Diffstat (limited to 'eidas_modules/authmodule-eIDAS-v2')
-rw-r--r--eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleMobileSignatureData.java66
-rw-r--r--eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask.java31
-rw-r--r--eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest.java78
3 files changed, 164 insertions, 11 deletions
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleMobileSignatureData.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleMobileSignatureData.java
new file mode 100644
index 00000000..254b8c70
--- /dev/null
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleMobileSignatureData.java
@@ -0,0 +1,66 @@
+/*
+ * Copyright 2020 A-SIT Plus GmbH
+ * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ,
+ * A-SIT Plus GmbH, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "License");
+ * You may not use this work except in compliance with the License.
+ * You may obtain a copy of the License at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+package at.asitplus.eidas.specific.modules.auth.eidas.v2.dao;
+
+import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.WorkflowException;
+import at.gv.e_government.reference.namespace.persondata._20020228.PostalAddressType;
+import lombok.Data;
+
+@Data
+public class SimpleMobileSignatureData {
+
+ private String citizenCountryCode;
+
+ private String bpk;
+ private String givenName;
+ private String familyName;
+ private String dateOfBirth;
+
+
+ public boolean equalsSimpleEidasData(SimpleEidasData result) {
+ if (!result.getGivenName().equals(givenName)) {
+ return false;
+ }
+ if (!result.getFamilyName().equals(familyName)) {
+ return false;
+ }
+ if (!result.getDateOfBirth().equals(dateOfBirth)) {
+ return false;
+ }
+ return true;
+ }
+
+ private boolean equals(String a, String b) {
+ if (a == null && b == null) {
+ return true;
+ }
+ if (a == null) {
+ return false;
+ }
+ if (b == null) {
+ return false;
+ }
+ return a.equals(b);
+ }
+}
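Review bot: equalsSimpleEidasData dereferences result.getGivenName(), getFamilyName() and getDateOfBirth() without a null check, so an eIDAS record with a missing attribute ends in a NullPointerException instead of a controlled mismatch, while the null-safe private equals(String, String) helper declared directly below it is never called. The body should become `return equals(result.getGivenName(), givenName) && equals(result.getFamilyName(), familyName) && equals(result.getDateOfBirth(), dateOfBirth);`, which treats an absent value on either side as a mismatch. The imports of WorkflowException and PostalAddressType and the citizenCountryCode field are unused in this file. A Javadoc on the method stating that the match is decided by given name, family name and date of birth only (bpk and country code are not compared) would document the rule this check enforces.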
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask.java
index d919d229..101e7c29 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask.java
@@ -27,7 +27,9 @@ import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants;
import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.MergedRegisterSearchResult;
import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.RegisterResult;
import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData;
+import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleMobileSignatureData;
import at.asitplus.eidas.specific.modules.auth.eidas.v2.ernp.IErnpClient;
+import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.InvalidUserInputException;
import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.ManualFixNecessaryException;
import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.EidasAuthEventConstants;
import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants;
@@ -35,6 +37,7 @@ import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustri
import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthMetadataProvider;
import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.Utils;
import at.asitplus.eidas.specific.modules.auth.eidas.v2.zmr.IZmrClient;
+import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions;
import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions;
import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
import at.gv.egiz.eaaf.core.exceptions.EaafBuilderException;
@@ -188,12 +191,16 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends
}
-
// initialize Attribute extractor
final AssertionAttributeExtractor extractor =
new AssertionAttributeExtractor(processedMsg.getFirst().getResponse());
- String bpkzp = getAuthDataFromInterfederation(extractor, authProcessData);
+ SimpleMobileSignatureData simpleMobileSignatureData = getAuthDataFromInterfederation(extractor, authProcessData);
+ if(!simpleMobileSignatureData.equalsSimpleEidasData(eidData)) {
+ //User cheated?
+ throw new InvalidUserInputException();//TODO
+ }
+ String bpkzp = simpleMobileSignatureData.getBpk();
MergedRegisterSearchResult result = searchInZmrAndErnp(bpkzp);
if (result.getResultCount() == 0) {
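Review bot: The mismatch branch throws a bare `InvalidUserInputException()` marked `//TODO`, so the rejection carries no error code or message and nothing is logged before the exception leaves the task; the enclosing method starts and ends outside the hunk. Because this check binds the identity in the ID Austria assertion to the eIDAS identity held in the session, a mismatch is an event operators will want to see, so a warn-level log line carrying the pending-request id but not the names or date of birth should precede the throw, and the exception should be constructed with the error code and parameters used by the other throw sites of this class (not visible here). The `//User cheated?` comment should state the rule instead, e.g. `// identity from ID Austria must match the eIDAS identity of this session`. Where eidData is loaded is outside the hunk; if it can be null there, that case should fail before this comparison is reached.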
@@ -307,11 +314,12 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends
return null;
}
- private String getAuthDataFromInterfederation(AssertionAttributeExtractor extractor,
- AuthProcessDataWrapper authProcessData)
+ private SimpleMobileSignatureData getAuthDataFromInterfederation(AssertionAttributeExtractor extractor,
+ AuthProcessDataWrapper authProcessData)
throws EaafBuilderException {
List<String> requiredAttributes = IdAustriaClientAuthConstants.DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES;
+ SimpleMobileSignatureData simpleMobileSignatureData = new SimpleMobileSignatureData();
String bpk = null;
try {
// check if all attributes are include
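Review bot: `String bpk = null;` directly below the new SimpleMobileSignatureData local is now dead, because the later hunks replace its only assignment with `simpleMobileSignatureData.setBpk(...)` and `return bpk` with `return simpleMobileSignatureData`; delete the declaration. The method body continues in the following hunks.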
@@ -328,13 +336,20 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends
map.put(attrName, extractor.getSingleAttributeValue(attrName));
if (PvpAttributeDefinitions.BPK_NAME.equals(attrName)) {
- bpk = extractor.getSingleAttributeValue(attrName);
+ simpleMobileSignatureData.setBpk(extractor.getSingleAttributeValue(attrName));
+ }
+ if (PvpAttributeDefinitions.GIVEN_NAME_NAME.equals(attrName)) {
+ simpleMobileSignatureData.setGivenName(extractor.getSingleAttributeValue(attrName));
+ }
+ if (PvpAttributeDefinitions.PRINCIPAL_NAME_NAME.equals(attrName)) {
+ simpleMobileSignatureData.setFamilyName(extractor.getSingleAttributeValue(attrName));
+ }
+ if (PvpAttributeDefinitions.BIRTHDATE_NAME.equals(attrName)) {
+ simpleMobileSignatureData.setDateOfBirth(extractor.getSingleAttributeValue(attrName));
}
if (PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME.equals(attrName)) {
authProcessData.setQaaLevel(extractor.getSingleAttributeValue(attrName));
}
- //injectAuthInfosIntoSession(session, attrName,
- // extractor.getSingleAttributeValue(attrName));
}
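Review bot: Every branch calls `extractor.getSingleAttributeValue(attrName)` again although the same value was just fetched for `map.put` on the first line of the hunk; read it once into a local, `final String attrValue = extractor.getSingleAttributeValue(attrName);`, and pass that to `map.put` and to the setters. The four `if` blocks on attrName are mutually exclusive and read more clearly as an `if`/`else if` chain. citizenCountryCode on SimpleMobileSignatureData is never set in this loop, so it is always null on the returned object; either populate it from the corresponding attribute or drop the field. The loop begins and the method ends outside the hunk.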
@@ -370,7 +385,7 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends
throw new EaafBuilderException(ERROR_PVP_06, null, e.getMessage(), e);
}
- return bpk;
+ return simpleMobileSignatureData;
}
// private void injectAuthInfosIntoSession(AhAuthProcessDataWrapper session, String attrName, String attrValue)
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest.java
index 2e3da7bc..fbf011b1 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest.java
@@ -6,6 +6,10 @@ import java.util.Base64;
import javax.xml.transform.TransformerException;
+import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants;
+import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.MergedRegisterSearchResult;
+import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData;
+import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.InvalidUserInputException;
import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants;
import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthCredentialProvider;
import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthMetadataProvider;
@@ -13,6 +17,7 @@ import at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.ReceiveMobilePhone
import at.asitplus.eidas.specific.modules.auth.eidas.v2.test.dummy.DummyAuthConfigMap;
import at.asitplus.eidas.specific.modules.auth.eidas.v2.test.dummy.DummyOA;
import at.asitplus.eidas.specific.modules.auth.eidas.v2.test.dummy.DummyPendingRequest;
+import at.gv.egiz.eaaf.core.exceptions.EaafStorageException;
import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.RandomStringUtils;
@@ -520,7 +525,7 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest {
@Test
public void httpPostValidSignedAssertionEidValid() throws IOException, SamlSigningException,
Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException,
- MarshallingException, TransformerException, TaskExecutionException {
+ MarshallingException, TransformerException, TaskExecutionException, EaafStorageException {
oaParam.putGenericConfigurationKey(
IdAustriaClientAuthConstants.CONFIG_PROPS_APPSPECIFIC_EIDAS_NODE_URL, METADATA_PATH);
@@ -536,6 +541,14 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest {
httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString(
DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes("UTF-8")));
+ //put SimpleEidasData in session
+ final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class);
+ SimpleEidasData eidData = new SimpleEidasData();
+ eidData.setFamilyName("Mustermann");
+ eidData.setGivenName("Max");
+ eidData.setDateOfBirth("1940-01-01");
+ authProcessData.setGenericDataToSession(Constants.DATA_SIMPLE_EIDAS, eidData);
+
//perform task
task.execute(pendingReq, executionContext);
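Review bot: The seven-line block that builds a SimpleEidasData with Mustermann/Max/1940-01-01 and stores it under Constants.DATA_SIMPLE_EIDAS is repeated verbatim in httpPostValidSignedAssertionLegacyValid and httpPostValidSignedAssertionWithLegacyAndEid, and with one changed value in the new mismatch test; extract it into a private helper such as `putEidasDataIntoSession(String familyName, String givenName, String dateOfBirth)` so the fixture values are defined in one place. The test method starts outside the hunk.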
@@ -580,9 +593,52 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest {
}
@Test
+ public void httpPostValidSignedAssertionEidValidButNameMissmatch() throws IOException, SamlSigningException,
+ Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException,
+ MarshallingException, TransformerException, TaskExecutionException, EaafStorageException {
+
+ oaParam.putGenericConfigurationKey(
+ IdAustriaClientAuthConstants.CONFIG_PROPS_APPSPECIFIC_EIDAS_NODE_URL, METADATA_PATH);
+
+ metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider(
+ METADATA_PATH, null, "jUnit IDP", null));
+
+ final Response response = initializeResponse(
+ "classpath:/data/idp_metadata_classpath_entity.xml",
+ "/data/Response_with_EID.xml",
+ credentialProvider.getMessageSigningCredential(),
+ true);
+ httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString(
+ DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes("UTF-8")));
+
+ //put SimpleEidasData in session
+ final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class);
+ SimpleEidasData eidData = new SimpleEidasData();
+ eidData.setFamilyName("Mustermann1");
+ eidData.setGivenName("Max");
+ eidData.setDateOfBirth("1940-01-01");
+ authProcessData.setGenericDataToSession(Constants.DATA_SIMPLE_EIDAS, eidData);
+
+ //perform task
+ try {
+ task.execute(pendingReq, executionContext);
+ Assert.fail("Invalid response not detected");
+
+ } catch (final TaskExecutionException e) {
+ Assert.assertNotNull(e.getPendingRequestID());
+ Assert.assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID());
+ Assert.assertNotNull(e.getOriginalException());
+ org.springframework.util.Assert.isInstanceOf(AuthnResponseValidationException.class,
+ e.getOriginalException());
+ Assert.assertTrue(e.getOriginalException().getCause() instanceof InvalidUserInputException);
+ }
+
+ }
+
+ @Test
public void httpPostValidSignedAssertionLegacyValid() throws IOException, SamlSigningException,
Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException,
- MarshallingException, TransformerException, TaskExecutionException {
+ MarshallingException, TransformerException, TaskExecutionException, EaafStorageException {
// authConfig.putConfigValue(AuthHandlerConstants.PROP_CONFIG_LEGACY_ALLOW, "true");
oaParam.putGenericConfigurationKey(
IdAustriaClientAuthConstants.CONFIG_PROPS_APPSPECIFIC_EIDAS_NODE_URL, METADATA_PATH);
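Review bot: The new test exercises only a family-name mismatch; given-name and birthdate mismatches, and an eIDAS record with a null attribute, go through the same comparison and need their own cases, ideally driven from one parameterized body rather than another copy of these forty lines. The method name `httpPostValidSignedAssertionEidValidButNameMissmatch` misspells mismatch. The catch block mixes org.springframework.util.Assert.isInstanceOf with JUnit's Assert; `Assert.assertTrue(e.getOriginalException() instanceof AuthnResponseValidationException);` keeps the assertions in one framework.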
@@ -590,6 +646,14 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest {
metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider(
METADATA_PATH, null, "jUnit IDP", null));
+ //put SimpleEidasData in session
+ final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class);
+ SimpleEidasData eidData = new SimpleEidasData();
+ eidData.setFamilyName("Mustermann");
+ eidData.setGivenName("Max");
+ eidData.setDateOfBirth("1940-01-01");
+ authProcessData.setGenericDataToSession(Constants.DATA_SIMPLE_EIDAS, eidData);
+
final Response response = initializeResponse(
"classpath:/data/idp_metadata_classpath_entity.xml",
"/data/Response_with_legacy.xml",
@@ -647,7 +711,7 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest {
@Test
public void httpPostValidSignedAssertionWithLegacyAndEid() throws IOException, SamlSigningException,
Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException,
- MarshallingException, TransformerException, TaskExecutionException {
+ MarshallingException, TransformerException, TaskExecutionException, EaafStorageException {
oaParam.putGenericConfigurationKey(
IdAustriaClientAuthConstants.CONFIG_PROPS_APPSPECIFIC_EIDAS_NODE_URL, METADATA_PATH);
@@ -655,6 +719,14 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTaskTest {
metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider(
METADATA_PATH, null, "jUnit IDP", null));
+ //put SimpleEidasData in session
+ final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class);
+ SimpleEidasData eidData = new SimpleEidasData();
+ eidData.setFamilyName("Mustermann");
+ eidData.setGivenName("Max");
+ eidData.setDateOfBirth("1940-01-01");
+ authProcessData.setGenericDataToSession(Constants.DATA_SIMPLE_EIDAS, eidData);
+
final Response response = initializeResponse(
"classpath:/data/idp_metadata_classpath_entity.xml",
"/data/Response_with_legacy_and_EID.xml",