authorThomas <>2022-12-01 08:21:51 +0100
committerThomas <>2022-12-01 08:21:51 +0100
commit709244c42e6dfe339805a1476a70a5690b1ee4dc (patch)
treeaa80c206912e03a3452d61ffbffc694c87d24504 /modules/eidas_proxy-sevice
parent0847c9ecc75ccd5d38d09e96c6d09c8326d6a7e5 (diff)
feat(proxyservice): add configuration flag to disable error forwarding to eIDAS Node
Diffstat (limited to 'modules/eidas_proxy-sevice')
-rw-r--r--modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java4
-rw-r--r--modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java140
-rw-r--r--modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/msproxyservice/test/protocol/EidasProxyServiceControllerTest.java28
3 files changed, 105 insertions, 67 deletions
diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java
index a2a2e78f..418d2799 100644
--- a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java
+++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java
@@ -18,7 +18,9 @@ public class MsProxyServiceConstants {
public static final String CONIG_PROPS_EIDAS_PROXY_NODE_ENTITYID = EidasConstants.CONIG_PROPS_EIDAS_NODE
+ ".proxy.entityId";
public static final String CONIG_PROPS_EIDAS_PROXY_NODE_FORWARD_URL = EidasConstants.CONIG_PROPS_EIDAS_NODE
- + ".proxy.forward.endpoint";
+ + ".proxy.forward.endpoint";
+ public static final String CONIG_PROPS_EIDAS_PROXY_NODE_FORWARD_ERRORS = EidasConstants.CONIG_PROPS_EIDAS_NODE
+ + ".proxy.forward.errors";
public static final String CONIG_PROPS_EIDAS_PROXY_ATTIBUTE_CONFIGURATION =
diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java
index b5f6b6d2..4de28956 100644
--- a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java
+++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java
@@ -45,6 +45,7 @@ import at.gv.egiz.eaaf.core.api.data.EaafConstants;
import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions.SpMandateModes;
import at.gv.egiz.eaaf.core.api.idp.IModulInfo;
import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
import at.gv.egiz.eaaf.core.exceptions.EaafException;
import at.gv.egiz.eaaf.core.exceptions.GuiBuildException;
import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController;
@@ -99,8 +100,7 @@ public class EidasProxyServiceController extends AbstractController implements I
*/
@RequestMapping(value = {
MsProxyServiceConstants.EIDAS_HTTP_ENDPOINT_IDP_POST,
- MsProxyServiceConstants.EIDAS_HTTP_ENDPOINT_IDP_REDIRECT
- },
+ MsProxyServiceConstants.EIDAS_HTTP_ENDPOINT_IDP_REDIRECT },
method = { RequestMethod.POST, RequestMethod.GET })
public void receiveEidasAuthnRequest(HttpServletRequest httpReq, HttpServletResponse httpResp)
throws IOException,
@@ -196,42 +196,9 @@ public class EidasProxyServiceController extends AbstractController implements I
@Override
public boolean generateErrorMessage(Throwable e, HttpServletRequest httpReq, HttpServletResponse httpResp,
IRequest pendingReq) throws Throwable {
- if (pendingReq instanceof ProxyServicePendingRequest) {
- try {
- final ILightRequest eidasReq = ((ProxyServicePendingRequest) pendingReq).getEidasRequest();
-
- // build eIDAS response
- final Builder lightRespBuilder = LightResponse.builder();
- lightRespBuilder.id(UUID.randomUUID().toString());
- lightRespBuilder.inResponseToId(eidasReq.getId());
- lightRespBuilder.relayState(eidasReq.getRelayState());
- lightRespBuilder.issuer(authConfig.getBasicConfiguration(
- MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_NODE_ENTITYID));
- lightRespBuilder.subject(UUID.randomUUID().toString());
- lightRespBuilder.subjectNameIdFormat(NameIDType.TRANSIENT);
- lightRespBuilder.status(ResponseStatus.builder()
- .statusCode(StatusCode.RESPONDER)
- .subStatusCode(EIDASSubStatusCode.AUTHN_FAILED_URI.getValue())
- .statusMessage(StringEscapeUtils.escapeXml(e.getLocalizedMessage()))
- .build());
-
- // forward to eIDAS Proxy-Service
- responseAction.forwardToEidasProxy(pendingReq, httpReq, httpResp, lightRespBuilder.build());
-
- return true;
-
- } catch (ServletException | IOException | GuiBuildException e1) {
- log.warn("Forward error to eIDAS Proxy-Service FAILED. Handle error localy ... ", e1);
-
- }
-
- } else {
- log.error("eIDAS Proxy-Service authentication requires PendingRequest of Type: {}",
- ProxyServicePendingRequest.class.getName());
-
- }
-
- return false;
+ return authConfig.getBasicConfigurationBoolean(
+ MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_NODE_FORWARD_ERRORS, false)
+ && generateAndSendError(e, httpReq, httpResp, pendingReq);
}
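Review bot: The new flag is read with default `false` on line 97, so a deployment that has not yet set `eidas.ms.auth.eIDAS.node_v2.proxy.forward.errors` silently stops forwarding error responses to the eIDAS Node, although the commit title describes a flag to *disable* forwarding, which suggests the previous behaviour should stay the default. If opt-out is intended, the default should be `true`: `MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_NODE_FORWARD_ERRORS, true)`; if opt-in is deliberate, the changed default deserves a comment above the return such as `// Errors are only reported back to the eIDAS Node when explicitly enabled; otherwise the generic local error handler takes over.` With the flag off the short-circuit also skips the old log line about an unexpected pending-request type, which is acceptable only if the local handler reports that case. generateErrorMessage is fully contained in this hunk.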
@@ -272,17 +239,17 @@ public class EidasProxyServiceController extends AbstractController implements I
.distinct()
.collect(Collectors.toSet());
- if (!requiredHandlers.isEmpty()) {
+ if (!requiredHandlers.isEmpty()) {
log.info("eIDAS requested attributes requires #{} specific attribute-hander. "
- + "Starting advanced attribute-validation ... ", requiredHandlers.size());
+ + "Starting advanced attribute-validation ... ", requiredHandlers.size());
for (String el : requiredHandlers) {
executeAdvancedRequestValidation(el, eidasRequest);
-
+
}
-
+
} else {
log.debug("No advanced eIDAS attribute-validation required.");
-
+
}
}
@@ -302,8 +269,8 @@ public class EidasProxyServiceController extends AbstractController implements I
&& EidasProxyServiceUtils.isNaturalPersonRequested(eidasRequest)) {
throw new EidasProxyServiceException(ERROR_08, null);
- }
-
+ }
+
// TODO: validate some other stuff
}
@@ -354,10 +321,10 @@ public class EidasProxyServiceController extends AbstractController implements I
// map eIDAS attributes to national attributes
buildNationalRequestedAttributes(spConfig, eidasRequest);
-
+
// execute custom attribute-handler
advancedAttributeHandler(spConfig, eidasRequest);
-
+
return spConfig;
} catch (final EidasProxyServiceException e) {
@@ -368,7 +335,7 @@ public class EidasProxyServiceController extends AbstractController implements I
}
}
-
+
private void advancedAttributeHandler(ServiceProviderConfiguration spConfig, ILightRequest eidasRequest) {
Set<String> requiredHandlers = eidasRequest.getRequestedAttributes().getAttributeMap().keySet().stream()
.map(el -> attrRegistry.mapEidasAttributeToAttributeHandler(el.getNameUri().toString()).orElse(null))
@@ -376,44 +343,46 @@ public class EidasProxyServiceController extends AbstractController implements I
.distinct()
.collect(Collectors.toSet());
- if (!requiredHandlers.isEmpty()) {
+ if (!requiredHandlers.isEmpty()) {
log.info("eIDAS requested attributes requires #{} specific attribute-hander. "
- + "Starting advanced attribute-handling ... ", requiredHandlers.size());
- requiredHandlers.forEach(el -> executeAttributeHandler(el, spConfig));
-
+ + "Starting advanced attribute-handling ... ", requiredHandlers.size());
+ requiredHandlers.forEach(el -> executeAttributeHandler(el, spConfig));
+
} else {
log.debug("No advanced eIDAS attribute-handling required.");
-
- }
+
+ }
}
private void executeAttributeHandler(String handlerClass, ServiceProviderConfiguration spConfig) {
try {
IEidasAttributeHandler handler = applicationContext.getBean(handlerClass, IEidasAttributeHandler.class);
-
+
log.trace("Perfom SP config post-processing by using: {}", handler.getClass().getName());
handler.performSpConfigPostprocessing(spConfig);
-
+
} catch (Exception e) {
- log.error("No custom attribute-handler implementation for: {}. Operation can NOT be performed", handlerClass, e);
-
- }
+ log.error("No custom attribute-handler implementation for: {}. Operation can NOT be performed",
+ handlerClass, e);
+
+ }
}
- private void executeAdvancedRequestValidation(String handlerClass, ILightRequest eidasRequest)
+ private void executeAdvancedRequestValidation(String handlerClass, ILightRequest eidasRequest)
throws EidasProxyServiceException {
try {
IEidasAttributeHandler handler = applicationContext.getBean(handlerClass, IEidasAttributeHandler.class);
-
+
log.trace("Perfom request-validastion by using: {}", handler.getClass().getName());
handler.validateAuthnRequest(eidasRequest);
-
+
} catch (BeansException e) {
- log.error("No custom attribute-handler implementation for: {}. Operation can NOT be performed", handlerClass, e);
-
- }
+ log.error("No custom attribute-handler implementation for: {}. Operation can NOT be performed",
+ handlerClass, e);
+
+ }
}
-
+
private void buildNationalRequestedAttributes(
ServiceProviderConfiguration spConfig, ILightRequest eidasRequest) {
final boolean mandatesEnabled = !SpMandateModes.NONE.equals(spConfig.getMandateMode());
@@ -552,6 +521,45 @@ public class EidasProxyServiceController extends AbstractController implements I
spConfig.getMandateProfiles(), spConfig.getUniqueIdentifier());
}
+ }
+
+ private boolean generateAndSendError(Throwable e, HttpServletRequest httpReq, HttpServletResponse httpResp,
+ IRequest pendingReq) throws EaafConfigurationException {
+ if (pendingReq instanceof ProxyServicePendingRequest) {
+ try {
+ final ILightRequest eidasReq = ((ProxyServicePendingRequest) pendingReq).getEidasRequest();
+
+ // build eIDAS response
+ final Builder lightRespBuilder = LightResponse.builder();
+ lightRespBuilder.id(UUID.randomUUID().toString());
+ lightRespBuilder.inResponseToId(eidasReq.getId());
+ lightRespBuilder.relayState(eidasReq.getRelayState());
+ lightRespBuilder.issuer(authConfig.getBasicConfiguration(
+ MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_NODE_ENTITYID));
+ lightRespBuilder.subject(UUID.randomUUID().toString());
+ lightRespBuilder.subjectNameIdFormat(NameIDType.TRANSIENT);
+ lightRespBuilder.status(ResponseStatus.builder()
+ .statusCode(StatusCode.RESPONDER)
+ .subStatusCode(EIDASSubStatusCode.AUTHN_FAILED_URI.getValue())
+ .statusMessage(StringEscapeUtils.escapeXml(e.getLocalizedMessage()))
+ .build());
+
+ // forward to eIDAS Proxy-Service
+ responseAction.forwardToEidasProxy(pendingReq, httpReq, httpResp, lightRespBuilder.build());
+
+ return true;
+
+ } catch (ServletException | IOException | GuiBuildException e1) {
+ log.warn("Forward error to eIDAS Proxy-Service FAILED. Handle error localy ... ", e1);
+
+ }
+
+ } else {
+ log.error("eIDAS Proxy-Service authentication requires PendingRequest of Type: {}",
+ ProxyServicePendingRequest.class.getName());
+
+ }
+ return false;
}
}
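Review bot: `generateAndSendError` has no Javadoc, and its boolean contract is not obvious: it returns true only after the LightResponse was handed to `responseAction.forwardToEidasProxy`, and false both when the pending request is not a ProxyServicePendingRequest and when forwarding fails, in which case the caller is expected to fall back to local error handling. A Javadoc with `@return true if the error was forwarded to the eIDAS Node, false if local error handling is required` and `@throws EaafConfigurationException if the Proxy-Service entityId cannot be read from configuration` (presumably raised by `authConfig.getBasicConfiguration`; confirm) would also be the right place to state that `e.getLocalizedMessage()` is embedded in the response statusMessage on line 234 and therefore leaves the system, which is the reason the new configuration flag matters. The moved code is otherwise unchanged from the old generateErrorMessage body.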
diff --git a/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/msproxyservice/test/protocol/EidasProxyServiceControllerTest.java b/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/msproxyservice/test/protocol/EidasProxyServiceControllerTest.java
index 5894ea45..c23f1d53 100644
--- a/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/msproxyservice/test/protocol/EidasProxyServiceControllerTest.java
+++ b/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/msproxyservice/test/protocol/EidasProxyServiceControllerTest.java
@@ -93,6 +93,7 @@ public class EidasProxyServiceControllerTest {
config.putConfigValue("eidas.ms.auth.eIDAS.node_v2.proxy.forward.endpoint",
"http://eidas.proxy/endpoint");
+ config.putConfigValue("eidas.ms.auth.eIDAS.node_v2.proxy.forward.errors", "true");
springManagedSpecificConnectorCommunicationService =
(SpecificCommunicationService) context.getBean(
@@ -155,6 +156,33 @@ public class EidasProxyServiceControllerTest {
}
@Test
+ public void generateErrorResponseWithoutForward() throws Throwable {
+ config.putConfigValue("eidas.ms.auth.eIDAS.node_v2.proxy.forward.errors", "false");
+
+ ProxyServicePendingRequest pendingReq = new ProxyServicePendingRequest();
+ pendingReq.initialize(httpReq, config);
+
+ LightRequest.Builder eidasRequestBuilder = LightRequest.builder()
+ .id(UUID.randomUUID().toString())
+ .issuer(RandomStringUtils.randomAlphabetic(10))
+ .citizenCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase())
+ .levelOfAssurance(EaafConstants.EIDAS_LOA_HIGH)
+ .spCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase())
+ .spType("public")
+ .requesterId(RandomStringUtils.randomAlphanumeric(10))
+ .providerName(RandomStringUtils.randomAlphanumeric(10));
+ pendingReq.setEidasRequest(eidasRequestBuilder.build());
+
+
+ // execute test
+ Assert.assertFalse("wrong statusCode", controller.generateErrorMessage(
+ new EaafException("1000"),
+ httpReq, httpResp,
+ pendingReq));
+
+ }
+
+ @Test
public void missingEidasToken() {
EidasProxyServiceException exception = assertThrows(EidasProxyServiceException.class,
() -> controller.receiveEidasAuthnRequest(httpReq, httpResp));
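Review bot: The assertion message `"wrong statusCode"` on line 287 does not describe what is checked; the test asserts the boolean result of generateErrorMessage, so `"error must not be forwarded when forward.errors is false"` would read better in a failure report. Line 269 also overwrites the `forward.errors` value that the setup on line 262 sets to "true"; if `config` is a shared instance rather than rebuilt per test, later tests that rely on forwarding become order-dependent, so resetting the value at the end of the test or in a per-test setup would be safer. The enclosing test class continues beyond the hunk.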