diff options
author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-10-13 13:18:11 +0200 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-10-13 13:18:11 +0200 |
commit | d703b4201def4ea55bc865da87010972d13a434e (patch) | |
tree | d9be30af066c7cf6281a15954318d40bf37131b5 | |
parent | 1a80e310ed77110a8757b78b750a6a000495b16f (diff) | |
download | moa-id-spss-d703b4201def4ea55bc865da87010972d13a434e.tar.gz moa-id-spss-d703b4201def4ea55bc865da87010972d13a434e.tar.bz2 moa-id-spss-d703b4201def4ea55bc865da87010972d13a434e.zip |
enable mandates for eIDAS nodes
40 files changed, 1262 insertions, 1220 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java index 15900cc7c..72aef5fed 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java @@ -116,16 +116,18 @@ public class StatisticLogger implements IStatisticLogger{ //set actual date and time dblog.setTimestamp(new Date()); - - //set OA databaseID - //dblog.setOaID(dbOA.getHjid()); - + //log basic AuthInformation dblog.setOaurlprefix(getMessageWithMaxLength(dbOA.getPublicURLPrefix(), MAXOAIDENTIFIER_LENGTH)); dblog.setOafriendlyName(dbOA.getFriendlyName()); - boolean isbusinessservice = isBusinessService(dbOA); - dblog.setBusinessservice(isbusinessservice); + try { + dblog.setBusinessservice(dbOA.hasBaseIdTransferRestriction()); + + } catch (Exception e) { + Logger.warn("Can not extract some information for StatisticLogger.", e); + } + dblog.setOatarget(authData.getBPKType()); @@ -266,9 +268,14 @@ public class StatisticLogger implements IStatisticLogger{ if (dbOA != null) { dblog.setOaurlprefix(getMessageWithMaxLength(dbOA.getPublicURLPrefix(), MAXOAIDENTIFIER_LENGTH)); dblog.setOafriendlyName(dbOA.getFriendlyName()); - dblog.setOatarget(dbOA.getTarget()); - //dblog.setOaID(dbOA.getHjid()); - dblog.setBusinessservice(isBusinessService(dbOA)); + + try { + dblog.setOatarget(dbOA.getAreaSpecificTargetIdentifier()); + dblog.setBusinessservice(dbOA.hasBaseIdTransferRestriction()); + } catch (Exception e) { + Logger.warn("Can not extract some information for StatisticLogger.", e); + + } IAuthenticationSession moasession = null; if (MiscUtil.isNotEmpty(errorRequest.getInternalSSOSessionIdentifier())) { @@ -314,15 +321,7 @@ public class StatisticLogger implements IStatisticLogger{ } } - - private boolean isBusinessService(IOAAuthParameters dbOA) { - if (dbOA.getOaType().equals("businessService")) - return true; - else - return false; - } - private String getMessageWithMaxLength(String msg, int maxlength) { return getErrorMessageWithMaxLength(msg, maxlength); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 9e586b0f4..5a5d0bcf6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -267,9 +267,9 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { //#################################################### //set general authData info's authData.setIssuer(protocolRequest.getAuthURL()); - authData.setSsoSession(protocolRequest.needSingleSignOnFunctionality()); - authData.setIsBusinessService(oaParam.getBusinessService()); - + authData.setSsoSession(protocolRequest.needSingleSignOnFunctionality()); + authData.setBaseIDTransferRestrication(oaParam.hasBaseIdTransferRestriction()); + //#################################################### //parse user info's from identityLink @@ -816,21 +816,11 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { * @param oaParam Service-Provider configuration, never null * @param bPKType bPK-Type to check * @return true, if bPK-Type matchs to Service-Provider configuration, otherwise false + * @throws ConfigurationException */ - private boolean matchsReceivedbPKToOnlineApplication(IOAAuthParameters oaParam, String bPKType) { - String oaTarget = null; - if (oaParam.getBusinessService()) { - oaTarget = oaParam.getIdentityLinkDomainIdentifier(); - - } else { - oaTarget = Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget(); - - } - - if (oaTarget.equals(bPKType)) - return true; - else - return false; + private boolean matchsReceivedbPKToOnlineApplication(IOAAuthParameters oaParam, String bPKType) throws ConfigurationException { + return oaParam.getAreaSpecificTargetIdentifier().equals(bPKType); + } private void parseBasicUserInfosFromIDL(AuthenticationData authData, IIdentityLink identityLink, Collection<String> includedGenericSessionData) { @@ -918,9 +908,10 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { * * @return Pair<bPK, bPKType> which was received by PVP-Attribute and could be decrypted for this Service Provider, * or <code>null</code> if no attribute exists or can not decrypted + * @throws ConfigurationException */ private Pair<String, String> getEncryptedbPKFromPVPAttribute(IAuthenticationSession session, - AuthenticationData authData, IOAAuthParameters spConfig) { + AuthenticationData authData, IOAAuthParameters spConfig) throws ConfigurationException { //set List of encrypted bPKs to authData DAO String pvpEncbPKListAttr = session.getGenericDataFromSession(PVPConstants.ENC_BPK_LIST_NAME, String.class); if (MiscUtil.isNotEmpty(pvpEncbPKListAttr)) { @@ -935,35 +926,44 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { String second = fullEncbPK.substring(0, index); int secIndex = second.indexOf("+"); if (secIndex >= 0) { - if (spConfig.getTarget().equals(second.substring(secIndex+1))) { - Logger.debug("Found encrypted bPK for online-application " - + spConfig.getPublicURLPrefix() - + " Start decryption process ..."); - PrivateKey privKey = spConfig.getBPKDecBpkDecryptionKey(); - if (privKey != null) { - try { - String bPK = BPKBuilder.decryptBPK(encbPK, spConfig.getTarget(), privKey); - if (MiscUtil.isNotEmpty(bPK)) { - Logger.info("bPK decryption process finished successfully."); - return Pair.newInstance(bPK, Constants.URN_PREFIX_CDID + "+" + spConfig.getTarget()); - - } else { - Logger.error("bPK decryption FAILED."); - + String oaTargetId = spConfig.getAreaSpecificTargetIdentifier(); + if (oaTargetId.startsWith(MOAIDAuthConstants.PREFIX_CDID)) { + String publicServiceShortTarget = oaTargetId.substring(MOAIDAuthConstants.PREFIX_CDID.length()); + if (publicServiceShortTarget.equals(second.substring(secIndex+1))) { + Logger.debug("Found encrypted bPK for online-application " + + spConfig.getPublicURLPrefix() + + " Start decryption process ..."); + PrivateKey privKey = spConfig.getBPKDecBpkDecryptionKey(); + if (privKey != null) { + try { + String bPK = BPKBuilder.decryptBPK(encbPK, publicServiceShortTarget, privKey); + if (MiscUtil.isNotEmpty(bPK)) { + Logger.info("bPK decryption process finished successfully."); + return Pair.newInstance(bPK, oaTargetId); + + } else { + Logger.error("bPK decryption FAILED."); + + } + } catch (BuildException e) { + Logger.error("bPK decryption FAILED.", e); + } - } catch (BuildException e) { - Logger.error("bPK decryption FAILED.", e); - } + } else { + Logger.info("bPK decryption FAILED, because no valid decryption key is found."); + + } } else { - Logger.info("bPK decryption FAILED, because no valid decryption key is found."); + Logger.info("Found encrypted bPK but " + + "encrypted bPK target does not match to online-application target"); - } + } } else { - Logger.info("Found encrypted bPK but " + - "encrypted bPK target does not match to online-application target"); + Logger.info("Encrypted bPKs are only allowed for public services with prefix: " + MOAIDAuthConstants.PREFIX_CDID + + " BUT oaTarget is " + oaTargetId); } } @@ -1066,7 +1066,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } private IIdentityLink buildOAspecificIdentityLink(IOAAuthParameters oaParam, IIdentityLink idl, String bPK, String bPKType) throws MOAIDException { - if (oaParam.getBusinessService()) { + if (oaParam.hasBaseIdTransferRestriction()) { Element idlassertion = idl.getSamlAssertion(); //set bpk/wpbk; Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); @@ -1097,69 +1097,45 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } - private Pair<String, String> buildOAspecificbPK(IRequest pendingReq, IOAAuthParameters oaParam, AuthenticationData authData) throws BuildException { + private Pair<String, String> buildOAspecificbPK(IRequest pendingReq, IOAAuthParameters oaParam, AuthenticationData authData) throws BuildException, ConfigurationException { - String bPK; - String bPKType; - String baseID = authData.getIdentificationValue(); - String baseIDType = authData.getIdentificationType(); - - if (Constants.URN_PREFIX_BASEID.equals(baseIDType)) { - //Calculate eIDAS identifier - if (oaParam.getBusinessService() && - oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_EIDAS)) { - String[] splittedTarget = oaParam.getIdentityLinkDomainIdentifier().split("\\+"); - String cititzenCountryCode = splittedTarget[1]; - String eIDASOutboundCountry = splittedTarget[2]; - - if (cititzenCountryCode.equalsIgnoreCase(eIDASOutboundCountry)) { - Logger.warn("Suspect configuration FOUND!!! CitizenCountry equals DestinationCountry"); - - } - - Pair<String, String> eIDASID = new BPKBuilder().buildeIDASIdentifer(baseID, baseIDType, - cititzenCountryCode, eIDASOutboundCountry); - Logger.debug("Authenticate user with bPK:" + eIDASID.getFirst() + " Type:" + eIDASID.getSecond()); - return eIDASID; - - } else if (oaParam.getBusinessService()) { - //is Austrian private-service application - String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier(); - bPK = new BPKBuilder().buildbPKorwbPK(baseID, registerAndOrdNr); - bPKType = registerAndOrdNr; - - } else { - // only compute bPK if online application is a public service and we have the Stammzahl - String target = null; - Class<?> saml1RequstTemplate = null; - try { - saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl"); - if (saml1RequstTemplate != null && - saml1RequstTemplate.isInstance(pendingReq)) { - target = (String) pendingReq.getClass().getMethod("getTarget").invoke(pendingReq); + String baseIDType = authData.getIdentificationType(); + Pair<String, String> sectorSpecId = null; + + if (Constants.URN_PREFIX_BASEID.equals(baseIDType)) { + //SAML1 legacy target parameter work-around + String oaTargetId = null; + Class<?> saml1RequstTemplate = null; + try { + saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl"); + if (saml1RequstTemplate != null && + saml1RequstTemplate.isInstance(pendingReq)) { + oaTargetId = (String) pendingReq.getClass().getMethod("getTarget").invoke(pendingReq); - } + } - } catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException | java.lang.SecurityException | InvocationTargetException | NoSuchMethodException ex) { } + } catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException | java.lang.SecurityException | InvocationTargetException | NoSuchMethodException ex) { } + + if (MiscUtil.isEmpty(oaTargetId)) { + oaTargetId = oaParam.getAreaSpecificTargetIdentifier(); + Logger.debug("Use OA target identifier '" + oaTargetId + "' from configuration"); - if (MiscUtil.isEmpty(target)) - target = oaParam.getTarget(); - - bPK = new BPKBuilder().buildBPK(baseID, target); - bPKType = Constants.URN_PREFIX_CDID + "+" + target; - - } - + } else + Logger.info("Use OA target identifier '" + oaTargetId + "' from SAML1 request for bPK calculation"); + + //calculate sector specific unique identifier + sectorSpecId = new BPKBuilder().generateAreaSpecificPersonIdentifier(baseID, oaTargetId); + + } else { - Logger.warn("!!!baseID-element does not include a baseID. This should not be happen any more!!!"); - bPK = baseID; - bPKType = baseIDType; - + Logger.fatal("!!!baseID-element does not include a baseID. This should not be happen any more!!!"); + sectorSpecId = Pair.newInstance(baseID, baseIDType); + } - Logger.trace("Authenticate user with bPK:" + bPK + " Type:" + bPKType); - return Pair.newInstance(bPK, bPKType); + Logger.trace("Authenticate user with bPK:" + sectorSpecId.getFirst() + " Type:" + sectorSpecId.getSecond()); + return sectorSpecId; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java index 32ac8ad68..a7f6e873f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java @@ -60,6 +60,7 @@ import javax.crypto.IllegalBlockSizeException; import javax.crypto.NoSuchPaddingException; import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; @@ -76,77 +77,192 @@ import at.gv.egovernment.moa.util.MiscUtil; */ public class BPKBuilder { - /** - * Builds the bPK from the given parameters. - * - * @param identificationValue Base64 encoded "Stammzahl" - * @param target "Bereich lt. Verordnung des BKA" - * @return bPK in a BASE64 encoding - * @throws BuildException if an error occurs on building the bPK - */ - public String buildBPK(String identificationValue, String target) - throws BuildException { - - if ((identificationValue == null || - identificationValue.length() == 0 || - target == null || - target.length() == 0)) { - throw new BuildException("builder.00", - new Object[]{"BPK", "Unvollständige Parameterangaben: identificationValue=" + - identificationValue + ",target=" + target}); - } - String basisbegriff; - if (target.startsWith(Constants.URN_PREFIX_CDID + "+")) - basisbegriff = identificationValue + "+" + target; - else - basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_CDID + "+" + target; + /** + * Calculates an area specific unique person-identifier from a baseID + * + * @param baseID baseId from user but never null + * @param targetIdentifier target identifier for area specific identifier calculation but never null + * @return Pair<unique person identifier for this target, targetArea> but never null + * @throws BuildException if some input data are not valid + */ + public Pair<String, String> generateAreaSpecificPersonIdentifier(String baseID, String targetIdentifier) throws BuildException{ + return generateAreaSpecificPersonIdentifier(baseID, Constants.URN_PREFIX_BASEID, targetIdentifier); + + } + + /** + * Calculates an area specific unique person-identifier from an unique identifier with a specific type + * + * @param baseID baseId from user but never null + * @param baseIdType Type of the baseID but never null + * @param targetIdentifier target identifier for area specific identifier calculation but never null + * @return Pair<unique person identifier for this target, targetArea> but never null + * @throws BuildException if some input data are not valid + */ + public Pair<String, String> generateAreaSpecificPersonIdentifier(String baseID, String baseIdType, String targetIdentifier) throws BuildException{ + if (MiscUtil.isEmpty(baseID)) + throw new BuildException("builder.00", new Object[]{"baseID is empty or null"}); - return calculatebPKwbPK(basisbegriff); - } + if (MiscUtil.isEmpty(baseIdType)) + throw new BuildException("builder.00", new Object[]{"the type of baseID is empty or null"}); + + if (MiscUtil.isEmpty(targetIdentifier)) + throw new BuildException("builder.00", new Object[]{"OA specific target identifier is empty or null"}); + if (baseIdType.equals(Constants.URN_PREFIX_BASEID)) { + Logger.trace("Find baseID. Starting unique identifier caluclation for this target"); + + if (targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_CDID) || + targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_WPBK) || + targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_STORK)) { + Logger.trace("Calculate bPK, wbPK, or STORK identifier for target: " + targetIdentifier); + return Pair.newInstance(calculatebPKwbPK(baseID + "+" + targetIdentifier), targetIdentifier); + + } else if (targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_EIDAS)) { + Logger.trace("Calculate eIDAS identifier for target: " + targetIdentifier); + String[] splittedTarget = targetIdentifier.split("\\+"); + String cititzenCountryCode = splittedTarget[1]; + String eIDASOutboundCountry = splittedTarget[2]; + + if (cititzenCountryCode.equalsIgnoreCase(eIDASOutboundCountry)) { + Logger.warn("Suspect configuration FOUND!!! CitizenCountry equals DestinationCountry"); + + } + return buildeIDASIdentifer(baseID, baseIdType, cititzenCountryCode, eIDASOutboundCountry); + + + } else + throw new BuildException("builder.00", + new Object[]{"Target identifier: " + targetIdentifier + " is NOT allowed or unknown"}); + + } else { + Logger.trace("BaseID is not of type " + Constants.URN_PREFIX_BASEID + ". Check type against requested target ..."); + if (baseIdType.equals(targetIdentifier)) { + Logger.debug("Unique identifier is already area specific. Is nothing todo"); + return Pair.newInstance(baseID, targetIdentifier); + + } else { + Logger.warn("Get unique identifier for target: " + baseIdType + " but target: " + targetIdentifier + " is required!"); + throw new BuildException("builder.00", + new Object[]{"Get unique identifier for target: " + baseIdType + " but target: " + targetIdentifier + " is required"}); + + } + } + } + + /** - * Builds the wbPK from the given parameters. + * Builds the storkeid from the given parameters. * - * @param identificationValue Base64 encoded "Stammzahl" - * @param registerAndOrdNr type of register + "+" + number in register. - * @return wbPK in a BASE64 encoding + * @param baseID baseID of the citizen + * @param baseIDType Type of the baseID + * @param sourceCountry CountryCode of that country, which build the eIDAs ID + * @param destinationCountry CountryCode of that country, which receives the eIDAs ID + * + * @return Pair<eIDAs, bPKType> in a BASE64 encoding * @throws BuildException if an error occurs on building the wbPK */ - public String buildWBPK(String identificationValue, String registerAndOrdNr) - throws BuildException { + private Pair<String, String> buildeIDASIdentifer(String baseID, String baseIDType, String sourceCountry, String destinationCountry) + throws BuildException { + String bPK = null; + String bPKType = null; + + // check if we have been called by public sector application + if (baseIDType.startsWith(Constants.URN_PREFIX_BASEID)) { + bPKType = Constants.URN_PREFIX_EIDAS + "+" + sourceCountry + "+" + destinationCountry; + Logger.debug("Building eIDAS identification from: [identValue]+" + bPKType); + bPK = calculatebPKwbPK(baseID + "+" + bPKType); + + } else { // if not, sector identification value is already calculated by BKU + Logger.debug("eIDAS eIdentifier already provided by BKU"); + bPK = baseID; + } - if ((identificationValue == null || - identificationValue.length() == 0 || - registerAndOrdNr == null || - registerAndOrdNr.length() == 0)) { + if ((MiscUtil.isEmpty(bPK) || + MiscUtil.isEmpty(sourceCountry) || + MiscUtil.isEmpty(destinationCountry))) { throw new BuildException("builder.00", - new Object[]{"wbPK", "Unvollständige Parameterangaben: identificationValue=" + - identificationValue + ",Register+Registernummer=" + registerAndOrdNr}); + new Object[]{"eIDAS-ID", "Unvollständige Parameterangaben: identificationValue=" + + bPK + ", Zielland=" + destinationCountry + ", Ursprungsland=" + sourceCountry}); } - - String basisbegriff; - if (registerAndOrdNr.startsWith(Constants.URN_PREFIX_WBPK + "+")) - basisbegriff = identificationValue + "+" + registerAndOrdNr; - else - basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr; - - return calculatebPKwbPK(basisbegriff); - } - - public String buildbPKorwbPK(String baseID, String bPKorwbPKTarget) throws BuildException { - if (MiscUtil.isEmpty(baseID) || - !(bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_CDID + "+") || - bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_WBPK + "+") || - bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_STORK + "+")) ) { - throw new BuildException("builder.00", - new Object[]{"bPK/wbPK", "bPK or wbPK target " + bPKorwbPKTarget - + " has an unkown prefix."}); - - } - - return calculatebPKwbPK(baseID + "+" + bPKorwbPKTarget); - + + Logger.debug("Building eIDAS identification from: " + sourceCountry+"/"+destinationCountry+"/" + "[identValue]"); + String eIdentifier = sourceCountry + "/" + destinationCountry + "/" + bPK; + + return Pair.newInstance(eIdentifier, bPKType); } + +// /** +// * Builds the bPK from the given parameters. +// * +// * @param identificationValue Base64 encoded "Stammzahl" +// * @param target "Bereich lt. Verordnung des BKA" +// * @return bPK in a BASE64 encoding +// * @throws BuildException if an error occurs on building the bPK +// */ +// private String buildBPK(String identificationValue, String target) +// throws BuildException { +// +// if ((identificationValue == null || +// identificationValue.length() == 0 || +// target == null || +// target.length() == 0)) { +// throw new BuildException("builder.00", +// new Object[]{"BPK", "Unvollständige Parameterangaben: identificationValue=" + +// identificationValue + ",target=" + target}); +// } +// String basisbegriff; +// if (target.startsWith(Constants.URN_PREFIX_CDID + "+")) +// basisbegriff = identificationValue + "+" + target; +// else +// basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_CDID + "+" + target; +// +// return calculatebPKwbPK(basisbegriff); +// } +// +// /** +// * Builds the wbPK from the given parameters. +// * +// * @param identificationValue Base64 encoded "Stammzahl" +// * @param registerAndOrdNr type of register + "+" + number in register. +// * @return wbPK in a BASE64 encoding +// * @throws BuildException if an error occurs on building the wbPK +// */ +// private String buildWBPK(String identificationValue, String registerAndOrdNr) +// throws BuildException { +// +// if ((identificationValue == null || +// identificationValue.length() == 0 || +// registerAndOrdNr == null || +// registerAndOrdNr.length() == 0)) { +// throw new BuildException("builder.00", +// new Object[]{"wbPK", "Unvollständige Parameterangaben: identificationValue=" + +// identificationValue + ",Register+Registernummer=" + registerAndOrdNr}); +// } +// +// String basisbegriff; +// if (registerAndOrdNr.startsWith(Constants.URN_PREFIX_WBPK + "+")) +// basisbegriff = identificationValue + "+" + registerAndOrdNr; +// else +// basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr; +// +// return calculatebPKwbPK(basisbegriff); +// } +// +// private String buildbPKorwbPK(String baseID, String bPKorwbPKTarget) throws BuildException { +// if (MiscUtil.isEmpty(baseID) || +// !(bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_CDID + "+") || +// bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_WBPK + "+") || +// bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_STORK + "+")) ) { +// throw new BuildException("builder.00", +// new Object[]{"bPK/wbPK", "bPK or wbPK target " + bPKorwbPKTarget +// + " has an unkown prefix."}); +// +// } +// +// return calculatebPKwbPK(baseID + "+" + bPKorwbPKTarget); +// +// } public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws BuildException { MiscUtil.assertNotNull(bpk, "BPK"); @@ -199,48 +315,7 @@ public class BPKBuilder { return null; } } - - /** - * Builds the storkeid from the given parameters. - * - * @param baseID baseID of the citizen - * @param baseIDType Type of the baseID - * @param sourceCountry CountryCode of that country, which build the eIDAs ID - * @param destinationCountry CountryCode of that country, which receives the eIDAs ID - * - * @return Pair<eIDAs, bPKType> in a BASE64 encoding - * @throws BuildException if an error occurs on building the wbPK - */ - public Pair<String, String> buildeIDASIdentifer(String baseID, String baseIDType, String sourceCountry, String destinationCountry) - throws BuildException { - String bPK = null; - String bPKType = null; - - // check if we have been called by public sector application - if (baseIDType.startsWith(Constants.URN_PREFIX_BASEID)) { - bPKType = Constants.URN_PREFIX_EIDAS + "+" + sourceCountry + "+" + destinationCountry; - Logger.debug("Building eIDAS identification from: [identValue]+" + bPKType); - bPK = calculatebPKwbPK(baseID + "+" + bPKType); - - } else { // if not, sector identification value is already calculated by BKU - Logger.debug("eIDAS eIdentifier already provided by BKU"); - bPK = baseID; - } - - if ((MiscUtil.isEmpty(bPK) || - MiscUtil.isEmpty(sourceCountry) || - MiscUtil.isEmpty(destinationCountry))) { - throw new BuildException("builder.00", - new Object[]{"eIDAS-ID", "Unvollständige Parameterangaben: identificationValue=" + - bPK + ", Zielland=" + destinationCountry + ", Ursprungsland=" + sourceCountry}); - } - - Logger.debug("Building eIDAS identification from: " + sourceCountry+"/"+destinationCountry+"/" + "[identValue]"); - String eIdentifier = sourceCountry + "/" + destinationCountry + "/" + bPK; - return Pair.newInstance(eIdentifier, bPKType); - } - private String calculatebPKwbPK(String basisbegriff) throws BuildException { try { MessageDigest md = MessageDigest.getInstance("SHA-1"); @@ -281,6 +356,4 @@ public class BPKBuilder { result = cipher.doFinal(encryptedBytes); return result; } - - } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java index 73fe961eb..4c4af4239 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java @@ -53,9 +53,11 @@ import java.util.List; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DateTimeUtils; +import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.StringUtils; /** @@ -156,8 +158,9 @@ public class CreateXMLSignatureRequestBuilder implements Constants { * @param oaParam parameter for the OA * @param session current session * @return String representation of <code><CreateXMLSignatureRequest></code> + * @throws ConfigurationException */ - public String buildForeignID(String subject, IRequest pendingReq) { + public String buildForeignID(String subject, IRequest pendingReq) throws ConfigurationException { String request = ""; request += "<sl:CreateXMLSignatureRequest xmlns:sl=\"http://www.buergerkarte.at/namespaces/securitylayer/1.2#\">"; @@ -181,11 +184,22 @@ public class CreateXMLSignatureRequestBuilder implements Constants { return request; } - public static String buildForeignIDTextToBeSigned(String subject, IRequest pendingReq) { + public static String buildForeignIDTextToBeSigned(String subject, IRequest pendingReq) throws ConfigurationException { IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); - String target = pendingReq.getGenericData( - MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); - String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target); + String target = null; + String sectorName = null; + + + String saml1Target = pendingReq.getGenericData( + MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); + if (MiscUtil.isNotEmpty(saml1Target)) { + target = saml1Target; + sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(saml1Target); + + } else { + target = oaParam.getAreaSpecificTargetIdentifier(); + sectorName = oaParam.getAreaSpecificTargetIdentifierFriendlyName(); + } Calendar cal = Calendar.getInstance(); String date = DateTimeUtils.buildDate(cal); @@ -243,11 +257,11 @@ public class CreateXMLSignatureRequestBuilder implements Constants { request += oaParam.getPublicURLPrefix(); request += "</td>"; request += "</tr>"; - boolean business = oaParam.getBusinessService(); - if (business) { + + if (!target.startsWith(MOAIDAuthConstants.PREFIX_CDID)) { // OA is businessservice - String identifierType = oaParam.getIdentityLinkDomainIdentifierType(); - String identifier = oaParam.getIdentityLinkDomainIdentifier(); + String identifierType = oaParam.getAreaSpecificTargetIdentifierFriendlyName(); + String identifier = oaParam.getAreaSpecificTargetIdentifier(); request += "<tr>"; request += "<td class=\"italicstyle\">"; request += identifierType + ":"; @@ -263,7 +277,7 @@ public class CreateXMLSignatureRequestBuilder implements Constants { request += "<td class=\"italicstyle\">"; request += "Sektor (Sector):</td>"; request += "<td class=\"normalstyle\">"; - request += target + " (" + sectorName + ")"; + request += target.substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")"; request += "</td>"; request += "</tr>"; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java index f4f6e82ba..fc5489673 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java @@ -31,14 +31,10 @@ import at.gv.egovernment.moa.id.auth.exception.DynamicOABuildException; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; -import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.config.auth.data.DynamicOAAuthParameters; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; -import at.gv.egovernment.moa.util.MiscUtil; /** * @author tlenz @@ -57,13 +53,14 @@ public class DynamicOAAuthParameterBuilder { if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) { String attrValue = attr.getAttributeValues().get(0).getDOM().getTextContent(); if (attrValue.startsWith(Constants.URN_PREFIX_CDID)) { - dynamicOA.setBusinessService(false); - dynamicOA.setTarget(attrValue.substring((Constants.URN_PREFIX_CDID + "+").length())); + //dynamicOA.setBusinessService(false); + dynamicOA.setAreaSpecificTargetIdentifier(attrValue); } else if( attrValue.startsWith(Constants.URN_PREFIX_WBPK) || - attrValue.startsWith(Constants.URN_PREFIX_STORK) ) { - dynamicOA.setBusinessService(true); - dynamicOA.setTarget(attrValue); + attrValue.startsWith(Constants.URN_PREFIX_STORK) || + attrValue.startsWith(Constants.URN_PREFIX_EIDAS)) { + //dynamicOA.setBusinessService(true); + dynamicOA.setAreaSpecificTargetIdentifier(attrValue); } else { Logger.error("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea"); @@ -84,13 +81,16 @@ public class DynamicOAAuthParameterBuilder { * @param oaParam * @param protocolRequest * @return + * @throws ConfigurationException */ public static IOAAuthParameters buildFromAuthnRequest( - IOAAuthParameters oaParam, IRequest protocolRequest) { + IOAAuthParameters oaParam, IRequest protocolRequest) throws ConfigurationException { DynamicOAAuthParameters dynOAParams = new DynamicOAAuthParameters(); dynOAParams.setApplicationID(oaParam.getPublicURLPrefix()); - dynOAParams.setBusinessService(oaParam.getBusinessService()); + + dynOAParams.setHasBaseIdProcessingRestriction(oaParam.hasBaseIdInternalProcessingRestriction()); + dynOAParams.setHasBaseIdTransfergRestriction(oaParam.hasBaseIdTransferRestriction()); Object storkRequst = null; try { @@ -98,9 +98,9 @@ public class DynamicOAAuthParameterBuilder { if (storkRequst != null && protocolRequest.getClass().isInstance(storkRequst)) { - dynOAParams.setBusinessTarget(Constants.URN_PREFIX_STORK + "+" + "AT" + "+" + dynOAParams.setAreaSpecificTargetIdentifier(Constants.URN_PREFIX_STORK + "+" + "AT" + "+" + protocolRequest.getClass().getMethod("getSpCountry", null).invoke(protocolRequest, null)); - dynOAParams.setBusinessService(true); + //dynOAParams.setBusinessService(true); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index cfe075520..b2db8d5a2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -33,7 +33,6 @@ import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; -import at.gv.egovernment.moa.id.commons.MOAIDConstants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.IRequest; @@ -53,7 +52,7 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ @Autowired AuthConfiguration authConfig; public void parse(IAuthenticationSession moasession, - String target, + String reqTarget, String oaURL, String bkuURL, String templateURL, @@ -62,10 +61,11 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ HttpServletRequest req, IRequest protocolReq) throws WrongParametersException, MOAIDException { - String targetFriendlyName = null; - + String resultTargetFriendlyName = null; + String resultTarget = null; + // escape parameter strings - target = StringEscapeUtils.escapeHtml(target); + reqTarget = StringEscapeUtils.escapeHtml(reqTarget); bkuURL = StringEscapeUtils.escapeHtml(bkuURL); templateURL = StringEscapeUtils.escapeHtml(templateURL); useMandate = StringEscapeUtils.escapeHtml(useMandate); @@ -103,70 +103,70 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ // get target and target friendly name from config - String targetConfig = oaParam.getTarget(); - String targetFriendlyNameConfig = oaParam.getTargetFriendlyName(); + String targetConfig = oaParam.getAreaSpecificTargetIdentifier(); + String targetFriendlyNameConfig = oaParam.getAreaSpecificTargetIdentifierFriendlyName(); + + //SAML1 legacy work-around for public area targets in request + if (protocolReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol") && + !StringUtils.isEmpty(reqTarget)) { + //INFO: ONLY SAML1 legacy mode + // if SAML1 is used and target attribute is given in request + // use requested target + // check target parameter + if (!ParamValidatorUtils.isValidTarget(reqTarget)) { + Logger.error("Selected target is invalid. Used target: " + reqTarget); + throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12"); + } + resultTarget = MOAIDAuthConstants.PREFIX_CDID + reqTarget; - if (!oaParam.getBusinessService()) { - if (StringUtils.isEmpty(targetConfig) - || (protocolReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol") && - !StringUtils.isEmpty(target)) - ) { - //INFO: ONLY SAML1 legacy mode - // if SAML1 is used and target attribute is given in request - // use requested target - // check target parameter - if (!ParamValidatorUtils.isValidTarget(target)) { - Logger.error("Selected target is invalid. Using target: " + target); - throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12"); - } - if (MiscUtil.isNotEmpty(targetConfig)) - targetFriendlyName = targetFriendlyNameConfig; + String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(reqTarget); + if (MiscUtil.isNotEmpty(sectorName)) + resultTargetFriendlyName = sectorName; + + else { + //check target contains subSector + int delimiter = reqTarget.indexOf("-"); + if (delimiter > 0) { + resultTargetFriendlyName = + TargetToSectorNameMapper.getSectorNameViaTarget(reqTarget.substring(0, delimiter)); - else { - String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target); - if (MiscUtil.isNotEmpty(sectorName)) - targetFriendlyName = sectorName; - - else { - //check target contains subSector - int delimiter = target.indexOf("-"); - if (delimiter > 0) { - targetFriendlyName = - TargetToSectorNameMapper.getSectorNameViaTarget(target.substring(0, delimiter)); - - } - } - } - - } else { - // use target from config - target = targetConfig; - targetFriendlyName = targetFriendlyNameConfig; + } } - if (isEmpty(target)) - throw new WrongParametersException("StartAuthentication", - PARAM_TARGET, "auth.05"); - - protocolReq.setGenericDataToSession(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, target); + if (MiscUtil.isNotEmpty(targetConfig) && MiscUtil.isEmpty(resultTargetFriendlyName)) + resultTargetFriendlyName = targetFriendlyNameConfig; + + //set info's into request-context. (It's required to support SAML1 requested target parameters) + protocolReq.setGenericDataToSession(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, resultTarget); protocolReq.setGenericDataToSession( - MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, targetFriendlyName); - Logger.debug("Service-Provider is of type 'PublicService' with DomainIdentifier:" + target); - + MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, resultTargetFriendlyName); + } else { - Logger.debug("Service-Provider is of type 'PrivateService' with DomainIdentifier:" + oaParam.getIdentityLinkDomainIdentifier()); + Logger.trace("Use oa sector-identifier from configuration"); + resultTarget = targetConfig; + resultTargetFriendlyName = targetFriendlyNameConfig; - /*eIDAS SPs have the same policies regarding Austrian baseIDs as Austrian business services, - * but mandates are allowed for these - */ - if (useMandateBoolean && - !oaParam.getIdentityLinkDomainIdentifier().startsWith(MOAIDConstants.PREFIX_EIDAS)) { - Logger.error("Online-Mandate Mode for business application not supported."); - throw new AuthenticationException("auth.17", null); - - } } - + + //check if target is found + if (MiscUtil.isEmpty(resultTarget)) + throw new WrongParametersException("StartAuthentication", + PARAM_TARGET, "auth.05"); + + //check if mandates are allowed + if (useMandateBoolean && oaParam.hasBaseIdInternalProcessingRestriction()) { + Logger.error("Online-Mandate Mode for business application not supported."); + throw new AuthenticationException("auth.17", null); + + } + + if (resultTarget.startsWith(MOAIDAuthConstants.PREFIX_CDID)) + Logger.debug("Service-Provider is of type 'PublicService' with DomainIdentifier:" + resultTarget); + else + Logger.debug("Service-Provider is of type 'PrivateService' with DomainIdentifier:" + resultTarget); + + + //Validate BKU URI List<String> allowedbkus = oaParam.getBKUURL(); allowedbkus.addAll(authConfig.getDefaultBKUURLs()); @@ -252,16 +252,4 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ parse(moasession, target, oaURL, bkuURL, templateURL, useMandate, ccc, req, pendingReq); } - - /** - * Checks a parameter. - * - * @param param - * parameter - * @return true if the parameter is null or empty - */ - private boolean isEmpty(String param) { - return param == null || param.length() == 0; - } - } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java index c31666bbb..fc5cc0495 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java @@ -52,6 +52,8 @@ package at.gv.egovernment.moa.id.config; import java.util.HashMap;
import java.util.Map;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+
/**
* @author bzwattendorfer
*
@@ -106,6 +108,8 @@ public class TargetToSectorNameMapper implements TargetsAndSectorNames { }
public static String getSectorNameViaTarget(String target) {
+ if (target.startsWith(MOAIDAuthConstants.PREFIX_CDID))
+ target = target.substring(MOAIDAuthConstants.PREFIX_CDID.length());
return targetMap.get(target) != null ? (String) targetMap.get(target) : "";
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index e96169688..3d04a142e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -60,7 +60,9 @@ import java.util.Set; import org.apache.commons.lang.SerializationUtils; import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.MOAIDConstants; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.IStorkConfig; import at.gv.egovernment.moa.id.commons.api.data.BPKDecryptionParameters; @@ -96,10 +98,31 @@ public class OAAuthParameter implements IOAAuthParameters, Serializable{ final public static String DEFAULT_KEYBOXIDENTIFIER = "SecureSignatureKeypair"; private Map<String, String> oaConfiguration; + private List<String> targetAreasWithNoInteralBaseIdRestriction = new ArrayList<String>(); + private List<String> targetAreasWithNoBaseIdTransmissionRestriction = new ArrayList<String>(); - - public OAAuthParameter(final Map<String, String> oa) { + public OAAuthParameter(final Map<String, String> oa, AuthConfiguration authConfig) { this.oaConfiguration = oa; + + //set oa specific restrictions + targetAreasWithNoInteralBaseIdRestriction = KeyValueUtils.getListOfCSVValues( + authConfig.getBasicMOAIDConfiguration( + CONFIG_KEY_RESTRICTIONS_BASEID_INTERNAL, + MOAIDAuthConstants.PREFIX_CDID)); + + targetAreasWithNoBaseIdTransmissionRestriction = KeyValueUtils.getListOfCSVValues( + authConfig.getBasicMOAIDConfiguration( + CONFIG_KEY_RESTRICTIONS_BASEID_TRANSMISSION, + MOAIDAuthConstants.PREFIX_CDID)); + + if (Logger.isTraceEnabled()) { + Logger.trace("Internal policy for OA: " + getPublicURLPrefix()); + for (String el : targetAreasWithNoInteralBaseIdRestriction) + Logger.trace(" Allow baseID processing for prefix " + el); + for (String el : targetAreasWithNoBaseIdTransmissionRestriction) + Logger.trace(" Allow baseID transfer for prefix " + el); + + } } @@ -111,12 +134,54 @@ public class OAAuthParameter implements IOAAuthParameters, Serializable{ return this.oaConfiguration.get(key); } + @Override + public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException { + String targetAreaIdentifier = getAreaSpecificTargetIdentifier(); + for (String el : targetAreasWithNoInteralBaseIdRestriction) { + if (targetAreaIdentifier.startsWith(el)) + return false; + + } + return true; + + } + + @Override + public boolean hasBaseIdTransferRestriction() throws ConfigurationException { + String targetAreaIdentifier = getAreaSpecificTargetIdentifier(); + for (String el : targetAreasWithNoBaseIdTransmissionRestriction) { + if (targetAreaIdentifier.startsWith(el)) + return false; + + } + return true; + + } + + @Override + public String getAreaSpecificTargetIdentifier() throws ConfigurationException { + if (getBusinessService()) + return getIdentityLinkDomainIdentifier(); + else + return MOAIDAuthConstants.PREFIX_CDID + getTarget(); + + } + + @Override + public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException{ + if (getBusinessService()) + return getIdentityLinkDomainIdentifierType(); + else + return getTargetFriendlyName(); + + } + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier() */ -@Override -public String getIdentityLinkDomainIdentifier() { +//@Override +private String getIdentityLinkDomainIdentifier() { String type = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE); String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_VALUE); if (MiscUtil.isNotEmpty(type) && MiscUtil.isNotEmpty(value)) { @@ -138,8 +203,8 @@ public String getIdentityLinkDomainIdentifier() { /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType() */ -@Override -public String getIdentityLinkDomainIdentifierType() { +//@Override +private String getIdentityLinkDomainIdentifierType() { String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE); if (MiscUtil.isNotEmpty(value)) return MOAIDConfigurationConstants.BUSINESSSERVICENAMES.get(value); @@ -151,8 +216,8 @@ public String getIdentityLinkDomainIdentifierType() { /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget() */ -@Override -public String getTarget() { +//@Override +private String getTarget() { if (Boolean.parseBoolean(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_USE_OWN))) return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_OWN_TARGET); @@ -171,8 +236,8 @@ public String getTarget() { /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTargetFriendlyName() */ -@Override -public String getTargetFriendlyName() { +//@Override +private String getTargetFriendlyName() { if (Boolean.parseBoolean(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_USE_OWN))) return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_OWN_NAME); @@ -653,8 +718,8 @@ public boolean isInterfederationSSOStorageAllowed() { return false; } -public boolean isIDPPublicService() { - return !getBusinessService(); +public boolean isIDPPublicService() throws ConfigurationException { + return !hasBaseIdTransferRestriction(); } @@ -740,11 +805,7 @@ public String getPublicURLPrefix() { } -/* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService() - */ -@Override -public boolean getBusinessService() { +private boolean getBusinessService() { String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_BUSINESSSERVICE); if (MiscUtil.isNotEmpty(value)) return Boolean.parseBoolean(value); @@ -785,16 +846,16 @@ public String getFriendlyName() { } -/* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType() - */ -@Override -public String getOaType() { - if (getBusinessService()) - return "businessService"; - else - return "publicService"; -} +///* (non-Javadoc) +// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType() +// */ +//@Override +//public String getOaType() { +// if (getBusinessService()) +// return "businessService"; +// else +// return "publicService"; +//} /** diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java index b1fc12f26..332604257 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java @@ -412,7 +412,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide return null; } - return new OAAuthParameter(oa); + return new OAAuthParameter(oa, this); } /** @@ -817,7 +817,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide public String getSSOFriendlyName() { try { return configuration.getStringValue( - MOAIDConfigurationConstants.GENERAL_AUTH_SSO_TARGET, "Default MOA-ID friendly name for SSO"); + MOAIDConfigurationConstants.GENERAL_AUTH_SSO_SERVICENAME, "Default MOA-ID friendly name for SSO"); } catch (at.gv.egiz.components.configuration.api.ConfigurationException e) { Logger.warn("Single Sign-On FriendlyName can not be read from configuration.", e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java index 9fd58b5c7..f3db82315 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java @@ -32,6 +32,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters; import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute; import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; /** * @author tlenz @@ -45,33 +46,84 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{ private static final long serialVersionUID = 1648437815185614566L; private String publicURLPrefix; - - private String businessTarget; - - private boolean businessService; - + private boolean isInderfederationIDP; - private String IDPQueryURL; - private String target; - + private boolean hasBaseIdProcessingRestriction; + private boolean hasBaseIdTransfergRestriction; + private String oaTargetAreaIdentifier; + + /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget() + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdInternalProcessingRestriction() */ @Override - public String getTarget() { - return this.target; + public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException { + return this.hasBaseIdProcessingRestriction; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdTransferRestriction() + */ + @Override + public boolean hasBaseIdTransferRestriction() throws ConfigurationException { + return this.hasBaseIdTransfergRestriction; } /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier() + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifier() + */ + @Override + public String getAreaSpecificTargetIdentifier() throws ConfigurationException { + return this.oaTargetAreaIdentifier; + } + + /** + * @param hasBaseIdProcessingRestriction the hasBaseIdProcessingRestriction to set + */ + public void setHasBaseIdProcessingRestriction(boolean hasBaseIdProcessingRestriction) { + this.hasBaseIdProcessingRestriction = hasBaseIdProcessingRestriction; + } + + /** + * @param hasBaseIdTransfergRestriction the hasBaseIdTransfergRestriction to set + */ + public void setHasBaseIdTransfergRestriction(boolean hasBaseIdTransfergRestriction) { + this.hasBaseIdTransfergRestriction = hasBaseIdTransfergRestriction; + } + + /** + * @param oaTargetAreaIdentifier the oaTargetAreaIdentifier to set + */ + public void setAreaSpecificTargetIdentifier(String oaTargetAreaIdentifier) { + this.oaTargetAreaIdentifier = oaTargetAreaIdentifier; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifierFriendlyName() */ @Override - public String getIdentityLinkDomainIdentifier() { - return this.businessTarget; + public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException { + return null; } +// /* (non-Javadoc) +// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget() +// */ +// //@Override +// public String getTarget() { +// return this.target; +// } +// +// /* (non-Javadoc) +// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier() +// */ +// //@Override +// public String getIdentityLinkDomainIdentifier() { +// return this.businessTarget; +// } + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIDPAttributQueryServiceURL() */ @@ -164,7 +216,7 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{ /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType() */ - @Override + //@Override public String getIdentityLinkDomainIdentifierType() { // TODO Auto-generated method stub return null; @@ -251,26 +303,26 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{ return null; } - /** - * @param isBusinessService the isBusinessService to set - */ - public void setBusinessService(boolean isBusinessService) { - businessService = isBusinessService; - } - - /** - * @param target the target to set - */ - public void setTarget(String target) { - this.target = target; - } - - /** - * @param businessTarget the businessTarget to set - */ - public void setBusinessTarget(String businessTarget) { - this.businessTarget = businessTarget; - } +// /** +// * @param isBusinessService the isBusinessService to set +// */ +// public void setBusinessService(boolean isBusinessService) { +// businessService = isBusinessService; +// } + +// /** +// * @param target the target to set +// */ +// public void setTarget(String target) { +// this.target = target; +// } +// +// /** +// * @param businessTarget the businessTarget to set +// */ +// public void setBusinessTarget(String businessTarget) { +// this.businessTarget = businessTarget; +// } /** * @param inderfederatedIDP the inderfederatedIDP to set @@ -400,27 +452,18 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{ return this.publicURLPrefix; } - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType() - */ - @Override - public String getOaType() { - // TODO Auto-generated method stub - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService() - */ - @Override - public boolean getBusinessService() { - return this.businessService; - } +// /* (non-Javadoc) +// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService() +// */ +// //@Override +// public boolean getBusinessService() { +// return this.businessService; +// } /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTargetFriendlyName() */ - @Override + //@Override public String getTargetFriendlyName() { // TODO Auto-generated method stub return null; @@ -487,4 +530,6 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{ // TODO Auto-generated method stub return false; } + + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java index f5f056ccc..7f56f519b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java @@ -120,7 +120,8 @@ public class AuthenticationData implements IAuthData, Serializable { * the corresponding <code>lt;saml:Assertion></code> */ - private boolean businessService; + private boolean isBaseIDTransferRestrication = true; + /** * STORK attributes from response @@ -742,13 +743,15 @@ public class AuthenticationData implements IAuthData, Serializable { * @see at.gv.egovernment.moa.id.data.IAuthData#isBusinessService() */ @Override - public boolean isBusinessService() { - return this.businessService; + public boolean isBaseIDTransferRestrication() { + return isBaseIDTransferRestrication; } - - public void setIsBusinessService(boolean flag) { - this.businessService = flag; - + + /** + * @param isBaseIDTransmittionAllowed the isBaseIDTransmittionAllowed to set + */ + public void setBaseIDTransferRestrication(boolean isBaseIDTransferRestrication) { + this.isBaseIDTransferRestrication = isBaseIDTransferRestrication; } /** diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java index 4c15cd3d1..e9fef4676 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java @@ -38,8 +38,8 @@ public interface IAuthData { Date getIssueInstant(); String getIssuer(); - - boolean isBusinessService(); + boolean isBaseIDTransferRestrication(); + boolean isSsoSession(); //boolean isInterfederatedSSOSession(); boolean isUseMandate(); @@ -90,5 +90,6 @@ public interface IAuthData { String getCcc(); public <T> T getGenericData(String key, final Class<T> clazz); + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java index a6a5f1dd4..b4846db12 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java @@ -38,7 +38,7 @@ public class EIDSourcePIN implements IPVPAttributeBuilder { public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if (authData.isBusinessService()) + if (authData.isBaseIDTransferRestrication()) throw new AttributePolicyException(EID_SOURCE_PIN_NAME); else { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java index 1d836802a..ccaecb3b6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java @@ -23,7 +23,6 @@ package at.gv.egovernment.moa.id.protocols.builder.attributes; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; @@ -37,7 +36,7 @@ public class EIDSourcePINType implements IPVPAttributeBuilder { public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if (authData.isBusinessService()) + if (authData.isBaseIDTransferRestrication()) throw new UnavailableAttributeException(EID_SOURCE_PIN_TYPE_NAME); else { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java index f4e69749c..a74ed4af5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java @@ -30,7 +30,9 @@ import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPers import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; @@ -74,24 +76,16 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui } try { - if (id.getType().equals(Constants.URN_PREFIX_BASEID)) { - - /*TODO: some updates are required if we support bPKs in eIDAS context, because - * BPKBuilder().buildWBPK only supports Austrian wbPKs - */ - if (oaParam.getBusinessService()) { - bpk = new BPKBuilder().buildWBPK(id.getValue().getValue(), oaParam.getIdentityLinkDomainIdentifier()); - - } else { - bpk = new BPKBuilder().buildBPK(id.getValue().getValue(), oaParam.getTarget()); - - } - + if (id.getType().equals(Constants.URN_PREFIX_BASEID)) { + Pair<String, String> calcResult = new BPKBuilder().generateAreaSpecificPersonIdentifier(id.getValue().getValue(), + oaParam.getAreaSpecificTargetIdentifier()); + bpk = calcResult.getFirst(); + } else bpk = id.getValue().getValue(); } - catch (BuildException e) { + catch (BuildException | ConfigurationException e) { Logger.error("Failed to generate IdentificationType"); throw new NoMandateDataAttributeException(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java index 69a731e53..82ebbb2b5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java @@ -27,10 +27,7 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributePolicyException; @@ -64,7 +61,7 @@ public class MandateNaturalPersonSourcePinAttributeBuilder implements IPVPAttri IdentificationType id = null; id = physicalPerson.getIdentification().get(0); - if(oaParam.getBusinessService()) { + if(authData.isBaseIDTransferRestrication()) { throw new AttributePolicyException(this.getName()); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java index 643e30ac9..72691a034 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java @@ -227,9 +227,9 @@ public class AttributQueryAction implements IAction { } //check next IDP service area policy. BusinessService IDPs can only request wbPKs - if (!spConfig.getBusinessService() && !idp.isIDPPublicService()) { + if (!spConfig.hasBaseIdTransferRestriction() && !idp.isIDPPublicService()) { Logger.error("Interfederated IDP " + idp.getPublicURLPrefix() - + " has a BusinessService-IDP but requests PublicService attributes."); + + " is a BusinessService-IDP but requests PublicService attributes."); throw new MOAIDException("auth.34", new Object[]{nextIDPInformation.getIdpurlprefix()}); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java index 2df72637d..4aa4f7419 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java @@ -59,7 +59,6 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableEx import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.Constants; /** * @author tlenz @@ -70,7 +69,7 @@ public class AttributQueryBuilder { @Autowired IDPCredentialProvider credentialProvider; - public List<Attribute> buildSAML2AttributeList(IOAAuthParameters oa, Iterator<String> iterator) { + public List<Attribute> buildSAML2AttributeList(IOAAuthParameters oa, Iterator<String> iterator) throws ConfigurationException { Logger.debug("Build OA specific Attributes for AttributQuery request"); @@ -87,17 +86,13 @@ public class AttributQueryBuilder { } else { //add OA specific information if (rA.equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) { - if (oa.getBusinessService()) - attr = generator.buildStringAttribute(attr.getFriendlyName(), - attr.getName(), oa.getIdentityLinkDomainIdentifier()); - else - attr = generator.buildStringAttribute(attr.getFriendlyName(), - attr.getName(), Constants.URN_PREFIX_CDID + "+" + oa.getTarget()); + attr = generator.buildStringAttribute(attr.getFriendlyName(), + attr.getName(), oa.getAreaSpecificTargetIdentifier()); + } //TODO: add attribute values for SSO with mandates (ProfileList) - - + attrList.add(attr); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index 55d8fa1ff..45539da3f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -60,11 +60,11 @@ import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBod import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; @@ -338,20 +338,8 @@ public class PVP2AssertionBuilder implements PVPConstants { } //set bPK-Type from configuration, because it MUST be equal to service-provider type - if (oaParam.getBusinessService()) { - if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) - bpktype = oaParam.getIdentityLinkDomainIdentifier(); - else - bpktype = Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier(); - - } else { - if (oaParam.getTarget().startsWith(Constants.URN_PREFIX_CDID + "+")) - bpktype = oaParam.getTarget(); - else - bpktype = Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget(); - - } - + bpktype = oaParam.getAreaSpecificTargetIdentifier(); + } else { //sourcePin is include --> check sourcePinType if (MiscUtil.isEmpty(bpktype)) @@ -365,21 +353,10 @@ public class PVP2AssertionBuilder implements PVPConstants { } - if (bpktype.equals(Constants.URN_PREFIX_BASEID)) { - if (oaParam.getBusinessService()) { - subjectNameID.setValue(new BPKBuilder().buildWBPK(bpk, oaParam.getIdentityLinkDomainIdentifier())); - if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) - subjectNameID.setNameQualifier(oaParam.getIdentityLinkDomainIdentifier()); - else - subjectNameID.setNameQualifier(Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier()); - - } else { - subjectNameID.setValue(new BPKBuilder().buildBPK(bpk, oaParam.getTarget())); - if (oaParam.getTarget().startsWith(Constants.URN_PREFIX_CDID + "+")) - subjectNameID.setNameQualifier(oaParam.getTarget()); - else - subjectNameID.setNameQualifier(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); - } + if (bpktype.equals(Constants.URN_PREFIX_BASEID)) { + Pair<String, String> calcbPK = new BPKBuilder().generateAreaSpecificPersonIdentifier(bpk, oaParam.getAreaSpecificTargetIdentifier()); + subjectNameID.setValue(calcbPK.getFirst()); + subjectNameID.setNameQualifier(calcbPK.getSecond()); } else { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index 5380d7f53..ab355646c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -217,6 +217,9 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider Logger.warn("Refresh PVP2X metadata for onlineApplication: " + entityID + " FAILED.", e); + } catch (ConfigurationException e) { + Logger.warn("Refresh PVP2X metadata for onlineApplication: " + + entityID + " FAILED.", e); } return false; @@ -484,13 +487,13 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider } - private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException { + private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException, ConfigurationException { PVPMetadataFilterChain filterChain = new PVPMetadataFilterChain(metadataURL, certificate); filterChain.getFilters().add(new SchemaValidationFilter()); if (oaParam.isInderfederationIDP()) { Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies"); - filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oaParam.getBusinessService())); + filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oaParam.hasBaseIdTransferRestriction())); } diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java index f53bfd90c..6f6735d48 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java @@ -192,9 +192,12 @@ public class MOAIDAuthConstants extends MOAIDConstants{ public static final String PROCESSCONTEXT_SSL_CLIENT_CERTIFICATE = MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE; //General protocol-request data-store keys + public static final String AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE = "authProces_SecurityLayerTemplate"; + + @Deprecated public static final String AUTHPROCESS_DATA_TARGET = "authProces_Target"; + @Deprecated public static final String AUTHPROCESS_DATA_TARGETFRIENDLYNAME = "authProces_TargetFriendlyName"; - public static final String AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE = "authProces_SecurityLayerTemplate"; } diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java index e9f9a7e80..98f0616a5 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java @@ -28,6 +28,8 @@ import java.util.Hashtable; import java.util.List; import java.util.Map; +import at.gv.egovernment.moa.util.Constants; + /** * @author tlenz * @@ -40,9 +42,15 @@ public class MOAIDConstants { public static final String FILE_URI_PREFIX = "file:/"; - public static final String PREFIX_WPBK = "urn:publicid:gv.at:wbpk+"; - public static final String PREFIX_STORK = "urn:publicid:gv.at:storkid+"; - public static final String PREFIX_EIDAS = "urn:publicid:gv.at:eidasid+"; + public static final String PREFIX_BASEID = Constants.URN_PREFIX_BASEID; + public static final String PREFIX_PBK = Constants.URN_PREFIX_BPK; + public static final String PREFIX_HPI = Constants.URN_PREFIX_HPI; + + public static final String PREFIX_CDID = Constants.URN_PREFIX_CDID + "+"; + public static final String PREFIX_WPBK = Constants.URN_PREFIX_WBPK + "+"; + public static final String PREFIX_STORK = Constants.URN_PREFIX_STORK + "+"; + public static final String PREFIX_EIDAS = Constants.URN_PREFIX_EIDAS + "+"; + public static final String IDENIFICATIONTYPE_FN = "FN"; public static final String IDENIFICATIONTYPE_ERSB = "ERSB"; diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java index 298d3e84e..1e1bfa94b 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java @@ -31,6 +31,7 @@ import at.gv.egovernment.moa.id.commons.api.data.CPEPS; import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters; import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute; import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; /** * @author tlenz @@ -38,6 +39,9 @@ import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin; */ public interface IOAAuthParameters { + public static final String CONFIG_KEY_RESTRICTIONS_BASEID_INTERNAL = "configuration.restrictions.baseID.idpProcessing"; + public static final String CONFIG_KEY_RESTRICTIONS_BASEID_TRANSMISSION = "configuration.restrictions.baseID.spTransmission"; + public static final String THIRDBKU = "thirdBKU"; public static final String HANDYBKU = "handy"; public static final String LOCALBKU = "local"; @@ -67,20 +71,52 @@ public interface IOAAuthParameters { public String getFriendlyName(); public String getPublicURLPrefix(); - - public String getOaType(); - public boolean getBusinessService(); + /** + * Indicates if this online applications has private area restrictions that disallow baseId processing in general + * This restriction is evaluated from area-identifier of this online application and a policy from configuration. + * The configuration key 'configuration.restrictions.baseID.idpProcessing' specifies a list of comma-separated values + * of area-identifier prefixes that are allowed to receive a baseID. By default only the prefix + * 'urn:publicid:gv.at:cdid+' is allowed to receive baseIDs + * + * @return true if there is a restriction, otherwise false + * @throws ConfigurationException In case of online-application configuration has public and private identifies + */ + public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException; + /** - * Get target of a public service-provider + * Indicates if this online applications has private area restrictions that disallow baseId transfer to OA + * This restriction is evaluated from area-identifier of this online application and a policy from configuration. + * The configuration key 'configuration.restrictions.baseID.spTransmission' specifies a list of comma-separated values + * of area-identifier prefixes that are allowed to receive a baseID. By default only the prefix + * 'urn:publicid:gv.at:cdid+' is allowed to receive baseIDs * - * @return target identifier without prefix + * @return true if there is a restriction, otherwise false + * @throws ConfigurationException In case of online-application configuration has public and private identifies */ - public String getTarget(); + public boolean hasBaseIdTransferRestriction() throws ConfigurationException; - public String getTargetFriendlyName(); + /** + * Get the full area-identifier for this online application to calculate the + * area-specific unique person identifier (bPK, wbPK, eIDAS unique identifier, ...). + * This identifier always contains the full prefix + * + * @return area identifier with prefix + * @throws ConfigurationException In case of online-application configuration has public and private identifies + */ + public String getAreaSpecificTargetIdentifier() throws ConfigurationException; + + /** + * Get a friendly name for the specific area-identifier of this online application + * + * @return fiendly name of the area-identifier + * @throws ConfigurationException In case of online-application configuration has public and private identifies + */ + public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException; + + public boolean isInderfederationIDP(); public boolean isSTORKPVPGateway(); @@ -88,13 +124,6 @@ public interface IOAAuthParameters { public boolean isRemovePBKFromAuthBlock(); /** - * Return the private-service domain-identifier with PreFix - * - * @return the identityLinkDomainIdentifier - */ - public String getIdentityLinkDomainIdentifier(); - - /** * @return the keyBoxIdentifier */ public String getKeyBoxIdentifier(); @@ -142,11 +171,6 @@ public interface IOAAuthParameters { */ public List<String> getMandateProfiles(); - /** - * @return the identityLinkDomainIdentifierType - */ - public String getIdentityLinkDomainIdentifierType(); - public boolean isShowMandateCheckBox(); public boolean isOnlyMandateAllowed(); diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java index 2a4e3b362..1d94e5da0 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java @@ -454,7 +454,6 @@ public interface Constants { /** URN prefix for context dependent id (stork). */ public static final String URN_PREFIX_STORK = URN_PREFIX + ":storkid"; - //TODO: update to eIDAS prefix /** URN prefix for context dependent id (eIDAS). */ public static final String URN_PREFIX_EIDAS = URN_PREFIX + ":eidasid"; diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 9294f3658..0a2371575 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -65,6 +65,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IMISMandate; import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.util.XMLUtil; import at.gv.egovernment.moa.logging.Logger; @@ -192,8 +193,8 @@ public class AuthenticationServer extends BaseAuthenticationServer { Logger.debug("Non-SSO Login requested or SSO not allowed/possible"); //build ReadInfobox request infoboxReadRequest = new InfoboxReadRequestBuilder().build( - oaParam.getBusinessService(), oaParam - .getIdentityLinkDomainIdentifier()); + oaParam.hasBaseIdInternalProcessingRestriction(), oaParam + .getAreaSpecificTargetIdentifier()); } @@ -401,9 +402,9 @@ public class AuthenticationServer extends BaseAuthenticationServer { try { // sets the extended SAML attributes for OID (Organwalter) setExtendedSAMLAttributeForMandatesOID(session, mandate, oaParam - .getBusinessService()); + .hasBaseIdTransferRestriction()); - validateExtendedSAMLAttributeForMandates(session, mandate, oaParam.getBusinessService()); + validateExtendedSAMLAttributeForMandates(session, mandate, oaParam.hasBaseIdTransferRestriction()); } catch (SAXException e) { @@ -523,9 +524,10 @@ public class AuthenticationServer extends BaseAuthenticationServer { * @return <code><saml:Assertion></code> as a String * @throws BuildException If an error occurs on serializing an extended SAML attribute * to be appended to the AUTH-Block. + * @throws ConfigurationException */ private String buildAuthenticationBlock(IAuthenticationSession session, - IOAAuthParameters oaParam, IRequest pendingReq) throws BuildException { + IOAAuthParameters oaParam, IRequest pendingReq) throws BuildException, ConfigurationException { IIdentityLink identityLink = session.getIdentityLink(); String issuer = identityLink.getName(); @@ -533,12 +535,16 @@ public class AuthenticationServer extends BaseAuthenticationServer { String identificationValue = null; String identificationType = null; + String identificationTypeFriendlyName = null; //get processing data from pending-request String authURL = pendingReq.getAuthURL(); - String requestedTarget = pendingReq.getGenericData( - MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); - String targetFriendlyName = pendingReq.getGenericData( + + @Deprecated + String saml1RequestedTarget = pendingReq.getGenericData( + MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); + @Deprecated + String saml1RequestedFriendlyName = pendingReq.getGenericData( MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class); @@ -546,45 +552,45 @@ public class AuthenticationServer extends BaseAuthenticationServer { if (session.isOW() || pendingReq.needSingleSignOnFunctionality() || oaParam.isRemovePBKFromAuthBlock()) { identificationType = ""; identificationValue = ""; - + } else if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - if (oaParam.getBusinessService()) { - - String bpkBase64 = new BPKBuilder().buildWBPK(identityLink - .getIdentificationValue(), oaParam.getIdentityLinkDomainIdentifier()); - identificationValue = bpkBase64; - - if (oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_WBPK + "+")) - identificationType = oaParam.getIdentityLinkDomainIdentifier(); - else - identificationType = Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier(); - - } else { - String bpkBase64 = new BPKBuilder().buildBPK(identityLink - .getIdentificationValue(), requestedTarget); - identificationValue = bpkBase64; - identificationType = Constants.URN_PREFIX_CDID + "+" + requestedTarget; + if (MiscUtil.isNotEmpty(saml1RequestedTarget)) { + Logger.debug("Build AuthBlock bPK from SAML1 requested target"); + Pair<String, String> calcId = new BPKBuilder().generateAreaSpecificPersonIdentifier( + identityLink.getIdentificationValue(), identityLink.getIdentificationType(), + saml1RequestedTarget); + identificationValue = calcId.getFirst(); + identificationType = calcId.getSecond(); + identificationTypeFriendlyName = saml1RequestedFriendlyName; + + } else { + Pair<String, String> calcId = new BPKBuilder().generateAreaSpecificPersonIdentifier( + identityLink.getIdentificationValue(), identityLink.getIdentificationType(), + oaParam.getAreaSpecificTargetIdentifier()); + identificationValue = calcId.getFirst(); + identificationType = calcId.getSecond(); + identificationTypeFriendlyName = oaParam.getAreaSpecificTargetIdentifierFriendlyName(); } - } else { identificationValue = identityLink.getIdentificationValue(); identificationType = identityLink.getIdentificationType(); + identificationTypeFriendlyName = oaParam.getAreaSpecificTargetIdentifierFriendlyName(); } //set AuthBlock generation time to session - String issueInstant = DateTimeUtils.buildDateTimeUTC(Calendar - .getInstance()); + String issueInstant = DateTimeUtils.buildDateTimeUTC(Calendar.getInstance()); session.setIssueInstant(issueInstant); - // Bug #485 - // (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105) - // String oaURL = session.getPublicOAURLPrefix(); - + //load extend attributes List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); + //load special authblock text patterns for replacement + Map<String, String> authBlockTextPatterns = AuthenticationBlockAssertionBuilder. + generateSpezialAuthBlockPatternMap(pendingReq, issuer, gebDat, issueInstant); + String authBlock = null; if (pendingReq.needSingleSignOnFunctionality()) { String oaURL = pendingReq.getAuthURL(); @@ -592,19 +598,20 @@ public class AuthenticationServer extends BaseAuthenticationServer { oaURL = oaURL.replaceAll("&", "&"); authBlock = new AuthenticationBlockAssertionBuilder() - .buildAuthBlockSSO(issuer, issueInstant, authURL, requestedTarget, - targetFriendlyName, identificationValue, - identificationType, oaURL, gebDat, - extendedSAMLAttributes, session, oaParam); - + .buildAuthBlockSSO(issuer, issueInstant, authURL, + oaURL, gebDat, + extendedSAMLAttributes, session, oaParam, authBlockTextPatterns); } else { String oaURL = oaParam.getPublicURLPrefix().replaceAll("&", "&"); authBlock = new AuthenticationBlockAssertionBuilder() - .buildAuthBlock(issuer, issueInstant, authURL, requestedTarget, - targetFriendlyName, identificationValue, - identificationType, oaURL, gebDat, - extendedSAMLAttributes, session, oaParam); + .buildAuthBlock(issuer, issueInstant, authURL, + identificationValue, + identificationType, + gebDat, + oaURL, + identificationTypeFriendlyName, + extendedSAMLAttributes, session, oaParam, authBlockTextPatterns); } @@ -1062,9 +1069,10 @@ public class AuthenticationServer extends BaseAuthenticationServer { Element valueBpK = mandatePerson.getOwnerDocument().createElementNS( Constants.PD_NS_URI, "Value"); - String bpkBase64 = new BPKBuilder().buildBPK(baseid, target); + Pair<String, String> targedId = new BPKBuilder().generateAreaSpecificPersonIdentifier(baseid, target); + valueBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode( - bpkBase64)); + targedId.getFirst())); Element typeBpK = mandatePerson.getOwnerDocument().createElementNS( Constants.PD_NS_URI, "Type"); typeBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode( diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java index ecc91991e..80702795b 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java @@ -28,7 +28,11 @@ import java.io.StringWriter; import java.text.MessageFormat; import java.text.SimpleDateFormat; import java.util.Calendar; +import java.util.HashMap; +import java.util.Iterator; import java.util.List; +import java.util.Map; +import java.util.Map.Entry; import javax.xml.bind.DatatypeConverter; import javax.xml.transform.Result; @@ -46,7 +50,9 @@ import org.w3c.dom.Node; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttributeImpl; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.ParseException; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.commons.api.data.ExtendedSAMLAttribute; import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; @@ -126,6 +132,15 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion public static final int NUM_OF_SAML_ATTRIBUTES = 5; public static final int NUM_OF_SAML_ATTRIBUTES_SSO = 4; + public static final String bPKwbPKNSDECLARATION = " xmlns:pr=\"" + PD_NS_URI + "\""; + + public static final String AUTHBLOCK_TEXT_PATTERN_NAME = "#NAME#"; + public static final String AUTHBLOCK_TEXT_PATTERN_BIRTHDAY = "#BIRTHDAY#"; + public static final String AUTHBLOCK_TEXT_PATTERN_DATE = "#DATE#"; + public static final String AUTHBLOCK_TEXT_PATTERN_TIME = "#TIME#"; + + public static final String PENDING_REQ_AUTHBLOCK_TEXT_KEY = "specialAuthBlockTextKeyValueMap"; + /** * Constructor for AuthenticationBlockAssertionBuilder. */ @@ -133,322 +148,210 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion super(); } + public static Map<String, String> generateSpezialAuthBlockPatternMap(IRequest pendingReq, String issuer, String gebDat, String issueInstant) { + Map<String, String> result = new HashMap<String, String>(); + + //convert issueInstant + Calendar datetime = DatatypeConverter.parseDateTime(issueInstant); + SimpleDateFormat dateformat = new SimpleDateFormat("dd.MM.yyyy"); + SimpleDateFormat timeformat = new SimpleDateFormat("HH:mm:ss"); + + //set default values + result.put(AUTHBLOCK_TEXT_PATTERN_NAME, issuer); + result.put(AUTHBLOCK_TEXT_PATTERN_BIRTHDAY, gebDat); + result.put(AUTHBLOCK_TEXT_PATTERN_DATE, dateformat.format(datetime.getTime())); + result.put(AUTHBLOCK_TEXT_PATTERN_TIME, timeformat.format(datetime.getTime())); + + //set other values from pendingReq if exists + Map<?,?> processSpecificElements = pendingReq.getGenericData(PENDING_REQ_AUTHBLOCK_TEXT_KEY, Map.class); + if (processSpecificElements != null && !processSpecificElements.isEmpty()) { + Logger.debug("Find process-specific patterns for 'special AuthBlock-Text'. Start processing ..."); + Iterator<?> mapIterator = processSpecificElements.entrySet().iterator(); + while (mapIterator.hasNext()) { + Object objEl = mapIterator.next(); + if (objEl instanceof Entry<?, ?>) { + try { + @SuppressWarnings("unchecked") + Entry<String, String> el = (Entry<String, String>) objEl; + Logger.trace(" Add pattern-> Key: " + el.getKey() + " Value:" + el.getValue()); + if (result.containsKey(el.getKey())) + Logger.warn(" Can not add pattern: " + el.getKey() + " , because it already exists."); + else + result.put(el.getKey(), el.getValue()); + + } catch (Exception e) { + Logger.warn("A pendingReq. specific 'special AuthBlock-Text' element has a suspect type. Ignore it!", e); + + } + } + } + } + + return result; + } + + /** - * Builds the authentication block <code><saml:Assertion></code> - * - * @param issuer authentication block issuer; <code>"GivenName FamilyName"</code> - * @param issueInstant current timestamp - * @param authURL URL of MOA-ID authentication component - * @param target "Geschäftsbereich"; maybe <code>null</code> if the application - * is a business application - * @param identityLinkValue the content of the <code><pr:Value></code> - * child element of the <code><pr:Identification></code> - * element derived from the Identitylink; this is the - * value of the <code>wbPK</code>; - * maybe <code>null</code> if the application is a public service - * @param identityLinkType the content of the <code><pr:Type></code> - * child element of the <code><pr:Identification></code> - * element derived from the Identitylink; this includes the - * URN prefix and the identification number of the business - * application used as input for wbPK computation; - * maybe <code>null</code> if the application is a public service - * @param oaURL public URL of online application requested - * @param gebDat The date of birth from the identity link. - * @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock. * - * @return String representation of authentication block - * <code><saml:Assertion></code> built - * - * @throws BuildException If an error occurs on serializing an extended SAML attribute - * to be appended to the AUTH-Block. + * @param issuer + * @param issueInstant + * @param authURL + * @param sectorSpecificUniqueId + * @param sectorSpecificUniqueIdType + * @param gebDat + * @param oaURL + * @param spTargetAreaFriendlyName + * @param extendedSAMLAttributes + * @param session + * @param oaParam + * @return + * @throws BuildException + * @throws ConfigurationException */ public String buildAuthBlock( String issuer, String issueInstant, - String authURL, - String target, - String targetFriendlyName, - String identityLinkValue, - String identityLinkType, - String oaURL, - String gebDat, + String authURL, + String sectorSpecificUniqueId, + String sectorSpecificUniqueIdType, + String gebDat, + String oaURL, + String spTargetAreaFriendlyName, List<ExtendedSAMLAttribute> extendedSAMLAttributes, IAuthenticationSession session, - IOAAuthParameters oaParam) - throws BuildException - - { - session.setSAMLAttributeGebeORwbpk(true); - String gebeORwbpk = ""; - String wbpkNSDeclaration = ""; - - if (target == null) { - - // OA is a business application - if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) { - // Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator - gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); - wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; + IOAAuthParameters oaParam, + Map<String, String> specialAuthBlockTextPatterns) + throws BuildException, ConfigurationException { + + //initialize state + session.setSAMLAttributeGebeORwbpk(true); + String usedwbPKbPKNamespaceDeclaration = org.apache.commons.lang3.StringUtils.EMPTY; + String publicSectorIdOrwbPK = org.apache.commons.lang3.StringUtils.EMPTY; + + + if (!sectorSpecificUniqueIdType.startsWith(MOAIDAuthConstants.PREFIX_CDID)) { + //service provider has not an sector Id from Austrian public-domain --> build AuthBlock like a wbPK + + if (!Constants.URN_PREFIX_HPI.equals(sectorSpecificUniqueIdType)) { + //Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator + publicSectorIdOrwbPK = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] {sectorSpecificUniqueId, sectorSpecificUniqueIdType}); + usedwbPKbPKNamespaceDeclaration = bPKwbPKNSDECLARATION; - //adding type of wbPK domain identifier - ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute = - new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", oaParam.getIdentityLinkDomainIdentifierType(), Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); + //adding type of wbPK domain identifier + ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute = + new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", spTargetAreaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute); + extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute); - } else { - // We do not have a wbPK, therefore no SAML-Attribute is provided - session.setSAMLAttributeGebeORwbpk(false); - } + } else { + // We do not have a wbPK, therefore no SAML-Attribute is provided + session.setSAMLAttributeGebeORwbpk(false); + + } + } else { + // OA is a govermental application + + //convert sector identifier into friendly name and add it to AuthBlock + String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(sectorSpecificUniqueIdType); + if (StringUtils.isEmpty(sectorName)) { + if (spTargetAreaFriendlyName != null) + sectorName = spTargetAreaFriendlyName; + + } + publicSectorIdOrwbPK = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, + new Object[] {sectorSpecificUniqueIdType.substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")" }); - } else { - // OA is a govermental application - String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target); - if (StringUtils.isEmpty(sectorName)) { - if (targetFriendlyName != null) - sectorName = targetFriendlyName; - } - - - //gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target }); - gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target + " (" + sectorName + ")" }); - - //no business service, adding bPK - if (identityLinkValue != null) { - Element bpkSamlValueElement; - try { - bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { identityLinkValue, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement(); - } catch (Exception e) { - Logger.error("Error on building AUTH-Block: " + e.getMessage()); - throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); - } - - // String s = xmlToString(bpkSamlValueElement); - // System.out.println("bpkSamlValueElement: " + s); - - ExtendedSAMLAttribute bpkAttribute = - new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - extendedSAMLAttributes.add(bpkAttribute); - } - - boolean useMandate = session.isMandateUsed(); - if (useMandate) { - //String mandateReferenceValue = Random.nextRandom(); - String mandateReferenceValue = Random.nextProcessReferenceValue(); - // remove leading "-" - if (mandateReferenceValue.startsWith("-")) - mandateReferenceValue = mandateReferenceValue.substring(1); - - session.setMandateReferenceValue(mandateReferenceValue); - - ExtendedSAMLAttribute mandateReferenceValueAttribute = - new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK); - - extendedSAMLAttributes.add(mandateReferenceValueAttribute); - } - - - - //gebeORwbpk = gebeORwbpk + MessageFormat.format(BPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); - wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; - } - - //adding friendly name of OA - String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName(); - - ExtendedSAMLAttribute oaFriendlyNameAttribute = - new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - - extendedSAMLAttributes.add(oaFriendlyNameAttribute); + //add bPK to AuthBlock if it is not empty + if (MiscUtil.isNotEmpty(sectorSpecificUniqueId)) { + Element bpkSamlValueElement; + try { + bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { sectorSpecificUniqueId, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement(); + + } catch (Exception e) { + Logger.error("Error on building AUTH-Block: " + e.getMessage()); + throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); + + } + + ExtendedSAMLAttribute bpkAttribute = + new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); + extendedSAMLAttributes.add(bpkAttribute); + } + + usedwbPKbPKNamespaceDeclaration = bPKwbPKNSDECLARATION; + } + //check if mandates should be used + if (session.isMandateUsed()) { + + //generate mandate reference value + String mandateReferenceValue = Random.nextProcessReferenceValue(); + session.setMandateReferenceValue(mandateReferenceValue); + + ExtendedSAMLAttribute mandateReferenceValueAttribute = + new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK); + + extendedSAMLAttributes.add(mandateReferenceValueAttribute); + } + + //adding friendly name of OA + String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName(); + ExtendedSAMLAttribute oaFriendlyNameAttribute = + new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); + extendedSAMLAttributes.add(oaFriendlyNameAttribute); - String text = ""; - if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) { - Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix()); - text = oaParam.getAditionalAuthBlockText(); - } - String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, - new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) }); + //generate special AuthBlock text + String text = ""; + if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) { + Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix()); + text = oaParam.getAditionalAuthBlockText(); + } + String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, + new Object[] { generateSpecialText(text, specialAuthBlockTextPatterns) }); - //generate unique AuthBlock tokken - String uniquetokken = Random.nextRandom(); - session.setAuthBlockTokken(uniquetokken); + + //generate unique AuthBlock tokken + String uniquetokken = Random.nextProcessReferenceValue(); + session.setAuthBlockTokken(uniquetokken); String assertion; try { assertion = MessageFormat.format( AUTH_BLOCK, new Object[] { - wbpkNSDeclaration, + usedwbPKbPKNamespaceDeclaration, issuer, issueInstant, authURL, - gebeORwbpk, + publicSectorIdOrwbPK, oaURL, gebDat, specialText, - MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE, - new Object[] { uniquetokken }), + MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE, new Object[] {uniquetokken}), buildExtendedSAMLAttributes(extendedSAMLAttributes)}); - } catch (ParseException e) { - Logger.error("Error on building AUTH-Block: " + e.getMessage()); - throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); - } - - return assertion; - - } - - /** - * Builds the authentication block <code><saml:Assertion></code> - * - * @param issuer authentication block issuer; <code>"GivenName FamilyName"</code> - * @param issueInstant current timestamp - * @param authURL URL of MOA-ID authentication component - * @param target "Geschäftsbereich"; maybe <code>null</code> if the application - * is a business application - * @param identityLinkValue the content of the <code><pr:Value></code> - * child element of the <code><pr:Identification></code> - * element derived from the Identitylink; this is the - * value of the <code>wbPK</code>; - * maybe <code>null</code> if the application is a public service - * @param identityLinkType the content of the <code><pr:Type></code> - * child element of the <code><pr:Identification></code> - * element derived from the Identitylink; this includes the - * URN prefix and the identification number of the business - * application used as input for wbPK computation; - * maybe <code>null</code> if the application is a public service - * @param oaURL public URL of online application requested - * @param gebDat The date of birth from the identity link. - * @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock. - * - * @return String representation of authentication block - * <code><saml:Assertion></code> built - * - * @throws BuildException If an error occurs on serializing an extended SAML attribute - * to be appended to the AUTH-Block. - */ - public String buildAuthBlockForeignID( - String issuer, - String issueInstant, - String authURL, - String target, - String identityLinkValue, - String identityLinkType, - String oaURL, - String gebDat, - List<ExtendedSAMLAttribute> extendedSAMLAttributes, - IAuthenticationSession session, - IOAAuthParameters oaParam) - throws BuildException - { - session.setSAMLAttributeGebeORwbpk(true); - String gebeORwbpk = ""; - String wbpkNSDeclaration = ""; - - if (target == null) { - // OA is a business application - if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) { - // Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator - gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); - wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; - - //BZ.., adding type of wbPK domain identifier - ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute = - new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", oaParam.getIdentityLinkDomainIdentifierType(), Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - - extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute); - //..BZ - - } else { - // We do not have a wbPK, therefore no SAML-Attribute is provided - session.setSAMLAttributeGebeORwbpk(false); - } - } else { - // OA is a govermental application - //BZ.. - String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target); - //gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target }); - gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target + " (" + sectorName + ")" }); - //..BZ - - //BZ.., no business service, adding bPK - Element bpkSamlValueElement; - try { - bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { identityLinkValue, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement(); - } catch (Exception e) { - Logger.error("Error on building AUTH-Block: " + e.getMessage()); - throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); - } - - ExtendedSAMLAttribute bpkAttribute = - new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - - extendedSAMLAttributes.add(bpkAttribute); - //gebeORwbpk = gebeORwbpk + MessageFormat.format(BPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); - wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; - //..BZ - } - - //BZ.., adding friendly name of OA - String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName(); - - ExtendedSAMLAttribute oaFriendlyNameAttribute = - new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - - extendedSAMLAttributes.add(oaFriendlyNameAttribute); - //..BZ - - String text = ""; - if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) { - Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix()); - text = oaParam.getAditionalAuthBlockText(); - } - - String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, - new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) }); - - //generate unique AuthBlock tokken - String uniquetokken = Random.nextRandom(); - session.setAuthBlockTokken(uniquetokken); - - String assertion; - try { - assertion = MessageFormat.format( - AUTH_BLOCK, new Object[] { - wbpkNSDeclaration, - issuer, - issueInstant, - authURL, - gebeORwbpk, - oaURL, - gebDat, - specialText, - MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE, - new Object[] { uniquetokken }), - buildExtendedSAMLAttributes(extendedSAMLAttributes)}); } catch (ParseException e) { Logger.error("Error on building AUTH-Block: " + e.getMessage()); throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); + } return assertion; } - public static String generateSpecialText(String inputtext, String issuer, String gebDat, String issueInstant) { - Calendar datetime = DatatypeConverter.parseDateTime(issueInstant); - SimpleDateFormat dateformat = new SimpleDateFormat("dd.MM.yyyy"); - SimpleDateFormat timeformat = new SimpleDateFormat("HH:mm:ss"); - - String text = inputtext.replaceAll("#NAME#", issuer); - text = text.replaceAll("#BIRTHDAY#", gebDat); - text = text.replaceAll("#DATE#", dateformat.format(datetime.getTime())); - text = text.replaceAll("#TIME#", timeformat.format(datetime.getTime())); - - return text; + public static String generateSpecialText(String inputtext, Map<String, String> specialAuthBlockTextPatterns) { + Iterator<Entry<String, String>> it = specialAuthBlockTextPatterns.entrySet().iterator(); + String text = inputtext; + while (it.hasNext()) { + Entry<String, String> el = it.next(); + text = text.replaceAll(el.getKey(), el.getValue()); + + } + + return text; + } public static String xmlToString(Node node) { @@ -472,65 +375,52 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion String issuer, String issueInstant, String authURL, - String target, - String targetFriendlyName, - String identityLinkValue, - String identityLinkType, String oaURL, String gebDat, List<ExtendedSAMLAttribute> extendedSAMLAttributes, IAuthenticationSession session, - IOAAuthParameters oaParam) + IOAAuthParameters oaParam, + Map<String, String> specialAuthBlockTextPatterns) throws BuildException { session.setSAMLAttributeGebeORwbpk(true); String gebeORwbpk = ""; String wbpkNSDeclaration = ""; - - if (target != null) { - - boolean useMandate = session.isMandateUsed(); - if (useMandate) { - //String mandateReferenceValue = Random.nextRandom(); - String mandateReferenceValue = Random.nextProcessReferenceValue(); - // remove leading "-" - if (mandateReferenceValue.startsWith("-")) - mandateReferenceValue = mandateReferenceValue.substring(1); - - session.setMandateReferenceValue(mandateReferenceValue); + + //add mandate reference-value if mandates are used + if (session.isMandateUsed()) { + String mandateReferenceValue = Random.nextProcessReferenceValue(); + session.setMandateReferenceValue(mandateReferenceValue); - ExtendedSAMLAttribute mandateReferenceValueAttribute = - new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK); + ExtendedSAMLAttribute mandateReferenceValueAttribute = + new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK); - extendedSAMLAttributes.add(mandateReferenceValueAttribute); - } + extendedSAMLAttributes.add(mandateReferenceValueAttribute); } + //adding friendly name of OA String friendlyname; try { - friendlyname = AuthConfigurationProviderFactory.getInstance().getSSOFriendlyName(); - - ExtendedSAMLAttribute oaFriendlyNameAttribute = - new ExtendedSAMLAttributeImpl("oaFriendlyName", friendlyname, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - - extendedSAMLAttributes.add(oaFriendlyNameAttribute); - - - String text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText(); + friendlyname = AuthConfigurationProviderFactory.getInstance().getSSOFriendlyName(); + ExtendedSAMLAttribute oaFriendlyNameAttribute = + new ExtendedSAMLAttributeImpl("oaFriendlyName", friendlyname, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); + extendedSAMLAttributes.add(oaFriendlyNameAttribute); + + //generate special AuthBlock text + String text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText(); if (MiscUtil.isEmpty(text)) text=""; String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, - new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) }); + new Object[] { generateSpecialText(text, specialAuthBlockTextPatterns) }); + //generate unique AuthBlock tokken - String uniquetokken = Random.nextRandom(); + String uniquetokken = Random.nextProcessReferenceValue(); session.setAuthBlockTokken(uniquetokken); - String assertion; - - assertion = MessageFormat.format( + String assertion = MessageFormat.format( AUTH_BLOCK, new Object[] { wbpkNSDeclaration, issuer, diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java index 608f50200..88a235978 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java @@ -120,12 +120,11 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask { //get Target from config or from request in case of SAML 1 String target = null; - if (MiscUtil.isNotEmpty(pendingReq.getGenericData("target", String.class)) && + if (MiscUtil.isNotEmpty(pendingReq.getGenericData("saml1_target", String.class)) && pendingReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol")) - target = pendingReq.getGenericData("target", String.class); - else - target = oaParam.getTarget(); - + target = pendingReq.getGenericData("saml1_target", String.class); + + String bkuURL = oaParam.getBKUURL(bkuid); if (MiscUtil.isEmpty(bkuURL)) { Logger.info("No OA specific BKU defined. Use BKU from default configuration"); diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java index 975dec429..d2fd4d1de 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java @@ -35,7 +35,6 @@ import org.w3c.dom.Element; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MISSimpleClientException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; @@ -100,14 +99,7 @@ public class PrepareGetMISMandateTask extends AbstractAuthServletTask { byte[] authBlock = moasession.getAuthBlock().getBytes("UTF-8"); //TODO: check in case of SSO!!! - String targetType = null; - if(oaParam.getBusinessService()){ - targetType = oaParam.getIdentityLinkDomainIdentifier(); - - } else { - targetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget(); - - } + String targetType = oaParam.getAreaSpecificTargetIdentifier(); revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), pendingReq, MOAIDEventConstants.AUTHPROCESS_MANDATE_SERVICE_REQUESTED, mandateReferenceValue); diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index a227ab5be..da96bfe54 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -57,8 +57,10 @@ import org.jaxen.SimpleNamespaceContext; import org.w3c.dom.Element; import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder; +import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.data.SAMLAttribute; +import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.ValidateException; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; @@ -69,6 +71,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.MiscUtil; @@ -128,42 +131,46 @@ public class CreateXMLSignatureResponseValidator { * @param session * @param pendingReq * @throws ValidateException + * @throws BuildException + * @throws ConfigurationException */ public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq) - throws ValidateException { + throws ValidateException, BuildException, ConfigurationException { // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); - - String gbTarget = pendingReq.getGenericData( - MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); - String targetFriendlyName = pendingReq.getGenericData( - MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class); String oaURL = oaParam.getPublicURLPrefix(); - boolean businessService = oaParam.getBusinessService(); - IIdentityLink identityLink = session.getIdentityLink(); + @Deprecated + String saml1RequestedTarget = pendingReq.getGenericData( + MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); + @Deprecated + String saml1RequestedFriendlyName = pendingReq.getGenericData( + MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class); + + Element samlAssertion = createXMLSignatureResponse.getSamlAssertion(); + + //validate issuer String issuer = samlAssertion.getAttribute("Issuer"); if (issuer == null) { // should not happen, because parser would dedect this throw new ValidateException("validator.32", null); } // replace ' in name with ' - issuer = issuer.replaceAll("'", "'"); + issuer = issuer.replaceAll("'", "'"); + if (!issuer.equals(identityLink.getName())) + throw new ValidateException("validator.33", new Object[] {issuer, identityLink.getName()}); + + //validate issuerInstant String issueInstant = samlAssertion.getAttribute("IssueInstant"); - if (!issueInstant.equals(session.getIssueInstant())) { - throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()}); - } + if (!issueInstant.equals(session.getIssueInstant())) + throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()}); - String name = identityLink.getName(); - if (!issuer.equals(name)) { - throw new ValidateException("validator.33", new Object[] {issuer, name}); - } - + //validate extended attributes SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes(); boolean foundOA = false; @@ -171,241 +178,253 @@ public class CreateXMLSignatureResponseValidator { boolean foundWBPK = false; int offset = 0; - // check number of SAML aatributes + // check number of SAML attributes List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); int extendedSAMLAttributesNum = 0; if (extendedSAMLAttributes != null) { - extendedSAMLAttributesNum = extendedSAMLAttributes.size(); + extendedSAMLAttributesNum = extendedSAMLAttributes.size(); } - int expectedSAMLAttributeNumber = - AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum; + int expectedSAMLAttributeNumber = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum; + + //remove one attribute from expected attributes if public SP target or wbPK is not part of AuthBlock if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--; + + //check number of attributes in AuthBlock response against expected number of attributes int actualSAMLAttributeNumber = samlAttributes.length; if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) { - Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " + - expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber); - throw new ValidateException( - "validator.36", - new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)}); + Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " + + expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber); + throw new ValidateException("validator.36", + new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)}); + } - SAMLAttribute samlAttribute; - if (session.getSAMLAttributeGebeORwbpk()) { - // check the first attribute ("Geschaeftsbereich" or "wbPK") - samlAttribute = samlAttributes[0]; - if (businessService) { - if (!samlAttribute.getName().equals("wbPK")) { - if (samlAttribute.getName().equals("Geschaeftsbereich")) { - throw new ValidateException("validator.26", null); - } else { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)}); - } - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - foundWBPK = true; - try { - Element attrValue = (Element)samlAttribute.getValue(); - String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue(); - String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue(); - if (!value.equals(identityLink.getIdentificationValue())) { - throw new ValidateException("validator.28", null); - } - if (!type.equals(identityLink.getIdentificationType())) { - throw new ValidateException("validator.28", null); - } - } catch (Exception ex) { - throw new ValidateException("validator.29", null); - } - } else { - throw new ValidateException("validator.30", null); - } - } else { - if (!samlAttribute.getName().equals("Geschaeftsbereich")) { - if (samlAttribute.getName().equals("wbPK")) { - throw new ValidateException("validator.26", null); - } else { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)}); - } - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - foundGB = true; - String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(gbTarget); - if (StringUtils.isEmpty(sectorName)) { - if (targetFriendlyName != null) - sectorName = targetFriendlyName; - } - gbTarget = gbTarget + " (" + sectorName + ")"; - //gbTarget = gbTarget + " (" + TargetToSectorNameMapper.getSectorNameViaTarget(gbTarget) + ")"; + //now check every single attribute + SAMLAttribute samlAttribute = null; + Pair<String, String> userSectorId = null; + if (session.getSAMLAttributeGebeORwbpk()) { + //check the first attribute ("Geschaeftsbereich" or "wbPK") + samlAttribute = samlAttributes[0]; + + //calculate bPK or wbPK as reference value for validation + if (MiscUtil.isNotEmpty(saml1RequestedTarget)) + userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier( + identityLink.getIdentificationValue(), identityLink.getIdentificationType(), + saml1RequestedTarget); + else + userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier( + identityLink.getIdentificationValue(), identityLink.getIdentificationType(), + oaParam.getAreaSpecificTargetIdentifier()); + + //every sector specific identifier that has not 'urn:publicid:gv.at:cdid+' as prefix + // is internally handled as an AuthBlock with wbPK + if (!userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) { + if (!samlAttribute.getName().equals("wbPK")) { + if (samlAttribute.getName().equals("Geschaeftsbereich")) { + throw new ValidateException("validator.26", null); + + } else { + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)}); + } + } + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + foundWBPK = true; + try { + Element attrValue = (Element)samlAttribute.getValue(); + String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue(); + String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue(); + if (!value.equals(userSectorId.getFirst())) + throw new ValidateException("validator.28", null); - if (!gbTarget.equals((String)samlAttribute.getValue())) { - throw new ValidateException("validator.13", null); - } - } else { - throw new ValidateException("validator.12", null); - } - } - } else { - offset--; - } + if (!type.equals(userSectorId.getSecond())) + throw new ValidateException("validator.28", null); + + } catch (Exception ex) { + throw new ValidateException("validator.29", null); + } + + } else + throw new ValidateException("validator.30", null); + + } else { + if (!samlAttribute.getName().equals("Geschaeftsbereich")) { + if (samlAttribute.getName().equals("wbPK")) + throw new ValidateException("validator.26", null); + + else + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)}); + } + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + foundGB = true; + + String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(userSectorId.getSecond()); + if (StringUtils.isEmpty(sectorName)) { + if (saml1RequestedFriendlyName != null) + sectorName = saml1RequestedFriendlyName; + else + sectorName = oaParam.getAreaSpecificTargetIdentifierFriendlyName(); + } + + String refValueSector = userSectorId.getSecond().substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")"; + if (!refValueSector.equals((String)samlAttribute.getValue())) + throw new ValidateException("validator.13", null); + + } else + throw new ValidateException("validator.12", null); + + } + + } else + //check nothing if wbPK or public SP target is not part of AuthBlock + offset--; + + // check the second attribute (must be "OA") + samlAttribute = samlAttributes[1 + offset]; + if (!samlAttribute.getName().equals("OA")) + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)}); + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + foundOA = true; + if (!oaURL.equals((String)samlAttribute.getValue())) + throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()}); + + } else + throw new ValidateException("validator.15", null); - // check the second attribute (must be "OA") - samlAttribute = samlAttributes[1 + offset]; - if (!samlAttribute.getName().equals("OA")) { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)}); - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - foundOA = true; - if (!oaURL.equals((String)samlAttribute.getValue())) { // CHECKS für die AttributeVALUES fehlen noch - throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()}); - } - } else { - throw new ValidateException("validator.15", null); - } - // check the third attribute (must be "Geburtsdatum") - samlAttribute = samlAttributes[2 + offset]; - if (!samlAttribute.getName().equals("Geburtsdatum")) { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)}); - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - String samlDateOfBirth = (String)samlAttribute.getValue(); - String dateOfBirth = identityLink.getDateOfBirth(); - if (!samlDateOfBirth.equals(dateOfBirth)) { - throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth}); - } - } else { - throw new ValidateException("validator.35", null); - } + // check the third attribute (must be "Geburtsdatum") + samlAttribute = samlAttributes[2 + offset]; + if (!samlAttribute.getName().equals("Geburtsdatum")) + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)}); + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + String samlDateOfBirth = (String)samlAttribute.getValue(); + String dateOfBirth = identityLink.getDateOfBirth(); + if (!samlDateOfBirth.equals(dateOfBirth)) + throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth}); + + } else + throw new ValidateException("validator.35", null); - // check four attribute could be a special text - samlAttribute = samlAttributes[3 + offset]; - if (!samlAttribute.getName().equals("SpecialText")) { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)}); - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - String samlSpecialText = (String)samlAttribute.getValue(); - samlSpecialText = samlSpecialText.replaceAll("'", "'"); + // check four attribute could be a special text + samlAttribute = samlAttributes[3 + offset]; + if (!samlAttribute.getName().equals("SpecialText")) + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)}); + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + String samlSpecialText = (String)samlAttribute.getValue(); + samlSpecialText = samlSpecialText.replaceAll("'", "'"); - String text = ""; - if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) { - Logger.info("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix()); - text = oaParam.getAditionalAuthBlockText(); - } + String text = ""; + if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) { + Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix()); + text = oaParam.getAditionalAuthBlockText(); + + } - String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant); - if (!samlSpecialText.equals(specialText)) { - throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); - } - } else { - throw new ValidateException("validator.35", null); + String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, + AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap( + pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant)); + if (!samlSpecialText.equals(specialText)) + throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); + + } else + throw new ValidateException("validator.35", null); - } - - - //check unique AuthBlock tokken - samlAttribute = samlAttributes[4 + offset]; - if (!samlAttribute.getName().equals("UniqueTokken")) { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)}); - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - String uniquetokken = (String)samlAttribute.getValue(); + + //check unique AuthBlock tokken + samlAttribute = samlAttributes[4 + offset]; + if (!samlAttribute.getName().equals("UniqueTokken")) + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)}); + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + String uniquetokken = (String)samlAttribute.getValue(); - if (!uniquetokken.equals(session.getAuthBlockTokken())) { - throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()}); - } - } else { - throw new ValidateException("validator.35", null); - } - - - // now check the extended SAML attributes - int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset; - if (extendedSAMLAttributes != null) { - Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator(); - while (it.hasNext()) { - ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next(); - samlAttribute = samlAttributes[i]; - String actualName = samlAttribute.getName(); - String expectedName = extendedSAMLAttribute.getName(); - if (!actualName.equals(expectedName)) { - throw new ValidateException( - "validator.38", - new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName }); - } - String actualNamespace = samlAttribute.getNamespace(); - String expectedNamespace = extendedSAMLAttribute.getNameSpace(); - if (!actualNamespace.equals(expectedNamespace)) { - throw new ValidateException( - "validator.38", - new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, }); - } - Object expectedValue = extendedSAMLAttribute.getValue(); - Object actualValue = samlAttribute.getValue(); - try { - if (expectedValue instanceof String) { - // replace \r\n because text might be base64-encoded - String expValue = StringUtils.replaceAll((String)expectedValue,"\r",""); - expValue = StringUtils.replaceAll(expValue,"\n",""); - String actValue = StringUtils.replaceAll((String)actualValue,"\r",""); - actValue = StringUtils.replaceAll(actValue,"\n",""); - if (!expValue.equals(actValue)) { - throw new ValidateException( - "validator.38", - new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue }); - } - } else if (expectedValue instanceof Element) { - // only check the name of the element - String actualElementName = ((Element)actualValue).getNodeName(); - String expectedElementName = ((Element)expectedValue).getNodeName(); - if (!(expectedElementName.equals(actualElementName))){ - throw new ValidateException( - "validator.38", - new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName}); - } - } else { - // should not happen - throw new ValidateException( - "validator.38", - new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()}); - } - } catch (ClassCastException e) { - throw new ValidateException( - "validator.38", - new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()}); - } - i++; - } - } - + if (!uniquetokken.equals(session.getAuthBlockTokken())) + throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()}); + } else + throw new ValidateException("validator.35", null); - if (!foundOA) throw new ValidateException("validator.14", null); - if (businessService) { - if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK) throw new ValidateException("validator.31", null); - } else { - if (!foundGB) throw new ValidateException("validator.11", null); - } + + // now check the extended SAML attributes + int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset; + if (extendedSAMLAttributes != null) { + Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator(); + while (it.hasNext()) { + ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next(); + samlAttribute = samlAttributes[i]; + String actualName = samlAttribute.getName(); + String expectedName = extendedSAMLAttribute.getName(); + if (!actualName.equals(expectedName)) + throw new ValidateException("validator.38", + new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName }); + + String actualNamespace = samlAttribute.getNamespace(); + String expectedNamespace = extendedSAMLAttribute.getNameSpace(); + if (!actualNamespace.equals(expectedNamespace)) + throw new ValidateException("validator.38", + new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, }); + + Object expectedValue = extendedSAMLAttribute.getValue(); + Object actualValue = samlAttribute.getValue(); + try { + if (expectedValue instanceof String) { + // replace \r\n because text might be base64-encoded + String expValue = StringUtils.replaceAll((String)expectedValue,"\r",""); + expValue = StringUtils.replaceAll(expValue,"\n",""); + String actValue = StringUtils.replaceAll((String)actualValue,"\r",""); + actValue = StringUtils.replaceAll(actValue,"\n",""); + if (!expValue.equals(actValue)) + throw new ValidateException("validator.38", + new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue }); + + } else if (expectedValue instanceof Element) { + // only check the name of the element + String actualElementName = ((Element)actualValue).getNodeName(); + String expectedElementName = ((Element)expectedValue).getNodeName(); + if (!(expectedElementName.equals(actualElementName))) + throw new ValidateException("validator.38", + new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName}); + + } else + // should not happen + throw new ValidateException("validator.38", + new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()}); + + } catch (ClassCastException e) { + throw new ValidateException("validator.38", + new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()}); + } + + i++; + } + } + + if (!foundOA) + throw new ValidateException("validator.14", null); + + if (userSectorId != null && !userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) { + if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK) + throw new ValidateException("validator.31", null); + + } else { + if (!foundGB) + throw new ValidateException("validator.11", null); + } - //Check if dsig:Signature exists -// NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature"); -// if (nl.getLength() != 1) { -// throw new ValidateException("validator.05", null); -// } - Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH); - if (dsigSignature == null) { - throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ; - } + //Check if dsig:Signature exists + Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH); + if (dsigSignature == null) + throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ; + } /** @@ -521,7 +540,7 @@ public class CreateXMLSignatureResponseValidator { try { if (MiscUtil.isNotEmpty(AuthConfigurationProviderFactory.getInstance().getSSOSpecialText())) { text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText(); - Logger.info("Use addional AuthBlock Text from SSO=" +text); + Logger.debug("Use addional AuthBlock Text from SSO=" +text); } else @@ -531,7 +550,9 @@ public class CreateXMLSignatureResponseValidator { } - String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant); + String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, + AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap( + pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant)); if (!samlSpecialText.equals(specialText)) { throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); } diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java index 4953dad02..c4ea80df9 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java @@ -183,7 +183,7 @@ public class VerifyXMLSignatureResponseValidator { // to be ignored boolean ignoreManifestValidationResult = false; if (whatToCheck.equals(CHECK_IDENTITY_LINK)) - ignoreManifestValidationResult = (oaParam.getBusinessService()) ? true + ignoreManifestValidationResult = (oaParam.hasBaseIdInternalProcessingRestriction()) ? true : false; if (ignoreManifestValidationResult) { diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java index 55562176d..09c64c267 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java @@ -66,10 +66,10 @@ import org.w3c.dom.NodeList; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.ParseException; -import at.gv.egovernment.moa.id.auth.exception.ValidateException; import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClientException; import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWConstants; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.BoolUtils; import at.gv.egovernment.moa.util.Constants; @@ -688,7 +688,7 @@ public class ParepUtils { * <code>false</code> calculates (w)bPKs and changes also the <code>pr:Identifivation/pr:Type</code> elements. * @return The element where Stammzahlen are hidden. */ - public static Element HideStammZahlen(Element hideElement, boolean businessApplication, String target, String registerID, boolean blank) + public static Element HideStammZahlen(Element hideElement, boolean businessApplication, String oaTargetAreaId, boolean blank) throws BuildException { try { if (hideElement != null) { @@ -706,20 +706,11 @@ public class ParepUtils { } if (blank) { idValueNode.setNodeValue(""); - } else { - String idValue = idValueNode.getNodeValue(); - if (businessApplication) { - // wbPK berechnen - idTypeNode.setNodeValue(Constants.URN_PREFIX_WBPK + "+" + registerID); - String bpkBase64 = new BPKBuilder().buildWBPK(idValueNode.getNodeValue(), registerID); - idValueNode.setNodeValue(bpkBase64); - - } else { - // bPK berechnen - idTypeNode.setNodeValue(Constants.URN_PREFIX_BPK); - String bpkBase64 = new BPKBuilder().buildBPK(idValueNode.getNodeValue(), target); - idValueNode.setNodeValue(bpkBase64); - } + + } else { + Pair<String, String> calcId = new BPKBuilder().generateAreaSpecificPersonIdentifier(idValueNode.getNodeValue(), oaTargetAreaId); + idValueNode.setNodeValue(calcId.getFirst()); + } } } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java index c55b5a749..154006ed8 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java @@ -227,7 +227,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { authnRequestBuilder.levelOfAssuranceComparison(LevelOfAssuranceComparison.MINIMUM); //set correct SPType for this online application - if (oaConfig.getBusinessService()) + if (oaConfig.hasBaseIdTransferRestriction()) authnRequestBuilder.spType(SpType.PRIVATE.getValue()); else authnRequestBuilder.spType(SpType.PUBLIC.getValue()); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java index 4b67370d6..1ce900ebb 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java @@ -270,7 +270,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { //validate request country-code against eIDAS node config String reqCC = samlReq.getOriginCountryCode(); - String eIDASTarget = oaConfig.getIdentityLinkDomainIdentifier(); + String eIDASTarget = oaConfig.getAreaSpecificTargetIdentifier(); //validate eIDAS target Pattern pattern = Pattern.compile("^" + at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java index d65d74c3f..299eb442e 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java @@ -48,6 +48,7 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAuthnRequestBuilder; @@ -150,7 +151,8 @@ public class RequestELGAMandateTask extends AbstractAuthServletTask { String sourcePinType = moasession.getIdentityLink().getIdentificationType(); String sourcePinValue = moasession.getIdentityLink().getIdentificationValue(); if (sourcePinType.startsWith(Constants.URN_PREFIX_BASEID)) { - representativeBPK = new BPKBuilder().buildBPK(sourcePinValue, configTarget); + Pair<String, String> userId = new BPKBuilder().generateAreaSpecificPersonIdentifier(sourcePinValue, configTarget); + representativeBPK = userId.getFirst(); } else { Logger.debug("No 'SourcePin' found for representative. " diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java index 2f6a54027..4ce77d861 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java @@ -75,14 +75,6 @@ public class SSOTransferAuthenticationData implements IAuthData { } /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.data.IAuthData#isBusinessService() - */ - @Override - public boolean isBusinessService() { - return this.isIDPPrivateService; - } - - /* (non-Javadoc) * @see at.gv.egovernment.moa.id.data.IAuthData#isSsoSession() */ @Override @@ -362,4 +354,13 @@ public class SSOTransferAuthenticationData implements IAuthData { return this.authSession.getGenericDataFromSession(key, clazz); } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#isBaseIDTransferRestrication() + */ + @Override + public boolean isBaseIDTransferRestrication() { + return this.isIDPPrivateService; + } + } diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java index 3affa17b3..c2132c1f9 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java @@ -32,6 +32,7 @@ import at.gv.egovernment.moa.id.commons.api.data.CPEPS; import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters; import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute; import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; /** * @author tlenz @@ -42,15 +43,7 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters { public SSOTransferOnlineApplication() { } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService() - */ - @Override - public boolean getBusinessService() { - return false; - } - + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#useSSO() */ @@ -107,33 +100,6 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters { } /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType() - */ - @Override - public String getOaType() { - // TODO Auto-generated method stub - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget() - */ - @Override - public String getTarget() { - // TODO Auto-generated method stub - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTargetFriendlyName() - */ - @Override - public String getTargetFriendlyName() { - // TODO Auto-generated method stub - return null; - } - - /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isInderfederationIDP() */ @Override @@ -151,14 +117,6 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters { return false; } - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier() - */ - @Override - public String getIdentityLinkDomainIdentifier() { - // TODO Auto-generated method stub - return null; - } /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getKeyBoxIdentifier() @@ -226,15 +184,6 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters { } /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType() - */ - @Override - public String getIdentityLinkDomainIdentifierType() { - // TODO Auto-generated method stub - return null; - } - - /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isShowMandateCheckBox() */ @Override @@ -441,4 +390,38 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters { return false; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdInternalProcessingRestriction() + */ + @Override + public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException { + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdTransferRestriction() + */ + @Override + public boolean hasBaseIdTransferRestriction() throws ConfigurationException { + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifier() + */ + @Override + public String getAreaSpecificTargetIdentifier() throws ConfigurationException { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifierFriendlyName() + */ + @Override + public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException { + // TODO Auto-generated method stub + return null; + } + } diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java index d3ebffdfd..9981e8156 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java @@ -38,6 +38,7 @@ import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.URLEncoder; @Service("SAML1_GetArtifactAction") @@ -84,10 +85,12 @@ public class GetArtifactAction implements IAction { String samlArtifactBase64 = saml1server.BuildSAMLArtifact(oaParam, authData, sourceID); + String oaTargetArea = req.getGenericData(SAML1Protocol.REQ_DATA_TARGET, String.class); + if (authData.isSsoSession()) { String url = req.getAuthURL() + "/RedirectServlet"; url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(oaURL, "UTF-8")); - if (!oaParam.getBusinessService()) + if (MiscUtil.isNotEmpty(oaTargetArea)) url = addURLParameter(url, MOAIDAuthConstants.PARAM_TARGET, URLEncoder.encode(req.getGenericData(SAML1Protocol.REQ_DATA_TARGET, String.class), "UTF-8")); url = addURLParameter(url, MOAIDAuthConstants.PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8")); @@ -99,7 +102,7 @@ public class GetArtifactAction implements IAction { } else { String redirectURL = oaURL; - if (!oaParam.getBusinessService()) { + if (MiscUtil.isNotEmpty(oaTargetArea)) { redirectURL = addURLParameter(redirectURL, MOAIDAuthConstants.PARAM_TARGET, URLEncoder.encode(req.getGenericData(SAML1Protocol.REQ_DATA_TARGET, String.class), "UTF-8")); diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index df8f13544..bf4a55e46 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -48,7 +48,6 @@ import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.builder.PersonDataBuilder; import at.gv.egovernment.moa.id.auth.builder.SAMLArtifactBuilder; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.ParseException; @@ -65,6 +64,7 @@ import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.storage.ITransactionStorage; import at.gv.egovernment.moa.id.util.Random; @@ -239,7 +239,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { //set prPersion boolean provideStammzahl = saml1parameter.isProvideStammzahl() - || oaParam.getBusinessService(); + || oaParam.hasBaseIdTransferRestriction(); String prPerson = ""; String ilAssertion = ""; @@ -268,7 +268,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { id.setValue(value ); if ( MiscUtil.isNotEmpty(authData.getIdentificationValue()) && - saml1parameter.isProvideIdentityLink() && !authData.isBusinessService()) { + saml1parameter.isProvideIdentityLink() && !authData.isBaseIDTransferRestrication()) { //add baseID if it is requested and available and SP is publicService value.setValue(authData.getIdentificationValue()); id.setType(authData.getIdentificationType()); @@ -332,7 +332,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { try { ExtendedSAMLAttribute[] extendedSAMLAttributes = addExtendedSamlAttributes( - authData.getMISMandate(), oaParam.getBusinessService(), + authData.getMISMandate(), oaParam.hasBaseIdTransferRestriction(), saml1parameter.isProvideStammzahl()); if (extendedSAMLAttributes != null) { @@ -406,7 +406,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { ilAssertion, authData.getBkuURL(), signerCertificateBase64, - oaParam.getBusinessService(), + oaParam.hasBaseIdTransferRestriction(), oaAttributes, useCondition, conditionLength); @@ -419,7 +419,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { ilAssertion, authData.getBkuURL(), signerCertificateBase64, - oaParam.getBusinessService(), + oaParam.hasBaseIdTransferRestriction(), authData.getExtendedSAMLAttributesOA(), useCondition, conditionLength); @@ -486,27 +486,20 @@ public class SAML1AuthenticationServer extends AuthenticationServer { prPerson = ParepUtils.extractPrPersonOfMandate(mandate); if (physical - && oaParam.getBusinessService() + && oaParam.hasBaseIdTransferRestriction() && identificationType != null && Constants.URN_PREFIX_BASEID .equals(identificationType)) { // now we calculate the wbPK and do so if we got it from the // BKU - - //load IdentityLinkDomainType from OAParam - String type = oaParam.getIdentityLinkDomainIdentifier(); - if (type.startsWith(Constants.URN_PREFIX_WBPK + "+")) - identificationType = type; - else - identificationType = Constants.URN_PREFIX_WBPK + "+" - + type; - - - identificationValue = new BPKBuilder().buildWBPK( - identificationValue, identificationType); - ParepUtils - .HideStammZahlen(prPerson, true, null, null, true); + //load IdentityLinkDomainType from OAParam + Pair<String, String> targedId = new BPKBuilder().generateAreaSpecificPersonIdentifier( + identificationValue, oaParam.getAreaSpecificTargetIdentifier()); + identificationValue = targedId.getFirst(); + identificationType = targedId.getSecond(); + + ParepUtils.HideStammZahlen(prPerson, true, null, true); } } @@ -520,18 +513,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { try { boolean provideStammzahl = oaParam.getSAML1Parameter().isProvideStammzahl(); - String oatargetType; - if(oaParam.getBusinessService()) { - if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) - oatargetType = oaParam.getIdentityLinkDomainIdentifier(); - else - oatargetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_+oaParam.getIdentityLinkDomainIdentifier(); - - } else { - oatargetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget(); - - } - + String oatargetType = oaParam.getAreaSpecificTargetIdentifier(); Element prIdentification = (Element) prPerson. getElementsByTagNameNS(Constants.PD_NS_URI,"Identification").item(0); @@ -544,7 +526,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { String baseid = getBaseId(prPerson); Element identificationBpK; if (MiscUtil.isNotEmpty(baseid)) { - identificationBpK = createIdentificationBPK(prPerson, baseid, oaParam.getTarget()); + identificationBpK = createIdentificationBPK(prPerson, baseid, oatargetType); if (!provideStammzahl) { prIdentification.getFirstChild().setTextContent(""); diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index 37d66d29b..19fadb318 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java @@ -40,6 +40,7 @@ import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters; @@ -118,7 +119,7 @@ public class SAML1Protocol extends AbstractAuthProtocolModulController { //preProcess SAML1 Request preProcess(req, resp, pendingReq); - + performAuthentication(req, resp, pendingReq); return; @@ -190,14 +191,19 @@ public class SAML1Protocol extends AbstractAuthProtocolModulController { if (MiscUtil.isNotEmpty(target)) { pendingRequest.setGenericDataToSession(REQ_DATA_TARGET, target); - pendingRequest.setTarget(target); + pendingRequest.setTarget(MOAIDAuthConstants.PREFIX_CDID + target); + + } else { + String targetArea = oaParam.getAreaSpecificTargetIdentifier(); + pendingRequest.setTarget(targetArea); + + if (targetArea.startsWith(MOAIDAuthConstants.PREFIX_CDID)) + pendingRequest.setGenericDataToSession(REQ_DATA_TARGET, + targetArea.substring(MOAIDAuthConstants.PREFIX_CDID.length())); - } - else { - pendingRequest.setGenericDataToSession(REQ_DATA_TARGET, oaParam.getTarget()); - pendingRequest.setTarget(oaParam.getTarget()); } + //AuthnRequest needs authentication pendingRequest.setNeedAuthentication(true); diff --git a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java index 6372fefa8..a56be1f46 100644 --- a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java +++ b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java @@ -78,7 +78,8 @@ public class IdentityLinkTestModule implements TestModuleInterface { domVerifyXMLSignatureResponse).parseData(); DynamicOAAuthParameters oaParam = new DynamicOAAuthParameters(); - oaParam.setBusinessService(true); + oaParam.setHasBaseIdProcessingRestriction(true); + oaParam.setHasBaseIdTransfergRestriction(true); VerifyXMLSignatureResponseValidator.getInstance().validate( verifyXMLSignatureResponse, |