authorharald.bratko <harald.bratko@d688527b-c9ab-4aba-bd8d-4036d912da1d>2005-07-22 15:11:48 +0000
committerharald.bratko <harald.bratko@d688527b-c9ab-4aba-bd8d-4036d912da1d>2005-07-22 15:11:48 +0000
commitc8223bd5aaf9466fb6c72fe8a5a13b1b105b7c17 (patch)
treeb5ecda8d6df344cb3ebe245c24ccb012686d175d /id.server/src/at/gv/egovernment/moa/id/auth/validator
parent44a961d0df8d9721b1bdb8185e3a68df762c5ba6 (diff)
updated for wbPK
git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@398 d688527b-c9ab-4aba-bd8d-4036d912da1d
Diffstat (limited to 'id.server/src/at/gv/egovernment/moa/id/auth/validator')
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java98
-rw-r--r--id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java21
2 files changed, 81 insertions, 38 deletions
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index 3c15b9ec4..2eafaa297 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -2,6 +2,7 @@ package at.gv.egovernment.moa.id.auth.validator;
import org.w3c.dom.Element;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
import at.gv.egovernment.moa.id.auth.data.SAMLAttribute;
import at.gv.egovernment.moa.util.Constants;
@@ -17,7 +18,7 @@ import at.gv.egovernment.moa.util.XPathUtils;
*/
public class CreateXMLSignatureResponseValidator {
- /** Xpath prefix for reaching SecurityLayer 1.0 Namespaces */
+ /** Xpath prefix for reaching SAML Namespaces */
private static final String SAML = Constants.SAML_PREFIX + ":";
/** Xpath prefix for reaching XML-DSIG Namespaces */
private static final String DSIG = Constants.DSIG_PREFIX + ":";
@@ -59,45 +60,78 @@ public class CreateXMLSignatureResponseValidator {
* @param oaURL
* @throws ValidateException
*/
- public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, String gbTarget, String oaURL)
+ public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, AuthenticationSession session)
throws ValidateException {
// A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier
-
-
- XPathUtils.selectNodeList(createXMLSignatureResponse.getSamlAssertion(),SAML_SUBJECT_NAME_IDENTIFIER_XPATH);
+
+ String gbTarget = session.getTarget();
+ String oaURL = session.getPublicOAURLPrefix();
+ boolean businessService = session.getBusinessService();
+
+// XPathUtils.selectNodeList(createXMLSignatureResponse.getSamlAssertion(),SAML_SUBJECT_NAME_IDENTIFIER_XPATH);
- SAMLAttribute[] samlattributes = createXMLSignatureResponse.getSamlAttributes();
+ SAMLAttribute[] samlattributes = createXMLSignatureResponse.getSamlAttributes();
- boolean foundOA = false;
- boolean foundGB = false;
- for (int i = 0; i < samlattributes.length; i++)
- {
- if (samlattributes[i].getName().equals("Geschaeftsbereich"))
- if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#"))
-
- {
- foundGB = true;
- if (!gbTarget.equals(samlattributes[i].getValue()))
- {
- throw new ValidateException("validator.13", null);
- }
+ boolean foundOA = false;
+ boolean foundGB = false;
+ boolean foundWBPK = false;
+
+ for (int i = 0; i < samlattributes.length; i++) {
+ if (samlattributes[i].getName().equals("Geschaeftsbereich")) {
+ if (businessService) {
+ throw new ValidateException("validator.26", null);
+ }
+ if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundGB = true;
+ if (!gbTarget.equals((String)samlattributes[i].getValue())) {
+ throw new ValidateException("validator.13", null);
+ }
+ } else {
+ throw new ValidateException("validator.12", null);
+ }
+ }
+ if (samlattributes[i].getName().equals("OA")) {
+ if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundOA = true;
+ if (!oaURL.equals((String)samlattributes[i].getValue())) { // CHECKS für die AttributeVALUES fehlen noch
+ throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlattributes[i].getValue()});
+ }
+ } else {
+ throw new ValidateException("validator.15", null);
+ }
+ }
+ if (samlattributes[i].getName().equals("wbPK")) {
+ if (!businessService) {
+ throw new ValidateException("validator.27", null);
+ }
+ if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+ foundWBPK = true;
+ try {
+ Element attrValue = (Element)samlattributes[i].getValue();
+ String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue();
+ String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue();
+ if (!value.equals(session.getIdentityLink().getIdentificationValue())) {
+ throw new ValidateException("validator.28", null);
}
- else throw new ValidateException("validator.12", null);
- if (samlattributes[i].getName().equals("OA"))
- if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#"))
- {
- foundOA = true;
- if (!oaURL.equals(samlattributes[i].getValue())) // CHECKS für die AttributeVALUES fehlen noch
- {
- throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlattributes[i].getValue()});
- }
-
+ if (!type.equals(session.getIdentityLink().getIdentificationType())) {
+ throw new ValidateException("validator.28", null);
}
- else throw new ValidateException("validator.15", null);
- }
- if (!foundOA) throw new ValidateException("validator.14", null);
+ } catch (Exception ex) {
+ throw new ValidateException("validator.29", null);
+ }
+ } else {
+ throw new ValidateException("validator.30", null);
+ }
+ }
+ }
+
+ if (!foundOA) throw new ValidateException("validator.14", null);
+ if (businessService) {
+ if (!foundWBPK) throw new ValidateException("validator.31", null);
+ } else {
if (!foundGB) throw new ValidateException("validator.11", null);
+ }
//Check if dsig:Signature exists
Element dsigSignature = (Element) XPathUtils.selectSingleNode(createXMLSignatureResponse.getSamlAssertion(),DSIG + "Signature");
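Review bot: The two `throw new ValidateException("validator.28", null)` statements on the wbPK value and type comparisons sit inside the `try` whose `catch (Exception ex)` rethrows everything as `validator.29`, so an identity mismatch is reported to the caller as an extraction failure and the original exception is dropped. Rethrow the validation error untouched, e.g. `} catch (ValidateException ex) { throw ex; } catch (Exception ex) {`, or move the two comparisons after the try block so that only the DOM extraction is guarded. The new `(String)` casts on the Geschaeftsbereich and OA values will, if `getValue()` can now return a non-String node as the wbPK branch implies, surface as a ClassCastException rather than a ValidateException for a malformed response; an `instanceof String` check before the cast keeps such input inside the validator's error contract. The comment at the top of the method still announces an A3.056 check for more than one NameIdentifier, but the XPath call below it is now commented out and its result was never inspected even before, so either implement that check or remove the comment and the dead line together. validate() continues past the end of this hunk.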
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
index 5adbc5b3d..1127b3f43 100644
--- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
@@ -11,6 +11,7 @@ import iaik.x509.X509Certificate;
import at.gv.egovernment.moa.id.auth.data.IdentityLink;
import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
+import at.gv.egovernment.moa.logging.Logger;
/**
* This class is used to validate an {@link VerifyXMLSignatureResponse}
@@ -46,11 +47,15 @@ public class VerifyXMLSignatureResponseValidator {
* @param verifyXMLSignatureResponse the <code>&lt;VerifyXMLSignatureResponse&gt;</code>
* @param identityLinkSignersSubjectDNNames subject names configured
* @param whatToCheck is used to identify whether the identityLink or the Auth-Block is validated
+ * @param ignoreManifestValidationResult specifies whether the validation result of the
+ * manifest has to be ignored (identityLink validation if
+ * the OA is a business service) or not
* @throws ValidateException on any validation error
*/
- public void validate(
- VerifyXMLSignatureResponse verifyXMLSignatureResponse,
- String[] identityLinkSignersSubjectDNNames, String whatToCheck)
+ public void validate(VerifyXMLSignatureResponse verifyXMLSignatureResponse,
+ String[] identityLinkSignersSubjectDNNames,
+ String whatToCheck,
+ boolean ignoreManifestValidationResult)
throws ValidateException {
if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0)
@@ -74,9 +79,13 @@ public class VerifyXMLSignatureResponseValidator {
else
throw new ValidateException("validator.19", new Object[] { checkFailedReason } );
}
- if (verifyXMLSignatureResponse.isXmlDSIGManigest())
- if (verifyXMLSignatureResponse.getXmlDSIGManifestCheckCode() != 0)
- throw new ValidateException("validator.08", null);
+ if (ignoreManifestValidationResult) {
+ Logger.debug("OA type is business service, thus ignoring DSIG manifest validation result");
+ } else {
+ if (verifyXMLSignatureResponse.isXmlDSIGManigest())
+ if (verifyXMLSignatureResponse.getXmlDSIGManifestCheckCode() != 0)
+ throw new ValidateException("validator.08", null);
+ }
//Check whether the returned X509 SubjectName is in the MOA-ID configuration or not
if (identityLinkSignersSubjectDNNames != null) {
String subjectDN = "";
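Review bot: When `ignoreManifestValidationResult` is set, a failed manifest check is discarded with only a debug-level line that does not record the check code, so a rejected manifest on a business-service identity link leaves no trace in normal logs. Record the outcome in the message and consider a higher log level if the project's Logger offers one, e.g. `Logger.debug("Ignoring DSIG manifest check result " + verifyXMLSignatureResponse.getXmlDSIGManifestCheckCode() + " (OA is a business service)");`. The log text asserts that the OA is a business service, which the parameter name does not guarantee; the Javadoc in the previous hunk ties the flag to that case, so a name that states the condition rather than the effect would make call sites self-explaining, if callers are indeed limited to that case. The brace-less nested `if` statements on the manifest check predate the commit, but since the lines are rewritten anyway they read better as one `&&` condition with braces. validate() starts in the previous hunk and ends outside this one.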