respect multi-part stork responses

2 files changed, 27 insertions, 14 deletions

diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
index 3338804b4..e2c3880ac 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
@@ -136,7 +136,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep
 			try {

 				// validate SAML Token

 				Logger.debug("Starting validation of SAML response");

-				authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) request.getRemoteHost());

+				authnResponse = engine.validateSTORKAuthnResponseWithQuery(decSamlToken, (String) request.getRemoteHost());

 				Logger.info("SAML response succesfully verified!");

 			} catch (STORKSAMLEngineException e) {

 				Logger.error("Failed to verify STORK SAML Response", e);

@@ -211,10 +211,16 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep
 

 			Logger.debug("Found a preceeding STORK AuthnRequest to this MOA session: " + moaSessionID);

 

-			// //////////// incorporate gender from parameters if not in stork response

 

-			IPersonalAttributeList attributeList = authnResponse.getPersonalAttributeList();

+			// first, try to fetch the attributes from the list of total attributes. Note that this very list is only filled

+			// with ALL attributes when there is more than one assertion in the SAML2 STORK message.  

+			IPersonalAttributeList attributeList = authnResponse.getTotalPersonalAttributeList();

+

+			// if the list is empty, there was just one assertion... probably

+			if(attributeList.isEmpty())

+				attributeList = authnResponse.getPersonalAttributeList();

 

+			// //////////// incorporate gender from parameters if not in stork response

 			// but first, check if we have a representation case

 			if (STORKResponseProcessor.hasAttribute("mandateContent", attributeList)

 					|| STORKResponseProcessor.hasAttribute("representative", attributeList)

@@ -233,7 +239,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep
 						tmp.add(gendervalue);

 						gender.setValue(tmp);

 

-						authnResponse.getPersonalAttributeList().add(gender);

+						attributeList.add(gender);

 					}

 				}

 			}

@@ -246,7 +252,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep
 			// extract signed doc element and citizen signature

 			String citizenSignature = null;

 			try {

-				PersonalAttribute signedDoc = authnResponse.getPersonalAttributeList().get("signedDoc");

+				PersonalAttribute signedDoc = attributeList.get("signedDoc");

 				String signatureInfo = null;

 				// FIXME: Remove nonsense code (signedDoc attribute... (throw Exception for "should not occur" situations)), adjust error messages in order to reflect the true problem...

 				if (signedDoc != null) {

@@ -259,7 +265,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep
 					// store authnResponse

 

 					// moaSession.setAuthnResponse(authnResponse);//not serializable

-					moaSession.setAuthnResponseGetPersonalAttributeList(authnResponse.getPersonalAttributeList());

+					moaSession.setAuthnResponseGetPersonalAttributeList(attributeList);

 

 					String authnContextClassRef = null;

 					try {

diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
index 6e0bd19ff..9df0ff37b 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
@@ -162,7 +162,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 			try {

 				// validate SAML Token

 				Logger.debug("Starting validation of SAML response");

-				authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) request.getRemoteHost());

+				authnResponse = engine.validateSTORKAuthnResponseWithQuery(decSamlToken, (String) request.getRemoteHost());

 				Logger.info("SAML response succesfully verified!");

 			} catch (STORKSAMLEngineException e) {

 				Logger.error("Failed to verify STORK SAML Response", e);

@@ -297,9 +297,16 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 			

 			Logger.debug("Found a preceeding STORK AuthnRequest to this MOA session: " + moaSessionID);

 

-			// //////////// incorporate gender from parameters if not in stork response

 

-			IPersonalAttributeList attributeList = authnResponse.getPersonalAttributeList();

+			// first, try to fetch the attributes from the list of total attributes. Note that this very list is only filled

+			// with ALL attributes when there is more than one assertion in the SAML2 STORK message.  

+			IPersonalAttributeList attributeList = authnResponse.getTotalPersonalAttributeList();

+

+			// if the list is empty, there was just one assertion... probably

+			if(attributeList.isEmpty())

+				attributeList = authnResponse.getPersonalAttributeList();

+

+			// //////////// incorporate gender from parameters if not in stork response

 

 			// but first, check if we have a representation case

 			if (STORKResponseProcessor.hasAttribute("mandateContent", attributeList)

@@ -320,7 +327,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 						tmp.add(gendervalue);

 						gender.setValue(tmp);

 

-						authnResponse.getPersonalAttributeList().add(gender);

+						attributeList.add(gender);

 					}

 				}

 			}

@@ -336,15 +343,15 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 			// extract signed doc element and citizen signature

 			try {

 

-				if (authnResponse.getPersonalAttributeList().get("signedDoc") == null 

-						|| authnResponse.getPersonalAttributeList().get("signedDoc").getValue() == null

-						|| authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0) == null) {

+				if (attributeList.get("signedDoc") == null 

+						|| attributeList.get("signedDoc").getValue() == null

+						|| attributeList.get("signedDoc").getValue().get(0) == null) {

 					Logger.info("STORK Response include NO signedDoc attribute!");

 					throw new STORKException("STORK Response include NO signedDoc attribute.");

 					

 				}

 				

-				String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0);

+				String signatureInfo = attributeList.get("signedDoc").getValue().get(0);

 					

 									

 				Logger.debug("signatureInfo:" + signatureInfo);