add chainging filter to MOAMetadataProvider

5 files changed, 190 insertions, 14 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
index 63b91f6d2..fe2117b9c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
@@ -492,11 +492,7 @@ public String getIDPAttributQueryServiceURL() {
 }
 
 public boolean isIDPPublicService() {
-	if (inderfederatedIDP != null)
-		return inderfederatedIDP.isPublicService();
-	
-	else
-		return false;
+	return !getBusinessService();
 	
 }
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index f2e3e7cb1..aa61172d1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -22,6 +22,7 @@
  *******************************************************************************/
 package at.gv.egovernment.moa.id.protocols.pvp2x.metadata;
 
+import java.security.cert.CertificateException;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Date;
@@ -48,7 +49,9 @@ import org.opensaml.xml.parse.BasicParserPool;
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
 import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2;
 import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
-import at.gv.egovernment.moa.id.protocols.pvp2x.verification.MetadataSignatureFilter;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataFilterChain;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataSignatureFilter;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
 
@@ -156,11 +159,14 @@ public class MOAMetadataProvider implements MetadataProvider {
 						} else if ( MiscUtil.isNotEmpty(metadataurl) &&
 								!providersinuse.containsKey(metadataurl) ) {
 							//PVP2 OA is new, add it to MOAMetadataProvider
+													
 							Logger.info("Loading metadata for: " + oa.getFriendlyName());
 							httpProvider = createNewHTTPMetaDataProvider(
 									pvp2Config.getMetadataURL(), 
 									pvp2Config.getCertificate(),
-									oa.getFriendlyName());
+									oa.getFriendlyName(),
+									buildMetadataFilterChain(oa, pvp2Config.getMetadataURL(), 
+											pvp2Config.getCertificate()));
 							
 							if (httpProvider != null)
 								providersinuse.put(metadataurl, httpProvider);
@@ -266,7 +272,9 @@ public class MOAMetadataProvider implements MetadataProvider {
 						httpProvider = createNewHTTPMetaDataProvider(
 								metadataURL, 
 								pvp2Config.getCertificate(),
-								oa.getFriendlyName());
+								oa.getFriendlyName(),
+								buildMetadataFilterChain(oa, metadataURL, 
+										pvp2Config.getCertificate()));
 					
 						if (httpProvider != null)
 							providersinuse.put(metadataURL, httpProvider);
@@ -305,7 +313,19 @@ public class MOAMetadataProvider implements MetadataProvider {
 		timestamp = new Date();
 	}
 	
-	private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, byte[] certificate, String oaName) {
+	private MetadataFilterChain buildMetadataFilterChain(OnlineApplication oa, String metadataURL, byte[] certificate) throws CertificateException {
+		MetadataFilterChain filterChain = new MetadataFilterChain(metadataURL, certificate);
+		
+		if (oa.isIsInterfederationIDP() != null && oa.isIsInterfederationIDP()) {
+			Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies");
+			filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oa.getType()));
+			
+		}
+		
+		return filterChain;		
+	}
+	
+	private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, byte[] certificate, String oaName, MetadataFilterChain filter) {
 		HTTPMetadataProvider httpProvider = null;
 		Timer timer= null;
 		
@@ -321,8 +341,9 @@ public class MOAMetadataProvider implements MetadataProvider {
 			
 			// TODO: use proper SSL checking
 			
-			MetadataFilter filter = new MetadataSignatureFilter(
-					metadataURL, certificate);
+			if (filter == null) {			
+				filter = new MetadataFilterChain(metadataURL, certificate);
+			}
 			httpProvider.setMetadataFilter(filter);
 			httpProvider.initialize();
 			
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java
new file mode 100644
index 000000000..3d608fd6d
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java
@@ -0,0 +1,76 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;
+
+import org.opensaml.saml2.metadata.provider.FilterException;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.xml.XMLObject;
+
+import at.gv.egovernment.moa.id.commons.db.dao.config.InterfederationIDPType;
+import at.gv.egovernment.moa.id.commons.validation.ValidationHelper;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class InterfederatedIDPPublicServiceFilter implements MetadataFilter {
+
+	private String metadataURL;
+	private boolean isPublicService = false;
+	
+	/**
+	 * 
+	 */
+	public InterfederatedIDPPublicServiceFilter(String metadataURL, String oaType) {
+		Logger.debug("Add " + this.getClass().getName() + " to metadata policy");
+		this.metadataURL = metadataURL;
+		
+		if (oaType.equals("businessService"))		
+			this.isPublicService = false;		
+		else
+			this.isPublicService = true;
+	}
+	
+	
+	/* (non-Javadoc)
+	 * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject)
+	 */
+	@Override
+	public void doFilter(XMLObject arg0) throws FilterException {
+		
+		boolean metadatacheck = ValidationHelper.isPublicServiceAllowed(this.metadataURL);
+		
+		if (isPublicService && isPublicService != metadatacheck) {
+			Logger.warn("Interfederated IDP " + metadataURL + " is configured " +
+					"as Public-Servic IDP but PublicService policy check FAILED.");
+			throw new FilterException("Interfederated IDP " + metadataURL + " is configured " +
+					"as Public-Servic IDP but PublicService policy check FAILED.");
+			
+		}
+		
+		Logger.info("Metadata PublicService policy check done OK");
+
+	}
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataFilterChain.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataFilterChain.java
new file mode 100644
index 000000000..4e1d939ff
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataFilterChain.java
@@ -0,0 +1,82 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;
+
+import java.security.cert.CertificateException;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.opensaml.saml2.metadata.provider.FilterException;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.xml.XMLObject;
+
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MetadataFilterChain implements MetadataFilter {
+
+	private List<MetadataFilter> filters = new ArrayList<MetadataFilter>();
+	
+	/**
+	 * @throws CertificateException 
+	 * 
+	 */
+	public MetadataFilterChain(String url, byte[] certificate) throws CertificateException {
+		addDefaultFilters(url, certificate);
+	}
+	
+	public void addDefaultFilters(String url, byte[] certificate) throws CertificateException {
+		filters.add(new MetadataSignatureFilter(url, certificate));
+		
+	}
+	
+	/**
+	 * @return the filter
+	 */
+	public List<MetadataFilter> getFilters() {
+		return filters;
+	}
+	
+	
+	/* (non-Javadoc)
+	 * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject)
+	 */
+	@Override
+	public void doFilter(XMLObject arg0) throws FilterException {
+		for (MetadataFilter filter : filters) {
+			Logger.trace("Use MOAMetadatafilter " + filter.getClass().getName());
+			filter.doFilter(arg0);
+		}
+
+	}
+
+
+
+
+
+
+	
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java
index ed0cf9c62..0405fa114 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java
@@ -20,7 +20,7 @@
  * The "NOTICE" text file is part of the distribution. Any derivative works
  * that you distribute must include a readable copy of the "NOTICE" text file.
  *******************************************************************************/
-package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
+package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;
 
 import iaik.x509.X509Certificate;
 
@@ -39,6 +39,7 @@ import org.opensaml.xml.security.x509.BasicX509Credential;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.EntityVerifier;
 import at.gv.egovernment.moa.logging.Logger;
 
 public class MetadataSignatureFilter implements MetadataFilter {
@@ -151,9 +152,9 @@ public class MetadataSignatureFilter implements MetadataFilter {
 			
 			ConfigurationDBUtils.closeSession();
 			
-			Logger.info("Metadata Filter done OK");
+			Logger.info("Metadata signature policy check done OK");
 		} catch (MOAIDException e) {
-			e.printStackTrace();
+			Logger.warn("Metadata signature policy check FAILED.", e);
 			throw new FilterException(e);
 		}
 	}