implement user restriction based on whitelisting

5 files changed, 170 insertions, 1 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java
new file mode 100644
index 000000000..4853a5ab6
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/UserRestrictionTask.java
@@ -0,0 +1,85 @@
+package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
+
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.beans.factory.annotation.Autowired;
+
+import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
+import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
+import at.gv.egovernment.moa.id.config.auth.data.UserWhitelistStore;
+import at.gv.egovernment.moa.id.data.Pair;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+public class UserRestrictionTask extends AbstractAuthServletTask {
+		
+	public static final String CONFIG_PROPS_SP_LIST = "configuration.restrictions.sp.entityIds";
+	public static final String CONFIG_PROPS_CSV_USER_FILE = "configuration.restrictions.sp.users.url";
+	public static final String CONFIG_PROPS_CSV_USER_SECTOR = "configuration.restrictions.sp.users.sector";
+	
+	@Autowired(required=true) UserWhitelistStore whitelist;
+	
+	@Override
+	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+			throws TaskExecutionException {
+		try {			
+			String spEntityId = pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix();			
+			List<String> restrictedSPs = KeyValueUtils.getListOfCSVValues(authConfig.getBasicMOAIDConfiguration(CONFIG_PROPS_SP_LIST));						
+			if (restrictedSPs.contains(spEntityId)) {
+				Logger.debug("SP:" + spEntityId + " has a user restrication. Check users bPK ... ");				
+				defaultTaskInitialization(request, executionContext);;
+				
+				//check if user idl is already loaded
+				if (moasession.getIdentityLink() == null) {
+					Logger.warn("PendingRequest contains NO IdentityLink. User restrictation NOT possible!");
+					throw new MOAIDException("process.03", null);
+					
+				}
+				
+				//calculate whitelist bPK for current user
+				String bpkTarget = authConfig.getBasicMOAIDConfiguration(CONFIG_PROPS_CSV_USER_SECTOR);
+				if (MiscUtil.isEmpty(bpkTarget)) {
+					Logger.info("NO bPK sector for user whitelist in configuration");
+					throw new MOAIDException("config.05", new Object[] {CONFIG_PROPS_CSV_USER_SECTOR});
+					
+				}
+				
+				Pair<String, String> pseudonym = new BPKBuilder().generateAreaSpecificPersonIdentifier(
+						moasession.getIdentityLink().getIdentificationValue(), 
+						moasession.getIdentityLink().getIdentificationType(), 
+						bpkTarget);
+				
+				
+				//check if user's bPK is whitelisted 
+				if (!whitelist.isUserbPKInWhitelist(pseudonym.getFirst())) {
+					Logger.info("User's bPK is not whitelisted. Authentication process stops ...");
+					Logger.trace("User's bPK: " + pseudonym.getFirst());
+					throw new MOAIDException("auth.35", null);
+					
+				}
+				
+				Logger.debug("User was found in whitelist. Continue authentication process ... ");
+				
+			} else
+				Logger.trace("SP: " + spEntityId + " has no user restrication.");
+			
+			
+		} catch (MOAIDException e) {
+			throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+			
+		} catch (Exception e) {
+			Logger.warn("RestartAuthProzessManagement has an internal error", e);
+			throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+			
+		}		
+
+	}
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java
new file mode 100644
index 000000000..a300739b3
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/UserWhitelistStore.java
@@ -0,0 +1,73 @@
+package at.gv.egovernment.moa.id.config.auth.data;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.annotation.PostConstruct;
+
+import org.apache.commons.io.IOUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import at.gv.egovernment.moa.id.auth.modules.internal.tasks.UserRestrictionTask;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
+import at.gv.egovernment.moa.util.FileUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
+import at.gv.egovernment.moaspss.logging.Logger;
+
+@Service("UserWhiteList_Store")
+public class UserWhitelistStore {
+
+	@Autowired(required=true) AuthConfiguration authConfig;
+	
+	private List<String> whitelist = new ArrayList<String>();
+	
+	@PostConstruct
+	private void initialize() {
+		String whiteListUrl = authConfig.getBasicMOAIDConfiguration(UserRestrictionTask.CONFIG_PROPS_CSV_USER_FILE);
+		if (MiscUtil.isEmpty(whiteListUrl)) 
+			Logger.debug("Do not initialize user whitelist. Reason: No configuration path to CSV file.");
+		
+		else {
+			String absWhiteListUrl = FileUtils.makeAbsoluteURL(whiteListUrl, authConfig.getRootConfigFileDir());
+			try {			
+				InputStream is = new FileInputStream(new File(new URL(absWhiteListUrl).toURI()));
+				String whiteListString = IOUtils.toString(new InputStreamReader(is));
+				whitelist = KeyValueUtils.getListOfCSVValues(KeyValueUtils.normalizeCSVValueString(whiteListString));
+				Logger.info("User whitelist is initialized with " + whitelist.size() + " entries.");
+				 
+			} catch (FileNotFoundException e) {
+				Logger.warn("Do not initialize user whitelist. Reason: CSV file with bPKs NOT found", e);
+
+			} catch (IOException e) {
+				Logger.warn("Do not initialize user whitelist. Reason: CSV file is NOT readable", e);
+				
+			} catch (URISyntaxException e) {
+				Logger.warn("Do not initialize user whitelist. Reason: CSV file looks wrong", e);
+				
+			}
+			
+		}
+		
+	}
+	
+	/**
+	 * Check if bPK is in whitelist
+	 * 
+	 * @param bPK
+	 * @return true if bPK is in whitelist, otherwise false
+	 */
+	public boolean isUserbPKInWhitelist(String bPK) {		
+		return whitelist.contains(bPK);
+		
+	}
+}
diff --git a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml
index ba8c47304..dc3022ab4 100644
--- a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml
+++ b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml
@@ -42,6 +42,9 @@
 	<bean id="MOAID_SSOManager" 
 				class="at.gv.egovernment.moa.id.moduls.SSOManager"/>
 
+	<bean id="UserWhiteList_Store" 
+				class="at.gv.egovernment.moa.id.config.auth.data.UserWhitelistStore"/>
+
 	
 
 	<bean id="AuthenticationSessionStoreage" 
@@ -91,7 +94,11 @@
 				
 	<bean id="EvaluateSSOConsentsTaskImpl" 
 				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.EvaluateSSOConsentsTaskImpl"
-				scope="prototype"/>		
+				scope="prototype"/>
+				
+	<bean id="UserRestrictionTask" 
+				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.UserRestrictionTask"
+				scope="prototype"/>			
 				
 	<beans profile="advancedLogOn">
 		<bean id="StatisticLogger" 
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 84fd93773..799b32025 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -52,6 +52,7 @@ auth.31=Federated authentication FAILED. No information for AttributeQuery, mayb
 auth.32=Federated authentication FAILED. No configuration for IDP {0}

 auth.33=Federated authentication FAILED. Configuration of IDP {0} does not allow inbound messages. 

 auth.34=Federated authentication FAILED. Configuration of IDP {0} is marked as BusinessService-IDP, but Public-Service attributes are requested.

+auth.35=Der Anmeldevorgang wurde automatisiert abgebrochen, da der Benutzer nicht für dieses Onlineapplikation berechtigt ist. 

 

 init.00=MOA-ID-Auth wurde erfolgreich gestartet

 init.01=Fehler beim Aktivieren des IAIK-JCE/JSSE/JDK1.3 Workaround\: SSL ist m\u00F6glicherweise nicht verf\u00FCgbar

@@ -336,6 +337,7 @@ slo.02=Es wurde keine aktive SSO Session gefunden oder Sie sind bei keiner Onlin
 process.01=Fehler beim Ausf\u00FChren des Prozesses.

 process.02=Fehler beim Erstellen eines geeigneten Prozesses f\u00FCr die SessionID {0}.

 process.03=Fehler beim Weiterf\u00FChren es Prozesses. Msg:{0}

+process.03=Fehler beim Ausf\u00FChren des Prozesses. Interner state ung\u00FCltig.

 

 sl20.00=Allgemeiner Fehler w\u00e4hrend SL2.0 Authentifizierung. Msg: {0}

 sl20.01=Fehler beim Generieren des SL2.0 Kommandos. Msg: {0}

diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
index d77ea437b..dae88889f 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
@@ -32,6 +32,7 @@ auth.31=4400
 auth.32=4401
 auth.33=4401
 auth.34=4401
+auth.35=1111
 
 init.00=9199
 init.01=9199
@@ -103,6 +104,7 @@ service.10=4500
 process.01=9104
 process.02=9104
 process.03=9105
+process.03=9104
  
 sp.pvp2.00=4501
 sp.pvp2.01=4501