add code for SEMPER eIDAS extensions

5 files changed, 209 insertions, 9 deletions

diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java
index 19950a078..96c78abb4 100644
--- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java
@@ -27,6 +27,7 @@ import java.util.Collections;
 import java.util.List;
 
 import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
 import at.gv.egiz.eaaf.core.impl.data.Trible;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 
@@ -60,6 +61,8 @@ public class EidasCentralAuthConstants {
 	public static final String CONFIG_PROPS_NODE_METADATAURL = CONFIG_PROPS_PREFIX + "node.metadataUrl";
 	public static final String CONFIG_PROPS_NODE_TRUSTPROFILEID = CONFIG_PROPS_PREFIX + "node.trustprofileID";	
 	
+	public static final String CONFIG_PROPS_SEMPER_MANDATES_ACTIVE = CONFIG_PROPS_PREFIX + "semper.mandates.active";
+	public static final String CONFIG_PROPS_SEMPER_MANDATES_MS_PROXY_LIST = CONFIG_PROPS_PREFIX + "semper.msproxy.list";
 	
 	public static final String CONFIG_DEFAULT_LOA_EIDAS_LEVEL = EAAFConstants.EIDAS_LOA_HIGH;	
 	public static final List<Trible<String, String, Boolean>> DEFAULT_REQUIRED_PVP_ATTRIBUTES = 
@@ -81,6 +84,22 @@ public class EidasCentralAuthConstants {
 				}
 			});
 	
+	public static final List<Pair<String, Boolean>> DEFAULT_SEMPER_MANDATE_PVP_ATTRIBUTES = 
+      Collections.unmodifiableList(new ArrayList<Pair<String, Boolean>>() {
+        private static final long serialVersionUID = 1L;
+        {           
+          //request entity information
+          add(Pair.newInstance(PVPConstants.MANDATE_TYPE_NAME, false));
+          add(Pair.newInstance(PVPConstants.MANDATE_TYPE_OID_NAME, false));
+          
+          add(Pair.newInstance(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME, false));
+          add(Pair.newInstance(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, false));
+          add(Pair.newInstance(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME, false));
+          
+                    
+        }
+      });
+	
 	public static final List<String> DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES = 
 			Collections.unmodifiableList(new ArrayList<String>() {
 				private static final long serialVersionUID = 1L;
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java
index aad1244f1..2bb384c74 100644
--- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java
@@ -334,7 +334,7 @@ public class EidasCentralAuthMetadataConfiguration implements IPVPMetadataBuilde
 	 * @param additionalAttr List of PVP attribute name and isRequired flag 
 	 */
 	public void setAdditionalRequiredAttributes(List<Pair<String, Boolean>> additionalAttr) {
-		if (additionalAttr != null) {
+		if (additionalAttr != null && !additionalAttr.isEmpty()) {
 			additionalAttributes = new ArrayList<RequestedAttribute>();
 			for (Pair<String, Boolean> el : additionalAttr) {
 				Attribute attributBuilder = PVPAttributeBuilder.buildEmptyAttribute(el.getFirst());
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java
index a6a7084f5..a0c1fa30b 100644
--- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java
@@ -109,9 +109,17 @@ public class EidasCentralAuthMetadataController extends AbstractController {
 	}
 
 	private List<Pair<String, Boolean>> getAdditonalRequiredAttributes() {
-		Map<String, String> addReqAttributes = authConfig.getBasicConfigurationWithPrefix(EidasCentralAuthConstants.CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST);
-		if (addReqAttributes != null) {
-			List<Pair<String, Boolean>> result = new ArrayList<Pair<String, Boolean>>();
+	  List<Pair<String, Boolean>> result = new ArrayList<Pair<String, Boolean>>();
+	  
+	  //load SEMPER attributes if required
+	  if (authConfig.getBasicConfigurationBoolean(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_ACTIVE, false)) {
+	    result.addAll(EidasCentralAuthConstants.DEFAULT_SEMPER_MANDATE_PVP_ATTRIBUTES);
+	      
+	  }
+	  
+	  //load attributes from configuration
+	  Map<String, String> addReqAttributes = authConfig.getBasicConfigurationWithPrefix(EidasCentralAuthConstants.CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST);		
+		if (addReqAttributes != null) {			
 			for (String el : addReqAttributes.values()) {
 				if (MiscUtil.isNotEmpty(el)) {
 					Logger.trace("Parse additional attr. definition: " + el);
@@ -123,12 +131,12 @@ public class EidasCentralAuthMetadataController extends AbstractController {
 						Logger.info("IGNORE additional attr. definition: " + el
 								+ " Reason: Format not valid");
 				}				
-			}
-			
-			return result;
+			}			
 		}
 				
-		return null;
+		return result;
+				
+
 	}
 		
 }
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/AuthnRequestSemperProcessor.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/AuthnRequestSemperProcessor.java
new file mode 100644
index 000000000..222ba812c
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/AuthnRequestSemperProcessor.java
@@ -0,0 +1,151 @@
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.semper;
+
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.commons.lang3.StringUtils;
+import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.xml.XMLObject;
+import org.springframework.beans.factory.annotation.Autowired;
+
+import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
+import at.gv.egiz.eaaf.core.api.data.ExtendedPVPAttributeDefinitions;
+import at.gv.egiz.eaaf.core.api.data.PVPAttributeDefinitions;
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException;
+import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils;
+import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute;
+import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttributes;
+import at.gv.egiz.eaaf.modules.pvp2.api.validation.IAuthnRequestPostProcessor;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
+import at.gv.egovernment.moa.id.commons.MOAIDConstants;
+import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
+import at.gv.egovernment.moa.logging.Logger;
+
+public class AuthnRequestSemperProcessor implements IAuthnRequestPostProcessor {
+    
+  @Autowired IConfiguration authConfig;
+  
+  @Override
+  public void process(HttpServletRequest httpReq, IRequest pendingReq, AuthnRequest authReq,
+      SPSSODescriptor spSsoDescriptor) throws AuthnRequestValidatorException {    
+    if (authConfig.getBasicConfigurationBoolean(
+        EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_ACTIVE, false) 
+        && isSpAllowed(authReq)) { 
+      
+      Logger.debug("SEMPER mode detected. Starting SP-Info extraction from requested attributes ...");
+      extractRequestedAttributeInformation(authReq, pendingReq);
+                       
+    } else {
+      Logger.trace("Skip: " + AuthnRequestSemperProcessor.class.getSimpleName() + " because is's not active or not allowed");
+      
+    }
+
+  }
+  
+  private boolean isSpAllowed(AuthnRequest authReq) {
+    String csvOfAllowedProxies = authConfig.getBasicConfiguration(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_MS_PROXY_LIST);
+    List<String> allowedProxies = KeyValueUtils.getListOfCSVValues(csvOfAllowedProxies);
+    Logger.trace("Validate SP-EntityId: " + authReq.getIssuer().getValue() 
+        + " with allowed MS-Proxies: [" + StringUtils.join(allowedProxies, ", ") + "]");    
+    return allowedProxies.contains(authReq.getIssuer().getValue());
+       
+  }
+
+
+  private void extractRequestedAttributeInformation(AuthnRequest authnReq, IRequest pendingReq) throws AuthnRequestValidatorException {
+    // validate and process requested attributes
+    boolean hasValidBpkTarget = false;
+    if (authnReq.getExtensions() != null) {
+      final List<XMLObject> requestedAttributes = authnReq.getExtensions().getUnknownXMLObjects();
+      for (final XMLObject reqAttrObj : requestedAttributes) {
+        if (reqAttrObj instanceof EAAFRequestedAttributes) {
+          final EAAFRequestedAttributes reqAttr = (EAAFRequestedAttributes) reqAttrObj;
+          if (reqAttr.getAttributes() != null && reqAttr.getAttributes().size() != 0) {
+            for (final EAAFRequestedAttribute el : reqAttr.getAttributes()) {
+              Logger.trace("Processing req. attribute '" + el.getName() + "' ... ");           
+              if (el.getName().equals(PVPAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME)) {
+                hasValidBpkTarget = extractBpkTarget(el, pendingReq);
+              
+              } else if (el.getName().equals(ExtendedPVPAttributeDefinitions.SP_USESMANDATES_NAME )) {
+                extractMandateProfiles(el, pendingReq);
+                              
+              } else {
+                Logger.debug("Ignore req. attribute: " + el.getName());
+              }
+  
+            }
+  
+          } else {
+            Logger.debug("No requested Attributes in Authn. Request");
+          }
+  
+        } else {
+          Logger.info("Ignore unknown requested attribute: " + reqAttrObj.getElementQName().toString());
+        }
+  
+      }
+    }
+
+    if (!hasValidBpkTarget) {
+      Logger.info("Authn.Req validation FAILED. Reason: Contains NO or NO VALID target-sector information.");
+      throw new AuthnRequestValidatorException("pvp2.22", new Object[] {
+          "NO or NO VALID target-sector information" });
+
+    }
+    
+  }
+  
+  private void extractMandateProfiles(EAAFRequestedAttribute el, IRequest pendingReq) {
+    if (el.getAttributeValues() != null && el.getAttributeValues().size() == 1) {
+      final String profiles = el.getAttributeValues().get(0).getDOM().getTextContent();
+      Map<String, String> configProps = pendingReq.getServiceProviderConfiguration().getFullConfiguration();     
+      Logger.debug("Set MandateProfiles to: " + profiles);
+      configProps.put(
+          MOAIDConfigurationConstants.SERVICE_AUTH_MANDATES_OVS_USE,
+          String.valueOf(true));
+      configProps.put(
+          MOAIDConfigurationConstants.SERVICE_AUTH_MANDATES_OVS_PROFILES,
+          profiles);        
+                  
+    } else {
+      Logger.info("Req. attribute '" + el.getName()
+          + "' contains NO or MORE THEN ONE attribute-values. Ignore full req. attribute");
+    }
+        
+  }
+
+
+  private boolean extractBpkTarget(final EAAFRequestedAttribute el, IRequest pendingReq) {
+    if (el.getAttributeValues() != null && el.getAttributeValues().size() == 1) {
+      final String sectorId = el.getAttributeValues().get(0).getDOM().getTextContent();                
+      Map<String, String> configProps = pendingReq.getServiceProviderConfiguration().getFullConfiguration();                 
+      if (sectorId.startsWith(EAAFConstants.URN_PREFIX_EIDAS)) {
+        Logger.debug("Set eIDAS target to: " + sectorId);
+        configProps.put(
+            MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE, 
+            MOAIDConstants.IDENIFICATIONTYPE_EIDAS);
+        configProps.put(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_VALUE, 
+            sectorId.substring(EAAFConstants.URN_PREFIX_EIDAS.length()));                  
+        return true;  
+          
+      } else {
+        Logger.info("Requested sector: " + sectorId + " DOES NOT match to allowed sectors for SP: "
+            + pendingReq.getServiceProviderConfiguration().getUniqueIdentifier());
+        
+      }
+
+    } else {
+      Logger.info("Req. attribute '" + el.getName()
+          + "' contains NO or MORE THEN ONE attribute-values. Ignore full req. attribute");
+    }
+
+    return false;
+    
+  }
+
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java
index f3eaff11a..7f44c4deb 100644
--- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java
@@ -23,6 +23,7 @@
 package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.tasks;
 
 import java.io.IOException;
+import java.util.Arrays;
 import java.util.Set;
 
 import javax.servlet.http.HttpServletRequest;
@@ -64,6 +65,7 @@ import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentral
 import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.Utils;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
@@ -194,7 +196,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 				throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING});
 				
 			}
-			
+						
 			//copy attributes into MOASession
 			AuthenticationSessionWrapper session = pendingReq.getSessionData(AuthenticationSessionWrapper.class); 
 			Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames();
@@ -207,12 +209,32 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 			
 			//set foreigner flag
 			session.setForeigner(true);
+			
+			//set CCE URL
 			if (extractor.getFullAssertion().getIssuer() != null && 
 					StringUtils.isNotEmpty(extractor.getFullAssertion().getIssuer().getValue()))
 				session.setBkuURL(extractor.getFullAssertion().getIssuer().getValue());
 			else
 				session.setBkuURL("eIDAS_Authentication");
 			
+	     if (authConfig.getBasicConfigurationBoolean(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_ACTIVE, false)) {
+	        if (extractor.containsAttribute(PVPConstants.MANDATE_TYPE_NAME)) {
+	          Logger.trace("Check attributes in SEMPER eIDAS mode.");
+	          if (!extractor.containsAllRequiredAttributes(Arrays.asList(
+	              PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME,
+	              PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME,
+	              PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME))) {
+	            Logger.warn("PVP Response from 'ms-specific eIDAS node' contains not all required attributes for eIDAS SEMPER process.");
+	            throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING});
+	            
+	          }
+	          
+	          Logger.info("SEMPER mode is active and mandates are found. Activing mandates for eIDAS login ... ");
+	          session.setUseMandates(true);
+	                    
+	        }                  
+	      }
+			
 												
 		} catch (AssertionValidationExeption e) {
 			throw new BuildException("builder.06", null, e);