aboutsummaryrefslogtreecommitdiff
path: root/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2018-07-13 15:48:17 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2018-07-13 15:48:17 +0200
commit158d41705d0f8c67a858e84bda8d2c16377cf288 (patch)
tree8b75f57ff92112e0922f055b595f1800f3bf40af /id/server/modules/moa-id-module-AT_eIDAS_connector/src/main
parent017ecef03e90c176e040de1c39836f1a81d66b73 (diff)
downloadmoa-id-spss-158d41705d0f8c67a858e84bda8d2c16377cf288.tar.gz
moa-id-spss-158d41705d0f8c67a858e84bda8d2c16377cf288.tar.bz2
moa-id-spss-158d41705d0f8c67a858e84bda8d2c16377cf288.zip
some bug fixes
Diffstat (limited to 'id/server/modules/moa-id-module-AT_eIDAS_connector/src/main')
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java50
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java34
-rw-r--r--id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/Utils.java45
3 files changed, 83 insertions, 46 deletions
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java
index c3c3331e1..c1229e3ff 100644
--- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java
@@ -29,7 +29,6 @@ import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.apache.commons.lang3.StringUtils;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.metadata.EntityDescriptor;
@@ -40,21 +39,20 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import at.gv.egiz.eaaf.core.api.data.PVPAttributeDefinitions;
-import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask;
-import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils;
import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute;
import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPAttributeBuilder;
import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;
+import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnRequestBuildException;
import at.gv.egiz.eaaf.modules.pvp2.sp.impl.PVPAuthnRequestBuilder;
import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.config.EidasCentralAuthRequestBuilderConfiguration;
import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthCredentialProvider;
import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthMetadataProvider;
-import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.Utils;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
import at.gv.egovernment.moa.logging.Logger;
@@ -92,7 +90,7 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask {
}
// get entityID for central ms-specific eIDAS node
- String msNodeEntityID = getCentraleIDASNodeEntityId(pendingReq.getServiceProviderConfiguration());
+ String msNodeEntityID = Utils.getCentraleIDASNodeEntityId(pendingReq.getServiceProviderConfiguration(), authConfig);
if (MiscUtil.isEmpty(msNodeEntityID)) {
@@ -149,48 +147,24 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask {
throw new TaskExecutionException(pendingReq, e.getMessage(), e);
} catch (MetadataProviderException e) {
- throw new TaskExecutionException(pendingReq, "Build PVP2.1 AuthnRequest to connect 'ms-specific eIDAS node' FAILED.", e);
+
+ throw new TaskExecutionException(pendingReq,
+ "Build PVP2.1 AuthnRequest to connect 'ms-specific eIDAS node' FAILED.",
+ new AuthnRequestBuildException("sp.pvp2.02", new Object[] {"'national central eIDASNode'"},e ));
} catch (MessageEncodingException | NoSuchAlgorithmException | SecurityException e) {
- Logger.error("Build PVP2.1 AuthnRequest for SSO inderfederation FAILED", e);
- throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+ Logger.error("Build PVP2.1 AuthnRequest to connect 'ms-specific eIDAS node' FAILED", e);
+ throw new TaskExecutionException(pendingReq,
+ e.getMessage(),
+ new AuthnRequestBuildException("sp.pvp2.13", new Object[] {"'national central eIDASNode'"},e ));
} catch (Exception e) {
- Logger.error("Build PVP2.1 AuthnRequest for SSO inderfederation FAILED", e);
+ Logger.error("Build PVP2.1 AuthnRequest to connect 'ms-specific eIDAS node' FAILED", e);
throw new TaskExecutionException(pendingReq, e.getMessage(), e);
}
}
- private String getCentraleIDASNodeEntityId(ISPConfiguration spConfiguration) {
- //load from service-provider configuration
- String msNodeEntityID = spConfiguration.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_EXTERNAL_CENTRAL_EIDASNODE_SERVICE_URL);
-
- if (StringUtils.isEmpty(msNodeEntityID)) {
- Logger.debug("No SP-specific central eIDAS-node URL. Switch to general configuration ... ");
- if (authConfig instanceof AuthConfiguration) {
- AuthConfiguration moaAuthConfig = (AuthConfiguration)authConfig;
- List<String> configuratedEntityIDs = KeyValueUtils.getListOfCSVValues(
- moaAuthConfig.getConfigurationWithKey(MOAIDConfigurationConstants.GENERAL_AUTH_SERVICES_CENTRAL_EIDASNODE_URL));
-
- if (configuratedEntityIDs.size() > 0)
- msNodeEntityID = configuratedEntityIDs.get(0);
- else
- Logger.info("No central eIDAS-node URL in IDP configuration. Switch to backup configuration ... ");
-
- } else
- Logger.info("Basic configuration is NOT of type '" + AuthConfiguration.class.getName()
- + "' Switch to generic Type ... ");
-
-
- if (StringUtils.isEmpty(msNodeEntityID))
- msNodeEntityID = authConfig.getBasicConfiguration(EidasCentralAuthConstants.CONFIG_PROPS_NODE_ENTITYID);
-
- }
-
- return msNodeEntityID;
- }
-
private List<EAAFRequestedAttribute> buildRequestedAttributes() {
List<EAAFRequestedAttribute> attributs = new ArrayList<EAAFRequestedAttribute>();
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java
index c034dc95e..f3eaff11a 100644
--- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java
@@ -29,6 +29,7 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.transform.TransformerException;
+import org.apache.commons.lang3.StringUtils;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.ws.message.decoder.MessageDecodingException;
@@ -55,10 +56,12 @@ import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionValidationExeption;
import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnResponseValidationException;
import at.gv.egiz.eaaf.modules.pvp2.sp.impl.utils.AssertionAttributeExtractor;
import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionWrapper;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthCredentialProvider;
import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthMetadataProvider;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.Utils;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
@@ -129,7 +132,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
PVPSProfileResponse processedMsg = preProcessAuthResponse((PVPSProfileResponse) msg);
//validate entityId of response
- String msNodeEntityID = authConfig.getBasicConfiguration(EidasCentralAuthConstants.CONFIG_PROPS_NODE_ENTITYID);
+ String msNodeEntityID = Utils.getCentraleIDASNodeEntityId(pendingReq.getServiceProviderConfiguration(), authConfig);
String respEntityId = msg.getEntityID();
if (!msNodeEntityID.equals(respEntityId)) {
Logger.warn("Response Issuer is not a 'ms-specific eIDAS node'. Stopping eIDAS authentication ...");
@@ -155,23 +158,28 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
} catch (MessageDecodingException | SecurityException e) {
String samlRequest = request.getParameter("SAMLRequest");
Logger.warn("Receive INVALID PVP Response from 'ms-specific eIDAS node': " + samlRequest, e);
- throw new TaskExecutionException(pendingReq, "Receive INVALID PVP Response from federated IDP", e);
+ throw new TaskExecutionException(pendingReq, "Receive INVALID PVP Response from federated IDP",
+ new AuthnResponseValidationException("sp.pvp2.11", new Object[] {"'national central eIDASNode'"}, e));
} catch (IOException | MarshallingException | TransformerException e) {
Logger.warn("Processing PVP response from 'ms-specific eIDAS node' FAILED.", e);
- throw new TaskExecutionException(pendingReq, "Processing PVP response from 'ms-specific eIDAS node' FAILED.", e);
+ throw new TaskExecutionException(pendingReq, "Processing PVP response from 'ms-specific eIDAS node' FAILED.",
+ new AuthnResponseValidationException("sp.pvp2.12", new Object[] {"'national central eIDASNode'", e.getMessage()}, e));
} catch (CredentialsNotAvailableException e) {
Logger.error("PVP response decrytion FAILED. No credential found.", e);
- throw new TaskExecutionException(pendingReq, "PVP response decrytion FAILED. No credential found.", e);
+ throw new TaskExecutionException(pendingReq, "PVP response decrytion FAILED. No credential found.",
+ new AuthnResponseValidationException("sp.pvp2.10", new Object[] {"'national central eIDASNode'"}, e));
} catch (AssertionValidationExeption | AuthnResponseValidationException e) {
Logger.info("PVP response validation FAILED. Msg:" + e.getMessage());
- throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", e);
+ throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.",
+ new AuthnResponseValidationException("sp.pvp2.10", new Object[] {"'national central eIDASNode'"}, e));
} catch (Exception e) {
Logger.warn("PVP response validation FAILED. Msg:" + e.getMessage(), e);
- throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", e);
+ throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.",
+ new AuthnResponseValidationException("sp.pvp2.12", new Object[] {"'national central eIDASNode'", e.getMessage()}, e));
}
@@ -182,19 +190,29 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
//check if all attributes are include
if (!extractor.containsAllRequiredAttributes()
&& !extractor.containsAllRequiredAttributes(EidasCentralAuthConstants.DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES)) {
- Logger.warn("PVP Response from federated IDP contains not all requested attributes.");
+ Logger.warn("PVP Response from 'ms-specific eIDAS node' contains not all requested attributes.");
throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING});
}
//copy attributes into MOASession
+ AuthenticationSessionWrapper session = pendingReq.getSessionData(AuthenticationSessionWrapper.class);
Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames();
for (String el : includedAttrNames) {
String value = extractor.getSingleAttributeValue(el);
- pendingReq.setGenericDataToSession(el, value);
+ session.setGenericDataToSession(el, value);
Logger.debug("Add PVP-attribute " + el + " into MOASession");
}
+
+ //set foreigner flag
+ session.setForeigner(true);
+ if (extractor.getFullAssertion().getIssuer() != null &&
+ StringUtils.isNotEmpty(extractor.getFullAssertion().getIssuer().getValue()))
+ session.setBkuURL(extractor.getFullAssertion().getIssuer().getValue());
+ else
+ session.setBkuURL("eIDAS_Authentication");
+
} catch (AssertionValidationExeption e) {
throw new BuildException("builder.06", null, e);
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/Utils.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/Utils.java
new file mode 100644
index 000000000..642008726
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/Utils.java
@@ -0,0 +1,45 @@
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils;
+
+import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
+
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
+import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
+import at.gv.egovernment.moa.logging.Logger;
+
+public class Utils {
+
+ public static String getCentraleIDASNodeEntityId(ISPConfiguration spConfiguration, IConfiguration authConfig) {
+ //load from service-provider configuration
+ String msNodeEntityID = spConfiguration.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_EXTERNAL_CENTRAL_EIDASNODE_SERVICE_URL);
+
+ if (StringUtils.isEmpty(msNodeEntityID)) {
+ Logger.debug("No SP-specific central eIDAS-node URL. Switch to general configuration ... ");
+ if (authConfig instanceof AuthConfiguration) {
+ AuthConfiguration moaAuthConfig = (AuthConfiguration)authConfig;
+ List<String> configuratedEntityIDs = KeyValueUtils.getListOfCSVValues(
+ moaAuthConfig.getConfigurationWithKey(MOAIDConfigurationConstants.GENERAL_AUTH_SERVICES_CENTRAL_EIDASNODE_URL));
+
+ if (configuratedEntityIDs.size() > 0)
+ msNodeEntityID = configuratedEntityIDs.get(0);
+ else
+ Logger.info("No central eIDAS-node URL in IDP configuration. Switch to backup configuration ... ");
+
+ } else
+ Logger.info("Basic configuration is NOT of type '" + AuthConfiguration.class.getName()
+ + "' Switch to generic Type ... ");
+
+
+ if (StringUtils.isEmpty(msNodeEntityID))
+ msNodeEntityID = authConfig.getBasicConfiguration(EidasCentralAuthConstants.CONFIG_PROPS_NODE_ENTITYID);
+
+ }
+
+ return msNodeEntityID;
+ }
+}