diff options
Diffstat (limited to 'eidas_modules/authmodule-eIDAS-v2/src/main/java')
54 files changed, 7017 insertions, 1293 deletions
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java index 1732a61a..bfb82474 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java @@ -27,11 +27,32 @@ import at.gv.egiz.eaaf.core.api.data.EaafConstants; public class Constants { + //TODO: should we make it configurable? + public static final String MATCHING_INTERNAL_BPK_TARGET = EaafConstants.URN_PREFIX_CDID + "ZP"; + + public static final String ERRORCODE_00 = "module.eidasauth.00"; + public static final String DATA_REQUESTERID = "req_requesterId"; public static final String DATA_PROVIDERNAME = "req_providerName"; public static final String DATA_REQUESTED_LOA_LIST = "req_requestedLoA"; public static final String DATA_REQUESTED_LOA_COMPERISON = "req_requestedLoAComperision"; public static final String DATA_FULL_EIDAS_RESPONSE = "resp_fulleIDASResponse"; + public static final String DATA_FULL_EIDAS_RESPONSE_ALTERNATIVE = "resp_fulleIDASResponseAlternative"; + + /** + * Stored before Step 2 from Matching Concept, input from user eIDAS authn. + */ + public static final String DATA_SIMPLE_EIDAS = "matching_simple_eidas_data"; + + /** + * Stored intermediate mathing results where matching is still on-going. + */ + public static final String DATA_INTERMEDIATE_RESULT = "matching_intermediate_result"; + + /** + * Stored after Step 8 from Matching Concept, results from search in registers with MDS. + */ + public static final String DATA_PERSON_MATCH_RESULT = "matching_result"; // templates for post-binding forwarding public static final String TEMPLATE_POST_FORWARD_NAME = "eidas_node_forward.html"; @@ -41,7 +62,7 @@ public class Constants { // configuration properties public static final String CONIG_PROPS_EIDAS_PREFIX = "auth.eIDAS"; - public static final String CONIG_PROPS_EIDAS_IS_TEST_IDENTITY = CONIG_PROPS_EIDAS_PREFIX + public static final String CONIG_PROPS_EIDAS_IS_TEST_IDENTITY = CONIG_PROPS_EIDAS_PREFIX + ".eid.testidentity.default"; public static final String CONIG_PROPS_EIDAS_NODE = CONIG_PROPS_EIDAS_PREFIX + ".node_v2"; public static final String CONIG_PROPS_EIDAS_NODE_COUNTRYCODE = CONIG_PROPS_EIDAS_NODE + ".countrycode"; @@ -58,20 +79,20 @@ public class Constants { CONIG_PROPS_EIDAS_NODE + ".attributes.requested.{0}.onlynatural"; public static final String CONIG_PROPS_EIDAS_NODE_ATTRIBUTES_REQUESTED_REPRESENTATION = CONIG_PROPS_EIDAS_NODE + ".attributes.requested.representation"; - + public static final String CONIG_PROPS_EIDAS_NODE_REQUESTERID_USE_HASHED_VERSION = CONIG_PROPS_EIDAS_NODE + ".requesterId.useHashedForm"; public static final String CONIG_PROPS_EIDAS_NODE_WORKAROUND_USE_STATIC_REQUESTERID_FOR_LUX = CONIG_PROPS_EIDAS_NODE + ".requesterId.lu.useStaticRequesterForAll"; - + public static final String CONIG_PROPS_EIDAS_NODE_WORKAROUND_ADD_ALWAYS_PROVIDERNAME = - CONIG_PROPS_EIDAS_NODE + ".workarounds.addAlwaysProviderName"; + CONIG_PROPS_EIDAS_NODE + ".workarounds.addAlwaysProviderName"; public static final String CONIG_PROPS_EIDAS_NODE_WORKAROUND_USEREQUESTIDASTRANSACTIONIDENTIFIER = CONIG_PROPS_EIDAS_NODE + ".workarounds.useRequestIdAsTransactionIdentifier"; - - public static final String CONFIG_PROP_EIDAS_NODE_NAMEIDFORMAT = + + public static final String CONFIG_PROP_EIDAS_NODE_NAMEIDFORMAT = CONIG_PROPS_EIDAS_NODE + ".requested.nameIdFormat"; - + public static final String CONIG_PROPS_EIDAS_NODE_STATIC_PROVIDERNAME_FOR_PUBLIC_SP = CONIG_PROPS_EIDAS_NODE + ".staticProviderNameForPublicSPs"; public static final String DEFAULT_PROPS_EIDAS_NODE_STATIC_PROVIDERNAME_FOR_PUBLIC_SP = "Austria"; @@ -79,6 +100,46 @@ public class Constants { public static final String FORWARD_METHOD_POST = "POST"; public static final String FORWARD_METHOD_GET = "GET"; + // ZMR Client configuration properties + public static final String CONIG_PROPS_EIDAS_ZMRCLIENT = CONIG_PROPS_EIDAS_PREFIX + ".zmrclient"; + public static final String CONIG_PROPS_EIDAS_ZMRCLIENT_ENDPOINT = CONIG_PROPS_EIDAS_ZMRCLIENT + + ".endpoint"; + public static final String CONIG_PROPS_EIDAS_ZMRCLIENT_DEBUG_TRACEMESSAGES = CONIG_PROPS_EIDAS_ZMRCLIENT + + ".debug.logfullmessages"; + public static final String CONIG_PROPS_EIDAS_ZMRCLIENT_TIMEOUT_CONNECTION = CONIG_PROPS_EIDAS_ZMRCLIENT + + ".timeout.connection"; + public static final String CONIG_PROPS_EIDAS_ZMRCLIENT_TIMEOUT_RESPONSE = CONIG_PROPS_EIDAS_ZMRCLIENT + + ".timeout.response"; + public static final String CONIG_PROPS_EIDAS_ZMRCLIENT_SSL_KEYSTORE_PATH = CONIG_PROPS_EIDAS_ZMRCLIENT + + ".ssl.keyStore.path"; + public static final String CONIG_PROPS_EIDAS_ZMRCLIENT_SSL_KEYSTORE_PASSWORD = CONIG_PROPS_EIDAS_ZMRCLIENT + + ".ssl.keyStore.password"; + public static final String CONIG_PROPS_EIDAS_ZMRCLIENT_SSL_KEYSTORE_TYPE = CONIG_PROPS_EIDAS_ZMRCLIENT + + ".ssl.keyStore.type"; + public static final String CONIG_PROPS_EIDAS_ZMRCLIENT_SSL_KEYSTORE_NAME = CONIG_PROPS_EIDAS_ZMRCLIENT + + ".ssl.keyStore.name"; + public static final String CONIG_PROPS_EIDAS_ZMRCLIENT_SSL_KEYS_ALIAS = CONIG_PROPS_EIDAS_ZMRCLIENT + + ".ssl.key.alias"; + public static final String CONIG_PROPS_EIDAS_ZMRCLIENT_SSL_KEY_PASSWORD = CONIG_PROPS_EIDAS_ZMRCLIENT + + ".ssl.key.password"; + public static final String CONIG_PROPS_EIDAS_ZMRCLIENT_SSL_TRUSTSTORE_PATH = CONIG_PROPS_EIDAS_ZMRCLIENT + + ".ssl.trustStore.path"; + public static final String CONIG_PROPS_EIDAS_ZMRCLIENT_SSL_TRUSTSTORE_PASSWORD = CONIG_PROPS_EIDAS_ZMRCLIENT + + ".ssl.trustStore.password"; + public static final String CONIG_PROPS_EIDAS_ZMRCLIENT_SSL_TRUSTSTORE_TYPE = CONIG_PROPS_EIDAS_ZMRCLIENT + + ".ssl.trustStore.type"; + public static final String CONIG_PROPS_EIDAS_ZMRCLIENT_SSL_TRUSTSTORE_NAME = CONIG_PROPS_EIDAS_ZMRCLIENT + + ".ssl.trustStore.name"; + + public static final String CONIG_PROPS_EIDAS_ZMRCLIENT_REQ_ORGANIZATION_NR = CONIG_PROPS_EIDAS_ZMRCLIENT + + ".req.organisation.behoerdennr"; + public static final String CONIG_PROPS_EIDAS_ZMRCLIENT_REQ_UPDATE_REASON_CODE = CONIG_PROPS_EIDAS_ZMRCLIENT + + ".req.update.reason.code"; + public static final String CONIG_PROPS_EIDAS_ZMRCLIENT_REQ_UPDATE_REASON_TEXT = CONIG_PROPS_EIDAS_ZMRCLIENT + + ".req.update.reason.text"; + + + // SZR Client configuration properties public static final String CONIG_PROPS_EIDAS_SZRCLIENT = CONIG_PROPS_EIDAS_PREFIX + ".szrclient"; public static final String CONIG_PROPS_EIDAS_SZRCLIENT_USETESTSERVICE = CONIG_PROPS_EIDAS_SZRCLIENT + ".useTestService"; @@ -100,10 +161,22 @@ public class Constants { + ".ssl.keyStore.path"; public static final String CONIG_PROPS_EIDAS_SZRCLIENT_SSL_KEYSTORE_PASSWORD = CONIG_PROPS_EIDAS_SZRCLIENT + ".ssl.keyStore.password"; + public static final String CONIG_PROPS_EIDAS_SZRCLIENT_SSL_KEYSTORE_TYPE = CONIG_PROPS_EIDAS_SZRCLIENT + + ".ssl.keyStore.type"; + public static final String CONIG_PROPS_EIDAS_SZRCLIENT_SSL_KEYSTORE_NAME = CONIG_PROPS_EIDAS_SZRCLIENT + + ".ssl.keyStore.name"; + public static final String CONIG_PROPS_EIDAS_SZRCLIENT_SSL_KEYS_ALIAS = CONIG_PROPS_EIDAS_SZRCLIENT + + ".ssl.key.alias"; + public static final String CONIG_PROPS_EIDAS_SZRCLIENT_SSL_KEY_PASSWORD = CONIG_PROPS_EIDAS_SZRCLIENT + + ".ssl.key.password"; public static final String CONIG_PROPS_EIDAS_SZRCLIENT_SSL_TRUSTSTORE_PATH = CONIG_PROPS_EIDAS_SZRCLIENT + ".ssl.trustStore.path"; public static final String CONIG_PROPS_EIDAS_SZRCLIENT_SSL_TRUSTSTORE_PASSWORD = CONIG_PROPS_EIDAS_SZRCLIENT + ".ssl.trustStore.password"; + public static final String CONIG_PROPS_EIDAS_SZRCLIENT_SSL_TRUSTSTORE_TYPE = CONIG_PROPS_EIDAS_SZRCLIENT + + ".ssl.trustStore.type"; + public static final String CONIG_PROPS_EIDAS_SZRCLIENT_SSL_TRUSTSTORE_NAME = CONIG_PROPS_EIDAS_SZRCLIENT + + ".ssl.trustStore.name"; public static final String CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_EDOCUMENTTYPE = CONIG_PROPS_EIDAS_SZRCLIENT + ".params.documenttype"; @@ -149,13 +222,27 @@ public class Constants { public static final String eIDAS_ATTR_PLACEOFBIRTH = "PlaceOfBirth"; public static final String eIDAS_ATTR_BIRTHNAME = "BirthName"; public static final String eIDAS_ATTR_CURRENTADDRESS = "CurrentAddress"; + public static final String eIDAS_ATTR_TAXREFERENCE = "TaxReference"; public static final String eIDAS_ATTR_LEGALPERSONIDENTIFIER = "LegalPersonIdentifier"; public static final String eIDAS_ATTR_LEGALNAME = "LegalName"; + + //eIDAS attribute URN + public static final String eIDAS_ATTRURN_PREFIX = "http://eidas.europa.eu/attributes/"; + public static final String eIDAS_ATTRURN_PREFIX_NATURAL = eIDAS_ATTRURN_PREFIX + "naturalperson/"; + + public static final String eIDAS_ATTRURN_PERSONALIDENTIFIER = + eIDAS_ATTRURN_PREFIX_NATURAL + eIDAS_ATTR_PERSONALIDENTIFIER; + public static final String eIDAS_ATTRURN_PLACEOFBIRTH = + eIDAS_ATTRURN_PREFIX_NATURAL + eIDAS_ATTR_PLACEOFBIRTH; + public static final String eIDAS_ATTRURN_BIRTHNAME = + eIDAS_ATTRURN_PREFIX_NATURAL + eIDAS_ATTR_BIRTHNAME; + + public static final String eIDAS_REQ_PARAM_SECTOR_PUBLIC = "public"; public static final String eIDAS_REQ_PARAM_SECTOR_PRIVATE = "private"; - + public static final String POLICY_DEFAULT_ALLOWED_TARGETS = EaafConstants.URN_PREFIX_CDID.replaceAll("\\.", "\\\\.").replaceAll("\\+", "\\\\+") + ".*"; @@ -184,4 +271,48 @@ public class Constants { "AJZyj/+sdCMDRq9RkvbFcgSTVn/OfS8EUE81ddwP8MNuJ1kd1SWBUJPaQX2JLJHrL54mkOhrkhH2M/zcuOTu8nW9TOEg" + "XGjrRB/0HpiYKpV+VDJViyyc/GacNLxN4Anw4pima6gHYaJIw9hQkL/nuO2hyh8PGJd7rxeFXJmbLy+X"; + public static final String COUNTRY_CODE_DE = "DE"; + public static final String COUNTRY_CODE_IT = "IT"; + + + // UI options + public static final String HTML_FORM_ADVANCED_MATCHING_FAILED = "advancedMatchingFailed"; + + + // ProcessEngine context + public static final String CONTEXT_FLAG_ADVANCED_MATCHING_FAILED = HTML_FORM_ADVANCED_MATCHING_FAILED; + + /** + * {@link at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.CreateNewErnpEntryTask}. + */ + public static final String TRANSITION_TO_CREATE_NEW_ERNP_ENTRY_TASK = "TASK_CreateNewErnpEntryTask"; + + /** + * {@link at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.GenerateOtherLoginMethodGuiTask}. + */ + public static final String TRANSITION_TO_GENERATE_OTHER_LOGIN_METHOD_GUI_TASK = + "TASK_GenerateOtherLoginMethodGuiTask"; + + /** + * {@link at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.GenerateAustrianResidenceGuiTask}. + */ + public static final String TRANSITION_TO_GENERATE_GUI_QUERY_AUSTRIAN_RESIDENCE_TASK = + "TASK_GenerateAustrianResidenceGuiTask"; + + /** + * {@link at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.GenerateMobilePhoneSignatureRequestTask}. + */ + public static final String TRANSITION_TO_GENERATE_MOBILE_PHONE_SIGNATURE_REQUEST_TASK = + "TASK_GenerateMobilePhoneSignatureRequestTask"; + + /** + * {@link at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.GenerateAuthnRequestTask}. + */ + public static final String TRANSITION_TO_GENERATE_EIDAS_LOGIN = "TASK_GenerateAlternativeEidasAuthn"; + + + /** + * Stores login selection from user. + */ + public static final String REQ_SELECTED_LOGIN_METHOD_PARAMETER = "loginSelection"; } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/EidasAuthenticationSpringResourceProvider.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/EidasAuthenticationSpringResourceProvider.java index 535e4f97..e5b10185 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/EidasAuthenticationSpringResourceProvider.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/EidasAuthenticationSpringResourceProvider.java @@ -45,8 +45,10 @@ public class EidasAuthenticationSpringResourceProvider implements SpringResource public Resource[] getResourcesToLoad() { final ClassPathResource eidasAuthConfig = new ClassPathResource("/eidas_v2_auth.beans.xml", EidasAuthenticationSpringResourceProvider.class); - - return new Resource[] { eidasAuthConfig }; + final ClassPathResource eidasRefImplConfig = new ClassPathResource("/eidas_v2_auth_ref_impl_config.beans.xml", + EidasAuthenticationSpringResourceProvider.class); + + return new Resource[] { eidasRefImplConfig, eidasAuthConfig }; } } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/clients/AbstractSoapClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/clients/AbstractSoapClient.java new file mode 100644 index 00000000..a039881c --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/clients/AbstractSoapClient.java @@ -0,0 +1,199 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.clients; + +import java.security.KeyManagementException; +import java.security.KeyStore; +import java.security.NoSuchAlgorithmException; +import java.security.Provider; +import java.util.ArrayList; +import java.util.List; +import java.util.Map; + +import javax.net.ssl.SSLContext; +import javax.xml.ws.BindingProvider; +import javax.xml.ws.handler.Handler; + +import org.apache.commons.lang3.StringUtils; +import org.apache.cxf.configuration.jsse.TLSClientParameters; +import org.apache.cxf.endpoint.Client; +import org.apache.cxf.frontend.ClientProxy; +import org.apache.cxf.jaxws.DispatchImpl; +import org.apache.cxf.transport.http.HTTPConduit; +import org.apache.cxf.transports.http.configuration.HTTPClientPolicy; +import org.apache.http.ssl.SSLContextBuilder; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.lang.Nullable; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.LoggingHandler; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.http.HttpUtils; +import lombok.Builder; +import lombok.Getter; +import lombok.extern.slf4j.Slf4j; + +@Slf4j +public class AbstractSoapClient { + + @Autowired + protected IConfiguration basicConfig; + @Autowired + EaafKeyStoreFactory keyStoreFactory; + + @Builder + @Getter + public static class HttpClientConfig { + + private final String clientName; + + private final String clientUrl; + private final String clientType; + + private final String connectionTimeout; + private final String responseTimeout; + + private final KeyStoreConfiguration keyStoreConfig; + private final String keyAlias; + private final String keyPassword; + + private final KeyStoreConfiguration trustStoreConfig; + + @Builder.Default + private final boolean trustAll = false; + + } + + /** + * Build a validated KeyStore Configuration-Object from configuration keys. + * + * @param keyStoreTypeKey Configuration key for type + * @param keyStorePathKey Configuration key for path + * @param keyStorePasswordKey Configuration key for password + * @param keyStoreNameKey Configuration key for name + * @param friendlyName Friendlyname for logging and errorhandling + * @return Valid KeyStore configuration or <code>null</code> if no type was + * defined + * @throws EaafConfigurationException In case of validation error + */ + @Nullable + protected KeyStoreConfiguration buildKeyStoreConfiguration(String keyStoreTypeKey, String keyStorePathKey, + String keyStorePasswordKey, String keyStoreNameKey, String friendlyName) + throws EaafConfigurationException { + if (StringUtils.isNotEmpty(basicConfig.getBasicConfiguration(keyStoreTypeKey))) { + log.debug("Starting configuration of: {} ... ", friendlyName); + final KeyStoreConfiguration config = new KeyStoreConfiguration(); + config.setFriendlyName(friendlyName); + config.setKeyStoreType(basicConfig.getBasicConfiguration(keyStoreTypeKey, KeyStoreType.PKCS12.name())); + config.setKeyStoreName(basicConfig.getBasicConfiguration(keyStoreNameKey)); + config.setSoftKeyStoreFilePath(basicConfig.getBasicConfiguration(keyStorePathKey)); + config.setSoftKeyStorePassword(basicConfig.getBasicConfiguration(keyStorePasswordKey)); + + // validate keystore configuration + config.validate(); + + return config; + + } else { + log.info("Skipping configuration of: {}", friendlyName); + return null; + + } + + } + + protected void injectHttpClient(Object raw, HttpClientConfig config) { + // extract client from implementation + Client client; + if (raw instanceof DispatchImpl<?>) { + client = ((DispatchImpl<?>) raw).getClient(); + } else if (raw instanceof Client) { + client = ClientProxy.getClient(raw); + } else { + throw new RuntimeException("SOAP Client for SZR connection is of UNSUPPORTED type: " + raw.getClass() + .getName()); + } + + // set basic connection policies + final HTTPConduit http = (HTTPConduit) client.getConduit(); + + // set timeout policy + final HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy(); + httpClientPolicy.setConnectionTimeout(Integer.parseInt(config.getConnectionTimeout()) * 1000L); + httpClientPolicy.setReceiveTimeout(Integer.parseInt(config.getResponseTimeout()) * 1000L); + http.setClient(httpClientPolicy); + + // inject SSL context in case of https + if (config.getClientUrl().toLowerCase().startsWith("https")) { + try { + log.debug("Adding SSLContext to client: " + config.getClientType() + " ... "); + + final TLSClientParameters tlsParams = new TLSClientParameters(); + if (config.getKeyStoreConfig() != null) { + final SSLContext sslContext = HttpUtils.buildSslContextWithSslClientAuthentication( + keyStoreFactory.buildNewKeyStore(config.getKeyStoreConfig()), + config.getKeyAlias(), + config.getKeyPassword(), + loadTrustStore(config.getTrustStoreConfig(), config.getClientName()), + config.isTrustAll(), + config.getClientName()); + tlsParams.setSSLSocketFactory(sslContext.getSocketFactory()); + + } else { + log.debug( + "No KeyStore for SSL Client Auth. found. Initializing SSLContext for: {} without authentication ... ", + config.getClientName()); + tlsParams.setSSLSocketFactory(SSLContextBuilder.create().build().getSocketFactory()); + + } + + http.setTlsClientParameters(tlsParams); + log.info("SSLContext initialized for client: " + config.getClientType()); + + } catch (EaafException | KeyManagementException | NoSuchAlgorithmException e) { + log.error("SSLContext initialization FAILED.", e); + throw new RuntimeException("SSLContext initialization FAILED.", e); + + } + } + } + + private Pair<KeyStore, Provider> loadTrustStore(KeyStoreConfiguration trustStoreConfig, String friendlyName) + throws EaafException { + if (trustStoreConfig != null) { + log.info("Build custom SSL truststore for: {}", friendlyName); + return keyStoreFactory.buildNewKeyStore(trustStoreConfig); + + } else { + log.info("Use default SSL truststore for: {}", friendlyName); + return null; + + } + + } + + protected void injectBindingProvider(BindingProvider bindingProvider, String clientType, String szrUrl, + boolean enableTraceLogging) { + final Map<String, Object> requestContext = bindingProvider.getRequestContext(); + requestContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, szrUrl); + + log.trace("Adding JAX-WS request/response trace handler to client: " + clientType); + List<Handler> handlerList = bindingProvider.getBinding().getHandlerChain(); + if (handlerList == null) { + handlerList = new ArrayList<>(); + bindingProvider.getBinding().setHandlerChain(handlerList); + + } + + // add logging handler to trace messages if required + if (enableTraceLogging) { + final LoggingHandler loggingHandler = new LoggingHandler(); + handlerList.add(loggingHandler); + + } + bindingProvider.getBinding().setHandlerChain(handlerList); + } +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/clients/szr/SzrClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/clients/szr/SzrClient.java new file mode 100644 index 00000000..397cbe46 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/clients/szr/SzrClient.java @@ -0,0 +1,548 @@ +/* + * Copyright 2018 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.clients.szr; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.net.URL; +import java.nio.charset.StandardCharsets; +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import javax.annotation.PostConstruct; +import javax.xml.XMLConstants; +import javax.xml.bind.JAXBContext; +import javax.xml.bind.Marshaller; +import javax.xml.namespace.QName; +import javax.xml.transform.Source; +import javax.xml.transform.Transformer; +import javax.xml.transform.TransformerException; +import javax.xml.transform.TransformerFactory; +import javax.xml.transform.stream.StreamResult; +import javax.xml.transform.stream.StreamSource; +import javax.xml.ws.BindingProvider; +import javax.xml.ws.Dispatch; + +import org.apache.commons.lang3.StringUtils; +import org.apache.xpath.XPathAPI; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.stereotype.Service; +import org.w3c.dom.Document; +import org.w3c.dom.Element; + +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.ObjectMapper; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.clients.AbstractSoapClient; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.clients.AbstractSoapClient.HttpClientConfig.HttpClientConfigBuilder; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.MatchedPersonResult; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.SzrCommunicationException; +import at.gv.e_government.reference.namespace.persondata._20020228.AlternativeNameType; +import at.gv.e_government.reference.namespace.persondata._20020228.IdentificationType; +import at.gv.e_government.reference.namespace.persondata._20020228.PersonNameType; +import at.gv.e_government.reference.namespace.persondata._20020228.PhysicalPersonType; +import at.gv.egiz.eaaf.core.api.data.EaafConstants; +import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; +import at.gv.egiz.eaaf.core.api.data.XmlNamespaceConstants; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.impl.utils.DomUtils; +import szrservices.GetBPK; +import szrservices.GetBPKResponse; +import szrservices.GetIdentityLinkEidas; +import szrservices.GetIdentityLinkEidasResponse; +import szrservices.IdentityLinkType; +import szrservices.JwsHeaderParam; +import szrservices.ObjectFactory; +import szrservices.PersonInfoType; +import szrservices.SZR; +import szrservices.SZRException_Exception; +import szrservices.SignContent; +import szrservices.SignContentEntry; +import szrservices.SignContentResponseType; +import szrservices.TravelDocumentType; + + +@Service("SZRClientForeIDAS") +public class SzrClient extends AbstractSoapClient { + private static final Logger log = LoggerFactory.getLogger(SzrClient.class); + + private static final String CLIENT_DEFAULT = "DefaultClient"; + private static final String CLIENT_RAW = "RawClient"; + + private static final String ATTR_NAME_VSZ = "urn:eidgvat:attributes.vsz.value"; + private static final String ATTR_NAME_PUBKEYS = "urn:eidgvat:attributes.user.pubkeys"; + private static final String ATTR_NAME_STATUS = "urn:eidgvat:attributes.eid.status"; + private static final String KEY_BC_BIND = "bcBindReq"; + private static final String JOSE_HEADER_USERCERTPINNING_TYPE = "urn:at.gv.eid:bindtype"; + private static final String JOSE_HEADER_USERCERTPINNING_EIDASBIND = "urn:at.gv.eid:eidasBind"; + public static final String ATTR_NAME_MDS = "urn:eidgvat:mds"; + + // client for anything, without identitylink + private SZR szr = null; + + // RAW client is needed for identitylink + private Dispatch<Source> dispatch = null; + + final ObjectMapper mapper = new ObjectMapper(); + + /** + * Get IdentityLink of a person. + * + * + * @param eidData minimum dataset of person + * @return IdentityLink + * @throws SzrCommunicationException In case of a SZR error + */ + public IdentityLinkType getIdentityLinkInRawMode(SimpleEidasData eidData) + throws SzrCommunicationException { + try { + final GetIdentityLinkEidas getIdl = new GetIdentityLinkEidas(); + getIdl.setPersonInfo(generateSzrRequest(eidData)); + + return getIdentityLinkGeneric(getIdl); + + } catch (final Exception e) { + log.warn("SZR communication FAILED. Reason: " + e.getMessage(), e); + throw new SzrCommunicationException("ernb.02", new Object[]{e.getMessage()}, e); + + } + } + + /** + * Get IdentityLink of a person. + * + * + * @param matchedPersonData eID information of an already matched person. + * @return IdentityLink + * @throws SzrCommunicationException In case of a SZR error + */ + public IdentityLinkType getIdentityLinkInRawMode(MatchedPersonResult matchedPersonData) + throws SzrCommunicationException { + try { + final GetIdentityLinkEidas getIdl = new GetIdentityLinkEidas(); + getIdl.setPersonInfo(generateSzrRequest(matchedPersonData)); + + return getIdentityLinkGeneric(getIdl); + + } catch (final Exception e) { + log.warn("SZR communication FAILED. Reason: " + e.getMessage(), e); + throw new SzrCommunicationException("ernb.02", new Object[]{e.getMessage()}, e); + + } + } + + /** + * Get bPK of person. + * + * + * @param eidData Minimum dataset of person + * @param target requested bPK target + * @param vkz Verfahrenskennzeichen + * @return bPK for this person + * @throws SzrCommunicationException In case of a SZR error + */ + public List<String> getBpk(SimpleEidasData eidData, String target, String vkz) + throws SzrCommunicationException { + try { + final GetBPK parameters = new GetBPK(); + parameters.setPersonInfo(generateSzrRequest(eidData)); + parameters.getBereichsKennung().add(target); + parameters.setVKZ(vkz); + final GetBPKResponse result = this.szr.getBPK(parameters); + + return result.getGetBPKReturn(); + + } catch (final SZRException_Exception e) { + log.warn("SZR communication FAILED. Reason: " + e.getMessage(), e); + throw new SzrCommunicationException("ernb.02", new Object[]{e.getMessage()}, e); + + } + + } + + /** + * Creates a new ERnP entry. + * TODO Is this correct? Ask BMI. + * + * @param eidasData Minimum dataset of person + * @return encrypted baseId + * @throws SzrCommunicationException In case of a SZR error + */ + public String createNewErnpEntry(final SimpleEidasData eidasData) throws SzrCommunicationException { + final String resp; + try { + resp = this.szr.getStammzahlEncrypted(generateSzrRequest(eidasData), true); + } catch (SZRException_Exception e) { + throw new SzrCommunicationException("ernb.02", new Object[]{e.getMessage()}, e); + } + if (StringUtils.isEmpty(resp)) { + throw new SzrCommunicationException("ernb.01", new Object[]{"Stammzahl response empty"}); // TODO error handling + } + return resp; + } + + /** + * Request a encrypted baseId from SZR. + * + * <b>Note</b>: Previously, this method did create a new ERnP entry, if it did not exist. This is + * <b>not</b> the case any more. See {@link #createNewErnpEntry(SimpleEidasData)} for that functionality. + * + * @param eidData Minimum dataset of person + * @return encrypted baseId + * @throws SzrCommunicationException In case of a SZR error + */ + public String getEncryptedStammzahl(final SimpleEidasData eidData) + throws SzrCommunicationException { + final String resp; + try { + resp = this.szr.getStammzahlEncrypted(generateSzrRequest(eidData), false); + } catch (SZRException_Exception e) { + throw new SzrCommunicationException("ernb.02", new Object[]{e.getMessage()}, e); + } + + if (StringUtils.isEmpty(resp)) { + throw new SzrCommunicationException("ernb.01", new Object[]{"Stammzahl response empty"}); // TODO error handling + } + + return resp; + + } + + /** + * Request a encrypted baseId from SZR. + * + * @param matchedPersonData eID information of an already matched person. + * @return encrypted baseId + * @throws SzrCommunicationException In case of a SZR error + */ + public String getEncryptedStammzahl(MatchedPersonResult matchedPersonData) throws SzrCommunicationException { + final String resp; + try { + resp = this.szr.getStammzahlEncrypted(generateSzrRequest(matchedPersonData), false); + + } catch (SZRException_Exception e) { + throw new SzrCommunicationException("ernb.02", new Object[]{e.getMessage()}, e); + + } + + if (StringUtils.isEmpty(resp)) { + throw new SzrCommunicationException("ernb.01", new Object[]{"Stammzahl response empty"}); // TODO error handling + + } + + return resp; + + } + + /** + * Sign an eidasBind data-structure that combines vsz with user's pubKey and E-ID status. + * + * @param vsz encrypted baseId + * @param bindingPubKey binding PublicKey as PKCS1# (ASN.1) container + * @param eidStatus Status of the E-ID + * @param eidData eID information that was used for ERnP registration + * @return bPK for this person + * @throws SzrCommunicationException In case of a SZR error + */ + public String getEidasBind(final String vsz, final String bindingPubKey, final String eidStatus, + SimpleEidasData eidData)throws SzrCommunicationException { + + final Map<String, Object> eidsaBindMap = new HashMap<>(); + eidsaBindMap.put(ATTR_NAME_VSZ, vsz); + eidsaBindMap.put(ATTR_NAME_STATUS, eidStatus); + eidsaBindMap.put(ATTR_NAME_PUBKEYS, Collections.singletonList(bindingPubKey)); + eidsaBindMap.put(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, eidData.getCitizenCountryCode()); + injectMdsIfAvailableAndActive(eidsaBindMap, eidData); + + try { + final String serializedEidasBind = mapper.writeValueAsString(eidsaBindMap); + final SignContent req = new SignContent(); + final SignContentEntry eidasBindInfo = new SignContentEntry(); + eidasBindInfo.setKey(KEY_BC_BIND); + eidasBindInfo.setValue(serializedEidasBind); + req.getIn().add(eidasBindInfo); + req.setAppendCert(false); + final JwsHeaderParam eidasBindJoseHeader = new JwsHeaderParam(); + eidasBindJoseHeader.setKey(JOSE_HEADER_USERCERTPINNING_TYPE); + eidasBindJoseHeader.setValue(JOSE_HEADER_USERCERTPINNING_EIDASBIND); + req.getJWSHeaderParam().add(eidasBindJoseHeader); + + log.trace("Requesting SZR to sign bcBind datastructure ... "); + final SignContentResponseType resp = szr.signContent(req.isAppendCert(), req.getJWSHeaderParam(), req.getIn()); + log.trace("Receive SZR response on bcBind siging operation "); + + if (resp == null || resp.getOut() == null + || resp.getOut().isEmpty() + || StringUtils.isEmpty(resp.getOut().get(0).getValue())) { + throw new SzrCommunicationException("ernb.01", new Object[]{"BcBind response empty"}); + } + + return resp.getOut().get(0).getValue(); + + } catch (final JsonProcessingException | SZRException_Exception e) { + log.warn("Requesting bcBind by using SZR FAILED.", e); + throw new SzrCommunicationException("ernb.02", + new Object[]{e.getMessage()}, e); + } + } + + private PersonInfoType generateSzrRequest(MatchedPersonResult matchedPersonData) { + log.trace("Starting connecting SZR Gateway"); + final PersonInfoType personInfo = new PersonInfoType(); + final PersonNameType personName = new PersonNameType(); + final PhysicalPersonType naturalPerson = new PhysicalPersonType(); + IdentificationType bpk = new IdentificationType(); + + naturalPerson.setName(personName); + personInfo.setPerson(naturalPerson); + naturalPerson.setIdentification(bpk); + + // person information + personName.setFamilyName(matchedPersonData.getFamilyName()); + personName.setGivenName(matchedPersonData.getGivenName()); + naturalPerson.setDateOfBirth(matchedPersonData.getDateOfBirth()); + bpk.setValue(matchedPersonData.getBpk()); + bpk.setType(EaafConstants.URN_PREFIX_CDID + "ZP"); + + return personInfo; + } + + private PersonInfoType generateSzrRequest(SimpleEidasData eidData) { + log.trace("Starting connecting SZR Gateway"); + final PersonInfoType personInfo = new PersonInfoType(); + final PersonNameType personName = new PersonNameType(); + final PhysicalPersonType naturalPerson = new PhysicalPersonType(); + final TravelDocumentType eDocument = new TravelDocumentType(); + + naturalPerson.setName(personName); + personInfo.setPerson(naturalPerson); + personInfo.setTravelDocument(eDocument); + + // person information + personName.setFamilyName(eidData.getFamilyName()); + personName.setGivenName(eidData.getGivenName()); + naturalPerson.setDateOfBirth(eidData.getDateOfBirth()); + + //TODO: need to be updated to new eIDAS document interface!!!! + eDocument.setIssuingCountry(eidData.getCitizenCountryCode()); + eDocument.setDocumentNumber(eidData.getPseudonym()); + + // eID document information + String documentType = basicConfig + .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_EDOCUMENTTYPE, + Constants.SZR_CONSTANTS_DEFAULT_DOCUMENT_TYPE); + eDocument.setDocumentType(documentType); + + // set PlaceOfBirth if available + if (eidData.getPlaceOfBirth() != null) { + log.trace("Find 'PlaceOfBirth' attribute: " + eidData.getPlaceOfBirth()); + boolean setPlaceOfBirth = basicConfig + .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETPLACEOFBIRTHIFAVAILABLE, true); + if (setPlaceOfBirth) { + naturalPerson.setPlaceOfBirth(eidData.getPlaceOfBirth()); + log.trace("Adding 'PlaceOfBirth' to ERnB request ... "); + } + } + + // set BirthName if available + if (eidData.getBirthName() != null) { + log.trace("Find 'BirthName' attribute: " + eidData.getBirthName()); + boolean setBirthName = basicConfig + .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETBIRTHNAMEIFAVAILABLE, true); + if (setBirthName) { + final AlternativeNameType alternativeName = new AlternativeNameType(); + naturalPerson.setAlternativeName(alternativeName); + alternativeName.setFamilyName(eidData.getBirthName()); + log.trace("Adding 'BirthName' to ERnB request ... "); + } + } + + return personInfo; + } + + private IdentityLinkType getIdentityLinkGeneric(GetIdentityLinkEidas getIdl) throws Exception { + final JAXBContext jaxbContext = JAXBContext.newInstance(ObjectFactory.class); + final Marshaller jaxbMarshaller = jaxbContext.createMarshaller(); + + final ByteArrayOutputStream outputStream = new ByteArrayOutputStream(); + jaxbMarshaller.marshal(getIdl, outputStream); + outputStream.flush(); + + final Source source = new StreamSource(new ByteArrayInputStream(outputStream.toByteArray())); + outputStream.close(); + + log.trace("Requesting SZR ... "); + final Source response = dispatch.invoke(source); + log.trace("Receive RAW response from SZR"); + + final byte[] szrResponse = sourceToByteArray(response); + final GetIdentityLinkEidasResponse jaxbElement = (GetIdentityLinkEidasResponse) jaxbContext + .createUnmarshaller().unmarshal(new ByteArrayInputStream(szrResponse)); + + // build response + log.trace(new String(szrResponse, StandardCharsets.UTF_8)); + + // ok, we have success + final Document doc = DomUtils.parseDocument( + new ByteArrayInputStream(szrResponse), + true, + XmlNamespaceConstants.ALL_SCHEMA_LOCATIONS + " " + Constants.SZR_SCHEMA_LOCATIONS, + null, null); + final String xpathExpression = "//saml:Assertion"; + final Element nsNode = doc.createElementNS("urn:oasis:names:tc:SAML:1.0:assertion", "saml:NSNode"); + + log.trace("Selecting signed doc " + xpathExpression); + final Element documentNode = (Element) XPathAPI.selectSingleNode(doc, + xpathExpression, nsNode); + log.trace("Signed document: " + DomUtils.serializeNode(documentNode)); + + final IdentityLinkType idl = new IdentityLinkType(); + idl.setAssertion(documentNode); + idl.setPersonInfo(jaxbElement.getGetIdentityLinkReturn().getPersonInfo()); + + return idl; + + } + + @PostConstruct + private void initialize() throws EaafConfigurationException { + log.info("Starting SZR-Client initialization .... "); + final URL url = SzrClient.class.getResource("/wsdl/szr_client/SZR_v4.0.wsdl"); + + final boolean useTestSzr = basicConfig.getBasicConfigurationBoolean( + Constants.CONIG_PROPS_EIDAS_SZRCLIENT_USETESTSERVICE, + true); + + SzrService szrService; + QName qname; + String szrUrl; + if (useTestSzr) { + log.debug("Initializing SZR test environment configuration."); + qname = SzrService.SZRTestumgebung; + szrService = new SzrService(url, new QName("urn:SZRServices", "SZRService")); + szr = szrService.getSzrTestumgebung(); + szrUrl = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_ENDPOINT_TEST); + + } else { + log.debug("Initializing SZR productive configuration."); + qname = SzrService.SZRProduktionsumgebung; + szrService = new SzrService(url, new QName("urn:SZRServices", "SZRService")); + szr = szrService.getSzrProduktionsumgebung(); + szrUrl = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_ENDPOINT_PROD); + + } + + // create raw client; + dispatch = szrService.createDispatch(qname, Source.class, javax.xml.ws.Service.Mode.PAYLOAD); + + if (StringUtils.isEmpty(szrUrl)) { + log.error("No SZR service-URL found. SZR-Client initalisiation failed."); + throw new RuntimeException("No SZR service URL found. SZR-Client initalisiation failed."); + + } + + // check if Clients can be initialized + if (szr == null) { + log.error("SZR " + CLIENT_DEFAULT + " is 'NULL'. Something goes wrong"); + throw new RuntimeException("SZR " + CLIENT_DEFAULT + " is 'NULL'. Something goes wrong"); + + } + if (dispatch == null) { + log.error("SZR " + CLIENT_RAW + " is 'NULL'. Something goes wrong"); + throw new RuntimeException("SZR " + CLIENT_RAW + " is 'NULL'. Something goes wrong"); + + } + + // inject handler + log.info("Use SZR service-URL: " + szrUrl); + injectBindingProvider((BindingProvider) szr, CLIENT_DEFAULT, szrUrl, + basicConfig.getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_TRACEMESSAGES, false)); + injectBindingProvider(dispatch, CLIENT_RAW, szrUrl, + basicConfig.getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_TRACEMESSAGES, false)); + + // inject http parameters and SSL context + log.debug("Inject HTTP client settings ... "); + HttpClientConfigBuilder httpClientBuilder = HttpClientConfig.builder() + .clientName("SZR Client") + .clientUrl(szrUrl) + .connectionTimeout(basicConfig.getBasicConfiguration( + Constants.CONIG_PROPS_EIDAS_SZRCLIENT_TIMEOUT_CONNECTION, + Constants.HTTP_CLIENT_DEFAULT_TIMEOUT_CONNECTION)) + .responseTimeout(basicConfig.getBasicConfiguration( + Constants.CONIG_PROPS_EIDAS_SZRCLIENT_TIMEOUT_RESPONSE, + Constants.HTTP_CLIENT_DEFAULT_TIMEOUT_RESPONSE)) + .keyStoreConfig(buildKeyStoreConfiguration( + Constants.CONIG_PROPS_EIDAS_SZRCLIENT_SSL_KEYSTORE_TYPE, + Constants.CONIG_PROPS_EIDAS_SZRCLIENT_SSL_KEYSTORE_PATH, + Constants.CONIG_PROPS_EIDAS_SZRCLIENT_SSL_KEYSTORE_PASSWORD, + Constants.CONIG_PROPS_EIDAS_SZRCLIENT_SSL_KEYSTORE_NAME, + "SZR SSL Client-Authentication KeyStore")) + .keyAlias(basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_SSL_KEYS_ALIAS)) + .keyPassword(basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_SSL_KEY_PASSWORD)) + .trustAll(false) + .trustStoreConfig(buildKeyStoreConfiguration( + Constants.CONIG_PROPS_EIDAS_SZRCLIENT_SSL_TRUSTSTORE_TYPE, + Constants.CONIG_PROPS_EIDAS_SZRCLIENT_SSL_TRUSTSTORE_PATH, + Constants.CONIG_PROPS_EIDAS_SZRCLIENT_SSL_TRUSTSTORE_PASSWORD, + Constants.CONIG_PROPS_EIDAS_SZRCLIENT_SSL_TRUSTSTORE_NAME, + "SZR SSL Client-Authentication KeyStore")); + + injectHttpClient(szr, httpClientBuilder.clientType(CLIENT_DEFAULT).build()); + injectHttpClient(dispatch, httpClientBuilder.clientType(CLIENT_RAW).build()); + + log.info("SZR-Client initialization successfull"); + } + + private void injectMdsIfAvailableAndActive(Map<String, Object> eidsaBindMap, SimpleEidasData eidData) { + if (basicConfig.getBasicConfigurationBoolean( + Constants.CONIG_PROPS_EIDAS_SZRCLIENT_SET_MDS_TO_EIDASBIND, false)) { + log.info("Injecting MDS into eidasBind ... "); + final Map<String, Object> mds = new HashMap<>(); + mds.put(PvpAttributeDefinitions.PRINCIPAL_NAME_NAME, eidData.getFamilyName()); + mds.put(PvpAttributeDefinitions.GIVEN_NAME_NAME, eidData.getGivenName()); + mds.put(PvpAttributeDefinitions.BIRTHDATE_NAME, eidData.getDateOfBirth()); + eidsaBindMap.put(ATTR_NAME_MDS, mds); + + } + } + + private byte[] sourceToByteArray(Source result) throws TransformerException { + final TransformerFactory factory = TransformerFactory.newInstance(); + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + final Transformer transformer = factory.newTransformer(); + transformer.setOutputProperty("omit-xml-declaration", "yes"); + transformer.setOutputProperty("method", "xml"); + final ByteArrayOutputStream out = new ByteArrayOutputStream(); + final StreamResult streamResult = new StreamResult(); + streamResult.setOutputStream(out); + transformer.transform(result, streamResult); + return out.toByteArray(); + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrService.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/clients/szr/SzrService.java index dde868b1..590f88a4 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrService.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/clients/szr/SzrService.java @@ -21,7 +21,7 @@ * that you distribute must include a readable copy of the "NOTICE" text file. */ -package at.asitplus.eidas.specific.modules.auth.eidas.v2.szr; +package at.asitplus.eidas.specific.modules.auth.eidas.v2.clients.szr; import java.net.URL; @@ -52,7 +52,7 @@ public class SzrService extends Service { "SZRBusinesspartnerTestumgebung"); static { - URL url = SzrService.class.getResource("./src/main/resources/szr_client/SZR-1.WSDL"); + URL url = SzrService.class.getResource("./src/main/resources/wsdl/szr_client/SZR-1.WSDL"); if (url == null) { url = SzrService.class.getClassLoader().getResource("/szr_client/SZR-1.WSDL"); } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/clients/zmr/IZmrClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/clients/zmr/IZmrClient.java new file mode 100644 index 00000000..c4e8ece0 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/clients/zmr/IZmrClient.java @@ -0,0 +1,98 @@ +/* + * Copyright 2020 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.clients.zmr; + +import java.math.BigInteger; + +import javax.annotation.Nonnull; +import javax.annotation.Nullable; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.clients.zmr.ZmrSoapClient.ZmrRegisterResult; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.RegisterResult; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasSAuthenticationException; +import at.gv.bmi.namespace.zmr_su.zmr._20040201.PersonSuchenRequest; + +public interface IZmrClient { + + /** + * Search person based on eIDAS personal identifier. + * + * @param zmrProzessId ProcessId from ZMR or <code>null</code> if no processId exists + * @param personIdentifier Full eIDAS personal identifier with prefix + * @param citizenCountryCode CountryCode of the eIDAS proxy-service + * @return Search result but never <code>null</code> + * @throws EidasSAuthenticationException In case of a communication error + */ + @Nonnull + ZmrRegisterResult searchWithPersonIdentifier(@Nullable BigInteger zmrProzessId, @Nonnull String personIdentifier, + @Nonnull String citizenCountryCode) throws EidasSAuthenticationException; + + /** + * Search person based on eIDSA MDS information. + * + * @param zmrProzessId ProcessId from ZMR or <code>null</code> if no processId exists + * @param givenName eIDAS given name + * @param familyName eIDAS principle name + * @param dateOfBirth eIDAS date-of-birth + * @param citizenCountryCode CountryCode of the eIDAS proxy-service + * @return Search result but never <code>null</code> + * @throws EidasSAuthenticationException In case of a communication error + */ + @Nonnull + ZmrRegisterResult searchWithMds(@Nullable BigInteger zmrProzessId, @Nonnull String givenName, + @Nonnull String familyName, @Nonnull String dateOfBirth, @Nonnull String citizenCountryCode) + throws EidasSAuthenticationException; + + /** + * Search person based on country-specific natural person set. + * + * @param zmrProzessId ProcessId from ZMR or <code>null</code> if no processId exists + * @param personSearchDao Specific set of natural person informations. + * @param citizenCountryCode CountryCode of the eIDAS proxy-service + * @return Search result but never <code>null</code> + * @throws EidasSAuthenticationException In case of a communication error + */ + @Nonnull + ZmrRegisterResult searchCountrySpecific(@Nullable BigInteger zmrProzessId, + @Nonnull PersonSuchenRequest personSearchDao, @Nonnull String citizenCountryCode) + throws EidasSAuthenticationException; + + /** + * Update ZMR entry to KITT existing ZMR identity with this eIDAS authentication. + * + * @param zmrProzessId zmrProzessId ProcessId from ZMR or <code>null</code> if no processId exists + * @param registerResult Already matched eIDAS identity that should be KITT + * @param eidData eIDAS eID information from current authentication process + * @return Update result but never <code>null</code> + * @throws EidasSAuthenticationException In case of a communication error + */ + @Nonnull + ZmrRegisterResult update(@Nullable BigInteger zmrProzessId, RegisterResult registerResult, SimpleEidasData eidData) + throws EidasSAuthenticationException; + + ZmrRegisterResult searchWithResidenceData(@Nullable BigInteger zmrProzessId, String givenName, String familyName, + String dateOfBirth, String zipcode, String city, String street); + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/clients/zmr/ZmrSoapClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/clients/zmr/ZmrSoapClient.java new file mode 100644 index 00000000..711226e2 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/clients/zmr/ZmrSoapClient.java @@ -0,0 +1,794 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.clients.zmr; + +import java.math.BigInteger; +import java.net.URL; +import java.text.MessageFormat; +import java.util.Arrays; +import java.util.Collection; +import java.util.Collections; +import java.util.HashSet; +import java.util.List; +import java.util.Objects; +import java.util.Optional; +import java.util.Set; +import java.util.stream.Collectors; + +import javax.annotation.Nonnull; +import javax.annotation.PostConstruct; +import javax.xml.ws.BindingProvider; + +import org.apache.commons.lang3.StringUtils; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.lang.NonNull; +import org.springframework.lang.Nullable; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.clients.AbstractSoapClient; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.RegisterResult; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasSAuthenticationException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.WorkflowException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.ZmrCommunicationException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.VersionHolder; +import at.gv.bmi.namespace.zmr_su.base._20040201.ClientInfoType; +import at.gv.bmi.namespace.zmr_su.base._20040201.Organisation; +import at.gv.bmi.namespace.zmr_su.base._20040201.RequestType; +import at.gv.bmi.namespace.zmr_su.base._20040201.ResponseType; +import at.gv.bmi.namespace.zmr_su.base._20040201.WorkflowInfoClient; +import at.gv.bmi.namespace.zmr_su.base._20040201.WorkflowInfoServer; +import at.gv.bmi.namespace.zmr_su.base._20040201_.Service; +import at.gv.bmi.namespace.zmr_su.base._20040201_.ServiceFault; +import at.gv.bmi.namespace.zmr_su.base._20040201_.ServicePort; +import at.gv.bmi.namespace.zmr_su.zmr._20040201.EidasIdentitaetAnlageType; +import at.gv.bmi.namespace.zmr_su.zmr._20040201.EidasIdentitaetErgebnisType; +import at.gv.bmi.namespace.zmr_su.zmr._20040201.EidasSuchdatenType; +import at.gv.bmi.namespace.zmr_su.zmr._20040201.ErgebniskriterienType; +import at.gv.bmi.namespace.zmr_su.zmr._20040201.NatuerlichePersonErgebnisType; +import at.gv.bmi.namespace.zmr_su.zmr._20040201.PersonAendernInfoType; +import at.gv.bmi.namespace.zmr_su.zmr._20040201.PersonAendernRequest; +import at.gv.bmi.namespace.zmr_su.zmr._20040201.PersonErgebnisSatzType; +import at.gv.bmi.namespace.zmr_su.zmr._20040201.PersonErgebnisType; +import at.gv.bmi.namespace.zmr_su.zmr._20040201.PersonReferenzType; +import at.gv.bmi.namespace.zmr_su.zmr._20040201.PersonSuchenRequest; +import at.gv.bmi.namespace.zmr_su.zmr._20040201.PersonSuchenResponse; +import at.gv.bmi.namespace.zmr_su.zmr._20040201.PersonensucheInfoType; +import at.gv.bmi.namespace.zmr_su.zmr._20040201.SuchkriterienType; +import at.gv.e_government.reference.namespace.persondata.de._20040201.IdentificationType; +import at.gv.e_government.reference.namespace.persondata.de._20040201.NatuerlichePersonTyp; +import at.gv.e_government.reference.namespace.persondata.de._20040201.PersonenNameTyp; +import at.gv.egiz.eaaf.core.api.data.EaafConstants; +import at.gv.egiz.eaaf.core.exceptions.EaafAuthenticationException; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import lombok.AllArgsConstructor; +import lombok.Getter; +import lombok.extern.slf4j.Slf4j; + +/** + * ZMR client implementation for eIDAS matching operations. + * + * @author tlenz + * + */ +@Slf4j +public class ZmrSoapClient extends AbstractSoapClient implements IZmrClient { + + private static final String ERROR_MATCHING_01 = "module.eidasauth.matching.01"; + private static final String ERROR_MATCHING_02 = "module.eidasauth.matching.02"; + private static final String ERROR_MATCHING_99 = "module.eidasauth.matching.99"; + + private static final String LOGMSG_MISSING_CONFIG = "Missing configuration with key: {0}"; + + private static final String LOGMSG_ZMR_ERROR = + "Receive an error from ZMR during '{}' operation with msg: {}"; + private static final String LOGMSG_ZMR_RESP_PROCESS = + "Proces ZMR response during '{}' operation failes with msg: {}"; + + private static final String LOGMSG_ZMR_SOAP_ERROR = + "ZMR anwser for transaction: {0} with code: {1} and message: {2}"; + + private static final String PROCESS_GENERAL = "GP_EIDAS"; + private static final String PROCESS_TASK_SEARCH = "ZPR_VO_Person_suchen_Meldevorgang"; + //private static final String PROCESS_TASK_ADD = "ZPR_VO_Person_anlegen"; + private static final String PROCESS_TASK_UPDATE = "ZPR_VO_Person_aendern"; + + private static final String PROCESS_SEARCH_PERSONAL_IDENTIFIER = + "Searching " + Constants.eIDAS_ATTR_PERSONALIDENTIFIER; + private static final String PROCESS_SEARCH_MDS_ONLY = "Searching with MDS only"; + private static final String PROCESS_SEARCH_COUNTRY_SPECIFIC = "Searching {0} specific"; + + private static final String PROCESS_KITT_GENERAL = "KITT general-processing"; + private static final String PROCESS_KITT_IDENITIES_GET = "KITT get-latest-version"; + private static final String PROCESS_KITT_IDENITIES_UPDATE = "KITT update dataset"; + + private static final String CLIENT_INFO = "eIDAS MS-Connector v{0}"; + private static final String CLIENT_DEFAULT = "ZMR Client"; + + + @Autowired VersionHolder versionHolder; + + private ServicePort zmrClient; + + + @AllArgsConstructor + @Getter + public static class ZmrRegisterResult { + private final List<RegisterResult> personResult; + private final BigInteger processId; + + } + + @Override + public ZmrRegisterResult searchWithPersonIdentifier(BigInteger zmrProzessId, String personPseudonym, + String citizenCountryCode) throws EidasSAuthenticationException { + + try { + // build search request + final RequestType req = new RequestType(); + + // set eIDAS person information + final PersonSuchenRequest searchPersonReq = new PersonSuchenRequest(); + req.setPersonSuchenRequest(searchPersonReq); + final EidasSuchdatenType eidasInfos = new EidasSuchdatenType(); + searchPersonReq.getEidasSuchdaten().add(eidasInfos); + eidasInfos.setEidasArt(Constants.eIDAS_ATTRURN_PERSONALIDENTIFIER); + eidasInfos.setEidasWert(personPseudonym); + eidasInfos.setStaatscode2(citizenCountryCode); + + // set work-flow client information + req.setWorkflowInfoClient(generateWorkFlowInfos(PROCESS_TASK_SEARCH, zmrProzessId)); + req.setClientInfo(generateClientInfos()); + + // set additionl search parameters + searchPersonReq.setPersonensucheInfo(generateSearchCriteria( + PROCESS_SEARCH_PERSONAL_IDENTIFIER, false, true, false)); + + // request ZMR + log.trace("Requesting ZMR for '{}' operation", PROCESS_SEARCH_PERSONAL_IDENTIFIER); + final ResponseType resp = zmrClient.service(req, null); + + // parse ZMR response + return processZmrResponse(resp, citizenCountryCode, true, PROCESS_SEARCH_PERSONAL_IDENTIFIER); + + } catch (final ServiceFault e) { + final String errorMsg = extractReasonFromError(e); + log.warn(LOGMSG_ZMR_ERROR, PROCESS_SEARCH_PERSONAL_IDENTIFIER, errorMsg); + throw new ZmrCommunicationException(ERROR_MATCHING_01, new Object[] { errorMsg }, e); + + } catch (EidasSAuthenticationException e) { + throw e; + + } catch (final Exception e) { + log.warn(LOGMSG_ZMR_RESP_PROCESS, PROCESS_SEARCH_PERSONAL_IDENTIFIER, e.getMessage()); + throw new EidasSAuthenticationException(ERROR_MATCHING_99, new Object[] { e.getMessage() }, e); + + } + } + + @Override + public ZmrRegisterResult searchWithMds(BigInteger zmrProzessId, String givenName, String familyName, + String dateOfBirth, String citizenCountryCode) throws EidasSAuthenticationException { + try { + // build search request + final RequestType req = new RequestType(); + + // set eIDAS person information + final PersonSuchenRequest searchPersonReq = new PersonSuchenRequest(); + req.setPersonSuchenRequest(searchPersonReq); + + final NatuerlichePersonTyp searchNatPerson = new NatuerlichePersonTyp(); + searchPersonReq.setNatuerlichePerson(searchNatPerson); + final PersonenNameTyp searchNatPersonName = new PersonenNameTyp(); + searchNatPerson.setPersonenName(searchNatPersonName); + + searchNatPersonName.setFamilienname(familyName); + searchNatPersonName.setVorname(givenName); + searchNatPerson.setGeburtsdatum(dateOfBirth); + + // set work-flow client information + req.setWorkflowInfoClient(generateWorkFlowInfos(PROCESS_TASK_SEARCH, zmrProzessId)); + req.setClientInfo(generateClientInfos()); + + // set additionl search parameters + searchPersonReq.setPersonensucheInfo(generateSearchCriteria( + PROCESS_SEARCH_MDS_ONLY, false, true, false)); + + // request ZMR + log.trace("Requesting ZMR for '{}' operation", PROCESS_SEARCH_MDS_ONLY); + final ResponseType resp = zmrClient.service(req, null); + + // parse ZMR response + return processZmrResponse(resp, citizenCountryCode, false, PROCESS_SEARCH_MDS_ONLY); + + } catch (final ServiceFault e) { + final String errorMsg = extractReasonFromError(e); + log.warn(LOGMSG_ZMR_ERROR, PROCESS_SEARCH_MDS_ONLY, errorMsg); + throw new ZmrCommunicationException(ERROR_MATCHING_01, new Object[] { errorMsg }, e); + + } catch (EidasSAuthenticationException e) { + throw e; + + } catch (final Exception e) { + log.warn(LOGMSG_ZMR_RESP_PROCESS, PROCESS_SEARCH_MDS_ONLY, e.getMessage()); + throw new EidasSAuthenticationException(ERROR_MATCHING_99, new Object[] { e.getMessage() }, e); + + } + + } + + @Override + public ZmrRegisterResult searchCountrySpecific(BigInteger zmrProzessId, PersonSuchenRequest personSearchDao, + String citizenCountryCode) + throws EidasSAuthenticationException { + final String friendlyMsg = MessageFormat.format(PROCESS_SEARCH_COUNTRY_SPECIFIC, citizenCountryCode); + + try { + // build search request + final RequestType req = new RequestType(); + + // set eIDAS person information + req.setPersonSuchenRequest(personSearchDao); + + // set work-flow client information + req.setWorkflowInfoClient(generateWorkFlowInfos(PROCESS_TASK_SEARCH, zmrProzessId)); + req.setClientInfo(generateClientInfos()); + + // set additionl search parameters + personSearchDao.setPersonensucheInfo(generateSearchCriteria(friendlyMsg, false, true, false)); + + // request ZMR + log.trace("Requesting ZMR for '{}' operation", friendlyMsg); + final ResponseType resp = zmrClient.service(req, null); + + // parse ZMR response + return processZmrResponse(resp, citizenCountryCode, true, + friendlyMsg); + + } catch (final ServiceFault e) { + final String errorMsg = extractReasonFromError(e); + log.warn(LOGMSG_ZMR_ERROR, friendlyMsg, errorMsg); + throw new ZmrCommunicationException(ERROR_MATCHING_01, new Object[] { errorMsg }, e); + + } catch (EidasSAuthenticationException e) { + throw e; + + } catch (final Exception e) { + log.warn(LOGMSG_ZMR_RESP_PROCESS, friendlyMsg, e.getMessage()); + throw new EidasSAuthenticationException(ERROR_MATCHING_99, new Object[] { e.getMessage() }, e); + + } + } + + @Override + public ZmrRegisterResult update(BigInteger zmrProzessId, RegisterResult registerResult, + SimpleEidasData eidData) throws EidasSAuthenticationException { + try { + //search person with register result, because update needs information from search response + PersonErgebnisType zmrPersonToKitt = searchPersonForUpdate(zmrProzessId, registerResult); + + // select elements that have to be updated + Collection<? extends EidasIdentitaetAnlageType> eidasDocumentToAdd = + selectEidasDocumentsToAdd(zmrPersonToKitt, eidData); + + if (eidasDocumentToAdd.isEmpty()) { + log.info("Find no eIDAS document for update during: {}. Looks strange but nothing todo", + PROCESS_KITT_GENERAL); + return new ZmrRegisterResult(Arrays.asList(registerResult), zmrProzessId); + + } else { + log.info("Find #{} eIDAS documents for update during: {}", eidasDocumentToAdd.size(), PROCESS_KITT_GENERAL); + + // update entry based on selected update info's and results from search response + return updatePersonInZmr(zmrProzessId, zmrPersonToKitt, eidasDocumentToAdd, eidData.getCitizenCountryCode()); + + } + + } catch (final ServiceFault e) { + final String errorMsg = extractReasonFromError(e); + log.warn(LOGMSG_ZMR_ERROR, PROCESS_KITT_GENERAL, errorMsg); + throw new ZmrCommunicationException(ERROR_MATCHING_01, new Object[] { errorMsg }, e); + + } catch (EidasSAuthenticationException e) { + throw e; + + } catch (final Exception e) { + log.warn(LOGMSG_ZMR_RESP_PROCESS, PROCESS_KITT_GENERAL, e.getMessage()); + throw new EidasSAuthenticationException(ERROR_MATCHING_99, new Object[] { e.getMessage() }, e); + + } + + } + + @Override + public ZmrRegisterResult searchWithResidenceData(BigInteger zmrProzessId, String givenName, String familyName, + String dateOfBirth, String zipcode, String city, String street) { + // TODO Auto-generated method stub + return null; + } + + @PostConstruct + private void initialize() throws EaafConfigurationException { + // set-up the ZMR client + initializeTechnicalZmrClient(); + + // validate additional ZMR communication parameters + valdiateAdditionalConfigParameters(); + + } + + private void initializeTechnicalZmrClient() throws EaafConfigurationException { + log.info("Starting ZMR-Client initialization .... "); + final URL url = ZmrSoapClient.class.getResource("/wsdl/zmr_client/wsdl/Service.wsdl"); + final Service zmrService = new Service(url); + zmrClient = zmrService.getService(); + + final String zmrServiceUrl = basicConfig.getBasicConfiguration( + Constants.CONIG_PROPS_EIDAS_ZMRCLIENT_ENDPOINT); + if (StringUtils.isEmpty(zmrServiceUrl)) { + log.error("No ZMR service-URL found. ZMR-Client initalisiation failed."); + throw new RuntimeException("No ZMR service URL found. ZMR-Client initalisiation failed."); + + } + + // inject handler + log.info("Use ZMR service-URL: " + zmrServiceUrl); + injectBindingProvider((BindingProvider) zmrClient, CLIENT_DEFAULT, zmrServiceUrl, + basicConfig.getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_ZMRCLIENT_DEBUG_TRACEMESSAGES, + false)); + + // inject http parameters and SSL context + log.debug("Inject HTTP client settings ... "); + injectHttpClient(zmrClient, HttpClientConfig.builder() + .clientName(CLIENT_DEFAULT) + .clientType(CLIENT_DEFAULT) + .clientUrl(zmrServiceUrl) + .connectionTimeout(basicConfig.getBasicConfiguration( + Constants.CONIG_PROPS_EIDAS_ZMRCLIENT_TIMEOUT_CONNECTION, + Constants.HTTP_CLIENT_DEFAULT_TIMEOUT_CONNECTION)) + .responseTimeout(basicConfig.getBasicConfiguration( + Constants.CONIG_PROPS_EIDAS_ZMRCLIENT_TIMEOUT_RESPONSE, + Constants.HTTP_CLIENT_DEFAULT_TIMEOUT_RESPONSE)) + .keyStoreConfig(buildKeyStoreConfiguration( + Constants.CONIG_PROPS_EIDAS_ZMRCLIENT_SSL_KEYSTORE_TYPE, + Constants.CONIG_PROPS_EIDAS_ZMRCLIENT_SSL_KEYSTORE_PATH, + Constants.CONIG_PROPS_EIDAS_ZMRCLIENT_SSL_KEYSTORE_PASSWORD, + Constants.CONIG_PROPS_EIDAS_ZMRCLIENT_SSL_KEYSTORE_NAME, + "ZMR SSL Client-Authentication KeyStore")) + .keyAlias(basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_ZMRCLIENT_SSL_KEYS_ALIAS)) + .keyPassword(basicConfig.getBasicConfiguration( + Constants.CONIG_PROPS_EIDAS_ZMRCLIENT_SSL_KEY_PASSWORD)) + .trustAll(false) + .trustStoreConfig(buildKeyStoreConfiguration( + Constants.CONIG_PROPS_EIDAS_ZMRCLIENT_SSL_TRUSTSTORE_TYPE, + Constants.CONIG_PROPS_EIDAS_ZMRCLIENT_SSL_TRUSTSTORE_PATH, + Constants.CONIG_PROPS_EIDAS_ZMRCLIENT_SSL_TRUSTSTORE_PASSWORD, + Constants.CONIG_PROPS_EIDAS_ZMRCLIENT_SSL_TRUSTSTORE_NAME, + "ZMR SSL Client-Authentication TrustStore")) + .build()); + + } + + private void valdiateAdditionalConfigParameters() { + checkConfigurationValue(Constants.CONIG_PROPS_EIDAS_ZMRCLIENT_REQ_ORGANIZATION_NR); + checkConfigurationValue(Constants.CONIG_PROPS_EIDAS_ZMRCLIENT_REQ_UPDATE_REASON_CODE); + + } + + private void checkConfigurationValue(String key) { + if (StringUtils.isEmpty(basicConfig.getBasicConfiguration(key))) { + throw new RuntimeException(MessageFormat.format(LOGMSG_MISSING_CONFIG, key)); + + } + } + + @Nonnull + private WorkflowInfoClient generateWorkFlowInfos(@Nonnull String subStepName, + @Nullable BigInteger prozessInstanzId) { + final WorkflowInfoClient infos = new WorkflowInfoClient(); + infos.setProzessName(PROCESS_GENERAL); + infos.setVorgangName(subStepName); + + //set processId that we received from ZMR before, if already available + if (prozessInstanzId != null) { + infos.setProzessInstanzID(prozessInstanzId); + + } + + return infos; + + } + + @Nonnull + private PersonensucheInfoType generateSearchCriteria(String infoElement, boolean searchInErnp, + boolean searchInZmrHistory, boolean includeHistoryResults) { + final PersonensucheInfoType personSearchInfo = new PersonensucheInfoType(); + final SuchkriterienType searchCriteria = new SuchkriterienType(); + final ErgebniskriterienType resultCriteria = new ErgebniskriterienType(); + + personSearchInfo.setBezugsfeld(infoElement); + personSearchInfo.setSuchkriterien(searchCriteria); + personSearchInfo.setErgebniskriterien(resultCriteria); + + // TODO: are these flags valid? + searchCriteria.setInclusivERnP(searchInErnp); + searchCriteria.setInclusivHistorie(searchInZmrHistory); + + // TODO: check 'processSearchPersonResponse' if we change this to 'true' + resultCriteria.setInclusivHistorie(includeHistoryResults); + + // TODO: are these flags valid? + personSearchInfo.setAnzahlSaetze(10); + + return personSearchInfo; + + } + + @Nonnull + private ClientInfoType generateClientInfos() { + final ClientInfoType clientInfo = new ClientInfoType(); + final Organisation clientOrganisation = new Organisation(); + clientInfo.setOrganisation(clientOrganisation); + + // set client information + clientInfo.setClient(MessageFormat.format(CLIENT_INFO, versionHolder.getVersion())); + + // set Behoerdennummer as organization identifier + clientOrganisation.setBehoerdenNr(basicConfig.getBasicConfiguration( + Constants.CONIG_PROPS_EIDAS_ZMRCLIENT_REQ_ORGANIZATION_NR)); + + return clientInfo; + } + + @Nonnull + private String extractReasonFromError(ServiceFault e) { + if (e.getFaultInfo() != null) { + return MessageFormat.format(LOGMSG_ZMR_SOAP_ERROR, + e.getFaultInfo().getServerTransaktionNr().toString(), + e.getFaultInfo().getErrorCode(), + e.getFaultInfo().getErrorMessage()); + + } else { + log.error("ZMR response without error code", e); + return e.getMessage(); + + } + } + + @Nonnull + private ZmrRegisterResult processZmrResponse(@Nonnull ResponseType resp, + @Nonnull String citizenCountryCode, + boolean forceSinglePersonMatch, @Nonnull String processStepFiendlyname) + throws EaafAuthenticationException { + final PersonSuchenResponse searchPersonResp = resp.getPersonSuchenResponse(); + if (searchPersonResp.getPersonensuchergebnis() == null + || searchPersonResp.getPersonensuchergebnis().getPersonErgebnisSatz().isEmpty()) { + log.debug("ZMR result contains NO 'Personensuchergebnis' or 'PersonErgebnisSatz' is empty"); + return new ZmrRegisterResult(Collections.emptyList(), extractZmrProcessId(resp.getWorkflowInfoServer())); + + } else { + // TODO: what we to with ERnP results? + log.debug("Get #{} person results from '{}' operation", + searchPersonResp.getPersonensuchergebnis().getGefundeneSaetze(), processStepFiendlyname); + + if (forceSinglePersonMatch) { + return new ZmrRegisterResult(processSearchPersonResponseSingleResult( + searchPersonResp.getPersonensuchergebnis().getPersonErgebnisSatz(), + citizenCountryCode, processStepFiendlyname), + extractZmrProcessId(resp.getWorkflowInfoServer())); + + } else { + return new ZmrRegisterResult(processSearchPersonResponse( + searchPersonResp.getPersonensuchergebnis().getPersonErgebnisSatz(), citizenCountryCode), + extractZmrProcessId(resp.getWorkflowInfoServer())); + + } + } + } + + private BigInteger extractZmrProcessId(WorkflowInfoServer workflowInfoServer) { + return workflowInfoServer != null ? workflowInfoServer.getProzessInstanzID() : null; + + } + + @Nonnull + private List<RegisterResult> processSearchPersonResponse( + @Nonnull List<PersonErgebnisSatzType> personErgebnisSatz, + @Nonnull String citizenCountryCode) throws EaafAuthenticationException { + + return personErgebnisSatz.stream() + .map(el -> { + try { + return processPersonResult(el, citizenCountryCode); + + } catch (final EaafAuthenticationException e) { + log.warn("Skip ZMR person result by reason: {}", e.getMessage(), e); + return null; + + } + }) + .filter(Objects::nonNull) + .collect(Collectors.toList()); + + } + + @NonNull + private List<RegisterResult> processSearchPersonResponseSingleResult( + @Nonnull List<PersonErgebnisSatzType> personErgebnisSatz, + @Nonnull String citizenCountryCode, String processStepFiendlyname) throws EaafAuthenticationException { + if (personErgebnisSatz.size() > 1) { + log.error("Find more-than-one ZMR entry with search criteria that has to be unique"); + throw new WorkflowException(processStepFiendlyname, + "Find more-than-one ZMR entry with search criteria that has to be unique", true); + + } else { + return Arrays.asList(processPersonResult(personErgebnisSatz.get(0), citizenCountryCode)); + + } + } + + @Nonnull + private RegisterResult processPersonResult( + @Nonnull PersonErgebnisSatzType personEl, @Nonnull String citizenCountryCode) + throws EaafAuthenticationException { + // TODO: maybe check on 'null' if ERnP data is also allowed + log.debug("Find #{} data sets in person information", + personEl.getPersonendaten().getPersonErgebnis().size()); + + if (personEl.getPersonendaten().getPersonErgebnis().size() > 1) { + log.error("Find more than on PersoenErgebnis in Personendaten."); + throw new EaafAuthenticationException(ERROR_MATCHING_02, null); + + } else { + return mapZmrResponseToRegisterResult( + personEl.getPersonendaten().getPersonErgebnis().get(0), citizenCountryCode); + + } + + } + + @Nonnull + private RegisterResult mapZmrResponseToRegisterResult(@Nonnull PersonErgebnisType person, + @Nonnull String citizenCountryCode) { + // TODO: kann ich bei historischen daten davon ausgehen dass die Reihenfolge der + // Ergebnisse von aktuell --> alt ist? + + // build result + return RegisterResult.builder() + .pseudonym(selectAllEidasDocument(person, citizenCountryCode, + Constants.eIDAS_ATTRURN_PERSONALIDENTIFIER)) + .familyName(person.getNatuerlichePerson().getPersonenName().getFamilienname()) + .givenName(person.getNatuerlichePerson().getPersonenName().getVorname()) + .dateOfBirth(person.getNatuerlichePerson().getGeburtsdatum()) + .bpk(extractBpkZp(person.getNatuerlichePerson())) + .placeOfBirth(selectSingleEidasDocument(person, citizenCountryCode, + Constants.eIDAS_ATTRURN_PLACEOFBIRTH)) + .birthName(selectSingleEidasDocument(person, citizenCountryCode, + Constants.eIDAS_ATTRURN_BIRTHNAME)) + .build(); + + } + + private String extractBpkZp(NatuerlichePersonErgebnisType natuerlichePerson) { + String bpk = natuerlichePerson.getIdentification().stream() + .filter(el -> Constants.MATCHING_INTERNAL_BPK_TARGET.equals(el.getType())) + .findFirst() + .map(el -> el.getValue()) + .orElse(null); + if (StringUtils.isEmpty(bpk)) { + //TODO: should we throw an error in that case? + log.warn("ZMR response contains no 'bPK' for target: 'ZP'"); + + } + return bpk; + + } + + /** + * Get all eIDAS document with the specified country code and document type. + * + * @param person Person information from ZMR + * @param citizenCountryCode Country code of the eIDAS attribute + * @param eidasAttrurnPersonalidentifier eIDAS attribute identifier + * @return {@link List} of eIDAS attribute values or an empty list if's not + * found + */ + @NonNull + private List<String> selectAllEidasDocument(PersonErgebnisType person, String citizenCountryCode, + String eidasAttrurnPersonalidentifier) { + return person.getEidasIdentitaet().stream() + .filter(el -> eidasAttrurnPersonalidentifier.equals(el.getEidasArt()) + && el.getStaatscode2().equals(citizenCountryCode)) + .map(el -> el.getEidasWert()) + .collect(Collectors.toList()); + + } + + /** + * Get the first eIDAS document with the specified country code and document + * type. + * + * @param person Person information from ZMR + * @param citizenCountryCode Country code of the eIDAS attribute + * @param eidasAttrurnPersonalidentifier eIDAS attribute identifier + * @return Value of this eIDAS attribute or <code>null</code> if's not found + */ + @Nullable + private String selectSingleEidasDocument(PersonErgebnisType person, String citizenCountryCode, + String eidasAttrurnPersonalidentifier) { + return person.getEidasIdentitaet().stream() + .filter(el -> eidasAttrurnPersonalidentifier.equals(el.getEidasArt()) + && el.getStaatscode2().equals(citizenCountryCode)) + .findFirst() + .map(el -> el.getEidasWert()) + .orElse(null); + + } + + private PersonErgebnisType searchPersonForUpdate(BigInteger zmrProzessId, RegisterResult registerResult) + throws ServiceFault, WorkflowException { + // build search request + final RequestType req = new RequestType(); + + // set eIDAS person information + final PersonSuchenRequest searchPersonReq = new PersonSuchenRequest(); + req.setPersonSuchenRequest(searchPersonReq); + NatuerlichePersonTyp natPersonInfos = new NatuerlichePersonTyp(); + searchPersonReq.setNatuerlichePerson(natPersonInfos); + PersonenNameTyp nameInfo = new PersonenNameTyp(); + natPersonInfos.setPersonenName(nameInfo); + IdentificationType bpkInfo = new IdentificationType(); + natPersonInfos.getIdentification().add(bpkInfo); + + // set MDS + nameInfo.setVorname(registerResult.getGivenName()); + nameInfo.setFamilienname(registerResult.getFamilyName()); + natPersonInfos.setGeburtsdatum(registerResult.getDateOfBirth()); + + //set bPK + bpkInfo.setValue(registerResult.getBpk()); + bpkInfo.setType(EaafConstants.URN_PREFIX_CDID + "ZP"); + + // set work-flow client information + req.setWorkflowInfoClient(generateWorkFlowInfos(PROCESS_TASK_SEARCH, zmrProzessId)); + req.setClientInfo(generateClientInfos()); + + // set additionl search parameters + searchPersonReq.setPersonensucheInfo(generateSearchCriteria( + PROCESS_KITT_IDENITIES_GET, false, true, false)); + + // request ZMR + log.trace("Requesting ZMR for '{}' operation", PROCESS_KITT_IDENITIES_GET); + ResponseType resp = zmrClient.service(req, null); + log.trace("Receive response from ZMR for '{}' operation", PROCESS_KITT_IDENITIES_GET); + + return extractPersonResultForUpdaste(resp); + + } + + private PersonErgebnisType extractPersonResultForUpdaste(ResponseType resp) throws WorkflowException { + final PersonSuchenResponse searchPersonResp = resp.getPersonSuchenResponse(); + if (searchPersonResp.getPersonensuchergebnis() == null + || searchPersonResp.getPersonensuchergebnis().getPersonErgebnisSatz().isEmpty()) { + log.error("ZMR result contains NO 'Personensuchergebnis' or 'PersonErgebnisSatz' is empty"); + throw new WorkflowException(PROCESS_KITT_IDENITIES_GET, + "Find NO data-set with already matchted eID during ZMR KITT process"); + + } else { + List<PersonErgebnisSatzType> personErgebnisSatz = + searchPersonResp.getPersonensuchergebnis().getPersonErgebnisSatz(); + if (personErgebnisSatz.size() > 1) { + log.error("Find more than on person with aleady matched information."); + throw new WorkflowException(PROCESS_KITT_IDENITIES_GET, + "Find MORE-THAN-ONE data-sets with already matchted eID during ZMR KITT process"); + + } else { + return personErgebnisSatz.get(0).getPersonendaten().getPersonErgebnis().get(0); + + } + } + } + + private Collection<? extends EidasIdentitaetAnlageType> selectEidasDocumentsToAdd( + PersonErgebnisType zmrPersonToKitt, SimpleEidasData eidData) { + + //TODO: maybe we should re-factor SimpleEidasData to a generic data-model to facilitate arbitrary eIDAS attributes + Set<EidasIdentitaetAnlageType> result = new HashSet<>(); + addEidasDocumentIfNotAvailable(result, zmrPersonToKitt, eidData.getCitizenCountryCode(), + Constants.eIDAS_ATTRURN_PERSONALIDENTIFIER, eidData.getPseudonym(), true); + addEidasDocumentIfNotAvailable(result, zmrPersonToKitt, eidData.getCitizenCountryCode(), + Constants.eIDAS_ATTRURN_PLACEOFBIRTH, eidData.getPlaceOfBirth(), false); + addEidasDocumentIfNotAvailable(result, zmrPersonToKitt, eidData.getCitizenCountryCode(), + Constants.eIDAS_ATTRURN_BIRTHNAME, eidData.getBirthName(), false); + + return result; + + } + + private void addEidasDocumentIfNotAvailable(Set<EidasIdentitaetAnlageType> result, + PersonErgebnisType zmrPersonToKitt, String citizenCountryCode, + String attrName, String attrValue, boolean allowMoreThanOneEntry) { + + if (StringUtils.isEmpty(attrValue)) { + log.trace("No eIDAS document: {}. Nothing todo for KITT process ... ", attrName); + return; + + } + + // check if eIDAS attribute is already includes an eIDAS-Document + boolean alreadyExist = zmrPersonToKitt.getEidasIdentitaet().stream() + .filter(el -> el.getEidasWert().equals(attrValue) + && el.getEidasArt().equals(attrName) + && el.getStaatscode2().equals(citizenCountryCode)) + .findAny() + .isPresent(); + + if (!alreadyExist) { + // check eIDAS documents already contains a document with this pair of country-code and attribute-name + Optional<EidasIdentitaetErgebnisType> oneDocWithNameExists = zmrPersonToKitt.getEidasIdentitaet().stream() + .filter(el -> el.getStaatscode2().equals(citizenCountryCode) + && el.getEidasArt().equals(attrName)) + .findAny(); + + if (!allowMoreThanOneEntry && oneDocWithNameExists.isPresent() + && !oneDocWithNameExists.get().getEidasWert().equals(attrValue)) { + log.warn("eIDAS document: {} already exists for country: {} but attribute-value does not match. " + + "Skip update process because no multi-value allowed for this ... ", + attrName, citizenCountryCode); + + } else { + EidasIdentitaetAnlageType eidasDocToAdd = new EidasIdentitaetAnlageType(); + eidasDocToAdd.setStaatscode2(citizenCountryCode); + eidasDocToAdd.setEidasArt(attrName); + eidasDocToAdd.setEidasWert(attrValue); + log.info("Add eIDAS document: {} for country: {} to ZMR person", attrName, citizenCountryCode); + result.add(eidasDocToAdd); + + } + + } else { + log.debug("eIDAS document: {} already exists for country: {}. Skip update process for this ... ", + attrName, citizenCountryCode); + + } + } + + private ZmrRegisterResult updatePersonInZmr(BigInteger zmrProzessId, PersonErgebnisType zmrPersonToKitt, + Collection<? extends EidasIdentitaetAnlageType> eidasDocumentToAdd, String citizenCountryCode) + throws ServiceFault { + final RequestType req = new RequestType(); + + // set work-flow client information + req.setWorkflowInfoClient(generateWorkFlowInfos(PROCESS_TASK_UPDATE, zmrProzessId)); + req.setClientInfo(generateClientInfos()); + + PersonAendernRequest updateReq = new PersonAendernRequest(); + req.setPersonAendernRequest(updateReq); + + // set reference elements for person update + PersonReferenzType updateRef = new PersonReferenzType(); + updateRef.setTechnisch(zmrPersonToKitt.getEntityErgebnisReferenz().getTechnisch()); + updateRef.setZMRZahl(zmrPersonToKitt.getZMRZahl()); + updateReq.setPersonReferenz(updateRef); + + // set reason from this update + PersonAendernInfoType updateInfo = new PersonAendernInfoType(); + updateInfo.setGrundCode(basicConfig.getBasicConfiguration( + Constants.CONIG_PROPS_EIDAS_ZMRCLIENT_REQ_UPDATE_REASON_CODE)); + updateInfo.setGrundFreitext(basicConfig.getBasicConfiguration( + Constants.CONIG_PROPS_EIDAS_ZMRCLIENT_REQ_UPDATE_REASON_TEXT)); + updateReq.setPersonAendernInfo(updateInfo); + + // add new eIDAS documents that should be added + updateReq.getEidasIdentitaetAnlage().addAll(eidasDocumentToAdd); + + // request ZMR + log.trace("Requesting ZMR for '{}' operation", PROCESS_KITT_IDENITIES_UPDATE); + ResponseType resp = zmrClient.service(req, null); + log.trace("Receive response from ZMR for '{}' operation", PROCESS_KITT_IDENITIES_UPDATE); + + return new ZmrRegisterResult(Arrays.asList( + mapZmrResponseToRegisterResult(resp.getPersonAendernResponse().getPersonErgebnis(), citizenCountryCode)), + extractZmrProcessId(resp.getWorkflowInfoServer())); + + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/config/EidasConnectorMessageSource.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/config/EidasConnectorMessageSource.java new file mode 100644 index 00000000..7a9f472a --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/config/EidasConnectorMessageSource.java @@ -0,0 +1,21 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.config; + +import java.util.Arrays; +import java.util.List; + +import at.gv.egiz.eaaf.core.api.logging.IMessageSourceLocation; + +/** + * Inject eIDAS Connector specific messages into Spring based message-source. + * + * @author tlenz + * + */ +public class EidasConnectorMessageSource implements IMessageSourceLocation { + + @Override + public List<String> getMessageSourceLocation() { + return Arrays.asList("classpath:/messages/eidas_connector_message"); + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/ErnbEidData.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/ErnbEidData.java deleted file mode 100644 index 6c7eeb6b..00000000 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/ErnbEidData.java +++ /dev/null @@ -1,115 +0,0 @@ -/* - * Copyright 2018 A-SIT Plus GmbH - * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, - * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "License"); - * You may not use this work except in compliance with the License. - * You may obtain a copy of the License at: - * https://joinup.ec.europa.eu/news/understanding-eupl-v12 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. -*/ - -package at.asitplus.eidas.specific.modules.auth.eidas.v2.dao; - -import java.text.SimpleDateFormat; - -import org.joda.time.DateTime; - -import at.gv.e_government.reference.namespace.persondata._20020228.PostalAddressType; - -public class ErnbEidData { - - private String citizenCountryCode = null; - - // MDS - private String pseudonym = null; - private String givenName = null; - private String familyName = null; - private DateTime dateOfBirth = null; - - // additional attributes - private String placeOfBirth = null; - private String birthName = null; - private PostalAddressType address = null; - - public String getCitizenCountryCode() { - return citizenCountryCode; - } - - public void setCitizenCountryCode(String citizenCountryCode) { - this.citizenCountryCode = citizenCountryCode; - } - - public String getPseudonym() { - return pseudonym; - } - - public void setPseudonym(String pseudonym) { - this.pseudonym = pseudonym; - } - - public String getGivenName() { - return givenName; - } - - public void setGivenName(String givenName) { - this.givenName = givenName; - } - - public String getFamilyName() { - return familyName; - } - - public void setFamilyName(String familyName) { - this.familyName = familyName; - } - - public DateTime getDateOfBirth() { - return dateOfBirth; - } - - public void setDateOfBirth(DateTime dateOfBirth) { - this.dateOfBirth = dateOfBirth; - } - - public String getPlaceOfBirth() { - return placeOfBirth; - } - - public void setPlaceOfBirth(String placeOfBirth) { - this.placeOfBirth = placeOfBirth; - } - - public String getBirthName() { - return birthName; - } - - public void setBirthName(String birthName) { - this.birthName = birthName; - } - - public PostalAddressType getAddress() { - return address; - } - - public void setAddress(PostalAddressType address) { - this.address = address; - } - - public String getFormatedDateOfBirth() { - return new SimpleDateFormat("yyyy-MM-dd").format(dateOfBirth.toDate()); - } - -} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/MatchedPersonResult.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/MatchedPersonResult.java new file mode 100644 index 00000000..1e8fcecf --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/MatchedPersonResult.java @@ -0,0 +1,41 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.dao; + +import lombok.Builder; +import lombok.Getter; + +/** + * Information about a natural person that is already matched. + * + * @author tlenz + * + */ +@Getter +@Builder +public class MatchedPersonResult { + + /** + * Matched person result from matching result. + * + * @param matchingResult Result of the matching process + * @param citizenCountryCode Country-Code of the eIDAS Proxy-Service + */ + public static MatchedPersonResult generateFormMatchingResult(RegisterResult matchingResult, + String citizenCountryCode) { + return MatchedPersonResult.builder() + .familyName(matchingResult.getFamilyName()) + .givenName(matchingResult.getGivenName()) + .dateOfBirth(matchingResult.getDateOfBirth()) + .bpk(matchingResult.getBpk()) + .countryCode(citizenCountryCode) + .build(); + } + + private final String countryCode; + private final String givenName; + private final String familyName; + private final String dateOfBirth; + private final String bpk; + + private String vsz; + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/RegisterResult.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/RegisterResult.java new file mode 100644 index 00000000..aa82d806 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/RegisterResult.java @@ -0,0 +1,51 @@ +/* + * Copyright 2020 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.dao; + +import java.util.List; + +import at.gv.e_government.reference.namespace.persondata._20020228.PostalAddressType; +import lombok.Builder; +import lombok.Getter; + +@Builder +@Getter +public class RegisterResult { + + // MDS + private final List<String> pseudonym; + private final String givenName; + private final String familyName; + private final String dateOfBirth; + + // additional attributes + private String placeOfBirth; + private String birthName; + private String taxNumber; + private PostalAddressType address; + + private String bpk; + + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SelectedLoginMethod.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SelectedLoginMethod.java new file mode 100644 index 00000000..70904e4f --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SelectedLoginMethod.java @@ -0,0 +1,5 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.dao; + +public enum SelectedLoginMethod { + EIDAS_LOGIN, MOBILE_PHONE_SIGNATURE_LOGIN, NO_OTHER_LOGIN, ADD_ME_AS_NEW +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleEidasData.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleEidasData.java new file mode 100644 index 00000000..5ad92507 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleEidasData.java @@ -0,0 +1,88 @@ +/* + * Copyright 2020 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.dao; + +import at.gv.e_government.reference.namespace.persondata._20020228.PostalAddressType; +import lombok.Builder; +import lombok.Data; +import org.apache.commons.lang3.builder.EqualsBuilder; + +@Data +@Builder +public class SimpleEidasData { + + /** + * Full eIDAS personal identifier with prefix. + */ + private final String personalIdentifier; + + /** + * Citizen country-code from eIDAS personal-identifier. + */ + private final String citizenCountryCode; + + // MDS + /** + * eIDAS personal identifier without prefix. + */ + private final String pseudonym; + private final String givenName; + private final String familyName; + private final String dateOfBirth; + + // additional attributes + private final String placeOfBirth; + private final String birthName; + private final PostalAddressType address; + private final String taxNumber; + + /** + * Compares the register result with the EIDAS data (given name, family name, date of birth, personal identifier). + * + * @param result The register data to use for comparison + * @return whether the data (given name, family name, date of birth, personal identifier) match + */ + public boolean equalsRegisterData(RegisterResult result) { + return new EqualsBuilder() + .append(result.getGivenName(), givenName) + .append(result.getFamilyName(), familyName) + .append(result.getDateOfBirth(), dateOfBirth) + .isEquals() + && result.getPseudonym().stream().anyMatch(el -> el.equals(pseudonym)); + } + + /** + * Checks if the MDS (<code>givenName</code>, <code>familyName</code>, + * <code>dateOfBirth</code>) matches. + */ + public boolean equalsMds(SimpleEidasData other) { + return new EqualsBuilder() + .append(other.givenName, givenName) + .append(other.familyName, familyName) + .append(other.dateOfBirth, dateOfBirth) + .isEquals(); + } + + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleMobileSignatureData.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleMobileSignatureData.java new file mode 100644 index 00000000..92e727ea --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleMobileSignatureData.java @@ -0,0 +1,53 @@ +/* + * Copyright 2020 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.dao; + +import org.apache.commons.lang3.builder.EqualsBuilder; + +import lombok.Builder; +import lombok.Data; + +@Data +@Builder +public class SimpleMobileSignatureData { + + private final String bpk; + private final String givenName; + private final String familyName; + private final String dateOfBirth; + + /** + * Compares the received authentication data from the mobile phone signature with the eid data received via eIDAS. + * + * @param simpleEidasData The extracted eIDAS data + * @return Returns true, if the eIDAS data matches the mobile phone signature data and false otherwise. + */ + public boolean equalsSimpleEidasData(SimpleEidasData simpleEidasData) { + return new EqualsBuilder() + .append(simpleEidasData.getGivenName(), givenName) + .append(simpleEidasData.getFamilyName(), familyName) + .append(simpleEidasData.getDateOfBirth(), dateOfBirth) + .isEquals(); + } +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/ernp/DummyErnpClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/ernp/DummyErnpClient.java new file mode 100644 index 00000000..77f5e3cd --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/ernp/DummyErnpClient.java @@ -0,0 +1,74 @@ +/* + * Copyright 2020 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.ernp; + +import java.util.Collections; +import java.util.List; + +import org.springframework.stereotype.Service; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.RegisterResult; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; + +@Service("ErnbClientForeIDAS") +public class DummyErnpClient implements IErnpClient { + + @Override + public List<RegisterResult> searchWithPersonIdentifier(String personIdentifier) { + return Collections.emptyList(); + } + + @Override + public List<RegisterResult> searchWithMds(String givenName, String familyName, String dateOfBirth) { + //TODO will I only receive matches where all three values match perfectly? + return Collections.emptyList(); + } + + @Override + public List<RegisterResult> searchDeSpecific(String givenName, String familyName, String dateOfBirth, + String birthPlace, String birthName) { + //TODO + return Collections.emptyList(); + } + + @Override + public List<RegisterResult> searchItSpecific(String taxNumber) { + //TODO + return Collections.emptyList(); + } + + @Override + public RegisterResult update(RegisterResult registerResult, SimpleEidasData eidData) { + //TODO + return null; + } + + @Override + public List<RegisterResult> searchWithBpkZp(String bpkzp) { + //TODO + return Collections.emptyList(); + } + + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/ernp/IErnpClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/ernp/IErnpClient.java new file mode 100644 index 00000000..b2a9005b --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/ernp/IErnpClient.java @@ -0,0 +1,46 @@ +/* + * Copyright 2020 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.ernp; + +import java.util.List; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.RegisterResult; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; + +public interface IErnpClient { + + List<RegisterResult> searchWithPersonIdentifier(String personIdentifier); + + List<RegisterResult> searchWithMds(String givenName, String familyName, String dateOfBirth); + + List<RegisterResult> searchDeSpecific(String givenName, String familyName, String dateOfBirth, + String birthPlace, String birthName); + + List<RegisterResult> searchItSpecific(String taxNumber); + + RegisterResult update(RegisterResult registerResult, SimpleEidasData eidData); + + List<RegisterResult> searchWithBpkZp(String bpkzp); + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/exception/ManualFixNecessaryException.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/exception/ManualFixNecessaryException.java new file mode 100644 index 00000000..cf69bd2c --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/exception/ManualFixNecessaryException.java @@ -0,0 +1,44 @@ +/* + * Copyright 2020 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. +*/ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.exception; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; + +public class ManualFixNecessaryException extends EidasSAuthenticationException { + private static final long serialVersionUID = 1L; + + //TODO: should we pass some infos? + public ManualFixNecessaryException(String personIdentifier) { + super("module.eidasauth.matching.04", new Object[] { personIdentifier }); + } + + public ManualFixNecessaryException(SimpleEidasData eidData) { + super("module.eidasauth.matching.04", new Object[] { eidData.getPseudonym() }); + } + + public ManualFixNecessaryException(SimpleEidasData eidData, Throwable e) { + super("module.eidasauth.matching.04", new Object[] { eidData.getPseudonym() }, e); + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/exception/WorkflowException.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/exception/WorkflowException.java new file mode 100644 index 00000000..795b4386 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/exception/WorkflowException.java @@ -0,0 +1,94 @@ +/* + * Copyright 2020 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.exception; + +import lombok.Getter; + +@Getter +public class WorkflowException extends EidasSAuthenticationException { + private static final long serialVersionUID = 1L; + + private String processStepName; + private String errorReason; + private boolean requiresManualFix = false; + + /** + * In case of a error during matching work-flow. + * + * @param processStep Matching step identifier + * @param errorReason Reason for this error + */ + public WorkflowException(String processStep, String errorReason) { + super("module.eidasauth.matching.03", new Object[]{processStep, errorReason}); + this.processStepName = processStep; + this.errorReason = errorReason; + + } + + /** + * In case of a error during matching work-flow. + * + * @param processStep Matching step identifier + * @param errorReason Reason for this error + * @param e Catched exception + */ + public WorkflowException(String processStep, String errorReason, Throwable e) { + super("module.eidasauth.matching.03", new Object[]{processStep, errorReason}, e); + this.processStepName = processStep; + this.errorReason = errorReason; + + } + + /** + * In case of a error during matching work-flow. + * + * @param processStep Matching step identifier + * @param errorReason Reason for this error + * @param needsManualFix Mark this work-flow as manually fixable + */ + public WorkflowException(String processStep, String errorReason, boolean needsManualFix) { + super("module.eidasauth.matching.03", new Object[]{processStep, errorReason}); + this.processStepName = processStep; + this.errorReason = errorReason; + this.requiresManualFix = needsManualFix; + + } + + /** + * In case of a error during matching work-flow. + * + * @param processStep Matching step identifier + * @param errorReason Reason for this error + * @param needsManualFix Mark this work-flow as manually fixable + * @param e Catched exception + */ + public WorkflowException(String processStep, String errorReason, boolean needsManualFix, Throwable e) { + super("module.eidasauth.matching.03", new Object[]{processStep, errorReason}, e); + this.processStepName = processStep; + this.errorReason = errorReason; + this.requiresManualFix = needsManualFix; + + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/exception/ZmrCommunicationException.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/exception/ZmrCommunicationException.java new file mode 100644 index 00000000..a6978458 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/exception/ZmrCommunicationException.java @@ -0,0 +1,38 @@ +/* + * Copyright 2018 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. +*/ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.exception; + +public class ZmrCommunicationException extends EidasSAuthenticationException { + + private static final long serialVersionUID = 1L; + + public ZmrCommunicationException(String internalMsgId, Object[] params) { + super(internalMsgId, params); + } + + public ZmrCommunicationException(String internalMsgId, Object[] params, Throwable e) { + super(internalMsgId, params, e); + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java index 90be9a7a..64c6adeb 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java @@ -23,6 +23,11 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.handler; + + +import static at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.EidasResponseUtils.processCountryCode; +import static at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.EidasResponseUtils.processDateOfBirthToString; + import java.nio.charset.StandardCharsets; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; @@ -33,15 +38,13 @@ import java.util.regex.Pattern; import org.apache.commons.lang3.StringUtils; import org.joda.time.DateTime; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.lang.NonNull; import com.google.common.collect.ImmutableSortedSet; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.ErnbEidData; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPostProcessingException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasAttributeException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry; @@ -51,15 +54,14 @@ import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.data.EaafConstants; import at.gv.egiz.eaaf.core.api.idp.IConfigurationWithSP; import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; -import at.gv.egiz.eaaf.core.impl.data.Triple; import eu.eidas.auth.commons.attribute.AttributeDefinition; import eu.eidas.auth.commons.attribute.ImmutableAttributeMap; import eu.eidas.auth.commons.light.impl.LightRequest.Builder; import eu.eidas.auth.commons.protocol.eidas.SpType; -import eu.eidas.auth.commons.protocol.eidas.impl.PostalAddress; +import lombok.extern.slf4j.Slf4j; +@Slf4j public abstract class AbstractEidProcessor implements INationalEidProcessor { - private static final Logger log = LoggerFactory.getLogger(AbstractEidProcessor.class); @Autowired protected EidasAttributeRegistry attrRegistry; @@ -72,39 +74,40 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor { buildLevelOfAssurance(pendingReq.getServiceProviderConfiguration(), authnRequestBuilder); buildProviderNameAndRequesterIdAttribute(pendingReq, authnRequestBuilder); buildRequestedAttributes(authnRequestBuilder); - } @Override - public final ErnbEidData postProcess(Map<String, Object> eidasAttrMap) throws EidPostProcessingException, + public final SimpleEidasData postProcess(Map<String, Object> eidasAttrMap) throws EidPostProcessingException, EidasAttributeException { - final ErnbEidData result = new ErnbEidData(); - - final Object eIdentifierObj = eidasAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER); - final Triple<String, String, String> eIdentifier = - EidasResponseUtils.parseEidasPersonalIdentifier((String) eIdentifierObj); - result.setCitizenCountryCode(eIdentifier.getFirst()); - - // MDS attributes - result.setPseudonym(processPseudonym(eidasAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER))); - result.setFamilyName(processFamilyName(eidasAttrMap.get(Constants.eIDAS_ATTR_CURRENTFAMILYNAME))); - result.setGivenName(processGivenName(eidasAttrMap.get(Constants.eIDAS_ATTR_CURRENTGIVENNAME))); - result.setDateOfBirth(processDateOfBirth(eidasAttrMap.get(Constants.eIDAS_ATTR_DATEOFBIRTH))); - - // additional attributes - result.setPlaceOfBirth(processPlaceOfBirth(eidasAttrMap.get(Constants.eIDAS_ATTR_PLACEOFBIRTH))); - result.setBirthName(processBirthName(eidasAttrMap.get(Constants.eIDAS_ATTR_BIRTHNAME))); - result.setAddress(processAddress(eidasAttrMap.get(Constants.eIDAS_ATTR_CURRENTADDRESS))); - - return result; - + SimpleEidasData.SimpleEidasDataBuilder builder = SimpleEidasData.builder() + .personalIdentifier(EidasResponseUtils.processPersonalIdentifier( + eidasAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER))) + + // MDS attributes + .citizenCountryCode(processCountryCode(eidasAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER))) + .pseudonym(processPseudonym(eidasAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER))) + .familyName(processFamilyName(eidasAttrMap.get(Constants.eIDAS_ATTR_CURRENTFAMILYNAME))) + .givenName(processGivenName(eidasAttrMap.get(Constants.eIDAS_ATTR_CURRENTGIVENNAME))) + .dateOfBirth(processDateOfBirthToString(eidasAttrMap.get(Constants.eIDAS_ATTR_DATEOFBIRTH))) + + // additional attributes + .placeOfBirth(processPlaceOfBirth(eidasAttrMap.get(Constants.eIDAS_ATTR_PLACEOFBIRTH))) + .birthName(processBirthName(eidasAttrMap.get(Constants.eIDAS_ATTR_BIRTHNAME))) + .address(processAddress(eidasAttrMap.get(Constants.eIDAS_ATTR_CURRENTADDRESS))); + + if (eidasAttrMap.containsKey(Constants.eIDAS_ATTR_TAXREFERENCE)) { + builder.taxNumber(EidasResponseUtils.processTaxReference(eidasAttrMap.get(Constants.eIDAS_ATTR_TAXREFERENCE))); + + } + + return builder.build(); } - + /** * Get a Map of country-specific requested attributes. - * + * * @return */ @NonNull @@ -112,7 +115,7 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor { /** * Post-Process the eIDAS CurrentAddress attribute. - * + * * @param currentAddressObj eIDAS current address information * @return current address or null if no attribute is available * @throws EidPostProcessingException if post-processing fails @@ -120,34 +123,12 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor { */ protected PostalAddressType processAddress(Object currentAddressObj) throws EidPostProcessingException, EidasAttributeException { - - if (currentAddressObj != null) { - if (currentAddressObj instanceof PostalAddress) { - final PostalAddressType result = new PostalAddressType(); - result.setPostalCode(((PostalAddress) currentAddressObj).getPostCode()); - result.setMunicipality(((PostalAddress) currentAddressObj).getPostName()); - - // TODO: add more mappings - - return result; - - } else { - log.warn("eIDAS attr: " + Constants.eIDAS_ATTR_CURRENTADDRESS + " is of WRONG type"); - throw new EidasAttributeException(Constants.eIDAS_ATTR_CURRENTADDRESS); - - } - - } else { - log.debug("NO '" + Constants.eIDAS_ATTR_CURRENTADDRESS + "' attribute. Post-Processing skipped ... "); - } - - return null; - + return EidasResponseUtils.processAddress(currentAddressObj); } /** * Post-Process the eIDAS BirthName attribute. - * + * * @param birthNameObj eIDAS birthname information * @return birthName or null if no attribute is available * @throws EidPostProcessingException if post-processing fails @@ -155,27 +136,12 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor { */ protected String processBirthName(Object birthNameObj) throws EidPostProcessingException, EidasAttributeException { - if (birthNameObj != null) { - if (birthNameObj instanceof String) { - return (String) birthNameObj; - - } else { - log.warn("eIDAS attr: " + Constants.eIDAS_ATTR_BIRTHNAME + " is of WRONG type"); - throw new EidasAttributeException(Constants.eIDAS_ATTR_BIRTHNAME); - - } - - } else { - log.debug("NO '" + Constants.eIDAS_ATTR_BIRTHNAME + "' attribute. Post-Processing skipped ... "); - } - - return null; - + return EidasResponseUtils.processBirthName(birthNameObj); } /** * Post-Process the eIDAS PlaceOfBirth attribute. - * + * * @param placeOfBirthObj eIDAS Place-of-Birth information * @return place of Birth or null if no attribute is available * @throws EidPostProcessingException if post-processing fails @@ -183,27 +149,12 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor { */ protected String processPlaceOfBirth(Object placeOfBirthObj) throws EidPostProcessingException, EidasAttributeException { - if (placeOfBirthObj != null) { - if (placeOfBirthObj instanceof String) { - return (String) placeOfBirthObj; - - } else { - log.warn("eIDAS attr: " + Constants.eIDAS_ATTR_PLACEOFBIRTH + " is of WRONG type"); - throw new EidasAttributeException(Constants.eIDAS_ATTR_PLACEOFBIRTH); - - } - - } else { - log.debug("NO '" + Constants.eIDAS_ATTR_PLACEOFBIRTH + "' attribute. Post-Processing skipped ... "); - } - - return null; - + return EidasResponseUtils.processPlaceOfBirth(placeOfBirthObj); } /** * Post-Process the eIDAS DateOfBirth attribute. - * + * * @param dateOfBirthObj eIDAS date-of-birth attribute information * @return formated user's date-of-birth * @throws EidasAttributeException if NO attribute is available @@ -211,17 +162,12 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor { */ protected DateTime processDateOfBirth(Object dateOfBirthObj) throws EidPostProcessingException, EidasAttributeException { - if (dateOfBirthObj == null || !(dateOfBirthObj instanceof DateTime)) { - throw new EidasAttributeException(Constants.eIDAS_ATTR_DATEOFBIRTH); - } - - return (DateTime) dateOfBirthObj; - + return EidasResponseUtils.processDateOfBirth(dateOfBirthObj); } /** * Post-Process the eIDAS GivenName attribute. - * + * * @param givenNameObj eIDAS givenName attribute information * @return formated user's givenname * @throws EidasAttributeException if NO attribute is available @@ -229,17 +175,12 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor { */ protected String processGivenName(Object givenNameObj) throws EidPostProcessingException, EidasAttributeException { - if (givenNameObj == null || !(givenNameObj instanceof String)) { - throw new EidasAttributeException(Constants.eIDAS_ATTR_CURRENTGIVENNAME); - } - - return (String) givenNameObj; - + return EidasResponseUtils.processGivenName(givenNameObj); } /** * Post-Process the eIDAS FamilyName attribute. - * + * * @param familyNameObj eIDAS familyName attribute information * @return formated user's familyname * @throws EidasAttributeException if NO attribute is available @@ -247,17 +188,12 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor { */ protected String processFamilyName(Object familyNameObj) throws EidPostProcessingException, EidasAttributeException { - if (familyNameObj == null || !(familyNameObj instanceof String)) { - throw new EidasAttributeException(Constants.eIDAS_ATTR_CURRENTFAMILYNAME); - } - - return (String) familyNameObj; - + return EidasResponseUtils.processFamilyName(familyNameObj); } /** * Post-Process the eIDAS pseudonym to ERnB unique identifier. - * + * * @param personalIdObj eIDAS PersonalIdentifierAttribute * @return Unique personal identifier without country-code information * @throws EidasAttributeException if NO attribute is available @@ -265,15 +201,7 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor { */ protected String processPseudonym(Object personalIdObj) throws EidPostProcessingException, EidasAttributeException { - if (personalIdObj == null || !(personalIdObj instanceof String)) { - throw new EidasAttributeException(Constants.eIDAS_ATTR_PERSONALIDENTIFIER); - } - - final Triple<String, String, String> eIdentifier = - EidasResponseUtils.parseEidasPersonalIdentifier((String) personalIdObj); - - return eIdentifier.getThird(); - + return EidasResponseUtils.processPseudonym(personalIdObj); } /** @@ -389,7 +317,7 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor { return builder.build(); } - + private void buildLevelOfAssurance(ISpConfiguration spConfig, Builder authnRequestBuilder) { // TODO: set matching mode if eIDAS ref. impl. support this method @@ -412,7 +340,7 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor { log.debug("Request eIdAS node with LoA: " + loa); authnRequestBuilder.levelOfAssurance(loa); - + } } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/CountrySpecificDetailSearchProcessor.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/CountrySpecificDetailSearchProcessor.java new file mode 100644 index 00000000..c2a62f5c --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/CountrySpecificDetailSearchProcessor.java @@ -0,0 +1,56 @@ +/* + * Copyright 2020 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.handler; + +import javax.annotation.Nonnull; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; +import at.gv.bmi.namespace.zmr_su.zmr._20040201.PersonSuchenRequest; + +public interface CountrySpecificDetailSearchProcessor { + + /** + * Get a friendlyName of this post-processor implementation. + */ + String getName(); + + /** + * Check if this postProcessor is sensitive for a specific country. + * + * @param countryCode of the eID data that should be processed + * @param eidData eID information from eIDAS Proxy-Service + * @return true if this implementation can handle the country, otherwise false + */ + boolean canHandle(String countryCode, SimpleEidasData eidData); + + /** + * Builds a country-specific search person request for ZMR. + * + * @param eidData eID information from eIDAS Proxy-Service + * @return {@link PersonSuchenRequest} but never <code>null</code> + */ + @Nonnull + PersonSuchenRequest generateSearchRequest(SimpleEidasData eidData); + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/DeSpecificDetailSearchProcessor.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/DeSpecificDetailSearchProcessor.java new file mode 100644 index 00000000..e05fe86b --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/DeSpecificDetailSearchProcessor.java @@ -0,0 +1,82 @@ +/* + * Copyright 2020 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.handler; + +import org.apache.commons.lang3.StringUtils; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; +import at.gv.bmi.namespace.zmr_su.zmr._20040201.EidasSuchdatenType; +import at.gv.bmi.namespace.zmr_su.zmr._20040201.PersonSuchenRequest; +import at.gv.e_government.reference.namespace.persondata.de._20040201.NatuerlichePersonTyp; +import at.gv.e_government.reference.namespace.persondata.de._20040201.PersonenNameTyp; + +public class DeSpecificDetailSearchProcessor implements CountrySpecificDetailSearchProcessor { + + @Override + public String getName() { + return this.getClass().getSimpleName(); + } + + @Override + public boolean canHandle(String countryCode, SimpleEidasData eidData) { + return countryCode.equalsIgnoreCase(Constants.COUNTRY_CODE_DE) + && StringUtils.isNotEmpty(eidData.getBirthName()) + && StringUtils.isNotEmpty(eidData.getPlaceOfBirth()); + + } + + @Override + public PersonSuchenRequest generateSearchRequest(SimpleEidasData eidData) { + PersonSuchenRequest req = new PersonSuchenRequest(); + + //set basic MDS information + final NatuerlichePersonTyp searchNatPerson = new NatuerlichePersonTyp(); + req.setNatuerlichePerson(searchNatPerson); + final PersonenNameTyp searchNatPersonName = new PersonenNameTyp(); + searchNatPerson.setPersonenName(searchNatPersonName); + searchNatPersonName.setFamilienname(eidData.getFamilyName()); + searchNatPersonName.setVorname(eidData.getGivenName()); + searchNatPerson.setGeburtsdatum(eidData.getDateOfBirth()); + + //add addtional eIDAS attributes from DE + req.getEidasSuchdaten().add(buildEidasSuchData( + Constants.eIDAS_ATTRURN_PLACEOFBIRTH, eidData.getPlaceOfBirth())); + req.getEidasSuchdaten().add(buildEidasSuchData( + Constants.eIDAS_ATTRURN_BIRTHNAME, eidData.getBirthName())); + + return req; + + } + + private EidasSuchdatenType buildEidasSuchData(String attrName, String attrValue) { + EidasSuchdatenType eidasInfos = new EidasSuchdatenType(); + eidasInfos.setStaatscode2(Constants.COUNTRY_CODE_DE); + eidasInfos.setEidasArt(attrName); + eidasInfos.setEidasWert(attrValue); + return eidasInfos; + + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/INationalEidProcessor.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/INationalEidProcessor.java index 577efbcd..79a261fe 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/INationalEidProcessor.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/INationalEidProcessor.java @@ -25,7 +25,7 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.handler; import java.util.Map; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.ErnbEidData; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasAttributeException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPostProcessingException; import at.gv.egiz.eaaf.core.api.IRequest; @@ -36,7 +36,7 @@ public interface INationalEidProcessor { /** * Get a friendlyName of this post-processor implementation. - * + * * @return */ String getName(); @@ -46,34 +46,34 @@ public interface INationalEidProcessor { * If more than one Post-Processor implementations can handle the eID data, the * post-processor with the highest priority are selected. The Default-Processor * has priority '0' - * + * * @return Priority of this handler */ int getPriority(); /** * Check if this postProcessor is sensitive for a specific country. - * + * * @param countryCode of the eID data that should be processed * @return true if this implementation can handle the country, otherwise false - * + * */ boolean canHandle(String countryCode); /** * Post-Process eIDAS eID data into national format. - * + * * @param eidasAttrMap Map of eIDAS attributes in format friendlyName and * attribute * @throws EidPostProcessingException In case of a post-processing error * @throws EidasAttributeException In case of an invalid eIDAS attribute */ - ErnbEidData postProcess(Map<String, Object> eidasAttrMap) throws EidPostProcessingException, + SimpleEidasData postProcess(Map<String, Object> eidasAttrMap) throws EidPostProcessingException, EidasAttributeException; /** * Pre-Process eIDAS Request to national requirements. - * + * * @param pendingReq current pending request * @param authnRequestBuilder eIDAS {@link ILightRequest} builder */ diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/ItSpecificDetailSearchProcessor.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/ItSpecificDetailSearchProcessor.java new file mode 100644 index 00000000..b49c355d --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/ItSpecificDetailSearchProcessor.java @@ -0,0 +1,53 @@ +/* + * Copyright 2020 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.handler; + +import org.apache.commons.lang3.StringUtils; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; +import at.gv.bmi.namespace.zmr_su.zmr._20040201.PersonSuchenRequest; + +public class ItSpecificDetailSearchProcessor implements CountrySpecificDetailSearchProcessor { + + @Override + public String getName() { + return this.getClass().getSimpleName(); + } + + @Override + public boolean canHandle(String countryCode, SimpleEidasData eidData) { + return countryCode.equalsIgnoreCase(Constants.COUNTRY_CODE_IT) + && StringUtils.isNotEmpty(eidData.getTaxNumber()); + + } + + @Override + public PersonSuchenRequest generateSearchRequest(SimpleEidasData eidData) { + + //TODO: add IT specific search request if TaxNumber attribute is defined by IT + return new PersonSuchenRequest(); + + } +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthConstants.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthConstants.java new file mode 100644 index 00000000..46d0e77d --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthConstants.java @@ -0,0 +1,106 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; + + +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; + +import at.gv.egiz.eaaf.core.api.data.EaafConstants; +import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; +import at.gv.egiz.eaaf.core.impl.data.Triple; + + +public class IdAustriaClientAuthConstants { + + private IdAustriaClientAuthConstants() { + + } + + public static final String ERRORCODE_02 = "module.eidasauth.idaustria.02"; + public static final String ERRORCODE_05 = "module.eidasauth.idaustria.05"; + + public static final String SAML2_STATUSCODE_USERSTOP = "1005"; + + public static final String MODULE_NAME_FOR_LOGGING = "ID Austria Client"; + + public static final int METADATA_VALIDUNTIL_IN_HOURS = 24; + + // public static final String HTTP_PARAM_CENTRAL_EIDAS_AUTH_SELECTION = + // AuthHandlerConstants.HTTP_PARAM_EIDAS_PROCESS; + + public static final String ENDPOINT_POST = "/sp/idaustria/post"; + public static final String ENDPOINT_REDIRECT = "/sp/idaustria/redirect"; + public static final String ENDPOINT_METADATA = "/sp/idaustria/metadata"; + + public static final String CONFIG_PROPS_PREFIX = "modules.idaustriaclient."; + public static final String CONFIG_PROPS_KEYSTORE_TYPE = CONFIG_PROPS_PREFIX + "keystore.type"; + public static final String CONFIG_PROPS_KEYSTORE_NAME = CONFIG_PROPS_PREFIX + "keystore.name"; + public static final String CONFIG_PROPS_KEYSTORE_PATH = CONFIG_PROPS_PREFIX + "keystore.path"; + public static final String CONFIG_PROPS_KEYSTORE_PASSWORD = CONFIG_PROPS_PREFIX + "keystore.password"; + public static final String CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD = CONFIG_PROPS_PREFIX + + "metadata.sign.password"; + public static final String CONFIG_PROPS_SIGN_METADATA_ALIAS = CONFIG_PROPS_PREFIX + + "metadata.sign.alias"; + public static final String CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD = CONFIG_PROPS_PREFIX + + "request.sign.password"; + public static final String CONFIG_PROPS_SIGN_SIGNING_ALIAS = CONFIG_PROPS_PREFIX + + "request.sign.alias"; + public static final String CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD = CONFIG_PROPS_PREFIX + + "response.encryption.password"; + public static final String CONFIG_PROPS_ENCRYPTION_ALIAS = CONFIG_PROPS_PREFIX + + "response.encryption.alias"; + + public static final String CONFIG_PROPS_TRUSTSTORE_TYPE = CONFIG_PROPS_PREFIX + "truststore.type"; + public static final String CONFIG_PROPS_TRUSTSTORE_NAME = CONFIG_PROPS_PREFIX + "truststore.name"; + public static final String CONFIG_PROPS_TRUSTSTORE_PATH = CONFIG_PROPS_PREFIX + "truststore.path"; + public static final String CONFIG_PROPS_TRUSTSTORE_PASSWORD = CONFIG_PROPS_PREFIX + "truststore.password"; + + public static final String CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST = CONFIG_PROPS_PREFIX + + "required.additional.attributes"; + public static final String CONFIG_PROPS_REQUIRED_LOA = CONFIG_PROPS_PREFIX + + "required.loa"; + public static final String CONFIG_PROPS_ID_AUSTRIA_ENTITYID = CONFIG_PROPS_PREFIX + "idaustria.idp.entityId"; + public static final String CONFIG_PROPS_ID_AUSTRIA_METADATAURL = CONFIG_PROPS_PREFIX + "idaustria.idp.metadataUrl"; + + public static final String CONFIG_DEFAULT_LOA_EIDAS_LEVEL = EaafConstants.EIDAS_LOA_HIGH; + + public static final List<Triple<String, String, Boolean>> DEFAULT_REQUIRED_PVP_ATTRIBUTES = + Collections.unmodifiableList(new ArrayList<Triple<String, String, Boolean>>() { + private static final long serialVersionUID = 1L; + + { + // add PVP Version attribute + add(Triple.newInstance(PvpAttributeDefinitions.PVP_VERSION_NAME, + PvpAttributeDefinitions.PVP_VERSION_FRIENDLY_NAME, true)); + + // entity metadata information + add(Triple.newInstance(PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME, + PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_FRIENDLY_NAME, true)); + add(Triple.newInstance(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, + PvpAttributeDefinitions.EID_ISSUING_NATION_FRIENDLY_NAME, true)); + + add(Triple.newInstance(PvpAttributeDefinitions.PRINCIPAL_NAME_NAME, + PvpAttributeDefinitions.PRINCIPAL_NAME_FRIENDLY_NAME, true)); + add(Triple.newInstance(PvpAttributeDefinitions.GIVEN_NAME_NAME, + PvpAttributeDefinitions.GIVEN_NAME_FRIENDLY_NAME, true)); + add(Triple.newInstance(PvpAttributeDefinitions.BIRTHDATE_NAME, + PvpAttributeDefinitions.BIRTHDATE_FRIENDLY_NAME, true)); + add(Triple.newInstance(PvpAttributeDefinitions.BPK_NAME, + PvpAttributeDefinitions.BPK_FRIENDLY_NAME, true)); + + } + }); + + public static final List<String> DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES = + + Collections.unmodifiableList(new ArrayList<String>() { + private static final long serialVersionUID = 1L; + + { + for (final Triple<String, String, Boolean> el : DEFAULT_REQUIRED_PVP_ATTRIBUTES) { + add(el.getFirst()); + } + } + }); + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthEventConstants.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthEventConstants.java new file mode 100644 index 00000000..03e570fc --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthEventConstants.java @@ -0,0 +1,7 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; + +public class IdAustriaClientAuthEventConstants { + + public static final int AUTHPROCESS_ID_AUSTRIA_RESPONSE_RECEIVED = 6202; + public static final int AUTHPROCESS_ID_AUSTRIA_RESPONSE_RECEIVED_ERROR = 6203; +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthMetadataConfiguration.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthMetadataConfiguration.java new file mode 100644 index 00000000..4527ced4 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthMetadataConfiguration.java @@ -0,0 +1,463 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; + + +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collection; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import org.opensaml.saml.saml2.core.Attribute; +import org.opensaml.saml.saml2.core.NameIDType; +import org.opensaml.saml.saml2.metadata.ContactPerson; +import org.opensaml.saml.saml2.metadata.Organization; +import org.opensaml.saml.saml2.metadata.RequestedAttribute; +import org.opensaml.security.credential.Credential; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider.IdAustriaClientAuthCredentialProvider; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.data.Triple; +import at.gv.egiz.eaaf.modules.pvp2.api.IPvp2BasicConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataBuilderConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder; +import lombok.extern.slf4j.Slf4j; + +/** + * Configuration object to generate PVP S-Profile metadata for SAML2 client. + * + * @author tlenz + * + */ +@Slf4j +public class IdAustriaClientAuthMetadataConfiguration implements IPvpMetadataBuilderConfiguration { + + private Collection<RequestedAttribute> additionalAttributes = null; + + private final String authUrl; + private final IdAustriaClientAuthCredentialProvider credentialProvider; + private final IPvp2BasicConfiguration pvpConfiguration; + + /** + * Configuration object to create PVP2 S-Profile metadata information. + * + * @param authUrl Public URL prefix of the application + * @param credentialProvider Credentials used by PVP2 S-Profile end-point + * @param pvpConfiguration Basic PVP2 S-Profile end-point configuration + */ + public IdAustriaClientAuthMetadataConfiguration(String authUrl, + IdAustriaClientAuthCredentialProvider credentialProvider, + IPvp2BasicConfiguration pvpConfiguration) { + this.authUrl = authUrl; + this.credentialProvider = credentialProvider; + this.pvpConfiguration = pvpConfiguration; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getMetadataValidUntil() + */ + @Override + public int getMetadataValidUntil() { + return IdAustriaClientAuthConstants.METADATA_VALIDUNTIL_IN_HOURS; + + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * buildEntitiesDescriptorAsRootElement() + */ + @Override + public boolean buildEntitiesDescriptorAsRootElement() { + return false; + + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * buildIDPSSODescriptor() + */ + @Override + public boolean buildIdpSsoDescriptor() { + return false; + + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * buildSPSSODescriptor() + */ + @Override + public boolean buildSpSsoDescriptor() { + return true; + + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getEntityIDPostfix() + */ + @Override + public String getEntityID() { + return authUrl + IdAustriaClientAuthConstants.ENDPOINT_METADATA; + + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getEntityFriendlyName() + */ + @Override + public String getEntityFriendlyName() { + return null; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getContactPersonInformation() + */ + @Override + public List<ContactPerson> getContactPersonInformation() { + try { + return pvpConfiguration.getIdpContacts(); + + } catch (final EaafException e) { + log.warn("Can not load Metadata entry: Contect Person", e); + return null; + + } + + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getOrgansiationInformation() + */ + @Override + public Organization getOrgansiationInformation() { + try { + return pvpConfiguration.getIdpOrganisation(); + + } catch (final EaafException e) { + log.warn("Can not load Metadata entry: Organisation", e); + return null; + + } + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getMetadataSigningCredentials() + */ + @Override + public EaafX509Credential getMetadataSigningCredentials() throws CredentialsNotAvailableException { + return credentialProvider.getMetaDataSigningCredential(); + + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getRequestorResponseSigningCredentials() + */ + @Override + public Credential getRequestorResponseSigningCredentials() throws CredentialsNotAvailableException { + return credentialProvider.getMessageSigningCredential(); + + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getEncryptionCredentials() + */ + @Override + public Credential getEncryptionCredentials() throws CredentialsNotAvailableException { + return credentialProvider.getMessageEncryptionCredential(); + + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getIDPWebSSOPostBindingURL() + */ + @Override + public String getIdpWebSsoPostBindingUrl() { + return null; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getIDPWebSSORedirectBindingURL() + */ + @Override + public String getIdpWebSsoRedirectBindingUrl() { + return null; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getIDPSLOPostBindingURL() + */ + @Override + public String getIdpSloPostBindingUrl() { + return null; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getIDPSLORedirectBindingURL() + */ + @Override + public String getIdpSloRedirectBindingUrl() { + return null; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getSPAssertionConsumerServicePostBindingURL() + */ + @Override + public String getSpAssertionConsumerServicePostBindingUrl() { + return authUrl + IdAustriaClientAuthConstants.ENDPOINT_POST; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getSPAssertionConsumerServiceRedirectBindingURL() + */ + @Override + public String getSpAssertionConsumerServiceRedirectBindingUrl() { + return authUrl + IdAustriaClientAuthConstants.ENDPOINT_REDIRECT; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getSPSLOPostBindingURL() + */ + @Override + public String getSpSloPostBindingUrl() { + return null; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getSPSLORedirectBindingURL() + */ + @Override + public String getSpSloRedirectBindingUrl() { + return null; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getSPSLOSOAPBindingURL() + */ + @Override + public String getSpSloSoapBindingUrl() { + return null; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getIDPPossibleAttributes() + */ + @Override + public List<Attribute> getIdpPossibleAttributes() { + return null; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getIDPPossibleNameITTypes() + */ + @Override + public List<String> getIdpPossibleNameIdTypes() { + return null; + } + + + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getSPRequiredAttributes() + */ + @Override + public Collection<RequestedAttribute> getSpRequiredAttributes() { + final Map<String, RequestedAttribute> requestedAttributes = new HashMap<>(); + + + log.trace("Build required attributes for ID Austria operaton ... "); + injectDefinedAttributes(requestedAttributes, + IdAustriaClientAuthConstants.DEFAULT_REQUIRED_PVP_ATTRIBUTES); + + + + if (additionalAttributes != null) { + log.trace("Add additional PVP attributes into metadata ... "); + for (final RequestedAttribute el : additionalAttributes) { + if (requestedAttributes.containsKey(el.getName())) { + log.debug("Attribute " + el.getName() + + " is already added by default configuration. Overwrite it by user configuration"); + } + requestedAttributes.put(el.getName(), el); + } + } + + return requestedAttributes.values(); + + } + + + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getSPAllowedNameITTypes() + */ + @Override + public List<String> getSpAllowedNameIdTypes() { + return Arrays.asList(NameIDType.PERSISTENT); + + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPMetadataBuilderConfiguration#getSPNameForLogging() + */ + @Override + public String getSpNameForLogging() { + return IdAustriaClientAuthConstants.MODULE_NAME_FOR_LOGGING; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPMetadataBuilderConfiguration#wantAssertionSigned() + */ + @Override + public boolean wantAssertionSigned() { + return false; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPMetadataBuilderConfiguration#wantAuthnRequestSigned() + */ + @Override + public boolean wantAuthnRequestSigned() { + return true; + } + + /** + * Add additonal PVP attributes that are required by this deployment. + * + * @param additionalAttr List of PVP attribute name and isRequired flag + */ + public void setAdditionalRequiredAttributes(List<Pair<String, Boolean>> additionalAttr) { + if (additionalAttr != null && !additionalAttr.isEmpty()) { + additionalAttributes = new ArrayList<>(); + for (final Pair<String, Boolean> el : additionalAttr) { + final Attribute attributBuilder = PvpAttributeBuilder.buildEmptyAttribute(el.getFirst()); + if (attributBuilder != null) { + additionalAttributes.add( + PvpAttributeBuilder.buildReqAttribute( + attributBuilder.getName(), + attributBuilder.getFriendlyName(), + el.getSecond())); + + } else { + log.info("NO PVP attribute with name: " + el.getFirst()); + } + + } + } + } + + private void injectDefinedAttributes(Map<String, RequestedAttribute> requestedAttributes, + List<Triple<String, String, Boolean>> attributes) { + for (final Triple<String, String, Boolean> el : attributes) { + requestedAttributes.put(el.getFirst(), PvpAttributeBuilder.buildReqAttribute(el.getFirst(), el + .getSecond(), el.getThird())); + + } + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthRequestBuilderConfiguration.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthRequestBuilderConfiguration.java new file mode 100644 index 00000000..65b6a198 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthRequestBuilderConfiguration.java @@ -0,0 +1,300 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; + +import java.util.List; + +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; +import at.gv.egiz.eaaf.modules.pvp2.sp.api.IPvpAuthnRequestBuilderConfiguruation; + +import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration; +import org.opensaml.saml.saml2.core.NameIDType; +import org.opensaml.saml.saml2.metadata.EntityDescriptor; +import org.w3c.dom.Element; + +public class IdAustriaClientAuthRequestBuilderConfiguration implements IPvpAuthnRequestBuilderConfiguruation { + + private boolean isPassive; + private String spEntityId; + private String qaaLevel; + private EntityDescriptor idpEntity; + private EaafX509Credential signCred; + private String scopeRequesterId; + private String providerName; + private List<EaafRequestedAttribute> requestedAttributes; + private String reqId; + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#isPassivRequest() + */ + @Override + public Boolean isPassivRequest() { + return this.isPassive; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getAssertionConsumerServiceId() + */ + @Override + public Integer getAssertionConsumerServiceId() { + return 0; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getEntityID() + */ + @Override + public String getSpEntityID() { + return this.spEntityId; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy() + */ + @Override + public String getNameIdPolicyFormat() { + return NameIDType.PERSISTENT; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy() + */ + @Override + public boolean getNameIdPolicyAllowCreation() { + return true; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getAuthnContextClassRef() + */ + @Override + public String getAuthnContextClassRef() { + return this.qaaLevel; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getAuthnContextComparison() + */ + @Override + public AuthnContextComparisonTypeEnumeration getAuthnContextComparison() { + return AuthnContextComparisonTypeEnumeration.MINIMUM; + } + + /** + * Set isPassive flag in SAML2 request. + * + * @param isPassive the isPassive to set. + */ + public void setPassive(boolean isPassive) { + this.isPassive = isPassive; + } + + /** + * Set the requester EntityId. + * + * @param spEntityId EntityId of SP + */ + public void setSpEntityID(String spEntityId) { + this.spEntityId = spEntityId; + } + + /** + * Set required LoA. + * + * @param loa the LoA to set. + */ + public void setRequestedLoA(String loa) { + qaaLevel = loa; + } + + /** + * Set EntityId of IDP. + * + * @param idpEntity the idpEntity to set. + */ + public void setIdpEntity(EntityDescriptor idpEntity) { + this.idpEntity = idpEntity; + } + + /** + * Set message signing credentials. + * + * @param signCred the signCred to set. + */ + public void setSignCred(EaafX509Credential signCred) { + this.signCred = signCred; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getAuthnRequestSigningCredential() + */ + @Override + public EaafX509Credential getAuthnRequestSigningCredential() { + return this.signCred; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getIDPEntityDescriptor() + */ + @Override + public EntityDescriptor getIdpEntityDescriptor() { + return this.idpEntity; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getSubjectNameID() + */ + @Override + public String getSubjectNameID() { + return null; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getSPNameForLogging() + */ + @Override + public String getSpNameForLogging() { + return IdAustriaClientAuthConstants.MODULE_NAME_FOR_LOGGING; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDFormat() + */ + @Override + public String getSubjectNameIdFormat() { + return null; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getRequestID() + */ + @Override + public String getRequestID() { + return this.reqId; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDQualifier() + */ + @Override + public String getSubjectNameIdQualifier() { + return null; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationMethode() + */ + @Override + public String getSubjectConformationMethode() { + return null; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationDate() + */ + @Override + public Element getSubjectConformationDate() { + return null; + } + + @Override + public List<EaafRequestedAttribute> getRequestedAttributes() { + return this.requestedAttributes; + + } + + @Override + public String getProviderName() { + return this.providerName; + } + + @Override + public String getScopeRequesterId() { + return this.scopeRequesterId; + } + + /** + * Set the entityId of the SP that requests the proxy for eIDAS authentication. + * + * @param scopeRequesterId RequestId in SAML2 Proxy extension + */ + public void setScopeRequesterId(String scopeRequesterId) { + this.scopeRequesterId = scopeRequesterId; + } + + /** + * Set a friendlyName for the SP that requests the proxy for eIDAS + * authentication. + * + * @param providerName SAML2 provider-name attribute-value + */ + public void setProviderName(String providerName) { + this.providerName = providerName; + } + + /** + * Set a Set of PVP attributes that a requested by using requested attributes. + * + * @param requestedAttributes Requested SAML2 attributes + */ + public void setRequestedAttributes(List<EaafRequestedAttribute> requestedAttributes) { + this.requestedAttributes = requestedAttributes; + } + + /** + * Set a RequestId for this Authn. Request. + * + * @param reqId SAML2 message requestId + */ + public void setRequestId(String reqId) { + this.reqId = reqId; + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/controller/IdAustriaClientAuthMetadataController.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/controller/IdAustriaClientAuthMetadataController.java new file mode 100644 index 00000000..1e4b27f7 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/controller/IdAustriaClientAuthMetadataController.java @@ -0,0 +1,122 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.controller; + + +import java.io.IOException; +import java.net.MalformedURLException; +import java.net.URL; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; + +import com.google.common.net.MediaType; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthMetadataConfiguration; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider.IdAustriaClientAuthCredentialProvider; +import at.gv.egiz.eaaf.core.exceptions.EaafAuthenticationException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.http.HttpUtils; +import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController; +import at.gv.egiz.eaaf.modules.pvp2.api.IPvp2BasicConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpMetadataBuilder; +import lombok.extern.slf4j.Slf4j; + +/** + * Controller that generates SAML2 metadata for eIDAS authentication client. + * + * @author tlenz + * + */ +@Slf4j +@Controller +public class IdAustriaClientAuthMetadataController extends AbstractController { + + private static final String ERROR_CODE_INTERNAL_00 = "eaaf.core.00"; + + @Autowired + PvpMetadataBuilder metadatabuilder; + @Autowired + IdAustriaClientAuthCredentialProvider credentialProvider; + @Autowired + IPvp2BasicConfiguration pvpConfiguration; + + /** + * Default construction with logging. + * + */ + public IdAustriaClientAuthMetadataController() { + super(); + log.debug("Registering servlet " + getClass().getName() + + " with mappings '" + IdAustriaClientAuthConstants.ENDPOINT_METADATA + + "'."); + + } + + /** + * End-point that produce PVP2 metadata for eIDAS authentication client. + * + * @param req http Request + * @param resp http Response + * @throws IOException In case of an I/O error + * @throws EaafException In case of a metadata generation error + */ + @RequestMapping(value = IdAustriaClientAuthConstants.ENDPOINT_METADATA, + method = { RequestMethod.GET }) + public void getSpMetadata(HttpServletRequest req, HttpServletResponse resp) throws IOException, + EaafException { + // check PublicURL prefix + try { + final String authUrl = getAuthUrlFromHttpContext(req); + + // initialize metadata builder configuration + final IdAustriaClientAuthMetadataConfiguration metadataConfig = + new IdAustriaClientAuthMetadataConfiguration(authUrl, credentialProvider, pvpConfiguration); + // metadataConfig.setAdditionalRequiredAttributes(getAdditionalRequiredAttributes()); + + // build metadata + final String xmlMetadata = metadatabuilder.buildPvpMetadata(metadataConfig); + + // write response + final byte[] content = xmlMetadata.getBytes("UTF-8"); + resp.setStatus(HttpServletResponse.SC_OK); + resp.setContentLength(content.length); + resp.setContentType(MediaType.XML_UTF_8.toString()); + resp.getOutputStream().write(content); + + } catch (final Exception e) { + log.warn("Build federated-authentication PVP metadata FAILED.", e); + protAuthService.handleErrorNoRedirect(e, req, resp, false); + + } + + } + + private String getAuthUrlFromHttpContext(HttpServletRequest req) throws EaafException { + // check if End-Point is valid + final String authUrlString = HttpUtils.extractAuthUrlFromRequest(req); + URL authReqUrl; + try { + authReqUrl = new URL(authUrlString); + + } catch (final MalformedURLException e) { + log.warn("Requested URL: {} is not a valid URL.", authUrlString); + throw new EaafAuthenticationException(ERROR_CODE_INTERNAL_00, new Object[] { authUrlString }, e); + + } + + final String idpAuthUrl = authConfig.validateIdpUrl(authReqUrl); + if (idpAuthUrl == null) { + log.warn("Requested URL: {} is NOT found in configuration.", authReqUrl); + throw new EaafAuthenticationException(ERROR_CODE_INTERNAL_00, new Object[] { authUrlString }); + + } + + return idpAuthUrl; + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/controller/IdAustriaClientAuthSignalController.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/controller/IdAustriaClientAuthSignalController.java new file mode 100644 index 00000000..eca21683 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/controller/IdAustriaClientAuthSignalController.java @@ -0,0 +1,95 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.controller; + + +import java.io.IOException; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.lang3.StringUtils; +import org.apache.commons.text.StringEscapeUtils; +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController; +import lombok.extern.slf4j.Slf4j; + +/** + * IdAustria client controller that receives the response from ID Austria system. + * + * @author tlenz + * + */ +@Slf4j +@Controller +public class IdAustriaClientAuthSignalController extends AbstractProcessEngineSignalController { + + public static final String HTTP_PARAM_RELAYSTATE = "RelayState"; + + /** + * Default constructor with logging. + * + */ + public IdAustriaClientAuthSignalController() { + super(); + log.debug("Registering servlet " + getClass().getName() + + " with mappings '" + IdAustriaClientAuthConstants.ENDPOINT_POST + + "' and '" + IdAustriaClientAuthConstants.ENDPOINT_REDIRECT + "'."); + + } + + /** + * HTTP end-point for incoming SAML2 Response from ID Austria system. + * + * @param req HTTP request + * @param resp HTTP response + * @throws IOException In case of a HTTP communication error + * @throws EaafException In case of a state-validation problem + */ + @RequestMapping(value = { IdAustriaClientAuthConstants.ENDPOINT_POST, + IdAustriaClientAuthConstants.ENDPOINT_REDIRECT }, + method = { RequestMethod.POST, RequestMethod.GET }) + public void performAuthentication(HttpServletRequest req, HttpServletResponse resp) + throws IOException, EaafException { + signalProcessManagement(req, resp); + + } + + /** + * Read the PendingRequestId from SAML2 RelayState parameter. + */ + @Override + public String getPendingRequestId(HttpServletRequest request) { + String relayState = StringEscapeUtils.escapeHtml4(request.getParameter(HTTP_PARAM_RELAYSTATE)); + if (StringUtils.isNotEmpty(relayState)) { + try { + String pendingReqId = transactionStorage.get(relayState, String.class); + if (StringUtils.isNotEmpty(pendingReqId)) { + + return pendingReqId; + + } else { + log.info("SAML2 RelayState from request is unknown. Can NOT restore session ... "); + + } + + } catch (EaafException e) { + log.error("Can NOT map SAML2 RelayState to pendingRequestId", e); + + } finally { + transactionStorage.remove(relayState); + + } + + } else { + log.info("No SAML2 relaystate. Can NOT restore session ... "); + + } + + return null; + + } +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/provider/IdAustriaClientAuthCredentialProvider.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/provider/IdAustriaClientAuthCredentialProvider.java new file mode 100644 index 00000000..5b6085c1 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/provider/IdAustriaClientAuthCredentialProvider.java @@ -0,0 +1,132 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider; + +import org.springframework.beans.factory.annotation.Autowired; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider; + +/** + * Credential provider for eIDAS PVP S-Profile client. + * + * @author tlenz + * + */ +public class IdAustriaClientAuthCredentialProvider extends AbstractCredentialProvider { + + @Autowired + IConfiguration authConfig; + + private static final String FRIENDLYNAME = "ID Austria authentication"; + + @Override + public KeyStoreConfiguration getBasicKeyStoreConfig() throws EaafConfigurationException { + final KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration(); + keyStoreConfig.setFriendlyName(FRIENDLYNAME); + keyStoreConfig.setKeyStoreType( + authConfig.getBasicConfiguration(IdAustriaClientAuthConstants.CONFIG_PROPS_KEYSTORE_TYPE, + KeyStoreType.PKCS12.getKeyStoreType())); + keyStoreConfig.setKeyStoreName( + authConfig.getBasicConfiguration(IdAustriaClientAuthConstants.CONFIG_PROPS_KEYSTORE_NAME)); + keyStoreConfig.setSoftKeyStoreFilePath(getKeyStoreFilePath()); + keyStoreConfig.setSoftKeyStorePassword( + authConfig.getBasicConfiguration(IdAustriaClientAuthConstants.CONFIG_PROPS_KEYSTORE_PASSWORD)); + + return keyStoreConfig; + + } + + private String getKeyStoreFilePath() throws EaafConfigurationException { + final String path = authConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_KEYSTORE_PATH); + if (path == null) { + throw new EaafConfigurationException(Constants.ERRORCODE_00, + new Object[] { IdAustriaClientAuthConstants.CONFIG_PROPS_KEYSTORE_PATH }); + + } + return path; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# + * getMetadataKeyAlias() + */ + @Override + public String getMetadataKeyAlias() { + return authConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_SIGN_METADATA_ALIAS); + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# + * getMetadataKeyPassword() + */ + @Override + public String getMetadataKeyPassword() { + return authConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD); + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# + * getSignatureKeyAlias() + */ + @Override + public String getSignatureKeyAlias() { + return authConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_SIGN_SIGNING_ALIAS); + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# + * getSignatureKeyPassword() + */ + @Override + public String getSignatureKeyPassword() { + return authConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD); + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# + * getEncryptionKeyAlias() + */ + @Override + public String getEncryptionKeyAlias() { + return authConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_ENCRYPTION_ALIAS); + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# + * getEncryptionKeyPassword() + */ + @Override + public String getEncryptionKeyPassword() { + return authConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD); + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/provider/IdAustriaClientAuthHealthCheck.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/provider/IdAustriaClientAuthHealthCheck.java new file mode 100644 index 00000000..b54b501d --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/provider/IdAustriaClientAuthHealthCheck.java @@ -0,0 +1,56 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider; + +import org.apache.commons.lang3.StringUtils; +import org.opensaml.saml.saml2.metadata.EntityDescriptor; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.actuate.health.Health; +import org.springframework.boot.actuate.health.HealthIndicator; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import lombok.extern.slf4j.Slf4j; +import net.shibboleth.utilities.java.support.resolver.ResolverException; + +/** + * Spring Actuator HealthCheck for ID Austria client that evaluates the current status of + * ID Austria SAML2 metadata that are loaded into MS-Connector. + * + * @author tlenz + * + */ +@Slf4j +public class IdAustriaClientAuthHealthCheck implements HealthIndicator { + + @Autowired IConfiguration authConfig; + @Autowired IdAustriaClientAuthMetadataProvider metadataService; + + @Override + public Health health() { + String msNodeEntityID = authConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_ID_AUSTRIA_ENTITYID); + + if (StringUtils.isEmpty(msNodeEntityID)) { + log.trace("No ID Austria EntityId in configuration. Skipping tests ... "); + return Health.unknown().build(); + + } + + try { + EntityDescriptor connectorMetadata = + metadataService.getEntityDescriptor(msNodeEntityID); + if (connectorMetadata != null) { + return Health.up().build(); + + } else { + return Health.outOfService().withDetail("Reason", "No SAML2 metadata").build(); + + } + + } catch (ResolverException e) { + return Health.down(e).build(); + + } + + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/provider/IdAustriaClientAuthMetadataProvider.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/provider/IdAustriaClientAuthMetadataProvider.java new file mode 100644 index 00000000..7c87548f --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/provider/IdAustriaClientAuthMetadataProvider.java @@ -0,0 +1,169 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider; + +import java.io.IOException; +import java.security.KeyStore; +import java.security.Provider; +import java.security.cert.CertificateException; +import java.text.MessageFormat; +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; + +import javax.annotation.PostConstruct; + +import org.apache.commons.lang3.StringUtils; +import org.opensaml.saml.metadata.resolver.MetadataResolver; +import org.opensaml.saml.metadata.resolver.filter.MetadataFilter; +import org.opensaml.saml.metadata.resolver.filter.MetadataFilterChain; +import org.springframework.beans.factory.annotation.Autowired; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.http.IHttpClientFactory; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.AbstractChainingMetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SchemaValidationFilter; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SimpleMetadataSignatureVerificationFilter; +import lombok.extern.slf4j.Slf4j; + +/** + * SAML2 metadata-provider implementation for ID Austria client. + * + * @author tlenz + * + */ +@Slf4j +public class IdAustriaClientAuthMetadataProvider extends AbstractChainingMetadataProvider { + + private static final String FRIENDLYNAME_METADATA_TRUSTSTORE = "'ID Austria client metadata truststore'"; + private static final String PROVIDER_ID_PATTERN = "eIDAS resolver: {0}"; + public static final String PROVIDER_ID = "'ID Austria client metadata-provider'"; + + @Autowired + private IConfiguration basicConfig; + + @Autowired + private PvpMetadataResolverFactory metadataProviderFactory; + @Autowired + private IHttpClientFactory httpClientFactory; + + @Autowired + private EaafKeyStoreFactory keyStoreFactory; + + private Pair<KeyStore, Provider> metadataSigningTrustStore; + + @Override + protected String getMetadataUrl(String entityId) throws EaafConfigurationException { + log.trace("ID Austria. uses SAML2 well-known location approach. EntityId is Metadata-URL"); + return entityId; + + } + + @Override + protected MetadataResolver createNewMetadataProvider(String entityId) throws EaafConfigurationException, + IOException, CertificateException { + final List<MetadataFilter> filterList = new ArrayList<>(); + filterList.add(new SchemaValidationFilter(true)); + filterList.add(new SimpleMetadataSignatureVerificationFilter( + metadataSigningTrustStore.getFirst(), entityId)); + + final MetadataFilterChain filter = new MetadataFilterChain(); + filter.setFilters(filterList); + + try { + return metadataProviderFactory.createMetadataProvider(getMetadataUrl(entityId), + filter, + MessageFormat.format(PROVIDER_ID_PATTERN, entityId), + httpClientFactory.getHttpClient()); + + } catch (final Pvp2MetadataException e) { + log.info("Can NOT build metadata provider for entityId: {}", entityId); + throw new EaafConfigurationException(IdAustriaClientAuthConstants.ERRORCODE_05, + new Object[] { entityId, e.getMessage() }, e); + + } + } + + @Override + protected List<String> getAllMetadataUrlsFromConfiguration() throws EaafConfigurationException { + return Collections.emptyList(); + + } + + @Override + protected String getMetadataProviderId() { + return PROVIDER_ID; + + } + + @Override + public void runGarbageCollector() { + log.trace("Garbage collection is NOT supported by: {}", getId()); + } + + @Override + public void doDestroy() { + super.fullyDestroy(); + + } + + @PostConstruct + private void initialize() throws EaafException { + // initialize truststore to validate metadata signing certificates + initializeTrustStore(); + + // load metadata with metadataURL, as backup + initializeFileSystemMetadata(); + + } + + private void initializeFileSystemMetadata() { + try { + final String metadataUrl = basicConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_ID_AUSTRIA_METADATAURL); + if (StringUtils.isNotEmpty(metadataUrl)) { + log.info("Use not recommended metadata-provider initialization!" + + " SAML2 'Well-Known-Location' is the preferred methode."); + log.info("Initialize 'ms-specific eIDAS node' metadata-provider with URL: {}", metadataUrl); + + addMetadataResolverIntoChain(createNewMetadataProvider(metadataUrl)); + } + + } catch (final EaafConfigurationException | CertificateException | IOException e) { + log.warn("Can NOT inject static eIDAS Node metadata-soure.", e); + log.warn("eIDAS Node communication can be FAIL."); + + } + } + + private void initializeTrustStore() throws EaafException { + // set configuration + final KeyStoreConfiguration trustStoreConfig = new KeyStoreConfiguration(); + trustStoreConfig.setFriendlyName(FRIENDLYNAME_METADATA_TRUSTSTORE); + trustStoreConfig.setKeyStoreType(basicConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_TRUSTSTORE_TYPE, + KeyStoreType.JKS.getKeyStoreType())); + trustStoreConfig.setKeyStoreName(basicConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_TRUSTSTORE_NAME)); + trustStoreConfig.setSoftKeyStoreFilePath(basicConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_TRUSTSTORE_PATH)); + trustStoreConfig.setSoftKeyStorePassword(basicConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_TRUSTSTORE_PASSWORD)); + + // validate configuration + trustStoreConfig.validate(); + + // open new TrustStore + metadataSigningTrustStore = keyStoreFactory.buildNewKeyStore(trustStoreConfig); + + } + +} + diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/CcSpecificEidProcessingService.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/CcSpecificEidProcessingService.java index 230d6052..b5493edb 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/CcSpecificEidProcessingService.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/CcSpecificEidProcessingService.java @@ -32,6 +32,7 @@ import java.util.Map.Entry; import javax.annotation.PostConstruct; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; import org.apache.commons.lang3.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -40,7 +41,6 @@ import org.springframework.context.ApplicationContext; import org.springframework.stereotype.Service; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.ErnbEidData; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPostProcessingException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasAttributeException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.handler.INationalEidProcessor; @@ -104,7 +104,7 @@ public class CcSpecificEidProcessingService implements ICcSpecificEidProcessingS } @Override - public ErnbEidData postProcess(Map<String, Object> eidasAttrMap) throws EidPostProcessingException, + public SimpleEidasData postProcess(Map<String, Object> eidasAttrMap) throws EidPostProcessingException, EidasAttributeException { // extract citizen country from eIDAS unique identifier final Object eIdentifierObj = eidasAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER); diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/ICcSpecificEidProcessingService.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/ICcSpecificEidProcessingService.java index ebbc15e4..fb9ba318 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/ICcSpecificEidProcessingService.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/ICcSpecificEidProcessingService.java @@ -25,7 +25,7 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.service; import java.util.Map; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.ErnbEidData; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasAttributeException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPostProcessingException; import at.gv.egiz.eaaf.core.api.IRequest; @@ -36,20 +36,20 @@ public interface ICcSpecificEidProcessingService { /** * Post-process eIDAS eID attributes into national format. - * + * * @param eidasAttrMap Map of eIDAS attributes in format friendlyName and * attribute - * + * * @return eID attributes for SZR request * @throws EidPostProcessingException In case of a post-processing error * @throws EidasAttributeException In case of an invalid eIDAS attribute value */ - ErnbEidData postProcess(Map<String, Object> eidasAttrMap) throws EidPostProcessingException, + SimpleEidasData postProcess(Map<String, Object> eidasAttrMap) throws EidPostProcessingException, EidasAttributeException; /** * Pre Process eIDAS request into national requirements. - * + * * @param selectedCC Citizen Country from selection * @param pendingReq current pending request * @param authnRequestBuilder eIDAS {@link ILightRequest} builder diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/RegisterSearchService.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/RegisterSearchService.java new file mode 100644 index 00000000..047d75ae --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/RegisterSearchService.java @@ -0,0 +1,387 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.service; + +import java.math.BigInteger; +import java.util.Collections; +import java.util.List; + +import javax.annotation.Nonnull; + +import org.jetbrains.annotations.Nullable; +import org.springframework.stereotype.Service; + +import com.google.common.collect.Streams; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.clients.zmr.IZmrClient; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.clients.zmr.ZmrSoapClient.ZmrRegisterResult; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.RegisterResult; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.ernp.IErnpClient; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasSAuthenticationException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.WorkflowException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.ZmrCommunicationException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.handler.CountrySpecificDetailSearchProcessor; +import lombok.AllArgsConstructor; +import lombok.Getter; +import lombok.RequiredArgsConstructor; +import lombok.extern.slf4j.Slf4j; + +@Slf4j +@Service("registerSearchService") +public class RegisterSearchService { + + private final IZmrClient zmrClient; + private final IErnpClient ernpClient; + + private final List<CountrySpecificDetailSearchProcessor> handlers; + + /** + * Service that combines ZMR and ERnP register search operations. + * + * @param handlers Available country-specific search processors + * @param zmrClient ZMR client + * @param ernpClient ERnP client + */ + public RegisterSearchService(List<CountrySpecificDetailSearchProcessor> handlers, IZmrClient zmrClient, + IErnpClient ernpClient) { + this.zmrClient = zmrClient; + this.ernpClient = ernpClient; + this.handlers = handlers; + log.info("Init with #{} search services for country-specific details", handlers.size()); + + } + + /** + * Search with Person Identifier (eIDAS Pseudonym) in ZMR and ERnP. + * + * @param eidasData Received eIDAS data + * @throws WorkflowException In case of a register interaction error + */ + @Nonnull + public RegisterStatusResults searchWithPersonIdentifier(SimpleEidasData eidasData) + throws WorkflowException { + return searchWithPersonIdentifier(null, eidasData); + + } + + /** + * Search with Person Identifier (eIDAS Pseudonym) in ZMR and ERnP. + * + * @param operationStatus Current register-operation status that contains processing informations + * @param eidasData Received eIDAS data + * @throws WorkflowException In case of a register interaction error + */ + @Nonnull + public RegisterStatusResults searchWithPersonIdentifier(@Nullable RegisterOperationStatus operationStatus, + @Nonnull SimpleEidasData eidasData) throws WorkflowException { + try { + final ZmrRegisterResult resultsZmr = zmrClient.searchWithPersonIdentifier( + operationStatus != null ? operationStatus.getZmrProcessId() : null, + eidasData.getPseudonym(), eidasData.getCitizenCountryCode()); + final List<RegisterResult> resultsErnp = ernpClient.searchWithPersonIdentifier( + eidasData.getPersonalIdentifier()); + + return RegisterStatusResults.fromZmrAndErnp(resultsZmr, resultsErnp); + + } catch (final EidasSAuthenticationException e) { + throw new WorkflowException("searchWithPersonalIdentifier", e.getMessage(), + !(e instanceof ZmrCommunicationException), e); + + } + } + + /** + * Search with MDS (Given Name, Family Name, Date of Birth) in ZMR and ERnP. + * + * @param operationStatus Current register-operation status that contains processing informations + * @param eidasData Received eIDAS data + * @throws WorkflowException In case of a register interaction error + */ + @Nonnull + public RegisterStatusResults searchWithMds(RegisterOperationStatus operationStatus, SimpleEidasData eidasData) + throws WorkflowException { + try { + final ZmrRegisterResult resultsZmr = + zmrClient.searchWithMds(operationStatus.getZmrProcessId(), eidasData.getGivenName(), + eidasData.getFamilyName(), eidasData.getDateOfBirth(), eidasData.getCitizenCountryCode()); + + final List<RegisterResult> resultsErnp = + ernpClient.searchWithMds(eidasData.getGivenName(), eidasData.getFamilyName(), eidasData + .getDateOfBirth()); + + return RegisterStatusResults.fromZmrAndErnp(resultsZmr, resultsErnp); + + } catch (final EidasSAuthenticationException e) { + throw new WorkflowException("searchWithMDSOnly", e.getMessage(), + !(e instanceof ZmrCommunicationException), e); + + } + } + + /** + * Search with country-specific parameters based on information from available + * {@link CountrySpecificDetailSearchProcessor} implementations. + * + * @param operationStatus Current register-operation status that contains processing informations + * @param eidasData Receive eIDAS eID information + * @return Results from ZMR or ERnP search + * @throws WorkflowException In case of a register interaction error + */ + @Nonnull + public RegisterStatusResults searchWithCountrySpecifics(RegisterOperationStatus operationStatus, + SimpleEidasData eidasData) throws WorkflowException { + try { + @Nullable final CountrySpecificDetailSearchProcessor ccSpecificProcessor = findSpecificProcessor(eidasData); + if (ccSpecificProcessor != null) { + log.debug("Selecting country-specific search processor: {}", ccSpecificProcessor.getName()); + final ZmrRegisterResult resultsZmr = + zmrClient.searchCountrySpecific(operationStatus.getZmrProcessId(), + ccSpecificProcessor.generateSearchRequest(eidasData), + eidasData.getCitizenCountryCode()); + return RegisterStatusResults.fromZmr(resultsZmr); + + } else { + // TODO: add search procesfor for ERnP searching + return RegisterStatusResults.fromErnp(operationStatus, Collections.emptyList()); + + } + + } catch (final EidasSAuthenticationException e) { + throw new WorkflowException("searchWithCountrySpecifics", e.getMessage(), + !(e instanceof ZmrCommunicationException), e); + + } + } + + /** + * Search with residence infos. + * + * @param operationStatus Current register-operation status that contains processing informations + * @param zipcode Provided Zipcode + * @param city Provided City + * @param street Provided street + * @return Results from ZMR or ERnP search + */ + public RegisterStatusResults searchWithResidence(RegisterOperationStatus operationStatus, SimpleEidasData eidasData, + String zipcode, String city, String street) { + final ZmrRegisterResult resultsZmr = zmrClient.searchWithResidenceData( + operationStatus.getZmrProcessId(), eidasData.getGivenName(), eidasData.getFamilyName(), + eidasData.getDateOfBirth(), zipcode, city, street); + return RegisterStatusResults.fromZmr(resultsZmr); + + } + + /** + * Automatic process to fix the register entries. + * Called when the initial eIDAS authn leads to a match in a register. + * + * @param registerResult Result of last register search + * @param initialEidasData Received eidas data from initial authn + * @return + */ + public RegisterStatusResults step7aKittProcess(RegisterStatusResults registerResult, + SimpleEidasData initialEidasData) throws WorkflowException { + log.trace("Starting step7aKittProcess"); + // TODO verify with which data this method gets called + if (registerResult.getResultCount() != 1) { + throw new WorkflowException("step7aKittProcess", "getResultCount() != 1"); + } + try { + if (registerResult.getResultsZmr().size() == 1) { + RegisterResult entryZmr = registerResult.getResultsZmr().get(0); + ZmrRegisterResult updateZmr = zmrClient + .update(registerResult.getOperationStatus().getZmrProcessId(), entryZmr, initialEidasData); + return RegisterStatusResults.fromZmr(updateZmr); + } else { + RegisterResult entryErnp = registerResult.getResultsErnp().get(0); + RegisterResult updateErnp = ernpClient.update(entryErnp, initialEidasData); + return RegisterStatusResults.fromErnp(registerResult.operationStatus, Collections.singletonList(updateErnp)); + } + } catch (final EidasSAuthenticationException e) { + throw new WorkflowException("kittMatchedIdentitiess", e.getMessage(), + !(e instanceof ZmrCommunicationException), e); + } + } + + //TODO: check this method, because it's different to 'step7aKittProcess'??? + /** + * Automatic process to fix the register entries. + * Called when the alternative eIDAS authn leads to a match in a register. + * + * @param initialSearchResult Register results from initial authentication + * @param initialEidasData Received eIDAS data from initial authentication + * @param altSearchResult Register results from alternative authentication + * @param altEidasData Received eIDAS data from alternative authentication + * @return + */ + public RegisterStatusResults step7bKittProcess( + RegisterStatusResults initialSearchResult, SimpleEidasData initialEidasData, + RegisterStatusResults altSearchResult, SimpleEidasData altEidasData) throws WorkflowException { + log.trace("Starting step7bKittProcess"); + + // check if alternative authentication ends in a single result + if (altSearchResult.getResultCount() != 1) { + throw new WorkflowException("step7bKittProcess", "getResultCount() != 1"); + + } + + // check if alternative authentication result is part of initialSearchResults + if (!Streams.concat(initialSearchResult.getResultsZmr().stream(), initialSearchResult.getResultsErnp().stream()) + .filter(el -> { + try { + return altSearchResult.getResult().getBpk().equals(el.getBpk()); + + } catch (WorkflowException e1) { + //can not appear because it's already validated above. + return false; + } + }) + .findFirst() + .isPresent()) { + throw new WorkflowException("step7bKittProcess", + "Register result from alternativ authentication does not fit into intermediate state"); + + } + + // perform KITT operations + try { + if (altSearchResult.getResultsZmr().size() == 1) { + RegisterResult entryZmr = altSearchResult.getResultsZmr().get(0); + + // update ZMR entry by using eIDAS information from initial authentication + zmrClient.update(altSearchResult.getOperationStatus().getZmrProcessId(), entryZmr, initialEidasData); + + // update ZMR entry by using eIDAS information from alternative authentication + ZmrRegisterResult updateAlt = zmrClient.update( + altSearchResult.getOperationStatus().getZmrProcessId(), entryZmr, altEidasData); + + return RegisterStatusResults.fromZmr(updateAlt); + + } else { + RegisterResult entryErnp = altSearchResult.getResultsErnp().get(0); + + // update ZMR entry by using eIDAS information from initial authentication + ernpClient.update(entryErnp, initialEidasData); + + // update ZMR entry by using eIDAS information from alternative authentication + RegisterResult updateAlt = ernpClient.update(entryErnp, altEidasData); + + return RegisterStatusResults.fromErnp(altSearchResult.operationStatus, Collections.singletonList(updateAlt)); + } + } catch (final EidasSAuthenticationException e) { + throw new WorkflowException("kittMatchedIdentitiess", e.getMessage(), + !(e instanceof ZmrCommunicationException), e); + } + } + + @Nullable + private CountrySpecificDetailSearchProcessor findSpecificProcessor(SimpleEidasData eidasData) { + final String citizenCountry = eidasData.getCitizenCountryCode(); + for (final CountrySpecificDetailSearchProcessor processor : handlers) { + if (processor.canHandle(citizenCountry, eidasData)) { + log.debug("Found suitable search handler for {} by using: {}", citizenCountry, processor.getName()); + return processor; + } + } + return null; + } + + /** + * Register releated information that are needed for any request. + * + * @author tlenz + */ + @AllArgsConstructor + @Getter + public static class RegisterOperationStatus { + + /** + * ZMR internal processId that is required for any further request in the same process. + */ + private BigInteger zmrProcessId; + + + } + + + /** + * Response container for {@link RegisterSearchService} that holds a set of {@link RegisterResult}. + * + * @author tlenz + */ + @Getter + @RequiredArgsConstructor + public static class RegisterStatusResults { + /** + * Operation status for this result. + */ + private final RegisterOperationStatus operationStatus; + + /** + * Current ZMR search result. + */ + private final List<RegisterResult> resultsZmr; + + /** + * Current ERnP search result. + */ + private final List<RegisterResult> resultsErnp; + + /** + * Get sum of ZMR and ERnP results. + * + * @return number of results + */ + public int getResultCount() { + return resultsZmr.size() + resultsErnp.size(); + } + + /** + * Verifies that there is only one match and returns the bpk. + * + * @return bpk bpk of the match + * @throws WorkflowException if multiple results have been found + */ + public String getBpk() throws WorkflowException { + if (getResultCount() != 1) { + throw new WorkflowException("readRegisterResults", "getResultCount() != 1"); + + } + return getResult().getBpk(); + } + + /** + * Returns the results, if there is exactly one, throws exception otherwise. + * + * @return The result + * @throws WorkflowException Results does not contain exactly one result + */ + public RegisterResult getResult() throws WorkflowException { + if (getResultCount() != 1) { + throw new WorkflowException("readRegisterResults", "getResultCount() != 1"); + } + if (resultsZmr.size() == 1) { + return resultsZmr.get(0); + + } else { + return resultsErnp.get(0); + + } + } + + static RegisterStatusResults fromZmr(ZmrRegisterResult result) { + return new RegisterStatusResults(new RegisterOperationStatus(result.getProcessId()), + result.getPersonResult(), Collections.emptyList()); + } + + static RegisterStatusResults fromZmrAndErnp(ZmrRegisterResult result, List<RegisterResult> resultsErnp) { + return new RegisterStatusResults(new RegisterOperationStatus(result.getProcessId()), + result.getPersonResult(), resultsErnp); + } + + static RegisterStatusResults fromErnp(RegisterOperationStatus status, List<RegisterResult> resultsErnp) { + return new RegisterStatusResults(status, Collections.emptyList(), resultsErnp); + } + + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java deleted file mode 100644 index 1f5837d6..00000000 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java +++ /dev/null @@ -1,522 +0,0 @@ -/* - * Copyright 2018 A-SIT Plus GmbH - * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, - * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "License"); - * You may not use this work except in compliance with the License. - * You may obtain a copy of the License at: - * https://joinup.ec.europa.eu/news/understanding-eupl-v12 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - -package at.asitplus.eidas.specific.modules.auth.eidas.v2.szr; - -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.net.URL; -import java.security.KeyManagementException; -import java.security.KeyStore; -import java.security.KeyStoreException; -import java.security.NoSuchAlgorithmException; -import java.security.SecureRandom; -import java.security.UnrecoverableKeyException; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.HashMap; -import java.util.List; -import java.util.Map; - -import javax.annotation.PostConstruct; -import javax.net.ssl.KeyManager; -import javax.net.ssl.KeyManagerFactory; -import javax.net.ssl.SSLContext; -import javax.net.ssl.TrustManager; -import javax.net.ssl.TrustManagerFactory; -import javax.xml.XMLConstants; -import javax.xml.bind.JAXBContext; -import javax.xml.bind.Marshaller; -import javax.xml.namespace.QName; -import javax.xml.transform.Source; -import javax.xml.transform.Transformer; -import javax.xml.transform.TransformerException; -import javax.xml.transform.TransformerFactory; -import javax.xml.transform.stream.StreamResult; -import javax.xml.transform.stream.StreamSource; -import javax.xml.ws.BindingProvider; -import javax.xml.ws.Dispatch; -import javax.xml.ws.handler.Handler; - -import org.apache.commons.lang3.StringUtils; -import org.apache.cxf.configuration.jsse.TLSClientParameters; -import org.apache.cxf.endpoint.Client; -import org.apache.cxf.frontend.ClientProxy; -import org.apache.cxf.jaxws.DispatchImpl; -import org.apache.cxf.transport.http.HTTPConduit; -import org.apache.cxf.transports.http.configuration.HTTPClientPolicy; -import org.apache.xpath.XPathAPI; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Service; -import org.w3c.dom.Document; -import org.w3c.dom.Element; - -import com.fasterxml.jackson.core.JsonProcessingException; -import com.fasterxml.jackson.databind.ObjectMapper; - -import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.ErnbEidData; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.SzrCommunicationException; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.LoggingHandler; -import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; -import at.gv.egiz.eaaf.core.api.data.XmlNamespaceConstants; -import at.gv.egiz.eaaf.core.api.idp.IConfiguration; -import at.gv.egiz.eaaf.core.impl.utils.DomUtils; -import at.gv.egiz.eaaf.core.impl.utils.FileUtils; -import at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils; -import szrservices.GetBPK; -import szrservices.GetBPKResponse; -import szrservices.GetIdentityLinkEidas; -import szrservices.GetIdentityLinkEidasResponse; -import szrservices.IdentityLinkType; -import szrservices.JwsHeaderParam; -import szrservices.ObjectFactory; -import szrservices.PersonInfoType; -import szrservices.SZR; -import szrservices.SZRException_Exception; -import szrservices.SignContent; -import szrservices.SignContentEntry; -import szrservices.SignContentResponseType; - - -@Service("SZRClientForeIDAS") -public class SzrClient { - private static final Logger log = LoggerFactory.getLogger(SzrClient.class); - - private static final String CLIENT_DEFAULT = "DefaultClient"; - private static final String CLIENT_RAW = "RawClient"; - - private static final String ATTR_NAME_VSZ = "urn:eidgvat:attributes.vsz.value"; - private static final String ATTR_NAME_PUBKEYS = "urn:eidgvat:attributes.user.pubkeys"; - private static final String ATTR_NAME_STATUS = "urn:eidgvat:attributes.eid.status"; - private static final String KEY_BC_BIND = "bcBindReq"; - private static final String JOSE_HEADER_USERCERTPINNING_TYPE = "urn:at.gv.eid:bindtype"; - private static final String JOSE_HEADER_USERCERTPINNING_EIDASBIND = "urn:at.gv.eid:eidasBind"; - public static final String ATTR_NAME_MDS = "urn:eidgvat:mds"; - - @Autowired - private IConfiguration basicConfig; - - // client for anything, without identitylink - private SZR szr = null; - - // RAW client is needed for identitylink - private Dispatch<Source> dispatch = null; - - private SzrService szrService = null; - private String szrUrl = null; - private QName qname = null; - - final ObjectMapper mapper = new ObjectMapper(); - - /** - * Get IdentityLink of a person. - * - * @param personInfo Person identification information - * @return IdentityLink - * @throws SzrCommunicationException In case of a SZR error - */ - public IdentityLinkType getIdentityLinkInRawMode(PersonInfoType personInfo) - throws SzrCommunicationException { - try { - final GetIdentityLinkEidas getIdl = new GetIdentityLinkEidas(); - getIdl.setPersonInfo(personInfo); - - final JAXBContext jaxbContext = JAXBContext.newInstance(ObjectFactory.class); - final Marshaller jaxbMarshaller = jaxbContext.createMarshaller(); - - final ByteArrayOutputStream outputStream = new ByteArrayOutputStream(); - jaxbMarshaller.marshal(getIdl, outputStream); - outputStream.flush(); - - final Source source = new StreamSource(new ByteArrayInputStream(outputStream.toByteArray())); - outputStream.close(); - - log.trace("Requesting SZR ... "); - final Source response = dispatch.invoke(source); - log.trace("Receive RAW response from SZR"); - - final byte[] szrResponse = sourceToByteArray(response); - final GetIdentityLinkEidasResponse jaxbElement = (GetIdentityLinkEidasResponse) jaxbContext - .createUnmarshaller().unmarshal(new ByteArrayInputStream(szrResponse)); - - // build response - log.trace(new String(szrResponse, "UTF-8")); - - // ok, we have success - final Document doc = DomUtils.parseDocument( - new ByteArrayInputStream(szrResponse), - true, - XmlNamespaceConstants.ALL_SCHEMA_LOCATIONS + " " + Constants.SZR_SCHEMA_LOCATIONS, - null, null); - final String xpathExpression = "//saml:Assertion"; - final Element nsNode = doc.createElementNS("urn:oasis:names:tc:SAML:1.0:assertion", "saml:NSNode"); - - log.trace("Selecting signed doc " + xpathExpression); - final Element documentNode = (Element) XPathAPI.selectSingleNode(doc, - xpathExpression, nsNode); - log.trace("Signed document: " + DomUtils.serializeNode(documentNode)); - - final IdentityLinkType idl = new IdentityLinkType(); - idl.setAssertion(documentNode); - idl.setPersonInfo(jaxbElement.getGetIdentityLinkReturn().getPersonInfo()); - - return idl; - - } catch (final Exception e) { - log.warn("SZR communication FAILED. Reason: " + e.getMessage(), e); - throw new SzrCommunicationException("ernb.02", new Object[]{e.getMessage()}, e); - - } - - } - - /** - * Get bPK of person. - * - * @param personInfo Person identification information - * @param target requested bPK target - * @param vkz Verfahrenskennzeichen - * @return bPK for this person - * @throws SzrCommunicationException In case of a SZR error - */ - public List<String> getBpk(PersonInfoType personInfo, String target, String vkz) - throws SzrCommunicationException { - try { - final GetBPK parameters = new GetBPK(); - parameters.setPersonInfo(personInfo); - parameters.getBereichsKennung().add(target); - parameters.setVKZ(vkz); - final GetBPKResponse result = this.szr.getBPK(parameters); - - return result.getGetBPKReturn(); - - } catch (final SZRException_Exception e) { - log.warn("SZR communication FAILED. Reason: " + e.getMessage(), e); - throw new SzrCommunicationException("ernb.02", new Object[]{e.getMessage()}, e); - - } - - } - - /** - * Request a encryped baseId from SRZ. - * - * @param personInfo Minimum dataset of person - * @return encrypted baseId - * @throws SzrCommunicationException In case of a SZR error - */ - public String getEncryptedStammzahl(final PersonInfoType personInfo) - throws SzrCommunicationException { - - final String resp; - try { - resp = this.szr.getStammzahlEncrypted(personInfo, true); - } catch (SZRException_Exception e) { - throw new SzrCommunicationException("ernb.02", new Object[]{e.getMessage()}, e); - } - - if (StringUtils.isEmpty(resp)) { - throw new SzrCommunicationException("ernb.01", new Object[]{"Stammzahl response empty"}); // TODO error handling - } - - return resp; - - } - - /** - * Sign an eidasBind data-structure that combines vsz with user's pubKey and E-ID status. - * - * @param vsz encryped baseId - * @param bindingPubKey binding PublikKey as PKCS1# (ASN.1) container - * @param eidStatus Status of the E-ID - * @param eidData eID information that was used for ERnP registration - * @return bPK for this person - * @throws SzrCommunicationException In case of a SZR error - */ - public String getEidsaBind(final String vsz, final String bindingPubKey, final String eidStatus, - ErnbEidData eidData)throws SzrCommunicationException { - - final Map<String, Object> eidsaBindMap = new HashMap<>(); - eidsaBindMap.put(ATTR_NAME_VSZ, vsz); - eidsaBindMap.put(ATTR_NAME_STATUS, eidStatus); - eidsaBindMap.put(ATTR_NAME_PUBKEYS, Arrays.asList(bindingPubKey)); - eidsaBindMap.put(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, eidData.getCitizenCountryCode()); - injectMdsIfAvailableAndActive(eidsaBindMap, eidData); - - try { - final String serializedEidasBind = mapper.writeValueAsString(eidsaBindMap); - final SignContent req = new SignContent(); - final SignContentEntry eidasBindInfo = new SignContentEntry(); - eidasBindInfo.setKey(KEY_BC_BIND); - eidasBindInfo.setValue(serializedEidasBind); - req.getIn().add(eidasBindInfo); - req.setAppendCert(false); - final JwsHeaderParam eidasBindJoseHeader = new JwsHeaderParam(); - eidasBindJoseHeader.setKey(JOSE_HEADER_USERCERTPINNING_TYPE); - eidasBindJoseHeader.setValue(JOSE_HEADER_USERCERTPINNING_EIDASBIND); - req.getJWSHeaderParam().add(eidasBindJoseHeader); - - log.trace("Requesting SZR to sign bcBind datastructure ... "); - final SignContentResponseType resp = szr.signContent(req.isAppendCert(), req.getJWSHeaderParam(), req.getIn()); - log.trace("Receive SZR response on bcBind siging operation "); - - if (resp == null || resp.getOut() == null - || resp.getOut().isEmpty() - || StringUtils.isEmpty(resp.getOut().get(0).getValue())) { - throw new SzrCommunicationException("ernb.01", new Object[]{"BcBind response empty"}); - } - - return resp.getOut().get(0).getValue(); - - } catch (final JsonProcessingException | SZRException_Exception e) { - log.warn("Requesting bcBind by using SZR FAILED. Reason: {}", e.getMessage(), null, e); - throw new SzrCommunicationException("ernb.02", - new Object[]{e.getMessage()}, e); - } - } - - @PostConstruct - private void initialize() { - log.info("Starting SZR-Client initialization .... "); - final URL url = SzrClient.class.getResource("/szr_client/SZR_v4.0.wsdl"); - - final boolean useTestSzr = basicConfig.getBasicConfigurationBoolean( - Constants.CONIG_PROPS_EIDAS_SZRCLIENT_USETESTSERVICE, - true); - - if (useTestSzr) { - log.debug("Initializing SZR test environment configuration."); - qname = SzrService.SZRTestumgebung; - szrService = new SzrService(url, new QName("urn:SZRServices", "SZRService")); - szr = szrService.getSzrTestumgebung(); - szrUrl = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_ENDPOINT_TEST); - - } else { - log.debug("Initializing SZR productive configuration."); - qname = SzrService.SZRProduktionsumgebung; - szrService = new SzrService(url, new QName("urn:SZRServices", "SZRService")); - szr = szrService.getSzrProduktionsumgebung(); - szrUrl = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_ENDPOINT_PROD); - - } - - // create raw client; - dispatch = szrService.createDispatch(qname, Source.class, javax.xml.ws.Service.Mode.PAYLOAD); - - if (StringUtils.isEmpty(szrUrl)) { - log.error("No SZR service-URL found. SZR-Client initalisiation failed."); - throw new RuntimeException("No SZR service URL found. SZR-Client initalisiation failed."); - - } - - // check if Clients can be initialized - if (szr == null) { - log.error("SZR " + CLIENT_DEFAULT + " is 'NULL'. Something goes wrong"); - throw new RuntimeException("SZR " + CLIENT_DEFAULT + " is 'NULL'. Something goes wrong"); - - } - if (dispatch == null) { - log.error("SZR " + CLIENT_RAW + " is 'NULL'. Something goes wrong"); - throw new RuntimeException("SZR " + CLIENT_RAW + " is 'NULL'. Something goes wrong"); - - } - - // inject handler - log.info("Use SZR service-URL: " + szrUrl); - injectBindingProvider((BindingProvider) szr, CLIENT_DEFAULT); - injectBindingProvider(dispatch, CLIENT_RAW); - - // inject http parameters and SSL context - log.debug("Inject HTTP client settings ... "); - injectHttpClient(szr, CLIENT_DEFAULT); - injectHttpClient(dispatch, CLIENT_RAW); - - log.info("SZR-Client initialization successfull"); - } - - private void injectHttpClient(Object raw, String clientType) { - // extract client from implementation - Client client = null; - if (raw instanceof DispatchImpl<?>) { - client = ((DispatchImpl<?>) raw).getClient(); - } else if (raw instanceof Client) { - client = ClientProxy.getClient(raw); - } else { - throw new RuntimeException("SOAP Client for SZR connection is of UNSUPPORTED type: " + raw.getClass() - .getName()); - } - - // set basic connection policies - final HTTPConduit http = (HTTPConduit) client.getConduit(); - - // set timeout policy - final HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy(); - httpClientPolicy.setConnectionTimeout( - Integer.parseInt(basicConfig.getBasicConfiguration( - Constants.CONIG_PROPS_EIDAS_SZRCLIENT_TIMEOUT_CONNECTION, - Constants.HTTP_CLIENT_DEFAULT_TIMEOUT_CONNECTION)) * 1000); - httpClientPolicy.setReceiveTimeout( - Integer.parseInt(basicConfig.getBasicConfiguration( - Constants.CONIG_PROPS_EIDAS_SZRCLIENT_TIMEOUT_RESPONSE, - Constants.HTTP_CLIENT_DEFAULT_TIMEOUT_RESPONSE)) * 1000); - http.setClient(httpClientPolicy); - - // inject SSL context in case of https - if (szrUrl.toLowerCase().startsWith("https")) { - log.debug("Adding SSLContext to client: " + clientType + " ... "); - final TLSClientParameters tlsParams = new TLSClientParameters(); - tlsParams.setSSLSocketFactory(createSslContext(clientType).getSocketFactory()); - http.setTlsClientParameters(tlsParams); - log.info("SSLContext initialized for client: " + clientType); - - } - - } - - private void injectBindingProvider(BindingProvider bindingProvider, String clientType) { - final Map<String, Object> requestContext = bindingProvider.getRequestContext(); - requestContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, szrUrl); - - log.trace("Adding JAX-WS request/response trace handler to client: " + clientType); - List<Handler> handlerList = bindingProvider.getBinding().getHandlerChain(); - if (handlerList == null) { - handlerList = new ArrayList<>(); - bindingProvider.getBinding().setHandlerChain(handlerList); - - } - - // add logging handler to trace messages if required - if (basicConfig.getBasicConfigurationBoolean( - Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_TRACEMESSAGES, - false)) { - final LoggingHandler loggingHandler = new LoggingHandler(); - handlerList.add(loggingHandler); - - } - bindingProvider.getBinding().setHandlerChain(handlerList); - } - - private SSLContext createSslContext(String clientType) { - try { - final SSLContext context = SSLContext.getInstance("TLS"); - - // initialize key-mangager for SSL client-authentication - KeyManager[] keyManager = null; - final String keyStorePath = basicConfig.getBasicConfiguration( - Constants.CONIG_PROPS_EIDAS_SZRCLIENT_SSL_KEYSTORE_PATH); - final String keyStorePassword = basicConfig.getBasicConfiguration( - Constants.CONIG_PROPS_EIDAS_SZRCLIENT_SSL_KEYSTORE_PASSWORD); - if (StringUtils.isNotEmpty(keyStorePath)) { - log.trace("Find keyStore path: " + keyStorePath + " Injecting SSL client certificate ... "); - try { - final KeyStore keyStore = KeyStoreUtils.loadKeyStore( - FileUtils.makeAbsoluteUrl(keyStorePath, basicConfig.getConfigurationRootDirectory()), - keyStorePassword); - - final KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); - kmf.init(keyStore, keyStorePassword.toCharArray()); - keyManager = kmf.getKeyManagers(); - log.debug("SSL client certificate injected to client: " + clientType); - - } catch (KeyStoreException | IOException | UnrecoverableKeyException e) { - log.error("Can NOT load SSL client certificate from path: " + keyStorePath); - throw new RuntimeException("Can NOT load SSL client certificate from path: " + keyStorePath, e); - - } - } else { - log.debug( - "No KeyStore for SSL Client Auth. found. Initializing SSLContext without authentication ... "); - - } - - // initialize SSL TrustStore - TrustManager[] trustManager = null; - final String trustStorePath = basicConfig.getBasicConfiguration( - Constants.CONIG_PROPS_EIDAS_SZRCLIENT_SSL_TRUSTSTORE_PATH); - final String trustStorePassword = basicConfig.getBasicConfiguration( - Constants.CONIG_PROPS_EIDAS_SZRCLIENT_SSL_TRUSTSTORE_PASSWORD); - if (StringUtils.isNotEmpty(trustStorePath)) { - log.trace("Find trustStore path: " + trustStorePath + " Injecting SSL TrustStore ... "); - try { - final KeyStore trustStore = KeyStoreUtils.loadKeyStore( - FileUtils.makeAbsoluteUrl(trustStorePath, basicConfig.getConfigurationRootDirectory()), - trustStorePassword); - - final TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); - tmf.init(trustStore); - trustManager = tmf.getTrustManagers(); - log.debug("SSL TrustStore injected to client: " + clientType); - - } catch (KeyStoreException | IOException e) { - log.error("Can NOT open SSL TrustStore from path: " + trustStorePath); - throw new RuntimeException("Can NOT open SSL TrustStore from path: " + trustStorePath, e); - - } - - } else { - log.debug("No custom SSL TrustStore found. Initializing SSLContext with JVM default truststore ... "); - - } - - context.init(keyManager, trustManager, new SecureRandom()); - return context; - - } catch (NoSuchAlgorithmException | KeyManagementException e) { - log.error("SSLContext initialization FAILED.", e); - throw new RuntimeException("SSLContext initialization FAILED.", e); - - } - - } - - private void injectMdsIfAvailableAndActive(Map<String, Object> eidsaBindMap, ErnbEidData eidData) { - if (basicConfig.getBasicConfigurationBoolean( - Constants.CONIG_PROPS_EIDAS_SZRCLIENT_SET_MDS_TO_EIDASBIND, false)) { - log.info("Injecting MDS into eidasBind ... "); - final Map<String, Object> mds = new HashMap<>(); - mds.put(PvpAttributeDefinitions.PRINCIPAL_NAME_NAME, eidData.getFamilyName()); - mds.put(PvpAttributeDefinitions.GIVEN_NAME_NAME, eidData.getGivenName()); - mds.put(PvpAttributeDefinitions.BIRTHDATE_NAME, eidData.getFormatedDateOfBirth()); - eidsaBindMap.put(ATTR_NAME_MDS, mds); - - } - } - - private byte[] sourceToByteArray(Source result) throws TransformerException { - final TransformerFactory factory = TransformerFactory.newInstance(); - factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); - final Transformer transformer = factory.newTransformer(); - transformer.setOutputProperty("omit-xml-declaration", "yes"); - transformer.setOutputProperty("method", "xml"); - final ByteArrayOutputStream out = new ByteArrayOutputStream(); - final StreamResult streamResult = new StreamResult(); - streamResult.setOutputStream(out); - transformer.transform(result, streamResult); - return out.toByteArray(); - } - -} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java new file mode 100644 index 00000000..f021fae9 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java @@ -0,0 +1,240 @@ +/* + * Copyright 2020 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; + +import static at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants.TRANSITION_TO_GENERATE_OTHER_LOGIN_METHOD_GUI_TASK; + +import java.util.Map; +import java.util.Objects; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.jetbrains.annotations.NotNull; +import org.springframework.stereotype.Component; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.MatchedPersonResult; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPostProcessingException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasAttributeException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.WorkflowException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.ICcSpecificEidProcessingService; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.RegisterSearchService; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.RegisterSearchService.RegisterOperationStatus; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.RegisterSearchService.RegisterStatusResults; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.MatchingTaskUtils; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.EaafStorageException; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import eu.eidas.auth.commons.light.ILightResponse; +import lombok.extern.slf4j.Slf4j; + +/** + * Searches registers (ERnP and ZMR) after alternative eIDAS authn, before adding person to SZR. + * Input: + * <ul> + * <li>{@link Constants#DATA_FULL_EIDAS_RESPONSE_ALTERNATIVE} data from the alternative eIDAS authn</li> + * <li>{@link Constants#DATA_SIMPLE_EIDAS} data from the initial eIDAS authn</li> + * </ul> + * Output: + * <ul> + * <li>{@link Constants#DATA_PERSON_MATCH_RESULT} results after second search in registers with MDS</li> + * </ul> + * Transitions: + * <ul> + * <li>{@link GenerateOtherLoginMethodGuiTask} if no results in registers were found for this user</li> + * <li>{@link CreateIdentityLinkTask} if search in register returned one match, user is uniquely identified</li> + * </ul> + * + * @author amarsalek + * @author ckollmann + * @author tlenz + */ +@Slf4j +@Component("AlternativeSearchTask") +@SuppressWarnings("PMD.TooManyStaticImports") +public class AlternativeSearchTask extends AbstractAuthServletTask { + + private final RegisterSearchService registerSearchService; + private final ICcSpecificEidProcessingService eidPostProcessor; + + /** + * Constructor. + * + * @param registerSearchService Service for register search access + * @param eidPostProcessor Country-Specific post processing of attributes + */ + public AlternativeSearchTask(RegisterSearchService registerSearchService, + ICcSpecificEidProcessingService eidPostProcessor) { + this.registerSearchService = registerSearchService; + this.eidPostProcessor = eidPostProcessor; + } + + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + try { + final SimpleEidasData altEidasData = convertEidasAttrToSimpleData(); + final SimpleEidasData initialEidasData = MatchingTaskUtils.getInitialEidasData(pendingReq); + final RegisterStatusResults intermediateMatchingState = + MatchingTaskUtils.getIntermediateMatchingResult(pendingReq); + + //pre-validation of eIDAS data + preVerifyAlternativeEidasData(altEidasData, initialEidasData, intermediateMatchingState); + + //perform register search operation based on alterantive eIDAS data + step11RegisterSearchWithPersonIdentifier(executionContext, altEidasData, + intermediateMatchingState, initialEidasData); + + } catch (WorkflowException e) { + throw new TaskExecutionException(pendingReq, "Initial search failed", e); + + } catch (final Exception e) { + log.error("Initial search failed", e); + throw new TaskExecutionException(pendingReq, "Initial search failed with a generic error", e); + + } + } + + /** + * Pre-validation of eIDAS information. + * + * <p>Check if country-code and MDS (givenName, familyName, dateOfBirth) matches.</p> + * + * @param altEidasData eIDAS data from alternative authentication + * @param initialEidasData eIDAS data from initial authentication + * @param intermediateMatchingState Intermediate matching result + * @throws WorkflowException In case of a validation error + */ + private void preVerifyAlternativeEidasData(SimpleEidasData altEidasData, SimpleEidasData initialEidasData, + RegisterStatusResults intermediateMatchingState) throws WorkflowException { + if (initialEidasData == null) { + throw new WorkflowException("step11", "No initial eIDAS authn data", true); + + } + + if (intermediateMatchingState == null) { + throw new WorkflowException("step11", "No intermediate matching-state", true); + + } + + if (!Objects.equals(altEidasData.getCitizenCountryCode(), initialEidasData.getCitizenCountryCode())) { + throw new WorkflowException("step11", "Country Code of alternative eIDAS authn not matching", true); + + } + + if (!altEidasData.equalsMds(initialEidasData)) { + throw new WorkflowException("step11", "MDS of alternative eIDAS authn does not match initial authn", true); + + } + } + + private void step11RegisterSearchWithPersonIdentifier( + ExecutionContext executionContext, SimpleEidasData altEidasData, + RegisterStatusResults intermediateMatchingState, SimpleEidasData initialEidasData) + throws WorkflowException, EaafStorageException { + try { + log.trace("Starting step11RegisterSearchWithPersonIdentifier"); + RegisterStatusResults altSearchResult = registerSearchService.searchWithPersonIdentifier( + intermediateMatchingState.getOperationStatus(), altEidasData); + + int resultCount = altSearchResult.getResultCount(); + if (resultCount == 0) { + step12CountrySpecificSearch(executionContext, intermediateMatchingState, initialEidasData, + altSearchResult.getOperationStatus(), altEidasData); + + } else if (resultCount == 1) { + log.debug("step11RegisterSearchWithPersonIdentifier find single result. Starting KITT operation ... "); + RegisterStatusResults matchtedResult = registerSearchService.step7bKittProcess( + intermediateMatchingState, initialEidasData, altSearchResult, altEidasData); + + log.debug("KITT operation finished. Finalize matching process ... "); + foundMatchFinalizeTask(matchtedResult, altEidasData); + + } else { + throw new WorkflowException("step11RegisterSearchWithPersonIdentifier", + "More than one entry with unique personal-identifier", true); + + } + } catch (WorkflowException e) { + log.warn("Workflow error during matching step: {}. Reason: {}", e.getProcessStepName(), e.getErrorReason()); + throw e; + + } + } + + private void step12CountrySpecificSearch(ExecutionContext executionContext, + RegisterStatusResults intermediateMatchingState, + SimpleEidasData initialEidasData, + RegisterOperationStatus registerOperationStatus, + SimpleEidasData altEidasData) + throws EaafStorageException, WorkflowException { + log.trace("Starting 'step12CountrySpecificSearch' ... "); + RegisterStatusResults ccAltSearchResult = registerSearchService.searchWithCountrySpecifics( + registerOperationStatus, altEidasData); + + if (ccAltSearchResult.getResultCount() == 0) { + log.trace("'step12CountrySpecificSearch' ends with no result. Forward to GUI based matching step ... "); + log.debug("Forward to GUI based matching steps ... "); + executionContext.put(TRANSITION_TO_GENERATE_OTHER_LOGIN_METHOD_GUI_TASK, true); + + } else if (ccAltSearchResult.getResultCount() == 1) { + log.debug("'step12CountrySpecificSearch' find single result. Starting KITT operation ... "); + RegisterStatusResults matchtedResult = registerSearchService.step7bKittProcess( + intermediateMatchingState, initialEidasData, ccAltSearchResult, altEidasData); + + log.debug("KITT operation finished. Finalize matching process ... "); + foundMatchFinalizeTask(matchtedResult, altEidasData); + + } else { + throw new WorkflowException("step12CountrySpecificSearch", + "More than one entry with unique country-specific information", true); + + } + } + + private void foundMatchFinalizeTask(RegisterStatusResults searchResult, SimpleEidasData eidasData) + throws WorkflowException, EaafStorageException { + MatchedPersonResult result = MatchedPersonResult.generateFormMatchingResult( + searchResult.getResult(), eidasData.getCitizenCountryCode()); + MatchingTaskUtils.storeFinalMatchingResult(pendingReq, result); + + //remove intermediate matching-state + MatchingTaskUtils.storeIntermediateMatchingResult(pendingReq, null); + + } + + @NotNull + private SimpleEidasData convertEidasAttrToSimpleData() + throws EidasAttributeException, EidPostProcessingException { + final ILightResponse eidasResponse = MatchingTaskUtils.getAuthProcessDataWrapper(pendingReq) + .getGenericDataFromSession(Constants.DATA_FULL_EIDAS_RESPONSE_ALTERNATIVE, ILightResponse.class); + Map<String, Object> simpleMap = MatchingTaskUtils.convertEidasAttrToSimpleMap( + eidasResponse.getAttributes().getAttributeMap(), log); + return eidPostProcessor.postProcess(simpleMap); + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java index f4849b07..c95c275e 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java @@ -25,44 +25,39 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; import java.io.IOException; import java.io.InputStream; -import java.util.HashMap; import java.util.List; -import java.util.Map; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.xml.parsers.ParserConfigurationException; -import org.apache.commons.lang3.StringUtils; -import org.joda.time.DateTime; +import org.jetbrains.annotations.Nullable; +import org.jose4j.lang.JoseException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; import org.w3c.dom.Element; import org.w3c.dom.Node; import org.xml.sax.SAXException; -import com.google.common.collect.ImmutableMap; -import com.google.common.collect.ImmutableSet; +import com.fasterxml.jackson.core.JsonProcessingException; import at.asitplus.eidas.specific.connector.MsConnectorEventCodes; import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.ErnbEidData; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.clients.szr.SzrClient; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.MatchedPersonResult; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasAttributeException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.SzrCommunicationException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.AuthBlockSigningService; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.ICcSpecificEidProcessingService; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.szr.SzrClient; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.EidasResponseUtils; -import at.gv.e_government.reference.namespace.persondata._20020228.AlternativeNameType; -import at.gv.e_government.reference.namespace.persondata._20020228.PersonNameType; -import at.gv.e_government.reference.namespace.persondata._20020228.PhysicalPersonType; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.MatchingTaskUtils; import at.gv.egiz.eaaf.core.api.data.EaafConstants; import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.exceptions.EaafStorageException; import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; import at.gv.egiz.eaaf.core.impl.builder.BpkBuilder; import at.gv.egiz.eaaf.core.impl.data.Pair; @@ -71,37 +66,45 @@ import at.gv.egiz.eaaf.core.impl.idp.auth.data.SimpleIdentityLinkAssertionParser import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; import at.gv.egiz.eaaf.core.impl.utils.DomUtils; import at.gv.egiz.eaaf.core.impl.utils.XPathUtils; -import eu.eidas.auth.commons.attribute.AttributeDefinition; -import eu.eidas.auth.commons.attribute.AttributeValue; -import eu.eidas.auth.commons.light.ILightResponse; -import eu.eidas.auth.commons.protocol.eidas.impl.PostalAddress; import lombok.Data; import lombok.extern.slf4j.Slf4j; import szrservices.IdentityLinkType; -import szrservices.PersonInfoType; -import szrservices.TravelDocumentType; /** * Task that creates the IdentityLink for an eIDAS authenticated person. - * + * Input: + * <ul> + * <li>{@link Constants#DATA_SIMPLE_EIDAS} initial login data from user</li> + * <li>{@link Constants#DATA_PERSON_MATCH_RESULT} the data of the matched entry in a register</li> + * </ul> + * Output: + * <ul> + * <li>{@link Constants#EIDAS_BIND} the binding block</li> + * <li>{@link Constants#SZR_AUTHBLOCK} the auth block</li> + * </ul> + * Transitions: + * <ul> + * <li>{@link at.gv.egiz.eaaf.core.impl.idp.controller.tasks.FinalizeAuthenticationTask}</li> + * </ul> + * TODO Take Constants#DATA_SIMPLE_EIDAS and Constants#DATA_RESULT_MATCHING_BPK + * TODO Only do VSZ Erstellung and eidasBind -- this is always the end of the whole process + * TODO Move Eintragung to separate Task, as it does not happen every time * @author tlenz */ @Slf4j @Component("CreateIdentityLinkTask") public class CreateIdentityLinkTask extends AbstractAuthServletTask { + @SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection") @Autowired private IConfiguration basicConfig; @Autowired private SzrClient szrClient; @Autowired - private ICcSpecificEidProcessingService eidPostProcessor; - - @Autowired private AuthBlockSigningService authBlockSigner; private static final String EID_STATUS = "urn:eidgvat:eid.status.eidas"; - + /* * (non-Javadoc) * @@ -114,98 +117,36 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) throws TaskExecutionException { try { - final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); - final ILightResponse eidasResponse = authProcessData - .getGenericDataFromSession(Constants.DATA_FULL_EIDAS_RESPONSE, ILightResponse.class); - final Map<String, Object> simpleAttrMap = convertEidasAttrToSimpleMap( - eidasResponse.getAttributes().getAttributeMap()); + /*TODO: needs more re-factoring if we finalize CreateNewErnpEntryTask and we know how add entries into ERnP + * Maybe, we can fully replace eidData by matchedPersonData, + * because matchedPersonData holds the result after a successful matching process. + * + * Currently, we only add a work-around to operate without new ERnP implementation. + */ + final SimpleEidasData eidData = MatchingTaskUtils.getInitialEidasData(pendingReq); + MatchedPersonResult matchedPersonData = MatchingTaskUtils.getFinalMatchingResult(pendingReq); - // post-process eIDAS attributes - final ErnbEidData eidData = eidPostProcessor.postProcess(simpleAttrMap); - - // write MDS into technical log and revision log writeMdsLogInformation(eidData); - //build IdentityLink or VSZ and eidasBind if (basicConfig.getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USEDUMMY, false)) { - SzrResultHolder idlResult = createDummyIdentityLinkForTestDeployment(eidData); - //inject personal-data into session - authProcessData.setIdentityLink(idlResult.getIdentityLink()); - - // set bPK and bPKType into auth session - authProcessData.setGenericDataToSession(PvpAttributeDefinitions.BPK_NAME, extendBpkByPrefix( - idlResult.getBpK(), pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier())); - authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME, - pendingReq.getServiceProviderConfiguration() - .getAreaSpecificTargetIdentifier()); - + buildDummyIdentityLink(eidData); + } else { - //build SZR request from eIDAS data - final PersonInfoType personInfo = generateSzrRequest(eidData); - //request SZR based on IDL or E-ID mode if (pendingReq.getServiceProviderConfiguration() .isConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE, false)) { + executeEidMode(eidData, matchedPersonData); - // get encrypted baseId - String vsz = szrClient.getEncryptedStammzahl(personInfo); - - //write revision-Log entry and extended infos personal-identifier mapping - revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_VSZ_RECEIVED); - writeExtendedRevisionLogEntry(simpleAttrMap, eidData); - - - // get eIDAS bind - String signedEidasBind = szrClient.getEidsaBind(vsz, - authBlockSigner.getBase64EncodedPublicKey(), - EID_STATUS, eidData); - revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_EIDASBIND_RECEIVED); - authProcessData.setGenericDataToSession(Constants.EIDAS_BIND, signedEidasBind); - - //get signed AuthBlock - String jwsSignature = authBlockSigner.buildSignedAuthBlock(pendingReq); - revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.TECH_AUCHBLOCK_CREATED); - authProcessData.setGenericDataToSession(Constants.SZR_AUTHBLOCK, jwsSignature); - - //inject personal-data into session - authProcessData.setEidProcess(true); - } else { - //request SZR - SzrResultHolder idlResult = requestSzrForIdentityLink(personInfo); - - //write revision-Log entry for personal-identifier mapping - writeExtendedRevisionLogEntry(simpleAttrMap, eidData); - - //check result-data and write revision-log based on current state - checkStateAndWriteRevisionLog(idlResult); - - //inject personal-data into session - authProcessData.setIdentityLink(idlResult.getIdentityLink()); - authProcessData.setEidProcess(false); - - // set bPK and bPKType into auth session - authProcessData.setGenericDataToSession(PvpAttributeDefinitions.BPK_NAME, extendBpkByPrefix( - idlResult.getBpK(), pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier())); - authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME, - pendingReq.getServiceProviderConfiguration() - .getAreaSpecificTargetIdentifier()); - + executeIdlMode(eidData, matchedPersonData); + } } - - //add generic info's into session - authProcessData.setForeigner(true); - authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, EidasResponseUtils - .parseEidasPersonalIdentifier((String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER)) - .getFirst()); - authProcessData.setQaaLevel(eidasResponse.getLevelOfAssurance()); - - // store pending-request + + storeGenericInfoToSession(eidData); requestStoreage.storePendingRequest(pendingReq); - - + } catch (final EidasAttributeException e) { throw new TaskExecutionException(pendingReq, "Minimum required eIDAS attributeset not found.", e); @@ -219,242 +160,225 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { } } - private void writeExtendedRevisionLogEntry(Map<String, Object> simpleAttrMap, ErnbEidData eidData) { - // write ERnB input-data into revision-log + private void storeGenericInfoToSession(SimpleEidasData eidData) throws EaafStorageException { + AuthProcessDataWrapper authProcessData = MatchingTaskUtils.getAuthProcessDataWrapper(pendingReq); + authProcessData.setForeigner(true); + authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, + eidData.getCitizenCountryCode()); + } + + private void executeIdlMode(SimpleEidasData eidData, MatchedPersonResult matchedPersonData) throws EaafException { + //request SZR + SzrResultHolder idlResult = requestSzrForIdentityLink(eidData, matchedPersonData); + + //write revision-Log entry for personal-identifier mapping + writeExtendedRevisionLogEntry(eidData, eidData.getPersonalIdentifier()); + //check result-data and write revision-log based on current state + checkStateAndWriteRevisionLog(idlResult); + + //inject personal-data into session + AuthProcessDataWrapper authProcessDataWrapper = MatchingTaskUtils.getAuthProcessDataWrapper(pendingReq); + authProcessDataWrapper.setIdentityLink(idlResult.getIdentityLink()); + authProcessDataWrapper.setEidProcess(false); + + // set bPK and bPKType into auth session + authProcessDataWrapper.setGenericDataToSession(PvpAttributeDefinitions.BPK_NAME, extendBpkByPrefix( + idlResult.getBpK(), pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier())); + authProcessDataWrapper.setGenericDataToSession(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME, + pendingReq.getServiceProviderConfiguration() + .getAreaSpecificTargetIdentifier()); + } + + private void executeEidMode(SimpleEidasData eidData, MatchedPersonResult matchedPersonData) + throws JsonProcessingException, EaafException, JoseException { + // get encrypted baseId + String vsz; + if (matchedPersonData != null) { + log.debug("Requesting encrypted baseId by already matched person information ... "); + vsz = szrClient.getEncryptedStammzahl(matchedPersonData); + + } else { + log.debug("Requesting encrypted baseId by using eIDAS information directly ... "); + vsz = szrClient.createNewErnpEntry(eidData); + + } + + //write revision-Log entry and extended infos personal-identifier mapping + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_VSZ_RECEIVED); + writeExtendedRevisionLogEntry(eidData, eidData.getPersonalIdentifier()); + + // get eIDAS bind + String signedEidasBind = szrClient + .getEidasBind(vsz, authBlockSigner.getBase64EncodedPublicKey(), EID_STATUS, eidData); + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_EIDASBIND_RECEIVED); + AuthProcessDataWrapper authProcessDataWrapper = MatchingTaskUtils.getAuthProcessDataWrapper(pendingReq); + authProcessDataWrapper.setGenericDataToSession(Constants.EIDAS_BIND, signedEidasBind); + + //get signed AuthBlock + String jwsSignature = authBlockSigner.buildSignedAuthBlock(pendingReq); + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.TECH_AUCHBLOCK_CREATED); + authProcessDataWrapper.setGenericDataToSession(Constants.SZR_AUTHBLOCK, jwsSignature); + + //inject personal-data into session + authProcessDataWrapper.setEidProcess(true); + + } + + private void buildDummyIdentityLink(SimpleEidasData eidData) + throws ParserConfigurationException, SAXException, IOException, EaafException { + AuthProcessDataWrapper authProcessDataWrapper = MatchingTaskUtils.getAuthProcessDataWrapper(pendingReq); + SzrResultHolder idlResult = createDummyIdentityLinkForTestDeployment(eidData); + //inject personal-data into session + authProcessDataWrapper.setIdentityLink(idlResult.getIdentityLink()); + + // set bPK and bPKType into auth session + authProcessDataWrapper.setGenericDataToSession(PvpAttributeDefinitions.BPK_NAME, extendBpkByPrefix( + idlResult.getBpK(), pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier())); + authProcessDataWrapper.setGenericDataToSession(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME, + pendingReq.getServiceProviderConfiguration() + .getAreaSpecificTargetIdentifier()); + } + + private void writeExtendedRevisionLogEntry(SimpleEidasData eidData, String personalIdentifier) { + // write ERnP input-data into revision-log if (basicConfig.getBasicConfigurationBoolean( Constants.CONIG_PROPS_EIDAS_SZRCLIENT_WORKAROUND_REVISIONLOGDATASTORE_ACTIVE, false)) { - revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_ERNB_EIDAS_RAW_ID, - (String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER)); + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_ERNB_EIDAS_RAW_ID, personalIdentifier); revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_ERNB_EIDAS_ERNB_ID, eidData.getPseudonym()); } } - - private PersonInfoType generateSzrRequest(ErnbEidData eidData) { - log.debug("Starting connecting SZR Gateway"); - final PersonInfoType personInfo = new PersonInfoType(); - final PersonNameType personName = new PersonNameType(); - final PhysicalPersonType naturalPerson = new PhysicalPersonType(); - final TravelDocumentType eDocument = new TravelDocumentType(); - - naturalPerson.setName(personName); - personInfo.setPerson(naturalPerson); - personInfo.setTravelDocument(eDocument); - - // person information - personName.setFamilyName(eidData.getFamilyName()); - personName.setGivenName(eidData.getGivenName()); - naturalPerson.setDateOfBirth(eidData.getFormatedDateOfBirth()); - eDocument.setIssuingCountry(eidData.getCitizenCountryCode()); - eDocument.setDocumentNumber(eidData.getPseudonym()); - - // eID document information - eDocument.setDocumentType(basicConfig - .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_EDOCUMENTTYPE, - Constants.SZR_CONSTANTS_DEFAULT_DOCUMENT_TYPE)); - - // set PlaceOfBirth if available - if (eidData.getPlaceOfBirth() != null) { - log.trace("Find 'PlaceOfBirth' attribute: " + eidData.getPlaceOfBirth()); - if (basicConfig - .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETPLACEOFBIRTHIFAVAILABLE, - true)) { - naturalPerson.setPlaceOfBirth(eidData.getPlaceOfBirth()); - log.trace("Adding 'PlaceOfBirth' to ERnB request ... "); - } - } + private SzrResultHolder requestSzrForIdentityLink(SimpleEidasData eidData, + MatchedPersonResult matchedPersonData) throws EaafException { + //request IdentityLink from SZR + IdentityLinkType result; - // set BirthName if available - if (eidData.getBirthName() != null) { - log.trace("Find 'BirthName' attribute: " + eidData.getBirthName()); - if (basicConfig - .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETBIRTHNAMEIFAVAILABLE, - true)) { - final AlternativeNameType alternativeName = new AlternativeNameType(); - naturalPerson.setAlternativeName(alternativeName); - alternativeName.setFamilyName(eidData.getBirthName()); - log.trace("Adding 'BirthName' to ERnB request ... "); + if (matchedPersonData != null) { + log.debug("Requesting encrypted baseId by already matched person information ... "); + result = szrClient.getIdentityLinkInRawMode(matchedPersonData); + + } else { + log.debug("Requesting encrypted baseId by using eIDAS information directly ... "); + result = szrClient.getIdentityLinkInRawMode(eidData); - } } - - return personInfo; - - } - private SzrResultHolder requestSzrForIdentityLink(PersonInfoType personInfo) - throws SzrCommunicationException, EaafException { - //request IdentityLink from SZR - final IdentityLinkType result = szrClient.getIdentityLinkInRawMode(personInfo); - + final Element idlFromSzr = (Element) result.getAssertion(); - IIdentityLink identityLink = new SimpleIdentityLinkAssertionParser(idlFromSzr).parseIdentityLink(); + final IIdentityLink identityLink = new SimpleIdentityLinkAssertionParser(idlFromSzr).parseIdentityLink(); // get bPK from SZR String bpk = null; - if (basicConfig - .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USESRZFORBPKGENERATION, true)) { - List<String> bpkList = szrClient - .getBpk(personInfo, pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(), - basicConfig - .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, "no VKZ defined")); + String targetId = pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(); + boolean debugUseSzrForBpk = basicConfig + .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USESRZFORBPKGENERATION, true); + if (debugUseSzrForBpk) { + String vkz = basicConfig + .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, "no VKZ defined"); + List<String> bpkList = szrClient.getBpk(eidData, targetId, vkz); if (!bpkList.isEmpty()) { bpk = bpkList.get(0); - } - - } else { log.debug("Calculating bPK from baseId ... "); - new BpkBuilder(); - final Pair<String, String> bpkCalc = BpkBuilder - .generateAreaSpecificPersonIdentifier(identityLink.getIdentificationValue(), - identityLink.getIdentificationType(), - pendingReq.getServiceProviderConfiguration() - .getAreaSpecificTargetIdentifier()); + String idValue = identityLink.getIdentificationValue(); + String idType = identityLink.getIdentificationType(); + final Pair<String, String> bpkCalc = BpkBuilder.generateAreaSpecificPersonIdentifier(idValue, idType, targetId); bpk = bpkCalc.getFirst(); - } - + return new SzrResultHolder(identityLink, bpk); - } - + private void checkStateAndWriteRevisionLog(SzrResultHolder idlResult) throws SzrCommunicationException { // write some infos into revision log if (idlResult.getIdentityLink() == null) { log.error("ERnB did not return an identity link."); throw new SzrCommunicationException("ernb.00", null); - } - revisionsLogger.logEvent(pendingReq, - MsConnectorEventCodes.SZR_IDL_RECEIVED, - idlResult.getIdentityLink().getSamlAssertion() - .getAttribute(SimpleIdentityLinkAssertionParser.ASSERTIONID)); + + String assertionId = idlResult.getIdentityLink().getSamlAssertion() + .getAttribute(SimpleIdentityLinkAssertionParser.ASSERTIONID); + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_IDL_RECEIVED, assertionId); if (idlResult.getBpK() == null) { log.error("ERnB did not return a bPK for target: " + pendingReq.getServiceProviderConfiguration() - .getAreaSpecificTargetIdentifier()); + .getAreaSpecificTargetIdentifier()); throw new SzrCommunicationException("ernb.01", null); - } + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_BPK_RECEIVED); log.debug("ERnB communication was successfull"); - } - - private String extendBpkByPrefix(String bpk, String type) { - String bpkType = null; - - if (type.startsWith(EaafConstants.URN_PREFIX_WBPK)) { - bpkType = type.substring(EaafConstants.URN_PREFIX_WBPK.length()); - } else if (type.startsWith(EaafConstants.URN_PREFIX_CDID)) { - bpkType = type.substring(EaafConstants.URN_PREFIX_CDID.length()); - } else if (type.startsWith(EaafConstants.URN_PREFIX_EIDAS)) { - bpkType = type.substring(EaafConstants.URN_PREFIX_EIDAS.length()); - } + private String extendBpkByPrefix(String bpk, String type) { + String bpkType = getBpkType(type); if (bpkType != null) { log.trace("Authenticate user with bPK/wbPK " + bpk + " and Type=" + bpkType); return bpkType + ":" + bpk; - } else { log.warn("Service Provider Target with: " + type + " is NOT supported. Set bPK as it is ..."); return bpk; - } - } - private Map<String, Object> convertEidasAttrToSimpleMap( - ImmutableMap<AttributeDefinition<?>, ImmutableSet<? extends AttributeValue<?>>> attributeMap) { - final Map<String, Object> result = new HashMap<>(); - - for (final AttributeDefinition<?> el : attributeMap.keySet()) { - - final Class<?> parameterizedType = el.getParameterizedType(); - if (DateTime.class.equals(parameterizedType)) { - final DateTime attribute = EidasResponseUtils.translateDateAttribute(el, attributeMap.get(el).asList()); - if (attribute != null) { - result.put(el.getFriendlyName(), attribute); - log.trace("Find attr '" + el.getFriendlyName() + "' with value: " + attribute.toString()); - - } else { - log.info("Ignore empty 'DateTime' attribute"); - } - - } else if (PostalAddress.class.equals(parameterizedType)) { - final PostalAddress addressAttribute = EidasResponseUtils - .translateAddressAttribute(el, attributeMap.get(el).asList()); - if (addressAttribute != null) { - result.put(el.getFriendlyName(), addressAttribute); - log.trace("Find attr '" + el.getFriendlyName() + "' with value: " + addressAttribute.toString()); - - } else { - log.info("Ignore empty 'PostalAddress' attribute"); - } - - } else { - final List<String> natPersonIdObj = EidasResponseUtils - .translateStringListAttribute(el, attributeMap.get(el)); - final String stringAttr = natPersonIdObj.get(0); - if (StringUtils.isNotEmpty(stringAttr)) { - result.put(el.getFriendlyName(), stringAttr); - log.trace("Find attr '" + el.getFriendlyName() + "' with value: " + stringAttr); - - } else { - log.info("Ignore empty 'String' attribute"); - } - - } + @Nullable + private String getBpkType(String type) { + if (type.startsWith(EaafConstants.URN_PREFIX_WBPK)) { + return type.substring(EaafConstants.URN_PREFIX_WBPK.length()); + } else if (type.startsWith(EaafConstants.URN_PREFIX_CDID)) { + return type.substring(EaafConstants.URN_PREFIX_CDID.length()); + } else if (type.startsWith(EaafConstants.URN_PREFIX_EIDAS)) { + return type.substring(EaafConstants.URN_PREFIX_EIDAS.length()); + } else { + return null; } - - log.debug("Receive #" + result.size() + " attributes with names: " + result.keySet().toString()); - - return result; } - private void writeMdsLogInformation(ErnbEidData eidData) { - // log MDS and country code into technical log - if (basicConfig - .getBasicConfigurationBoolean(MsEidasNodeConstants.PROP_CONFIG_TECHNICALLOG_WRITE_MDS_INTO_TECH_LOG, false)) { + + /** + * write MDS into technical log and revision log. + */ + private void writeMdsLogInformation(SimpleEidasData eidData) { + boolean writeMdsInTechLog = basicConfig + .getBasicConfigurationBoolean(MsEidasNodeConstants.PROP_CONFIG_TECHNICALLOG_WRITE_MDS_INTO_TECH_LOG, false); + if (writeMdsInTechLog) { log.info("eIDAS Auth. for user: " + eidData.getGivenName() + " " + eidData.getFamilyName() + " " + eidData - .getFormatedDateOfBirth() + " " + "from " + eidData.getCitizenCountryCode()); + .getDateOfBirth() + " " + "from " + eidData.getCitizenCountryCode()); } - // log MDS and country code into revision log - if (basicConfig + boolean writeMdsInRevLog = basicConfig .getBasicConfigurationBoolean(MsEidasNodeConstants.PROP_CONFIG_REVISIONLOG_WRITE_MDS_INTO_REVISION_LOG, - false)) { + false); + if (writeMdsInRevLog) { revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.RESPONSE_FROM_EIDAS_MDSDATA, - "{" + eidData.getGivenName() + "," + eidData.getFamilyName() + "," + eidData - .getFormatedDateOfBirth() + "," + eidData.getCitizenCountryCode() + "}"); + "{" + eidData.getGivenName() + "," + eidData.getFamilyName() + "," + eidData + .getDateOfBirth() + "," + eidData.getCitizenCountryCode() + "}"); } - } - + @Data - private static class SzrResultHolder { + private static class SzrResultHolder { final IIdentityLink identityLink; final String bpK; - + } - + /** * Build a dummy IdentityLink and a dummy bPK based on eIDAS information. - * + * * <br><br> * <b>FOR LOCAL TESTING ONLY!!!</b> - * + * * @param eidData Information from eIDAS response * @return IdentityLink and bPK * @throws ParserConfigurationException In case of an IDL processing error - * @throws SAXException In case of an IDL processing error - * @throws IOException In case of an IDL processing error - * @throws EaafException In case of a bPK generation error + * @throws SAXException In case of an IDL processing error + * @throws IOException In case of an IDL processing error + * @throws EaafException In case of a bPK generation error */ - private SzrResultHolder createDummyIdentityLinkForTestDeployment(ErnbEidData eidData) + private SzrResultHolder createDummyIdentityLinkForTestDeployment(SimpleEidasData eidData) throws ParserConfigurationException, SAXException, IOException, EaafException { log.warn("SZR-Dummy IS ACTIVE! IdentityLink is NOT VALID!!!!"); // create fake IdL @@ -487,17 +411,16 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { final Node prDateOfBirth = XPathUtils .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_DATE_OF_BIRTH_XPATH); - prDateOfBirth.getFirstChild().setNodeValue(eidData.getFormatedDateOfBirth()); + prDateOfBirth.getFirstChild().setNodeValue(eidData.getDateOfBirth()); identityLink = new SimpleIdentityLinkAssertionParser(idlassertion).parseIdentityLink(); - final Pair<String, String> bpkCalc = BpkBuilder - .generateAreaSpecificPersonIdentifier(identityLink.getIdentificationValue(), - identityLink.getIdentificationType(), - pendingReq.getServiceProviderConfiguration() - .getAreaSpecificTargetIdentifier()); + String idValue = identityLink.getIdentificationValue(); + String idType = identityLink.getIdentificationType(); + String targetId = pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(); + final Pair<String, String> bpkCalc = BpkBuilder.generateAreaSpecificPersonIdentifier(idValue, idType, targetId); return new SzrResultHolder(identityLink, bpkCalc.getFirst()); - + } } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateNewErnpEntryTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateNewErnpEntryTask.java new file mode 100644 index 00000000..6fc6d499 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateNewErnpEntryTask.java @@ -0,0 +1,93 @@ +/* + * Copyright 2021 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.springframework.stereotype.Component; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import lombok.extern.slf4j.Slf4j; + +/** + * Task that searches ERnP and ZMR before adding person to SZR. + * This corresponds to Step 9 in the eIDAS Matching Concept. + * Input: + * <ul> + * <li>{@link Constants#DATA_SIMPLE_EIDAS}</li> + * </ul> + * Output: + * <ul> + * <li>TODO MDS, BPK of new entry</li> + * </ul> + * + * @author amarsalek + * @author ckollmann + */ +@Slf4j +@Component("CreateNewErnbEntryTask") +public class CreateNewErnpEntryTask extends AbstractAuthServletTask { + + //private final SzrClient szrClient; + + ///** + // * Constructor. + // * @param szrClient SZR client for creating a new ERnP entry + // */ + //public CreateNewErnpEntryTask(SzrClient szrClient) { + // this.szrClient = szrClient; + //} + + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + try { + //SimpleEidasData simpleEidasData = MatchingTaskUtils.getInitialEidasData(pendingReq); + + // insert person into ERnP + //TODO: should we insert it directly into ERnP? + //TODO: has to updated to new eIDAS document model in ERnP + //String vsz = szrClient.createNewErnpEntry(simpleEidasData); + + // finish matching process, because new user-entry uniquly matches + //log.info("User successfully registerred into ERnP and matching tasks are finished "); + //MatchingTaskUtils.storeFinalMatchingResult(pendingReq, + // MatchedPersonResult.builder() + // .vsz(vsz) + // .build()); + + log.warn("Skipping new insert ERnP task, because it's currently unknown who we should it"); + + + } catch (final Exception e) { + log.error("Initial search FAILED.", e); + throw new TaskExecutionException(pendingReq, "Initial search FAILED.", e); + } + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAustrianResidenceGuiTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAustrianResidenceGuiTask.java new file mode 100644 index 00000000..d8266398 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAustrianResidenceGuiTask.java @@ -0,0 +1,76 @@ +/* + * Copyright 2021 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; + +import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; +import at.asitplus.eidas.specific.connector.gui.StaticGuiBuilderConfiguration; +import at.gv.egiz.eaaf.core.api.gui.IGuiBuilderConfiguration; +import at.gv.egiz.eaaf.core.api.gui.ISpringMvcGuiFormBuilder; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import lombok.extern.slf4j.Slf4j; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +/** + * Show GUI where user can provide an Austrian residence address, to provide further input to match the identity. + * + * @author ckollmann + */ +@Slf4j +@Component("GenerateAustrianResidenceGuiTask") +public class GenerateAustrianResidenceGuiTask extends AbstractAuthServletTask { + + @Autowired + private ISpringMvcGuiFormBuilder guiBuilder; + @Autowired + private IConfiguration basicConfig; + + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + try { + final IGuiBuilderConfiguration config = new StaticGuiBuilderConfiguration( + basicConfig, + pendingReq, + basicConfig.getBasicConfiguration(//TODO + MsEidasNodeConstants.PROP_CONFIG_WEBCONTENT_TEMPLATES_RESIDENCY, + MsEidasNodeConstants.TEMPLATE_HTML_RESIDENCY), + MsEidasNodeConstants.ENDPOINT_RESIDENCY_INPUT, + resourceLoader); + + guiBuilder.build(request, response, config, "Query Austrian residency"); + + } catch (final Exception e) { + log.error("Initial search FAILED.", e); + throw new TaskExecutionException(pendingReq, "Gui creation FAILED.", e); + } + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java index 9900fa98..74525e65 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java @@ -19,10 +19,11 @@ * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. -*/ + */ package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; +import java.io.IOException; import java.util.UUID; import javax.servlet.ServletException; @@ -30,6 +31,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang3.StringUtils; +import org.jetbrains.annotations.NotNull; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.ApplicationContext; import org.springframework.stereotype.Component; @@ -39,6 +41,7 @@ import at.asitplus.eidas.specific.connector.MsConnectorEventCodes; import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; import at.asitplus.eidas.specific.connector.gui.StaticGuiBuilderConfiguration; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPostProcessingException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasSAuthenticationException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.ICcSpecificEidProcessingService; import at.gv.egiz.eaaf.core.api.gui.ISpringMvcGuiFormBuilder; @@ -46,6 +49,8 @@ import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage; import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.exceptions.GuiBuildException; import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; import eu.eidas.auth.commons.EidasParameterKeys; @@ -58,146 +63,163 @@ import eu.eidas.specificcommunication.exception.SpecificCommunicationException; import eu.eidas.specificcommunication.protocol.SpecificCommunicationService; import lombok.extern.slf4j.Slf4j; + /** - * Authentication-process task that generates the Authn. Request to eIDAS Node. - * - * @author tlenz + * Generates the authn request to the eIDAS Node. This is the first task in the process. + * Input: + * <ul> + * <li>none</li> + * </ul> + * Output: + * <ul> + * <li>none</li> + * </ul> + * Transitions: + * <ul> + * <li>{@link at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.ReceiveAuthnResponseTask} + * to read the response from the eIDAS Node</li> + * </ul> * + * @author tlenz + * @author ckollmann */ @Slf4j -@Component("ConnecteIDASNodeTask") +@Component("GenerateAuthnRequestTask") public class GenerateAuthnRequestTask extends AbstractAuthServletTask { + @SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection") @Autowired IConfiguration basicConfig; + @Autowired ApplicationContext context; + + @SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection") @Autowired ITransactionStorage transactionStore; + + @SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection") @Autowired ISpringMvcGuiFormBuilder guiBuilder; + @Autowired ICcSpecificEidProcessingService ccSpecificProcessing; @Override - public void execute(ExecutionContext executionContext, - HttpServletRequest request, HttpServletResponse response) + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) throws TaskExecutionException { - try { - // get target, environment and validate citizen countryCode - final String citizenCountryCode = (String) executionContext.get( - MsEidasNodeConstants.REQ_PARAM_SELECTED_COUNTRY); - final String environment = (String) executionContext.get( - MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT); - - if (StringUtils.isEmpty(citizenCountryCode)) { - // illegal state; task should not have been executed without a selected country - throw new EidasSAuthenticationException("eidas.03", new Object[] { "" }); - - } - - // TODO: maybe add countryCode validation before request ref. impl. eIDAS node - log.info("Request eIDAS auth. for citizen of country: " + citizenCountryCode); - revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.COUNTRY_SELECTED, citizenCountryCode); - - // build eIDAS AuthnRequest - final LightRequest.Builder authnRequestBuilder = LightRequest.builder(); - authnRequestBuilder.id(UUID.randomUUID().toString()); - - // set nameIDFormat - authnRequestBuilder.nameIdFormat( - authConfig.getBasicConfiguration(Constants.CONFIG_PROP_EIDAS_NODE_NAMEIDFORMAT)); - - // set citizen country code for foreign uses - authnRequestBuilder.citizenCountryCode(citizenCountryCode); - - //set Issuer - final String issur = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_ENTITYID); - if (StringUtils.isEmpty(issur)) { - log.error("Found NO 'eIDAS node issuer' in configuration. Authentication NOT possible!"); - throw new EaafConfigurationException("config.27", - new Object[] { "Application config containts NO " + Constants.CONIG_PROPS_EIDAS_NODE_ENTITYID }); - - } - authnRequestBuilder.issuer(issur); - + final String citizenCountryCode = extractCitizenCountryCode(executionContext); + final String environment = (String) executionContext.get(MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT); + final String issuer = loadIssuerFromConfig(); + final LightRequest lightAuthnReq = buildEidasAuthnRequest(citizenCountryCode, issuer); - // Add country-specific informations into eIDAS request - ccSpecificProcessing.preProcess(citizenCountryCode, pendingReq, authnRequestBuilder); - - // build request - final LightRequest lightAuthnReq = authnRequestBuilder.build(); - - // put request into Hazelcast cache final BinaryLightToken token = putRequestInCommunicationCache(lightAuthnReq); final String tokenBase64 = BinaryLightTokenHelper.encodeBinaryLightTokenBase64(token); - - // Workaround, because eIDAS node ref. impl. does not return relayState - if (basicConfig.getBasicConfigurationBoolean( - Constants.CONIG_PROPS_EIDAS_NODE_WORKAROUND_USEREQUESTIDASTRANSACTIONIDENTIFIER, - false)) { - log.trace("Put lightRequestId into transactionstore as session-handling backup"); - transactionStore.put(lightAuthnReq.getId(), pendingReq.getPendingRequestId(), -1); - - } - - // select forward URL regarding the selected environment - String forwardUrl = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL); - if (StringUtils.isNotEmpty(environment)) { - forwardUrl = selectedForwardUrlForEnvironment(environment); - } - - if (StringUtils.isEmpty(forwardUrl)) { - log.warn("NO ForwardURL defined in configuration. Can NOT forward to eIDAS node! Process stops"); - throw new EaafConfigurationException("config.08", new Object[] { - environment == null ? Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL - : Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL + "." + environment - }); - - } - log.debug("ForwardURL: " + forwardUrl + " selected to forward eIDAS request"); - - if (basicConfig.getBasicConfiguration( - Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_METHOD, - Constants.FORWARD_METHOD_GET).equals(Constants.FORWARD_METHOD_GET)) { - - log.debug("Use http-redirect for eIDAS node forwarding ... "); - // send redirect - final UriComponentsBuilder redirectUrl = UriComponentsBuilder.fromHttpUrl(forwardUrl); - redirectUrl.queryParam(EidasParameterKeys.TOKEN.toString(), tokenBase64); - response.sendRedirect(redirectUrl.build().encode().toString()); - + workaroundRelayState(lightAuthnReq); + final String forwardUrl = selectForwardUrl(environment); + + String configValue = basicConfig.getBasicConfiguration( + Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_METHOD, Constants.FORWARD_METHOD_GET); + boolean useHttpRedirect = configValue.equals(Constants.FORWARD_METHOD_GET); + if (useHttpRedirect) { + sendRedirect(response, tokenBase64, forwardUrl); } else { - log.debug("Use http-post for eIDAS node forwarding ... "); - final StaticGuiBuilderConfiguration config = new StaticGuiBuilderConfiguration( - basicConfig, - pendingReq, - Constants.TEMPLATE_POST_FORWARD_NAME, - null, - resourceLoader); - - config.putCustomParameter(null, Constants.TEMPLATE_POST_FORWARD_ENDPOINT, forwardUrl); - config.putCustomParameter(null, Constants.TEMPLATE_POST_FORWARD_TOKEN_NAME, - EidasParameterKeys.TOKEN.toString()); - config.putCustomParameter(null, Constants.TEMPLATE_POST_FORWARD_TOKEN_VALUE, - tokenBase64); - - guiBuilder.build(request, response, config, "Forward to eIDASNode form"); - + sendPost(request, response, tokenBase64, forwardUrl); } revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.EIDAS_NODE_CONNECTED, lightAuthnReq.getId()); - } catch (final EidasSAuthenticationException e) { throw new TaskExecutionException(pendingReq, "eIDAS AuthnRequest generation FAILED.", e); - } catch (final Exception e) { log.warn("eIDAS AuthnRequest generation FAILED.", e); throw new TaskExecutionException(pendingReq, e.getMessage(), e); + } + } + + @NotNull + private String extractCitizenCountryCode(ExecutionContext executionContext) throws EidasSAuthenticationException { + final String result = (String) executionContext.get(MsEidasNodeConstants.REQ_PARAM_SELECTED_COUNTRY); + // illegal state; task should not have been executed without a selected country + if (StringUtils.isEmpty(result)) { + throw new EidasSAuthenticationException("eidas.03", new Object[]{""}); + } + // TODO: maybe add countryCode validation before request ref. impl. eIDAS node + log.info("Request eIDAS auth. for citizen of country: {}", result); + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.COUNTRY_SELECTED, result); + return result; + } + + @NotNull + private String loadIssuerFromConfig() throws EaafConfigurationException { + final String result = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_ENTITYID); + if (StringUtils.isEmpty(result)) { + log.error("Found NO 'eIDAS node issuer' in configuration. Authentication NOT possible!"); + throw new EaafConfigurationException("config.27", + new Object[]{"Application config containts NO " + Constants.CONIG_PROPS_EIDAS_NODE_ENTITYID}); + } + return result; + } + @NotNull + private LightRequest buildEidasAuthnRequest(String citizenCountryCode, String issuer) + throws EidPostProcessingException { + final LightRequest.Builder builder = LightRequest.builder(); + builder.id(UUID.randomUUID().toString()); + + // set nameIDFormat + builder.nameIdFormat( + authConfig.getBasicConfiguration(Constants.CONFIG_PROP_EIDAS_NODE_NAMEIDFORMAT)); + + builder.citizenCountryCode(citizenCountryCode); + builder.issuer(issuer); + // Add country-specific information into eIDAS request + ccSpecificProcessing.preProcess(citizenCountryCode, pendingReq, builder); + return builder.build(); + } + + private BinaryLightToken putRequestInCommunicationCache(ILightRequest lightRequest) + throws ServletException { + final BinaryLightToken binaryLightToken; + try { + String beanName = SpecificCommunicationDefinitionBeanNames.SPECIFIC_CONNECTOR_COMMUNICATION_SERVICE.toString(); + final SpecificCommunicationService service = (SpecificCommunicationService) context.getBean(beanName); + binaryLightToken = service.putRequest(lightRequest); + } catch (final SpecificCommunicationException e) { + log.error("Unable to process specific request"); + throw new ServletException(e); } + return binaryLightToken; + } + + /** + * Workaround, because eIDAS node ref. impl. does not return relayState + */ + private void workaroundRelayState(LightRequest lightAuthnReq) throws EaafException { + if (basicConfig.getBasicConfigurationBoolean( + Constants.CONIG_PROPS_EIDAS_NODE_WORKAROUND_USEREQUESTIDASTRANSACTIONIDENTIFIER, + false)) { + log.trace("Put lightRequestId into transactionstore as session-handling backup"); + transactionStore.put(lightAuthnReq.getId(), pendingReq.getPendingRequestId(), -1); + } + } + + @NotNull + private String selectForwardUrl(String environment) throws EaafConfigurationException { + String result = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL); + if (StringUtils.isNotEmpty(environment)) { + result = selectedForwardUrlForEnvironment(environment); + } + if (StringUtils.isEmpty(result)) { + log.warn("NO ForwardURL defined in configuration. Can NOT forward to eIDAS node! Process stops"); + throw new EaafConfigurationException("config.08", new Object[]{ + environment == null ? Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL + : Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL + "." + environment + }); + } + log.debug("ForwardURL: {} selected to forward eIDAS request", result); + return result; } /** @@ -205,51 +227,48 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { * <br> * <b>Info: </b> This method is needed, because eIDAS Ref. Impl only supports * one countrycode on each instance. In consequence, more than one eIDAS Ref. - * Impl nodes are required to support producation, testing, or QS stages for one + * Impl nodes are required to support production, testing, or QS stages for one * country by using one ms-specific eIDAS connector - * + * * @param environment Environment selector from CountrySlection page - * @return + * @return the URL from the configuration */ private String selectedForwardUrlForEnvironment(String environment) { - log.trace("Starting endpoint selection process for environment: " + environment + " ... "); + log.trace("Starting endpoint selection process for environment: {} ... ", environment); if (environment.equalsIgnoreCase(MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_PRODUCTION)) { return basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL); } else if (environment.equalsIgnoreCase(MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_QS)) { return basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL + "." + MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_QS); - } else if (environment.equalsIgnoreCase( - MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_TESTING)) { + } else if (environment.equalsIgnoreCase(MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_TESTING)) { return basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL + "." + MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_TESTING); - } else if (environment.equalsIgnoreCase( - MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_DEVELOPMENT)) { + } else if (environment.equalsIgnoreCase(MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_DEVELOPMENT)) { return basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL + "." + MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_DEVELOPMENT); } - - log.info("Environment selector: " + environment + " is not supported"); + log.info("Environment selector: {} is not supported", environment); return null; - } - private BinaryLightToken putRequestInCommunicationCache(ILightRequest lightRequest) - throws ServletException { - final BinaryLightToken binaryLightToken; - try { - final SpecificCommunicationService springManagedSpecificConnectorCommunicationService = - (SpecificCommunicationService) context.getBean( - SpecificCommunicationDefinitionBeanNames.SPECIFIC_CONNECTOR_COMMUNICATION_SERVICE.toString()); - - binaryLightToken = springManagedSpecificConnectorCommunicationService.putRequest(lightRequest); - - } catch (final SpecificCommunicationException e) { - log.error("Unable to process specific request"); - throw new ServletException(e); - - } + private void sendRedirect(HttpServletResponse response, String tokenBase64, String forwardUrl) throws IOException { + log.debug("Use http-redirect for eIDAS node forwarding ... "); + final UriComponentsBuilder redirectUrl = UriComponentsBuilder.fromHttpUrl(forwardUrl); + redirectUrl.queryParam(EidasParameterKeys.TOKEN.toString(), tokenBase64); + response.sendRedirect(redirectUrl.build().encode().toString()); + + } - return binaryLightToken; + private void sendPost(HttpServletRequest request, HttpServletResponse response, String tokenBase64, String forwardUrl) + throws GuiBuildException { + log.debug("Use http-post for eIDAS node forwarding ... "); + final StaticGuiBuilderConfiguration config = new StaticGuiBuilderConfiguration( + basicConfig, pendingReq, Constants.TEMPLATE_POST_FORWARD_NAME, null, resourceLoader); + config.putCustomParameter(null, Constants.TEMPLATE_POST_FORWARD_ENDPOINT, forwardUrl); + String token = EidasParameterKeys.TOKEN.toString(); + config.putCustomParameter(null, Constants.TEMPLATE_POST_FORWARD_TOKEN_NAME, token); + config.putCustomParameter(null, Constants.TEMPLATE_POST_FORWARD_TOKEN_VALUE, tokenBase64); + guiBuilder.build(request, response, config, "Forward to eIDASNode form"); } } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateMobilePhoneSignatureRequestTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateMobilePhoneSignatureRequestTask.java new file mode 100644 index 00000000..715d3672 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateMobilePhoneSignatureRequestTask.java @@ -0,0 +1,147 @@ +/* + * Copyright 2021 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; + +import java.text.MessageFormat; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.lang3.StringUtils; +import org.jetbrains.annotations.NotNull; +import org.opensaml.saml.saml2.metadata.EntityDescriptor; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthRequestBuilderConfiguration; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider.IdAustriaClientAuthCredentialProvider; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider.IdAustriaClientAuthMetadataProvider; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import at.gv.egiz.eaaf.core.impl.utils.Random; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.sp.impl.PvpAuthnRequestBuilder; +import lombok.extern.slf4j.Slf4j; +import net.shibboleth.utilities.java.support.resolver.ResolverException; +import net.shibboleth.utilities.java.support.security.impl.SecureRandomIdentifierGenerationStrategy; + +/** + * Generate a SAML2 AuthnRequest to authenticate the user at ID Austria system. + * This corresponds to Step 15A in the eIDAS Matching Concept. + * + * @author tlenz + */ +@Slf4j +@Component("GenerateMobilePhoneSignatureRequestTask") +public class GenerateMobilePhoneSignatureRequestTask extends AbstractAuthServletTask { + + private static final String ERROR_MSG_1 = + "Requested 'ms-specific eIDAS node' {0} has no valid metadata or metadata is not found"; + + @Autowired + PvpAuthnRequestBuilder authnReqBuilder; + @Autowired + IdAustriaClientAuthCredentialProvider credential; + @Autowired + IdAustriaClientAuthMetadataProvider metadataService; + @Autowired + private IConfiguration basicConfig; + @Autowired + protected ITransactionStorage transactionStorage; + + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + try { + log.trace("Starting GenerateMobilePhoneSignatureRequestTask"); + final String entityId = loadEntityId(); + final EntityDescriptor entityDesc = loadEntityDescriptor(entityId); + final IdAustriaClientAuthRequestBuilderConfiguration authnReqConfig = buildAuthnRequestConfig(entityDesc); + final String relayState = buildRelayState(); + authnReqBuilder.buildAuthnRequest(pendingReq, authnReqConfig, relayState, response); // also transmits! + } catch (final Exception e) { + throw new TaskExecutionException(pendingReq, "Generation of SAML2 AuthnRequest to ID Austria System FAILED", e); + } + } + + @NotNull + private String loadEntityId() throws EaafConfigurationException { + final String msNodeEntityID = basicConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_ID_AUSTRIA_ENTITYID); + if (StringUtils.isEmpty(msNodeEntityID)) { + log.warn("ID Austria authentication not possible -> NO EntityID for ID Austria System FOUND!"); + throw new EaafConfigurationException(Constants.ERRORCODE_00, + new Object[]{IdAustriaClientAuthConstants.CONFIG_PROPS_ID_AUSTRIA_ENTITYID}); + } + return msNodeEntityID; + } + + /** + * Build relayState for session synchronization, because SAML2 only allows RelayState with 80 characters + * but encrypted PendingRequestId is much longer. + */ + @NotNull + private String buildRelayState() throws EaafException { + String relayState = Random.nextProcessReferenceValue(); + transactionStorage.put(relayState, pendingReq.getPendingRequestId(), -1); + return relayState; + } + + @NotNull + private EntityDescriptor loadEntityDescriptor(String msNodeEntityID) + throws ResolverException, EaafConfigurationException { + final EntityDescriptor entityDesc = metadataService.getEntityDescriptor(msNodeEntityID); + if (entityDesc == null) { + throw new EaafConfigurationException(IdAustriaClientAuthConstants.ERRORCODE_02, + new Object[]{MessageFormat.format(ERROR_MSG_1, msNodeEntityID)}); + + } + return entityDesc; + } + + @NotNull + private IdAustriaClientAuthRequestBuilderConfiguration buildAuthnRequestConfig(EntityDescriptor entityDesc) + throws CredentialsNotAvailableException { + final IdAustriaClientAuthRequestBuilderConfiguration authnReqConfig = + new IdAustriaClientAuthRequestBuilderConfiguration(); + final SecureRandomIdentifierGenerationStrategy gen = new SecureRandomIdentifierGenerationStrategy(); + authnReqConfig.setRequestId(gen.generateIdentifier()); + authnReqConfig.setIdpEntity(entityDesc); + authnReqConfig.setPassive(false); + authnReqConfig.setSignCred(credential.getMessageSigningCredential()); + authnReqConfig.setSpEntityID( + pendingReq.getAuthUrlWithOutSlash() + IdAustriaClientAuthConstants.ENDPOINT_METADATA); + authnReqConfig.setRequestedLoA(authConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_REQUIRED_LOA, + IdAustriaClientAuthConstants.CONFIG_DEFAULT_LOA_EIDAS_LEVEL)); + return authnReqConfig; + } +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateOtherLoginMethodGuiTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateOtherLoginMethodGuiTask.java new file mode 100644 index 00000000..7107709f --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateOtherLoginMethodGuiTask.java @@ -0,0 +1,99 @@ +/* + * Copyright 2021 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; + +import java.io.Serializable; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; +import at.asitplus.eidas.specific.connector.gui.StaticGuiBuilderConfiguration; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.gv.egiz.eaaf.core.api.gui.ISpringMvcGuiFormBuilder; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.gui.AbstractGuiFormBuilderConfiguration; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import lombok.extern.slf4j.Slf4j; + +/** + * Task that provides GUI for user to select an alternative login method. + * This page is shown when the matching of the eIDAS data to ZMR/ERnP data is ambiguous. + * This corresponds to Steps 10, 14, 16 in the eIDAS Matching Concept. + * The response is handled in {@link ReceiveOtherLoginMethodGuiResponseTask} + * + * @author amarsalek + * @author ckollmann + */ +@Slf4j +@Component("GenerateOtherLoginMethodGuiTask") +public class GenerateOtherLoginMethodGuiTask extends AbstractAuthServletTask { + + @Autowired + private ISpringMvcGuiFormBuilder guiBuilder; + + @Autowired + private IConfiguration basicConfig; + + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + try { + final StaticGuiBuilderConfiguration config = new StaticGuiBuilderConfiguration( + basicConfig, + pendingReq, + basicConfig.getBasicConfiguration( + MsEidasNodeConstants.PROP_CONFIG_WEBCONTENT_TEMPLATES_OTHER_LOGIN_METHOD_SELECTION, + MsEidasNodeConstants.TEMPLATE_HTML_OTHERLOGINMETHODS), + MsEidasNodeConstants.ENDPOINT_OTHER_LOGIN_METHOD_SELECTION, + resourceLoader); + + // inject flag to indicate advanced matching error + if (getExecutionContextFlag(executionContext, Constants.CONTEXT_FLAG_ADVANCED_MATCHING_FAILED)) { + config.putCustomParameter(AbstractGuiFormBuilderConfiguration.PARAM_GROUP_UIOPTIONS, + Constants.HTML_FORM_ADVANCED_MATCHING_FAILED, String.valueOf(true)); + + } + + guiBuilder.build(request, response, config, "Other login methods selection form"); + + } catch (final Exception e) { + log.error("Initial search FAILED.", e); + throw new TaskExecutionException(pendingReq, "Gui creation FAILED.", e); + } + } + + private boolean getExecutionContextFlag(ExecutionContext executionContext, String key) { + Serializable value = executionContext.get(key); + return value instanceof Boolean && (boolean)value + || value instanceof String && Boolean.parseBoolean((String) value); + + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/InitialSearchTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/InitialSearchTask.java new file mode 100644 index 00000000..f295d66b --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/InitialSearchTask.java @@ -0,0 +1,206 @@ +/* + * Copyright 2020 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; + +import static at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants.TRANSITION_TO_CREATE_NEW_ERNP_ENTRY_TASK; +import static at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants.TRANSITION_TO_GENERATE_OTHER_LOGIN_METHOD_GUI_TASK; + +import java.util.Map; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.jetbrains.annotations.NotNull; +import org.springframework.stereotype.Component; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.MatchedPersonResult; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.RegisterResult; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPostProcessingException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasAttributeException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.WorkflowException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.ICcSpecificEidProcessingService; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.RegisterSearchService; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.RegisterSearchService.RegisterOperationStatus; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.RegisterSearchService.RegisterStatusResults; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.MatchingTaskUtils; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.EaafStorageException; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import eu.eidas.auth.commons.light.ILightResponse; +import lombok.extern.slf4j.Slf4j; + +/** + * Searches registers (ERnP and ZMR) after initial user auth, before adding person to SZR. + * Input: + * <ul> + * <li>{@link Constants#DATA_FULL_EIDAS_RESPONSE}</li> + * </ul> + * Output: + * <ul> + * <li>{@link Constants#DATA_SIMPLE_EIDAS} converted from Full eIDAS Response</li> + * <li>{@link Constants#DATA_INTERMEDIATE_RESULT} results from first search in registers with + * PersonIdentifier</li> + * <li>{@link Constants#DATA_PERSON_MATCH_RESULT} results after second search in registers with MDS</li> + * </ul> + * Transitions: + * <ul> + * <li>{@link CreateNewErnpEntryTask} if no results in registers where found for this user</li> + * <li>{@link GenerateOtherLoginMethodGuiTask} if search with MDS returns more than one match, user may provide + * alternative login methods to get an unique match</li> + * <li>{@link CreateIdentityLinkTask} if search in register returned one match, user is uniquely identified</li> + * </ul> + * + * @author amarsalek + * @author ckollmann + * @author tlenz + */ +@Slf4j +@Component("InitialSearchTask") +@SuppressWarnings("PMD.TooManyStaticImports") +public class InitialSearchTask extends AbstractAuthServletTask { + + private final RegisterSearchService registerSearchService; + private final ICcSpecificEidProcessingService eidPostProcessor; + + /** + * Constructor. + * + * @param registerSearchService Service for register search access + * @param eidPostProcessor Country-Specific post processing of attributes + */ + public InitialSearchTask(RegisterSearchService registerSearchService, + ICcSpecificEidProcessingService eidPostProcessor) { + this.registerSearchService = registerSearchService; + this.eidPostProcessor = eidPostProcessor; + } + + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + try { + final SimpleEidasData eidasData = convertEidasAttrToSimpleData(); + MatchingTaskUtils.storeInitialEidasData(pendingReq, eidasData); + step2RegisterSearchWithPersonIdentifier(executionContext, eidasData); + } catch (WorkflowException e) { + throw new TaskExecutionException(pendingReq, "Initial search failed", e); + } catch (final Exception e) { + log.error("Initial search failed", e); + throw new TaskExecutionException(pendingReq, "Initial search failed with a generic error", e); + } + } + + private void step2RegisterSearchWithPersonIdentifier( + ExecutionContext executionContext, SimpleEidasData eidasData) throws WorkflowException, EaafStorageException { + try { + log.trace("Starting step2RegisterSearchWithPersonIdentifier"); + RegisterStatusResults searchResult = registerSearchService.searchWithPersonIdentifier(eidasData); + int resultCount = searchResult.getResultCount(); + if (resultCount == 0) { + step6CountrySpecificSearch(executionContext, searchResult.getOperationStatus(), eidasData); + + } else if (resultCount == 1) { + foundMatchFinalizeTask(searchResult, eidasData); + + } else { + throw new WorkflowException("step2RegisterSearchWithPersonIdentifier", + "More than one entry with unique personal-identifier", true); + + } + } catch (WorkflowException e) { + //TODO: what we do in case of a workflow error and manual matching are necessary?? + log.warn("Workflow error during matching step: {}. Reason: {}", e.getProcessStepName(), e.getErrorReason()); + throw e; + } + } + + private void step6CountrySpecificSearch( + ExecutionContext executionContext, RegisterOperationStatus registerOperationStatus, SimpleEidasData eidasData) + throws EaafStorageException, WorkflowException { + log.trace("Starting 'step6CountrySpecificSearch' ... "); + RegisterStatusResults searchResult = registerSearchService.searchWithCountrySpecifics( + registerOperationStatus, eidasData); + if (searchResult.getResultCount() == 0) { + log.trace("'step6CountrySpecificSearch' ends with no result. Forward to next matching step ... "); + step8RegisterSearchWithMds(executionContext, searchResult.getOperationStatus(), eidasData); + } else if (searchResult.getResultCount() == 1) { + log.trace("'step6CountrySpecificSearch' finds a person. Forward to 'step7aKittProcess' step ... "); + registerSearchService.step7aKittProcess(searchResult, eidasData); + foundMatchFinalizeTask(searchResult, eidasData); + } else { + throw new WorkflowException("step6CountrySpecificSearch", + "More than one entry with unique country-specific information", true); + } + } + + private void step8RegisterSearchWithMds(ExecutionContext executionContext, + RegisterOperationStatus registerOperationStatus, SimpleEidasData eidasData) + throws EaafStorageException, WorkflowException { + log.trace("Starting step8RegisterSearchWithMds"); + RegisterStatusResults registerData = registerSearchService.searchWithMds(registerOperationStatus, eidasData); + if (registerData.getResultCount() == 0) { + log.debug("Matching step: 'step8RegisterSearchWithMds' has no result. Forward to create new ERnP entry ... "); + executionContext.put(TRANSITION_TO_CREATE_NEW_ERNP_ENTRY_TASK, true); + } else { + log.debug("Matching step: 'step8RegisterSearchWithMds' has #{} results. " + + "Forward to GUI based matching steps ... ", registerData.getResultCount()); + MatchingTaskUtils.storeIntermediateMatchingResult(pendingReq, registerData); + executionContext.put(TRANSITION_TO_GENERATE_OTHER_LOGIN_METHOD_GUI_TASK, true); + } + } + + private void foundMatchFinalizeTask(RegisterStatusResults searchResult, SimpleEidasData eidasData) + throws WorkflowException, EaafStorageException { + RegisterResult updatedResult = step3CheckRegisterUpdateNecessary(searchResult.getResult(), eidasData); + MatchedPersonResult result = MatchedPersonResult.generateFormMatchingResult( + updatedResult, eidasData.getCitizenCountryCode()); + MatchingTaskUtils.storeFinalMatchingResult(pendingReq, result); + } + + private RegisterResult step3CheckRegisterUpdateNecessary(RegisterResult searchResult, + SimpleEidasData eidasData) { + log.trace("Starting step3CheckRegisterUpdateNecessary"); + if (!eidasData.equalsRegisterData(searchResult)) { + log.info("Skipping update-register-information step, because it's not supported yet"); + //TODO: return updated search result if updates are allowed + return searchResult; + } else { + log.debug("Register information match to eIDAS information. No update required"); + return searchResult; + } + } + + @NotNull + private SimpleEidasData convertEidasAttrToSimpleData() + throws EidasAttributeException, EidPostProcessingException { + final ILightResponse eidasResponse = MatchingTaskUtils.getAuthProcessDataWrapper(pendingReq) + .getGenericDataFromSession(Constants.DATA_FULL_EIDAS_RESPONSE, ILightResponse.class); + Map<String, Object> simpleMap = MatchingTaskUtils.convertEidasAttrToSimpleMap( + eidasResponse.getAttributes().getAttributeMap(), log); + return eidPostProcessor.postProcess(simpleMap); + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAustrianResidenceGuiResponseTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAustrianResidenceGuiResponseTask.java new file mode 100644 index 00000000..acf469d3 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAustrianResidenceGuiResponseTask.java @@ -0,0 +1,208 @@ +/* + * Copyright 2021 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; + +import java.util.Enumeration; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.lang.StringEscapeUtils; +import org.jetbrains.annotations.NotNull; +import org.springframework.stereotype.Component; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.MatchedPersonResult; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.ManualFixNecessaryException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.WorkflowException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.RegisterSearchService; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.RegisterSearchService.RegisterStatusResults; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.MatchingTaskUtils; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.EaafStorageException; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import lombok.AllArgsConstructor; +import lombok.Data; +import lombok.NoArgsConstructor; +import lombok.extern.slf4j.Slf4j; + +import static at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants.CONTEXT_FLAG_ADVANCED_MATCHING_FAILED; +import static at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants.TRANSITION_TO_GENERATE_OTHER_LOGIN_METHOD_GUI_TASK; + + +/** + * Task receives the response of {@link GenerateAustrianResidenceGuiTask} and handles it. + * This corresponds to Steps 17B, 18, 19 in the eIDAS Matching Concept. + * Input: + * <ul> + * <li>{@link Constants#DATA_SIMPLE_EIDAS} initial login data from user</li> + * <li>{@link Constants#DATA_INTERMEDIATE_RESULT} results from search in registers with personIdentifier</li> + * </ul> + * Output: + * <ul> + * <li>{@link Constants#DATA_PERSON_MATCH_RESULT} if one register result found</li> + * </ul> + * Transitions: + * <ul> + * <li>{@link CreateNewErnpEntryTask} if no results from search with residency data in registers</li> + * <li>{@link CreateIdentityLinkTask} if one exact match between initial register search (with MDS) and results + * from search with residency data in registers exists</li> + * <li>{@link GenerateOtherLoginMethodGuiTask} if a user input error has happened</li> + * </ul> + * + * @author amarsalek + * @author ckollmann + * @author tlenz + */ +@Slf4j +@Component("ReceiveAustrianResidenceGuiResponseTask") +public class ReceiveAustrianResidenceGuiResponseTask extends AbstractAuthServletTask { + + public static final String PARAM_FORMER_RESIDENCE_AVAILABLE = "formerResidenceAvailable"; + public static final String PARAM_STREET = "street"; + public static final String PARAM_CITY = "city"; + public static final String PARAM_ZIPCODE = "zipcode"; + private final RegisterSearchService registerSearchService; + + public ReceiveAustrianResidenceGuiResponseTask(RegisterSearchService registerSearchService) { + this.registerSearchService = registerSearchService; + } + + @Data + @AllArgsConstructor + @NoArgsConstructor + public static class UserInput { + private boolean formerResidenceAvailable; + private String zipcode; + private String city; + private String street; + } + + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + log.trace("Starting ReceiveAustrianResidenceGuiResponseTask"); + + UserInput input = parseHtmlInput(request); + if (!input.isFormerResidenceAvailable()) { + moveToNextTask(executionContext); + return; + + } + + if (input.getStreet().isEmpty() || input.getCity().isEmpty() || input.getZipcode().isEmpty()) { + // HTML form should ensure that mandatory fields are set => this should never happen + executionContext.put(CONTEXT_FLAG_ADVANCED_MATCHING_FAILED, true); + executionContext.put(TRANSITION_TO_GENERATE_OTHER_LOGIN_METHOD_GUI_TASK, true); + return; + + } + + try { + SimpleEidasData eidasData = MatchingTaskUtils.getInitialEidasData(pendingReq); + RegisterStatusResults initialSearchResult = MatchingTaskUtils.getIntermediateMatchingResult(pendingReq); + + RegisterStatusResults residencyResult = + registerSearchService.searchWithResidence(initialSearchResult.getOperationStatus(), + eidasData, input.zipcode, input.city, input.street); + if (residencyResult.getResultCount() == 0) { + //TODO: her we should add a GUI step of result is zero to inform user an forward process by click + moveToNextTask(executionContext); + + } else if (residencyResult.getResultCount() == 1) { + compareSearchResultWithInitialData(executionContext, residencyResult, eidasData); + + } else { + /*TODO: align with form generation task and to better error handling in case of more-than-one result. + * Maybe the user has to provide more information. + */ + throw new TaskExecutionException(pendingReq, + "Manual Fix necessary", new ManualFixNecessaryException(eidasData)); + + } + + } catch (EaafStorageException e) { + log.error("Search with residency data failed", e); + throw new TaskExecutionException(pendingReq, "Search with residency data failed", e); + + } + } + + private void compareSearchResultWithInitialData(ExecutionContext executionContext, + RegisterStatusResults residencyResult, SimpleEidasData eidasData) + throws TaskExecutionException, EaafStorageException { + try { + if (eidasData.equalsRegisterData(residencyResult.getResult())) { + // update register information + registerSearchService.step7aKittProcess(residencyResult, eidasData); + + // store search result to re-used in CreateIdentityLink step, because there we need bPK and MDS + MatchingTaskUtils.storeFinalMatchingResult(pendingReq, + MatchedPersonResult.generateFormMatchingResult( + residencyResult.getResult(), eidasData.getCitizenCountryCode())); + + } else { + moveToNextTask(executionContext); + + } + + } catch (WorkflowException e) { + throw new TaskExecutionException(pendingReq, "Search failed", new ManualFixNecessaryException(eidasData)); + + } + } + + private void moveToNextTask(ExecutionContext executionContext) { + // Later on, this should transition to Step 20 + executionContext.put(Constants.TRANSITION_TO_CREATE_NEW_ERNP_ENTRY_TASK, true); + + } + + private @NotNull UserInput parseHtmlInput(HttpServletRequest request) { + Enumeration<String> reqParamNames = request.getParameterNames(); + UserInput result = new UserInput(); + while (reqParamNames.hasMoreElements()) { + final String paramName = reqParamNames.nextElement(); + String escaped = StringEscapeUtils.escapeHtml(request.getParameter(paramName)); + if (PARAM_FORMER_RESIDENCE_AVAILABLE.equalsIgnoreCase(paramName)) { + result.setFormerResidenceAvailable(Boolean.parseBoolean(escaped)); + + } else if (PARAM_STREET.equalsIgnoreCase(paramName)) { + result.setStreet(escaped); + + } else if (PARAM_CITY.equalsIgnoreCase(paramName)) { + result.setCity(escaped); + + } else if (PARAM_ZIPCODE.equalsIgnoreCase(paramName)) { + result.setZipcode(escaped); + + } + } + return result; + + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAuthnResponseAlternativeTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAuthnResponseAlternativeTask.java new file mode 100644 index 00000000..aa04f55e --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAuthnResponseAlternativeTask.java @@ -0,0 +1,131 @@ +/* + * Copyright 2018 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; + +import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasSAuthenticationException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasValidationException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.validator.EidasResponseValidator; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import eu.eidas.auth.commons.light.ILightResponse; +import lombok.extern.slf4j.Slf4j; +import org.jetbrains.annotations.NotNull; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + + +/** + * Receives the authn response from the eIDAS Node, containing the (alternative) eIDAS authentication. + * Input: + * <ul> + * <li>none</li> + * </ul> + * Output: + * <ul> + * <li>{@link Constants#DATA_FULL_EIDAS_RESPONSE_ALTERNATIVE} the full response details</li> + * </ul> + * Transitions: + * <ul> + * <li>{@link InitialSearchTask} to perform search in registers</li> + * </ul> + * + * @author tlenz + * @author ckollmann + */ +@Slf4j +@Component("ReceiveAuthnResponseTask") +public class ReceiveAuthnResponseAlternativeTask extends AbstractAuthServletTask { + + @SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection") + @Autowired + private IConfiguration basicConfig; + + @Autowired + private EidasAttributeRegistry attrRegistry; + + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, + HttpServletResponse response) throws TaskExecutionException { + try { + final ILightResponse eidasResponse = extractEidasResponse(request); + checkStatusCode(eidasResponse); + validateMsSpecificResponse(executionContext, eidasResponse); + storeInSession(eidasResponse); + } catch (final Exception e) { + log.warn("eIDAS Response processing FAILED.", e); + throw new TaskExecutionException(pendingReq, e.getMessage(), + new EidasSAuthenticationException("eidas.05", new Object[]{e.getMessage()}, e)); + } + } + + @NotNull + private ILightResponse extractEidasResponse(HttpServletRequest request) throws EidasSAuthenticationException { + final ILightResponse eidasResponse = (ILightResponse) request.getAttribute(Constants.DATA_FULL_EIDAS_RESPONSE); + if (eidasResponse == null) { + log.warn("NO eIDAS response-message found."); + throw new EidasSAuthenticationException("eidas.01", null); + } + log.debug("Receive eIDAS response with RespId: {} for ReqId: {}", + eidasResponse.getId(), eidasResponse.getInResponseToId()); + log.trace("Full eIDAS-Resp: {}", eidasResponse); + return eidasResponse; + } + + private void checkStatusCode(ILightResponse eidasResponse) throws EidasSAuthenticationException { + if (!eidasResponse.getStatus().getStatusCode().equals(Constants.SUCCESS_URI)) { + log.info("Receive eIDAS Response with StatusCode: {} Subcode: {} Msg: {}", + eidasResponse.getStatus().getStatusCode(), + eidasResponse.getStatus().getSubStatusCode(), + eidasResponse.getStatus().getStatusMessage()); + throw new EidasSAuthenticationException("eidas.02", new Object[]{eidasResponse.getStatus() + .getStatusCode(), eidasResponse.getStatus().getStatusMessage()}); + } + } + + private void validateMsSpecificResponse(ExecutionContext executionContext, ILightResponse eidasResponse) + throws EidasValidationException { + final String spCountry = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_COUNTRYCODE, "AT"); + final String citizenCountryCode = (String) executionContext.get(MsEidasNodeConstants.REQ_PARAM_SELECTED_COUNTRY); + EidasResponseValidator.validateResponse(pendingReq, eidasResponse, spCountry, citizenCountryCode, attrRegistry); + } + + private void storeInSession(ILightResponse eidasResponse) throws EaafException { + log.debug("Store eIDAS response information into pending-request."); + final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); + authProcessData.setQaaLevel(eidasResponse.getLevelOfAssurance()); + authProcessData.setGenericDataToSession(Constants.DATA_FULL_EIDAS_RESPONSE_ALTERNATIVE, eidasResponse); + requestStoreage.storePendingRequest(pendingReq); + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAuthnResponseTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAuthnResponseTask.java index 6cab9214..86cd2164 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAuthnResponseTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAuthnResponseTask.java @@ -19,13 +19,14 @@ * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. -*/ + */ package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.jetbrains.annotations.NotNull; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; @@ -33,6 +34,7 @@ import at.asitplus.eidas.specific.connector.MsConnectorEventCodes; import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasSAuthenticationException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasValidationException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry; import at.asitplus.eidas.specific.modules.auth.eidas.v2.validator.EidasResponseValidator; import at.gv.egiz.eaaf.core.api.idp.IConfiguration; @@ -44,87 +46,102 @@ import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; import eu.eidas.auth.commons.light.ILightResponse; import lombok.extern.slf4j.Slf4j; + +/** + * Receives the authn response from the eIDAS Node, containing the (initial) eIDAS authentication. + * Input: + * <ul> + * <li>none</li> + * </ul> + * Output: + * <ul> + * <li>{@link Constants#DATA_FULL_EIDAS_RESPONSE} the full response details</li> + * </ul> + * Transitions: + * <ul> + * <li>{@link InitialSearchTask} to perform search in registers</li> + * </ul> + * + * @author tlenz + * @author ckollmann + */ @Slf4j -@Component("ReceiveResponseFromeIDASNodeTask") +@Component("ReceiveAuthnResponseTask") public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { + @SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection") @Autowired private IConfiguration basicConfig; + @Autowired private EidasAttributeRegistry attrRegistry; @Override public void execute(ExecutionContext executionContext, HttpServletRequest request, - HttpServletResponse response) throws TaskExecutionException { + HttpServletResponse response) throws TaskExecutionException { try { - final ILightResponse eidasResponse = (ILightResponse) request.getAttribute( - Constants.DATA_FULL_EIDAS_RESPONSE); - if (eidasResponse == null) { - log.warn("NO eIDAS response-message found."); - throw new EidasSAuthenticationException("eidas.01", null); - - } - - log.debug("Receive eIDAS response with RespId:" + eidasResponse.getId() + " for ReqId:" + eidasResponse - .getInResponseToId()); - log.trace("Full eIDAS-Resp: " + eidasResponse.toString()); - revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.RESPONSE_FROM_EIDAS_NODE, eidasResponse - .getId()); - - // check response StatusCode - if (!eidasResponse.getStatus().getStatusCode().equals(Constants.SUCCESS_URI)) { - log.info("Receice eIDAS Response with StatusCode:" + eidasResponse.getStatus().getStatusCode() - + " Subcode:" + eidasResponse.getStatus().getSubStatusCode() + " Msg:" + eidasResponse.getStatus() - .getStatusMessage()); - throw new EidasSAuthenticationException("eidas.02", new Object[] { eidasResponse.getStatus() - .getStatusCode(), eidasResponse.getStatus().getStatusMessage() }); - - } - - // extract all Attributes from response - - // ********************************************************** - // ******* MS-specificresponse validation ********** - // ********************************************************** - final String spCountry = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_COUNTRYCODE, - "AT"); - final String citizenCountryCode = (String) executionContext.get( - MsEidasNodeConstants.REQ_PARAM_SELECTED_COUNTRY); - EidasResponseValidator.validateResponse(pendingReq, eidasResponse, spCountry, citizenCountryCode, - attrRegistry); - - // ********************************************************** - // ******* Store resonse infos into session object ********** - // ********************************************************** - - // update MOA-Session data with received information - log.debug("Store eIDAS response information into pending-request."); - final EidAuthProcessDataWrapper authProcessData = pendingReq.getSessionData(EidAuthProcessDataWrapper.class); - authProcessData.setQaaLevel(eidasResponse.getLevelOfAssurance()); - authProcessData.setGenericDataToSession(Constants.DATA_FULL_EIDAS_RESPONSE, eidasResponse); - - - //inject set flag to inject - authProcessData.setTestIdentity( - basicConfig.getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_IS_TEST_IDENTITY, false)); - - // store MOA-session to database - requestStoreage.storePendingRequest(pendingReq); + final ILightResponse eidasResponse = extractEidasResponse(request); + checkStatusCode(eidasResponse); + validateMsSpecificResponse(executionContext, eidasResponse); + storeInSession(eidasResponse); revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.RESPONSE_FROM_EIDAS_NODE_VALID); - } catch (final EaafException e) { revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.RESPONSE_FROM_EIDAS_NODE_NOT_VALID); throw new TaskExecutionException(pendingReq, "eIDAS Response processing FAILED.", e); - } catch (final Exception e) { log.warn("eIDAS Response processing FAILED.", e); revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.RESPONSE_FROM_EIDAS_NODE_NOT_VALID); throw new TaskExecutionException(pendingReq, e.getMessage(), - new EidasSAuthenticationException("eidas.05", new Object[] { e.getMessage() }, e)); + new EidasSAuthenticationException("eidas.05", new Object[]{e.getMessage()}, e)); + } + } + @NotNull + private ILightResponse extractEidasResponse(HttpServletRequest request) throws EidasSAuthenticationException { + final ILightResponse eidasResponse = (ILightResponse) request.getAttribute(Constants.DATA_FULL_EIDAS_RESPONSE); + if (eidasResponse == null) { + log.warn("NO eIDAS response-message found."); + throw new EidasSAuthenticationException("eidas.01", null); } + log.debug("Receive eIDAS response with RespId: {} for ReqId: {}", + eidasResponse.getId(), eidasResponse.getInResponseToId()); + log.trace("Full eIDAS-Resp: {}", eidasResponse); + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.RESPONSE_FROM_EIDAS_NODE, eidasResponse.getId()); + return eidasResponse; + } + + private void checkStatusCode(ILightResponse eidasResponse) throws EidasSAuthenticationException { + if (!eidasResponse.getStatus().getStatusCode().equals(Constants.SUCCESS_URI)) { + log.info("Receive eIDAS Response with StatusCode: {} Subcode: {} Msg: {}", + eidasResponse.getStatus().getStatusCode(), + eidasResponse.getStatus().getSubStatusCode(), + eidasResponse.getStatus().getStatusMessage()); + throw new EidasSAuthenticationException("eidas.02", new Object[]{eidasResponse.getStatus() + .getStatusCode(), eidasResponse.getStatus().getStatusMessage()}); + } + } + + private void validateMsSpecificResponse(ExecutionContext executionContext, ILightResponse eidasResponse) + throws EidasValidationException { + final String spCountry = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_COUNTRYCODE, "AT"); + final String citizenCountryCode = (String) executionContext.get(MsEidasNodeConstants.REQ_PARAM_SELECTED_COUNTRY); + EidasResponseValidator.validateResponse(pendingReq, eidasResponse, spCountry, citizenCountryCode, attrRegistry); + } + private void storeInSession(ILightResponse eidasResponse) throws EaafException { + log.debug("Store eIDAS response information into pending-request."); + final EidAuthProcessDataWrapper authProcessData = pendingReq.getSessionData(EidAuthProcessDataWrapper.class); + authProcessData.setQaaLevel(eidasResponse.getLevelOfAssurance()); + + //inject set flag to inject + authProcessData.setTestIdentity( + basicConfig.getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_IS_TEST_IDENTITY, false)); + + + authProcessData.setGenericDataToSession(Constants.DATA_FULL_EIDAS_RESPONSE, eidasResponse); + requestStoreage.storePendingRequest(pendingReq); + } } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseTask.java new file mode 100644 index 00000000..3e57ea24 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseTask.java @@ -0,0 +1,372 @@ +/* + * Copyright 2021 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; + +import static at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants.CONTEXT_FLAG_ADVANCED_MATCHING_FAILED; +import static at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants.TRANSITION_TO_GENERATE_OTHER_LOGIN_METHOD_GUI_TASK; +import static at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants.MODULE_NAME_FOR_LOGGING; + +import java.io.IOException; +import java.util.List; +import java.util.Set; +import java.util.stream.Collectors; +import java.util.stream.Stream; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.xml.transform.TransformerException; + +import org.apache.commons.lang3.StringUtils; +import org.jetbrains.annotations.NotNull; +import org.opensaml.core.xml.io.MarshallingException; +import org.opensaml.messaging.decoder.MessageDecodingException; +import org.opensaml.saml.saml2.core.Response; +import org.opensaml.saml.saml2.core.StatusCode; +import org.opensaml.saml.saml2.metadata.IDPSSODescriptor; +import org.springframework.stereotype.Component; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.MatchedPersonResult; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.RegisterResult; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleMobileSignatureData; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.WorkflowException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthEventConstants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider.IdAustriaClientAuthCredentialProvider; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider.IdAustriaClientAuthMetadataProvider; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.RegisterSearchService; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.RegisterSearchService.RegisterStatusResults; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.MatchingTaskUtils; +import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.EaafBuilderException; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import at.gv.egiz.eaaf.modules.pvp2.api.binding.IDecoder; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; +import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding; +import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EaafUriCompare; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine; +import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionValidationExeption; +import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnResponseValidationException; +import at.gv.egiz.eaaf.modules.pvp2.sp.impl.utils.AssertionAttributeExtractor; +import lombok.extern.slf4j.Slf4j; + +/** + * Task that receives the SAML2 response from ID Austria system. + * This corresponds to Step 15 in the eIDAS Matching Concept. + * Input: + * <ul> + * <li>{@link Constants#DATA_SIMPLE_EIDAS} initial login data from user</li> + * <li>{@link Constants#DATA_INTERMEDIATE_RESULT} results from search in registers with personIdentifier</li> + * </ul> + * Output: + * <ul> + * <li>{@link Constants#DATA_PERSON_MATCH_RESULT} if one register result found</li> + * </ul> + * Transitions: + * <ul> + * <li>{@link GenerateAustrianResidenceGuiTask} if no results in registers were found</li> + * <li>{@link CreateIdentityLinkTask} if one exact match between initial register search (with MDS) data and + * register search with MPS data exists</li> + * <li>{@link GenerateOtherLoginMethodGuiTask} if a user input error has happened</li> + * </ul> + * + * @author tlenz + * @author ckollmann + */ +@Slf4j +@Component("ReceiveMobilePhoneSignatureResponseTask") +public class ReceiveMobilePhoneSignatureResponseTask extends AbstractAuthServletTask { + + private final SamlVerificationEngine samlVerificationEngine; + private final RegisterSearchService registerSearchService; + private final IdAustriaClientAuthCredentialProvider credentialProvider; + private final IdAustriaClientAuthMetadataProvider metadataProvider; + + private static final String ERROR_PVP_03 = "sp.pvp2.03"; + private static final String ERROR_PVP_05 = "sp.pvp2.05"; + private static final String ERROR_PVP_06 = "sp.pvp2.06"; + private static final String ERROR_PVP_08 = "sp.pvp2.08"; + private static final String ERROR_PVP_10 = "sp.pvp2.10"; + private static final String ERROR_PVP_11 = "sp.pvp2.11"; + private static final String ERROR_PVP_12 = "sp.pvp2.12"; + + private static final String ERROR_MSG_00 = "Receive INVALID PVP Response from ID Austria system"; + private static final String ERROR_MSG_01 = "Processing PVP response from 'ID Austria system' FAILED."; + private static final String ERROR_MSG_02 = "PVP response decryption FAILED. No credential found."; + private static final String ERROR_MSG_03 = "PVP response validation FAILED."; + + /** + * Creates the new task, with autowired dependencies from Spring. + */ + @SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection") + public ReceiveMobilePhoneSignatureResponseTask(SamlVerificationEngine samlVerificationEngine, + RegisterSearchService registerSearchService, + IdAustriaClientAuthCredentialProvider credentialProvider, + IdAustriaClientAuthMetadataProvider metadataProvider) { + this.samlVerificationEngine = samlVerificationEngine; + this.registerSearchService = registerSearchService; + this.credentialProvider = credentialProvider; + this.metadataProvider = metadataProvider; + } + + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + try { + log.trace("Starting ReceiveMobilePhoneSignatureResponseTask"); + IDecoder decoder = loadDecoder(request); + EaafUriCompare comparator = loadComparator(request); + InboundMessage inboundMessage = decodeAndVerifyMessage(request, response, decoder, comparator); + Pair<PvpSProfileResponse, Boolean> processedMsg = validateAssertion((PvpSProfileResponse) inboundMessage); + if (processedMsg.getSecond()) { + // forward to next matching step in case of ID Autria authentication was stopped by user + executionContext.put(Constants.TRANSITION_TO_GENERATE_GUI_QUERY_AUSTRIAN_RESIDENCE_TASK, true); + return; + + } + + // validate SAML2 response + validateEntityId(inboundMessage); + log.info("Receive a valid assertion from IDP " + inboundMessage.getEntityID()); + + // load already existing information from session + SimpleEidasData eidasData = MatchingTaskUtils.getInitialEidasData(pendingReq); + RegisterStatusResults initialSearchResult = MatchingTaskUtils.getIntermediateMatchingResult(pendingReq); + + // extract user information from ID Austria authentication + AssertionAttributeExtractor extractor = new AssertionAttributeExtractor(processedMsg.getFirst().getResponse()); + SimpleMobileSignatureData simpleMobileSignatureData = getAuthDataFromInterfederation(extractor); + + // check if MDS from ID Austria authentication matchs to eIDAS authentication + if (!simpleMobileSignatureData.equalsSimpleEidasData(eidasData)) { + executionContext.put(CONTEXT_FLAG_ADVANCED_MATCHING_FAILED, true); + executionContext.put(TRANSITION_TO_GENERATE_OTHER_LOGIN_METHOD_GUI_TASK, true); + return; + + } + + // search entry in initial search result from steps before and build new RegisterSearchResult + RegisterStatusResults registerResult = new RegisterStatusResults(initialSearchResult.getOperationStatus(), + extractEntriesByBpk(initialSearchResult.getResultsZmr().stream(), simpleMobileSignatureData.getBpk()), + extractEntriesByBpk(initialSearchResult.getResultsErnp().stream(), simpleMobileSignatureData.getBpk())); + + if (registerResult.getResultCount() != 1) { + throw new WorkflowException("matchWithIDAustriaAuthentication", + "Suspect state detected. MDS matches to eIDAS authentication " + + "but register search-result with MDS contains #" + registerResult.getResultCount() + + " entry with bPK from ID Austria authentication", false); + + } else { + // perform kit operation + registerSearchService.step7aKittProcess(registerResult, eidasData); + + // store search result to re-used in CreateIdentityLink step, because there we need bPK and MDS + MatchingTaskUtils.storeFinalMatchingResult(pendingReq, + MatchedPersonResult.generateFormMatchingResult(registerResult.getResult(), + eidasData.getCitizenCountryCode())); + + } + + } catch (final AuthnResponseValidationException e) { + throw new TaskExecutionException(pendingReq, ERROR_MSG_03, e); + + } catch (MessageDecodingException | SecurityException | SamlSigningException e) { + //final String samlRequest = request.getParameter("SAMLRequest"); + //log.debug("Receive INVALID PVP Response from 'ms-specific eIDAS node': {}", + // samlRequest, null, e); + throw new TaskExecutionException(pendingReq, ERROR_MSG_00, + new AuthnResponseValidationException(ERROR_PVP_11, new Object[]{MODULE_NAME_FOR_LOGGING}, e)); + + } catch (IOException | MarshallingException | TransformerException e) { + log.debug("Processing PVP response from 'ms-specific eIDAS node' FAILED.", e); + throw new TaskExecutionException(pendingReq, ERROR_MSG_01, + new AuthnResponseValidationException(ERROR_PVP_12, new Object[]{MODULE_NAME_FOR_LOGGING, e.getMessage()}, e)); + + } catch (final CredentialsNotAvailableException e) { + log.debug("PVP response decryption FAILED. No credential found.", e); + throw new TaskExecutionException(pendingReq, ERROR_MSG_02, + new AuthnResponseValidationException(ERROR_PVP_10, new Object[]{MODULE_NAME_FOR_LOGGING}, e)); + + } catch (final Exception e) { + // todo catch ManualFixNecessaryException in any other way? + log.debug("PVP response validation FAILED. Msg:" + e.getMessage(), e); + throw new TaskExecutionException(pendingReq, ERROR_MSG_03, + new AuthnResponseValidationException(ERROR_PVP_12, new Object[]{MODULE_NAME_FOR_LOGGING, e.getMessage()}, e)); + + } + } + + private List<RegisterResult> extractEntriesByBpk(Stream<RegisterResult> stream, String bpk) { + return stream.filter(el -> bpk.equals(el.getBpk())).collect(Collectors.toList()); + + } + + @NotNull + private InboundMessage decodeAndVerifyMessage(HttpServletRequest request, HttpServletResponse response, + IDecoder decoder, EaafUriCompare comparator) throws Exception { + InboundMessage inboundMessage = (InboundMessage) decoder.decode(request, response, metadataProvider, + IDPSSODescriptor.DEFAULT_ELEMENT_NAME, comparator); + if (!inboundMessage.isVerified()) { + samlVerificationEngine.verify(inboundMessage, TrustEngineFactory.getSignatureKnownKeysTrustEngine( + metadataProvider)); + inboundMessage.setVerified(true); + } + return inboundMessage; + } + + private void validateEntityId(InboundMessage inboundMessage) throws AuthnResponseValidationException { + final String msNodeEntityID = authConfig + .getBasicConfiguration(IdAustriaClientAuthConstants.CONFIG_PROPS_ID_AUSTRIA_ENTITYID); + final String respEntityId = inboundMessage.getEntityID(); + if (!msNodeEntityID.equals(respEntityId)) { + log.warn("Response Issuer is not from valid 'ID Austria IDP'. Stopping ID Austria authentication ..."); + throw new AuthnResponseValidationException(ERROR_PVP_08, + new Object[]{MODULE_NAME_FOR_LOGGING, + inboundMessage.getEntityID()}); + } + } + + @NotNull + private EaafUriCompare loadComparator(HttpServletRequest request) throws AuthnResponseValidationException { + if (request.getMethod().equalsIgnoreCase("POST")) { + log.trace("Receive PVP Response from 'ID Austria system', by using POST-Binding."); + return new EaafUriCompare(pendingReq.getAuthUrl() + IdAustriaClientAuthConstants.ENDPOINT_POST); + } else if (request.getMethod().equalsIgnoreCase("GET")) { + log.trace("Receive PVP Response from 'ID Austria system', by using Redirect-Binding."); + return new EaafUriCompare(pendingReq.getAuthUrl() + IdAustriaClientAuthConstants.ENDPOINT_REDIRECT); + } else { + log.warn("Receive PVP Response from 'ID Austria system', but Binding {} is not supported.", request.getMethod()); + throw new AuthnResponseValidationException(ERROR_PVP_03, new Object[]{MODULE_NAME_FOR_LOGGING}); + } + } + + @NotNull + private IDecoder loadDecoder(HttpServletRequest request) throws AuthnResponseValidationException { + if (request.getMethod().equalsIgnoreCase("POST")) { + log.trace("Receive PVP Response from 'ID Austria system', by using POST-Binding."); + return new PostBinding(); + } else if (request.getMethod().equalsIgnoreCase("GET")) { + log.trace("Receive PVP Response from 'ID Austria system', by using Redirect-Binding."); + return new RedirectBinding(); + } else { + log.warn("Receive PVP Response from 'ID Austria system', but Binding {} is not supported.", request.getMethod()); + throw new AuthnResponseValidationException(ERROR_PVP_03, new Object[]{MODULE_NAME_FOR_LOGGING}); + } + } + + private Pair<PvpSProfileResponse, Boolean> validateAssertion(PvpSProfileResponse msg) + throws IOException, MarshallingException, TransformerException, + CredentialsNotAvailableException, AuthnResponseValidationException, SamlAssertionValidationExeption { + log.debug("Start PVP21 assertion processing... "); + final Response response = (Response) msg.getResponse(); + if (response.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS)) { + samlVerificationEngine.validateAssertion(response, + credentialProvider.getMessageEncryptionCredential(), + pendingReq.getAuthUrl() + IdAustriaClientAuthConstants.ENDPOINT_METADATA, + MODULE_NAME_FOR_LOGGING); + msg.setSamlMessage(Saml2Utils.asDomDocument(response).getDocumentElement()); + revisionsLogger.logEvent(pendingReq, + IdAustriaClientAuthEventConstants.AUTHPROCESS_ID_AUSTRIA_RESPONSE_RECEIVED, + response.getID()); + return Pair.newInstance(msg, false); + } else { + log.info("Receive StatusCode {} from 'ms-specific eIDAS node'.", response.getStatus().getStatusCode().getValue()); + StatusCode subStatusCode = getSubStatusCode(response); + if (subStatusCode != null + && IdAustriaClientAuthConstants.SAML2_STATUSCODE_USERSTOP.equals(subStatusCode.getValue())) { + log.info("Find 'User-Stop operation' in SAML2 response. Stopping authentication process ... "); + return Pair.newInstance(msg, true); + } + + revisionsLogger.logEvent(pendingReq, + IdAustriaClientAuthEventConstants.AUTHPROCESS_ID_AUSTRIA_RESPONSE_RECEIVED_ERROR); + throw new AuthnResponseValidationException(ERROR_PVP_05, + new Object[]{MODULE_NAME_FOR_LOGGING, + response.getIssuer().getValue(), + response.getStatus().getStatusCode().getValue(), + response.getStatus().getStatusMessage().getValue()}); + } + } + + /** + * Get SAML2 Sub-StatusCode if not <code>null</code>. + * + * @param samlResp SAML2 response + * @return Sub-StatusCode or <code>null</code> if it's not set + */ + private StatusCode getSubStatusCode(Response samlResp) { + if (samlResp.getStatus().getStatusCode().getStatusCode() != null + && StringUtils.isNotEmpty(samlResp.getStatus().getStatusCode().getStatusCode().getValue())) { + return samlResp.getStatus().getStatusCode().getStatusCode(); + } + return null; + } + + private SimpleMobileSignatureData getAuthDataFromInterfederation(AssertionAttributeExtractor extractor) + throws EaafBuilderException { + List<String> requiredAttributes = IdAustriaClientAuthConstants.DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES; + SimpleMobileSignatureData.SimpleMobileSignatureDataBuilder builder = SimpleMobileSignatureData.builder(); + if (!extractor.containsAllRequiredAttributes(requiredAttributes)) { + log.warn("PVP Response from 'ID Austria node' contains not all requested attributes."); + AssertionValidationExeption e = new AssertionValidationExeption(ERROR_PVP_06, + new Object[]{MODULE_NAME_FOR_LOGGING}); + throw new EaafBuilderException(ERROR_PVP_06, null, e.getMessage(), e); + } + final Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames(); + for (final String attrName : includedAttrNames) { + if (PvpAttributeDefinitions.BPK_NAME.equals(attrName)) { + builder.bpk(extractor.getSingleAttributeValue(attrName)); + } + if (PvpAttributeDefinitions.GIVEN_NAME_NAME.equals(attrName)) { + builder.givenName(extractor.getSingleAttributeValue(attrName)); + } + if (PvpAttributeDefinitions.PRINCIPAL_NAME_NAME.equals(attrName)) { + builder.familyName(extractor.getSingleAttributeValue(attrName)); + } + if (PvpAttributeDefinitions.BIRTHDATE_NAME.equals(attrName)) { + builder.dateOfBirth(extractor.getSingleAttributeValue(attrName)); + } + if (PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME.equals(attrName)) { + MatchingTaskUtils.getAuthProcessDataWrapper(pendingReq).setQaaLevel( + extractor.getSingleAttributeValue(attrName)); + } + } + MatchingTaskUtils.getAuthProcessDataWrapper(pendingReq).setIssueInstant(extractor.getAssertionIssuingDate()); + return builder.build(); + + } + + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveOtherLoginMethodGuiResponseTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveOtherLoginMethodGuiResponseTask.java new file mode 100644 index 00000000..f4419c1c --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveOtherLoginMethodGuiResponseTask.java @@ -0,0 +1,113 @@ +/* + * Copyright 2021 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SelectedLoginMethod; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.impl.idp.controller.tasks.AbstractLocaleAuthServletTask; +import lombok.extern.slf4j.Slf4j; +import org.apache.commons.lang.StringEscapeUtils; +import org.springframework.stereotype.Component; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.util.Enumeration; + +/** + * Handles user's selection from {@link GenerateOtherLoginMethodGuiTask}. + * This corresponds to Steps 10, 14, 16 in the eIDAS Matching Concept. + * Input: + * <ul> + * <li>{@link Constants#DATA_SIMPLE_EIDAS} initial login data from user</li> + * <li>{@link Constants#DATA_INTERMEDIATE_RESULT} results from search in registers with personIdentifier</li> + * </ul> + * Transitions: + * <ul> + * <li>{@link GenerateMobilePhoneSignatureRequestTask} if selected by user</li> + * <li>{@link GenerateAustrianResidenceGuiTask} if selected by user</li> + * <li>{@link GenerateAuthnRequestTask} if selected by user</li> + * <li>{@link GenerateOtherLoginMethodGuiTask} if a user input error has happened</li> + * </ul> + * + * @author amarsalek + * @author ckollmann + */ +@Slf4j +@Component("ReceiveOtherLoginMethodGuiResponseTask") +public class ReceiveOtherLoginMethodGuiResponseTask extends AbstractLocaleAuthServletTask { + + @Override + public void executeWithLocale(ExecutionContext executionContext, HttpServletRequest request, + HttpServletResponse response) { + try { + SelectedLoginMethod selection = SelectedLoginMethod.valueOf(extractUserSelection(request)); + executionContext.put(Constants.REQ_SELECTED_LOGIN_METHOD_PARAMETER, selection); + executionContext.remove(Constants.CONTEXT_FLAG_ADVANCED_MATCHING_FAILED); + transitionToNextTask(executionContext, selection); + + } catch (final Exception e) { + log.error("Parsing selected login method FAILED.", e); + executionContext.put(Constants.CONTEXT_FLAG_ADVANCED_MATCHING_FAILED, true); + executionContext.put(Constants.TRANSITION_TO_GENERATE_OTHER_LOGIN_METHOD_GUI_TASK, true); + } + } + + private String extractUserSelection(HttpServletRequest request) { + Enumeration<String> paramNames = request.getParameterNames(); + while (paramNames.hasMoreElements()) { + String paramName = paramNames.nextElement(); + if (Constants.REQ_SELECTED_LOGIN_METHOD_PARAMETER.equalsIgnoreCase(paramName)) { + return StringEscapeUtils.escapeHtml(request.getParameter(paramName)); + } + } + return null; + } + + private void transitionToNextTask(ExecutionContext executionContext, SelectedLoginMethod selection) { + switch (selection) { + case EIDAS_LOGIN: + executionContext.put(Constants.TRANSITION_TO_GENERATE_EIDAS_LOGIN, true); + return; + + case MOBILE_PHONE_SIGNATURE_LOGIN: + executionContext.put(Constants.TRANSITION_TO_GENERATE_MOBILE_PHONE_SIGNATURE_REQUEST_TASK, true); + return; + + case NO_OTHER_LOGIN: + executionContext.put(Constants.TRANSITION_TO_GENERATE_GUI_QUERY_AUSTRIAN_RESIDENCE_TASK, true); + return; + + case ADD_ME_AS_NEW: + executionContext.put(Constants.TRANSITION_TO_CREATE_NEW_ERNP_ENTRY_TASK, true); + return; + + default: + executionContext.put(Constants.CONTEXT_FLAG_ADVANCED_MATCHING_FAILED, true); + executionContext.put(Constants.TRANSITION_TO_GENERATE_OTHER_LOGIN_METHOD_GUI_TASK, true); + return; + } + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/utils/EidasResponseUtils.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/utils/EidasResponseUtils.java index c8c5a069..6b541135 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/utils/EidasResponseUtils.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/utils/EidasResponseUtils.java @@ -19,10 +19,12 @@ * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. -*/ + */ package at.asitplus.eidas.specific.modules.auth.eidas.v2.utils; +import java.text.ParseException; +import java.text.SimpleDateFormat; import java.util.ArrayList; import java.util.List; import java.util.regex.Matcher; @@ -39,6 +41,8 @@ import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableSet; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasAttributeException; +import at.gv.e_government.reference.namespace.persondata._20020228.PostalAddressType; import at.gv.egiz.eaaf.core.impl.data.Triple; import eu.eidas.auth.commons.attribute.AttributeDefinition; import eu.eidas.auth.commons.attribute.AttributeValue; @@ -49,13 +53,12 @@ import eu.eidas.auth.commons.protocol.eidas.impl.PostalAddress; public class EidasResponseUtils { private static final Logger log = LoggerFactory.getLogger(EidasResponseUtils.class); - public static final String PERSONALIDENIFIER_VALIDATION_PATTERN = "^[A-Z,a-z]{2}/[A-Z,a-z]{2}/.*"; /** * Validate a eIDAS PersonalIdentifier attribute value This validation is done * according to eIDAS SAML Attribute Profile - Section 2.2.3 Unique Identifier - * + * * @param uniqueID eIDAS attribute value of a unique identifier * @return true if the uniqueID matches to eIDAS to Unique Identifier * specification, otherwise false @@ -71,9 +74,9 @@ public class EidasResponseUtils { * Parse an eIDAS PersonalIdentifier attribute value into it components. This * processing is done according to eIDAS SAML Attribute Profile - Section 2.2.3 * Unique Identifier - * + * * @param uniqueID eIDAS attribute value of a unique identifier - * @return {@link Trible} that contains: <br> + * @return {@link Triple} that contains: <br> * First : citizen country <br> * Second: destination country <br> * Third : unique identifier <br> @@ -81,37 +84,40 @@ public class EidasResponseUtils { */ public static Triple<String, String, String> parseEidasPersonalIdentifier(String uniqueID) { if (!validateEidasPersonalIdentifier(uniqueID)) { - log.error("eIDAS attribute value for {} looks wrong formated. Value: {}", + log.error("eIDAS attribute value for {} looks wrong formated. Value: {}", Constants.eIDAS_ATTR_PERSONALIDENTIFIER, uniqueID); return null; } return Triple.newInstance(uniqueID.substring(0, 2), uniqueID.substring(3, 5), uniqueID.substring(6)); - } /** - * Get eIDAS attribute-values from eIDAS Node attributes. - * + * Get eIDAS attribute-values from eIDAS Node attributes. + * * @param attributeDefinition eIDAS attribute definition - * @param attributeValues Attributes from eIDAS response - * @return Set of attribute values. If more then one value than the first value contains the 'Latin' value. + * @param attributeValues Attributes from eIDAS response + * @return Set of attribute values. If more then one value than the first value + * contains the 'Latin' value. */ // TODO: check possible problem with nonLatinCharacters public static List<String> translateStringListAttribute(AttributeDefinition<?> attributeDefinition, - ImmutableSet<? extends AttributeValue<?>> attributeValues) { + @Nullable ImmutableSet<? extends AttributeValue<?>> attributeValues) { final List<String> stringListAttribute = new ArrayList<>(); - if (attributeValues != null) { - final AttributeValueMarshaller<?> attributeValueMarshaller = attributeDefinition - .getAttributeValueMarshaller(); - for (final AttributeValue<?> attributeValue : attributeValues.asList()) { + if (attributeValues == null) { + log.info("Can not extract infos from 'null' attribute value"); + + } else { + final AttributeValueMarshaller<?> attributeValueMarshaller = + attributeDefinition.getAttributeValueMarshaller(); + for (final AttributeValue<?> attributeValue : attributeValues) { String valueString = null; try { valueString = attributeValueMarshaller.marshal((AttributeValue) attributeValue); log.trace("Find attr: {} with value: {} nonLatinFlag: {} needTransliteration: {}", attributeDefinition.getFriendlyName(), attributeValue.toString(), - attributeValue.isNonLatinScriptAlternateVersion(), + attributeValue.isNonLatinScriptAlternateVersion(), AttributeValueTransliterator.needsTransliteration(valueString)); // if (attributeValue.isNonLatinScriptAlternateVersion()) { @@ -122,36 +128,47 @@ public class EidasResponseUtils { log.trace("Find 'needsTransliteration' flag. Setting this value at last list element ... "); stringListAttribute.add(valueString); - } + log.trace("Find attr: {} with value: {} nonLatinFlag: {} needTransliteration: {}", + attributeDefinition.getFriendlyName(), attributeValue.toString(), + attributeValue.isNonLatinScriptAlternateVersion(), + AttributeValueTransliterator.needsTransliteration(valueString)); + // if (attributeValue.isNonLatinScriptAlternateVersion()) { + if (!AttributeValueTransliterator.needsTransliteration(valueString)) { + stringListAttribute.add(0, valueString); + + } else { + log.trace("Find 'needsTransliteration' flag. Setting this value at last list element ... "); + stringListAttribute.add(valueString); + + } + } } catch (final AttributeValueMarshallingException e) { throw new IllegalStateException(e); } - } - log.trace("Extract values: {} for attr: {}", + } + log.trace("Extract values: {} for attr: {}", StringUtils.join(stringListAttribute, ","), attributeDefinition.getFriendlyName()); - - } else { - log.info("Can not extract infos from 'null' attribute value"); - + } return stringListAttribute; } + /** - * Convert eIDAS DateTime attribute to Java Object. - * + * Convert eIDAS DateTime attribute to Java Object. + * * @param attributeDefinition eIDAS attribute definition. - * @param attributeValues eIDAS attribute value + * @param attributeValues eIDAS attribute value * @return */ @Nullable public static DateTime translateDateAttribute(AttributeDefinition<?> attributeDefinition, - ImmutableList<? extends AttributeValue<?>> attributeValues) { + ImmutableList<? extends AttributeValue<?>> attributeValues) { if (attributeValues.size() != 0) { final AttributeValue<?> firstAttributeValue = attributeValues.get(0); return (DateTime) firstAttributeValue.getValue(); @@ -163,17 +180,216 @@ public class EidasResponseUtils { /** * Concert eIDAS Address attribute to Java object. - * + * * @param attributeDefinition eIDAS attribute definition - * @param attributeValues eIDAS attribute value + * @param attributeValues eIDAS attribute value * @return */ @Nullable public static PostalAddress translateAddressAttribute(AttributeDefinition<?> attributeDefinition, - ImmutableList<? extends AttributeValue<?>> attributeValues) { + ImmutableList<? extends AttributeValue<?>> attributeValues) { final AttributeValue<?> firstAttributeValue = attributeValues.get(0); return (PostalAddress) firstAttributeValue.getValue(); + } + + /** + * Post-Process the eIDAS CurrentAddress attribute. + * + * @param currentAddressObj eIDAS current address information + * @return current address or null if no attribute is available + * @throws EidasAttributeException if eIDAS attribute is of a wrong type + */ + public static PostalAddressType processAddress(Object currentAddressObj) throws EidasAttributeException { + if (currentAddressObj != null) { + if (currentAddressObj instanceof PostalAddress) { + final PostalAddressType result = new PostalAddressType(); + result.setPostalCode(((PostalAddress) currentAddressObj).getPostCode()); + result.setMunicipality(((PostalAddress) currentAddressObj).getPostName()); + // TODO: add more mappings + return result; + } else { + log.warn("eIDAS attr: " + Constants.eIDAS_ATTR_CURRENTADDRESS + " is of WRONG type"); + throw new EidasAttributeException(Constants.eIDAS_ATTR_CURRENTADDRESS); + } + } else { + log.debug("NO '" + Constants.eIDAS_ATTR_CURRENTADDRESS + "' attribute. Post-Processing skipped ... "); + } + return null; + } + /** + * Post-Process the eIDAS BirthName attribute. + * + * @param birthNameObj eIDAS birthname information + * @return birthName or null if no attribute is available + * @throws EidasAttributeException if eIDAS attribute is of a wrong type + */ + public static String processBirthName(Object birthNameObj) throws EidasAttributeException { + if (birthNameObj != null) { + if (birthNameObj instanceof String) { + return (String) birthNameObj; + } else { + log.warn("eIDAS attr: " + Constants.eIDAS_ATTR_BIRTHNAME + " is of WRONG type"); + throw new EidasAttributeException(Constants.eIDAS_ATTR_BIRTHNAME); + } + } else { + log.debug("NO '" + Constants.eIDAS_ATTR_BIRTHNAME + "' attribute. Post-Processing skipped ... "); + } + return null; } -} + /** + * Post-Process the eIDAS PlaceOfBirth attribute. + * + * @param placeOfBirthObj eIDAS Place-of-Birth information + * @return place of Birth or null if no attribute is available + * @throws EidasAttributeException if eIDAS attribute is of a wrong type + */ + public static String processPlaceOfBirth(Object placeOfBirthObj) throws EidasAttributeException { + if (placeOfBirthObj != null) { + if (placeOfBirthObj instanceof String) { + return (String) placeOfBirthObj; + + } else { + log.warn("eIDAS attr: " + Constants.eIDAS_ATTR_PLACEOFBIRTH + " is of WRONG type"); + throw new EidasAttributeException(Constants.eIDAS_ATTR_PLACEOFBIRTH); + + } + + } else { + log.debug("NO '" + Constants.eIDAS_ATTR_PLACEOFBIRTH + "' attribute. Post-Processing skipped ... "); + } + return null; + } + + /** + * Post-Process the eIDAS DateOfBirth attribute. + * + * @param dateOfBirthObj eIDAS date-of-birth attribute information + * @return formated user's date-of-birth + * @throws EidasAttributeException if NO attribute is available + */ + public static DateTime processDateOfBirth(Object dateOfBirthObj) throws EidasAttributeException { + if (!(dateOfBirthObj instanceof DateTime)) { + throw new EidasAttributeException(Constants.eIDAS_ATTR_DATEOFBIRTH); + } + return (DateTime) dateOfBirthObj; + } + + /** + * Post-Process the eIDAS DateOfBirth attribute to a string. + * + * @param dateOfBirthObj eIDAS date-of-birth attribute information + * @return formated user's date-of-birth as string + * @throws EidasAttributeException if NO attribute is available + */ + public static String processDateOfBirthToString(Object dateOfBirthObj) throws EidasAttributeException { + if (dateOfBirthObj instanceof String) { + try { + new SimpleDateFormat("yyyy-MM-dd").parse((String) dateOfBirthObj); + return (String) dateOfBirthObj; + } catch (ParseException e) { + throw new EidasAttributeException(Constants.eIDAS_ATTR_DATEOFBIRTH); + } + } + if (!(dateOfBirthObj instanceof DateTime)) { + throw new EidasAttributeException(Constants.eIDAS_ATTR_DATEOFBIRTH); + } + return new SimpleDateFormat("yyyy-MM-dd").format(((DateTime) dateOfBirthObj).toDate()); + } + + /** + * Post-Process the eIDAS GivenName attribute. + * + * @param givenNameObj eIDAS givenName attribute information + * @return formated user's givenname + * @throws EidasAttributeException if NO attribute is available + */ + public static String processGivenName(Object givenNameObj) throws EidasAttributeException { + if (!(givenNameObj instanceof String)) { + throw new EidasAttributeException(Constants.eIDAS_ATTR_CURRENTGIVENNAME); + } + return (String) givenNameObj; + } + + /** + * Post-Process the eIDAS FamilyName attribute. + * + * @param familyNameObj eIDAS familyName attribute information + * @return formated user's familyname + * @throws EidasAttributeException if NO attribute is available + */ + public static String processFamilyName(Object familyNameObj) throws EidasAttributeException { + if (!(familyNameObj instanceof String)) { + throw new EidasAttributeException(Constants.eIDAS_ATTR_CURRENTFAMILYNAME); + } + return (String) familyNameObj; + } + + /** + * Post-Process the eIDAS personal identifier attribute. + * + * @param personalIdentifierObj eIDAS personal identifier attribute-information + * @return formated user's full personal identifier + * @throws EidasAttributeException if NO attribute is available + */ + public static String processPersonalIdentifier(Object personalIdentifierObj) throws EidasAttributeException { + if (!(personalIdentifierObj instanceof String)) { + throw new EidasAttributeException(Constants.eIDAS_ATTR_PERSONALIDENTIFIER); + } + return (String) personalIdentifierObj; + } + + + /** + * Post-Process the eIDAS pseudonym to ERnB unique identifier. + * + * @param personalIdObj eIDAS PersonalIdentifierAttribute + * @return Unique personal identifier without country-code information + * @throws EidasAttributeException if NO attribute is available + */ + public static String processPseudonym(Object personalIdObj) throws EidasAttributeException { + if (!(personalIdObj instanceof String)) { + throw new EidasAttributeException(Constants.eIDAS_ATTR_PERSONALIDENTIFIER); + } + final Triple<String, String, String> eIdentifier = + EidasResponseUtils.parseEidasPersonalIdentifier((String) personalIdObj); + if (eIdentifier == null || eIdentifier.getThird() == null) { + throw new EidasAttributeException("Error processing eIdentifier"); + } + return eIdentifier.getThird(); + } + + /** + * Post-Process the eIDAS pseudonym to citizen country code. + * + * @param personalIdObj eIDAS PersonalIdentifierAttribute + * @return Citizen Country Code + * @throws EidasAttributeException if NO attribute is available + */ + public static String processCountryCode(Object personalIdObj) throws EidasAttributeException { + if (!(personalIdObj instanceof String)) { + throw new EidasAttributeException(Constants.eIDAS_ATTR_PERSONALIDENTIFIER); + } + final Triple<String, String, String> eIdentifier = + EidasResponseUtils.parseEidasPersonalIdentifier((String) personalIdObj); + if (eIdentifier == null || eIdentifier.getFirst() == null) { + throw new EidasAttributeException("Error processing eIdentifier"); + } + return eIdentifier.getFirst(); + } + + /** + * Post-Process the eIDAS TaxReference attribute. + * + * @param taxReferenceObj eIDAS TaxReference attribute information + * @return formated user's TaxReference + * @throws EidasAttributeException if NO attribute is available + */ + public static String processTaxReference(Object taxReferenceObj) throws EidasAttributeException { + if (!(taxReferenceObj instanceof String)) { + throw new EidasAttributeException(Constants.eIDAS_ATTR_TAXREFERENCE); + } + return (String) taxReferenceObj; + } +}
\ No newline at end of file diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/utils/LoggingHandler.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/utils/LoggingHandler.java index 70290cd3..10acf3ad 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/utils/LoggingHandler.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/utils/LoggingHandler.java @@ -41,17 +41,23 @@ public class LoggingHandler implements SOAPHandler<SOAPMessageContext> { @Override public boolean handleMessage(SOAPMessageContext context) { - final SOAPMessage msg = context.getMessage(); - final ByteArrayOutputStream bos = new ByteArrayOutputStream(); + // only perform operations if logging is on trace level + if (log.isTraceEnabled()) { + final SOAPMessage msg = context.getMessage(); + final ByteArrayOutputStream bos = new ByteArrayOutputStream(); + final boolean request = ((Boolean) context + .get(SOAPMessageContext.MESSAGE_OUTBOUND_PROPERTY)).booleanValue(); + try { + msg.writeTo(bos); + log.trace("{} Web-Service with content: {}", + request ? "Requesting to" : "Response from", bos.toString("UTF-8")); - try { - msg.writeTo(bos); - log.trace(bos.toString("UTF-8")); - log.trace(new String(bos.toByteArray(), "UTF-8")); - - } catch (final Exception e) { - log.trace(e.getMessage(), e); + } catch (final Exception e) { + log.trace(e.getMessage(), e); + + } } + return true; } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/utils/MatchingTaskUtils.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/utils/MatchingTaskUtils.java new file mode 100644 index 00000000..ad641841 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/utils/MatchingTaskUtils.java @@ -0,0 +1,172 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.utils; + +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import javax.annotation.Nullable; + +import org.apache.commons.lang3.StringUtils; +import org.joda.time.DateTime; +import org.slf4j.Logger; +import org.springframework.lang.NonNull; + +import com.google.common.collect.ImmutableMap; +import com.google.common.collect.ImmutableSet; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.MatchedPersonResult; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.ICcSpecificEidProcessingService; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.RegisterSearchService.RegisterStatusResults; +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.exceptions.EaafStorageException; +import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper; +import eu.eidas.auth.commons.attribute.AttributeDefinition; +import eu.eidas.auth.commons.attribute.AttributeValue; +import eu.eidas.auth.commons.protocol.eidas.impl.PostalAddress; + +public class MatchingTaskUtils { + + /** + * Get eIDAS log-in information from session. + * + * @param pendingReq Current pendingRequest + * @return eIDAS infos or <code>null</code> if not exist + */ + @Nullable + public static SimpleEidasData getInitialEidasData(IRequest pendingReq) { + return getAuthProcessDataWrapper(pendingReq).getGenericDataFromSession( + Constants.DATA_SIMPLE_EIDAS, SimpleEidasData.class); + + } + + /** + * Set eIDAS log-in information to session. + * + * @param pendingReq Current pendingRequest + * @param eidasData infos from eIDAS Proxy-Service + * @throws EaafStorageException In case of data can not be add into session + */ + @Nullable + public static void storeInitialEidasData(IRequest pendingReq, SimpleEidasData eidasData) + throws EaafStorageException { + getAuthProcessDataWrapper(pendingReq).setGenericDataToSession(Constants.DATA_SIMPLE_EIDAS, eidasData); + + } + + /** + * Get intermediate matching result from session. + * + * @param pendingReq Current pendingRequest + * @return Intermediate matching result or <code>null</code> if not exist + */ + @Nullable + public static RegisterStatusResults getIntermediateMatchingResult(IRequest pendingReq) { + return getAuthProcessDataWrapper(pendingReq).getGenericDataFromSession(Constants.DATA_INTERMEDIATE_RESULT, + RegisterStatusResults.class); + + } + + /** + * Store intermediate matching result into session. + * + * @param pendingReq Current pendingRequest + * @param registerData Intermediate matching result information + * @throws EaafStorageException In case of data can not be add into session + */ + @Nullable + public static void storeIntermediateMatchingResult(IRequest pendingReq, RegisterStatusResults registerData) + throws EaafStorageException { + getAuthProcessDataWrapper(pendingReq).setGenericDataToSession( + Constants.DATA_INTERMEDIATE_RESULT, registerData); + + } + + /** + * Get intermediate matching result from session. + * + * @param pendingReq Current pendingRequest + * @return Intermediate matching result or <code>null</code> if not exist + */ + @Nullable + public static MatchedPersonResult getFinalMatchingResult(IRequest pendingReq) { + return getAuthProcessDataWrapper(pendingReq).getGenericDataFromSession(Constants.DATA_PERSON_MATCH_RESULT, + MatchedPersonResult.class); + + } + + /** + * Store intermediate matching result into session. + * + * @param pendingReq Current pendingRequest + * @param personInfos Person information after a successful match + * @throws EaafStorageException In case of data can not be add into session + */ + @Nullable + public static void storeFinalMatchingResult(IRequest pendingReq, MatchedPersonResult personInfos) + throws EaafStorageException { + getAuthProcessDataWrapper(pendingReq).setGenericDataToSession( + Constants.DATA_PERSON_MATCH_RESULT, personInfos); + + } + + /** + * Get holder for authentication information for the current process. + * + * @param pendingReq Current pendingRequest + * @return {@link AuthProcessDataWrapper} + */ + @NonNull + public static AuthProcessDataWrapper getAuthProcessDataWrapper(IRequest pendingReq) { + return pendingReq.getSessionData(AuthProcessDataWrapper.class); + + } + + /** + * Convert attributes from eIDAS Authn Response into a simple map, to be used from + * {@link ICcSpecificEidProcessingService#postProcess(Map)}. + */ + public static Map<String, Object> convertEidasAttrToSimpleMap( + ImmutableMap<AttributeDefinition<?>, ImmutableSet<? extends AttributeValue<?>>> attributeMap, Logger log) { + final Map<String, Object> result = new HashMap<>(); + for (final AttributeDefinition<?> el : attributeMap.keySet()) { + final Class<?> parameterizedType = el.getParameterizedType(); + if (DateTime.class.equals(parameterizedType)) { + final DateTime attribute = EidasResponseUtils.translateDateAttribute(el, attributeMap.get(el).asList()); + if (attribute != null) { + result.put(el.getFriendlyName(), attribute); + log.trace("Find attr '{}' with value: {}", el.getFriendlyName(), attribute); + } else { + log.info("Ignore empty 'DateTime' attribute"); + } + } else if (PostalAddress.class.equals(parameterizedType)) { + final PostalAddress addressAttribute = EidasResponseUtils + .translateAddressAttribute(el, attributeMap.get(el).asList()); + if (addressAttribute != null) { + result.put(el.getFriendlyName(), addressAttribute); + log.trace("Find attr '{}' with value: {}", el.getFriendlyName(), addressAttribute); + } else { + log.info("Ignore empty 'PostalAddress' attribute"); + } + } else { + final List<String> natPersonIdObj = EidasResponseUtils.translateStringListAttribute(el, attributeMap.get(el)); + final String stringAttr = natPersonIdObj.get(0); + if (StringUtils.isNotEmpty(stringAttr)) { + result.put(el.getFriendlyName(), stringAttr); + log.trace("Find attr '{}' with value: {}", el.getFriendlyName(), stringAttr); + } else { + log.info("Ignore empty 'String' attribute"); + } + } + } + log.debug("Receive #{} attributes with names: {}", result.size(), result.keySet()); + return result; + } + + private MatchingTaskUtils() { + //hide constructor in case of class contains only static methods + + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/utils/VersionHolder.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/utils/VersionHolder.java new file mode 100644 index 00000000..dbe88d33 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/utils/VersionHolder.java @@ -0,0 +1,40 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.utils; + +import java.util.Optional; + +import org.springframework.boot.autoconfigure.SpringBootApplication; +import org.springframework.context.ApplicationContext; + +/** + * SpringBoot based implementation of an application-version holder. + * + * @author tlenz + * + */ +public class VersionHolder { + + private final String version; + + /** + * Build up a holder that contains the current version of this application. + * + * @param context SprintBoot context + */ + public VersionHolder(ApplicationContext context) { + version = context.getBeansWithAnnotation(SpringBootApplication.class).entrySet().stream() + .findFirst() + .flatMap(es -> Optional.ofNullable(es.getValue().getClass().getPackage().getImplementationVersion())) + .orElse("unknown"); + + } + + /** + * Get version of this application. + * + * @return version + */ + public String getVersion() { + return version; + + } +} |