aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2017-12-11 11:34:54 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2017-12-11 11:34:54 +0100
commit258bdb751beb4c2f82306e67f067d1bb9df2743a (patch)
tree6361089b8813665708a889bd1304ab63f248e6a9 /id/server/idserverlib/src
parentcaa1690996b62c0ffa7fa99162e583fcf98bd26c (diff)
parentf18f6318f7233b336ea2653f183460f17d6562f0 (diff)
downloadmoa-id-spss-258bdb751beb4c2f82306e67f067d1bb9df2743a.tar.gz
moa-id-spss-258bdb751beb4c2f82306e67f067d1bb9df2743a.tar.bz2
moa-id-spss-258bdb751beb4c2f82306e67f067d1bb9df2743a.zip
Merge branch 'development_preview' into eIDAS_node_implementation
# Conflicts: # id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java # id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java
Diffstat (limited to 'id/server/idserverlib/src')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java24
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java12
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java71
7 files changed, 77 insertions, 43 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
index 332604257..d3e340a90 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
@@ -1311,7 +1311,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
String value = properties.getProperty(key);
if (MiscUtil.isNotEmpty(value))
- return Boolean.valueOf(value);
+ return Boolean.valueOf(value.trim());
return defaultValue;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index 216d7a8b1..cdb85c563 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -259,6 +259,8 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController {
throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()});
} catch (MOAIDException e) {
+ String samlRequest = req.getParameter("SAMLRequest");
+ Logger.info("Receive INVALID protocol request: " + samlRequest);
throw e;
} catch (Throwable e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index 45539da3f..196aa47af 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -373,7 +373,8 @@ public class PVP2AssertionBuilder implements PVPConstants {
//get NameIDFormat from request
AuthnRequest authnReq = (AuthnRequestImpl) authnRequest;
- if (authnReq.getNameIDPolicy() != null) {
+ if (authnReq.getNameIDPolicy() != null &&
+ MiscUtil.isNotEmpty(authnReq.getNameIDPolicy().getFormat())) {
nameIDFormat = authnReq.getNameIDPolicy().getFormat();
} else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index 585aac805..7f6f9b88c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -51,6 +51,7 @@ import org.springframework.stereotype.Service;
import at.gv.egovernment.moa.id.auth.IDestroyableObject;
import at.gv.egovernment.moa.id.auth.IGarbageCollectorProcessing;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
@@ -491,7 +492,10 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider
private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException, ConfigurationException {
PVPMetadataFilterChain filterChain = new PVPMetadataFilterChain(metadataURL, certificate);
filterChain.getFilters().add(new SchemaValidationFilter());
- filterChain.getFilters().add(new PVPEntityCategoryFilter());
+ filterChain.getFilters().add(
+ new PVPEntityCategoryFilter(authConfig.getBasicMOAIDConfigurationBoolean(
+ AuthConfiguration.PROP_KEY_PROTOCOL_PVP_METADATA_ENTITYCATEGORY_RESOLVER,
+ false)));
if (oaParam.isInderfederationIDP()) {
Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java
index ab8fab5d1..4ae89466d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java
@@ -28,6 +28,7 @@ import org.opensaml.saml2.core.NameIDPolicy;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestValidatorException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException;
+import at.gv.egovernment.moaspss.logging.Logger;
/**
* @author tlenz
@@ -41,17 +42,20 @@ public class AuthnRequestValidator {
NameIDPolicy nameIDPolicy = req.getNameIDPolicy();
if (nameIDPolicy != null) {
String nameIDFormat = nameIDPolicy.getFormat();
-
- if ( !(nameIDFormat != null &&
- (NameID.TRANSIENT.equals(nameIDFormat) ||
- NameID.PERSISTENT.equals(nameIDFormat) ||
- NameID.UNSPECIFIED.equals(nameIDFormat))) ) {
-
- throw new NameIDFormatNotSupportedException(nameIDFormat);
+ if (nameIDFormat != null) {
+ if ( !(NameID.TRANSIENT.equals(nameIDFormat) ||
+ NameID.PERSISTENT.equals(nameIDFormat) ||
+ NameID.UNSPECIFIED.equals(nameIDFormat)) ) {
- }
- }
-
+ throw new NameIDFormatNotSupportedException(nameIDFormat);
+
+ }
+
+ } else
+ Logger.trace("Find NameIDPolicy, but NameIDFormat is 'null'");
+ } else
+ Logger.trace("AuthnRequest includes no 'NameIDPolicy'");
+
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java
index 679bdd10f..589713c4b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java
@@ -22,8 +22,6 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;
-import iaik.x509.X509Certificate;
-
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Iterator;
@@ -31,16 +29,15 @@ import java.util.List;
import org.opensaml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.provider.FilterException;
import org.opensaml.saml2.metadata.provider.MetadataFilter;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.security.x509.BasicX509Credential;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.EntityVerifier;
import at.gv.egovernment.moa.logging.Logger;
+import iaik.x509.X509Certificate;
public class MetadataSignatureFilter implements MetadataFilter {
@@ -87,8 +84,9 @@ public class MetadataSignatureFilter implements MetadataFilter {
//CHECK if Entity also match MetaData signature.
/*This check is necessary to prepend declaration of counterfeit OA metadata!!*/
+ Logger.debug("Validate metadata for entityID: " + entityID + " ..... ");
byte[] entityCert = EntityVerifier.fetchSavedCredential(entityID);
-
+
if (entityCert != null) {
X509Certificate cert;
@@ -99,8 +97,10 @@ public class MetadataSignatureFilter implements MetadataFilter {
EntityVerifier.verify(desc, entityCrendential);
- //add entity to verified entity-list
+ //add entity to verified entity-list
verifiedEntIT.add(entity);
+ Logger.debug("Metadata for entityID: " + entityID + " valid");
+
} catch (Exception e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java
index 95d30db49..caabfea30 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java
@@ -54,6 +54,17 @@ import at.gv.egovernment.moaspss.logging.Logger;
public class PVPEntityCategoryFilter implements MetadataFilter {
+ private boolean isUsed = false;
+
+ /**
+ * Filter to map PVP EntityCategories into a set of single PVP attributes
+ *
+ * @param isUsed if true PVP EntityCategories are mapped, otherwise they are ignored
+ *
+ */
+ public PVPEntityCategoryFilter(boolean isUsed) {
+ this.isUsed = isUsed;
+ }
/* (non-Javadoc)
@@ -61,31 +72,38 @@ public class PVPEntityCategoryFilter implements MetadataFilter {
*/
@Override
public void doFilter(XMLObject metadata) throws FilterException {
- String entityId = null;
- try {
- if (metadata instanceof EntitiesDescriptor) {
- Logger.trace("Find EnitiesDescriptor ... ");
- EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata;
- if (entitiesDesc.getEntityDescriptors() != null) {
- for (EntityDescriptor el : entitiesDesc.getEntityDescriptors())
- resolveEntityCategoriesToAttributes(el);
+
+ if (isUsed) {
+ Logger.trace("Map PVP EntityCategory to single PVP Attributes ... ");
+ String entityId = null;
+ try {
+ if (metadata instanceof EntitiesDescriptor) {
+ Logger.trace("Find EnitiesDescriptor ... ");
+ EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata;
+ if (entitiesDesc.getEntityDescriptors() != null) {
+ for (EntityDescriptor el : entitiesDesc.getEntityDescriptors())
+ resolveEntityCategoriesToAttributes(el);
+
+ }
+
+ } else if (metadata instanceof EntityDescriptor) {
+ Logger.trace("Find EntityDescriptor");
+ resolveEntityCategoriesToAttributes((EntityDescriptor)metadata);
- }
-
- } else if (metadata instanceof EntityDescriptor) {
- Logger.trace("Find EntityDescriptor");
- resolveEntityCategoriesToAttributes((EntityDescriptor)metadata);
+
+ } else
+ throw new MOAIDException("Invalid Metadata file Root element is no Entities- or EntityDescriptor", null);
- } else
- throw new MOAIDException("Invalid Metadata file Root element is no Entities- or EntityDescriptor", null);
-
-
-
- } catch (Exception e) {
- Logger.warn("SAML2 Metadata processing FAILED: Can not resolve EntityCategories for metadata: " + entityId, e);
+
+ } catch (Exception e) {
+ Logger.warn("SAML2 Metadata processing FAILED: Can not resolve EntityCategories for metadata: " + entityId, e);
+
+ }
- }
+ } else
+ Logger.trace("Filter to map PVP EntityCategory to single PVP Attributes is deactivated");
+
}
private void resolveEntityCategoriesToAttributes(EntityDescriptor metadata) {
@@ -94,6 +112,7 @@ public class PVPEntityCategoryFilter implements MetadataFilter {
if (extensions != null) {
List<XMLObject> listOfExt = extensions.getUnknownXMLObjects();
if (listOfExt != null && !listOfExt.isEmpty()) {
+ Logger.trace("Find #" + listOfExt.size() + " 'Extension' elements ");
for (XMLObject el : listOfExt) {
Logger.trace("Find ExtensionElement: " + el.getElementQName().toString());
if (el instanceof EntityAttributes) {
@@ -132,9 +151,13 @@ public class PVPEntityCategoryFilter implements MetadataFilter {
Logger.info("Can NOT resolve EntityAttributes! Reason: Only EntityAttributes are supported!");
}
- }
- }
- }
+ }
+
+ } else
+ Logger.trace("'Extension' element is 'null' or empty");
+
+ } else
+ Logger.trace("No 'Extension' element found");
}