diff options
Diffstat (limited to 'modules/eidas_proxy-sevice')
3 files changed, 105 insertions, 67 deletions
diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java index a2a2e78f..418d2799 100644 --- a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java +++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java @@ -18,7 +18,9 @@ public class MsProxyServiceConstants { public static final String CONIG_PROPS_EIDAS_PROXY_NODE_ENTITYID = EidasConstants.CONIG_PROPS_EIDAS_NODE + ".proxy.entityId"; public static final String CONIG_PROPS_EIDAS_PROXY_NODE_FORWARD_URL = EidasConstants.CONIG_PROPS_EIDAS_NODE - + ".proxy.forward.endpoint"; + + ".proxy.forward.endpoint"; + public static final String CONIG_PROPS_EIDAS_PROXY_NODE_FORWARD_ERRORS = EidasConstants.CONIG_PROPS_EIDAS_NODE + + ".proxy.forward.errors"; public static final String CONIG_PROPS_EIDAS_PROXY_ATTIBUTE_CONFIGURATION = diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java index b5f6b6d2..4de28956 100644 --- a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java +++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java @@ -45,6 +45,7 @@ import at.gv.egiz.eaaf.core.api.data.EaafConstants; import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions.SpMandateModes; import at.gv.egiz.eaaf.core.api.idp.IModulInfo; import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; import at.gv.egiz.eaaf.core.exceptions.EaafException; import at.gv.egiz.eaaf.core.exceptions.GuiBuildException; import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController; @@ -99,8 +100,7 @@ public class EidasProxyServiceController extends AbstractController implements I */ @RequestMapping(value = { MsProxyServiceConstants.EIDAS_HTTP_ENDPOINT_IDP_POST, - MsProxyServiceConstants.EIDAS_HTTP_ENDPOINT_IDP_REDIRECT - }, + MsProxyServiceConstants.EIDAS_HTTP_ENDPOINT_IDP_REDIRECT }, method = { RequestMethod.POST, RequestMethod.GET }) public void receiveEidasAuthnRequest(HttpServletRequest httpReq, HttpServletResponse httpResp) throws IOException, @@ -196,42 +196,9 @@ public class EidasProxyServiceController extends AbstractController implements I @Override public boolean generateErrorMessage(Throwable e, HttpServletRequest httpReq, HttpServletResponse httpResp, IRequest pendingReq) throws Throwable { - if (pendingReq instanceof ProxyServicePendingRequest) { - try { - final ILightRequest eidasReq = ((ProxyServicePendingRequest) pendingReq).getEidasRequest(); - - // build eIDAS response - final Builder lightRespBuilder = LightResponse.builder(); - lightRespBuilder.id(UUID.randomUUID().toString()); - lightRespBuilder.inResponseToId(eidasReq.getId()); - lightRespBuilder.relayState(eidasReq.getRelayState()); - lightRespBuilder.issuer(authConfig.getBasicConfiguration( - MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_NODE_ENTITYID)); - lightRespBuilder.subject(UUID.randomUUID().toString()); - lightRespBuilder.subjectNameIdFormat(NameIDType.TRANSIENT); - lightRespBuilder.status(ResponseStatus.builder() - .statusCode(StatusCode.RESPONDER) - .subStatusCode(EIDASSubStatusCode.AUTHN_FAILED_URI.getValue()) - .statusMessage(StringEscapeUtils.escapeXml(e.getLocalizedMessage())) - .build()); - - // forward to eIDAS Proxy-Service - responseAction.forwardToEidasProxy(pendingReq, httpReq, httpResp, lightRespBuilder.build()); - - return true; - - } catch (ServletException | IOException | GuiBuildException e1) { - log.warn("Forward error to eIDAS Proxy-Service FAILED. Handle error localy ... ", e1); - - } - - } else { - log.error("eIDAS Proxy-Service authentication requires PendingRequest of Type: {}", - ProxyServicePendingRequest.class.getName()); - - } - - return false; + return authConfig.getBasicConfigurationBoolean( + MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_NODE_FORWARD_ERRORS, false) + && generateAndSendError(e, httpReq, httpResp, pendingReq); } @@ -272,17 +239,17 @@ public class EidasProxyServiceController extends AbstractController implements I .distinct() .collect(Collectors.toSet()); - if (!requiredHandlers.isEmpty()) { + if (!requiredHandlers.isEmpty()) { log.info("eIDAS requested attributes requires #{} specific attribute-hander. " - + "Starting advanced attribute-validation ... ", requiredHandlers.size()); + + "Starting advanced attribute-validation ... ", requiredHandlers.size()); for (String el : requiredHandlers) { executeAdvancedRequestValidation(el, eidasRequest); - + } - + } else { log.debug("No advanced eIDAS attribute-validation required."); - + } } @@ -302,8 +269,8 @@ public class EidasProxyServiceController extends AbstractController implements I && EidasProxyServiceUtils.isNaturalPersonRequested(eidasRequest)) { throw new EidasProxyServiceException(ERROR_08, null); - } - + } + // TODO: validate some other stuff } @@ -354,10 +321,10 @@ public class EidasProxyServiceController extends AbstractController implements I // map eIDAS attributes to national attributes buildNationalRequestedAttributes(spConfig, eidasRequest); - + // execute custom attribute-handler advancedAttributeHandler(spConfig, eidasRequest); - + return spConfig; } catch (final EidasProxyServiceException e) { @@ -368,7 +335,7 @@ public class EidasProxyServiceController extends AbstractController implements I } } - + private void advancedAttributeHandler(ServiceProviderConfiguration spConfig, ILightRequest eidasRequest) { Set<String> requiredHandlers = eidasRequest.getRequestedAttributes().getAttributeMap().keySet().stream() .map(el -> attrRegistry.mapEidasAttributeToAttributeHandler(el.getNameUri().toString()).orElse(null)) @@ -376,44 +343,46 @@ public class EidasProxyServiceController extends AbstractController implements I .distinct() .collect(Collectors.toSet()); - if (!requiredHandlers.isEmpty()) { + if (!requiredHandlers.isEmpty()) { log.info("eIDAS requested attributes requires #{} specific attribute-hander. " - + "Starting advanced attribute-handling ... ", requiredHandlers.size()); - requiredHandlers.forEach(el -> executeAttributeHandler(el, spConfig)); - + + "Starting advanced attribute-handling ... ", requiredHandlers.size()); + requiredHandlers.forEach(el -> executeAttributeHandler(el, spConfig)); + } else { log.debug("No advanced eIDAS attribute-handling required."); - - } + + } } private void executeAttributeHandler(String handlerClass, ServiceProviderConfiguration spConfig) { try { IEidasAttributeHandler handler = applicationContext.getBean(handlerClass, IEidasAttributeHandler.class); - + log.trace("Perfom SP config post-processing by using: {}", handler.getClass().getName()); handler.performSpConfigPostprocessing(spConfig); - + } catch (Exception e) { - log.error("No custom attribute-handler implementation for: {}. Operation can NOT be performed", handlerClass, e); - - } + log.error("No custom attribute-handler implementation for: {}. Operation can NOT be performed", + handlerClass, e); + + } } - private void executeAdvancedRequestValidation(String handlerClass, ILightRequest eidasRequest) + private void executeAdvancedRequestValidation(String handlerClass, ILightRequest eidasRequest) throws EidasProxyServiceException { try { IEidasAttributeHandler handler = applicationContext.getBean(handlerClass, IEidasAttributeHandler.class); - + log.trace("Perfom request-validastion by using: {}", handler.getClass().getName()); handler.validateAuthnRequest(eidasRequest); - + } catch (BeansException e) { - log.error("No custom attribute-handler implementation for: {}. Operation can NOT be performed", handlerClass, e); - - } + log.error("No custom attribute-handler implementation for: {}. Operation can NOT be performed", + handlerClass, e); + + } } - + private void buildNationalRequestedAttributes( ServiceProviderConfiguration spConfig, ILightRequest eidasRequest) { final boolean mandatesEnabled = !SpMandateModes.NONE.equals(spConfig.getMandateMode()); @@ -552,6 +521,45 @@ public class EidasProxyServiceController extends AbstractController implements I spConfig.getMandateProfiles(), spConfig.getUniqueIdentifier()); } + } + + private boolean generateAndSendError(Throwable e, HttpServletRequest httpReq, HttpServletResponse httpResp, + IRequest pendingReq) throws EaafConfigurationException { + if (pendingReq instanceof ProxyServicePendingRequest) { + try { + final ILightRequest eidasReq = ((ProxyServicePendingRequest) pendingReq).getEidasRequest(); + + // build eIDAS response + final Builder lightRespBuilder = LightResponse.builder(); + lightRespBuilder.id(UUID.randomUUID().toString()); + lightRespBuilder.inResponseToId(eidasReq.getId()); + lightRespBuilder.relayState(eidasReq.getRelayState()); + lightRespBuilder.issuer(authConfig.getBasicConfiguration( + MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_NODE_ENTITYID)); + lightRespBuilder.subject(UUID.randomUUID().toString()); + lightRespBuilder.subjectNameIdFormat(NameIDType.TRANSIENT); + lightRespBuilder.status(ResponseStatus.builder() + .statusCode(StatusCode.RESPONDER) + .subStatusCode(EIDASSubStatusCode.AUTHN_FAILED_URI.getValue()) + .statusMessage(StringEscapeUtils.escapeXml(e.getLocalizedMessage())) + .build()); + + // forward to eIDAS Proxy-Service + responseAction.forwardToEidasProxy(pendingReq, httpReq, httpResp, lightRespBuilder.build()); + + return true; + + } catch (ServletException | IOException | GuiBuildException e1) { + log.warn("Forward error to eIDAS Proxy-Service FAILED. Handle error localy ... ", e1); + + } + + } else { + log.error("eIDAS Proxy-Service authentication requires PendingRequest of Type: {}", + ProxyServicePendingRequest.class.getName()); + + } + return false; } } diff --git a/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/msproxyservice/test/protocol/EidasProxyServiceControllerTest.java b/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/msproxyservice/test/protocol/EidasProxyServiceControllerTest.java index 5894ea45..c23f1d53 100644 --- a/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/msproxyservice/test/protocol/EidasProxyServiceControllerTest.java +++ b/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/msproxyservice/test/protocol/EidasProxyServiceControllerTest.java @@ -93,6 +93,7 @@ public class EidasProxyServiceControllerTest { config.putConfigValue("eidas.ms.auth.eIDAS.node_v2.proxy.forward.endpoint", "http://eidas.proxy/endpoint"); + config.putConfigValue("eidas.ms.auth.eIDAS.node_v2.proxy.forward.errors", "true"); springManagedSpecificConnectorCommunicationService = (SpecificCommunicationService) context.getBean( @@ -155,6 +156,33 @@ public class EidasProxyServiceControllerTest { } @Test + public void generateErrorResponseWithoutForward() throws Throwable { + config.putConfigValue("eidas.ms.auth.eIDAS.node_v2.proxy.forward.errors", "false"); + + ProxyServicePendingRequest pendingReq = new ProxyServicePendingRequest(); + pendingReq.initialize(httpReq, config); + + LightRequest.Builder eidasRequestBuilder = LightRequest.builder() + .id(UUID.randomUUID().toString()) + .issuer(RandomStringUtils.randomAlphabetic(10)) + .citizenCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) + .levelOfAssurance(EaafConstants.EIDAS_LOA_HIGH) + .spCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) + .spType("public") + .requesterId(RandomStringUtils.randomAlphanumeric(10)) + .providerName(RandomStringUtils.randomAlphanumeric(10)); + pendingReq.setEidasRequest(eidasRequestBuilder.build()); + + + // execute test + Assert.assertFalse("wrong statusCode", controller.generateErrorMessage( + new EaafException("1000"), + httpReq, httpResp, + pendingReq)); + + } + + @Test public void missingEidasToken() { EidasProxyServiceException exception = assertThrows(EidasProxyServiceException.class, () -> controller.receiveEidasAuthnRequest(httpReq, httpResp)); |