authorThomas Lenz <tlenz@iaik.tugraz.at>2017-10-13 15:00:25 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2017-10-13 15:00:25 +0200
commit154338abc9ba998bf589b9ab12882ddffa78cf53 (patch)
treee16b9c9b45cf88dc156c03b524d3e2f6dedb53bf
parent87182edee2d4b4d923802995f1421857034e40c7 (diff)
downloadmoa-id-spss-154338abc9ba998bf589b9ab12882ddffa78cf53.tar.gz
moa-id-spss-154338abc9ba998bf589b9ab12882ddffa78cf53.tar.bz2
moa-id-spss-154338abc9ba998bf589b9ab12882ddffa78cf53.zip
enforce eiDAS legal-person MDS if citizen uses mandates and no legal-person attributes are requested
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties1
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties1
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java63
3 files changed, 46 insertions, 19 deletions
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 2ce9fb9e7..05f58d5bc 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -275,6 +275,7 @@ eIDAS.13=Generation of eIDAS Response FAILED. Reason:{0}
eIDAS.14=eIDAS Response validation FAILED: LevelOfAssurance {0} is to low.
eIDAS.15=Generation of eIDAS Response FAILED. Required attribute: {0} is NOT available.
eIDAS.16=eIDAS Response attribute-validation FAILED. Attribute:{0} Reason: {1}.
+eIDAS.17=Generation of eIDAS Response FAILED. Citzen use mandates for authentication but there are no mandate attributes requested
pvp2.01=Fehler beim kodieren der PVP2 Antwort
pvp2.02=Ungueltiges Datumsformat
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
index c6d0844ce..0a37fdc91 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
@@ -230,6 +230,7 @@ eIDAS.13=1307
eIDAS.14=1301
eIDAS.15=1307
eIDAS.16=1301
+eIDAS.17=1307
pvp2.01=6100
pvp2.06=6100
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
index d0cda38c7..b91bbde9e 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
@@ -77,6 +77,8 @@ public class eIDASAuthenticationRequest implements IAction {
@Autowired protected MOAReversionLogger revisionsLogger;
@Autowired(required=true) MOAeIDASChainingMetadataProvider eIDASMetadataProvider;
+
+
@Override
public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException {
EIDASData eidasRequest;
@@ -91,29 +93,32 @@ public class eIDASAuthenticationRequest implements IAction {
//gather attributes
ImmutableAttributeMap reqAttributeList = (ImmutableAttributeMap) eidasRequest.getEidasRequestedAttributes();
ImmutableAttributeMap.Builder attrMapBuilder = ImmutableAttributeMap.builder();
-
- //generate eIDAS attributes
- for(AttributeDefinition<?> attr : reqAttributeList.getDefinitions()) {
- Pair<AttributeDefinition<?>, ImmutableSet<AttributeValue<?>>> eIDASAttr = eIDASAttributeBuilder.buildAttribute(
- attr, req.getOnlineApplicationConfiguration(), authData);
-
- if(eIDASAttr == null) {
- if (attr.isRequired()) {
- Logger.info("eIDAS Attr:" + attr.getNameUri() + " is marked as 'Required' but not available.");
- throw new MOAIDException("eIDAS.15", new Object[]{attr.getFriendlyName()});
-
- } else
- Logger.info("eIDAS Attr:" + attr.getNameUri() + " is not available.");
- } else {
- //add attribute to Map
- attrMapBuilder.put(
- (AttributeDefinition)eIDASAttr.getFirst(),
- (ImmutableSet)eIDASAttr.getSecond());
+ //generate eIDAS attributes
+ for(AttributeDefinition<?> attr : reqAttributeList.getDefinitions())
+ buildAndAddAttribute(attrMapBuilder, attr, eidasRequest, authData);
+
+
+ //Check if Mandate attributes are requested if mandates was used
+ if (authData.isUseMandate()) {
+ if (reqAttributeList.getDefinitionByNameUri(
+ eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri()) == null) {
+ Logger.info("Citzen perfom authentication with mandates but no mandate attribute are included. --> Add mandate attribute 'LEGAL_PERSON_IDENTIFIER'");
+ buildAndAddAttribute(attrMapBuilder, eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER, eidasRequest, authData);
+
+ }
+
+ if (reqAttributeList.getDefinitionByNameUri(
+ eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_NAME.getNameUri()) == null) {
+ Logger.info("Citzen perfom authentication with mandates but no mandate attribute are included. --> Add mandate attribute 'LEGAL_NAME'");
+ buildAndAddAttribute(attrMapBuilder, eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_NAME, eidasRequest, authData);
}
}
+ //build final attibute set
+ ImmutableAttributeMap eIDASAttrbutMap = attrMapBuilder.build();
+
// construct eIDaS response
AuthenticationResponse.Builder responseBuilder = new AuthenticationResponse.Builder();
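Review bot: The new mandate branch (the `if (authData.isUseMandate())` block) adds LEGAL_PERSON_IDENTIFIER and LEGAL_NAME to the response, but when buildAndAddAttribute gets no value back it only logs at info level (unless the eIDAS definition is marked required, which this hunk does not show) and the response is still built as SUCCESS with whatever attributes were produced, so the eIDAS.17 message introduced by this same commit is never actually raised. If the commit title's intent is to enforce the legal-person MDS for mandate logins, the mandate case should fail closed when the identifier is missing, e.g. right after `ImmutableAttributeMap eIDASAttrbutMap = attrMapBuilder.build();` add `if (authData.isUseMandate() && eIDASAttrbutMap.getDefinitionByNameUri(LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri()) == null) throw new MOAIDException("eIDAS.17", null);` — otherwise a relying party that did not request legal-person attributes presumably receives a successful assertion for a mandate-based login that it cannot tell apart from a plain natural-person login. Minor style points: the fully qualified `eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions` is spelled out four times and would read better behind an import, and the two log strings contain typos (`Citzen perfom` should be `Citizen performs`). processRequest begins and ends outside this hunk.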
@@ -127,7 +132,7 @@ public class eIDASAuthenticationRequest implements IAction {
responseBuilder.levelOfAssurance(authData.getEIDASQAALevel());
//add attributes
- responseBuilder.attributes(attrMapBuilder.build());
+ responseBuilder.attributes(eIDASAttrbutMap);
//set success statuscode
responseBuilder.statusCode(StatusCode.SUCCESS_URI);
@@ -221,6 +226,26 @@ public class eIDASAuthenticationRequest implements IAction {
return "eIDAS_AuthnRequest";
}
+ private void buildAndAddAttribute(ImmutableAttributeMap.Builder attrMapBuilder, AttributeDefinition<?> attr, IRequest req, IAuthData authData) throws MOAIDException {
+ Pair<AttributeDefinition<?>, ImmutableSet<AttributeValue<?>>> eIDASAttr = eIDASAttributeBuilder.buildAttribute(
+ attr, req.getOnlineApplicationConfiguration(), authData);
+
+ if(eIDASAttr == null) {
+ if (attr.isRequired()) {
+ Logger.info("eIDAS Attr:" + attr.getNameUri() + " is marked as 'Required' but not available.");
+ throw new MOAIDException("eIDAS.15", new Object[]{attr.getFriendlyName()});
+
+ } else
+ Logger.info("eIDAS Attr:" + attr.getNameUri() + " is not available.");
+
+ } else {
+ //add attribute to Map
+ attrMapBuilder.put(
+ (AttributeDefinition)eIDASAttr.getFirst(),
+ (ImmutableSet)eIDASAttr.getSecond());
+
+ }
+ }