From 6b93c404726457a04cb52430d40abcf23fdd8f31 Mon Sep 17 00:00:00 2001 From: Thomas <> Date: Tue, 11 Oct 2022 16:40:54 +0200 Subject: feat(ejustic): add work-around to support BORIS eJustice attribute for natural person on IDA system eJustice attributes are implemented by using mandates on IDA side. However, European Commission only supports authentication without mandates. This work-around integrates both requirements into MS-Proxy-Service --- .../EJusticWorkaroundPersonRoleHandler.java | 35 +++++++++++++++ .../handler/EJusticePersonRoleHandler.java | 8 +++- .../handler/IEidasAttributeHandler.java | 9 ++++ .../protocol/ProxyServiceAuthenticationAction.java | 51 +++++++++++++++++++++- .../resources/spring/eidas_proxy-service.beans.xml | 3 ++ 5 files changed, 104 insertions(+), 2 deletions(-) create mode 100644 modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticWorkaroundPersonRoleHandler.java (limited to 'modules/eidas_proxy-sevice/src/main') diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticWorkaroundPersonRoleHandler.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticWorkaroundPersonRoleHandler.java new file mode 100644 index 00000000..6f855c14 --- /dev/null +++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticWorkaroundPersonRoleHandler.java @@ -0,0 +1,35 @@ +package at.asitplus.eidas.specific.modules.msproxyservice.handler; + +import at.gv.egiz.eaaf.core.api.idp.IEidAuthData; +import at.gv.egiz.eaaf.core.impl.idp.EidAuthenticationData; +import lombok.NonNull; +import lombok.extern.slf4j.Slf4j; + + +/** + * eJustic PersonRole attribute-handler for natural-person use-cases only. + * + *

In that special case, the legal-person mandate will be ignored and + * eIDAS response looks like a normal authentication without mandates.

+ * + * @author tlenz + * + */ +@Slf4j +public class EJusticWorkaroundPersonRoleHandler extends EJusticePersonRoleHandler { + + @Override + public void performAuthDataPostprocessing(@NonNull IEidAuthData authData) { + if (authData.isUseMandate()) { + log.info("eJusticeNaturalPersonRole was requested by SP. " + + "Perform work-around and partially ignoring mandate from IDA system ... "); + ((EidAuthenticationData)authData).setUseMandate(false); + + } else { + log.info("eJustice attribute was requested but no mandate from ID Austria. " + + "Something looks wrong, but use it as it is."); + + } + } + +} diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticePersonRoleHandler.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticePersonRoleHandler.java index 6a5e4967..f8c14ceb 100644 --- a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticePersonRoleHandler.java +++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/EJusticePersonRoleHandler.java @@ -57,7 +57,13 @@ public class EJusticePersonRoleHandler implements IEidasAttributeHandler { spConfig.getRequestedAttributes().addAll(additionalReqAttributes); log.info("Add additional requested attributes: {}", additionalReqAttributes); - } + } + } + + @Override + public void performAuthDataPostprocessing(@NonNull IEidAuthData authData) { + log.trace("{} needs no post processing of authData, because we are in regular mode of operation.", + EJusticePersonRoleHandler.class.getName()); } diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/IEidasAttributeHandler.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/IEidasAttributeHandler.java index 5a9c8d8c..36deba30 100644 
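Review bot: The downcast `((EidAuthenticationData)authData).setUseMandate(false)` in performAuthDataPostprocessing is unchecked although the parameter is typed as the interface `IEidAuthData`, so any other implementation reaching this handler fails with a ClassCastException, which the `catch (Exception e)` in ProxyServiceAuthenticationAction.executeAttributeHandler then only logs, leaving the mandate flag set. A guard such as `if (!(authData instanceof EidAuthenticationData)) { throw new IllegalStateException("eJustice work-around requires EidAuthenticationData, got: " + authData.getClass().getName()); }` makes that failure explicit instead of silent. The class Javadoc should also say that this handler modifies the passed authData in place by clearing useMandate, since nothing in the interface tells a caller to expect that. The else-branch proceeds at info level when an eJustice attribute is requested without a mandate; if that combination is not an acceptable state it should be rejected rather than described as "use it as it is".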
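Review bot: The trace message in the new default performAuthDataPostprocessing names the class through the literal `EJusticePersonRoleHandler.class.getName()`, so a subclass that inherits this default logs the parent's name rather than its own; `getClass().getName()` reports the runtime class. The method also deserves a short Javadoc stating that it intentionally does nothing in regular mode and exists to be overridden, e.g. `/** No-op in regular mode; subclasses override this to adjust authData for special attribute handling. */`.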
--- a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/IEidasAttributeHandler.java +++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/handler/IEidasAttributeHandler.java @@ -22,6 +22,15 @@ public interface IEidasAttributeHandler { void performSpConfigPostprocessing(@NonNull ServiceProviderConfiguration spConfig); + /** + * Perform attribute-specific post-processing of authentication information. + * + * @param authData authentication information from ID Austria system that should be post processed. + */ + @NonNull + void performAuthDataPostprocessing(@NonNull IEidAuthData authData); + + /** * Build eIDAS attribute-value from authentication data. * diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/ProxyServiceAuthenticationAction.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/ProxyServiceAuthenticationAction.java index f1cb8f0b..7d01deda 100644 --- a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/ProxyServiceAuthenticationAction.java +++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/ProxyServiceAuthenticationAction.java @@ -1,8 +1,11 @@ package at.asitplus.eidas.specific.modules.msproxyservice.protocol; import java.io.IOException; +import java.util.Objects; import java.util.Optional; +import java.util.Set; import java.util.UUID; +import java.util.stream.Collectors; import javax.annotation.PostConstruct; import javax.servlet.ServletException; 
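Review bot: `@NonNull` on the new `void performAuthDataPostprocessing(@NonNull IEidAuthData authData)` declaration annotates a return value that does not exist; on a void method it is a no-op that misleads readers into expecting a result, so drop it and keep only the `@NonNull` on the parameter. The Javadoc should further state whether implementations may modify the passed object, e.g. `Implementations may modify the given authData in place; callers must not assume it is unchanged after this call.`, because the concrete handlers added in this commit rely on exactly that in-place mutation and the interface otherwise leaves the contract unspecified.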
@@ -205,9 +208,14 @@ public class ProxyServiceAuthenticationAction implements IAction { } + + private ImmutableAttributeMap buildAttributesFromAuthData(IAuthData authData, ILightRequest eidasReq) { - final IEidAuthData eidAuthData = (IEidAuthData) authData; + + // eIDAS Out-Going and attribute-specific post-processing of authentication data + final IEidAuthData eidAuthData = performAuthdataPostprocessing(authData, eidasReq); + final ImmutableAttributeMap.Builder attributeMap = ImmutableAttributeMap.builder(); // inject all requested attributres 
@@ -369,5 +377,46 @@ public class ProxyServiceAuthenticationAction implements IAction { PvpAttributeDefinitions.MANDATE_LEG_PER_SOURCE_PIN_NAME, String.class)); } + + /** + * Post-processing of authentication data based on requested attributes. + * + * @param authData Authentication data from ID Austria system. + * @param eidasRequest AuthnRequest from foreign country + * @return AuthnRequest specific modification of authentication data + */ + private IEidAuthData performAuthdataPostprocessing(IAuthData authData, ILightRequest eidasRequest) { + IEidAuthData idaAuthData = (IEidAuthData) authData; + + // select advanced attribute handler + Set requiredHandlers = eidasRequest.getRequestedAttributes().getAttributeMap().keySet().stream() + .map(el -> attrRegistry.mapEidasAttributeToAttributeHandler(el.getNameUri().toString()).orElse(null)) + .filter(Objects::nonNull) + .distinct() + .collect(Collectors.toSet()); + + if (!requiredHandlers.isEmpty()) { + log.info("eIDAS requested attributes requires #{} specific attribute-hander. " + + "Starting advanced post-processing of authentication data ... ", requiredHandlers.size()); + requiredHandlers.forEach(el -> executeAttributeHandler(el, idaAuthData)); + + } + + return idaAuthData; + + } + + private void executeAttributeHandler(String handlerClass, IEidAuthData authData) { + try { + IEidasAttributeHandler handler = context.getBean(handlerClass, IEidasAttributeHandler.class); + + log.trace("Perfom authData post-processing by using: {}", handler.getClass().getName()); + handler.performAuthDataPostprocessing(authData); + + } catch (Exception e) { + log.error("No custom attribute-handler implementation for: {}. Operation can NOT be performed", handlerClass, e); + + } + } } diff --git a/modules/eidas_proxy-sevice/src/main/resources/spring/eidas_proxy-service.beans.xml b/modules/eidas_proxy-sevice/src/main/resources/spring/eidas_proxy-service.beans.xml index 38bd44da..361802eb 100644 
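Review bot: `catch (Exception e)` in executeAttributeHandler turns every failure of a handler — a missing bean, a ClassCastException inside the handler, any runtime error — into a log line, after which performAuthdataPostprocessing returns the unmodified idaAuthData and the eIDAS response is built as if the post-processing had run. For a handler whose job is to restrict what ends up in the response, such as the mandate work-around in this commit, that is fail-open: the flag the handler was supposed to clear stays set and the response is produced anyway. Narrow the catch to the bean lookup, `catch (BeansException e)`, and let a handler failure propagate, or rethrow it as the exception type the caller of buildAttributesFromAuthData already handles so the request is rejected rather than answered. Minor: `.distinct()` before `Collectors.toSet()` is redundant, and the log messages contain typos (`Perfom`, `attribute-hander`).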
--- a/modules/eidas_proxy-sevice/src/main/resources/spring/eidas_proxy-service.beans.xml +++ b/modules/eidas_proxy-sevice/src/main/resources/spring/eidas_proxy-service.beans.xml @@ -38,4 +38,7 @@ + + \ No newline at end of file -- cgit v1.2.3