aboutsummaryrefslogtreecommitdiff
path: root/modules/eidas_proxy-sevice/src/main/java/at/asitplus
diff options
context:
space:
mode:
authorThomas <>2022-10-11 19:16:17 +0200
committerThomas <>2022-10-11 19:16:17 +0200
commit7571d90b2910740424988d0e7e5473dbd2d33cfa (patch)
tree0ec3dff2328b66831283d53448b3d5425038b2fb /modules/eidas_proxy-sevice/src/main/java/at/asitplus
parentf3f0927a1226b32d1c43a116e3421ded9c181323 (diff)
downloadNational_eIDAS_Gateway-7571d90b2910740424988d0e7e5473dbd2d33cfa.tar.gz
National_eIDAS_Gateway-7571d90b2910740424988d0e7e5473dbd2d33cfa.tar.bz2
National_eIDAS_Gateway-7571d90b2910740424988d0e7e5473dbd2d33cfa.zip
feat(ejustice): add validation to disallow eJusticeRole for legal and natural person in one single request
Diffstat (limited to 'modules/eidas_proxy-sevice/src/main/java/at/asitplus')
-rw-r--r--modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticePersonRoleHandler.java21
-rw-r--r--modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/IEidasAttributeHandler.java26
-rw-r--r--modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java39
3 files changed, 83 insertions, 3 deletions
diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticePersonRoleHandler.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticePersonRoleHandler.java
index f8c14ceb..46dd714d 100644
--- a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticePersonRoleHandler.java
+++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticePersonRoleHandler.java
@@ -11,12 +11,14 @@ import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import at.asitplus.eidas.specific.core.config.ServiceProviderConfiguration;
+import at.asitplus.eidas.specific.modules.msproxyservice.exception.EidasProxyServiceException;
import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions.SpMandateModes;
import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions;
import at.gv.egiz.eaaf.core.api.idp.IEidAuthData;
import at.gv.egiz.eaaf.core.api.idp.IExtendedConfiguration;
import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils;
+import eu.eidas.auth.commons.light.ILightRequest;
import lombok.NonNull;
import lombok.extern.slf4j.Slf4j;
@@ -31,6 +33,11 @@ import lombok.extern.slf4j.Slf4j;
@Slf4j
public class EJusticePersonRoleHandler implements IEidasAttributeHandler {
+ public static final String EIDAS_ATTR_EJUSTIC_NAT =
+ "http://e-justice.europa.eu/attributes/naturalperson/eJusticeNaturalPersonRole";
+ public static final String EIDAS_ATTR_EJUSTIC_JUR =
+ "http://e-justice.europa.eu/attributes/legalperson/eJusticeLegalPersonRole";
+
public static final String CONFIG_PROP_IDA_MANDATE_PROFILE = "advanced.attributes.ejusticerole.mandate.profiles";
public static final String CONFIG_PROP_IDA_MANDATE_MODE = "advanced.attributes.ejusticerole.mandate.mode";
public static final String CONFIG_PROP_IDA_ADDITIONAL_ATTRIBUTES =
@@ -140,5 +147,19 @@ public class EJusticePersonRoleHandler implements IEidasAttributeHandler {
return value;
}
+
+ @Override
+ public final void validateAuthnRequest(ILightRequest eidasRequest) throws EidasProxyServiceException {
+ boolean isNatReq =
+ eidasRequest.getRequestedAttributes().getAttributeValuesByNameUri(EIDAS_ATTR_EJUSTIC_NAT) != null;
+ boolean isJurReq =
+ eidasRequest.getRequestedAttributes().getAttributeValuesByNameUri(EIDAS_ATTR_EJUSTIC_JUR) != null;
+
+ if (isNatReq && isJurReq) {
+ log.warn("eJustice attributes for legal and natural person can NOT be requested at the same time.");
+ throw new EidasProxyServiceException("eidas.proxyservice.ejustice.01", null);
+
+ }
+ }
}
diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/IEidasAttributeHandler.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/IEidasAttributeHandler.java
index 36deba30..15650e29 100644
--- a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/IEidasAttributeHandler.java
+++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/IEidasAttributeHandler.java
@@ -3,12 +3,19 @@ package at.asitplus.eidas.specific.modules.msproxyservice.handler;
import javax.annotation.Nullable;
import at.asitplus.eidas.specific.core.config.ServiceProviderConfiguration;
+import at.asitplus.eidas.specific.modules.msproxyservice.exception.EidasProxyServiceException;
import at.gv.egiz.eaaf.core.api.idp.IEidAuthData;
+import eu.eidas.auth.commons.light.ILightRequest;
import lombok.NonNull;
/**
* Handlers for attribute-processing that requires more features than a simple mapping.
*
+ * <p><b>Important:</b> That interface provides attribute-specific extension- and modification hooks for
+ * post-processing of service configuration and authentication data. If more than one attribute-specific implementation
+ * operates on the same process, concurrency issues are possible because any implementation of that interface are
+ * executed independent from each other.</p>
+ *
* @author tlenz
*
*/
@@ -17,6 +24,10 @@ public interface IEidasAttributeHandler {
/**
* Perform attribute-releated post-processing of internal Service-Provider configuration.
*
+ * <p><b>Important:</b> Modifications done by that method are independent from any other implementation of
+ * the same interface and there is no specific order if more than one handler are selected. <br>
+ * Therefore, concurrency issues has to be noticed!</p>
+ *
* @param spConfig SP configuration that was build from incoming eIDAS Authn. request.
*/
void performSpConfigPostprocessing(@NonNull ServiceProviderConfiguration spConfig);
@@ -25,12 +36,18 @@ public interface IEidasAttributeHandler {
/**
* Perform attribute-specific post-processing of authentication information.
*
+ * <p><b>Important:</b> Modifications done by that method are independent from any other implementation of
+ * the same interface and there is no specific order if more than one handler are selected. <br>
+ * Therefore, concurrency issues has to be noticed!</p>
+ *
* @param authData authentication information from ID Austria system that should be post processed.
*/
@NonNull
void performAuthDataPostprocessing(@NonNull IEidAuthData authData);
+
+
/**
* Build eIDAS attribute-value from authentication data.
*
@@ -40,6 +57,15 @@ public interface IEidasAttributeHandler {
@Nullable
String buildAttributeValue(@NonNull IEidAuthData eidAuthData);
+
+ /**
+ * Extended validation of incoming eIDAS AuthnRequest.
+ *
+ * @param eidasRequest Incoming eIDAS authentication request
+ * @throws EidasProxyServiceException In case of a validation error
+ */
+ void validateAuthnRequest(ILightRequest eidasRequest) throws EidasProxyServiceException;
+
}
diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java
index d0e3d1ba..b5f6b6d2 100644
--- a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java
+++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java
@@ -21,6 +21,7 @@ import org.apache.commons.lang.StringEscapeUtils;
import org.apache.commons.lang3.StringUtils;
import org.opensaml.saml.saml2.core.NameIDType;
import org.opensaml.saml.saml2.core.StatusCode;
+import org.springframework.beans.BeansException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
@@ -264,7 +265,25 @@ public class EidasProxyServiceController extends AbstractController implements I
}
- // TODO: validate some other stuff
+ // perform advanced request validation
+ Set<String> requiredHandlers = eidasRequest.getRequestedAttributes().getAttributeMap().keySet().stream()
+ .map(el -> attrRegistry.mapEidasAttributeToAttributeHandler(el.getNameUri().toString()).orElse(null))
+ .filter(Objects::nonNull)
+ .distinct()
+ .collect(Collectors.toSet());
+
+ if (!requiredHandlers.isEmpty()) {
+ log.info("eIDAS requested attributes requires #{} specific attribute-hander. "
+ + "Starting advanced attribute-validation ... ", requiredHandlers.size());
+ for (String el : requiredHandlers) {
+ executeAdvancedRequestValidation(el, eidasRequest);
+
+ }
+
+ } else {
+ log.debug("No advanced eIDAS attribute-validation required.");
+
+ }
}
@@ -283,8 +302,8 @@ public class EidasProxyServiceController extends AbstractController implements I
&& EidasProxyServiceUtils.isNaturalPersonRequested(eidasRequest)) {
throw new EidasProxyServiceException(ERROR_08, null);
- }
-
+ }
+
// TODO: validate some other stuff
}
@@ -381,6 +400,20 @@ public class EidasProxyServiceController extends AbstractController implements I
}
}
+ private void executeAdvancedRequestValidation(String handlerClass, ILightRequest eidasRequest)
+ throws EidasProxyServiceException {
+ try {
+ IEidasAttributeHandler handler = applicationContext.getBean(handlerClass, IEidasAttributeHandler.class);
+
+ log.trace("Perfom request-validastion by using: {}", handler.getClass().getName());
+ handler.validateAuthnRequest(eidasRequest);
+
+ } catch (BeansException e) {
+ log.error("No custom attribute-handler implementation for: {}. Operation can NOT be performed", handlerClass, e);
+
+ }
+ }
+
private void buildNationalRequestedAttributes(
ServiceProviderConfiguration spConfig, ILightRequest eidasRequest) {
final boolean mandatesEnabled = !SpMandateModes.NONE.equals(spConfig.getMandateMode());