From 332a953758ab2626095ae5bd0169ff2edd9adcae Mon Sep 17 00:00:00 2001 From: Thomas <> Date: Thu, 12 May 2022 10:39:31 +0200 Subject: fix(matching): remove prefix from bPK aftern an ID Austria login --- .../ReceiveMobilePhoneSignatureResponseTask.java | 38 ++++++++++++---- .../v2/test/clients/ZmrClientProductionTest.java | 7 ++- ...eceiveMobilePhoneSignatureResponseTaskTest.java | 25 ++++++++++- .../Response_with_EID_deprecated_bpk_encoding.xml | 52 ++++++++++++++++++++++ 4 files changed, 109 insertions(+), 13 deletions(-) create mode 100644 modules/authmodule-eIDAS-v2/src/test/resources/data/Response_with_EID_deprecated_bpk_encoding.xml (limited to 'modules/authmodule-eIDAS-v2') diff --git a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseTask.java b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseTask.java index 286b63b1..b212d133 100644 --- a/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseTask.java +++ b/modules/authmodule-eIDAS-v2/src/main/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/tasks/ReceiveMobilePhoneSignatureResponseTask.java @@ -127,7 +127,9 @@ public class ReceiveMobilePhoneSignatureResponseTask extends AbstractAuthServlet private static final String ERROR_MSG_01 = "Processing PVP response from 'ID Austria system' FAILED."; private static final String ERROR_MSG_02 = "PVP response decryption FAILED. No credential found."; private static final String ERROR_MSG_03 = "PVP response validation FAILED."; - + private static final String ERROR_GENERIC = "Matching failed, because response from ID Austria was " + + "invalid or contains an error. Detail: {}"; + private static final String MSG_PROP_23 = "module.eidasauth.matching.23"; private static final String MSG_PROP_24 = "module.eidasauth.matching.24"; @@ -155,6 +157,7 @@ public class ReceiveMobilePhoneSignatureResponseTask extends AbstractAuthServlet InboundMessage inboundMessage = decodeAndVerifyMessage(request, response, decoder, comparator); Pair processedMsg = validateAssertion((PvpSProfileResponse) inboundMessage); if (processedMsg.getSecond()) { + log.info("Matching failed, because ID Austria login was stopped by user."); // forward to next matching step in case of ID Autria authentication was stopped by user executionContext.put(TRANSITION_TO_GENERATE_OTHER_LOGIN_METHOD_GUI_TASK, true); executionContext.put(CONTEXT_FLAG_ADVANCED_MATCHING_FAILED_REASON, MSG_PROP_23); @@ -177,6 +180,7 @@ public class ReceiveMobilePhoneSignatureResponseTask extends AbstractAuthServlet // check if MDS from ID Austria authentication matchs to eIDAS authentication if (!simpleMobileSignatureData.equalsSimpleEidasData(eidasData)) { + log.info("Matching failed, because MDS from ID-Austria login does not match to MDS from initial eIDAS"); executionContext.put(TRANSITION_TO_GENERATE_OTHER_LOGIN_METHOD_GUI_TASK, true); executionContext.put(CONTEXT_FLAG_ADVANCED_MATCHING_FAILED_REASON, MSG_PROP_24); executionContext.put(CONTEXT_FLAG_ADVANCED_MATCHING_FAILED, true); @@ -207,28 +211,27 @@ public class ReceiveMobilePhoneSignatureResponseTask extends AbstractAuthServlet } } catch (final AuthnResponseValidationException e) { + log.info(ERROR_GENERIC, e.getMessage()); throw new TaskExecutionException(pendingReq, ERROR_MSG_03, e); } catch (MessageDecodingException | SecurityException | SamlSigningException e) { - //final String samlRequest = request.getParameter("SAMLRequest"); - //log.debug("Receive INVALID PVP Response from 'ms-specific eIDAS node': {}", - // samlRequest, null, e); + log.info(ERROR_GENERIC, e.getMessage()); throw new TaskExecutionException(pendingReq, ERROR_MSG_00, new AuthnResponseValidationException(ERROR_PVP_11, new Object[]{MODULE_NAME_FOR_LOGGING}, e)); } catch (IOException | MarshallingException | TransformerException e) { - log.debug("Processing PVP response from 'ms-specific eIDAS node' FAILED.", e); + log.info("Processing PVP response from 'ms-specific eIDAS node' FAILED.", e); throw new TaskExecutionException(pendingReq, ERROR_MSG_01, new AuthnResponseValidationException(ERROR_PVP_12, new Object[]{MODULE_NAME_FOR_LOGGING, e.getMessage()}, e)); } catch (final CredentialsNotAvailableException e) { - log.debug("PVP response decryption FAILED. No credential found.", e); + log.info("PVP response decryption FAILED. No credential found.", e); throw new TaskExecutionException(pendingReq, ERROR_MSG_02, new AuthnResponseValidationException(ERROR_PVP_10, new Object[]{MODULE_NAME_FOR_LOGGING}, e)); } catch (final Exception e) { // todo catch ManualFixNecessaryException in any other way? - log.debug("PVP response validation FAILED. Msg:" + e.getMessage(), e); + log.info("PVP response validation FAILED. Msg: {}",e.getMessage(), e); throw new TaskExecutionException(pendingReq, ERROR_MSG_03, new AuthnResponseValidationException(ERROR_PVP_12, new Object[]{MODULE_NAME_FOR_LOGGING, e.getMessage()}, e)); @@ -356,7 +359,7 @@ public class ReceiveMobilePhoneSignatureResponseTask extends AbstractAuthServlet final Set includedAttrNames = extractor.getAllIncludeAttributeNames(); for (final String attrName : includedAttrNames) { if (PvpAttributeDefinitions.BPK_NAME.equals(attrName)) { - builder.bpk(extractor.getSingleAttributeValue(attrName)); + builder.bpk(removeTargetPrefixFromBpk(extractor.getSingleAttributeValue(attrName))); } if (PvpAttributeDefinitions.GIVEN_NAME_NAME.equals(attrName)) { builder.givenName(extractor.getSingleAttributeValue(attrName)); @@ -377,5 +380,24 @@ public class ReceiveMobilePhoneSignatureResponseTask extends AbstractAuthServlet } + private String removeTargetPrefixFromBpk(String bpkWithPrefix) { + if (StringUtils.isNotEmpty(bpkWithPrefix)) { + final String[] spitted = bpkWithPrefix.split(":"); + if (spitted.length == 2) { + log.debug("Find PVP-Attr: {}", PvpAttributeDefinitions.BPK_FRIENDLY_NAME); + return spitted[1]; + + } else { + log.info("Find PVP-Attr: {} without prefix. Use it as it is", PvpAttributeDefinitions.BPK_FRIENDLY_NAME); + return spitted[0]; + + } + } else { + log.warn("Receive no bPK in response from ID Austria System. There is something wrong on IDA side!!!"); + return null; + + } + } + } diff --git a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/clients/ZmrClientProductionTest.java b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/clients/ZmrClientProductionTest.java index b99bd302..cada6f40 100644 --- a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/clients/ZmrClientProductionTest.java +++ b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/clients/ZmrClientProductionTest.java @@ -197,7 +197,6 @@ public class ZmrClientProductionTest { } - @Ignore @Test public void updateZmrEntryTestIdentity() throws EidasSAuthenticationException { final String personalIdentifier = "7cEYSvKZasdfsafsaf4CDVzNT4E7cjkU4Vq"; @@ -205,9 +204,9 @@ public class ZmrClientProductionTest { final SimpleEidasData eidasData = SimpleEidasData.builder() .citizenCountryCode(cc) - .familyName("XXXĂ–hlinger") - .givenName("XXXHildegard") - .dateOfBirth("1971-02-18") + .familyName("Muster301") + .givenName("Eric") + .dateOfBirth("1988-01-03") .personalIdentifier(cc + "/AT/" + personalIdentifier) .pseudonym(personalIdentifier) .build(); diff --git a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseTaskTest.java b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseTaskTest.java index 8fae81b1..034f06d1 100644 --- a/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseTaskTest.java +++ b/modules/authmodule-eIDAS-v2/src/test/java/at/asitplus/eidas/specific/modules/auth/eidas/v2/test/tasks/ReceiveMobilePhoneSignatureResponseTaskTest.java @@ -79,7 +79,7 @@ import net.shibboleth.utilities.java.support.xml.ParserPool; public class ReceiveMobilePhoneSignatureResponseTaskTest { private static final String METADATA_PATH = "classpath:/data/idp_metadata_classpath_entity.xml"; - private static final String BPK_FROM_ID_AUSTRIA = "BF:QVGm48cqcM4UcyhDTNGYmVdrIoY="; + private static final String BPK_FROM_ID_AUSTRIA = "QVGm48cqcM4UcyhDTNGYmVdrIoY="; @Autowired protected MsConnectorDummyConfigMap authConfig; @@ -377,6 +377,29 @@ public class ReceiveMobilePhoneSignatureResponseTaskTest { //Mockito.verify(registerSearchService).step7aKittProcess(eq(registerSearchResult), eq(eidData)); } + @Test + public void httpPostValidSignedAssertionEidValid_ExactlyOneRegisterResultDeprecadedBpkEnc() throws Exception { + setupMetadataResolver(); + initResponse("/data/Response_with_EID_deprecated_bpk_encoding.xml", true); + AuthProcessDataWrapper authProcessData = pendingReq.getSessionData(AuthProcessDataWrapper.class); + SimpleEidasData eidData = createEidasDataMatchingToSamlResponse().build(); + authProcessData.setGenericDataToSession(Constants.DATA_SIMPLE_EIDAS, eidData); + RegisterStatusResults registerSearchResult = buildResultWithOneMatch(); + MatchingTaskUtils.storeIntermediateMatchingResult(pendingReq, registerSearchResult); + + task.execute(pendingReq, executionContext); + + AuthProcessDataWrapper session = pendingReq.getSessionData(AuthProcessDataWrapper.class); + assertEquals("LoA", "http://eidas.europa.eu/LoA/low", session.getQaaLevel()); + assertEquals("IssueInstant", "2014-03-05T06:39:51Z", session.getIssueInstantString()); + assertNull("Transition To S16", executionContext.get(Constants.TRANSITION_TO_GENERATE_GUI_QUERY_AUSTRIAN_RESIDENCE_TASK)); + + //TODO: update this check because this task selects one result from MDS search result before and creates a new element + //Mockito.verify(registerSearchService).step7aKittProcess(eq(registerSearchResult), eq(eidData)); + } + + + //TODO: implement new test that this test makes no sense any more @Ignore @Test diff --git a/modules/authmodule-eIDAS-v2/src/test/resources/data/Response_with_EID_deprecated_bpk_encoding.xml b/modules/authmodule-eIDAS-v2/src/test/resources/data/Response_with_EID_deprecated_bpk_encoding.xml new file mode 100644 index 00000000..92ace06c --- /dev/null +++ b/modules/authmodule-eIDAS-v2/src/test/resources/data/Response_with_EID_deprecated_bpk_encoding.xml @@ -0,0 +1,52 @@ + + + classpath:/data/idp_metadata_classpath_entity.xml + + + + + https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp/metadata + + QVGm48cqcM4UcyhDTNGYmVdrIoY= + + + + + + + https://localhost/authhandler/sp/idaustria/metadata + + + + + http://eidas.europa.eu/LoA/high + + + + + Mustermann + + + 2.1 + + + http://eidas.europa.eu/LoA/low + + + IT + + + Max + + + 1940-01-01 + + + QVGm48cqcM4UcyhDTNGYmVdrIoY= + + + MIIBbjCCARSgAwIBAgIEXh7TNzAKBggqhkjOPQQDAjA/MQswCQYDVQQGEwJBVDENMAsGA1UECgwERUdJWjEOMAwGA1UECwwFalVuaXQxETAPBgNVBAMMCG1ldGFkYXRhMB4XDTIwMDExNTA4NTQxNVoXDTMwMDExNDA4NTQxNVowPzELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVHSVoxDjAMBgNVBAsMBWpVbml0MREwDwYDVQQDDAhtZXRhZGF0YTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBdBkaxt31p++aZeP3SmlWITj9SYO4McV2ccXFsH4X4QMHuKAMUvjxPm1kdU01eTOWdiQX0GpDIBspYMZh8ZKcwwCgYIKoZIzj0EAwIDSAAwRQIhAJ3QKlk9cd90s+i8y62fvmGF6LtfNO+JvkWqDUBeQImnAiA2KwFtzO7STAp9MEwQGe0vt0F8mO1ttrLE+rr6YxdwGA== + + + + -- cgit v1.2.3