From 44464bfe90a47e48cd3a76fb30d38c226f0af786 Mon Sep 17 00:00:00 2001
From: Thomas <>
Date: Tue, 27 Jul 2021 13:41:47 +0200
Subject: add work-around for representation of legal person in DE4A project.
 Work-around can be removed in a future version

---
 .../msproxyservice/MsProxyServiceConstants.java    |  4 ++
 .../protocol/EidasProxyServiceController.java      | 26 ++------
 .../protocol/ProxyServiceAuthenticationAction.java | 73 ++++++++++++++++++----
 .../utils/EidasProxyServiceUtils.java              | 45 +++++++++++++
 4 files changed, 115 insertions(+), 33 deletions(-)
 create mode 100644 eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/utils/EidasProxyServiceUtils.java

(limited to 'eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice')

diff --git a/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java b/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java
index 65fb556a..bf71ba64 100644
--- a/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java
+++ b/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java
@@ -39,6 +39,10 @@ public class MsProxyServiceConstants {
   public static final String CONIG_PROPS_EIDAS_PROXY_MANDATES_PROFILE_DEFAULT_LEGAL = 
       Constants.CONIG_PROPS_EIDAS_PREFIX + ".proxy.mandates.profiles.legal.default";
   
+  
+  public static final String CONIG_PROPS_EIDAS_PROXY_WORKAROUND_MANDATES_LEGAL_PERSON = 
+      Constants.CONIG_PROPS_EIDAS_PREFIX + ".proxy.workaround.mandates.legalperson";
+  
   // specific eIDAS-Connector configuration
   public static final String CONIG_PROPS_CONNECTOR_PREFIX = "connector";
   public static final String CONIG_PROPS_CONNECTOR_UNIQUEID = EaafConfigConstants.SERVICE_UNIQUEIDENTIFIER;
diff --git a/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java b/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java
index a9cc998e..56b34257 100644
--- a/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java
+++ b/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java
@@ -29,6 +29,7 @@ import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry;
 import at.asitplus.eidas.specific.modules.msproxyservice.MsProxyServiceConstants;
 import at.asitplus.eidas.specific.modules.msproxyservice.exception.EidasProxyServiceException;
+import at.asitplus.eidas.specific.modules.msproxyservice.utils.EidasProxyServiceUtils;
 import at.gv.egiz.components.eventlog.api.EventConstants;
 import at.gv.egiz.eaaf.core.api.IRequest;
 import at.gv.egiz.eaaf.core.api.data.EaafConfigConstants;
@@ -261,7 +262,8 @@ public class EidasProxyServiceController extends AbstractController implements I
       throws EidasProxyServiceException {    
     // check if natural-person and legal-person attributes requested in parallel
     if (spConfig.isConfigurationValue(MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_VALIDATION_ATTR_MDS, true) 
-        && isLegalPersonRequested(eidasRequest) && isNaturalPersonRequested(eidasRequest)) {
+        && EidasProxyServiceUtils.isLegalPersonRequested(eidasRequest) 
+        && EidasProxyServiceUtils.isNaturalPersonRequested(eidasRequest)) {
       throw new EidasProxyServiceException(ERROR_08, null);
       
     }
@@ -382,7 +384,7 @@ public class EidasProxyServiceController extends AbstractController implements I
       injectMandateInfosIntoSpConfig(spConfig, eidasRequest);
                  
     } else {            
-      if (isLegalPersonRequested(eidasRequest)) {
+      if (EidasProxyServiceUtils.isLegalPersonRequested(eidasRequest)) {
         throw new EidasProxyServiceException(ERROR_09, null);
         
       } 
@@ -400,7 +402,7 @@ public class EidasProxyServiceController extends AbstractController implements I
         spConfig.getUniqueIdentifier());
 
     //check if legal person is requested
-    boolean isLegalPersonRequested = isLegalPersonRequested(eidasRequest);
+    boolean isLegalPersonRequested = EidasProxyServiceUtils.isLegalPersonRequested(eidasRequest);
             
     // set mandate profiles 
     if (isLegalPersonRequested) {
@@ -409,7 +411,7 @@ public class EidasProxyServiceController extends AbstractController implements I
       
       spConfig.setMandateMode(SpMandateModes.LEGAL_FORCE);
       
-    } else if (isNaturalPersonRequested(eidasRequest)) {
+    } else if (EidasProxyServiceUtils.isNaturalPersonRequested(eidasRequest)) {
       spConfig.setMandateProfiles(KeyValueUtils.getListOfCsvValues(
           spConfig.getConfigurationValue(MsProxyServiceConstants.CONIG_PROPS_CONNECTOR_MANDATES_PROFILE_NATURAL)));
       
@@ -433,20 +435,4 @@ public class EidasProxyServiceController extends AbstractController implements I
     }
     
   }
-
-  private boolean isLegalPersonRequested(ILightRequest eidasRequest) {
-    return eidasRequest.getRequestedAttributes().entrySet().stream()
-        .filter(el -> el.getKey().getFriendlyName().equals(Constants.eIDAS_ATTR_LEGALPERSONIDENTIFIER))
-        .findFirst()
-        .isPresent();
-    
-  }
-  
-  private boolean isNaturalPersonRequested(ILightRequest eidasRequest) {
-    return eidasRequest.getRequestedAttributes().entrySet().stream()
-        .filter(el -> el.getKey().getFriendlyName().equals(Constants.eIDAS_ATTR_PERSONALIDENTIFIER))
-        .findFirst()
-        .isPresent();
-    
-  }
 }
diff --git a/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/ProxyServiceAuthenticationAction.java b/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/ProxyServiceAuthenticationAction.java
index 805bbc42..33d9fdc0 100644
--- a/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/ProxyServiceAuthenticationAction.java
+++ b/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/ProxyServiceAuthenticationAction.java
@@ -20,6 +20,7 @@ import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants;
 import at.asitplus.eidas.specific.modules.auth.eidas.v2.service.EidasAttributeRegistry;
 import at.asitplus.eidas.specific.modules.msproxyservice.MsProxyServiceConstants;
 import at.asitplus.eidas.specific.modules.msproxyservice.exception.EidasProxyServiceException;
+import at.asitplus.eidas.specific.modules.msproxyservice.utils.EidasProxyServiceUtils;
 import at.gv.egiz.eaaf.core.api.IRequest;
 import at.gv.egiz.eaaf.core.api.data.PvpAttributeDefinitions;
 import at.gv.egiz.eaaf.core.api.gui.ISpringMvcGuiFormBuilder;
@@ -94,7 +95,7 @@ public class ProxyServiceAuthenticationAction implements IAction {
         lightRespBuilder.issuer(basicConfig.getBasicConfiguration(
             MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_NODE_ENTITYID));
         lightRespBuilder.levelOfAssurance(authData.getEidasQaaLevel());       
-        lightRespBuilder.attributes(buildAttributesFromAuthData(authData));
+        lightRespBuilder.attributes(buildAttributesFromAuthData(authData, eidasReq));
         
         // set SLO response object of EAAF framework
         final SloInformationImpl sloInformation = new SloInformationImpl();
@@ -202,13 +203,18 @@ public class ProxyServiceAuthenticationAction implements IAction {
   }
   
   
-  private ImmutableAttributeMap buildAttributesFromAuthData(IAuthData authData) {
+  private ImmutableAttributeMap buildAttributesFromAuthData(IAuthData authData, 
+      ILightRequest eidasReq) {
     IEidAuthData eidAuthData = (IEidAuthData) authData;
     if (eidAuthData.isUseMandate()) {
       log.debug("Building eIDAS Proxy-Service response with mandate ... ");
       final ImmutableAttributeMap.Builder attributeMap = ImmutableAttributeMap.builder();
       injectRepesentativeInformation(attributeMap, eidAuthData);
-      injectMandatorInformation(attributeMap, eidAuthData);  
+      injectMandatorInformation(attributeMap, eidAuthData);
+      
+      // work-around that injects nat. person subject to bypass validation on eIDAS Node
+      injectJurPersonWorkaroundIfRequired(attributeMap, eidasReq, authData);
+      
       return attributeMap.build();
             
     } else {
@@ -217,7 +223,7 @@ public class ProxyServiceAuthenticationAction implements IAction {
       
     }   
   }
-  
+    
   private void injectMandatorInformation(
       ImmutableAttributeMap.Builder attributeMap, IEidAuthData eidAuthData) {    
     String natMandatorId = eidAuthData.getGenericData(
@@ -278,7 +284,39 @@ public class ProxyServiceAuthenticationAction implements IAction {
     
   }
 
-  private ImmutableAttributeMap buildAttributesWithoutMandate(IEidAuthData eidAuthData) {
+  /**
+   * Work-around to inject representative information as nat. person subject to bypass eIDAS Node validation. 
+   * 
+   * <p><b>Injection will only be done if this work-around is enabled by configuration, 
+   * the mandator is a legal person, and both legal and natural person subject's is requested.</b></p>
+   * 
+   * @param attributeMap Attribute set for eIDAS response
+   * @param eidasReq Incoming eIDAS request
+   * @param authData Authentication data
+   */
+  private void injectJurPersonWorkaroundIfRequired(
+      ImmutableAttributeMap.Builder attributeMap, ILightRequest eidasReq, IAuthData authData) {
+    if (isLegalPersonWorkaroundActive() && isLegalPersonMandateAvailable(authData) 
+        && EidasProxyServiceUtils.isNaturalPersonRequested(eidasReq)
+        && EidasProxyServiceUtils.isLegalPersonRequested(eidasReq)) {
+      log.debug("Injecting representative information as nat. person subject to bypass eIDAS Node validation");
+      attributeMap.putAll(buildAttributesWithoutMandate(authData));
+      
+    }        
+  }
+  
+  private ImmutableAttributeMap buildAttributesWithoutMandate(IAuthData eidAuthData) {        
+    //TODO: throw an error in case of SZR Date with month or day = "00"
+    return buildAttributesWithoutMandate(
+        eidAuthData.getGenericData(MsProxyServiceConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER, String.class), 
+        eidAuthData.getFamilyName(), 
+        eidAuthData.getGivenName(), 
+        eidAuthData.getDateOfBirth());
+    
+  }
+
+  private ImmutableAttributeMap buildAttributesWithoutMandate(String personalIdentifier, String familyName,
+      String givenName, String dateOfBirth) {
     final AttributeDefinition<?> attrDefPersonalId = attrRegistry.getCoreAttributeRegistry().getByFriendlyName(
         Constants.eIDAS_ATTR_PERSONALIDENTIFIER).first();
     final AttributeDefinition<?> attrDefFamilyName = attrRegistry.getCoreAttributeRegistry().getByFriendlyName(
@@ -290,18 +328,15 @@ public class ProxyServiceAuthenticationAction implements IAction {
    
     final ImmutableAttributeMap.Builder attributeMap = 
         ImmutableAttributeMap.builder()
-        .put(attrDefPersonalId, 
-            eidAuthData.getGenericData(MsProxyServiceConstants.ATTR_EIDAS_PERSONAL_IDENTIFIER, String.class))
-        .put(attrDefFamilyName, eidAuthData.getFamilyName())
-        .put(attrDefGivenName, eidAuthData.getGivenName())
-        
-        //TODO: throw an error in case of SZR Date with month or day = "00"
-        .put(attrDefDateOfBirth, eidAuthData.getDateOfBirth());
+        .put(attrDefPersonalId, personalIdentifier)
+        .put(attrDefFamilyName, familyName)
+        .put(attrDefGivenName, givenName)        
+        .put(attrDefDateOfBirth, dateOfBirth);
     
     return attributeMap.build();
     
   }
-
+  
   private BinaryLightToken putResponseInCommunicationCache(ILightResponse lightResponse)
       throws ServletException {
     final BinaryLightToken binaryLightToken;
@@ -322,5 +357,17 @@ public class ProxyServiceAuthenticationAction implements IAction {
     return binaryLightToken;
   }
 
+  private boolean isLegalPersonWorkaroundActive() {
+    return basicConfig.getBasicConfigurationBoolean(
+        MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_WORKAROUND_MANDATES_LEGAL_PERSON, 
+        false);
+    
+  }
+  
+  private boolean isLegalPersonMandateAvailable(IAuthData authData) {
+    return StringUtils.isNoneEmpty(authData.getGenericData(
+          MsProxyServiceConstants.ATTR_EIDAS_JUR_MANDATOR_PERSONAL_IDENTIFIER, String.class));
+    
+  }
 
 }
diff --git a/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/utils/EidasProxyServiceUtils.java b/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/utils/EidasProxyServiceUtils.java
new file mode 100644
index 00000000..4cd7ba6c
--- /dev/null
+++ b/eidas_modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/utils/EidasProxyServiceUtils.java
@@ -0,0 +1,45 @@
+package at.asitplus.eidas.specific.modules.msproxyservice.utils;
+
+import at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants;
+import eu.eidas.auth.commons.light.ILightRequest;
+
+/**
+ * Common utils for eIDAS Proxy-Service implementation.
+ * 
+ * @author tlenz
+ *
+ */
+public class EidasProxyServiceUtils {
+
+  /**
+   * Check if legal person subject is requested by eIDAS Connector.
+   * 
+   * @param eidasRequest Authentication request from eIDAS Connector.
+   * @return <code>true</code> if <i>LegalPersonIdentifier</i> is requested, otherwise <code>false</code>lse
+   */
+  public static boolean isLegalPersonRequested(ILightRequest eidasRequest) {
+    return eidasRequest.getRequestedAttributes().entrySet().stream()
+        .filter(el -> el.getKey().getFriendlyName().equals(Constants.eIDAS_ATTR_LEGALPERSONIDENTIFIER))
+        .findFirst()
+        .isPresent();
+    
+  }
+  
+  /**
+   * Check if natural person subject is requested by eIDAS Connector.
+   * 
+   * @param eidasRequest Authentication request from eIDAS Connector.
+   * @return <code>true</code> if <i>PersonIdentifier</i> is requested, otherwise <code>false</code>lse
+   */
+  public static boolean isNaturalPersonRequested(ILightRequest eidasRequest) {
+    return eidasRequest.getRequestedAttributes().entrySet().stream()
+        .filter(el -> el.getKey().getFriendlyName().equals(Constants.eIDAS_ATTR_PERSONALIDENTIFIER))
+        .findFirst()
+        .isPresent();
+    
+  }
+  
+  private EidasProxyServiceUtils() {
+    //hide constructor for class with static methods only
+  }
+}
-- 
cgit v1.2.3