aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2018-05-17 17:13:03 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2018-05-17 17:13:03 +0200
commit1cf340e047d2d701d9bfe442f291231ec477d2f4 (patch)
treecd746e2157c21aeea1308b29859f6d414f53e4a8
parentdf3931ff25cebff9686f433461f48aff9e4c14dc (diff)
downloadmoa-id-spss-1cf340e047d2d701d9bfe442f291231ec477d2f4.tar.gz
moa-id-spss-1cf340e047d2d701d9bfe442f291231ec477d2f4.tar.bz2
moa-id-spss-1cf340e047d2d701d9bfe442f291231ec477d2f4.zip
fix some more bugs in SAML2 ATTRIBUTEQUERRY implementation for federated authentication
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java8
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java16
6 files changed, 22 insertions, 20 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index cc716f9f8..b93de5119 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -189,7 +189,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
* @throws MOAIDException
*/
public AssertionAttributeExtractor getAuthDataFromAttributeQuery(List<Attribute> reqQueryAttr,
- String userNameID, IOAAuthParameters idpConfig ) throws MOAIDException{
+ String userNameID, IOAAuthParameters idpConfig, String spEntityID) throws MOAIDException{
String idpEnityID = idpConfig.getPublicURLPrefix();
try {
@@ -203,7 +203,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
}
//build attributQuery request
- AttributeQuery query = attributQueryBuilder.buildAttributQueryRequest(userNameID, endpoint, reqQueryAttr);
+ AttributeQuery query = attributQueryBuilder.buildAttributQueryRequest(spEntityID, userNameID, endpoint, reqQueryAttr);
//build SOAP request
List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query);
@@ -362,7 +362,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
else {
String qaaLevel = session.getGenericDataFromSession(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME, String.class);
if (MiscUtil.isNotEmpty(qaaLevel)) {
- Logger.debug("Find PVP-Attr: " + PVPConstants.EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME
+ Logger.debug("Find PVP-Attr '" + PVPConstants.EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME + "':" + qaaLevel
+ " --> Parse QAA-Level from that attribute.");
if (qaaLevel.startsWith(PVPConstants.STORK_QAA_PREFIX)) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
index 72691a034..4ef9fa05e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
@@ -235,8 +235,12 @@ public class AttributQueryAction implements IAction {
}
//validation complete --> start AttributeQuery Request
+ /*TODO:
+ * 'pendingReq.getAuthURL() + "/sp/federated/metadata"' is implemented in federated_authentication module
+ * but used in moa-id-lib. This should be refactored!!!
+ */
AssertionAttributeExtractor extractor = authDataBuilder.getAuthDataFromAttributeQuery(reqAttributes,
- nextIDPInformation.getUserNameID(), idp);
+ nextIDPInformation.getUserNameID(), idp, pendingReq.getAuthURL() + "/sp/federated/metadata");
//mark attribute request as used
if (nextIDPInformation.isStoreSSOInformation()) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index 4369a469a..4b9b21093 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -634,7 +634,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController {
//validate destination
String destinaten = attrQuery.getDestination();
- if (!PVPConfiguration.getInstance().getIDPAttributeQueryService(HTTPUtils.extractAuthURLFromRequest(request)).equals(destinaten)) {
+ if (!PVPConfiguration.getInstance().getIDPSSOSOAPService(HTTPUtils.extractAuthURLFromRequest(request)).equals(destinaten)) {
Logger.warn("AttributeQuery destination does not match IDP AttributeQueryService URL");
throw new AttributQueryException("AttributeQuery destination does not match IDP AttributeQueryService URL", null);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
index 4aa4f7419..f4cd7422c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
@@ -101,7 +101,7 @@ public class AttributQueryBuilder {
}
- public AttributeQuery buildAttributQueryRequest(String nameID,
+ public AttributeQuery buildAttributQueryRequest(String spEntityID, String nameID,
String endpoint, List<Attribute> requestedAttributes) throws AttributQueryException {
@@ -125,7 +125,7 @@ public class AttributQueryBuilder {
query.setIssueInstant(now);
Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);
- nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath().get(0));
+ nissuer.setValue(spEntityID);
nissuer.setFormat(NameID.ENTITY);
query.setIssuer(nissuer);
@@ -156,10 +156,6 @@ public class AttributQueryBuilder {
return query;
- } catch (ConfigurationException e) {
- Logger.error("Build AttributQuery Request FAILED.", e);
- throw new AttributQueryException("Build AttributQuery Request FAILED.", null, e);
-
} catch (CredentialsNotAvailableException e) {
Logger.error("Build AttributQuery Request FAILED.", e);
throw new AttributQueryException("Build AttributQuery Request FAILED.", null, e);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
index 480656e30..47c4b0736 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
@@ -138,10 +138,6 @@ public class PVPConfiguration {
public String getIDPSSOSOAPService(String publicURLPrefix) throws ConfigurationException {
return publicURLPrefix + PVP2_IDP_SOAP;
}
-
- public String getIDPAttributeQueryService(String publicURLPrefix) throws ConfigurationException {
- return publicURLPrefix + PVP2_IDP_ATTRIBUTEQUERY;
- }
public String getIDPSSOMetadataService(String publicURLPrefix) throws ConfigurationException {
return publicURLPrefix + PVP2_METADATA;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
index 106be8a09..9d585bc86 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
@@ -52,12 +52,17 @@ public class AssertionAttributeExtractor {
private Map<String, List<String>> attributs = new HashMap<String, List<String>>();
//private PersonalAttributeList storkAttributes = new PersonalAttributeList();
- private final List<String> minimalAttributeNameList = Arrays.asList(
+ private final List<String> minimalMDSAttributeNamesList = Arrays.asList(
PVPConstants.PRINCIPAL_NAME_NAME,
PVPConstants.GIVEN_NAME_NAME,
- PVPConstants.ENC_BPK_LIST_NAME,
+ PVPConstants.BIRTHDATE_NAME,
PVPConstants.BPK_NAME);
-
+
+ private final List<String> minimalIDLAttributeNamesList = Arrays.asList(
+ PVPConstants.EID_IDENTITY_LINK_NAME,
+ PVPConstants.EID_SOURCE_PIN_NAME,
+ PVPConstants.EID_SOURCE_PIN_TYPE_NAME);
+
/**
* Parse the SAML2 Response element and extracts included information
* <br><br>
@@ -132,7 +137,8 @@ public class AssertionAttributeExtractor {
* @return
*/
public boolean containsAllRequiredAttributes() {
- return containsAllRequiredAttributes(minimalAttributeNameList);
+ return containsAllRequiredAttributes(minimalMDSAttributeNamesList)
+ || containsAllRequiredAttributes(minimalIDLAttributeNamesList);
}
@@ -161,7 +167,7 @@ public class AssertionAttributeExtractor {
return flag;
else {
- Logger.debug("Assertion contains no bPK or encryptedbPK.");
+ Logger.debug("Assertion contains no all minimum attributes from: " + attributeNameList.toString());
return false;
}