From 1fdf8a0784c70479fbf59c6c3841faeae290b883 Mon Sep 17 00:00:00 2001 From: Christian Kollmann Date: Thu, 15 Jul 2021 14:37:05 +0200 Subject: Verify data of alternative eIDAS authn matches initial authn --- .../modules/auth/eidas/v2/dao/SimpleEidasData.java | 28 +++++++++++++++------- .../auth/eidas/v2/tasks/AlternativeSearchTask.java | 16 ++++++++++++- 2 files changed, 34 insertions(+), 10 deletions(-) diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleEidasData.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleEidasData.java index cedf01e3..35f353f4 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleEidasData.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleEidasData.java @@ -38,10 +38,10 @@ public class SimpleEidasData { * Full eIDAS personal identifier with prefix. */ private final String personalIdentifier; - + /** * Citizen country-code from eIDAS personal-identifier. - */ + */ private final String citizenCountryCode; // MDS 
@@ -67,11 +67,11 @@ public class SimpleEidasData { * @throws WorkflowException if multiple results have been found */ public boolean equalsRegisterData(RegisterResult result) throws WorkflowException { - /*TODO: maybe this is check is not valid, because only the minimum data-set (personalIdentifer, givenName, + /*TODO: maybe this is check is not valid, because only the minimum data-set (personalIdentifer, givenName, * familyName, dateOfBirth) has to be always available. Any other attributes are optional. - * This check will always evaluate to false if register has more information as current eIDAS process!!! + * This check will always evaluate to false if register has more information as current eIDAS process!!! */ - + return new EqualsBuilder() .append(result.getGivenName(), givenName) .append(result.getFamilyName(), familyName) @@ -80,10 +80,20 @@ public class SimpleEidasData { .append(result.getBirthName(), birthName) .append(result.getTaxNumber(), taxNumber) .isEquals() && result.getPseudonym().stream() - .filter(el -> el.equals(pseudonym)) - .findFirst() - .isPresent(); - + .anyMatch(el -> el.equals(pseudonym)); } + /** + * Checks if the MDS (givenName, familyName, + * dateOfBirth) matches. + */ + public boolean equalsMds(SimpleEidasData other) { + return new EqualsBuilder() + .append(other.givenName, givenName) + .append(other.familyName, familyName) + .append(other.dateOfBirth, dateOfBirth) + .isEquals(); + } + + } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java index 38a7076a..4705c56b 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java 
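Review bot: equalsMds(SimpleEidasData other) dereferences `other` without a null check, and its Javadoc says neither that nor what the method returns; since the method is public, any caller other than the one added in AlternativeSearchTask gets a NullPointerException instead of a clear error. Suggest `Objects.requireNonNull(other, "other");` as the first statement (adding `java.util.Objects` to this file's imports if it is not already there) plus a `@param other`/`@return` pair. The Javadoc should also state that personalIdentifier and citizenCountryCode are intentionally left out of the comparison — presumably because the alternative authentication is done with a different eID — so nobody later "completes" the method by adding them. The comparison is exact equals on the three MDS fields; whether the eIDAS attribute values are normalised (case, whitespace, transliteration) before they reach this class is not visible here and is worth confirming, because a spurious mismatch rejects the alternative authentication.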
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java @@ -46,6 +46,7 @@ import org.springframework.stereotype.Component; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.util.Map; +import java.util.Objects; import static at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants.TRANSITION_TO_GENERATE_OTHER_LOGIN_METHOD_GUI_TASK; @@ -97,7 +98,7 @@ public class AlternativeSearchTask extends AbstractAuthServletTask { try { final SimpleEidasData altEidasData = convertEidasAttrToSimpleData(); final SimpleEidasData initialEidasData = MatchingTaskUtils.getInitialEidasData(pendingReq); - // TODO Verify that altEidasData and initialEidasData "match"? + verifyAlternativeEidasData(altEidasData, initialEidasData); step11RegisterSearchWithPersonIdentifier(executionContext, altEidasData, initialEidasData); } catch (WorkflowException e) { throw new TaskExecutionException(pendingReq, "Initial search failed", e); @@ -107,6 +108,19 @@ public class AlternativeSearchTask extends AbstractAuthServletTask { } } + private void verifyAlternativeEidasData(SimpleEidasData altEidasData, SimpleEidasData initialEidasData) + throws WorkflowException { + if (initialEidasData == null) { + throw new WorkflowException("step11", "No initial eIDAS authn data"); + } + if (!Objects.equals(altEidasData.getCitizenCountryCode(), initialEidasData.getCitizenCountryCode())) { + throw new WorkflowException("step11", "Country Code of alternative eIDAS authn not matching", true); + } + if (!altEidasData.equalsMds(initialEidasData)) { + throw new WorkflowException("step11", "MDS of alternative eIDAS authn does not match initial authn", true); + } + } + private void step11RegisterSearchWithPersonIdentifier( ExecutionContext executionContext, SimpleEidasData initialEidasData, SimpleEidasData altEidasData) throws WorkflowException, EaafStorageException { -- cgit v1.2.3
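Review bot: The call `step11RegisterSearchWithPersonIdentifier(executionContext, altEidasData, initialEidasData);` passes the alternative data second and the initial data third, while the signature shown in the last hunk declares `(ExecutionContext executionContext, SimpleEidasData initialEidasData, SimpleEidasData altEidasData)`; both parameters share a type, so the compiler cannot catch the swap. Either the call or the parameter names are reversed — step11's body lies outside the hunk, so which one cannot be told from here — and the new verifyAlternativeEidasData(alt, initial) introduces a third ordering, so it is worth settling now. If the call is the wrong side, the fix is `step11RegisterSearchWithPersonIdentifier(executionContext, initialEidasData, altEidasData);`. The enclosing method starts and ends outside the hunk.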
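Review bot: verifyAlternativeEidasData null-checks initialEidasData but dereferences altEidasData on the very next line, so a null from convertEidasAttrToSimpleData() (its contract is outside the hunk) surfaces as a NullPointerException rather than the WorkflowException the caller already handles; a symmetric guard `if (altEidasData == null) { throw new WorkflowException("step11", "No alternative eIDAS authn data"); }` keeps the failure inside the task's error path. The method has no Javadoc; a comment such as `Ensures the alternative eIDAS authentication belongs to the same person as the initial one (same citizen country code and matching MDS) before it is used for the register search.` would record why the check exists. The first throw omits the boolean argument the other two throws pass — if that flag distinguishes user-facing or non-fatal errors, confirm the omission is intended.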