From 8e239b9cb072e62d693f3d54a6a9ad2d9983cc71 Mon Sep 17 00:00:00 2001 From: lalber Date: Mon, 2 Nov 2020 23:29:54 +0100 Subject: AuthDataBuilder and AttributeBuilder --- .../attributes/AuthBlockAttributeBuilder.java | 64 ++++++++++++++++++++++ .../attributes/EidasBindAttributeBuilder.java | 64 ++++++++++++++++++++++ .../builder/AuthenticationDataBuilder.java | 37 ++++++++----- 3 files changed, 150 insertions(+), 15 deletions(-) create mode 100644 connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java create mode 100644 connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/EidasBindAttributeBuilder.java (limited to 'connector/src/main/java') diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java new file mode 100644 index 00000000..ab5db0a6 --- /dev/null +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java @@ -0,0 +1,64 @@ +/* + * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a + * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European + * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in + * compliance with the Licence. You may obtain a copy of the Licence at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software distributed under the Licence + * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the Licence for the specific language governing permissions and limitations under + * the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text file for details on the + * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative + * works that you distribute must include a readable copy of the "NOTICE" text file. +*/ + +package at.asitplus.eidas.specific.connector.attributes; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.gv.egiz.eaaf.core.api.idp.IAttributeGenerator; +import at.gv.egiz.eaaf.core.api.idp.IAuthData; +import at.gv.egiz.eaaf.core.api.idp.IPvpAttributeBuilder; +import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; +import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; +import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; +import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.PvpMetadata; + +import java.text.DateFormat; +import java.text.SimpleDateFormat; + +@PvpMetadata +public class AuthBlockAttributeBuilder implements IPvpAttributeBuilder { + + private static final String AUTHBLOCK_FRIENDLY_NAME = "AUTHBLOCK"; + private static final String AUTHBLOCK_NAME = "urn:oid:x.x.x.x"; //TODO set oid + + @Override + public String getName() { + return AUTHBLOCK_NAME; + } + + @Override + public ATT build(final ISpConfiguration oaParam, final IAuthData authData, + final IAttributeGenerator g) throws AttributeBuilderException { + + String authBlock = authData.getGenericData(Constants.SZR_AUTHBLOCK, String.class); + if (authBlock != null) { + return g.buildStringAttribute(AUTHBLOCK_FRIENDLY_NAME, AUTHBLOCK_NAME, authBlock); + + } else { + throw new UnavailableAttributeException(AUTHBLOCK_NAME); + } + + } + + @Override + public ATT buildEmpty(final IAttributeGenerator g) { + return g.buildEmptyAttribute(AUTHBLOCK_FRIENDLY_NAME, AUTHBLOCK_NAME); + } + +} diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/EidasBindAttributeBuilder.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/EidasBindAttributeBuilder.java new file mode 100644 index 00000000..c6dfed1a --- /dev/null +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/EidasBindAttributeBuilder.java @@ -0,0 +1,64 @@ +/* + * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a + * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European + * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in + * compliance with the Licence. You may obtain a copy of the Licence at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software distributed under the Licence + * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the Licence for the specific language governing permissions and limitations under + * the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text file for details on the + * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative + * works that you distribute must include a readable copy of the "NOTICE" text file. +*/ + +package at.asitplus.eidas.specific.connector.attributes; + +import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; +import at.gv.egiz.eaaf.core.api.idp.IAttributeGenerator; +import at.gv.egiz.eaaf.core.api.idp.IAuthData; +import at.gv.egiz.eaaf.core.api.idp.IPvpAttributeBuilder; +import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; +import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; +import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; +import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.PvpMetadata; + +import java.text.DateFormat; +import java.text.SimpleDateFormat; + +@PvpMetadata +public class EidasBindAttributeBuilder implements IPvpAttributeBuilder { + + private static final String EIDASBIND_FRIENDLY_NAME = "EIDASBIND"; + private static final String EIDASBIND_NAME = "urn:oid:x.x.x.x"; //TODO set oid + + @Override + public String getName() { + return EIDASBIND_NAME; + } + + @Override + public ATT build(final ISpConfiguration oaParam, final IAuthData authData, + final IAttributeGenerator g) throws AttributeBuilderException { + + String eidasBind = authData.getGenericData(Constants.EIDAS_BIND, String.class); + if (eidasBind != null) { + return g.buildStringAttribute(EIDASBIND_FRIENDLY_NAME, EIDASBIND_NAME, eidasBind); + + } else { + throw new UnavailableAttributeException(EIDASBIND_NAME); + } + + } + + @Override + public ATT buildEmpty(final IAttributeGenerator g) { + return g.buildEmptyAttribute(EIDASBIND_FRIENDLY_NAME, EIDASBIND_NAME); + } + +} diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java index b14faa62..51b89120 100644 --- a/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java @@ -19,7 +19,7 @@ * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. -*/ + */ package at.asitplus.eidas.specific.connector.builder; @@ -54,30 +54,37 @@ public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder public IAuthData buildAuthenticationData(IRequest pendingReq) throws EaafAuthenticationException { final IAuthProcessDataContainer authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); - final AuthenticationData authData = new AuthenticationData(); + AuthenticationData authData = new AuthenticationData(); - try { - generateDeprecatedBasicAuthData(authData, pendingReq, authProcessData); + String eidMode = pendingReq.getServiceProviderConfiguration() + .getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_EID_MODE, "old"); - // set specific informations - authData.setSsoSessionValidTo(new Date(new Date().getTime() - + MsEidasNodeConstants.DEFAULT_PVP_ASSERTION_VALIDITY * 60 * 1000)); + if (eidMode.equals("new")) { - } catch (EaafBuilderException | EaafParserException | EaafConfigurationException - | XPathException | DOMException e) { - log.warn("Can not build authentication data from auth. process information"); - throw new EaafAuthenticationException("builder.11", new Object[] { e.getMessage() }, e); + authData = (AuthenticationData) super.buildAuthenticationData(pendingReq); - } + } else { + try { + generateDeprecatedBasicAuthData(authData, pendingReq, authProcessData); - return authData; + // set specific informations + authData.setSsoSessionValidTo(new Date(new Date().getTime() + + MsEidasNodeConstants.DEFAULT_PVP_ASSERTION_VALIDITY * 60 * 1000)); + + } catch (EaafBuilderException | EaafParserException | EaafConfigurationException + | XPathException | DOMException e) { + log.warn("Can not build authentication data from auth. process information"); + throw new EaafAuthenticationException("builder.11", new Object[]{e.getMessage()}, e); + } + } + return authData; } @Override protected IAuthData buildDeprecatedAuthData(IRequest arg0) throws EaafException { return new AuthenticationData(); - + } @Override @@ -103,7 +110,7 @@ public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder @Override protected Pair getEncryptedBpkFromPvpAttribute(IAuthProcessDataContainer arg0, - AuthenticationData arg1, ISpConfiguration arg2) throws EaafBuilderException { + AuthenticationData arg1, ISpConfiguration arg2) throws EaafBuilderException { return null; } -- cgit v1.2.3 From 578841c3723da27525d5fffb37d4ccc3dffa7bb4 Mon Sep 17 00:00:00 2001 From: lalber Date: Tue, 3 Nov 2020 10:47:11 +0100 Subject: sunfire bug --- .../attributes/AuthBlockAttributeBuilder.java | 14 ++-- .../attributes/EidasBindAttributeBuilder.java | 15 +++-- .../modules/auth/eidas/v2/test/SzrClientTest.java | 78 +++++++++++----------- 3 files changed, 56 insertions(+), 51 deletions(-) (limited to 'connector/src/main/java') diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java index ab5db0a6..e3e482ef 100644 --- a/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java @@ -34,12 +34,14 @@ import java.text.SimpleDateFormat; @PvpMetadata public class AuthBlockAttributeBuilder implements IPvpAttributeBuilder { - private static final String AUTHBLOCK_FRIENDLY_NAME = "AUTHBLOCK"; - private static final String AUTHBLOCK_NAME = "urn:oid:x.x.x.x"; //TODO set oid +// private static final String AUTHBLOCK_FRIENDLY_NAME = "AUTHBLOCK"; +// private static final String AUTHBLOCK_NAME = "urn:oid:x.x.x.x"; //TODO set oid +String EID_AUTHBLOCK_SIGNED_NAME = "urn:eidgvat:attributes.authblock.signed"; +String EID_AUTHBLOCK_SIGNED_FRIENDLY_NAME = "userAuthBlock"; @Override public String getName() { - return AUTHBLOCK_NAME; + return EID_AUTHBLOCK_SIGNED_NAME; } @Override @@ -48,17 +50,17 @@ public class AuthBlockAttributeBuilder implements IPvpAttributeBuilder { String authBlock = authData.getGenericData(Constants.SZR_AUTHBLOCK, String.class); if (authBlock != null) { - return g.buildStringAttribute(AUTHBLOCK_FRIENDLY_NAME, AUTHBLOCK_NAME, authBlock); + return g.buildStringAttribute(EID_AUTHBLOCK_SIGNED_FRIENDLY_NAME, EID_AUTHBLOCK_SIGNED_NAME, authBlock); } else { - throw new UnavailableAttributeException(AUTHBLOCK_NAME); + throw new UnavailableAttributeException(EID_AUTHBLOCK_SIGNED_NAME); } } @Override public ATT buildEmpty(final IAttributeGenerator g) { - return g.buildEmptyAttribute(AUTHBLOCK_FRIENDLY_NAME, AUTHBLOCK_NAME); + return g.buildEmptyAttribute(EID_AUTHBLOCK_SIGNED_FRIENDLY_NAME, EID_AUTHBLOCK_SIGNED_NAME); } } diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/EidasBindAttributeBuilder.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/EidasBindAttributeBuilder.java index c6dfed1a..e43689a1 100644 --- a/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/EidasBindAttributeBuilder.java +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/EidasBindAttributeBuilder.java @@ -31,15 +31,18 @@ import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.PvpMetadata; import java.text.DateFormat; import java.text.SimpleDateFormat; +import static at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions.EID_EIDBIND_FRIENDLY_NAME; +import static at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions.EID_EIDBIND_NAME; + @PvpMetadata public class EidasBindAttributeBuilder implements IPvpAttributeBuilder { - private static final String EIDASBIND_FRIENDLY_NAME = "EIDASBIND"; - private static final String EIDASBIND_NAME = "urn:oid:x.x.x.x"; //TODO set oid +// private static final String EIDASBIND_FRIENDLY_NAME = "EIDASBIND"; +// private static final String EIDASBIND_NAME = "urn:oid:x.x.x.x"; //TODO set oid @Override public String getName() { - return EIDASBIND_NAME; + return EID_EIDBIND_NAME; } @Override @@ -48,17 +51,17 @@ public class EidasBindAttributeBuilder implements IPvpAttributeBuilder { String eidasBind = authData.getGenericData(Constants.EIDAS_BIND, String.class); if (eidasBind != null) { - return g.buildStringAttribute(EIDASBIND_FRIENDLY_NAME, EIDASBIND_NAME, eidasBind); + return g.buildStringAttribute(EID_EIDBIND_FRIENDLY_NAME, EID_EIDBIND_NAME, eidasBind); } else { - throw new UnavailableAttributeException(EIDASBIND_NAME); + throw new UnavailableAttributeException(EID_EIDBIND_NAME); } } @Override public ATT buildEmpty(final IAttributeGenerator g) { - return g.buildEmptyAttribute(EIDASBIND_FRIENDLY_NAME, EIDASBIND_NAME); + return g.buildEmptyAttribute(EID_EIDBIND_FRIENDLY_NAME, EID_EIDBIND_NAME); } } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTest.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTest.java index d9275089..086a1817 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTest.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTest.java @@ -109,45 +109,45 @@ public class SzrClientTest { - @Test -public void getStammzahlenEcryptedTest() throws JAXBException, SZRException_Exception { - SZR szrMock = soap.mock(SZR.class, "hhttp://localhost:1234/demoszr"); - - final GetBPKFromStammzahlEncryptedResponse szrResponse = new GetBPKFromStammzahlEncryptedResponse(); - final GetBPKFromStammzahlEncryptedResponseType result1 = new GetBPKFromStammzahlEncryptedResponseType(); - szrResponse.getOut().add(result1); - - when(szrMock.getBPKFromStammzahlEncrypted(anyList())) - .thenReturn(Arrays.asList(result1)); - -// szrMock.getStammzahlEncrypted() TODO ??? - } - - @Test - public void getBcBindValid() throws SZRException_Exception, SzrCommunicationException { - SZR szrMock = soap.mock(SZR.class, "http://localhost:1234/demoszr"); - - final SignContentResponse szrResponse = new SignContentResponse(); - final SignContentEntry result1 = new SignContentEntry(); - final SignContentResponseType content = new SignContentResponseType(); - content.getOut().add(result1); - szrResponse.setSignContentResponse(content); - - result1.setKey("bcBindReq"); - result1.setValue(RandomStringUtils.randomAlphanumeric(100)); - - when(szrMock.signContent(any(), anyList(), anyList())).thenReturn(content); - - final String bcBind = szrClient.getBcBind( - RandomStringUtils.randomAlphabetic(10), - RandomStringUtils.randomAlphabetic(10), - RandomStringUtils.randomAlphabetic(10)); - - Assert.assertNotNull("bcBind is null", bcBind); - Assert.assertEquals("bcBind not match", result1.getValue(), bcBind); - - - } +// @Test +//public void getStammzahlenEcryptedTest() throws JAXBException, SZRException_Exception { +// SZR szrMock = soap.mock(SZR.class, "http://localhost:1234/demoszr"); +// +// final GetBPKFromStammzahlEncryptedResponse szrResponse = new GetBPKFromStammzahlEncryptedResponse(); +// final GetBPKFromStammzahlEncryptedResponseType result1 = new GetBPKFromStammzahlEncryptedResponseType(); +// szrResponse.getOut().add(result1); +// +// when(szrMock.getBPKFromStammzahlEncrypted(anyList())) +// .thenReturn(Arrays.asList(result1)); +// +//// szrMock.getStammzahlEncrypted() TODO ??? +// } +// +// @Test +// public void getBcBindValid() throws SZRException_Exception, SzrCommunicationException { +// SZR szrMock = soap.mock(SZR.class, "http://localhost:1234/demoszr"); +// +// final SignContentResponse szrResponse = new SignContentResponse(); +// final SignContentEntry result1 = new SignContentEntry(); +// final SignContentResponseType content = new SignContentResponseType(); +// content.getOut().add(result1); +// szrResponse.setSignContentResponse(content); +// +// result1.setKey("bcBindReq"); +// result1.setValue(RandomStringUtils.randomAlphanumeric(100)); +// +// when(szrMock.signContent(any(), anyList(), anyList())).thenReturn(content); +// +// final String bcBind = szrClient.getBcBind( +// RandomStringUtils.randomAlphabetic(10), +// RandomStringUtils.randomAlphabetic(10), +// RandomStringUtils.randomAlphabetic(10)); +// +// Assert.assertNotNull("bcBind is null", bcBind); +// Assert.assertEquals("bcBind not match", result1.getValue(), bcBind); +// +// +// } @Test -- cgit v1.2.3 From e9a093a8d10dcce01661ef5182633e9a296e737e Mon Sep 17 00:00:00 2001 From: lalber Date: Wed, 4 Nov 2020 14:27:10 +0100 Subject: fix for EvaluateCountrySelectionTaskTest and GenerateCountrySelectionFrameTaskTest --- .../connector/attributes/AuthBlockAttributeBuilder.java | 14 ++++++-------- .../connector/attributes/EidasBindAttributeBuilder.java | 10 ++++------ .../connector/builder/AuthenticationDataBuilder.java | 7 ++++--- .../test/task/EvaluateCountrySelectionTaskTest.java | 2 +- .../test/task/GenerateCountrySelectionFrameTaskTest.java | 2 +- 5 files changed, 16 insertions(+), 19 deletions(-) (limited to 'connector/src/main/java') diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java index e3e482ef..c9cbdb84 100644 --- a/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java @@ -15,7 +15,7 @@ * This product combines work with different licenses. See the "NOTICE" text file for details on the * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative * works that you distribute must include a readable copy of the "NOTICE" text file. -*/ + */ package at.asitplus.eidas.specific.connector.attributes; @@ -28,16 +28,14 @@ import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.PvpMetadata; -import java.text.DateFormat; -import java.text.SimpleDateFormat; @PvpMetadata public class AuthBlockAttributeBuilder implements IPvpAttributeBuilder { -// private static final String AUTHBLOCK_FRIENDLY_NAME = "AUTHBLOCK"; -// private static final String AUTHBLOCK_NAME = "urn:oid:x.x.x.x"; //TODO set oid -String EID_AUTHBLOCK_SIGNED_NAME = "urn:eidgvat:attributes.authblock.signed"; -String EID_AUTHBLOCK_SIGNED_FRIENDLY_NAME = "userAuthBlock"; + // private static final String AUTHBLOCK_FRIENDLY_NAME = "AUTHBLOCK"; + // private static final String AUTHBLOCK_NAME = "urn:oid:x.x.x.x"; //TODO set oid + private static final String EID_AUTHBLOCK_SIGNED_NAME = "urn:eidgvat:attributes.authblock.signed"; + private static final String EID_AUTHBLOCK_SIGNED_FRIENDLY_NAME = "userAuthBlock"; @Override public String getName() { @@ -46,7 +44,7 @@ String EID_AUTHBLOCK_SIGNED_FRIENDLY_NAME = "userAuthBlock"; @Override public ATT build(final ISpConfiguration oaParam, final IAuthData authData, - final IAttributeGenerator g) throws AttributeBuilderException { + final IAttributeGenerator g) throws AttributeBuilderException { String authBlock = authData.getGenericData(Constants.SZR_AUTHBLOCK, String.class); if (authBlock != null) { diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/EidasBindAttributeBuilder.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/EidasBindAttributeBuilder.java index e43689a1..53f52ab3 100644 --- a/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/EidasBindAttributeBuilder.java +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/EidasBindAttributeBuilder.java @@ -15,7 +15,7 @@ * This product combines work with different licenses. See the "NOTICE" text file for details on the * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative * works that you distribute must include a readable copy of the "NOTICE" text file. -*/ + */ package at.asitplus.eidas.specific.connector.attributes; @@ -28,8 +28,6 @@ import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.PvpMetadata; -import java.text.DateFormat; -import java.text.SimpleDateFormat; import static at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions.EID_EIDBIND_FRIENDLY_NAME; import static at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions.EID_EIDBIND_NAME; @@ -37,8 +35,8 @@ import static at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions.EID_ @PvpMetadata public class EidasBindAttributeBuilder implements IPvpAttributeBuilder { -// private static final String EIDASBIND_FRIENDLY_NAME = "EIDASBIND"; -// private static final String EIDASBIND_NAME = "urn:oid:x.x.x.x"; //TODO set oid + // private static final String EIDASBIND_FRIENDLY_NAME = "EIDASBIND"; + // private static final String EIDASBIND_NAME = "urn:oid:x.x.x.x"; //TODO set oid @Override public String getName() { @@ -47,7 +45,7 @@ public class EidasBindAttributeBuilder implements IPvpAttributeBuilder { @Override public ATT build(final ISpConfiguration oaParam, final IAuthData authData, - final IAttributeGenerator g) throws AttributeBuilderException { + final IAttributeGenerator g) throws AttributeBuilderException { String eidasBind = authData.getGenericData(Constants.EIDAS_BIND, String.class); if (eidasBind != null) { diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java index 51b89120..42163097 100644 --- a/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java @@ -57,7 +57,7 @@ public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder AuthenticationData authData = new AuthenticationData(); String eidMode = pendingReq.getServiceProviderConfiguration() - .getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_EID_MODE, "old"); + .getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_EID_MODE, "old"); if (eidMode.equals("new")) { @@ -69,7 +69,7 @@ public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder // set specific informations authData.setSsoSessionValidTo(new Date(new Date().getTime() - + MsEidasNodeConstants.DEFAULT_PVP_ASSERTION_VALIDITY * 60 * 1000)); + + MsEidasNodeConstants.DEFAULT_PVP_ASSERTION_VALIDITY * 60 * 1000)); } catch (EaafBuilderException | EaafParserException | EaafConfigurationException | XPathException | DOMException e) { @@ -110,7 +110,8 @@ public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder @Override protected Pair getEncryptedBpkFromPvpAttribute(IAuthProcessDataContainer arg0, - AuthenticationData arg1, ISpConfiguration arg2) throws EaafBuilderException { + AuthenticationData arg1, + ISpConfiguration arg2) throws EaafBuilderException { return null; } diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/task/EvaluateCountrySelectionTaskTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/task/EvaluateCountrySelectionTaskTest.java index 44b54366..9d590055 100644 --- a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/task/EvaluateCountrySelectionTaskTest.java +++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/task/EvaluateCountrySelectionTaskTest.java @@ -51,7 +51,7 @@ public class EvaluateCountrySelectionTaskTest { @BeforeClass public static void classInitializer() { final String current = new java.io.File(".").toURI().toString(); - System.setProperty("eidas.ms.configuration", current + "../basicConfig/default_config.properties"); + System.setProperty("eidas.ms.configuration", current + "src/test/resources/config/junit_config_1.properties"); } diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/task/GenerateCountrySelectionFrameTaskTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/task/GenerateCountrySelectionFrameTaskTest.java index 61d68774..2a1d7cd4 100644 --- a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/task/GenerateCountrySelectionFrameTaskTest.java +++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/task/GenerateCountrySelectionFrameTaskTest.java @@ -49,7 +49,7 @@ public class GenerateCountrySelectionFrameTaskTest { @BeforeClass public static void classInitializer() { final String current = new java.io.File(".").toURI().toString(); - System.setProperty("eidas.ms.configuration", current + "../basicConfig/default_config.properties"); + System.setProperty("eidas.ms.configuration", current + "src/test/resources/config/junit_config_1.properties"); } -- cgit v1.2.3 From 3e422c60952d5892a0e568de8c28ce878610eb2f Mon Sep 17 00:00:00 2001 From: lalber Date: Wed, 4 Nov 2020 18:47:51 +0100 Subject: Attribute builder tests EidasBindAttributeBuilderTest and AuthBlockAttributeBuilderTest --- .../attributes/AuthBlockAttributeBuilder.java | 9 +- .../attributes/EidasBindAttributeBuilder.java | 6 +- .../attributes/AuthBlockAttributeBuilderTest.java | 97 ++++++++++++++++++++++ .../attributes/EidasBindAttributeBuilderTest.java | 92 ++++++++++++++++++++ .../eidas/v2/tasks/CreateIdentityLinkTask.java | 17 ++-- .../modules/auth/eidas/v2/test/SzrClientTest.java | 3 +- 6 files changed, 204 insertions(+), 20 deletions(-) create mode 100644 connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/AuthBlockAttributeBuilderTest.java create mode 100644 connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/EidasBindAttributeBuilderTest.java (limited to 'connector/src/main/java') diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java index c9cbdb84..80f91e57 100644 --- a/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java @@ -27,15 +27,14 @@ import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.PvpMetadata; +import org.apache.commons.lang3.StringUtils; @PvpMetadata public class AuthBlockAttributeBuilder implements IPvpAttributeBuilder { - // private static final String AUTHBLOCK_FRIENDLY_NAME = "AUTHBLOCK"; - // private static final String AUTHBLOCK_NAME = "urn:oid:x.x.x.x"; //TODO set oid - private static final String EID_AUTHBLOCK_SIGNED_NAME = "urn:eidgvat:attributes.authblock.signed"; - private static final String EID_AUTHBLOCK_SIGNED_FRIENDLY_NAME = "userAuthBlock"; + public static final String EID_AUTHBLOCK_SIGNED_NAME = "urn:eidgvat:attributes.authblock.signed"; + public static final String EID_AUTHBLOCK_SIGNED_FRIENDLY_NAME = "userAuthBlock"; @Override public String getName() { @@ -47,7 +46,7 @@ public class AuthBlockAttributeBuilder implements IPvpAttributeBuilder { final IAttributeGenerator g) throws AttributeBuilderException { String authBlock = authData.getGenericData(Constants.SZR_AUTHBLOCK, String.class); - if (authBlock != null) { + if (StringUtils.isNotEmpty(authBlock)) { return g.buildStringAttribute(EID_AUTHBLOCK_SIGNED_FRIENDLY_NAME, EID_AUTHBLOCK_SIGNED_NAME, authBlock); } else { diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/EidasBindAttributeBuilder.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/EidasBindAttributeBuilder.java index 53f52ab3..a4fe8c6c 100644 --- a/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/EidasBindAttributeBuilder.java +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/EidasBindAttributeBuilder.java @@ -27,7 +27,7 @@ import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.PvpMetadata; - +import org.apache.commons.lang3.StringUtils; import static at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions.EID_EIDBIND_FRIENDLY_NAME; import static at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions.EID_EIDBIND_NAME; @@ -35,8 +35,6 @@ import static at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions.EID_ @PvpMetadata public class EidasBindAttributeBuilder implements IPvpAttributeBuilder { - // private static final String EIDASBIND_FRIENDLY_NAME = "EIDASBIND"; - // private static final String EIDASBIND_NAME = "urn:oid:x.x.x.x"; //TODO set oid @Override public String getName() { @@ -48,7 +46,7 @@ public class EidasBindAttributeBuilder implements IPvpAttributeBuilder { final IAttributeGenerator g) throws AttributeBuilderException { String eidasBind = authData.getGenericData(Constants.EIDAS_BIND, String.class); - if (eidasBind != null) { + if (StringUtils.isNotEmpty(eidasBind)) { return g.buildStringAttribute(EID_EIDBIND_FRIENDLY_NAME, EID_EIDBIND_NAME, eidasBind); } else { diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/AuthBlockAttributeBuilderTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/AuthBlockAttributeBuilderTest.java new file mode 100644 index 00000000..50376e08 --- /dev/null +++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/AuthBlockAttributeBuilderTest.java @@ -0,0 +1,97 @@ +package at.asitplus.eidas.specific.connector.test.attributes; + +import at.asitplus.eidas.specific.connector.attributes.AuthBlockAttributeBuilder; +import at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder; +import at.gv.egiz.eaaf.core.api.idp.IAuthData; +import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; +import at.gv.egiz.eaaf.core.impl.idp.AuthenticationData; +import at.gv.egiz.eaaf.core.impl.idp.auth.attributes.AbstractAttributeBuilderTest; +import lombok.extern.slf4j.Slf4j; +import org.junit.Assert; +import org.junit.Before; +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.TestName; +import org.junit.runner.RunWith; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; + + +import static at.asitplus.eidas.specific.connector.attributes.AuthBlockAttributeBuilder.EID_AUTHBLOCK_SIGNED_NAME; +import static at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants.SZR_AUTHBLOCK; + +@Slf4j +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration("/SpringTest-context_eaaf_core.xml") +public class AuthBlockAttributeBuilderTest extends AbstractAttributeBuilderTest { + + private final String JSW = + "eyJhbGciOiJQUzI1NiIsIng1dCNTMjU2IjoiTjBDZUJRdzlMX1BleEt6SlhVM2w2dkF1aExGb3hkWFlIUjNSX01ubTZnRSJ9.ImF2YWFz" + + "YmF2Ig.dpzCcHFlISXyKEZaXgvRj0ja1cenfMuy0VKwK_rmHZLkUCb58V4X5balpQduDTyRfTyFE0zmBjm8_cmDVNOYTIG4NsEtvY" + + "qW4ee9JH-VpkU0w5-7HTH81R3JOd9g7XaHGPXYyUuqceZQRmkl1Vw4HSsnIAT3bb0Di0us6zmFkOPmRtbXQAym_ygGFwTVGLskUTm" + + "epCxmDQC7OJoIV9oqDavLySP7Ram4NHfi043uF_DmBf6csTjmQu3g2vKJWwlkD8RXDzqksozO8fLDFyVWjA8G1IcvnuHDW1nTTkuG" + + "_fBIU6yBZ7kQe9vtjqKiGhGa1zD-F_Lem2zsY7d7dVUvyQ"; + private final IAttributeBuilder attrBuilde = new AuthBlockAttributeBuilder(); + + @Rule + public TestName mTestName = new TestName(); + + @Before + public void init() { + log.info("setting up"); + } + + @Test + public void okTest() { + log.info("starting: " + mTestName); + try { + final IAuthData authData = buildAuthData(); + ((AuthenticationData) authData).setGenericData(SZR_AUTHBLOCK, JSW); + + final String value = attrBuilde.build(spConfig, authData, gen); + + Assert.assertEquals("Authblock build wrong", JSW, value); + + } catch (final Exception e) { + Assert.assertNull("Attr. builder has an exception", e); + } + } + + + @Test + public void nullTest() { + log.info("starting: " + mTestName); + try { + final IAuthData authData = buildAuthData(); + ((AuthenticationData) authData).setGenericData(SZR_AUTHBLOCK, null); + + final String value = attrBuilde.build(spConfig, authData, gen); + Assert.fail("Attr. Builder provide no 'UnavailableAttributeException'"); + + } catch (final Exception e) { + Assert.assertTrue("Attr. builder provide wrong exception", + e instanceof UnavailableAttributeException); + Assert.assertEquals("Attr. name in exception does NOT match", + EID_AUTHBLOCK_SIGNED_NAME, + ((UnavailableAttributeException) e).getAttributeName()); + } + } + + @Test + public void emptyTest() { + log.info("starting: " + mTestName); + try { + final IAuthData authData = buildAuthData(); + ((AuthenticationData) authData).setGenericData(SZR_AUTHBLOCK, ""); + + final String value = attrBuilde.build(spConfig, authData, gen); + Assert.fail("Attr. Builder provide no 'UnavailableAttributeException'"); + + } catch (final Exception e) { + Assert.assertTrue("Attr. builder provide wrong exception", + e instanceof UnavailableAttributeException); + Assert.assertEquals("Attr. name in exception does NOT match", + EID_AUTHBLOCK_SIGNED_NAME, + ((UnavailableAttributeException) e).getAttributeName()); } + } +} diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/EidasBindAttributeBuilderTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/EidasBindAttributeBuilderTest.java new file mode 100644 index 00000000..254efb59 --- /dev/null +++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/attributes/EidasBindAttributeBuilderTest.java @@ -0,0 +1,92 @@ +package at.asitplus.eidas.specific.connector.test.attributes; + +import at.asitplus.eidas.specific.connector.attributes.EidasBindAttributeBuilder; +import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions; +import at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder; +import at.gv.egiz.eaaf.core.api.idp.IAuthData; +import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; +import at.gv.egiz.eaaf.core.impl.idp.AuthenticationData; +import at.gv.egiz.eaaf.core.impl.idp.auth.attributes.AbstractAttributeBuilderTest; +import lombok.extern.slf4j.Slf4j; +import org.junit.Assert; +import org.junit.Before; +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.TestName; +import org.junit.runner.RunWith; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; + +import static at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants.EIDAS_BIND; + + +@Slf4j +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration("/SpringTest-context_eaaf_core.xml") +public class EidasBindAttributeBuilderTest extends AbstractAttributeBuilderTest { + + private final IAttributeBuilder attrBuilde = new EidasBindAttributeBuilder(); + + @Rule + public TestName mTestName = new TestName(); + + @Before + public void init() { + log.info("setting up"); + } + + @Test + public void okTest() { + log.info("starting: " + mTestName); + try { + final IAuthData authData = buildAuthData(); + ((AuthenticationData) authData).setGenericData(EIDAS_BIND, "vuG8w29GT0"); + + final String value = attrBuilde.build(spConfig, authData, gen); + + Assert.assertEquals("eDIAS bind build wrong", "vuG8w29GT0", value); + + } catch (final Exception e) { + Assert.assertNull("Attr. builder has an exception", e); + } + } + + @Test + public void nullTest() { + log.info("starting: " + mTestName); + try { + final IAuthData authData = buildAuthData(); + ((AuthenticationData) authData).setGenericData(EIDAS_BIND, null); + + final String value = attrBuilde.build(spConfig, authData, gen); + Assert.fail("Attr. Builder provide no 'UnavailableAttributeException'"); + + } catch (final Exception e) { + Assert.assertTrue("Attr. builder provide wrong exception", + e instanceof UnavailableAttributeException); + Assert.assertEquals("Attr. name in exception does NOT match", + ExtendedPvpAttributeDefinitions.EID_EIDBIND_NAME, + ((UnavailableAttributeException) e).getAttributeName()); + } + } + + @Test + public void emptyTest() { + log.info("starting: " + mTestName); + try { + final IAuthData authData = buildAuthData(); + ((AuthenticationData) authData).setGenericData(EIDAS_BIND, ""); + + final String value = attrBuilde.build(spConfig, authData, gen); + Assert.fail("Attr. Builder provide no 'UnavailableAttributeException'"); + + } catch (final Exception e) { + Assert.assertTrue("Attr. builder provide wrong exception", + e instanceof UnavailableAttributeException); + Assert.assertEquals("Attr. name in exception does NOT match", + ExtendedPvpAttributeDefinitions.EID_EIDBIND_NAME, + ((UnavailableAttributeException) e).getAttributeName()); } + } + + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java index af260528..f060a4cf 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java @@ -101,6 +101,7 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { @Autowired EaafKeyStoreFactory keyStoreFactory; + private static final String EID_STATUS = "urn:eidgvat:eid.status.eidas"; Pair ks; /* @@ -230,27 +231,24 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { } if (eidMode.equals("new")) { - String keyAlias = pendingReq.getServiceProviderConfiguration().getConfigurationValue( MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_FRIENDLYNAME, ""); - String keyPw = pendingReq.getServiceProviderConfiguration() .getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_PW, ""); + // get verschlüsselte Stammzahl String vsz = szrClient.getEncryptedStammzahl(personInfo); // build Keystore String pk64 = getPkFromKeystore(keyAlias, keyPw); + // get eIDAS bind + String signedEidasBind = szrClient.getBcBind(vsz, pk64, EID_STATUS); - String signedEidasBind = szrClient.getBcBind(vsz, pk64, "urn:eidgvat:eid.status.eidas"); - //TODO eidStatus as config? - - //build AuthBlock JWS + // build AuthBlock (JWS) ObjectMapper mapper = new ObjectMapper(); String jwsPayload = mapper.writeValueAsString(pendingReq.getUniqueTransactionIdentifier()); - String jwsSignature = JoseUtils .createSignature(ks, keyAlias, keyPw.toCharArray(), jwsPayload, false, keyAlias); @@ -277,9 +275,8 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USESRZFORBPKGENERATION, true)) { bpk = szrClient .getBpk(personInfo, pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(), - basicConfig - .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, "no VKZ defined")) - .get(0); + basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, + "no VKZ defined")).get(0); } else { log.debug("Calculating bPK from baseId ... "); diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTest.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTest.java index c957e20c..d6bce8eb 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTest.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTest.java @@ -143,7 +143,8 @@ public class SzrClientTest { when(szrMock.getBPKFromStammzahlEncrypted(anyList())) .thenReturn(Arrays.asList(result1)); -// szrMock.getStammzahlEncrypted() TODO ??? + String stammzahlEncrypted = szrMock.getStammzahlEncrypted(new PersonInfoType(), false); + } @Test -- cgit v1.2.3 From f358f3ba6a24d5e9575b3fd63e3fbfe8848b63c4 Mon Sep 17 00:00:00 2001 From: lalber Date: Fri, 6 Nov 2020 16:28:26 +0100 Subject: some improvements --- .../builder/AuthenticationDataBuilder.java | 8 +- .../test/AuthenticationDataBuilderTest.java | 4 +- .../specific/connector/MsEidasNodeConstants.java | 18 +++-- .../eidas/v2/tasks/CreateIdentityLinkTask.java | 65 ++++++++++------- .../tasks/CreateIdentityLinkTaskEidNewTest.java | 85 +++++++++++++--------- .../resources/config/junit_config_3.properties | 11 ++- 6 files changed, 115 insertions(+), 76 deletions(-) (limited to 'connector/src/main/java') diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java index 42163097..ef1a1f2b 100644 --- a/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java @@ -56,13 +56,11 @@ public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder final IAuthProcessDataContainer authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); AuthenticationData authData = new AuthenticationData(); - String eidMode = pendingReq.getServiceProviderConfiguration() - .getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_EID_MODE, "old"); - - if (eidMode.equals("new")) { + boolean isEidModeNew = pendingReq.getServiceProviderConfiguration() + .isConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE, false); + if (isEidModeNew) { authData = (AuthenticationData) super.buildAuthenticationData(pendingReq); - } else { try { generateDeprecatedBasicAuthData(authData, pendingReq, authProcessData); diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthenticationDataBuilderTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthenticationDataBuilderTest.java index 4ae2a34d..78d2ee1a 100644 --- a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthenticationDataBuilderTest.java +++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthenticationDataBuilderTest.java @@ -31,6 +31,8 @@ import org.springframework.web.context.request.ServletRequestAttributes; import java.util.HashMap; import java.util.Map; +import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE; + @RunWith(SpringJUnit4ClassRunner.class) @ContextConfiguration({"/applicationContext.xml", "/SpringTest_connector.beans.xml", @@ -72,7 +74,7 @@ public class AuthenticationDataBuilderTest { final Map spConfig = new HashMap<>(); spConfig.put(EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER, "testSp"); spConfig.put("target", "urn:publicid:gv.at:cdid+XX"); - spConfig.put("eidMode", "new"); + spConfig.put(PROP_CONFIG_SP_NEW_EID_MODE, "true"); oaParam = new DummySpConfiguration(spConfig, basicConfig); pendingReq = new TestRequestImpl(); diff --git a/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java b/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java index d9aac126..10ec9791 100644 --- a/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java +++ b/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java @@ -86,6 +86,15 @@ public class MsEidasNodeConstants { public static final String PROP_EIDAS_REQUEST_LOA_MINIMUM_LEVEL = "auth.eIDAS.node_v2.loa.requested.minimum"; + public static final String PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PASSWORD = + "auth.eIDAS.authblock.keystore.password"; + public static final String PROP_CONFIG_SP_AUTHBLOCK_KEYSTSTORE_FRIENDLYNAME = + "auth.eIDAS.authblock.keystore.friendlyName"; + public static final String PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PATH = + "auth.eIDAS.authblock.keystore.path"; + public static final String PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_TYPE = + "auth.eIDAS.authblock.keystore.type"; + public static final String PROP_CONFIG_SP_LIST_PREFIX = "sp."; public static final String PROP_CONFIG_SP_UNIQUEIDENTIFIER = EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER; @@ -94,12 +103,9 @@ public class MsEidasNodeConstants { public static final String PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE = "pvp2.metadata.truststore"; public static final String PROP_CONFIG_SP_PVP2_METADATA_TRUSTSTORE_PASSWORD = "pvp2.metadata.truststore.password"; - public static final String PROP_CONFIG_SP_EID_MODE = - "eidMode"; - public static final String PROP_CONFIG_SP_AUTHBLOCK_PW = - "authblock.truststore.password"; - public static final String PROP_CONFIG_SP_AUTHBLOCK_FRIENDLYNAME = - "authblock.truststore.friendlyName"; + public static final String PROP_CONFIG_SP_NEW_EID_MODE = + "newEidMode"; + public static final String PROP_CONFIG_SP_POLICY_ALLOWED_TARGETS = "policy.allowed.requested.targets"; public static final String PROP_CONFIG_SP_POLICY_BASEIDTRANSFER_RESTRICTION = "policy.hasBaseIdTransferRestriction"; diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java index f060a4cf..8626c709 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java @@ -60,7 +60,6 @@ import eu.eidas.auth.commons.attribute.AttributeValue; import eu.eidas.auth.commons.light.ILightResponse; import eu.eidas.auth.commons.protocol.eidas.impl.PostalAddress; import lombok.extern.slf4j.Slf4j; -import lombok.val; import org.apache.commons.lang3.StringUtils; import org.joda.time.DateTime; import org.springframework.beans.factory.annotation.Autowired; @@ -77,6 +76,7 @@ import java.io.InputStream; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.Provider; +import java.security.PublicKey; import java.util.Base64; import java.util.HashMap; import java.util.List; @@ -102,7 +102,6 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { EaafKeyStoreFactory keyStoreFactory; private static final String EID_STATUS = "urn:eidgvat:eid.status.eidas"; - Pair ks; /* * (non-Javadoc) @@ -119,8 +118,8 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); final ILightResponse eidasResponse = authProcessData .getGenericDataFromSession(Constants.DATA_FULL_EIDAS_RESPONSE, ILightResponse.class); - String eidMode = pendingReq.getServiceProviderConfiguration() - .getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_EID_MODE, "old"); + boolean isNewEidMode = pendingReq.getServiceProviderConfiguration() + .isConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE, false); final Map simpleAttrMap = convertEidasAttrToSimpleMap( @@ -230,17 +229,31 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { } } - if (eidMode.equals("new")) { - String keyAlias = pendingReq.getServiceProviderConfiguration().getConfigurationValue( - MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_FRIENDLYNAME, ""); - String keyPw = pendingReq.getServiceProviderConfiguration() - .getConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_PW, ""); + if (isNewEidMode) { + + // read Connector wide config data TODO connector wide! + String keyStoreAlias = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTSTORE_FRIENDLYNAME); + String keyStorePw = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PASSWORD); + String keyStorePath = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PATH); + String keyStoreType = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_TYPE); + // get verschlüsselte Stammzahl String vsz = szrClient.getEncryptedStammzahl(personInfo); // build Keystore - String pk64 = getPkFromKeystore(keyAlias, keyPw); + Pair keystoreProvider = initKeystore(keyStoreAlias, keyStorePw, keyStorePath, + keyStoreType); + + // get pubKey + PublicKey publicKey = keystoreProvider.getFirst().getCertificate(keyStoreAlias).getPublicKey(); + + // encode pubKey base64 + String pk64 = Base64.getEncoder().encodeToString(publicKey.getEncoded()); // get eIDAS bind String signedEidasBind = szrClient.getBcBind(vsz, pk64, EID_STATUS); @@ -250,7 +263,8 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { String jwsPayload = mapper.writeValueAsString(pendingReq.getUniqueTransactionIdentifier()); String jwsSignature = JoseUtils - .createSignature(ks, keyAlias, keyPw.toCharArray(), jwsPayload, false, keyAlias); + .createSignature(keystoreProvider, keyStoreAlias, keyStorePw.toCharArray(), jwsPayload, false, + keyStoreAlias); authProcessData.setGenericDataToSession(Constants.SZR_AUTHBLOCK, jwsSignature); authProcessData.setGenericDataToSession(Constants.EIDAS_BIND, signedEidasBind); @@ -275,8 +289,9 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USESRZFORBPKGENERATION, true)) { bpk = szrClient .getBpk(personInfo, pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(), - basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, - "no VKZ defined")).get(0); + basicConfig + .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, "no VKZ defined")) + .get(0); } else { log.debug("Calculating bPK from baseId ... "); @@ -292,7 +307,7 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { } } - if (eidMode.equals("new")) { + if (isNewEidMode) { authProcessData.setForeigner(true); authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, EidasResponseUtils .parseEidasPersonalIdentifier((String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER)) @@ -305,7 +320,8 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { throw new SzrCommunicationException("ernb.00", null); } - revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_IDL_RECEIVED, + revisionsLogger.logEvent(pendingReq, + MsConnectorEventCodes.SZR_IDL_RECEIVED, identityLink.getSamlAssertion() .getAttribute(SimpleIdentityLinkAssertionParser.ASSERTIONID)); @@ -348,18 +364,17 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { } } - private String getPkFromKeystore(String keyAlias, String keyPw) throws EaafException, KeyStoreException { - KeyStoreConfiguration configuration = new KeyStoreConfiguration(); + private Pair initKeystore(String keyAlias, String keyPw, String path, String type) + throws EaafException, KeyStoreException { + KeyStoreConfiguration keyStoreConfiguration = new KeyStoreConfiguration(); final String current = new java.io.File(".").toURI().toString(); - configuration.setSoftKeyStoreFilePath(current + "src/test/resources/keystore/teststore.jks"); - configuration.setSoftKeyStorePassword(keyPw); //TODO from config - configuration.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.JKS); - configuration.setFriendlyName(keyAlias); - configuration.setKeyStoreName(keyAlias); - ks = keyStoreFactory.buildNewKeyStore(configuration); - val publicKey = ks.getFirst().getCertificate(keyAlias).getPublicKey(); - return Base64.getEncoder().encodeToString(publicKey.getEncoded()); + keyStoreConfiguration.setSoftKeyStoreFilePath(current + path); + keyStoreConfiguration.setSoftKeyStorePassword(keyPw); + keyStoreConfiguration.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.fromString(type)); + keyStoreConfiguration.setFriendlyName(keyAlias); + keyStoreConfiguration.setKeyStoreName(keyAlias); + return keyStoreFactory.buildNewKeyStore(keyStoreConfiguration); } private String extendBpkByPrefix(String bpk, String type) { diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java index 00e01a2c..888b7631 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java @@ -1,8 +1,8 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.test.tasks; -import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_FRIENDLYNAME; -import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_PW; -import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_EID_MODE; +import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTSTORE_FRIENDLYNAME; +import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PASSWORD; +import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE; import static org.mockito.ArgumentMatchers.any; import static org.powermock.api.mockito.PowerMockito.when; @@ -69,8 +69,8 @@ public class CreateIdentityLinkTaskEidNewTest { @Autowired(required = true) private CreateIdentityLinkTask task; -// @Autowired(required = true) -// private FinalizeAuthenticationTask authTask; + // @Autowired(required = true) + // private FinalizeAuthenticationTask authTask; @Autowired(required = true) private DummySpecificCommunicationService commService; @Autowired(required = true) @@ -87,7 +87,7 @@ public class CreateIdentityLinkTaskEidNewTest { private static final String PW = "f/+saJBc3a}*/T^s"; private static final String ALIAS = "connectorkeypair"; - + @Rule public final SoapServiceRule soap = SoapServiceRule.newInstance(); @@ -99,8 +99,7 @@ public class CreateIdentityLinkTaskEidNewTest { @BeforeClass public static void classInitializer() throws IOException { final String current = new java.io.File(".").toURI().toString(); - System.setProperty("eidas.ms.configuration", current - + "src/test/resources/config/junit_config_3.properties"); + System.setProperty("eidas.ms.configuration", current + "src/test/resources/config/junit_config_3.properties"); } @@ -118,18 +117,17 @@ public class CreateIdentityLinkTaskEidNewTest { final Map spConfig = new HashMap<>(); spConfig.put(EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER, "testSp"); spConfig.put("target", "urn:publicid:gv.at:cdid+XX"); - spConfig.put(PROP_CONFIG_SP_EID_MODE, "new"); - spConfig.put(PROP_CONFIG_SP_AUTHBLOCK_PW, PW); - spConfig.put(PROP_CONFIG_SP_AUTHBLOCK_FRIENDLYNAME, ALIAS); + spConfig.put(PROP_CONFIG_SP_NEW_EID_MODE, "true"); + spConfig.put(PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PASSWORD, PW); + spConfig.put(PROP_CONFIG_SP_AUTHBLOCK_KEYSTSTORE_FRIENDLYNAME, ALIAS); oaParam = new DummySpConfiguration(spConfig, basicConfig); pendingReq = new TestRequestImpl(); AuthenticationResponse response = buildDummyAuthResponse(); - - - pendingReq.getSessionData(AuthProcessDataWrapper.class).setGenericDataToSession(Constants.DATA_FULL_EIDAS_RESPONSE, response); + pendingReq.getSessionData(AuthProcessDataWrapper.class) + .setGenericDataToSession(Constants.DATA_FULL_EIDAS_RESPONSE, response); pendingReq.setSpConfig(oaParam); pendingReq.setPendingReqId(at.gv.egiz.eaaf.core.impl.utils.Random.nextProcessReferenceValue()); pendingReq.setAuthUrl("http://test.com/"); @@ -143,33 +141,48 @@ public class CreateIdentityLinkTaskEidNewTest { @NotNull private AuthenticationResponse buildDummyAuthResponse() throws URISyntaxException { - AttributeDefinition attributeDef = AttributeDefinition.builder().friendlyName(Constants.eIDAS_ATTR_PERSONALIDENTIFIER) - .nameUri(new URI("ad", "sd", "ff")).personType(PersonType.LEGAL_PERSON) - .xmlType(new QName("http://saf", "as", "af")) - .attributeValueMarshaller("eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller").build(); - AttributeDefinition attributeDef2 = AttributeDefinition.builder().friendlyName(Constants.eIDAS_ATTR_CURRENTFAMILYNAME) - .nameUri(new URI("ad", "sd", "fff")).personType(PersonType.LEGAL_PERSON) - .xmlType(new QName("http://saf", "as", "aff")) - .attributeValueMarshaller("eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller").build(); - AttributeDefinition attributeDef3 = AttributeDefinition.builder().friendlyName(Constants.eIDAS_ATTR_CURRENTGIVENNAME) - .nameUri(new URI("ad", "sd", "ffff")).personType(PersonType.LEGAL_PERSON) - .xmlType(new QName("http://saf", "as", "afff")) - .attributeValueMarshaller("eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller").build(); + AttributeDefinition attributeDef = AttributeDefinition.builder() + .friendlyName(Constants.eIDAS_ATTR_PERSONALIDENTIFIER) + .nameUri(new URI("ad", "sd", "ff")) + .personType(PersonType.LEGAL_PERSON) + .xmlType(new QName("http://saf", "as", "af")) + .attributeValueMarshaller( + "eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller") + .build(); + AttributeDefinition attributeDef2 = AttributeDefinition.builder() + .friendlyName(Constants.eIDAS_ATTR_CURRENTFAMILYNAME) + .nameUri(new URI("ad", "sd", "fff")) + .personType(PersonType.LEGAL_PERSON) + .xmlType(new QName("http://saf", "as", "aff")) + .attributeValueMarshaller( + "eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller") + .build(); + AttributeDefinition attributeDef3 = AttributeDefinition.builder() + .friendlyName(Constants.eIDAS_ATTR_CURRENTGIVENNAME) + .nameUri(new URI("ad", "sd", "ffff")) + .personType(PersonType.LEGAL_PERSON) + .xmlType(new QName("http://saf", "as", "afff")) + .attributeValueMarshaller( + "eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller") + .build(); AttributeDefinition attributeDef4 = AttributeDefinition.builder().friendlyName(Constants.eIDAS_ATTR_DATEOFBIRTH) - .nameUri(new URI("ad", "sd", "fffff")).personType(PersonType.LEGAL_PERSON) - .xmlType(new QName("http://saf", "as", "affff")) - .attributeValueMarshaller("eu.eidas.auth.commons.attribute.impl.DateTimeAttributeValueMarshaller").build(); + .nameUri(new URI("ad", "sd", "fffff")) + .personType(PersonType.LEGAL_PERSON) + .xmlType(new QName("http://saf", "as", "affff")) + .attributeValueMarshaller( + "eu.eidas.auth.commons.attribute.impl.DateTimeAttributeValueMarshaller") + .build(); - ImmutableAttributeMap attributeMap = ImmutableAttributeMap.builder().put(attributeDef, "de/st/" + RandomStringUtils.randomNumeric(64)) - .put(attributeDef2, RandomStringUtils.randomAlphabetic(10)) - .put(attributeDef3, RandomStringUtils.randomAlphabetic(10)) - .put(attributeDef4, "2001-01-01") - .build(); + ImmutableAttributeMap attributeMap = ImmutableAttributeMap.builder().put(attributeDef, "de/st/" + RandomStringUtils + .randomNumeric(64)).put(attributeDef2, RandomStringUtils.randomAlphabetic(10)).put(attributeDef3, + RandomStringUtils + .randomAlphabetic(10)) + .put(attributeDef4, "2001-01-01").build(); val b = new AuthenticationResponse.Builder(); - return b.id("aasdf").issuer("asd").subject("asf").statusCode("200").inResponseTo("asdf") - .subjectNameIdFormat("afaf").attributes(attributeMap).build(); + return b.id("aasdf").issuer("asd").subject("asf").statusCode("200").inResponseTo("asdf").subjectNameIdFormat("afaf") + .attributes(attributeMap).build(); } @Test diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/resources/config/junit_config_3.properties b/eidas_modules/authmodule-eIDAS-v2/src/test/resources/config/junit_config_3.properties index 33207118..79352734 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/test/resources/config/junit_config_3.properties +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/resources/config/junit_config_3.properties @@ -47,6 +47,12 @@ eidas.ms.auth.eIDAS.szrclient.timeout.connection=15 eidas.ms.auth.eIDAS.szrclient.timeout.response=30 eidas.ms.auth.eIDAS.szrclient.params.vkz= +eidas.ms.auth.eIDAS.authblock.keystore.password=f/+saJBc3a}*/T^s +eidas.ms.auth.eIDAS.authblock.keystore.friendlyName=connectorkeypair +eidas.ms.auth.eIDAS.authblock.keystore.path=src/test/resources/keystore/teststore.jks +eidas.ms.auth.eIDAS.authblock.keystore.type=jks + + eidas.ms.auth.eIDAS.szrclient.params.useSZRForbPKCalculation=false @@ -93,9 +99,8 @@ eidas.ms.pvp2.metadata.validity=24 eidas.ms.sp.0.uniqueID= eidas.ms.sp.0.pvp2.metadata.truststore= eidas.ms.sp.0.pvp2.metadata.truststore.password= -eidas.ms.sp.0.eidMode=new -eidas.ms.sp.0.authblock.truststore.password=f/+saJBc3a}*/T^s -eidas.ms.sp.0.authblock.truststore.friendlyName=connectorkeypair +eidas.ms.sp.0.newEidMode=true + #eidas.ms.sp.0.friendlyName= #eidas.ms.sp.0.pvp2.metadata.url= -- cgit v1.2.3 From 57d813b9cfbbd231a2e6f9d47169b31435d1d6c0 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Sat, 7 Nov 2020 18:21:49 +0100 Subject: code clean-up and first jUnit test modifications for CreateIdentityLink task --- basicConfig/default_config.properties | 9 + basicConfig/keys/teststore.jks | Bin 0 -> 2028 bytes .../connector/provider/PvpMetadataProvider.java | 7 + .../specific/connector/MsEidasNodeConstants.java | 23 +- .../eidas/v2/service/AuthBlockSigningService.java | 147 ++++++ .../eidas/v2/tasks/CreateIdentityLinkTask.java | 507 +++++++++++---------- .../src/main/resources/eidas_v2_auth.beans.xml | 3 + .../eidas/v2/test/SzrClientTestProduction.java | 2 +- .../tasks/CreateIdentityLinkTaskEidNewTest.java | 204 ++++++--- .../resources/SpringTest-context_tasks_test.xml | 3 + .../resources/config/junit_config_1.properties | 8 + .../resources/config/junit_config_2.properties | 8 + .../resources/config/junit_config_3.properties | 4 +- pom.xml | 2 +- 14 files changed, 595 insertions(+), 332 deletions(-) create mode 100644 basicConfig/keys/teststore.jks create mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java (limited to 'connector/src/main/java') diff --git a/basicConfig/default_config.properties b/basicConfig/default_config.properties index dda5144e..2e0aebcc 100644 --- a/basicConfig/default_config.properties +++ b/basicConfig/default_config.properties @@ -50,6 +50,15 @@ eidas.ms.auth.eIDAS.szrclient.params.vkz= eidas.ms.auth.eIDAS.szrclient.params.useSZRForbPKCalculation=false +## E-AuthBlock configuration +eidas.ms.auth.eIDAS.authblock.keystore.type=jks +eidas.ms.auth.eIDAS.authblock.keystore.path=keys/teststore.jks +eidas.ms.auth.eIDAS.authblock.keystore.password=f/+saJBc3a}*/T^s +eidas.ms.auth.eIDAS.authblock.keystore.name= +eidas.ms.auth.eIDAS.authblock.key.alias=connectorkeypair +eidas.ms.auth.eIDAS.authblock.key.password=f/+saJBc3a}*/T^s + + #Raw eIDAS Id data storage eidas.ms.auth.eIDAS.szrclient.workarounds.eidmapping.revisionlog.active=true diff --git a/basicConfig/keys/teststore.jks b/basicConfig/keys/teststore.jks new file mode 100644 index 00000000..fcc6400c Binary files /dev/null and b/basicConfig/keys/teststore.jks differ diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java index 651b7b78..8dbb74c7 100644 --- a/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/provider/PvpMetadataProvider.java @@ -173,4 +173,11 @@ public class PvpMetadataProvider extends AbstractChainingMetadataProvider { return "Service-provider chainging metadata provider"; } + + @Override + public void doDestroy() { + this.fullyDestroy(); + + } + } diff --git a/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java b/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java index 10ec9791..b1ef799f 100644 --- a/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java +++ b/connector_lib/src/main/java/at/asitplus/eidas/specific/connector/MsEidasNodeConstants.java @@ -86,15 +86,22 @@ public class MsEidasNodeConstants { public static final String PROP_EIDAS_REQUEST_LOA_MINIMUM_LEVEL = "auth.eIDAS.node_v2.loa.requested.minimum"; - public static final String PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PASSWORD = - "auth.eIDAS.authblock.keystore.password"; - public static final String PROP_CONFIG_SP_AUTHBLOCK_KEYSTSTORE_FRIENDLYNAME = - "auth.eIDAS.authblock.keystore.friendlyName"; - public static final String PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PATH = - "auth.eIDAS.authblock.keystore.path"; - public static final String PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_TYPE = - "auth.eIDAS.authblock.keystore.type"; + public static final String PROP_CONFIG_AUTHBLOCK_KEYSTORE_TYPE = + "auth.eIDAS.authblock.keystore.type"; + public static final String PROP_CONFIG_AUTHBLOCK_KEYSTORE_PATH = + "auth.eIDAS.authblock.keystore.path"; + public static final String PROP_CONFIG_AUTHBLOCK_KEYSTORE_PASSWORD = + "auth.eIDAS.authblock.keystore.password"; + public static final String PROP_CONFIG_AUTHBLOCK_KEYSTORE_NAME = + "auth.eIDAS.authblock.keystore.name"; + public static final String PROP_CONFIG_AUTHBLOCK_KEY_ALIAS = + "auth.eIDAS.authblock.key.alias"; + public static final String PROP_CONFIG_AUTHBLOCK_KEY_PASSWORD = + "auth.eIDAS.authblock.key.password"; + + + public static final String PROP_CONFIG_SP_LIST_PREFIX = "sp."; public static final String PROP_CONFIG_SP_UNIQUEIDENTIFIER = EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER; diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java new file mode 100644 index 00000000..30d255b9 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/service/AuthBlockSigningService.java @@ -0,0 +1,147 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.service; + +import java.security.Key; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.Provider; +import java.security.cert.X509Certificate; +import java.util.Base64; + +import javax.annotation.PostConstruct; + +import org.apache.commons.lang3.StringUtils; +import org.jose4j.lang.JoseException; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; + +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.ObjectMapper; + +import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.JoseUtils; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.exception.EaafKeyAccessException; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import lombok.extern.slf4j.Slf4j; + +/** + * Service to build and sign AuthBlock's for E-ID system. + * + * @author tlenz + * + */ +@Slf4j +@Service("authBlockSigningService") +public class AuthBlockSigningService { + + private static final String KEYSTORE_FRIENDLYNAME = "AuthBlock_Signing"; + + private static ObjectMapper mapper = new ObjectMapper(); + + @Autowired + IConfiguration basicConfig; + + @Autowired + EaafKeyStoreFactory keyStoreFactory; + + + private Pair keyStore; + + /** + * Build and sign an AuthBlock for E-ID system. + * + * @param dataToSign data that should be added into AuthBlock + * @return serialized JWS + * @throws JsonProcessingException In case of a AuthBlock generation error + * @throws JoseException In case of a JWS signing error + * @throws EaafException In case of a KeyStore or Key error + */ + public String buildSignedAuthBlock(String dataToSign) + throws JsonProcessingException, EaafException, JoseException { + log.debug("Building and sign authBlock with data: {}", dataToSign); + + // build AuthBlock + String jwsPayload = mapper.writeValueAsString(dataToSign); + + //sign JWS + return JoseUtils + .createSignature(keyStore, getKeyAlias(), getKeyPassword(), jwsPayload, false, + KEYSTORE_FRIENDLYNAME); + } + + + /** + * Get the Base64 encoded PublicKey that is used to sign the AuthBlock. + * + * @return Base64 encoded PublicKey + * @throws EaafKeyAccessException In case of an unknown or invalid key + */ + public String getBase64EncodedPublicKey() throws EaafKeyAccessException { + Pair keyPair = EaafKeyStoreUtils.getPrivateKeyAndCertificates( + keyStore.getFirst(), getKeyAlias(), getKeyPassword(), true, KEYSTORE_FRIENDLYNAME); + return Base64.getEncoder().encodeToString(keyPair.getSecond()[0].getPublicKey().getEncoded()); + + } + + @PostConstruct + private void initialize() throws KeyStoreException, EaafException { + log.debug("Initializing AuthBlock signing service ... "); + // read Connector wide config data TODO connector wide! + String keyStoreName = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_NAME); + String keyStorePw = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_PASSWORD); + String keyStorePath = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_PATH); + String keyStoreType = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_TYPE); + + + //build new KeyStore configuration + KeyStoreConfiguration keyStoreConfiguration = new KeyStoreConfiguration(); + keyStoreConfiguration.setFriendlyName(KEYSTORE_FRIENDLYNAME); + + keyStoreConfiguration.setSoftKeyStoreFilePath(keyStorePath); + keyStoreConfiguration.setSoftKeyStorePassword(keyStorePw); + keyStoreConfiguration.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.fromString(keyStoreType)); + keyStoreConfiguration.setKeyStoreName(keyStoreName); + + //validate KeyStore configuration + keyStoreConfiguration.validate(); + + //validate key alias + if (StringUtils.isEmpty(getKeyAlias())) { + throw new EaafConfigurationException("config.08", + new Object[] {MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEY_ALIAS}); + + } + + //build new KeyStore based on configuration + keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfiguration); + + log.info("AuthBlock signing-service successful initialized"); + + } + + private char[] getKeyPassword() { + final String value = basicConfig.getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEY_PASSWORD); + if (value != null) { + return value.trim().toCharArray(); + } + + return null; + + } + + + private String getKeyAlias() { + return basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEY_ALIAS); + + } +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java index 8626c709..1ffd56e4 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/CreateIdentityLinkTask.java @@ -23,16 +23,37 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; +import java.io.IOException; +import java.io.InputStream; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.xml.parsers.ParserConfigurationException; + +import org.apache.commons.lang3.StringUtils; +import org.joda.time.DateTime; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; +import org.w3c.dom.Element; +import org.w3c.dom.Node; +import org.xml.sax.SAXException; + +import com.google.common.collect.ImmutableMap; +import com.google.common.collect.ImmutableSet; + import at.asitplus.eidas.specific.connector.MsConnectorEventCodes; import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.ErnbEidData; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasAttributeException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.SzrCommunicationException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.AuthBlockSigningService; import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.ICcSpecificEidProcessingService; import at.asitplus.eidas.specific.modules.auth.eidas.v2.szr.SzrClient; import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.EidasResponseUtils; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.JoseUtils; import at.gv.e_government.reference.namespace.persondata._20020228.AlternativeNameType; import at.gv.e_government.reference.namespace.persondata._20020228.PersonNameType; import at.gv.e_government.reference.namespace.persondata._20020228.PhysicalPersonType; @@ -43,8 +64,6 @@ import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egiz.eaaf.core.exceptions.EaafException; import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; -import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; -import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.core.impl.idp.auth.builder.BpkBuilder; import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper; @@ -52,36 +71,16 @@ import at.gv.egiz.eaaf.core.impl.idp.auth.data.SimpleIdentityLinkAssertionParser import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; import at.gv.egiz.eaaf.core.impl.utils.DomUtils; import at.gv.egiz.eaaf.core.impl.utils.XPathUtils; -import com.fasterxml.jackson.databind.ObjectMapper; -import com.google.common.collect.ImmutableMap; -import com.google.common.collect.ImmutableSet; import eu.eidas.auth.commons.attribute.AttributeDefinition; import eu.eidas.auth.commons.attribute.AttributeValue; import eu.eidas.auth.commons.light.ILightResponse; import eu.eidas.auth.commons.protocol.eidas.impl.PostalAddress; +import lombok.Data; import lombok.extern.slf4j.Slf4j; -import org.apache.commons.lang3.StringUtils; -import org.joda.time.DateTime; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Component; -import org.w3c.dom.Element; -import org.w3c.dom.Node; import szrservices.IdentityLinkType; import szrservices.PersonInfoType; import szrservices.TravelDocumentType; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import java.io.InputStream; -import java.security.KeyStore; -import java.security.KeyStoreException; -import java.security.Provider; -import java.security.PublicKey; -import java.util.Base64; -import java.util.HashMap; -import java.util.List; -import java.util.Map; - /** * Task that creates the IdentityLink for an eIDAS authenticated person. * @@ -97,12 +96,12 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { private SzrClient szrClient; @Autowired private ICcSpecificEidProcessingService eidPostProcessor; - + @Autowired - EaafKeyStoreFactory keyStoreFactory; + private AuthBlockSigningService authBlockSigner; private static final String EID_STATUS = "urn:eidgvat:eid.status.eidas"; - + /* * (non-Javadoc) * @@ -118,164 +117,57 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); final ILightResponse eidasResponse = authProcessData .getGenericDataFromSession(Constants.DATA_FULL_EIDAS_RESPONSE, ILightResponse.class); - boolean isNewEidMode = pendingReq.getServiceProviderConfiguration() - .isConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE, false); - final Map simpleAttrMap = convertEidasAttrToSimpleMap( eidasResponse.getAttributes().getAttributeMap()); - IIdentityLink identityLink = null; - String bpk = null; - // post-process eIDAS attributes final ErnbEidData eidData = eidPostProcessor.postProcess(simpleAttrMap); // write MDS into technical log and revision log writeMdsLogInformation(eidData); - // connect SZR-Gateway + //build IdentityLink or VSZ and eidasBind if (basicConfig.getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USEDUMMY, false)) { - log.warn("SZR-Dummy IS ACTIVE! IdentityLink is NOT VALID!!!!"); - // create fake IdL - // - fetch IdL template from resources - final InputStream s = CreateIdentityLinkTask.class - .getResourceAsStream("/resources/xmldata/fakeIdL_IdL_template.xml"); - final Element idlTemplate = DomUtils.parseXmlValidating(s); - - identityLink = new SimpleIdentityLinkAssertionParser(idlTemplate).parseIdentityLink(); - - // replace data - final Element idlassertion = identityLink.getSamlAssertion(); - - // - set fake baseID; - final Node prIdentification = XPathUtils - .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); - prIdentification.getFirstChild().setNodeValue(eidData.getPseudonym()); - - // - set last name - final Node prFamilyName = XPathUtils - .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_FAMILY_NAME_XPATH); - prFamilyName.getFirstChild().setNodeValue(eidData.getFamilyName()); - - // - set first name - final Node prGivenName = XPathUtils - .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_GIVEN_NAME_XPATH); - prGivenName.getFirstChild().setNodeValue(eidData.getGivenName()); - - // - set date of birth - final Node prDateOfBirth = XPathUtils - .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_DATE_OF_BIRTH_XPATH); - - prDateOfBirth.getFirstChild().setNodeValue(eidData.getFormatedDateOfBirth()); - - identityLink = new SimpleIdentityLinkAssertionParser(idlassertion).parseIdentityLink(); - - new BpkBuilder(); - final Pair bpkCalc = BpkBuilder - .generateAreaSpecificPersonIdentifier(identityLink.getIdentificationValue(), - identityLink.getIdentificationType(), - pendingReq.getServiceProviderConfiguration() - .getAreaSpecificTargetIdentifier()); - bpk = bpkCalc.getFirst(); - + SzrResultHolder idlResult = createDummyIdentityLinkForTestDeployment(eidData); + //inject personal-data into session + authProcessData.setIdentityLink(idlResult.getIdentityLink()); + + // set bPK and bPKType into auth session + authProcessData.setGenericDataToSession(PvpAttributeDefinitions.BPK_NAME, extendBpkByPrefix( + idlResult.getBpK(), pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier())); + authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME, + pendingReq.getServiceProviderConfiguration() + .getAreaSpecificTargetIdentifier()); + } else { - // contact SZR Gateway - log.debug("Starting connecting SZR Gateway"); - final PersonInfoType personInfo = new PersonInfoType(); - final PersonNameType personName = new PersonNameType(); - final PhysicalPersonType naturalPerson = new PhysicalPersonType(); - final TravelDocumentType eDocument = new TravelDocumentType(); - - naturalPerson.setName(personName); - personInfo.setPerson(naturalPerson); - personInfo.setTravelDocument(eDocument); - - // person information - personName.setFamilyName(eidData.getFamilyName()); - personName.setGivenName(eidData.getGivenName()); - naturalPerson.setDateOfBirth(eidData.getFormatedDateOfBirth()); - eDocument.setIssuingCountry(eidData.getCitizenCountryCode()); - eDocument.setDocumentNumber(eidData.getPseudonym()); - - // eID document information - eDocument.setDocumentType(basicConfig - .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_EDOCUMENTTYPE, - Constants.SZR_CONSTANTS_DEFAULT_DOCUMENT_TYPE)); - - // set PlaceOfBirth if available - if (eidData.getPlaceOfBirth() != null) { - log.trace("Find 'PlaceOfBirth' attribute: " + eidData.getPlaceOfBirth()); - if (basicConfig - .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETPLACEOFBIRTHIFAVAILABLE, - true)) { - naturalPerson.setPlaceOfBirth(eidData.getPlaceOfBirth()); - log.trace("Adding 'PlaceOfBirth' to ERnB request ... "); - - } - } - - // set BirthName if available - if (eidData.getBirthName() != null) { - log.trace("Find 'BirthName' attribute: " + eidData.getBirthName()); - if (basicConfig - .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETBIRTHNAMEIFAVAILABLE, - true)) { - final AlternativeNameType alternativeName = new AlternativeNameType(); - naturalPerson.setAlternativeName(alternativeName); - alternativeName.setFamilyName(eidData.getBirthName()); - log.trace("Adding 'BirthName' to ERnB request ... "); - - } - } - - if (isNewEidMode) { - - // read Connector wide config data TODO connector wide! - String keyStoreAlias = basicConfig - .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTSTORE_FRIENDLYNAME); - String keyStorePw = basicConfig - .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PASSWORD); - String keyStorePath = basicConfig - .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PATH); - String keyStoreType = basicConfig - .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_TYPE); - - - // get verschlüsselte Stammzahl + //build SZR request from eIDAS data + final PersonInfoType personInfo = generateSzrRequest(eidData); + + //request SZR based on IDL or E-ID mode + if (pendingReq.getServiceProviderConfiguration() + .isConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE, false)) { + + // get encrypted baseId String vsz = szrClient.getEncryptedStammzahl(personInfo); - - // build Keystore - Pair keystoreProvider = initKeystore(keyStoreAlias, keyStorePw, keyStorePath, - keyStoreType); - - // get pubKey - PublicKey publicKey = keystoreProvider.getFirst().getCertificate(keyStoreAlias).getPublicKey(); - - // encode pubKey base64 - String pk64 = Base64.getEncoder().encodeToString(publicKey.getEncoded()); - + // get eIDAS bind - String signedEidasBind = szrClient.getBcBind(vsz, pk64, EID_STATUS); - - // build AuthBlock (JWS) - ObjectMapper mapper = new ObjectMapper(); - String jwsPayload = mapper.writeValueAsString(pendingReq.getUniqueTransactionIdentifier()); - - String jwsSignature = JoseUtils - .createSignature(keystoreProvider, keyStoreAlias, keyStorePw.toCharArray(), jwsPayload, false, - keyStoreAlias); - + String signedEidasBind = szrClient.getBcBind(vsz, + authBlockSigner.getBase64EncodedPublicKey(), + EID_STATUS); + + //get signed AuthBlock + String jwsSignature = authBlockSigner.buildSignedAuthBlock(pendingReq.getUniqueTransactionIdentifier()); + + //inject personal-data into session authProcessData.setGenericDataToSession(Constants.SZR_AUTHBLOCK, jwsSignature); authProcessData.setGenericDataToSession(Constants.EIDAS_BIND, signedEidasBind); + } else { - - final IdentityLinkType result = szrClient.getIdentityLinkInRawMode(personInfo); - - final Element idlFromSzr = (Element) result.getAssertion(); - identityLink = new SimpleIdentityLinkAssertionParser(idlFromSzr).parseIdentityLink(); - - // write ERnB inputdata into revisionlog + //request SZR + SzrResultHolder idlResult = requestSzrForIdentityLink(personInfo); + + // write ERnB input-data into revision-log if (basicConfig.getBasicConfigurationBoolean( Constants.CONIG_PROPS_EIDAS_SZRCLIENT_WORKAROUND_REVISIONLOGDATASTORE_ACTIVE, false)) { revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_ERNB_EIDAS_RAW_ID, @@ -283,100 +175,158 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_ERNB_EIDAS_ERNB_ID, eidData.getPseudonym()); } - - // get bPK from SZR - if (basicConfig - .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USESRZFORBPKGENERATION, true)) { - bpk = szrClient - .getBpk(personInfo, pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(), - basicConfig - .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, "no VKZ defined")) - .get(0); - - } else { - log.debug("Calculating bPK from baseId ... "); - new BpkBuilder(); - final Pair bpkCalc = BpkBuilder - .generateAreaSpecificPersonIdentifier(identityLink.getIdentificationValue(), - identityLink.getIdentificationType(), - pendingReq.getServiceProviderConfiguration() - .getAreaSpecificTargetIdentifier()); - bpk = bpkCalc.getFirst(); - - } + + //check result-data and write revision-log based on current state + checkStateAndWriteRevisionLog(idlResult); + + + //inject personal-data into session + authProcessData.setIdentityLink(idlResult.getIdentityLink()); + + // set bPK and bPKType into auth session + authProcessData.setGenericDataToSession(PvpAttributeDefinitions.BPK_NAME, extendBpkByPrefix( + idlResult.getBpK(), pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier())); + authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME, + pendingReq.getServiceProviderConfiguration() + .getAreaSpecificTargetIdentifier()); + } } + + //add generic info's into session + authProcessData.setForeigner(true); + authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, EidasResponseUtils + .parseEidasPersonalIdentifier((String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER)) + .getFirst()); + authProcessData.setQaaLevel(eidasResponse.getLevelOfAssurance()); + + // store pending-request + requestStoreage.storePendingRequest(pendingReq); + + + } catch (final EidasAttributeException e) { + throw new TaskExecutionException(pendingReq, "Minimum required eIDAS attributeset not found.", e); - if (isNewEidMode) { - authProcessData.setForeigner(true); - authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, EidasResponseUtils - .parseEidasPersonalIdentifier((String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER)) - .getFirst()); - authProcessData.setQaaLevel(eidasResponse.getLevelOfAssurance()); + } catch (final EaafException e) { + throw new TaskExecutionException(pendingReq, "IdentityLink generation for foreign person FAILED.", e); - } else { - if (identityLink == null) { - log.error("ERnB did not return an identity link."); - throw new SzrCommunicationException("ernb.00", null); + } catch (final Exception e) { + log.error("IdentityLink generation for foreign person FAILED.", e); + throw new TaskExecutionException(pendingReq, "IdentityLink generation for foreign person FAILED.", e); - } - revisionsLogger.logEvent(pendingReq, - MsConnectorEventCodes.SZR_IDL_RECEIVED, - identityLink.getSamlAssertion() - .getAttribute(SimpleIdentityLinkAssertionParser.ASSERTIONID)); + } + } - if (bpk == null) { - log.error("ERnB did not return a bPK for target: " + pendingReq.getServiceProviderConfiguration() - .getAreaSpecificTargetIdentifier()); - throw new SzrCommunicationException("ernb.01", null); + private PersonInfoType generateSzrRequest(ErnbEidData eidData) { + log.debug("Starting connecting SZR Gateway"); + final PersonInfoType personInfo = new PersonInfoType(); + final PersonNameType personName = new PersonNameType(); + final PhysicalPersonType naturalPerson = new PhysicalPersonType(); + final TravelDocumentType eDocument = new TravelDocumentType(); + + naturalPerson.setName(personName); + personInfo.setPerson(naturalPerson); + personInfo.setTravelDocument(eDocument); + + // person information + personName.setFamilyName(eidData.getFamilyName()); + personName.setGivenName(eidData.getGivenName()); + naturalPerson.setDateOfBirth(eidData.getFormatedDateOfBirth()); + eDocument.setIssuingCountry(eidData.getCitizenCountryCode()); + eDocument.setDocumentNumber(eidData.getPseudonym()); + + // eID document information + eDocument.setDocumentType(basicConfig + .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_EDOCUMENTTYPE, + Constants.SZR_CONSTANTS_DEFAULT_DOCUMENT_TYPE)); + + // set PlaceOfBirth if available + if (eidData.getPlaceOfBirth() != null) { + log.trace("Find 'PlaceOfBirth' attribute: " + eidData.getPlaceOfBirth()); + if (basicConfig + .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETPLACEOFBIRTHIFAVAILABLE, + true)) { + naturalPerson.setPlaceOfBirth(eidData.getPlaceOfBirth()); + log.trace("Adding 'PlaceOfBirth' to ERnB request ... "); - } - revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_BPK_RECEIVED); + } + } - log.debug("ERnB communication was successfull"); + // set BirthName if available + if (eidData.getBirthName() != null) { + log.trace("Find 'BirthName' attribute: " + eidData.getBirthName()); + if (basicConfig + .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_SETBIRTHNAMEIFAVAILABLE, + true)) { + final AlternativeNameType alternativeName = new AlternativeNameType(); + naturalPerson.setAlternativeName(alternativeName); + alternativeName.setFamilyName(eidData.getBirthName()); + log.trace("Adding 'BirthName' to ERnB request ... "); - authProcessData.setForeigner(true); - authProcessData.setIdentityLink(identityLink); - authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, EidasResponseUtils - .parseEidasPersonalIdentifier((String) simpleAttrMap.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER)) - .getFirst()); + } + } + + return personInfo; + + } - // set bPK and bPKType into auth session - authProcessData.setGenericDataToSession(PvpAttributeDefinitions.BPK_NAME, extendBpkByPrefix(bpk, pendingReq - .getServiceProviderConfiguration().getAreaSpecificTargetIdentifier())); - authProcessData.setGenericDataToSession(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME, + private SzrResultHolder requestSzrForIdentityLink(PersonInfoType personInfo) + throws SzrCommunicationException, EaafException { + //request IdentityLink from SZR + final IdentityLinkType result = szrClient.getIdentityLinkInRawMode(personInfo); + + final Element idlFromSzr = (Element) result.getAssertion(); + IIdentityLink identityLink = new SimpleIdentityLinkAssertionParser(idlFromSzr).parseIdentityLink(); + + // get bPK from SZR + String bpk; + if (basicConfig + .getBasicConfigurationBoolean(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_DEBUG_USESRZFORBPKGENERATION, true)) { + bpk = szrClient + .getBpk(personInfo, pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier(), + basicConfig + .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, "no VKZ defined")) + .get(0); + + } else { + log.debug("Calculating bPK from baseId ... "); + new BpkBuilder(); + final Pair bpkCalc = BpkBuilder + .generateAreaSpecificPersonIdentifier(identityLink.getIdentificationValue(), + identityLink.getIdentificationType(), pendingReq.getServiceProviderConfiguration() .getAreaSpecificTargetIdentifier()); + bpk = bpkCalc.getFirst(); - // store pending-request - requestStoreage.storePendingRequest(pendingReq); - } - } catch (final EidasAttributeException e) { - throw new TaskExecutionException(pendingReq, "Minimum required eIDAS attributeset not found.", e); + } + + return new SzrResultHolder(identityLink, bpk); + + } + + private void checkStateAndWriteRevisionLog(SzrResultHolder idlResult) throws SzrCommunicationException { + // write some infos into revision log + if (idlResult.getIdentityLink() == null) { + log.error("ERnB did not return an identity link."); + throw new SzrCommunicationException("ernb.00", null); - } catch (final EaafException e) { - throw new TaskExecutionException(pendingReq, "IdentityLink generation for foreign person FAILED.", e); + } + revisionsLogger.logEvent(pendingReq, + MsConnectorEventCodes.SZR_IDL_RECEIVED, + idlResult.getIdentityLink().getSamlAssertion() + .getAttribute(SimpleIdentityLinkAssertionParser.ASSERTIONID)); - } catch (final Exception e) { - log.error("IdentityLink generation for foreign person FAILED.", e); - throw new TaskExecutionException(pendingReq, "IdentityLink generation for foreign person FAILED.", e); + if (idlResult.getBpK() == null) { + log.error("ERnB did not return a bPK for target: " + pendingReq.getServiceProviderConfiguration() + .getAreaSpecificTargetIdentifier()); + throw new SzrCommunicationException("ernb.01", null); } + revisionsLogger.logEvent(pendingReq, MsConnectorEventCodes.SZR_BPK_RECEIVED); + log.debug("ERnB communication was successfull"); + } - - private Pair initKeystore(String keyAlias, String keyPw, String path, String type) - throws EaafException, KeyStoreException { - KeyStoreConfiguration keyStoreConfiguration = new KeyStoreConfiguration(); - - final String current = new java.io.File(".").toURI().toString(); - keyStoreConfiguration.setSoftKeyStoreFilePath(current + path); - keyStoreConfiguration.setSoftKeyStorePassword(keyPw); - keyStoreConfiguration.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.fromString(type)); - keyStoreConfiguration.setFriendlyName(keyAlias); - keyStoreConfiguration.setKeyStoreName(keyAlias); - return keyStoreFactory.buildNewKeyStore(keyStoreConfiguration); - } - + private String extendBpkByPrefix(String bpk, String type) { String bpkType = null; @@ -406,7 +356,7 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { for (final AttributeDefinition el : attributeMap.keySet()) { - final Class parameterizedType = el.getParameterizedType(); + final Class parameterizedType = el.getParameterizedType(); if (DateTime.class.equals(parameterizedType)) { final DateTime attribute = EidasResponseUtils.translateDateAttribute(el, attributeMap.get(el).asList()); if (attribute != null) { @@ -466,5 +416,72 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask { } } + + @Data + private static class SzrResultHolder { + final IIdentityLink identityLink; + final String bpK; + + } + + /** + * Build a dummy IdentityLink and a dummy bPK based on eIDAS information. + * + *

+ * FOR LOCAL TESTING ONLY!!! + * + * @param eidData Information from eIDAS response + * @return IdentityLink and bPK + * @throws ParserConfigurationException In case of an IDL processing error + * @throws SAXException In case of an IDL processing error + * @throws IOException In case of an IDL processing error + * @throws EaafException In case of a bPK generation error + */ + private SzrResultHolder createDummyIdentityLinkForTestDeployment(ErnbEidData eidData) + throws ParserConfigurationException, SAXException, IOException, EaafException { + log.warn("SZR-Dummy IS ACTIVE! IdentityLink is NOT VALID!!!!"); + // create fake IdL + // - fetch IdL template from resources + final InputStream s = CreateIdentityLinkTask.class + .getResourceAsStream("/resources/xmldata/fakeIdL_IdL_template.xml"); + final Element idlTemplate = DomUtils.parseXmlValidating(s); + + IIdentityLink identityLink = new SimpleIdentityLinkAssertionParser(idlTemplate).parseIdentityLink(); + + // replace data + final Element idlassertion = identityLink.getSamlAssertion(); + + // - set fake baseID; + final Node prIdentification = XPathUtils + .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); + prIdentification.getFirstChild().setNodeValue(eidData.getPseudonym()); + + // - set last name + final Node prFamilyName = XPathUtils + .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_FAMILY_NAME_XPATH); + prFamilyName.getFirstChild().setNodeValue(eidData.getFamilyName()); + + // - set first name + final Node prGivenName = XPathUtils + .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_GIVEN_NAME_XPATH); + prGivenName.getFirstChild().setNodeValue(eidData.getGivenName()); + + // - set date of birth + final Node prDateOfBirth = XPathUtils + .selectSingleNode(idlassertion, SimpleIdentityLinkAssertionParser.PERSON_DATE_OF_BIRTH_XPATH); + + prDateOfBirth.getFirstChild().setNodeValue(eidData.getFormatedDateOfBirth()); + + identityLink = new SimpleIdentityLinkAssertionParser(idlassertion).parseIdentityLink(); + + new BpkBuilder(); + final Pair bpkCalc = BpkBuilder + .generateAreaSpecificPersonIdentifier(identityLink.getIdentificationValue(), + identityLink.getIdentificationType(), + pendingReq.getServiceProviderConfiguration() + .getAreaSpecificTargetIdentifier()); + return new SzrResultHolder(identityLink, bpkCalc.getFirst()); + + } } diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eidas_v2_auth.beans.xml b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eidas_v2_auth.beans.xml index fbb48229..6cc704ab 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eidas_v2_auth.beans.xml +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eidas_v2_auth.beans.xml @@ -58,6 +58,9 @@ + + diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTestProduction.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTestProduction.java index a30ea2a0..2f573f53 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTestProduction.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTestProduction.java @@ -59,7 +59,7 @@ import szrservices.PersonInfoType; import szrservices.SZRException_Exception; import szrservices.TravelDocumentType; -//@Ignore +@Ignore @RunWith(SpringJUnit4ClassRunner.class) @ContextConfiguration("/SpringTest-context_basic_test.xml") public class SzrClientTestProduction { diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java index 888b7631..f67b4d93 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java @@ -1,7 +1,5 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.test.tasks; -import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTSTORE_FRIENDLYNAME; -import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PASSWORD; import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE; import static org.mockito.ArgumentMatchers.any; import static org.powermock.api.mockito.PowerMockito.when; @@ -9,13 +7,22 @@ import static org.powermock.api.mockito.PowerMockito.when; import java.io.IOException; import java.net.URI; import java.net.URISyntaxException; +import java.security.KeyStore; +import java.security.Provider; +import java.security.cert.X509Certificate; +import java.util.Arrays; +import java.util.Collections; import java.util.HashMap; +import java.util.List; import java.util.Map; import javax.xml.namespace.QName; import org.apache.commons.lang3.RandomStringUtils; import org.jetbrains.annotations.NotNull; +import org.jose4j.jwa.AlgorithmConstraints; +import org.jose4j.jwa.AlgorithmConstraints.ConstraintType; +import org.jose4j.jws.AlgorithmIdentifiers; import org.junit.Assert; import org.junit.Before; import org.junit.BeforeClass; @@ -38,12 +45,18 @@ import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry; import at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.CreateIdentityLinkTask; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.test.dummy.DummySpecificCommunicationService; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.JoseUtils; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.JoseUtils.JwsResult; import at.gv.egiz.eaaf.core.api.data.EaafConfigConstants; import at.gv.egiz.eaaf.core.api.data.EaafConstants; import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.EaafException; import at.gv.egiz.eaaf.core.exceptions.EaafStorageException; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; +import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper; import at.gv.egiz.eaaf.core.impl.idp.module.test.DummySpConfiguration; import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl; @@ -53,7 +66,6 @@ import eu.eidas.auth.commons.attribute.ImmutableAttributeMap; import eu.eidas.auth.commons.attribute.PersonType; import eu.eidas.auth.commons.protocol.impl.AuthenticationResponse; import lombok.val; -import szrservices.PersonInfoType; import szrservices.SZR; import szrservices.SignContentEntry; import szrservices.SignContentResponseType; @@ -66,17 +78,16 @@ import szrservices.SignContentResponseType; @ContextConfiguration("/SpringTest-context_tasks_test.xml") public class CreateIdentityLinkTaskEidNewTest { - @Autowired(required = true) private CreateIdentityLinkTask task; - // @Autowired(required = true) - // private FinalizeAuthenticationTask authTask; - @Autowired(required = true) - private DummySpecificCommunicationService commService; + @Autowired(required = true) private IConfiguration basicConfig; @Autowired protected EidasAttributeRegistry attrRegistry; + + @Autowired + EaafKeyStoreFactory keyStoreFactory; final ExecutionContext executionContext = new ExecutionContextImpl(); private MockHttpServletRequest httpReq; @@ -88,6 +99,13 @@ public class CreateIdentityLinkTaskEidNewTest { private static final String PW = "f/+saJBc3a}*/T^s"; private static final String ALIAS = "connectorkeypair"; + private static final List BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING = Collections.unmodifiableList( + Arrays.asList( + AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256, + AlgorithmIdentifiers.ECDSA_USING_P521_CURVE_AND_SHA512, + AlgorithmIdentifiers.RSA_PSS_USING_SHA256, + AlgorithmIdentifiers.RSA_PSS_USING_SHA512)); + @Rule public final SoapServiceRule soap = SoapServiceRule.newInstance(); @@ -99,7 +117,8 @@ public class CreateIdentityLinkTaskEidNewTest { @BeforeClass public static void classInitializer() throws IOException { final String current = new java.io.File(".").toURI().toString(); - System.setProperty("eidas.ms.configuration", current + "src/test/resources/config/junit_config_3.properties"); + System.setProperty("eidas.ms.configuration", current + + "src/test/resources/config/junit_config_3.properties"); } @@ -118,16 +137,13 @@ public class CreateIdentityLinkTaskEidNewTest { spConfig.put(EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER, "testSp"); spConfig.put("target", "urn:publicid:gv.at:cdid+XX"); spConfig.put(PROP_CONFIG_SP_NEW_EID_MODE, "true"); - spConfig.put(PROP_CONFIG_SP_AUTHBLOCK_KEYSTORE_PASSWORD, PW); - spConfig.put(PROP_CONFIG_SP_AUTHBLOCK_KEYSTSTORE_FRIENDLYNAME, ALIAS); oaParam = new DummySpConfiguration(spConfig, basicConfig); pendingReq = new TestRequestImpl(); - AuthenticationResponse response = buildDummyAuthResponse(); - + final AuthenticationResponse response = buildDummyAuthResponse(); pendingReq.getSessionData(AuthProcessDataWrapper.class) - .setGenericDataToSession(Constants.DATA_FULL_EIDAS_RESPONSE, response); + .setGenericDataToSession(Constants.DATA_FULL_EIDAS_RESPONSE, response); pendingReq.setSpConfig(oaParam); pendingReq.setPendingReqId(at.gv.egiz.eaaf.core.impl.utils.Random.nextProcessReferenceValue()); pendingReq.setAuthUrl("http://test.com/"); @@ -141,73 +157,109 @@ public class CreateIdentityLinkTaskEidNewTest { @NotNull private AuthenticationResponse buildDummyAuthResponse() throws URISyntaxException { - AttributeDefinition attributeDef = AttributeDefinition.builder() - .friendlyName(Constants.eIDAS_ATTR_PERSONALIDENTIFIER) - .nameUri(new URI("ad", "sd", "ff")) - .personType(PersonType.LEGAL_PERSON) - .xmlType(new QName("http://saf", "as", "af")) - .attributeValueMarshaller( - "eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller") - .build(); - AttributeDefinition attributeDef2 = AttributeDefinition.builder() - .friendlyName(Constants.eIDAS_ATTR_CURRENTFAMILYNAME) - .nameUri(new URI("ad", "sd", "fff")) - .personType(PersonType.LEGAL_PERSON) - .xmlType(new QName("http://saf", "as", "aff")) - .attributeValueMarshaller( - "eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller") - .build(); - AttributeDefinition attributeDef3 = AttributeDefinition.builder() - .friendlyName(Constants.eIDAS_ATTR_CURRENTGIVENNAME) - .nameUri(new URI("ad", "sd", "ffff")) - .personType(PersonType.LEGAL_PERSON) - .xmlType(new QName("http://saf", "as", "afff")) - .attributeValueMarshaller( - "eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller") - .build(); - AttributeDefinition attributeDef4 = AttributeDefinition.builder().friendlyName(Constants.eIDAS_ATTR_DATEOFBIRTH) - .nameUri(new URI("ad", "sd", "fffff")) - .personType(PersonType.LEGAL_PERSON) - .xmlType(new QName("http://saf", "as", "affff")) - .attributeValueMarshaller( - "eu.eidas.auth.commons.attribute.impl.DateTimeAttributeValueMarshaller") - .build(); - - ImmutableAttributeMap attributeMap = ImmutableAttributeMap.builder().put(attributeDef, "de/st/" + RandomStringUtils - .randomNumeric(64)).put(attributeDef2, RandomStringUtils.randomAlphabetic(10)).put(attributeDef3, - RandomStringUtils - .randomAlphabetic(10)) - .put(attributeDef4, "2001-01-01").build(); - + final AttributeDefinition attributeDef = AttributeDefinition.builder() + .friendlyName(Constants.eIDAS_ATTR_PERSONALIDENTIFIER) + .nameUri(new URI("ad", "sd", "ff")) + .personType(PersonType.LEGAL_PERSON) + .xmlType(new QName("http://saf", "as", "af")) + .attributeValueMarshaller( + "eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller") + .build(); + final AttributeDefinition attributeDef2 = AttributeDefinition.builder() + .friendlyName(Constants.eIDAS_ATTR_CURRENTFAMILYNAME) + .nameUri(new URI("ad", "sd", "fff")) + .personType(PersonType.LEGAL_PERSON) + .xmlType(new QName("http://saf", "as", "aff")) + .attributeValueMarshaller( + "eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller") + .build(); + final AttributeDefinition attributeDef3 = AttributeDefinition.builder() + .friendlyName(Constants.eIDAS_ATTR_CURRENTGIVENNAME) + .nameUri(new URI("ad", "sd", "ffff")) + .personType(PersonType.LEGAL_PERSON) + .xmlType(new QName("http://saf", "as", "afff")) + .attributeValueMarshaller( + "eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller") + .build(); + final AttributeDefinition attributeDef4 = AttributeDefinition.builder().friendlyName( + Constants.eIDAS_ATTR_DATEOFBIRTH) + .nameUri(new URI("ad", "sd", "fffff")) + .personType(PersonType.LEGAL_PERSON) + .xmlType(new QName("http://saf", "as", "affff")) + .attributeValueMarshaller( + "eu.eidas.auth.commons.attribute.impl.DateTimeAttributeValueMarshaller") + .build(); + + final ImmutableAttributeMap attributeMap = ImmutableAttributeMap.builder().put(attributeDef, "de/st/" + + RandomStringUtils + .randomNumeric(64)).put(attributeDef2, RandomStringUtils.randomAlphabetic(10)).put(attributeDef3, + RandomStringUtils + .randomAlphabetic(10)) + .put(attributeDef4, "2001-01-01").build(); val b = new AuthenticationResponse.Builder(); - return b.id("aasdf").issuer("asd").subject("asf").statusCode("200").inResponseTo("asdf").subjectNameIdFormat("afaf") - .attributes(attributeMap).build(); + return b.id("aasdf").issuer("asd").subject("asf").statusCode("200").inResponseTo("asdf") + .subjectNameIdFormat("afaf") + .attributes(attributeMap).build(); } @Test - public void fullTest() { - // keystore password f/+saJBc3a}*/T^s - try { - - String test = szrMock.getStammzahlEncrypted(new PersonInfoType(), false); - - when(szrMock, "getStammzahlEncrypted", any(), any()).thenReturn(RandomStringUtils.randomNumeric(10)); - val signContentResp = new SignContentResponseType(); - SignContentEntry signContentEntry = new SignContentEntry(); - signContentEntry.setValue(RandomStringUtils.randomAlphanumeric(10)); - signContentResp.getOut().add(signContentEntry); - when(szrMock, "signContent", any(), any(), any()).thenReturn(signContentResp); - task.execute(pendingReq, executionContext); - - } catch (Exception e) { - e.printStackTrace(); - Assert.fail(); - } - + public void successfulProcess() throws Exception { + //initialize test + when(szrMock, "getStammzahlEncrypted", any(), any()).thenReturn(RandomStringUtils.randomNumeric(10)); + val signContentResp = new SignContentResponseType(); + final SignContentEntry signContentEntry = new SignContentEntry(); + signContentEntry.setValue(RandomStringUtils.randomAlphanumeric(10)); + signContentResp.getOut().add(signContentEntry); + when(szrMock, "signContent", any(), any(), any()).thenReturn(signContentResp); + + //perform test + task.execute(pendingReq, executionContext); + + //validate state + final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); + Assert.assertNotNull("AuthProcessData", authProcessData); + Assert.assertNotNull("eidasBind", authProcessData.getGenericDataFromSession(Constants.EIDAS_BIND, String.class)); + + String authBlock = authProcessData.getGenericDataFromSession(Constants.SZR_AUTHBLOCK, String.class); + Assert.assertNotNull("AuthBlock", authBlock); + + //check authblock signature + final AlgorithmConstraints constraints = new AlgorithmConstraints(ConstraintType.PERMIT, + BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING + .toArray(new String[BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING.size()])); + Pair keyStore = getKeyStore(); + X509Certificate[] trustedCerts = EaafKeyStoreUtils.getPrivateKeyAndCertificates( + keyStore.getFirst(), ALIAS, PW.toCharArray(), true, "junit").getSecond(); + JwsResult result = JoseUtils.validateSignature(authBlock, Arrays.asList(trustedCerts) , constraints); + Assert.assertTrue("AuthBlock not valid", result.isValid()); + + } + private Pair getKeyStore() throws EaafException { + // read Connector wide config data TODO connector wide! + String keyStoreName = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_NAME); + String keyStorePw = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_PASSWORD); + String keyStorePath = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_PATH); + String keyStoreType = basicConfig + .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_TYPE); + + + //build new KeyStore configuration + KeyStoreConfiguration keyStoreConfiguration = new KeyStoreConfiguration(); + keyStoreConfiguration.setFriendlyName("jUnit test"); + + keyStoreConfiguration.setSoftKeyStoreFilePath(keyStorePath); + keyStoreConfiguration.setSoftKeyStorePassword(keyStorePw); + keyStoreConfiguration.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.fromString(keyStoreType)); + keyStoreConfiguration.setKeyStoreName(keyStoreName); + + //build new KeyStore based on configuration + return keyStoreFactory.buildNewKeyStore(keyStoreConfiguration); + } } - - diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/resources/SpringTest-context_tasks_test.xml b/eidas_modules/authmodule-eIDAS-v2/src/test/resources/SpringTest-context_tasks_test.xml index dd116bd3..7d5a4c53 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/test/resources/SpringTest-context_tasks_test.xml +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/resources/SpringTest-context_tasks_test.xml @@ -45,6 +45,9 @@ ref="specificConnectorAdditionalAttributesFileWithPath" /> + + 0.3 0.4 - 1.1.8 + 1.1.10-SNAPSHOT 5.2.9.RELEASE 3.0.11.RELEASE 3.4.0 -- cgit v1.2.3 From 7bbd7935548ee50fd5c70caf5503de1b7a2b025d Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 9 Nov 2020 10:00:25 +0100 Subject: switch to next release version of EAAF components to use already defined attribute-name for signed AuthBlock --- .../specific/connector/attributes/AuthBlockAttributeBuilder.java | 9 +++++---- pom.xml | 2 +- 2 files changed, 6 insertions(+), 5 deletions(-) (limited to 'connector/src/main/java') diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java index 80f91e57..be9f8862 100644 --- a/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/attributes/AuthBlockAttributeBuilder.java @@ -19,6 +19,11 @@ package at.asitplus.eidas.specific.connector.attributes; +import static at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions.EID_AUTHBLOCK_SIGNED_FRIENDLY_NAME; +import static at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions.EID_AUTHBLOCK_SIGNED_NAME; + +import org.apache.commons.lang3.StringUtils; + import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; import at.gv.egiz.eaaf.core.api.idp.IAttributeGenerator; import at.gv.egiz.eaaf.core.api.idp.IAuthData; @@ -27,15 +32,11 @@ import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.PvpMetadata; -import org.apache.commons.lang3.StringUtils; @PvpMetadata public class AuthBlockAttributeBuilder implements IPvpAttributeBuilder { - public static final String EID_AUTHBLOCK_SIGNED_NAME = "urn:eidgvat:attributes.authblock.signed"; - public static final String EID_AUTHBLOCK_SIGNED_FRIENDLY_NAME = "userAuthBlock"; - @Override public String getName() { return EID_AUTHBLOCK_SIGNED_NAME; diff --git a/pom.xml b/pom.xml index dad571d3..5d847e9a 100644 --- a/pom.xml +++ b/pom.xml @@ -19,7 +19,7 @@ 0.3 0.4 - 1.1.10-SNAPSHOT + 1.1.9 5.2.9.RELEASE 3.0.11.RELEASE 3.4.0 -- cgit v1.2.3 From 65baff23786c76746f4b188d3e6e59fd112e3030 Mon Sep 17 00:00:00 2001 From: lalber Date: Fri, 13 Nov 2020 08:39:00 +0100 Subject: improved Junit tests --- .../builder/AuthenticationDataBuilder.java | 13 +- .../test/AuthenticationDataBuilderTest.java | 32 ++-- .../resources/config/junit_config_3.properties | 2 +- .../tasks/CreateIdentityLinkTaskEidNewTest.java | 204 ++++++++++++--------- 4 files changed, 148 insertions(+), 103 deletions(-) (limited to 'connector/src/main/java') diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java index ef1a1f2b..13cceafb 100644 --- a/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/builder/AuthenticationDataBuilder.java @@ -57,7 +57,7 @@ public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder AuthenticationData authData = new AuthenticationData(); boolean isEidModeNew = pendingReq.getServiceProviderConfiguration() - .isConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE, false); + .isConfigurationValue(MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE, false); if (isEidModeNew) { authData = (AuthenticationData) super.buildAuthenticationData(pendingReq); @@ -66,11 +66,11 @@ public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder generateDeprecatedBasicAuthData(authData, pendingReq, authProcessData); // set specific informations - authData.setSsoSessionValidTo(new Date(new Date().getTime() - + MsEidasNodeConstants.DEFAULT_PVP_ASSERTION_VALIDITY * 60 * 1000)); + authData.setSsoSessionValidTo( + new Date(new Date().getTime() + MsEidasNodeConstants.DEFAULT_PVP_ASSERTION_VALIDITY * 60 * 1000)); - } catch (EaafBuilderException | EaafParserException | EaafConfigurationException - | XPathException | DOMException e) { + } catch (EaafBuilderException | EaafParserException + | EaafConfigurationException | XPathException | DOMException e) { log.warn("Can not build authentication data from auth. process information"); throw new EaafAuthenticationException("builder.11", new Object[]{e.getMessage()}, e); @@ -108,8 +108,7 @@ public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder @Override protected Pair getEncryptedBpkFromPvpAttribute(IAuthProcessDataContainer arg0, - AuthenticationData arg1, - ISpConfiguration arg2) throws EaafBuilderException { + AuthenticationData arg1, ISpConfiguration arg2) throws EaafBuilderException { return null; } diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthenticationDataBuilderTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthenticationDataBuilderTest.java index 78d2ee1a..1721fe61 100644 --- a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthenticationDataBuilderTest.java +++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthenticationDataBuilderTest.java @@ -4,6 +4,7 @@ package at.asitplus.eidas.specific.connector.test; import at.asitplus.eidas.specific.connector.builder.AuthenticationDataBuilder; import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants; import at.gv.egiz.eaaf.core.api.data.EaafConfigConstants; +import at.gv.egiz.eaaf.core.api.idp.IAuthData; import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.exceptions.EaafAuthenticationException; import at.gv.egiz.eaaf.core.exceptions.EaafStorageException; @@ -13,6 +14,7 @@ import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl; import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; import net.shibboleth.utilities.java.support.component.ComponentInitializationException; import org.apache.commons.lang3.RandomStringUtils; +import org.junit.Assert; import org.junit.Before; import org.junit.BeforeClass; import org.junit.Test; @@ -34,12 +36,7 @@ import java.util.Map; import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE; @RunWith(SpringJUnit4ClassRunner.class) -@ContextConfiguration({"/applicationContext.xml", - "/SpringTest_connector.beans.xml", - "/eaaf_core.beans.xml", - "/eaaf_pvp.beans.xml", - "/eaaf_pvp_idp.beans.xml", - "/spring/SpringTest-context_simple_storage.xml" }) +@ContextConfiguration({"/applicationContext.xml", "/SpringTest_connector.beans.xml", "/eaaf_core.beans.xml", "/eaaf_pvp.beans.xml", "/eaaf_pvp_idp.beans.xml", "/spring/SpringTest-context_simple_storage.xml"}) @WebAppConfiguration public class AuthenticationDataBuilderTest { @@ -55,6 +52,9 @@ public class AuthenticationDataBuilderTest { private DummySpConfiguration oaParam; + private String eidasBind; + private String authBlock; + @BeforeClass public static void classInitializer() throws InitializationException, ComponentInitializationException { @@ -82,16 +82,26 @@ public class AuthenticationDataBuilderTest { pendingReq.setPendingReqId(RandomStringUtils.randomAlphanumeric(10)); pendingReq.setSpConfig(oaParam); pendingReq.getSessionData(AuthProcessDataWrapper.class).setEidProcess(true); - pendingReq.getSessionData(AuthProcessDataWrapper.class).setGenericDataToSession(Constants.SZR_AUTHBLOCK, RandomStringUtils.randomAlphanumeric(20)); - pendingReq.getSessionData(AuthProcessDataWrapper.class).setGenericDataToSession(Constants.EIDAS_BIND, RandomStringUtils.randomAlphanumeric(20)); - - + authBlock = RandomStringUtils.randomAlphanumeric(20); + eidasBind = RandomStringUtils.randomAlphanumeric(20); + pendingReq.getSessionData(AuthProcessDataWrapper.class).setGenericDataToSession(Constants.SZR_AUTHBLOCK, authBlock); + pendingReq.getSessionData(AuthProcessDataWrapper.class).setGenericDataToSession(Constants.EIDAS_BIND, eidasBind); LocaleContextHolder.resetLocaleContext(); } @Test public void first() throws EaafAuthenticationException { - authenticationDataBuilder.buildAuthenticationData(pendingReq); + IAuthData authData = authenticationDataBuilder.buildAuthenticationData(pendingReq); + + Assert.assertNotNull("AuthData null", authData); + Assert.assertNotNull("authBlock null", authData.getGenericData(Constants.SZR_AUTHBLOCK, String.class)); + Assert.assertNotNull("eidasBind null", authData.getGenericData(Constants.EIDAS_BIND, String.class)); + Assert.assertNotNull("eidasBind null", authData.getEidasQaaLevel()); + String authBlock = authData.getGenericData(Constants.SZR_AUTHBLOCK, String.class); + String eidasBind = authData.getGenericData(Constants.EIDAS_BIND, String.class); + + Assert.assertEquals("authBlock not equal", authBlock, this.authBlock); + Assert.assertEquals("eidasBind not equal", eidasBind, this.eidasBind); } } diff --git a/connector/src/test/resources/config/junit_config_3.properties b/connector/src/test/resources/config/junit_config_3.properties index 1199fdf5..32e30790 100644 --- a/connector/src/test/resources/config/junit_config_3.properties +++ b/connector/src/test/resources/config/junit_config_3.properties @@ -100,7 +100,7 @@ eidas.ms.pvp2.metadata.contact.email=max@junit.test eidas.ms.sp.0.uniqueID= eidas.ms.sp.0.pvp2.metadata.truststore=keys/junit.jks eidas.ms.sp.0.pvp2.metadata.truststore.password=password -eidas.ms.sp.0.eidMode=new +eidas.ms.sp.0.newEidMode=true #eidas.ms.sp.0.friendlyName= #eidas.ms.sp.0.pvp2.metadata.url= diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java index f67b4d93..d08855f2 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java @@ -2,6 +2,9 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.test.tasks; import static at.asitplus.eidas.specific.connector.MsEidasNodeConstants.PROP_CONFIG_SP_NEW_EID_MODE; import static org.mockito.ArgumentMatchers.any; +import static org.mockito.ArgumentMatchers.anyString; +import static org.mockito.BDDMockito.given; +import static org.mockito.Mockito.doThrow; import static org.powermock.api.mockito.PowerMockito.when; import java.io.IOException; @@ -18,14 +21,19 @@ import java.util.Map; import javax.xml.namespace.QName; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.SzrCommunicationException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.AuthBlockSigningService; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; import org.apache.commons.lang3.RandomStringUtils; import org.jetbrains.annotations.NotNull; import org.jose4j.jwa.AlgorithmConstraints; import org.jose4j.jwa.AlgorithmConstraints.ConstraintType; import org.jose4j.jws.AlgorithmIdentifiers; +import org.jose4j.lang.JoseException; import org.junit.Assert; import org.junit.Before; import org.junit.BeforeClass; +import org.junit.Ignore; import org.junit.Rule; import org.junit.Test; import org.junit.runner.RunWith; @@ -67,6 +75,7 @@ import eu.eidas.auth.commons.attribute.PersonType; import eu.eidas.auth.commons.protocol.impl.AuthenticationResponse; import lombok.val; import szrservices.SZR; +import szrservices.SZRException_Exception; import szrservices.SignContentEntry; import szrservices.SignContentResponseType; @@ -85,10 +94,13 @@ public class CreateIdentityLinkTaskEidNewTest { private IConfiguration basicConfig; @Autowired protected EidasAttributeRegistry attrRegistry; - + @Autowired EaafKeyStoreFactory keyStoreFactory; + @Autowired + private AuthBlockSigningService authBlockSigner; + final ExecutionContext executionContext = new ExecutionContextImpl(); private MockHttpServletRequest httpReq; private MockHttpServletResponse httpResp; @@ -99,13 +111,11 @@ public class CreateIdentityLinkTaskEidNewTest { private static final String PW = "f/+saJBc3a}*/T^s"; private static final String ALIAS = "connectorkeypair"; - private static final List BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING = Collections.unmodifiableList( - Arrays.asList( - AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256, - AlgorithmIdentifiers.ECDSA_USING_P521_CURVE_AND_SHA512, - AlgorithmIdentifiers.RSA_PSS_USING_SHA256, + private static final List BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING = Collections.unmodifiableList(Arrays + .asList(AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256, + AlgorithmIdentifiers.ECDSA_USING_P521_CURVE_AND_SHA512, AlgorithmIdentifiers.RSA_PSS_USING_SHA256, AlgorithmIdentifiers.RSA_PSS_USING_SHA512)); - + @Rule public final SoapServiceRule soap = SoapServiceRule.newInstance(); @@ -117,8 +127,7 @@ public class CreateIdentityLinkTaskEidNewTest { @BeforeClass public static void classInitializer() throws IOException { final String current = new java.io.File(".").toURI().toString(); - System.setProperty("eidas.ms.configuration", current - + "src/test/resources/config/junit_config_3.properties"); + System.setProperty("eidas.ms.configuration", current + "src/test/resources/config/junit_config_3.properties"); } @@ -155,54 +164,6 @@ public class CreateIdentityLinkTaskEidNewTest { szrMock = soap.mock(SZR.class, "http://localhost:1234/demoszr"); } - @NotNull - private AuthenticationResponse buildDummyAuthResponse() throws URISyntaxException { - final AttributeDefinition attributeDef = AttributeDefinition.builder() - .friendlyName(Constants.eIDAS_ATTR_PERSONALIDENTIFIER) - .nameUri(new URI("ad", "sd", "ff")) - .personType(PersonType.LEGAL_PERSON) - .xmlType(new QName("http://saf", "as", "af")) - .attributeValueMarshaller( - "eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller") - .build(); - final AttributeDefinition attributeDef2 = AttributeDefinition.builder() - .friendlyName(Constants.eIDAS_ATTR_CURRENTFAMILYNAME) - .nameUri(new URI("ad", "sd", "fff")) - .personType(PersonType.LEGAL_PERSON) - .xmlType(new QName("http://saf", "as", "aff")) - .attributeValueMarshaller( - "eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller") - .build(); - final AttributeDefinition attributeDef3 = AttributeDefinition.builder() - .friendlyName(Constants.eIDAS_ATTR_CURRENTGIVENNAME) - .nameUri(new URI("ad", "sd", "ffff")) - .personType(PersonType.LEGAL_PERSON) - .xmlType(new QName("http://saf", "as", "afff")) - .attributeValueMarshaller( - "eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller") - .build(); - final AttributeDefinition attributeDef4 = AttributeDefinition.builder().friendlyName( - Constants.eIDAS_ATTR_DATEOFBIRTH) - .nameUri(new URI("ad", "sd", "fffff")) - .personType(PersonType.LEGAL_PERSON) - .xmlType(new QName("http://saf", "as", "affff")) - .attributeValueMarshaller( - "eu.eidas.auth.commons.attribute.impl.DateTimeAttributeValueMarshaller") - .build(); - - final ImmutableAttributeMap attributeMap = ImmutableAttributeMap.builder().put(attributeDef, "de/st/" - + RandomStringUtils - .randomNumeric(64)).put(attributeDef2, RandomStringUtils.randomAlphabetic(10)).put(attributeDef3, - RandomStringUtils - .randomAlphabetic(10)) - .put(attributeDef4, "2001-01-01").build(); - - val b = new AuthenticationResponse.Builder(); - return b.id("aasdf").issuer("asd").subject("asf").statusCode("200").inResponseTo("asdf") - .subjectNameIdFormat("afaf") - .attributes(attributeMap).build(); - } - @Test public void successfulProcess() throws Exception { //initialize test @@ -212,54 +173,129 @@ public class CreateIdentityLinkTaskEidNewTest { signContentEntry.setValue(RandomStringUtils.randomAlphanumeric(10)); signContentResp.getOut().add(signContentEntry); when(szrMock, "signContent", any(), any(), any()).thenReturn(signContentResp); - + //perform test task.execute(pendingReq, executionContext); - + //validate state final AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); Assert.assertNotNull("AuthProcessData", authProcessData); Assert.assertNotNull("eidasBind", authProcessData.getGenericDataFromSession(Constants.EIDAS_BIND, String.class)); - + String authBlock = authProcessData.getGenericDataFromSession(Constants.SZR_AUTHBLOCK, String.class); Assert.assertNotNull("AuthBlock", authBlock); - + //check authblock signature final AlgorithmConstraints constraints = new AlgorithmConstraints(ConstraintType.PERMIT, - BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING - .toArray(new String[BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING.size()])); - Pair keyStore = getKeyStore(); - X509Certificate[] trustedCerts = EaafKeyStoreUtils.getPrivateKeyAndCertificates( - keyStore.getFirst(), ALIAS, PW.toCharArray(), true, "junit").getSecond(); - JwsResult result = JoseUtils.validateSignature(authBlock, Arrays.asList(trustedCerts) , constraints); + BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING.toArray(new String[BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING.size()])); + Pair keyStore = getKeyStore(); + X509Certificate[] trustedCerts = EaafKeyStoreUtils + .getPrivateKeyAndCertificates(keyStore.getFirst(), ALIAS, PW.toCharArray(), true, "junit").getSecond(); + JwsResult result = JoseUtils.validateSignature(authBlock, Arrays.asList(trustedCerts), constraints); Assert.assertTrue("AuthBlock not valid", result.isValid()); - + + } + + @Test + public void getStammzahlEncryptedExceptionTest() throws Exception { + try { + when(szrMock, "getStammzahlEncrypted", any(), any()).thenReturn(null); + task.execute(pendingReq, executionContext); + } catch (TaskExecutionException e) { + Assert.assertEquals("Incorrect exception thrown", e.getMessage(), + "IdentityLink generation for foreign person " + "FAILED."); + Assert.assertEquals("Incorrect exception thrown", ((SzrCommunicationException) e.getCause()).getErrorId(), + "ernb.01"); + Assert.assertTrue("Incorrect exception thrown", e.getCause().getMessage().contains("Stammzahl response empty")); + } + } + + @Test + public void signContentExceptionTest() throws Exception { + try { + when(szrMock, "getStammzahlEncrypted", any(), any()).thenReturn(RandomStringUtils.randomNumeric(10)); + when(szrMock, "signContent", any(), any(), any()).thenReturn(null); + task.execute(pendingReq, executionContext); + } catch (TaskExecutionException e) { + Assert.assertEquals("Incorrect exception thrown", e.getMessage(), + "IdentityLink generation for foreign person " + "FAILED."); + Assert.assertEquals("Incorrect exception thrown", ((SzrCommunicationException) e.getCause()).getErrorId(), + "ernb.01"); + Assert.assertTrue("Incorrect exception thrown", e.getCause().getMessage().contains("BcBind response empty")); + } + } + + @Ignore + @Test + public void exceptionTest() throws Exception { + try { + when(szrMock, "getStammzahlEncrypted", any(), any()).thenReturn(RandomStringUtils.randomNumeric(10)); + val signContentResp = new SignContentResponseType(); + final SignContentEntry signContentEntry = new SignContentEntry(); + signContentEntry.setValue(RandomStringUtils.randomAlphanumeric(10)); + signContentResp.getOut().add(signContentEntry); + when(szrMock, "signContent", any(), any(), any()).thenReturn(signContentResp); + doThrow(new EaafException("test")).when(authBlockSigner) + .buildSignedAuthBlock(pendingReq.getUniqueTransactionIdentifier()); + + task.execute(pendingReq, executionContext); + } catch (TaskExecutionException e) { + Assert.assertEquals("Incorrect exception thrown", e.getMessage(), + "IdentityLink generation for foreign person " + "FAILED."); + Assert.assertTrue("Incorrect exception thrown", e.getCause() instanceof EaafException); + Assert.assertTrue("Incorrect exception thrown", e.getCause().getMessage().contains("test")); + } + } private Pair getKeyStore() throws EaafException { - // read Connector wide config data TODO connector wide! - String keyStoreName = basicConfig - .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_NAME); - String keyStorePw = basicConfig - .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_PASSWORD); - String keyStorePath = basicConfig - .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_PATH); - String keyStoreType = basicConfig - .getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_TYPE); - - + // read Connector wide config data TODO connector wide! + String keyStoreName = basicConfig.getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_NAME); + String keyStorePw = basicConfig.getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_PASSWORD); + String keyStorePath = basicConfig.getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_PATH); + String keyStoreType = basicConfig.getBasicConfiguration(MsEidasNodeConstants.PROP_CONFIG_AUTHBLOCK_KEYSTORE_TYPE); + + //build new KeyStore configuration KeyStoreConfiguration keyStoreConfiguration = new KeyStoreConfiguration(); keyStoreConfiguration.setFriendlyName("jUnit test"); - + keyStoreConfiguration.setSoftKeyStoreFilePath(keyStorePath); keyStoreConfiguration.setSoftKeyStorePassword(keyStorePw); - keyStoreConfiguration.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.fromString(keyStoreType)); + keyStoreConfiguration.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.fromString(keyStoreType)); keyStoreConfiguration.setKeyStoreName(keyStoreName); - + //build new KeyStore based on configuration - return keyStoreFactory.buildNewKeyStore(keyStoreConfiguration); - + return keyStoreFactory.buildNewKeyStore(keyStoreConfiguration); + } + @NotNull + private AuthenticationResponse buildDummyAuthResponse() throws URISyntaxException { + final AttributeDefinition attributeDef = AttributeDefinition.builder() + .friendlyName(Constants.eIDAS_ATTR_PERSONALIDENTIFIER).nameUri(new URI("ad", "sd", "ff")) + .personType(PersonType.LEGAL_PERSON).xmlType(new QName("http://saf", "as", "af")) + .attributeValueMarshaller("eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller").build(); + final AttributeDefinition attributeDef2 = AttributeDefinition.builder() + .friendlyName(Constants.eIDAS_ATTR_CURRENTFAMILYNAME).nameUri(new URI("ad", "sd", "fff")) + .personType(PersonType.LEGAL_PERSON).xmlType(new QName("http://saf", "as", "aff")) + .attributeValueMarshaller("eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller").build(); + final AttributeDefinition attributeDef3 = AttributeDefinition.builder() + .friendlyName(Constants.eIDAS_ATTR_CURRENTGIVENNAME).nameUri(new URI("ad", "sd", "ffff")) + .personType(PersonType.LEGAL_PERSON).xmlType(new QName("http://saf", "as", "afff")) + .attributeValueMarshaller("eu.eidas.auth.commons.attribute.impl.LiteralStringAttributeValueMarshaller").build(); + final AttributeDefinition attributeDef4 = AttributeDefinition.builder() + .friendlyName(Constants.eIDAS_ATTR_DATEOFBIRTH).nameUri(new URI("ad", "sd", "fffff")) + .personType(PersonType.LEGAL_PERSON).xmlType(new QName("http://saf", "as", "affff")) + .attributeValueMarshaller("eu.eidas.auth.commons.attribute.impl.DateTimeAttributeValueMarshaller").build(); + + final ImmutableAttributeMap attributeMap = ImmutableAttributeMap.builder() + .put(attributeDef, "de/st/" + RandomStringUtils.randomNumeric(64)) + .put(attributeDef2, RandomStringUtils.randomAlphabetic(10)) + .put(attributeDef3, RandomStringUtils.randomAlphabetic(10)).put(attributeDef4, "2001-01-01").build(); + + val b = new AuthenticationResponse.Builder(); + return b.id("aasdf").issuer("asd").subject("asf").statusCode("200").inResponseTo("asdf").subjectNameIdFormat("afaf") + .attributes(attributeMap).build(); + } } -- cgit v1.2.3 From 7a62a84f23b3a1a1027ebda31fb790ee072793cc Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 27 Nov 2020 09:08:10 +0100 Subject: read unique transactionId from AuthnRequest to reuse it for eIDAS authentication --- .../verification/AuthnRequestValidator.java | 247 +++++++++++++-------- .../connector/test/AuthnRequestValidatorTest.java | 52 ++++- .../resources/config/junit_config_1.properties | 2 +- connector/src/test/resources/data/pvp2_authn_2.xml | 4 + connector/src/test/resources/data/pvp2_authn_3.xml | 3 + 5 files changed, 205 insertions(+), 103 deletions(-) (limited to 'connector/src/main/java') diff --git a/connector/src/main/java/at/asitplus/eidas/specific/connector/verification/AuthnRequestValidator.java b/connector/src/main/java/at/asitplus/eidas/specific/connector/verification/AuthnRequestValidator.java index 26176c49..a9eb06be 100644 --- a/connector/src/main/java/at/asitplus/eidas/specific/connector/verification/AuthnRequestValidator.java +++ b/connector/src/main/java/at/asitplus/eidas/specific/connector/verification/AuthnRequestValidator.java @@ -46,11 +46,13 @@ import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; import at.asitplus.eidas.specific.connector.config.ServiceProviderConfiguration; import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.data.EaafConstants; +import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions; import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException; import at.gv.egiz.eaaf.core.exceptions.EaafException; import at.gv.egiz.eaaf.core.exceptions.EaafStorageException; +import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl; import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttributes; import at.gv.egiz.eaaf.modules.pvp2.api.validation.IAuthnRequestPostProcessor; @@ -107,120 +109,179 @@ public class AuthnRequestValidator implements IAuthnRequestPostProcessor { } // post-process requested LoA - final List reqLoA = extractLoA(authnReq); - log.trace("SP requests LoA with: {}", String.join(", ",reqLoA)); + postprocessLoaLevel(pendingReq, authnReq); + + // post-process requested LoA comparison-level + pendingReq.getServiceProviderConfiguration(ServiceProviderConfiguration.class).setLoAMachtingMode( + extractComparisonLevel(authnReq)); + + //extract information from requested attributes + extractFromRequestedAttriutes(pendingReq, authnReq); - LevelOfAssurance minimumLoAFromConfig = LevelOfAssurance.fromString(basicConfig.getBasicConfiguration( - MsEidasNodeConstants.PROP_EIDAS_REQUEST_LOA_MINIMUM_LEVEL, - EaafConstants.EIDAS_LOA_HIGH)); - if (minimumLoAFromConfig == null) { - log.warn("Can not load minimum LoA from configuration. Use LoA: {} as default", - EaafConstants.EIDAS_LOA_HIGH); - minimumLoAFromConfig = LevelOfAssurance.HIGH; + } catch (final EaafStorageException e) { + log.info("Can NOT store Authn. Req. data into pendingRequest.", e); + throw new AuthnRequestValidatorException("internal.02", null, e); - } - - log.trace("Validate requested LoA to connector configuration minimum LoA: {} ...", - minimumLoAFromConfig); - final List allowedLoA = new ArrayList<>(); - for (final String loa : reqLoA) { - try { - final LevelOfAssurance intLoa = LevelOfAssurance.fromString(loa); - String selectedLoA = EaafConstants.EIDAS_LOA_HIGH; - if (intLoa != null - && intLoa.numericValue() <= minimumLoAFromConfig.numericValue()) { - log.info("Client: {} requested LoA: {} will be upgraded to: {}", - pendingReq.getServiceProviderConfiguration().getUniqueIdentifier(), - loa, - minimumLoAFromConfig); - selectedLoA = minimumLoAFromConfig.getValue(); + } - } + } - if (!allowedLoA.contains(selectedLoA)) { - log.debug("Allow LoA: {} for Client: {}", - selectedLoA, - pendingReq.getServiceProviderConfiguration().getUniqueIdentifier()); - allowedLoA.add(selectedLoA); + private void extractFromRequestedAttriutes(IRequest pendingReq, AuthnRequest authnReq) + throws AuthnRequestValidatorException { + // validate and process requested attributes + boolean sectorDetected = false; + + final ServiceProviderConfiguration spConfig = pendingReq.getServiceProviderConfiguration( + ServiceProviderConfiguration.class); + + if (authnReq.getExtensions() != null) { + final List requestedAttributes = authnReq.getExtensions().getUnknownXMLObjects(); + for (final XMLObject reqAttrObj : requestedAttributes) { + if (reqAttrObj instanceof EaafRequestedAttributes) { + final EaafRequestedAttributes reqAttr = (EaafRequestedAttributes) reqAttrObj; + if (reqAttr.getAttributes() != null && reqAttr.getAttributes().size() != 0) { + for (final EaafRequestedAttribute el : reqAttr.getAttributes()) { + log.trace("Processing req. attribute '" + el.getName() + "' ... "); + if (el.getName().equals(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME)) { + sectorDetected = extractBpkTargetIdentifier(el, spConfig); + + } else if (el.getName().equals(ExtendedPvpAttributeDefinitions.EID_TRANSACTION_ID_NAME)) { + extractUniqueTransactionId(el, pendingReq); + + } else { + log.debug("Ignore req. attribute: " + el.getName()); + + } + } + } else { + log.debug("No requested Attributes in Authn. Request"); + } - } catch (final IllegalArgumentException e) { - log.warn("LoA: {} is currently NOT supported and it will be ignored.", loa); - + } else { + log.info("Ignore unknown requested attribute: " + reqAttrObj.getElementQName().toString()); + } - } + } + + if (!sectorDetected) { + log.warn("Authn.Req validation FAILED. Reason: Contains NO or NO VALID target-sector information."); + throw new AuthnRequestValidatorException("pvp2.22", new Object[] { + "NO or NO VALID target-sector information" }); - pendingReq.getServiceProviderConfiguration(ServiceProviderConfiguration.class).setRequiredLoA( - allowedLoA); + } + + } - // post-process requested LoA comparison-level - final String reqLoAComperison = extractComparisonLevel(authnReq); - pendingReq.getServiceProviderConfiguration(ServiceProviderConfiguration.class).setLoAMachtingMode( - reqLoAComperison); + /** + * Extract unique transactionId from AuthnRequest. + * + * @param el Requested attribute from AuthnRequest + * @param pendingReq Current pendingRequest object (has to be of type {@link RequestImpl}) + * @return true if transactionId extraction was successful, otherwise false + */ + private boolean extractUniqueTransactionId(EaafRequestedAttribute el, IRequest pendingReq) { + if (!(pendingReq instanceof RequestImpl)) { + log.warn("Can NOT set unique transactionId from AuthnRequest,because 'PendingRequest' is NOT from Type: {}", + RequestImpl.class.getName()); + + } else { + if (el.getAttributeValues() != null && el.getAttributeValues().size() == 1) { + final String transactionId = el.getAttributeValues().get(0).getDOM().getTextContent(); + ((RequestImpl)pendingReq).setUniqueTransactionIdentifier(transactionId); + return true; - // validate and process requested attributes - boolean sectorDetected = false; + } else { + log.warn("Req. attribute '{}' contains NO or MORE THEN ONE attribute-values. Ignore full req. attribute", + el.getName()); + + } - if (authnReq.getExtensions() != null) { - final List requestedAttributes = authnReq.getExtensions().getUnknownXMLObjects(); - for (final XMLObject reqAttrObj : requestedAttributes) { - if (reqAttrObj instanceof EaafRequestedAttributes) { - final EaafRequestedAttributes reqAttr = (EaafRequestedAttributes) reqAttrObj; - if (reqAttr.getAttributes() != null && reqAttr.getAttributes().size() != 0) { - for (final EaafRequestedAttribute el : reqAttr.getAttributes()) { - log.trace("Processing req. attribute '" + el.getName() + "' ... "); - if (el.getName().equals(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME)) { - if (el.getAttributeValues() != null && el.getAttributeValues().size() == 1) { - final String sectorId = el.getAttributeValues().get(0).getDOM().getTextContent(); - final ServiceProviderConfiguration spConfig = pendingReq.getServiceProviderConfiguration( - ServiceProviderConfiguration.class); - - try { - spConfig.setBpkTargetIdentifier(sectorId); - sectorDetected = true; - - } catch (final EaafException e) { - log.info("Requested sector: " + sectorId + " DOES NOT match to allowed sectors for SP: " - + spConfig.getUniqueIdentifier()); - } - - } else { - log.info("Req. attribute '" + el.getName() - + "' contains NO or MORE THEN ONE attribute-values. Ignore full req. attribute"); - } - - } else { - log.debug("Ignore req. attribute: " + el.getName()); - } - - } - - } else { - log.debug("No requested Attributes in Authn. Request"); - } - - } else { - log.info("Ignore unknown requested attribute: " + reqAttrObj.getElementQName().toString()); - } + } + + return false; + } + + /** + * Extract the bPK target from requested attribute. + * + * @param el Requested attribute from AuthnRequest + * @param spConfig Service-Provider configuration for current process + * @return true if bPK target extraction was successful, otherwise false + */ + private boolean extractBpkTargetIdentifier(EaafRequestedAttribute el, ServiceProviderConfiguration spConfig) { + if (el.getAttributeValues() != null && el.getAttributeValues().size() == 1) { + final String sectorId = el.getAttributeValues().get(0).getDOM().getTextContent(); + try { + spConfig.setBpkTargetIdentifier(sectorId); + return true; + + } catch (final EaafException e) { + log.warn("Requested sector: " + sectorId + " DOES NOT match to allowed sectors for SP: " + + spConfig.getUniqueIdentifier()); + } + + } else { + log.warn("Req. attribute '" + el.getName() + + "' contains NO or MORE THEN ONE attribute-values. Ignore full req. attribute"); + } + + return false; + + } + private void postprocessLoaLevel(IRequest pendingReq, AuthnRequest authnReq) + throws AuthnRequestValidatorException { + final List reqLoA = extractLoA(authnReq); + log.trace("SP requests LoA with: {}", String.join(", ",reqLoA)); + + LevelOfAssurance minimumLoAFromConfig = LevelOfAssurance.fromString(basicConfig.getBasicConfiguration( + MsEidasNodeConstants.PROP_EIDAS_REQUEST_LOA_MINIMUM_LEVEL, + EaafConstants.EIDAS_LOA_HIGH)); + if (minimumLoAFromConfig == null) { + log.warn("Can not load minimum LoA from configuration. Use LoA: {} as default", + EaafConstants.EIDAS_LOA_HIGH); + minimumLoAFromConfig = LevelOfAssurance.HIGH; + + } + + log.trace("Validate requested LoA to connector configuration minimum LoA: {} ...", + minimumLoAFromConfig); + final List allowedLoA = new ArrayList<>(); + for (final String loa : reqLoA) { + try { + final LevelOfAssurance intLoa = LevelOfAssurance.fromString(loa); + String selectedLoA = EaafConstants.EIDAS_LOA_HIGH; + if (intLoa != null + && intLoa.numericValue() <= minimumLoAFromConfig.numericValue()) { + log.info("Client: {} requested LoA: {} will be upgraded to: {}", + pendingReq.getServiceProviderConfiguration().getUniqueIdentifier(), + loa, + minimumLoAFromConfig); + selectedLoA = minimumLoAFromConfig.getValue(); + } - } - if (!sectorDetected) { - log.info("Authn.Req validation FAILED. Reason: Contains NO or NO VALID target-sector information."); - throw new AuthnRequestValidatorException("pvp2.22", new Object[] { - "NO or NO VALID target-sector information" }); + if (!allowedLoA.contains(selectedLoA)) { + log.debug("Allow LoA: {} for Client: {}", + selectedLoA, + pendingReq.getServiceProviderConfiguration().getUniqueIdentifier()); + allowedLoA.add(selectedLoA); - } + } - } catch (final EaafStorageException e) { - log.info("Can NOT store Authn. Req. data into pendingRequest.", e); - throw new AuthnRequestValidatorException("internal.02", null, e); + } catch (final IllegalArgumentException e) { + log.warn("LoA: {} is currently NOT supported and it will be ignored.", loa); + + } } + pendingReq.getServiceProviderConfiguration(ServiceProviderConfiguration.class).setRequiredLoA( + allowedLoA); + } private String extractComparisonLevel(AuthnRequest authnReq) { diff --git a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthnRequestValidatorTest.java b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthnRequestValidatorTest.java index e34c8036..389f561e 100644 --- a/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthnRequestValidatorTest.java +++ b/connector/src/test/java/at/asitplus/eidas/specific/connector/test/AuthnRequestValidatorTest.java @@ -33,11 +33,14 @@ import org.xml.sax.SAXException; import at.asitplus.eidas.specific.connector.MsEidasNodeConstants; import at.asitplus.eidas.specific.connector.config.ServiceProviderConfiguration; import at.gv.egiz.eaaf.core.api.data.EaafConfigConstants; -import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.api.idp.IConfigurationWithSP; import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl; import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl; import at.gv.egiz.eaaf.core.impl.utils.DomUtils; import at.gv.egiz.eaaf.modules.pvp2.api.validation.IAuthnRequestPostProcessor; +import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PvpSProfilePendingRequest; import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; import net.shibboleth.utilities.java.support.component.ComponentInitializationException; @@ -53,12 +56,12 @@ import net.shibboleth.utilities.java.support.component.ComponentInitializationEx @DirtiesContext(classMode = ClassMode.BEFORE_CLASS) public class AuthnRequestValidatorTest { - @Autowired private IConfiguration basicConfig; + @Autowired private IConfigurationWithSP basicConfig; @Autowired protected IAuthnRequestPostProcessor authRequestValidator; private MockHttpServletRequest httpReq; private MockHttpServletResponse httpResp; - private TestRequestImpl pendingReq; + private PvpSProfilePendingRequest pendingReq; /** * jUnit class initializer. @@ -76,10 +79,11 @@ public class AuthnRequestValidatorTest { /** * jUnit test set-up. + * @throws EaafException * */ @Before - public void initialize() { + public void initialize() throws EaafException { httpReq = new MockHttpServletRequest("POST", "https://localhost/ms_connector"); httpResp = new MockHttpServletResponse(); RequestContextHolder.resetRequestAttributes(); @@ -88,10 +92,12 @@ public class AuthnRequestValidatorTest { Map spConfig = new HashMap<>(); spConfig.put(EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER, RandomStringUtils.randomAlphabetic(10)); - pendingReq = new TestRequestImpl(); - pendingReq.setAuthUrl("https://localhost/ms_connector"); - pendingReq.setPendingReqId(RandomStringUtils.randomAlphanumeric(10)); - pendingReq.setSpConfig(new ServiceProviderConfiguration(spConfig, basicConfig)); + pendingReq = new PvpSProfilePendingRequest(); + pendingReq.initialize(httpReq, basicConfig); + pendingReq.setPendingRequestId(RandomStringUtils.randomAlphanumeric(10)); + pendingReq.setOnlineApplicationConfiguration(new ServiceProviderConfiguration(spConfig, basicConfig)); + ((RequestImpl)pendingReq).setUniqueTransactionIdentifier(null); + } @Test @@ -128,6 +134,8 @@ public class AuthnRequestValidatorTest { Assert.assertEquals("bPK target not match", "urn:publicid:gv.at:cdid+BF", pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier()); + Assert.assertNull("wrong transactionId", pendingReq.getUniqueTransactionIdentifier()); + } @Test @@ -164,6 +172,8 @@ public class AuthnRequestValidatorTest { Assert.assertEquals("bPK target not match", "urn:publicid:gv.at:cdid+BF", pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier()); + Assert.assertNull("wrong transactionId", pendingReq.getUniqueTransactionIdentifier()); + } @Test @@ -200,6 +210,30 @@ public class AuthnRequestValidatorTest { Assert.assertEquals("bPK target not match", "urn:publicid:gv.at:cdid+XX", pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier()); + Assert.assertEquals("wrong transactionId", "transId_11223344556677aabbcc", + pendingReq.getUniqueTransactionIdentifier()); + + } + + @Test + public void transactionIdWrongPendingReqType() throws AuthnRequestValidatorException, ParserConfigurationException, + SAXException, IOException, UnmarshallingException { + + Map spConfig = new HashMap<>(); + spConfig.put(EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER, RandomStringUtils.randomAlphabetic(10)); + + TestRequestImpl pendingReqLocal = new TestRequestImpl(); + pendingReqLocal.setPendingReqId(RandomStringUtils.randomAlphanumeric(10)); + pendingReqLocal.setSpConfig(new ServiceProviderConfiguration(spConfig, basicConfig)); + + AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_3.xml"); + + //test + authRequestValidator.process(httpReq, pendingReqLocal, authReq, null); + + //validate + Assert.assertNull("wrong transactionId", pendingReqLocal.getUniqueTransactionIdentifier()); + } @Test @@ -214,7 +248,7 @@ public class AuthnRequestValidatorTest { } catch (AuthnRequestValidatorException e) { Assert.assertEquals("Wrong errorCode", "pvp2.22", e.getErrorId()); - + } } diff --git a/connector/src/test/resources/config/junit_config_1.properties b/connector/src/test/resources/config/junit_config_1.properties index f498cac4..3350f947 100644 --- a/connector/src/test/resources/config/junit_config_1.properties +++ b/connector/src/test/resources/config/junit_config_1.properties @@ -1,5 +1,5 @@ ## Basic service configuration -eidas.ms.context.url.prefix= +eidas.ms.context.url.prefix=http://localhost eidas.ms.context.url.request.validation=false eidas.ms.context.use.clustermode=true diff --git a/connector/src/test/resources/data/pvp2_authn_2.xml b/connector/src/test/resources/data/pvp2_authn_2.xml index 5f21af05..dbf46622 100644 --- a/connector/src/test/resources/data/pvp2_authn_2.xml +++ b/connector/src/test/resources/data/pvp2_authn_2.xml @@ -28,6 +28,10 @@ urn:publicid:gv.at:cdid+BF + + transId_11223344556677aabbcc + transId_second + diff --git a/connector/src/test/resources/data/pvp2_authn_3.xml b/connector/src/test/resources/data/pvp2_authn_3.xml index bf356da7..35e49b0f 100644 --- a/connector/src/test/resources/data/pvp2_authn_3.xml +++ b/connector/src/test/resources/data/pvp2_authn_3.xml @@ -28,6 +28,9 @@ urn:publicid:gv.at:cdid+XX + + transId_11223344556677aabbcc + -- cgit v1.2.3