author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-02-21 16:22:31 +0100 |
---|---|---|
committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-02-21 16:22:31 +0100 |
commit | 7ba8da297b7be40255ba5efb40c69a21fb130b3b (patch) | |
tree | 14294d39790209235180d6a1de48539e163e7ebf /connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java | |
parent | d5f104bf22d204732897ef7127ad704d43d7a194 (diff) | |
update to latest EAAF components that use OpenSAML 3.x
Diffstat (limited to 'connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java')
-rw-r--r-- | connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java | 137 |
1 files changed, 93 insertions, 44 deletions
diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java
index 6a223fd0..7738b0be 100644
--- a/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java
+++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java
@@ -24,38 +24,60 @@ package at.asitplus.eidas.specific.connector.provider;
 import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.Provider;
 import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.text.MessageFormat;
+import java.util.ArrayList;
 import java.util.List;
-import org.apache.commons.httpclient.HttpClient;
-import org.apache.commons.httpclient.params.HttpClientParams;
 import org.apache.commons.lang3.StringUtils;
-import org.opensaml.saml2.metadata.provider.MetadataProvider;
-import org.opensaml.xml.parse.BasicParserPool;
+import org.opensaml.saml.metadata.resolver.MetadataResolver;
+import org.opensaml.saml.metadata.resolver.filter.MetadataFilter;
+import org.opensaml.saml.metadata.resolver.filter.MetadataFilterChain;
+import org.opensaml.security.x509.BasicX509Credential;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import at.asitplus.eidas.specific.connector.MsEidasNodeConstants;
-import at.asitplus.eidas.specific.connector.verification.MetadataSignatureVerificationFilter;
 import at.gv.egiz.eaaf.core.api.idp.IConfigurationWithSP;
 import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration;
 import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
-import at.gv.egiz.eaaf.core.impl.utils.FileUtils;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.utils.IHttpClientFactory;
 import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException;
 import
at.gv.egiz.eaaf.modules.pvp2.impl.metadata.AbstractChainingMetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.MetadataFilterChain; +import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.PvpEntityCategoryFilter; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SchemaValidationFilter; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SimpleMetadataSignatureVerificationFilter; @Service("PVPMetadataProvider") public class PvpMetadataProvider extends AbstractChainingMetadataProvider { private static final Logger log = LoggerFactory.getLogger(PvpMetadataProvider.class); + private static final String PROVIDER_ID_PATTERN = "eIDAS resolver: {0}"; + @Autowired(required = true) IConfigurationWithSP basicConfig; - + @Autowired + private PvpMetadataResolverFactory metadataProviderFactory; + @Autowired + private IHttpClientFactory httpClientFactory; + + @Autowired + private EaafKeyStoreFactory keyStoreFactory; + + @Override protected String getMetadataUrl(String entityId) throws EaafConfigurationException { final ISpConfiguration spConfig = basicConfig.getServiceProviderConfiguration(entityId); @@ -80,7 +102,7 @@ public class PvpMetadataProvider extends AbstractChainingMetadataProvider { } @Override - protected MetadataProvider createNewMetadataProvider(String entityId) + protected MetadataResolver createNewMetadataProvider(String entityId) throws EaafConfigurationException, IOException, CertificateException { final ISpConfiguration spConfig = basicConfig.getServiceProviderConfiguration(entityId); if (spConfig != null) { 
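Review bot: The three newly injected fields (`metadataProviderFactory`, `httpClientFactory`, `keyStoreFactory`) are `private`, but the existing `IConfigurationWithSP basicConfig` next to them stays package-private; unless a same-package test assigns it directly, make it `private IConfigurationWithSP basicConfig;` so the class exposes no injected collaborators. The hunk also drops the import of the connector-local `MetadataSignatureVerificationFilter` in favour of EAAF's `SimpleMetadataSignatureVerificationFilter`; if nothing else in the connector still references the local class, it is now a second, unused signature-verification path and should be deleted rather than left to drift from the library one — its other users are outside this diff, so confirm before removing. The class body continues past the end of this hunk.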
@@ -92,20 +114,44 @@ public class PvpMetadataProvider extends AbstractChainingMetadataProvider { metadataUrl = entityId; } - final String trustStoreUrl = FileUtils.makeAbsoluteUrl( - spConfig.getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE), - authConfig.getConfigurationRootDirectory()); - final String trustStorePassword = spConfig.getConfigurationValue( - MsEidasNodeConstants.PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE_PASSWORD); - - return createNewSimpleMetadataProvider(metadataUrl, - buildMetadataFilterChain(metadataUrl, trustStoreUrl, trustStorePassword), - spConfig.getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_UNIQUEIDENTIFIER), - getTimer(), - new BasicParserPool(), - createHttpClient()); - - } catch (final Pvp2MetadataException e) { + + KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration(); + keyStoreConfig.setFriendlyName(MessageFormat.format(PROVIDER_ID_PATTERN, entityId)); + keyStoreConfig.setKeyStoreType(KeyStoreType.JKS); + keyStoreConfig.setSoftKeyStoreFilePath( + spConfig.getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE)); + keyStoreConfig.setSoftKeyStorePassword(spConfig.getConfigurationValue( + MsEidasNodeConstants.PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE_PASSWORD)); + + keyStoreConfig.validate(); + + Pair<KeyStore, Provider> keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig); + + final List<MetadataFilter> filterList = new ArrayList<>(); + filterList.add(new SchemaValidationFilter(true)); + filterList.add(new SimpleMetadataSignatureVerificationFilter( + getTrustedCertificates(keyStore.getFirst()), entityId)); + filterList.add(new PvpEntityCategoryFilter( + basicConfig.getBasicConfigurationBoolean(MsEidasNodeConstants.PROP_CONFIG_PVP_ENABLE_ENTITYCATEGORIES, + true))); + + final MetadataFilterChain filter = new MetadataFilterChain(); + filter.setFilters(filterList); + + try { + return 
metadataProviderFactory.createMetadataProvider(getMetadataUrl(entityId), + filter, + MessageFormat.format(PROVIDER_ID_PATTERN, entityId), + httpClientFactory.getHttpClient()); + + } catch (final Pvp2MetadataException e) { + log.info("Can NOT build metadata provider for entityId: {}", entityId); + throw new EaafConfigurationException("module.eidasauth.04", + new Object[] { entityId, e.getMessage() }, e); + + } + + } catch (final EaafException e) { log.info("Can NOT initialize Metadata signature-verification filter. Reason: " + e.getMessage()); throw new EaafConfigurationException("config.27", new Object[] { "Can NOT initialize Metadata signature-verification filter. Reason: " + e 
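Review bot: `filterList.add(new SchemaValidationFilter(true));` hard-codes schema validation on, whereas the `buildMetadataFilterChain` this hunk replaces read `PROP_CONFIG_PVP_SCHEME_VALIDATION` from configuration; always validating is the safer default, but a configured flag that is silently ignored is a trap, so either restore `filterList.add(new SchemaValidationFilter(basicConfig.getBasicConfigurationBoolean(MsEidasNodeConstants.PROP_CONFIG_PVP_SCHEME_VALIDATION, true)));` or remove the constant and document that validation is mandatory. The resolver is built from `getMetadataUrl(entityId)` rather than the `metadataUrl` local computed just above (which falls back to `metadataUrl = entityId;`), so that fallback no longer reaches the resolver unless `getMetadataUrl` repeats it — pass `metadataUrl` or drop the dead local. The trust-store path is now handed to `setSoftKeyStoreFilePath` as configured, where the removed code resolved it against the configuration root directory; confirm that `EaafKeyStoreFactory` resolves relative paths the same way, otherwise existing relative `PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE` values stop loading. `createNewMetadataProvider` starts before this hunk and its catch block ends after it.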
@@ -122,34 +168,37 @@ public class PvpMetadataProvider extends AbstractChainingMetadataProvider { @Override protected List<String> getAllMetadataUrlsFromConfiguration() throws EaafConfigurationException { - // TODO Auto-generated method stub return null; } - private HttpClient createHttpClient() { - final HttpClient httpClient = new HttpClient(); - final HttpClientParams httpClientParams = new HttpClientParams(); - httpClientParams.setSoTimeout(MsEidasNodeConstants.METADATA_SOCKED_TIMEOUT); - httpClient.setParams(httpClientParams); - return httpClient; - + @Override + protected String getMetadataProviderId() { + return "Service-provider chainging metadata provider"; + } + + private List<BasicX509Credential> getTrustedCertificates(KeyStore trustStore) throws EaafConfigurationException { + try { + final List<X509Certificate> certs = + EaafKeyStoreUtils.readCertsFromKeyStore(trustStore); + if (certs.isEmpty()) { + log.warn("No trusted metadata-signing certificates in configuration"); + throw new EaafConfigurationException("module.eidasauth.02", + new Object[] { "No trusted metadata-signing certificates" }); - private MetadataFilterChain buildMetadataFilterChain(String metadataUrl, - String trustStoreUrl, String trustStorePassword) throws CertificateException, Pvp2MetadataException { - final MetadataFilterChain filterChain = new MetadataFilterChain(); - filterChain.getFilters().add(new SchemaValidationFilter( - basicConfig.getBasicConfigurationBoolean(MsEidasNodeConstants.PROP_CONFIG_PVP_SCHEME_VALIDATION, - true))); + } - filterChain.getFilters().add( - new MetadataSignatureVerificationFilter( - trustStoreUrl, trustStorePassword, metadataUrl)); + final List<BasicX509Credential> result = new ArrayList<>(); + for (final X509Certificate cert : certs) { + result.add(new BasicX509Credential(cert)); - filterChain.getFilters().add(new PvpEntityCategoryFilter( - basicConfig.getBasicConfigurationBoolean(MsEidasNodeConstants.PROP_CONFIG_PVP_ENABLE_ENTITYCATEGORIES, - true))); + 
} + return result; + + } catch (final KeyStoreException e) { + throw new EaafConfigurationException("module.eidasauth.01", + new Object[] { "Trusted metadata-signing certificates", e.getMessage() }, e); - return filterChain; + } } } |
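Review bot: `getAllMetadataUrlsFromConfiguration` still returns `null` now that the TODO comment is gone, so any caller that iterates the result fails with a NullPointerException; unless the base class (outside this diff) documents null as "no URLs", return `Collections.emptyList()` and add `import java.util.Collections;`. The string in `getMetadataProviderId` has a typo that will show up in logs, `return "Service-provider chaining metadata provider";`. In `getTrustedCertificates` every certificate entry of the store becomes a trust anchor with no validity check; if `SimpleMetadataSignatureVerificationFilter` does not call `checkValidity()` itself, an expired anchor keeps accepting metadata signatures, so add a comment at the loop stating where expiry is enforced, e.g. `// NOTE(review): no validity check here — confirm the filter rejects expired anchors`.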