diff options
| author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-11-20 11:47:29 +0100 | 
|---|---|---|
| committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-11-28 10:23:04 +0100 | 
| commit | bbc999c5d7912d0658216e7a8f59619135731ebf (patch) | |
| tree | ca54a4766a9c3d62866322632e439ccf54cf2d98 /id/server/idserverlib | |
| parent | d5e50b587485a778d6fdd8b52958318204000d00 (diff) | |
| download | moa-id-spss-bbc999c5d7912d0658216e7a8f59619135731ebf.tar.gz moa-id-spss-bbc999c5d7912d0658216e7a8f59619135731ebf.tar.bz2 moa-id-spss-bbc999c5d7912d0658216e7a8f59619135731ebf.zip | |
Add PVP metadata SAML2 EntityAttribute resolver filter
Diffstat (limited to 'id/server/idserverlib')
2 files changed, 209 insertions, 0 deletions
| diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index ab355646c..585aac805 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -55,6 +55,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;  import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;  import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;  import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.PVPEntityCategoryFilter;  import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.PVPMetadataFilterChain;  import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter;  import at.gv.egovernment.moa.logging.Logger; @@ -490,6 +491,7 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider  	private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException, ConfigurationException {  		PVPMetadataFilterChain filterChain = new PVPMetadataFilterChain(metadataURL, certificate);  		filterChain.getFilters().add(new SchemaValidationFilter()); +		filterChain.getFilters().add(new PVPEntityCategoryFilter());  		if (oaParam.isInderfederationIDP()) {  			Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java new file mode 100644 index 000000000..95d30db49 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java @@ -0,0 +1,207 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; + +import java.util.ArrayList; +import java.util.List; + +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.common.Extensions; +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.metadata.AttributeConsumingService; +import org.opensaml.saml2.metadata.EntitiesDescriptor; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.LocalizedString; +import org.opensaml.saml2.metadata.RequestedAttribute; +import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml2.metadata.ServiceName; +import org.opensaml.saml2.metadata.provider.FilterException; +import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.samlext.saml2mdattr.EntityAttributes; +import org.opensaml.xml.XMLObject; + +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.data.Trible; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moaspss.logging.Logger; + +/** + * @author tlenz + * + */ +public class PVPEntityCategoryFilter implements MetadataFilter { + + +	 +	 +	/* (non-Javadoc) +	 * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject) +	 */ +	@Override +	public void doFilter(XMLObject metadata) throws FilterException { +		String entityId = null; +		try { +			if (metadata instanceof EntitiesDescriptor) { +				Logger.trace("Find EnitiesDescriptor ... "); +				EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata; +				if (entitiesDesc.getEntityDescriptors() != null) { +					for (EntityDescriptor el : entitiesDesc.getEntityDescriptors())  +						resolveEntityCategoriesToAttributes(el); +					 +				} +								 +			} else if (metadata instanceof EntityDescriptor) { +				Logger.trace("Find EntityDescriptor"); +				resolveEntityCategoriesToAttributes((EntityDescriptor)metadata); +				 +				 +			} else +				throw new MOAIDException("Invalid Metadata file Root element is no Entities- or EntityDescriptor", null); +			 +			 +			 +		} catch (Exception e) { +			Logger.warn("SAML2 Metadata processing FAILED: Can not resolve EntityCategories for metadata: " + entityId, e); +			 +		} +	} + +	private void resolveEntityCategoriesToAttributes(EntityDescriptor metadata) { +		Logger.debug("Resolving EntityCategorie for Entity: " + metadata.getEntityID() + " ..."); +		Extensions extensions = metadata.getExtensions(); +		if (extensions != null) { +			List<XMLObject> listOfExt = extensions.getUnknownXMLObjects(); +			if (listOfExt != null && !listOfExt.isEmpty()) { +				for (XMLObject el : listOfExt) { +					Logger.trace("Find ExtensionElement: " + el.getElementQName().toString()); +					if (el instanceof EntityAttributes) { +						EntityAttributes entityAttrElem = (EntityAttributes)el; +						if (entityAttrElem.getAttributes() != null) { +							Logger.trace("Find EntityAttributes. Start attribute processing ..."); +							for (Attribute entityAttr : entityAttrElem.getAttributes()) { +								if (entityAttr.getName().equals(PVPConstants.ENTITY_CATEGORY_ATTRIBITE)) { +									if (!entityAttr.getAttributeValues().isEmpty()) { +										String entityAttrValue = entityAttr.getAttributeValues().get(0).getDOM().getTextContent(); +										if (PVPConstants.EGOVTOKEN.equals(entityAttrValue)) { +											Logger.debug("Find 'EGOVTOKEN' EntityAttribute. Adding single pvp attributes ... "); +											addAttributesToEntityDescriptor(metadata,  +													buildAttributeList(PVPConstants.EGOVTOKEN_PVP_ATTRIBUTES),  +													entityAttrValue); +											 +																													 +										} else if (PVPConstants.CITIZENTOKEN.equals(entityAttrValue)) { +											Logger.debug("Find 'CITIZENTOKEN' EntityAttribute. Adding single pvp attributes ... "); +											addAttributesToEntityDescriptor(metadata,  +													buildAttributeList(PVPConstants.CITIZENTOKEN_PVP_ATTRIBUTES),  +													entityAttrValue); +											 +										} else +											Logger.info("EntityAttributeValue: " + entityAttrValue + " is UNKNOWN!"); +																			 +									} else +										Logger.info("EntityAttribute: No attribute value"); +																		 +								} else  +									Logger.info("EntityAttribute: " + entityAttr.getName() + " is NOT supported"); +								 +							} +										 +						} else +							Logger.info("Can NOT resolve EntityAttributes! Reason: Only EntityAttributes are supported!"); +						 +					}					 +				}				 +			}			 +		} +				 +	} +	 +	/** +	 * @param metadata +	 * @param attrList +	 */ +	private void addAttributesToEntityDescriptor(EntityDescriptor metadata, List<RequestedAttribute> attrList, String entityAttr) { +		SPSSODescriptor spSSODesc = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); +		if (spSSODesc != null) { +			if (spSSODesc.getAttributeConsumingServices() == null ||  +					spSSODesc.getAttributeConsumingServices().isEmpty()) { +				Logger.trace("No 'AttributeConsumingServices' found. Added it ..."); +				 +				AttributeConsumingService attributeService = SAML2Utils.createSAMLObject(AttributeConsumingService.class);						 +				attributeService.setIndex(0); +				attributeService.setIsDefault(true); +				ServiceName serviceName = SAML2Utils.createSAMLObject(ServiceName.class); +				serviceName.setName(new LocalizedString("Default Service", "en")); +				attributeService.getNames().add(serviceName); +				 +				if (attrList != null && !attrList.isEmpty()) { +					attributeService.getRequestAttributes().addAll(attrList); +					Logger.info("Add  " + attrList.size() + " attributes for 'EntityAttribute': " + entityAttr); +					 +				} +				 +				spSSODesc.getAttributeConsumingServices().add(attributeService); +				 +			} else { +				Logger.debug("Find 'AttributeConsumingServices'. Starting updating process ... "); +				for (AttributeConsumingService el : spSSODesc.getAttributeConsumingServices()) { +					Logger.debug("Update 'AttributeConsumingService' with Index: " + el.getIndex()); +					 +					//load currently requested attributes +					List<String> currentlyReqAttr = new ArrayList<String>(); +					for (RequestedAttribute reqAttr : el.getRequestAttributes()) +						currentlyReqAttr.add(reqAttr.getName()); +						 + +					//check against EntityAttribute List +					for (RequestedAttribute entityAttrListEl : attrList) { +						if (!currentlyReqAttr.contains(entityAttrListEl.getName())) { +							el.getRequestAttributes().add(entityAttrListEl); +							 +						} else +							Logger.debug("'AttributeConsumingService' already contains attr: " + entityAttrListEl.getName()); +						 +					} +					 +				} +				 +			} +			 +		} else +			Logger.info("Can ONLY add 'EntityAttributes' to 'SPSSODescriptor'"); +		 +	} + +	private List<RequestedAttribute> buildAttributeList(List<Trible<String, String, Boolean>> attrSet) { +		List<RequestedAttribute> requestedAttributes = new ArrayList<RequestedAttribute>(); +		for (Trible<String, String, Boolean> el : attrSet) +			requestedAttributes.add(PVPAttributeBuilder.buildReqAttribute(el.getFirst(), el.getSecond(), el.getThird()));	 +					 +		return requestedAttributes; +		 +		 +	} +	 	 +} | 
