From aacc2545abb12328a09cef2cf20ca80a61374836 Mon Sep 17 00:00:00 2001 From: Thomas <> Date: Thu, 17 Nov 2022 16:48:29 +0100 Subject: feat(connector): add validation to disable private-SP support for specific countries --- .../specific/modules/auth/eidas/v2/Constants.java | 3 ++ .../v2/exception/EidPostProcessingException.java | 1 - .../v2/exception/EidPreProcessingException.java | 39 +++++++++++++++++ .../eidas/v2/handler/AbstractEidProcessor.java | 49 ++++++++++++++++----- .../eidas/v2/handler/INationalEidProcessor.java | 7 ++- .../v2/service/CcSpecificEidProcessingService.java | 9 ++-- .../service/ICcSpecificEidProcessingService.java | 7 +-- .../eidas/v2/tasks/GenerateAuthnRequestTask.java | 4 +- .../messages/eidas_connector_message.properties | 2 +- .../AlternativeSearchTaskWithRegisterTest.java | 6 ++- .../eidas/v2/test/tasks/InitialSearchTaskTest.java | 6 ++- .../tasks/InitialSearchTaskWithRegistersTest.java | 6 ++- .../EidasRequestPreProcessingFirstTest.java | 8 +++- .../EidasRequestPreProcessingSecondTest.java | 51 +++++++++++++++++++++- .../src/main/resources/application.properties | 2 + 15 files changed, 167 insertions(+), 33 deletions(-) create mode 100644 modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/exception/EidPreProcessingException.java diff --git a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java index 70a1e69a..a9125849 100644 --- a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java +++ b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/Constants.java 
@@ -91,6 +91,9 @@ public class Constants { EidasConstants.CONIG_PROPS_EIDAS_NODE + ".attributes.requested.representation"; + public static final String CONIG_PROPS_EIDAS_NODE_NOT_SUPPORT_PRIVATE_SP = + EidasConstants.CONIG_PROPS_EIDAS_NODE + ".proxyservices.privatesp.notsupported"; + public static final String CONIG_PROPS_EIDAS_NODE_REQUESTERID_USE_HASHED_VERSION = EidasConstants.CONIG_PROPS_EIDAS_NODE + ".requesterId.useHashedForm"; public static final String CONIG_PROPS_EIDAS_NODE_WORKAROUND_USE_STATIC_REQUESTERID_FOR_LUX = diff --git a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/exception/EidPostProcessingException.java b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/exception/EidPostProcessingException.java index f4c0be67..f1f9a9f6 100644 --- a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/exception/EidPostProcessingException.java +++ b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/exception/EidPostProcessingException.java @@ -36,5 +36,4 @@ public class EidPostProcessingException extends EidasSAuthenticationException { super(internalMsgId, params, e); } - } diff --git a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/exception/EidPreProcessingException.java b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/exception/EidPreProcessingException.java new file mode 100644 index 00000000..75e03f21 --- /dev/null +++ b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/exception/EidPreProcessingException.java 
@@ -0,0 +1,39 @@ +/* + * Copyright 2018 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. +*/ + +package at.asitplus.eidas.specific.modules.auth.eidas.v2.exception; + +public class EidPreProcessingException extends EidasSAuthenticationException { + + private static final long serialVersionUID = 6780652273831172456L; + + public EidPreProcessingException(String internalMsgId, Object[] params) { + super(internalMsgId, params); + + } + + public EidPreProcessingException(String internalMsgId, Object[] params, Throwable e) { + super(internalMsgId, params, e); + + } +} diff --git a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java index 61d5ded2..d97ed807 100644 
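Review bot: The new EidPreProcessingException carries no Javadoc, so a reader has nothing that distinguishes it from the sibling EidPostProcessingException except the name; a class comment such as `/** Signals that an eIDAS request could not be built during pre-processing, e.g. because the selected country rejects the service-provider type; the internalMsgId selects the message in eidas_connector_message.properties. */` would close that gap. The copied license header also says "Copyright 2018" for a file created by this 2022 commit, which looks inherited from the template rather than intended. The stray blank line inside each constructor body is a style nit that the post-processing sibling removes in this same commit.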
--- a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java +++ b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/AbstractEidProcessor.java @@ -47,6 +47,7 @@ import com.google.common.collect.ImmutableSortedSet; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPostProcessingException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPreProcessingException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasAttributeException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.ConnectorEidasAttributeRegistry; import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.EidasResponseUtils; @@ -56,6 +57,7 @@ import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.data.EaafConstants; import at.gv.egiz.eaaf.core.api.idp.IConfigurationWithSP; import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; +import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils; import eu.eidas.auth.commons.attribute.AttributeDefinition; import eu.eidas.auth.commons.attribute.ImmutableAttributeMap; import eu.eidas.auth.commons.light.impl.LightRequest.Builder; 
@@ -71,14 +73,18 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor { protected IConfigurationWithSP basicConfig; @Override - public final void preProcess(IRequest pendingReq, Builder authnRequestBuilder) { + public final void preProcess(IRequest pendingReq, Builder authnRequestBuilder, String countryCode) + throws EidPreProcessingException { + // validate current state + validateSelectionWithState(pendingReq, countryCode); + + // build country-specific authentication request buildLevelOfAssurance(pendingReq.getServiceProviderConfiguration(), authnRequestBuilder); buildProviderNameAndRequesterIdAttribute(pendingReq, authnRequestBuilder); buildRequestedAttributes(authnRequestBuilder); } - @Override public final SimpleEidasData postProcess(Map eidasAttrMap) throws EidPostProcessingException, EidasAttributeException { @@ -224,15 +230,8 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor { */ protected void buildProviderNameAndRequesterIdAttribute(IRequest pendingReq, Builder authnRequestBuilder) { final ISpConfiguration spConfig = pendingReq.getServiceProviderConfiguration(); - - // set correct SPType for requested target sector - final String publicSectorTargetSelector = basicConfig.getBasicConfiguration( - Constants.CONIG_PROPS_EIDAS_NODE_PUBLICSECTOR_TARGETS, - Constants.POLICY_DEFAULT_ALLOWED_TARGETS); - final Pattern p = Pattern.compile(publicSectorTargetSelector); - final Matcher m = p.matcher(spConfig.getAreaSpecificTargetIdentifier()); - if (m.matches()) { - log.debug("Map " + spConfig.getAreaSpecificTargetIdentifier() + " to 'PublicSector'"); + if (isPublicServiceProvider(pendingReq)) { + log.debug("Map {} to 'PublicSector'", spConfig.getAreaSpecificTargetIdentifier()); authnRequestBuilder.spType(SpType.PUBLIC.getValue()); final String providerName = pendingReq.getRawData(Constants.DATA_PROVIDERNAME, String.class); 
@@ -269,7 +268,7 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor { } } - + /** * Build LoA based on Service-Provider configuration. * @@ -361,4 +360,30 @@ public abstract class AbstractEidProcessor implements INationalEidProcessor { } + private void validateSelectionWithState(IRequest pendingReq, String countryCode) throws EidPreProcessingException { + boolean psNotSupportPrivate = KeyValueUtils.getListOfCsvValues( + basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_NOT_SUPPORT_PRIVATE_SP)) + .stream() + .filter(el-> el.equalsIgnoreCase(countryCode)) + .findFirst() + .isPresent(); + + if (!isPublicServiceProvider(pendingReq) && psNotSupportPrivate) { + log.warn("Selected country: {} does not support private service providers.", countryCode); + throw new EidPreProcessingException("module.eidasauth.07", null); + + } + } + + private boolean isPublicServiceProvider(IRequest pendingReq) { + final ISpConfiguration spConfig = pendingReq.getServiceProviderConfiguration(); + final String publicSectorTargetSelector = basicConfig.getBasicConfiguration( + Constants.CONIG_PROPS_EIDAS_NODE_PUBLICSECTOR_TARGETS, + Constants.POLICY_DEFAULT_ALLOWED_TARGETS); + final Pattern p = Pattern.compile(publicSectorTargetSelector); + final Matcher m = p.matcher(spConfig.getAreaSpecificTargetIdentifier()); + return m.matches(); + + } + } diff --git a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/INationalEidProcessor.java b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/INationalEidProcessor.java index 79a261fe..b6f67ca8 100644 --- a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/INationalEidProcessor.java +++ b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/handler/INationalEidProcessor.java 
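Review bot: validateSelectionWithState reads the new CSV property with the single-argument `getBasicConfiguration(...)`, so on an installation that has not added `proxyservices.privatesp.notsupported` the lookup presumably yields null, and whether `KeyValueUtils.getListOfCsvValues` tolerates that is not visible here; both the test setup and the shipped application.properties pre-seed the key with an empty value, which suggests it does not. Use the two-argument overload that isPublicServiceProvider already uses, `basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_NOT_SUPPORT_PRIVATE_SP, "")`, so a missing key cleanly means "no country restricted" instead of an internal error, and collapse the filter/findFirst/isPresent chain to `.anyMatch(el -> el.equalsIgnoreCase(countryCode))`. Since this check is the only thing that keeps a private service provider from being forwarded to a country that rejects them, a short Javadoc stating that intent and that the comparison is case-insensitive would help the next maintainer; whether the CSV entries are trimmed before the comparison depends on getListOfCsvValues and is worth confirming with a value like "XX, XY".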
@@ -26,8 +26,9 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.handler; import java.util.Map; import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasAttributeException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPostProcessingException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPreProcessingException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasAttributeException; import at.gv.egiz.eaaf.core.api.IRequest; import eu.eidas.auth.commons.light.ILightRequest; import eu.eidas.auth.commons.light.impl.LightRequest.Builder; @@ -76,6 +77,8 @@ public interface INationalEidProcessor { * * @param pendingReq current pending request * @param authnRequestBuilder eIDAS {@link ILightRequest} builder + * @param countryCode of the eID data that should be processed + * @throws EidPreProcessingException In case of a pre-processing error */ - void preProcess(IRequest pendingReq, Builder authnRequestBuilder); + void preProcess(IRequest pendingReq, Builder authnRequestBuilder, String countryCode) throws EidPreProcessingException; } diff --git a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/CcSpecificEidProcessingService.java b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/CcSpecificEidProcessingService.java index bbfcb5ff..620e7a9c 100644 --- a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/CcSpecificEidProcessingService.java +++ b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/CcSpecificEidProcessingService.java 
@@ -41,6 +41,7 @@ import org.springframework.stereotype.Service; import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPostProcessingException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPreProcessingException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasAttributeException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.handler.INationalEidProcessor; import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.EidasResponseUtils; @@ -84,7 +85,7 @@ public class CcSpecificEidProcessingService implements ICcSpecificEidProcessingS @Override public void preProcess(String selectedCitizenCountry, IRequest pendingReq, Builder authnRequestBuilder) - throws EidPostProcessingException { + throws EidPreProcessingException { if (StringUtils.isEmpty(selectedCitizenCountry)) { log.info("No CountryCode for eID Pre-Processor. Default Pre-Processor will be used"); } @@ -92,14 +93,14 @@ public class CcSpecificEidProcessingService implements ICcSpecificEidProcessingS for (final INationalEidProcessor el : handlers) { if (el.canHandle(selectedCitizenCountry)) { log.debug("Pre-Process eIDAS request for " + selectedCitizenCountry + " by using: " + el.getName()); - el.preProcess(pendingReq, authnRequestBuilder); + el.preProcess(pendingReq, authnRequestBuilder, selectedCitizenCountry); return; } } - log.error("NO eID PostProcessor FOUND. Looks like a depentency problem!"); - throw new EidPostProcessingException("internal.00", null); + log.error("NO eID PreProcessor FOUND. Looks like a depentency problem!"); + throw new EidPreProcessingException("internal.00", null); } 
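Review bot: The rewritten error line keeps the old typo, `log.error("NO eID PreProcessor FOUND. Looks like a depentency problem!");` should read `dependency`. The empty-country branch above only logs that the default pre-processor will be used and then forwards the empty selectedCitizenCountry into preProcess, where the new private-SP restriction can never match a configured country; if that is intended, a comment on the `if (StringUtils.isEmpty(selectedCitizenCountry))` branch saying so would prevent someone reading it as a gap. The same observation applies to the `@param countryCode` Javadoc added in INationalEidProcessor, which could state that the value may be empty.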
diff --git a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/ICcSpecificEidProcessingService.java b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/ICcSpecificEidProcessingService.java index fb9ba318..85255398 100644 --- a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/ICcSpecificEidProcessingService.java +++ b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/ICcSpecificEidProcessingService.java @@ -26,8 +26,9 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.service; import java.util.Map; import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasAttributeException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPostProcessingException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPreProcessingException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasAttributeException; import at.gv.egiz.eaaf.core.api.IRequest; import eu.eidas.auth.commons.light.ILightRequest; import eu.eidas.auth.commons.light.impl.LightRequest.Builder; @@ -53,9 +54,9 @@ public interface ICcSpecificEidProcessingService { * @param selectedCC Citizen Country from selection * @param pendingReq current pending request * @param authnRequestBuilder eIDAS {@link ILightRequest} builder - * @throws EidPostProcessingException In case of a pre-processing error + * @throws EidPreProcessingException In case of a pre-processing error */ void preProcess(String selectedCC, IRequest pendingReq, Builder authnRequestBuilder) - throws EidPostProcessingException; + throws EidPreProcessingException; } 
diff --git a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java index 535c2958..93e1033d 100644 --- a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java +++ b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateAuthnRequestTask.java @@ -41,7 +41,7 @@ import at.asitplus.eidas.specific.core.MsConnectorEventCodes; import at.asitplus.eidas.specific.core.MsEidasNodeConstants; import at.asitplus.eidas.specific.core.gui.StaticGuiBuilderConfiguration; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPostProcessingException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPreProcessingException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasSAuthenticationException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.ICcSpecificEidProcessingService; import at.asitplus.eidas.specific.modules.core.eidas.EidasConstants; @@ -170,7 +170,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { @NotNull private LightRequest buildEidasAuthnRequest(String citizenCountryCode, String issuer) - throws EidPostProcessingException { + throws EidPreProcessingException { final LightRequest.Builder builder = LightRequest.builder(); builder.id(UUID.randomUUID().toString()); diff --git a/modules/authmodule-eIDAS-v2/src/main/resources/messages/eidas_connector_message.properties b/modules/authmodule-eIDAS-v2/src/main/resources/messages/eidas_connector_message.properties index dafa7ce3..615f5f07 100644 --- a/modules/authmodule-eIDAS-v2/src/main/resources/messages/eidas_connector_message.properties 
+++ b/modules/authmodule-eIDAS-v2/src/main/resources/messages/eidas_connector_message.properties @@ -9,7 +9,7 @@ module.eidasauth.01=eIDAS module has an error in configuration: {0}. Reason: {1} module.eidasauth.03=eIDAS module has a general error during request pre-processing. Reason: {0} module.eidasauth.04=eIDAS module has a general error during response post-processing. module.eidasauth.06=eIDAS module was selected, but eIDAS is NOT enabled for SP: {0} - +module.eidasauth.07=Selected country does not allow authentication for service-providers of type private. module.eidasauth.98=eIDAS module has an internal error. Reason: {0} module.eidasauth.99=eIDAS module has an generic internal error. diff --git a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/AlternativeSearchTaskWithRegisterTest.java b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/AlternativeSearchTaskWithRegisterTest.java index 2506a9b6..305220cf 100644 --- a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/AlternativeSearchTaskWithRegisterTest.java +++ b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/AlternativeSearchTaskWithRegisterTest.java 
@@ -56,6 +56,7 @@ import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.MatchedPersonResult; import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.RegisterResult; import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPostProcessingException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPreProcessingException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasAttributeException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.WorkflowException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.handler.CountrySpecificDetailSearchProcessor; @@ -871,8 +872,9 @@ public class AlternativeSearchTaskWithRegisterTest { } @Override - public void preProcess(String selectedCC, IRequest pendingReq, LightRequest.Builder authnRequestBuilder) { - genericEidProcessor.preProcess(pendingReq, authnRequestBuilder); + public void preProcess(String selectedCC, IRequest pendingReq, LightRequest.Builder authnRequestBuilder) + throws EidPreProcessingException { + genericEidProcessor.preProcess(pendingReq, authnRequestBuilder, selectedCC); } }; } diff --git a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/InitialSearchTaskTest.java b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/InitialSearchTaskTest.java index 6292a0e1..ca78e156 100644 --- a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/InitialSearchTaskTest.java +++ b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/InitialSearchTaskTest.java 
@@ -74,6 +74,7 @@ import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.MatchedPersonResult; import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.RegisterResult; import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPostProcessingException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPreProcessingException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasAttributeException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasSAuthenticationException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.WorkflowException; @@ -172,8 +173,9 @@ public class InitialSearchTaskTest { } @Override - public void preProcess(String selectedCC, IRequest pendingReq, LightRequest.Builder authnRequestBuilder) { - genericEidProcessor.preProcess(pendingReq, authnRequestBuilder); + public void preProcess(String selectedCC, IRequest pendingReq, LightRequest.Builder authnRequestBuilder) + throws EidPreProcessingException { + genericEidProcessor.preProcess(pendingReq, authnRequestBuilder, selectedCC); } }; } diff --git a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/InitialSearchTaskWithRegistersTest.java b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/InitialSearchTaskWithRegistersTest.java index 4b9e9fe2..ead276f9 100644 --- a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/InitialSearchTaskWithRegistersTest.java +++ b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/InitialSearchTaskWithRegistersTest.java 
@@ -76,6 +76,7 @@ import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.MatchedPersonResult; import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.RegisterResult; import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPostProcessingException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPreProcessingException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasAttributeException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasSAuthenticationException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.WorkflowException; @@ -536,8 +537,9 @@ public class InitialSearchTaskWithRegistersTest { } @Override - public void preProcess(String selectedCC, IRequest pendingReq, LightRequest.Builder authnRequestBuilder) { - genericEidProcessor.preProcess(pendingReq, authnRequestBuilder); + public void preProcess(String selectedCC, IRequest pendingReq, LightRequest.Builder authnRequestBuilder) + throws EidPreProcessingException { + genericEidProcessor.preProcess(pendingReq, authnRequestBuilder, selectedCC); } }; } diff --git a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/validation/EidasRequestPreProcessingFirstTest.java b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/validation/EidasRequestPreProcessingFirstTest.java index ca292d4c..f3863ce0 100644 --- a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/validation/EidasRequestPreProcessingFirstTest.java +++ b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/validation/EidasRequestPreProcessingFirstTest.java 
@@ -50,6 +50,7 @@ import at.gv.egiz.eaaf.core.impl.idp.module.test.DummySpConfiguration; import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl; import eu.eidas.auth.commons.light.impl.LightRequest; import eu.eidas.auth.commons.light.impl.LightRequest.Builder; +import lombok.SneakyThrows; @RunWith(SpringJUnit4ClassRunner.class) @ContextConfiguration(locations = { @@ -110,7 +111,8 @@ public class EidasRequestPreProcessingFirstTest { } @Test - public void prePreProcessGeneric() throws EidPostProcessingException { + @SneakyThrows + public void prePreProcessGeneric() { final String testCountry = "XX"; authnRequestBuilder.citizenCountryCode(testCountry); preProcessor.preProcess(testCountry, pendingReq, authnRequestBuilder); @@ -125,6 +127,7 @@ public class EidasRequestPreProcessingFirstTest { } @Test + @SneakyThrows public void prePreProcessGenericNoCountryCode() throws EidPostProcessingException { final String testCountry = "XX"; authnRequestBuilder.citizenCountryCode(testCountry); @@ -140,6 +143,7 @@ public class EidasRequestPreProcessingFirstTest { } @Test + @SneakyThrows public void prePreProcessDE() throws EidPostProcessingException { final String testCountry = "DE"; @@ -157,6 +161,7 @@ public class EidasRequestPreProcessingFirstTest { } @Test + @SneakyThrows public void prePreProcessNlWithUpgrade() throws EidPostProcessingException { final String testCountry = "NL"; @@ -177,6 +182,7 @@ public class EidasRequestPreProcessingFirstTest { } @Test + @SneakyThrows public void prePreProcessNlWithOutUpgrade() throws EidPostProcessingException { final String testCountry = "NL"; diff --git a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/validation/EidasRequestPreProcessingSecondTest.java b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/validation/EidasRequestPreProcessingSecondTest.java index 9b061b55..0453ca1d 100644 
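Review bot: Several test methods now carry both `@SneakyThrows` and a `throws EidPostProcessingException` clause, which is inconsistent and hides the checked EidPreProcessingException the call under test actually throws. Since this commit declares EidPreProcessingException as a subclass of EidasSAuthenticationException, the same parent EidPostProcessingException has, the Lombok annotation can be dropped in favour of `public void prePreProcessDE() throws EidasSAuthenticationException {` on each of these methods. The same pattern is repeated in the EidasRequestPreProcessingSecondTest hunks of this commit.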
--- a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/validation/EidasRequestPreProcessingSecondTest.java +++ b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/validation/EidasRequestPreProcessingSecondTest.java @@ -23,6 +23,9 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.test.validation; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertThrows; + import java.util.HashMap; import java.util.Map; import java.util.UUID; @@ -39,6 +42,7 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; import at.asitplus.eidas.specific.core.test.config.dummy.MsConnectorDummyConfigMap; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPostProcessingException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidPreProcessingException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.CcSpecificEidProcessingService; import at.gv.egiz.eaaf.core.api.data.EaafConfigConstants; import at.gv.egiz.eaaf.core.api.data.EaafConstants; @@ -46,6 +50,7 @@ import at.gv.egiz.eaaf.core.impl.idp.module.test.DummySpConfiguration; import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl; import eu.eidas.auth.commons.light.impl.LightRequest; import eu.eidas.auth.commons.light.impl.LightRequest.Builder; +import lombok.SneakyThrows; @RunWith(SpringJUnit4ClassRunner.class) @ContextConfiguration(locations = { 
@@ -85,13 +90,55 @@ public class EidasRequestPreProcessingSecondTest { authnRequestBuilder.id(UUID.randomUUID().toString()); authnRequestBuilder.issuer("Test"); authnRequestBuilder.levelOfAssurance(EaafConstants.EIDAS_LOA_HIGH); + + basicConfig.putConfigValue( + "eidas.ms.auth.eIDAS.node_v2.publicSectorTargets", ".*"); + basicConfig.putConfigValue( + "eidas.ms.auth.eIDAS.node_v2.requesterId.lu.useStaticRequesterForAll", "true"); + basicConfig.putConfigValue( + "eidas.ms.auth.eIDAS.node_v2.proxyservices.privatesp.notsupported", ""); + + } + @Test + @SneakyThrows + public void privateSpAllowed() { basicConfig.putConfigValue( - "eidas.ms.auth.eIDAS.node_v2.requesterId.lu.useStaticRequesterForAll", "true"); + "eidas.ms.auth.eIDAS.node_v2.proxyservices.privatesp.notsupported", "XX,XY"); + basicConfig.removeConfigValue("eidas.ms.auth.eIDAS.node_v2.publicSectorTargets"); + + oaParam.getFullConfiguration().put("target", "urn:publicid:gv.at:wbpk+XFN+123456a"); + final String testCountry = "DE"; + authnRequestBuilder.citizenCountryCode(testCountry); + preProcessor.preProcess(testCountry, pendingReq, authnRequestBuilder); + + final LightRequest lightReq = authnRequestBuilder.build(); + Assert.assertEquals("no PublicSP", "private", lightReq.getSpType()); + } + + @Test + @SneakyThrows + public void privateSpNotAllowed() { + basicConfig.putConfigValue( + "eidas.ms.auth.eIDAS.node_v2.proxyservices.privatesp.notsupported", "XX,XY"); + basicConfig.removeConfigValue("eidas.ms.auth.eIDAS.node_v2.publicSectorTargets"); + + oaParam.getFullConfiguration().put("target", "urn:publicid:gv.at:wbpk+XFN+123456a"); + + final String testCountry = "XY"; + authnRequestBuilder.citizenCountryCode(testCountry); + + EidPreProcessingException error = assertThrows("validation error not detected", EidPreProcessingException.class, + () -> preProcessor.preProcess(testCountry, pendingReq, authnRequestBuilder)); + assertEquals("wrong errorId", "module.eidasauth.07", error.getErrorId()); + + } + @Test + 
@SneakyThrows public void prePreProcessDeUnknownAttribute() throws EidPostProcessingException { basicConfig.putConfigValue("eidas.ms.auth.eIDAS.node_v2.staticProviderNameForPublicSPs", "myNode"); basicConfig.putConfigValue( @@ -114,6 +161,7 @@ public class EidasRequestPreProcessingSecondTest { * Set ProviderName according to general configuration */ @Test + @SneakyThrows public void prePreProcessLuPublicSpWithoutRequestId() throws EidPostProcessingException { basicConfig.putConfigValue( @@ -136,6 +184,7 @@ public class EidasRequestPreProcessingSecondTest { * Always set requesterId and providername in case of country LU */ @Test + @SneakyThrows public void prePreProcessLuPublicSpWithStaticRequesterId() throws EidPostProcessingException { diff --git a/ms_specific_connector/src/main/resources/application.properties b/ms_specific_connector/src/main/resources/application.properties index 64367880..a2a0ca67 100644 --- a/ms_specific_connector/src/main/resources/application.properties +++ b/ms_specific_connector/src/main/resources/application.properties @@ -95,6 +95,8 @@ eidas.ms.auth.eIDAS.node_v2.requesterId.useHashedForm=true ## user static requesterId for all SP's in case of LU eidas.ms.auth.eIDAS.node_v2.requesterId.lu.useStaticRequesterForAll=true +## List of country-codes as CSV that not support private service-providers +eidas.ms.auth.eIDAS.node_v2.proxyservices.privatesp.notsupported= ## set provider name for all public SPs eidas.ms.auth.eIDAS.node_v2.workarounds.addAlwaysProviderName=false -- cgit v1.2.3
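Review bot: The two new tests cover "private SP, country not listed" and "private SP, country listed", but not the case that shows the restriction is scoped correctly: a public SP selecting a listed country must still pass, and a lowercase country code must still be rejected, otherwise a later refactor could over-block public SPs or let case differences bypass the list unnoticed. The added tests also mix `Assert.assertEquals` with the newly static-imported `assertEquals`; pick one form. A public-SP test can reuse the setup's `publicSectorTargets` of `.*` and reads as follows.
```java
  @Test
  @SneakyThrows
  public void publicSpAllowedForBlockedCountry() {
    basicConfig.putConfigValue(
        "eidas.ms.auth.eIDAS.node_v2.proxyservices.privatesp.notsupported", "XX,XY");
    // publicSectorTargets stays ".*" from setup, so the SP is classified as public

    final String testCountry = "XY";
    authnRequestBuilder.citizenCountryCode(testCountry);
    preProcessor.preProcess(testCountry, pendingReq, authnRequestBuilder);

    final LightRequest lightReq = authnRequestBuilder.build();
    Assert.assertNotEquals("public SP must not be blocked", "private", lightReq.getSpType());
  }
```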