ReImplement MOAMetadataProvider to add and remove HTTPMetadataProvider dynamically from configuration database.

4 files changed, 254 insertions, 49 deletions

diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java
index cd34d382b..e07a0ba77 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java
@@ -368,9 +368,6 @@ ServletResponseAware {
 			}
 		}
 		
-		
-		
-
 		Object nextPageAttr = session.getAttribute(Constants.SESSION_RETURNAREA);	
 		if (nextPageAttr != null && nextPageAttr instanceof String) {
 			nextPage = (String) nextPageAttr;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigLoader.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigLoader.java
index 92323f02b..e351cfa7d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigLoader.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigLoader.java
@@ -26,7 +26,6 @@ public class AuthConfigLoader implements Runnable {
 				MOAIDConfiguration moaidconfig = ConfigurationDBRead.getMOAIDConfiguration();
 				Date dbdate = moaidconfig.getTimestampItem();
 				Date pvprefresh = moaidconfig.getPvp2RefreshItem();
-				ConfigurationDBUtils.closeSession();
 
 				Date date = AuthConfigurationProvider.getTimeStamp();
 			
@@ -36,17 +35,18 @@ public class AuthConfigLoader implements Runnable {
 				}
 				
 				Date pvpdate = MOAMetadataProvider.getTimeStamp();
-				if (pvprefresh != null && pvprefresh.after(pvpdate)) {
-					MOAMetadataProvider metainst = MOAMetadataProvider.getInstance();
-					metainst.reInitialize();
+				if (pvprefresh != null && pvpdate != null && pvprefresh.after(pvpdate)) {
+					MOAMetadataProvider.reInitialize();
 				}
 				
-				
 			} catch (Throwable e) {
 				Logger.warn("MOA-ID Configuration is actually not loadable. Reuse old configuration.", e);
+				
+			} finally {
+				ConfigurationDBUtils.closeSession();
+				
 			}
-		}
-		
+		}	
 	}
 	
 	public static void start() {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index a61633e12..107ee22ee 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -1,11 +1,13 @@
 package at.gv.egovernment.moa.id.protocols.pvp2x.metadata;
 
-import iaik.util.logging.Log;
-
 import java.security.cert.CertificateException;
+import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Date;
+import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
+import java.util.Map;
 import java.util.Timer;
 
 import javax.xml.namespace.QName;
@@ -34,8 +36,7 @@ public class MOAMetadataProvider implements MetadataProvider {
 	private static MOAMetadataProvider instance = null;
 
 	private static Object mutex = new Object();
-	private static Date timestamp;
-	
+	private static Date timestamp = null;
 	
 	public static MOAMetadataProvider getInstance() {
 		if (instance == null) {
@@ -52,18 +53,162 @@ public class MOAMetadataProvider implements MetadataProvider {
 		return timestamp;
 	}
 	
-	public void reInitialize() {
+	public static void reInitialize() {
 		synchronized (mutex) {
-			Log.info("ReInitalize MOAMetaDataProvider.");
-			instance = new MOAMetadataProvider();
+			
+			/**add new Metadataprovider or remove Metadataprovider which are not in use any more.**/
+			if (instance != null)
+				instance.addAndRemoveMetadataProvider();
+			
+			else
+				Logger.info("MOAMetadataProvider is not loaded.");
+		}
+	}
+	
+	public static void destroy() {
+		if (instance != null) {
+			instance.internalDestroy();
+			
+		} else {
+			Logger.info("MOAMetadataProvider is not loaded. Accordingly it can not be destroyed");
 		}
 	}
 	
 	MetadataProvider internalProvider;
 
+	
+	private void addAndRemoveMetadataProvider() {
+		if (internalProvider != null && internalProvider instanceof ChainingMetadataProvider) {
+			Logger.info("Relaod MOAMetaDataProvider.");
+			
+			/*OpenSAML ChainingMetadataProvider can not remove a MetadataProvider (UnsupportedOperationException)
+			 *The ChainingMetadataProvider use internal a unmodifiableList to hold all registrated MetadataProviders.*/ 
+			Map<String, MetadataProvider> providersinuse = new HashMap<String, MetadataProvider>();
+
+			Map<String, HTTPMetadataProvider> loadedproviders = new HashMap<String, HTTPMetadataProvider>();
+			ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;
+			
+			//make a Map of all actually loaded HTTPMetadataProvider
+			List<MetadataProvider> providers = chainProvider.getProviders();
+			for (MetadataProvider provider : providers) {
+				if (provider instanceof HTTPMetadataProvider) {
+					HTTPMetadataProvider httpprovider = (HTTPMetadataProvider) provider;
+					loadedproviders.put(httpprovider.getMetadataURI(), httpprovider);
+				}
+			}
+			
+			//load all PVP2 OAs form ConfigurationDatabase and 
+			//compare actually loaded Providers with configured PVP2 OAs
+			List<OnlineApplication> oaList = ConfigurationDBRead
+					.getAllActiveOnlineApplications();
+			
+			//set Timestamp
+			timestamp = new Date();
+			
+			Iterator<OnlineApplication> oaIt = oaList.iterator();
+			while (oaIt.hasNext()) {
+				try {
+					OnlineApplication oa = oaIt.next();
+					OAPVP2 pvp2Config = oa.getAuthComponentOA().getOAPVP2();
+					if (pvp2Config != null && MiscUtil.isNotEmpty(pvp2Config.getMetadataURL())) {
+						
+						String metadataurl = pvp2Config.getMetadataURL();
+						
+						if (loadedproviders.containsKey(metadataurl)) {
+							//PVP2 OA is actually loaded, to nothing
+							providersinuse.put(metadataurl, loadedproviders.get(metadataurl));
+							loadedproviders.remove(metadataurl);
+							
+							
+						} else if ( MiscUtil.isNotEmpty(metadataurl) &&
+								!providersinuse.containsKey(metadataurl) ) {
+							//PVP2 OA is new, add it to MOAMetadataProvider
+							Logger.info("Loading metadata for: " + oa.getFriendlyName());
+							HTTPMetadataProvider httpProvider = createNewHTTPMetaDataProvider(
+									pvp2Config.getMetadataURL(), 
+									pvp2Config.getCertificate(),
+									oa.getFriendlyName());
+							
+							if (httpProvider != null)
+								providersinuse.put(metadataurl, httpProvider);
+						
+						}
+					}
+				} catch (Throwable e) {
+					Logger.error(
+							"Failed to add Metadata (unhandled reason: "
+									+ e.getMessage(), e);
+				}	
+			}
+			
+			//remove all actually loaded MetadataProviders with are not in ConfigurationDB any more
+			Collection<HTTPMetadataProvider> notusedproviders = loadedproviders.values();
+			for (HTTPMetadataProvider provider : notusedproviders) {
+				String metadataurl = provider.getMetadataURI();
+				
+				try {
+					
+					provider.destroy();
+					
+					/*OpenSAML ChainingMetadataProvider can not remove a MetadataProvider (UnsupportedOperationException)
+					 *The ChainingMetadataProvider use internal a unmodifiableList to hold all registrated MetadataProviders.*/
+					//chainProvider.removeMetadataProvider(provider);
+					
+					Logger.info("Remove not used MetadataProvider with MetadataURL " + metadataurl);
+					
+				} catch (Throwable e) {
+					Logger.error("HTTPMetadataProvider with URL " + metadataurl 
+							+ " can not be removed from the list of actually loaded Providers.", e);
+					
+				}
+				
+			}
+			
+			try {
+				chainProvider.setProviders(new ArrayList<MetadataProvider>(providersinuse.values()));
+				
+			} catch (MetadataProviderException e) {
+				Logger.warn("ReInitalize MOAMetaDataProvider is not possible! MOA-ID Instance has to be restarted manualy", e);
+				
+			}
+			
+			
+			
+		} else {
+			Logger.warn("ReInitalize MOAMetaDataProvider is not possible! MOA-ID Instance has to be restarted manualy");
+		}
+		
+	}
+	
+	
+	public void internalDestroy() {
+		if (internalProvider != null && internalProvider instanceof ChainingMetadataProvider) {
+			Logger.info("Destrorying MOAMetaDataProvider.");
+			ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;				
+			
+			List<MetadataProvider> providers = chainProvider.getProviders();
+			for (MetadataProvider provider : providers) {
+				if (provider instanceof HTTPMetadataProvider) {
+					HTTPMetadataProvider httpprovider = (HTTPMetadataProvider) provider;
+					Logger.debug("Destroy HTTPMetadataProvider +" + httpprovider.getMetadataURI());
+					httpprovider.destroy();
+					
+				} else {
+					Logger.warn("MetadataProvider can not be destroyed.");
+				}
+			}	
+			instance = null;
+		} else {
+			Logger.warn("ReInitalize MOAMetaDataProvider is not possible! MOA-ID Instance has to be restarted manualy");
+		}
+	}
+	
 	private MOAMetadataProvider() {
 		ChainingMetadataProvider chainProvider = new ChainingMetadataProvider();
 		Logger.info("Loading metadata");
+		
+		Map<String, MetadataProvider> providersinuse = new HashMap<String, MetadataProvider>();
+		
 		List<OnlineApplication> oaList = ConfigurationDBRead
 				.getAllActiveOnlineApplications();
 		Iterator<OnlineApplication> oaIt = oaList.iterator();
@@ -73,35 +218,22 @@ public class MOAMetadataProvider implements MetadataProvider {
 				Logger.info("Loading metadata for: " + oa.getFriendlyName());
 				OAPVP2 pvp2Config = oa.getAuthComponentOA().getOAPVP2();
 				if (pvp2Config != null && MiscUtil.isNotEmpty(pvp2Config.getMetadataURL())) {
-//				if (pvp2Config != null) {
 					String metadataURL = pvp2Config.getMetadataURL();
-					try {
-						// TODO: use proper SSL checking
-						HTTPMetadataProvider httpProvider = 
-								new HTTPMetadataProvider(new Timer(), new HttpClient(), 
-										metadataURL);
-						httpProvider.setParserPool(new BasicParserPool());
-						httpProvider.setRequireValidMetadata(true);
-						httpProvider.setMinRefreshDelay(1000*60*5); //5min
-						httpProvider.setMaxRefreshDelay(1000*60*30); //30min
-						//httpProvider.setRefreshDelayFactor(0.1F);
-						MetadataFilter filter = new MetadataSignatureFilter(
-								metadataURL, pvp2Config.getCertificate());
-						httpProvider.setMetadataFilter(filter);
-						chainProvider.addMetadataProvider(httpProvider);
-						httpProvider.initialize();
-
-					} catch (MetadataProviderException e) {
-						Logger.error(
-								"Failed to add Metadata file for "
-										+ oa.getFriendlyName() + "[ "
-										+ e.getMessage() + " ]", e);
-					} catch (CertificateException e) {
-						Logger.error(
-								"Failed to add Metadata file for "
-										+ oa.getFriendlyName() + "[ "
-										+ e.getMessage() + " ]", e);
+					
+					if (!providersinuse.containsKey(metadataURL)) {
+					
+						HTTPMetadataProvider httpProvider = createNewHTTPMetaDataProvider(
+								metadataURL, 
+								pvp2Config.getCertificate(),
+								oa.getFriendlyName());
+					
+						if (httpProvider != null)
+							providersinuse.put(metadataURL, httpProvider);
+						
+					} else {
+						Logger.info(metadataURL + " are already added.");
 					}
+					
 				} else {
 					Logger.info(oa.getFriendlyName()
 							+ " is not a PVP2 Application skipping");
@@ -113,10 +245,55 @@ public class MOAMetadataProvider implements MetadataProvider {
 			}			
 		}
 		
+		
+		try {
+			chainProvider.setProviders(new ArrayList<MetadataProvider>(providersinuse.values()));
+			
+		} catch (MetadataProviderException e) {
+			Logger.error(
+					"Failed to add Metadata (unhandled reason: "
+							+ e.getMessage(), e);
+		}
+		
 		internalProvider = chainProvider;
 		timestamp = new Date();
 	}
 	
+	private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, byte[] certificate, String oaName) {
+		try {						
+			HTTPMetadataProvider httpProvider = new HTTPMetadataProvider(new Timer(), new HttpClient(), 
+					metadataURL);
+			httpProvider.setParserPool(new BasicParserPool());
+			httpProvider.setRequireValidMetadata(true);
+			httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes
+			httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours
+			//httpProvider.setRefreshDelayFactor(0.1F);
+			
+			// TODO: use proper SSL checking
+			
+			MetadataFilter filter = new MetadataSignatureFilter(
+					metadataURL, certificate);
+			httpProvider.setMetadataFilter(filter);
+			httpProvider.initialize();
+			
+			return httpProvider;
+			
+			
+		} catch (MetadataProviderException e) {
+			Logger.error(
+					"Failed to add Metadata file for "
+							+ oaName + "[ "
+							+ e.getMessage() + " ]", e);
+		} catch (CertificateException e) {
+			Logger.error(
+					"Failed to add Metadata file for "
+							+ oaName + "[ "
+							+ e.getMessage() + " ]", e);
+		}
+		
+		return null;	
+	}
+	
 	public boolean requireValidMetadata() {
 		return internalProvider.requireValidMetadata();
 	}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java
index fb1f08132..ffc3f9b29 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java
@@ -14,6 +14,8 @@ import org.opensaml.xml.security.credential.Credential;
 import org.opensaml.xml.security.x509.BasicX509Credential;
 
 import at.gv.egovernment.moa.id.MOAIDException;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException;
 import at.gv.egovernment.moa.logging.Logger;
 
 public class MetadataSignatureFilter implements MetadataFilter {
@@ -48,11 +50,37 @@ public class MetadataSignatureFilter implements MetadataFilter {
 		}
 		
 		Iterator<EntityDescriptor> entIT = desc.getEntityDescriptors().iterator();
-		
-		
-		//TODO: check this!!!!
-		while(entID.hasNext()) {
-			processEntityDescriptorr(entIT.next());
+	
+		//check every Entity 
+		while(entIT.hasNext()) {
+			
+			EntityDescriptor entity = entIT.next();
+			String entityID = entity.getEntityID();
+			
+			//CHECK if Entity also match MetaData signature.
+			/*This check is necessary to prepend declaration of counterfeit OA metadata!!*/
+			byte[] entityCert = EntityVerifier.fetchSavedCredential(entityID);
+			
+			if (entityCert != null) {
+			
+				X509Certificate cert;
+				try {
+					cert = new X509Certificate(entityCert);
+					BasicX509Credential entityCrendential = new BasicX509Credential();
+					entityCrendential.setEntityCertificate(cert);
+	
+					EntityVerifier.verify(desc, entityCrendential);
+					
+				} catch (Exception e) {
+					throw new MOAIDException("The App", null, e);
+				}
+				
+			} else {
+				throw new NoCredentialsException("NO Certificate found for OA " + entityID);
+			}
+
+			//TODO: insert to support signed Entity-Elements
+			//processEntityDescriptorr(entIT.next());
 		}
 	}
 	
@@ -70,6 +98,9 @@ public class MetadataSignatureFilter implements MetadataFilter {
 			} */else {
 				throw new MOAIDException("Invalid Metadata file Root element is no EntitiesDescriptor", null);
 			}
+			
+			ConfigurationDBUtils.closeSession();
+			
 			Logger.info("Metadata Filter done OK");
 		} catch (MOAIDException e) {
 			e.printStackTrace();