Diffstat (limited to 'modules/eidas_proxy-sevice/src/main/java/at/asitplus')
4 files changed, 101 insertions, 2 deletions
diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticWorkaroundPersonRoleHandler.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticWorkaroundPersonRoleHandler.java new file mode 100644 index 00000000..6f855c14 --- /dev/null +++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticWorkaroundPersonRoleHandler.java @@ -0,0 +1,35 @@ +package at.asitplus.eidas.specific.modules.msproxyservice.handler; + +import at.gv.egiz.eaaf.core.api.idp.IEidAuthData; +import at.gv.egiz.eaaf.core.impl.idp.EidAuthenticationData; +import lombok.NonNull; +import lombok.extern.slf4j.Slf4j; + + +/** + * eJustic PersonRole attribute-handler for natural-person use-cases only. + * + * <p>In that special case, the legal-person mandate will be ignored and + * eIDAS response looks like a normal authentication without mandates.</p> + * + * @author tlenz + * + */ +@Slf4j +public class EJusticWorkaroundPersonRoleHandler extends EJusticePersonRoleHandler { + + @Override + public void performAuthDataPostprocessing(@NonNull IEidAuthData authData) { + if (authData.isUseMandate()) { + log.info("eJusticeNaturalPersonRole was requested by SP. " + + "Perform work-around and partially ignoring mandate from IDA system ... "); + ((EidAuthenticationData)authData).setUseMandate(false); + + } else { + log.info("eJustice attribute was requested but no mandate from ID Austria. " + + "Something looks wrong, but use it as it is."); + + } + } + +} diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticePersonRoleHandler.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticePersonRoleHandler.java index 6a5e4967..f8c14ceb 100644 
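Review bot: The downcast `((EidAuthenticationData)authData).setUseMandate(false)` in performAuthDataPostprocessing is unchecked, so any other IEidAuthData implementation that reaches this handler fails with a ClassCastException, and with the catch-all in the calling code on this page the eIDAS response would then be built from the unmodified mandate data. A guarded form keeps that failure explicit rather than silent: `if (!(authData instanceof EidAuthenticationData)) { throw new IllegalStateException("authData of type " + authData.getClass().getName() + " does not support the eJustice mandate work-around"); }` placed before the cast. The class Javadoc and the log line describe the mandate as only "partially" ignored, but the code flips just the useMandate flag; a sentence stating what happens to mandator attributes already present in authData (I cannot tell from this hunk) would help the next reader. No bean registration is visible on the class; if the handler is resolved by name through the application context as the other hunks suggest, it must be registered under exactly the name the attribute registry maps to.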
--- a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticePersonRoleHandler.java +++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticePersonRoleHandler.java @@ -57,7 +57,13 @@ public class EJusticePersonRoleHandler implements IEidasAttributeHandler { spConfig.getRequestedAttributes().addAll(additionalReqAttributes); log.info("Add additional requested attributes: {}", additionalReqAttributes); - } + } + } + + @Override + public void performAuthDataPostprocessing(@NonNull IEidAuthData authData) { + log.trace("{} needs no post processing of authData, because we are in regular mode of operation.", + EJusticePersonRoleHandler.class.getName()); } diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/IEidasAttributeHandler.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/IEidasAttributeHandler.java index 5a9c8d8c..36deba30 100644 --- a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/IEidasAttributeHandler.java +++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/IEidasAttributeHandler.java @@ -23,6 +23,15 @@ public interface IEidasAttributeHandler { /** + * Perform attribute-specific post-processing of authentication information. + * + * @param authData authentication information from ID Austria system that should be post processed. + */ + @NonNull + void performAuthDataPostprocessing(@NonNull IEidAuthData authData); + + + /** * Build eIDAS attribute-value from authentication data. * * @param eidAuthData Authentication data for current process 
diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/ProxyServiceAuthenticationAction.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/ProxyServiceAuthenticationAction.java index f1cb8f0b..7d01deda 100644 --- a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/ProxyServiceAuthenticationAction.java +++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/ProxyServiceAuthenticationAction.java @@ -1,8 +1,11 @@ package at.asitplus.eidas.specific.modules.msproxyservice.protocol; import java.io.IOException; +import java.util.Objects; import java.util.Optional; +import java.util.Set; import java.util.UUID; +import java.util.stream.Collectors; import javax.annotation.PostConstruct; import javax.servlet.ServletException; @@ -205,9 +208,14 @@ public class ProxyServiceAuthenticationAction implements IAction { } + + private ImmutableAttributeMap buildAttributesFromAuthData(IAuthData authData, ILightRequest eidasReq) { - final IEidAuthData eidAuthData = (IEidAuthData) authData; + + // eIDAS Out-Going and attribute-specific post-processing of authentication data + final IEidAuthData eidAuthData = performAuthdataPostprocessing(authData, eidasReq); + final ImmutableAttributeMap.Builder attributeMap = ImmutableAttributeMap.builder(); // inject all requested attributres 
@@ -369,5 +377,46 @@ public class ProxyServiceAuthenticationAction implements IAction { PvpAttributeDefinitions.MANDATE_LEG_PER_SOURCE_PIN_NAME, String.class)); } + + /** + * Post-processing of authentication data based on requested attributes. + * + * @param authData Authentication data from ID Austria system. + * @param eidasRequest AuthnRequest from foreign country + * @return AuthnRequest specific modification of authentication data + */ + private IEidAuthData performAuthdataPostprocessing(IAuthData authData, ILightRequest eidasRequest) { + IEidAuthData idaAuthData = (IEidAuthData) authData; + + // select advanced attribute handler + Set<String> requiredHandlers = eidasRequest.getRequestedAttributes().getAttributeMap().keySet().stream() + .map(el -> attrRegistry.mapEidasAttributeToAttributeHandler(el.getNameUri().toString()).orElse(null)) + .filter(Objects::nonNull) + .distinct() + .collect(Collectors.toSet()); + + if (!requiredHandlers.isEmpty()) { + log.info("eIDAS requested attributes requires #{} specific attribute-hander. " + + "Starting advanced post-processing of authentication data ... ", requiredHandlers.size()); + requiredHandlers.forEach(el -> executeAttributeHandler(el, idaAuthData)); + + } + + return idaAuthData; + + } + + private void executeAttributeHandler(String handlerClass, IEidAuthData authData) { + try { + IEidasAttributeHandler handler = context.getBean(handlerClass, IEidasAttributeHandler.class); + + log.trace("Perfom authData post-processing by using: {}", handler.getClass().getName()); + handler.performAuthDataPostprocessing(authData); + + } catch (Exception e) { + log.error("No custom attribute-handler implementation for: {}. Operation can NOT be performed", handlerClass, e); + + } + } } |
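Review bot: The `catch (Exception e)` in executeAttributeHandler wraps both the bean lookup and `handler.performAuthDataPostprocessing(authData)`, so a handler that throws part-way is logged as "No custom attribute-handler implementation" and the caller goes on to build the eIDAS response from authData that was never post-processed — since the handlers exist to restrict what the response contains (the eJustice one drops the mandate), this is fail-open. Narrow the catch to the lookup (if `context` is a Spring ApplicationContext, `NoSuchBeanDefinitionException`) and let handler exceptions propagate so the response is aborted instead of sent with unfiltered data; whether a missing handler bean should also abort is a policy call, but it should not be masked together with the handler's own errors. performAuthdataPostprocessing mutates and returns the same idaAuthData instance, while its Javadoc `@return` reads as if a modified copy were produced — `@return the same authData instance, modified in place by the selected handlers` would be accurate. Smaller points: `.distinct()` before `Collectors.toSet()` is redundant, handlers run in the unspecified iteration order of the resulting set (worth a `// NOTE: handler execution order is unspecified` if two handlers ever touch the same fields), and the log messages have typos ("Perfom", "attribute-hander").
```java
  private void executeAttributeHandler(String handlerClass, IEidAuthData authData) {
    final IEidasAttributeHandler handler;
    try {
      handler = context.getBean(handlerClass, IEidasAttributeHandler.class);

    } catch (NoSuchBeanDefinitionException e) {
      log.error("No custom attribute-handler implementation for: {}. Operation can NOT be performed", handlerClass, e);
      return;

    }

    log.trace("Perform authData post-processing by using: {}", handler.getClass().getName());
    // handler failures propagate: the response must not be built from un-processed authData
    handler.performAuthDataPostprocessing(authData);
  }
```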