aboutsummaryrefslogtreecommitdiff
path: root/connector
diff options
context:
space:
mode:
authorThomas <>2021-09-02 08:58:17 +0200
committerThomas <>2021-09-02 08:58:17 +0200
commit34094edfbf91cf445dbeae12b1b63cbfef543244 (patch)
tree88e2bbd008a7fd9f3a425bbcfdb53cfac4e24079 /connector
parent847e690da4a2f6b08ca604538f1f42e6e6717d0b (diff)
parente0a9aad4a321bae3b9c9afe7ea178d93b258749a (diff)
downloadNational_eIDAS_Gateway-34094edfbf91cf445dbeae12b1b63cbfef543244.tar.gz
National_eIDAS_Gateway-34094edfbf91cf445dbeae12b1b63cbfef543244.tar.bz2
National_eIDAS_Gateway-34094edfbf91cf445dbeae12b1b63cbfef543244.zip
Merge branch 'master' into feature/matching_rebased
# Conflicts: # connector/src/main/java/at/asitplus/eidas/specific/connector/provider/StatusMessageProvider.java # connector/src/main/resources/specific_eIDAS_connector.beans.xml # connector/src/test/java/at/asitplus/eidas/specific/connector/test/FullStartUpAndProcessTest.java # connector/src/test/java/at/asitplus/eidas/specific/connector/test/utils/AuthenticationDataBuilderTest.java # connector/src/test/resources/spring/SpringTest_connector.beans.xml # eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java # eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java # eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAuthnResponseTask.java # eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/clients/SzrClientTest.java # eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java # eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskTest.java # eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveAuthnResponseTaskTest.java # pom.xml
Diffstat (limited to 'connector')
-rw-r--r--connector/pom.xml16
-rw-r--r--connector/src/assembly/assembly_dir.xml2
-rw-r--r--connector/src/assembly/assembly_zip.xml3
-rw-r--r--connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java26
-rw-r--r--connector/src/main/java/at/asitplus/eidas/specific/connector/provider/StatusMessageProvider.java15
-rw-r--r--connector/src/main/java/at/asitplus/eidas/specific/connector/verification/AuthnRequestValidator.java114
-rw-r--r--connector/src/main/resources/application.properties35
-rw-r--r--connector/src/main/resources/logback.xml107
-rw-r--r--connector/src/test/java/at/asitplus/eidas/specific/connector/test/FullStartUpAndProcessTest.java16
-rw-r--r--connector/src/test/java/at/asitplus/eidas/specific/connector/test/utils/AuthenticationDataBuilderTest.java16
-rw-r--r--connector/src/test/java/at/asitplus/eidas/specific/connector/test/utils/AuthnRequestValidatorTest.java5
-rw-r--r--connector/src/test/resources/data/metadata_valid_without_encryption.xml1
-rw-r--r--connector/src/test/resources/data/pvp2_authn_3.xml3
13 files changed, 177 insertions, 182 deletions
diff --git a/connector/pom.xml b/connector/pom.xml
index bbc54443..8b123cd4 100644
--- a/connector/pom.xml
+++ b/connector/pom.xml
@@ -6,7 +6,7 @@
<parent>
<groupId>at.asitplus.eidas</groupId>
<artifactId>ms_specific</artifactId>
- <version>1.1.1-SNAPSHOT</version>
+ <version>1.2.2</version>
</parent>
<groupId>at.asitplus.eidas.ms_specific</groupId>
@@ -139,6 +139,20 @@
<groupId>com.github.skjolber</groupId>
<artifactId>mockito-soap-cxf</artifactId>
<scope>test</scope>
+ <!--exclusions>
+ <exclusion>
+ <groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-rt-wsdl</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-rt-bindings-soap</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-core</artifactId>
+ </exclusion>
+ </exclusions-->
</dependency>
<dependency>
<groupId>com.squareup.okhttp3</groupId>
diff --git a/connector/src/assembly/assembly_dir.xml b/connector/src/assembly/assembly_dir.xml
index 37e05390..59437be6 100644
--- a/connector/src/assembly/assembly_dir.xml
+++ b/connector/src/assembly/assembly_dir.xml
@@ -43,7 +43,9 @@
<includes>
<!-- include>README.md</include-->
<include>readme_${project.version}.txt</include>
+ <include>readme_${project.version}.md</include>
<include>eIDAS_Ref_Impl/*</include>
+ <include>handbook/*</include>
</includes>
</fileSet>
</fileSets>
diff --git a/connector/src/assembly/assembly_zip.xml b/connector/src/assembly/assembly_zip.xml
index 579da2e1..43877283 100644
--- a/connector/src/assembly/assembly_zip.xml
+++ b/connector/src/assembly/assembly_zip.xml
@@ -43,6 +43,9 @@
<includes>
<!-- include>README.md</include -->
<include>readme_${project.version}.txt</include>
+ <include>readme_${project.version}.md</include>
+ <include>eIDAS_Ref_Impl/*</include>
+ <include>handbook/*</include>
</includes>
</fileSet>
</fileSets>
diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java
index c41660ce..3a93c1b8 100644
--- a/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java
+++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java
@@ -30,6 +30,7 @@ import org.springframework.stereotype.Service;
import at.asitplus.eidas.specific.connector.MsEidasNodeConstants;
import at.gv.egiz.eaaf.core.api.IRequest;
import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions;
+import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions.EidIdentityStatusLevelValues;
import at.gv.egiz.eaaf.core.api.idp.IAuthData;
import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration;
import at.gv.egiz.eaaf.core.api.idp.auth.data.IAuthProcessDataContainer;
@@ -37,8 +38,9 @@ import at.gv.egiz.eaaf.core.exceptions.EaafBuilderException;
import at.gv.egiz.eaaf.core.exceptions.EaafException;
import at.gv.egiz.eaaf.core.impl.data.Pair;
import at.gv.egiz.eaaf.core.impl.idp.AuthenticationData;
+import at.gv.egiz.eaaf.core.impl.idp.EidAuthenticationData;
import at.gv.egiz.eaaf.core.impl.idp.auth.builder.AbstractAuthenticationDataBuilder;
-import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper;
+import at.gv.egiz.eaaf.core.impl.idp.auth.data.EidAuthProcessDataWrapper;
import lombok.extern.slf4j.Slf4j;
@Service("AuthenticationDataBuilder")
@@ -47,9 +49,9 @@ public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder
@Override
protected IAuthData buildDeprecatedAuthData(IRequest pendingReq) throws EaafException {
- final IAuthProcessDataContainer authProcessData =
- pendingReq.getSessionData(AuthProcessDataWrapper.class);
- AuthenticationData authData = new AuthenticationData();
+ final EidAuthProcessDataWrapper authProcessData =
+ pendingReq.getSessionData(EidAuthProcessDataWrapper.class);
+ EidAuthenticationData authData = new EidAuthenticationData();
//set basis infos
super.generateDeprecatedBasicAuthData(authData, pendingReq, authProcessData);
@@ -58,6 +60,9 @@ public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder
authData.setSsoSessionValidTo(
new Date(new Date().getTime() + MsEidasNodeConstants.DEFAULT_PVP_ASSERTION_VALIDITY * 60 * 1000));
+ authData.setEidStatus(authProcessData.isTestIdentity()
+ ? EidIdentityStatusLevelValues.TESTIDENTITY : EidIdentityStatusLevelValues.IDENTITY);
+
return authData;
}
@@ -65,16 +70,21 @@ public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder
@Override
protected void buildServiceSpecificAuthenticationData(IAuthData authData, IRequest pendingReq)
throws EaafException {
- if (authData instanceof AuthenticationData) {
- ((AuthenticationData)authData).setGenericData(
+ if (authData instanceof EidAuthenticationData) {
+ ((EidAuthenticationData)authData).setGenericData(
ExtendedPvpAttributeDefinitions.EID_PII_TRANSACTION_ID_NAME,
pendingReq.getUniquePiiTransactionIdentifier());
log.trace("Inject piiTransactionId: {} into AuthData", pendingReq.getUniquePiiTransactionIdentifier());
// set specific informations
- ((AuthenticationData)authData).setSsoSessionValidTo(
+ ((EidAuthenticationData)authData).setSsoSessionValidTo(
new Date(new Date().getTime() + MsEidasNodeConstants.DEFAULT_PVP_ASSERTION_VALIDITY * 60 * 1000));
+ //set E-ID status-level
+ final EidAuthProcessDataWrapper authProcessData =
+ pendingReq.getSessionData(EidAuthProcessDataWrapper.class);
+ ((EidAuthenticationData)authData).setEidStatus(authProcessData.isTestIdentity()
+ ? EidIdentityStatusLevelValues.TESTIDENTITY : EidIdentityStatusLevelValues.IDENTITY);
} else {
throw new RuntimeException("Can not inject PiiTransactionId because AuthData is of unknown type: "
@@ -86,7 +96,7 @@ public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder
@Override
protected IAuthData getAuthDataInstance(IRequest arg0) throws EaafException {
- return new AuthenticationData();
+ return new EidAuthenticationData();
}
diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/StatusMessageProvider.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/StatusMessageProvider.java
index 55ce044d..eef09b8d 100644
--- a/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/StatusMessageProvider.java
+++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/StatusMessageProvider.java
@@ -28,16 +28,16 @@ import java.util.Locale;
import java.util.MissingResourceException;
import java.util.ResourceBundle;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import org.apache.commons.lang3.StringUtils;
import org.springframework.stereotype.Service;
import at.gv.egiz.eaaf.core.api.IStatusMessenger;
import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import lombok.extern.slf4j.Slf4j;
@Service("StatusMessageProvider")
+@Slf4j
public class StatusMessageProvider implements IStatusMessenger {
- private static final Logger log = LoggerFactory.getLogger(StatusMessageProvider.class);
private static final String ERROR_MESSAGES_UNAVAILABLE =
"Error messages can NOT be load from application. Only errorCode: {0} is availabe";
@@ -96,7 +96,6 @@ public class StatusMessageProvider implements IStatusMessenger {
return ((EaafException) throwable).getErrorId();
}
-
return IStatusMessenger.CODES_INTERNAL_ERROR_GENERIC;
}
@@ -118,7 +117,13 @@ public class StatusMessageProvider implements IStatusMessenger {
} else {
try {
- return externalError.getString(intErrorCode);
+ if (StringUtils.isNotEmpty(intErrorCode)) {
+ return externalError.getString(intErrorCode);
+
+ } else {
+ return IStatusMessenger.CODES_EXTERNAL_ERROR_GENERIC;
+
+ }
} catch (final MissingResourceException e2) {
log.info(MessageFormat.format(ERROR_NO_EXTERNALERROR_CODE, new Object[] { intErrorCode }));
diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/verification/AuthnRequestValidator.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/verification/AuthnRequestValidator.java
index a9eb06be..881eeb8a 100644
--- a/connector/src/main/java/at/asitplus/eidas/specific/connector/verification/AuthnRequestValidator.java
+++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/verification/AuthnRequestValidator.java
@@ -75,7 +75,7 @@ public class AuthnRequestValidator implements IAuthnRequestPostProcessor {
if (nameIdPolicy != null) {
final String nameIdFormat = nameIdPolicy.getFormat();
if (nameIdFormat != null) {
- if (!(NameIDType.TRANSIENT.equals(nameIdFormat)
+ if (!(NameIDType.TRANSIENT.equals(nameIdFormat)
|| NameIDType.PERSISTENT.equals(nameIdFormat))) {
throw new NameIdFormatNotSupportedException(nameIdFormat);
@@ -114,10 +114,10 @@ public class AuthnRequestValidator implements IAuthnRequestPostProcessor {
// post-process requested LoA comparison-level
pendingReq.getServiceProviderConfiguration(ServiceProviderConfiguration.class).setLoAMachtingMode(
extractComparisonLevel(authnReq));
-
- //extract information from requested attributes
+
+ // extract information from requested attributes
extractFromRequestedAttriutes(pendingReq, authnReq);
-
+
} catch (final EaafStorageException e) {
log.info("Can NOT store Authn. Req. data into pendingRequest.", e);
throw new AuthnRequestValidatorException("internal.02", null, e);
@@ -126,14 +126,14 @@ public class AuthnRequestValidator implements IAuthnRequestPostProcessor {
}
- private void extractFromRequestedAttriutes(IRequest pendingReq, AuthnRequest authnReq)
- throws AuthnRequestValidatorException {
+ private void extractFromRequestedAttriutes(IRequest pendingReq, AuthnRequest authnReq)
+ throws AuthnRequestValidatorException, EaafStorageException {
// validate and process requested attributes
boolean sectorDetected = false;
-
+
final ServiceProviderConfiguration spConfig = pendingReq.getServiceProviderConfiguration(
ServiceProviderConfiguration.class);
-
+
if (authnReq.getExtensions() != null) {
final List<XMLObject> requestedAttributes = authnReq.getExtensions().getUnknownXMLObjects();
for (final XMLObject reqAttrObj : requestedAttributes) {
@@ -143,77 +143,101 @@ public class AuthnRequestValidator implements IAuthnRequestPostProcessor {
for (final EaafRequestedAttribute el : reqAttr.getAttributes()) {
log.trace("Processing req. attribute '" + el.getName() + "' ... ");
if (el.getName().equals(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME)) {
- sectorDetected = extractBpkTargetIdentifier(el, spConfig);
-
+ sectorDetected = extractBpkTargetIdentifier(el, spConfig);
+
} else if (el.getName().equals(ExtendedPvpAttributeDefinitions.EID_TRANSACTION_ID_NAME)) {
extractUniqueTransactionId(el, pendingReq);
-
+
+ } else if (el.getName().equals(MsEidasNodeConstants.EID_BINDING_PUBLIC_KEY_NAME)) {
+ extractBindingPublicKey(el, pendingReq);
+
} else {
log.debug("Ignore req. attribute: " + el.getName());
-
+
}
}
} else {
log.debug("No requested Attributes in Authn. Request");
-
+
}
} else {
log.info("Ignore unknown requested attribute: " + reqAttrObj.getElementQName().toString());
-
+
}
}
}
-
+
if (!sectorDetected) {
log.warn("Authn.Req validation FAILED. Reason: Contains NO or NO VALID target-sector information.");
throw new AuthnRequestValidatorException("pvp2.22", new Object[] {
"NO or NO VALID target-sector information" });
}
-
+
+ }
+
+ private void extractBindingPublicKey(EaafRequestedAttribute el, IRequest pendingReq)
+ throws EaafStorageException {
+ if (el.getAttributeValues() != null && el.getAttributeValues().size() == 1) {
+ final String bindingPubKey = el.getAttributeValues().get(0).getDOM().getTextContent();
+ pendingReq.setRawDataToTransaction(MsEidasNodeConstants.EID_BINDING_PUBLIC_KEY_NAME, bindingPubKey);
+ log.info("Find Binding Public-Key. eIDAS authentication will be used to create an ID Austria Binding");
+
+ } else {
+ log.warn(
+ "Req. attribute '{}' contains NO or MORE THEN ONE attribute-values. Ignore full req. attribute",
+ el.getName());
+
+ }
}
/**
* Extract unique transactionId from AuthnRequest.
- *
- * @param el Requested attribute from AuthnRequest
- * @param pendingReq Current pendingRequest object (has to be of type {@link RequestImpl})
- * @return <code>true</code> if transactionId extraction was successful, otherwise <code>false</code>
+ *
+ * @param el Requested attribute from AuthnRequest
+ * @param pendingReq Current pendingRequest object (has to be of type
+ * {@link RequestImpl})
+ * @return <code>true</code> if transactionId extraction was successful,
+ * otherwise <code>false</code>
*/
private boolean extractUniqueTransactionId(EaafRequestedAttribute el, IRequest pendingReq) {
if (!(pendingReq instanceof RequestImpl)) {
- log.warn("Can NOT set unique transactionId from AuthnRequest,because 'PendingRequest' is NOT from Type: {}",
+ log.warn(
+ "Can NOT set unique transactionId from AuthnRequest,because 'PendingRequest' is NOT from Type: {}",
RequestImpl.class.getName());
-
- } else {
+
+ } else {
if (el.getAttributeValues() != null && el.getAttributeValues().size() == 1) {
- final String transactionId = el.getAttributeValues().get(0).getDOM().getTextContent();
- ((RequestImpl)pendingReq).setUniqueTransactionIdentifier(transactionId);
+ final String transactionId = el.getAttributeValues().get(0).getDOM().getTextContent();
+ ((RequestImpl) pendingReq).setUniqueTransactionIdentifier(transactionId);
return true;
} else {
- log.warn("Req. attribute '{}' contains NO or MORE THEN ONE attribute-values. Ignore full req. attribute",
+ log.warn(
+ "Req. attribute '{}' contains NO or MORE THEN ONE attribute-values. Ignore full req. attribute",
el.getName());
-
+
}
-
+
}
-
+
return false;
}
/**
* Extract the bPK target from requested attribute.
- *
- * @param el Requested attribute from AuthnRequest
+ *
+ * @param el Requested attribute from AuthnRequest
* @param spConfig Service-Provider configuration for current process
- * @return <code>true</code> if bPK target extraction was successful, otherwise <code>false</code>
+ * @return <code>true</code> if bPK target extraction was successful, otherwise
+ * <code>false</code>
*/
- private boolean extractBpkTargetIdentifier(EaafRequestedAttribute el, ServiceProviderConfiguration spConfig) {
+ private boolean extractBpkTargetIdentifier(EaafRequestedAttribute el,
+ ServiceProviderConfiguration spConfig) {
if (el.getAttributeValues() != null && el.getAttributeValues().size() == 1) {
- final String sectorId = el.getAttributeValues().get(0).getDOM().getTextContent();
+ final String sectorId = el.getAttributeValues().get(0).getDOM().getTextContent();
try {
spConfig.setBpkTargetIdentifier(sectorId);
return true;
@@ -227,16 +251,16 @@ public class AuthnRequestValidator implements IAuthnRequestPostProcessor {
log.warn("Req. attribute '" + el.getName()
+ "' contains NO or MORE THEN ONE attribute-values. Ignore full req. attribute");
}
-
+
return false;
-
+
}
-
- private void postprocessLoaLevel(IRequest pendingReq, AuthnRequest authnReq)
+
+ private void postprocessLoaLevel(IRequest pendingReq, AuthnRequest authnReq)
throws AuthnRequestValidatorException {
final List<String> reqLoA = extractLoA(authnReq);
- log.trace("SP requests LoA with: {}", String.join(", ",reqLoA));
-
+ log.trace("SP requests LoA with: {}", String.join(", ", reqLoA));
+
LevelOfAssurance minimumLoAFromConfig = LevelOfAssurance.fromString(basicConfig.getBasicConfiguration(
MsEidasNodeConstants.PROP_EIDAS_REQUEST_LOA_MINIMUM_LEVEL,
EaafConstants.EIDAS_LOA_HIGH));
@@ -246,15 +270,15 @@ public class AuthnRequestValidator implements IAuthnRequestPostProcessor {
minimumLoAFromConfig = LevelOfAssurance.HIGH;
}
-
+
log.trace("Validate requested LoA to connector configuration minimum LoA: {} ...",
- minimumLoAFromConfig);
+ minimumLoAFromConfig);
final List<String> allowedLoA = new ArrayList<>();
for (final String loa : reqLoA) {
try {
final LevelOfAssurance intLoa = LevelOfAssurance.fromString(loa);
String selectedLoA = EaafConstants.EIDAS_LOA_HIGH;
- if (intLoa != null
+ if (intLoa != null
&& intLoa.numericValue() <= minimumLoAFromConfig.numericValue()) {
log.info("Client: {} requested LoA: {} will be upgraded to: {}",
pendingReq.getServiceProviderConfiguration().getUniqueIdentifier(),
@@ -281,7 +305,7 @@ public class AuthnRequestValidator implements IAuthnRequestPostProcessor {
pendingReq.getServiceProviderConfiguration(ServiceProviderConfiguration.class).setRequiredLoA(
allowedLoA);
-
+
}
private String extractComparisonLevel(AuthnRequest authnReq) {
@@ -335,7 +359,7 @@ public class AuthnRequestValidator implements IAuthnRequestPostProcessor {
private String extractScopeRequsterId(AuthnRequest authnReq) {
if (authnReq.getScoping() != null) {
final Scoping scoping = authnReq.getScoping();
- if (scoping.getRequesterIDs() != null
+ if (scoping.getRequesterIDs() != null
&& scoping.getRequesterIDs().size() > 0) {
if (scoping.getRequesterIDs().size() == 1) {
return scoping.getRequesterIDs().get(0).getRequesterID();
diff --git a/connector/src/main/resources/application.properties b/connector/src/main/resources/application.properties
index 8263ea82..e92099ab 100644
--- a/connector/src/main/resources/application.properties
+++ b/connector/src/main/resources/application.properties
@@ -17,9 +17,9 @@ spring.boot.admin.client.enabled=false
#############################################################################
## MS-speccific eIDAS-Connector configuration
-#proxy.context.url.prefix=
+#eidas.ms.context.url.prefix=
eidas.ms.context.url.request.validation=false
-#proxy.configRootDir=file:/.../config/
+#eidas.ms.configRootDir=file:/.../config/
eidas.ms.context.use.clustermode=true
eidas.ms.core.logging.level.info.errorcodes=auth.21
@@ -48,14 +48,28 @@ eidas.ms.core.pendingrequestid.digist.algorithm=HmacSHA256
## eIDAS Ref. Implementation connector ###
eidas.ms.auth.eIDAS.node_v2.entityId=ownSpecificConnector
+eidas.ms.auth.eIDAS.eid.testidentity.default=false
+
#eidas.ms.auth.eIDAS.node_v2.forward.endpoint=
eidas.ms.auth.eIDAS.node_v2.forward.method=POST
eidas.ms.auth.eIDAS.node_v2.countrycode=AT
-eidas.ms.auth.eIDAS.node_v2.publicSectorTargets=.*
-eidas.ms.auth.eIDAS.node_v2.workarounds.addAlwaysProviderName=true
+eidas.ms.auth.eIDAS.node_v2.publicSectorTargets=urn:publicid:gv.at:cdid\+.*
+
+## use SAML2 requestId as transactionIdentifier to mitigate problems with SAML2 relaystate
eidas.ms.auth.eIDAS.node_v2.workarounds.useRequestIdAsTransactionIdentifier=true
-eidas.ms.auth.eIDAS.node_v2.workarounds.useStaticProviderNameForPublicSPs=true
+## use hashed version of unique SP-Identifier as requesterId
+eidas.ms.auth.eIDAS.node_v2.requesterId.useHashedForm=true
+
+## user static requesterId for all SP's in case of LU
+eidas.ms.auth.eIDAS.node_v2.requesterId.lu.useStaticRequesterForAll=true
+
+
+## set provider name for all public SPs
+eidas.ms.auth.eIDAS.node_v2.workarounds.addAlwaysProviderName=false
+
+
+#eidas.ms.auth.eIDAS.node_v2.requested.nameIdFormat=
eidas.ms.auth.eIDAS.node_v2.loa.requested.minimum=http://eidas.europa.eu/LoA/high
#eidas.ms.auth.eIDAS.szrclient.useTestService=true
@@ -108,6 +122,7 @@ eidas.ms.auth.eIDAS.szrclient.params.setBirthNameIfAvailable=true
eidas.ms.auth.eIDAS.szrclient.debug.logfullmessages=false
eidas.ms.auth.eIDAS.szrclient.debug.useDummySolution=false
+
##without mandates
eidas.ms.auth.eIDAS.node_v2.attributes.requested.onlynatural.0=PersonIdentifier,true
eidas.ms.auth.eIDAS.node_v2.attributes.requested.onlynatural.1=FamilyName,true
@@ -136,7 +151,7 @@ eidas.ms.auth.eIDAS.node_v2.attributes.requested.representation.5=LegalName,true
#eidas.ms.pvp2.key.metadata.password=password
#eidas.ms.pvp2.key.signing.alias=sig
#eidas.ms.pvp2.key.signing.password=password
-#eidas.ms.pvp2.metadata.validity=24
+eidas.ms.pvp2.metadata.validity=24
#eidas.ms.pvp2.metadata.organisation.name=JUnit
#eidas.ms.pvp2.metadata.organisation.friendyname=For testing with jUnit
@@ -157,8 +172,6 @@ eidas.ms.auth.eIDAS.node_v2.attributes.requested.representation.5=LegalName,true
##only for advanced config
-eidas.ms.configuration.sp.disableRegistrationRequirement=
-#eidas.ms.configuration.restrictions.baseID.spTransmission=
-eidas.ms.configuration.auth.default.countrycode=
-eidas.ms.configuration.pvp.scheme.validation=
-eidas.ms.configuration.pvp.enable.entitycategories= \ No newline at end of file
+eidas.ms.configuration.sp.disableRegistrationRequirement=false
+eidas.ms.configuration.pvp.scheme.validation=true
+eidas.ms.configuration.pvp.enable.entitycategories=false \ No newline at end of file
diff --git a/connector/src/main/resources/logback.xml b/connector/src/main/resources/logback.xml
index 7aa2d0cc..9679d9e4 100644
--- a/connector/src/main/resources/logback.xml
+++ b/connector/src/main/resources/logback.xml
@@ -8,96 +8,6 @@
<!-- http://www.qos.ch/shop/products/professionalSupport -->
<!-- -->
<configuration>
- <appender name="msnode"
- class="ch.qos.logback.core.rolling.RollingFileAppender">
- <!--See also http://logback.qos.ch/manual/appenders.html#RollingFileAppender -->
- <File>logs/eidas-ms-specific.log</File>
- <encoder>
- <pattern>%5p | %d{dd HH:mm:ss,SSS} | %t | %m%n</pattern>
- </encoder>
- <rollingPolicy
- class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
- <maxIndex>9999</maxIndex>
- <FileNamePattern>logs/eidas-ms-specific.log.%i
- </FileNamePattern>
- </rollingPolicy>
- <triggeringPolicy
- class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
- <MaxFileSize>10000KB</MaxFileSize>
- </triggeringPolicy>
- </appender>
- <appender name="EIDASNODE"
- class="ch.qos.logback.core.rolling.RollingFileAppender">
- <!--See also http://logback.qos.ch/manual/appenders.html#RollingFileAppender -->
- <File>logs/eIDAS_node.log</File>
- <encoder>
- <pattern>%5p | %d{dd HH:mm:ss,SSS} | %t | %m%n</pattern>
- </encoder>
- <rollingPolicy
- class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
- <maxIndex>9999</maxIndex>
- <FileNamePattern>logs/eIDAS_node.log.%i
- </FileNamePattern>
- </rollingPolicy>
- <triggeringPolicy
- class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
- <MaxFileSize>10000KB</MaxFileSize>
- </triggeringPolicy>
- </appender>
- <appender name="reversion"
- class="ch.qos.logback.core.rolling.RollingFileAppender">
- <!--See also http://logback.qos.ch/manual/appenders.html#RollingFileAppender -->
- <File>logs/eidas-ms-reversion.log</File>
- <encoder>
- <pattern>%5p | %d{dd HH:mm:ss,SSS} | %t | %m%n</pattern>
- </encoder>
- <rollingPolicy
- class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
- <maxIndex>9999</maxIndex>
- <FileNamePattern>logs/eidas-ms-reversion.log.%i
- </FileNamePattern>
- </rollingPolicy>
- <triggeringPolicy
- class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
- <MaxFileSize>10000KB</MaxFileSize>
- </triggeringPolicy>
- </appender>
- <appender name="statistic"
- class="ch.qos.logback.core.rolling.RollingFileAppender">
- <!--See also http://logback.qos.ch/manual/appenders.html#RollingFileAppender -->
- <File>logs/eidas-ms-statistic.log</File>
- <encoder>
- <pattern>%m%n</pattern>
- </encoder>
- <rollingPolicy
- class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
- <maxIndex>9999</maxIndex>
- <FileNamePattern>logs/eidas-ms-statistic.log.%i
- </FileNamePattern>
- </rollingPolicy>
- <triggeringPolicy
- class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
- <MaxFileSize>10000KB</MaxFileSize>
- </triggeringPolicy>
- </appender>
- <appender name="stdout"
- class="ch.qos.logback.core.rolling.RollingFileAppender">
- <!--See also http://logback.qos.ch/manual/appenders.html#RollingFileAppender -->
- <File>logs/console.log</File>
- <encoder>
- <pattern>%5p | %d{dd HH:mm:ss,SSS} | %t | %m%n</pattern>
- </encoder>
- <rollingPolicy
- class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
- <maxIndex>9999</maxIndex>
- <FileNamePattern>logs/console.log.%i
- </FileNamePattern>
- </rollingPolicy>
- <triggeringPolicy
- class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
- <MaxFileSize>10000KB</MaxFileSize>
- </triggeringPolicy>
- </appender>
<appender name="console"
class="ch.qos.logback.core.ConsoleAppender">
<encoder>
@@ -105,27 +15,16 @@
</encoder>
</appender>
<logger name="at.gv.egiz.eaaf" level="info">
- <appender-ref ref="msnode" />
+ <appender-ref ref="console" />
</logger>
<logger name="eu.eidas" additivity="false" level="info">
- <appender-ref ref="EIDASNODE" />
+ <appender-ref ref="console" />
</logger>
<logger name="at.gv.egiz.eidas.specific" additivity="false"
level="info">
- <appender-ref ref="msnode" />
- </logger>
- <logger
- name="at.gv.egiz.eidas.specific.connector.logger.RevisionLogger"
- additivity="false" level="info">
- <appender-ref ref="reversion" />
- </logger>
- <logger
- name="at.gv.egiz.eidas.specific.connector.logger.StatisticLogger"
- additivity="false" level="info">
- <appender-ref ref="statistic" />
+ <appender-ref ref="console" />
</logger>
<root level="info">
- <appender-ref ref="stdout" />
<appender-ref ref="console" />
</root>
</configuration>
diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/FullStartUpAndProcessTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/FullStartUpAndProcessTest.java
index 1690016e..4e66d324 100644
--- a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/FullStartUpAndProcessTest.java
+++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/FullStartUpAndProcessTest.java
@@ -51,13 +51,12 @@ import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
-import com.skjolberg.mockito.soap.SoapServiceRule;
+import com.github.skjolber.mockito.soap.SoapServiceRule;
import at.asitplus.eidas.specific.connector.controller.ProcessEngineSignalController;
import at.asitplus.eidas.specific.connector.controller.Pvp2SProfileEndpoint;
import at.asitplus.eidas.specific.connector.provider.PvpEndPointCredentialProvider;
import at.asitplus.eidas.specific.connector.provider.PvpMetadataProvider;
-import at.asitplus.eidas.specific.connector.test.saml2.Pvp2SProfileEndPointTest;
import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants;
import at.asitplus.eidas.specific.modules.auth.eidas.v2.EidasSignalServlet;
import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry;
@@ -76,6 +75,7 @@ import at.gv.e_government.reference.namespace.persondata.de._20040201.Identifica
import at.gv.egiz.components.spring.api.SpringBootApplicationContextInitializer;
import at.gv.egiz.eaaf.core.api.IStatusMessenger;
import at.gv.egiz.eaaf.core.api.data.EaafConstants;
+import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions;
import at.gv.egiz.eaaf.core.exceptions.EaafException;
import at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController;
import at.gv.egiz.eaaf.core.impl.logging.LogMessageProviderFactory;
@@ -115,7 +115,7 @@ import szrservices.SignContentResponseType;
public class FullStartUpAndProcessTest {
private static final String FINAL_REDIRECT = "http://localhost/public/secure/finalizeAuthProtocol?pendingid=";
-
+
@Autowired private WebApplicationContext wac;
@Autowired private PvpEndPointCredentialProvider credentialProvider;
@Autowired private PvpMetadataProvider metadataProvider;
@@ -178,7 +178,6 @@ public class FullStartUpAndProcessTest {
System.out.println("Closiong Ignite Node ... ");
Ignition.stopAll(true);
-
//set Ignite-node holder to 'null' because static holders are shared between different tests
final Field field = IgniteInstanceInitializerSpecificCommunication.class.getDeclaredField("instance");
field.setAccessible(true);
@@ -400,7 +399,8 @@ public class FullStartUpAndProcessTest {
Assert.assertEquals("SAML2 status", Constants.SUCCESS_URI, saml2.getStatus().getStatusCode().getValue());
final AssertionAttributeExtractor extractor = new AssertionAttributeExtractor(saml2);
- Assert.assertEquals("wrong resp attr. size", 6, extractor.getAllIncludeAttributeNames().size());
+
+ Assert.assertEquals("wrong resp attr. size", 7, extractor.getAllIncludeAttributeNames().size());
Assert.assertEquals("Wrong attr: LoA ", "http://eidas.europa.eu/LoA/high",
extractor.getSingleAttributeValue("urn:oid:1.2.40.0.10.2.1.1.261.108"));
Assert.assertEquals("Wrong attr: PVP_VERSION ", "2.2",
@@ -413,7 +413,9 @@ public class FullStartUpAndProcessTest {
extractor.getSingleAttributeValue("urn:eidgvat:attributes.authblock.signed"));
Assert.assertNotNull("Wrong attr: piiTras.Id ",
extractor.getSingleAttributeValue("urn:eidgvat:attributes.piiTransactionId"));
-
+ Assert.assertEquals("Wrong attr:EID_STATUS_LEVEL ", "http://eid.gv.at/eID/status/identity",
+ extractor.getSingleAttributeValue(PvpAttributeDefinitions.EID_IDENTITY_STATUS_LEVEL_NAME));
+
}
private void injectSzrResponse() throws Exception {
@@ -538,7 +540,7 @@ public class FullStartUpAndProcessTest {
IOException, MarshallingException, ComponentInitializationException {
final RequestAbstractType authnReq = (RequestAbstractType) XMLObjectSupport.unmarshallFromInputStream(
XMLObjectProviderRegistrySupport.getParserPool(),
- Pvp2SProfileEndPointTest.class.getResourceAsStream("/data/pvp2_authn_1.xml"));
+ FullStartUpAndProcessTest.class.getResourceAsStream("/data/pvp2_authn_1.xml"));
authnReq.setIssueInstant(DateTime.now());
RequestAbstractType signedAuthnReq =
Saml2Utils.signSamlObject(authnReq, credentialProvider.getMessageSigningCredential(), true);
diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/utils/AuthenticationDataBuilderTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/utils/AuthenticationDataBuilderTest.java
index f4b8e57c..17ecb2ca 100644
--- a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/utils/AuthenticationDataBuilderTest.java
+++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/utils/AuthenticationDataBuilderTest.java
@@ -11,6 +11,7 @@ import java.util.Map;
import javax.xml.transform.TransformerException;
import org.apache.commons.lang3.RandomStringUtils;
+import org.apache.commons.lang3.RandomUtils;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
@@ -35,6 +36,7 @@ import at.gv.egiz.eaaf.core.api.data.EaafConfigConstants;
import at.gv.egiz.eaaf.core.api.data.EaafConstants;
import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions;
import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions;
+import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions.EidIdentityStatusLevelValues;
import at.gv.egiz.eaaf.core.api.idp.IAuthData;
import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink;
@@ -43,7 +45,9 @@ import at.gv.egiz.eaaf.core.exceptions.EaafBuilderException;
import at.gv.egiz.eaaf.core.exceptions.EaafParserException;
import at.gv.egiz.eaaf.core.exceptions.EaafStorageException;
import at.gv.egiz.eaaf.core.impl.builder.BpkBuilder;
+import at.gv.egiz.eaaf.core.impl.idp.EidAuthenticationData;
import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper;
+import at.gv.egiz.eaaf.core.impl.idp.auth.data.EidAuthProcessDataWrapper;
import at.gv.egiz.eaaf.core.impl.idp.auth.data.SimpleIdentityLinkAssertionParser;
import at.gv.egiz.eaaf.core.impl.idp.module.test.DummySpConfiguration;
import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl;
@@ -118,8 +122,10 @@ public class AuthenticationDataBuilderTest {
@Test
public void eidMode() throws EaafAuthenticationException {
// initialize state
+ boolean isTestIdentity = RandomUtils.nextBoolean();
pendingReq.getSessionData(AuthProcessDataWrapper.class).setEidProcess(true);
-
+ pendingReq.getSessionData(EidAuthProcessDataWrapper.class).setTestIdentity(isTestIdentity);
+
// execute
IAuthData authData = authenticationDataBuilder.buildAuthenticationData(pendingReq);
@@ -128,6 +134,9 @@ public class AuthenticationDataBuilderTest {
Assert.assertNotNull("authBlock null", authData.getGenericData(Constants.SZR_AUTHBLOCK, String.class));
Assert.assertNotNull("eidasBind null", authData.getGenericData(Constants.EIDAS_BIND, String.class));
Assert.assertNotNull("LoA null", authData.getEidasQaaLevel());
+ Assert.assertEquals("testIdentity flag",
+ isTestIdentity ? EidIdentityStatusLevelValues.TESTIDENTITY : EidIdentityStatusLevelValues.IDENTITY,
+ ((EidAuthenticationData)authData).getEidStatus());
String authBlock = authData.getGenericData(Constants.SZR_AUTHBLOCK, String.class);
String eidasBind = authData.getGenericData(Constants.EIDAS_BIND, String.class);
@@ -159,6 +168,8 @@ public class AuthenticationDataBuilderTest {
@Test
public void moaIdMode() throws EaafAuthenticationException, EaafBuilderException {
//initialize state
+ boolean isTestIdentity = RandomUtils.nextBoolean();
+ pendingReq.getSessionData(EidAuthProcessDataWrapper.class).setTestIdentity(isTestIdentity);
pendingReq.getSessionData(AuthProcessDataWrapper.class).setEidProcess(false);
IIdentityLink idl = buildDummyIdl();
pendingReq.getSessionData(AuthProcessDataWrapper.class).setIdentityLink(idl);
@@ -173,6 +184,9 @@ public class AuthenticationDataBuilderTest {
Assert.assertNull("piiTransactionId",
authData.getGenericData(ExtendedPvpAttributeDefinitions.EID_PII_TRANSACTION_ID_NAME, String.class));
+ Assert.assertEquals("testIdentity flag",
+ isTestIdentity ? EidIdentityStatusLevelValues.TESTIDENTITY : EidIdentityStatusLevelValues.IDENTITY,
+ ((EidAuthenticationData)authData).getEidStatus());
Assert.assertNotNull("assertion validTo", authData.getSsoSessionValidTo());
Assert.assertNotNull("LoA null", authData.getEidasQaaLevel());
diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/utils/AuthnRequestValidatorTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/utils/AuthnRequestValidatorTest.java
index 9aafb4b6..c57515a0 100644
--- a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/utils/AuthnRequestValidatorTest.java
+++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/utils/AuthnRequestValidatorTest.java
@@ -214,6 +214,11 @@ public class AuthnRequestValidatorTest {
Assert.assertEquals("wrong transactionId", "transId_11223344556677aabbcc",
pendingReq.getUniqueTransactionIdentifier());
+
+ Assert.assertEquals("wrong binding pubkey", "binding_pubKey_1144225247125dsfasfasdf",
+ pendingReq.getRawData(MsEidasNodeConstants.EID_BINDING_PUBLIC_KEY_NAME, String.class));
+
+
}
diff --git a/connector/src/test/resources/data/metadata_valid_without_encryption.xml b/connector/src/test/resources/data/metadata_valid_without_encryption.xml
index b224c336..32b24e91 100644
--- a/connector/src/test/resources/data/metadata_valid_without_encryption.xml
+++ b/connector/src/test/resources/data/metadata_valid_without_encryption.xml
@@ -71,6 +71,7 @@ ANsmjI2azWiTSFjb7Ou5fnCfbeiJUP0s66m8qS4rYl9L</ds:X509Certificate>
<md:RequestedAttribute FriendlyName="userAuthBlock" Name="urn:eidgvat:attributes.authblock.signed" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute FriendlyName="eidBind" Name="urn:eidgvat:attributes.eidbind" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
<md:RequestedAttribute FriendlyName="piiTransactionId" Name="urn:eidgvat:attributes.piiTransactionId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
+ <md:RequestedAttribute FriendlyName="EID-IDENTITY-STATUS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.109" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
<md:Organization>
diff --git a/connector/src/test/resources/data/pvp2_authn_3.xml b/connector/src/test/resources/data/pvp2_authn_3.xml
index 35e49b0f..5352c441 100644
--- a/connector/src/test/resources/data/pvp2_authn_3.xml
+++ b/connector/src/test/resources/data/pvp2_authn_3.xml
@@ -31,6 +31,9 @@
<eid:RequestedAttribute FriendlyName="transactionId" Name="urn:eidgvat:attributes.transactionId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true">
<eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">transId_11223344556677aabbcc</eid:AttributeValue>
</eid:RequestedAttribute>
+ <eid:RequestedAttribute FriendlyName="Binding-PublicKey" Name="urn:eidgvat:attributes.binding.pubkey" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true">
+ <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">binding_pubKey_1144225247125dsfasfasdf</eid:AttributeValue>
+ </eid:RequestedAttribute>
</eid:RequestedAttributes>
</saml2p:Extensions>
<saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>