diff options
author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2018-06-05 10:44:40 +0200 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2018-06-05 10:44:40 +0200 |
commit | 709197ce12c5502f86e16da1167b97ca318f47fa (patch) | |
tree | 17a96fd5d68ddd9eb6390989bcd4590ade8de46d /id/server/idserverlib/src | |
parent | ecf9de84e76dde785ced8c1632c7909d1d57f94a (diff) | |
download | moa-id-spss-709197ce12c5502f86e16da1167b97ca318f47fa.tar.gz moa-id-spss-709197ce12c5502f86e16da1167b97ca318f47fa.tar.bz2 moa-id-spss-709197ce12c5502f86e16da1167b97ca318f47fa.zip |
implement user restriction based on whitelisting
Diffstat (limited to 'id/server/idserverlib/src')
5 files changed, 170 insertions, 1 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java new file mode 100644 index 000000000..4853a5ab6 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java @@ -0,0 +1,85 @@ +package at.gv.egovernment.moa.id.auth.modules.internal.tasks; + +import java.util.List; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.springframework.beans.factory.annotation.Autowired; + +import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; +import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; +import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils; +import at.gv.egovernment.moa.id.config.auth.data.UserWhitelistStore; +import at.gv.egovernment.moa.id.data.Pair; +import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +public class UserRestrictionTask extends AbstractAuthServletTask { + + public static final String CONFIG_PROPS_SP_LIST = "configuration.restrictions.sp.entityIds"; + public static final String CONFIG_PROPS_CSV_USER_FILE = "configuration.restrictions.sp.users.url"; + public static final String CONFIG_PROPS_CSV_USER_SECTOR = "configuration.restrictions.sp.users.sector"; + + @Autowired(required=true) UserWhitelistStore whitelist; + + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + try { + String spEntityId = pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix(); + List<String> restrictedSPs = KeyValueUtils.getListOfCSVValues(authConfig.getBasicMOAIDConfiguration(CONFIG_PROPS_SP_LIST)); + if (restrictedSPs.contains(spEntityId)) { + Logger.debug("SP:" + spEntityId + " has a user restrication. Check users bPK ... "); + defaultTaskInitialization(request, executionContext);; + + //check if user idl is already loaded + if (moasession.getIdentityLink() == null) { + Logger.warn("PendingRequest contains NO IdentityLink. User restrictation NOT possible!"); + throw new MOAIDException("process.03", null); + + } + + //calculate whitelist bPK for current user + String bpkTarget = authConfig.getBasicMOAIDConfiguration(CONFIG_PROPS_CSV_USER_SECTOR); + if (MiscUtil.isEmpty(bpkTarget)) { + Logger.info("NO bPK sector for user whitelist in configuration"); + throw new MOAIDException("config.05", new Object[] {CONFIG_PROPS_CSV_USER_SECTOR}); + + } + + Pair<String, String> pseudonym = new BPKBuilder().generateAreaSpecificPersonIdentifier( + moasession.getIdentityLink().getIdentificationValue(), + moasession.getIdentityLink().getIdentificationType(), + bpkTarget); + + + //check if user's bPK is whitelisted + if (!whitelist.isUserbPKInWhitelist(pseudonym.getFirst())) { + Logger.info("User's bPK is not whitelisted. Authentication process stops ..."); + Logger.trace("User's bPK: " + pseudonym.getFirst()); + throw new MOAIDException("auth.35", null); + + } + + Logger.debug("User was found in whitelist. Continue authentication process ... "); + + } else + Logger.trace("SP: " + spEntityId + " has no user restrication."); + + + } catch (MOAIDException e) { + throw new TaskExecutionException(pendingReq, e.getMessage(), e); + + } catch (Exception e) { + Logger.warn("RestartAuthProzessManagement has an internal error", e); + throw new TaskExecutionException(pendingReq, e.getMessage(), e); + + } + + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java new file mode 100644 index 000000000..a300739b3 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java @@ -0,0 +1,73 @@ +package at.gv.egovernment.moa.id.config.auth.data; + +import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.IOException; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.net.URISyntaxException; +import java.net.URL; +import java.util.ArrayList; +import java.util.List; + +import javax.annotation.PostConstruct; + +import org.apache.commons.io.IOUtils; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; + +import at.gv.egovernment.moa.id.auth.modules.internal.tasks.UserRestrictionTask; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils; +import at.gv.egovernment.moa.util.FileUtils; +import at.gv.egovernment.moa.util.MiscUtil; +import at.gv.egovernment.moaspss.logging.Logger; + +@Service("UserWhiteList_Store") +public class UserWhitelistStore { + + @Autowired(required=true) AuthConfiguration authConfig; + + private List<String> whitelist = new ArrayList<String>(); + + @PostConstruct + private void initialize() { + String whiteListUrl = authConfig.getBasicMOAIDConfiguration(UserRestrictionTask.CONFIG_PROPS_CSV_USER_FILE); + if (MiscUtil.isEmpty(whiteListUrl)) + Logger.debug("Do not initialize user whitelist. Reason: No configuration path to CSV file."); + + else { + String absWhiteListUrl = FileUtils.makeAbsoluteURL(whiteListUrl, authConfig.getRootConfigFileDir()); + try { + InputStream is = new FileInputStream(new File(new URL(absWhiteListUrl).toURI())); + String whiteListString = IOUtils.toString(new InputStreamReader(is)); + whitelist = KeyValueUtils.getListOfCSVValues(KeyValueUtils.normalizeCSVValueString(whiteListString)); + Logger.info("User whitelist is initialized with " + whitelist.size() + " entries."); + + } catch (FileNotFoundException e) { + Logger.warn("Do not initialize user whitelist. Reason: CSV file with bPKs NOT found", e); + + } catch (IOException e) { + Logger.warn("Do not initialize user whitelist. Reason: CSV file is NOT readable", e); + + } catch (URISyntaxException e) { + Logger.warn("Do not initialize user whitelist. Reason: CSV file looks wrong", e); + + } + + } + + } + + /** + * Check if bPK is in whitelist + * + * @param bPK + * @return true if bPK is in whitelist, otherwise false + */ + public boolean isUserbPKInWhitelist(String bPK) { + return whitelist.contains(bPK); + + } +} diff --git a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml index ba8c47304..dc3022ab4 100644 --- a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml +++ b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml @@ -42,6 +42,9 @@ <bean id="MOAID_SSOManager" class="at.gv.egovernment.moa.id.moduls.SSOManager"/> + <bean id="UserWhiteList_Store" + class="at.gv.egovernment.moa.id.config.auth.data.UserWhitelistStore"/> + <bean id="AuthenticationSessionStoreage" @@ -91,7 +94,11 @@ <bean id="EvaluateSSOConsentsTaskImpl" class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.EvaluateSSOConsentsTaskImpl" - scope="prototype"/> + scope="prototype"/> + + <bean id="UserRestrictionTask" + class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.UserRestrictionTask" + scope="prototype"/> <beans profile="advancedLogOn"> <bean id="StatisticLogger" diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 84fd93773..799b32025 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -52,6 +52,7 @@ auth.31=Federated authentication FAILED. No information for AttributeQuery, mayb auth.32=Federated authentication FAILED. No configuration for IDP {0}
auth.33=Federated authentication FAILED. Configuration of IDP {0} does not allow inbound messages.
auth.34=Federated authentication FAILED. Configuration of IDP {0} is marked as BusinessService-IDP, but Public-Service attributes are requested.
+auth.35=Der Anmeldevorgang wurde automatisiert abgebrochen, da der Benutzer nicht für dieses Onlineapplikation berechtigt ist.
init.00=MOA-ID-Auth wurde erfolgreich gestartet
init.01=Fehler beim Aktivieren des IAIK-JCE/JSSE/JDK1.3 Workaround\: SSL ist m\u00F6glicherweise nicht verf\u00FCgbar
@@ -336,6 +337,7 @@ slo.02=Es wurde keine aktive SSO Session gefunden oder Sie sind bei keiner Onlin process.01=Fehler beim Ausf\u00FChren des Prozesses.
process.02=Fehler beim Erstellen eines geeigneten Prozesses f\u00FCr die SessionID {0}.
process.03=Fehler beim Weiterf\u00FChren es Prozesses. Msg:{0}
+process.03=Fehler beim Ausf\u00FChren des Prozesses. Interner state ung\u00FCltig.
sl20.00=Allgemeiner Fehler w\u00e4hrend SL2.0 Authentifizierung. Msg: {0}
sl20.01=Fehler beim Generieren des SL2.0 Kommandos. Msg: {0}
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties index d77ea437b..dae88889f 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties @@ -32,6 +32,7 @@ auth.31=4400 auth.32=4401 auth.33=4401 auth.34=4401 +auth.35=1111 init.00=9199 init.01=9199 @@ -103,6 +104,7 @@ service.10=4500 process.01=9104 process.02=9104 process.03=9105 +process.03=9104 sp.pvp2.00=4501 sp.pvp2.01=4501 |