Merge STORK2 fakeIDL extension into development branch

6 files changed, 102 insertions, 17 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 5fb4d6be8..5d816be1b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -992,7 +992,13 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
             //resign IDL
 			IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance();					
 			Element resignedilAssertion;
-			resignedilAssertion = identitylinkresigner.resignIdentityLink(businessServiceIdl.getSamlAssertion());    				    				
+
+			AuthConfigurationProvider config = AuthConfigurationProvider.getInstance();
+			if (config.isIdentityLinkResigning()) {
+				resignedilAssertion = identitylinkresigner.resignIdentityLink(businessServiceIdl.getSamlAssertion(), config.getIdentityLinkResigningKey());
+			} else {
+				resignedilAssertion = businessServiceIdl.getSamlAssertion();
+			}
 			IdentityLinkAssertionParser resignedIDLParser = new IdentityLinkAssertionParser(resignedilAssertion);
 			IdentityLink resignedIDL = resignedIDLParser.parseIdentityLink();
 			
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java
index e2802c1d2..a5783bfb7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java
@@ -106,7 +106,7 @@ public class IdentityLinkAssertionParser {
       + PDATA
       + "Person";
   /** Xpath expression to the PersonData GivenName element */      
-  private static final String PERSON_GIVEN_NAME_XPATH =
+  public static final String PERSON_GIVEN_NAME_XPATH =
     PERSON_XPATH
     	+ "/"
       + PDATA
@@ -114,7 +114,7 @@ public class IdentityLinkAssertionParser {
       + PDATA
       + "GivenName";
   /** Xpath expression to the PersonData FamilyName element */
-  private static final String PERSON_FAMILY_NAME_XPATH =
+  public static final String PERSON_FAMILY_NAME_XPATH =
     PERSON_XPATH
     	+ "/"
       + PDATA
@@ -122,7 +122,7 @@ public class IdentityLinkAssertionParser {
       + PDATA
       + "FamilyName";
   /** Xpath expression to the PersonData DateOfBirth element */
-  private static final String PERSON_DATE_OF_BIRTH_XPATH =
+  public static final String PERSON_DATE_OF_BIRTH_XPATH =
     PERSON_XPATH
     	+ "/"
       + PDATA
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
index 4cd192070..10d0ddbc4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
@@ -48,6 +48,8 @@ import org.apache.velocity.Template;
 import org.apache.velocity.VelocityContext;

 import org.apache.velocity.app.VelocityEngine;

 import org.opensaml.saml2.core.StatusCode;

+import org.w3c.dom.Element;

+import org.w3c.dom.Node;

 

 import at.gv.egovernment.moa.id.auth.AuthenticationServer;

 import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;

@@ -55,6 +57,7 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.data.IdentityLink;

 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;

 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;

+import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;

 import at.gv.egovernment.moa.id.auth.stork.STORKException;

 import at.gv.egovernment.moa.id.auth.stork.STORKResponseProcessor;

 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;

@@ -64,9 +67,12 @@ import at.gv.egovernment.moa.id.moduls.ModulUtils;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;

 import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;

 import at.gv.egovernment.moa.id.util.HTTPUtils;

+import at.gv.egovernment.moa.id.util.IdentityLinkReSigner;

 import at.gv.egovernment.moa.id.util.VelocityProvider;

 import at.gv.egovernment.moa.logging.Logger;

+import at.gv.egovernment.moa.util.DOMUtils;

 import at.gv.egovernment.moa.util.StringUtils;

+import at.gv.egovernment.moa.util.XPathUtils;

 import at.gv.util.xsd.xmldsig.SignatureType;

 import at.gv.util.xsd.xmldsig.X509DataType;

 import eu.stork.oasisdss.api.ApiUtils;

@@ -360,14 +366,61 @@ public class PEPSConnectorServlet extends AuthServlet {
 	        	targetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget();

 	        }

 			

-			Logger.debug("Starting connecting SZR Gateway");

-			//contact SZR Gateway

 			IdentityLink identityLink = null;

 			try {

-				identityLink = STORKResponseProcessor.connectToSZRGateway(authnResponse.getPersonalAttributeList(),

+				AuthConfigurationProvider config = AuthConfigurationProvider.getInstance();

+				if(config.isStorkFakeIdLActive() && config.getStorkFakeIdLCountries().contains(storkAuthnRequest.getCitizenCountryCode())) {

+					// create fake IdL

+					// - fetch IdL template from resources

+					InputStream s = PEPSConnectorServlet.class.getResourceAsStream("/resources/xmldata/fakeIdL_IdL_template.xml");

+					Element idlTemplate = DOMUtils.parseXmlValidating(s);

+

+				    identityLink = new IdentityLinkAssertionParser(idlTemplate).parseIdentityLink();

+

+				    // replace data

+		            Element idlassertion = identityLink.getSamlAssertion();

+		            // - set bpk/wpbk;

+			        Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);

+			        if(!STORKResponseProcessor.hasAttribute("eIdentifier", attributeList))

+			        	throw new STORKException("eIdentifier is missing");

+			        String eIdentifier = STORKResponseProcessor.getAttributeValue("eIdentifier", attributeList, false);

+			        prIdentification.getFirstChild().setNodeValue(eIdentifier);

+

+			        // - set last name

+			        Node prFamilyName = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_FAMILY_NAME_XPATH);

+			        if(!STORKResponseProcessor.hasAttribute("surname", attributeList))

+			        	throw new STORKException("surname is missing");

+					String familyName = STORKResponseProcessor.getAttributeValue("surname", attributeList, false);

+					prFamilyName.getFirstChild().setNodeValue(familyName);

+

+			        // - set first name

+			        Node prGivenName = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_GIVEN_NAME_XPATH);

+			        if(!STORKResponseProcessor.hasAttribute("givenName", attributeList))

+			        	throw new STORKException("givenName is missing");

+					String givenName = STORKResponseProcessor.getAttributeValue("givenName", attributeList, false);

+					prGivenName.getFirstChild().setNodeValue(givenName);

+

+			        // - set date of birth

+			        Node prDateOfBirth = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_DATE_OF_BIRTH_XPATH);

+			        if(!STORKResponseProcessor.hasAttribute("dateOfBirth", attributeList))

+			        	throw new STORKException("dateOfBirth is missing");

+					String dateOfBirth = STORKResponseProcessor.getAttributeValue("dateOfBirth", attributeList, false);

+					prDateOfBirth.getFirstChild().setNodeValue(dateOfBirth);

+

+		            identityLink = new IdentityLinkAssertionParser(idlassertion).parseIdentityLink();

+

+		            //resign IDL

+					IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance();

+					Element resignedilAssertion = identitylinkresigner.resignIdentityLink(identityLink.getSamlAssertion(), config.getStorkFakeIdLResigningKey());

+					identityLink = new IdentityLinkAssertionParser(resignedilAssertion).parseIdentityLink();

+				} else {

+					//contact SZR Gateway

+					Logger.debug("Starting connecting SZR Gateway");

+					identityLink = STORKResponseProcessor.connectToSZRGateway(authnResponse.getPersonalAttributeList(),

 																		  oaParam.getFriendlyName(), 

 																		  targetType, null, 

 																		  oaParam.getMandateProfiles(), citizenSignature);

+				}

 			} catch (STORKException e) {

 				// this is really nasty but we work against the system here. We are supposed to get the gender attribute from

 				// stork. If we do not, we cannot register the person in the ERnP - we have to have the

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java
index 7113dcf70..ea1526ff0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java
@@ -102,7 +102,7 @@ public class STORKResponseProcessor {
 	private static String getAttributeValue(String attributeName, IPersonalAttributeList attributeList) throws STORKException {

 		return getAttributeValue(attributeName, attributeList, true);

 	}

-	private static String getAttributeValue(String attributeName, IPersonalAttributeList attributeList, boolean throwException) throws STORKException {

+	public static String getAttributeValue(String attributeName, IPersonalAttributeList attributeList, boolean throwException) throws STORKException {

 		try {

 			String result = attributeList.get(attributeName).getValue().get(0);

 			Logger.trace(attributeName + " : " + result);

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
index dae5ffcef..2a016fa8b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
@@ -53,6 +53,7 @@ import java.io.IOException;
 import java.math.BigInteger;
 import java.net.MalformedURLException;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.List;
@@ -1007,6 +1008,39 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
 		  return null;
   }
   
+  /**
+   * Checks if is fakeIdL is activated.
+   *
+   * @return true, if fake IdLs are available for stork
+   */
+  public boolean isStorkFakeIdLActive() {
+	  String prop = props.getProperty("stork.fakeIdL.active", "false");
+	  return Boolean.valueOf(prop);
+  }
+
+  /**
+   * Gets the countries which will receive a fake IdL
+   *
+   * @return the countries
+   */
+  public List<String> getStorkFakeIdLCountries() {
+	  String prop = props.getProperty("stork.fakeIdL.countries", "");
+	  return Arrays.asList(prop.replaceAll(" ", "").split(","));
+  }
+
+  /**
+   * Gets the resigning key (group) for the stork fake IdL.
+   *
+   * @return the resigning key
+   */
+  public String getStorkFakeIdLResigningKey() {
+	  String prop = props.getProperty("stork.fakeIdL.keygroup");
+	  if (MiscUtil.isNotEmpty(prop))
+		  return prop;
+	  else
+		  return null;
+  }
+
   public boolean isMonitoringActive() {
 	  String prop = props.getProperty("configuration.monitoring.active", "false");
 	  return Boolean.valueOf(prop);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java
index 090bea486..520b81b17 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java
@@ -71,13 +71,9 @@ public class IdentityLinkReSigner {
 		return instance;
 	}
 	
-	public Element resignIdentityLink(Element idl) throws MOAIDException {
+	public Element resignIdentityLink(Element idl, String keyGroupId) throws MOAIDException {
 		
 		try {
-			AuthConfigurationProvider config = AuthConfigurationProvider.getInstance();
-						
-			if (config.isIdentityLinkResigning()) {
-				
 				if (idl == null) {
 					Logger.warn("IdentityLink is empty");
 					return null;
@@ -91,7 +87,6 @@ public class IdentityLinkReSigner {
 				
 				SPSSFactory spssFac = SPSSFactory.getInstance();
 				
-				String keyGroupId = config.getIdentityLinkResigningKey();
 				if (MiscUtil.isEmpty(keyGroupId)) {
 					Logger.warn("No IdentityLink reSigning-Key definded");
 					throw new MOAIDException("config.19", new Object[]{});
@@ -166,9 +161,6 @@ public class IdentityLinkReSigner {
 			    	Logger.warn("Allgemeiner Fehler beim Aufruf von MOA-SS: Unbekannter ResponseType von MOA-SS");
 			    	throw new MOAIDException("builder.05", new Object[]{});
 			    }
-			    				
-			} else 
-				return idl;
 						
 		} catch (ConfigurationException e) {
 			Logger.warn("Configuration can not be loaded", e);