From 1bb05a848206fb1e3bd77b744068c1ee5b344d73 Mon Sep 17 00:00:00 2001 From: Christian Kollmann Date: Thu, 4 Mar 2021 16:02:22 +0100 Subject: Prevent SZRClient from creating ERnP entry if person does not exist --- .../modules/auth/eidas/v2/szr/SzrClient.java | 60 +++++++++++----------- .../modules/auth/eidas/v2/test/SzrClientTest.java | 39 ++++++-------- .../eidas/v2/test/SzrClientTestProduction.java | 22 ++++---- .../tasks/CreateIdentityLinkTaskEidNewTest.java | 4 +- 4 files changed, 57 insertions(+), 68 deletions(-) (limited to 'eidas_modules/authmodule-eIDAS-v2/src') diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java index dc6df967..5bad738b 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/szr/SzrClient.java @@ -27,6 +27,7 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.net.URL; +import java.nio.charset.StandardCharsets; import java.security.KeyManagementException; import java.security.KeyStore; import java.security.KeyStoreException; @@ -34,7 +35,7 @@ import java.security.NoSuchAlgorithmException; import java.security.SecureRandom; import java.security.UnrecoverableKeyException; import java.util.ArrayList; -import java.util.Arrays; +import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Map; @@ -117,6 +118,7 @@ public class SzrClient { private static final String JOSE_HEADER_USERCERTPINNING_EIDASBIND = "urn:at.gv.eid:eidasBind"; public static final String ATTR_NAME_MDS = "urn:eidgvat:mds"; + @SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection") @Autowired private IConfiguration basicConfig; @@ -126,10 +128,6 @@ public class SzrClient { // RAW client is needed for identitylink private Dispatch dispatch = null; - private SzrService szrService = null; - private String szrUrl = null; - private QName qname = null; - final ObjectMapper mapper = new ObjectMapper(); /** @@ -164,7 +162,7 @@ public class SzrClient { .createUnmarshaller().unmarshal(new ByteArrayInputStream(szrResponse)); // build response - log.trace(new String(szrResponse, "UTF-8")); + log.trace(new String(szrResponse, StandardCharsets.UTF_8)); // ok, we have success final Document doc = DomUtils.parseDocument( @@ -223,7 +221,11 @@ public class SzrClient { } /** - * Request a encryped baseId from SRZ. + * Request a encrypted baseId from SZR. + * + * Note: Previously, this method did create a new ERnP entry, if it did not exist. This is + * not the case any more. See + * {@link at.asitplus.eidas.specific.modules.auth.eidas.v2.tasks.CreateNewErnpEntryTask} for that functionality. * * @param personInfo Minimum dataset of person * @return encrypted baseId @@ -234,10 +236,7 @@ public class SzrClient { final String resp; try { - //TODO wirklich immer "insertERnP=true"? - // wenn insertErnP=false dann returns vsz oder fehler - // wenn insertErnp = true dann returns vsz, ggf vom neuen Eintrag - resp = this.szr.getStammzahlEncrypted(personInfo, true); + resp = this.szr.getStammzahlEncrypted(personInfo, false); } catch (SZRException_Exception e) { throw new SzrCommunicationException("ernb.02", new Object[]{e.getMessage()}, e); } @@ -253,8 +252,8 @@ public class SzrClient { /** * Sign an eidasBind data-structure that combines vsz with user's pubKey and E-ID status. * - * @param vsz encryped baseId - * @param bindingPubKey binding PublikKey as PKCS1# (ASN.1) container + * @param vsz encrypted baseId + * @param bindingPubKey binding PublicKey as PKCS1# (ASN.1) container * @param eidStatus Status of the E-ID * @param eidData eID information that was used for ERnP registration * @return bPK for this person @@ -266,7 +265,7 @@ public class SzrClient { final Map eidsaBindMap = new HashMap<>(); eidsaBindMap.put(ATTR_NAME_VSZ, vsz); eidsaBindMap.put(ATTR_NAME_STATUS, eidStatus); - eidsaBindMap.put(ATTR_NAME_PUBKEYS, Arrays.asList(bindingPubKey)); + eidsaBindMap.put(ATTR_NAME_PUBKEYS, Collections.singletonList(bindingPubKey)); eidsaBindMap.put(PvpAttributeDefinitions.EID_ISSUING_NATION_NAME, eidData.getCitizenCountryCode()); injectMdsIfAvailableAndActive(eidsaBindMap, eidData); @@ -296,7 +295,7 @@ public class SzrClient { return resp.getOut().get(0).getValue(); } catch (final JsonProcessingException | SZRException_Exception e) { - log.warn("Requesting bcBind by using SZR FAILED. Reason: {}", e.getMessage(), null, e); + log.warn("Requesting bcBind by using SZR FAILED.", e); throw new SzrCommunicationException("ernb.02", new Object[]{e.getMessage()}, e); } @@ -311,6 +310,9 @@ public class SzrClient { Constants.CONIG_PROPS_EIDAS_SZRCLIENT_USETESTSERVICE, true); + SzrService szrService; + QName qname; + String szrUrl; if (useTestSzr) { log.debug("Initializing SZR test environment configuration."); qname = SzrService.SZRTestumgebung; @@ -350,20 +352,20 @@ public class SzrClient { // inject handler log.info("Use SZR service-URL: " + szrUrl); - injectBindingProvider((BindingProvider) szr, CLIENT_DEFAULT); - injectBindingProvider(dispatch, CLIENT_RAW); + injectBindingProvider((BindingProvider) szr, CLIENT_DEFAULT, szrUrl); + injectBindingProvider(dispatch, CLIENT_RAW, szrUrl); // inject http parameters and SSL context log.debug("Inject HTTP client settings ... "); - injectHttpClient(szr, CLIENT_DEFAULT); - injectHttpClient(dispatch, CLIENT_RAW); + injectHttpClient(szr, CLIENT_DEFAULT, szrUrl); + injectHttpClient(dispatch, CLIENT_RAW, szrUrl); log.info("SZR-Client initialization successfull"); } - private void injectHttpClient(Object raw, String clientType) { + private void injectHttpClient(Object raw, String clientType, String szrUrl) { // extract client from implementation - Client client = null; + Client client; if (raw instanceof DispatchImpl) { client = ((DispatchImpl) raw).getClient(); } else if (raw instanceof Client) { @@ -378,14 +380,12 @@ public class SzrClient { // set timeout policy final HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy(); - httpClientPolicy.setConnectionTimeout( - Integer.parseInt(basicConfig.getBasicConfiguration( - Constants.CONIG_PROPS_EIDAS_SZRCLIENT_TIMEOUT_CONNECTION, - Constants.HTTP_CLIENT_DEFAULT_TIMEOUT_CONNECTION)) * 1000); - httpClientPolicy.setReceiveTimeout( - Integer.parseInt(basicConfig.getBasicConfiguration( - Constants.CONIG_PROPS_EIDAS_SZRCLIENT_TIMEOUT_RESPONSE, - Constants.HTTP_CLIENT_DEFAULT_TIMEOUT_RESPONSE)) * 1000); + String connectionTimeout = basicConfig.getBasicConfiguration( + Constants.CONIG_PROPS_EIDAS_SZRCLIENT_TIMEOUT_CONNECTION, Constants.HTTP_CLIENT_DEFAULT_TIMEOUT_CONNECTION); + httpClientPolicy.setConnectionTimeout(Integer.parseInt(connectionTimeout) * 1000L); + String responseTimeout = basicConfig.getBasicConfiguration( + Constants.CONIG_PROPS_EIDAS_SZRCLIENT_TIMEOUT_RESPONSE, Constants.HTTP_CLIENT_DEFAULT_TIMEOUT_RESPONSE); + httpClientPolicy.setReceiveTimeout(Integer.parseInt(responseTimeout) * 1000L); http.setClient(httpClientPolicy); // inject SSL context in case of https @@ -400,7 +400,7 @@ public class SzrClient { } - private void injectBindingProvider(BindingProvider bindingProvider, String clientType) { + private void injectBindingProvider(BindingProvider bindingProvider, String clientType, String szrUrl) { final Map requestContext = bindingProvider.getRequestContext(); requestContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, szrUrl); diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTest.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTest.java index 99c221d8..5deb5f31 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTest.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTest.java @@ -28,10 +28,10 @@ import static org.mockito.ArgumentMatchers.anyList; import static org.mockito.Mockito.when; import java.io.IOException; -import java.security.InvalidKeyException; +import java.nio.charset.StandardCharsets; import java.security.MessageDigest; -import java.security.NoSuchProviderException; import java.util.List; +import java.util.Objects; import javax.xml.bind.JAXBContext; import javax.xml.bind.JAXBException; @@ -44,7 +44,6 @@ import org.apache.commons.lang3.RandomStringUtils; import org.apache.commons.lang3.StringUtils; import org.apache.cxf.binding.soap.SoapFault; import org.joda.time.DateTime; -import org.jose4j.lang.JoseException; import org.junit.Assert; import org.junit.Before; import org.junit.Ignore; @@ -60,9 +59,6 @@ import org.springframework.util.Base64Utils; import org.w3c.dom.Element; import org.xml.sax.SAXException; -import com.fasterxml.jackson.core.JsonProcessingException; -import com.fasterxml.jackson.databind.JsonMappingException; -import com.fasterxml.jackson.databind.ObjectMapper; import com.skjolberg.mockito.soap.SoapServiceRule; import at.asitplus.eidas.specific.connector.test.config.dummy.MsConnectorDummyConfigMap; @@ -102,8 +98,6 @@ public class SzrClientTest { @Autowired SzrClient szrClient; @Autowired MsConnectorDummyConfigMap basicConfig; - private static ObjectMapper mapper = new ObjectMapper(); - private static final String givenName = "Franz"; private static final String familyName = "Mustermann"; private static final String dateOfBirth = "1989-05-05"; @@ -139,7 +133,7 @@ public class SzrClientTest { @Test - public void getStammzahlenEcryptedTest() throws JAXBException, SZRException_Exception, SzrCommunicationException { + public void getStammzahlenEcryptedTest() throws SZRException_Exception, SzrCommunicationException { final GetBPKFromStammzahlEncryptedResponse szrResponse = new GetBPKFromStammzahlEncryptedResponse(); final GetBPKFromStammzahlEncryptedResponseType result1 = new GetBPKFromStammzahlEncryptedResponseType(); szrResponse.getOut().add(result1); @@ -156,7 +150,7 @@ public class SzrClientTest { when(szrMock.getStammzahlEncrypted(any(), any())).thenReturn(null); try { - stammzahlEncrypted = szrClient.getEncryptedStammzahl(new PersonInfoType()); + szrClient.getEncryptedStammzahl(new PersonInfoType()); } catch (SzrCommunicationException e) { Assert.assertTrue("Not correct error", e.getMessage().contains("ernb.01")); } @@ -234,8 +228,7 @@ public class SzrClientTest { } @Test - public void eidasBindValid() throws SZRException_Exception, SzrCommunicationException, JsonMappingException, - JsonProcessingException, JoseException { + public void eidasBindValid() throws SZRException_Exception, SzrCommunicationException { final SignContentResponse szrResponse = new SignContentResponse(); final SignContentEntry result1 = new SignContentEntry(); final SignContentResponseType content = new SignContentResponseType(); @@ -257,8 +250,7 @@ public class SzrClientTest { } @Test - public void eidasBindValidWithMds() throws SZRException_Exception, SzrCommunicationException, JoseException, - JsonMappingException, JsonProcessingException { + public void eidasBindValidWithMds() throws SZRException_Exception, SzrCommunicationException { basicConfig.putConfigValue("eidas.ms.auth.eIDAS.szrclient.eidasbind.mds.inject", "true"); final SignContentResponse szrResponse = new SignContentResponse(); @@ -283,7 +275,7 @@ public class SzrClientTest { @Test public void getIdentityLinkRawModeValidResponse() - throws SZRException_Exception, EaafParserException, NoSuchProviderException, IOException, InvalidKeyException, + throws SZRException_Exception, EaafParserException, EidasSAuthenticationException, JAXBException { setSzrResponseIdentityLink("/data/szr/szr_resp_valid_1.xml"); @@ -317,8 +309,8 @@ public class SzrClientTest { @Test public void getIdentityLinkRawModeErrorTravelerDocExists() - throws SZRException_Exception, EaafParserException, NoSuchProviderException, IOException, InvalidKeyException, - EidasSAuthenticationException, JAXBException, ParserConfigurationException, SAXException { + throws SZRException_Exception, IOException, + EidasSAuthenticationException, ParserConfigurationException, SAXException { setSzrExceptionIdentityLink("/data/szr/szr_resp_error_travelerdocexists.xml"); try { @@ -342,7 +334,7 @@ public class SzrClientTest { @Ignore @Test - public void getBpkTest() throws SZRException_Exception, EidasSAuthenticationException { + public void getBpkTest() throws EidasSAuthenticationException { final List bPK = szrClient.getBpk(getPersonInfo(), DUMMY_TARGET, basicConfig .getBasicConfiguration(Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, "no VKZ defined")); @@ -363,6 +355,7 @@ public class SzrClientTest { } + @SuppressWarnings("SameParameterValue") private void setSzrResponseIdentityLink(String responseXmlPath) throws JAXBException, SZRException_Exception { final JAXBContext jaxbContext = JAXBContext .newInstance(szrservices.ObjectFactory.class, org.w3._2001._04.xmldsig_more.ObjectFactory.class, @@ -375,8 +368,9 @@ public class SzrClientTest { } + @SuppressWarnings("SameParameterValue") private void setSzrExceptionIdentityLink(String responseXmlPath) - throws JAXBException, ParserConfigurationException, SAXException, IOException, SZRException_Exception { + throws ParserConfigurationException, SAXException, IOException, SZRException_Exception { final Element detailerror = DomUtils.parseXmlNonValidating(this.getClass().getResourceAsStream(responseXmlPath)); final javax.xml.namespace.QName qName = new javax.xml.namespace.QName("urn:SZRServices", "F455", "p344"); final SoapFault fault = new SoapFault( @@ -391,9 +385,8 @@ public class SzrClientTest { private String createHashFromUniqueId(String uniqueId) throws EidasSAuthenticationException { try { final MessageDigest md = MessageDigest.getInstance("SHA-256"); - final byte[] hash = md.digest(uniqueId.getBytes("UTF-8")); - final String hashBase64 = new String(Base64Utils.encode(hash), "UTF-8").replaceAll("\r\n", ""); - return hashBase64; + final byte[] hash = md.digest(uniqueId.getBytes(StandardCharsets.UTF_8)); + return new String(Base64Utils.encode(hash), StandardCharsets.UTF_8).replaceAll("\r\n", ""); } catch (final Exception ex) { throw new EidasSAuthenticationException("internal.03", new Object[]{}, ex); @@ -413,7 +406,7 @@ public class SzrClientTest { // parse some eID attributes final Triple eIdentifier = EidasResponseUtils.parseEidasPersonalIdentifier(eIDASeID); - final String uniqueId = createHashFromUniqueId(eIdentifier.getThird()); + final String uniqueId = createHashFromUniqueId(Objects.requireNonNull(eIdentifier).getThird()); final String citizenCountry = eIdentifier.getFirst(); // person information diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTestProduction.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTestProduction.java index abebf0da..38829d67 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTestProduction.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/SzrClientTestProduction.java @@ -23,11 +23,10 @@ package at.asitplus.eidas.specific.modules.auth.eidas.v2.test; -import java.io.IOException; -import java.security.InvalidKeyException; +import java.nio.charset.StandardCharsets; import java.security.MessageDigest; -import java.security.NoSuchProviderException; import java.util.List; +import java.util.Objects; import org.apache.commons.lang3.RandomStringUtils; import org.apache.commons.lang3.StringUtils; @@ -63,7 +62,6 @@ import at.gv.egiz.eaaf.core.impl.data.Triple; import at.gv.egiz.eaaf.core.impl.idp.auth.data.SimpleIdentityLinkAssertionParser; import szrservices.IdentityLinkType; import szrservices.PersonInfoType; -import szrservices.SZRException_Exception; import szrservices.TravelDocumentType; @@ -98,14 +96,14 @@ public class SzrClientTestProduction { } @Test - public void getVsz() throws SzrCommunicationException, EidasSAuthenticationException { + public void getVsz() throws EidasSAuthenticationException { String vsz = szrClient.getEncryptedStammzahl(getPersonInfo()); Assert.assertNotNull("vsz", vsz); } @Test - public void getEidasBind() throws SzrCommunicationException, EidasSAuthenticationException { + public void getEidasBind() throws EidasSAuthenticationException { String vsz = RandomStringUtils.randomAlphanumeric(10); String bindingPubKey = Base64.toBase64String(RandomStringUtils.random(20).getBytes()); String eidStatus = "urn:eidgvat:eid.status.eidas"; @@ -125,8 +123,7 @@ public class SzrClientTestProduction { @Test - public void getIdentityLinkRawMode() throws SZRException_Exception, EaafParserException, - NoSuchProviderException, IOException, InvalidKeyException, EidasSAuthenticationException { + public void getIdentityLinkRawMode() throws EaafParserException, EidasSAuthenticationException { log.debug("Starting connecting SZR Gateway"); final IdentityLinkType result = szrClient.getIdentityLinkInRawMode( getPersonInfo()); @@ -173,7 +170,7 @@ public class SzrClientTestProduction { @Ignore @Test - public void getBpkTest() throws SZRException_Exception, EidasSAuthenticationException { + public void getBpkTest() throws EidasSAuthenticationException { final List bPK = szrClient.getBpk(getPersonInfo(), DUMMY_TARGET, basicConfig.getBasicConfiguration( Constants.CONIG_PROPS_EIDAS_SZRCLIENT_PARAMS_VKZ, @@ -193,9 +190,8 @@ public class SzrClientTestProduction { private String createHashFromUniqueId(String uniqueId) throws EidasSAuthenticationException { try { final MessageDigest md = MessageDigest.getInstance("SHA-256"); - final byte[] hash = md.digest(uniqueId.getBytes("UTF-8")); - final String hashBase64 = new String(Base64Utils.encode(hash), "UTF-8").replaceAll("\r\n", ""); - return hashBase64; + final byte[] hash = md.digest(uniqueId.getBytes(StandardCharsets.UTF_8)); + return new String(Base64Utils.encode(hash), StandardCharsets.UTF_8).replaceAll("\r\n", ""); } catch (final Exception ex) { throw new EidasSAuthenticationException("internal.03", new Object[] {}, ex); @@ -216,7 +212,7 @@ public class SzrClientTestProduction { // parse some eID attributes final Triple eIdentifier = EidasResponseUtils.parseEidasPersonalIdentifier(eIDASeID); - final String uniqueId = createHashFromUniqueId(eIdentifier.getThird()); + final String uniqueId = createHashFromUniqueId(Objects.requireNonNull(eIdentifier).getThird()); final String citizenCountry = eIdentifier.getFirst(); // person information diff --git a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java index c29c82c7..ee7d2ebd 100644 --- a/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java +++ b/eidas_modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/CreateIdentityLinkTaskEidNewTest.java @@ -227,7 +227,7 @@ public class CreateIdentityLinkTaskEidNewTest { verify(szrMock, times(1)).getStammzahlEncrypted(argument4.capture(), argument5.capture()); Boolean param5 = argument5.getValue(); - Assert.assertTrue("insertERnP flag", param5); + Assert.assertFalse("insertERnP flag", param5); PersonInfoType person = argument4.getValue(); Assert.assertEquals("FamilyName", response.getAttributes().getAttributeValuesByFriendlyName("FamilyName").getFirstValue( @@ -344,7 +344,7 @@ public class CreateIdentityLinkTaskEidNewTest { verify(szrMock, times(1)).getStammzahlEncrypted(argument4.capture(), argument5.capture()); Boolean param5 = argument5.getValue(); - Assert.assertTrue("insertERnP flag", param5); + Assert.assertFalse("insertERnP flag", param5); PersonInfoType person = argument4.getValue(); Assert.assertEquals("FamilyName", response.getAttributes().getAttributeValuesByFriendlyName("FamilyName").getFirstValue( -- cgit v1.2.3