| author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2018-06-05 10:44:40 +0200 | 
|---|---|---|
| committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2018-06-05 10:44:40 +0200 | 
| commit | 709197ce12c5502f86e16da1167b97ca318f47fa (patch) | |
| tree | 17a96fd5d68ddd9eb6390989bcd4590ade8de46d | |
| parent | ecf9de84e76dde785ced8c1632c7909d1d57f94a (diff) | |
implement user restriction based on whitelisting
9 files changed, 195 insertions, 12 deletions
| diff --git a/id/server/doc/handbook/protocol/protocol.html b/id/server/doc/handbook/protocol/protocol.html index 7d3f8d627..8f6ed735c 100644 --- a/id/server/doc/handbook/protocol/protocol.html +++ b/id/server/doc/handbook/protocol/protocol.html @@ -621,6 +621,10 @@ Redirect Binding</td>      <td>1110</td>      <td>Ungültige Single Sign-On Session</td>    </tr> +  <tr> +    <td>1111</td> +    <td>Der Anmeldevorgang wurde automatisiert abgebrochten da dem Benutzer die nötigen Zugriffsrechte für diese Online Applikation fehlen.</td> +  </tr>  </table>  <h5><a name="statuscodes_12xxx" id="allgemeines_zugangspunkte13"></a>1.3.1.3 STORK (12xxx)</h5>  <table class="configtable"> diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java new file mode 100644 index 000000000..4853a5ab6 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java 
@@ -0,0 +1,85 @@ +package at.gv.egovernment.moa.id.auth.modules.internal.tasks; + +import java.util.List; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.springframework.beans.factory.annotation.Autowired; + +import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; +import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; +import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils; +import at.gv.egovernment.moa.id.config.auth.data.UserWhitelistStore; +import at.gv.egovernment.moa.id.data.Pair; +import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +public class UserRestrictionTask extends AbstractAuthServletTask { +		 +	public static final String CONFIG_PROPS_SP_LIST = "configuration.restrictions.sp.entityIds"; +	public static final String CONFIG_PROPS_CSV_USER_FILE = "configuration.restrictions.sp.users.url"; +	public static final String CONFIG_PROPS_CSV_USER_SECTOR = "configuration.restrictions.sp.users.sector"; +	 +	@Autowired(required=true) UserWhitelistStore whitelist; +	 +	@Override +	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) +			throws TaskExecutionException { +		try {			 +			String spEntityId = pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix();			 +			List<String> restrictedSPs = KeyValueUtils.getListOfCSVValues(authConfig.getBasicMOAIDConfiguration(CONFIG_PROPS_SP_LIST));						 +			if (restrictedSPs.contains(spEntityId)) { +				Logger.debug("SP:" + spEntityId + " has a user restrication. Check users bPK ... 
");				 +				defaultTaskInitialization(request, executionContext);; +				 +				//check if user idl is already loaded +				if (moasession.getIdentityLink() == null) { +					Logger.warn("PendingRequest contains NO IdentityLink. User restrictation NOT possible!"); +					throw new MOAIDException("process.03", null); +					 +				} +				 +				//calculate whitelist bPK for current user +				String bpkTarget = authConfig.getBasicMOAIDConfiguration(CONFIG_PROPS_CSV_USER_SECTOR); +				if (MiscUtil.isEmpty(bpkTarget)) { +					Logger.info("NO bPK sector for user whitelist in configuration"); +					throw new MOAIDException("config.05", new Object[] {CONFIG_PROPS_CSV_USER_SECTOR}); +					 +				} +				 +				Pair<String, String> pseudonym = new BPKBuilder().generateAreaSpecificPersonIdentifier( +						moasession.getIdentityLink().getIdentificationValue(),  +						moasession.getIdentityLink().getIdentificationType(),  +						bpkTarget); +				 +				 +				//check if user's bPK is whitelisted  +				if (!whitelist.isUserbPKInWhitelist(pseudonym.getFirst())) { +					Logger.info("User's bPK is not whitelisted. Authentication process stops ..."); +					Logger.trace("User's bPK: " + pseudonym.getFirst()); +					throw new MOAIDException("auth.35", null); +					 +				} +				 +				Logger.debug("User was found in whitelist. Continue authentication process ... "); +				 +			} else +				Logger.trace("SP: " + spEntityId + " has no user restrication."); +			 +			 +		} catch (MOAIDException e) { +			throw new TaskExecutionException(pendingReq, e.getMessage(), e); +			 +		} catch (Exception e) { +			Logger.warn("RestartAuthProzessManagement has an internal error", e); +			throw new TaskExecutionException(pendingReq, e.getMessage(), e); +			 +		}		 + +	} + +} 
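Review bot: The generic catch at the end of execute() logs `"RestartAuthProzessManagement has an internal error"`, which names a different task and will mislead whoever reads the log; use `Logger.warn("UserRestrictionTask has an internal error", e);`. The call `defaultTaskInitialization(request, executionContext);;` carries a stray second semicolon. `Logger.trace("User's bPK: " + pseudonym.getFirst())` writes a sector-specific personal identifier to the log although the decision itself is already logged at info level, so either drop the trace line or document that trace logging must stay off outside debugging. A class-level Javadoc should state the fail-closed contract visible in the code: for an SP listed under `configuration.restrictions.sp.entityIds` the user is rejected with `auth.35` unless the bPK computed for the configured sector is in the whitelist, which means an empty or unreadable whitelist rejects every user of a restricted SP.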
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java new file mode 100644 index 000000000..a300739b3 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java 
@@ -0,0 +1,73 @@ +package at.gv.egovernment.moa.id.config.auth.data; + +import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.IOException; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.net.URISyntaxException; +import java.net.URL; +import java.util.ArrayList; +import java.util.List; + +import javax.annotation.PostConstruct; + +import org.apache.commons.io.IOUtils; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; + +import at.gv.egovernment.moa.id.auth.modules.internal.tasks.UserRestrictionTask; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils; +import at.gv.egovernment.moa.util.FileUtils; +import at.gv.egovernment.moa.util.MiscUtil; +import at.gv.egovernment.moaspss.logging.Logger; + +@Service("UserWhiteList_Store") +public class UserWhitelistStore { + +	@Autowired(required=true) AuthConfiguration authConfig; +	 +	private List<String> whitelist = new ArrayList<String>(); +	 +	@PostConstruct +	private void initialize() { +		String whiteListUrl = authConfig.getBasicMOAIDConfiguration(UserRestrictionTask.CONFIG_PROPS_CSV_USER_FILE); +		if (MiscUtil.isEmpty(whiteListUrl))  +			Logger.debug("Do not initialize user whitelist. Reason: No configuration path to CSV file."); +		 +		else { +			String absWhiteListUrl = FileUtils.makeAbsoluteURL(whiteListUrl, authConfig.getRootConfigFileDir()); +			try {			 +				InputStream is = new FileInputStream(new File(new URL(absWhiteListUrl).toURI())); +				String whiteListString = IOUtils.toString(new InputStreamReader(is)); +				whitelist = KeyValueUtils.getListOfCSVValues(KeyValueUtils.normalizeCSVValueString(whiteListString)); +				Logger.info("User whitelist is initialized with " + whitelist.size() + " entries."); +				  +			} catch (FileNotFoundException e) { +				Logger.warn("Do not initialize user whitelist. 
Reason: CSV file with bPKs NOT found", e); + +			} catch (IOException e) { +				Logger.warn("Do not initialize user whitelist. Reason: CSV file is NOT readable", e); +				 +			} catch (URISyntaxException e) { +				Logger.warn("Do not initialize user whitelist. Reason: CSV file looks wrong", e); +				 +			} +			 +		} +		 +	} +	 +	/** +	 * Check if bPK is in whitelist +	 *  +	 * @param bPK +	 * @return true if bPK is in whitelist, otherwise false +	 */ +	public boolean isUserbPKInWhitelist(String bPK) {		 +		return whitelist.contains(bPK); +		 +	} +} diff --git a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml index ba8c47304..dc3022ab4 100644 --- a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml +++ b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml @@ -42,6 +42,9 @@  	<bean id="MOAID_SSOManager"   				class="at.gv.egovernment.moa.id.moduls.SSOManager"/> +	<bean id="UserWhiteList_Store"  +				class="at.gv.egovernment.moa.id.config.auth.data.UserWhitelistStore"/> +  	<bean id="AuthenticationSessionStoreage"  @@ -91,7 +94,11 @@  	<bean id="EvaluateSSOConsentsTaskImpl"   				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.EvaluateSSOConsentsTaskImpl" -				scope="prototype"/>		 +				scope="prototype"/> +				 +	<bean id="UserRestrictionTask"  +				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.UserRestrictionTask" +				scope="prototype"/>			  	<beans profile="advancedLogOn">  		<bean id="StatisticLogger"  diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 84fd93773..799b32025 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties 
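Review bot: In initialize(), the `FileInputStream` opened for the whitelist is never closed, and `new InputStreamReader(is)` reads it with the platform default charset, so the parsed bPK entries depend on the JVM's locale settings. Wrap the stream in try-with-resources and fix the encoding: `try (InputStream is = new FileInputStream(new File(new URL(absWhiteListUrl).toURI())); Reader reader = new InputStreamReader(is, StandardCharsets.UTF_8)) {` and `String whiteListString = IOUtils.toString(reader);` (adds imports for `java.io.Reader` and `java.nio.charset.StandardCharsets`). `new File(URI)` throws an IllegalArgumentException for any non-`file:` URI, which none of the three catch clauses handles; if `FileUtils.makeAbsoluteURL` can yield other schemes, a bad configuration value aborts bean creation instead of logging a warning, which may be the intended fail-closed behaviour but deserves a comment. Since a missing or unreadable file leaves the whitelist empty and every user of a restricted SP is then rejected, the class Javadoc should state this contract and the three warn-level messages would be better at error level so the misconfiguration is noticed.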
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -52,6 +52,7 @@ auth.31=Federated authentication FAILED. No information for AttributeQuery, mayb  auth.32=Federated authentication FAILED. No configuration for IDP {0}
  auth.33=Federated authentication FAILED. Configuration of IDP {0} does not allow inbound messages. 
  auth.34=Federated authentication FAILED. Configuration of IDP {0} is marked as BusinessService-IDP, but Public-Service attributes are requested.
 +auth.35=Der Anmeldevorgang wurde automatisiert abgebrochen, da der Benutzer nicht für dieses Onlineapplikation berechtigt ist. 
  init.00=MOA-ID-Auth wurde erfolgreich gestartet
  init.01=Fehler beim Aktivieren des IAIK-JCE/JSSE/JDK1.3 Workaround\: SSL ist m\u00F6glicherweise nicht verf\u00FCgbar
 @@ -336,6 +337,7 @@ slo.02=Es wurde keine aktive SSO Session gefunden oder Sie sind bei keiner Onlin  process.01=Fehler beim Ausf\u00FChren des Prozesses.
  process.02=Fehler beim Erstellen eines geeigneten Prozesses f\u00FCr die SessionID {0}.
  process.03=Fehler beim Weiterf\u00FChren es Prozesses. Msg:{0}
 +process.03=Fehler beim Ausf\u00FChren des Prozesses. Interner state ung\u00FCltig.
  sl20.00=Allgemeiner Fehler w\u00e4hrend SL2.0 Authentifizierung. Msg: {0}
  sl20.01=Fehler beim Generieren des SL2.0 Kommandos. Msg: {0}
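Review bot: The added line `process.03=Fehler beim Ausf\u00FChren des Prozesses. Interner state ung\u00FCltig.` duplicates the key `process.03` that is still defined two lines above with a `{0}` placeholder, so the last definition wins and every existing caller that passes a message argument to process.03 loses it; the new text needs its own key (the next free `process.` number) and UserRestrictionTask should throw that key instead. The same duplicate appears in protocol_response_statuscodes_de.properties, where `process.03=9105` is followed by the added `process.03=9104`, silently changing the status code of the existing error. In the auth.35 message, `nicht für dieses Onlineapplikation berechtigt` should read `nicht für diese Onlineapplikation berechtigt`.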
 diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties index d77ea437b..dae88889f 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties @@ -32,6 +32,7 @@ auth.31=4400  auth.32=4401  auth.33=4401  auth.34=4401 +auth.35=1111  init.00=9199  init.01=9199 @@ -103,6 +104,7 @@ service.10=4500  process.01=9104  process.02=9104  process.03=9105 +process.03=9104  sp.pvp2.00=4501  sp.pvp2.01=4501 diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml index 74792ed72..48c7b6a07 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml 
@@ -15,7 +15,8 @@  	<pd:Task id="prepareAuthBlockSignature" class="PrepareAuthBlockSignatureTask" />  	<pd:Task id="prepareGetMISMandate" 			class="PrepareGetMISMandateTask" />  	<pd:Task id="finalizeAuthentication" 		class="FinalizeAuthenticationTask" /> -	<pd:Task id="getForeignID"              class="GetForeignIDTask"              async="true" /> +	<pd:Task id="getForeignID"              class="GetForeignIDTask"              async="true" />	 +	<pd:Task id="userRestrictionTask" class="UserRestrictionTask" />  	<!-- Process is triggered either by GenerateIFrameTemplateServlet (upon bku selection) or by AuthenticationManager (upon legacy authentication start using legacy parameters. -->  	<pd:StartEvent id="start" /> @@ -39,13 +40,15 @@  	<pd:Transition from="verifyCertificate"         to="getForeignID" />  	<pd:Transition from="verifyAuthBlock"           to="prepareGetMISMandate" conditionExpression="ctx['useMandate']" /> -	<pd:Transition from="verifyAuthBlock"           to="finalizeAuthentication" /> +	<pd:Transition from="verifyAuthBlock"           to="userRestrictionTask" />  	<pd:Transition from="prepareGetMISMandate"      to="getMISMandate" /> -	<pd:Transition from="getMISMandate"           	to="finalizeAuthentication" /> -	<pd:Transition from="getForeignID"              to="finalizeAuthentication" /> +	<pd:Transition from="getMISMandate"           	to="userRestrictionTask" /> +	<pd:Transition from="getForeignID"              to="userRestrictionTask" /> +	 +	<pd:Transition from="userRestrictionTask"           to="finalizeAuthentication" />  	<pd:Transition from="finalizeAuthentication"    to="end" />  	<pd:EndEvent id="end" /> 
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml index d41e8a017..60fd120d0 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml @@ -17,6 +17,8 @@  	<pd:Task id="finalizeAuthentication" 		class="FinalizeAuthenticationTask" />  	<pd:Task id="getForeignID"              class="GetForeignIDTask"              async="true" /> +	<pd:Task id="userRestrictionTask" class="UserRestrictionTask" /> +	  	<!-- ELGA Mandate-Service Tasks -->  	<pd:Task id="redirectToMandateSelectionTask"    class="RedirectToMandateSelectionTask" />  	<pd:Task id="selectMandateServiceTask"    			class="SelectMandateServiceTask" async="true"/> @@ -47,7 +49,7 @@  	<pd:Transition from="verifyCertificate"         to="getForeignID" />  	<pd:Transition from="verifyAuthBlock"           to="redirectToMandateSelectionTask" conditionExpression="ctx['useMandate']" /> -	<pd:Transition from="verifyAuthBlock"           to="finalizeAuthentication" /> +	<pd:Transition from="verifyAuthBlock"           to="userRestrictionTask" />  	<pd:Transition from="redirectToMandateSelectionTask"   to="prepareGetMISMandate" conditionExpression="ctx['useMISMandate']" />	  	<pd:Transition from="redirectToMandateSelectionTask"   to="selectMandateServiceTask" />		 
@@ -60,13 +62,14 @@  	<pd:Transition from="requestELGAMandateTask"      		to="receiveElgaMandateResponseTask" /> -	<pd:Transition from="receiveElgaMandateResponseTask"  to="finalizeAuthentication" /> +	<pd:Transition from="receiveElgaMandateResponseTask"  to="userRestrictionTask" />  	<pd:Transition from="prepareGetMISMandate"      to="getMISMandate" />	 -	<pd:Transition from="getMISMandate"           	to="finalizeAuthentication" /> -	 -	<pd:Transition from="getForeignID"              to="finalizeAuthentication" /> +	<pd:Transition from="getMISMandate"           	to="userRestrictionTask" /> +	<pd:Transition from="getForeignID"              to="userRestrictionTask" /> +		 +	<pd:Transition from="userRestrictionTask"       to="finalizeAuthentication" />  	<pd:Transition from="finalizeAuthentication"    to="end" />  	<pd:EndEvent id="end" /> diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/sl20.Authentication.process.xml b/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/sl20.Authentication.process.xml index 4975dc2d7..673144b06 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/sl20.Authentication.process.xml +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/sl20.Authentication.process.xml 
@@ -3,16 +3,20 @@  	<pd:Task id="createQualifiedeIDRequest" class="CreateQualeIDRequestTask" />  	<pd:Task id="receiveQualifiedeID" class="ReceiveQualeIDResponseTask"  async="true"/> -	<pd:Task id="verifyQualifiedeIDTask" class="VerifyQualifiedeIDTask" async="true"/>	 +	<pd:Task id="verifyQualifiedeIDTask" class="VerifyQualifiedeIDTask" async="true"/> +	<pd:Task id="userRestrictionTask" class="UserRestrictionTask" />	  	<pd:Task id="finalizeAuthentication" class="FinalizeAuthenticationTask" />  	<pd:StartEvent id="start" />  	<pd:Transition from="start" to="createQualifiedeIDRequest" />	  	<pd:Transition from="createQualifiedeIDRequest" to="receiveQualifiedeID" />	  	<pd:Transition from="receiveQualifiedeID" to="verifyQualifiedeIDTask" /> -	<pd:Transition from="verifyQualifiedeIDTask" to="finalizeAuthentication" />			 +	<pd:Transition from="verifyQualifiedeIDTask" to="userRestrictionTask" />			 +	<pd:Transition from="userRestrictionTask" to="finalizeAuthentication" />  	<pd:Transition from="finalizeAuthentication"    to="end" /> +	 +	  	<pd:EndEvent id="end" />  </pd:ProcessDefinition> | 
