add functionality for global authentication protocol activation/deactivation

8 files changed, 199 insertions, 6 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/ProtocolNotActiveException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/ProtocolNotActiveException.java
new file mode 100644
index 000000000..fe2bcedca
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/ProtocolNotActiveException.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.exception;
+
+/**
+ * @author tlenz
+ *
+ */
+public class ProtocolNotActiveException extends MOAIDException {
+
+	/**
+	 * 
+	 */
+	private static final long serialVersionUID = 1832697083163940710L;
+
+	/**
+	 * @param messageId
+	 * @param parameters
+	 */
+	public ProtocolNotActiveException(String messageId, Object[] parameters) {
+		super(messageId, parameters);
+	}
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
index 69a73215a..d1872b2bc 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
@@ -105,6 +105,7 @@ import at.gv.egovernment.moa.id.config.ConnectionParameter;
 import at.gv.egovernment.moa.id.config.ConnectionParameterForeign;
 import at.gv.egovernment.moa.id.config.ConnectionParameterMOASP;
 import at.gv.egovernment.moa.id.config.ConnectionParameterMandate;
+import at.gv.egovernment.moa.id.config.auth.data.ProtocolAllowed;
 import at.gv.egovernment.moa.id.config.legacy.BuildFromLegacyConfig;
 import at.gv.egovernment.moa.id.config.stork.STORKConfig;
 import at.gv.egovernment.moa.id.data.IssuerAndSerial;
@@ -190,6 +191,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
   private static String alternativesourceid = null;
   
   private static List<String> legacyallowedprotocols = new ArrayList<String>();
+  private static ProtocolAllowed allowedProtcols = null;
   
   private static VerifyAuthBlock verifyidl = null;
   
@@ -246,6 +248,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
     return instance;
   }
 
+
   /**
    * Constructor for AuthConfigurationProvider.
    * @param fileName
@@ -515,8 +518,22 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
 		//set PVP2 general config
 		Protocols protocols = auth.getProtocols();
 			if (protocols != null) {
+				
+				allowedProtcols = new ProtocolAllowed();
+				
+				if (protocols.getSAML1() != null) {
+					allowedProtcols.setSAML1Active(protocols.getSAML1().isIsActive());
+				}
+				
+				if (protocols.getOAuth() != null) {
+					allowedProtcols.setOAUTHActive(protocols.getOAuth().isIsActive());
+				}
+				
 				if (protocols.getPVP2() != null) {
-					PVP2 el = protocols.getPVP2();;
+					PVP2 el = protocols.getPVP2();
+					
+					allowedProtcols.setPVP21Active(el.isIsActive());
+					
 					pvp2general =  new PVP2();
 					pvp2general.setIssuerName(el.getIssuerName());	
 					pvp2general.setPublicURLPrefix(el.getPublicURLPrefix());
@@ -730,6 +747,9 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
       return this.getGeneralProperiesConfig("protocols.oauth20.");
   }
   
+  public ProtocolAllowed getAllowedProtocols() {
+	  return this.allowedProtcols;
+  }
   
   public PVP2 getGeneralPVP2DBConfig() {
 	  return pvp2general;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/ProtocolAllowed.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/ProtocolAllowed.java
new file mode 100644
index 000000000..a04fb1626
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/ProtocolAllowed.java
@@ -0,0 +1,91 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.config.auth.data;
+
+/**
+ * @author tlenz
+ *
+ */
+public class ProtocolAllowed {
+
+	private boolean isSAML1Active = false;
+	private boolean isPVP21Active = true;
+	private boolean isOAUTHActive = true;
+	
+	/**
+	 * 
+	 */
+	public ProtocolAllowed() {
+		
+	}
+	
+	/**
+	 * 
+	 */
+	public ProtocolAllowed(boolean saml1, boolean pvp21, boolean oauth) {
+		this.isOAUTHActive = oauth;
+		this.isPVP21Active = pvp21;
+		this.isSAML1Active = saml1;
+		
+	}
+	
+	/**
+	 * @return the isSAML1Active
+	 */
+	public boolean isSAML1Active() {
+		return isSAML1Active;
+	}
+	/**
+	 * @param isSAML1Active the isSAML1Active to set
+	 */
+	public void setSAML1Active(boolean isSAML1Active) {
+		this.isSAML1Active = isSAML1Active;
+	}
+	/**
+	 * @return the isPVP21Active
+	 */
+	public boolean isPVP21Active() {
+		return isPVP21Active;
+	}
+	/**
+	 * @param isPVP21Active the isPVP21Active to set
+	 */
+	public void setPVP21Active(boolean isPVP21Active) {
+		this.isPVP21Active = isPVP21Active;
+	}
+	/**
+	 * @return the isOAUTHActive
+	 */
+	public boolean isOAUTHActive() {
+		return isOAUTHActive;
+	}
+	/**
+	 * @param isOAUTHActive the isOAUTHActive to set
+	 */
+	public void setOAUTHActive(boolean isOAUTHActive) {
+		this.isOAUTHActive = isOAUTHActive;
+	}
+	
+	
+	
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
index 260a4fd79..1f526caca 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
@@ -28,6 +28,7 @@ import iaik.security.ecc.provider.ECCProvider;
 import iaik.security.provider.IAIK;
 
 import java.io.IOException;
+import java.io.PrintWriter;
 import java.security.Security;
 import java.util.Iterator;
 import java.util.Map;
@@ -45,6 +46,7 @@ import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
 import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.servlet.AuthServlet;
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
@@ -317,20 +319,28 @@ public class DispatcherServlet extends AuthServlet{
 								}
 							}
 						}
+						
+					} catch (ProtocolNotActiveException e) {
+						resp.getWriter().write(e.getMessage());
+						resp.setContentType("text/html;charset=UTF-8");
+						resp.sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage());
+						return;
+						
+						
 					} catch (MOAIDException e) {
 						Logger.error("Failed to generate a valid protocol request!");
-						resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
 						resp.setContentType("text/html;charset=UTF-8");
-						resp.getWriter().write("NO valid protocol request received!");
+						resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "NO valid protocol request received!");
 						return;
+						
 					}
 						
 					if (protocolRequest == null) {
 						Logger.error("Failed to generate a valid protocol request!");
-						resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
 						resp.setContentType("text/html;charset=UTF-8");
-						resp.getWriter().write("NO valid protocol request received!");
+						resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "NO valid protocol request received!");
 						return;
+						
 					}
 				}
 				
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java
index 1fb67a0b2..7ef5a2068 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java
@@ -32,6 +32,8 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang.StringUtils;
 
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.id.moduls.IAction;
 import at.gv.egovernment.moa.id.moduls.IModulInfo;
 import at.gv.egovernment.moa.id.moduls.IRequest;
@@ -77,6 +79,13 @@ public class OAuth20Protocol implements IModulInfo {
 	 */
 	public IRequest preProcess(HttpServletRequest request, HttpServletResponse resp, String action) throws MOAIDException {
 		// validation is done inside creation
+		
+		if (!AuthConfigurationProvider.getInstance().getAllowedProtocols().isOAUTHActive()) {
+			Logger.info("OAuth is deaktivated!");
+			throw new ProtocolNotActiveException("auth.22", new Object[] { NAME });
+			
+		}
+	
 		OAuth20BaseRequest res = OAuth20BaseRequest.newInstance(action, request);
 		Logger.debug("Created: " + res);
 		return res;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index 82a620f6b..84c0138a5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -47,6 +47,8 @@ import org.opensaml.saml2.metadata.SPSSODescriptor;
 
 import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.id.moduls.IAction;
 import at.gv.egovernment.moa.id.moduls.IModulInfo;
 import at.gv.egovernment.moa.id.moduls.IRequest;
@@ -129,6 +131,14 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 	public IRequest preProcess(HttpServletRequest request,
 			HttpServletResponse response, String action) throws MOAIDException {
 
+		
+		if (!AuthConfigurationProvider.getInstance().getAllowedProtocols().isPVP21Active()) {
+			Logger.info("PVP2.1 is deaktivated!");
+			throw new ProtocolNotActiveException("auth.22", new java.lang.Object[] { NAME });
+			
+		}
+		
+		
 		if(METADATA.equals(action)) {
 			return new PVPTargetConfiguration();
 		}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
index 1c57c841e..e587ef0e1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
@@ -32,6 +32,7 @@ import org.apache.commons.lang.StringEscapeUtils;
 import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
 import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet;
 import at.gv.egovernment.moa.id.commons.db.dao.config.OASAML1;
@@ -81,6 +82,13 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants {
 	public IRequest preProcess(HttpServletRequest request,
 			HttpServletResponse response, String action) throws MOAIDException {
 		RequestImpl config = new RequestImpl();
+		
+		if (!AuthConfigurationProvider.getInstance().getAllowedProtocols().isSAML1Active()) {
+			Logger.info("SAML1 is deaktivated!");
+			throw new ProtocolNotActiveException("auth.22", new Object[] { NAME });
+			
+		}
+			
 		String oaURL = (String) request.getParameter(PARAM_OA);
 		//oaURL = StringEscapeUtils.escapeHtml(oaURL);
 		
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 3151aa657..dc698782a 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -40,6 +40,7 @@ auth.18=Keine MOASessionID vorhanden
 auth.19=Die Authentifizierung kann nicht passiv durchgef\u00FChrt werden.

 auth.20=No valid MOA session found. Authentification process is abourted.

 auth.21=Der Anmeldevorgang wurde durch den Benutzer abgebrochen.

+auth.22=Das Protokoll {0} ist deaktiviert.

 

 init.00=MOA ID Authentisierung wurde erfolgreich gestartet

 init.01=Fehler beim Aktivieren des IAIK-JCE/JSSE/JDK1.3 Workaround\: SSL ist m\u00F6glicherweise nicht verf\u00FCgbar

@@ -227,5 +228,5 @@ oauth20.04=Die Art der Anmeldung wird nicht unterstuetzt
 oauth20.05=Der angegebene Benutzer ist nicht berechtigt

 oauth20.06=Die angegebene OA kann nicht verwendet werden

 oauth20.07=Angeforderter grant_type ist nicht erlaubt

-oauth20.08=Nicht berechtigt für Token-Request

+oauth20.08=Nicht berechtigt f�r Token-Request

 oauth20.09=Zertifikat fuer JSON Web-Token ist falsch konfiguriert. Fehler bei "{0}"