SSO and Configuration updated

TODO:
  --PVP2 from configuration
  --UseIFrame for OAs
  --SSO with mandates
  --Resign IdentityLink
  --Encrypted MOASession in Database

1 files changed, 218 insertions, 3 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index ba7893412..d0fb1f87f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -35,9 +35,13 @@ import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
 import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
 import at.gv.egovernment.moa.id.auth.data.IdentityLink;
 import at.gv.egovernment.moa.id.auth.data.SAMLAttribute;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.egovernment.moa.util.StringUtils;
 import at.gv.egovernment.moa.util.XPathUtils;
 
@@ -243,9 +247,15 @@ public class CreateXMLSignatureResponseValidator {
     if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
       String samlSpecialText = (String)samlAttribute.getValue();
       
-      //TODO:load Text from OA config
-      //String text = "Hiermit bestätige ich, #NAME#, die Übernahme sämtlicher eingelangter Zustellstücke zum #DATE# um #TIME#.";
-      String text = "";
+    String text = "";
+    try {
+		OAAuthParameter oaparam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(session.getPublicOAURLPrefix());
+		if (MiscUtil.isNotEmpty(text = oaparam.getAditionalAuthBlockText()))
+			Logger.info("Use addional AuthBlock Text from OA=" + oaparam.getPublicURLPrefix());
+	} catch (ConfigurationException e) {
+		Logger.warn("Addional AuthBlock Text can not loaded from OA!", e);
+	}
+      
       
       String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, issueInstant);
       if (!samlSpecialText.equals(specialText)) {
@@ -333,6 +343,211 @@ public class CreateXMLSignatureResponseValidator {
     }
   }
   
+  /**
+   * The Method validate is used for validating an explicit {@link CreateXMLSignatureResponse}
+   * @param createXMLSignatureResponse
+   * @param session
+   * @throws ValidateException
+   */
+  public void validateSSO(CreateXMLSignatureResponse createXMLSignatureResponse, AuthenticationSession session)
+   throws ValidateException {
+      
+      // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier
+    
+	String oaURL;
+    try {
+		oaURL = AuthConfigurationProvider.getInstance().getSSOPublicUrl();
+	} catch (ConfigurationException e1) {
+		oaURL = new String();
+	} 
+    
+    IdentityLink identityLink = session.getIdentityLink();
+    
+    Element samlAssertion = createXMLSignatureResponse.getSamlAssertion(); 
+    String issuer = samlAssertion.getAttribute("Issuer");
+    if (issuer == null) {
+      // should not happen, because parser would dedect this
+      throw new ValidateException("validator.32", null);
+    }
+    // replace ' in name with '
+    issuer = issuer.replaceAll("'", "'");
+    
+    String issueInstant = samlAssertion.getAttribute("IssueInstant");
+    if (!issueInstant.equals(session.getIssueInstant())) {
+      throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()});
+    }
+    
+    String name = identityLink.getName();
+    
+    if (!issuer.equals(name)) {
+      throw new ValidateException("validator.33", new Object[] {issuer, name});
+    }     
+       
+    SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes();
+
+    boolean foundOA = false;
+    boolean foundGB = false;
+    boolean foundWBPK = false;
+    int offset = 0;
+    
+    // check number of SAML aatributes
+    List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
+    int extendedSAMLAttributesNum = 0;
+    if (extendedSAMLAttributes != null) {
+      extendedSAMLAttributesNum = extendedSAMLAttributes.size();
+    }
+    int expectedSAMLAttributeNumber = 
+      AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + extendedSAMLAttributesNum;
+    if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--;
+    int actualSAMLAttributeNumber = samlAttributes.length;
+    if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) {
+      Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " + 
+        expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber);
+      throw new ValidateException(
+        "validator.36", 
+        new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)});
+    }
+    
+    SAMLAttribute samlAttribute;
+    if (!session.getSAMLAttributeGebeORwbpk()) {
+      offset--;
+    }
+
+    // check the first attribute (must be "OA")
+    samlAttribute = samlAttributes[0 + offset];
+    if (!samlAttribute.getName().equals("OA")) {
+      throw new ValidateException(
+          "validator.37", 
+          new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)});
+    }
+    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+      foundOA = true;            
+      if (!oaURL.equals((String)samlAttribute.getValue())) {  // CHECKS für die AttributeVALUES fehlen noch             
+        throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()}); 
+      }             
+    } else {
+      throw new ValidateException("validator.15", null);
+    }
+      
+    // check the third attribute (must be "Geburtsdatum")
+    samlAttribute = samlAttributes[1 + offset];
+    if (!samlAttribute.getName().equals("Geburtsdatum")) {
+      throw new ValidateException(
+          "validator.37", 
+          new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)});
+    }
+    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+      String samlDateOfBirth = (String)samlAttribute.getValue();
+      String dateOfBirth = identityLink.getDateOfBirth();
+      if (!samlDateOfBirth.equals(dateOfBirth)) {
+        throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth});
+      }
+    } else {
+      throw new ValidateException("validator.35", null);
+    }
+     
+    // check four attribute could be a special text
+    samlAttribute = samlAttributes[2 + offset];
+    if (!samlAttribute.getName().equals("SpecialText")) {
+      throw new ValidateException(
+          "validator.37", 
+          new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(3)});
+    }
+    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {
+      String samlSpecialText = (String)samlAttribute.getValue();
+      
+    String text = "";
+    try {
+		if (MiscUtil.isNotEmpty(text = AuthConfigurationProvider.getInstance().getSSOSpecialText()))
+			Logger.info("Use addional AuthBlock Text from SSO=" +text);
+		else
+			text = new String();
+	} catch (ConfigurationException e) {
+		Logger.warn("Addional AuthBlock Text can not loaded from SSO!", e);
+	}
+      
+      
+      String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, issueInstant);
+      if (!samlSpecialText.equals(specialText)) {
+        throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText});
+      }
+    } else {
+      throw new ValidateException("validator.35", null);
+    }
+    
+    // now check the extended SAML attributes
+    int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES_SSO + offset;
+    if (extendedSAMLAttributes != null) {
+      Iterator it = extendedSAMLAttributes.iterator();
+      while (it.hasNext()) {
+        ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next();
+        samlAttribute = samlAttributes[i];
+        String actualName = samlAttribute.getName();
+        String expectedName = extendedSAMLAttribute.getName();
+        if (!actualName.equals(expectedName)) {
+          throw new ValidateException(
+            "validator.38", 
+            new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName });
+        }
+        String actualNamespace = samlAttribute.getNamespace();
+        String expectedNamespace = extendedSAMLAttribute.getNameSpace();
+        if (!actualNamespace.equals(expectedNamespace)) {
+          throw new ValidateException(
+            "validator.38", 
+            new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, });
+        }
+        Object expectedValue = extendedSAMLAttribute.getValue();
+        Object actualValue = samlAttribute.getValue();
+        try {
+          if (expectedValue instanceof String) {
+            // replace \r\n because text might be base64-encoded
+            String expValue = StringUtils.replaceAll((String)expectedValue,"\r","");
+            expValue = StringUtils.replaceAll(expValue,"\n","");
+            String actValue = StringUtils.replaceAll((String)actualValue,"\r","");
+            actValue = StringUtils.replaceAll(actValue,"\n","");
+            if (!expValue.equals(actValue)) {
+              throw new ValidateException(
+              "validator.38", 
+              new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue });          
+            }
+          } else if (expectedValue instanceof Element) {
+            // only check the name of the element
+            String actualElementName = ((Element)actualValue).getNodeName();
+            String expectedElementName = ((Element)expectedValue).getNodeName();
+            if (!(expectedElementName.equals(actualElementName))){
+              throw new ValidateException(
+              "validator.38", 
+              new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName});          
+            }
+          } else {
+            // should not happen
+            throw new ValidateException(
+              "validator.38", 
+              new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()});
+          }
+        } catch (ClassCastException e) {
+          throw new ValidateException(
+              "validator.38", 
+              new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()});
+        }
+        i++;
+      }
+    }
+    
+    
+    if (!foundOA) throw new ValidateException("validator.14", null); 
+  
+     //Check if dsig:Signature exists
+//    NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature");
+//    if (nl.getLength() != 1) {
+//      throw new ValidateException("validator.05", null);
+//    }
+    Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH);
+    if (dsigSignature == null) {    
+      throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ;
+    }
+  }
+  
   public void validateSigningDateTime( CreateXMLSignatureResponse csresp) throws ValidateException {
 	
 	  //TODO: insert Time validation!!!!