aboutsummaryrefslogtreecommitdiff
path: root/ms_specific_connector/src/main/java/at
diff options
context:
space:
mode:
Diffstat (limited to 'ms_specific_connector/src/main/java/at')
-rw-r--r--ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/MsSpecificEidasNodeSpringResourceProvider.java54
-rw-r--r--ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/MsSpecificSpringBootApplicationContextInitializer.java82
-rw-r--r--ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/SpringBootApplicationInitializer.java105
-rw-r--r--ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java68
-rw-r--r--ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/EidasBindAttributeBuilder.java64
-rw-r--r--ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/builder/PvpSubjectNameGenerator.java40
-rw-r--r--ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/config/MsConnectorMessageSource.java21
-rw-r--r--ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/config/PvpEndPointConfiguration.java158
-rw-r--r--ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/config/PvpMetadataConfiguration.java269
-rw-r--r--ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/controller/ProcessEngineSignalController.java59
-rw-r--r--ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/controller/Pvp2SProfileEndpoint.java80
-rw-r--r--ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/health/Saml2MetadataHealthIndicator.java44
-rw-r--r--ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/processes/CountrySelectionProcessImpl.java68
-rw-r--r--ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/processes/tasks/EvaluateCountrySelectionTask.java83
-rw-r--r--ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/processes/tasks/GenerateCountrySelectionFrameTask.java84
-rw-r--r--ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpEndPointCredentialProvider.java97
-rw-r--r--ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataConfigurationFactory.java51
-rw-r--r--ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java183
-rw-r--r--ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/verification/AuthnRequestValidator.java382
19 files changed, 1992 insertions, 0 deletions
diff --git a/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/MsSpecificEidasNodeSpringResourceProvider.java b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/MsSpecificEidasNodeSpringResourceProvider.java
new file mode 100644
index 00000000..45e5c7d4
--- /dev/null
+++ b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/MsSpecificEidasNodeSpringResourceProvider.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright 2018 A-SIT Plus GmbH
+ * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ,
+ * A-SIT Plus GmbH, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "License");
+ * You may not use this work except in compliance with the License.
+ * You may obtain a copy of the License at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+package at.asitplus.eidas.specific.connector;
+
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
+
+import at.gv.egiz.components.spring.api.SpringResourceProvider;
+
+public class MsSpecificEidasNodeSpringResourceProvider implements SpringResourceProvider {
+
+ @Override
+ public Resource[] getResourcesToLoad() {
+ final ClassPathResource generic =
+ new ClassPathResource("/applicationContext.xml", MsSpecificEidasNodeSpringResourceProvider.class);
+ final ClassPathResource msEidasNode = new ClassPathResource(
+ "/specific_eIDAS_connector.beans.xml", MsSpecificEidasNodeSpringResourceProvider.class);
+
+ return new Resource[] { generic, msEidasNode};
+
+ }
+
+ @Override
+ public String[] getPackagesToScan() {
+ return null;
+ }
+
+ @Override
+ public String getName() {
+ return "MS-specific eIDAS-Connector SpringResourceProvider";
+ }
+
+}
diff --git a/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/MsSpecificSpringBootApplicationContextInitializer.java b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/MsSpecificSpringBootApplicationContextInitializer.java
new file mode 100644
index 00000000..399d1286
--- /dev/null
+++ b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/MsSpecificSpringBootApplicationContextInitializer.java
@@ -0,0 +1,82 @@
+package at.asitplus.eidas.specific.connector;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.util.Properties;
+
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.context.ConfigurableApplicationContext;
+import org.springframework.core.env.MutablePropertySources;
+import org.springframework.core.env.PropertiesPropertySource;
+
+import at.gv.egiz.components.spring.api.SpringBootApplicationContextInitializer;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public class MsSpecificSpringBootApplicationContextInitializer extends
+ SpringBootApplicationContextInitializer {
+
+ private static final String SYSTEMD_PROP_NAME = "eidas.ms.configuration";
+ private static final String PATH_FILE_PREFIX = "file:";
+
+ @Override
+ public void initialize(ConfigurableApplicationContext applicationContext) {
+ String configPath = System.getProperty(SYSTEMD_PROP_NAME);
+ if (StringUtils.isNotEmpty(configPath)) {
+ log.debug("Find configuration-source from SystemD Property: '{}' ...", SYSTEMD_PROP_NAME);
+ if (configPath.startsWith(PATH_FILE_PREFIX)) {
+ configPath = configPath.substring(PATH_FILE_PREFIX.length());
+
+ }
+ injectConfiguration(configPath, applicationContext);
+
+ } else {
+ log.info("Find NO SystemD Property: '{}' Maybe no configuration available", SYSTEMD_PROP_NAME);
+
+ }
+
+ super.initialize(applicationContext);
+
+ }
+
+ private void injectConfiguration(String configPath, ConfigurableApplicationContext applicationContext) {
+ InputStream is = null;
+ try {
+ Path path = Paths.get(configPath);
+ if (Files.exists(path)) {
+ File file = new File(configPath);
+ Properties props = new Properties();
+ is = new FileInputStream(file);
+ props.load(is);
+ MutablePropertySources sources = applicationContext.getEnvironment().getPropertySources();
+ sources.addFirst(new PropertiesPropertySource(SYSTEMD_PROP_NAME, props));
+ log.info("Set configuration-source from SystemD-Property: {}", SYSTEMD_PROP_NAME);
+
+ } else {
+ log.error("Configuration from SystemD Property: '{}' at Location: {} DOES NOT exist",
+ SYSTEMD_PROP_NAME, configPath);
+
+ }
+
+ } catch (IOException e) {
+ log.error("Configuration from SystemD Property: '{}' at Location: {} CAN NOT be loaded",
+ SYSTEMD_PROP_NAME, configPath, e);
+
+ } finally {
+ try {
+ if (is != null) {
+ is.close();
+
+ }
+ } catch (IOException e) {
+ log.error("Can not close InputStream of configLoader: {}", configPath, e);
+
+ }
+ }
+ }
+}
diff --git a/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/SpringBootApplicationInitializer.java b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/SpringBootApplicationInitializer.java
new file mode 100644
index 00000000..6616db23
--- /dev/null
+++ b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/SpringBootApplicationInitializer.java
@@ -0,0 +1,105 @@
+package at.asitplus.eidas.specific.connector;
+
+import org.opensaml.core.config.InitializationException;
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.builder.SpringApplicationBuilder;
+import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
+import org.springframework.context.ConfigurableApplicationContext;
+import org.springframework.web.context.WebApplicationContext;
+
+import at.gv.egiz.eaaf.core.api.IStatusMessenger;
+import at.gv.egiz.eaaf.core.impl.logging.LogMessageProviderFactory;
+import at.gv.egiz.eaaf.core.impl.logging.SimpleStatusMessager;
+import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer;
+import lombok.extern.slf4j.Slf4j;
+import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
+
+@Slf4j
+@SpringBootApplication(scanBasePackages = {
+ "at.asitplus.eidas.specific.connector",
+ "at.gv.egiz.eaaf.utils.springboot.ajp"
+ })
+public class SpringBootApplicationInitializer extends SpringBootServletInitializer {
+
+ private static ConfigurableApplicationContext ctx;
+
+ /**
+ * Starts MS-specific eIDAS-Implementation SpringBoot application.
+ *
+ * @param args Starting parameters
+ * @throws Throwable In case of a start-up error
+ */
+ public static void main(final String[] args) throws Throwable {
+ try {
+ log.info("=============== Initializing Spring-Boot context! ===============");
+ LogMessageProviderFactory.setStatusMessager(new SimpleStatusMessager());
+ final SpringApplication springApp =
+ new SpringApplication(SpringBootApplicationInitializer.class);
+ springApp.addInitializers(new MsSpecificSpringBootApplicationContextInitializer());
+
+ log.info("Bootstrap openSAML .... ");
+ EaafOpenSaml3xInitializer.eaafInitialize();
+
+ log.debug("Run SpringBoot initialization process ... ");
+ ctx = springApp.run(args);
+
+ // initialize status messenger
+ LogMessageProviderFactory.setStatusMessager(ctx.getBean(IStatusMessenger.class));
+
+ log.info("Initialization of MS-specific eIDAS-Connector finished.");
+
+ } catch (final Throwable e) {
+ log.error("MS-specific eIDAS-Connector initialization FAILED!", e);
+ throw e;
+
+ }
+
+ }
+
+
+ protected SpringApplicationBuilder createSpringApplicationBuilder() {
+ try {
+ log.info("Bootstrap openSAML .... ");
+ EaafOpenSaml3xInitializer.eaafInitialize();
+
+ } catch (InitializationException | ComponentInitializationException e) {
+ throw new RuntimeException(e);
+
+ }
+
+ SpringApplicationBuilder builder = new SpringApplicationBuilder();
+ builder.initializers(new MsSpecificSpringBootApplicationContextInitializer());
+ return builder;
+
+ }
+
+ protected WebApplicationContext run(SpringApplication application) {
+ WebApplicationContext internalContext = (WebApplicationContext) application.run();
+
+ // initialize status messenger
+ LogMessageProviderFactory.setStatusMessager(internalContext.getBean(IStatusMessenger.class));
+
+ log.info("Initialization of MS-specific eIDAS-Connector finished.");
+
+ return internalContext;
+ }
+
+ /**
+ * Stops SpringBoot application of MS-specific eIDAS-Implementation.
+ *
+ */
+ public static void exit() {
+ if (ctx != null) {
+ log.info("Stopping SpringBoot application ... ");
+ SpringApplication.exit(ctx, () -> 0);
+ ctx = null;
+
+ } else {
+ log.info("No SpringBoot context. Nothing todo");
+
+ }
+
+ }
+
+}
diff --git a/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java
new file mode 100644
index 00000000..17eb0704
--- /dev/null
+++ b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java
@@ -0,0 +1,68 @@
+/*
+ * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
+ * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
+ * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
+ * compliance with the Licence. You may obtain a copy of the Licence at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence
+ * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the Licence for the specific language governing permissions and limitations under
+ * the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text file for details on the
+ * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
+ * works that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+package at.asitplus.eidas.specific.connector.attributes;
+
+import static at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions.EID_AUTHBLOCK_SIGNED_FRIENDLY_NAME;
+import static at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions.EID_AUTHBLOCK_SIGNED_NAME;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+
+import org.apache.commons.lang3.StringUtils;
+
+import at.asitplus.eidas.specific.core.MsEidasNodeConstants;
+import at.gv.egiz.eaaf.core.api.idp.IAttributeGenerator;
+import at.gv.egiz.eaaf.core.api.idp.IAuthData;
+import at.gv.egiz.eaaf.core.api.idp.IPvpAttributeBuilder;
+import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException;
+import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException;
+import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.PvpMetadata;
+
+
+@PvpMetadata
+public class AuthBlockAttributeBuilder implements IPvpAttributeBuilder {
+
+ @Override
+ public String getName() {
+ return EID_AUTHBLOCK_SIGNED_NAME;
+ }
+
+ @Override
+ public <ATT> ATT build(final ISpConfiguration oaParam, final IAuthData authData,
+ final IAttributeGenerator<ATT> g) throws AttributeBuilderException {
+
+ String authBlock = authData.getGenericData(MsEidasNodeConstants.AUTH_DATA_SZR_AUTHBLOCK, String.class);
+ if (StringUtils.isNotEmpty(authBlock)) {
+ return g.buildStringAttribute(EID_AUTHBLOCK_SIGNED_FRIENDLY_NAME, EID_AUTHBLOCK_SIGNED_NAME,
+ Base64.getEncoder().encodeToString(authBlock.getBytes(StandardCharsets.UTF_8)));
+
+ } else {
+ throw new UnavailableAttributeException(EID_AUTHBLOCK_SIGNED_NAME);
+ }
+
+ }
+
+ @Override
+ public <ATT> ATT buildEmpty(final IAttributeGenerator<ATT> g) {
+ return g.buildEmptyAttribute(EID_AUTHBLOCK_SIGNED_FRIENDLY_NAME, EID_AUTHBLOCK_SIGNED_NAME);
+ }
+
+}
diff --git a/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/EidasBindAttributeBuilder.java b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/EidasBindAttributeBuilder.java
new file mode 100644
index 00000000..18eb74f8
--- /dev/null
+++ b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/EidasBindAttributeBuilder.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
+ * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
+ * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
+ * compliance with the Licence. You may obtain a copy of the Licence at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the Licence
+ * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the Licence for the specific language governing permissions and limitations under
+ * the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text file for details on the
+ * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
+ * works that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+package at.asitplus.eidas.specific.connector.attributes;
+
+import static at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions.EID_EIDBIND_FRIENDLY_NAME;
+import static at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions.EID_EIDBIND_NAME;
+
+import org.apache.commons.lang3.StringUtils;
+
+import at.asitplus.eidas.specific.core.MsEidasNodeConstants;
+import at.gv.egiz.eaaf.core.api.idp.IAttributeGenerator;
+import at.gv.egiz.eaaf.core.api.idp.IAuthData;
+import at.gv.egiz.eaaf.core.api.idp.IPvpAttributeBuilder;
+import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException;
+import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException;
+import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.PvpMetadata;
+
+@PvpMetadata
+public class EidasBindAttributeBuilder implements IPvpAttributeBuilder {
+
+
+ @Override
+ public String getName() {
+ return EID_EIDBIND_NAME;
+ }
+
+ @Override
+ public <ATT> ATT build(final ISpConfiguration oaParam, final IAuthData authData,
+ final IAttributeGenerator<ATT> g) throws AttributeBuilderException {
+
+ String eidasBind = authData.getGenericData(MsEidasNodeConstants.AUTH_DATA_EIDAS_BIND, String.class);
+ if (StringUtils.isNotEmpty(eidasBind)) {
+ return g.buildStringAttribute(EID_EIDBIND_FRIENDLY_NAME, EID_EIDBIND_NAME, eidasBind);
+
+ } else {
+ throw new UnavailableAttributeException(EID_EIDBIND_NAME);
+ }
+
+ }
+
+ @Override
+ public <ATT> ATT buildEmpty(final IAttributeGenerator<ATT> g) {
+ return g.buildEmptyAttribute(EID_EIDBIND_FRIENDLY_NAME, EID_EIDBIND_NAME);
+ }
+
+}
diff --git a/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/builder/PvpSubjectNameGenerator.java b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/builder/PvpSubjectNameGenerator.java
new file mode 100644
index 00000000..d4e97433
--- /dev/null
+++ b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/builder/PvpSubjectNameGenerator.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2018 A-SIT Plus GmbH
+ * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ,
+ * A-SIT Plus GmbH, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "License");
+ * You may not use this work except in compliance with the License.
+ * You may obtain a copy of the License at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
+package at.asitplus.eidas.specific.connector.builder;
+
+import at.gv.egiz.eaaf.core.api.idp.IAuthData;
+import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception;
+import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator;
+
+public class PvpSubjectNameGenerator implements ISubjectNameIdGenerator {
+
+ @Override
+ public Pair<String, String> generateSubjectNameId(IAuthData authData, ISpConfiguration spConfig)
+ throws Pvp2Exception {
+ return Pair.newInstance(authData.getBpk(), authData.getBpkType());
+ }
+
+}
diff --git a/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/config/MsConnectorMessageSource.java b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/config/MsConnectorMessageSource.java
new file mode 100644
index 00000000..59df6375
--- /dev/null
+++ b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/config/MsConnectorMessageSource.java
@@ -0,0 +1,21 @@
+package at.asitplus.eidas.specific.connector.config;
+
+import java.util.Arrays;
+import java.util.List;
+
+import at.gv.egiz.eaaf.core.api.logging.IMessageSourceLocation;
+
+/**
+ * Inject eIDAS Connector specific messages into Spring based message-source.
+ *
+ * @author tlenz
+ *
+ */
+public class MsConnectorMessageSource implements IMessageSourceLocation {
+
+ @Override
+ public List<String> getMessageSourceLocation() {
+ return Arrays.asList("classpath:/properties/messages");
+ }
+
+}
diff --git a/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/config/PvpEndPointConfiguration.java b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/config/PvpEndPointConfiguration.java
new file mode 100644
index 00000000..81c37bd0
--- /dev/null
+++ b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/config/PvpEndPointConfiguration.java
@@ -0,0 +1,158 @@
+/*
+ * Copyright 2018 A-SIT Plus GmbH
+ * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ,
+ * A-SIT Plus GmbH, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "License");
+ * You may not use this work except in compliance with the License.
+ * You may obtain a copy of the License at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
+package at.asitplus.eidas.specific.connector.config;
+
+import java.util.Arrays;
+import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
+import org.opensaml.saml.saml2.metadata.ContactPerson;
+import org.opensaml.saml.saml2.metadata.ContactPersonTypeEnumeration;
+import org.opensaml.saml.saml2.metadata.EmailAddress;
+import org.opensaml.saml.saml2.metadata.GivenName;
+import org.opensaml.saml.saml2.metadata.Organization;
+import org.opensaml.saml.saml2.metadata.OrganizationDisplayName;
+import org.opensaml.saml.saml2.metadata.OrganizationName;
+import org.opensaml.saml.saml2.metadata.OrganizationURL;
+import org.opensaml.saml.saml2.metadata.SurName;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import at.asitplus.eidas.specific.core.MsEidasNodeConstants;
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.modules.pvp2.api.IPvp2BasicConfiguration;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
+
+@Service("PVPEndPointConfiguration")
+public class PvpEndPointConfiguration implements IPvp2BasicConfiguration {
+ private static final Logger log = LoggerFactory.getLogger(PvpEndPointConfiguration.class);
+
+ private static final String DEFAULT_XML_LANG = "en";
+
+ @Autowired(required = true)
+ IConfiguration basicConfiguration;
+
+ @Override
+ public String getIdpEntityId(String authUrl) throws EaafException {
+ return removePostFix(authUrl) + MsEidasNodeConstants.ENDPOINT_PVP_METADATA;
+
+ }
+
+ @Override
+ public String getIdpSsoPostService(String authUrl) throws EaafException {
+ return removePostFix(authUrl) + MsEidasNodeConstants.ENDPOINT_PVP_POST;
+
+ }
+
+ @Override
+ public String getIdpSsoRedirectService(String authUrl) throws EaafException {
+ return removePostFix(authUrl) + MsEidasNodeConstants.ENDPOINT_PVP_REDIRECT;
+
+ }
+
+ @Override
+ public String getIdpSsoSoapService(String extractAuthUrlFromRequest) throws EaafException {
+ log.warn("PVP S-Profile End-Point does NOT support SOAP Binding");
+ return null;
+
+ }
+
+ @Override
+ public List<ContactPerson> getIdpContacts() throws EaafException {
+ final ContactPerson contactPerson = Saml2Utils.createSamlObject(ContactPerson.class);
+ final GivenName givenName = Saml2Utils.createSamlObject(GivenName.class);
+ final SurName surname = Saml2Utils.createSamlObject(SurName.class);
+ final EmailAddress emailAddress = Saml2Utils.createSamlObject(EmailAddress.class);
+
+ givenName.setValue(getAndVerifyFromConfiguration(
+ MsEidasNodeConstants.CONFIG_PROPS_METADATA_CONTACT_GIVENNAME));
+ surname.setValue(getAndVerifyFromConfiguration(
+ MsEidasNodeConstants.CONFIG_PROPS_METADATA_CONTACT_SURNAME));
+ emailAddress.setURI(getAndVerifyFromConfiguration(
+ MsEidasNodeConstants.CONFIG_PROPS_METADATA_CONTACT_EMAIL));
+
+ contactPerson.setType(ContactPersonTypeEnumeration.TECHNICAL);
+ contactPerson.setGivenName(givenName);
+ contactPerson.setSurName(surname);
+ contactPerson.getEmailAddresses().add(emailAddress);
+
+ return Arrays.asList(contactPerson);
+
+ }
+
+ @Override
+ public Organization getIdpOrganisation() throws EaafException {
+ final Organization organisation = Saml2Utils.createSamlObject(Organization.class);
+ final OrganizationName orgName = Saml2Utils.createSamlObject(OrganizationName.class);
+ final OrganizationDisplayName orgDisplayName = Saml2Utils.createSamlObject(OrganizationDisplayName.class);
+ final OrganizationURL orgUrl = Saml2Utils.createSamlObject(OrganizationURL.class);
+
+ orgName.setXMLLang(DEFAULT_XML_LANG);
+ orgName.setValue(getAndVerifyFromConfiguration(
+ MsEidasNodeConstants.CONFIG_PROPS_METADATA_ORGANISATION_NAME));
+
+ orgDisplayName.setXMLLang(DEFAULT_XML_LANG);
+ orgDisplayName.setValue(getAndVerifyFromConfiguration(
+ MsEidasNodeConstants.CONFIG_PROPS_METADATA_ORGANISATION_FRIENDLYNAME));
+
+ orgUrl.setXMLLang(DEFAULT_XML_LANG);
+ orgUrl.setURI(getAndVerifyFromConfiguration(
+ MsEidasNodeConstants.CONFIG_PROPS_METADATA_ORGANISATION_URL));
+
+
+ organisation.getOrganizationNames().add(orgName);
+ organisation.getDisplayNames().add(orgDisplayName);
+ organisation.getURLs().add(orgUrl);
+
+ return organisation;
+ }
+
+ @Override
+ public IConfiguration getBasicConfiguration() {
+ return basicConfiguration;
+ }
+
+ private String removePostFix(String url) {
+ if (url != null && url.endsWith("/")) {
+ return url.substring(0, url.length() - 1);
+ } else {
+ return url;
+ }
+ }
+
+ private String getAndVerifyFromConfiguration(String configKey) throws EaafConfigurationException {
+ final String value = basicConfiguration.getBasicConfiguration(configKey);
+ if (StringUtils.isEmpty(value)) {
+ throw new EaafConfigurationException("config.08",
+ new Object[] {configKey});
+
+ }
+
+ return value;
+ }
+}
diff --git a/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/config/PvpMetadataConfiguration.java b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/config/PvpMetadataConfiguration.java
new file mode 100644
index 00000000..e83fd4cf
--- /dev/null
+++ b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/config/PvpMetadataConfiguration.java
@@ -0,0 +1,269 @@
+/*
+ * Copyright 2018 A-SIT Plus GmbH
+ * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ,
+ * A-SIT Plus GmbH, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "License");
+ * You may not use this work except in compliance with the License.
+ * You may obtain a copy of the License at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
+package at.asitplus.eidas.specific.connector.config;
+
+import java.util.Arrays;
+import java.util.List;
+
+import org.opensaml.saml.saml2.core.Attribute;
+import org.opensaml.saml.saml2.core.NameIDType;
+import org.opensaml.saml.saml2.metadata.ContactPerson;
+import org.opensaml.saml.saml2.metadata.Organization;
+import org.opensaml.saml.saml2.metadata.RequestedAttribute;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import at.asitplus.eidas.specific.core.MsEidasNodeConstants;
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.modules.pvp2.api.IPvp2BasicConfiguration;
+import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataBuilderConfiguration;
+import at.gv.egiz.eaaf.modules.pvp2.api.utils.IPvp2CredentialProvider;
+import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
+import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder;
+
+public class PvpMetadataConfiguration implements IPvpMetadataBuilderConfiguration {
+ private static final Logger log = LoggerFactory.getLogger(PvpMetadataConfiguration.class);
+
+ private final IConfiguration basicConfig;
+ private final String authUrl;
+ private final IPvp2CredentialProvider pvpIdpCredentials;
+ private final IPvp2BasicConfiguration pvpBasicConfig;
+
+ /**
+ * Configuration object to create PVP2 S-Profile metadata.
+ *
+ * @param basicConfig Application configuration
+ * @param authUrl Public-URL Prefix of the application
+ * @param pvpBasicConfig PVP2 configuration object
+ * @param pvpIdpCredentials2 PVP2 credentials
+ */
+ public PvpMetadataConfiguration(IConfiguration basicConfig, String authUrl,
+ IPvp2BasicConfiguration pvpBasicConfig, IPvp2CredentialProvider pvpIdpCredentials2) {
+ this.authUrl = authUrl;
+ this.pvpIdpCredentials = pvpIdpCredentials2;
+ this.basicConfig = basicConfig;
+ this.pvpBasicConfig = pvpBasicConfig;
+
+ }
+
+ @Override
+ public String getSpNameForLogging() {
+ return "PVP2 S-Profile IDP";
+ }
+
+ @Override
+ public int getMetadataValidUntil() {
+ return Integer.parseInt(basicConfig.getBasicConfiguration(
+ MsEidasNodeConstants.PROP_CONFIG_PVP2_METADATA_VALIDITY,
+ String.valueOf(MsEidasNodeConstants.DEFAULT_PVP_METADATA_VALIDITY)));
+
+ }
+
+ @Override
+ public boolean buildEntitiesDescriptorAsRootElement() {
+ return false;
+
+ }
+
+ @Override
+ public boolean buildIdpSsoDescriptor() {
+ return true;
+
+ }
+
+ @Override
+ public boolean buildSpSsoDescriptor() {
+ return false;
+
+ }
+
+ @Override
+ public String getEntityID() {
+ try {
+ return pvpBasicConfig.getIdpEntityId(authUrl);
+
+ } catch (final EaafException e) {
+ log.error("Can NOT build PVP metadata configuration.", e);
+ throw new RuntimeException("Can NOT build PVP metadata configuration.");
+
+ }
+
+ }
+
+ @Override
+ public String getEntityFriendlyName() {
+ return null;
+
+ }
+
+ @Override
+ public List<ContactPerson> getContactPersonInformation() {
+ try {
+ return pvpBasicConfig.getIdpContacts();
+
+ } catch (final EaafException e) {
+ log.error("Can NOT build PVP metadata configuration.", e);
+ throw new RuntimeException("Can NOT build PVP metadata configuration.");
+
+ }
+
+ }
+
+ @Override
+ public Organization getOrgansiationInformation() {
+ try {
+ return pvpBasicConfig.getIdpOrganisation();
+
+ } catch (final EaafException e) {
+ log.error("Can NOT build PVP metadata configuration.", e);
+ throw new RuntimeException("Can NOT build PVP metadata configuration.");
+
+ }
+ }
+
+ @Override
+ public EaafX509Credential getMetadataSigningCredentials() throws CredentialsNotAvailableException {
+ return pvpIdpCredentials.getMetaDataSigningCredential();
+
+ }
+
+ @Override
+ public EaafX509Credential getRequestorResponseSigningCredentials() throws CredentialsNotAvailableException {
+ return pvpIdpCredentials.getMessageSigningCredential();
+
+ }
+
+ @Override
+ public EaafX509Credential getEncryptionCredentials() throws CredentialsNotAvailableException {
+ return null;
+
+ }
+
+ @Override
+ public String getIdpWebSsoPostBindingUrl() {
+ try {
+ return pvpBasicConfig.getIdpSsoPostService(authUrl);
+
+ } catch (final EaafException e) {
+ log.error("Can NOT build PVP metadata configuration.", e);
+ throw new RuntimeException("Can NOT build PVP metadata configuration.");
+
+ }
+
+ }
+
+ @Override
+ public String getIdpWebSsoRedirectBindingUrl() {
+ try {
+ return pvpBasicConfig.getIdpSsoRedirectService(authUrl);
+
+ } catch (final EaafException e) {
+ log.error("Can NOT build PVP metadata configuration.", e);
+ throw new RuntimeException("Can NOT build PVP metadata configuration.");
+
+ }
+ }
+
+ @Override
+ public String getIdpSloPostBindingUrl() {
+ return null;
+
+ }
+
+ @Override
+ public String getIdpSloRedirectBindingUrl() {
+ return null;
+
+ }
+
+ @Override
+ public String getSpAssertionConsumerServicePostBindingUrl() {
+ return null;
+
+ }
+
+ @Override
+ public String getSpAssertionConsumerServiceRedirectBindingUrl() {
+ return null;
+
+ }
+
+ @Override
+ public String getSpSloPostBindingUrl() {
+ return null;
+
+ }
+
+ @Override
+ public String getSpSloRedirectBindingUrl() {
+ return null;
+
+ }
+
+ @Override
+ public String getSpSloSoapBindingUrl() {
+ return null;
+
+ }
+
+ @Override
+ public List<Attribute> getIdpPossibleAttributes() {
+ return PvpAttributeBuilder.buildSupportedEmptyAttributes();
+
+ }
+
+ @Override
+ public List<String> getIdpPossibleNameIdTypes() {
+ return Arrays.asList(NameIDType.PERSISTENT,
+ NameIDType.TRANSIENT,
+ NameIDType.UNSPECIFIED);
+ }
+
+ @Override
+ public List<RequestedAttribute> getSpRequiredAttributes() {
+ return null;
+
+ }
+
+ @Override
+ public List<String> getSpAllowedNameIdTypes() {
+ return null;
+
+ }
+
+ @Override
+ public boolean wantAssertionSigned() {
+ return false;
+
+ }
+
+ @Override
+ public boolean wantAuthnRequestSigned() {
+ return true;
+
+ }
+
+}
diff --git a/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/controller/ProcessEngineSignalController.java b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/controller/ProcessEngineSignalController.java
new file mode 100644
index 00000000..f360185b
--- /dev/null
+++ b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/controller/ProcessEngineSignalController.java
@@ -0,0 +1,59 @@
+/*
+ * Copyright 2018 A-SIT Plus GmbH
+ * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ,
+ * A-SIT Plus GmbH, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "License");
+ * You may not use this work except in compliance with the License.
+ * You may obtain a copy of the License at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+package at.asitplus.eidas.specific.connector.controller;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+import at.asitplus.eidas.specific.core.MsEidasNodeConstants;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController;
+
+/**
+ * Default process-engine signaling controller.
+ *
+ * @author tlenz
+ *
+ */
+@Controller
+public class ProcessEngineSignalController extends AbstractProcessEngineSignalController {
+
+ @RequestMapping(value = {
+ MsEidasNodeConstants.ENDPOINT_COUNTRYSELECTION,
+ MsEidasNodeConstants.ENDPOINT_OTHER_LOGIN_METHOD_SELECTION,
+ MsEidasNodeConstants.ENDPOINT_RESIDENCY_INPUT
+ },
+ method = { RequestMethod.POST, RequestMethod.GET })
+ public void performGenericAuthenticationProcess(HttpServletRequest req, HttpServletResponse resp)
+ throws IOException, EaafException {
+ signalProcessManagement(req, resp);
+
+ }
+}
diff --git a/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/controller/Pvp2SProfileEndpoint.java b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/controller/Pvp2SProfileEndpoint.java
new file mode 100644
index 00000000..923864cc
--- /dev/null
+++ b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/controller/Pvp2SProfileEndpoint.java
@@ -0,0 +1,80 @@
+/*
+ * Copyright 2018 A-SIT Plus GmbH
+ * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ,
+ * A-SIT Plus GmbH, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "License");
+ * You may not use this work except in compliance with the License.
+ * You may obtain a copy of the License at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
+package at.asitplus.eidas.specific.connector.controller;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+import at.asitplus.eidas.specific.core.MsEidasNodeConstants;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.modules.pvp2.idp.impl.AbstractPvp2XProtocol;
+import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PvpSProfilePendingRequest;
+
+@Controller
+public class Pvp2SProfileEndpoint extends AbstractPvp2XProtocol {
+
+ public static final String NAME = Pvp2SProfileEndpoint.class.getName();
+ public static final String PROTOCOL_ID = "pvp2-s";
+
+ @RequestMapping(value = MsEidasNodeConstants.ENDPOINT_PVP_METADATA, method = { RequestMethod.POST,
+ RequestMethod.GET })
+ public void pvpMetadataRequest(HttpServletRequest req, HttpServletResponse resp) throws EaafException {
+ super.pvpMetadataRequest(req, resp);
+
+ }
+
+ @RequestMapping(value = MsEidasNodeConstants.ENDPOINT_PVP_POST, method = { RequestMethod.POST })
+ public void pvpIdpPostRequest(HttpServletRequest req, HttpServletResponse resp) throws EaafException {
+ super.pvpIdpPostRequest(req, resp);
+
+ }
+
+ @RequestMapping(value = MsEidasNodeConstants.ENDPOINT_PVP_REDIRECT, method = { RequestMethod.GET })
+ public void pvpIdpRedirecttRequest(HttpServletRequest req, HttpServletResponse resp) throws EaafException {
+ super.pvpIdpRedirecttRequest(req, resp);
+
+ }
+
+ @Override
+ public String getAuthProtocolIdentifier() {
+ return PROTOCOL_ID;
+ }
+
+ @Override
+ public String getName() {
+ return NAME;
+ }
+
+ @Override
+ protected boolean childPreProcess(HttpServletRequest arg0, HttpServletResponse arg1,
+ PvpSProfilePendingRequest arg2)
+ throws Throwable {
+ return false;
+ }
+
+}
diff --git a/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/health/Saml2MetadataHealthIndicator.java b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/health/Saml2MetadataHealthIndicator.java
new file mode 100644
index 00000000..592231b0
--- /dev/null
+++ b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/health/Saml2MetadataHealthIndicator.java
@@ -0,0 +1,44 @@
+package at.asitplus.eidas.specific.connector.health;
+
+import javax.xml.transform.TransformerFactoryConfigurationError;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.actuate.health.Health;
+import org.springframework.boot.actuate.health.HealthIndicator;
+
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataBuilderConfiguration;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataConfigurationFactory;
+import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpMetadataBuilder;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider;
+import lombok.Setter;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public class Saml2MetadataHealthIndicator implements HealthIndicator {
+
+ @Autowired
+ private PvpMetadataBuilder metadatabuilder;
+ @Autowired
+ private IPvpMetadataConfigurationFactory configFactory;
+
+ @Setter
+ private AbstractCredentialProvider pvpIdpCredentials;
+
+ @Override
+ public Health health() {
+ try {
+ // build metadata
+ final IPvpMetadataBuilderConfiguration metadataConfig =
+ configFactory.generateMetadataBuilderConfiguration(
+ "http://localhost/monitoring",
+ pvpIdpCredentials);
+ metadatabuilder.buildPvpMetadata(metadataConfig);
+ return Health.up().build();
+
+ } catch (Exception | TransformerFactoryConfigurationError e) {
+ return Health.down().down(e).build();
+
+ }
+ }
+
+}
diff --git a/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/processes/CountrySelectionProcessImpl.java b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/processes/CountrySelectionProcessImpl.java
new file mode 100644
index 00000000..2ec86f53
--- /dev/null
+++ b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/processes/CountrySelectionProcessImpl.java
@@ -0,0 +1,68 @@
+/*
+ * Copyright 2018 A-SIT Plus GmbH
+ * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ,
+ * A-SIT Plus GmbH, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "License");
+ * You may not use this work except in compliance with the License.
+ * You may obtain a copy of the License at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
+package at.asitplus.eidas.specific.connector.processes;
+
+import org.apache.commons.lang3.StringUtils;
+
+import at.asitplus.eidas.specific.core.MsEidasNodeConstants;
+import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule;
+import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
+
+/**
+ * Auth-Process selector for User's country selection.
+ *
+ * @author tlenz
+ *
+ */
+public class CountrySelectionProcessImpl implements AuthModule {
+
+ @Override
+ public int getPriority() {
+ return 0;
+
+ }
+
+ @Override
+ public String selectProcess(ExecutionContext context, IRequest pendingReq) {
+ final Object selectedCountryObj = context.get(MsEidasNodeConstants.REQ_PARAM_SELECTED_COUNTRY);
+ if (selectedCountryObj != null && selectedCountryObj instanceof String) {
+ final String selectedCountry = (String) selectedCountryObj;
+ if (StringUtils.isNotEmpty(selectedCountry)) {
+ return null;
+ }
+
+ }
+
+ return "CountrySelectionProcess";
+
+ }
+
+ @Override
+ public String[] getProcessDefinitions() {
+ return new String[] { "classpath:processes/CountrySelection.process.xml" };
+
+ }
+
+}
diff --git a/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/processes/tasks/EvaluateCountrySelectionTask.java b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/processes/tasks/EvaluateCountrySelectionTask.java
new file mode 100644
index 00000000..b2c5c51d
--- /dev/null
+++ b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/processes/tasks/EvaluateCountrySelectionTask.java
@@ -0,0 +1,83 @@
+/*
+ * Copyright 2018 A-SIT Plus GmbH
+ * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ,
+ * A-SIT Plus GmbH, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "License");
+ * You may not use this work except in compliance with the License.
+ * You may obtain a copy of the License at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
+package at.asitplus.eidas.specific.connector.processes.tasks;
+
+import java.util.Enumeration;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Component;
+
+import at.asitplus.eidas.specific.core.MsEidasNodeConstants;
+import at.gv.egiz.eaaf.core.api.data.EaafConstants;
+import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
+import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
+import at.gv.egiz.eaaf.core.impl.idp.controller.tasks.AbstractLocaleAuthServletTask;
+
+/**
+ * Evaluate the User's country selection.
+ *
+ * @author tlenz
+ *
+ */
+@Component("EvaluateCountrySelectionTask")
+public class EvaluateCountrySelectionTask extends AbstractLocaleAuthServletTask {
+ private static final Logger log = LoggerFactory.getLogger(EvaluateCountrySelectionTask.class);
+
+ @Override
+ public void executeWithLocale(ExecutionContext executionContext, HttpServletRequest request,
+ HttpServletResponse response)
+ throws TaskExecutionException {
+ try {
+
+ // set parameter execution context
+ final Enumeration<String> reqParamNames = request.getParameterNames();
+ while (reqParamNames.hasMoreElements()) {
+ final String paramName = reqParamNames.nextElement();
+ if (StringUtils.isNotEmpty(paramName)
+ && !EaafConstants.PROCESS_ENGINE_PENDINGREQUESTID.equalsIgnoreCase(paramName)) {
+ for (final String el : MsEidasNodeConstants.COUNTRY_SELECTION_PARAM_WHITELIST) {
+ if (el.equalsIgnoreCase(paramName)) {
+ executionContext.put(paramName,
+ StringEscapeUtils.escapeHtml(request.getParameter(paramName)));
+ }
+ }
+ }
+ }
+
+ log.info("Country selection finished. Starting auth. process for country ... ");
+
+ } catch (final Exception e) {
+ log.warn("EvaluateBKUSelectionTask has an internal error", e);
+ throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+
+ }
+ }
+
+}
diff --git a/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/processes/tasks/GenerateCountrySelectionFrameTask.java b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/processes/tasks/GenerateCountrySelectionFrameTask.java
new file mode 100644
index 00000000..57a4c19a
--- /dev/null
+++ b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/processes/tasks/GenerateCountrySelectionFrameTask.java
@@ -0,0 +1,84 @@
+/*
+ * Copyright 2018 A-SIT Plus GmbH
+ * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ,
+ * A-SIT Plus GmbH, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "License");
+ * You may not use this work except in compliance with the License.
+ * You may obtain a copy of the License at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
+package at.asitplus.eidas.specific.connector.processes.tasks;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import at.asitplus.eidas.specific.core.MsConnectorEventCodes;
+import at.asitplus.eidas.specific.core.MsEidasNodeConstants;
+import at.asitplus.eidas.specific.core.gui.StaticGuiBuilderConfiguration;
+import at.gv.egiz.eaaf.core.api.gui.IGuiBuilderConfiguration;
+import at.gv.egiz.eaaf.core.api.gui.ISpringMvcGuiFormBuilder;
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
+import at.gv.egiz.eaaf.core.impl.idp.controller.tasks.AbstractLocaleAuthServletTask;
+
+/**
+ * Create country-selection page.
+ *
+ * @author tlenz
+ *
+ */
+@Component("GenerateCountrySelectionFrameTask")
+public class GenerateCountrySelectionFrameTask extends AbstractLocaleAuthServletTask {
+
+ @Autowired
+ ISpringMvcGuiFormBuilder guiBuilder;
+ @Autowired
+ IConfiguration basicConfig;
+
+
+ @Override
+ public void executeWithLocale(ExecutionContext executionContext, HttpServletRequest request,
+ HttpServletResponse response) throws TaskExecutionException {
+ try {
+ revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.STARTING_COUNTRY_SELECTION);
+
+ final IGuiBuilderConfiguration config = new StaticGuiBuilderConfiguration(
+ basicConfig,
+ pendingReq,
+ basicConfig.getBasicConfiguration(
+ MsEidasNodeConstants.PROP_CONFIG_WEBCONTENT_TEMPLATES_CCSELECTION,
+ MsEidasNodeConstants.TEMPLATE_HTML_COUNTRYSELECTION),
+ MsEidasNodeConstants.ENDPOINT_COUNTRYSELECTION,
+ resourceLoader);
+
+ guiBuilder.build(request, response, config, "BKU-Selection form");
+
+ } catch (final Exception e) {
+ throw new TaskExecutionException(pendingReq,
+ "Can not build GUI. Msg:" + e.getMessage(),
+ new EaafException("gui.00", new Object[] { e.getMessage() }, e));
+
+ }
+
+ }
+
+}
diff --git a/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpEndPointCredentialProvider.java b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpEndPointCredentialProvider.java
new file mode 100644
index 00000000..98e88eff
--- /dev/null
+++ b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpEndPointCredentialProvider.java
@@ -0,0 +1,97 @@
+/*
+ * Copyright 2018 A-SIT Plus GmbH
+ * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ,
+ * A-SIT Plus GmbH, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "License");
+ * You may not use this work except in compliance with the License.
+ * You may obtain a copy of the License at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
+package at.asitplus.eidas.specific.connector.provider;
+
+import org.springframework.beans.factory.annotation.Autowired;
+
+import at.asitplus.eidas.specific.core.MsEidasNodeConstants;
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider;
+
+public class PvpEndPointCredentialProvider extends AbstractCredentialProvider {
+
+ @Autowired(required = true)
+ IConfiguration basicConfiguration;
+
+ @Override
+ public KeyStoreConfiguration getBasicKeyStoreConfig() throws EaafConfigurationException {
+ final KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration();
+ keyStoreConfig.setFriendlyName("PVP2 S-Profile EndPoint");
+ keyStoreConfig.setKeyStoreType(
+ basicConfiguration.getBasicConfiguration(MsEidasNodeConstants.CONFIG_PROPS_KEYSTORE_TYPE,
+ KeyStoreType.PKCS12.getKeyStoreType()));
+ keyStoreConfig.setKeyStoreName(
+ basicConfiguration.getBasicConfiguration(MsEidasNodeConstants.CONFIG_PROPS_KEYSTORE_NAME));
+ keyStoreConfig.setSoftKeyStoreFilePath(basicConfiguration.getBasicConfiguration(
+ MsEidasNodeConstants.PROP_CONFIG_PVP2_KEYSTORE_PATH));
+ keyStoreConfig.setSoftKeyStorePassword(
+ basicConfiguration.getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_PVP2_KEYSTORE_PASSWORD));
+
+ keyStoreConfig.validate();
+
+ return keyStoreConfig;
+ }
+
+
+ @Override
+ public String getMetadataKeyAlias() {
+ return basicConfiguration.getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_PVP2_KEY_METADATA_ALIAS);
+ }
+
+ @Override
+ public String getMetadataKeyPassword() {
+ return basicConfiguration.getBasicConfiguration(
+ MsEidasNodeConstants.PROP_CONFIG_PVP2_KEY_METADATA_PASSWORD);
+
+ }
+
+ @Override
+ public String getSignatureKeyAlias() {
+ return basicConfiguration.getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_PVP2_KEY_SIGNING_ALIAS);
+
+ }
+
+ @Override
+ public String getSignatureKeyPassword() {
+ return basicConfiguration.getBasicConfiguration(
+ MsEidasNodeConstants.PROP_CONFIG_PVP2_KEY_SIGNING_PASSWORD);
+
+ }
+
+ @Override
+ public String getEncryptionKeyAlias() {
+ return null;
+
+ }
+
+ @Override
+ public String getEncryptionKeyPassword() {
+ return null;
+
+ }
+
+}
diff --git a/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataConfigurationFactory.java b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataConfigurationFactory.java
new file mode 100644
index 00000000..e8bc4eb8
--- /dev/null
+++ b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataConfigurationFactory.java
@@ -0,0 +1,51 @@
+/*
+ * Copyright 2018 A-SIT Plus GmbH
+ * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ,
+ * A-SIT Plus GmbH, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "License");
+ * You may not use this work except in compliance with the License.
+ * You may obtain a copy of the License at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
+package at.asitplus.eidas.specific.connector.provider;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import at.asitplus.eidas.specific.connector.config.PvpMetadataConfiguration;
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.modules.pvp2.api.IPvp2BasicConfiguration;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataBuilderConfiguration;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataConfigurationFactory;
+import at.gv.egiz.eaaf.modules.pvp2.api.utils.IPvp2CredentialProvider;
+
+@Service("PVPMetadataConfigurationFactory")
+public class PvpMetadataConfigurationFactory implements IPvpMetadataConfigurationFactory {
+
+ @Autowired
+ private IConfiguration basicConfig;
+ @Autowired
+ private IPvp2BasicConfiguration pvpBasicConfig;
+
+ @Override
+ public IPvpMetadataBuilderConfiguration generateMetadataBuilderConfiguration(String authUrl,
+ IPvp2CredentialProvider pvpIdpCredentials) {
+ return new PvpMetadataConfiguration(basicConfig, authUrl, pvpBasicConfig, pvpIdpCredentials);
+
+ }
+
+}
diff --git a/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java
new file mode 100644
index 00000000..6161c271
--- /dev/null
+++ b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java
@@ -0,0 +1,183 @@
+/*
+ * Copyright 2018 A-SIT Plus GmbH
+ * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ,
+ * A-SIT Plus GmbH, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "License");
+ * You may not use this work except in compliance with the License.
+ * You may obtain a copy of the License at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
+package at.asitplus.eidas.specific.connector.provider;
+
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.Provider;
+import java.security.cert.CertificateException;
+import java.text.MessageFormat;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
+import org.opensaml.saml.metadata.resolver.MetadataResolver;
+import org.opensaml.saml.metadata.resolver.filter.MetadataFilter;
+import org.opensaml.saml.metadata.resolver.filter.MetadataFilterChain;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import at.asitplus.eidas.specific.core.MsEidasNodeConstants;
+import at.gv.egiz.eaaf.core.api.idp.IConfigurationWithSP;
+import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.http.IHttpClientFactory;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException;
+import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.AbstractChainingMetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.PvpEntityCategoryFilter;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SchemaValidationFilter;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SimpleMetadataSignatureVerificationFilter;
+
+@Service("PVPMetadataProvider")
+public class PvpMetadataProvider extends AbstractChainingMetadataProvider {
+ private static final Logger log = LoggerFactory.getLogger(PvpMetadataProvider.class);
+
+ private static final String PROVIDER_ID_PATTERN = "eIDAS resolver: {0}";
+
+ @Autowired(required = true)
+ IConfigurationWithSP basicConfig;
+ @Autowired
+ private PvpMetadataResolverFactory metadataProviderFactory;
+ @Autowired
+ private IHttpClientFactory httpClientFactory;
+
+ @Autowired
+ private EaafKeyStoreFactory keyStoreFactory;
+
+
+ @Override
+ protected String getMetadataUrl(String entityId) throws EaafConfigurationException {
+ final ISpConfiguration spConfig = basicConfig.getServiceProviderConfiguration(entityId);
+ if (spConfig != null) {
+ String metadataUrl = entityId;
+
+ final String metadataUrlFromConfig = spConfig.getConfigurationValue(
+ MsEidasNodeConstants.PROP_CONFIG_SP_PVP2_METADATA_URL);
+ if (StringUtils.isNotEmpty(metadataUrlFromConfig)) {
+ log.debug("Use metdataURL from configuration for EntityId: " + entityId);
+ metadataUrl = metadataUrlFromConfig;
+
+ }
+
+ return metadataUrl;
+
+ } else {
+ log.info("No ServiceProvider with entityId: " + entityId + " in configuration.");
+ }
+
+ return null;
+ }
+
+ @Override
+ protected MetadataResolver createNewMetadataProvider(String entityId)
+ throws EaafConfigurationException, IOException, CertificateException {
+ final ISpConfiguration spConfig = basicConfig.getServiceProviderConfiguration(entityId);
+ if (spConfig != null) {
+ try {
+ String metadataUrl = spConfig.getConfigurationValue(
+ MsEidasNodeConstants.PROP_CONFIG_SP_PVP2_METADATA_URL);
+ if (StringUtils.isEmpty(metadataUrl)) {
+ log.debug("Use EntityId: " + entityId + " instead of explicite metadataURL ... ");
+ metadataUrl = entityId;
+
+ }
+
+ KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration();
+ keyStoreConfig.setFriendlyName(MessageFormat.format(PROVIDER_ID_PATTERN, entityId));
+ keyStoreConfig.setKeyStoreType(KeyStoreType.JKS);
+ keyStoreConfig.setSoftKeyStoreFilePath(
+ spConfig.getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE));
+ keyStoreConfig.setSoftKeyStorePassword(spConfig.getConfigurationValue(
+ MsEidasNodeConstants.PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE_PASSWORD));
+
+ keyStoreConfig.validate();
+
+ Pair<KeyStore, Provider> keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig);
+
+ final List<MetadataFilter> filterList = new ArrayList<>();
+ filterList.add(new SchemaValidationFilter(true));
+ filterList.add(new SimpleMetadataSignatureVerificationFilter(
+ keyStore.getFirst(), entityId));
+ filterList.add(new PvpEntityCategoryFilter(
+ basicConfig.getBasicConfigurationBoolean(MsEidasNodeConstants.PROP_CONFIG_PVP_ENABLE_ENTITYCATEGORIES,
+ true)));
+
+ final MetadataFilterChain filter = new MetadataFilterChain();
+ filter.setFilters(filterList);
+
+ try {
+ return metadataProviderFactory.createMetadataProvider(getMetadataUrl(entityId),
+ filter,
+ MessageFormat.format(PROVIDER_ID_PATTERN, entityId),
+ httpClientFactory.getHttpClient());
+
+ } catch (final Pvp2MetadataException e) {
+ log.info("Can NOT build metadata provider for entityId: {}", entityId);
+ throw new EaafConfigurationException("module.eidasauth.04",
+ new Object[] { entityId, e.getMessage() }, e);
+
+ }
+
+ } catch (final EaafException e) {
+ log.info("Can NOT initialize Metadata signature-verification filter. Reason: " + e.getMessage());
+ throw new EaafConfigurationException("config.27",
+ new Object[] { "Can NOT initialize Metadata signature-verification filter. Reason: " + e
+ .getMessage() }, e);
+
+ }
+
+ } else {
+ log.info("No ServiceProvider with entityId: " + entityId + " in configuration.");
+ }
+
+ return null;
+ }
+
+ @Override
+ protected List<String> getAllMetadataUrlsFromConfiguration() throws EaafConfigurationException {
+ return Collections.emptyList();
+ }
+
+ @Override
+ protected String getMetadataProviderId() {
+ return "Service-provider chainging metadata provider";
+
+ }
+
+ @Override
+ public void doDestroy() {
+ this.fullyDestroy();
+
+ }
+
+}
diff --git a/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/verification/AuthnRequestValidator.java b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/verification/AuthnRequestValidator.java
new file mode 100644
index 00000000..23702264
--- /dev/null
+++ b/ms_specific_connector/src/main/java/at/asitplus/eidas/specific/connector/verification/AuthnRequestValidator.java
@@ -0,0 +1,382 @@
+/*
+ * Copyright 2018 A-SIT Plus GmbH
+ * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ,
+ * A-SIT Plus GmbH, A-SIT, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "License");
+ * You may not use this work except in compliance with the License.
+ * You may obtain a copy of the License at:
+ * https://joinup.ec.europa.eu/news/understanding-eupl-v12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+*/
+
+package at.asitplus.eidas.specific.connector.verification;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.commons.lang3.StringUtils;
+import org.opensaml.core.xml.XMLObject;
+import org.opensaml.saml.saml2.core.AuthnContextClassRef;
+import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration;
+import org.opensaml.saml.saml2.core.AuthnRequest;
+import org.opensaml.saml.saml2.core.NameIDPolicy;
+import org.opensaml.saml.saml2.core.NameIDType;
+import org.opensaml.saml.saml2.core.RequestedAuthnContext;
+import org.opensaml.saml.saml2.core.Scoping;
+import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+
+import at.asitplus.eidas.specific.core.MsEidasNodeConstants;
+import at.asitplus.eidas.specific.core.config.ServiceProviderConfiguration;
+import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.api.data.EaafConstants;
+import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions;
+import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions;
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.exceptions.EaafStorageException;
+import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl;
+import at.gv.egiz.eaaf.core.impl.utils.TransactionIdUtils;
+import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute;
+import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttributes;
+import at.gv.egiz.eaaf.modules.pvp2.api.validation.IAuthnRequestPostProcessor;
+import at.gv.egiz.eaaf.modules.pvp2.exception.NameIdFormatNotSupportedException;
+import eu.eidas.auth.commons.protocol.eidas.LevelOfAssurance;
+
+public class AuthnRequestValidator implements IAuthnRequestPostProcessor {
+
+ private static final Logger log = LoggerFactory.getLogger(AuthnRequestValidator.class);
+
+ @Autowired(required = true)
+ private IConfiguration basicConfig;
+
+ @Override
+ public void process(HttpServletRequest httpReq, IRequest pendingReq, AuthnRequest authnReq,
+ SPSSODescriptor spSsoDescriptor) throws AuthnRequestValidatorException {
+ try {
+ // validate NameIDPolicy
+ final NameIDPolicy nameIdPolicy = authnReq.getNameIDPolicy();
+ if (nameIdPolicy != null) {
+ final String nameIdFormat = nameIdPolicy.getFormat();
+ if (nameIdFormat != null) {
+ if (!(NameIDType.TRANSIENT.equals(nameIdFormat)
+ || NameIDType.PERSISTENT.equals(nameIdFormat))) {
+
+ throw new NameIdFormatNotSupportedException(nameIdFormat);
+
+ }
+
+ } else {
+ log.trace("Find NameIDPolicy, but NameIDFormat is 'null'");
+ }
+ } else {
+ log.trace("AuthnRequest includes no 'NameIDPolicy'");
+ }
+
+ // post-process RequesterId
+ final String spEntityId = extractScopeRequsterId(authnReq);
+ if (StringUtils.isEmpty(spEntityId)) {
+ log.info("NO service-provider entityID in Authn. request. Stop authn. process ... ");
+ throw new AuthnRequestValidatorException("pvp2.22",
+ new Object[] { "NO relaying-party entityID in Authn. request" }, pendingReq);
+
+ } else {
+ pendingReq.setRawDataToTransaction(MsEidasNodeConstants.DATA_REQUESTERID, spEntityId);
+ }
+
+ // post-process ProviderName
+ final String providerName = authnReq.getProviderName();
+ if (StringUtils.isEmpty(providerName)) {
+ log.info("Authn. request contains NO SP friendlyName");
+ } else {
+ pendingReq.setRawDataToTransaction(MsEidasNodeConstants.DATA_PROVIDERNAME, providerName);
+ }
+
+ // post-process requested LoA
+ postprocessLoaLevel(pendingReq, authnReq);
+
+ // post-process requested LoA comparison-level
+ pendingReq.getServiceProviderConfiguration(ServiceProviderConfiguration.class).setLoAMachtingMode(
+ extractComparisonLevel(authnReq));
+
+ // extract information from requested attributes
+ extractFromRequestedAttriutes(pendingReq, authnReq);
+
+ } catch (final EaafStorageException e) {
+ log.info("Can NOT store Authn. Req. data into pendingRequest.", e);
+ throw new AuthnRequestValidatorException("internal.02", null, e);
+
+ }
+
+ }
+
+ private void extractFromRequestedAttriutes(IRequest pendingReq, AuthnRequest authnReq)
+ throws AuthnRequestValidatorException, EaafStorageException {
+ // validate and process requested attributes
+ boolean sectorDetected = false;
+
+ final ServiceProviderConfiguration spConfig = pendingReq.getServiceProviderConfiguration(
+ ServiceProviderConfiguration.class);
+
+ if (authnReq.getExtensions() != null) {
+ final List<XMLObject> requestedAttributes = authnReq.getExtensions().getUnknownXMLObjects();
+ for (final XMLObject reqAttrObj : requestedAttributes) {
+ if (reqAttrObj instanceof EaafRequestedAttributes) {
+ final EaafRequestedAttributes reqAttr = (EaafRequestedAttributes) reqAttrObj;
+ if (reqAttr.getAttributes() != null && reqAttr.getAttributes().size() != 0) {
+ for (final EaafRequestedAttribute el : reqAttr.getAttributes()) {
+ log.trace("Processing req. attribute '" + el.getName() + "' ... ");
+ if (el.getName().equals(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME)) {
+ sectorDetected = extractBpkTargetIdentifier(el, spConfig);
+
+ } else if (el.getName().equals(ExtendedPvpAttributeDefinitions.EID_TRANSACTION_ID_NAME)) {
+ extractUniqueTransactionId(el, pendingReq);
+
+ } else if (el.getName().equals(MsEidasNodeConstants.EID_BINDING_PUBLIC_KEY_NAME)) {
+ extractBindingPublicKey(el, pendingReq);
+
+ } else {
+ log.debug("Ignore req. attribute: " + el.getName());
+
+ }
+ }
+
+ } else {
+ log.debug("No requested Attributes in Authn. Request");
+
+ }
+
+ } else {
+ log.info("Ignore unknown requested attribute: " + reqAttrObj.getElementQName().toString());
+
+ }
+ }
+ }
+
+ if (!sectorDetected) {
+ log.warn("Authn.Req validation FAILED. Reason: Contains NO or NO VALID target-sector information.");
+ throw new AuthnRequestValidatorException("pvp2.22", new Object[] {
+ "NO or NO VALID target-sector information" });
+
+ }
+
+ }
+
+ private void extractBindingPublicKey(EaafRequestedAttribute el, IRequest pendingReq)
+ throws EaafStorageException {
+ if (el.getAttributeValues() != null && el.getAttributeValues().size() == 1) {
+ final String bindingPubKey = el.getAttributeValues().get(0).getDOM().getTextContent();
+ pendingReq.setRawDataToTransaction(MsEidasNodeConstants.EID_BINDING_PUBLIC_KEY_NAME, bindingPubKey);
+ log.info("Find Binding Public-Key. eIDAS authentication will be used to create an ID Austria Binding");
+
+ } else {
+ log.warn(
+ "Req. attribute '{}' contains NO or MORE THEN ONE attribute-values. Ignore full req. attribute",
+ el.getName());
+
+ }
+ }
+
+ /**
+ * Extract unique transactionId from AuthnRequest.
+ *
+ * @param el Requested attribute from AuthnRequest
+ * @param pendingReq Current pendingRequest object (has to be of type
+ * {@link RequestImpl})
+ * @return <code>true</code> if transactionId extraction was successful,
+ * otherwise <code>false</code>
+ */
+ private boolean extractUniqueTransactionId(EaafRequestedAttribute el, IRequest pendingReq) {
+ if (!(pendingReq instanceof RequestImpl)) {
+ log.warn(
+ "Can NOT set unique transactionId from AuthnRequest,because 'PendingRequest' is NOT from Type: {}",
+ RequestImpl.class.getName());
+
+ } else {
+ if (el.getAttributeValues() != null && el.getAttributeValues().size() == 1) {
+ final String transactionId = el.getAttributeValues().get(0).getDOM().getTextContent();
+ ((RequestImpl) pendingReq).setUniqueTransactionIdentifier(transactionId);
+ log.info("Find transactionId: {} from requesting service. Replace old id: {} ",
+ transactionId, TransactionIdUtils.getTransactionId());
+ TransactionIdUtils.setTransactionId(transactionId);
+
+ return true;
+
+ } else {
+ log.warn(
+ "Req. attribute '{}' contains NO or MORE THEN ONE attribute-values. Ignore full req. attribute",
+ el.getName());
+
+ }
+
+ }
+
+ return false;
+ }
+
+ /**
+ * Extract the bPK target from requested attribute.
+ *
+ * @param el Requested attribute from AuthnRequest
+ * @param spConfig Service-Provider configuration for current process
+ * @return <code>true</code> if bPK target extraction was successful, otherwise
+ * <code>false</code>
+ */
+ private boolean extractBpkTargetIdentifier(EaafRequestedAttribute el,
+ ServiceProviderConfiguration spConfig) {
+ if (el.getAttributeValues() != null && el.getAttributeValues().size() == 1) {
+ final String sectorId = el.getAttributeValues().get(0).getDOM().getTextContent();
+ try {
+ spConfig.setBpkTargetIdentifier(sectorId);
+ return true;
+
+ } catch (final EaafException e) {
+ log.warn("Requested sector: " + sectorId + " DOES NOT match to allowed sectors for SP: "
+ + spConfig.getUniqueIdentifier());
+ }
+
+ } else {
+ log.warn("Req. attribute '" + el.getName()
+ + "' contains NO or MORE THEN ONE attribute-values. Ignore full req. attribute");
+ }
+
+ return false;
+
+ }
+
+ private void postprocessLoaLevel(IRequest pendingReq, AuthnRequest authnReq)
+ throws AuthnRequestValidatorException {
+ final List<String> reqLoA = extractLoA(authnReq);
+ log.trace("SP requests LoA with: {}", String.join(", ", reqLoA));
+
+ LevelOfAssurance minimumLoAFromConfig = LevelOfAssurance.fromString(basicConfig.getBasicConfiguration(
+ MsEidasNodeConstants.PROP_EIDAS_REQUEST_LOA_MINIMUM_LEVEL,
+ EaafConstants.EIDAS_LOA_HIGH));
+ if (minimumLoAFromConfig == null) {
+ log.warn("Can not load minimum LoA from configuration. Use LoA: {} as default",
+ EaafConstants.EIDAS_LOA_HIGH);
+ minimumLoAFromConfig = LevelOfAssurance.HIGH;
+
+ }
+
+ log.trace("Validate requested LoA to connector configuration minimum LoA: {} ...",
+ minimumLoAFromConfig);
+ final List<String> allowedLoA = new ArrayList<>();
+ for (final String loa : reqLoA) {
+ try {
+ final LevelOfAssurance intLoa = LevelOfAssurance.fromString(loa);
+ String selectedLoA = EaafConstants.EIDAS_LOA_HIGH;
+ if (intLoa != null
+ && intLoa.numericValue() <= minimumLoAFromConfig.numericValue()) {
+ log.info("Client: {} requested LoA: {} will be upgraded to: {}",
+ pendingReq.getServiceProviderConfiguration().getUniqueIdentifier(),
+ loa,
+ minimumLoAFromConfig);
+ selectedLoA = minimumLoAFromConfig.getValue();
+
+ }
+
+ if (!allowedLoA.contains(selectedLoA)) {
+ log.debug("Allow LoA: {} for Client: {}",
+ selectedLoA,
+ pendingReq.getServiceProviderConfiguration().getUniqueIdentifier());
+ allowedLoA.add(selectedLoA);
+
+ }
+
+ } catch (final IllegalArgumentException e) {
+ log.warn("LoA: {} is currently NOT supported and it will be ignored.", loa);
+
+ }
+
+ }
+
+ pendingReq.getServiceProviderConfiguration(ServiceProviderConfiguration.class).setRequiredLoA(
+ allowedLoA);
+
+ }
+
+ private String extractComparisonLevel(AuthnRequest authnReq) {
+ if (authnReq.getRequestedAuthnContext() != null) {
+ final RequestedAuthnContext authContext = authnReq.getRequestedAuthnContext();
+ return authContext.getComparison().toString();
+
+ }
+
+ return null;
+ }
+
+ private List<String> extractLoA(AuthnRequest authnReq) throws AuthnRequestValidatorException {
+ final List<String> result = new ArrayList<>();
+ if (authnReq.getRequestedAuthnContext() != null) {
+ final RequestedAuthnContext authContext = authnReq.getRequestedAuthnContext();
+ if (authContext.getComparison().equals(AuthnContextComparisonTypeEnumeration.MINIMUM)) {
+ if (authContext.getAuthnContextClassRefs().isEmpty()) {
+ log.debug("Authn. Req. contains no requested LoA");
+
+ } else if (authContext.getAuthnContextClassRefs().size() > 1) {
+ log.info("Authn. Req. contains MORE THAN ONE requested LoA, but "
+ + AuthnContextComparisonTypeEnumeration.MINIMUM + " allows only one");
+ throw new AuthnRequestValidatorException("pvp2.22",
+ new Object[] { "Authn. Req. contains MORE THAN ONE requested LoA, but "
+ + AuthnContextComparisonTypeEnumeration.MINIMUM + " allows only one" });
+
+ } else {
+ result.add(authContext.getAuthnContextClassRefs().get(0).getAuthnContextClassRef());
+ }
+
+ } else if (authContext.getComparison().equals(AuthnContextComparisonTypeEnumeration.EXACT)) {
+ for (final AuthnContextClassRef el : authContext.getAuthnContextClassRefs()) {
+ result.add(el.getAuthnContextClassRef());
+ }
+
+ } else {
+ log.info("Currently only '" + AuthnContextComparisonTypeEnumeration.MINIMUM + "' and '"
+ + AuthnContextComparisonTypeEnumeration.EXACT + "' are supported");
+ throw new AuthnRequestValidatorException("pvp2.22",
+ new Object[] { "Currently only '" + AuthnContextComparisonTypeEnumeration.MINIMUM + "' and '"
+ + AuthnContextComparisonTypeEnumeration.EXACT + "' are supported" });
+
+ }
+
+ }
+
+ return result;
+ }
+
+ private String extractScopeRequsterId(AuthnRequest authnReq) {
+ if (authnReq.getScoping() != null) {
+ final Scoping scoping = authnReq.getScoping();
+ if (scoping.getRequesterIDs() != null
+ && scoping.getRequesterIDs().size() > 0) {
+ if (scoping.getRequesterIDs().size() == 1) {
+ return scoping.getRequesterIDs().get(0).getRequesterID();
+ } else {
+ log.info("Authn. request contains more than on RequesterIDs! Only use first one");
+ return scoping.getRequesterIDs().get(0).getRequesterID();
+
+ }
+ }
+ }
+
+ return null;
+ }
+
+}