diff options
| author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2014-04-18 09:56:19 +0200 | 
|---|---|---|
| committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2014-04-18 09:56:19 +0200 | 
| commit | a184de09bda4327441c214aa84d77e57500b28ca (patch) | |
| tree | e7e8129ac11388d3e24dc1d90ce37c5fa0ce35d5 | |
| parent | e71dc9f4f38fc762dad0ce5e0c0cbb8bd5884685 (diff) | |
| download | moa-id-spss-a184de09bda4327441c214aa84d77e57500b28ca.tar.gz moa-id-spss-a184de09bda4327441c214aa84d77e57500b28ca.tar.bz2 moa-id-spss-a184de09bda4327441c214aa84d77e57500b28ca.zip | |
Finish PVP21 interfederation assertion preprocessing
8 files changed, 204 insertions, 91 deletions
| diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java index 31b88263b..b2bcd443f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java @@ -68,6 +68,7 @@ public class OAParameter {  		this.oAuth20Config = oa.getAuthComponentOA().getOAOAUTH20(); +		this.isInderfederationIDP = oa.isIsInterfederationIDP();  	} @@ -104,6 +105,8 @@ public class OAParameter {  	private boolean removePBKFromAuthblock; +	private Boolean isInderfederationIDP; +	  	/**  	 * Contains the oAuth 2.0 configuration (client id, secret and redirect uri)  	 */ @@ -141,4 +144,16 @@ public class OAParameter {  		return oAuth20Config;  	} +	/** +	 * @return the isInderfederationIDP +	 */ +	public boolean isInderfederationIDP() { +		if (isInderfederationIDP == null) +			return false; +		 +		return isInderfederationIDP; +	} +	 +	 +  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 31e19ee46..2f4bbbcf4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -41,6 +41,7 @@ import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;  import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;  import at.gv.egovernment.moa.id.auth.servlet.AuthServlet;  import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; +import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils;  import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;  import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.data.IAuthData; @@ -262,9 +263,12 @@ public class DispatcherServlet extends AuthServlet{  							Logger.debug(DispatcherServlet.class.getName()+": Create PendingRequest with ID " + protocolRequestID + ".");  						} else if (protocolRequest != null &&  -								protocolRequest.getInterfederationResponse() != null ) { +								protocolRequest.getInterfederationResponse() != null ) {							 +							Logger.debug("Create new interfederated MOA-Session and add to HTTPRequest"); +							String sessionID = AuthenticationSessionStoreage.createInterfederatedSession(protocolRequest, true); +							req.getParameterMap().put(PARAM_SESSIONID, sessionID);  							Logger.info("PreProcessing of SSO interfederation response complete. "); -						 +													  						} else {  							Logger.error("Failed to generate a valid protocol request!");  							resp.setContentType("text/html;charset=UTF-8"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 3ab4dd74c..639b8672b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -187,20 +187,20 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {  				IRequest obj = RequestStorage.getPendingRequest(msg.getRelayState());  				if (obj instanceof RequestImpl) { -					RequestImpl iReq = (RequestImpl) obj; +					RequestImpl iReqSP = (RequestImpl) obj;  					MOAResponse processedMsg = preProcessAuthResponse((MOAResponse) msg);  					if ( processedMsg != null ) { -						iReq.setInterfederationResponse((MOAResponse) msg);						 +						iReqSP.setInterfederationResponse((MOAResponse) msg);						  					} else {  						Logger.info("Receive NO valid SSO session from " + msg.getEntityID()   								+". Switch to local authentication process ..."); -						iReq.setRequestedIDP(null); +						iReqSP.setRequestedIDP(null);  					} -					return iReq; +					return iReqSP;  				} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java new file mode 100644 index 000000000..61b481447 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -0,0 +1,111 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.pvp2x.utils; + +import java.util.List; + +import org.opensaml.saml2.core.Assertion; +import org.opensaml.saml2.core.AuthnContextClassRef; +import org.opensaml.saml2.core.AuthnStatement; +import org.opensaml.saml2.core.Response; +import org.opensaml.saml2.core.Subject; + +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +public class AssertionAttributeExtractor { +	 +	private Assertion assertion = null; +	 +	public AssertionAttributeExtractor(Response samlResponse) throws AssertionAttributeExtractorExeption { +		if (samlResponse != null) { +			if (samlResponse.getAssertions().size() == 0)  +				throw new AssertionAttributeExtractorExeption("Assertion"); +				 +			else if (samlResponse.getAssertions().size() > 1) +				Logger.warn("Found more then ONE PVP2.1 assertions. Only the First is used."); +			 +			assertion = samlResponse.getAssertions().get(0);			 +					 +		} else  +			throw new AssertionAttributeExtractorExeption();		 +	} + +	public String getNameID() throws AssertionAttributeExtractorExeption {		 +		if (assertion.getSubject() != null) { +			Subject subject = assertion.getSubject(); +			 +			if (subject.getNameID() != null) { +				if (MiscUtil.isNotEmpty(subject.getNameID().getValue()))					 +					return subject.getNameID().getValue();			 +				 +				else +					Logger.error("SAML2 NameID Element is empty."); +			} +		} +			 +		throw new AssertionAttributeExtractorExeption("nameID"); +	} +	 +	public String getSessionIndex() throws AssertionAttributeExtractorExeption {		 +		AuthnStatement authn = getAuthnStatement(); +		 +		if (MiscUtil.isNotEmpty(authn.getSessionIndex())) +			return authn.getSessionIndex(); +		 +		else +			throw new AssertionAttributeExtractorExeption("SessionIndex");		 +	} + +	/** +	 * @return +	 * @throws AssertionAttributeExtractorExeption  +	 */ +	public String getQAALevel() throws AssertionAttributeExtractorExeption { +		AuthnStatement authn = getAuthnStatement(); +		if (authn.getAuthnContext() != null && authn.getAuthnContext().getAuthnContextClassRef() != null) { +			AuthnContextClassRef qaaClass = authn.getAuthnContext().getAuthnContextClassRef(); +			 +			if (MiscUtil.isNotEmpty(qaaClass.getAuthnContextClassRef())) +				return qaaClass.getAuthnContextClassRef(); +			 +			else +				throw new AssertionAttributeExtractorExeption("AuthnContextClassRef (QAALevel)");			 +		} +		 +		throw new AssertionAttributeExtractorExeption("AuthnContextClassRef");		 +	} +	 +	private AuthnStatement getAuthnStatement() throws AssertionAttributeExtractorExeption { +		List<AuthnStatement> authnList = assertion.getAuthnStatements(); +		if (authnList.size() == 0) +			throw new AssertionAttributeExtractorExeption("AuthnStatement"); +		 +		else if (authnList.size() > 1) +			Logger.warn("Found more then ONE AuthnStatements in PVP2.1 assertions. Only the First is used."); +		 +		return authnList.get(0); +	} + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AttributeExtractor.java deleted file mode 100644 index 666bfab3c..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AttributeExtractor.java +++ /dev/null @@ -1,85 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.utils; - -import java.util.Iterator; -import java.util.List; - -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; -import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; - -public class AttributeExtractor { -	 -	public static String extractSAMLAttributeOA(String name,  -			AuthenticationSession authSession) { -		List<ExtendedSAMLAttribute> extAttributes = authSession.getExtendedSAMLAttributesOA(); -		if(extAttributes == null) { -			return null; -		} -		Iterator<ExtendedSAMLAttribute> extAttributesIt = extAttributes.iterator(); -		while(extAttributesIt.hasNext()) { -			Object attr = extAttributesIt.next(); -			if(attr instanceof ExtendedSAMLAttribute) { -				ExtendedSAMLAttribute extAttribute = (ExtendedSAMLAttribute) attr; -				if(extAttribute.getName().equals(name)) { -					if(extAttribute.getValue() instanceof String) { -						return extAttribute.getValue().toString(); -					} -					break; -				} -			} -		} -		return null; -	} -	 -	public static String extractSAMLAttributeAUTH(String name,  -			AuthenticationSession authSession) { -		List<ExtendedSAMLAttribute> extAttributes = authSession.getExtendedSAMLAttributesAUTH(); -		if(extAttributes == null) { -			return null; -		} -		Iterator<ExtendedSAMLAttribute> extAttributesIt = extAttributes.iterator(); -		while(extAttributesIt.hasNext()) { -			Object attr = extAttributesIt.next(); -			if(attr instanceof ExtendedSAMLAttribute) { -				ExtendedSAMLAttribute extAttribute = (ExtendedSAMLAttribute) attr; -				if(extAttribute.getName().equals(name)) { -					if(extAttribute.getValue() instanceof String) { -						return extAttribute.getValue().toString(); -					} -					break; -				} -			} -		} -		return null; -	} -	 -	public static String extractSAMLAttributeBOTH(String name,  -			AuthenticationSession authSession) { -		String value = extractSAMLAttributeOA(name, authSession); -		if(value == null) { -			value = extractSAMLAttributeAUTH(name, authSession); -		} -		return value; -	} -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index ca5cb9226..69167c75d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -22,6 +22,7 @@   *******************************************************************************/  package at.gv.egovernment.moa.id.storage; +import java.util.ArrayList;  import java.util.Date;  import java.util.List; @@ -36,11 +37,15 @@ import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;  import at.gv.egovernment.moa.id.auth.exception.BuildException;  import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils;  import at.gv.egovernment.moa.id.commons.db.dao.session.AuthenticatedSessionStore; +import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;  import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore;  import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore;  import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;  import at.gv.egovernment.moa.id.data.EncryptedData;  import at.gv.egovernment.moa.id.data.SLOInformationInterface; +import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;  import at.gv.egovernment.moa.id.util.Random;  import at.gv.egovernment.moa.id.util.SessionEncrytionUtil;  import at.gv.egovernment.moa.logging.Logger; @@ -105,6 +110,51 @@ public class AuthenticationSessionStoreage {  		return session;  	} +	public static String createInterfederatedSession(IRequest req, boolean isAuthenticated) throws MOADatabaseException, AssertionAttributeExtractorExeption { +		String id = Random.nextRandom(); +		AuthenticationSession session = new AuthenticationSession(id); +		 +		AuthenticatedSessionStore dbsession = new AuthenticatedSessionStore(); +		dbsession.setSessionid(id); +		dbsession.setAuthenticated(isAuthenticated); +		 +		//set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1 +		Date now = new Date(); +		dbsession.setCreated(now); +		dbsession.setUpdated(now); +		 +		dbsession.setSession(SerializationUtils.serialize(session)); +		 +		//add interfederation information +		List<InterfederationSessionStore> idpList = dbsession.getInderfederation(); +		if (idpList == null) +			idpList = new ArrayList<InterfederationSessionStore>(); +		 +		InterfederationSessionStore idp = new InterfederationSessionStore(); +		idp.setCreated(now); +		idp.setIdpurlprefix(req.getInterfederationResponse().getEntityID()); +		 +		AssertionAttributeExtractor extract = new AssertionAttributeExtractor(req.getInterfederationResponse().getResponse());		 +		idp.setSessionIndex(extract.getSessionIndex()); +		idp.setUserNameID(extract.getNameID()); +		idp.setAttributesRequested(false); +		idp.setQAALevel(extract.getQAALevel()); +		idpList.add(idp); +		 +		//store AssertionStore element to Database +		try { +			MOASessionDBUtils.saveOrUpdate(dbsession); +			Logger.info("MOASession with sessionID=" + id + " is stored in Database"); +			 +		} catch (MOADatabaseException e) { +			Logger.warn("MOASession could not be created."); +			throw new MOADatabaseException(e); +		} +		 +		return id; +	} +	 +	  	public static void storeSession(AuthenticationSession session) throws MOADatabaseException, BuildException {  		try { diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/InterfederationSessionStore.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/InterfederationSessionStore.java index 93734954f..1fcdd9b9b 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/InterfederationSessionStore.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/InterfederationSessionStore.java @@ -59,6 +59,9 @@ public class InterfederationSessionStore implements Serializable{  	@Column(name = "nameID", unique=false, nullable=false)  	private String userNameID; +	@Column(name = "QAALevel", unique=false, nullable=false) +	private String QAALevel; +	  	@Column(name = "attributesRequested", unique=false, nullable=true)  	private boolean attributesRequested; @@ -173,6 +176,20 @@ public class InterfederationSessionStore implements Serializable{  		this.moasession = moasession;  	} +	/** +	 * @return the qAALevel +	 */ +	public String getQAALevel() { +		return QAALevel; +	} + +	/** +	 * @param qAALevel the qAALevel to set +	 */ +	public void setQAALevel(String qAALevel) { +		QAALevel = qAALevel; +	} +  } diff --git a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd index e8562a57b..49d919978 100644 --- a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd +++ b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd @@ -485,6 +485,7 @@  		<xsd:sequence>  			<xsd:element name="isActive" type="xsd:boolean" default="false" minOccurs="1" maxOccurs="1"/>  			<xsd:element name="isAdminRequired" type="xsd:boolean" default="false" minOccurs="0" maxOccurs="1"/> +			<xsd:element name="isInterfederationIDP" type="xsd:boolean" default="false" minOccurs="0" maxOccurs="1"/>  			<xsd:element name="AuthComponent_OA" minOccurs="0">  				<xsd:annotation>  					<xsd:documentation>enthält Parameter über die OA, die die | 
