From 31bc1246bb56fcd8807678e3f7516023bdfaed44 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 20 Jul 2018 10:56:04 +0200 Subject: add SZR client add different logging backends define errorcodes and error messages update to eIDAS Ref. impl 2.1 --- .../tasks/GenerateAuthnRequestTask.java | 425 +++++++++------------ 1 file changed, 187 insertions(+), 238 deletions(-) (limited to 'eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/tasks/GenerateAuthnRequestTask.java') diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/tasks/GenerateAuthnRequestTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/tasks/GenerateAuthnRequestTask.java index 358b681e..da554249 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/tasks/GenerateAuthnRequestTask.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/gv/egiz/eidas/specific/modules/authmodule_eIDASv2/tasks/GenerateAuthnRequestTask.java @@ -2,66 +2,64 @@ *******************************************************************************/ package at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.tasks; -import java.io.StringWriter; -import java.util.ArrayList; -import java.util.Collection; -import java.util.List; +import java.util.Map; import java.util.UUID; +import java.util.regex.Matcher; +import java.util.regex.Pattern; +import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.apache.commons.lang3.BooleanUtils; -import org.apache.velocity.Template; -import org.apache.velocity.VelocityContext; -import org.apache.velocity.app.VelocityEngine; -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.SingleSignOnService; -import org.opensaml.saml2.metadata.provider.MetadataProviderException; +import org.apache.commons.lang3.StringUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.ApplicationContext; import org.springframework.stereotype.Component; -import org.springframework.util.StringUtils; +import org.springframework.web.util.UriComponentsBuilder; -import com.google.common.net.MediaType; +import com.google.common.collect.ImmutableSortedSet; +import at.gv.egiz.eaaf.core.api.data.EAAFConstants; +import at.gv.egiz.eaaf.core.api.gui.IGUIFormBuilder; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage; +import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import at.gv.egiz.eidas.specific.connector.gui.StaticGuiBuilderConfiguration; import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.Constants; -import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; -import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; -import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider; -import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; -import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; -import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; -import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; -import at.gv.egovernment.moa.id.commons.api.IRequest; -import at.gv.egovernment.moa.id.commons.api.data.CPEPS; -import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute; -import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; -import at.gv.egovernment.moa.id.process.api.ExecutionContext; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MiscUtil; -import eu.eidas.auth.commons.EidasStringUtil; +import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.exception.eIDASAuthenticationException; +import at.gv.egiz.eidas.specific.modules.authmodule_eIDASv2.service.eIDASAttributeRegistry; +import eu.eidas.auth.commons.EidasParameterKeys; import eu.eidas.auth.commons.attribute.AttributeDefinition; -import eu.eidas.auth.commons.attribute.AttributeDefinition.Builder; -import eu.eidas.auth.commons.light.impl.LightRequest; import eu.eidas.auth.commons.attribute.ImmutableAttributeMap; -import eu.eidas.auth.commons.protocol.IRequestMessage; -import eu.eidas.auth.commons.protocol.eidas.LevelOfAssurance; -import eu.eidas.auth.commons.protocol.eidas.LevelOfAssuranceComparison; +import eu.eidas.auth.commons.light.ILightRequest; +import eu.eidas.auth.commons.light.impl.LightRequest; import eu.eidas.auth.commons.protocol.eidas.SpType; -import eu.eidas.auth.commons.protocol.eidas.impl.EidasAuthenticationRequest; +import eu.eidas.auth.commons.tx.BinaryLightToken; +import eu.eidas.specificcommunication.BinaryLightTokenHelper; +import eu.eidas.specificcommunication.SpecificCommunicationDefinitionBeanNames; +import eu.eidas.specificcommunication.exception.SpecificCommunicationException; +import eu.eidas.specificcommunication.protocol.impl.SpecificConnectorCommunicationServiceImpl; /** * @author tlenz * - */ -@Component("GenerateAuthnRequestTask") + */ +@Component("ConnecteIDASNodeTask") public class GenerateAuthnRequestTask extends AbstractAuthServletTask { - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.process.springweb.MoaIdTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) - */ + private static final Logger log = LoggerFactory.getLogger(GenerateAuthnRequestTask.class); + + @Autowired IConfiguration basicConfig; + @Autowired eIDASAttributeRegistry attrRegistry; + @Autowired ApplicationContext context; + @Autowired ITransactionStorage transactionStore; + @Autowired IGUIFormBuilder guiBuilder; + @Override public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) @@ -69,245 +67,196 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { try{ //get service-provider configuration - IOAAuthParameters oaConfig = pendingReq.getOnlineApplicationConfiguration(); + ISPConfiguration spConfig = pendingReq.getServiceProviderConfiguration(); // get target and validate citizen countryCode - String citizenCountryCode = (String) executionContext.get(MOAIDAuthConstants.PARAM_CCC); + String citizenCountryCode = (String) executionContext.get(Constants.EXECUTIONCONTEXT_SELECTED_COUNTRY); if (StringUtils.isEmpty(citizenCountryCode)) { // illegal state; task should not have been executed without a selected country - throw new AuthenticationException("eIDAS.03", new Object[] { "" }); + throw new eIDASAuthenticationException("eidas.03", new Object[] { "" }); } - CPEPS cpeps = authConfig.getStorkConfig().getCPEPSWithFullName(citizenCountryCode); - if(null == cpeps) { - Logger.error("PEPS unknown for country: " + citizenCountryCode); - throw new AuthenticationException("eIDAS.04", new Object[] {citizenCountryCode}); - } - Logger.debug("Found eIDaS Node/C-PEPS configuration for citizen of country: " + citizenCountryCode); - - //TODO: load authnReq End-Point URL from configuration - SingleSignOnService authnReqEndpoint = null; + //TODO: maybe add countryCode validation before request ref. impl. eIDAS node + log.debug("Request eIDAS auth. for citizen of country: " + citizenCountryCode); - + //TODO: switch to entityID and set new status codes -// revisionsLogger.logEvent(oaConfig, pendingReq, -// MOAIDEventConstants.AUTHPROCESS_PEPS_SELECTED, -// metadataUrl); + //revisionsLogger.logEvent(oaConfig, pendingReq, MOAIDEventConstants.AUTHPROCESS_PEPS_SELECTED, metadataUrl); - // assemble requested attributes - Collection attributesFromConfig = oaConfig.getRequestedSTORKAttributes(); - - // - prepare attribute list - - // - fill container - List> reqAttrList = new ArrayList>(); - //TODO: update requested attribute builder -// for (StorkAttribute current : attributesFromConfig) { -// AttributeDefinition newAttribute = SAMLEngineUtils.getMapOfAllAvailableAttributes().get(current.getName()); -// -// if (newAttribute == null) { -// Logger.warn("eIDAS attribute with friendlyName:" + current.getName() + " is not supported."); -// -// } else { -// boolean globallyMandatory = false; -// for (StorkAttribute currentGlobalAttribute : authConfig.getStorkConfig().getStorkAttributes()) -// if (current.getName().equals(currentGlobalAttribute.getName())) { -// globallyMandatory = BooleanUtils.isTrue(currentGlobalAttribute.getMandatory()); -// break; -// } -// -// Builder attrBuilder = AttributeDefinition.builder(newAttribute).required(current.getMandatory() || globallyMandatory); -// reqAttrList.add(attrBuilder.build()); -// -// } -// } - - //request -// if (reqAttrList.isEmpty()) { -// Logger.info("No attributes requested by OA:" + pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix() -// + " --> Request attr:" + Constants.eIDAS_ATTR_PERSONALIDENTIFIER + " by default"); -// AttributeDefinition newAttribute = SAMLEngineUtils.getMapOfAllAvailableAttributes().get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER); -// Builder attrBuilder = AttributeDefinition.builder(newAttribute).required(true); -// reqAttrList.add(attrBuilder.build()); -// -// } - - //build requested attribute set - ImmutableAttributeMap reqAttrMap = new ImmutableAttributeMap.Builder().putAll(reqAttrList).build(); //build eIDAS AuthnRequest - LightRequest.Builder authnRequestBuilder = LightRequest.builder(); - + LightRequest.Builder authnRequestBuilder = LightRequest.builder(); authnRequestBuilder.id(UUID.randomUUID().toString()); - authnRequestBuilder.providerName(pendingReq.getAuthURL()); - String issur = pendingReq.getAuthURL() + Constants.eIDAS_HTTP_ENDPOINT_METADATA; - authnRequestBuilder.issuer(issur); - //TODO: - //authnRequestBuilder.destination(authnReqEndpoint.getLocation()); - - authnRequestBuilder.nameIdFormat(Constants.eIDAS_REQ_NAMEID_FORMAT); + String issur = basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_ENTITYID); + if (StringUtils.isEmpty(issur)) { + log.error("Found NO 'eIDAS node issuer' in configuration. Authentication NOT possible!"); + throw new EAAFConfigurationException("Found NO 'eIDAS node issuer' in configuration. Authentication NOT possible!"); + + } + authnRequestBuilder.issuer(issur); - //set minimum required eIDAS LoA from OA config - String LoA = oaConfig.getQaaLevel(); - //TODO: -// if (MiscUtil.isNotEmpty(LoA)) -// authnRequestBuilder.levelOfAssurance(LevelOfAssurance.fromString(oaConfig.getQaaLevel())); -// else - authnRequestBuilder.levelOfAssurance(LevelOfAssurance.HIGH.getValue()); - //TODO: check if required - //authnRequestBuilder.levelOfAssuranceComparison(LevelOfAssuranceComparison.MINIMUM); + //TODO: set matching mode if eIDAS ref. impl. support this method + + //TODO: update if eIDAS ref. impl. supports exact matching for non-notified LoA schemes + String loa = EAAFConstants.EIDAS_LOA_HIGH; + if (spConfig.getRequiredLoA() != null) { + if (spConfig.getRequiredLoA().isEmpty()) + log.info("No eIDAS LoA requested. Use LoA HIGH as default"); + + else { + if (spConfig.getRequiredLoA().size() > 1 ) + log.info("Currently only ONE requested LoA is supported for service provider. Use first one ... "); + + loa = spConfig.getRequiredLoA().get(0); + + } + } + + log.debug("Request eIdAS node with LoA: " + loa); + authnRequestBuilder.levelOfAssurance(loa); - //set correct SPType for this online application - if (oaConfig.hasBaseIdTransferRestriction()) - authnRequestBuilder.spType(SpType.PRIVATE.getValue()); - else + //set correct SPType for requested target sector + String publicSectorTargetSelector = basicConfig.getBasicConfiguration( + Constants.CONIG_PROPS_EIDAS_NODE_PUBLICSECTOR_TARGETS, + Constants.POLICY_DEFAULT_ALLOWED_TARGETS); + Pattern p = Pattern.compile(publicSectorTargetSelector); + Matcher m = p.matcher(spConfig.getAreaSpecificTargetIdentifier()); + if (m.matches()) { + log.debug("Map " + spConfig.getAreaSpecificTargetIdentifier() + " to 'PublicSector'"); authnRequestBuilder.spType(SpType.PUBLIC.getValue()); + + //TODO: only for eIDAS ref. node 2.0 because it need 'Providername' for any SPType + String providerName = pendingReq.getRawData(Constants.DATA_PROVIDERNAME, String.class); + if (StringUtils.isNotEmpty(providerName) + && basicConfig.getBasicMOAIDConfigurationBoolean( + Constants.CONIG_PROPS_EIDAS_NODE_WORKAROUND_ADD_ALWAYS_PROVIDERNAME, + false) + ) + authnRequestBuilder.providerName(providerName); + + } else { + log.debug("Map " + spConfig.getAreaSpecificTargetIdentifier() + " to 'PrivateSector'"); + authnRequestBuilder.spType(SpType.PRIVATE.getValue()); + //TODO: switch to RequesterId in further version + //set provider name for private sector applications + String providerName = pendingReq.getRawData(Constants.DATA_PROVIDERNAME, String.class); + if (StringUtils.isNotEmpty(providerName)) + authnRequestBuilder.providerName(providerName); - //TODO - //set service provider (eIDAS node) countryCode -// authnRequestBuilder.serviceProviderCountryCode( -// authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_COUNTRYCODE, "AT")); - - //set citizen country code for foreign uses - authnRequestBuilder.citizenCountryCode(cpeps.getCountryCode()); - - //add requested attributes - authnRequestBuilder.requestedAttributes(reqAttrMap); - + } - LightRequest lightAuthnReq = authnRequestBuilder.build(); + //set nameIDFormat + authnRequestBuilder.nameIdFormat(Constants.eIDAS_REQ_NAMEID_FORMAT); + //set citizen country code for foreign uses + authnRequestBuilder.citizenCountryCode(citizenCountryCode); + //set relay state + authnRequestBuilder.relayState(pendingReq.getPendingRequestId()); - //IRequestMessage authnRequest = engine.generateRequestMessage(authnRequestBuilder.build(), issur); + //build and add requested attribute set + ImmutableAttributeMap reqAttrMap = translateToEidasAttributes(attrRegistry.getAttributeSetFromConfiguration()); + authnRequestBuilder.requestedAttributes(reqAttrMap); - //encode AuthnRequest -// byte[] token = authnRequest.getMessageBytes(); -// String SAMLRequest = EidasStringUtil.encodeToBase64(token); + //build request + LightRequest lightAuthnReq = authnRequestBuilder.build(); + //put request into cache + BinaryLightToken token = putRequestInCommunicationCache(lightAuthnReq); + final String tokenBase64 = BinaryLightTokenHelper.encodeBinaryLightTokenBase64(token); + + //Workaround, because eIDAS node ref. impl. does not return relayState + if (basicConfig.getBasicMOAIDConfigurationBoolean( + Constants.CONIG_PROPS_EIDAS_NODE_WORKAROUND_USEREQUESTIDASTRANSACTIONIDENTIFIER, + false)) { + log.trace("Put lightRequestId into transactionstore as session-handling backup"); + transactionStore.put(lightAuthnReq.getId(), pendingReq.getPendingRequestId(), -1); + + } -// if (SAMLConstants.SAML2_POST_BINDING_URI.equals(authnReqEndpoint.getBinding())) -// buildPostBindingRequest(pendingReq, authnReqEndpoint, SAMLRequest, authnRequest, response); -// -// //TODO: redirect Binding is not completely implemented -// //else if (SAMLConstants.SAML2_REDIRECT_BINDING_URI.equals(authnReqEndpoint.getBinding())) -// //buildRedirecttBindingRequest(pendingReq, authnReqEndpoint, token, authnRequest, response); -// -// else { -// Logger.error("eIDAS-node use an unsupported binding (" -// + authnReqEndpoint.getBinding() + "). Request eIDAS node not possible."); -// throw new MOAIDException("eIDAS.02", new Object[]{"eIDAS-node use an unsupported binding"}); -// -// } + if (basicConfig.getBasicConfiguration( + Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_METHOD, + Constants.FORWARD_METHOD_GET + ).equals(Constants.FORWARD_METHOD_GET)) { + + log.debug("Use http-redirect for eIDAS node forwarding ... "); + //send redirect + UriComponentsBuilder redirectUrl = UriComponentsBuilder.fromHttpUrl(basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL)); + redirectUrl.queryParam(EidasParameterKeys.TOKEN.toString(), tokenBase64); + response.sendRedirect(redirectUrl.build().encode().toString()); + + } else { + log.debug("Use http-post for eIDAS node forwarding ... "); + StaticGuiBuilderConfiguration config = new StaticGuiBuilderConfiguration( + basicConfig, + pendingReq, + Constants.TEMPLATE_POST_FORWARD_NAME, + null); + + config.putCustomParameter(Constants.TEMPLATE_POST_FORWARD_ENDPOINT, + basicConfig.getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_NODE_FORWARD_URL)); + config.putCustomParameter(Constants.TEMPLATE_POST_FORWARD_TOKEN_NAME, + EidasParameterKeys.TOKEN.toString()); + config.putCustomParameter(Constants.TEMPLATE_POST_FORWARD_TOKEN_VALUE, + tokenBase64); + + guiBuilder.build(response, config, "BKU-Selection form"); + + } - - -// }catch (EIDASSAMLEngineException e){ -// throw new TaskExecutionException(pendingReq, "eIDAS AuthnRequest generation FAILED.", -// new EIDASEngineException("eIDAS.00", new Object[]{e.getMessage()}, e)); - } catch (MOAIDException e) { + + } catch (eIDASAuthenticationException e) { throw new TaskExecutionException(pendingReq, "eIDAS AuthnRequest generation FAILED.", e); } catch (Exception e) { - Logger.error("eIDAS AuthnRequest generation FAILED.", e); + log.warn("eIDAS AuthnRequest generation FAILED.", e); throw new TaskExecutionException(pendingReq, e.getMessage(), e); } + } + + private ImmutableAttributeMap translateToEidasAttributes(final Map requiredAttributes) { + ImmutableAttributeMap.Builder builder = ImmutableAttributeMap.builder(); + for (Map.Entry attribute : requiredAttributes.entrySet()) { + final String name = attribute.getKey(); + final ImmutableSortedSet> byFriendlyName = attrRegistry.getCoreAttributeRegistry().getByFriendlyName(name); + if (!byFriendlyName.isEmpty()) { + final AttributeDefinition attributeDefinition = byFriendlyName.first(); + builder.put(AttributeDefinition.builder(attributeDefinition).required(attribute.getValue()).build()); + + } else + log.warn("Can NOT request UNKNOWN attribute: " + attribute.getKey() + " Ignore it!"); + + } + + return builder.build(); + + } - /** - * Encode the eIDAS request with POST binding - * - * @param pendingReq - * @param authnReqEndpoint - * @param SAMLRequest - * @param authnRequest - * @param response - * @throws MOAIDException - */ - private void buildPostBindingRequest(IRequest pendingReq, SingleSignOnService authnReqEndpoint, - String SAMLRequest, IRequestMessage authnRequest, HttpServletResponse response) - throws MOAIDException { - //send + private BinaryLightToken putRequestInCommunicationCache(ILightRequest iLightRequest) throws ServletException { + final BinaryLightToken binaryLightToken; try { - VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine(); - Template template = velocityEngine.getTemplate("/resources/templates/eidas_postbinding_template.vm"); - VelocityContext context = new VelocityContext(); - - String actionType = "SAMLRequest"; - context.put(actionType, SAMLRequest); - context.put("RelayState", pendingReq.getRequestID()); - context.put("action", authnReqEndpoint.getLocation()); - - Logger.debug("Using SingleSignOnService url as action: " + authnReqEndpoint.getLocation()); - Logger.debug("Encoded " + actionType + " original: " + SAMLRequest); + final SpecificConnectorCommunicationServiceImpl springManagedSpecificConnectorCommunicationService = + (SpecificConnectorCommunicationServiceImpl) context.getBean(SpecificCommunicationDefinitionBeanNames.SPECIFIC_CONNECTOR_COMMUNICATION_SERVICE.toString()); - Logger.trace("Starting template merge"); - StringWriter writer = new StringWriter(); - - Logger.trace("Doing template merge"); - template.merge(context, writer); - - Logger.trace("Template merge done"); - Logger.trace("Sending html content: " + writer.getBuffer().toString()); + binaryLightToken = springManagedSpecificConnectorCommunicationService.putRequest(iLightRequest); - - byte[] content = writer.getBuffer().toString().getBytes("UTF-8"); - response.setContentType(MediaType.HTML_UTF_8.toString()); - response.setContentLength(content.length); - response.getOutputStream().write(content); - - revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), pendingReq, - MOAIDEventConstants.AUTHPROCESS_PEPS_REQUESTED, - authnRequest.getRequest().getId()); - - } catch (Exception e) { - Logger.error("Velocity general error: " + e.getMessage()); - throw new MOAIDException("eIDAS.02", new Object[]{e.getMessage()}, e); + } catch (SpecificCommunicationException e) { + log.error("Unable to process specific request"); + throw new ServletException(e); } - - } - - /** - * Select a SingleSignOnService endPoint from eIDAS node metadata. - * This endPoint receives the Authn. request - * - * @param idpEntity - * @return - */ - private SingleSignOnService selectSingleSignOnServiceFromMetadata(EntityDescriptor idpEntity) { - //select SingleSignOn Service endpoint from IDP metadata - SingleSignOnService endpoint = null; - if (idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS) == null) { - return null; - - } - - for (SingleSignOnService sss : - idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleSignOnServices()) { - - // use POST binding as default if it exists - if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) - endpoint = sss; - - //TODO: redirect Binding is not completely implemented - // use Redirect binding as backup -// else if ( sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI) -// && endpoint == null ) -// endpoint = sss; - - } - - return endpoint; - } - + + return binaryLightToken; + } + } -- cgit v1.2.3