diff options
author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2018-07-20 10:56:04 +0200 |
---|---|---|
committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2018-07-20 10:56:04 +0200 |
commit | 31bc1246bb56fcd8807678e3f7516023bdfaed44 (patch) | |
tree | 0c3ed662a5be943a4ceb70d021e1bb7ac9dc1015 /connector_lib/src | |
parent | 2945c875bda2c8236d0b3fd630358fcaca85f4a8 (diff) | |
download | National_eIDAS_Gateway-31bc1246bb56fcd8807678e3f7516023bdfaed44.tar.gz National_eIDAS_Gateway-31bc1246bb56fcd8807678e3f7516023bdfaed44.tar.bz2 National_eIDAS_Gateway-31bc1246bb56fcd8807678e3f7516023bdfaed44.zip |
add SZR client
add different logging backends
define errorcodes and error messages
update to eIDAS Ref. impl 2.1
Diffstat (limited to 'connector_lib/src')
6 files changed, 507 insertions, 0 deletions
diff --git a/connector_lib/src/main/java/at/gv/egiz/eidas/specific/connector/MSeIDASNodeConstants.java b/connector_lib/src/main/java/at/gv/egiz/eidas/specific/connector/MSeIDASNodeConstants.java new file mode 100644 index 00000000..968bd3ae --- /dev/null +++ b/connector_lib/src/main/java/at/gv/egiz/eidas/specific/connector/MSeIDASNodeConstants.java @@ -0,0 +1,72 @@ +/******************************************************************************* + *******************************************************************************/ +package at.gv.egiz.eidas.specific.connector; + +import at.gv.egiz.eaaf.core.api.data.EAAFConfigConstants; + +public class MSeIDASNodeConstants { + // ************ configuration properties ************ + public static final String PROP_CONFIG_APPLICATION_PREFIX = "eidas.ms."; + public static final String PROP_CONFIG_APPLICATION_PUBLIC_URL_PREFIX = "context.url.prefix"; + + private static final String PROP_CONFIG_PVP2_PREFIX = "pvp2."; + public static final String PROP_CONFIG_PVP2_KEYSTORE_PATH = PROP_CONFIG_PVP2_PREFIX + "keystore.path"; + public static final String PROP_CONFIG_PVP2_KEYSTORE_PASSWORD = PROP_CONFIG_PVP2_PREFIX + "keystore.password"; + public static final String PROP_CONFIG_PVP2_KEY_METADATA_ALIAS = PROP_CONFIG_PVP2_PREFIX + "key.metadata.alias"; + public static final String PROP_CONFIG_PVP2_KEY_METADATA_PASSWORD = PROP_CONFIG_PVP2_PREFIX + "key.metadata.password"; + public static final String PROP_CONFIG_PVP2_KEY_SIGNING_ALIAS = PROP_CONFIG_PVP2_PREFIX + "key.signing.alias"; + public static final String PROP_CONFIG_PVP2_KEY_SIGNING_PASSWORD = PROP_CONFIG_PVP2_PREFIX + "key.signing.password"; + public static final String PROP_CONFIG_PVP2_METADATA_VALIDITY = PROP_CONFIG_PVP2_PREFIX + "metadata.validity"; + + public static final String PROP_CONFIG_SP_VALIDATION_DISABLED = "configuration.sp.disableRegistrationRequirement"; + + public static final String PROP_CONFIG_SP_LIST_PREFIX = "sp."; + public static final String PROP_CONFIG_SP_UNIQUEIDENTIFIER = EAAFConfigConstants.SERVICE_UNIQUEIDENTIFIER; + public static final String PROP_CONFIG_SP_FRIENDLYNAME = "friendlyName"; + public static final String PROP_CONFIG_SP_PVP2_METADATA_URL = "pvp2.metadata.url"; + public static final String PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE = "pvp2.metadata.truststore"; + public static final String PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE_PASSWORD = "pvp2.metadata.truststore.password"; + public static final String PROP_CONFIG_SP_POLICY_ALLOWED_TARGETS = "policy.allowed.requested.targets"; + public static final String PROP_CONFIG_SP_POLICY_BASEIDTRANSFER_RESTRICTION = "policy.hasBaseIdTransferRestriction"; + + public static final String PROP_CONFIG_PVP_SCHEME_VALIDATION = "configuration.pvp.scheme.validation"; + public static final String PROP_CONFIG_PVP_ENABLE_ENTITYCATEGORIES = "configuration.pvp.enable.entitycategories"; + + // ********** default values *************** + + //Default policy for SP-targets requested by MOA-ID to ms-specific eIDAS Connector + public static final String POLICY_DEFAULT_ALLOWED_TARGETS = ".*"; + // EAAFConstants.URN_PREFIX_CDID.replaceAll("\\.", "\\\\.").replaceAll("\\+", "\\\\+") + ".*"; + + public static final int METADATA_SOCKED_TIMEOUT = 20 * 1000; //20 seconds metadata socked timeout + public static final int DEFAULT_PVP_METADATA_VALIDITY = 24; //24 hours + public static final int DEFAULT_PVP_ASSERTION_VALIDITY = 5; //5 minutes + + + // ************ application end-points ************* + public static final String ENDPOINT_PVP_METADATA = "/pvp/metadata"; + public static final String ENDPOINT_PVP_POST = "/pvp/post"; + public static final String ENDPOINT_PVP_REDIRECT = "/pvp/redirect"; + + public static final String ENDPOINT_COUNTRYSELECTION = "/myHomeCountry"; + + + // ************ paths and templates ************ + public static final String CLASSPATH_TEMPLATE_DIR = "/templates/"; + public static final String FILESYSTEM_TEMPLATE_DIR = "./templates/"; + + public static final String TEMPLATE_HTML_ERROR = "error.html"; + public static final String TEMPLATE_HTML_PVP_POSTBINDING = "pvp2_post_binding.html"; + public static final String TEMPLATE_HTML_COUNTRYSELECTION = "countrySelection.html"; + + + // ************ execution context and generic data ************ + public static final String REQ_PARAM_SELECTED_COUNTRY = "selectedCountry"; + public static final String REQ_PARAM_STOP_PROCESS = "stopAuthProcess"; + + public static final String DATA_REQUESTERID = "req_requesterId"; + public static final String DATA_PROVIDERNAME = "req_providerName"; + public static final String DATA_REQUESTED_LOA_LIST = "req_requestedLoA"; + public static final String DATA_REQUESTED_LOA_COMPERISON = "req_requestedLoAComperision"; + +} diff --git a/connector_lib/src/main/java/at/gv/egiz/eidas/specific/connector/config/BasicConfigurationProvider.java b/connector_lib/src/main/java/at/gv/egiz/eidas/specific/connector/config/BasicConfigurationProvider.java new file mode 100644 index 00000000..b898dfef --- /dev/null +++ b/connector_lib/src/main/java/at/gv/egiz/eidas/specific/connector/config/BasicConfigurationProvider.java @@ -0,0 +1,114 @@ +/******************************************************************************* + *******************************************************************************/ +package at.gv.egiz.eidas.specific.connector.config; + +import java.net.URL; +import java.util.HashMap; +import java.util.Map; + +import org.apache.commons.lang3.StringUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.stereotype.Service; + +import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; +import at.gv.egiz.eaaf.core.impl.idp.conf.AbstractConfigurationImpl; +import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils; +import at.gv.egiz.eidas.specific.connector.MSeIDASNodeConstants; + +@Service("BasicMSSpecificNodeConfig") +public class BasicConfigurationProvider extends AbstractConfigurationImpl{ + private static final Logger log = LoggerFactory.getLogger(BasicConfigurationProvider.class); + + private Map<String, ISPConfiguration> spConfigCache = new HashMap<String, ISPConfiguration>(); + + public BasicConfigurationProvider(String configPath) throws EAAFConfigurationException { + super(configPath); + + } + + @Override + public ISPConfiguration getServiceProviderConfiguration(String entityId) throws EAAFConfigurationException { + if (!spConfigCache.containsKey(entityId)) { + log.debug("SP: " + entityId + " is NOT cached. Starting load operation ... "); + Map<String, String> allSPs = getBasicMOAIDConfigurationWithPrefix(MSeIDASNodeConstants.PROP_CONFIG_SP_LIST_PREFIX); + for (String key : allSPs.keySet()) { + if (key.endsWith(MSeIDASNodeConstants.PROP_CONFIG_SP_UNIQUEIDENTIFIER) && + allSPs.get(key).equals(entityId)) { + String listId = KeyValueUtils.getParentKey(key); + log.trace("Find SP configuration with list-Id: " + listId + ". Extracting configuration elements ... "); + Map<String, String> spConfig = KeyValueUtils.getSubSetWithPrefix(allSPs, listId + KeyValueUtils.KEY_DELIMITER); + spConfigCache.put(entityId, + new ServiceProviderConfiguration(spConfig, this)); + break; + } + } + + if (spConfigCache.containsKey(entityId)) + log.info("SP: " + entityId + " is loaded. Continuing auth. process ... "); + else { + log.warn("SP: " + entityId + " is NOT found in configuration. Stopping auth. process ... "); + return null; + + } + + } else + log.trace("SP: " + entityId + " is already cached. Use configuration from there ... "); + + + return spConfigCache.get(entityId); + } + + @Override + public <T> T getServiceProviderConfiguration(String entityId, Class<T> decorator) throws EAAFConfigurationException { + ISPConfiguration spConfig = getServiceProviderConfiguration(entityId); + if (spConfig != null && decorator != null) { + if (decorator.isInstance(spConfig)) + return (T)spConfig; + else + log.error("SPConfig: " + spConfig.getClass().getName() + " is NOT instance of: " + decorator.getName()); + + } + + return null; + + } + + @Override + public String validateIDPURL(URL url) throws EAAFException { + log.trace("Validate requested URL: " + url); + String urlPrefixFromConfig = getBasicConfiguration(MSeIDASNodeConstants.PROP_CONFIG_APPLICATION_PUBLIC_URL_PREFIX); + if (StringUtils.isEmpty(urlPrefixFromConfig)) { + log.warn("Application config containts NO URL prefix"); + throw new EAAFConfigurationException("Application config containts NO URL prefix"); + + } + + //remove last slash + if (urlPrefixFromConfig.endsWith("/")) + urlPrefixFromConfig = urlPrefixFromConfig.substring(0, urlPrefixFromConfig.length()-1); + + if (url != null && url.toExternalForm().startsWith(urlPrefixFromConfig)) + return urlPrefixFromConfig; + + + log.info("URL: " + url + " does NOT match to allowed application prefix: " + urlPrefixFromConfig); + return null; + } + + @Override + public String getApplicationSpecificKeyPrefix() { + return MSeIDASNodeConstants.PROP_CONFIG_APPLICATION_PREFIX; + + } + + @Override + protected String getBackupConfigPath() { + return null; + + } + + +} diff --git a/connector_lib/src/main/java/at/gv/egiz/eidas/specific/connector/config/ServiceProviderConfiguration.java b/connector_lib/src/main/java/at/gv/egiz/eidas/specific/connector/config/ServiceProviderConfiguration.java new file mode 100644 index 00000000..a742db6a --- /dev/null +++ b/connector_lib/src/main/java/at/gv/egiz/eidas/specific/connector/config/ServiceProviderConfiguration.java @@ -0,0 +1,140 @@ +/******************************************************************************* + *******************************************************************************/ +package at.gv.egiz.eidas.specific.connector.config; + +import java.util.Arrays; +import java.util.List; +import java.util.Map; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import at.gv.egiz.eaaf.core.api.data.EAAFConstants; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; +import at.gv.egiz.eaaf.core.impl.idp.conf.SPConfigurationImpl; +import at.gv.egiz.eidas.specific.connector.MSeIDASNodeConstants; + +public class ServiceProviderConfiguration extends SPConfigurationImpl { + private static final long serialVersionUID = 1L; + private static final Logger log = LoggerFactory.getLogger(ServiceProviderConfiguration.class); + + private List<String> minimumLoA = Arrays.asList(EAAFConstants.EIDAS_LOA_HIGH); + private String bPKTargetIdentifier; + private String loaMachtingMode = EAAFConstants.EIDAS_LOA_MATCHING_MINIMUM; + + public ServiceProviderConfiguration(Map<String, String> spConfig, IConfiguration authConfig) { + super(spConfig, authConfig); + + } + + @Override + public boolean hasBaseIdInternalProcessingRestriction() { + return false; + + } + + @Override + public boolean hasBaseIdTransferRestriction() { + Boolean spConfigPolicy = isConfigurationValue(MSeIDASNodeConstants.PROP_CONFIG_SP_POLICY_BASEIDTRANSFER_RESTRICTION); + if (spConfigPolicy != null) + return spConfigPolicy; + + else { + log.trace("SP configuration defines no baseID transfer restriction. Enforce default policy ..."); + for (String el : getTargetsWithNoBaseIdTransferRestriction()) { + if (this.bPKTargetIdentifier != null && this.bPKTargetIdentifier.startsWith(el)) { + log.debug("SP-Target: " + this.bPKTargetIdentifier + " has NO baseID transfer restriction in default policy"); + return false; + + } + } + } + + log.debug("Default-policy defines baseID transfer restriction for SP-Target: " + this.bPKTargetIdentifier); + return true; + } + + @Override + public List<String> getRequiredLoA() { + return minimumLoA; + + } + + public String getLoAMatchingMode() { + return loaMachtingMode; + + } + + + @Override + public String getAreaSpecificTargetIdentifier() { + return bPKTargetIdentifier; + } + + + @Override + public String getFriendlyName() { + return getConfigurationValue( + MSeIDASNodeConstants.PROP_CONFIG_SP_FRIENDLYNAME, + "NO FRIENDLYNAME SET"); + + } + + /** + * Set the minimum level of eIDAS authentication for this SP + * <br> + * <b>Default:</b> http://eidas.europa.eu/LoA/high + * <br> + * <b>Info:</b> In case of MINIMUM matching-mode, only one entry is allowed + * + * @param minimumLoA eIDAS LoA URIs + */ + + public void setRequiredLoA(List<String> minimumLoA) { + this.minimumLoA = minimumLoA; + } + + /** + * Set the mode of operation for LoA matching for this SP + * <b> + * <b>Default: minimum</b> + * <br> + * <b>Info:</b> Currently only 'minimum' and 'exact' are supported + * + * @param mode LoA matching mode according to SAML2 core specification + */ + public void setLoAMachtingMode(String mode) { + this.loaMachtingMode = mode; + } + + + /** + * Set the bPK Target for this service provider + * + * @param bPKTargetIdentifier + * @throws EAAFException If the bPKTargetIdentifier is NOT ALLOWED for this service provider + */ + public void setbPKTargetIdentifier(String bPKTargetIdentifier) throws EAAFException { + String allowedTargetIdentifierRegExPattern = getConfigurationValue( + MSeIDASNodeConstants.PROP_CONFIG_SP_POLICY_ALLOWED_TARGETS, + MSeIDASNodeConstants.POLICY_DEFAULT_ALLOWED_TARGETS); + log.trace("Use bPK-target regex pattern: " + allowedTargetIdentifierRegExPattern); + + Pattern p = Pattern.compile(allowedTargetIdentifierRegExPattern); + Matcher m = p.matcher(bPKTargetIdentifier); + if (m.matches()) { + log.debug("Requested bPK-target: " + bPKTargetIdentifier + " matches regex pattern"); + this.bPKTargetIdentifier = bPKTargetIdentifier; + + } else { + log.warn("Requested bPK-target: " + bPKTargetIdentifier + " does NOT match regex pattern."); + throw new EAAFException("auth.37", new Object[] {bPKTargetIdentifier, getUniqueIdentifier()}); + + } + + } + +} diff --git a/connector_lib/src/main/java/at/gv/egiz/eidas/specific/connector/gui/DefaultGUIBuilderImpl.java b/connector_lib/src/main/java/at/gv/egiz/eidas/specific/connector/gui/DefaultGUIBuilderImpl.java new file mode 100644 index 00000000..7ae0c71c --- /dev/null +++ b/connector_lib/src/main/java/at/gv/egiz/eidas/specific/connector/gui/DefaultGUIBuilderImpl.java @@ -0,0 +1,44 @@ +/******************************************************************************* + *******************************************************************************/ +package at.gv.egiz.eidas.specific.connector.gui; + +import java.io.InputStream; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.stereotype.Service; + +import at.gv.egiz.eaaf.core.api.gui.IGUIBuilderConfiguration; +import at.gv.egiz.eaaf.core.exceptions.GUIBuildException; +import at.gv.egiz.eaaf.core.impl.gui.AbstractGUIFormBuilderImpl; + +@Service("DefaultGUIBuilderImpl") +public class DefaultGUIBuilderImpl extends AbstractGUIFormBuilderImpl{ + private static final Logger log = LoggerFactory.getLogger(DefaultGUIBuilderImpl.class); + + private static final String CLASSPATH_HTMLTEMPLATES_DIR = "templates/"; + + public DefaultGUIBuilderImpl() throws GUIBuildException { + super(); + + } + + @Override + protected InputStream getInternalTemplate(IGUIBuilderConfiguration config) throws GUIBuildException { + String viewName = config.getViewName(); + log.debug("GUI template:" + viewName + " is not found in configuration directory. " + + " Load template from project library ... "); + String pathLocation = getInternalClasspathTemplateDir(config, CLASSPATH_HTMLTEMPLATES_DIR) + viewName; + try { + InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(pathLocation); + return is; + + } catch (Exception e1) { + log.error("GUI template:" + pathLocation + " is NOT loadable from classpath!", e1); + throw new GUIBuildException("GUI template:" + pathLocation + " is NOT loadable from classpath!", e1); + + } + + } + +} diff --git a/connector_lib/src/main/java/at/gv/egiz/eidas/specific/connector/gui/GUIBuilderConfigurationFactory.java b/connector_lib/src/main/java/at/gv/egiz/eidas/specific/connector/gui/GUIBuilderConfigurationFactory.java new file mode 100644 index 00000000..8132c063 --- /dev/null +++ b/connector_lib/src/main/java/at/gv/egiz/eidas/specific/connector/gui/GUIBuilderConfigurationFactory.java @@ -0,0 +1,32 @@ +/******************************************************************************* + *******************************************************************************/ +package at.gv.egiz.eidas.specific.connector.gui; + +import java.net.MalformedURLException; +import java.net.URI; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; + +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.gui.IGUIBuilderConfiguration; +import at.gv.egiz.eaaf.core.api.gui.IGUIBuilderConfigurationFactory; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eidas.specific.connector.MSeIDASNodeConstants; + +@Service("GUIBuilderConfigurationFactory") +public class GUIBuilderConfigurationFactory implements IGUIBuilderConfigurationFactory { + @Autowired(required=true) private IConfiguration basicConfig; + + @Override + public IGUIBuilderConfiguration getDefaultErrorGUI(String authURL) { + return new StaticGuiBuilderConfiguration(basicConfig, authURL, MSeIDASNodeConstants.TEMPLATE_HTML_ERROR, null); + } + + @Override + public IGUIBuilderConfiguration getSPSpecificSAML2PostConfiguration(IRequest pendingReq, String viewName, URI configRootContextDir) + throws MalformedURLException { + return new StaticGuiBuilderConfiguration(basicConfig, pendingReq,MSeIDASNodeConstants.TEMPLATE_HTML_PVP_POSTBINDING , null); + } + +} diff --git a/connector_lib/src/main/java/at/gv/egiz/eidas/specific/connector/gui/StaticGuiBuilderConfiguration.java b/connector_lib/src/main/java/at/gv/egiz/eidas/specific/connector/gui/StaticGuiBuilderConfiguration.java new file mode 100644 index 00000000..3a765eb5 --- /dev/null +++ b/connector_lib/src/main/java/at/gv/egiz/eidas/specific/connector/gui/StaticGuiBuilderConfiguration.java @@ -0,0 +1,105 @@ +/******************************************************************************* + *******************************************************************************/ +package at.gv.egiz.eidas.specific.connector.gui; + +import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.InputStream; +import java.net.MalformedURLException; +import java.net.URI; +import java.net.URISyntaxException; +import java.net.URL; +import java.util.HashMap; +import java.util.Map; + +import org.apache.commons.lang.StringEscapeUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.gui.ModifyableGuiBuilderConfiguration; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.impl.gui.AbstractGUIFormBuilderConfiguration; +import at.gv.egiz.eaaf.core.impl.utils.FileUtils; +import at.gv.egiz.eidas.specific.connector.MSeIDASNodeConstants; + +public class StaticGuiBuilderConfiguration extends AbstractGUIFormBuilderConfiguration implements ModifyableGuiBuilderConfiguration { + private static final Logger log = LoggerFactory.getLogger(StaticGuiBuilderConfiguration.class); + + private IRequest pendingReq = null; + private IConfiguration basicConfig = null; + Map<String, Object> params = new HashMap<String, Object>(); + + public StaticGuiBuilderConfiguration(IConfiguration basicConfig, String authURL, String viewName, String formSubmitEndpoint) { + super(authURL, viewName, formSubmitEndpoint); + this.basicConfig = basicConfig; + } + + public StaticGuiBuilderConfiguration(IConfiguration basicConfig, IRequest pendingReq, String viewName, String formSubmitEndpoint) { + super(pendingReq.getAuthURL(), viewName, formSubmitEndpoint); + this.pendingReq = pendingReq; + this.basicConfig = basicConfig; + + } + + @Override + public String getClasspathTemplateDir() { + return MSeIDASNodeConstants.CLASSPATH_TEMPLATE_DIR; + + } + + @Override + public String getDefaultContentType() { + return null; + + } + + @Override + public InputStream getTemplate(String viewName) { + String templateURL = MSeIDASNodeConstants.FILESYSTEM_TEMPLATE_DIR + viewName; + try { + String absURL = FileUtils.makeAbsoluteURL(templateURL, this.basicConfig.getConfigurationRootDirectory()); + if (!absURL.startsWith("file:")) { + log.warn("Path to template looks like NOT absolut: " + absURL + ". Template loading FAILED"); + + } else { + log.debug("Load template URL for view: " + viewName + " from: " + absURL); + URI uri = new URL(absURL).toURI(); + return new FileInputStream(new File(uri)); + + } + + + } catch (MalformedURLException | URISyntaxException | FileNotFoundException e) { + log.info("Can can build filesytem path to template: " + templateURL + + " Reason: " + e.getMessage()); + + } + + return null; + } + + @Override + protected Map<String, Object> getSpecificViewParameters() { + if (pendingReq != null) { + params.put(PARAM_PENDINGREQUESTID, StringEscapeUtils.escapeHtml(pendingReq.getPendingRequestId())); + + } + + return params; + } + + @Override + public void putCustomParameter(String key, String value) { + params.put(key, StringEscapeUtils.escapeHtml(value)); + + } + + @Override + public void putCustomParameterWithOutEscaption(String arg0, Object arg1) { + log.info("Add GUI-Template parameters WITHOUT escaption ARE NOT supported!!!!!"); + + } + +} |