diff options
Diffstat (limited to 'modules')
103 files changed, 9839 insertions, 60 deletions
| diff --git a/modules/authmodule-eIDAS-v2/pom.xml b/modules/authmodule-eIDAS-v2/pom.xml index 94c46e63..ff9cc5ce 100644 --- a/modules/authmodule-eIDAS-v2/pom.xml +++ b/modules/authmodule-eIDAS-v2/pom.xml @@ -30,7 +30,7 @@          <repository>            <id>eIDASNode-local</id>            <name>local</name> -          <url>file:${basedir}/repository</url> +          <url>file:${basedir}/../../repository</url>          </repository>        </repositories>      </profile> @@ -292,4 +292,4 @@        </plugin>      </plugins>    </build> -</project>
\ No newline at end of file +</project> diff --git a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java index be20e632..9ceb08ee 100644 --- a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java +++ b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java @@ -52,8 +52,9 @@ public class Constants {    public static final String CONIG_PROPS_EIDAS_NODE_PUBLICSECTOR_TARGETS = CONIG_PROPS_EIDAS_NODE        + ".publicSectorTargets";    public static final String CONIG_PROPS_EIDAS_NODE_ENTITYID = CONIG_PROPS_EIDAS_NODE + ".entityId"; -  public static final String CONIG_PROPS_EIDAS_NODE_FORWARD_URL = CONIG_PROPS_EIDAS_NODE +  public static final String CONIG_PROPS_EIDAS_CONNECTOR_NODE_FORWARD_URL = CONIG_PROPS_EIDAS_NODE        + ".forward.endpoint"; +        public static final String CONIG_PROPS_EIDAS_NODE_FORWARD_METHOD = CONIG_PROPS_EIDAS_NODE        + ".forward.method";    public static final String CONIG_PROPS_EIDAS_NODE_ATTRIBUTES_REQUESTED_DEFAULT_ONLYNATURAL = @@ -159,6 +160,12 @@ public class Constants {    public static final String eIDAS_ATTR_LEGALPERSONIDENTIFIER = "LegalPersonIdentifier";    public static final String eIDAS_ATTR_LEGALNAME = "LegalName"; +  public static final String eIDAS_ATTR_REPRESENTATIVE_PERSONALIDENTIFIER = "RepresentativePersonIdentifier"; +  public static final String eIDAS_ATTR_REPRESENTATIVE_DATEOFBIRTH = "RepresentativeDateOfBirth"; +  public static final String eIDAS_ATTR_REPRESENTATIVE_CURRENTGIVENNAME = "RepresentativeFirstName"; +  public static final String eIDAS_ATTR_REPRESENTATIVE_CURRENTFAMILYNAME = "RepresentativeFamilyName"; +   +      public static final String eIDAS_REQ_PARAM_SECTOR_PUBLIC = "public";    public static final String eIDAS_REQ_PARAM_SECTOR_PRIVATE = "private"; @@ -167,6 +174,7 @@ public class Constants {    // SAML2 Constants    public static final String SUCCESS_URI = "urn:oasis:names:tc:SAML:2.0:status:Success"; +  public static final String ERROR_URI = "urn:oasis:names:tc:SAML:2.0:status:Responder";    public static final String HTTP_CLIENT_DEFAULT_TIMEOUT_CONNECTION = "30"; // seconds    public static final String HTTP_CLIENT_DEFAULT_TIMEOUT_RESPONSE = "60"; // seconds diff --git a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java index 323a37e2..1fdd3d5b 100644 --- a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java +++ b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java @@ -26,6 +26,7 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.handler;  import java.nio.charset.StandardCharsets;  import java.security.MessageDigest;  import java.security.NoSuchAlgorithmException; +import java.util.Arrays;  import java.util.Base64;  import java.util.Map;  import java.util.regex.Matcher; @@ -280,7 +281,7 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor {     * Set ProviderName and RequestId into eIDAS AuthnRequest.     *      * @param pendingReq Current pendingRequest -   * @param authnRequestBuilder AuthnREquest builer +   * @param authnRequestBuilder AuthnRequest builder     */    protected void buildProviderNameAndRequesterIdAttribute(IRequest pendingReq, Builder authnRequestBuilder) {      final ISpConfiguration spConfig = pendingReq.getServiceProviderConfiguration(); @@ -330,6 +331,37 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor {      }    } +  /** +   * Build LoA based on Service-Provider configuration. +   *  +   * @param spConfig Current SP configuration +   * @param authnRequestBuilder AuthnRequest builder +   */ +  protected void buildLevelOfAssurance(ISpConfiguration spConfig, Builder authnRequestBuilder) { +    // TODO: set matching mode if eIDAS ref. impl. support this method + +    // TODO: update if eIDAS ref. impl. supports exact matching for non-notified LoA +    // schemes +    String loa = EaafConstants.EIDAS_LOA_HIGH; +    if (spConfig.getRequiredLoA() != null) { +      if (spConfig.getRequiredLoA().isEmpty()) { +        log.info("No eIDAS LoA requested. Use LoA HIGH as default"); +      } else { +        if (spConfig.getRequiredLoA().size() > 1) { +          log.info( +              "Currently only ONE requested LoA is supported for service provider. Use first one ... "); +        } + +        loa = spConfig.getRequiredLoA().get(0); + +      } +    } + +    log.debug("Request eIdAS node with LoA: " + loa); +    authnRequestBuilder.levelsOfAssuranceValues(Arrays.asList(loa)); +     +  } +      private String generateRequesterId(String requesterId) {      if (requesterId != null && basicConfig.getBasicConfigurationBoolean(          Constants.CONIG_PROPS_EIDAS_NODE_REQUESTERID_USE_HASHED_VERSION, true)) {             @@ -389,30 +421,4 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor {      return builder.build();    } -   -  protected void buildLevelOfAssurance(ISpConfiguration spConfig, Builder authnRequestBuilder) { -    // TODO: set matching mode if eIDAS ref. impl. support this method - -    // TODO: update if eIDAS ref. impl. supports exact matching for non-notified LoA -    // schemes -    String loa = EaafConstants.EIDAS_LOA_HIGH; -    if (spConfig.getRequiredLoA() != null) { -      if (spConfig.getRequiredLoA().isEmpty()) { -        log.info("No eIDAS LoA requested. Use LoA HIGH as default"); -      } else { -        if (spConfig.getRequiredLoA().size() > 1) { -          log.info( -              "Currently only ONE requested LoA is supported for service provider. Use first one ... "); -        } - -        loa = spConfig.getRequiredLoA().get(0); - -      } -    } - -    log.debug("Request eIdAS node with LoA: " + loa); -    authnRequestBuilder.levelOfAssurance(loa); -     -  } -  } diff --git a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java index 0f1b5432..b6f028a4 100644 --- a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java +++ b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java @@ -147,7 +147,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {        }        // select forward URL regarding the selected environment -      String forwardUrl = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL); +      String forwardUrl = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_CONNECTOR_NODE_FORWARD_URL);        if (StringUtils.isNotEmpty(environment)) {          forwardUrl = selectedForwardUrlForEnvironment(environment);        } @@ -155,8 +155,8 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {        if (StringUtils.isEmpty(forwardUrl)) {          log.warn("NO ForwardURL defined in configuration. Can NOT forward to eIDAS node! Process stops");          throw new EaafConfigurationException("config.08", new Object[] { -            environment == null ? Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL -                : Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL + "." + environment +            environment == null ? Constants.CONIG_PROPS_EIDAS_CONNECTOR_NODE_FORWARD_URL +                : Constants.CONIG_PROPS_EIDAS_CONNECTOR_NODE_FORWARD_URL + "." + environment          });        } @@ -233,17 +233,17 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {    private String selectedForwardUrlForEnvironment(String environment) {      log.trace("Starting endpoint selection process for environment: " + environment + " ... ");      if (environment.equalsIgnoreCase(MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_PRODUCTION)) { -      return basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL); +      return basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_CONNECTOR_NODE_FORWARD_URL);      } else if (environment.equalsIgnoreCase(MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_QS)) { -      return basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL +      return basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_CONNECTOR_NODE_FORWARD_URL            + "." + MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_QS);      } else if (environment.equalsIgnoreCase(          MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_TESTING)) { -      return basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL +      return basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_CONNECTOR_NODE_FORWARD_URL            + "." + MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_TESTING);      } else if (environment.equalsIgnoreCase(          MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_DEVELOPMENT)) { -      return basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL +      return basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_CONNECTOR_NODE_FORWARD_URL            + "." + MsEidasNodeConstants.REQ_PARAM_SELECTED_ENVIRONMENT_VALUE_DEVELOPMENT);      } diff --git a/modules/authmodule-eIDAS-v2/src/main/resources/eidas_v2_auth.beans.xml b/modules/authmodule-eIDAS-v2/src/main/resources/eidas_v2_auth.beans.xml index 3b0cee54..f37516f8 100644 --- a/modules/authmodule-eIDAS-v2/src/main/resources/eidas_v2_auth.beans.xml +++ b/modules/authmodule-eIDAS-v2/src/main/resources/eidas_v2_auth.beans.xml @@ -65,17 +65,22 @@      class="at.asitplus.eidas.specific.modules.auth.eidas.v2.service.CcSpecificEidProcessingService" />    <bean id="DE-Processor" -    class="at.asitplus.eidas.specific.modules.auth.eidas.v2.handler.DeEidProcessor"> +        class="at.asitplus.eidas.specific.modules.auth.eidas.v2.handler.DeEidProcessor">      <property name="priority" value="1" />    </bean>    <bean id="LU-Processor" -    class="at.asitplus.eidas.specific.modules.auth.eidas.v2.handler.LuEidProcessor"> +        class="at.asitplus.eidas.specific.modules.auth.eidas.v2.handler.LuEidProcessor"> +    <property name="priority" value="1" /> +  </bean> + +  <bean id="NL-Processor" +        class="at.asitplus.eidas.specific.modules.auth.eidas.v2.handler.NlEidProcessor">      <property name="priority" value="1" />    </bean>    <bean id="Default-Processor" -    class="at.asitplus.eidas.specific.modules.auth.eidas.v2.handler.GenericEidProcessor"> +        class="at.asitplus.eidas.specific.modules.auth.eidas.v2.handler.GenericEidProcessor">      <property name="priority" value="0" />    </bean> diff --git a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/dummy/DummySpecificCommunicationService.java b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/dummy/DummySpecificCommunicationService.java index d2b0c1ae..78294047 100644 --- a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/dummy/DummySpecificCommunicationService.java +++ b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/dummy/DummySpecificCommunicationService.java @@ -9,12 +9,16 @@ import eu.eidas.auth.commons.tx.BinaryLightToken;  import eu.eidas.specificcommunication.BinaryLightTokenHelper;  import eu.eidas.specificcommunication.exception.SpecificCommunicationException;  import eu.eidas.specificcommunication.protocol.SpecificCommunicationService; +import lombok.Setter;  public class DummySpecificCommunicationService implements SpecificCommunicationService {    private ILightRequest lightRequest;    private ILightResponse lightResponse; +  @Setter +  private SpecificCommunicationException error; +      @Override    public BinaryLightToken putRequest(ILightRequest lightRequest) throws SpecificCommunicationException {      this.lightRequest = lightRequest; @@ -24,6 +28,10 @@ public class DummySpecificCommunicationService implements SpecificCommunicationS    @Override    public ILightRequest getAndRemoveRequest(String tokenBase64, Collection<AttributeDefinition<?>> registry)        throws SpecificCommunicationException { +    if (error != null) { +      throw error; +       +    }      return lightRequest;    } diff --git a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/GenerateAuthnRequestTaskTest.java b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/GenerateAuthnRequestTaskTest.java index 763d7d39..9521e348 100644 --- a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/GenerateAuthnRequestTaskTest.java +++ b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/GenerateAuthnRequestTaskTest.java @@ -138,7 +138,7 @@ public class GenerateAuthnRequestTaskTest {            .getErrorId());        Assert.assertEquals("wrong parameter size", 1, ((EaafException) e.getOriginalException())            .getParams().length); -      Assert.assertEquals("wrong errorMsg", Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL, ((EaafException) e +      Assert.assertEquals("wrong errorMsg", Constants.CONIG_PROPS_EIDAS_CONNECTOR_NODE_FORWARD_URL, ((EaafException) e            .getOriginalException()).getParams()[0]);      } @@ -163,7 +163,7 @@ public class GenerateAuthnRequestTaskTest {            .getErrorId());        Assert.assertEquals("wrong parameter size", 1, ((EaafException) e.getOriginalException())            .getParams().length); -      Assert.assertEquals("wrong errorMsg", Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL + "." + stage, ((EaafException) e +      Assert.assertEquals("wrong errorMsg", Constants.CONIG_PROPS_EIDAS_CONNECTOR_NODE_FORWARD_URL + "." + stage, ((EaafException) e            .getOriginalException()).getParams()[0]);      } diff --git a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/validation/EidasRequestPreProcessingFirstTest.java b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/validation/EidasRequestPreProcessingFirstTest.java index 7ac41500..610801a6 100644 --- a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/validation/EidasRequestPreProcessingFirstTest.java +++ b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/validation/EidasRequestPreProcessingFirstTest.java @@ -66,8 +66,9 @@ public class EidasRequestPreProcessingFirstTest {    private TestRequestImpl pendingReq;    private DummySpConfiguration oaParam; -  private Builder authnRequestBuilder; - +  private Builder authnRequestBuilder;   +  private Map<String, String> spConfig; +      /**     * jUnit class initializer.     *  @@ -88,9 +89,9 @@ public class EidasRequestPreProcessingFirstTest {    @Before    public void setUp() { -    final Map<String, String> spConfig = new HashMap<>(); +    spConfig = new HashMap<>();      spConfig.put(EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER, "testSp"); -    spConfig.put("target", "urn:publicid:gv.at:cdid+XX"); +    spConfig.put("target", "urn:publicid:gv.at:cdid+XX");          oaParam = new DummySpConfiguration(spConfig, basicConfig);      pendingReq = new TestRequestImpl(); @@ -151,5 +152,42 @@ public class EidasRequestPreProcessingFirstTest {      Assert.assertEquals("Requested attribute size not match", 8, lightReq.getRequestedAttributes().size());    } +   +  @Test +  public void prePreProcessNlWithUpgrade() throws EidPostProcessingException { + +    final String testCountry = "NL"; +    spConfig.put("loa", EaafConstants.EIDAS_LOA_LOW); +    authnRequestBuilder.citizenCountryCode(testCountry); +    authnRequestBuilder.levelOfAssurance(EaafConstants.EIDAS_LOA_LOW); +     +    preProcessor.preProcess(testCountry, pendingReq, authnRequestBuilder); + +    final LightRequest lightReq = authnRequestBuilder.build(); + +    Assert.assertNotSame("RequesterId was set", lightReq.getRequesterId()); +    Assert.assertEquals("no PublicSP", "public", lightReq.getSpType()); +    Assert.assertEquals("Requested attribute size not match", 4, lightReq.getRequestedAttributes().size()); + +    Assert.assertEquals("wrong LoA", EaafConstants.EIDAS_LOA_SUBSTANTIAL, lightReq.getLevelOfAssurance()); +  } +    +  @Test +  public void prePreProcessNlWithOutUpgrade() throws EidPostProcessingException { + +    final String testCountry = "NL"; +    authnRequestBuilder.citizenCountryCode(testCountry); +    preProcessor.preProcess(testCountry, pendingReq, authnRequestBuilder); + +    final LightRequest lightReq = authnRequestBuilder.build(); + +    Assert.assertNotSame("RequesterId was set", lightReq.getRequesterId()); +    Assert.assertEquals("no PublicSP", "public", lightReq.getSpType()); +    Assert.assertEquals("Requested attribute size not match", 4, lightReq.getRequestedAttributes().size()); + +    Assert.assertEquals("wrong LoA", EaafConstants.EIDAS_LOA_HIGH, lightReq.getLevelOfAssurance()); +     +  } +    } diff --git a/modules/authmodule-eIDAS-v2/src/test/resources/SpringTest-context_basic_test.xml b/modules/authmodule-eIDAS-v2/src/test/resources/SpringTest-context_basic_test.xml index cd2888c1..f31e5063 100644 --- a/modules/authmodule-eIDAS-v2/src/test/resources/SpringTest-context_basic_test.xml +++ b/modules/authmodule-eIDAS-v2/src/test/resources/SpringTest-context_basic_test.xml @@ -55,6 +55,11 @@      <property name="priority" value="1" />    </bean> +  <bean id="NL-Processor" +        class="at.asitplus.eidas.specific.modules.auth.eidas.v2.handler.NlEidProcessor"> +    <property name="priority" value="1" /> +  </bean> +   <bean id="eIDASAuthModule"      class="at.asitplus.eidas.specific.modules.auth.eidas.v2.EidasAuthenticationModulImpl">      <property name="priority" value="2" /> diff --git a/modules/authmodule_id-austria/checks/spotbugs-exclude.xml b/modules/authmodule_id-austria/checks/spotbugs-exclude.xml new file mode 100644 index 00000000..366c7aca --- /dev/null +++ b/modules/authmodule_id-austria/checks/spotbugs-exclude.xml @@ -0,0 +1,29 @@ +<?xml version="1.0" encoding="UTF-8"?> +<FindBugsFilter> +  <Match> +    <!-- CSRF protection is implicit available by request token --> +    <Class name="at.asitplus.eidas.specific.modules.auth.idaustria.controller.IdAustriaAuthSignalController" /> +    <Method name="performEidasAuthentication" /> +    <OR> +      <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" />                        +    </OR> +  </Match> +  <!-- Logging of invalid SAML2 responses are allowed on debug level --> +  <Match> +    <Class name="at.asitplus.eidas.specific.modules.auth.idaustria.tasks.ReceiveFromIdAustriaSystemTask"/> +    <Method name="execute" /> +    <OR> +      <Bug pattern="CRLF_INJECTION_LOGS" />                        +    </OR> +  </Match> +  <Match> +    <!-- Builder pattern does not expose date elements --> +    <OR> +      <Class name="at.asitplus.eidas.specific.modules.auth.idaustria.config.IdAustriaAuthRequestBuilderConfiguration" /> +    </OR> +    <OR> +      <Bug pattern="EI_EXPOSE_REP" /> +      <Bug pattern="EI_EXPOSE_REP2" /> +    </OR> +  </Match>          +</FindBugsFilter> diff --git a/modules/authmodule_id-austria/pom.xml b/modules/authmodule_id-austria/pom.xml new file mode 100644 index 00000000..c61cb13a --- /dev/null +++ b/modules/authmodule_id-austria/pom.xml @@ -0,0 +1,157 @@ +<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"> +  <modelVersion>4.0.0</modelVersion> +  <parent> +    <groupId>at.asitplus.eidas.ms_specific</groupId> +    <artifactId>modules</artifactId> +    <version>1.3.0-SNAPSHOT</version> +  </parent> +  <groupId>at.asitplus.eidas.ms_specific.modules</groupId> +  <artifactId>authmodule_id-austria</artifactId> +  <name>eIDAS-Outging IDA bridge</name> +   +  <repositories> +    <repository> +      <id>eIDASNode-local</id> +      <name>local</name> +      <url>file:${basedir}/../../repository</url> +    </repository> +  </repositories> +   +  <dependencies> +    <dependency> +      <groupId>at.asitplus.eidas.ms_specific</groupId> +      <artifactId>core_common_lib</artifactId> +    </dependency> +    <dependency> +      <groupId>at.asitplus.eidas.ms_specific.modules</groupId> +      <artifactId>eidas_proxy-sevice</artifactId> +    </dependency> +     +    <dependency> +      <groupId>at.gv.egiz.eaaf</groupId> +      <artifactId>eaaf-core</artifactId> +    </dependency> +     +    <!-- Third party libs -->        +    <dependency> +      <groupId>eu.eidas</groupId> +      <artifactId>eidas-jcache-ignite-specific-communication</artifactId> +    </dependency>     +    <dependency> +      <groupId>org.springframework.boot</groupId> +      <artifactId>spring-boot-starter-actuator</artifactId> +    </dependency> +    <dependency> +      <groupId>org.thymeleaf</groupId> +      <artifactId>thymeleaf-spring5</artifactId> +    </dependency>     +     +    <dependency> +      <groupId>javax.servlet</groupId> +      <artifactId>javax.servlet-api</artifactId> +      <scope>provided</scope> +    </dependency> +     +     +    <!-- Testing --> +    <dependency> +      <groupId>junit</groupId> +      <artifactId>junit</artifactId> +      <scope>test</scope> +    </dependency> +    <dependency> +      <groupId>org.springframework</groupId> +      <artifactId>spring-test</artifactId> +      <scope>test</scope> +    </dependency> +    <dependency> +      <groupId>org.powermock</groupId> +      <artifactId>powermock-module-junit4</artifactId> +      <scope>test</scope> +    </dependency> +    <dependency> +      <groupId>org.powermock</groupId> +      <artifactId>powermock-api-mockito2</artifactId> +      <scope>test</scope> +    </dependency> +    <dependency> +      <groupId>com.squareup.okhttp3</groupId> +      <artifactId>mockwebserver</artifactId> +      <scope>test</scope> +    </dependency>   +    <dependency> +      <groupId>at.asitplus.eidas.ms_specific</groupId> +      <artifactId>core_common_lib</artifactId> +      <scope>test</scope> +      <type>test-jar</type> +    </dependency>     +    <dependency> +      <groupId>at.gv.egiz.eaaf</groupId> +      <artifactId>eaaf_core_utils</artifactId> +      <scope>test</scope> +      <type>test-jar</type> +    </dependency> +    <dependency> +      <groupId>at.gv.egiz.eaaf</groupId> +      <artifactId>eaaf-core</artifactId> +      <scope>test</scope> +      <type>test-jar</type> +    </dependency> +    <dependency> +      <groupId>at.gv.egiz.eaaf</groupId> +      <artifactId>eaaf_module_pvp2_sp</artifactId> +      <scope>test</scope> +      <type>test-jar</type> +    </dependency> +    <dependency> +      <groupId>at.gv.egiz.eaaf</groupId> +      <artifactId>eaaf_module_pvp2_idp</artifactId> +      <scope>test</scope>    +    </dependency>     +    <dependency> +      <groupId>at.gv.egiz.eaaf</groupId> +      <artifactId>eaaf_module_pvp2_idp</artifactId> +      <scope>test</scope> +      <type>test-jar</type> +    </dependency> +    <dependency> +      <groupId>com.squareup.okhttp3</groupId> +      <artifactId>mockwebserver</artifactId> +      <scope>test</scope> +    </dependency>     +     +     +  </dependencies> +   +  <build> +    <finalName>core_common_webapp</finalName> + +    <plugins> +      <!-- enable co-existence of testng and junit --> +      <plugin> +        <artifactId>maven-surefire-plugin</artifactId> +        <configuration> +          <threadCount>1</threadCount> +        </configuration> +        <dependencies> +          <dependency> +            <groupId>org.apache.maven.surefire</groupId> +            <artifactId>surefire-junit47</artifactId> +            <version>${surefire.version}</version> +          </dependency> +        </dependencies> +      </plugin> + +      <plugin> +        <groupId>com.github.spotbugs</groupId> +        <artifactId>spotbugs-maven-plugin</artifactId> +        <version>${spotbugs-maven-plugin.version}</version> +        <configuration> +          <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile> +        </configuration> +      </plugin> + +    </plugins> +  </build> +   +</project> diff --git a/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/IdAustriaAuthConstants.java b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/IdAustriaAuthConstants.java new file mode 100644 index 00000000..57e5c706 --- /dev/null +++ b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/IdAustriaAuthConstants.java @@ -0,0 +1,123 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria; + +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; +import java.util.Set; +import java.util.stream.Collectors; + +import at.asitplus.eidas.specific.core.MsEidasNodeConstants; +import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; +import at.gv.egiz.eaaf.core.impl.data.Triple; + +/** + * Constant values for ID Austria authentication module. + * + * @author tlenz + * + */ +public class IdAustriaAuthConstants { + +  private IdAustriaAuthConstants() { + +  } + +  public static final String ERRORTYPE_00 = "module.idaustria.00"; +  public static final String ERRORTYPE_01 = "module.idaustria.01"; +  public static final String ERRORTYPE_02 = "module.idaustria.02"; +  public static final String ERRORTYPE_03 = "module.idaustria.03"; +  public static final String ERRORTYPE_04 = "module.idaustria.04"; +  public static final String ERRORTYPE_05 = "module.idaustria.05"; +  public static final String ERRORTYPE_06 = "module.idaustria.06";   +  public static final String ERRORTYPE_98 = "module.idaustria.98"; +  public static final String ERRORTYPE_99 = "module.idaustria.99"; +   +     +  public static final String SAML2_STATUSCODE_USERSTOP = "1005"; +   +  public static final int METADATA_VALIDUNTIL_IN_HOURS = 24 * 365; +  public static final String MODULE_NAME_FOR_LOGGING = "ID Austria based eIDAS authentication"; + +  public static final String ENDPOINT_POST = "/sp/idaustria/eidas/post"; +  public static final String ENDPOINT_REDIRECT = "/sp/idaustria/eidas/redirect"; +  public static final String ENDPOINT_METADATA = "/sp/idaustria/eidas/metadata"; + +  public static final String CONFIG_PROPS_PREFIX = "modules.idaustriaauth."; +   +  public static final String CONFIG_PROPS_IDAUSTRIA_ENTITYID = CONFIG_PROPS_PREFIX + "idp.entityId"; +  public static final String CONFIG_PROPS_IDAUSTRIA_METADATAURL = CONFIG_PROPS_PREFIX + "idp.metadataUrl"; +     +  public static final String CONFIG_PROPS_KEYSTORE_TYPE = CONFIG_PROPS_PREFIX + "keystore.type"; +  public static final String CONFIG_PROPS_KEYSTORE_NAME = CONFIG_PROPS_PREFIX + "keystore.name"; +  public static final String CONFIG_PROPS_KEYSTORE_PATH = CONFIG_PROPS_PREFIX + "keystore.path"; +  public static final String CONFIG_PROPS_KEYSTOREPASSWORD = CONFIG_PROPS_PREFIX + "keystore.password"; +  public static final String CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD = CONFIG_PROPS_PREFIX +      + "metadata.sign.password"; +  public static final String CONFIG_PROPS_SIGN_METADATA_ALIAS = CONFIG_PROPS_PREFIX +      + "metadata.sign.alias"; +  public static final String CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD = CONFIG_PROPS_PREFIX +      + "request.sign.password"; +  public static final String CONFIG_PROPS_SIGN_SIGNING_ALIAS = CONFIG_PROPS_PREFIX +      + "request.sign.alias"; +  public static final String CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD = CONFIG_PROPS_PREFIX +      + "response.encryption.password"; +  public static final String CONFIG_PROPS_ENCRYPTION_ALIAS = CONFIG_PROPS_PREFIX +      + "response.encryption.alias"; + +  public static final String CONFIG_PROPS_TRUSTSTORE_TYPE = CONFIG_PROPS_PREFIX + "truststore.type"; +  public static final String CONFIG_PROPS_TRUSTSTORE_NAME = CONFIG_PROPS_PREFIX + "truststore.name"; +  public static final String CONFIG_PROPS_TRUSTSTORE_PATH = CONFIG_PROPS_PREFIX + "truststore.path"; +  public static final String CONFIG_PROPS_TRUSTSTORE_PASSWORD = CONFIG_PROPS_PREFIX + "truststore.password"; + +  public static final String CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST = CONFIG_PROPS_PREFIX +      + "required.additional.attributes"; + +   +  /** +   * SP specific EntityId of the ID Austria.  +   */ +  public static final String CONFIG_PROPS_APPSPECIFIC_IDAUSTRIA_NODE_URL = "auth.idaustria.entityId"; +   +     +  public static final List<Triple<String, String, Boolean>> DEFAULT_REQUIRED_PVP_ATTRIBUTES = +      Collections.unmodifiableList(new ArrayList<Triple<String, String, Boolean>>() { +        private static final long serialVersionUID = 1L; +        { +          // add PVP Version attribute +          add(Triple.newInstance(PvpAttributeDefinitions.PVP_VERSION_NAME, +              PvpAttributeDefinitions.PVP_VERSION_FRIENDLY_NAME, false)); + +          // entity information +          add(Triple.newInstance(PvpAttributeDefinitions.GIVEN_NAME_NAME, +              PvpAttributeDefinitions.GIVEN_NAME_FRIENDLY_NAME, true)); +          add(Triple.newInstance(PvpAttributeDefinitions.PRINCIPAL_NAME_NAME, +              PvpAttributeDefinitions.PRINCIPAL_NAME_FRIENDLY_NAME, true)); +          add(Triple.newInstance(PvpAttributeDefinitions.BIRTHDATE_NAME, +              PvpAttributeDefinitions.BIRTHDATE_FRIENDLY_NAME, true)); +          add(Triple.newInstance(PvpAttributeDefinitions.BPK_NAME, +              PvpAttributeDefinitions.BPK_FRIENDLY_NAME, true)); +           +          // entity metadata information +          add(Triple.newInstance(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, +              PvpAttributeDefinitions.EID_ISSUING_NATION_FRIENDLY_NAME, true)); +          add(Triple.newInstance(PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME, +              PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_FRIENDLY_NAME, false)); +           +          // mandate attributes +          add(Triple.newInstance(PvpAttributeDefinitions.MANDATE_TYPE_NAME, +              PvpAttributeDefinitions.MANDATE_TYPE_FRIENDLY_NAME, false)); +          add(Triple.newInstance(PvpAttributeDefinitions.MANDATE_TYPE_OID_NAME, +              PvpAttributeDefinitions.MANDATE_TYPE_OID_FRIENDLY_NAME, false));           +          addAll(MsEidasNodeConstants.DEFAULT_REQUIRED_MANDATE_JUR_PVP_ATTRIBUTES); +          addAll(MsEidasNodeConstants.DEFAULT_REQUIRED_MANDATE_NAT_PVP_ATTRIBUTES); +                     +        } +      }); + +  public static final Set<String> DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES = +      DEFAULT_REQUIRED_PVP_ATTRIBUTES.stream() +        .filter(el -> el.getThird()) +        .map(el -> el.getFirst()) +        .collect(Collectors.toSet()); +         +} diff --git a/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/IdAustriaAuthenticationSpringResourceProvider.java b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/IdAustriaAuthenticationSpringResourceProvider.java new file mode 100644 index 00000000..2240b843 --- /dev/null +++ b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/IdAustriaAuthenticationSpringResourceProvider.java @@ -0,0 +1,56 @@ +/* + * Copyright 2018 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. +*/ + +package at.asitplus.eidas.specific.modules.auth.idaustria; + +import org.springframework.core.io.ClassPathResource; +import org.springframework.core.io.Resource; + +import at.gv.egiz.components.spring.api.SpringResourceProvider; + +public class IdAustriaAuthenticationSpringResourceProvider implements SpringResourceProvider { + +  @Override +  public String getName() { +    return "Auth. module for ID Austria based authentication"; +  } + +  @Override +  public String[] getPackagesToScan() { +    return null; +     +  } + +  @Override +  public Resource[] getResourcesToLoad() { +    final ClassPathResource idAustriaAuthConfig =  +        new ClassPathResource("/spring/id_austria_auth.beans.xml",  +            IdAustriaAuthenticationSpringResourceProvider.class); +    final ClassPathResource idAustriaTaskConfig =  +        new ClassPathResource("/spring/id_austria_task.beans.xml",                 +            IdAustriaAuthenticationSpringResourceProvider.class); +         +    return new Resource[] { idAustriaAuthConfig, idAustriaTaskConfig }; +  } + +} diff --git a/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/IdAustriaEidasProxyAuthenticationModulImpl.java b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/IdAustriaEidasProxyAuthenticationModulImpl.java new file mode 100644 index 00000000..6f90569c --- /dev/null +++ b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/IdAustriaEidasProxyAuthenticationModulImpl.java @@ -0,0 +1,91 @@ +/* + * Copyright 2018 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. +*/ + +package at.asitplus.eidas.specific.modules.auth.idaustria; + +import at.asitplus.eidas.specific.modules.msproxyservice.protocol.ProxyServicePendingRequest; +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import lombok.extern.slf4j.Slf4j; + +/** + * Authentication-process selection to start ID Austria authentication for eIDAS Proxy-Service requests. + *  + * @author tlenz + * + */ +@Slf4j +public class IdAustriaEidasProxyAuthenticationModulImpl implements AuthModule { + +  private static final String ID_AUSTRIA_EIDAS_PROXY_AUTHPROCESS_NAME = "idAustriaForEidasProxyService"; +   +  private int priority = 1; + +  @Override +  public int getPriority() { +    return priority; +  } + +  /** +   * Sets the priority of this module. Default value is {@code 0}. +   *  +   * @param priority The priority. +   */ +  public void setPriority(int priority) { +    this.priority = priority; +  } + +  /* +   * (non-Javadoc) +   *  +   * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#selectProcess(at.gv. +   * egovernment.moa.id.process.api.ExecutionContext) +   */ +  @Override +  public String selectProcess(ExecutionContext context, IRequest pendingReq) { +    if (pendingReq instanceof ProxyServicePendingRequest) { +      log.info("Find eIDAS Proxy-Service request. Starting ID Austria based user authentication ... "); +      return ID_AUSTRIA_EIDAS_PROXY_AUTHPROCESS_NAME;   +       +    } else { +      log.trace("No {} request. Ignore it for ID Austria authentication", +          ProxyServicePendingRequest.class.getName()); +       +    } +     +    return null; +     +  } + +  /* +   * (non-Javadoc) +   *  +   * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#getProcessDefinitions() +   */ +  @Override +  public String[] getProcessDefinitions() { +    return new String[] { "classpath:/process/id_austria.Authentication.process.xml" }; +  } + +} diff --git a/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/builder/attributes/EidasConnecorUniqueIdAttributeBuilder.java b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/builder/attributes/EidasConnecorUniqueIdAttributeBuilder.java new file mode 100644 index 00000000..89e06991 --- /dev/null +++ b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/builder/attributes/EidasConnecorUniqueIdAttributeBuilder.java @@ -0,0 +1,52 @@ +/* + * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a + * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European + * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in + * compliance with the Licence. You may obtain a copy of the Licence at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software distributed under the Licence + * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the Licence for the specific language governing permissions and limitations under + * the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text file for details on the + * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative + * works that you distribute must include a readable copy of the "NOTICE" text file. +*/ + +package at.asitplus.eidas.specific.modules.auth.idaustria.builder.attributes; + +import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions; +import at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder; +import at.gv.egiz.eaaf.core.api.idp.IAttributeGenerator; +import at.gv.egiz.eaaf.core.api.idp.IAuthData; +import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; +import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; + +public class EidasConnecorUniqueIdAttributeBuilder +    implements IAttributeBuilder, ExtendedPvpAttributeDefinitions { + +  @Override +  public String getName() { +    return EIDAS_CONNECTOR_UNIQUEID_NAME; +  } + +  @Override +  public <ATT> ATT build(final ISpConfiguration oaParam, final IAuthData authData, +      final IAttributeGenerator<ATT> g) +      throws AttributeBuilderException { +    return g.buildStringAttribute(EIDAS_CONNECTOR_UNIQUEID_FRIENDLY_NAME, EIDAS_CONNECTOR_UNIQUEID_NAME, +        oaParam.getUniqueIdentifier()); + +  } + +  @Override +  public <ATT> ATT buildEmpty(final IAttributeGenerator<ATT> g) { +    return g.buildEmptyAttribute(EIDAS_CONNECTOR_UNIQUEID_FRIENDLY_NAME, EIDAS_CONNECTOR_UNIQUEID_NAME); + +  } + +} diff --git a/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/config/IdAustriaAuthMessageSource.java b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/config/IdAustriaAuthMessageSource.java new file mode 100644 index 00000000..697c4496 --- /dev/null +++ b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/config/IdAustriaAuthMessageSource.java @@ -0,0 +1,22 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.config; + +import java.util.Arrays; +import java.util.List; + +import at.gv.egiz.eaaf.core.api.logging.IMessageSourceLocation; + +/** + * i18n message-source for ID Austria authentication errors. + *  + * @author tlenz + * + */ +public class IdAustriaAuthMessageSource implements IMessageSourceLocation { + +  @Override +  public List<String> getMessageSourceLocation() { +    return Arrays.asList("classpath:messages/idaustria_auth_messages"); + +  } + +} diff --git a/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/config/IdAustriaAuthMetadataConfiguration.java b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/config/IdAustriaAuthMetadataConfiguration.java new file mode 100644 index 00000000..41990363 --- /dev/null +++ b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/config/IdAustriaAuthMetadataConfiguration.java @@ -0,0 +1,462 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.config; + +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collection; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import org.opensaml.saml.saml2.core.Attribute; +import org.opensaml.saml.saml2.core.NameIDType; +import org.opensaml.saml.saml2.metadata.ContactPerson; +import org.opensaml.saml.saml2.metadata.Organization; +import org.opensaml.saml.saml2.metadata.RequestedAttribute; +import org.opensaml.security.credential.Credential; + +import at.asitplus.eidas.specific.modules.auth.idaustria.IdAustriaAuthConstants; +import at.asitplus.eidas.specific.modules.auth.idaustria.utils.IdAustriaAuthCredentialProvider; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.data.Triple; +import at.gv.egiz.eaaf.modules.pvp2.api.IPvp2BasicConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataBuilderConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder; +import lombok.extern.slf4j.Slf4j; + +/** + * Configuration object to generate PVP S-Profile metadata for SAML2 client. + * + * @author tlenz + * + */ +@Slf4j +public class IdAustriaAuthMetadataConfiguration implements IPvpMetadataBuilderConfiguration { + +  private Collection<RequestedAttribute> additionalAttributes = null; + +  private final String authUrl; +  private final IdAustriaAuthCredentialProvider credentialProvider; +  private final IPvp2BasicConfiguration pvpConfiguration; + +  /** +   * Configuration object to create PVP2 S-Profile metadata information. +   * +   * @param authUrl            Public URL prefix of the application +   * @param credentialProvider Credentials used by PVP2 S-Profile end-point +   * @param pvpConfiguration   Basic PVP2 S-Profile end-point configuration +   */ +  public IdAustriaAuthMetadataConfiguration(String authUrl, +      IdAustriaAuthCredentialProvider credentialProvider, +      IPvp2BasicConfiguration pvpConfiguration) { +    this.authUrl = authUrl; +    this.credentialProvider = credentialProvider; +    this.pvpConfiguration = pvpConfiguration; +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * getMetadataValidUntil() +   */ +  @Override +  public int getMetadataValidUntil() { +    return IdAustriaAuthConstants.METADATA_VALIDUNTIL_IN_HOURS; + +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * buildEntitiesDescriptorAsRootElement() +   */ +  @Override +  public boolean buildEntitiesDescriptorAsRootElement() { +    return false; + +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * buildIDPSSODescriptor() +   */ +  @Override +  public boolean buildIdpSsoDescriptor() { +    return false; + +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * buildSPSSODescriptor() +   */ +  @Override +  public boolean buildSpSsoDescriptor() { +    return true; + +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * getEntityIDPostfix() +   */ +  @Override +  public String getEntityID() { +    return authUrl + IdAustriaAuthConstants.ENDPOINT_METADATA; + +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * getEntityFriendlyName() +   */ +  @Override +  public String getEntityFriendlyName() { +    return null; +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * getContactPersonInformation() +   */ +  @Override +  public List<ContactPerson> getContactPersonInformation() { +    try { +      return pvpConfiguration.getIdpContacts(); + +    } catch (final EaafException e) { +      log.warn("Can not load Metadata entry: Contect Person", e); +      return null; + +    } + +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * getOrgansiationInformation() +   */ +  @Override +  public Organization getOrgansiationInformation() { +    try { +      return pvpConfiguration.getIdpOrganisation(); + +    } catch (final EaafException e) { +      log.warn("Can not load Metadata entry: Organisation", e); +      return null; + +    } +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * getMetadataSigningCredentials() +   */ +  @Override +  public EaafX509Credential getMetadataSigningCredentials() throws CredentialsNotAvailableException { +    return credentialProvider.getMetaDataSigningCredential(); + +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * getRequestorResponseSigningCredentials() +   */ +  @Override +  public Credential getRequestorResponseSigningCredentials() throws CredentialsNotAvailableException { +    return credentialProvider.getMessageSigningCredential(); + +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * getEncryptionCredentials() +   */ +  @Override +  public Credential getEncryptionCredentials() throws CredentialsNotAvailableException { +    return credentialProvider.getMessageEncryptionCredential(); + +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * getIDPWebSSOPostBindingURL() +   */ +  @Override +  public String getIdpWebSsoPostBindingUrl() { +    return null; +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * getIDPWebSSORedirectBindingURL() +   */ +  @Override +  public String getIdpWebSsoRedirectBindingUrl() { +    return null; +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * getIDPSLOPostBindingURL() +   */ +  @Override +  public String getIdpSloPostBindingUrl() { +    return null; +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * getIDPSLORedirectBindingURL() +   */ +  @Override +  public String getIdpSloRedirectBindingUrl() { +    return null; +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * getSPAssertionConsumerServicePostBindingURL() +   */ +  @Override +  public String getSpAssertionConsumerServicePostBindingUrl() { +    return authUrl + IdAustriaAuthConstants.ENDPOINT_POST; +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * getSPAssertionConsumerServiceRedirectBindingURL() +   */ +  @Override +  public String getSpAssertionConsumerServiceRedirectBindingUrl() { +    return authUrl + IdAustriaAuthConstants.ENDPOINT_REDIRECT; +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * getSPSLOPostBindingURL() +   */ +  @Override +  public String getSpSloPostBindingUrl() { +    return null; +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * getSPSLORedirectBindingURL() +   */ +  @Override +  public String getSpSloRedirectBindingUrl() { +    return null; +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * getSPSLOSOAPBindingURL() +   */ +  @Override +  public String getSpSloSoapBindingUrl() { +    return null; +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * getIDPPossibleAttributes() +   */ +  @Override +  public List<Attribute> getIdpPossibleAttributes() { +    return null; +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * getIDPPossibleNameITTypes() +   */ +  @Override +  public List<String> getIdpPossibleNameIdTypes() { +    return null; +  } + + + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * getSPRequiredAttributes() +   */ +  @Override +  public Collection<RequestedAttribute> getSpRequiredAttributes() { +    final Map<String, RequestedAttribute> requestedAttributes = new HashMap<>(); +    log.trace("Build required attributes for ID Austria operaton ... "); +    injectDefinedAttributes(requestedAttributes, +        IdAustriaAuthConstants.DEFAULT_REQUIRED_PVP_ATTRIBUTES); + + +    if (additionalAttributes != null) { +      log.trace("Add additional PVP attributes into metadata ... "); +      for (final RequestedAttribute el : additionalAttributes) { +        if (requestedAttributes.containsKey(el.getName())) { +          log.debug("Attribute " + el.getName() +              + " is already added by default configuration. Overwrite it by user configuration"); +        } + +        requestedAttributes.put(el.getName(), el); + +      } +    } + +    return requestedAttributes.values(); + +  } + + + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# +   * getSPAllowedNameITTypes() +   */ +  @Override +  public List<String> getSpAllowedNameIdTypes() { +    return Arrays.asList(NameIDType.PERSISTENT); + +  } + +  /* +   * (non-Javadoc) +   * +   * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. +   * IPVPMetadataBuilderConfiguration#getSPNameForLogging() +   */ +  @Override +  public String getSpNameForLogging() { +    return IdAustriaAuthConstants.MODULE_NAME_FOR_LOGGING; +  } + +  /* +   * (non-Javadoc) +   * +   * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. +   * IPVPMetadataBuilderConfiguration#wantAssertionSigned() +   */ +  @Override +  public boolean wantAssertionSigned() { +    return false; +  } + +  /* +   * (non-Javadoc) +   * +   * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. +   * IPVPMetadataBuilderConfiguration#wantAuthnRequestSigned() +   */ +  @Override +  public boolean wantAuthnRequestSigned() { +    return true; +  } + +  /** +   * Add additonal PVP attributes that are required by this deployment. +   * +   * @param additionalAttr List of PVP attribute name and isRequired flag +   */ +  public void setAdditionalRequiredAttributes(List<Pair<String, Boolean>> additionalAttr) { +    if (additionalAttr != null && !additionalAttr.isEmpty()) { +      additionalAttributes = new ArrayList<>(); +      for (final Pair<String, Boolean> el : additionalAttr) { +        final Attribute attributBuilder = PvpAttributeBuilder.buildEmptyAttribute(el.getFirst()); +        if (attributBuilder != null) { +          additionalAttributes.add( +              PvpAttributeBuilder.buildReqAttribute( +                  attributBuilder.getName(), +                  attributBuilder.getFriendlyName(), +                  el.getSecond())); + +        } else { +          log.info("NO PVP attribute with name: " + el.getFirst()); +        } + +      } +    } +  } + +  private void injectDefinedAttributes(Map<String, RequestedAttribute> requestedAttributes, +      List<Triple<String, String, Boolean>> attributes) { +    for (final Triple<String, String, Boolean> el : attributes) { +      requestedAttributes.put(el.getFirst(), PvpAttributeBuilder.buildReqAttribute(el.getFirst(), el +          .getSecond(), el.getThird())); + +    } +  } + +} diff --git a/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/config/IdAustriaAuthRequestBuilderConfiguration.java b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/config/IdAustriaAuthRequestBuilderConfiguration.java new file mode 100644 index 00000000..52bd1c5f --- /dev/null +++ b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/config/IdAustriaAuthRequestBuilderConfiguration.java @@ -0,0 +1,307 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.config; + +import java.util.List; + +import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration; +import org.opensaml.saml.saml2.core.NameIDType; +import org.opensaml.saml.saml2.metadata.EntityDescriptor; +import org.w3c.dom.Element; + +import at.asitplus.eidas.specific.modules.auth.idaustria.IdAustriaAuthConstants; +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; +import at.gv.egiz.eaaf.modules.pvp2.sp.api.IPvpAuthnRequestBuilderConfiguruation; + +/** + * ID Austria client-specific implementation of an {@link IPvpAuthnRequestBuilderConfiguruation}. + * + * @author tlenz + * + */ +public class IdAustriaAuthRequestBuilderConfiguration implements IPvpAuthnRequestBuilderConfiguruation { + +  private boolean isPassive; +  private String spEntityId; +  private String qaaLevel; +  private EntityDescriptor idpEntity; +  private EaafX509Credential signCred; +  private String scopeRequesterId; +  private String providerName; +  private List<EaafRequestedAttribute> requestedAttributes; +  private String reqId; + +  /* +   * (non-Javadoc) +   * +   * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. +   * IPVPAuthnRequestBuilderConfiguruation#isPassivRequest() +   */ +  @Override +  public Boolean isPassivRequest() { +    return this.isPassive; +  } + +  /* +   * (non-Javadoc) +   * +   * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. +   * IPVPAuthnRequestBuilderConfiguruation#getAssertionConsumerServiceId() +   */ +  @Override +  public Integer getAssertionConsumerServiceId() { +    return 0; +  } + +  /* +   * (non-Javadoc) +   * +   * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. +   * IPVPAuthnRequestBuilderConfiguruation#getEntityID() +   */ +  @Override +  public String getSpEntityID() { +    return this.spEntityId; +  } + +  /* +   * (non-Javadoc) +   * +   * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. +   * IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy() +   */ +  @Override +  public String getNameIdPolicyFormat() { +    return NameIDType.PERSISTENT; +  } + +  /* +   * (non-Javadoc) +   * +   * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. +   * IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy() +   */ +  @Override +  public boolean getNameIdPolicyAllowCreation() { +    return true; +  } + +  /* +   * (non-Javadoc) +   * +   * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. +   * IPVPAuthnRequestBuilderConfiguruation#getAuthnContextClassRef() +   */ +  @Override +  public String getAuthnContextClassRef() { +    return this.qaaLevel; +  } + +  /* +   * (non-Javadoc) +   * +   * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. +   * IPVPAuthnRequestBuilderConfiguruation#getAuthnContextComparison() +   */ +  @Override +  public AuthnContextComparisonTypeEnumeration getAuthnContextComparison() { +    return AuthnContextComparisonTypeEnumeration.MINIMUM; +  } + +  /** +   * Set isPassive flag in SAML2 request. +   * +   * @param isPassive the isPassive to set. +   */ +  public void setPassive(boolean isPassive) { +    this.isPassive = isPassive; +  } + +  /** +   * Set the requester EntityId. +   * +   * @param spEntityId EntityId of SP +   */ +  public void setSpEntityID(String spEntityId) { +    this.spEntityId = spEntityId; +  } + +  /** +   * Set required LoA. +   * +   * @param loa the LoA to set. +   */ +  public void setRequestedLoA(String loa) { +    qaaLevel = loa; +  } + +  /** +   * Set EntityId of IDP. +   * +   * @param idpEntity the idpEntity to set. +   */ +  public void setIdpEntity(EntityDescriptor idpEntity) { +    this.idpEntity = idpEntity; +  } + +  /** +   * Set message signing credentials. +   * +   * @param signCred the signCred to set. +   */ +  public void setSignCred(EaafX509Credential signCred) { +    this.signCred = signCred; +  } + +  /* +   * (non-Javadoc) +   * +   * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. +   * IPVPAuthnRequestBuilderConfiguruation#getAuthnRequestSigningCredential() +   */ +  @Override +  public EaafX509Credential getAuthnRequestSigningCredential() { +    return this.signCred; +  } + +  /* +   * (non-Javadoc) +   * +   * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. +   * IPVPAuthnRequestBuilderConfiguruation#getIDPEntityDescriptor() +   */ +  @Override +  public EntityDescriptor getIdpEntityDescriptor() { +    return this.idpEntity; +  } + +  /* +   * (non-Javadoc) +   * +   * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. +   * IPVPAuthnRequestBuilderConfiguruation#getSubjectNameID() +   */ +  @Override +  public String getSubjectNameID() { +    return null; +  } + +  /* +   * (non-Javadoc) +   * +   * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. +   * IPVPAuthnRequestBuilderConfiguruation#getSPNameForLogging() +   */ +  @Override +  public String getSpNameForLogging() { +    return IdAustriaAuthConstants.MODULE_NAME_FOR_LOGGING; +  } + +  /* +   * (non-Javadoc) +   * +   * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. +   * IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDFormat() +   */ +  @Override +  public String getSubjectNameIdFormat() { +    return null; +  } + +  /* +   * (non-Javadoc) +   * +   * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. +   * IPVPAuthnRequestBuilderConfiguruation#getRequestID() +   */ +  @Override +  public String getRequestID() { +    return this.reqId; +  } + +  /* +   * (non-Javadoc) +   * +   * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. +   * IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDQualifier() +   */ +  @Override +  public String getSubjectNameIdQualifier() { +    return null; +  } + +  /* +   * (non-Javadoc) +   * +   * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. +   * IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationMethode() +   */ +  @Override +  public String getSubjectConformationMethode() { +    return null; +  } + +  /* +   * (non-Javadoc) +   * +   * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. +   * IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationDate() +   */ +  @Override +  public Element getSubjectConformationDate() { +    return null; +  } + +  @Override +  public List<EaafRequestedAttribute> getRequestedAttributes() { +    return this.requestedAttributes; + +  } + +  @Override +  public String getProviderName() { +    return this.providerName; +  } + +  @Override +  public String getScopeRequesterId() { +    return this.scopeRequesterId; +  } + +  /** +   * Set the entityId of the SP that requests the proxy for eIDAS authentication. +   * +   * @param scopeRequesterId RequestId in SAML2 Proxy extension +   */ +  public void setScopeRequesterId(String scopeRequesterId) { +    this.scopeRequesterId = scopeRequesterId; +  } + +  /** +   * Set a friendlyName for the SP that requests the proxy for eIDAS +   * authentication. +   * +   * @param providerName SAML2 provider-name attribute-value +   */ +  public void setProviderName(String providerName) { +    this.providerName = providerName; +  } + +  /** +   * Set a Set of PVP attributes that a requested by using requested attributes. +   * +   * @param requestedAttributes Requested SAML2 attributes +   */ +  public void setRequestedAttributes(List<EaafRequestedAttribute> requestedAttributes) { +    this.requestedAttributes = requestedAttributes; +  } + +  /** +   * Set a RequestId for this Authn. Request. +   * +   * @param reqId SAML2 message requestId +   */ +  public void setRequestId(String reqId) { +    this.reqId = reqId; +  } + +} diff --git a/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/controller/IdAustriaAuthMetadataController.java b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/controller/IdAustriaAuthMetadataController.java new file mode 100644 index 00000000..ad708d30 --- /dev/null +++ b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/controller/IdAustriaAuthMetadataController.java @@ -0,0 +1,150 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.controller; + +import java.io.IOException; +import java.net.MalformedURLException; +import java.net.URL; +import java.util.ArrayList; +import java.util.List; +import java.util.Map; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.lang3.StringUtils; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; + +import com.google.common.net.MediaType; + +import at.asitplus.eidas.specific.modules.auth.idaustria.IdAustriaAuthConstants; +import at.asitplus.eidas.specific.modules.auth.idaustria.config.IdAustriaAuthMetadataConfiguration; +import at.asitplus.eidas.specific.modules.auth.idaustria.utils.IdAustriaAuthCredentialProvider; +import at.gv.egiz.eaaf.core.exceptions.EaafAuthenticationException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.http.HttpUtils; +import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController; +import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils; +import at.gv.egiz.eaaf.modules.pvp2.api.IPvp2BasicConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpMetadataBuilder; +import lombok.extern.slf4j.Slf4j; + +/** + * Controller that generates SAML2 metadata for ID Austria authentication client. + * + * @author tlenz + * + */ +@Slf4j +@Controller +public class IdAustriaAuthMetadataController extends AbstractController { + +  private static final String ERROR_CODE_INTERNAL_00 = "eaaf.core.00"; + +  @Autowired +  PvpMetadataBuilder metadatabuilder; +  @Autowired +  IdAustriaAuthCredentialProvider credentialProvider; +  @Autowired +  IPvp2BasicConfiguration pvpConfiguration; + +  /** +   * Default construction with logging. +   * +   */ +  public IdAustriaAuthMetadataController() { +    super(); +    log.debug("Registering servlet " + getClass().getName() +        + " with mappings '" + IdAustriaAuthConstants.ENDPOINT_METADATA +        + "'."); + +  } + +  /** +   * End-point that produce PVP2 metadata for ID Austria authentication client. +   * +   * @param req  http Request +   * @param resp http Response +   * @throws IOException   In case of an I/O error +   * @throws EaafException In case of a metadata generation error +   */ +  @RequestMapping(value = IdAustriaAuthConstants.ENDPOINT_METADATA, +      method = { RequestMethod.GET }) +  public void getSpMetadata(HttpServletRequest req, HttpServletResponse resp) throws IOException, +      EaafException { +    // check PublicURL prefix +    try { +      final String authUrl = getAuthUrlFromHttpContext(req); + +      // initialize metadata builder configuration +      final IdAustriaAuthMetadataConfiguration metadataConfig = +          new IdAustriaAuthMetadataConfiguration(authUrl, credentialProvider, pvpConfiguration); +      metadataConfig.setAdditionalRequiredAttributes(getAdditonalRequiredAttributes()); + +      // build metadata +      final String xmlMetadata = metadatabuilder.buildPvpMetadata(metadataConfig); + +      // write response +      final byte[] content = xmlMetadata.getBytes("UTF-8"); +      resp.setStatus(HttpServletResponse.SC_OK); +      resp.setContentLength(content.length); +      resp.setContentType(MediaType.XML_UTF_8.toString()); +      resp.getOutputStream().write(content); + +    } catch (final Exception e) { +      log.warn("Build PVP metadata for ID Austria client FAILED.", e); +      protAuthService.handleErrorNoRedirect(e, req, resp, false); + +    } + +  } + +  private String getAuthUrlFromHttpContext(HttpServletRequest req) throws EaafException { +    // check if End-Point is valid +    final String authUrlString = HttpUtils.extractAuthUrlFromRequest(req); +    URL authReqUrl; +    try { +      authReqUrl = new URL(authUrlString); + +    } catch (final MalformedURLException e) { +      log.warn("Requested URL: {} is not a valid URL.", authUrlString); +      throw new EaafAuthenticationException(ERROR_CODE_INTERNAL_00, new Object[] { authUrlString }, e); + +    } + +    final String idpAuthUrl = authConfig.validateIdpUrl(authReqUrl); +    if (idpAuthUrl == null) { +      log.warn("Requested URL: {} is NOT found in configuration.", authReqUrl); +      throw new EaafAuthenticationException(ERROR_CODE_INTERNAL_00, new Object[] { authUrlString }); + +    } + +    return idpAuthUrl; +  } + +  private List<Pair<String, Boolean>> getAdditonalRequiredAttributes() { +    final List<Pair<String, Boolean>> result = new ArrayList<>(); +    // load attributes from configuration +    final Map<String, String> addReqAttributes = authConfig.getBasicConfigurationWithPrefix( +        IdAustriaAuthConstants.CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST); +    for (final String el : addReqAttributes.values()) { +      if (StringUtils.isNotEmpty(el)) { +        log.trace("Parse additional attr. definition: " + el); +        final List<String> attr = KeyValueUtils.getListOfCsvValues(el.trim()); +        if (attr.size() == 2) { +          result.add(Pair.newInstance(attr.get(0), Boolean.parseBoolean(attr.get(1)))); + +        } else { +          log.info("IGNORE additional attr. definition: " + el +              + " Reason: Format not valid"); +        } +      } +    } + +    return result; + +  } + +} diff --git a/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/controller/IdAustriaAuthSignalController.java b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/controller/IdAustriaAuthSignalController.java new file mode 100644 index 00000000..2e7868fd --- /dev/null +++ b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/controller/IdAustriaAuthSignalController.java @@ -0,0 +1,94 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.controller; + +import java.io.IOException; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.lang3.StringUtils; +import org.apache.commons.text.StringEscapeUtils; +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; + +import at.asitplus.eidas.specific.modules.auth.idaustria.IdAustriaAuthConstants; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController; +import lombok.extern.slf4j.Slf4j; + +/** + * Controller that receives the response from ID Austria system. + * + * @author tlenz + * + */ +@Slf4j +@Controller +public class IdAustriaAuthSignalController extends AbstractProcessEngineSignalController { + +  public static final String HTTP_PARAM_RELAYSTATE = "RelayState"; + +  /** +   * Default constructor with logging. +   * +   */ +  public IdAustriaAuthSignalController() { +    super(); +    log.debug("Registering servlet " + getClass().getName() +        + " with mappings '" + IdAustriaAuthConstants.ENDPOINT_POST +        + "' and '" + IdAustriaAuthConstants.ENDPOINT_REDIRECT + "'."); + +  } + +  /** +   * HTTP end-point for incoming SAML2 Respone from ID Austrian System. +   * +   * @param req HTTP request +   * @param resp HTTP response +   * @throws IOException In case of a HTTP communication error +   * @throws EaafException In case of a state-validation problem +   */ +  @RequestMapping(value = { IdAustriaAuthConstants.ENDPOINT_POST, +      IdAustriaAuthConstants.ENDPOINT_REDIRECT }, +      method = { RequestMethod.POST, RequestMethod.GET }) +  public void performEidasAuthentication(HttpServletRequest req, HttpServletResponse resp) +      throws IOException, EaafException { +    signalProcessManagement(req, resp); + +  } + +  /** +   * Read the PendingRequestId from SAML2 RelayState parameter. +   */ +  @Override +  public String getPendingRequestId(HttpServletRequest request) { +    String relayState = StringEscapeUtils.escapeHtml4(request.getParameter(HTTP_PARAM_RELAYSTATE)); +    if (StringUtils.isNotEmpty(relayState)) { +      try { +        String pendingReqId = transactionStorage.get(relayState, String.class); +        if (StringUtils.isNotEmpty(pendingReqId)) { +           +          return pendingReqId;   +           +        } else { +          log.info("SAML2 RelayState from request is unknown. Can NOT restore session ... "); +           +        } +                                 +      } catch (EaafException e) { +        log.error("Can NOT map SAML2 RelayState to pendingRequestId", e); +         +      } finally { +        transactionStorage.remove(relayState); +         +      } +       +    } else { +      log.info("No SAML2 relaystate. Can NOT restore session ... "); +       +    } +         +    return null;  + +  } +} diff --git a/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/tasks/ReceiveFromIdAustriaSystemTask.java b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/tasks/ReceiveFromIdAustriaSystemTask.java new file mode 100644 index 00000000..e486b851 --- /dev/null +++ b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/tasks/ReceiveFromIdAustriaSystemTask.java @@ -0,0 +1,393 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.tasks; + +import java.io.IOException; +import java.util.Set; + +import javax.naming.ConfigurationException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.xml.transform.TransformerException; + +import org.apache.commons.lang3.StringUtils; +import org.opensaml.core.xml.io.MarshallingException; +import org.opensaml.messaging.decoder.MessageDecodingException; +import org.opensaml.saml.saml2.core.Response; +import org.opensaml.saml.saml2.core.StatusCode; +import org.opensaml.saml.saml2.metadata.IDPSSODescriptor; +import org.springframework.beans.factory.annotation.Autowired; + +import at.asitplus.eidas.specific.core.MsEidasNodeConstants; +import at.asitplus.eidas.specific.modules.auth.idaustria.IdAustriaAuthConstants; +import at.asitplus.eidas.specific.modules.auth.idaustria.utils.IdAustriaAuthCredentialProvider; +import at.asitplus.eidas.specific.modules.auth.idaustria.utils.IdAustriaAuthMetadataProvider; +import at.asitplus.eidas.specific.modules.auth.idaustria.utils.Utils; +import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.EaafAuthenticationException; +import at.gv.egiz.eaaf.core.exceptions.EaafBuilderException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.exceptions.EaafStorageException; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import at.gv.egiz.eaaf.modules.pvp2.api.binding.IDecoder; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; +import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding; +import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EaafUriCompare; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine; +import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionValidationExeption; +import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnResponseValidationException; +import at.gv.egiz.eaaf.modules.pvp2.sp.impl.utils.AssertionAttributeExtractor; +import lombok.extern.slf4j.Slf4j; + +/** + * ID Austria authentication task that receives the SAML2 response from ID + * Austria system. + * + * @author tlenz + * + */ +@Slf4j +public class ReceiveFromIdAustriaSystemTask extends AbstractAuthServletTask { + +  private static final String ERROR_PVP_03 = "sp.pvp2.03"; +  private static final String ERROR_PVP_05 = "sp.pvp2.05"; +  private static final String ERROR_PVP_06 = "sp.pvp2.06"; +  private static final String ERROR_PVP_08 = "sp.pvp2.08"; +  private static final String ERROR_PVP_10 = "sp.pvp2.10"; +  private static final String ERROR_PVP_11 = "sp.pvp2.11"; +  private static final String ERROR_PVP_12 = "sp.pvp2.12"; + +  private static final String ERROR_MSG_00 = +      "Receive INVALID PVP Response from federated IDP"; +  private static final String ERROR_MSG_01 = +      "Processing PVP response from 'ms-specific eIDAS node' FAILED."; +  private static final String ERROR_MSG_02 = +      "PVP response decrytion FAILED. No credential found."; +  private static final String ERROR_MSG_03 = +      "PVP response validation FAILED."; + +  @Autowired +  private SamlVerificationEngine samlVerificationEngine; +  @Autowired +  private IdAustriaAuthCredentialProvider credentialProvider; +  @Autowired(required = true) +  IdAustriaAuthMetadataProvider metadataProvider; + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv. +   * egovernment.moa.id.process.api.ExecutionContext, +   * javax.servlet.http.HttpServletRequest, +   * javax.servlet.http.HttpServletResponse) +   */ +  @Override +  public void execute(ExecutionContext executionContext, HttpServletRequest request, +      HttpServletResponse response) +      throws TaskExecutionException { +    InboundMessage msg = null; + +    try { + +      IDecoder decoder = null; +      EaafUriCompare comperator = null; +      // select Response Binding +      if (request.getMethod().equalsIgnoreCase("POST")) { +        decoder = new PostBinding(); +        comperator = new EaafUriCompare(pendingReq.getAuthUrl() + IdAustriaAuthConstants.ENDPOINT_POST); +        log.trace("Receive PVP Response from 'ID Austria', by using POST-Binding."); + +      } else if (request.getMethod().equalsIgnoreCase("GET")) { +        decoder = new RedirectBinding(); +        comperator = new EaafUriCompare(pendingReq.getAuthUrl() +            + IdAustriaAuthConstants.ENDPOINT_REDIRECT); +        log.trace("Receive PVP Response from 'ID Austria', by using Redirect-Binding."); + +      } else { +        log.warn("Receive PVP Response, but Binding (" +            + request.getMethod() + ") is not supported."); +        throw new AuthnResponseValidationException(ERROR_PVP_03, new Object[] { +            IdAustriaAuthConstants.MODULE_NAME_FOR_LOGGING }); + +      } + +      // decode PVP response object +      msg = (InboundMessage) decoder.decode( +          request, response, metadataProvider, IDPSSODescriptor.DEFAULT_ELEMENT_NAME, +          comperator); + +      // validate response signature +      if (!msg.isVerified()) { +        samlVerificationEngine.verify(msg, +            TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); +        msg.setVerified(true); + +      } + +      // validate assertion +      final Pair<PvpSProfileResponse, Boolean> processedMsg = +          preProcessAuthResponse((PvpSProfileResponse) msg); + +      // check if SAML2 response contains user-stop decision +      if (processedMsg.getSecond()) { +        stopProcessFromUserDecision(executionContext, request, response); + +      } else { +        // validate entityId of response +        final String idAustriaEntityID = +            Utils.getIdAustriaEntityId(pendingReq.getServiceProviderConfiguration(), authConfig);  +        final String respEntityId = msg.getEntityID(); +        if (!idAustriaEntityID.equals(respEntityId)) { +          log.warn("Response Issuer is not a 'ID Austria System'. Stopping eIDAS authentication ..."); +          throw new AuthnResponseValidationException(ERROR_PVP_08, +              new Object[] { IdAustriaAuthConstants.MODULE_NAME_FOR_LOGGING, +                  msg.getEntityID() }); + +        } + +        // initialize Attribute extractor +        final AssertionAttributeExtractor extractor = +            new AssertionAttributeExtractor(processedMsg.getFirst().getResponse()); + +        getAuthDataFromInterfederation(extractor); + +        // set NeedConsent to false, because user gives consont during authentication +        pendingReq.setNeedUserConsent(false); + +        // store pending-request +        requestStoreage.storePendingRequest(pendingReq); + +        // write log entries +        // revisionsLogger.logEvent(pendingReq, +        // EidasAuthEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_MDS_VALID); +        log.info("Receive a valid assertion from IDP " + msg.getEntityID()); + +      } + +    } catch (final AuthnResponseValidationException e) { +      throw new TaskExecutionException(pendingReq, ERROR_MSG_03, e); + +    } catch (MessageDecodingException | SecurityException | SamlSigningException e) { +      final String samlRequest = request.getParameter("SAMLRequest"); +      log.debug("Receive INVALID PVP Response from 'ID Austria System': {}", +          samlRequest, null, e); +      throw new TaskExecutionException(pendingReq, ERROR_MSG_00, +          new AuthnResponseValidationException(ERROR_PVP_11, +              new Object[] { IdAustriaAuthConstants.MODULE_NAME_FOR_LOGGING }, e)); + +    } catch (IOException | MarshallingException | TransformerException e) { +      log.debug("Processing PVP response from 'ID Austria System' FAILED.", e); +      throw new TaskExecutionException(pendingReq, ERROR_MSG_01, +          new AuthnResponseValidationException(ERROR_PVP_12, +              new Object[] { IdAustriaAuthConstants.MODULE_NAME_FOR_LOGGING, e.getMessage() }, +              e)); + +    } catch (final CredentialsNotAvailableException e) { +      log.debug("PVP response decrytion FAILED. No credential found.", e); +      throw new TaskExecutionException(pendingReq, ERROR_MSG_02, +          new AuthnResponseValidationException(ERROR_PVP_10, +              new Object[] { IdAustriaAuthConstants.MODULE_NAME_FOR_LOGGING }, e)); + +    } catch (final Exception e) { +      log.debug("PVP response validation FAILED. Msg:" + e.getMessage(), e); +      throw new TaskExecutionException(pendingReq, ERROR_MSG_03, +          new AuthnResponseValidationException(ERROR_PVP_12, +              new Object[] { IdAustriaAuthConstants.MODULE_NAME_FOR_LOGGING, e.getMessage() }, e)); + +    } + +  } + +  private void getAuthDataFromInterfederation(AssertionAttributeExtractor extractor) +      throws EaafBuilderException, ConfigurationException { + +    final Set<String> requiredEidasNodeAttributes = +        IdAustriaAuthConstants.DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES; +    try { +      // check if all attributes are include +      if (!extractor.containsAllRequiredAttributes() +          || !extractor.containsAllRequiredAttributes( +              requiredEidasNodeAttributes)) { +        log.warn("PVP Response from 'ID Austria System' contains not all requested attributes."); +        throw new AssertionValidationExeption(ERROR_PVP_06, new Object[] { +            IdAustriaAuthConstants.MODULE_NAME_FOR_LOGGING }); + +      } + +      // copy attributes into MOASession +      final AuthProcessDataWrapper session = pendingReq.getSessionData( +          AuthProcessDataWrapper.class); + +      // validate response attributes +      validateResponseAttributes(extractor); + +      // inject all attributes into session +      final Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames(); +      for (final String attrName : includedAttrNames) { +        injectAuthInfosIntoSession(session, attrName, +            extractor.getSingleAttributeValue(attrName)); + +      } +       +      // set foreigner flag +      session.setForeigner(false); + +      // mark it as ID Austria process, because we have no baseId +      session.setEidProcess(true); + +      // set IssuerInstant from Assertion +      session.setIssueInstant(extractor.getAssertionIssuingDate()); + +      // set mandate flag +      session.setUseMandates(checkIfMandateInformationIsAvailable(extractor)); +       + +    } catch (final EaafException | IOException e) { +      throw new EaafBuilderException(ERROR_PVP_06, null, e.getMessage(), e); + +    } +  } + +   +  /** +   * Check if mandate information is available. +   *  +   * @param extractor Assertion from ID Austria system. +   * @return <code>true</code> if mandate was used, otherwise <code>false</code> +   */ +  private boolean checkIfMandateInformationIsAvailable(AssertionAttributeExtractor extractor) { +    boolean isMandateIncluded = extractor.containsAttribute(PvpAttributeDefinitions.MANDATE_TYPE_NAME); +    log.debug("Response from ID-Austria system contains mandate information. Switch to mandate-mode ... "); +    return isMandateIncluded; +     +  } + +  private void validateResponseAttributes(AssertionAttributeExtractor extractor) +      throws EaafAuthenticationException { +    final String bpkTarget = extractor.getSingleAttributeValue( +        PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME); +    final String spTarget = pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(); +    if (StringUtils.isNotEmpty(bpkTarget) && bpkTarget.equals(spTarget)) { +      log.debug("Find attr: {} that matches to requested bPK target. bPK should be valid", +          PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME); + +    } else { +      log.trace("Find not attr: {}. Validation bPK attribute ... ", +          PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME); +      final String bpk = extractor.getSingleAttributeValue(PvpAttributeDefinitions.BPK_NAME); +      final String[] split = bpk.split(":", 2); +      if (split.length == 2) { +        if (!spTarget.endsWith(split[0])) { +          log.error("bPK from response: {} does not match to SP target: {}", bpk, spTarget); +          throw new EaafAuthenticationException(IdAustriaAuthConstants.ERRORTYPE_06, null); + +        } else { +          log.trace("Prefix of PVP bPK attribte matches to SP configuration. bPK looks valid"); + +        } + +      } else { +        log.warn("Find suspect bPK that has no prefix. Use it as it is ... "); + +      } +    } +  } + +  private void injectAuthInfosIntoSession(AuthProcessDataWrapper session, +      String attrName, String attrValue) throws EaafStorageException, IOException { +    log.trace("Inject attribute: {} with value: {} into  AuthSession", attrName, attrValue); +    log.debug("Inject attribute: {} into  AuthSession", attrName); +    if (PvpAttributeDefinitions.BPK_NAME.equals(attrName)) { +      log.trace("Find bPK attribute. Extract eIDAS identifier ... "); +      session.setGenericDataToSession(MsEidasNodeConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER, +          extractBpkFromResponse(attrValue)); +       +    } else {       +      session.setGenericDataToSession(attrName, attrValue); + +    } + +  } +   +  private String extractBpkFromResponse(String pvpBpkAttrValue) { +    final String[] split = pvpBpkAttrValue.split(":", 2); +    if (split.length == 2) { +      return split[1]; + +    } else { +      log.warn("PVP bPK attribute: {} has wrong format. Use it as it is.", pvpBpkAttrValue); +      return pvpBpkAttrValue; + +    } +  } + +  private Pair<PvpSProfileResponse, Boolean> preProcessAuthResponse(PvpSProfileResponse msg) +      throws IOException, MarshallingException, TransformerException, +      CredentialsNotAvailableException, AuthnResponseValidationException, SamlAssertionValidationExeption { +    log.debug("Start PVP-2x assertion processing... "); +    final Response samlResp = (Response) msg.getResponse(); + +    // check SAML2 response status-code +    if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS)) { +      // validate PVP 2.1 assertion +      samlVerificationEngine.validateAssertion(samlResp, +          credentialProvider.getMessageEncryptionCredential(), +          pendingReq.getAuthUrl() + IdAustriaAuthConstants.ENDPOINT_METADATA, +          IdAustriaAuthConstants.MODULE_NAME_FOR_LOGGING); + +      msg.setSamlMessage(Saml2Utils.asDomDocument(samlResp).getDocumentElement()); +      // revisionsLogger.logEvent(pendingReq, +      // EidasAuthEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_RECEIVED, +      // samlResp.getID()); +      return Pair.newInstance(msg, false); + +    } else { +      log.info("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue() +          + " from 'ms-specific eIDAS node'."); +      final StatusCode subStatusCode = getSubStatusCode(samlResp); +      if (subStatusCode != null +          && IdAustriaAuthConstants.SAML2_STATUSCODE_USERSTOP.equals(subStatusCode.getValue())) { +        log.info("Find 'User-Stop operation' in SAML2 response. Stopping authentication process ... "); +        return Pair.newInstance(msg, true); + +      } + +      // revisionsLogger.logEvent(pendingReq, +      // EidasAuthEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_RECEIVED_ERROR); +      throw new AuthnResponseValidationException(ERROR_PVP_05, +          new Object[] { IdAustriaAuthConstants.MODULE_NAME_FOR_LOGGING, +              samlResp.getIssuer().getValue(), +              samlResp.getStatus().getStatusCode().getValue(), +              samlResp.getStatus().getStatusMessage().getValue() }); + +    } + +  } + +  /** +   * Get SAML2 Sub-StatusCode if not <code>null</code>. +   * +   * @param samlResp SAML2 response +   * @return Sub-StatusCode or <code>null</code> if it's not set +   */ +  private StatusCode getSubStatusCode(Response samlResp) { +    if (samlResp.getStatus().getStatusCode().getStatusCode() != null +        && StringUtils.isNotEmpty(samlResp.getStatus().getStatusCode().getStatusCode().getValue())) { +      return samlResp.getStatus().getStatusCode().getStatusCode(); + +    } +    return null; + +  } + +} diff --git a/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/tasks/RequestIdAustriaSystemTask.java b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/tasks/RequestIdAustriaSystemTask.java new file mode 100644 index 00000000..66aadde6 --- /dev/null +++ b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/tasks/RequestIdAustriaSystemTask.java @@ -0,0 +1,205 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.tasks; + +import java.security.NoSuchAlgorithmException; +import java.text.MessageFormat; +import java.util.ArrayList; +import java.util.List; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.lang3.StringUtils; +import org.opensaml.messaging.encoder.MessageEncodingException; +import org.opensaml.saml.saml2.core.Attribute; +import org.opensaml.saml.saml2.metadata.EntityDescriptor; +import org.springframework.beans.factory.annotation.Autowired; + +import at.asitplus.eidas.specific.core.config.ServiceProviderConfiguration; +import at.asitplus.eidas.specific.modules.auth.idaustria.IdAustriaAuthConstants; +import at.asitplus.eidas.specific.modules.auth.idaustria.config.IdAustriaAuthRequestBuilderConfiguration; +import at.asitplus.eidas.specific.modules.auth.idaustria.utils.IdAustriaAuthCredentialProvider; +import at.asitplus.eidas.specific.modules.auth.idaustria.utils.IdAustriaAuthMetadataProvider; +import at.asitplus.eidas.specific.modules.auth.idaustria.utils.Utils; +import at.asitplus.eidas.specific.modules.msproxyservice.protocol.ProxyServicePendingRequest; +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions; +import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import at.gv.egiz.eaaf.core.impl.utils.Random; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnRequestBuildException; +import at.gv.egiz.eaaf.modules.pvp2.sp.impl.PvpAuthnRequestBuilder; +import lombok.extern.slf4j.Slf4j; +import net.shibboleth.utilities.java.support.resolver.ResolverException; +import net.shibboleth.utilities.java.support.security.impl.SecureRandomIdentifierGenerationStrategy; + +/** + * eIDAS Authentication task that generates PVP2 S-Profile request to central + * Austrian MS-Connector. + * + * @author tlenz  + * + */ +@Slf4j +public class RequestIdAustriaSystemTask extends AbstractAuthServletTask { + +  private static final String ERROR_PVP_02 = "sp.pvp2.02"; +  private static final String ERROR_PVP_13 = "sp.pvp2.13"; + +  private static final String ERROR_MSG_1 = +      "Requested 'ms-specific eIDAS node' {0} has no valid metadata or metadata is not found"; +  private static final String ERROR_MSG_4 = +      "Build PVP2.1 AuthnRequest to connect 'ms-specific eIDAS node' FAILED."; + +  @Autowired PvpAuthnRequestBuilder authnReqBuilder; +  @Autowired IdAustriaAuthCredentialProvider credential; +  @Autowired IdAustriaAuthMetadataProvider metadataService; +  @Autowired ITransactionStorage transactionStorage; +   +  @Override +  public void execute(ExecutionContext executionContext, HttpServletRequest request, +      HttpServletResponse response) +      throws TaskExecutionException { +    try { +      //revisionsLogger.logEvent(pendingReq, EidasAuthEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_SELECTED); + +      // get entityID for central ID Austria system +      final String idAustriaEntityID = +          Utils.getIdAustriaEntityId(pendingReq.getServiceProviderConfiguration(), authConfig);            +      if (StringUtils.isEmpty(idAustriaEntityID)) { +        log.info("ID Austria authentication not possible -> NO EntityID for central central ID Austria System FOUND!"); +        throw new EaafConfigurationException(IdAustriaAuthConstants.ERRORTYPE_00, +            new Object[] { IdAustriaAuthConstants.CONFIG_PROPS_IDAUSTRIA_ENTITYID }); + +      } + +      // load IDP SAML2 entitydescriptor +      final EntityDescriptor entityDesc = metadataService.getEntityDescriptor(idAustriaEntityID); +      if (entityDesc == null) { +        throw new EaafConfigurationException(IdAustriaAuthConstants.ERRORTYPE_05, +            new Object[] { MessageFormat.format(ERROR_MSG_1, idAustriaEntityID) }); + +      } + +      // setup AuthnRequestBuilder configuration +      final IdAustriaAuthRequestBuilderConfiguration authnReqConfig = +          new IdAustriaAuthRequestBuilderConfiguration(); +      final SecureRandomIdentifierGenerationStrategy gen = +          new SecureRandomIdentifierGenerationStrategy(); +       +      // set basic infos +      authnReqConfig.setRequestId(gen.generateIdentifier()); +      authnReqConfig.setIdpEntity(entityDesc); +      authnReqConfig.setPassive(false); +      authnReqConfig.setSignCred(credential.getMessageSigningCredential()); +      authnReqConfig.setSpEntityID(pendingReq.getAuthUrl() + IdAustriaAuthConstants.ENDPOINT_METADATA);       + +      // set eIDAS Proxy-Service specific information for ID Austria system            +      authnReqConfig.setRequestedAttributes(buildRequestedAttributes(pendingReq)); + +       +      /*build relayState for session synchronization, because SAML2 only allows RelayState with 80 characters  +       * but encrypted PendingRequestId is much longer. +       */ +      String relayState = Random.nextProcessReferenceValue(); +      transactionStorage.put(relayState, pendingReq.getPendingRequestId(), -1); +       +      // build and transmit AuthnRequest +      authnReqBuilder.buildAuthnRequest(pendingReq, authnReqConfig, relayState, response); + +      //revisionsLogger.logEvent(pendingReq, +      //    EidasAuthEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_REQUESTED, +      //    authnReqConfig.getRequestID()); + +    } catch (final EaafException e) { +      throw new TaskExecutionException(pendingReq, e.getMessage(), e); + +    } catch (final ResolverException e) { +      throw new TaskExecutionException(pendingReq, +          ERROR_MSG_4, +          new AuthnRequestBuildException(ERROR_PVP_02, +              new Object[] { IdAustriaAuthConstants.MODULE_NAME_FOR_LOGGING }, e)); + +    } catch (MessageEncodingException | NoSuchAlgorithmException | SecurityException e) { +      throw new TaskExecutionException(pendingReq, +          e.getMessage(), +          new AuthnRequestBuildException(ERROR_PVP_13, +              new Object[] { IdAustriaAuthConstants.MODULE_NAME_FOR_LOGGING }, e)); + +    } catch (final Exception e) { +      throw new TaskExecutionException(pendingReq, e.getMessage(), e); + +    } +  } + +  private String selectHighestLoa(List<String> requiredLoA) { +    //TODO: implement LoA selection +    return requiredLoA.get(0); +     +  } + +  private List<EaafRequestedAttribute> buildRequestedAttributes(IRequest pendingReq) { +    final List<EaafRequestedAttribute> attributs = new ArrayList<>(); +     +    //build attribute that contains the unique identifier of the eIDAS-Connector +    injectAttribute(attributs, ExtendedPvpAttributeDefinitions.EIDAS_CONNECTOR_UNIQUEID_NAME,  +        pendingReq.getServiceProviderConfiguration().getUniqueIdentifier()); +         +    // build EID sector for identification attribute +    injectAttribute(attributs, PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME, +        pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier()); + +    // set requested LoA as attribute  +    injectAttribute(attributs, PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME, +        selectHighestLoa(pendingReq.getServiceProviderConfiguration().getRequiredLoA())); +         +    //set ProviderName if available +    String providerName = ((ProxyServicePendingRequest)pendingReq).getEidasRequest().getProviderName(); +    if (StringUtils.isNotEmpty(providerName)) { +      injectAttribute(attributs, ExtendedPvpAttributeDefinitions.SP_FRIENDLYNAME_NAME, providerName); +             +    } +         +    //set ProviderName if available +    String requesterId = ((ProxyServicePendingRequest)pendingReq).getEidasRequest().getRequesterId(); +    if (StringUtils.isNotEmpty(requesterId)) { +      injectAttribute(attributs, ExtendedPvpAttributeDefinitions.SP_UNIQUEID_NAME, requesterId); +             +    } + +    //set mandate profiles +    List<String> mandateProfiles =  +        pendingReq.getServiceProviderConfiguration(ServiceProviderConfiguration.class).getMandateProfiles(); +    if (mandateProfiles != null && !mandateProfiles.isEmpty()) { +      log.debug("Set mandate-profiles attribute into ID-Austria request"); +      injectAttribute(attributs, ExtendedPvpAttributeDefinitions.SP_USED_MANDATE_PROFILES_NAME,  +          StringUtils.join(mandateProfiles, ",")); +                   +    } +       +    // inject mandate mode attribute +    injectAttribute(attributs, ExtendedPvpAttributeDefinitions.SP_USED_MANDATE_TYPE_NAME,  +        pendingReq.getServiceProviderConfiguration(ServiceProviderConfiguration.class).getMandateMode().getMode()); +     +     +    return attributs; +  } + +  private void injectAttribute(List<EaafRequestedAttribute> attributs, String attributeName, String attributeValue) { +    final Attribute requesterIdAttr = PvpAttributeBuilder.buildEmptyAttribute(attributeName); +    final EaafRequestedAttribute requesterIdReqAttr = Saml2Utils.generateReqAuthnAttributeSimple( +        requesterIdAttr, +        true, +        attributeValue); +    attributs.add(requesterIdReqAttr); +     +  } +   +} diff --git a/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/utils/IdAustriaAuthCredentialProvider.java b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/utils/IdAustriaAuthCredentialProvider.java new file mode 100644 index 00000000..7da306b5 --- /dev/null +++ b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/utils/IdAustriaAuthCredentialProvider.java @@ -0,0 +1,130 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.utils; + +import org.springframework.beans.factory.annotation.Autowired; + +import at.asitplus.eidas.specific.modules.auth.idaustria.IdAustriaAuthConstants; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider; + +/** + * Credential provider for ID Austria PVP S-Profile client. + * + * @author tlenz + * + */ +public class IdAustriaAuthCredentialProvider extends AbstractCredentialProvider { + +  @Autowired +  IConfiguration authConfig; + + +  @Override +  public KeyStoreConfiguration getBasicKeyStoreConfig() throws EaafConfigurationException { +    final KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration(); +    keyStoreConfig.setFriendlyName(IdAustriaAuthConstants.MODULE_NAME_FOR_LOGGING); +    keyStoreConfig.setKeyStoreType( +        authConfig.getBasicConfiguration(IdAustriaAuthConstants.CONFIG_PROPS_KEYSTORE_TYPE, +            KeyStoreType.PKCS12.getKeyStoreType())); +    keyStoreConfig.setKeyStoreName( +        authConfig.getBasicConfiguration(IdAustriaAuthConstants.CONFIG_PROPS_KEYSTORE_NAME)); +    keyStoreConfig.setSoftKeyStoreFilePath(getKeyStoreFilePath()); +    keyStoreConfig.setSoftKeyStorePassword( +        authConfig.getBasicConfiguration(IdAustriaAuthConstants.CONFIG_PROPS_KEYSTOREPASSWORD)); + +    return keyStoreConfig; + +  } + +  private String getKeyStoreFilePath() throws EaafConfigurationException { +    final String path = authConfig.getBasicConfiguration( +        IdAustriaAuthConstants.CONFIG_PROPS_KEYSTORE_PATH); +    if (path == null) { +      throw new EaafConfigurationException(IdAustriaAuthConstants.ERRORTYPE_00, +          new Object[] { IdAustriaAuthConstants.CONFIG_PROPS_KEYSTORE_PATH }); + +    } +    return path; +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# +   * getMetadataKeyAlias() +   */ +  @Override +  public String getMetadataKeyAlias() { +    return authConfig.getBasicConfiguration( +        IdAustriaAuthConstants.CONFIG_PROPS_SIGN_METADATA_ALIAS); +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# +   * getMetadataKeyPassword() +   */ +  @Override +  public String getMetadataKeyPassword() { +    return authConfig.getBasicConfiguration( +        IdAustriaAuthConstants.CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD); +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# +   * getSignatureKeyAlias() +   */ +  @Override +  public String getSignatureKeyAlias() { +    return authConfig.getBasicConfiguration( +        IdAustriaAuthConstants.CONFIG_PROPS_SIGN_SIGNING_ALIAS); +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# +   * getSignatureKeyPassword() +   */ +  @Override +  public String getSignatureKeyPassword() { +    return authConfig.getBasicConfiguration( +        IdAustriaAuthConstants.CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD); +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# +   * getEncryptionKeyAlias() +   */ +  @Override +  public String getEncryptionKeyAlias() { +    return authConfig.getBasicConfiguration( +        IdAustriaAuthConstants.CONFIG_PROPS_ENCRYPTION_ALIAS); +  } + +  /* +   * (non-Javadoc) +   * +   * @see +   * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# +   * getEncryptionKeyPassword() +   */ +  @Override +  public String getEncryptionKeyPassword() { +    return authConfig.getBasicConfiguration( +        IdAustriaAuthConstants.CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD); +  } + +} diff --git a/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/utils/IdAustriaAuthMetadataProvider.java b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/utils/IdAustriaAuthMetadataProvider.java new file mode 100644 index 00000000..72c52488 --- /dev/null +++ b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/utils/IdAustriaAuthMetadataProvider.java @@ -0,0 +1,168 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.utils; + +import java.io.IOException; +import java.security.KeyStore; +import java.security.Provider; +import java.security.cert.CertificateException; +import java.text.MessageFormat; +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; + +import javax.annotation.PostConstruct; + +import org.apache.commons.lang3.StringUtils; +import org.opensaml.saml.metadata.resolver.MetadataResolver; +import org.opensaml.saml.metadata.resolver.filter.MetadataFilter; +import org.opensaml.saml.metadata.resolver.filter.MetadataFilterChain; +import org.springframework.beans.factory.annotation.Autowired; + +import at.asitplus.eidas.specific.modules.auth.idaustria.IdAustriaAuthConstants; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.http.IHttpClientFactory; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.AbstractChainingMetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SchemaValidationFilter; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SimpleMetadataSignatureVerificationFilter; +import lombok.extern.slf4j.Slf4j; + +/** + * SAML2 metadata-provider implementation for ID Austria client. + * + * @author tlenz + * + */ +@Slf4j +public class IdAustriaAuthMetadataProvider extends AbstractChainingMetadataProvider { + +  private static final String FRIENDLYNAME_METADATA_TRUSTSTORE = "'ID Austria client-metadata truststore'"; +  private static final String PROVIDER_ID_PATTERN = "ID Austria resolver: {0}"; +  public static final String PROVIDER_ID = "ID Austria_client metadata provider'"; + +  @Autowired +  private IConfiguration basicConfig; + +  @Autowired +  private PvpMetadataResolverFactory metadataProviderFactory; +  @Autowired +  private IHttpClientFactory httpClientFactory; + +  @Autowired +  private EaafKeyStoreFactory keyStoreFactory; + +  private Pair<KeyStore, Provider> metadataSigningTrustStore; + +  @Override +  protected String getMetadataUrl(String entityId) throws EaafConfigurationException { +    log.trace("ID Austria uses SAML2 well-known location approach. EntityId is Metadata-URL"); +    return entityId; + +  } + +  @Override +  protected MetadataResolver createNewMetadataProvider(String entityId) throws EaafConfigurationException, +      IOException, CertificateException { +    final List<MetadataFilter> filterList = new ArrayList<>(); +    filterList.add(new SchemaValidationFilter(true)); +    filterList.add(new SimpleMetadataSignatureVerificationFilter( +        metadataSigningTrustStore.getFirst(), entityId)); + +    final MetadataFilterChain filter = new MetadataFilterChain(); +    filter.setFilters(filterList); + +    try { +      return metadataProviderFactory.createMetadataProvider(getMetadataUrl(entityId), +          filter, +          MessageFormat.format(PROVIDER_ID_PATTERN, entityId), +          httpClientFactory.getHttpClient()); + +    } catch (final Pvp2MetadataException e) { +      log.info("Can NOT build metadata provider for entityId: {}", entityId); +      throw new EaafConfigurationException(IdAustriaAuthConstants.ERRORTYPE_04, +          new Object[] { entityId, e.getMessage() }, e); + +    } +  } + +  @Override +  protected List<String> getAllMetadataUrlsFromConfiguration() throws EaafConfigurationException { +    return Collections.emptyList(); + +  } + +  @Override +  protected String getMetadataProviderId() { +    return PROVIDER_ID; + +  } + +  @Override +  public void runGarbageCollector() { +    log.trace("Garbage collection is NOT supported by: {}", getId()); +  } + +  @Override +  public void doDestroy() { +    super.fullyDestroy(); + +  } + +  @PostConstruct +  private void initialize() throws EaafException { +    // initialize truststore to validate metadata signing certificates +    initializeTrustStore(); + +    // load metadata with metadataURL, as backup +    initializeFileSystemMetadata(); + +  } + +  private void initializeFileSystemMetadata() { +    try { +      final String metadataUrl = basicConfig.getBasicConfiguration( +          IdAustriaAuthConstants.CONFIG_PROPS_IDAUSTRIA_METADATAURL); +      if (StringUtils.isNotEmpty(metadataUrl)) { +        log.info("Use not recommended metadata-provider initialization!" +            + " SAML2 'Well-Known-Location' is the preferred methode."); +        log.info("Initialize 'ID Austria' metadata-provider with URL: {}", metadataUrl); + +        addMetadataResolverIntoChain(createNewMetadataProvider(metadataUrl)); +      } + +    } catch (final EaafConfigurationException | CertificateException | IOException e) { +      log.warn("Can NOT inject static eIDAS Node metadata-soure.", e); +      log.warn("Communication with ID Austria can be FAIL."); + +    } +  } + +  private void initializeTrustStore() throws EaafException { +    // set configuration +    final KeyStoreConfiguration trustStoreConfig = new KeyStoreConfiguration(); +    trustStoreConfig.setFriendlyName(FRIENDLYNAME_METADATA_TRUSTSTORE); +    trustStoreConfig.setKeyStoreType(basicConfig.getBasicConfiguration( +        IdAustriaAuthConstants.CONFIG_PROPS_TRUSTSTORE_TYPE, +        KeyStoreType.JKS.getKeyStoreType())); +    trustStoreConfig.setKeyStoreName(basicConfig.getBasicConfiguration( +        IdAustriaAuthConstants.CONFIG_PROPS_TRUSTSTORE_NAME)); +    trustStoreConfig.setSoftKeyStoreFilePath(basicConfig.getBasicConfiguration( +        IdAustriaAuthConstants.CONFIG_PROPS_TRUSTSTORE_PATH)); +    trustStoreConfig.setSoftKeyStorePassword(basicConfig.getBasicConfiguration( +        IdAustriaAuthConstants.CONFIG_PROPS_TRUSTSTORE_PASSWORD)); + +    // validate configuration +    trustStoreConfig.validate(); + +    // open new TrustStore +    metadataSigningTrustStore = keyStoreFactory.buildNewKeyStore(trustStoreConfig); + +  } + +} diff --git a/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/utils/Utils.java b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/utils/Utils.java new file mode 100644 index 00000000..1de6c33f --- /dev/null +++ b/modules/authmodule_id-austria/src/main/java/at/asitplus/eidas/specific/modules/auth/idaustria/utils/Utils.java @@ -0,0 +1,44 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.utils; + +import javax.annotation.Nullable; + +import org.apache.commons.lang3.StringUtils; + +import at.asitplus.eidas.specific.modules.auth.idaustria.IdAustriaAuthConstants; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; + +public class Utils { + +  /** +   * Get the EntityId of the ID Austria system that +   * should be used in this process. +   * +   * @param spConfiguration Service-Provider configuration that can include +   *    {@linkplain IdAustriaAuthConstants.CONFIG_PROPS_APPSPECIFIC_IDAUSTRIA_NODE_URL} +   * @param authConfig Basic application configuration that include +   *    {@linkplain IdAustriaAuthConstants.CONFIG_PROPS_IDAUSTRIA_ENTITYID} +   * @return EntityId, or <code>null</code> if no EntityId was found in configuration +   */ +  @Nullable +  public static String getIdAustriaEntityId( +      ISpConfiguration spConfiguration, IConfiguration authConfig) { +    // load from service-provider configuration +    String msNodeEntityID = spConfiguration.getConfigurationValue( +        IdAustriaAuthConstants.CONFIG_PROPS_APPSPECIFIC_IDAUSTRIA_NODE_URL); + +    if (StringUtils.isEmpty(msNodeEntityID)) { +      msNodeEntityID = authConfig.getBasicConfiguration( +          IdAustriaAuthConstants.CONFIG_PROPS_IDAUSTRIA_ENTITYID); + +    } + +    return msNodeEntityID; +  } +   +  private Utils() { +    //hide constructor of private class +     +  } +   +} diff --git a/modules/authmodule_id-austria/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider b/modules/authmodule_id-austria/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider new file mode 100644 index 00000000..6bf41f6f --- /dev/null +++ b/modules/authmodule_id-austria/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider @@ -0,0 +1 @@ +at.asitplus.eidas.specific.modules.auth.idaustria.IdAustriaAuthenticationSpringResourceProvider
\ No newline at end of file diff --git a/modules/authmodule_id-austria/src/main/resources/META-INF/services/at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder b/modules/authmodule_id-austria/src/main/resources/META-INF/services/at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder new file mode 100644 index 00000000..65e9482c --- /dev/null +++ b/modules/authmodule_id-austria/src/main/resources/META-INF/services/at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder @@ -0,0 +1 @@ +at.asitplus.eidas.specific.modules.auth.idaustria.builder.attributes.EidasConnecorUniqueIdAttributeBuilder diff --git a/modules/authmodule_id-austria/src/main/resources/messages/idaustria_auth_messages.properties b/modules/authmodule_id-austria/src/main/resources/messages/idaustria_auth_messages.properties new file mode 100644 index 00000000..6de6e0dc --- /dev/null +++ b/modules/authmodule_id-austria/src/main/resources/messages/idaustria_auth_messages.properties @@ -0,0 +1,10 @@ +module.idaustria.00=ID Austria authentication-module has an error in configuration. Missing: {0} +module.idaustria.01=ID Austria authentication-module has an error in configuration: {0}. Reason: {1} +module.idaustria.02=ID Austria authentication-module has an error in configuration. Reason: {0} +module.idaustria.03=ID Austria authentication-module has a general error during request pre-processing. Reason: {0} +module.idaustria.04=ID Austria authentication-module has a general error during response post-processing. +module.idaustria.05=ID Austria authentication-module can not initialize SAML2 metadata provider for entityId: {0}. Reason: {1} +module.idaustria.06=ID Austria authentication-module receives an invalid eIDAS bPK, which does NOT match to country-code of eIDAS Proxy-Service   + +module.idaustria.98=ID Austria authentication-module has an internal error. Reason: {0} +module.idaustria.99=ID Austria authentication-module has an generic internal error.
\ No newline at end of file diff --git a/modules/authmodule_id-austria/src/main/resources/process/id_austria.Authentication.process.xml b/modules/authmodule_id-austria/src/main/resources/process/id_austria.Authentication.process.xml new file mode 100644 index 00000000..e8a83e68 --- /dev/null +++ b/modules/authmodule_id-austria/src/main/resources/process/id_austria.Authentication.process.xml @@ -0,0 +1,18 @@ +<?xml version="1.0" encoding="UTF-8"?> +<pd:ProcessDefinition id="idAustriaForEidasProxyService" +                      xmlns:pd="http://reference.e-government.gv.at/namespace/moa/process/definition/v1"> + +  <pd:Task id="createAuthnRequestTask"    class="createIdAustriaAuthnRequestTask" /> +  <pd:Task id="receiveAuthnResponseTask"  class="receiveIdAustriaAuthnResponseTask"   async="true" /> +  <pd:Task id="finalizeAuthentication"    class="FinalizeAuthenticationTask" /> + +  <pd:StartEvent id="start" /> +     +  <pd:Transition  from="start"                              to="createAuthnRequestTask" /> +  <pd:Transition  from="createAuthnRequestTask"             to="receiveAuthnResponseTask" /> +  <pd:Transition  from="receiveAuthnResponseTask"           to="finalizeAuthentication" />  +  <pd:Transition  from="finalizeAuthentication"             to="end" />   +   +  <pd:EndEvent  id="end" /> + +</pd:ProcessDefinition> diff --git a/modules/authmodule_id-austria/src/main/resources/spring/id_austria_auth.beans.xml b/modules/authmodule_id-austria/src/main/resources/spring/id_austria_auth.beans.xml new file mode 100644 index 00000000..d2d16bf9 --- /dev/null +++ b/modules/authmodule_id-austria/src/main/resources/spring/id_austria_auth.beans.xml @@ -0,0 +1,36 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" +  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" +  xmlns:context="http://www.springframework.org/schema/context" +  xmlns:tx="http://www.springframework.org/schema/tx" +  xmlns:aop="http://www.springframework.org/schema/aop" +  xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd +    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd +    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd +    http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd"> + +  <context:annotation-config /> + +  <bean id="idAustriaEidasProxyAuthModule" +        class="at.asitplus.eidas.specific.modules.auth.idaustria.IdAustriaEidasProxyAuthenticationModulImpl" /> +   +  <bean id="eiAustriaAuthMessageSource" +        class="at.asitplus.eidas.specific.modules.auth.idaustria.config.IdAustriaAuthMessageSource" /> +   +  <bean id="idAustriaAuthCredentialProvider" +        class="at.asitplus.eidas.specific.modules.auth.idaustria.utils.IdAustriaAuthCredentialProvider" /> +  +  <bean id="idAustriaAuthMetadataController" +        class="at.asitplus.eidas.specific.modules.auth.idaustria.controller.IdAustriaAuthMetadataController" /> + +  <bean id="idAustriaAuthSignalController" +        class="at.asitplus.eidas.specific.modules.auth.idaustria.controller.IdAustriaAuthSignalController" /> +         +  <bean id="idAustriaAuthMetadataProvider" +        class="at.asitplus.eidas.specific.modules.auth.idaustria.utils.IdAustriaAuthMetadataProvider" /> +   +  <!-- bean id="eidasAuthHealthCheck" +        class="at.gv.egiz.eid.authhandler.modules.auth.eidas.utils.EidasCentralAuthHealthCheck" /--> + +   +</beans>
\ No newline at end of file diff --git a/modules/authmodule_id-austria/src/main/resources/spring/id_austria_task.beans.xml b/modules/authmodule_id-austria/src/main/resources/spring/id_austria_task.beans.xml new file mode 100644 index 00000000..9da9145d --- /dev/null +++ b/modules/authmodule_id-austria/src/main/resources/spring/id_austria_task.beans.xml @@ -0,0 +1,23 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" +  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" +  xmlns:context="http://www.springframework.org/schema/context" +  xmlns:tx="http://www.springframework.org/schema/tx" +  xmlns:aop="http://www.springframework.org/schema/aop" +  xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd +    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd +    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd +    http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd"> + +  <context:annotation-config /> + +  <!-- eIDAS Authentication Process Tasks -->  +  <bean id="createIdAustriaAuthnRequestTask" +        class="at.asitplus.eidas.specific.modules.auth.idaustria.tasks.RequestIdAustriaSystemTask" +        scope="prototype" /> + +  <bean id="receiveIdAustriaAuthnResponseTask" +        class="at.asitplus.eidas.specific.modules.auth.idaustria.tasks.ReceiveFromIdAustriaSystemTask" +        scope="prototype" /> + +</beans>
\ No newline at end of file diff --git a/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/IdAustriaAuthSpringResourceProviderTest.java b/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/IdAustriaAuthSpringResourceProviderTest.java new file mode 100644 index 00000000..478a3ad4 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/IdAustriaAuthSpringResourceProviderTest.java @@ -0,0 +1,56 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.test; + +import java.io.IOException; +import java.io.InputStream; + +import org.apache.commons.io.IOUtils; +import org.junit.Assert; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.BlockJUnit4ClassRunner; +import org.springframework.core.io.Resource; + +import at.asitplus.eidas.specific.modules.auth.idaustria.IdAustriaAuthenticationSpringResourceProvider; +import at.gv.egiz.eaaf.core.test.TestConstants; + + + +@RunWith(BlockJUnit4ClassRunner.class) +public class IdAustriaAuthSpringResourceProviderTest { + +  @Test +  public void testSpringConfig() { +    final IdAustriaAuthenticationSpringResourceProvider test = +        new IdAustriaAuthenticationSpringResourceProvider(); +    for (final Resource el : test.getResourcesToLoad()) { +      try { +        IOUtils.toByteArray(el.getInputStream()); + +      } catch (final IOException e) { +        Assert.fail("Ressouce: " + el.getFilename() + " not found"); +      } + +    } + +    Assert.assertNotNull("no Name", test.getName()); +    Assert.assertNull("Find package definitions", test.getPackagesToScan()); + +  } +  +  @Test +  public void testSpILoaderConfig() { +    final InputStream el = this.getClass().getResourceAsStream(TestConstants.TEST_SPI_LOADER_PATH); +    try { +      final String spiFile = IOUtils.toString(el, "UTF-8"); + +      Assert.assertEquals("Wrong classpath in SPI file", +          IdAustriaAuthenticationSpringResourceProvider.class.getName(), spiFile); + + +    } catch (final IOException e) { +      Assert.fail("Ressouce: " + TestConstants.TEST_SPI_LOADER_PATH + " not found"); + +    } +  } + +} diff --git a/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/IdAustriaEidasProxyAuthenticationModulImplTest.java b/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/IdAustriaEidasProxyAuthenticationModulImplTest.java new file mode 100644 index 00000000..5a4c8b7e --- /dev/null +++ b/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/IdAustriaEidasProxyAuthenticationModulImplTest.java @@ -0,0 +1,102 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.test; + +import java.util.HashMap; +import java.util.Map; + +import org.junit.Assert; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.core.io.Resource; +import org.springframework.core.io.ResourceLoader; +import org.springframework.test.annotation.DirtiesContext; +import org.springframework.test.annotation.DirtiesContext.ClassMode; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; + +import at.asitplus.eidas.specific.modules.auth.idaustria.IdAustriaEidasProxyAuthenticationModulImpl; +import at.asitplus.eidas.specific.modules.msproxyservice.protocol.ProxyServicePendingRequest; +import at.gv.egiz.eaaf.core.api.data.EaafConfigConstants; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.api.idp.process.ProcessEngine; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.ModuleRegistration; +import at.gv.egiz.eaaf.core.impl.idp.module.test.DummyConfiguration; +import at.gv.egiz.eaaf.core.impl.idp.module.test.DummySpConfiguration; +import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl; +import at.gv.egiz.eaaf.core.impl.idp.process.ExecutionContextImpl; + +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration(locations = { +    "/spring/SpringTest-context_basic_test.xml", +    "/spring/SpringTest-context_basic_mapConfig.xml"}) +@DirtiesContext(classMode = ClassMode.BEFORE_CLASS) +public class IdAustriaEidasProxyAuthenticationModulImplTest { + +  @Autowired ModuleRegistration moduleReg;  +  @Autowired ResourceLoader loader; +  @Autowired ProcessEngine processEngine; +   +   +  private final ExecutionContext executionContext = new ExecutionContextImpl(); +  private DummySpConfiguration oaParam; +  private IdAustriaEidasProxyAuthenticationModulImpl authProcess =  +      new IdAustriaEidasProxyAuthenticationModulImpl(); + +   +  /** +   * jUnit test set-up. +   *  +   */ +  @Before +  public void initialize() { +    Map<String, String> configMap = new HashMap<String, String>(); +    configMap.put(EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER, "http://test.com/test");     +    IConfiguration basicConfig = new DummyConfiguration(); +    oaParam = new DummySpConfiguration(configMap, basicConfig); + +  } + +  @Test +  public void checkProcessDefinition() { +    Assert.assertNotNull("AuthModule is null", authProcess); +    Assert.assertNotNull("AuthModule process is null", authProcess.getProcessDefinitions()); +     +    for (String el : authProcess.getProcessDefinitions()) { +      Resource res = loader.getResource(el); +      Assert.assertTrue("AuthProcess description not extist", res.exists()); +       +    }     +  } +   +  @Test +  public void idAustriaAuthSelected() throws Exception {     +    ProxyServicePendingRequest pendingReq = new ProxyServicePendingRequest();     +    pendingReq.setOnlineApplicationConfiguration(oaParam); +     +    //execute test +    final String result = moduleReg.selectProcess(executionContext, pendingReq);    +     +    //validate state +    Assert.assertNotNull("Process is null", result); +    Assert.assertEquals("Process Id not match", "idAustriaForEidasProxyService", result); + +    Assert.assertNotNull("Can not initalize process", processEngine.createProcessInstance(result)); +     +  } +   +  @Test +  public void wrongPendingRequestType() throws Exception {     +    TestRequestImpl pendingReq = new TestRequestImpl();     +    pendingReq.setSpConfig(oaParam); +     +    //execute test +    final String result = moduleReg.selectProcess(executionContext, pendingReq);    +     +    //validate state +    Assert.assertNull("AuthProcessName", result); + +  } +   +} diff --git a/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/builder/attributes/EidasConnecorUniqueIdAttributeBuilderTest.java b/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/builder/attributes/EidasConnecorUniqueIdAttributeBuilderTest.java new file mode 100644 index 00000000..9f42f5e5 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/builder/attributes/EidasConnecorUniqueIdAttributeBuilderTest.java @@ -0,0 +1,54 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.test.builder.attributes; + +import org.junit.Assert; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; + +import at.asitplus.eidas.specific.modules.auth.idaustria.builder.attributes.EidasConnecorUniqueIdAttributeBuilder; +import at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder; +import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; +import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; +import at.gv.egiz.eaaf.core.impl.idp.auth.attributes.AbstractAttributeBuilderTest; + +/** + * Attribute builder to generate an attribute that holds the unique eIDSA-Connector identifier for this process.  + * <br> + * The attribute-value is read from {@link ISpConfiguration} with method <code>getUniqueIdentifier()</code> + *  + * @author tlenz + * + */ +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration(locations = { +    "/spring/SpringTest-context_basic_mapConfig.xml", +    "/spring/SpringTest-context_basic_test.xml", +}) +public class EidasConnecorUniqueIdAttributeBuilderTest extends AbstractAttributeBuilderTest { + +  private final IAttributeBuilder attrBuilder = new EidasConnecorUniqueIdAttributeBuilder(); +   +  @Test +  public void attributeName() { +    Assert.assertEquals("Wrong attribute name",  +        "urn:eidgvat:attributes.eidas.uniqueId", attrBuilder.getName()); +     +  } +   +  @Test +  public void checkEmptyAttribute() {     +    String value = attrBuilder.buildEmpty(gen);     +    Assert.assertNull("Attr. not null", value); +         +  } +  +   +  @Test +  public void withAttributeValue() throws AttributeBuilderException, Exception {       +    String value = attrBuilder.build(spConfig, buildAuthData(), gen);     +    Assert.assertEquals("wrong attributeValue", spConfig.getUniqueIdentifier(), value); +         +  } +   +} diff --git a/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/config/IdAustriaAuthMessageSourceTest.java b/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/config/IdAustriaAuthMessageSourceTest.java new file mode 100644 index 00000000..2a92c01e --- /dev/null +++ b/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/config/IdAustriaAuthMessageSourceTest.java @@ -0,0 +1,50 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.test.config; + +import java.util.List; + +import org.junit.Assert; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.core.io.Resource; +import org.springframework.core.io.ResourceLoader; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; + +import at.asitplus.eidas.specific.modules.auth.idaustria.config.IdAustriaAuthMessageSource; +import at.gv.egiz.eaaf.core.api.logging.IMessageSourceLocation; + +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration(locations = { +    "/spring/SpringTest-context_basic_test.xml", +    "/spring/SpringTest-context_basic_mapConfig.xml", +  }) +public class IdAustriaAuthMessageSourceTest { + +  @Autowired +  private ResourceLoader loader; +  @Autowired(required = false) +  private List<IMessageSourceLocation> messageSources; + +  @Test +  public void checkMessageSources() { +    Assert.assertNotNull("No messageSource", messageSources); +    Assert.assertFalse("No message source", messageSources.isEmpty()); +     +    boolean found = false; +     +    for (final IMessageSourceLocation messageSource : messageSources) { +      found = found ? found : messageSource instanceof IdAustriaAuthMessageSource; + +      Assert.assertNotNull("No sourcePath", messageSource.getMessageSourceLocation()); +      for (final String el : messageSource.getMessageSourceLocation()) { +        final Resource messages = loader.getResource(el + ".properties"); +        Assert.assertTrue("Source not exist", messages.exists()); + +      } +    } +     +    Assert.assertTrue("Internal messagesource not found", found); +     +  } +} diff --git a/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/controller/IdAustriaAuthMetadataControllerFirstTest.java b/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/controller/IdAustriaAuthMetadataControllerFirstTest.java new file mode 100644 index 00000000..0df74f7b --- /dev/null +++ b/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/controller/IdAustriaAuthMetadataControllerFirstTest.java @@ -0,0 +1,186 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.test.controller; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.UnsupportedEncodingException; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.List; +import java.util.Map; + +import org.junit.Assert; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; +import org.opensaml.core.xml.io.UnmarshallingException; +import org.opensaml.core.xml.util.XMLObjectSupport; +import org.opensaml.saml.common.xml.SAMLConstants; +import org.opensaml.saml.metadata.resolver.filter.FilterException; +import org.opensaml.saml.metadata.resolver.filter.MetadataFilterContext; +import org.opensaml.saml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml.saml2.metadata.SPSSODescriptor; +import org.opensaml.security.x509.BasicX509Credential; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.mock.web.MockHttpServletResponse; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.web.servlet.config.annotation.EnableWebMvc; + +import at.asitplus.eidas.specific.core.test.config.dummy.MsConnectorDummyConfigMap; +import at.asitplus.eidas.specific.modules.auth.idaustria.IdAustriaAuthConstants; +import at.asitplus.eidas.specific.modules.auth.idaustria.controller.IdAustriaAuthMetadataController; +import at.asitplus.eidas.specific.modules.auth.idaustria.utils.IdAustriaAuthCredentialProvider; +import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SchemaValidationFilter; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SimpleMetadataSignatureVerificationFilter; +import net.shibboleth.utilities.java.support.xml.XMLParserException; + +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration(locations = { +    "/spring/SpringTest-context_basic_mapConfig.xml", +    "/spring/SpringTest-context_basic_test.xml" +}) +@EnableWebMvc +public class IdAustriaAuthMetadataControllerFirstTest { + +  private MockHttpServletRequest httpReq; +  private MockHttpServletResponse httpResp; + +  @Autowired private IdAustriaAuthMetadataController controller; +  @Autowired private IdAustriaAuthCredentialProvider credProvider; +  @Autowired private MsConnectorDummyConfigMap config; + +  /** +   * JUnit class initializer. +   * +   * @throws Exception In case of an OpenSAML3 initialization error +   */ +  @BeforeClass +  public static void initialize() throws Exception { +    EaafOpenSaml3xInitializer.eaafInitialize(); + +  } + +  /** +   * Single jUnit-test set-up. +   */ +  @Before +  public void testSetup() { +    httpReq = new MockHttpServletRequest("GET", "https://localhost/authhandler"); +    httpReq.setContextPath("/authhandler"); +    httpResp = new MockHttpServletResponse(); + +    //remove additional attributes +    Map<String, String> attr = config.getBasicConfigurationWithPrefix( +        "eidas.ms.modules.idaustriaauth.required.additional.attributes."); +    for (String el : attr.keySet()) { +      config.removeConfigValue("eidas.ms.modules.idaustriaauth.required.additional.attributes." + el); +       +    } +     + +  } + +  @Test +  public void buildMetadataValid() throws IOException, EaafException, +      XMLParserException, UnmarshallingException, FilterException { + +    //build metdata +     controller.getSpMetadata(httpReq, httpResp); + +    //check result +    validateResponse(16); + +  } + +  @Test +  public void buildMetadataValidWithAdditionalAttributes() throws IOException, EaafException, +      XMLParserException, UnmarshallingException, FilterException { +    config.putConfigValue("eidas.ms.modules.idaustriaauth.required.additional.attributes.1", +        PvpAttributeDefinitions.BPK_LIST_NAME + ",true"); +    config.putConfigValue("eidas.ms.modules.idaustriaauth.required.additional.attributes.2", +        PvpAttributeDefinitions.PVP_VERSION_NAME + ",false"); +    config.putConfigValue("eidas.ms.modules.idaustriaauth.required.additional.attributes.7", +        PvpAttributeDefinitions.EID_SIGNER_CERTIFICATE_NAME + ",true"); +     +    config.putConfigValue("eidas.ms.modules.idaustriaauth.required.additional.attributes.3", "bbbbb"); +    config.putConfigValue("eidas.ms.modules.idaustriaauth.required.additional.attributes.4", "bbbbb,false,test"); +    config.putConfigValue("eidas.ms.modules.idaustriaauth.required.additional.attributes.5", "bbbbb,nichts"); +    config.putConfigValue("eidas.ms.modules.idaustriaauth.required.additional.attributes.6", ""); + +    //build metdata +     controller.getSpMetadata(httpReq, httpResp); + +    //check result +    validateResponse(17); + +  } + +  private void validateResponse(int numberOfRequestedAttributes) throws UnsupportedEncodingException, +      XMLParserException, UnmarshallingException, FilterException, CredentialsNotAvailableException { +    Assert.assertEquals("HTTP Statuscode", 200, httpResp.getStatus()); +    Assert.assertEquals("ContentType", "text/xml; charset=utf-8", httpResp.getContentType()); +    Assert.assertEquals("ContentEncoding", "UTF-8", httpResp.getCharacterEncoding()); + +    final String metadataXml = httpResp.getContentAsString(); +    Assert.assertNotNull("XML Metadata", metadataXml); + +    final EntityDescriptor metadata = (EntityDescriptor) XMLObjectSupport.unmarshallFromInputStream( +        XMLObjectProviderRegistrySupport.getParserPool(), new ByteArrayInputStream(metadataXml.getBytes("UTF-8"))); + +    Assert.assertEquals("EntityId", +        "http://localhost/authhandler" + IdAustriaAuthConstants.ENDPOINT_METADATA, +        metadata.getEntityID()); + +    MetadataFilterContext filterContext = new MetadataFilterContext(); +     +    //check XML scheme +    final SchemaValidationFilter schemaFilter = new SchemaValidationFilter(); +    schemaFilter.filter(metadata, filterContext); + +    //check signature +    final SimpleMetadataSignatureVerificationFilter sigFilter = +        new SimpleMetadataSignatureVerificationFilter(credProvider.getKeyStore().getFirst(), +            metadata.getEntityID()); +    sigFilter.filter(metadata, filterContext); + +    //check content +    final SPSSODescriptor spSsoDesc = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); +    Assert.assertNotNull("SPSSODescr.", spSsoDesc); + +    Assert.assertFalse("AssertionConsumerServices", +        spSsoDesc.getAssertionConsumerServices().isEmpty()); +    Assert.assertTrue("ContactPersons", metadata.getContactPersons().isEmpty()); +    Assert.assertNull("ContactPersons", metadata.getOrganization()); + +    Assert.assertFalse("KeyDescriptors", +        spSsoDesc.getKeyDescriptors().isEmpty()); +    Assert.assertEquals("#KeyDescriptors", 2, spSsoDesc.getKeyDescriptors().size()); + +    Assert.assertFalse("NameIDFormats", +        spSsoDesc.getNameIDFormats().isEmpty()); +    Assert.assertEquals("wrong NameIDFormats", "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", +        spSsoDesc.getNameIDFormats().get(0).getURI()); + +    Assert.assertFalse("AttributeConsumingServices", +        spSsoDesc.getAttributeConsumingServices().isEmpty()); +    Assert.assertEquals("#RequestAttributes", numberOfRequestedAttributes, +        spSsoDesc.getAttributeConsumingServices().get(0).getRequestedAttributes().size()); + +  } + +  private List<BasicX509Credential> convertX509Certs(List<X509Certificate> certs) { +    final List<BasicX509Credential> result = new ArrayList<>(); +    for (final X509Certificate cert : certs) { +      result.add(new BasicX509Credential(cert)); + +    } +    return result; +  } +} diff --git a/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/controller/IdAustriaAuthSignalControllerTest.java b/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/controller/IdAustriaAuthSignalControllerTest.java new file mode 100644 index 00000000..e9ecbc58 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/controller/IdAustriaAuthSignalControllerTest.java @@ -0,0 +1,200 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.test.controller; + +import java.io.IOException; +import java.util.HashMap; +import java.util.Map; + +import org.apache.commons.lang3.RandomStringUtils; +import org.junit.Assert; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.mock.web.MockHttpServletResponse; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.util.SerializationUtils; +import org.springframework.web.servlet.config.annotation.EnableWebMvc; + +import at.asitplus.eidas.specific.modules.auth.idaustria.controller.IdAustriaAuthSignalController; +import at.gv.egiz.eaaf.core.api.IRequestStorage; +import at.gv.egiz.eaaf.core.api.data.EaafConfigConstants; +import at.gv.egiz.eaaf.core.api.data.ExceptionContainer; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage; +import at.gv.egiz.eaaf.core.api.utils.IPendingRequestIdGenerationStrategy; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.idp.module.test.DummyProtocolAuthService; +import at.gv.egiz.eaaf.core.impl.idp.module.test.DummySpConfiguration; +import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl; +import at.gv.egiz.eaaf.core.impl.idp.process.spring.test.DummyTransactionStorage.DummyDbEntry; + +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration(locations = { +    "/spring/SpringTest-context_basic_mapConfig.xml", +    "/spring/SpringTest-context_basic_test.xml" +}) +@EnableWebMvc +public class IdAustriaAuthSignalControllerTest { + +  @Autowired(required = true) +  private IdAustriaAuthSignalController controller; +  @Autowired(required = true) +  private ITransactionStorage cache; +  @Autowired(required = true) +  private IPendingRequestIdGenerationStrategy pendingReqGeneration; +  @Autowired(required = true) +  private IRequestStorage reqStorage; +  @Autowired(required = true) +  private IConfiguration basicConfig; +  @Autowired private ITransactionStorage transactionStorage; +   +  @Autowired private DummyProtocolAuthService protAuthService; + +  @Test +  public void noRelayState() throws IOException, EaafException { +    final MockHttpServletRequest httpReq = +        new MockHttpServletRequest("POST", "https://localhost/ms_connectoror"); +    final MockHttpServletResponse httpResp = new MockHttpServletResponse(); + +    controller.performEidasAuthentication(httpReq, httpResp); +    Assert.assertEquals("httpStausCode", 200, httpResp.getStatus()); + +    final String errorId = protAuthService.getErrorKey(); +    final Object error = cache.get(errorId); +    Assert.assertNotNull("Error is null", error); +    org.springframework.util.Assert.isInstanceOf(byte[].class, +        ((DummyDbEntry) error).getObj()); +    final Object errorObj = SerializationUtils.deserialize((byte[]) ((DummyDbEntry) error).getObj()); +    org.springframework.util.Assert.isInstanceOf(ExceptionContainer.class, errorObj); +    org.springframework.util.Assert.isInstanceOf(EaafException.class, +        ((ExceptionContainer) errorObj).getExceptionThrown()); + +  } + +  @Test +  public void validRelayStateNoPendingReqId() throws EaafException, IOException { +    final String pendingReqId = pendingReqGeneration.generateExternalPendingRequestId(); +    final MockHttpServletRequest httpReq = +        new MockHttpServletRequest("POST", "https://localhost/ms_connectoror"); +    httpReq.addParameter(IdAustriaAuthSignalController.HTTP_PARAM_RELAYSTATE, pendingReqId); +    final MockHttpServletResponse httpResp = new MockHttpServletResponse(); + +    controller.performEidasAuthentication(httpReq, httpResp); +    Assert.assertEquals("httpStausCode", 200, httpResp.getStatus()); + +    final String errorId = protAuthService.getErrorKey(); +    final Object error = cache.get(errorId); +    Assert.assertNotNull("Error is null", error); +    org.springframework.util.Assert.isInstanceOf(byte[].class, +        ((DummyDbEntry) error).getObj()); +    final Object errorObj = SerializationUtils.deserialize((byte[]) ((DummyDbEntry) error).getObj()); +    org.springframework.util.Assert.isInstanceOf(ExceptionContainer.class, errorObj); +    org.springframework.util.Assert.isInstanceOf(EaafException.class, +        ((ExceptionContainer) errorObj).getExceptionThrown()); +    //TODO: +    Assert.assertEquals("ErrorCode not match", "auth.26", +        ((EaafException) ((ExceptionContainer) errorObj).getExceptionThrown()).getErrorId()); + +  } + +  @Test +  public void validRelayStateSuspectPendingReqId() throws EaafException, IOException { +    String relayState = RandomStringUtils.randomAlphanumeric(10);     +    transactionStorage.put(relayState, false, -1); +     +    final MockHttpServletRequest httpReq = +        new MockHttpServletRequest("POST", "https://localhost/ms_connectoror"); +    httpReq.addParameter(IdAustriaAuthSignalController.HTTP_PARAM_RELAYSTATE, relayState); +    final MockHttpServletResponse httpResp = new MockHttpServletResponse(); + +    controller.performEidasAuthentication(httpReq, httpResp); +    Assert.assertEquals("httpStausCode", 200, httpResp.getStatus()); + +    final String errorId = protAuthService.getErrorKey(); +    final Object error = cache.get(errorId); +    Assert.assertNotNull("Error is null", error); +    org.springframework.util.Assert.isInstanceOf(byte[].class, +        ((DummyDbEntry) error).getObj()); +    final Object errorObj = SerializationUtils.deserialize((byte[]) ((DummyDbEntry) error).getObj()); +    org.springframework.util.Assert.isInstanceOf(ExceptionContainer.class, errorObj); +    org.springframework.util.Assert.isInstanceOf(EaafException.class, +        ((ExceptionContainer) errorObj).getExceptionThrown()); +    //TODO: +    Assert.assertEquals("ErrorCode not match", "auth.26", +        ((EaafException) ((ExceptionContainer) errorObj).getExceptionThrown()).getErrorId()); +     +    Assert.assertNull("RelayState was not removed", transactionStorage.get(relayState)); + +  } +   +  @Test +  public void validRelayStateNoPendingReq() throws EaafException, IOException { +    final String pendingReqId = pendingReqGeneration.generateExternalPendingRequestId(); +    String relayState = RandomStringUtils.randomAlphanumeric(10);     +    transactionStorage.put(relayState, pendingReqId, -1); +     +    final MockHttpServletRequest httpReq = +        new MockHttpServletRequest("POST", "https://localhost/ms_connectoror"); +    httpReq.addParameter(IdAustriaAuthSignalController.HTTP_PARAM_RELAYSTATE, relayState); +    final MockHttpServletResponse httpResp = new MockHttpServletResponse(); + +    controller.performEidasAuthentication(httpReq, httpResp); +    Assert.assertEquals("httpStausCode", 200, httpResp.getStatus()); + +    final String errorId = protAuthService.getErrorKey(); +    final Object error = cache.get(errorId); +    Assert.assertNotNull("Error is null", error); +    org.springframework.util.Assert.isInstanceOf(byte[].class, +        ((DummyDbEntry) error).getObj()); +    final Object errorObj = SerializationUtils.deserialize((byte[]) ((DummyDbEntry) error).getObj()); +    org.springframework.util.Assert.isInstanceOf(ExceptionContainer.class, errorObj); +    org.springframework.util.Assert.isInstanceOf(EaafException.class, +        ((ExceptionContainer) errorObj).getExceptionThrown()); +    //TODO: +    Assert.assertEquals("ErrorCode not match", "auth.28", +        ((EaafException) ((ExceptionContainer) errorObj).getExceptionThrown()).getErrorId()); + +    Assert.assertNull("RelayState was not removed", transactionStorage.get(relayState)); +     +  } +   +  @Test +  public void validRelayStateWithPendingReq() throws EaafException, IOException { +    final String pendingReqId = pendingReqGeneration.generateExternalPendingRequestId(); + +    String relayState = RandomStringUtils.randomAlphanumeric(10);     +    transactionStorage.put(relayState, pendingReqId, -1); +     +    final TestRequestImpl pendingReq = new TestRequestImpl(); +    pendingReq.setPendingReqId(pendingReqId); +    pendingReq.setAuthUrl("http://localhost/idp"); +    final Map<String, String> spConfigMap = new HashMap<>(); +    spConfigMap.put(EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER, "http://test.sp"); +    final DummySpConfiguration spConfig = new DummySpConfiguration(spConfigMap, basicConfig); +    pendingReq.setSpConfig(spConfig); +    reqStorage.storePendingRequest(pendingReq); + +    final MockHttpServletRequest httpReq = +        new MockHttpServletRequest("POST", "https://localhost/ms_connectoror"); +    httpReq.addParameter(IdAustriaAuthSignalController.HTTP_PARAM_RELAYSTATE, relayState); +    final MockHttpServletResponse httpResp = new MockHttpServletResponse(); + +    controller.performEidasAuthentication(httpReq, httpResp); + +    Assert.assertEquals("httpStausCode", 200, httpResp.getStatus()); + +    final String errorId = protAuthService.getErrorKey(); +    final Object error = cache.get(errorId); +    Assert.assertNotNull("Error is null", error); +    org.springframework.util.Assert.isInstanceOf(byte[].class, +        ((DummyDbEntry) error).getObj()); +    final Object errorObj = SerializationUtils.deserialize((byte[]) ((DummyDbEntry) error).getObj()); +    org.springframework.util.Assert.isInstanceOf(ExceptionContainer.class, errorObj); +    org.springframework.util.Assert.isInstanceOf(EaafException.class, +        ((ExceptionContainer) errorObj).getExceptionThrown()); +    Assert.assertEquals("ErrorCode not match", +        "PendingRequest object is not of type 'RequestImpl.class'", +        ((EaafException) ((ExceptionContainer) errorObj).getExceptionThrown()).getErrorId()); +  } +} diff --git a/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/task/ReceiveAuthnResponseTaskTest.java b/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/task/ReceiveAuthnResponseTaskTest.java new file mode 100644 index 00000000..c452fe22 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/task/ReceiveAuthnResponseTaskTest.java @@ -0,0 +1,792 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.test.task; + +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNull; +import static org.junit.Assert.assertThrows; +import static org.junit.Assert.assertTrue; + +import java.io.IOException; +import java.time.Instant; +import java.util.Arrays; +import java.util.Base64; +import java.util.HashMap; +import java.util.Map; + +import javax.xml.transform.TransformerException; + +import org.apache.commons.io.IOUtils; +import org.apache.commons.lang3.RandomStringUtils; +import org.junit.Assert; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; +import org.opensaml.core.xml.io.MarshallingException; +import org.opensaml.core.xml.io.UnmarshallingException; +import org.opensaml.core.xml.util.XMLObjectSupport; +import org.opensaml.saml.saml2.core.Issuer; +import org.opensaml.saml.saml2.core.Response; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.ApplicationContext; +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.mock.web.MockHttpServletResponse; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.web.context.request.RequestContextHolder; +import org.springframework.web.context.request.ServletRequestAttributes; + +import at.asitplus.eidas.specific.core.MsEidasNodeConstants; +import at.asitplus.eidas.specific.core.config.ServiceProviderConfiguration; +import at.asitplus.eidas.specific.core.test.config.dummy.MsConnectorDummyConfigMap; +import at.asitplus.eidas.specific.modules.auth.idaustria.IdAustriaAuthConstants; +import at.asitplus.eidas.specific.modules.auth.idaustria.tasks.ReceiveFromIdAustriaSystemTask; +import at.asitplus.eidas.specific.modules.auth.idaustria.utils.IdAustriaAuthCredentialProvider; +import at.asitplus.eidas.specific.modules.auth.idaustria.utils.IdAustriaAuthMetadataProvider; +import at.asitplus.eidas.specific.modules.msproxyservice.protocol.ProxyServicePendingRequest; +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.IRequestStorage; +import at.gv.egiz.eaaf.core.api.data.EaafConfigConstants; +import at.gv.egiz.eaaf.core.api.data.EaafConstants; +import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper; +import at.gv.egiz.eaaf.core.impl.idp.process.ExecutionContextImpl; +import at.gv.egiz.eaaf.core.impl.utils.DomUtils; +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; +import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnResponseValidationException; +import net.shibboleth.utilities.java.support.xml.XMLParserException; + +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration(locations = { +    "/spring/SpringTest-context_basic_mapConfig.xml", +    "/spring/SpringTest-context_basic_test.xml", +}) +public class ReceiveAuthnResponseTaskTest { + +  private static final String METADATA_PATH = "classpath:/data/idp_metadata_classpath_entity.xml"; + +  @Autowired ApplicationContext context; +  @Autowired MsConnectorDummyConfigMap config; + +  @Autowired IdAustriaAuthMetadataProvider metadataProvider; +  @Autowired IdAustriaAuthCredentialProvider credentialProvider; +  @Autowired PvpMetadataResolverFactory metadataFactory; +  @Autowired IRequestStorage storage; + +  final ExecutionContext executionContext = new ExecutionContextImpl(); +  private MockHttpServletRequest httpReq; +  private MockHttpServletResponse httpResp; + +  private ProxyServicePendingRequest pendingReq; +  private ServiceProviderConfiguration oaParam; +  private Map<String, String> spConfig; + +  private ReceiveFromIdAustriaSystemTask task; + +  /** +   * JUnit class initializer. +   * +   * @throws Exception In case of an OpenSAML3 initialization error +   */ +  @BeforeClass +  public static void initialize() throws Exception { +    EaafOpenSaml3xInitializer.eaafInitialize(); + +  } + +  /** +   * jUnit test set-up. +   * +   * @throws Exception In case of an set-up error +   */ +  @Before +  public void setUp() throws Exception { +    task = (ReceiveFromIdAustriaSystemTask) context.getBean("receiveIdAustriaAuthnResponseTask"); + +    httpReq = new MockHttpServletRequest("POST", "https://localhost/ms_connector"); +    httpReq.setScheme("https"); +    httpReq.setServerPort(443); +    httpReq.setContextPath("/authhandler"); +    httpResp = new MockHttpServletResponse(); +    RequestContextHolder.resetRequestAttributes(); +    RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpReq, httpResp)); + +    config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_IDAUSTRIA_ENTITYID, +        "classpath:/data/idp_metadata_classpath_entity.xml"); +    config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_SIGN_SIGNING_ALIAS, "sig"); + +    spConfig = new HashMap<>(); +    spConfig.put(EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER, "http://test.com/test"); +    oaParam = new ServiceProviderConfiguration(spConfig, config); +    oaParam.setRequiredLoA(Arrays.asList(EaafConstants.EIDAS_LOA_HIGH)); + +    pendingReq = new ProxyServicePendingRequest(); +    pendingReq.initialize(httpReq, config); +    pendingReq.setPendingRequestId(RandomStringUtils.randomAlphanumeric(10)); +    pendingReq.setOnlineApplicationConfiguration(oaParam); + +    metadataProvider.fullyDestroy(); + +  } + +  @Test +  public void unsupportedHttpMethode() { +    httpReq = new MockHttpServletRequest("PUT", "https://localhost/ms_connector"); +    RequestContextHolder.resetRequestAttributes(); +    RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpReq, httpResp)); + +    final TaskExecutionException e = assertThrows(TaskExecutionException.class, +        () -> task.execute(pendingReq, executionContext)); + +    Assert.assertNotNull(e.getPendingRequestID()); +    Assert.assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); +    Assert.assertNotNull(e.getOriginalException()); +    org.springframework.util.Assert.isInstanceOf(AuthnResponseValidationException.class, +        e.getOriginalException()); +    Assert.assertEquals("sp.pvp2.03", +        ((AuthnResponseValidationException) e.getOriginalException()).getErrorId()); + +  } + +  @Test +  public void httpGetNoMessage() { +    httpReq = new MockHttpServletRequest("GET", "https://localhost/ms_connector"); +    RequestContextHolder.resetRequestAttributes(); +    RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpReq, httpResp)); + +    final TaskExecutionException e = assertThrows(TaskExecutionException.class, +        () -> task.execute(pendingReq, executionContext)); + +    Assert.assertNotNull(e.getPendingRequestID()); +    Assert.assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); +    Assert.assertNotNull(e.getOriginalException()); +    org.springframework.util.Assert.isInstanceOf(AuthnResponseValidationException.class, +        e.getOriginalException()); +    Assert.assertEquals("sp.pvp2.12", +        ((AuthnResponseValidationException) e.getOriginalException()).getErrorId()); + +  } + +  @Test +  public void httpPostNoMessage() { + +    final TaskExecutionException e = assertThrows(TaskExecutionException.class, +        () -> task.execute(pendingReq, executionContext)); + +    Assert.assertNotNull(e.getPendingRequestID()); +    Assert.assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); +    Assert.assertNotNull(e.getOriginalException()); +    org.springframework.util.Assert.isInstanceOf(AuthnResponseValidationException.class, +        e.getOriginalException()); +    Assert.assertEquals("sp.pvp2.12", +        ((AuthnResponseValidationException) e.getOriginalException()).getErrorId()); + +  } + +  @Test +  public void httpPostMessageNotSigned() throws IOException { + +    httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( +        IOUtils.toByteArray(ReceiveAuthnResponseTaskTest.class.getResourceAsStream( +            "/data/Response_without_sig_classpath_entityid.xml")))); + +    final TaskExecutionException e = assertThrows(TaskExecutionException.class, +        () -> task.execute(pendingReq, executionContext)); + +    Assert.assertNotNull(e.getPendingRequestID()); +    Assert.assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); +    Assert.assertNotNull(e.getOriginalException()); +    org.springframework.util.Assert.isInstanceOf(AuthnResponseValidationException.class, +        e.getOriginalException()); +    Assert.assertEquals("sp.pvp2.12", +        ((AuthnResponseValidationException) e.getOriginalException()).getErrorId()); + +  } + +  @Test +  public void httpPostMessageWrongDestinationEndpoint() throws IOException, SamlSigningException, +      Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, +      TransformerException, MarshallingException { + +    final Response response = initializeResponse( +        "classpath:/data/idp_metadata_classpath_entity.xml", +        "/data/Response_with_wrong_destination_endpoint.xml", +        credentialProvider.getMessageSigningCredential(), true); +    httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( +        DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( +            "UTF-8"))); + +    final TaskExecutionException e = assertThrows(TaskExecutionException.class, +        () -> task.execute(pendingReq, executionContext)); + +    Assert.assertNotNull(e.getPendingRequestID()); +    Assert.assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); +    Assert.assertNotNull(e.getOriginalException()); +    org.springframework.util.Assert.isInstanceOf(AuthnResponseValidationException.class, +        e.getOriginalException()); +    Assert.assertEquals("sp.pvp2.12", +        ((AuthnResponseValidationException) e.getOriginalException()).getErrorId()); + +  } + +  @Test +  public void httpPostValidSignedNoMetadata() throws IOException, SamlSigningException, +      Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, +      MarshallingException, TransformerException { + +    final Response response = initializeResponse( +        "classpath:/data/idp_metadata_classpath_entity.xml", +        "/data/Response_without_sig_classpath_entityid.xml", +        credentialProvider.getMessageSigningCredential(), true); +    httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( +        DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( +            "UTF-8"))); + +    final TaskExecutionException e = assertThrows(TaskExecutionException.class, +        () -> task.execute(pendingReq, executionContext)); + +    Assert.assertNotNull(e.getPendingRequestID()); +    Assert.assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); +    Assert.assertNotNull(e.getOriginalException()); +    org.springframework.util.Assert.isInstanceOf(AuthnResponseValidationException.class, +        e.getOriginalException()); +    Assert.assertEquals("sp.pvp2.11", +        ((EaafException) e.getOriginalException()).getErrorId()); + +  } + +  @Test +  public void httpPostValidSignedAssertionOutDated() throws IOException, SamlSigningException, +      Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, +      MarshallingException, TransformerException { + +    metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( +        METADATA_PATH, null, "jUnit IDP", null)); + +    final Response response = initializeResponse( +        "classpath:/data/idp_metadata_classpath_entity.xml", +        "/data/Response_without_sig_classpath_entityid.xml", +        credentialProvider.getMessageSigningCredential(), false); +    httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( +        DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( +            "UTF-8"))); + +    final TaskExecutionException e = assertThrows(TaskExecutionException.class, +        () -> task.execute(pendingReq, executionContext)); + +    Assert.assertNotNull(e.getPendingRequestID()); +    Assert.assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); +    Assert.assertNotNull(e.getOriginalException()); +    org.springframework.util.Assert.isInstanceOf(AuthnResponseValidationException.class, +        e.getOriginalException()); +    Assert.assertEquals("sp.pvp2.12", +        ((EaafException) e.getOriginalException()).getErrorId()); + +  } + +  @Test +  public void httpPostValidSignedAssertionFromWrongIdp() throws IOException, SamlSigningException, +      Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, +      MarshallingException, TransformerException { + +    metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( +        METADATA_PATH, null, "jUnit IDP", null)); + +    config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_IDAUSTRIA_ENTITYID, +        RandomStringUtils.randomAlphabetic(10)); + +    final Response response = initializeResponse( +        "classpath:/data/idp_metadata_classpath_entity.xml", +        "/data/Response_without_sig_classpath_entityid.xml", +        credentialProvider.getMessageSigningCredential(), +        true); +    httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( +        DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( +            "UTF-8"))); + +    final TaskExecutionException e = assertThrows(TaskExecutionException.class, +        () -> task.execute(pendingReq, executionContext)); + +    Assert.assertNotNull(e.getPendingRequestID()); +    Assert.assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); +    Assert.assertNotNull(e.getOriginalException()); +    org.springframework.util.Assert.isInstanceOf(AuthnResponseValidationException.class, +        e.getOriginalException()); +    Assert.assertEquals("sp.pvp2.08", +        ((EaafException) e.getOriginalException()).getErrorId()); +     +  } + +  @Test +  public void httpPostValidSignedWitError() throws IOException, SamlSigningException, +      Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, +      MarshallingException, TransformerException { + +    metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( +        METADATA_PATH, null, "jUnit IDP", null)); + +    final Response response = initializeResponse( +        "classpath:/data/idp_metadata_classpath_entity.xml", +        "/data/Response_without_sig_with_error.xml", +        credentialProvider.getMessageSigningCredential(), +        true); +    httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( +        DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( +            "UTF-8"))); + +    final TaskExecutionException e = assertThrows(TaskExecutionException.class, +        () -> task.execute(pendingReq, executionContext)); + +    Assert.assertNotNull(e.getPendingRequestID()); +    Assert.assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); +    Assert.assertNotNull(e.getOriginalException()); +    org.springframework.util.Assert.isInstanceOf(AuthnResponseValidationException.class, +        e.getOriginalException()); +    Assert.assertEquals("sp.pvp2.05", +        ((EaafException) e.getOriginalException()).getErrorId()); + +  } + +  @Test +  public void httpPostValidSignedWitUserStopErrorCode() throws IOException, SamlSigningException, +      Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, +      MarshallingException, TransformerException, TaskExecutionException { + +    metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( +        METADATA_PATH, null, "jUnit IDP", null)); + +    final Response response = initializeResponse( +        "classpath:/data/idp_metadata_classpath_entity.xml", +        "/data/Response_without_sig_with_error_userstop.xml", +        credentialProvider.getMessageSigningCredential(), +        true); +    httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( +        DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( +            "UTF-8"))); + +    // perform test +    task.execute(pendingReq, executionContext); + +    // validate state +    Assert.assertTrue("process not cancelled", executionContext.isProcessCancelled()); +    Assert.assertTrue("process not stopped by user", pendingReq.isAbortedByUser()); +    Assert.assertFalse("should not authenticated", pendingReq.isAuthenticated()); + +  } + +  @Test +  public void httpPostValidSignedWithErrorAndNoSubCode() throws IOException, SamlSigningException, +      Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, +      MarshallingException, TransformerException { + +    metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( +        METADATA_PATH, null, "jUnit IDP", null)); + +    final Response response = initializeResponse( +        "classpath:/data/idp_metadata_classpath_entity.xml", +        "/data/Response_without_sig_with_error_without_subcode.xml", +        credentialProvider.getMessageSigningCredential(), +        true); +    httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( +        DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( +            "UTF-8"))); + +    final TaskExecutionException e = assertThrows(TaskExecutionException.class, +        () -> task.execute(pendingReq, executionContext)); + +    Assert.assertNotNull(e.getPendingRequestID()); +    Assert.assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); +    Assert.assertNotNull(e.getOriginalException()); +    org.springframework.util.Assert.isInstanceOf(AuthnResponseValidationException.class, +        e.getOriginalException()); +    Assert.assertEquals("sp.pvp2.05", +        ((EaafException) e.getOriginalException()).getErrorId()); + +  } + +  @Test +  public void httpPostValidSignedWithErrorAndEmptySubCode() throws IOException, SamlSigningException, +      Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, +      MarshallingException, TransformerException { + +    metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( +        METADATA_PATH, null, "jUnit IDP", null)); + +    final Response response = initializeResponse( +        "classpath:/data/idp_metadata_classpath_entity.xml", +        "/data/Response_without_sig_with_error_empty_subcode.xml", +        credentialProvider.getMessageSigningCredential(), +        true); +    httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( +        DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( +            "UTF-8"))); + +    final TaskExecutionException e = assertThrows(TaskExecutionException.class, +        () -> task.execute(pendingReq, executionContext)); + +    Assert.assertNotNull(e.getPendingRequestID()); +    Assert.assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); +    Assert.assertNotNull(e.getOriginalException()); +    org.springframework.util.Assert.isInstanceOf(AuthnResponseValidationException.class, +        e.getOriginalException()); +    Assert.assertEquals("sp.pvp2.05", +        ((EaafException) e.getOriginalException()).getErrorId()); + +  } + +  @Test +  public void httpPostValidSignedAssertionMissingAttributes() throws IOException, SamlSigningException, +      Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, +      MarshallingException, TransformerException, TaskExecutionException { + +    metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( +        METADATA_PATH, null, "jUnit IDP", null)); + +    final Response response = initializeResponse( +        "classpath:/data/idp_metadata_classpath_entity.xml", +        "/data/Response_with_EID_wrong_data.xml", +        credentialProvider.getMessageSigningCredential(), +        true); +    httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( +        DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( +            "UTF-8"))); + +    // perform task +    final TaskExecutionException e = assertThrows(TaskExecutionException.class, +        () -> task.execute(pendingReq, executionContext)); + +    Assert.assertNotNull(e.getPendingRequestID()); +    Assert.assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); +    Assert.assertNotNull(e.getOriginalException()); +    org.springframework.util.Assert.isInstanceOf(AuthnResponseValidationException.class, +        e.getOriginalException()); +    Assert.assertEquals("sp.pvp2.12", +        ((EaafException) e.getOriginalException()).getErrorId()); +    Assert.assertEquals("sp.pvp2.06", +        ((EaafException) ((EaafException) e.getOriginalException()).getCause()).getErrorId()); + +  } + +  @Test +  public void httpPostValidSignedAssertionWrongBpkTarget() throws IOException, XMLParserException, UnmarshallingException, +      MarshallingException, TransformerException, TaskExecutionException, EaafException { + +    oaParam.setBpkTargetIdentifier(EaafConstants.URN_PREFIX_EIDAS + "AT+ZZ"); +     +    metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( +        METADATA_PATH, null, "jUnit IDP", null)); + +    final Response response = initializeResponse( +        "classpath:/data/idp_metadata_classpath_entity.xml", +        "/data/Response_with_EID.xml", +        credentialProvider.getMessageSigningCredential(), +        true); +    httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( +        DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( +            "UTF-8"))); + +    // perform task +    final TaskExecutionException e = assertThrows(TaskExecutionException.class, +        () -> task.execute(pendingReq, executionContext)); + +    Assert.assertNotNull(e.getPendingRequestID()); +    Assert.assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); +    Assert.assertNotNull(e.getOriginalException()); +    org.springframework.util.Assert.isInstanceOf(AuthnResponseValidationException.class, +        e.getOriginalException()); +    Assert.assertEquals("sp.pvp2.12", +        ((EaafException) e.getOriginalException()).getErrorId()); +    Assert.assertEquals("sp.pvp2.06", +        ((EaafException) ((EaafException) e.getOriginalException()).getCause()).getErrorId()); +    Assert.assertEquals("module.idaustria.06", +        ((EaafException) ((EaafException) ((EaafException) e.getOriginalException()) +            .getCause()).getCause()).getErrorId()); + +  } +   +  @Test +  public void httpPostValidSignedAssertionEidValid() throws IOException, XMLParserException, UnmarshallingException, +      MarshallingException, TransformerException, TaskExecutionException, EaafException { + +    oaParam.setBpkTargetIdentifier(EaafConstants.URN_PREFIX_EIDAS + "AT+XX"); +     +    metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( +        METADATA_PATH, null, "jUnit IDP", null)); + +    final Response response = initializeResponse( +        "classpath:/data/idp_metadata_classpath_entity.xml", +        "/data/Response_with_EID.xml", +        credentialProvider.getMessageSigningCredential(), +        true); +    httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( +        DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( +            "UTF-8"))); + +    // perform task +    task.execute(pendingReq, executionContext); + +    // validate state +    IRequest storedReq = storage.getPendingRequest(pendingReq.getPendingRequestId()); +    Assert.assertNotNull("pendingReq not stored", storedReq); +    final AuthProcessDataWrapper session = pendingReq.getSessionData(AuthProcessDataWrapper.class); +    Assert.assertFalse("foreigner flag", session.isForeigner()); +    assertTrue("eidProcess flag", session.isEidProcess()); +    assertFalse("useMandate flag", session.isMandateUsed()); +     +    checkAttributeInSession(session,PvpAttributeDefinitions.GIVEN_NAME_NAME, "Max"); +    checkAttributeInSession(session,PvpAttributeDefinitions.PRINCIPAL_NAME_NAME, "Mustermann"); +    checkAttributeInSession(session,PvpAttributeDefinitions.BIRTHDATE_NAME, "1940-01-01"); +    checkAttributeInSession(session,PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME, "http://eidas.europa.eu/LoA/high"); +    checkAttributeInSession(session,PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, "AT"); +     +    //pre-generated eIDAS identifer +    checkAttributeInSession(session, MsEidasNodeConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER, "QVGm48cqcM4UcyhDTNGYmVdrIoY="); +         +  } + + + +  @Test +  public void httpPostValidSignedAssertionMinimumAttributes() throws IOException, XMLParserException, UnmarshallingException, +      MarshallingException, TransformerException, TaskExecutionException, EaafException { + +    oaParam.setBpkTargetIdentifier(EaafConstants.URN_PREFIX_EIDAS + "AT+CC"); +     +    metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( +        METADATA_PATH, null, "jUnit IDP", null)); + +    final Response response = initializeResponse( +        "classpath:/data/idp_metadata_classpath_entity.xml", +        "/data/Response_with_EID_minimum.xml", +        credentialProvider.getMessageSigningCredential(), +        true); +    httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( +        DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( +            "UTF-8"))); + +    // perform task +    task.execute(pendingReq, executionContext); + +    // validate state +    IRequest storedReq = storage.getPendingRequest(pendingReq.getPendingRequestId()); +    Assert.assertNotNull("pendingReq not stored", storedReq); +    final AuthProcessDataWrapper session = pendingReq.getSessionData(AuthProcessDataWrapper.class); +    Assert.assertFalse("foreigner flag", session.isForeigner()); +     +    checkAttributeInSession(session,PvpAttributeDefinitions.GIVEN_NAME_NAME, "Max"); +    checkAttributeInSession(session,PvpAttributeDefinitions.PRINCIPAL_NAME_NAME, "Mustermann"); +    checkAttributeInSession(session,PvpAttributeDefinitions.BIRTHDATE_NAME, "1940-01-01"); +    checkAttributeInSession(session,PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, "AT"); +     +    checkAttributeInSession(session,MsEidasNodeConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER, "QVGm48cqcM4UcyhDTNGYmVdrIoY="); + +  } +   +  @Test +  public void httpPostValidSignedAssertionEidBpkWithoutPrefix() throws IOException, XMLParserException, UnmarshallingException, +      MarshallingException, TransformerException, TaskExecutionException, EaafException { + +    oaParam.setBpkTargetIdentifier(EaafConstants.URN_PREFIX_EIDAS + "AT+XX"); +     +    metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( +        METADATA_PATH, null, "jUnit IDP", null)); + +    final Response response = initializeResponse( +        "classpath:/data/idp_metadata_classpath_entity.xml", +        "/data/Response_with_EID_bpk_without_prefix.xml", +        credentialProvider.getMessageSigningCredential(), +        true); +    httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( +        DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( +            "UTF-8"))); + +    // perform task +    task.execute(pendingReq, executionContext); + +    // validate state +    IRequest storedReq = storage.getPendingRequest(pendingReq.getPendingRequestId()); +    Assert.assertNotNull("pendingReq not stored", storedReq); +    final AuthProcessDataWrapper session = pendingReq.getSessionData(AuthProcessDataWrapper.class); +    Assert.assertFalse("foreigner flag", session.isForeigner()); +     +    checkAttributeInSession(session,PvpAttributeDefinitions.GIVEN_NAME_NAME, "Susi"); +    checkAttributeInSession(session,PvpAttributeDefinitions.PRINCIPAL_NAME_NAME, "Heinz"); +    checkAttributeInSession(session,PvpAttributeDefinitions.BIRTHDATE_NAME, "1955-01-01"); +    checkAttributeInSession(session,PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME, "http://eidas.europa.eu/LoA/aabbcc"); +    checkAttributeInSession(session,PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, "AT"); +     +    //pre-generated eIDAS identifer +    checkAttributeInSession(session,MsEidasNodeConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER, "QVGm48cqcasfasfsafsafdM4UcyhDTNGYmVdrIoY="); +         +  } +   +  @Test +  public void httpPostValidSignedAssertionEidWithEidSectorAttr() throws IOException, XMLParserException, UnmarshallingException, +      MarshallingException, TransformerException, TaskExecutionException, EaafException { + +    oaParam.setBpkTargetIdentifier(EaafConstants.URN_PREFIX_EIDAS + "AT+AB"); +     +    metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( +        METADATA_PATH, null, "jUnit IDP", null)); + +    final Response response = initializeResponse( +        "classpath:/data/idp_metadata_classpath_entity.xml", +        "/data/Response_with_EID_with_eid_sector_attr.xml", +        credentialProvider.getMessageSigningCredential(), +        true); +    httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( +        DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( +            "UTF-8"))); + +    // perform task +    task.execute(pendingReq, executionContext); + +    // validate state +    IRequest storedReq = storage.getPendingRequest(pendingReq.getPendingRequestId()); +    Assert.assertNotNull("pendingReq not stored", storedReq); +    final AuthProcessDataWrapper session = pendingReq.getSessionData(AuthProcessDataWrapper.class); +    Assert.assertFalse("foreigner flag", session.isForeigner()); +     +    checkAttributeInSession(session,PvpAttributeDefinitions.GIVEN_NAME_NAME, "Susi"); +    checkAttributeInSession(session,PvpAttributeDefinitions.PRINCIPAL_NAME_NAME, "Heinz"); +    checkAttributeInSession(session,PvpAttributeDefinitions.BIRTHDATE_NAME, "1955-01-01"); +    checkAttributeInSession(session,PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME, "http://eidas.europa.eu/LoA/aabbcc"); +    checkAttributeInSession(session,PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, "AT"); +     +    //pre-generated eIDAS identifer +    checkAttributeInSession(session,MsEidasNodeConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER, "QVGm48cqcasfasfsafsafdM4UcyhDTNGYmVdrIoY="); +         +  } +   +  @Test +  public void httpPostValidSignedAssertionEidValidWithJurMandate() throws IOException, XMLParserException, UnmarshallingException, +      MarshallingException, TransformerException, TaskExecutionException, EaafException { + +    oaParam.setBpkTargetIdentifier(EaafConstants.URN_PREFIX_EIDAS + "AT+XX"); +     +    metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( +        METADATA_PATH, null, "jUnit IDP", null)); + +    final Response response = initializeResponse( +        "classpath:/data/idp_metadata_classpath_entity.xml", +        "/data/Response_with_EID_with_mandate_jur.xml", +        credentialProvider.getMessageSigningCredential(), +        true); +    httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( +        DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( +            "UTF-8"))); + +    // perform task +    task.execute(pendingReq, executionContext); + +    // validate state +    IRequest storedReq = storage.getPendingRequest(pendingReq.getPendingRequestId()); +    Assert.assertNotNull("pendingReq not stored", storedReq); +    final AuthProcessDataWrapper session = pendingReq.getSessionData(AuthProcessDataWrapper.class); +    Assert.assertFalse("foreigner flag", session.isForeigner()); +    assertTrue("eidProcess flag", session.isEidProcess()); +    assertTrue("useMandate flag", session.isMandateUsed()); +     +    checkAttributeInSession(session, PvpAttributeDefinitions.GIVEN_NAME_NAME, "Max"); +    checkAttributeInSession(session, PvpAttributeDefinitions.PRINCIPAL_NAME_NAME, "Mustermann"); +    checkAttributeInSession(session, PvpAttributeDefinitions.BIRTHDATE_NAME, "1940-01-01"); +    checkAttributeInSession(session, PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME, "http://eidas.europa.eu/LoA/high"); +    checkAttributeInSession(session, PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, "AT"); +     +    checkAttributeInSession(session, PvpAttributeDefinitions.MANDATE_TYPE_NAME, "Generalvollmacht"); +    checkAttributeInSession(session, PvpAttributeDefinitions.MANDATE_LEG_PER_FULL_NAME_NAME, "Testfirma"); +    checkAttributeInSession(session, PvpAttributeDefinitions.MANDATE_LEG_PER_SOURCE_PIN_NAME, "999999m"); +    checkAttributeInSession(session, PvpAttributeDefinitions.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, "urn:publicid:gv.at:baseid+XERSB"); +     +    //pre-generated eIDAS identifer +    checkAttributeInSession(session, MsEidasNodeConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER, "QVGm48cqcM4UcyhDTNGYmVdrIoY="); +    assertNull("find nat. person bpk for mandator", session.getGenericDataFromSession( +        PvpAttributeDefinitions.MANDATE_NAT_PER_BPK_NAME, String.class)); +     +     +  } +   +  @Test +  public void httpPostValidSignedAssertionEidValidWithNatMandate() throws IOException, XMLParserException, UnmarshallingException, +      MarshallingException, TransformerException, TaskExecutionException, EaafException { + +    oaParam.setBpkTargetIdentifier(EaafConstants.URN_PREFIX_EIDAS + "AT+XX"); +     +    metadataProvider.addMetadataResolverIntoChain(metadataFactory.createMetadataProvider( +        METADATA_PATH, null, "jUnit IDP", null)); + +    final Response response = initializeResponse( +        "classpath:/data/idp_metadata_classpath_entity.xml", +        "/data/Response_with_EID_with_mandate_nat.xml", +        credentialProvider.getMessageSigningCredential(), +        true); +    httpReq.addParameter("SAMLResponse", Base64.getEncoder().encodeToString( +        DomUtils.serializeNode(XMLObjectSupport.getMarshaller(response).marshall(response)).getBytes( +            "UTF-8"))); + +    // perform task +    task.execute(pendingReq, executionContext); + +    // validate state +    IRequest storedReq = storage.getPendingRequest(pendingReq.getPendingRequestId()); +    Assert.assertNotNull("pendingReq not stored", storedReq); +    final AuthProcessDataWrapper session = pendingReq.getSessionData(AuthProcessDataWrapper.class); +    Assert.assertFalse("foreigner flag", session.isForeigner()); +    assertTrue("eidProcess flag", session.isEidProcess()); +    assertTrue("useMandate flag", session.isMandateUsed()); +     +    checkAttributeInSession(session, PvpAttributeDefinitions.GIVEN_NAME_NAME, "Max"); +    checkAttributeInSession(session, PvpAttributeDefinitions.PRINCIPAL_NAME_NAME, "Mustermann"); +    checkAttributeInSession(session, PvpAttributeDefinitions.BIRTHDATE_NAME, "1940-01-01"); +    checkAttributeInSession(session, PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME, "http://eidas.europa.eu/LoA/high"); +    checkAttributeInSession(session, PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, "AT"); +     +    checkAttributeInSession(session, PvpAttributeDefinitions.MANDATE_TYPE_NAME, "GeneralvollmachtBilateral"); +    checkAttributeInSession(session, PvpAttributeDefinitions.MANDATE_NAT_PER_GIVEN_NAME_NAME, "Gerti"); +    checkAttributeInSession(session, PvpAttributeDefinitions.MANDATE_NAT_PER_FAMILY_NAME_NAME, "Musterfrau"); +    checkAttributeInSession(session, PvpAttributeDefinitions.MANDATE_NAT_PER_BIRTHDATE_NAME, "01-02-1941"); +    checkAttributeInSession(session, PvpAttributeDefinitions.MANDATE_NAT_PER_BPK_NAME, "AT+XX:AFSDAFSDFDSFCSDAFASDF="); + +         +    //pre-generated eIDAS identifer +    checkAttributeInSession(session, MsEidasNodeConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER,  +        "QVGm48cqcM4UcyhDTNGYmVdrIoY="); +     +     +  } +   +  private void checkAttributeInSession(AuthProcessDataWrapper session, String attrName, String expected) { +    String value = session.getGenericDataFromSession(attrName, String.class); +    Assert.assertEquals("wrong attr. value", expected, value); +     +  } +   +  private Response initializeResponse(String idpEntityId, String responsePath, EaafX509Credential credential, +      boolean validConditions) throws SamlSigningException, XMLParserException, UnmarshallingException, +      Pvp2MetadataException { + +    final Response response = (Response) XMLObjectSupport.unmarshallFromInputStream( +        XMLObjectProviderRegistrySupport.getParserPool(), +        ReceiveAuthnResponseTaskTest.class.getResourceAsStream(responsePath)); +    response.setIssueInstant(Instant.now()); +    final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class); +    issuer.setValue(idpEntityId); +    response.setIssuer(issuer); + +    if (validConditions) { +      response.getAssertions().get(0).getConditions().setNotOnOrAfter(Instant.now().plusSeconds(5*60)); + +    } + +    return Saml2Utils.signSamlObject(response, credential, true); +  } +} diff --git a/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/task/RequestIdAustriaSystemTaskTest.java b/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/task/RequestIdAustriaSystemTaskTest.java new file mode 100644 index 00000000..f6ffc729 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/task/RequestIdAustriaSystemTaskTest.java @@ -0,0 +1,454 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.test.task; + +import static org.junit.Assert.assertThrows; +import static org.junit.Assert.assertTrue; + +import java.io.ByteArrayInputStream; +import java.io.InputStream; +import java.util.Arrays; +import java.util.Base64; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.UUID; + +import org.apache.commons.lang3.RandomStringUtils; +import org.junit.Assert; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; +import org.opensaml.core.xml.schema.XSString; +import org.opensaml.core.xml.util.XMLObjectSupport; +import org.opensaml.saml.common.xml.SAMLConstants; +import org.opensaml.saml.saml2.core.AuthnRequest; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.ApplicationContext; +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.mock.web.MockHttpServletResponse; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.web.context.request.RequestContextHolder; +import org.springframework.web.context.request.ServletRequestAttributes; + +import at.asitplus.eidas.specific.core.config.ServiceProviderConfiguration; +import at.asitplus.eidas.specific.core.test.config.dummy.MsConnectorDummyConfigMap; +import at.asitplus.eidas.specific.modules.auth.idaustria.IdAustriaAuthConstants; +import at.asitplus.eidas.specific.modules.auth.idaustria.tasks.RequestIdAustriaSystemTask; +import at.asitplus.eidas.specific.modules.auth.idaustria.utils.IdAustriaAuthMetadataProvider; +import at.asitplus.eidas.specific.modules.msproxyservice.protocol.ProxyServicePendingRequest; +import at.gv.egiz.eaaf.core.api.data.EaafConfigConstants; +import at.gv.egiz.eaaf.core.api.data.EaafConstants; +import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions.SpMandateModes; +import at.gv.egiz.eaaf.core.api.gui.IVelocityGuiBuilderConfiguration; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.module.gui.DummyGuiBuilderConfigurationFactory; +import at.gv.egiz.eaaf.core.impl.idp.process.ExecutionContextImpl; +import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttributes; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; +import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine; +import eu.eidas.auth.commons.light.impl.LightRequest; + +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration(locations = { +    "/spring/SpringTest-context_basic_mapConfig.xml", +    "/spring/SpringTest-context_basic_test.xml", +}) +public class RequestIdAustriaSystemTaskTest { + +  private static final String METADATA_PATH = "classpath:/data/idp_metadata_classpath_entity.xml"; +  private static final String METADATA_SP_PATH = "classpath:/data/sp_metadata_junit.xml"; + +  @Autowired ApplicationContext context; +  @Autowired MsConnectorDummyConfigMap config; +  @Autowired IdAustriaAuthMetadataProvider metadataProvider; +  @Autowired PvpMetadataResolverFactory metadataFactory; +  @Autowired DummyGuiBuilderConfigurationFactory guiBuilderConfigFactory; +  @Autowired SamlVerificationEngine samlVerifyEngine; +  @Autowired ITransactionStorage transactionStorage; + +  final ExecutionContext executionContext = new ExecutionContextImpl(); +  private MockHttpServletRequest httpReq; +  private MockHttpServletResponse httpResp; +  private ProxyServicePendingRequest pendingReq; +  private ServiceProviderConfiguration oaParam; +  private Map<String, String> spConfig; +   +  private RequestIdAustriaSystemTask task; + +  /** +   * JUnit class initializer. +   * +   * @throws Exception In case of an OpenSAML3 initialization error +   */ +  @BeforeClass +  public static void initialize() throws Exception { +    EaafOpenSaml3xInitializer.eaafInitialize(); + +  } + +  /** +   * jUnit test set-up. +   * +   * @throws Exception In case of an set-up error +   */ +  @Before +  public void setUp() throws Exception { +    task = (RequestIdAustriaSystemTask) context.getBean("createIdAustriaAuthnRequestTask"); + +    httpReq = new MockHttpServletRequest("POST", "https://localhost/authhandler"); +    httpResp = new MockHttpServletResponse(); +    RequestContextHolder.resetRequestAttributes(); +    RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpReq, httpResp)); + +    config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_SIGN_SIGNING_ALIAS, "sig"); +    config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_IDAUSTRIA_ENTITYID, METADATA_PATH); +     +    spConfig = new HashMap<>(); +    spConfig.put(EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER, "http://test.com/test"); +    oaParam = new ServiceProviderConfiguration(spConfig, config);     +    oaParam.setRequiredLoA(Arrays.asList(EaafConstants.EIDAS_LOA_HIGH)); +     +    String spCountryCode = RandomStringUtils.randomAlphabetic(2).toUpperCase(); +    oaParam.setBpkTargetIdentifier(EaafConstants.URN_PREFIX_EIDAS + "AT+"  +        + spCountryCode); +     +    pendingReq = new ProxyServicePendingRequest(); +    pendingReq.initialize(httpReq, config); +    pendingReq.setPendingRequestId(RandomStringUtils.randomAlphanumeric(10)); +    pendingReq.setOnlineApplicationConfiguration(oaParam); +     +    metadataProvider.fullyDestroy(); +    guiBuilderConfigFactory.setVelocityBuilderConfig(createDummyGuiConfig()); + +  } + +  @Test +  public void missingIdAustriaSystemEntiryId() { +    config.removeConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_IDAUSTRIA_ENTITYID); + +     +    TaskExecutionException e = assertThrows(TaskExecutionException.class, +        () -> task.execute(pendingReq, executionContext));   +     +    Assert.assertNotNull(e.getPendingRequestID()); +    Assert.assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); +    Assert.assertNotNull(e.getOriginalException()); +    org.springframework.util.Assert.isInstanceOf(EaafConfigurationException.class, +        e.getOriginalException()); +    Assert.assertEquals("module.idaustria.00", +        ((EaafConfigurationException) e.getOriginalException()).getErrorId()); + + +  } + +  @Test +  public void noMetadataAvailableOnGlobalConfig() { +    config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_IDAUSTRIA_ENTITYID, +        RandomStringUtils.randomAlphabetic(10)); + + +      TaskExecutionException e = assertThrows(TaskExecutionException.class, +          () -> task.execute(pendingReq, executionContext)); + +      Assert.assertNotNull(e.getPendingRequestID()); +      Assert.assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); +      Assert.assertNotNull(e.getOriginalException()); +      org.springframework.util.Assert.isInstanceOf(EaafConfigurationException.class, +          e.getOriginalException()); +      Assert.assertEquals("module.idaustria.05", +          ((EaafConfigurationException) e.getOriginalException()).getErrorId()); + + +  } + +  @Test +  public void noMetadataSigningKeyStore() throws Pvp2MetadataException {     +    config.removeConfigValue("eidas.ms.modules.idaustriaauth.request.sign.alias"); + +    metadataProvider.addMetadataResolverIntoChain( +        metadataFactory.createMetadataProvider(METADATA_PATH, null, "jUnitTest", null)); + +      TaskExecutionException e = assertThrows(TaskExecutionException.class, +          () -> task.execute(pendingReq, executionContext)); + +      Assert.assertNotNull(e.getPendingRequestID()); +      Assert.assertEquals(pendingReq.getPendingRequestId(), e.getPendingRequestID()); +      Assert.assertNotNull(e.getOriginalException()); +      org.springframework.util.Assert.isInstanceOf(CredentialsNotAvailableException.class, +          e.getOriginalException()); +      Assert.assertEquals("internal.pvp.01", +          ((CredentialsNotAvailableException) e.getOriginalException()).getErrorId()); + +  } + +  @Test +  public void successWithoutSpInfos() throws Pvp2InternalErrorException, SecurityException, Exception { +    metadataProvider.addMetadataResolverIntoChain( +        metadataFactory.createMetadataProvider(METADATA_PATH, null, "jUnitTest", null)); +     +    LightRequest.Builder eidasRequestBuilder = LightRequest.builder() +        .id(UUID.randomUUID().toString()) +        .issuer(RandomStringUtils.randomAlphabetic(10)) +        .citizenCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .levelOfAssurance(EaafConstants.EIDAS_LOA_HIGH) +        .spCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .spType("public"); +    pendingReq.setEidasRequest(eidasRequestBuilder.build()); +     +    //execute test +    task.execute(pendingReq, executionContext); + +    //validate state +    final EaafRequestedAttributes reqAttr = validate(); +    Assert.assertEquals("#Req Attribute", 4, reqAttr.getAttributes().size()); + +    Assert.assertEquals("Wrong req attr.", "urn:eidgvat:attributes.eidas.uniqueId", +        reqAttr.getAttributes().get(0).getName()); +    Assert.assertNotNull("Req. Attr value element", reqAttr.getAttributes().get(0).getAttributeValues()); +    Assert.assertEquals("#Req. Attr value", 1, +        reqAttr.getAttributes().get(0).getAttributeValues().size()); +    org.springframework.util.Assert.isInstanceOf(XSString.class, +        reqAttr.getAttributes().get(0).getAttributeValues().get(0), "Wrong requested Attributes Value type"); +    Assert.assertEquals("Req. Attr. Value", pendingReq.getServiceProviderConfiguration().getUniqueIdentifier(), +        ((XSString)reqAttr.getAttributes().get(0).getAttributeValues().get(0)).getValue()); +     +    Assert.assertEquals("Wrong req attr.", "urn:oid:1.2.40.0.10.2.1.1.261.34", +        reqAttr.getAttributes().get(1).getName()); +    Assert.assertNotNull("Req. Attr value element", reqAttr.getAttributes().get(1).getAttributeValues()); +    Assert.assertEquals("#Req. Attr value", 1, +        reqAttr.getAttributes().get(1).getAttributeValues().size()); +    org.springframework.util.Assert.isInstanceOf(XSString.class, +        reqAttr.getAttributes().get(1).getAttributeValues().get(0), "Wrong requested Attributes Value type"); +    Assert.assertEquals("Req. Attr. Value", oaParam.getAreaSpecificTargetIdentifier(), +        ((XSString)reqAttr.getAttributes().get(1).getAttributeValues().get(0)).getValue()); + +    Assert.assertEquals("Wrong req attr.", "urn:oid:1.2.40.0.10.2.1.1.261.108", +        reqAttr.getAttributes().get(2).getName()); +    Assert.assertNotNull("Req. Attr value element", reqAttr.getAttributes().get(1).getAttributeValues()); +    Assert.assertEquals("#Req. Attr value", 1, +        reqAttr.getAttributes().get(2).getAttributeValues().size()); +    org.springframework.util.Assert.isInstanceOf(XSString.class, +        reqAttr.getAttributes().get(2).getAttributeValues().get(0), "Wrong requested Attributes Value type"); +    Assert.assertEquals("Req. Attr. Value", "http://eidas.europa.eu/LoA/high", +        ((XSString)reqAttr.getAttributes().get(2).getAttributeValues().get(0)).getValue()); +     +    Assert.assertEquals("Wrong req attr.", "urn:eidgvat:attributes.ServiceProviderMandateType", +        reqAttr.getAttributes().get(3).getName()); +    Assert.assertNotNull("Req. Attr value element", reqAttr.getAttributes().get(3).getAttributeValues()); +    Assert.assertEquals("#Req. Attr value", 1, +        reqAttr.getAttributes().get(3).getAttributeValues().size()); +    org.springframework.util.Assert.isInstanceOf(XSString.class, +        reqAttr.getAttributes().get(3).getAttributeValues().get(0), "Wrong requested Attributes Value type"); +    Assert.assertEquals("Req. Attr. Value",  +        pendingReq.getServiceProviderConfiguration(ServiceProviderConfiguration.class).getMandateMode().getMode(), +        ((XSString)reqAttr.getAttributes().get(3).getAttributeValues().get(0)).getValue()); +     +  } + +  @Test +  public void successWithSpInfos() throws Pvp2InternalErrorException, SecurityException, Exception { +    metadataProvider.addMetadataResolverIntoChain( +        metadataFactory.createMetadataProvider(METADATA_PATH, null, "jUnitTest", null)); +     +    LightRequest.Builder eidasRequestBuilder = LightRequest.builder() +        .id(UUID.randomUUID().toString()) +        .issuer(RandomStringUtils.randomAlphabetic(10)) +        .citizenCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .levelOfAssurance(EaafConstants.EIDAS_LOA_HIGH) +        .spCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .spType("public") +        .requesterId(RandomStringUtils.randomAlphanumeric(10)) +        .providerName(RandomStringUtils.randomAlphanumeric(10)); +    LightRequest eidasReq = eidasRequestBuilder.build(); +    pendingReq.setEidasRequest(eidasReq); +     +    //execute test +    task.execute(pendingReq, executionContext); + +    //validate state +    final EaafRequestedAttributes reqAttr = validate(); +    Assert.assertEquals("#Req Attribute", 6, reqAttr.getAttributes().size()); +     +    Assert.assertEquals("Wrong req attr.", "urn:eidgvat:attributes.ServiceProviderFriendlyName", +        reqAttr.getAttributes().get(3).getName()); +    Assert.assertNotNull("Req. Attr value element", reqAttr.getAttributes().get(1).getAttributeValues()); +    Assert.assertEquals("#Req. Attr value", 1, +        reqAttr.getAttributes().get(3).getAttributeValues().size()); +    org.springframework.util.Assert.isInstanceOf(XSString.class, +        reqAttr.getAttributes().get(3).getAttributeValues().get(0), "Wrong requested Attributes Value type"); +    Assert.assertEquals("Req. Attr. Value", eidasReq.getProviderName(), +        ((XSString)reqAttr.getAttributes().get(3).getAttributeValues().get(0)).getValue()); +     +    Assert.assertEquals("Wrong req attr.", "urn:eidgvat:attributes.ServiceProviderUniqueId", +        reqAttr.getAttributes().get(4).getName()); +    Assert.assertNotNull("Req. Attr value element", reqAttr.getAttributes().get(1).getAttributeValues()); +    Assert.assertEquals("#Req. Attr value", 1, +        reqAttr.getAttributes().get(4).getAttributeValues().size()); +    org.springframework.util.Assert.isInstanceOf(XSString.class, +        reqAttr.getAttributes().get(4).getAttributeValues().get(0), "Wrong requested Attributes Value type"); +    Assert.assertEquals("Req. Attr. Value", eidasReq.getRequesterId(), +        ((XSString)reqAttr.getAttributes().get(4).getAttributeValues().get(0)).getValue()); +     +  } +   +  @Test +  public void successWithMandates() throws Pvp2InternalErrorException, SecurityException, Exception { +    metadataProvider.addMetadataResolverIntoChain( +        metadataFactory.createMetadataProvider(METADATA_PATH, null, "jUnitTest", null)); +     +    LightRequest.Builder eidasRequestBuilder = LightRequest.builder() +        .id(UUID.randomUUID().toString()) +        .issuer(RandomStringUtils.randomAlphabetic(10)) +        .citizenCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .levelOfAssurance(EaafConstants.EIDAS_LOA_HIGH) +        .spCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .spType("public") +        .requesterId(RandomStringUtils.randomAlphanumeric(10)) +        .providerName(RandomStringUtils.randomAlphanumeric(10)); +    LightRequest eidasReq = eidasRequestBuilder.build(); +    pendingReq.setEidasRequest(eidasReq); +     +    List<String> mandateProfiles = Arrays.asList( +        RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5));     +    oaParam.setMandateProfiles(mandateProfiles); +    oaParam.setMandateMode(SpMandateModes.LEGAL_FORCE);    +    //execute test +    task.execute(pendingReq, executionContext); + +    //validate state +    final EaafRequestedAttributes reqAttr = validate(); +    Assert.assertEquals("#Req Attribute", 7, reqAttr.getAttributes().size()); +     +    Assert.assertEquals("Wrong req attr.", "urn:eidgvat:attributes.ServiceProviderMandateProfiles", +        reqAttr.getAttributes().get(5).getName()); +    Assert.assertNotNull("Req. Attr value element", reqAttr.getAttributes().get(1).getAttributeValues()); +    Assert.assertEquals("#Req. Attr value", 1, +        reqAttr.getAttributes().get(5).getAttributeValues().size()); +    org.springframework.util.Assert.isInstanceOf(XSString.class, +        reqAttr.getAttributes().get(5).getAttributeValues().get(0), "Wrong requested Attributes Value type"); +     +    List<String> reqProfiles = KeyValueUtils.getListOfCsvValues( +        ((XSString)reqAttr.getAttributes().get(5).getAttributeValues().get(0)).getValue()); +    reqProfiles.stream().forEach(el -> assertTrue("missing profile: " + el, mandateProfiles.contains(el))); +     +     +    Assert.assertEquals("Wrong req attr.", "urn:eidgvat:attributes.ServiceProviderMandateType", +        reqAttr.getAttributes().get(6).getName()); +    Assert.assertNotNull("Req. Attr value element", reqAttr.getAttributes().get(6).getAttributeValues()); +    Assert.assertEquals("#Req. Attr value", 1, +        reqAttr.getAttributes().get(6).getAttributeValues().size()); +    org.springframework.util.Assert.isInstanceOf(XSString.class, +        reqAttr.getAttributes().get(6).getAttributeValues().get(0), "Wrong requested Attributes Value type"); +    Assert.assertEquals("Req. Attr. Value",  +        SpMandateModes.LEGAL_FORCE.getMode(), +        ((XSString)reqAttr.getAttributes().get(6).getAttributeValues().get(0)).getValue()); +     +  } +   +  private EaafRequestedAttributes validate() throws Pvp2InternalErrorException, SecurityException, Exception { +    Assert.assertEquals("HTTP Statuscode", 200, httpResp.getStatus()); +    Assert.assertEquals("ContentType", "text/html;charset=UTF-8", httpResp.getContentType()); +    Assert.assertEquals("ContentEncoding", "UTF-8", httpResp.getCharacterEncoding()); + +    final String html = httpResp.getContentAsString(); +    Assert.assertNotNull("XML Metadata", html); + +    final int startIndex = html.indexOf("SAMLRequest="); +    Assert.assertTrue("No SAMLRequest in html", startIndex >= 0); +    final String authnXml = html.substring(startIndex + "SAMLRequest=".length()); +     +    //check if relaystate was stored +    final int startIndexRelayState = html.indexOf("RelayState="); +    Assert.assertTrue("wrong RelayState in HTML", +        startIndexRelayState >= 0); +    String relayState = html.substring(startIndexRelayState + "RelayState=".length(), startIndex);     +    String storedPendingReqId = transactionStorage.get(relayState, String.class); +    Assert.assertEquals("relayStore not map to pendingRequestId",  +        pendingReq.getPendingRequestId(), storedPendingReqId); +     +     +    final AuthnRequest authnRequest = (AuthnRequest) XMLObjectSupport.unmarshallFromInputStream( +        XMLObjectProviderRegistrySupport.getParserPool(), new ByteArrayInputStream( +            Base64.getDecoder().decode(authnXml))); + +    Assert.assertNotNull("AuthnReq", authnRequest); +    Assert.assertNotNull("Issuer", authnRequest.getIssuer()); +    Assert.assertEquals("EntityId", +        "http://localhost" + IdAustriaAuthConstants.ENDPOINT_METADATA, +        authnRequest.getIssuer().getValue()); + +    //check XML scheme +    Saml2Utils.schemeValidation(authnRequest); + +    //check signature +    final PvpSProfileRequest msg = new PvpSProfileRequest( +        authnRequest, +        SAMLConstants.SAML2_POST_BINDING_URI); +    msg.setEntityID(authnRequest.getIssuer().getValue()); +    metadataProvider.addMetadataResolverIntoChain( +        metadataFactory.createMetadataProvider(METADATA_SP_PATH, null, "jUnit SP", null)); +    samlVerifyEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); + +    //check other elements +    Assert.assertNotNull("Extensions", authnRequest.getExtensions()); +    Assert.assertFalse("No Requested attributes", +        authnRequest.getExtensions().getUnknownXMLObjects().isEmpty()); + +    Assert.assertEquals("#ReqAttributes", 1,  authnRequest.getExtensions().getUnknownXMLObjects().size()); +    org.springframework.util.Assert.isInstanceOf(EaafRequestedAttributes.class, +        authnRequest.getExtensions().getUnknownXMLObjects().get(0), "No Requested Attributes object"); + +    return (EaafRequestedAttributes) authnRequest.getExtensions().getUnknownXMLObjects().get(0); +     +  } + +  private IVelocityGuiBuilderConfiguration createDummyGuiConfig() { +    return new IVelocityGuiBuilderConfiguration() { + +      @Override +      public Map<String, Object> getViewParameters() { +        return null; +      } + +      @Override +      public String getViewName() { +        return "SAML2 Post-Binding"; +      } + +      @Override +      public String getDefaultContentType() { +        return null; +      } + +      @Override +      public InputStream getTemplate(String viewName) { +        return RequestIdAustriaSystemTaskTest.class.getResourceAsStream("/data/pvp_postbinding_template.html"); +      } + +      @Override +      public String getClasspathTemplateDir() { +        return null; + +      } + +      @Override +      public boolean isWriteAsynch() { +        return false; +         +      } +    }; +  } +} diff --git a/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/utils/IdAustriaAuthCredentialProviderTest.java b/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/utils/IdAustriaAuthCredentialProviderTest.java new file mode 100644 index 00000000..a0d6c988 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/utils/IdAustriaAuthCredentialProviderTest.java @@ -0,0 +1,413 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.test.utils; + +import org.apache.commons.lang3.RandomStringUtils; +import org.junit.Assert; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.beans.BeansException; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.ApplicationContext; +import org.springframework.test.annotation.DirtiesContext; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; + +import com.google.common.base.Optional; +import com.google.common.base.Predicates; +import com.google.common.base.Throwables; +import com.google.common.collect.FluentIterable; + +import at.asitplus.eidas.specific.core.test.config.dummy.MsConnectorDummyConfigMap; +import at.asitplus.eidas.specific.modules.auth.idaustria.IdAustriaAuthConstants; +import at.asitplus.eidas.specific.modules.auth.idaustria.utils.IdAustriaAuthCredentialProvider; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.exceptions.EaafFactoryException; +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; + +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration(locations = {  +    "/spring/SpringTest-context_basic_mapConfig.xml",  +    "/spring/SpringTest-context_lazy.xml"  +    }) +@DirtiesContext +public class IdAustriaAuthCredentialProviderTest { + +  private static final String PATH_JKS = "pvp.jks"; +  private static final String ALIAS_METADATA = "metadata"; +  private static final String ALIAS_SIGN = "signing"; +  private static final String ALIAS_ENC = "encryption"; +  private static final String PASSWORD = "password"; + +  @Autowired +  private ApplicationContext context; +  @Autowired +  private MsConnectorDummyConfigMap config; + +  /** +   * jUnit test initializer. +   */ +  @Before +  public void initialize() { +    config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_KEYSTORE_PATH, PATH_JKS); +    config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_KEYSTOREPASSWORD, PASSWORD); + +    config.removeConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_SIGN_METADATA_ALIAS); +    config.removeConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD); + +    config.removeConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_SIGN_SIGNING_ALIAS); +    config.removeConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD); + +    config.removeConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_ENCRYPTION_ALIAS); +    config.removeConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD); + +  } + +  @Test +  @DirtiesContext +  public void noKeyStoreUrl() { +    config.removeConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_KEYSTORE_PATH); +    try { +      context.getBean(IdAustriaAuthCredentialProvider.class); +      Assert.fail("No KeyStore not detected"); + +    } catch (final BeansException e) { +      org.springframework.util.Assert.isInstanceOf(EaafConfigurationException.class, +          e.getCause(), "Wrong exception"); +    } + +  } + +  @Test +  @DirtiesContext +  public void noKeyStore() { +    config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_KEYSTORE_PATH, +        "src/test/resources/config/notExist.p12"); +    try { +      context.getBean(IdAustriaAuthCredentialProvider.class); +      Assert.fail("No KeyStore not detected"); + +    } catch (final BeansException e) { +      final Optional<Throwable> eaafException = FluentIterable.from( +          Throwables.getCausalChain(e)).filter( +              Predicates.instanceOf(EaafConfigurationException.class)).first(); +      Assert.assertTrue("Wrong exception", eaafException.isPresent()); +      Assert.assertEquals("Wrong errorId", "internal.keystore.06", +          ((EaafException) eaafException.get()).getErrorId()); + +    } + +  } + +  @Test +  @DirtiesContext +  public void noWrongKeyStorePassword() { +    config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_KEYSTOREPASSWORD, "test"); +    try { +      context.getBean(IdAustriaAuthCredentialProvider.class); +      Assert.fail("No KeyStore not detected"); + +    } catch (final BeansException e) { +      final Optional<Throwable> eaafException = FluentIterable.from( +          Throwables.getCausalChain(e)).filter( +              Predicates.instanceOf(EaafFactoryException.class)).first(); +      Assert.assertTrue("Wrong exception", eaafException.isPresent()); +      Assert.assertEquals("Wrong errorId", "internal.keystore.06", +          ((EaafException) eaafException.get()).getErrorId()); + +    } + +  } + +  @Test +  @DirtiesContext +  public void notKeyConfigurationWrongAlias() { +    final IdAustriaAuthCredentialProvider credential = context.getBean( +        IdAustriaAuthCredentialProvider.class); + +    Assert.assertNotNull("Credetialprovider", credential); +    Assert.assertNotNull("Friendlyname", credential.getFriendlyName()); + +    try { +      config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_SIGN_METADATA_ALIAS, +          RandomStringUtils.randomAlphabetic(5)); +      credential.getMetaDataSigningCredential(); +      Assert.fail("No Metadata signing credentials not detected"); + +    } catch (final CredentialsNotAvailableException e) { +      Assert.assertTrue("Wrong errorCode", e.getMessage().contains("internal.pvp.01")); + +    } + +    try { +      config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_SIGN_SIGNING_ALIAS, +          RandomStringUtils.randomAlphabetic(5)); +      credential.getMessageSigningCredential(); +      Assert.fail("No Metadata signing credentials not detected"); + +    } catch (final CredentialsNotAvailableException e) { +      Assert.assertTrue("Wrong errorCode", e.getMessage().contains("internal.pvp.01")); + +    } + +    try { +      config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_ENCRYPTION_ALIAS, +          RandomStringUtils.randomAlphabetic(5)); +      credential.getMessageEncryptionCredential(); +      Assert.fail("No Metadata signing credentials not detected"); + +    } catch (final CredentialsNotAvailableException e) { +      Assert.assertTrue("Wrong errorCode", e.getMessage().contains("internal.pvp.01")); + +    } + +  } + +  @Test +  @DirtiesContext +  public void notKeyConfigurationWrongPassword() { +    final IdAustriaAuthCredentialProvider credential = context.getBean( +        IdAustriaAuthCredentialProvider.class); + +    Assert.assertNotNull("Credetialprovider", credential); +    Assert.assertNotNull("Friendlyname", credential.getFriendlyName()); + +    try { +      config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD, +          RandomStringUtils.randomAlphabetic(5)); +      credential.getMetaDataSigningCredential(); +      Assert.fail("No Metadata signing credentials not detected"); + +    } catch (final CredentialsNotAvailableException e) { +      Assert.assertTrue("Wrong errorCode", e.getMessage().contains("internal.pvp.01")); + +    } + +    try { +      config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD, +          RandomStringUtils.randomAlphabetic(5)); +      credential.getMessageSigningCredential(); +      Assert.fail("No message signing credentials not detected"); + +    } catch (final CredentialsNotAvailableException e) { +      Assert.assertTrue("Wrong errorCode", e.getMessage().contains("internal.pvp.01")); + +    } + +    try { +      config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD, +          RandomStringUtils.randomAlphabetic(5)); +      final EaafX509Credential encCred = credential.getMessageEncryptionCredential(); +      Assert.assertNull("No encryption signing credentials not detected", encCred); + +    } catch (final CredentialsNotAvailableException e) { +      Assert.assertTrue("Wrong errorCode", e.getMessage().contains("internal.pvp.01")); + +    } + +  } + +  @Test +  @DirtiesContext +  public void notKeyConfigurationValidAliasWrongPassword() { +    final IdAustriaAuthCredentialProvider credential = context.getBean( +        IdAustriaAuthCredentialProvider.class); + +    Assert.assertNotNull("Credetialprovider", credential); +    Assert.assertNotNull("Friendlyname", credential.getFriendlyName()); + +    try { +      config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_SIGN_METADATA_ALIAS, +          ALIAS_METADATA); +      config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD, +          RandomStringUtils.randomAlphabetic(5)); +      credential.getMetaDataSigningCredential(); +      Assert.fail("No Metadata signing credentials not detected"); + +    } catch (final CredentialsNotAvailableException e) { +      Assert.assertTrue("Wrong errorCode", e.getMessage().contains("internal.pvp.01")); + +    } + +    try { +      config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_SIGN_SIGNING_ALIAS, +          ALIAS_SIGN); +      config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD, +          RandomStringUtils.randomAlphabetic(5)); +      credential.getMessageSigningCredential(); +      Assert.fail("No Metadata signing credentials not detected"); + +    } catch (final CredentialsNotAvailableException e) { +      Assert.assertTrue("Wrong errorCode", e.getMessage().contains("internal.pvp.01")); + +    } + +    try { +      config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_ENCRYPTION_ALIAS, +          ALIAS_ENC); +      config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD, +          RandomStringUtils.randomAlphabetic(5)); +      credential.getMessageEncryptionCredential(); +      Assert.fail("No Metadata signing credentials not detected"); + +    } catch (final CredentialsNotAvailableException e) { +      Assert.assertTrue("Wrong errorCode", e.getMessage().contains("internal.pvp.01")); + +    } +  } + +  @Test +  @DirtiesContext +  public void notKeyConfigurationWrongAliasValidPassword() { +    final IdAustriaAuthCredentialProvider credential = context.getBean( +        IdAustriaAuthCredentialProvider.class); + +    Assert.assertNotNull("Credetialprovider", credential); +    Assert.assertNotNull("Friendlyname", credential.getFriendlyName()); + +    try { +      config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_SIGN_METADATA_ALIAS, +          RandomStringUtils.randomAlphabetic(5)); +      config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD, +          PASSWORD); +      credential.getMetaDataSigningCredential(); +      Assert.fail("No Metadata signing credentials not detected"); + +    } catch (final CredentialsNotAvailableException e) { +      Assert.assertTrue("Wrong errorCode", e.getMessage().contains("internal.pvp.01")); + +    } + +    try { +      config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_SIGN_SIGNING_ALIAS, +          RandomStringUtils.randomAlphabetic(5)); +      config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD, +          PASSWORD); +      credential.getMessageSigningCredential(); +      Assert.fail("No Metadata signing credentials not detected"); + +    } catch (final CredentialsNotAvailableException e) { +      Assert.assertTrue("Wrong errorCode", e.getMessage().contains("internal.pvp.01")); + +    } + +    try { +      config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_ENCRYPTION_ALIAS, +          RandomStringUtils.randomAlphabetic(5)); +      config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD, +          PASSWORD); +      credential.getMessageEncryptionCredential(); +      Assert.fail("No Metadata signing credentials not detected"); + +    } catch (final CredentialsNotAvailableException e) { +      Assert.assertTrue("Wrong errorCode", e.getMessage().contains("internal.pvp.01")); + +    } +  } + +  @Test +  @DirtiesContext +  public void validonfiguration() throws CredentialsNotAvailableException { +    final IdAustriaAuthCredentialProvider credential = context.getBean( +        IdAustriaAuthCredentialProvider.class); + +    Assert.assertNotNull("Credetialprovider", credential); +    Assert.assertNotNull("Friendlyname", credential.getFriendlyName()); + +    config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_SIGN_METADATA_ALIAS, +        ALIAS_METADATA); +    config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD, +        PASSWORD); +    credential.getMetaDataSigningCredential(); + +    config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_SIGN_SIGNING_ALIAS, +        ALIAS_SIGN); +    config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD, +        PASSWORD); +    credential.getMessageSigningCredential(); + +    config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_ENCRYPTION_ALIAS, +        ALIAS_ENC); +    config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD, +        PASSWORD); +    credential.getMessageEncryptionCredential(); + +  } + +  @Test +  @DirtiesContext +  public void notKeyConfiguration() { +    final IdAustriaAuthCredentialProvider credential = context.getBean( +        IdAustriaAuthCredentialProvider.class); + +    Assert.assertNotNull("Credetialprovider", credential); +    Assert.assertNotNull("Friendlyname", credential.getFriendlyName()); + +    try { +      credential.getMetaDataSigningCredential(); +      Assert.fail("No Metadata signing credentials not detected"); + +    } catch (final CredentialsNotAvailableException e) { +      Assert.assertTrue("Wrong errorCode", e.getMessage().contains("internal.pvp.01")); + +    } + +    try { +      credential.getMessageSigningCredential(); +      Assert.fail("No message signing credentials not detected"); + +    } catch (final CredentialsNotAvailableException e) { +      Assert.assertTrue("Wrong errorCode", e.getMessage().contains("internal.pvp.01")); + +    } + +    try { +      final EaafX509Credential encCred = credential.getMessageEncryptionCredential(); +      Assert.assertNull("No encryption signing credentials not detected", encCred); + +    } catch (final CredentialsNotAvailableException e) { +      Assert.assertTrue("Wrong errorCode", e.getMessage().contains("internal.pvp.01")); + +    } + +  } + +  @Test +  @DirtiesContext +  public void notKeyConfigurationPkcs12() { +    config.putConfigValue(IdAustriaAuthConstants.CONFIG_PROPS_KEYSTORE_PATH, "pvp.p12"); +    final IdAustriaAuthCredentialProvider credential = context.getBean( +        IdAustriaAuthCredentialProvider.class); + +    Assert.assertNotNull("Credetialprovider", credential); +    Assert.assertNotNull("Friendlyname", credential.getFriendlyName()); + +    try { +      credential.getMetaDataSigningCredential(); +      Assert.fail("No Metadata signing credentials not detected"); + +    } catch (final CredentialsNotAvailableException e) { +      Assert.assertTrue("Wrong errorCode", e.getMessage().contains("internal.pvp.01")); + +    } + +    try { +      credential.getMessageSigningCredential(); +      Assert.fail("No message signing credentials not detected"); + +    } catch (final CredentialsNotAvailableException e) { +      Assert.assertTrue("Wrong errorCode", e.getMessage().contains("internal.pvp.01")); + +    } + +    try { +      final EaafX509Credential encCred = credential.getMessageEncryptionCredential(); +      Assert.assertNull("No encryption signing credentials not detected", encCred); + +    } catch (final CredentialsNotAvailableException e) { +      Assert.assertTrue("Wrong errorCode", e.getMessage().contains("internal.pvp.01")); + +    } +  } +} diff --git a/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/utils/IdAustriaAuthMetadataProviderFirstTest.java b/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/utils/IdAustriaAuthMetadataProviderFirstTest.java new file mode 100644 index 00000000..d9e73db1 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/utils/IdAustriaAuthMetadataProviderFirstTest.java @@ -0,0 +1,236 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.test.utils; + +import java.io.IOException; +import java.time.Instant; +import java.time.temporal.ChronoUnit; + +import org.apache.commons.lang3.RandomStringUtils; +import org.junit.Assert; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.opensaml.core.criterion.EntityIdCriterion; +import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; +import org.opensaml.core.xml.io.MarshallingException; +import org.opensaml.core.xml.io.UnmarshallingException; +import org.opensaml.core.xml.util.XMLObjectSupport; +import org.opensaml.saml.saml2.metadata.EntityDescriptor; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.w3c.dom.Element; + +import at.asitplus.eidas.specific.core.test.config.dummy.MsConnectorDummyConfigMap; +import at.asitplus.eidas.specific.modules.auth.idaustria.utils.IdAustriaAuthMetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.api.utils.IPvp2CredentialProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; +import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import net.shibboleth.utilities.java.support.resolver.CriteriaSet; +import net.shibboleth.utilities.java.support.resolver.ResolverException; +import net.shibboleth.utilities.java.support.xml.SerializeSupport; +import net.shibboleth.utilities.java.support.xml.XMLParserException; +import okhttp3.HttpUrl; +import okhttp3.mockwebserver.MockResponse; +import okhttp3.mockwebserver.MockWebServer; + +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration(locations = {   +    "/spring/SpringTest-context_basic_test.xml", +    "/spring/SpringTest-context_basic_mapConfig.xml" }) +public class IdAustriaAuthMetadataProviderFirstTest { + +  @Autowired IPvp2CredentialProvider credentialProvider; +  @Autowired IdAustriaAuthMetadataProvider provider; +  @Autowired PvpMetadataResolverFactory resolverFactory; +  @Autowired MsConnectorDummyConfigMap config; +   +  private static MockWebServer mockWebServer; +  private static HttpUrl mockServerUrl; + +  /** +   * JUnit class initializer. +   * +   * @throws Exception In case of an OpenSAML3 initialization error +   */ +  @BeforeClass +  public static void classInitializer() throws Exception { +    EaafOpenSaml3xInitializer.eaafInitialize(); + +    mockWebServer = new MockWebServer(); +    mockServerUrl = mockWebServer.url("/sp/metadata"); + +  } + +  /** +   * jUnit test set-up. +   *  +   * @throws ResolverException +   * +   */ +  @Before +  public void testSetup() { +    provider.fullyDestroy(); +     +  } + +  @Test +  public void simpleManuelAddingTest() throws Pvp2MetadataException, ResolverException { +    final IPvp2MetadataProvider resolver1 = resolverFactory.createMetadataProvider( +        "classpath:/data/idp_metadata_sig_notvalid.xml", +        null, "junit", null); +    Assert.assertNotNull("Resolver 1 is null", resolver1); +    provider.addMetadataResolverIntoChain(resolver1); + +    final IPvp2MetadataProvider resolver2 = resolverFactory.createMetadataProvider( +        "classpath:/data/idp_metadata_sig_valid_wrong_alg.xml", +        null, "junit", null); +    Assert.assertNotNull("Resolver 2 is null", resolver2); +    provider.addMetadataResolverIntoChain(resolver2); + +    final EntityDescriptor entity1 = provider.getEntityDescriptor("https://localEntity"); +    Assert.assertNotNull("Entity 1 not found", entity1); + +    final EntityDescriptor entity2 = provider.getEntityDescriptor( +        "https://vidp.gv.at/ms_connector/pvp/metadata"); +    Assert.assertNotNull("Entity 2 not found", entity2); + +    final EntityDescriptor entity3 = provider.getEntityDescriptor("https://egiz.gv.at/abababa"); +    Assert.assertNull("Entity 3 found", entity3); + +  } + +  @Test +  public void dynamicLoadingNoValidSignature() throws ResolverException { +    final EntityDescriptor entity = provider.getEntityDescriptor("classpath:/data/idp_metadata_no_sig2.xml"); +    Assert.assertNull("Entity found", entity); + +  } + +  @Test +  public void dynamicLoadingValidSignature() throws XMLParserException, UnmarshallingException, +      SamlSigningException, CredentialsNotAvailableException, MarshallingException, ResolverException { + +    final String entityId = injectValidHttpMetadata(); +    final EntityDescriptor entity = provider.getEntityDescriptor(entityId); +    Assert.assertNotNull("Entity not found", entity); + +  } + +  @Test +  public void reloadNotPossible() throws XMLParserException, UnmarshallingException, +      SamlSigningException, CredentialsNotAvailableException, MarshallingException, ResolverException { + +    final String entityId = injectValidHttpMetadata(); +    final EntityDescriptor entity = provider.getEntityDescriptor(entityId); +    Assert.assertNotNull("Entity not found", entity); +    Assert.assertNotNull("Entity not found", +        provider.resolveSingle(generateEntityIdCreteria(entityId))); + +    Assert.assertFalse("Refresh should not be possible", +        provider.refreshMetadataProvider(entityId)); + +    final EntityDescriptor entity2 = provider.getEntityDescriptor(entityId); +    Assert.assertNull("Entity not found", entity2); +    Assert.assertNull("Entity not found", +        provider.resolveSingle(generateEntityIdCreteria(entityId))); + +    Assert.assertFalse("Last refresh", provider.wasLastRefreshSuccess()); + +  } + +  @Test +  public void refeshTest() throws Pvp2MetadataException, ResolverException { +    Assert.assertFalse("Last refresh", provider.wasLastRefreshSuccess()); +    Assert.assertNull("LastRefresh", provider.getLastRefresh()); +    Assert.assertNull("LastSuccessfulRefresh", provider.getLastSuccessfulRefresh()); +    Assert.assertNull("LastUpdate", provider.getLastUpdate()); + +    final IPvp2MetadataProvider resolver1 = resolverFactory.createMetadataProvider( +        "classpath:/data/idp_metadata_sig_notvalid.xml", +        null, "junit", null); +    Assert.assertNotNull("Resolver 1 is null", resolver1); +    provider.addMetadataResolverIntoChain(resolver1); + +    final IPvp2MetadataProvider resolver2 = resolverFactory.createMetadataProvider( +        "classpath:/data/idp_metadata_sig_valid_wrong_alg.xml", +        null, "junit", null); +    Assert.assertNotNull("Resolver 2 is null", resolver2); +    provider.addMetadataResolverIntoChain(resolver2); + +    provider.refresh(); + +    Assert.assertTrue("Last refresh", provider.wasLastRefreshSuccess()); +    Assert.assertNotNull("LastRefresh", provider.getLastRefresh()); +    Assert.assertNotNull("LastSuccessfulRefresh", provider.getLastSuccessfulRefresh()); +    Assert.assertNotNull("LastUpdate", provider.getLastUpdate()); + +  } + +  @Test +  public void reloadPossible() throws XMLParserException, UnmarshallingException, +      SamlSigningException, CredentialsNotAvailableException, MarshallingException, ResolverException, +      IOException { + +    mockWebServer.shutdown(); +    mockWebServer = new MockWebServer(); +    mockServerUrl = mockWebServer.url("/sp/metadata"); + +    final String entityId = injectValidHttpMetadata(); +    final EntityDescriptor entity = provider.getEntityDescriptor(entityId); +    Assert.assertNotNull("Entity not found", entity); +    Assert.assertNotNull("Entity not found", +        provider.resolveSingle(generateEntityIdCreteria(entityId))); + +    Assert.assertFalse("Last refresh", provider.wasLastRefreshSuccess()); + +    injectValidHttpMetadata(entityId); +    Assert.assertTrue("Refresh should not be possible", +        provider.refreshMetadataProvider(entityId)); + +    final EntityDescriptor entity2 = provider.getEntityDescriptor(entityId); +    Assert.assertNotNull("Entity not found", entity2); +    Assert.assertNotNull("Entity not found", +        provider.resolveSingle(generateEntityIdCreteria(entityId))); + +    Assert.assertFalse("Last refresh", provider.wasLastRefreshSuccess()); + +  } + +  private String injectValidHttpMetadata() throws SamlSigningException, CredentialsNotAvailableException, +      XMLParserException, UnmarshallingException, MarshallingException { +    return injectValidHttpMetadata(mockServerUrl.url().toString() +        + "/" + RandomStringUtils.randomAlphabetic(5)); +  } + +  private String injectValidHttpMetadata(String dynEntityId) throws XMLParserException, +      UnmarshallingException, +      MarshallingException, SamlSigningException, CredentialsNotAvailableException { +    final EntityDescriptor metadata = (EntityDescriptor) XMLObjectSupport.unmarshallFromInputStream( +        XMLObjectProviderRegistrySupport.getParserPool(), +        IdAustriaAuthMetadataProviderFirstTest.class.getResourceAsStream("/data/idp_metadata_no_sig.xml")); +    metadata.setValidUntil(Instant.now().plus(1, ChronoUnit.DAYS)); +    metadata.setSignature(null); +    metadata.setEntityID(dynEntityId); +    Saml2Utils.signSamlObject(metadata, credentialProvider.getMetaDataSigningCredential(), true); +    final Element metadataElement = XMLObjectSupport.marshall(metadata); +    mockWebServer.enqueue(new MockResponse().setResponseCode(200) +        .setBody(SerializeSupport.nodeToString(metadataElement)) +        .setHeader("Content-Type", "text/html;charset=utf-8")); + +    return dynEntityId; + +  } + +  private CriteriaSet generateEntityIdCreteria(String entityId) { +    final CriteriaSet result = new CriteriaSet(); +    result.add(new EntityIdCriterion(entityId)); +    return result; + +  } +} diff --git a/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/utils/IdAustriaAuthMetadataProviderSecondTest.java b/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/utils/IdAustriaAuthMetadataProviderSecondTest.java new file mode 100644 index 00000000..9b3c1a34 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/utils/IdAustriaAuthMetadataProviderSecondTest.java @@ -0,0 +1,65 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.test.utils; + +import org.junit.Assert; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.opensaml.saml.saml2.metadata.EntityDescriptor; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; + +import at.asitplus.eidas.specific.modules.auth.idaustria.utils.IdAustriaAuthMetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; +import net.shibboleth.utilities.java.support.resolver.ResolverException; + +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration(locations = {   +        "/spring/SpringTest-context_basic_test.xml", +        "/spring/SpringTest-context_basic_mapConfig.xml" }) +public class IdAustriaAuthMetadataProviderSecondTest { + +  @Autowired +  IdAustriaAuthMetadataProvider provider; + +  /** +   * JUnit class initializer. +   * +   * @throws Exception In case of an OpenSAML3 initialization error +   */ +  @BeforeClass +  public static void classInitializer() throws Exception { +    EaafOpenSaml3xInitializer.eaafInitialize(); + +  } + +  /** +   * jUnit test set-up. +   * +   * @throws ResolverException +   * +   */ +  @Before +  public void testSetup() { +    provider.fullyDestroy(); + +  } + +  @Test +  public void notTrustedX509CertsInTrustStore() throws ResolverException { +    final EntityDescriptor entity = provider.getEntityDescriptor("classpath:/data/idp_metadata_no_sig2.xml"); +    Assert.assertNull("Entity found", entity); + +  } + +  @Test +  public void readStaticInfos() { +    Assert.assertEquals("wrong providerId", +        IdAustriaAuthMetadataProvider.PROVIDER_ID, provider.getId()); + +    provider.runGarbageCollector(); + +  } + +} diff --git a/modules/authmodule_id-austria/src/test/resources/config/junit.jks b/modules/authmodule_id-austria/src/test/resources/config/junit.jksBinary files differ new file mode 100644 index 00000000..59e6ad13 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/config/junit.jks diff --git a/modules/authmodule_id-austria/src/test/resources/config/junit_config_1.properties b/modules/authmodule_id-austria/src/test/resources/config/junit_config_1.properties new file mode 100644 index 00000000..66c13dbc --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/config/junit_config_1.properties @@ -0,0 +1,44 @@ +## HTTP-client defaults +eidas.ms.client.http.connection.timeout.socket=1 +eidas.ms.client.http.connection.timeout.connection=1 +eidas.ms.client.http.connection.timeout.request=1 + + +## PVP2 S-Profile communication with ID Austria System  +# EntityId and optional metadata of ID Austria System +eidas.ms.modules.idaustriaauth.idp.entityId=http://junit.idaustria.at/idp +#eidas.ms.modules.idaustriaauth.idp.metadataUrl=http://junit.idaustria.at/idp/metadata + +# SAML2 client configuration +eidas.ms.modules.idaustriaauth.keystore.type=jks +#eidas.ms.modules.idaustriaauth.keystore.name= +eidas.ms.modules.idaustriaauth.keystore.path=junit_test.jks +eidas.ms.modules.idaustriaauth.keystore.password=password +eidas.ms.modules.idaustriaauth.metadata.sign.alias=meta +eidas.ms.modules.idaustriaauth.metadata.sign.password=password +eidas.ms.modules.idaustriaauth.request.sign.alias=sig +eidas.ms.modules.idaustriaauth.request.sign.password=password +eidas.ms.modules.idaustriaauth.response.encryption.alias=enc +eidas.ms.modules.idaustriaauth.response.encryption.password=password + +# TrustStore to validate SAML2 metadata from ID Austria  +eidas.ms.modules.idaustriaauth.truststore.type=jks +eidas.ms.modules.idaustriaauth.truststore.name= +eidas.ms.modules.idaustriaauth.truststore.path=junit_test.jks +eidas.ms.modules.idaustriaauth.truststore.password=password + +# Additional requested attributes in SAML2 metadata +#eidas.ms.modules.idaustriaauth.required.additional.attributes.1= +#eidas.ms.modules.idaustriaauth.required.additional.attributes.2= +#eidas.ms.modules.idaustriaauth.required.additional.attributes.3= +#eidas.ms.modules.idaustriaauth.required.additional.attributes.4= + + + +## General PVP2 metadata configuration +eidas.ms.pvp2.metadata.organisation.name=JUnit +eidas.ms.pvp2.metadata.organisation.friendyname=For testing with jUnit +eidas.ms.pvp2.metadata.organisation.url=http://junit.test +eidas.ms.pvp2.metadata.contact.givenname=Max +eidas.ms.pvp2.metadata.contact.surname=Mustermann +eidas.ms.pvp2.metadata.contact.email=max@junit.test
\ No newline at end of file diff --git a/modules/authmodule_id-austria/src/test/resources/config/junit_test.jks b/modules/authmodule_id-austria/src/test/resources/config/junit_test.jksBinary files differ new file mode 100644 index 00000000..ee6254a9 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/config/junit_test.jks diff --git a/modules/authmodule_id-austria/src/test/resources/config/junit_test_no_trust_certs.jks b/modules/authmodule_id-austria/src/test/resources/config/junit_test_no_trust_certs.jksBinary files differ new file mode 100644 index 00000000..8fe3b03c --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/config/junit_test_no_trust_certs.jks diff --git a/modules/authmodule_id-austria/src/test/resources/config/pvp.jks b/modules/authmodule_id-austria/src/test/resources/config/pvp.jksBinary files differ new file mode 100644 index 00000000..f0a5a09a --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/config/pvp.jks diff --git a/modules/authmodule_id-austria/src/test/resources/config/pvp.p12 b/modules/authmodule_id-austria/src/test/resources/config/pvp.p12Binary files differ new file mode 100644 index 00000000..183342f7 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/config/pvp.p12 diff --git a/modules/authmodule_id-austria/src/test/resources/data/Response_with_EID.xml b/modules/authmodule_id-austria/src/test/resources/data/Response_with_EID.xml new file mode 100644 index 00000000..8d3c1c66 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/Response_with_EID.xml @@ -0,0 +1,49 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://localhost/authhandler/sp/idaustria/eidas/post" InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> +	<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">classpath:/data/idp_metadata_classpath_entity.xml</saml2:Issuer> +	<saml2p:Status> +		<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> +	</saml2p:Status> +	<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_602c3236bffaf71ac3ac88674e76ff9f" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0"> +		<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp/metadata</saml2:Issuer> +		<saml2:Subject> +			<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="urn:publicid:gv.at:cdid+BF">QVGm48cqcM4UcyhDTNGYmVdrIoY=</saml2:NameID> +			<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> +				<saml2:SubjectConfirmationData InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" NotOnOrAfter="2014-03-05T06:44:51.017Z" Recipient="https://localhost/authhandler/sp/eidas/post"/> +			</saml2:SubjectConfirmation> +		</saml2:Subject> +		<saml2:Conditions NotBefore="2014-03-05T06:39:51.017Z" NotOnOrAfter="2035-03-05T06:44:51.017Z"> +			<saml2:AudienceRestriction> +				<saml2:Audience>https://localhost/authhandler/sp/idaustria/eidas/metadata</saml2:Audience> +			</saml2:AudienceRestriction> +		</saml2:Conditions> +		<saml2:AuthnStatement AuthnInstant="2014-03-05T06:39:51.017Z" SessionIndex="_c0c683509a8ff6ac372a9cf9c5c5a406"> +			<saml2:AuthnContext> +				<saml2:AuthnContextClassRef>http://eidas.europa.eu/LoA/high</saml2:AuthnContextClassRef> +			</saml2:AuthnContext> +		</saml2:AuthnStatement> +		<saml2:AttributeStatement> +			<saml2:Attribute FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">2.1</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-CITIZEN-QAA- EIDAS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.108" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">http://eidas.europa.eu/LoA/high</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AT</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="PRINCIPAL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Mustermann</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="GIVEN-NAME" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Max</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.55" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1940-01-01</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="BPK" Name="urn:oid:1.2.40.0.10.2.1.1.149" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AT+XX:QVGm48cqcM4UcyhDTNGYmVdrIoY=</saml2:AttributeValue>        +			</saml2:Attribute>       +		</saml2:AttributeStatement> +	</saml2:Assertion> +</saml2p:Response> diff --git a/modules/authmodule_id-austria/src/test/resources/data/Response_with_EID_bpk_without_prefix.xml b/modules/authmodule_id-austria/src/test/resources/data/Response_with_EID_bpk_without_prefix.xml new file mode 100644 index 00000000..ec4f451e --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/Response_with_EID_bpk_without_prefix.xml @@ -0,0 +1,49 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://localhost/authhandler/sp/idaustria/eidas/post" InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> +	<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">classpath:/data/idp_metadata_classpath_entity.xml</saml2:Issuer> +	<saml2p:Status> +		<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> +	</saml2p:Status> +	<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_602c3236bffaf71ac3ac88674e76ff9f" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0"> +		<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp/metadata</saml2:Issuer> +		<saml2:Subject> +			<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="urn:publicid:gv.at:cdid+BF">QVGm48cqcM4UcyhDTNGYmVdrIoY=</saml2:NameID> +			<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> +				<saml2:SubjectConfirmationData InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" NotOnOrAfter="2014-03-05T06:44:51.017Z" Recipient="https://localhost/authhandler/sp/eidas/post"/> +			</saml2:SubjectConfirmation> +		</saml2:Subject> +		<saml2:Conditions NotBefore="2014-03-05T06:39:51.017Z" NotOnOrAfter="2035-03-05T06:44:51.017Z"> +			<saml2:AudienceRestriction> +				<saml2:Audience>https://localhost/authhandler/sp/idaustria/eidas/metadata</saml2:Audience> +			</saml2:AudienceRestriction> +		</saml2:Conditions> +		<saml2:AuthnStatement AuthnInstant="2014-03-05T06:39:51.017Z" SessionIndex="_c0c683509a8ff6ac372a9cf9c5c5a406"> +			<saml2:AuthnContext> +				<saml2:AuthnContextClassRef>http://eidas.europa.eu/LoA/high</saml2:AuthnContextClassRef> +			</saml2:AuthnContext> +		</saml2:AuthnStatement> +		<saml2:AttributeStatement> +			<saml2:Attribute FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">2.1</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-CITIZEN-QAA- EIDAS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.108" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">http://eidas.europa.eu/LoA/aabbcc</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AT</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="PRINCIPAL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Heinz</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="GIVEN-NAME" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Susi</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.55" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1955-01-01</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="BPK" Name="urn:oid:1.2.40.0.10.2.1.1.149" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">QVGm48cqcasfasfsafsafdM4UcyhDTNGYmVdrIoY=</saml2:AttributeValue>        +			</saml2:Attribute>       +		</saml2:AttributeStatement> +	</saml2:Assertion> +</saml2p:Response> diff --git a/modules/authmodule_id-austria/src/test/resources/data/Response_with_EID_minimum.xml b/modules/authmodule_id-austria/src/test/resources/data/Response_with_EID_minimum.xml new file mode 100644 index 00000000..be8e7cc3 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/Response_with_EID_minimum.xml @@ -0,0 +1,43 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://localhost/authhandler/sp/idaustria/eidas/post" InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> +	<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">classpath:/data/idp_metadata_classpath_entity.xml</saml2:Issuer> +	<saml2p:Status> +		<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> +	</saml2p:Status> +	<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_602c3236bffaf71ac3ac88674e76ff9f" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0"> +		<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp/metadata</saml2:Issuer> +		<saml2:Subject> +			<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="urn:publicid:gv.at:cdid+BF">QVGm48cqcM4UcyhDTNGYmVdrIoY=</saml2:NameID> +			<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> +				<saml2:SubjectConfirmationData InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" NotOnOrAfter="2014-03-05T06:44:51.017Z" Recipient="https://localhost/authhandler/sp/eidas/post"/> +			</saml2:SubjectConfirmation> +		</saml2:Subject> +		<saml2:Conditions NotBefore="2014-03-05T06:39:51.017Z" NotOnOrAfter="2035-03-05T06:44:51.017Z"> +			<saml2:AudienceRestriction> +				<saml2:Audience>https://localhost/authhandler/sp/idaustria/eidas/metadata</saml2:Audience> +			</saml2:AudienceRestriction> +		</saml2:Conditions> +		<saml2:AuthnStatement AuthnInstant="2014-03-05T06:39:51.017Z" SessionIndex="_c0c683509a8ff6ac372a9cf9c5c5a406"> +			<saml2:AuthnContext> +				<saml2:AuthnContextClassRef>http://eidas.europa.eu/LoA/high</saml2:AuthnContextClassRef> +			</saml2:AuthnContext> +		</saml2:AuthnStatement> +		<saml2:AttributeStatement> +			<saml2:Attribute FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AT</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="PRINCIPAL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Mustermann</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="GIVEN-NAME" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Max</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.55" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1940-01-01</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="BPK" Name="urn:oid:1.2.40.0.10.2.1.1.149" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AT+CC:QVGm48cqcM4UcyhDTNGYmVdrIoY=</saml2:AttributeValue>        +			</saml2:Attribute>       +		</saml2:AttributeStatement> +	</saml2:Assertion> +</saml2p:Response> diff --git a/modules/authmodule_id-austria/src/test/resources/data/Response_with_EID_with_eid_sector_attr.xml b/modules/authmodule_id-austria/src/test/resources/data/Response_with_EID_with_eid_sector_attr.xml new file mode 100644 index 00000000..6b86c6f1 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/Response_with_EID_with_eid_sector_attr.xml @@ -0,0 +1,52 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://localhost/authhandler/sp/idaustria/eidas/post" InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> +	<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">classpath:/data/idp_metadata_classpath_entity.xml</saml2:Issuer> +	<saml2p:Status> +		<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> +	</saml2p:Status> +	<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_602c3236bffaf71ac3ac88674e76ff9f" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0"> +		<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp/metadata</saml2:Issuer> +		<saml2:Subject> +			<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="urn:publicid:gv.at:cdid+BF">QVGm48cqcM4UcyhDTNGYmVdrIoY=</saml2:NameID> +			<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> +				<saml2:SubjectConfirmationData InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" NotOnOrAfter="2014-03-05T06:44:51.017Z" Recipient="https://localhost/authhandler/sp/eidas/post"/> +			</saml2:SubjectConfirmation> +		</saml2:Subject> +		<saml2:Conditions NotBefore="2014-03-05T06:39:51.017Z" NotOnOrAfter="2035-03-05T06:44:51.017Z"> +			<saml2:AudienceRestriction> +				<saml2:Audience>https://localhost/authhandler/sp/idaustria/eidas/metadata</saml2:Audience> +			</saml2:AudienceRestriction> +		</saml2:Conditions> +		<saml2:AuthnStatement AuthnInstant="2014-03-05T06:39:51.017Z" SessionIndex="_c0c683509a8ff6ac372a9cf9c5c5a406"> +			<saml2:AuthnContext> +				<saml2:AuthnContextClassRef>http://eidas.europa.eu/LoA/high</saml2:AuthnContextClassRef> +			</saml2:AuthnContext> +		</saml2:AuthnStatement> +		<saml2:AttributeStatement> +			<saml2:Attribute FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">2.1</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-CITIZEN-QAA- EIDAS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.108" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">http://eidas.europa.eu/LoA/aabbcc</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AT</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="PRINCIPAL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Heinz</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="GIVEN-NAME" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Susi</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.55" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1955-01-01</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="BPK" Name="urn:oid:1.2.40.0.10.2.1.1.149" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AT+AB:QVGm48cqcasfasfsafsafdM4UcyhDTNGYmVdrIoY=</saml2:AttributeValue>        +			</saml2:Attribute>       +            <saml2:Attribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:publicid:gv.at:eidasid+AT+AB</saml2:AttributeValue>        +            </saml2:Attribute> +		</saml2:AttributeStatement> +	</saml2:Assertion> +</saml2p:Response> diff --git a/modules/authmodule_id-austria/src/test/resources/data/Response_with_EID_with_mandate_jur.xml b/modules/authmodule_id-austria/src/test/resources/data/Response_with_EID_with_mandate_jur.xml new file mode 100644 index 00000000..da97bbf4 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/Response_with_EID_with_mandate_jur.xml @@ -0,0 +1,63 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://localhost/authhandler/sp/idaustria/eidas/post" InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> +	<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">classpath:/data/idp_metadata_classpath_entity.xml</saml2:Issuer> +	<saml2p:Status> +		<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> +	</saml2p:Status> +	<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_602c3236bffaf71ac3ac88674e76ff9f" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0"> +		<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp/metadata</saml2:Issuer> +		<saml2:Subject> +			<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="urn:publicid:gv.at:cdid+BF">QVGm48cqcM4UcyhDTNGYmVdrIoY=</saml2:NameID> +			<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> +				<saml2:SubjectConfirmationData InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" NotOnOrAfter="2014-03-05T06:44:51.017Z" Recipient="https://localhost/authhandler/sp/eidas/post"/> +			</saml2:SubjectConfirmation> +		</saml2:Subject> +		<saml2:Conditions NotBefore="2014-03-05T06:39:51.017Z" NotOnOrAfter="2035-03-05T06:44:51.017Z"> +			<saml2:AudienceRestriction> +				<saml2:Audience>https://localhost/authhandler/sp/idaustria/eidas/metadata</saml2:Audience> +			</saml2:AudienceRestriction> +		</saml2:Conditions> +		<saml2:AuthnStatement AuthnInstant="2014-03-05T06:39:51.017Z" SessionIndex="_c0c683509a8ff6ac372a9cf9c5c5a406"> +			<saml2:AuthnContext> +				<saml2:AuthnContextClassRef>http://eidas.europa.eu/LoA/high</saml2:AuthnContextClassRef> +			</saml2:AuthnContext> +		</saml2:AuthnStatement> +		<saml2:AttributeStatement> +			<saml2:Attribute FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">2.1</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-CITIZEN-QAA- EIDAS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.108" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">http://eidas.europa.eu/LoA/high</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AT</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="PRINCIPAL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Mustermann</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="GIVEN-NAME" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Max</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.55" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1940-01-01</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="BPK" Name="urn:oid:1.2.40.0.10.2.1.1.149" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AT+XX:QVGm48cqcM4UcyhDTNGYmVdrIoY=</saml2:AttributeValue>        +			</saml2:Attribute> +       +            <saml2:Attribute FriendlyName="MANDATE-TYPE" Name="urn:oid:1.2.40.0.10.2.1.1.261.68" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Generalvollmacht</saml2:AttributeValue> +            </saml2:Attribute> +            <saml2:Attribute FriendlyName="MANDATOR-LEGAL-PERSON-SOURCE-PIN" Name="urn:oid:1.2.40.0.10.2.1.1.261.100" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">999999m</saml2:AttributeValue> +            </saml2:Attribute> +            <saml2:Attribute FriendlyName="MANDATOR-LEGAL-PERSON-SOURCE-PIN-TYPE" Name="urn:oid:1.2.40.0.10.2.1.1.261.76" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:publicid:gv.at:baseid+XERSB</saml2:AttributeValue> +            </saml2:Attribute> +            <saml2:Attribute FriendlyName="MANDATOR-LEGAL-PERSON-FULL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.84" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Testfirma</saml2:AttributeValue> +            </saml2:Attribute> +             +		</saml2:AttributeStatement> +	</saml2:Assertion> +</saml2p:Response> diff --git a/modules/authmodule_id-austria/src/test/resources/data/Response_with_EID_with_mandate_nat.xml b/modules/authmodule_id-austria/src/test/resources/data/Response_with_EID_with_mandate_nat.xml new file mode 100644 index 00000000..8a84503d --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/Response_with_EID_with_mandate_nat.xml @@ -0,0 +1,66 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://localhost/authhandler/sp/idaustria/eidas/post" InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> +	<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">classpath:/data/idp_metadata_classpath_entity.xml</saml2:Issuer> +	<saml2p:Status> +		<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> +	</saml2p:Status> +	<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_602c3236bffaf71ac3ac88674e76ff9f" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0"> +		<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp/metadata</saml2:Issuer> +		<saml2:Subject> +			<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="urn:publicid:gv.at:cdid+BF">QVGm48cqcM4UcyhDTNGYmVdrIoY=</saml2:NameID> +			<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> +				<saml2:SubjectConfirmationData InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" NotOnOrAfter="2014-03-05T06:44:51.017Z" Recipient="https://localhost/authhandler/sp/eidas/post"/> +			</saml2:SubjectConfirmation> +		</saml2:Subject> +		<saml2:Conditions NotBefore="2014-03-05T06:39:51.017Z" NotOnOrAfter="2035-03-05T06:44:51.017Z"> +			<saml2:AudienceRestriction> +				<saml2:Audience>https://localhost/authhandler/sp/idaustria/eidas/metadata</saml2:Audience> +			</saml2:AudienceRestriction> +		</saml2:Conditions> +		<saml2:AuthnStatement AuthnInstant="2014-03-05T06:39:51.017Z" SessionIndex="_c0c683509a8ff6ac372a9cf9c5c5a406"> +			<saml2:AuthnContext> +				<saml2:AuthnContextClassRef>http://eidas.europa.eu/LoA/high</saml2:AuthnContextClassRef> +			</saml2:AuthnContext> +		</saml2:AuthnStatement> +		<saml2:AttributeStatement> +			<saml2:Attribute FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">2.1</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-CITIZEN-QAA- EIDAS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.108" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">http://eidas.europa.eu/LoA/high</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AT</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="PRINCIPAL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Mustermann</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="GIVEN-NAME" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Max</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.55" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1940-01-01</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="BPK" Name="urn:oid:1.2.40.0.10.2.1.1.149" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AT+XX:QVGm48cqcM4UcyhDTNGYmVdrIoY=</saml2:AttributeValue>        +			</saml2:Attribute> +       +            <saml2:Attribute FriendlyName="MANDATE-TYPE" Name="urn:oid:1.2.40.0.10.2.1.1.261.68" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">GeneralvollmachtBilateral</saml2:AttributeValue> +            </saml2:Attribute> +            <saml2:Attribute FriendlyName="MANDATOR-NATURAL-PERSON-BPK" Name="urn:oid:1.2.40.0.10.2.1.1.261.98" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AT+XX:AFSDAFSDFDSFCSDAFASDF=</saml2:AttributeValue> +            </saml2:Attribute> +            <saml2:Attribute FriendlyName="MANDATOR-NATURAL-PERSON-GIVEN-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.78" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Gerti</saml2:AttributeValue> +            </saml2:Attribute> +            <saml2:Attribute FriendlyName="MANDATOR-NATURAL-PERSON-FAMILY-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.80" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Musterfrau</saml2:AttributeValue> +            </saml2:Attribute> +            <saml2:Attribute FriendlyName="MANDATOR-NATURAL-PERSON-BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.261.82" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">01-02-1941</saml2:AttributeValue> +            </saml2:Attribute> +             +		</saml2:AttributeStatement> +	</saml2:Assertion> +</saml2p:Response> diff --git a/modules/authmodule_id-austria/src/test/resources/data/Response_with_EID_wrong_data.xml b/modules/authmodule_id-austria/src/test/resources/data/Response_with_EID_wrong_data.xml new file mode 100644 index 00000000..cc534d09 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/Response_with_EID_wrong_data.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://localhost/authhandler/sp/idaustria/eidas/post" InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> +	<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">classpath:/data/idp_metadata_classpath_entity.xml</saml2:Issuer> +	<saml2p:Status> +		<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> +	</saml2p:Status> +	<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_602c3236bffaf71ac3ac88674e76ff9f" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0"> +		<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp/metadata</saml2:Issuer> +		<saml2:Subject> +			<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="urn:publicid:gv.at:cdid+BF">QVGm48cqcM4UcyhDTNGYmVdrIoY=</saml2:NameID> +			<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> +				<saml2:SubjectConfirmationData InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" NotOnOrAfter="2035-03-05T06:44:51.017Z" Recipient="https://localhost/authhandler/sp/eidas/post"/> +			</saml2:SubjectConfirmation> +		</saml2:Subject> +		<saml2:Conditions NotBefore="2014-03-05T06:39:51.017Z" NotOnOrAfter="2035-03-05T06:44:51.017Z"> +			<saml2:AudienceRestriction> +				<saml2:Audience>https://localhost/authhandler/sp/idaustria/eidas/metadata</saml2:Audience> +			</saml2:AudienceRestriction> +		</saml2:Conditions> +		<saml2:AuthnStatement AuthnInstant="2014-03-05T06:39:51.017Z" SessionIndex="_c0c683509a8ff6ac372a9cf9c5c5a406"> +			<saml2:AuthnContext> +				<saml2:AuthnContextClassRef>http://eidas.europa.eu/LoA/high</saml2:AuthnContextClassRef> +			</saml2:AuthnContext> +		</saml2:AuthnStatement> +		<saml2:AttributeStatement> +            <saml2:Attribute FriendlyName="piiTransactionId" Name="urn:eidgvat:attributes.piiTransactionId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">piiId_112233445566</saml2:AttributeValue> +            </saml2:Attribute> +			<saml2:Attribute FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">2.1</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-CITIZEN-QAA- EIDAS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.108" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">http://eidas.europa.eu/LoA/low</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">IT</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="eidBind" Name="urn:eidgvat:attributes.eidbind" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">aabbccddeeffgghh</saml2:AttributeValue> +			</saml2:Attribute> +            <saml2:Attribute FriendlyName="userAuthBlock" Name="urn:eidgvat:attributes.authblock.signed" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">MIIBbjCCARSgAwIBAgIEXh7TNzAKBggqhkjOPQQDAjA/MQswCQYDVQQGEwJBVDENMAsGA1UECgwERUdJWjEOMAwGA1UECwwFalVuaXQxETAPBgNVBAMMCG1ldGFkYXRhMB4XDTIwMDExNTA4NTQxNVoXDTMwMDExNDA4NTQxNVowPzELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVHSVoxDjAMBgNVBAsMBWpVbml0MREwDwYDVQQDDAhtZXRhZGF0YTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBdBkaxt31p++aZeP3SmlWITj9SYO4McV2ccXFsH4X4QMHuKAMUvjxPm1kdU01eTOWdiQX0GpDIBspYMZh8ZKcwwCgYIKoZIzj0EAwIDSAAwRQIhAJ3QKlk9cd90s+i8y62fvmGF6LtfNO+JvkWqDUBeQImnAiA2KwFtzO7STAp9MEwQGe0vt0F8mO1ttrLE+rr6YxdwGA==</saml2:AttributeValue> +            </saml2:Attribute> +		</saml2:AttributeStatement> +	</saml2:Assertion> +</saml2p:Response> diff --git a/modules/authmodule_id-austria/src/test/resources/data/Response_with_wrong_destination_endpoint.xml b/modules/authmodule_id-austria/src/test/resources/data/Response_with_wrong_destination_endpoint.xml new file mode 100644 index 00000000..2ae05ca1 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/Response_with_wrong_destination_endpoint.xml @@ -0,0 +1,52 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://localhost/demoapp/sp/eidas/post" InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> +	<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">classpath:/data/idp_metadata_classpath_entity.xml</saml2:Issuer> +	<saml2p:Status> +		<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> +	</saml2p:Status> +	<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_602c3236bffaf71ac3ac88674e76ff9f" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0"> +		<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp/metadata</saml2:Issuer> +		<saml2:Subject> +			<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="urn:publicid:gv.at:cdid+BF">QVGm48cqcM4UcyhDTNGYmVdrIoY=</saml2:NameID> +			<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> +				<saml2:SubjectConfirmationData InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" NotOnOrAfter="2014-03-05T06:44:51.017Z" Recipient="https://localhost/authhandler/sp/eidas/post"/> +			</saml2:SubjectConfirmation> +		</saml2:Subject> +		<saml2:Conditions NotBefore="2014-03-05T06:39:51.017Z" NotOnOrAfter="2014-03-05T06:44:51.017Z"> +			<saml2:AudienceRestriction> +				<saml2:Audience>https://localhost/authhandler/sp/idaustria/eidas/metadata</saml2:Audience> +			</saml2:AudienceRestriction> +		</saml2:Conditions> +		<saml2:AuthnStatement AuthnInstant="2014-03-05T06:39:51.017Z" SessionIndex="_c0c683509a8ff6ac372a9cf9c5c5a406"> +			<saml2:AuthnContext> +				<saml2:AuthnContextClassRef>http://www.stork.gov.eu/1.0/citizenQAALevel/4</saml2:AuthnContextClassRef> +			</saml2:AuthnContext> +		</saml2:AuthnStatement> +		<saml2:AttributeStatement> +			<saml2:Attribute FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">2.1</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="PRINCIPAL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Mustermann</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="GIVEN-NAME" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Max</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.55" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1940-01-01</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="BPK" Name="urn:oid:1.2.40.0.10.2.1.1.149" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">BF:QVGm48cqcM4UcyhDTNGYmVdrIoY=</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-CITIZEN-QAA-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.94" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:integer">4</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AT</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:publicid:gv.at:cdid+BF</saml2:AttributeValue> +			</saml2:Attribute> +		</saml2:AttributeStatement> +	</saml2:Assertion> +</saml2p:Response> diff --git a/modules/authmodule_id-austria/src/test/resources/data/Response_without_sig_classpath_entityid.xml b/modules/authmodule_id-austria/src/test/resources/data/Response_without_sig_classpath_entityid.xml new file mode 100644 index 00000000..0fd675e2 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/Response_without_sig_classpath_entityid.xml @@ -0,0 +1,52 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://localhost/authhandler/sp/idaustria/eidas/post" InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> +	<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">classpath:/data/idp_metadata_classpath_entity.xml</saml2:Issuer> +	<saml2p:Status> +		<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> +	</saml2p:Status> +	<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_602c3236bffaf71ac3ac88674e76ff9f" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0"> +		<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp/metadata</saml2:Issuer> +		<saml2:Subject> +			<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="urn:publicid:gv.at:cdid+BF">QVGm48cqcM4UcyhDTNGYmVdrIoY=</saml2:NameID> +			<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> +				<saml2:SubjectConfirmationData InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" NotOnOrAfter="2014-03-05T06:44:51.017Z" Recipient="https://localhost/authhandler/sp/eidas/post"/> +			</saml2:SubjectConfirmation> +		</saml2:Subject> +		<saml2:Conditions NotBefore="2014-03-05T06:39:51.017Z" NotOnOrAfter="2014-03-05T06:44:51.017Z"> +			<saml2:AudienceRestriction> +				<saml2:Audience>https://localhost/authhandler/sp/idaustria/eidas/metadata</saml2:Audience> +			</saml2:AudienceRestriction> +		</saml2:Conditions> +		<saml2:AuthnStatement AuthnInstant="2014-03-05T06:39:51.017Z" SessionIndex="_c0c683509a8ff6ac372a9cf9c5c5a406"> +			<saml2:AuthnContext> +				<saml2:AuthnContextClassRef>http://eidas.europa.eu/LoA/high</saml2:AuthnContextClassRef> +			</saml2:AuthnContext> +		</saml2:AuthnStatement> +		<saml2:AttributeStatement> +			<saml2:Attribute FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">2.1</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="PRINCIPAL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Mustermann</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="GIVEN-NAME" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Max</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.55" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1940-01-01</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="BPK" Name="urn:oid:1.2.40.0.10.2.1.1.149" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">BF:QVGm48cqcM4UcyhDTNGYmVdrIoY=</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-CITIZEN-QAA- EIDAS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.108" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">http://eidas.europa.eu/LoA/high</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">IT</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:publicid:gv.at:cdid+BF</saml2:AttributeValue> +			</saml2:Attribute> +		</saml2:AttributeStatement> +	</saml2:Assertion> +</saml2p:Response> diff --git a/modules/authmodule_id-austria/src/test/resources/data/Response_without_sig_with_error.xml b/modules/authmodule_id-austria/src/test/resources/data/Response_without_sig_with_error.xml new file mode 100644 index 00000000..ee5920dc --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/Response_without_sig_with_error.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://localhost/authhandler/sp/idaustria/eidas/post" InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> +	<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">classpath:/data/idp_metadata_classpath_entity.xml</saml2:Issuer> +	<saml2p:Status> +		<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"> +          <saml2p:StatusCode Value="9199"/> +        </saml2p:StatusCode> +        <saml2p:StatusMessage>Der Anmeldevorgang wurde durch den Benutzer abgebrochen.</saml2p:StatusMessage> +	</saml2p:Status> +	<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_602c3236bffaf71ac3ac88674e76ff9f" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0"> +		<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp/metadata</saml2:Issuer> +		<saml2:Subject> +			<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="urn:publicid:gv.at:cdid+BF">QVGm48cqcM4UcyhDTNGYmVdrIoY=</saml2:NameID> +			<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> +				<saml2:SubjectConfirmationData InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" NotOnOrAfter="2014-03-05T06:44:51.017Z" Recipient="https://localhost/authhandler/sp/eidas/post"/> +			</saml2:SubjectConfirmation> +		</saml2:Subject> +		<saml2:Conditions NotBefore="2014-03-05T06:39:51.017Z" NotOnOrAfter="2014-03-05T06:44:51.017Z"> +			<saml2:AudienceRestriction> +				<saml2:Audience>https://localhost/authhandler/sp/idaustria/eidas/metadata</saml2:Audience> +			</saml2:AudienceRestriction> +		</saml2:Conditions> +		<saml2:AuthnStatement AuthnInstant="2014-03-05T06:39:51.017Z" SessionIndex="_c0c683509a8ff6ac372a9cf9c5c5a406"> +			<saml2:AuthnContext> +				<saml2:AuthnContextClassRef>http://eidas.europa.eu/LoA/high</saml2:AuthnContextClassRef> +			</saml2:AuthnContext> +		</saml2:AuthnStatement> +		<saml2:AttributeStatement> +			<saml2:Attribute FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">2.1</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-CITIZEN-QAA- EIDAS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.108" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">http://eidas.europa.eu/LoA/low</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">IT</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="eidBind" Name="urn:eidgvat:attributes.eidbind" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">aabbccddeeffgghh</saml2:AttributeValue> +			</saml2:Attribute> +            <saml2:Attribute FriendlyName="userConsent" Name="urn:eidgvat:attributes.consent.signed" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">MIIBbjCCARSgAwIBAgIEXh7TNzAKBggqhkjOPQQDAjA/MQswCQYDVQQGEwJBVDENMAsGA1UECgwERUdJWjEOMAwGA1UECwwFalVuaXQxETAPBgNVBAMMCG1ldGFkYXRhMB4XDTIwMDExNTA4NTQxNVoXDTMwMDExNDA4NTQxNVowPzELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVHSVoxDjAMBgNVBAsMBWpVbml0MREwDwYDVQQDDAhtZXRhZGF0YTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBdBkaxt31p++aZeP3SmlWITj9SYO4McV2ccXFsH4X4QMHuKAMUvjxPm1kdU01eTOWdiQX0GpDIBspYMZh8ZKcwwCgYIKoZIzj0EAwIDSAAwRQIhAJ3QKlk9cd90s+i8y62fvmGF6LtfNO+JvkWqDUBeQImnAiA2KwFtzO7STAp9MEwQGe0vt0F8mO1ttrLE+rr6YxdwGA==</saml2:AttributeValue> +            </saml2:Attribute> +		</saml2:AttributeStatement> +	</saml2:Assertion> +</saml2p:Response> diff --git a/modules/authmodule_id-austria/src/test/resources/data/Response_without_sig_with_error_empty_subcode.xml b/modules/authmodule_id-austria/src/test/resources/data/Response_without_sig_with_error_empty_subcode.xml new file mode 100644 index 00000000..dd3f7908 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/Response_without_sig_with_error_empty_subcode.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://localhost/authhandler/sp/idaustria/eidas/post" InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> +	<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">classpath:/data/idp_metadata_classpath_entity.xml</saml2:Issuer> +	<saml2p:Status> +		<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"> +          <saml2p:StatusCode Value=""/> +        </saml2p:StatusCode> +        <saml2p:StatusMessage>Der Anmeldevorgang wurde durch den Benutzer abgebrochen.</saml2p:StatusMessage> +	</saml2p:Status> +	<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_602c3236bffaf71ac3ac88674e76ff9f" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0"> +		<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp/metadata</saml2:Issuer> +		<saml2:Subject> +			<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="urn:publicid:gv.at:cdid+BF">QVGm48cqcM4UcyhDTNGYmVdrIoY=</saml2:NameID> +			<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> +				<saml2:SubjectConfirmationData InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" NotOnOrAfter="2014-03-05T06:44:51.017Z" Recipient="https://localhost/authhandler/sp/eidas/post"/> +			</saml2:SubjectConfirmation> +		</saml2:Subject> +		<saml2:Conditions NotBefore="2014-03-05T06:39:51.017Z" NotOnOrAfter="2014-03-05T06:44:51.017Z"> +			<saml2:AudienceRestriction> +				<saml2:Audience>https://localhost/authhandler/sp/idaustria/eidas/metadata</saml2:Audience> +			</saml2:AudienceRestriction> +		</saml2:Conditions> +		<saml2:AuthnStatement AuthnInstant="2014-03-05T06:39:51.017Z" SessionIndex="_c0c683509a8ff6ac372a9cf9c5c5a406"> +			<saml2:AuthnContext> +				<saml2:AuthnContextClassRef>http://eidas.europa.eu/LoA/high</saml2:AuthnContextClassRef> +			</saml2:AuthnContext> +		</saml2:AuthnStatement> +		<saml2:AttributeStatement> +			<saml2:Attribute FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">2.1</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-CITIZEN-QAA- EIDAS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.108" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">http://eidas.europa.eu/LoA/low</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">IT</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="eidBind" Name="urn:eidgvat:attributes.eidbind" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">aabbccddeeffgghh</saml2:AttributeValue> +			</saml2:Attribute> +            <saml2:Attribute FriendlyName="userConsent" Name="urn:eidgvat:attributes.consent.signed" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">MIIBbjCCARSgAwIBAgIEXh7TNzAKBggqhkjOPQQDAjA/MQswCQYDVQQGEwJBVDENMAsGA1UECgwERUdJWjEOMAwGA1UECwwFalVuaXQxETAPBgNVBAMMCG1ldGFkYXRhMB4XDTIwMDExNTA4NTQxNVoXDTMwMDExNDA4NTQxNVowPzELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVHSVoxDjAMBgNVBAsMBWpVbml0MREwDwYDVQQDDAhtZXRhZGF0YTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBdBkaxt31p++aZeP3SmlWITj9SYO4McV2ccXFsH4X4QMHuKAMUvjxPm1kdU01eTOWdiQX0GpDIBspYMZh8ZKcwwCgYIKoZIzj0EAwIDSAAwRQIhAJ3QKlk9cd90s+i8y62fvmGF6LtfNO+JvkWqDUBeQImnAiA2KwFtzO7STAp9MEwQGe0vt0F8mO1ttrLE+rr6YxdwGA==</saml2:AttributeValue> +            </saml2:Attribute> +		</saml2:AttributeStatement> +	</saml2:Assertion> +</saml2p:Response> diff --git a/modules/authmodule_id-austria/src/test/resources/data/Response_without_sig_with_error_userstop.xml b/modules/authmodule_id-austria/src/test/resources/data/Response_without_sig_with_error_userstop.xml new file mode 100644 index 00000000..1783cbab --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/Response_without_sig_with_error_userstop.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://localhost/authhandler/sp/idaustria/eidas/post" InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> +	<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">classpath:/data/idp_metadata_classpath_entity.xml</saml2:Issuer> +	<saml2p:Status> +		<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"> +          <saml2p:StatusCode Value="1005"/> +        </saml2p:StatusCode> +        <saml2p:StatusMessage>Der Anmeldevorgang wurde durch den Benutzer abgebrochen.</saml2p:StatusMessage> +	</saml2p:Status> +	<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_602c3236bffaf71ac3ac88674e76ff9f" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0"> +		<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp/metadata</saml2:Issuer> +		<saml2:Subject> +			<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="urn:publicid:gv.at:cdid+BF">QVGm48cqcM4UcyhDTNGYmVdrIoY=</saml2:NameID> +			<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> +				<saml2:SubjectConfirmationData InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" NotOnOrAfter="2014-03-05T06:44:51.017Z" Recipient="https://localhost/authhandler/sp/eidas/post"/> +			</saml2:SubjectConfirmation> +		</saml2:Subject> +		<saml2:Conditions NotBefore="2014-03-05T06:39:51.017Z" NotOnOrAfter="2014-03-05T06:44:51.017Z"> +			<saml2:AudienceRestriction> +				<saml2:Audience>https://localhost/authhandler/sp/idaustria/eidas/metadata</saml2:Audience> +			</saml2:AudienceRestriction> +		</saml2:Conditions> +		<saml2:AuthnStatement AuthnInstant="2014-03-05T06:39:51.017Z" SessionIndex="_c0c683509a8ff6ac372a9cf9c5c5a406"> +			<saml2:AuthnContext> +				<saml2:AuthnContextClassRef>http://eidas.europa.eu/LoA/high</saml2:AuthnContextClassRef> +			</saml2:AuthnContext> +		</saml2:AuthnStatement> +		<saml2:AttributeStatement> +			<saml2:Attribute FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">2.1</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-CITIZEN-QAA- EIDAS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.108" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">http://eidas.europa.eu/LoA/low</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">IT</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="eidBind" Name="urn:eidgvat:attributes.eidbind" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">aabbccddeeffgghh</saml2:AttributeValue> +			</saml2:Attribute> +            <saml2:Attribute FriendlyName="userConsent" Name="urn:eidgvat:attributes.consent.signed" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">MIIBbjCCARSgAwIBAgIEXh7TNzAKBggqhkjOPQQDAjA/MQswCQYDVQQGEwJBVDENMAsGA1UECgwERUdJWjEOMAwGA1UECwwFalVuaXQxETAPBgNVBAMMCG1ldGFkYXRhMB4XDTIwMDExNTA4NTQxNVoXDTMwMDExNDA4NTQxNVowPzELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVHSVoxDjAMBgNVBAsMBWpVbml0MREwDwYDVQQDDAhtZXRhZGF0YTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBdBkaxt31p++aZeP3SmlWITj9SYO4McV2ccXFsH4X4QMHuKAMUvjxPm1kdU01eTOWdiQX0GpDIBspYMZh8ZKcwwCgYIKoZIzj0EAwIDSAAwRQIhAJ3QKlk9cd90s+i8y62fvmGF6LtfNO+JvkWqDUBeQImnAiA2KwFtzO7STAp9MEwQGe0vt0F8mO1ttrLE+rr6YxdwGA==</saml2:AttributeValue> +            </saml2:Attribute> +		</saml2:AttributeStatement> +	</saml2:Assertion> +</saml2p:Response> diff --git a/modules/authmodule_id-austria/src/test/resources/data/Response_without_sig_with_error_without_subcode.xml b/modules/authmodule_id-austria/src/test/resources/data/Response_without_sig_with_error_without_subcode.xml new file mode 100644 index 00000000..1c7a8433 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/Response_without_sig_with_error_without_subcode.xml @@ -0,0 +1,45 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://localhost/authhandler/sp/idaustria/eidas/post" InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> +	<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">classpath:/data/idp_metadata_classpath_entity.xml</saml2:Issuer> +	<saml2p:Status> +		<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"> +        </saml2p:StatusCode> +        <saml2p:StatusMessage>Der Anmeldevorgang wurde durch den Benutzer abgebrochen.</saml2p:StatusMessage> +	</saml2p:Status> +	<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_602c3236bffaf71ac3ac88674e76ff9f" IssueInstant="2014-03-05T06:39:51.017Z" Version="2.0"> +		<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp/metadata</saml2:Issuer> +		<saml2:Subject> +			<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="urn:publicid:gv.at:cdid+BF">QVGm48cqcM4UcyhDTNGYmVdrIoY=</saml2:NameID> +			<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> +				<saml2:SubjectConfirmationData InResponseTo="_aeebfae3ce681fe3ddcaf213a42f01d3" NotOnOrAfter="2014-03-05T06:44:51.017Z" Recipient="https://localhost/authhandler/sp/eidas/post"/> +			</saml2:SubjectConfirmation> +		</saml2:Subject> +		<saml2:Conditions NotBefore="2014-03-05T06:39:51.017Z" NotOnOrAfter="2014-03-05T06:44:51.017Z"> +			<saml2:AudienceRestriction> +				<saml2:Audience>https://localhost/authhandler/sp/idaustria/eidas/metadata</saml2:Audience> +			</saml2:AudienceRestriction> +		</saml2:Conditions> +		<saml2:AuthnStatement AuthnInstant="2014-03-05T06:39:51.017Z" SessionIndex="_c0c683509a8ff6ac372a9cf9c5c5a406"> +			<saml2:AuthnContext> +				<saml2:AuthnContextClassRef>http://eidas.europa.eu/LoA/high</saml2:AuthnContextClassRef> +			</saml2:AuthnContext> +		</saml2:AuthnStatement> +		<saml2:AttributeStatement> +			<saml2:Attribute FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">2.1</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-CITIZEN-QAA- EIDAS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.108" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">http://eidas.europa.eu/LoA/low</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">IT</saml2:AttributeValue> +			</saml2:Attribute> +			<saml2:Attribute FriendlyName="eidBind" Name="urn:eidgvat:attributes.eidbind" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +				<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">aabbccddeeffgghh</saml2:AttributeValue> +			</saml2:Attribute> +            <saml2:Attribute FriendlyName="userConsent" Name="urn:eidgvat:attributes.consent.signed" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> +              <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">MIIBbjCCARSgAwIBAgIEXh7TNzAKBggqhkjOPQQDAjA/MQswCQYDVQQGEwJBVDENMAsGA1UECgwERUdJWjEOMAwGA1UECwwFalVuaXQxETAPBgNVBAMMCG1ldGFkYXRhMB4XDTIwMDExNTA4NTQxNVoXDTMwMDExNDA4NTQxNVowPzELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVHSVoxDjAMBgNVBAsMBWpVbml0MREwDwYDVQQDDAhtZXRhZGF0YTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBdBkaxt31p++aZeP3SmlWITj9SYO4McV2ccXFsH4X4QMHuKAMUvjxPm1kdU01eTOWdiQX0GpDIBspYMZh8ZKcwwCgYIKoZIzj0EAwIDSAAwRQIhAJ3QKlk9cd90s+i8y62fvmGF6LtfNO+JvkWqDUBeQImnAiA2KwFtzO7STAp9MEwQGe0vt0F8mO1ttrLE+rr6YxdwGA==</saml2:AttributeValue> +            </saml2:Attribute> +		</saml2:AttributeStatement> +	</saml2:Assertion> +</saml2p:Response> diff --git a/modules/authmodule_id-austria/src/test/resources/data/eidas_node_siging.crt b/modules/authmodule_id-austria/src/test/resources/data/eidas_node_siging.crt new file mode 100644 index 00000000..95843ea9 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/eidas_node_siging.crt @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIEFTCCAn0CBFtIcMwwDQYJKoZIhvcNAQELBQAwTzELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH +SVoxMTAvBgNVBAMMKG5hdGlvbmFsIGNlbnRyYWwgZUlEQVMgbm9kZSAtIHRlc3RzeXN0ZW0wHhcN +MTgwNzEzMDkyODQ0WhcNMjEwNDA3MDkyODQ0WjBPMQswCQYDVQQGEwJBVDENMAsGA1UECgwERUdJ +WjExMC8GA1UEAwwobmF0aW9uYWwgY2VudHJhbCBlSURBUyBub2RlIC0gdGVzdHN5c3RlbTCCAaIw +DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALK4bdf5OremKkj0+xCjU0eN7RUd1A2VqoGnvFUs +t7xjLQ1PspHiDf9Pm2cwOIJabSnuZ01hYAGz9X+lU3Z3fwhVc+tEsuzsaAml/LPw3i3+ppoSTJDM +iDvhCoUKTzJ8HBQj2gTvXNlqPljyGneuCJ+uBMr7Okq/XjMTJj2xzvutrHS3qIO+/w+OkY967QLV +RXh0bdFqYqnyAnlYcWJPIwjanOJtE2difPYqers7ZW1F9djP0+IZRoyaook5rpLYvuQTHuvulgIE +3zGlTuOx3sk8zMyInMndqi75Eh+ROnndSZE7gN3u5CfFpuO5pxFa2jj1h/AnR39Tg8/sU+Se+AwH +rNvee3IWhxk5LkelYevfeCQos7Dv2ASE9XMCCs7FoE47w8fDalECh09MFKDiotpklbq3OrPg9NQ4 +D//k0GXlW5jYUKP/Wq/+suAI6mfhSnNkjOGMcMlzNTmwxGD/v7Py6OVA+YcJQsqYalLrqbvT2tXV +mYBVO3oqafg+kfevfwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBgQCioM8k0EEBFtY4QyxOYFufPDLw +9PNPct01ltnTVjNEEt/L6/8zYlDwrDeULEkJS7mV9zV3657NPQ5IPT/Ib93Uk/RPi0iOA2CGWIMa +DQIODN3BUYr+zPUqhbKS6OWOhTgV8GiRCUbxrT1uc1AiacP63pga3TJX8k8WFnfW+Dqm2MfWWlxr +4X2YB9VUW55X5sBNy035jYhEpp8NCK/fTAhoEQNCG+rm3T9qhT6YyOnbW2kXU747+ZwXT2qA5o4y +a/9+6dDc+LUlHCEm4X7c6bcGvCfNezB4k56FzbAJlOLf2VDGzvEQBf0hsB+kElezm1VBlEkZ4Mjz +pBpHBMoR21SwTpcvrbR4ig0Bk1eEHNK44sw0F32K5yww3gnJftMIZtPhjhk8UdG2/H6vs9s/to2V +j4V6wN4o79RTULoQ8RjL6MPWEWzwOvOZXJAo2XJEECvDivSjIJvNC0lfrK3zI3LH3c1JR6q2EfeC +Z50wTJMFoChSaqunJQXKo81g6wNhP00= +-----END CERTIFICATE----- diff --git a/modules/authmodule_id-austria/src/test/resources/data/idp_metadata_classpath_entity.xml b/modules/authmodule_id-austria/src/test/resources/data/idp_metadata_classpath_entity.xml new file mode 100644 index 00000000..de565887 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/idp_metadata_classpath_entity.xml @@ -0,0 +1,146 @@ +<?xml version="1.0" encoding="UTF-8"?> +<md:EntityDescriptor +  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" +  ID="_1a48ec3432f2f3ba6222724a5b06f873" +  entityID="classpath:/data/idp_metadata_classpath_entity.xml" +  validUntil="2045-02-06T08:47:26.211Z"> +  <md:IDPSSODescriptor +    WantAuthnRequestsSigned="true" +    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> +    <md:KeyDescriptor use="signing"> +      <ds:KeyInfo +        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> +        <ds:X509Data> +          <ds:X509Certificate>MIIDMzCCAhsCBFtIcPowDQYJKoZIhvcNAQELBQAwXjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH +            SVoxJDAiBgNVBAsMG2NlbnRyYWwgbmF0aW9uYWwgZUlEQVMgbm9kZTEaMBgGA1UEAwwRQXNzZXJ0 +            aW9uIHNpZ25pbmcwHhcNMTgwNzEzMDkyOTMwWhcNMjEwNDA3MDkyOTMwWjBeMQswCQYDVQQGEwJB +            VDENMAsGA1UECgwERUdJWjEkMCIGA1UECwwbY2VudHJhbCBuYXRpb25hbCBlSURBUyBub2RlMRow +            GAYDVQQDDBFBc3NlcnRpb24gc2lnbmluZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +            AJ5zDYxMPRcz6AHaev1tS46Tq8sdgbGFM56uxk6c7LmMDC+HTzNX/3Q5S/YwSzgL3ue5TSw1ltOf +            yMXMZ6D0+buWWcsxGEkQ8M3adKRFdQrEwafzwTA7pguq5WiHOkr4qwR7dLMome9z5cc3LRcwdOPP +            gq7ahb5jM3hRqc5xkMWIuvql0NFXPzlHrjDLwy5nIWPOhL5abhVt4YsXbpbjXxFSGkDEAZ32K3EU +            LNBr9FSUmJfbrVX9AU2T+BKIwiqXP8e/3UJHgPHQ0l5ljWp5P6u5+tvM21o8sUM4eArRa8BkdRsP +            C92GVuASSUz2ZJ3JhAK1cSM8bnvaZVLQtTvPMAcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAAp7z +            TubWXW6YMpyLSvWBdZiiQ3X66XpSZLZJDIAkoPzEY0DSBp8I5YASIx4JTR5XJt+6MI9acgNIAYW8 +            DhtRwUMVaRWEtuCrfKhGLWm5KSxnhPcD3lzRZhY4ZcA7dUlirjf6hnqo2TFEmJ9fkM+rxwy1GkDD +            7j2YDSOFmSq9/Ud9/IbIfSnRu/lO0dh7iRrmg3y0Y/+plPxYmp4AHqehP11OchTz2FGGHVsSC2Vs +            IVBQI6ANZYyOlicgfEEFHA06jP9OnA0EwEFr2P+di9caZg8vfibyzxMGeuf6CY0c0eLHokBCn2W8 +            vkzvWiER3pozRvCmXFjCVZfRjUunaJf2ow== +          </ds:X509Certificate> +        </ds:X509Data> +        <ds:X509Data> +          <ds:X509Certificate>MIIC+DCCAeCgAwIBAgIEXh7TbTANBgkqhkiG9w0BAQsFADA+MQswCQYDVQQGEwJB +            VDENMAsGA1UECgwERUdJWjEOMAwGA1UECwwFalVuaXQxEDAOBgNVBAMMB3NpZ25p +            bmcwHhcNMjAwMTE1MDg1NTA5WhcNMjkwMTE0MDg1NTA5WjA+MQswCQYDVQQGEwJB +            VDENMAsGA1UECgwERUdJWjEOMAwGA1UECwwFalVuaXQxEDAOBgNVBAMMB3NpZ25p +            bmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCUSiRjnDvPafZfhJ+L +            1wM86FKJX3VIAV/8TD9qJ6HOBkn5WwYfpheyCfRb6XVDyIGpO8qnMWAgC17Ngbmh +            zj8d8HXNQ2l3uppMv24oUTfXyYhQfZWAghx0sTlRIx/ZmlnduJilx2S53Sa7ruJw +            lQcBFXj9h9B8dtyegc86Sx6D9BumP1xU7+mEBk8Gv9rR5Khg0Y7qGfZWB0t4aikg +            aupWveVwiGifOOSfR8czqIg9qUpMYfZiTEBTSRmN6sPiNWhd4J0GyAI9Rn5C9jz/ +            sSlQrxpN+4DXzsqSU5F6gzq3yRux6wyOzDlt2birf21VPQ9HIy4YCjZXwgDWG7AO +            821pAgMBAAEwDQYJKoZIhvcNAQELBQADggEBADnwdaxUtQU6SIpYwIb2c0ljTmQi +            7ryUcUpNHtK0M0E5Mw5Ex8zwrWbNQZ2sUyc4r07M66iOIqHsYZUQlRYvVKHifDpA +            r8TCgD7iGGdB3By8Ou0RaNW+03w1fwmi98CufbHCGvpv0o2KxlejoHZminNdQ79i +            bN+01nhocezJQATEQlnwHLiQSjilXpZeLYDk8HbrcUXNRxezN4ChdH+uU54vf+Ux +            qcj9QHcmBe1+BM8EXfqS1DbTwZl+NTCnh5OYl8fvIFSOHMBxwFrI4pyY0faxg9Uc +            rCogn/oQ+mV1gnVUDaDhvvEnVGZQtrlt7heVId2BeNellVgsrcmdW8j4U9U= +          </ds:X509Certificate> +        </ds:X509Data> +        <ds:X509Data> +          <ds:X509Certificate>MIIBbjCCARSgAwIBAgIEXh7TNzAKBggqhkjOPQQDAjA/MQswCQYDVQQGEwJBVDEN +            MAsGA1UECgwERUdJWjEOMAwGA1UECwwFalVuaXQxETAPBgNVBAMMCG1ldGFkYXRh +            MB4XDTIwMDExNTA4NTQxNVoXDTMwMDExNDA4NTQxNVowPzELMAkGA1UEBhMCQVQx +            DTALBgNVBAoMBEVHSVoxDjAMBgNVBAsMBWpVbml0MREwDwYDVQQDDAhtZXRhZGF0 +            YTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBdBkaxt31p++aZeP3SmlWITj9SY +            O4McV2ccXFsH4X4QMHuKAMUvjxPm1kdU01eTOWdiQX0GpDIBspYMZh8ZKcwwCgYI +            KoZIzj0EAwIDSAAwRQIhAJ3QKlk9cd90s+i8y62fvmGF6LtfNO+JvkWqDUBeQImn +            AiA2KwFtzO7STAp9MEwQGe0vt0F8mO1ttrLE+rr6YxdwGA== +          </ds:X509Certificate> +        </ds:X509Data> +      </ds:KeyInfo> +    </md:KeyDescriptor> +    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent +    </md:NameIDFormat> +    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient +    </md:NameIDFormat> +    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified +    </md:NameIDFormat> +    <md:SingleSignOnService +      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" +      Location="https://vidp.gv.at/ms_connector/pvp/post" /> +    <md:SingleSignOnService +      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" +      Location="https://vidp.gv.at/ms_connector/pvp/redirect" /> +    <saml2:Attribute +      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" +      FriendlyName="BPK" Name="urn:oid:1.2.40.0.10.2.1.1.149" +      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" /> +    <saml2:Attribute +      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" +      FriendlyName="BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.55" +      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" /> +    <saml2:Attribute +      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" +      FriendlyName="PRINCIPAL-NAME" +      Name="urn:oid:1.2.40.0.10.2.1.1.261.20" +      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" /> +    <saml2:Attribute +      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" +      FriendlyName="EID-CCS-URL" Name="urn:oid:1.2.40.0.10.2.1.1.261.64" +      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" /> +    <saml2:Attribute +      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" +      FriendlyName="EID-ISSUING-NATION" +      Name="urn:oid:1.2.40.0.10.2.1.1.261.32" +      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" /> +    <saml2:Attribute +      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" +      FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" +      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" /> +    <saml2:Attribute +      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" +      FriendlyName="EID-SOURCE-PIN" +      Name="urn:oid:1.2.40.0.10.2.1.1.261.36" +      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" /> +    <saml2:Attribute +      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" +      FriendlyName="GIVEN-NAME" Name="urn:oid:2.5.4.42" +      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" /> +    <saml2:Attribute +      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" +      FriendlyName="EID-SIGNER-CERTIFICATE" +      Name="urn:oid:1.2.40.0.10.2.1.1.261.66" +      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" /> +    <saml2:Attribute +      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" +      FriendlyName="EID-SECTOR-FOR-IDENTIFIER" +      Name="urn:oid:1.2.40.0.10.2.1.1.261.34" +      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" /> +    <saml2:Attribute +      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" +      FriendlyName="EID-SOURCE-PIN-TYPE" +      Name="urn:oid:1.2.40.0.10.2.1.1.261.104" +      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" /> +    <saml2:Attribute +      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" +      FriendlyName="EID-E-ID-TOKEN" +      Name="urn:oid:1.2.40.0.10.2.1.1.261.39" +      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" /> +    <saml2:Attribute +      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" +      FriendlyName="EID-IDENTITY-LINK" +      Name="urn:oid:1.2.40.0.10.2.1.1.261.38" +      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" /> +    <saml2:Attribute +      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" +      FriendlyName="EID-CITIZEN-QAA-EIDAS-LEVEL" +      Name="urn:oid:1.2.40.0.10.2.1.1.261.108" +      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" /> +    <saml2:Attribute +      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" +      FriendlyName="EID-IDENTITY-STATUS-LEVEL" +      Name="urn:oid:1.2.40.0.10.2.1.1.261.109" +      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" /> +  </md:IDPSSODescriptor> +</md:EntityDescriptor> diff --git a/modules/authmodule_id-austria/src/test/resources/data/idp_metadata_no_sig.xml b/modules/authmodule_id-austria/src/test/resources/data/idp_metadata_no_sig.xml new file mode 100644 index 00000000..bc55fe62 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/idp_metadata_no_sig.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding="UTF-8"?> +<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_1a48ec3432f2f3ba6222724a5b06f873" entityID="https://vidp.gv.at/ms_connector/pvp/metadata" validUntil="2045-02-06T08:47:26.211Z"> +	<md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> +		<md:KeyDescriptor use="signing"> +			<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> +				<ds:X509Data> +					<ds:X509Certificate>MIIDMzCCAhsCBFtIcPowDQYJKoZIhvcNAQELBQAwXjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH +SVoxJDAiBgNVBAsMG2NlbnRyYWwgbmF0aW9uYWwgZUlEQVMgbm9kZTEaMBgGA1UEAwwRQXNzZXJ0 +aW9uIHNpZ25pbmcwHhcNMTgwNzEzMDkyOTMwWhcNMjEwNDA3MDkyOTMwWjBeMQswCQYDVQQGEwJB +VDENMAsGA1UECgwERUdJWjEkMCIGA1UECwwbY2VudHJhbCBuYXRpb25hbCBlSURBUyBub2RlMRow +GAYDVQQDDBFBc3NlcnRpb24gc2lnbmluZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AJ5zDYxMPRcz6AHaev1tS46Tq8sdgbGFM56uxk6c7LmMDC+HTzNX/3Q5S/YwSzgL3ue5TSw1ltOf +yMXMZ6D0+buWWcsxGEkQ8M3adKRFdQrEwafzwTA7pguq5WiHOkr4qwR7dLMome9z5cc3LRcwdOPP +gq7ahb5jM3hRqc5xkMWIuvql0NFXPzlHrjDLwy5nIWPOhL5abhVt4YsXbpbjXxFSGkDEAZ32K3EU +LNBr9FSUmJfbrVX9AU2T+BKIwiqXP8e/3UJHgPHQ0l5ljWp5P6u5+tvM21o8sUM4eArRa8BkdRsP +C92GVuASSUz2ZJ3JhAK1cSM8bnvaZVLQtTvPMAcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAAp7z +TubWXW6YMpyLSvWBdZiiQ3X66XpSZLZJDIAkoPzEY0DSBp8I5YASIx4JTR5XJt+6MI9acgNIAYW8 +DhtRwUMVaRWEtuCrfKhGLWm5KSxnhPcD3lzRZhY4ZcA7dUlirjf6hnqo2TFEmJ9fkM+rxwy1GkDD +7j2YDSOFmSq9/Ud9/IbIfSnRu/lO0dh7iRrmg3y0Y/+plPxYmp4AHqehP11OchTz2FGGHVsSC2Vs +IVBQI6ANZYyOlicgfEEFHA06jP9OnA0EwEFr2P+di9caZg8vfibyzxMGeuf6CY0c0eLHokBCn2W8 +vkzvWiER3pozRvCmXFjCVZfRjUunaJf2ow==</ds:X509Certificate> +				</ds:X509Data> +			</ds:KeyInfo> +		</md:KeyDescriptor> +		<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat> +		<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat> +		<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat> +		<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vidp.gv.at/ms_connector/pvp/post"/> +		<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://vidp.gv.at/ms_connector/pvp/redirect"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="BPK" Name="urn:oid:1.2.40.0.10.2.1.1.149" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.55" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="PRINCIPAL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-CCS-URL" Name="urn:oid:1.2.40.0.10.2.1.1.261.64" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-SOURCE-PIN" Name="urn:oid:1.2.40.0.10.2.1.1.261.36" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="GIVEN-NAME" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-SIGNER-CERTIFICATE" Name="urn:oid:1.2.40.0.10.2.1.1.261.66" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-SOURCE-PIN-TYPE" Name="urn:oid:1.2.40.0.10.2.1.1.261.104" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-E-ID-TOKEN" Name="urn:oid:1.2.40.0.10.2.1.1.261.39" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-IDENTITY-LINK" Name="urn:oid:1.2.40.0.10.2.1.1.261.38" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-CITIZEN-QAA-EIDAS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.108" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-IDENTITY-STATUS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.109" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +	</md:IDPSSODescriptor> +</md:EntityDescriptor> diff --git a/modules/authmodule_id-austria/src/test/resources/data/idp_metadata_no_sig2.xml b/modules/authmodule_id-austria/src/test/resources/data/idp_metadata_no_sig2.xml new file mode 100644 index 00000000..bdc176a0 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/idp_metadata_no_sig2.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding="UTF-8"?> +<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_1a48ec3432f2f3ba6222724a5b06f873" entityID="classpath:/data/idp_metadata_no_sig2.xml" validUntil="2045-02-06T08:47:26.211Z"> +	<md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> +		<md:KeyDescriptor use="signing"> +			<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> +				<ds:X509Data> +					<ds:X509Certificate>MIIDMzCCAhsCBFtIcPowDQYJKoZIhvcNAQELBQAwXjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH +SVoxJDAiBgNVBAsMG2NlbnRyYWwgbmF0aW9uYWwgZUlEQVMgbm9kZTEaMBgGA1UEAwwRQXNzZXJ0 +aW9uIHNpZ25pbmcwHhcNMTgwNzEzMDkyOTMwWhcNMjEwNDA3MDkyOTMwWjBeMQswCQYDVQQGEwJB +VDENMAsGA1UECgwERUdJWjEkMCIGA1UECwwbY2VudHJhbCBuYXRpb25hbCBlSURBUyBub2RlMRow +GAYDVQQDDBFBc3NlcnRpb24gc2lnbmluZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AJ5zDYxMPRcz6AHaev1tS46Tq8sdgbGFM56uxk6c7LmMDC+HTzNX/3Q5S/YwSzgL3ue5TSw1ltOf +yMXMZ6D0+buWWcsxGEkQ8M3adKRFdQrEwafzwTA7pguq5WiHOkr4qwR7dLMome9z5cc3LRcwdOPP +gq7ahb5jM3hRqc5xkMWIuvql0NFXPzlHrjDLwy5nIWPOhL5abhVt4YsXbpbjXxFSGkDEAZ32K3EU +LNBr9FSUmJfbrVX9AU2T+BKIwiqXP8e/3UJHgPHQ0l5ljWp5P6u5+tvM21o8sUM4eArRa8BkdRsP +C92GVuASSUz2ZJ3JhAK1cSM8bnvaZVLQtTvPMAcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAAp7z +TubWXW6YMpyLSvWBdZiiQ3X66XpSZLZJDIAkoPzEY0DSBp8I5YASIx4JTR5XJt+6MI9acgNIAYW8 +DhtRwUMVaRWEtuCrfKhGLWm5KSxnhPcD3lzRZhY4ZcA7dUlirjf6hnqo2TFEmJ9fkM+rxwy1GkDD +7j2YDSOFmSq9/Ud9/IbIfSnRu/lO0dh7iRrmg3y0Y/+plPxYmp4AHqehP11OchTz2FGGHVsSC2Vs +IVBQI6ANZYyOlicgfEEFHA06jP9OnA0EwEFr2P+di9caZg8vfibyzxMGeuf6CY0c0eLHokBCn2W8 +vkzvWiER3pozRvCmXFjCVZfRjUunaJf2ow==</ds:X509Certificate> +				</ds:X509Data> +			</ds:KeyInfo> +		</md:KeyDescriptor> +		<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat> +		<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat> +		<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat> +		<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vidp.gv.at/ms_connector/pvp/post"/> +		<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://vidp.gv.at/ms_connector/pvp/redirect"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="BPK" Name="urn:oid:1.2.40.0.10.2.1.1.149" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.55" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="PRINCIPAL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-CCS-URL" Name="urn:oid:1.2.40.0.10.2.1.1.261.64" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-SOURCE-PIN" Name="urn:oid:1.2.40.0.10.2.1.1.261.36" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="GIVEN-NAME" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-SIGNER-CERTIFICATE" Name="urn:oid:1.2.40.0.10.2.1.1.261.66" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-SOURCE-PIN-TYPE" Name="urn:oid:1.2.40.0.10.2.1.1.261.104" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-E-ID-TOKEN" Name="urn:oid:1.2.40.0.10.2.1.1.261.39" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-IDENTITY-LINK" Name="urn:oid:1.2.40.0.10.2.1.1.261.38" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-CITIZEN-QAA-EIDAS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.108" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-IDENTITY-STATUS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.109" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +	</md:IDPSSODescriptor> +</md:EntityDescriptor> diff --git a/modules/authmodule_id-austria/src/test/resources/data/idp_metadata_sig_notvalid.xml b/modules/authmodule_id-austria/src/test/resources/data/idp_metadata_sig_notvalid.xml new file mode 100644 index 00000000..86665a9c --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/idp_metadata_sig_notvalid.xml @@ -0,0 +1,84 @@ +<?xml version="1.0" encoding="UTF-8"?> +<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_1a48ec3432f2f3ba6222724a5b06f873" entityID="https://localEntity" validUntil="2045-02-06T08:47:26.211Z"> +  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> +    <ds:SignedInfo> +      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> +      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> +      <ds:Reference URI="#_1a48ec3432f2f3ba6222724a5b06f873"> +        <ds:Transforms> +          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> +          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> +        </ds:Transforms> +        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> +        <ds:DigestValue>e6DiHa9scuvxJFBUipZ8PQcD4kAkmSIDZgZV+0/7glg=</ds:DigestValue> +      </ds:Reference> +    </ds:SignedInfo> +    <ds:SignatureValue>Czr2EwhK/0ZUZ5blQpJfNoOFEscLlxlmHPjmOJUIsxlB2pUn+ApULrjVpR1ViUcGZ0PVi2KChSNoSn09YKjtgPFBiSY010VYdaACgqluxUt6AwESObaqcyHVBzMDUr/g6jkRFEJV4vqnZQQDdDfTH4MXNqunORegS1saBHw4nJSOX4YfoVmIuT5uOlRrxvoG7srnGShvF7DmvIHBUBF5Tq9FyeSgwTM8udxl8Yl9FB2pREuR83CcbgjPrYKtzi6TiSfrWkcD0L5BvmMxN/BdaGDAorxYOnk41sWDJjrkY8C2SC1YDy6XT4SM06uFwstUrRn8QPg1hfbLHAyQNoaR8ecgapk5DkxmbATMcGY+SM4yQWkBdYT7GtufNmF8sIVaL6JOOTKAE9qqX/1N6N4zOPmm8rpIqVEQZtQ5usN/ubxbxLxUoTdDeo8RwkktW6zQ3Zv9+Iyf0DASYmK1IxN+fMw/qyeVy9r6o15ITHTqTmT/7BidKZ58m4HxIK52E3DU</ds:SignatureValue> +    <ds:KeyInfo> +      <ds:X509Data> +        <ds:X509Certificate>MIIEFTCCAn0CBFtIcMwwDQYJKoZIhvcNAQELBQAwTzELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH +SVoxMTAvBgNVBAMMKG5hdGlvbmFsIGNlbnRyYWwgZUlEQVMgbm9kZSAtIHRlc3RzeXN0ZW0wHhcN +MTgwNzEzMDkyODQ0WhcNMjEwNDA3MDkyODQ0WjBPMQswCQYDVQQGEwJBVDENMAsGA1UECgwERUdJ +WjExMC8GA1UEAwwobmF0aW9uYWwgY2VudHJhbCBlSURBUyBub2RlIC0gdGVzdHN5c3RlbTCCAaIw +DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALK4bdf5OremKkj0+xCjU0eN7RUd1A2VqoGnvFUs +t7xjLQ1PspHiDf9Pm2cwOIJabSnuZ01hYAGz9X+lU3Z3fwhVc+tEsuzsaAml/LPw3i3+ppoSTJDM +iDvhCoUKTzJ8HBQj2gTvXNlqPljyGneuCJ+uBMr7Okq/XjMTJj2xzvutrHS3qIO+/w+OkY967QLV +RXh0bdFqYqnyAnlYcWJPIwjanOJtE2difPYqers7ZW1F9djP0+IZRoyaook5rpLYvuQTHuvulgIE +3zGlTuOx3sk8zMyInMndqi75Eh+ROnndSZE7gN3u5CfFpuO5pxFa2jj1h/AnR39Tg8/sU+Se+AwH +rNvee3IWhxk5LkelYevfeCQos7Dv2ASE9XMCCs7FoE47w8fDalECh09MFKDiotpklbq3OrPg9NQ4 +D//k0GXlW5jYUKP/Wq/+suAI6mfhSnNkjOGMcMlzNTmwxGD/v7Py6OVA+YcJQsqYalLrqbvT2tXV +mYBVO3oqafg+kfevfwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBgQCioM8k0EEBFtY4QyxOYFufPDLw +9PNPct01ltnTVjNEEt/L6/8zYlDwrDeULEkJS7mV9zV3657NPQ5IPT/Ib93Uk/RPi0iOA2CGWIMa +DQIODN3BUYr+zPUqhbKS6OWOhTgV8GiRCUbxrT1uc1AiacP63pga3TJX8k8WFnfW+Dqm2MfWWlxr +4X2YB9VUW55X5sBNy035jYhEpp8NCK/fTAhoEQNCG+rm3T9qhT6YyOnbW2kXU747+ZwXT2qA5o4y +a/9+6dDc+LUlHCEm4X7c6bcGvCfNezB4k56FzbAJlOLf2VDGzvEQBf0hsB+kElezm1VBlEkZ4Mjz +pBpHBMoR21SwTpcvrbR4ig0Bk1eEHNK44sw0F32K5yww3gnJftMIZtPhjhk8UdG2/H6vs9s/to2V +j4V6wN4o79RTULoQ8RjL6MPWEWzwOvOZXJAo2XJEECvDivSjIJvNC0lfrK3zI3LH3c1JR6q2EfeC +Z50wTJMFoChSaqunJQXKo81g6wNhP00=</ds:X509Certificate> +      </ds:X509Data> +    </ds:KeyInfo> +  </ds:Signature> +  <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> +    <md:KeyDescriptor use="signing"> +      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> +        <ds:X509Data> +          <ds:X509Certificate>MIIDMzCCAhsCBFtIcPowDQYJKoZIhvcNAQELBQAwXjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH +SVoxJDAiBgNVBAsMG2NlbnRyYWwgbmF0aW9uYWwgZUlEQVMgbm9kZTEaMBgGA1UEAwwRQXNzZXJ0 +aW9uIHNpZ25pbmcwHhcNMTgwNzEzMDkyOTMwWhcNMjEwNDA3MDkyOTMwWjBeMQswCQYDVQQGEwJB +VDENMAsGA1UECgwERUdJWjEkMCIGA1UECwwbY2VudHJhbCBuYXRpb25hbCBlSURBUyBub2RlMRow +GAYDVQQDDBFBc3NlcnRpb24gc2lnbmluZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AJ5zDYxMPRcz6AHaev1tS46Tq8sdgbGFM56uxk6c7LmMDC+HTzNX/3Q5S/YwSzgL3ue5TSw1ltOf +yMXMZ6D0+buWWcsxGEkQ8M3adKRFdQrEwafzwTA7pguq5WiHOkr4qwR7dLMome9z5cc3LRcwdOPP +gq7ahb5jM3hRqc5xkMWIuvql0NFXPzlHrjDLwy5nIWPOhL5abhVt4YsXbpbjXxFSGkDEAZ32K3EU +LNBr9FSUmJfbrVX9AU2T+BKIwiqXP8e/3UJHgPHQ0l5ljWp5P6u5+tvM21o8sUM4eArRa8BkdRsP +C92GVuASSUz2ZJ3JhAK1cSM8bnvaZVLQtTvPMAcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAAp7z +TubWXW6YMpyLSvWBdZiiQ3X66XpSZLZJDIAkoPzEY0DSBp8I5YASIx4JTR5XJt+6MI9acgNIAYW8 +DhtRwUMVaRWEtuCrfKhGLWm5KSxnhPcD3lzRZhY4ZcA7dUlirjf6hnqo2TFEmJ9fkM+rxwy1GkDD +7j2YDSOFmSq9/Ud9/IbIfSnRu/lO0dh7iRrmg3y0Y/+plPxYmp4AHqehP11OchTz2FGGHVsSC2Vs +IVBQI6ANZYyOlicgfEEFHA06jP9OnA0EwEFr2P+di9caZg8vfibyzxMGeuf6CY0c0eLHokBCn2W8 +vkzvWiER3pozRvCmXFjCVZfRjUunaJf2ow==</ds:X509Certificate> +        </ds:X509Data> +      </ds:KeyInfo> +    </md:KeyDescriptor> +    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat> +    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat> +    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat> +    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vidp.gv.at/ms_connector/pvp/post"/> +    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://vidp.gv.at/ms_connector/pvp/redirect"/> +    <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="BPK" Name="urn:oid:1.2.40.0.10.2.1.1.149" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +    <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.55" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +    <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="PRINCIPAL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +    <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-CCS-URL" Name="urn:oid:1.2.40.0.10.2.1.1.261.64" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +    <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +    <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +    <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-SOURCE-PIN" Name="urn:oid:1.2.40.0.10.2.1.1.261.36" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +    <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="GIVEN-NAME" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +    <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-SIGNER-CERTIFICATE" Name="urn:oid:1.2.40.0.10.2.1.1.261.66" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +    <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +    <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-SOURCE-PIN-TYPE" Name="urn:oid:1.2.40.0.10.2.1.1.261.104" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +    <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-E-ID-TOKEN" Name="urn:oid:1.2.40.0.10.2.1.1.261.39" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +    <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-IDENTITY-LINK" Name="urn:oid:1.2.40.0.10.2.1.1.261.38" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +    <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-CITIZEN-QAA-EIDAS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.108" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +    <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-IDENTITY-STATUS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.109" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +  </md:IDPSSODescriptor> +</md:EntityDescriptor> diff --git a/modules/authmodule_id-austria/src/test/resources/data/idp_metadata_sig_valid_wrong_alg.xml b/modules/authmodule_id-austria/src/test/resources/data/idp_metadata_sig_valid_wrong_alg.xml new file mode 100644 index 00000000..2187aa5f --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/idp_metadata_sig_valid_wrong_alg.xml @@ -0,0 +1,74 @@ +<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_1a48ec3432f2f3ba6222724a5b06f873" entityID="https://vidp.gv.at/ms_connector/pvp/metadata" validUntil="2045-02-06T08:47:26.211Z"> +	<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="signature-1-1"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference Id="reference-1-1" URI=""><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><dsig:DigestValue>dhkHkgZ1OOHG0nYWiRXrpZhIAx41103CG6DKDbBra8o=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>AkxnEu9g3QgYC0JwuJXMYFrnNn6UMtrbtVn5YzkKBXxyYqZui4pEi/TRSM9r7Gt+ +4UqHrJVkYMbbuoO2kpiDnluPG+vHYzYFvF0agQ+gfGjpVQNRORN0FU7JPX+KPjpr +sMU8wVZITSPU0GBBccvzrcpq7DQt0VbV5U7/Vq3KM/fop4ytAkUbTltUj/XxvAd1 +XdhB/zyeTTR2dafJ6Z2CKyM7MMmxwXYD1NrPGciPvTJ9ASHAT0lJM1dxrRNbeAja +KTrNVj78MhSluRm5g7N1pMZzgMSpqN66AUg8pkSTvcRaNImPzYDcMQzHl2Tr362M +RudjSgaEljK98TbBdgLFTg==</dsig:SignatureValue><dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>MIIEqzCCBBSgAwIBAgIHANux81oNezANBgkqhkiG9w0BAQUFADBAMSIwIAYDVQQD +ExlJQUlLIFRlc3QgSW50ZXJtZWRpYXRlIENBMQ0wCwYDVQQKEwRJQUlLMQswCQYD +VQQGEwJBVDAeFw0xMzA5MjcwNTMzMzdaFw0yMzA5MjcwNTMzMzdaMIHkMQswCQYD +VQQGEwJBVDENMAsGA1UEBxMER3JhejEmMCQGA1UEChMdR3JheiBVbml2ZXJzaXR5 +IG9mIFRlY2hub2xvZ3kxSDBGBgNVBAsTP0luc3RpdHV0ZSBmb3IgQXBwbGllZCBJ +bmZvcm1hdGlvbiBQcm9jZXNzaW5nIGFuZCBDb21tdW5pY2F0aW9uczEUMBIGA1UE +BBMLTU9BLVNTIFRlc3QxGDAWBgNVBCoTD0VHSVogVGVzdHBvcnRhbDEkMCIGA1UE +AxMbRUdJWiBUZXN0cG9ydGFsIE1PQS1TUyBUZXN0MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuDjOyf+mY+oQL2FQzzuaiC8C23vVKbq/n2Zi7BqSibZH +mtqMJfmj4pT+hWSNHvVvWsaxFcx4KeNqdCMzwnw1r4P3Sf+2o5uFku5KHEMLMokR +yYQG9VqY/KkB94ye7Pv6zT8gvKqxGFg96UamECep4swPaSZrA8AOER5WAtyGDzKI +Tz+a5zfFaTXDoba7f98PCWR96yKiFjVOhzp38WVz4VJgz+b8ZSY7Xsv5Kn7DXjOL +STX4MevFLki3rFPup3+4vGToaMBW3PEj67HXBdqR855Le6+E6rVxORqsXqlVwhsI +6nuS0CO2LWYmBNR1IB0mXteeYH/HfxvuZc+7yDjdPQIDAQABo4IBhDCCAYAwDgYD +VR0PAQH/BAQDAgbAMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFEmcH6VY4BG1EAGB +TLoNR9vH/g6yMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jYS5pYWlrLnR1Z3Jh +ei5hdC9jYXBzby9jcmxzL0lBSUtUZXN0X0ludGVybWVkaWF0ZUNBLmNybDCBqgYI +KwYBBQUHAQEEgZ0wgZowSgYIKwYBBQUHMAGGPmh0dHA6Ly9jYS5pYWlrLnR1Z3Jh +ei5hdC9jYXBzby9PQ1NQP2NhPUlBSUtUZXN0X0ludGVybWVkaWF0ZUNBMEwGCCsG +AQUFBzAChkBodHRwOi8vY2EuaWFpay50dWdyYXouYXQvY2Fwc28vY2VydHMvSUFJ +S1Rlc3RfSW50ZXJtZWRpYXRlQ0EuY2VyMCEGA1UdEQQaMBiBFnRob21hcy5sZW56 +QGVnaXouZ3YuYXQwHwYDVR0jBBgwFoAUaKJeEdreL4BrRES/jfplNoEkp28wDQYJ +KoZIhvcNAQEFBQADgYEAlFGjUxXLs7SAT8NtXSrv2WrjlklaRnHTFHLQwyVo8JWb +gvRkHHDUv2o8ofXUY2R2WJ38dxeDoccgbXrJb/Qhi8IY7YhCwv/TuIZDisyAqo8W +ORKSip/6HWlGCSR/Vgoet1GtCmF0FoUxFUIGSAuQ2yyt4fIzt5GJrU1X5ujjI1w=</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo></dsig:Signature><md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> +		<md:KeyDescriptor use="signing"> +			<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> +				<ds:X509Data> +					<ds:X509Certificate>MIIDMzCCAhsCBFtIcPowDQYJKoZIhvcNAQELBQAwXjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH +SVoxJDAiBgNVBAsMG2NlbnRyYWwgbmF0aW9uYWwgZUlEQVMgbm9kZTEaMBgGA1UEAwwRQXNzZXJ0 +aW9uIHNpZ25pbmcwHhcNMTgwNzEzMDkyOTMwWhcNMjEwNDA3MDkyOTMwWjBeMQswCQYDVQQGEwJB +VDENMAsGA1UECgwERUdJWjEkMCIGA1UECwwbY2VudHJhbCBuYXRpb25hbCBlSURBUyBub2RlMRow +GAYDVQQDDBFBc3NlcnRpb24gc2lnbmluZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AJ5zDYxMPRcz6AHaev1tS46Tq8sdgbGFM56uxk6c7LmMDC+HTzNX/3Q5S/YwSzgL3ue5TSw1ltOf +yMXMZ6D0+buWWcsxGEkQ8M3adKRFdQrEwafzwTA7pguq5WiHOkr4qwR7dLMome9z5cc3LRcwdOPP +gq7ahb5jM3hRqc5xkMWIuvql0NFXPzlHrjDLwy5nIWPOhL5abhVt4YsXbpbjXxFSGkDEAZ32K3EU +LNBr9FSUmJfbrVX9AU2T+BKIwiqXP8e/3UJHgPHQ0l5ljWp5P6u5+tvM21o8sUM4eArRa8BkdRsP +C92GVuASSUz2ZJ3JhAK1cSM8bnvaZVLQtTvPMAcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAAp7z +TubWXW6YMpyLSvWBdZiiQ3X66XpSZLZJDIAkoPzEY0DSBp8I5YASIx4JTR5XJt+6MI9acgNIAYW8 +DhtRwUMVaRWEtuCrfKhGLWm5KSxnhPcD3lzRZhY4ZcA7dUlirjf6hnqo2TFEmJ9fkM+rxwy1GkDD +7j2YDSOFmSq9/Ud9/IbIfSnRu/lO0dh7iRrmg3y0Y/+plPxYmp4AHqehP11OchTz2FGGHVsSC2Vs +IVBQI6ANZYyOlicgfEEFHA06jP9OnA0EwEFr2P+di9caZg8vfibyzxMGeuf6CY0c0eLHokBCn2W8 +vkzvWiER3pozRvCmXFjCVZfRjUunaJf2ow==</ds:X509Certificate> +				</ds:X509Data> +			</ds:KeyInfo> +		</md:KeyDescriptor> +		<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat> +		<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat> +		<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat> +		<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vidp.gv.at/ms_connector/pvp/post"/> +		<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://vidp.gv.at/ms_connector/pvp/redirect"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="BPK" Name="urn:oid:1.2.40.0.10.2.1.1.149" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.55" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="PRINCIPAL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-CCS-URL" Name="urn:oid:1.2.40.0.10.2.1.1.261.64" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-SOURCE-PIN" Name="urn:oid:1.2.40.0.10.2.1.1.261.36" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="GIVEN-NAME" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-SIGNER-CERTIFICATE" Name="urn:oid:1.2.40.0.10.2.1.1.261.66" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-SOURCE-PIN-TYPE" Name="urn:oid:1.2.40.0.10.2.1.1.261.104" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-E-ID-TOKEN" Name="urn:oid:1.2.40.0.10.2.1.1.261.39" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-IDENTITY-LINK" Name="urn:oid:1.2.40.0.10.2.1.1.261.38" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-CITIZEN-QAA-EIDAS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.108" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +		<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="EID-IDENTITY-STATUS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.109" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> +	</md:IDPSSODescriptor> +</md:EntityDescriptor>
\ No newline at end of file diff --git a/modules/authmodule_id-austria/src/test/resources/data/junit_keystore_metadata.crt b/modules/authmodule_id-austria/src/test/resources/data/junit_keystore_metadata.crt new file mode 100644 index 00000000..35831d03 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/junit_keystore_metadata.crt @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBbjCCARSgAwIBAgIEXh7TNzAKBggqhkjOPQQDAjA/MQswCQYDVQQGEwJBVDEN +MAsGA1UECgwERUdJWjEOMAwGA1UECwwFalVuaXQxETAPBgNVBAMMCG1ldGFkYXRh +MB4XDTIwMDExNTA4NTQxNVoXDTMwMDExNDA4NTQxNVowPzELMAkGA1UEBhMCQVQx +DTALBgNVBAoMBEVHSVoxDjAMBgNVBAsMBWpVbml0MREwDwYDVQQDDAhtZXRhZGF0 +YTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBdBkaxt31p++aZeP3SmlWITj9SY +O4McV2ccXFsH4X4QMHuKAMUvjxPm1kdU01eTOWdiQX0GpDIBspYMZh8ZKcwwCgYI +KoZIzj0EAwIDSAAwRQIhAJ3QKlk9cd90s+i8y62fvmGF6LtfNO+JvkWqDUBeQImn +AiA2KwFtzO7STAp9MEwQGe0vt0F8mO1ttrLE+rr6YxdwGA== +-----END CERTIFICATE----- + diff --git a/modules/authmodule_id-austria/src/test/resources/data/junit_keystore_signing.crt b/modules/authmodule_id-austria/src/test/resources/data/junit_keystore_signing.crt new file mode 100644 index 00000000..35a82125 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/junit_keystore_signing.crt @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC+DCCAeCgAwIBAgIEXh7TbTANBgkqhkiG9w0BAQsFADA+MQswCQYDVQQGEwJB +VDENMAsGA1UECgwERUdJWjEOMAwGA1UECwwFalVuaXQxEDAOBgNVBAMMB3NpZ25p +bmcwHhcNMjAwMTE1MDg1NTA5WhcNMjkwMTE0MDg1NTA5WjA+MQswCQYDVQQGEwJB +VDENMAsGA1UECgwERUdJWjEOMAwGA1UECwwFalVuaXQxEDAOBgNVBAMMB3NpZ25p +bmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCUSiRjnDvPafZfhJ+L +1wM86FKJX3VIAV/8TD9qJ6HOBkn5WwYfpheyCfRb6XVDyIGpO8qnMWAgC17Ngbmh +zj8d8HXNQ2l3uppMv24oUTfXyYhQfZWAghx0sTlRIx/ZmlnduJilx2S53Sa7ruJw +lQcBFXj9h9B8dtyegc86Sx6D9BumP1xU7+mEBk8Gv9rR5Khg0Y7qGfZWB0t4aikg +aupWveVwiGifOOSfR8czqIg9qUpMYfZiTEBTSRmN6sPiNWhd4J0GyAI9Rn5C9jz/ +sSlQrxpN+4DXzsqSU5F6gzq3yRux6wyOzDlt2birf21VPQ9HIy4YCjZXwgDWG7AO +821pAgMBAAEwDQYJKoZIhvcNAQELBQADggEBADnwdaxUtQU6SIpYwIb2c0ljTmQi +7ryUcUpNHtK0M0E5Mw5Ex8zwrWbNQZ2sUyc4r07M66iOIqHsYZUQlRYvVKHifDpA +r8TCgD7iGGdB3By8Ou0RaNW+03w1fwmi98CufbHCGvpv0o2KxlejoHZminNdQ79i +bN+01nhocezJQATEQlnwHLiQSjilXpZeLYDk8HbrcUXNRxezN4ChdH+uU54vf+Ux +qcj9QHcmBe1+BM8EXfqS1DbTwZl+NTCnh5OYl8fvIFSOHMBxwFrI4pyY0faxg9Uc +rCogn/oQ+mV1gnVUDaDhvvEnVGZQtrlt7heVId2BeNellVgsrcmdW8j4U9U= +-----END CERTIFICATE----- diff --git a/modules/authmodule_id-austria/src/test/resources/data/moa_sig_signing.crt b/modules/authmodule_id-austria/src/test/resources/data/moa_sig_signing.crt new file mode 100644 index 00000000..fda99f2b --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/moa_sig_signing.crt @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEqzCCBBSgAwIBAgIHANux81oNezANBgkqhkiG9w0BAQUFADBAMSIwIAYDVQQD +ExlJQUlLIFRlc3QgSW50ZXJtZWRpYXRlIENBMQ0wCwYDVQQKEwRJQUlLMQswCQYD +VQQGEwJBVDAeFw0xMzA5MjcwNTMzMzdaFw0yMzA5MjcwNTMzMzdaMIHkMQswCQYD +VQQGEwJBVDENMAsGA1UEBxMER3JhejEmMCQGA1UEChMdR3JheiBVbml2ZXJzaXR5 +IG9mIFRlY2hub2xvZ3kxSDBGBgNVBAsTP0luc3RpdHV0ZSBmb3IgQXBwbGllZCBJ +bmZvcm1hdGlvbiBQcm9jZXNzaW5nIGFuZCBDb21tdW5pY2F0aW9uczEUMBIGA1UE +BBMLTU9BLVNTIFRlc3QxGDAWBgNVBCoTD0VHSVogVGVzdHBvcnRhbDEkMCIGA1UE +AxMbRUdJWiBUZXN0cG9ydGFsIE1PQS1TUyBUZXN0MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuDjOyf+mY+oQL2FQzzuaiC8C23vVKbq/n2Zi7BqSibZH +mtqMJfmj4pT+hWSNHvVvWsaxFcx4KeNqdCMzwnw1r4P3Sf+2o5uFku5KHEMLMokR +yYQG9VqY/KkB94ye7Pv6zT8gvKqxGFg96UamECep4swPaSZrA8AOER5WAtyGDzKI +Tz+a5zfFaTXDoba7f98PCWR96yKiFjVOhzp38WVz4VJgz+b8ZSY7Xsv5Kn7DXjOL +STX4MevFLki3rFPup3+4vGToaMBW3PEj67HXBdqR855Le6+E6rVxORqsXqlVwhsI +6nuS0CO2LWYmBNR1IB0mXteeYH/HfxvuZc+7yDjdPQIDAQABo4IBhDCCAYAwDgYD +VR0PAQH/BAQDAgbAMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFEmcH6VY4BG1EAGB +TLoNR9vH/g6yMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jYS5pYWlrLnR1Z3Jh +ei5hdC9jYXBzby9jcmxzL0lBSUtUZXN0X0ludGVybWVkaWF0ZUNBLmNybDCBqgYI +KwYBBQUHAQEEgZ0wgZowSgYIKwYBBQUHMAGGPmh0dHA6Ly9jYS5pYWlrLnR1Z3Jh +ei5hdC9jYXBzby9PQ1NQP2NhPUlBSUtUZXN0X0ludGVybWVkaWF0ZUNBMEwGCCsG +AQUFBzAChkBodHRwOi8vY2EuaWFpay50dWdyYXouYXQvY2Fwc28vY2VydHMvSUFJ +S1Rlc3RfSW50ZXJtZWRpYXRlQ0EuY2VyMCEGA1UdEQQaMBiBFnRob21hcy5sZW56 +QGVnaXouZ3YuYXQwHwYDVR0jBBgwFoAUaKJeEdreL4BrRES/jfplNoEkp28wDQYJ +KoZIhvcNAQEFBQADgYEAlFGjUxXLs7SAT8NtXSrv2WrjlklaRnHTFHLQwyVo8JWb +gvRkHHDUv2o8ofXUY2R2WJ38dxeDoccgbXrJb/Qhi8IY7YhCwv/TuIZDisyAqo8W +ORKSip/6HWlGCSR/Vgoet1GtCmF0FoUxFUIGSAuQ2yyt4fIzt5GJrU1X5ujjI1w= +-----END CERTIFICATE----- diff --git a/modules/authmodule_id-austria/src/test/resources/data/pvp_postbinding_template.html b/modules/authmodule_id-austria/src/test/resources/data/pvp_postbinding_template.html new file mode 100644 index 00000000..5c65e25a --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/pvp_postbinding_template.html @@ -0,0 +1,3 @@ +#if($RelayState)RelayState=${RelayState}#end  +#if($SAMLRequest)SAMLRequest=${SAMLRequest}#end +#if($SAMLResponse)SAMLResponse=${SAMLResponse}#end
\ No newline at end of file diff --git a/modules/authmodule_id-austria/src/test/resources/data/sp_metadata_junit.xml b/modules/authmodule_id-austria/src/test/resources/data/sp_metadata_junit.xml new file mode 100644 index 00000000..32e90604 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/data/sp_metadata_junit.xml @@ -0,0 +1,66 @@ +<?xml version="1.0" encoding="UTF-8"?> +<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_1a48ec3432f2f3ba6222724a5b06f873" entityID="http://localhost/sp/idaustria/eidas/metadata" validUntil="2045-02-06T08:47:26.211Z"> +	<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> +		<md:KeyDescriptor use="signing"> +			<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> +				<ds:X509Data> +					<ds:X509Certificate>MIIC+DCCAeCgAwIBAgIEXh7TbTANBgkqhkiG9w0BAQsFADA+MQswCQYDVQQGEwJBVDENMAsGA1UE +CgwERUdJWjEOMAwGA1UECwwFalVuaXQxEDAOBgNVBAMMB3NpZ25pbmcwHhcNMjAwMTE1MDg1NTA5 +WhcNMjkwMTE0MDg1NTA5WjA+MQswCQYDVQQGEwJBVDENMAsGA1UECgwERUdJWjEOMAwGA1UECwwF +alVuaXQxEDAOBgNVBAMMB3NpZ25pbmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCU +SiRjnDvPafZfhJ+L1wM86FKJX3VIAV/8TD9qJ6HOBkn5WwYfpheyCfRb6XVDyIGpO8qnMWAgC17N +gbmhzj8d8HXNQ2l3uppMv24oUTfXyYhQfZWAghx0sTlRIx/ZmlnduJilx2S53Sa7ruJwlQcBFXj9 +h9B8dtyegc86Sx6D9BumP1xU7+mEBk8Gv9rR5Khg0Y7qGfZWB0t4aikgaupWveVwiGifOOSfR8cz +qIg9qUpMYfZiTEBTSRmN6sPiNWhd4J0GyAI9Rn5C9jz/sSlQrxpN+4DXzsqSU5F6gzq3yRux6wyO +zDlt2birf21VPQ9HIy4YCjZXwgDWG7AO821pAgMBAAEwDQYJKoZIhvcNAQELBQADggEBADnwdaxU +tQU6SIpYwIb2c0ljTmQi7ryUcUpNHtK0M0E5Mw5Ex8zwrWbNQZ2sUyc4r07M66iOIqHsYZUQlRYv +VKHifDpAr8TCgD7iGGdB3By8Ou0RaNW+03w1fwmi98CufbHCGvpv0o2KxlejoHZminNdQ79ibN+0 +1nhocezJQATEQlnwHLiQSjilXpZeLYDk8HbrcUXNRxezN4ChdH+uU54vf+Uxqcj9QHcmBe1+BM8E +XfqS1DbTwZl+NTCnh5OYl8fvIFSOHMBxwFrI4pyY0faxg9UcrCogn/oQ+mV1gnVUDaDhvvEnVGZQ +trlt7heVId2BeNellVgsrcmdW8j4U9U=</ds:X509Certificate> +				</ds:X509Data> +			</ds:KeyInfo> +		</md:KeyDescriptor> +		<md:KeyDescriptor use="encryption"> +			<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> +				<ds:X509Data> +					<ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH +SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W +ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w +CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ +RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq +UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ +M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F +Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt +1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq +nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC +VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq +itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc +2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O +fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy +4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate> +				</ds:X509Data> +			</ds:KeyInfo> +		</md:KeyDescriptor> +		<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat> +		<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/post" index="0" isDefault="true"/> +		<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://demo.egiz.gv.at/demoportal_moaid-2.0/sp/eidas/redirect" index="1"/> +		<md:AttributeConsumingService index="0" isDefault="true"> +			<md:ServiceName xml:lang="en">Default Service</md:ServiceName> +			<md:RequestedAttribute FriendlyName="BPK" Name="urn:oid:1.2.40.0.10.2.1.1.149" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> +			<md:RequestedAttribute FriendlyName="PRINCIPAL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> +			<md:RequestedAttribute FriendlyName="BIRTHDATE" Name="urn:oid:1.2.40.0.10.2.1.1.55" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> +			<md:RequestedAttribute FriendlyName="PVP-VERSION" Name="urn:oid:1.2.40.0.10.2.1.1.261.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> +			<md:RequestedAttribute FriendlyName="EID-ISSUING-NATION" Name="urn:oid:1.2.40.0.10.2.1.1.261.32" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> +			<md:RequestedAttribute FriendlyName="MANDATOR-LEGAL-PERSON-SOURCE-PIN-TYPE" Name="urn:oid:1.2.40.0.10.2.1.1.261.76" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/> +			<md:RequestedAttribute FriendlyName="MANDATOR-LEGAL-PERSON-FULL-NAME" Name="urn:oid:1.2.40.0.10.2.1.1.261.84" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/> +			<md:RequestedAttribute FriendlyName="MANDATE-TYPE" Name="urn:oid:1.2.40.0.10.2.1.1.261.68" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/> +			<md:RequestedAttribute FriendlyName="MANDATOR-LEGAL-PERSON-SOURCE-PIN" Name="urn:oid:1.2.40.0.10.2.1.1.261.100" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/> +			<md:RequestedAttribute FriendlyName="GIVEN-NAME" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> +			<md:RequestedAttribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> +			<md:RequestedAttribute FriendlyName="MANDATE-TYPE-OID" Name="urn:oid:1.2.40.0.10.2.1.1.261.106" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/> +			<md:RequestedAttribute FriendlyName="EID-IDENTITY-LINK" Name="urn:oid:1.2.40.0.10.2.1.1.261.38" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="false"/> +			<md:RequestedAttribute FriendlyName="EID-CITIZEN-QAA-EIDAS-LEVEL" Name="urn:oid:1.2.40.0.10.2.1.1.261.108" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/> +		</md:AttributeConsumingService> +	</md:SPSSODescriptor> +</md:EntityDescriptor> diff --git a/modules/authmodule_id-austria/src/test/resources/spring/SpringTest-context_basic_mapConfig.xml b/modules/authmodule_id-austria/src/test/resources/spring/SpringTest-context_basic_mapConfig.xml new file mode 100644 index 00000000..fe9ff441 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/spring/SpringTest-context_basic_mapConfig.xml @@ -0,0 +1,20 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" +  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" +  xmlns:context="http://www.springframework.org/schema/context" +  xmlns:tx="http://www.springframework.org/schema/tx" +  xmlns:aop="http://www.springframework.org/schema/aop" +  xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd +    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd +    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd +    http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd"> + +  <context:annotation-config /> + +  <bean id="dummyMapBasedConfiguration" +        class="at.asitplus.eidas.specific.core.test.config.dummy.MsConnectorDummyConfigMap"> +    <constructor-arg value="/config/junit_config_1.properties" /> +    <property name="configRootDirSufix" value="src/test/resources/config" /> +  </bean> + +</beans>
\ No newline at end of file diff --git a/modules/authmodule_id-austria/src/test/resources/spring/SpringTest-context_basic_test.xml b/modules/authmodule_id-austria/src/test/resources/spring/SpringTest-context_basic_test.xml new file mode 100644 index 00000000..99778839 --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/spring/SpringTest-context_basic_test.xml @@ -0,0 +1,32 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" +  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" +  xmlns:context="http://www.springframework.org/schema/context" +  xmlns:tx="http://www.springframework.org/schema/tx" +  xmlns:aop="http://www.springframework.org/schema/aop" +  xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd +    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd +    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd +    http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd"> + + +  <import resource="classpath:/SpringTest-context_authManager.xml" /> +  <import resource="classpath:/eaaf_pvp.beans.xml" /> +  <import resource="classpath:/spring/id_austria_auth.beans.xml" /> +  <import resource="classpath:/spring/id_austria_task.beans.xml" /> +  <import resource="classpath:/eaaf_pvp_sp.beans.xml" /> + +  <bean id="dummyPvpConfig" +        class="at.gv.egiz.eaaf.modules.pvp2.idp.test.dummy.DummyPvpConfiguration" /> + +  <bean id="dummyGuiConfigFactory" +        class="at.gv.egiz.eaaf.core.impl.idp.module.gui.DummyGuiBuilderConfigurationFactory" /> +   +  <bean id="dummyVelocityBuilder" +        class="at.gv.egiz.eaaf.core.impl.idp.module.gui.DummyVelocityGuiFormBuilder" /> + +  <bean id="FinalizeAuthenticationTask" +        class="at.gv.egiz.eaaf.core.impl.idp.controller.tasks.FinalizeAuthenticationTask" +        scope="prototype" /> + +</beans>
\ No newline at end of file diff --git a/modules/authmodule_id-austria/src/test/resources/spring/SpringTest-context_lazy.xml b/modules/authmodule_id-austria/src/test/resources/spring/SpringTest-context_lazy.xml new file mode 100644 index 00000000..5360960b --- /dev/null +++ b/modules/authmodule_id-austria/src/test/resources/spring/SpringTest-context_lazy.xml @@ -0,0 +1,24 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" +  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" +  xmlns:context="http://www.springframework.org/schema/context" +  xmlns:tx="http://www.springframework.org/schema/tx" +  xmlns:aop="http://www.springframework.org/schema/aop" +  xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd +    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd +    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd +    http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd" > + +  <context:annotation-config /> + +  <import resource="classpath:/spring/eaaf_utils.beans.xml"/> + +  <bean id="idAustriaAuthCredentialProvider" +        class="at.asitplus.eidas.specific.modules.auth.idaustria.utils.IdAustriaAuthCredentialProvider"  +        lazy-init="true" /> + +  <bean id="dummyPvpConfig" +        class="at.gv.egiz.eaaf.modules.pvp2.idp.test.dummy.DummyPvpConfiguration" +        lazy-init="true" /> + +</beans> diff --git a/modules/core_common_lib/src/main/java/at/asitplus/eidas/specific/core/config/ServiceProviderConfiguration.java b/modules/core_common_lib/src/main/java/at/asitplus/eidas/specific/core/config/ServiceProviderConfiguration.java index 423ca4e1..5ca1c8c5 100644 --- a/modules/core_common_lib/src/main/java/at/asitplus/eidas/specific/core/config/ServiceProviderConfiguration.java +++ b/modules/core_common_lib/src/main/java/at/asitplus/eidas/specific/core/config/ServiceProviderConfiguration.java @@ -34,9 +34,12 @@ import org.slf4j.LoggerFactory;  import at.asitplus.eidas.specific.core.MsEidasNodeConstants;  import at.gv.egiz.eaaf.core.api.data.EaafConstants; +import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions.SpMandateModes;  import at.gv.egiz.eaaf.core.api.idp.IConfiguration;  import at.gv.egiz.eaaf.core.exceptions.EaafException;  import at.gv.egiz.eaaf.core.impl.idp.conf.SpConfigurationImpl; +import lombok.Getter; +import lombok.Setter;  public class ServiceProviderConfiguration extends SpConfigurationImpl {    private static final long serialVersionUID = 1L; @@ -46,6 +49,14 @@ public class ServiceProviderConfiguration extends SpConfigurationImpl {    private String bpkTargetIdentifier;    private String loaMachtingMode = EaafConstants.EIDAS_LOA_MATCHING_MINIMUM; +  @Setter +  @Getter +  private List<String> mandateProfiles;   +   +  @Getter +  @Setter +  private SpMandateModes mandateMode = SpMandateModes.NONE; +      public ServiceProviderConfiguration(Map<String, String> spConfig, IConfiguration authConfig) {      super(spConfig, authConfig); diff --git a/modules/core_common_lib/src/test/java/at/asitplus/eidas/specific/core/test/config/dummy/MsConnectorDummyConfigMap.java b/modules/core_common_lib/src/test/java/at/asitplus/eidas/specific/core/test/config/dummy/MsConnectorDummyConfigMap.java index b4c532d9..59ae5aff 100644 --- a/modules/core_common_lib/src/test/java/at/asitplus/eidas/specific/core/test/config/dummy/MsConnectorDummyConfigMap.java +++ b/modules/core_common_lib/src/test/java/at/asitplus/eidas/specific/core/test/config/dummy/MsConnectorDummyConfigMap.java @@ -4,10 +4,12 @@ import java.io.IOException;  import java.io.InputStream;  import java.net.URI;  import java.net.URISyntaxException; +import java.net.URL;  import java.util.Map;  import org.apache.commons.lang3.StringUtils; +import at.gv.egiz.eaaf.core.exceptions.EaafException;  import at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap;  import lombok.Setter; @@ -62,6 +64,12 @@ public class MsConnectorDummyConfigMap extends DummyAuthConfigMap {    }    @Override +  public String validateIdpUrl(final URL authReqUrl) throws EaafException { +    return authReqUrl.toExternalForm(); +     +  } +   +  @Override    public Map<String, String> getBasicConfigurationWithPrefix(final String prefix) {      return super.getBasicConfigurationWithPrefix(addPrefixToKey(prefix)); diff --git a/modules/core_common_webapp/pom.xml b/modules/core_common_webapp/pom.xml index a7090761..4121a8f3 100644 --- a/modules/core_common_webapp/pom.xml +++ b/modules/core_common_webapp/pom.xml @@ -21,6 +21,10 @@        <groupId>at.asitplus.eidas.ms_specific</groupId>        <artifactId>core_common_lib</artifactId>      </dependency> +    <dependency> +      <groupId>at.asitplus.eidas.ms_specific.modules</groupId> +      <artifactId>eidas_proxy-sevice</artifactId> +    </dependency>      <dependency>        <groupId>at.gv.egiz.eaaf</groupId> @@ -60,9 +64,25 @@        <scope>test</scope>      </dependency>      <dependency> -      <groupId>org.springframework.boot</groupId> -      <artifactId>spring-boot-starter-test</artifactId> +      <groupId>org.powermock</groupId> +      <artifactId>powermock-module-junit4</artifactId> +      <scope>test</scope> +    </dependency> +    <dependency> +      <groupId>org.powermock</groupId> +      <artifactId>powermock-api-mockito2</artifactId>        <scope>test</scope> +    </dependency> +    <dependency> +      <groupId>com.squareup.okhttp3</groupId> +      <artifactId>mockwebserver</artifactId> +      <scope>test</scope> +    </dependency>   +    <dependency> +      <groupId>at.asitplus.eidas.ms_specific</groupId> +      <artifactId>core_common_lib</artifactId> +      <scope>test</scope> +      <type>test-jar</type>      </dependency>          <dependency>        <groupId>at.gv.egiz.eaaf</groupId> @@ -92,14 +112,7 @@        <artifactId>eaaf_module_pvp2_idp</artifactId>        <scope>test</scope>        <type>test-jar</type> -    </dependency> -    <dependency> -      <groupId>com.squareup.okhttp3</groupId> -      <artifactId>mockwebserver</artifactId> -      <scope>test</scope>      </dependency>     -     -        </dependencies>    <build> diff --git a/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/provider/StatusMessageProvider.java b/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/provider/StatusMessageProvider.java index 39543fe4..cd913af2 100644 --- a/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/provider/StatusMessageProvider.java +++ b/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/provider/StatusMessageProvider.java @@ -44,6 +44,7 @@ import lombok.extern.slf4j.Slf4j;  @Slf4j  public class StatusMessageProvider implements IStatusMessenger, MessageSourceAware { +    private static final String ERROR_MESSAGES_UNAVAILABLE =        "Error messages can NOT be load from application. Only errorCode: {0} is availabe";    private static final String ERROR_NO_MESSAGE = "No errormesseage for error with number.={0}"; @@ -56,14 +57,15 @@ public class StatusMessageProvider implements IStatusMessenger, MessageSourceAwa    private static final String MSG_WARN_NO_SOURCE = "MessageCode: {} is NOT SET for locale: {}";    private static final String MSG_INFO = "Use locale: {} as default"; -  private MessageSource messageSource; -      // external error codes    private static final String DEFAULT_EXTERNALERROR_RESOURCES = "properties/external_statuscodes_map";    private static final Locale DEFAULT_EXTERNALERROR_LOCALES = new Locale("en", "GB");    private ResourceBundle externalError = null; +  //internal messanges +  private MessageSource messageSource; +    @Override    public String getMessageWithoutDefault(final String messageId, final Object[] parameters) {      if (messageSource == null) { @@ -86,6 +88,7 @@ public class StatusMessageProvider implements IStatusMessenger, MessageSourceAwa          } +        } catch (final MissingResourceException e2) {          log.warn("No message source", e2); @@ -101,6 +104,7 @@ public class StatusMessageProvider implements IStatusMessenger, MessageSourceAwa      if (messageSource == null) {        return MessageFormat.format(ERROR_MESSAGES_UNAVAILABLE, new Object[]{messageId}); +      } else {        try {          final Locale locale = LocaleContextHolder.getLocale(); @@ -124,7 +128,7 @@ public class StatusMessageProvider implements IStatusMessenger, MessageSourceAwa        }      }    } - +      @Override    public String getResponseErrorCode(Throwable throwable) {      String errorCode = IStatusMessenger.CODES_EXTERNAL_ERROR_GENERIC; diff --git a/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/storage/EidasCacheTransactionStoreDecorator.java b/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/storage/EidasCacheTransactionStoreDecorator.java index 9b1c8eae..5a59a4e0 100644 --- a/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/storage/EidasCacheTransactionStoreDecorator.java +++ b/modules/core_common_webapp/src/main/java/at/asitplus/eidas/specific/core/storage/EidasCacheTransactionStoreDecorator.java @@ -171,7 +171,7 @@ public class EidasCacheTransactionStoreDecorator implements ITransactionStorage,    @Override    public void remove(String key) {      if (containsKey(key)) { -      log.debug("Remove element with key: " + key + " from " + ITransactionStorage.class.getName()); +      log.trace("Remove element with key: " + key + " from " + ITransactionStorage.class.getName());        boolean delResult = storage.remove(key);        log.trace("Object: {} removed from cache: {}", key, delResult); diff --git a/modules/eidas_proxy-sevice/checks/spotbugs-exclude.xml b/modules/eidas_proxy-sevice/checks/spotbugs-exclude.xml new file mode 100644 index 00000000..cdc9fa95 --- /dev/null +++ b/modules/eidas_proxy-sevice/checks/spotbugs-exclude.xml @@ -0,0 +1,20 @@ +<?xml version="1.0" encoding="UTF-8"?> +<FindBugsFilter> +    <Match> +      <!-- CSRF protection is implicit available by request token from eIDAS Node and tokens only be logged on trace level --> +      <Class name="at.asitplus.eidas.specific.modules.msproxyservice.protocol.EidasProxyServiceController" /> +      <Method name="receiveEidasAuthnRequest" /> +      <OR> +        <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" /> +        <Bug pattern="CRLF_INJECTION_LOGS" />                        +      </OR> +    </Match> +    <Match> +      <!-- Redirect-URL is set by configuration only. Therefore it's trusted --> +      <Class name="at.asitplus.eidas.specific.modules.msproxyservice.protocol.ProxyServiceAuthenticationAction" /> +      <Method name="forwardToEidasProxy" /> +      <OR> +        <Bug pattern="UNVALIDATED_REDIRECT" />                 +      </OR> +    </Match>     +</FindBugsFilter> diff --git a/modules/eidas_proxy-sevice/pom.xml b/modules/eidas_proxy-sevice/pom.xml new file mode 100644 index 00000000..553b67ca --- /dev/null +++ b/modules/eidas_proxy-sevice/pom.xml @@ -0,0 +1,182 @@ +<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"> +  <modelVersion>4.0.0</modelVersion> +  <parent> +    <groupId>at.asitplus.eidas.ms_specific</groupId> +    <artifactId>modules</artifactId> +    <version>1.3.0-SNAPSHOT</version> +  </parent> +  <groupId>at.asitplus.eidas.ms_specific.modules</groupId> +  <artifactId>eidas_proxy-sevice</artifactId> +  <name>eIDAS specific proxy-service</name> +  <description>Austrian specific eIDAS Proxy-Service to handle eIDAS Proxy-Service requests from other member states</description> +   +  <repositories> +    <repository> +      <id>eIDASNode-local</id> +      <name>local</name> +      <url>file:${basedir}/../../repository</url> +    </repository> +  </repositories> +   +  <dependencies> +    <dependency> +      <groupId>at.gv.egiz.components</groupId> +      <artifactId>egiz-spring-api</artifactId> +    </dependency> +    <dependency> +      <groupId>at.asitplus.eidas.ms_specific</groupId> +      <artifactId>core_common_lib</artifactId> +    </dependency> +    <dependency> +      <groupId>at.asitplus.eidas.ms_specific.modules</groupId> +      <artifactId>authmodule-eIDAS-v2</artifactId> +    </dependency> +    <dependency> +      <groupId>at.gv.egiz.eaaf</groupId> +      <artifactId>eaaf-core</artifactId> +    </dependency>     +    <dependency> +      <groupId>at.gv.egiz.eaaf</groupId> +      <artifactId>eaaf_module_pvp2_sp</artifactId> +    </dependency> + +    <dependency> +      <groupId>eu.eidas</groupId> +      <artifactId>eidas-light-commons</artifactId> +    </dependency> +    <dependency> +      <groupId>eu.eidas</groupId> +      <artifactId>eidas-specific-communication-definition</artifactId> +    </dependency> +    <dependency> +      <groupId>eu.eidas</groupId> +      <artifactId>eidas-jcache-ignite-specific-communication</artifactId> +    </dependency> +         +    <dependency> +      <groupId>org.apache.commons</groupId> +      <artifactId>commons-lang3</artifactId> +    </dependency> +    <dependency> +      <groupId>com.google.guava</groupId> +      <artifactId>guava</artifactId> +    </dependency> +    <dependency> +      <groupId>org.apache.commons</groupId> +      <artifactId>commons-text</artifactId> +    </dependency> + +    <dependency> +      <groupId>javax.servlet</groupId> +      <artifactId>javax.servlet-api</artifactId> +      <scope>provided</scope> +    </dependency> + +    <!-- Testing --> +    <dependency> +      <groupId>junit</groupId> +      <artifactId>junit</artifactId> +      <scope>test</scope> +    </dependency> +    <dependency> +      <groupId>org.springframework</groupId> +      <artifactId>spring-test</artifactId> +      <scope>test</scope> +    </dependency> +    <dependency> +      <groupId>org.powermock</groupId> +      <artifactId>powermock-module-junit4</artifactId> +      <scope>test</scope> +    </dependency> +    <dependency> +      <groupId>org.powermock</groupId> +      <artifactId>powermock-api-mockito2</artifactId> +      <scope>test</scope> +    </dependency> +     +    <dependency> +      <groupId>at.asitplus.eidas.ms_specific</groupId> +      <artifactId>core_common_lib</artifactId> +      <scope>test</scope> +      <type>test-jar</type> +    </dependency> +    <dependency> +      <groupId>at.asitplus.eidas.ms_specific.modules</groupId> +      <artifactId>authmodule-eIDAS-v2</artifactId> +      <scope>test</scope> +      <type>test-jar</type> +    </dependency>       +     +    <dependency> +      <groupId>at.gv.egiz.eaaf</groupId> +      <artifactId>eaaf_core_utils</artifactId> +      <scope>test</scope> +      <type>test-jar</type> +    </dependency> +    <dependency> +      <groupId>at.gv.egiz.eaaf</groupId> +      <artifactId>eaaf-core</artifactId> +      <scope>test</scope> +      <type>test-jar</type> +    </dependency> +     +  </dependencies> +   +<build> +    <resources> +      <resource> +        <directory>src/main/resources</directory> +      </resource> +    </resources> + +    <plugins> +      <plugin> +        <groupId>org.apache.maven.plugins</groupId> +        <artifactId>maven-compiler-plugin</artifactId> +      </plugin> +       +      <plugin> +        <groupId>com.github.spotbugs</groupId> +        <artifactId>spotbugs-maven-plugin</artifactId> +        <version>${spotbugs-maven-plugin.version}</version> +        <configuration> +          <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile> +        </configuration> +      </plugin> + +      <plugin> +        <groupId>org.jacoco</groupId> +        <artifactId>jacoco-maven-plugin</artifactId> +        <executions> +          <execution> +            <id>post-unit-check</id> +            <phase>test</phase> +            <goals> +              <goal>check</goal> +              <goal>report</goal> +            </goals> +            <configuration> +              <haltOnFailure>true</haltOnFailure>                          +            </configuration> +          </execution> +        </executions> +      </plugin> + +      <!-- enable co-existence of testng and junit --> +      <plugin> +        <artifactId>maven-surefire-plugin</artifactId> +        <configuration> +          <threadCount>1</threadCount> +        </configuration> +        <dependencies> +          <dependency> +            <groupId>org.apache.maven.surefire</groupId> +            <artifactId>surefire-junit47</artifactId> +            <version>${surefire.version}</version> +          </dependency> +        </dependencies> +      </plugin> +    </plugins> +  </build>     +   +</project>
\ No newline at end of file diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/EidasProxyMessageSource.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/EidasProxyMessageSource.java new file mode 100644 index 00000000..23390da8 --- /dev/null +++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/EidasProxyMessageSource.java @@ -0,0 +1,22 @@ +package at.asitplus.eidas.specific.modules.msproxyservice; + +import java.util.Arrays; +import java.util.List; + +import at.gv.egiz.eaaf.core.api.logging.IMessageSourceLocation; + +/** + * i18n Message-Source for eIDAS Proxy-Service messages. + *  + * @author tlenz + * + */ +public class EidasProxyMessageSource implements IMessageSourceLocation { + +  @Override +  public List<String> getMessageSourceLocation() { +    return Arrays.asList("classpath:messages/eidasproxy_messages"); +     +  } + +} diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java new file mode 100644 index 00000000..f6a88aa3 --- /dev/null +++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java @@ -0,0 +1,54 @@ +package at.asitplus.eidas.specific.modules.msproxyservice; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.gv.egiz.eaaf.core.api.data.EaafConfigConstants; + +/** + * Constants for MS-specific eIDAS Proxy-Service. + *  + * @author tlenz + * + */ +public class MsProxyServiceConstants { + +  // general constants +  public static final String TEMPLATE_SP_UNIQUE_ID = "eidasProxyAuth_from_{0}_type_{1}"; +   +  // configuration constants +  public static final String CONIG_PROPS_EIDAS_PROXY_NODE_ENTITYID = Constants.CONIG_PROPS_EIDAS_NODE +      + ".proxy.entityId"; +  public static final String CONIG_PROPS_EIDAS_PROXY_NODE_FORWARD_URL = Constants.CONIG_PROPS_EIDAS_NODE +      + ".proxy.forward.endpoint"; +   +  // mandate configuration +  public static final String CONIG_PROPS_EIDAS_PROXY_MANDATES_ENABLED =  +      Constants.CONIG_PROPS_EIDAS_PREFIX + ".proxy.mandates.enabled";   +  public static final String CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_NATURAL =  +      Constants.CONIG_PROPS_EIDAS_PREFIX + ".proxy.mandates.profiles.natural.default"; +  public static final String CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_LEGAL =  +      Constants.CONIG_PROPS_EIDAS_PREFIX + ".proxy.mandates.profiles.legal.default"; +   +   +  public static final String CONIG_PROPS_EIDAS_PROXY_WORKAROUND_MANDATES_LEGAL_PERSON =  +      Constants.CONIG_PROPS_EIDAS_PREFIX + ".proxy.workaround.mandates.legalperson"; +   +  // specific eIDAS-Connector configuration +  public static final String CONIG_PROPS_CONNECTOR_PREFIX = "connector"; +  public static final String CONIG_PROPS_CONNECTOR_UNIQUEID = EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER; +  public static final String CONIG_PROPS_CONNECTOR_COUNTRYCODE = "countryCode";   +  public static final String CONIG_PROPS_CONNECTOR_MANDATES_ENABLED = "mandates.enabled"; +  public static final String CONIG_PROPS_CONNECTOR_MANDATES_PROFILE_NATURAL = "mandates.natural";  +  public static final String CONIG_PROPS_CONNECTOR_MANDATES_PROFILE_LEGAL = "mandates.legal"; +  public static final String CONIG_PROPS_CONNECTOR_VALIDATION_ATTR_MDS = "validation.attributes.mds"; +   +   +  //http end-points +  public static final String EIDAS_HTTP_ENDPOINT_IDP_POST = "/eidas/light/idp/post"; +  public static final String EIDAS_HTTP_ENDPOINT_IDP_REDIRECT = "/eidas/light/idp/redirect"; +   +  private MsProxyServiceConstants() { +   //private constructor for class with only constant values +     +  } +   +} diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceSpringResourceProvider.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceSpringResourceProvider.java new file mode 100644 index 00000000..d36e4712 --- /dev/null +++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceSpringResourceProvider.java @@ -0,0 +1,52 @@ +/* + * Copyright 2018 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. +*/ + +package at.asitplus.eidas.specific.modules.msproxyservice; + +import org.springframework.core.io.ClassPathResource; +import org.springframework.core.io.Resource; + +import at.gv.egiz.components.spring.api.SpringResourceProvider; + +public class MsProxyServiceSpringResourceProvider implements SpringResourceProvider { + +  @Override +  public String getName() { +    return "MS-specific eIDAS Proxy-Service module"; +  } + +  @Override +  public String[] getPackagesToScan() { +    return null; +     +  } + +  @Override +  public Resource[] getResourcesToLoad() { +    final ClassPathResource eidasProxyServiceConfig =  +        new ClassPathResource("/spring/eidas_proxy-service.beans.xml", MsProxyServiceSpringResourceProvider.class); +         +    return new Resource[] { eidasProxyServiceConfig }; +  } + +} diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/exception/EidasProxyServiceException.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/exception/EidasProxyServiceException.java new file mode 100644 index 00000000..43592a28 --- /dev/null +++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/exception/EidasProxyServiceException.java @@ -0,0 +1,19 @@ +package at.asitplus.eidas.specific.modules.msproxyservice.exception; + +import at.gv.egiz.eaaf.core.exceptions.EaafException; + +public class EidasProxyServiceException extends EaafException { + +  private static final long serialVersionUID = 1L; + +  public EidasProxyServiceException(String errorId, Object[] params) { +    super(errorId, params); + +  } + +  public EidasProxyServiceException(String errorId, Object[] params, Throwable e) { +    super(errorId, params, e); +     +  } + +} diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java new file mode 100644 index 00000000..e24c753e --- /dev/null +++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java @@ -0,0 +1,443 @@ +package at.asitplus.eidas.specific.modules.msproxyservice.protocol; + +import java.io.IOException; +import java.text.MessageFormat; +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; +import java.util.UUID; +import java.util.stream.Collectors; + +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.lang.StringEscapeUtils; +import org.apache.commons.lang3.StringUtils; +import org.opensaml.saml.saml2.core.NameIDType; +import org.opensaml.saml.saml2.core.StatusCode; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; + +import com.google.common.collect.ImmutableSortedSet; + +import at.asitplus.eidas.specific.core.MsEidasNodeConstants; +import at.asitplus.eidas.specific.core.config.ServiceProviderConfiguration; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry; +import at.asitplus.eidas.specific.modules.msproxyservice.MsProxyServiceConstants; +import at.asitplus.eidas.specific.modules.msproxyservice.exception.EidasProxyServiceException; +import at.asitplus.eidas.specific.modules.msproxyservice.utils.EidasProxyServiceUtils; +import at.gv.egiz.components.eventlog.api.EventConstants; +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.data.EaafConfigConstants; +import at.gv.egiz.eaaf.core.api.data.EaafConstants; +import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions.SpMandateModes; +import at.gv.egiz.eaaf.core.api.idp.IModulInfo; +import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.exceptions.GuiBuildException; +import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController; +import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils; +import eu.eidas.auth.commons.EIDASSubStatusCode; +import eu.eidas.auth.commons.EidasParameterKeys; +import eu.eidas.auth.commons.light.ILightRequest; +import eu.eidas.auth.commons.light.impl.LightResponse; +import eu.eidas.auth.commons.light.impl.LightResponse.Builder; +import eu.eidas.auth.commons.light.impl.ResponseStatus; +import eu.eidas.specificcommunication.SpecificCommunicationDefinitionBeanNames; +import eu.eidas.specificcommunication.exception.SpecificCommunicationException; +import eu.eidas.specificcommunication.protocol.SpecificCommunicationService; +import lombok.extern.slf4j.Slf4j; + +/** + * End-point implementation for authentication requests from eIDAS Proxy-Service + * to MS-specific eIDAS Proxy-Service. + * + * @author tlenz + * + */ +@Slf4j +@Controller +public class EidasProxyServiceController extends AbstractController implements IModulInfo { + +  private static final String ERROR_01 = "eidas.proxyservice.01"; +  private static final String ERROR_02 = "eidas.proxyservice.02"; +  private static final String ERROR_03 = "eidas.proxyservice.03"; +  private static final String ERROR_04 = "eidas.proxyservice.04"; +  private static final String ERROR_05 = "eidas.proxyservice.05"; +  private static final String ERROR_07 = "eidas.proxyservice.07"; +  private static final String ERROR_08 = "eidas.proxyservice.08"; +  private static final String ERROR_09 = "eidas.proxyservice.09"; +  private static final String ERROR_10 = "eidas.proxyservice.10"; +  private static final String ERROR_11 = "eidas.proxyservice.11"; +   +  public static final String PROTOCOL_ID = "eidasProxy"; + +  @Autowired EidasAttributeRegistry attrRegistry;   +  @Autowired ProxyServiceAuthenticationAction responseAction; + +  /** +   * End-point that receives authentication requests from eIDAS Node. +   * +   * @param httpReq  Http request +   * @param httpResp Http response +   * @throws IOException   In case of general error +   * @throws EaafException In case of a validation or processing error +   */ +  @RequestMapping(value = { +        MsProxyServiceConstants.EIDAS_HTTP_ENDPOINT_IDP_POST, +        MsProxyServiceConstants.EIDAS_HTTP_ENDPOINT_IDP_REDIRECT +      }, +      method = { RequestMethod.POST, RequestMethod.GET }) +  public void receiveEidasAuthnRequest(HttpServletRequest httpReq, HttpServletResponse httpResp) +      throws IOException, +      EaafException { +    log.trace("Receive request on eidas proxy-service end-points"); +    ProxyServicePendingRequest pendingReq = null; +    try { +      // get token from Request +      final String tokenBase64 = httpReq.getParameter(EidasParameterKeys.TOKEN.toString()); +      if (StringUtils.isEmpty(tokenBase64)) { +        log.warn("NO eIDAS message token found."); +        throw new EidasProxyServiceException(ERROR_02, null); + +      } +      log.trace("Receive eIDAS-node token: {}. Searching authentication request from eIDAS Proxy-Service ...", +          tokenBase64); + +      // read authentication request from shared cache +      final SpecificCommunicationService specificProxyCommunicationService = +          (SpecificCommunicationService) applicationContext.getBean( +              SpecificCommunicationDefinitionBeanNames.SPECIFIC_PROXYSERVICE_COMMUNICATION_SERVICE +                  .toString()); +      final ILightRequest eidasRequest = specificProxyCommunicationService.getAndRemoveRequest( +          tokenBase64, +          ImmutableSortedSet.copyOf(attrRegistry.getCoreAttributeRegistry().getAttributes())); +      if (eidasRequest == null) { +        log.info("Find no eIDAS Authn. Request with stated token."); +        throw new EidasProxyServiceException(ERROR_11, null); +         +      }       +       +      log.debug("Received eIDAS auth. request from: {}, Initializing authentication environment ... ", +          eidasRequest.getSpCountryCode() != null ? eidasRequest.getSpCountryCode() : "'missing SP-country'"); +      log.trace("Received eIDAS requst: {}", eidasRequest); +       +      // create pendingRequest object +      pendingReq = applicationContext.getBean(ProxyServicePendingRequest.class); +      pendingReq.initialize(httpReq, authConfig); +      pendingReq.setModule(getName()); + +      // log 'transaction created' event +      revisionsLogger.logEvent(EventConstants.TRANSACTION_CREATED, +          pendingReq.getUniqueTransactionIdentifier()); +      revisionsLogger.logEvent(pendingReq.getUniqueSessionIdentifier(), +          pendingReq.getUniqueTransactionIdentifier(), EventConstants.TRANSACTION_IP, +          httpReq.getRemoteAddr()); +       +      // validate eIDAS Authn. request and set into pending-request +      validateEidasAuthnRequest(eidasRequest); +      pendingReq.setEidasRequest(eidasRequest); + +      // generate Service-Provider configuration from eIDAS request +      final ISpConfiguration spConfig = generateSpConfigurationFromEidasRequest(eidasRequest); + +      // validate eIDAS Authn. request by using eIDAS Connector specifc parameters  +      validateEidasAuthnRequest(spConfig, eidasRequest); +                   +      // populate pendingRequest with parameters +      pendingReq.setOnlineApplicationConfiguration(spConfig); +      pendingReq.setSpEntityId(spConfig.getUniqueIdentifier()); +      pendingReq.setPassiv(false); +      pendingReq.setForce(true); + +      // AuthnRequest needs authentication +      pendingReq.setNeedAuthentication(true); + +      // set protocol action, which should be executed after authentication +      pendingReq.setAction(ProxyServiceAuthenticationAction.class.getName()); + +      // switch to session authentication +      protAuthService.performAuthentication(httpReq, httpResp, pendingReq); + +    } catch (final EidasProxyServiceException e) { +      throw e; + +    } catch (final SpecificCommunicationException e) { +      log.error("Can not read eIDAS Authn request from shared cache. Reason: {}", e.getMessage()); +      throw new EidasProxyServiceException(ERROR_03, new Object[] { e.getMessage() }, e); + +    } catch (final Throwable e) { +      // write revision log entries +      if (pendingReq != null) { +        revisionsLogger.logEvent(pendingReq, EventConstants.TRANSACTION_ERROR, +            pendingReq.getUniqueTransactionIdentifier()); +      } + +      throw new EidasProxyServiceException(ERROR_01, new Object[] { e.getMessage() }, e); +    } + +  } + +  @Override +  public boolean generateErrorMessage(Throwable e, HttpServletRequest httpReq, HttpServletResponse httpResp, +      IRequest pendingReq) throws Throwable { +    if (pendingReq instanceof ProxyServicePendingRequest) { +      try {         +        ILightRequest eidasReq = ((ProxyServicePendingRequest) pendingReq).getEidasRequest(); +         +        //build eIDAS response +        Builder lightRespBuilder = LightResponse.builder(); +        lightRespBuilder.id(UUID.randomUUID().toString()); +        lightRespBuilder.inResponseToId(eidasReq.getId()); +        lightRespBuilder.relayState(eidasReq.getRelayState()); +        lightRespBuilder.issuer(authConfig.getBasicConfiguration( +            MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_NODE_ENTITYID));         +        lightRespBuilder.subject(UUID.randomUUID().toString()); +        lightRespBuilder.subjectNameIdFormat(NameIDType.TRANSIENT); +        lightRespBuilder.status(ResponseStatus.builder() +            .statusCode(StatusCode.RESPONDER) +            .subStatusCode(EIDASSubStatusCode.AUTHN_FAILED_URI.getValue()) +            .statusMessage(StringEscapeUtils.escapeXml(e.getLocalizedMessage())) +            .build()); + +        // forward to eIDAS Proxy-Service +        responseAction.forwardToEidasProxy(pendingReq, httpReq, httpResp, lightRespBuilder.build()); + +        return true; + +      } catch (ServletException | IOException | GuiBuildException e1) { +        log.warn("Forward error to eIDAS Proxy-Service FAILED. Handle error localy ... ", e1); + +      } + +    } else { +      log.error("eIDAS Proxy-Service authentication requires PendingRequest of Type: {}", +          ProxyServicePendingRequest.class.getName()); + +    } +     +    return false; + +  } + +  @Override +  public String getName() { +    return EidasProxyServiceController.class.getName(); + +  } + +  @Override +  public String getAuthProtocolIdentifier() { +    return PROTOCOL_ID; + +  } + +  @Override +  public boolean validate(HttpServletRequest request, HttpServletResponse response, IRequest pending) { +    return true; + +  } + +  /** +   * Generic validation of incoming eIDAS request. +   * +   * @param eidasRequest Incoming eIDAS authentication request +   * @throws EidasProxyServiceException In case of a validation error +   */ +  private void validateEidasAuthnRequest(ILightRequest eidasRequest) throws EidasProxyServiceException { +    if (StringUtils.isEmpty(eidasRequest.getIssuer())) {             +      throw new EidasProxyServiceException(ERROR_05, null); + +    } +         +    // TODO: validate some other stuff + +  } + +  /** +   * eIDAS Connector specific validation of incoming eIDAS request. +   * +   * @param eidasRequest Incoming eIDAS authentication request +   * @param spConfig eIDAS Connector configuration +   * @throws EidasProxyServiceException In case of a validation error +   */ +  private void validateEidasAuthnRequest(ISpConfiguration spConfig, ILightRequest eidasRequest)  +      throws EidasProxyServiceException {     +    // check if natural-person and legal-person attributes requested in parallel +    if (spConfig.isConfigurationValue(MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_VALIDATION_ATTR_MDS, true)  +        && EidasProxyServiceUtils.isLegalPersonRequested(eidasRequest)  +        && EidasProxyServiceUtils.isNaturalPersonRequested(eidasRequest)) { +      throw new EidasProxyServiceException(ERROR_08, null); +       +    } +         +    // TODO: validate some other stuff + +  } +   +  /** +   * Generate a dummy Service-Provider configuration for processing. +   * +   * @param eidasRequest Incoming eIDAS authentication request +   * @return Service-Provider configuration that can be used for authentication +   * @throws EidasProxyServiceException In case of a configuration error +   */ +  private ISpConfiguration generateSpConfigurationFromEidasRequest(ILightRequest eidasRequest) +      throws EidasProxyServiceException { +    try { +       +      Map<String, String> connectorConfigMap = extractRawConnectorConfiguration(eidasRequest);       +       +      // check if country-code is available +      String spCountry = connectorConfigMap.get(MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_COUNTRYCODE); +      if (StringUtils.isEmpty(spCountry)) {             +        throw new EidasProxyServiceException(ERROR_07, null); + +      } +            +      // build FriendyName from CountryCode and SPType  +      connectorConfigMap.put(MsEidasNodeConstants.PROP_CONFIG_SP_FRIENDLYNAME, +          MessageFormat.format(MsProxyServiceConstants.TEMPLATE_SP_UNIQUE_ID, +              spCountry, eidasRequest.getSpType())); + +      // build Service-Provider configuration object  +      final ServiceProviderConfiguration spConfig = new ServiceProviderConfiguration(connectorConfigMap, authConfig); + +      // build bPK target from Country-Code  +      final String ccCountry = authConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_COUNTRYCODE, +          Constants.DEFAULT_MS_NODE_COUNTRY_CODE); +      spConfig.setBpkTargetIdentifier( +          EaafConstants.URN_PREFIX_EIDAS + ccCountry + "+" + spCountry); +       +      // set required LoA from eIDAS request +      spConfig.setRequiredLoA( +          eidasRequest.getLevelsOfAssurance().stream().map(el -> el.getValue()).collect(Collectors.toList())); + +      //build mandate profiles for this specific request +      buildMandateProfileConfiguration(spConfig, eidasRequest); +           +      return spConfig; + +    } catch (EidasProxyServiceException e) { +      throw e; +       +    } catch (final EaafException e) { +      throw new EidasProxyServiceException(ERROR_04, new Object[] { e.getMessage() }, e); + +    } +  } + +   +  private Map<String, String> extractRawConnectorConfiguration(ILightRequest eidasRequest) {     +    Map<String, String> allConnectorConfigs = authConfig.getBasicConfigurationWithPrefix( +        MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_PREFIX); +    if (log.isTraceEnabled()) { +      log.trace("Full-connector configuration:"); +      allConnectorConfigs.entrySet().stream().forEach( +          el -> log.trace("Key: {} -> Value: {}", el.getKey(), el.getValue())); +       +    } +       +     +    Map<String, String> connectorConfig = allConnectorConfigs.entrySet().stream() +        .filter(el -> el.getKey().endsWith(MsEidasNodeConstants.PROP_CONFIG_SP_UNIQUEIDENTIFIER)  +            && el.getValue().equals(eidasRequest.getIssuer())) +        .findFirst() +        .map(el -> KeyValueUtils.getSubSetWithPrefix(allConnectorConfigs,  +            KeyValueUtils.getParentKey(el.getKey()) + KeyValueUtils.KEY_DELIMITER)) +        .orElse(new HashMap<>()); + +     +    if (connectorConfig.isEmpty()) { +      log.debug("No specific configuration for eIDAS Connector: {} Using default configuration ... ",  +          eidasRequest.getIssuer()); +       +      // set EntityId of the requesting eIDAS Connector +      connectorConfig.put(EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER, eidasRequest.getIssuer()); +       +      // set country-code from eIDAS request +      connectorConfig.put(MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_COUNTRYCODE,  +          eidasRequest.getSpCountryCode()); +       +      // set default mandate configuration +      connectorConfig.put(MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_MANDATES_ENABLED,  +          String.valueOf(authConfig.getBasicConfigurationBoolean( +              MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_ENABLED, false)));         +      connectorConfig.put(MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_MANDATES_PROFILE_NATURAL,  +          authConfig.getBasicConfiguration( +              MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_NATURAL)); +      connectorConfig.put(MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_MANDATES_PROFILE_LEGAL,  +          authConfig.getBasicConfiguration( +              MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_LEGAL)); +               +    } else { +      log.debug("Find specific configuration for eIDAS Connector: {}", eidasRequest.getIssuer()); +       +    } +     +    return connectorConfig; +     +  } +   +     +  private void buildMandateProfileConfiguration(ServiceProviderConfiguration spConfig, ILightRequest eidasRequest)  +      throws EidasProxyServiceException { +    // check if mandates are enabled +    if (spConfig.isConfigurationValue(MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_MANDATES_ENABLED, false)) { +      injectMandateInfosIntoSpConfig(spConfig, eidasRequest); +                  +    } else {             +      if (EidasProxyServiceUtils.isLegalPersonRequested(eidasRequest)) { +        throw new EidasProxyServiceException(ERROR_09, null); +         +      }  +       +      spConfig.setMandateProfiles(Collections.emptyList()); +      spConfig.setMandateMode(SpMandateModes.NONE);       +       +    } + +  } + +  private void injectMandateInfosIntoSpConfig(ServiceProviderConfiguration spConfig, +      ILightRequest eidasRequest) throws EidasProxyServiceException { +    log.trace("eIDAS Proxy-Service allows mandates for Connector: {}. Selecting profiles ... ",  +        spConfig.getUniqueIdentifier()); + +    //check if legal person is requested  +    if (EidasProxyServiceUtils.isLegalPersonRequested(eidasRequest)) { +      spConfig.setMandateProfiles(KeyValueUtils.getListOfCsvValues( +          spConfig.getConfigurationValue(MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_MANDATES_PROFILE_LEGAL)));       +      spConfig.setMandateMode(SpMandateModes.LEGAL_FORCE); +       +      if (spConfig.getMandateProfiles().isEmpty()) { +        throw new EidasProxyServiceException(ERROR_10, null); +         +      } +       +    } else if (EidasProxyServiceUtils.isNaturalPersonRequested(eidasRequest)) { +      spConfig.setMandateProfiles(KeyValueUtils.getListOfCsvValues( +          spConfig.getConfigurationValue(MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_MANDATES_PROFILE_NATURAL))); +       +      spConfig.setMandateMode(SpMandateModes.NATURAL); +       +    } +     +     +    if (spConfig.getMandateProfiles().isEmpty()) { +      log.debug("No mandate-profiles for issure: {}. Set mandate-mode to 'none'",   +          spConfig.getUniqueIdentifier()); +      spConfig.setMandateMode(SpMandateModes.NONE); +       +    } else { +      log.debug("Set mandate-profiles: {} to request from issuer: {}", +          spConfig.getMandateProfiles(), spConfig.getUniqueIdentifier()); +      +    } +     +  } +} diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/ProxyServiceAuthenticationAction.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/ProxyServiceAuthenticationAction.java new file mode 100644 index 00000000..15524005 --- /dev/null +++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/ProxyServiceAuthenticationAction.java @@ -0,0 +1,374 @@ +package at.asitplus.eidas.specific.modules.msproxyservice.protocol; + +import java.io.IOException; +import java.util.UUID; + +import javax.annotation.PostConstruct; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.lang3.StringUtils; +import org.opensaml.saml.saml2.core.NameIDType; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.ApplicationContext; +import org.springframework.core.io.ResourceLoader; +import org.springframework.web.util.UriComponentsBuilder; + +import at.asitplus.eidas.specific.core.MsEidasNodeConstants; +import at.asitplus.eidas.specific.core.gui.StaticGuiBuilderConfiguration; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry; +import at.asitplus.eidas.specific.modules.msproxyservice.MsProxyServiceConstants; +import at.asitplus.eidas.specific.modules.msproxyservice.exception.EidasProxyServiceException; +import at.asitplus.eidas.specific.modules.msproxyservice.utils.EidasProxyServiceUtils; +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; +import at.gv.egiz.eaaf.core.api.gui.ISpringMvcGuiFormBuilder; +import at.gv.egiz.eaaf.core.api.idp.IAction; +import at.gv.egiz.eaaf.core.api.idp.IAuthData; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.api.idp.IEidAuthData; +import at.gv.egiz.eaaf.core.api.idp.slo.SloInformationInterface; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.exceptions.GuiBuildException; +import at.gv.egiz.eaaf.core.impl.data.SloInformationImpl; +import eu.eidas.auth.commons.EidasParameterKeys; +import eu.eidas.auth.commons.attribute.AttributeDefinition; +import eu.eidas.auth.commons.attribute.ImmutableAttributeMap; +import eu.eidas.auth.commons.light.ILightRequest; +import eu.eidas.auth.commons.light.ILightResponse; +import eu.eidas.auth.commons.light.impl.LightResponse; +import eu.eidas.auth.commons.light.impl.LightResponse.Builder; +import eu.eidas.auth.commons.light.impl.ResponseStatus; +import eu.eidas.auth.commons.tx.BinaryLightToken; +import eu.eidas.specificcommunication.BinaryLightTokenHelper; +import eu.eidas.specificcommunication.SpecificCommunicationDefinitionBeanNames; +import eu.eidas.specificcommunication.exception.SpecificCommunicationException; +import eu.eidas.specificcommunication.protocol.SpecificCommunicationService; +import lombok.extern.slf4j.Slf4j; + +/** + * Result action of a successfully performed eIDAS Proxy-Service authentication. + * + * @author tlenz + * + */ +@Slf4j +public class ProxyServiceAuthenticationAction implements IAction { + +  private static final String PROXYSERVICE_AUTH_ACTION_NAME = "MS-specific eIDAS-Proxy action"; + +  @Autowired +  ApplicationContext context; +  @Autowired +  IConfiguration basicConfig; +  @Autowired +  ResourceLoader resourceLoader; +  @Autowired +  ISpringMvcGuiFormBuilder guiBuilder; +  @Autowired +  EidasAttributeRegistry attrRegistry; + +  @Override +  public SloInformationInterface processRequest(IRequest pendingReq, HttpServletRequest httpReq, +      HttpServletResponse httpResp, IAuthData authData) throws EaafException { +    if (pendingReq instanceof ProxyServicePendingRequest) { +      try {         +        ILightRequest eidasReq = ((ProxyServicePendingRequest) pendingReq).getEidasRequest(); +         +        //build eIDAS response +        Builder lightRespBuilder = LightResponse.builder(); +        lightRespBuilder.id(UUID.randomUUID().toString()); +        lightRespBuilder.inResponseToId(eidasReq.getId()); +        lightRespBuilder.relayState(eidasReq.getRelayState()); +         +        lightRespBuilder.status(ResponseStatus.builder() +            .statusCode(Constants.SUCCESS_URI) +            .build()); +         +        //TODO: check if we can use transient subjectNameIds +        lightRespBuilder.subject(UUID.randomUUID().toString()); +        lightRespBuilder.subjectNameIdFormat(NameIDType.TRANSIENT); +         +        //TODO: +        lightRespBuilder.issuer(basicConfig.getBasicConfiguration( +            MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_NODE_ENTITYID)); +        lightRespBuilder.levelOfAssurance(authData.getEidasQaaLevel());        +        lightRespBuilder.attributes(buildAttributesFromAuthData(authData, eidasReq)); +         +        // set SLO response object of EAAF framework +        final SloInformationImpl sloInformation = new SloInformationImpl(); +        sloInformation.setProtocolType(pendingReq.requestedModule()); +        sloInformation +            .setSpEntityID(pendingReq.getServiceProviderConfiguration().getUniqueIdentifier()); + +        // forward to eIDAS Proxy-Service +        forwardToEidasProxy(pendingReq, httpReq, httpResp, lightRespBuilder.build()); + +        return sloInformation; + +      } catch (ServletException | IOException | GuiBuildException e) { +        throw new EidasProxyServiceException("eidas.proxyservice.06", null, e); + +      } + +    } else { +      log.error("eIDAS Proxy-Service authentication requires PendingRequest of Type: {}", +          ProxyServicePendingRequest.class.getName()); +      throw new EaafException("eidas.proxyservice.99"); + +    } +  } +   +  @Override +  public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp) { +    return true; + +  } + +  @Override +  public String getDefaultActionName() { +    return PROXYSERVICE_AUTH_ACTION_NAME; + +  } +   + +  /** +   * Forward eIDAS Light response to eIDAS node. +   *      +   * @param pendingReq Current pending request. +   * @param httpReq Current HTTP request +   * @param httpResp  Current HTTP response +   * @param lightResponse eIDAS LightResponse +   * @throws EaafConfigurationException In case of a configuration error +   * @throws IOException In case of a general error +   * @throws GuiBuildException In case of a GUI rendering error, if http POST binding is used +   * @throws ServletException In case of a general error +   */ +  public void forwardToEidasProxy(IRequest pendingReq, HttpServletRequest httpReq, +      HttpServletResponse httpResp, LightResponse lightResponse) throws EaafConfigurationException, IOException, +      GuiBuildException, ServletException { + +    // put request into shared cache +    final BinaryLightToken token = putResponseInCommunicationCache(lightResponse); +    final String tokenBase64 = BinaryLightTokenHelper.encodeBinaryLightTokenBase64(token); +         +    // select forward URL regarding the selected environment +    final String forwardUrl = basicConfig.getBasicConfiguration( +        MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_NODE_FORWARD_URL); + +    if (StringUtils.isEmpty(forwardUrl)) { +      log.warn("NO ForwardURL defined in configuration. Can NOT forward to eIDAS node! Process stops"); +      throw new EaafConfigurationException("config.08", +          new Object[] { MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_NODE_FORWARD_URL }); + +    } +    log.debug("ForwardURL: " + forwardUrl + " selected to forward eIDAS request"); + +    if (basicConfig.getBasicConfiguration( +        Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_METHOD, +        Constants.FORWARD_METHOD_GET).equals(Constants.FORWARD_METHOD_GET)) { + +      log.debug("Use http-redirect for eIDAS node forwarding ...  "); +      // send redirect +      final UriComponentsBuilder redirectUrl = UriComponentsBuilder.fromHttpUrl(forwardUrl); +      redirectUrl.queryParam(EidasParameterKeys.TOKEN.toString(), tokenBase64); +      httpResp.sendRedirect(redirectUrl.build().encode().toString()); + +    } else { +      log.debug("Use http-post for eIDAS node forwarding ...  "); +      final StaticGuiBuilderConfiguration config = new StaticGuiBuilderConfiguration( +          basicConfig, +          pendingReq, +          Constants.TEMPLATE_POST_FORWARD_NAME, +          null, +          resourceLoader); + +      config.putCustomParameter(null, Constants.TEMPLATE_POST_FORWARD_ENDPOINT, forwardUrl); +      config.putCustomParameter(null, Constants.TEMPLATE_POST_FORWARD_TOKEN_NAME, +          EidasParameterKeys.TOKEN.toString()); +      config.putCustomParameter(null, Constants.TEMPLATE_POST_FORWARD_TOKEN_VALUE, +          tokenBase64); + +      guiBuilder.build(httpReq, httpResp, config, "Forward to eIDASNode form"); + +    } +  } +   +  @PostConstruct  +  private void checkConfiguration() { +    //TODO: validate configuration on start-up +     +  } +   +   +  private ImmutableAttributeMap buildAttributesFromAuthData(IAuthData authData,  +      ILightRequest eidasReq) { +    IEidAuthData eidAuthData = (IEidAuthData) authData; +    if (eidAuthData.isUseMandate()) { +      log.debug("Building eIDAS Proxy-Service response with mandate ... "); +      final ImmutableAttributeMap.Builder attributeMap = ImmutableAttributeMap.builder(); +      injectRepesentativeInformation(attributeMap, eidAuthData); +      injectMandatorInformation(attributeMap, eidAuthData); +       +      // work-around that injects nat. person subject to bypass validation on eIDAS Node +      injectJurPersonWorkaroundIfRequired(attributeMap, eidasReq, authData); +       +      return attributeMap.build(); +             +    } else { +      log.debug("Building eIDAS Proxy-Service response without mandates ... "); +      return buildAttributesWithoutMandate(eidAuthData); +       +    }    +  } +     +  private void injectMandatorInformation( +      ImmutableAttributeMap.Builder attributeMap, IEidAuthData eidAuthData) {     +    String natMandatorId = eidAuthData.getGenericData( +        MsEidasNodeConstants.ATTR_EIDAS_NAT_MANDATOR_PERSONAL_IDENTIFIER, String.class); +     +    if (StringUtils.isNotEmpty(natMandatorId)) { +      log.debug("Injecting natural mandator informations ... "); +      final AttributeDefinition<?> attrDefPersonalId = attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +          Constants.eIDAS_ATTR_PERSONALIDENTIFIER).first(); +      final AttributeDefinition<?> attrDefFamilyName = attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +          Constants.eIDAS_ATTR_CURRENTFAMILYNAME).first(); +      final AttributeDefinition<?> attrDefGivenName = attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +          Constants.eIDAS_ATTR_CURRENTGIVENNAME).first(); +      final AttributeDefinition<?> attrDefDateOfBirth = attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +          Constants.eIDAS_ATTR_DATEOFBIRTH).first(); +       +      attributeMap.put(attrDefPersonalId, natMandatorId); +      attributeMap.put(attrDefFamilyName, eidAuthData.getGenericData( +          PvpAttributeDefinitions.MANDATE_NAT_PER_FAMILY_NAME_NAME, String.class)); +      attributeMap.put(attrDefGivenName, eidAuthData.getGenericData( +          PvpAttributeDefinitions.MANDATE_NAT_PER_GIVEN_NAME_NAME, String.class)); +      attributeMap.put(attrDefDateOfBirth, eidAuthData.getGenericData( +          PvpAttributeDefinitions.MANDATE_NAT_PER_BIRTHDATE_NAME, String.class)); +       +    } else { +      log.debug("Injecting legal mandator informations ... "); +      final AttributeDefinition<?> commonName = attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +          Constants.eIDAS_ATTR_LEGALNAME).first(); +      final AttributeDefinition<?> legalPersonId = attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +          Constants.eIDAS_ATTR_LEGALPERSONIDENTIFIER).first(); +       +      attributeMap.put(commonName, eidAuthData.getGenericData( +          PvpAttributeDefinitions.MANDATE_LEG_PER_FULL_NAME_NAME, String.class)); +      attributeMap.put(legalPersonId, eidAuthData.getGenericData( +          MsEidasNodeConstants.ATTR_EIDAS_JUR_MANDATOR_PERSONAL_IDENTIFIER, String.class)); +             +    }             +  } + +  private void injectRepesentativeInformation( +      ImmutableAttributeMap.Builder attributeMap, IEidAuthData eidAuthData) { +    final AttributeDefinition<?> attrDefPersonalId = attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +        Constants.eIDAS_ATTR_REPRESENTATIVE_PERSONALIDENTIFIER).first(); +    final AttributeDefinition<?> attrDefFamilyName = attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +        Constants.eIDAS_ATTR_REPRESENTATIVE_CURRENTFAMILYNAME).first(); +    final AttributeDefinition<?> attrDefGivenName = attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +        Constants.eIDAS_ATTR_REPRESENTATIVE_CURRENTGIVENNAME).first(); +    final AttributeDefinition<?> attrDefDateOfBirth = attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +        Constants.eIDAS_ATTR_REPRESENTATIVE_DATEOFBIRTH).first(); +    +    attributeMap.put(attrDefPersonalId,  +            eidAuthData.getGenericData(MsEidasNodeConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER, String.class)); +    attributeMap.put(attrDefFamilyName, eidAuthData.getFamilyName()); +    attributeMap.put(attrDefGivenName, eidAuthData.getGivenName()); +     +    //TODO: throw an error in case of SZR Date with month or day = "00" +    attributeMap.put(attrDefDateOfBirth, eidAuthData.getDateOfBirth()); +     +  } + +  /** +   * Work-around to inject representative information as nat. person subject to bypass eIDAS Node validation.  +   *  +   * <p><b>Injection will only be done if this work-around is enabled by configuration,  +   * the mandator is a legal person, and both legal and natural person subject's is requested.</b></p> +   *  +   * @param attributeMap Attribute set for eIDAS response +   * @param eidasReq Incoming eIDAS request +   * @param authData Authentication data +   */ +  private void injectJurPersonWorkaroundIfRequired( +      ImmutableAttributeMap.Builder attributeMap, ILightRequest eidasReq, IAuthData authData) { +    if (isLegalPersonWorkaroundActive() && isLegalPersonMandateAvailable(authData)  +        && EidasProxyServiceUtils.isNaturalPersonRequested(eidasReq) +        && EidasProxyServiceUtils.isLegalPersonRequested(eidasReq)) { +      log.debug("Injecting representative information as nat. person subject to bypass eIDAS Node validation"); +      attributeMap.putAll(buildAttributesWithoutMandate(authData)); +       +    }         +  } +   +  private ImmutableAttributeMap buildAttributesWithoutMandate(IAuthData eidAuthData) {         +    //TODO: throw an error in case of SZR Date with month or day = "00" +    return buildAttributesWithoutMandate( +        eidAuthData.getGenericData(MsEidasNodeConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER, String.class),  +        eidAuthData.getFamilyName(),  +        eidAuthData.getGivenName(),  +        eidAuthData.getDateOfBirth()); +     +  } + +  private ImmutableAttributeMap buildAttributesWithoutMandate(String personalIdentifier, String familyName, +      String givenName, String dateOfBirth) { +    final AttributeDefinition<?> attrDefPersonalId = attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +        Constants.eIDAS_ATTR_PERSONALIDENTIFIER).first(); +    final AttributeDefinition<?> attrDefFamilyName = attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +        Constants.eIDAS_ATTR_CURRENTFAMILYNAME).first(); +    final AttributeDefinition<?> attrDefGivenName = attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +        Constants.eIDAS_ATTR_CURRENTGIVENNAME).first(); +    final AttributeDefinition<?> attrDefDateOfBirth = attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +        Constants.eIDAS_ATTR_DATEOFBIRTH).first(); +    +    final ImmutableAttributeMap.Builder attributeMap =  +        ImmutableAttributeMap.builder() +        .put(attrDefPersonalId, personalIdentifier) +        .put(attrDefFamilyName, familyName) +        .put(attrDefGivenName, givenName)         +        .put(attrDefDateOfBirth, dateOfBirth); +     +    return attributeMap.build(); +     +  } +   +  private BinaryLightToken putResponseInCommunicationCache(ILightResponse lightResponse) +      throws ServletException { +    final BinaryLightToken binaryLightToken; +    try { +      final SpecificCommunicationService springManagedSpecificConnectorCommunicationService = +          (SpecificCommunicationService) context.getBean( +              SpecificCommunicationDefinitionBeanNames.SPECIFIC_PROXYSERVICE_COMMUNICATION_SERVICE +                  .toString()); + +      binaryLightToken = springManagedSpecificConnectorCommunicationService.putResponse(lightResponse); + +    } catch (final SpecificCommunicationException e) { +      log.error("Unable to process specific request"); +      throw new ServletException(e); + +    } + +    return binaryLightToken; +  } + +  private boolean isLegalPersonWorkaroundActive() { +    return basicConfig.getBasicConfigurationBoolean( +        MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_WORKAROUND_MANDATES_LEGAL_PERSON,  +        false); +     +  } +   +  private boolean isLegalPersonMandateAvailable(IAuthData authData) { +    return StringUtils.isNoneEmpty(authData.getGenericData( +        MsEidasNodeConstants.ATTR_EIDAS_JUR_MANDATOR_PERSONAL_IDENTIFIER, String.class)); +     +  } + +} diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/ProxyServicePendingRequest.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/ProxyServicePendingRequest.java new file mode 100644 index 00000000..a3b5007a --- /dev/null +++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/ProxyServicePendingRequest.java @@ -0,0 +1,28 @@ +package at.asitplus.eidas.specific.modules.msproxyservice.protocol; + +import org.springframework.beans.factory.config.BeanDefinition; +import org.springframework.context.annotation.Scope; +import org.springframework.stereotype.Component; + +import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl; +import eu.eidas.auth.commons.light.ILightRequest; +import lombok.Getter; +import lombok.Setter; + +/** + * Pending-request of an authentication process from eIDAS Proxy-Service.  + *  + * @author tlenz + * + */ +@Component("ProxyServicePendingRequest") +@Scope(value = BeanDefinition.SCOPE_PROTOTYPE) +public class ProxyServicePendingRequest extends RequestImpl { + +  private static final long serialVersionUID = 4227378344716277935L; + +  @Getter +  @Setter +  ILightRequest eidasRequest; +     +} diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/utils/EidasProxyServiceUtils.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/utils/EidasProxyServiceUtils.java new file mode 100644 index 00000000..4cd7ba6c --- /dev/null +++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/utils/EidasProxyServiceUtils.java @@ -0,0 +1,45 @@ +package at.asitplus.eidas.specific.modules.msproxyservice.utils; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import eu.eidas.auth.commons.light.ILightRequest; + +/** + * Common utils for eIDAS Proxy-Service implementation. + *  + * @author tlenz + * + */ +public class EidasProxyServiceUtils { + +  /** +   * Check if legal person subject is requested by eIDAS Connector. +   *  +   * @param eidasRequest Authentication request from eIDAS Connector. +   * @return <code>true</code> if <i>LegalPersonIdentifier</i> is requested, otherwise <code>false</code>lse +   */ +  public static boolean isLegalPersonRequested(ILightRequest eidasRequest) { +    return eidasRequest.getRequestedAttributes().entrySet().stream() +        .filter(el -> el.getKey().getFriendlyName().equals(Constants.eIDAS_ATTR_LEGALPERSONIDENTIFIER)) +        .findFirst() +        .isPresent(); +     +  } +   +  /** +   * Check if natural person subject is requested by eIDAS Connector. +   *  +   * @param eidasRequest Authentication request from eIDAS Connector. +   * @return <code>true</code> if <i>PersonIdentifier</i> is requested, otherwise <code>false</code>lse +   */ +  public static boolean isNaturalPersonRequested(ILightRequest eidasRequest) { +    return eidasRequest.getRequestedAttributes().entrySet().stream() +        .filter(el -> el.getKey().getFriendlyName().equals(Constants.eIDAS_ATTR_PERSONALIDENTIFIER)) +        .findFirst() +        .isPresent(); +     +  } +   +  private EidasProxyServiceUtils() { +    //hide constructor for class with static methods only +  } +} diff --git a/modules/eidas_proxy-sevice/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider b/modules/eidas_proxy-sevice/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider new file mode 100644 index 00000000..9158d2e6 --- /dev/null +++ b/modules/eidas_proxy-sevice/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider @@ -0,0 +1 @@ +at.asitplus.eidas.specific.modules.msproxyservice.MsProxyServiceSpringResourceProvider
\ No newline at end of file diff --git a/modules/eidas_proxy-sevice/src/main/resources/messages/eidasproxy_messages.properties b/modules/eidas_proxy-sevice/src/main/resources/messages/eidasproxy_messages.properties new file mode 100644 index 00000000..3f92d58a --- /dev/null +++ b/modules/eidas_proxy-sevice/src/main/resources/messages/eidasproxy_messages.properties @@ -0,0 +1,14 @@ +eidas.proxyservice.01=General error on request-validation from national eIDAS Proxy-Service +eidas.proxyservice.02=Authentication request contains not communication token. +eidas.proxyservice.03=General error during eIDAS-Node communication. Reason: {} +eidas.proxyservice.04=Validation of eIDAS Authn request failed. Reason: {} +eidas.proxyservice.05=No eIDAS-Connector Issuer in Authn. request. Authentication not possible +eidas.proxyservice.06=Can not build eIDAS Proxy-Service response. Authentication FAILED. +eidas.proxyservice.07=Can not determine eIDAS-Connector CountryCode. Authentication not possible +eidas.proxyservice.08=Validation of eIDAS Authn request failed. Reason: Legal person and natural person can not be requested at once. +eidas.proxyservice.09=eIDAS authentication not possible, because legal person is requested but mandates are disabled in general +eidas.proxyservice.10=eIDAS authentication not possible, because legal person is requested but not mandate profiles are defined +eidas.proxyservice.11=No Authentication request with stated communication token. + + +eidas.proxyservice.99=Internal error during eIDAS Proxy-Service authentication
\ No newline at end of file diff --git a/modules/eidas_proxy-sevice/src/main/resources/spring/eidas_proxy-service.beans.xml b/modules/eidas_proxy-sevice/src/main/resources/spring/eidas_proxy-service.beans.xml new file mode 100644 index 00000000..2055b5a9 --- /dev/null +++ b/modules/eidas_proxy-sevice/src/main/resources/spring/eidas_proxy-service.beans.xml @@ -0,0 +1,28 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" +  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" +  xmlns:context="http://www.springframework.org/schema/context" +  xmlns:tx="http://www.springframework.org/schema/tx" +  xmlns:aop="http://www.springframework.org/schema/aop" +  xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd +    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd +    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd +    http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd"> + +  <context:annotation-config /> + +  <bean id="ProxyServicePendingRequest"  +        class="at.asitplus.eidas.specific.modules.msproxyservice.protocol.ProxyServicePendingRequest" +        scope="prototype"/> + +  <bean id="ProxyServiceAuthenticationAction"  +        class="at.asitplus.eidas.specific.modules.msproxyservice.protocol.ProxyServiceAuthenticationAction"/> + +  <bean id="msSpecificProxyController" +        class="at.asitplus.eidas.specific.modules.msproxyservice.protocol.EidasProxyServiceController"/> +   +  <bean id="eidasProxyMessageSource" +        class="at.asitplus.eidas.specific.modules.msproxyservice.EidasProxyMessageSource"/> +   +   +</beans>
\ No newline at end of file diff --git a/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/EidasProxyMessageSourceTest.java b/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/EidasProxyMessageSourceTest.java new file mode 100644 index 00000000..efe572b5 --- /dev/null +++ b/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/EidasProxyMessageSourceTest.java @@ -0,0 +1,50 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.test; + +import java.util.List; + +import org.junit.Assert; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.core.io.Resource; +import org.springframework.core.io.ResourceLoader; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; + +import at.asitplus.eidas.specific.modules.msproxyservice.EidasProxyMessageSource; +import at.gv.egiz.eaaf.core.api.logging.IMessageSourceLocation; + +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration(locations = { +    "/spring/SpringTest-context_basic_test.xml", +    "/spring/SpringTest-context_basic_mapConfig.xml", +  }) +public class EidasProxyMessageSourceTest { + +  @Autowired +  private ResourceLoader loader; +  @Autowired(required = false) +  private List<IMessageSourceLocation> messageSources; + +  @Test +  public void checkMessageSources() { +    Assert.assertNotNull("No messageSource", messageSources); +    Assert.assertFalse("No message source", messageSources.isEmpty()); +     +    boolean found = false; +     +    for (final IMessageSourceLocation messageSource : messageSources) { +      found = found ? found : messageSource instanceof EidasProxyMessageSource; + +      Assert.assertNotNull("No sourcePath", messageSource.getMessageSourceLocation()); +      for (final String el : messageSource.getMessageSourceLocation()) { +        final Resource messages = loader.getResource(el + ".properties"); +        Assert.assertTrue("Source not exist", messages.exists()); + +      } +    } +     +    Assert.assertTrue("Internal messagesource not found", found); +     +  } +} diff --git a/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/MsProxyServiceSpringResourceProviderTest.java b/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/MsProxyServiceSpringResourceProviderTest.java new file mode 100644 index 00000000..8c6da366 --- /dev/null +++ b/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/MsProxyServiceSpringResourceProviderTest.java @@ -0,0 +1,56 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.test; + +import java.io.IOException; +import java.io.InputStream; + +import org.apache.commons.io.IOUtils; +import org.junit.Assert; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.BlockJUnit4ClassRunner; +import org.springframework.core.io.Resource; + +import at.asitplus.eidas.specific.modules.msproxyservice.MsProxyServiceSpringResourceProvider; +import at.gv.egiz.eaaf.core.test.TestConstants; + + + +@RunWith(BlockJUnit4ClassRunner.class) +public class MsProxyServiceSpringResourceProviderTest { + +  @Test +  public void testSpringConfig() { +    final MsProxyServiceSpringResourceProvider test = +        new MsProxyServiceSpringResourceProvider(); +    for (final Resource el : test.getResourcesToLoad()) { +      try { +        IOUtils.toByteArray(el.getInputStream()); + +      } catch (final IOException e) { +        Assert.fail("Ressouce: " + el.getFilename() + " not found"); +      } + +    } + +    Assert.assertNotNull("no Name", test.getName()); +    Assert.assertNull("Find package definitions", test.getPackagesToScan()); + +  } +  +  @Test +  public void testSpILoaderConfig() { +    final InputStream el = this.getClass().getResourceAsStream(TestConstants.TEST_SPI_LOADER_PATH); +    try { +      final String spiFile = IOUtils.toString(el, "UTF-8"); + +      Assert.assertEquals("Wrong classpath in SPI file", +          MsProxyServiceSpringResourceProvider.class.getName(), spiFile); + + +    } catch (final IOException e) { +      Assert.fail("Ressouce: " + TestConstants.TEST_SPI_LOADER_PATH + " not found"); + +    } +  } + +} diff --git a/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/protocol/EidasProxyServiceControllerTest.java b/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/protocol/EidasProxyServiceControllerTest.java new file mode 100644 index 00000000..55958d9e --- /dev/null +++ b/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/protocol/EidasProxyServiceControllerTest.java @@ -0,0 +1,666 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.test.protocol; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertThrows; +import static org.junit.Assert.assertTrue; + +import java.io.IOException; +import java.net.URISyntaxException; +import java.net.URLDecoder; +import java.text.MessageFormat; +import java.util.Arrays; +import java.util.List; +import java.util.UUID; + +import org.apache.commons.lang3.RandomStringUtils; +import org.apache.commons.lang3.StringUtils; +import org.junit.Assert; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.opensaml.saml.saml2.core.NameIDType; +import org.opensaml.saml.saml2.core.StatusCode; +import org.powermock.core.classloader.annotations.PrepareForTest; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.ApplicationContext; +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.mock.web.MockHttpServletResponse; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.web.context.request.RequestContextHolder; +import org.springframework.web.context.request.ServletRequestAttributes; +import org.springframework.web.servlet.config.annotation.EnableWebMvc; + +import com.google.common.collect.ImmutableSortedSet; + +import at.asitplus.eidas.specific.core.config.ServiceProviderConfiguration; +import at.asitplus.eidas.specific.core.test.config.dummy.MsConnectorDummyConfigMap; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.CreateIdentityLinkTask; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.test.dummy.DummySpecificCommunicationService; +import at.asitplus.eidas.specific.modules.msproxyservice.MsProxyServiceConstants; +import at.asitplus.eidas.specific.modules.msproxyservice.exception.EidasProxyServiceException; +import at.asitplus.eidas.specific.modules.msproxyservice.protocol.EidasProxyServiceController; +import at.asitplus.eidas.specific.modules.msproxyservice.protocol.ProxyServicePendingRequest; +import at.gv.egiz.eaaf.core.api.data.EaafConstants; +import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions.SpMandateModes; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.exceptions.EaafStorageException; +import at.gv.egiz.eaaf.core.impl.idp.module.test.DummyProtocolAuthService; +import eu.eidas.auth.commons.EidasParameterKeys; +import eu.eidas.auth.commons.attribute.ImmutableAttributeMap; +import eu.eidas.auth.commons.light.ILightResponse; +import eu.eidas.auth.commons.light.impl.LightRequest; +import eu.eidas.specificcommunication.SpecificCommunicationDefinitionBeanNames; +import eu.eidas.specificcommunication.exception.SpecificCommunicationException; +import eu.eidas.specificcommunication.protocol.SpecificCommunicationService; + +@RunWith(SpringJUnit4ClassRunner.class) +@PrepareForTest(CreateIdentityLinkTask.class) +@ContextConfiguration(locations = { +    "/spring/SpringTest-context_basic_test.xml", +    "/spring/SpringTest-context_basic_mapConfig.xml", +  }) +@EnableWebMvc +public class EidasProxyServiceControllerTest { + +  @Autowired private EidasProxyServiceController controller; +   +  @Autowired private DummySpecificCommunicationService proxyService; +  @Autowired private DummyProtocolAuthService authService; +  @Autowired private EidasAttributeRegistry attrRegistry; +  @Autowired private ApplicationContext context; +   +  @Autowired MsConnectorDummyConfigMap config; +   +  private MockHttpServletRequest httpReq; +  private MockHttpServletResponse httpResp; +   +  private SpecificCommunicationService springManagedSpecificConnectorCommunicationService; +   +  /** +   * jUnit test set-up. +   */ +  @Before +  public void setUp() throws EaafStorageException, URISyntaxException { +    httpReq = new MockHttpServletRequest("POST", "http://localhost/ms_connector/eidas/light/idp/redirect"); +    httpResp = new MockHttpServletResponse(); +    RequestContextHolder.resetRequestAttributes(); +    RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpReq, httpResp)); +        +    proxyService.setiLightRequest(null); +    proxyService.setError(null); +             +    config.putConfigValue("eidas.ms.auth.eIDAS.node_v2.proxy.forward.endpoint",  +        "http://eidas.proxy/endpoint"); +     +    springManagedSpecificConnectorCommunicationService = +        (SpecificCommunicationService) context.getBean( +            SpecificCommunicationDefinitionBeanNames.SPECIFIC_PROXYSERVICE_COMMUNICATION_SERVICE +                .toString()); +     +  } +   +  @Test +  public void generateErrorResponseWrongPendingReq() throws Throwable {     +    Assert.assertFalse("wrong statusCode", controller.generateErrorMessage( +        new EaafException("1000"),  +        httpReq, httpResp, null));     +     +  } +   +  @Test +  public void generateErrorResponse() throws Throwable {     +    ProxyServicePendingRequest pendingReq = new ProxyServicePendingRequest(); +    pendingReq.initialize(httpReq, config); +     +    LightRequest.Builder eidasRequestBuilder = LightRequest.builder() +        .id(UUID.randomUUID().toString()) +        .issuer(RandomStringUtils.randomAlphabetic(10)) +        .citizenCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .levelOfAssurance(EaafConstants.EIDAS_LOA_HIGH) +        .spCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .spType("public") +        .requesterId(RandomStringUtils.randomAlphanumeric(10)) +        .providerName(RandomStringUtils.randomAlphanumeric(10)); +    pendingReq.setEidasRequest(eidasRequestBuilder.build()); +     +     +    // execute test +    Assert.assertTrue("wrong statusCode", controller.generateErrorMessage( +        new EaafException("1000"),  +        httpReq, httpResp,  +        pendingReq));     +     +    // validate state +    assertNotNull("not redirct Header", httpResp.getHeader("Location")); +    assertTrue("wrong redirect URL", httpResp.getHeader("Location").startsWith("http://eidas.proxy/endpoint?token="));     +    String token = httpResp.getHeader("Location").substring("http://eidas.proxy/endpoint?token=".length()); +     +    ILightResponse resp = springManagedSpecificConnectorCommunicationService.getAndRemoveResponse(URLDecoder.decode(token, "UTF-8"),  +        ImmutableSortedSet.copyOf(attrRegistry.getCoreAttributeRegistry().getAttributes()));     +     +    assertNotNull("responseId", resp.getId()); +    assertEquals("inResponseTo", pendingReq.getEidasRequest().getId(), resp.getInResponseToId()); +    assertEquals("relayState", pendingReq.getEidasRequest().getRelayState(), resp.getRelayState()); +     +    assertNotNull("subjectNameId", resp.getSubject()); +    assertEquals("subjectNameIdFormat", NameIDType.TRANSIENT, resp.getSubjectNameIdFormat());   +    assertTrue("not attributes", resp.getAttributes().isEmpty());     + +    assertEquals("StatusCode", StatusCode.RESPONDER, resp.getStatus().getStatusCode()); +    //assertEquals("SubStatusCode", "", resp.getStatus().getSubStatusCode()); +    //assertEquals("StatusMsg", "", resp.getStatus().getStatusMessage()); +     +  } +   +  @Test +  public void missingEidasToken() {        +    EidasProxyServiceException exception = assertThrows(EidasProxyServiceException.class, +        () -> controller.receiveEidasAuthnRequest(httpReq, httpResp)); +    Assert.assertEquals("wrong errorCode", "eidas.proxyservice.02", exception.getErrorId()); +    +  } +   +  @Test +  public void wrongEidasTokenWithNullpointerException() {        +    //initialize state +    httpReq.addParameter(EidasParameterKeys.TOKEN.toString(), RandomStringUtils.randomAlphanumeric(10)); +     +    //validate state +    EidasProxyServiceException exception = assertThrows(EidasProxyServiceException.class, +        () -> controller.receiveEidasAuthnRequest(httpReq, httpResp)); +    Assert.assertEquals("wrong errorCode", "eidas.proxyservice.11", exception.getErrorId()); +    +  } +   +  @Test +  public void wrongEidasTokenCacheCommunicationError() {        +    //initialize state +    httpReq.addParameter(EidasParameterKeys.TOKEN.toString(), RandomStringUtils.randomAlphanumeric(10));     +    proxyService.setError(new SpecificCommunicationException(RandomStringUtils.randomAlphanumeric(10))); +     +    //validate state +    EidasProxyServiceException exception = assertThrows(EidasProxyServiceException.class, +        () -> controller.receiveEidasAuthnRequest(httpReq, httpResp)); +    Assert.assertEquals("wrong errorCode", "eidas.proxyservice.03", exception.getErrorId()); +    Assert.assertTrue("Wrong exception", (exception.getCause() instanceof SpecificCommunicationException)); +     +  } +     +  @Test +  public void missingServiceProviderCountry() {        +    //initialize state +    httpReq.addParameter(EidasParameterKeys.TOKEN.toString(), RandomStringUtils.randomAlphanumeric(10));     +    LightRequest.Builder authnReqBuilder = LightRequest.builder() +        .id(UUID.randomUUID().toString()) +        .issuer(RandomStringUtils.randomAlphabetic(10)) +        .citizenCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .levelOfAssurance(EaafConstants.EIDAS_LOA_HIGH); +     +    proxyService.setiLightRequest(authnReqBuilder.build()); +     +    //validate state +    EidasProxyServiceException exception = assertThrows(EidasProxyServiceException.class, +        () -> controller.receiveEidasAuthnRequest(httpReq, httpResp)); +    Assert.assertEquals("wrong errorCode", "eidas.proxyservice.07", exception.getErrorId()); +     +  } +     +  @Test +  public void requestingLegalAndNaturalPerson() {        +    //initialize state +    httpReq.addParameter(EidasParameterKeys.TOKEN.toString(), RandomStringUtils.randomAlphanumeric(10));     +    LightRequest.Builder authnReqBuilder = LightRequest.builder() +        .id(UUID.randomUUID().toString()) +        .issuer(RandomStringUtils.randomAlphabetic(10)) +        .citizenCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .spCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .levelOfAssurance(EaafConstants.EIDAS_LOA_HIGH) +        .requestedAttributes(ImmutableAttributeMap.builder() +            .put(attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +                Constants.eIDAS_ATTR_PERSONALIDENTIFIER).first()) +            .put(attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +                Constants.eIDAS_ATTR_LEGALPERSONIDENTIFIER).first()) +            .build()); +     +    proxyService.setiLightRequest(authnReqBuilder.build()); +     +    //validate state +    EidasProxyServiceException exception = assertThrows(EidasProxyServiceException.class, +        () -> controller.receiveEidasAuthnRequest(httpReq, httpResp)); +    Assert.assertEquals("wrong errorCode", "eidas.proxyservice.08", exception.getErrorId()); +     +  } +   +  @Test +  public void requestLegalPersonButNoMandates() throws IOException, EaafException {        +    //initialize state +    httpReq.addParameter(EidasParameterKeys.TOKEN.toString(), RandomStringUtils.randomAlphanumeric(10));     +    String spCountryCode = RandomStringUtils.randomAlphabetic(2).toUpperCase(); +    LightRequest.Builder authnReqBuilder = LightRequest.builder() +        .id(UUID.randomUUID().toString()) +        .issuer(RandomStringUtils.randomAlphabetic(10)) +        .citizenCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .levelOfAssurance(EaafConstants.EIDAS_LOA_HIGH) +        .spCountryCode(spCountryCode) +        .spType("public") +        .requestedAttributes(ImmutableAttributeMap.builder() +            .put(attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +                Constants.eIDAS_ATTR_LEGALPERSONIDENTIFIER).first()).build()); +     +    proxyService.setiLightRequest(authnReqBuilder.build()); +     +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_ENABLED, "false"); +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_NATURAL,  +        StringUtils.join(Arrays.asList( +            RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5)), ",")); +     +  //validate state +    EidasProxyServiceException exception = assertThrows(EidasProxyServiceException.class, +        () -> controller.receiveEidasAuthnRequest(httpReq, httpResp)); +    Assert.assertEquals("wrong errorCode", "eidas.proxyservice.09", exception.getErrorId());   +   +  } +   +  @Test +  public void validAuthnRequest() throws IOException, EaafException {        +    //initialize state +    httpReq.addParameter(EidasParameterKeys.TOKEN.toString(), RandomStringUtils.randomAlphanumeric(10));     +    String spCountryCode = RandomStringUtils.randomAlphabetic(2).toUpperCase(); +    LightRequest.Builder authnReqBuilder = LightRequest.builder() +        .id(UUID.randomUUID().toString()) +        .issuer(RandomStringUtils.randomAlphabetic(10)) +        .citizenCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .levelOfAssurance(EaafConstants.EIDAS_LOA_HIGH) +        .spCountryCode(spCountryCode) +        .spType("public") +        .requestedAttributes(ImmutableAttributeMap.builder() +            .put(attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +                Constants.eIDAS_ATTR_PERSONALIDENTIFIER).first()).build()); +     +    proxyService.setiLightRequest(authnReqBuilder.build()); +     +     +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_ENABLED, "false"); +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_NATURAL,  +        StringUtils.join(Arrays.asList( +            RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5)), ",")); +     +     +    //execute +    controller.receiveEidasAuthnRequest(httpReq, httpResp); +     +    //validate state +    Assert.assertNotNull("pendingRequest", authService.getPendingReq()); +    Assert.assertTrue("wrong pendingRequest", authService.getPendingReq() instanceof ProxyServicePendingRequest); +    ProxyServicePendingRequest pendingReq = (ProxyServicePendingRequest) authService.getPendingReq();         +    Assert.assertNotNull("missing uniqueSpId", pendingReq.getSpEntityId());         +    Assert.assertNotNull("missing eidasReq", pendingReq.getEidasRequest()); +     +    Assert.assertFalse("isPassive", pendingReq.isPassiv()); +    Assert.assertTrue("isPassive", pendingReq.forceAuth()); +    Assert.assertFalse("isPassive", pendingReq.isAuthenticated()); +    Assert.assertFalse("isPassive", pendingReq.isAbortedByUser()); +    Assert.assertTrue("isPassive", pendingReq.isNeedAuthentication()); + +    Assert.assertNotNull("missing spConfig", pendingReq.getServiceProviderConfiguration()); +    ServiceProviderConfiguration spConfig =  +        pendingReq.getServiceProviderConfiguration(ServiceProviderConfiguration.class); +    Assert.assertNotNull("uniqueId", spConfig.getUniqueIdentifier()); +    Assert.assertEquals("uniqueId wrong pattern",  +        authnReqBuilder.build().getIssuer(),  +        spConfig.getUniqueIdentifier());     +    Assert.assertEquals("friendlyName wrong pattern",  +        MessageFormat.format(MsProxyServiceConstants.TEMPLATE_SP_UNIQUE_ID, spCountryCode, "public"),  +        spConfig.getFriendlyName()); +     +    Assert.assertEquals("uniqueId not match to pendingReq",  +        pendingReq.getSpEntityId(), spConfig.getUniqueIdentifier()); +    Assert.assertNotNull("bpkTarget", spConfig.getAreaSpecificTargetIdentifier()); +    Assert.assertEquals("wrong bPK Target",  +        EaafConstants.URN_PREFIX_EIDAS + "AT+" + spCountryCode,  +        spConfig.getAreaSpecificTargetIdentifier()); +     +    assertNotNull("mandateprofiles", spConfig.getMandateProfiles()); +    assertTrue("mandateprofiles not empty", spConfig.getMandateProfiles().isEmpty()); +    assertEquals("MandateMode", SpMandateModes.NONE, spConfig.getMandateMode()); +         +  } + +  @Test +  public void validAuthnRequestWithMandatesDefaultProfilesNat() throws IOException, EaafException {        +    //initialize state +    httpReq.addParameter(EidasParameterKeys.TOKEN.toString(), RandomStringUtils.randomAlphanumeric(10));     +    String spCountryCode = RandomStringUtils.randomAlphabetic(2).toUpperCase(); +    LightRequest.Builder authnReqBuilder = LightRequest.builder() +        .id(UUID.randomUUID().toString()) +        .issuer(RandomStringUtils.randomAlphabetic(10)) +        .citizenCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .levelOfAssurance(EaafConstants.EIDAS_LOA_HIGH) +        .spCountryCode(spCountryCode) +        .spType("public") +        .requestedAttributes(ImmutableAttributeMap.builder() +            .put(attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +                Constants.eIDAS_ATTR_PERSONALIDENTIFIER).first()).build()); +     +     +    proxyService.setiLightRequest(authnReqBuilder.build()); +     +    List<String> mandateProfilesNat =  +        Arrays.asList(RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5)); +    List<String> mandateProfilesJur =  +        Arrays.asList(RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5)); +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_ENABLED, "true"); +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_NATURAL,  +        StringUtils.join(mandateProfilesNat, ",")); +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_LEGAL,  +        StringUtils.join(mandateProfilesJur, ",")); +     +    //execute +    controller.receiveEidasAuthnRequest(httpReq, httpResp); +     +    //validate state +    ServiceProviderConfiguration spConfig =  +        authService.getPendingReq().getServiceProviderConfiguration(ServiceProviderConfiguration.class); +    assertNotNull("mandateprofiles", spConfig.getMandateProfiles()); +    assertFalse("mandateprofiles not empty", spConfig.getMandateProfiles().isEmpty()); +    assertEquals("mandateprofile size", mandateProfilesNat.size(), spConfig.getMandateProfiles().size()); +    spConfig.getMandateProfiles().stream() +        .forEach(el -> assertTrue("missing mandateProfile: " + el, mandateProfilesNat.contains(el))); +    assertEquals("MandateMode", SpMandateModes.NATURAL, spConfig.getMandateMode()); +     +  } +   +  @Test +  public void validAuthnRequestWithMandatesDefaultProfilesJur() throws IOException, EaafException {        +    //initialize state +    httpReq.addParameter(EidasParameterKeys.TOKEN.toString(), RandomStringUtils.randomAlphanumeric(10));     +    String spCountryCode = RandomStringUtils.randomAlphabetic(2).toUpperCase(); +    LightRequest.Builder authnReqBuilder = LightRequest.builder() +        .id(UUID.randomUUID().toString()) +        .issuer(RandomStringUtils.randomAlphabetic(10)) +        .citizenCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .levelOfAssurance(EaafConstants.EIDAS_LOA_HIGH) +        .spCountryCode(spCountryCode) +        .spType("public") +        .requestedAttributes(ImmutableAttributeMap.builder() +            .put(attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +                Constants.eIDAS_ATTR_LEGALPERSONIDENTIFIER).first()).build()); +     +     +    proxyService.setiLightRequest(authnReqBuilder.build()); +     +    List<String> mandateProfilesNat =  +        Arrays.asList(RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5)); +    List<String> mandateProfilesJur =  +        Arrays.asList(RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5)); +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_ENABLED, "true"); +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_NATURAL,  +        StringUtils.join(mandateProfilesNat, ",")); +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_LEGAL,  +        StringUtils.join(mandateProfilesJur, ",")); +     +    //execute +    controller.receiveEidasAuthnRequest(httpReq, httpResp); +     +    //validate state +    ServiceProviderConfiguration spConfig =  +        authService.getPendingReq().getServiceProviderConfiguration(ServiceProviderConfiguration.class); +    assertNotNull("mandateprofiles", spConfig.getMandateProfiles()); +    assertFalse("mandateprofiles not empty", spConfig.getMandateProfiles().isEmpty()); +    assertEquals("mandateprofile size", mandateProfilesJur.size(), spConfig.getMandateProfiles().size()); +    spConfig.getMandateProfiles().stream() +        .forEach(el -> assertTrue("missing mandateProfile: " + el, mandateProfilesJur.contains(el))); +    assertEquals("MandateMode", SpMandateModes.LEGAL_FORCE, spConfig.getMandateMode()); +     +  } +   +  @Test +  public void validAuthnRequestWithMandatesDefaultNoJurProfiles() throws IOException, EaafException {        +    //initialize state +    httpReq.addParameter(EidasParameterKeys.TOKEN.toString(), RandomStringUtils.randomAlphanumeric(10));     +    String spCountryCode = RandomStringUtils.randomAlphabetic(2).toUpperCase(); +    LightRequest.Builder authnReqBuilder = LightRequest.builder() +        .id(UUID.randomUUID().toString()) +        .issuer(RandomStringUtils.randomAlphabetic(10)) +        .citizenCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .levelOfAssurance(EaafConstants.EIDAS_LOA_HIGH) +        .spCountryCode(spCountryCode) +        .spType("public") +        .requestedAttributes(ImmutableAttributeMap.builder() +            .put(attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +                Constants.eIDAS_ATTR_LEGALPERSONIDENTIFIER).first()).build()); +     +     +    proxyService.setiLightRequest(authnReqBuilder.build()); +     +    List<String> mandateProfilesNat =  +        Arrays.asList(RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5)); +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_ENABLED, "true"); +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_NATURAL,  +        StringUtils.join(mandateProfilesNat, ",")); +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_LEGAL, ""); +     +    //validate state +    EidasProxyServiceException exception = assertThrows(EidasProxyServiceException.class, +        () -> controller.receiveEidasAuthnRequest(httpReq, httpResp)); +    Assert.assertEquals("wrong errorCode", "eidas.proxyservice.10", exception.getErrorId()); +         +  } +   +  @Test +  public void validAuthnRequestWithMandatesDefaultNoNatProfiles() throws IOException, EaafException {        +    //initialize state +    httpReq.addParameter(EidasParameterKeys.TOKEN.toString(), RandomStringUtils.randomAlphanumeric(10));     +    String spCountryCode = RandomStringUtils.randomAlphabetic(2).toUpperCase(); +    LightRequest.Builder authnReqBuilder = LightRequest.builder() +        .id(UUID.randomUUID().toString()) +        .issuer(RandomStringUtils.randomAlphabetic(10)) +        .citizenCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .levelOfAssurance(EaafConstants.EIDAS_LOA_HIGH) +        .spCountryCode(spCountryCode) +        .spType("public") +        .requestedAttributes(ImmutableAttributeMap.builder() +            .put(attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +                Constants.eIDAS_ATTR_PERSONALIDENTIFIER).first()).build()); +     +     +    proxyService.setiLightRequest(authnReqBuilder.build()); +     +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_ENABLED, "true"); +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_NATURAL, "");  +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_LEGAL, ""); +     +    //execute +    controller.receiveEidasAuthnRequest(httpReq, httpResp); +     +    //validate state +    ServiceProviderConfiguration spConfig =  +        authService.getPendingReq().getServiceProviderConfiguration(ServiceProviderConfiguration.class); +    assertNotNull("mandateprofiles", spConfig.getMandateProfiles()); +    assertTrue("mandateprofiles not empty", spConfig.getMandateProfiles().isEmpty()); +    assertEquals("MandateMode", SpMandateModes.NONE, spConfig.getMandateMode()); +         +  } +   +  @Test +  public void validAuthnRequestIssueSpecificNoMandates() throws IOException, EaafException {        +    //initialize state +    httpReq.addParameter(EidasParameterKeys.TOKEN.toString(), RandomStringUtils.randomAlphanumeric(10));     +     +    String issuer = RandomStringUtils.randomAlphabetic(10);     +    LightRequest.Builder authnReqBuilder = LightRequest.builder() +        .id(UUID.randomUUID().toString()) +        .issuer(issuer) +        .citizenCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .levelOfAssurance(EaafConstants.EIDAS_LOA_HIGH) +        .spCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .spType("public") +        .requestedAttributes(ImmutableAttributeMap.builder() +            .put(attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +                Constants.eIDAS_ATTR_PERSONALIDENTIFIER).first()).build()); +     +    proxyService.setiLightRequest(authnReqBuilder.build()); +     +     +    // set default mandate configuration     +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_ENABLED, "true"); +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_NATURAL,  +        StringUtils.join(Arrays.asList( +            RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5)), ",")); +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_LEGAL,  +        StringUtils.join(Arrays.asList( +            RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5)), ",")); +     +    // set specific mandate configuration +    String spCountryCode = RandomStringUtils.randomAlphabetic(2).toUpperCase(); +    addConnectorConfig(0,  MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_UNIQUEID, issuer); +    addConnectorConfig(0,  MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_COUNTRYCODE, spCountryCode); +    addConnectorConfig(0,  MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_MANDATES_ENABLED, "false"); +     +    List<String> mandateProfiles =  +        Arrays.asList(RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5)); +    addConnectorConfig(0,  MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_MANDATES_PROFILE_NATURAL,  +        StringUtils.join(mandateProfiles, ",")); +    addConnectorConfig(0,  MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_MANDATES_PROFILE_LEGAL,  +        StringUtils.join(Arrays.asList(RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5)), ",")); +         +    //execute +    controller.receiveEidasAuthnRequest(httpReq, httpResp); +     +    //validate state +    ServiceProviderConfiguration spConfig =  +        authService.getPendingReq().getServiceProviderConfiguration(ServiceProviderConfiguration.class); +    assertNotNull("mandateprofiles", spConfig.getMandateProfiles()); +    assertTrue("mandateprofiles not empty", spConfig.getMandateProfiles().isEmpty()); +    assertEquals("MandateMode", SpMandateModes.NONE, spConfig.getMandateMode()); +     +  } +   +  @Test +  public void validAuthnRequestIssueSpecificMandatesNat() throws IOException, EaafException {        +    //initialize state +    httpReq.addParameter(EidasParameterKeys.TOKEN.toString(), RandomStringUtils.randomAlphanumeric(10));     +     +    String issuer = "https://apps.egiz.gv.at/EidasNode//ConnectorMetadata";     +    LightRequest.Builder authnReqBuilder = LightRequest.builder() +        .id(UUID.randomUUID().toString()) +        .issuer(issuer) +        .citizenCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .levelOfAssurance(EaafConstants.EIDAS_LOA_HIGH) +        .spCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .spType("public") +        .requestedAttributes(ImmutableAttributeMap.builder() +            .put(attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +                Constants.eIDAS_ATTR_PERSONALIDENTIFIER).first()).build()); +     +    proxyService.setiLightRequest(authnReqBuilder.build()); +     +     +    // set default mandate configuration     +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_ENABLED, "false"); +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_NATURAL,  +        StringUtils.join(Arrays.asList( +            RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5)), ",")); +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_LEGAL,  +        StringUtils.join(Arrays.asList( +            RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5)), ",")); +     +    // set specific mandate configuration +    String spCountryCode = RandomStringUtils.randomAlphabetic(2).toUpperCase(); +    addConnectorConfig(0,  MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_UNIQUEID, issuer); +    addConnectorConfig(0,  MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_COUNTRYCODE, spCountryCode); +    addConnectorConfig(0,  MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_MANDATES_ENABLED, "true"); +     +    List<String> mandateProfiles =  +        Arrays.asList(RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5)); +    addConnectorConfig(0,  MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_MANDATES_PROFILE_NATURAL,  +        StringUtils.join(mandateProfiles, ",")); +    addConnectorConfig(0,  MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_MANDATES_PROFILE_LEGAL,  +        StringUtils.join(Arrays.asList(RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5)), ",")); +         +    //execute +    controller.receiveEidasAuthnRequest(httpReq, httpResp); +     +    //validate state +    ServiceProviderConfiguration spConfig =  +        authService.getPendingReq().getServiceProviderConfiguration(ServiceProviderConfiguration.class); +    assertNotNull("mandateprofiles", spConfig.getMandateProfiles()); +    assertFalse("mandateprofiles not empty", spConfig.getMandateProfiles().isEmpty()); +    assertEquals("mandateprofile size", mandateProfiles.size(), spConfig.getMandateProfiles().size()); +    spConfig.getMandateProfiles().stream() +        .forEach(el -> assertTrue("missing mandateProfile: " + el, mandateProfiles.contains(el))); +    assertEquals("MandateMode", SpMandateModes.NATURAL, spConfig.getMandateMode()); +     +  } +   +  @Test +  public void validAuthnRequestIssueSpecificMandatesJur() throws IOException, EaafException {        +    //initialize state +    httpReq.addParameter(EidasParameterKeys.TOKEN.toString(), RandomStringUtils.randomAlphanumeric(10));     +     +    String issuer = RandomStringUtils.randomAlphabetic(10);     +    LightRequest.Builder authnReqBuilder = LightRequest.builder() +        .id(UUID.randomUUID().toString()) +        .issuer(issuer) +        .citizenCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .levelOfAssurance(EaafConstants.EIDAS_LOA_HIGH) +        .spCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .spType("public") +        .requestedAttributes(ImmutableAttributeMap.builder() +            .put(attrRegistry.getCoreAttributeRegistry().getByFriendlyName( +                Constants.eIDAS_ATTR_LEGALPERSONIDENTIFIER).first()).build()); +     +    proxyService.setiLightRequest(authnReqBuilder.build()); +     +     +    // set default mandate configuration     +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_ENABLED, "true"); +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_NATURAL,  +        StringUtils.join(Arrays.asList( +            RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5)), ",")); +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_LEGAL,  +        StringUtils.join(Arrays.asList( +            RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5)), ",")); +     +    // set specific mandate configuration +    String spCountryCode = RandomStringUtils.randomAlphabetic(2).toUpperCase(); +    addConnectorConfig(0,  MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_UNIQUEID, issuer); +    addConnectorConfig(0,  MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_COUNTRYCODE, spCountryCode); +    addConnectorConfig(0,  MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_MANDATES_ENABLED, "true"); +     +    List<String> mandateProfiles =  +        Arrays.asList(RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5)); +    addConnectorConfig(0,  MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_MANDATES_PROFILE_LEGAL,  +        StringUtils.join(mandateProfiles, ",")); +    addConnectorConfig(0,  MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_MANDATES_PROFILE_NATURAL,  +        StringUtils.join(Arrays.asList(RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5)), ",")); +         +    //execute +    controller.receiveEidasAuthnRequest(httpReq, httpResp); +     +    //validate state +    ServiceProviderConfiguration spConfig =  +        authService.getPendingReq().getServiceProviderConfiguration(ServiceProviderConfiguration.class); +    assertNotNull("mandateprofiles", spConfig.getMandateProfiles()); +    assertFalse("mandateprofiles not empty", spConfig.getMandateProfiles().isEmpty()); +    assertEquals("mandateprofile size", mandateProfiles.size(), spConfig.getMandateProfiles().size()); +    spConfig.getMandateProfiles().stream() +        .forEach(el -> assertTrue("missing mandateProfile: " + el, mandateProfiles.contains(el))); +    assertEquals("MandateMode", SpMandateModes.LEGAL_FORCE, spConfig.getMandateMode()); +     +  } +   +  private void addConnectorConfig(int i, String key, String value) { +    config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_PREFIX + String.valueOf(i)  + "." + key,  +        value);  +     +  } +   +} + + diff --git a/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/protocol/ProxyServiceAuthenticationActionTest.java b/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/protocol/ProxyServiceAuthenticationActionTest.java new file mode 100644 index 00000000..52cc01d4 --- /dev/null +++ b/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/protocol/ProxyServiceAuthenticationActionTest.java @@ -0,0 +1,637 @@ +package at.asitplus.eidas.specific.modules.auth.idaustria.test.protocol; + +import static at.asitplus.eidas.specific.core.MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertNull; +import static org.junit.Assert.assertThrows; +import static org.junit.Assert.assertTrue; + +import java.net.URISyntaxException; +import java.net.URLDecoder; +import java.util.Arrays; +import java.util.Collections; +import java.util.Date; +import java.util.HashMap; +import java.util.Map; +import java.util.UUID; + +import org.apache.commons.lang3.RandomStringUtils; +import org.joda.time.DateTime; +import org.junit.Assert; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.opensaml.saml.saml2.core.NameIDType; +import org.powermock.core.classloader.annotations.PrepareForTest; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.ApplicationContext; +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.mock.web.MockHttpServletResponse; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.web.context.request.RequestContextHolder; +import org.springframework.web.context.request.ServletRequestAttributes; + +import com.google.common.collect.ImmutableSortedSet; + +import at.asitplus.eidas.specific.core.MsEidasNodeConstants; +import at.asitplus.eidas.specific.core.test.config.dummy.MsConnectorDummyConfigMap; +import at.asitplus.eidas.specific.core.test.config.dummy.MsConnectorDummySpConfiguration; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.CreateIdentityLinkTask; +import at.asitplus.eidas.specific.modules.msproxyservice.protocol.ProxyServiceAuthenticationAction; +import at.asitplus.eidas.specific.modules.msproxyservice.protocol.ProxyServicePendingRequest; +import at.gv.egiz.eaaf.core.api.data.EaafConfigConstants; +import at.gv.egiz.eaaf.core.api.data.EaafConstants; +import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; +import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions.EidIdentityStatusLevelValues; +import at.gv.egiz.eaaf.core.api.idp.IAuthData; +import at.gv.egiz.eaaf.core.api.idp.IEidAuthData; +import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink; +import at.gv.egiz.eaaf.core.api.idp.slo.SloInformationInterface; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl; +import eu.eidas.auth.commons.attribute.AttributeDefinition; +import eu.eidas.auth.commons.attribute.ImmutableAttributeMap; +import eu.eidas.auth.commons.light.ILightResponse; +import eu.eidas.auth.commons.light.impl.LightRequest; +import eu.eidas.auth.commons.light.impl.LightRequest.Builder; +import eu.eidas.specificcommunication.SpecificCommunicationDefinitionBeanNames; +import eu.eidas.specificcommunication.exception.SpecificCommunicationException; +import eu.eidas.specificcommunication.protocol.SpecificCommunicationService; + +@RunWith(SpringJUnit4ClassRunner.class) +@PrepareForTest(CreateIdentityLinkTask.class) +@ContextConfiguration(locations = { +    "/spring/SpringTest-context_basic_test.xml", +    "/spring/SpringTest-context_basic_mapConfig.xml", +  }) +public class ProxyServiceAuthenticationActionTest { + +  @Autowired private MsConnectorDummyConfigMap basicConfig; +  @Autowired private ProxyServiceAuthenticationAction action; +  @Autowired private ApplicationContext context; +  @Autowired EidasAttributeRegistry attrRegistry; +   +  private MockHttpServletRequest httpReq; +  private MockHttpServletResponse httpResp; +  private ProxyServicePendingRequest pendingReq; +  private MsConnectorDummySpConfiguration oaParam; +  private SpecificCommunicationService springManagedSpecificConnectorCommunicationService; +   +    +  /** +   * jUnit test set-up. +   * @throws EaafException In case of an error +   */ +  @Before +  public void setUp() throws URISyntaxException, EaafException { +    httpReq = new MockHttpServletRequest("POST", "https://localhost/authhandler"); +    httpResp = new MockHttpServletResponse(); +    RequestContextHolder.resetRequestAttributes(); +    RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpReq, httpResp)); +     +    basicConfig.putConfigValue("eidas.ms.auth.eIDAS.node_v2.proxy.forward.endpoint",  +        "http://eidas.proxy/endpoint");     +    basicConfig.putConfigValue("auth.eIDAS.proxy.workaround.mandates.legalperson",  +        "false"); +     +    final Map<String, String> spConfig = new HashMap<>(); +    spConfig.put(EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER, "testSp"); +    spConfig.put("target", "urn:publicid:gv.at:cdid+XX"); +    spConfig.put(PROP_CONFIG_SP_NEW_EID_MODE, "true"); +    oaParam = new MsConnectorDummySpConfiguration(spConfig, basicConfig); +    oaParam.setLoa(Arrays.asList(EaafConstants.EIDAS_LOA_HIGH)); +         +    pendingReq = new ProxyServicePendingRequest(); +    pendingReq.initialize(httpReq, basicConfig); +    pendingReq.setOnlineApplicationConfiguration(oaParam); +     +    LightRequest.Builder eidasRequestBuilder = generateBasicLightRequest(); +    pendingReq.setEidasRequest(eidasRequestBuilder.build()); +     +     +    springManagedSpecificConnectorCommunicationService = +        (SpecificCommunicationService) context.getBean( +            SpecificCommunicationDefinitionBeanNames.SPECIFIC_PROXYSERVICE_COMMUNICATION_SERVICE +                .toString()); +     +  } +   +  @Test +  public void wrongPendingRequestType() {     +    IAuthData authData = generateDummyAuthData(); +    TestRequestImpl internalPendingReq = new TestRequestImpl(); +     +    EaafException exception = assertThrows(EaafException.class, +        () ->  action.processRequest(internalPendingReq, httpReq, httpResp, authData)); +    Assert.assertEquals("wrong errorCode", "eidas.proxyservice.99", exception.getErrorId()); +     +  } + +  @Test +  public void missingForwardUrl() {         +    Map<String, Object> attr = new HashMap<>(); +    attr.put(MsEidasNodeConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER,  +        "AT+XX:" + RandomStringUtils.randomAlphanumeric(10));     +    IAuthData authData = generateDummyAuthData(attr , EaafConstants.EIDAS_LOA_HIGH, +        RandomStringUtils.randomAlphanumeric(10), RandomStringUtils.randomAlphanumeric(10), "1945-04-18", false); +    basicConfig.removeConfigValue("eidas.ms.auth.eIDAS.node_v2.proxy.forward.endpoint"); +         +    EaafException exception = assertThrows(EaafException.class, +        () ->  action.processRequest(pendingReq, httpReq, httpResp, authData)); +    Assert.assertEquals("wrong errorCode", "config.08", exception.getErrorId()); +     +  } +   +  @Test  +  public void responseWithoutMandate() throws EaafException, SpecificCommunicationException { +    Map<String, Object> attr = new HashMap<>(); +    attr.put(MsEidasNodeConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER,  +        "AT+XX:" + RandomStringUtils.randomAlphanumeric(10));     +    IAuthData authData = generateDummyAuthData(attr , EaafConstants.EIDAS_LOA_HIGH, +        RandomStringUtils.randomAlphanumeric(10), RandomStringUtils.randomAlphanumeric(10), "1945-04-18", false); +     +    //perform test +    SloInformationInterface result = action.processRequest(pendingReq, httpReq, httpResp, authData); +     +    //validate state +    Assert.assertNotNull("Result should be not null", result); +     +    ImmutableAttributeMap respAttr = validateBasicEidasResponse(authData); +    assertEquals("wrong attr. size", 4, respAttr.size());     +    checkAttrValue(respAttr, Constants.eIDAS_ATTR_PERSONALIDENTIFIER,  +        (String) attr.get(MsEidasNodeConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER)); +    checkAttrValue(respAttr, Constants.eIDAS_ATTR_CURRENTFAMILYNAME, authData.getFamilyName()); +    checkAttrValue(respAttr, Constants.eIDAS_ATTR_CURRENTGIVENNAME, authData.getGivenName()); +    checkAttrValue(respAttr, Constants.eIDAS_ATTR_DATEOFBIRTH,  +        authData.getDateOfBirth()); +         +  } +   +  @Test  +  public void responseWithNatMandate() throws EaafException, SpecificCommunicationException { +    Map<String, Object> attr = new HashMap<>(); +    attr.put(MsEidasNodeConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER,  +        "AT+XX:" + RandomStringUtils.randomAlphanumeric(10));     +     +    attr.put(MsEidasNodeConstants.ATTR_EIDAS_NAT_MANDATOR_PERSONAL_IDENTIFIER, +        RandomStringUtils.randomAlphabetic(10)); +    attr.put(PvpAttributeDefinitions.MANDATE_NAT_PER_GIVEN_NAME_NAME, +        RandomStringUtils.randomAlphabetic(10)); +    attr.put(PvpAttributeDefinitions.MANDATE_NAT_PER_FAMILY_NAME_NAME, +        RandomStringUtils.randomAlphabetic(10)); +    attr.put(PvpAttributeDefinitions.MANDATE_NAT_PER_BIRTHDATE_NAME, +        "1985-11-15"); +     +     +    IAuthData authData = generateDummyAuthData(attr , EaafConstants.EIDAS_LOA_HIGH, +        RandomStringUtils.randomAlphanumeric(10), RandomStringUtils.randomAlphanumeric(10), "1945-04-18", true); +     +    //perform test +    SloInformationInterface result = action.processRequest(pendingReq, httpReq, httpResp, authData); +     +    //validate state +    Assert.assertNotNull("Result should be not null", result); +     +    ImmutableAttributeMap respAttr = validateBasicEidasResponse(authData); +    assertEquals("wrong attr. size", 8, respAttr.size());     +    checkAttrValue(respAttr, Constants.eIDAS_ATTR_REPRESENTATIVE_PERSONALIDENTIFIER,  +        (String) attr.get(MsEidasNodeConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER)); +    checkAttrValue(respAttr, Constants.eIDAS_ATTR_REPRESENTATIVE_CURRENTFAMILYNAME, authData.getFamilyName()); +    checkAttrValue(respAttr, Constants.eIDAS_ATTR_REPRESENTATIVE_CURRENTGIVENNAME, authData.getGivenName()); +    checkAttrValue(respAttr, Constants.eIDAS_ATTR_REPRESENTATIVE_DATEOFBIRTH, authData.getDateOfBirth()); + +    checkAttrValue(respAttr, Constants.eIDAS_ATTR_PERSONALIDENTIFIER,  +        (String) attr.get(MsEidasNodeConstants.ATTR_EIDAS_NAT_MANDATOR_PERSONAL_IDENTIFIER)); +    checkAttrValue(respAttr, Constants.eIDAS_ATTR_CURRENTFAMILYNAME,  +        (String) attr.get(PvpAttributeDefinitions.MANDATE_NAT_PER_FAMILY_NAME_NAME)); +    checkAttrValue(respAttr, Constants.eIDAS_ATTR_CURRENTGIVENNAME,  +        (String) attr.get(PvpAttributeDefinitions.MANDATE_NAT_PER_GIVEN_NAME_NAME)); +    checkAttrValue(respAttr, Constants.eIDAS_ATTR_DATEOFBIRTH,  +        (String) attr.get(PvpAttributeDefinitions.MANDATE_NAT_PER_BIRTHDATE_NAME)); +            +  } +   +  @Test  +  public void responseWithJurMandate() throws EaafException, SpecificCommunicationException { +    Map<String, Object> attr = new HashMap<>(); +    attr.put(MsEidasNodeConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER,  +        "AT+XX:" + RandomStringUtils.randomAlphanumeric(10));     +    IAuthData authData = generateDummyAuthData(attr , EaafConstants.EIDAS_LOA_HIGH, +        RandomStringUtils.randomAlphanumeric(10), RandomStringUtils.randomAlphanumeric(10), "1945-04-18", true); +     +    attr.put(MsEidasNodeConstants.ATTR_EIDAS_JUR_MANDATOR_PERSONAL_IDENTIFIER, +        RandomStringUtils.randomAlphabetic(10)); +    attr.put(PvpAttributeDefinitions.MANDATE_LEG_PER_FULL_NAME_NAME, +        RandomStringUtils.randomAlphabetic(10)); +     +    //perform test +    SloInformationInterface result = action.processRequest(pendingReq, httpReq, httpResp, authData); +     +    //validate state +    Assert.assertNotNull("Result should be not null", result); +     +    ImmutableAttributeMap respAttr = validateBasicEidasResponse(authData); +    assertEquals("wrong attr. size", 6, respAttr.size());   +    checkAttrValue(respAttr, Constants.eIDAS_ATTR_REPRESENTATIVE_PERSONALIDENTIFIER,  +        (String) attr.get(MsEidasNodeConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER)); +    checkAttrValue(respAttr, Constants.eIDAS_ATTR_REPRESENTATIVE_CURRENTFAMILYNAME, authData.getFamilyName()); +    checkAttrValue(respAttr, Constants.eIDAS_ATTR_REPRESENTATIVE_CURRENTGIVENNAME, authData.getGivenName()); +    checkAttrValue(respAttr, Constants.eIDAS_ATTR_REPRESENTATIVE_DATEOFBIRTH, authData.getDateOfBirth()); +    +    checkAttrValue(respAttr, Constants.eIDAS_ATTR_LEGALPERSONIDENTIFIER,  +        (String) attr.get(MsEidasNodeConstants.ATTR_EIDAS_JUR_MANDATOR_PERSONAL_IDENTIFIER)); +    checkAttrValue(respAttr, Constants.eIDAS_ATTR_LEGALNAME,  +        (String) attr.get(PvpAttributeDefinitions.MANDATE_LEG_PER_FULL_NAME_NAME)); +     +    assertNull("find nat. person subject: personalId",  +        getAttrValue(respAttr, Constants.eIDAS_ATTR_PERSONALIDENTIFIER)); +    assertNull("find nat. person subject: familyName",  +        getAttrValue(respAttr, Constants.eIDAS_ATTR_CURRENTFAMILYNAME)); +    assertNull("find nat. person subject: givenName",  +        getAttrValue(respAttr, Constants.eIDAS_ATTR_CURRENTGIVENNAME)); +    assertNull("find nat. person subject: dateOfBirth",  +        getAttrValue(respAttr, Constants.eIDAS_ATTR_DATEOFBIRTH)); +     +  } +   +  @Test +  public void responseWithNatMandateWithWorkAround() throws EaafException, SpecificCommunicationException { +    basicConfig.putConfigValue("auth.eIDAS.proxy.workaround.mandates.legalperson",  +        "true"); +     +    //request natural person subject only +    LightRequest.Builder eidasRequestBuilder = generateBasicLightRequest(); +    eidasRequestBuilder.requestedAttributes(ImmutableAttributeMap.builder().put( +        attrRegistry.getCoreAttributeRegistry().getByFriendlyName(Constants.eIDAS_ATTR_PERSONALIDENTIFIER).first()).build()); +    pendingReq.setEidasRequest(eidasRequestBuilder.build()); +     +     +    Map<String, Object> attr = new HashMap<>(); +    attr.put(MsEidasNodeConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER,  +        "AT+XX:" + RandomStringUtils.randomAlphanumeric(10));     +     +    attr.put(MsEidasNodeConstants.ATTR_EIDAS_NAT_MANDATOR_PERSONAL_IDENTIFIER, +        RandomStringUtils.randomAlphabetic(10)); +    attr.put(PvpAttributeDefinitions.MANDATE_NAT_PER_GIVEN_NAME_NAME, +        RandomStringUtils.randomAlphabetic(10)); +    attr.put(PvpAttributeDefinitions.MANDATE_NAT_PER_FAMILY_NAME_NAME, +        RandomStringUtils.randomAlphabetic(10)); +    attr.put(PvpAttributeDefinitions.MANDATE_NAT_PER_BIRTHDATE_NAME, +        "1985-11-15"); +     +     +    IAuthData authData = generateDummyAuthData(attr , EaafConstants.EIDAS_LOA_HIGH, +        RandomStringUtils.randomAlphanumeric(10), RandomStringUtils.randomAlphanumeric(10), "1945-04-18", true); +     +    //perform test +    SloInformationInterface result = action.processRequest(pendingReq, httpReq, httpResp, authData); +     +    //validate state +    Assert.assertNotNull("Result should be not null", result); +     +    ImmutableAttributeMap respAttr = validateBasicEidasResponse(authData); +    assertEquals("wrong attr. size", 8, respAttr.size());     +             +  } +   +  @Test +  public void responseWithJurMandateWithWorkAround() throws EaafException, SpecificCommunicationException { +    basicConfig.putConfigValue("auth.eIDAS.proxy.workaround.mandates.legalperson",  +        "true"); +     +    //request natural person subject only +    LightRequest.Builder eidasRequestBuilder = generateBasicLightRequest(); +    eidasRequestBuilder.requestedAttributes(ImmutableAttributeMap.builder() +        .put(attrRegistry.getCoreAttributeRegistry().getByFriendlyName(Constants.eIDAS_ATTR_PERSONALIDENTIFIER).first()) +        .put(attrRegistry.getCoreAttributeRegistry().getByFriendlyName(Constants.eIDAS_ATTR_LEGALPERSONIDENTIFIER).first()) +        .build()); +    pendingReq.setEidasRequest(eidasRequestBuilder.build()); +         +    Map<String, Object> attr = new HashMap<>(); +    attr.put(MsEidasNodeConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER,  +        "AT+XX:" + RandomStringUtils.randomAlphanumeric(10));     +    IAuthData authData = generateDummyAuthData(attr , EaafConstants.EIDAS_LOA_HIGH, +        RandomStringUtils.randomAlphanumeric(10), RandomStringUtils.randomAlphanumeric(10), "1945-04-18", true); +     +    attr.put(MsEidasNodeConstants.ATTR_EIDAS_JUR_MANDATOR_PERSONAL_IDENTIFIER, +        RandomStringUtils.randomAlphabetic(10)); +    attr.put(PvpAttributeDefinitions.MANDATE_LEG_PER_FULL_NAME_NAME, +        RandomStringUtils.randomAlphabetic(10)); +     +    //perform test +    SloInformationInterface result = action.processRequest(pendingReq, httpReq, httpResp, authData); +     +    //validate state +    Assert.assertNotNull("Result should be not null", result); +     +    ImmutableAttributeMap respAttr = validateBasicEidasResponse(authData); +    assertEquals("wrong attr. size", 10, respAttr.size());   +    checkAttrValue(respAttr, Constants.eIDAS_ATTR_PERSONALIDENTIFIER,  +        (String) attr.get(MsEidasNodeConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER)); +    checkAttrValue(respAttr, Constants.eIDAS_ATTR_CURRENTFAMILYNAME, authData.getFamilyName()); +    checkAttrValue(respAttr, Constants.eIDAS_ATTR_CURRENTGIVENNAME, authData.getGivenName()); +    checkAttrValue(respAttr, Constants.eIDAS_ATTR_DATEOFBIRTH, authData.getDateOfBirth()); +    +  } +   +  @Test +  public void responseWithJurMandateWithWorkAroundNoNatSubject() throws EaafException, SpecificCommunicationException { +    basicConfig.putConfigValue("auth.eIDAS.proxy.workaround.mandates.legalperson",  +        "true"); +     +    //request natural person subject only +    LightRequest.Builder eidasRequestBuilder = generateBasicLightRequest(); +    eidasRequestBuilder.requestedAttributes(ImmutableAttributeMap.builder() +        .put(attrRegistry.getCoreAttributeRegistry().getByFriendlyName(Constants.eIDAS_ATTR_LEGALPERSONIDENTIFIER).first()) +        .build()); +    pendingReq.setEidasRequest(eidasRequestBuilder.build()); +         +    Map<String, Object> attr = new HashMap<>(); +    attr.put(MsEidasNodeConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER,  +        "AT+XX:" + RandomStringUtils.randomAlphanumeric(10));     +    IAuthData authData = generateDummyAuthData(attr , EaafConstants.EIDAS_LOA_HIGH, +        RandomStringUtils.randomAlphanumeric(10), RandomStringUtils.randomAlphanumeric(10), "1945-04-18", true); +     +    attr.put(MsEidasNodeConstants.ATTR_EIDAS_JUR_MANDATOR_PERSONAL_IDENTIFIER, +        RandomStringUtils.randomAlphabetic(10)); +    attr.put(PvpAttributeDefinitions.MANDATE_LEG_PER_FULL_NAME_NAME, +        RandomStringUtils.randomAlphabetic(10)); +     +    //perform test +    SloInformationInterface result = action.processRequest(pendingReq, httpReq, httpResp, authData); +     +    //validate state +    Assert.assertNotNull("Result should be not null", result); +     +    ImmutableAttributeMap respAttr = validateBasicEidasResponse(authData); +    assertEquals("wrong attr. size", 6, respAttr.size());      +    assertNull("find nat. person subject: personalId",  +        getAttrValue(respAttr, Constants.eIDAS_ATTR_PERSONALIDENTIFIER)); +    assertNull("find nat. person subject: familyName",  +        getAttrValue(respAttr, Constants.eIDAS_ATTR_CURRENTFAMILYNAME)); +    assertNull("find nat. person subject: givenName",  +        getAttrValue(respAttr, Constants.eIDAS_ATTR_CURRENTGIVENNAME)); +    assertNull("find nat. person subject: dateOfBirth",  +        getAttrValue(respAttr, Constants.eIDAS_ATTR_DATEOFBIRTH)); +     +  } +   +  @Test +  public void checkBasicConstrainsInAction() { +     +    Assert.assertTrue("Wrong NeedAuthentication", action.needAuthentication(pendingReq, httpReq, httpResp)); +    Assert.assertNotNull("Missing ActionName", action.getDefaultActionName()); +     +    Assert.assertNotNull("missing ActionBean", context.getBean(ProxyServiceAuthenticationAction.class)); +     +  } +   +  private IAuthData generateDummyAuthData() { +    return generateDummyAuthData(Collections.emptyMap(), EaafConstants.EIDAS_LOA_LOW,  +        RandomStringUtils.randomAlphanumeric(10), RandomStringUtils.randomAlphanumeric(10), "1940-01-01", false); +     +  } +   +  private Object getAttrValue(ImmutableAttributeMap respAttr, String attrName) { +    final AttributeDefinition<?> attrDef =  +        attrRegistry.getCoreAttributeRegistry().getByFriendlyName(attrName).first(); +    return respAttr.getFirstValue(attrDef);  +     +  } +   +  private void checkAttrValue(ImmutableAttributeMap respAttr, String attrName, String expected) { +    Object value = getAttrValue(respAttr, attrName);   +    assertNotNull("not attr value: " + attrName, value); +    +    if (value instanceof String) { +      assertEquals("wrong attr. value: " + attrName, expected, value); +      +    } else if ( value instanceof DateTime) { +      assertEquals("wrong attr. value: " + attrName, expected, ((DateTime)value).toString("yyyy-MM-dd")); +           +    }        +  } +   +  private ImmutableAttributeMap validateBasicEidasResponse(IAuthData authData) throws SpecificCommunicationException { +    assertNotNull("not redirct Header", httpResp.getHeader("Location")); +    assertTrue("wrong redirect URL", httpResp.getHeader("Location").startsWith("http://eidas.proxy/endpoint?token="));     +    String token = httpResp.getHeader("Location").substring("http://eidas.proxy/endpoint?token=".length()); +     +    ILightResponse resp = springManagedSpecificConnectorCommunicationService.getAndRemoveResponse(URLDecoder.decode(token),  +        ImmutableSortedSet.copyOf(attrRegistry.getCoreAttributeRegistry().getAttributes()));     +     +    assertNotNull("responseId", resp.getId()); +    assertEquals("inResponseTo", pendingReq.getEidasRequest().getId(), resp.getInResponseToId()); +    assertEquals("relayState", pendingReq.getEidasRequest().getRelayState(), resp.getRelayState()); +    assertEquals("LoA", authData.getEidasQaaLevel(), resp.getLevelOfAssurance()); +     +    assertNotNull("subjectNameId", resp.getSubject()); +    assertEquals("subjectNameIdFormat", NameIDType.TRANSIENT, resp.getSubjectNameIdFormat()); +     +    assertFalse("not attributes", resp.getAttributes().isEmpty());     +    return resp.getAttributes(); +     +  } +   +  private Builder generateBasicLightRequest() { +    return LightRequest.builder() +        .id(UUID.randomUUID().toString()) +        .issuer(RandomStringUtils.randomAlphabetic(10)) +        .citizenCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .levelOfAssurance(EaafConstants.EIDAS_LOA_HIGH) +        .spCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) +        .spType("public") +        .requesterId(RandomStringUtils.randomAlphanumeric(10)) +        .providerName(RandomStringUtils.randomAlphanumeric(10)); +     +  } +   +  private IAuthData generateDummyAuthData(Map<String, Object> attrs, String loa, String familyName, String givenName, String dateOfBirth,  +      boolean useMandates) { +    return new IEidAuthData() { +       +      @Override +      public boolean isSsoSession() { +        // TODO Auto-generated method stub +        return false; +      } +       +      @Override +      public boolean isForeigner() { +        // TODO Auto-generated method stub +        return false; +      } +       +      @Override +      public boolean isBaseIdTransferRestrication() { +        // TODO Auto-generated method stub +        return false; +      } +       +      @Override +      public Date getSsoSessionValidTo() { +        // TODO Auto-generated method stub +        return null; +      } +       +      @Override +      public String getSessionIndex() { +        // TODO Auto-generated method stub +        return null; +      } +       +      @Override +      public String getNameIdFormat() { +        // TODO Auto-generated method stub +        return null; +      } +       +      @Override +      public String getNameID() { +        // TODO Auto-generated method stub +        return null; +      } +       +      @Override +      public IIdentityLink getIdentityLink() { +        // TODO Auto-generated method stub +        return null; +      } +       +      @Override +      public String getIdentificationValue() { +        // TODO Auto-generated method stub +        return null; +      } +       +      @Override +      public String getIdentificationType() { +        // TODO Auto-generated method stub +        return null; +      } +       +      @Override +      public String getGivenName() { +        return givenName; +      } +       +      @Override +      public <T> T getGenericData(String key, Class<T> clazz) { +        if (attrs.containsKey(key)) { +          return (T) attrs.get(key); +           +        } else { +          return null;   +        } +         +      } +       +      @Override +      public String getDateOfBirth() { +        return dateOfBirth; +      } +       +      @Override +      public String getFamilyName() { +        return familyName; +      } +       +      @Override +      public String getEncryptedSourceIdType() { +        // TODO Auto-generated method stub +        return null; +      } +       +      @Override +      public String getEncryptedSourceId() { +        // TODO Auto-generated method stub +        return null; +      } +       +      @Override +      public String getEidasQaaLevel() { +        return loa; +         +      } +       +       +      @Override +      public String getCiticenCountryCode() { +        // TODO Auto-generated method stub +        return null; +      } +       +      @Override +      public String getBpkType() { +        // TODO Auto-generated method stub +        return null; +      } +       +      @Override +      public String getBpk() { +        // TODO Auto-generated method stub +        return null; +      } +       +      @Override +      public String getAuthenticationIssuer() { +        // TODO Auto-generated method stub +        return null; +      } +       +      @Override +      public String getAuthenticationIssueInstantString() { +        // TODO Auto-generated method stub +        return null; +      } +       +      @Override +      public Date getAuthenticationIssueInstant() { +        // TODO Auto-generated method stub +        return null; +      } + +      @Override +      public byte[] getSignerCertificate() { +        // TODO Auto-generated method stub +        return null; +      } + +      @Override +      public byte[] getEidToken() { +        // TODO Auto-generated method stub +        return null; +      } + +      @Override +      public EidIdentityStatusLevelValues getEidStatus() { +        // TODO Auto-generated method stub +        return null; +      } + +      @Override +      public String getVdaEndPointUrl() { +        // TODO Auto-generated method stub +        return null; +      } + +      @Override +      public boolean isUseMandate() { +        return useMandates; +         +      } + +      @Override +      public String getDateOfBirthFormated(String pattern) { +        // TODO Auto-generated method stub +        return null; +      } +    }; +     +  } +} diff --git a/modules/eidas_proxy-sevice/src/test/resources/config/additional-attributes.xml b/modules/eidas_proxy-sevice/src/test/resources/config/additional-attributes.xml new file mode 100644 index 00000000..6510546e --- /dev/null +++ b/modules/eidas_proxy-sevice/src/test/resources/config/additional-attributes.xml @@ -0,0 +1,39 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!--  +#   Copyright (c) 2017 European Commission   +#   Licensed under the EUPL, Version 1.2 or – as soon they will be  +#   approved by the European Commission - subsequent versions of the  +#    EUPL (the "Licence");  +#    You may not use this work except in compliance with the Licence.  +#    You may obtain a copy of the Licence at:  +#    * https://joinup.ec.europa.eu/page/eupl-text-11-12   +#    * +#    Unless required by applicable law or agreed to in writing, software  +#    distributed under the Licence is distributed on an "AS IS" basis,  +#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  +#    See the Licence for the specific language governing permissions and limitations under the Licence. + --> + +<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd"> +<properties> +    <comment>Dynamic attributes</comment> + +    <entry key="1.NameUri">http://eidas.europa.eu/attributes/naturalperson/AdditionalAttribute</entry> +    <entry key="1.FriendlyName">AdditionalAttribute</entry> +    <entry key="1.PersonType">NaturalPerson</entry> +    <entry key="1.Required">false</entry> +    <entry key="1.XmlType.NamespaceUri">http://www.w3.org/2001/XMLSchema</entry> +    <entry key="1.XmlType.LocalPart">string</entry> +    <entry key="1.XmlType.NamespacePrefix">xs</entry> +    <entry key="1.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="2.NameUri">http://eidas.europa.eu/attributes/legalperson/LegalAdditionalAttribute</entry> +    <entry key="2.FriendlyName">LegalAdditionalAttribute</entry> +    <entry key="2.PersonType">LegalPerson</entry> +    <entry key="2.Required">false</entry> +    <entry key="2.XmlType.NamespaceUri">http://www.w3.org/2001/XMLSchema</entry> +    <entry key="2.XmlType.LocalPart">string</entry> +    <entry key="2.XmlType.NamespacePrefix">xs</entry> +    <entry key="2.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +</properties> diff --git a/modules/eidas_proxy-sevice/src/test/resources/config/eidas-attributes.xml b/modules/eidas_proxy-sevice/src/test/resources/config/eidas-attributes.xml new file mode 100644 index 00000000..cbae35db --- /dev/null +++ b/modules/eidas_proxy-sevice/src/test/resources/config/eidas-attributes.xml @@ -0,0 +1,376 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!--  +#   Copyright (c) 2017 European Commission   +#   Licensed under the EUPL, Version 1.2 or – as soon they will be  +#   approved by the European Commission - subsequent versions of the  +#    EUPL (the "Licence");  +#    You may not use this work except in compliance with the Licence.  +#    You may obtain a copy of the Licence at:  +#    * https://joinup.ec.europa.eu/page/eupl-text-11-12   +#    * +#    Unless required by applicable law or agreed to in writing, software  +#    distributed under the Licence is distributed on an "AS IS" basis,  +#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  +#    See the Licence for the specific language governing permissions and limitations under the Licence. + --> + +<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd"> +<properties> +    <comment>eIDAS attributes</comment> + +    <entry key="1.NameUri">http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier</entry> +    <entry key="1.FriendlyName">PersonIdentifier</entry> +    <entry key="1.PersonType">NaturalPerson</entry> +    <entry key="1.Required">true</entry> +    <entry key="1.UniqueIdentifier">true</entry> +    <entry key="1.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson</entry> +    <entry key="1.XmlType.LocalPart">PersonIdentifierType</entry> +    <entry key="1.XmlType.NamespacePrefix">eidas-natural</entry> +    <entry key="1.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="2.NameUri">http://eidas.europa.eu/attributes/naturalperson/CurrentFamilyName</entry> +    <entry key="2.FriendlyName">FamilyName</entry> +    <entry key="2.PersonType">NaturalPerson</entry> +    <entry key="2.Required">true</entry> +    <entry key="2.TransliterationMandatory">true</entry> +    <entry key="2.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson</entry> +    <entry key="2.XmlType.LocalPart">CurrentFamilyNameType</entry> +    <entry key="2.XmlType.NamespacePrefix">eidas-natural</entry> +    <entry key="2.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="3.NameUri">http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName</entry> +    <entry key="3.FriendlyName">FirstName</entry> +    <entry key="3.PersonType">NaturalPerson</entry> +    <entry key="3.Required">true</entry> +    <entry key="3.TransliterationMandatory">true</entry> +    <entry key="3.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson</entry> +    <entry key="3.XmlType.LocalPart">CurrentGivenNameType</entry> +    <entry key="3.XmlType.NamespacePrefix">eidas-natural</entry> +    <entry key="3.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="4.NameUri">http://eidas.europa.eu/attributes/naturalperson/DateOfBirth</entry> +    <entry key="4.FriendlyName">DateOfBirth</entry> +    <entry key="4.PersonType">NaturalPerson</entry> +    <entry key="4.Required">true</entry> +    <entry key="4.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson</entry> +    <entry key="4.XmlType.LocalPart">DateOfBirthType</entry> +    <entry key="4.XmlType.NamespacePrefix">eidas-natural</entry> +    <entry key="4.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.DateTimeAttributeValueMarshaller</entry> + +    <entry key="5.NameUri">http://eidas.europa.eu/attributes/naturalperson/BirthName</entry> +    <entry key="5.FriendlyName">BirthName</entry> +    <entry key="5.PersonType">NaturalPerson</entry> +    <entry key="5.Required">false</entry> +    <entry key="5.TransliterationMandatory">true</entry> +    <entry key="5.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson</entry> +    <entry key="5.XmlType.LocalPart">BirthNameType</entry> +    <entry key="5.XmlType.NamespacePrefix">eidas-natural</entry> +    <entry key="5.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="6.NameUri">http://eidas.europa.eu/attributes/naturalperson/PlaceOfBirth</entry> +    <entry key="6.FriendlyName">PlaceOfBirth</entry> +    <entry key="6.PersonType">NaturalPerson</entry> +    <entry key="6.Required">false</entry> +    <entry key="6.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson</entry> +    <entry key="6.XmlType.LocalPart">PlaceOfBirthType</entry> +    <entry key="6.XmlType.NamespacePrefix">eidas-natural</entry> +    <entry key="6.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="7.NameUri">http://eidas.europa.eu/attributes/naturalperson/CurrentAddress</entry> +    <entry key="7.FriendlyName">CurrentAddress</entry> +    <entry key="7.PersonType">NaturalPerson</entry> +    <entry key="7.Required">false</entry> +    <entry key="7.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson</entry> +    <entry key="7.XmlType.LocalPart">CurrentAddressType</entry> +    <entry key="7.XmlType.NamespacePrefix">eidas-natural</entry> +    <entry key="7.AttributeValueMarshaller">eu.eidas.auth.commons.protocol.eidas.impl.CurrentAddressAttributeValueMarshaller</entry> + +    <entry key="8.NameUri">http://eidas.europa.eu/attributes/naturalperson/Gender</entry> +    <entry key="8.FriendlyName">Gender</entry> +    <entry key="8.PersonType">NaturalPerson</entry> +    <entry key="8.Required">false</entry> +    <entry key="8.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson</entry> +    <entry key="8.XmlType.LocalPart">GenderType</entry> +    <entry key="8.XmlType.NamespacePrefix">eidas-natural</entry> +    <entry key="8.AttributeValueMarshaller">eu.eidas.auth.commons.protocol.eidas.impl.GenderAttributeValueMarshaller</entry> + +    <entry key="9.NameUri">http://eidas.europa.eu/attributes/legalperson/LegalPersonIdentifier</entry> +    <entry key="9.FriendlyName">LegalPersonIdentifier</entry> +    <entry key="9.PersonType">LegalPerson</entry> +    <entry key="9.Required">true</entry> +    <entry key="9.UniqueIdentifier">true</entry> +    <entry key="9.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson</entry> +    <entry key="9.XmlType.LocalPart">LegalPersonIdentifierType</entry> +    <entry key="9.XmlType.NamespacePrefix">eidas-legal</entry> +    <entry key="9.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="10.NameUri">http://eidas.europa.eu/attributes/legalperson/LegalName</entry> +    <entry key="10.FriendlyName">LegalName</entry> +    <entry key="10.PersonType">LegalPerson</entry> +    <entry key="10.Required">true</entry> +    <entry key="10.TransliterationMandatory">true</entry> +    <entry key="10.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson</entry> +    <entry key="10.XmlType.LocalPart">LegalNameType</entry> +    <entry key="10.XmlType.NamespacePrefix">eidas-legal</entry> +    <entry key="10.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="11.NameUri">http://eidas.europa.eu/attributes/legalperson/LegalPersonAddress</entry> +    <entry key="11.FriendlyName">LegalAddress</entry> +    <entry key="11.PersonType">LegalPerson</entry> +    <entry key="11.Required">false</entry> +    <entry key="11.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson</entry> +    <entry key="11.XmlType.LocalPart">LegalPersonAddressType</entry> +    <entry key="11.XmlType.NamespacePrefix">eidas-legal</entry> +    <entry key="11.AttributeValueMarshaller">eu.eidas.auth.commons.protocol.eidas.impl.LegalAddressAttributeValueMarshaller</entry> + +    <entry key="12.NameUri">http://eidas.europa.eu/attributes/legalperson/VATRegistrationNumber</entry> +    <entry key="12.FriendlyName">VATRegistration</entry> +    <entry key="12.PersonType">LegalPerson</entry> +    <entry key="12.Required">false</entry> +    <entry key="12.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson</entry> +    <entry key="12.XmlType.LocalPart">VATRegistrationNumberType</entry> +    <entry key="12.XmlType.NamespacePrefix">eidas-legal</entry> +    <entry key="12.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="13.NameUri">http://eidas.europa.eu/attributes/legalperson/TaxReference</entry> +    <entry key="13.FriendlyName">TaxReference</entry> +    <entry key="13.PersonType">LegalPerson</entry> +    <entry key="13.Required">false</entry> +    <entry key="13.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson</entry> +    <entry key="13.XmlType.LocalPart">TaxReferenceType</entry> +    <entry key="13.XmlType.NamespacePrefix">eidas-legal</entry> +    <entry key="13.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="14.NameUri">http://eidas.europa.eu/attributes/legalperson/D-2012-17-EUIdentifier</entry> +    <entry key="14.FriendlyName">D-2012-17-EUIdentifier</entry> +    <entry key="14.PersonType">LegalPerson</entry> +    <entry key="14.Required">false</entry> +    <entry key="14.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson</entry> +    <entry key="14.XmlType.LocalPart">D-2012-17-EUIdentifierType</entry> +    <entry key="14.XmlType.NamespacePrefix">eidas-legal</entry> +    <entry key="14.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="15.NameUri">http://eidas.europa.eu/attributes/legalperson/LEI</entry> +    <entry key="15.FriendlyName">LEI</entry> +    <entry key="15.PersonType">LegalPerson</entry> +    <entry key="15.Required">false</entry> +    <entry key="15.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson</entry> +    <entry key="15.XmlType.LocalPart">LEIType</entry> +    <entry key="15.XmlType.NamespacePrefix">eidas-legal</entry> +    <entry key="15.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="16.NameUri">http://eidas.europa.eu/attributes/legalperson/EORI</entry> +    <entry key="16.FriendlyName">EORI</entry> +    <entry key="16.PersonType">LegalPerson</entry> +    <entry key="16.Required">false</entry> +    <entry key="16.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson</entry> +    <entry key="16.XmlType.LocalPart">EORIType</entry> +    <entry key="16.XmlType.NamespacePrefix">eidas-legal</entry> +    <entry key="16.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="17.NameUri">http://eidas.europa.eu/attributes/legalperson/SEED</entry> +    <entry key="17.FriendlyName">SEED</entry> +    <entry key="17.PersonType">LegalPerson</entry> +    <entry key="17.Required">false</entry> +    <entry key="17.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson</entry> +    <entry key="17.XmlType.LocalPart">SEEDType</entry> +    <entry key="17.XmlType.NamespacePrefix">eidas-legal</entry> +    <entry key="17.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="18.NameUri">http://eidas.europa.eu/attributes/legalperson/SIC</entry> +    <entry key="18.FriendlyName">SIC</entry> +    <entry key="18.PersonType">LegalPerson</entry> +    <entry key="18.Required">false</entry> +    <entry key="18.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson</entry> +    <entry key="18.XmlType.LocalPart">SICType</entry> +    <entry key="18.XmlType.NamespacePrefix">eidas-legal</entry> +    <entry key="18.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="19.NameUri">http://eidas.europa.eu/attributes/naturalperson/representative/PersonIdentifier</entry> +    <entry key="19.FriendlyName">RepresentativePersonIdentifier</entry> +    <entry key="19.PersonType">RepresentativeNaturalPerson</entry> +    <entry key="19.Required">false</entry> +    <entry key="19.UniqueIdentifier">true</entry> +    <entry key="19.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson/representative</entry> +    <entry key="19.XmlType.LocalPart">PersonIdentifierType</entry> +    <entry key="19.XmlType.NamespacePrefix">eidas-natural</entry> +    <entry key="19.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="20.NameUri">http://eidas.europa.eu/attributes/naturalperson/representative/CurrentFamilyName</entry> +    <entry key="20.FriendlyName">RepresentativeFamilyName</entry> +    <entry key="20.PersonType">RepresentativeNaturalPerson</entry> +    <entry key="20.Required">false</entry> +    <entry key="20.TransliterationMandatory">true</entry> +    <entry key="20.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson/representative</entry> +    <entry key="20.XmlType.LocalPart">CurrentFamilyNameType</entry> +    <entry key="20.XmlType.NamespacePrefix">eidas-reprentative-natural</entry> +    <entry key="20.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="21.NameUri">http://eidas.europa.eu/attributes/naturalperson/representative/CurrentGivenName</entry> +    <entry key="21.FriendlyName">RepresentativeFirstName</entry> +    <entry key="21.PersonType">RepresentativeNaturalPerson</entry> +    <entry key="21.Required">false</entry> +    <entry key="21.TransliterationMandatory">true</entry> +    <entry key="21.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson/representative</entry> +    <entry key="21.XmlType.LocalPart">CurrentGivenNameType</entry> +    <entry key="21.XmlType.NamespacePrefix">eidas-reprentative-natural</entry> +    <entry key="21.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="22.NameUri">http://eidas.europa.eu/attributes/naturalperson/representative/DateOfBirth</entry> +    <entry key="22.FriendlyName">RepresentativeDateOfBirth</entry> +    <entry key="22.PersonType">RepresentativeNaturalPerson</entry> +    <entry key="22.Required">false</entry> +    <entry key="22.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson/representative</entry> +    <entry key="22.XmlType.LocalPart">DateOfBirthType</entry> +    <entry key="22.XmlType.NamespacePrefix">eidas-reprentative-natural</entry> +    <entry key="22.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.DateTimeAttributeValueMarshaller</entry> + +    <entry key="23.NameUri">http://eidas.europa.eu/attributes/naturalperson/representative/BirthName</entry> +    <entry key="23.FriendlyName">RepresentativeBirthName</entry> +    <entry key="23.PersonType">RepresentativeNaturalPerson</entry> +    <entry key="23.Required">false</entry> +    <entry key="23.TransliterationMandatory">true</entry> +    <entry key="23.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson/representative</entry> +    <entry key="23.XmlType.LocalPart">BirthNameType</entry> +    <entry key="23.XmlType.NamespacePrefix">eidas-reprentative-natural</entry> +    <entry key="23.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="24.NameUri">http://eidas.europa.eu/attributes/naturalperson/representative/PlaceOfBirth</entry> +    <entry key="24.FriendlyName">RepresentativePlaceOfBirth</entry> +    <entry key="24.PersonType">RepresentativeNaturalPerson</entry> +    <entry key="24.Required">false</entry> +    <entry key="24.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson/representative</entry> +    <entry key="24.XmlType.LocalPart">PlaceOfBirthType</entry> +    <entry key="24.XmlType.NamespacePrefix">eidas-reprentative-natural</entry> +    <entry key="24.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="25.NameUri">http://eidas.europa.eu/attributes/naturalperson/representative/CurrentAddress</entry> +    <entry key="25.FriendlyName">RepresentativeCurrentAddress</entry> +    <entry key="25.PersonType">RepresentativeNaturalPerson</entry> +    <entry key="25.Required">false</entry> +    <entry key="25.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson/representative</entry> +    <entry key="25.XmlType.LocalPart">CurrentAddressType</entry> +    <entry key="25.XmlType.NamespacePrefix">eidas-reprentative-natural</entry> +    <entry key="25.AttributeValueMarshaller">eu.eidas.auth.commons.protocol.eidas.impl.RepvCurrentAddressAttributeValueMarshaller</entry> + +    <entry key="26.NameUri">http://eidas.europa.eu/attributes/naturalperson/representative/Gender</entry> +    <entry key="26.FriendlyName">RepresentativeGender</entry> +    <entry key="26.PersonType">RepresentativeNaturalPerson</entry> +    <entry key="26.Required">false</entry> +    <entry key="26.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/naturalperson/representative</entry> +    <entry key="26.XmlType.LocalPart">GenderType</entry> +    <entry key="26.XmlType.NamespacePrefix">eidas-reprentative-natural</entry> +    <entry key="26.AttributeValueMarshaller">eu.eidas.auth.commons.protocol.eidas.impl.GenderAttributeValueMarshaller</entry> + +    <entry key="27.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/LegalPersonIdentifier</entry> +    <entry key="27.FriendlyName">RepresentativeLegalPersonIdentifier</entry> +    <entry key="27.PersonType">RepresentativeLegalPerson</entry> +    <entry key="27.Required">false</entry> +    <entry key="27.UniqueIdentifier">true</entry> +    <entry key="27.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry> +    <entry key="27.XmlType.LocalPart">LegalPersonIdentifierType</entry> +    <entry key="27.XmlType.NamespacePrefix">eidas-reprentative-legal</entry> +    <entry key="27.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="28.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/LegalName</entry> +    <entry key="28.FriendlyName">RepresentativeLegalName</entry> +    <entry key="28.PersonType">RepresentativeLegalPerson</entry> +    <entry key="28.Required">false</entry> +    <entry key="28.TransliterationMandatory">true</entry> +    <entry key="28.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry> +    <entry key="28.XmlType.LocalPart">LegalNameType</entry> +    <entry key="28.XmlType.NamespacePrefix">eidas-reprentative-legal</entry> +    <entry key="28.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="29.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/LegalPersonAddress</entry> +    <entry key="29.FriendlyName">RepresentativeLegalAddress</entry> +    <entry key="29.PersonType">RepresentativeLegalPerson</entry> +    <entry key="29.Required">false</entry> +    <entry key="29.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry> +    <entry key="29.XmlType.LocalPart">LegalPersonAddressType</entry> +    <entry key="29.XmlType.NamespacePrefix">eidas-reprentative-legal</entry> +    <entry key="29.AttributeValueMarshaller">eu.eidas.auth.commons.protocol.eidas.impl.RepvLegalAddressAttributeValueMarshaller</entry> + +    <entry key="30.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/VATRegistrationNumber</entry> +    <entry key="30.FriendlyName">RepresentativeVATRegistration</entry> +    <entry key="30.PersonType">RepresentativeLegalPerson</entry> +    <entry key="30.Required">false</entry> +    <entry key="30.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry> +    <entry key="30.XmlType.LocalPart">VATRegistrationNumberType</entry> +    <entry key="30.XmlType.NamespacePrefix">eidas-reprentative-legal</entry> +    <entry key="30.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="31.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/TaxReference</entry> +    <entry key="31.FriendlyName">RepresentativeTaxReference</entry> +    <entry key="31.PersonType">RepresentativeLegalPerson</entry> +    <entry key="31.Required">false</entry> +    <entry key="31.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry> +    <entry key="31.XmlType.LocalPart">TaxReferenceType</entry> +    <entry key="31.XmlType.NamespacePrefix">eidas-reprentative-legal</entry> +    <entry key="31.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="32.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/D-2012-17-EUIdentifier</entry> +    <entry key="32.FriendlyName">RepresentativeD-2012-17-EUIdentifier</entry> +    <entry key="32.PersonType">RepresentativeLegalPerson</entry> +    <entry key="32.Required">false</entry> +    <entry key="32.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry> +    <entry key="32.XmlType.LocalPart">D-2012-17-EUIdentifierType</entry> +    <entry key="32.XmlType.NamespacePrefix">eidas-reprentative-legal</entry> +    <entry key="32.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="33.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/LEI</entry> +    <entry key="33.FriendlyName">RepresentativeLEI</entry> +    <entry key="33.PersonType">RepresentativeLegalPerson</entry> +    <entry key="33.Required">false</entry> +    <entry key="33.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry> +    <entry key="33.XmlType.LocalPart">LEIType</entry> +    <entry key="33.XmlType.NamespacePrefix">eidas-reprentative-legal</entry> +    <entry key="33.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="34.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/EORI</entry> +    <entry key="34.FriendlyName">RepresentativeEORI</entry> +    <entry key="34.PersonType">RepresentativeLegalPerson</entry> +    <entry key="34.Required">false</entry> +    <entry key="34.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry> +    <entry key="34.XmlType.LocalPart">EORIType</entry> +    <entry key="34.XmlType.NamespacePrefix">eidas-reprentative-legal</entry> +    <entry key="34.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="35.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/SEED</entry> +    <entry key="35.FriendlyName">RepresentativeSEED</entry> +    <entry key="35.PersonType">RepresentativeLegalPerson</entry> +    <entry key="35.Required">false</entry> +    <entry key="35.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry> +    <entry key="35.XmlType.LocalPart">SEEDType</entry> +    <entry key="35.XmlType.NamespacePrefix">eidas-reprentative-legal</entry> +    <entry key="35.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="36.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/SIC</entry> +    <entry key="36.FriendlyName">RepresentativeSIC</entry> +    <entry key="36.PersonType">RepresentativeLegalPerson</entry> +    <entry key="36.Required">false</entry> +    <entry key="36.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry> +    <entry key="36.XmlType.LocalPart">SICType</entry> +    <entry key="36.XmlType.NamespacePrefix">eidas-reprentative-legal</entry> +    <entry key="36.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + +    <entry key="39.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/LegalPersonAddress</entry> +    <entry key="39.FriendlyName">RepresentativeLegalAddress</entry> +    <entry key="39.PersonType">RepresentativeLegalPerson</entry> +    <entry key="39.Required">false</entry> +    <entry key="39.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry> +    <entry key="39.XmlType.LocalPart">LegalPersonAddressType</entry> +    <entry key="39.XmlType.NamespacePrefix">eidas-reprentative-legal</entry> +    <entry key="39.AttributeValueMarshaller">eu.eidas.auth.commons.protocol.eidas.impl.RepvLegalAddressAttributeValueMarshaller</entry> + +    <entry key="40.NameUri">http://eidas.europa.eu/attributes/legalperson/representative/VATRegistrationNumber</entry> +    <entry key="40.FriendlyName">RepresentativeVATRegistration</entry> +    <entry key="40.PersonType">RepresentativeLegalPerson</entry> +    <entry key="40.Required">false</entry> +    <entry key="40.XmlType.NamespaceUri">http://eidas.europa.eu/attributes/legalperson/representative</entry> +    <entry key="40.XmlType.LocalPart">VATRegistrationNumberType</entry> +    <entry key="40.XmlType.NamespacePrefix">eidas-reprentative-legal</entry> +    <entry key="40.AttributeValueMarshaller">eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller</entry> + + +</properties> diff --git a/modules/eidas_proxy-sevice/src/test/resources/config/junit_config_1.properties b/modules/eidas_proxy-sevice/src/test/resources/config/junit_config_1.properties new file mode 100644 index 00000000..4f3b82b5 --- /dev/null +++ b/modules/eidas_proxy-sevice/src/test/resources/config/junit_config_1.properties @@ -0,0 +1,6 @@ +## Basic service configuration +eidas.ms.context.url.prefix=http://localhost +eidas.ms.context.url.request.validation=false + +eidas.ms.auth.eIDAS.node_v2.proxy.entityId=ownSpecificProxy +eidas.ms.auth.eIDAS.node_v2.proxy.forward.endpoint=http://eidas.proxy/endpoint
\ No newline at end of file diff --git a/modules/eidas_proxy-sevice/src/test/resources/spring/SpringTest-context_basic_mapConfig.xml b/modules/eidas_proxy-sevice/src/test/resources/spring/SpringTest-context_basic_mapConfig.xml new file mode 100644 index 00000000..fe9ff441 --- /dev/null +++ b/modules/eidas_proxy-sevice/src/test/resources/spring/SpringTest-context_basic_mapConfig.xml @@ -0,0 +1,20 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" +  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" +  xmlns:context="http://www.springframework.org/schema/context" +  xmlns:tx="http://www.springframework.org/schema/tx" +  xmlns:aop="http://www.springframework.org/schema/aop" +  xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd +    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd +    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd +    http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd"> + +  <context:annotation-config /> + +  <bean id="dummyMapBasedConfiguration" +        class="at.asitplus.eidas.specific.core.test.config.dummy.MsConnectorDummyConfigMap"> +    <constructor-arg value="/config/junit_config_1.properties" /> +    <property name="configRootDirSufix" value="src/test/resources/config" /> +  </bean> + +</beans>
\ No newline at end of file diff --git a/modules/eidas_proxy-sevice/src/test/resources/spring/SpringTest-context_basic_test.xml b/modules/eidas_proxy-sevice/src/test/resources/spring/SpringTest-context_basic_test.xml new file mode 100644 index 00000000..9870d22a --- /dev/null +++ b/modules/eidas_proxy-sevice/src/test/resources/spring/SpringTest-context_basic_test.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" +  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" +  xmlns:context="http://www.springframework.org/schema/context" +  xmlns:tx="http://www.springframework.org/schema/tx" +  xmlns:aop="http://www.springframework.org/schema/aop" +  xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd +    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd +    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd +    http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd"> + + +  <import resource="classpath:/SpringTest-context_authManager.xml" /> +  <import resource="classpath:/spring/eidas_proxy-service.beans.xml"/> + +  <bean id="springManagedSpecificProxyserviceCommunicationService" +        class="at.asitplus.eidas.specific.modules.auth.eidas.v2.test.dummy.DummySpecificCommunicationService" /> + + <bean id="mvcGUIBuilderImpl" +    class="at.gv.egiz.eaaf.core.impl.gui.builder.SpringMvcGuiFormBuilderImpl" /> + +  <bean id="specificConnectorAttributesFileWithPath" +    class="java.lang.String"> +    <constructor-arg +      value="src/test/resources/config/eidas-attributes.xml" /> +  </bean> + +  <bean id="specificConnectorAdditionalAttributesFileWithPath" +    class="java.lang.String"> +    <constructor-arg +      value="src/test/resources/config/additional-attributes.xml" /> +  </bean> + +  <bean id="attributeRegistry" +    class="at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry"> +    <property name="eidasAttributesFile" +      ref="specificConnectorAttributesFileWithPath" /> +    <property name="additionalAttributesFile" +      ref="specificConnectorAdditionalAttributesFileWithPath" /> +  </bean> + +</beans>
\ No newline at end of file diff --git a/modules/pom.xml b/modules/pom.xml index a6e9c696..a431d429 100644 --- a/modules/pom.xml +++ b/modules/pom.xml @@ -15,7 +15,9 @@  	<modules>      <module>core_common_lib</module>      <module>core_common_webapp</module>     -		<module>authmodule-eIDAS-v2</module> +    <module>authmodule-eIDAS-v2</module> +    <module>authmodule_id-austria</module> +    <module>eidas_proxy-sevice</module>  	</modules>  </project> | 
