final betaversion if MOA-ID-Auth Single LogOut

2 files changed, 195 insertions, 1 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index 5a06b3ecd..ee26d9223 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -24,13 +24,21 @@ package at.gv.egovernment.moa.id.moduls;
 
 import java.io.IOException;
 import java.io.PrintWriter;
+import java.io.StringWriter;
 import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Iterator;
 import java.util.List;
+import java.util.Map.Entry;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.velocity.Template;
+import org.apache.velocity.VelocityContext;
+import org.apache.velocity.app.VelocityEngine;
 import org.joda.time.DateTime;
 import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
 import org.opensaml.common.xml.SAMLConstants;
@@ -38,6 +46,8 @@ import org.opensaml.saml2.core.AuthnContextClassRef;
 import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
 import org.opensaml.saml2.core.AuthnRequest;
 import org.opensaml.saml2.core.Issuer;
+import org.opensaml.saml2.core.LogoutRequest;
+import org.opensaml.saml2.core.LogoutResponse;
 import org.opensaml.saml2.core.NameID;
 import org.opensaml.saml2.core.NameIDPolicy;
 import org.opensaml.saml2.core.NameIDType;
@@ -45,12 +55,15 @@ import org.opensaml.saml2.core.RequestedAuthnContext;
 import org.opensaml.saml2.core.Subject;
 import org.opensaml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.saml2.metadata.SingleLogoutService;
 import org.opensaml.saml2.metadata.SingleSignOnService;
 import org.opensaml.saml2.metadata.provider.MetadataProviderException;
 import org.opensaml.security.MetadataCredentialResolver;
 import org.opensaml.security.MetadataCredentialResolverFactory;
 import org.opensaml.security.MetadataCriteria;
 import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.ws.soap.common.SOAPException;
+import org.opensaml.xml.XMLObject;
 import org.opensaml.xml.security.CriteriaSet;
 import org.opensaml.xml.security.SecurityException;
 import org.opensaml.xml.security.criteria.EntityIDCriteria;
@@ -64,19 +77,32 @@ import at.gv.egovernment.moa.id.auth.exception.BuildException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.auth.parser.StartAuthentificationParameterParser;
 import at.gv.egovernment.moa.id.auth.servlet.AuthServlet;
+import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
+import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.SLOInformationContainer;
+import at.gv.egovernment.moa.id.data.SLOInformationImpl;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.ArtifactBinding;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.SingleLogOutBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
 import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+import at.gv.egovernment.moa.id.storage.AssertionStorage;
 import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
+import at.gv.egovernment.moa.id.util.Random;
+import at.gv.egovernment.moa.id.util.VelocityProvider;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MessageProvider;
 import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.egovernment.moa.util.StringUtils;
 
@@ -138,7 +164,149 @@ public class AuthenticationManager extends AuthServlet {
 		return false;
 	}
 	
-	public void logout(HttpServletRequest request,
+	public void performSingleLogOut(HttpServletRequest httpReq,
+	HttpServletResponse httpResp, AuthenticationSession session, PVPTargetConfiguration pvpReq) throws MOAIDException {		
+		String pvpSLOIssuer = null;
+		String inboundRelayState = null;
+		
+		if (pvpReq != null) {
+			MOARequest samlReq = (MOARequest) pvpReq.getRequest();
+			LogoutRequest logOutReq = (LogoutRequest) samlReq.getSamlRequest();
+			pvpSLOIssuer = logOutReq.getIssuer().getValue();
+			inboundRelayState = samlReq.getRelayState();
+		}
+		
+		SSOManager ssomanager = SSOManager.getInstance();
+		
+		//store active OAs to SLOContaine
+		List<OASessionStore> dbOAs = AuthenticationSessionStoreage.getAllActiveOAFromMOASession(session);
+		List<InterfederationSessionStore> dbIDPs = AuthenticationSessionStoreage.getAllActiveIDPsFromMOASession(session);
+		SLOInformationContainer sloContainer = new SLOInformationContainer();
+		sloContainer.setSloRequest(pvpReq);
+		sloContainer.parseActiveIDPs(dbIDPs, pvpSLOIssuer);
+		sloContainer.parseActiveOAs(dbOAs, pvpSLOIssuer);
+						
+		//terminate MOASession
+		try {
+			AuthenticationSessionStoreage.destroySession(session.getSessionID());
+			ssomanager.deleteSSOSessionID(httpReq, httpResp);
+			
+		} catch (MOADatabaseException e) {
+			Logger.warn("Delete MOASession FAILED.");
+			sloContainer.putFailedOA(AuthConfigurationProvider.getInstance().getPublicURLPrefix());
+			
+		}
+		
+		//start service provider back channel logout process
+		Iterator<String> nextOAInterator = sloContainer.getNextBackChannelOA();	
+		while (nextOAInterator.hasNext()) {
+			SLOInformationImpl sloDescr = sloContainer.getBackChannelOASessionDescripten(nextOAInterator.next());
+			LogoutRequest sloReq = SingleLogOutBuilder.buildSLORequestMessage(sloDescr);
+
+			try {
+				List<XMLObject> soapResp = MOASAMLSOAPClient.send(sloDescr.getServiceURL(), sloReq);
+				
+				LogoutResponse sloResp = null;						
+				for (XMLObject el : soapResp) {
+					if (el instanceof LogoutResponse)
+						sloResp = (LogoutResponse) el;							
+				}
+				
+				if (sloResp == null) {
+					Logger.warn("Single LogOut for OA " + sloReq.getIssuer().getValue()
+							+ " FAILED. NO LogOut response received.");
+					sloContainer.putFailedOA(sloReq.getIssuer().getValue());
+					
+				}
+				
+				SingleLogOutBuilder.checkStatusCode(sloContainer, sloResp);
+										
+			} catch (SOAPException e) {
+				Logger.warn("Single LogOut for OA " + sloReq.getIssuer().getValue()
+						+ " FAILED.", e);
+				sloContainer.putFailedOA(sloReq.getIssuer().getValue());
+				
+			} catch (SecurityException e) {
+				Logger.warn("Single LogOut for OA " + sloReq.getIssuer().getValue()
+						+ " FAILED.", e);
+				sloContainer.putFailedOA(sloReq.getIssuer().getValue());
+				
+			}					
+		}
+						
+		//start service provider front channel logout process
+		try {
+			if (sloContainer.hasFrontChannelOA()) {
+				String relayState = Random.nextRandom();
+				
+				Collection<Entry<String, SLOInformationImpl>> sloDescr = sloContainer.getFrontChannelOASessionDescriptions();
+				List<String> sloReqList = new ArrayList<String>();
+				for (Entry<String, SLOInformationImpl> el : sloDescr) {
+					LogoutRequest sloReq = SingleLogOutBuilder.buildSLORequestMessage(el.getValue());
+					try {
+						sloReqList.add(SingleLogOutBuilder.getFrontChannelSLOMessageURL(el.getValue().getServiceURL(), el.getValue().getBinding(), 
+								sloReq, httpReq, httpResp, relayState));
+						
+					} catch (Exception e) {
+						Logger.warn("Failed to build SLO request for OA:" + el.getKey());
+						sloContainer.putFailedOA(el.getKey());
+						
+					}														
+				}
+				
+				AssertionStorage.getInstance().put(relayState, sloContainer);
+				
+		        VelocityContext context = new VelocityContext();
+		        context.put("redirectURLs", sloReqList);
+		        ssomanager.printSingleLogOutInfo(context, httpResp);
+				
+								
+			} else {
+				if (pvpReq != null) {
+					//send SLO response to SLO request issuer
+					SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq);
+					LogoutResponse message = SingleLogOutBuilder.buildSLOResponseMessage(sloService, pvpReq, sloContainer.getSloFailedOAs());
+					SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState);
+					
+				} else {
+					//print SLO information directly
+			        VelocityContext context = new VelocityContext();
+			        if (sloContainer.getSloFailedOAs() == null || 
+			        		sloContainer.getSloFailedOAs().size() == 0)
+			        	context.put("successMsg", 
+			        			MessageProvider.getInstance().getMessage("slo.00", null));
+			        else
+			        	context.put("errorMsg", 
+			        			MessageProvider.getInstance().getMessage("slo.01", null));
+			        ssomanager.printSingleLogOutInfo(context, httpResp);
+										
+				}
+									
+			}	
+								
+		} catch (MOADatabaseException e) {
+			Logger.error("MOA AssertionDatabase ERROR", e);
+			if (pvpReq != null) {
+				SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq);
+				LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq);
+				SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState);
+				
+			}else {
+				//print SLO information directly
+		        VelocityContext context = new VelocityContext();
+	        	context.put("errorMsg", 
+	        			MessageProvider.getInstance().getMessage("slo.01", null));
+		        ssomanager.printSingleLogOutInfo(context, httpResp);
+									
+			}
+			
+		} catch (Exception e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}				
+	}
+		
+	public void performOnlyIDPLogOut(HttpServletRequest request,
 			HttpServletResponse response, String moaSessionID) {
 		Logger.info("Logout");
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
index f4f89a4ba..02e252412 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java
@@ -22,17 +22,22 @@
  *******************************************************************************/
 package at.gv.egovernment.moa.id.moduls;
 
+import java.io.StringWriter;
 import java.util.List;
 
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.velocity.Template;
+import org.apache.velocity.VelocityContext;
+import org.apache.velocity.app.VelocityEngine;
 import org.hibernate.Query;
 import org.hibernate.Session;
 
 import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils;
 import at.gv.egovernment.moa.id.commons.db.dao.session.AuthenticatedSessionStore;
 import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
@@ -42,6 +47,7 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.Random;
+import at.gv.egovernment.moa.id.util.VelocityProvider;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
 
@@ -267,6 +273,26 @@ public class SSOManager {
 		
 	}
 	
+	public void printSingleLogOutInfo(VelocityContext context, HttpServletResponse httpResp) throws MOAIDException {		
+		try {		
+			Logger.trace("Initialize VelocityEngine...");
+			VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine();
+			Template template = velocityEngine.getTemplate("/resources/templates/slo_template.html");
+
+			StringWriter writer = new StringWriter();
+			template.merge(context, writer);
+        
+			httpResp.setContentType("text/html;charset=UTF-8");            
+			httpResp.getOutputStream().write(writer.toString().getBytes());
+			
+		} catch (Exception e) {
+			Logger.error("Single LogOut from can not created.", e);
+			throw new MOAIDException("Create Single LogOut information FAILED.", null, e);
+		}
+			
+	}
+	
+	
 	private String getValueFromCookie(HttpServletRequest httpReq, String cookieName) {
 		Cookie[] cookies = httpReq.getCookies();