aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2020-08-28 07:34:55 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2020-08-28 07:34:55 +0200
commitc4633dffe99d4cc41e25fe165b6b8b5013ea34bd (patch)
tree8fe721b7b9590464fe14c6ad35a2b178efd666c3 /id/server/idserverlib/src/main/java
parentf27db66b14e417cbc4b8124842d5525bf3bb8884 (diff)
downloadmoa-id-spss-c4633dffe99d4cc41e25fe165b6b8b5013ea34bd.tar.gz
moa-id-spss-c4633dffe99d4cc41e25fe165b6b8b5013ea34bd.tar.bz2
moa-id-spss-c4633dffe99d4cc41e25fe165b6b8b5013ea34bd.zip
fix wrong SAML2 SubjectNameGeneration in case of mandate-attribute processing in proxy-mode
Diffstat (limited to 'id/server/idserverlib/src/main/java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java128
1 files changed, 79 insertions, 49 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java
index 3dfba9cca..6864d4ec3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java
@@ -1,6 +1,5 @@
package at.gv.egovernment.moa.id.auth.builder;
-import org.apache.commons.lang3.StringUtils;
import org.springframework.stereotype.Service;
import org.w3c.dom.Element;
@@ -18,9 +17,11 @@ import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception;
import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator;
import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException;
import at.gv.egovernment.moa.id.data.IMOAAuthData;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.MandateAttributesNotHandleAbleException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException;
import at.gv.egovernment.moa.id.util.MandateBuilder;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.sig.tsl.utils.MiscUtil;
import at.gv.egovernment.moa.util.Constants;
@Service("MOASAML2SubjectNameIDGenerator")
@@ -31,8 +32,8 @@ public class MOAIDSubjectNameIdGenerator implements ISubjectNameIdGenerator {
//build nameID and nameID Format from moasessio
if (authData instanceof IMOAAuthData &&
((IMOAAuthData)authData).isUseMandate()) {
- String bpktype = null;
- String bpk = null;
+ String identifier = null;
+ String identifierType = null;
Element mandate = ((IMOAAuthData)authData).getMandate();
if(mandate != null) {
@@ -56,59 +57,88 @@ public class MOAIDSubjectNameIdGenerator implements ISubjectNameIdGenerator {
Logger.error("Failed to generate IdentificationType");
throw new NoMandateDataAvailableException();
}
-
- bpktype = id.getType();
- bpk = id.getValue().getValue();
-
+
+ identifier = id.getValue().getValue();
+ identifierType = id.getType();
+
} else {
Logger.debug("Read mandator bPK|baseID from PVP attributes ... ");
- bpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME, String.class);
- bpktype = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME, String.class);
-
- if (StringUtils.isEmpty(bpk)) {
- //no sourcePin is included --> search for bPK
- bpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_BPK_NAME, String.class);
-
- try {
- if (bpk.contains(":"))
- bpk = bpk.split(":")[1];
-
- } catch (Exception e) {
- Logger.warn("Can not split bPK from mandator attribute!", e);
-
- }
-
- //set bPK-Type from configuration, because it MUST be equal to service-provider type
- bpktype = spConfig.getAreaSpecificTargetIdentifier();
-
- } else {
- //sourcePin is include --> check sourcePinType
- if (StringUtils.isEmpty(bpktype))
- bpktype = Constants.URN_PREFIX_BASEID;
-
- }
- }
-
- if (StringUtils.isEmpty(bpk) || StringUtils.isEmpty(bpktype)) {
- throw new NoMandateDataAvailableException();
+ String natSourcePin = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME, String.class);
+ String natSourcePinType = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME, String.class);
+ String natBpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_BPK_NAME, String.class);
- }
-
- if (bpktype.equals(Constants.URN_PREFIX_BASEID)) {
- try {
- return new BPKBuilder().generateAreaSpecificPersonIdentifier(bpk, spConfig.getAreaSpecificTargetIdentifier());
+ String jurSourcePin = authData.getGenericData(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME, String.class);
+ String jurSourcePinType = authData.getGenericData(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, String.class);
+
+ if ( (MiscUtil.isNotEmpty(jurSourcePin) || MiscUtil.isNotEmpty(jurSourcePinType))
+ && (MiscUtil.isNotEmpty(natSourcePin) || MiscUtil.isNotEmpty(natBpk))) {
+ Logger.warn("Found mandate attributes for legal- AND natural-person. "
+ + "Both not allowed during on authentication. Process stops now!");
+ throw new MandateAttributesNotHandleAbleException();
+
+ }
+
+ if (MiscUtil.isNotEmpty(jurSourcePin) && MiscUtil.isNotEmpty(jurSourcePinType)) {
+ Logger.debug("Find jur. person sourcepin. Build SubjectNameId from this ... ");
+ return Pair.newInstance(jurSourcePin, jurSourcePinType);
+
+
+ } else if (MiscUtil.isNotEmpty(natSourcePin)) {
+ Logger.debug("Find nat. person sourcepin. Build SubjectNameId from this ... ");
+ identifier = natSourcePin;
+
+ if (MiscUtil.isNotEmpty(natSourcePinType)) {
+ identifierType = natSourcePinType;
+
+ } else {
+ identifierType = Constants.URN_PREFIX_BASEID;
+
+ }
+
+ } else if (MiscUtil.isNotEmpty(natBpk)) {
+ Logger.debug("Find nat. person bPK. Build SubjectNameId from this ... ");
+ try {
+ if (natBpk.contains(":")) {
+ natBpk = natBpk.split(":")[1];
+
+ }
+
+ } catch (Exception e) {
+ Logger.warn("Can not split bPK from mandator attribute!", e);
+ Logger.info("Use nat. person bPK as it is");
+
+ }
+
+ return Pair.newInstance(natBpk,
+ spConfig.getAreaSpecificTargetIdentifier());
+
+ } else {
+ throw new NoMandateDataAvailableException();
+
+ }
+ }
+
+ if (identifierType.equals(Constants.URN_PREFIX_BASEID)) {
+ try {
+ return BPKBuilder.generateAreaSpecificPersonIdentifier(
+ identifier, spConfig.getAreaSpecificTargetIdentifier());
- } catch (EAAFBuilderException e) {
- Logger.warn("Can NOT generate SubjectNameId." , e);
- throw new ResponderErrorException("pvp2.01", null);
+ } catch (EAAFBuilderException e) {
+ Logger.warn("Can NOT generate SubjectNameId." , e);
+ throw new ResponderErrorException("pvp2.01", null);
- }
+ }
- } else
- return Pair.newInstance(bpk, bpktype);
-
- } else
+ } else {
+ return Pair.newInstance(identifier, identifierType);
+
+ }
+
+ //no mandate available. Use bPK from authenticated entity
+ } else {
return Pair.newInstance(authData.getBPK(), authData.getBPKType());
+
+ }
}