authorThomas Lenz <tlenz@iaik.tugraz.at>2017-10-13 13:18:11 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2017-10-13 13:18:11 +0200
commitd703b4201def4ea55bc865da87010972d13a434e (patch)
treed9be30af066c7cf6281a15954318d40bf37131b5 /id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
parent1a80e310ed77110a8757b78b750a6a000495b16f (diff)
enable mandates for eIDAS nodes
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java168
1 files changed, 72 insertions, 96 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 9e586b0f4..5a5d0bcf6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -267,9 +267,9 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
//####################################################
//set general authData info's
authData.setIssuer(protocolRequest.getAuthURL());
- authData.setSsoSession(protocolRequest.needSingleSignOnFunctionality());
- authData.setIsBusinessService(oaParam.getBusinessService());
-
+ authData.setSsoSession(protocolRequest.needSingleSignOnFunctionality());
+ authData.setBaseIDTransferRestrication(oaParam.hasBaseIdTransferRestriction());
+
//####################################################
//parse user info's from identityLink
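Review bot: The setter introduced on the new side, `authData.setBaseIDTransferRestrication(...)`, carries a misspelling ("Restrication") that will calcify into the `AuthenticationData` API once other callers pick it up; since this commit introduces the call, renaming it to `setBaseIDTransferRestriction` together with its declaration is cheap now and expensive later. The removed `setIsBusinessService(...)` call also means `AuthenticationData.isBusinessService` (if the field still exists) is no longer populated and any remaining reader will see its default — the declaring class is outside this file, so this needs confirming. A one-line comment such as `// businessService flag replaced by baseID transfer restriction; bPK/wbPK selection is derived from the OA target identifier` would tell the next maintainer why the flag disappeared.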
@@ -816,21 +816,11 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
* @param oaParam Service-Provider configuration, never null
* @param bPKType bPK-Type to check
* @return true, if bPK-Type matchs to Service-Provider configuration, otherwise false
+ * @throws ConfigurationException
*/
- private boolean matchsReceivedbPKToOnlineApplication(IOAAuthParameters oaParam, String bPKType) {
- String oaTarget = null;
- if (oaParam.getBusinessService()) {
- oaTarget = oaParam.getIdentityLinkDomainIdentifier();
-
- } else {
- oaTarget = Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget();
-
- }
-
- if (oaTarget.equals(bPKType))
- return true;
- else
- return false;
+ private boolean matchsReceivedbPKToOnlineApplication(IOAAuthParameters oaParam, String bPKType) throws ConfigurationException {
+ return oaParam.getAreaSpecificTargetIdentifier().equals(bPKType);
+
}
private void parseBasicUserInfosFromIDL(AuthenticationData authData, IIdentityLink identityLink, Collection<String> includedGenericSessionData) {
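Review bot: `oaParam.getAreaSpecificTargetIdentifier().equals(bPKType)` dereferences the configured identifier unconditionally, so a service provider without a resolvable target identifier turns a bPK-type check into a NullPointerException rather than a "no match" result (the old code had the same gap via `oaTarget.equals`). A null-safe form keeps the contract stated in the Javadoc: `String oaTarget = oaParam.getAreaSpecificTargetIdentifier();` followed by `return oaTarget != null && oaTarget.equals(bPKType);`. The added `@throws ConfigurationException` tag has no description here and again at the next hunk on `getEncryptedbPKFromPVPAttribute`; `@throws ConfigurationException if the Service-Provider target identifier can not be resolved from configuration` would document when callers should expect it.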
@@ -918,9 +908,10 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
*
* @return Pair<bPK, bPKType> which was received by PVP-Attribute and could be decrypted for this Service Provider,
* or <code>null</code> if no attribute exists or can not decrypted
+ * @throws ConfigurationException
*/
private Pair<String, String> getEncryptedbPKFromPVPAttribute(IAuthenticationSession session,
- AuthenticationData authData, IOAAuthParameters spConfig) {
+ AuthenticationData authData, IOAAuthParameters spConfig) throws ConfigurationException {
//set List of encrypted bPKs to authData DAO
String pvpEncbPKListAttr = session.getGenericDataFromSession(PVPConstants.ENC_BPK_LIST_NAME, String.class);
if (MiscUtil.isNotEmpty(pvpEncbPKListAttr)) {
@@ -935,35 +926,44 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
String second = fullEncbPK.substring(0, index);
int secIndex = second.indexOf("+");
if (secIndex >= 0) {
- if (spConfig.getTarget().equals(second.substring(secIndex+1))) {
- Logger.debug("Found encrypted bPK for online-application "
- + spConfig.getPublicURLPrefix()
- + " Start decryption process ...");
- PrivateKey privKey = spConfig.getBPKDecBpkDecryptionKey();
- if (privKey != null) {
- try {
- String bPK = BPKBuilder.decryptBPK(encbPK, spConfig.getTarget(), privKey);
- if (MiscUtil.isNotEmpty(bPK)) {
- Logger.info("bPK decryption process finished successfully.");
- return Pair.newInstance(bPK, Constants.URN_PREFIX_CDID + "+" + spConfig.getTarget());
-
- } else {
- Logger.error("bPK decryption FAILED.");
-
+ String oaTargetId = spConfig.getAreaSpecificTargetIdentifier();
+ if (oaTargetId.startsWith(MOAIDAuthConstants.PREFIX_CDID)) {
+ String publicServiceShortTarget = oaTargetId.substring(MOAIDAuthConstants.PREFIX_CDID.length());
+ if (publicServiceShortTarget.equals(second.substring(secIndex+1))) {
+ Logger.debug("Found encrypted bPK for online-application "
+ + spConfig.getPublicURLPrefix()
+ + " Start decryption process ...");
+ PrivateKey privKey = spConfig.getBPKDecBpkDecryptionKey();
+ if (privKey != null) {
+ try {
+ String bPK = BPKBuilder.decryptBPK(encbPK, publicServiceShortTarget, privKey);
+ if (MiscUtil.isNotEmpty(bPK)) {
+ Logger.info("bPK decryption process finished successfully.");
+ return Pair.newInstance(bPK, oaTargetId);
+
+ } else {
+ Logger.error("bPK decryption FAILED.");
+
+ }
+ } catch (BuildException e) {
+ Logger.error("bPK decryption FAILED.", e);
+
}
- } catch (BuildException e) {
- Logger.error("bPK decryption FAILED.", e);
- }
+ } else {
+ Logger.info("bPK decryption FAILED, because no valid decryption key is found.");
+
+ }
} else {
- Logger.info("bPK decryption FAILED, because no valid decryption key is found.");
+ Logger.info("Found encrypted bPK but " +
+ "encrypted bPK target does not match to online-application target");
- }
+ }
} else {
- Logger.info("Found encrypted bPK but " +
- "encrypted bPK target does not match to online-application target");
+ Logger.info("Encrypted bPKs are only allowed for public services with prefix: " + MOAIDAuthConstants.PREFIX_CDID
+ + " BUT oaTarget is " + oaTargetId);
}
}
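Review bot: `oaTargetId.startsWith(MOAIDAuthConstants.PREFIX_CDID)` runs before any null check, so an SP whose target identifier cannot be resolved fails with a NullPointerException inside the attribute loop instead of reaching the informational `else` branch; `if (oaTargetId != null && oaTargetId.startsWith(MOAIDAuthConstants.PREFIX_CDID)) {` makes the existing "only allowed for public services" log the outcome. The slicing `oaTargetId.substring(MOAIDAuthConstants.PREFIX_CDID.length())` presumably relies on `PREFIX_CDID` including the trailing `+` separator — the removed code built the type from `Constants.URN_PREFIX_CDID + "+"`, a different constant — so a comment like `// PREFIX_CDID ends with the '+' separator, so the remainder is the short public-service target` would pin that assumption where a later constant change would break both the match and the decryption input. The enclosing method body continues outside this hunk.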
@@ -1066,7 +1066,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
}
private IIdentityLink buildOAspecificIdentityLink(IOAAuthParameters oaParam, IIdentityLink idl, String bPK, String bPKType) throws MOAIDException {
- if (oaParam.getBusinessService()) {
+ if (oaParam.hasBaseIdTransferRestriction()) {
Element idlassertion = idl.getSamlAssertion();
//set bpk/wpbk;
Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
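Review bot: Switching the guard from `oaParam.getBusinessService()` to `oaParam.hasBaseIdTransferRestriction()` changes which service providers get an identity link rewritten with the sector-specific bPK, and nothing in the hunk says why the new predicate is the right one; a why-comment belongs on the condition, e.g. `// rewrite the IDL with the sector-specific identifier whenever the baseID must not leave the system for this OA (covers private-sector and eIDAS targets) — TODO confirm every former business-service case sets this restriction`. Whether the two predicates coincide for all existing configurations can't be verified from this file. The method body continues outside the hunk.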
@@ -1097,69 +1097,45 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
}
- private Pair<String, String> buildOAspecificbPK(IRequest pendingReq, IOAAuthParameters oaParam, AuthenticationData authData) throws BuildException {
+ private Pair<String, String> buildOAspecificbPK(IRequest pendingReq, IOAAuthParameters oaParam, AuthenticationData authData) throws BuildException, ConfigurationException {
- String bPK;
- String bPKType;
-
String baseID = authData.getIdentificationValue();
- String baseIDType = authData.getIdentificationType();
-
- if (Constants.URN_PREFIX_BASEID.equals(baseIDType)) {
- //Calculate eIDAS identifier
- if (oaParam.getBusinessService() &&
- oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_EIDAS)) {
- String[] splittedTarget = oaParam.getIdentityLinkDomainIdentifier().split("\\+");
- String cititzenCountryCode = splittedTarget[1];
- String eIDASOutboundCountry = splittedTarget[2];
-
- if (cititzenCountryCode.equalsIgnoreCase(eIDASOutboundCountry)) {
- Logger.warn("Suspect configuration FOUND!!! CitizenCountry equals DestinationCountry");
-
- }
-
- Pair<String, String> eIDASID = new BPKBuilder().buildeIDASIdentifer(baseID, baseIDType,
- cititzenCountryCode, eIDASOutboundCountry);
- Logger.debug("Authenticate user with bPK:" + eIDASID.getFirst() + " Type:" + eIDASID.getSecond());
- return eIDASID;
-
- } else if (oaParam.getBusinessService()) {
- //is Austrian private-service application
- String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier();
- bPK = new BPKBuilder().buildbPKorwbPK(baseID, registerAndOrdNr);
- bPKType = registerAndOrdNr;
-
- } else {
- // only compute bPK if online application is a public service and we have the Stammzahl
- String target = null;
- Class<?> saml1RequstTemplate = null;
- try {
- saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl");
- if (saml1RequstTemplate != null &&
- saml1RequstTemplate.isInstance(pendingReq)) {
- target = (String) pendingReq.getClass().getMethod("getTarget").invoke(pendingReq);
+ String baseIDType = authData.getIdentificationType();
+ Pair<String, String> sectorSpecId = null;
+
+ if (Constants.URN_PREFIX_BASEID.equals(baseIDType)) {
+ //SAML1 legacy target parameter work-around
+ String oaTargetId = null;
+ Class<?> saml1RequstTemplate = null;
+ try {
+ saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl");
+ if (saml1RequstTemplate != null &&
+ saml1RequstTemplate.isInstance(pendingReq)) {
+ oaTargetId = (String) pendingReq.getClass().getMethod("getTarget").invoke(pendingReq);
- }
+ }
- } catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException | java.lang.SecurityException | InvocationTargetException | NoSuchMethodException ex) { }
+ } catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException | java.lang.SecurityException | InvocationTargetException | NoSuchMethodException ex) { }
+
+ if (MiscUtil.isEmpty(oaTargetId)) {
+ oaTargetId = oaParam.getAreaSpecificTargetIdentifier();
+ Logger.debug("Use OA target identifier '" + oaTargetId + "' from configuration");
- if (MiscUtil.isEmpty(target))
- target = oaParam.getTarget();
-
- bPK = new BPKBuilder().buildBPK(baseID, target);
- bPKType = Constants.URN_PREFIX_CDID + "+" + target;
-
- }
-
+ } else
+ Logger.info("Use OA target identifier '" + oaTargetId + "' from SAML1 request for bPK calculation");
+
+ //calculate sector specific unique identifier
+ sectorSpecId = new BPKBuilder().generateAreaSpecificPersonIdentifier(baseID, oaTargetId);
+
+
} else {
- Logger.warn("!!!baseID-element does not include a baseID. This should not be happen any more!!!");
- bPK = baseID;
- bPKType = baseIDType;
-
+ Logger.fatal("!!!baseID-element does not include a baseID. This should not be happen any more!!!");
+ sectorSpecId = Pair.newInstance(baseID, baseIDType);
+
}
- Logger.trace("Authenticate user with bPK:" + bPK + " Type:" + bPKType);
- return Pair.newInstance(bPK, bPKType);
+ Logger.trace("Authenticate user with bPK:" + sectorSpecId.getFirst() + " Type:" + sectorSpecId.getSecond());
+ return sectorSpecId;
}
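Review bot: The multi-catch at the re-added `} catch (ClassNotFoundException | ... | NoSuchMethodException ex) { }` still swallows every reflective failure silently, so a broken SAML1 class lookup falls back to the configured target with no trace at all; logging it at debug in the catch body (`Logger.debug("SAML1 request class not available, using configured OA target", ex);`) keeps the best-effort behaviour while leaving a record. The single-statement `} else` before `Logger.info("Use OA target identifier ...")` is unbraced, which is easy to mis-extend, and `Pair<String, String> sectorSpecId = null;` is assigned on every path so the initialiser can go. The `Logger.fatal(...)` branch logs a fatal condition but then returns `Pair.newInstance(baseID, baseIDType)` as the user's identifier anyway; if that state really must not occur, throwing a `BuildException` there would be more consistent than continuing with an unverified value.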