diff options
Diffstat (limited to 'eidas_modules/authmodule-eIDAS-v2/src')
-rw-r--r-- | eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleMobileSignatureData.java | 18 | ||||
-rw-r--r-- | eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseTask.java (renamed from eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask.java) | 105 | ||||
-rw-r--r-- | eidas_modules/authmodule-eIDAS-v2/src/main/resources/eidas_v2_auth.beans.xml | 2 | ||||
-rw-r--r-- | eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest.java | 543 | ||||
-rw-r--r-- | eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseTaskTest.java | 371 |
5 files changed, 436 insertions, 603 deletions
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleMobileSignatureData.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleMobileSignatureData.java index 2a7beb3b..e7a5547a 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleMobileSignatureData.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleMobileSignatureData.java @@ -24,12 +24,12 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.dao; import lombok.Data; +import org.apache.commons.lang3.builder.EqualsBuilder; @Data public class SimpleMobileSignatureData { private String citizenCountryCode; - private String bpk; private String givenName; private String familyName; @@ -37,19 +37,15 @@ public class SimpleMobileSignatureData { /** * Compares the received authentication data from the mobile phone signature with the eid data received via eIDAS. + * * @param simpleEidasData The extracted eIDAS data * @return Returns true, if the eIDAS data matches the mobile phone signature data and false otherwise. */ public boolean equalsSimpleEidasData(SimpleEidasData simpleEidasData) { - if (!simpleEidasData.getGivenName().equals(givenName)) { - return false; - } - if (!simpleEidasData.getFamilyName().equals(familyName)) { - return false; - } - if (!simpleEidasData.getDateOfBirth().equals(dateOfBirth)) { - return false; - } - return true; + return new EqualsBuilder() + .append(simpleEidasData.getGivenName(), givenName) + .append(simpleEidasData.getFamilyName(), familyName) + .append(simpleEidasData.getDateOfBirth(), dateOfBirth) + .isEquals(); } } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseTask.java index 81be04b5..0f40b337 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseTask.java @@ -64,7 +64,6 @@ import org.opensaml.messaging.decoder.MessageDecodingException; import org.opensaml.saml.saml2.core.Response; import org.opensaml.saml.saml2.core.StatusCode; import org.opensaml.saml.saml2.metadata.IDPSSODescriptor; -import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; import javax.servlet.http.HttpServletRequest; @@ -86,16 +85,12 @@ import static at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.I */ @Slf4j @Component("ReceiveMobilePhoneSignatureResponseTask") -public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends AbstractAuthServletTask { +public class ReceiveMobilePhoneSignatureResponseTask extends AbstractAuthServletTask { - @Autowired - private SamlVerificationEngine samlVerificationEngine; - @Autowired - private RegisterSearchService registerSearchService; - @Autowired - private IdAustriaClientAuthCredentialProvider credentialProvider; - @Autowired - IdAustriaClientAuthMetadataProvider metadataProvider; + private final SamlVerificationEngine samlVerificationEngine; + private final RegisterSearchService registerSearchService; + private final IdAustriaClientAuthCredentialProvider credentialProvider; + private final IdAustriaClientAuthMetadataProvider metadataProvider; private static final String ERROR_PVP_03 = "sp.pvp2.03"; private static final String ERROR_PVP_05 = "sp.pvp2.05"; @@ -107,9 +102,22 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends private static final String ERROR_MSG_00 = "Receive INVALID PVP Response from ID Austria system"; private static final String ERROR_MSG_01 = "Processing PVP response from 'ID Austria system' FAILED."; - private static final String ERROR_MSG_02 = "PVP response decrytion FAILED. No credential found."; + private static final String ERROR_MSG_02 = "PVP response decryption FAILED. No credential found."; private static final String ERROR_MSG_03 = "PVP response validation FAILED."; + /** + * Creates the new task, with autowired dependencies from Spring. + */ + public ReceiveMobilePhoneSignatureResponseTask(SamlVerificationEngine samlVerificationEngine, + RegisterSearchService registerSearchService, + IdAustriaClientAuthCredentialProvider credentialProvider, + IdAustriaClientAuthMetadataProvider metadataProvider) { + this.samlVerificationEngine = samlVerificationEngine; + this.registerSearchService = registerSearchService; + this.credentialProvider = credentialProvider; + this.metadataProvider = metadataProvider; + } + @Override public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) throws TaskExecutionException { @@ -118,7 +126,7 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends IDecoder decoder = loadDecoder(request); EaafUriCompare comparator = loadComparator(request); InboundMessage inboundMessage = decodeAndVerifyMessage(request, response, decoder, comparator); - final Pair<PvpSProfileResponse, Boolean> processedMsg = validateAssertion((PvpSProfileResponse) inboundMessage); + Pair<PvpSProfileResponse, Boolean> processedMsg = validateAssertion((PvpSProfileResponse) inboundMessage); if (processedMsg.getSecond()) { stopProcessFromUserDecision(executionContext, request, response); return; @@ -138,30 +146,22 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends * */ - final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); + AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); MergedRegisterSearchResult initialSearchResult = authProcessData.getGenericDataFromSession(DATA_INITIAL_REGISTER_RESULT, MergedRegisterSearchResult.class); SimpleEidasData eidasData = authProcessData.getGenericDataFromSession(DATA_SIMPLE_EIDAS, SimpleEidasData.class); + String bpkZp = extractBpkZp(extractor, authProcessData, eidasData); - SimpleMobileSignatureData simpleMobileSignatureData = getAuthDataFromInterfederation(extractor, authProcessData); - if (!simpleMobileSignatureData.equalsSimpleEidasData(eidasData)) { - //TODO User has cheated? - throw new InvalidUserInputException(); - } - - String bpkZp = simpleMobileSignatureData.getBpk(); MergedRegisterSearchResult result = registerSearchService.searchWithBpkZp(bpkZp); if (result.getResultCount() == 0) { - //go to step 16 executionContext.put(Constants.TRANSITION_TO_GENERATE_GUI_QUERY_AUSTRIAN_RESIDENCE_TASK, true); return; } else if (result.getResultCount() == 1) { String bpk = registerSearchService.step7aKittProcess(initialSearchResult, result, eidasData, pendingReq); authProcessData.setGenericDataToSession(Constants.DATA_RESULT_MATCHING_BPK, bpk); return; - //node 110 } else if (result.getResultCount() > 1) { - throw new ManualFixNecessaryException("bpkZp: " + bpkZp);// node 108 + throw new ManualFixNecessaryException("bpkZp: " + bpkZp); } // set NeedConsent to false, because user gives consent during authentication @@ -180,7 +180,7 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends throw new TaskExecutionException(pendingReq, ERROR_MSG_01, new AuthnResponseValidationException(ERROR_PVP_12, new Object[]{MODULE_NAME_FOR_LOGGING, e.getMessage()}, e)); } catch (final CredentialsNotAvailableException e) { - log.debug("PVP response decrytion FAILED. No credential found.", e); + log.debug("PVP response decryption FAILED. No credential found.", e); throw new TaskExecutionException(pendingReq, ERROR_MSG_02, new AuthnResponseValidationException(ERROR_PVP_10, new Object[]{MODULE_NAME_FOR_LOGGING}, e)); } catch (final Exception e) { @@ -191,6 +191,17 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends } } + private String extractBpkZp(AssertionAttributeExtractor extractor, + AuthProcessDataWrapper authProcessData, + SimpleEidasData eidasData) throws EaafBuilderException, InvalidUserInputException { + SimpleMobileSignatureData simpleMobileSignatureData = getAuthDataFromInterfederation(extractor, authProcessData); + if (!simpleMobileSignatureData.equalsSimpleEidasData(eidasData)) { + //TODO User has cheated? + throw new InvalidUserInputException(); + } + return simpleMobileSignatureData.getBpk(); + } + @NotNull private InboundMessage decodeAndVerifyMessage(HttpServletRequest request, HttpServletResponse response, IDecoder decoder, EaafUriCompare comparator) throws Exception { @@ -297,33 +308,31 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends throws EaafBuilderException { List<String> requiredAttributes = IdAustriaClientAuthConstants.DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES; SimpleMobileSignatureData result = new SimpleMobileSignatureData(); - try { - if (!extractor.containsAllRequiredAttributes(requiredAttributes)) { - log.warn("PVP Response from 'ID Austria node' contains not all requested attributes."); - throw new AssertionValidationExeption(ERROR_PVP_06, new Object[]{MODULE_NAME_FOR_LOGGING}); + if (!extractor.containsAllRequiredAttributes(requiredAttributes)) { + log.warn("PVP Response from 'ID Austria node' contains not all requested attributes."); + AssertionValidationExeption e = new AssertionValidationExeption(ERROR_PVP_06, + new Object[]{MODULE_NAME_FOR_LOGGING}); + throw new EaafBuilderException(ERROR_PVP_06, null, e.getMessage(), e); + } + final Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames(); + for (final String attrName : includedAttrNames) { + if (PvpAttributeDefinitions.BPK_NAME.equals(attrName)) { + result.setBpk(extractor.getSingleAttributeValue(attrName)); } - final Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames(); - for (final String attrName : includedAttrNames) { - if (PvpAttributeDefinitions.BPK_NAME.equals(attrName)) { - result.setBpk(extractor.getSingleAttributeValue(attrName)); - } - if (PvpAttributeDefinitions.GIVEN_NAME_NAME.equals(attrName)) { - result.setGivenName(extractor.getSingleAttributeValue(attrName)); - } - if (PvpAttributeDefinitions.PRINCIPAL_NAME_NAME.equals(attrName)) { - result.setFamilyName(extractor.getSingleAttributeValue(attrName)); - } - if (PvpAttributeDefinitions.BIRTHDATE_NAME.equals(attrName)) { - result.setDateOfBirth(extractor.getSingleAttributeValue(attrName)); - } - if (PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME.equals(attrName)) { - authProcessData.setQaaLevel(extractor.getSingleAttributeValue(attrName)); - } + if (PvpAttributeDefinitions.GIVEN_NAME_NAME.equals(attrName)) { + result.setGivenName(extractor.getSingleAttributeValue(attrName)); + } + if (PvpAttributeDefinitions.PRINCIPAL_NAME_NAME.equals(attrName)) { + result.setFamilyName(extractor.getSingleAttributeValue(attrName)); + } + if (PvpAttributeDefinitions.BIRTHDATE_NAME.equals(attrName)) { + result.setDateOfBirth(extractor.getSingleAttributeValue(attrName)); + } + if (PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME.equals(attrName)) { + authProcessData.setQaaLevel(extractor.getSingleAttributeValue(attrName)); } - authProcessData.setIssueInstant(extractor.getAssertionIssuingDate()); - } catch (final AssertionValidationExeption e) { - throw new EaafBuilderException(ERROR_PVP_06, null, e.getMessage(), e); } + authProcessData.setIssueInstant(extractor.getAssertionIssuingDate()); return result; } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eidas_v2_auth.beans.xml b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eidas_v2_auth.beans.xml index 34046e55..ed086493 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eidas_v2_auth.beans.xml +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eidas_v2_auth.beans.xml @@ -121,7 +121,7 @@ scope="prototype" /> <bean id="ReceiveMobilePhoneSignatureResponseTask" - class="at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask" + class="at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.ReceiveMobilePhoneSignatureResponseTask" scope="prototype" /> <bean id="GenerateAustrianResidenceGuiTask" diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest.java deleted file mode 100644 index 42dd3ddc..00000000 --- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest.java +++ /dev/null @@ -1,543 +0,0 @@ -package at.asitplus.eidas.specific.modules.auth.eidas.v2.test.tasks; - -import at.asitplus.eidas.specific.connector.test.config.dummy.MsConnectorDummyConfigMap; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.InvalidUserInputException; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider.IdAustriaClientAuthCredentialProvider; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider.IdAustriaClientAuthMetadataProvider; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.test.dummy.DummyOA; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.test.dummy.DummyPendingRequest; -import at.gv.egiz.eaaf.core.api.data.EaafConstants; -import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; -import at.gv.egiz.eaaf.core.exceptions.EaafException; -import at.gv.egiz.eaaf.core.exceptions.EaafStorageException; -import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; -import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper; -import at.gv.egiz.eaaf.core.impl.idp.process.ExecutionContextImpl; -import at.gv.egiz.eaaf.core.impl.utils.DomUtils; -import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; -import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; -import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; -import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; -import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnResponseValidationException; -import net.shibboleth.utilities.java.support.xml.XMLParserException; -import org.apache.commons.io.IOUtils; -import org.apache.commons.lang3.RandomStringUtils; -import org.joda.time.DateTime; -import org.junit.Before; -import org.junit.BeforeClass; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; -import org.opensaml.core.xml.io.MarshallingException; -import org.opensaml.core.xml.io.UnmarshallingException; -import org.opensaml.core.xml.util.XMLObjectSupport; -import org.opensaml.saml.saml2.core.Issuer; -import org.opensaml.saml.saml2.core.Response; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.context.ApplicationContext; -import org.springframework.mock.web.MockHttpServletRequest; -import org.springframework.mock.web.MockHttpServletResponse; -import org.springframework.test.context.ContextConfiguration; -import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; -import org.springframework.web.context.request.RequestContextHolder; -import org.springframework.web.context.request.ServletRequestAttributes; - -import javax.xml.transform.TransformerException; -import java.io.IOException; -import java.util.Base64; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertThrows; -import static org.junit.Assert.assertTrue; -import static org.junit.Assert.fail; -import static org.springframework.util.Assert.isInstanceOf; - -@RunWith(SpringJUnit4ClassRunner.class) -@ContextConfiguration(locations = { - "/SpringTest-context_tasks_test.xml", - "/SpringTest-context_basic_mapConfig.xml" -}) -public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest { - - private static final String METADATA_PATH = "classpath:/data/idp_metadata_classpath_entity.xml"; - - @Autowired - private ApplicationContext context; - @Autowired - protected MsConnectorDummyConfigMap authConfig; - @Autowired - private IdAustriaClientAuthMetadataProvider metadataProvider; - @Autowired - private IdAustriaClientAuthCredentialProvider credentialProvider; - @Autowired - private PvpMetadataResolverFactory metadataFactory; - - private final ExecutionContext executionContext = new ExecutionContextImpl(); - private MockHttpServletRequest httpReq; - private MockHttpServletResponse httpResp; - private DummyPendingRequest pendingReq; - - private ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask task; - - /** - * JUnit class initializer. - * - * @throws Exception In case of an OpenSAML3 initialization error - */ - @BeforeClass - public static void initialize() throws Exception { - EaafOpenSaml3xInitializer.eaafInitialize(); - - } - - /** - * jUnit test set-up. - * - * @throws Exception In case of an set-up error - */ - @Before - public void setUp() throws Exception { - task = (ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask) context.getBean( - "ReceiveMobilePhoneSignatureResponseTask"); - - httpReq = new MockHttpServletRequest("POST", "https://localhost/authhandler"); - httpReq.setScheme("https"); - httpReq.setServerPort(443); - httpReq.setContextPath("/authhandler"); - httpResp = new MockHttpServletResponse(); - RequestContextHolder.resetRequestAttributes(); - RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpReq, httpResp)); - - authConfig.putConfigValue(IdAustriaClientAuthConstants.CONFIG_PROPS_ID_AUSTRIA_ENTITYID, METADATA_PATH); - - DummyOA oaParam = new DummyOA(); - oaParam.setUniqueAppId("http://test.com/test"); - oaParam.setTargetIdentifier(EaafConstants.URN_PREFIX_CDID + RandomStringUtils.randomAlphabetic(2)); - - pendingReq = new DummyPendingRequest(); - pendingReq.initialize(httpReq, authConfig); - pendingReq.setPendingRequestId(RandomStringUtils.randomAlphanumeric(10)); - pendingReq.setOnlineApplicationConfiguration(oaParam); - - metadataProvider.fullyDestroy(); - } - - @Test - public void unsupportedHttpMethode() { - httpReq = new MockHttpServletRequest("PUT", "https://localhost/authhandler"); - RequestContextHolder.resetRequestAttributes(); - RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpReq, httpResp)); - - final TaskExecutionException e = assertThrows(TaskExecutionException.class, - () -> task.execute(pendingReq, executionContext)); - - assertNotNull(e.getPendingRequestID()); - assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); - assertNotNull(e.getOriginalException()); - isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); - assertEquals("sp.pvp2.03", ((AuthnResponseValidationException) e.getOriginalException()).getErrorId()); - } - - @Test - public void httpGetNoMessage() { - httpReq = new MockHttpServletRequest("GET", "https://localhost/authhandler"); - RequestContextHolder.resetRequestAttributes(); - RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpReq, httpResp)); - - final TaskExecutionException e = assertThrows(TaskExecutionException.class, - () -> task.execute(pendingReq, executionContext)); - - assertNotNull(e.getPendingRequestID()); - assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); - assertNotNull(e.getOriginalException()); - isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); - assertEquals("sp.pvp2.12", ((AuthnResponseValidationException) e.getOriginalException()).getErrorId()); - - } - - @Test - public void httpPostNoMessage() { - final TaskExecutionException e = assertThrows(TaskExecutionException.class, - () -> task.execute(pendingReq, executionContext)); - - assertNotNull(e.getPendingRequestID()); - assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); - assertNotNull(e.getOriginalException()); - isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); - assertEquals("sp.pvp2.12", ((AuthnResponseValidationException) e.getOriginalException()).getErrorId()); - } - - @Test - public void httpPostMessageNotSigned() throws IOException { - - httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( - IOUtils.toByteArray(ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask.class - .getResourceAsStream( - "/data/Response_without_sig_classpath_entityid.xml")))); - - final TaskExecutionException e = assertThrows(TaskExecutionException.class, - () -> task.execute(pendingReq, executionContext)); - assertNotNull(e.getPendingRequestID()); - assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); - assertNotNull(e.getOriginalException()); - isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); - assertEquals("sp.pvp2.12", ((AuthnResponseValidationException) e.getOriginalException()).getErrorId()); - - } - - @Test - public void httpPostMessageWrongDestinationEndpoint() throws IOException, SamlSigningException, - Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, - TransformerException, MarshallingException { - - final Response response = initializeResponse( - "classpath:/data/idp_metadata_classpath_entity.xml", - "/data/Response_with_wrong_destination_endpoint.xml", - credentialProvider.getMessageSigningCredential(), true); - httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( - DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( - "UTF-8"))); - - final TaskExecutionException e = assertThrows(TaskExecutionException.class, - () -> task.execute(pendingReq, executionContext)); - - assertNotNull(e.getPendingRequestID()); - assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); - assertNotNull(e.getOriginalException()); - isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); - assertEquals("sp.pvp2.12", ((AuthnResponseValidationException) e.getOriginalException()).getErrorId()); - - } - - @Test - public void httpPostValidSignedNoMetadata() throws IOException, SamlSigningException, - Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, - MarshallingException, TransformerException { - - final Response response = initializeResponse( - "classpath:/data/idp_metadata_classpath_entity.xml", - "/data/Response_without_sig_classpath_entityid.xml", - credentialProvider.getMessageSigningCredential(), true); - httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( - DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( - "UTF-8"))); - - final TaskExecutionException e = assertThrows(TaskExecutionException.class, - () -> task.execute(pendingReq, executionContext)); - assertNotNull(e.getPendingRequestID()); - assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); - assertNotNull(e.getOriginalException()); - isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); - assertEquals("sp.pvp2.11", ((EaafException) e.getOriginalException()).getErrorId()); - } - - @Test - public void httpPostValidSignedAssertionOutDated() throws IOException, SamlSigningException, - Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, - MarshallingException, TransformerException { - - metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( - METADATA_PATH, null, "jUnit IDP", null)); - - final Response response = initializeResponse( - "classpath:/data/idp_metadata_classpath_entity.xml", - "/data/Response_without_sig_classpath_entityid.xml", - credentialProvider.getMessageSigningCredential(), false); - httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( - DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( - "UTF-8"))); - - final TaskExecutionException e = assertThrows(TaskExecutionException.class, - () -> task.execute(pendingReq, executionContext)); - - assertNotNull(e.getPendingRequestID()); - assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); - assertNotNull(e.getOriginalException()); - isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); - assertEquals("sp.pvp2.12", ((EaafException) e.getOriginalException()).getErrorId()); - - } - - @Test - public void httpPostValidSignedAssertionFromWrongIdp() throws IOException, SamlSigningException, - Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, - MarshallingException, TransformerException { - - authConfig.putConfigValue(IdAustriaClientAuthConstants.CONFIG_PROPS_ID_AUSTRIA_ENTITYID, - "http://wrong.idp/" + RandomStringUtils.randomAlphabetic(5)); - - metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( - METADATA_PATH, null, "jUnit IDP", null)); - - final Response response = initializeResponse( - "classpath:/data/idp_metadata_classpath_entity.xml", - "/data/Response_without_sig_classpath_entityid.xml", - credentialProvider.getMessageSigningCredential(), - true); - httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( - DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( - "UTF-8"))); - - final TaskExecutionException e = assertThrows(TaskExecutionException.class, - () -> task.execute(pendingReq, executionContext)); - - assertNotNull(e.getPendingRequestID()); - assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); - assertNotNull(e.getOriginalException()); - isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); - assertEquals("sp.pvp2.08", ((EaafException) e.getOriginalException()).getErrorId()); - - } - - @Test - public void httpPostValidSignedAssertionMissingAttributes() throws IOException, SamlSigningException, - Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, - MarshallingException, TransformerException { - - metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( - METADATA_PATH, null, "jUnit IDP", null)); - - final Response response = initializeResponse( - "classpath:/data/idp_metadata_classpath_entity.xml", - "/data/Response_without_sig_classpath_entityid.xml", - credentialProvider.getMessageSigningCredential(), - true); - httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( - DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( - "UTF-8"))); - - final TaskExecutionException e = assertThrows(TaskExecutionException.class, - () -> task.execute(pendingReq, executionContext)); - - assertNotNull(e.getPendingRequestID()); - assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); - assertNotNull(e.getOriginalException()); - isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); - assertEquals("sp.pvp2.12", ((EaafException) e.getOriginalException()).getErrorId()); - - } - - @Test - public void httpPostValidSignedWithError() throws IOException, SamlSigningException, - Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, - MarshallingException, TransformerException { - - metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( - METADATA_PATH, null, "jUnit IDP", null)); - - final Response response = initializeResponse( - "classpath:/data/idp_metadata_classpath_entity.xml", - "/data/Response_without_sig_with_error.xml", - credentialProvider.getMessageSigningCredential(), - true); - httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( - DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( - "UTF-8"))); - - final TaskExecutionException e = assertThrows(TaskExecutionException.class, - () -> task.execute(pendingReq, executionContext)); - - assertNotNull(e.getPendingRequestID()); - assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); - assertNotNull(e.getOriginalException()); - isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); - assertEquals("sp.pvp2.05", ((EaafException) e.getOriginalException()).getErrorId()); - - } - - @Test - public void httpPostValidSignedWitUserStopErrorCode() throws IOException, SamlSigningException, - Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, - MarshallingException, TransformerException, TaskExecutionException { - - metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( - METADATA_PATH, null, "jUnit IDP", null)); - - final Response response = initializeResponse( - "classpath:/data/idp_metadata_classpath_entity.xml", - "/data/Response_without_sig_with_error_userstop.xml", - credentialProvider.getMessageSigningCredential(), - true); - httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( - DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( - "UTF-8"))); - - // perform test - task.execute(pendingReq, executionContext); - - // validate state - assertTrue("process not cancelled", executionContext.isProcessCancelled()); - assertTrue("process not stopped by user", pendingReq.isAbortedByUser()); - assertFalse("should not authenticated", pendingReq.isAuthenticated()); - - } - - @Test - public void httpPostValidSignedWithErrorAndNoSubCode() throws IOException, SamlSigningException, - Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, - MarshallingException, TransformerException { - - metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( - METADATA_PATH, null, "jUnit IDP", null)); - - final Response response = initializeResponse( - "classpath:/data/idp_metadata_classpath_entity.xml", - "/data/Response_without_sig_with_error_without_subcode.xml", - credentialProvider.getMessageSigningCredential(), - true); - httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( - DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( - "UTF-8"))); - - try { - task.execute(pendingReq, executionContext); - fail("Invalid response not detected"); - - } catch (final TaskExecutionException e) { - assertNotNull(e.getPendingRequestID()); - assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); - assertNotNull(e.getOriginalException()); - isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); - assertEquals("sp.pvp2.05", ((EaafException) e.getOriginalException()).getErrorId()); - } - } - - @Test - public void httpPostValidSignedWithErrorAndEmptySubCode() throws IOException, SamlSigningException, - Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, - MarshallingException, TransformerException { - - metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( - METADATA_PATH, null, "jUnit IDP", null)); - - final Response response = initializeResponse( - "classpath:/data/idp_metadata_classpath_entity.xml", - "/data/Response_without_sig_with_error_empty_subcode.xml", - credentialProvider.getMessageSigningCredential(), - true); - httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( - DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( - "UTF-8"))); - - try { - task.execute(pendingReq, executionContext); - fail("Invalid response not detected"); - - } catch (final TaskExecutionException e) { - assertNotNull(e.getPendingRequestID()); - assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); - assertNotNull(e.getOriginalException()); - isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); - assertEquals("sp.pvp2.05", ((EaafException) e.getOriginalException()).getErrorId()); - - } - } - - @Test - public void httpPostValidSignedAssertionEidValid() throws IOException, SamlSigningException, - Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, - MarshallingException, TransformerException, TaskExecutionException, EaafStorageException { - - metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( - METADATA_PATH, null, "jUnit IDP", null)); - - final Response response = initializeResponse( - "classpath:/data/idp_metadata_classpath_entity.xml", - "/data/Response_with_EID.xml", - credentialProvider.getMessageSigningCredential(), - true); - httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( - DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( - "UTF-8"))); - - // put SimpleEidasData in session - final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); - final SimpleEidasData eidData = new SimpleEidasData(); - eidData.setFamilyName("Mustermann"); - eidData.setGivenName("Max"); - eidData.setDateOfBirth("1940-01-01"); - authProcessData.setGenericDataToSession(Constants.DATA_SIMPLE_EIDAS, eidData); - - // perform task - task.execute(pendingReq, executionContext); - - // validate state - final AuthProcessDataWrapper session = pendingReq.getSessionData(AuthProcessDataWrapper.class); - assertEquals("LoA", "http://eidas.europa.eu/LoA/low", session.getQaaLevel()); - assertEquals("IssueInstant", "2014-03-05T06:39:51Z", session.getIssueInstantString()); - - //TODO: - - } - - @Test - public void httpPostValidSignedAssertionEidValidButNameMissmatch() throws IOException, SamlSigningException, - Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, - MarshallingException, TransformerException, TaskExecutionException, EaafStorageException { - - metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( - METADATA_PATH, null, "jUnit IDP", null)); - - final Response response = initializeResponse( - "classpath:/data/idp_metadata_classpath_entity.xml", - "/data/Response_with_EID.xml", - credentialProvider.getMessageSigningCredential(), - true); - httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( - DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( - "UTF-8"))); - - // put SimpleEidasData in session - final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); - final SimpleEidasData eidData = new SimpleEidasData(); - eidData.setFamilyName("Mustermann1"); - eidData.setGivenName("Max"); - eidData.setDateOfBirth("1940-01-01"); - authProcessData.setGenericDataToSession(Constants.DATA_SIMPLE_EIDAS, eidData); - - // perform task - try { - task.execute(pendingReq, executionContext); - fail("Invalid response not detected"); - - } catch (final TaskExecutionException e) { - assertNotNull(e.getPendingRequestID()); - assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); - assertNotNull(e.getOriginalException()); - isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); - assertTrue(e.getOriginalException().getCause() instanceof InvalidUserInputException); - } - - } - - private Response initializeResponse(String idpEntityId, String responsePath, EaafX509Credential credential, - boolean validConditions) throws SamlSigningException, XMLParserException, UnmarshallingException, - Pvp2MetadataException { - - final Response response = (Response) XMLObjectSupport.unmarshallFromInputStream( - XMLObjectProviderRegistrySupport.getParserPool(), - ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest.class.getResourceAsStream( - responsePath)); - response.setIssueInstant(DateTime.now()); - final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class); - issuer.setValue(idpEntityId); - response.setIssuer(issuer); - - if (validConditions) { - response.getAssertions().get(0).getConditions().setNotOnOrAfter(DateTime.now().plusMinutes(5)); - - } - - return Saml2Utils.signSamlObject(response, credential, true); - } - -} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseTaskTest.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseTaskTest.java new file mode 100644 index 00000000..5ea7b59b --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseTaskTest.java @@ -0,0 +1,371 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.test.tasks; + +import at.asitplus.eidas.specific.connector.test.config.dummy.MsConnectorDummyConfigMap; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.InvalidUserInputException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider.IdAustriaClientAuthCredentialProvider; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.provider.IdAustriaClientAuthMetadataProvider; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.RegisterSearchService; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.ReceiveMobilePhoneSignatureResponseTask; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.test.dummy.DummyOA; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.test.dummy.DummyPendingRequest; +import at.gv.egiz.eaaf.core.api.data.EaafConstants; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper; +import at.gv.egiz.eaaf.core.impl.idp.process.ExecutionContextImpl; +import at.gv.egiz.eaaf.core.impl.utils.DomUtils; +import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnResponseValidationException; +import net.shibboleth.utilities.java.support.xml.ParserPool; +import org.apache.commons.io.IOUtils; +import org.apache.commons.lang3.RandomStringUtils; +import org.jetbrains.annotations.NotNull; +import org.joda.time.DateTime; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; +import org.opensaml.core.xml.io.MarshallingException; +import org.opensaml.core.xml.util.XMLObjectSupport; +import org.opensaml.saml.saml2.core.Issuer; +import org.opensaml.saml.saml2.core.Response; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.mock.web.MockHttpServletResponse; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.web.context.request.RequestContextHolder; +import org.springframework.web.context.request.ServletRequestAttributes; + +import javax.xml.transform.TransformerException; +import java.io.IOException; +import java.io.InputStream; +import java.nio.charset.StandardCharsets; +import java.util.Base64; +import java.util.Objects; + +import static org.junit.Assert.*; +import static org.springframework.util.Assert.isInstanceOf; + +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration(locations = { + "/SpringTest-context_tasks_test.xml", + "/SpringTest-context_basic_mapConfig.xml" +}) +public class ReceiveMobilePhoneSignatureResponseTaskTest { + + private static final String METADATA_PATH = "classpath:/data/idp_metadata_classpath_entity.xml"; + + @Autowired + protected MsConnectorDummyConfigMap authConfig; + @Autowired + private IdAustriaClientAuthMetadataProvider metadataProvider; + @Autowired + private IdAustriaClientAuthCredentialProvider credentialProvider; + @Autowired + private PvpMetadataResolverFactory metadataFactory; + @Autowired + private ReceiveMobilePhoneSignatureResponseTask task; + + private final ExecutionContext executionContext = new ExecutionContextImpl(); + private MockHttpServletRequest httpReq; + private MockHttpServletResponse httpResp; + private DummyPendingRequest pendingReq; + + /** + * JUnit class initializer. + * + * @throws Exception In case of an OpenSAML3 initialization error + */ + @BeforeClass + public static void initialize() throws Exception { + EaafOpenSaml3xInitializer.eaafInitialize(); + } + + /** + * jUnit test set-up. + * + * @throws Exception In case of an set-up error + */ + @Before + public void setUp() throws Exception { + httpReq = new MockHttpServletRequest("POST", "https://localhost/authhandler"); + httpReq.setScheme("https"); + httpReq.setServerPort(443); + httpReq.setContextPath("/authhandler"); + httpResp = new MockHttpServletResponse(); + RequestContextHolder.resetRequestAttributes(); + RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpReq, httpResp)); + + authConfig.putConfigValue(IdAustriaClientAuthConstants.CONFIG_PROPS_ID_AUSTRIA_ENTITYID, METADATA_PATH); + + DummyOA oaParam = new DummyOA(); + oaParam.setUniqueAppId("http://test.com/test"); + oaParam.setTargetIdentifier(EaafConstants.URN_PREFIX_CDID + RandomStringUtils.randomAlphabetic(2)); + + pendingReq = new DummyPendingRequest(); + pendingReq.initialize(httpReq, authConfig); + pendingReq.setPendingRequestId(RandomStringUtils.randomAlphanumeric(10)); + pendingReq.setOnlineApplicationConfiguration(oaParam); + + metadataProvider.fullyDestroy(); + } + + @Test + public void unsupportedHttpMethod() { + httpReq = new MockHttpServletRequest("PUT", "https://localhost/authhandler"); + RequestContextHolder.resetRequestAttributes(); + RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpReq, httpResp)); + + TaskExecutionException e = assertThrows(TaskExecutionException.class, + () -> task.execute(pendingReq, executionContext)); + + assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); + isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); + assertEquals("sp.pvp2.03", ((AuthnResponseValidationException) e.getOriginalException()).getErrorId()); + } + + @Test + public void httpGetNoMessage() { + httpReq = new MockHttpServletRequest("GET", "https://localhost/authhandler"); + RequestContextHolder.resetRequestAttributes(); + RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpReq, httpResp)); + + TaskExecutionException e = assertThrows(TaskExecutionException.class, + () -> task.execute(pendingReq, executionContext)); + + assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); + isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); + assertEquals("sp.pvp2.12", ((AuthnResponseValidationException) e.getOriginalException()).getErrorId()); + + } + + @Test + public void httpPostNoMessage() { + httpReq = new MockHttpServletRequest("POST", "https://localhost/authhandler"); + RequestContextHolder.resetRequestAttributes(); + RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpReq, httpResp)); + + TaskExecutionException e = assertThrows(TaskExecutionException.class, + () -> task.execute(pendingReq, executionContext)); + + assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); + isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); + assertEquals("sp.pvp2.12", ((AuthnResponseValidationException) e.getOriginalException()).getErrorId()); + } + + @Test + public void httpPostMessageNotSigned() throws IOException { + byte[] bytes = IOUtils.toByteArray(ReceiveMobilePhoneSignatureResponseTask.class + .getResourceAsStream("/data/Response_without_sig_classpath_entityid.xml")); + httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString(bytes)); + + TaskExecutionException e = assertThrows(TaskExecutionException.class, + () -> task.execute(pendingReq, executionContext)); + + assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); + isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); + assertEquals("sp.pvp2.12", ((AuthnResponseValidationException) e.getOriginalException()).getErrorId()); + + } + + @Test + public void httpPostMessageWrongDestinationEndpoint() throws Exception { + initResponse("/data/Response_with_wrong_destination_endpoint.xml", true); + + TaskExecutionException e = assertThrows(TaskExecutionException.class, + () -> task.execute(pendingReq, executionContext)); + + assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); + isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); + assertEquals("sp.pvp2.12", ((AuthnResponseValidationException) e.getOriginalException()).getErrorId()); + + } + + @Test + public void httpPostValidSignedNoMetadata() throws Exception { + initResponse("/data/Response_without_sig_classpath_entityid.xml", true); + + TaskExecutionException e = assertThrows(TaskExecutionException.class, + () -> task.execute(pendingReq, executionContext)); + + assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); + isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); + assertEquals("sp.pvp2.11", ((EaafException) e.getOriginalException()).getErrorId()); + } + + @Test + public void httpPostValidSignedAssertionOutDated() throws Exception { + metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( + METADATA_PATH, null, "jUnit IDP", null)); + initResponse("/data/Response_without_sig_classpath_entityid.xml", false); + + TaskExecutionException e = assertThrows(TaskExecutionException.class, + () -> task.execute(pendingReq, executionContext)); + + assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); + isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); + assertEquals("sp.pvp2.12", ((EaafException) e.getOriginalException()).getErrorId()); + } + + @Test + public void httpPostValidSignedAssertionFromWrongIdp() throws Exception { + authConfig.putConfigValue(IdAustriaClientAuthConstants.CONFIG_PROPS_ID_AUSTRIA_ENTITYID, + "http://wrong.idp/" + RandomStringUtils.randomAlphabetic(5)); + metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( + METADATA_PATH, null, "jUnit IDP", null)); + initResponse("/data/Response_without_sig_classpath_entityid.xml", true); + + TaskExecutionException e = assertThrows(TaskExecutionException.class, + () -> task.execute(pendingReq, executionContext)); + + assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); + isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); + assertEquals("sp.pvp2.08", ((EaafException) e.getOriginalException()).getErrorId()); + } + + @Test + public void httpPostValidSignedAssertionMissingAttributes() throws Exception { + metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( + METADATA_PATH, null, "jUnit IDP", null)); + initResponse("/data/Response_without_sig_classpath_entityid.xml", true); + + TaskExecutionException e = assertThrows(TaskExecutionException.class, + () -> task.execute(pendingReq, executionContext)); + + assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); + isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); + assertEquals("sp.pvp2.12", ((EaafException) e.getOriginalException()).getErrorId()); + } + + @Test + public void httpPostValidSignedWithError() throws Exception { + metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( + METADATA_PATH, null, "jUnit IDP", null)); + initResponse("/data/Response_without_sig_with_error.xml", true); + + TaskExecutionException e = assertThrows(TaskExecutionException.class, + () -> task.execute(pendingReq, executionContext)); + + assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); + isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); + assertEquals("sp.pvp2.05", ((EaafException) e.getOriginalException()).getErrorId()); + } + + @Test + public void httpPostValidSignedWitUserStopErrorCode() throws Exception { + metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( + METADATA_PATH, null, "jUnit IDP", null)); + initResponse("/data/Response_without_sig_with_error_userstop.xml", true); + + task.execute(pendingReq, executionContext); + + assertTrue("process not cancelled", executionContext.isProcessCancelled()); + assertTrue("process not stopped by user", pendingReq.isAbortedByUser()); + assertFalse("should not authenticated", pendingReq.isAuthenticated()); + } + + @Test + public void httpPostValidSignedWithErrorAndNoSubCode() throws Exception { + metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( + METADATA_PATH, null, "jUnit IDP", null)); + initResponse("/data/Response_without_sig_with_error_without_subcode.xml", true); + + TaskExecutionException e = assertThrows(TaskExecutionException.class, + () -> task.execute(pendingReq, executionContext)); + + assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); + isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); + assertEquals("sp.pvp2.05", ((EaafException) e.getOriginalException()).getErrorId()); + } + + @Test + public void httpPostValidSignedWithErrorAndEmptySubCode() throws Exception { + metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( + METADATA_PATH, null, "jUnit IDP", null)); + initResponse("/data/Response_without_sig_with_error_empty_subcode.xml", true); + + TaskExecutionException e = assertThrows(TaskExecutionException.class, + () -> task.execute(pendingReq, executionContext)); + + assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); + isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); + assertEquals("sp.pvp2.05", ((EaafException) e.getOriginalException()).getErrorId()); + } + + @Test + public void httpPostValidSignedAssertionEidValidButNameMismatch() throws Exception { + metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( + METADATA_PATH, null, "jUnit IDP", null)); + initResponse("/data/Response_with_EID.xml", true); + AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); + SimpleEidasData eidData = createEidasDataMatchingToSamlResponse(); + eidData.setFamilyName(eidData.getFamilyName() + "notmatching"); + authProcessData.setGenericDataToSession(Constants.DATA_SIMPLE_EIDAS, eidData); + + TaskExecutionException e = assertThrows(TaskExecutionException.class, + () -> task.execute(pendingReq, executionContext)); + + assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); + isInstanceOf(AuthnResponseValidationException.class, e.getOriginalException()); + isInstanceOf(InvalidUserInputException.class, e.getOriginalException().getCause()); + } + + @Test + public void httpPostValidSignedAssertionEidValid() throws Exception { + // klar darstellen: was ist input, was ist dann expected output ... eigentlich für alle tasks! + metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( + METADATA_PATH, null, "jUnit IDP", null)); + initResponse("/data/Response_with_EID.xml", true); + AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); + SimpleEidasData eidData = createEidasDataMatchingToSamlResponse(); + authProcessData.setGenericDataToSession(Constants.DATA_SIMPLE_EIDAS, eidData); + + task.execute(pendingReq, executionContext); + + AuthProcessDataWrapper session = pendingReq.getSessionData(AuthProcessDataWrapper.class); + assertEquals("LoA", "http://eidas.europa.eu/LoA/low", session.getQaaLevel()); + assertEquals("IssueInstant", "2014-03-05T06:39:51Z", session.getIssueInstantString()); + + //TODO this is the good case + } + + @NotNull + private SimpleEidasData createEidasDataMatchingToSamlResponse() { + // data from "/data/Response_with_EID.xml" + SimpleEidasData result = new SimpleEidasData(); + result.setFamilyName("Mustermann"); + result.setGivenName("Max"); + result.setDateOfBirth("1940-01-01"); + return result; + } + + private void addSamlResponseToHttpReq(Response response) throws TransformerException, IOException, MarshallingException { + String node = DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)); + String base64encoded = Base64.getEncoder().encodeToString(node.getBytes(StandardCharsets.UTF_8)); + httpReq.addParameter("SAMLResponse", base64encoded); + } + + private void initResponse(String responsePath, boolean validConditions) throws Exception { + InputStream inputStream = ReceiveMobilePhoneSignatureResponseTaskTest.class.getResourceAsStream(responsePath); + ParserPool parserPool = Objects.requireNonNull(XMLObjectProviderRegistrySupport.getParserPool()); + Response response = (Response) XMLObjectSupport.unmarshallFromInputStream(parserPool, inputStream); + response.setIssueInstant(DateTime.now()); + Issuer issuer = Saml2Utils.createSamlObject(Issuer.class); + issuer.setValue("classpath:/data/idp_metadata_classpath_entity.xml"); + response.setIssuer(issuer); + if (validConditions) { + response.getAssertions().get(0).getConditions().setNotOnOrAfter(DateTime.now().plusMinutes(5)); + } + Response signedResponse = Saml2Utils.signSamlObject(response, credentialProvider.getMessageSigningCredential(), true); + addSamlResponseToHttpReq(signedResponse); + } + +} |