diff options
author | Bojan Suzic <bojan.suzic@iaik.tugraz.at> | 2015-05-19 13:45:11 +0200 |
---|---|---|
committer | Bojan Suzic <bojan.suzic@iaik.tugraz.at> | 2015-05-19 13:45:11 +0200 |
commit | b7c5a35d0f5a960bfaf8008ec2661f21764d2e2d (patch) | |
tree | 3f7251047b2222a7cbe6a25aafa058c273a115fe | |
parent | 6207deba1c063a20f2ce92f1f09e1d27b3783cec (diff) | |
download | moa-id-spss-b7c5a35d0f5a960bfaf8008ec2661f21764d2e2d.tar.gz moa-id-spss-b7c5a35d0f5a960bfaf8008ec2661f21764d2e2d.tar.bz2 moa-id-spss-b7c5a35d0f5a960bfaf8008ec2661f21764d2e2d.zip |
integrating attribute correlation check for eidentifier, when present; updating mandate data; extending error messages
6 files changed, 80 insertions, 38 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java index 371cfb1d7..42e9bf25d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java @@ -50,7 +50,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; /** - * the AttributeCollector Action tries to get all requested attributes from a set of {@link AttributeProvider} Plugins. + * The AttributeCollector Action tries to get all requested attributes from a set of {@link AttributeProvider} Plugins. * The class is called whenever the {@link AuthenticationRequest} Action is invoked and checks for missing attributes. * Furthermore, the class can handle direct posts. That is when the class triggers an attribute query which needs user * interaction, redirect to another portal, etc. The redirect will hit here and the class can continue to fetch attributes. @@ -80,8 +80,6 @@ public class AttributeCollector implements IAction { } - // TODO extract attribute response and check if it corresponds to the container - if (httpReq.getParameter("SAMLResponse") != null) { Logger.info("Got SAML response from external attribute provider."); @@ -106,7 +104,7 @@ public class AttributeCollector implements IAction { STORKAuthnResponse authnResponse = null; - // check if valid authn request is contained + // check if valid authn response is contained try { authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, httpReq.getRemoteAddr()); } catch (STORKSAMLEngineException ex) { @@ -115,6 +113,22 @@ public class AttributeCollector implements IAction { STORK2Response.setSTORKAuthnResponseToken(decSamlToken); + // check if the attributes are provided for the same person from request + // requires presence of eIdentifier for unambigious correlation + Logger.debug("Checking if the attribute relates to the correct person.."); + try { + String remoteEIdentifier= authnResponse.getPersonalAttributeList().get("eIdentifier").getValue().get(0); + String localEidentifier= container.getResponse().getStorkAuthnResponse().getPersonalAttributeList().get("eIdentifier").getValue().get(0); + if (!remoteEIdentifier.equals(localEidentifier)) { + Logger.error("The attribute is not provided for the same person!"); + throw new MOAIDException("stork.25", null); + } + } catch (NullPointerException ex) { + Logger.warn("Could not check the correlation of attributes from external provider. Ignoring the check."); + //Logger.debug(ex); + //throw new MOAIDException("stork.04", null); // TODO revise message, raise exception when ehvd checked + } + if (authnResponse.getPersonalAttributeList().size() > 0) { Logger.info("Response from external attribute provider contains " + authnResponse.getPersonalAttributeList().size() + " attributes."); container.getResponse().setPersonalAttributeList(addOrUpdateAll(container.getResponse().getPersonalAttributeList(), authnResponse.getPersonalAttributeList())); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateContainer.java index 9207cc2dc..a3fac0f6e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateContainer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateContainer.java @@ -165,7 +165,8 @@ public abstract class MandateContainer { } public void setPhysicalRepresentativeBirthDate(String physicalRepresentativeBirthDate) { - this.physicalRepresentativeBirthDate = physicalRepresentativeBirthDate; + // making it conform to STORK dateOfBirth specifications, removing dash + this.physicalRepresentativeBirthDate = physicalRepresentativeBirthDate.replaceAll("-",""); } public String getAnnotation() { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java index 59e1dbeca..c529a8465 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java @@ -41,7 +41,6 @@ import eu.stork.peps.auth.commons.PersonalAttribute; import eu.stork.peps.auth.commons.PersonalAttributeList; import eu.stork.peps.auth.commons.STORKAttrQueryResponse; import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.*; -import org.apache.commons.codec.binary.Base64; import org.apache.commons.codec.binary.StringUtils; import javax.servlet.http.HttpServletRequest; @@ -54,14 +53,14 @@ import javax.xml.datatype.DatatypeFactory; import javax.xml.datatype.XMLGregorianCalendar; import javax.xml.namespace.QName; import java.io.StringWriter; -import java.math.BigInteger; import java.util.ArrayList; import java.util.Arrays; import java.util.HashMap; import java.util.regex.Pattern; /** - * + * Entry point for mandate retrieval. Processes MIS data and transforms into STORK mandate attribute. + * Additionally provides eIdentifier attribute (if requested) in order to enable identity correlation */ public class MandateRetrievalRequest implements IAction { @@ -78,8 +77,13 @@ public class MandateRetrievalRequest implements IAction { this.QAALevel = translateQAALevel(authData.getQAALevel()); // preparing original content and removing sensitive data from it - this.originalContent = authData.getMISMandate().getMandate(); // TODO ERROR - //Logger.debug("Original content " + StringUtils.newStringUtf8(authData.getMISMandate().getMandate())); + try { + this.originalContent = authData.getMISMandate().getMandate(); + } catch (Exception e) { + Logger.error("Could not extract mandate"); + Logger.debug(e); + throw new MOAIDException("stork.26", new Object[]{}); + } String originalMandate = StringUtils.newStringUtf8(authData.getMISMandate().getMandate()).replaceAll("<pd:Value>.*?==</pd:Value><pd:Type>urn:publicid:gv.at:baseid</pd:Type>","<pd:Value></pd:Value><pd:Type></pd:Type>");; Logger.debug("Removing personal identification value and type from original mandate "); originalContent = StringUtils.getBytesUtf8(originalMandate); @@ -97,13 +101,13 @@ public class MandateRetrievalRequest implements IAction { this.moaStorkRequest = (MOASTORKRequest) req; } else { Logger.error("Internal error - did not receive MOASTORKRequest as expected"); - throw new MOAIDException("stork.16", new Object[]{}); // TODO + throw new MOAIDException("stork.27", new Object[]{}); } if (!(moaStorkRequest.isAttrRequest() || moaStorkRequest.getStorkAttrQueryRequest() == null)) { Logger.error("Did not receive attribute request as expected"); - throw new MOAIDException("stork.16", new Object[]{}); // TODO + throw new MOAIDException("stork.27", new Object[]{}); } MandateContainer mandateContainer = null; @@ -115,7 +119,7 @@ public class MandateRetrievalRequest implements IAction { mandateContainer = new PhyPersonMandateContainer(new String(authData.getMISMandate().getMandate(), "UTF-8")); } catch (Exception ex2) { Logger.error("Could not extract data and create mandate container."); - throw new MOAIDException("stork.16", new Object[]{}); // TODO + throw new MOAIDException("stork.27", new Object[]{}); } } @@ -123,26 +127,21 @@ public class MandateRetrievalRequest implements IAction { IPersonalAttributeList attributeList = new PersonalAttributeList(); + // according to new mapping, only mandate attribute is directly relevant for (PersonalAttribute currentAttribute : sourceAttributeList) { - Logger.debug("Evaluating currentattribute " + currentAttribute.getName()); - if (currentAttribute.getName().equals("mandateContent")) { + Logger.debug("Evaluating attributes, current attribute: " + currentAttribute.getName()); + if (currentAttribute.getName().equals("mandateContent")) { // deprecated MandateContentType mandateContent = getMandateContent(mandateContainer, currentAttribute); attributeList.add(marshallComplexAttribute(currentAttribute, mandateContent)); - } else if (currentAttribute.getName().equals("representative")) { // TODO CHECK IN DETAIL + } else if (currentAttribute.getName().equals("representative")) { // deprecated RepresentationPersonType representative = getRepresentative(mandateContainer, currentAttribute); attributeList.add(marshallComplexAttribute(currentAttribute, representative)); - - //attributeList.add(getRepresentative(mandateContainer, currentAttribute)); } else if (currentAttribute.getName().equals("represented")) { - //attributeList.add(getRepresented(mandateContainer, currentAttribute)); RepresentationPersonType represented = getRepresented(mandateContainer, currentAttribute); attributeList.add(marshallComplexAttribute(currentAttribute, represented)); - } else if (currentAttribute.getName().equals("mandate")) { - //attributeList.add(getMandateType(mandateContainer, currentAttribute)); MandateType mandateType = getMandateType(mandateContainer, currentAttribute); attributeList.add(marshallComplexAttribute(currentAttribute, mandateType)); - } else if (currentAttribute.getName().equals("legalName")) { String legalName = getLegalName(mandateContainer, currentAttribute); if (legalName.length() > 0) { @@ -180,6 +179,11 @@ public class MandateRetrievalRequest implements IAction { } } + if (currentAttribute.getName().equals("eIdentifier")) { + attributeList.add(new PersonalAttribute(currentAttribute.getName(), currentAttribute.isRequired(), Arrays.asList(geteIdentifier(authData.getIdentificationType(), authData.getIdentificationValue(), moaStorkRequest.getStorkAttrQueryRequest().getSpCountry())), AttributeStatusType.AVAILABLE.value())); + Logger.info("Adding eIdentifier for mandate holder using SP country: " + moaStorkRequest.getStorkAttrQueryRequest().getSpCountry()); + } + } @@ -228,7 +232,7 @@ public class MandateRetrievalRequest implements IAction { if (qaaLevel.equals(PVPConstants.STORK_QAA_1_4)) return 4; Logger.error("Wrong QAA Number format"); - throw new MOAIDException("stork.16", new Object[]{}); + throw new MOAIDException("stork.28", new Object[]{}); } private String geteLPIdentifier(MandateContainer mandateContainer, PersonalAttribute currentAttribute) throws MOAIDException { @@ -237,11 +241,20 @@ public class MandateRetrievalRequest implements IAction { return represented.getELPIdentifier(); } else if (currentAttribute.isRequired()) { Logger.error("Cannot provide eLPIdentifier for natural person."); - throw new MOAIDException("stork.19", new Object[]{currentAttribute.getName()}); // TODO + throw new MOAIDException("stork.29", new Object[]{currentAttribute.getName()}); } return ""; } + private String geteIdentifier(String identificationType, String identificationValue, String destinationCountry) throws MOAIDException { + BPKBuilder bpkBuilder = new BPKBuilder(); + try { + return bpkBuilder.buildStorkeIdentifier(identificationType, identificationValue, destinationCountry); + } catch (BuildException be) { + Logger.error("Could not build STORK eIdentifier while generating mandate assertion."); + throw new MOAIDException("stork.29", new Object[]{}); + } + } private PersonalAttribute marshallComplexAttribute(PersonalAttribute currentAttribute, Object obj) { // TODO refactor StringWriter stringWriter = new StringWriter(); @@ -456,7 +469,6 @@ public class MandateRetrievalRequest implements IAction { private String getRepresentedStorkeIdentifier(MandateContainer mandateContainer) throws MOAIDException { - //String identificationType, String identificationValue if (!(mandateContainer instanceof PhyPersonMandateContainer)) { Logger.error("Physical person mandate container missing"); throw new MOAIDException("stork.20", new Object[]{}); // TODO @@ -479,13 +491,7 @@ public class MandateRetrievalRequest implements IAction { throw new MOAIDException("stork.20", new Object[]{}); // TODO } - BPKBuilder bpkBuilder = new BPKBuilder(); - try { - return bpkBuilder.buildStorkeIdentifier(phyPersonMandateContainer.getPhyPersMandatorIdentificationType(), phyPersonMandateContainer.getPhyPersMandatorIdentificationValue(), this.moaStorkRequest.getStorkAttrQueryRequest().getSpCountry()); - } catch (BuildException be) { - Logger.error("Could not build STORK eIdentifier while generating mandate assertion."); - throw new MOAIDException("stork.20", new Object[]{}); // TODO - } + return geteIdentifier(phyPersonMandateContainer.getPhyPersMandatorIdentificationType(), phyPersonMandateContainer.getPhyPersMandatorIdentificationValue(), this.moaStorkRequest.getStorkAttrQueryRequest().getSpCountry()); } private String getRepresentingStorkeIdentifier(MandateContainer mandateContainer) throws MOAIDException { @@ -522,6 +528,7 @@ public class MandateRetrievalRequest implements IAction { Logger.error("Could not build STORK eIdentifier while generating mandate assertion."); throw new MOAIDException("stork.20", new Object[]{}); // TODO } + } private RepresentationPersonType getRepresentative(MandateContainer mandateContainer, PersonalAttribute sourceAttribute) throws MOAIDException { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/PhyPersonMandateContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/PhyPersonMandateContainer.java index ba89663ab..c715b65eb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/PhyPersonMandateContainer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/PhyPersonMandateContainer.java @@ -109,7 +109,8 @@ public class PhyPersonMandateContainer extends MandateContainer { } public void setPhyPersMandatorBirthDate(String phyPersMandatorBirthDate) { - this.phyPersMandatorBirthDate = phyPersMandatorBirthDate; + // making it conform to STORK dateOfBirth specifications, removing dash + this.phyPersMandatorBirthDate = phyPersMandatorBirthDate.replaceAll("-",""); } public String getPhyPersMandatorIdentificationValue() { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/MandateAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/MandateAttributeRequestProvider.java index f4d963645..f671f0807 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/MandateAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/MandateAttributeRequestProvider.java @@ -73,6 +73,7 @@ public class MandateAttributeRequestProvider extends AttributeProvider { return "MandateAttributeRequestProvider"; } + // TODO check if used @Override protected IPersonalAttributeList acquire(PersonalAttribute attribute, MOASTORKRequest moastorkRequest, IAuthData authData) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException { Logger.info("Acquiring attribute: " + attribute.getName() + ", by: " + getAttrProviderName()); @@ -85,10 +86,14 @@ public class MandateAttributeRequestProvider extends AttributeProvider { Logger.info("Attribute " + attribute.getName() + " not supported by the provider: " + getAttrProviderName()); throw new UnsupportedAttributeException(); } - PersonalAttributeList result = new PersonalAttributeList(); - //return result; - + // check if there is eIdentifier included and add if necessary +// if (!requestedAttributes.containsKey("eIdentifier")) { +// PersonalAttribute eIdentifier = new PersonalAttribute(); + // eIdentifier.setName("eIdentifier"); +// eIdentifier.setIsRequired(true); +// requestedAttributes.add(eIdentifier); +// } Logger.info("Thrown external request by: " + getAttrProviderName()); throw new ExternalAttributeRequestRequiredException(this); @@ -111,10 +116,12 @@ public class MandateAttributeRequestProvider extends AttributeProvider { // continue with other attribute providers if there are no attributes current provider is able to handle if (requestedAttributes.size() == 0) { - Logger.info("Attribute(s) " + attributes.toString() + " not supported by the provider: " + getAttrProviderName()); + Logger.info("Attribute(s) " + attributes.toString() + " not supported by the provider: " + getAttrProviderName()); throw new UnsupportedAttributeException(); } + + Logger.info("Thrown external request by: " + getAttrProviderName()); throw new ExternalAttributeRequestRequiredException(this); } @@ -144,7 +151,14 @@ public class MandateAttributeRequestProvider extends AttributeProvider { } - + // TODO ensure that other providers request eidentifier + // check if there is eIdentifier included and add if necessary + if (!requestedAttributes.containsKey("eIdentifier")) { + PersonalAttribute eIdentifier = new PersonalAttribute(); + eIdentifier.setName("eIdentifier"); + eIdentifier.setIsRequired(true); + requestedAttributes.add(eIdentifier); + } //generate AttrQueryRequest STORKAttrQueryRequest attributeRequest = new STORKAttrQueryRequest(); diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index ad01644a1..0d91fc2c0 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -232,6 +232,11 @@ stork.21=Der angeforderte QAA-level {0} ist h\u00F6her als der QAA-level der Aut stork.22=Der STORK Authentifizierung erfordert die Auswahl des Herkunftslandes der Betroffenen.
stork.23=Die STORK Authentifizierung f\u00FCr "{0}" wird nicht unterst\u00FCtzt.
stork.24=Die STORK Authentifizierungsantwort enth\uFFFDlt leere Angaben zum Geschlecht.
+stork.25=Die Attribute referenzieren verschiedene Personen.
+stork.26=Fehler bei der Extrahierung von Vollmachtendaten.
+stork.27=Fehler bei der Verarbeitung von STORKRequest.
+stork.28=Fehler bei der Umwandelung von QAA Daten.
+stork.29=Fehler bei der Generierung von STORK-Attribut (eIdentifier/eLPIdentifier)
pvp2.00={0} ist kein gueltiger consumer service index
pvp2.01=Fehler beim kodieren der PVP2 Antwort
|