authorThomas Lenz <tlenz@iaik.tugraz.at>2014-10-22 14:01:31 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2014-10-22 14:01:31 +0200
commit5a5ab5c36c94157e431a6128e3189db314626859 (patch)
treec86bfd6f5d2680f73b17259dd1a574a5e6bb9d88
parent503cfcb406551c32f23ad0f4809f56d2d0d605d1 (diff)
add PVPAuthentication provider
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeProviderFactory.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKPVPUtilits.java49
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java238
3 files changed, 290 insertions, 0 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeProviderFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeProviderFactory.java
index bcc031741..a1525db0a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeProviderFactory.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeProviderFactory.java
@@ -27,6 +27,7 @@ import at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.AttributePro
import at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.EHvdAttributeProviderPlugin;
import at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.EHvdAttribute_deprecatedProviderPlugin;
import at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.MandateAttributeRequestProvider;
+import at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.PVPAuthenticationProvider;
import at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.SignedDocAttributeRequestProvider;
import at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.StorkAttributeRequestProvider;
import at.gv.egovernment.moa.logging.Logger;
@@ -80,6 +81,8 @@ public class AttributeProviderFactory {
ex.printStackTrace();
return null;
}
+ } else if (shortname.equals("PVPAuthenticationProvider")) {
+ return new PVPAuthenticationProvider(url, attributes);
} else {
return null;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKPVPUtilits.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKPVPUtilits.java
new file mode 100644
index 000000000..d923eccde
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKPVPUtilits.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.stork2;
+
+import java.util.Arrays;
+import java.util.List;
+
+/**
+ * @author tlenz
+ *
+ */
+public class STORKPVPUtilits {
+
+ public static final List<String> attributesRequirePVPAuthentication =
+ Arrays.asList("ECApplicationRole");
+
+
+
+ public static boolean performAuthenticationOnNationalIDP(MOASTORKRequest moastorkRequest) {
+ for (String el : attributesRequirePVPAuthentication) {
+ if (moastorkRequest.getPersonalAttributeList().containsKey(el)) {
+ return true;
+
+ }
+ }
+ return false;
+ }
+
+}
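Review bot: `attributesRequirePVPAuthentication` is a public static list backed by `Arrays.asList`, which allows `set()` on its elements, so any caller can change which attributes trigger PVP authentication; wrap it as `Collections.unmodifiableList(Arrays.asList("ECApplicationRole"))` (needs `import java.util.Collections;`). `performAuthenticationOnNationalIDP` calls `moastorkRequest.getPersonalAttributeList()` on every iteration with no null check; whether that list can be null is not visible in this diff, but a guard would keep a missing list from surfacing as a NullPointerException. Both the class and the method lack Javadoc; a summary such as `/** Decides whether a STORK request must be routed through PVP authentication on the national IDP. */` on the method would help. The class name `STORKPVPUtilits` looks like a typo for `Utils`.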
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java
new file mode 100644
index 000000000..95af3565e
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java
@@ -0,0 +1,238 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.stork2.attributeproviders;
+
+import java.io.StringWriter;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.velocity.Template;
+import org.apache.velocity.VelocityContext;
+import org.apache.velocity.app.VelocityEngine;
+
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.stork2.ExternalAttributeRequestRequiredException;
+import at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest;
+import at.gv.egovernment.moa.id.protocols.stork2.UnsupportedAttributeException;
+import at.gv.egovernment.moa.id.util.HTTPUtils;
+import at.gv.egovernment.moa.id.util.VelocityProvider;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.StringUtils;
+import eu.stork.peps.auth.commons.IPersonalAttributeList;
+import eu.stork.peps.auth.commons.PEPSUtil;
+import eu.stork.peps.auth.commons.PersonalAttribute;
+import eu.stork.peps.auth.commons.STORKAttrQueryRequest;
+import eu.stork.peps.auth.commons.STORKAttrQueryResponse;
+import eu.stork.peps.auth.commons.STORKAuthnRequest;
+import eu.stork.peps.auth.commons.STORKAuthnResponse;
+import eu.stork.peps.auth.engine.STORKSAMLEngine;
+import eu.stork.peps.exceptions.STORKSAMLEngineException;
+
+/**
+ * @author tlenz
+ *
+ */
+public class PVPAuthenticationProvider extends AttributeProvider {
+
+ private String destination = null;
+ private MOASTORKRequest moastorkRequest = null;
+
+ /**
+ * @param attributes
+ * @param attributes2
+ */
+ public PVPAuthenticationProvider(String url, String attributes) {
+ super(attributes);
+ this.destination = url;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.AttributeProvider#acquire(eu.stork.peps.auth.commons.PersonalAttribute, java.lang.String, at.gv.egovernment.moa.id.data.IAuthData)
+ */
+ @Override
+ protected IPersonalAttributeList acquire(PersonalAttribute attribute,
+ MOASTORKRequest moastorkRequest, IAuthData authData)
+ throws UnsupportedAttributeException,
+ ExternalAttributeRequestRequiredException, MOAIDException {
+
+ this.moastorkRequest = moastorkRequest;
+ // break if we cannot handle the requested attribute
+ if (!attributes.contains(attribute.getName())) {
+ Logger.info("Attribute " + attribute.getName() + " not supported by the provider: " + getAttrProviderName());
+ throw new UnsupportedAttributeException();
+
+ }
+
+ Logger.info("Thrown external request by: " + getAttrProviderName());
+ throw new ExternalAttributeRequestRequiredException(this);
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.AttributeProvider#performRedirect(java.lang.String, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, at.gv.egovernment.moa.id.config.auth.OAAuthParameter)
+ */
+ @Override
+ public void performRedirect(String url, HttpServletRequest req,
+ HttpServletResponse resp, OAAuthParameter oaParam)
+ throws MOAIDException {
+
+ String spSector = "Business";
+ String spInstitution = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "UNKNOWN" : oaParam.getFriendlyName();
+ String spApplication = spInstitution;
+ String spCountryCode = moastorkRequest.getSpCountry();
+
+ if ((spCountryCode == null) || (spCountryCode.length()<2)) {
+ spCountryCode = oaParam.getTarget();
+ Logger.info("Setting spcountry target: " + oaParam.getTarget());
+ Logger.info("idlink ident " + oaParam.getIdentityLinkDomainIdentifier());
+ Logger.info("idlink type " + oaParam.getIdentityLinkDomainIdentifierType());
+ Logger.info("Setting spcountry target friendly : " + oaParam.getTargetFriendlyName());
+ Logger.info("Oatype : " + oaParam.getOaType());
+ Logger.info("puburl : " + oaParam.getPublicURLPrefix());
+ if ("STORK".equals(oaParam.getIdentityLinkDomainIdentifierType())) {
+
+ spCountryCode = oaParam.getIdentityLinkDomainIdentifier().substring(oaParam.getIdentityLinkDomainIdentifier().length()-2);
+ Logger.info("Set to " +spCountryCode);
+ }
+
+ }
+
+ //generate AttrQueryRequest
+ STORKAuthnRequest authRequest = new STORKAuthnRequest();
+ authRequest.setDestination(destination);
+ authRequest.setAssertionConsumerServiceURL(url);
+ authRequest.setIssuer(HTTPUtils.getBaseURL(req));
+ authRequest.setQaa(oaParam.getQaaLevel());
+ authRequest.setSpInstitution(spInstitution);
+ authRequest.setCountry(spCountryCode);
+ authRequest.setSpCountry(spCountryCode);
+ authRequest.setSpApplication(spApplication);
+ authRequest.setSpSector(spSector);
+ authRequest.setPersonalAttributeList(moastorkRequest.getPersonalAttributeList());
+
+ authRequest.setCitizenCountryCode("AT");
+ authRequest.setQaa(oaParam.getQaaLevel());
+
+ if (authRequest.getQaa() == 0 ) {
+ authRequest.setQaa(4); // workaround
+ }
+
+
+
+ Logger.info("STORK AttrRequest successfully assembled.");
+
+ STORKSAMLEngine samlEngine = STORKSAMLEngine.getInstance("VIDP");
+ try {
+
+ authRequest = samlEngine.generateSTORKAuthnRequest(authRequest);
+ } catch (STORKSAMLEngineException e) {
+ Logger.error("Could not sign STORK SAML AttrRequest.", e);
+ throw new MOAIDException("stork.00", null);
+ }
+
+ Logger.info("STORK AttrRequest successfully signed!");
+
+ //validate AuthnRequest
+ try {
+ samlEngine.validateSTORKAuthnRequest(authRequest.getTokenSaml());
+ } catch (STORKSAMLEngineException e) {
+ Logger.error("STORK SAML AuthnRequest not valid.", e);
+ throw new MOAIDException("stork.01", null);
+ }
+
+ Logger.debug("STORK AuthnRequest successfully internally validated.");
+
+ try {
+ Logger.trace("Initialize VelocityEngine...");
+
+ VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine();
+ Template template = velocityEngine.getTemplate("/resources/templates/saml2-post-binding-moa.vm");
+ VelocityContext context = new VelocityContext();
+ context.put("SAMLRequest", PEPSUtil.encodeSAMLToken(authRequest.getTokenSaml()));
+ context.put("action", destination);
+
+ StringWriter writer = new StringWriter();
+ template.merge(context, writer);
+
+ resp.getOutputStream().write(writer.toString().getBytes("UTF-8"));
+
+ } catch (Exception e) {
+ Logger.error("Error sending STORK SAML AttrRequest.", e);
+ throw new MOAIDException("stork.11", null);
+
+ }
+ Logger.info("STORK AttrRequest successfully rendered!");
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.AttributeProvider#parse(javax.servlet.http.HttpServletRequest)
+ */
+ @Override
+ public IPersonalAttributeList parse(HttpServletRequest httpReq)
+ throws UnsupportedAttributeException, MOAIDException {
+
+ Logger.info(this.getClass().getSimpleName() + " tries to extract SAMLResponse out of HTTP Request");
+
+ //extract STORK Response from HTTP Request
+ //Decodes SAML Response
+ byte[] decSamlToken;
+ try {
+ decSamlToken = PEPSUtil.decodeSAMLToken(httpReq.getParameter("SAMLResponse"));
+ } catch(NullPointerException e) {
+ throw new UnsupportedAttributeException();
+ }
+
+ //Get SAMLEngine instance
+ STORKSAMLEngine engine = STORKSAMLEngine.getInstance("VIDP");
+
+ STORKAuthnResponse authnResponse = null;
+ try {
+ //validate SAML Token
+ Logger.debug("Starting validation of SAML response");
+ authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) httpReq.getRemoteHost());
+ Logger.info("SAML response successfully verified!");
+
+ }catch(STORKSAMLEngineException e){
+ Logger.error("Failed to verify STORK SAML Response", e);
+ throw new MOAIDException("stork.05", null);
+ }
+
+ return authnResponse.getPersonalAttributeList();
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.AttributeProvider#getPriority()
+ */
+ @Override
+ public int getPriority() {
+ return 1;
+ }
+
+ public String getAttrProviderName() {
+ return this.getClass().getName();
+ }
+}
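Review bot: `parse()` relies on catching a NullPointerException to detect a missing `SAMLResponse` parameter (the `catch(NullPointerException e)` after `PEPSUtil.decodeSAMLToken`), which also hides any NPE raised inside the decoder; check the parameter explicitly before decoding. The result of `authnResponse.getPersonalAttributeList()` is returned without inspecting the response itself, so unless `validateSTORKAuthnResponse` already rejects responses carrying a failure status (not verifiable from this diff), that status should be checked before the attribute list is trusted. The second argument passed to `validateSTORKAuthnResponse` is `httpReq.getRemoteHost()`, which may perform a reverse DNS lookup and yields a host name rather than an address; if the engine expects the client IP, `httpReq.getRemoteAddr()` is the intended value — worth confirming against the engine API. In `performRedirect`, the HTML form is written to `resp.getOutputStream()` without `resp.setContentType("text/html;charset=UTF-8")`, and the surrounding `catch (Exception e)` maps every failure, including I/O errors, to `stork.11`.
```java
    Logger.info(this.getClass().getSimpleName() + " tries to extract SAMLResponse out of HTTP Request");

    String samlResponse = httpReq.getParameter("SAMLResponse");
    if (StringUtils.isEmpty(samlResponse)) {
        throw new UnsupportedAttributeException();
    }
    byte[] decSamlToken = PEPSUtil.decodeSAMLToken(samlResponse);
    // … unchanged: SAMLEngine lookup and response validation …
```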