add check if requested STORK-QAA level matches auth QAA level

5 files changed, 42 insertions, 7 deletions

diff --git a/id/server/doc/handbook/protocol/protocol.html b/id/server/doc/handbook/protocol/protocol.html
index e7658875c..1c6e51661 100644
--- a/id/server/doc/handbook/protocol/protocol.html
+++ b/id/server/doc/handbook/protocol/protocol.html
@@ -632,6 +632,10 @@ Redirect Binding</td>
     <td>1204</td>
     <td>Ein STORK Attribut wei&szlig;t ein fehlerhaftes Format auf.</td>
   </tr>
+  <tr>
+    <td>1205</td>
+    <td>Der geforderte QAA Level ist h&ouml;her als der QAA Level der gew&auml;hlten Authentifizierungsmethode</td>
+  </tr>
 </table>
 <h3><a name="statuscodes_4xxxx" id="allgemeines_zugangspunkte8"></a>1.3.2 Statuscodes 4xxxx</h3>
 <p>Alles Statuscodes beginnend mit der Zahl vier beschreiben Fehler die w&auml;hrend der Kommunikation mit externen Services aufgetreten sind.</p>
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java
index aa018d5a3..d59191c08 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java
@@ -33,6 +33,7 @@ import at.gv.egovernment.moa.id.data.SLOInformationImpl;
 import at.gv.egovernment.moa.id.data.SLOInformationInterface;
 import at.gv.egovernment.moa.id.moduls.IAction;
 import at.gv.egovernment.moa.id.moduls.IRequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.storage.AssertionStorage;
 import at.gv.egovernment.moa.id.util.VelocityProvider;
 import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate;
@@ -110,8 +111,38 @@ public class AuthenticationRequest implements IAction {
                 // Get personal attributtes from MOA/IdentityLink
                 
                 //build STORK attributes from local authentication information
-                if (authData != null)
+                if (authData != null) {
+                	int reqQaa = -1;
+                	int authQaa = -1;
+                	try {
+                		reqQaa = moaStorkRequest.getStorkAuthnRequest().getQaa();
+                		authQaa = Integer.valueOf(
+                				authData.getQAALevel().substring(PVPConstants.STORK_QAA_PREFIX.length()));
+                		
+                		if (reqQaa > authQaa) {
+                			Logger.warn("Requested QAA level does not match to authenticated QAA level");
+                			throw new MOAIDException("stork.21", new Object[]{reqQaa, authQaa});
+                			
+                		}
+                	
+                	} catch (MOAIDException e) {
+                		throw e;
+                		
+                	} catch (Exception e) {
+                		if (Logger.isDebugEnabled())
+                			Logger.warn("STORK QAA Level evaluation error", e);
+                		
+                		else
+                			Logger.warn("STORK QAA Level evaluation error (ErrorMessage=" 
+                					+  e.getMessage() + ")");
+                		
+                		throw new MOAIDException("stork.21", new Object[]{reqQaa, authQaa});
+                		
+                	}
+                	                	
                 	moaStorkResponse.setPersonalAttributeList(populateAttributes(authData, oaParam));
+                	
+                }
             }
 
             //moaStorkResponse.setCountry(moaStorkRequest.getSpCountry());
@@ -452,7 +483,7 @@ public class AuthenticationRequest implements IAction {
 
         IPersonalAttributeList attrLst = moaStorkRequest.getStorkAuthnRequest().getPersonalAttributeList();
         Logger.info("Found " + attrLst.size() + " personal attributes in the request.");
-
+        
         // Define attribute list to be populated
         PersonalAttributeList attributeList = new PersonalAttributeList();
         MOAAttributeProvider moaAttributeProvider = new MOAAttributeProvider(authData, moaStorkRequest);
@@ -470,7 +501,7 @@ public class AuthenticationRequest implements IAction {
             Logger.error("Exception, attributes: " + e.getMessage());
         }
 
-        Logger.debug("AUTHBLOCK " + authData.getAuthBlock());
+        Logger.trace("AUTHBLOCK " + authData.getAuthBlock());
         Logger.debug("SESSION IDENTIFIER " + authData.getCcc() + " " + oaParam.getIdentityLinkDomainIdentifier());
 
         return attributeList;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java
index 88c59ccf9..96aa55bcf 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java
@@ -134,11 +134,9 @@ public class PVPAuthenticationProvider extends AttributeProvider {
         authRequest.setPersonalAttributeList(moastorkRequest.getPersonalAttributeList());
 
         authRequest.setCitizenCountryCode("AT");
-        authRequest.setQaa(oaParam.getQaaLevel());
+        //authRequest.setQaa(oaParam.getQaaLevel());
+       	authRequest.setQaa(moastorkRequest.getStorkAuthnRequest().getQaa());
 
-        if (authRequest.getQaa() == 0 )  {
-        	authRequest.setQaa(4); // workaround
-        }
 
 
 
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 848866090..8fda4566c 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -228,6 +228,7 @@ stork.17=Fehler beim Einholen der Zustimmung f\uFFFDr Attribut\u00FCbertragung d
 stork.18=STORK-SAML Engine konnte nicht initialisiert werden. 

 stork.19=Das erforderliche Attribut ist f\u00FCr naturliche Personen nicht vorhanden\: {0}

 stork.20=Fehler bei der Datenkonversion - eingegebens Datum fehlerhaft

+stork.21=Der angeforderte QAA-level {0} ist h\u00F6her als der QAA-level der Authentifizierung {1}

 

 pvp2.00={0} ist kein gueltiger consumer service index

 pvp2.01=Fehler beim kodieren der PVP2 Antwort

diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
index 27f735028..eeacdc627 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
@@ -172,6 +172,7 @@ stork.17=1203
 stork.18=9004 
 stork.19=1203
 stork.20=1204
+stork.21=1205
 
 pvp2.01=6100
 pvp2.06=6100