From 1bb05a848206fb1e3bd77b744068c1ee5b344d73 Mon Sep 17 00:00:00 2001
From: Christian Kollmann <christian.kollmann@a-sit.at>
Date: Thu, 4 Mar 2021 16:02:22 +0100
Subject: Prevent SZRClient from creating ERnP entry if person does not exist

---
 .../modules/auth/eidas/v2/szr/SzrClient.java       | 60 +++++++++++-----------
 1 file changed, 30 insertions(+), 30 deletions(-)

(limited to 'eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas')

diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
index dc6df967..5bad738b 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java
@@ -27,6 +27,7 @@ import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.net.URL;
+import java.nio.charset.StandardCharsets;
 import java.security.KeyManagementException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
@@ -34,7 +35,7 @@ import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.security.UnrecoverableKeyException;
 import java.util.ArrayList;
-import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -117,6 +118,7 @@ public class SzrClient {
   private static final String JOSE_HEADER_USERCERTPINNING_EIDASBIND = "urn:at.gv.eid:eidasBind";
   public static final String ATTR_NAME_MDS = "urn:eidgvat:mds";
 
+  @SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection")
   @Autowired
   private IConfiguration basicConfig;
 
@@ -126,10 +128,6 @@ public class SzrClient {
   // RAW client is needed for identitylink
   private Dispatch<Source> dispatch = null;
 
-  private SzrService szrService = null;
-  private String szrUrl = null;
-  private QName qname = null;
-
   final ObjectMapper mapper = new ObjectMapper();
 
   /**
@@ -164,7 +162,7 @@ public class SzrClient {
           .createUnmarshaller().unmarshal(new ByteArrayInputStream(szrResponse));
 
       // build response
-      log.trace(new String(szrResponse, "UTF-8"));
+      log.trace(new String(szrResponse, StandardCharsets.UTF_8));
 
       // ok, we have success
       final Document doc = DomUtils.parseDocument(
@@ -223,7 +221,11 @@ public class SzrClient {
   }
 
   /**
-   * Request a encryped baseId from SRZ.
+   * Request a encrypted baseId from SZR.
+   *
+   * <b>Note</b>: Previously, this method did create a new ERnP entry, if it did not exist. This is
+   * <b>not</b> the case any more. See
+   * {@link at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.CreateNewErnpEntryTask} for that functionality.
    *
    * @param personInfo Minimum dataset of person
    * @return encrypted baseId
@@ -234,10 +236,7 @@ public class SzrClient {
 
     final String resp;
     try {
-      //TODO wirklich immer "insertERnP=true"?
-      // wenn insertErnP=false dann returns vsz oder fehler
-      // wenn insertErnp = true dann returns vsz, ggf vom neuen Eintrag
-      resp = this.szr.getStammzahlEncrypted(personInfo, true);
+      resp = this.szr.getStammzahlEncrypted(personInfo, false);
     } catch (SZRException_Exception e) {
       throw new SzrCommunicationException("ernb.02", new Object[]{e.getMessage()}, e);
     }
@@ -253,8 +252,8 @@ public class SzrClient {
   /**
    * Sign an eidasBind data-structure that combines vsz with user's pubKey and E-ID status.
    *
-   * @param vsz encryped baseId
-   * @param bindingPubKey  binding PublikKey as PKCS1# (ASN.1) container
+   * @param vsz encrypted baseId
+   * @param bindingPubKey  binding PublicKey as PKCS1# (ASN.1) container
    * @param eidStatus Status of the E-ID
    * @param eidData eID information that was used for ERnP registration
    * @return bPK for this person
@@ -266,7 +265,7 @@ public class SzrClient {
     final Map<String, Object> eidsaBindMap = new HashMap<>();
     eidsaBindMap.put(ATTR_NAME_VSZ, vsz);
     eidsaBindMap.put(ATTR_NAME_STATUS, eidStatus);
-    eidsaBindMap.put(ATTR_NAME_PUBKEYS, Arrays.asList(bindingPubKey));
+    eidsaBindMap.put(ATTR_NAME_PUBKEYS, Collections.singletonList(bindingPubKey));
     eidsaBindMap.put(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, eidData.getCitizenCountryCode());
     injectMdsIfAvailableAndActive(eidsaBindMap, eidData);
 
@@ -296,7 +295,7 @@ public class SzrClient {
       return resp.getOut().get(0).getValue();
 
     } catch (final JsonProcessingException | SZRException_Exception e) {
-      log.warn("Requesting bcBind by using SZR FAILED. Reason: {}", e.getMessage(), null, e);
+      log.warn("Requesting bcBind by using SZR FAILED.", e);
       throw new SzrCommunicationException("ernb.02",
           new Object[]{e.getMessage()}, e);
     }
@@ -311,6 +310,9 @@ public class SzrClient {
         Constants.CONIG_PROPS_EIDAS_SZRCLIENT_USETESTSERVICE,
         true);
 
+    SzrService szrService;
+    QName qname;
+    String szrUrl;
     if (useTestSzr) {
       log.debug("Initializing SZR test environment configuration.");
       qname = SzrService.SZRTestumgebung;
@@ -350,20 +352,20 @@ public class SzrClient {
 
     // inject handler
     log.info("Use SZR service-URL: " + szrUrl);
-    injectBindingProvider((BindingProvider) szr, CLIENT_DEFAULT);
-    injectBindingProvider(dispatch, CLIENT_RAW);
+    injectBindingProvider((BindingProvider) szr, CLIENT_DEFAULT, szrUrl);
+    injectBindingProvider(dispatch, CLIENT_RAW, szrUrl);
 
     // inject http parameters and SSL context
     log.debug("Inject HTTP client settings ... ");
-    injectHttpClient(szr, CLIENT_DEFAULT);
-    injectHttpClient(dispatch, CLIENT_RAW);
+    injectHttpClient(szr, CLIENT_DEFAULT, szrUrl);
+    injectHttpClient(dispatch, CLIENT_RAW, szrUrl);
 
     log.info("SZR-Client initialization successfull");
   }
 
-  private void injectHttpClient(Object raw, String clientType) {
+  private void injectHttpClient(Object raw, String clientType, String szrUrl) {
     // extract client from implementation
-    Client client = null;
+    Client client;
     if (raw instanceof DispatchImpl<?>) {
       client = ((DispatchImpl<?>) raw).getClient();
     } else if (raw instanceof Client) {
@@ -378,14 +380,12 @@ public class SzrClient {
 
     // set timeout policy
     final HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
-    httpClientPolicy.setConnectionTimeout(
-        Integer.parseInt(basicConfig.getBasicConfiguration(
-            Constants.CONIG_PROPS_EIDAS_SZRCLIENT_TIMEOUT_CONNECTION,
-            Constants.HTTP_CLIENT_DEFAULT_TIMEOUT_CONNECTION)) * 1000);
-    httpClientPolicy.setReceiveTimeout(
-        Integer.parseInt(basicConfig.getBasicConfiguration(
-            Constants.CONIG_PROPS_EIDAS_SZRCLIENT_TIMEOUT_RESPONSE,
-            Constants.HTTP_CLIENT_DEFAULT_TIMEOUT_RESPONSE)) * 1000);
+    String connectionTimeout = basicConfig.getBasicConfiguration(
+        Constants.CONIG_PROPS_EIDAS_SZRCLIENT_TIMEOUT_CONNECTION, Constants.HTTP_CLIENT_DEFAULT_TIMEOUT_CONNECTION);
+    httpClientPolicy.setConnectionTimeout(Integer.parseInt(connectionTimeout) * 1000L);
+    String responseTimeout = basicConfig.getBasicConfiguration(
+        Constants.CONIG_PROPS_EIDAS_SZRCLIENT_TIMEOUT_RESPONSE, Constants.HTTP_CLIENT_DEFAULT_TIMEOUT_RESPONSE);
+    httpClientPolicy.setReceiveTimeout(Integer.parseInt(responseTimeout) * 1000L);
     http.setClient(httpClientPolicy);
 
     // inject SSL context in case of https
@@ -400,7 +400,7 @@ public class SzrClient {
 
   }
 
-  private void injectBindingProvider(BindingProvider bindingProvider, String clientType) {
+  private void injectBindingProvider(BindingProvider bindingProvider, String clientType, String szrUrl) {
     final Map<String, Object> requestContext = bindingProvider.getRequestContext();
     requestContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, szrUrl);
 
-- 
cgit v1.2.3