diff options
Diffstat (limited to 'eidas_modules/authmodule-eIDAS-v2/src/main')
10 files changed, 161 insertions, 278 deletions
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java index 83a2afa6..cdc17654 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java @@ -51,11 +51,11 @@ public class Constants { public static final String CONIG_PROPS_EIDAS_NODE_FORWARD_METHOD = CONIG_PROPS_EIDAS_NODE + ".forward.method"; public static final String CONIG_PROPS_EIDAS_NODE_ATTRIBUTES_REQUESTED_DEFAULT_ONLYNATURAL = - CONIG_PROPS_EIDAS_NODE + ".attributes.requested.onlynatural."; + CONIG_PROPS_EIDAS_NODE + ".attributes.requested.onlynatural"; public static final String CONIG_PROPS_EIDAS_NODE_ATTRIBUTES_REQUESTED_CC_SPECIFIC_ONLYNATURAL = - CONIG_PROPS_EIDAS_NODE + ".attributes.requested.{0}.onlynatural."; + CONIG_PROPS_EIDAS_NODE + ".attributes.requested.{0}.onlynatural"; public static final String CONIG_PROPS_EIDAS_NODE_ATTRIBUTES_REQUESTED_REPRESENTATION = - CONIG_PROPS_EIDAS_NODE + ".attributes.requested.representation."; + CONIG_PROPS_EIDAS_NODE + ".attributes.requested.representation"; public static final String CONIG_PROPS_EIDAS_NODE_WORKAROUND_ADD_ALWAYS_PROVIDERNAME = CONIG_PROPS_EIDAS_NODE + ".workarounds.addAlwaysProviderName"; public static final String CONIG_PROPS_EIDAS_NODE_WORKAROUND_USEREQUESTIDASTRANSACTIONIDENTIFIER = @@ -76,6 +76,8 @@ public class Constants { + ".debug.logfullmessages"; public static final String CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USEDUMMY = CONIG_PROPS_EIDAS_SZRCLIENT + ".debug.useDummySolution"; + public static final String CONIG_PROPS_EIDAS_SZRCLIENT_SET_MDS_TO_EIDASBIND = CONIG_PROPS_EIDAS_SZRCLIENT + + ".eidasbind.mds.inject"; public static final String CONIG_PROPS_EIDAS_SZRCLIENT_TIMEOUT_CONNECTION = CONIG_PROPS_EIDAS_SZRCLIENT + ".timeout.connection"; public static final String CONIG_PROPS_EIDAS_SZRCLIENT_TIMEOUT_RESPONSE = CONIG_PROPS_EIDAS_SZRCLIENT @@ -141,6 +143,9 @@ public class Constants { public static final String eIDAS_ATTR_LEGALPERSONIDENTIFIER = "LegalPersonIdentifier"; public static final String eIDAS_ATTR_LEGALNAME = "LegalName"; + public static final String eIDAS_REQ_PARAM_SECTOR_PUBLIC = "public"; + public static final String eIDAS_REQ_PARAM_SECTOR_PRIVATE = "private"; + public static final String POLICY_DEFAULT_ALLOWED_TARGETS = EaafConstants.URN_PREFIX_CDID.replaceAll("\\.", "\\\\.").replaceAll("\\+", "\\\\+") + ".*"; diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/EidasSignalServlet.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/EidasSignalServlet.java index e9302f6d..d3cac80c 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/EidasSignalServlet.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/EidasSignalServlet.java @@ -47,7 +47,7 @@ import eu.eidas.auth.commons.EidasParameterKeys; import eu.eidas.auth.commons.light.ILightResponse; import eu.eidas.specificcommunication.SpecificCommunicationDefinitionBeanNames; import eu.eidas.specificcommunication.exception.SpecificCommunicationException; -import eu.eidas.specificcommunication.protocol.impl.SpecificConnectorCommunicationServiceImpl; +import eu.eidas.specificcommunication.protocol.SpecificCommunicationService; /** * Controler implementation for eIDAS Node communication. @@ -108,8 +108,8 @@ public class EidasSignalServlet extends AbstractProcessEngineSignalController { } log.trace("Receive eIDAS-node token: " + tokenBase64 + " Starting transaction-restore process ... "); - final SpecificConnectorCommunicationServiceImpl specificConnectorCommunicationService = - (SpecificConnectorCommunicationServiceImpl) context.getBean( + final SpecificCommunicationService specificConnectorCommunicationService = + (SpecificCommunicationService) context.getBean( SpecificCommunicationDefinitionBeanNames.SPECIFIC_CONNECTOR_COMMUNICATION_SERVICE.toString()); final ILightResponse eidasResponse = specificConnectorCommunicationService.getAndRemoveResponse( tokenBase64, diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/EidasPersonalIdStoreDao.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/EidasPersonalIdStoreDao.java deleted file mode 100644 index c7acdb15..00000000 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/EidasPersonalIdStoreDao.java +++ /dev/null @@ -1,158 +0,0 @@ -/* - * Copyright 2018 A-SIT Plus GmbH - * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, - * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "License"); - * You may not use this work except in compliance with the License. - * You may obtain a copy of the License at: - * https://joinup.ec.europa.eu/news/understanding-eupl-v12 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - -package at.asitplus.eidas.specific.modules.auth.eidas.v2.dao; - -import java.util.ArrayList; -import java.util.Collections; -import java.util.Iterator; -import java.util.List; - -import at.gv.egiz.eaaf.core.impl.data.Pair; - -@Deprecated -public class EidasPersonalIdStoreDao { - public static final String NAME = "foreigneIDMap"; - - // Enum with all cols of this table - public enum Cols { - timestamp, transactionId, eidasId, eidasSourceCountry, eidasDestinationCountry, ernbId - } - - public enum T { - ID("INTEGER"), - BIGINT("VARCHAR(265)"), - URI("VARCHAR(256)"), - DATE("Long"), - TEXT("TEXT"), - Long("BIGINT"), - Int("INTEGER"), - BLOB("BLOB"), - CC("CHAR(2)"), - BOOL("INTEGER"); - - private final String type; - - T(String el) { - type = el; - } - - @Override - public String toString() { - return type; - } - } - - // define Cols of the table - public static final List<Pair<String, T>> TABLE_COLS; - - static { - final List<Pair<String, T>> cols = new ArrayList<>(); - cols.add(Pair.newInstance(Cols.timestamp.name(), T.DATE)); - cols.add(Pair.newInstance(Cols.transactionId.name(), T.TEXT)); - cols.add(Pair.newInstance(Cols.eidasId.name(), T.TEXT)); - cols.add(Pair.newInstance(Cols.eidasSourceCountry.name(), T.CC)); - cols.add(Pair.newInstance(Cols.eidasDestinationCountry.name(), T.CC)); - cols.add(Pair.newInstance(Cols.ernbId.name(), T.TEXT)); - - TABLE_COLS = Collections.unmodifiableList(cols); - - } - - public static final String CREATE = "CREATE TABLE " + NAME - + " (" + "id" + " " + T.ID.toString() - + " PRIMARY KEY AUTOINCREMENT, " + buildCreateTableQuery(TABLE_COLS) + ")"; - - public static final String INSERT = "INSERT INTO " + NAME - + "(" + buildInsertQueryKeys(TABLE_COLS) + ")" - + " VALUES (" + buildInsertQueryValues(TABLE_COLS) + ");"; - - public static final String SELECT_BY_ERNB_ID = "SELECT * FROM " + NAME - + " WHERE " + Cols.ernbId.name() + "=?;"; - - public static final String SELECT_BY_EIDAS_RAW_ID = "SELECT * FROM " + NAME - + " WHERE " + Cols.eidasId.name() + "=?" - + " and " + Cols.eidasSourceCountry.name() + "=?" + ";"; - - /** - * Build a part of a SQL query, which contains the cols of a table that should - * be created. - * - * @param cols List of DB col definitions {@link Pair} - * @return Part of a SQL query, which contains cols that should be created - */ - private static String buildCreateTableQuery(List<Pair<String, T>> cols) { - StringBuffer buf = new StringBuffer(); - for (final Pair<String, T> el : cols) { - buf.append(el.getFirst()); - buf.append(" "); - buf.append(el.getSecond()); - buf.append(","); - - } - String sql = buf.toString(); - return sql.substring(0, sql.length() - 1); - - } - - /** - * Build a part of a SQL query, which contains the cols keys of a table for - * insert operation. - * - * @param cols List of DB col definitions {@link Pair} - * @return Part of a SQL query, which contains cols that should be created - */ - protected static String buildInsertQueryKeys(List<Pair<String, T>> cols) { - - StringBuffer buf = new StringBuffer(); - for (final Pair<String, T> el : cols) { - buf.append(el.getFirst()); - buf.append(","); - - } - String sql = buf.toString(); - return sql.substring(0, sql.length() - 1); - } - - /** - * Build a part of a SQL query, which contains the cols values of a table for - * insert operation. - * - * @param cols List of DB col definitions {@link Pair} - * @return Part of a SQL query, which contains cols that should be created - */ - protected static String buildInsertQueryValues(List<Pair<String, T>> cols) { - - StringBuffer buf = new StringBuffer(); - Iterator<Pair<String, T>> it = cols.iterator(); - while (it.hasNext()) { - buf.append("?,"); - it.next(); - - } - - String sql = buf.toString(); - return sql.substring(0, sql.length() - 1); - } - -} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java index fe839c37..42dbfeac 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java @@ -32,6 +32,7 @@ import org.joda.time.DateTime; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.lang.NonNull; import com.google.common.collect.ImmutableSortedSet; @@ -43,10 +44,10 @@ import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRe import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.EidasResponseUtils; import at.gv.e_government.reference.namespace.persondata._20020228.PostalAddressType; import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.data.EaafConstants; import at.gv.egiz.eaaf.core.api.idp.IConfigurationWithSP; import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; import at.gv.egiz.eaaf.core.impl.data.Triple; -import edu.umd.cs.findbugs.annotations.NonNull; import eu.eidas.auth.commons.attribute.AttributeDefinition; import eu.eidas.auth.commons.attribute.ImmutableAttributeMap; import eu.eidas.auth.commons.light.impl.LightRequest.Builder; @@ -64,11 +65,13 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor { @Override public final void preProcess(IRequest pendingReq, Builder authnRequestBuilder) { + buildLevelOfAssurance(pendingReq.getServiceProviderConfiguration(), authnRequestBuilder); buildProviderNameAttribute(pendingReq, authnRequestBuilder); buildRequestedAttributes(authnRequestBuilder); } + @Override public final ErnbEidData postProcess(Map<String, Object> eidasAttrMap) throws EidPostProcessingException, EidasAttributeException { @@ -348,10 +351,36 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor { final String providerName = pendingReq.getRawData(Constants.DATA_PROVIDERNAME, String.class); if (StringUtils.isNotEmpty(providerName)) { authnRequestBuilder.providerName(providerName); + authnRequestBuilder.requesterId(providerName); + } } + } + + private void buildLevelOfAssurance(ISpConfiguration spConfig, Builder authnRequestBuilder) { + // TODO: set matching mode if eIDAS ref. impl. support this method + + // TODO: update if eIDAS ref. impl. supports exact matching for non-notified LoA + // schemes + String loa = EaafConstants.EIDAS_LOA_HIGH; + if (spConfig.getRequiredLoA() != null) { + if (spConfig.getRequiredLoA().isEmpty()) { + log.info("No eIDAS LoA requested. Use LoA HIGH as default"); + } else { + if (spConfig.getRequiredLoA().size() > 1) { + log.info( + "Currently only ONE requested LoA is supported for service provider. Use first one ... "); + } + + loa = spConfig.getRequiredLoA().get(0); + + } + } + log.debug("Request eIdAS node with LoA: " + loa); + authnRequestBuilder.levelOfAssurance(loa); + } } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/EidasAttributeRegistry.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/EidasAttributeRegistry.java index 98c4c2de..e73491ab 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/EidasAttributeRegistry.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/EidasAttributeRegistry.java @@ -35,13 +35,13 @@ import org.apache.commons.lang3.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.lang.NonNull; import org.springframework.stereotype.Service; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; import at.gv.egiz.eaaf.core.api.idp.IConfigurationWithSP; import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils; -import edu.umd.cs.findbugs.annotations.NonNull; import eu.eidas.auth.commons.attribute.AttributeRegistries; import eu.eidas.auth.commons.attribute.AttributeRegistry; diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java index 6de5dae9..1f5837d6 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java @@ -78,8 +78,10 @@ import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.ObjectMapper; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.ErnbEidData; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.SzrCommunicationException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.LoggingHandler; +import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; import at.gv.egiz.eaaf.core.api.data.XmlNamespaceConstants; import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.impl.utils.DomUtils; @@ -113,7 +115,8 @@ public class SzrClient { private static final String KEY_BC_BIND = "bcBindReq"; private static final String JOSE_HEADER_USERCERTPINNING_TYPE = "urn:at.gv.eid:bindtype"; private static final String JOSE_HEADER_USERCERTPINNING_EIDASBIND = "urn:at.gv.eid:eidasBind"; - + public static final String ATTR_NAME_MDS = "urn:eidgvat:mds"; + @Autowired private IConfiguration basicConfig; @@ -244,36 +247,38 @@ public class SzrClient { } - /** - * Signs content. + * Sign an eidasBind data-structure that combines vsz with user's pubKey and E-ID status. * - * @param vsz ? TODO + * @param vsz encryped baseId * @param bindingPubKey binding PublikKey as PKCS1# (ASN.1) container * @param eidStatus Status of the E-ID + * @param eidData eID information that was used for ERnP registration * @return bPK for this person * @throws SzrCommunicationException In case of a SZR error */ - public String getBcBind(final String vsz, final String bindingPubKey, final String eidStatus) - throws SzrCommunicationException { - - final Map<String, Object> bcBindMap = new HashMap<>(); - bcBindMap.put(ATTR_NAME_VSZ, vsz); - bcBindMap.put(ATTR_NAME_STATUS, eidStatus); - bcBindMap.put(ATTR_NAME_PUBKEYS, Arrays.asList(bindingPubKey)); - + public String getEidsaBind(final String vsz, final String bindingPubKey, final String eidStatus, + ErnbEidData eidData)throws SzrCommunicationException { + + final Map<String, Object> eidsaBindMap = new HashMap<>(); + eidsaBindMap.put(ATTR_NAME_VSZ, vsz); + eidsaBindMap.put(ATTR_NAME_STATUS, eidStatus); + eidsaBindMap.put(ATTR_NAME_PUBKEYS, Arrays.asList(bindingPubKey)); + eidsaBindMap.put(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, eidData.getCitizenCountryCode()); + injectMdsIfAvailableAndActive(eidsaBindMap, eidData); + try { - final String serializedBcBind = mapper.writeValueAsString(bcBindMap); + final String serializedEidasBind = mapper.writeValueAsString(eidsaBindMap); final SignContent req = new SignContent(); - final SignContentEntry bcBindInfo = new SignContentEntry(); - bcBindInfo.setKey(KEY_BC_BIND); - bcBindInfo.setValue(serializedBcBind); - req.getIn().add(bcBindInfo); + final SignContentEntry eidasBindInfo = new SignContentEntry(); + eidasBindInfo.setKey(KEY_BC_BIND); + eidasBindInfo.setValue(serializedEidasBind); + req.getIn().add(eidasBindInfo); req.setAppendCert(false); - final JwsHeaderParam bcBindJoseHeader = new JwsHeaderParam(); - bcBindJoseHeader.setKey(JOSE_HEADER_USERCERTPINNING_TYPE); - bcBindJoseHeader.setValue(JOSE_HEADER_USERCERTPINNING_EIDASBIND); - req.getJWSHeaderParam().add(bcBindJoseHeader); + final JwsHeaderParam eidasBindJoseHeader = new JwsHeaderParam(); + eidasBindJoseHeader.setKey(JOSE_HEADER_USERCERTPINNING_TYPE); + eidasBindJoseHeader.setValue(JOSE_HEADER_USERCERTPINNING_EIDASBIND); + req.getJWSHeaderParam().add(eidasBindJoseHeader); log.trace("Requesting SZR to sign bcBind datastructure ... "); final SignContentResponseType resp = szr.signContent(req.isAppendCert(), req.getJWSHeaderParam(), req.getIn()); @@ -488,6 +493,19 @@ public class SzrClient { } + private void injectMdsIfAvailableAndActive(Map<String, Object> eidsaBindMap, ErnbEidData eidData) { + if (basicConfig.getBasicConfigurationBoolean( + Constants.CONIG_PROPS_EIDAS_SZRCLIENT_SET_MDS_TO_EIDASBIND, false)) { + log.info("Injecting MDS into eidasBind ... "); + final Map<String, Object> mds = new HashMap<>(); + mds.put(PvpAttributeDefinitions.PRINCIPAL_NAME_NAME, eidData.getFamilyName()); + mds.put(PvpAttributeDefinitions.GIVEN_NAME_NAME, eidData.getGivenName()); + mds.put(PvpAttributeDefinitions.BIRTHDATE_NAME, eidData.getFormatedDateOfBirth()); + eidsaBindMap.put(ATTR_NAME_MDS, mds); + + } + } + private byte[] sourceToByteArray(Source result) throws TransformerException { final TransformerFactory factory = TransformerFactory.newInstance(); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java index 11f8fc04..b519354c 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java @@ -150,37 +150,37 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { // get encrypted baseId String vsz = szrClient.getEncryptedStammzahl(personInfo); - + + //write revision-Log entry and extended infos personal-identifier mapping + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_VSZ_RECEIVED); + writeExtendedRevisionLogEntry(simpleAttrMap, eidData); + + // get eIDAS bind - String signedEidasBind = szrClient.getBcBind(vsz, + String signedEidasBind = szrClient.getEidsaBind(vsz, authBlockSigner.getBase64EncodedPublicKey(), - EID_STATUS); - + EID_STATUS, eidData); + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_EIDASBIND_RECEIVED); + authProcessData.setGenericDataToSession(Constants.EIDAS_BIND, signedEidasBind); + //get signed AuthBlock String jwsSignature = authBlockSigner.buildSignedAuthBlock(pendingReq); - - //inject personal-data into session + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.TECH_AUCHBLOCK_CREATED); authProcessData.setGenericDataToSession(Constants.SZR_AUTHBLOCK, jwsSignature); - authProcessData.setGenericDataToSession(Constants.EIDAS_BIND, signedEidasBind); + + //inject personal-data into session authProcessData.setEidProcess(true); } else { //request SZR SzrResultHolder idlResult = requestSzrForIdentityLink(personInfo); - // write ERnB input-data into revision-log - if (basicConfig.getBasicConfigurationBoolean( - Constants.CONIG_PROPS_EIDAS_SZRCLIENT_WORKAROUND_REVISIONLOGDATASTORE_ACTIVE, false)) { - revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_ERNB_EIDAS_RAW_ID, - (String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER)); - revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_ERNB_EIDAS_ERNB_ID, eidData.getPseudonym()); - - } + //write revision-Log entry for personal-identifier mapping + writeExtendedRevisionLogEntry(simpleAttrMap, eidData); //check result-data and write revision-log based on current state checkStateAndWriteRevisionLog(idlResult); - //inject personal-data into session authProcessData.setIdentityLink(idlResult.getIdentityLink()); authProcessData.setEidProcess(false); @@ -219,6 +219,17 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { } } + private void writeExtendedRevisionLogEntry(Map<String, Object> simpleAttrMap, ErnbEidData eidData) { + // write ERnB input-data into revision-log + if (basicConfig.getBasicConfigurationBoolean( + Constants.CONIG_PROPS_EIDAS_SZRCLIENT_WORKAROUND_REVISIONLOGDATASTORE_ACTIVE, false)) { + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_ERNB_EIDAS_RAW_ID, + (String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER)); + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_ERNB_EIDAS_ERNB_ID, eidData.getPseudonym()); + + } + } + private PersonInfoType generateSzrRequest(ErnbEidData eidData) { log.debug("Starting connecting SZR Gateway"); final PersonInfoType personInfo = new PersonInfoType(); @@ -281,14 +292,18 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { IIdentityLink identityLink = new SimpleIdentityLinkAssertionParser(idlFromSzr).parseIdentityLink(); // get bPK from SZR - String bpk; + String bpk = null; if (basicConfig .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USESRZFORBPKGENERATION, true)) { - bpk = szrClient + List<String> bpkList = szrClient .getBpk(personInfo, pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(), basicConfig - .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, "no VKZ defined")) - .get(0); + .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, "no VKZ defined")); + if (!bpkList.isEmpty()) { + bpk = bpkList.get(0); + + } + } else { log.debug("Calculating bPK from baseId ... "); @@ -382,7 +397,7 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { } else { final List<String> natPersonIdObj = EidasResponseUtils - .translateStringListAttribute(el, attributeMap.get(el).asList()); + .translateStringListAttribute(el, attributeMap.get(el)); final String stringAttr = natPersonIdObj.get(0); if (StringUtils.isNotEmpty(stringAttr)) { result.put(el.getFriendlyName(), stringAttr); diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java index 0b6e9ee8..92f58877 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java @@ -41,10 +41,8 @@ import at.asitplus.eidas.specific.connector.gui.StaticGuiBuilderConfiguration; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasSAuthenticationException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.ICcSpecificEidProcessingService; -import at.gv.egiz.eaaf.core.api.data.EaafConstants; import at.gv.egiz.eaaf.core.api.gui.ISpringMvcGuiFormBuilder; import at.gv.egiz.eaaf.core.api.idp.IConfiguration; -import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage; import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; @@ -87,9 +85,6 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { throws TaskExecutionException { try { - // get service-provider configuration - final ISpConfiguration spConfig = pendingReq.getServiceProviderConfiguration(); - // get target, environment and validate citizen countryCode final String citizenCountryCode = (String) executionContext.get( MsEidasNodeConstants.REQ_PARAM_SELECTED_COUNTRY); @@ -110,6 +105,13 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { final LightRequest.Builder authnRequestBuilder = LightRequest.builder(); authnRequestBuilder.id(UUID.randomUUID().toString()); + // set nameIDFormat + authnRequestBuilder.nameIdFormat(Constants.eIDAS_REQ_NAMEID_FORMAT); + + // set citizen country code for foreign uses + authnRequestBuilder.citizenCountryCode(citizenCountryCode); + + //set Issuer final String issur = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_ENTITYID); if (StringUtils.isEmpty(issur)) { log.error("Found NO 'eIDAS node issuer' in configuration. Authentication NOT possible!"); @@ -119,42 +121,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { } authnRequestBuilder.issuer(issur); - // TODO: set matching mode if eIDAS ref. impl. support this method - - // TODO: update if eIDAS ref. impl. supports exact matching for non-notified LoA - // schemes - String loa = EaafConstants.EIDAS_LOA_HIGH; - if (spConfig.getRequiredLoA() != null) { - if (spConfig.getRequiredLoA().isEmpty()) { - log.info("No eIDAS LoA requested. Use LoA HIGH as default"); - } else { - if (spConfig.getRequiredLoA().size() > 1) { - log.info( - "Currently only ONE requested LoA is supported for service provider. Use first one ... "); - } - - loa = spConfig.getRequiredLoA().get(0); - - } - } - - log.debug("Request eIdAS node with LoA: " + loa); - authnRequestBuilder.levelOfAssurance(loa); - - // set nameIDFormat - authnRequestBuilder.nameIdFormat(Constants.eIDAS_REQ_NAMEID_FORMAT); - - // set citizen country code for foreign uses - authnRequestBuilder.citizenCountryCode(citizenCountryCode); - - // set relay state - /* - * TODO: SecureToken PendingRequestId generates a validation exception in - * eIDASNode because eIDASNode implements limit on size for RelayState - * (80characaters) - */ - // authnRequestBuilder.relayState(pendingReq.getPendingRequestId()); - + // Add country-specific informations into eIDAS request ccSpecificProcessing.preProcess(citizenCountryCode, pendingReq, authnRequestBuilder); diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/utils/EidasResponseUtils.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/utils/EidasResponseUtils.java index ebd2ae78..c8c5a069 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/utils/EidasResponseUtils.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/utils/EidasResponseUtils.java @@ -36,6 +36,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import com.google.common.collect.ImmutableList; +import com.google.common.collect.ImmutableSet; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; import at.gv.egiz.eaaf.core.impl.data.Triple; @@ -98,38 +99,44 @@ public class EidasResponseUtils { */ // TODO: check possible problem with nonLatinCharacters public static List<String> translateStringListAttribute(AttributeDefinition<?> attributeDefinition, - ImmutableList<? extends AttributeValue<?>> attributeValues) { + ImmutableSet<? extends AttributeValue<?>> attributeValues) { final List<String> stringListAttribute = new ArrayList<>(); - final AttributeValueMarshaller<?> attributeValueMarshaller = attributeDefinition - .getAttributeValueMarshaller(); - for (final AttributeValue<?> attributeValue : attributeValues) { - String valueString = null; - try { - valueString = attributeValueMarshaller.marshal((AttributeValue) attributeValue); - - log.trace("Find attr: {} with value: {} nonLatinFlag: {} needTransliteration: {}", - attributeDefinition.getFriendlyName(), attributeValue.toString(), - attributeValue.isNonLatinScriptAlternateVersion(), - AttributeValueTransliterator.needsTransliteration(valueString)); - - // if (attributeValue.isNonLatinScriptAlternateVersion()) { - if (!AttributeValueTransliterator.needsTransliteration(valueString)) { - stringListAttribute.add(0, valueString); - - } else { - log.trace("Find 'needsTransliteration' flag. Setting this value at last list element ... "); - stringListAttribute.add(valueString); + if (attributeValues != null) { + final AttributeValueMarshaller<?> attributeValueMarshaller = attributeDefinition + .getAttributeValueMarshaller(); + for (final AttributeValue<?> attributeValue : attributeValues.asList()) { + String valueString = null; + try { + valueString = attributeValueMarshaller.marshal((AttributeValue) attributeValue); - } + log.trace("Find attr: {} with value: {} nonLatinFlag: {} needTransliteration: {}", + attributeDefinition.getFriendlyName(), attributeValue.toString(), + attributeValue.isNonLatinScriptAlternateVersion(), + AttributeValueTransliterator.needsTransliteration(valueString)); + + // if (attributeValue.isNonLatinScriptAlternateVersion()) { + if (!AttributeValueTransliterator.needsTransliteration(valueString)) { + stringListAttribute.add(0, valueString); + + } else { + log.trace("Find 'needsTransliteration' flag. Setting this value at last list element ... "); + stringListAttribute.add(valueString); - } catch (final AttributeValueMarshallingException e) { - throw new IllegalStateException(e); + } + } catch (final AttributeValueMarshallingException e) { + throw new IllegalStateException(e); + + } } - } - log.trace("Extract values: {} for attr: {}", - StringUtils.join(stringListAttribute, ","), attributeDefinition.getFriendlyName()); + log.trace("Extract values: {} for attr: {}", + StringUtils.join(stringListAttribute, ","), attributeDefinition.getFriendlyName()); + + } else { + log.info("Can not extract infos from 'null' attribute value"); + + } return stringListAttribute; diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/validator/EidasResponseValidator.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/validator/EidasResponseValidator.java index 1836e87b..9d9a0647 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/validator/EidasResponseValidator.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/validator/EidasResponseValidator.java @@ -29,7 +29,7 @@ import org.apache.commons.lang3.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import com.google.common.collect.ImmutableList; +import com.google.common.collect.ImmutableSet; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasValidationException; @@ -98,8 +98,8 @@ public class EidasResponseValidator { */ final AttributeDefinition<?> attrDefinition = attrRegistry.getCoreAttributeRegistry().getByFriendlyName( Constants.eIDAS_ATTR_PERSONALIDENTIFIER).first(); - final ImmutableList<? extends AttributeValue<?>> attributeValues = eidasResponse.getAttributes() - .getAttributeMap().get(attrDefinition).asList(); + final ImmutableSet<? extends AttributeValue<?>> attributeValues = eidasResponse.getAttributes() + .getAttributeMap().get(attrDefinition); final List<String> personalIdObj = EidasResponseUtils.translateStringListAttribute(attrDefinition, attributeValues); |