Finish PVP21 interfederation assertion preprocessing

8 files changed, 204 insertions, 91 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java
index 31b88263b..b2bcd443f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java
@@ -68,6 +68,7 @@ public class OAParameter {
 		
 		this.oAuth20Config = oa.getAuthComponentOA().getOAOAUTH20();
 		
+		this.isInderfederationIDP = oa.isIsInterfederationIDP();
 		
 	}
 	
@@ -104,6 +105,8 @@ public class OAParameter {
 	
 	private boolean removePBKFromAuthblock;
 	
+	private Boolean isInderfederationIDP;
+	
 	/**
 	 * Contains the oAuth 2.0 configuration (client id, secret and redirect uri)
 	 */
@@ -141,4 +144,16 @@ public class OAParameter {
 		return oAuth20Config;
 	}
 
+	/**
+	 * @return the isInderfederationIDP
+	 */
+	public boolean isInderfederationIDP() {
+		if (isInderfederationIDP == null)
+			return false;
+		
+		return isInderfederationIDP;
+	}
+	
+	
+
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
index 31e19ee46..2f4bbbcf4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
@@ -41,6 +41,7 @@ import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
 import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.servlet.AuthServlet;
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
+import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.data.IAuthData;
@@ -262,9 +263,12 @@ public class DispatcherServlet extends AuthServlet{
 							Logger.debug(DispatcherServlet.class.getName()+": Create PendingRequest with ID " + protocolRequestID + ".");
 							
 						} else if (protocolRequest != null && 
-								protocolRequest.getInterfederationResponse() != null ) {
+								protocolRequest.getInterfederationResponse() != null ) {							
+							Logger.debug("Create new interfederated MOA-Session and add to HTTPRequest");
+							String sessionID = AuthenticationSessionStoreage.createInterfederatedSession(protocolRequest, true);
+							req.getParameterMap().put(PARAM_SESSIONID, sessionID);
 							Logger.info("PreProcessing of SSO interfederation response complete. ");
-						
+													
 						} else {
 							Logger.error("Failed to generate a valid protocol request!");
 							resp.setContentType("text/html;charset=UTF-8");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index 3ab4dd74c..639b8672b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -187,20 +187,20 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 											
 				IRequest obj = RequestStorage.getPendingRequest(msg.getRelayState());
 				if (obj instanceof RequestImpl) {
-					RequestImpl iReq = (RequestImpl) obj;
+					RequestImpl iReqSP = (RequestImpl) obj;
 
 					MOAResponse processedMsg = preProcessAuthResponse((MOAResponse) msg);
 					
 					if ( processedMsg != null ) {
-						iReq.setInterfederationResponse((MOAResponse) msg);						
+						iReqSP.setInterfederationResponse((MOAResponse) msg);						
 												
 					} else {
 						Logger.info("Receive NO valid SSO session from " + msg.getEntityID() 
 								+". Switch to local authentication process ...");
-						iReq.setRequestedIDP(null);
+						iReqSP.setRequestedIDP(null);
 					}
 									
-					return iReq;
+					return iReqSP;
 					
 				}
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
new file mode 100644
index 000000000..61b481447
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
@@ -0,0 +1,111 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.pvp2x.utils;
+
+import java.util.List;
+
+import org.opensaml.saml2.core.Assertion;
+import org.opensaml.saml2.core.AuthnContextClassRef;
+import org.opensaml.saml2.core.AuthnStatement;
+import org.opensaml.saml2.core.Response;
+import org.opensaml.saml2.core.Subject;
+
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+public class AssertionAttributeExtractor {
+	
+	private Assertion assertion = null;
+	
+	public AssertionAttributeExtractor(Response samlResponse) throws AssertionAttributeExtractorExeption {
+		if (samlResponse != null) {
+			if (samlResponse.getAssertions().size() == 0) 
+				throw new AssertionAttributeExtractorExeption("Assertion");
+				
+			else if (samlResponse.getAssertions().size() > 1)
+				Logger.warn("Found more then ONE PVP2.1 assertions. Only the First is used.");
+			
+			assertion = samlResponse.getAssertions().get(0);			
+					
+		} else 
+			throw new AssertionAttributeExtractorExeption();		
+	}
+
+	public String getNameID() throws AssertionAttributeExtractorExeption {		
+		if (assertion.getSubject() != null) {
+			Subject subject = assertion.getSubject();
+			
+			if (subject.getNameID() != null) {
+				if (MiscUtil.isNotEmpty(subject.getNameID().getValue()))					
+					return subject.getNameID().getValue();			
+				
+				else
+					Logger.error("SAML2 NameID Element is empty.");
+			}
+		}
+			
+		throw new AssertionAttributeExtractorExeption("nameID");
+	}
+	
+	public String getSessionIndex() throws AssertionAttributeExtractorExeption {		
+		AuthnStatement authn = getAuthnStatement();
+		
+		if (MiscUtil.isNotEmpty(authn.getSessionIndex()))
+			return authn.getSessionIndex();
+		
+		else
+			throw new AssertionAttributeExtractorExeption("SessionIndex");		
+	}
+
+	/**
+	 * @return
+	 * @throws AssertionAttributeExtractorExeption 
+	 */
+	public String getQAALevel() throws AssertionAttributeExtractorExeption {
+		AuthnStatement authn = getAuthnStatement();
+		if (authn.getAuthnContext() != null && authn.getAuthnContext().getAuthnContextClassRef() != null) {
+			AuthnContextClassRef qaaClass = authn.getAuthnContext().getAuthnContextClassRef();
+			
+			if (MiscUtil.isNotEmpty(qaaClass.getAuthnContextClassRef()))
+				return qaaClass.getAuthnContextClassRef();
+			
+			else
+				throw new AssertionAttributeExtractorExeption("AuthnContextClassRef (QAALevel)");			
+		}
+		
+		throw new AssertionAttributeExtractorExeption("AuthnContextClassRef");		
+	}
+	
+	private AuthnStatement getAuthnStatement() throws AssertionAttributeExtractorExeption {
+		List<AuthnStatement> authnList = assertion.getAuthnStatements();
+		if (authnList.size() == 0)
+			throw new AssertionAttributeExtractorExeption("AuthnStatement");
+		
+		else if (authnList.size() > 1)
+			Logger.warn("Found more then ONE AuthnStatements in PVP2.1 assertions. Only the First is used.");
+		
+		return authnList.get(0);
+	}
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AttributeExtractor.java
deleted file mode 100644
index 666bfab3c..000000000
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AttributeExtractor.java
+++ /dev/null
@@ -1,85 +0,0 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-package at.gv.egovernment.moa.id.protocols.pvp2x.utils;
-
-import java.util.Iterator;
-import java.util.List;
-
-import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
-import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
-
-public class AttributeExtractor {
-	
-	public static String extractSAMLAttributeOA(String name, 
-			AuthenticationSession authSession) {
-		List<ExtendedSAMLAttribute> extAttributes = authSession.getExtendedSAMLAttributesOA();
-		if(extAttributes == null) {
-			return null;
-		}
-		Iterator<ExtendedSAMLAttribute> extAttributesIt = extAttributes.iterator();
-		while(extAttributesIt.hasNext()) {
-			Object attr = extAttributesIt.next();
-			if(attr instanceof ExtendedSAMLAttribute) {
-				ExtendedSAMLAttribute extAttribute = (ExtendedSAMLAttribute) attr;
-				if(extAttribute.getName().equals(name)) {
-					if(extAttribute.getValue() instanceof String) {
-						return extAttribute.getValue().toString();
-					}
-					break;
-				}
-			}
-		}
-		return null;
-	}
-	
-	public static String extractSAMLAttributeAUTH(String name, 
-			AuthenticationSession authSession) {
-		List<ExtendedSAMLAttribute> extAttributes = authSession.getExtendedSAMLAttributesAUTH();
-		if(extAttributes == null) {
-			return null;
-		}
-		Iterator<ExtendedSAMLAttribute> extAttributesIt = extAttributes.iterator();
-		while(extAttributesIt.hasNext()) {
-			Object attr = extAttributesIt.next();
-			if(attr instanceof ExtendedSAMLAttribute) {
-				ExtendedSAMLAttribute extAttribute = (ExtendedSAMLAttribute) attr;
-				if(extAttribute.getName().equals(name)) {
-					if(extAttribute.getValue() instanceof String) {
-						return extAttribute.getValue().toString();
-					}
-					break;
-				}
-			}
-		}
-		return null;
-	}
-	
-	public static String extractSAMLAttributeBOTH(String name, 
-			AuthenticationSession authSession) {
-		String value = extractSAMLAttributeOA(name, authSession);
-		if(value == null) {
-			value = extractSAMLAttributeAUTH(name, authSession);
-		}
-		return value;
-	}
-}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
index ca5cb9226..69167c75d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
@@ -22,6 +22,7 @@
  *******************************************************************************/
 package at.gv.egovernment.moa.id.storage;
 
+import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
 
@@ -36,11 +37,15 @@ import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.BuildException;
 import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils;
 import at.gv.egovernment.moa.id.commons.db.dao.session.AuthenticatedSessionStore;
+import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
 import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore;
 import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.data.EncryptedData;
 import at.gv.egovernment.moa.id.data.SLOInformationInterface;
+import at.gv.egovernment.moa.id.moduls.IRequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
 import at.gv.egovernment.moa.id.util.Random;
 import at.gv.egovernment.moa.id.util.SessionEncrytionUtil;
 import at.gv.egovernment.moa.logging.Logger;
@@ -105,6 +110,51 @@ public class AuthenticationSessionStoreage {
 		return session;
 	}
 	
+	public static String createInterfederatedSession(IRequest req, boolean isAuthenticated) throws MOADatabaseException, AssertionAttributeExtractorExeption {
+		String id = Random.nextRandom();
+		AuthenticationSession session = new AuthenticationSession(id);
+		
+		AuthenticatedSessionStore dbsession = new AuthenticatedSessionStore();
+		dbsession.setSessionid(id);
+		dbsession.setAuthenticated(isAuthenticated);
+		
+		//set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1
+		Date now = new Date();
+		dbsession.setCreated(now);
+		dbsession.setUpdated(now);
+		
+		dbsession.setSession(SerializationUtils.serialize(session));
+		
+		//add interfederation information
+		List<InterfederationSessionStore> idpList = dbsession.getInderfederation();
+		if (idpList == null)
+			idpList = new ArrayList<InterfederationSessionStore>();
+		
+		InterfederationSessionStore idp = new InterfederationSessionStore();
+		idp.setCreated(now);
+		idp.setIdpurlprefix(req.getInterfederationResponse().getEntityID());
+		
+		AssertionAttributeExtractor extract = new AssertionAttributeExtractor(req.getInterfederationResponse().getResponse());		
+		idp.setSessionIndex(extract.getSessionIndex());
+		idp.setUserNameID(extract.getNameID());
+		idp.setAttributesRequested(false);
+		idp.setQAALevel(extract.getQAALevel());
+		idpList.add(idp);
+		
+		//store AssertionStore element to Database
+		try {
+			MOASessionDBUtils.saveOrUpdate(dbsession);
+			Logger.info("MOASession with sessionID=" + id + " is stored in Database");
+			
+		} catch (MOADatabaseException e) {
+			Logger.warn("MOASession could not be created.");
+			throw new MOADatabaseException(e);
+		}
+		
+		return id;
+	}
+	
+	
 	public static void storeSession(AuthenticationSession session) throws MOADatabaseException, BuildException {
 		
 		try {
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/InterfederationSessionStore.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/InterfederationSessionStore.java
index 93734954f..1fcdd9b9b 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/InterfederationSessionStore.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/InterfederationSessionStore.java
@@ -59,6 +59,9 @@ public class InterfederationSessionStore implements Serializable{
 	@Column(name = "nameID", unique=false, nullable=false)
 	private String userNameID;
 	
+	@Column(name = "QAALevel", unique=false, nullable=false)
+	private String QAALevel;
+	
 	@Column(name = "attributesRequested", unique=false, nullable=true)
 	private boolean attributesRequested;
 	
@@ -173,6 +176,20 @@ public class InterfederationSessionStore implements Serializable{
 		this.moasession = moasession;
 	}
 
+	/**
+	 * @return the qAALevel
+	 */
+	public String getQAALevel() {
+		return QAALevel;
+	}
+
+	/**
+	 * @param qAALevel the qAALevel to set
+	 */
+	public void setQAALevel(String qAALevel) {
+		QAALevel = qAALevel;
+	}
+
 
 }
 
diff --git a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd
index e8562a57b..49d919978 100644
--- a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd
+++ b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd
@@ -485,6 +485,7 @@
 		<xsd:sequence>
 			<xsd:element name="isActive" type="xsd:boolean" default="false" minOccurs="1" maxOccurs="1"/>
 			<xsd:element name="isAdminRequired" type="xsd:boolean" default="false" minOccurs="0" maxOccurs="1"/>
+			<xsd:element name="isInterfederationIDP" type="xsd:boolean" default="false" minOccurs="0" maxOccurs="1"/>
 			<xsd:element name="AuthComponent_OA" minOccurs="0">
 				<xsd:annotation>
 					<xsd:documentation>enthält Parameter über die OA, die die