From 709244c42e6dfe339805a1476a70a5690b1ee4dc Mon Sep 17 00:00:00 2001 From: Thomas <> Date: Thu, 1 Dec 2022 08:21:51 +0100 Subject: feat(proxyservice): add configuration flag to disable error forwarding to eIDAS Node --- .../msproxyservice/MsProxyServiceConstants.java | 4 +- .../protocol/EidasProxyServiceController.java | 140 +++++++++++---------- 2 files changed, 77 insertions(+), 67 deletions(-) (limited to 'modules/eidas_proxy-sevice/src/main') diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java index a2a2e78f..418d2799 100644 --- a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java +++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/MsProxyServiceConstants.java @@ -18,7 +18,9 @@ public class MsProxyServiceConstants { public static final String CONIG_PROPS_EIDAS_PROXY_NODE_ENTITYID = EidasConstants.CONIG_PROPS_EIDAS_NODE + ".proxy.entityId"; public static final String CONIG_PROPS_EIDAS_PROXY_NODE_FORWARD_URL = EidasConstants.CONIG_PROPS_EIDAS_NODE - + ".proxy.forward.endpoint"; + + ".proxy.forward.endpoint"; + public static final String CONIG_PROPS_EIDAS_PROXY_NODE_FORWARD_ERRORS = EidasConstants.CONIG_PROPS_EIDAS_NODE + + ".proxy.forward.errors"; public static final String CONIG_PROPS_EIDAS_PROXY_ATTIBUTE_CONFIGURATION = diff --git a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java index b5f6b6d2..4de28956 100644 
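Review bot: The new `CONIG_PROPS_EIDAS_PROXY_NODE_FORWARD_ERRORS` key is added without any Javadoc, although it switches a security-relevant behaviour (whether error responses leave the Proxy-Service towards the eIDAS Node) and its default is only visible in EidasProxyServiceController. I would document it on the constant, e.g. `/** Boolean property: forward authentication errors to the eIDAS Node as SAML error responses instead of handling them locally (default: false, see EidasProxyServiceController#generateErrorMessage). */`. Keeping the file's existing `CONIG_` spelling is fine for consistency; if the module has an operator-facing configuration reference, the new property should be listed there as well.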
--- a/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java +++ b/modules/eidas_proxy-sevice/src/main/java/at/asitplus/eidas/specific/modules/msproxyservice/protocol/EidasProxyServiceController.java @@ -45,6 +45,7 @@ import at.gv.egiz.eaaf.core.api.data.EaafConstants; import at.gv.egiz.eaaf.core.api.data.ExtendedPvpAttributeDefinitions.SpMandateModes; import at.gv.egiz.eaaf.core.api.idp.IModulInfo; import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; import at.gv.egiz.eaaf.core.exceptions.EaafException; import at.gv.egiz.eaaf.core.exceptions.GuiBuildException; import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController; @@ -99,8 +100,7 @@ public class EidasProxyServiceController extends AbstractController implements I */ @RequestMapping(value = { MsProxyServiceConstants.EIDAS_HTTP_ENDPOINT_IDP_POST, - MsProxyServiceConstants.EIDAS_HTTP_ENDPOINT_IDP_REDIRECT - }, + MsProxyServiceConstants.EIDAS_HTTP_ENDPOINT_IDP_REDIRECT }, method = { RequestMethod.POST, RequestMethod.GET }) public void receiveEidasAuthnRequest(HttpServletRequest httpReq, HttpServletResponse httpResp) throws IOException, 
@@ -196,42 +196,9 @@ public class EidasProxyServiceController extends AbstractController implements I
 @Override
 public boolean generateErrorMessage(Throwable e, HttpServletRequest httpReq, HttpServletResponse httpResp,
 IRequest pendingReq) throws Throwable {
- if (pendingReq instanceof ProxyServicePendingRequest) {
- try {
- final ILightRequest eidasReq = ((ProxyServicePendingRequest) pendingReq).getEidasRequest();
-
- // build eIDAS response
- final Builder lightRespBuilder = LightResponse.builder();
- lightRespBuilder.id(UUID.randomUUID().toString());
- lightRespBuilder.inResponseToId(eidasReq.getId());
- lightRespBuilder.relayState(eidasReq.getRelayState());
- lightRespBuilder.issuer(authConfig.getBasicConfiguration(
- MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_NODE_ENTITYID));
- lightRespBuilder.subject(UUID.randomUUID().toString());
- lightRespBuilder.subjectNameIdFormat(NameIDType.TRANSIENT);
- lightRespBuilder.status(ResponseStatus.builder()
- .statusCode(StatusCode.RESPONDER)
- .subStatusCode(EIDASSubStatusCode.AUTHN_FAILED_URI.getValue())
- .statusMessage(StringEscapeUtils.escapeXml(e.getLocalizedMessage()))
- .build());
-
- // forward to eIDAS Proxy-Service
- responseAction.forwardToEidasProxy(pendingReq, httpReq, httpResp, lightRespBuilder.build());
-
- return true;
-
- } catch (ServletException | IOException | GuiBuildException e1) {
- log.warn("Forward error to eIDAS Proxy-Service FAILED. Handle error localy ... ", e1);
-
- }
-
- } else {
- log.error("eIDAS Proxy-Service authentication requires PendingRequest of Type: {}",
- ProxyServicePendingRequest.class.getName());
-
- }
-
- return false;
+ return authConfig.getBasicConfigurationBoolean(
+ MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_NODE_FORWARD_ERRORS, false)
+ && generateAndSendError(e, httpReq, httpResp, pendingReq);
 }
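Review bot: The `false` default in `getBasicConfigurationBoolean(MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_NODE_FORWARD_ERRORS, false)` makes error forwarding opt-in, while the removed code forwarded unconditionally and the commit title describes a flag to disable it; any deployment that does not add the new property silently stops answering the eIDAS Node with an AUTHN_FAILED response, and the Connector side is presumably left waiting for a response that never arrives. If an opt-out was intended, the default should be `true`; if opt-in is intended, the behaviour change needs to be called out for operators. The disabled path also returns without any trace, so I would split the expression and log it: `if (!forwardErrors) { log.debug("Error forwarding to eIDAS Node is disabled by configuration"); return false; }`. What a `false` return triggers (presumably the framework's local error page) is decided in AbstractController, outside this hunk.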
@@ -272,17 +239,17 @@ public class EidasProxyServiceController extends AbstractController implements I .distinct() .collect(Collectors.toSet()); - if (!requiredHandlers.isEmpty()) { + if (!requiredHandlers.isEmpty()) { log.info("eIDAS requested attributes requires #{} specific attribute-hander. " - + "Starting advanced attribute-validation ... ", requiredHandlers.size()); + + "Starting advanced attribute-validation ... ", requiredHandlers.size()); for (String el : requiredHandlers) { executeAdvancedRequestValidation(el, eidasRequest); - + } - + } else { log.debug("No advanced eIDAS attribute-validation required."); - + } } @@ -302,8 +269,8 @@ public class EidasProxyServiceController extends AbstractController implements I && EidasProxyServiceUtils.isNaturalPersonRequested(eidasRequest)) { throw new EidasProxyServiceException(ERROR_08, null); - } - + } + // TODO: validate some other stuff } @@ -354,10 +321,10 @@ public class EidasProxyServiceController extends AbstractController implements I // map eIDAS attributes to national attributes buildNationalRequestedAttributes(spConfig, eidasRequest); - + // execute custom attribute-handler advancedAttributeHandler(spConfig, eidasRequest); - + return spConfig; } catch (final EidasProxyServiceException e) { @@ -368,7 +335,7 @@ public class EidasProxyServiceController extends AbstractController implements I } } - + private void advancedAttributeHandler(ServiceProviderConfiguration spConfig, ILightRequest eidasRequest) { Set requiredHandlers = eidasRequest.getRequestedAttributes().getAttributeMap().keySet().stream() .map(el -> attrRegistry.mapEidasAttributeToAttributeHandler(el.getNameUri().toString()).orElse(null)) 
@@ -376,44 +343,46 @@ public class EidasProxyServiceController extends AbstractController implements I .distinct() .collect(Collectors.toSet()); - if (!requiredHandlers.isEmpty()) { + if (!requiredHandlers.isEmpty()) { log.info("eIDAS requested attributes requires #{} specific attribute-hander. " - + "Starting advanced attribute-handling ... ", requiredHandlers.size()); - requiredHandlers.forEach(el -> executeAttributeHandler(el, spConfig)); - + + "Starting advanced attribute-handling ... ", requiredHandlers.size()); + requiredHandlers.forEach(el -> executeAttributeHandler(el, spConfig)); + } else { log.debug("No advanced eIDAS attribute-handling required."); - - } + + } } private void executeAttributeHandler(String handlerClass, ServiceProviderConfiguration spConfig) { try { IEidasAttributeHandler handler = applicationContext.getBean(handlerClass, IEidasAttributeHandler.class); - + log.trace("Perfom SP config post-processing by using: {}", handler.getClass().getName()); handler.performSpConfigPostprocessing(spConfig); - + } catch (Exception e) { - log.error("No custom attribute-handler implementation for: {}. Operation can NOT be performed", handlerClass, e); - - } + log.error("No custom attribute-handler implementation for: {}. Operation can NOT be performed", + handlerClass, e); + + } } - private void executeAdvancedRequestValidation(String handlerClass, ILightRequest eidasRequest) + private void executeAdvancedRequestValidation(String handlerClass, ILightRequest eidasRequest) throws EidasProxyServiceException { try { IEidasAttributeHandler handler = applicationContext.getBean(handlerClass, IEidasAttributeHandler.class); - + log.trace("Perfom request-validastion by using: {}", handler.getClass().getName()); handler.validateAuthnRequest(eidasRequest); - + } catch (BeansException e) { - log.error("No custom attribute-handler implementation for: {}. 
Operation can NOT be performed", handlerClass, e); - - } + log.error("No custom attribute-handler implementation for: {}. Operation can NOT be performed", + handlerClass, e); + + } } - + private void buildNationalRequestedAttributes( ServiceProviderConfiguration spConfig, ILightRequest eidasRequest) { final boolean mandatesEnabled = !SpMandateModes.NONE.equals(spConfig.getMandateMode()); 
@@ -552,6 +521,45 @@ public class EidasProxyServiceController extends AbstractController implements I
 spConfig.getMandateProfiles(), spConfig.getUniqueIdentifier());
 }
+ }
+
+ private boolean generateAndSendError(Throwable e, HttpServletRequest httpReq, HttpServletResponse httpResp,
+ IRequest pendingReq) throws EaafConfigurationException {
+ if (pendingReq instanceof ProxyServicePendingRequest) {
+ try {
+ final ILightRequest eidasReq = ((ProxyServicePendingRequest) pendingReq).getEidasRequest();
+
+ // build eIDAS response
+ final Builder lightRespBuilder = LightResponse.builder();
+ lightRespBuilder.id(UUID.randomUUID().toString());
+ lightRespBuilder.inResponseToId(eidasReq.getId());
+ lightRespBuilder.relayState(eidasReq.getRelayState());
+ lightRespBuilder.issuer(authConfig.getBasicConfiguration(
+ MsProxyServiceConstants.CONIG_PROPS_EIDAS_PROXY_NODE_ENTITYID));
+ lightRespBuilder.subject(UUID.randomUUID().toString());
+ lightRespBuilder.subjectNameIdFormat(NameIDType.TRANSIENT);
+ lightRespBuilder.status(ResponseStatus.builder()
+ .statusCode(StatusCode.RESPONDER)
+ .subStatusCode(EIDASSubStatusCode.AUTHN_FAILED_URI.getValue())
+ .statusMessage(StringEscapeUtils.escapeXml(e.getLocalizedMessage()))
+ .build());
+
+ // forward to eIDAS Proxy-Service
+ responseAction.forwardToEidasProxy(pendingReq, httpReq, httpResp, lightRespBuilder.build());
+
+ return true;
+
+ } catch (ServletException | IOException | GuiBuildException e1) {
+ log.warn("Forward error to eIDAS Proxy-Service FAILED. Handle error localy ... ", e1);
+
+ }
+
+ } else {
+ log.error("eIDAS Proxy-Service authentication requires PendingRequest of Type: {}",
+ ProxyServicePendingRequest.class.getName());
+
+ }
+ return false;
 }
 }
-- cgit v1.2.3
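Review bot: `.statusMessage(StringEscapeUtils.escapeXml(e.getLocalizedMessage()))` copies the raw message of whatever `Throwable` reached `generateErrorMessage` into the SAML StatusMessage that is forwarded to the eIDAS Node, so internal details such as exception text, configuration keys or file paths can cross the trust boundary to the other member state (escapeXml only prevents markup injection, not disclosure). The sub-status code AUTHN_FAILED already tells the Connector what happened, so I would send a fixed, non-descriptive text and keep the detail local, e.g. `.statusMessage("Authentication failed")` together with `log.warn("Returning error response to eIDAS Node", e)` before the forward. If some application exceptions carry vetted, user-facing text, allow-listing those by type and falling back to the generic message otherwise would preserve that without exposing arbitrary messages. `getLocalizedMessage()` can also be null, which is worth a null-guard regardless of how the builder treats it.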