diff options
author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2017-11-21 12:14:09 +0100 |
---|---|---|
committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2017-11-21 12:14:09 +0100 |
commit | b1940fc000b40808a7d173125d5552e9e0424024 (patch) | |
tree | ab96581fd3522525e8d30647de875d8f7834790b /id/server/idserverlib/src/main | |
parent | 27b687ed27fad429e6fbf1b3e69c579a8f2aae16 (diff) | |
parent | 1b5e11112af6bbe48bfb5c95c8b75ae90f3edb22 (diff) | |
download | moa-id-spss-b1940fc000b40808a7d173125d5552e9e0424024.tar.gz moa-id-spss-b1940fc000b40808a7d173125d5552e9e0424024.tar.bz2 moa-id-spss-b1940fc000b40808a7d173125d5552e9e0424024.zip |
Merge branch 'eIDAS_node_implementation' of https://gitlab.iaik.tugraz.at/egiz/moa-idspss into eIDAS_node_implementation
Diffstat (limited to 'id/server/idserverlib/src/main')
40 files changed, 1239 insertions, 578 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java index 55b1a7c9a..72aef5fed 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java @@ -116,16 +116,18 @@ public class StatisticLogger implements IStatisticLogger{ //set actual date and time dblog.setTimestamp(new Date()); - - //set OA databaseID - //dblog.setOaID(dbOA.getHjid()); - + //log basic AuthInformation dblog.setOaurlprefix(getMessageWithMaxLength(dbOA.getPublicURLPrefix(), MAXOAIDENTIFIER_LENGTH)); dblog.setOafriendlyName(dbOA.getFriendlyName()); - boolean isbusinessservice = isBusinessService(dbOA); - dblog.setBusinessservice(isbusinessservice); + try { + dblog.setBusinessservice(dbOA.hasBaseIdTransferRestriction()); + + } catch (Exception e) { + Logger.warn("Can not extract some information for StatisticLogger.", e); + } + dblog.setOatarget(authData.getBPKType()); @@ -266,9 +268,14 @@ public class StatisticLogger implements IStatisticLogger{ if (dbOA != null) { dblog.setOaurlprefix(getMessageWithMaxLength(dbOA.getPublicURLPrefix(), MAXOAIDENTIFIER_LENGTH)); dblog.setOafriendlyName(dbOA.getFriendlyName()); - dblog.setOatarget(dbOA.getTarget()); - //dblog.setOaID(dbOA.getHjid()); - dblog.setBusinessservice(isBusinessService(dbOA)); + + try { + dblog.setOatarget(dbOA.getAreaSpecificTargetIdentifier()); + dblog.setBusinessservice(dbOA.hasBaseIdTransferRestriction()); + } catch (Exception e) { + Logger.warn("Can not extract some information for StatisticLogger.", e); + + } IAuthenticationSession moasession = null; if (MiscUtil.isNotEmpty(errorRequest.getInternalSSOSessionIdentifier())) { @@ -314,15 +321,7 @@ public class StatisticLogger implements IStatisticLogger{ } } - - private boolean isBusinessService(IOAAuthParameters dbOA) { - if (dbOA.getOaType().equals("businessService")) - return true; - else - return false; - } - private String getMessageWithMaxLength(String msg, int maxlength) { return getErrorMessageWithMaxLength(msg, maxlength); @@ -391,15 +390,15 @@ public class StatisticLogger implements IStatisticLogger{ if (bkuURL.equals(dbOA.getBKUURL(OAAuthParameter.LOCALBKU))) return IOAAuthParameters.LOCALBKU; - if (bkuURL.equals(dbOA.getBKUURL(OAAuthParameter.ONLINEBKU))) - return IOAAuthParameters.ONLINEBKU; + if (bkuURL.equals(dbOA.getBKUURL(OAAuthParameter.THIRDBKU))) + return IOAAuthParameters.THIRDBKU; } Logger.trace("Staticic Log search BKUType from DefaultBKUs"); try { - if (bkuURL.equals(authConfig.getDefaultBKUURL(IOAAuthParameters.ONLINEBKU))) - return IOAAuthParameters.ONLINEBKU; + if (bkuURL.equals(authConfig.getDefaultBKUURL(IOAAuthParameters.THIRDBKU))) + return IOAAuthParameters.THIRDBKU; if (bkuURL.equals(authConfig.getDefaultBKUURL(IOAAuthParameters.LOCALBKU))) return IOAAuthParameters.LOCALBKU; @@ -422,12 +421,7 @@ public class StatisticLogger implements IStatisticLogger{ Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.HANDYBKU); return IOAAuthParameters.HANDYBKU; } - - if (bkuURL.contains(GENERIC_ONLINE_BKU)) { - Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.ONLINEBKU); - return IOAAuthParameters.ONLINEBKU; - } - + Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.AUTHTYPE_OTHERS); return IOAAuthParameters.AUTHTYPE_OTHERS; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index cad3354f5..5a5d0bcf6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -267,9 +267,9 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { //#################################################### //set general authData info's authData.setIssuer(protocolRequest.getAuthURL()); - authData.setSsoSession(protocolRequest.needSingleSignOnFunctionality()); - authData.setIsBusinessService(oaParam.getBusinessService()); - + authData.setSsoSession(protocolRequest.needSingleSignOnFunctionality()); + authData.setBaseIDTransferRestrication(oaParam.hasBaseIdTransferRestriction()); + //#################################################### //parse user info's from identityLink @@ -816,21 +816,11 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { * @param oaParam Service-Provider configuration, never null * @param bPKType bPK-Type to check * @return true, if bPK-Type matchs to Service-Provider configuration, otherwise false + * @throws ConfigurationException */ - private boolean matchsReceivedbPKToOnlineApplication(IOAAuthParameters oaParam, String bPKType) { - String oaTarget = null; - if (oaParam.getBusinessService()) { - oaTarget = oaParam.getIdentityLinkDomainIdentifier(); - - } else { - oaTarget = Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget(); - - } - - if (oaTarget.equals(bPKType)) - return true; - else - return false; + private boolean matchsReceivedbPKToOnlineApplication(IOAAuthParameters oaParam, String bPKType) throws ConfigurationException { + return oaParam.getAreaSpecificTargetIdentifier().equals(bPKType); + } private void parseBasicUserInfosFromIDL(AuthenticationData authData, IIdentityLink identityLink, Collection<String> includedGenericSessionData) { @@ -918,9 +908,10 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { * * @return Pair<bPK, bPKType> which was received by PVP-Attribute and could be decrypted for this Service Provider, * or <code>null</code> if no attribute exists or can not decrypted + * @throws ConfigurationException */ private Pair<String, String> getEncryptedbPKFromPVPAttribute(IAuthenticationSession session, - AuthenticationData authData, IOAAuthParameters spConfig) { + AuthenticationData authData, IOAAuthParameters spConfig) throws ConfigurationException { //set List of encrypted bPKs to authData DAO String pvpEncbPKListAttr = session.getGenericDataFromSession(PVPConstants.ENC_BPK_LIST_NAME, String.class); if (MiscUtil.isNotEmpty(pvpEncbPKListAttr)) { @@ -935,35 +926,44 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { String second = fullEncbPK.substring(0, index); int secIndex = second.indexOf("+"); if (secIndex >= 0) { - if (spConfig.getTarget().equals(second.substring(secIndex+1))) { - Logger.debug("Found encrypted bPK for online-application " - + spConfig.getPublicURLPrefix() - + " Start decryption process ..."); - PrivateKey privKey = spConfig.getBPKDecBpkDecryptionKey(); - if (privKey != null) { - try { - String bPK = BPKBuilder.decryptBPK(encbPK, spConfig.getTarget(), privKey); - if (MiscUtil.isNotEmpty(bPK)) { - Logger.info("bPK decryption process finished successfully."); - return Pair.newInstance(bPK, Constants.URN_PREFIX_CDID + "+" + spConfig.getTarget()); - - } else { - Logger.error("bPK decryption FAILED."); - + String oaTargetId = spConfig.getAreaSpecificTargetIdentifier(); + if (oaTargetId.startsWith(MOAIDAuthConstants.PREFIX_CDID)) { + String publicServiceShortTarget = oaTargetId.substring(MOAIDAuthConstants.PREFIX_CDID.length()); + if (publicServiceShortTarget.equals(second.substring(secIndex+1))) { + Logger.debug("Found encrypted bPK for online-application " + + spConfig.getPublicURLPrefix() + + " Start decryption process ..."); + PrivateKey privKey = spConfig.getBPKDecBpkDecryptionKey(); + if (privKey != null) { + try { + String bPK = BPKBuilder.decryptBPK(encbPK, publicServiceShortTarget, privKey); + if (MiscUtil.isNotEmpty(bPK)) { + Logger.info("bPK decryption process finished successfully."); + return Pair.newInstance(bPK, oaTargetId); + + } else { + Logger.error("bPK decryption FAILED."); + + } + } catch (BuildException e) { + Logger.error("bPK decryption FAILED.", e); + } - } catch (BuildException e) { - Logger.error("bPK decryption FAILED.", e); - } + } else { + Logger.info("bPK decryption FAILED, because no valid decryption key is found."); + + } } else { - Logger.info("bPK decryption FAILED, because no valid decryption key is found."); + Logger.info("Found encrypted bPK but " + + "encrypted bPK target does not match to online-application target"); - } + } } else { - Logger.info("Found encrypted bPK but " + - "encrypted bPK target does not match to online-application target"); + Logger.info("Encrypted bPKs are only allowed for public services with prefix: " + MOAIDAuthConstants.PREFIX_CDID + + " BUT oaTarget is " + oaTargetId); } } @@ -1066,7 +1066,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } private IIdentityLink buildOAspecificIdentityLink(IOAAuthParameters oaParam, IIdentityLink idl, String bPK, String bPKType) throws MOAIDException { - if (oaParam.getBusinessService()) { + if (oaParam.hasBaseIdTransferRestriction()) { Element idlassertion = idl.getSamlAssertion(); //set bpk/wpbk; Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); @@ -1097,69 +1097,45 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } - private Pair<String, String> buildOAspecificbPK(IRequest pendingReq, IOAAuthParameters oaParam, AuthenticationData authData) throws BuildException { + private Pair<String, String> buildOAspecificbPK(IRequest pendingReq, IOAAuthParameters oaParam, AuthenticationData authData) throws BuildException, ConfigurationException { - String bPK; - String bPKType; - String baseID = authData.getIdentificationValue(); - String baseIDType = authData.getIdentificationType(); - - if (Constants.URN_PREFIX_BASEID.equals(baseIDType)) { - //Calculate eIDAS identifier - if (oaParam.getBusinessService() && - oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_EIDAS)) { - String[] splittedTarget = oaParam.getIdentityLinkDomainIdentifier().split("\\+"); - String cititzenCountryCode = splittedTarget[1]; - String eIDASOutboundCountry = splittedTarget[2]; - - if (cititzenCountryCode.equalsIgnoreCase(eIDASOutboundCountry)) { - Logger.warn("Suspect configuration FOUND!!! CitizenCountry equals DestinationCountry"); - - } - - Pair<String, String> eIDASID = new BPKBuilder().buildeIDASIdentifer(baseIDType, baseID, - cititzenCountryCode, eIDASOutboundCountry); - Logger.debug("Authenticate user with bPK:" + eIDASID.getFirst() + " Type:" + eIDASID.getSecond()); - return eIDASID; - - } else if (oaParam.getBusinessService()) { - //is Austrian private-service application - String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier(); - bPK = new BPKBuilder().buildbPKorwbPK(baseID, registerAndOrdNr); - bPKType = registerAndOrdNr; - - } else { - // only compute bPK if online application is a public service and we have the Stammzahl - String target = null; - Class<?> saml1RequstTemplate = null; - try { - saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl"); - if (saml1RequstTemplate != null && - saml1RequstTemplate.isInstance(pendingReq)) { - target = (String) pendingReq.getClass().getMethod("getTarget").invoke(pendingReq); + String baseIDType = authData.getIdentificationType(); + Pair<String, String> sectorSpecId = null; + + if (Constants.URN_PREFIX_BASEID.equals(baseIDType)) { + //SAML1 legacy target parameter work-around + String oaTargetId = null; + Class<?> saml1RequstTemplate = null; + try { + saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl"); + if (saml1RequstTemplate != null && + saml1RequstTemplate.isInstance(pendingReq)) { + oaTargetId = (String) pendingReq.getClass().getMethod("getTarget").invoke(pendingReq); - } + } - } catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException | java.lang.SecurityException | InvocationTargetException | NoSuchMethodException ex) { } + } catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException | java.lang.SecurityException | InvocationTargetException | NoSuchMethodException ex) { } + + if (MiscUtil.isEmpty(oaTargetId)) { + oaTargetId = oaParam.getAreaSpecificTargetIdentifier(); + Logger.debug("Use OA target identifier '" + oaTargetId + "' from configuration"); - if (MiscUtil.isEmpty(target)) - target = oaParam.getTarget(); - - bPK = new BPKBuilder().buildBPK(baseID, target); - bPKType = Constants.URN_PREFIX_CDID + "+" + target; - - } - + } else + Logger.info("Use OA target identifier '" + oaTargetId + "' from SAML1 request for bPK calculation"); + + //calculate sector specific unique identifier + sectorSpecId = new BPKBuilder().generateAreaSpecificPersonIdentifier(baseID, oaTargetId); + + } else { - Logger.warn("!!!baseID-element does not include a baseID. This should not be happen any more!!!"); - bPK = baseID; - bPKType = baseIDType; - + Logger.fatal("!!!baseID-element does not include a baseID. This should not be happen any more!!!"); + sectorSpecId = Pair.newInstance(baseID, baseIDType); + } - Logger.trace("Authenticate user with bPK:" + bPK + " Type:" + bPKType); - return Pair.newInstance(bPK, bPKType); + Logger.trace("Authenticate user with bPK:" + sectorSpecId.getFirst() + " Type:" + sectorSpecId.getSecond()); + return sectorSpecId; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java index 32ac8ad68..a7f6e873f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java @@ -60,6 +60,7 @@ import javax.crypto.IllegalBlockSizeException; import javax.crypto.NoSuchPaddingException; import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; @@ -76,77 +77,192 @@ import at.gv.egovernment.moa.util.MiscUtil; */ public class BPKBuilder { - /** - * Builds the bPK from the given parameters. - * - * @param identificationValue Base64 encoded "Stammzahl" - * @param target "Bereich lt. Verordnung des BKA" - * @return bPK in a BASE64 encoding - * @throws BuildException if an error occurs on building the bPK - */ - public String buildBPK(String identificationValue, String target) - throws BuildException { - - if ((identificationValue == null || - identificationValue.length() == 0 || - target == null || - target.length() == 0)) { - throw new BuildException("builder.00", - new Object[]{"BPK", "Unvollständige Parameterangaben: identificationValue=" + - identificationValue + ",target=" + target}); - } - String basisbegriff; - if (target.startsWith(Constants.URN_PREFIX_CDID + "+")) - basisbegriff = identificationValue + "+" + target; - else - basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_CDID + "+" + target; + /** + * Calculates an area specific unique person-identifier from a baseID + * + * @param baseID baseId from user but never null + * @param targetIdentifier target identifier for area specific identifier calculation but never null + * @return Pair<unique person identifier for this target, targetArea> but never null + * @throws BuildException if some input data are not valid + */ + public Pair<String, String> generateAreaSpecificPersonIdentifier(String baseID, String targetIdentifier) throws BuildException{ + return generateAreaSpecificPersonIdentifier(baseID, Constants.URN_PREFIX_BASEID, targetIdentifier); + + } + + /** + * Calculates an area specific unique person-identifier from an unique identifier with a specific type + * + * @param baseID baseId from user but never null + * @param baseIdType Type of the baseID but never null + * @param targetIdentifier target identifier for area specific identifier calculation but never null + * @return Pair<unique person identifier for this target, targetArea> but never null + * @throws BuildException if some input data are not valid + */ + public Pair<String, String> generateAreaSpecificPersonIdentifier(String baseID, String baseIdType, String targetIdentifier) throws BuildException{ + if (MiscUtil.isEmpty(baseID)) + throw new BuildException("builder.00", new Object[]{"baseID is empty or null"}); - return calculatebPKwbPK(basisbegriff); - } + if (MiscUtil.isEmpty(baseIdType)) + throw new BuildException("builder.00", new Object[]{"the type of baseID is empty or null"}); + + if (MiscUtil.isEmpty(targetIdentifier)) + throw new BuildException("builder.00", new Object[]{"OA specific target identifier is empty or null"}); + if (baseIdType.equals(Constants.URN_PREFIX_BASEID)) { + Logger.trace("Find baseID. Starting unique identifier caluclation for this target"); + + if (targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_CDID) || + targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_WPBK) || + targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_STORK)) { + Logger.trace("Calculate bPK, wbPK, or STORK identifier for target: " + targetIdentifier); + return Pair.newInstance(calculatebPKwbPK(baseID + "+" + targetIdentifier), targetIdentifier); + + } else if (targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_EIDAS)) { + Logger.trace("Calculate eIDAS identifier for target: " + targetIdentifier); + String[] splittedTarget = targetIdentifier.split("\\+"); + String cititzenCountryCode = splittedTarget[1]; + String eIDASOutboundCountry = splittedTarget[2]; + + if (cititzenCountryCode.equalsIgnoreCase(eIDASOutboundCountry)) { + Logger.warn("Suspect configuration FOUND!!! CitizenCountry equals DestinationCountry"); + + } + return buildeIDASIdentifer(baseID, baseIdType, cititzenCountryCode, eIDASOutboundCountry); + + + } else + throw new BuildException("builder.00", + new Object[]{"Target identifier: " + targetIdentifier + " is NOT allowed or unknown"}); + + } else { + Logger.trace("BaseID is not of type " + Constants.URN_PREFIX_BASEID + ". Check type against requested target ..."); + if (baseIdType.equals(targetIdentifier)) { + Logger.debug("Unique identifier is already area specific. Is nothing todo"); + return Pair.newInstance(baseID, targetIdentifier); + + } else { + Logger.warn("Get unique identifier for target: " + baseIdType + " but target: " + targetIdentifier + " is required!"); + throw new BuildException("builder.00", + new Object[]{"Get unique identifier for target: " + baseIdType + " but target: " + targetIdentifier + " is required"}); + + } + } + } + + /** - * Builds the wbPK from the given parameters. + * Builds the storkeid from the given parameters. * - * @param identificationValue Base64 encoded "Stammzahl" - * @param registerAndOrdNr type of register + "+" + number in register. - * @return wbPK in a BASE64 encoding + * @param baseID baseID of the citizen + * @param baseIDType Type of the baseID + * @param sourceCountry CountryCode of that country, which build the eIDAs ID + * @param destinationCountry CountryCode of that country, which receives the eIDAs ID + * + * @return Pair<eIDAs, bPKType> in a BASE64 encoding * @throws BuildException if an error occurs on building the wbPK */ - public String buildWBPK(String identificationValue, String registerAndOrdNr) - throws BuildException { + private Pair<String, String> buildeIDASIdentifer(String baseID, String baseIDType, String sourceCountry, String destinationCountry) + throws BuildException { + String bPK = null; + String bPKType = null; + + // check if we have been called by public sector application + if (baseIDType.startsWith(Constants.URN_PREFIX_BASEID)) { + bPKType = Constants.URN_PREFIX_EIDAS + "+" + sourceCountry + "+" + destinationCountry; + Logger.debug("Building eIDAS identification from: [identValue]+" + bPKType); + bPK = calculatebPKwbPK(baseID + "+" + bPKType); + + } else { // if not, sector identification value is already calculated by BKU + Logger.debug("eIDAS eIdentifier already provided by BKU"); + bPK = baseID; + } - if ((identificationValue == null || - identificationValue.length() == 0 || - registerAndOrdNr == null || - registerAndOrdNr.length() == 0)) { + if ((MiscUtil.isEmpty(bPK) || + MiscUtil.isEmpty(sourceCountry) || + MiscUtil.isEmpty(destinationCountry))) { throw new BuildException("builder.00", - new Object[]{"wbPK", "Unvollständige Parameterangaben: identificationValue=" + - identificationValue + ",Register+Registernummer=" + registerAndOrdNr}); + new Object[]{"eIDAS-ID", "Unvollständige Parameterangaben: identificationValue=" + + bPK + ", Zielland=" + destinationCountry + ", Ursprungsland=" + sourceCountry}); } - - String basisbegriff; - if (registerAndOrdNr.startsWith(Constants.URN_PREFIX_WBPK + "+")) - basisbegriff = identificationValue + "+" + registerAndOrdNr; - else - basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr; - - return calculatebPKwbPK(basisbegriff); - } - - public String buildbPKorwbPK(String baseID, String bPKorwbPKTarget) throws BuildException { - if (MiscUtil.isEmpty(baseID) || - !(bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_CDID + "+") || - bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_WBPK + "+") || - bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_STORK + "+")) ) { - throw new BuildException("builder.00", - new Object[]{"bPK/wbPK", "bPK or wbPK target " + bPKorwbPKTarget - + " has an unkown prefix."}); - - } - - return calculatebPKwbPK(baseID + "+" + bPKorwbPKTarget); - + + Logger.debug("Building eIDAS identification from: " + sourceCountry+"/"+destinationCountry+"/" + "[identValue]"); + String eIdentifier = sourceCountry + "/" + destinationCountry + "/" + bPK; + + return Pair.newInstance(eIdentifier, bPKType); } + +// /** +// * Builds the bPK from the given parameters. +// * +// * @param identificationValue Base64 encoded "Stammzahl" +// * @param target "Bereich lt. Verordnung des BKA" +// * @return bPK in a BASE64 encoding +// * @throws BuildException if an error occurs on building the bPK +// */ +// private String buildBPK(String identificationValue, String target) +// throws BuildException { +// +// if ((identificationValue == null || +// identificationValue.length() == 0 || +// target == null || +// target.length() == 0)) { +// throw new BuildException("builder.00", +// new Object[]{"BPK", "Unvollständige Parameterangaben: identificationValue=" + +// identificationValue + ",target=" + target}); +// } +// String basisbegriff; +// if (target.startsWith(Constants.URN_PREFIX_CDID + "+")) +// basisbegriff = identificationValue + "+" + target; +// else +// basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_CDID + "+" + target; +// +// return calculatebPKwbPK(basisbegriff); +// } +// +// /** +// * Builds the wbPK from the given parameters. +// * +// * @param identificationValue Base64 encoded "Stammzahl" +// * @param registerAndOrdNr type of register + "+" + number in register. +// * @return wbPK in a BASE64 encoding +// * @throws BuildException if an error occurs on building the wbPK +// */ +// private String buildWBPK(String identificationValue, String registerAndOrdNr) +// throws BuildException { +// +// if ((identificationValue == null || +// identificationValue.length() == 0 || +// registerAndOrdNr == null || +// registerAndOrdNr.length() == 0)) { +// throw new BuildException("builder.00", +// new Object[]{"wbPK", "Unvollständige Parameterangaben: identificationValue=" + +// identificationValue + ",Register+Registernummer=" + registerAndOrdNr}); +// } +// +// String basisbegriff; +// if (registerAndOrdNr.startsWith(Constants.URN_PREFIX_WBPK + "+")) +// basisbegriff = identificationValue + "+" + registerAndOrdNr; +// else +// basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr; +// +// return calculatebPKwbPK(basisbegriff); +// } +// +// private String buildbPKorwbPK(String baseID, String bPKorwbPKTarget) throws BuildException { +// if (MiscUtil.isEmpty(baseID) || +// !(bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_CDID + "+") || +// bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_WBPK + "+") || +// bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_STORK + "+")) ) { +// throw new BuildException("builder.00", +// new Object[]{"bPK/wbPK", "bPK or wbPK target " + bPKorwbPKTarget +// + " has an unkown prefix."}); +// +// } +// +// return calculatebPKwbPK(baseID + "+" + bPKorwbPKTarget); +// +// } public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws BuildException { MiscUtil.assertNotNull(bpk, "BPK"); @@ -199,48 +315,7 @@ public class BPKBuilder { return null; } } - - /** - * Builds the storkeid from the given parameters. - * - * @param baseID baseID of the citizen - * @param baseIDType Type of the baseID - * @param sourceCountry CountryCode of that country, which build the eIDAs ID - * @param destinationCountry CountryCode of that country, which receives the eIDAs ID - * - * @return Pair<eIDAs, bPKType> in a BASE64 encoding - * @throws BuildException if an error occurs on building the wbPK - */ - public Pair<String, String> buildeIDASIdentifer(String baseID, String baseIDType, String sourceCountry, String destinationCountry) - throws BuildException { - String bPK = null; - String bPKType = null; - - // check if we have been called by public sector application - if (baseIDType.startsWith(Constants.URN_PREFIX_BASEID)) { - bPKType = Constants.URN_PREFIX_EIDAS + "+" + sourceCountry + "+" + destinationCountry; - Logger.debug("Building eIDAS identification from: [identValue]+" + bPKType); - bPK = calculatebPKwbPK(baseID + "+" + bPKType); - - } else { // if not, sector identification value is already calculated by BKU - Logger.debug("eIDAS eIdentifier already provided by BKU"); - bPK = baseID; - } - - if ((MiscUtil.isEmpty(bPK) || - MiscUtil.isEmpty(sourceCountry) || - MiscUtil.isEmpty(destinationCountry))) { - throw new BuildException("builder.00", - new Object[]{"eIDAS-ID", "Unvollständige Parameterangaben: identificationValue=" + - bPK + ", Zielland=" + destinationCountry + ", Ursprungsland=" + sourceCountry}); - } - - Logger.debug("Building eIDAS identification from: " + sourceCountry+"/"+destinationCountry+"/" + "[identValue]"); - String eIdentifier = sourceCountry + "/" + destinationCountry + "/" + bPK; - return Pair.newInstance(eIdentifier, bPKType); - } - private String calculatebPKwbPK(String basisbegriff) throws BuildException { try { MessageDigest md = MessageDigest.getInstance("SHA-1"); @@ -281,6 +356,4 @@ public class BPKBuilder { result = cipher.doFinal(encryptedBytes); return result; } - - } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java index 73fe961eb..4c4af4239 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java @@ -53,9 +53,11 @@ import java.util.List; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DateTimeUtils; +import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.StringUtils; /** @@ -156,8 +158,9 @@ public class CreateXMLSignatureRequestBuilder implements Constants { * @param oaParam parameter for the OA * @param session current session * @return String representation of <code><CreateXMLSignatureRequest></code> + * @throws ConfigurationException */ - public String buildForeignID(String subject, IRequest pendingReq) { + public String buildForeignID(String subject, IRequest pendingReq) throws ConfigurationException { String request = ""; request += "<sl:CreateXMLSignatureRequest xmlns:sl=\"http://www.buergerkarte.at/namespaces/securitylayer/1.2#\">"; @@ -181,11 +184,22 @@ public class CreateXMLSignatureRequestBuilder implements Constants { return request; } - public static String buildForeignIDTextToBeSigned(String subject, IRequest pendingReq) { + public static String buildForeignIDTextToBeSigned(String subject, IRequest pendingReq) throws ConfigurationException { IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); - String target = pendingReq.getGenericData( - MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); - String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target); + String target = null; + String sectorName = null; + + + String saml1Target = pendingReq.getGenericData( + MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); + if (MiscUtil.isNotEmpty(saml1Target)) { + target = saml1Target; + sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(saml1Target); + + } else { + target = oaParam.getAreaSpecificTargetIdentifier(); + sectorName = oaParam.getAreaSpecificTargetIdentifierFriendlyName(); + } Calendar cal = Calendar.getInstance(); String date = DateTimeUtils.buildDate(cal); @@ -243,11 +257,11 @@ public class CreateXMLSignatureRequestBuilder implements Constants { request += oaParam.getPublicURLPrefix(); request += "</td>"; request += "</tr>"; - boolean business = oaParam.getBusinessService(); - if (business) { + + if (!target.startsWith(MOAIDAuthConstants.PREFIX_CDID)) { // OA is businessservice - String identifierType = oaParam.getIdentityLinkDomainIdentifierType(); - String identifier = oaParam.getIdentityLinkDomainIdentifier(); + String identifierType = oaParam.getAreaSpecificTargetIdentifierFriendlyName(); + String identifier = oaParam.getAreaSpecificTargetIdentifier(); request += "<tr>"; request += "<td class=\"italicstyle\">"; request += identifierType + ":"; @@ -263,7 +277,7 @@ public class CreateXMLSignatureRequestBuilder implements Constants { request += "<td class=\"italicstyle\">"; request += "Sektor (Sector):</td>"; request += "<td class=\"normalstyle\">"; - request += target + " (" + sectorName + ")"; + request += target.substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")"; request += "</td>"; request += "</tr>"; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java index f4f6e82ba..fc5489673 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java @@ -31,14 +31,10 @@ import at.gv.egovernment.moa.id.auth.exception.DynamicOABuildException; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; -import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.config.auth.data.DynamicOAAuthParameters; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; -import at.gv.egovernment.moa.util.MiscUtil; /** * @author tlenz @@ -57,13 +53,14 @@ public class DynamicOAAuthParameterBuilder { if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) { String attrValue = attr.getAttributeValues().get(0).getDOM().getTextContent(); if (attrValue.startsWith(Constants.URN_PREFIX_CDID)) { - dynamicOA.setBusinessService(false); - dynamicOA.setTarget(attrValue.substring((Constants.URN_PREFIX_CDID + "+").length())); + //dynamicOA.setBusinessService(false); + dynamicOA.setAreaSpecificTargetIdentifier(attrValue); } else if( attrValue.startsWith(Constants.URN_PREFIX_WBPK) || - attrValue.startsWith(Constants.URN_PREFIX_STORK) ) { - dynamicOA.setBusinessService(true); - dynamicOA.setTarget(attrValue); + attrValue.startsWith(Constants.URN_PREFIX_STORK) || + attrValue.startsWith(Constants.URN_PREFIX_EIDAS)) { + //dynamicOA.setBusinessService(true); + dynamicOA.setAreaSpecificTargetIdentifier(attrValue); } else { Logger.error("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea"); @@ -84,13 +81,16 @@ public class DynamicOAAuthParameterBuilder { * @param oaParam * @param protocolRequest * @return + * @throws ConfigurationException */ public static IOAAuthParameters buildFromAuthnRequest( - IOAAuthParameters oaParam, IRequest protocolRequest) { + IOAAuthParameters oaParam, IRequest protocolRequest) throws ConfigurationException { DynamicOAAuthParameters dynOAParams = new DynamicOAAuthParameters(); dynOAParams.setApplicationID(oaParam.getPublicURLPrefix()); - dynOAParams.setBusinessService(oaParam.getBusinessService()); + + dynOAParams.setHasBaseIdProcessingRestriction(oaParam.hasBaseIdInternalProcessingRestriction()); + dynOAParams.setHasBaseIdTransfergRestriction(oaParam.hasBaseIdTransferRestriction()); Object storkRequst = null; try { @@ -98,9 +98,9 @@ public class DynamicOAAuthParameterBuilder { if (storkRequst != null && protocolRequest.getClass().isInstance(storkRequst)) { - dynOAParams.setBusinessTarget(Constants.URN_PREFIX_STORK + "+" + "AT" + "+" + dynOAParams.setAreaSpecificTargetIdentifier(Constants.URN_PREFIX_STORK + "+" + "AT" + "+" + protocolRequest.getClass().getMethod("getSpCountry", null).invoke(protocolRequest, null)); - dynOAParams.setBusinessService(true); + //dynOAParams.setBusinessService(true); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java index a82ba501c..d5ca89656 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java @@ -56,12 +56,16 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.ConnectionParameterInterface; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.spss.MOAException; import at.gv.egovernment.moa.spss.api.SignatureVerificationService; +import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest; +import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponse; import at.gv.egovernment.moa.spss.api.xmlbind.VerifyXMLSignatureRequestParser; import at.gv.egovernment.moa.spss.api.xmlbind.VerifyXMLSignatureResponseBuilder; import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureRequest; import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureResponse; import at.gv.egovernment.moa.util.MiscUtil; +import at.gv.egovernment.moaspss.logging.Logger; /** * Invoker of the <code>SignatureVerification</code> web service of MOA-SPSS.<br> @@ -108,6 +112,18 @@ public class SignatureVerificationInvoker { } + public VerifyCMSSignatureResponse verifyCMSSignature(VerifyCMSSignatureRequest cmsSigVerifyReq) throws ServiceException { + try { + return svs.verifyCMSSignature(cmsSigVerifyReq); + + } catch (MOAException e) { + Logger.warn("CMS signature verification has an error.", e); + throw new ServiceException("service.03", new Object[] { e.toString()}, e); + + } + + } + /** * Method verifyXMLSignature. * @param request to be sent diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index 92d76751f..b2db8d5a2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -52,7 +52,7 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ @Autowired AuthConfiguration authConfig; public void parse(IAuthenticationSession moasession, - String target, + String reqTarget, String oaURL, String bkuURL, String templateURL, @@ -61,10 +61,11 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ HttpServletRequest req, IRequest protocolReq) throws WrongParametersException, MOAIDException { - String targetFriendlyName = null; - + String resultTargetFriendlyName = null; + String resultTarget = null; + // escape parameter strings - target = StringEscapeUtils.escapeHtml(target); + reqTarget = StringEscapeUtils.escapeHtml(reqTarget); bkuURL = StringEscapeUtils.escapeHtml(bkuURL); templateURL = StringEscapeUtils.escapeHtml(templateURL); useMandate = StringEscapeUtils.escapeHtml(useMandate); @@ -102,66 +103,70 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ // get target and target friendly name from config - String targetConfig = oaParam.getTarget(); - String targetFriendlyNameConfig = oaParam.getTargetFriendlyName(); + String targetConfig = oaParam.getAreaSpecificTargetIdentifier(); + String targetFriendlyNameConfig = oaParam.getAreaSpecificTargetIdentifierFriendlyName(); + + //SAML1 legacy work-around for public area targets in request + if (protocolReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol") && + !StringUtils.isEmpty(reqTarget)) { + //INFO: ONLY SAML1 legacy mode + // if SAML1 is used and target attribute is given in request + // use requested target + // check target parameter + if (!ParamValidatorUtils.isValidTarget(reqTarget)) { + Logger.error("Selected target is invalid. Used target: " + reqTarget); + throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12"); + } + resultTarget = MOAIDAuthConstants.PREFIX_CDID + reqTarget; - if (!oaParam.getBusinessService()) { - if (StringUtils.isEmpty(targetConfig) - || (protocolReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol") && - !StringUtils.isEmpty(target)) - ) { - //INFO: ONLY SAML1 legacy mode - // if SAML1 is used and target attribute is given in request - // use requested target - // check target parameter - if (!ParamValidatorUtils.isValidTarget(target)) { - Logger.error("Selected target is invalid. Using target: " + target); - throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12"); - } - if (MiscUtil.isNotEmpty(targetConfig)) - targetFriendlyName = targetFriendlyNameConfig; + String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(reqTarget); + if (MiscUtil.isNotEmpty(sectorName)) + resultTargetFriendlyName = sectorName; + + else { + //check target contains subSector + int delimiter = reqTarget.indexOf("-"); + if (delimiter > 0) { + resultTargetFriendlyName = + TargetToSectorNameMapper.getSectorNameViaTarget(reqTarget.substring(0, delimiter)); - else { - String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target); - if (MiscUtil.isNotEmpty(sectorName)) - targetFriendlyName = sectorName; - - else { - //check target contains subSector - int delimiter = target.indexOf("-"); - if (delimiter > 0) { - targetFriendlyName = - TargetToSectorNameMapper.getSectorNameViaTarget(target.substring(0, delimiter)); - - } - } - } - - } else { - // use target from config - target = targetConfig; - targetFriendlyName = targetFriendlyNameConfig; + } } - if (isEmpty(target)) - throw new WrongParametersException("StartAuthentication", - PARAM_TARGET, "auth.05"); - - protocolReq.setGenericDataToSession(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, target); + if (MiscUtil.isNotEmpty(targetConfig) && MiscUtil.isEmpty(resultTargetFriendlyName)) + resultTargetFriendlyName = targetFriendlyNameConfig; + + //set info's into request-context. (It's required to support SAML1 requested target parameters) + protocolReq.setGenericDataToSession(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, resultTarget); protocolReq.setGenericDataToSession( - MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, targetFriendlyName); - Logger.debug("Service-Provider is of type 'PublicService' with DomainIdentifier:" + target); - - } else { - Logger.debug("Service-Provider is of type 'PrivateService' with DomainIdentifier:" + oaParam.getIdentityLinkDomainIdentifier()); + MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, resultTargetFriendlyName); - if (useMandateBoolean) { - Logger.error("Online-Mandate Mode for business application not supported."); - throw new AuthenticationException("auth.17", null); - } + } else { + Logger.trace("Use oa sector-identifier from configuration"); + resultTarget = targetConfig; + resultTargetFriendlyName = targetFriendlyNameConfig; } - + + //check if target is found + if (MiscUtil.isEmpty(resultTarget)) + throw new WrongParametersException("StartAuthentication", + PARAM_TARGET, "auth.05"); + + //check if mandates are allowed + if (useMandateBoolean && oaParam.hasBaseIdInternalProcessingRestriction()) { + Logger.error("Online-Mandate Mode for business application not supported."); + throw new AuthenticationException("auth.17", null); + + } + + if (resultTarget.startsWith(MOAIDAuthConstants.PREFIX_CDID)) + Logger.debug("Service-Provider is of type 'PublicService' with DomainIdentifier:" + resultTarget); + else + Logger.debug("Service-Provider is of type 'PrivateService' with DomainIdentifier:" + resultTarget); + + + //Validate BKU URI List<String> allowedbkus = oaParam.getBKUURL(); allowedbkus.addAll(authConfig.getDefaultBKUURLs()); @@ -247,16 +252,4 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ parse(moasession, target, oaURL, bkuURL, templateURL, useMandate, ccc, req, pendingReq); } - - /** - * Checks a parameter. - * - * @param param - * parameter - * @return true if the parameter is null or empty - */ - private boolean isEmpty(String param) { - return param == null || param.length() == 0; - } - } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java index 353261085..5f74d8fdd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java @@ -29,6 +29,7 @@ import java.io.StringWriter; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang.StringEscapeUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.ExceptionHandler; @@ -48,7 +49,6 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; -import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider; import at.gv.egovernment.moa.id.data.ExceptionContainer; import at.gv.egovernment.moa.id.moduls.IRequestStorage; @@ -166,8 +166,9 @@ public abstract class AbstractController extends MOAIDAuthConstants { return; - } catch (MOADatabaseException e) { - Logger.warn("Exception can not be stored to Database.", e); + } catch (Exception e) { + Logger.warn("Default error-handling FAILED. Exception can not be stored to Database.", e); + Logger.info("Switch to generic generic backup error-handling ... "); handleErrorNoRedirect(loggedException, req, resp, true); } @@ -231,7 +232,7 @@ public abstract class AbstractController extends MOAIDAuthConstants { ErrorResponseUtils utils = ErrorResponseUtils.getInstance(); String code = utils.mapInternalErrorToExternalError( ((InvalidProtocolRequestException)e).getMessageId()); - String descr = e.getMessage(); + String descr = StringEscapeUtils.escapeHtml(e.getMessage()); resp.setContentType(MediaType.HTML_UTF_8.toString()); resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Protocol validation FAILED!" + "(Errorcode=" + code + @@ -248,7 +249,7 @@ public abstract class AbstractController extends MOAIDAuthConstants { null); //add errorcode and errormessage - config.putCustomParameter("errorMsg", msg); + config.putCustomParameter("errorMsg", StringEscapeUtils.escapeHtml(msg)); config.putCustomParameter("errorCode", errorCode); //add stacktrace if debug is enabled diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java index 416e787a7..49145a850 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java @@ -33,9 +33,11 @@ import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; +import at.gv.egovernment.moa.id.auth.frontend.builder.AbstractServiceProviderSpecificGUIFormBuilderConfiguration; import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder; import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithDBLoad; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.MOAIDConstants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.moduls.IRequestStorage; @@ -52,6 +54,7 @@ public class GUILayoutBuilderServlet extends AbstractController { public static final String ENDPOINT_CSS = "/css/buildCSS"; public static final String ENDPOINT_JS = "/js/buildJS"; + public static final String ENDPOINT_BKUDETECTION = "/feature/bkuDetection"; @Autowired AuthConfiguration authConfig; @Autowired IRequestStorage requestStoreage; @@ -65,6 +68,41 @@ public class GUILayoutBuilderServlet extends AbstractController { } + @RequestMapping(value = ENDPOINT_BKUDETECTION, method = {RequestMethod.GET}) + public void buildBkuDetectionFrame(HttpServletRequest req, HttpServletResponse resp) throws IOException { + try { + IRequest pendingReq = extractPendingRequest(req); + + //initialize GUI builder configuration + AbstractServiceProviderSpecificGUIFormBuilderConfiguration config = null; + if (pendingReq != null) + config = new SPSpecificGUIBuilderConfigurationWithDBLoad( + pendingReq, + SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_BKUDETECTION_SP_SPECIFIC, + null); + + else { + config = new SPSpecificGUIBuilderConfigurationWithDBLoad( + HTTPUtils.extractAuthURLFromRequest(req), + SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_BKUDETECTION_GENERIC, + null); + config.setTemplateClasspahtDir( + SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_MAINGUI_DIRECTORY); + + } + + //build GUI component + formBuilder.build(resp, config, MOAIDConstants.DEFAULT_CONTENT_TYPE_HTML_UTF8, "BKUDetection-Frame"); + + + } catch (Exception e) { + Logger.warn("GUI ressource:'BKUDetection' generation FAILED.", e); + resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Created resource failed"); + + } + + } + @RequestMapping(value = "/css/buildCSS", method = {RequestMethod.GET}) public void buildCSS(HttpServletRequest req, HttpServletResponse resp) throws IOException { try { @@ -88,7 +126,7 @@ public class GUILayoutBuilderServlet extends AbstractController { formBuilder.build(resp, config, "text/css; charset=UTF-8", "CSS-Form"); } catch (Exception e) { - Logger.warn("GUI ressource:'CSS' generation FAILED."); + Logger.warn("GUI ressource:'CSS' generation FAILED.", e); resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Created resource failed"); } @@ -117,7 +155,7 @@ public class GUILayoutBuilderServlet extends AbstractController { formBuilder.build(resp, config, "text/javascript; charset=UTF-8", "JavaScript"); } catch (Exception e) { - Logger.warn("GUI ressource:'JavaScript' generation FAILED."); + Logger.warn("GUI ressource:'JavaScript' generation FAILED.", e); resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Created resource failed"); } @@ -142,6 +180,7 @@ public class GUILayoutBuilderServlet extends AbstractController { } catch (Exception e) { Logger.warn("GUI-Layout builder-servlet has an error during request-preprocessing.", e); + } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java index 1848fa6f7..be511d888 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java @@ -49,6 +49,8 @@ import at.gv.egovernment.moa.util.URLEncoder; @Controller public class RedirectServlet { + public static final String SERVICE_ENDPOINT = "/RedirectServlet"; + public static final String REDIRCT_PARAM_URL = "redirecturl"; private static final String DEFAULT_REDIRECTTARGET = "_parent"; @@ -74,6 +76,8 @@ public class RedirectServlet { //validate URL new java.net.URL(url); + //url = URLDecoder.decode(url, "UTF-8"); + oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(url); String authURL = HTTPUtils.extractAuthURLFromRequest(req); @@ -128,12 +132,24 @@ public class RedirectServlet { resp.addHeader("Location", url); } else { - Logger.debug("Redirect to " + url); + Logger.debug("Redirect to " + url); + + try { + String test = oa.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETREDIRECTTARGET); + if (MiscUtil.isNotEmpty(test)) + redirectTarget = test; + + } catch (Exception e) { + Logger.debug("Use default redirectTarget."); + } + DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration( authURL, DefaultGUIFormBuilderConfiguration.VIEW_REDIRECT, null); config.putCustomParameter(URL, StringEscapeUtils.escapeHtml(url)); + config.putCustomParameter(TARGET, redirectTarget); + guiBuilder.build(resp, config, "RedirectForm.html"); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java index c31666bbb..fc5cc0495 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java @@ -52,6 +52,8 @@ package at.gv.egovernment.moa.id.config; import java.util.HashMap;
import java.util.Map;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+
/**
* @author bzwattendorfer
*
@@ -106,6 +108,8 @@ public class TargetToSectorNameMapper implements TargetsAndSectorNames { }
public static String getSectorNameViaTarget(String target) {
+ if (target.startsWith(MOAIDAuthConstants.PREFIX_CDID))
+ target = target.substring(MOAIDAuthConstants.PREFIX_CDID.length());
return targetMap.get(target) != null ? (String) targetMap.get(target) : "";
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index 6a6359058..99b4154e0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -60,7 +60,9 @@ import java.util.Set; import org.apache.commons.lang.SerializationUtils; import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.MOAIDConstants; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.IStorkConfig; import at.gv.egovernment.moa.id.commons.api.data.BPKDecryptionParameters; @@ -96,10 +98,31 @@ public class OAAuthParameter implements IOAAuthParameters, Serializable{ final public static String DEFAULT_KEYBOXIDENTIFIER = "SecureSignatureKeypair"; private Map<String, String> oaConfiguration; + private List<String> targetAreasWithNoInteralBaseIdRestriction = new ArrayList<String>(); + private List<String> targetAreasWithNoBaseIdTransmissionRestriction = new ArrayList<String>(); - - public OAAuthParameter(final Map<String, String> oa) { + public OAAuthParameter(final Map<String, String> oa, AuthConfiguration authConfig) { this.oaConfiguration = oa; + + //set oa specific restrictions + targetAreasWithNoInteralBaseIdRestriction = KeyValueUtils.getListOfCSVValues( + authConfig.getBasicMOAIDConfiguration( + CONFIG_KEY_RESTRICTIONS_BASEID_INTERNAL, + MOAIDAuthConstants.PREFIX_CDID)); + + targetAreasWithNoBaseIdTransmissionRestriction = KeyValueUtils.getListOfCSVValues( + authConfig.getBasicMOAIDConfiguration( + CONFIG_KEY_RESTRICTIONS_BASEID_TRANSMISSION, + MOAIDAuthConstants.PREFIX_CDID)); + + if (Logger.isTraceEnabled()) { + Logger.trace("Internal policy for OA: " + getPublicURLPrefix()); + for (String el : targetAreasWithNoInteralBaseIdRestriction) + Logger.trace(" Allow baseID processing for prefix " + el); + for (String el : targetAreasWithNoBaseIdTransmissionRestriction) + Logger.trace(" Allow baseID transfer for prefix " + el); + + } } @@ -111,12 +134,54 @@ public class OAAuthParameter implements IOAAuthParameters, Serializable{ return this.oaConfiguration.get(key); } + @Override + public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException { + String targetAreaIdentifier = getAreaSpecificTargetIdentifier(); + for (String el : targetAreasWithNoInteralBaseIdRestriction) { + if (targetAreaIdentifier.startsWith(el)) + return false; + + } + return true; + + } + + @Override + public boolean hasBaseIdTransferRestriction() throws ConfigurationException { + String targetAreaIdentifier = getAreaSpecificTargetIdentifier(); + for (String el : targetAreasWithNoBaseIdTransmissionRestriction) { + if (targetAreaIdentifier.startsWith(el)) + return false; + + } + return true; + + } + + @Override + public String getAreaSpecificTargetIdentifier() throws ConfigurationException { + if (getBusinessService()) + return getIdentityLinkDomainIdentifier(); + else + return MOAIDAuthConstants.PREFIX_CDID + getTarget(); + + } + + @Override + public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException{ + if (getBusinessService()) + return getIdentityLinkDomainIdentifierType(); + else + return getTargetFriendlyName(); + + } + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier() */ -@Override -public String getIdentityLinkDomainIdentifier() { +//@Override +private String getIdentityLinkDomainIdentifier() { String type = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE); String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_VALUE); if (MiscUtil.isNotEmpty(type) && MiscUtil.isNotEmpty(value)) { @@ -138,8 +203,8 @@ public String getIdentityLinkDomainIdentifier() { /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType() */ -@Override -public String getIdentityLinkDomainIdentifierType() { +//@Override +private String getIdentityLinkDomainIdentifierType() { String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE); if (MiscUtil.isNotEmpty(value)) return MOAIDConfigurationConstants.BUSINESSSERVICENAMES.get(value); @@ -151,8 +216,8 @@ public String getIdentityLinkDomainIdentifierType() { /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget() */ -@Override -public String getTarget() { +//@Override +private String getTarget() { if (Boolean.parseBoolean(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_USE_OWN))) return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_OWN_TARGET); @@ -171,8 +236,8 @@ public String getTarget() { /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTargetFriendlyName() */ -@Override -public String getTargetFriendlyName() { +//@Override +private String getTargetFriendlyName() { if (Boolean.parseBoolean(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_USE_OWN))) return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_OWN_NAME); @@ -265,8 +330,8 @@ public String getKeyBoxIdentifier() { */ @Override public String getBKUURL(String bkutype) { - if (bkutype.equals(ONLINEBKU)) { - return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE); + if (bkutype.equals(THIRDBKU)) { + return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD); } else if (bkutype.equals(HANDYBKU)) { return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY); @@ -274,10 +339,15 @@ public String getKeyBoxIdentifier() { } else if (bkutype.equals(LOCALBKU)) { return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_LOCAL); + } else if (bkutype.equals(ONLINEBKU)) { + return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD); + } + + Logger.warn("BKU Type does not match: " - + ONLINEBKU + " or " + HANDYBKU + " or " + LOCALBKU); + + THIRDBKU + " or " + HANDYBKU + " or " + LOCALBKU); return null; } @@ -288,8 +358,8 @@ public String getKeyBoxIdentifier() { public List<String> getBKUURL() { List<String> list = new ArrayList<String>(); - if (oaConfiguration.containsKey(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE)) - list.add(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE)); + if (oaConfiguration.containsKey(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD)) + list.add(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD)); if (oaConfiguration.containsKey(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY)) list.add(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY)); @@ -572,7 +642,7 @@ public Collection<CPEPS> getPepsList() { MOAIDConfigurationConstants.SERVICE_AUTH_STORK_COUNTRIES_LIST + "." + index + "." + MOAIDConfigurationConstants.SERVICE_AUTH_STORK_COUNTRIES_LIST_ENABLED))) { - CPEPS availableCPEPS = availableSTORKConfig.getCPEPS( + CPEPS availableCPEPS = availableSTORKConfig.getCPEPSWithFullName( oaConfiguration.get( MOAIDConfigurationConstants.SERVICE_AUTH_STORK_COUNTRIES_LIST + "." + index + "." @@ -648,8 +718,8 @@ public boolean isInterfederationSSOStorageAllowed() { return false; } -public boolean isIDPPublicService() { - return !getBusinessService(); +public boolean isIDPPublicService() throws ConfigurationException { + return !hasBaseIdTransferRestriction(); } @@ -735,11 +805,7 @@ public String getPublicURLPrefix() { } -/* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService() - */ -@Override -public boolean getBusinessService() { +private boolean getBusinessService() { String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_BUSINESSSERVICE); if (MiscUtil.isNotEmpty(value)) return Boolean.parseBoolean(value); @@ -780,16 +846,16 @@ public String getFriendlyName() { } -/* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType() - */ -@Override -public String getOaType() { - if (getBusinessService()) - return "businessService"; - else - return "publicService"; -} +///* (non-Javadoc) +// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType() +// */ +//@Override +//public String getOaType() { +// if (getBusinessService()) +// return "businessService"; +// else +// return "publicService"; +//} /** diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java index 35d052acd..332604257 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java @@ -412,7 +412,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide return null; } - return new OAAuthParameter(oa); + return new OAAuthParameter(oa, this); } /** @@ -676,7 +676,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide templatesList.add(configuration.getStringValue( MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL)); templatesList.add(configuration.getStringValue( - MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE)); + MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD)); templatesList.add(configuration.getStringValue( MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_HANDY)); @@ -701,9 +701,9 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide try { switch (type) { - case IOAAuthParameters.ONLINEBKU: + case IOAAuthParameters.THIRDBKU: slRequestTemplate = configuration.getStringValue( - MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE); + MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD); break; case IOAAuthParameters.LOCALBKU: slRequestTemplate = configuration.getStringValue( @@ -714,7 +714,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_HANDY); break; default: - Logger.warn("getSLRequestTemplates: BKU Type does not match: " + IOAAuthParameters.ONLINEBKU + " or " + IOAAuthParameters.HANDYBKU + " or " + Logger.warn("getSLRequestTemplates: BKU Type does not match: " + IOAAuthParameters.THIRDBKU + " or " + IOAAuthParameters.HANDYBKU + " or " + IOAAuthParameters.LOCALBKU); } @@ -736,7 +736,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide List<String> bkuurlsList = new ArrayList<String>(); try { bkuurlsList.add(configuration.getStringValue( - MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE)); + MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD)); bkuurlsList.add(configuration.getStringValue( MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL)); bkuurlsList.add(configuration.getStringValue( @@ -762,9 +762,9 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide String defaultBKUUrl = null; try { switch (type) { - case IOAAuthParameters.ONLINEBKU: + case IOAAuthParameters.THIRDBKU: defaultBKUUrl = configuration.getStringValue( - MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE); + MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD); break; case IOAAuthParameters.LOCALBKU: defaultBKUUrl = configuration.getStringValue( @@ -775,7 +775,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_HANDY); break; default: - Logger.warn("getDefaultBKUURL: BKU Type does not match: " + IOAAuthParameters.ONLINEBKU + " or " + IOAAuthParameters.HANDYBKU + " or " + Logger.warn("getDefaultBKUURL: BKU Type does not match: " + IOAAuthParameters.THIRDBKU + " or " + IOAAuthParameters.HANDYBKU + " or " + IOAAuthParameters.LOCALBKU); } @@ -817,7 +817,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide public String getSSOFriendlyName() { try { return configuration.getStringValue( - MOAIDConfigurationConstants.GENERAL_AUTH_SSO_TARGET, "Default MOA-ID friendly name for SSO"); + MOAIDConfigurationConstants.GENERAL_AUTH_SSO_SERVICENAME, "Default MOA-ID friendly name for SSO"); } catch (at.gv.egiz.components.configuration.api.ConfigurationException e) { Logger.warn("Single Sign-On FriendlyName can not be read from configuration.", e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java index 9fd58b5c7..f3db82315 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java @@ -32,6 +32,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters; import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute; import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; /** * @author tlenz @@ -45,33 +46,84 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{ private static final long serialVersionUID = 1648437815185614566L; private String publicURLPrefix; - - private String businessTarget; - - private boolean businessService; - + private boolean isInderfederationIDP; - private String IDPQueryURL; - private String target; - + private boolean hasBaseIdProcessingRestriction; + private boolean hasBaseIdTransfergRestriction; + private String oaTargetAreaIdentifier; + + /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget() + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdInternalProcessingRestriction() */ @Override - public String getTarget() { - return this.target; + public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException { + return this.hasBaseIdProcessingRestriction; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdTransferRestriction() + */ + @Override + public boolean hasBaseIdTransferRestriction() throws ConfigurationException { + return this.hasBaseIdTransfergRestriction; } /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier() + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifier() + */ + @Override + public String getAreaSpecificTargetIdentifier() throws ConfigurationException { + return this.oaTargetAreaIdentifier; + } + + /** + * @param hasBaseIdProcessingRestriction the hasBaseIdProcessingRestriction to set + */ + public void setHasBaseIdProcessingRestriction(boolean hasBaseIdProcessingRestriction) { + this.hasBaseIdProcessingRestriction = hasBaseIdProcessingRestriction; + } + + /** + * @param hasBaseIdTransfergRestriction the hasBaseIdTransfergRestriction to set + */ + public void setHasBaseIdTransfergRestriction(boolean hasBaseIdTransfergRestriction) { + this.hasBaseIdTransfergRestriction = hasBaseIdTransfergRestriction; + } + + /** + * @param oaTargetAreaIdentifier the oaTargetAreaIdentifier to set + */ + public void setAreaSpecificTargetIdentifier(String oaTargetAreaIdentifier) { + this.oaTargetAreaIdentifier = oaTargetAreaIdentifier; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifierFriendlyName() */ @Override - public String getIdentityLinkDomainIdentifier() { - return this.businessTarget; + public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException { + return null; } +// /* (non-Javadoc) +// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget() +// */ +// //@Override +// public String getTarget() { +// return this.target; +// } +// +// /* (non-Javadoc) +// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier() +// */ +// //@Override +// public String getIdentityLinkDomainIdentifier() { +// return this.businessTarget; +// } + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIDPAttributQueryServiceURL() */ @@ -164,7 +216,7 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{ /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType() */ - @Override + //@Override public String getIdentityLinkDomainIdentifierType() { // TODO Auto-generated method stub return null; @@ -251,26 +303,26 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{ return null; } - /** - * @param isBusinessService the isBusinessService to set - */ - public void setBusinessService(boolean isBusinessService) { - businessService = isBusinessService; - } - - /** - * @param target the target to set - */ - public void setTarget(String target) { - this.target = target; - } - - /** - * @param businessTarget the businessTarget to set - */ - public void setBusinessTarget(String businessTarget) { - this.businessTarget = businessTarget; - } +// /** +// * @param isBusinessService the isBusinessService to set +// */ +// public void setBusinessService(boolean isBusinessService) { +// businessService = isBusinessService; +// } + +// /** +// * @param target the target to set +// */ +// public void setTarget(String target) { +// this.target = target; +// } +// +// /** +// * @param businessTarget the businessTarget to set +// */ +// public void setBusinessTarget(String businessTarget) { +// this.businessTarget = businessTarget; +// } /** * @param inderfederatedIDP the inderfederatedIDP to set @@ -400,27 +452,18 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{ return this.publicURLPrefix; } - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType() - */ - @Override - public String getOaType() { - // TODO Auto-generated method stub - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService() - */ - @Override - public boolean getBusinessService() { - return this.businessService; - } +// /* (non-Javadoc) +// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService() +// */ +// //@Override +// public boolean getBusinessService() { +// return this.businessService; +// } /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTargetFriendlyName() */ - @Override + //@Override public String getTargetFriendlyName() { // TODO Auto-generated method stub return null; @@ -487,4 +530,6 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{ // TODO Auto-generated method stub return false; } + + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java index b85938bb7..a04236288 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java @@ -178,7 +178,7 @@ public class STORKConfig implements IStorkConfig { * @see at.gv.egovernment.moa.id.config.stork.IStorkConfig#getCPEPS(java.lang.String)
*/
@Override
- public CPEPS getCPEPS(String ccc) {
+ public CPEPS getCPEPSWithFullName(String ccc) {
if (isSTORKAuthentication(ccc))
return this.cpepsMap.get(ccc);
else
@@ -186,6 +186,23 @@ public class STORKConfig implements IStorkConfig { }
/* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.config.stork.IStorkConfig#getCPEPS(java.lang.String)
+ */
+ @Override
+ public CPEPS getCPEPSWithCC(String ccc) {
+ if (isSTORKAuthentication(ccc)) {
+ for (CPEPS el :this.cpepsMap.values()) {
+ if (el.getCountryCode().equals(ccc))
+ return el;
+
+ }
+ }
+
+ return null;
+ }
+
+
+ /* (non-Javadoc)
* @see at.gv.egovernment.moa.id.config.stork.IStorkConfig#getStorkAttributes()
*/
@Override
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java index f5f056ccc..7f56f519b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java @@ -120,7 +120,8 @@ public class AuthenticationData implements IAuthData, Serializable { * the corresponding <code>lt;saml:Assertion></code> */ - private boolean businessService; + private boolean isBaseIDTransferRestrication = true; + /** * STORK attributes from response @@ -742,13 +743,15 @@ public class AuthenticationData implements IAuthData, Serializable { * @see at.gv.egovernment.moa.id.data.IAuthData#isBusinessService() */ @Override - public boolean isBusinessService() { - return this.businessService; + public boolean isBaseIDTransferRestrication() { + return isBaseIDTransferRestrication; } - - public void setIsBusinessService(boolean flag) { - this.businessService = flag; - + + /** + * @param isBaseIDTransmittionAllowed the isBaseIDTransmittionAllowed to set + */ + public void setBaseIDTransferRestrication(boolean isBaseIDTransferRestrication) { + this.isBaseIDTransferRestrication = isBaseIDTransferRestrication; } /** diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java index 4c15cd3d1..e9fef4676 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java @@ -38,8 +38,8 @@ public interface IAuthData { Date getIssueInstant(); String getIssuer(); - - boolean isBusinessService(); + boolean isBaseIDTransferRestrication(); + boolean isSsoSession(); //boolean isInterfederatedSSOSession(); boolean isUseMandate(); @@ -90,5 +90,6 @@ public interface IAuthData { String getCcc(); public <T> T getGenericData(String key, final Class<T> clazz); + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 7c581d470..aff2c83ad 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -23,6 +23,7 @@ package at.gv.egovernment.moa.id.moduls; import java.io.IOException; +import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Collection; import java.util.Enumeration; @@ -90,6 +91,7 @@ import at.gv.egovernment.moa.util.MiscUtil; @Service("MOAID_AuthenticationManager") public class AuthenticationManager extends MOAIDAuthConstants { + private static List<String> reqParameterWhiteListeForModules = new ArrayList<String>(); public static final String MOA_SESSION = "MoaAuthenticationSession"; public static final String MOA_AUTHENTICATED = "MoaAuthenticated"; @@ -309,6 +311,18 @@ public class AuthenticationManager extends MOAIDAuthConstants { } /** + * Add a request parameter to whitelist. All parameters that are part of the white list are added into {@link ExecutionContext} + * + * @param httpReqParam http parameter name, but never null + */ + public void addParameterNameToWhiteList(String httpReqParam) { + if (MiscUtil.isNotEmpty(httpReqParam)) + reqParameterWhiteListeForModules.add(httpReqParam); + + } + + + /** * Checks if a authenticated MOASession already exists and if {protocolRequest} is authenticated * * @param protocolRequest Authentication request which is actually in process @@ -386,17 +400,25 @@ public class AuthenticationManager extends MOAIDAuthConstants { executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_ISLEGACYREQUEST, leagacyMode); executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, !leagacyMode && MiscUtil.isEmpty(pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class))); + + //add X509 SSL client certificate if exist + if (httpReq.getAttribute("javax.servlet.request.X509Certificate") != null) { + Logger.debug("Find SSL-client-certificate on request --> Add it to context"); + executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_SSL_CLIENT_CERTIFICATE, + ((X509Certificate[])httpReq.getAttribute("javax.servlet.request.X509Certificate"))); + + } - //add leagcy parameters to context - if (leagacyMode) { + //add additional http request parameter to context + if (!reqParameterWhiteListeForModules.isEmpty() || leagacyMode) { Enumeration<String> reqParamNames = httpReq.getParameterNames(); while(reqParamNames.hasMoreElements()) { String paramName = reqParamNames.nextElement(); if (MiscUtil.isNotEmpty(paramName) && - MOAIDAuthConstants.LEGACYPARAMETERWHITELIST.contains(paramName)) + ( MOAIDAuthConstants.LEGACYPARAMETERWHITELIST.contains(paramName) + || reqParameterWhiteListeForModules.contains(paramName) )) executionContext.put(paramName, - StringEscapeUtils.escapeHtml(httpReq.getParameter(paramName))); - + StringEscapeUtils.escapeHtml(httpReq.getParameter(paramName))); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java index eff839e4e..c13c5e288 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java @@ -23,7 +23,6 @@ package at.gv.egovernment.moa.id.protocols.builder.attributes; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; @@ -51,6 +50,9 @@ public class BPKAttributeBuilder implements IPVPAttributeBuilder { else if (type.startsWith(Constants.URN_PREFIX_CDID)) type = type.substring((Constants.URN_PREFIX_CDID + "+").length()); + else if (type.startsWith(Constants.URN_PREFIX_EIDAS)) + type = type.substring((Constants.URN_PREFIX_EIDAS + "+").length()); + if (bpk.length() > BPK_MAX_LENGTH) { bpk = bpk.substring(0, BPK_MAX_LENGTH); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java index a6a5f1dd4..b4846db12 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java @@ -38,7 +38,7 @@ public class EIDSourcePIN implements IPVPAttributeBuilder { public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if (authData.isBusinessService()) + if (authData.isBaseIDTransferRestrication()) throw new AttributePolicyException(EID_SOURCE_PIN_NAME); else { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java index 1d836802a..ccaecb3b6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java @@ -23,7 +23,6 @@ package at.gv.egovernment.moa.id.protocols.builder.attributes; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; @@ -37,7 +36,7 @@ public class EIDSourcePINType implements IPVPAttributeBuilder { public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if (authData.isBusinessService()) + if (authData.isBaseIDTransferRestrication()) throw new UnavailableAttributeException(EID_SOURCE_PIN_TYPE_NAME); else { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java index 97043a3a0..f85fd7cae 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java @@ -60,7 +60,7 @@ public class MandateLegalPersonFullNameAttributeBuilder implements IPVPAttribute } CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); if (corporation == null) { - Logger.error("No corporation mandate"); + Logger.info("No corporation mandate"); throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java index 46472c983..7e0815ab2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java @@ -42,41 +42,12 @@ public class MandateLegalPersonSourcePinAttributeBuilder implements IPVPAttribu public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if(authData.isUseMandate()) { - - //get PVP attribute directly, if exists - String sourcePin = authData.getGenericData(MANDATE_LEG_PER_SOURCE_PIN_NAME, String.class); - - if (MiscUtil.isEmpty(sourcePin)) { - Element mandate = authData.getMandate(); - if(mandate == null) { - throw new NoMandateDataAttributeException(); - - } - Mandate mandateObject = MandateBuilder.buildMandate(mandate); - if(mandateObject == null) { - throw new NoMandateDataAttributeException(); - - } - CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); - if(corporation == null) { - Logger.error("No corporation mandate"); - throw new NoMandateDataAttributeException(); - - } - if(corporation.getIdentification().size() == 0) { - Logger.error("Failed to generate IdentificationType"); - throw new NoMandateDataAttributeException(); - - } - - sourcePin = corporation.getIdentification().get(0).getValue().getValue(); - - } - + if(authData.isUseMandate()) { return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, - MANDATE_LEG_PER_SOURCE_PIN_NAME, sourcePin); + MANDATE_LEG_PER_SOURCE_PIN_NAME, getLegalPersonIdentifierFromMandate(authData)); + } + return null; } @@ -84,4 +55,39 @@ public class MandateLegalPersonSourcePinAttributeBuilder implements IPVPAttribu public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) { return g.buildEmptyAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, MANDATE_LEG_PER_SOURCE_PIN_NAME); } + + + protected String getLegalPersonIdentifierFromMandate(IAuthData authData) throws NoMandateDataAttributeException { + //get PVP attribute directly, if exists + String sourcePin = authData.getGenericData(MANDATE_LEG_PER_SOURCE_PIN_NAME, String.class); + + if (MiscUtil.isEmpty(sourcePin)) { + Element mandate = authData.getMandate(); + if(mandate == null) { + throw new NoMandateDataAttributeException(); + + } + Mandate mandateObject = MandateBuilder.buildMandate(mandate); + if(mandateObject == null) { + throw new NoMandateDataAttributeException(); + + } + CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); + if(corporation == null) { + Logger.info("No corporation mandate"); + throw new NoMandateDataAttributeException(); + + } + if(corporation.getIdentification().size() == 0) { + Logger.info("Failed to generate IdentificationType"); + throw new NoMandateDataAttributeException(); + + } + + sourcePin = corporation.getIdentification().get(0).getValue().getValue(); + + } + + return sourcePin; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java index 41c35dad3..8b22acc01 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java @@ -59,12 +59,12 @@ public class MandateLegalPersonSourcePinTypeAttributeBuilder implements IPVPAttr } CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); if (corporation == null) { - Logger.error("No corporate mandate"); + Logger.info("No corporate mandate"); throw new NoMandateDataAttributeException(); } if (corporation.getIdentification().size() == 0) { - Logger.error("Failed to generate IdentificationType"); + Logger.info("Failed to generate IdentificationType"); throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java index df8f86f7e..6ac517e19 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java @@ -30,9 +30,12 @@ import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPers import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; @@ -45,12 +48,60 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui } public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData, - IAttributeGenerator<ATT> g) throws AttributeException { - if (authData.isUseMandate()) { + IAttributeGenerator<ATT> g) throws AttributeException { + try { + Pair<String, String> calcResult = internalBPKGenerator(oaParam, authData); + if (calcResult != null) { + String bpk = calcResult.getFirst(); + String type = calcResult.getSecond(); + + if (MiscUtil.isEmpty(bpk)) + throw new UnavailableAttributeException(BPK_NAME); + + if (type.startsWith(Constants.URN_PREFIX_WBPK)) + type = type.substring((Constants.URN_PREFIX_WBPK + "+").length()); + + else if (type.startsWith(Constants.URN_PREFIX_CDID)) + type = type.substring((Constants.URN_PREFIX_CDID + "+").length()); + + else if (type.startsWith(Constants.URN_PREFIX_EIDAS)) + type = type.substring((Constants.URN_PREFIX_EIDAS + "+").length()); + + if (bpk.length() > BPK_MAX_LENGTH) { + bpk = bpk.substring(0, BPK_MAX_LENGTH); + } + + Logger.trace("Authenticate user with bPK/wbPK " + bpk + " and Type=" + type); + + if (type != null) + return g.buildStringAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME, type + ":" + bpk); + else + return g.buildStringAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME, bpk); - //get PVP attribute directly, if exists - String bpk = authData.getGenericData(MANDATE_NAT_PER_BPK_NAME, String.class); + } + } + catch (BuildException | ConfigurationException e) { + Logger.error("Failed to generate IdentificationType"); + throw new NoMandateDataAttributeException(); + + } + + return null; + + } + + public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) { + return g.buildEmptyAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME); + } + + protected Pair<String, String> internalBPKGenerator(IOAAuthParameters oaParam, IAuthData authData) throws NoMandateDataAttributeException, BuildException, ConfigurationException { + //get PVP attribute directly, if exists + Pair<String, String> calcResult = null; + + if (authData.isUseMandate()) { + String bpk = authData.getGenericData(MANDATE_NAT_PER_BPK_NAME, String.class); + if (MiscUtil.isEmpty(bpk)) { //read bPK from mandate if it is not directly included Element mandate = authData.getMandate(); @@ -63,45 +114,31 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui } PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); if (physicalPerson == null) { - Logger.error("No physicalPerson mandate"); + Logger.debug("No physicalPerson mandate"); throw new NoMandateDataAttributeException(); } IdentificationType id = null; id = physicalPerson.getIdentification().get(0); if (id == null) { - Logger.error("Failed to generate IdentificationType"); + Logger.info("Failed to generate IdentificationType"); throw new NoMandateDataAttributeException(); } + + + if (id.getType().equals(Constants.URN_PREFIX_BASEID)) + calcResult = new BPKBuilder().generateAreaSpecificPersonIdentifier(id.getValue().getValue(), + oaParam.getAreaSpecificTargetIdentifier()); + else + calcResult = Pair.newInstance(id.getValue().getValue(), id.getType()); + + + } else { + Logger.info("Find '" + MANDATE_NAT_PER_BPK_NAME + "' in AuthData. Use it what is is."); + calcResult = Pair.newInstance(bpk, null); - try { - if (id.getType().equals(Constants.URN_PREFIX_BASEID)) { - if (oaParam.getBusinessService()) { - bpk = new BPKBuilder().buildWBPK(id.getValue().getValue(), oaParam.getIdentityLinkDomainIdentifier()); - - } else { - bpk = new BPKBuilder().buildBPK(id.getValue().getValue(), oaParam.getTarget()); - - } - - } else - bpk = id.getValue().getValue(); - - } - catch (BuildException e) { - Logger.error("Failed to generate IdentificationType"); - throw new NoMandateDataAttributeException(); - - } } - - return g.buildStringAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME, bpk); } - return null; + return calcResult; } - - public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) { - return g.buildEmptyAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME); - } - } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java index a64880889..ebba376f8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java @@ -48,6 +48,21 @@ public class MandateNaturalPersonBirthDateAttributeBuilder implements IPVPAttrib public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { + + String attrValue = internalAttributGeneration(oaParam, authData); + if (attrValue != null) + return g.buildStringAttribute(MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, MANDATE_NAT_PER_BIRTHDATE_NAME, attrValue); + else + return null; + + } + + public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) { + return g.buildEmptyAttribute(MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, MANDATE_NAT_PER_BIRTHDATE_NAME); + } + + + protected String internalAttributGeneration(IOAAuthParameters oaParam, IAuthData authData) throws InvalidDateFormatAttributeException, NoMandateDataAttributeException { if (authData.isUseMandate()) { //get PVP attribute directly, if exists @@ -65,7 +80,7 @@ public class MandateNaturalPersonBirthDateAttributeBuilder implements IPVPAttrib } PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); if (physicalPerson == null) { - Logger.error("No physicalPerson mandate"); + Logger.info("No physicalPerson mandate"); throw new NoMandateDataAttributeException(); } @@ -98,14 +113,12 @@ public class MandateNaturalPersonBirthDateAttributeBuilder implements IPVPAttrib } - return g.buildStringAttribute(MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, MANDATE_NAT_PER_BIRTHDATE_NAME, birthDayString); + return birthDayString; + } - return null; + return null; } - public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) { - return g.buildEmptyAttribute(MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, MANDATE_NAT_PER_BIRTHDATE_NAME); - } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java index 085579108..07e5c9d09 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java @@ -62,7 +62,7 @@ public class MandateNaturalPersonFamilyNameAttributeBuilder implements IPVPAttr } PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); if(physicalPerson == null) { - Logger.error("No physicalPerson mandate"); + Logger.debug("No physicalPerson mandate"); throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java index 4cd2ca670..51a3d2e74 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java @@ -59,7 +59,7 @@ public class MandateNaturalPersonGivenNameAttributeBuilder implements IPVPAttrib } PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); if (physicalPerson == null) { - Logger.error("No physicalPerson mandate"); + Logger.debug("No physicalPerson mandate"); throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java index 69a731e53..8be85415e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java @@ -27,10 +27,7 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributePolicyException; @@ -58,18 +55,18 @@ public class MandateNaturalPersonSourcePinAttributeBuilder implements IPVPAttri PhysicalPersonType physicalPerson = mandateObject.getMandator() .getPhysicalPerson(); if (physicalPerson == null) { - Logger.error("No physicalPerson mandate"); + Logger.debug("No physicalPerson mandate"); throw new NoMandateDataAttributeException(); } IdentificationType id = null; id = physicalPerson.getIdentification().get(0); - if(oaParam.getBusinessService()) { + if(authData.isBaseIDTransferRestrication()) { throw new AttributePolicyException(this.getName()); } if(id == null) { - Logger.error("Failed to generate IdentificationType"); + Logger.info("Failed to generate IdentificationType"); throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java index 41a821c98..d89ae0225 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java @@ -28,7 +28,6 @@ import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; @@ -55,13 +54,13 @@ public class MandateNaturalPersonSourcePinTypeAttributeBuilder implements IPVPAt PhysicalPersonType physicalPerson = mandateObject.getMandator() .getPhysicalPerson(); if (physicalPerson == null) { - Logger.error("No physicalPerson mandate"); + Logger.debug("No physicalPerson mandate"); throw new NoMandateDataAttributeException(); } IdentificationType id = null; id = physicalPerson.getIdentification().get(0); if(id == null) { - Logger.error("Failed to generate IdentificationType"); + Logger.info("Failed to generate IdentificationType"); throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java index 643e30ac9..72691a034 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java @@ -227,9 +227,9 @@ public class AttributQueryAction implements IAction { } //check next IDP service area policy. BusinessService IDPs can only request wbPKs - if (!spConfig.getBusinessService() && !idp.isIDPPublicService()) { + if (!spConfig.hasBaseIdTransferRestriction() && !idp.isIDPPublicService()) { Logger.error("Interfederated IDP " + idp.getPublicURLPrefix() - + " has a BusinessService-IDP but requests PublicService attributes."); + + " is a BusinessService-IDP but requests PublicService attributes."); throw new MOAIDException("auth.34", new Object[]{nextIDPInformation.getIdpurlprefix()}); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java index 73d6e978e..95e3c5bc2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java @@ -22,13 +22,19 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x; +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; + import org.opensaml.xml.encryption.EncryptionConstants; import org.opensaml.xml.signature.SignatureConstants; +import at.gv.egovernment.moa.id.data.Trible; + public interface PVPConstants { public static final String SSLSOCKETFACTORYNAME = "MOAMetaDataProvider"; - + public static final String DEFAULT_SIGNING_METHODE = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256; public static final String DEFAULT_DIGESTMETHODE = SignatureConstants.ALGO_ID_DIGEST_SHA256; public static final String DEFAULT_SYM_ENCRYPTION_METHODE = EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256; @@ -54,8 +60,12 @@ public interface PVPConstants { public static final String PVP_VERSION_NAME = URN_OID_PREFIX + PVP_VERSION_OID; public static final String PVP_VERSION_FRIENDLY_NAME = "PVP-VERSION"; public static final String PVP_VERSION_2_1 = "2.1"; + + public static final String SECCLASS_OID = "1.2.40.0.10.2.1.1.261.110"; public static final String SECCLASS_FRIENDLY_NAME = "SECCLASS"; + public static final String SECCLASS_NAME = URN_OID_PREFIX + SECCLASS_OID; + public static final int SECCLASS_MAX_LENGTH = 128; public static final String PRINCIPAL_NAME_OID = "1.2.40.0.10.2.1.1.261.20"; public static final String PRINCIPAL_NAME_NAME = URN_OID_PREFIX + PRINCIPAL_NAME_OID; @@ -136,9 +146,13 @@ public interface PVPConstants { public static final String ROLES_FRIENDLY_NAME = "ROLES"; public static final int ROLES_MAX_LENGTH = 32767; - public static final String EID_CITIZEN_QAA_LEVEL_OID = "1.2.40.0.10.2.1.1.261.94"; - public static final String EID_CITIZEN_QAA_LEVEL_NAME = URN_OID_PREFIX + EID_CITIZEN_QAA_LEVEL_OID; - public static final String EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME = "EID-CITIZEN-QAA-LEVEL"; + @Deprecated public static final String EID_CITIZEN_QAA_LEVEL_OID = "1.2.40.0.10.2.1.1.261.94"; + @Deprecated public static final String EID_CITIZEN_QAA_LEVEL_NAME = URN_OID_PREFIX + EID_CITIZEN_QAA_LEVEL_OID; + @Deprecated public static final String EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME = "EID-CITIZEN-QAA-LEVEL"; + + public static final String EID_CITIZEN_EIDAS_QAA_LEVEL_OID = "1.2.40.0.10.2.1.1.261.108"; + public static final String EID_CITIZEN_EIDAS_QAA_LEVEL_NAME = URN_OID_PREFIX + EID_CITIZEN_EIDAS_QAA_LEVEL_OID; + public static final String EID_CITIZEN_EIDAS_QAA_LEVEL_FRIENDLY_NAME = "EID-CITIZEN-QAA-EIDAS-LEVEL"; public static final String EID_ISSUING_NATION_OID = "1.2.40.0.10.2.1.1.261.32"; public static final String EID_ISSUING_NATION_NAME = URN_OID_PREFIX + EID_ISSUING_NATION_OID; @@ -283,4 +297,81 @@ public interface PVPConstants { public static final String PVP_HOLDEROFKEY_OID = "1.2.40.0.10.2.1.1.261.xx.xx"; public static final String PVP_HOLDEROFKEY_NAME = URN_OID_PREFIX + PVP_HOLDEROFKEY_OID; public static final String PVP_HOLDEROFKEY_FRIENDLY_NAME = "HOLDER-OF-KEY-CERTIFICATE"; + + + + public static final String ENTITY_CATEGORY_ATTRIBITE = "http://macedir.org/entity-category"; + public static final String EGOVTOKEN = "http://www.ref.gv.at/ns/names/agiz/pvp/egovtoken"; + public static final String CITIZENTOKEN = "http://www.ref.gv.at/ns/names/agiz/pvp/citizentoken"; + + /** + * + * Get required PVP attributes for egovtoken + * First : PVP attribute name (OID) + * Second: FriendlyName + * Third: Required + * + */ + public static final List<Trible<String, String, Boolean>> EGOVTOKEN_PVP_ATTRIBUTES = + Collections.unmodifiableList(new ArrayList<Trible<String, String, Boolean>>() { + private static final long serialVersionUID = 1L; + { + //currently supported attributes + add(Trible.newInstance(PVP_VERSION_NAME, PVP_VERSION_FRIENDLY_NAME, true)); + add(Trible.newInstance(PRINCIPAL_NAME_NAME, PRINCIPAL_NAME_FRIENDLY_NAME, true)); + + //currently not supported attributes + add(Trible.newInstance(USERID_NAME, USERID_FRIENDLY_NAME, false)); + add(Trible.newInstance(GID_NAME, GID_FRIENDLY_NAME, false)); + add(Trible.newInstance(PARTICIPANT_ID_NAME, PARTICIPANT_ID_FRIENDLY_NAME, false)); + add(Trible.newInstance(OU_GV_OU_ID_NAME, OU_GV_OU_ID_FRIENDLY_NAME, false)); + add(Trible.newInstance(OU_NAME, OU_FRIENDLY_NAME, false)); + add(Trible.newInstance(SECCLASS_NAME, SECCLASS_FRIENDLY_NAME, false)); + + + } + }); + + /** + * + * Get required PVP attributes for citizenToken + * First : PVP attribute name (OID) + * Second: FriendlyName + * Third: Required + * + */ + public static final List<Trible<String, String, Boolean>> CITIZENTOKEN_PVP_ATTRIBUTES = + Collections.unmodifiableList(new ArrayList<Trible<String, String, Boolean>>() { + private static final long serialVersionUID = 1L; + { + //required attributes - eIDAS minimal-data set + add(Trible.newInstance(PVP_VERSION_NAME, PVP_VERSION_FRIENDLY_NAME, true)); + add(Trible.newInstance(PRINCIPAL_NAME_NAME, PRINCIPAL_NAME_FRIENDLY_NAME, true)); + add(Trible.newInstance(GIVEN_NAME_NAME, GIVEN_NAME_FRIENDLY_NAME, true)); + add(Trible.newInstance(BIRTHDATE_NAME, BIRTHDATE_FRIENDLY_NAME, true)); + add(Trible.newInstance(BPK_NAME, BPK_FRIENDLY_NAME, true)); + + + //not required attributes + add(Trible.newInstance(EID_CITIZEN_EIDAS_QAA_LEVEL_NAME, EID_CITIZEN_EIDAS_QAA_LEVEL_FRIENDLY_NAME, false)); + add(Trible.newInstance(EID_ISSUING_NATION_NAME, EID_ISSUING_NATION_FRIENDLY_NAME, false)); + add(Trible.newInstance(EID_SECTOR_FOR_IDENTIFIER_NAME, EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, false)); + add(Trible.newInstance(MANDATE_TYPE_NAME, MANDATE_TYPE_FRIENDLY_NAME, false)); + add(Trible.newInstance(MANDATE_TYPE_OID_NAME, MANDATE_TYPE_OID_FRIENDLY_NAME, false)); + add(Trible.newInstance(MANDATE_LEG_PER_SOURCE_PIN_NAME, MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, false)); + add(Trible.newInstance(MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, MANDATE_LEG_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME, false)); + add(Trible.newInstance(MANDATE_NAT_PER_BPK_NAME, MANDATE_NAT_PER_BPK_FRIENDLY_NAME, false)); + add(Trible.newInstance(MANDATE_NAT_PER_GIVEN_NAME_NAME, MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME, false)); + add(Trible.newInstance(MANDATE_NAT_PER_FAMILY_NAME_NAME, MANDATE_NAT_PER_FAMILY_NAME_FRIENDLY_NAME, false)); + add(Trible.newInstance(MANDATE_NAT_PER_BIRTHDATE_NAME, MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, false)); + add(Trible.newInstance(MANDATE_LEG_PER_FULL_NAME_NAME, MANDATE_LEG_PER_FULL_NAME_FRIENDLY_NAME, false)); + add(Trible.newInstance(MANDATE_PROF_REP_OID_NAME, MANDATE_PROF_REP_OID_FRIENDLY_NAME, false)); + add(Trible.newInstance(MANDATE_PROF_REP_DESC_NAME, MANDATE_PROF_REP_DESC_FRIENDLY_NAME, false)); + add(Trible.newInstance(MANDATE_REFERENCE_VALUE_NAME, MANDATE_REFERENCE_VALUE_FRIENDLY_NAME, false)); + + + + } + }); + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 4f44a6202..95c4f1726 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -31,7 +31,6 @@ import org.opensaml.common.binding.decoding.URIComparator; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder; import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder; -import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule; import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.StatusResponseType; @@ -60,6 +59,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.IMOARefreshableMetadataProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.validation.MOASAML2AuthRequestSignedRole; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -159,10 +159,10 @@ public class RedirectBinding implements IDecoder, IEncoder { SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule( TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); - SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule(); + MOASAML2AuthRequestSignedRole signedRole = new MOASAML2AuthRequestSignedRole(); BasicSecurityPolicy policy = new BasicSecurityPolicy(); - policy.getPolicyRules().add(signatureRule); - policy.getPolicyRules().add(signedRole); + policy.getPolicyRules().add(signedRole); + policy.getPolicyRules().add(signatureRule); SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver( policy); messageContext.setSecurityPolicyResolver(resolver); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java index 2df72637d..4aa4f7419 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java @@ -59,7 +59,6 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableEx import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.Constants; /** * @author tlenz @@ -70,7 +69,7 @@ public class AttributQueryBuilder { @Autowired IDPCredentialProvider credentialProvider; - public List<Attribute> buildSAML2AttributeList(IOAAuthParameters oa, Iterator<String> iterator) { + public List<Attribute> buildSAML2AttributeList(IOAAuthParameters oa, Iterator<String> iterator) throws ConfigurationException { Logger.debug("Build OA specific Attributes for AttributQuery request"); @@ -87,17 +86,13 @@ public class AttributQueryBuilder { } else { //add OA specific information if (rA.equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) { - if (oa.getBusinessService()) - attr = generator.buildStringAttribute(attr.getFriendlyName(), - attr.getName(), oa.getIdentityLinkDomainIdentifier()); - else - attr = generator.buildStringAttribute(attr.getFriendlyName(), - attr.getName(), Constants.URN_PREFIX_CDID + "+" + oa.getTarget()); + attr = generator.buildStringAttribute(attr.getFriendlyName(), + attr.getName(), oa.getAreaSpecificTargetIdentifier()); + } //TODO: add attribute values for SSO with mandates (ProfileList) - - + attrList.add(attr); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index 55d8fa1ff..45539da3f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -60,11 +60,11 @@ import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBod import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; @@ -338,20 +338,8 @@ public class PVP2AssertionBuilder implements PVPConstants { } //set bPK-Type from configuration, because it MUST be equal to service-provider type - if (oaParam.getBusinessService()) { - if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) - bpktype = oaParam.getIdentityLinkDomainIdentifier(); - else - bpktype = Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier(); - - } else { - if (oaParam.getTarget().startsWith(Constants.URN_PREFIX_CDID + "+")) - bpktype = oaParam.getTarget(); - else - bpktype = Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget(); - - } - + bpktype = oaParam.getAreaSpecificTargetIdentifier(); + } else { //sourcePin is include --> check sourcePinType if (MiscUtil.isEmpty(bpktype)) @@ -365,21 +353,10 @@ public class PVP2AssertionBuilder implements PVPConstants { } - if (bpktype.equals(Constants.URN_PREFIX_BASEID)) { - if (oaParam.getBusinessService()) { - subjectNameID.setValue(new BPKBuilder().buildWBPK(bpk, oaParam.getIdentityLinkDomainIdentifier())); - if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) - subjectNameID.setNameQualifier(oaParam.getIdentityLinkDomainIdentifier()); - else - subjectNameID.setNameQualifier(Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier()); - - } else { - subjectNameID.setValue(new BPKBuilder().buildBPK(bpk, oaParam.getTarget())); - if (oaParam.getTarget().startsWith(Constants.URN_PREFIX_CDID + "+")) - subjectNameID.setNameQualifier(oaParam.getTarget()); - else - subjectNameID.setNameQualifier(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); - } + if (bpktype.equals(Constants.URN_PREFIX_BASEID)) { + Pair<String, String> calcbPK = new BPKBuilder().generateAreaSpecificPersonIdentifier(bpk, oaParam.getAreaSpecificTargetIdentifier()); + subjectNameID.setValue(calcbPK.getFirst()); + subjectNameID.setNameQualifier(calcbPK.getSecond()); } else { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index 5380d7f53..585aac805 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -55,6 +55,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.PVPEntityCategoryFilter; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.PVPMetadataFilterChain; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter; import at.gv.egovernment.moa.logging.Logger; @@ -217,6 +218,9 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider Logger.warn("Refresh PVP2X metadata for onlineApplication: " + entityID + " FAILED.", e); + } catch (ConfigurationException e) { + Logger.warn("Refresh PVP2X metadata for onlineApplication: " + + entityID + " FAILED.", e); } return false; @@ -484,13 +488,14 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider } - private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException { + private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException, ConfigurationException { PVPMetadataFilterChain filterChain = new PVPMetadataFilterChain(metadataURL, certificate); filterChain.getFilters().add(new SchemaValidationFilter()); + filterChain.getFilters().add(new PVPEntityCategoryFilter()); if (oaParam.isInderfederationIDP()) { Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies"); - filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oaParam.getBusinessService())); + filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oaParam.hasBaseIdTransferRestriction())); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java new file mode 100644 index 000000000..efcf21b50 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java @@ -0,0 +1,49 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.validation; + +import org.opensaml.common.binding.SAMLMessageContext; +import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule; +import org.opensaml.ws.transport.http.HTTPInTransport; +import org.opensaml.xml.util.DatatypeHelper; + +/** + * @author tlenz + * + */ +public class MOASAML2AuthRequestSignedRole extends SAML2AuthnRequestsSignedRule { + + @Override + protected boolean isMessageSigned(SAMLMessageContext messageContext) { + // This handles HTTP-Redirect and HTTP-POST-SimpleSign bindings. + HTTPInTransport inTransport = (HTTPInTransport) messageContext.getInboundMessageTransport(); + String sigParam = inTransport.getParameterValue("Signature"); + boolean isSigned = !DatatypeHelper.isEmpty(sigParam); + + String sigAlgParam = inTransport.getParameterValue("SigAlg"); + boolean isSigAlgExists = !DatatypeHelper.isEmpty(sigAlgParam); + + return isSigned && isSigAlgExists; + + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java new file mode 100644 index 000000000..95d30db49 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java @@ -0,0 +1,207 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; + +import java.util.ArrayList; +import java.util.List; + +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.common.Extensions; +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.metadata.AttributeConsumingService; +import org.opensaml.saml2.metadata.EntitiesDescriptor; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.LocalizedString; +import org.opensaml.saml2.metadata.RequestedAttribute; +import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml2.metadata.ServiceName; +import org.opensaml.saml2.metadata.provider.FilterException; +import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.samlext.saml2mdattr.EntityAttributes; +import org.opensaml.xml.XMLObject; + +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.data.Trible; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moaspss.logging.Logger; + +/** + * @author tlenz + * + */ +public class PVPEntityCategoryFilter implements MetadataFilter { + + + + + /* (non-Javadoc) + * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject) + */ + @Override + public void doFilter(XMLObject metadata) throws FilterException { + String entityId = null; + try { + if (metadata instanceof EntitiesDescriptor) { + Logger.trace("Find EnitiesDescriptor ... "); + EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata; + if (entitiesDesc.getEntityDescriptors() != null) { + for (EntityDescriptor el : entitiesDesc.getEntityDescriptors()) + resolveEntityCategoriesToAttributes(el); + + } + + } else if (metadata instanceof EntityDescriptor) { + Logger.trace("Find EntityDescriptor"); + resolveEntityCategoriesToAttributes((EntityDescriptor)metadata); + + + } else + throw new MOAIDException("Invalid Metadata file Root element is no Entities- or EntityDescriptor", null); + + + + } catch (Exception e) { + Logger.warn("SAML2 Metadata processing FAILED: Can not resolve EntityCategories for metadata: " + entityId, e); + + } + } + + private void resolveEntityCategoriesToAttributes(EntityDescriptor metadata) { + Logger.debug("Resolving EntityCategorie for Entity: " + metadata.getEntityID() + " ..."); + Extensions extensions = metadata.getExtensions(); + if (extensions != null) { + List<XMLObject> listOfExt = extensions.getUnknownXMLObjects(); + if (listOfExt != null && !listOfExt.isEmpty()) { + for (XMLObject el : listOfExt) { + Logger.trace("Find ExtensionElement: " + el.getElementQName().toString()); + if (el instanceof EntityAttributes) { + EntityAttributes entityAttrElem = (EntityAttributes)el; + if (entityAttrElem.getAttributes() != null) { + Logger.trace("Find EntityAttributes. Start attribute processing ..."); + for (Attribute entityAttr : entityAttrElem.getAttributes()) { + if (entityAttr.getName().equals(PVPConstants.ENTITY_CATEGORY_ATTRIBITE)) { + if (!entityAttr.getAttributeValues().isEmpty()) { + String entityAttrValue = entityAttr.getAttributeValues().get(0).getDOM().getTextContent(); + if (PVPConstants.EGOVTOKEN.equals(entityAttrValue)) { + Logger.debug("Find 'EGOVTOKEN' EntityAttribute. Adding single pvp attributes ... "); + addAttributesToEntityDescriptor(metadata, + buildAttributeList(PVPConstants.EGOVTOKEN_PVP_ATTRIBUTES), + entityAttrValue); + + + } else if (PVPConstants.CITIZENTOKEN.equals(entityAttrValue)) { + Logger.debug("Find 'CITIZENTOKEN' EntityAttribute. Adding single pvp attributes ... "); + addAttributesToEntityDescriptor(metadata, + buildAttributeList(PVPConstants.CITIZENTOKEN_PVP_ATTRIBUTES), + entityAttrValue); + + } else + Logger.info("EntityAttributeValue: " + entityAttrValue + " is UNKNOWN!"); + + } else + Logger.info("EntityAttribute: No attribute value"); + + } else + Logger.info("EntityAttribute: " + entityAttr.getName() + " is NOT supported"); + + } + + } else + Logger.info("Can NOT resolve EntityAttributes! Reason: Only EntityAttributes are supported!"); + + } + } + } + } + + } + + /** + * @param metadata + * @param attrList + */ + private void addAttributesToEntityDescriptor(EntityDescriptor metadata, List<RequestedAttribute> attrList, String entityAttr) { + SPSSODescriptor spSSODesc = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); + if (spSSODesc != null) { + if (spSSODesc.getAttributeConsumingServices() == null || + spSSODesc.getAttributeConsumingServices().isEmpty()) { + Logger.trace("No 'AttributeConsumingServices' found. Added it ..."); + + AttributeConsumingService attributeService = SAML2Utils.createSAMLObject(AttributeConsumingService.class); + attributeService.setIndex(0); + attributeService.setIsDefault(true); + ServiceName serviceName = SAML2Utils.createSAMLObject(ServiceName.class); + serviceName.setName(new LocalizedString("Default Service", "en")); + attributeService.getNames().add(serviceName); + + if (attrList != null && !attrList.isEmpty()) { + attributeService.getRequestAttributes().addAll(attrList); + Logger.info("Add " + attrList.size() + " attributes for 'EntityAttribute': " + entityAttr); + + } + + spSSODesc.getAttributeConsumingServices().add(attributeService); + + } else { + Logger.debug("Find 'AttributeConsumingServices'. Starting updating process ... "); + for (AttributeConsumingService el : spSSODesc.getAttributeConsumingServices()) { + Logger.debug("Update 'AttributeConsumingService' with Index: " + el.getIndex()); + + //load currently requested attributes + List<String> currentlyReqAttr = new ArrayList<String>(); + for (RequestedAttribute reqAttr : el.getRequestAttributes()) + currentlyReqAttr.add(reqAttr.getName()); + + + //check against EntityAttribute List + for (RequestedAttribute entityAttrListEl : attrList) { + if (!currentlyReqAttr.contains(entityAttrListEl.getName())) { + el.getRequestAttributes().add(entityAttrListEl); + + } else + Logger.debug("'AttributeConsumingService' already contains attr: " + entityAttrListEl.getName()); + + } + + } + + } + + } else + Logger.info("Can ONLY add 'EntityAttributes' to 'SPSSODescriptor'"); + + } + + private List<RequestedAttribute> buildAttributeList(List<Trible<String, String, Boolean>> attrSet) { + List<RequestedAttribute> requestedAttributes = new ArrayList<RequestedAttribute>(); + for (Trible<String, String, Boolean> el : attrSet) + requestedAttributes.add(PVPAttributeBuilder.buildReqAttribute(el.getFirst(), el.getSecond(), el.getThird())); + + return requestedAttributes; + + + } + +} diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 50b2c5ece..05f58d5bc 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -88,6 +88,8 @@ config.24=MOA-ID-Auth Configfile {1} does not start with {0} prefix. config.25=Der verwendete IDP PublicURLPrefix {0} ist nicht erlaubt.
config.26=Federated IDP {0} contains no AttributeQuery URL.
config.27=Fehler beim Verarbeiten eines Konfigurationsparameters. Msg:{0}
+config.28=Fehler beim initialisieren des SSL-TrustManagers. Zertifikat {0} kann nicht geladen werden; Ursache: {1}
+config.29=Fehler beim initialisieren des SSL-TrustManagers. TrustStore: {0} | Ursache: {1}
parser.00=Leichter Fehler beim Parsen: {0}
parser.01=Fehler beim Parsen: {0}
@@ -273,6 +275,7 @@ eIDAS.13=Generation of eIDAS Response FAILED. Reason:{0} eIDAS.14=eIDAS Response validation FAILED: LevelOfAssurance {0} is to low.
eIDAS.15=Generation of eIDAS Response FAILED. Required attribute: {0} is NOT available.
eIDAS.16=eIDAS Response attribute-validation FAILED. Attribute:{0} Reason: {1}.
+eIDAS.17=Generation of eIDAS Response FAILED. Citzen use mandates for authentication but there are no mandate attributes requested
pvp2.01=Fehler beim kodieren der PVP2 Antwort
pvp2.02=Ungueltiges Datumsformat
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties index c6d0844ce..0a37fdc91 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties @@ -230,6 +230,7 @@ eIDAS.13=1307 eIDAS.14=1301 eIDAS.15=1307 eIDAS.16=1301 +eIDAS.17=1307 pvp2.01=6100 pvp2.06=6100 |