From 68c46a22406af910838b3ee6bbea5a4e9807ddaa Mon Sep 17 00:00:00 2001 From: Thomas <> Date: Tue, 16 Aug 2022 13:20:02 +0200 Subject: feat(eidas): add advanced SP config post-processing based on requested attributes --- .../handler/EJusticePersonRoleHandler.java | 53 +++++++++++ .../handler/IEidasAttributeHandler.java | 9 ++ .../protocol/EidasProxyServiceController.java | 38 +++++++- .../protocol/EidasProxyServiceControllerTest.java | 106 +++++++++++++++++++++ .../services/ProxyEidasAttributeRegistryTest.java | 2 +- .../resources/config/additional-attributes.xml | 10 ++ .../test/resources/config/idaAttributeMapping.json | 10 +- .../resources/config/junit_config_1.properties | 10 +- .../src/main/resources/application.properties | 7 ++ pom.xml | 2 +- 10 files changed, 242 insertions(+), 5 deletions(-) diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticePersonRoleHandler.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticePersonRoleHandler.java index f42a7172..52a69944 100644 --- a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticePersonRoleHandler.java +++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticePersonRoleHandler.java @@ -1,5 +1,17 @@ package at.asitplus.eidas.specific.modules.msproxyservice.handler; +import javax.annotation.PostConstruct; + +import org.apache.commons.lang3.StringUtils; +import org.springframework.beans.factory.annotation.Autowired; + +import at.asitplus.eidas.specific.core.config.ServiceProviderConfiguration; +import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions.SpMandateModes; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils; +import lombok.extern.slf4j.Slf4j; + /** * Attribute handling to integrate BORIS attributes without full IDA support for sector-specific attributes. * @@ -8,6 +20,47 @@ package at.asitplus.eidas.specific.modules.msproxyservice.handler; * @author tlenz * */ +@Slf4j public class EJusticePersonRoleHandler implements IEidasAttributeHandler { + public static final String CONFIG_PROP_IDA_MANDATE_PROFILE = "advanced.atributes.ejusticerole.mandate.profiles"; + public static final String CONFIG_PROP_IDA_MANDATE_MODE = "advanced.atributes.ejusticerole.mandate.mode"; + + @Autowired IConfiguration config; + + private SpMandateModes mandateMode; + private String mandateProfiles; + + @Override + public void performSpConfigPostprocessing(ServiceProviderConfiguration spConfig) { + spConfig.setMandateMode(mandateMode); + spConfig.setMandateProfiles(KeyValueUtils.getListOfCsvValues(mandateProfiles)); + log.info("Enforcing mandate-mode: {} with profile: {}", mandateMode, mandateProfiles); + + } + + + + @PostConstruct + private void initialize() throws EaafConfigurationException { + mandateMode = SpMandateModes.fromString(loadConfigValue(CONFIG_PROP_IDA_MANDATE_MODE)); + mandateProfiles = loadConfigValue(CONFIG_PROP_IDA_MANDATE_PROFILE); + + log.info("Initialize: {} with mandate-profile: {} mandate-mode: {}", + EJusticePersonRoleHandler.class.getSimpleName(), mandateProfiles, mandateMode); + + } + + private String loadConfigValue(String configProp) throws EaafConfigurationException { + String value = config.getBasicConfiguration(configProp); + if (StringUtils.isEmpty(value)) { + throw new EaafConfigurationException("internal.configuration.00", + new Object[]{configProp}); + + } + + return value; + + } + } diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/IEidasAttributeHandler.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/IEidasAttributeHandler.java index 153cf262..02e091ef 100644 --- a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/IEidasAttributeHandler.java +++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/IEidasAttributeHandler.java @@ -1,5 +1,7 @@ package at.asitplus.eidas.specific.modules.msproxyservice.handler; +import at.asitplus.eidas.specific.core.config.ServiceProviderConfiguration; + /** * Handlers for attribute-processing that requires more features than a simple mapping. * @@ -8,6 +10,13 @@ package at.asitplus.eidas.specific.modules.msproxyservice.handler; */ public interface IEidasAttributeHandler { + /** + * Perform attribute-releated post-processing of internal Service-Provider configuration. + * + * @param spConfig SP configuration that was build from incoming eIDAS Authn. request. + */ + void performSpConfigPostprocessing(ServiceProviderConfiguration spConfig); + } diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java index 32be0e22..d0e3d1ba 100644 --- a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java +++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java @@ -8,6 +8,7 @@ import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Objects; +import java.util.Set; import java.util.UUID; import java.util.stream.Collectors; @@ -33,6 +34,7 @@ import at.asitplus.eidas.specific.core.config.ServiceProviderConfiguration; import at.asitplus.eidas.specific.modules.core.eidas.EidasConstants; import at.asitplus.eidas.specific.modules.msproxyservice.MsProxyServiceConstants; import at.asitplus.eidas.specific.modules.msproxyservice.exception.EidasProxyServiceException; +import at.asitplus.eidas.specific.modules.msproxyservice.handler.IEidasAttributeHandler; import at.asitplus.eidas.specific.modules.msproxyservice.service.ProxyEidasAttributeRegistry; import at.asitplus.eidas.specific.modules.msproxyservice.utils.EidasProxyServiceUtils; import at.gv.egiz.components.eventlog.api.EventConstants; @@ -333,7 +335,10 @@ public class EidasProxyServiceController extends AbstractController implements I // map eIDAS attributes to national attributes buildNationalRequestedAttributes(spConfig, eidasRequest); - + + // execute custom attribute-handler + advancedAttributeHandler(spConfig, eidasRequest); + return spConfig; } catch (final EidasProxyServiceException e) { @@ -344,6 +349,37 @@ public class EidasProxyServiceController extends AbstractController implements I } } + + private void advancedAttributeHandler(ServiceProviderConfiguration spConfig, ILightRequest eidasRequest) { + Set requiredHandlers = eidasRequest.getRequestedAttributes().getAttributeMap().keySet().stream() + .map(el -> attrRegistry.mapEidasAttributeToAttributeHandler(el.getNameUri().toString()).orElse(null)) + .filter(Objects::nonNull) + .distinct() + .collect(Collectors.toSet()); + + if (!requiredHandlers.isEmpty()) { + log.info("eIDAS requested attributes requires #{} specific attribute-hander. " + + "Starting advanced attribute-handling ... ", requiredHandlers.size()); + requiredHandlers.forEach(el -> executeAttributeHandler(el, spConfig)); + + } else { + log.debug("No advanced eIDAS attribute-handling required."); + + } + } + + private void executeAttributeHandler(String handlerClass, ServiceProviderConfiguration spConfig) { + try { + IEidasAttributeHandler handler = applicationContext.getBean(handlerClass, IEidasAttributeHandler.class); + + log.trace("Perfom SP config post-processing by using: {}", handler.getClass().getName()); + handler.performSpConfigPostprocessing(spConfig); + + } catch (Exception e) { + log.error("No custom attribute-handler implementation for: {}. Operation can NOT be performed", handlerClass, e); + + } + } private void buildNationalRequestedAttributes( ServiceProviderConfiguration spConfig, ILightRequest eidasRequest) { diff --git a/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/msproxyservice/test/protocol/EidasProxyServiceControllerTest.java b/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/msproxyservice/test/protocol/EidasProxyServiceControllerTest.java index 830360e0..4f62b2eb 100644 --- a/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/msproxyservice/test/protocol/EidasProxyServiceControllerTest.java +++ b/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/msproxyservice/test/protocol/EidasProxyServiceControllerTest.java @@ -731,6 +731,112 @@ public class EidasProxyServiceControllerTest { } + + @Test + public void validAuthnRequestWithBorisAttributeLegal() throws IOException, EaafException { + //initialize state + httpReq.addParameter(EidasParameterKeys.TOKEN.toString(), RandomStringUtils.randomAlphanumeric(10)); + String spCountryCode = RandomStringUtils.randomAlphabetic(2).toUpperCase(); + String issuer = RandomStringUtils.randomAlphabetic(10); + LightRequest.Builder authnReqBuilder = LightRequest.builder() + .id(UUID.randomUUID().toString()) + .issuer(issuer) + .citizenCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) + .levelOfAssurance(EaafConstants.EIDAS_LOA_HIGH) + .spCountryCode(spCountryCode) + .spType("public") + .requestedAttributes(ImmutableAttributeMap.builder() + .put(attrRegistry.getCoreAttributeRegistry().getByFriendlyName( + EidasConstants.eIDAS_ATTR_LEGALNAME).first()) + .put(attrRegistry.getCoreAttributeRegistry().getByFriendlyName( + EidasConstants.eIDAS_ATTR_LEGALPERSONIDENTIFIER).first()) + .put(attrRegistry.getCoreAttributeRegistry().getByFriendlyName( + "eJusticeLegalPersonRole").first()) + .build()); + + proxyService.setiLightRequest(authnReqBuilder.build()); + + + // set default mandate configuration + List mandateProfilesNat = + Arrays.asList(RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5)); + List mandateProfilesJur = + Arrays.asList(RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5)); + config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_ENABLED, "true"); + config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_NATURAL, + StringUtils.join(mandateProfilesNat, ",")); + config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_LEGAL, + StringUtils.join(mandateProfilesJur, ",")); + + + //execute + controller.receiveEidasAuthnRequest(httpReq, httpResp); + + //validate state + ServiceProviderConfiguration spConfig = + authService.getPendingReq().getServiceProviderConfiguration(ServiceProviderConfiguration.class); + assertNotNull("mandateprofiles", spConfig.getMandateProfiles()); + assertFalse("mandateprofiles not empty", spConfig.getMandateProfiles().isEmpty()); + assertEquals("mandateprofile size", 1, spConfig.getMandateProfiles().size()); + assertEquals("mandateprofile", "MUST_BE_UPDATED", spConfig.getMandateProfiles().get(0)); + assertEquals("MandateMode", SpMandateModes.LEGAL, spConfig.getMandateMode()); + + assertEquals("requested IDA attributes", 10, spConfig.getRequestedAttributes().size()); + + } + + @Test + public void validAuthnRequestWithBorisAttributeNat() throws IOException, EaafException { + //initialize state + httpReq.addParameter(EidasParameterKeys.TOKEN.toString(), RandomStringUtils.randomAlphanumeric(10)); + String spCountryCode = RandomStringUtils.randomAlphabetic(2).toUpperCase(); + String issuer = RandomStringUtils.randomAlphabetic(10); + LightRequest.Builder authnReqBuilder = LightRequest.builder() + .id(UUID.randomUUID().toString()) + .issuer(issuer) + .citizenCountryCode(RandomStringUtils.randomAlphabetic(2).toUpperCase()) + .levelOfAssurance(EaafConstants.EIDAS_LOA_HIGH) + .spCountryCode(spCountryCode) + .spType("public") + .requestedAttributes(ImmutableAttributeMap.builder() + .put(attrRegistry.getCoreAttributeRegistry().getByFriendlyName( + EidasConstants.eIDAS_ATTR_PERSONALIDENTIFIER).first()) + .put(attrRegistry.getCoreAttributeRegistry().getByFriendlyName( + "eJusticeNaturalPersonRole").first()) + .build()); + + proxyService.setiLightRequest(authnReqBuilder.build()); + + + // set default mandate configuration + List mandateProfilesNat = + Arrays.asList(RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5)); + List mandateProfilesJur = + Arrays.asList(RandomStringUtils.randomAlphabetic(5), RandomStringUtils.randomAlphabetic(5)); + config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_ENABLED, "true"); + config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_NATURAL, + StringUtils.join(mandateProfilesNat, ",")); + config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_LEGAL, + StringUtils.join(mandateProfilesJur, ",")); + + + //execute + controller.receiveEidasAuthnRequest(httpReq, httpResp); + + //validate state + ServiceProviderConfiguration spConfig = + authService.getPendingReq().getServiceProviderConfiguration(ServiceProviderConfiguration.class); + assertNotNull("mandateprofiles", spConfig.getMandateProfiles()); + assertFalse("mandateprofiles not empty", spConfig.getMandateProfiles().isEmpty()); + assertEquals("mandateprofile size", 1, spConfig.getMandateProfiles().size()); + assertEquals("mandateprofile", "MUST_BE_UPDATED", spConfig.getMandateProfiles().get(0)); + assertEquals("MandateMode", SpMandateModes.LEGAL, spConfig.getMandateMode()); + + assertEquals("requested IDA attributes", 6, spConfig.getRequestedAttributes().size()); + + } + + private void addConnectorConfig(int i, String key, String value) { config.putConfigValue(MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_PREFIX + String.valueOf(i) + "." + key, value); diff --git a/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/msproxyservice/test/services/ProxyEidasAttributeRegistryTest.java b/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/msproxyservice/test/services/ProxyEidasAttributeRegistryTest.java index d3d1d7b0..b6b8a8df 100644 --- a/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/msproxyservice/test/services/ProxyEidasAttributeRegistryTest.java +++ b/modules/eidas_proxy-sevice/src/test/java/at/asitplus/eidas/specific/modules/msproxyservice/test/services/ProxyEidasAttributeRegistryTest.java @@ -139,7 +139,7 @@ public class ProxyEidasAttributeRegistryTest { assertFalse("find wrong attribute", attrRegistry.mapEidasAttributeToAttributeHandler( - "http://e-justice.europa.eu/attributes/legalperson/eJusticeLegalPersonRole").isPresent()); + "http://e-justice.europa.eu/attributes/legalperson/eJusticePersonRoleNotExist").isPresent()); Optional attr2 = attrRegistry.mapEidasAttributeToAttributeHandler( "http://e-justice.europa.eu/attributes/naturalperson/eJusticeNaturalPersonRole"); diff --git a/modules/eidas_proxy-sevice/src/test/resources/config/additional-attributes.xml b/modules/eidas_proxy-sevice/src/test/resources/config/additional-attributes.xml index e40ebdc4..c7b40d90 100644 --- a/modules/eidas_proxy-sevice/src/test/resources/config/additional-attributes.xml +++ b/modules/eidas_proxy-sevice/src/test/resources/config/additional-attributes.xml @@ -54,5 +54,15 @@ xs eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller + http://e-justice.europa.eu/attributes/legalperson/eJusticePersonRoleNotExist + eJusticeLegalPersonRole + LegalPerson + false + http://www.w3.org/2001/XMLSchema + string + xs + eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller + + diff --git a/modules/eidas_proxy-sevice/src/test/resources/config/idaAttributeMapping.json b/modules/eidas_proxy-sevice/src/test/resources/config/idaAttributeMapping.json index a3ff1ead..96034d12 100644 --- a/modules/eidas_proxy-sevice/src/test/resources/config/idaAttributeMapping.json +++ b/modules/eidas_proxy-sevice/src/test/resources/config/idaAttributeMapping.json @@ -138,12 +138,20 @@ }, { "eidasAttribute": "http://e-justice.europa.eu/attributes/legalperson/eJusticeLegalPersonRole", - "specificAttributeHandlerClass": "at.asitplus.eidas.specific.modules.msproxyservice.handler.notExist", + "specificAttributeHandlerClass": "at.asitplus.eidas.specific.modules.msproxyservice.handler.EJusticePersonRoleHandler", "type": { "mds": false, "autoIncludeWithMandates": false } }, + { + "eidasAttribute": "http://e-justice.europa.eu/attributes/legalperson/eJusticePersonRoleNotExist", + "specificAttributeHandlerClass": "at.asitplus.eidas.specific.modules.msproxyservice.handler.notExist", + "type": { + "mds": false, + "autoIncludeWithMandates": false + } + }, { "eidasAttribute": "*", "idaAttribute": { diff --git a/modules/eidas_proxy-sevice/src/test/resources/config/junit_config_1.properties b/modules/eidas_proxy-sevice/src/test/resources/config/junit_config_1.properties index bd4575c3..46e0bb69 100644 --- a/modules/eidas_proxy-sevice/src/test/resources/config/junit_config_1.properties +++ b/modules/eidas_proxy-sevice/src/test/resources/config/junit_config_1.properties @@ -5,4 +5,12 @@ eidas.ms.context.url.request.validation=false eidas.ms.auth.eIDAS.node_v2.proxy.entityId=ownSpecificProxy eidas.ms.auth.eIDAS.node_v2.proxy.forward.endpoint=http://eidas.proxy/endpoint -eidas.ms.auth.eIDAS.proxy.attribute.mapping.config=idaAttributeMapping.json \ No newline at end of file +eidas.ms.auth.eIDAS.proxy.attribute.mapping.config=idaAttributeMapping.json + + +############################################################################# +## advanced eIDAS attribute processing + +# BORIS attribute for eJustice +eidas.ms.advanced.atributes.ejusticerole.mandate.profiles=MUST_BE_UPDATED +eidas.ms.advanced.atributes.ejusticerole.mandate.mode=legal diff --git a/ms_specific_proxyservice/src/main/resources/application.properties b/ms_specific_proxyservice/src/main/resources/application.properties index 8d66a7c0..40587815 100644 --- a/ms_specific_proxyservice/src/main/resources/application.properties +++ b/ms_specific_proxyservice/src/main/resources/application.properties @@ -115,4 +115,11 @@ eidas.ms.modules.idaustriaauth.keystore.type=jks #eidas.ms.modules.idaustriaauth.truststore.password= +############################################################################# +## advanced eIDAS attribute processing + +# BORIS attribute for eJustice +eidas.ms.advanced.atributes.ejusticerole.mandate.profiles=MUST_BE_UPDATED +eidas.ms.advanced.atributes.ejusticerole.mandate.mode=legal + diff --git a/pom.xml b/pom.xml index 946dd3ec..e20e076e 100644 --- a/pom.xml +++ b/pom.xml @@ -22,7 +22,7 @@ 0.3 0.4 - 1.3.3-SNAPSHOT + 1.3.4-SNAPSHOT 2.5.13 2.5.6 -- cgit v1.2.3