authorThomas Lenz <tlenz@iaik.tugraz.at>2016-09-20 16:00:31 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2016-09-20 16:00:31 +0200
commit5f690a9ddc9a28a91e6f78ffebd859be9c4eb430 (patch)
treeb53de02d96729086bc3601594763a49e9db6859f
parenta2555b24a8a956fa2fa65bd69e2cac3227e9405f (diff)
downloadmoa-id-spss-5f690a9ddc9a28a91e6f78ffebd859be9c4eb430.tar.gz
moa-id-spss-5f690a9ddc9a28a91e6f78ffebd859be9c4eb430.tar.bz2
moa-id-spss-5f690a9ddc9a28a91e6f78ffebd859be9c4eb430.zip
fix bug in eIDAS SAML-engine: allow 2 minutes of clock skew (time jitter) when validating the Assertion's Conditions element
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java2
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAEidasProtocolProcesser.java7
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java83
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java20
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/resources/own-saml-eidasnode-config.xml42
5 files changed, 151 insertions, 3 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
index 7664eec86..035a9e7f6 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
@@ -67,7 +67,7 @@ public class Constants {
//timeouts and clock skews
- public static final long CONFIG_PROPS_SKEWTIME = 2 * 60 * 1000; //2 minutes skew time for response validation
+ public static final int CONFIG_PROPS_SKEWTIME = 2 * 60 * 1000; //2 minutes skew time for response validation
public static final int CONFIG_PROPS_METADATA_SOCKED_TIMEOUT = 20 * 1000; //20 seconds metadata socked timeout
public static final long CONFIG_PROPS_METADATA_GARBAGE_TIMEOUT = 7 * 24 * 60 * 60 * 1000; //remove unused eIDAS metadata after 7 days
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAEidasProtocolProcesser.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAEidasProtocolProcesser.java
index f214efc90..c24c5efca 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAEidasProtocolProcesser.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAEidasProtocolProcesser.java
@@ -32,6 +32,8 @@ import eu.eidas.auth.engine.metadata.MetadataSignerI;
*/
public class MOAEidasProtocolProcesser extends EidasProtocolProcessor {
+ private static final String OWN_EIDAS_RESPONSE_VALIDATOR_SUITE_ID = "moaEidasResponseValidatorSuiteId";
+
private final MetadataFetcherI metadataFetcher;
private final MetadataSignerI metadataSigner;
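Review bot: The new constant `OWN_EIDAS_RESPONSE_VALIDATOR_SUITE_ID` is only coupled to `ValidatorSuite id="moaEidasResponseValidatorSuiteId"` in own-saml-eidasnode-config.xml by an identical string literal, and nothing in this class checks that a suite with that id has actually been registered. If the XML is not loaded or the id drifts, the engine's suite lookup presumably yields no validators for eIDAS responses and the Conditions checks this commit introduces would not run; what EidasProtocolProcessor does on a missing suite is not visible here and should be confirmed. Record the coupling at the declaration: `// Must match ValidatorSuite/@id in own-saml-eidasnode-config.xml (registered by SAMLEngineUtils.initOpenSAMLConfig)`.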
@@ -46,5 +48,10 @@ public class MOAEidasProtocolProcesser extends EidasProtocolProcessor {
this.metadataSigner = metadataSigner;
}
+
+ @Override
+ public String getResponseValidatorId() {
+ return OWN_EIDAS_RESPONSE_VALIDATOR_SUITE_ID;
+ }
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java
new file mode 100644
index 000000000..d9453322f
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java
@@ -0,0 +1,83 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eidas.engine.validation;
+
+import org.joda.time.DateTime;
+import org.opensaml.saml2.core.Conditions;
+import org.opensaml.saml2.core.validator.ConditionsSpecValidator;
+import org.opensaml.xml.validation.ValidationException;
+
+import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ * MOA-ID specific eIDAS Response Condition validator
+ *
+ * This validator allows time jitter in 'notBefore' validation
+ *
+ */
+
+public class MoaEidasConditionsValidator extends ConditionsSpecValidator {
+
+
+
+ @Override
+ public void validate(Conditions conditions) throws ValidationException {
+ Logger.debug("conditions.getNotBefore() "+ conditions.getNotBefore());
+ Logger.debug("conditions.getNotOnOrAfter() "+ conditions.getNotOnOrAfter());
+ Logger.debug("dateTime.now() "+ DateTime.now());
+
+ super.validate(conditions);
+
+ if (conditions.getNotBefore() == null) {
+
+ throw new ValidationException("NotBefore is required.");
+ }
+
+ if (conditions.getNotBefore().minusMillis(Constants.CONFIG_PROPS_SKEWTIME).isAfterNow()) {
+ throw new ValidationException("Current time is before NotBefore condition");
+ }
+
+ if (conditions.getNotOnOrAfter() == null) {
+
+ throw new ValidationException("NotOnOrAfter is required.");
+ }
+ if (conditions.getNotOnOrAfter().isBeforeNow()) {
+
+ throw new ValidationException("Current time is after NotOnOrAfter condition");
+ }
+
+ if (conditions.getAudienceRestrictions() == null || conditions.getAudienceRestrictions().isEmpty()) {
+
+ throw new ValidationException("AudienceRestriction is required.");
+ }
+
+ if (conditions.getOneTimeUse() == null) {
+
+ throw new ValidationException("OneTimeUse is required.");
+ }
+
+ }
+}
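Review bot: The two-minute tolerance applied at the NotBefore check (`minusMillis(Constants.CONFIG_PROPS_SKEWTIME)`) is not mirrored at the NotOnOrAfter check below it, so the validator accepts an assertion whose NotBefore is up to two minutes in the future but rejects one whose NotOnOrAfter is a millisecond in the past. Keeping expiry strict is the safer choice because widening it would lengthen the replay window, but the class Javadoc ("allows time jitter in 'notBefore' validation") should say the asymmetry is deliberate, e.g. `// NotOnOrAfter is intentionally checked without skew: tolerance here would extend the replay window`. The checks call `DateTime.now()` directly although the engine exposes a `SamlEngineSystemClock` (imported in SAMLEngineUtils); if that clock is meant to be the single time source for the engine, this validator bypasses it, which is worth confirming. The validator also does not verify that NotBefore precedes NotOnOrAfter nor that the AudienceRestriction names this node; the latter is presumably done by EidasResponseValidator or EidasAssertionValidator, but that is not visible in this diff.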
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
index b95d4359f..eb50c113f 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
@@ -22,9 +22,13 @@
*/
package at.gv.egovernment.moa.id.auth.modules.eidas.utils;
+import java.io.InputStream;
import java.util.HashMap;
import java.util.Map;
+import org.opensaml.xml.ConfigurationException;
+import org.opensaml.xml.XMLConfigurator;
+
import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
import at.gv.egovernment.moa.id.auth.modules.eidas.config.MOAIDCertificateManagerConfigurationImpl;
import at.gv.egovernment.moa.id.auth.modules.eidas.config.MOASWSigner;
@@ -38,6 +42,7 @@ import eu.eidas.auth.engine.ProtocolEngineI;
import eu.eidas.auth.engine.SamlEngineSystemClock;
import eu.eidas.auth.engine.metadata.MetadataFetcherI;
import eu.eidas.auth.engine.metadata.MetadataSignerI;
+import eu.eidas.auth.engine.xml.opensaml.SAMLBootstrap;
import eu.eidas.engine.exceptions.EIDASSAMLEngineException;
import eu.eidas.samlengineconfig.CertificateConfigurationManager;
@@ -76,10 +81,15 @@ public class SAMLEngineUtils {
//build a map with all actually supported attributes
for (AttributeDefinition<?> el : engine.getProtocolProcessor().getAllSupportedAttributes())
allSupportedAttributeMap.put(el.getFriendlyName(), el);
-
+
+ //TODO: check if bug is fixed in next eIDAS SAML-engine version
+ //overwrite eIDAS response validator suite because Condition-Valitator has not time jitter
+ initOpenSAMLConfig("own-saml-eidasnode-config.xml");
+
+
eIDASEngine = engine;
- } catch (EIDASSAMLEngineException e) {
+ } catch (EIDASSAMLEngineException | ConfigurationException e) {
Logger.error("eIDAS SAMLengine initialization FAILED!", e);
throw new EIDASEngineException("eIDAS.00", new Object[]{e.getMessage()}, e);
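Review bot: The `//TODO: check if bug is fixed in next eIDAS SAML-engine version` comment does not name the engine version that has the defect, so nobody can later tell whether the workaround can be retired; write it as `//TODO: workaround for eIDAS SAML-engine <version>: its Conditions validator has no clock-skew tolerance; drop once fixed upstream`. Note also that `XMLConfigurator` registers the suite into OpenSAML's process-wide configuration, so this call affects every engine instance in the JVM, not only the `engine` being built here; that is fine as long as the id stays MOA-specific, but the comment should say so. The enclosing method starts before this hunk.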
@@ -127,6 +137,12 @@ public class SAMLEngineUtils {
}
}
+ private static void initOpenSAMLConfig(String xmlConfig) throws ConfigurationException {
+ XMLConfigurator configurator = new XMLConfigurator();
+ InputStream is = SAMLBootstrap.class.getClassLoader().getResourceAsStream(xmlConfig);
+ configurator.load(is);
+
+ }
}
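Review bot: `initOpenSAMLConfig` never closes the `InputStream` returned by `getResourceAsStream` and does not handle the `null` that call returns when the resource is missing, so a deployment without own-saml-eidasnode-config.xml fails only in whatever way `XMLConfigurator.load` treats a null stream, and the custom validator suite is silently absent. Since that suite is what carries the Conditions checks, a missing resource should abort engine initialization with a `ConfigurationException` that names the file. The resource ships in this module but is looked up through `SAMLBootstrap`'s class loader (the eIDAS engine jar); `SAMLEngineUtils.class.getClassLoader()` is the more robust choice if the two ever end up in different class loaders. The rewrite below needs `java.io.IOException` imported for the close failure from try-with-resources.
```java
    private static void initOpenSAMLConfig(String xmlConfig) throws ConfigurationException {
        // Look the resource up through this module's class loader: it ships with MOA-ID, not with the engine jar
        try (InputStream is = SAMLEngineUtils.class.getClassLoader().getResourceAsStream(xmlConfig)) {
            if (is == null) {
                // Fail loudly: without this suite the custom Conditions validation would never run
                throw new ConfigurationException("OpenSAML configuration resource not found on classpath: " + xmlConfig);
            }
            new XMLConfigurator().load(is);

        } catch (IOException e) {
            throw new ConfigurationException("Can not read OpenSAML configuration resource: " + xmlConfig, e);
        }
    }
```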
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/resources/own-saml-eidasnode-config.xml b/id/server/modules/moa-id-module-eIDAS/src/main/resources/own-saml-eidasnode-config.xml
new file mode 100644
index 000000000..856ebd96a
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/resources/own-saml-eidasnode-config.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<XMLTooling xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.opensaml.org/xmltooling-config ../../src/schema/xmltooling-config.xsd"
+ xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
+ xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:stork="urn:eu:stork:names:tc:STORK:1.0:assertion"
+ xmlns:storkp="urn:eu:stork:names:tc:STORK:1.0:protocol"
+ xmlns:eidas="http://eidas.europa.eu/saml-extensions"
+ xmlns="http://www.opensaml.org/xmltooling-config">
+
+<!-- SAML 2.0 Protocol Object providers -->
+ <ValidatorSuites>
+ <!-- SAML 2.0 Schema Validation Rules -->
+
+ <ValidatorSuite id="moaEidasResponseValidatorSuiteId">
+
+ <Validator qualifiedName="saml2p:Response"
+ className="eu.eidas.auth.engine.core.validator.eidas.EidasResponseOneAssertionValidator"/>
+
+ <Validator qualifiedName="saml2p:Response"
+ className="eu.eidas.auth.engine.core.validator.eidas.EidasResponseValidator"/>
+
+ <Validator qualifiedName="saml2:Assertion"
+ className="eu.eidas.auth.engine.core.validator.eidas.EidasAssertionValidator"/>
+
+
+ <Validator qualifiedName="saml2:Conditions"
+ className="at.gv.egovernment.moa.id.auth.modules.eidas.engine.validation.MoaEidasConditionsValidator"/>
+
+ <Validator qualifiedName="saml2:AuthnStatement"
+ className="eu.eidas.auth.engine.core.validator.eidas.EidasAuthnStatementValidator"/>
+
+ <Validator qualifiedName="saml2:Attribute"
+ className="eu.eidas.auth.engine.core.validator.eidas.EidasAttributeValidator"/>
+
+ </ValidatorSuite>
+
+
+ </ValidatorSuites>
+
+
+</XMLTooling> \ No newline at end of file
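Review bot: This suite replaces the engine's built-in response validator suite wholesale, so any validator the built-in suite registers and this file omits is silently no longer executed for eIDAS responses; the six entries listed here cannot be checked against the upstream list from this diff, so confirm they are a verbatim copy of the engine's default suite with only the `saml2:Conditions` validator swapped, and record the engine version they were copied from in a comment such as `<!-- Copy of the eIDAS SAML-engine <version> response validator suite; only saml2:Conditions differs -->`. The `xsi:schemaLocation` value `../../src/schema/xmltooling-config.xsd` is a path from the OpenSAML source tree and will not resolve from a deployed jar; it is harmless while schema validation is off but misleading to the next reader. The file also lacks a trailing newline.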