enable mandates for eIDAS nodes

8 files changed, 30 insertions, 65 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java
index a6a5f1dd4..b4846db12 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java
@@ -38,7 +38,7 @@ public class EIDSourcePIN implements IPVPAttributeBuilder  {
 	public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
 			IAttributeGenerator<ATT> g) throws AttributeException {
 		
-		if (authData.isBusinessService())
+		if (authData.isBaseIDTransferRestrication())
 			throw new AttributePolicyException(EID_SOURCE_PIN_NAME);
 		
 		else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java
index 1d836802a..ccaecb3b6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java
@@ -23,7 +23,6 @@
 package at.gv.egovernment.moa.id.protocols.builder.attributes;
 
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.data.IAuthData;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException;
@@ -37,7 +36,7 @@ public class EIDSourcePINType implements IPVPAttributeBuilder {
 	public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
 			IAttributeGenerator<ATT> g) throws AttributeException {
 		
-		if (authData.isBusinessService())
+		if (authData.isBaseIDTransferRestrication())
 			throw new UnavailableAttributeException(EID_SOURCE_PIN_TYPE_NAME);
 		
 		else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
index f4e69749c..a74ed4af5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java
@@ -30,7 +30,9 @@ import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPers
 import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
 import at.gv.egovernment.moa.id.auth.exception.BuildException;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.Pair;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;
 import at.gv.egovernment.moa.id.util.MandateBuilder;
@@ -74,24 +76,16 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui
 				}
 				
 				try {					
-					if (id.getType().equals(Constants.URN_PREFIX_BASEID)) {
-												
-						/*TODO: some updates are required if we support bPKs in eIDAS context, because
-						 * BPKBuilder().buildWBPK only supports Austrian wbPKs  
-						 */						
-						if (oaParam.getBusinessService()) {
-							bpk = new BPKBuilder().buildWBPK(id.getValue().getValue(), oaParam.getIdentityLinkDomainIdentifier());
-							
-						} else {
-							bpk = new BPKBuilder().buildBPK(id.getValue().getValue(), oaParam.getTarget());
-							
-						}
-						
+					if (id.getType().equals(Constants.URN_PREFIX_BASEID)) {											
+						Pair<String, String> calcResult = new BPKBuilder().generateAreaSpecificPersonIdentifier(id.getValue().getValue(), 
+								oaParam.getAreaSpecificTargetIdentifier());
+						bpk = calcResult.getFirst();
+										
 					} else
 						bpk = id.getValue().getValue();
 					
 				}
-				catch (BuildException e) {
+				catch (BuildException | ConfigurationException e) {
 					Logger.error("Failed to generate IdentificationType");
 					throw new NoMandateDataAttributeException();
 					
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java
index 69a731e53..82ebbb2b5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java
@@ -27,10 +27,7 @@ import org.w3c.dom.Element;
 import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
 import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
 import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
-import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
-import at.gv.egovernment.moa.id.data.AuthenticationData;
 import at.gv.egovernment.moa.id.data.IAuthData;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributePolicyException;
@@ -64,7 +61,7 @@ public class MandateNaturalPersonSourcePinAttributeBuilder  implements IPVPAttri
 			IdentificationType id = null;
 			id = physicalPerson.getIdentification().get(0);
 			
-			if(oaParam.getBusinessService()) {
+			if(authData.isBaseIDTransferRestrication()) {
 				throw new AttributePolicyException(this.getName());
 			}
 			
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
index 643e30ac9..72691a034 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
@@ -227,9 +227,9 @@ public class AttributQueryAction implements IAction {
 				}
 				
 				//check next IDP service area policy. BusinessService IDPs can only request wbPKs 
-				if (!spConfig.getBusinessService() && !idp.isIDPPublicService()) {
+				if (!spConfig.hasBaseIdTransferRestriction() && !idp.isIDPPublicService()) {
 					Logger.error("Interfederated IDP " + idp.getPublicURLPrefix() 
-							+ " has a BusinessService-IDP but requests PublicService attributes.");
+							+ " is a BusinessService-IDP but requests PublicService attributes.");
 					throw new MOAIDException("auth.34", new Object[]{nextIDPInformation.getIdpurlprefix()});
 					
 				}	
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
index 2df72637d..4aa4f7419 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
@@ -59,7 +59,6 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableEx
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
 import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.Constants;
 
 /**
  * @author tlenz
@@ -70,7 +69,7 @@ public class AttributQueryBuilder {
 
 	@Autowired IDPCredentialProvider credentialProvider;
 	
-	public List<Attribute> buildSAML2AttributeList(IOAAuthParameters oa, Iterator<String> iterator) {
+	public List<Attribute> buildSAML2AttributeList(IOAAuthParameters oa, Iterator<String> iterator) throws ConfigurationException {
 		
 		Logger.debug("Build OA specific Attributes for AttributQuery request");
 		
@@ -87,17 +86,13 @@ public class AttributQueryBuilder {
 			} else {				
 				//add OA specific information
 				if (rA.equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) {
-					if (oa.getBusinessService())
-						attr = generator.buildStringAttribute(attr.getFriendlyName(), 
-								attr.getName(), oa.getIdentityLinkDomainIdentifier());
-					else
-						attr = generator.buildStringAttribute(attr.getFriendlyName(), 
-								attr.getName(), Constants.URN_PREFIX_CDID + "+" + oa.getTarget());					
+					attr = generator.buildStringAttribute(attr.getFriendlyName(), 
+								attr.getName(), oa.getAreaSpecificTargetIdentifier());					
+					
 				}
 				
 				//TODO: add attribute values for SSO with mandates (ProfileList)
-				
-				
+								
 				attrList.add(attr);
 			}			
 		}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index 55d8fa1ff..45539da3f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -60,11 +60,11 @@ import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBod
 import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
 import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
 import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
-import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
 import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.Pair;
 import at.gv.egovernment.moa.id.data.SLOInformationImpl;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
@@ -338,20 +338,8 @@ public class PVP2AssertionBuilder implements PVPConstants {
 					}
 					
 					//set bPK-Type from configuration, because it MUST be equal to service-provider type
-					if (oaParam.getBusinessService()) {
-						if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
-							bpktype = oaParam.getIdentityLinkDomainIdentifier();
-						else
-							bpktype = Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier();
-						
-					} else {
-						if (oaParam.getTarget().startsWith(Constants.URN_PREFIX_CDID + "+"))
-							bpktype = oaParam.getTarget();
-						else
-							bpktype = Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget();
-						
-					}
-					
+					bpktype = oaParam.getAreaSpecificTargetIdentifier();
+										
 				} else {
 					//sourcePin is include --> check sourcePinType
 					if (MiscUtil.isEmpty(bpktype))
@@ -365,21 +353,10 @@ public class PVP2AssertionBuilder implements PVPConstants {
 				
 			}
 			
-			if (bpktype.equals(Constants.URN_PREFIX_BASEID)) {
-				if (oaParam.getBusinessService()) {						    
-					subjectNameID.setValue(new BPKBuilder().buildWBPK(bpk, oaParam.getIdentityLinkDomainIdentifier()));
-					if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
-						subjectNameID.setNameQualifier(oaParam.getIdentityLinkDomainIdentifier());
-					else
-						subjectNameID.setNameQualifier(Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier());
-					
-				} else {
-					subjectNameID.setValue(new BPKBuilder().buildBPK(bpk, oaParam.getTarget()));
-					if (oaParam.getTarget().startsWith(Constants.URN_PREFIX_CDID + "+"))
-						subjectNameID.setNameQualifier(oaParam.getTarget());
-					else
-						subjectNameID.setNameQualifier(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
-				}
+			if (bpktype.equals(Constants.URN_PREFIX_BASEID)) {				
+				Pair<String, String> calcbPK = new BPKBuilder().generateAreaSpecificPersonIdentifier(bpk, oaParam.getAreaSpecificTargetIdentifier());								
+				subjectNameID.setValue(calcbPK.getFirst());
+				subjectNameID.setNameQualifier(calcbPK.getSecond());
 				
 				
 			} else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index 5380d7f53..ab355646c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -217,6 +217,9 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
 			Logger.warn("Refresh PVP2X metadata for onlineApplication: " 
 					+ entityID + " FAILED.", e);
 			
+		} catch (ConfigurationException e) {
+			Logger.warn("Refresh PVP2X metadata for onlineApplication: " 
+					+ entityID + " FAILED.", e);
 		}
 		
 		return false;
@@ -484,13 +487,13 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
 				
 	}
 		
-	private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException {
+	private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException, ConfigurationException {
 		PVPMetadataFilterChain filterChain = new PVPMetadataFilterChain(metadataURL, certificate);
 		filterChain.getFilters().add(new SchemaValidationFilter());
 		
 		if (oaParam.isInderfederationIDP()) {
 			Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies");
-			filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oaParam.getBusinessService()));
+			filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oaParam.hasBaseIdTransferRestriction()));
 			
 		}