl = FileUtils.makeAbsoluteUrl(
- spConfig.getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE),
- authConfig.getConfigurationRootDirectory());
- final String trustStorePassword = spConfig.getConfigurationValue(
- MsEidasNodeConstants.PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE_PASSWORD);
-
- return createNewSimpleMetadataProvider(metadataUrl,
- buildMetadataFilterChain(metadataUrl, trustStoreUrl, trustStorePassword),
- spConfig.getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_UNIQUEIDENTIFIER),
- getTimer(),
- new BasicParserPool(),
- createHttpClient());
-
- } catch (final Pvp2MetadataException e) {
+
+ KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration();
+ keyStoreConfig.setFriendlyName(MessageFormat.format(PROVIDER_ID_PATTERN, entityId));
+ keyStoreConfig.setKeyStoreType(KeyStoreType.JKS);
+ keyStoreConfig.setSoftKeyStoreFilePath(
+ spConfig.getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE));
+ keyStoreConfig.setSoftKeyStorePassword(spConfig.getConfigurationValue(
+ MsEidasNodeConstants.PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE_PASSWORD));
+
+ keyStoreConfig.validate();
+
+ Pair<KeyStore, Provider> keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig);
+
+ final List<MetadataFilter> filterList = new ArrayList<>();
+ filterList.add(new SchemaValidationFilter(true));
+ filterList.add(new SimpleMetadataSignatureVerificationFilter(
+ getTrustedCertificates(keyStore.getFirst()), entityId));
+ filterList.add(new PvpEntityCategoryFilter(
+ basicConfig.getBasicConfigurationBoolean(MsEidasNodeConstants.PROP_CONFIG_PVP_ENABLE_ENTITYCATEGORIES,
+ true)));
+
+ final MetadataFilterChain filter = new MetadataFilterChain();
+ filter.setFilters(filterList);
+
+ try {
+ return metadataProviderFactory.createMetadataProvider(getMetadataUrl(entityId),
+ filter,
+ MessageFormat.format(PROVIDER_ID_PATTERN, entityId),
+ httpClientFactory.getHttpClient());
+
+ } catch (final Pvp2MetadataException e) {
+ log.info("Can NOT build metadata provider for entityId: {}", entityId);
+ throw new EaafConfigurationException("module.eidasauth.04",
+ new Object[] { entityId, e.getMessage() }, e);
+
+ }
+
+ } catch (final EaafException e) {
log.info("Can NOT initialize Metadata signature-verification filter. Reason: " + e.getMessage());
throw new EaafConfigurationException("config.27",
new Object[] { "Can NOT initialize Metadata signature-verification filter. Reason: " + e
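Review bot: The truststore path is now handed to `setSoftKeyStoreFilePath` exactly as read from configuration, whereas the removed code first ran it through `FileUtils.makeAbsoluteUrl(..., authConfig.getConfigurationRootDirectory())`; unless `EaafKeyStoreFactory` resolves relative paths against the configuration root itself, a relative `PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE` value will now be resolved against the JVM working directory, and the metadata-signing trust anchors may be read from a different file than the operator intended. Restoring the resolution keeps the old behaviour, `keyStoreConfig.setSoftKeyStoreFilePath(FileUtils.makeAbsoluteUrl(spConfig.getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE), authConfig.getConfigurationRootDirectory()));`, noting that the `FileUtils` import was dropped in this commit and would need re-adding. Two smaller points: the store type is hard-coded to `KeyStoreType.JKS`, so a PKCS12 truststore no longer loads, and the local `metadataUrl` assigned on the first line of the hunk is no longer used on the new side because the factory call re-reads `getMetadataUrl(entityId)`, which may not apply the same `entityId` fallback. The enclosing `createNewMetadataProvider` starts and ends outside this hunk.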
@@ -122,34 +168,37 @@ public class PvpMetadataProvider extends AbstractChainingMetadataProvider {
@Override
protected List<String> getAllMetadataUrlsFromConfiguration() throws EaafConfigurationException {
- // TODO Auto-generated method stub
return null;
}
- private HttpClient createHttpClient() {
- final HttpClient httpClient = new HttpClient();
- final HttpClientParams httpClientParams = new HttpClientParams();
- httpClientParams.setSoTimeout(MsEidasNodeConstants.METADATA_SOCKED_TIMEOUT);
- httpClient.setParams(httpClientParams);
- return httpClient;
-
+ @Override
+ protected String getMetadataProviderId() {
+ return "Service-provider chainging metadata provider";
+
}
+
+ private List<BasicX509Credential> getTrustedCertificates(KeyStore trustStore) throws EaafConfigurationException {
+ try {
+ final List<X509Certificate> certs =
+ EaafKeyStoreUtils.readCertsFromKeyStore(trustStore);
+ if (certs.isEmpty()) {
+ log.warn("No trusted metadata-signing certificates in configuration");
+ throw new EaafConfigurationException("module.eidasauth.02",
+ new Object[] { "No trusted metadata-signing certificates" });
- private MetadataFilterChain buildMetadataFilterChain(String metadataUrl,
- String trustStoreUrl, String trustStorePassword) throws CertificateException, Pvp2MetadataException {
- final MetadataFilterChain filterChain = new MetadataFilterChain();
- filterChain.getFilters().add(new SchemaValidationFilter(
- basicConfig.getBasicConfigurationBoolean(MsEidasNodeConstants.PROP_CONFIG_PVP_SCHEME_VALIDATION,
- true)));
+ }
- filterChain.getFilters().add(
- new MetadataSignatureVerificationFilter(
- trustStoreUrl, trustStorePassword, metadataUrl));
+ final List<BasicX509Credential> result = new ArrayList<>();
+ for (final X509Certificate cert : certs) {
+ result.add(new BasicX509Credential(cert));
- filterChain.getFilters().add(new PvpEntityCategoryFilter(
- basicConfig.getBasicConfigurationBoolean(MsEidasNodeConstants.PROP_CONFIG_PVP_ENABLE_ENTITYCATEGORIES,
- true)));
+ }
+ return result;
+
+ } catch (final KeyStoreException e) {
+ throw new EaafConfigurationException("module.eidasauth.01",
+ new Object[] { "Trusted metadata-signing certificates", e.getMessage() }, e);
- return filterChain;
+ }
}
}
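Review bot: `getAllMetadataUrlsFromConfiguration` still returns `null` for a `List<String>`; the commit only drops the TODO, and unless `AbstractChainingMetadataProvider` null-checks the result, any caller iterating it will throw, so `return new ArrayList<>();` (already imported) is the safer contract. The identifier returned by `getMetadataProviderId` contains a typo, `"Service-provider chainging metadata provider"`; if it only appears in logs it can be corrected to `chaining`, but check whether the base class uses it as a lookup key before changing it. In `getTrustedCertificates`, every certificate found in the truststore is wrapped as a `BasicX509Credential` without any filtering, so, depending on how `SimpleMetadataSignatureVerificationFilter` matches credentials, a CA certificate or any stray entry in that store is presumably accepted as a direct metadata-signing key; a comment such as `// every certificate in this store is trusted as a metadata signer; keep only the SP's metadata-signing certs here` would make that operational requirement visible.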