compare eiddata with mobile phone signature data

3 files changed, 164 insertions, 11 deletions

diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleMobileSignatureData.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleMobileSignatureData.java
new file mode 100644
index 00000000..254b8c70
--- /dev/null
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleMobileSignatureData.java
@@ -0,0 +1,66 @@
+/*
+ * Copyright 2020 A-SIT Plus GmbH
+ * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ,
+ * A-SIT Plus GmbH, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "License");
+ * You may not use this work except in compliance with the License.
+ * You may obtain a copy of the License at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+package at.asitplus.eidas.specific.modules.auth.eidas.v2.dao;
+
+import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.WorkflowException;
+import at.gv.e_government.reference.namespace.persondata._20020228.PostalAddressType;
+import lombok.Data;
+
+@Data
+public class SimpleMobileSignatureData {
+
+  private String citizenCountryCode;
+
+  private String bpk;
+  private String givenName;
+  private String familyName;
+  private String dateOfBirth;
+
+
+  public boolean equalsSimpleEidasData(SimpleEidasData result) {
+    if (!result.getGivenName().equals(givenName)) {
+      return false;
+    }
+    if (!result.getFamilyName().equals(familyName)) {
+      return false;
+    }
+    if (!result.getDateOfBirth().equals(dateOfBirth)) {
+      return false;
+    }
+    return true;
+  }
+
+  private boolean equals(String a, String b) {
+    if (a == null && b == null) {
+      return true;
+    }
+    if (a == null) {
+      return false;
+    }
+    if (b == null) {
+      return false;
+    }
+    return a.equals(b);
+  }
+}
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask.java
index d919d229..101e7c29 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask.java
@@ -27,7 +27,9 @@ import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.MergedRegisterSearchResult;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.RegisterResult;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData;
+import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleMobileSignatureData;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.ernp.IErnpClient;
+import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.InvalidUserInputException;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.ManualFixNecessaryException;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.EidasAuthEventConstants;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants;
@@ -35,6 +37,7 @@ import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustri
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthMetadataProvider;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.Utils;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.zmr.IZmrClient;
+import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions;
 import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions;
 import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
 import at.gv.egiz.eaaf.core.exceptions.EaafBuilderException;
@@ -188,12 +191,16 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends
 
         }
 
-
         // initialize Attribute extractor
         final AssertionAttributeExtractor extractor =
             new AssertionAttributeExtractor(processedMsg.getFirst().getResponse());
 
-        String bpkzp = getAuthDataFromInterfederation(extractor, authProcessData);
+        SimpleMobileSignatureData simpleMobileSignatureData = getAuthDataFromInterfederation(extractor, authProcessData);
+        if(!simpleMobileSignatureData.equalsSimpleEidasData(eidData)) {
+          //User cheated?
+          throw new InvalidUserInputException();//TODO
+        }
+        String bpkzp = simpleMobileSignatureData.getBpk();
 
         MergedRegisterSearchResult result = searchInZmrAndErnp(bpkzp);
         if (result.getResultCount() == 0) {
@@ -307,11 +314,12 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends
     return null;
   }
 
-  private String getAuthDataFromInterfederation(AssertionAttributeExtractor extractor,
-                                                AuthProcessDataWrapper authProcessData)
+  private SimpleMobileSignatureData getAuthDataFromInterfederation(AssertionAttributeExtractor extractor,
+                                                                   AuthProcessDataWrapper authProcessData)
       throws EaafBuilderException {
 
     List<String> requiredAttributes = IdAustriaClientAuthConstants.DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES;
+    SimpleMobileSignatureData simpleMobileSignatureData = new SimpleMobileSignatureData();
     String bpk = null;
     try {
       // check if all attributes are include
@@ -328,13 +336,20 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends
         map.put(attrName, extractor.getSingleAttributeValue(attrName));
 
         if (PvpAttributeDefinitions.BPK_NAME.equals(attrName)) {
-          bpk = extractor.getSingleAttributeValue(attrName);
+          simpleMobileSignatureData.setBpk(extractor.getSingleAttributeValue(attrName));
+        }
+        if (PvpAttributeDefinitions.GIVEN_NAME_NAME.equals(attrName)) {
+          simpleMobileSignatureData.setGivenName(extractor.getSingleAttributeValue(attrName));
+        }
+        if (PvpAttributeDefinitions.PRINCIPAL_NAME_NAME.equals(attrName)) {
+          simpleMobileSignatureData.setFamilyName(extractor.getSingleAttributeValue(attrName));
+        }
+        if (PvpAttributeDefinitions.BIRTHDATE_NAME.equals(attrName)) {
+          simpleMobileSignatureData.setDateOfBirth(extractor.getSingleAttributeValue(attrName));
         }
         if (PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME.equals(attrName)) {
           authProcessData.setQaaLevel(extractor.getSingleAttributeValue(attrName));
         }
-        //injectAuthInfosIntoSession(session, attrName,
-        //    extractor.getSingleAttributeValue(attrName));
 
       }
 
@@ -370,7 +385,7 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends
       throw new EaafBuilderException(ERROR_PVP_06, null, e.getMessage(), e);
 
     }
-    return bpk;
+    return simpleMobileSignatureData;
   }
 
   //  private void injectAuthInfosIntoSession(AhAuthProcessDataWrapper session, String attrName, String attrValue)
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest.java
index 2e3da7bc..fbf011b1 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest.java
@@ -6,6 +6,10 @@ import java.util.Base64;
 
 import javax.xml.transform.TransformerException;
 
+import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants;
+import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.MergedRegisterSearchResult;
+import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData;
+import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.InvalidUserInputException;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthCredentialProvider;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthMetadataProvider;
@@ -13,6 +17,7 @@ import at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.ReceiveMobilePhone
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.test.dummy.DummyAuthConfigMap;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.test.dummy.DummyOA;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.test.dummy.DummyPendingRequest;
+import at.gv.egiz.eaaf.core.exceptions.EaafStorageException;
 import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.RandomStringUtils;
@@ -520,7 +525,7 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest {
   @Test
   public void httpPostValidSignedAssertionEidValid() throws IOException, SamlSigningException,
       Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException,
-      MarshallingException, TransformerException, TaskExecutionException {
+      MarshallingException, TransformerException, TaskExecutionException, EaafStorageException {
 
     oaParam.putGenericConfigurationKey(
         IdAustriaClientAuthConstants.CONFIG_PROPS_APPSPECIFIC_EIDAS_NODE_URL, METADATA_PATH);
@@ -536,6 +541,14 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest {
     httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString(
         DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes("UTF-8")));
 
+    //put SimpleEidasData in session
+    final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class);
+    SimpleEidasData eidData = new SimpleEidasData();
+    eidData.setFamilyName("Mustermann");
+    eidData.setGivenName("Max");
+    eidData.setDateOfBirth("1940-01-01");
+    authProcessData.setGenericDataToSession(Constants.DATA_SIMPLE_EIDAS, eidData);
+
     //perform task
     task.execute(pendingReq, executionContext);
 
@@ -580,9 +593,52 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest {
   }
 
   @Test
+  public void httpPostValidSignedAssertionEidValidButNameMissmatch() throws IOException, SamlSigningException,
+      Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException,
+      MarshallingException, TransformerException, TaskExecutionException, EaafStorageException {
+
+    oaParam.putGenericConfigurationKey(
+        IdAustriaClientAuthConstants.CONFIG_PROPS_APPSPECIFIC_EIDAS_NODE_URL, METADATA_PATH);
+
+    metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider(
+        METADATA_PATH, null, "jUnit IDP", null));
+
+    final Response response = initializeResponse(
+        "classpath:/data/idp_metadata_classpath_entity.xml",
+        "/data/Response_with_EID.xml",
+        credentialProvider.getMessageSigningCredential(),
+        true);
+    httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString(
+        DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes("UTF-8")));
+
+    //put SimpleEidasData in session
+    final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class);
+    SimpleEidasData eidData = new SimpleEidasData();
+    eidData.setFamilyName("Mustermann1");
+    eidData.setGivenName("Max");
+    eidData.setDateOfBirth("1940-01-01");
+    authProcessData.setGenericDataToSession(Constants.DATA_SIMPLE_EIDAS, eidData);
+
+    //perform task
+    try {
+      task.execute(pendingReq, executionContext);
+      Assert.fail("Invalid response not detected");
+
+    } catch (final TaskExecutionException e) {
+      Assert.assertNotNull(e.getPendingRequestID());
+      Assert.assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID());
+      Assert.assertNotNull(e.getOriginalException());
+      org.springframework.util.Assert.isInstanceOf(AuthnResponseValidationException.class,
+          e.getOriginalException());
+      Assert.assertTrue(e.getOriginalException().getCause() instanceof InvalidUserInputException);
+      }
+
+  }
+
+  @Test
   public void httpPostValidSignedAssertionLegacyValid() throws IOException, SamlSigningException,
       Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException,
-      MarshallingException, TransformerException, TaskExecutionException {
+      MarshallingException, TransformerException, TaskExecutionException, EaafStorageException {
 //    authConfig.putConfigValue(AuthHandlerConstants.PROP_CONFIG_LEGACY_ALLOW, "true");
     oaParam.putGenericConfigurationKey(
         IdAustriaClientAuthConstants.CONFIG_PROPS_APPSPECIFIC_EIDAS_NODE_URL, METADATA_PATH);
@@ -590,6 +646,14 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest {
     metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider(
         METADATA_PATH, null, "jUnit IDP", null));
 
+    //put SimpleEidasData in session
+    final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class);
+    SimpleEidasData eidData = new SimpleEidasData();
+    eidData.setFamilyName("Mustermann");
+    eidData.setGivenName("Max");
+    eidData.setDateOfBirth("1940-01-01");
+    authProcessData.setGenericDataToSession(Constants.DATA_SIMPLE_EIDAS, eidData);
+
     final Response response = initializeResponse(
         "classpath:/data/idp_metadata_classpath_entity.xml",
         "/data/Response_with_legacy.xml",
@@ -647,7 +711,7 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest {
   @Test
   public void httpPostValidSignedAssertionWithLegacyAndEid() throws IOException, SamlSigningException,
       Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException,
-      MarshallingException, TransformerException, TaskExecutionException {
+      MarshallingException, TransformerException, TaskExecutionException, EaafStorageException {
 
     oaParam.putGenericConfigurationKey(
         IdAustriaClientAuthConstants.CONFIG_PROPS_APPSPECIFIC_EIDAS_NODE_URL, METADATA_PATH);
@@ -655,6 +719,14 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest {
     metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider(
         METADATA_PATH, null, "jUnit IDP", null));
 
+    //put SimpleEidasData in session
+    final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class);
+    SimpleEidasData eidData = new SimpleEidasData();
+    eidData.setFamilyName("Mustermann");
+    eidData.setGivenName("Max");
+    eidData.setDateOfBirth("1940-01-01");
+    authProcessData.setGenericDataToSession(Constants.DATA_SIMPLE_EIDAS, eidData);
+
     final Response response = initializeResponse(
         "classpath:/data/idp_metadata_classpath_entity.xml",
         "/data/Response_with_legacy_and_EID.xml",