refactor Single Sign-On authentication consents evaluator to get executed by processEngine

5 files changed, 294 insertions, 13 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/AbstractAuthServletTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/AbstractAuthServletTask.java
index 68d5ae299..559d4fd4f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/AbstractAuthServletTask.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/AbstractAuthServletTask.java
@@ -12,6 +12,7 @@ import java.util.Map;
 import java.util.Map.Entry;

 

 import javax.servlet.http.HttpServletRequest;

+import javax.servlet.http.HttpServletResponse;

 

 import org.apache.commons.fileupload.FileItem;

 import org.apache.commons.fileupload.FileItemFactory;

@@ -25,6 +26,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 

 import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;

 import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;

+import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;

 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;

 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;

 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;

@@ -33,6 +35,7 @@ import at.gv.egovernment.moa.id.moduls.IRequest;
 import at.gv.egovernment.moa.id.moduls.IRequestStorage;

 import at.gv.egovernment.moa.id.process.api.ExecutionContext;

 import at.gv.egovernment.moa.id.process.springweb.MoaIdTask;

+import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController;

 import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage;

 import at.gv.egovernment.moa.logging.Logger;

 import at.gv.egovernment.moa.util.MiscUtil;

@@ -96,6 +99,23 @@ public abstract class AbstractAuthServletTask extends MoaIdTask {
 	}

 

 	/**

+	 * Redirect the authentication process to protocol specific finalization endpoint.  

+	 * 

+	 * @param pendingReq Actually processed protocol specific authentication request

+	 * @param httpResp

+	 */

+	protected void performRedirectToProtocolFinialization(IRequest pendingReq, HttpServletResponse httpResp) {

+		String redirectURL = new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(), 

+				AbstractAuthProtocolModulController.FINALIZEPROTOCOL_ENDPOINT, pendingReq.getRequestID());

+						

+		httpResp.setContentType("text/html");

+		httpResp.setStatus(302);

+		httpResp.addHeader("Location", redirectURL);		

+		Logger.debug("REDIRECT TO: " + redirectURL);

+		

+	}

+	

+	/**

 	 * Parses the request input stream for parameters, assuming parameters are

 	 * encoded UTF-8 (no standard exists how browsers should encode them).

 	 * 

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/SingleSignOnConsentsModuleImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/SingleSignOnConsentsModuleImpl.java
new file mode 100644
index 000000000..d64126de6
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/SingleSignOnConsentsModuleImpl.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules;
+
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+
+/**
+ * @author tlenz
+ *
+ */
+public class SingleSignOnConsentsModuleImpl implements AuthModule {
+
+	public static final String PARAM_SSO_CONSENTS_EVALUATION = "ssoconsentsevaluation";
+	
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#getPriority()
+	 */
+	@Override
+	public int getPriority() {
+		return 0;
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#selectProcess(at.gv.egovernment.moa.id.process.api.ExecutionContext)
+	 */
+	@Override
+	public String selectProcess(ExecutionContext context) {
+		Object evaluationObj = context.get(PARAM_SSO_CONSENTS_EVALUATION);
+		if (evaluationObj != null && evaluationObj instanceof Boolean) {
+			boolean evaluateSSOConsents = (boolean) evaluationObj;
+			if (evaluateSSOConsents) {
+				return "SSOConsentsEvluationProcess";
+				
+			}			
+		}
+			
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#getProcessDefinitions()
+	 */
+	@Override
+	public String[] getProcessDefinitions() {
+		return new String[] { "classpath:at/gv/egovernment/moa/id/auth/modules/internal/SingleSignOnConsentEvaluator.process.xml" };
+	}
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/EvaluateSSOConsentsTaskImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/EvaluateSSOConsentsTaskImpl.java
new file mode 100644
index 000000000..8dcb63550
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/EvaluateSSOConsentsTaskImpl.java
@@ -0,0 +1,115 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang.StringEscapeUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
+import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
+import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
+import at.gv.egovernment.moa.id.moduls.SSOManager;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * Evaluate the Single Sign-On user consent
+ * 
+ * @author tlenz
+ *
+ */
+public class EvaluateSSOConsentsTaskImpl extends AbstractAuthServletTask {
+
+	private static final String PARAM_SSO_CONSENTS = "value";
+	
+	@Autowired private SSOManager ssoManager;
+	
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.process.springweb.MoaIdTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+	 */
+	@Override
+	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+			throws TaskExecutionException {
+		try {
+			//evaluate SSO consents flag
+			String ssoConsentsString = request.getParameter(PARAM_SSO_CONSENTS);
+			ssoConsentsString = StringEscapeUtils.escapeHtml(ssoConsentsString);
+			if (!ParamValidatorUtils.isValidUseMandate(ssoConsentsString))
+				throw new WrongParametersException("EvaluateSSOConsentsTaskImpl", PARAM_SSO_CONSENTS, null);
+			
+			boolean ssoConsents = false;
+			if (MiscUtil.isNotEmpty(ssoConsentsString))
+				ssoConsents = Boolean.parseBoolean(ssoConsentsString);
+			
+			//perform default task initialization 
+			defaultTaskInitialization(request, executionContext);
+			
+			//check SSO session cookie and MOASession object
+			String ssoId = ssoManager.getSSOSessionID(request);
+			boolean isValidSSOSession = ssoManager.isValidSSOSession(ssoId, pendingReq);			
+			if (!(isValidSSOSession && moasession.isAuthenticated() )) {
+				Logger.info("Single Sign-On consents evaluator found NO valid SSO session. Stopping authentication process ...");
+				throw new AuthenticationException("auth.30", null);
+				
+			}
+			
+			//Log consents evaluator event to revisionslog
+			revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_SSO_ASK_USER_FINISHED, String.valueOf(ssoConsents));
+			
+			//user allow single sign-on authentication
+			if (ssoConsents) {
+				//authenticate pending-request
+				pendingReq.setAuthenticated(true);
+				
+				//store pending-request
+				requestStoreage.storePendingRequest(pendingReq);
+				
+				//redirect to auth. protocol finalization
+				performRedirectToProtocolFinialization(pendingReq, response);
+				
+			} else {
+				//user deny single sign-on authentication
+				throw new AuthenticationException("auth.21", new Object[] {});
+				
+			}
+						
+		} catch (MOAIDException e) {
+			throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+			
+		} catch (Exception e) {
+			Logger.warn("FinalizeAuthenticationTask has an internal error", e);
+			throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+			
+		}
+
+	}
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/FinalizeAuthenticationTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/FinalizeAuthenticationTask.java
index 4fd43b6ba..d1d2cdca8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/FinalizeAuthenticationTask.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/FinalizeAuthenticationTask.java
@@ -28,14 +28,12 @@ import javax.servlet.http.HttpServletResponse;
 import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
-import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.moduls.RequestImpl;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
 
@@ -93,7 +91,6 @@ public class FinalizeAuthenticationTask extends AbstractAuthServletTask {
 			
 			}
 		
-
 			//set MOASession to authenticated and store MOASession
 			moasession.setAuthenticated(true);
 			String newMOASessionID = authenticatedSessionStorage.changeSessionID(moasession);
@@ -103,16 +100,9 @@ public class FinalizeAuthenticationTask extends AbstractAuthServletTask {
 			pendingReq.setAuthenticated(true);
 			requestStoreage.storePendingRequest(pendingReq);
 		
-			Logger.info("AuthProcess finished. Redirect to Protocol Dispatcher.");
-			
-			String redirectURL = new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(), 
-					AbstractAuthProtocolModulController.FINALIZEPROTOCOL_ENDPOINT, pendingReq.getRequestID());
-							
-			response.setContentType("text/html");
-			response.setStatus(302);
-			response.addHeader("Location", redirectURL);		
-			Logger.debug("REDIRECT TO: " + redirectURL);
-			
+			Logger.info("AuthProcess finished. Redirect to Protocol Dispatcher.");			
+			performRedirectToProtocolFinialization(pendingReq, response);
+						
 		} catch (MOAIDException e) {
 			throw new TaskExecutionException(pendingReq, e.getMessage(), e);
 			
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java
new file mode 100644
index 000000000..f9f121520
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java
@@ -0,0 +1,87 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
+
+import java.io.PrintWriter;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
+import at.gv.egovernment.moa.id.auth.builder.SendAssertionFormBuilder;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * Build a Single Sign-On consents evaluator form
+ * 
+ * @author tlenz
+ *
+ */
+public class GenerateSSOConsentEvaluatorFrameTask extends AbstractAuthServletTask {
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.process.springweb.MoaIdTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+	 */
+	@Override
+	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+			throws TaskExecutionException {
+		try {
+			//perform default task initialization 
+			defaultTaskInitialization(request, executionContext);
+									
+			//set authenticated flag to false, because user consents is required
+			pendingReq.setAuthenticated(false);
+		
+			//build consents evaluator form
+			String form = SendAssertionFormBuilder.buildForm(pendingReq);
+
+			//store pending request
+			requestStoreage.storePendingRequest(pendingReq);
+			
+			//Log consents evaluator event to revisionslog
+			revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+					pendingReq, MOAIDEventConstants.AUTHPROCESS_SSO_ASK_USER_START);
+			
+			//write form to response object
+			response.setContentType("text/html;charset=UTF-8");
+			PrintWriter out = new PrintWriter(response.getOutputStream()); 
+			out.print(form);
+			out.flush();
+			
+			
+		} catch (MOAIDException e) {
+			throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+			
+		} catch (Exception e) {
+			Logger.warn("FinalizeAuthenticationTask has an internal error", e);
+			throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+			
+		}
+
+	}
+
+}