Merge branch 'merge' into moa-2.1-Snapshot

author: Alexander Marsalek <amarsalek@iaik.tugraz.at> 2014-11-03 10:13:04 +0100
committer: Alexander Marsalek <amarsalek@iaik.tugraz.at> 2014-11-03 10:13:04 +0100
commit: 95b5b52b1fac00ab38e54d8deecb7a268ea6f5ed (patch)
tree: 0fbf6ff054dd669fccde458659d58622edb467f1
parent: bce35f534b42d77cdaf1ab8e861237d1cf2f1191 (diff)
parent: db040cc2832f845db0919d1c4e2b034b8737ef24 (diff)
download: moa-id-spss-95b5b52b1fac00ab38e54d8deecb7a268ea6f5ed.tar.gz
moa-id-spss-95b5b52b1fac00ab38e54d8deecb7a268ea6f5ed.tar.bz2
moa-id-spss-95b5b52b1fac00ab38e54d8deecb7a268ea6f5ed.zip
11 files changed, 125 insertions, 33 deletions
diff --git a/id/server/doc/handbook/protocol/protocol.html b/id/server/doc/handbook/protocol/protocol.html
index e7658875c..1c6e51661 100644
--- a/id/server/doc/handbook/protocol/protocol.html
+++ b/id/server/doc/handbook/protocol/protocol.html
@@ -632,6 +632,10 @@ Redirect Binding</td>
     <td>1204</td>
     <td>Ein STORK Attribut wei&szlig;t ein fehlerhaftes Format auf.</td>
   </tr>
+  <tr>
+    <td>1205</td>
+    <td>Der geforderte QAA Level ist h&ouml;her als der QAA Level der gew&auml;hlten Authentifizierungsmethode</td>
+  </tr>
 </table>
 <h3><a name="statuscodes_4xxxx" id="allgemeines_zugangspunkte8"></a>1.3.2 Statuscodes 4xxxx</h3>
 <p>Alles Statuscodes beginnend mit der Zahl vier beschreiben Fehler die w&auml;hrend der Kommunikation mit externen Services aufgetreten sind.</p>
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 5c0e497a3..52488c3cb 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -96,6 +96,7 @@ import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData;
 import at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl;
 import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.IdentityLinkReSigner;
+import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper;
 import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate;
 import at.gv.egovernment.moa.logging.Logger;
@@ -526,10 +527,40 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
 			
 		}
 		
-		if (extractor.containsAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME))
-			authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX +  
-					extractor.getSingleAttributeValue(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME));
 		
+		try {
+			String qaaLevel = extractor.getQAALevel();
+			if (MiscUtil.isNotEmpty(qaaLevel) && 
+					qaaLevel.startsWith(PVPConstants.STORK_QAA_PREFIX)) {
+				authData.setQAALevel(qaaLevel);
+				
+			} else {
+				Logger.debug("Found PVP QAA level. QAA mapping process starts ... ");				
+				String mappedQAA = PVPtoSTORKMapper.getInstance().mapQAALevel(qaaLevel);
+				if (MiscUtil.isNotEmpty(mappedQAA))
+					authData.setQAALevel(mappedQAA);
+				
+				else 
+					throw new AssertionAttributeExtractorExeption("PVP SecClass not mappable");
+				
+			}
+							
+		} catch (AssertionAttributeExtractorExeption e) {
+			Logger.warn("No QAA level found in <RequestedAuthnContext> element of interfederated assertion. " +
+					"(ErrorHeader=" + e.getMessage() + ")");
+			if (extractor.containsAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) {
+				authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX +  
+						extractor.getSingleAttributeValue(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME));
+					
+			} else {
+				Logger.info("No QAA level found. Set to default level " + 
+						PVPConstants.STORK_QAA_PREFIX + "1");
+				authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + "1");
+				
+			}
+				
+		}
+										
 		if (extractor.containsAttribute(PVPConstants.EID_AUTH_BLOCK_NAME)) {
 			try {
 				byte[] authBlock = Base64Utils.decode(extractor.getSingleAttributeValue(PVPConstants.EID_AUTH_BLOCK_NAME), false);				
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
index 3be5df917..4ba93f8fe 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
@@ -170,6 +170,7 @@ public class SAMLVerificationEngine {
 			
 				}
 				
+				List<org.opensaml.saml2.core.Assertion> validatedassertions = new ArrayList<org.opensaml.saml2.core.Assertion>();				
 				for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
 					
 					Conditions conditions = saml2assertion.getConditions();
@@ -177,19 +178,21 @@ public class SAMLVerificationEngine {
 					DateTime notafter = conditions.getNotOnOrAfter();
 					if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) {
 						Logger.warn("PVP2 Assertion is out of Date");
-						saml2assertions.remove(saml2assertion);						
+											
+					} else {
+						validatedassertions.add(saml2assertion);
 						
-					}					
+					}							
 				}
 				
-				if (saml2assertions.isEmpty()) {
+				if (validatedassertions.isEmpty()) {
 					Logger.info("No valid PVP 2.1 assertion received.");
 					throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null);
 				}
 					
 				samlResp.getAssertions().clear();
 				samlResp.getEncryptedAssertions().clear();
-				samlResp.getAssertions().addAll(saml2assertions);
+				samlResp.getAssertions().addAll(validatedassertions);
 				
 			} else {
 				Logger.info("PVP 2.1 assertion includes an error. Receive errorcode " 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java
index aa018d5a3..d59191c08 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java
@@ -33,6 +33,7 @@ import at.gv.egovernment.moa.id.data.SLOInformationImpl;
 import at.gv.egovernment.moa.id.data.SLOInformationInterface;
 import at.gv.egovernment.moa.id.moduls.IAction;
 import at.gv.egovernment.moa.id.moduls.IRequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.storage.AssertionStorage;
 import at.gv.egovernment.moa.id.util.VelocityProvider;
 import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate;
@@ -110,8 +111,38 @@ public class AuthenticationRequest implements IAction {
                 // Get personal attributtes from MOA/IdentityLink
                 
                 //build STORK attributes from local authentication information
-                if (authData != null)
+                if (authData != null) {
+                	int reqQaa = -1;
+                	int authQaa = -1;
+                	try {
+                		reqQaa = moaStorkRequest.getStorkAuthnRequest().getQaa();
+                		authQaa = Integer.valueOf(
+                				authData.getQAALevel().substring(PVPConstants.STORK_QAA_PREFIX.length()));
+                		
+                		if (reqQaa > authQaa) {
+                			Logger.warn("Requested QAA level does not match to authenticated QAA level");
+                			throw new MOAIDException("stork.21", new Object[]{reqQaa, authQaa});
+                			
+                		}
+                	
+                	} catch (MOAIDException e) {
+                		throw e;
+                		
+                	} catch (Exception e) {
+                		if (Logger.isDebugEnabled())
+                			Logger.warn("STORK QAA Level evaluation error", e);
+                		
+                		else
+                			Logger.warn("STORK QAA Level evaluation error (ErrorMessage=" 
+                					+  e.getMessage() + ")");
+                		
+                		throw new MOAIDException("stork.21", new Object[]{reqQaa, authQaa});
+                		
+                	}
+                	                	
                 	moaStorkResponse.setPersonalAttributeList(populateAttributes(authData, oaParam));
+                	
+                }
             }
 
             //moaStorkResponse.setCountry(moaStorkRequest.getSpCountry());
@@ -452,7 +483,7 @@ public class AuthenticationRequest implements IAction {
 
         IPersonalAttributeList attrLst = moaStorkRequest.getStorkAuthnRequest().getPersonalAttributeList();
         Logger.info("Found " + attrLst.size() + " personal attributes in the request.");
-
+        
         // Define attribute list to be populated
         PersonalAttributeList attributeList = new PersonalAttributeList();
         MOAAttributeProvider moaAttributeProvider = new MOAAttributeProvider(authData, moaStorkRequest);
@@ -470,7 +501,7 @@ public class AuthenticationRequest implements IAction {
             Logger.error("Exception, attributes: " + e.getMessage());
         }
 
-        Logger.debug("AUTHBLOCK " + authData.getAuthBlock());
+        Logger.trace("AUTHBLOCK " + authData.getAuthBlock());
         Logger.debug("SESSION IDENTIFIER " + authData.getCcc() + " " + oaParam.getIdentityLinkDomainIdentifier());
 
         return attributeList;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java
index aaded0ce6..993514ec7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java
@@ -23,11 +23,10 @@
 package at.gv.egovernment.moa.id.protocols.stork2;
 
 import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
-import at.gv.egovernment.moa.id.auth.data.IdentityLink;
 import at.gv.egovernment.moa.id.auth.exception.BuildException;
 import at.gv.egovernment.moa.id.data.AuthenticationRole;
 import at.gv.egovernment.moa.id.data.IAuthData;
-import at.gv.egovernment.moa.id.util.PVPtoSTORKRoleMapper;
+import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
 import eu.stork.peps.auth.commons.PersonalAttribute;
@@ -44,11 +43,6 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
-import org.joda.time.format.DateTimeFormat;
-import org.joda.time.format.DateTimeFormatter;
-
-import javassist.expr.Instanceof;
-
 /**
  * @author bsuzic
  *         Date: 2/19/14, Time: 4:42 PM
@@ -125,7 +119,7 @@ public class MOAAttributeProvider {
     			&& authData.getAuthenticationRoles().size() > 0) {
 
     		storkRoles = new ArrayList<String>();
-    		PVPtoSTORKRoleMapper mapper = PVPtoSTORKRoleMapper.getInstance();
+    		PVPtoSTORKMapper mapper = PVPtoSTORKMapper.getInstance();
     		for (AuthenticationRole el : authData.getAuthenticationRoles()) {
     			String storkRole = mapper.map(el);
     			if (MiscUtil.isNotEmpty(storkRole))
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java
index 88c59ccf9..96aa55bcf 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java
@@ -134,11 +134,9 @@ public class PVPAuthenticationProvider extends AttributeProvider {
         authRequest.setPersonalAttributeList(moastorkRequest.getPersonalAttributeList());
 
         authRequest.setCitizenCountryCode("AT");
-        authRequest.setQaa(oaParam.getQaaLevel());
+        //authRequest.setQaa(oaParam.getQaaLevel());
+       	authRequest.setQaa(moastorkRequest.getStorkAuthnRequest().getQaa());
 
-        if (authRequest.getQaa() == 0 )  {
-        	authRequest.setQaa(4); // workaround
-        }
 
 
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKRoleMapper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java
index 20f541a1a..0ea03e29d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKRoleMapper.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java
@@ -33,24 +33,26 @@ import at.gv.egovernment.moa.util.MiscUtil;
  * @author tlenz
  *
  */
-public class PVPtoSTORKRoleMapper {
+public class PVPtoSTORKMapper {
 
+	private static final String PVP_SECCLASS_PREFIX = "http://www.ref.gv.at/ns/names/agiz/pvp/";
+	
 	private static final String MAPPING_RESOURCE = 
-			"resources/properties/pvp-stork_role_mapping.properties";
+			"resources/properties/pvp-stork_mapping.properties";
 	
 	private Properties mapping = null;
 	
-	private static PVPtoSTORKRoleMapper instance = null;
+	private static PVPtoSTORKMapper instance = null;
 	
-	public static PVPtoSTORKRoleMapper getInstance() {
+	public static PVPtoSTORKMapper getInstance() {
 		if (instance == null) {
-			instance = new PVPtoSTORKRoleMapper();			
+			instance = new PVPtoSTORKMapper();			
 		}
 		
 		return instance;
 	}
 	
-	private PVPtoSTORKRoleMapper() {
+	private PVPtoSTORKMapper() {
 		try {
 			mapping = new Properties();
 			mapping.load(this.getClass().getClassLoader().getResourceAsStream(MAPPING_RESOURCE));
@@ -65,9 +67,29 @@ public class PVPtoSTORKRoleMapper {
 		
 	}
 
-	/**
-	 * @param el
-	 * @return
+	/**Map a PVP SecClass to STORK QAA level
+	 * 
+	 * @param PVP SecClass pvpQAALevel
+	 * @return STORK-QAA level
+	 */	
+	public String mapQAALevel(String pvpQAALevel) {
+		if (mapping != null) {
+			String input = pvpQAALevel.substring(PVP_SECCLASS_PREFIX.length());			
+			String mappedQAA = mapping.getProperty(input);
+			if (MiscUtil.isNotEmpty(mappedQAA)) {
+				Logger.info("Map PVP SecClass " + pvpQAALevel + " to STORK-QAA " + mappedQAA);
+				return mappedQAA;
+				
+			}						
+		}		
+		Logger.warn("No mapping for PVP SecClass " + pvpQAALevel +" !");
+		return null;
+	}
+	
+	/**Map a PVP Role attribute to STORK ECAuthenticationRole attribute values
+	 * 
+	 * @param PVP Role attribute
+	 * @return STORK ECAuthenticationRole attribute value
 	 */
 	public String map(AuthenticationRole el) {
 		if (mapping != null) {
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 848866090..8fda4566c 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -228,6 +228,7 @@ stork.17=Fehler beim Einholen der Zustimmung f\uFFFDr Attribut\u00FCbertragung d
 stork.18=STORK-SAML Engine konnte nicht initialisiert werden. 
 stork.19=Das erforderliche Attribut ist f\u00FCr naturliche Personen nicht vorhanden\: {0}
 stork.20=Fehler bei der Datenkonversion - eingegebens Datum fehlerhaft
+stork.21=Der angeforderte QAA-level {0} ist h\u00F6her als der QAA-level der Authentifizierung {1}
 
 pvp2.00={0} ist kein gueltiger consumer service index
 pvp2.01=Fehler beim kodieren der PVP2 Antwort
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
index 27f735028..eeacdc627 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
@@ -172,6 +172,7 @@ stork.17=1203
 stork.18=9004 
 stork.19=1203
 stork.20=1204
+stork.21=1205
 
 pvp2.01=6100
 pvp2.06=6100
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties b/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties
new file mode 100644
index 000000000..63745f826
--- /dev/null
+++ b/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties
@@ -0,0 +1,9 @@
+##PVP role mapping
+viewer=CIRCABC/viewer
+CIRCABC-viewer=CIRCABC/viewer
+
+##PVP SecClass mapping
+secclass/0=http://www.stork.gov.eu/1.0/citizenQAALevel/1
+secclass/0-1=http://www.stork.gov.eu/1.0/citizenQAALevel/2
+secclass/0-2=http://www.stork.gov.eu/1.0/citizenQAALevel/3
+secclass/0-3=http://www.stork.gov.eu/1.0/citizenQAALevel/4
+\ No newline at end of file
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_role_mapping.properties b/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_role_mapping.properties
deleted file mode 100644
index 295d381cd..000000000
--- a/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_role_mapping.properties
+++ /dev/null
@@ -1,2 +0,0 @@
-viewer=CIRCABC/viewer
-CIRCABC-viewer=CIRCABC/viewer
-\ No newline at end of file
author	Alexander Marsalek <amarsalek@iaik.tugraz.at>	2014-11-03 10:13:04 +0100
committer	Alexander Marsalek <amarsalek@iaik.tugraz.at>	2014-11-03 10:13:04 +0100
commit	95b5b52b1fac00ab38e54d8deecb7a268ea6f5ed (patch)
tree	0fbf6ff054dd669fccde458659d58622edb467f1
parent	bce35f534b42d77cdaf1ab8e861237d1cf2f1191 (diff)
parent	db040cc2832f845db0919d1c4e2b034b8737ef24 (diff)
download	moa-id-spss-95b5b52b1fac00ab38e54d8deecb7a268ea6f5ed.tar.gz moa-id-spss-95b5b52b1fac00ab38e54d8deecb7a268ea6f5ed.tar.bz2 moa-id-spss-95b5b52b1fac00ab38e54d8deecb7a268ea6f5ed.zip