add STORK-QAA to PVP SecClass mapping

1 files changed, 52 insertions, 6 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index dab89b7c3..333bd35f1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -77,6 +77,7 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.data.SLOInformationContainer;
 import at.gv.egovernment.moa.id.data.SLOInformationImpl;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
@@ -87,9 +88,11 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
 import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+import at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest;
 import at.gv.egovernment.moa.id.storage.AssertionStorage;
 import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
+import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper;
 import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 import at.gv.egovernment.moa.id.util.Random;
 import at.gv.egovernment.moa.logging.Logger;
@@ -381,6 +384,7 @@ public class AuthenticationManager extends AuthServlet {
 		//get IDP metadata
 		try {
 			OAAuthParameter idp = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(target.getRequestedIDP());
+			OAAuthParameter sp = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(target.getOAURL());
 			
 			if (!idp.isInderfederationIDP() || !idp.isInboundSSOInterfederationAllowed()) {
 				Logger.info("Requested interfederation IDP " + target.getRequestedIDP() + " is not valid for interfederation.");
@@ -389,7 +393,7 @@ public class AuthenticationManager extends AuthServlet {
 				return;
 				
 			} 
-						
+			
 			EntityDescriptor idpEntity = MOAMetadataProvider.getInstance().
 					getEntityDescriptor(target.getRequestedIDP());
 			
@@ -409,7 +413,7 @@ public class AuthenticationManager extends AuthServlet {
 							redirectEndpoint == null )
 						redirectEndpoint = sss;
 				}
-				
+								
 				if (redirectEndpoint != null) {
 					
 					AuthnRequest authReq = SAML2Utils
@@ -440,13 +444,55 @@ public class AuthenticationManager extends AuthServlet {
 							SAML2Utils.createSAMLObject(RequestedAuthnContext.class);
 					
 					AuthnContextClassRef authnClassRef = 
-							SAML2Utils.createSAMLObject(AuthnContextClassRef.class);					
-					authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4");
+							SAML2Utils.createSAMLObject(AuthnContextClassRef.class);
+					
+					if (sp != null && sp.isSTORKPVPGateway()){
+						//use PVP SecClass instead of STORK QAA level
+						String secClass = null;
+						if (target instanceof MOASTORKRequest) {
+							
+							try {
+								MOASTORKRequest storkReq = (MOASTORKRequest) target;	
+								secClass = PVPtoSTORKMapper.getInstance().mapToSecClass(
+										PVPConstants.STORK_QAA_PREFIX + storkReq.getStorkAuthnRequest().getQaa());
+							
+							} catch (Exception e) {
+								Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4", e);
+
+							}							
+						}
+						
+						if (MiscUtil.isNotEmpty(secClass))
+							authnClassRef.setAuthnContextClassRef(secClass);
+						else
+							authnClassRef.setAuthnContextClassRef("http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3");
+											
+					} else {
+						if (target instanceof MOASTORKRequest) {
+							//use requested QAA level from STORK request
+							try {
+								MOASTORKRequest storkReq = (MOASTORKRequest) target;
+								authnClassRef.setAuthnContextClassRef(
+										PVPConstants.STORK_QAA_PREFIX + storkReq.getStorkAuthnRequest().getQaa());
+								Logger.debug("Use STORK-QAA level " + authnClassRef.getAuthnContextClassRef() 
+										+ " from STORK request");
+								
+							} catch (Exception e) {
+								Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4", e);
+								
+							}
+							
+						}
+						
+						if (MiscUtil.isEmpty(authnClassRef.getAuthnContextClassRef()))						
+							authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4");
+						
+					}
+					
 					reqAuthContext.setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM);					
 					reqAuthContext.getAuthnContextClassRefs().add(authnClassRef);					
 					authReq.setRequestedAuthnContext(reqAuthContext);
-					
-					
+										
 					IEncoder binding = null;
 					if (redirectEndpoint.getBinding().equals(
 							SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {