diff options
author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2018-06-20 15:11:13 +0200 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2018-06-20 15:11:13 +0200 |
commit | 139926faa31ae3ed34dc0083fee503d439112281 (patch) | |
tree | bf69a673df4a222653b47c0b8da88588065e2271 /id/server/idserverlib/src | |
parent | 1f8f686bee862ae95e32fc79664d82dcc21f708f (diff) | |
download | moa-id-spss-139926faa31ae3ed34dc0083fee503d439112281.tar.gz moa-id-spss-139926faa31ae3ed34dc0083fee503d439112281.tar.bz2 moa-id-spss-139926faa31ae3ed34dc0083fee503d439112281.zip |
refactor PVP2 S-Profile implementation and perform first tests
Diffstat (limited to 'id/server/idserverlib/src')
118 files changed, 601 insertions, 10754 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/MOAIDEventConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/MOAIDEventConstants.java index 54e459db1..2c1e47009 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/MOAIDEventConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/MOAIDEventConstants.java @@ -35,10 +35,7 @@ import at.gv.egiz.components.eventlog.api.EventConstants; public interface MOAIDEventConstants extends EventConstants { //auth protocol specific information - public static final int AUTHPROTOCOL_TYPE = 3000; - public static final int AUTHPROTOCOL_PVP_METADATA = 3100; - public static final int AUTHPROTOCOL_PVP_REQUEST_AUTHREQUEST = 3101; public static final int AUTHPROTOCOL_PVP_REQUEST_AUTHRESPONSE = 3102; public static final int AUTHPROTOCOL_PVP_REQUEST_SLO = 3103; public static final int AUTHPROTOCOL_PVP_REQUEST_ATTRIBUTQUERY = 3104; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/MOAReversionLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/MOAReversionLogger.java index e630455b4..8298b082b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/MOAReversionLogger.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/MOAReversionLogger.java @@ -34,6 +34,7 @@ import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.api.logging.IRevisionLogger; +import at.gv.egiz.eaaf.modules.pvp2.PVPEventConstants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink; @@ -63,8 +64,8 @@ public class MOAReversionLogger implements IRevisionLogger { MOAIDEventConstants.TRANSACTION_DESTROYED, MOAIDEventConstants.TRANSACTION_ERROR, MOAIDEventConstants.TRANSACTION_IP, - MOAIDEventConstants.AUTHPROTOCOL_TYPE, - MOAIDEventConstants.AUTHPROTOCOL_PVP_METADATA, + IRevisionLogger.AUTHPROTOCOL_TYPE, + PVPEventConstants.AUTHPROTOCOL_PVP_METADATA, MOAIDEventConstants.AUTHPROCESS_SERVICEPROVIDER, MOAIDEventConstants.AUTHPROCESS_INTERFEDERATION, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IDestroyableObject.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IDestroyableObject.java deleted file mode 100644 index 6f98357e2..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IDestroyableObject.java +++ /dev/null @@ -1,36 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.auth; - -/** - * @author tlenz - * - */ -public interface IDestroyableObject { - /** - * Manually deep destroy a Java object with all child objects like timers and threads - * - */ - public void fullyDestroy(); - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IGarbageCollectorProcessing.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IGarbageCollectorProcessing.java deleted file mode 100644 index 27d142f2c..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IGarbageCollectorProcessing.java +++ /dev/null @@ -1,36 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.auth; - -/** - * @author tlenz - * - */ -public interface IGarbageCollectorProcessing { - - /** - * This method gets executed by the MOA garbage collector at regular intervals. - * - */ - public void runGarbageCollector(); -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IPostStartupInitializable.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IPostStartupInitializable.java deleted file mode 100644 index d918be463..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/IPostStartupInitializable.java +++ /dev/null @@ -1,41 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.auth; - - -/** - * - * @author tlenz - * - * Interface initialize a Object when the MOA-ID-Auth start-up process is fully completed - * - */ -public interface IPostStartupInitializable { - - /** - * This method is called once when MOA-ID-Auth start-up process is fully completed - * - */ - public void executeAfterStartup(); - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAGarbageCollector.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAGarbageCollector.java index 52e30a2f0..f88267ad7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAGarbageCollector.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAGarbageCollector.java @@ -33,6 +33,7 @@ import org.springframework.scheduling.annotation.EnableScheduling; import org.springframework.scheduling.annotation.Scheduled; import org.springframework.stereotype.Service; +import at.gv.egiz.eaaf.core.api.IGarbageCollectorProcessing; import at.gv.egovernment.moa.logging.Logger; @Service("MOAGarbageCollector") diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 738f733a8..998817b19 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -50,6 +50,7 @@ import at.gv.egiz.eaaf.core.api.idp.IAuthenticationDataBuilder; import at.gv.egiz.eaaf.core.exceptions.EAAFAuthenticationException; import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException; +import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.core.impl.idp.AuthenticationData; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionWrapper; @@ -73,9 +74,7 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameterDecorator; import at.gv.egovernment.moa.id.data.AuthenticationRoleFactory; import at.gv.egovernment.moa.id.data.MISMandate; import at.gv.egovernment.moa.id.data.MOAAuthenticationData; -import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.IdentityLinkReSigner; import at.gv.egovernment.moa.id.util.LoALevelMapper; @@ -100,6 +99,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu @Autowired private IAuthenticationSessionStoreage authenticatedSessionStorage; @Autowired protected AuthConfiguration authConfig; + @Autowired private LoALevelMapper loaLevelMapper; @Override public IAuthData buildAuthenticationData(IRequest pendingReq) throws EAAFAuthenticationException { @@ -124,7 +124,8 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu try { //check if SAML1 authentication module is in Classpath Class<?> saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl"); - IAuthData saml1authdata = (IAuthData) Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData").newInstance(); + //IAuthData saml1authdata = (IAuthData) Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData").newInstance(); + IAuthData saml1authdata = (IAuthData) Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData").getConstructor(LoALevelMapper.class).newInstance(loaLevelMapper); if (saml1RequstTemplate != null && saml1RequstTemplate.isInstance(pendingReq)) { //request is SAML1 --> invoke SAML1 protocol specific methods @@ -138,12 +139,12 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu authdata = (MOAAuthenticationData) saml1authdata; } else { - authdata = new MOAAuthenticationData(); + authdata = new MOAAuthenticationData(loaLevelMapper); } } catch (ClassNotFoundException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | NoSuchMethodException | java.lang.SecurityException ex) { - authdata = new MOAAuthenticationData(); + authdata = new MOAAuthenticationData(loaLevelMapper); } @@ -162,13 +163,13 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu oaParam = DynamicOAAuthParameterBuilder.buildFromAuthnRequest(oaParam, pendingReq); Boolean isMinimalFrontChannelResp = pendingReq.getGenericData( - PVPTargetConfiguration.DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP, Boolean.class); + MOAIDAuthConstants.DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP, Boolean.class); if (isMinimalFrontChannelResp != null && isMinimalFrontChannelResp) { //only set minimal response attributes authdata.setQAALevel( - pendingReq.getGenericData(PVPTargetConfiguration.DATAID_INTERFEDERATION_QAALEVEL, String.class)); + pendingReq.getGenericData(MOAIDAuthConstants.DATAID_INTERFEDERATION_QAALEVEL, String.class)); authdata.setBPK( - pendingReq.getGenericData(PVPTargetConfiguration.DATAID_INTERFEDERATION_NAMEID, String.class)); + pendingReq.getGenericData(MOAIDAuthConstants.DATAID_INTERFEDERATION_NAMEID, String.class)); } else { //build AuthenticationData from MOASession @@ -297,18 +298,18 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu if (MiscUtil.isNotEmpty(currentLoA)) { if (currentLoA.startsWith(PVPConstants.STORK_QAA_PREFIX)) { authData.setQAALevel(currentLoA); - authData.seteIDASLoA(LoALevelMapper.getInstance().mapSTORKQAAToeIDASQAA(currentLoA)); + authData.seteIDASLoA(loaLevelMapper.mapSTORKQAAToeIDASQAA(currentLoA)); } else if (currentLoA.startsWith(EAAFConstants.EIDAS_QAA_PREFIX)) { - authData.setQAALevel(LoALevelMapper.getInstance().mapeIDASQAAToSTORKQAA(currentLoA)); + authData.setQAALevel(loaLevelMapper.mapeIDASQAAToSTORKQAA(currentLoA)); authData.seteIDASLoA(currentLoA); - } else { - Logger.debug("Found PVP QAA level. QAA mapping process starts ... "); - String mappedStorkQAA = LoALevelMapper.getInstance().mapToQAALevel(currentLoA); + } else { + Logger.debug("Found PVP SecClass. QAA mapping process starts ... "); + String mappedStorkQAA = loaLevelMapper.mapSecClassToQAALevel(currentLoA); if (MiscUtil.isNotEmpty(mappedStorkQAA)) { - authData.setQAALevel(currentLoA); - authData.seteIDASLoA(LoALevelMapper.getInstance().mapSTORKQAAToeIDASQAA(currentLoA)); + authData.setQAALevel(mappedStorkQAA); + authData.seteIDASLoA(loaLevelMapper.mapSTORKQAAToeIDASQAA(mappedStorkQAA)); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java index a7f6e873f..4bc4a7e81 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java @@ -59,9 +59,9 @@ import javax.crypto.Cipher; import javax.crypto.IllegalBlockSizeException; import javax.crypto.NoSuchPaddingException; +import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; -import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java index a1d31f5ae..e600505a2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java @@ -28,7 +28,7 @@ import java.util.List; import org.opensaml.saml2.core.Attribute; import at.gv.egiz.eaaf.core.api.IRequest; -import at.gv.egiz.eaaf.core.api.data.PVPAttributeConstants; +import at.gv.egiz.eaaf.core.api.data.PVPAttributeDefinitions; import at.gv.egovernment.moa.id.auth.exception.DynamicOABuildException; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; @@ -50,7 +50,7 @@ public class DynamicOAAuthParameterBuilder { for (Attribute attr : reqAttributes) { //get Target or BusinessService from request - if (attr.getName().equals(PVPAttributeConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) { + if (attr.getName().equals(PVPAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME)) { String attrValue = attr.getAttributeValues().get(0).getDOM().getTextContent(); if (attrValue.startsWith(Constants.URN_PREFIX_CDID)) { //dynamicOA.setBusinessService(false); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java new file mode 100644 index 000000000..aa462c480 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java @@ -0,0 +1,114 @@ +package at.gv.egovernment.moa.id.auth.builder; + +import org.apache.commons.lang3.StringUtils; +import org.springframework.stereotype.Service; +import org.w3c.dom.Element; + +import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; +import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; +import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; +import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; +import at.gv.egiz.eaaf.core.api.idp.IAuthData; +import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.modules.pvp2.PVPConstants; +import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception; +import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator; +import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException; +import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.data.IMOAAuthData; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException; +import at.gv.egovernment.moa.id.util.MandateBuilder; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Constants; + +@Service("MOASAML2SubjectNameIDGenerator") +public class MOAIDSubjectNameIdGenerator implements ISubjectNameIdGenerator { + + @Override + public Pair<String, String> generateSubjectNameId(IAuthData authData, ISPConfiguration spConfig) throws PVP2Exception { + //build nameID and nameID Format from moasessio + if (authData instanceof IMOAAuthData && + ((IMOAAuthData)authData).isUseMandate()) { + String bpktype = null; + String bpk = null; + + Element mandate = ((IMOAAuthData)authData).getMandate(); + if(mandate != null) { + Logger.debug("Read mandator bPK|baseID from full-mandate ... "); + Mandate mandateObject = MandateBuilder.buildMandate(mandate); + if(mandateObject == null) { + throw new NoMandateDataAvailableException(); + } + CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); + PhysicalPersonType pysicalperson = mandateObject.getMandator().getPhysicalPerson(); + + IdentificationType id; + if(corporation != null && corporation.getIdentification().size() > 0) + id = corporation.getIdentification().get(0); + + + else if (pysicalperson != null && pysicalperson.getIdentification().size() > 0) + id = pysicalperson.getIdentification().get(0); + + else { + Logger.error("Failed to generate IdentificationType"); + throw new NoMandateDataAvailableException(); + } + + bpktype = id.getType(); + bpk = id.getValue().getValue(); + + } else { + Logger.debug("Read mandator bPK|baseID from PVP attributes ... "); + bpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME, String.class); + bpktype = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME, String.class); + + if (StringUtils.isEmpty(bpk)) { + //no sourcePin is included --> search for bPK + bpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_BPK_NAME, String.class); + + try { + if (bpk.contains(":")) + bpk = bpk.split(":")[1]; + + } catch (Exception e) { + Logger.warn("Can not split bPK from mandator attribute!", e); + + } + + //set bPK-Type from configuration, because it MUST be equal to service-provider type + bpktype = spConfig.getAreaSpecificTargetIdentifier(); + + } else { + //sourcePin is include --> check sourcePinType + if (StringUtils.isEmpty(bpktype)) + bpktype = Constants.URN_PREFIX_BASEID; + + } + } + + if (StringUtils.isEmpty(bpk) || StringUtils.isEmpty(bpktype)) { + throw new NoMandateDataAvailableException(); + + } + + if (bpktype.equals(Constants.URN_PREFIX_BASEID)) { + try { + return new BPKBuilder().generateAreaSpecificPersonIdentifier(bpk, spConfig.getAreaSpecificTargetIdentifier()); + + } catch (BuildException e) { + Logger.warn("Can NOT generate SubjectNameId." , e); + throw new ResponderErrorException("pvp2.01", null); + + } + + } else + return Pair.newInstance(bpk, bpktype); + + } else + return Pair.newInstance(authData.getBPK(), authData.getBPKType()); + + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/RestartAuthProzessManagement.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/RestartAuthProzessManagement.java deleted file mode 100644 index 8def0f860..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/RestartAuthProzessManagement.java +++ /dev/null @@ -1,108 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.auth.modules.internal.tasks; - -import java.util.Set; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Component; - -import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; -import at.gv.egiz.eaaf.core.api.idp.process.ProcessEngine; -import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; -import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; -import at.gv.egiz.eaaf.core.impl.idp.auth.modules.ModuleRegistration; -import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl; -import at.gv.egiz.eaaf.core.impl.idp.process.ExecutionContextImpl; -import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; -import at.gv.egovernment.moa.logging.Logger; - -/** - * @author tlenz - * - */ -@Component("RestartAuthProzessManagement") -public class RestartAuthProzessManagement extends AbstractAuthServletTask { - - @Autowired ProcessEngine processEngine; - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.process.springweb.MoaIdTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) - */ - @Override - public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) - throws TaskExecutionException { - try { - //create a new execution context and copy all elements to new context - ExecutionContext newec = new ExecutionContextImpl(); - Set<String> entries = executionContext.keySet(); - for (String key : entries) { - newec.put(key, executionContext.get(key)); - - } - - Logger.debug("Select new auth.-process and restart restart process-engine ... "); - - // select and create new process instance - String processDefinitionId = ModuleRegistration.getInstance().selectProcess(newec); - if (processDefinitionId == null) { - Logger.warn("No suitable authentication process found for SessionID " + pendingReq.getPendingRequestId()); - throw new MOAIDException("process.02", new Object[] { pendingReq.getPendingRequestId() }); - } - - String processInstanceId = processEngine.createProcessInstance(processDefinitionId, newec); - - // keep process instance id in moa session - ((RequestImpl)pendingReq).setProcessInstanceId(processInstanceId); - - // make sure pending request has been persisted before running the process - try { - requestStoreage.storePendingRequest(pendingReq); - - } catch (MOAIDException e) { - Logger.error("Database Error! MOASession is not stored!"); - throw new MOAIDException("init.04", new Object[] { pendingReq.getPendingRequestId() }); - - } - - Logger.info("Restart process-engine with auth.process:" + processDefinitionId); - - // start process - processEngine.start(pendingReq); - - - } catch (MOAIDException e) { - throw new TaskExecutionException(pendingReq, e.getMessage(), e); - - } catch (Exception e) { - Logger.warn("RestartAuthProzessManagement has an internal error", e); - throw new TaskExecutionException(pendingReq, e.getMessage(), e); - - } - - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index 10c271b6a..0e1e1bf12 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -33,6 +33,7 @@ import org.springframework.stereotype.Service; import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egiz.eaaf.core.exceptions.EAAFException; +import at.gv.egiz.eaaf.core.impl.utils.FileUtils; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; @@ -43,7 +44,6 @@ import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.FileUtils; import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.StringUtils; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java index f9aa1b83c..448e2a0f5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java @@ -44,6 +44,8 @@ import at.gv.egiz.eaaf.core.exceptions.GUIBuildException; import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController; import at.gv.egiz.eaaf.core.impl.utils.HTTPUtils; import at.gv.egiz.eaaf.core.impl.utils.Random; +import at.gv.egiz.eaaf.modules.pvp2.exception.NoMetadataInformationException; +import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PVPSProfilePendingRequest; import at.gv.egovernment.moa.id.auth.frontend.builder.DefaultGUIFormBuilderConfiguration; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; @@ -52,10 +54,8 @@ import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.data.SLOInformationContainer; import at.gv.egovernment.moa.id.moduls.SSOManager; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.SingleLogOutBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NOSLOServiceDescriptorException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException; import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -169,11 +169,11 @@ public class IDPSingleLogOutServlet extends AbstractController { String redirectURL = null; IRequest sloReq = sloContainer.getSloRequest(); - if (sloReq != null && sloReq instanceof PVPTargetConfiguration) { + if (sloReq != null && sloReq instanceof PVPSProfilePendingRequest) { //send SLO response to SLO request issuer - SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor((PVPTargetConfiguration)sloContainer.getSloRequest()); - LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, (PVPTargetConfiguration)sloContainer.getSloRequest(), sloContainer.getSloFailedOAs()); - redirectURL = sloBuilder.getFrontChannelSLOMessageURL(sloService, message, req, resp, ((PVPTargetConfiguration)sloContainer.getSloRequest()).getRequest().getRelayState()); + SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor((PVPSProfilePendingRequest)sloContainer.getSloRequest()); + LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, (PVPSProfilePendingRequest)sloContainer.getSloRequest(), sloContainer.getSloFailedOAs()); + redirectURL = sloBuilder.getFrontChannelSLOMessageURL(sloService, message, req, resp, ((PVPSProfilePendingRequest)sloContainer.getSloRequest()).getRequest().getRelayState()); } else { //print SLO information directly diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProviderImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProviderImpl.java index 9380d3b64..a9be3f51d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProviderImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProviderImpl.java @@ -53,10 +53,10 @@ import java.util.Properties; import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; import at.gv.egiz.eaaf.core.impl.idp.conf.AbstractConfigurationImpl; +import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EAAFDefaultSAML2Bootstrap; import at.gv.egovernment.moa.id.commons.api.ConfigurationProvider; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.config.SpringProfileConstants; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap; import at.gv.egovernment.moa.logging.Logger; import at.gv.util.config.EgovUtilPropertiesConfiguration; @@ -187,7 +187,7 @@ public abstract class ConfigurationProviderImpl extends AbstractConfigurationImp //Initialize OpenSAML for STORK Logger.info("Starting initialization of OpenSAML..."); - MOADefaultBootstrap.bootstrap(); + EAAFDefaultSAML2Bootstrap.bootstrap(); //DefaultBootstrap.bootstrap(); Logger.debug("OpenSAML successfully initialized"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ISLOInformationContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ISLOInformationContainer.java deleted file mode 100644 index 38f6948d3..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ISLOInformationContainer.java +++ /dev/null @@ -1,70 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.data; - -import java.util.Iterator; -import java.util.List; -import java.util.Map.Entry; -import java.util.Set; - -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; - -/** - * @author tlenz - * - */ -public interface ISLOInformationContainer { - - boolean hasFrontChannelOA(); - - Set<Entry<String, SLOInformationImpl>> getFrontChannelOASessionDescriptions(); - - void removeFrontChannelOA(String oaID); - - Iterator<String> getNextBackChannelOA(); - - SLOInformationImpl getBackChannelOASessionDescripten(String oaID); - - void removeBackChannelOA(String oaID); - - /** - * @return the sloRequest - */ - PVPTargetConfiguration getSloRequest(); - - /** - * @param sloRequest the sloRequest to set - */ - void setSloRequest(PVPTargetConfiguration sloRequest); - - /** - * @return the sloFailedOAs - */ - List<String> getSloFailedOAs(); - - void putFailedOA(String oaID); - - public String getTransactionID(); - - public String getSessionID(); -}
\ No newline at end of file diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/MOAAuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/MOAAuthenticationData.java index ba3eba2e6..e0dd30db3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/MOAAuthenticationData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/MOAAuthenticationData.java @@ -29,10 +29,10 @@ import java.util.List; import org.w3c.dom.Element; import at.gv.egiz.eaaf.core.impl.idp.AuthenticationData; +import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionAttributeExtractorExeption; import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink; import at.gv.egovernment.moa.id.commons.api.data.IMISMandate; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; import at.gv.egovernment.moa.id.util.LoALevelMapper; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.DOMUtils; @@ -68,6 +68,12 @@ public class MOAAuthenticationData extends AuthenticationData implements IMOAAut private boolean interfederatedSSOSession; private String interfederatedIDP; + private LoALevelMapper loaMapper; + + public MOAAuthenticationData(LoALevelMapper loaMapper) { + this.loaMapper = loaMapper; + + } /** * @return @@ -76,7 +82,7 @@ public class MOAAuthenticationData extends AuthenticationData implements IMOAAut public String getQAALevel() { if (this.QAALevel != null && this.QAALevel.startsWith(PVPConstants.EIDAS_QAA_PREFIX)) { - String mappedQAA = LoALevelMapper.getInstance().mapeIDASQAAToSTORKQAA(this.QAALevel); + String mappedQAA = loaMapper.mapeIDASQAAToSTORKQAA(this.QAALevel); if (MiscUtil.isNotEmpty(mappedQAA)) return mappedQAA; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/Pair.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/Pair.java deleted file mode 100644 index 0b46345d3..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/Pair.java +++ /dev/null @@ -1,45 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.data; - -public class Pair<P1, P2> { - private final P1 first; - private final P2 second; - - private Pair(final P1 newFirst, final P2 newSecond) { - this.first = newFirst; - this.second = newSecond; - } - - public P1 getFirst() { - return this.first; - } - - public P2 getSecond() { - return this.second; - } - - public static <P1, P2> Pair<P1, P2> newInstance(final P1 newFirst, final P2 newSecond) { - return new Pair<P1, P2>(newFirst, newSecond); - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java deleted file mode 100644 index 5ff923bce..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java +++ /dev/null @@ -1,190 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.data; - -import java.io.Serializable; - -import org.opensaml.saml2.metadata.SingleLogoutService; - -import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface; - - -/** - * @author tlenz - * - */ -public class SLOInformationImpl implements SLOInformationInterface, Serializable { - - private static final long serialVersionUID = 295577931870512387L; - private String sessionIndex = null; - private String nameID = null; - private String protocolType = null; - private String nameIDFormat = null; - private String binding = null; - private String serviceURL = null; - private String authURL = null; - private String spEntityID = null; - - public SLOInformationImpl(String authURL, String spEntityID, String sessionID, String nameID, String nameIDFormat, String protocolType) { - new SLOInformationImpl(authURL, spEntityID, sessionID, nameID, nameIDFormat, protocolType, null); - } - - public SLOInformationImpl(String authURL, String spEntityID, String sessionID, String nameID, String nameIDFormat, String protocolType, SingleLogoutService sloService) { - this.sessionIndex = sessionID; - this.nameID = nameID; - this.nameIDFormat = nameIDFormat; - this.protocolType = protocolType; - this.spEntityID = spEntityID; - - if (authURL.endsWith("/")) - this.authURL = authURL.substring(0, authURL.length()-1); - else - this.authURL = authURL; - - if (sloService != null) { - this.binding = sloService.getBinding(); - this.serviceURL = sloService.getLocation(); - - } - } - - - /** - * - */ - public SLOInformationImpl() { - - } - - - - /** - * @return the spEntityID - */ - public String getSpEntityID() { - return spEntityID; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.data.SLOInformationInterface#getSessionIndex() - */ - @Override - public String getSessionIndex() { - return sessionIndex; - - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.data.SLOInformationInterface#getUserNameIdentifier() - */ - @Override - public String getUserNameIdentifier() { - return nameID; - - } - - - /** - * @param sessionIndex the sessionIndex to set - */ - public void setSessionIndex(String sessionIndex) { - this.sessionIndex = sessionIndex; - } - - - /** - * @param nameID the nameID to set - */ - public void setUserNameIdentifier(String nameID) { - this.nameID = nameID; - } - - - - /** - * @param protocolType the protocolType to set - */ - public void setProtocolType(String protocolType) { - this.protocolType = protocolType; - } - - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.data.SLOInformationInterface#getProtocolType() - */ - @Override - public String getProtocolType() { - return protocolType; - } - - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.data.SLOInformationInterface#getUserNameIDFormat() - */ - @Override - public String getUserNameIDFormat() { - return this.nameIDFormat; - } - - - /** - * @param nameIDFormat the nameIDFormat to set - */ - public void setNameIDFormat(String nameIDFormat) { - this.nameIDFormat = nameIDFormat; - } - - /** - * @return the binding - */ - public String getBinding() { - return binding; - } - - /** - * @return the serviceURL - */ - public String getServiceURL() { - return serviceURL; - } - - /** - * @return the authURL from requested IDP without ending / - */ - public String getAuthURL() { - return authURL; - } - - /** - * @param spEntityID the spEntityID to set - */ - public void setSpEntityID(String spEntityID) { - this.spEntityID = spEntityID; - } - - - - - - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/Trible.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/Trible.java deleted file mode 100644 index 78e8be452..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/Trible.java +++ /dev/null @@ -1,51 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.data; - -public class Trible<P1, P2, P3> { - private final P1 first; - private final P2 second; - private final P3 third; - - private Trible(final P1 newFirst, final P2 newSecond, final P3 newThird) { - this.first = newFirst; - this.second = newSecond; - this.third = newThird; - } - - public P1 getFirst() { - return this.first; - } - - public P2 getSecond() { - return this.second; - } - - public P3 getThird() { - return this.third; - } - - public static <P1, P2, P3> Trible<P1, P2, P3> newInstance(final P1 newFirst, final P2 newSecond, final P3 newThird) { - return new Trible<P1, P2, P3>(newFirst, newSecond, newThird); - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 72b350991..c2dd7b4ba 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -41,6 +41,8 @@ import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.impl.idp.auth.AbstractAuthenticationManager; import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl; import at.gv.egiz.eaaf.core.impl.utils.Random; +import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PVPSProfilePendingRequest; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PVPSProfileRequest; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionExtensions; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; @@ -49,9 +51,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionSto import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.data.SLOInformationContainer; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.SingleLogOutBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; @@ -79,7 +79,7 @@ public class AuthenticationManager extends AbstractAuthenticationManager { String pvpSLOIssuer = null; String uniqueSessionIdentifier = "notSet"; String uniqueTransactionIdentifier = "notSet"; - PVPTargetConfiguration pvpReq = null; + PVPSProfilePendingRequest pvpReq = null; Logger.debug("Start technical Single LogOut process ... "); @@ -87,9 +87,9 @@ public class AuthenticationManager extends AbstractAuthenticationManager { uniqueSessionIdentifier = pendingReq.getUniqueSessionIdentifier(); uniqueTransactionIdentifier = pendingReq.getUniqueTransactionIdentifier(); - if (pendingReq instanceof PVPTargetConfiguration) { - pvpReq = ((PVPTargetConfiguration)pendingReq); - MOARequest samlReq = (MOARequest) pvpReq.getRequest(); + if (pendingReq instanceof PVPSProfileRequest) { + pvpReq = ((PVPSProfilePendingRequest)pendingReq); + PVPSProfileRequest samlReq = (PVPSProfileRequest) pvpReq.getRequest(); LogoutRequest logOutReq = (LogoutRequest) samlReq.getSamlRequest(); pvpSLOIssuer = logOutReq.getIssuer().getValue(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAIDHTTPPostEncoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAIDHTTPPostEncoder.java deleted file mode 100644 index dbfeb5e90..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAIDHTTPPostEncoder.java +++ /dev/null @@ -1,114 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.opemsaml; - -import java.io.BufferedReader; -import java.io.IOException; -import java.io.InputStream; -import java.io.InputStreamReader; -import java.io.OutputStreamWriter; -import java.io.Writer; - -import org.apache.velocity.VelocityContext; -import org.apache.velocity.app.VelocityEngine; -import org.opensaml.common.binding.SAMLMessageContext; -import org.opensaml.saml2.binding.encoding.HTTPPostEncoder; -import org.opensaml.ws.message.encoder.MessageEncodingException; -import org.opensaml.ws.transport.http.HTTPOutTransport; -import org.opensaml.ws.transport.http.HTTPTransportUtils; - -import at.gv.egiz.eaaf.core.api.gui.IGUIBuilderConfiguration; -import at.gv.egovernment.moa.id.auth.frontend.builder.GUIFormBuilderImpl; -import at.gv.egovernment.moa.logging.Logger; - -/** - * @author tlenz - * - */ -public class MOAIDHTTPPostEncoder extends HTTPPostEncoder { - - private VelocityEngine velocityEngine; - private IGUIBuilderConfiguration guiConfig; - private GUIFormBuilderImpl guiBuilder; - - /** - * @param engine - * @param templateId - */ - public MOAIDHTTPPostEncoder(IGUIBuilderConfiguration guiConfig, GUIFormBuilderImpl guiBuilder, VelocityEngine engine) { - super(engine, null); - this.velocityEngine = engine; - this.guiConfig = guiConfig; - this.guiBuilder = guiBuilder; - - } - - /** - * Base64 and POST encodes the outbound message and writes it to the outbound transport. - * - * @param messageContext current message context - * @param endpointURL endpoint URL to which to encode message - * - * @throws MessageEncodingException thrown if there is a problem encoding the message - */ - protected void postEncode(SAMLMessageContext messageContext, String endpointURL) throws MessageEncodingException { - Logger.debug("Invoking Velocity template to create POST body"); - InputStream is = null; - try { - //build Velocity Context from GUI input paramters - VelocityContext context = guiBuilder.generateVelocityContextFromConfiguration(guiConfig); - - //load template - is = guiBuilder.getTemplateInputStream(guiConfig); - - //populate velocity context with SAML2 parameters - populateVelocityContext(context, messageContext, endpointURL); - - //populate transport parameter - HTTPOutTransport outTransport = (HTTPOutTransport) messageContext.getOutboundMessageTransport(); - HTTPTransportUtils.addNoCacheHeaders(outTransport); - HTTPTransportUtils.setUTF8Encoding(outTransport); - HTTPTransportUtils.setContentType(outTransport, "text/html"); - - //evaluate template and write content to response - Writer out = new OutputStreamWriter(outTransport.getOutgoingStream(), "UTF-8"); - velocityEngine.evaluate(context, out, "SAML2_POST_BINDING", new BufferedReader(new InputStreamReader(is))); - out.flush(); - - } catch (Exception e) { - Logger.error("Error invoking Velocity template", e); - throw new MessageEncodingException("Error creating output document", e); - - } finally { - if (is != null) { - try { - is.close(); - - } catch (IOException e) { - Logger.error("Can NOT close GUI-Template InputStream.", e); - } - } - - } - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAKeyStoreX509CredentialAdapter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAKeyStoreX509CredentialAdapter.java deleted file mode 100644 index 81afcfbc1..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAKeyStoreX509CredentialAdapter.java +++ /dev/null @@ -1,52 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.opemsaml; - -import java.security.KeyStore; - -import org.opensaml.xml.security.x509.X509Credential; - - -/** - * @author tlenz - * - */ -public class MOAKeyStoreX509CredentialAdapter extends - org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter { - - /** - * @param store - * @param alias - * @param password - */ - public MOAKeyStoreX509CredentialAdapter(KeyStore store, String alias, - char[] password) { - super(store, alias, password); - } - - public Class<? extends X509Credential> getCredentialType() { - return X509Credential.class; - } - - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAStringRedirectDeflateEncoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAStringRedirectDeflateEncoder.java deleted file mode 100644 index acbb67b34..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAStringRedirectDeflateEncoder.java +++ /dev/null @@ -1,75 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.opemsaml; - -import org.opensaml.common.binding.SAMLMessageContext; -import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder; -import org.opensaml.ws.message.MessageContext; -import org.opensaml.ws.message.encoder.MessageEncodingException; - -import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap; -import at.gv.egovernment.moa.logging.Logger; - -/** - * @author tlenz - * - */ -public class MOAStringRedirectDeflateEncoder extends HTTPRedirectDeflateEncoder { - - private String redirectURL = null; - - public void encode(MessageContext messageContext) - throws MessageEncodingException { - if (!(messageContext instanceof SAMLMessageContext)) { - Logger.error("Invalid message context type, this encoder only support SAMLMessageContext"); - throw new MessageEncodingException( - "Invalid message context type, this encoder only support SAMLMessageContext"); - } - - //load default PVP security configurations - MOADefaultBootstrap.initializeDefaultPVPConfiguration(); - - SAMLMessageContext samlMsgCtx = (SAMLMessageContext) messageContext; - - String endpointURL = getEndpointURL(samlMsgCtx).buildURL(); - - setResponseDestination(samlMsgCtx.getOutboundSAMLMessage(), endpointURL); - - removeSignature(samlMsgCtx); - - String encodedMessage = deflateAndBase64Encode(samlMsgCtx - .getOutboundSAMLMessage()); - - redirectURL = buildRedirectURL(samlMsgCtx, endpointURL, - encodedMessage); - } - - /** - * @return the redirectURL - */ - public String getRedirectURL() { - return redirectURL; - } - - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java index ac3828750..b2a2aad88 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java @@ -33,12 +33,12 @@ import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; +import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.data.IMOAAuthData; -import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.logging.Logger; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java index c17f1a4dd..9e7f18842 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java @@ -51,6 +51,20 @@ import at.gv.egiz.eaaf.core.api.idp.IAuthenticationDataBuilder; import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface; import at.gv.egiz.eaaf.core.exceptions.EAAFAuthenticationException; import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; +import at.gv.egiz.eaaf.core.impl.data.Trible; +import at.gv.egiz.eaaf.modules.pvp2.api.IPVP2BasicConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.exception.AttributQueryException; +import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PVPSProfilePendingRequest; +import at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder.AuthResponseBuilder; +import at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder.PVP2AssertionBuilder; +import at.gv.egiz.eaaf.modules.pvp2.impl.binding.SoapBinding; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPAttributeBuilder; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PVPSProfileRequest; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; +import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionAttributeExtractorExeption; +import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionValidationExeption; +import at.gv.egiz.eaaf.modules.pvp2.sp.impl.utils.AssertionAttributeExtractor; import at.gv.egovernment.moa.id.auth.builder.DynamicOAAuthParameterBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.BuildException; @@ -62,22 +76,11 @@ import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionSto import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameterDecorator; import at.gv.egovernment.moa.id.data.IMOAAuthData; -import at.gv.egovernment.moa.id.data.Trible; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.SoapBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AuthResponseBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -98,6 +101,8 @@ public class AttributQueryAction implements IAction { @Autowired private AttributQueryBuilder attributQueryBuilder; @Autowired private SAMLVerificationEngineSP samlVerificationEngine; + @Autowired(required=true) IPVP2BasicConfiguration pvpBasicConfiguration; + @Autowired(required=true) PVP2AssertionBuilder assertionBuilder; private final static List<String> DEFAULTSTORKATTRIBUTES = Arrays.asList( new String[]{PVPConstants.EID_STORK_TOKEN_NAME}); @@ -114,11 +119,11 @@ public class AttributQueryAction implements IAction { @Override public SLOInformationInterface processRequest(IRequest pendingReq, HttpServletRequest httpReq, HttpServletResponse httpResp, - IAuthData authData) throws MOAIDException { + IAuthData authData) throws EAAFException { - if (pendingReq instanceof PVPTargetConfiguration && - ((PVPTargetConfiguration) pendingReq).getRequest() instanceof MOARequest && - ((MOARequest)((PVPTargetConfiguration) pendingReq).getRequest()).getSamlRequest() instanceof AttributeQuery) { + if (pendingReq instanceof PVPSProfilePendingRequest && + ((PVPSProfilePendingRequest) pendingReq).getRequest() instanceof PVPSProfileRequest && + ((PVPSProfileRequest)((PVPSProfilePendingRequest) pendingReq).getRequest()).getSamlRequest() instanceof AttributeQuery) { //set time reference DateTime date = new DateTime(); @@ -136,7 +141,7 @@ public class AttributQueryAction implements IAction { authenticationSessionStorage.searchInterfederatedIDPFORAttributeQueryWithSessionID(moaSession.getSSOSessionID()); AttributeQuery attrQuery = - (AttributeQuery)((MOARequest)((PVPTargetConfiguration) pendingReq).getRequest()).getSamlRequest(); + (AttributeQuery)((PVPSProfileRequest)((PVPSProfilePendingRequest) pendingReq).getRequest()).getSamlRequest(); //build PVP 2.1 response-attribute information for this AttributQueryRequest Trible<List<Attribute>, Date, String> responseInfo = @@ -148,10 +153,9 @@ public class AttributQueryAction implements IAction { //build PVP 2.1 assertion - String issuerEntityID = PVPConfiguration.getInstance().getIDPSSOMetadataService( - pendingReq.getAuthURL()); + String issuerEntityID = pvpBasicConfiguration.getIDPEntityId(pendingReq.getAuthURL()); - Assertion assertion = PVP2AssertionBuilder.buildAssertion(issuerEntityID, + Assertion assertion = assertionBuilder.buildAssertion(issuerEntityID, attrQuery, responseInfo.getFirst(), date, new DateTime(responseInfo.getSecond().getTime()), responseInfo.getThird(), authData.getSessionIndex()); @@ -201,16 +205,16 @@ public class AttributQueryAction implements IAction { */ @Override public String getDefaultActionName() { - return PVP2XProtocol.ATTRIBUTEQUERY; + return at.gv.egiz.eaaf.modules.pvp2.PVPConstants.ATTRIBUTEQUERY; } private Trible<List<Attribute>, Date, String> buildResponseInformationForAttributQuery(IRequest pendingReq, - AuthenticationSession session, List<Attribute> reqAttributes, InterfederationSessionStore nextIDPInformation) throws MOAIDException { + AuthenticationSession session, List<Attribute> reqAttributes, InterfederationSessionStore nextIDPInformation) throws MOAIDException, AssertionAttributeExtractorExeption, AttributQueryException, AssertionValidationExeption { try { //mark AttributeQuery as used if it exists - if ( pendingReq instanceof PVPTargetConfiguration && - ((PVPTargetConfiguration) pendingReq).getRequest() instanceof MOARequest && - ((PVPTargetConfiguration) pendingReq).getRequest().getInboundMessage() instanceof AttributeQuery) { + if ( pendingReq instanceof PVPSProfileRequest && + ((PVPSProfilePendingRequest) pendingReq).getRequest() instanceof PVPSProfileRequest && + ((PVPSProfilePendingRequest) pendingReq).getRequest().getInboundMessage() instanceof AttributeQuery) { authenticationSessionStorage.markOAWithAttributeQueryUsedFlag(session, pendingReq.getSPEntityId(), pendingReq.requestedModule()); } @@ -218,7 +222,7 @@ public class AttributQueryAction implements IAction { //build OnlineApplication dynamic from requested attributes (AttributeQuerry Request) and configuration IOAAuthParameters spConfig = DynamicOAAuthParameterBuilder.buildFromAttributeQuery(reqAttributes); - //search federated IDP information for this MOASession + //search federated IDP information for this MOASession if (nextIDPInformation != null) { Logger.info("Find active federated IDP information." + ". --> Request next IDP:" + nextIDPInformation.getIdpurlprefix() @@ -354,9 +358,11 @@ public class AttributQueryAction implements IAction { * @return * @return PVP attribute DAO, which contains all received information * @throws MOAIDException + * @throws AttributQueryException + * @throws AssertionValidationExeption */ public AssertionAttributeExtractor getAuthDataFromAttributeQuery(List<Attribute> reqQueryAttr, - String userNameID, IOAAuthParameters idpConfig, String spEntityID) throws MOAIDException{ + String userNameID, IOAAuthParameters idpConfig, String spEntityID) throws MOAIDException, AttributQueryException, AssertionValidationExeption{ String idpEnityID = idpConfig.getPublicURLPrefix(); try { @@ -407,7 +413,7 @@ public class AttributQueryAction implements IAction { new Object[]{idpEnityID, "Receive AttributeQuery response-body include no PVP 2.1 response"}); } - + } catch (SOAPException e) { throw new BuildException("builder.06", null, e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java deleted file mode 100644 index 43c860488..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java +++ /dev/null @@ -1,151 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.joda.time.DateTime; -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.saml2.core.Assertion; -import org.opensaml.saml2.core.AuthnRequest; -import org.opensaml.saml2.core.Response; -import org.opensaml.saml2.metadata.AssertionConsumerService; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.ws.message.encoder.MessageEncodingException; -import org.opensaml.xml.security.SecurityException; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.context.ApplicationContext; -import org.springframework.stereotype.Service; - -import at.gv.egiz.eaaf.core.api.IRequest; -import at.gv.egiz.eaaf.core.api.idp.IAction; -import at.gv.egiz.eaaf.core.api.idp.IAuthData; -import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface; -import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; -import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; -import at.gv.egovernment.moa.id.data.SLOInformationImpl; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AuthResponseBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; -import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; -import at.gv.egovernment.moa.logging.Logger; - -@Service("PVPAuthenticationRequestAction") -public class AuthenticationAction implements IAction { - @Autowired IDPCredentialProvider pvpCredentials; - @Autowired AuthConfiguration authConfig; - @Autowired(required=true) private MOAMetadataProvider metadataProvider; - @Autowired(required=true) ApplicationContext springContext; - - public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, - HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { - - PVPTargetConfiguration pvpRequest = (PVPTargetConfiguration) req; - - //get basic information - MOARequest moaRequest = (MOARequest) pvpRequest.getRequest(); - AuthnRequest authnRequest = (AuthnRequest) moaRequest.getSamlRequest(); - EntityDescriptor peerEntity = moaRequest.getEntityMetadata(metadataProvider); - - AssertionConsumerService consumerService = - SAML2Utils.createSAMLObject(AssertionConsumerService.class); - consumerService.setBinding(pvpRequest.getBinding()); - consumerService.setLocation(pvpRequest.getConsumerURL()); - - DateTime date = new DateTime(); - - SLOInformationImpl sloInformation = new SLOInformationImpl(); - - //change to entity value from entity name to IDP EntityID (URL) -// String issuerEntityID = pvpRequest.getAuthURL(); -// if (issuerEntityID.endsWith("/")) -// issuerEntityID = issuerEntityID.substring(0, issuerEntityID.length()-1); - - String issuerEntityID = PVPConfiguration.getInstance().getIDPSSOMetadataService( - pvpRequest.getAuthURL()); - - //build Assertion - Assertion assertion = PVP2AssertionBuilder.buildAssertion(issuerEntityID, pvpRequest, authnRequest, authData, - peerEntity, date, consumerService, sloInformation); - - Response authResponse = AuthResponseBuilder.buildResponse( - metadataProvider, issuerEntityID, authnRequest, - date, assertion, authConfig.isPVP2AssertionEncryptionActive()); - - IEncoder binding = null; - - if (consumerService.getBinding().equals( - SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { - binding = springContext.getBean("PVPRedirectBinding", RedirectBinding.class); - - } else if (consumerService.getBinding().equals( - SAMLConstants.SAML2_POST_BINDING_URI)) { - binding = springContext.getBean("PVPPOSTBinding", PostBinding.class); - - } - - if (binding == null) { - throw new BindingNotSupportedException(consumerService.getBinding()); - } - - try { - binding.encodeRespone(httpReq, httpResp, authResponse, - consumerService.getLocation(), moaRequest.getRelayState(), - pvpCredentials.getIDPAssertionSigningCredential(), req); - - //set protocol type - sloInformation.setProtocolType(req.requestedModule()); - sloInformation.setSpEntityID(req.getServiceProviderConfiguration().getUniqueIdentifier()); - return sloInformation; - - } catch (MessageEncodingException e) { - Logger.error("Message Encoding exception", e); - throw new MOAIDException("pvp2.01", null, e); - - } catch (SecurityException e) { - Logger.error("Security exception", e); - throw new MOAIDException("pvp2.01", null, e); - - } - - } - - public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, - HttpServletResponse httpResp) { - return true; - } - - public String getDefaultActionName() { - return "PVPAuthenticationRequestAction"; - - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java deleted file mode 100644 index 76956b5a8..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ /dev/null @@ -1,93 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Service; - -import com.google.common.net.MediaType; - -import at.gv.egiz.eaaf.core.api.IRequest; -import at.gv.egiz.eaaf.core.api.idp.IAction; -import at.gv.egiz.eaaf.core.api.idp.IAuthData; -import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface; -import at.gv.egiz.eaaf.core.api.logging.IRevisionLogger; -import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; -import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPMetadataBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.IDPPVPMetadataConfiguration; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; -import at.gv.egovernment.moa.logging.Logger; - -@Service("pvpMetadataService") -public class MetadataAction implements IAction { - - - - @Autowired private IRevisionLogger revisionsLogger; - @Autowired private IDPCredentialProvider credentialProvider; - @Autowired private PVPMetadataBuilder metadatabuilder; - - public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, - HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { - try { - revisionsLogger.logEvent(req, MOAIDEventConstants.AUTHPROTOCOL_PVP_METADATA); - - //build metadata - IPVPMetadataBuilderConfiguration metadataConfig = - new IDPPVPMetadataConfiguration(req.getAuthURLWithOutSlash(), credentialProvider); - - String metadataXML = metadatabuilder.buildPVPMetadata(metadataConfig); - Logger.debug("METADATA: " + metadataXML); - - byte[] content = metadataXML.getBytes("UTF-8"); - httpResp.setStatus(HttpServletResponse.SC_OK); - httpResp.setContentLength(content.length); - httpResp.setContentType(MediaType.XML_UTF_8.toString()); - httpResp.getOutputStream().write(content); - return null; - - } catch (Exception e) { - Logger.error("Failed to generate metadata", e); - throw new MOAIDException("pvp2.13", null); - } - } - - public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, - HttpServletResponse httpResp) { - return false; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.moduls.IAction#getDefaultActionName() - */ - @Override - public String getDefaultActionName() { - return "IDP - PVP Metadata action"; - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java deleted file mode 100644 index 176b1af43..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ /dev/null @@ -1,835 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x; - -import java.net.MalformedURLException; -import java.net.URL; -import java.util.Arrays; -import java.util.List; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.apache.commons.lang.StringEscapeUtils; -import org.joda.time.DateTime; -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.saml2.core.AttributeQuery; -import org.opensaml.saml2.core.AuthnRequest; -import org.opensaml.saml2.core.Issuer; -import org.opensaml.saml2.core.LogoutRequest; -import org.opensaml.saml2.core.LogoutResponse; -import org.opensaml.saml2.core.NameID; -import org.opensaml.saml2.core.Response; -import org.opensaml.saml2.core.Status; -import org.opensaml.saml2.core.StatusCode; -import org.opensaml.saml2.core.StatusMessage; -import org.opensaml.saml2.core.impl.AuthnRequestImpl; -import org.opensaml.saml2.metadata.AssertionConsumerService; -import org.opensaml.saml2.metadata.AttributeConsumingService; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.ws.security.SecurityPolicyException; -import org.opensaml.xml.security.SecurityException; -import org.opensaml.xml.security.x509.X509Credential; -import org.opensaml.xml.signature.SignableXMLObject; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Controller; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; - -import at.gv.egiz.eaaf.core.api.IRequest; -import at.gv.egiz.eaaf.core.api.idp.IModulInfo; -import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; -import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException; -import at.gv.egiz.eaaf.core.exceptions.EAAFException; -import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; -import at.gv.egiz.eaaf.core.exceptions.NoPassivAuthenticationException; -import at.gv.egiz.eaaf.core.exceptions.ProtocolNotActiveException; -import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractAuthProtocolModulController; -import at.gv.egiz.eaaf.core.impl.utils.HTTPUtils; -import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; -import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityLogAdapter; -import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; -import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; -import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession; -import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOAURICompare; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.SoapBinding; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SLOException; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; -import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; -import at.gv.egovernment.moa.id.protocols.pvp2x.validation.AuthnRequestValidator; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; -import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MiscUtil; - -@Controller -public class PVP2XProtocol extends AbstractAuthProtocolModulController implements IModulInfo { - - @Autowired IDPCredentialProvider pvpCredentials; - @Autowired SAMLVerificationEngineSP samlVerificationEngine; - @Autowired(required=true) private MOAMetadataProvider metadataProvider; - - @Autowired protected IAuthenticationSessionStoreage authenticatedSessionStorage; - - public static final String NAME = PVP2XProtocol.class.getName(); - public static final String PATH = "id_pvp2x"; - - public static final String REDIRECT = "Redirect"; - public static final String POST = "Post"; - public static final String SOAP = "Soap"; - public static final String METADATA = "Metadata"; - public static final String ATTRIBUTEQUERY = "AttributeQuery"; - public static final String SINGLELOGOUT = "SingleLogOut"; - - public static final List<String> DEFAULTREQUESTEDATTRFORINTERFEDERATION = Arrays.asList( - new String[] { - PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME - }); - - static { - new VelocityLogAdapter(); - - } - - public String getName() { - return NAME; - } - - public String getPath() { - return PATH; - } - - public PVP2XProtocol() { - super(); - } - - //PVP2.x metadata end-point - @RequestMapping(value = "/pvp2/metadata", method = {RequestMethod.POST, RequestMethod.GET}) - public void PVPMetadataRequest(HttpServletRequest req, HttpServletResponse resp) throws EAAFException { -// if (!authConfig.getAllowedProtocols().isPVP21Active()) { -// Logger.info("PVP2.1 is deaktivated!"); -// throw new ProtocolNotActiveException("auth.22", new java.lang.Object[] { NAME }, "PVP2.1 is deaktivated!"); -// -// } - - //create pendingRequest object - PVPTargetConfiguration pendingReq = applicationContext.getBean(PVPTargetConfiguration.class); - pendingReq.initialize(req, authConfig); - pendingReq.setModule(NAME); - - revisionsLogger.logEvent( - pendingReq.getUniqueSessionIdentifier(), - pendingReq.getUniqueTransactionIdentifier(), - MOAIDEventConstants.TRANSACTION_IP, - req.getRemoteAddr()); - - MetadataAction metadataAction = applicationContext.getBean(MetadataAction.class); - metadataAction.processRequest(pendingReq, - req, resp, null); - - } - - //PVP2.x IDP POST-Binding end-point - @RequestMapping(value = "/pvp2/post", method = {RequestMethod.POST}) - public void PVPIDPPostRequest(HttpServletRequest req, HttpServletResponse resp) throws EAAFException { -// if (!authConfig.getAllowedProtocols().isPVP21Active()) { -// Logger.info("PVP2.1 is deaktivated!"); -// throw new ProtocolNotActiveException("auth.22", new java.lang.Object[] { NAME }, "PVP2.1 is deaktivated!"); -// -// } - - PVPTargetConfiguration pendingReq = null; - - try { - //create pendingRequest object - pendingReq = applicationContext.getBean(PVPTargetConfiguration.class); - pendingReq.initialize(req, authConfig); - pendingReq.setModule(NAME); - - revisionsLogger.logEvent(MOAIDEventConstants.SESSION_CREATED, pendingReq.getUniqueSessionIdentifier()); - revisionsLogger.logEvent(MOAIDEventConstants.TRANSACTION_CREATED, pendingReq.getUniqueTransactionIdentifier()); - revisionsLogger.logEvent( - pendingReq.getUniqueSessionIdentifier(), - pendingReq.getUniqueTransactionIdentifier(), - MOAIDEventConstants.TRANSACTION_IP, - req.getRemoteAddr()); - - //get POST-Binding decoder implementation - InboundMessage msg = (InboundMessage) new PostBinding().decode( - req, resp, metadataProvider, false, - new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService(pendingReq.getAuthURL()))); - pendingReq.setRequest(msg); - - //preProcess Message - preProcess(req, resp, pendingReq); - - } catch (SecurityPolicyException e) { - String samlRequest = req.getParameter("SAMLRequest"); - Logger.warn("Receive INVALID protocol request: " + samlRequest, e); - - //write revision log entries - if (pendingReq != null) - revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier()); - - throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}, e.getMessage()); - - } catch (SecurityException e) { - String samlRequest = req.getParameter("SAMLRequest"); - Logger.warn("Receive INVALID protocol request: " + samlRequest, e); - - //write revision log entries - if (pendingReq != null) - revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier()); - - throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}, e.getMessage()); - - } catch (MOAIDException e) { - - //write revision log entries - if (pendingReq != null) - revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier()); - - throw e; - - } catch (Throwable e) { - String samlRequest = req.getParameter("SAMLRequest"); - Logger.warn("Receive INVALID protocol request: " + samlRequest, e); - - //write revision log entries - if (pendingReq != null) - revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier()); - - throw new MOAIDException("pvp2.24", new Object[] {e.getMessage()}); - } - } - - //PVP2.x IDP Redirect-Binding end-point - @RequestMapping(value = "/pvp2/redirect", method = {RequestMethod.GET}) - public void PVPIDPRedirecttRequest(HttpServletRequest req, HttpServletResponse resp) throws EAAFException { - if (!AuthConfigurationProviderFactory.getInstance().getAllowedProtocols().isPVP21Active()) { - Logger.info("PVP2.1 is deaktivated!"); - throw new ProtocolNotActiveException("auth.22", new java.lang.Object[] { NAME }, "PVP2.1 is deaktivated!"); - - } - PVPTargetConfiguration pendingReq = null; - try { - //create pendingRequest object - pendingReq = applicationContext.getBean(PVPTargetConfiguration.class); - pendingReq.initialize(req, authConfig); - pendingReq.setModule(NAME); - - revisionsLogger.logEvent(MOAIDEventConstants.SESSION_CREATED, pendingReq.getUniqueSessionIdentifier()); - revisionsLogger.logEvent(MOAIDEventConstants.TRANSACTION_CREATED, pendingReq.getUniqueTransactionIdentifier()); - revisionsLogger.logEvent( - pendingReq.getUniqueSessionIdentifier(), - pendingReq.getUniqueTransactionIdentifier(), - MOAIDEventConstants.TRANSACTION_IP, - req.getRemoteAddr()); - - //get POST-Binding decoder implementation - InboundMessage msg = (InboundMessage) new RedirectBinding().decode( - req, resp, metadataProvider, false, - new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService(pendingReq.getAuthURL()))); - pendingReq.setRequest(msg); - - //preProcess Message - preProcess(req, resp, pendingReq); - - } catch (SecurityPolicyException e) { - String samlRequest = req.getParameter("SAMLRequest"); - Logger.warn("Receive INVALID protocol request: " + samlRequest, e); - - //write revision log entries - if (pendingReq != null) - revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier()); - - throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}, e.getMessage()); - - } catch (SecurityException e) { - String samlRequest = req.getParameter("SAMLRequest"); - Logger.warn("Receive INVALID protocol request: " + samlRequest, e); - - //write revision log entries - if (pendingReq != null) - revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier()); - - throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}, e.getMessage()); - - } catch (MOAIDException e) { - String samlRequest = req.getParameter("SAMLRequest"); - Logger.info("Receive INVALID protocol request: " + samlRequest); - - //write revision log entries - if (pendingReq != null) - revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier()); - - throw e; - - } catch (Throwable e) { - String samlRequest = req.getParameter("SAMLRequest"); - Logger.warn("Receive INVALID protocol request: " + samlRequest, e); - - //write revision log entries - if (pendingReq != null) - revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier()); - - throw new MOAIDException("pvp2.24", new Object[] {e.getMessage()}); - } - } - - - //PVP2.x IDP SOAP-Binding end-point - @RequestMapping(value = "/pvp2/soap", method = {RequestMethod.POST}) - public void PVPIDPSOAPRequest(HttpServletRequest req, HttpServletResponse resp) throws EAAFException { -// if (!authConfig.getAllowedProtocols().isPVP21Active()) { -// Logger.info("PVP2.1 is deaktivated!"); -// throw new ProtocolNotActiveException("auth.22", new java.lang.Object[] { NAME }, "PVP2.1 is deaktivated!"); -// -// } - - PVPTargetConfiguration pendingReq = null; - try { - //create pendingRequest object - pendingReq = applicationContext.getBean(PVPTargetConfiguration.class); - pendingReq.initialize(req, authConfig); - pendingReq.setModule(NAME); - - revisionsLogger.logEvent(MOAIDEventConstants.SESSION_CREATED, pendingReq.getUniqueSessionIdentifier()); - revisionsLogger.logEvent(MOAIDEventConstants.TRANSACTION_CREATED, pendingReq.getUniqueTransactionIdentifier()); - revisionsLogger.logEvent( - pendingReq.getUniqueSessionIdentifier(), - pendingReq.getUniqueTransactionIdentifier(), - MOAIDEventConstants.TRANSACTION_IP, - req.getRemoteAddr()); - - //get POST-Binding decoder implementation - InboundMessage msg = (InboundMessage) new SoapBinding().decode( - req, resp, metadataProvider, false, - new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService(pendingReq.getAuthURL()))); - pendingReq.setRequest(msg); - - //preProcess Message - preProcess(req, resp, pendingReq); - - } catch (SecurityPolicyException e) { - String samlRequest = req.getParameter("SAMLRequest"); - Logger.warn("Receive INVALID protocol request: " + samlRequest, e); - - //write revision log entries - if (pendingReq != null) - revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier()); - - throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}, e.getMessage()); - - } catch (SecurityException e) { - String samlRequest = req.getParameter("SAMLRequest"); - Logger.warn("Receive INVALID protocol request: " + samlRequest, e); - - //write revision log entries - if (pendingReq != null) - revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier()); - - throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}, e.getMessage()); - - } catch (MOAIDException e) { - //write revision log entries - if (pendingReq != null) - revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier()); - - throw e; - - } catch (Throwable e) { - String samlRequest = req.getParameter("SAMLRequest"); - Logger.warn("Receive INVALID protocol request: " + samlRequest, e); - - //write revision log entries - if (pendingReq != null) - revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier()); - - throw new MOAIDException("pvp2.24", new Object[] {e.getMessage()}); - } - } - - - - private void preProcess(HttpServletRequest request, - HttpServletResponse response, PVPTargetConfiguration pendingReq) throws Throwable { - - InboundMessage msg = pendingReq.getRequest(); - - if (MiscUtil.isEmpty(msg.getEntityID())) { - throw new InvalidProtocolRequestException("pvp2.20", new Object[] {}, "EntityId is null or empty"); - - } - - if(!msg.isVerified()) { - samlVerificationEngine.verify(msg, - TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); - msg.setVerified(true); - - } - - if (msg instanceof MOARequest && - ((MOARequest)msg).getSamlRequest() instanceof AuthnRequest) - preProcessAuthRequest(request, response, pendingReq); - - else if (msg instanceof MOARequest && - ((MOARequest)msg).getSamlRequest() instanceof AttributeQuery) - preProcessAttributQueryRequest(request, response, pendingReq); - - else if (msg instanceof MOARequest && - ((MOARequest)msg).getSamlRequest() instanceof LogoutRequest) - preProcessLogOut(request, response, pendingReq); - - else if (msg instanceof MOAResponse && - ((MOAResponse)msg).getResponse() instanceof LogoutResponse) - preProcessLogOut(request, response, pendingReq); - - else { - Logger.error("Receive unsupported PVP21 message"); - throw new MOAIDException("Unsupported PVP21 message", new Object[] {}); - } - - revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_TYPE, PATH); - - //switch to session authentication - performAuthentication(request, response, pendingReq); - } - - public boolean generateErrorMessage(Throwable e, - HttpServletRequest request, HttpServletResponse response, - IRequest protocolRequest) throws Throwable { - - if(protocolRequest == null) { - throw e; - } - - if(!(protocolRequest instanceof PVPTargetConfiguration) ) { - throw e; - } - PVPTargetConfiguration pvpRequest = (PVPTargetConfiguration)protocolRequest; - - Response samlResponse = - SAML2Utils.createSAMLObject(Response.class); - Status status = SAML2Utils.createSAMLObject(Status.class); - StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class); - StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class); - - String moaError = null; - - if(e instanceof NoPassivAuthenticationException) { - statusCode.setValue(StatusCode.NO_PASSIVE_URI); - statusMessage.setMessage(StringEscapeUtils.escapeXml(e.getLocalizedMessage())); - - } else if (e instanceof NameIDFormatNotSupportedException) { - statusCode.setValue(StatusCode.INVALID_NAMEID_POLICY_URI); - statusMessage.setMessage(StringEscapeUtils.escapeXml(e.getLocalizedMessage())); - - } else if (e instanceof SLOException) { - //SLOExecpetions only occurs if session information is lost - return false; - - } else if(e instanceof PVP2Exception) { - PVP2Exception ex = (PVP2Exception) e; - statusCode.setValue(ex.getStatusCodeValue()); - String statusMessageValue = ex.getStatusMessageValue(); - if(statusMessageValue != null) { - statusMessage.setMessage(StringEscapeUtils.escapeXml(statusMessageValue)); - } - moaError = statusMessager.mapInternalErrorToExternalError(ex.getMessageId()); - - } else { - statusCode.setValue(StatusCode.RESPONDER_URI); - statusMessage.setMessage(StringEscapeUtils.escapeXml(e.getLocalizedMessage())); - moaError = statusMessager.getResponseErrorCode(e); - } - - - if (MiscUtil.isNotEmpty(moaError)) { - StatusCode moaStatusCode = SAML2Utils.createSAMLObject(StatusCode.class); - moaStatusCode.setValue(moaError); - statusCode.setStatusCode(moaStatusCode); - } - - status.setStatusCode(statusCode); - if(statusMessage.getMessage() != null) { - status.setStatusMessage(statusMessage); - } - samlResponse.setStatus(status); - String remoteSessionID = SAML2Utils.getSecureIdentifier(); - samlResponse.setID(remoteSessionID); - - samlResponse.setIssueInstant(new DateTime()); - Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); - nissuer.setValue(PVPConfiguration.getInstance().getIDPSSOMetadataService( - pvpRequest.getAuthURL())); - nissuer.setFormat(NameID.ENTITY); - samlResponse.setIssuer(nissuer); - - IEncoder encoder = null; - - if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { - encoder = applicationContext.getBean("PVPRedirectBinding", RedirectBinding.class); - - } else if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) { - encoder = applicationContext.getBean("PVPPOSTBinding", PostBinding.class); - - } else if (pvpRequest.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) { - encoder = applicationContext.getBean("PVPSOAPBinding", SoapBinding.class); - } - - if(encoder == null) { - // default to redirect binding - encoder = new RedirectBinding(); - } - - String relayState = null; - if (pvpRequest.getRequest() != null) - relayState = pvpRequest.getRequest().getRelayState(); - - X509Credential signCred = pvpCredentials.getIDPAssertionSigningCredential(); - - encoder.encodeRespone(request, response, samlResponse, pvpRequest.getConsumerURL(), - relayState, signCred, protocolRequest); - return true; - } - - public boolean validate(HttpServletRequest request, - HttpServletResponse response, IRequest pending) { - - return true; - } - - - /** - * PreProcess Single LogOut request - * @param request - * @param response - * @param msg - * @return - * @throws EAAFException - * @throws MOAIDException - */ - private void preProcessLogOut(HttpServletRequest request, - HttpServletResponse response, PVPTargetConfiguration pendingReq) throws EAAFException { - - InboundMessage inMsg = pendingReq.getRequest(); - MOARequest msg; - if (inMsg instanceof MOARequest && - ((MOARequest)inMsg).getSamlRequest() instanceof LogoutRequest) { - //preProcess single logout request from service provider - - msg = (MOARequest) inMsg; - - EntityDescriptor metadata = msg.getEntityMetadata(metadataProvider); - if(metadata == null) { - throw new NoMetadataInformationException(); - } - - String oaURL = metadata.getEntityID(); - oaURL = StringEscapeUtils.escapeHtml(oaURL); - ISPConfiguration oa = authConfig.getServiceProviderConfiguration(oaURL); - - Logger.info("Dispatch PVP2 SingleLogOut: OAURL=" + oaURL + " Binding=" + msg.getRequestBinding()); - - pendingReq.setSPEntityId(oaURL); - pendingReq.setOnlineApplicationConfiguration(oa); - pendingReq.setBinding(msg.getRequestBinding()); - - revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_SLO); - - - - } else if (inMsg instanceof MOAResponse && - ((MOAResponse)inMsg).getResponse() instanceof LogoutResponse) { - //preProcess single logour response from service provider - - LogoutResponse resp = (LogoutResponse) (((MOAResponse)inMsg).getResponse()); - - Logger.debug("PreProcess SLO Response from " + resp.getIssuer()); - -// List<String> allowedPublicURLPrefix = authConfig.getIDPPublicURLPrefixes(); -// AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); - - boolean isAllowedDestination = false; - try { - isAllowedDestination = MiscUtil.isNotEmpty(authConfig.validateIDPURL(new URL(resp.getDestination()))); - - } catch (MalformedURLException e) { - Logger.info(resp.getDestination() + " is NOT valid. Reason: " + e.getMessage()); - - } - -// for (String prefix : allowedPublicURLPrefix) { -// if (resp.getDestination().startsWith( -// prefix)) { -// isAllowedDestination = true; -// break; -// } -// } - - if (!isAllowedDestination) { - Logger.warn("PVP 2.1 single logout response destination does not match to IDP URL"); - throw new AssertionValidationExeption("PVP 2.1 single logout response destination does not match to IDP URL", null); - - } - - //TODO: check if relayState exists - inMsg.getRelayState(); - - - } else - throw new EAAFException("Unsupported request"); - - - pendingReq.setRequest(inMsg); - pendingReq.setAction(SINGLELOGOUT); - - //Single LogOut Request needs no authentication - pendingReq.setNeedAuthentication(false); - - //set protocol action, which should be executed - pendingReq.setAction(SingleLogOutAction.class.getName()); - } - - /** - * PreProcess AttributeQuery request - * @param request - * @param response - * @param pendingReq - * @throws Throwable - */ - private void preProcessAttributQueryRequest(HttpServletRequest request, - HttpServletResponse response, PVPTargetConfiguration pendingReq) throws Throwable { - MOARequest moaRequest = ((MOARequest)pendingReq.getRequest()); - AttributeQuery attrQuery = (AttributeQuery) moaRequest.getSamlRequest(); - moaRequest.setEntityID(attrQuery.getIssuer().getValue()); - - //validate destination - String destinaten = attrQuery.getDestination(); - if (!PVPConfiguration.getInstance().getIDPSSOSOAPService(HTTPUtils.extractAuthURLFromRequest(request)).equals(destinaten)) { - Logger.warn("AttributeQuery destination does not match IDP AttributeQueryService URL"); - throw new AttributQueryException("AttributeQuery destination does not match IDP AttributeQueryService URL", null); - - } - - //check if Issuer is an interfederation IDP - IOAAuthParameters oa = authConfig.getServiceProviderConfiguration(moaRequest.getEntityID(), IOAAuthParameters.class); - if (!oa.isInderfederationIDP()) { - Logger.warn("AttributeQuery requests are only allowed for interfederation IDPs."); - throw new AttributQueryException("AttributeQuery requests are only allowed for interfederation IDPs.", null); - - } - - if (!oa.isOutboundSSOInterfederationAllowed()) { - Logger.warn("Interfederation IDP " + oa.getPublicURLPrefix() + " does not allow outgoing SSO interfederation."); - throw new AttributQueryException("Interfederation IDP does not allow outgoing SSO interfederation.", null); - - } - - //check active MOASession - String nameID = attrQuery.getSubject().getNameID().getValue(); - IAuthenticationSession session = authenticatedSessionStorage.getSessionWithUserNameID(nameID); - if (session == null) { - Logger.warn("AttributeQuery nameID does not match to an active single sign-on session."); - throw new AttributQueryException("auth.31", null); - - } - - //set preProcessed information into pending-request - pendingReq.setRequest(moaRequest); - pendingReq.setSPEntityId(moaRequest.getEntityID()); - pendingReq.setOnlineApplicationConfiguration(oa); - pendingReq.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI); - - //Attribute-Query Request needs authentication, because session MUST be already authenticated - pendingReq.setNeedAuthentication(false); - - //set protocol action, which should be executed after authentication - pendingReq.setAction(AttributQueryAction.class.getName()); - - //add moasession - pendingReq.setSSOSessionIdentifier(session.getSSOSessionID()); - - //write revisionslog entry - revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_ATTRIBUTQUERY); - - - } - - /** - * PreProcess Authn request - * @param request - * @param response - * @param pendingReq - * @throws Throwable - */ - private void preProcessAuthRequest(HttpServletRequest request, - HttpServletResponse response, PVPTargetConfiguration pendingReq) throws Throwable { - - MOARequest moaRequest = ((MOARequest)pendingReq.getRequest()); - SignableXMLObject samlReq = moaRequest.getSamlRequest(); - - if(!(samlReq instanceof AuthnRequest)) { - throw new MOAIDException("Unsupported request", new Object[] {}); - } - - EntityDescriptor metadata = moaRequest.getEntityMetadata(metadataProvider); - if(metadata == null) { - throw new NoMetadataInformationException(); - } - SPSSODescriptor spSSODescriptor = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); - - AuthnRequest authnRequest = (AuthnRequest)samlReq; - - if (authnRequest.getIssueInstant() == null) { - Logger.warn("Unsupported request: No IssueInstant Attribute found."); - throw new AuthnRequestValidatorException("Unsupported request: No IssueInstant Attribute found.", new Object[] {}, - "Unsupported request: No IssueInstant Attribute found", pendingReq); - - } - - if (authnRequest.getIssueInstant().minusMinutes(MOAIDAuthConstants.TIME_JITTER).isAfterNow()) { - Logger.warn("Unsupported request: No IssueInstant DateTime is not valid anymore."); - throw new AuthnRequestValidatorException("Unsupported request: No IssueInstant DateTime is not valid anymore.", new Object[] {}, - "Unsupported request: No IssueInstant DateTime is not valid anymore.", pendingReq); - - } - - //parse AssertionConsumerService - AssertionConsumerService consumerService = null; - if (MiscUtil.isNotEmpty(authnRequest.getAssertionConsumerServiceURL()) && - MiscUtil.isNotEmpty(authnRequest.getProtocolBinding())) { - //use AssertionConsumerServiceURL from request - - //check requested AssertionConsumingService URL against metadata - List<AssertionConsumerService> metadataAssertionServiceList = spSSODescriptor.getAssertionConsumerServices(); - for (AssertionConsumerService service : metadataAssertionServiceList) { - if (authnRequest.getProtocolBinding().equals(service.getBinding()) - && authnRequest.getAssertionConsumerServiceURL().equals(service.getLocation())) { - consumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class); - consumerService.setBinding(authnRequest.getProtocolBinding()); - consumerService.setLocation(authnRequest.getAssertionConsumerServiceURL()); - Logger.debug("Requested AssertionConsumerServiceURL is valid."); - } - } - - if (consumerService == null) { - throw new InvalidAssertionConsumerServiceException(authnRequest.getAssertionConsumerServiceURL()); - - } - - - } else { - //use AssertionConsumerServiceIndex and select consumerService from metadata - Integer aIdx = authnRequest.getAssertionConsumerServiceIndex(); - int assertionidx = 0; - - if(aIdx != null) { - assertionidx = aIdx.intValue(); - - } else { - assertionidx = SAML2Utils.getDefaultAssertionConsumerServiceIndex(spSSODescriptor); - - } - consumerService = spSSODescriptor.getAssertionConsumerServices().get(assertionidx); - - if (consumerService == null) { - throw new InvalidAssertionConsumerServiceException(aIdx); - - } - } - - - //select AttributeConsumingService from request - AttributeConsumingService attributeConsumer = null; - Integer aIdx = authnRequest.getAttributeConsumingServiceIndex(); - int attributeIdx = 0; - - if(aIdx != null) { - attributeIdx = aIdx.intValue(); - } - - if (spSSODescriptor.getAttributeConsumingServices() != null && - spSSODescriptor.getAttributeConsumingServices().size() > 0) { - attributeConsumer = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx); - } - - //validate AuthnRequest - AuthnRequestImpl authReq = (AuthnRequestImpl) samlReq; - AuthnRequestValidator.validate(authReq); - -// String useMandate = request.getParameter(PARAM_USEMANDATE); -// if(useMandate != null) { -// if(useMandate.equals("true") && attributeConsumer != null) { -// if(!CheckMandateAttributes.canHandleMandate(attributeConsumer)) { -// throw new MandateAttributesNotHandleAbleException(); -// } -// } -// } - - String oaURL = moaRequest.getEntityMetadata(metadataProvider).getEntityID(); - oaURL = StringEscapeUtils.escapeHtml(oaURL); - ISPConfiguration oa = authConfig.getServiceProviderConfiguration(oaURL); - - Logger.info("Dispatch PVP2 AuthnRequest: OAURL=" + oaURL + " Binding=" + consumerService.getBinding()); - - pendingReq.setSPEntityId(oaURL); - pendingReq.setOnlineApplicationConfiguration(oa); - pendingReq.setBinding(consumerService.getBinding()); - pendingReq.setRequest(moaRequest); - pendingReq.setConsumerURL(consumerService.getLocation()); - - //parse AuthRequest - pendingReq.setPassiv(authReq.isPassive()); - pendingReq.setForce(authReq.isForceAuthn()); - - //AuthnRequest needs authentication - pendingReq.setNeedAuthentication(true); - - //set protocol action, which should be executed after authentication - pendingReq.setAction(AuthenticationAction.class.getName()); - - //write revisionslog entry - revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_AUTHREQUEST); - - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java index 67e7a47f3..cdd0b659e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java @@ -22,25 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x; -import java.util.ArrayList; -import java.util.Collections; -import java.util.List; - -import org.opensaml.xml.encryption.EncryptionConstants; -import org.opensaml.xml.signature.SignatureConstants; - -import at.gv.egiz.eaaf.core.api.data.PVPAttributeConstants; -import at.gv.egovernment.moa.id.data.Trible; - -public interface PVPConstants extends PVPAttributeConstants { +public interface PVPConstants extends at.gv.egiz.eaaf.modules.pvp2.PVPConstants { public static final String SSLSOCKETFACTORYNAME = "MOAMetaDataProvider"; - - public static final String DEFAULT_SIGNING_METHODE = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256; - public static final String DEFAULT_DIGESTMETHODE = SignatureConstants.ALGO_ID_DIGEST_SHA256; - public static final String DEFAULT_SYM_ENCRYPTION_METHODE = EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256; - public static final String DEFAULT_ASYM_ENCRYPTION_METHODE = EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP; - public static final String STORK_QAA_PREFIX = "http://www.stork.gov.eu/1.0/citizenQAALevel/"; public static final String STORK_QAA_1_1 = "http://www.stork.gov.eu/1.0/citizenQAALevel/1"; @@ -52,84 +36,5 @@ public interface PVPConstants extends PVPAttributeConstants { public static final String EIDAS_QAA_LOW = EIDAS_QAA_PREFIX + "low"; public static final String EIDAS_QAA_SUBSTANTIAL = EIDAS_QAA_PREFIX + "substantial"; public static final String EIDAS_QAA_HIGH = EIDAS_QAA_PREFIX + "high"; - - public static final String STORK_ATTRIBUTE_PREFIX = "http://www.stork.gov.eu/"; - - - - - public static final String ENTITY_CATEGORY_ATTRIBITE = "http://macedir.org/entity-category"; - public static final String EGOVTOKEN = "http://www.ref.gv.at/ns/names/agiz/pvp/egovtoken"; - public static final String CITIZENTOKEN = "http://www.ref.gv.at/ns/names/agiz/pvp/citizentoken"; - - /** - * - * Get required PVP attributes for egovtoken - * First : PVP attribute name (OID) - * Second: FriendlyName - * Third: Required - * - */ - public static final List<Trible<String, String, Boolean>> EGOVTOKEN_PVP_ATTRIBUTES = - Collections.unmodifiableList(new ArrayList<Trible<String, String, Boolean>>() { - private static final long serialVersionUID = 1L; - { - //currently supported attributes - add(Trible.newInstance(PVP_VERSION_NAME, PVP_VERSION_FRIENDLY_NAME, true)); - add(Trible.newInstance(PRINCIPAL_NAME_NAME, PRINCIPAL_NAME_FRIENDLY_NAME, true)); - - //currently not supported attributes - add(Trible.newInstance(USERID_NAME, USERID_FRIENDLY_NAME, false)); - add(Trible.newInstance(GID_NAME, GID_FRIENDLY_NAME, false)); - add(Trible.newInstance(PARTICIPANT_ID_NAME, PARTICIPANT_ID_FRIENDLY_NAME, false)); - add(Trible.newInstance(OU_GV_OU_ID_NAME, OU_GV_OU_ID_FRIENDLY_NAME, false)); - add(Trible.newInstance(OU_NAME, OU_FRIENDLY_NAME, false)); - add(Trible.newInstance(SECCLASS_NAME, SECCLASS_FRIENDLY_NAME, false)); - - - } - }); - - /** - * - * Get required PVP attributes for citizenToken - * First : PVP attribute name (OID) - * Second: FriendlyName - * Third: Required - * - */ - public static final List<Trible<String, String, Boolean>> CITIZENTOKEN_PVP_ATTRIBUTES = - Collections.unmodifiableList(new ArrayList<Trible<String, String, Boolean>>() { - private static final long serialVersionUID = 1L; - { - //required attributes - eIDAS minimal-data set - add(Trible.newInstance(PVP_VERSION_NAME, PVP_VERSION_FRIENDLY_NAME, true)); - add(Trible.newInstance(PRINCIPAL_NAME_NAME, PRINCIPAL_NAME_FRIENDLY_NAME, true)); - add(Trible.newInstance(GIVEN_NAME_NAME, GIVEN_NAME_FRIENDLY_NAME, true)); - add(Trible.newInstance(BIRTHDATE_NAME, BIRTHDATE_FRIENDLY_NAME, true)); - add(Trible.newInstance(BPK_NAME, BPK_FRIENDLY_NAME, true)); - - - //not required attributes - add(Trible.newInstance(EID_CITIZEN_EIDAS_QAA_LEVEL_NAME, EID_CITIZEN_EIDAS_QAA_LEVEL_FRIENDLY_NAME, false)); - add(Trible.newInstance(EID_ISSUING_NATION_NAME, EID_ISSUING_NATION_FRIENDLY_NAME, false)); - add(Trible.newInstance(EID_SECTOR_FOR_IDENTIFIER_NAME, EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, false)); - add(Trible.newInstance(MANDATE_TYPE_NAME, MANDATE_TYPE_FRIENDLY_NAME, false)); - add(Trible.newInstance(MANDATE_TYPE_OID_NAME, MANDATE_TYPE_OID_FRIENDLY_NAME, false)); - add(Trible.newInstance(MANDATE_LEG_PER_SOURCE_PIN_NAME, MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, false)); - add(Trible.newInstance(MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, MANDATE_LEG_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME, false)); - add(Trible.newInstance(MANDATE_NAT_PER_BPK_NAME, MANDATE_NAT_PER_BPK_FRIENDLY_NAME, false)); - add(Trible.newInstance(MANDATE_NAT_PER_GIVEN_NAME_NAME, MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME, false)); - add(Trible.newInstance(MANDATE_NAT_PER_FAMILY_NAME_NAME, MANDATE_NAT_PER_FAMILY_NAME_FRIENDLY_NAME, false)); - add(Trible.newInstance(MANDATE_NAT_PER_BIRTHDATE_NAME, MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, false)); - add(Trible.newInstance(MANDATE_LEG_PER_FULL_NAME_NAME, MANDATE_LEG_PER_FULL_NAME_FRIENDLY_NAME, false)); - add(Trible.newInstance(MANDATE_PROF_REP_OID_NAME, MANDATE_PROF_REP_OID_FRIENDLY_NAME, false)); - add(Trible.newInstance(MANDATE_PROF_REP_DESC_NAME, MANDATE_PROF_REP_DESC_FRIENDLY_NAME, false)); - add(Trible.newInstance(MANDATE_REFERENCE_VALUE_NAME, MANDATE_REFERENCE_VALUE_FRIENDLY_NAME, false)); - - - - } - }); - + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java deleted file mode 100644 index 279d88860..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java +++ /dev/null @@ -1,133 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x; - -import org.springframework.beans.factory.config.BeanDefinition; -import org.springframework.context.annotation.Scope; -import org.springframework.stereotype.Component; - -import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; - -@Component("PVPTargetConfiguration") -@Scope(value = BeanDefinition.SCOPE_PROTOTYPE) -public class PVPTargetConfiguration extends RequestImpl { - - - public static final String DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP = "useMinimalFrontChannelResponse"; - public static final String DATAID_INTERFEDERATION_NAMEID = "federatedNameID"; - public static final String DATAID_INTERFEDERATION_QAALEVEL = "federatedQAALevel"; - - public static final String DATAID_INTERFEDERATION_REQUESTID = "authnReqID"; - - private static final long serialVersionUID = 4889919265919638188L; - - - - InboundMessage request; - String binding; - String consumerURL; - - public InboundMessage getRequest() { - return request; - } - - public void setRequest(InboundMessage request) { - this.request = request; - } - - public String getBinding() { - return binding; - } - - public void setBinding(String binding) { - this.binding = binding; - } - - public String getConsumerURL() { - return consumerURL; - } - - public void setConsumerURL(String consumerURL) { - this.consumerURL = consumerURL; - - } - -// /* (non-Javadoc) -// * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes() -// */ -// @Override -// public Collection<String> getRequestedAttributes(MetadataProvider metadataProvider) { -// -// Map<String, String> reqAttr = new HashMap<String, String>(); -// for (String el : PVP2XProtocol.DEFAULTREQUESTEDATTRFORINTERFEDERATION) -// reqAttr.put(el, ""); -// -// try { -// SPSSODescriptor spSSODescriptor = getRequest().getEntityMetadata(metadataProvider).getSPSSODescriptor(SAMLConstants.SAML20P_NS); -// if (spSSODescriptor.getAttributeConsumingServices() != null && -// spSSODescriptor.getAttributeConsumingServices().size() > 0) { -// -// Integer aIdx = null; -// if (getRequest() instanceof MOARequest && -// ((MOARequest)getRequest()).getSamlRequest() instanceof AuthnRequestImpl) { -// AuthnRequestImpl authnRequest = (AuthnRequestImpl)((MOARequest)getRequest()).getSamlRequest(); -// aIdx = authnRequest.getAttributeConsumingServiceIndex(); -// -// } else { -// Logger.error("MOARequest is NOT of type AuthnRequest"); -// } -// -// int idx = 0; -// -// AttributeConsumingService attributeConsumingService = null; -// -// if (aIdx != null) { -// idx = aIdx.intValue(); -// attributeConsumingService = spSSODescriptor -// .getAttributeConsumingServices().get(idx); -// -// } else { -// List<AttributeConsumingService> attrConsumingServiceList = spSSODescriptor.getAttributeConsumingServices(); -// for (AttributeConsumingService el : attrConsumingServiceList) { -// if (el.isDefault()) -// attributeConsumingService = el; -// } -// } -// -// for ( RequestedAttribute attr : attributeConsumingService.getRequestAttributes()) -// reqAttr.put(attr.getName(), ""); -// } -// -// //return attributQueryBuilder.buildSAML2AttributeList(this.getOnlineApplicationConfiguration(), reqAttr.keySet().iterator()); -// return reqAttr.keySet(); -// -// } catch (NoMetadataInformationException e) { -// Logger.warn("NO metadata found for Entity " + getRequest().getEntityID()); -// return null; -// -// } -// -// } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java index 6b945d692..ab88a765e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java @@ -44,7 +44,11 @@ import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface; import at.gv.egiz.eaaf.core.api.logging.IRevisionLogger; import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage; import at.gv.egiz.eaaf.core.exceptions.EAAFException; +import at.gv.egiz.eaaf.core.exceptions.SLOException; import at.gv.egiz.eaaf.core.impl.utils.Random; +import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PVPSProfilePendingRequest; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PVPSProfileRequest; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PVPSProfileResponse; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet; @@ -55,9 +59,6 @@ import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.data.SLOInformationContainer; import at.gv.egovernment.moa.id.moduls.SSOManager; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.SingleLogOutBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SLOException; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -86,12 +87,12 @@ public class SingleLogOutAction implements IAction { HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws EAAFException { - PVPTargetConfiguration pvpReq = (PVPTargetConfiguration) req; + PVPSProfilePendingRequest pvpReq = (PVPSProfilePendingRequest) req; - if (pvpReq.getRequest() instanceof MOARequest && - ((MOARequest)pvpReq.getRequest()).getSamlRequest() instanceof LogoutRequest) { + if (pvpReq.getRequest() instanceof PVPSProfileRequest && + ((PVPSProfileRequest)pvpReq.getRequest()).getSamlRequest() instanceof LogoutRequest) { Logger.debug("Process Single LogOut request"); - MOARequest samlReq = (MOARequest) pvpReq.getRequest(); + PVPSProfileRequest samlReq = (PVPSProfileRequest) pvpReq.getRequest(); LogoutRequest logOutReq = (LogoutRequest) samlReq.getSamlRequest(); String ssoSessionId = @@ -141,10 +142,10 @@ public class SingleLogOutAction implements IAction { Logger.debug("Starting technical SLO process ... "); sloBuilder.toTechnicalLogout(sloInformationContainer, httpReq, httpResp, null); - } else if (pvpReq.getRequest() instanceof MOAResponse && - ((MOAResponse)pvpReq.getRequest()).getResponse() instanceof LogoutResponse) { + } else if (pvpReq.getRequest() instanceof PVPSProfileResponse && + ((PVPSProfileResponse)pvpReq.getRequest()).getResponse() instanceof LogoutResponse) { Logger.debug("Process Single LogOut response"); - LogoutResponse logOutResp = (LogoutResponse) ((MOAResponse)pvpReq.getRequest()).getResponse(); + LogoutResponse logOutResp = (LogoutResponse) ((PVPSProfileResponse)pvpReq.getRequest()).getResponse(); //Transaction tx = null; @@ -236,11 +237,11 @@ public class SingleLogOutAction implements IAction { storageSuccess = true; String redirectURL = null; IRequest sloReq = sloContainer.getSloRequest(); - if (sloReq != null && sloReq instanceof PVPTargetConfiguration) { + if (sloReq != null && sloReq instanceof PVPSProfilePendingRequest) { //send SLO response to SLO request issuer - SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor((PVPTargetConfiguration)sloReq); - LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, (PVPTargetConfiguration)sloReq, sloContainer.getSloFailedOAs()); - redirectURL = sloBuilder.getFrontChannelSLOMessageURL(sloService, message, httpReq, httpResp, ((PVPTargetConfiguration)sloReq).getRequest().getRelayState()); + SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor((PVPSProfilePendingRequest)sloReq); + LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, (PVPSProfilePendingRequest)sloReq, sloContainer.getSloFailedOAs()); + redirectURL = sloBuilder.getFrontChannelSLOMessageURL(sloService, message, httpReq, httpResp, ((PVPSProfilePendingRequest)sloReq).getRequest().getRelayState()); } else { //print SLO information directly @@ -324,7 +325,7 @@ public class SingleLogOutAction implements IAction { */ @Override public String getDefaultActionName() { - return PVP2XProtocol.SINGLELOGOUT; + return PVPConstants.SINGLELOGOUT; } protected static String addURLParameter(String url, String paramname, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java deleted file mode 100644 index 71c5a46a4..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java +++ /dev/null @@ -1,44 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.binding; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.opensaml.common.binding.decoding.URIComparator; -import org.opensaml.saml2.metadata.provider.MetadataProvider; -import org.opensaml.ws.message.decoder.MessageDecodingException; -import org.opensaml.xml.security.SecurityException; - -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; - -public interface IDecoder { - public InboundMessageInterface decode(HttpServletRequest req, - HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint, URIComparator comparator) - throws MessageDecodingException, SecurityException, PVP2Exception; - - public boolean handleDecode(String action, HttpServletRequest req); - - public String getSAML2BindingName(); -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java deleted file mode 100644 index 409f995fc..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java +++ /dev/null @@ -1,71 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.binding; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.opensaml.saml2.core.RequestAbstractType; -import org.opensaml.saml2.core.StatusResponseType; -import org.opensaml.ws.message.encoder.MessageEncodingException; -import org.opensaml.xml.security.SecurityException; -import org.opensaml.xml.security.credential.Credential; - -import at.gv.egiz.eaaf.core.api.IRequest; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; - -public interface IEncoder { - - /** - * - * @param req The http request - * @param resp The http response - * @param request The SAML2 request object - * @param targetLocation URL, where the request should be transmit - * @param relayState token for session handling - * @param credentials Credential to sign the request object - * @param pendingReq Internal MOA-ID request object that contains session-state informations but never null - * @throws MessageEncodingException - * @throws SecurityException - * @throws PVP2Exception - */ - public void encodeRequest(HttpServletRequest req, - HttpServletResponse resp, RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq) - throws MessageEncodingException, SecurityException, PVP2Exception; - - /** - * Encoder SAML Response - * @param req The http request - * @param resp The http response - * @param response The SAML2 repsonse object - * @param targetLocation URL, where the request should be transmit - * @param relayState token for session handling - * @param credentials Credential to sign the response object - * @param pendingReq Internal MOA-ID request object that contains session-state informations but never null - * @throws MessageEncodingException - * @throws SecurityException - */ - public void encodeRespone(HttpServletRequest req, - HttpServletResponse resp, StatusResponseType response, String targetLocation, String relayState, Credential credentials, IRequest pendingReq) - throws MessageEncodingException, SecurityException, PVP2Exception; -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java deleted file mode 100644 index 7bb64a106..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java +++ /dev/null @@ -1,53 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.binding; - -import org.opensaml.common.binding.decoding.URIComparator; - -import at.gv.egovernment.moa.logging.Logger; - -public class MOAURICompare implements URIComparator { - - /** - * @param idpssoPostService - */ - - private String serviceURL = ""; - - public MOAURICompare(String serviceURL) { - this.serviceURL = serviceURL; - } - - public boolean compare(String uri1, String uri2) { - if (this.serviceURL.equals(uri1)) - return true; - - else { - Logger.warn("PVP request destination-endpoint: " + uri1 - + " does not match to IDP endpoint:" + serviceURL); - return false; - - } - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java deleted file mode 100644 index 998249028..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ /dev/null @@ -1,240 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.binding; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.opensaml.common.SAMLObject; -import org.opensaml.common.binding.BasicSAMLMessageContext; -import org.opensaml.common.binding.decoding.URIComparator; -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.saml2.binding.decoding.HTTPPostDecoder; -import org.opensaml.saml2.core.RequestAbstractType; -import org.opensaml.saml2.core.StatusResponseType; -import org.opensaml.saml2.metadata.IDPSSODescriptor; -import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.saml2.metadata.SingleSignOnService; -import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder; -import org.opensaml.saml2.metadata.provider.MetadataProvider; -import org.opensaml.ws.message.decoder.MessageDecodingException; -import org.opensaml.ws.message.encoder.MessageEncodingException; -import org.opensaml.ws.security.SecurityPolicyResolver; -import org.opensaml.ws.security.provider.BasicSecurityPolicy; -import org.opensaml.ws.security.provider.StaticSecurityPolicyResolver; -import org.opensaml.ws.transport.http.HttpServletRequestAdapter; -import org.opensaml.ws.transport.http.HttpServletResponseAdapter; -import org.opensaml.xml.parse.BasicParserPool; -import org.opensaml.xml.security.SecurityException; -import org.opensaml.xml.security.credential.Credential; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Service; - -import at.gv.egiz.eaaf.core.api.IRequest; -import at.gv.egiz.eaaf.core.api.gui.IGUIBuilderConfiguration; -import at.gv.egovernment.moa.id.auth.frontend.builder.GUIFormBuilderImpl; -import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithFileSystemLoad; -import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider; -import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; -import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; -import at.gv.egovernment.moa.id.opemsaml.MOAIDHTTPPostEncoder; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; -import at.gv.egovernment.moa.id.protocols.pvp2x.validation.MOAPVPSignedRequestPolicyRule; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MiscUtil; - -@Service("PVPPOSTBinding") -public class PostBinding implements IDecoder, IEncoder { - - @Autowired(required=true) AuthConfiguration authConfig; - @Autowired(required=true) GUIFormBuilderImpl guiBuilder; - - public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, - RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq) - throws MessageEncodingException, SecurityException { - - try { -// X509Credential credentials = credentialProvider -// .getIDPAssertionSigningCredential(); - - //load default PVP security configurations - MOADefaultBootstrap.initializeDefaultPVPConfiguration(); - - //initialize POST binding encoder with template decoration - IGUIBuilderConfiguration guiConfig = - new SPSpecificGUIBuilderConfigurationWithFileSystemLoad( - pendingReq, - "pvp_postbinding_template.html", - MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL, - null, - authConfig.getRootConfigFileDir()); - MOAIDHTTPPostEncoder encoder = new MOAIDHTTPPostEncoder(guiConfig, guiBuilder, - VelocityProvider.getClassPathVelocityEngine()); - - //set OpenSAML2 process parameter into binding context dao - HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( - resp, true); - BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); - SingleSignOnService service = new SingleSignOnServiceBuilder().buildObject(); - service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"); - service.setLocation(targetLocation);; - - context.setOutboundSAMLMessageSigningCredential(credentials); - context.setPeerEntityEndpoint(service); - context.setOutboundSAMLMessage(request); - context.setOutboundMessageTransport(responseAdapter); - context.setRelayState(relayState); - - encoder.encode(context); - -// } catch (CredentialsNotAvailableException e) { -// e.printStackTrace(); -// throw new SecurityException(e); - } catch (Exception e) { - e.printStackTrace(); - throw new SecurityException(e); - } - } - - public void encodeRespone(HttpServletRequest req, HttpServletResponse resp, - StatusResponseType response, String targetLocation, String relayState, Credential credentials, IRequest pendingReq) - throws MessageEncodingException, SecurityException { - - try { - //load default PVP security configurations - MOADefaultBootstrap.initializeDefaultPVPConfiguration(); - - Logger.debug("create SAML POSTBinding response"); - - //initialize POST binding encoder with template decoration - IGUIBuilderConfiguration guiConfig = - new SPSpecificGUIBuilderConfigurationWithFileSystemLoad( - pendingReq, - "pvp_postbinding_template.html", - MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL, - null, - authConfig.getRootConfigFileDir()); - MOAIDHTTPPostEncoder encoder = new MOAIDHTTPPostEncoder(guiConfig, guiBuilder, - VelocityProvider.getClassPathVelocityEngine()); - - //set OpenSAML2 process parameter into binding context dao - HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( - resp, true); - BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); - SingleSignOnService service = new SingleSignOnServiceBuilder() - .buildObject(); - service.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); - service.setLocation(targetLocation); - context.setOutboundSAMLMessageSigningCredential(credentials); - context.setPeerEntityEndpoint(service); - // context.setOutboundMessage(authReq); - context.setOutboundSAMLMessage(response); - context.setOutboundMessageTransport(responseAdapter); - context.setRelayState(relayState); - - encoder.encode(context); -// } catch (CredentialsNotAvailableException e) { -// e.printStackTrace(); -// throw new SecurityException(e); - } catch (Exception e) { - e.printStackTrace(); - throw new SecurityException(e); - } - } - - public InboundMessageInterface decode(HttpServletRequest req, - HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint, URIComparator comparator) throws MessageDecodingException, - SecurityException { - - HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool()); - BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); - messageContext - .setInboundMessageTransport(new HttpServletRequestAdapter(req)); - //set metadata descriptor type - if (isSPEndPoint) { - messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); - decode.setURIComparator(comparator); - - } else { - messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); - decode.setURIComparator(comparator); - } - - messageContext.setMetadataProvider(metadataProvider); - - //set security policy context - BasicSecurityPolicy policy = new BasicSecurityPolicy(); - policy.getPolicyRules().add( - new MOAPVPSignedRequestPolicyRule(metadataProvider, - TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider), - messageContext.getPeerEntityRole())); - SecurityPolicyResolver secResolver = new StaticSecurityPolicyResolver(policy); - messageContext.setSecurityPolicyResolver(secResolver); - - decode.decode(messageContext); - - InboundMessage msg = null; - if (messageContext.getInboundMessage() instanceof RequestAbstractType) { - RequestAbstractType inboundMessage = (RequestAbstractType) messageContext - .getInboundMessage(); - msg = new MOARequest(inboundMessage, getSAML2BindingName()); - msg.setEntityID(inboundMessage.getIssuer().getValue()); - - } else if (messageContext.getInboundMessage() instanceof StatusResponseType){ - StatusResponseType inboundMessage = (StatusResponseType) messageContext.getInboundMessage(); - msg = new MOAResponse(inboundMessage); - msg.setEntityID(inboundMessage.getIssuer().getValue()); - - } else - //create empty container if request type is unknown - msg = new InboundMessage(); - - if (messageContext.getPeerEntityMetadata() != null) - msg.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); - - else { - if (MiscUtil.isEmpty(msg.getEntityID())) - Logger.info("No Metadata found for OA with EntityID " + messageContext.getInboundMessageIssuer()); - } - - - msg.setVerified(true); - msg.setRelayState(messageContext.getRelayState()); - - return msg; - } - - public boolean handleDecode(String action, HttpServletRequest req) { - return (req.getMethod().equals("POST") && action.equals(PVP2XProtocol.POST)); - } - - public String getSAML2BindingName() { - return SAMLConstants.SAML2_POST_BINDING_URI; - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java deleted file mode 100644 index caebd456b..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ /dev/null @@ -1,244 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.binding; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.opensaml.common.SAMLObject; -import org.opensaml.common.binding.BasicSAMLMessageContext; -import org.opensaml.common.binding.decoding.URIComparator; -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder; -import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder; -import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule; -import org.opensaml.saml2.core.RequestAbstractType; -import org.opensaml.saml2.core.StatusResponseType; -import org.opensaml.saml2.metadata.IDPSSODescriptor; -import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.saml2.metadata.SingleSignOnService; -import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder; -import org.opensaml.saml2.metadata.provider.MetadataProvider; -import org.opensaml.ws.message.decoder.MessageDecodingException; -import org.opensaml.ws.message.encoder.MessageEncodingException; -import org.opensaml.ws.security.SecurityPolicyResolver; -import org.opensaml.ws.security.provider.BasicSecurityPolicy; -import org.opensaml.ws.security.provider.StaticSecurityPolicyResolver; -import org.opensaml.ws.transport.http.HttpServletRequestAdapter; -import org.opensaml.ws.transport.http.HttpServletResponseAdapter; -import org.opensaml.xml.parse.BasicParserPool; -import org.opensaml.xml.security.SecurityException; -import org.opensaml.xml.security.credential.Credential; -import org.springframework.stereotype.Service; - -import at.gv.egiz.eaaf.core.api.IRequest; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; -import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.IMOARefreshableMetadataProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.validation.MOASAML2AuthRequestSignedRole; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MiscUtil; - -@Service("PVPRedirectBinding") -public class RedirectBinding implements IDecoder, IEncoder { - - public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, - RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq) - throws MessageEncodingException, SecurityException { - -// try { -// X509Credential credentials = credentialProvider -// .getIDPAssertionSigningCredential(); - - //load default PVP security configurations - MOADefaultBootstrap.initializeDefaultPVPConfiguration(); - - Logger.debug("create SAML RedirectBinding response"); - - HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder(); - HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( - resp, true); - BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); - SingleSignOnService service = new SingleSignOnServiceBuilder() - .buildObject(); - service.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); - service.setLocation(targetLocation); - context.setOutboundSAMLMessageSigningCredential(credentials); - context.setPeerEntityEndpoint(service); - context.setOutboundSAMLMessage(request); - context.setOutboundMessageTransport(responseAdapter); - context.setRelayState(relayState); - - encoder.encode(context); -// } catch (CredentialsNotAvailableException e) { -// e.printStackTrace(); -// throw new SecurityException(e); -// } - } - - public void encodeRespone(HttpServletRequest req, HttpServletResponse resp, - StatusResponseType response, String targetLocation, String relayState, - Credential credentials, IRequest pendingReq) throws MessageEncodingException, SecurityException { -// try { -// X509Credential credentials = credentialProvider -// .getIDPAssertionSigningCredential(); - - //load default PVP security configurations - MOADefaultBootstrap.initializeDefaultPVPConfiguration(); - - Logger.debug("create SAML RedirectBinding response"); - - HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder(); - HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( - resp, true); - BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); - SingleSignOnService service = new SingleSignOnServiceBuilder() - .buildObject(); - service.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); - service.setLocation(targetLocation); - context.setOutboundSAMLMessageSigningCredential(credentials); - context.setPeerEntityEndpoint(service); - context.setOutboundSAMLMessage(response); - context.setOutboundMessageTransport(responseAdapter); - context.setRelayState(relayState); - - encoder.encode(context); -// } catch (CredentialsNotAvailableException e) { -// e.printStackTrace(); -// throw new SecurityException(e); -// } - } - - public InboundMessageInterface decode(HttpServletRequest req, - HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint, URIComparator comparator) throws MessageDecodingException, - SecurityException { - - HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder( - new BasicParserPool()); - - BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); - messageContext - .setInboundMessageTransport(new HttpServletRequestAdapter(req)); - - //set metadata descriptor type - if (isSPEndPoint) { - messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); - decode.setURIComparator(comparator); - - } else { - messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); - decode.setURIComparator(comparator); - } - - messageContext.setMetadataProvider(metadataProvider); - - SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule( - TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); - MOASAML2AuthRequestSignedRole signedRole = new MOASAML2AuthRequestSignedRole(); - BasicSecurityPolicy policy = new BasicSecurityPolicy(); - policy.getPolicyRules().add(signedRole); - policy.getPolicyRules().add(signatureRule); - SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver( - policy); - messageContext.setSecurityPolicyResolver(resolver); - - //set metadata descriptor type - if (isSPEndPoint) - messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); - else - messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); - - try { - decode.decode(messageContext); - - //check signature - signatureRule.evaluate(messageContext); - - } catch (SecurityException e) { - if (MiscUtil.isEmpty(messageContext.getInboundMessageIssuer())) { - throw e; - - } - - if (metadataProvider instanceof IMOARefreshableMetadataProvider) { - Logger.debug("PVP2X message validation FAILED. Reload metadata for entityID: " + messageContext.getInboundMessageIssuer()); - if (!((IMOARefreshableMetadataProvider) metadataProvider).refreshMetadataProvider(messageContext.getInboundMessageIssuer())) - throw e; - - else { - Logger.trace("PVP2X metadata reload finished. Check validate message again."); - decode.decode(messageContext); - - //check signature - signatureRule.evaluate(messageContext); - - } - Logger.trace("Second PVP2X message validation finished"); - - } else { - throw e; - - } - } - - InboundMessage msg = null; - if (messageContext.getInboundMessage() instanceof RequestAbstractType) { - RequestAbstractType inboundMessage = (RequestAbstractType) messageContext - .getInboundMessage(); - msg = new MOARequest(inboundMessage, getSAML2BindingName()); - - - } else if (messageContext.getInboundMessage() instanceof StatusResponseType){ - StatusResponseType inboundMessage = (StatusResponseType) messageContext.getInboundMessage(); - msg = new MOAResponse(inboundMessage); - - } else - //create empty container if request type is unknown - msg = new InboundMessage(); - - if (messageContext.getPeerEntityMetadata() != null) - msg.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); - - else - Logger.info("No Metadata found for OA with EntityID " + messageContext.getInboundMessageIssuer()); - - msg.setVerified(true); - msg.setRelayState(messageContext.getRelayState()); - - return msg; - } - - public boolean handleDecode(String action, HttpServletRequest req) { - return ((action.equals(PVP2XProtocol.REDIRECT) || action.equals(PVP2XProtocol.SINGLELOGOUT)) - && req.getMethod().equals("GET")); - } - - public String getSAML2BindingName() { - return SAMLConstants.SAML2_REDIRECT_BINDING_URI; - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java deleted file mode 100644 index 2b4374a64..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java +++ /dev/null @@ -1,176 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.binding; - -import java.util.List; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.opensaml.common.SAMLObject; -import org.opensaml.common.binding.BasicSAMLMessageContext; -import org.opensaml.common.binding.decoding.URIComparator; -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.saml2.binding.encoding.HTTPSOAP11Encoder; -import org.opensaml.saml2.core.RequestAbstractType; -import org.opensaml.saml2.core.StatusResponseType; -import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.saml2.metadata.provider.MetadataProvider; -import org.opensaml.ws.message.decoder.MessageDecodingException; -import org.opensaml.ws.message.encoder.MessageEncodingException; -import org.opensaml.ws.soap.soap11.Envelope; -import org.opensaml.ws.soap.soap11.decoder.http.HTTPSOAP11Decoder; -import org.opensaml.ws.transport.http.HttpServletRequestAdapter; -import org.opensaml.ws.transport.http.HttpServletResponseAdapter; -import org.opensaml.xml.XMLObject; -import org.opensaml.xml.parse.BasicParserPool; -import org.opensaml.xml.security.SecurityException; -import org.opensaml.xml.security.credential.Credential; -import org.opensaml.xml.signature.SignableXMLObject; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Service; - -import at.gv.egiz.eaaf.core.api.IRequest; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; -import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MiscUtil; - -@Service("PVPSOAPBinding") -public class SoapBinding implements IDecoder, IEncoder { - - @Autowired(required=true) private MOAMetadataProvider metadataProvider; - @Autowired private IDPCredentialProvider credentialProvider; - - public InboundMessageInterface decode(HttpServletRequest req, - HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint, URIComparator comparator) throws MessageDecodingException, - SecurityException, PVP2Exception { - HTTPSOAP11Decoder soapDecoder = new HTTPSOAP11Decoder(new BasicParserPool()); - BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext = - new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); - messageContext - .setInboundMessageTransport(new HttpServletRequestAdapter( - req)); - messageContext.setMetadataProvider(metadataProvider); - - //TODO: update in a futher version: - // requires a special SignedSOAPRequestPolicyRole because - // messageContext.getInboundMessage() is not directly signed - - //set security context -// BasicSecurityPolicy policy = new BasicSecurityPolicy(); -// policy.getPolicyRules().add( -// new MOAPVPSignedRequestPolicyRule( -// TrustEngineFactory.getSignatureKnownKeysTrustEngine(), -// SPSSODescriptor.DEFAULT_ELEMENT_NAME)); -// SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver( -// policy); -// messageContext.setSecurityPolicyResolver(resolver); - - //decode message - soapDecoder.decode(messageContext); - - Envelope inboundMessage = (Envelope) messageContext - .getInboundMessage(); - - if (inboundMessage.getBody() != null) { - List<XMLObject> xmlElemList = inboundMessage.getBody().getUnknownXMLObjects(); - - if (!xmlElemList.isEmpty()) { - SignableXMLObject attrReq = (SignableXMLObject) xmlElemList.get(0); - MOARequest request = new MOARequest(attrReq, getSAML2BindingName()); - - if (messageContext.getPeerEntityMetadata() != null) - request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); - - else if (attrReq instanceof RequestAbstractType) { - RequestAbstractType attributeRequest = (RequestAbstractType) attrReq; - try { - if (MiscUtil.isNotEmpty(attributeRequest.getIssuer().getValue()) && - metadataProvider.getRole( - attributeRequest.getIssuer().getValue(), - SPSSODescriptor.DEFAULT_ELEMENT_NAME) != null) - request.setEntityID(attributeRequest.getIssuer().getValue()); - - } catch (Exception e) { - Logger.warn("No Metadata found with EntityID " + attributeRequest.getIssuer().getValue()); - } - } - - request.setVerified(false); - return request; - - } - } - - Logger.error("Receive empty PVP 2.1 attributequery request."); - throw new AttributQueryException("Receive empty PVP 2.1 attributequery request.", null); - } - - public boolean handleDecode(String action, HttpServletRequest req) { - return (req.getMethod().equals("POST") && - (action.equals(PVP2XProtocol.SOAP) || action.equals(PVP2XProtocol.ATTRIBUTEQUERY))); - } - - public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, - RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq) - throws MessageEncodingException, SecurityException, PVP2Exception { - - } - - public void encodeRespone(HttpServletRequest req, HttpServletResponse resp, - StatusResponseType response, String targetLocation, String relayState, Credential credentials, IRequest pendingReq) - throws MessageEncodingException, SecurityException, PVP2Exception { -// try { -// Credential credentials = credentialProvider -// .getIDPAssertionSigningCredential(); - - //load default PVP security configurations - MOADefaultBootstrap.initializeDefaultPVPConfiguration(); - - HTTPSOAP11Encoder encoder = new HTTPSOAP11Encoder(); - HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( - resp, true); - BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); - context.setOutboundSAMLMessageSigningCredential(credentials); - context.setOutboundSAMLMessage(response); - context.setOutboundMessageTransport(responseAdapter); - - encoder.encode(context); -// } catch (CredentialsNotAvailableException e) { -// e.printStackTrace(); -// throw new SecurityException(e); -// } - } - - public String getSAML2BindingName() { - return SAMLConstants.SAML2_SOAP11_BINDING_URI; - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java index f3af12a2c..b5f77ce1a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java @@ -49,14 +49,15 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import org.w3c.dom.Document; +import at.gv.egiz.eaaf.modules.pvp2.exception.AttributQueryException; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPAttributeBuilder; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.SamlAttributeGenerator; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.SamlAttributeGenerator; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; /** @@ -104,7 +105,7 @@ public class AttributQueryBuilder { String endpoint, List<Attribute> requestedAttributes) throws AttributQueryException { - try { + try { AttributeQuery query = new AttributeQueryBuilder().buildObject(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java deleted file mode 100644 index 78ddab488..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java +++ /dev/null @@ -1,147 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.builder; - -import java.util.ArrayList; -import java.util.List; - -import org.joda.time.DateTime; -import org.opensaml.Configuration; -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.saml2.core.Assertion; -import org.opensaml.saml2.core.EncryptedAssertion; -import org.opensaml.saml2.core.Issuer; -import org.opensaml.saml2.core.NameID; -import org.opensaml.saml2.core.RequestAbstractType; -import org.opensaml.saml2.core.Response; -import org.opensaml.saml2.encryption.Encrypter; -import org.opensaml.saml2.encryption.Encrypter.KeyPlacement; -import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.saml2.metadata.provider.MetadataProvider; -import org.opensaml.security.MetadataCredentialResolver; -import org.opensaml.security.MetadataCriteria; -import org.opensaml.xml.encryption.EncryptionException; -import org.opensaml.xml.encryption.EncryptionParameters; -import org.opensaml.xml.encryption.KeyEncryptionParameters; -import org.opensaml.xml.security.CriteriaSet; -import org.opensaml.xml.security.SecurityException; -import org.opensaml.xml.security.credential.UsageType; -import org.opensaml.xml.security.criteria.EntityIDCriteria; -import org.opensaml.xml.security.criteria.UsageCriteria; -import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory; -import org.opensaml.xml.security.x509.X509Credential; - -import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionEncryptionException; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; -import at.gv.egovernment.moa.logging.Logger; - -/** - * @author tlenz - * - */ -public class AuthResponseBuilder { - - public static Response buildResponse(MetadataProvider metadataProvider, String issuerEntityID, RequestAbstractType req, DateTime date, Assertion assertion, boolean enableEncryption) throws InvalidAssertionEncryptionException, ConfigurationException { - Response authResponse = SAML2Utils.createSAMLObject(Response.class); - - Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); - - nissuer.setValue(issuerEntityID); - nissuer.setFormat(NameID.ENTITY); - authResponse.setIssuer(nissuer); - authResponse.setInResponseTo(req.getID()); - - //set responseID - String remoteSessionID = SAML2Utils.getSecureIdentifier(); - authResponse.setID(remoteSessionID); - - - //SAML2 response required IssueInstant - authResponse.setIssueInstant(date); - - authResponse.setStatus(SAML2Utils.getSuccessStatus()); - - //check, if metadata includes an encryption key - MetadataCredentialResolver mdCredResolver = - new MetadataCredentialResolver(metadataProvider); - - CriteriaSet criteriaSet = new CriteriaSet(); - criteriaSet.add( new EntityIDCriteria(req.getIssuer().getValue()) ); - criteriaSet.add( new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS) ); - criteriaSet.add( new UsageCriteria(UsageType.ENCRYPTION) ); - - X509Credential encryptionCredentials = null; - try { - encryptionCredentials = (X509Credential) mdCredResolver.resolveSingle(criteriaSet); - - } catch (SecurityException e2) { - Logger.warn("Can not extract the Assertion Encryption-Key from metadata", e2); - throw new InvalidAssertionEncryptionException(); - - } - - if (encryptionCredentials != null && enableEncryption) { - //encrypt SAML2 assertion - - try { - - EncryptionParameters dataEncParams = new EncryptionParameters(); - dataEncParams.setAlgorithm(PVPConstants.DEFAULT_SYM_ENCRYPTION_METHODE); - - List<KeyEncryptionParameters> keyEncParamList = new ArrayList<KeyEncryptionParameters>(); - KeyEncryptionParameters keyEncParam = new KeyEncryptionParameters(); - - keyEncParam.setEncryptionCredential(encryptionCredentials); - keyEncParam.setAlgorithm(PVPConstants.DEFAULT_ASYM_ENCRYPTION_METHODE); - KeyInfoGeneratorFactory kigf = Configuration.getGlobalSecurityConfiguration() - .getKeyInfoGeneratorManager().getDefaultManager() - .getFactory(encryptionCredentials); - keyEncParam.setKeyInfoGenerator(kigf.newInstance()); - keyEncParamList.add(keyEncParam); - - Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList); - //samlEncrypter.setKeyPlacement(KeyPlacement.INLINE); - samlEncrypter.setKeyPlacement(KeyPlacement.PEER); - - EncryptedAssertion encryptAssertion = null; - - encryptAssertion = samlEncrypter.encrypt(assertion); - - authResponse.getEncryptedAssertions().add(encryptAssertion); - - } catch (EncryptionException e1) { - Logger.warn("Can not encrypt the PVP2 assertion", e1); - throw new InvalidAssertionEncryptionException(); - - } - - } else { - authResponse.getAssertions().add(assertion); - - } - - return authResponse; - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/CitizenTokenBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/CitizenTokenBuilder.java deleted file mode 100644 index d2a63c72f..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/CitizenTokenBuilder.java +++ /dev/null @@ -1,171 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.builder; - -import org.opensaml.saml2.core.Attribute; -import org.opensaml.saml2.core.AttributeValue; -import org.opensaml.xml.Configuration; -import org.opensaml.xml.XMLObject; -import org.opensaml.xml.schema.XSInteger; -import org.opensaml.xml.schema.XSString; -import org.opensaml.xml.schema.impl.XSIntegerBuilder; -import org.opensaml.xml.schema.impl.XSStringBuilder; - -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; - -public class CitizenTokenBuilder { - - public static XMLObject buildAttributeStringValue(String value) { - XSStringBuilder stringBuilder = (XSStringBuilder) Configuration.getBuilderFactory().getBuilder(XSString.TYPE_NAME); - XSString stringValue = stringBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSString.TYPE_NAME); - stringValue.setValue(value); - return stringValue; - } - - public static XMLObject buildAttributeIntegerValue(int value) { - XSIntegerBuilder integerBuilder = (XSIntegerBuilder) Configuration.getBuilderFactory().getBuilder(XSInteger.TYPE_NAME); - XSInteger integerValue = integerBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSInteger.TYPE_NAME); - integerValue.setValue(value); - return integerValue; - } - - public static Attribute buildStringAttribute(String friendlyName, - String name, String value) { - Attribute attribute = - SAML2Utils.createSAMLObject(Attribute.class); - attribute.setFriendlyName(friendlyName); - attribute.setName(name); - attribute.getAttributeValues().add(buildAttributeStringValue(value)); - return attribute; - } - - public static Attribute buildIntegerAttribute(String friendlyName, - String name, int value) { - Attribute attribute = - SAML2Utils.createSAMLObject(Attribute.class); - attribute.setFriendlyName(friendlyName); - attribute.setName(name); - attribute.getAttributeValues().add(buildAttributeIntegerValue(value)); - return attribute; - } - - public static Attribute buildPVPVersion(String value) { - return buildStringAttribute("PVP-VERSION", - "urn:oid:1.2.40.0.10.2.1.1.261.10", value); - } - - public static Attribute buildSecClass(int value) { - return buildIntegerAttribute("SECCLASS", - "", value); - } - - public static Attribute buildPrincipalName(String value) { - return buildStringAttribute("PRINCIPAL-NAME", - "urn:oid:1.2.40.0.10.2.1.1.261.20", value); - } - - public static Attribute buildGivenName(String value) { - return buildStringAttribute("GIVEN-NAME", - "urn:oid:2.5.4.42", value); - } - - public static Attribute buildBirthday(String value) { - return buildStringAttribute("BIRTHDATE", - "urn:oid:1.2.40.0.10.2.1.1.55", value); - } - - public static Attribute buildBPK(String value) { - return buildStringAttribute("BPK", - "urn:oid:1.2.40.0.10.2.1.1.149", value); - } - - public static Attribute buildEID_CITIZEN_QAALEVEL(int value) { - return buildIntegerAttribute("EID-CITIZEN-QAA-LEVEL", - "urn:oid:1.2.40.0.10.2.1.1.261.94", value); - } - - public static Attribute buildEID_ISSUING_NATION(String value) { - return buildStringAttribute("EID-ISSUING-NATION", - "urn:oid:1.2.40.0.10.2.1.1.261.32", value); - } - - public static Attribute buildEID_SECTOR_FOR_IDENTIFIER(String value) { - return buildStringAttribute("EID-SECTOR-FOR-IDENTIFIER", - "urn:oid:1.2.40.0.10.2.1.1.261.34", value); - } - - -// public static AttributeStatement buildCitizenToken(MOARequest obj, -// AuthenticationSession authSession) { -// AttributeStatement statement = -// SAML2Utils.createSAMLObject(AttributeStatement.class); -// -// //TL: AuthData generation is moved out from VerifyAuthBlockServlet -// try { -// -// //TODO: LOAD oaParam from request and not from MOASession in case of SSO -// OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() -// .getOnlineApplicationParameter(authSession.getPublicOAURLPrefix()); -// -// AuthenticationData authData = AuthenticationServer.buildAuthenticationData(authSession, -// oaParam, -// authSession.getTarget()); -// -// Attribute pvpVersion = buildPVPVersion("2.1"); -// Attribute secClass = buildSecClass(3); -// Attribute principalName = buildPrincipalName(authData.getFamilyName()); -// Attribute givenName = buildGivenName(authData.getGivenName()); -// Attribute birthdate = buildBirthday(authData.getDateOfBirth()); -// -// //TL: getIdentificationValue holds the baseID --> change to pBK -// Attribute bpk = buildBPK(authData.getBPK()); -// -// Attribute eid_citizen_qaa = buildEID_CITIZEN_QAALEVEL(3); -// Attribute eid_issuing_nation = buildEID_ISSUING_NATION("AT"); -// Attribute eid_sector_for_id = buildEID_SECTOR_FOR_IDENTIFIER(authData.getIdentificationType()); -// -// statement.getAttributes().add(pvpVersion); -// statement.getAttributes().add(secClass); -// statement.getAttributes().add(principalName); -// statement.getAttributes().add(givenName); -// statement.getAttributes().add(birthdate); -// statement.getAttributes().add(bpk); -// statement.getAttributes().add(eid_citizen_qaa); -// statement.getAttributes().add(eid_issuing_nation); -// statement.getAttributes().add(eid_sector_for_id); -// -// return statement; -// -// } catch (ConfigurationException e) { -// -// // TODO: check Exception Handling -// return null; -// } catch (BuildException e) { -// -// // TODO: check Exception Handling -// return null; -// } -// -// -// } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java deleted file mode 100644 index 07da57d2a..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java +++ /dev/null @@ -1,207 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.builder; - -import java.util.ArrayList; -import java.util.Collection; -import java.util.HashMap; -import java.util.Iterator; -import java.util.List; -import java.util.ServiceLoader; - -import org.opensaml.saml2.core.Attribute; -import org.opensaml.saml2.metadata.RequestedAttribute; - -import at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder; -import at.gv.egiz.eaaf.core.api.idp.IAttributeGenerator; -import at.gv.egiz.eaaf.core.api.idp.IAuthData; -import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; -import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; -import at.gv.egiz.eaaf.core.exceptions.InvalidDateFormatAttributeException; -import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.SamlAttributeGenerator; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidDateFormatException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.UnprovideableAttributeException; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; -import at.gv.egovernment.moa.logging.Logger; - -public class PVPAttributeBuilder { - - private static IAttributeGenerator<Attribute> generator = new SamlAttributeGenerator(); - - private static HashMap<String, IAttributeBuilder> builders; - - private static ServiceLoader<IAttributeBuilder> attributBuilderLoader = - ServiceLoader.load(IAttributeBuilder.class); - - private static void addBuilder(IAttributeBuilder builder) { - builders.put(builder.getName(), builder); - } - - static { - builders = new HashMap<String, IAttributeBuilder>(); - - Logger.info("Loading protocol attribut-builder modules:"); - if (attributBuilderLoader != null ) { - Iterator<IAttributeBuilder> moduleLoaderInterator = attributBuilderLoader.iterator(); - while (moduleLoaderInterator.hasNext()) { - try { - IAttributeBuilder modul = moduleLoaderInterator.next(); - Logger.info("Loading attribut-builder Modul Information: " + modul.getName()); - addBuilder(modul); - - } catch(Throwable e) { - Logger.error("Check configuration! " + "Some attribute-builder modul" + - " is not a valid IAttributeBuilder", e); - } - } - } - - Logger.info("Loading attribute-builder modules done"); - - } - - - /** - * Get a specific attribute builder - * - * @param name Attribute-builder friendly name - * - * @return Attribute-builder with this name or null if builder does not exists - */ - public static IAttributeBuilder getAttributeBuilder(String name) { - return builders.get(name); - - } - - public static Attribute buildAttribute(String name, ISPConfiguration oaParam, - IAuthData authData) throws PVP2Exception, AttributeBuilderException { - if (builders.containsKey(name)) { - try { - return builders.get(name).build(oaParam, authData, generator); - } - catch (AttributeBuilderException e) { - if (e instanceof UnavailableAttributeException) { - throw e; - } else if (e instanceof InvalidDateFormatAttributeException) { - throw new InvalidDateFormatException(); - } else if (e instanceof NoMandateDataAttributeException) { - throw new NoMandateDataAvailableException(); - } else { - throw new UnprovideableAttributeException(name); - } - } - } - return null; - } - - public static Attribute buildEmptyAttribute(String name) { - if (builders.containsKey(name)) { - return builders.get(name).buildEmpty(generator); - } - return null; - } - - public static Attribute buildAttribute(String name, String value) { - if (builders.containsKey(name)) { - return builders.get(name).buildEmpty(generator); - } - return null; - } - - - - public static List<Attribute> buildSupportedEmptyAttributes() { - List<Attribute> attributes = new ArrayList<Attribute>(); - Iterator<IAttributeBuilder> builderIt = builders.values().iterator(); - while (builderIt.hasNext()) { - IAttributeBuilder builder = builderIt.next(); - Attribute emptyAttribute = builder.buildEmpty(generator); - if (emptyAttribute != null) { - attributes.add(emptyAttribute); - } - } - return attributes; - } - - public static RequestedAttribute buildReqAttribute(String name, String friendlyName, boolean required) { - RequestedAttribute attribute = SAML2Utils.createSAMLObject(RequestedAttribute.class); - attribute.setIsRequired(required); - attribute.setName(name); - attribute.setFriendlyName(friendlyName); - attribute.setNameFormat(Attribute.URI_REFERENCE); - return attribute; - } - - /** - * Build a set of PVP Response-Attributes - * <br><br> - * <b>INFO:</b> If a specific attribute can not be build, a info is logged, but no execpetion is thrown. - * Therefore, the return List must not include all requested attributes. - * - * @param authData AuthenticationData <code>IAuthData</code> which is used to build the attribute values, but never <code>null</code> - * @param reqAttributenName List of PVP attribute names which are requested, but never <code>null</code> - * @return List of PVP attributes, but never <code>null</code> - */ - public static List<Attribute> buildSetOfResponseAttributes(IAuthData authData, - Collection<String> reqAttributenName) { - List<Attribute> attrList = new ArrayList<Attribute>(); - if (reqAttributenName != null) { - Iterator<String> it = reqAttributenName.iterator(); - while (it.hasNext()) { - String reqAttributName = it.next(); - try { - Attribute attr = PVPAttributeBuilder.buildAttribute( - reqAttributName, null, authData); - if (attr == null) { - Logger.info( - "Attribute generation failed! for " - + reqAttributName); - - } else { - attrList.add(attr); - - } - - } catch (PVP2Exception e) { - Logger.info( - "Attribute generation failed! for " - + reqAttributName); - - } catch (Exception e) { - Logger.warn( - "General Attribute generation failed! for " - + reqAttributName, e); - - } - } - } - - return attrList; - } - - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java deleted file mode 100644 index a55e873b5..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java +++ /dev/null @@ -1,221 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.builder; - -import java.security.NoSuchAlgorithmException; - -import javax.servlet.http.HttpServletResponse; - -import org.joda.time.DateTime; -import org.opensaml.common.impl.SecureRandomIdentifierGenerator; -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.saml2.core.AuthnContextClassRef; -import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; -import org.opensaml.saml2.core.AuthnRequest; -import org.opensaml.saml2.core.Issuer; -import org.opensaml.saml2.core.NameID; -import org.opensaml.saml2.core.NameIDPolicy; -import org.opensaml.saml2.core.NameIDType; -import org.opensaml.saml2.core.RequestedAuthnContext; -import org.opensaml.saml2.core.Subject; -import org.opensaml.saml2.core.SubjectConfirmation; -import org.opensaml.saml2.core.SubjectConfirmationData; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.SingleSignOnService; -import org.opensaml.ws.message.encoder.MessageEncodingException; -import org.opensaml.xml.security.SecurityException; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.context.ApplicationContext; -import org.springframework.stereotype.Service; - -import at.gv.egiz.eaaf.core.api.IRequest; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestBuildException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MiscUtil; - -/** - * @author tlenz - * - */ -@Service("PVPAuthnRequestBuilder") -public class PVPAuthnRequestBuilder { - - @Autowired(required=true) ApplicationContext springContext; - - /** - * Build a PVP2.x specific authentication request - * - * @param pendingReq Currently processed pendingRequest - * @param config AuthnRequest builder configuration, never null - * @param idpEntity SAML2 EntityDescriptor of the IDP, which receive this AuthnRequest, never null - * @param httpResp - * @throws NoSuchAlgorithmException - * @throws SecurityException - * @throws PVP2Exception - * @throws MessageEncodingException - */ - public void buildAuthnRequest(IRequest pendingReq, IPVPAuthnRequestBuilderConfiguruation config, - HttpServletResponse httpResp) throws NoSuchAlgorithmException, MessageEncodingException, PVP2Exception, SecurityException { - //get IDP Entity element from config - EntityDescriptor idpEntity = config.getIDPEntityDescriptor(); - - AuthnRequest authReq = SAML2Utils - .createSAMLObject(AuthnRequest.class); - - //select SingleSignOn Service endpoint from IDP metadata - SingleSignOnService endpoint = null; - for (SingleSignOnService sss : - idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleSignOnServices()) { - - // use POST binding as default if it exists - if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) { - endpoint = sss; - - } else if ( sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI) - && endpoint == null ) - endpoint = sss; - - } - - if (endpoint == null) { - Logger.warn("Building AuthnRequest FAILED: > Requested IDP " + idpEntity.getEntityID() - + " does not support POST or Redirect Binding."); - throw new AuthnRequestBuildException("sp.pvp2.00", new Object[]{config.getSPNameForLogging(), idpEntity.getEntityID()}); - - } else - authReq.setDestination(endpoint.getLocation()); - - - //set basic AuthnRequest information - String reqID = config.getRequestID(); - if (MiscUtil.isNotEmpty(reqID)) - authReq.setID(reqID); - - else { - SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator(); - authReq.setID(gen.generateIdentifier()); - - } - - authReq.setIssueInstant(new DateTime()); - - //set isPassive flag - if (config.isPassivRequest() == null) - authReq.setIsPassive(false); - else - authReq.setIsPassive(config.isPassivRequest()); - - //set EntityID of the service provider - Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); - issuer.setFormat(NameIDType.ENTITY); - issuer.setValue(config.getSPEntityID()); - authReq.setIssuer(issuer); - - //set AssertionConsumerService ID - if (config.getAssertionConsumerServiceId() != null) - authReq.setAssertionConsumerServiceIndex(config.getAssertionConsumerServiceId()); - - //set NameIDPolicy - if (config.getNameIDPolicyFormat() != null) { - NameIDPolicy policy = SAML2Utils.createSAMLObject(NameIDPolicy.class); - policy.setAllowCreate(config.getNameIDPolicyAllowCreation()); - policy.setFormat(config.getNameIDPolicyFormat()); - authReq.setNameIDPolicy(policy); - } - - //set requested QAA level - if (config.getAuthnContextClassRef() != null) { - RequestedAuthnContext reqAuthContext = SAML2Utils.createSAMLObject(RequestedAuthnContext.class); - AuthnContextClassRef authnClassRef = SAML2Utils.createSAMLObject(AuthnContextClassRef.class); - - authnClassRef.setAuthnContextClassRef(config.getAuthnContextClassRef()); - - if (config.getAuthnContextComparison() == null) - reqAuthContext.setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM); - else - reqAuthContext.setComparison(config.getAuthnContextComparison()); - - reqAuthContext.getAuthnContextClassRefs().add(authnClassRef); - authReq.setRequestedAuthnContext(reqAuthContext); - } - - //set request Subject element - if (MiscUtil.isNotEmpty(config.getSubjectNameID())) { - Subject reqSubject = SAML2Utils.createSAMLObject(Subject.class); - NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class); - - subjectNameID.setValue(config.getSubjectNameID()); - if (MiscUtil.isNotEmpty(config.getSubjectNameIDQualifier())) - subjectNameID.setNameQualifier(config.getSubjectNameIDQualifier()); - - if (MiscUtil.isNotEmpty(config.getSubjectNameIDFormat())) - subjectNameID.setFormat(config.getSubjectNameIDFormat()); - else - subjectNameID.setFormat(NameID.TRANSIENT); - - reqSubject.setNameID(subjectNameID); - - if (config.getSubjectConformationDate() != null) { - SubjectConfirmation subjectConformation = SAML2Utils.createSAMLObject(SubjectConfirmation.class); - SubjectConfirmationData subjectConformDate = SAML2Utils.createSAMLObject(SubjectConfirmationData.class); - subjectConformation.setSubjectConfirmationData(subjectConformDate); - reqSubject.getSubjectConfirmations().add(subjectConformation ); - - if (config.getSubjectConformationMethode() != null) - subjectConformation.setMethod(config.getSubjectConformationMethode()); - - subjectConformDate.setDOM(config.getSubjectConformationDate()); - - } - - authReq.setSubject(reqSubject ); - - } - - //TODO: implement requested attributes - //maybe: config.getRequestedAttributes(); - - //select message encoder - IEncoder binding = null; - if (endpoint.getBinding().equals( - SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { - binding = springContext.getBean("PVPRedirectBinding", RedirectBinding.class); - - } else if (endpoint.getBinding().equals( - SAMLConstants.SAML2_POST_BINDING_URI)) { - binding = springContext.getBean("PVPPOSTBinding", PostBinding.class); - - } - - //encode message - binding.encodeRequest(null, httpResp, authReq, - endpoint.getLocation(), pendingReq.getPendingRequestId(), config.getAuthnRequestSigningCredential(), pendingReq); - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java deleted file mode 100644 index e2ac50e5e..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java +++ /dev/null @@ -1,442 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.builder; - -import java.io.IOException; -import java.io.StringWriter; -import java.util.List; - -import javax.xml.parsers.DocumentBuilder; -import javax.xml.parsers.DocumentBuilderFactory; -import javax.xml.parsers.ParserConfigurationException; -import javax.xml.transform.Transformer; -import javax.xml.transform.TransformerException; -import javax.xml.transform.TransformerFactory; -import javax.xml.transform.TransformerFactoryConfigurationError; -import javax.xml.transform.dom.DOMSource; -import javax.xml.transform.stream.StreamResult; - -import org.joda.time.DateTime; -import org.opensaml.Configuration; -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.saml2.metadata.AssertionConsumerService; -import org.opensaml.saml2.metadata.AttributeConsumingService; -import org.opensaml.saml2.metadata.ContactPerson; -import org.opensaml.saml2.metadata.EntitiesDescriptor; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.IDPSSODescriptor; -import org.opensaml.saml2.metadata.KeyDescriptor; -import org.opensaml.saml2.metadata.LocalizedString; -import org.opensaml.saml2.metadata.NameIDFormat; -import org.opensaml.saml2.metadata.Organization; -import org.opensaml.saml2.metadata.RequestedAttribute; -import org.opensaml.saml2.metadata.RoleDescriptor; -import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.saml2.metadata.ServiceName; -import org.opensaml.saml2.metadata.SingleLogoutService; -import org.opensaml.saml2.metadata.SingleSignOnService; -import org.opensaml.xml.io.Marshaller; -import org.opensaml.xml.io.MarshallingException; -import org.opensaml.xml.security.SecurityException; -import org.opensaml.xml.security.SecurityHelper; -import org.opensaml.xml.security.credential.Credential; -import org.opensaml.xml.security.credential.UsageType; -import org.opensaml.xml.security.keyinfo.KeyInfoGenerator; -import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; -import org.opensaml.xml.signature.Signature; -import org.opensaml.xml.signature.SignatureException; -import org.opensaml.xml.signature.Signer; -import org.springframework.stereotype.Service; -import org.w3c.dom.Document; - -import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MiscUtil; - -/** - * @author tlenz - * - */ - -@Service("PVPMetadataBuilder") -public class PVPMetadataBuilder { - - X509KeyInfoGeneratorFactory keyInfoFactory = null; - - /** - * - */ - public PVPMetadataBuilder() { - keyInfoFactory = new X509KeyInfoGeneratorFactory(); - keyInfoFactory.setEmitEntityIDAsKeyName(true); - keyInfoFactory.setEmitEntityCertificate(true); - - } - - - /** - * - * Build PVP 2.1 conform SAML2 metadata - * - * @param config - * PVPMetadataBuilder configuration - * - * @return PVP metadata as XML String - * @throws SecurityException - * @throws ConfigurationException - * @throws CredentialsNotAvailableException - * @throws TransformerFactoryConfigurationError - * @throws MarshallingException - * @throws TransformerException - * @throws ParserConfigurationException - * @throws IOException - * @throws SignatureException - */ - public String buildPVPMetadata(IPVPMetadataBuilderConfiguration config) throws CredentialsNotAvailableException, ConfigurationException, SecurityException, TransformerFactoryConfigurationError, MarshallingException, TransformerException, ParserConfigurationException, IOException, SignatureException { - DateTime date = new DateTime(); - EntityDescriptor entityDescriptor = SAML2Utils - .createSAMLObject(EntityDescriptor.class); - - //set entityID - entityDescriptor.setEntityID(config.getEntityID()); - - //set contact and organisation information - List<ContactPerson> contactPersons = config.getContactPersonInformation(); - if (contactPersons != null) - entityDescriptor.getContactPersons().addAll(contactPersons); - - Organization organisation = config.getOrgansiationInformation(); - if (organisation != null) - entityDescriptor.setOrganization(organisation); - - //set IDP metadata - if (config.buildIDPSSODescriptor()) { - RoleDescriptor idpSSODesc = generateIDPMetadata(config); - if (idpSSODesc != null) - entityDescriptor.getRoleDescriptors().add(idpSSODesc); - - } - - //set SP metadata for interfederation - if (config.buildSPSSODescriptor()) { - RoleDescriptor spSSODesc = generateSPMetadata(config); - if (spSSODesc != null) - entityDescriptor.getRoleDescriptors().add(spSSODesc); - - } - - //set metadata signature parameters - Credential metadataSignCred = config.getMetadataSigningCredentials(); - Signature signature = AbstractCredentialProvider.getIDPSignature(metadataSignCred); - SecurityHelper.prepareSignatureParams(signature, metadataSignCred, null, null); - - //initialize XML document builder - DocumentBuilder builder; - DocumentBuilderFactory factory = DocumentBuilderFactory - .newInstance(); - - builder = factory.newDocumentBuilder(); - Document document = builder.newDocument(); - - - //build entities descriptor - if (config.buildEntitiesDescriptorAsRootElement()) { - EntitiesDescriptor entitiesDescriptor = - SAML2Utils.createSAMLObject(EntitiesDescriptor.class); - entitiesDescriptor.setName(config.getEntityFriendlyName()); - entitiesDescriptor.setID(SAML2Utils.getSecureIdentifier()); - entitiesDescriptor.setValidUntil(date.plusHours(config.getMetadataValidUntil())); - entitiesDescriptor.getEntityDescriptors().add(entityDescriptor); - - //load default PVP security configurations - MOADefaultBootstrap.initializeDefaultPVPConfiguration(); - entitiesDescriptor.setSignature(signature); - - - //marshall document - Marshaller out = Configuration.getMarshallerFactory() - .getMarshaller(entitiesDescriptor); - out.marshall(entitiesDescriptor, document); - - } else { - entityDescriptor.setValidUntil(date.plusHours(config.getMetadataValidUntil())); - entityDescriptor.setID(SAML2Utils.getSecureIdentifier()); - - entityDescriptor.setSignature(signature); - - - - //marshall document - Marshaller out = Configuration.getMarshallerFactory() - .getMarshaller(entityDescriptor); - out.marshall(entityDescriptor, document); - - } - - //sign metadata - Signer.signObject(signature); - - //transform metadata object to XML string - Transformer transformer = TransformerFactory.newInstance() - .newTransformer(); - - StringWriter sw = new StringWriter(); - StreamResult sr = new StreamResult(sw); - DOMSource source = new DOMSource(document); - transformer.transform(source, sr); - sw.close(); - - return sw.toString(); - } - - - private RoleDescriptor generateSPMetadata(IPVPMetadataBuilderConfiguration config) throws CredentialsNotAvailableException, SecurityException, ConfigurationException { - SPSSODescriptor spSSODescriptor = SAML2Utils.createSAMLObject(SPSSODescriptor.class); - spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); - spSSODescriptor.setAuthnRequestsSigned(config.wantAuthnRequestSigned()); - spSSODescriptor.setWantAssertionsSigned(config.wantAssertionSigned()); - - KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance(); - - //Set AuthRequest Signing certificate - Credential authcredential = config.getRequestorResponseSigningCredentials(); - if (authcredential == null) { - Logger.warn("SP Metadata generation FAILED! --> Builder has NO request signing-credential. "); - return null; - - } else { - KeyDescriptor signKeyDescriptor = SAML2Utils - .createSAMLObject(KeyDescriptor.class); - signKeyDescriptor.setUse(UsageType.SIGNING); - signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authcredential)); - spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); - - } - - //Set assertion encryption credentials - Credential authEncCredential = config.getEncryptionCredentials(); - - if (authEncCredential != null) { - KeyDescriptor encryKeyDescriptor = SAML2Utils - .createSAMLObject(KeyDescriptor.class); - encryKeyDescriptor.setUse(UsageType.ENCRYPTION); - encryKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authEncCredential)); - spSSODescriptor.getKeyDescriptors().add(encryKeyDescriptor); - - } else { - Logger.warn("No Assertion Encryption-Key defined. This setting is not recommended!"); - - } - - //check nameID formates - if (config.getSPAllowedNameITTypes() == null || config.getSPAllowedNameITTypes().size() == 0) { - Logger.warn("SP Metadata generation FAILED! --> Builder has NO provideable SAML2 nameIDFormats. "); - return null; - - } else { - for (String format : config.getSPAllowedNameITTypes()) { - NameIDFormat nameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); - nameIDFormat.setFormat(format); - spSSODescriptor.getNameIDFormats().add(nameIDFormat); - - } - } - - - //add POST-Binding assertion consumer services - if (MiscUtil.isNotEmpty(config.getSPAssertionConsumerServicePostBindingURL())) { - AssertionConsumerService postassertionConsumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class); - postassertionConsumerService.setIndex(0); - postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); - postassertionConsumerService.setLocation(config.getSPAssertionConsumerServicePostBindingURL()); - postassertionConsumerService.setIsDefault(true); - spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService); - - } - - //add POST-Binding assertion consumer services - if (MiscUtil.isNotEmpty(config.getSPAssertionConsumerServiceRedirectBindingURL())) { - AssertionConsumerService redirectassertionConsumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class); - redirectassertionConsumerService.setIndex(1); - redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); - redirectassertionConsumerService.setLocation(config.getSPAssertionConsumerServiceRedirectBindingURL()); - spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService); - - } - - //validate WebSSO endpoints - if (spSSODescriptor.getAssertionConsumerServices().size() == 0) { - Logger.warn("SP Metadata generation FAILED! --> NO SAML2 AssertionConsumerService endpoint found. "); - return null; - - } - - //add POST-Binding SLO descriptor - if (MiscUtil.isNotEmpty(config.getSPSLOPostBindingURL())) { - SingleLogoutService postSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class); - postSLOService.setLocation(config.getSPSLOPostBindingURL()); - postSLOService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); - spSSODescriptor.getSingleLogoutServices().add(postSLOService); - - } - - //add POST-Binding SLO descriptor - if (MiscUtil.isNotEmpty(config.getSPSLORedirectBindingURL())) { - SingleLogoutService redirectSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class); - redirectSLOService.setLocation(config.getSPSLORedirectBindingURL()); - redirectSLOService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); - spSSODescriptor.getSingleLogoutServices().add(redirectSLOService); - - } - - //add POST-Binding SLO descriptor - if (MiscUtil.isNotEmpty(config.getSPSLOSOAPBindingURL())) { - SingleLogoutService soapSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class); - soapSLOService.setLocation(config.getSPSLOSOAPBindingURL()); - soapSLOService.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI); - spSSODescriptor.getSingleLogoutServices().add(soapSLOService); - - } - - - //add required attributes - List<RequestedAttribute> reqSPAttr = config.getSPRequiredAttributes(); - AttributeConsumingService attributeService = SAML2Utils.createSAMLObject(AttributeConsumingService.class); - - attributeService.setIndex(0); - attributeService.setIsDefault(true); - ServiceName serviceName = SAML2Utils.createSAMLObject(ServiceName.class); - serviceName.setName(new LocalizedString("Default Service", "en")); - attributeService.getNames().add(serviceName); - - if (reqSPAttr != null && reqSPAttr.size() > 0) { - Logger.debug("Add " + reqSPAttr.size() + " attributes to SP metadata"); - attributeService.getRequestAttributes().addAll(reqSPAttr); - - } else { - Logger.debug("SP metadata contains NO requested attributes."); - - } - - spSSODescriptor.getAttributeConsumingServices().add(attributeService); - - return spSSODescriptor; - } - - private IDPSSODescriptor generateIDPMetadata(IPVPMetadataBuilderConfiguration config) throws ConfigurationException, CredentialsNotAvailableException, SecurityException { - //check response signing credential - Credential responseSignCred = config.getRequestorResponseSigningCredentials(); - if (responseSignCred == null) { - Logger.warn("IDP Metadata generation FAILED! --> Builder has NO Response signing credential. "); - return null; - - } - - //check nameID formates - if (config.getIDPPossibleNameITTypes() == null || config.getIDPPossibleNameITTypes().size() == 0) { - Logger.warn("IDP Metadata generation FAILED! --> Builder has NO provideable SAML2 nameIDFormats. "); - return null; - - } - - // build SAML2 IDP-SSO descriptor element - IDPSSODescriptor idpSSODescriptor = SAML2Utils - .createSAMLObject(IDPSSODescriptor.class); - - idpSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); - - //set ass default value, because PVP 2.x specification defines this feature as MUST - idpSSODescriptor.setWantAuthnRequestsSigned(config.wantAuthnRequestSigned()); - - // add WebSSO descriptor for POST-Binding - if (MiscUtil.isNotEmpty(config.getIDPWebSSOPostBindingURL())) { - SingleSignOnService postSingleSignOnService = SAML2Utils.createSAMLObject(SingleSignOnService.class); - postSingleSignOnService.setLocation(config.getIDPWebSSOPostBindingURL()); - postSingleSignOnService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); - idpSSODescriptor.getSingleSignOnServices().add(postSingleSignOnService); - - } - - // add WebSSO descriptor for Redirect-Binding - if (MiscUtil.isNotEmpty(config.getIDPWebSSORedirectBindingURL())) { - SingleSignOnService postSingleSignOnService = SAML2Utils.createSAMLObject(SingleSignOnService.class); - postSingleSignOnService.setLocation(config.getIDPWebSSORedirectBindingURL()); - postSingleSignOnService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); - idpSSODescriptor.getSingleSignOnServices().add(postSingleSignOnService); - - } - - //add Single LogOut POST-Binding endpoing - if (MiscUtil.isNotEmpty(config.getIDPSLOPostBindingURL())) { - SingleLogoutService postSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class); - postSLOService.setLocation(config.getIDPSLOPostBindingURL()); - postSLOService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); - idpSSODescriptor.getSingleLogoutServices().add(postSLOService); - - } - - //add Single LogOut Redirect-Binding endpoing - if (MiscUtil.isNotEmpty(config.getIDPSLORedirectBindingURL())) { - SingleLogoutService redirectSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class); - redirectSLOService.setLocation(config.getIDPSLORedirectBindingURL()); - redirectSLOService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); - idpSSODescriptor.getSingleLogoutServices().add(redirectSLOService); - - } - - //validate WebSSO endpoints - if (idpSSODescriptor.getSingleSignOnServices().size() == 0) { - Logger.warn("IDP Metadata generation FAILED! --> NO SAML2 SingleSignOnService endpoint found. "); - return null; - - } - - //set assertion signing key - KeyDescriptor signKeyDescriptor = SAML2Utils - .createSAMLObject(KeyDescriptor.class); - signKeyDescriptor.setUse(UsageType.SIGNING); - KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance(); - signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(config.getRequestorResponseSigningCredentials())); - idpSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); - - //set IDP attribute set - idpSSODescriptor.getAttributes().addAll(config.getIDPPossibleAttributes()); - - //set providable nameID formats - for (String format : config.getIDPPossibleNameITTypes()) { - NameIDFormat nameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); - nameIDFormat.setFormat(format); - idpSSODescriptor.getNameIDFormats().add(nameIDFormat); - - } - - return idpSSODescriptor; - - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java index a1d7f5d3a..53606b341 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java @@ -75,37 +75,39 @@ import at.gv.egiz.eaaf.core.api.idp.slo.ISLOInformationContainer; import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface; import at.gv.egiz.eaaf.core.api.logging.IRevisionLogger; import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.exceptions.GUIBuildException; import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; +import at.gv.egiz.eaaf.core.impl.data.SLOInformationImpl; import at.gv.egiz.eaaf.core.impl.utils.Random; +import at.gv.egiz.eaaf.modules.pvp2.api.IPVP2BasicConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.api.binding.IEncoder; +import at.gv.egiz.eaaf.modules.pvp2.exception.BindingNotSupportedException; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.exception.NoMetadataInformationException; +import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception; +import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PVPSProfilePendingRequest; +import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding; +import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PVPSProfileRequest; +import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.StringRedirectDeflateEncoder; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.frontend.builder.DefaultGUIFormBuilderConfiguration; -import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider; import at.gv.egovernment.moa.id.data.SLOInformationContainer; -import at.gv.egovernment.moa.id.data.SLOInformationImpl; -import at.gv.egovernment.moa.id.opemsaml.MOAStringRedirectDeflateEncoder; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NOSLOServiceDescriptorException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -120,14 +122,15 @@ public class SingleLogOutBuilder { @Autowired(required=true) ApplicationContext springContext; @Autowired private IDPCredentialProvider credentialProvider; @Autowired private SAMLVerificationEngineSP samlVerificationEngine; - @Autowired private IGUIFormBuilder guiBuilder; + @Autowired private IGUIFormBuilder guiBuilder; @Autowired(required=true) protected IRevisionLogger revisionsLogger; @Autowired private ITransactionStorage transactionStorage; + @Autowired(required=true) IPVP2BasicConfiguration pvpBasicConfiguration; public static final int SLOTIMEOUT = 30 * 1000; //30 sec public void toTechnicalLogout(ISLOInformationContainer sloContainer, - HttpServletRequest httpReq, HttpServletResponse httpResp, String authUrl) throws MOAIDException { + HttpServletRequest httpReq, HttpServletResponse httpResp, String authUrl) throws EAAFException { Logger.trace("Starting Service-Provider logout process ... "); revisionsLogger.logEvent(sloContainer.getSessionID(), sloContainer.getTransactionID(), MOAIDEventConstants.AUTHPROCESS_SLO_STARTED); @@ -174,7 +177,7 @@ public class SingleLogOutBuilder { } IRequest pendingReq = null; - PVPTargetConfiguration pvpReq = null; + PVPSProfilePendingRequest pvpReq = null; //start service provider front channel logout process try { if (sloContainer.hasFrontChannelOA()) { @@ -221,9 +224,9 @@ public class SingleLogOutBuilder { } else { pendingReq = sloContainer.getSloRequest(); - if (pendingReq != null && pendingReq instanceof PVPTargetConfiguration) { + if (pendingReq != null && pendingReq instanceof PVPSProfilePendingRequest) { //send SLO response to SLO request issuer - pvpReq = (PVPTargetConfiguration)pendingReq; + pvpReq = (PVPSProfilePendingRequest)pendingReq; SingleLogoutService sloService = getResponseSLODescriptor(pvpReq); LogoutResponse message = buildSLOResponseMessage(sloService, pvpReq, sloContainer.getSloFailedOAs()); sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, pvpReq.getRequest().getRelayState(), pvpReq); @@ -321,10 +324,11 @@ public class SingleLogOutBuilder { * @param httpResp * @param relayState * @return + * @throws CredentialsNotAvailableException */ public String getFrontChannelSLOMessageURL(String serviceURL, String bindingType, RequestAbstractType sloReq, HttpServletRequest httpReq, - HttpServletResponse httpResp, String relayState) throws MOAIDException { + HttpServletResponse httpResp, String relayState) throws MOAIDException, CredentialsNotAvailableException { try { X509Credential credentials = credentialProvider @@ -332,7 +336,7 @@ public class SingleLogOutBuilder { Logger.debug("create SAML RedirectBinding response"); - MOAStringRedirectDeflateEncoder encoder = new MOAStringRedirectDeflateEncoder(); + StringRedirectDeflateEncoder encoder = new StringRedirectDeflateEncoder(); BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); SingleLogoutService service = new SingleLogoutServiceBuilder() .buildObject(); @@ -356,7 +360,7 @@ public class SingleLogOutBuilder { public String getFrontChannelSLOMessageURL(SingleLogoutService service, StatusResponseType sloResp, HttpServletRequest httpReq, - HttpServletResponse httpResp, String relayState) throws MOAIDException { + HttpServletResponse httpResp, String relayState) throws MOAIDException, CredentialsNotAvailableException { try { X509Credential credentials = credentialProvider @@ -364,7 +368,7 @@ public class SingleLogOutBuilder { Logger.debug("create SAML RedirectBinding response"); - MOAStringRedirectDeflateEncoder encoder = new MOAStringRedirectDeflateEncoder(); + StringRedirectDeflateEncoder encoder = new StringRedirectDeflateEncoder(); BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); context.setOutboundSAMLMessageSigningCredential(credentials); context.setPeerEntityEndpoint(service); @@ -384,7 +388,7 @@ public class SingleLogOutBuilder { public void sendFrontChannelSLOMessage(SingleLogoutService consumerService, LogoutResponse sloResp, HttpServletRequest req, HttpServletResponse resp, - String relayState, PVPTargetConfiguration pvpReq) throws MOAIDException { + String relayState, PVPSProfilePendingRequest pvpReq) throws MOAIDException, PVP2Exception, CredentialsNotAvailableException { IEncoder binding = null; if (consumerService.getBinding().equals( SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { @@ -417,7 +421,7 @@ public class SingleLogOutBuilder { } - public LogoutRequest buildSLORequestMessage(SLOInformationInterface sloDescr) throws ConfigurationException, MOAIDException { + public LogoutRequest buildSLORequestMessage(SLOInformationInterface sloDescr) throws EAAFException { LogoutRequest sloReq = SAML2Utils.createSAMLObject(LogoutRequest.class); SecureRandomIdentifierGenerator gen; @@ -433,7 +437,7 @@ public class SingleLogOutBuilder { DateTime now = new DateTime(); Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); - issuer.setValue(PVPConfiguration.getInstance().getIDPSSOMetadataService(sloDescr.getAuthURL())); + issuer.setValue(pvpBasicConfiguration.getIDPEntityId(sloDescr.getAuthURL())); issuer.setFormat(NameID.ENTITY); sloReq.setIssuer(issuer); sloReq.setIssueInstant(now); @@ -477,7 +481,7 @@ public class SingleLogOutBuilder { return sloReq; } - public LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest, String firstLevelStatusCode) throws ConfigurationException, MOAIDException { + public LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPSProfilePendingRequest spRequest, String firstLevelStatusCode) throws EAAFException { LogoutResponse sloResp = buildBasicResponse(sloService, spRequest); Status status = SAML2Utils.createSAMLObject(Status.class); @@ -494,7 +498,7 @@ public class SingleLogOutBuilder { return sloResp; } - public LogoutResponse buildSLOResponseMessage(SingleLogoutService sloService, PVPTargetConfiguration spRequest, List<String> failedOAs) throws MOAIDException { + public LogoutResponse buildSLOResponseMessage(SingleLogoutService sloService, PVPSProfilePendingRequest spRequest, List<String> failedOAs) throws EAAFException { LogoutResponse sloResp = buildBasicResponse(sloService, spRequest); Status status; @@ -519,11 +523,10 @@ public class SingleLogOutBuilder { } - private LogoutResponse buildBasicResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest) throws ConfigurationException, MOAIDException { + private LogoutResponse buildBasicResponse(SingleLogoutService sloService, PVPSProfilePendingRequest spRequest) throws EAAFException { LogoutResponse sloResp = SAML2Utils.createSAMLObject(LogoutResponse.class); Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); - issuer.setValue(PVPConfiguration.getInstance().getIDPSSOMetadataService( - spRequest.getAuthURLWithOutSlash())); + issuer.setValue(pvpBasicConfiguration.getIDPEntityId(spRequest.getAuthURLWithOutSlash())); issuer.setFormat(NameID.ENTITY); sloResp.setIssuer(issuer); sloResp.setIssueInstant(new DateTime()); @@ -540,9 +543,9 @@ public class SingleLogOutBuilder { } - if (spRequest.getRequest() instanceof MOARequest && - ((MOARequest)spRequest.getRequest()).getSamlRequest() instanceof LogoutRequest) { - LogoutRequest sloReq = (LogoutRequest) ((MOARequest)spRequest.getRequest()).getSamlRequest(); + if (spRequest.getRequest() instanceof PVPSProfileRequest && + ((PVPSProfileRequest)spRequest.getRequest()).getSamlRequest() instanceof LogoutRequest) { + LogoutRequest sloReq = (LogoutRequest) ((PVPSProfileRequest)spRequest.getRequest()).getSamlRequest(); sloResp.setInResponseTo(sloReq.getID()); } @@ -592,8 +595,8 @@ public class SingleLogOutBuilder { } - public SingleLogoutService getResponseSLODescriptor(PVPTargetConfiguration spRequest) throws NoMetadataInformationException, NOSLOServiceDescriptorException { - MOARequest moaReq = (MOARequest) spRequest.getRequest(); + public SingleLogoutService getResponseSLODescriptor(PVPSProfilePendingRequest spRequest) throws NoMetadataInformationException, NOSLOServiceDescriptorException { + PVPSProfileRequest moaReq = (PVPSProfileRequest) spRequest.getRequest(); EntityDescriptor metadata = moaReq.getEntityMetadata(metadataProvider); SSODescriptor ssodesc = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); @@ -655,7 +658,8 @@ public class SingleLogOutBuilder { oa.getUserNameID(), oa.getUserNameIDFormat(), oa.getProtocolType(), - sloDesc)); + sloDesc.getBinding(), + sloDesc.getLocation())); else container.getActiveFrontChannalOAs().put(oa.getOaurlprefix(), @@ -666,7 +670,8 @@ public class SingleLogOutBuilder { oa.getUserNameID(), oa.getUserNameIDFormat(), oa.getProtocolType(), - sloDesc)); + sloDesc.getBinding(), + sloDesc.getLocation())); } catch (NOSLOServiceDescriptorException e) { container.putFailedOA(oa.getOaurlprefix()); @@ -707,7 +712,8 @@ public class SingleLogOutBuilder { el.getUserNameID(), NameID.TRANSIENT, PVP2XProtocol.NAME, - sloDesc)); + sloDesc.getBinding(), + sloDesc.getLocation())); } catch (NOSLOServiceDescriptorException e) { container.putFailedOA(el.getIdpurlprefix()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java deleted file mode 100644 index 056e2bba0..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ /dev/null @@ -1,543 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion; - -import java.security.MessageDigest; -import java.util.ArrayList; -import java.util.Iterator; -import java.util.List; - -import org.joda.time.DateTime; -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.saml2.core.Assertion; -import org.opensaml.saml2.core.Attribute; -import org.opensaml.saml2.core.AttributeQuery; -import org.opensaml.saml2.core.AttributeStatement; -import org.opensaml.saml2.core.Audience; -import org.opensaml.saml2.core.AudienceRestriction; -import org.opensaml.saml2.core.AuthnContext; -import org.opensaml.saml2.core.AuthnContextClassRef; -import org.opensaml.saml2.core.AuthnRequest; -import org.opensaml.saml2.core.AuthnStatement; -import org.opensaml.saml2.core.Conditions; -import org.opensaml.saml2.core.Issuer; -import org.opensaml.saml2.core.NameID; -import org.opensaml.saml2.core.RequestedAuthnContext; -import org.opensaml.saml2.core.Subject; -import org.opensaml.saml2.core.SubjectConfirmation; -import org.opensaml.saml2.core.SubjectConfirmationData; -import org.opensaml.saml2.core.impl.AuthnRequestImpl; -import org.opensaml.saml2.metadata.AssertionConsumerService; -import org.opensaml.saml2.metadata.AttributeConsumingService; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.NameIDFormat; -import org.opensaml.saml2.metadata.RequestedAttribute; -import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.w3c.dom.Element; - -import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; -import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; -import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; -import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; -import at.gv.egiz.eaaf.core.api.data.EAAFConstants; -import at.gv.egiz.eaaf.core.api.idp.IAuthData; -import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; -import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; -import at.gv.egiz.eaaf.core.impl.utils.Random; -import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; -import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; -import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; -import at.gv.egovernment.moa.id.data.IMOAAuthData; -import at.gv.egovernment.moa.id.data.Pair; -import at.gv.egovernment.moa.id.data.SLOInformationImpl; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.QAANotSupportedException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.UnprovideableAttributeException; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; -import at.gv.egovernment.moa.id.util.LoALevelMapper; -import at.gv.egovernment.moa.id.util.MandateBuilder; -import at.gv.egovernment.moa.id.util.QAALevelVerifier; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.Base64Utils; -import at.gv.egovernment.moa.util.Constants; -import at.gv.egovernment.moa.util.MiscUtil; - -public class PVP2AssertionBuilder implements PVPConstants { - - /** - * Build a PVP assertion as response for a SAML2 AttributeQuery request - * - * @param issuerEntityID EnitiyID, which should be used for this IDP response - * @param attrQuery AttributeQuery request from Service-Provider - * @param attrList List of PVP response attributes - * @param now Current time - * @param validTo ValidTo time of the assertion - * @param qaaLevel QAA level of the authentication - * @param sessionIndex SAML2 SessionIndex, which should be included * - * @return PVP 2.1 Assertion - * @throws ConfigurationException - */ - public static Assertion buildAssertion(String issuerEntityID, AttributeQuery attrQuery, - List<Attribute> attrList, DateTime now, DateTime validTo, String qaaLevel, String sessionIndex) throws ConfigurationException { - - AuthnContextClassRef authnContextClassRef = SAML2Utils.createSAMLObject(AuthnContextClassRef.class); - authnContextClassRef.setAuthnContextClassRef(qaaLevel); - - NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class); - subjectNameID.setFormat(attrQuery.getSubject().getNameID().getFormat()); - subjectNameID.setValue(attrQuery.getSubject().getNameID().getValue()); - - SubjectConfirmationData subjectConfirmationData = null; - - return buildGenericAssertion(issuerEntityID, attrQuery.getIssuer().getValue(), now, - authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex, - validTo); - } - - - /** - * Build a PVP 2.1 assertion as response of a SAML2 AuthnRequest - * - * @param issuerEntityID EnitiyID, which should be used for this IDP response - * @param pendingReq Current processed pendingRequest DAO - * @param authnRequest Current processed PVP AuthnRequest - * @param authData AuthenticationData of the user, which is already authenticated - * @param peerEntity SAML2 EntityDescriptor of the service-provider, which receives the response - * @param date TimeStamp - * @param assertionConsumerService SAML2 endpoint of the service-provider, which should be used - * @param sloInformation Single LogOut information DAO - * @return - * @throws MOAIDException - */ - public static Assertion buildAssertion(String issuerEntityID, PVPTargetConfiguration pendingReq, AuthnRequest authnRequest, - IAuthData authData, EntityDescriptor peerEntity, DateTime date, - AssertionConsumerService assertionConsumerService, SLOInformationImpl sloInformation) - throws MOAIDException { - - RequestedAuthnContext reqAuthnContext = authnRequest - .getRequestedAuthnContext(); - - AuthnContextClassRef authnContextClassRef = SAML2Utils - .createSAMLObject(AuthnContextClassRef.class); - - ISPConfiguration oaParam = pendingReq.getServiceProviderConfiguration(); - - if (reqAuthnContext == null) { - authnContextClassRef.setAuthnContextClassRef(authData.getEIDASQAALevel()); - - } else { - - boolean eIDAS_qaa_found = false; - - List<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext - .getAuthnContextClassRefs(); - - if (reqAuthnContextClassRefIt.size() == 0) { - QAALevelVerifier.verifyQAALevel(authData.getEIDASQAALevel(), EAAFConstants.EIDAS_QAA_HIGH); - - eIDAS_qaa_found = true; - authnContextClassRef.setAuthnContextClassRef(EAAFConstants.EIDAS_QAA_HIGH); - - } else { - for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) { - String qaa_uri = authnClassRef.getAuthnContextClassRef(); - - if (qaa_uri.trim().startsWith(STORK_QAA_PREFIX)) { - Logger.debug("Find STORK QAA leven in AuthnRequest. Starting mapping to eIDAS level ... "); - qaa_uri = LoALevelMapper.getInstance().mapSTORKQAAToeIDASQAA(qaa_uri.trim()); - - } - - if (qaa_uri.trim().equals(EAAFConstants.EIDAS_QAA_HIGH) - || qaa_uri.trim().equals(EAAFConstants.EIDAS_QAA_SUBSTANTIAL) - || qaa_uri.trim().equals(EAAFConstants.EIDAS_QAA_LOW)) { - - if (authData.isForeigner()) { - QAALevelVerifier.verifyQAALevel(authData.getEIDASQAALevel(), oaParam.getMinimumLevelOfAssurence()); - - eIDAS_qaa_found = true; - authnContextClassRef.setAuthnContextClassRef(authData.getEIDASQAALevel()); - - } else { - - QAALevelVerifier.verifyQAALevel(authData.getEIDASQAALevel(), - qaa_uri.trim()); - - eIDAS_qaa_found = true; - authnContextClassRef.setAuthnContextClassRef(authData.getEIDASQAALevel()); - - } - break; - } - } - } - - if (!eIDAS_qaa_found) - throw new QAANotSupportedException(EAAFConstants.EIDAS_QAA_HIGH); - - } - - - - SPSSODescriptor spSSODescriptor = peerEntity - .getSPSSODescriptor(SAMLConstants.SAML20P_NS); - - //add Attributes to Assertion - List<Attribute> attrList = new ArrayList<Attribute>(); - if (spSSODescriptor.getAttributeConsumingServices() != null && - spSSODescriptor.getAttributeConsumingServices().size() > 0) { - - Integer aIdx = authnRequest.getAttributeConsumingServiceIndex(); - int idx = 0; - - AttributeConsumingService attributeConsumingService = null; - if (aIdx != null) { - idx = aIdx.intValue(); - attributeConsumingService = spSSODescriptor - .getAttributeConsumingServices().get(idx); - - } else { - List<AttributeConsumingService> attrConsumingServiceList = spSSODescriptor.getAttributeConsumingServices(); - for (AttributeConsumingService el : attrConsumingServiceList) { - if (el.isDefault()) - attributeConsumingService = el; - } - } - - /* - * TODO: maybe use first AttributeConsumingService if no is selected - * in request or on service is marked as default - * - */ - if (attributeConsumingService == null ) { - List<AttributeConsumingService> attrConsumingServiceList = spSSODescriptor.getAttributeConsumingServices(); - if (attrConsumingServiceList != null && !attrConsumingServiceList.isEmpty()) - attributeConsumingService = attrConsumingServiceList.get(0); - - } - - - if (attributeConsumingService != null) { - Iterator<RequestedAttribute> it = attributeConsumingService - .getRequestAttributes().iterator(); - while (it.hasNext()) { - RequestedAttribute reqAttribut = it.next(); - try { - Attribute attr = PVPAttributeBuilder.buildAttribute( - reqAttribut.getName(), oaParam, authData); - if (attr == null) { - if (reqAttribut.isRequired()) { - throw new UnprovideableAttributeException( - reqAttribut.getName()); - } - } else { - attrList.add(attr); - } - - } catch (UnavailableAttributeException e) { - Logger.info( - "Attribute generation for " - + reqAttribut.getFriendlyName() + " not possible."); - if (reqAttribut.isRequired()) { - throw new UnprovideableAttributeException( - reqAttribut.getName()); - } - - - } catch (PVP2Exception e) { - Logger.info( - "Attribute generation failed! for " - + reqAttribut.getFriendlyName()); - if (reqAttribut.isRequired()) { - throw new UnprovideableAttributeException( - reqAttribut.getName()); - } - - } catch (Exception e) { - Logger.warn( - "General Attribute generation failed! for " - + reqAttribut.getFriendlyName(), e); - if (reqAttribut.isRequired()) { - throw new UnprovideableAttributeException( - reqAttribut.getName()); - } - - } - } - } - } - - NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class); - - //build nameID and nameID Format from moasession - //TODO: nameID generation - if (authData instanceof IMOAAuthData && - ((IMOAAuthData)authData).isUseMandate()) { - String bpktype = null; - String bpk = null; - - Element mandate = ((IMOAAuthData)authData).getMandate(); - if(mandate != null) { - Logger.debug("Read mandator bPK|baseID from full-mandate ... "); - Mandate mandateObject = MandateBuilder.buildMandate(mandate); - if(mandateObject == null) { - throw new NoMandateDataAvailableException(); - } - CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); - PhysicalPersonType pysicalperson = mandateObject.getMandator().getPhysicalPerson(); - - IdentificationType id; - if(corporation != null && corporation.getIdentification().size() > 0) - id = corporation.getIdentification().get(0); - - - else if (pysicalperson != null && pysicalperson.getIdentification().size() > 0) - id = pysicalperson.getIdentification().get(0); - - else { - Logger.error("Failed to generate IdentificationType"); - throw new NoMandateDataAvailableException(); - } - - bpktype = id.getType(); - bpk = id.getValue().getValue(); - - } else { - Logger.debug("Read mandator bPK|baseID from PVP attributes ... "); - bpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME, String.class); - bpktype = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME, String.class); - - if (MiscUtil.isEmpty(bpk)) { - //no sourcePin is included --> search for bPK - bpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_BPK_NAME, String.class); - - try { - if (bpk.contains(":")) - bpk = bpk.split(":")[1]; - - } catch (Exception e) { - Logger.warn("Can not split bPK from mandator attribute!", e); - - } - - //set bPK-Type from configuration, because it MUST be equal to service-provider type - bpktype = oaParam.getAreaSpecificTargetIdentifier(); - - } else { - //sourcePin is include --> check sourcePinType - if (MiscUtil.isEmpty(bpktype)) - bpktype = Constants.URN_PREFIX_BASEID; - - } - } - - if (MiscUtil.isEmpty(bpk) || MiscUtil.isEmpty(bpktype)) { - throw new NoMandateDataAvailableException(); - - } - - if (bpktype.equals(Constants.URN_PREFIX_BASEID)) { - Pair<String, String> calcbPK = new BPKBuilder().generateAreaSpecificPersonIdentifier(bpk, oaParam.getAreaSpecificTargetIdentifier()); - subjectNameID.setValue(calcbPK.getFirst()); - subjectNameID.setNameQualifier(calcbPK.getSecond()); - - - } else { - subjectNameID.setNameQualifier(bpktype); - subjectNameID.setValue(bpk); - } - - } else { - subjectNameID.setNameQualifier(authData.getBPKType()); - subjectNameID.setValue(authData.getBPK()); - } - - String nameIDFormat = NameID.TRANSIENT; - - //get NameIDFormat from request - AuthnRequest authnReq = (AuthnRequestImpl) authnRequest; - if (authnReq.getNameIDPolicy() != null && - MiscUtil.isNotEmpty(authnReq.getNameIDPolicy().getFormat())) { - nameIDFormat = authnReq.getNameIDPolicy().getFormat(); - - } else { - //get NameIDFormat from metadata - List<NameIDFormat> metadataNameIDFormats = spSSODescriptor.getNameIDFormats(); - - if (metadataNameIDFormats != null) { - - for (NameIDFormat el : metadataNameIDFormats) { - if (NameID.PERSISTENT.equals(el.getFormat())) { - nameIDFormat = NameID.PERSISTENT; - break; - - } else if (NameID.TRANSIENT.equals(el.getFormat()) || - NameID.UNSPECIFIED.equals(el.getFormat())) - break; - - } - } - } - - if (NameID.TRANSIENT.equals(nameIDFormat) || NameID.UNSPECIFIED.equals(nameIDFormat)) { - String random = Random.nextRandom(); - String nameID = subjectNameID.getValue(); - - try { - MessageDigest md = MessageDigest.getInstance("SHA-1"); - byte[] hash = md.digest((nameID + random).getBytes("ISO-8859-1")); - subjectNameID.setValue(Base64Utils.encode(hash)); - subjectNameID.setNameQualifier(null); - subjectNameID.setFormat(NameID.TRANSIENT); - - } catch (Exception e) { - Logger.warn("PVP2 subjectNameID error", e); - throw new MOAIDException("pvp2.13", null, e); - } - - } else - subjectNameID.setFormat(nameIDFormat); - - - String sessionIndex = null; - - //if request is a reauthentication and NameIDFormat match reuse old session information - if (MiscUtil.isNotEmpty(authData.getNameID()) && - MiscUtil.isNotEmpty(authData.getNameIDFormat()) && - nameIDFormat.equals(authData.getNameIDFormat())) { - subjectNameID.setValue(authData.getNameID()); - sessionIndex = authData.getSessionIndex(); - - } - - // - if (MiscUtil.isEmpty(sessionIndex)) - sessionIndex = SAML2Utils.getSecureIdentifier(); - - SubjectConfirmationData subjectConfirmationData = SAML2Utils - .createSAMLObject(SubjectConfirmationData.class); - subjectConfirmationData.setInResponseTo(authnRequest.getID()); - subjectConfirmationData.setNotOnOrAfter(new DateTime(authData.getSsoSessionValidTo().getTime())); -// subjectConfirmationData.setNotBefore(date); - - //set 'recipient' attribute in subjectConformationData - subjectConfirmationData.setRecipient(assertionConsumerService.getLocation()); - - //set IP address of the user machine as 'Address' attribute in subjectConformationData - String usersIPAddress = pendingReq.getGenericData( - PVPTargetConfiguration.DATAID_REQUESTER_IP_ADDRESS, String.class); - if (MiscUtil.isNotEmpty(usersIPAddress)) - subjectConfirmationData.setAddress(usersIPAddress); - - //set SLO information - sloInformation.setUserNameIdentifier(subjectNameID.getValue()); - sloInformation.setNameIDFormat(subjectNameID.getFormat()); - sloInformation.setSessionIndex(sessionIndex); - - return buildGenericAssertion(issuerEntityID, peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex, subjectConfirmationData.getNotOnOrAfter()); - } - - /** - * - * @param issuer IDP EntityID - * @param entityID Service Provider EntityID - * @param date - * @param authnContextClassRef - * @param attrList - * @param subjectNameID - * @param subjectConfirmationData - * @param sessionIndex - * @param isValidTo - * @return - * @throws ConfigurationException - */ - - public static Assertion buildGenericAssertion(String issuer, String entityID, DateTime date, - AuthnContextClassRef authnContextClassRef, List<Attribute> attrList, - NameID subjectNameID, SubjectConfirmationData subjectConfirmationData, - String sessionIndex, DateTime isValidTo) throws ConfigurationException { - Assertion assertion = SAML2Utils.createSAMLObject(Assertion.class); - - AuthnContext authnContext = SAML2Utils - .createSAMLObject(AuthnContext.class); - authnContext.setAuthnContextClassRef(authnContextClassRef); - - AuthnStatement authnStatement = SAML2Utils - .createSAMLObject(AuthnStatement.class); - - authnStatement.setAuthnInstant(date); - authnStatement.setSessionIndex(sessionIndex); - authnStatement.setAuthnContext(authnContext); - - assertion.getAuthnStatements().add(authnStatement); - - AttributeStatement attributeStatement = SAML2Utils - .createSAMLObject(AttributeStatement.class); - attributeStatement.getAttributes().addAll(attrList); - if (attributeStatement.getAttributes().size() > 0) { - assertion.getAttributeStatements().add(attributeStatement); - } - - Subject subject = SAML2Utils.createSAMLObject(Subject.class); - subject.setNameID(subjectNameID); - - SubjectConfirmation subjectConfirmation = SAML2Utils - .createSAMLObject(SubjectConfirmation.class); - subjectConfirmation.setMethod(SubjectConfirmation.METHOD_BEARER); - subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData); - - subject.getSubjectConfirmations().add(subjectConfirmation); - - Conditions conditions = SAML2Utils.createSAMLObject(Conditions.class); - AudienceRestriction audienceRestriction = SAML2Utils - .createSAMLObject(AudienceRestriction.class); - Audience audience = SAML2Utils.createSAMLObject(Audience.class); - - audience.setAudienceURI(entityID); - audienceRestriction.getAudiences().add(audience); - conditions.setNotBefore(date); - conditions.setNotOnOrAfter(isValidTo); - - conditions.getAudienceRestrictions().add(audienceRestriction); - - assertion.setConditions(conditions); - - Issuer issuerObj = SAML2Utils.createSAMLObject(Issuer.class); - - if (issuer.endsWith("/")) - issuer = issuer.substring(0, issuer.length()-1); - issuerObj.setValue(issuer); - issuerObj.setFormat(NameID.ENTITY); - - assertion.setIssuer(issuerObj); - assertion.setSubject(subject); - assertion.setID(SAML2Utils.getSecureIdentifier()); - assertion.setIssueInstant(date); - - return assertion; - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/SamlAttributeGenerator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/SamlAttributeGenerator.java deleted file mode 100644 index 6ccacd6c8..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/SamlAttributeGenerator.java +++ /dev/null @@ -1,88 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; - -import org.opensaml.saml2.core.Attribute; -import org.opensaml.saml2.core.AttributeValue; -import org.opensaml.xml.Configuration; -import org.opensaml.xml.XMLObject; -import org.opensaml.xml.schema.XSInteger; -import org.opensaml.xml.schema.XSString; -import org.opensaml.xml.schema.impl.XSIntegerBuilder; -import org.opensaml.xml.schema.impl.XSStringBuilder; - -import at.gv.egiz.eaaf.core.api.idp.IAttributeGenerator; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; - -public class SamlAttributeGenerator implements IAttributeGenerator<Attribute> { - - private XMLObject buildAttributeStringValue(String value) { - XSStringBuilder stringBuilder = (XSStringBuilder) Configuration.getBuilderFactory().getBuilder(XSString.TYPE_NAME); - XSString stringValue = stringBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSString.TYPE_NAME); - stringValue.setValue(value); - return stringValue; - } - - private XMLObject buildAttributeIntegerValue(int value) { - XSIntegerBuilder integerBuilder = (XSIntegerBuilder) Configuration.getBuilderFactory().getBuilder(XSInteger.TYPE_NAME); - XSInteger integerValue = integerBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSInteger.TYPE_NAME); - integerValue.setValue(value); - return integerValue; - } - - public Attribute buildStringAttribute(final String friendlyName, final String name, final String value) { - Attribute attribute = SAML2Utils.createSAMLObject(Attribute.class); - attribute.setFriendlyName(friendlyName); - attribute.setName(name); - attribute.setNameFormat(Attribute.URI_REFERENCE); - attribute.getAttributeValues().add(buildAttributeStringValue(value)); - return attribute; - } - - public Attribute buildIntegerAttribute(final String friendlyName, final String name, final int value) { - Attribute attribute = SAML2Utils.createSAMLObject(Attribute.class); - attribute.setFriendlyName(friendlyName); - attribute.setName(name); - attribute.setNameFormat(Attribute.URI_REFERENCE); - attribute.getAttributeValues().add(buildAttributeIntegerValue(value)); - return attribute; - } - - public Attribute buildEmptyAttribute(final String friendlyName, final String name) { - Attribute attribute = SAML2Utils.createSAMLObject(Attribute.class); - attribute.setFriendlyName(friendlyName); - attribute.setName(name); - attribute.setNameFormat(Attribute.URI_REFERENCE); - return attribute; - } - - public Attribute buildLongAttribute(String friendlyName, String name, long value) { - Attribute attribute = SAML2Utils.createSAMLObject(Attribute.class); - attribute.setFriendlyName(friendlyName); - attribute.setName(name); - attribute.setNameFormat(Attribute.URI_REFERENCE); - attribute.getAttributeValues().add(buildAttributeIntegerValue((int) value)); - return attribute; - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java index c0fb5bf5b..d4c94e5c5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java @@ -32,11 +32,12 @@ import org.opensaml.saml2.metadata.Organization; import org.opensaml.saml2.metadata.RequestedAttribute; import org.opensaml.xml.security.credential.Credential; +import at.gv.egiz.eaaf.modules.pvp2.PVPConstants; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPVPMetadataBuilderConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPAttributeBuilder; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; import at.gv.egovernment.moa.logging.Logger; /** @@ -48,16 +49,18 @@ public class IDPPVPMetadataConfiguration implements IPVPMetadataBuilderConfigura private static final int VALIDUNTIL_IN_HOURS = 24; private String authURL; - private IDPCredentialProvider credentialProvider; + private AbstractCredentialProvider credentialProvider; + private PVPConfiguration pvpBasicConfiguration; - public IDPPVPMetadataConfiguration(String authURL, IDPCredentialProvider credentialProvider) { + public IDPPVPMetadataConfiguration(String authURL, AbstractCredentialProvider pvpIDPCredentials, PVPConfiguration pvpBasicConfiguration) { this.authURL = authURL; - this.credentialProvider = credentialProvider; + this.credentialProvider = pvpIDPCredentials; + this.pvpBasicConfiguration = pvpBasicConfiguration; } public String getDefaultActionName() { - return (PVP2XProtocol.METADATA); + return (PVPConstants.METADATA); } /* (non-Javadoc) @@ -98,7 +101,7 @@ public class IDPPVPMetadataConfiguration implements IPVPMetadataBuilderConfigura @Override public String getEntityID() { try { - return PVPConfiguration.getInstance().getIDPSSOMetadataService(authURL); + return pvpBasicConfiguration.getIDPSSOMetadataService(authURL); } catch (ConfigurationException e) { Logger.error("Can not load Metadata entry: EntityID", e); @@ -113,7 +116,7 @@ public class IDPPVPMetadataConfiguration implements IPVPMetadataBuilderConfigura @Override public String getEntityFriendlyName() { try { - return PVPConfiguration.getInstance().getIDPIssuerName(); + return pvpBasicConfiguration.getIDPIssuerName(); } catch (ConfigurationException e) { Logger.error("Can not load Metadata entry: EntityID friendlyName.", e); @@ -129,7 +132,7 @@ public class IDPPVPMetadataConfiguration implements IPVPMetadataBuilderConfigura @Override public List<ContactPerson> getContactPersonInformation() { try { - return PVPConfiguration.getInstance().getIDPContacts(); + return pvpBasicConfiguration.getIDPContacts(); } catch (ConfigurationException e) { Logger.warn("Can not load Metadata entry: Contect Person", e); @@ -145,7 +148,7 @@ public class IDPPVPMetadataConfiguration implements IPVPMetadataBuilderConfigura @Override public Organization getOrgansiationInformation() { try { - return PVPConfiguration.getInstance().getIDPOrganisation(); + return pvpBasicConfiguration.getIDPOrganisation(); } catch (ConfigurationException e) { Logger.warn("Can not load Metadata entry: Organisation", e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java deleted file mode 100644 index 814a2387d..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java +++ /dev/null @@ -1,162 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.config; - -import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.xml.security.credential.Credential; -import org.w3c.dom.Element; - -/** - * @author tlenz - * - */ -public interface IPVPAuthnRequestBuilderConfiguruation { - - /** - * Defines a unique name for this PVP Service-provider, which is used for logging - * - * @return - */ - public String getSPNameForLogging(); - - /** - * If true, the SAML2 isPassive flag is set in the AuthnRequest - * - * @return - */ - public Boolean isPassivRequest(); - - /** - * Define the ID of the AssertionConsumerService, - * which defines the required attributes in service-provider metadata. - * - * @return - */ - public Integer getAssertionConsumerServiceId(); - - /** - * Define the SAML2 EntityID of the service provider. - * - * @return - */ - public String getSPEntityID(); - - /** - * Define the SAML2 NameIDPolicy - * - * @return Service-Provider EntityID, but never null - */ - public String getNameIDPolicyFormat(); - - /** - * Define the AuthnContextClassRefernece of this request - * - * Example: - * http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3 - * http://www.stork.gov.eu/1.0/citizenQAALevel/4 - * - * - * @return - */ - public String getAuthnContextClassRef(); - - /** - * Define the AuthnContextComparison model, which should be used - * - * @return - */ - public AuthnContextComparisonTypeEnumeration getAuthnContextComparison(); - - - /** - * Define the credential, which should be used to sign the AuthnRequest - * - * @return - */ - public Credential getAuthnRequestSigningCredential(); - - - /** - * Define the SAML2 EntityDescriptor of the IDP, which should receive the AuthnRequest - * - * @return Credential, but never null. - */ - public EntityDescriptor getIDPEntityDescriptor(); - - /** - * Set the SAML2 NameIDPolicy allow-creation flag - * - * @return EntityDescriptor, but never null. - */ - public boolean getNameIDPolicyAllowCreation(); - - - /** - * Set the requested SubjectNameID - * - * @return SubjectNameID, or null if no SubjectNameID should be used - */ - public String getSubjectNameID(); - - /** - * Define the qualifier of the <code>SubjectNameID</code> - * <br><br> - * Like: 'urn:publicid:gv.at:cdid+BF' - * - * @return qualifier, or null if no qualifier should be set - */ - public String getSubjectNameIDQualifier(); - - /** - * Define the format of the subjectNameID, which is included in authn-request - * - * - * @return nameIDFormat, of SAML2 'transient' if nothing is defined - */ - public String getSubjectNameIDFormat(); - - /** - * Define a SP specific SAML2 requestID - * - * @return requestID, or null if the requestID should be generated automatically - */ - public String getRequestID(); - - /** - * Defines the 'method' attribute in 'SubjectConformation' element - * - * @return method, or null if no method should set - */ - public String getSubjectConformationMethode(); - - /** - * Define the information, which should be added as 'subjectConformationDate' - * in 'SubjectConformation' element - * - * @return subjectConformation information or null if no subjectConformation should be set - */ - public Element getSubjectConformationDate(); - - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java deleted file mode 100644 index 3a8404cae..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java +++ /dev/null @@ -1,238 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.config; - -import java.util.List; - -import org.opensaml.saml2.core.Attribute; -import org.opensaml.saml2.metadata.ContactPerson; -import org.opensaml.saml2.metadata.Organization; -import org.opensaml.saml2.metadata.RequestedAttribute; -import org.opensaml.xml.security.credential.Credential; - -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; - -/** - * @author tlenz - * - */ -public interface IPVPMetadataBuilderConfiguration { - - - /** - * Defines a unique name for this PVP Service-provider, which is used for logging - * - * @return - */ - public String getSPNameForLogging(); - - /** - * Set metadata valid area - * - * @return valid until in hours [h] - */ - public int getMetadataValidUntil(); - - /** - * Build a SAML2 Entities element as metadata root element - * - * @return true, if the metadata should start with entities element - */ - public boolean buildEntitiesDescriptorAsRootElement(); - - /** - * - * - * @return true, if an IDP SSO-descriptor element should be generated - */ - public boolean buildIDPSSODescriptor(); - - /** - * - * - * @return true, if an SP SSO-descriptor element should be generated - */ - public boolean buildSPSSODescriptor(); - - /** - * Set the PVP entityID for this SAML2 metadata. - * The entityID must be an URL and must be start with the public-URL prefix of the server - * - * @return PVP entityID postfix as String - */ - public String getEntityID(); - - /** - * Set a friendlyName for this PVP entity - * - * @return - */ - public String getEntityFriendlyName(); - - /** - * Set the contact information for this metadata entity - * - * @return - */ - public List<ContactPerson> getContactPersonInformation(); - - /** - * Set organisation information for this metadata entity - * - * @return - */ - public Organization getOrgansiationInformation(); - - - /** - * Set the credential for metadata signing - * - * @return - * @throws CredentialsNotAvailableException - */ - public Credential getMetadataSigningCredentials() throws CredentialsNotAvailableException; - - /** - * Set the credential for request/response signing - * IDP metadata: this credential is used for SAML2 response signing - * SP metadata: this credential is used for SAML2 response signing - * - * @return - * @throws CredentialsNotAvailableException - */ - public Credential getRequestorResponseSigningCredentials() throws CredentialsNotAvailableException; - - /** - * Set the credential for response encryption - * - * @return - * @throws CredentialsNotAvailableException - */ - public Credential getEncryptionCredentials() throws CredentialsNotAvailableException; - - /** - * Set the IDP Post-Binding URL for WebSSO - * - * @return - */ - public String getIDPWebSSOPostBindingURL(); - - /** - * Set the IDP Redirect-Binding URL for WebSSO - * - * @return - */ - public String getIDPWebSSORedirectBindingURL(); - - /** - * Set the IDP Post-Binding URL for Single LogOut - * - * @return - */ - public String getIDPSLOPostBindingURL(); - - /** - * Set the IDP Redirect-Binding URL for Single LogOut - * - * @return - */ - public String getIDPSLORedirectBindingURL(); - - /** - * Set the SP Post-Binding URL for for the Assertion-Consumer Service - * - * @return - */ - public String getSPAssertionConsumerServicePostBindingURL(); - - /** - * Set the SP Redirect-Binding URL for the Assertion-Consumer Service - * - * @return - */ - public String getSPAssertionConsumerServiceRedirectBindingURL(); - - /** - * Set the SP Post-Binding URL for Single LogOut - * - * @return - */ - public String getSPSLOPostBindingURL(); - - /** - * Set the SP Redirect-Binding URL for Single LogOut - * - * @return - */ - public String getSPSLORedirectBindingURL(); - - /** - * Set the SP SOAP-Binding URL for Single LogOut - * - * @return - */ - public String getSPSLOSOAPBindingURL(); - - - /** - * Set all SAML2 attributes which could be provided by this IDP - * - * @return - */ - public List<Attribute> getIDPPossibleAttributes(); - - /** - * Set all nameID types which could be provided by this IDP - * - * @return a List of SAML2 nameID types - */ - public List<String> getIDPPossibleNameITTypes(); - - /** - * Set all SAML2 attributes which are required by the SP - * - * @return - */ - public List<RequestedAttribute> getSPRequiredAttributes(); - - /** - * Set all nameID types which allowed from the SP - * - * @return a List of SAML2 nameID types - */ - public List<String> getSPAllowedNameITTypes(); - - /** - * Set the 'wantAssertionSigned' attribute in SP metadata - * - * @return - */ - public boolean wantAssertionSigned(); - - /** - * Set the 'wantAuthnRequestSigned' attribute - * - * @return - */ - public boolean wantAuthnRequestSigned(); -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java deleted file mode 100644 index b731e2a95..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultBootstrap.java +++ /dev/null @@ -1,64 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.config; - -import org.opensaml.Configuration; -import org.opensaml.DefaultBootstrap; -import org.opensaml.common.binding.BasicSAMLMessageContext; -import org.opensaml.saml2.binding.encoding.BaseSAML2MessageEncoder; -import org.opensaml.xml.ConfigurationException; - -/** - * @author tlenz - * - */ -public class MOADefaultBootstrap extends DefaultBootstrap { - - public static synchronized void bootstrap() throws ConfigurationException { - - initializeXMLSecurity(); - - initializeXMLTooling(); - - initializeArtifactBuilderFactories(); - - initializeGlobalSecurityConfiguration(); - - initializeParserPool(); - - initializeESAPI(); - - } - - public static void initializeDefaultPVPConfiguration() { - initializeGlobalSecurityConfiguration(); - - } - - /** - * Initializes the default global security configuration. - */ - protected static void initializeGlobalSecurityConfiguration() { - Configuration.setGlobalSecurityConfiguration(MOADefaultSecurityConfigurationBootstrap.buildDefaultConfig()); - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java deleted file mode 100644 index f878b95d3..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOADefaultSecurityConfigurationBootstrap.java +++ /dev/null @@ -1,152 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.config; - -import org.opensaml.xml.encryption.EncryptionConstants; -import org.opensaml.xml.security.BasicSecurityConfiguration; -import org.opensaml.xml.security.DefaultSecurityConfigurationBootstrap; -import org.opensaml.xml.security.credential.BasicKeyInfoGeneratorFactory; -import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorManager; -import org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager; -import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; -import org.opensaml.xml.signature.SignatureConstants; - -/** - * @author tlenz - * - */ -public class MOADefaultSecurityConfigurationBootstrap extends - DefaultSecurityConfigurationBootstrap { - - public static BasicSecurityConfiguration buildDefaultConfig() { - BasicSecurityConfiguration config = new BasicSecurityConfiguration(); - - populateSignatureParams(config); - populateEncryptionParams(config); - populateKeyInfoCredentialResolverParams(config); - populateKeyInfoGeneratorManager(config); - populateKeyParams(config); - - return config; - } - - protected static void populateKeyInfoGeneratorManager( - BasicSecurityConfiguration config) { - NamedKeyInfoGeneratorManager namedManager = new NamedKeyInfoGeneratorManager(); - config.setKeyInfoGeneratorManager(namedManager); - - namedManager.setUseDefaultManager(true); - KeyInfoGeneratorManager defaultManager = namedManager - .getDefaultManager(); - - BasicKeyInfoGeneratorFactory basicFactory = new BasicKeyInfoGeneratorFactory(); - basicFactory.setEmitPublicKeyValue(true); - - X509KeyInfoGeneratorFactory x509Factory = new X509KeyInfoGeneratorFactory(); - x509Factory.setEmitEntityCertificate(true); - - defaultManager.registerFactory(basicFactory); - defaultManager.registerFactory(x509Factory); - } - - protected static void populateSignatureParams( - BasicSecurityConfiguration config) { - - //use SHA256 instead of SHA1 - config.registerSignatureAlgorithmURI("RSA", - SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); - - config.registerSignatureAlgorithmURI("DSA", - "http://www.w3.org/2000/09/xmldsig#dsa-sha1"); - - //use SHA256 instead of SHA1 - config.registerSignatureAlgorithmURI("EC", - SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256); - - //use SHA256 instead of SHA1 - config.registerSignatureAlgorithmURI("AES", - SignatureConstants.ALGO_ID_MAC_HMAC_SHA256); - - - config.registerSignatureAlgorithmURI("DESede", - SignatureConstants.ALGO_ID_MAC_HMAC_SHA256); - - config.setSignatureCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#"); - config.setSignatureHMACOutputLength(null); - - //use SHA256 instead of SHA1 - config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256); - } - - protected static void populateEncryptionParams( - BasicSecurityConfiguration config) { - config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128), - "http://www.w3.org/2001/04/xmlenc#aes128-cbc"); - config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192), - "http://www.w3.org/2001/04/xmlenc#aes192-cbc"); - config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256), - "http://www.w3.org/2001/04/xmlenc#aes256-cbc"); - - //support GCM mode - config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128), - EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM); - - config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192), - EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192_GCM); - - config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256), - EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM); - - - config.registerDataEncryptionAlgorithmURI("DESede", - Integer.valueOf(168), - "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"); - config.registerDataEncryptionAlgorithmURI("DESede", - Integer.valueOf(192), - "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"); - - config.registerKeyTransportEncryptionAlgorithmURI("RSA", null, "AES", - "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"); - - config.registerKeyTransportEncryptionAlgorithmURI("RSA", null, - "DESede", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"); - - config.registerKeyTransportEncryptionAlgorithmURI("AES", - Integer.valueOf(128), null, - "http://www.w3.org/2001/04/xmlenc#kw-aes128"); - config.registerKeyTransportEncryptionAlgorithmURI("AES", - Integer.valueOf(192), null, - "http://www.w3.org/2001/04/xmlenc#kw-aes192"); - config.registerKeyTransportEncryptionAlgorithmURI("AES", - Integer.valueOf(256), null, - "http://www.w3.org/2001/04/xmlenc#kw-aes256"); - config.registerKeyTransportEncryptionAlgorithmURI("DESede", - Integer.valueOf(168), null, - "http://www.w3.org/2001/04/xmlenc#kw-tripledes"); - config.registerKeyTransportEncryptionAlgorithmURI("DESede", - Integer.valueOf(192), null, - "http://www.w3.org/2001/04/xmlenc#kw-tripledes"); - - config.setAutoGeneratedDataEncryptionKeyAlgorithmURI("http://www.w3.org/2001/04/xmlenc#aes128-cbc"); - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOAPVPMetadataConfigurationFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOAPVPMetadataConfigurationFactory.java new file mode 100644 index 000000000..54940a9d3 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/MOAPVPMetadataConfigurationFactory.java @@ -0,0 +1,21 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.config; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; + +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPVPMetadataBuilderConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPVPMetadataConfigurationFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider; + +@Service("MOAPVPMetadataConfigurationFactory") +public class MOAPVPMetadataConfigurationFactory implements IPVPMetadataConfigurationFactory { + + @Autowired(required=true) PVPConfiguration pvpBasicConfiguration; + + @Override + public IPVPMetadataBuilderConfiguration generateMetadataBuilderConfiguration(String authURL, + AbstractCredentialProvider pvpIDPCredentials) { + return new IDPPVPMetadataConfiguration(authURL, pvpIDPCredentials, pvpBasicConfiguration); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java index 81eca3765..5f39af7a4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java @@ -22,9 +22,7 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.config; -import java.io.IOException; import java.net.URL; -import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.List; import java.util.Map; @@ -43,29 +41,19 @@ import org.opensaml.saml2.metadata.OrganizationName; import org.opensaml.saml2.metadata.OrganizationURL; import org.opensaml.saml2.metadata.SurName; import org.opensaml.saml2.metadata.TelephoneNumber; +import org.springframework.stereotype.Service; -import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; -import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; +import at.gv.egiz.eaaf.modules.pvp2.api.IPVP2BasicConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.MiscUtil; -import iaik.x509.X509Certificate; -public class PVPConfiguration { +@Service("MOAPVP2Configuration") +public class PVPConfiguration implements IPVP2BasicConfiguration { - private static PVPConfiguration instance; - - public static PVPConfiguration getInstance() { - if (instance == null) { - instance = new PVPConfiguration(); - } - return instance; - } - public static final String PVP2_METADATA = "/pvp2/metadata"; public static final String PVP2_IDP_REDIRECT = "/pvp2/redirect"; public static final String PVP2_IDP_POST = "/pvp2/post"; @@ -90,22 +78,7 @@ public class PVPConfiguration { public static final String IDP_CONTACT_PHONE = "phone"; private static String moaIDVersion = null; - - //PVP2 generalpvpconfigdb; - //Properties props; - //String rootDir = null; - - private PVPConfiguration() { -// try { -// //generalpvpconfigdb = AuthConfigurationProvider.getInstance().getGeneralPVP2DBConfig(); -// //props = AuthConfigurationProviderFactory.getInstance().getGeneralPVP2ProperiesConfig(); -// //rootDir = AuthConfigurationProviderFactory.getInstance().getRootConfigFileDir(); -// -// } catch (ConfigurationException e) { -// e.printStackTrace(); -// } - } - + public List<String> getIDPPublicPath() throws ConfigurationException { List<String> publicPath = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); List<String> returnvalue = new ArrayList<String>(); @@ -144,6 +117,12 @@ public class PVPConfiguration { return publicURLPrefix + PVP2_METADATA; } + @Override + public String getIDPEntityId(String authURL) throws ConfigurationException { + return getIDPSSOMetadataService(authURL); + + } + public String getIDPIssuerName() throws ConfigurationException { if (moaIDVersion == null) { @@ -153,47 +132,6 @@ public class PVPConfiguration { return AuthConfigurationProviderFactory.getInstance().getConfigurationWithKey( MOAIDConfigurationConstants.GENERAL_PROTOCOLS_PVP2X_METADATA_SERVICENAMME) + moaIDVersion; } - - public iaik.x509.X509Certificate getTrustEntityCertificate(String entityID) { - - try { - Logger.trace("Load metadata signing certificate for online application " + entityID); - ISPConfiguration oaParam = AuthConfigurationProviderFactory.getInstance().getServiceProviderConfiguration(entityID); - if (oaParam == null) { - Logger.info("Online Application with ID " + entityID + " not found!"); - return null; - } - - String pvp2MetadataCertificateString = - oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE); - if (MiscUtil.isEmpty(pvp2MetadataCertificateString)) { - Logger.info("Online Application with ID " + entityID + " include not PVP2X metadata signing certificate!"); - return null; - - } - - X509Certificate cert = new X509Certificate(Base64Utils.decode(pvp2MetadataCertificateString, false)); - Logger.debug("Metadata signing certificate is loaded for ("+entityID+") is loaded."); - return cert; - - } catch (CertificateException e) { - Logger.warn("Metadata signer certificate is not parsed.", e); - return null; - - } catch (ConfigurationException e) { - Logger.error("Configuration is not accessable.", e); - return null; - - } catch (IOException e) { - Logger.warn("Metadata signer certificate is not decodeable.", e); - return null; - - } catch (EAAFConfigurationException e) { - Logger.error("Configuration is not accessable.", e); - return null; - - } - } public List<ContactPerson> getIDPContacts() throws ConfigurationException { List<ContactPerson> list = new ArrayList<ContactPerson>(); @@ -356,4 +294,5 @@ public class PVPConfiguration { } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AssertionAttributeExtractorExeption.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AssertionAttributeExtractorExeption.java deleted file mode 100644 index 69ca4e8f5..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AssertionAttributeExtractorExeption.java +++ /dev/null @@ -1,50 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; - -/** - * @author tlenz - * - */ -public class AssertionAttributeExtractorExeption extends PVP2Exception { - - /** - * - */ - private static final long serialVersionUID = -6459000942830951492L; - - public AssertionAttributeExtractorExeption(String attributeName) { - super("Parse PVP2.1 assertion FAILED: Attribute " + attributeName - + " can not extract.", null); - } - - public AssertionAttributeExtractorExeption(String messageId, - Object[] parameters) { - super(messageId, parameters); - } - - public AssertionAttributeExtractorExeption() { - super("Parse PVP2.1 assertion FAILED. Interfederation not possible", null); - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AssertionValidationExeption.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AssertionValidationExeption.java deleted file mode 100644 index 1e029f567..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AssertionValidationExeption.java +++ /dev/null @@ -1,49 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; - -import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; - -/** - * @author tlenz - * - */ -public class AssertionValidationExeption extends PVP2Exception { - - private static final long serialVersionUID = -3987805399122286259L; - - public AssertionValidationExeption(String messageId, Object[] parameters) { - super(messageId, parameters); - } - - /** - * @param string - * @param object - * @param e - */ - public AssertionValidationExeption(String string, Object[] parameters, - Throwable e) { - super(string, parameters, e); - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AttributQueryException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AttributQueryException.java deleted file mode 100644 index 9008a7183..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AttributQueryException.java +++ /dev/null @@ -1,44 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; - -/** - * @author tlenz - * - */ -public class AttributQueryException extends PVP2Exception { - - /** - * - */ - private static final long serialVersionUID = -4302422507173728748L; - - public AttributQueryException(String messageId, Object[] parameters) { - super(messageId, parameters); - } - - public AttributQueryException(String messageId, Object[] parameters, Throwable e) { - super(messageId, parameters, e); - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnRequestBuildException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnRequestBuildException.java deleted file mode 100644 index eebaf6c9e..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnRequestBuildException.java +++ /dev/null @@ -1,47 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; - -/** - * @author tlenz - * - */ -public class AuthnRequestBuildException extends PVP2Exception { - - /** - * - */ - private static final long serialVersionUID = -1375451065455859354L; - - /** - * @param messageId - * @param parameters - */ - public AuthnRequestBuildException(String messageId, Object[] parameters) { - super(messageId, parameters); - } - - public AuthnRequestBuildException(String messageId, Object[] parameters, Throwable e) { - super(messageId, parameters, e); - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnResponseValidationException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnResponseValidationException.java deleted file mode 100644 index 957f9af1d..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnResponseValidationException.java +++ /dev/null @@ -1,48 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; - -/** - * @author tlenz - * - */ -public class AuthnResponseValidationException extends PVP2Exception { - - /** - * - */ - private static final long serialVersionUID = 8023812861029406575L; - - /** - * @param messageId - * @param parameters - */ - public AuthnResponseValidationException(String messageId, Object[] parameters) { - super(messageId, parameters); - } - - public AuthnResponseValidationException(String messageId, Object[] parameters, Throwable e) { - super(messageId, parameters, e); - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/BindingNotSupportedException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/BindingNotSupportedException.java deleted file mode 100644 index 9f4c7fed3..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/BindingNotSupportedException.java +++ /dev/null @@ -1,41 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; - -import org.opensaml.saml2.core.StatusCode; - -public class BindingNotSupportedException extends PVP2Exception { - - public BindingNotSupportedException(String binding) { - super("pvp2.11", new Object[] {binding}); - this.statusCodeValue = StatusCode.UNSUPPORTED_BINDING_URI; - } - - /** - * - */ - private static final long serialVersionUID = -7227603941387879360L; - - - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionConsumerServiceException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionConsumerServiceException.java deleted file mode 100644 index 392569366..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionConsumerServiceException.java +++ /dev/null @@ -1,48 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; - -import org.opensaml.saml2.core.StatusCode; - -public class InvalidAssertionConsumerServiceException extends PVP2Exception { - - public InvalidAssertionConsumerServiceException(int idx) { - super("pvp2.00", new Object[]{idx}); - this.statusCodeValue = StatusCode.REQUESTER_URI; - } - - /** - * - */ - public InvalidAssertionConsumerServiceException(String wrongURL) { - super("pvp2.23", new Object[]{wrongURL}); - this.statusCodeValue = StatusCode.REQUESTER_URI; - - } - - /** - * - */ - private static final long serialVersionUID = 7861790149343943091L; - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java deleted file mode 100644 index b49070bd6..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java +++ /dev/null @@ -1,36 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; - -import org.opensaml.saml2.core.StatusCode; - -public class InvalidAssertionEncryptionException extends PVP2Exception { - - private static final long serialVersionUID = 6513388841485355549L; - - public InvalidAssertionEncryptionException() { - super("pvp2.16", new Object[]{}); - this.statusCodeValue = StatusCode.RESPONDER_URI; - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidDateFormatException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidDateFormatException.java deleted file mode 100644 index 252539bf5..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidDateFormatException.java +++ /dev/null @@ -1,39 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; - -import org.opensaml.saml2.core.StatusCode; - -public class InvalidDateFormatException extends PVP2Exception { - - public InvalidDateFormatException() { - super("pvp2.02", null); - this.statusCodeValue = StatusCode.REQUESTER_URI; - } - - /** - * - */ - private static final long serialVersionUID = -6867976890237846085L; - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/MandateAttributesNotHandleAbleException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/MandateAttributesNotHandleAbleException.java index 15a0ccf72..0e48dfbd6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/MandateAttributesNotHandleAbleException.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/MandateAttributesNotHandleAbleException.java @@ -24,6 +24,8 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; import org.opensaml.saml2.core.StatusCode; +import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception; + public class MandateAttributesNotHandleAbleException extends PVP2Exception { public MandateAttributesNotHandleAbleException() { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NOSLOServiceDescriptorException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NOSLOServiceDescriptorException.java index 204e1c2a5..94e1874a5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NOSLOServiceDescriptorException.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NOSLOServiceDescriptorException.java @@ -22,6 +22,8 @@ */ package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; +import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception; + /** * @author tlenz * diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NameIDFormatNotSupportedException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NameIDFormatNotSupportedException.java deleted file mode 100644 index c82e6bdf1..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NameIDFormatNotSupportedException.java +++ /dev/null @@ -1,42 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; - -import org.opensaml.saml2.core.StatusCode; - -import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException; - -public class NameIDFormatNotSupportedException extends AuthnRequestValidatorException { - - public NameIDFormatNotSupportedException(String nameIDFormat) { - super("pvp2.12", new Object[] {nameIDFormat}, "NameID format not supported"); - statusCodeValue = StatusCode.INVALID_NAMEID_POLICY_URI; - - } - - /** - * - */ - private static final long serialVersionUID = -2270762519437873336L; - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NoCredentialsException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NoCredentialsException.java index 333ef9765..58c2a032d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NoCredentialsException.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NoCredentialsException.java @@ -24,6 +24,8 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; import org.opensaml.saml2.core.StatusCode; +import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception; + public class NoCredentialsException extends PVP2Exception { public static final String MOA_IDP_TARGET = "MOA-ID"; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NoMandateDataAvailableException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NoMandateDataAvailableException.java index ce80ac5cb..821813b69 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NoMandateDataAvailableException.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NoMandateDataAvailableException.java @@ -22,6 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; +import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception; + public class NoMandateDataAvailableException extends PVP2Exception { public NoMandateDataAvailableException() { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NoMetadataInformationException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NoMetadataInformationException.java deleted file mode 100644 index 50a1af6ad..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NoMetadataInformationException.java +++ /dev/null @@ -1,39 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; - -import org.opensaml.saml2.core.StatusCode; - -public class NoMetadataInformationException extends PVP2Exception { - - public NoMetadataInformationException() { - super("pvp2.15", null); - this.statusCodeValue = StatusCode.UNKNOWN_PRINCIPAL_URI; - } - - /** - * - */ - private static final long serialVersionUID = -4608068445208032193L; - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/PVP2Exception.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/PVP2Exception.java deleted file mode 100644 index 00fb97151..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/PVP2Exception.java +++ /dev/null @@ -1,61 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; - -import org.opensaml.saml2.core.StatusCode; - -import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; - -public abstract class PVP2Exception extends MOAIDException { - - protected String statusCodeValue = StatusCode.RESPONDER_URI; - protected String statusMessageValue = null; - - public PVP2Exception(String messageId, Object[] parameters, - Throwable wrapped) { - super(messageId, parameters, wrapped); - this.statusMessageValue = this.getMessage(); - } - - public PVP2Exception(String messageId, Object[] parameters) { - super(messageId, parameters); - this.statusMessageValue = this.getMessage(); - } - - - public String getStatusCodeValue() { - return (this.statusCodeValue); - } - - public String getStatusMessageValue() { - return (this.statusMessageValue); - } - - /** - * - */ - private static final long serialVersionUID = 7669537952484421069L; - - - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/QAANotAllowedException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/QAANotAllowedException.java deleted file mode 100644 index 63f42cbe5..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/QAANotAllowedException.java +++ /dev/null @@ -1,40 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; - -import org.opensaml.saml2.core.StatusCode; - - -public class QAANotAllowedException extends PVP2Exception { - - public QAANotAllowedException(String qaa_auth, String qaa_request) { - super("pvp2.17", new Object[] {qaa_auth, qaa_request}); - this.statusCodeValue = StatusCode.REQUESTER_URI; - } - - /** - * - */ - private static final long serialVersionUID = -3964192953884089323L; - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/QAANotSupportedException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/QAANotSupportedException.java deleted file mode 100644 index fdf1063c0..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/QAANotSupportedException.java +++ /dev/null @@ -1,40 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; - -import org.opensaml.saml2.core.StatusCode; - - -public class QAANotSupportedException extends PVP2Exception { - - public QAANotSupportedException(String qaa) { - super("pvp2.05", new Object[] {qaa}); - this.statusCodeValue = StatusCode.REQUESTER_URI; - } - - /** - * - */ - private static final long serialVersionUID = -3964192953884089323L; - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/RequestDeniedException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/RequestDeniedException.java deleted file mode 100644 index 8f12f3cce..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/RequestDeniedException.java +++ /dev/null @@ -1,39 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; - -import org.opensaml.saml2.core.StatusCode; - -public class RequestDeniedException extends PVP2Exception { - - public RequestDeniedException() { - super("pvp2.14", null); - this.statusCodeValue = StatusCode.REQUEST_DENIED_URI; - } - - /** - * - */ - private static final long serialVersionUID = 4415896615794730553L; - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/ResponderErrorException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/ResponderErrorException.java deleted file mode 100644 index fe921f8b5..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/ResponderErrorException.java +++ /dev/null @@ -1,44 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; - -import org.opensaml.saml2.core.StatusCode; - -public class ResponderErrorException extends PVP2Exception { - - /** - * - */ - private static final long serialVersionUID = -425416760138285446L; - - public ResponderErrorException(String messageId, Object[] parameters, - Throwable wrapped) { - super(messageId, parameters, wrapped); - this.statusCodeValue = StatusCode.RESPONDER_URI; - } - - public ResponderErrorException(String messageId, Object[] parameters) { - super(messageId, parameters); - this.statusCodeValue = StatusCode.RESPONDER_URI; - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SAMLRequestNotSignedException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SAMLRequestNotSignedException.java deleted file mode 100644 index 65def4602..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SAMLRequestNotSignedException.java +++ /dev/null @@ -1,44 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; - -import org.opensaml.saml2.core.StatusCode; - -public class SAMLRequestNotSignedException extends PVP2Exception { - - public SAMLRequestNotSignedException() { - super("pvp2.07", null); - this.statusCodeValue = StatusCode.REQUESTER_URI; - } - - public SAMLRequestNotSignedException(Throwable e) { - super("pvp2.07", null, e); - this.statusCodeValue = StatusCode.REQUESTER_URI; - } - - /** - * - */ - private static final long serialVersionUID = 1L; - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SAMLRequestNotSupported.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SAMLRequestNotSupported.java deleted file mode 100644 index 8a386c951..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SAMLRequestNotSupported.java +++ /dev/null @@ -1,40 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; - -import org.opensaml.saml2.core.StatusCode; - - -public class SAMLRequestNotSupported extends PVP2Exception { - - public SAMLRequestNotSupported() { - super("pvp2.09", null); - this.statusCodeValue = StatusCode.REQUEST_UNSUPPORTED_URI; - } - - /** - * - */ - private static final long serialVersionUID = 1244883178458802767L; - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SLOException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SLOException.java deleted file mode 100644 index 9f1b6168e..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SLOException.java +++ /dev/null @@ -1,41 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; - -/** - * @author tlenz - * - */ -public class SLOException extends PVP2Exception { - private static final long serialVersionUID = -5284624715788385022L; - - /** - * @param messageId - * @param parameters - */ - public SLOException(String messageId, Object[] parameters) { - super(messageId, parameters); - // TODO Auto-generated constructor stub - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SchemaValidationException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SchemaValidationException.java deleted file mode 100644 index fc4ed1f28..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SchemaValidationException.java +++ /dev/null @@ -1,52 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; - -/** - * @author tlenz - * - */ -public class SchemaValidationException extends PVP2Exception { - - /** - * - */ - private static final long serialVersionUID = 1L; - - /** - * @param messageId - * @param parameters - */ - public SchemaValidationException(String messageId, Object[] parameters) { - super(messageId, parameters); - } - - /** - * @param messageId - * @param parameters - */ - public SchemaValidationException(String messageId, Object[] parameters, Throwable e) { - super(messageId, parameters, e); - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/UnprovideableAttributeException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/UnprovideableAttributeException.java deleted file mode 100644 index a8bfe1070..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/UnprovideableAttributeException.java +++ /dev/null @@ -1,37 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; - -import org.opensaml.saml2.core.StatusCode; - -public class UnprovideableAttributeException extends PVP2Exception { - /** - * - */ - private static final long serialVersionUID = 3972197758163647157L; - - public UnprovideableAttributeException(String attributeName) { - super("pvp2.10", new Object[] {attributeName}); - this.statusCodeValue = StatusCode.UNKNOWN_ATTR_PROFILE_URI; - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SchemaValidationException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SchemaValidationException.java deleted file mode 100644 index 8da5edeed..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SchemaValidationException.java +++ /dev/null @@ -1,43 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter; - -import org.opensaml.saml2.metadata.provider.FilterException; - -/** - * @author tlenz - * - */ -public class SchemaValidationException extends FilterException { - - /** - * @param string - */ - public SchemaValidationException(String string) { - super(string); - - } - - private static final long serialVersionUID = 1L; - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SignatureValidationException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SignatureValidationException.java deleted file mode 100644 index 86a6a777b..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SignatureValidationException.java +++ /dev/null @@ -1,58 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter; - -import org.opensaml.saml2.metadata.provider.FilterException; - -/** - * @author tlenz - * - */ -public class SignatureValidationException extends FilterException { - - /** - * @param string - */ - public SignatureValidationException(String string) { - super(string); - - } - - /** - * @param e - */ - public SignatureValidationException(Exception e) { - super(e); - } - - /** - * @param string - * @param object - */ - public SignatureValidationException(String string, Exception e) { - super(string, e); - } - - private static final long serialVersionUID = 1L; - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/loginFormFull.html b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/loginFormFull.html deleted file mode 100644 index 5ae76ed96..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/loginFormFull.html +++ /dev/null @@ -1,851 +0,0 @@ -<!DOCTYPE html> -<html> -<head> -<meta content="text/html; charset=utf-8" http-equiv="Content-Type"> - -<!-- MOA-ID 2.x BKUSelection Layout CSS --> -<style type="text/css"> -@media screen and (min-width: 650px) { - body { - margin: 0; - padding: 0; - color: #000; - background-color: #fff; - text-align: center; - background-color: #6B7B8B; - } - #localBKU p { - font-size: 0.7em; - } - #localBKU input { - font-size: 0.7em; - /*border-radius: 5px;*/ - } - #bkuselectionarea input[type=button] { - font-size: 0.85em; - /*border-radius: 7px;*/ - margin-bottom: 25px; - min-width: 80px; - } - #mandateLogin { - font-size: 0.85em; - } - #bku_header h2 { - font-size: 0.8em; - } - #page { - display: block; - border: 2px solid rgb(0, 0, 0); - width: 650px; - height: 440px; - margin: 0 auto; - margin-top: 5%; - position: relative; - border-radius: 25px; - background: rgb(255, 255, 255); - } - #page1 { - text-align: center; - } - #main { - /* clear:both; */ - position: relative; - margin: 0 auto; - width: 250px; - text-align: center; - } - .OA_header { - /* background-color: white;*/ - font-size: 20pt; - margin-bottom: 25px; - margin-top: 25px; - } - #leftcontent { - /*float:left; */ - width: 250px; - margin-bottom: 25px; - text-align: left; - border: 1px solid rgb(0, 0, 0); - } - #selectArea { - font-size: 15px; - padding-bottom: 65px; - } - #leftcontent { - width: 300px; - margin-top: 30px; - } - #bku_header { - height: 5%; - padding-bottom: 3px; - padding-top: 3px; - } - #bkulogin { - overflow: hidden; - min-width: 190px; - min-height: 180px; - /*height: 260px;*/ - } - h2#tabheader { - font-size: 1.1em; - padding-left: 2%; - padding-right: 2%; - position: relative; - } - .setAssertionButton_full { - background: #efefef; - cursor: pointer; - margin-top: 15px; - width: 100px; - height: 30px - } - #leftbutton { - width: 30%; - float: left; - margin-left: 40px; - } - #rightbutton { - width: 30%; - float: right; - margin-right: 45px; - text-align: right; - } - button { - height: 25px; - width: 75px; - margin-bottom: 10px; - } - #validation { - position: absolute; - bottom: 0px; - margin-left: 270px; - padding-bottom: 10px; - } -} - -@media screen and (max-width: 205px) { - #localBKU p { - font-size: 0.6em; - } - #localBKU input { - font-size: 0.6em; - min-width: 60px; - /* max-width: 65px; */ - min-height: 1.0em; - /* border-radius: 5px; */ - } - #bkuselectionarea input[type=button] { - font-size: 0.7em; - min-width: 55px; - /*min-height: 1.1em; - border-radius: 5px;*/ - margin-bottom: 2% - } - #mandateLogin { - font-size: 0.65em; - } - #bku_header h2 { - font-size: 0.8em; - margin-top: -0.4em; - padding-top: 0.4em; - } - #bkulogin { - min-height: 150px; - } -} - -@media screen and (max-width: 249px) and (min-width: 206px) { - #localBKU p { - font-size: 0.7em; - } - #localBKU input { - font-size: 0.7em; - min-width: 70px; - /* max-width: 75px; */ - min-height: 0.95em; - /* border-radius: 6px; */ - } - #bkuselectionarea input[type=button] { - font-size: 0.75em; - min-width: 60px; - /* min-height: 0.95em; - border-radius: 6px; */ - margin-bottom: 5% - } - #mandateLogin { - font-size: 0.75em; - } - #bku_header h2 { - font-size: 0.9em; - margin-top: -0.45em; - padding-top: 0.45em; - } - #bkulogin { - min-height: 180px; - } -} - -@media screen and (max-width: 299px) and (min-width: 250px) { - #localBKU p { - font-size: 0.9em; - } - #localBKU input { - font-size: 0.8em; - min-width: 70px; - /* max-width: 75px; */ - /* border-radius: 6px; */ - } - #bkuselectionarea input[type=button] { - font-size: 0.85em; - /* min-height: 1.05em; - border-radius: 7px; */ - margin-bottom: 10%; - } - #mandateLogin { - font-size: 1em; - } - #bku_header h2 { - font-size: 1.0em; - margin-top: -0.50em; - padding-top: 0.50em; - } -} - -@media screen and (max-width: 399px) and (min-width: 300px) { - #localBKU p { - font-size: 0.9em; - } - #localBKU input { - font-size: 0.8em; - min-width: 70px; - /* max-width: 75px; */ - /* border-radius: 6px; */ - } - #bkuselectionarea input[type=button] { - font-size: 0.9em; - /* min-height: 1.2em; - border-radius: 8px; */ - margin-bottom: 10%; - max-width: 80px; - } - #mandateLogin { - font-size: 1em; - } - #bku_header h2 { - font-size: 1.1em; - margin-top: -0.55em; - padding-top: 0.55em; - } -} - -@media screen and (max-width: 649px) and (min-width: 400px) { - #localBKU p { - font-size: 0.9em; - } - #localBKU input { - font-size: 0.8em; - min-width: 70px; - /* max-width: 80px; */ - /* border-radius: 6px; */ - } - #bkuselectionarea input[type=button] { - font-size: 1.0em; - /* min-height: 1.3em; - border-radius: 10px; */ - margin-bottom: 10%; - max-width: 85px; - } - #mandateLogin { - font-size: 1.2em; - } - #bku_header h2 { - font-size: 1.3em; - margin-top: -0.65em; - padding-top: 0.65em; - } -} - -@media screen and (max-width: 649px) { - body { - margin: 0; - padding: 0; - color: #000; - text-align: center; - font-size: 100%; - background-color: #MAIN_BACKGOUNDCOLOR#; - } - #page { - visibility: hidden; - margin-top: 0%; - } - #page1 { - visibility: hidden; - } - #main { - visibility: hidden; - } - #validation { - visibility: hidden; - display: none; - } - .OA_header { - margin-bottom: 0px; - margin-top: 0px; - font-size: 0pt; - visibility: hidden; - } - #leftcontent { - visibility: visible; - margin-bottom: 0px; - text-align: left; - border: none; - vertical-align: middle; - min-height: 173px; - min-width: 204px; - } - #bku_header { - height: 10%; - min-height: 1.2em; - margin-top: 1%; - } - h2#tabheader { - padding-left: 2%; - padding-right: 2%; - position: relative; - top: 50%; - } - #bkulogin { - min-width: 190px; - min-height: 155px; - } - .setAssertionButton_full { - background: #efefef; - cursor: pointer; - margin-top: 15px; - width: 70px; - height: 25px; - } - input[type=button] { - /* height: 11%; */ - width: 70%; - } -} - - - @media screen and (max-width: 649px) { - - body { - margin:0; - padding:0; - color : #000; - text-align: center; - font-size: 100%; - background-color: #MAIN_BACKGOUNDCOLOR#; - } - - #page { - visibility: hidden; - margin-top: 0%; - } - - #page1 { - visibility: hidden; - } - - #main { - visibility: hidden; - } - - #validation { - visibility: hidden; - display: none; - } - - .OA_header { - margin-bottom: 0px; - margin-top: 0px; - font-size: 0pt; - visibility: hidden; - } - - #leftcontent { - visibility: visible; - margin-bottom: 0px; - text-align: left; - border:none; - vertical-align: middle; - min-height: 173px; - min-width: 204px; - - } - - #bku_header { - height: 10%; - min-height: 1.2em; - margin-top: 1%; - } - - h2#tabheader{ - padding-left: 2%; - padding-right: 2%; - position: relative; - top: 50%; - } - - #bkulogin { - min-width: 190px; - min-height: 155px; - } - - .setAssertionButton_full { - background: #efefef; - cursor: pointer; - margin-top: 15px; - width: 70px; - height: 25px; - } - - input[type=button] { -/* height: 11%; */ - width: 70%; - } - } - - * { - margin: 0; - padding: 0; - font-family: #FONTTYPE#; - } - - #selectArea { - padding-top: 10px; - padding-bottom: 55px; - padding-left: 10px; - } - - .setAssertionButton { - background: #efefef; - cursor: pointer; - margin-top: 15px; - width: 70px; - height: 25px; - } - - #leftbutton { - width: 35%; - float:left; - margin-left: 15px; - } - - #rightbutton { - width: 35%; - float:right; - margin-right: 25px; - text-align: right; - } - - #mandateLogin { - padding-bottom: 4%; - padding-top: 4%; - height: 10%; - position: relative; - text-align: center; - } - - .verticalcenter { - vertical-align: middle; - } - - #mandateLogin div { - clear: both; - margin-top: -1%; - position: relative; - top: 50%; - } - - #bkuselectionarea { - position: relative; - display: block; - } - - #localBKU { - padding-left: 5%; - padding-right: 2%; - padding-bottom: 4%; - padding-top: 4%; - position: relative; - clear: both; - } - - #bkukarte { - float:left; - text-align:center; - width:40%; - min-height: 70px; - padding-left: 5%; - padding-top: 2%; - } - - #bkuhandy { - float:right; - text-align:center; - width:40%; - min-height: 90px; - padding-right: 5%; - padding-top: 2%; - } - - .bkuimage { - width: 90%; - height: auto; - } - - #mandate{ - text-align:center; - padding : 5px 5px 5px 5px; - } - -/* input[type=button], .sendButton { - background: #BUTTON_BACKGROUNDCOLOR#; - color: #BUTTON_COLOR#; -/* border:1px solid #000; */ -/* cursor: pointer; -/* box-shadow: 3px 3px 3px #222222; */ -/* } - -/* button:hover, button:focus, button:active, - .sendButton:hover , .sendButton:focus, .sendButton:active, - #mandateCheckBox:hover, #mandateCheckBox:focus, #mandateCheckBox:active { - background: #BUTTON_BACKGROUNDCOLOR_FOCUS#; - color: #BUTTON_COLOR#; -/* border:1px solid #000; */ -/* cursor: pointer; -/* box-shadow: -1px -1px 3px #222222; */ -/* } - -*/ -input { - /*border:1px solid #000;*/ - cursor: pointer; -} - -#localBKU input { - /* color: #BUTTON_COLOR#; */ - border: 0px; - display: inline-block; -} - -#localBKU input:hover,#localBKU input:focus,#localBKU input:active { - text-decoration: underline; -} - -#installJava,#BrowserNOK { - clear: both; - font-size: 0.8em; - padding: 4px; -} - -.selectText { - -} - -.selectTextHeader { - -} - -.sendButton { - width: 30%; - margin-bottom: 1%; -} - -#leftcontent a { - text-decoration: none; - color: #000; - /* display:block;*/ - padding: 4px; -} - -#leftcontent a:hover,#leftcontent a:focus,#leftcontent a:active { - text-decoration: underline; - color: #000; -} - -.infobutton { - background-color: #005a00; - color: white; - font-family: serif; - text-decoration: none; - padding-top: 2px; - padding-right: 4px; - padding-bottom: 2px; - padding-left: 4px; - font-weight: bold; -} - -.hell { - background-color: #MAIN_BACKGOUNDCOLOR#; - color: #MAIN_COLOR#; -} - -.dunkel { - background-color: #HEADER_BACKGROUNDCOLOR#; - color: #HEADER_COLOR#; -} - -.main_header { - color: black; - font-size: 32pt; - position: absolute; - right: 10%; - top: 40px; -} -</style> -<!-- MOA-ID 2.x BKUSelection JavaScript fucnctions--> -<script type="text/javascript"> - function isIE() { - return (/MSIE (\d+\.\d+);/.test(navigator.userAgent)); - } - function isFullscreen() { - try { - return ((top.innerWidth == screen.width) && (top.innerHeight == screen.height)); - } catch (e) { - return false; - } - } - function isActivexEnabled() { - var supported = null; - try { - supported = !!new ActiveXObject("htmlfile"); - } catch (e) { - supported = false; - } - return supported; - } - function isMetro() { - if (!isIE()) - return false; - return !isActivexEnabled() && isFullscreen(); - } - window.onload=function() { - document.getElementById("localBKU").style.display="block"; - return; - } - function bkuOnlineClicked() { - if (isMetro()) - document.getElementById("metroDetected").style.display="block"; - document.getElementById("localBKU").style.display="block"; -/* if (checkMandateSSO()) - return; */ - - setMandateSelection(); -/* setSSOSelection(); */ - - var iFrameURL = "#AUTH_URL#" + "?"; - iFrameURL += "bkuURI=" + "#ONLINE#"; - iFrameURL += "&useMandate=" + document.getElementById("useMandate").value; -/* iFrameURL += "&SSO=" + document.getElementById("useSSO").value; */ - iFrameURL += "&MODUL=" + "#MODUL#"; - iFrameURL += "&ACTION=" + "#ACTION#"; - iFrameURL += "&MOASessionID=" + "#SESSIONID#"; - generateIFrame(iFrameURL); - } - function bkuHandyClicked() { - document.getElementById("localBKU").style.display="none"; -/* if (checkMandateSSO()) - return; */ - - setMandateSelection(); -/* setSSOSelection(); */ - - var iFrameURL = "#AUTH_URL#" + "?"; - iFrameURL += "bkuURI=" + "#HANDY#"; - iFrameURL += "&useMandate=" + document.getElementById("useMandate").value; -/* iFrameURL += "&SSO=" + document.getElementById("useSSO").value; */ - iFrameURL += "&MODUL=" + "#MODUL#"; - iFrameURL += "&ACTION=" + "#ACTION#"; - iFrameURL += "&MOASessionID=" + "#SESSIONID#"; - generateIFrame(iFrameURL); - } - function storkClicked() { - document.getElementById("localBKU").style.display="none"; -/* if (checkMandateSSO()) - return; */ - - setMandateSelection(); -/* setSSOSelection(); */ - - var ccc = "AT"; - var countrySelection = document.getElementById("cccSelection"); - if (countrySelection != null) { - ccc = document.getElementById("cccSelection").value; - } - var iFrameURL = "#AUTH_URL#" + "?"; - iFrameURL += "bkuURI=" + "#ONLINE#"; - iFrameURL += "&useMandate=" + document.getElementById("useMandate").value; - iFrameURL += "&CCC=" + ccc; -/* iFrameURL += "&SSO=" + document.getElementById("useSSO").value; */ - iFrameURL += "&MODUL=" + "#MODUL#"; - iFrameURL += "&ACTION=" + "#ACTION#"; - iFrameURL += "&MOASessionID=" + "#SESSIONID#"; - generateIFrame(iFrameURL); - } - function generateIFrame(iFrameURL) { - var el = document.getElementById("bkulogin"); - var width = el.clientWidth; - var heigth = el.clientHeight - 20; - var parent = el.parentNode; - - iFrameURL += "&heigth=" + heigth; - iFrameURL += "&width=" + width; - - var iframe = document.createElement("iframe"); - iframe.setAttribute("src", iFrameURL); - iframe.setAttribute("width", el.clientWidth - 1); - iframe.setAttribute("height", el.clientHeight - 1); - iframe.setAttribute("frameborder", "0"); - iframe.setAttribute("scrolling", "no"); - iframe.setAttribute("title", "Login"); - parent.replaceChild(iframe, el); - } - function setMandateSelection() { - document.getElementById("moaidform").action = "#AUTH_URL#"; - document.getElementById("useMandate").value = "false"; - var checkbox = document.getElementById("mandateCheckBox"); - if (checkbox != null) { - if (document.getElementById("mandateCheckBox").checked) { - document.getElementById("useMandate").value = "true"; - } - } - } - function onChangeChecks() { - if (top.innerWidth < 650) { - document.getElementById("moaidform").setAttribute("target","_parent"); - } else { - document.getElementById("moaidform").removeAttribute("target"); - } - - } -/* function setSSOSelection() { - document.getElementById("useSSO").value = "false"; - var checkbox = document.getElementById("SSOCheckBox"); - if (checkbox != null) { - if (document.getElementById("SSOCheckBox").checked) { - document.getElementById("useSSO").value = "true"; - } - } - } */ - -/* function checkMandateSSO() { - var sso = document.getElementById("SSOCheckBox"); - var mandate = document.getElementById("mandateCheckBox"); - - - if (sso.checked && mandate.checked) { - alert("Anmeldung in Vertretung in kombination mit Single Sign-On wird aktuell noch nicht unterstützt!") - mandate.checked = false; - sso.checked = false; - return true; - } else { - return false; - } - } */ - </script> -<title>Anmeldung mittels Bürgerkarte oder Handy-Signatur</title> -</head> -<body onload="onChangeChecks();" onresize="onChangeChecks();"> - <div id="page"> - <div id="page1" class="case selected-case" role="main"> - <h2 class="OA_header" role="heading">Anmeldung an: #OAName#</h2> - <div id="main"> - <div id="leftcontent" class="hell" role="application"> - <div id="bku_header" class="dunkel"> - <h2 id="tabheader" class="dunkel" role="heading">#HEADER_TEXT#</h2> - </div> - <div id="bkulogin" class="hell" role="form"> - <div id="mandateLogin" style=""> - <div> - <input tabindex="1" type="checkbox" name="Mandate" - id="mandateCheckBox" class="verticalcenter" role="checkbox" - onClick='document.getElementById("mandateCheckBox").setAttribute("aria-checked", document.getElementById("mandateCheckBox").checked);'#MANDATECHECKED#> - <label for="mandateCheckBox" class="verticalcenter">in - Vertretung anmelden</label> - <!--a href="info_mandates.html" - target="_blank" - class="infobutton verticalcenter" - tabindex="5">i</a--> - </div> - </div> - <div id="bkuselectionarea"> - <div id="bkukarte"> - <img class="bkuimage" src="#CONTEXTPATH#/img/online-bku.png" - alt="OnlineBKU" /> <input name="bkuButtonOnline" type="button" - onClick="bkuOnlineClicked();" tabindex="2" role="button" - value="Karte" /> - </div> - <div id="bkuhandy"> - <img class="bkuimage" src="#CONTEXTPATH#/img/mobile-bku.png" - alt="HandyBKU" /> <input name="bkuButtonHandy" type="button" - onClick="bkuHandyClicked();" tabindex="3" role="button" - value="HANDY" /> - </div> - </div> - <div id="localBKU"> - <form method="get" id="moaidform" action="#AUTH_URL#" - class="verticalcenter" target="_parent"> - <input type="hidden" name="bkuURI" value="#LOCAL#"> <input - type="hidden" name="useMandate" id="useMandate"> <input - type="hidden" name="SSO" id="useSSO"> <input - type="hidden" name="CCC" id="ccc"> <input type="hidden" - name="MODUL" value="#MODUL#"> <input type="hidden" - name="ACTION" value="#ACTION#"> <input type="hidden" - name="MOASessionID" value="#SESSIONID#"> <input - type="submit" value=">lokale Bürgerkartenumgebung" tabindex="4" - role="button" class="hell"> - <!--p> - <small>Alternativ können Sie eine lokal installierte BKU verwenden.</small> - </p--> - </form> - </div> - <div id="stork" align="center" style="#STORKVISIBLE#"> - <h2 id="tabheader" class="dunkel">Home Country Selection</h2> - <p> - <select name="cccSelection" id="cccSelection" size="1" style="width: 120px; margin-right: 5px;" > - <option value="BE">België/Belgique</option> - <option value="EE">Eesti</option> - <option value="ES">España</option> - <option value="IS">Ísland</option> - <option value="IT">Italia</option> - <option value="LI">Liechtenstein</option> - <option value="LT">Lithuania</option> - <option value="PT">Portugal</option> - <option value="SI">Slovenija</option> - <option value="FI">Suomi</option> - <option value="SE">Sverige</option> - </select> - <button name="bkuButton" type="button" onClick="storkClicked();">Proceed</button> - <a href="info_stork.html" target="_blank" class="infobutton" style="color:#FFF">i</a> - </p> - </div> - - <div id="metroDetected" style="display: none"> - <p>Anscheinend verwenden Sie Internet Explorer im - Metro-Modus. Wählen Sie bitte "Auf dem Desktop anzeigen" aus den - Optionen um die Karten-Anmeldung starten zu können.</p> - </div> - </div> - </div> - </div> - </div> - <div id="validation"> - <a href="http://validator.w3.org/check?uri="> <img - style="border: 0; width: 88px; height: 31px" - src="#CONTEXTPATH#/img/valid-html5-blue.png" alt="HTML5 ist valide!" /> - </a> <a href="http://jigsaw.w3.org/css-validator/"> <img - style="border: 0; width: 88px; height: 31px" - src="https://jigsaw.w3.org/css-validator/images/vcss-blue" - alt="CSS ist valide!" /> - </a> - </div> - </div> -</body> -</html>
\ No newline at end of file diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/InboundMessage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/InboundMessage.java deleted file mode 100644 index 8c8345bbf..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/InboundMessage.java +++ /dev/null @@ -1,116 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.messages; - -import java.io.Serializable; - -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.provider.MetadataProvider; -import org.opensaml.saml2.metadata.provider.MetadataProviderException; -import org.w3c.dom.Element; - -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException; -import at.gv.egovernment.moa.logging.Logger; - -/** - * @author tlenz - * - */ -public class InboundMessage implements InboundMessageInterface, Serializable{ - - private static final long serialVersionUID = 2395131650841669663L; - - private Element samlMessage = null; - private boolean verified = false; - private String entityID = null; - private String relayState = null; - - - public EntityDescriptor getEntityMetadata(MetadataProvider metadataProvider) throws NoMetadataInformationException { - try { - if (metadataProvider == null) - throw new NullPointerException("No PVP MetadataProvider found."); - - return metadataProvider.getEntityDescriptor(this.entityID); - - } catch (MetadataProviderException e) { - Logger.warn("No Metadata for EntitiyID " + entityID); - throw new NoMetadataInformationException(); - } - } - - /** - * @param entitiyID the entitiyID to set - */ - public void setEntityID(String entitiyID) { - this.entityID = entitiyID; - } - - public void setVerified(boolean verified) { - this.verified = verified; - } - - /** - * @param relayState the relayState to set - */ - public void setRelayState(String relayState) { - this.relayState = relayState; - } - - public void setSAMLMessage(Element msg) { - this.samlMessage = msg; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.messages.PVP21InboundMessage#getRelayState() - */ - @Override - public String getRelayState() { - return relayState; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.messages.PVP21InboundMessage#getEntityID() - */ - @Override - public String getEntityID() { - return entityID; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.messages.PVP21InboundMessage#isVerified() - */ - @Override - public boolean isVerified() { - return verified; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.messages.PVP21InboundMessage#getInboundMessage() - */ - @Override - public Element getInboundMessage() { - return samlMessage; - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/InboundMessageInterface.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/InboundMessageInterface.java deleted file mode 100644 index 60a6f069a..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/InboundMessageInterface.java +++ /dev/null @@ -1,38 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.messages; - -import org.w3c.dom.Element; - -/** - * @author tlenz - * - */ -public interface InboundMessageInterface { - - public String getRelayState(); - public String getEntityID(); - public boolean isVerified(); - public Element getInboundMessage(); - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOARequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOARequest.java deleted file mode 100644 index 7679e74a6..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOARequest.java +++ /dev/null @@ -1,66 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.messages; - - -import org.opensaml.Configuration; -import org.opensaml.saml2.core.RequestAbstractType; -import org.opensaml.xml.io.Unmarshaller; -import org.opensaml.xml.io.UnmarshallerFactory; -import org.opensaml.xml.io.UnmarshallingException; -import org.opensaml.xml.signature.SignableXMLObject; - -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; -import at.gv.egovernment.moa.logging.Logger; - -public class MOARequest extends InboundMessage{ - - private static final long serialVersionUID = 8613921176727607896L; - - private String binding = null; - - public MOARequest(SignableXMLObject inboundMessage, String binding) { - setSAMLMessage(inboundMessage.getDOM()); - this.binding = binding; - - } - - public String getRequestBinding() { - return binding; - } - - public SignableXMLObject getSamlRequest() { - UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory(); - Unmarshaller unmashaller = unmarshallerFactory.getUnmarshaller(getInboundMessage()); - - try { - return (SignableXMLObject) unmashaller.unmarshall(getInboundMessage()); - - } catch (UnmarshallingException e) { - Logger.warn("AuthnRequest Unmarshaller error", e); - return null; - } - - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOAResponse.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOAResponse.java deleted file mode 100644 index f2512b122..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOAResponse.java +++ /dev/null @@ -1,56 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.messages; - -import org.opensaml.Configuration; -import org.opensaml.saml2.core.StatusResponseType; -import org.opensaml.xml.io.Unmarshaller; -import org.opensaml.xml.io.UnmarshallerFactory; -import org.opensaml.xml.io.UnmarshallingException; - -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; -import at.gv.egovernment.moa.logging.Logger; - -public class MOAResponse extends InboundMessage { - - private static final long serialVersionUID = -1133012928130138501L; - - public MOAResponse(StatusResponseType response) { - setSAMLMessage(response.getDOM()); - } - - public StatusResponseType getResponse() { - UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory(); - Unmarshaller unmashaller = unmarshallerFactory.getUnmarshaller(getInboundMessage()); - - try { - return (StatusResponseType) unmashaller.unmarshall(getInboundMessage()); - - } catch (UnmarshallingException e) { - Logger.warn("AuthnResponse Unmarshaller error", e); - return null; - } - - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/IMOARefreshableMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/IMOARefreshableMetadataProvider.java deleted file mode 100644 index 3da4dc18a..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/IMOARefreshableMetadataProvider.java +++ /dev/null @@ -1,38 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.metadata; - -/** - * @author tlenz - * - */ -public interface IMOARefreshableMetadataProvider { - - /** - * Refresh a entity or load a entity in a metadata provider - * - * @param entityID - * @return true, if refresh is success, otherwise false - */ - public boolean refreshMetadataProvider(String entityID); -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index 7d43732a6..1fa17c683 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -23,401 +23,91 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.metadata; import java.io.IOException; +import java.net.MalformedURLException; import java.security.cert.CertificateException; import java.util.ArrayList; -import java.util.Collection; -import java.util.HashMap; import java.util.Iterator; import java.util.List; import java.util.Map; import java.util.Map.Entry; -import java.util.Timer; -import javax.xml.namespace.QName; - -import org.opensaml.saml2.metadata.EntitiesDescriptor; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.RoleDescriptor; -import org.opensaml.saml2.metadata.provider.BaseMetadataProvider; -import org.opensaml.saml2.metadata.provider.ChainingMetadataProvider; -import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider; -import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.apache.commons.httpclient.HttpClient; +import org.apache.commons.httpclient.MOAHttpClient; +import org.apache.commons.httpclient.params.HttpClientParams; import org.opensaml.saml2.metadata.provider.MetadataProvider; -import org.opensaml.saml2.metadata.provider.MetadataProviderException; -import org.opensaml.saml2.metadata.provider.ObservableMetadataProvider; -import org.opensaml.xml.XMLObject; import org.opensaml.xml.parse.BasicParserPool; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; -import at.gv.egovernment.moa.id.auth.IDestroyableObject; -import at.gv.egovernment.moa.id.auth.IGarbageCollectorProcessing; +import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.AbstractChainingMetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.MetadataFilterChain; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.PVPEntityCategoryFilter; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SchemaValidationFilter; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; -import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; +import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; +import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; import at.gv.egovernment.moa.id.config.auth.OAAuthParameterDecorator; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.PVPEntityCategoryFilter; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.PVPMetadataFilterChain; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataSignatureFilter; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.MiscUtil; @Service("PVPMetadataProvider") -public class MOAMetadataProvider extends SimpleMOAMetadataProvider - implements ObservableMetadataProvider, IGarbageCollectorProcessing, - IMOARefreshableMetadataProvider, IDestroyableObject { +public class MOAMetadataProvider extends AbstractChainingMetadataProvider { - //private static final int METADATA_GARBAGE_TIMEOUT_SEC = 604800; //7 days - -// private static MOAMetadataProvider instance = null; - MetadataProvider internalProvider = null; - private Timer timer = null; - private static Object mutex = new Object(); - //private Map<String, Date> lastAccess = null; - - - public MOAMetadataProvider() { - internalProvider = new ChainingMetadataProvider(); - //lastAccess = new HashMap<String, Date>(); + @Autowired(required=true) AuthConfiguration moaAuthConfig; - } - -// public static MOAMetadataProvider getInstance() { -// if (instance == null) { -// synchronized (mutex) { -// if (instance == null) { -// instance = new MOAMetadataProvider(); -// -// //add this to MOA garbage collector -// MOAGarbageCollector.addModulForGarbageCollection(instance); -// -// } -// } -// } -// return instance; -// } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IGarbageCollectorProcessing#runGarbageCollector() - */ @Override - public void runGarbageCollector() { - synchronized (mutex) { - - /**add new Metadataprovider or remove Metadataprovider which are not in use any more.**/ - try { - Logger.trace("Check consistence of PVP2X metadata"); - addAndRemoveMetadataProvider(); - - } catch (ConfigurationException | EAAFConfigurationException e) { - Logger.error("Access to MOA-ID configuration FAILED.", e); - - } - } + protected String getMetadataURL(String entityId) throws EAAFConfigurationException { + ISPConfiguration oaParam = authConfig.getServiceProviderConfiguration(entityId); + if (oaParam != null) + return oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_URL); - } - - -// private static void reInitialize() { -// synchronized (mutex) { -// -// /**add new Metadataprovider or remove Metadataprovider which are not in use any more.**/ -// if (instance != null) -// try { -// Logger.trace("Check consistence of PVP2X metadata"); -// instance.addAndRemoveMetadataProvider(); -// -// } catch (ConfigurationException e) { -// Logger.error("Access to MOA-ID configuration FAILED.", e); -// -// } -// else -// Logger.info("MOAMetadataProvider is not loaded."); -// } -// } - - public void fullyDestroy() { - internalDestroy(); + else { + Logger.debug("Can not process PVP2X metadata: NO onlineApplication with Id: " + entityId); + return null; + } + } - - @Override - public synchronized boolean refreshMetadataProvider(String entityID) { - try { - //check if metadata provider is already loaded - try { - if (internalProvider.getEntityDescriptor(entityID) != null) - return true; - - } catch (MetadataProviderException e) {} - + protected MetadataProvider createNewMetadataProvider(String entityId) throws EAAFConfigurationException, IOException, CertificateException { + ISPConfiguration oaParam = authConfig.getServiceProviderConfiguration(entityId); + if (oaParam != null) { + String metadataURL = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_URL); + String certBase64 = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE); + if (MiscUtil.isNotEmpty(certBase64)) { + byte[] cert = Base64Utils.decode(certBase64, false); + String oaFriendlyName = oaParam.getUniqueIdentifier(); + + return createNewSimpleMetadataProvider(metadataURL, + buildMetadataFilterChain(oaParam, metadataURL, cert), + oaFriendlyName, + getTimer(), + new BasicParserPool(), + createHttpClient(metadataURL)); - //reload metadata provider - ISPConfiguration oaParam = authConfig.getServiceProviderConfiguration(entityID); - if (oaParam != null) { - String metadataURL = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_URL); - if (MiscUtil.isNotEmpty(metadataURL)) { - Map<String, HTTPMetadataProvider> actuallyLoadedProviders = getAllActuallyLoadedProviders(); - - // check if MetadataProvider is actually loaded - if (actuallyLoadedProviders.containsKey(metadataURL)) { - actuallyLoadedProviders.get(metadataURL).refresh(); - Logger.info("PVP2X metadata for onlineApplication: " - + entityID + " is refreshed."); - return true; - - } else { - //load new Metadata Provider - String certBase64 = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE); - if (MiscUtil.isNotEmpty(certBase64)) { - byte[] cert = Base64Utils.decode(certBase64, false); - String oaFriendlyName = oaParam.getUniqueIdentifier(); - - if (timer == null) - timer = new Timer(true); - - ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider; - MetadataProvider newMetadataProvider = createNewMoaMetadataProvider(metadataURL, - buildMetadataFilterChain(oaParam, metadataURL, cert), - oaFriendlyName, - timer, - new BasicParserPool()); - - chainProvider.addMetadataProvider(newMetadataProvider); - - emitChangeEvent(); - - Logger.info("PVP2X metadata for onlineApplication: " - + entityID + " is added."); - return true; - - } else - Logger.debug("Can not refresh PVP2X metadata: NO PVP2X metadata certificate for OA with Id: " + entityID); - - } - - } else - Logger.debug("Can not refresh PVP2X metadata: NO PVP2X metadata URL for OA with Id: " + entityID); - } else - Logger.debug("Can not refresh PVP2X metadata: NO onlineApplication with Id: " + entityID); - - - } catch (MetadataProviderException e) { - Logger.warn("Refresh PVP2X metadata for onlineApplication: " - + entityID + " FAILED.", e); - - } catch (IOException e) { - Logger.warn("Refresh PVP2X metadata for onlineApplication: " - + entityID + " FAILED.", e); - - } catch (CertificateException e) { - Logger.warn("Refresh PVP2X metadata for onlineApplication: " - + entityID + " FAILED.", e); + Logger.debug("Can not refresh PVP2X metadata: NO PVP2X metadata certificate for OA with Id: " + entityId); - } catch (ConfigurationException e) { - Logger.warn("Refresh PVP2X metadata for onlineApplication: " - + entityID + " FAILED.", e); - - } catch (EAAFConfigurationException e) { - Logger.warn("Refresh PVP2X metadata for onlineApplication: " - + entityID + " FAILED.", e); - } - - return false; - - } - - private Map<String, HTTPMetadataProvider> getAllActuallyLoadedProviders() { - Map<String, HTTPMetadataProvider> loadedproviders = new HashMap<String, HTTPMetadataProvider>(); - ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider; - - //make a Map of all actually loaded HTTPMetadataProvider - List<MetadataProvider> providers = chainProvider.getProviders(); - for (MetadataProvider provider : providers) { - if (provider instanceof HTTPMetadataProvider) { - HTTPMetadataProvider httpprovider = (HTTPMetadataProvider) provider; - loadedproviders.put(httpprovider.getMetadataURI(), httpprovider); - - } } - return loadedproviders; - } - - - private void addAndRemoveMetadataProvider() throws ConfigurationException, EAAFConfigurationException { - if (internalProvider != null && internalProvider instanceof ChainingMetadataProvider) { - Logger.info("Reload MOAMetaDataProvider."); - - /*OpenSAML ChainingMetadataProvider can not remove a MetadataProvider (UnsupportedOperationException) - *The ChainingMetadataProvider use internal a unmodifiableList to hold all registrated MetadataProviders.*/ - Map<String, MetadataProvider> providersinuse = new HashMap<String, MetadataProvider>(); - ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider; - - //get all actually loaded metadata providers - Map<String, HTTPMetadataProvider> loadedproviders = getAllActuallyLoadedProviders(); + Logger.debug("Can not process PVP2X metadata: NO onlineApplication with Id: " + entityId); + return null; - /* TODO: maybe add metadata provider destroy after timeout. - * But could be a problem if one Metadataprovider load an EntitiesDescriptor - * with more the multiple EntityDescriptors. If one of this EntityDesciptors - * are expired the full EntitiesDescriptor is removed. - * - * Timeout requires a better solution in this case! - */ -// Date now = new Date(); -// Date expioredate = new Date(now.getTime() - (METADATA_GARBAGE_TIMEOUT_SEC * 1000)); -// Logger.debug("Starting PVP Metadata garbag collection (Expioredate:" -// + expioredate + ")"); - - //load all PVP2 OAs form ConfigurationDatabase and - //compare actually loaded Providers with configured PVP2 OAs - Map<String, String> allOAs = authConfig.getConfigurationWithWildCard( - MOAIDConfigurationConstants.PREFIX_MOAID_SERVICES - + ".%." - + MOAIDConfigurationConstants.SERVICE_UNIQUEIDENTIFIER); - - if (allOAs != null) { - Iterator<Entry<String, String>> oaInterator = allOAs.entrySet().iterator(); - while (oaInterator.hasNext()) { - Entry<String, String> oaKeyPair = oaInterator.next(); - - ISPConfiguration oaParam = authConfig.getServiceProviderConfiguration(oaKeyPair.getValue()); - if (oaParam != null) { - String metadataurl = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_URL); - - HTTPMetadataProvider httpProvider = null; - try { - if (MiscUtil.isNotEmpty(metadataurl)) { - if (loadedproviders.containsKey(metadataurl)) { - // PVP2 OA is actually loaded, to nothing - providersinuse.put(metadataurl, loadedproviders.get(metadataurl)); - loadedproviders.remove(metadataurl); - - - //INFO: load metadata dynamically if they are requested -// } else if ( MiscUtil.isNotEmpty(metadataurl) && -// !providersinuse.containsKey(metadataurl) ) { -// //PVP2 OA is new, add it to MOAMetadataProvider -// String certBase64 = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE); -// if (MiscUtil.isNotEmpty(certBase64)) { -// byte[] cert = Base64Utils.decode(certBase64, false); -// String oaFriendlyName = oaParam.getFriendlyName(); -// -// -// Logger.info("Loading metadata for: " + oaFriendlyName); -// httpProvider = createNewHTTPMetaDataProvider( -// metadataurl, -// buildMetadataFilterChain(oaParam, metadataurl, cert), -// oaFriendlyName); -// -// if (httpProvider != null) -// providersinuse.put(metadataurl, httpProvider); -// } - - } - } - } catch (Throwable e) { - Logger.error( - "Failed to add Metadata (unhandled reason: " - + e.getMessage(), e); - - if (httpProvider != null) { - Logger.debug("Destroy failed Metadata provider"); - httpProvider.destroy(); - } - - } - } - } - } - - //remove all actually loaded MetadataProviders with are not in ConfigurationDB any more - Collection<HTTPMetadataProvider> notusedproviders = loadedproviders.values(); - for (HTTPMetadataProvider provider : notusedproviders) { - String metadataurl = provider.getMetadataURI(); - - try { - - provider.destroy(); - - /*OpenSAML ChainingMetadataProvider can not remove a MetadataProvider (UnsupportedOperationException) - *The ChainingMetadataProvider use internal a unmodifiableList to hold all registrated MetadataProviders.*/ - //chainProvider.removeMetadataProvider(provider); - - Logger.info("Remove not used MetadataProvider with MetadataURL " + metadataurl); - - } catch (Throwable e) { - Logger.error("HTTPMetadataProvider with URL " + metadataurl - + " can not be removed from the list of actually loaded Providers.", e); - - } - - } - - try { - chainProvider.setProviders(new ArrayList<MetadataProvider>(providersinuse.values())); - - emitChangeEvent(); - - } catch (MetadataProviderException e) { - Logger.warn("ReInitalize MOAMetaDataProvider is not possible! MOA-ID Instance has to be restarted manualy", e); - - } - - - - } else { - Logger.warn("ReInitalize MOAMetaDataProvider is not possible! MOA-ID Instance has to be restarted manualy"); - } - } - - public void internalDestroy() { - if (internalProvider != null && internalProvider instanceof ChainingMetadataProvider) { - Logger.info("Destrorying PVP-Authentication MetaDataProvider."); - ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider; - - List<MetadataProvider> providers = chainProvider.getProviders(); - for (MetadataProvider provider : providers) { - if (provider instanceof HTTPMetadataProvider) { - HTTPMetadataProvider httpprovider = (HTTPMetadataProvider) provider; - Logger.debug("Destroy HTTPMetadataProvider +" + httpprovider.getMetadataURI()); - httpprovider.destroy(); - - } else { - Logger.warn("MetadataProvider can not be destroyed."); - } - } - - internalProvider = new ChainingMetadataProvider(); - - if (timer != null) - timer.cancel(); - - } else { - Logger.warn("ReInitalize MOAMetaDataProvider is not possible! MOA-ID Instance has to be restarted manualy"); - } - } - - @Deprecated - /** - * Load all PVP metadata from OA configuration - * - * This method is deprecated because OA metadata should be loaded dynamically - * if the corresponding OA is requested. - */ - private void loadAllPVPMetadataFromKonfiguration() throws EAAFConfigurationException { - ChainingMetadataProvider chainProvider = new ChainingMetadataProvider(); - Logger.info("Loading metadata"); - Map<String, MetadataProvider> providersinuse = new HashMap<String, MetadataProvider>(); - Map<String, String> allOAs = authConfig.getConfigurationWithWildCard( + @Override + protected List<String> getAllMetadataURLsFromConfiguration() throws EAAFConfigurationException { + List<String> metadataURLs = new ArrayList<String>(); + + Map<String, String> allOAs = moaAuthConfig.getConfigurationWithWildCard( MOAIDConfigurationConstants.PREFIX_MOAID_SERVICES + ".%." + MOAIDConfigurationConstants.SERVICE_UNIQUEIDENTIFIER); @@ -430,71 +120,56 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider ISPConfiguration oaParam = authConfig.getServiceProviderConfiguration(oaKeyPair.getValue()); if (oaParam != null) { String metadataurl = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_URL); - String oaFriendlyName = oaParam.getUniqueIdentifier(); - MetadataProvider httpProvider = null; - - try { - String certBase64 = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE); - if (MiscUtil.isNotEmpty(certBase64) && MiscUtil.isNotEmpty(metadataurl)) { - byte[] cert = Base64Utils.decode(certBase64, false); - - - if (timer == null) - timer = new Timer(true); - - Logger.info("Loading metadata for: " + oaFriendlyName); - if (!providersinuse.containsKey(metadataurl)) { - httpProvider = createNewMoaMetadataProvider( - metadataurl, - buildMetadataFilterChain(oaParam, metadataurl, cert), - oaFriendlyName, - timer, - new BasicParserPool()); + if (MiscUtil.isNotEmpty(metadataurl)) + metadataURLs.add(metadataurl); + else + Logger.trace("OA: " + oaParam.getUniqueIdentifier() + " has NO PVP2 metadata URL"); - if (httpProvider != null) - providersinuse.put(metadataurl, httpProvider); - - } else { - Logger.info(metadataurl + " are already added."); - } - - } else { - Logger.info(oaFriendlyName - + " is not a PVP2 Application skipping"); - } - } catch (Throwable e) { - Logger.error( - "Failed to add Metadata (unhandled reason: " - + e.getMessage(), e); - - if (httpProvider != null && httpProvider instanceof BaseMetadataProvider) { - Logger.debug("Destroy failed Metadata provider"); - ((BaseMetadataProvider)httpProvider).destroy(); - - } - } - } + } else + Logger.warn("Something is suspect! OA is in Set of OAs, but no specific OA configuration is found."); } - } else - Logger.info("No Online-Application configuration found. PVP 2.1 metadata provider initialization failed!"); - - try { - chainProvider.setProviders(new ArrayList<MetadataProvider>(providersinuse.values())); + } else + Logger.debug("No OA configuration found."); + + return metadataURLs; + } - } catch (MetadataProviderException e) { - Logger.error( - "Failed to add Metadata (unhandled reason: " - + e.getMessage(), e); + private HttpClient createHttpClient(String metadataURL) { + MOAHttpClient httpClient = new MOAHttpClient(); + HttpClientParams httpClientParams = new HttpClientParams(); + httpClientParams.setSoTimeout(AuthConfiguration.CONFIG_PROPS_METADATA_SOCKED_TIMEOUT); + httpClient.setParams(httpClientParams); + + if (metadataURL.startsWith("https:")) { + try { + //FIX: change hostname validation default flag to true when httpClient is updated to > 4.4 + MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( + PVPConstants.SSLSOCKETFACTORYNAME, + moaAuthConfig.getTrustedCACertificates(), + null, + AuthConfiguration.DEFAULT_X509_CHAININGMODE, + moaAuthConfig.isTrustmanagerrevoationchecking(), + moaAuthConfig.getRevocationMethodOrder(), + moaAuthConfig.getBasicMOAIDConfigurationBoolean( + AuthConfiguration.PROP_KEY_SSL_HOSTNAME_VALIDATION, false)); + + httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory); + + } catch (MOAHttpProtocolSocketFactoryException | MalformedURLException e) { + Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.", e); + + } } - internalProvider = chainProvider; + return httpClient; } - - private PVPMetadataFilterChain buildMetadataFilterChain(ISPConfiguration oaParam, String metadataURL, byte[] certificate) throws CertificateException, ConfigurationException { - PVPMetadataFilterChain filterChain = new PVPMetadataFilterChain(metadataURL, certificate); - filterChain.getFilters().add(new SchemaValidationFilter()); + + private MetadataFilterChain buildMetadataFilterChain(ISPConfiguration oaParam, String metadataURL, byte[] certificate) throws CertificateException{ + MetadataFilterChain filterChain = new MetadataFilterChain(); + filterChain.getFilters().add(new SchemaValidationFilter(moaAuthConfig.isPVPSchemaValidationActive())); + filterChain.getFilters().add(new MetadataSignatureFilter(metadataURL, certificate)); filterChain.getFilters().add( new PVPEntityCategoryFilter(authConfig.getBasicMOAIDConfigurationBoolean( AuthConfiguration.PROP_KEY_PROTOCOL_PVP_METADATA_ENTITYCATEGORY_RESOLVER, @@ -511,116 +186,4 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider return filterChain; } - public boolean requireValidMetadata() { - return internalProvider.requireValidMetadata(); - } - - public void setRequireValidMetadata(boolean requireValidMetadata) { - internalProvider.setRequireValidMetadata(requireValidMetadata); - } - - public MetadataFilter getMetadataFilter() { - return internalProvider.getMetadataFilter(); - } - - public void setMetadataFilter(MetadataFilter newFilter) - throws MetadataProviderException { - internalProvider.setMetadataFilter(newFilter); - } - - public XMLObject getMetadata() throws MetadataProviderException { - return internalProvider.getMetadata(); - } - - public EntitiesDescriptor getEntitiesDescriptor(String entitiesID) - throws MetadataProviderException { - EntitiesDescriptor entitiesDesc = null; - try { - entitiesDesc = internalProvider.getEntitiesDescriptor(entitiesID); - - if (entitiesDesc == null) { - Logger.debug("Can not find PVP metadata for entityID: " + entitiesID - + " Start refreshing process ..."); - if (refreshMetadataProvider(entitiesID)) - return internalProvider.getEntitiesDescriptor(entitiesID); - - } - - } catch (MetadataProviderException e) { - Logger.debug("Can not find PVP metadata for entityID: " + entitiesID - + " Start refreshing process ..."); - if (refreshMetadataProvider(entitiesID)) - return internalProvider.getEntitiesDescriptor(entitiesID); - - } - - return entitiesDesc; - } - - public EntityDescriptor getEntityDescriptor(String entityID) - throws MetadataProviderException { - EntityDescriptor entityDesc = null; - try { - entityDesc = internalProvider.getEntityDescriptor(entityID); - if (entityDesc == null) { - Logger.debug("Can not find PVP metadata for entityID: " + entityID - + " Start refreshing process ..."); - if (refreshMetadataProvider(entityID)) - return internalProvider.getEntityDescriptor(entityID); - - } - - } catch (MetadataProviderException e) { - Logger.debug("Can not find PVP metadata for entityID: " + entityID - + " Start refreshing process ..."); - if (refreshMetadataProvider(entityID)) - return internalProvider.getEntityDescriptor(entityID); - - } - -// if (entityDesc != null) -// lastAccess.put(entityID, new Date()); - - return entityDesc; - } - - public List<RoleDescriptor> getRole(String entityID, QName roleName) - throws MetadataProviderException { - List<RoleDescriptor> result = internalProvider.getRole(entityID, roleName); - -// if (result != null) -// lastAccess.put(entityID, new Date()); - - return result; - } - - public RoleDescriptor getRole(String entityID, QName roleName, - String supportedProtocol) throws MetadataProviderException { - RoleDescriptor result = internalProvider.getRole(entityID, roleName, supportedProtocol); - -// if (result != null) -// lastAccess.put(entityID, new Date()); - - return result; - } - - /* (non-Javadoc) - * @see org.opensaml.saml2.metadata.provider.ObservableMetadataProvider#getObservers() - */ - @Override - public List<Observer> getObservers() { - return ((ChainingMetadataProvider) internalProvider).getObservers(); - } - - protected void emitChangeEvent() { - if ((getObservers() == null) || (getObservers().size() == 0)) { - return; - } - - List<Observer> tempObserverList = new ArrayList<Observer>(getObservers()); - for (ObservableMetadataProvider.Observer observer : tempObserverList) - if (observer != null) - observer.onEvent(this); - } - } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java deleted file mode 100644 index c87b7515f..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java +++ /dev/null @@ -1,257 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.metadata; - -import java.io.File; -import java.net.MalformedURLException; -import java.util.Timer; - -import javax.net.ssl.SSLHandshakeException; - -import org.apache.commons.httpclient.MOAHttpClient; -import org.apache.commons.httpclient.params.HttpClientParams; -import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider; -import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider; -import org.opensaml.saml2.metadata.provider.MetadataFilter; -import org.opensaml.saml2.metadata.provider.MetadataProvider; -import org.opensaml.xml.parse.ParserPool; -import org.springframework.beans.factory.annotation.Autowired; - -import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; -import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; -import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.FileUtils; - -/** - * @author tlenz - * - */ -public abstract class SimpleMOAMetadataProvider implements MetadataProvider{ - - private static final String URI_PREFIX_HTTP = "http:"; - private static final String URI_PREFIX_HTTPS = "https:"; - private static final String URI_PREFIX_FILE = "file:"; - - - @Autowired - //protected IConfiguration authConfig; - protected AuthConfiguration authConfig; - - /** - * Create a single SAML2 MOA specific metadata provider - * - * @param metadataLocation where the metadata should be loaded, but never null. If the location starts with http(s):, than a http - * based metadata provider is used. If the location starts with file:, than a filesystem based metadata provider is used - * @param filter Filters, which should be used to validate the metadata - * @param IdForLogging Id, which is used for Logging - * @param timer {@link Timer} which is used to schedule metadata refresh operations - * - * @return SAML2 Metadata Provider, or null if the metadata provider can not initialized - */ - protected MetadataProvider createNewMoaMetadataProvider(String metadataLocation, MetadataFilter filter, - String IdForLogging, Timer timer, ParserPool pool) { - if (metadataLocation.startsWith(URI_PREFIX_HTTP) || metadataLocation.startsWith(URI_PREFIX_HTTPS)) - return createNewHTTPMetaDataProvider(metadataLocation, filter, IdForLogging, timer, pool); - - else { - String absoluteMetadataLocation; - try { - absoluteMetadataLocation = FileUtils.makeAbsoluteURL( - metadataLocation, - authConfig.getConfigurationRootDirectory().toURL().toString()); - - if (absoluteMetadataLocation.startsWith(URI_PREFIX_FILE)) { - File metadataFile = new File(absoluteMetadataLocation); - if (metadataFile.exists()) - return createNewFileSystemMetaDataProvider(metadataFile, filter, IdForLogging, timer, pool); - - else { - Logger.warn("SAML2 metadata file: " + absoluteMetadataLocation + " not found or not exist"); - return null; - } - - } - - - } catch (MalformedURLException e) { - Logger.warn("SAML2 metadata URL is invalid: " + metadataLocation, e); - - } - - } - - Logger.warn("SAML2 metadata has an unsupported metadata location prefix: " + metadataLocation); - return null; - - } - - - /** - * Create a single SAML2 filesystem based metadata provider - * - * @param metadataFile File, where the metadata should be loaded - * @param filter Filters, which should be used to validate the metadata - * @param IdForLogging Id, which is used for Logging - * @param timer {@link Timer} which is used to schedule metadata refresh operations - * @param pool - * - * @return SAML2 Metadata Provider - */ - private MetadataProvider createNewFileSystemMetaDataProvider(File metadataFile, MetadataFilter filter, String IdForLogging, Timer timer, ParserPool pool) { - FilesystemMetadataProvider fileSystemProvider = null; - try { - fileSystemProvider = new FilesystemMetadataProvider(timer, metadataFile); - fileSystemProvider.setParserPool(pool); - fileSystemProvider.setRequireValidMetadata(true); - fileSystemProvider.setMinRefreshDelay(1000*60*15); //15 minutes - fileSystemProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours - //httpProvider.setRefreshDelayFactor(0.1F); - - fileSystemProvider.setMetadataFilter(filter); - fileSystemProvider.initialize(); - - fileSystemProvider.setRequireValidMetadata(true); - - return fileSystemProvider; - - } catch (Exception e) { - Logger.warn( - "Failed to load Metadata file for " - + IdForLogging + "[ " - + "File: " + metadataFile.getAbsolutePath() - + " Msg: " + e.getMessage() + " ]", e); - - - Logger.warn("Can not initialize SAML2 metadata provider from filesystem: " + metadataFile.getAbsolutePath() - + " Reason: " + e.getMessage(), e); - - if (fileSystemProvider != null) - fileSystemProvider.destroy(); - - } - - return null; - - } - - - - /** - * Create a single SAML2 HTTP metadata provider - * - * @param metadataURL URL, where the metadata should be loaded - * @param filter Filters, which should be used to validate the metadata - * @param IdForLogging Id, which is used for Logging - * @param timer {@link Timer} which is used to schedule metadata refresh operations - * @param pool - * - * @return SAML2 Metadata Provider - */ - private MetadataProvider createNewHTTPMetaDataProvider(String metadataURL, MetadataFilter filter, String IdForLogging, Timer timer, ParserPool pool) { - HTTPMetadataProvider httpProvider = null; - //Timer timer= null; - MOAHttpClient httpClient = null; - try { - httpClient = new MOAHttpClient(); - - HttpClientParams httpClientParams = new HttpClientParams(); - httpClientParams.setSoTimeout(AuthConfiguration.CONFIG_PROPS_METADATA_SOCKED_TIMEOUT); - httpClient.setParams(httpClientParams); - - if (metadataURL.startsWith("https:")) { - try { - //FIX: change hostname validation default flag to true when httpClient is updated to > 4.4 - MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( - PVPConstants.SSLSOCKETFACTORYNAME, - authConfig.getTrustedCACertificates(), - null, - AuthConfiguration.DEFAULT_X509_CHAININGMODE, - authConfig.isTrustmanagerrevoationchecking(), - authConfig.getRevocationMethodOrder(), - authConfig.getBasicMOAIDConfigurationBoolean( - AuthConfiguration.PROP_KEY_SSL_HOSTNAME_VALIDATION, false)); - - httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory); - - } catch (MOAHttpProtocolSocketFactoryException e) { - Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore."); - - } - } - -// timer = new Timer(true); - httpProvider = new HTTPMetadataProvider(timer, httpClient, - metadataURL); - httpProvider.setParserPool(pool); - httpProvider.setRequireValidMetadata(true); - httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes - httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours - //httpProvider.setRefreshDelayFactor(0.1F); - - httpProvider.setMetadataFilter(filter); - httpProvider.initialize(); - - httpProvider.setRequireValidMetadata(true); - - return httpProvider; - - } catch (Throwable e) { - if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) { - Logger.warn("SSL-Server certificate for metadata " - + metadataURL + " not trusted.", e); - - } if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) { - Logger.warn("Signature verification for metadata" - + metadataURL + " FAILED.", e); - - } if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) { - Logger.warn("Schema validation for metadata " - + metadataURL + " FAILED.", e); - } - - Logger.warn( - "Failed to load Metadata file for " - + IdForLogging + "[ " - + e.getMessage() + " ]", e); - - if (httpProvider != null) { - Logger.debug("Destroy failed Metadata provider"); - httpProvider.destroy(); - } - -// if (timer != null) { -// Logger.debug("Destroy Timer."); -// timer.cancel(); -// } - - - } - - return null; - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java deleted file mode 100644 index dd94e0093..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java +++ /dev/null @@ -1,218 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.signer; - -import java.security.KeyStore; -import java.security.PrivateKey; -import java.security.interfaces.ECPrivateKey; -import java.security.interfaces.RSAPrivateKey; - -import org.opensaml.xml.security.credential.Credential; -import org.opensaml.xml.security.credential.UsageType; -import org.opensaml.xml.security.x509.X509Credential; -import org.opensaml.xml.signature.Signature; -import org.opensaml.xml.signature.SignatureConstants; - -import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; -import at.gv.egovernment.moa.id.opemsaml.MOAKeyStoreX509CredentialAdapter; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.KeyStoreUtils; -import at.gv.egovernment.moa.util.MiscUtil; - -public abstract class AbstractCredentialProvider { - - private KeyStore keyStore = null; - - /** - * Get a friendlyName for this keyStore implementation - * This friendlyName is used for logging - * - * @return keyStore friendlyName - */ - public abstract String getFriendlyName(); - - /** - * Get KeyStore - * - * @return URL to the keyStore - * @throws ConfigurationException - */ - public abstract String getKeyStoreFilePath() throws ConfigurationException; - - /** - * Get keyStore password - * - * @return Password of the keyStore - */ - public abstract String getKeyStorePassword(); - - /** - * Get alias of key for metadata signing - * - * @return key alias - */ - public abstract String getMetadataKeyAlias(); - - /** - * Get password of key for metadata signing - * - * @return key password - */ - public abstract String getMetadataKeyPassword(); - - /** - * Get alias of key for request/response signing - * - * @return key alias - */ - public abstract String getSignatureKeyAlias(); - - /** - * Get password of key for request/response signing - * - * @return key password - */ - public abstract String getSignatureKeyPassword(); - - /** - * Get alias of key for IDP response encryption - * - * @return key alias - */ - public abstract String getEncryptionKeyAlias(); - - /** - * Get password of key for IDP response encryption - * - * @return key password - */ - public abstract String getEncryptionKeyPassword(); - - - public X509Credential getIDPMetaDataSigningCredential() - throws CredentialsNotAvailableException { - try { - - if (keyStore == null) - keyStore = KeyStoreUtils.loadKeyStore(getKeyStoreFilePath(), - getKeyStorePassword()); - - MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter( - keyStore, getMetadataKeyAlias(), getMetadataKeyPassword().toCharArray()); - - credentials.setUsageType(UsageType.SIGNING); - if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) { - Logger.error(getFriendlyName() + " Metadata Signing credentials is not found or contains no PrivateKey."); - throw new CredentialsNotAvailableException("config.27", new Object[]{getFriendlyName() + " Assertion Signing credentials (Alias: " - + getMetadataKeyAlias() + ") is not found or contains no PrivateKey."}); - - } - return credentials; - } catch (Exception e) { - Logger.error("Failed to generate " + getFriendlyName() + " Metadata Signing credentials"); - e.printStackTrace(); - throw new CredentialsNotAvailableException("config.27", new Object[]{e.getMessage()}, e); - } - } - - public X509Credential getIDPAssertionSigningCredential() - throws CredentialsNotAvailableException { - try { - if (keyStore == null) - keyStore = KeyStoreUtils.loadKeyStore(getKeyStoreFilePath(), - getKeyStorePassword()); - - MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter( - keyStore, getSignatureKeyAlias(), getSignatureKeyPassword().toCharArray()); - - credentials.setUsageType(UsageType.SIGNING); - if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) { - Logger.error(getFriendlyName() + " Assertion Signing credentials is not found or contains no PrivateKey."); - throw new CredentialsNotAvailableException("config.27", new Object[]{getFriendlyName() + " Assertion Signing credentials (Alias: " - + getSignatureKeyAlias() + ") is not found or contains no PrivateKey."}); - - } - - return (X509Credential) credentials; - } catch (Exception e) { - Logger.error("Failed to generate " + getFriendlyName() + " Assertion Signing credentials"); - e.printStackTrace(); - throw new CredentialsNotAvailableException("config.27", new Object[]{e.getMessage()}, e); - } - } - - public X509Credential getIDPAssertionEncryptionCredential() - throws CredentialsNotAvailableException { - try { - if (keyStore == null) - keyStore = KeyStoreUtils.loadKeyStore(getKeyStoreFilePath(), - getKeyStorePassword()); - - //if no encryption key is configured return null - if (MiscUtil.isEmpty(getEncryptionKeyAlias())) - return null; - - MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter( - keyStore, getEncryptionKeyAlias(), getEncryptionKeyPassword().toCharArray()); - - credentials.setUsageType(UsageType.ENCRYPTION); - - if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) { - Logger.error(getFriendlyName() + " Assertion Encryption credentials is not found or contains no PrivateKey."); - throw new CredentialsNotAvailableException("config.27", new Object[]{getFriendlyName() + " Assertion Encryption credentials (Alias: " - + getEncryptionKeyAlias() + ") is not found or contains no PrivateKey."}); - - } - - return (X509Credential) credentials; - - } catch (Exception e) { - Logger.error("Failed to generate " + getFriendlyName() + " Assertion Encryption credentials"); - e.printStackTrace(); - throw new CredentialsNotAvailableException("config.27", new Object[]{e.getMessage()}, e); - } - } - - public static Signature getIDPSignature(Credential credentials) { - PrivateKey privatekey = credentials.getPrivateKey(); - Signature signer = SAML2Utils.createSAMLObject(Signature.class); - - if (privatekey instanceof RSAPrivateKey) { - signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); - - } else if (privatekey instanceof ECPrivateKey) { - signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256); - - } else { - Logger.warn("Could NOT evaluate the Private-Key type from " + credentials.getEntityId() + " credential."); - - - } - - signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); - signer.setSigningCredential(credentials); - return signer; - - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialsNotAvailableException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialsNotAvailableException.java deleted file mode 100644 index 85de666c9..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialsNotAvailableException.java +++ /dev/null @@ -1,44 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.signer; - -import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; - -public class CredentialsNotAvailableException extends MOAIDException { - - public CredentialsNotAvailableException(String messageId, - Object[] parameters) { - super(messageId, parameters); - } - - public CredentialsNotAvailableException(String messageId, - Object[] parameters, Throwable e) { - super(messageId, parameters, e); - } - - /** - * - */ - private static final long serialVersionUID = -2564476345552842599L; - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/IDPCredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/IDPCredentialProvider.java index ebaef348c..389d97b18 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/IDPCredentialProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/IDPCredentialProvider.java @@ -25,14 +25,14 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.signer; import java.util.Properties; import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Service; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; +import at.gv.egiz.eaaf.core.impl.utils.FileUtils; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; -import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; -import at.gv.egovernment.moa.util.FileUtils; import at.gv.egovernment.moa.util.MiscUtil; -@Service("IDPCredentialProvider") +//@Service("PVPIDPCredentialProvider") public class IDPCredentialProvider extends AbstractCredentialProvider { public static final String IDP_JAVAKEYSTORE = "idp.ks.file"; public static final String IDP_KS_PASS = "idp.ks.kspassword"; @@ -54,7 +54,7 @@ public class IDPCredentialProvider extends AbstractCredentialProvider { * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getKeyStoreFilePath() */ @Override - public String getKeyStoreFilePath() throws ConfigurationException { + public String getKeyStoreFilePath() throws EAAFException { if (props == null) props = authConfig.getGeneralPVP2ProperiesConfig(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/SAMLSigner.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/SAMLSigner.java deleted file mode 100644 index ef64efb56..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/SAMLSigner.java +++ /dev/null @@ -1,27 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.signer; - -public class SAMLSigner { - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java deleted file mode 100644 index 9d585bc86..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ /dev/null @@ -1,292 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.utils; - -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Collection; -import java.util.Date; -import java.util.HashMap; -import java.util.List; -import java.util.Map; -import java.util.Set; - -import org.opensaml.saml2.core.Assertion; -import org.opensaml.saml2.core.Attribute; -import org.opensaml.saml2.core.AttributeStatement; -import org.opensaml.saml2.core.AuthnContextClassRef; -import org.opensaml.saml2.core.AuthnStatement; -import org.opensaml.saml2.core.Response; -import org.opensaml.saml2.core.StatusResponseType; -import org.opensaml.saml2.core.Subject; -import org.opensaml.xml.XMLObject; - -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MiscUtil; - -public class AssertionAttributeExtractor { - - private Assertion assertion = null; - private Map<String, List<String>> attributs = new HashMap<String, List<String>>(); - //private PersonalAttributeList storkAttributes = new PersonalAttributeList(); - - private final List<String> minimalMDSAttributeNamesList = Arrays.asList( - PVPConstants.PRINCIPAL_NAME_NAME, - PVPConstants.GIVEN_NAME_NAME, - PVPConstants.BIRTHDATE_NAME, - PVPConstants.BPK_NAME); - - private final List<String> minimalIDLAttributeNamesList = Arrays.asList( - PVPConstants.EID_IDENTITY_LINK_NAME, - PVPConstants.EID_SOURCE_PIN_NAME, - PVPConstants.EID_SOURCE_PIN_TYPE_NAME); - - /** - * Parse the SAML2 Response element and extracts included information - * <br><br> - * <b>INFO:</b> Actually, only the first SAML2 Assertion of the SAML2 Response is used! - * - * @param samlResponse SAML2 Response - * @throws AssertionAttributeExtractorExeption - */ - public AssertionAttributeExtractor(StatusResponseType samlResponse) throws AssertionAttributeExtractorExeption { - if (samlResponse != null && samlResponse instanceof Response) { - List<Assertion> assertions = ((Response) samlResponse).getAssertions(); - if (assertions.size() == 0) - throw new AssertionAttributeExtractorExeption("Assertion"); - - else if (assertions.size() > 1) - Logger.warn("Found more then ONE PVP2.1 assertions. Only the First is used."); - - assertion = assertions.get(0); - - if (assertion.getAttributeStatements() != null && - assertion.getAttributeStatements().size() > 0) { - AttributeStatement attrStat = assertion.getAttributeStatements().get(0); - for (Attribute attr : attrStat.getAttributes()) { - if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) { - List<String> storkAttrValues = new ArrayList<String>(); - for (XMLObject el : attr.getAttributeValues()) - storkAttrValues.add(el.getDOM().getTextContent()); - -// PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(), -// false, storkAttrValues , "Available"); -// storkAttributes.put(attr.getName(), storkAttr ); - - } else { - List<String> attrList = new ArrayList<String>(); - for (XMLObject el : attr.getAttributeValues()) - attrList.add(el.getDOM().getTextContent()); - - attributs.put(attr.getName(), attrList); - - } - } - - } - - } else - throw new AssertionAttributeExtractorExeption(); - } - - /** - * Get all SAML2 attributes from first SAML2 AttributeStatement element - * - * @return List of SAML2 Attributes - */ - public List<Attribute> getAllResponseAttributesFromFirstAttributeStatement() { - return assertion.getAttributeStatements().get(0).getAttributes(); - - } - - /** - * Get all SAML2 attributes of specific SAML2 AttributeStatement element - * - * @param attrStatementID List ID of the AttributeStatement element - * @return List of SAML2 Attributes - */ - public List<Attribute> getAllResponseAttributes(int attrStatementID) { - return assertion.getAttributeStatements().get(attrStatementID).getAttributes(); - - } - - /** - * check attributes from assertion with minimal required attribute list - * @return - */ - public boolean containsAllRequiredAttributes() { - return containsAllRequiredAttributes(minimalMDSAttributeNamesList) - || containsAllRequiredAttributes(minimalIDLAttributeNamesList); - - } - - /** - * check attributes from assertion with attributeNameList - * bPK or enc_bPK are always needed - * - * @param List of attributes which are required - * - * @return - */ - public boolean containsAllRequiredAttributes(Collection<String> attributeNameList) { - - //first check if a bPK or an encrypted bPK is available - boolean flag = true; - for (String attr : attributeNameList) { - if (!attributs.containsKey(attr)) { - flag = false; - Logger.debug("Assertion contains no Attribute " + attr); - - } - - } - - if (flag) - return flag; - - else { - Logger.debug("Assertion contains no all minimum attributes from: " + attributeNameList.toString()); - return false; - - } - } - - public boolean containsAttribute(String attributeName) { - return attributs.containsKey(attributeName); - - } - - public String getSingleAttributeValue(String attributeName) { - if (attributs.containsKey(attributeName) && attributs.get(attributeName).size() > 0) - return attributs.get(attributeName).get(0); - else - return null; - - } - - public List<String> getAttributeValues(String attributeName) { - return attributs.get(attributeName); - - } - - /** - * Return all include PVP attribute names - * - * @return - */ - public Set<String> getAllIncludeAttributeNames() { - return attributs.keySet(); - - } - -// public PersonalAttributeList getSTORKAttributes() { -// return storkAttributes; -// } - - - public String getNameID() throws AssertionAttributeExtractorExeption { - if (assertion.getSubject() != null) { - Subject subject = assertion.getSubject(); - - if (subject.getNameID() != null) { - if (MiscUtil.isNotEmpty(subject.getNameID().getValue())) - return subject.getNameID().getValue(); - - else - Logger.error("SAML2 NameID Element is empty."); - } - } - - throw new AssertionAttributeExtractorExeption("nameID"); - } - - public String getSessionIndex() throws AssertionAttributeExtractorExeption { - AuthnStatement authn = getAuthnStatement(); - - if (MiscUtil.isNotEmpty(authn.getSessionIndex())) - return authn.getSessionIndex(); - - else - throw new AssertionAttributeExtractorExeption("SessionIndex"); - } - - /** - * @return - * @throws AssertionAttributeExtractorExeption - */ - public String getQAALevel() throws AssertionAttributeExtractorExeption { - AuthnStatement authn = getAuthnStatement(); - if (authn.getAuthnContext() != null && authn.getAuthnContext().getAuthnContextClassRef() != null) { - AuthnContextClassRef qaaClass = authn.getAuthnContext().getAuthnContextClassRef(); - - if (MiscUtil.isNotEmpty(qaaClass.getAuthnContextClassRef())) - return qaaClass.getAuthnContextClassRef(); - - else - throw new AssertionAttributeExtractorExeption("AuthnContextClassRef (QAALevel)"); - } - - throw new AssertionAttributeExtractorExeption("AuthnContextClassRef"); - } - - public Assertion getFullAssertion() { - return assertion; - } - - - /** - * Get the Assertion validTo period - * - * Primarily, the 'SessionNotOnOrAfter' attribute in the SAML2 'AuthnStatment' element is used. - * If this is empty, this method returns value of SAML 'Conditions' element. - * - * @return Date, until this SAML2 assertion is valid - */ - public Date getAssertionNotOnOrAfter() { - if (getFullAssertion().getAuthnStatements() != null - && getFullAssertion().getAuthnStatements().size() > 0) { - for (AuthnStatement el : getFullAssertion().getAuthnStatements()) { - if (el.getSessionNotOnOrAfter() != null) - return (el.getSessionNotOnOrAfter().toDate()); - } - - } - - return getFullAssertion().getConditions().getNotOnOrAfter().toDate(); - - } - - private AuthnStatement getAuthnStatement() throws AssertionAttributeExtractorExeption { - List<AuthnStatement> authnList = assertion.getAuthnStatements(); - if (authnList.size() == 0) - throw new AssertionAttributeExtractorExeption("AuthnStatement"); - - else if (authnList.size() > 1) - Logger.warn("Found more then ONE AuthnStatements in PVP2.1 assertions. Only the First is used."); - - return authnList.get(0); - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java index e02ecb662..d7ada1f36 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java @@ -35,6 +35,7 @@ import org.opensaml.xml.XMLObject; import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.security.SecurityException; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java deleted file mode 100644 index 29dd70545..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java +++ /dev/null @@ -1,145 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.utils; - -import java.io.IOException; -import java.security.NoSuchAlgorithmException; -import java.util.List; - -import javax.xml.namespace.QName; -import javax.xml.parsers.DocumentBuilder; -import javax.xml.parsers.DocumentBuilderFactory; -import javax.xml.parsers.ParserConfigurationException; -import javax.xml.transform.TransformerException; - -import org.opensaml.Configuration; -import org.opensaml.common.impl.SecureRandomIdentifierGenerator; -import org.opensaml.saml2.core.Status; -import org.opensaml.saml2.core.StatusCode; -import org.opensaml.saml2.metadata.AssertionConsumerService; -import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.ws.soap.soap11.Body; -import org.opensaml.ws.soap.soap11.Envelope; -import org.opensaml.xml.XMLObject; -import org.opensaml.xml.XMLObjectBuilderFactory; -import org.opensaml.xml.io.Marshaller; -import org.opensaml.xml.io.MarshallingException; -import org.w3c.dom.Document; - -import at.gv.egiz.eaaf.core.impl.utils.Random; - -public class SAML2Utils { - - public static <T> T createSAMLObject(final Class<T> clazz) { - try { - XMLObjectBuilderFactory builderFactory = Configuration - .getBuilderFactory(); - - QName defaultElementName = (QName) clazz.getDeclaredField( - "DEFAULT_ELEMENT_NAME").get(null); - @SuppressWarnings("unchecked") - T object = (T) builderFactory.getBuilder(defaultElementName) - .buildObject(defaultElementName); - return object; - } catch (Throwable e) { - e.printStackTrace(); - return null; - } - } - - public static String getSecureIdentifier() { - return "_".concat(Random.nextHexRandom16()); - - /*Bug-Fix: There are open problems with RandomNumberGenerator via Java SPI and Java JDK 8.121 - * Generation of a 16bit Random identifier FAILES with an Caused by: java.lang.ArrayIndexOutOfBoundsException - * Caused by: java.lang.ArrayIndexOutOfBoundsException - at iaik.security.random.o.engineNextBytes(Unknown Source) - at iaik.security.random.SecRandomSpi.engineNextBytes(Unknown Source) - at java.security.SecureRandom.nextBytes(SecureRandom.java:468) - at org.opensaml.common.impl.SecureRandomIdentifierGenerator.generateIdentifier(SecureRandomIdentifierGenerator.java:62) - at org.opensaml.common.impl.SecureRandomIdentifierGenerator.generateIdentifier(SecureRandomIdentifierGenerator.java:56) - at at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils.getSecureIdentifier(SAML2Utils.java:69) - */ - //return idGenerator.generateIdentifier(); - } - - private static SecureRandomIdentifierGenerator idGenerator; - - private static DocumentBuilder builder; - static { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); - factory.setNamespaceAware(true); - try { - builder = factory.newDocumentBuilder(); - } catch (ParserConfigurationException e) { - // TODO Auto-generated catch block - e.printStackTrace(); - } - try { - idGenerator = new SecureRandomIdentifierGenerator(); - } catch(NoSuchAlgorithmException e) { - e.printStackTrace(); - } - } - - public static Document asDOMDocument(XMLObject object) throws IOException, - MarshallingException, TransformerException { - Document document = builder.newDocument(); - Marshaller out = Configuration.getMarshallerFactory().getMarshaller( - object); - out.marshall(object, document); - return document; - } - - public static Status getSuccessStatus() { - Status status = SAML2Utils.createSAMLObject(Status.class); - StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class); - statusCode.setValue(StatusCode.SUCCESS_URI); - status.setStatusCode(statusCode); - return status; - } - - public static int getDefaultAssertionConsumerServiceIndex(SPSSODescriptor spSSODescriptor) { - - List<AssertionConsumerService> assertionConsumerList = spSSODescriptor.getAssertionConsumerServices(); - - for (AssertionConsumerService el : assertionConsumerList) { - if (el.isDefault()) - return el.getIndex(); - - } - - return 0; - } - - public static Envelope buildSOAP11Envelope(XMLObject payload) { - XMLObjectBuilderFactory bf = Configuration.getBuilderFactory(); - Envelope envelope = (Envelope) bf.getBuilder(Envelope.DEFAULT_ELEMENT_NAME).buildObject(Envelope.DEFAULT_ELEMENT_NAME); - Body body = (Body) bf.getBuilder(Body.DEFAULT_ELEMENT_NAME).buildObject(Body.DEFAULT_ELEMENT_NAME); - - body.getUnknownXMLObjects().add(payload); - envelope.setBody(body); - - return envelope; - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AbstractRequestSignedSecurityPolicyRule.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AbstractRequestSignedSecurityPolicyRule.java deleted file mode 100644 index 86ca591ee..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AbstractRequestSignedSecurityPolicyRule.java +++ /dev/null @@ -1,187 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.validation; - -import javax.xml.namespace.QName; -import javax.xml.transform.dom.DOMSource; -import javax.xml.validation.Schema; -import javax.xml.validation.Validator; - -import org.opensaml.common.SignableSAMLObject; -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.common.xml.SAMLSchemaBuilder; -import org.opensaml.security.MetadataCriteria; -import org.opensaml.security.SAMLSignatureProfileValidator; -import org.opensaml.ws.message.MessageContext; -import org.opensaml.ws.security.SecurityPolicyException; -import org.opensaml.ws.security.SecurityPolicyRule; -import org.opensaml.xml.XMLObject; -import org.opensaml.xml.security.CriteriaSet; -import org.opensaml.xml.security.credential.UsageType; -import org.opensaml.xml.security.criteria.EntityIDCriteria; -import org.opensaml.xml.security.criteria.UsageCriteria; -import org.opensaml.xml.signature.SignatureTrustEngine; -import org.opensaml.xml.validation.ValidationException; -import org.w3c.dom.Element; -import org.xml.sax.SAXException; - -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MiscUtil; - -/** - * @author tlenz - * - */ -public abstract class AbstractRequestSignedSecurityPolicyRule implements SecurityPolicyRule { - - private SignatureTrustEngine trustEngine = null; - private QName peerEntityRole = null; - /** - * @param peerEntityRole - * - */ - public AbstractRequestSignedSecurityPolicyRule(SignatureTrustEngine trustEngine, QName peerEntityRole) { - this.trustEngine = trustEngine; - this.peerEntityRole = peerEntityRole; - - } - - - /** - * Reload the PVP metadata for a given entity - * - * @param entityID for which the metadata should be refreshed. - * @return true if the refresh was successful, otherwise false - */ - protected abstract boolean refreshMetadataProvider(String entityID); - - - protected abstract SignableSAMLObject getSignedSAMLObject(XMLObject inboundData); - - /* (non-Javadoc) - * @see org.opensaml.ws.security.SecurityPolicyRule#evaluate(org.opensaml.ws.message.MessageContext) - */ - @Override - public void evaluate(MessageContext context) throws SecurityPolicyException { - try { - verifySignature(context); - - } catch (SecurityPolicyException e) { - if (MiscUtil.isEmpty(context.getInboundMessageIssuer())) { - throw e; - - } - Logger.debug("PVP2X message validation FAILED. Reload metadata for entityID: " + context.getInboundMessageIssuer()); - if (!refreshMetadataProvider(context.getInboundMessageIssuer())) - throw e; - - else { - Logger.trace("PVP2X metadata reload finished. Check validate message again."); - verifySignature(context); - - } - Logger.trace("Second PVP2X message validation finished"); - - } - - - } - - private void verifySignature(MessageContext context) throws SecurityPolicyException { - SignableSAMLObject samlObj = getSignedSAMLObject(context.getInboundMessage()); - if (samlObj != null && samlObj.getSignature() != null) { - - SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator(); - try { - profileValidator.validate(samlObj.getSignature()); - performSchemaValidation(samlObj.getDOM()); - - } catch (ValidationException e) { - Logger.warn("Signature is not conform to SAML signature profile", e); - throw new SecurityPolicyException("Signature is not conform to SAML signature profile"); - - } catch (SchemaValidationException e) { - Logger.warn("Signature is not conform to SAML signature profile", e); - throw new SecurityPolicyException("Signature is not conform to SAML signature profile"); - - } - - - - CriteriaSet criteriaSet = new CriteriaSet(); - criteriaSet.add( new EntityIDCriteria(context.getInboundMessageIssuer()) ); - criteriaSet.add( new MetadataCriteria(peerEntityRole, SAMLConstants.SAML20P_NS) ); - criteriaSet.add( new UsageCriteria(UsageType.SIGNING) ); - - try { - if (!trustEngine.validate(samlObj.getSignature(), criteriaSet)) { - throw new SecurityPolicyException("Signature validation FAILED."); - - } - Logger.debug("PVP message signature valid."); - - } catch (org.opensaml.xml.security.SecurityException e) { - Logger.info("PVP2x message signature validation FAILED. Message:" + e.getMessage()); - throw new SecurityPolicyException("Signature validation FAILED."); - - } - - } else { - throw new SecurityPolicyException("PVP Message is not signed."); - - } - - } - - private void performSchemaValidation(Element source) throws SchemaValidationException { - - String err = null; - try { - Schema test = SAMLSchemaBuilder.getSAML11Schema(); - Validator val = test.newValidator(); - val.validate(new DOMSource(source)); - Logger.debug("Schema validation check done OK"); - return; - - } catch (SAXException e) { - err = e.getMessage(); - if (Logger.isDebugEnabled() || Logger.isTraceEnabled()) - Logger.warn("Schema validation FAILED with exception:", e); - else - Logger.warn("Schema validation FAILED with message: "+ e.getMessage()); - - } catch (Exception e) { - err = e.getMessage(); - if (Logger.isDebugEnabled() || Logger.isTraceEnabled()) - Logger.warn("Schema validation FAILED with exception:", e); - else - Logger.warn("Schema validation FAILED with message: "+ e.getMessage()); - - } - - throw new SchemaValidationException("pvp2.22", new Object[]{err}); - - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java deleted file mode 100644 index 7b7ba6883..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java +++ /dev/null @@ -1,62 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.validation; - -import org.opensaml.saml2.core.AuthnRequest; -import org.opensaml.saml2.core.NameID; -import org.opensaml.saml2.core.NameIDPolicy; - -import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException; -import at.gv.egovernment.moaspss.logging.Logger; - -/** - * @author tlenz - * - */ -public class AuthnRequestValidator { - - public static void validate(AuthnRequest req) throws AuthnRequestValidatorException{ - - //validate NameIDPolicy - NameIDPolicy nameIDPolicy = req.getNameIDPolicy(); - if (nameIDPolicy != null) { - String nameIDFormat = nameIDPolicy.getFormat(); - if (nameIDFormat != null) { - if ( !(NameID.TRANSIENT.equals(nameIDFormat) || - NameID.PERSISTENT.equals(nameIDFormat) || - NameID.UNSPECIFIED.equals(nameIDFormat)) ) { - - throw new NameIDFormatNotSupportedException(nameIDFormat); - - } - - } else - Logger.trace("Find NameIDPolicy, but NameIDFormat is 'null'"); - } else - Logger.trace("AuthnRequest includes no 'NameIDPolicy'"); - - - - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/ChainSAMLValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/ChainSAMLValidator.java index a9f9b206e..91de943d5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/ChainSAMLValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/ChainSAMLValidator.java @@ -28,7 +28,8 @@ import java.util.List; import org.opensaml.saml2.core.RequestAbstractType; -import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; +import at.gv.egiz.eaaf.modules.pvp2.api.validation.ISAMLValidator; public class ChainSAMLValidator implements ISAMLValidator { @@ -39,7 +40,7 @@ private List<ISAMLValidator> validator = new ArrayList<ISAMLValidator>(); } public void validateRequest(RequestAbstractType request) - throws MOAIDException { + throws EAAFException { Iterator<ISAMLValidator> validatorIterator = validator.iterator(); while(validatorIterator.hasNext()) { ISAMLValidator validator = validatorIterator.next(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/ISAMLValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/ISAMLValidator.java deleted file mode 100644 index 4f697d986..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/ISAMLValidator.java +++ /dev/null @@ -1,31 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.validation; - -import org.opensaml.saml2.core.RequestAbstractType; - -import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; - -public interface ISAMLValidator { - public void validateRequest(RequestAbstractType request) throws MOAIDException; -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOAPVPSignedRequestPolicyRule.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOAPVPSignedRequestPolicyRule.java deleted file mode 100644 index 7b3f890e9..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOAPVPSignedRequestPolicyRule.java +++ /dev/null @@ -1,81 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.validation; - -import javax.xml.namespace.QName; - -import org.opensaml.common.SignableSAMLObject; -import org.opensaml.saml2.metadata.provider.MetadataProvider; -import org.opensaml.xml.XMLObject; -import org.opensaml.xml.signature.SignatureTrustEngine; - -import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.IMOARefreshableMetadataProvider; -import at.gv.egovernment.moa.logging.Logger; - -/** - * @author tlenz - * - */ -public class MOAPVPSignedRequestPolicyRule extends - AbstractRequestSignedSecurityPolicyRule { - - private IMOARefreshableMetadataProvider metadataProvider = null; - - /** - * @param metadataProvider - * @param trustEngine - * @param peerEntityRole - */ - public MOAPVPSignedRequestPolicyRule(MetadataProvider metadataProvider, SignatureTrustEngine trustEngine, - QName peerEntityRole) { - super(trustEngine, peerEntityRole); - if (metadataProvider instanceof IMOARefreshableMetadataProvider) - this.metadataProvider = (IMOARefreshableMetadataProvider) metadataProvider; - - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.validation.AbstractRequestSignedSecurityPolicyRule#refreshMetadataProvider(java.lang.String) - */ - @Override - protected boolean refreshMetadataProvider(String entityID) { - if (metadataProvider != null) - return metadataProvider.refreshMetadataProvider(entityID); - - return false; - - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.validation.AbstractRequestSignedSecurityPolicyRule#getSignedSAMLObject(org.opensaml.xml.XMLObject) - */ - @Override - protected SignableSAMLObject getSignedSAMLObject(XMLObject inboundData) { - if (inboundData instanceof SignableSAMLObject) - return (SignableSAMLObject) inboundData; - - else - return null; - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java deleted file mode 100644 index efcf21b50..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java +++ /dev/null @@ -1,49 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.validation; - -import org.opensaml.common.binding.SAMLMessageContext; -import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule; -import org.opensaml.ws.transport.http.HTTPInTransport; -import org.opensaml.xml.util.DatatypeHelper; - -/** - * @author tlenz - * - */ -public class MOASAML2AuthRequestSignedRole extends SAML2AuthnRequestsSignedRule { - - @Override - protected boolean isMessageSigned(SAMLMessageContext messageContext) { - // This handles HTTP-Redirect and HTTP-POST-SimpleSign bindings. - HTTPInTransport inTransport = (HTTPInTransport) messageContext.getInboundMessageTransport(); - String sigParam = inTransport.getParameterValue("Signature"); - boolean isSigned = !DatatypeHelper.isEmpty(sigParam); - - String sigAlgParam = inTransport.getParameterValue("SigAlg"); - boolean isSigAlgExists = !DatatypeHelper.isEmpty(sigAlgParam); - - return isSigned && isSigAlgExists; - - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/SAMLSignatureValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/SAMLSignatureValidator.java index 952a6024a..9abaf9330 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/SAMLSignatureValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/SAMLSignatureValidator.java @@ -27,13 +27,14 @@ import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.security.SAMLSignatureProfileValidator; import org.opensaml.xml.validation.ValidationException; -import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSignedException; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; +import at.gv.egiz.eaaf.modules.pvp2.api.validation.ISAMLValidator; +import at.gv.egiz.eaaf.modules.pvp2.idp.exception.SAMLRequestNotSignedException; public class SAMLSignatureValidator implements ISAMLValidator { public void validateRequest(RequestAbstractType request) - throws MOAIDException { + throws EAAFException { if (request.getSignature() == null) { throw new SAMLRequestNotSignedException(); } @@ -48,7 +49,7 @@ public class SAMLSignatureValidator implements ISAMLValidator { } public static void validateSignable(SignableSAMLObject signableObject) - throws MOAIDException { + throws EAAFException { if (signableObject.getSignature() == null) { throw new SAMLRequestNotSignedException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java index d89d04664..e8aa93d43 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java @@ -23,7 +23,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.verification; import java.io.IOException; -import java.util.List; +import java.security.cert.CertificateException; import org.opensaml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml2.metadata.EntityDescriptor; @@ -36,79 +36,34 @@ import org.opensaml.xml.validation.ValidationException; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.idp.exception.SAMLRequestNotSignedException; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; -import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSignedException; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.MiscUtil; +import iaik.x509.X509Certificate; public class EntityVerifier { - public static byte[] fetchSavedCredential(String entityID) { -// List<OnlineApplication> oaList = ConfigurationDBRead -// .getAllActiveOnlineApplications(); - try { - ISPConfiguration oa = AuthConfigurationProviderFactory.getInstance().getServiceProviderConfiguration(entityID); - - if (oa == null) { - Logger.debug("No OnlineApplication with EntityID: " + entityID); - return null; - - } - - String certBase64 = oa.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE); - if (MiscUtil.isNotEmpty(certBase64)) { - return Base64Utils.decode(certBase64, false); - - } - - } catch (ConfigurationException | EAAFConfigurationException e) { - Logger.error("Access MOA-ID configuration FAILED.", e); - - } catch (IOException e) { - Logger.warn("Decoding PVP2X metadata certificate FAILED.", e); - - } - - return null; - } - public static void verify(EntityDescriptor entityDescriptor) - throws MOAIDException { - if (entityDescriptor.getSignature() == null) { - throw new SAMLRequestNotSignedException(); - } - - try { - SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator(); - sigValidator.validate(entityDescriptor.getSignature()); - } catch (ValidationException e) { - Logger.error("Failed to validate Signature", e); - throw new SAMLRequestNotSignedException(e); - } - + throws EAAFException { + Credential credential = getSPTrustedCredential(entityDescriptor.getEntityID()); if (credential == null) { throw new NoCredentialsException(entityDescriptor.getEntityID()); } - - SignatureValidator sigValidator = new SignatureValidator(credential); - try { - sigValidator.validate(entityDescriptor.getSignature()); - } catch (ValidationException e) { - Logger.error("Failed to verfiy Signature", e); - throw new SAMLRequestNotSignedException(e); - } + + verify(entityDescriptor, credential); + } public static void verify(EntityDescriptor entityDescriptor, Credential cred) - throws MOAIDException { + throws EAAFException { if (entityDescriptor.getSignature() == null) { throw new SAMLRequestNotSignedException(); } @@ -131,7 +86,7 @@ public class EntityVerifier { } public static void verify(EntitiesDescriptor entityDescriptor, - Credential cred) throws MOAIDException { + Credential cred) throws EAAFException { if (entityDescriptor.getSignature() == null) { throw new SAMLRequestNotSignedException(); } @@ -153,55 +108,11 @@ public class EntityVerifier { throw new SAMLRequestNotSignedException(e); } } - - public static void verify(EntitiesDescriptor entityDescriptor) - throws MOAIDException { - if (entityDescriptor.getSignature() == null) { - throw new SAMLRequestNotSignedException(); - } - - try { - SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator(); - sigValidator.validate(entityDescriptor.getSignature()); - } catch (ValidationException e) { - Logger.error("Failed to validate Signature", e); - throw new SAMLRequestNotSignedException(e); - } - - List<EntityDescriptor> entities = entityDescriptor - .getEntityDescriptors(); - - if (entities.size() > 0) { - - if (entities.size() > 1) { - Logger.warn("More then one EntityID in Metadatafile with Name " - + entityDescriptor.getName() - + " defined. Actually only the first" - + " entryID is used to select the certificate to perform Metadata verification."); - } - - Credential credential = getSPTrustedCredential(entities.get(0).getEntityID()); - - if (credential == null) { - throw new NoCredentialsException("moaID IDP"); - } - - SignatureValidator sigValidator = new SignatureValidator(credential); - try { - sigValidator.validate(entityDescriptor.getSignature()); - - } catch (ValidationException e) { - Logger.error("Failed to verfiy Signature", e); - throw new SAMLRequestNotSignedException(e); - } - } - } - + public static Credential getSPTrustedCredential(String entityID) throws CredentialsNotAvailableException { - iaik.x509.X509Certificate cert = PVPConfiguration.getInstance() - .getTrustEntityCertificate(entityID); + iaik.x509.X509Certificate cert = getTrustEntityCertificate(entityID); if (cert == null) { throw new CredentialsNotAvailableException("ServiceProvider Certificate can not be loaded from Database", null); @@ -214,5 +125,46 @@ public class EntityVerifier { return credential; } + + private static iaik.x509.X509Certificate getTrustEntityCertificate(String entityID) { + + try { + Logger.trace("Load metadata signing certificate for online application " + entityID); + ISPConfiguration oaParam = AuthConfigurationProviderFactory.getInstance().getServiceProviderConfiguration(entityID); + if (oaParam == null) { + Logger.info("Online Application with ID " + entityID + " not found!"); + return null; + } + + String pvp2MetadataCertificateString = + oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE); + if (MiscUtil.isEmpty(pvp2MetadataCertificateString)) { + Logger.info("Online Application with ID " + entityID + " include not PVP2X metadata signing certificate!"); + return null; + + } + + X509Certificate cert = new X509Certificate(Base64Utils.decode(pvp2MetadataCertificateString, false)); + Logger.debug("Metadata signing certificate is loaded for ("+entityID+") is loaded."); + return cert; + + } catch (CertificateException e) { + Logger.warn("Metadata signer certificate is not parsed.", e); + return null; + + } catch (ConfigurationException e) { + Logger.error("Configuration is not accessable.", e); + return null; + + } catch (IOException e) { + Logger.warn("Metadata signer certificate is not decodeable.", e); + return null; + + } catch (EAAFConfigurationException e) { + Logger.error("Configuration is not accessable.", e); + return null; + + } + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java deleted file mode 100644 index 50bc7fb68..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java +++ /dev/null @@ -1,197 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.verification; - -import javax.xml.namespace.QName; -import javax.xml.transform.dom.DOMSource; -import javax.xml.validation.Schema; -import javax.xml.validation.Validator; - -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.common.xml.SAMLSchemaBuilder; -import org.opensaml.saml2.core.RequestAbstractType; -import org.opensaml.saml2.core.StatusResponseType; -import org.opensaml.saml2.metadata.IDPSSODescriptor; -import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.security.MetadataCriteria; -import org.opensaml.security.SAMLSignatureProfileValidator; -import org.opensaml.xml.security.CriteriaSet; -import org.opensaml.xml.security.credential.UsageType; -import org.opensaml.xml.security.criteria.EntityIDCriteria; -import org.opensaml.xml.security.criteria.UsageCriteria; -import org.opensaml.xml.signature.SignatureTrustEngine; -import org.opensaml.xml.validation.ValidationException; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Service; -import org.w3c.dom.Element; -import org.xml.sax.SAXException; - -import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; -import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MiscUtil; - -@Service("SAMLVerificationEngine") -public class SAMLVerificationEngine { - - @Autowired(required=true) MOAMetadataProvider metadataProvider; - - public void verify(InboundMessage msg, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception { - try { - if (msg instanceof MOARequest && - ((MOARequest)msg).getSamlRequest() instanceof RequestAbstractType) - verifyRequest(((RequestAbstractType)((MOARequest)msg).getSamlRequest()), sigTrustEngine); - - else - verifyIDPResponse(((MOAResponse)msg).getResponse(), sigTrustEngine); - - } catch (InvalidProtocolRequestException e) { - if (MiscUtil.isEmpty(msg.getEntityID())) { - throw e; - - } - Logger.debug("PVP2X message validation FAILED. Relead metadata for entityID: " + msg.getEntityID()); - - if (metadataProvider == null || !metadataProvider.refreshMetadataProvider(msg.getEntityID())) - throw e; - - else { - Logger.trace("PVP2X metadata reload finished. Check validate message again."); - - if (msg instanceof MOARequest && - ((MOARequest)msg).getSamlRequest() instanceof RequestAbstractType) - verifyRequest(((RequestAbstractType)((MOARequest)msg).getSamlRequest()), sigTrustEngine); - - else - verifyIDPResponse(((MOAResponse)msg).getResponse(), sigTrustEngine); - - } - Logger.trace("Second PVP2X message validation finished"); - } - } - - public void verifyIDPResponse(StatusResponseType samlObj, SignatureTrustEngine sigTrustEngine) throws InvalidProtocolRequestException{ - verifyResponse(samlObj, sigTrustEngine, IDPSSODescriptor.DEFAULT_ELEMENT_NAME); - - } - - public void verifySLOResponse(StatusResponseType samlObj, SignatureTrustEngine sigTrustEngine ) throws InvalidProtocolRequestException { - verifyResponse(samlObj, sigTrustEngine, SPSSODescriptor.DEFAULT_ELEMENT_NAME); - - } - - private void verifyResponse(StatusResponseType samlObj, SignatureTrustEngine sigTrustEngine, QName defaultElementName) throws InvalidProtocolRequestException{ - SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator(); - try { - profileValidator.validate(samlObj.getSignature()); - performSchemaValidation(samlObj.getDOM()); - - } catch (ValidationException e) { - Logger.warn("Signature is not conform to SAML signature profile", e); - throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}, "Signature is not conform to SAML signature profile"); - - } catch (SchemaValidationException e) { - throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}, "SAML response does not fit XML scheme"); - - } - - CriteriaSet criteriaSet = new CriteriaSet(); - criteriaSet.add( new EntityIDCriteria(samlObj.getIssuer().getValue()) ); - criteriaSet.add( new MetadataCriteria(defaultElementName, SAMLConstants.SAML20P_NS) ); - criteriaSet.add( new UsageCriteria(UsageType.SIGNING) ); - - try { - if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) { - throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}, "Signature verification FAILED on SAML response"); - } - } catch (org.opensaml.xml.security.SecurityException e) { - Logger.warn("PVP2x message signature validation FAILED.", e); - throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}, "Signature verification FAILED on SAML response"); - } - } - - public void verifyRequest(RequestAbstractType samlObj, SignatureTrustEngine sigTrustEngine ) throws InvalidProtocolRequestException { - SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator(); - try { - profileValidator.validate(samlObj.getSignature()); - performSchemaValidation(samlObj.getDOM()); - - } catch (ValidationException e) { - Logger.warn("Signature is not conform to SAML signature profile", e); - throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}, "Scheme validation FAILED on SAML request"); - - } catch (SchemaValidationException e) { - throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}, "Scheme verification FAILED on SAML request"); - - } - - CriteriaSet criteriaSet = new CriteriaSet(); - criteriaSet.add( new EntityIDCriteria(samlObj.getIssuer().getValue()) ); - criteriaSet.add( new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS) ); - criteriaSet.add( new UsageCriteria(UsageType.SIGNING) ); - - try { - if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) { - throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}, "Signature verification FAILED on SAML request"); - } - } catch (org.opensaml.xml.security.SecurityException e) { - Logger.warn("PVP2x message signature validation FAILED.", e); - throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}, "Signature verification FAILED on SAML request"); - } - } - - protected void performSchemaValidation(Element source) throws SchemaValidationException { - - String err = null; - try { - Schema test = SAMLSchemaBuilder.getSAML11Schema(); - Validator val = test.newValidator(); - val.validate(new DOMSource(source)); - Logger.debug("Schema validation check done OK"); - return; - - } catch (SAXException e) { - err = e.getMessage(); - if (Logger.isDebugEnabled() || Logger.isTraceEnabled()) - Logger.warn("Schema validation FAILED with exception:", e); - else - Logger.warn("Schema validation FAILED with message: "+ e.getMessage()); - - } catch (Exception e) { - err = e.getMessage(); - if (Logger.isDebugEnabled() || Logger.isTraceEnabled()) - Logger.warn("Schema validation FAILED with exception:", e); - else - Logger.warn("Schema validation FAILED with message: "+ e.getMessage()); - - } - - throw new SchemaValidationException("pvp2.22", new Object[]{err}); - - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngineSP.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngineSP.java index 385fe90fb..d1d8c9368 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngineSP.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngineSP.java @@ -47,11 +47,12 @@ import org.opensaml.xml.validation.ValidationException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; +import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException; +import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SAMLVerificationEngine; +import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionValidationExeption; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException; import at.gv.egovernment.moa.logging.Logger; /** diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java deleted file mode 100644 index 3ea124db6..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java +++ /dev/null @@ -1,87 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.verification; - -import java.util.ArrayList; -import java.util.List; - -import org.opensaml.saml2.metadata.provider.MetadataProvider; -import org.opensaml.security.MetadataCredentialResolver; -import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver; -import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver; -import org.opensaml.xml.security.keyinfo.KeyInfoProvider; -import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider; -import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider; -import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider; -import org.opensaml.xml.signature.SignatureTrustEngine; -import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine; -//import org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine; -//import edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver; - -public class TrustEngineFactory { - -// public static SignatureTrustEngine getSignatureTrustEngine() { -// try { -// MetadataPKIXValidationInformationResolver mdResolver = new MetadataPKIXValidationInformationResolver( -// MOAMetadataProvider.getInstance()); -// -// List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>(); -// keyInfoProvider.add(new DSAKeyValueProvider()); -// keyInfoProvider.add(new RSAKeyValueProvider()); -// keyInfoProvider.add(new InlineX509DataProvider()); -// -// KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver( -// keyInfoProvider); -// -// PKIXSignatureTrustEngine engine = new PKIXSignatureTrustEngine( -// mdResolver, keyInfoResolver); -// -// return engine; -// -// } catch (Exception e) { -// e.printStackTrace(); -// return null; -// } -// } - - public static SignatureTrustEngine getSignatureKnownKeysTrustEngine(MetadataProvider provider) { - MetadataCredentialResolver resolver; - - resolver = new MetadataCredentialResolver(provider); - - List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>(); - keyInfoProvider.add(new DSAKeyValueProvider()); - keyInfoProvider.add(new RSAKeyValueProvider()); - keyInfoProvider.add(new InlineX509DataProvider()); - - KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver( - keyInfoProvider); - - ExplicitKeySignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine( - resolver, keyInfoResolver); - - return engine; - - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java index 589713c4b..57f1c2f9a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java @@ -23,23 +23,20 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; import java.security.cert.CertificateException; -import java.util.ArrayList; -import java.util.Iterator; -import java.util.List; import org.opensaml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.provider.MetadataFilter; -import org.opensaml.xml.XMLObject; +import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.x509.BasicX509Credential; -import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; +import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.AbstractMetadataSignatureFilter; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.EntityVerifier; import at.gv.egovernment.moa.logging.Logger; import iaik.x509.X509Certificate; -public class MetadataSignatureFilter implements MetadataFilter { +public class MetadataSignatureFilter extends AbstractMetadataSignatureFilter { private String metadataURL; private BasicX509Credential savedCredential; @@ -52,111 +49,52 @@ public class MetadataSignatureFilter implements MetadataFilter { savedCredential.setEntityCertificate(cert); } - public void processEntityDescriptorr(EntityDescriptor desc) throws MOAIDException { - -// String entityID = desc.getEntityID(); - - EntityVerifier.verify(desc); - } - - public void processEntitiesDescriptor(EntitiesDescriptor desc) throws MOAIDException { - Iterator<EntitiesDescriptor> entID = desc.getEntitiesDescriptors().iterator(); - - if(desc.getSignature() != null) { - EntityVerifier.verify(desc, this.savedCredential); + @Override + protected void verify(EntityDescriptor desc) throws PVP2MetadataException { + try { + EntityVerifier.verify(desc); + + } catch (EAAFException e) { + Logger.info("PVP2 metadata verification FAILED for entity: " + desc.getEntityID() + + " Reason: " + e.getMessage()); + throw new PVP2MetadataException("PVP2 metadata verification FAILED for entity: " + desc.getEntityID(), null, e); } - while(entID.hasNext()) { - processEntitiesDescriptor(entID.next()); - } - - Iterator<EntityDescriptor> entIT = desc.getEntityDescriptors().iterator(); + } - List<EntityDescriptor> verifiedEntIT = new ArrayList<EntityDescriptor>(); - - //check every Entity - - while(entIT.hasNext()) { - - EntityDescriptor entity = entIT.next(); - - String entityID = entity.getEntityID(); - - //CHECK if Entity also match MetaData signature. - /*This check is necessary to prepend declaration of counterfeit OA metadata!!*/ - Logger.debug("Validate metadata for entityID: " + entityID + " ..... "); - byte[] entityCert = EntityVerifier.fetchSavedCredential(entityID); - - if (entityCert != null) { + @Override + protected void verify(EntitiesDescriptor desc) throws PVP2MetadataException { + try { + EntityVerifier.verify(desc, this.savedCredential); - X509Certificate cert; - try { - cert = new X509Certificate(entityCert); - BasicX509Credential entityCrendential = new BasicX509Credential(); - entityCrendential.setEntityCertificate(cert); - - EntityVerifier.verify(desc, entityCrendential); - - //add entity to verified entity-list - verifiedEntIT.add(entity); - Logger.debug("Metadata for entityID: " + entityID + " valid"); - - - } catch (Exception e) { - - //remove entity of signature can not be verified. - Logger.info("Entity " + entityID + " is removed from metadata " - + desc.getName() + ". Entity verification error: " + e.getMessage()); -// throw new MOAIDException("The App", null, e); - } - - } else { - //remove entity if it is not registrated as OA - Logger.info("Entity " + entityID + " is removed from metadata " - + desc.getName() + ". Entity is not registrated or no certificate is found!"); -// throw new NoCredentialsException("NO Certificate found for OA " + entityID); - } + } catch (EAAFException e) { + Logger.info("PVP2 metadata verification FAILED for metadata from URL: " + metadataURL + + " Reason: " + e.getMessage()); + throw new PVP2MetadataException("PVP2 metadata verification FAILED for metadata from URL: " + metadataURL, null, e); - //TODO: insert to support signed Entity-Elements - //processEntityDescriptorr(entIT.next()); - } + } - //set only verified entity elements - desc.getEntityDescriptors().clear(); - desc.getEntityDescriptors().addAll(verifiedEntIT); } - - public void doFilter(XMLObject metadata) throws SignatureValidationException { + + @Override + protected void verify(EntityDescriptor entity, EntitiesDescriptor entities) throws PVP2MetadataException { try { - if (metadata instanceof EntitiesDescriptor) { - EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata; - if(entitiesDescriptor.getSignature() == null) { - throw new MOAIDException("Root element of metadata file has to be signed", null); - } - processEntitiesDescriptor(entitiesDescriptor); - - - if (entitiesDescriptor.getEntityDescriptors().size() == 0) { - throw new MOAIDException("No valid entity in metadata " - + entitiesDescriptor.getName() + ". Metadata is not loaded.", null); - } - - - } else if (metadata instanceof EntityDescriptor) { - EntityDescriptor entityDescriptor = (EntityDescriptor) metadata; - processEntityDescriptorr(entityDescriptor); + if (entity.isSigned()) { + Logger.debug("EntityDescriptor: " + entity.getEntityID() + " is signed. Starting signature verification ... "); + EntityVerifier.verify(entity); } else { - throw new MOAIDException("Invalid Metadata file Root element is no EntitiesDescriptor", null); + Logger.debug("EntityDescriptor: " + entity.getEntityID() + " is not signed. Verify EntitiesDescriptor by using 'Entity' certificate ... "); + Credential entityCredential = EntityVerifier.getSPTrustedCredential(entity.getEntityID()); + EntityVerifier.verify(entities, entityCredential); + } + } catch (EAAFException e) { + Logger.info("PVP2 metadata verification FAILED for metadata from URL: " + metadataURL + + " Reason: " + e.getMessage()); + throw new PVP2MetadataException("PVP2 metadata verification FAILED for metadata from URL: " + metadataURL, null, e); - - Logger.info("Metadata signature policy check done OK"); - } catch (MOAIDException e) { - Logger.warn("Metadata signature policy check FAILED.", e); - throw new SignatureValidationException(e); } } - } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java deleted file mode 100644 index caabfea30..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java +++ /dev/null @@ -1,230 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; - -import java.util.ArrayList; -import java.util.List; - -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.saml2.common.Extensions; -import org.opensaml.saml2.core.Attribute; -import org.opensaml.saml2.metadata.AttributeConsumingService; -import org.opensaml.saml2.metadata.EntitiesDescriptor; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.LocalizedString; -import org.opensaml.saml2.metadata.RequestedAttribute; -import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.saml2.metadata.ServiceName; -import org.opensaml.saml2.metadata.provider.FilterException; -import org.opensaml.saml2.metadata.provider.MetadataFilter; -import org.opensaml.samlext.saml2mdattr.EntityAttributes; -import org.opensaml.xml.XMLObject; - -import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; -import at.gv.egovernment.moa.id.data.Trible; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; -import at.gv.egovernment.moaspss.logging.Logger; - -/** - * @author tlenz - * - */ -public class PVPEntityCategoryFilter implements MetadataFilter { - - - private boolean isUsed = false; - - /** - * Filter to map PVP EntityCategories into a set of single PVP attributes - * - * @param isUsed if true PVP EntityCategories are mapped, otherwise they are ignored - * - */ - public PVPEntityCategoryFilter(boolean isUsed) { - this.isUsed = isUsed; - } - - - /* (non-Javadoc) - * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject) - */ - @Override - public void doFilter(XMLObject metadata) throws FilterException { - - if (isUsed) { - Logger.trace("Map PVP EntityCategory to single PVP Attributes ... "); - String entityId = null; - try { - if (metadata instanceof EntitiesDescriptor) { - Logger.trace("Find EnitiesDescriptor ... "); - EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata; - if (entitiesDesc.getEntityDescriptors() != null) { - for (EntityDescriptor el : entitiesDesc.getEntityDescriptors()) - resolveEntityCategoriesToAttributes(el); - - } - - } else if (metadata instanceof EntityDescriptor) { - Logger.trace("Find EntityDescriptor"); - resolveEntityCategoriesToAttributes((EntityDescriptor)metadata); - - - } else - throw new MOAIDException("Invalid Metadata file Root element is no Entities- or EntityDescriptor", null); - - - - } catch (Exception e) { - Logger.warn("SAML2 Metadata processing FAILED: Can not resolve EntityCategories for metadata: " + entityId, e); - - } - - } else - Logger.trace("Filter to map PVP EntityCategory to single PVP Attributes is deactivated"); - - } - - private void resolveEntityCategoriesToAttributes(EntityDescriptor metadata) { - Logger.debug("Resolving EntityCategorie for Entity: " + metadata.getEntityID() + " ..."); - Extensions extensions = metadata.getExtensions(); - if (extensions != null) { - List<XMLObject> listOfExt = extensions.getUnknownXMLObjects(); - if (listOfExt != null && !listOfExt.isEmpty()) { - Logger.trace("Find #" + listOfExt.size() + " 'Extension' elements "); - for (XMLObject el : listOfExt) { - Logger.trace("Find ExtensionElement: " + el.getElementQName().toString()); - if (el instanceof EntityAttributes) { - EntityAttributes entityAttrElem = (EntityAttributes)el; - if (entityAttrElem.getAttributes() != null) { - Logger.trace("Find EntityAttributes. Start attribute processing ..."); - for (Attribute entityAttr : entityAttrElem.getAttributes()) { - if (entityAttr.getName().equals(PVPConstants.ENTITY_CATEGORY_ATTRIBITE)) { - if (!entityAttr.getAttributeValues().isEmpty()) { - String entityAttrValue = entityAttr.getAttributeValues().get(0).getDOM().getTextContent(); - if (PVPConstants.EGOVTOKEN.equals(entityAttrValue)) { - Logger.debug("Find 'EGOVTOKEN' EntityAttribute. Adding single pvp attributes ... "); - addAttributesToEntityDescriptor(metadata, - buildAttributeList(PVPConstants.EGOVTOKEN_PVP_ATTRIBUTES), - entityAttrValue); - - - } else if (PVPConstants.CITIZENTOKEN.equals(entityAttrValue)) { - Logger.debug("Find 'CITIZENTOKEN' EntityAttribute. Adding single pvp attributes ... "); - addAttributesToEntityDescriptor(metadata, - buildAttributeList(PVPConstants.CITIZENTOKEN_PVP_ATTRIBUTES), - entityAttrValue); - - } else - Logger.info("EntityAttributeValue: " + entityAttrValue + " is UNKNOWN!"); - - } else - Logger.info("EntityAttribute: No attribute value"); - - } else - Logger.info("EntityAttribute: " + entityAttr.getName() + " is NOT supported"); - - } - - } else - Logger.info("Can NOT resolve EntityAttributes! Reason: Only EntityAttributes are supported!"); - - } - } - - } else - Logger.trace("'Extension' element is 'null' or empty"); - - } else - Logger.trace("No 'Extension' element found"); - - } - - /** - * @param metadata - * @param attrList - */ - private void addAttributesToEntityDescriptor(EntityDescriptor metadata, List<RequestedAttribute> attrList, String entityAttr) { - SPSSODescriptor spSSODesc = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); - if (spSSODesc != null) { - if (spSSODesc.getAttributeConsumingServices() == null || - spSSODesc.getAttributeConsumingServices().isEmpty()) { - Logger.trace("No 'AttributeConsumingServices' found. Added it ..."); - - AttributeConsumingService attributeService = SAML2Utils.createSAMLObject(AttributeConsumingService.class); - attributeService.setIndex(0); - attributeService.setIsDefault(true); - ServiceName serviceName = SAML2Utils.createSAMLObject(ServiceName.class); - serviceName.setName(new LocalizedString("Default Service", "en")); - attributeService.getNames().add(serviceName); - - if (attrList != null && !attrList.isEmpty()) { - attributeService.getRequestAttributes().addAll(attrList); - Logger.info("Add " + attrList.size() + " attributes for 'EntityAttribute': " + entityAttr); - - } - - spSSODesc.getAttributeConsumingServices().add(attributeService); - - } else { - Logger.debug("Find 'AttributeConsumingServices'. Starting updating process ... "); - for (AttributeConsumingService el : spSSODesc.getAttributeConsumingServices()) { - Logger.debug("Update 'AttributeConsumingService' with Index: " + el.getIndex()); - - //load currently requested attributes - List<String> currentlyReqAttr = new ArrayList<String>(); - for (RequestedAttribute reqAttr : el.getRequestAttributes()) - currentlyReqAttr.add(reqAttr.getName()); - - - //check against EntityAttribute List - for (RequestedAttribute entityAttrListEl : attrList) { - if (!currentlyReqAttr.contains(entityAttrListEl.getName())) { - el.getRequestAttributes().add(entityAttrListEl); - - } else - Logger.debug("'AttributeConsumingService' already contains attr: " + entityAttrListEl.getName()); - - } - - } - - } - - } else - Logger.info("Can ONLY add 'EntityAttributes' to 'SPSSODescriptor'"); - - } - - private List<RequestedAttribute> buildAttributeList(List<Trible<String, String, Boolean>> attrSet) { - List<RequestedAttribute> requestedAttributes = new ArrayList<RequestedAttribute>(); - for (Trible<String, String, Boolean> el : attrSet) - requestedAttributes.add(PVPAttributeBuilder.buildReqAttribute(el.getFirst(), el.getSecond(), el.getThird())); - - return requestedAttributes; - - - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPMetadataFilterChain.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPMetadataFilterChain.java deleted file mode 100644 index 4c1da747b..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPMetadataFilterChain.java +++ /dev/null @@ -1,54 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; - -import java.security.cert.CertificateException; - -import at.gv.egovernment.moa.id.saml2.MetadataFilterChain; - -/** - * @author tlenz - * - */ -public class PVPMetadataFilterChain extends MetadataFilterChain { - - - /** - * @throws CertificateException - * - */ - public PVPMetadataFilterChain(String url, byte[] certificate) throws CertificateException { - addDefaultFilters(url, certificate); - } - - public void addDefaultFilters(String url, byte[] certificate) throws CertificateException { - addFilter(new MetadataSignatureFilter(url, certificate)); - - } - - - - - - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java deleted file mode 100644 index 83a2b61d2..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java +++ /dev/null @@ -1,106 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; - -import javax.xml.transform.dom.DOMSource; -import javax.xml.validation.Schema; -import javax.xml.validation.Validator; - -import org.opensaml.common.xml.SAMLSchemaBuilder; -import org.opensaml.saml2.metadata.provider.MetadataFilter; -import org.opensaml.xml.XMLObject; -import org.xml.sax.SAXException; - -import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; -import at.gv.egovernment.moa.logging.Logger; - -/** - * @author tlenz - * - */ -public class SchemaValidationFilter implements MetadataFilter { - - private boolean isActive = true; - - public SchemaValidationFilter() { - try { - isActive = AuthConfigurationProviderFactory.getInstance().isPVPSchemaValidationActive(); - - } catch (ConfigurationException e) { - e.printStackTrace(); - } - } - - /** - * - */ - public SchemaValidationFilter(boolean useSchemaValidation) { - this.isActive = useSchemaValidation; - } - - - /* (non-Javadoc) - * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject) - */ - @Override - public void doFilter(XMLObject arg0) throws SchemaValidationException { - - String errString = null; - - if (isActive) { - try { - Schema test = SAMLSchemaBuilder.getSAML11Schema(); - Validator val = test.newValidator(); - DOMSource source = new DOMSource(arg0.getDOM()); - val.validate(source); - Logger.info("Metadata Schema validation check done OK"); - return; - - } catch (SAXException e) { - if (Logger.isDebugEnabled() || Logger.isTraceEnabled()) - Logger.warn("Metadata Schema validation FAILED with exception:", e); - else - Logger.warn("Metadata Schema validation FAILED with message: "+ e.getMessage()); - - errString = e.getMessage(); - - } catch (Exception e) { - if (Logger.isDebugEnabled() || Logger.isTraceEnabled()) - Logger.warn("Metadata Schema validation FAILED with exception:", e); - else - Logger.warn("Metadata Schema validation FAILED with message: "+ e.getMessage()); - - errString = e.getMessage(); - - } - - throw new SchemaValidationException("Metadata Schema validation FAILED with message: "+ errString); - - } else - Logger.info("Metadata Schema validation check is DEACTIVATED!"); - - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/saml2/MetadataFilterChain.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/saml2/MetadataFilterChain.java deleted file mode 100644 index e7412a0fc..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/saml2/MetadataFilterChain.java +++ /dev/null @@ -1,73 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.saml2; - -import java.util.ArrayList; -import java.util.List; - -import org.opensaml.saml2.metadata.provider.FilterException; -import org.opensaml.saml2.metadata.provider.MetadataFilter; -import org.opensaml.xml.XMLObject; - -import at.gv.egovernment.moa.logging.Logger; - -/** - * @author tlenz - * - */ -public class MetadataFilterChain implements MetadataFilter { - - private List<MetadataFilter> filters = new ArrayList<MetadataFilter>(); - - /** - * Return all actually used Metadata filters - * - * @return List of Metadata filters - */ - public List<MetadataFilter> getFilters() { - return filters; - } - - /** - * Add a new Metadata filter to filterchain - * - * @param filter - */ - public void addFilter(MetadataFilter filter) { - filters.add(filter); - } - - - /* (non-Javadoc) - * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject) - */ - @Override - public void doFilter(XMLObject arg0) throws FilterException { - for (MetadataFilter filter : filters) { - Logger.trace("Use MOAMetadataFilter " + filter.getClass().getName()); - filter.doFilter(arg0); - } - - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java index c5f02e7de..f303adfe5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java @@ -44,6 +44,8 @@ import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface; import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; import at.gv.egiz.eaaf.core.impl.utils.Random; +import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionAttributeExtractorExeption; +import at.gv.egiz.eaaf.modules.pvp2.sp.impl.utils.AssertionAttributeExtractor; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionExtensions; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionWrapper; @@ -60,8 +62,6 @@ import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.commons.utils.JsonMapper; import at.gv.egovernment.moa.id.config.auth.OAAuthParameterDecorator; import at.gv.egovernment.moa.id.data.EncryptedData; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; import at.gv.egovernment.moa.id.util.SessionEncrytionUtil; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java index ff9c4e358..5f2ec046a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java @@ -28,6 +28,8 @@ import java.util.List; import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface; import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; +import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionAttributeExtractorExeption; +import at.gv.egiz.eaaf.modules.pvp2.sp.impl.utils.AssertionAttributeExtractor; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionExtensions; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; @@ -38,8 +40,6 @@ import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionSto import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; /** * @author tlenz diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/LoALevelMapper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/LoALevelMapper.java index 3e3d9dafc..10e22c806 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/LoALevelMapper.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/LoALevelMapper.java @@ -25,6 +25,9 @@ package at.gv.egovernment.moa.id.util; import java.io.IOException; import java.util.Properties; +import org.springframework.stereotype.Service; + +import at.gv.egiz.eaaf.core.api.data.ILoALevelMapper; import at.gv.egovernment.moa.id.data.AuthenticationRole; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -33,7 +36,8 @@ import at.gv.egovernment.moa.util.MiscUtil; * @author tlenz * */ -public class LoALevelMapper { +@Service("MOAIDLoALevelMapper") +public class LoALevelMapper implements ILoALevelMapper{ private static final String PVP_SECCLASS_PREFIX = "http://www.ref.gv.at/ns/names/agiz/pvp/"; private static final String STORK_QAA_PREFIX = "http://www.stork.gov.eu/1.0/"; @@ -46,18 +50,8 @@ public class LoALevelMapper { private static final String MAPPING_EIDAS_PREFIX = "eidas_"; private Properties mapping = null; - - private static LoALevelMapper instance = null; - - public static LoALevelMapper getInstance() { - if (instance == null) { - instance = new LoALevelMapper(); - } - - return instance; - } - - private LoALevelMapper() { + + public LoALevelMapper() { try { mapping = new Properties(); mapping.load(this.getClass().getClassLoader().getResourceAsStream(MAPPING_RESOURCE)); @@ -72,6 +66,43 @@ public class LoALevelMapper { } + public String mapToeIDASLoA(String qaa) { + if (qaa.startsWith(STORK_QAA_PREFIX)) + return mapSTORKQAAToeIDASQAA(qaa); + + else if (qaa.startsWith(PVP_SECCLASS_PREFIX)) + return mapSTORKQAAToeIDASQAA(mapSecClassToQAALevel(qaa)); + + else if (qaa.startsWith(MAPPING_EIDAS_PREFIX)) + return qaa; + + else { + Logger.info("QAA: " + qaa + " is NOT supported by LoA level mapper"); + return null; + + } + + } + + public String mapToSecClass(String qaa) { + if (qaa.startsWith(STORK_QAA_PREFIX)) + return mapStorkQAAToSecClass(qaa); + + else if (qaa.startsWith(MAPPING_EIDAS_PREFIX)) + return mapStorkQAAToSecClass(mapeIDASQAAToSTORKQAA(qaa)); + + else if (qaa.startsWith(PVP_SECCLASS_PREFIX)) + return qaa; + + else { + Logger.info("QAA: " + qaa + " is NOT supported by LoA level mapper"); + return null; + + } + + } + + /** * Map STORK QAA level to eIDAS QAA level * @@ -118,7 +149,7 @@ public class LoALevelMapper { * @param STORK-QAA level * @return PVP SecClass pvpQAALevel */ - public String mapToSecClass(String storkQAALevel) { + public String mapStorkQAAToSecClass(String storkQAALevel) { if (mapping != null) { String input = storkQAALevel.substring(STORK_QAA_PREFIX.length()); String mappedQAA = mapping.getProperty(MAPPING_SECCLASS_PREFIX + input); @@ -137,7 +168,7 @@ public class LoALevelMapper { * @param PVP SecClass pvpQAALevel * @return STORK-QAA level */ - public String mapToQAALevel(String pvpQAALevel) { + public String mapSecClassToQAALevel(String pvpQAALevel) { if (mapping != null) { String input = pvpQAALevel.substring(PVP_SECCLASS_PREFIX.length()); String mappedQAA = mapping.getProperty(input); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/QAALevelVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/QAALevelVerifier.java deleted file mode 100644 index ca71ad946..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/QAALevelVerifier.java +++ /dev/null @@ -1,57 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.util; - -import at.gv.egiz.eaaf.core.api.data.EAAFConstants; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.QAANotAllowedException; -import at.gv.egovernment.moa.logging.Logger; - -/** - * @author tlenz - * - */ -public class QAALevelVerifier { - - public static void verifyQAALevel(String qaaAuth, String qaaRequest) throws QAANotAllowedException { - - if (EAAFConstants.EIDAS_QAA_LOW.equals(qaaRequest) && - (EAAFConstants.EIDAS_QAA_LOW.equals(qaaAuth) || - EAAFConstants.EIDAS_QAA_SUBSTANTIAL.equals(qaaAuth) || - EAAFConstants.EIDAS_QAA_HIGH.equals(qaaAuth)) - ) - Logger.debug("Requesed LoA fits LoA from authentication. Continuingauth process ... "); - - else if (EAAFConstants.EIDAS_QAA_SUBSTANTIAL.equals(qaaRequest) && - (EAAFConstants.EIDAS_QAA_SUBSTANTIAL.equals(qaaAuth) || - EAAFConstants.EIDAS_QAA_HIGH.equals(qaaAuth)) - ) - Logger.debug("Requesed LoA fits LoA from authentication. Continuingauth process ... "); - - else if (EAAFConstants.EIDAS_QAA_HIGH.equals(qaaRequest) && EAAFConstants.EIDAS_QAA_HIGH.equals(qaaAuth)) - Logger.debug("Requesed LoA fits LoA from authentication. Continuingauth process ... "); - - else - throw new QAANotAllowedException(qaaAuth, qaaRequest); - - } -} diff --git a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml index d8565112b..5ccacf350 100644 --- a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml +++ b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml @@ -22,6 +22,30 @@ <context:component-scan base-package="at.gv.egovernment.moa.id.auth.servlet" /> <context:component-scan base-package="at.gv.egovernment.moa.id.protocols" /> + <bean id="PVPIDPCredentialProvider" + class="at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider" /> + + <bean id="PVP2XProtocol" + class="at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol"> + <property name="pvpIDPCredentials"> + <ref bean="PVPIDPCredentialProvider" /> + </property> + </bean> + + <bean id="pvpMetadataService" + class="at.gv.egiz.eaaf.modules.pvp2.idp.impl.MetadataAction"> + <property name="pvpIDPCredentials"> + <ref bean="PVPIDPCredentialProvider" /> + </property> + </bean> + + <bean id="PVPAuthenticationRequestAction" + class="at.gv.egiz.eaaf.modules.pvp2.idp.impl.AuthenticationAction"> + <property name="pvpIDPCredentials"> + <ref bean="PVPIDPCredentialProvider" /> + </property> + </bean> + <bean id="MOAID_AuthenticationManager" class="at.gv.egovernment.moa.id.moduls.AuthenticationManager"/> @@ -50,6 +74,12 @@ <bean id="MOAGarbageCollector" class="at.gv.egovernment.moa.id.auth.MOAGarbageCollector"/> + <bean id="MOAIDLoALevelMapper" + class="at.gv.egovernment.moa.id.util.LoALevelMapper"/> + + <bean id="MOASAML2SubjectNameIDGenerator" + class="at.gv.egovernment.moa.id.auth.builder.MOAIDSubjectNameIdGenerator" /> + <!-- <bean id="taskExecutor" class="org.springframework.scheduling.concurrent.ThreadPoolTaskExecutor"> <property name="corePoolSize" value="5" /> <property name="maxPoolSize" value="10" /> @@ -64,11 +94,7 @@ <bean id="EvaluateBKUSelectionTask" class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.EvaluateBKUSelectionTask" scope="prototype"/> - - <bean id="RestartAuthProzessManagement" - class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.RestartAuthProzessManagement" - scope="prototype"/> - + <bean id="GenerateSSOConsentEvaluatorFrameTask" class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.GenerateSSOConsentEvaluatorFrameTask" scope="prototype"/> diff --git a/id/server/idserverlib/src/test/java/test/MOAIDTestCase.java b/id/server/idserverlib/src/test/java/test/MOAIDTestCase.java index b3a9d367f..b0494534a 100644 --- a/id/server/idserverlib/src/test/java/test/MOAIDTestCase.java +++ b/id/server/idserverlib/src/test/java/test/MOAIDTestCase.java @@ -54,9 +54,9 @@ import javax.xml.transform.TransformerException; import org.w3c.dom.Element; +import at.gv.egiz.eaaf.core.impl.utils.StreamUtils; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; -import at.gv.egovernment.moa.util.StreamUtils; import at.gv.egovernment.moa.util.XPathUtils; import iaik.ixsil.algorithms.Transform; import iaik.ixsil.algorithms.TransformImplExclusiveCanonicalXML; diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/MOAIDAuthInitialiserTest.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/MOAIDAuthInitialiserTest.java index 1cd54d61b..299bbee23 100644 --- a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/MOAIDAuthInitialiserTest.java +++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/MOAIDAuthInitialiserTest.java @@ -50,8 +50,8 @@ import java.security.KeyStore; import java.util.Enumeration; import test.at.gv.egovernment.moa.id.UnitTestCase; +import at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils; import at.gv.egovernment.moa.id.util.SSLUtils; -import at.gv.egovernment.moa.util.KeyStoreUtils; /** * @author Paul Ivancsics |