author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2018-06-14 13:55:39 +0200 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2018-06-14 13:55:39 +0200 |
commit | 3b26a365d832d4b0664777d2c348606247022564 (patch) | |
tree | ce9d87c9144d75afad3be5fe4af503f7c4d78b4f /id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth | |
parent | 2a073c6727d704271e17d9b682be28410f23aae7 (diff) | |
some more stuff
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth')
6 files changed, 62 insertions, 137 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index efe28c900..738f733a8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -36,11 +36,6 @@ import java.util.List;
 import javax.naming.ldap.LdapName;
 import javax.naming.ldap.Rdn;
-import org.opensaml.saml2.core.Attribute;
-import org.opensaml.saml2.core.AttributeQuery;
-import org.opensaml.saml2.core.Response;
-import org.opensaml.ws.soap.common.SOAPException;
-import org.opensaml.xml.XMLObject;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.w3c.dom.DOMException;
@@ -49,10 +44,12 @@ import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
 import at.gv.egiz.eaaf.core.api.idp.IAuthData;
 import at.gv.egiz.eaaf.core.api.idp.IAuthenticationDataBuilder;
 import at.gv.egiz.eaaf.core.exceptions.EAAFAuthenticationException;
 import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException;
+import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException;
 import at.gv.egiz.eaaf.core.impl.idp.AuthenticationData;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionWrapper;
@@ -71,7 +68,6 @@ import at.gv.egovernment.moa.id.commons.api.data.IMISMandate;
 import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
-import at.gv.egovernment.moa.id.commons.api.exceptions.SessionDataStorageException;
 import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore;
 import at.gv.egovernment.moa.id.config.auth.OAAuthParameterDecorator;
 import at.gv.egovernment.moa.id.data.AuthenticationRoleFactory;
@@ -80,17 +76,9 @@ import at.gv.egovernment.moa.id.data.MOAAuthenticationData;
 import at.gv.egovernment.moa.id.data.Pair;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
-import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException;
-import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
-import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
-import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;
-import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
-import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
 import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.IdentityLinkReSigner;
-import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper;
+import at.gv.egovernment.moa.id.util.LoALevelMapper;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.Base64Utils;
 import at.gv.egovernment.moa.util.Constants;
@@ -112,9 +100,6 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu
 @Autowired private IAuthenticationSessionStoreage authenticatedSessionStorage;
 @Autowired protected AuthConfiguration authConfig;
- @Autowired private AttributQueryBuilder attributQueryBuilder;
- @Autowired private SAMLVerificationEngineSP samlVerificationEngine;
- @Autowired(required=true) private MOAMetadataProvider metadataProvider;
 @Override public IAuthData buildAuthenticationData(IRequest pendingReq) throws EAAFAuthenticationException {
@@ -193,82 +178,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu
 return authdata;
 }
-
- /**
- * Get PVP authentication attributes by using a SAML2 AttributeQuery
- *
- * @param reqQueryAttr List of PVP attributes which are requested
- * @param userNameID SAML2 UserNameID of the user for which attributes are requested
- * @param idpConfig Configuration of the IDP, which is requested
- * @return
- * @return PVP attribute DAO, which contains all received information
- * @throws MOAIDException
- */
- public AssertionAttributeExtractor getAuthDataFromAttributeQuery(List<Attribute> reqQueryAttr,
- String userNameID, IOAAuthParameters idpConfig, String spEntityID) throws MOAIDException{
- String idpEnityID = idpConfig.getPublicURLPrefix();
-
- try {
- Logger.debug("Starting AttributeQuery process ...");
- //collect attributes by using BackChannel communication
- String endpoint = idpConfig.getIDPAttributQueryServiceURL();
- if (MiscUtil.isEmpty(endpoint)) {
- Logger.error("No AttributeQueryURL for interfederationIDP " + idpEnityID);
- throw new ConfigurationException("config.26", new Object[]{idpEnityID});
-
- }
-
- //build attributQuery request
- AttributeQuery query = attributQueryBuilder.buildAttributQueryRequest(spEntityID, userNameID, endpoint, reqQueryAttr);
-
- //build SOAP request
- List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query);
-
- if (xmlObjects.size() == 0) {
- Logger.error("Receive emptry AttributeQuery response-body.");
- throw new AttributQueryException("auth.27",
- new Object[]{idpEnityID, "Receive emptry AttributeQuery response-body."});
-
- }
-
- Response intfResp;
- if (xmlObjects.get(0) instanceof Response) {
- intfResp = (Response) xmlObjects.get(0);
-
- //validate PVP 2.1 response
- try {
- samlVerificationEngine.verifyIDPResponse(intfResp,
- TrustEngineFactory.getSignatureKnownKeysTrustEngine(
- metadataProvider));
-
- //create assertion attribute extractor from AttributeQuery response
- return new AssertionAttributeExtractor(intfResp);
-
- } catch (Exception e) {
- Logger.warn("PVP 2.1 assertion validation FAILED.", e);
- throw new AssertionValidationExeption("auth.27",
- new Object[]{idpEnityID, e.getMessage()}, e);
- }
-
- } else {
- Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response");
- throw new AttributQueryException("auth.27",
- new Object[]{idpEnityID, "Receive AttributeQuery response-body include no PVP 2.1 response"});
- }
-
- } catch (SOAPException e) {
- throw new BuildException("builder.06", null, e);
-
- } catch (SecurityException e) {
- throw new BuildException("builder.06", null, e);
-
- } catch (org.opensaml.xml.security.SecurityException e1) {
- throw new BuildException("builder.06", null, e1);
-
- }
- }
-
 private void buildAuthDataFormMOASession(MOAAuthenticationData authData, IAuthenticationSession session, IOAAuthParameters oaParam, IRequest protocolRequest) throws BuildException, ConfigurationException {
@@ -372,32 +282,43 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu
 //####################################################
 //set QAA level
 includedToGenericAuthData.remove(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME);
+ String currentLoA = null;
 if (MiscUtil.isNotEmpty(session.getQAALevel()))
- authData.setQAALevel(session.getQAALevel());
-
+ currentLoA = session.getQAALevel();
 else {
- String qaaLevel = session.getGenericDataFromSession(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME, String.class);
- if (MiscUtil.isNotEmpty(qaaLevel)) {
- Logger.debug("Find PVP-Attr '" + PVPConstants.EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME + "':" + qaaLevel
+ currentLoA = session.getGenericDataFromSession(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME, String.class);
+ if (MiscUtil.isNotEmpty(currentLoA)) {
+ Logger.debug("Find PVP-Attr '" + PVPConstants.EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME + "':" + currentLoA
 + " --> Parse QAA-Level from that attribute.");
-
- if (qaaLevel.startsWith(PVPConstants.STORK_QAA_PREFIX)) {
- authData.setQAALevel(qaaLevel);
-
- } else {
- Logger.debug("Found PVP QAA level. QAA mapping process starts ... ");
- String mappedQAA = PVPtoSTORKMapper.getInstance().mapToQAALevel(qaaLevel);
- if (MiscUtil.isNotEmpty(mappedQAA))
- authData.setQAALevel(mappedQAA);
-
- }
+ }
 }
+
+ if (MiscUtil.isNotEmpty(currentLoA)) {
+ if (currentLoA.startsWith(PVPConstants.STORK_QAA_PREFIX)) {
+ authData.setQAALevel(currentLoA);
+ authData.seteIDASLoA(LoALevelMapper.getInstance().mapSTORKQAAToeIDASQAA(currentLoA));
+
+ } else if (currentLoA.startsWith(EAAFConstants.EIDAS_QAA_PREFIX)) {
+ authData.setQAALevel(LoALevelMapper.getInstance().mapeIDASQAAToSTORKQAA(currentLoA));
+ authData.seteIDASLoA(currentLoA);
+
+ } else {
+ Logger.debug("Found PVP QAA level. QAA mapping process starts ... ");
+ String mappedStorkQAA = LoALevelMapper.getInstance().mapToQAALevel(currentLoA);
+ if (MiscUtil.isNotEmpty(mappedStorkQAA)) {
+ authData.setQAALevel(currentLoA);
+ authData.seteIDASLoA(LoALevelMapper.getInstance().mapSTORKQAAToeIDASQAA(currentLoA));
+
+ }
+ }
+ }
 //if no QAA level is set in MOASession then set default QAA level
 if (MiscUtil.isEmpty(authData.getQAALevel())) {
- Logger.info("No QAA level found. Set to default level " + PVPConstants.STORK_QAA_PREFIX + "1");
+ Logger.info("No QAA level found. Set to default level " + EAAFConstants.EIDAS_QAA_LOW);
 authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + "1");
+ authData.seteIDASLoA(EAAFConstants.EIDAS_QAA_LOW);
 }
@@ -810,7 +731,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu
 try {
 authData.setGenericData(elementKey, session.getGenericDataFromSession(elementKey));
- } catch (SessionDataStorageException e) {
+ } catch (EAAFStorageException e) {
 Logger.warn("Can not add generic authData with key:" + elementKey, e);
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
index e9e217137..a1d31f5ae 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
@@ -29,7 +29,6 @@ import org.opensaml.saml2.core.Attribute;
 import at.gv.egiz.eaaf.core.api.IRequest;
 import at.gv.egiz.eaaf.core.api.data.PVPAttributeConstants;
-import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException;
 import at.gv.egovernment.moa.id.auth.exception.DynamicOABuildException;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
@@ -89,16 +88,8 @@ public class DynamicOAAuthParameterBuilder {
 DynamicOAAuthParameters dynOAParams = new DynamicOAAuthParameters();
 dynOAParams.setApplicationID(oaParam.getPublicURLPrefix());
- try {
- dynOAParams.setHasBaseIdProcessingRestriction(oaParam.hasBaseIdInternalProcessingRestriction());
- dynOAParams.setHasBaseIdTransfergRestriction(oaParam.hasBaseIdTransferRestriction());
-
- } catch (EAAFConfigurationException e) {
- Logger.warn("Can not resolve baseID restrications! Set to privacy friendly configuration", e);
- dynOAParams.setHasBaseIdProcessingRestriction(true);
- dynOAParams.setHasBaseIdTransfergRestriction(true);
-
- }
+ dynOAParams.setHasBaseIdProcessingRestriction(oaParam.hasBaseIdInternalProcessingRestriction());
+ dynOAParams.setHasBaseIdTransfergRestriction(oaParam.hasBaseIdTransferRestriction());
 Object storkRequst = null;
 try {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
index e0d65e103..10c271b6a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
@@ -186,7 +186,7 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
 && MiscUtil.isNotEmpty(templateURLList.get(0)) ) {
 templateURL = FileUtils.makeAbsoluteURL(
 oaParam.getTemplateURL().get(0),
- authConfig.getRootConfigFileDir());
+ authConfig.getRootConfigFileDir());
 Logger.info("No SL-Template in request, load SL-Template from OA configuration (URL: " + templateURL + ")");
 } else if ( (defaulTemplateURLList.size() > 0)
 && MiscUtil.isNotEmpty(defaulTemplateURLList.get(0))) {
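Review bot: Removing the try/catch around the two `setHasBaseId…Restriction` calls also removes the privacy-friendly fallback that forced both restrictions to `true` when the configuration could not be resolved; the new lines propagate whatever `hasBaseIdInternalProcessingRestriction()` and `hasBaseIdTransferRestriction()` return. That is acceptable if those getters now fail closed themselves (the dropped `EAAFConfigurationException` import suggests they no longer throw), but nothing in the hunk shows it, so a comment at the call site such as `// getters fail closed (restriction = true) when the OA config is missing` or a test pinning that default would keep the guarantee visible. The enclosing method starts and ends outside the hunk.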
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
index 0e9db3964..f9aa1b83c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java
@@ -36,12 +36,14 @@ import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
+import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.api.idp.auth.IAuthenticationManager;
+import at.gv.egiz.eaaf.core.api.idp.slo.ISLOInformationContainer;
+import at.gv.egiz.eaaf.core.exceptions.EAAFException;
 import at.gv.egiz.eaaf.core.exceptions.GUIBuildException;
-import at.gv.egiz.eaaf.core.impl.idp.auth.AuthenticationManager;
 import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController;
 import at.gv.egiz.eaaf.core.impl.utils.HTTPUtils;
 import at.gv.egiz.eaaf.core.impl.utils.Random;
-import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.frontend.builder.DefaultGUIFormBuilderConfiguration;
 import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
@@ -50,6 +52,7 @@ import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.id.data.SLOInformationContainer;
 import at.gv.egovernment.moa.id.moduls.SSOManager;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.SingleLogOutBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NOSLOServiceDescriptorException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException;
@@ -66,7 +69,7 @@ import at.gv.egovernment.moa.util.URLEncoder;
 public class IDPSingleLogOutServlet extends AbstractController {
 @Autowired SSOManager ssoManager;
- @Autowired AuthenticationManager authManager;
+ @Autowired IAuthenticationManager authManager;
 @Autowired IAuthenticationSessionStoreage authenicationStorage;
 @Autowired SingleLogOutBuilder sloBuilder;
@@ -127,6 +130,9 @@ public class IDPSingleLogOutServlet extends AbstractController {
 } catch (MOADatabaseException e) {
 handleErrorNoRedirect(e, req, resp, false);
+ } catch (EAAFException e) {
+ handleErrorNoRedirect(e, req, resp, false);
+
+ }
 return;
@@ -135,10 +141,13 @@ public class IDPSingleLogOutServlet extends AbstractController {
 try {
 if (ssoManager.isValidSSOSession(ssoid, null)) {
- AuthenticationSession authSession = authenicationStorage.getInternalMOASessionWithSSOID(ssoid);
+ String internalSSOId = authenicationStorage.getInternalSSOSessionWithSSOID(ssoid);
- if(authSession != null) {
- authManager.performSingleLogOut(req, resp, authSession, authURL);
+ if(MiscUtil.isNotEmpty(internalSSOId)) {
+ ISLOInformationContainer sloInfoContainer = authManager.performSingleLogOut(req, resp, null, internalSSOId);
+
+ Logger.debug("Starting technical SLO process ... ");
+ sloBuilder.toTechnicalLogout(sloInfoContainer, req, resp, authURL);
 return;
 }
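Review bot: The new `catch (EAAFException e)` in the -127 hunk duplicates the body of the `MOADatabaseException` handler, and the same pattern recurs in the -205 hunk of this file; unless one of the two types is a subclass of the other, a multi-catch `} catch (MOADatabaseException | EAAFException e) {` keeps the handling in one place. If they are in a subclass relationship the separate clause is required, and a one-line comment saying so would stop the next reader from merging them. The enclosing methods start outside both hunks.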
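Review bot: `sloInfoContainer` is passed straight to `sloBuilder.toTechnicalLogout(...)` without a null check, whereas the removed code guarded `authSession != null` before acting; if `performSingleLogOut` can return null for a session that disappeared between `isValidSSOSession` and the lookup, this becomes a NullPointerException in the logout path rather than a handled error. Either a guard such as `if (sloInfoContainer == null) { /* report error, return */ }` or a comment stating that the manager never returns null for a non-empty internal id would close that gap (the manager is not visible here). The literal `null` third argument to `performSingleLogOut` is also opaque; naming the parameter it stands in for in a short comment would help. The enclosing try block and method continue outside the hunk.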
@@ -159,11 +168,12 @@ public class IDPSingleLogOutServlet extends AbstractController {
 sloContainer.putFailedOA("differntent OAs");
 String redirectURL = null;
- if (sloContainer.getSloRequest() != null) {
+ IRequest sloReq = sloContainer.getSloRequest();
+ if (sloReq != null && sloReq instanceof PVPTargetConfiguration) {
 //send SLO response to SLO request issuer
- SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(sloContainer.getSloRequest());
- LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, sloContainer.getSloRequest(), sloContainer.getSloFailedOAs());
- redirectURL = sloBuilder.getFrontChannelSLOMessageURL(sloService, message, req, resp, sloContainer.getSloRequest().getRequest().getRelayState());
+ SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor((PVPTargetConfiguration)sloContainer.getSloRequest());
+ LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, (PVPTargetConfiguration)sloContainer.getSloRequest(), sloContainer.getSloFailedOAs());
+ redirectURL = sloBuilder.getFrontChannelSLOMessageURL(sloService, message, req, resp, ((PVPTargetConfiguration)sloContainer.getSloRequest()).getRequest().getRelayState());
 } else {
 //print SLO information directly
@@ -205,6 +215,9 @@ public class IDPSingleLogOutServlet extends AbstractController {
 } catch (MOAIDException e) {
 Logger.warn("Build SLO respone FAILED.", e);
+ } catch (EAAFException e) {
+ Logger.warn("Build SLO respone FAILED.", e);
+
+ }
 try {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
index 21d329145..0285dd75b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java
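Review bot: `sloReq != null && sloReq instanceof PVPTargetConfiguration` is redundant (`instanceof` is already false for null), and the three following lines each re-fetch and re-cast `sloContainer.getSloRequest()` although the freshly read `sloReq` is in scope; casting once keeps the three calls readable and guarantees all three operate on the same object the check was made on. Note also a behavior change worth a comment: a non-null request that is not a `PVPTargetConfiguration` now falls into the `else` branch that prints SLO information directly, whereas before every non-null request received a logout response. The enclosing method starts and ends outside the hunk.
```java
IRequest sloReq = sloContainer.getSloRequest();
if (sloReq instanceof PVPTargetConfiguration) {
    // only PVP requests get a front-channel LogoutResponse; other request types fall through to the direct SLO page
    PVPTargetConfiguration pvpSloReq = (PVPTargetConfiguration) sloReq;
    //send SLO response to SLO request issuer
    SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpSloReq);
    LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpSloReq, sloContainer.getSloFailedOAs());
    redirectURL = sloBuilder.getFrontChannelSLOMessageURL(sloService, message, req, resp, pvpSloReq.getRequest().getRelayState());
// … unchanged: else branch printing SLO information directly …
```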
@@ -98,7 +98,7 @@ public class LogOutServlet {
 }
- if (ssomanager.destroySSOSessionOnIDPOnly(req, resp))
+ if (ssomanager.destroySSOSessionOnIDPOnly(req, resp, null))
 Logger.info("User with SSO is logged out and get redirect to "+ redirectUrl);
 else
 Logger.info("No active SSO session found. User is maybe logout already and get redirect to "+ redirectUrl);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java
index 752f54139..07b5242e0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java
@@ -29,9 +29,9 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.servlet.HandlerInterceptor;
 import org.springframework.web.servlet.ModelAndView;
+import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
 import at.gv.egiz.eaaf.core.impl.utils.Random;
 import at.gv.egiz.eaaf.core.impl.utils.TransactionIDUtils;
-import at.gv.egovernment.moa.id.commons.MOAIDConstants;
 import at.gv.egovernment.moa.id.moduls.SSOManager;
 import at.gv.egovernment.moa.util.MiscUtil;
@@ -56,10 +56,10 @@ public class UniqueSessionIdentifierInterceptor implements HandlerInterceptor {
 //search for unique session identifier
 String uniqueSessionIdentifier = ssomanager.getUniqueSessionIdentifier(ssoId);
 if (MiscUtil.isEmpty(uniqueSessionIdentifier))
- uniqueSessionIdentifier = Random.nextRandom();
+ uniqueSessionIdentifier = Random.nextHexRandom16();
 TransactionIDUtils.setSessionId(uniqueSessionIdentifier);
- request.setAttribute(MOAIDConstants.UNIQUESESSIONIDENTIFIER, uniqueSessionIdentifier);
+ request.setAttribute(EAAFConstants.UNIQUESESSIONIDENTIFIER, uniqueSessionIdentifier);
 return true;
 }
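Review bot: `Random.nextHexRandom16()` now produces the value that becomes both the session/transaction identifier handed to `TransactionIDUtils.setSessionId` and the `UNIQUESESSIONIDENTIFIER` request attribute, but nothing in the hunk states the generator's entropy source or the identifier's length. If the name means 16 hex characters that is 64 bits, which is adequate for log correlation but not for anything that acts as a bearer secret, and whether `Random` is backed by a CSPRNG is not visible here. A comment at the call site such as `// correlation id for logging/session tracking only, not a security token; Random is expected to be SecureRandom-backed — confirm` would make the intended use and the assumption explicit. The enclosing method starts outside the hunk.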