authorThomas Lenz <tlenz@iaik.tugraz.at>2013-09-05 16:03:17 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2013-09-05 16:03:17 +0200
commit011ce9576c780cba8a0f7b321366e08b557adcf6 (patch)
tree35407ef34a4fd024f12e6c48b87c4dbf463520eb /id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java
parentea55b89c40e633f1bcea3ba8046a814b75370ed6 (diff)
-- Resign IdentityLink: if this feature is enabled, the IdentityLink is re-signed with MOA-SS in the business-service case
-- GeneralConfigReloadDaemon: Reload general MOA-ID configuration from database every minute if it has changed
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java169
1 files changed, 169 insertions, 0 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java
new file mode 100644
index 000000000..da44a3905
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java
@@ -0,0 +1,169 @@
+package at.gv.egovernment.moa.id.util;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+
+import javax.xml.transform.TransformerException;
+
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+
+import at.gv.egovernment.moa.id.MOAIDException;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.spss.MOAException;
+import at.gv.egovernment.moa.spss.api.SPSSFactory;
+import at.gv.egovernment.moa.spss.api.SignatureCreationService;
+import at.gv.egovernment.moa.spss.api.common.Content;
+import at.gv.egovernment.moa.spss.api.common.MetaInfo;
+import at.gv.egovernment.moa.spss.api.common.Transform;
+import at.gv.egovernment.moa.spss.api.xmlsign.CreateSignatureEnvironmentProfile;
+import at.gv.egovernment.moa.spss.api.xmlsign.CreateSignatureInfo;
+import at.gv.egovernment.moa.spss.api.xmlsign.CreateSignatureLocation;
+import at.gv.egovernment.moa.spss.api.xmlsign.CreateTransformsInfo;
+import at.gv.egovernment.moa.spss.api.xmlsign.CreateTransformsInfoProfile;
+import at.gv.egovernment.moa.spss.api.xmlsign.CreateXMLSignatureRequest;
+import at.gv.egovernment.moa.spss.api.xmlsign.CreateXMLSignatureResponse;
+import at.gv.egovernment.moa.spss.api.xmlsign.DataObjectInfo;
+import at.gv.egovernment.moa.spss.api.xmlsign.ErrorResponse;
+import at.gv.egovernment.moa.spss.api.xmlsign.SignatureEnvironmentResponse;
+import at.gv.egovernment.moa.spss.api.xmlsign.SingleSignatureInfo;
+import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+public class IdentityLinkReSigner {
+
+ private static IdentityLinkReSigner instance;
+
+ public static IdentityLinkReSigner getInstance() {
+ if (instance == null) {
+ instance = new IdentityLinkReSigner();
+ }
+ return instance;
+ }
+
+ public Element resignIdentityLink(Element idl) throws MOAIDException {
+
+ try {
+ AuthConfigurationProvider config = AuthConfigurationProvider.getInstance();
+
+ if (config.isIdentityLinkResigning()) {
+
+ if (idl == null) {
+ Logger.warn("IdentityLink is empty");
+ return null;
+
+ } else {
+ NodeList signatures = idl.getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature");
+ Node signature = signatures.item(0);
+ Node parent = signature.getParentNode();
+ parent.removeChild(signature);
+ }
+
+ SPSSFactory spssFac = SPSSFactory.getInstance();
+
+ String keyGroupId = config.getIdentityLinkResigningKey();
+ if (MiscUtil.isEmpty(keyGroupId)) {
+ Logger.warn("No IdentityLink reSigning-Key definded");
+ throw new MOAIDException("config.19", new Object[]{});
+ }
+
+ MetaInfo mi = spssFac.createMetaInfo("text/xml", null, null, null);
+
+ Transform envelopedSignatureTransform = spssFac.createEnvelopedSignatureTransform();
+ List<Transform> transformsList = new ArrayList<Transform>();
+ transformsList.add(envelopedSignatureTransform);
+
+ CreateTransformsInfo ct = spssFac.createCreateTransformsInfo(transformsList, mi);
+ CreateTransformsInfoProfile ctip = spssFac.createCreateTransformsInfoProfile(ct, null);
+
+ Content content = spssFac.createContent("");
+ DataObjectInfo doi = spssFac.createDataObjectInfo(DataObjectInfo.STRUCTURE_DETACHED, false, content, ctip);
+
+ // create signature environment
+ HashMap<String, String> nsMap = new HashMap<String, String>();
+ nsMap.put(Constants.SAML_PREFIX, Constants.SAML_NS_URI);
+ nsMap.put(Constants.DSIG_PREFIX, Constants.DSIG_NS_URI);
+ nsMap.put(Constants.PD_PREFIX, Constants.PD_NS_URI);
+
+ CreateSignatureLocation csl = spssFac.createCreateSignatureLocation("/" + Constants.SAML_PREFIX + ":" + "Assertion", -1, nsMap);
+ CreateSignatureEnvironmentProfile csep = spssFac.createCreateSignatureEnvironmentProfile(csl, null);
+
+
+ InputStream serializedIdl = new ByteArrayInputStream(DOMUtils.serializeNode(idl).getBytes());
+
+ Content confirmationContent = spssFac.createContent(serializedIdl, null);
+ CreateSignatureInfo csi = spssFac.createCreateSignatureInfo(confirmationContent, csep);
+
+ List<DataObjectInfo> dataobjectinfoList = new ArrayList<DataObjectInfo>();
+ dataobjectinfoList.add(doi);
+ SingleSignatureInfo ssi = spssFac.createSingleSignatureInfo(dataobjectinfoList, csi, false);
+
+
+ List<SingleSignatureInfo> singlesignatureinfolist = new ArrayList<SingleSignatureInfo>();
+ singlesignatureinfolist.add(ssi);
+
+ CreateXMLSignatureRequest cxsreq = spssFac.createCreateXMLSignatureRequest(keyGroupId, singlesignatureinfolist);
+
+
+ // signature creation service
+ SignatureCreationService scs = SignatureCreationService.getInstance();
+ CreateXMLSignatureResponse cxresp;
+ Logger.info("Creating MOA-SS signature");
+ cxresp = scs.createXMLSignature(cxsreq);
+
+ // evaluate response
+ List<Object> elements = cxresp.getResponseElements();
+
+ if (elements.get(0) instanceof ErrorResponse) {
+ ErrorResponse errResponse = (ErrorResponse) elements.get(0);
+ Logger.warn("Error while calling MOA-SS: " + errResponse.getErrorCode() + " / " + errResponse.getInfo());
+ throw new MOAIDException("builder.04", new Object[]{errResponse.getErrorCode(), errResponse.getInfo()});
+
+ } else if (elements.get(0) instanceof SignatureEnvironmentResponse) {
+ Logger.debug("Successfully created signature.");
+ SignatureEnvironmentResponse ser = (SignatureEnvironmentResponse) elements.get(0);
+ int responseType = ser.getResponseType();
+ if (responseType == SignatureEnvironmentResponse.ERROR_RESPONSE) {
+ Logger.warn("Allgemeiner Fehler beim Aufruf von MOA-SS: Unbekannter ResponseType von MOA-SS");
+ throw new MOAIDException("builder.05", new Object[]{});
+
+ } else {
+ return ser.getSignatureEnvironment();
+ }
+
+ } else {
+ Logger.warn("Allgemeiner Fehler beim Aufruf von MOA-SS: Unbekannter ResponseType von MOA-SS");
+ throw new MOAIDException("builder.05", new Object[]{});
+ }
+
+ } else
+ return idl;
+
+ } catch (ConfigurationException e) {
+ Logger.warn("Configuration can not be loaded", e);
+ throw new MOAIDException("config.18", new Object[]{});
+
+ } catch (TransformerException e) {
+ Logger.warn("IdentityLink serialization error.", e);
+ throw new MOAIDException("builder.05", new Object[]{});
+
+ } catch (IOException e) {
+ Logger.warn("IdentityLink I/O error.", e);
+ throw new MOAIDException("builder.05", new Object[]{});
+
+ } catch (MOAException e) {
+ Logger.warn("General IdentityLink signing error.", e);
+ throw new MOAIDException("builder.05", new Object[]{});
+
+ }
+ }
+
+}
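Review bot: `signatures.item(0)` in the `else` branch of the null check returns null when the IdentityLink carries no dsig:Signature element, so `signature.getParentNode()` throws a NullPointerException that none of the catch clauses below handles; guard it before the removal, e.g. `if (signature == null) { Logger.warn("IdentityLink carries no signature"); throw new MOAIDException("builder.05", new Object[]{}); }`. The same unchecked access recurs at `elements.get(0)` in the response evaluation, which throws IndexOutOfBoundsException on an empty response list and is likewise not mapped to a MOAIDException. `DOMUtils.serializeNode(idl).getBytes()` uses the platform default charset, which can alter non-ASCII person data before it is signed; `getBytes("UTF-8")` pins the encoding (assuming serializeNode returns a String, as the call suggests). Because the method strips the existing signature and re-signs with the configured key group without verifying the original, the method lacks Javadoc stating that contract, e.g. `Re-signs an IdentityLink whose original signature the caller has already verified; the first dsig:Signature is removed and replaced by a MOA-SS signature, or the element is returned unchanged when re-signing is disabled.`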