From 1fdf8a0784c70479fbf59c6c3841faeae290b883 Mon Sep 17 00:00:00 2001
From: Christian Kollmann <christian.kollmann@a-sit.at>
Date: Thu, 15 Jul 2021 14:37:05 +0200
Subject: Verify data of alternative eIDAS authn matches initial authn

---
 .../modules/auth/eidas/v2/dao/SimpleEidasData.java | 28 +++++++++++++++-------
 .../auth/eidas/v2/tasks/AlternativeSearchTask.java | 16 ++++++++++++-
 2 files changed, 34 insertions(+), 10 deletions(-)

(limited to 'eidas_modules')

diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleEidasData.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleEidasData.java
index cedf01e3..35f353f4 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleEidasData.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/dao/SimpleEidasData.java
@@ -38,10 +38,10 @@ public class SimpleEidasData {
    * Full eIDAS personal identifier with prefix.
    */
   private final String personalIdentifier;
-  
+
   /**
    * Citizen country-code from eIDAS personal-identifier.
-   */  
+   */
   private final String citizenCountryCode;
 
   // MDS
@@ -67,11 +67,11 @@ public class SimpleEidasData {
    * @throws WorkflowException if multiple results have been found
    */
   public boolean equalsRegisterData(RegisterResult result) throws WorkflowException {
-    /*TODO: maybe this is check is not valid, because only the minimum data-set (personalIdentifer, givenName, 
+    /*TODO: maybe this is check is not valid, because only the minimum data-set (personalIdentifer, givenName,
      *      familyName, dateOfBirth) has to be always available. Any other attributes are optional.
-     *      This check will always evaluate to false if register has more information as current eIDAS process!!! 
+     *      This check will always evaluate to false if register has more information as current eIDAS process!!!
      */
-    
+
     return new EqualsBuilder()
         .append(result.getGivenName(), givenName)
         .append(result.getFamilyName(), familyName)
@@ -80,10 +80,20 @@ public class SimpleEidasData {
         .append(result.getBirthName(), birthName)
         .append(result.getTaxNumber(), taxNumber)
         .isEquals() && result.getPseudonym().stream()
-            .filter(el -> el.equals(pseudonym))
-            .findFirst()
-            .isPresent();
-    
+            .anyMatch(el -> el.equals(pseudonym));
   }
 
+  /**
+   * Checks if the MDS (<code>givenName</code>, <code>familyName</code>,
+   * <code>dateOfBirth</code>) matches.
+   */
+  public boolean equalsMds(SimpleEidasData other) {
+    return new EqualsBuilder()
+        .append(other.givenName, givenName)
+        .append(other.familyName, familyName)
+        .append(other.dateOfBirth, dateOfBirth)
+        .isEquals();
+  }
+
+
 }
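Review bot: `equalsMds` treats two absent values as a match, because `EqualsBuilder.append` considers null equal to null, so two data sets that both lack `dateOfBirth` (or another MDS field) would pass this identity check. Whether `SimpleEidasData` guarantees non-null MDS fields at construction is not visible in this hunk; if it does not, the method should fail closed, e.g. begin with `if (givenName == null || familyName == null || dateOfBirth == null) { return false; }`. The same null-equals-null behaviour applies to the `Objects.equals` comparison of the country codes in `verifyAlternativeEidasData` in AlternativeSearchTask.java. `other` is also dereferenced without a null check, so the Javadoc should state that it must be non-null and gain `@param other` and `@return` lines.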
diff --git a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java
index 38a7076a..4705c56b 100644
--- a/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java
+++ b/eidas_modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/AlternativeSearchTask.java
@@ -46,6 +46,7 @@ import org.springframework.stereotype.Component;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.util.Map;
+import java.util.Objects;
 
 import static at.asitplus.eidas.specific.modules.auth.eidas.v2.Constants.TRANSITION_TO_GENERATE_OTHER_LOGIN_METHOD_GUI_TASK;
 
@@ -97,7 +98,7 @@ public class AlternativeSearchTask extends AbstractAuthServletTask {
     try {
       final SimpleEidasData altEidasData = convertEidasAttrToSimpleData();
       final SimpleEidasData initialEidasData = MatchingTaskUtils.getInitialEidasData(pendingReq);
-      // TODO Verify that altEidasData and initialEidasData "match"?
+      verifyAlternativeEidasData(altEidasData, initialEidasData);
       step11RegisterSearchWithPersonIdentifier(executionContext, altEidasData, initialEidasData);
     } catch (WorkflowException e) {
       throw new TaskExecutionException(pendingReq, "Initial search failed", e);
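Review bot: The call directly after the new verification passes `altEidasData, initialEidasData`, while the signature shown in the next hunk declares the parameters as `initialEidasData, altEidasData`. Both are `SimpleEidasData`, so the compiler cannot catch a swap, and the register search may run with the roles of the two authentications reversed. Which order is intended cannot be decided from this diff because the method body is outside it. Align the call with the declaration, `step11RegisterSearchWithPersonIdentifier(executionContext, initialEidasData, altEidasData);`, or rename the parameters to match the call. The enclosing method starts and ends outside this hunk.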
@@ -107,6 +108,19 @@ public class AlternativeSearchTask extends AbstractAuthServletTask {
     }
   }
 
+  private void verifyAlternativeEidasData(SimpleEidasData altEidasData, SimpleEidasData initialEidasData)
+      throws WorkflowException {
+    if (initialEidasData == null) {
+      throw new WorkflowException("step11", "No initial eIDAS authn data");
+    }
+    if (!Objects.equals(altEidasData.getCitizenCountryCode(), initialEidasData.getCitizenCountryCode())) {
+      throw new WorkflowException("step11", "Country Code of alternative eIDAS authn not matching", true);
+    }
+    if (!altEidasData.equalsMds(initialEidasData)) {
+      throw new WorkflowException("step11", "MDS of alternative eIDAS authn does not match initial authn", true);
+    }
+  }
+
   private void step11RegisterSearchWithPersonIdentifier(
       ExecutionContext executionContext, SimpleEidasData initialEidasData, SimpleEidasData altEidasData)
       throws WorkflowException, EaafStorageException {
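Review bot: `verifyAlternativeEidasData` is the check that binds the second authentication to the first, yet it has no comment stating which attributes are compared and why. It compares the citizen country code and the MDS only; the personal identifier is not compared, presumably on purpose, and that decision should be written down. Suggested Javadoc: `Ensures the alternative eIDAS authn belongs to the same person as the initial one (same citizen country code, same MDS); throws WorkflowException otherwise.` Note also that `altEidasData` is dereferenced without a null check, unlike `initialEidasData`; whether `convertEidasAttrToSimpleData` can return null is not visible here.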
-- 
cgit v1.2.3