diff options
Diffstat (limited to 'eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus')
13 files changed, 255 insertions, 398 deletions
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java index b603774b..e7190ab4 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java @@ -27,6 +27,8 @@ import at.gv.egiz.eaaf.core.api.data.EaafConstants; public class Constants { + public static final String ERRORCODE_00 = "module.eidasauth.00"; + public static final String DATA_REQUESTERID = "req_requesterId"; public static final String DATA_PROVIDERNAME = "req_providerName"; public static final String DATA_REQUESTED_LOA_LIST = "req_requestedLoA"; diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/EidasAuthenticationSpringResourceProvider.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/EidasAuthenticationSpringResourceProvider.java index 535e4f97..e5b10185 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/EidasAuthenticationSpringResourceProvider.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/EidasAuthenticationSpringResourceProvider.java @@ -45,8 +45,10 @@ public class EidasAuthenticationSpringResourceProvider implements SpringResource public Resource[] getResourcesToLoad() { final ClassPathResource eidasAuthConfig = new ClassPathResource("/eidas_v2_auth.beans.xml", EidasAuthenticationSpringResourceProvider.class); - - return new Resource[] { eidasAuthConfig }; + final ClassPathResource eidasRefImplConfig = new ClassPathResource("/eidas_v2_auth_ref_impl_config.beans.xml", + EidasAuthenticationSpringResourceProvider.class); + + return new Resource[] { eidasRefImplConfig, eidasAuthConfig }; } } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/config/EidasConnectorMessageSource.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/config/EidasConnectorMessageSource.java new file mode 100644 index 00000000..7a9f472a --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/config/EidasConnectorMessageSource.java @@ -0,0 +1,21 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.config; + +import java.util.Arrays; +import java.util.List; + +import at.gv.egiz.eaaf.core.api.logging.IMessageSourceLocation; + +/** + * Inject eIDAS Connector specific messages into Spring based message-source. + * + * @author tlenz + * + */ +public class EidasConnectorMessageSource implements IMessageSourceLocation { + + @Override + public List<String> getMessageSourceLocation() { + return Arrays.asList("classpath:/messages/eidas_connector_message"); + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaAuthPvpConfiguration.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaAuthPvpConfiguration.java deleted file mode 100644 index 30c8b65f..00000000 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaAuthPvpConfiguration.java +++ /dev/null @@ -1,121 +0,0 @@ -package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; - -import at.gv.egiz.eaaf.core.api.idp.IConfiguration; -import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; -import at.gv.egiz.eaaf.core.exceptions.EaafException; -import at.gv.egiz.eaaf.modules.pvp2.api.IPvp2BasicConfiguration; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; -import org.apache.commons.lang3.StringUtils; -import org.opensaml.saml.saml2.metadata.ContactPerson; -import org.opensaml.saml.saml2.metadata.ContactPersonTypeEnumeration; -import org.opensaml.saml.saml2.metadata.EmailAddress; -import org.opensaml.saml.saml2.metadata.GivenName; -import org.opensaml.saml.saml2.metadata.Organization; -import org.opensaml.saml.saml2.metadata.OrganizationDisplayName; -import org.opensaml.saml.saml2.metadata.OrganizationName; -import org.opensaml.saml.saml2.metadata.OrganizationURL; -import org.opensaml.saml.saml2.metadata.SurName; -import org.springframework.beans.factory.annotation.Autowired; - -import java.util.Arrays; -import java.util.List; - -public class IdAustriaAuthPvpConfiguration implements IPvp2BasicConfiguration { - - private static final String DEFAULT_XML_LANG = "en"; - - @Autowired - private IConfiguration basicConfig; - - @Override - public String getIdpEntityId(String authUrl) throws EaafException { - return authUrl + IdAustriaClientAuthConstants.ENDPOINT_METADATA; - - } - - @Override - public String getIdpSsoPostService(String authUrl) throws EaafException { - return null; - - } - - @Override - public String getIdpSsoRedirectService(String authUrl) throws EaafException { - return null; - - } - - @Override - public String getIdpSsoSoapService(String extractAuthUrlFromRequest) throws EaafException { - return null; - - } - - @Override - public List<ContactPerson> getIdpContacts() throws EaafException { - final ContactPerson contactPerson = Saml2Utils.createSamlObject(ContactPerson.class); - final GivenName givenName = Saml2Utils.createSamlObject(GivenName.class); - final SurName surname = Saml2Utils.createSamlObject(SurName.class); - final EmailAddress emailAddress = Saml2Utils.createSamlObject(EmailAddress.class); - - givenName.setName(getAndVerifyFromConfiguration( - IdAustriaClientAuthConstants.CONFIG_PROPS_METADATA_CONTACT_GIVENNAME)); - surname.setName(getAndVerifyFromConfiguration( - IdAustriaClientAuthConstants.CONFIG_PROPS_METADATA_CONTACT_SURNAME)); - emailAddress.setAddress(getAndVerifyFromConfiguration( - IdAustriaClientAuthConstants.CONFIG_PROPS_METADATA_CONTACT_EMAIL)); - - contactPerson.setType(ContactPersonTypeEnumeration.TECHNICAL); - contactPerson.setGivenName(givenName); - contactPerson.setSurName(surname); - contactPerson.getEmailAddresses().add(emailAddress); - - return Arrays.asList(contactPerson); - - } - - @Override - public Organization getIdpOrganisation() throws EaafException { - final Organization organisation = Saml2Utils.createSamlObject(Organization.class); - final OrganizationName orgName = Saml2Utils.createSamlObject(OrganizationName.class); - final OrganizationDisplayName orgDisplayName = Saml2Utils.createSamlObject(OrganizationDisplayName.class); - final OrganizationURL orgUrl = Saml2Utils.createSamlObject(OrganizationURL.class); - - orgName.setXMLLang(DEFAULT_XML_LANG); - orgName.setValue(getAndVerifyFromConfiguration( - IdAustriaClientAuthConstants.CONFIG_PROPS_METADATA_ORGANISATION_NAME)); - - orgDisplayName.setXMLLang(DEFAULT_XML_LANG); - orgDisplayName.setValue(getAndVerifyFromConfiguration( - IdAustriaClientAuthConstants.CONFIG_PROPS_METADATA_ORGANISATION_FRIENDLYNAME)); - - orgUrl.setXMLLang(DEFAULT_XML_LANG); - orgUrl.setValue(getAndVerifyFromConfiguration( - IdAustriaClientAuthConstants.CONFIG_PROPS_METADATA_ORGANISATION_URL)); - - - organisation.getOrganizationNames().add(orgName); - organisation.getDisplayNames().add(orgDisplayName); - organisation.getURLs().add(orgUrl); - - return organisation; - } - - - @Override - public IConfiguration getBasicConfiguration() { - return basicConfig; - - } - - private String getAndVerifyFromConfiguration(String configKey) throws EaafConfigurationException { - final String value = basicConfig.getBasicConfiguration(configKey); - if (StringUtils.isEmpty(value)) { - throw new EaafConfigurationException("module.eidasauth.00", - new Object[]{configKey}); - - } - - return value; - } -} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthConstants.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthConstants.java index 8cbfb5f8..46d0e77d 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthConstants.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthConstants.java @@ -1,21 +1,24 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; -import at.gv.egiz.eaaf.core.api.data.EaafConstants; -import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; -import at.gv.egiz.eaaf.core.impl.data.Triple; - import java.util.ArrayList; import java.util.Collections; import java.util.List; +import at.gv.egiz.eaaf.core.api.data.EaafConstants; +import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; +import at.gv.egiz.eaaf.core.impl.data.Triple; + public class IdAustriaClientAuthConstants { private IdAustriaClientAuthConstants() { } - + + public static final String ERRORCODE_02 = "module.eidasauth.idaustria.02"; + public static final String ERRORCODE_05 = "module.eidasauth.idaustria.05"; + public static final String SAML2_STATUSCODE_USERSTOP = "1005"; public static final String MODULE_NAME_FOR_LOGGING = "ID Austria Client"; @@ -25,16 +28,15 @@ public class IdAustriaClientAuthConstants { // public static final String HTTP_PARAM_CENTRAL_EIDAS_AUTH_SELECTION = // AuthHandlerConstants.HTTP_PARAM_EIDAS_PROCESS; - public static final String ENDPOINT_POST = "/idAustriaSp/post"; - public static final String ENDPOINT_REDIRECT = "/idAustriaSp/redirect"; - public static final String ENDPOINT_METADATA = "/idAustriaSp/metadata"; + public static final String ENDPOINT_POST = "/sp/idaustria/post"; + public static final String ENDPOINT_REDIRECT = "/sp/idaustria/redirect"; + public static final String ENDPOINT_METADATA = "/sp/idaustria/metadata"; public static final String CONFIG_PROPS_PREFIX = "modules.idaustriaclient."; public static final String CONFIG_PROPS_KEYSTORE_TYPE = CONFIG_PROPS_PREFIX + "keystore.type"; public static final String CONFIG_PROPS_KEYSTORE_NAME = CONFIG_PROPS_PREFIX + "keystore.name"; public static final String CONFIG_PROPS_KEYSTORE_PATH = CONFIG_PROPS_PREFIX + "keystore.path"; public static final String CONFIG_PROPS_KEYSTORE_PASSWORD = CONFIG_PROPS_PREFIX + "keystore.password"; - public static final String CONFIG_PROPS_AUTH_URL = CONFIG_PROPS_PREFIX + "authurl"; public static final String CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "metadata.sign.password"; public static final String CONFIG_PROPS_SIGN_METADATA_ALIAS = CONFIG_PROPS_PREFIX @@ -57,28 +59,9 @@ public class IdAustriaClientAuthConstants { + "required.additional.attributes"; public static final String CONFIG_PROPS_REQUIRED_LOA = CONFIG_PROPS_PREFIX + "required.loa"; - public static final String CONFIG_PROPS_NODE_ENTITYID = CONFIG_PROPS_PREFIX + "node.entityId"; - public static final String CONFIG_PROPS_SP_ENTITYID = CONFIG_PROPS_PREFIX + "sp.entityId"; - public static final String CONFIG_PROPS_NODE_METADATAURL = CONFIG_PROPS_PREFIX + "node.metadataUrl"; - public static final String CONFIG_PROPS_NODE_TRUSTPROFILEID = CONFIG_PROPS_PREFIX + "node.trustprofileID"; - - - public static final String CONFIG_PROPS_METADATA_CONTACT_GIVENNAME = - CONFIG_PROPS_PREFIX + "metadata.contact.givenname"; - public static final String CONFIG_PROPS_METADATA_CONTACT_SURNAME = - CONFIG_PROPS_PREFIX + "metadata.contact.surname"; - public static final String CONFIG_PROPS_METADATA_CONTACT_EMAIL = - CONFIG_PROPS_PREFIX + "metadata.contact.email"; - public static final String CONFIG_PROPS_METADATA_ORGANISATION_NAME = - CONFIG_PROPS_PREFIX + "metadata.organisation.name"; - public static final String CONFIG_PROPS_METADATA_ORGANISATION_FRIENDLYNAME = - CONFIG_PROPS_PREFIX + "metadata.organisation.friendyname"; - public static final String CONFIG_PROPS_METADATA_ORGANISATION_URL = - CONFIG_PROPS_PREFIX + "metadata.organisation.url"; - - public static final String CONFIG_PROPS_APPSPECIFIC_EIDAS_NODE_URL = "auth.eidas.node.entityId"; - - + public static final String CONFIG_PROPS_ID_AUSTRIA_ENTITYID = CONFIG_PROPS_PREFIX + "idaustria.idp.entityId"; + public static final String CONFIG_PROPS_ID_AUSTRIA_METADATAURL = CONFIG_PROPS_PREFIX + "idaustria.idp.metadataUrl"; + public static final String CONFIG_DEFAULT_LOA_EIDAS_LEVEL = EaafConstants.EIDAS_LOA_HIGH; public static final List<Triple<String, String, Boolean>> DEFAULT_REQUIRED_PVP_ATTRIBUTES = @@ -105,16 +88,6 @@ public class IdAustriaClientAuthConstants { add(Triple.newInstance(PvpAttributeDefinitions.BPK_NAME, PvpAttributeDefinitions.BPK_FRIENDLY_NAME, true)); - // entity eID information - // add(Triple.newInstance(ExtendedPvpAttributeDefinitions.EID_EIDBIND_NAME, - // ExtendedPvpAttributeDefinitions.EID_EIDBIND_FRIENDLY_NAME, true)); - // add(Triple.newInstance(ExtendedPvpAttributeDefinitions.EID_AUTHBLOCK_SIGNED_NAME, - // ExtendedPvpAttributeDefinitions.EID_AUTHBLOCK_SIGNED_FRIENDLY_NAME, true)); - - //request pII transactionId from MS-Connector - // add(Triple.newInstance(ExtendedPvpAttributeDefinitions.EID_PII_TRANSACTION_ID_NAME, - // ExtendedPvpAttributeDefinitions.EID_PII_TRANSACTION_ID_FRIENDLY_NAME, false)); - } }); diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthMetadataConfiguration.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthMetadataConfiguration.java index 4e7f86f1..4527ced4 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthMetadataConfiguration.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthMetadataConfiguration.java @@ -8,6 +8,14 @@ import java.util.HashMap; import java.util.List; import java.util.Map; +import org.opensaml.saml.saml2.core.Attribute; +import org.opensaml.saml.saml2.core.NameIDType; +import org.opensaml.saml.saml2.metadata.ContactPerson; +import org.opensaml.saml.saml2.metadata.Organization; +import org.opensaml.saml.saml2.metadata.RequestedAttribute; +import org.opensaml.security.credential.Credential; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider.IdAustriaClientAuthCredentialProvider; import at.gv.egiz.eaaf.core.exceptions.EaafException; import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.core.impl.data.Triple; @@ -16,14 +24,6 @@ import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataBuilderConfiguration; import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder; - -import org.opensaml.saml.saml2.core.Attribute; -import org.opensaml.saml.saml2.core.NameIDType; -import org.opensaml.saml.saml2.metadata.ContactPerson; -import org.opensaml.saml.saml2.metadata.Organization; -import org.opensaml.saml.saml2.metadata.RequestedAttribute; -import org.opensaml.security.credential.Credential; - import lombok.extern.slf4j.Slf4j; /** @@ -357,7 +357,7 @@ public class IdAustriaClientAuthMetadataConfiguration implements IPvpMetadataBui final Map<String, RequestedAttribute> requestedAttributes = new HashMap<>(); - log.trace("Build required attributes for E-ID operaton ... "); + log.trace("Build required attributes for ID Austria operaton ... "); injectDefinedAttributes(requestedAttributes, IdAustriaClientAuthConstants.DEFAULT_REQUIRED_PVP_ATTRIBUTES); diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthMetadataController.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/controller/IdAustriaClientAuthMetadataController.java index 00b742dd..1e4b27f7 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthMetadataController.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/controller/IdAustriaClientAuthMetadataController.java @@ -1,21 +1,30 @@ -package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.controller; -import at.gv.egiz.eaaf.core.api.idp.IConfiguration; -import at.gv.egiz.eaaf.core.exceptions.EaafException; -import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController; -import at.gv.egiz.eaaf.modules.pvp2.api.IPvp2BasicConfiguration; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpMetadataBuilder; -import com.google.common.net.MediaType; -import lombok.extern.slf4j.Slf4j; +import java.io.IOException; +import java.net.MalformedURLException; +import java.net.URL; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import java.io.IOException; +import com.google.common.net.MediaType; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthMetadataConfiguration; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider.IdAustriaClientAuthCredentialProvider; +import at.gv.egiz.eaaf.core.exceptions.EaafAuthenticationException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.http.HttpUtils; +import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController; +import at.gv.egiz.eaaf.modules.pvp2.api.IPvp2BasicConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpMetadataBuilder; +import lombok.extern.slf4j.Slf4j; /** * Controller that generates SAML2 metadata for eIDAS authentication client. @@ -27,7 +36,7 @@ import java.io.IOException; @Controller public class IdAustriaClientAuthMetadataController extends AbstractController { - //private static final String ERROR_CODE_INTERNAL_00 = "eaaf.core.00"; + private static final String ERROR_CODE_INTERNAL_00 = "eaaf.core.00"; @Autowired PvpMetadataBuilder metadatabuilder; @@ -35,8 +44,6 @@ public class IdAustriaClientAuthMetadataController extends AbstractController { IdAustriaClientAuthCredentialProvider credentialProvider; @Autowired IPvp2BasicConfiguration pvpConfiguration; - @Autowired - private IConfiguration basicConfig; /** * Default construction with logging. @@ -64,8 +71,7 @@ public class IdAustriaClientAuthMetadataController extends AbstractController { EaafException { // check PublicURL prefix try { - final String authUrl = basicConfig.getBasicConfiguration( - IdAustriaClientAuthConstants.CONFIG_PROPS_AUTH_URL); + final String authUrl = getAuthUrlFromHttpContext(req); // initialize metadata builder configuration final IdAustriaClientAuthMetadataConfiguration metadataConfig = @@ -90,29 +96,27 @@ public class IdAustriaClientAuthMetadataController extends AbstractController { } + private String getAuthUrlFromHttpContext(HttpServletRequest req) throws EaafException { + // check if End-Point is valid + final String authUrlString = HttpUtils.extractAuthUrlFromRequest(req); + URL authReqUrl; + try { + authReqUrl = new URL(authUrlString); - // private List<Pair<String, Boolean>> getAdditionalRequiredAttributes() { - // final List<Pair<String, Boolean>> result = new ArrayList<>(); - // - // // load attributes from configuration - // final Map<String, String> addReqAttributes = authConfig.getBasicConfigurationWithPrefix( - // IdAustriaClientAuthConstants.CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST); - // for (final String el : addReqAttributes.values()) { - // if (StringUtils.isNotEmpty(el)) { - // log.trace("Parse additional attr. definition: " + el); - // final List<String> attr = KeyValueUtils.getListOfCsvValues(el.trim()); - // if (attr.size() == 2) { - // result.add(Pair.newInstance(attr.get(0), Boolean.parseBoolean(attr.get(1)))); - // - // } else { - // log.info("IGNORE additional attr. definition: " + el - // + " Reason: Format not valid"); - // } - // } - // } - // - // return result; - // - // } + } catch (final MalformedURLException e) { + log.warn("Requested URL: {} is not a valid URL.", authUrlString); + throw new EaafAuthenticationException(ERROR_CODE_INTERNAL_00, new Object[] { authUrlString }, e); + + } + + final String idpAuthUrl = authConfig.validateIdpUrl(authReqUrl); + if (idpAuthUrl == null) { + log.warn("Requested URL: {} is NOT found in configuration.", authReqUrl); + throw new EaafAuthenticationException(ERROR_CODE_INTERNAL_00, new Object[] { authUrlString }); + + } + + return idpAuthUrl; + } } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthSignalController.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/controller/IdAustriaClientAuthSignalController.java index 1aceb88e..eca21683 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthSignalController.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/controller/IdAustriaClientAuthSignalController.java @@ -1,4 +1,4 @@ -package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.controller; import java.io.IOException; @@ -12,13 +12,13 @@ import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants; import at.gv.egiz.eaaf.core.exceptions.EaafException; import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController; import lombok.extern.slf4j.Slf4j; /** - * IdAustria client controller that receives the response from national - * IdAustria node. + * IdAustria client controller that receives the response from ID Austria system. * * @author tlenz * @@ -28,7 +28,6 @@ import lombok.extern.slf4j.Slf4j; public class IdAustriaClientAuthSignalController extends AbstractProcessEngineSignalController { public static final String HTTP_PARAM_RELAYSTATE = "RelayState"; - public static final String HTTP_PARAM_PENDINGREQUESTID = "pendingid"; /** * Default constructor with logging. @@ -43,7 +42,7 @@ public class IdAustriaClientAuthSignalController extends AbstractProcessEngineSi } /** - * HTTP end-point for incoming SAML2 Response from ID Austria node. + * HTTP end-point for incoming SAML2 Response from ID Austria system. * * @param req HTTP request * @param resp HTTP response diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthCredentialProvider.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/provider/IdAustriaClientAuthCredentialProvider.java index 2608cad1..5b6085c1 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthCredentialProvider.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/provider/IdAustriaClientAuthCredentialProvider.java @@ -1,13 +1,15 @@ -package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider; +import org.springframework.beans.factory.annotation.Autowired; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants; import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider; -import org.springframework.beans.factory.annotation.Autowired; - /** * Credential provider for eIDAS PVP S-Profile client. * @@ -42,7 +44,7 @@ public class IdAustriaClientAuthCredentialProvider extends AbstractCredentialPro final String path = authConfig.getBasicConfiguration( IdAustriaClientAuthConstants.CONFIG_PROPS_KEYSTORE_PATH); if (path == null) { - throw new EaafConfigurationException("module.eidasauth.00", + throw new EaafConfigurationException(Constants.ERRORCODE_00, new Object[] { IdAustriaClientAuthConstants.CONFIG_PROPS_KEYSTORE_PATH }); } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/provider/IdAustriaClientAuthHealthCheck.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/provider/IdAustriaClientAuthHealthCheck.java new file mode 100644 index 00000000..b54b501d --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/provider/IdAustriaClientAuthHealthCheck.java @@ -0,0 +1,56 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider; + +import org.apache.commons.lang3.StringUtils; +import org.opensaml.saml.saml2.metadata.EntityDescriptor; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.actuate.health.Health; +import org.springframework.boot.actuate.health.HealthIndicator; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import lombok.extern.slf4j.Slf4j; +import net.shibboleth.utilities.java.support.resolver.ResolverException; + +/** + * Spring Actuator HealthCheck for ID Austria client that evaluates the current status of + * ID Austria SAML2 metadata that are loaded into MS-Connector. + * + * @author tlenz + * + */ +@Slf4j +public class IdAustriaClientAuthHealthCheck implements HealthIndicator { + + @Autowired IConfiguration authConfig; + @Autowired IdAustriaClientAuthMetadataProvider metadataService; + + @Override + public Health health() { + String msNodeEntityID = authConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_ID_AUSTRIA_ENTITYID); + + if (StringUtils.isEmpty(msNodeEntityID)) { + log.trace("No ID Austria EntityId in configuration. Skipping tests ... "); + return Health.unknown().build(); + + } + + try { + EntityDescriptor connectorMetadata = + metadataService.getEntityDescriptor(msNodeEntityID); + if (connectorMetadata != null) { + return Health.up().build(); + + } else { + return Health.outOfService().withDetail("Reason", "No SAML2 metadata").build(); + + } + + } catch (ResolverException e) { + return Health.down(e).build(); + + } + + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthMetadataProvider.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/provider/IdAustriaClientAuthMetadataProvider.java index 46278ad8..7c87548f 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthMetadataProvider.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/provider/IdAustriaClientAuthMetadataProvider.java @@ -1,4 +1,4 @@ -package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider; import java.io.IOException; import java.security.KeyStore; @@ -11,6 +11,13 @@ import java.util.List; import javax.annotation.PostConstruct; +import org.apache.commons.lang3.StringUtils; +import org.opensaml.saml.metadata.resolver.MetadataResolver; +import org.opensaml.saml.metadata.resolver.filter.MetadataFilter; +import org.opensaml.saml.metadata.resolver.filter.MetadataFilterChain; +import org.springframework.beans.factory.annotation.Autowired; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants; import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; import at.gv.egiz.eaaf.core.exceptions.EaafException; @@ -24,17 +31,10 @@ import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.AbstractChainingMetadataProvid import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SchemaValidationFilter; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SimpleMetadataSignatureVerificationFilter; - -import org.apache.commons.lang3.StringUtils; -import org.opensaml.saml.metadata.resolver.MetadataResolver; -import org.opensaml.saml.metadata.resolver.filter.MetadataFilter; -import org.opensaml.saml.metadata.resolver.filter.MetadataFilterChain; -import org.springframework.beans.factory.annotation.Autowired; - import lombok.extern.slf4j.Slf4j; /** - * SAML2 metadata-provider implementation for eIDAS client. + * SAML2 metadata-provider implementation for ID Austria client. * * @author tlenz * @@ -42,9 +42,9 @@ import lombok.extern.slf4j.Slf4j; @Slf4j public class IdAustriaClientAuthMetadataProvider extends AbstractChainingMetadataProvider { - private static final String FRIENDLYNAME_METADATA_TRUSTSTORE = "'eIDAS_client metadata truststore'"; + private static final String FRIENDLYNAME_METADATA_TRUSTSTORE = "'ID Austria client metadata truststore'"; private static final String PROVIDER_ID_PATTERN = "eIDAS resolver: {0}"; - public static final String PROVIDER_ID = "'eIDAS_client metadata provider'"; + public static final String PROVIDER_ID = "'ID Austria client metadata-provider'"; @Autowired private IConfiguration basicConfig; @@ -61,7 +61,7 @@ public class IdAustriaClientAuthMetadataProvider extends AbstractChainingMetadat @Override protected String getMetadataUrl(String entityId) throws EaafConfigurationException { - log.trace("eIDAS Auth. uses SAML2 well-known location approach. EntityId is Metadata-URL"); + log.trace("ID Austria. uses SAML2 well-known location approach. EntityId is Metadata-URL"); return entityId; } @@ -85,7 +85,7 @@ public class IdAustriaClientAuthMetadataProvider extends AbstractChainingMetadat } catch (final Pvp2MetadataException e) { log.info("Can NOT build metadata provider for entityId: {}", entityId); - throw new EaafConfigurationException("module.eidasauth.04", + throw new EaafConfigurationException(IdAustriaClientAuthConstants.ERRORCODE_05, new Object[] { entityId, e.getMessage() }, e); } @@ -127,7 +127,7 @@ public class IdAustriaClientAuthMetadataProvider extends AbstractChainingMetadat private void initializeFileSystemMetadata() { try { final String metadataUrl = basicConfig.getBasicConfiguration( - IdAustriaClientAuthConstants.CONFIG_PROPS_NODE_METADATAURL); + IdAustriaClientAuthConstants.CONFIG_PROPS_ID_AUSTRIA_METADATAURL); if (StringUtils.isNotEmpty(metadataUrl)) { log.info("Use not recommended metadata-provider initialization!" + " SAML2 'Well-Known-Location' is the preferred methode."); diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateMobilePhoneSignatureRequestTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateMobilePhoneSignatureRequestTask.java index b4fe8bd7..4d305c7d 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateMobilePhoneSignatureRequestTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateMobilePhoneSignatureRequestTask.java @@ -23,13 +23,21 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; +import java.text.MessageFormat; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.lang3.StringUtils; +import org.opensaml.saml.saml2.metadata.EntityDescriptor; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthCredentialProvider; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthMetadataProvider; import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthRequestBuilderConfiguration; -import at.gv.egiz.eaaf.core.api.IRequest; -import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions; -import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider.IdAustriaClientAuthCredentialProvider; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider.IdAustriaClientAuthMetadataProvider; import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage; @@ -37,36 +45,19 @@ import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; import at.gv.egiz.eaaf.core.impl.utils.Random; -import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; import at.gv.egiz.eaaf.modules.pvp2.sp.impl.PvpAuthnRequestBuilder; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.security.SecureRandomIdentifierGenerationStrategy; -import org.apache.commons.lang3.StringUtils; -import org.opensaml.saml.saml2.core.Attribute; -import org.opensaml.saml.saml2.metadata.EntityDescriptor; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Component; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import java.text.MessageFormat; -import java.util.ArrayList; -import java.util.List; /** - * Task that searches ErnB and ZMR before adding person to SZR. + * Generate a SAML2 AuthnRequest to authenticate the user at ID Austria system. * - * @author amarsalek + * @author tlenz */ @Slf4j @Component("GenerateMobilePhoneSignatureRequestTask") public class GenerateMobilePhoneSignatureRequestTask extends AbstractAuthServletTask { - - private static final String ERROR_CODE_02 = "module.eidasauth.02"; - private static final String ERROR_MSG_1 = "Requested 'ms-specific eIDAS node' {0} has no valid metadata or metadata is not found"; @@ -89,21 +80,20 @@ public class GenerateMobilePhoneSignatureRequestTask extends AbstractAuthServlet //step 15a // get entityID for ms-specific ID Austria node - //TODO load from config final String msNodeEntityID = basicConfig.getBasicConfiguration( - IdAustriaClientAuthConstants.CONFIG_PROPS_NODE_ENTITYID); - // final String msNodeEntityID = "classpath:/data/idp_metadata_classpath_entity.xml"; + IdAustriaClientAuthConstants.CONFIG_PROPS_ID_AUSTRIA_ENTITYID); if (StringUtils.isEmpty(msNodeEntityID)) { - log.info("eIDAS authentication not possible -> NO EntityID for central eIDAS node FOUND!"); - throw new TaskExecutionException(pendingReq, "", null); + log.warn("ID Austria authentication not possible -> NO EntityID for ID Austria System FOUND!"); + throw new EaafConfigurationException(Constants.ERRORCODE_00, + new Object[]{IdAustriaClientAuthConstants.CONFIG_PROPS_ID_AUSTRIA_ENTITYID}); } // load IDP SAML2 entitydescriptor final EntityDescriptor entityDesc = metadataService.getEntityDescriptor(msNodeEntityID); if (entityDesc == null) { - throw new EaafConfigurationException(ERROR_CODE_02, + throw new EaafConfigurationException(IdAustriaClientAuthConstants.ERRORCODE_02, new Object[]{MessageFormat.format(ERROR_MSG_1, msNodeEntityID)}); } @@ -117,16 +107,12 @@ public class GenerateMobilePhoneSignatureRequestTask extends AbstractAuthServlet authnReqConfig.setIdpEntity(entityDesc); authnReqConfig.setPassive(false); authnReqConfig.setSignCred(credential.getMessageSigningCredential()); - authnReqConfig.setSpEntityID(pendingReq.getAuthUrl() + IdAustriaClientAuthConstants.ENDPOINT_METADATA); + authnReqConfig.setSpEntityID( + pendingReq.getAuthUrlWithOutSlash() + IdAustriaClientAuthConstants.ENDPOINT_METADATA); authnReqConfig.setRequestedLoA(authConfig.getBasicConfiguration( IdAustriaClientAuthConstants.CONFIG_PROPS_REQUIRED_LOA, IdAustriaClientAuthConstants.CONFIG_DEFAULT_LOA_EIDAS_LEVEL)); - authnReqConfig.setScopeRequesterId(authConfig.getBasicConfiguration( - IdAustriaClientAuthConstants.CONFIG_PROPS_SP_ENTITYID)); - authnReqConfig.setProviderName(pendingReq.getServiceProviderConfiguration().getFriendlyName()); - authnReqConfig.setRequestedAttributes(buildRequestedAttributes(pendingReq)); - /*build relayState for session synchronization, because SAML2 only allows RelayState with 80 characters * but encrypted PendingRequestId is much longer. */ @@ -136,37 +122,10 @@ public class GenerateMobilePhoneSignatureRequestTask extends AbstractAuthServlet // build and transmit AuthnRequest authnReqBuilder.buildAuthnRequest(pendingReq, authnReqConfig, relayState, response); - - //TODO } catch (final Exception e) { - e.printStackTrace(); - log.error("Initial search FAILED.", e); - throw new TaskExecutionException(pendingReq, "Initial search FAILED.", e); + throw new TaskExecutionException(pendingReq, + "Generation of SAML2 AuthnRequest to ID Austria System FAILED", e); + } } - - private List<EaafRequestedAttribute> buildRequestedAttributes(IRequest pendingReq) { - final List<EaafRequestedAttribute> attributes = new ArrayList<>(); - - //build TransactionId attribute - final Attribute attrTransId = PvpAttributeBuilder.buildEmptyAttribute( - ExtendedPvpAttributeDefinitions.EID_TRANSACTION_ID_NAME); - final EaafRequestedAttribute attrTransIdReqAttr = Saml2Utils.generateReqAuthnAttributeSimple( - attrTransId, - true, - pendingReq.getUniqueTransactionIdentifier()); - attributes.add(attrTransIdReqAttr); - - // build EID sector for identification attribute - final Attribute attr = PvpAttributeBuilder.buildEmptyAttribute( - PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME); - final EaafRequestedAttribute bpkTargetReqAttr = Saml2Utils.generateReqAuthnAttributeSimple( - attr, - true, - pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier()); - attributes.add(bpkTargetReqAttr); - - return attributes; - } - } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask.java index 1dc8befd..44e13d78 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask.java @@ -23,6 +23,24 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; +import java.io.IOException; +import java.util.HashMap; +import java.util.List; +import java.util.Set; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.xml.transform.TransformerException; + +import org.apache.commons.lang3.StringUtils; +import org.opensaml.core.xml.io.MarshallingException; +import org.opensaml.messaging.decoder.MessageDecodingException; +import org.opensaml.saml.saml2.core.Response; +import org.opensaml.saml.saml2.core.StatusCode; +import org.opensaml.saml.saml2.metadata.IDPSSODescriptor; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.MergedRegisterSearchResult; import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.RegisterResult; @@ -31,10 +49,10 @@ import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleMobileSignatur import at.asitplus.eidas.specific.modules.auth.eidas.v2.ernp.IErnpClient; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.InvalidUserInputException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.ManualFixNecessaryException; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthEventConstants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthCredentialProvider; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthMetadataProvider; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthEventConstants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider.IdAustriaClientAuthCredentialProvider; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider.IdAustriaClientAuthMetadataProvider; import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.Utils; import at.asitplus.eidas.specific.modules.auth.eidas.v2.zmr.IZmrClient; import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; @@ -60,27 +78,11 @@ import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionValidationExeption; import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnResponseValidationException; import at.gv.egiz.eaaf.modules.pvp2.sp.impl.utils.AssertionAttributeExtractor; import lombok.extern.slf4j.Slf4j; -import org.apache.commons.lang3.StringUtils; -import org.opensaml.core.xml.io.MarshallingException; -import org.opensaml.messaging.decoder.MessageDecodingException; -import org.opensaml.saml.saml2.core.Response; -import org.opensaml.saml.saml2.core.StatusCode; -import org.opensaml.saml.saml2.metadata.IDPSSODescriptor; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Component; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.xml.transform.TransformerException; -import java.io.IOException; -import java.util.HashMap; -import java.util.List; -import java.util.Set; /** - * Task that searches ErnB and ZMR before adding person to SZR. + * Task that receives the SAML2 response from ID Austria system. * - * @author amarsalek + * @author tlenz */ @Slf4j @Component("ReceiveMobilePhoneSignatureResponseTask") @@ -102,9 +104,9 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends private static final String ERROR_PVP_12 = "sp.pvp2.12"; private static final String ERROR_MSG_00 = - "Receive INVALID PVP Response from federated IDP"; + "Receive INVALID PVP Response from ID Austria system"; private static final String ERROR_MSG_01 = - "Processing PVP response from 'ms-specific eIDAS node' FAILED."; + "Processing PVP response from 'ID Austria system' FAILED."; private static final String ERROR_MSG_02 = "PVP response decrytion FAILED. No credential found."; private static final String ERROR_MSG_03 = @@ -124,29 +126,21 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends throws TaskExecutionException { try { log.trace("Starting ReceiveMobilePhoneSignatureResponseTask");//Node 15 - final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); - MergedRegisterSearchResult initialSearchResult = - authProcessData.getGenericDataFromSession(Constants.DATA_INITIAL_REGISTER_RESULT, - MergedRegisterSearchResult.class); - SimpleEidasData eidData = authProcessData.getGenericDataFromSession(Constants.DATA_SIMPLE_EIDAS, - SimpleEidasData.class); - - InboundMessage msg = null; - IDecoder decoder = null; EaafUriCompare comperator = null; + // select Response Binding if (request.getMethod().equalsIgnoreCase("POST")) { decoder = new PostBinding(); comperator = new EaafUriCompare(pendingReq.getAuthUrl() + IdAustriaClientAuthConstants.ENDPOINT_POST); - log.trace("Receive PVP Response from 'ID Austria node', by using POST-Binding."); + log.trace("Receive PVP Response from 'ID Austria system', by using POST-Binding."); } else if (request.getMethod().equalsIgnoreCase("GET")) { decoder = new RedirectBinding(); comperator = new EaafUriCompare(pendingReq.getAuthUrl() + IdAustriaClientAuthConstants.ENDPOINT_REDIRECT); - log.trace("Receive PVP Response from 'ID Austria node', by using Redirect-Binding."); + log.trace("Receive PVP Response from 'ID Austria system', by using Redirect-Binding."); } else { log.warn("Receive PVP Response, but Binding (" @@ -180,10 +174,10 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends } else { // validate entityId of response final String msNodeEntityID = authConfig.getBasicConfiguration( - IdAustriaClientAuthConstants.CONFIG_PROPS_NODE_ENTITYID); + IdAustriaClientAuthConstants.CONFIG_PROPS_ID_AUSTRIA_ENTITYID); final String respEntityId = msg.getEntityID(); if (!msNodeEntityID.equals(respEntityId)) { - log.warn("Response Issuer is not a 'ID Austria node'. Stopping eIDAS authentication ..."); + log.warn("Response Issuer is not from valid 'ID Austria IDP'. Stopping ID Austria authentication ..."); throw new AuthnResponseValidationException(ERROR_PVP_08, new Object[]{IdAustriaClientAuthConstants.MODULE_NAME_FOR_LOGGING, msg.getEntityID()}); @@ -194,6 +188,29 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends final AssertionAttributeExtractor extractor = new AssertionAttributeExtractor(processedMsg.getFirst().getResponse()); + + + + /* + * SAML2 response ist bereits vollständig validiert und die Attribute können aus dem + * <AssertionAttributeExtractor extractor> ausgelesen werden. + * Die AttributeNamen sind entsprechend PVP Spezifikation, z.B. PvpAttributeDefinitions.GIVEN_NAME_NAME + * + * --------------------------------------------------------------------------------------------- + * + * TODO: ab hier müssen wir wohl was anpassen + * + */ + + //load additional search-data from pendingRequest + final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); + MergedRegisterSearchResult initialSearchResult = + authProcessData.getGenericDataFromSession(Constants.DATA_INITIAL_REGISTER_RESULT, + MergedRegisterSearchResult.class); + SimpleEidasData eidData = authProcessData.getGenericDataFromSession(Constants.DATA_SIMPLE_EIDAS, + SimpleEidasData.class); + + SimpleMobileSignatureData simpleMobileSignatureData = getAuthDataFromInterfederation(extractor, authProcessData); if (!simpleMobileSignatureData.equalsSimpleEidasData(eidData)) { @@ -278,8 +295,8 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends return Pair.newInstance(msg, false); } else { - log.info("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue() - + " from 'ms-specific eIDAS node'."); + log.info("Receive StatusCode {} from 'ms-specific eIDAS node'.", + samlResp.getStatus().getStatusCode().getValue()); StatusCode subStatusCode = getSubStatusCode(samlResp); if (subStatusCode != null && IdAustriaClientAuthConstants.SAML2_STATUSCODE_USERSTOP.equals(subStatusCode.getValue())) { @@ -311,6 +328,7 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends && StringUtils.isNotEmpty(samlResp.getStatus().getStatusCode().getStatusCode().getValue())) { return samlResp.getStatus().getStatusCode().getStatusCode(); } + return null; } @@ -352,34 +370,8 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends } - //set piiTransactionId from eIDAS Connector - // String piiTransactionId = extractor.getSingleAttributeValue( - // ExtendedPvpAttributeDefinitions.EID_PII_TRANSACTION_ID_NAME); - // if (StringUtils.isNotEmpty(piiTransactionId) && pendingReq instanceof RequestImpl) { - // log.info("Receive piiTransactionId from Austrian eIDAS Connector. Use this for further processing"); - // ((RequestImpl) pendingReq).setUniquePiiTransactionIdentifier(piiTransactionId); - // - // } else { - // log.debug("Receive no piiTransactionId from Austrian eIDAS Connector."); - // - // } - - // set foreigner flag - // session.setForeigner(true); - - // set IssuerInstant from Assertion authProcessData.setIssueInstant(extractor.getAssertionIssuingDate()); - // set CCE URL - //if (extractor.getFullAssertion().getIssuer() != null - //&& StringUtils.isNotEmpty(extractor.getFullAssertion().getIssuer().getValue())) { - // session.setVdaUrl(extractor.getFullAssertion().getIssuer().getValue()); - - //} //else { - // session.setVdaUrl("eIDAS_Authentication"); - - //} - } catch (final AssertionValidationExeption e) { throw new EaafBuilderException(ERROR_PVP_06, null, e.getMessage(), e); @@ -387,39 +379,7 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends return simpleMobileSignatureData; } - // private void injectAuthInfosIntoSession(AhAuthProcessDataWrapper session, String attrName, String attrValue) - // throws EaafStorageException, MisException, IOException { - // log.trace("Inject attribute: {} with value: {} into AuthSession", attrName, attrValue); - // log.debug("Inject attribute: {} into AuthSession", attrName); - // - // if (ExtendedPvpAttributeDefinitions.EID_EIDBIND_NAME.equals(attrName)) { - // log.debug("Find eidasBind attribute. Switching to E-ID mode ... "); - // session.setEidProcess(true); - // session.setQcBind(attrValue); - // // session.setVsz(extractVszFromEidasBind(attrValue)); - // //T - // - // } else if (ExtendedPvpAttributeDefinitions.EID_AUTHBLOCK_SIGNED_NAME.equals(attrName)) { - // session.setSignedAuthBlock(Base64.getDecoder().decode(attrValue)); - // session.setSignedAuthBlockType(AuthHandlerConstants.AuthBlockType.JWS); - // - // } else if (PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME.equals(attrName)) { - // session.setQaaLevel(attrValue); - // - // // } else if (ExtendedPvpAttributeDefinitions.EID_MIS_MANDATE_NAME.equals(attrName) - // // && authConfig.getBasicConfigurationBoolean( - // // IdAustriaClientAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_ACTIVE, false)) { - // // session.setMandateDate(new SignedMandateDao(attrValue)); - // // session.setUseMandates(true); - // // - // } else { - // session.setGenericDataToSession(attrName, attrValue); - // - // } - // - // } - - + private MergedRegisterSearchResult searchInZmrAndErnp(String bpkzp) { List<RegisterResult> resultsZmr = zmrClient.searchWithBpkZp(bpkzp); List<RegisterResult> resultsErnp = ernpClient.searchWithBpkZp(bpkzp); |