diff options
Diffstat (limited to 'eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks')
13 files changed, 2049 insertions, 470 deletions
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java new file mode 100644 index 00000000..4705c56b --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java @@ -0,0 +1,186 @@ +/* + * Copyright 2020 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.MatchedPersonResult; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPostProcessingException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasAttributeException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.WorkflowException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.ICcSpecificEidProcessingService; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.RegisterSearchService; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.RegisterSearchService.RegisterOperationStatus; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.RegisterSearchService.RegisterStatusResults; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.MatchingTaskUtils; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.EaafStorageException; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import eu.eidas.auth.commons.light.ILightResponse; +import lombok.extern.slf4j.Slf4j; +import org.jetbrains.annotations.NotNull; +import org.springframework.stereotype.Component; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.util.Map; +import java.util.Objects; + +import static at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants.TRANSITION_TO_GENERATE_OTHER_LOGIN_METHOD_GUI_TASK; + +/** + * Searches registers (ERnP and ZMR) after alternative eIDAS authn, before adding person to SZR. + * Input: + * <ul> + * <li>{@link Constants#DATA_FULL_EIDAS_RESPONSE_ALTERNATIVE} data from the alternative eIDAS authn</li> + * <li>{@link Constants#DATA_SIMPLE_EIDAS} data from the initial eIDAS authn</li> + * </ul> + * Output: + * <ul> + * <li>{@link Constants#DATA_PERSON_MATCH_RESULT} results after second search in registers with MDS</li> + * <li>{@link Constants#DATA_RESULT_MATCHING_BPK} if one register result found</li> + * </ul> + * Transitions: + * <ul> + * <li>{@link GenerateOtherLoginMethodGuiTask} if no results in registers were found for this user</li> + * <li>{@link CreateIdentityLinkTask} if search in register returned one match, user is uniquely identified</li> + * </ul> + * + * @author amarsalek + * @author ckollmann + * @author tlenz + */ +@Slf4j +@Component("AlternativeSearchTask") +@SuppressWarnings("PMD.TooManyStaticImports") +public class AlternativeSearchTask extends AbstractAuthServletTask { + + private final RegisterSearchService registerSearchService; + private final ICcSpecificEidProcessingService eidPostProcessor; + + /** + * Constructor. + * + * @param registerSearchService Service for register search access + * @param eidPostProcessor Country-Specific post processing of attributes + */ + public AlternativeSearchTask(RegisterSearchService registerSearchService, + ICcSpecificEidProcessingService eidPostProcessor) { + this.registerSearchService = registerSearchService; + this.eidPostProcessor = eidPostProcessor; + } + + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + try { + final SimpleEidasData altEidasData = convertEidasAttrToSimpleData(); + final SimpleEidasData initialEidasData = MatchingTaskUtils.getInitialEidasData(pendingReq); + verifyAlternativeEidasData(altEidasData, initialEidasData); + step11RegisterSearchWithPersonIdentifier(executionContext, altEidasData, initialEidasData); + } catch (WorkflowException e) { + throw new TaskExecutionException(pendingReq, "Initial search failed", e); + } catch (final Exception e) { + log.error("Initial search failed", e); + throw new TaskExecutionException(pendingReq, "Initial search failed with a generic error", e); + } + } + + private void verifyAlternativeEidasData(SimpleEidasData altEidasData, SimpleEidasData initialEidasData) + throws WorkflowException { + if (initialEidasData == null) { + throw new WorkflowException("step11", "No initial eIDAS authn data"); + } + if (!Objects.equals(altEidasData.getCitizenCountryCode(), initialEidasData.getCitizenCountryCode())) { + throw new WorkflowException("step11", "Country Code of alternative eIDAS authn not matching", true); + } + if (!altEidasData.equalsMds(initialEidasData)) { + throw new WorkflowException("step11", "MDS of alternative eIDAS authn does not match initial authn", true); + } + } + + private void step11RegisterSearchWithPersonIdentifier( + ExecutionContext executionContext, SimpleEidasData initialEidasData, SimpleEidasData altEidasData) + throws WorkflowException, EaafStorageException { + try { + log.trace("Starting step11RegisterSearchWithPersonIdentifier"); + RegisterStatusResults searchResult = registerSearchService.searchWithPersonIdentifier(altEidasData); + int resultCount = searchResult.getResultCount(); + if (resultCount == 0) { + step12CountrySpecificSearch(executionContext, searchResult.getOperationStatus(), initialEidasData, + altEidasData); + } else if (resultCount == 1) { + foundMatchFinalizeTask(searchResult, altEidasData); + } else { + throw new WorkflowException("step11RegisterSearchWithPersonIdentifier", + "More than one entry with unique personal-identifier", true); + } + } catch (WorkflowException e) { + //TODO: what we do in case of a workflow error and manual matching are necessary?? + log.warn("Workflow error during matching step: {}. Reason: {}", e.getProcessStepName(), e.getErrorReason()); + throw e; + } + } + + private void step12CountrySpecificSearch(ExecutionContext executionContext, + RegisterOperationStatus registerOperationStatus, + SimpleEidasData initialEidasData, + SimpleEidasData altEidasData) + throws EaafStorageException, WorkflowException { + log.trace("Starting 'step12CountrySpecificSearch' ... "); + RegisterStatusResults searchResult = registerSearchService.searchWithCountrySpecifics( + registerOperationStatus, altEidasData); + if (searchResult.getResultCount() == 0) { + log.trace("'step12CountrySpecificSearch' ends with no result. Forward to GUI based matching step ... "); + log.debug("Forward to GUI based matching steps ... "); + executionContext.put(TRANSITION_TO_GENERATE_OTHER_LOGIN_METHOD_GUI_TASK, true); + } else if (searchResult.getResultCount() == 1) { + log.trace("'step12CountrySpecificSearch' finds a person. Forward to 'step7aKittProcess' step ... "); + registerSearchService.step7bKittProcess(searchResult, initialEidasData, altEidasData); + foundMatchFinalizeTask(searchResult, altEidasData); + } else { + throw new WorkflowException("step12CountrySpecificSearch", + "More than one entry with unique country-specific information", true); + } + } + + private void foundMatchFinalizeTask(RegisterStatusResults searchResult, SimpleEidasData eidasData) + throws WorkflowException, EaafStorageException { + MatchedPersonResult result = MatchedPersonResult.generateFormMatchingResult( + searchResult.getResult(), eidasData.getCitizenCountryCode()); + MatchingTaskUtils.storeFinalMatchingResult(pendingReq, result); + } + + @NotNull + private SimpleEidasData convertEidasAttrToSimpleData() + throws EidasAttributeException, EidPostProcessingException { + final ILightResponse eidasResponse = MatchingTaskUtils.getAuthProcessDataWrapper(pendingReq) + .getGenericDataFromSession(Constants.DATA_FULL_EIDAS_RESPONSE_ALTERNATIVE, ILightResponse.class); + Map<String, Object> simpleMap = MatchingTaskUtils.convertEidasAttrToSimpleMap( + eidasResponse.getAttributes().getAttributeMap(), log); + return eidPostProcessor.postProcess(simpleMap); + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java index f4849b07..35717ae0 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java @@ -25,44 +25,39 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; import java.io.IOException; import java.io.InputStream; -import java.util.HashMap; import java.util.List; -import java.util.Map; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.xml.parsers.ParserConfigurationException; -import org.apache.commons.lang3.StringUtils; -import org.joda.time.DateTime; +import org.jetbrains.annotations.Nullable; +import org.jose4j.lang.JoseException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; import org.w3c.dom.Element; import org.w3c.dom.Node; import org.xml.sax.SAXException; -import com.google.common.collect.ImmutableMap; -import com.google.common.collect.ImmutableSet; +import com.fasterxml.jackson.core.JsonProcessingException; import at.asitplus.eidas.specific.connector.MsConnectorEventCodes; import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.ErnbEidData; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.clients.szr.SzrClient; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.MatchedPersonResult; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasAttributeException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.SzrCommunicationException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.AuthBlockSigningService; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.ICcSpecificEidProcessingService; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.szr.SzrClient; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.EidasResponseUtils; -import at.gv.e_government.reference.namespace.persondata._20020228.AlternativeNameType; -import at.gv.e_government.reference.namespace.persondata._20020228.PersonNameType; -import at.gv.e_government.reference.namespace.persondata._20020228.PhysicalPersonType; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.MatchingTaskUtils; import at.gv.egiz.eaaf.core.api.data.EaafConstants; import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.exceptions.EaafStorageException; import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; import at.gv.egiz.eaaf.core.impl.builder.BpkBuilder; import at.gv.egiz.eaaf.core.impl.data.Pair; @@ -71,37 +66,45 @@ import at.gv.egiz.eaaf.core.impl.idp.auth.data.SimpleIdentityLinkAssertionParser import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; import at.gv.egiz.eaaf.core.impl.utils.DomUtils; import at.gv.egiz.eaaf.core.impl.utils.XPathUtils; -import eu.eidas.auth.commons.attribute.AttributeDefinition; -import eu.eidas.auth.commons.attribute.AttributeValue; -import eu.eidas.auth.commons.light.ILightResponse; -import eu.eidas.auth.commons.protocol.eidas.impl.PostalAddress; import lombok.Data; import lombok.extern.slf4j.Slf4j; import szrservices.IdentityLinkType; -import szrservices.PersonInfoType; -import szrservices.TravelDocumentType; /** - * Task that creates the IdentityLink for an eIDAS authenticated person. - * + * Task that creates the IdentityLink for an eIDAS authenticated person. + * Input: + * <ul> + * <li>{@link Constants#DATA_SIMPLE_EIDAS} initial login data from user</li> + * <li>{@link Constants#DATA_RESULT_MATCHING_BPK} the BPK of the matched entry in a register</li> + * </ul> + * Output: + * <ul> + * <li>{@link Constants#EIDAS_BIND} the binding block</li> + * <li>{@link Constants#SZR_AUTHBLOCK} the auth block</li> + * </ul> + * Transitions: + * <ul> + * <li>{@link at.gv.egiz.eaaf.core.impl.idp.controller.tasks.FinalizeAuthenticationTask}</li> + * </ul> + * TODO Take Constants#DATA_SIMPLE_EIDAS and Constants#DATA_RESULT_MATCHING_BPK + * TODO Only do VSZ Erstellung and eidasBind -- this is always the end of the whole process + * TODO Move Eintragung to separate Task, as it does not happen every time * @author tlenz */ @Slf4j @Component("CreateIdentityLinkTask") public class CreateIdentityLinkTask extends AbstractAuthServletTask { + @SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection") @Autowired private IConfiguration basicConfig; @Autowired private SzrClient szrClient; @Autowired - private ICcSpecificEidProcessingService eidPostProcessor; - - @Autowired private AuthBlockSigningService authBlockSigner; private static final String EID_STATUS = "urn:eidgvat:eid.status.eidas"; - + /* * (non-Javadoc) * @@ -113,348 +116,269 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { @Override public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) throws TaskExecutionException { - try { - final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); - final ILightResponse eidasResponse = authProcessData - .getGenericDataFromSession(Constants.DATA_FULL_EIDAS_RESPONSE, ILightResponse.class); - - final Map<String, Object> simpleAttrMap = convertEidasAttrToSimpleMap( - eidasResponse.getAttributes().getAttributeMap()); - - // post-process eIDAS attributes - final ErnbEidData eidData = eidPostProcessor.postProcess(simpleAttrMap); - - // write MDS into technical log and revision log + try { + + /*TODO: needs more re-factoring if we finalize CreateNewErnpEntryTask and we know how add entries into ERnP + * Maybe, we can fully replace eidData by matchedPersonData, + * because matchedPersonData holds the result after a successful matching process. + * + * Currently, we only add a work-around to operate without new ERnP implementation. + */ + final SimpleEidasData eidData = MatchingTaskUtils.getInitialEidasData(pendingReq); + MatchedPersonResult matchedPersonData = MatchingTaskUtils.getFinalMatchingResult(pendingReq); + writeMdsLogInformation(eidData); - //build IdentityLink or VSZ and eidasBind if (basicConfig.getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USEDUMMY, false)) { - SzrResultHolder idlResult = createDummyIdentityLinkForTestDeployment(eidData); - //inject personal-data into session - authProcessData.setIdentityLink(idlResult.getIdentityLink()); + buildDummyIdentityLink(eidData); - // set bPK and bPKType into auth session - authProcessData.setGenericDataToSession(PvpAttributeDefinitions.BPK_NAME, extendBpkByPrefix( - idlResult.getBpK(), pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier())); - authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME, - pendingReq.getServiceProviderConfiguration() - .getAreaSpecificTargetIdentifier()); - } else { - //build SZR request from eIDAS data - final PersonInfoType personInfo = generateSzrRequest(eidData); - //request SZR based on IDL or E-ID mode if (pendingReq.getServiceProviderConfiguration() .isConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE, false)) { - - // get encrypted baseId - String vsz = szrClient.getEncryptedStammzahl(personInfo); - - //write revision-Log entry and extended infos personal-identifier mapping - revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_VSZ_RECEIVED); - writeExtendedRevisionLogEntry(simpleAttrMap, eidData); - - - // get eIDAS bind - String signedEidasBind = szrClient.getEidsaBind(vsz, - authBlockSigner.getBase64EncodedPublicKey(), - EID_STATUS, eidData); - revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_EIDASBIND_RECEIVED); - authProcessData.setGenericDataToSession(Constants.EIDAS_BIND, signedEidasBind); - - //get signed AuthBlock - String jwsSignature = authBlockSigner.buildSignedAuthBlock(pendingReq); - revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.TECH_AUCHBLOCK_CREATED); - authProcessData.setGenericDataToSession(Constants.SZR_AUTHBLOCK, jwsSignature); + executeEidMode(eidData, matchedPersonData); - //inject personal-data into session - authProcessData.setEidProcess(true); - } else { - //request SZR - SzrResultHolder idlResult = requestSzrForIdentityLink(personInfo); + executeIdlMode(eidData, matchedPersonData); - //write revision-Log entry for personal-identifier mapping - writeExtendedRevisionLogEntry(simpleAttrMap, eidData); - - //check result-data and write revision-log based on current state - checkStateAndWriteRevisionLog(idlResult); - - //inject personal-data into session - authProcessData.setIdentityLink(idlResult.getIdentityLink()); - authProcessData.setEidProcess(false); - - // set bPK and bPKType into auth session - authProcessData.setGenericDataToSession(PvpAttributeDefinitions.BPK_NAME, extendBpkByPrefix( - idlResult.getBpK(), pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier())); - authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME, - pendingReq.getServiceProviderConfiguration() - .getAreaSpecificTargetIdentifier()); - - } + } } - //add generic info's into session - authProcessData.setForeigner(true); - authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, EidasResponseUtils - .parseEidasPersonalIdentifier((String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER)) - .getFirst()); - authProcessData.setQaaLevel(eidasResponse.getLevelOfAssurance()); - - // store pending-request + storeGenericInfoToSession(eidData); requestStoreage.storePendingRequest(pendingReq); - } catch (final EidasAttributeException e) { throw new TaskExecutionException(pendingReq, "Minimum required eIDAS attributeset not found.", e); - + } catch (final EaafException e) { throw new TaskExecutionException(pendingReq, "IdentityLink generation for foreign person FAILED.", e); - + } catch (final Exception e) { log.error("IdentityLink generation for foreign person FAILED.", e); throw new TaskExecutionException(pendingReq, "IdentityLink generation for foreign person FAILED.", e); + + } + } + + private void storeGenericInfoToSession(SimpleEidasData eidData) throws EaafStorageException { + AuthProcessDataWrapper authProcessData = MatchingTaskUtils.getAuthProcessDataWrapper(pendingReq); + authProcessData.setForeigner(true); + authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, + eidData.getCitizenCountryCode()); + } + + private void executeIdlMode(SimpleEidasData eidData, MatchedPersonResult matchedPersonData) throws EaafException { + //request SZR + SzrResultHolder idlResult = requestSzrForIdentityLink(eidData, matchedPersonData); + + //write revision-Log entry for personal-identifier mapping + writeExtendedRevisionLogEntry(eidData, eidData.getPersonalIdentifier()); + //check result-data and write revision-log based on current state + checkStateAndWriteRevisionLog(idlResult); + + //inject personal-data into session + AuthProcessDataWrapper authProcessDataWrapper = MatchingTaskUtils.getAuthProcessDataWrapper(pendingReq); + authProcessDataWrapper.setIdentityLink(idlResult.getIdentityLink()); + authProcessDataWrapper.setEidProcess(false); + + // set bPK and bPKType into auth session + authProcessDataWrapper.setGenericDataToSession(PvpAttributeDefinitions.BPK_NAME, extendBpkByPrefix( + idlResult.getBpK(), pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier())); + authProcessDataWrapper.setGenericDataToSession(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME, + pendingReq.getServiceProviderConfiguration() + .getAreaSpecificTargetIdentifier()); + } + private void executeEidMode(SimpleEidasData eidData, MatchedPersonResult matchedPersonData) + throws JsonProcessingException, EaafException, JoseException { + // get encrypted baseId + String vsz; + if (matchedPersonData != null) { + log.debug("Requesting encrypted baseId by already matched person information ... "); + vsz = szrClient.getEncryptedStammzahl(matchedPersonData); + + } else { + log.debug("Requesting encrypted baseId by using eIDAS information directly ... "); + vsz = szrClient.createNewErnpEntry(eidData); + } + + //write revision-Log entry and extended infos personal-identifier mapping + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_VSZ_RECEIVED); + writeExtendedRevisionLogEntry(eidData, eidData.getPersonalIdentifier()); + + // get eIDAS bind + String signedEidasBind = szrClient + .getEidasBind(vsz, authBlockSigner.getBase64EncodedPublicKey(), EID_STATUS, eidData); + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_EIDASBIND_RECEIVED); + AuthProcessDataWrapper authProcessDataWrapper = MatchingTaskUtils.getAuthProcessDataWrapper(pendingReq); + authProcessDataWrapper.setGenericDataToSession(Constants.EIDAS_BIND, signedEidasBind); + + //get signed AuthBlock + String jwsSignature = authBlockSigner.buildSignedAuthBlock(pendingReq); + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.TECH_AUCHBLOCK_CREATED); + authProcessDataWrapper.setGenericDataToSession(Constants.SZR_AUTHBLOCK, jwsSignature); + + //inject personal-data into session + authProcessDataWrapper.setEidProcess(true); + + } + + private void buildDummyIdentityLink(SimpleEidasData eidData) + throws ParserConfigurationException, SAXException, IOException, EaafException { + AuthProcessDataWrapper authProcessDataWrapper = MatchingTaskUtils.getAuthProcessDataWrapper(pendingReq); + SzrResultHolder idlResult = createDummyIdentityLinkForTestDeployment(eidData); + //inject personal-data into session + authProcessDataWrapper.setIdentityLink(idlResult.getIdentityLink()); + + // set bPK and bPKType into auth session + authProcessDataWrapper.setGenericDataToSession(PvpAttributeDefinitions.BPK_NAME, extendBpkByPrefix( + idlResult.getBpK(), pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier())); + authProcessDataWrapper.setGenericDataToSession(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME, + pendingReq.getServiceProviderConfiguration() + .getAreaSpecificTargetIdentifier()); } - private void writeExtendedRevisionLogEntry(Map<String, Object> simpleAttrMap, ErnbEidData eidData) { - // write ERnB input-data into revision-log + private void writeExtendedRevisionLogEntry(SimpleEidasData eidData, String personalIdentifier) { + // write ERnP input-data into revision-log if (basicConfig.getBasicConfigurationBoolean( Constants.CONIG_PROPS_EIDAS_SZRCLIENT_WORKAROUND_REVISIONLOGDATASTORE_ACTIVE, false)) { - revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_ERNB_EIDAS_RAW_ID, - (String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER)); + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_ERNB_EIDAS_RAW_ID, personalIdentifier); revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_ERNB_EIDAS_ERNB_ID, eidData.getPseudonym()); } } - - private PersonInfoType generateSzrRequest(ErnbEidData eidData) { - log.debug("Starting connecting SZR Gateway"); - final PersonInfoType personInfo = new PersonInfoType(); - final PersonNameType personName = new PersonNameType(); - final PhysicalPersonType naturalPerson = new PhysicalPersonType(); - final TravelDocumentType eDocument = new TravelDocumentType(); - - naturalPerson.setName(personName); - personInfo.setPerson(naturalPerson); - personInfo.setTravelDocument(eDocument); - - // person information - personName.setFamilyName(eidData.getFamilyName()); - personName.setGivenName(eidData.getGivenName()); - naturalPerson.setDateOfBirth(eidData.getFormatedDateOfBirth()); - eDocument.setIssuingCountry(eidData.getCitizenCountryCode()); - eDocument.setDocumentNumber(eidData.getPseudonym()); - - // eID document information - eDocument.setDocumentType(basicConfig - .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_EDOCUMENTTYPE, - Constants.SZR_CONSTANTS_DEFAULT_DOCUMENT_TYPE)); - - // set PlaceOfBirth if available - if (eidData.getPlaceOfBirth() != null) { - log.trace("Find 'PlaceOfBirth' attribute: " + eidData.getPlaceOfBirth()); - if (basicConfig - .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETPLACEOFBIRTHIFAVAILABLE, - true)) { - naturalPerson.setPlaceOfBirth(eidData.getPlaceOfBirth()); - log.trace("Adding 'PlaceOfBirth' to ERnB request ... "); - - } - } - // set BirthName if available - if (eidData.getBirthName() != null) { - log.trace("Find 'BirthName' attribute: " + eidData.getBirthName()); - if (basicConfig - .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETBIRTHNAMEIFAVAILABLE, - true)) { - final AlternativeNameType alternativeName = new AlternativeNameType(); - naturalPerson.setAlternativeName(alternativeName); - alternativeName.setFamilyName(eidData.getBirthName()); - log.trace("Adding 'BirthName' to ERnB request ... "); + private SzrResultHolder requestSzrForIdentityLink(SimpleEidasData eidData, + MatchedPersonResult matchedPersonData) throws EaafException { + //request IdentityLink from SZR + IdentityLinkType result; - } + if (matchedPersonData != null) { + log.debug("Requesting encrypted baseId by already matched person information ... "); + result = szrClient.getIdentityLinkInRawMode(matchedPersonData); + + } else { + log.debug("Requesting encrypted baseId by using eIDAS information directly ... "); + result = szrClient.getIdentityLinkInRawMode(eidData); + } - return personInfo; - - } - - private SzrResultHolder requestSzrForIdentityLink(PersonInfoType personInfo) - throws SzrCommunicationException, EaafException { - //request IdentityLink from SZR - final IdentityLinkType result = szrClient.getIdentityLinkInRawMode(personInfo); final Element idlFromSzr = (Element) result.getAssertion(); - IIdentityLink identityLink = new SimpleIdentityLinkAssertionParser(idlFromSzr).parseIdentityLink(); + final IIdentityLink identityLink = new SimpleIdentityLinkAssertionParser(idlFromSzr).parseIdentityLink(); // get bPK from SZR String bpk = null; - if (basicConfig - .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USESRZFORBPKGENERATION, true)) { - List<String> bpkList = szrClient - .getBpk(personInfo, pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(), - basicConfig - .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, "no VKZ defined")); + String targetId = pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(); + boolean debugUseSzrForBpk = basicConfig + .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USESRZFORBPKGENERATION, true); + if (debugUseSzrForBpk) { + String vkz = basicConfig + .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, "no VKZ defined"); + List<String> bpkList = szrClient.getBpk(eidData, targetId, vkz); if (!bpkList.isEmpty()) { bpk = bpkList.get(0); - } - - } else { log.debug("Calculating bPK from baseId ... "); - new BpkBuilder(); - final Pair<String, String> bpkCalc = BpkBuilder - .generateAreaSpecificPersonIdentifier(identityLink.getIdentificationValue(), - identityLink.getIdentificationType(), - pendingReq.getServiceProviderConfiguration() - .getAreaSpecificTargetIdentifier()); + String idValue = identityLink.getIdentificationValue(); + String idType = identityLink.getIdentificationType(); + final Pair<String, String> bpkCalc = BpkBuilder.generateAreaSpecificPersonIdentifier(idValue, idType, targetId); bpk = bpkCalc.getFirst(); - } - + return new SzrResultHolder(identityLink, bpk); - } - + private void checkStateAndWriteRevisionLog(SzrResultHolder idlResult) throws SzrCommunicationException { // write some infos into revision log if (idlResult.getIdentityLink() == null) { log.error("ERnB did not return an identity link."); throw new SzrCommunicationException("ernb.00", null); - } - revisionsLogger.logEvent(pendingReq, - MsConnectorEventCodes.SZR_IDL_RECEIVED, - idlResult.getIdentityLink().getSamlAssertion() - .getAttribute(SimpleIdentityLinkAssertionParser.ASSERTIONID)); + + String assertionId = idlResult.getIdentityLink().getSamlAssertion() + .getAttribute(SimpleIdentityLinkAssertionParser.ASSERTIONID); + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_IDL_RECEIVED, assertionId); if (idlResult.getBpK() == null) { log.error("ERnB did not return a bPK for target: " + pendingReq.getServiceProviderConfiguration() - .getAreaSpecificTargetIdentifier()); + .getAreaSpecificTargetIdentifier()); throw new SzrCommunicationException("ernb.01", null); - } + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_BPK_RECEIVED); log.debug("ERnB communication was successfull"); - } - - private String extendBpkByPrefix(String bpk, String type) { - String bpkType = null; - - if (type.startsWith(EaafConstants.URN_PREFIX_WBPK)) { - bpkType = type.substring(EaafConstants.URN_PREFIX_WBPK.length()); - } else if (type.startsWith(EaafConstants.URN_PREFIX_CDID)) { - bpkType = type.substring(EaafConstants.URN_PREFIX_CDID.length()); - } else if (type.startsWith(EaafConstants.URN_PREFIX_EIDAS)) { - bpkType = type.substring(EaafConstants.URN_PREFIX_EIDAS.length()); - } + private String extendBpkByPrefix(String bpk, String type) { + String bpkType = getBpkType(type); if (bpkType != null) { log.trace("Authenticate user with bPK/wbPK " + bpk + " and Type=" + bpkType); return bpkType + ":" + bpk; - } else { log.warn("Service Provider Target with: " + type + " is NOT supported. Set bPK as it is ..."); return bpk; - } - } - private Map<String, Object> convertEidasAttrToSimpleMap( - ImmutableMap<AttributeDefinition<?>, ImmutableSet<? extends AttributeValue<?>>> attributeMap) { - final Map<String, Object> result = new HashMap<>(); - - for (final AttributeDefinition<?> el : attributeMap.keySet()) { - - final Class<?> parameterizedType = el.getParameterizedType(); - if (DateTime.class.equals(parameterizedType)) { - final DateTime attribute = EidasResponseUtils.translateDateAttribute(el, attributeMap.get(el).asList()); - if (attribute != null) { - result.put(el.getFriendlyName(), attribute); - log.trace("Find attr '" + el.getFriendlyName() + "' with value: " + attribute.toString()); - - } else { - log.info("Ignore empty 'DateTime' attribute"); - } - - } else if (PostalAddress.class.equals(parameterizedType)) { - final PostalAddress addressAttribute = EidasResponseUtils - .translateAddressAttribute(el, attributeMap.get(el).asList()); - if (addressAttribute != null) { - result.put(el.getFriendlyName(), addressAttribute); - log.trace("Find attr '" + el.getFriendlyName() + "' with value: " + addressAttribute.toString()); - - } else { - log.info("Ignore empty 'PostalAddress' attribute"); - } - - } else { - final List<String> natPersonIdObj = EidasResponseUtils - .translateStringListAttribute(el, attributeMap.get(el)); - final String stringAttr = natPersonIdObj.get(0); - if (StringUtils.isNotEmpty(stringAttr)) { - result.put(el.getFriendlyName(), stringAttr); - log.trace("Find attr '" + el.getFriendlyName() + "' with value: " + stringAttr); - - } else { - log.info("Ignore empty 'String' attribute"); - } - - } + @Nullable + private String getBpkType(String type) { + if (type.startsWith(EaafConstants.URN_PREFIX_WBPK)) { + return type.substring(EaafConstants.URN_PREFIX_WBPK.length()); + } else if (type.startsWith(EaafConstants.URN_PREFIX_CDID)) { + return type.substring(EaafConstants.URN_PREFIX_CDID.length()); + } else if (type.startsWith(EaafConstants.URN_PREFIX_EIDAS)) { + return type.substring(EaafConstants.URN_PREFIX_EIDAS.length()); + } else { + return null; } - - log.debug("Receive #" + result.size() + " attributes with names: " + result.keySet().toString()); - - return result; } - private void writeMdsLogInformation(ErnbEidData eidData) { - // log MDS and country code into technical log - if (basicConfig - .getBasicConfigurationBoolean(MsEidasNodeConstants.PROP_CONFIG_TECHNICALLOG_WRITE_MDS_INTO_TECH_LOG, false)) { + + /** + * write MDS into technical log and revision log. + */ + private void writeMdsLogInformation(SimpleEidasData eidData) { + boolean writeMdsInTechLog = basicConfig + .getBasicConfigurationBoolean(MsEidasNodeConstants.PROP_CONFIG_TECHNICALLOG_WRITE_MDS_INTO_TECH_LOG, false); + if (writeMdsInTechLog) { log.info("eIDAS Auth. for user: " + eidData.getGivenName() + " " + eidData.getFamilyName() + " " + eidData - .getFormatedDateOfBirth() + " " + "from " + eidData.getCitizenCountryCode()); + .getDateOfBirth() + " " + "from " + eidData.getCitizenCountryCode()); } - // log MDS and country code into revision log - if (basicConfig + boolean writeMdsInRevLog = basicConfig .getBasicConfigurationBoolean(MsEidasNodeConstants.PROP_CONFIG_REVISIONLOG_WRITE_MDS_INTO_REVISION_LOG, - false)) { + false); + if (writeMdsInRevLog) { revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.RESPONSE_FROM_EIDAS_MDSDATA, - "{" + eidData.getGivenName() + "," + eidData.getFamilyName() + "," + eidData - .getFormatedDateOfBirth() + "," + eidData.getCitizenCountryCode() + "}"); + "{" + eidData.getGivenName() + "," + eidData.getFamilyName() + "," + eidData + .getDateOfBirth() + "," + eidData.getCitizenCountryCode() + "}"); } - } - + @Data - private static class SzrResultHolder { + private static class SzrResultHolder { final IIdentityLink identityLink; final String bpK; - + } - + /** * Build a dummy IdentityLink and a dummy bPK based on eIDAS information. - * + * * <br><br> * <b>FOR LOCAL TESTING ONLY!!!</b> - * + * * @param eidData Information from eIDAS response * @return IdentityLink and bPK * @throws ParserConfigurationException In case of an IDL processing error - * @throws SAXException In case of an IDL processing error - * @throws IOException In case of an IDL processing error - * @throws EaafException In case of a bPK generation error + * @throws SAXException In case of an IDL processing error + * @throws IOException In case of an IDL processing error + * @throws EaafException In case of a bPK generation error */ - private SzrResultHolder createDummyIdentityLinkForTestDeployment(ErnbEidData eidData) + private SzrResultHolder createDummyIdentityLinkForTestDeployment(SimpleEidasData eidData) throws ParserConfigurationException, SAXException, IOException, EaafException { log.warn("SZR-Dummy IS ACTIVE! IdentityLink is NOT VALID!!!!"); // create fake IdL @@ -487,17 +411,16 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { final Node prDateOfBirth = XPathUtils .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_DATE_OF_BIRTH_XPATH); - prDateOfBirth.getFirstChild().setNodeValue(eidData.getFormatedDateOfBirth()); + prDateOfBirth.getFirstChild().setNodeValue(eidData.getDateOfBirth()); identityLink = new SimpleIdentityLinkAssertionParser(idlassertion).parseIdentityLink(); - final Pair<String, String> bpkCalc = BpkBuilder - .generateAreaSpecificPersonIdentifier(identityLink.getIdentificationValue(), - identityLink.getIdentificationType(), - pendingReq.getServiceProviderConfiguration() - .getAreaSpecificTargetIdentifier()); + String idValue = identityLink.getIdentificationValue(); + String idType = identityLink.getIdentificationType(); + String targetId = pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(); + final Pair<String, String> bpkCalc = BpkBuilder.generateAreaSpecificPersonIdentifier(idValue, idType, targetId); return new SzrResultHolder(identityLink, bpkCalc.getFirst()); - + } } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateNewErnpEntryTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateNewErnpEntryTask.java new file mode 100644 index 00000000..6fc6d499 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateNewErnpEntryTask.java @@ -0,0 +1,93 @@ +/* + * Copyright 2021 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.springframework.stereotype.Component; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import lombok.extern.slf4j.Slf4j; + +/** + * Task that searches ERnP and ZMR before adding person to SZR. + * This corresponds to Step 9 in the eIDAS Matching Concept. + * Input: + * <ul> + * <li>{@link Constants#DATA_SIMPLE_EIDAS}</li> + * </ul> + * Output: + * <ul> + * <li>TODO MDS, BPK of new entry</li> + * </ul> + * + * @author amarsalek + * @author ckollmann + */ +@Slf4j +@Component("CreateNewErnbEntryTask") +public class CreateNewErnpEntryTask extends AbstractAuthServletTask { + + //private final SzrClient szrClient; + + ///** + // * Constructor. + // * @param szrClient SZR client for creating a new ERnP entry + // */ + //public CreateNewErnpEntryTask(SzrClient szrClient) { + // this.szrClient = szrClient; + //} + + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + try { + //SimpleEidasData simpleEidasData = MatchingTaskUtils.getInitialEidasData(pendingReq); + + // insert person into ERnP + //TODO: should we insert it directly into ERnP? + //TODO: has to updated to new eIDAS document model in ERnP + //String vsz = szrClient.createNewErnpEntry(simpleEidasData); + + // finish matching process, because new user-entry uniquly matches + //log.info("User successfully registerred into ERnP and matching tasks are finished "); + //MatchingTaskUtils.storeFinalMatchingResult(pendingReq, + // MatchedPersonResult.builder() + // .vsz(vsz) + // .build()); + + log.warn("Skipping new insert ERnP task, because it's currently unknown who we should it"); + + + } catch (final Exception e) { + log.error("Initial search FAILED.", e); + throw new TaskExecutionException(pendingReq, "Initial search FAILED.", e); + } + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAustrianResidenceGuiTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAustrianResidenceGuiTask.java new file mode 100644 index 00000000..d8266398 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAustrianResidenceGuiTask.java @@ -0,0 +1,76 @@ +/* + * Copyright 2021 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; + +import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; +import at.asitplus.eidas.specific.connector.gui.StaticGuiBuilderConfiguration; +import at.gv.egiz.eaaf.core.api.gui.IGuiBuilderConfiguration; +import at.gv.egiz.eaaf.core.api.gui.ISpringMvcGuiFormBuilder; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import lombok.extern.slf4j.Slf4j; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +/** + * Show GUI where user can provide an Austrian residence address, to provide further input to match the identity. + * + * @author ckollmann + */ +@Slf4j +@Component("GenerateAustrianResidenceGuiTask") +public class GenerateAustrianResidenceGuiTask extends AbstractAuthServletTask { + + @Autowired + private ISpringMvcGuiFormBuilder guiBuilder; + @Autowired + private IConfiguration basicConfig; + + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + try { + final IGuiBuilderConfiguration config = new StaticGuiBuilderConfiguration( + basicConfig, + pendingReq, + basicConfig.getBasicConfiguration(//TODO + MsEidasNodeConstants.PROP_CONFIG_WEBCONTENT_TEMPLATES_RESIDENCY, + MsEidasNodeConstants.TEMPLATE_HTML_RESIDENCY), + MsEidasNodeConstants.ENDPOINT_RESIDENCY_INPUT, + resourceLoader); + + guiBuilder.build(request, response, config, "Query Austrian residency"); + + } catch (final Exception e) { + log.error("Initial search FAILED.", e); + throw new TaskExecutionException(pendingReq, "Gui creation FAILED.", e); + } + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java index 9900fa98..74525e65 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java @@ -19,10 +19,11 @@ * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. -*/ + */ package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; +import java.io.IOException; import java.util.UUID; import javax.servlet.ServletException; @@ -30,6 +31,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang3.StringUtils; +import org.jetbrains.annotations.NotNull; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.ApplicationContext; import org.springframework.stereotype.Component; @@ -39,6 +41,7 @@ import at.asitplus.eidas.specific.connector.MsConnectorEventCodes; import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; import at.asitplus.eidas.specific.connector.gui.StaticGuiBuilderConfiguration; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPostProcessingException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasSAuthenticationException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.ICcSpecificEidProcessingService; import at.gv.egiz.eaaf.core.api.gui.ISpringMvcGuiFormBuilder; @@ -46,6 +49,8 @@ import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage; import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.exceptions.GuiBuildException; import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; import eu.eidas.auth.commons.EidasParameterKeys; @@ -58,146 +63,163 @@ import eu.eidas.specificcommunication.exception.SpecificCommunicationException; import eu.eidas.specificcommunication.protocol.SpecificCommunicationService; import lombok.extern.slf4j.Slf4j; + /** - * Authentication-process task that generates the Authn. Request to eIDAS Node. - * - * @author tlenz + * Generates the authn request to the eIDAS Node. This is the first task in the process. + * Input: + * <ul> + * <li>none</li> + * </ul> + * Output: + * <ul> + * <li>none</li> + * </ul> + * Transitions: + * <ul> + * <li>{@link at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.ReceiveAuthnResponseTask} + * to read the response from the eIDAS Node</li> + * </ul> * + * @author tlenz + * @author ckollmann */ @Slf4j -@Component("ConnecteIDASNodeTask") +@Component("GenerateAuthnRequestTask") public class GenerateAuthnRequestTask extends AbstractAuthServletTask { + @SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection") @Autowired IConfiguration basicConfig; + @Autowired ApplicationContext context; + + @SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection") @Autowired ITransactionStorage transactionStore; + + @SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection") @Autowired ISpringMvcGuiFormBuilder guiBuilder; + @Autowired ICcSpecificEidProcessingService ccSpecificProcessing; @Override - public void execute(ExecutionContext executionContext, - HttpServletRequest request, HttpServletResponse response) + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) throws TaskExecutionException { - try { - // get target, environment and validate citizen countryCode - final String citizenCountryCode = (String) executionContext.get( - MsEidasNodeConstants.REQ_PARAM_SELECTED_COUNTRY); - final String environment = (String) executionContext.get( - MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT); - - if (StringUtils.isEmpty(citizenCountryCode)) { - // illegal state; task should not have been executed without a selected country - throw new EidasSAuthenticationException("eidas.03", new Object[] { "" }); - - } - - // TODO: maybe add countryCode validation before request ref. impl. eIDAS node - log.info("Request eIDAS auth. for citizen of country: " + citizenCountryCode); - revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.COUNTRY_SELECTED, citizenCountryCode); - - // build eIDAS AuthnRequest - final LightRequest.Builder authnRequestBuilder = LightRequest.builder(); - authnRequestBuilder.id(UUID.randomUUID().toString()); - - // set nameIDFormat - authnRequestBuilder.nameIdFormat( - authConfig.getBasicConfiguration(Constants.CONFIG_PROP_EIDAS_NODE_NAMEIDFORMAT)); - - // set citizen country code for foreign uses - authnRequestBuilder.citizenCountryCode(citizenCountryCode); - - //set Issuer - final String issur = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_ENTITYID); - if (StringUtils.isEmpty(issur)) { - log.error("Found NO 'eIDAS node issuer' in configuration. Authentication NOT possible!"); - throw new EaafConfigurationException("config.27", - new Object[] { "Application config containts NO " + Constants.CONIG_PROPS_EIDAS_NODE_ENTITYID }); - - } - authnRequestBuilder.issuer(issur); - + final String citizenCountryCode = extractCitizenCountryCode(executionContext); + final String environment = (String) executionContext.get(MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT); + final String issuer = loadIssuerFromConfig(); + final LightRequest lightAuthnReq = buildEidasAuthnRequest(citizenCountryCode, issuer); - // Add country-specific informations into eIDAS request - ccSpecificProcessing.preProcess(citizenCountryCode, pendingReq, authnRequestBuilder); - - // build request - final LightRequest lightAuthnReq = authnRequestBuilder.build(); - - // put request into Hazelcast cache final BinaryLightToken token = putRequestInCommunicationCache(lightAuthnReq); final String tokenBase64 = BinaryLightTokenHelper.encodeBinaryLightTokenBase64(token); - - // Workaround, because eIDAS node ref. impl. does not return relayState - if (basicConfig.getBasicConfigurationBoolean( - Constants.CONIG_PROPS_EIDAS_NODE_WORKAROUND_USEREQUESTIDASTRANSACTIONIDENTIFIER, - false)) { - log.trace("Put lightRequestId into transactionstore as session-handling backup"); - transactionStore.put(lightAuthnReq.getId(), pendingReq.getPendingRequestId(), -1); - - } - - // select forward URL regarding the selected environment - String forwardUrl = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL); - if (StringUtils.isNotEmpty(environment)) { - forwardUrl = selectedForwardUrlForEnvironment(environment); - } - - if (StringUtils.isEmpty(forwardUrl)) { - log.warn("NO ForwardURL defined in configuration. Can NOT forward to eIDAS node! Process stops"); - throw new EaafConfigurationException("config.08", new Object[] { - environment == null ? Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL - : Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL + "." + environment - }); - - } - log.debug("ForwardURL: " + forwardUrl + " selected to forward eIDAS request"); - - if (basicConfig.getBasicConfiguration( - Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_METHOD, - Constants.FORWARD_METHOD_GET).equals(Constants.FORWARD_METHOD_GET)) { - - log.debug("Use http-redirect for eIDAS node forwarding ... "); - // send redirect - final UriComponentsBuilder redirectUrl = UriComponentsBuilder.fromHttpUrl(forwardUrl); - redirectUrl.queryParam(EidasParameterKeys.TOKEN.toString(), tokenBase64); - response.sendRedirect(redirectUrl.build().encode().toString()); - + workaroundRelayState(lightAuthnReq); + final String forwardUrl = selectForwardUrl(environment); + + String configValue = basicConfig.getBasicConfiguration( + Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_METHOD, Constants.FORWARD_METHOD_GET); + boolean useHttpRedirect = configValue.equals(Constants.FORWARD_METHOD_GET); + if (useHttpRedirect) { + sendRedirect(response, tokenBase64, forwardUrl); } else { - log.debug("Use http-post for eIDAS node forwarding ... "); - final StaticGuiBuilderConfiguration config = new StaticGuiBuilderConfiguration( - basicConfig, - pendingReq, - Constants.TEMPLATE_POST_FORWARD_NAME, - null, - resourceLoader); - - config.putCustomParameter(null, Constants.TEMPLATE_POST_FORWARD_ENDPOINT, forwardUrl); - config.putCustomParameter(null, Constants.TEMPLATE_POST_FORWARD_TOKEN_NAME, - EidasParameterKeys.TOKEN.toString()); - config.putCustomParameter(null, Constants.TEMPLATE_POST_FORWARD_TOKEN_VALUE, - tokenBase64); - - guiBuilder.build(request, response, config, "Forward to eIDASNode form"); - + sendPost(request, response, tokenBase64, forwardUrl); } revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.EIDAS_NODE_CONNECTED, lightAuthnReq.getId()); - } catch (final EidasSAuthenticationException e) { throw new TaskExecutionException(pendingReq, "eIDAS AuthnRequest generation FAILED.", e); - } catch (final Exception e) { log.warn("eIDAS AuthnRequest generation FAILED.", e); throw new TaskExecutionException(pendingReq, e.getMessage(), e); + } + } + + @NotNull + private String extractCitizenCountryCode(ExecutionContext executionContext) throws EidasSAuthenticationException { + final String result = (String) executionContext.get(MsEidasNodeConstants.REQ_PARAM_SELECTED_COUNTRY); + // illegal state; task should not have been executed without a selected country + if (StringUtils.isEmpty(result)) { + throw new EidasSAuthenticationException("eidas.03", new Object[]{""}); + } + // TODO: maybe add countryCode validation before request ref. impl. eIDAS node + log.info("Request eIDAS auth. for citizen of country: {}", result); + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.COUNTRY_SELECTED, result); + return result; + } + + @NotNull + private String loadIssuerFromConfig() throws EaafConfigurationException { + final String result = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_ENTITYID); + if (StringUtils.isEmpty(result)) { + log.error("Found NO 'eIDAS node issuer' in configuration. Authentication NOT possible!"); + throw new EaafConfigurationException("config.27", + new Object[]{"Application config containts NO " + Constants.CONIG_PROPS_EIDAS_NODE_ENTITYID}); + } + return result; + } + @NotNull + private LightRequest buildEidasAuthnRequest(String citizenCountryCode, String issuer) + throws EidPostProcessingException { + final LightRequest.Builder builder = LightRequest.builder(); + builder.id(UUID.randomUUID().toString()); + + // set nameIDFormat + builder.nameIdFormat( + authConfig.getBasicConfiguration(Constants.CONFIG_PROP_EIDAS_NODE_NAMEIDFORMAT)); + + builder.citizenCountryCode(citizenCountryCode); + builder.issuer(issuer); + // Add country-specific information into eIDAS request + ccSpecificProcessing.preProcess(citizenCountryCode, pendingReq, builder); + return builder.build(); + } + + private BinaryLightToken putRequestInCommunicationCache(ILightRequest lightRequest) + throws ServletException { + final BinaryLightToken binaryLightToken; + try { + String beanName = SpecificCommunicationDefinitionBeanNames.SPECIFIC_CONNECTOR_COMMUNICATION_SERVICE.toString(); + final SpecificCommunicationService service = (SpecificCommunicationService) context.getBean(beanName); + binaryLightToken = service.putRequest(lightRequest); + } catch (final SpecificCommunicationException e) { + log.error("Unable to process specific request"); + throw new ServletException(e); } + return binaryLightToken; + } + + /** + * Workaround, because eIDAS node ref. impl. does not return relayState + */ + private void workaroundRelayState(LightRequest lightAuthnReq) throws EaafException { + if (basicConfig.getBasicConfigurationBoolean( + Constants.CONIG_PROPS_EIDAS_NODE_WORKAROUND_USEREQUESTIDASTRANSACTIONIDENTIFIER, + false)) { + log.trace("Put lightRequestId into transactionstore as session-handling backup"); + transactionStore.put(lightAuthnReq.getId(), pendingReq.getPendingRequestId(), -1); + } + } + + @NotNull + private String selectForwardUrl(String environment) throws EaafConfigurationException { + String result = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL); + if (StringUtils.isNotEmpty(environment)) { + result = selectedForwardUrlForEnvironment(environment); + } + if (StringUtils.isEmpty(result)) { + log.warn("NO ForwardURL defined in configuration. Can NOT forward to eIDAS node! Process stops"); + throw new EaafConfigurationException("config.08", new Object[]{ + environment == null ? Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL + : Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL + "." + environment + }); + } + log.debug("ForwardURL: {} selected to forward eIDAS request", result); + return result; } /** @@ -205,51 +227,48 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { * <br> * <b>Info: </b> This method is needed, because eIDAS Ref. Impl only supports * one countrycode on each instance. In consequence, more than one eIDAS Ref. - * Impl nodes are required to support producation, testing, or QS stages for one + * Impl nodes are required to support production, testing, or QS stages for one * country by using one ms-specific eIDAS connector - * + * * @param environment Environment selector from CountrySlection page - * @return + * @return the URL from the configuration */ private String selectedForwardUrlForEnvironment(String environment) { - log.trace("Starting endpoint selection process for environment: " + environment + " ... "); + log.trace("Starting endpoint selection process for environment: {} ... ", environment); if (environment.equalsIgnoreCase(MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_PRODUCTION)) { return basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL); } else if (environment.equalsIgnoreCase(MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_QS)) { return basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL + "." + MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_QS); - } else if (environment.equalsIgnoreCase( - MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_TESTING)) { + } else if (environment.equalsIgnoreCase(MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_TESTING)) { return basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL + "." + MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_TESTING); - } else if (environment.equalsIgnoreCase( - MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_DEVELOPMENT)) { + } else if (environment.equalsIgnoreCase(MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_DEVELOPMENT)) { return basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL + "." + MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_DEVELOPMENT); } - - log.info("Environment selector: " + environment + " is not supported"); + log.info("Environment selector: {} is not supported", environment); return null; - } - private BinaryLightToken putRequestInCommunicationCache(ILightRequest lightRequest) - throws ServletException { - final BinaryLightToken binaryLightToken; - try { - final SpecificCommunicationService springManagedSpecificConnectorCommunicationService = - (SpecificCommunicationService) context.getBean( - SpecificCommunicationDefinitionBeanNames.SPECIFIC_CONNECTOR_COMMUNICATION_SERVICE.toString()); - - binaryLightToken = springManagedSpecificConnectorCommunicationService.putRequest(lightRequest); - - } catch (final SpecificCommunicationException e) { - log.error("Unable to process specific request"); - throw new ServletException(e); - - } + private void sendRedirect(HttpServletResponse response, String tokenBase64, String forwardUrl) throws IOException { + log.debug("Use http-redirect for eIDAS node forwarding ... "); + final UriComponentsBuilder redirectUrl = UriComponentsBuilder.fromHttpUrl(forwardUrl); + redirectUrl.queryParam(EidasParameterKeys.TOKEN.toString(), tokenBase64); + response.sendRedirect(redirectUrl.build().encode().toString()); + + } - return binaryLightToken; + private void sendPost(HttpServletRequest request, HttpServletResponse response, String tokenBase64, String forwardUrl) + throws GuiBuildException { + log.debug("Use http-post for eIDAS node forwarding ... "); + final StaticGuiBuilderConfiguration config = new StaticGuiBuilderConfiguration( + basicConfig, pendingReq, Constants.TEMPLATE_POST_FORWARD_NAME, null, resourceLoader); + config.putCustomParameter(null, Constants.TEMPLATE_POST_FORWARD_ENDPOINT, forwardUrl); + String token = EidasParameterKeys.TOKEN.toString(); + config.putCustomParameter(null, Constants.TEMPLATE_POST_FORWARD_TOKEN_NAME, token); + config.putCustomParameter(null, Constants.TEMPLATE_POST_FORWARD_TOKEN_VALUE, tokenBase64); + guiBuilder.build(request, response, config, "Forward to eIDASNode form"); } } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateMobilePhoneSignatureRequestTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateMobilePhoneSignatureRequestTask.java new file mode 100644 index 00000000..e6484e63 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateMobilePhoneSignatureRequestTask.java @@ -0,0 +1,145 @@ +/* + * Copyright 2021 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthRequestBuilderConfiguration; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider.IdAustriaClientAuthCredentialProvider; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider.IdAustriaClientAuthMetadataProvider; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import at.gv.egiz.eaaf.core.impl.utils.Random; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.sp.impl.PvpAuthnRequestBuilder; +import lombok.extern.slf4j.Slf4j; +import net.shibboleth.utilities.java.support.resolver.ResolverException; +import net.shibboleth.utilities.java.support.security.SecureRandomIdentifierGenerationStrategy; +import org.apache.commons.lang3.StringUtils; +import org.jetbrains.annotations.NotNull; +import org.opensaml.saml.saml2.metadata.EntityDescriptor; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.text.MessageFormat; + +/** + * Generate a SAML2 AuthnRequest to authenticate the user at ID Austria system. + * This corresponds to Step 15A in the eIDAS Matching Concept. + * + * @author tlenz + */ +@Slf4j +@Component("GenerateMobilePhoneSignatureRequestTask") +public class GenerateMobilePhoneSignatureRequestTask extends AbstractAuthServletTask { + + private static final String ERROR_MSG_1 = + "Requested 'ms-specific eIDAS node' {0} has no valid metadata or metadata is not found"; + + @Autowired + PvpAuthnRequestBuilder authnReqBuilder; + @Autowired + IdAustriaClientAuthCredentialProvider credential; + @Autowired + IdAustriaClientAuthMetadataProvider metadataService; + @Autowired + private IConfiguration basicConfig; + @Autowired + protected ITransactionStorage transactionStorage; + + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + try { + log.trace("Starting GenerateMobilePhoneSignatureRequestTask"); + final String entityId = loadEntityId(); + final EntityDescriptor entityDesc = loadEntityDescriptor(entityId); + final IdAustriaClientAuthRequestBuilderConfiguration authnReqConfig = buildAuthnRequestConfig(entityDesc); + final String relayState = buildRelayState(); + authnReqBuilder.buildAuthnRequest(pendingReq, authnReqConfig, relayState, response); // also transmits! + } catch (final Exception e) { + throw new TaskExecutionException(pendingReq, "Generation of SAML2 AuthnRequest to ID Austria System FAILED", e); + } + } + + @NotNull + private String loadEntityId() throws EaafConfigurationException { + final String msNodeEntityID = basicConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_ID_AUSTRIA_ENTITYID); + if (StringUtils.isEmpty(msNodeEntityID)) { + log.warn("ID Austria authentication not possible -> NO EntityID for ID Austria System FOUND!"); + throw new EaafConfigurationException(Constants.ERRORCODE_00, + new Object[]{IdAustriaClientAuthConstants.CONFIG_PROPS_ID_AUSTRIA_ENTITYID}); + } + return msNodeEntityID; + } + + /** + * Build relayState for session synchronization, because SAML2 only allows RelayState with 80 characters + * but encrypted PendingRequestId is much longer. + */ + @NotNull + private String buildRelayState() throws EaafException { + String relayState = Random.nextProcessReferenceValue(); + transactionStorage.put(relayState, pendingReq.getPendingRequestId(), -1); + return relayState; + } + + @NotNull + private EntityDescriptor loadEntityDescriptor(String msNodeEntityID) + throws ResolverException, EaafConfigurationException { + final EntityDescriptor entityDesc = metadataService.getEntityDescriptor(msNodeEntityID); + if (entityDesc == null) { + throw new EaafConfigurationException(IdAustriaClientAuthConstants.ERRORCODE_02, + new Object[]{MessageFormat.format(ERROR_MSG_1, msNodeEntityID)}); + + } + return entityDesc; + } + + @NotNull + private IdAustriaClientAuthRequestBuilderConfiguration buildAuthnRequestConfig(EntityDescriptor entityDesc) + throws CredentialsNotAvailableException { + final IdAustriaClientAuthRequestBuilderConfiguration authnReqConfig = + new IdAustriaClientAuthRequestBuilderConfiguration(); + final SecureRandomIdentifierGenerationStrategy gen = new SecureRandomIdentifierGenerationStrategy(); + authnReqConfig.setRequestId(gen.generateIdentifier()); + authnReqConfig.setIdpEntity(entityDesc); + authnReqConfig.setPassive(false); + authnReqConfig.setSignCred(credential.getMessageSigningCredential()); + authnReqConfig.setSpEntityID( + pendingReq.getAuthUrlWithOutSlash() + IdAustriaClientAuthConstants.ENDPOINT_METADATA); + authnReqConfig.setRequestedLoA(authConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_REQUIRED_LOA, + IdAustriaClientAuthConstants.CONFIG_DEFAULT_LOA_EIDAS_LEVEL)); + return authnReqConfig; + } +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateOtherLoginMethodGuiTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateOtherLoginMethodGuiTask.java new file mode 100644 index 00000000..dbdda78e --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateOtherLoginMethodGuiTask.java @@ -0,0 +1,82 @@ +/* + * Copyright 2021 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; +import at.asitplus.eidas.specific.connector.gui.StaticGuiBuilderConfiguration; +import at.gv.egiz.eaaf.core.api.gui.IGuiBuilderConfiguration; +import at.gv.egiz.eaaf.core.api.gui.ISpringMvcGuiFormBuilder; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import lombok.extern.slf4j.Slf4j; + +/** + * Task that provides GUI for user to select an alternative login method. + * This page is shown when the matching of the eIDAS data to ZMR/ERnP data is ambiguous. + * This corresponds to Steps 10, 14, 16 in the eIDAS Matching Concept. + * The response is handled in {@link ReceiveOtherLoginMethodGuiResponseTask} + * + * @author amarsalek + * @author ckollmann + */ +@Slf4j +@Component("GenerateOtherLoginMethodGuiTask") +public class GenerateOtherLoginMethodGuiTask extends AbstractAuthServletTask { + + @Autowired + private ISpringMvcGuiFormBuilder guiBuilder; + + @Autowired + private IConfiguration basicConfig; + + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + try { + final IGuiBuilderConfiguration config = new StaticGuiBuilderConfiguration( + basicConfig, + pendingReq, + basicConfig.getBasicConfiguration( + MsEidasNodeConstants.PROP_CONFIG_WEBCONTENT_TEMPLATES_OTHER_LOGIN_METHOD_SELECTION, + MsEidasNodeConstants.TEMPLATE_HTML_OTHERLOGINMETHODS), + MsEidasNodeConstants.ENDPOINT_OTHER_LOGIN_METHOD_SELECTION, + resourceLoader); + + guiBuilder.build(request, response, config, "Other login methods selection form"); + + } catch (final Exception e) { + log.error("Initial search FAILED.", e); + throw new TaskExecutionException(pendingReq, "Gui creation FAILED.", e); + } + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/InitialSearchTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/InitialSearchTask.java new file mode 100644 index 00000000..2341b733 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/InitialSearchTask.java @@ -0,0 +1,202 @@ +/* + * Copyright 2020 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.MatchedPersonResult; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.RegisterResult; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPostProcessingException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasAttributeException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.WorkflowException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.ICcSpecificEidProcessingService; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.RegisterSearchService; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.RegisterSearchService.RegisterOperationStatus; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.RegisterSearchService.RegisterStatusResults; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.MatchingTaskUtils; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.EaafStorageException; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import eu.eidas.auth.commons.light.ILightResponse; +import lombok.extern.slf4j.Slf4j; +import org.jetbrains.annotations.NotNull; +import org.springframework.stereotype.Component; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.util.Map; + +import static at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants.TRANSITION_TO_CREATE_NEW_ERNP_ENTRY_TASK; +import static at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants.TRANSITION_TO_GENERATE_OTHER_LOGIN_METHOD_GUI_TASK; + +/** + * Searches registers (ERnP and ZMR) after initial user auth, before adding person to SZR. + * Input: + * <ul> + * <li>{@link Constants#DATA_FULL_EIDAS_RESPONSE}</li> + * </ul> + * Output: + * <ul> + * <li>{@link Constants#DATA_SIMPLE_EIDAS} converted from Full eIDAS Response</li> + * <li>{@link Constants#DATA_INTERMEDIATE_RESULT} results from first search in registers with + * PersonIdentifier</li> + * <li>{@link Constants#DATA_PERSON_MATCH_RESULT} results after second search in registers with MDS</li> + * <li>{@link Constants#DATA_RESULT_MATCHING_BPK} if one register result found</li> + * </ul> + * Transitions: + * <ul> + * <li>{@link CreateNewErnpEntryTask} if no results in registers where found for this user</li> + * <li>{@link GenerateOtherLoginMethodGuiTask} if search with MDS returns more than one match, user may provide + * alternative login methods to get an unique match</li> + * <li>{@link CreateIdentityLinkTask} if search in register returned one match, user is uniquely identified</li> + * </ul> + * + * @author amarsalek + * @author ckollmann + * @author tlenz + */ +@Slf4j +@Component("InitialSearchTask") +@SuppressWarnings("PMD.TooManyStaticImports") +public class InitialSearchTask extends AbstractAuthServletTask { + + private final RegisterSearchService registerSearchService; + private final ICcSpecificEidProcessingService eidPostProcessor; + + /** + * Constructor. + * + * @param registerSearchService Service for register search access + * @param eidPostProcessor Country-Specific post processing of attributes + */ + public InitialSearchTask(RegisterSearchService registerSearchService, + ICcSpecificEidProcessingService eidPostProcessor) { + this.registerSearchService = registerSearchService; + this.eidPostProcessor = eidPostProcessor; + } + + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + try { + final SimpleEidasData eidasData = convertEidasAttrToSimpleData(); + MatchingTaskUtils.storeInitialEidasData(pendingReq, eidasData); + step2RegisterSearchWithPersonIdentifier(executionContext, eidasData); + } catch (WorkflowException e) { + throw new TaskExecutionException(pendingReq, "Initial search failed", e); + } catch (final Exception e) { + log.error("Initial search failed", e); + throw new TaskExecutionException(pendingReq, "Initial search failed with a generic error", e); + } + } + + private void step2RegisterSearchWithPersonIdentifier( + ExecutionContext executionContext, SimpleEidasData eidasData) throws WorkflowException, EaafStorageException { + try { + log.trace("Starting step2RegisterSearchWithPersonIdentifier"); + RegisterStatusResults searchResult = registerSearchService.searchWithPersonIdentifier(eidasData); + int resultCount = searchResult.getResultCount(); + if (resultCount == 0) { + step6CountrySpecificSearch(executionContext, searchResult.getOperationStatus(), eidasData); + } else if (resultCount == 1) { + foundMatchFinalizeTask(searchResult, eidasData); + } else { + throw new WorkflowException("step2RegisterSearchWithPersonIdentifier", + "More than one entry with unique personal-identifier", true); + } + } catch (WorkflowException e) { + //TODO: what we do in case of a workflow error and manual matching are necessary?? + log.warn("Workflow error during matching step: {}. Reason: {}", e.getProcessStepName(), e.getErrorReason()); + throw e; + } + } + + private void step6CountrySpecificSearch( + ExecutionContext executionContext, RegisterOperationStatus registerOperationStatus, SimpleEidasData eidasData) + throws EaafStorageException, WorkflowException { + log.trace("Starting 'step6CountrySpecificSearch' ... "); + RegisterStatusResults searchResult = registerSearchService.searchWithCountrySpecifics( + registerOperationStatus, eidasData); + if (searchResult.getResultCount() == 0) { + log.trace("'step6CountrySpecificSearch' ends with no result. Forward to next matching step ... "); + step8RegisterSearchWithMds(executionContext, searchResult.getOperationStatus(), eidasData); + } else if (searchResult.getResultCount() == 1) { + log.trace("'step6CountrySpecificSearch' finds a person. Forward to 'step7aKittProcess' step ... "); + registerSearchService.step7aKittProcess(searchResult, eidasData); + foundMatchFinalizeTask(searchResult, eidasData); + } else { + throw new WorkflowException("step6CountrySpecificSearch", + "More than one entry with unique country-specific information", true); + } + } + + private void step8RegisterSearchWithMds(ExecutionContext executionContext, + RegisterOperationStatus registerOperationStatus, SimpleEidasData eidasData) + throws EaafStorageException, WorkflowException { + log.trace("Starting step8RegisterSearchWithMds"); + RegisterStatusResults registerData = registerSearchService.searchWithMds(registerOperationStatus, eidasData); + if (registerData.getResultCount() == 0) { + log.debug("Matching step: 'step8RegisterSearchWithMds' has no result. Forward to create new ERnP entry ... "); + executionContext.put(TRANSITION_TO_CREATE_NEW_ERNP_ENTRY_TASK, true); + } else { + log.debug("Matching step: 'step8RegisterSearchWithMds' has #{} results. " + + "Forward to GUI based matching steps ... ", registerData.getResultCount()); + MatchingTaskUtils.storeIntermediateMatchingResult(pendingReq, registerData); + executionContext.put(TRANSITION_TO_GENERATE_OTHER_LOGIN_METHOD_GUI_TASK, true); + } + } + + private void foundMatchFinalizeTask(RegisterStatusResults searchResult, SimpleEidasData eidasData) + throws WorkflowException, EaafStorageException { + RegisterResult updatedResult = step3CheckRegisterUpdateNecessary(searchResult.getResult(), eidasData); + MatchedPersonResult result = MatchedPersonResult.generateFormMatchingResult( + updatedResult, eidasData.getCitizenCountryCode()); + MatchingTaskUtils.storeFinalMatchingResult(pendingReq, result); + } + + private RegisterResult step3CheckRegisterUpdateNecessary(RegisterResult searchResult, + SimpleEidasData eidasData) throws WorkflowException { + log.trace("Starting step3CheckRegisterUpdateNecessary"); + if (!eidasData.equalsRegisterData(searchResult)) { + log.info("Skipping update-register-information step, because it's not supported yet"); + //TODO: return updated search result if updates are allowed + return searchResult; + } else { + log.debug("Register information match to eIDAS information. No update required"); + return searchResult; + } + } + + @NotNull + private SimpleEidasData convertEidasAttrToSimpleData() + throws EidasAttributeException, EidPostProcessingException { + final ILightResponse eidasResponse = MatchingTaskUtils.getAuthProcessDataWrapper(pendingReq) + .getGenericDataFromSession(Constants.DATA_FULL_EIDAS_RESPONSE, ILightResponse.class); + Map<String, Object> simpleMap = MatchingTaskUtils.convertEidasAttrToSimpleMap( + eidasResponse.getAttributes().getAttributeMap(), log); + return eidPostProcessor.postProcess(simpleMap); + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAustrianResidenceGuiResponseTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAustrianResidenceGuiResponseTask.java new file mode 100644 index 00000000..83fdf771 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAustrianResidenceGuiResponseTask.java @@ -0,0 +1,214 @@ +/* + * Copyright 2021 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; + +import java.util.Enumeration; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.lang.StringEscapeUtils; +import org.jetbrains.annotations.NotNull; +import org.springframework.stereotype.Component; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.MatchedPersonResult; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.InvalidUserInputException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.ManualFixNecessaryException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.WorkflowException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.RegisterSearchService; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.RegisterSearchService.RegisterStatusResults; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.MatchingTaskUtils; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.EaafStorageException; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import lombok.AllArgsConstructor; +import lombok.Data; +import lombok.NoArgsConstructor; +import lombok.extern.slf4j.Slf4j; + + +/** + * Task receives the response of {@link GenerateAustrianResidenceGuiTask} and handles it. + * This corresponds to Steps 17B, 18, 19 in the eIDAS Matching Concept. + * Input: + * <ul> + * <li>{@link Constants#DATA_SIMPLE_EIDAS} initial login data from user</li> + * <li>{@link Constants#DATA_INTERMEDIATE_RESULT} results from search in registers with personIdentifier</li> + * </ul> + * Output: + * <ul> + * <li>{@link Constants#DATA_RESULT_MATCHING_BPK} if one register result found</li> + * </ul> + * Transitions: + * <ul> + * <li>{@link CreateNewErnpEntryTask} if no results from search with residency data in registers</li> + * <li>{@link CreateIdentityLinkTask} if one exact match between initial register search (with MDS) and results + * from search with residency data in registers exists</li> + * </ul> + * + * @author amarsalek + * @author ckollmann + * @author tlenz + */ +@Slf4j +@Component("ReceiveAustrianResidenceGuiResponseTask") +public class ReceiveAustrianResidenceGuiResponseTask extends AbstractAuthServletTask { + + public static final String PARAM_FORMER_RESIDENCE_AVAILABLE = "formerResidenceAvailable"; + public static final String PARAM_STREET = "street"; + public static final String PARAM_CITY = "city"; + public static final String PARAM_ZIPCODE = "zipcode"; + private final RegisterSearchService registerSearchService; + + public ReceiveAustrianResidenceGuiResponseTask(RegisterSearchService registerSearchService) { + this.registerSearchService = registerSearchService; + } + + @Data + @AllArgsConstructor + @NoArgsConstructor + public static class UserInput { + private boolean formerResidenceAvailable; + private String zipcode; + private String city; + private String street; + } + + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + log.trace("Starting ReceiveAustrianResidenceGuiResponseTask"); + + UserInput input = parseHtmlInput(request); + if (!input.isFormerResidenceAvailable()) { + moveToNextTask(executionContext); + return; + + } + + //TODO: Here, we need an error handling an can not stop full process if form input was invalid + //TODO: check minimum form elements + /*TODO: maybe we can switch to custom controller and use WebMVC form-binding feature. + * Binding element can be add as attribute to this request + */ + if (input.getStreet().isEmpty() || input.getCity().isEmpty() || input.getZipcode().isEmpty()) { + // HTML form should ensure that mandatory fields are set => this should never happen + throw new TaskExecutionException(pendingReq, "Invalid user input", + new InvalidUserInputException("module.eidasauth.matching.06")); + + } + + + + try { + SimpleEidasData eidasData = MatchingTaskUtils.getInitialEidasData(pendingReq); + RegisterStatusResults initialSearchResult = MatchingTaskUtils.getIntermediateMatchingResult(pendingReq); + + RegisterStatusResults residencyResult = + registerSearchService.searchWithResidence(initialSearchResult.getOperationStatus(), + eidasData, input.zipcode, input.city, input.street); + if (residencyResult.getResultCount() == 0) { + //TODO: her we should add a GUI step of result is zero to inform user an forward process by click + moveToNextTask(executionContext); + + } else if (residencyResult.getResultCount() == 1) { + compareSearchResultWithInitialData(executionContext, residencyResult, eidasData); + + } else { + /*TODO: align with form generation task and to better error handling in case of more-than-one result. + * Maybe the user has to provide more information. + */ + throw new TaskExecutionException(pendingReq, + "Manual Fix necessary", new ManualFixNecessaryException(eidasData)); + + } + + } catch (EaafStorageException e) { + log.error("Search with residency data failed", e); + throw new TaskExecutionException(pendingReq, "Search with residency data failed", e); + + } + } + + private void compareSearchResultWithInitialData(ExecutionContext executionContext, + RegisterStatusResults residencyResult, SimpleEidasData eidasData) + throws TaskExecutionException, EaafStorageException { + try { + /*TODO: check 'equalsRegisterData' because this method maybe this method evaluate to an invalid result. + * See TODO in methods body + */ + if (eidasData.equalsRegisterData(residencyResult.getResult())) { + // update register information + registerSearchService.step7aKittProcess(residencyResult, eidasData); + + // store search result to re-used in CreateIdentityLink step, because there we need bPK and MDS + MatchingTaskUtils.storeFinalMatchingResult(pendingReq, + MatchedPersonResult.generateFormMatchingResult( + residencyResult.getResult(), eidasData.getCitizenCountryCode())); + + } else { + moveToNextTask(executionContext); + + } + + } catch (WorkflowException e) { + throw new TaskExecutionException(pendingReq, "Search failed", new ManualFixNecessaryException(eidasData)); + + } + } + + private void moveToNextTask(ExecutionContext executionContext) { + // Later on, this should transition to Step 20 + executionContext.put(Constants.TRANSITION_TO_CREATE_NEW_ERNP_ENTRY_TASK, true); + + } + + private @NotNull UserInput parseHtmlInput(HttpServletRequest request) { + Enumeration<String> reqParamNames = request.getParameterNames(); + UserInput result = new UserInput(); + while (reqParamNames.hasMoreElements()) { + final String paramName = reqParamNames.nextElement(); + String escaped = StringEscapeUtils.escapeHtml(request.getParameter(paramName)); + if (PARAM_FORMER_RESIDENCE_AVAILABLE.equalsIgnoreCase(paramName)) { + result.setFormerResidenceAvailable(Boolean.parseBoolean(escaped)); + + } else if (PARAM_STREET.equalsIgnoreCase(paramName)) { + result.setStreet(escaped); + + } else if (PARAM_CITY.equalsIgnoreCase(paramName)) { + result.setCity(escaped); + + } else if (PARAM_ZIPCODE.equalsIgnoreCase(paramName)) { + result.setZipcode(escaped); + + } + } + return result; + + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAuthnResponseAlternativeTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAuthnResponseAlternativeTask.java new file mode 100644 index 00000000..aa04f55e --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAuthnResponseAlternativeTask.java @@ -0,0 +1,131 @@ +/* + * Copyright 2018 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; + +import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasSAuthenticationException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasValidationException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.validator.EidasResponseValidator; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import eu.eidas.auth.commons.light.ILightResponse; +import lombok.extern.slf4j.Slf4j; +import org.jetbrains.annotations.NotNull; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + + +/** + * Receives the authn response from the eIDAS Node, containing the (alternative) eIDAS authentication. + * Input: + * <ul> + * <li>none</li> + * </ul> + * Output: + * <ul> + * <li>{@link Constants#DATA_FULL_EIDAS_RESPONSE_ALTERNATIVE} the full response details</li> + * </ul> + * Transitions: + * <ul> + * <li>{@link InitialSearchTask} to perform search in registers</li> + * </ul> + * + * @author tlenz + * @author ckollmann + */ +@Slf4j +@Component("ReceiveAuthnResponseTask") +public class ReceiveAuthnResponseAlternativeTask extends AbstractAuthServletTask { + + @SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection") + @Autowired + private IConfiguration basicConfig; + + @Autowired + private EidasAttributeRegistry attrRegistry; + + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, + HttpServletResponse response) throws TaskExecutionException { + try { + final ILightResponse eidasResponse = extractEidasResponse(request); + checkStatusCode(eidasResponse); + validateMsSpecificResponse(executionContext, eidasResponse); + storeInSession(eidasResponse); + } catch (final Exception e) { + log.warn("eIDAS Response processing FAILED.", e); + throw new TaskExecutionException(pendingReq, e.getMessage(), + new EidasSAuthenticationException("eidas.05", new Object[]{e.getMessage()}, e)); + } + } + + @NotNull + private ILightResponse extractEidasResponse(HttpServletRequest request) throws EidasSAuthenticationException { + final ILightResponse eidasResponse = (ILightResponse) request.getAttribute(Constants.DATA_FULL_EIDAS_RESPONSE); + if (eidasResponse == null) { + log.warn("NO eIDAS response-message found."); + throw new EidasSAuthenticationException("eidas.01", null); + } + log.debug("Receive eIDAS response with RespId: {} for ReqId: {}", + eidasResponse.getId(), eidasResponse.getInResponseToId()); + log.trace("Full eIDAS-Resp: {}", eidasResponse); + return eidasResponse; + } + + private void checkStatusCode(ILightResponse eidasResponse) throws EidasSAuthenticationException { + if (!eidasResponse.getStatus().getStatusCode().equals(Constants.SUCCESS_URI)) { + log.info("Receive eIDAS Response with StatusCode: {} Subcode: {} Msg: {}", + eidasResponse.getStatus().getStatusCode(), + eidasResponse.getStatus().getSubStatusCode(), + eidasResponse.getStatus().getStatusMessage()); + throw new EidasSAuthenticationException("eidas.02", new Object[]{eidasResponse.getStatus() + .getStatusCode(), eidasResponse.getStatus().getStatusMessage()}); + } + } + + private void validateMsSpecificResponse(ExecutionContext executionContext, ILightResponse eidasResponse) + throws EidasValidationException { + final String spCountry = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_COUNTRYCODE, "AT"); + final String citizenCountryCode = (String) executionContext.get(MsEidasNodeConstants.REQ_PARAM_SELECTED_COUNTRY); + EidasResponseValidator.validateResponse(pendingReq, eidasResponse, spCountry, citizenCountryCode, attrRegistry); + } + + private void storeInSession(ILightResponse eidasResponse) throws EaafException { + log.debug("Store eIDAS response information into pending-request."); + final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); + authProcessData.setQaaLevel(eidasResponse.getLevelOfAssurance()); + authProcessData.setGenericDataToSession(Constants.DATA_FULL_EIDAS_RESPONSE_ALTERNATIVE, eidasResponse); + requestStoreage.storePendingRequest(pendingReq); + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAuthnResponseTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAuthnResponseTask.java index 6cab9214..86cd2164 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAuthnResponseTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAuthnResponseTask.java @@ -19,13 +19,14 @@ * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. -*/ + */ package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.jetbrains.annotations.NotNull; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; @@ -33,6 +34,7 @@ import at.asitplus.eidas.specific.connector.MsConnectorEventCodes; import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasSAuthenticationException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasValidationException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry; import at.asitplus.eidas.specific.modules.auth.eidas.v2.validator.EidasResponseValidator; import at.gv.egiz.eaaf.core.api.idp.IConfiguration; @@ -44,87 +46,102 @@ import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; import eu.eidas.auth.commons.light.ILightResponse; import lombok.extern.slf4j.Slf4j; + +/** + * Receives the authn response from the eIDAS Node, containing the (initial) eIDAS authentication. + * Input: + * <ul> + * <li>none</li> + * </ul> + * Output: + * <ul> + * <li>{@link Constants#DATA_FULL_EIDAS_RESPONSE} the full response details</li> + * </ul> + * Transitions: + * <ul> + * <li>{@link InitialSearchTask} to perform search in registers</li> + * </ul> + * + * @author tlenz + * @author ckollmann + */ @Slf4j -@Component("ReceiveResponseFromeIDASNodeTask") +@Component("ReceiveAuthnResponseTask") public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { + @SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection") @Autowired private IConfiguration basicConfig; + @Autowired private EidasAttributeRegistry attrRegistry; @Override public void execute(ExecutionContext executionContext, HttpServletRequest request, - HttpServletResponse response) throws TaskExecutionException { + HttpServletResponse response) throws TaskExecutionException { try { - final ILightResponse eidasResponse = (ILightResponse) request.getAttribute( - Constants.DATA_FULL_EIDAS_RESPONSE); - if (eidasResponse == null) { - log.warn("NO eIDAS response-message found."); - throw new EidasSAuthenticationException("eidas.01", null); - - } - - log.debug("Receive eIDAS response with RespId:" + eidasResponse.getId() + " for ReqId:" + eidasResponse - .getInResponseToId()); - log.trace("Full eIDAS-Resp: " + eidasResponse.toString()); - revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.RESPONSE_FROM_EIDAS_NODE, eidasResponse - .getId()); - - // check response StatusCode - if (!eidasResponse.getStatus().getStatusCode().equals(Constants.SUCCESS_URI)) { - log.info("Receice eIDAS Response with StatusCode:" + eidasResponse.getStatus().getStatusCode() - + " Subcode:" + eidasResponse.getStatus().getSubStatusCode() + " Msg:" + eidasResponse.getStatus() - .getStatusMessage()); - throw new EidasSAuthenticationException("eidas.02", new Object[] { eidasResponse.getStatus() - .getStatusCode(), eidasResponse.getStatus().getStatusMessage() }); - - } - - // extract all Attributes from response - - // ********************************************************** - // ******* MS-specificresponse validation ********** - // ********************************************************** - final String spCountry = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_COUNTRYCODE, - "AT"); - final String citizenCountryCode = (String) executionContext.get( - MsEidasNodeConstants.REQ_PARAM_SELECTED_COUNTRY); - EidasResponseValidator.validateResponse(pendingReq, eidasResponse, spCountry, citizenCountryCode, - attrRegistry); - - // ********************************************************** - // ******* Store resonse infos into session object ********** - // ********************************************************** - - // update MOA-Session data with received information - log.debug("Store eIDAS response information into pending-request."); - final EidAuthProcessDataWrapper authProcessData = pendingReq.getSessionData(EidAuthProcessDataWrapper.class); - authProcessData.setQaaLevel(eidasResponse.getLevelOfAssurance()); - authProcessData.setGenericDataToSession(Constants.DATA_FULL_EIDAS_RESPONSE, eidasResponse); - - - //inject set flag to inject - authProcessData.setTestIdentity( - basicConfig.getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_IS_TEST_IDENTITY, false)); - - // store MOA-session to database - requestStoreage.storePendingRequest(pendingReq); + final ILightResponse eidasResponse = extractEidasResponse(request); + checkStatusCode(eidasResponse); + validateMsSpecificResponse(executionContext, eidasResponse); + storeInSession(eidasResponse); revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.RESPONSE_FROM_EIDAS_NODE_VALID); - } catch (final EaafException e) { revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.RESPONSE_FROM_EIDAS_NODE_NOT_VALID); throw new TaskExecutionException(pendingReq, "eIDAS Response processing FAILED.", e); - } catch (final Exception e) { log.warn("eIDAS Response processing FAILED.", e); revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.RESPONSE_FROM_EIDAS_NODE_NOT_VALID); throw new TaskExecutionException(pendingReq, e.getMessage(), - new EidasSAuthenticationException("eidas.05", new Object[] { e.getMessage() }, e)); + new EidasSAuthenticationException("eidas.05", new Object[]{e.getMessage()}, e)); + } + } + @NotNull + private ILightResponse extractEidasResponse(HttpServletRequest request) throws EidasSAuthenticationException { + final ILightResponse eidasResponse = (ILightResponse) request.getAttribute(Constants.DATA_FULL_EIDAS_RESPONSE); + if (eidasResponse == null) { + log.warn("NO eIDAS response-message found."); + throw new EidasSAuthenticationException("eidas.01", null); } + log.debug("Receive eIDAS response with RespId: {} for ReqId: {}", + eidasResponse.getId(), eidasResponse.getInResponseToId()); + log.trace("Full eIDAS-Resp: {}", eidasResponse); + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.RESPONSE_FROM_EIDAS_NODE, eidasResponse.getId()); + return eidasResponse; + } + + private void checkStatusCode(ILightResponse eidasResponse) throws EidasSAuthenticationException { + if (!eidasResponse.getStatus().getStatusCode().equals(Constants.SUCCESS_URI)) { + log.info("Receive eIDAS Response with StatusCode: {} Subcode: {} Msg: {}", + eidasResponse.getStatus().getStatusCode(), + eidasResponse.getStatus().getSubStatusCode(), + eidasResponse.getStatus().getStatusMessage()); + throw new EidasSAuthenticationException("eidas.02", new Object[]{eidasResponse.getStatus() + .getStatusCode(), eidasResponse.getStatus().getStatusMessage()}); + } + } + + private void validateMsSpecificResponse(ExecutionContext executionContext, ILightResponse eidasResponse) + throws EidasValidationException { + final String spCountry = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_COUNTRYCODE, "AT"); + final String citizenCountryCode = (String) executionContext.get(MsEidasNodeConstants.REQ_PARAM_SELECTED_COUNTRY); + EidasResponseValidator.validateResponse(pendingReq, eidasResponse, spCountry, citizenCountryCode, attrRegistry); + } + private void storeInSession(ILightResponse eidasResponse) throws EaafException { + log.debug("Store eIDAS response information into pending-request."); + final EidAuthProcessDataWrapper authProcessData = pendingReq.getSessionData(EidAuthProcessDataWrapper.class); + authProcessData.setQaaLevel(eidasResponse.getLevelOfAssurance()); + + //inject set flag to inject + authProcessData.setTestIdentity( + basicConfig.getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_IS_TEST_IDENTITY, false)); + + + authProcessData.setGenericDataToSession(Constants.DATA_FULL_EIDAS_RESPONSE, eidasResponse); + requestStoreage.storePendingRequest(pendingReq); + } } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseTask.java new file mode 100644 index 00000000..d43a175f --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseTask.java @@ -0,0 +1,369 @@ +/* + * Copyright 2021 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; + +import static at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants.MODULE_NAME_FOR_LOGGING; + +import java.io.IOException; +import java.util.List; +import java.util.Set; +import java.util.stream.Collectors; +import java.util.stream.Stream; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.xml.transform.TransformerException; + +import org.apache.commons.lang3.StringUtils; +import org.jetbrains.annotations.NotNull; +import org.opensaml.core.xml.io.MarshallingException; +import org.opensaml.messaging.decoder.MessageDecodingException; +import org.opensaml.saml.saml2.core.Response; +import org.opensaml.saml.saml2.core.StatusCode; +import org.opensaml.saml.saml2.metadata.IDPSSODescriptor; +import org.springframework.stereotype.Component; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.MatchedPersonResult; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.RegisterResult; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleMobileSignatureData; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.InvalidUserInputException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.WorkflowException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthEventConstants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider.IdAustriaClientAuthCredentialProvider; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider.IdAustriaClientAuthMetadataProvider; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.RegisterSearchService; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.RegisterSearchService.RegisterStatusResults; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.MatchingTaskUtils; +import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.EaafBuilderException; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import at.gv.egiz.eaaf.modules.pvp2.api.binding.IDecoder; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; +import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding; +import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EaafUriCompare; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine; +import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionValidationExeption; +import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnResponseValidationException; +import at.gv.egiz.eaaf.modules.pvp2.sp.impl.utils.AssertionAttributeExtractor; +import lombok.extern.slf4j.Slf4j; + +/** + * Task that receives the SAML2 response from ID Austria system. + * This corresponds to Step 15 in the eIDAS Matching Concept. + * Input: + * <ul> + * <li>{@link Constants#DATA_SIMPLE_EIDAS} initial login data from user</li> + * <li>{@link Constants#DATA_INTERMEDIATE_RESULT} results from search in registers with personIdentifier</li> + * </ul> + * Output: + * <ul> + * <li>{@link Constants#DATA_RESULT_MATCHING_BPK} if one register result found</li> + * </ul> + * Transitions: + * <ul> + * <li>{@link GenerateAustrianResidenceGuiTask} if no results in registers were found</li> + * <li>{@link CreateIdentityLinkTask} if one exact match between initial register search (with MDS) data and + * register search with MPS data exists</li> + * </ul> + * + * @author tlenz + * @author ckollmann + */ +@Slf4j +@Component("ReceiveMobilePhoneSignatureResponseTask") +public class ReceiveMobilePhoneSignatureResponseTask extends AbstractAuthServletTask { + + private final SamlVerificationEngine samlVerificationEngine; + private final RegisterSearchService registerSearchService; + private final IdAustriaClientAuthCredentialProvider credentialProvider; + private final IdAustriaClientAuthMetadataProvider metadataProvider; + + private static final String ERROR_PVP_03 = "sp.pvp2.03"; + private static final String ERROR_PVP_05 = "sp.pvp2.05"; + private static final String ERROR_PVP_06 = "sp.pvp2.06"; + private static final String ERROR_PVP_08 = "sp.pvp2.08"; + private static final String ERROR_PVP_10 = "sp.pvp2.10"; + private static final String ERROR_PVP_11 = "sp.pvp2.11"; + private static final String ERROR_PVP_12 = "sp.pvp2.12"; + + private static final String ERROR_MSG_00 = "Receive INVALID PVP Response from ID Austria system"; + private static final String ERROR_MSG_01 = "Processing PVP response from 'ID Austria system' FAILED."; + private static final String ERROR_MSG_02 = "PVP response decryption FAILED. No credential found."; + private static final String ERROR_MSG_03 = "PVP response validation FAILED."; + + /** + * Creates the new task, with autowired dependencies from Spring. + */ + @SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection") + public ReceiveMobilePhoneSignatureResponseTask(SamlVerificationEngine samlVerificationEngine, + RegisterSearchService registerSearchService, + IdAustriaClientAuthCredentialProvider credentialProvider, + IdAustriaClientAuthMetadataProvider metadataProvider) { + this.samlVerificationEngine = samlVerificationEngine; + this.registerSearchService = registerSearchService; + this.credentialProvider = credentialProvider; + this.metadataProvider = metadataProvider; + } + + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + try { + log.trace("Starting ReceiveMobilePhoneSignatureResponseTask"); + IDecoder decoder = loadDecoder(request); + EaafUriCompare comparator = loadComparator(request); + InboundMessage inboundMessage = decodeAndVerifyMessage(request, response, decoder, comparator); + Pair<PvpSProfileResponse, Boolean> processedMsg = validateAssertion((PvpSProfileResponse) inboundMessage); + if (processedMsg.getSecond()) { + // forward to next matching step in case of ID Autria authentication was stopped by user + executionContext.put(Constants.TRANSITION_TO_GENERATE_GUI_QUERY_AUSTRIAN_RESIDENCE_TASK, true); + return; + + } + + // validate SAML2 response + validateEntityId(inboundMessage); + log.info("Receive a valid assertion from IDP " + inboundMessage.getEntityID()); + + // load already existing information from session + SimpleEidasData eidasData = MatchingTaskUtils.getInitialEidasData(pendingReq); + RegisterStatusResults initialSearchResult = MatchingTaskUtils.getIntermediateMatchingResult(pendingReq); + + // extract user information from ID Austria authentication + AssertionAttributeExtractor extractor = new AssertionAttributeExtractor(processedMsg.getFirst().getResponse()); + SimpleMobileSignatureData simpleMobileSignatureData = getAuthDataFromInterfederation(extractor); + + // check if MDS from ID Austria authentication matchs to eIDAS authentication + if (!simpleMobileSignatureData.equalsSimpleEidasData(eidasData)) { + // user has cheated!? + throw new InvalidUserInputException("module.eidasauth.matching.05"); + + } + + // search entry in initial search result from steps before and build new RegisterSearchResult + RegisterStatusResults registerResult = new RegisterStatusResults(initialSearchResult.getOperationStatus(), + extractEntriesByBpk(initialSearchResult.getResultsZmr().stream(), simpleMobileSignatureData.getBpk()), + extractEntriesByBpk(initialSearchResult.getResultsErnp().stream(), simpleMobileSignatureData.getBpk())); + + if (registerResult.getResultCount() != 1) { + throw new WorkflowException("matchWithIDAustriaAuthentication", + "Suspect state detected. MDS matches to eIDAS authentication " + + "but register search-result with MDS contains #" + registerResult.getResultCount() + + " entry with bPK from ID Austria authentication", false); + + } else { + // perform kit operation + registerSearchService.step7aKittProcess(registerResult, eidasData); + + // store search result to re-used in CreateIdentityLink step, because there we need bPK and MDS + MatchingTaskUtils.storeFinalMatchingResult(pendingReq, + MatchedPersonResult.generateFormMatchingResult(registerResult.getResult(), + eidasData.getCitizenCountryCode())); + + } + + } catch (final AuthnResponseValidationException e) { + throw new TaskExecutionException(pendingReq, ERROR_MSG_03, e); + + } catch (MessageDecodingException | SecurityException | SamlSigningException e) { + //final String samlRequest = request.getParameter("SAMLRequest"); + //log.debug("Receive INVALID PVP Response from 'ms-specific eIDAS node': {}", + // samlRequest, null, e); + throw new TaskExecutionException(pendingReq, ERROR_MSG_00, + new AuthnResponseValidationException(ERROR_PVP_11, new Object[]{MODULE_NAME_FOR_LOGGING}, e)); + + } catch (IOException | MarshallingException | TransformerException e) { + log.debug("Processing PVP response from 'ms-specific eIDAS node' FAILED.", e); + throw new TaskExecutionException(pendingReq, ERROR_MSG_01, + new AuthnResponseValidationException(ERROR_PVP_12, new Object[]{MODULE_NAME_FOR_LOGGING, e.getMessage()}, e)); + + } catch (final CredentialsNotAvailableException e) { + log.debug("PVP response decryption FAILED. No credential found.", e); + throw new TaskExecutionException(pendingReq, ERROR_MSG_02, + new AuthnResponseValidationException(ERROR_PVP_10, new Object[]{MODULE_NAME_FOR_LOGGING}, e)); + + } catch (final Exception e) { + // todo catch ManualFixNecessaryException in any other way? + log.debug("PVP response validation FAILED. Msg:" + e.getMessage(), e); + throw new TaskExecutionException(pendingReq, ERROR_MSG_03, + new AuthnResponseValidationException(ERROR_PVP_12, new Object[]{MODULE_NAME_FOR_LOGGING, e.getMessage()}, e)); + + } + } + + private List<RegisterResult> extractEntriesByBpk(Stream<RegisterResult> stream, String bpk) { + return stream.filter(el -> bpk.equals(el.getBpk())).collect(Collectors.toList()); + + } + + @NotNull + private InboundMessage decodeAndVerifyMessage(HttpServletRequest request, HttpServletResponse response, + IDecoder decoder, EaafUriCompare comparator) throws Exception { + InboundMessage inboundMessage = (InboundMessage) decoder.decode(request, response, metadataProvider, + IDPSSODescriptor.DEFAULT_ELEMENT_NAME, comparator); + if (!inboundMessage.isVerified()) { + samlVerificationEngine.verify(inboundMessage, TrustEngineFactory.getSignatureKnownKeysTrustEngine( + metadataProvider)); + inboundMessage.setVerified(true); + } + return inboundMessage; + } + + private void validateEntityId(InboundMessage inboundMessage) throws AuthnResponseValidationException { + final String msNodeEntityID = authConfig + .getBasicConfiguration(IdAustriaClientAuthConstants.CONFIG_PROPS_ID_AUSTRIA_ENTITYID); + final String respEntityId = inboundMessage.getEntityID(); + if (!msNodeEntityID.equals(respEntityId)) { + log.warn("Response Issuer is not from valid 'ID Austria IDP'. Stopping ID Austria authentication ..."); + throw new AuthnResponseValidationException(ERROR_PVP_08, + new Object[]{MODULE_NAME_FOR_LOGGING, + inboundMessage.getEntityID()}); + } + } + + @NotNull + private EaafUriCompare loadComparator(HttpServletRequest request) throws AuthnResponseValidationException { + if (request.getMethod().equalsIgnoreCase("POST")) { + log.trace("Receive PVP Response from 'ID Austria system', by using POST-Binding."); + return new EaafUriCompare(pendingReq.getAuthUrl() + IdAustriaClientAuthConstants.ENDPOINT_POST); + } else if (request.getMethod().equalsIgnoreCase("GET")) { + log.trace("Receive PVP Response from 'ID Austria system', by using Redirect-Binding."); + return new EaafUriCompare(pendingReq.getAuthUrl() + IdAustriaClientAuthConstants.ENDPOINT_REDIRECT); + } else { + log.warn("Receive PVP Response from 'ID Austria system', but Binding {} is not supported.", request.getMethod()); + throw new AuthnResponseValidationException(ERROR_PVP_03, new Object[]{MODULE_NAME_FOR_LOGGING}); + } + } + + @NotNull + private IDecoder loadDecoder(HttpServletRequest request) throws AuthnResponseValidationException { + if (request.getMethod().equalsIgnoreCase("POST")) { + log.trace("Receive PVP Response from 'ID Austria system', by using POST-Binding."); + return new PostBinding(); + } else if (request.getMethod().equalsIgnoreCase("GET")) { + log.trace("Receive PVP Response from 'ID Austria system', by using Redirect-Binding."); + return new RedirectBinding(); + } else { + log.warn("Receive PVP Response from 'ID Austria system', but Binding {} is not supported.", request.getMethod()); + throw new AuthnResponseValidationException(ERROR_PVP_03, new Object[]{MODULE_NAME_FOR_LOGGING}); + } + } + + private Pair<PvpSProfileResponse, Boolean> validateAssertion(PvpSProfileResponse msg) + throws IOException, MarshallingException, TransformerException, + CredentialsNotAvailableException, AuthnResponseValidationException, SamlAssertionValidationExeption { + log.debug("Start PVP21 assertion processing... "); + final Response response = (Response) msg.getResponse(); + if (response.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS)) { + samlVerificationEngine.validateAssertion(response, + credentialProvider.getMessageEncryptionCredential(), + pendingReq.getAuthUrl() + IdAustriaClientAuthConstants.ENDPOINT_METADATA, + MODULE_NAME_FOR_LOGGING); + msg.setSamlMessage(Saml2Utils.asDomDocument(response).getDocumentElement()); + revisionsLogger.logEvent(pendingReq, + IdAustriaClientAuthEventConstants.AUTHPROCESS_ID_AUSTRIA_RESPONSE_RECEIVED, + response.getID()); + return Pair.newInstance(msg, false); + } else { + log.info("Receive StatusCode {} from 'ms-specific eIDAS node'.", response.getStatus().getStatusCode().getValue()); + StatusCode subStatusCode = getSubStatusCode(response); + if (subStatusCode != null + && IdAustriaClientAuthConstants.SAML2_STATUSCODE_USERSTOP.equals(subStatusCode.getValue())) { + log.info("Find 'User-Stop operation' in SAML2 response. Stopping authentication process ... "); + return Pair.newInstance(msg, true); + } + + revisionsLogger.logEvent(pendingReq, + IdAustriaClientAuthEventConstants.AUTHPROCESS_ID_AUSTRIA_RESPONSE_RECEIVED_ERROR); + throw new AuthnResponseValidationException(ERROR_PVP_05, + new Object[]{MODULE_NAME_FOR_LOGGING, + response.getIssuer().getValue(), + response.getStatus().getStatusCode().getValue(), + response.getStatus().getStatusMessage().getMessage()}); + } + } + + /** + * Get SAML2 Sub-StatusCode if not <code>null</code>. + * + * @param samlResp SAML2 response + * @return Sub-StatusCode or <code>null</code> if it's not set + */ + private StatusCode getSubStatusCode(Response samlResp) { + if (samlResp.getStatus().getStatusCode().getStatusCode() != null + && StringUtils.isNotEmpty(samlResp.getStatus().getStatusCode().getStatusCode().getValue())) { + return samlResp.getStatus().getStatusCode().getStatusCode(); + } + return null; + } + + private SimpleMobileSignatureData getAuthDataFromInterfederation(AssertionAttributeExtractor extractor) + throws EaafBuilderException { + List<String> requiredAttributes = IdAustriaClientAuthConstants.DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES; + SimpleMobileSignatureData.SimpleMobileSignatureDataBuilder builder = SimpleMobileSignatureData.builder(); + if (!extractor.containsAllRequiredAttributes(requiredAttributes)) { + log.warn("PVP Response from 'ID Austria node' contains not all requested attributes."); + AssertionValidationExeption e = new AssertionValidationExeption(ERROR_PVP_06, + new Object[]{MODULE_NAME_FOR_LOGGING}); + throw new EaafBuilderException(ERROR_PVP_06, null, e.getMessage(), e); + } + final Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames(); + for (final String attrName : includedAttrNames) { + if (PvpAttributeDefinitions.BPK_NAME.equals(attrName)) { + builder.bpk(extractor.getSingleAttributeValue(attrName)); + } + if (PvpAttributeDefinitions.GIVEN_NAME_NAME.equals(attrName)) { + builder.givenName(extractor.getSingleAttributeValue(attrName)); + } + if (PvpAttributeDefinitions.PRINCIPAL_NAME_NAME.equals(attrName)) { + builder.familyName(extractor.getSingleAttributeValue(attrName)); + } + if (PvpAttributeDefinitions.BIRTHDATE_NAME.equals(attrName)) { + builder.dateOfBirth(extractor.getSingleAttributeValue(attrName)); + } + if (PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME.equals(attrName)) { + MatchingTaskUtils.getAuthProcessDataWrapper(pendingReq).setQaaLevel( + extractor.getSingleAttributeValue(attrName)); + } + } + MatchingTaskUtils.getAuthProcessDataWrapper(pendingReq).setIssueInstant(extractor.getAssertionIssuingDate()); + return builder.build(); + + } + + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveOtherLoginMethodGuiResponseTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveOtherLoginMethodGuiResponseTask.java new file mode 100644 index 00000000..8431d968 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveOtherLoginMethodGuiResponseTask.java @@ -0,0 +1,122 @@ +/* + * Copyright 2021 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; + +import java.util.Enumeration; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.lang.StringEscapeUtils; +import org.springframework.stereotype.Component; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SelectedLoginMethod; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.InvalidUserInputException; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.controller.tasks.AbstractLocaleAuthServletTask; +import lombok.extern.slf4j.Slf4j; + +/** + * Handles user's selection from {@link GenerateOtherLoginMethodGuiTask}. + * This corresponds to Steps 10, 14, 16 in the eIDAS Matching Concept. + * Input: + * <ul> + * <li>{@link Constants#DATA_SIMPLE_EIDAS} initial login data from user</li> + * <li>{@link Constants#DATA_INTERMEDIATE_RESULT} results from search in registers with personIdentifier</li> + * </ul> + * Output: + * <ul> + * <li>{@link Constants#DATA_RESULT_MATCHING_BPK} if one register result found</li> + * </ul> + * Transitions: + * <ul> + * <li>{@link GenerateMobilePhoneSignatureRequestTask} if selected by user</li> + * <li>{@link GenerateAustrianResidenceGuiTask} if selected by user</li> + * </ul> + * + * @author amarsalek + * @author ckollmann + */ +@Slf4j +@Component("ReceiveOtherLoginMethodGuiResponseTask") +public class ReceiveOtherLoginMethodGuiResponseTask extends AbstractLocaleAuthServletTask { + + @Override + public void executeWithLocale(ExecutionContext executionContext, HttpServletRequest request, + HttpServletResponse response) throws TaskExecutionException { + try { + SelectedLoginMethod selection = SelectedLoginMethod.valueOf(extractUserSelection(request)); + executionContext.put(Constants.REQ_SELECTED_LOGIN_METHOD_PARAMETER, selection); + transitionToNextTask(executionContext, selection); + + } catch (final IllegalArgumentException e) { + log.error("Parsing selected login method FAILED.", e); + throw new TaskExecutionException(pendingReq, "Parsing selected login method FAILED.", + new InvalidUserInputException("module.eidasauth.matching.98")); + + } catch (final Exception e) { + log.error("Parsing selected login method FAILED.", e); + throw new TaskExecutionException(pendingReq, "Parsing selected login method FAILED.", e); + + } + } + + private String extractUserSelection(HttpServletRequest request) throws InvalidUserInputException { + Enumeration<String> paramNames = request.getParameterNames(); + while (paramNames.hasMoreElements()) { + String paramName = paramNames.nextElement(); + if (Constants.REQ_SELECTED_LOGIN_METHOD_PARAMETER.equalsIgnoreCase(paramName)) { + return StringEscapeUtils.escapeHtml(request.getParameter(paramName)); + + } + } + + throw new InvalidUserInputException("module.eidasauth.matching.98"); + + } + + private void transitionToNextTask(ExecutionContext executionContext, SelectedLoginMethod selection) + throws InvalidUserInputException { + switch (selection) { + case EIDAS_LOGIN: + executionContext.put(Constants.TRANSITION_TO_GENERATE_EIDAS_LOGIN, true); + return; + + case MOBILE_PHONE_SIGNATURE_LOGIN: + executionContext.put(Constants.TRANSITION_TO_GENERATE_MOBILE_PHONE_SIGNATURE_REQUEST_TASK, true); + return; + + case NO_OTHER_LOGIN: + executionContext.put(Constants.TRANSITION_TO_GENERATE_GUI_QUERY_AUSTRIAN_RESIDENCE_TASK, true); + return; + + default: + throw new InvalidUserInputException("module.eidasauth.matching.98"); + + } + } + +} |