From 17ed45c5d47d8b23a36c0088c2922c0f0fefe234 Mon Sep 17 00:00:00 2001 From: Alexander Marsalek Date: Fri, 29 Jan 2021 09:37:44 +0100 Subject: fixed package name, added JCE --- .../AhExtendedPvpAttributeDefinitions.java | 24 -- .../v2/idAustriaClient/AuthHandlerConstants.java | 141 ------ .../v2/idAustriaClient/IAhSpConfiguration.java | 151 ------- .../IdAustriaClientAuthConstants.java | 166 -------- .../IdAustriaClientAuthCredentialProvider.java | 130 ------ .../IdAustriaClientAuthMetadataConfiguration.java | 471 --------------------- .../IdAustriaClientAuthMetadataController.java | 149 ------- .../IdAustriaClientAuthMetadataProvider.java | 169 -------- ...striaClientAuthRequestBuilderConfiguration.java | 300 ------------- .../AhAuthProcessDataConstants.java | 9 + .../idaustriaclient/AhAuthProcessDataWrapper.java | 224 ++++++++++ .../AhExtendedPvpAttributeDefinitions.java | 24 ++ .../v2/idaustriaclient/AuthHandlerConstants.java | 141 ++++++ .../idaustriaclient/EidasAuthEventConstants.java | 10 + .../v2/idaustriaclient/IAhAuthProcessData.java | 190 +++++++++ .../v2/idaustriaclient/IAhSpConfiguration.java | 151 +++++++ .../eidas/v2/idaustriaclient/IRawMandateDao.java | 32 ++ .../eidas/v2/idaustriaclient/ISignedMandate.java | 19 + .../IdAustriaClientAuthConstants.java | 166 ++++++++ .../IdAustriaClientAuthCredentialProvider.java | 130 ++++++ .../IdAustriaClientAuthMetadataConfiguration.java | 471 +++++++++++++++++++++ .../IdAustriaClientAuthMetadataController.java | 149 +++++++ .../IdAustriaClientAuthMetadataProvider.java | 169 ++++++++ ...striaClientAuthRequestBuilderConfiguration.java | 300 +++++++++++++ .../eidas/v2/idaustriaclient/MisException.java | 17 + .../GenerateMobilePhoneSignatureRequestTask.java | 16 +- ...eSignatureResponseAndSearchInRegistersTask.java | 342 +++++++++++++++ 27 files changed, 2549 insertions(+), 1712 deletions(-) delete mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/AhExtendedPvpAttributeDefinitions.java delete mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/AuthHandlerConstants.java delete mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IAhSpConfiguration.java delete mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthConstants.java delete mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthCredentialProvider.java delete mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthMetadataConfiguration.java delete mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthMetadataController.java delete mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthMetadataProvider.java delete mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthRequestBuilderConfiguration.java create mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/AhAuthProcessDataConstants.java create mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/AhAuthProcessDataWrapper.java create mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/AhExtendedPvpAttributeDefinitions.java create mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/AuthHandlerConstants.java create mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/EidasAuthEventConstants.java create mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IAhAuthProcessData.java create mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IAhSpConfiguration.java create mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IRawMandateDao.java create mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/ISignedMandate.java create mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthConstants.java create mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthCredentialProvider.java create mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthMetadataConfiguration.java create mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthMetadataController.java create mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthMetadataProvider.java create mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthRequestBuilderConfiguration.java create mode 100644 eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/MisException.java (limited to 'eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus') diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/AhExtendedPvpAttributeDefinitions.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/AhExtendedPvpAttributeDefinitions.java deleted file mode 100644 index 8dea6df3..00000000 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/AhExtendedPvpAttributeDefinitions.java +++ /dev/null @@ -1,24 +0,0 @@ -package at.asitplus.eidas.specific.modules.auth.eidas.v2.idAustriaClient; - -import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions; - -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -public class AhExtendedPvpAttributeDefinitions implements ExtendedPvpAttributeDefinitions { - private static final Logger log = - LoggerFactory.getLogger(AhExtendedPvpAttributeDefinitions.class); - - private AhExtendedPvpAttributeDefinitions() { - log.trace("Instance class: {} for SonarQube", - AhExtendedPvpAttributeDefinitions.class.getName()); - - } - - public static final String EID_BCBIND_NAME = "urn:eidgvat:attributes.bcbind"; - public static final String EID_BCBIND_FRIENDLY_NAME = "bcBind"; - - public static final String EID_BINDING_PUBKEY_NAME = "urn:eidgvat:attributes.binding.pubkey"; - public static final String EID_BINDING_PUBKEY_FRIENDLY_NAME = "BindingPubKey"; - -} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/AuthHandlerConstants.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/AuthHandlerConstants.java deleted file mode 100644 index 9c6929c2..00000000 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/AuthHandlerConstants.java +++ /dev/null @@ -1,141 +0,0 @@ -package at.asitplus.eidas.specific.modules.auth.eidas.v2.idAustriaClient; - - -public class AuthHandlerConstants { - - private AuthHandlerConstants() { - - } - - // TODO: maybe update to another target - public static final String DEFAULT_INTERNAL_BPK_TARGET = "urn:publicid:gv.at:cdid+ZP-MH"; - - // configuration parameters - public static final String PROP_CONFIG_APPLICATION_PREFIX = "authhandler."; - public static final String PROP_CONFIG_APPLICATION_PUBLIC_URL_PREFIX = "core.context.url.prefix"; - public static final String PROP_CONFIG_APPLICATION_PUBLIC_URL_REQUEST_VALIDATION = - "core.context.url.request.validation"; - public static final String PROP_CONFIG_LEGACY_ALLOW = "core.legacy.allowLegacyMode"; - - public static final String PROP_CONFIG_WEBCONTENT_STATIC_PATH = - "core.webcontent.static.directory"; - public static final String PROP_CONFIG_WEBCONTENT_TEMPLATES_PATH = "core.webcontent.templates"; - public static final String PROP_CONFIG_WEBCONTENT_PROPERTIES_PATH = "core.webcontent.properties"; - - public static final String PROP_CONFIG_CACHE_TRANSACTIONS_NAME = "core.cache.transaction.name"; - public static final String PROP_CONFIG_CACHE_TRANSACTIONS_ENC_ENABLED = - "core.cache.transaction.encryption.enabled"; - public static final String PROP_CONFIG_CACHE_TRANSACTIONS_ENC_KEY_TYPE = - "core.cache.transaction.encryption.type"; - public static final String PROP_CONFIG_CACHE_TRANSACTIONS_ENC_PASSPHRASE = - "core.cache.transaction.encryption.passphrase"; - public static final String PROP_CONFIG_CACHE_TRANSACTIONS_ENC_SALT = - "core.cache.transaction.encryption.salt"; - public static final String PROP_CONFIG_CACHE_TRANSACTIONS_ENC_KEYSTORE_NAME = - "core.cache.transaction.encryption.keystore.name"; - public static final String PROP_CONFIG_CACHE_TRANSACTIONS_ENC_KEY_ALIAS = - "core.cache.transaction.encryption.key.alias"; - - public static final String PROP_CONFIG_CACHE_ATTRIBUTEPROXY_NAME = - "core.cache.attributeproxy.name"; - - public static final String PROP_CONFIG_BACKEND_ENDPOINT_GETALLSUPPORTEDATTRIBUTES = - "backend.endpoints.getallsupportedattributes"; - public static final String PROP_CONFIG_BACKEND_ENDPOINT_GETAPPLICATIONCONFIGURATION = - "backend.endpoints.getapplicationconfiguration"; - - public static final String PROP_CONFIG_INTERNAL_BPK_TARGET = "core.internal.bpk.target"; - - public static final String PROP_CONFIG_INTERNAL_FRONTEND_ONLY_MODE = "core.internal.frontend.only.mode"; - public static final boolean PROP_DEFAULT_CONFIG_INTERNAL_FRONTEND_ONLY_MODE = false; - - // Servlet End-Points - public static final String ENDPOINT_PROCESSENGINE_CONTROLLER = "/api/process"; - public static final String ENDPOINT_ERROR_IFRAME_HOPPING = "/error/parenthop"; - - - // GUI template directories - public static final String CLASSPATH_TEMPLATE_DIR = "/templates/"; - public static final String FILESYSTEM_TEMPLATE_DIR = "./templates/"; - public static final String TEMPLATE_HTML_ERROR = "error_message.html"; - - // GUI template defaultfiles - public static final String TEMPLATE_AUTHPROCESS_SELECTION_VDA_FULLFRAME = "authSelection.html"; - public static final String TEMPLATE_AUTHPROCESS_SELECTION_VDA_IFRAME = "authSelection_iframe.html"; - public static final String TEMPLATE_USER_CONSENT_REQUEST = "userConsent.html"; - public static final String TEMPLATE_IFRAME_TO_PARENT_HOPE = "iframe_parent_hope.html"; - public static final String TEMPLATE_MANDATE_SELECTION = "mandateSelection.html"; - public static final String TEMPLATE_PROF_REP_MANDATE_SELECTION = "profRepMandateSelection.html"; - public static final String TEMPLATE_MANDATE_SELECTION_DUMMY = "mandateSelection_dummy.html"; - - - - // http request parameters - public static final String HTTP_PARAM_APPLICATION_ID = "appId"; - public static final String HTTP_PARAM_STOP_PROCESS = "stopAuthProcess"; - public static final String HTTP_PARAM_EIDAS_PROCESS = "useeIDAS"; - public static final String HTTP_PARAM_EID_PROCESS = "useeID"; - public static final String HTTP_PARAM_EID_BINDING_AUTH_PROCESS = "useBindingAuth"; - public static final String HTTP_PARAM_USE_MANDATES = "useMandate"; - public static final String HTTP_PARAM_AUTHMETHOD = "authMethod"; - public static final String HTTP_PARAM_CONSENT_RELEASE_ATTRIBUTES = "releaseAttributes"; - public static final String HTTP_PARAM_CONSENT_STORE_CONSENT = "storeConsent"; - - @Deprecated - public static final String HTTP_PARAM_EIDMIGRATIONPILOT_PROCESS = "pilotMigration"; - @Deprecated - public static final String HTTP_PARAM_EIDMIGRATIONPILOT_SHOW_INFO_PAGE = "pilotMigrationInfoPage"; - @Deprecated - public static final String HTTP_PARAM_MOBILESIGNATURE_PROCESS = "usemobileSig"; - - // UI options - public static final String UI_PARAM_USE_MANDATES = HTTP_PARAM_USE_MANDATES; - public static final String UI_PARAM_USE_ONLY_MANDATES = "useOnlyMandate"; - public static final String UI_PARAM_USE_EIDAS = HTTP_PARAM_EIDAS_PROCESS; - public static final String UI_PARAM_DSGVO_SHORT_INFO = "dsgvoShortText"; - public static final String UI_PARAM_DSGVO_SP_PRIVACY_STATEMENT_URL = "dsgvoPrivacyStatementUrl"; - public static final String UI_PARAM_DSGVO_SP_SERVICE_URL = "dsgvoServiceUrl"; - public static final String UI_PARAM_DSGVO_SP_LOGO = "dsgvoSpLogo"; - public static final String UI_PARAM_DSGVO_SP_LOGO_SET = "dsgvoSpLogoSet"; - public static final String UI_PARAM_DSGVO_SP_LOGO_SET_DATAURL = "dataUrl"; - public static final String UI_PARAM_DSGVO_SP_LOGO_SET_THEME = "theme"; - public static final String UI_PARAM_DSGVO_SP_LOGO_SET_RESOLUTION = "resolution"; - public static final String UI_PARAM_DSGVO_SP_LOGO_SET_TYPE = "type"; - - public enum LogoType { SVG, PNG, UNKNOWN } - - public enum AuthBlockType { - CADES("CAdES"), JWS("JWS"), NONE("none"); - - private final String internalType; - - AuthBlockType(final String type) { - this.internalType = type; - - } - - /** - * Get Type identifier for this AuthBlock. - * - * @return - */ - public String getAuthBlockType() { - return this.internalType; - } - - @Override - public String toString() { - return getAuthBlockType(); - - } - } - - // process context parameters - public static final String PROCESSCONTEXT_USERCONSENT_NEEDED = "userConsentNeeded"; - public static final String PROCESSCONTEXT_AUTHPROCESSSELECTION_DONE = "authProcSelectDone"; - public static final String PROCESSCONTEXT_SWITCH_LANGUAGE = "changeLanguage"; - public static final String PROCESSCONTEXT_IFRAME_PARENT_NEEDED = "iframeParentNeeded"; - - public static final String PROCESSCONTEXT_WAS_EID_PROCESS = "wasEidProcess"; - -} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IAhSpConfiguration.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IAhSpConfiguration.java deleted file mode 100644 index 2a54f541..00000000 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IAhSpConfiguration.java +++ /dev/null @@ -1,151 +0,0 @@ -package at.asitplus.eidas.specific.modules.auth.eidas.v2.idAustriaClient; - -import java.util.List; - -import javax.annotation.Nonnull; -import javax.annotation.Nullable; - -import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; -import at.gv.egiz.eaaf.core.impl.data.Pair; - -public interface IAhSpConfiguration extends ISpConfiguration { - - - /** - * Flag if this Service Provider is enabled. - * - * @return true if the SP is enabled, otherwise false - */ - boolean isEnabled(); - - /** - * Get unique identifier that is used in Application-Register from BM.I. - * - *

If no BM.I specific identifier is available then this method returns - * the same identifier as getUniqueIdentifier()

- * - * @return unique identifier from BM.I AppReg, or generic uniqueId of no specific exists - */ - String getUniqueApplicationRegisterIdentifier(); - - /** - * Flag that marks this Service-Provider as public or private. - * - *

Default: If it is not set or has an unknown value, its private by default

- * - * @return true if it is from public, otherwise false - */ - boolean isPublicServiceProvider(); - - /** - * Enable test identities for this Service Provider. - * - * @return true if test identities are allowed, otherwise false - */ - boolean isTestCredentialEnabled(); - - /** - * Get a List of OID's that refine the set of allowed test identities. - * - * @return @link {@link List} of test-identity OID's - */ - @Nullable - List getTestCredentialOids(); - - - /** - * Get a List of unique attribute URI's that are required by this SP. - * - * @return {@link List} of attribute URI's / parameter {@link Pair}s - */ - List> getRequiredAttributes(); - - - /** - * Get the CountryCode for this service.
- *
- * Default: AT - * - * @return - */ - String getCountryCode(); - - /** - * Set the CountryCode for this service. If not countryCode is set, AT is used as default. - * - * @param cc Service-Provider country-code - */ - void setCountryCode(String cc); - - /** - * Enable mandates for this service provider. - * - * @return true if mandates are enabled, otherwise false - */ - boolean isMandateEnabled(); - - /** - * Enables multi-mandates for this service-provider. - * - * @return true if multi-mandates are enabled, otherwise false - */ - boolean isMultiMandateEnabled(); - - /** - * Only mandates are allowed for this service provider. - * - * @return true if only mandates are allowed, otherwise false - */ - boolean isOnlyMandateEnabled(); - - /** - * Get a {@link List} of mandate profiles that are supported by this Service provider. - * - * @return - */ - @Nonnull List getMandateProfiles(); - - - /** - * eIDAS authentication allowed flag. - * - * @return true if eIDAS authentication is enabled, otherwise false - */ - boolean isEidasEnabled(); - - /** - * Get a List of targets for additional bPKs that are required by this service provider. - * - * @return List of prefixed bPK targets - */ - @Nonnull List getAdditionalBpkTargets(); - - /** - * Get a list of foreign bPK targets that are required by this service provider. - * - * @return List of pairs with prefixed bPK targets as first element and VKZ as second element - */ - @Nonnull List> getAdditionalForeignBpkTargets(); - - /** - * Flag that indicates that service-provider as restricted or unrestricted. - * - *

A restricted service-provider can only used by test-identities that contains a - * valid application-restriction in User-Certificate Pinning

- * - *

Default: true

- * - * @return true if it is restricted, otherwise false - */ - boolean isRestrictedServiceProvider(); - - - /** - * Defines the time in minutes how long the last VDA registration h@Override - ave passed as maximum. - * - * @return time in minutes - */ - long lastVdaAuthenticationDelay(); - -} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthConstants.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthConstants.java deleted file mode 100644 index 22910614..00000000 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthConstants.java +++ /dev/null @@ -1,166 +0,0 @@ -package at.asitplus.eidas.specific.modules.auth.eidas.v2.idAustriaClient; - - -import at.gv.egiz.eaaf.core.api.data.EaafConstants; -import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions; -import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; -import at.gv.egiz.eaaf.core.impl.data.Triple; - -import java.util.ArrayList; -import java.util.Collections; -import java.util.List; - - -public class IdAustriaClientAuthConstants { - - private IdAustriaClientAuthConstants() { - - } - - public static final String SAML2_STATUSCODE_USERSTOP = "1005"; - - public static final String MODULE_NAME_FOR_LOGGING = "ID Austria Client"; - - public static final int METADATA_VALIDUNTIL_IN_HOURS = 24; - - // public static final String HTTP_PARAM_CENTRAL_EIDAS_AUTH_SELECTION = - // AuthHandlerConstants.HTTP_PARAM_EIDAS_PROCESS; - - public static final String ENDPOINT_POST = "/idAustriaSp/post"; - public static final String ENDPOINT_REDIRECT = "/idAustriaSp/redirect"; - public static final String ENDPOINT_METADATA = "/idAustriaSp/metadata"; - - public static final String CONFIG_PROPS_PREFIX = "modules.idaustriaclient."; - public static final String CONFIG_PROPS_KEYSTORE_TYPE = CONFIG_PROPS_PREFIX + "keystore.type"; - public static final String CONFIG_PROPS_KEYSTORE_NAME = CONFIG_PROPS_PREFIX + "keystore.name"; - public static final String CONFIG_PROPS_KEYSTORE_PATH = CONFIG_PROPS_PREFIX + "keystore.path"; - public static final String CONFIG_PROPS_KEYSTORE_PASSWORD = CONFIG_PROPS_PREFIX + "keystore.password"; - public static final String CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD = CONFIG_PROPS_PREFIX - + "metadata.sign.password"; - public static final String CONFIG_PROPS_SIGN_METADATA_ALIAS = CONFIG_PROPS_PREFIX - + "metadata.sign.alias"; - public static final String CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD = CONFIG_PROPS_PREFIX - + "request.sign.password"; - public static final String CONFIG_PROPS_SIGN_SIGNING_ALIAS = CONFIG_PROPS_PREFIX - + "request.sign.alias"; - public static final String CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD = CONFIG_PROPS_PREFIX - + "response.encryption.password"; - public static final String CONFIG_PROPS_ENCRYPTION_ALIAS = CONFIG_PROPS_PREFIX - + "response.encryption.alias"; - - public static final String CONFIG_PROPS_TRUSTSTORE_TYPE = CONFIG_PROPS_PREFIX + "truststore.type"; - public static final String CONFIG_PROPS_TRUSTSTORE_NAME = CONFIG_PROPS_PREFIX + "truststore.name"; - public static final String CONFIG_PROPS_TRUSTSTORE_PATH = CONFIG_PROPS_PREFIX + "truststore.path"; - public static final String CONFIG_PROPS_TRUSTSTORE_PASSWORD = CONFIG_PROPS_PREFIX + "truststore.password"; - - public static final String CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST = CONFIG_PROPS_PREFIX - + "required.additional.attributes"; - public static final String CONFIG_PROPS_REQUIRED_LOA = CONFIG_PROPS_PREFIX - + "required.loa"; - public static final String CONFIG_PROPS_NODE_ENTITYID = CONFIG_PROPS_PREFIX + "node.entityId"; - public static final String CONFIG_PROPS_NODE_METADATAURL = CONFIG_PROPS_PREFIX + "node.metadataUrl"; - public static final String CONFIG_PROPS_NODE_TRUSTPROFILEID = CONFIG_PROPS_PREFIX + "node.trustprofileID"; - - - public static final String CONFIG_PROPS_METADATA_CONTACT_GIVENNAME = - CONFIG_PROPS_PREFIX + "metadata.contact.givenname"; - public static final String CONFIG_PROPS_METADATA_CONTACT_SURNAME = - CONFIG_PROPS_PREFIX + "metadata.contact.surname"; - public static final String CONFIG_PROPS_METADATA_CONTACT_EMAIL = - CONFIG_PROPS_PREFIX + "metadata.contact.email"; - public static final String CONFIG_PROPS_METADATA_ORGANISATION_NAME = - CONFIG_PROPS_PREFIX + "metadata.organisation.name"; - public static final String CONFIG_PROPS_METADATA_ORGANISATION_FRIENDLYNAME = - CONFIG_PROPS_PREFIX + "metadata.organisation.friendyname"; - public static final String CONFIG_PROPS_METADATA_ORGANISATION_URL = - CONFIG_PROPS_PREFIX + "metadata.organisation.url"; - - public static final String CONFIG_PROPS_APPSPECIFIC_EIDAS_NODE_URL = "auth.eidas.node.entityId"; - - public static final String CONFIG_PROPS_SEMPER_MANDATES_ACTIVE = CONFIG_PROPS_PREFIX - + "semper.mandates.active"; - public static final String CONFIG_PROPS_SEMPER_MANDATES_MS_PROXY_LIST = CONFIG_PROPS_PREFIX - + "semper.msproxy.list"; - - public static final String CONFIG_DEFAULT_LOA_EIDAS_LEVEL = EaafConstants.EIDAS_LOA_HIGH; - - @Deprecated - public static final List> DEFAULT_REQUIRED_PVP_ATTRIBUTES_WITHOUT_EID = - Collections.unmodifiableList(new ArrayList>() { - private static final long serialVersionUID = 1L; - { - // add PVP Version attribute - add(Triple.newInstance(PvpAttributeDefinitions.PVP_VERSION_NAME, - PvpAttributeDefinitions.PVP_VERSION_FRIENDLY_NAME, true)); - - // request entity information - add(Triple.newInstance(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME, - PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, false)); - add(Triple.newInstance(PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME, - PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_FRIENDLY_NAME, true)); - add(Triple.newInstance(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, - PvpAttributeDefinitions.EID_ISSUING_NATION_FRIENDLY_NAME, true)); - - // entity eID information - add(Triple.newInstance(AhExtendedPvpAttributeDefinitions.EID_EIDBIND_NAME, - AhExtendedPvpAttributeDefinitions.EID_EIDBIND_FRIENDLY_NAME, false)); - add(Triple.newInstance(AhExtendedPvpAttributeDefinitions.EID_AUTHBLOCK_SIGNED_NAME, - AhExtendedPvpAttributeDefinitions.EID_AUTHBLOCK_SIGNED_FRIENDLY_NAME, false)); - - // Deprecated information - add(Triple.newInstance(PvpAttributeDefinitions.GIVEN_NAME_NAME, - PvpAttributeDefinitions.GIVEN_NAME_FRIENDLY_NAME, false)); - add(Triple.newInstance(PvpAttributeDefinitions.PRINCIPAL_NAME_NAME, - PvpAttributeDefinitions.PRINCIPAL_NAME_FRIENDLY_NAME, false)); - add(Triple.newInstance(PvpAttributeDefinitions.BIRTHDATE_NAME, - PvpAttributeDefinitions.BIRTHDATE_FRIENDLY_NAME, false)); - add(Triple.newInstance(PvpAttributeDefinitions.BPK_NAME, PvpAttributeDefinitions.BPK_FRIENDLY_NAME, - false)); - add(Triple.newInstance(PvpAttributeDefinitions.EID_IDENTITY_LINK_NAME, - PvpAttributeDefinitions.EID_IDENTITY_LINK_FRIENDLY_NAME, false)); - - //request pII transactionId from MS-Connector - add(Triple.newInstance(ExtendedPvpAttributeDefinitions.EID_PII_TRANSACTION_ID_NAME, - ExtendedPvpAttributeDefinitions.EID_PII_TRANSACTION_ID_FRIENDLY_NAME, false)); - - } - }); - - public static final List> DEFAULT_REQUIRED_PVP_ATTRIBUTES = - Collections.unmodifiableList(new ArrayList>() { - private static final long serialVersionUID = 1L; - { - // add PVP Version attribute - add(Triple.newInstance(PvpAttributeDefinitions.PVP_VERSION_NAME, - PvpAttributeDefinitions.PVP_VERSION_FRIENDLY_NAME, true)); - - // entity metadata information - add(Triple.newInstance(PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME, - PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_FRIENDLY_NAME, true)); - add(Triple.newInstance(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, - PvpAttributeDefinitions.EID_ISSUING_NATION_FRIENDLY_NAME, true)); - - // entity eID information - add(Triple.newInstance(AhExtendedPvpAttributeDefinitions.EID_EIDBIND_NAME, - AhExtendedPvpAttributeDefinitions.EID_EIDBIND_FRIENDLY_NAME, true)); - add(Triple.newInstance(AhExtendedPvpAttributeDefinitions.EID_AUTHBLOCK_SIGNED_NAME, - AhExtendedPvpAttributeDefinitions.EID_AUTHBLOCK_SIGNED_FRIENDLY_NAME, true)); - - //request pII transactionId from MS-Connector - add(Triple.newInstance(ExtendedPvpAttributeDefinitions.EID_PII_TRANSACTION_ID_NAME, - ExtendedPvpAttributeDefinitions.EID_PII_TRANSACTION_ID_FRIENDLY_NAME, false)); - - } - }); - - public static final List DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES = - Collections.unmodifiableList(new ArrayList() { - private static final long serialVersionUID = 1L; - { - for (final Triple el : DEFAULT_REQUIRED_PVP_ATTRIBUTES) { - add(el.getFirst()); - } - } - }); - -} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthCredentialProvider.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthCredentialProvider.java deleted file mode 100644 index 1aa85e71..00000000 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthCredentialProvider.java +++ /dev/null @@ -1,130 +0,0 @@ -package at.asitplus.eidas.specific.modules.auth.eidas.v2.idAustriaClient; - -import at.gv.egiz.eaaf.core.api.idp.IConfiguration; -import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; -import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; -import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider; - -import org.springframework.beans.factory.annotation.Autowired; - -/** - * Credential provider for eIDAS PVP S-Profile client. - * - * @author tlenz - * - */ -public class IdAustriaClientAuthCredentialProvider extends AbstractCredentialProvider { - - @Autowired - IConfiguration authConfig; - - private static final String FRIENDLYNAME = "eIDAS centrial authentication"; - - @Override - public KeyStoreConfiguration getBasicKeyStoreConfig() throws EaafConfigurationException { - final KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration(); - keyStoreConfig.setFriendlyName(FRIENDLYNAME); - keyStoreConfig.setKeyStoreType( - authConfig.getBasicConfiguration(IdAustriaClientAuthConstants.CONFIG_PROPS_KEYSTORE_TYPE, - KeyStoreType.PKCS12.getKeyStoreType())); - keyStoreConfig.setKeyStoreName( - authConfig.getBasicConfiguration(IdAustriaClientAuthConstants.CONFIG_PROPS_KEYSTORE_NAME)); - keyStoreConfig.setSoftKeyStoreFilePath(getKeyStoreFilePath()); - keyStoreConfig.setSoftKeyStorePassword( - authConfig.getBasicConfiguration(IdAustriaClientAuthConstants.CONFIG_PROPS_KEYSTORE_PASSWORD)); - - return keyStoreConfig; - - } - - private String getKeyStoreFilePath() throws EaafConfigurationException { - final String path = authConfig.getBasicConfiguration( - IdAustriaClientAuthConstants.CONFIG_PROPS_KEYSTORE_PATH); - if (path == null) { - throw new EaafConfigurationException("module.eidasauth.00", - new Object[] { IdAustriaClientAuthConstants.CONFIG_PROPS_KEYSTORE_PATH }); - - } - return path; - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# - * getMetadataKeyAlias() - */ - @Override - public String getMetadataKeyAlias() { - return authConfig.getBasicConfiguration( - IdAustriaClientAuthConstants.CONFIG_PROPS_SIGN_METADATA_ALIAS); - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# - * getMetadataKeyPassword() - */ - @Override - public String getMetadataKeyPassword() { - return authConfig.getBasicConfiguration( - IdAustriaClientAuthConstants.CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD); - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# - * getSignatureKeyAlias() - */ - @Override - public String getSignatureKeyAlias() { - return authConfig.getBasicConfiguration( - IdAustriaClientAuthConstants.CONFIG_PROPS_SIGN_SIGNING_ALIAS); - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# - * getSignatureKeyPassword() - */ - @Override - public String getSignatureKeyPassword() { - return authConfig.getBasicConfiguration( - IdAustriaClientAuthConstants.CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD); - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# - * getEncryptionKeyAlias() - */ - @Override - public String getEncryptionKeyAlias() { - return authConfig.getBasicConfiguration( - IdAustriaClientAuthConstants.CONFIG_PROPS_ENCRYPTION_ALIAS); - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# - * getEncryptionKeyPassword() - */ - @Override - public String getEncryptionKeyPassword() { - return authConfig.getBasicConfiguration( - IdAustriaClientAuthConstants.CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD); - } - -} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthMetadataConfiguration.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthMetadataConfiguration.java deleted file mode 100644 index 4b5861e9..00000000 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthMetadataConfiguration.java +++ /dev/null @@ -1,471 +0,0 @@ -package at.asitplus.eidas.specific.modules.auth.eidas.v2.idAustriaClient; - - -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Collection; -import java.util.HashMap; -import java.util.List; -import java.util.Map; - -import at.gv.egiz.eaaf.core.exceptions.EaafException; -import at.gv.egiz.eaaf.core.impl.data.Pair; -import at.gv.egiz.eaaf.core.impl.data.Triple; -import at.gv.egiz.eaaf.modules.pvp2.api.IPvp2BasicConfiguration; -import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataBuilderConfiguration; -import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder; - -import org.opensaml.saml.saml2.core.Attribute; -import org.opensaml.saml.saml2.core.NameIDType; -import org.opensaml.saml.saml2.metadata.ContactPerson; -import org.opensaml.saml.saml2.metadata.Organization; -import org.opensaml.saml.saml2.metadata.RequestedAttribute; -import org.opensaml.security.credential.Credential; - -import lombok.extern.slf4j.Slf4j; - -/** - * Configuration object to generate PVP S-Profile metadata for SAML2 client. - * - * @author tlenz - * - */ -@Slf4j -public class IdAustriaClientAuthMetadataConfiguration implements IPvpMetadataBuilderConfiguration { - - private Collection additionalAttributes = null; - - private final String authUrl; - private final IdAustriaClientAuthCredentialProvider credentialProvider; - private final IPvp2BasicConfiguration pvpConfiguration; - - /** - * Configuration object to create PVP2 S-Profile metadata information. - * - * @param authUrl Public URL prefix of the application - * @param credentialProvider Credentials used by PVP2 S-Profile end-point - * @param pvpConfiguration Basic PVP2 S-Profile end-point configuration - */ - public IdAustriaClientAuthMetadataConfiguration(String authUrl, - IdAustriaClientAuthCredentialProvider credentialProvider, - IPvp2BasicConfiguration pvpConfiguration) { - this.authUrl = authUrl; - this.credentialProvider = credentialProvider; - this.pvpConfiguration = pvpConfiguration; - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * getMetadataValidUntil() - */ - @Override - public int getMetadataValidUntil() { - return IdAustriaClientAuthConstants.METADATA_VALIDUNTIL_IN_HOURS; - - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * buildEntitiesDescriptorAsRootElement() - */ - @Override - public boolean buildEntitiesDescriptorAsRootElement() { - return false; - - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * buildIDPSSODescriptor() - */ - @Override - public boolean buildIdpSsoDescriptor() { - return false; - - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * buildSPSSODescriptor() - */ - @Override - public boolean buildSpSsoDescriptor() { - return true; - - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * getEntityIDPostfix() - */ - @Override - public String getEntityID() { - return authUrl + IdAustriaClientAuthConstants.ENDPOINT_METADATA; - - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * getEntityFriendlyName() - */ - @Override - public String getEntityFriendlyName() { - return null; - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * getContactPersonInformation() - */ - @Override - public List getContactPersonInformation() { - try { - return pvpConfiguration.getIdpContacts(); - - } catch (final EaafException e) { - log.warn("Can not load Metadata entry: Contect Person", e); - return null; - - } - - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * getOrgansiationInformation() - */ - @Override - public Organization getOrgansiationInformation() { - try { - return pvpConfiguration.getIdpOrganisation(); - - } catch (final EaafException e) { - log.warn("Can not load Metadata entry: Organisation", e); - return null; - - } - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * getMetadataSigningCredentials() - */ - @Override - public EaafX509Credential getMetadataSigningCredentials() throws CredentialsNotAvailableException { - return credentialProvider.getMetaDataSigningCredential(); - - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * getRequestorResponseSigningCredentials() - */ - @Override - public Credential getRequestorResponseSigningCredentials() throws CredentialsNotAvailableException { - return credentialProvider.getMessageSigningCredential(); - - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * getEncryptionCredentials() - */ - @Override - public Credential getEncryptionCredentials() throws CredentialsNotAvailableException { - return credentialProvider.getMessageEncryptionCredential(); - - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * getIDPWebSSOPostBindingURL() - */ - @Override - public String getIdpWebSsoPostBindingUrl() { - return null; - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * getIDPWebSSORedirectBindingURL() - */ - @Override - public String getIdpWebSsoRedirectBindingUrl() { - return null; - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * getIDPSLOPostBindingURL() - */ - @Override - public String getIdpSloPostBindingUrl() { - return null; - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * getIDPSLORedirectBindingURL() - */ - @Override - public String getIdpSloRedirectBindingUrl() { - return null; - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * getSPAssertionConsumerServicePostBindingURL() - */ - @Override - public String getSpAssertionConsumerServicePostBindingUrl() { - return authUrl + IdAustriaClientAuthConstants.ENDPOINT_POST; - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * getSPAssertionConsumerServiceRedirectBindingURL() - */ - @Override - public String getSpAssertionConsumerServiceRedirectBindingUrl() { - return authUrl + IdAustriaClientAuthConstants.ENDPOINT_REDIRECT; - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * getSPSLOPostBindingURL() - */ - @Override - public String getSpSloPostBindingUrl() { - return null; - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * getSPSLORedirectBindingURL() - */ - @Override - public String getSpSloRedirectBindingUrl() { - return null; - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * getSPSLOSOAPBindingURL() - */ - @Override - public String getSpSloSoapBindingUrl() { - return null; - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * getIDPPossibleAttributes() - */ - @Override - public List getIdpPossibleAttributes() { - return null; - } - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * getIDPPossibleNameITTypes() - */ - @Override - public List getIdpPossibleNameIdTypes() { - return null; - } - - - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * getSPRequiredAttributes() - */ - @Override - public Collection getSpRequiredAttributes() { - final Map requestedAttributes = new HashMap<>(); - - if (pvpConfiguration.getBasicConfiguration().getBasicConfigurationBoolean( - AuthHandlerConstants.PROP_CONFIG_LEGACY_ALLOW, false)) { - log.trace("Build required attributes for legacy operaton ... "); - injectDefinedAttributes(requestedAttributes, - IdAustriaClientAuthConstants.DEFAULT_REQUIRED_PVP_ATTRIBUTES_WITHOUT_EID); - - } else { - log.trace("Build required attributes for E-ID operaton ... "); - injectDefinedAttributes(requestedAttributes, - IdAustriaClientAuthConstants.DEFAULT_REQUIRED_PVP_ATTRIBUTES); - - } - - if (additionalAttributes != null) { - log.trace("Add additional PVP attributes into metadata ... "); - for (final RequestedAttribute el : additionalAttributes) { - if (requestedAttributes.containsKey(el.getName())) { - log.debug("Attribute " + el.getName() - + " is already added by default configuration. Overwrite it by user configuration"); - } - - requestedAttributes.put(el.getName(), el); - - } - } - - return requestedAttributes.values(); - - } - - - - /* - * (non-Javadoc) - * - * @see - * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# - * getSPAllowedNameITTypes() - */ - @Override - public List getSpAllowedNameIdTypes() { - return Arrays.asList(NameIDType.PERSISTENT); - - } - - /* - * (non-Javadoc) - * - * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. - * IPVPMetadataBuilderConfiguration#getSPNameForLogging() - */ - @Override - public String getSpNameForLogging() { - return IdAustriaClientAuthConstants.MODULE_NAME_FOR_LOGGING; - } - - /* - * (non-Javadoc) - * - * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. - * IPVPMetadataBuilderConfiguration#wantAssertionSigned() - */ - @Override - public boolean wantAssertionSigned() { - return false; - } - - /* - * (non-Javadoc) - * - * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. - * IPVPMetadataBuilderConfiguration#wantAuthnRequestSigned() - */ - @Override - public boolean wantAuthnRequestSigned() { - return true; - } - - /** - * Add additonal PVP attributes that are required by this deployment. - * - * @param additionalAttr List of PVP attribute name and isRequired flag - */ - public void setAdditionalRequiredAttributes(List> additionalAttr) { - if (additionalAttr != null && !additionalAttr.isEmpty()) { - additionalAttributes = new ArrayList<>(); - for (final Pair el : additionalAttr) { - final Attribute attributBuilder = PvpAttributeBuilder.buildEmptyAttribute(el.getFirst()); - if (attributBuilder != null) { - additionalAttributes.add( - PvpAttributeBuilder.buildReqAttribute( - attributBuilder.getName(), - attributBuilder.getFriendlyName(), - el.getSecond())); - - } else { - log.info("NO PVP attribute with name: " + el.getFirst()); - } - - } - } - } - - private void injectDefinedAttributes(Map requestedAttributes, - List> attributes) { - for (final Triple el : attributes) { - requestedAttributes.put(el.getFirst(), PvpAttributeBuilder.buildReqAttribute(el.getFirst(), el - .getSecond(), el.getThird())); - - } - } - -} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthMetadataController.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthMetadataController.java deleted file mode 100644 index 87886397..00000000 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthMetadataController.java +++ /dev/null @@ -1,149 +0,0 @@ -package at.asitplus.eidas.specific.modules.auth.eidas.v2.idAustriaClient; - - -import java.io.IOException; -import java.net.MalformedURLException; -import java.net.URL; -import java.util.ArrayList; -import java.util.List; -import java.util.Map; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import at.gv.egiz.eaaf.core.exceptions.EaafAuthenticationException; -import at.gv.egiz.eaaf.core.exceptions.EaafException; -import at.gv.egiz.eaaf.core.impl.data.Pair; -import at.gv.egiz.eaaf.core.impl.http.HttpUtils; -import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController; -import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils; -import at.gv.egiz.eaaf.modules.pvp2.api.IPvp2BasicConfiguration; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpMetadataBuilder; - -import org.apache.commons.lang3.StringUtils; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Controller; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; - -import com.google.common.net.MediaType; -import lombok.extern.slf4j.Slf4j; - -/** - * Controller that generates SAML2 metadata for eIDAS authentication client. - * - * @author tlenz - * - */ -@Slf4j -@Controller -public class IdAustriaClientAuthMetadataController extends AbstractController { - - private static final String ERROR_CODE_INTERNAL_00 = "eaaf.core.00"; - - @Autowired - PvpMetadataBuilder metadatabuilder; - @Autowired - IdAustriaClientAuthCredentialProvider credentialProvider; - @Autowired - IPvp2BasicConfiguration pvpConfiguration; - - /** - * Default construction with logging. - * - */ - public IdAustriaClientAuthMetadataController() { - super(); - log.debug("Registering servlet " + getClass().getName() - + " with mappings '" + IdAustriaClientAuthConstants.ENDPOINT_METADATA - + "'."); - - } - - /** - * End-point that produce PVP2 metadata for eIDAS authentication client. - * - * @param req http Request - * @param resp http Response - * @throws IOException In case of an I/O error - * @throws EaafException In case of a metadata generation error - */ - @RequestMapping(value = IdAustriaClientAuthConstants.ENDPOINT_METADATA, - method = { RequestMethod.GET }) - public void getSpMetadata(HttpServletRequest req, HttpServletResponse resp) throws IOException, - EaafException { - // check PublicURL prefix - try { - final String authUrl = getAuthUrlFromHttpContext(req); - - // initialize metadata builder configuration - final IdAustriaClientAuthMetadataConfiguration metadataConfig = - new IdAustriaClientAuthMetadataConfiguration(authUrl, credentialProvider, pvpConfiguration); - metadataConfig.setAdditionalRequiredAttributes(getAdditonalRequiredAttributes()); - - // build metadata - final String xmlMetadata = metadatabuilder.buildPvpMetadata(metadataConfig); - - // write response - final byte[] content = xmlMetadata.getBytes("UTF-8"); - resp.setStatus(HttpServletResponse.SC_OK); - resp.setContentLength(content.length); - resp.setContentType(MediaType.XML_UTF_8.toString()); - resp.getOutputStream().write(content); - - } catch (final Exception e) { - log.warn("Build federated-authentication PVP metadata FAILED.", e); - protAuthService.handleErrorNoRedirect(e, req, resp, false); - - } - - } - - private String getAuthUrlFromHttpContext(HttpServletRequest req) throws EaafException { - // check if End-Point is valid - final String authUrlString = HttpUtils.extractAuthUrlFromRequest(req); - URL authReqUrl; - try { - authReqUrl = new URL(authUrlString); - - } catch (final MalformedURLException e) { - log.warn("Requested URL: {} is not a valid URL.", authUrlString); - throw new EaafAuthenticationException(ERROR_CODE_INTERNAL_00, new Object[] { authUrlString }, e); - - } - - final String idpAuthUrl = authConfig.validateIdpUrl(authReqUrl); - if (idpAuthUrl == null) { - log.warn("Requested URL: {} is NOT found in configuration.", authReqUrl); - throw new EaafAuthenticationException(ERROR_CODE_INTERNAL_00, new Object[] { authUrlString }); - - } - - return idpAuthUrl; - } - - private List> getAdditonalRequiredAttributes() { - final List> result = new ArrayList<>(); - - // load attributes from configuration - final Map addReqAttributes = authConfig.getBasicConfigurationWithPrefix( - IdAustriaClientAuthConstants.CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST); - for (final String el : addReqAttributes.values()) { - if (StringUtils.isNotEmpty(el)) { - log.trace("Parse additional attr. definition: " + el); - final List attr = KeyValueUtils.getListOfCsvValues(el.trim()); - if (attr.size() == 2) { - result.add(Pair.newInstance(attr.get(0), Boolean.parseBoolean(attr.get(1)))); - - } else { - log.info("IGNORE additional attr. definition: " + el - + " Reason: Format not valid"); - } - } - } - - return result; - - } - -} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthMetadataProvider.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthMetadataProvider.java deleted file mode 100644 index c0bfa290..00000000 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthMetadataProvider.java +++ /dev/null @@ -1,169 +0,0 @@ -package at.asitplus.eidas.specific.modules.auth.eidas.v2.idAustriaClient; - -import java.io.IOException; -import java.security.KeyStore; -import java.security.Provider; -import java.security.cert.CertificateException; -import java.text.MessageFormat; -import java.util.ArrayList; -import java.util.Collections; -import java.util.List; - -import javax.annotation.PostConstruct; - -import at.gv.egiz.eaaf.core.api.idp.IConfiguration; -import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; -import at.gv.egiz.eaaf.core.exceptions.EaafException; -import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; -import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; -import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; -import at.gv.egiz.eaaf.core.impl.data.Pair; -import at.gv.egiz.eaaf.core.impl.http.IHttpClientFactory; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; -import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.AbstractChainingMetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; -import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SchemaValidationFilter; -import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SimpleMetadataSignatureVerificationFilter; - -import org.apache.commons.lang3.StringUtils; -import org.opensaml.saml.metadata.resolver.MetadataResolver; -import org.opensaml.saml.metadata.resolver.filter.MetadataFilter; -import org.opensaml.saml.metadata.resolver.filter.MetadataFilterChain; -import org.springframework.beans.factory.annotation.Autowired; - -import lombok.extern.slf4j.Slf4j; - -/** - * SAML2 metadata-provider implementation for eIDAS client. - * - * @author tlenz - * - */ -@Slf4j -public class IdAustriaClientAuthMetadataProvider extends AbstractChainingMetadataProvider { - - private static final String FRIENDLYNAME_METADATA_TRUSTSTORE = "'eIDAS_client metadata truststore'"; - private static final String PROVIDER_ID_PATTERN = "eIDAS resolver: {0}"; - public static final String PROVIDER_ID = "'eIDAS_client metadata provider'"; - - @Autowired - private IConfiguration basicConfig; - - @Autowired - private PvpMetadataResolverFactory metadataProviderFactory; - @Autowired - private IHttpClientFactory httpClientFactory; - - @Autowired - private EaafKeyStoreFactory keyStoreFactory; - - private Pair metadataSigningTrustStore; - - @Override - protected String getMetadataUrl(String entityId) throws EaafConfigurationException { - log.trace("eIDAS Auth. uses SAML2 well-known location approach. EntityId is Metadata-URL"); - return entityId; - - } - - @Override - protected MetadataResolver createNewMetadataProvider(String entityId) throws EaafConfigurationException, - IOException, CertificateException { - final List filterList = new ArrayList<>(); - filterList.add(new SchemaValidationFilter(true)); - filterList.add(new SimpleMetadataSignatureVerificationFilter( - metadataSigningTrustStore.getFirst(), entityId)); - - final MetadataFilterChain filter = new MetadataFilterChain(); - filter.setFilters(filterList); - - try { - return metadataProviderFactory.createMetadataProvider(getMetadataUrl(entityId), - filter, - MessageFormat.format(PROVIDER_ID_PATTERN, entityId), - httpClientFactory.getHttpClient()); - - } catch (final Pvp2MetadataException e) { - log.info("Can NOT build metadata provider for entityId: {}", entityId); - throw new EaafConfigurationException("module.eidasauth.04", - new Object[] { entityId, e.getMessage() }, e); - - } - } - - @Override - protected List getAllMetadataUrlsFromConfiguration() throws EaafConfigurationException { - return Collections.emptyList(); - - } - - @Override - protected String getMetadataProviderId() { - return PROVIDER_ID; - - } - - @Override - public void runGarbageCollector() { - log.trace("Garbage collection is NOT supported by: {}", getId()); - } - - @Override - public void doDestroy() { - super.fullyDestroy(); - - } - - @PostConstruct - private void initialize() throws EaafException { - // initialize truststore to validate metadata signing certificates - initializeTrustStore(); - - // load metadata with metadataURL, as backup - initializeFileSystemMetadata(); - - } - - private void initializeFileSystemMetadata() { - try { - final String metadataUrl = basicConfig.getBasicConfiguration( - IdAustriaClientAuthConstants.CONFIG_PROPS_NODE_METADATAURL); - if (StringUtils.isNotEmpty(metadataUrl)) { - log.info("Use not recommended metadata-provider initialization!" - + " SAML2 'Well-Known-Location' is the preferred methode."); - log.info("Initialize 'ms-specific eIDAS node' metadata-provider with URL: {}", metadataUrl); - - addMetadataResolverIntoChain(createNewMetadataProvider(metadataUrl)); - } - - } catch (final EaafConfigurationException | CertificateException | IOException e) { - log.warn("Can NOT inject static eIDAS Node metadata-soure.", e); - log.warn("eIDAS Node communication can be FAIL."); - - } - } - - private void initializeTrustStore() throws EaafException { - // set configuration - final KeyStoreConfiguration trustStoreConfig = new KeyStoreConfiguration(); - trustStoreConfig.setFriendlyName(FRIENDLYNAME_METADATA_TRUSTSTORE); - trustStoreConfig.setKeyStoreType(basicConfig.getBasicConfiguration( - IdAustriaClientAuthConstants.CONFIG_PROPS_TRUSTSTORE_TYPE, - KeyStoreType.JKS.getKeyStoreType())); - trustStoreConfig.setKeyStoreName(basicConfig.getBasicConfiguration( - IdAustriaClientAuthConstants.CONFIG_PROPS_TRUSTSTORE_NAME)); - trustStoreConfig.setSoftKeyStoreFilePath(basicConfig.getBasicConfiguration( - IdAustriaClientAuthConstants.CONFIG_PROPS_TRUSTSTORE_PATH)); - trustStoreConfig.setSoftKeyStorePassword(basicConfig.getBasicConfiguration( - IdAustriaClientAuthConstants.CONFIG_PROPS_TRUSTSTORE_PASSWORD)); - - // validate configuration - trustStoreConfig.validate(); - - // open new TrustStore - metadataSigningTrustStore = keyStoreFactory.buildNewKeyStore(trustStoreConfig); - - } - -} - diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthRequestBuilderConfiguration.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthRequestBuilderConfiguration.java deleted file mode 100644 index ddaf872d..00000000 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idAustriaClient/IdAustriaClientAuthRequestBuilderConfiguration.java +++ /dev/null @@ -1,300 +0,0 @@ -package at.asitplus.eidas.specific.modules.auth.eidas.v2.idAustriaClient; - -import java.util.List; - -import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; -import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; -import at.gv.egiz.eaaf.modules.pvp2.sp.api.IPvpAuthnRequestBuilderConfiguruation; - -import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration; -import org.opensaml.saml.saml2.core.NameIDType; -import org.opensaml.saml.saml2.metadata.EntityDescriptor; -import org.w3c.dom.Element; - -public class IdAustriaClientAuthRequestBuilderConfiguration implements IPvpAuthnRequestBuilderConfiguruation { - - private boolean isPassive; - private String spEntityId; - private String qaaLevel; - private EntityDescriptor idpEntity; - private EaafX509Credential signCred; - private String scopeRequesterId; - private String providerName; - private List requestedAttributes; - private String reqId; - - /* - * (non-Javadoc) - * - * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. - * IPVPAuthnRequestBuilderConfiguruation#isPassivRequest() - */ - @Override - public Boolean isPassivRequest() { - return this.isPassive; - } - - /* - * (non-Javadoc) - * - * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. - * IPVPAuthnRequestBuilderConfiguruation#getAssertionConsumerServiceId() - */ - @Override - public Integer getAssertionConsumerServiceId() { - return 0; - } - - /* - * (non-Javadoc) - * - * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. - * IPVPAuthnRequestBuilderConfiguruation#getEntityID() - */ - @Override - public String getSpEntityID() { - return this.spEntityId; - } - - /* - * (non-Javadoc) - * - * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. - * IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy() - */ - @Override - public String getNameIdPolicyFormat() { - return NameIDType.PERSISTENT; - } - - /* - * (non-Javadoc) - * - * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. - * IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy() - */ - @Override - public boolean getNameIdPolicyAllowCreation() { - return true; - } - - /* - * (non-Javadoc) - * - * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. - * IPVPAuthnRequestBuilderConfiguruation#getAuthnContextClassRef() - */ - @Override - public String getAuthnContextClassRef() { - return this.qaaLevel; - } - - /* - * (non-Javadoc) - * - * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. - * IPVPAuthnRequestBuilderConfiguruation#getAuthnContextComparison() - */ - @Override - public AuthnContextComparisonTypeEnumeration getAuthnContextComparison() { - return AuthnContextComparisonTypeEnumeration.MINIMUM; - } - - /** - * Set isPassive flag in SAML2 request. - * - * @param isPassive the isPassive to set. - */ - public void setPassive(boolean isPassive) { - this.isPassive = isPassive; - } - - /** - * Set the requester EntityId. - * - * @param spEntityId EntityId of SP - */ - public void setSpEntityID(String spEntityId) { - this.spEntityId = spEntityId; - } - - /** - * Set required LoA. - * - * @param loa the LoA to set. - */ - public void setRequestedLoA(String loa) { - qaaLevel = loa; - } - - /** - * Set EntityId of IDP. - * - * @param idpEntity the idpEntity to set. - */ - public void setIdpEntity(EntityDescriptor idpEntity) { - this.idpEntity = idpEntity; - } - - /** - * Set message signing credentials. - * - * @param signCred the signCred to set. - */ - public void setSignCred(EaafX509Credential signCred) { - this.signCred = signCred; - } - - /* - * (non-Javadoc) - * - * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. - * IPVPAuthnRequestBuilderConfiguruation#getAuthnRequestSigningCredential() - */ - @Override - public EaafX509Credential getAuthnRequestSigningCredential() { - return this.signCred; - } - - /* - * (non-Javadoc) - * - * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. - * IPVPAuthnRequestBuilderConfiguruation#getIDPEntityDescriptor() - */ - @Override - public EntityDescriptor getIdpEntityDescriptor() { - return this.idpEntity; - } - - /* - * (non-Javadoc) - * - * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. - * IPVPAuthnRequestBuilderConfiguruation#getSubjectNameID() - */ - @Override - public String getSubjectNameID() { - return null; - } - - /* - * (non-Javadoc) - * - * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. - * IPVPAuthnRequestBuilderConfiguruation#getSPNameForLogging() - */ - @Override - public String getSpNameForLogging() { - return IdAustriaClientAuthConstants.MODULE_NAME_FOR_LOGGING; - } - - /* - * (non-Javadoc) - * - * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. - * IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDFormat() - */ - @Override - public String getSubjectNameIdFormat() { - return null; - } - - /* - * (non-Javadoc) - * - * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. - * IPVPAuthnRequestBuilderConfiguruation#getRequestID() - */ - @Override - public String getRequestID() { - return this.reqId; - } - - /* - * (non-Javadoc) - * - * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. - * IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDQualifier() - */ - @Override - public String getSubjectNameIdQualifier() { - return null; - } - - /* - * (non-Javadoc) - * - * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. - * IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationMethode() - */ - @Override - public String getSubjectConformationMethode() { - return null; - } - - /* - * (non-Javadoc) - * - * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. - * IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationDate() - */ - @Override - public Element getSubjectConformationDate() { - return null; - } - - @Override - public List getRequestedAttributes() { - return this.requestedAttributes; - - } - - @Override - public String getProviderName() { - return this.providerName; - } - - @Override - public String getScopeRequesterId() { - return this.scopeRequesterId; - } - - /** - * Set the entityId of the SP that requests the proxy for eIDAS authentication. - * - * @param scopeRequesterId RequestId in SAML2 Proxy extension - */ - public void setScopeRequesterId(String scopeRequesterId) { - this.scopeRequesterId = scopeRequesterId; - } - - /** - * Set a friendlyName for the SP that requests the proxy for eIDAS - * authentication. - * - * @param providerName SAML2 provider-name attribute-value - */ - public void setProviderName(String providerName) { - this.providerName = providerName; - } - - /** - * Set a Set of PVP attributes that a requested by using requested attributes. - * - * @param requestedAttributes Requested SAML2 attributes - */ - public void setRequestedAttributes(List requestedAttributes) { - this.requestedAttributes = requestedAttributes; - } - - /** - * Set a RequestId for this Authn. Request. - * - * @param reqId SAML2 message requestId - */ - public void setRequestId(String reqId) { - this.reqId = reqId; - } - -} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/AhAuthProcessDataConstants.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/AhAuthProcessDataConstants.java new file mode 100644 index 00000000..36ea2440 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/AhAuthProcessDataConstants.java @@ -0,0 +1,9 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; + +import at.gv.egiz.eaaf.core.api.idp.EaafAuthProcessDataConstants; + +public interface AhAuthProcessDataConstants extends EaafAuthProcessDataConstants { + + + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/AhAuthProcessDataWrapper.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/AhAuthProcessDataWrapper.java new file mode 100644 index 00000000..1b20960b --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/AhAuthProcessDataWrapper.java @@ -0,0 +1,224 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; + + +import java.security.cert.CertificateEncodingException; +import java.security.cert.CertificateException; +import java.util.Map; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper; +import iaik.x509.X509Certificate; + +public class AhAuthProcessDataWrapper extends AuthProcessDataWrapper + implements IAhAuthProcessData, AhAuthProcessDataConstants { + private static final Logger log = LoggerFactory.getLogger(AhAuthProcessDataWrapper.class); + + public static final String VALUE_SIGNER_CERT = "direct_signerCert"; + public static final String VALUE_VDAURL = "direct_bkuUrl"; + + public static final String VALUE_MANDATES_REFVALUE = "direct_mis_refvalue"; + + public static final String VALUE_EID_QCBIND = "direct_eid_qcBind"; + public static final String VALUE_EID_VSZ = "direct_eid_vsz"; + public static final String VALUE_EID_SIGNEDAUTHBLOCK = "direct_eid_authblock"; + public static final String VALUE_EID_SIGNEDAUTHBLOCK_TYPE = "direct_eid_authblock_type"; + public static final String VALUE_EID_MIS_MANDATE = "direct_eid_mis_mandate"; + + public static final String VALUE_INTERNAL_BPK = "direct_internal_bpk"; + public static final String VALUE_INTERNAL_BPKYPE = "direct_internal_bpktype"; + + public static final String VALUE_INTERNAL_MANDATE_ELGA_PROCESS = "direct_is_elga_mandate_process"; + public static final String VALUE_INTERNAL_VDA_AUTHENTICATION_PROCESS = "direct_is_vda_auth_process"; + + public AhAuthProcessDataWrapper(final Map authProcessData) { + super(authProcessData); + + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.auth.data.IAuthenticationSession#getSignerCertificate() + */ + @Override + public X509Certificate getSignerCertificate() { + final byte[] encCert = getEncodedSignerCertificate(); + + if (encCert != null) { + try { + return new X509Certificate(encCert); + } catch (final CertificateException e) { + log.warn("Signer certificate can not be loaded from session database!", e); + + } + } + return null; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.auth.data.IAuthenticationSession#getEncodedSignerCertificate() + */ + @Override + public byte[] getEncodedSignerCertificate() { + return wrapStoredObject(VALUE_SIGNER_CERT, null, byte[].class); + + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.auth.data.IAuthenticationSession#setSignerCertificate(iaik.x509. + * X509Certificate) + */ + @Override + public void setSignerCertificate(final java.security.cert.X509Certificate signerCertificate) { + try { + authProcessData.put(VALUE_SIGNER_CERT, signerCertificate.getEncoded()); + + } catch (final CertificateEncodingException e) { + log.warn("Signer certificate can not be stored to session database!", e); + } + + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.auth.data.IAuthenticationSession#getBkuURL() + */ + @Override + public String getVdaUrl() { + return wrapStoredObject(VALUE_VDAURL, null, String.class); + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.auth.data.IAuthenticationSession#setBkuURL(java.lang.String) + */ + @Override + public void setVdaUrl(final String vdaUrl) { + authProcessData.put(VALUE_VDAURL, vdaUrl); + + } + + @Override + public String getMandateReferenceValue() { + return wrapStoredObject(VALUE_MANDATES_REFVALUE, null, String.class); + } + + @Override + public void setMandateReferenceValue(final String refValue) { + authProcessData.put(VALUE_MANDATES_REFVALUE, refValue); + + } + + @Override + public String getQcBind() { + return wrapStoredObject(VALUE_EID_QCBIND, null, String.class); + } + + @Override + public void setQcBind(final String qcBind) { + authProcessData.put(VALUE_EID_QCBIND, qcBind); + + } + + @Override + public String getVsz() { + return wrapStoredObject(VALUE_EID_VSZ, null, String.class); + } + + @Override + public void setVsz(final String vsz) { + authProcessData.put(VALUE_EID_VSZ, vsz); + + } + + @Override + public byte[] getSignedAuthBlock() { + return wrapStoredObject(VALUE_EID_SIGNEDAUTHBLOCK, null, byte[].class); + } + + @Override + public void setSignedAuthBlock(final byte[] signedConsent) { + authProcessData.put(VALUE_EID_SIGNEDAUTHBLOCK, signedConsent); + + } + + @Override + public AuthHandlerConstants.AuthBlockType getSignedAuthBlockType() { + return wrapStoredObject(VALUE_EID_SIGNEDAUTHBLOCK_TYPE, AuthHandlerConstants.AuthBlockType.NONE, + AuthHandlerConstants.AuthBlockType.class); + } + + @Override + public void setSignedAuthBlockType(final AuthHandlerConstants.AuthBlockType authBlockType) { + authProcessData.put(VALUE_EID_SIGNEDAUTHBLOCK_TYPE, authBlockType); + + } + + @Override + public ISignedMandate getMandateDate() { + return wrapStoredObject(VALUE_EID_MIS_MANDATE, null, ISignedMandate.class); + + } + + @Override + public void setMandateDate(final ISignedMandate mandateDate) { + authProcessData.put(VALUE_EID_MIS_MANDATE, mandateDate); + + } + + @Override + public String getInternalBpk() { + return wrapStoredObject(VALUE_INTERNAL_BPK, null, String.class); + } + + @Override + public void setInternalBpk(final String bpk) { + authProcessData.put(VALUE_INTERNAL_BPK, bpk); + + } + + @Override + public String getInternalBpkType() { + return wrapStoredObject(VALUE_INTERNAL_BPKYPE, null, String.class); + + } + + @Override + public void setInternalBpkType(final String bpkType) { + authProcessData.put(VALUE_INTERNAL_BPKYPE, bpkType); + + } + + @Override + public boolean isElgaMandateProcess() { + return wrapStoredObject(VALUE_INTERNAL_MANDATE_ELGA_PROCESS, false, Boolean.class); + + } + + @Override + public void setElgaMandateProcess(boolean flag) { + authProcessData.put(VALUE_INTERNAL_MANDATE_ELGA_PROCESS, flag); + + } + + @Override + public boolean isVdaAuthentication() { + return wrapStoredObject(VALUE_INTERNAL_VDA_AUTHENTICATION_PROCESS, false, Boolean.class); + + } + + @Override + public void setVdaAuthentication(boolean flag) { + authProcessData.put(VALUE_INTERNAL_VDA_AUTHENTICATION_PROCESS, flag); + + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/AhExtendedPvpAttributeDefinitions.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/AhExtendedPvpAttributeDefinitions.java new file mode 100644 index 00000000..b74767de --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/AhExtendedPvpAttributeDefinitions.java @@ -0,0 +1,24 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; + +import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class AhExtendedPvpAttributeDefinitions implements ExtendedPvpAttributeDefinitions { + private static final Logger log = + LoggerFactory.getLogger(AhExtendedPvpAttributeDefinitions.class); + + private AhExtendedPvpAttributeDefinitions() { + log.trace("Instance class: {} for SonarQube", + AhExtendedPvpAttributeDefinitions.class.getName()); + + } + + public static final String EID_BCBIND_NAME = "urn:eidgvat:attributes.bcbind"; + public static final String EID_BCBIND_FRIENDLY_NAME = "bcBind"; + + public static final String EID_BINDING_PUBKEY_NAME = "urn:eidgvat:attributes.binding.pubkey"; + public static final String EID_BINDING_PUBKEY_FRIENDLY_NAME = "BindingPubKey"; + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/AuthHandlerConstants.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/AuthHandlerConstants.java new file mode 100644 index 00000000..1bbc31e0 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/AuthHandlerConstants.java @@ -0,0 +1,141 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; + + +public class AuthHandlerConstants { + + private AuthHandlerConstants() { + + } + + // TODO: maybe update to another target + public static final String DEFAULT_INTERNAL_BPK_TARGET = "urn:publicid:gv.at:cdid+ZP-MH"; + + // configuration parameters + public static final String PROP_CONFIG_APPLICATION_PREFIX = "authhandler."; + public static final String PROP_CONFIG_APPLICATION_PUBLIC_URL_PREFIX = "core.context.url.prefix"; + public static final String PROP_CONFIG_APPLICATION_PUBLIC_URL_REQUEST_VALIDATION = + "core.context.url.request.validation"; + public static final String PROP_CONFIG_LEGACY_ALLOW = "core.legacy.allowLegacyMode"; + + public static final String PROP_CONFIG_WEBCONTENT_STATIC_PATH = + "core.webcontent.static.directory"; + public static final String PROP_CONFIG_WEBCONTENT_TEMPLATES_PATH = "core.webcontent.templates"; + public static final String PROP_CONFIG_WEBCONTENT_PROPERTIES_PATH = "core.webcontent.properties"; + + public static final String PROP_CONFIG_CACHE_TRANSACTIONS_NAME = "core.cache.transaction.name"; + public static final String PROP_CONFIG_CACHE_TRANSACTIONS_ENC_ENABLED = + "core.cache.transaction.encryption.enabled"; + public static final String PROP_CONFIG_CACHE_TRANSACTIONS_ENC_KEY_TYPE = + "core.cache.transaction.encryption.type"; + public static final String PROP_CONFIG_CACHE_TRANSACTIONS_ENC_PASSPHRASE = + "core.cache.transaction.encryption.passphrase"; + public static final String PROP_CONFIG_CACHE_TRANSACTIONS_ENC_SALT = + "core.cache.transaction.encryption.salt"; + public static final String PROP_CONFIG_CACHE_TRANSACTIONS_ENC_KEYSTORE_NAME = + "core.cache.transaction.encryption.keystore.name"; + public static final String PROP_CONFIG_CACHE_TRANSACTIONS_ENC_KEY_ALIAS = + "core.cache.transaction.encryption.key.alias"; + + public static final String PROP_CONFIG_CACHE_ATTRIBUTEPROXY_NAME = + "core.cache.attributeproxy.name"; + + public static final String PROP_CONFIG_BACKEND_ENDPOINT_GETALLSUPPORTEDATTRIBUTES = + "backend.endpoints.getallsupportedattributes"; + public static final String PROP_CONFIG_BACKEND_ENDPOINT_GETAPPLICATIONCONFIGURATION = + "backend.endpoints.getapplicationconfiguration"; + + public static final String PROP_CONFIG_INTERNAL_BPK_TARGET = "core.internal.bpk.target"; + + public static final String PROP_CONFIG_INTERNAL_FRONTEND_ONLY_MODE = "core.internal.frontend.only.mode"; + public static final boolean PROP_DEFAULT_CONFIG_INTERNAL_FRONTEND_ONLY_MODE = false; + + // Servlet End-Points + public static final String ENDPOINT_PROCESSENGINE_CONTROLLER = "/api/process"; + public static final String ENDPOINT_ERROR_IFRAME_HOPPING = "/error/parenthop"; + + + // GUI template directories + public static final String CLASSPATH_TEMPLATE_DIR = "/templates/"; + public static final String FILESYSTEM_TEMPLATE_DIR = "./templates/"; + public static final String TEMPLATE_HTML_ERROR = "error_message.html"; + + // GUI template defaultfiles + public static final String TEMPLATE_AUTHPROCESS_SELECTION_VDA_FULLFRAME = "authSelection.html"; + public static final String TEMPLATE_AUTHPROCESS_SELECTION_VDA_IFRAME = "authSelection_iframe.html"; + public static final String TEMPLATE_USER_CONSENT_REQUEST = "userConsent.html"; + public static final String TEMPLATE_IFRAME_TO_PARENT_HOPE = "iframe_parent_hope.html"; + public static final String TEMPLATE_MANDATE_SELECTION = "mandateSelection.html"; + public static final String TEMPLATE_PROF_REP_MANDATE_SELECTION = "profRepMandateSelection.html"; + public static final String TEMPLATE_MANDATE_SELECTION_DUMMY = "mandateSelection_dummy.html"; + + + + // http request parameters + public static final String HTTP_PARAM_APPLICATION_ID = "appId"; + public static final String HTTP_PARAM_STOP_PROCESS = "stopAuthProcess"; + public static final String HTTP_PARAM_EIDAS_PROCESS = "useeIDAS"; + public static final String HTTP_PARAM_EID_PROCESS = "useeID"; + public static final String HTTP_PARAM_EID_BINDING_AUTH_PROCESS = "useBindingAuth"; + public static final String HTTP_PARAM_USE_MANDATES = "useMandate"; + public static final String HTTP_PARAM_AUTHMETHOD = "authMethod"; + public static final String HTTP_PARAM_CONSENT_RELEASE_ATTRIBUTES = "releaseAttributes"; + public static final String HTTP_PARAM_CONSENT_STORE_CONSENT = "storeConsent"; + + @Deprecated + public static final String HTTP_PARAM_EIDMIGRATIONPILOT_PROCESS = "pilotMigration"; + @Deprecated + public static final String HTTP_PARAM_EIDMIGRATIONPILOT_SHOW_INFO_PAGE = "pilotMigrationInfoPage"; + @Deprecated + public static final String HTTP_PARAM_MOBILESIGNATURE_PROCESS = "usemobileSig"; + + // UI options + public static final String UI_PARAM_USE_MANDATES = HTTP_PARAM_USE_MANDATES; + public static final String UI_PARAM_USE_ONLY_MANDATES = "useOnlyMandate"; + public static final String UI_PARAM_USE_EIDAS = HTTP_PARAM_EIDAS_PROCESS; + public static final String UI_PARAM_DSGVO_SHORT_INFO = "dsgvoShortText"; + public static final String UI_PARAM_DSGVO_SP_PRIVACY_STATEMENT_URL = "dsgvoPrivacyStatementUrl"; + public static final String UI_PARAM_DSGVO_SP_SERVICE_URL = "dsgvoServiceUrl"; + public static final String UI_PARAM_DSGVO_SP_LOGO = "dsgvoSpLogo"; + public static final String UI_PARAM_DSGVO_SP_LOGO_SET = "dsgvoSpLogoSet"; + public static final String UI_PARAM_DSGVO_SP_LOGO_SET_DATAURL = "dataUrl"; + public static final String UI_PARAM_DSGVO_SP_LOGO_SET_THEME = "theme"; + public static final String UI_PARAM_DSGVO_SP_LOGO_SET_RESOLUTION = "resolution"; + public static final String UI_PARAM_DSGVO_SP_LOGO_SET_TYPE = "type"; + + public enum LogoType { SVG, PNG, UNKNOWN } + + public enum AuthBlockType { + CADES("CAdES"), JWS("JWS"), NONE("none"); + + private final String internalType; + + AuthBlockType(final String type) { + this.internalType = type; + + } + + /** + * Get Type identifier for this AuthBlock. + * + * @return + */ + public String getAuthBlockType() { + return this.internalType; + } + + @Override + public String toString() { + return getAuthBlockType(); + + } + } + + // process context parameters + public static final String PROCESSCONTEXT_USERCONSENT_NEEDED = "userConsentNeeded"; + public static final String PROCESSCONTEXT_AUTHPROCESSSELECTION_DONE = "authProcSelectDone"; + public static final String PROCESSCONTEXT_SWITCH_LANGUAGE = "changeLanguage"; + public static final String PROCESSCONTEXT_IFRAME_PARENT_NEEDED = "iframeParentNeeded"; + + public static final String PROCESSCONTEXT_WAS_EID_PROCESS = "wasEidProcess"; + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/EidasAuthEventConstants.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/EidasAuthEventConstants.java new file mode 100644 index 00000000..bca04369 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/EidasAuthEventConstants.java @@ -0,0 +1,10 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; + +public class EidasAuthEventConstants { + + public static final int AUTHPROCESS_EIDAS_AT_CONNECTOR_SELECTED = 6200; + public static final int AUTHPROCESS_EIDAS_AT_CONNECTOR_REQUESTED = 6201; + public static final int AUTHPROCESS_EIDAS_AT_CONNECTOR_RECEIVED = 6202; + public static final int AUTHPROCESS_EIDAS_AT_CONNECTOR_RECEIVED_ERROR = 6203; + public static final int AUTHPROCESS_EIDAS_AT_CONNECTOR_MDS_VALID = 6204; +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IAhAuthProcessData.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IAhAuthProcessData.java new file mode 100644 index 00000000..47d3d37c --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IAhAuthProcessData.java @@ -0,0 +1,190 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; + +import java.security.cert.X509Certificate; + +import at.gv.egiz.eaaf.core.api.idp.auth.data.IAuthProcessDataContainer; + +public interface IAhAuthProcessData extends IAuthProcessDataContainer { + + /** + * Get the certificate that was used to sign the Consent. + * + * @return {@link X509Certificate} + */ + X509Certificate getSignerCertificate(); + + /** + * Get the certificate that was used to sign the Consent. + * + * @return Serialized certificate + */ + byte[] getEncodedSignerCertificate(); + + /** + * Set the certificate that was used to sign the Consent. + * + * @param signerCertificate Signer certificate of the user + */ + void setSignerCertificate(X509Certificate signerCertificate); + + + /** + * Get URL to VDA that was used for authentication. + * + * @return + */ + String getVdaUrl(); + + /** + * Set URL to VDA that was used for authentication. + * + * @param vdaUrl URL to VDA that was used for authentication + */ + void setVdaUrl(String vdaUrl); + + /** + * Get the reference-value that used to interact with MIS service. + * + * @return + */ + String getMandateReferenceValue(); + + /** + * Set the reference-value that used to interact with MIS service. + * + * @param refValue Mandate reference value + */ + void setMandateReferenceValue(String refValue); + + /** + * Get the qcBind of the user that was received by VDA or other storage during authentication. + * + * @return + */ + String getQcBind(); + + /** + * Set the qcBind of the user that was received by VDA or other storage during authentication. + * + * @param qcBind raw qcBind data-structure (serialized JSON) + */ + void setQcBind(String qcBind); + + /** + * Get the vSZ of the user. + * + * @return + */ + String getVsz(); + + /** + * Set the vSZ of the user. + * + * @param vsz user's encrypted baseId + */ + void setVsz(String vsz); + + /** + * Get the signed AuthBlock of the user. + * + * @return + */ + byte[] getSignedAuthBlock(); + + /** + * Set the signed AuthBlock of the user. + * + * @param authBlock raw signed consent + */ + void setSignedAuthBlock(byte[] authBlock); + + /** + * Get a textual type identifier of the AuthBlock. + * + * @return AuthBlock type + */ + AuthHandlerConstants.AuthBlockType getSignedAuthBlockType(); + + /** + * Set a textual identifier for the type of the AuthBlock. + * + * @param authBlockType AuthBlock type + */ + void setSignedAuthBlockType(final AuthHandlerConstants.AuthBlockType authBlockType); + + /** + * Get the selected mandate of the user that was issued by MIS. + * + * @return + */ + ISignedMandate getMandateDate(); + + /** + * Set the selected mandate of the user that is issued by MIS. + * + * @param signedMandate Raw mandate structure for E-ID backend + */ + void setMandateDate(ISignedMandate signedMandate); + + + /** + * Get bPK for this entity.
+ * THIS bPK is only for AuthHandler internal usage + * + * @return bPK, or null if no bPK is set + */ + String getInternalBpk(); + + /** + * Get bPK type for this entity.
+ * THIS bPK is only for AuthHandler internal usage + * + * @return bPKType, or null if no bPKType is set + */ + String getInternalBpkType(); + + /** + * Set the bPK for INTERNAL USAGE of the current entity. + * + * @param bpk bPK for internal usage + */ + void setInternalBpk(String bpk); + + /** + * Set the bPK for INTERNAL USAGE of the current entity. + * + * @param bpkType bPK for internal usage + */ + void setInternalBpkType(String bpkType); + + + /** + * Indicate if the current process uses ELGA mandates. + * + * @return true if ELGA mandates are used, otherwise false + */ + boolean isElgaMandateProcess(); + + /** + * Set flag if the current process is an ELGA mandate process. + * + * @param flag true if it is an ELGA mandate-process, otherwise false + */ + void setElgaMandateProcess(boolean flag); + + + /** + * Indicate if the current process was authenticated by a VDA. + * + * @return true if the current process was authenticated by VDA, otherwise false + */ + boolean isVdaAuthentication(); + + /** + * Set flag that indicates if the current process was authenticated by a VDA. + * + * @param flag true in case of VDA authentication, otherwise false + */ + void setVdaAuthentication(boolean flag); + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IAhSpConfiguration.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IAhSpConfiguration.java new file mode 100644 index 00000000..081b215a --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IAhSpConfiguration.java @@ -0,0 +1,151 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; + +import java.util.List; + +import javax.annotation.Nonnull; +import javax.annotation.Nullable; + +import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; +import at.gv.egiz.eaaf.core.impl.data.Pair; + +public interface IAhSpConfiguration extends ISpConfiguration { + + + /** + * Flag if this Service Provider is enabled. + * + * @return true if the SP is enabled, otherwise false + */ + boolean isEnabled(); + + /** + * Get unique identifier that is used in Application-Register from BM.I. + * + *

If no BM.I specific identifier is available then this method returns + * the same identifier as getUniqueIdentifier()

+ * + * @return unique identifier from BM.I AppReg, or generic uniqueId of no specific exists + */ + String getUniqueApplicationRegisterIdentifier(); + + /** + * Flag that marks this Service-Provider as public or private. + * + *

Default: If it is not set or has an unknown value, its private by default

+ * + * @return true if it is from public, otherwise false + */ + boolean isPublicServiceProvider(); + + /** + * Enable test identities for this Service Provider. + * + * @return true if test identities are allowed, otherwise false + */ + boolean isTestCredentialEnabled(); + + /** + * Get a List of OID's that refine the set of allowed test identities. + * + * @return @link {@link List} of test-identity OID's + */ + @Nullable + List getTestCredentialOids(); + + + /** + * Get a List of unique attribute URI's that are required by this SP. + * + * @return {@link List} of attribute URI's / parameter {@link Pair}s + */ + List> getRequiredAttributes(); + + + /** + * Get the CountryCode for this service.
+ *
+ * Default: AT + * + * @return + */ + String getCountryCode(); + + /** + * Set the CountryCode for this service. If not countryCode is set, AT is used as default. + * + * @param cc Service-Provider country-code + */ + void setCountryCode(String cc); + + /** + * Enable mandates for this service provider. + * + * @return true if mandates are enabled, otherwise false + */ + boolean isMandateEnabled(); + + /** + * Enables multi-mandates for this service-provider. + * + * @return true if multi-mandates are enabled, otherwise false + */ + boolean isMultiMandateEnabled(); + + /** + * Only mandates are allowed for this service provider. + * + * @return true if only mandates are allowed, otherwise false + */ + boolean isOnlyMandateEnabled(); + + /** + * Get a {@link List} of mandate profiles that are supported by this Service provider. + * + * @return + */ + @Nonnull List getMandateProfiles(); + + + /** + * eIDAS authentication allowed flag. + * + * @return true if eIDAS authentication is enabled, otherwise false + */ + boolean isEidasEnabled(); + + /** + * Get a List of targets for additional bPKs that are required by this service provider. + * + * @return List of prefixed bPK targets + */ + @Nonnull List getAdditionalBpkTargets(); + + /** + * Get a list of foreign bPK targets that are required by this service provider. + * + * @return List of pairs with prefixed bPK targets as first element and VKZ as second element + */ + @Nonnull List> getAdditionalForeignBpkTargets(); + + /** + * Flag that indicates that service-provider as restricted or unrestricted. + * + *

A restricted service-provider can only used by test-identities that contains a + * valid application-restriction in User-Certificate Pinning

+ * + *

Default: true

+ * + * @return true if it is restricted, otherwise false + */ + boolean isRestrictedServiceProvider(); + + + /** + * Defines the time in minutes how long the last VDA registration h@Override + ave passed as maximum. + * + * @return time in minutes + */ + long lastVdaAuthenticationDelay(); + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IRawMandateDao.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IRawMandateDao.java new file mode 100644 index 00000000..7e3b2aa1 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IRawMandateDao.java @@ -0,0 +1,32 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; + +import java.io.Serializable; +import java.util.Date; + +public interface IRawMandateDao extends Serializable { + + boolean isNaturalPerson(); + + boolean isProfRepresentation(); + + String getIdentifier(); + + String getIdentifierType(); + + String getGivenName(); + + String getFamilyName(); + + Date getDateOfBirth(); + + String getCommonName(); + + String getMandateTypeOid(); + + String getMandateAnnotation(); + + String getMandateId(); + + String getMandateContent(); + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/ISignedMandate.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/ISignedMandate.java new file mode 100644 index 00000000..edd167fb --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/ISignedMandate.java @@ -0,0 +1,19 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; + +public interface ISignedMandate extends IRawMandateDao { + + /** + * Get the full signed mandate issued by the MIS component. + * + * @return serialized JWS that contains the mandate + */ + String getSignedMandate(); + + /** + * Get formated date-of-birth. + * + * @return date-of-birth as 'yyyy-MM-dd' + */ + String getDateOfBirthFormated(); + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthConstants.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthConstants.java new file mode 100644 index 00000000..7d8b9dc8 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthConstants.java @@ -0,0 +1,166 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; + + +import at.gv.egiz.eaaf.core.api.data.EaafConstants; +import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions; +import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; +import at.gv.egiz.eaaf.core.impl.data.Triple; + +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; + + +public class IdAustriaClientAuthConstants { + + private IdAustriaClientAuthConstants() { + + } + + public static final String SAML2_STATUSCODE_USERSTOP = "1005"; + + public static final String MODULE_NAME_FOR_LOGGING = "ID Austria Client"; + + public static final int METADATA_VALIDUNTIL_IN_HOURS = 24; + + // public static final String HTTP_PARAM_CENTRAL_EIDAS_AUTH_SELECTION = + // AuthHandlerConstants.HTTP_PARAM_EIDAS_PROCESS; + + public static final String ENDPOINT_POST = "/idAustriaSp/post"; + public static final String ENDPOINT_REDIRECT = "/idAustriaSp/redirect"; + public static final String ENDPOINT_METADATA = "/idAustriaSp/metadata"; + + public static final String CONFIG_PROPS_PREFIX = "modules.idaustriaclient."; + public static final String CONFIG_PROPS_KEYSTORE_TYPE = CONFIG_PROPS_PREFIX + "keystore.type"; + public static final String CONFIG_PROPS_KEYSTORE_NAME = CONFIG_PROPS_PREFIX + "keystore.name"; + public static final String CONFIG_PROPS_KEYSTORE_PATH = CONFIG_PROPS_PREFIX + "keystore.path"; + public static final String CONFIG_PROPS_KEYSTORE_PASSWORD = CONFIG_PROPS_PREFIX + "keystore.password"; + public static final String CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD = CONFIG_PROPS_PREFIX + + "metadata.sign.password"; + public static final String CONFIG_PROPS_SIGN_METADATA_ALIAS = CONFIG_PROPS_PREFIX + + "metadata.sign.alias"; + public static final String CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD = CONFIG_PROPS_PREFIX + + "request.sign.password"; + public static final String CONFIG_PROPS_SIGN_SIGNING_ALIAS = CONFIG_PROPS_PREFIX + + "request.sign.alias"; + public static final String CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD = CONFIG_PROPS_PREFIX + + "response.encryption.password"; + public static final String CONFIG_PROPS_ENCRYPTION_ALIAS = CONFIG_PROPS_PREFIX + + "response.encryption.alias"; + + public static final String CONFIG_PROPS_TRUSTSTORE_TYPE = CONFIG_PROPS_PREFIX + "truststore.type"; + public static final String CONFIG_PROPS_TRUSTSTORE_NAME = CONFIG_PROPS_PREFIX + "truststore.name"; + public static final String CONFIG_PROPS_TRUSTSTORE_PATH = CONFIG_PROPS_PREFIX + "truststore.path"; + public static final String CONFIG_PROPS_TRUSTSTORE_PASSWORD = CONFIG_PROPS_PREFIX + "truststore.password"; + + public static final String CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST = CONFIG_PROPS_PREFIX + + "required.additional.attributes"; + public static final String CONFIG_PROPS_REQUIRED_LOA = CONFIG_PROPS_PREFIX + + "required.loa"; + public static final String CONFIG_PROPS_NODE_ENTITYID = CONFIG_PROPS_PREFIX + "node.entityId"; + public static final String CONFIG_PROPS_NODE_METADATAURL = CONFIG_PROPS_PREFIX + "node.metadataUrl"; + public static final String CONFIG_PROPS_NODE_TRUSTPROFILEID = CONFIG_PROPS_PREFIX + "node.trustprofileID"; + + + public static final String CONFIG_PROPS_METADATA_CONTACT_GIVENNAME = + CONFIG_PROPS_PREFIX + "metadata.contact.givenname"; + public static final String CONFIG_PROPS_METADATA_CONTACT_SURNAME = + CONFIG_PROPS_PREFIX + "metadata.contact.surname"; + public static final String CONFIG_PROPS_METADATA_CONTACT_EMAIL = + CONFIG_PROPS_PREFIX + "metadata.contact.email"; + public static final String CONFIG_PROPS_METADATA_ORGANISATION_NAME = + CONFIG_PROPS_PREFIX + "metadata.organisation.name"; + public static final String CONFIG_PROPS_METADATA_ORGANISATION_FRIENDLYNAME = + CONFIG_PROPS_PREFIX + "metadata.organisation.friendyname"; + public static final String CONFIG_PROPS_METADATA_ORGANISATION_URL = + CONFIG_PROPS_PREFIX + "metadata.organisation.url"; + + public static final String CONFIG_PROPS_APPSPECIFIC_EIDAS_NODE_URL = "auth.eidas.node.entityId"; + + public static final String CONFIG_PROPS_SEMPER_MANDATES_ACTIVE = CONFIG_PROPS_PREFIX + + "semper.mandates.active"; + public static final String CONFIG_PROPS_SEMPER_MANDATES_MS_PROXY_LIST = CONFIG_PROPS_PREFIX + + "semper.msproxy.list"; + + public static final String CONFIG_DEFAULT_LOA_EIDAS_LEVEL = EaafConstants.EIDAS_LOA_HIGH; + + @Deprecated + public static final List> DEFAULT_REQUIRED_PVP_ATTRIBUTES_WITHOUT_EID = + Collections.unmodifiableList(new ArrayList>() { + private static final long serialVersionUID = 1L; + { + // add PVP Version attribute + add(Triple.newInstance(PvpAttributeDefinitions.PVP_VERSION_NAME, + PvpAttributeDefinitions.PVP_VERSION_FRIENDLY_NAME, true)); + + // request entity information + add(Triple.newInstance(PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME, + PvpAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, false)); + add(Triple.newInstance(PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME, + PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_FRIENDLY_NAME, true)); + add(Triple.newInstance(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, + PvpAttributeDefinitions.EID_ISSUING_NATION_FRIENDLY_NAME, true)); + + // entity eID information + add(Triple.newInstance(AhExtendedPvpAttributeDefinitions.EID_EIDBIND_NAME, + AhExtendedPvpAttributeDefinitions.EID_EIDBIND_FRIENDLY_NAME, false)); + add(Triple.newInstance(AhExtendedPvpAttributeDefinitions.EID_AUTHBLOCK_SIGNED_NAME, + AhExtendedPvpAttributeDefinitions.EID_AUTHBLOCK_SIGNED_FRIENDLY_NAME, false)); + + // Deprecated information + add(Triple.newInstance(PvpAttributeDefinitions.GIVEN_NAME_NAME, + PvpAttributeDefinitions.GIVEN_NAME_FRIENDLY_NAME, false)); + add(Triple.newInstance(PvpAttributeDefinitions.PRINCIPAL_NAME_NAME, + PvpAttributeDefinitions.PRINCIPAL_NAME_FRIENDLY_NAME, false)); + add(Triple.newInstance(PvpAttributeDefinitions.BIRTHDATE_NAME, + PvpAttributeDefinitions.BIRTHDATE_FRIENDLY_NAME, false)); + add(Triple.newInstance(PvpAttributeDefinitions.BPK_NAME, PvpAttributeDefinitions.BPK_FRIENDLY_NAME, + false)); + add(Triple.newInstance(PvpAttributeDefinitions.EID_IDENTITY_LINK_NAME, + PvpAttributeDefinitions.EID_IDENTITY_LINK_FRIENDLY_NAME, false)); + + //request pII transactionId from MS-Connector + add(Triple.newInstance(ExtendedPvpAttributeDefinitions.EID_PII_TRANSACTION_ID_NAME, + ExtendedPvpAttributeDefinitions.EID_PII_TRANSACTION_ID_FRIENDLY_NAME, false)); + + } + }); + + public static final List> DEFAULT_REQUIRED_PVP_ATTRIBUTES = + Collections.unmodifiableList(new ArrayList>() { + private static final long serialVersionUID = 1L; + { + // add PVP Version attribute + add(Triple.newInstance(PvpAttributeDefinitions.PVP_VERSION_NAME, + PvpAttributeDefinitions.PVP_VERSION_FRIENDLY_NAME, true)); + + // entity metadata information + add(Triple.newInstance(PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME, + PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_FRIENDLY_NAME, true)); + add(Triple.newInstance(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, + PvpAttributeDefinitions.EID_ISSUING_NATION_FRIENDLY_NAME, true)); + + // entity eID information + add(Triple.newInstance(AhExtendedPvpAttributeDefinitions.EID_EIDBIND_NAME, + AhExtendedPvpAttributeDefinitions.EID_EIDBIND_FRIENDLY_NAME, true)); + add(Triple.newInstance(AhExtendedPvpAttributeDefinitions.EID_AUTHBLOCK_SIGNED_NAME, + AhExtendedPvpAttributeDefinitions.EID_AUTHBLOCK_SIGNED_FRIENDLY_NAME, true)); + + //request pII transactionId from MS-Connector + add(Triple.newInstance(ExtendedPvpAttributeDefinitions.EID_PII_TRANSACTION_ID_NAME, + ExtendedPvpAttributeDefinitions.EID_PII_TRANSACTION_ID_FRIENDLY_NAME, false)); + + } + }); + + public static final List DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES = + Collections.unmodifiableList(new ArrayList() { + private static final long serialVersionUID = 1L; + { + for (final Triple el : DEFAULT_REQUIRED_PVP_ATTRIBUTES) { + add(el.getFirst()); + } + } + }); + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthCredentialProvider.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthCredentialProvider.java new file mode 100644 index 00000000..69386194 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthCredentialProvider.java @@ -0,0 +1,130 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; + +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider; + +import org.springframework.beans.factory.annotation.Autowired; + +/** + * Credential provider for eIDAS PVP S-Profile client. + * + * @author tlenz + * + */ +public class IdAustriaClientAuthCredentialProvider extends AbstractCredentialProvider { + + @Autowired + IConfiguration authConfig; + + private static final String FRIENDLYNAME = "eIDAS centrial authentication"; + + @Override + public KeyStoreConfiguration getBasicKeyStoreConfig() throws EaafConfigurationException { + final KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration(); + keyStoreConfig.setFriendlyName(FRIENDLYNAME); + keyStoreConfig.setKeyStoreType( + authConfig.getBasicConfiguration(IdAustriaClientAuthConstants.CONFIG_PROPS_KEYSTORE_TYPE, + KeyStoreType.PKCS12.getKeyStoreType())); + keyStoreConfig.setKeyStoreName( + authConfig.getBasicConfiguration(IdAustriaClientAuthConstants.CONFIG_PROPS_KEYSTORE_NAME)); + keyStoreConfig.setSoftKeyStoreFilePath(getKeyStoreFilePath()); + keyStoreConfig.setSoftKeyStorePassword( + authConfig.getBasicConfiguration(IdAustriaClientAuthConstants.CONFIG_PROPS_KEYSTORE_PASSWORD)); + + return keyStoreConfig; + + } + + private String getKeyStoreFilePath() throws EaafConfigurationException { + final String path = authConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_KEYSTORE_PATH); + if (path == null) { + throw new EaafConfigurationException("module.eidasauth.00", + new Object[] { IdAustriaClientAuthConstants.CONFIG_PROPS_KEYSTORE_PATH }); + + } + return path; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# + * getMetadataKeyAlias() + */ + @Override + public String getMetadataKeyAlias() { + return authConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_SIGN_METADATA_ALIAS); + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# + * getMetadataKeyPassword() + */ + @Override + public String getMetadataKeyPassword() { + return authConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD); + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# + * getSignatureKeyAlias() + */ + @Override + public String getSignatureKeyAlias() { + return authConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_SIGN_SIGNING_ALIAS); + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# + * getSignatureKeyPassword() + */ + @Override + public String getSignatureKeyPassword() { + return authConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD); + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# + * getEncryptionKeyAlias() + */ + @Override + public String getEncryptionKeyAlias() { + return authConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_ENCRYPTION_ALIAS); + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider# + * getEncryptionKeyPassword() + */ + @Override + public String getEncryptionKeyPassword() { + return authConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD); + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthMetadataConfiguration.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthMetadataConfiguration.java new file mode 100644 index 00000000..93aefb42 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthMetadataConfiguration.java @@ -0,0 +1,471 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; + + +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collection; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.data.Triple; +import at.gv.egiz.eaaf.modules.pvp2.api.IPvp2BasicConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataBuilderConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder; + +import org.opensaml.saml.saml2.core.Attribute; +import org.opensaml.saml.saml2.core.NameIDType; +import org.opensaml.saml.saml2.metadata.ContactPerson; +import org.opensaml.saml.saml2.metadata.Organization; +import org.opensaml.saml.saml2.metadata.RequestedAttribute; +import org.opensaml.security.credential.Credential; + +import lombok.extern.slf4j.Slf4j; + +/** + * Configuration object to generate PVP S-Profile metadata for SAML2 client. + * + * @author tlenz + * + */ +@Slf4j +public class IdAustriaClientAuthMetadataConfiguration implements IPvpMetadataBuilderConfiguration { + + private Collection additionalAttributes = null; + + private final String authUrl; + private final IdAustriaClientAuthCredentialProvider credentialProvider; + private final IPvp2BasicConfiguration pvpConfiguration; + + /** + * Configuration object to create PVP2 S-Profile metadata information. + * + * @param authUrl Public URL prefix of the application + * @param credentialProvider Credentials used by PVP2 S-Profile end-point + * @param pvpConfiguration Basic PVP2 S-Profile end-point configuration + */ + public IdAustriaClientAuthMetadataConfiguration(String authUrl, + IdAustriaClientAuthCredentialProvider credentialProvider, + IPvp2BasicConfiguration pvpConfiguration) { + this.authUrl = authUrl; + this.credentialProvider = credentialProvider; + this.pvpConfiguration = pvpConfiguration; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getMetadataValidUntil() + */ + @Override + public int getMetadataValidUntil() { + return IdAustriaClientAuthConstants.METADATA_VALIDUNTIL_IN_HOURS; + + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * buildEntitiesDescriptorAsRootElement() + */ + @Override + public boolean buildEntitiesDescriptorAsRootElement() { + return false; + + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * buildIDPSSODescriptor() + */ + @Override + public boolean buildIdpSsoDescriptor() { + return false; + + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * buildSPSSODescriptor() + */ + @Override + public boolean buildSpSsoDescriptor() { + return true; + + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getEntityIDPostfix() + */ + @Override + public String getEntityID() { + return authUrl + IdAustriaClientAuthConstants.ENDPOINT_METADATA; + + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getEntityFriendlyName() + */ + @Override + public String getEntityFriendlyName() { + return null; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getContactPersonInformation() + */ + @Override + public List getContactPersonInformation() { + try { + return pvpConfiguration.getIdpContacts(); + + } catch (final EaafException e) { + log.warn("Can not load Metadata entry: Contect Person", e); + return null; + + } + + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getOrgansiationInformation() + */ + @Override + public Organization getOrgansiationInformation() { + try { + return pvpConfiguration.getIdpOrganisation(); + + } catch (final EaafException e) { + log.warn("Can not load Metadata entry: Organisation", e); + return null; + + } + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getMetadataSigningCredentials() + */ + @Override + public EaafX509Credential getMetadataSigningCredentials() throws CredentialsNotAvailableException { + return credentialProvider.getMetaDataSigningCredential(); + + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getRequestorResponseSigningCredentials() + */ + @Override + public Credential getRequestorResponseSigningCredentials() throws CredentialsNotAvailableException { + return credentialProvider.getMessageSigningCredential(); + + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getEncryptionCredentials() + */ + @Override + public Credential getEncryptionCredentials() throws CredentialsNotAvailableException { + return credentialProvider.getMessageEncryptionCredential(); + + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getIDPWebSSOPostBindingURL() + */ + @Override + public String getIdpWebSsoPostBindingUrl() { + return null; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getIDPWebSSORedirectBindingURL() + */ + @Override + public String getIdpWebSsoRedirectBindingUrl() { + return null; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getIDPSLOPostBindingURL() + */ + @Override + public String getIdpSloPostBindingUrl() { + return null; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getIDPSLORedirectBindingURL() + */ + @Override + public String getIdpSloRedirectBindingUrl() { + return null; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getSPAssertionConsumerServicePostBindingURL() + */ + @Override + public String getSpAssertionConsumerServicePostBindingUrl() { + return authUrl + IdAustriaClientAuthConstants.ENDPOINT_POST; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getSPAssertionConsumerServiceRedirectBindingURL() + */ + @Override + public String getSpAssertionConsumerServiceRedirectBindingUrl() { + return authUrl + IdAustriaClientAuthConstants.ENDPOINT_REDIRECT; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getSPSLOPostBindingURL() + */ + @Override + public String getSpSloPostBindingUrl() { + return null; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getSPSLORedirectBindingURL() + */ + @Override + public String getSpSloRedirectBindingUrl() { + return null; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getSPSLOSOAPBindingURL() + */ + @Override + public String getSpSloSoapBindingUrl() { + return null; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getIDPPossibleAttributes() + */ + @Override + public List getIdpPossibleAttributes() { + return null; + } + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getIDPPossibleNameITTypes() + */ + @Override + public List getIdpPossibleNameIdTypes() { + return null; + } + + + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getSPRequiredAttributes() + */ + @Override + public Collection getSpRequiredAttributes() { + final Map requestedAttributes = new HashMap<>(); + + if (pvpConfiguration.getBasicConfiguration().getBasicConfigurationBoolean( + AuthHandlerConstants.PROP_CONFIG_LEGACY_ALLOW, false)) { + log.trace("Build required attributes for legacy operaton ... "); + injectDefinedAttributes(requestedAttributes, + IdAustriaClientAuthConstants.DEFAULT_REQUIRED_PVP_ATTRIBUTES_WITHOUT_EID); + + } else { + log.trace("Build required attributes for E-ID operaton ... "); + injectDefinedAttributes(requestedAttributes, + IdAustriaClientAuthConstants.DEFAULT_REQUIRED_PVP_ATTRIBUTES); + + } + + if (additionalAttributes != null) { + log.trace("Add additional PVP attributes into metadata ... "); + for (final RequestedAttribute el : additionalAttributes) { + if (requestedAttributes.containsKey(el.getName())) { + log.debug("Attribute " + el.getName() + + " is already added by default configuration. Overwrite it by user configuration"); + } + + requestedAttributes.put(el.getName(), el); + + } + } + + return requestedAttributes.values(); + + } + + + + /* + * (non-Javadoc) + * + * @see + * at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder# + * getSPAllowedNameITTypes() + */ + @Override + public List getSpAllowedNameIdTypes() { + return Arrays.asList(NameIDType.PERSISTENT); + + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPMetadataBuilderConfiguration#getSPNameForLogging() + */ + @Override + public String getSpNameForLogging() { + return IdAustriaClientAuthConstants.MODULE_NAME_FOR_LOGGING; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPMetadataBuilderConfiguration#wantAssertionSigned() + */ + @Override + public boolean wantAssertionSigned() { + return false; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPMetadataBuilderConfiguration#wantAuthnRequestSigned() + */ + @Override + public boolean wantAuthnRequestSigned() { + return true; + } + + /** + * Add additonal PVP attributes that are required by this deployment. + * + * @param additionalAttr List of PVP attribute name and isRequired flag + */ + public void setAdditionalRequiredAttributes(List> additionalAttr) { + if (additionalAttr != null && !additionalAttr.isEmpty()) { + additionalAttributes = new ArrayList<>(); + for (final Pair el : additionalAttr) { + final Attribute attributBuilder = PvpAttributeBuilder.buildEmptyAttribute(el.getFirst()); + if (attributBuilder != null) { + additionalAttributes.add( + PvpAttributeBuilder.buildReqAttribute( + attributBuilder.getName(), + attributBuilder.getFriendlyName(), + el.getSecond())); + + } else { + log.info("NO PVP attribute with name: " + el.getFirst()); + } + + } + } + } + + private void injectDefinedAttributes(Map requestedAttributes, + List> attributes) { + for (final Triple el : attributes) { + requestedAttributes.put(el.getFirst(), PvpAttributeBuilder.buildReqAttribute(el.getFirst(), el + .getSecond(), el.getThird())); + + } + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthMetadataController.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthMetadataController.java new file mode 100644 index 00000000..a2966c7e --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthMetadataController.java @@ -0,0 +1,149 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; + + +import java.io.IOException; +import java.net.MalformedURLException; +import java.net.URL; +import java.util.ArrayList; +import java.util.List; +import java.util.Map; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import at.gv.egiz.eaaf.core.exceptions.EaafAuthenticationException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.http.HttpUtils; +import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController; +import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils; +import at.gv.egiz.eaaf.modules.pvp2.api.IPvp2BasicConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpMetadataBuilder; + +import org.apache.commons.lang3.StringUtils; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; + +import com.google.common.net.MediaType; +import lombok.extern.slf4j.Slf4j; + +/** + * Controller that generates SAML2 metadata for eIDAS authentication client. + * + * @author tlenz + * + */ +@Slf4j +@Controller +public class IdAustriaClientAuthMetadataController extends AbstractController { + + private static final String ERROR_CODE_INTERNAL_00 = "eaaf.core.00"; + + @Autowired + PvpMetadataBuilder metadatabuilder; + @Autowired + IdAustriaClientAuthCredentialProvider credentialProvider; + @Autowired + IPvp2BasicConfiguration pvpConfiguration; + + /** + * Default construction with logging. + * + */ + public IdAustriaClientAuthMetadataController() { + super(); + log.debug("Registering servlet " + getClass().getName() + + " with mappings '" + IdAustriaClientAuthConstants.ENDPOINT_METADATA + + "'."); + + } + + /** + * End-point that produce PVP2 metadata for eIDAS authentication client. + * + * @param req http Request + * @param resp http Response + * @throws IOException In case of an I/O error + * @throws EaafException In case of a metadata generation error + */ + @RequestMapping(value = IdAustriaClientAuthConstants.ENDPOINT_METADATA, + method = { RequestMethod.GET }) + public void getSpMetadata(HttpServletRequest req, HttpServletResponse resp) throws IOException, + EaafException { + // check PublicURL prefix + try { + final String authUrl = getAuthUrlFromHttpContext(req); + + // initialize metadata builder configuration + final IdAustriaClientAuthMetadataConfiguration metadataConfig = + new IdAustriaClientAuthMetadataConfiguration(authUrl, credentialProvider, pvpConfiguration); + metadataConfig.setAdditionalRequiredAttributes(getAdditonalRequiredAttributes()); + + // build metadata + final String xmlMetadata = metadatabuilder.buildPvpMetadata(metadataConfig); + + // write response + final byte[] content = xmlMetadata.getBytes("UTF-8"); + resp.setStatus(HttpServletResponse.SC_OK); + resp.setContentLength(content.length); + resp.setContentType(MediaType.XML_UTF_8.toString()); + resp.getOutputStream().write(content); + + } catch (final Exception e) { + log.warn("Build federated-authentication PVP metadata FAILED.", e); + protAuthService.handleErrorNoRedirect(e, req, resp, false); + + } + + } + + private String getAuthUrlFromHttpContext(HttpServletRequest req) throws EaafException { + // check if End-Point is valid + final String authUrlString = HttpUtils.extractAuthUrlFromRequest(req); + URL authReqUrl; + try { + authReqUrl = new URL(authUrlString); + + } catch (final MalformedURLException e) { + log.warn("Requested URL: {} is not a valid URL.", authUrlString); + throw new EaafAuthenticationException(ERROR_CODE_INTERNAL_00, new Object[] { authUrlString }, e); + + } + + final String idpAuthUrl = authConfig.validateIdpUrl(authReqUrl); + if (idpAuthUrl == null) { + log.warn("Requested URL: {} is NOT found in configuration.", authReqUrl); + throw new EaafAuthenticationException(ERROR_CODE_INTERNAL_00, new Object[] { authUrlString }); + + } + + return idpAuthUrl; + } + + private List> getAdditonalRequiredAttributes() { + final List> result = new ArrayList<>(); + + // load attributes from configuration + final Map addReqAttributes = authConfig.getBasicConfigurationWithPrefix( + IdAustriaClientAuthConstants.CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST); + for (final String el : addReqAttributes.values()) { + if (StringUtils.isNotEmpty(el)) { + log.trace("Parse additional attr. definition: " + el); + final List attr = KeyValueUtils.getListOfCsvValues(el.trim()); + if (attr.size() == 2) { + result.add(Pair.newInstance(attr.get(0), Boolean.parseBoolean(attr.get(1)))); + + } else { + log.info("IGNORE additional attr. definition: " + el + + " Reason: Format not valid"); + } + } + } + + return result; + + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthMetadataProvider.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthMetadataProvider.java new file mode 100644 index 00000000..46278ad8 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthMetadataProvider.java @@ -0,0 +1,169 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; + +import java.io.IOException; +import java.security.KeyStore; +import java.security.Provider; +import java.security.cert.CertificateException; +import java.text.MessageFormat; +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; + +import javax.annotation.PostConstruct; + +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.http.IHttpClientFactory; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.AbstractChainingMetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SchemaValidationFilter; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SimpleMetadataSignatureVerificationFilter; + +import org.apache.commons.lang3.StringUtils; +import org.opensaml.saml.metadata.resolver.MetadataResolver; +import org.opensaml.saml.metadata.resolver.filter.MetadataFilter; +import org.opensaml.saml.metadata.resolver.filter.MetadataFilterChain; +import org.springframework.beans.factory.annotation.Autowired; + +import lombok.extern.slf4j.Slf4j; + +/** + * SAML2 metadata-provider implementation for eIDAS client. + * + * @author tlenz + * + */ +@Slf4j +public class IdAustriaClientAuthMetadataProvider extends AbstractChainingMetadataProvider { + + private static final String FRIENDLYNAME_METADATA_TRUSTSTORE = "'eIDAS_client metadata truststore'"; + private static final String PROVIDER_ID_PATTERN = "eIDAS resolver: {0}"; + public static final String PROVIDER_ID = "'eIDAS_client metadata provider'"; + + @Autowired + private IConfiguration basicConfig; + + @Autowired + private PvpMetadataResolverFactory metadataProviderFactory; + @Autowired + private IHttpClientFactory httpClientFactory; + + @Autowired + private EaafKeyStoreFactory keyStoreFactory; + + private Pair metadataSigningTrustStore; + + @Override + protected String getMetadataUrl(String entityId) throws EaafConfigurationException { + log.trace("eIDAS Auth. uses SAML2 well-known location approach. EntityId is Metadata-URL"); + return entityId; + + } + + @Override + protected MetadataResolver createNewMetadataProvider(String entityId) throws EaafConfigurationException, + IOException, CertificateException { + final List filterList = new ArrayList<>(); + filterList.add(new SchemaValidationFilter(true)); + filterList.add(new SimpleMetadataSignatureVerificationFilter( + metadataSigningTrustStore.getFirst(), entityId)); + + final MetadataFilterChain filter = new MetadataFilterChain(); + filter.setFilters(filterList); + + try { + return metadataProviderFactory.createMetadataProvider(getMetadataUrl(entityId), + filter, + MessageFormat.format(PROVIDER_ID_PATTERN, entityId), + httpClientFactory.getHttpClient()); + + } catch (final Pvp2MetadataException e) { + log.info("Can NOT build metadata provider for entityId: {}", entityId); + throw new EaafConfigurationException("module.eidasauth.04", + new Object[] { entityId, e.getMessage() }, e); + + } + } + + @Override + protected List getAllMetadataUrlsFromConfiguration() throws EaafConfigurationException { + return Collections.emptyList(); + + } + + @Override + protected String getMetadataProviderId() { + return PROVIDER_ID; + + } + + @Override + public void runGarbageCollector() { + log.trace("Garbage collection is NOT supported by: {}", getId()); + } + + @Override + public void doDestroy() { + super.fullyDestroy(); + + } + + @PostConstruct + private void initialize() throws EaafException { + // initialize truststore to validate metadata signing certificates + initializeTrustStore(); + + // load metadata with metadataURL, as backup + initializeFileSystemMetadata(); + + } + + private void initializeFileSystemMetadata() { + try { + final String metadataUrl = basicConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_NODE_METADATAURL); + if (StringUtils.isNotEmpty(metadataUrl)) { + log.info("Use not recommended metadata-provider initialization!" + + " SAML2 'Well-Known-Location' is the preferred methode."); + log.info("Initialize 'ms-specific eIDAS node' metadata-provider with URL: {}", metadataUrl); + + addMetadataResolverIntoChain(createNewMetadataProvider(metadataUrl)); + } + + } catch (final EaafConfigurationException | CertificateException | IOException e) { + log.warn("Can NOT inject static eIDAS Node metadata-soure.", e); + log.warn("eIDAS Node communication can be FAIL."); + + } + } + + private void initializeTrustStore() throws EaafException { + // set configuration + final KeyStoreConfiguration trustStoreConfig = new KeyStoreConfiguration(); + trustStoreConfig.setFriendlyName(FRIENDLYNAME_METADATA_TRUSTSTORE); + trustStoreConfig.setKeyStoreType(basicConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_TRUSTSTORE_TYPE, + KeyStoreType.JKS.getKeyStoreType())); + trustStoreConfig.setKeyStoreName(basicConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_TRUSTSTORE_NAME)); + trustStoreConfig.setSoftKeyStoreFilePath(basicConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_TRUSTSTORE_PATH)); + trustStoreConfig.setSoftKeyStorePassword(basicConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_TRUSTSTORE_PASSWORD)); + + // validate configuration + trustStoreConfig.validate(); + + // open new TrustStore + metadataSigningTrustStore = keyStoreFactory.buildNewKeyStore(trustStoreConfig); + + } + +} + diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthRequestBuilderConfiguration.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthRequestBuilderConfiguration.java new file mode 100644 index 00000000..65b6a198 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/IdAustriaClientAuthRequestBuilderConfiguration.java @@ -0,0 +1,300 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; + +import java.util.List; + +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; +import at.gv.egiz.eaaf.modules.pvp2.sp.api.IPvpAuthnRequestBuilderConfiguruation; + +import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration; +import org.opensaml.saml.saml2.core.NameIDType; +import org.opensaml.saml.saml2.metadata.EntityDescriptor; +import org.w3c.dom.Element; + +public class IdAustriaClientAuthRequestBuilderConfiguration implements IPvpAuthnRequestBuilderConfiguruation { + + private boolean isPassive; + private String spEntityId; + private String qaaLevel; + private EntityDescriptor idpEntity; + private EaafX509Credential signCred; + private String scopeRequesterId; + private String providerName; + private List requestedAttributes; + private String reqId; + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#isPassivRequest() + */ + @Override + public Boolean isPassivRequest() { + return this.isPassive; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getAssertionConsumerServiceId() + */ + @Override + public Integer getAssertionConsumerServiceId() { + return 0; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getEntityID() + */ + @Override + public String getSpEntityID() { + return this.spEntityId; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy() + */ + @Override + public String getNameIdPolicyFormat() { + return NameIDType.PERSISTENT; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy() + */ + @Override + public boolean getNameIdPolicyAllowCreation() { + return true; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getAuthnContextClassRef() + */ + @Override + public String getAuthnContextClassRef() { + return this.qaaLevel; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getAuthnContextComparison() + */ + @Override + public AuthnContextComparisonTypeEnumeration getAuthnContextComparison() { + return AuthnContextComparisonTypeEnumeration.MINIMUM; + } + + /** + * Set isPassive flag in SAML2 request. + * + * @param isPassive the isPassive to set. + */ + public void setPassive(boolean isPassive) { + this.isPassive = isPassive; + } + + /** + * Set the requester EntityId. + * + * @param spEntityId EntityId of SP + */ + public void setSpEntityID(String spEntityId) { + this.spEntityId = spEntityId; + } + + /** + * Set required LoA. + * + * @param loa the LoA to set. + */ + public void setRequestedLoA(String loa) { + qaaLevel = loa; + } + + /** + * Set EntityId of IDP. + * + * @param idpEntity the idpEntity to set. + */ + public void setIdpEntity(EntityDescriptor idpEntity) { + this.idpEntity = idpEntity; + } + + /** + * Set message signing credentials. + * + * @param signCred the signCred to set. + */ + public void setSignCred(EaafX509Credential signCred) { + this.signCred = signCred; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getAuthnRequestSigningCredential() + */ + @Override + public EaafX509Credential getAuthnRequestSigningCredential() { + return this.signCred; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getIDPEntityDescriptor() + */ + @Override + public EntityDescriptor getIdpEntityDescriptor() { + return this.idpEntity; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getSubjectNameID() + */ + @Override + public String getSubjectNameID() { + return null; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getSPNameForLogging() + */ + @Override + public String getSpNameForLogging() { + return IdAustriaClientAuthConstants.MODULE_NAME_FOR_LOGGING; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDFormat() + */ + @Override + public String getSubjectNameIdFormat() { + return null; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getRequestID() + */ + @Override + public String getRequestID() { + return this.reqId; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDQualifier() + */ + @Override + public String getSubjectNameIdQualifier() { + return null; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationMethode() + */ + @Override + public String getSubjectConformationMethode() { + return null; + } + + /* + * (non-Javadoc) + * + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config. + * IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationDate() + */ + @Override + public Element getSubjectConformationDate() { + return null; + } + + @Override + public List getRequestedAttributes() { + return this.requestedAttributes; + + } + + @Override + public String getProviderName() { + return this.providerName; + } + + @Override + public String getScopeRequesterId() { + return this.scopeRequesterId; + } + + /** + * Set the entityId of the SP that requests the proxy for eIDAS authentication. + * + * @param scopeRequesterId RequestId in SAML2 Proxy extension + */ + public void setScopeRequesterId(String scopeRequesterId) { + this.scopeRequesterId = scopeRequesterId; + } + + /** + * Set a friendlyName for the SP that requests the proxy for eIDAS + * authentication. + * + * @param providerName SAML2 provider-name attribute-value + */ + public void setProviderName(String providerName) { + this.providerName = providerName; + } + + /** + * Set a Set of PVP attributes that a requested by using requested attributes. + * + * @param requestedAttributes Requested SAML2 attributes + */ + public void setRequestedAttributes(List requestedAttributes) { + this.requestedAttributes = requestedAttributes; + } + + /** + * Set a RequestId for this Authn. Request. + * + * @param reqId SAML2 message requestId + */ + public void setRequestId(String reqId) { + this.reqId = reqId; + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/MisException.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/MisException.java new file mode 100644 index 00000000..71826d23 --- /dev/null +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/idaustriaclient/MisException.java @@ -0,0 +1,17 @@ +package at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient; + +import at.gv.egiz.eaaf.core.exceptions.EaafException; + +public class MisException extends EaafException { + + private static final long serialVersionUID = 1L; + + public MisException(final String errorId, final Object[] params) { + super(errorId, params); + } + + public MisException(final String errorId, final Object[] params, final Throwable e) { + super(errorId, params, e); + } + +} diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateMobilePhoneSignatureRequestTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateMobilePhoneSignatureRequestTask.java index 5f242c1b..aa8deb2b 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateMobilePhoneSignatureRequestTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/GenerateMobilePhoneSignatureRequestTask.java @@ -23,11 +23,11 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.idAustriaClient.IdAustriaClientAuthConstants; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.idAustriaClient.IdAustriaClientAuthCredentialProvider; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.idAustriaClient.IdAustriaClientAuthMetadataProvider; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.idAustriaClient.IdAustriaClientAuthRequestBuilderConfiguration; -import at.asitplus.eidas.specific.modules.auth.eidas.v2.idAustriaClient.IAhSpConfiguration; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthCredentialProvider; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthMetadataProvider; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthRequestBuilderConfiguration; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IAhSpConfiguration; import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions; import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; @@ -75,9 +75,6 @@ public class GenerateMobilePhoneSignatureRequestTask extends AbstractAuthServlet IdAustriaClientAuthCredentialProvider credential; @Autowired IdAustriaClientAuthMetadataProvider metadataService; - // @Autowired - // ITransactionStorage transactionStorage; - @Override public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) @@ -136,9 +133,6 @@ public class GenerateMobilePhoneSignatureRequestTask extends AbstractAuthServlet authnReqBuilder.buildAuthnRequest(pendingReq, authnReqConfig, relayState, response); - //MsEidasNodeConstants.ENDPOINT_PVP_POST - //MsEidasNodeConstants.ENDPOINT_PVP_METADATA - //TODO } catch (final Exception e) { log.error("Initial search FAILED.", e); diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask.java index b598cb92..9e6aa7cc 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask.java @@ -29,18 +29,59 @@ import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.RegisterResult; import at.asitplus.eidas.specific.modules.auth.eidas.v2.dao.SimpleEidasData; import at.asitplus.eidas.specific.modules.auth.eidas.v2.ernp.IErnpClient; import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.ManualFixNecessaryException; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.AhAuthProcessDataWrapper; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.AuthHandlerConstants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.EidasAuthEventConstants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthConstants; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthCredentialProvider; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.IdAustriaClientAuthMetadataProvider; +import at.asitplus.eidas.specific.modules.auth.eidas.v2.idaustriaclient.MisException; import at.asitplus.eidas.specific.modules.auth.eidas.v2.utils.Utils; import at.asitplus.eidas.specific.modules.auth.eidas.v2.zmr.IZmrClient; +import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions; +import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.EaafBuilderException; +import at.gv.egiz.eaaf.core.exceptions.EaafStorageException; import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper; import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl; +import at.gv.egiz.eaaf.modules.pvp2.api.binding.IDecoder; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; +import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding; +import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EaafUriCompare; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine; +import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionValidationExeption; +import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnResponseValidationException; +import at.gv.egiz.eaaf.modules.pvp2.sp.impl.utils.AssertionAttributeExtractor; import lombok.extern.slf4j.Slf4j; +import org.apache.commons.lang3.StringUtils; +import org.opensaml.core.xml.io.MarshallingException; +import org.opensaml.messaging.decoder.MessageDecodingException; +import org.opensaml.saml.saml2.core.Response; +import org.opensaml.saml.saml2.core.StatusCode; +import org.opensaml.saml.saml2.metadata.IDPSSODescriptor; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; +import javax.naming.ConfigurationException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.xml.transform.TransformerException; +import java.io.IOException; +import java.util.Arrays; +import java.util.Base64; import java.util.List; +import java.util.Set; /** * Task that searches ErnB and ZMR before adding person to SZR. @@ -51,6 +92,31 @@ import java.util.List; @Component("ReceiveMobilePhoneSignatureResponseTask") public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends AbstractAuthServletTask { + @Autowired + private SamlVerificationEngine samlVerificationEngine; + @Autowired + private IdAustriaClientAuthCredentialProvider credentialProvider; + @Autowired(required = true) + IdAustriaClientAuthMetadataProvider metadataProvider; + + private static final String ERROR_PVP_03 = "sp.pvp2.03"; + private static final String ERROR_PVP_05 = "sp.pvp2.05"; + private static final String ERROR_PVP_06 = "sp.pvp2.06"; + private static final String ERROR_PVP_08 = "sp.pvp2.08"; + private static final String ERROR_PVP_10 = "sp.pvp2.10"; + private static final String ERROR_PVP_11 = "sp.pvp2.11"; + private static final String ERROR_PVP_12 = "sp.pvp2.12"; + + private static final String ERROR_MSG_00 = + "Receive INVALID PVP Response from federated IDP"; + private static final String ERROR_MSG_01 = + "Processing PVP response from 'ms-specific eIDAS node' FAILED."; + private static final String ERROR_MSG_02 = + "PVP response decrytion FAILED. No credential found."; + private static final String ERROR_MSG_03 = + "PVP response validation FAILED."; + + private final IErnpClient ernpClient; private final IZmrClient zmrClient; @@ -71,6 +137,123 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends SimpleEidasData eidData = authProcessData.getGenericDataFromSession(Constants.DATA_SIMPLE_EIDAS, SimpleEidasData.class); + + InboundMessage msg = null; + + try { + + IDecoder decoder = null; + EaafUriCompare comperator = null; + // select Response Binding + if (request.getMethod().equalsIgnoreCase("POST")) { + decoder = new PostBinding(); + comperator = new EaafUriCompare(pendingReq.getAuthUrl() + IdAustriaClientAuthConstants.ENDPOINT_POST); + log.trace("Receive PVP Response from 'ID Austria node', by using POST-Binding."); + + } else if (request.getMethod().equalsIgnoreCase("GET")) { + decoder = new RedirectBinding(); + comperator = new EaafUriCompare(pendingReq.getAuthUrl() + + IdAustriaClientAuthConstants.ENDPOINT_REDIRECT); + log.trace("Receive PVP Response from 'ID Austria node', by using Redirect-Binding."); + + } else { + log.warn("Receive PVP Response, but Binding (" + + request.getMethod() + ") is not supported."); + throw new AuthnResponseValidationException(ERROR_PVP_03, new Object[]{ + IdAustriaClientAuthConstants.MODULE_NAME_FOR_LOGGING}); + + } + + // decode PVP response object + msg = (InboundMessage) decoder.decode( + request, response, metadataProvider, IDPSSODescriptor.DEFAULT_ELEMENT_NAME, + comperator); + + // validate response signature + if (!msg.isVerified()) { + samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine( + metadataProvider)); + msg.setVerified(true); + + } + + // validate assertion + final Pair processedMsg = + preProcessAuthResponse((PvpSProfileResponse) msg); + + //check if SAML2 response contains user-stop decision + if (processedMsg.getSecond()) { + stopProcessFromUserDecision(executionContext, request, response); + + } else { + // validate entityId of response + final String msNodeEntityID = authConfig.getBasicConfiguration( + IdAustriaClientAuthConstants.CONFIG_PROPS_NODE_ENTITYID); + final String respEntityId = msg.getEntityID(); + if (!msNodeEntityID.equals(respEntityId)) { + log.warn("Response Issuer is not a 'ms-specific eIDAS node'. Stopping eIDAS authentication ..."); + throw new AuthnResponseValidationException(ERROR_PVP_08, + new Object[]{IdAustriaClientAuthConstants.MODULE_NAME_FOR_LOGGING, + msg.getEntityID()}); + + } + + // initialize Attribute extractor + final AssertionAttributeExtractor extractor = + new AssertionAttributeExtractor(processedMsg.getFirst().getResponse()); + + getAuthDataFromInterfederation(extractor); + + // set NeedConsent to false, because user gives consont during authentication + pendingReq.setNeedUserConsent(false); + + // store pending-request + requestStoreage.storePendingRequest(pendingReq); + + //set E-ID process flag to execution context + final AhAuthProcessDataWrapper session = pendingReq.getSessionData( + AhAuthProcessDataWrapper.class); + executionContext.put(AuthHandlerConstants.PROCESSCONTEXT_WAS_EID_PROCESS, session.isEidProcess()); + executionContext.put(AuthHandlerConstants.HTTP_PARAM_USE_MANDATES, session.isMandateUsed()); + + + log.info("Receive a valid assertion from IDP " + msg.getEntityID()); + + } + + } catch (final AuthnResponseValidationException e) { + throw new TaskExecutionException(pendingReq, ERROR_MSG_03, e); + + } catch (MessageDecodingException | SecurityException | SamlSigningException e) { + //final String samlRequest = request.getParameter("SAMLRequest"); + //log.debug("Receive INVALID PVP Response from 'ms-specific eIDAS node': {}", + // samlRequest, null, e); + throw new TaskExecutionException(pendingReq, ERROR_MSG_00, + new AuthnResponseValidationException(ERROR_PVP_11, + new Object[]{IdAustriaClientAuthConstants.MODULE_NAME_FOR_LOGGING}, e)); + + } catch (IOException | MarshallingException | TransformerException e) { + log.debug("Processing PVP response from 'ms-specific eIDAS node' FAILED.", e); + throw new TaskExecutionException(pendingReq, ERROR_MSG_01, + new AuthnResponseValidationException(ERROR_PVP_12, + new Object[]{IdAustriaClientAuthConstants.MODULE_NAME_FOR_LOGGING, e.getMessage()}, + e)); + + } catch (final CredentialsNotAvailableException e) { + log.debug("PVP response decrytion FAILED. No credential found.", e); + throw new TaskExecutionException(pendingReq, ERROR_MSG_02, + new AuthnResponseValidationException(ERROR_PVP_10, + new Object[]{IdAustriaClientAuthConstants.MODULE_NAME_FOR_LOGGING}, e)); + + } catch (final Exception e) { + log.debug("PVP response validation FAILED. Msg:" + e.getMessage(), e); + throw new TaskExecutionException(pendingReq, ERROR_MSG_03, + new AuthnResponseValidationException(ERROR_PVP_12, + new Object[]{IdAustriaClientAuthConstants.MODULE_NAME_FOR_LOGGING, e.getMessage()}, e)); + + } + + //TODO extract bPK-ZP from response String bpkzp = "TODO"; MergedRegisterSearchResult result = searchInZmrAndErnp(bpkzp); @@ -93,6 +276,165 @@ public class ReceiveMobilePhoneSignatureResponseAndSearchInRegistersTask extends } } + private Pair preProcessAuthResponse(PvpSProfileResponse msg) + throws IOException, MarshallingException, TransformerException, + CredentialsNotAvailableException, AuthnResponseValidationException, SamlAssertionValidationExeption { + log.debug("Start PVP21 assertion processing... "); + final Response samlResp = (Response) msg.getResponse(); + + // check SAML2 response status-code + if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS)) { + // validate PVP 2.1 assertion + samlVerificationEngine.validateAssertion(samlResp, + credentialProvider.getMessageEncryptionCredential(), + pendingReq.getAuthUrl() + IdAustriaClientAuthConstants.ENDPOINT_METADATA, + IdAustriaClientAuthConstants.MODULE_NAME_FOR_LOGGING); + + msg.setSamlMessage(Saml2Utils.asDomDocument(samlResp).getDocumentElement()); + revisionsLogger.logEvent(pendingReq, + EidasAuthEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_RECEIVED, + samlResp.getID()); + return Pair.newInstance(msg, false); + + } else { + log.info("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue() + + " from 'ms-specific eIDAS node'."); + StatusCode subStatusCode = getSubStatusCode(samlResp); + if (subStatusCode != null + && IdAustriaClientAuthConstants.SAML2_STATUSCODE_USERSTOP.equals(subStatusCode.getValue())) { + log.info("Find 'User-Stop operation' in SAML2 response. Stopping authentication process ... "); + return Pair.newInstance(msg, true); + + } + + revisionsLogger.logEvent(pendingReq, + EidasAuthEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_RECEIVED_ERROR); + throw new AuthnResponseValidationException(ERROR_PVP_05, + new Object[]{IdAustriaClientAuthConstants.MODULE_NAME_FOR_LOGGING, + samlResp.getIssuer().getValue(), + samlResp.getStatus().getStatusCode().getValue(), + samlResp.getStatus().getStatusMessage().getMessage()}); + + } + + } + + /** + * Get SAML2 Sub-StatusCode if not null. + * + * @param samlResp SAML2 response + * @return Sub-StatusCode or null if it's not set + */ + private StatusCode getSubStatusCode(Response samlResp) { + if (samlResp.getStatus().getStatusCode().getStatusCode() != null + && StringUtils.isNotEmpty(samlResp.getStatus().getStatusCode().getStatusCode().getValue())) { + return samlResp.getStatus().getStatusCode().getStatusCode(); + } + return null; + } + + private void getAuthDataFromInterfederation(AssertionAttributeExtractor extractor) + throws EaafBuilderException, ConfigurationException { + + List requiredEidasNodeAttributes = IdAustriaClientAuthConstants.DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES; + if (authConfig.getBasicConfigurationBoolean( + AuthHandlerConstants.PROP_CONFIG_LEGACY_ALLOW, false)) { + log.trace("Build required attributes for legacy operaton ... "); + requiredEidasNodeAttributes = Arrays.asList( + PvpAttributeDefinitions.PVP_VERSION_NAME, + PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME, + PvpAttributeDefinitions.EID_ISSUING_NATION_NAME); + + } + + try { + // check if all attributes are include + if (!extractor.containsAllRequiredAttributes() + || !extractor.containsAllRequiredAttributes( + requiredEidasNodeAttributes)) { + log.warn("PVP Response from 'ms-specific eIDAS node' contains not all requested attributes."); + throw new AssertionValidationExeption(ERROR_PVP_06, new Object[]{ + IdAustriaClientAuthConstants.MODULE_NAME_FOR_LOGGING}); + + } + + // copy attributes into MOASession + final AhAuthProcessDataWrapper session = pendingReq.getSessionData( + AhAuthProcessDataWrapper.class); + final Set includedAttrNames = extractor.getAllIncludeAttributeNames(); + for (final String attrName : includedAttrNames) { + injectAuthInfosIntoSession(session, attrName, + extractor.getSingleAttributeValue(attrName)); + + } + + //set piiTransactionId from eIDAS Connector + String piiTransactionId = extractor.getSingleAttributeValue( + ExtendedPvpAttributeDefinitions.EID_PII_TRANSACTION_ID_NAME); + if (StringUtils.isNotEmpty(piiTransactionId) && pendingReq instanceof RequestImpl) { + log.info("Receive piiTransactionId from Austrian eIDAS Connector. Use this for further processing"); + ((RequestImpl) pendingReq).setUniquePiiTransactionIdentifier(piiTransactionId); + + } else { + log.debug("Receive no piiTransactionId from Austrian eIDAS Connector."); + + } + + // set foreigner flag + session.setForeigner(true); + + // set IssuerInstant from Assertion + session.setIssueInstant(extractor.getAssertionIssuingDate()); + + // set CCE URL + if (extractor.getFullAssertion().getIssuer() != null + && StringUtils.isNotEmpty(extractor.getFullAssertion().getIssuer().getValue())) { + session.setVdaUrl(extractor.getFullAssertion().getIssuer().getValue()); + + } else { + session.setVdaUrl("eIDAS_Authentication"); + + } + + } catch (final EaafStorageException | MisException | AssertionValidationExeption | IOException e) { + throw new EaafBuilderException(ERROR_PVP_06, null, e.getMessage(), e); + + } + } + + private void injectAuthInfosIntoSession(AhAuthProcessDataWrapper session, String attrName, String attrValue) + throws EaafStorageException, MisException, IOException { + log.trace("Inject attribute: {} with value: {} into AuthSession", attrName, attrValue); + log.debug("Inject attribute: {} into AuthSession", attrName); + + if (ExtendedPvpAttributeDefinitions.EID_EIDBIND_NAME.equals(attrName)) { + log.debug("Find eidasBind attribute. Switching to E-ID mode ... "); + session.setEidProcess(true); + session.setQcBind(attrValue); + // session.setVsz(extractVszFromEidasBind(attrValue)); + //T + + } else if (ExtendedPvpAttributeDefinitions.EID_AUTHBLOCK_SIGNED_NAME.equals(attrName)) { + session.setSignedAuthBlock(Base64.getDecoder().decode(attrValue)); + session.setSignedAuthBlockType(AuthHandlerConstants.AuthBlockType.JWS); + + } else if (PvpAttributeDefinitions.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME.equals(attrName)) { + session.setQaaLevel(attrValue); + + // } else if (ExtendedPvpAttributeDefinitions.EID_MIS_MANDATE_NAME.equals(attrName) + // && authConfig.getBasicConfigurationBoolean( + // IdAustriaClientAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_ACTIVE, false)) { + // session.setMandateDate(new SignedMandateDao(attrValue)); + // session.setUseMandates(true); + // + } else { + session.setGenericDataToSession(attrName, attrValue); + + } + + } + + private MergedRegisterSearchResult searchInZmrAndErnp(String bpkzp) { List resultsZmr = zmrClient.searchWithBpkZp(bpkzp); List resultsErnp = ernpClient.searchWithBpkZp(bpkzp); -- cgit v1.2.3