more refactoring staff

author: Thomas Lenz <tlenz@iaik.tugraz.at> 2018-06-14 06:18:47 +0200
committer: Thomas Lenz <tlenz@iaik.tugraz.at> 2018-06-14 06:18:47 +0200
commit: 2a073c6727d704271e17d9b682be28410f23aae7 (patch)
tree: c5d126bc6c116527c3b0f59e4c9c6ebcd185a2a9 /id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls
parent: e441bcf4eb1a53e1bb17df34997f17206796af72 (diff)
download: moa-id-spss-2a073c6727d704271e17d9b682be28410f23aae7.tar.gz
moa-id-spss-2a073c6727d704271e17d9b682be28410f23aae7.tar.bz2
moa-id-spss-2a073c6727d704271e17d9b682be28410f23aae7.zip
2 files changed, 266 insertions, 384 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index a24683545..2e1af43e4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -22,8 +22,6 @@
  *******************************************************************************/
 package at.gv.egovernment.moa.id.moduls;
 
-import java.io.IOException;
-import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Enumeration;
@@ -31,11 +29,11 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.Map.Entry;
 
-import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.opensaml.saml2.core.LogoutRequest;
 import org.opensaml.saml2.core.LogoutResponse;
 import org.opensaml.saml2.core.StatusCode;
@@ -46,21 +44,22 @@ import org.opensaml.xml.security.SecurityException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
+import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.api.gui.IGUIFormBuilder;
+import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
+import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage;
+import at.gv.egiz.eaaf.core.exceptions.EAAFException;
+import at.gv.egiz.eaaf.core.exceptions.GUIBuildException;
+import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
+import at.gv.egiz.eaaf.core.impl.idp.auth.AbstractAuthenticationManager;
+import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl;
+import at.gv.egiz.eaaf.core.impl.utils.Random;
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
-import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
-import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionExtensions;
-import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
 import at.gv.egovernment.moa.id.auth.frontend.builder.DefaultGUIFormBuilderConfiguration;
-import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder;
-import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException;
-import at.gv.egovernment.moa.id.auth.modules.SingleSignOnConsentsModuleImpl;
-import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
-import at.gv.egovernment.moa.id.auth.modules.registration.ModuleRegistration;
 import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
-import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
 import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
@@ -69,10 +68,6 @@ import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider;
 import at.gv.egovernment.moa.id.data.SLOInformationContainer;
 import at.gv.egovernment.moa.id.data.SLOInformationImpl;
-import at.gv.egovernment.moa.id.process.ExecutionContextImpl;
-import at.gv.egovernment.moa.id.process.ProcessEngine;
-import at.gv.egovernment.moa.id.process.ProcessExecutionException;
-import at.gv.egovernment.moa.id.process.api.ExecutionContext;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.SingleLogOutBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
@@ -81,36 +76,50 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
 import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage;
-import at.gv.egovernment.moa.id.storage.ITransactionStorage;
 import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
-import at.gv.egovernment.moa.id.util.Random;
-import at.gv.egovernment.moa.id.util.legacy.LegacyHelper;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
 
 @Service("MOAID_AuthenticationManager")
-public class AuthenticationManager extends MOAIDAuthConstants {
+public class AuthenticationManager extends AbstractAuthenticationManager {
 
-	private static List<String> reqParameterWhiteListeForModules = new ArrayList<String>();
-	private static List<String> reqHeaderWhiteListeForModules = new ArrayList<String>();
-	
+	public static final String DATAID_INTERFEDERATIOIDP_URL = "interIDPURL";
+	public static final String DATAID_INTERFEDERATIOIDP_RESPONSE = "interIDPResponse";
+	public static final String DATAID_REQUESTED_ATTRIBUTES = "requestedAttributes";
+	public static final String DATAID_INTERFEDERATIOIDP_ENTITYID = "interIDPEntityID";	
+	public static final String eIDAS_GENERIC_REQ_DATA_LEVELOFASSURENCE = "eIDAS_LoA";
+		
 	public static final String MOA_SESSION = "MoaAuthenticationSession";
 	public static final String MOA_AUTHENTICATED = "MoaAuthenticated";
 
 	public static final int SLOTIMEOUT = 30 * 1000; //30 sec
 	
-	@Autowired private ProcessEngine processEngine;	
-	@Autowired private SSOManager ssoManager;
-	@Autowired private IRequestStorage requestStoreage;
+
 	@Autowired private ITransactionStorage transactionStorage;
 	@Autowired private IAuthenticationSessionStoreage authenticatedSessionStore;
-	@Autowired private MOAReversionLogger revisionsLogger;
-	@Autowired protected AuthConfiguration authConfig;
+	
 	@Autowired private SingleLogOutBuilder sloBuilder;
 	@Autowired private SAMLVerificationEngineSP samlVerificationEngine;
 	@Autowired private IGUIFormBuilder guiBuilder;
 	@Autowired(required=true) private MOAMetadataProvider metadataProvider;
 	
+	
+	@Override
+	public void performSingleLogOut(HttpServletRequest httpReq, HttpServletResponse httpResp, IRequest pendingReq)
+			throws EAAFException {
+		// TODO Auto-generated method stub
+		
+	}
+
+	@Override
+	public void performSingleLogOut(HttpServletRequest httpReq, HttpServletResponse httpResp, IRequest pendingReq, String arg3)
+			throws EAAFException {
+		// TODO Auto-generated method stub
+		
+	}
+	
+	
+	
 	public void performSingleLogOut(HttpServletRequest httpReq,
 	HttpServletResponse httpResp, IAuthenticationSession session, PVPTargetConfiguration pvpReq) throws MOAIDException {
 		performSingleLogOut(httpReq, httpResp, session, pvpReq, null);
@@ -123,39 +132,6 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 		
 	}
 	
-	/**
-	 * @param req
-	 * @param resp
-	 * @param moasessionid
-	 */
-	public void performOnlyIDPLogOut(AuthenticationSession authSession) {
-		
-		if (authSession == null) {
-			Logger.info("No internal MOA SSO-Session found. Nothing to destroy");
-			return;
-			
-		}
-		
-		try {
-									
-			authSession.setAuthenticated(false);
-			//HTTPSessionUtils.setHTTPSessionString(session, MOA_SESSION, null); // remove moa session from HTTP Session
-
-			//log Session_Destroy to reversionslog
-			AuthenticationSessionExtensions sessionExtensions = authenticatedSessionStore.getAuthenticationSessionExtensions(authSession.getSessionID());
-			revisionsLogger.logEvent(MOAIDEventConstants.SESSION_DESTROYED, sessionExtensions.getUniqueSessionId());
-			
-			authenticatedSessionStore.destroyInternalSSOSession(authSession.getSessionID());
-			
-			//session.invalidate();
-		
-		} catch (MOADatabaseException e) {
-			Logger.info("NO MOA Authentication data for ID " + authSession.getSessionID());
-			return;
-		}
-		
-	}
-	
 	
 	public void performOnlyIDPLogOut(HttpServletRequest request,
 			HttpServletResponse response, String internalMOASsoSessionID) {
@@ -187,327 +163,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 		}
 
 	}
-
-
-	/**
-	 * Authenticates the authentication request {pendingReq}, which is actually processed
-	 * 
-	 * @param httpReq HttpServletRequest	
-	 * @param httpResp HttpServletResponse
-	 * @param protocolRequest Authentication request which is actually in process
-	 * 
-	 * @return Return already authenticated MOASession if exists, otherwise return null 
-	 * @throws MOADatabaseException 
-	 * @throws MOAIDException 
-	 * @throws IOException 
-	 * @throws ServletException 
-	 * 
-	 */
-	public AuthenticationSession doAuthentication(HttpServletRequest httpReq,
-			HttpServletResponse httpResp, RequestImpl pendingReq) throws MOADatabaseException, ServletException, IOException, MOAIDException {
-	
-		//load OA configuration from pending request
-		IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
-				
-		//set logging context and log unique OA identifier to revision log 
-		TransactionIDUtils.setServiceProviderId(pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix());
-		revisionsLogger.logEvent(oaParam, 
-				pendingReq, MOAIDEventConstants.AUTHPROCESS_SERVICEPROVIDER, pendingReq.getOAURL());
-			
-		//generic authentication request validation 
-		if (pendingReq.isPassiv()
-				&& pendingReq.forceAuth()) {
-			// conflict!
-			throw new NoPassivAuthenticationException();
-		}
-				
-		//get SSO cookie from http request
-		String ssoId = ssoManager.getSSOSessionID(httpReq);
-		
-		//check if interfederation IDP is requested
-		ssoManager.checkInterfederationIsRequested(httpReq, httpResp, pendingReq);
-		
-		//check if SSO session cookie is already used
-		if (ssoId != null) {
-			String correspondingMOASession = ssoManager.existsOldSSOSession(ssoId);
-			
-			if (correspondingMOASession != null) {
-				Logger.warn("Request sends an old SSO Session ID("+ssoId+")! " +
-						"Invalidate the corresponding MOASession with ID="+ correspondingMOASession);
-				
-				revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
-						pendingReq, MOAIDEventConstants.AUTHPROCESS_SSO_INVALID);
-				
-				//destroy internal SSO-session object and SSO-session cooky
-				authenticatedSessionStore.destroyInternalSSOSession(correspondingMOASession);
-				ssoManager.deleteSSOSessionID(httpReq, httpResp);
-			}
-		}
-
-		//check if SSO Session is valid
-		boolean isValidSSOSession = ssoManager.isValidSSOSession(ssoId, pendingReq);
-		
-		// check if Service-Provider allows SSO sessions
-		boolean useSSOOA = oaParam.useSSO() || oaParam.isInderfederationIDP();		
-				
-		//if a legacy request is used SSO should not be allowed in case of mandate authentication
-		boolean isUseMandateRequested = LegacyHelper.isUseMandateRequested(httpReq);
-			
-		//check if SSO is allowed for the actually executed request
-		//INFO: Actually, useMandate disables SSO functionality!!!!!
-		boolean isSSOAllowed = (useSSOOA  && !isUseMandateRequested);
-		pendingReq.setNeedSingleSignOnFunctionality(isSSOAllowed);
-						
-		//get MOASession from SSO-Cookie if SSO is allowed
-		AuthenticationSession ssoMOASession = null;
-		if (isValidSSOSession && isSSOAllowed) {
-			ssoMOASession = ssoManager.getInternalMOASession(ssoId);
-			
-			if (ssoMOASession == null)
-				Logger.info("No MOASession FOUND with provided SSO-Cookie.");
-			
-			else {
-				Logger.debug("Found authenticated MOASession with provided SSO-Cookie.");
-				revisionsLogger.logEvent(oaParam, pendingReq, MOAIDEventConstants.AUTHPROCESS_SSO);
-				
-			}			
-		}
-						
-		//check if session is already authenticated
-		boolean isSessionAuthenticated = tryPerformAuthentication((RequestImpl) pendingReq, ssoMOASession);
-
-		//force new authentication authentication process
-		if (pendingReq.forceAuth()) {	
-			startAuthenticationProcess(httpReq, httpResp, pendingReq);
-			return null;
-				
-		//perform SSO-Consents evaluation if it it required			
-		} else if (isSessionAuthenticated && oaParam.useSSOQuestion()) {
-			sendSingleSignOnConsentsEvaluation(httpReq, httpResp, pendingReq);
-			return null;
-		
-		} else if (pendingReq.isPassiv()) {
-			if (isSessionAuthenticated) {
-				// Passive authentication ok!
-				revisionsLogger.logEvent(oaParam, pendingReq, MOAIDEventConstants.AUTHPROCESS_FINISHED);
-				return ssoMOASession;
-				
-			} else {				
-				throw new NoPassivAuthenticationException();
-				
-			}
-		} else {
-			if (isSessionAuthenticated) {
-				// Is authenticated .. proceed
-				revisionsLogger.logEvent(oaParam, 
-						pendingReq, MOAIDEventConstants.AUTHPROCESS_FINISHED);
-				return ssoMOASession;
-				
-			} else {
-				// Start authentication!
-				startAuthenticationProcess(httpReq, httpResp, pendingReq);
-				return null;
-			}
-		}		
-	}
-	
-	/**
-	 * Add a request parameter to whitelist. All parameters that are part of the white list are added into {@link ExecutionContext} 
-	 * 
-	 * @param httpReqParam http parameter name, but never null
-	 */
-	public void addParameterNameToWhiteList(String httpReqParam) {
-		if (MiscUtil.isNotEmpty(httpReqParam))
-			reqParameterWhiteListeForModules.add(httpReqParam);
-		
-	}
-	
-	/**
-	 * Add a request header to whitelist. All parameters that are part of the white list are added into {@link ExecutionContext} 
-	 * 
-	 * @param httpReqParam http header name, but never null
-	 */
-	public void addHeaderNameToWhiteList(String httpReqParam) {
-		if (MiscUtil.isNotEmpty(httpReqParam))
-			reqHeaderWhiteListeForModules.add(httpReqParam.toLowerCase());
 		
-	}
-	
-	/**
-	 * Checks if a authenticated MOASession already exists and if {protocolRequest} is authenticated
-	 * 
-	 * @param protocolRequest Authentication request which is actually in process
-	 * @param moaSession MOASession with authentication information or null if no active MOASession exists
-	 * 
-	 * @return true if session is already authenticated, otherwise false
-	 * @throws MOAIDException 
-	 */
-	private boolean tryPerformAuthentication(RequestImpl protocolRequest, AuthenticationSession ssoMOASession) {
-
-		//if no MOASession exist -> authentication is required
-		if (ssoMOASession == null) {
-			return false;
-			
-		} else {
-			//if MOA SSO-Session is found but not authenticated --> authentication is required
-			if (!ssoMOASession.isAuthenticated()) {
-				return false;
-			}
-			
-			//if MOASession is already authenticated and protocol-request is authenticated 
-			//  --> no authentication is required any more
-			else if (ssoMOASession.isAuthenticated() && protocolRequest.isAuthenticated()) {
-				protocolRequest.setInternalSSOSessionIdentifier(ssoMOASession.getSessionID());
-				return true;
-
-			// if MOASession is authenticated and SSO is allowed --> authenticate pendingRequest
-			} else if (!protocolRequest.isAuthenticated() 
-					&& ssoMOASession.isAuthenticated() && protocolRequest.needSingleSignOnFunctionality()) {
-				Logger.debug("Found active MOASession and SSO is allowed --> pendingRequest is authenticted");
-				protocolRequest.setAuthenticated(true);
-				protocolRequest.setInternalSSOSessionIdentifier(ssoMOASession.getSessionID());
-				return true;
-				
-			}
-			
-			// force authentication as backup solution
-			else {
-				Logger.warn("Authentication-required check find an unsuspected state --> force authentication");
-				return false;
-				
-			}					
-		}
-	}
-	
-	private void startAuthenticationProcess(HttpServletRequest httpReq,
-			HttpServletResponse httpResp, RequestImpl pendingReq)
-			throws ServletException, IOException, MOAIDException {
-				
-		Logger.info("Starting authentication ...");		
-		revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
-				pendingReq, MOAIDEventConstants.AUTHPROCESS_START);
-		
-		//is legacy allowed		
-		List<String> legacyallowed_prot = authConfig.getLegacyAllowedProtocols();
-		boolean legacyallowed = legacyallowed_prot.contains(pendingReq.requestedModule());
-
-		//check legacy request parameter 
-		boolean legacyparamavail = ParamValidatorUtils.areAllLegacyParametersAvailable(httpReq);
-				
-		//create authentication process execution context
-		ExecutionContext executionContext = new ExecutionContextImpl();
-
-		//set oaIdentifeir
-		executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_UNIQUE_OA_IDENTFIER, 
-				pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix());
-		
-		//set interfederation authentication flag
-		executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH, 
-				MiscUtil.isNotEmpty(
-						pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class)));
-		
-		//set legacy mode or BKU-selection flags
-		boolean leagacyMode = (legacyallowed && legacyparamavail);			
-		executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_ISLEGACYREQUEST, leagacyMode);
-		executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, !leagacyMode 
-				&& MiscUtil.isEmpty(pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class)));
-		
-		//add X509 SSL client certificate if exist
-		if (httpReq.getAttribute("javax.servlet.request.X509Certificate") != null) {
-			Logger.debug("Find SSL-client-certificate on request --> Add it to context");
-			executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_SSL_CLIENT_CERTIFICATE, 
-					((X509Certificate[])httpReq.getAttribute("javax.servlet.request.X509Certificate")));
-			
-		}
-						
-		//add additional http request parameter to context
-		if (!reqParameterWhiteListeForModules.isEmpty() || leagacyMode) {
-			Enumeration<String> reqParamNames = httpReq.getParameterNames();
-			while(reqParamNames.hasMoreElements()) {
-				String paramName = reqParamNames.nextElement();
-				if (MiscUtil.isNotEmpty(paramName) && 
-						( MOAIDAuthConstants.LEGACYPARAMETERWHITELIST.contains(paramName) 
-								|| reqParameterWhiteListeForModules.contains(paramName) ))
-					executionContext.put(paramName, 
-							StringEscapeUtils.escapeHtml(httpReq.getParameter(paramName)));				
-			}			
-		}
-		
-		//add additional http request parameter to context
-		if (!reqHeaderWhiteListeForModules.isEmpty()) {
-			Enumeration<String> reqHeaderNames = httpReq.getHeaderNames();
-			while(reqHeaderNames.hasMoreElements()) { 
-				String paramName = reqHeaderNames.nextElement();
-				if (MiscUtil.isNotEmpty(paramName) && reqHeaderWhiteListeForModules.contains(paramName.toLowerCase()) ) {
-					executionContext.put(paramName, 
-							StringEscapeUtils.escapeHtml(httpReq.getHeader(paramName)));				
-				}
-			}			
-		}
-		
-		//start process engine
-		startProcessEngine(pendingReq, executionContext);
-		
-	}
-			
-	private void sendSingleSignOnConsentsEvaluation(HttpServletRequest request,
-			HttpServletResponse response, RequestImpl pendingReq)
-			throws ServletException, IOException, MOAIDException { 
-			
-			Logger.info("Start SSO user-consents evaluation ...");
-		
-			//set authenticated flag to false, because user consents is required
-			pendingReq.setAuthenticated(false);
-			
-			//create execution context
-			ExecutionContext executionContext = new ExecutionContextImpl();
-			executionContext.put(SingleSignOnConsentsModuleImpl.PARAM_SSO_CONSENTS_EVALUATION, true);
-			
-			//start process engine
-			startProcessEngine(pendingReq, executionContext);
-		 
-	}
-	
-	private void startProcessEngine(RequestImpl pendingReq, ExecutionContext executionContext) throws MOAIDException {
-		try {
-			//put pending-request ID on execurtionContext
-			executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, pendingReq.getRequestID());			
-						
-			// create process instance
-			String processDefinitionId = ModuleRegistration.getInstance().selectProcess(executionContext);
-
-			if (processDefinitionId == null) {
-				Logger.warn("No suitable process found for SessionID " + pendingReq.getRequestID() );
-				throw new MOAIDException("process.02",new Object[] {
-						pendingReq.getRequestID()});
-			}
-
-			String processInstanceId = processEngine.createProcessInstance(processDefinitionId, executionContext);
-
-			// keep process instance id in protocol pending-request
-			pendingReq.setProcessInstanceId(processInstanceId);
-
-			//store pending-request			
-			requestStoreage.storePendingRequest(pendingReq);
-									
-	    	// start process
-			processEngine.start(pendingReq);
-			
-		} catch (ProcessExecutionException e) {
-			Throwable cause = e.getCause();
-			if (cause != null && cause instanceof TaskExecutionException) {
-				Throwable taskCause = cause.getCause();
-				if (taskCause != null && taskCause instanceof MOAIDException) {
-					MOAIDException moaTaskCause = (MOAIDException) taskCause;
-					Logger.warn(taskCause);
-					throw moaTaskCause;
-				
-				}									
-			}
-			
-			throw new MOAIDException("process.01", new Object[] { pendingReq.getProcessInstanceId(), pendingReq.getRequestID() }, e);
-		}		
-	}
 	
 	private void performSingleLogOut(HttpServletRequest httpReq,
 	HttpServletResponse httpResp, IAuthenticationSession session, PVPTargetConfiguration pvpReq, String authURL) throws MOAIDException {		
@@ -732,5 +388,45 @@ public class AuthenticationManager extends MOAIDAuthConstants {
 			e.printStackTrace();
 		}				
 	}
+	
+	@Override
+	protected void populateExecutionContext(ExecutionContext executionContext, RequestImpl pendingReq, HttpServletRequest httpReq)
+			throws EAAFException {
+		//is legacy allowed
+		boolean legacyallowed = false;
+		if (authConfig instanceof  AuthConfiguration) {
+			List<String> legacyallowed_prot = ((AuthConfiguration)authConfig).getLegacyAllowedProtocols();
+			legacyallowed = legacyallowed_prot.contains(pendingReq.requestedModule());
+			
+		} else
+			Logger.info("Base configuration is NOT of type 'AuthConfiguration'. LegacyMode is disabled");
+		
+
+		//check legacy request parameter 
+		boolean legacyparamavail = ParamValidatorUtils.areAllLegacyParametersAvailable(httpReq);
+				
+		
+		//set interfederation authentication flag
+		executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH, 
+				MiscUtil.isNotEmpty(
+						pendingReq.getGenericData(DATAID_INTERFEDERATIOIDP_URL, String.class)));
+		
+		//set legacy mode or BKU-selection flags
+		boolean leagacyMode = (legacyallowed && legacyparamavail);			
+		executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_ISLEGACYREQUEST, leagacyMode);
+		executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, !leagacyMode 
+				&& MiscUtil.isEmpty(pendingReq.getGenericData(DATAID_INTERFEDERATIOIDP_URL, String.class)));
+				
+		//add additional http request parameter to context
+		if (leagacyMode) {
+			Enumeration<String> reqParamNames = httpReq.getParameterNames();
+			while(reqParamNames.hasMoreElements()) {
+				String paramName = reqParamNames.nextElement();
+				if (StringUtils.isNotEmpty(paramName) && MOAIDAuthConstants.LEGACYPARAMETERWHITELIST.contains(paramName) )
+					executionContext.put(paramName, StringEscapeUtils.escapeHtml(httpReq.getParameter(paramName)));				
+			}			
+		}
+		
+	}
 
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
index 718f730b0..bded1943b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
@@ -33,12 +33,20 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
 import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.api.idp.auth.ISSOManager;
+import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface;
+import at.gv.egiz.eaaf.core.api.logging.IRevisionLogger;
+import at.gv.egiz.eaaf.core.exceptions.EAAFSSOException;
+import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException;
 import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl;
 import at.gv.egiz.eaaf.core.impl.utils.Random;
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionExtensions;
+import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.commons.api.exceptions.SessionDataStorageException;
@@ -46,12 +54,15 @@ import at.gv.egovernment.moa.id.commons.db.dao.session.AuthenticatedSessionStore
 import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
 import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameterDecorator;
 import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage;
+import at.gv.egovernment.moa.id.util.legacy.LegacyHelper;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
 
 @Service("MOAID_SSOManager")
-public class SSOManager {	
+public class SSOManager implements ISSOManager {	
+	
 	private static final String HTMLTEMPLATESDIR = "htmlTemplates/";
 	private static final String HTMLTEMPLATEFULL = "slo_template.html";
 	public static String CONTEXTPATH = "contextPath";
@@ -62,9 +73,160 @@ public class SSOManager {
 	private static final int INTERFEDERATIONCOOKIEMAXAGE = 5 * 60;// sec
 
 	@Autowired private IAuthenticationSessionStoreage authenticatedSessionStore;
-	@Autowired protected AuthConfiguration authConfig;
+	@Autowired private AuthConfiguration authConfig;
+	@Autowired private IRevisionLogger revisionsLogger;
+	
+	
 	//@Autowired private MOASessionDBUtils moaSessionDBUtils;
 	
+	
+	public boolean checkAndValidateSSOSession(IRequest pendingReq, HttpServletRequest httpReq, HttpServletResponse httpResp) throws EAAFSSOException {
+		try {
+			//get SSO cookie from http request
+			String ssoId = getSSOSessionID(httpReq);
+		
+			//check if interfederation IDP is requested
+			checkInterfederationIsRequested(httpReq, httpResp, pendingReq);
+			
+			//check if SSO session cookie is already used
+			if (ssoId != null) {
+				String correspondingMOASession = existsOldSSOSession(ssoId);
+				
+				if (correspondingMOASession != null) {
+					Logger.warn("Request sends an old SSO Session ID("+ssoId+")! " +
+							"Invalidate the corresponding MOASession with ID="+ correspondingMOASession);
+					
+					revisionsLogger.logEvent(pendingReq, EVENT_SSO_SESSION_INVALID);
+					
+					//destroy internal SSO-session object and SSO-session cooky
+					authenticatedSessionStore.destroyInternalSSOSession(correspondingMOASession);
+					deleteSSOSessionID(httpReq, httpResp);
+				}
+			}
+
+			//check if SSO Session is valid
+			boolean isSSOValid = isValidSSOSession(ssoId, pendingReq);
+						
+			if (isSSOValid)
+				pendingReq.setSSOSessionIdentifier(ssoId);
+			
+			return isSSOValid;
+						
+			
+		} catch (SessionDataStorageException | ConfigurationException | MOADatabaseException e) {
+			Logger.warn("Cann not process SSO session. Reason: " + e.getMessage(), e);
+			Logger.info("All SSO session will be ignored.");
+			
+		}
+		
+		return false;
+				
+	}
+	
+	
+	
+	public void isSSOAllowedForSP(IRequest pendingReq, HttpServletRequest httpReq) {
+		// check if Service-Provider allows SSO sessions
+		IOAAuthParameters oaConfig = pendingReq.getServiceProviderConfiguration(OAAuthParameterDecorator.class);
+		boolean useSSOOA = oaConfig.useSSO() || oaConfig.isInderfederationIDP();		
+				
+		//if a legacy request is used SSO should not be allowed in case of mandate authentication
+		boolean isUseMandateRequested = false;
+		try {
+			isUseMandateRequested = LegacyHelper.isUseMandateRequested(httpReq);
+
+			//check if SSO is allowed for the actually executed request
+			//INFO: Actually, useMandate disables SSO functionality!!!!!
+			pendingReq.setNeedSingleSignOnFunctionality((useSSOOA  && !isUseMandateRequested));
+			
+			//check if current service provider needs user consent for SSO
+			pendingReq.setNeedUserConsent(oaConfig.useSSOQuestion());
+						
+		} catch (WrongParametersException e) {
+			Logger.warn("Find suspect http parameter for mandates! Reason: " + e.getMessage());
+			
+		}
+		
+	}
+	
+	public void populatePendingRequestWithSSOInformation(IRequest pendingReq) throws EAAFSSOException {				
+		//populate pending request with eID data from SSO session if no userConsent is required
+		try {
+			AuthenticationSession ssoMOASession = getInternalMOASession(pendingReq.getSSOSessionIdentifier());
+			
+			if (ssoMOASession == null)
+				Logger.info("No MOASession FOUND with provided SSO-Cookie.");
+			
+			else {
+				Logger.debug("Found authenticated MOASession with provided SSO-Cookie.");
+				revisionsLogger.logEvent(pendingReq, EVENT_SSO_SESSION_VALID);
+				
+				Logger.trace("Populatint pending request with SSO session information .... ");						
+				pendingReq.setGenericDataToSession(ssoMOASession.getKeyValueRepresentationFromAuthSession());
+				pendingReq.setAuthenticated(true);
+							
+			}
+			
+		} catch (EAAFStorageException e) {
+			Logger.warn("Can NOT populate pending request from SSO session.", e);
+			throw new EAAFSSOException("", new Object[] {},
+					"Can NOT populate pending request from SSO session", e);
+			
+		}
+
+	}
+	
+	
+	@Override
+	public boolean destroySSOSessionOnIDPOnly(HttpServletRequest httpReq, HttpServletResponse httpResp, IRequest pendingReq) throws EAAFSSOException {
+		//get SSO token from request
+		String ssoid = null;
+		if (pendingReq != null && MiscUtil.isNotEmpty(pendingReq.getSSOSessionIdentifier())) {
+			ssoid = pendingReq.getSSOSessionIdentifier();
+			
+		} else {
+			ssoid = getSSOSessionID(httpReq);
+			
+		}
+		try {
+			if (isValidSSOSession(ssoid, null)) {
+		
+				//delete SSO session and MOA session
+				AuthenticationSession ssoSession = authenticatedSessionStore.getInternalMOASessionWithSSOID(ssoid);
+		
+				if (ssoSession == null) {
+					Logger.info("No internal MOA SSO-Session found. Nothing to destroy");
+					return false;
+				
+				}
+			
+													
+				ssoSession.setAuthenticated(false);
+
+				//log Session_Destroy to reversionslog
+				AuthenticationSessionExtensions sessionExtensions = 
+						authenticatedSessionStore.getAuthenticationSessionExtensions(ssoSession.getSSOSessionID());
+				revisionsLogger.logEvent(MOAIDEventConstants.SESSION_DESTROYED, sessionExtensions.getUniqueSessionId());
+				authenticatedSessionStore.destroyInternalSSOSession(ssoSession.getSSOSessionID());
+			}
+			
+		} catch (MOADatabaseException | ConfigurationException | SessionDataStorageException e) {
+			Logger.info("NO MOA Authentication data for ID " + ssoid);
+			return false;
+			
+		}
+
+
+		//Remove SSO token
+		deleteSSOSessionID(httpReq, httpResp);
+				
+		return true;
+		
+	}
+	
+	
+	//*********************************** old **************************************
+	
 	/**
 	 * Check if interfederation IDP is requested via HTTP GET parameter or if interfederation cookie exists.
 	 * Set the requested interfederation IDP as attribte of the {protocolRequest}
@@ -209,7 +371,7 @@ public class SSOManager {
 			if (MiscUtil.isNotEmpty(ssoSessionID)) {			
 				AuthenticationSession moaSession = authenticatedSessionStore.getInternalMOASessionWithSSOID(ssoSessionID);
 				if (moaSession != null) {
-					AuthenticationSessionExtensions extSessionInformation = authenticatedSessionStore.getAuthenticationSessionExtensions(moaSession.getSessionID());
+					AuthenticationSessionExtensions extSessionInformation = authenticatedSessionStore.getAuthenticationSessionExtensions(moaSession.getSSOSessionID());
 						return extSessionInformation.getUniqueSessionId();
 			
 				}
@@ -336,4 +498,28 @@ public class SSOManager {
 		setCookie(httpReq, httpResp, cookieName, "", 0);
 	}
 
+
+
+	@Override
+	public void createNewSSOSession(IRequest arg0, String arg1, SLOInformationInterface arg2) throws EAAFSSOException {
+		// TODO Auto-generated method stub
+		
+	}
+
+
+
+	@Override
+	public String createNewSSOSessionCookie(HttpServletRequest arg0, HttpServletResponse arg1, IRequest arg2)
+			throws EAAFSSOException {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+
+	@Override
+	public void updateSSOSession(IRequest arg0, String arg1, SLOInformationInterface arg2) throws EAAFSSOException {
+		// TODO Auto-generated method stub
+		
+	}
+
 }
author	Thomas Lenz <tlenz@iaik.tugraz.at>	2018-06-14 06:18:47 +0200
committer	Thomas Lenz <tlenz@iaik.tugraz.at>	2018-06-14 06:18:47 +0200
commit	2a073c6727d704271e17d9b682be28410f23aae7 (patch)
tree	c5d126bc6c116527c3b0f59e4c9c6ebcd185a2a9 /id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls
parent	e441bcf4eb1a53e1bb17df34997f17206796af72 (diff)
download	moa-id-spss-2a073c6727d704271e17d9b682be28410f23aae7.tar.gz moa-id-spss-2a073c6727d704271e17d9b682be28410f23aae7.tar.bz2 moa-id-spss-2a073c6727d704271e17d9b682be28410f23aae7.zip