From 1ad67c91820de1c7f2b2541f8e39752baac197d2 Mon Sep 17 00:00:00 2001
From: Thomas <>
Date: Wed, 9 Mar 2022 13:13:35 +0100
Subject: chore(core): add support for multiple ms-connector stages into
 matching by alternative eIDAS auth.
---
 .../tasks/ReceiveAuthnResponseAlternativeTask.java | 62 ++++++++++++++++++----
 .../resources/eIDAS.Authentication.process.xml     |  4 +-
 2 files changed, 56 insertions(+), 10 deletions(-)
(limited to 'eidas_modules/authmodule-eIDAS-v2/src')
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAuthnResponseAlternativeTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAuthnResponseAlternativeTask.java
index aa04f55e..828fe7bb 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAuthnResponseAlternativeTask.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveAuthnResponseAlternativeTask.java
@@ -23,6 +23,18 @@
 
 package at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks;
 
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang3.StringUtils;
+import org.jetbrains.annotations.NotNull;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
+import org.springframework.stereotype.Component;
+import org.springframework.web.util.UriComponentsBuilder;
+
 import at.asitplus.eidas.specific.connector.MsEidasNodeConstants;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.exception.EidasSAuthenticationException;
@@ -35,14 +47,14 @@ import at.gv.egiz.eaaf.core.exceptions.EaafException;
 import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
 import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper;
 import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask;
+import eu.eidas.auth.commons.EidasParameterKeys;
 import eu.eidas.auth.commons.light.ILightResponse;
+import eu.eidas.auth.commons.tx.BinaryLightToken;
+import eu.eidas.specificcommunication.BinaryLightTokenHelper;
+import eu.eidas.specificcommunication.SpecificCommunicationDefinitionBeanNames;
+import eu.eidas.specificcommunication.exception.SpecificCommunicationException;
+import eu.eidas.specificcommunication.protocol.SpecificCommunicationService;
 import lombok.extern.slf4j.Slf4j;
-import org.jetbrains.annotations.NotNull;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.stereotype.Component;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 
 
 /**
@@ -68,6 +80,10 @@ import javax.servlet.http.HttpServletResponse;
 public class ReceiveAuthnResponseAlternativeTask extends AbstractAuthServletTask {
 
   @SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection")
+  
+  @Autowired
+  ApplicationContext context;
+  
   @Autowired
   private IConfiguration basicConfig;
 
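Review bot: The new `context` field is inserted between `@SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection")` and the `basicConfig` field that annotation used to sit on, so the suppression now attaches to `context` and `basicConfig` loses it. The field is also package-private, while the neighbouring injected field is `private`. Placing the addition above the `@SuppressWarnings` line and declaring it as `@Autowired private ApplicationContext context;` restores the original pairing and keeps the field encapsulated. The class body continues outside the hunk.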
@@ -79,9 +95,19 @@ public class ReceiveAuthnResponseAlternativeTask extends AbstractAuthServletTask
                       HttpServletResponse response) throws TaskExecutionException {
     try {
       final ILightResponse eidasResponse = extractEidasResponse(request);
-      checkStatusCode(eidasResponse);
-      validateMsSpecificResponse(executionContext, eidasResponse);
-      storeInSession(eidasResponse);
+      
+      String stagingEndpoint = pendingReq.getRawData(
+          MsEidasNodeConstants.EXECCONTEXT_PARAM_MSCONNECTOR_STAGING, String.class);      
+      if (StringUtils.isNotEmpty(stagingEndpoint)) {
+        log.info("Find ms-connector staging to: {}. Forwarding to that endpoint ... ", stagingEndpoint);
+        forwardToOtherStage(response, executionContext, eidasResponse, stagingEndpoint);
+                
+      } else {      
+        checkStatusCode(eidasResponse);
+        validateMsSpecificResponse(executionContext, eidasResponse);
+        storeInSession(eidasResponse);
+        
+      }
     } catch (final Exception e) {
       log.warn("eIDAS Response processing FAILED.", e);
       throw new TaskExecutionException(pendingReq, e.getMessage(),
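Review bot: When `stagingEndpoint` is non-empty, the new branch hands the eIDAS response on without running `checkStatusCode` or `validateMsSpecificResponse`, so this node skips all response checks purely because `EXECCONTEXT_PARAM_MSCONNECTOR_STAGING` is present in `pendingReq`. If validation is meant to happen on the receiving stage, say so above the `if`, for example `// staging: response is passed through unchecked; the target ms-connector stage validates it`. Where that value is written is not visible in this diff; it should only ever come from server-side configuration, because it decides both the validation bypass and the redirect target. The `log.info` line writes the endpoint verbatim, which is fine for a configured value but not for anything request-derived. The enclosing method starts and ends outside the hunk.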
@@ -127,5 +153,23 @@ public class ReceiveAuthnResponseAlternativeTask extends AbstractAuthServletTask
     authProcessData.setGenericDataToSession(Constants.DATA_FULL_EIDAS_RESPONSE_ALTERNATIVE, eidasResponse);
     requestStoreage.storePendingRequest(pendingReq);
   }
+  
+  private void forwardToOtherStage(HttpServletResponse response, ExecutionContext executionContext, 
+      ILightResponse eidasResponse, String stagingEndpoint) throws SpecificCommunicationException, IOException {
+    executionContext.put(MsEidasNodeConstants.EXECCONTEXT_PARAM_MSCONNECTOR_STAGING, true);
+    
+    final SpecificCommunicationService specificConnectorCommunicationService =
+        (SpecificCommunicationService) context.getBean(
+            SpecificCommunicationDefinitionBeanNames.SPECIFIC_CONNECTOR_COMMUNICATION_SERVICE.toString());
+    BinaryLightToken token = specificConnectorCommunicationService.putResponse(eidasResponse);
+    final String tokenBase64 = BinaryLightTokenHelper.encodeBinaryLightTokenBase64(token);    
+    
+    final UriComponentsBuilder redirectUrl = UriComponentsBuilder.fromHttpUrl(stagingEndpoint);
+    redirectUrl.queryParam(EidasParameterKeys.TOKEN.toString(), tokenBase64);
+
+    log.debug("Forward to other stage .... ");
+    response.sendRedirect(redirectUrl.build().encode().toString());
+       
+  }
 
 }
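Review bot: `forwardToOtherStage` redirects the browser to `stagingEndpoint` with the light token for the stored eIDAS response in the query string, and nothing in the method restricts the target: `UriComponentsBuilder.fromHttpUrl` accepts `http` as well as `https` and any host. Before `putResponse` is called, the endpoint should be matched against the configured ms-connector stages and its scheme checked, e.g. `if (!"https".equalsIgnoreCase(UriComponentsBuilder.fromHttpUrl(stagingEndpoint).build().getScheme())) { throw new IOException("staging endpoint must use https"); }`, so no token is created for an unexpected or cleartext destination. The method also lacks a Javadoc; it should state that the token travels as a URL parameter and can therefore show up in access logs and Referer headers. A smaller point is that `context.getBean(name, SpecificCommunicationService.class)` would replace the unchecked cast.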
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eIDAS.Authentication.process.xml b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eIDAS.Authentication.process.xml
index 6ca21550..52a056f0 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eIDAS.Authentication.process.xml
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/resources/eIDAS.Authentication.process.xml
@@ -47,7 +47,9 @@
                   from="receiveOtherLoginMethodGuiResponseTask"     to="createNewErnpEntryTask" />
 
   
-  
+    
+  
     
   
-- 
cgit v1.2.3