author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-02-21 16:22:31 +0100 |
---|---|---|
committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-02-21 16:22:31 +0100 |
commit | 7ba8da297b7be40255ba5efb40c69a21fb130b3b (patch) | |
tree | 14294d39790209235180d6a1de48539e163e7ebf /connector/src/main/java/at/asitplus/eidas/specific/connector/provider | |
parent | d5f104bf22d204732897ef7127ad704d43d7a194 (diff) | |
update to latest EAAF-components that uses OpenSAML3.x
Diffstat (limited to 'connector/src/main/java/at/asitplus/eidas/specific/connector/provider')
3 files changed, 116 insertions, 86 deletions
diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpEndPointCredentialProvider.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpEndPointCredentialProvider.java index 92373328..0ae5f76d 100644 --- a/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpEndPointCredentialProvider.java +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpEndPointCredentialProvider.java @@ -23,9 +23,6 @@ package at.asitplus.eidas.specific.connector.provider; -import java.net.MalformedURLException; - -import org.apache.commons.lang3.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; @@ -33,8 +30,8 @@ import org.springframework.beans.factory.annotation.Autowired; import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; -import at.gv.egiz.eaaf.core.exceptions.EaafException; -import at.gv.egiz.eaaf.core.impl.utils.FileUtils; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider; public class PvpEndPointCredentialProvider extends AbstractCredentialProvider { 
@@ -44,41 +41,25 @@ public class PvpEndPointCredentialProvider extends AbstractCredentialProvider { IConfiguration basicConfiguration; @Override - public String getFriendlyName() { - return "PVP2 S-Profile EndPoint"; - } - - @Override - public String getKeyStoreFilePath() throws EaafException { - try { - final String path = basicConfiguration.getBasicConfiguration( - MsEidasNodeConstants.PROP_CONFIG_PVP2_KEYSTORE_PATH); - if (StringUtils.isEmpty(path)) { - log.error(getFriendlyName() + " | Path to keyStore is NULL or EMPTY"); - throw new EaafConfigurationException("config.27", - new Object[] { getFriendlyName() + " | Path to keyStore is NULL or EMPTY" }); - - } - - return FileUtils.makeAbsoluteUrl( - path, - basicConfiguration.getConfigurationRootDirectory()); - - } catch (final MalformedURLException e) { - log.error(getFriendlyName() + " | Path to keyStore NOT valid.", e); - throw new EaafConfigurationException("config.27", - new Object[] { getFriendlyName() + " | Path to keyStore NOT valid." 
}, e); - - } - - } - - @Override - public String getKeyStorePassword() { - return basicConfiguration.getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_PVP2_KEYSTORE_PASSWORD); - + public KeyStoreConfiguration getBasicKeyStoreConfig() throws EaafConfigurationException { + final KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration(); + keyStoreConfig.setFriendlyName("PVP2 S-Profile EndPoint"); + keyStoreConfig.setKeyStoreType( + basicConfiguration.getBasicConfiguration(MsEidasNodeConstants.CONFIG_PROPS_KEYSTORE_TYPE, + KeyStoreType.PKCS12.getKeyStoreType())); + keyStoreConfig.setKeyStoreName( + basicConfiguration.getBasicConfiguration(MsEidasNodeConstants.CONFIG_PROPS_KEYSTORE_NAME)); + keyStoreConfig.setSoftKeyStoreFilePath(basicConfiguration.getBasicConfiguration( + MsEidasNodeConstants.PROP_CONFIG_PVP2_KEYSTORE_PATH)); + keyStoreConfig.setSoftKeyStorePassword( + basicConfiguration.getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_PVP2_KEYSTORE_PASSWORD)); + + keyStoreConfig.validate(); + + return keyStoreConfig; } - + + @Override public String getMetadataKeyAlias() { return basicConfiguration.getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_PVP2_KEY_METADATA_ALIAS); diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataConfigurationFactory.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataConfigurationFactory.java index 8b0419d0..e8bc4eb8 100644 --- a/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataConfigurationFactory.java +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataConfigurationFactory.java 
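Review bot: getBasicKeyStoreConfig hands the configured keystore path to setSoftKeyStoreFilePath unresolved, whereas the removed getKeyStoreFilePath made it absolute against basicConfiguration.getConfigurationRootDirectory() and rejected an empty value with an explicit error; unless KeyStoreConfiguration.validate() or the EAAF keystore factory resolves relative paths against the configuration root (not visible here), a relative PROP_CONFIG_PVP2_KEYSTORE_PATH would now be resolved against the process working directory. If the new component does handle that, a one-line comment at the setSoftKeyStoreFilePath call would spare the next reader the same question, e.g. `// relative paths are resolved against the configuration root by the EAAF keystore factory (verify)`. The override also lacks Javadoc: state that it assembles the PVP2 endpoint keystore settings from IConfiguration, that the type defaults to PKCS12 when CONFIG_PROPS_KEYSTORE_TYPE is unset, and that validate() is what raises EaafConfigurationException for an incomplete configuration. getMetadataKeyAlias continues past the end of the hunk.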
@@ -31,7 +31,7 @@ import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.modules.pvp2.api.IPvp2BasicConfiguration; import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataBuilderConfiguration; import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataConfigurationFactory; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider; +import at.gv.egiz.eaaf.modules.pvp2.api.utils.IPvp2CredentialProvider; @Service("PVPMetadataConfigurationFactory") public class PvpMetadataConfigurationFactory implements IPvpMetadataConfigurationFactory { @@ -43,9 +43,9 @@ public class PvpMetadataConfigurationFactory implements IPvpMetadataConfiguratio @Override public IPvpMetadataBuilderConfiguration generateMetadataBuilderConfiguration(String authUrl, - AbstractCredentialProvider pvpIdpCredentials) { + IPvp2CredentialProvider pvpIdpCredentials) { return new PvpMetadataConfiguration(basicConfig, authUrl, pvpBasicConfig, pvpIdpCredentials); - + } } diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java index 6a223fd0..7738b0be 100644 --- a/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java 
@@ -24,38 +24,60 @@ package at.asitplus.eidas.specific.connector.provider; import java.io.IOException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.Provider; import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.text.MessageFormat; +import java.util.ArrayList; import java.util.List; -import org.apache.commons.httpclient.HttpClient; -import org.apache.commons.httpclient.params.HttpClientParams; import org.apache.commons.lang3.StringUtils; -import org.opensaml.saml2.metadata.provider.MetadataProvider; -import org.opensaml.xml.parse.BasicParserPool; +import org.opensaml.saml.metadata.resolver.MetadataResolver; +import org.opensaml.saml.metadata.resolver.filter.MetadataFilter; +import org.opensaml.saml.metadata.resolver.filter.MetadataFilterChain; +import org.opensaml.security.x509.BasicX509Credential; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; -import at.asitplus.eidas.specific.connector.verification.MetadataSignatureVerificationFilter; import at.gv.egiz.eaaf.core.api.idp.IConfigurationWithSP; import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; -import at.gv.egiz.eaaf.core.impl.utils.FileUtils; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.utils.IHttpClientFactory; import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; import 
at.gv.egiz.eaaf.modules.pvp2.impl.metadata.AbstractChainingMetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.MetadataFilterChain; +import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.PvpEntityCategoryFilter; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SchemaValidationFilter; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SimpleMetadataSignatureVerificationFilter; @Service("PVPMetadataProvider") public class PvpMetadataProvider extends AbstractChainingMetadataProvider { private static final Logger log = LoggerFactory.getLogger(PvpMetadataProvider.class); + private static final String PROVIDER_ID_PATTERN = "eIDAS resolver: {0}"; + @Autowired(required = true) IConfigurationWithSP basicConfig; - + @Autowired + private PvpMetadataResolverFactory metadataProviderFactory; + @Autowired + private IHttpClientFactory httpClientFactory; + + @Autowired + private EaafKeyStoreFactory keyStoreFactory; + + @Override protected String getMetadataUrl(String entityId) throws EaafConfigurationException { final ISpConfiguration spConfig = basicConfig.getServiceProviderConfiguration(entityId); @@ -80,7 +102,7 @@ public class PvpMetadataProvider extends AbstractChainingMetadataProvider { } @Override - protected MetadataProvider createNewMetadataProvider(String entityId) + protected MetadataResolver createNewMetadataProvider(String entityId) throws EaafConfigurationException, IOException, CertificateException { final ISpConfiguration spConfig = basicConfig.getServiceProviderConfiguration(entityId); if (spConfig != null) { 
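Review bot: The three new injected dependencies (metadataProviderFactory, httpClientFactory, keyStoreFactory) are declared private with a bare @Autowired, while basicConfig directly above them stays package-private with @Autowired(required = true); since required defaults to true the two forms are equivalent, so the mix reads as two conventions in one class. Making basicConfig `private IConfigurationWithSP basicConfig;` (or the new fields package-private, whichever the module uses for test access) keeps the injection points uniform. PROVIDER_ID_PATTERN serves both as the trust-store friendly name and as the resolver id in createNewMetadataProvider, which lies outside this hunk; a short comment such as `// friendly name and resolver id of the per-SP metadata resolver, formatted with the entityId` would make that dual use explicit.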
@@ -92,20 +114,44 @@ public class PvpMetadataProvider extends AbstractChainingMetadataProvider { metadataUrl = entityId; } - final String trustStoreUrl = FileUtils.makeAbsoluteUrl( - spConfig.getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE), - authConfig.getConfigurationRootDirectory()); - final String trustStorePassword = spConfig.getConfigurationValue( - MsEidasNodeConstants.PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE_PASSWORD); - - return createNewSimpleMetadataProvider(metadataUrl, - buildMetadataFilterChain(metadataUrl, trustStoreUrl, trustStorePassword), - spConfig.getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_UNIQUEIDENTIFIER), - getTimer(), - new BasicParserPool(), - createHttpClient()); - - } catch (final Pvp2MetadataException e) { + + KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration(); + keyStoreConfig.setFriendlyName(MessageFormat.format(PROVIDER_ID_PATTERN, entityId)); + keyStoreConfig.setKeyStoreType(KeyStoreType.JKS); + keyStoreConfig.setSoftKeyStoreFilePath( + spConfig.getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE)); + keyStoreConfig.setSoftKeyStorePassword(spConfig.getConfigurationValue( + MsEidasNodeConstants.PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE_PASSWORD)); + + keyStoreConfig.validate(); + + Pair<KeyStore, Provider> keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig); + + final List<MetadataFilter> filterList = new ArrayList<>(); + filterList.add(new SchemaValidationFilter(true)); + filterList.add(new SimpleMetadataSignatureVerificationFilter( + getTrustedCertificates(keyStore.getFirst()), entityId)); + filterList.add(new PvpEntityCategoryFilter( + basicConfig.getBasicConfigurationBoolean(MsEidasNodeConstants.PROP_CONFIG_PVP_ENABLE_ENTITYCATEGORIES, + true))); + + final MetadataFilterChain filter = new MetadataFilterChain(); + filter.setFilters(filterList); + + try { + return 
metadataProviderFactory.createMetadataProvider(getMetadataUrl(entityId), + filter, + MessageFormat.format(PROVIDER_ID_PATTERN, entityId), + httpClientFactory.getHttpClient()); + + } catch (final Pvp2MetadataException e) { + log.info("Can NOT build metadata provider for entityId: {}", entityId); + throw new EaafConfigurationException("module.eidasauth.04", + new Object[] { entityId, e.getMessage() }, e); + + } + + } catch (final EaafException e) { log.info("Can NOT initialize Metadata signature-verification filter. Reason: " + e.getMessage()); throw new EaafConfigurationException("config.27", new Object[] { "Can NOT initialize Metadata signature-verification filter. Reason: " + e 
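Review bot: The inner `catch (final Pvp2MetadataException e)` rethrows an EaafConfigurationException ("module.eidasauth.04"), but it sits inside the enclosing try whose `catch (final EaafException e)` wraps everything again as "config.27" with the message "Can NOT initialize Metadata signature-verification filter"; if EaafConfigurationException extends EaafException, as the signatures in the sibling file suggest, a resolver-creation failure surfaces with the wrong error code and a misleading message, and the module.eidasauth.02 exception from getTrustedCertificates is re-wrapped the same way. Either narrow the outer catch to what keyStoreFactory.buildNewKeyStore and KeyStoreConfiguration.validate actually throw, or split the keystore/filter construction and the resolver creation into separate try blocks so each failure keeps its own code; the outer try begins before this hunk. The local `metadataUrl` assigned just above the hunk is no longer read on the new side, because the resolver call uses getMetadataUrl(entityId), which re-reads the SP configuration; passing `metadataUrl` there avoids the duplicate lookup, or the variable should go if it is really unused. Note also that the trust-store type is fixed to `KeyStoreType.JKS` and the schema filter to `new SchemaValidationFilter(true)`, whereas PvpEndPointCredentialProvider reads its keystore type from configuration and the removed code honoured PROP_CONFIG_PVP_SCHEME_VALIDATION; if that tightening is intended, a comment saying so would help.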
@@ -122,34 +168,37 @@ public class PvpMetadataProvider extends AbstractChainingMetadataProvider { @Override protected List<String> getAllMetadataUrlsFromConfiguration() throws EaafConfigurationException { - // TODO Auto-generated method stub return null; } - private HttpClient createHttpClient() { - final HttpClient httpClient = new HttpClient(); - final HttpClientParams httpClientParams = new HttpClientParams(); - httpClientParams.setSoTimeout(MsEidasNodeConstants.METADATA_SOCKED_TIMEOUT); - httpClient.setParams(httpClientParams); - return httpClient; - + @Override + protected String getMetadataProviderId() { + return "Service-provider chainging metadata provider"; + } + + private List<BasicX509Credential> getTrustedCertificates(KeyStore trustStore) throws EaafConfigurationException { + try { + final List<X509Certificate> certs = + EaafKeyStoreUtils.readCertsFromKeyStore(trustStore); + if (certs.isEmpty()) { + log.warn("No trusted metadata-signing certificates in configuration"); + throw new EaafConfigurationException("module.eidasauth.02", + new Object[] { "No trusted metadata-signing certificates" }); - private MetadataFilterChain buildMetadataFilterChain(String metadataUrl, - String trustStoreUrl, String trustStorePassword) throws CertificateException, Pvp2MetadataException { - final MetadataFilterChain filterChain = new MetadataFilterChain(); - filterChain.getFilters().add(new SchemaValidationFilter( - basicConfig.getBasicConfigurationBoolean(MsEidasNodeConstants.PROP_CONFIG_PVP_SCHEME_VALIDATION, - true))); + } - filterChain.getFilters().add( - new MetadataSignatureVerificationFilter( - trustStoreUrl, trustStorePassword, metadataUrl)); + final List<BasicX509Credential> result = new ArrayList<>(); + for (final X509Certificate cert : certs) { + result.add(new BasicX509Credential(cert)); - filterChain.getFilters().add(new PvpEntityCategoryFilter( - basicConfig.getBasicConfigurationBoolean(MsEidasNodeConstants.PROP_CONFIG_PVP_ENABLE_ENTITYCATEGORIES, - true))); + 
} + return result; + + } catch (final KeyStoreException e) { + throw new EaafConfigurationException("module.eidasauth.01", + new Object[] { "Trusted metadata-signing certificates", e.getMessage() }, e); - return filterChain; + } } } |
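Review bot: getAllMetadataUrlsFromConfiguration still returns null for a List&lt;String&gt; after the `// TODO Auto-generated method stub` comment is dropped, so the stub now reads as deliberate; unless AbstractChainingMetadataProvider documents null as "nothing to preload", return `new ArrayList<>()` (already imported on the new side) or keep a comment explaining why no URLs are preloaded. The new getMetadataProviderId returns `"Service-provider chainging metadata provider"`, a typo in a runtime identifier; if nothing elsewhere matches on that string, `return "Service-provider chaining metadata provider";`. getTrustedCertificates would benefit from Javadoc stating that it wraps every certificate in the trust store as a BasicX509Credential, fails with module.eidasauth.02 when the store holds no certificates, and translates KeyStoreException into module.eidasauth.01 with the cause preserved.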