aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2018-06-05 10:44:40 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2018-06-05 10:44:40 +0200
commit709197ce12c5502f86e16da1167b97ca318f47fa (patch)
tree17a96fd5d68ddd9eb6390989bcd4590ade8de46d
parentecf9de84e76dde785ced8c1632c7909d1d57f94a (diff)
downloadmoa-id-spss-709197ce12c5502f86e16da1167b97ca318f47fa.tar.gz
moa-id-spss-709197ce12c5502f86e16da1167b97ca318f47fa.tar.bz2
moa-id-spss-709197ce12c5502f86e16da1167b97ca318f47fa.zip
implement user restriction based on whitelisting
-rw-r--r--id/server/doc/handbook/protocol/protocol.html4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java85
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java73
-rw-r--r--id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml9
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties2
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties2
-rw-r--r--id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml11
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml13
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/resources/sl20.Authentication.process.xml8
9 files changed, 195 insertions, 12 deletions
diff --git a/id/server/doc/handbook/protocol/protocol.html b/id/server/doc/handbook/protocol/protocol.html
index 7d3f8d627..8f6ed735c 100644
--- a/id/server/doc/handbook/protocol/protocol.html
+++ b/id/server/doc/handbook/protocol/protocol.html
@@ -621,6 +621,10 @@ Redirect Binding</td>
<td>1110</td>
<td>Ung&uuml;ltige Single Sign-On Session</td>
</tr>
+ <tr>
+ <td>1111</td>
+ <td>Der Anmeldevorgang wurde automatisiert abgebrochten da dem Benutzer die n&ouml;tigen Zugriffsrechte f&uuml;r diese Online Applikation fehlen.</td>
+ </tr>
</table>
<h5><a name="statuscodes_12xxx" id="allgemeines_zugangspunkte13"></a>1.3.1.3 STORK (12xxx)</h5>
<table class="configtable">
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java
new file mode 100644
index 000000000..4853a5ab6
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java
@@ -0,0 +1,85 @@
+package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
+
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.beans.factory.annotation.Autowired;
+
+import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
+import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
+import at.gv.egovernment.moa.id.config.auth.data.UserWhitelistStore;
+import at.gv.egovernment.moa.id.data.Pair;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+public class UserRestrictionTask extends AbstractAuthServletTask {
+
+ public static final String CONFIG_PROPS_SP_LIST = "configuration.restrictions.sp.entityIds";
+ public static final String CONFIG_PROPS_CSV_USER_FILE = "configuration.restrictions.sp.users.url";
+ public static final String CONFIG_PROPS_CSV_USER_SECTOR = "configuration.restrictions.sp.users.sector";
+
+ @Autowired(required=true) UserWhitelistStore whitelist;
+
+ @Override
+ public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+ throws TaskExecutionException {
+ try {
+ String spEntityId = pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix();
+ List<String> restrictedSPs = KeyValueUtils.getListOfCSVValues(authConfig.getBasicMOAIDConfiguration(CONFIG_PROPS_SP_LIST));
+ if (restrictedSPs.contains(spEntityId)) {
+ Logger.debug("SP:" + spEntityId + " has a user restrication. Check users bPK ... ");
+ defaultTaskInitialization(request, executionContext);;
+
+ //check if user idl is already loaded
+ if (moasession.getIdentityLink() == null) {
+ Logger.warn("PendingRequest contains NO IdentityLink. User restrictation NOT possible!");
+ throw new MOAIDException("process.03", null);
+
+ }
+
+ //calculate whitelist bPK for current user
+ String bpkTarget = authConfig.getBasicMOAIDConfiguration(CONFIG_PROPS_CSV_USER_SECTOR);
+ if (MiscUtil.isEmpty(bpkTarget)) {
+ Logger.info("NO bPK sector for user whitelist in configuration");
+ throw new MOAIDException("config.05", new Object[] {CONFIG_PROPS_CSV_USER_SECTOR});
+
+ }
+
+ Pair<String, String> pseudonym = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+ moasession.getIdentityLink().getIdentificationValue(),
+ moasession.getIdentityLink().getIdentificationType(),
+ bpkTarget);
+
+
+ //check if user's bPK is whitelisted
+ if (!whitelist.isUserbPKInWhitelist(pseudonym.getFirst())) {
+ Logger.info("User's bPK is not whitelisted. Authentication process stops ...");
+ Logger.trace("User's bPK: " + pseudonym.getFirst());
+ throw new MOAIDException("auth.35", null);
+
+ }
+
+ Logger.debug("User was found in whitelist. Continue authentication process ... ");
+
+ } else
+ Logger.trace("SP: " + spEntityId + " has no user restrication.");
+
+
+ } catch (MOAIDException e) {
+ throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+
+ } catch (Exception e) {
+ Logger.warn("RestartAuthProzessManagement has an internal error", e);
+ throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+
+ }
+
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java
new file mode 100644
index 000000000..a300739b3
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java
@@ -0,0 +1,73 @@
+package at.gv.egovernment.moa.id.config.auth.data;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.annotation.PostConstruct;
+
+import org.apache.commons.io.IOUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import at.gv.egovernment.moa.id.auth.modules.internal.tasks.UserRestrictionTask;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
+import at.gv.egovernment.moa.util.FileUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
+import at.gv.egovernment.moaspss.logging.Logger;
+
+@Service("UserWhiteList_Store")
+public class UserWhitelistStore {
+
+ @Autowired(required=true) AuthConfiguration authConfig;
+
+ private List<String> whitelist = new ArrayList<String>();
+
+ @PostConstruct
+ private void initialize() {
+ String whiteListUrl = authConfig.getBasicMOAIDConfiguration(UserRestrictionTask.CONFIG_PROPS_CSV_USER_FILE);
+ if (MiscUtil.isEmpty(whiteListUrl))
+ Logger.debug("Do not initialize user whitelist. Reason: No configuration path to CSV file.");
+
+ else {
+ String absWhiteListUrl = FileUtils.makeAbsoluteURL(whiteListUrl, authConfig.getRootConfigFileDir());
+ try {
+ InputStream is = new FileInputStream(new File(new URL(absWhiteListUrl).toURI()));
+ String whiteListString = IOUtils.toString(new InputStreamReader(is));
+ whitelist = KeyValueUtils.getListOfCSVValues(KeyValueUtils.normalizeCSVValueString(whiteListString));
+ Logger.info("User whitelist is initialized with " + whitelist.size() + " entries.");
+
+ } catch (FileNotFoundException e) {
+ Logger.warn("Do not initialize user whitelist. Reason: CSV file with bPKs NOT found", e);
+
+ } catch (IOException e) {
+ Logger.warn("Do not initialize user whitelist. Reason: CSV file is NOT readable", e);
+
+ } catch (URISyntaxException e) {
+ Logger.warn("Do not initialize user whitelist. Reason: CSV file looks wrong", e);
+
+ }
+
+ }
+
+ }
+
+ /**
+ * Check if bPK is in whitelist
+ *
+ * @param bPK
+ * @return true if bPK is in whitelist, otherwise false
+ */
+ public boolean isUserbPKInWhitelist(String bPK) {
+ return whitelist.contains(bPK);
+
+ }
+}
diff --git a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml
index ba8c47304..dc3022ab4 100644
--- a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml
+++ b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml
@@ -42,6 +42,9 @@
<bean id="MOAID_SSOManager"
class="at.gv.egovernment.moa.id.moduls.SSOManager"/>
+ <bean id="UserWhiteList_Store"
+ class="at.gv.egovernment.moa.id.config.auth.data.UserWhitelistStore"/>
+
<bean id="AuthenticationSessionStoreage"
@@ -91,7 +94,11 @@
<bean id="EvaluateSSOConsentsTaskImpl"
class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.EvaluateSSOConsentsTaskImpl"
- scope="prototype"/>
+ scope="prototype"/>
+
+ <bean id="UserRestrictionTask"
+ class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.UserRestrictionTask"
+ scope="prototype"/>
<beans profile="advancedLogOn">
<bean id="StatisticLogger"
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 84fd93773..799b32025 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -52,6 +52,7 @@ auth.31=Federated authentication FAILED. No information for AttributeQuery, mayb
auth.32=Federated authentication FAILED. No configuration for IDP {0}
auth.33=Federated authentication FAILED. Configuration of IDP {0} does not allow inbound messages.
auth.34=Federated authentication FAILED. Configuration of IDP {0} is marked as BusinessService-IDP, but Public-Service attributes are requested.
+auth.35=Der Anmeldevorgang wurde automatisiert abgebrochen, da der Benutzer nicht für dieses Onlineapplikation berechtigt ist.
init.00=MOA-ID-Auth wurde erfolgreich gestartet
init.01=Fehler beim Aktivieren des IAIK-JCE/JSSE/JDK1.3 Workaround\: SSL ist m\u00F6glicherweise nicht verf\u00FCgbar
@@ -336,6 +337,7 @@ slo.02=Es wurde keine aktive SSO Session gefunden oder Sie sind bei keiner Onlin
process.01=Fehler beim Ausf\u00FChren des Prozesses.
process.02=Fehler beim Erstellen eines geeigneten Prozesses f\u00FCr die SessionID {0}.
process.03=Fehler beim Weiterf\u00FChren es Prozesses. Msg:{0}
+process.03=Fehler beim Ausf\u00FChren des Prozesses. Interner state ung\u00FCltig.
sl20.00=Allgemeiner Fehler w\u00e4hrend SL2.0 Authentifizierung. Msg: {0}
sl20.01=Fehler beim Generieren des SL2.0 Kommandos. Msg: {0}
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
index d77ea437b..dae88889f 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
@@ -32,6 +32,7 @@ auth.31=4400
auth.32=4401
auth.33=4401
auth.34=4401
+auth.35=1111
init.00=9199
init.01=9199
@@ -103,6 +104,7 @@ service.10=4500
process.01=9104
process.02=9104
process.03=9105
+process.03=9104
sp.pvp2.00=4501
sp.pvp2.01=4501
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml
index 74792ed72..48c7b6a07 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml
@@ -15,7 +15,8 @@
<pd:Task id="prepareAuthBlockSignature" class="PrepareAuthBlockSignatureTask" />
<pd:Task id="prepareGetMISMandate" class="PrepareGetMISMandateTask" />
<pd:Task id="finalizeAuthentication" class="FinalizeAuthenticationTask" />
- <pd:Task id="getForeignID" class="GetForeignIDTask" async="true" />
+ <pd:Task id="getForeignID" class="GetForeignIDTask" async="true" />
+ <pd:Task id="userRestrictionTask" class="UserRestrictionTask" />
<!-- Process is triggered either by GenerateIFrameTemplateServlet (upon bku selection) or by AuthenticationManager (upon legacy authentication start using legacy parameters. -->
<pd:StartEvent id="start" />
@@ -39,13 +40,15 @@
<pd:Transition from="verifyCertificate" to="getForeignID" />
<pd:Transition from="verifyAuthBlock" to="prepareGetMISMandate" conditionExpression="ctx['useMandate']" />
- <pd:Transition from="verifyAuthBlock" to="finalizeAuthentication" />
+ <pd:Transition from="verifyAuthBlock" to="userRestrictionTask" />
<pd:Transition from="prepareGetMISMandate" to="getMISMandate" />
- <pd:Transition from="getMISMandate" to="finalizeAuthentication" />
- <pd:Transition from="getForeignID" to="finalizeAuthentication" />
+ <pd:Transition from="getMISMandate" to="userRestrictionTask" />
+ <pd:Transition from="getForeignID" to="userRestrictionTask" />
+
+ <pd:Transition from="userRestrictionTask" to="finalizeAuthentication" />
<pd:Transition from="finalizeAuthentication" to="end" />
<pd:EndEvent id="end" />
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml
index d41e8a017..60fd120d0 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml
@@ -17,6 +17,8 @@
<pd:Task id="finalizeAuthentication" class="FinalizeAuthenticationTask" />
<pd:Task id="getForeignID" class="GetForeignIDTask" async="true" />
+ <pd:Task id="userRestrictionTask" class="UserRestrictionTask" />
+
<!-- ELGA Mandate-Service Tasks -->
<pd:Task id="redirectToMandateSelectionTask" class="RedirectToMandateSelectionTask" />
<pd:Task id="selectMandateServiceTask" class="SelectMandateServiceTask" async="true"/>
@@ -47,7 +49,7 @@
<pd:Transition from="verifyCertificate" to="getForeignID" />
<pd:Transition from="verifyAuthBlock" to="redirectToMandateSelectionTask" conditionExpression="ctx['useMandate']" />
- <pd:Transition from="verifyAuthBlock" to="finalizeAuthentication" />
+ <pd:Transition from="verifyAuthBlock" to="userRestrictionTask" />
<pd:Transition from="redirectToMandateSelectionTask" to="prepareGetMISMandate" conditionExpression="ctx['useMISMandate']" />
<pd:Transition from="redirectToMandateSelectionTask" to="selectMandateServiceTask" />
@@ -60,13 +62,14 @@
<pd:Transition from="requestELGAMandateTask" to="receiveElgaMandateResponseTask" />
- <pd:Transition from="receiveElgaMandateResponseTask" to="finalizeAuthentication" />
+ <pd:Transition from="receiveElgaMandateResponseTask" to="userRestrictionTask" />
<pd:Transition from="prepareGetMISMandate" to="getMISMandate" />
- <pd:Transition from="getMISMandate" to="finalizeAuthentication" />
-
- <pd:Transition from="getForeignID" to="finalizeAuthentication" />
+ <pd:Transition from="getMISMandate" to="userRestrictionTask" />
+ <pd:Transition from="getForeignID" to="userRestrictionTask" />
+
+ <pd:Transition from="userRestrictionTask" to="finalizeAuthentication" />
<pd:Transition from="finalizeAuthentication" to="end" />
<pd:EndEvent id="end" />
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/sl20.Authentication.process.xml b/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/sl20.Authentication.process.xml
index 4975dc2d7..673144b06 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/sl20.Authentication.process.xml
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/resources/sl20.Authentication.process.xml
@@ -3,16 +3,20 @@
<pd:Task id="createQualifiedeIDRequest" class="CreateQualeIDRequestTask" />
<pd:Task id="receiveQualifiedeID" class="ReceiveQualeIDResponseTask" async="true"/>
- <pd:Task id="verifyQualifiedeIDTask" class="VerifyQualifiedeIDTask" async="true"/>
+ <pd:Task id="verifyQualifiedeIDTask" class="VerifyQualifiedeIDTask" async="true"/>
+ <pd:Task id="userRestrictionTask" class="UserRestrictionTask" />
<pd:Task id="finalizeAuthentication" class="FinalizeAuthenticationTask" />
<pd:StartEvent id="start" />
<pd:Transition from="start" to="createQualifiedeIDRequest" />
<pd:Transition from="createQualifiedeIDRequest" to="receiveQualifiedeID" />
<pd:Transition from="receiveQualifiedeID" to="verifyQualifiedeIDTask" />
- <pd:Transition from="verifyQualifiedeIDTask" to="finalizeAuthentication" />
+ <pd:Transition from="verifyQualifiedeIDTask" to="userRestrictionTask" />
+ <pd:Transition from="userRestrictionTask" to="finalizeAuthentication" />
<pd:Transition from="finalizeAuthentication" to="end" />
+
+
<pd:EndEvent id="end" />
</pd:ProcessDefinition>