diff options
| author | Bojan Suzic <bojan.suzic@iaik.tugraz.at> | 2014-11-03 13:05:12 +0100 |
|---|---|---|
| committer | Bojan Suzic <bojan.suzic@iaik.tugraz.at> | 2014-11-03 13:05:12 +0100 |
| commit | c2819264cface1a6f11cfe692429a0e93804794f (patch) | |
| tree | 710858de5e3d9883d36213b041e5baff25d1da29 /id/server/idserverlib/src/main/java/at/gv/egovernment | |
| parent | 22a66cdf1b5f7916422034f3338e680202ddc31b (diff) | |
| parent | 2886006ba2ca141377e66a330df5fc52797c2755 (diff) | |
| download | moa-id-spss-c2819264cface1a6f11cfe692429a0e93804794f.tar.gz moa-id-spss-c2819264cface1a6f11cfe692429a0e93804794f.tar.bz2 moa-id-spss-c2819264cface1a6f11cfe692429a0e93804794f.zip | |
merging
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment')
47 files changed, 1722 insertions, 316 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java index f20339506..b68db92a4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java @@ -110,8 +110,7 @@ public class StatisticLogger { Logger.warn("Advanced logging failed: OA can not be found in database."); return; } - - + StatisticLog dblog = new StatisticLog(); //set actual date and time @@ -125,12 +124,8 @@ public class StatisticLogger { dblog.setOafriendlyName(dbOA.getFriendlyName()); boolean isbusinessservice = isBusinessService(dbOA); - dblog.setBusinessservice(isbusinessservice); - - if (isbusinessservice) - dblog.setOatarget(dbOA.getAuthComponentOA().getIdentificationNumber().getValue()); - else - dblog.setOatarget(dbOA.getTarget()); + dblog.setBusinessservice(isbusinessservice); + dblog.setOatarget(authData.getBPKType()); dblog.setInterfederatedSSOSession(authData.isInterfederatedSSOSession()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index a8a7d0c51..5c0e497a3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -31,7 +31,6 @@ import java.security.PrivateKey; import java.util.ArrayList; import java.util.Arrays; import java.util.Date; -import java.util.Iterator; import java.util.List; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -66,6 +65,7 @@ import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.DynamicOABuildException; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; @@ -78,6 +78,7 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.AuthenticationRoleFactory; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; @@ -102,6 +103,11 @@ import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.XPathUtils; +import at.gv.util.client.szr.SZRClient; +import at.gv.util.config.EgovUtilPropertiesConfiguration; +import at.gv.util.ex.EgovUtilException; +import at.gv.util.wsdl.szr.SZRException; +import at.gv.util.xsd.szr.PersonInfoType; /** * @author tlenz @@ -170,7 +176,11 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { //get OnlineApplication from MOA-ID-Auth configuration oaParam = AuthConfigurationProvider.getInstance() .getOnlineApplicationParameter(oaID); - + + //build OA dynamically from STROK request if this OA is used as STORK<->PVP gateway + if (oaParam.isSTORKPVPGateway()) + oaParam = DynamicOAAuthParameterBuilder.buildFromAuthnRequest(oaParam, protocolRequest); + } else { //build OnlineApplication dynamic from requested attributes oaParam = DynamicOAAuthParameterBuilder.buildFromAttributeQuery(reqAttributes, interfIDP); @@ -342,23 +352,46 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { Logger.debug("Build AuthData from assertion starts ...."); - authData.setFamilyName(extractor.getAttribute(PVPConstants.PRINCIPAL_NAME_NAME)); - authData.setGivenName(extractor.getAttribute(PVPConstants.GIVEN_NAME_NAME)); - authData.setDateOfBirth(extractor.getAttribute(PVPConstants.BIRTHDATE_NAME)); - authData.setBPKType(extractor.getAttribute(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)); - authData.setCcc(extractor.getAttribute(PVPConstants.EID_ISSUING_NATION_NAME)); - authData.setBkuURL(extractor.getAttribute(PVPConstants.EID_CCS_URL_NAME)); - authData.setIdentificationValue(extractor.getAttribute(PVPConstants.EID_SOURCE_PIN_NAME)); - authData.setIdentificationType(extractor.getAttribute(PVPConstants.EID_SOURCE_PIN_TYPE_NAME)); + authData.setIsBusinessService(oaParam.getBusinessService()); + + authData.setFamilyName(extractor.getSingleAttributeValue(PVPConstants.PRINCIPAL_NAME_NAME)); + authData.setGivenName(extractor.getSingleAttributeValue(PVPConstants.GIVEN_NAME_NAME)); + authData.setDateOfBirth(extractor.getSingleAttributeValue(PVPConstants.BIRTHDATE_NAME)); + authData.setBPKType(extractor.getSingleAttributeValue(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)); + authData.setCcc(extractor.getSingleAttributeValue(PVPConstants.EID_ISSUING_NATION_NAME)); + authData.setBkuURL(extractor.getSingleAttributeValue(PVPConstants.EID_CCS_URL_NAME)); + authData.setIdentificationValue(extractor.getSingleAttributeValue(PVPConstants.EID_SOURCE_PIN_NAME)); + authData.setIdentificationType(extractor.getSingleAttributeValue(PVPConstants.EID_SOURCE_PIN_TYPE_NAME)); if (extractor.containsAttribute(PVPConstants.BPK_NAME)) { - String pvpbPK = extractor.getAttribute(PVPConstants.BPK_NAME); - authData.setBPK(pvpbPK.split(":")[1]); + String pvpbPK = extractor.getSingleAttributeValue(PVPConstants.BPK_NAME); + String[] spitted = pvpbPK.split(":"); + authData.setBPK(spitted[1]); + if (MiscUtil.isEmpty(authData.getBPKType())) { + Logger.debug("PVP assertion contains NO bPK/wbPK target attribute. " + + "Starting target extraction from bPK/wbPK prefix ..."); + //exract bPK/wbPK type from bpk attribute value prefix if type is + //not transmitted as single attribute + Pattern pattern = Pattern.compile("[a-zA-Z]{2}(-[a-zA-Z]+)?"); + Matcher matcher = pattern.matcher(spitted[0]); + if (matcher.matches()) { + //find public service bPK + authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + spitted[0]); + Logger.debug("Found bPK prefix. Set target to " + authData.getBPKType()); + + } else { + //find business service wbPK + authData.setBPKType(Constants.URN_PREFIX_WBPK+ "+" + spitted[0]); + Logger.debug("Found wbPK prefix. Set target to " + authData.getBPKType()); + + } + } } + boolean foundEncryptedbPKForOA = false; if (extractor.containsAttribute(PVPConstants.ENC_BPK_LIST_NAME)) { List<String> encbPKList = Arrays.asList( - extractor.getAttribute(PVPConstants.ENC_BPK_LIST_NAME).split(";")); + extractor.getSingleAttributeValue(PVPConstants.ENC_BPK_LIST_NAME).split(";")); authData.setEncbPKList(encbPKList); for (String fullEncbPK : encbPKList) { int index = fullEncbPK.indexOf("|"); @@ -372,6 +405,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { + oaParam.getPublicURLPrefix() + " Start decryption process ..."); PrivateKey privKey = oaParam.getBPKDecBpkDecryptionKey(); + foundEncryptedbPKForOA = true; if (privKey != null) { try { String bPK = BPKBuilder.decryptBPK(encbPK, oaParam.getTarget(), privKey); @@ -406,20 +440,99 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } } - if (MiscUtil.isEmpty(authData.getBPK()) && authData.getEncbPKList().size() == 0) { - Logger.error("Federated assertion include no bPK or encrypted bPK"); + if (MiscUtil.isEmpty(authData.getIdentificationValue()) && + MiscUtil.isEmpty(authData.getBPK()) && + !foundEncryptedbPKForOA) { + Logger.info("Federated assertion include no bPK, encrypted bPK or baseID"); throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME - + " or " + PVPConstants.ENC_BPK_LIST_FRIENDLY_NAME); + + " or " + PVPConstants.EID_SOURCE_PIN_NAME + + " or " + PVPConstants.ENC_BPK_LIST_NAME); + + } + + //check if received bPK matchs to online application configuration + //and no encrypted bPK is found for this oa + if (!matchsReceivedbPKToOnlineApplication(oaParam, authData) + && !foundEncryptedbPKForOA) { + Logger.info("Received bPK/wbPK does not match to online application"); + + if (MiscUtil.isEmpty(authData.getIdentificationValue())) { + Logger.info("No baseID found. Connect SZR to reveive baseID ..."); + try { + EgovUtilPropertiesConfiguration eGovClientsConfig = AuthConfigurationProvider.getInstance().geteGovUtilsConfig(); + if (eGovClientsConfig != null) { + SZRClient szrclient = new SZRClient(eGovClientsConfig); + + Logger.debug("Create SZR request to get baseID ... "); + PersonInfoType personInfo = new PersonInfoType(); + at.gv.util.xsd.szr.persondata.PhysicalPersonType person = new at.gv.util.xsd.szr.persondata.PhysicalPersonType(); + personInfo.setPerson(person); + at.gv.util.xsd.szr.persondata.PersonNameType name = new at.gv.util.xsd.szr.persondata.PersonNameType(); + person.setName(name); + at.gv.util.xsd.szr.persondata.IdentificationType idValue = new at.gv.util.xsd.szr.persondata.IdentificationType(); + person.setIdentification(idValue); + + //set bPK or wbPK + idValue.setValue(authData.getBPK()); + idValue.setType(authData.getBPKType()); + + //set person information + name.setGivenName(authData.getGivenName()); + name.setFamilyName(authData.getFamilyName()); + if (authData.getDateOfBirth() != null) + person.setDateOfBirth(authData.getFormatedDateOfBirth()); + + //request szr and store baseID + authData.setIdentificationValue(szrclient.getStammzahl(personInfo)); + authData.setIdentificationType(Constants.URN_PREFIX_BASEID); + + } else { + Logger.warn("No SZR clieht configuration found. Interfederation SSO login not possible."); + throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME + + " or " + PVPConstants.EID_SOURCE_PIN_NAME); + + } + + } catch (ConfigurationException e) { + Logger.warn("SZR connection FAILED. Interfederation SSO login not possible.", e); + throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME + + " or " + PVPConstants.EID_SOURCE_PIN_NAME); + + } catch (EgovUtilException e) { + Logger.warn("SZR connection FAILED. Interfederation SSO login not possible.", e); + throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME + + " or " + PVPConstants.EID_SOURCE_PIN_NAME); + + } catch (SZRException e) { + Logger.warn("SZR connection FAILED. Interfederation SSO login not possible.", e); + throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME + + " or " + PVPConstants.EID_SOURCE_PIN_NAME); + + } + } + + //build OA specific bPK/wbPK information + buildOAspecificbPK(oaParam, authData, + authData.getIdentificationValue(), + authData.getIdentificationType()); + + } + + if (MiscUtil.isEmpty(authData.getBPK())) { + Logger.debug("Calcutlate bPK from baseID"); + buildOAspecificbPK(oaParam, authData, + authData.getIdentificationValue(), + authData.getIdentificationType()); } if (extractor.containsAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + - extractor.getAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)); + extractor.getSingleAttributeValue(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)); if (extractor.containsAttribute(PVPConstants.EID_AUTH_BLOCK_NAME)) { try { - byte[] authBlock = Base64Utils.decode(extractor.getAttribute(PVPConstants.EID_AUTH_BLOCK_NAME), false); + byte[] authBlock = Base64Utils.decode(extractor.getSingleAttributeValue(PVPConstants.EID_AUTH_BLOCK_NAME), false); authData.setAuthBlock(new String(authBlock, "UTF-8")); } catch (IOException e) { @@ -431,7 +544,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { if (extractor.containsAttribute(PVPConstants.EID_SIGNER_CERTIFICATE_NAME)) { try { authData.setSignerCertificate(Base64Utils.decode( - extractor.getAttribute(PVPConstants.EID_SIGNER_CERTIFICATE_NAME), false)); + extractor.getSingleAttributeValue(PVPConstants.EID_SIGNER_CERTIFICATE_NAME), false)); } catch (IOException e) { Logger.error("Received SignerCertificate is not valid", e); @@ -441,10 +554,10 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { if (extractor.containsAttribute(PVPConstants.EID_IDENTITY_LINK_NAME)) { try { - InputStream idlStream = Base64Utils.decodeToStream(extractor.getAttribute(PVPConstants.EID_IDENTITY_LINK_NAME), false); + InputStream idlStream = Base64Utils.decodeToStream(extractor.getSingleAttributeValue(PVPConstants.EID_IDENTITY_LINK_NAME), false); IdentityLink idl = new IdentityLinkAssertionParser(idlStream).parseIdentityLink(); - authData.setIdentityLink(idl); - + buildOAspecificIdentityLink(oaParam, authData, idl); + } catch (ParseException e) { Logger.error("Received IdentityLink is not valid", e); @@ -456,12 +569,12 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { // set mandate attributes - authData.setMandateReferenceValue(extractor.getAttribute(PVPConstants.MANDATE_REFERENCE_VALUE_NAME)); + authData.setMandateReferenceValue(extractor.getSingleAttributeValue(PVPConstants.MANDATE_REFERENCE_VALUE_NAME)); if (extractor.containsAttribute(PVPConstants.MANDATE_FULL_MANDATE_NAME)) { try { byte[] mandate = Base64Utils.decode( - (extractor.getAttribute(PVPConstants.MANDATE_FULL_MANDATE_NAME)), false); + (extractor.getSingleAttributeValue(PVPConstants.MANDATE_FULL_MANDATE_NAME)), false); if (authData.getMISMandate() == null) authData.setMISMandate(new MISMandate()); @@ -502,9 +615,9 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { legalperson.getIdentification().add(legalID ); mandator.setCorporateBody(legalperson ); - legalperson.setFullName(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME)); - legalID.setType(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)); - idvalue.setValue(extractor.getAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME)); + legalperson.setFullName(extractor.getSingleAttributeValue(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME)); + legalID.setType(extractor.getSingleAttributeValue(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)); + idvalue.setValue(extractor.getSingleAttributeValue(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME)); //build natural person short mandate } else if ( (extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME) || @@ -524,18 +637,18 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { Value idValue = new Value(); persID.setValue(idValue ); - String[] pvp2GivenName = extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME).split(" "); + String[] pvp2GivenName = extractor.getSingleAttributeValue(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME).split(" "); for(int i=0; i<pvp2GivenName.length; i++) persName.getGivenName().add(pvp2GivenName[i]); - familyName.setValue(extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME)); - physPerson.setDateOfBirth(extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME)); + familyName.setValue(extractor.getSingleAttributeValue(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME)); + physPerson.setDateOfBirth(extractor.getSingleAttributeValue(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME)); if (extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME)) { persID.setType(Constants.URN_PREFIX_BASEID); - idValue.setValue(extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME)); + idValue.setValue(extractor.getSingleAttributeValue(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME)); } else { - String[] pvp2bPK = extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME).split(":"); + String[] pvp2bPK = extractor.getSingleAttributeValue(PVPConstants.MANDATE_NAT_PER_BPK_NAME).split(":"); if (pvp2bPK.length == 2) { idValue.setValue(pvp2bPK[1]); @@ -547,7 +660,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { persID.setType(Constants.URN_PREFIX_WBPK + "+" + pvp2bPK[0]); } else { - Logger.warn("Receive mandator bPK from federation with an unsupported format. " + extractor.getAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME)); + Logger.warn("Receive mandator bPK from federation with an unsupported format. " + extractor.getSingleAttributeValue(PVPConstants.MANDATE_NAT_PER_BPK_NAME)); throw new AssertionAttributeExtractorExeption("Receive mandator bPK from federation with an unsupported format."); } @@ -585,14 +698,25 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { if (authData.getMISMandate() == null) authData.setMISMandate(new MISMandate()); authData.getMISMandate().setProfRep( - extractor.getAttribute(PVPConstants.MANDATE_PROF_REP_OID_NAME)); + extractor.getSingleAttributeValue(PVPConstants.MANDATE_PROF_REP_OID_NAME)); } - + + //set PVP role attribute + if (extractor.containsAttribute(PVPConstants.ROLES_NAME)) { + String pvpRoles = extractor.getSingleAttributeValue(PVPConstants.ROLES_NAME); + if (MiscUtil.isNotEmpty(pvpRoles)) { + List<String> roles = Arrays.asList(pvpRoles.split(";")); + for (String role : roles) { + authData.addAuthenticationRole(AuthenticationRoleFactory.buildFormPVPole(role)); + } + } + } + //set STORK attributes if (extractor.containsAttribute(PVPConstants.EID_STORK_TOKEN_NAME)) { - authData.setStorkAuthnResponse(extractor.getAttribute(PVPConstants.EID_STORK_TOKEN_NAME)); + authData.setStorkAuthnResponse(extractor.getSingleAttributeValue(PVPConstants.EID_STORK_TOKEN_NAME)); authData.setForeigner(true); } @@ -604,6 +728,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } authData.setSsoSession(true); + authData.setInterfederatedSSOSession(true); if (extractor.getFullAssertion().getConditions() != null && extractor.getFullAssertion().getConditions().getNotOnOrAfter() != null) authData.setSsoSessionValidTo(extractor.getFullAssertion().getConditions().getNotOnOrAfter().toDate()); @@ -616,17 +741,45 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { authData.setPublicAuthority(false); } + /** + * @param oaParam + * @param authData + * @return + */ + private static boolean matchsReceivedbPKToOnlineApplication( + IOAAuthParameters oaParam, AuthenticationData authData) { + + String oaTarget = null; + if (oaParam.getBusinessService()) { + if (oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_WBPK) || + oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_STORK)) + oaTarget = oaParam.getIdentityLinkDomainIdentifier(); + + else { + Logger.warn("BusinessIdentifier can not be clearly assigned, because it starts without a prefix."); + return false; + + } + + } else { + oaTarget = Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget(); + + } + + + if (oaTarget.equals(authData.getBPKType())) + return true; + else + return false; + } + private static void buildAuthDataFormMOASession(AuthenticationData authData, AuthenticationSession session, IOAAuthParameters oaParam) throws BuildException, ConfigurationException { - - String target = oaParam.getTarget(); IdentityLink identityLink = session.getIdentityLink(); VerifyXMLSignatureResponse verifyXMLSigResp = session.getXMLVerifySignatureResponse(); - boolean businessService = oaParam.getBusinessService(); - authData.setIssuer(session.getAuthURL()); //baseID or wbpk in case of BusinessService without SSO or BusinessService SSO @@ -661,6 +814,8 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { authData.setForeigner(session.isForeigner()); authData.setQAALevel(session.getQAALevel()); + authData.setIsBusinessService(oaParam.getBusinessService()); + if (session.isForeigner()) { try { //TODO: replace with TSL lookup when TSL is ready! @@ -733,67 +888,12 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { Logger.trace("Authenticated User is OW: " + mandate.getOWbPK()); } else { - - if (businessService) { - //since we have foreigner, wbPK is not calculated in BKU - if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - - String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier(); - - if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) { - // If domainIdentifier starts with prefix - // "urn:publicid:gv.at:wbpk+"; remove this prefix - registerAndOrdNr = registerAndOrdNr - .substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length()); - Logger.debug("Register and ordernumber prefix stripped off; resulting register string: " - + registerAndOrdNr); - } - - String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), registerAndOrdNr); - authData.setBPK(wbpkBase64); - authData.setBPKType(Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr); - - } else { - authData.setBPK(identityLink.getIdentificationValue()); - authData.setBPKType(identityLink.getIdentificationType()); - - } - - Logger.trace("Authenticate user with wbPK " + authData.getBPK()); - - Element idlassertion = session.getIdentityLink().getSamlAssertion(); - //set bpk/wpbk; - Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); - prIdentification.getFirstChild().setNodeValue(authData.getBPK()); - //set bkp/wpbk type - Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH); - prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType()); - - IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion); - IdentityLink idl = idlparser.parseIdentityLink(); - - //resign IDL - IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance(); - Element resignedilAssertion; - resignedilAssertion = identitylinkresigner.resignIdentityLink(idl.getSamlAssertion()); - IdentityLinkAssertionParser resignedIDLParser = new IdentityLinkAssertionParser(resignedilAssertion); - IdentityLink resignedIDL = resignedIDLParser.parseIdentityLink(); - - authData.setIdentityLink(resignedIDL); - - } else { - - if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - // only compute bPK if online application is a public service and we have the Stammzahl - String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), target); - authData.setBPK(bpkBase64); - authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); - } - - Logger.trace("Authenticate user with bPK " + authData.getBPK()); - - authData.setIdentityLink(identityLink); - } + buildOAspecificbPK(oaParam, authData, + identityLink.getIdentificationValue(), + identityLink.getIdentificationType()); + + buildOAspecificIdentityLink(oaParam, authData, identityLink); + } @@ -803,4 +903,65 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } } + + private static void buildOAspecificIdentityLink(IOAAuthParameters oaParam, AuthenticationData authData, IdentityLink idl) throws MOAIDException { + if (oaParam.getBusinessService()) { + Element idlassertion = idl.getSamlAssertion(); + //set bpk/wpbk; + Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); + prIdentification.getFirstChild().setNodeValue(authData.getBPK()); + //set bkp/wpbk type + Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH); + prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType()); + + IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion); + IdentityLink businessServiceIdl = idlparser.parseIdentityLink(); + + //resign IDL + IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance(); + Element resignedilAssertion; + resignedilAssertion = identitylinkresigner.resignIdentityLink(businessServiceIdl.getSamlAssertion()); + IdentityLinkAssertionParser resignedIDLParser = new IdentityLinkAssertionParser(resignedilAssertion); + IdentityLink resignedIDL = resignedIDLParser.parseIdentityLink(); + + authData.setIdentityLink(resignedIDL); + + } else + authData.setIdentityLink(idl); + + + } + + private static void buildOAspecificbPK(IOAAuthParameters oaParam, AuthenticationData authData, String baseID, String baseIDType) throws BuildException { + + if (oaParam.getBusinessService()) { + //since we have foreigner, wbPK is not calculated in BKU + if (baseIDType.equals(Constants.URN_PREFIX_BASEID)) { + String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier(); + authData.setBPK(new BPKBuilder().buildbPKorwbPK(baseID, registerAndOrdNr)); + authData.setBPKType(registerAndOrdNr); + + } else { + authData.setBPK(baseID); + authData.setBPKType(baseIDType); + + } + + Logger.trace("Authenticate user with wbPK " + authData.getBPK()); + + } else { + + if (baseIDType.equals(Constants.URN_PREFIX_BASEID)) { + // only compute bPK if online application is a public service and we have the Stammzahl + String bpkBase64 = new BPKBuilder().buildBPK(baseID, oaParam.getTarget()); + authData.setBPK(bpkBase64); + authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); + } + + Logger.trace("Authenticate user with bPK " + authData.getBPK()); + } + + + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java index b122ba17e..063d7d8e4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java @@ -46,7 +46,6 @@ package at.gv.egovernment.moa.id.auth.builder; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.logging.Logger; @@ -54,7 +53,6 @@ import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.MiscUtil; -import java.io.UnsupportedEncodingException; import java.security.InvalidKeyException; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; @@ -103,14 +101,7 @@ public class BPKBuilder { else basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_CDID + "+" + target; - try { - MessageDigest md = MessageDigest.getInstance("SHA-1"); - byte[] hash = md.digest(basisbegriff.getBytes("ISO-8859-1")); - String hashBase64 = Base64Utils.encode(hash); - return hashBase64; - } catch (Exception ex) { - throw new BuildException("builder.00", new Object[]{"bPK", ex.toString()}, ex); - } + return calculatebPKwbPK(basisbegriff); } /** @@ -139,16 +130,24 @@ public class BPKBuilder { else basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr; - try { - MessageDigest md = MessageDigest.getInstance("SHA-1"); - byte[] hash = md.digest(basisbegriff.getBytes("ISO-8859-1")); - String hashBase64 = Base64Utils.encode(hash); - return hashBase64; - } catch (Exception ex) { - throw new BuildException("builder.00", new Object[]{"wbPK", ex.toString()}, ex); - } + return calculatebPKwbPK(basisbegriff); } + public String buildbPKorwbPK(String baseID, String bPKorwbPKTarget) throws BuildException { + if (MiscUtil.isEmpty(baseID) || + !(bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_CDID + "+") || + bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_WBPK + "+") || + bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_STORK + "+")) ) { + throw new BuildException("builder.00", + new Object[]{"bPK/wbPK", "bPK or wbPK target " + bPKorwbPKTarget + + " has an unkown prefix."}); + + } + + return calculatebPKwbPK(baseID + "+" + bPKorwbPKTarget); + + } + public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws BuildException { MiscUtil.assertNotNull(bpk, "BPK"); MiscUtil.assertNotNull(publicKey, "publicKey"); @@ -211,7 +210,8 @@ public class BPKBuilder { */ public String buildStorkeIdentifier(IdentityLink identityLink, String destinationCountry) throws BuildException { - return buildStorkbPK(identityLink, "AT", destinationCountry); + return buildStorkbPK(identityLink.getIdentificationValue(), + identityLink.getIdentificationType(), "AT", destinationCountry); } /** @@ -224,10 +224,7 @@ public class BPKBuilder { */ public String buildStorkeIdentifier(String identificationType, String identificationValue, String destinationCountry) throws BuildException { - IdentityLink tempIdentity = new IdentityLink(); - tempIdentity.setIdentificationType(identificationType); - tempIdentity.setIdentificationValue(identificationValue); - return buildStorkbPK(tempIdentity, "AT", destinationCountry); + return buildStorkbPK(identificationValue, identificationType, "AT", destinationCountry); } /** @@ -239,16 +236,17 @@ public class BPKBuilder { * @return storkid in a BASE64 encoding * @throws BuildException if an error occurs on building the wbPK */ - public String buildStorkbPK(IdentityLink identityLink, String sourceCountry, String destinationCountry) + public String buildStorkbPK(String baseID, String baseIDType, String sourceCountry, String destinationCountry) throws BuildException { String identificationValue = null; // check if we have been called by public sector application - if (identityLink.getIdentificationType().startsWith(Constants.URN_PREFIX_BASEID)) { - identificationValue = calculateStorkeIdentifierBase(identityLink, sourceCountry, destinationCountry); + if (baseIDType.startsWith(Constants.URN_PREFIX_BASEID)) { + identificationValue = calculateStorkeIdentifierBase(baseID, sourceCountry, destinationCountry); + } else { // if not, sector identification value is already calculated by BKU Logger.info("STORK eIdentifier already provided by BKU"); - identificationValue = identityLink.getIdentificationValue(); + identificationValue = baseID; } if ((identificationValue == null || @@ -266,19 +264,25 @@ public class BPKBuilder { return eIdentifier; } - - private String calculateStorkeIdentifierBase(IdentityLink identityLink, String sourceCountry, String destinationCountry) throws BuildException { - String basisbegriff = identityLink.getIdentificationValue() + "+" + Constants.URN_PREFIX_STORK + "+" + sourceCountry + "+" + destinationCountry; - Logger.info("Building STORK identification from: [identValue]+" + Constants.URN_PREFIX_STORK + "+" + sourceCountry + "+" + destinationCountry); - try { + + private String calculateStorkeIdentifierBase(String baseID, String sourceCountry, String destinationCountry) throws BuildException { + String basisbegriff = baseID + "+" + Constants.URN_PREFIX_STORK + "+" + sourceCountry + "+" + destinationCountry; + Logger.info("Building STORK identification from: [identValue]+" + Constants.URN_PREFIX_STORK + "+" + sourceCountry + "+" + destinationCountry); + return calculatebPKwbPK(basisbegriff); + + } + + private String calculatebPKwbPK(String basisbegriff) throws BuildException { + try { MessageDigest md = MessageDigest.getInstance("SHA-1"); byte[] hash = md.digest(basisbegriff.getBytes("ISO-8859-1")); String hashBase64 = Base64Utils.encode(hash); - Logger.debug("STORK identification defined as: " + hashBase64); return hashBase64; + } catch (Exception ex) { - throw new BuildException("builder.00", new Object[]{"storkid", ex.toString()}, ex); + throw new BuildException("builder.00", new Object[]{"bPK/wbPK", ex.toString()}, ex); } + } private static byte[] encrypt(byte[] inputBytes, PublicKey publicKey) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java index 132b6af01..49f87122d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java @@ -33,7 +33,9 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.config.auth.data.DynamicOAAuthParameters; +import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; @@ -62,7 +64,7 @@ public class DynamicOAAuthParameterBuilder { attrValue.startsWith(Constants.URN_PREFIX_STORK) ) { dynamicOA.setBusinessService(true); dynamicOA.setTarget(attrValue); - + } else { Logger.error("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea"); throw new DynamicOABuildException("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea", null); @@ -106,4 +108,37 @@ public class DynamicOAAuthParameterBuilder { } + + /** + * @param oaParam + * @param protocolRequest + * @return + */ + public static IOAAuthParameters buildFromAuthnRequest( + IOAAuthParameters oaParam, IRequest protocolRequest) { + + DynamicOAAuthParameters dynOAParams = new DynamicOAAuthParameters(); + dynOAParams.setApplicationID(oaParam.getPublicURLPrefix()); + dynOAParams.setBusinessService(oaParam.getBusinessService()); + + if (protocolRequest instanceof MOASTORKRequest) + return buildFromSTORKRequest(dynOAParams, (MOASTORKRequest) protocolRequest); + + Logger.warn("Dynamic OA generation failed. RequestType is not implemented."); + return null; + } + + /** + * @param oaParam + * @param protocolRequest + * @return + */ + private static IOAAuthParameters buildFromSTORKRequest( + DynamicOAAuthParameters oaParam, MOASTORKRequest protocolRequest) { + + oaParam.setBusinessTarget(Constants.URN_PREFIX_STORK + "+" + "AT" + "+" + protocolRequest.getSpCountry()); + oaParam.setBusinessService(true); + + return oaParam; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index ade7d3f3c..4cd192070 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -27,7 +27,11 @@ import iaik.x509.X509Certificate; import java.io.IOException;
import java.io.InputStream;
import java.io.StringWriter;
+import java.net.URL;
import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Properties;
import javax.activation.DataSource;
import javax.servlet.ServletException;
@@ -68,24 +72,54 @@ import at.gv.util.xsd.xmldsig.X509DataType; import eu.stork.oasisdss.api.ApiUtils;
import eu.stork.oasisdss.api.LightweightSourceResolver;
import eu.stork.oasisdss.api.exceptions.ApiUtilsException;
+import eu.stork.oasisdss.api.utils.ByteArrayDataSource;
+import eu.stork.oasisdss.profile.DocumentType;
+import eu.stork.oasisdss.profile.DocumentWithSignature;
+import eu.stork.oasisdss.profile.SignRequest;
import eu.stork.oasisdss.profile.SignResponse;
import eu.stork.peps.auth.commons.IPersonalAttributeList;
import eu.stork.peps.auth.commons.PEPSUtil;
import eu.stork.peps.auth.commons.PersonalAttribute;
+import eu.stork.peps.auth.commons.PersonalAttributeList;
+import eu.stork.peps.auth.commons.STORKAttrQueryRequest;
import eu.stork.peps.auth.commons.STORKAuthnRequest;
import eu.stork.peps.auth.commons.STORKAuthnResponse;
import eu.stork.peps.auth.engine.STORKSAMLEngine;
import eu.stork.peps.exceptions.STORKSAMLEngineException;
+import eu.stork.documentservice.DocumentService;
+import eu.stork.documentservice.data.DatabaseConnectorMySQLImpl;
+import javax.xml.namespace.QName;
+import javax.xml.ws.Service;
+import javax.xml.ws.soap.SOAPBinding;
+import javax.xml.ws.BindingProvider;
+
+
/**
* Endpoint for receiving STORK response messages
*/
public class PEPSConnectorServlet extends AuthServlet {
+
private static final long serialVersionUID = 1L;
public static final String PEPSCONNECTOR_SERVLET_URL_PATTERN = "/PEPSConnector";
-
+ private String dtlUrl = null;
+
+
+ public PEPSConnectorServlet()
+ {
+ super();
+ Properties props = new Properties();
+ try {
+ props.load(DatabaseConnectorMySQLImpl.class.getResourceAsStream("docservice.properties"));
+ dtlUrl = props.getProperty("docservice.url");
+ } catch (IOException e) {
+ dtlUrl = "http://testvidp.buergerkarte.at/DocumentService/DocumentService";
+ Logger.error("Loading DTL config failed, using default value:"+dtlUrl);
+ e.printStackTrace();
+ }
+ }
/**
* @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
*/
@@ -245,7 +279,9 @@ public class PEPSConnectorServlet extends AuthServlet { String citizenSignature = null;
try {
String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0); // TODO ERROR HANDLING
-
+
+ Logger.debug("signatureInfo:"+signatureInfo);
+
SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(signatureInfo)));
// fetch signed doc
@@ -258,6 +294,19 @@ public class PEPSConnectorServlet extends AuthServlet { citizenSignature = IOUtils.toString(incoming);
incoming.close();
+ Logger.debug("citizenSignature:"+citizenSignature);
+ if(isDocumentServiceUsed(citizenSignature)==true)
+ {
+ Logger.debug("Loading document from DocumentService.");
+ String url = getDtlUrlFromResponse(dssSignResponse);
+ //get Transferrequest
+ String transferRequest = getDocTransferRequest(dssSignResponse.getDocUI(), url);
+ //Load document from DocujmentService
+ byte[] data = getDocumentFromDtl(transferRequest, url);
+ citizenSignature = new String(data, "UTF-8");
+ Logger.debug("Overridung citizenSignature with:"+citizenSignature);
+ }
+
JAXBContext ctx = JAXBContext.newInstance(SignatureType.class.getPackage().getName());
SignatureType root = ((JAXBElement<SignatureType>) ctx.createUnmarshaller().unmarshal(IOUtils.toInputStream(citizenSignature))).getValue();
@@ -423,5 +472,135 @@ public class PEPSConnectorServlet extends AuthServlet { }
}
+
+ private boolean isDocumentServiceUsed(String citizenSignature) //TODo add better check
+ {
+ if(citizenSignature.contains("<table border=\"0\"><tr><td>Service Name:</td><td>{http://stork.eu}DocumentService</td></tr><tr><td>Port Name:</td><td>{http://stork.eu}DocumentServicePort</td></tr></table>"))
+ return true;
+ return false;
+ }
+
+ /**
+ * Get DTL uril from the oasis sign response
+ * @param signRequest The signature response
+ * @return The URL of DTL service
+ * @throws SimpleException
+ */
+ private String getDtlUrlFromResponse(SignResponse dssSignResponse) {
+ List<DocumentWithSignature> documents = ApiUtils.findNamedElement(dssSignResponse.getOptionalOutputs(),
+ ApiUtils.OPTIONAL_OUTPUT_DOCUMENTWITHSIGNATURE, DocumentWithSignature.class);
+ DocumentType sourceDocument = documents.get(0).getDocument();
+
+ if (sourceDocument.getDocumentURL() != null)
+ return sourceDocument.getDocumentURL();
+ else
+ return null;//throw new Exception("No document url found");
+ }
+
+//From DTLPEPSUTIL
+
+
+
+ /**
+ * Get document from DTL
+ * @param transferRequest The transfer request (attribute query)
+ * @param eDtlUrl The DTL url of external DTL
+ * @return the document data
+ * @throws SimpleException
+ */
+ private byte[] getDocumentFromDtl(String transferRequest, String eDtlUrl) throws Exception
+ {
+ URL url = null;
+ try
+ {
+ url = new URL(dtlUrl);
+ QName qname = new QName("http://stork.eu",
+ "DocumentService");
+
+ Service service = Service.create(url, qname);
+ DocumentService docservice = service.getPort(DocumentService.class);
+
+ BindingProvider bp = (BindingProvider) docservice;
+ SOAPBinding binding = (SOAPBinding) bp.getBinding();
+ binding.setMTOMEnabled(true);
+
+ if (eDtlUrl.equalsIgnoreCase(dtlUrl))
+ return docservice.getDocument(transferRequest, "");
+ else
+ return docservice.getDocument(transferRequest, eDtlUrl);
+ }
+ catch (Exception e)
+ {
+ e.printStackTrace();
+ throw new Exception("Error in getDocumentFromDtl", e);
+ }
+ }
+
+ /**
+ * Get a document transfer request (attribute query)
+ * @param docId
+ * @return
+ * @throws SimpleException
+ */
+ private String getDocTransferRequest(String docId, String destinationUrl) throws Exception
+ {
+ String spCountry = docId.substring(0, docId.indexOf("/"));
+ final STORKSAMLEngine engine = STORKSAMLEngine.getInstance("VIDP");
+ STORKAttrQueryRequest req = new STORKAttrQueryRequest();
+ req.setAssertionConsumerServiceURL(dtlUrl);
+ req.setDestination(destinationUrl);
+ req.setSpCountry(spCountry);
+ req.setQaa(3);//TODO
+ PersonalAttributeList pal = new PersonalAttributeList();
+ PersonalAttribute attr = new PersonalAttribute();
+ attr.setName("docRequest");
+ attr.setIsRequired(true);
+ attr.setValue(Arrays.asList(docId));
+ pal.add(attr);
+ req.setPersonalAttributeList(pal);
+
+ STORKAttrQueryRequest req1;
+ try {
+ req1 = engine.generateSTORKAttrQueryRequest(req);
+ return PEPSUtil.encodeSAMLTokenUrlSafe(req1.getTokenSaml());
+ } catch (STORKSAMLEngineException e) {
+ e.printStackTrace();
+ throw new Exception("Error in doc request attribute query generation", e);
+ }
+ }
+
+ /**
+ * Get mime type of document from DTL
+ * @param docId The document id
+ * @param dtlUrl The url of dtl
+ * @return The mime type
+ */
+// private String getDocumentMimeFromDtl(String docId, String eDtlUrl) throws Exception
+// {
+// URL url = null;
+// try
+// {
+// url = new URL(dtlUrl);
+// QName qname = new QName("http://stork.eu",
+// "DocumentService");
+//
+// Service service = Service.create(url, qname);
+// DocumentService docservice = service.getPort(DocumentService.class);
+//
+// BindingProvider bp = (BindingProvider) docservice;
+// SOAPBinding binding = (SOAPBinding) bp.getBinding();
+// binding.setMTOMEnabled(true);
+//
+// if (eDtlUrl.equalsIgnoreCase(dtlUrl))
+// return docservice.getDocumentMime(docId, "");
+// else
+// return docservice.getDocumentMime(docId, eDtlUrl);
+// }
+// catch (Exception e)
+// {
+// e.printStackTrace();
+// throw new Exception("Error in getDocumentFromDtl", e);
+// }
+// }
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/client/SZRGWClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/client/SZRGWClient.java index c675885c9..9e4f3fa36 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/client/SZRGWClient.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/client/SZRGWClient.java @@ -38,9 +38,14 @@ import at.gv.util.wsdl.szrgw.SZRGWType; import at.gv.util.xsd.srzgw.CreateIdentityLinkRequest; import at.gv.util.xsd.srzgw.CreateIdentityLinkResponse; -import com.sun.xml.ws.developer.JAXWSProperties; import javax.xml.ws.BindingProvider; +import org.apache.cxf.configuration.jsse.TLSClientParameters; +import org.apache.cxf.endpoint.Client; +import org.apache.cxf.frontend.ClientProxy; +import org.apache.cxf.transport.http.HTTPConduit; +import org.apache.cxf.transports.http.configuration.HTTPClientPolicy; + public class SZRGWClient { private SSLSocketFactory sslContext = null; @@ -57,9 +62,6 @@ public class SZRGWClient { SZRGWService service = new SZRGWService(url, new QName("http://reference.e-government.gv.at/namespace/szrgw/20070807/wsdl", "SZRGWService")); SZRGWType port = service.getSZRGWPort(); - - - BindingProvider bindingProvider = (BindingProvider) port; Map<String, Object> requestContext = bindingProvider.getRequestContext(); requestContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, serviceUrl); @@ -72,12 +74,24 @@ public class SZRGWClient { throw new SZRGWClientException(); } - requestContext.put(JAXWSProperties.SSL_SOCKET_FACTORY, sslContext); + Client client = ClientProxy.getClient(port); + HTTPConduit http = (HTTPConduit) client.getConduit(); + HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy(); + + httpClientPolicy.setConnectionTimeout(36000); + httpClientPolicy.setReceiveTimeout(32000); + + http.setClient(httpClientPolicy); + TLSClientParameters tlsParams = new TLSClientParameters(); + tlsParams.setSSLSocketFactory(sslContext); + + http.setTlsClientParameters(tlsParams ); + // check for lax hostname if (true) { Logger.trace("LaxHostnameVerifier enabled. This setting is not recommended to use."); - requestContext.put(JAXWSProperties.HOSTNAME_VERIFIER, new LaxHostNameVerifier()); + tlsParams.setHostnameVerifier(new LaxHostNameVerifier()); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java index b2bcd443f..a2e8bab9b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java @@ -47,6 +47,8 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; */ public class OAParameter { + public OAParameter() { } + public OAParameter(OnlineApplication oa) { this.oaType = oa.getType(); @@ -70,6 +72,8 @@ public class OAParameter { this.isInderfederationIDP = oa.isIsInterfederationIDP(); + this.isSTORKPVPGateway = oa.isIsInterfederationGateway(); + } /** @@ -81,31 +85,33 @@ public class OAParameter { * specifies whether the online application is a business application or not (<code>true</code> * if value of {@link #oaType} is "businessService" */ - private boolean businessService; + protected boolean businessService; /** * public URL prefix of the online application */ - private String publicURLPrefix; + protected String publicURLPrefix; /** * specifies a human readable name of the Online Application */ - private String friendlyName; + protected String friendlyName; /** * specified a specific target for the Online Application (overwrites the target in der request) */ - private String target; + protected String target; /** * specifies a friendly name for the target */ - private String targetFriendlyName; + protected String targetFriendlyName; + + protected boolean removePBKFromAuthblock; - private boolean removePBKFromAuthblock; + protected Boolean isInderfederationIDP; - private Boolean isInderfederationIDP; + protected Boolean isSTORKPVPGateway; /** * Contains the oAuth 2.0 configuration (client id, secret and redirect uri) @@ -154,6 +160,13 @@ public class OAParameter { return isInderfederationIDP; } + public boolean isSTORKPVPGateway() { + if (isSTORKPVPGateway == null) + return false; + + return isSTORKPVPGateway; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index a62de27fc..23369fecc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -113,6 +113,8 @@ import at.gv.egovernment.moa.id.data.IssuerAndSerial; import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; +import at.gv.util.config.EgovUtilConfiguration; +import at.gv.util.config.EgovUtilPropertiesConfiguration; /** * A class providing access to the Auth Part of the MOA-ID configuration data. @@ -210,6 +212,8 @@ public class AuthConfigurationProvider extends ConfigurationProvider { private static SSO ssoconfig = null; + private EgovUtilPropertiesConfiguration eGovUtilsConfig = null; + private static Date date = null; private String publicURLPreFix = null; @@ -325,7 +329,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider { statisticProps.put(propertyName, props.get(key.toString())); } } - + // initialize hibernate synchronized (AuthConfigurationProvider.class) { @@ -384,6 +388,24 @@ public class AuthConfigurationProvider extends ConfigurationProvider { // String xmlconfigout = props.getProperty("configuration.xml.out"); + //configure eGovUtils client implementations + + //read eGovUtils client configuration + Properties eGovUtilsConfigProp = new Properties(); + for (Object key : props.keySet()) { + String propPrefix = "service."; + if (key.toString().startsWith(propPrefix+"egovutil")) { + String propertyName = key.toString().substring(propPrefix.length()); + eGovUtilsConfigProp.put(propertyName, props.get(key.toString())); + } + } + if (!eGovUtilsConfigProp.isEmpty()) { + Logger.info("Start eGovUtils client implementation configuration ..."); + eGovUtilsConfig = + new EgovUtilPropertiesConfiguration(eGovUtilsConfigProp, rootConfigFileDir); + } + + //check if XML config should be used if (MiscUtil.isNotEmpty(legacyconfig) || MiscUtil.isNotEmpty(xmlconfig)) { Logger.warn("WARNING! MOA-ID 2.0 is started with XML configuration. This setup overstrike the actual configuration in the Database!"); @@ -1035,7 +1057,14 @@ public class AuthConfigurationProvider extends ConfigurationProvider { return storkconfig; } - private void setCertStoreDirectory() throws ConfigurationException { + /** + * @return the eGovUtilsConfig + */ +public EgovUtilPropertiesConfiguration geteGovUtilsConfig() { + return eGovUtilsConfig; +} + +private void setCertStoreDirectory() throws ConfigurationException { AuthComponentGeneral auth = getAuthComponentGeneral(); if (auth.getGeneralConfiguration() != null) @@ -1075,5 +1104,5 @@ public class AuthConfigurationProvider extends ConfigurationProvider { } return moasp; } - + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java index 4c6519b57..c336eb316 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java @@ -54,6 +54,8 @@ public interface IOAAuthParameters { public boolean isInderfederationIDP(); + public boolean isSTORKPVPGateway(); + /** * @return the identityLinkDomainIdentifier */ @@ -152,5 +154,15 @@ public interface IOAAuthParameters { List<String> getTestCredentialOIDs(); PrivateKey getBPKDecBpkDecryptionKey(); + + /** + * @return + */ + boolean isPassivRequestUsedForInterfederation(); + + /** + * @return + */ + boolean isPerformLocalAuthenticationOnInterfederationError(); }
\ No newline at end of file diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index 673d23373..90b72b72b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -61,6 +61,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.BKUSelectionCustomizationT import at.gv.egovernment.moa.id.commons.db.dao.config.BKUURLS; import at.gv.egovernment.moa.id.commons.db.dao.config.CPEPS; import at.gv.egovernment.moa.id.commons.db.dao.config.IdentificationNumber; +import at.gv.egovernment.moa.id.commons.db.dao.config.InterfederationGatewayType; import at.gv.egovernment.moa.id.commons.db.dao.config.InterfederationIDPType; import at.gv.egovernment.moa.id.commons.db.dao.config.Mandates; import at.gv.egovernment.moa.id.commons.db.dao.config.MandatesProfileNameItem; @@ -99,6 +100,7 @@ public class OAAuthParameter extends OAParameter implements IOAAuthParameters { private AuthComponentOA oa_auth; private String keyBoxIdentifier; private InterfederationIDPType inderfederatedIDP = null; + private InterfederationGatewayType interfederatedGateway = null; public OAAuthParameter(OnlineApplication oa) { super(oa); @@ -108,6 +110,8 @@ public class OAAuthParameter extends OAParameter implements IOAAuthParameters { this.keyBoxIdentifier = oa.getKeyBoxIdentifier().value(); this.inderfederatedIDP = oa.getInterfederationIDP(); + + this.interfederatedGateway = oa.getInterfederationGateway(); } @@ -439,6 +443,9 @@ public List<OAStorkAttribute> getRequestedAttributes() { @Override public boolean isRequireConsentForStorkAttributes() { try{ + if (isSTORKPVPGateway()) + return false; + return oa_auth.getOASTORK().isRequireConsent(); }catch(Exception e) { @@ -453,7 +460,13 @@ public boolean isRequireConsentForStorkAttributes() { */ @Override public List<AttributeProviderPlugin> getStorkAPs() { - return oa_auth.getOASTORK().getAttributeProviders(); + if (oa_auth.getOASTORK() != null && + oa_auth.getOASTORK().getAttributeProviders() != null) + return oa_auth.getOASTORK().getAttributeProviders(); + + else + return new ArrayList<AttributeProviderPlugin>(); + } /* (non-Javadoc) @@ -524,9 +537,25 @@ public boolean isOutboundSSOInterfederationAllowed() { } @Override +public boolean isPassivRequestUsedForInterfederation() { + if (inderfederatedIDP != null) + return inderfederatedIDP.isPerformPassivRequest().booleanValue(); + else + return false; +} + +@Override +public boolean isPerformLocalAuthenticationOnInterfederationError() { + if (inderfederatedIDP != null) + return inderfederatedIDP.isPerformLocalAuthenticationOnError().booleanValue(); + else + return false; +} + +@Override public boolean isInterfederationSSOStorageAllowed() { if (inderfederatedIDP != null) - return inderfederatedIDP.isStoreSSOSession(); + return inderfederatedIDP.isStoreSSOSession().booleanValue(); else return false; } @@ -537,6 +566,15 @@ public boolean isIDPPublicService() { } +public String getSTORKPVPForwardEntity() { + if (interfederatedGateway != null) { + return interfederatedGateway.getForwardIDPIdentifier(); + + } else + return null; + +} + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isTestCredentialEnabled() */ diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java index 7dbdcfa52..e576522bf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java @@ -32,32 +32,20 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; import at.gv.egovernment.moa.id.commons.db.dao.config.OASAML1; import at.gv.egovernment.moa.id.commons.db.dao.config.OAStorkAttribute; import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType; +import at.gv.egovernment.moa.id.config.OAParameter; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; /** * @author tlenz * */ -public class DynamicOAAuthParameters implements IOAAuthParameters { - - private String applicationID = null; +public class DynamicOAAuthParameters extends OAParameter implements IOAAuthParameters { - private boolean isBusinessService; - private String target; private String businessTarget; - private boolean inderfederatedIDP; private String IDPQueryURL; /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService() - */ - @Override - public boolean getBusinessService() { - return this.isBusinessService; - } - - /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget() */ @Override @@ -74,14 +62,6 @@ public class DynamicOAAuthParameters implements IOAAuthParameters { } /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isInderfederationIDP() - */ - @Override - public boolean isInderfederationIDP() { - return this.inderfederatedIDP; - } - - /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIDPAttributQueryServiceURL() */ @Override @@ -309,7 +289,7 @@ public class DynamicOAAuthParameters implements IOAAuthParameters { * @param isBusinessService the isBusinessService to set */ public void setBusinessService(boolean isBusinessService) { - this.isBusinessService = isBusinessService; + businessService = isBusinessService; } /** @@ -330,7 +310,7 @@ public class DynamicOAAuthParameters implements IOAAuthParameters { * @param inderfederatedIDP the inderfederatedIDP to set */ public void setInderfederatedIDP(boolean inderfederatedIDP) { - this.inderfederatedIDP = inderfederatedIDP; + isInderfederationIDP = inderfederatedIDP; } /** @@ -340,19 +320,11 @@ public class DynamicOAAuthParameters implements IOAAuthParameters { IDPQueryURL = iDPQueryURL; } - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getPublicURLPrefix() - */ - @Override - public String getPublicURLPrefix() { - return this.applicationID; - } - /** * @param applicationID the applicationID to set */ public void setApplicationID(String applicationID) { - this.applicationID = applicationID; + publicURLPrefix = applicationID; } /* (non-Javadoc) @@ -409,6 +381,21 @@ public class DynamicOAAuthParameters implements IOAAuthParameters { return null; } - + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isPassivRequestUsedForInterfederation() + */ + @Override + public boolean isPassivRequestUsedForInterfederation() { + // TODO Auto-generated method stub + return false; + } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isPerformLocalAuthenticationOnInterfederationError() + */ + @Override + public boolean isPerformLocalAuthenticationOnInterfederationError() { + // TODO Auto-generated method stub + return false; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java index 6fd327add..65c413ef9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java @@ -26,6 +26,8 @@ import java.io.Serializable; import java.text.DateFormat; import java.text.ParseException; import java.text.SimpleDateFormat; +import java.util.ArrayList; +import java.util.Arrays; import java.util.Date; import java.util.List; @@ -116,6 +118,8 @@ public class AuthenticationData implements IAuthData, Serializable { * the corresponding <code>lt;saml:Assertion></code> */ + private boolean businessService; + /** * STORK attributes from response */ @@ -129,6 +133,7 @@ public class AuthenticationData implements IAuthData, Serializable { private String authBlock = null; private List<String> encbPKList = null; + private List<AuthenticationRole> roles = null; private boolean useMandate = false; private MISMandate mandate = null; @@ -228,7 +233,7 @@ public class AuthenticationData implements IAuthData, Serializable { if (getDateOfBirth() != null) return pvpDateFormat.format(getDateOfBirth()); else - return "1900-01-01"; + return "2999-12-31"; } /** @@ -688,6 +693,44 @@ public class AuthenticationData implements IAuthData, Serializable { public void setEncbPKList(List<String> encbPKList) { this.encbPKList = encbPKList; } + + /** + * @return the roles + */ + public List<AuthenticationRole> getAuthenticationRoles() { +// if (this.roles == null) { +// this.roles = new ArrayList<AuthenticationRole>(); +// this.roles.add(new AuthenticationRole("xxpvprole", "xxpvprole")); +// this.roles.add(new AuthenticationRole("yypvprole", "yypvprole")); +// } + + return roles; + } + + /** + * @param roles the roles to set + */ + public void addAuthenticationRole(AuthenticationRole role) { + if (this.roles == null) + this.roles = new ArrayList<AuthenticationRole>(); + + this.roles.add(role); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#isBusinessService() + */ + @Override + public boolean isBusinessService() { + // TODO Auto-generated method stub + return this.businessService; + } + + public void setIsBusinessService(boolean flag) { + this.businessService = flag; + + } + diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationRole.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationRole.java new file mode 100644 index 000000000..cde4ad7d4 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationRole.java @@ -0,0 +1,122 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.data; + +import java.util.ArrayList; +import java.util.Iterator; +import java.util.List; +import java.util.Map; + +/** + * @author tlenz + * + */ +public class AuthenticationRole { + + private String roleName = null; + private String rawRoleString = null; + private List<Entry<String, String>> params = null; + + public AuthenticationRole(String roleName, String rawRoleString) { + this.roleName = roleName; + this.rawRoleString = rawRoleString; + } + + public void addParameter(String key, String value) { + if (params == null) + params = new ArrayList<Entry<String,String>>(); + params.add(new Entry<String, String>(key, value)); + + } + + /** + * @return the roleName + */ + public String getRoleName() { + return roleName; + } + + /** + * @return the params + */ + public List<Entry<String, String>> getParams() { + return params; + } + + /** + * @return the params + */ + public Iterator<Entry<String, String>> getParamsInterator() { + return params.iterator(); + } + + + /** + * @return the rawRoleString + */ + public String getRawRoleString() { + return rawRoleString; + } + + + + static class Entry<K,V> implements Map.Entry<K,V> { + + private K key; + private V value; + + Entry(K k, V v) { + key = k; + value = v; + } + + /* (non-Javadoc) + * @see java.util.Map.Entry#getKey() + */ + @Override + public K getKey() { + return key; + } + + /* (non-Javadoc) + * @see java.util.Map.Entry#getValue() + */ + @Override + public V getValue() { + return value; + } + + /* (non-Javadoc) + * @see java.util.Map.Entry#setValue(java.lang.Object) + */ + @Override + public V setValue(V newValue) { + V oldValue = value; + value = newValue; + return oldValue; + } + + + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationRoleFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationRoleFactory.java new file mode 100644 index 000000000..8915b2442 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationRoleFactory.java @@ -0,0 +1,76 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.data; + +import java.util.Arrays; +import java.util.List; + +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class AuthenticationRoleFactory { + + public static AuthenticationRole buildFormPVPole(String pvprole) { + AuthenticationRole role = null; + + int first = pvprole.indexOf("("); + + if (first < 0) { + //no role paramters found + role = new AuthenticationRole(pvprole.trim(), pvprole.trim()); + Logger.debug("Add authentication role with name=" + pvprole.trim()); + + } else { + role = new AuthenticationRole(pvprole.substring(0, first).trim(), pvprole.trim()); + Logger.debug("Add authentication role with name=" + pvprole.substring(0, first).trim()); + String params = pvprole.substring(first + 1, pvprole.length() - 1); + + List<String> param = Arrays.asList(params.split(",")); + String test = new String(); + for (String el : param) { + test = test.concat(el); + if (!test.endsWith("\\") || + (test.endsWith("\\\\") && !test.endsWith("\\\\\\")) ) { + String[] keyValue = test.split("="); + if (keyValue.length < 2) { + role.addParameter(keyValue[0].trim(), ""); + Logger.debug("Add authentication roleparameter with key=" + keyValue[0].trim()); + + } else { + role.addParameter(keyValue[0].trim(), keyValue[1].trim()); + Logger.debug("Add authentication roleparameter with key=" + keyValue[0].trim() + + " value=" + keyValue[1].trim()); + + } + + test = new String(); + } + } + } + + return role; + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java index 8ce33021d..ebbf62ce7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java @@ -42,6 +42,7 @@ public interface IAuthData { Date getIssueInstant(); String getIssuer(); + boolean isBusinessService(); boolean isSsoSession(); boolean isInterfederatedSSOSession(); boolean isUseMandate(); @@ -69,6 +70,8 @@ public interface IAuthData { byte[] getSignerCertificate(); String getAuthBlock(); + List<AuthenticationRole> getAuthenticationRoles(); + boolean isPublicAuthority(); String getPublicAuthorityCode(); boolean isQualifiedCertificate(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 1e38bd4ff..03cb6c1c4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -276,11 +276,27 @@ public class DispatcherServlet extends AuthServlet{ Logger.info("PreProcessing of SSO interfederation response complete. "); - //request is a not valid interfederation response -> Restart local authentication + //request is a not valid interfederation response } else if (protocolRequest != null && MiscUtil.isNotEmpty(protocolRequest.getRequestID())) { - Logger.info("Restart authentication with stored " + protocolRequest.requestedModule() - + " AuthnRequest for OnlineApplication " + protocolRequest.getOAURL()); + + OAAuthParameter oaParams = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(protocolRequest.getOAURL()); + if (oaParams.isSTORKPVPGateway() || !oaParams.isPerformLocalAuthenticationOnInterfederationError()) { + // -> send end error to service provider + Logger.info("Federated authentication for entity " + protocolRequest.getOAURL() + + " FAILED. Sending error message to service provider."); + MOAIDException e = new MOAIDException("auth.27", new Object[]{}); + IModulInfo requestedModul = ModulStorage.getModuleByPath(protocolRequest.requestedModule()); + if (!requestedModul.generateErrorMessage(e, req, resp, protocolRequest)) + handleErrorNoRedirect(e.getMessage(), e, req, + resp); + + return; + + } else + //-> Restart local authentication + Logger.info("Restart authentication with stored " + protocolRequest.requestedModule() + + " AuthnRequest for OnlineApplication " + protocolRequest.getOAURL()); //request is a new authentication request } else if (protocolRequest != null && diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index daa70efce..a4d63b144 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -381,14 +381,15 @@ public class AuthenticationManager extends AuthServlet { //get IDP metadata try { OAAuthParameter idp = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(target.getRequestedIDP()); + if (!idp.isInderfederationIDP() || !idp.isInboundSSOInterfederationAllowed()) { Logger.info("Requested interfederation IDP " + target.getRequestedIDP() + " is not valid for interfederation."); Logger.info("Switch to local authentication on this IDP ... "); perfomLocalAuthentication(request, response, target); return; - } - + } + EntityDescriptor idpEntity = MOAMetadataProvider.getInstance(). getEntityDescriptor(target.getRequestedIDP()); @@ -417,7 +418,7 @@ public class AuthenticationManager extends AuthServlet { authReq.setID(gen.generateIdentifier()); //send passive AuthnRequest - authReq.setIsPassive(true); + authReq.setIsPassive(idp.isPassivRequestUsedForInterfederation()); authReq.setAssertionConsumerServiceIndex(0); authReq.setIssueInstant(new DateTime()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java index ff294dc3d..68545e1c2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java @@ -100,6 +100,7 @@ public class SSOManager { if (MiscUtil.isNotEmpty(protocolRequest.getRequestedIDP())) { Logger.info("Protocolspecific preprocessing already set interfederation IDP " + protocolRequest.getRequestedIDP()); + return; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index dbf54951f..0a8a6a581 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -194,7 +194,7 @@ public class MetadataAction implements IAction { .createSAMLObject(SPSSODescriptor.class); spSSODescriptor.setAuthnRequestsSigned(true); - spSSODescriptor.setWantAssertionsSigned(true); + spSSODescriptor.setWantAssertionsSigned(false); //Set AuthRequest Signing certificate diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 0da846f9e..cf20db7d9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -664,7 +664,7 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { } else { Logger.debug("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue() + " from interfederated IDP."); - + } } catch (IOException e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java index 47c297914..1f3e86ff6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java @@ -41,7 +41,7 @@ public interface PVPConstants { public static final String STORK_QAA_1_3 = "http://www.stork.gov.eu/1.0/citizenQAALevel/3"; public static final String STORK_QAA_1_4 = "http://www.stork.gov.eu/1.0/citizenQAALevel/4"; - public static final String STORK_ATTRIBUTE_PREFIX = "http://www.stork.gov.eu/1.0/"; + public static final String STORK_ATTRIBUTE_PREFIX = "http://www.stork.gov.eu/"; public static final String URN_OID_PREFIX = "urn:oid:"; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java index 6296d102f..91888df5c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java @@ -49,6 +49,7 @@ import org.opensaml.xml.signature.Signer; import org.w3c.dom.Document; import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.SamlAttributeGenerator; @@ -66,7 +67,7 @@ import at.gv.egovernment.moa.util.Constants; */ public class AttributQueryBuilder { - public static List<Attribute> buildSAML2AttributeList(OAAuthParameter oa, Iterator<String> iterator) { + public static List<Attribute> buildSAML2AttributeList(IOAAuthParameters oa, Iterator<String> iterator) { Logger.debug("Build OA specific Attributes for AttributQuery request"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java index 8b6e71e6b..3d8661143 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java @@ -150,14 +150,14 @@ public class PVPAttributeBuilder { } public static Attribute buildAttribute(String name, OAAuthParameter oaParam, - IAuthData authData) throws PVP2Exception { + IAuthData authData) throws PVP2Exception, AttributeException { if (builders.containsKey(name)) { try { return builders.get(name).build(oaParam, authData, generator); } catch (AttributeException e) { if (e instanceof UnavailableAttributeException) { - throw new UnprovideableAttributeException(((UnavailableAttributeException) e).getAttributeName()); + throw e; } else if (e instanceof InvalidDateFormatAttributeException) { throw new InvalidDateFormatException(); } else if (e instanceof NoMandateDataAttributeException) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index fa5d252bd..b301b6e5e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -70,6 +70,8 @@ import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.MandateAttributesNotHandleAbleException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException; @@ -121,7 +123,7 @@ public class PVP2AssertionBuilder implements PVPConstants { } catch (Exception e) { Logger.error( "General Attribute generation failed! for " - + reqAttributName); + + reqAttributName, e); } } @@ -251,10 +253,21 @@ public class PVP2AssertionBuilder implements PVPConstants { } else { attrList.add(attr); } + + } catch (UnavailableAttributeException e) { + Logger.info( + "Attribute generation for " + + reqAttribut.getFriendlyName() + " not possible."); + if (reqAttribut.isRequired()) { + throw new UnprovideableAttributeException( + reqAttribut.getName()); + } + + } catch (PVP2Exception e) { - Logger.error( + Logger.warn( "Attribute generation failed! for " - + reqAttribut.getFriendlyName(), e); + + reqAttribut.getFriendlyName()); if (reqAttribut.isRequired()) { throw new UnprovideableAttributeException( reqAttribut.getName()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java index 16de43e11..1327c634b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java @@ -38,7 +38,7 @@ public class EIDSourcePIN implements IPVPAttributeBuilder { public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if (oaParam.getBusinessService()) + if (authData.isBusinessService()) throw new AttributePolicyException(EID_SOURCE_PIN_NAME); else { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePINType.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePINType.java index 0681419fc..2145e3af7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePINType.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePINType.java @@ -36,7 +36,7 @@ public class EIDSourcePINType implements IPVPAttributeBuilder { public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if (oaParam.getBusinessService()) + if (authData.isBusinessService()) throw new UnavailableAttributeException(EID_SOURCE_PIN_TYPE_NAME); else { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java index a16fed9cd..f0373e214 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -36,6 +36,7 @@ import org.opensaml.saml2.core.AuthnStatement; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.saml2.core.Subject; +import org.opensaml.xml.XMLObject; import eu.stork.peps.auth.commons.PersonalAttribute; import eu.stork.peps.auth.commons.PersonalAttributeList; @@ -48,7 +49,7 @@ import at.gv.egovernment.moa.util.MiscUtil; public class AssertionAttributeExtractor { private Assertion assertion = null; - private Map<String, String> attributs = new HashMap<String, String>(); + private Map<String, List<String>> attributs = new HashMap<String, List<String>>(); private PersonalAttributeList storkAttributes = new PersonalAttributeList(); private final List<String> minimalAttributeNameList = Arrays.asList( @@ -74,13 +75,21 @@ public class AssertionAttributeExtractor { for (Attribute attr : attrStat.getAttributes()) { if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) { List<String> storkAttrValues = new ArrayList<String>(); - storkAttrValues.add(attr.getAttributeValues().get(0).getDOM().getTextContent()); + for (XMLObject el : attr.getAttributeValues()) + storkAttrValues.add(el.getDOM().getTextContent()); + PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(), false, storkAttrValues , "Available"); storkAttributes.put(attr.getName(), storkAttr ); - } else - attributs.put(attr.getName(), attr.getAttributeValues().get(0).getDOM().getTextContent()); + } else { + List<String> attrList = new ArrayList<String>(); + for (XMLObject el : attr.getAttributeValues()) + attrList.add(el.getDOM().getTextContent()); + + attributs.put(attr.getName(), attrList); + + } } } @@ -129,7 +138,15 @@ public class AssertionAttributeExtractor { } - public String getAttribute(String attributeName) { + public String getSingleAttributeValue(String attributeName) { + if (attributs.containsKey(attributeName) && attributs.get(attributeName).size() > 0) + return attributs.get(attributeName).get(0); + else + return null; + + } + + public List<String> getAttributeValues(String attributeName) { return attributs.get(attributeName); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index 7d3c72630..65e520cc3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -36,8 +36,6 @@ import javax.xml.transform.TransformerException; import org.w3c.dom.Element; import org.xml.sax.SAXException; -import com.sun.xml.bind.marshaller.NamespacePrefixMapper; - import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; @@ -235,14 +233,14 @@ public class SAML1AuthenticationServer extends AuthenticationServer { Marshaller m = jc.createMarshaller(); m.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, Boolean.TRUE); - m.setProperty("com.sun.xml.bind.namespacePrefixMapper", new NamespacePrefixMapper() { - public String getPreferredPrefix(String arg0, String arg1, boolean arg2) { - if (Constants.PD_NS_URI.equals(arg0)) - return Constants.PD_PREFIX; - else - return arg1; - } - }); +// m.setProperty("com.sun.xml.bind.namespacePrefixMapper", new NamespacePrefixMapper() { +// public String getPreferredPrefix(String arg0, String arg1, boolean arg2) { +// if (Constants.PD_NS_URI.equals(arg0)) +// return Constants.PD_PREFIX; +// else +// return arg1; +// } +// }); ByteArrayOutputStream stream = new ByteArrayOutputStream(); m.marshal( diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java index 456baf49f..e3b9992aa 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java @@ -23,6 +23,7 @@ package at.gv.egovernment.moa.id.protocols.stork2; import java.util.ArrayList; +import java.util.Iterator; import java.util.List; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; @@ -135,9 +136,11 @@ public class AttributeCollector implements IAction { // find the attribute provider plugin that can handle the response IPersonalAttributeList newAttributes = null; - for (AttributeProvider current : AttributeProviderFactory.getConfiguredPlugins(oaParam.getStorkAPs())) + + Iterator<AttributeProvider> attibuteProvidersInterator = AttributeProviderFactory.getConfiguredPlugins(oaParam.getStorkAPs()); + while(attibuteProvidersInterator.hasNext()) try { - newAttributes = current.parse(httpReq); + newAttributes = attibuteProvidersInterator.next().parse(httpReq); // stop as soon as we hit a capable plugin break; @@ -203,7 +206,9 @@ public class AttributeCollector implements IAction { addOrUpdateAll(container.getResponse().getPersonalAttributeList(), aquiredAttributes); // - check if we can find a suitable AttributeProvider Plugin - for (AttributeProvider currentProvider : AttributeProviderFactory.getConfiguredPlugins(oaParam.getStorkAPs())) { + Iterator<AttributeProvider> attibuteProvidersInterator = AttributeProviderFactory.getConfiguredPlugins(oaParam.getStorkAPs()); + while(attibuteProvidersInterator.hasNext()) { + AttributeProvider currentProvider = attibuteProvidersInterator.next(); // build a section of attribute provider's predefined attributes and missing attributes // only missing attributes that can be handled by attribute provider will be sent to it @@ -223,7 +228,7 @@ public class AttributeCollector implements IAction { //aquiredAttributes = currentProvider.acquire(currentAttribute, container.getRequest().getSpCountry(), moasession); //aquiredAttributes = currentProvider.acquire(missingAttributes, container.getRequest().getSpCountry(), moasession); - aquiredAttributes = currentProvider.acquire(currentProviderConfiguredAttributes, container.getRequest().getSpCountry(), authData); + aquiredAttributes = currentProvider.acquire(currentProviderConfiguredAttributes, container.getRequest(), authData); Logger.info(currentProvider.getClass().getSimpleName() + " can handle attribute '" + currentAttribute.getName() + "'"); break; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeProviderFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeProviderFactory.java index ec64f7eb1..10b325234 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeProviderFactory.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeProviderFactory.java @@ -27,12 +27,15 @@ import at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.AttributePro import at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.EHvdAttributeProviderPlugin; import at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.EHvdAttribute_deprecatedProviderPlugin; import at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.MandateAttributeRequestProvider; +import at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.PVPAuthenticationProvider; import at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.SignedDocAttributeRequestProvider; import at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.StorkAttributeRequestProvider; import at.gv.egovernment.moa.logging.Logger; import java.util.ArrayList; +import java.util.Iterator; import java.util.List; +import java.util.PriorityQueue; /** * A factory for creating AttributeProvider objects. @@ -51,7 +54,7 @@ public class AttributeProviderFactory { result.add("EHvdAttributeProvider"); result.add("SignedDocAttributeRequestProvider"); result.add("MandateAttributeRequestProvider"); - + result.add("PVPAuthenticationProvider"); return result; } @@ -78,6 +81,8 @@ public class AttributeProviderFactory { ex.printStackTrace(); return null; } + } else if (shortname.equals("PVPAuthenticationProvider")) { + return new PVPAuthenticationProvider(url, attributes); } else { return null; } @@ -89,16 +94,16 @@ public class AttributeProviderFactory { * @param configuredAPs the configured a ps * @return the configured plugins */ - public static List<AttributeProvider> getConfiguredPlugins( + public static Iterator<AttributeProvider> getConfiguredPlugins( List<AttributeProviderPlugin> configuredAPs) { - List<AttributeProvider> result = new ArrayList<AttributeProvider>(); + PriorityQueue<AttributeProvider> result = new PriorityQueue<AttributeProvider>(); for (AttributeProviderPlugin current : configuredAPs) { result.add(create(current.getName(), current.getUrl(), current.getAttributes())); Logger.debug("Adding configured attribute provider: " + current.getClass().getName() + current.getName() + " at " + current.getUrl()); } - return result; + return result.iterator(); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java index 3bd827667..aa018d5a3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java @@ -22,7 +22,6 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.stork2; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; @@ -38,6 +37,7 @@ import at.gv.egovernment.moa.id.storage.AssertionStorage; import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; import eu.stork.peps.auth.commons.*; import eu.stork.peps.auth.engine.STORKSAMLEngine; import eu.stork.peps.exceptions.STORKSAMLEngineException; @@ -67,14 +67,11 @@ public class AuthenticationRequest implements IAction { private VelocityEngine velocityEngine; - private IAuthData authData = null; private MOASTORKRequest moaStorkRequest = null; public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { - this.authData = authData; - if ((req instanceof MOASTORKRequest)) { // && ( ((MOASTORKRequest) req).getCitizenCountryCode() == null || ((MOASTORKRequest) req).getCitizenCountryCode().equals("AT") )) { this.moaStorkRequest = (MOASTORKRequest) req; @@ -111,7 +108,10 @@ public class AuthenticationRequest implements IAction { // } // Get personal attributtes from MOA/IdentityLink - moaStorkResponse.setPersonalAttributeList(populateAttributes(oaParam)); + + //build STORK attributes from local authentication information + if (authData != null) + moaStorkResponse.setPersonalAttributeList(populateAttributes(authData, oaParam)); } //moaStorkResponse.setCountry(moaStorkRequest.getSpCountry()); @@ -390,6 +390,10 @@ public class AuthenticationRequest implements IAction { public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp) { + //redirect to national PVP IDP infrastructure if special attributes are requested + if (MiscUtil.isEmpty(req.getRequestedIDP()) && req instanceof MOASTORKRequest) + return !STORKPVPUtilits.performAuthenticationOnNationalIDP((MOASTORKRequest) req); + // // authentication is not needed if we have authentication request from SP for citizen of configured PEPS country // if (req instanceof MOASTORKRequest) { // MOASTORKRequest moastorkRequest = (MOASTORKRequest) req; @@ -444,14 +448,14 @@ public class AuthenticationRequest implements IAction { } - public PersonalAttributeList populateAttributes(IOAAuthParameters oaParam) { + public PersonalAttributeList populateAttributes(IAuthData authData, IOAAuthParameters oaParam) { IPersonalAttributeList attrLst = moaStorkRequest.getStorkAuthnRequest().getPersonalAttributeList(); Logger.info("Found " + attrLst.size() + " personal attributes in the request."); // Define attribute list to be populated PersonalAttributeList attributeList = new PersonalAttributeList(); - MOAAttributeProvider moaAttributeProvider = new MOAAttributeProvider(authData.getIdentityLink(), moaStorkRequest); + MOAAttributeProvider moaAttributeProvider = new MOAAttributeProvider(authData, moaStorkRequest); try { for (PersonalAttribute personalAttribute : attrLst) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/CorporateBodyMandateContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/CorporateBodyMandateContainer.java index b358436ae..3e16db7d2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/CorporateBodyMandateContainer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/CorporateBodyMandateContainer.java @@ -24,17 +24,10 @@ package at.gv.egovernment.moa.id.protocols.stork2; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.logging.Logger; -import javanet.staxutils.SimpleNamespaceContext; import org.xml.sax.InputSource; -import javax.xml.xpath.XPath; import javax.xml.xpath.XPathExpressionException; -import javax.xml.xpath.XPathFactory; import java.io.StringReader; -import java.lang.reflect.InvocationTargetException; -import java.lang.reflect.Method; -import java.util.HashMap; - /** * Physical person representing corporate body * diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java index a0ec1eb45..aaded0ce6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java @@ -25,23 +25,39 @@ package at.gv.egovernment.moa.id.protocols.stork2; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.data.AuthenticationRole; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.util.PVPtoSTORKRoleMapper; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; import eu.stork.peps.auth.commons.PersonalAttribute; import eu.stork.peps.auth.commons.PersonalAttributeList; +import eu.stork.peps.auth.commons.STORKStatusCode; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; +import java.text.DateFormat; +import java.text.SimpleDateFormat; import java.util.ArrayList; import java.util.Collections; import java.util.HashMap; +import java.util.List; import java.util.Map; +import org.joda.time.format.DateTimeFormat; +import org.joda.time.format.DateTimeFormatter; + +import javassist.expr.Instanceof; + /** * @author bsuzic * Date: 2/19/14, Time: 4:42 PM + * + * @author tlenz + * Date: 23.10.14 */ public class MOAAttributeProvider { - private final IdentityLink identityLink; + private final IAuthData authData; private static final Map<String, String> storkAttributeSimpleMapping; private static final Map<String, String> storkAttributeFunctionMapping; private final MOASTORKRequest moastorkRequest; @@ -50,17 +66,18 @@ public class MOAAttributeProvider { Map<String, String> tempSimpleMap = new HashMap<String, String>(); tempSimpleMap.put("givenName", "getGivenName"); tempSimpleMap.put("surname", "getFamilyName"); - tempSimpleMap.put("dateOfBirth", "getDateOfBirth"); storkAttributeSimpleMapping = Collections.unmodifiableMap(tempSimpleMap); Map<String, String> tempFunctionMap = new HashMap<String, String>(); tempFunctionMap.put("eIdentifier", "geteIdentifier"); + tempFunctionMap.put("ECApplicationRole","getECApplicationRole"); + tempFunctionMap.put("dateOfBirth", "getFormatedDateOfBirth"); storkAttributeFunctionMapping = Collections.unmodifiableMap(tempFunctionMap); } - public MOAAttributeProvider(IdentityLink identityLink, MOASTORKRequest moastorkRequest) { - this.identityLink = identityLink; + public MOAAttributeProvider(IAuthData authData, MOASTORKRequest moastorkRequest) { + this.authData = authData; this.moastorkRequest = moastorkRequest; - Logger.debug("identity " + identityLink.getIdentificationType() + " " + identityLink.getIdentificationValue()); + Logger.debug("identity " + authData.getIdentificationType() + " " + authData.getIdentificationValue()); } public void populateAttribute(PersonalAttributeList attributeList, PersonalAttribute requestedAttribute ) { @@ -68,8 +85,8 @@ public class MOAAttributeProvider { if (storkAttributeSimpleMapping.containsKey(storkAttribute)) { Logger.debug("Trying to get value for attribute using simple mapping [" + storkAttribute + "]"); try { - Method method = identityLink.getClass().getDeclaredMethod(storkAttributeSimpleMapping.get(storkAttribute)); - populateAttributeWithMethod(method, identityLink, attributeList, storkAttribute, requestedAttribute.isRequired()); + Method method = authData.getClass().getDeclaredMethod(storkAttributeSimpleMapping.get(storkAttribute)); + populateAttributeWithMethod(method, authData, attributeList, storkAttribute, requestedAttribute.isRequired()); } catch (NoSuchMethodException e) { Logger.error("Could not found MOA extraction method while getting attribute: " + storkAttribute); e.printStackTrace(); @@ -91,27 +108,82 @@ public class MOAAttributeProvider { } private String geteIdentifier() { - Logger.debug("Using base urn for identification value: " + identityLink.getIdentificationType() + " and target country: " + moastorkRequest.getStorkAuthnRequest().getSpCountry()); + Logger.debug("Using base urn for identification value: " + authData.getIdentificationType() + " and target country: " + moastorkRequest.getStorkAuthnRequest().getSpCountry()); try { - return new BPKBuilder().buildStorkeIdentifier(identityLink, moastorkRequest.getStorkAuthnRequest().getSpCountry()); + return new BPKBuilder().buildStorkeIdentifier(authData.getIdentificationType(), authData.getIdentificationValue(), + moastorkRequest.getStorkAuthnRequest().getSpCountry()); } catch (BuildException be) { Logger.error("Stork eid could not be constructed; " + be.getMessage()); return null; // TODO error } } + private List<String> getECApplicationRole() { + List<String> storkRoles = null; + + if (authData.getAuthenticationRoles() != null + && authData.getAuthenticationRoles().size() > 0) { + + storkRoles = new ArrayList<String>(); + PVPtoSTORKRoleMapper mapper = PVPtoSTORKRoleMapper.getInstance(); + for (AuthenticationRole el : authData.getAuthenticationRoles()) { + String storkRole = mapper.map(el); + if (MiscUtil.isNotEmpty(storkRole)) + storkRoles.add(storkRole); + + } + } + return storkRoles; + } + private String getFormatedDateOfBirth() { + if (authData.getDateOfBirth() != null) { + DateFormat fmt = new SimpleDateFormat("yyyyMMdd"); + return fmt.format(authData.getDateOfBirth()); + + } + else + return null; + + } + private void populateAttributeWithMethod(Method method, Object object, PersonalAttributeList attributeList, String storkAttribute, Boolean isRequired) { try { - String attributeValue = method.invoke(object, new Class[]{}).toString(); + Object attributeValue = method.invoke(object, new Class[]{}); + PersonalAttribute newAttribute = new PersonalAttribute(); newAttribute.setName(storkAttribute); - - newAttribute.setStatus("Available"); newAttribute.setIsRequired(isRequired); - Logger.info("Got attribute value: " + attributeValue); - newAttribute.setValue(new ArrayList<String>(Collections.singletonList(attributeValue))); - attributeList.add(newAttribute); + + if (attributeValue != null) { + newAttribute.setStatus(STORKStatusCode.STATUS_AVAILABLE.name()); + Logger.info("Got attribute value: " + attributeValue); + + if (attributeValue instanceof String) + newAttribute.setValue(new ArrayList<String>(Collections.singletonList((String)attributeValue))); + + else if (attributeValue instanceof List<?>) { + List<?> attributeValueList = (List<?>) attributeValue; + if (attributeValueList.size() > 0 && attributeValueList.get(0) instanceof String) { + newAttribute.setValue((List<String>) attributeValueList); + + } else { + Logger.info("Attribute " + storkAttribute + " is not available."); + newAttribute.setStatus(STORKStatusCode.STATUS_NOT_AVAILABLE.name()); + + } + + } else { + Logger.error("Receive an unsupported type for attribute " + storkAttribute); + + } + attributeList.add(newAttribute); + + } else { + Logger.info("Attribute " + storkAttribute + " is not available."); + newAttribute.setStatus(STORKStatusCode.STATUS_NOT_AVAILABLE.name()); + } + } catch (InvocationTargetException e) { Logger.error("Invocation target exception while getting attribute: " + storkAttribute); e.printStackTrace(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java index 076139018..a92d02e08 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java @@ -22,13 +22,25 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.stork2; +import java.util.ArrayList; +import java.util.Arrays; import java.util.List; import org.opensaml.saml2.core.Attribute; +import at.gv.egovernment.moa.id.auth.builder.DynamicOAAuthParameterBuilder; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.config.auth.data.DynamicOAAuthParameters; import at.gv.egovernment.moa.id.moduls.RequestImpl; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Constants; import eu.stork.peps.auth.commons.IPersonalAttributeList; import eu.stork.peps.auth.commons.STORKAttrQueryRequest; import eu.stork.peps.auth.commons.STORKAuthnRequest; @@ -41,6 +53,16 @@ import eu.stork.peps.auth.commons.STORKAuthnResponse; */ public class MOASTORKRequest extends RequestImpl { + public static final List<String> DEFAULTREQUESTEDATTRFORINTERFEDERATION = Arrays.asList( + new String[] { + PVPConstants.BPK_NAME, + PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME, + PVPConstants.GIVEN_NAME_NAME, + PVPConstants.PRINCIPAL_NAME_NAME, + PVPConstants.BIRTHDATE_NAME, + PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME, + }); + /** The Constant serialVersionUID. */ private static final long serialVersionUID = 4581953368724501376L; @@ -206,29 +228,28 @@ public class MOASTORKRequest extends RequestImpl { } /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.moduls.IRequest#getRequestedIDP() - */ - @Override - public String getRequestedIDP() { - // TODO Auto-generated method stub - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.moduls.IRequest#getInterfederationResponse() - */ - @Override - public MOAResponse getInterfederationResponse() { - // TODO Auto-generated method stub - return null; - } - - /* (non-Javadoc) * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes() */ @Override public List<Attribute> getRequestedAttributes() { - // TODO Auto-generated method stub - return null; + //TODO: only for testing with MOA-ID as PVP Stammportal + IOAAuthParameters oa; + try { + oa = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(getOAURL()); + oa = DynamicOAAuthParameterBuilder.buildFromAuthnRequest(oa, this); + + DynamicOAAuthParameters tmp = (DynamicOAAuthParameters) oa; + tmp.setBusinessTarget(Constants.URN_PREFIX_CDID + "+BF"); + + return AttributQueryBuilder.buildSAML2AttributeList(tmp, DEFAULTREQUESTEDATTRFORINTERFEDERATION.iterator()); + + } catch (ConfigurationException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + return null; + } + + //return new ArrayList<Attribute>(); + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateContainer.java index 25350e686..e6c58b503 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateContainer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateContainer.java @@ -24,11 +24,11 @@ package at.gv.egovernment.moa.id.protocols.stork2; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.logging.Logger; -import javanet.staxutils.SimpleNamespaceContext; import javax.xml.xpath.XPath; import javax.xml.xpath.XPathExpressionException; import javax.xml.xpath.XPathFactory; + import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.util.HashMap; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/PhyPersonMandateContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/PhyPersonMandateContainer.java index 8fd5c41dc..2ea6cce00 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/PhyPersonMandateContainer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/PhyPersonMandateContainer.java @@ -24,14 +24,10 @@ package at.gv.egovernment.moa.id.protocols.stork2; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.logging.Logger; -import javanet.staxutils.SimpleNamespaceContext; import org.xml.sax.InputSource; -import javax.xml.xpath.XPath; import javax.xml.xpath.XPathExpressionException; -import javax.xml.xpath.XPathFactory; import java.io.StringReader; -import java.util.HashMap; /** * Physical person representing physical person diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKPVPUtilits.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKPVPUtilits.java new file mode 100644 index 000000000..d923eccde --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKPVPUtilits.java @@ -0,0 +1,49 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.stork2; + +import java.util.Arrays; +import java.util.List; + +/** + * @author tlenz + * + */ +public class STORKPVPUtilits { + + public static final List<String> attributesRequirePVPAuthentication = + Arrays.asList("ECApplicationRole"); + + + + public static boolean performAuthenticationOnNationalIDP(MOASTORKRequest moastorkRequest) { + for (String el : attributesRequirePVPAuthentication) { + if (moastorkRequest.getPersonalAttributeList().containsKey(el)) { + return true; + + } + } + return false; + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKProtocol.java index 440121417..57531992d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKProtocol.java @@ -23,11 +23,15 @@ package at.gv.egovernment.moa.id.protocols.stork2; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IModulInfo; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; import eu.stork.peps.auth.commons.*; import eu.stork.peps.auth.engine.STORKSAMLEngine; import eu.stork.peps.exceptions.STORKSAMLEngineException; @@ -145,20 +149,23 @@ public class STORKProtocol implements IModulInfo, MOAIDAuthConstants { STORKAuthnRequest authnRequest = null; STORKAttrQueryRequest attrRequest = null; - - + // check if valid authn request is contained try { authnRequest = engine.validateSTORKAuthnRequest(decSamlToken); + } catch (STORKSAMLEngineException ex) { Logger.error("Unable to validate Stork AuthenticationRequest: " + ex.getMessage()); + } catch (ClassCastException e) { // we do not have a authnRequest // check if a valid attr request is container try { attrRequest = engine.validateSTORKAttrQueryRequest(decSamlToken); + } catch (STORKSAMLEngineException ex) { Logger.error("Unable to validate Stork AuthenticationRequest: " + ex.getMessage()); + } } @@ -176,11 +183,32 @@ public class STORKProtocol implements IModulInfo, MOAIDAuthConstants { Logger.error("Exception, attributes: " + e.getMessage()); } - STORK2Request.setSTORKAuthnRequest(authnRequest); STORK2Request.setSTORKAttrRequest(attrRequest); - - + + //check if OA is instance of VIDP or STORKPVPGateway + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(STORK2Request.getOAURL()); + if (oaParam == null) + throw new AuthenticationException("stork.12", new Object[]{STORK2Request.getOAURL()}); + + else { + if (oaParam.isSTORKPVPGateway()) { + if (MiscUtil.isNotEmpty(oaParam.getSTORKPVPForwardEntity())) { + Logger.info("Received request for STORK->PVP gateway. " + + "Forward to PVP portal with entiyID " + oaParam.getSTORKPVPForwardEntity() + + " ..." ); + STORK2Request.setRequestedIDP(oaParam.getSTORKPVPForwardEntity()); + + } else { + Logger.error("InterfederatedGateway configuration with ID " + STORK2Request.getOAURL() + + " not configure a forward entityID."); + throw new MOAIDException("", null); + + } + } + + } + return STORK2Request; } else { throw new MOAIDException("stork.14", null); // TODO Specify message diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/SimpleNamespaceContext.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/SimpleNamespaceContext.java new file mode 100644 index 000000000..2c2df3e54 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/SimpleNamespaceContext.java @@ -0,0 +1,83 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.stork2; + +import java.util.HashMap; +import java.util.Iterator; +import java.util.Map.Entry; +import java.util.Set; + +import javax.xml.namespace.NamespaceContext; + +/** + * @author tlenz + * + */ +public class SimpleNamespaceContext implements NamespaceContext { + + HashMap<String, String> prefMap = null; + /** + * @param prefMap + */ + SimpleNamespaceContext(HashMap<String, String> prefMap) { + this.prefMap = prefMap; + } + + /* (non-Javadoc) + * @see javax.xml.namespace.NamespaceContext#getNamespaceURI(java.lang.String) + */ + @Override + public String getNamespaceURI(String prefix) { + if (prefMap.containsKey(prefix)) + return prefMap.get(prefix); + else + return null; + } + + /* (non-Javadoc) + * @see javax.xml.namespace.NamespaceContext#getPrefix(java.lang.String) + */ + @Override + public String getPrefix(String namespaceURI) { + if (prefMap.containsValue(namespaceURI)) { + Set<Entry<String, String>> set = prefMap.entrySet(); + for (Entry<String, String> el : set) { + if (el.getValue().equals(namespaceURI)) + return el.getKey(); + + } + } + + return null; + } + + /* (non-Javadoc) + * @see javax.xml.namespace.NamespaceContext#getPrefixes(java.lang.String) + */ + @Override + public Iterator getPrefixes(String namespaceURI) { + // TODO Auto-generated method stub + return null; + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/AttributeProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/AttributeProvider.java index a8454b37c..aaf13a779 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/AttributeProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/AttributeProvider.java @@ -32,6 +32,7 @@ import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.stork2.ExternalAttributeRequestRequiredException; +import at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest; import at.gv.egovernment.moa.id.protocols.stork2.UnsupportedAttributeException; import eu.stork.peps.auth.commons.IPersonalAttributeList; import eu.stork.peps.auth.commons.PersonalAttribute; @@ -40,7 +41,7 @@ import eu.stork.peps.auth.commons.PersonalAttribute; * An {@link AttributeProvider} can fetch a set of stork attributes. It might complete the query within one method call, * but might also need to redirect to another webservice to accomplish its task. */ -public abstract class AttributeProvider { +public abstract class AttributeProvider implements Comparable<AttributeProvider>{ protected String attributes; @@ -53,19 +54,19 @@ public abstract class AttributeProvider { * for redirecting the user to an external service. Use {@link AttributeProvider#parse(HttpServletRequest)} to parse * the response. * - * @param attributes the list of attributes to be acquired - * @param spCountyCode the sp county code + * @param currentProviderConfiguredAttributes the list of attributes to be acquired + * @param moastorkRequest the sp county code * @param authData the moasession * @return the personal attribute * @throws UnsupportedAttributeException the unsupported attribute exception * @throws ExternalAttributeRequestRequiredException an attribute request to an external service has to be done * @throws MOAIDException the mOAID exception */ - protected abstract IPersonalAttributeList acquire(PersonalAttribute attributes, String spCountyCode, IAuthData authData) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException; + protected abstract IPersonalAttributeList acquire(PersonalAttribute currentProviderConfiguredAttributes, MOASTORKRequest moastorkRequest, IAuthData authData) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException; - public IPersonalAttributeList acquire(List<PersonalAttribute> attributes, String spCountyCode, IAuthData authData) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException { + public IPersonalAttributeList acquire(List<PersonalAttribute> attributes, MOASTORKRequest moastorkRequest, IAuthData authData) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException { if (attributes.size() == 1) { - return acquire(attributes.get(0), spCountyCode, authData); + return acquire(attributes.get(0), moastorkRequest, authData); } else { throw new MOAIDException("stork.13", new Object[] { }); // TODO message only one attribute supported by this provider @@ -107,5 +108,32 @@ public abstract class AttributeProvider { return supportedAttributeNames; } - + + /** + * Returns the sequence priority of this attribute provider. + * Providers with small numbers are requested first. + * + * @return a sequence priority of this provider + */ + public abstract int getPriority(); + + /** + * Compare the sequence priority of two attribute providers + * @param o attribute provider + * @return 0 if priority is equal + * @return -1 if priority if this is higher then from o + * @return +1 if priority if o is higher then from this + */ + @Override + public int compareTo(AttributeProvider o) { + if (this.getPriority() == o.getPriority()) + return 0; + + if (this.getPriority() < o.getPriority()) + return -1; + + else + return +1; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttributeProviderPlugin.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttributeProviderPlugin.java index 8af35673f..761460971 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttributeProviderPlugin.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttributeProviderPlugin.java @@ -46,6 +46,7 @@ import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.stork2.ExternalAttributeRequestRequiredException; +import at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest; import at.gv.egovernment.moa.id.protocols.stork2.UnsupportedAttributeException; import at.gv.egovernment.moa.logging.Logger; import eu.stork.peps.auth.commons.IPersonalAttributeList; @@ -77,7 +78,7 @@ public class EHvdAttributeProviderPlugin extends AttributeProvider { * @see at.gv.egovernment.moa.id.protocols.stork2.AttributeProvider#acquire(eu.stork.peps.auth.commons.PersonalAttribute) */ @Override - protected IPersonalAttributeList acquire(PersonalAttribute attribute, String spCountryCode, IAuthData authData) + protected IPersonalAttributeList acquire(PersonalAttribute attribute, MOASTORKRequest moastorkRequest, IAuthData authData) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException { @@ -214,7 +215,7 @@ public class EHvdAttributeProviderPlugin extends AttributeProvider { // add stork id for verification ArrayList<String> value = new ArrayList<String>(); - value.add(new BPKBuilder().buildStorkeIdentifier(authData.getIdentityLink(), spCountryCode)); + value.add(new BPKBuilder().buildStorkeIdentifier(authData.getIdentityLink(), moastorkRequest.getSpCountry())); result.add(new PersonalAttribute("eIdentifier", false, value, "Available")); return result; @@ -241,5 +242,12 @@ public class EHvdAttributeProviderPlugin extends AttributeProvider { throw new UnsupportedAttributeException(); } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.AttributeProvider#getPriority() + */ + @Override + public int getPriority() { + return 99; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttribute_deprecatedProviderPlugin.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttribute_deprecatedProviderPlugin.java index fb62e43e5..2000ef928 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttribute_deprecatedProviderPlugin.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttribute_deprecatedProviderPlugin.java @@ -46,6 +46,7 @@ import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.stork2.ExternalAttributeRequestRequiredException; +import at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest; import at.gv.egovernment.moa.id.protocols.stork2.UnsupportedAttributeException; import at.gv.egovernment.moa.logging.Logger; import eu.stork.peps.auth.commons.IPersonalAttributeList; @@ -78,7 +79,7 @@ public class EHvdAttribute_deprecatedProviderPlugin extends AttributeProvider { * @see at.gv.egovernment.moa.id.protocols.stork2.AttributeProvider#acquire(eu.stork.peps.auth.commons.PersonalAttribute) */ @Override - protected IPersonalAttributeList acquire(PersonalAttribute attribute, String spCountryCode, IAuthData authData) + protected IPersonalAttributeList acquire(PersonalAttribute attribute, MOASTORKRequest moastorkRequest, IAuthData authData) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException { @@ -219,7 +220,7 @@ public class EHvdAttribute_deprecatedProviderPlugin extends AttributeProvider { // add stork id for verification ArrayList<String> value = new ArrayList<String>(); - value.add(new BPKBuilder().buildStorkeIdentifier(authData.getIdentityLink(), spCountryCode)); + value.add(new BPKBuilder().buildStorkeIdentifier(authData.getIdentityLink(), moastorkRequest.getSpCountry())); result.add(new PersonalAttribute("eIdentifier", false, value, "Available")); return result; @@ -246,5 +247,12 @@ public class EHvdAttribute_deprecatedProviderPlugin extends AttributeProvider { throw new UnsupportedAttributeException(); } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.AttributeProvider#getPriority() + */ + @Override + public int getPriority() { + return 99; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/MandateAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/MandateAttributeRequestProvider.java index 07e5b70ba..f4d963645 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/MandateAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/MandateAttributeRequestProvider.java @@ -36,6 +36,7 @@ import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.stork2.ExternalAttributeRequestRequiredException; +import at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest; import at.gv.egovernment.moa.id.protocols.stork2.UnsupportedAttributeException; import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.id.util.VelocityProvider; @@ -73,9 +74,9 @@ public class MandateAttributeRequestProvider extends AttributeProvider { } @Override - protected IPersonalAttributeList acquire(PersonalAttribute attribute, String spCountryCode, IAuthData authData) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException { + protected IPersonalAttributeList acquire(PersonalAttribute attribute, MOASTORKRequest moastorkRequest, IAuthData authData) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException { Logger.info("Acquiring attribute: " + attribute.getName() + ", by: " + getAttrProviderName()); - this.spCountryCode = spCountryCode; + this.spCountryCode = moastorkRequest.getSpCountry(); requestedAttributes = new PersonalAttributeList(1); requestedAttributes.add(attribute); @@ -94,9 +95,9 @@ public class MandateAttributeRequestProvider extends AttributeProvider { } @Override - public IPersonalAttributeList acquire(List<PersonalAttribute> attributes, String spCountryCode, IAuthData moasession) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException { + public IPersonalAttributeList acquire(List<PersonalAttribute> attributes, MOASTORKRequest moastorkRequest, IAuthData moasession) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException { Logger.info("Acquiring " + attributes.size() + " attributes, by: " + getAttrProviderName()); - this.spCountryCode = spCountryCode; + this.spCountryCode = moastorkRequest.getSpCountry(); requestedAttributes = new PersonalAttributeList(attributes.size()); for (PersonalAttribute personalAttribute : attributes) { @@ -205,5 +206,12 @@ public class MandateAttributeRequestProvider extends AttributeProvider { return null; // } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.AttributeProvider#getPriority() + */ + @Override + public int getPriority() { + return 99; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java new file mode 100644 index 000000000..88c59ccf9 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java @@ -0,0 +1,239 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.stork2.attributeproviders; + +import java.io.StringWriter; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.velocity.Template; +import org.apache.velocity.VelocityContext; +import org.apache.velocity.app.VelocityEngine; + +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.stork2.ExternalAttributeRequestRequiredException; +import at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest; +import at.gv.egovernment.moa.id.protocols.stork2.UnsupportedAttributeException; +import at.gv.egovernment.moa.id.util.HTTPUtils; +import at.gv.egovernment.moa.id.util.VelocityProvider; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.StringUtils; +import eu.stork.peps.auth.commons.IPersonalAttributeList; +import eu.stork.peps.auth.commons.PEPSUtil; +import eu.stork.peps.auth.commons.PersonalAttribute; +import eu.stork.peps.auth.commons.STORKAttrQueryRequest; +import eu.stork.peps.auth.commons.STORKAttrQueryResponse; +import eu.stork.peps.auth.commons.STORKAuthnRequest; +import eu.stork.peps.auth.commons.STORKAuthnResponse; +import eu.stork.peps.auth.engine.STORKSAMLEngine; +import eu.stork.peps.exceptions.STORKSAMLEngineException; + +/** + * @author tlenz + * + */ +public class PVPAuthenticationProvider extends AttributeProvider { + + private String destination = null; + private MOASTORKRequest moastorkRequest = null; + + /** + * @param attributes + * @param attributes2 + */ + public PVPAuthenticationProvider(String url, String attributes) { + super(attributes); + this.destination = url; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.AttributeProvider#acquire(eu.stork.peps.auth.commons.PersonalAttribute, java.lang.String, at.gv.egovernment.moa.id.data.IAuthData) + */ + @Override + protected IPersonalAttributeList acquire(PersonalAttribute attribute, + MOASTORKRequest moastorkRequest, IAuthData authData) + throws UnsupportedAttributeException, + ExternalAttributeRequestRequiredException, MOAIDException { + + this.moastorkRequest = moastorkRequest; + // break if we cannot handle the requested attribute + if (!attributes.contains(attribute.getName())) { + Logger.info("Attribute " + attribute.getName() + " not supported by the provider: " + getAttrProviderName()); + throw new UnsupportedAttributeException(); + + } + + Logger.info("Thrown external request by: " + getAttrProviderName()); + throw new ExternalAttributeRequestRequiredException(this); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.AttributeProvider#performRedirect(java.lang.String, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, at.gv.egovernment.moa.id.config.auth.OAAuthParameter) + */ + @Override + public void performRedirect(String url, HttpServletRequest req, + HttpServletResponse resp, OAAuthParameter oaParam) + throws MOAIDException { + + String spSector = "Business"; + String spInstitution = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "UNKNOWN" : oaParam.getFriendlyName(); + String spApplication = spInstitution; + String spCountryCode = moastorkRequest.getSpCountry(); + + if ((spCountryCode == null) || (spCountryCode.length()<2)) { + spCountryCode = oaParam.getTarget(); + Logger.info("Setting spcountry target: " + oaParam.getTarget()); + Logger.info("idlink ident " + oaParam.getIdentityLinkDomainIdentifier()); + Logger.info("idlink type " + oaParam.getIdentityLinkDomainIdentifierType()); + Logger.info("Setting spcountry target friendly : " + oaParam.getTargetFriendlyName()); + Logger.info("Oatype : " + oaParam.getOaType()); + Logger.info("puburl : " + oaParam.getPublicURLPrefix()); + if ("STORK".equals(oaParam.getIdentityLinkDomainIdentifierType())) { + + spCountryCode = oaParam.getIdentityLinkDomainIdentifier().substring(oaParam.getIdentityLinkDomainIdentifier().length()-2); + Logger.info("Set to " +spCountryCode); + } + + } + + //generate AttrQueryRequest + STORKAuthnRequest authRequest = new STORKAuthnRequest(); + authRequest.setDestination(destination); + authRequest.setAssertionConsumerServiceURL(url); + authRequest.setIssuer(HTTPUtils.getBaseURL(req)); + authRequest.setQaa(oaParam.getQaaLevel()); + authRequest.setSpInstitution(spInstitution); + authRequest.setCountry(spCountryCode); + authRequest.setSpCountry(spCountryCode); + authRequest.setSpApplication(spApplication); + authRequest.setProviderName(spApplication); + authRequest.setSpSector(spSector); + authRequest.setPersonalAttributeList(moastorkRequest.getPersonalAttributeList()); + + authRequest.setCitizenCountryCode("AT"); + authRequest.setQaa(oaParam.getQaaLevel()); + + if (authRequest.getQaa() == 0 ) { + authRequest.setQaa(4); // workaround + } + + + + Logger.info("STORK AttrRequest successfully assembled."); + + STORKSAMLEngine samlEngine = STORKSAMLEngine.getInstance("VIDP"); + try { + + authRequest = samlEngine.generateSTORKAuthnRequest(authRequest); + } catch (STORKSAMLEngineException e) { + Logger.error("Could not sign STORK SAML AttrRequest.", e); + throw new MOAIDException("stork.00", null); + } + + Logger.info("STORK AttrRequest successfully signed!"); + + //validate AuthnRequest + try { + samlEngine.validateSTORKAuthnRequest(authRequest.getTokenSaml()); + } catch (STORKSAMLEngineException e) { + Logger.error("STORK SAML AuthnRequest not valid.", e); + throw new MOAIDException("stork.01", null); + } + + Logger.debug("STORK AuthnRequest successfully internally validated."); + + try { + Logger.trace("Initialize VelocityEngine..."); + + VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine(); + Template template = velocityEngine.getTemplate("/resources/templates/saml2-post-binding-moa.vm"); + VelocityContext context = new VelocityContext(); + context.put("SAMLRequest", PEPSUtil.encodeSAMLToken(authRequest.getTokenSaml())); + context.put("action", destination); + + StringWriter writer = new StringWriter(); + template.merge(context, writer); + + resp.getOutputStream().write(writer.toString().getBytes("UTF-8")); + + } catch (Exception e) { + Logger.error("Error sending STORK SAML AttrRequest.", e); + throw new MOAIDException("stork.11", null); + + } + Logger.info("STORK AttrRequest successfully rendered!"); + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.AttributeProvider#parse(javax.servlet.http.HttpServletRequest) + */ + @Override + public IPersonalAttributeList parse(HttpServletRequest httpReq) + throws UnsupportedAttributeException, MOAIDException { + + Logger.info(this.getClass().getSimpleName() + " tries to extract SAMLResponse out of HTTP Request"); + + //extract STORK Response from HTTP Request + //Decodes SAML Response + byte[] decSamlToken; + try { + decSamlToken = PEPSUtil.decodeSAMLToken(httpReq.getParameter("SAMLResponse")); + } catch(NullPointerException e) { + throw new UnsupportedAttributeException(); + } + + //Get SAMLEngine instance + STORKSAMLEngine engine = STORKSAMLEngine.getInstance("VIDP"); + + STORKAuthnResponse authnResponse = null; + try { + //validate SAML Token + Logger.debug("Starting validation of SAML response"); + authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) httpReq.getRemoteHost()); + Logger.info("SAML response successfully verified!"); + + }catch(STORKSAMLEngineException e){ + Logger.error("Failed to verify STORK SAML Response", e); + throw new MOAIDException("stork.05", null); + } + + return authnResponse.getPersonalAttributeList(); + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.AttributeProvider#getPriority() + */ + @Override + public int getPriority() { + return 1; + } + + public String getAttrProviderName() { + return this.getClass().getName(); + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java index 13b14b0be..06cb99da0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java @@ -58,6 +58,7 @@ import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.stork2.ExternalAttributeRequestRequiredException; +import at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest; import at.gv.egovernment.moa.id.protocols.stork2.UnsupportedAttributeException; import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.logging.Logger; @@ -124,7 +125,7 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider { * .lang.String) */ @Override - protected IPersonalAttributeList acquire(PersonalAttribute attribute, String spCountyCode, IAuthData authData) throws UnsupportedAttributeException, + protected IPersonalAttributeList acquire(PersonalAttribute attribute, MOASTORKRequest moastorkRequest, IAuthData authData) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException { if(!attributes.contains(attribute.getName())) { throw new UnsupportedAttributeException(); @@ -616,4 +617,12 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider { return success; } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.AttributeProvider#getPriority() + */ + @Override + public int getPriority() { + return 99; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/StorkAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/StorkAttributeRequestProvider.java index cb3a33c69..5ee0e380e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/StorkAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/StorkAttributeRequestProvider.java @@ -35,6 +35,7 @@ import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.stork2.ExternalAttributeRequestRequiredException; +import at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest; import at.gv.egovernment.moa.id.protocols.stork2.UnsupportedAttributeException; import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.id.util.VelocityProvider; @@ -77,13 +78,13 @@ public class StorkAttributeRequestProvider extends AttributeProvider { * @see at.gv.egovernment.moa.id.protocols.stork2.AttributeProvider#acquire(java.lang.String) */ @Override - protected IPersonalAttributeList acquire(PersonalAttribute attribute, String spCountyCode, IAuthData authData) + protected IPersonalAttributeList acquire(PersonalAttribute attribute, MOASTORKRequest moastorkRequest, IAuthData authData) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException { if (!attributes.contains(attribute.getName())) throw new UnsupportedAttributeException(); - this.spCountryCode = spCountyCode; + this.spCountryCode = moastorkRequest.getSpCountry(); requestedAttributes = new PersonalAttributeList(1); requestedAttributes.add(attribute); @@ -180,5 +181,13 @@ public class StorkAttributeRequestProvider extends AttributeProvider { Logger.info("STORK AttrRequest successfully rendered!"); } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.stork2.attributeproviders.AttributeProvider#getPriority() + */ + @Override + public int getPriority() { + return 99; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKRoleMapper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKRoleMapper.java new file mode 100644 index 000000000..20f541a1a --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKRoleMapper.java @@ -0,0 +1,83 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.util; + +import java.io.IOException; +import java.util.Properties; + +import at.gv.egovernment.moa.id.data.AuthenticationRole; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +public class PVPtoSTORKRoleMapper { + + private static final String MAPPING_RESOURCE = + "resources/properties/pvp-stork_role_mapping.properties"; + + private Properties mapping = null; + + private static PVPtoSTORKRoleMapper instance = null; + + public static PVPtoSTORKRoleMapper getInstance() { + if (instance == null) { + instance = new PVPtoSTORKRoleMapper(); + } + + return instance; + } + + private PVPtoSTORKRoleMapper() { + try { + mapping = new Properties(); + mapping.load(this.getClass().getClassLoader().getResourceAsStream(MAPPING_RESOURCE)); + Logger.debug("PVP -> STORK Role mapping initialisation finished."); + + } catch (IOException e) { + Logger.error("PVP -> STORK Role mapping initialisation FAILED." , e); + mapping = null; + + } + + + } + + /** + * @param el + * @return + */ + public String map(AuthenticationRole el) { + if (mapping != null) { + String ecRole = mapping.getProperty(el.getRawRoleString()); + if (MiscUtil.isNotEmpty(ecRole)) { + Logger.info("Map PVPRole " + el.getRawRoleString() + " to ECRole " + ecRole); + return ecRole; + } + } + Logger.warn("NO mapping for PVPRole "+ el.getRawRoleString() + " !"); + return null; + } +} |