From 72785de93272ba74a5b587403cd5097727674115 Mon Sep 17 00:00:00 2001
From: Thomas <>
Date: Thu, 2 Mar 2023 11:09:43 +0100
Subject: feat(connector): make nameIdFormat configurable for earch citizen country

---
 .../eidas/v2/handler/AbstractEidProcessor.java | 16 +++++++
 .../eidas/v2/tasks/GenerateAuthnRequestTask.java | 4 --
 .../test/tasks/GenerateAuthnRequestTaskTest.java | 50 +++++++++++++++++++++-
 .../resources/config/junit_config_1.properties | 2 +
 .../src/main/resources/application.properties | 2 +
 5 files changed, 69 insertions(+), 5 deletions(-)

diff --git a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java
index fa26e48f..80348f3d 100644
--- a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java
+++ b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java
@@ -78,6 +78,7 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor {
 validateSelectionWithState(pendingReq, countryCode);
 // build country-specific authentication request
+ buildNameIdPolicy(authnRequestBuilder, countryCode);
 buildLevelOfAssurance(pendingReq.getServiceProviderConfiguration(), authnRequestBuilder);
 buildProviderNameAndRequesterIdAttribute(pendingReq, authnRequestBuilder);
 buildRequestedAttributes(authnRequestBuilder);
@@ -320,6 +321,21 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor {
 }
+ private void buildNameIdPolicy(Builder authnRequestBuilder, String countryCode) {
+ String ccSpecificPolicy = basicConfig.getBasicConfiguration(
+ Constants.CONFIG_PROP_EIDAS_NODE_NAMEIDFORMAT + "." + countryCode.toLowerCase());
+
+ if (StringUtils.isNotEmpty(ccSpecificPolicy)) {
+ log.debug("Using specific nameIdFormat:{} to request: {}", ccSpecificPolicy, countryCode);
+ authnRequestBuilder.nameIdFormat(ccSpecificPolicy);
+
+ } else {
+ log.trace("Using default nameIdFormat to request: {}", countryCode);
+ authnRequestBuilder.nameIdFormat(
+ basicConfig.getBasicConfiguration(Constants.CONFIG_PROP_EIDAS_NODE_NAMEIDFORMAT));
+
+ }
+ }
 private void buildRequestedAttributes(Builder authnRequestBuilder) {
 // build and add requested attribute set
diff --git a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java
index cf6ecb8d..82489e25 100644
--- a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java
+++ b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java
@@ -181,10 +181,6 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
 final LightRequest.Builder builder = LightRequest.builder();
 builder.id(UUID.randomUUID().toString());
- // set nameIDFormat
- builder.nameIdFormat(
- authConfig.getBasicConfiguration(Constants.CONFIG_PROP_EIDAS_NODE_NAMEIDFORMAT));
-
 builder.citizenCountryCode(citizenCountryCode);
 builder.issuer(issuer);
 // Add country-specific information into eIDAS request
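Review bot: `countryCode.toLowerCase()` in the config-key lookup of buildNameIdPolicy is locale-sensitive, so under a Turkish default locale a country code containing `I` lower-cases to a dotless ı and the `.it`-style override key silently fails to match and the default format is sent instead; use `countryCode.toLowerCase(Locale.ROOT)` (java.util.Locale). The new private method has no Javadoc; a comment such as `/** Sets the requested NameID format from '<nameIdFormat key>.<cc lower-case>' when that property is set, otherwise from the global nameIdFormat property. */` would record the lookup order for the next reader. The else branch hands whatever the global property returns straight to the builder, so with neither key configured the builder still receives a null or empty value — the same behaviour as the assignment this commit removes from GenerateAuthnRequestTask, but now easier to miss, so a debug log line for that case would help operators. Since the task no longer sets nameIdFormat itself, an INationalEidProcessor that does not extend AbstractEidProcessor would presumably send no NameIDPolicy at all after this change; worth confirming no such implementation exists.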
diff --git a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/GenerateAuthnRequestTaskTest.java b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/GenerateAuthnRequestTaskTest.java
index 761738aa..f9bca8e3 100644
--- a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/GenerateAuthnRequestTaskTest.java
+++ b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/GenerateAuthnRequestTaskTest.java
@@ -95,7 +95,8 @@ public class GenerateAuthnRequestTaskTest {
 basicConfig.putConfigValue( "eidas.ms.auth.eIDAS.node_v2.forward.method", "GET");
 basicConfig.removeConfigValue("eidas.ms.auth.eIDAS.node_v2.requested.nameIdFormat");
- basicConfig.removeConfigValue(Constants.CONIG_PROPS_EIDAS_WORKAROUND_STAGING_MS_CONNECTOR);
+ basicConfig.removeConfigValue(Constants.CONIG_PROPS_EIDAS_WORKAROUND_STAGING_MS_CONNECTOR);
+ basicConfig.removeConfigValue("eidas.ms.auth.eIDAS.node_v2.requested.nameIdFormat.de");
 }
@@ -502,6 +503,48 @@ public class GenerateAuthnRequestTaskTest {
 }
+ @Test
+ public void ccSpecificNameIdFormat() throws TaskExecutionException,
+ SpecificCommunicationException, EaafStorageException, UnsupportedEncodingException {
+ // set-up test
+ executionContext.put(MsEidasNodeConstants.REQ_PARAM_SELECTED_COUNTRY, "DE");
+ executionContext.put("selectedEnvironment", "prod");
+
+ String providerName = RandomStringUtils.randomAlphanumeric(10);
+ pendingReq.setRawDataToTransaction(Constants.DATA_PROVIDERNAME, providerName);
+
+ basicConfig.removeConfigValue("eidas.ms.auth.eIDAS.node_v2.publicSectorTargets");
+ basicConfig.putConfigValue(
+ "eidas.ms.auth.eIDAS.node_v2.requested.nameIdFormat.de",
+ "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
+
+ String dynEndPoint = "http://test/" + RandomStringUtils.randomAlphabetic(5);
+ basicConfig.putConfigValue(
+ "eidas.ms.auth.eIDAS.node_v2.forward.endpoint", dynEndPoint);
+ basicConfig.putConfigValue(
+ "eidas.ms.auth.eIDAS.node_v2.forward.method", "GET");
+
+ // execute test
+ task.execute(pendingReq, executionContext);
+
+ // validate state
+ Assert.assertEquals("Wrong http statusCode", 302, httpResp.getStatus());
+ Assert.assertNotNull("No redirect header", httpResp.getHeaderValue("Location"));
+ Assert.assertTrue("Wrong redirect endpoint",
+ ((String) httpResp.getHeaderValue("Location")).startsWith(dynEndPoint));
+
+ final ILightRequest eidasReq = commService.getAndRemoveRequest(null, null);
+
+ Assert.assertEquals("no PublicSP", "public", eidasReq.getSpType());
+ Assert.assertEquals("wrong LoA", EaafConstants.EIDAS_LOA_HIGH,
+ eidasReq.getLevelOfAssurance());
+
+ Assert.assertEquals("Wrong req. attr. 
size", 8, eidasReq.getRequestedAttributes().size());
+
+ Assert.assertEquals("nameIdFormat", "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+ eidasReq.getNameIdFormat());
+ }
+
 @Test
 public void withEidasNodePostReqNotValidTemplate() throws TaskExecutionException, SpecificCommunicationException, EaafStorageException, UnsupportedEncodingException {
@@ -637,6 +680,9 @@ public class GenerateAuthnRequestTaskTest {
 String providerName = RandomStringUtils.randomAlphanumeric(10);
 pendingReq.setRawDataToTransaction(Constants.DATA_PROVIDERNAME, providerName);
+ basicConfig.putConfigValue(
+ "eidas.ms.auth.eIDAS.node_v2.requested.nameIdFormat",
+ "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
 basicConfig.removeConfigValue("eidas.ms.auth.eIDAS.node_v2.publicSectorTargets");
 basicConfig.putConfigValue( "eidas.ms.auth.eIDAS.node_v2.workarounds.addAlwaysProviderName", "false");
@@ -665,6 +711,8 @@ public class GenerateAuthnRequestTaskTest {
 Assert.assertNull("RequesterId found", eidasReq.getRequesterId());
 Assert.assertEquals("no PublicSP", "public", eidasReq.getSpType());
 Assert.assertEquals("wrong LoA", "http://eidas.europa.eu/LoA/high", eidasReq.getLevelOfAssurance());
+ Assert.assertEquals("nameIdFormat", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
+ eidasReq.getNameIdFormat());
 }
diff --git a/modules/authmodule-eIDAS-v2/src/test/resources/config/junit_config_1.properties b/modules/authmodule-eIDAS-v2/src/test/resources/config/junit_config_1.properties
index 41f0fe7b..2cd19a01 100644
--- a/modules/authmodule-eIDAS-v2/src/test/resources/config/junit_config_1.properties
+++ b/modules/authmodule-eIDAS-v2/src/test/resources/config/junit_config_1.properties
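Review bot: ccSpecificNameIdFormat only shows that the `.de` key is read when the global `requested.nameIdFormat` is absent — the set-up at the top of the @@ -95 hunk removes that key — so the precedence rule the feature depends on (country-specific value wins over the default) is never exercised. Adding `basicConfig.putConfigValue("eidas.ms.auth.eIDAS.node_v2.requested.nameIdFormat", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");` next to the `.de` entry makes the final assertion fail if the lookup order ever flips. A second case that selects the country with a lower- or mixed-case code would also pin the `toLowerCase()` key normalisation that AbstractEidProcessor relies on, which is otherwise untested here.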
@@ -40,6 +40,8 @@ eidas.ms.auth.eIDAS.node_v2.workarounds.useStaticProviderNameForPublicSPs=true
 eidas.ms.auth.eIDAS.node_v2.staticProviderNameForPublicSPs=myNode
 eidas.ms.auth.eIDAS.node_v2.loa.requested.minimum=http://eidas.europa.eu/LoA/high
+eidas.ms.auth.eIDAS.node_v2.requested.nameIdFormat=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+
 eidas.ms.auth.eIDAS.szrclient.useTestService=true
 eidas.ms.auth.eIDAS.szrclient.endpoint.prod=
diff --git a/ms_specific_connector/src/main/resources/application.properties b/ms_specific_connector/src/main/resources/application.properties
index e0260e9c..2c37ffba 100644
--- a/ms_specific_connector/src/main/resources/application.properties
+++ b/ms_specific_connector/src/main/resources/application.properties
@@ -103,6 +103,8 @@ eidas.ms.auth.eIDAS.node_v2.workarounds.addAlwaysProviderName=false
 ## set NameIdPolicy to 'unspecified' as work-around for DE Middleware v1.2.x
 eidas.ms.auth.eIDAS.node_v2.requested.nameIdFormat=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+#eidas.ms.auth.eIDAS.node_v2.requested.nameIdFormat.de=urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+
 eidas.ms.auth.eIDAS.node_v2.loa.requested.minimum=http://eidas.europa.eu/LoA/high
-- 
cgit v1.2.3
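Review bot: The commented example `#eidas.ms.auth.eIDAS.node_v2.requested.nameIdFormat.de=...` in application.properties is added with no explanation of what the `.de` suffix means, and the comment two lines above still presents the global value as the DE work-around, which now reads as contradictory. A line such as `## optional per-country override: <nameIdFormat key>.<citizen country code, lower-case>; takes precedence over the global value for that country` placed above the example would make the suffix form and the precedence discoverable without reading AbstractEidProcessor. The lower-case requirement follows from the `toLowerCase()` key lookup in the handler hunk, so the comment should state it explicitly.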