From 44464bfe90a47e48cd3a76fb30d38c226f0af786 Mon Sep 17 00:00:00 2001
From: Thomas <>
Date: Tue, 27 Jul 2021 13:41:47 +0200
Subject: add work-around for representation of legal person in DE4A project.
 Work-around can be removed in a future version

---
 .../msproxyservice/MsProxyServiceConstants.java    |   4 +
 .../protocol/EidasProxyServiceController.java      |  26 +--
 .../protocol/ProxyServiceAuthenticationAction.java |  73 +++++++--
 .../utils/EidasProxyServiceUtils.java              |  45 +++++
 .../ProxyServiceAuthenticationActionTest.java      | 181 ++++++++++++++++++---
 5 files changed, 277 insertions(+), 52 deletions(-)
 create mode 100644 eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/utils/EidasProxyServiceUtils.java

diff --git a/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java b/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java
index 65fb556a..bf71ba64 100644
--- a/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java
+++ b/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java
@@ -39,6 +39,10 @@ public class MsProxyServiceConstants {
   public static final String CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_LEGAL = 
       Constants.CONIG_PROPS_EIDAS_PREFIX + ".proxy.mandates.profiles.legal.default";
   
+  
+  public static final String CONIG_PROPS_EIDAS_PROXY_WORKAROUND_MANDATES_LEGAL_PERSON = 
+      Constants.CONIG_PROPS_EIDAS_PREFIX + ".proxy.workaround.mandates.legalperson";
+  
   // specific eIDAS-Connector configuration
   public static final String CONIG_PROPS_CONNECTOR_PREFIX = "connector";
   public static final String CONIG_PROPS_CONNECTOR_UNIQUEID = EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER;
diff --git a/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java b/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java
index a9cc998e..56b34257 100644
--- a/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java
+++ b/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java
@@ -29,6 +29,7 @@ import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry;
 import at.asitplus.eidas.specific.modules.msproxyservice.MsProxyServiceConstants;
 import at.asitplus.eidas.specific.modules.msproxyservice.exception.EidasProxyServiceException;
+import at.asitplus.eidas.specific.modules.msproxyservice.utils.EidasProxyServiceUtils;
 import at.gv.egiz.components.eventlog.api.EventConstants;
 import at.gv.egiz.eaaf.core.api.IRequest;
 import at.gv.egiz.eaaf.core.api.data.EaafConfigConstants;
@@ -261,7 +262,8 @@ public class EidasProxyServiceController extends AbstractController implements I
       throws EidasProxyServiceException {    
     // check if natural-person and legal-person attributes requested in parallel
     if (spConfig.isConfigurationValue(MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_VALIDATION_ATTR_MDS, true) 
-        && isLegalPersonRequested(eidasRequest) && isNaturalPersonRequested(eidasRequest)) {
+        && EidasProxyServiceUtils.isLegalPersonRequested(eidasRequest) 
+        && EidasProxyServiceUtils.isNaturalPersonRequested(eidasRequest)) {
       throw new EidasProxyServiceException(ERROR_08, null);
       
     }
@@ -382,7 +384,7 @@ public class EidasProxyServiceController extends AbstractController implements I
       injectMandateInfosIntoSpConfig(spConfig, eidasRequest);
                  
     } else {            
-      if (isLegalPersonRequested(eidasRequest)) {
+      if (EidasProxyServiceUtils.isLegalPersonRequested(eidasRequest)) {
         throw new EidasProxyServiceException(ERROR_09, null);
         
       } 
@@ -400,7 +402,7 @@ public class EidasProxyServiceController extends AbstractController implements I
         spConfig.getUniqueIdentifier());
 
     //check if legal person is requested
-    boolean isLegalPersonRequested = isLegalPersonRequested(eidasRequest);
+    boolean isLegalPersonRequested = EidasProxyServiceUtils.isLegalPersonRequested(eidasRequest);
             
     // set mandate profiles 
     if (isLegalPersonRequested) {
@@ -409,7 +411,7 @@ public class EidasProxyServiceController extends AbstractController implements I
       
       spConfig.setMandateMode(SpMandateModes.LEGAL_FORCE);
       
-    } else if (isNaturalPersonRequested(eidasRequest)) {
+    } else if (EidasProxyServiceUtils.isNaturalPersonRequested(eidasRequest)) {
       spConfig.setMandateProfiles(KeyValueUtils.getListOfCsvValues(
           spConfig.getConfigurationValue(MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_MANDATES_PROFILE_NATURAL)));
       
@@ -433,20 +435,4 @@ public class EidasProxyServiceController extends AbstractController implements I
     }
     
   }
-
-  private boolean isLegalPersonRequested(ILightRequest eidasRequest) {
-    return eidasRequest.getRequestedAttributes().entrySet().stream()
-        .filter(el -> el.getKey().getFriendlyName().equals(Constants.eIDAS_ATTR_LEGALPERSONIDENTIFIER))
-        .findFirst()
-        .isPresent();
-    
-  }
-  
-  private boolean isNaturalPersonRequested(ILightRequest eidasRequest) {
-    return eidasRequest.getRequestedAttributes().entrySet().stream()
-        .filter(el -> el.getKey().getFriendlyName().equals(Constants.eIDAS_ATTR_PERSONALIDENTIFIER))
-        .findFirst()
-        .isPresent();
-    
-  }
 }
diff --git a/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/ProxyServiceAuthenticationAction.java b/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/ProxyServiceAuthenticationAction.java
index 805bbc42..33d9fdc0 100644
--- a/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/ProxyServiceAuthenticationAction.java
+++ b/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/ProxyServiceAuthenticationAction.java
@@ -20,6 +20,7 @@ import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry;
 import at.asitplus.eidas.specific.modules.msproxyservice.MsProxyServiceConstants;
 import at.asitplus.eidas.specific.modules.msproxyservice.exception.EidasProxyServiceException;
+import at.asitplus.eidas.specific.modules.msproxyservice.utils.EidasProxyServiceUtils;
 import at.gv.egiz.eaaf.core.api.IRequest;
 import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions;
 import at.gv.egiz.eaaf.core.api.gui.ISpringMvcGuiFormBuilder;
@@ -94,7 +95,7 @@ public class ProxyServiceAuthenticationAction implements IAction {
         lightRespBuilder.issuer(basicConfig.getBasicConfiguration(
             MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_NODE_ENTITYID));
         lightRespBuilder.levelOfAssurance(authData.getEidasQaaLevel());       
-        lightRespBuilder.attributes(buildAttributesFromAuthData(authData));
+        lightRespBuilder.attributes(buildAttributesFromAuthData(authData, eidasReq));
         
         // set SLO response object of EAAF framework
         final SloInformationImpl sloInformation = new SloInformationImpl();
@@ -202,13 +203,18 @@ public class ProxyServiceAuthenticationAction implements IAction {
   }
   
   
-  private ImmutableAttributeMap buildAttributesFromAuthData(IAuthData authData) {
+  private ImmutableAttributeMap buildAttributesFromAuthData(IAuthData authData, 
+      ILightRequest eidasReq) {
     IEidAuthData eidAuthData = (IEidAuthData) authData;
     if (eidAuthData.isUseMandate()) {
       log.debug("Building eIDAS Proxy-Service response with mandate ... ");
       final ImmutableAttributeMap.Builder attributeMap = ImmutableAttributeMap.builder();
       injectRepesentativeInformation(attributeMap, eidAuthData);
-      injectMandatorInformation(attributeMap, eidAuthData);  
+      injectMandatorInformation(attributeMap, eidAuthData);
+      
+      // work-around that injects nat. person subject to bypass validation on eIDAS Node
+      injectJurPersonWorkaroundIfRequired(attributeMap, eidasReq, authData);
+      
       return attributeMap.build();
             
     } else {
@@ -217,7 +223,7 @@ public class ProxyServiceAuthenticationAction implements IAction {
       
     }   
   }
-  
+    
   private void injectMandatorInformation(
       ImmutableAttributeMap.Builder attributeMap, IEidAuthData eidAuthData) {    
     String natMandatorId = eidAuthData.getGenericData(
@@ -278,7 +284,39 @@ public class ProxyServiceAuthenticationAction implements IAction {
     
   }
 
-  private ImmutableAttributeMap buildAttributesWithoutMandate(IEidAuthData eidAuthData) {
+  /**
+   * Work-around to inject representative information as nat. person subject to bypass eIDAS Node validation. 
+   * 
+   * <p><b>Injection will only be done if this work-around is enabled by configuration, 
+   * the mandator is a legal person, and both legal and natural person subject's is requested.</b></p>
+   * 
+   * @param attributeMap Attribute set for eIDAS response
+   * @param eidasReq Incoming eIDAS request
+   * @param authData Authentication data
+   */
+  private void injectJurPersonWorkaroundIfRequired(
+      ImmutableAttributeMap.Builder attributeMap, ILightRequest eidasReq, IAuthData authData) {
+    if (isLegalPersonWorkaroundActive() && isLegalPersonMandateAvailable(authData) 
+        && EidasProxyServiceUtils.isNaturalPersonRequested(eidasReq)
+        && EidasProxyServiceUtils.isLegalPersonRequested(eidasReq)) {
+      log.debug("Injecting representative information as nat. person subject to bypass eIDAS Node validation");
+      attributeMap.putAll(buildAttributesWithoutMandate(authData));
+      
+    }        
+  }
+  
+  private ImmutableAttributeMap buildAttributesWithoutMandate(IAuthData eidAuthData) {        
+    //TODO: throw an error in case of SZR Date with month or day = "00"
+    return buildAttributesWithoutMandate(
+        eidAuthData.getGenericData(MsProxyServiceConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER, String.class), 
+        eidAuthData.getFamilyName(), 
+        eidAuthData.getGivenName(), 
+        eidAuthData.getDateOfBirth());
+    
+  }
+
+  private ImmutableAttributeMap buildAttributesWithoutMandate(String personalIdentifier, String familyName,
+      String givenName, String dateOfBirth) {
     final AttributeDefinition<?> attrDefPersonalId = attrRegistry.getCoreAttributeRegistry().getByFriendlyName(
         Constants.eIDAS_ATTR_PERSONALIDENTIFIER).first();
     final AttributeDefinition<?> attrDefFamilyName = attrRegistry.getCoreAttributeRegistry().getByFriendlyName(
@@ -290,18 +328,15 @@ public class ProxyServiceAuthenticationAction implements IAction {
    
     final ImmutableAttributeMap.Builder attributeMap = 
         ImmutableAttributeMap.builder()
-        .put(attrDefPersonalId, 
-            eidAuthData.getGenericData(MsProxyServiceConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER, String.class))
-        .put(attrDefFamilyName, eidAuthData.getFamilyName())
-        .put(attrDefGivenName, eidAuthData.getGivenName())
-        
-        //TODO: throw an error in case of SZR Date with month or day = "00"
-        .put(attrDefDateOfBirth, eidAuthData.getDateOfBirth());
+        .put(attrDefPersonalId, personalIdentifier)
+        .put(attrDefFamilyName, familyName)
+        .put(attrDefGivenName, givenName)        
+        .put(attrDefDateOfBirth, dateOfBirth);
     
     return attributeMap.build();
     
   }
-
+  
   private BinaryLightToken putResponseInCommunicationCache(ILightResponse lightResponse)
       throws ServletException {
     final BinaryLightToken binaryLightToken;
@@ -322,5 +357,17 @@ public class ProxyServiceAuthenticationAction implements IAction {
     return binaryLightToken;
   }
 
+  private boolean isLegalPersonWorkaroundActive() {
+    return basicConfig.getBasicConfigurationBoolean(
+        MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_WORKAROUND_MANDATES_LEGAL_PERSON, 
+        false);
+    
+  }
+  
+  private boolean isLegalPersonMandateAvailable(IAuthData authData) {
+    return StringUtils.isNoneEmpty(authData.getGenericData(
+          MsProxyServiceConstants.ATTR_EIDAS_JUR_MANDATOR_PERSONAL_IDENTIFIER, String.class));
+    
+  }
 
 }
diff --git a/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/utils/EidasProxyServiceUtils.java b/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/utils/EidasProxyServiceUtils.java
new file mode 100644
index 00000000..4cd7ba6c
--- /dev/null
+++ b/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/utils/EidasProxyServiceUtils.java
@@ -0,0 +1,45 @@
+package at.asitplus.eidas.specific.modules.msproxyservice.utils;
+
+import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants;
+import eu.eidas.auth.commons.light.ILightRequest;
+
+/**
+ * Common utils for eIDAS Proxy-Service implementation.
+ * 
+ * @author tlenz
+ *
+ */
+public class EidasProxyServiceUtils {
+
+  /**
+   * Check if legal person subject is requested by eIDAS Connector.
+   * 
+   * @param eidasRequest Authentication request from eIDAS Connector.
+   * @return <code>true</code> if <i>LegalPersonIdentifier</i> is requested, otherwise <code>false</code>lse
+   */
+  public static boolean isLegalPersonRequested(ILightRequest eidasRequest) {
+    return eidasRequest.getRequestedAttributes().entrySet().stream()
+        .filter(el -> el.getKey().getFriendlyName().equals(Constants.eIDAS_ATTR_LEGALPERSONIDENTIFIER))
+        .findFirst()
+        .isPresent();
+    
+  }
+  
+  /**
+   * Check if natural person subject is requested by eIDAS Connector.
+   * 
+   * @param eidasRequest Authentication request from eIDAS Connector.
+   * @return <code>true</code> if <i>PersonIdentifier</i> is requested, otherwise <code>false</code>lse
+   */
+  public static boolean isNaturalPersonRequested(ILightRequest eidasRequest) {
+    return eidasRequest.getRequestedAttributes().entrySet().stream()
+        .filter(el -> el.getKey().getFriendlyName().equals(Constants.eIDAS_ATTR_PERSONALIDENTIFIER))
+        .findFirst()
+        .isPresent();
+    
+  }
+  
+  private EidasProxyServiceUtils() {
+    //hide constructor for class with static methods only
+  }
+}
diff --git a/eidas_modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/protocol/ProxyServiceAuthenticationActionTest.java b/eidas_modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/protocol/ProxyServiceAuthenticationActionTest.java
index a42b30d4..a5c76773 100644
--- a/eidas_modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/protocol/ProxyServiceAuthenticationActionTest.java
+++ b/eidas_modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/auth/idaustria/test/protocol/ProxyServiceAuthenticationActionTest.java
@@ -4,6 +4,7 @@ import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CON
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertThrows;
 import static org.junit.Assert.assertTrue;
 
@@ -57,6 +58,7 @@ import eu.eidas.auth.commons.attribute.AttributeDefinition;
 import eu.eidas.auth.commons.attribute.ImmutableAttributeMap;
 import eu.eidas.auth.commons.light.ILightResponse;
 import eu.eidas.auth.commons.light.impl.LightRequest;
+import eu.eidas.auth.commons.light.impl.LightRequest.Builder;
 import eu.eidas.specificcommunication.SpecificCommunicationDefinitionBeanNames;
 import eu.eidas.specificcommunication.exception.SpecificCommunicationException;
 import eu.eidas.specificcommunication.protocol.SpecificCommunicationService;
@@ -93,7 +95,9 @@ public class ProxyServiceAuthenticationActionTest {
     RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpReq, httpResp));
     
     basicConfig.putConfigValue("eidas.ms.auth.eIDAS.node_v2.proxy.forward.endpoint", 
-        "http://eidas.proxy/endpoint");
+        "http://eidas.proxy/endpoint");    
+    basicConfig.putConfigValue("auth.eIDAS.proxy.workaround.mandates.legalperson", 
+        "false");
     
     final Map<String, String> spConfig = new HashMap<>();
     spConfig.put(EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER, "testSp");
@@ -106,15 +110,7 @@ public class ProxyServiceAuthenticationActionTest {
     pendingReq.initialize(httpReq, basicConfig);
     pendingReq.setOnlineApplicationConfiguration(oaParam);
     
-    LightRequest.Builder eidasRequestBuilder = LightRequest.builder()
-        .id(UUID.randomUUID().toString())
-        .issuer(RandomStringUtils.randomAlphabetic(10))
-        .citizenCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase())
-        .levelOfAssurance(EaafConstants.EIDAS_LOA_HIGH)
-        .spCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase())
-        .spType("public")
-        .requesterId(RandomStringUtils.randomAlphanumeric(10))
-        .providerName(RandomStringUtils.randomAlphanumeric(10));
+    LightRequest.Builder eidasRequestBuilder = generateBasicLightRequest();
     pendingReq.setEidasRequest(eidasRequestBuilder.build());
     
     
@@ -252,6 +248,136 @@ public class ProxyServiceAuthenticationActionTest {
     checkAttrValue(respAttr, Constants.eIDAS_ATTR_LEGALNAME, 
         (String) attr.get(PvpAttributeDefinitions.MANDATE_LEG_PER_FULL_NAME_NAME));
     
+    assertNull("find nat. person subject: personalId", 
+        getAttrValue(respAttr, Constants.eIDAS_ATTR_PERSONALIDENTIFIER));
+    assertNull("find nat. person subject: familyName", 
+        getAttrValue(respAttr, Constants.eIDAS_ATTR_CURRENTFAMILYNAME));
+    assertNull("find nat. person subject: givenName", 
+        getAttrValue(respAttr, Constants.eIDAS_ATTR_CURRENTGIVENNAME));
+    assertNull("find nat. person subject: dateOfBirth", 
+        getAttrValue(respAttr, Constants.eIDAS_ATTR_DATEOFBIRTH));
+    
+  }
+  
+  @Test
+  public void responseWithNatMandateWithWorkAround() throws EaafException, SpecificCommunicationException {
+    basicConfig.putConfigValue("auth.eIDAS.proxy.workaround.mandates.legalperson", 
+        "true");
+    
+    //request natural person subject only
+    LightRequest.Builder eidasRequestBuilder = generateBasicLightRequest();
+    eidasRequestBuilder.requestedAttributes(ImmutableAttributeMap.builder().put(
+        attrRegistry.getCoreAttributeRegistry().getByFriendlyName(Constants.eIDAS_ATTR_PERSONALIDENTIFIER).first()).build());
+    pendingReq.setEidasRequest(eidasRequestBuilder.build());
+    
+    
+    Map<String, Object> attr = new HashMap<>();
+    attr.put(MsProxyServiceConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER, 
+        "AT+XX:" + RandomStringUtils.randomAlphanumeric(10));    
+    
+    attr.put(MsProxyServiceConstants.ATTR_EIDAS_NAT_MANDATOR_PERSONAL_IDENTIFIER,
+        RandomStringUtils.randomAlphabetic(10));
+    attr.put(PvpAttributeDefinitions.MANDATE_NAT_PER_GIVEN_NAME_NAME,
+        RandomStringUtils.randomAlphabetic(10));
+    attr.put(PvpAttributeDefinitions.MANDATE_NAT_PER_FAMILY_NAME_NAME,
+        RandomStringUtils.randomAlphabetic(10));
+    attr.put(PvpAttributeDefinitions.MANDATE_NAT_PER_BIRTHDATE_NAME,
+        "1985-11-15");
+    
+    
+    IAuthData authData = generateDummyAuthData(attr , EaafConstants.EIDAS_LOA_HIGH,
+        RandomStringUtils.randomAlphanumeric(10), RandomStringUtils.randomAlphanumeric(10), "1945-04-18", true);
+    
+    //perform test
+    SloInformationInterface result = action.processRequest(pendingReq, httpReq, httpResp, authData);
+    
+    //validate state
+    Assert.assertNotNull("Result should be not null", result);
+    
+    ImmutableAttributeMap respAttr = validateBasicEidasResponse(authData);
+    assertEquals("wrong attr. size", 8, respAttr.size());    
+            
+  }
+  
+  @Test
+  public void responseWithJurMandateWithWorkAround() throws EaafException, SpecificCommunicationException {
+    basicConfig.putConfigValue("auth.eIDAS.proxy.workaround.mandates.legalperson", 
+        "true");
+    
+    //request natural person subject only
+    LightRequest.Builder eidasRequestBuilder = generateBasicLightRequest();
+    eidasRequestBuilder.requestedAttributes(ImmutableAttributeMap.builder()
+        .put(attrRegistry.getCoreAttributeRegistry().getByFriendlyName(Constants.eIDAS_ATTR_PERSONALIDENTIFIER).first())
+        .put(attrRegistry.getCoreAttributeRegistry().getByFriendlyName(Constants.eIDAS_ATTR_LEGALPERSONIDENTIFIER).first())
+        .build());
+    pendingReq.setEidasRequest(eidasRequestBuilder.build());
+        
+    Map<String, Object> attr = new HashMap<>();
+    attr.put(MsProxyServiceConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER, 
+        "AT+XX:" + RandomStringUtils.randomAlphanumeric(10));    
+    IAuthData authData = generateDummyAuthData(attr , EaafConstants.EIDAS_LOA_HIGH,
+        RandomStringUtils.randomAlphanumeric(10), RandomStringUtils.randomAlphanumeric(10), "1945-04-18", true);
+    
+    attr.put(MsProxyServiceConstants.ATTR_EIDAS_JUR_MANDATOR_PERSONAL_IDENTIFIER,
+        RandomStringUtils.randomAlphabetic(10));
+    attr.put(PvpAttributeDefinitions.MANDATE_LEG_PER_FULL_NAME_NAME,
+        RandomStringUtils.randomAlphabetic(10));
+    
+    //perform test
+    SloInformationInterface result = action.processRequest(pendingReq, httpReq, httpResp, authData);
+    
+    //validate state
+    Assert.assertNotNull("Result should be not null", result);
+    
+    ImmutableAttributeMap respAttr = validateBasicEidasResponse(authData);
+    assertEquals("wrong attr. size", 10, respAttr.size());  
+    checkAttrValue(respAttr, Constants.eIDAS_ATTR_PERSONALIDENTIFIER, 
+        (String) attr.get(MsProxyServiceConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER));
+    checkAttrValue(respAttr, Constants.eIDAS_ATTR_CURRENTFAMILYNAME, authData.getFamilyName());
+    checkAttrValue(respAttr, Constants.eIDAS_ATTR_CURRENTGIVENNAME, authData.getGivenName());
+    checkAttrValue(respAttr, Constants.eIDAS_ATTR_DATEOFBIRTH, authData.getDateOfBirth());
+   
+  }
+  
+  @Test
+  public void responseWithJurMandateWithWorkAroundNoNatSubject() throws EaafException, SpecificCommunicationException {
+    basicConfig.putConfigValue("auth.eIDAS.proxy.workaround.mandates.legalperson", 
+        "true");
+    
+    //request natural person subject only
+    LightRequest.Builder eidasRequestBuilder = generateBasicLightRequest();
+    eidasRequestBuilder.requestedAttributes(ImmutableAttributeMap.builder()
+        .put(attrRegistry.getCoreAttributeRegistry().getByFriendlyName(Constants.eIDAS_ATTR_LEGALPERSONIDENTIFIER).first())
+        .build());
+    pendingReq.setEidasRequest(eidasRequestBuilder.build());
+        
+    Map<String, Object> attr = new HashMap<>();
+    attr.put(MsProxyServiceConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER, 
+        "AT+XX:" + RandomStringUtils.randomAlphanumeric(10));    
+    IAuthData authData = generateDummyAuthData(attr , EaafConstants.EIDAS_LOA_HIGH,
+        RandomStringUtils.randomAlphanumeric(10), RandomStringUtils.randomAlphanumeric(10), "1945-04-18", true);
+    
+    attr.put(MsProxyServiceConstants.ATTR_EIDAS_JUR_MANDATOR_PERSONAL_IDENTIFIER,
+        RandomStringUtils.randomAlphabetic(10));
+    attr.put(PvpAttributeDefinitions.MANDATE_LEG_PER_FULL_NAME_NAME,
+        RandomStringUtils.randomAlphabetic(10));
+    
+    //perform test
+    SloInformationInterface result = action.processRequest(pendingReq, httpReq, httpResp, authData);
+    
+    //validate state
+    Assert.assertNotNull("Result should be not null", result);
+    
+    ImmutableAttributeMap respAttr = validateBasicEidasResponse(authData);
+    assertEquals("wrong attr. size", 6, respAttr.size());     
+    assertNull("find nat. person subject: personalId", 
+        getAttrValue(respAttr, Constants.eIDAS_ATTR_PERSONALIDENTIFIER));
+    assertNull("find nat. person subject: familyName", 
+        getAttrValue(respAttr, Constants.eIDAS_ATTR_CURRENTFAMILYNAME));
+    assertNull("find nat. person subject: givenName", 
+        getAttrValue(respAttr, Constants.eIDAS_ATTR_CURRENTGIVENNAME));
+    assertNull("find nat. person subject: dateOfBirth", 
+        getAttrValue(respAttr, Constants.eIDAS_ATTR_DATEOFBIRTH));
     
   }
   
@@ -271,20 +397,24 @@ public class ProxyServiceAuthenticationActionTest {
     
   }
   
-  private void checkAttrValue(ImmutableAttributeMap respAttr, String attrName, String expected) {
+  private Object getAttrValue(ImmutableAttributeMap respAttr, String attrName) {
     final AttributeDefinition<?> attrDef = 
         attrRegistry.getCoreAttributeRegistry().getByFriendlyName(attrName).first();
-    Object value = respAttr.getFirstValue(attrDef);  
-   assertNotNull("not attr value: " + attrName, value);
+    return respAttr.getFirstValue(attrDef); 
+    
+  }
+  
+  private void checkAttrValue(ImmutableAttributeMap respAttr, String attrName, String expected) {
+    Object value = getAttrValue(respAttr, attrName);  
+    assertNotNull("not attr value: " + attrName, value);
    
-   if (value instanceof String) {
-     assertEquals("wrong attr. value: " + attrName, expected, value);
+    if (value instanceof String) {
+      assertEquals("wrong attr. value: " + attrName, expected, value);
      
-   } else if ( value instanceof DateTime) {
-     assertEquals("wrong attr. value: " + attrName, expected, ((DateTime)value).toString("yyyy-MM-dd"));
+    } else if ( value instanceof DateTime) {
+      assertEquals("wrong attr. value: " + attrName, expected, ((DateTime)value).toString("yyyy-MM-dd"));
           
-   }
-        
+    }       
   }
   
   private ImmutableAttributeMap validateBasicEidasResponse(IAuthData authData) throws SpecificCommunicationException {
@@ -308,6 +438,19 @@ public class ProxyServiceAuthenticationActionTest {
     
   }
   
+  private Builder generateBasicLightRequest() {
+    return LightRequest.builder()
+        .id(UUID.randomUUID().toString())
+        .issuer(RandomStringUtils.randomAlphabetic(10))
+        .citizenCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase())
+        .levelOfAssurance(EaafConstants.EIDAS_LOA_HIGH)
+        .spCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase())
+        .spType("public")
+        .requesterId(RandomStringUtils.randomAlphanumeric(10))
+        .providerName(RandomStringUtils.randomAlphanumeric(10));
+    
+  }
+  
   private IAuthData generateDummyAuthData(Map<String, Object> attrs, String loa, String familyName, String givenName, String dateOfBirth, 
       boolean useMandates) {
     return new IEidAuthData() {
-- 
cgit v1.2.3