change MOA eIDAS metadata provider to a cached version as chaining metadata provider

author: Thomas Lenz <tlenz@iaik.tugraz.at> 2016-01-13 16:54:50 +0100
committer: Thomas Lenz <tlenz@iaik.tugraz.at> 2016-01-13 16:54:50 +0100
commit: 587d9f326ce905f9b60fda37af747df5dfcb33ec (patch)
tree: 6d67a9f1feab9f90acb64592f2a9d8ec8db7121b /id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
parent: 5eee67461938a372665b71c7ff9f6365450c01b5 (diff)
download: moa-id-spss-587d9f326ce905f9b60fda37af747df5dfcb33ec.tar.gz
moa-id-spss-587d9f326ce905f9b60fda37af747df5dfcb33ec.tar.bz2
moa-id-spss-587d9f326ce905f9b60fda37af747df5dfcb33ec.zip
1 files changed, 290 insertions, 0 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
new file mode 100644
index 000000000..4d6cd62fa
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
@@ -0,0 +1,290 @@
+package at.gv.egovernment.moa.id.auth.modules.eidas.engine;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Timer;
+
+import javax.net.ssl.SSLHandshakeException;
+import javax.xml.namespace.QName;
+
+import org.apache.commons.httpclient.MOAHttpClient;
+import org.apache.commons.httpclient.params.HttpClientParams;
+import org.opensaml.saml2.metadata.EntitiesDescriptor;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.RoleDescriptor;
+import org.opensaml.saml2.metadata.provider.ChainingMetadataProvider;
+import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.saml2.metadata.provider.MetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.saml2.metadata.provider.ObservableMetadataProvider;
+import org.opensaml.xml.XMLObject;
+
+import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
+import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
+import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
+import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
+import at.gv.egovernment.moa.id.saml2.MetadataFilterChain;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+import eu.eidas.auth.engine.AbstractSAMLEngine;
+
+public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvider {
+
+	private static MOAeIDASChainingMetadataProvider instance = null;
+	private static Object mutex = new Object();
+	
+	private MetadataProvider internalProvider;
+	
+	
+	public static MOAeIDASChainingMetadataProvider getInstance() {
+		if (instance == null) {
+			synchronized (mutex) {
+				if (instance == null) {
+					instance = new MOAeIDASChainingMetadataProvider();
+				}
+			}
+		}
+		return instance;
+	}
+	
+	
+	private MOAeIDASChainingMetadataProvider() {
+		internalProvider = new ChainingMetadataProvider();
+		
+	}
+	    
+	private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL) {
+		HTTPMetadataProvider httpProvider = null;
+		Timer timer= null;
+		MOAHttpClient httpClient = null;
+		try {
+			AuthConfiguration authConfig = AuthConfigurationProviderFactory.getInstance();
+			
+			httpClient = new MOAHttpClient();
+			
+			HttpClientParams httpClientParams = new HttpClientParams();
+			httpClientParams.setSoTimeout(Constants.CONFIG_PROPS_METADATA_SOCKED_TIMEOUT);
+			httpClient.setParams(httpClientParams);
+			
+			if (metadataURL.startsWith("https:")) {
+				try {
+					MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
+							PVPConstants.SSLSOCKETFACTORYNAME, 
+							authConfig.getCertstoreDirectory(), 
+							authConfig.getTrustedCACertificates(),
+							null,
+							AuthConfiguration.DEFAULT_X509_CHAININGMODE, 
+							authConfig.isTrustmanagerrevoationchecking());
+					
+					httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory);
+
+				} catch (MOAHttpProtocolSocketFactoryException e) {
+					Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.");
+					
+				}
+			}
+			
+			timer = new Timer();
+			httpProvider = new HTTPMetadataProvider(timer, httpClient, 
+					metadataURL);
+			httpProvider.setParserPool(AbstractSAMLEngine.getNewBasicSecuredParserPool());
+			httpProvider.setRequireValidMetadata(true);
+			httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes
+			httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours
+			//httpProvider.setRefreshDelayFactor(0.1F);
+			
+			//add Metadata filters
+			MetadataFilterChain filter = new MetadataFilterChain();
+			filter.addFilter(new MOAeIDASMetadataSignatureFilter(
+					authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE)));
+			httpProvider.setMetadataFilter(filter);
+			
+			httpProvider.initialize();
+									
+			return httpProvider;
+						
+		} catch (Throwable e) {			
+			if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) {
+				Logger.warn("SSL-Server certificate for metadata " 
+						+ metadataURL + " not trusted.", e);
+				
+			} if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) {				
+				Logger.warn("Signature verification for metadata" 
+						+ metadataURL + " FAILED.", e);
+			
+			} if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) {
+				Logger.warn("Schema validation for metadata " 
+						+ metadataURL + " FAILED.", e);								
+			}
+			
+			Logger.error(
+					"Failed to add Metadata file for "
+							+ metadataURL + "[ "
+							+ e.getMessage() + " ]", e);
+						
+			if (httpProvider != null) {
+				Logger.debug("Destroy failed Metadata provider");
+				httpProvider.destroy();
+			}
+			
+			if (timer != null) {
+				Logger.debug("Destroy Timer.");
+				timer.cancel();
+			}
+
+			
+		}
+		
+		return null;	
+	}
+
+	private Map<String, HTTPMetadataProvider> getAllActuallyLoadedProviders() {
+		Map<String, HTTPMetadataProvider> loadedproviders = new HashMap<String, HTTPMetadataProvider>();
+		ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;
+		
+		//make a Map of all actually loaded HTTPMetadataProvider
+		List<MetadataProvider> providers = chainProvider.getProviders();
+		for (MetadataProvider provider : providers) {
+			if (provider instanceof HTTPMetadataProvider) {
+				HTTPMetadataProvider httpprovider = (HTTPMetadataProvider) provider;
+				loadedproviders.put(httpprovider.getMetadataURI(), httpprovider);
+
+			}
+		}
+		
+		return loadedproviders;		
+	}
+	
+	public boolean refreshMetadataProvider(String metadataURL) {
+		try {
+			if (MiscUtil.isNotEmpty(metadataURL)) {
+				Map<String, HTTPMetadataProvider> actuallyLoadedProviders = getAllActuallyLoadedProviders();
+
+				// check if MetadataProvider is actually loaded
+				if (actuallyLoadedProviders.containsKey(metadataURL)) {
+					actuallyLoadedProviders.get(metadataURL).refresh();						
+					Logger.info("eIDAS metadata for " 
+							+ metadataURL + " is refreshed.");
+					return true;
+					
+				} else {
+					//load new Metadata Provider				
+					ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;						
+					HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL);					
+					chainProvider.addMetadataProvider(newMetadataProvider);
+					
+					emitChangeEvent();
+					Logger.info("eIDAS metadata for " 
+							+ metadataURL + " is added.");
+					return true;
+										
+				}
+														
+			} else
+				Logger.debug("Can not refresh eIDAS metadata: NO eIDAS metadata URL.");
+																								
+		} catch (MetadataProviderException e) {
+			Logger.warn("Refresh eIDAS metadata for " 
+					+ metadataURL + " FAILED.", e);
+			
+		}
+		
+		return false;
+		
+	}
+	
+
+	public boolean requireValidMetadata() {
+		return internalProvider.requireValidMetadata();
+	}
+
+	public void setRequireValidMetadata(boolean requireValidMetadata) {
+		internalProvider.setRequireValidMetadata(requireValidMetadata);
+	}
+
+	public MetadataFilter getMetadataFilter() {
+		return internalProvider.getMetadataFilter();
+	}
+
+	public void setMetadataFilter(MetadataFilter newFilter)
+			throws MetadataProviderException {
+		internalProvider.setMetadataFilter(newFilter);
+	}
+
+	public XMLObject getMetadata() throws MetadataProviderException {
+		return internalProvider.getMetadata();
+	}
+
+	public EntitiesDescriptor getEntitiesDescriptor(String entitiesID)
+			throws MetadataProviderException {
+		Logger.warn("eIDAS metadata not support 'EntitiesDescriptor' elements!");		
+		return null;
+		
+	}
+
+	public EntityDescriptor getEntityDescriptor(String entityID)
+			throws MetadataProviderException {
+		EntityDescriptor entityDesc = null;
+		try {
+			entityDesc = internalProvider.getEntityDescriptor(entityID);
+			if (entityDesc == null) {
+				Logger.debug("Can not find eIDAS metadata for entityID: " + entityID 
+						+ " Start refreshing process ...");
+				if (refreshMetadataProvider(entityID))
+					return internalProvider.getEntityDescriptor(entityID);
+									
+			} else {
+				if (!entityDesc.isValid())
+					if (refreshMetadataProvider(entityID))
+						return internalProvider.getEntityDescriptor(entityID);
+									
+			}
+			
+			
+		} catch (MetadataProviderException e) {
+			Logger.debug("Can not find eIDAS metadata for entityID: " + entityID 
+					+ " Start refreshing process ...");
+			if (refreshMetadataProvider(entityID))
+				return internalProvider.getEntityDescriptor(entityID);
+			
+		}
+		
+		return entityDesc;
+	}
+
+	public List<RoleDescriptor> getRole(String entityID, QName roleName)
+			throws MetadataProviderException {
+		return internalProvider.getRole(entityID, roleName);
+	}
+
+	public RoleDescriptor getRole(String entityID, QName roleName,
+			String supportedProtocol) throws MetadataProviderException {
+		return internalProvider.getRole(entityID, roleName, supportedProtocol);
+	}
+
+	/* (non-Javadoc)
+	 * @see org.opensaml.saml2.metadata.provider.ObservableMetadataProvider#getObservers()
+	 */
+	@Override
+	public List<Observer> getObservers() {
+		return ((ChainingMetadataProvider) internalProvider).getObservers();
+	}
+
+	protected void emitChangeEvent() {
+		if ((getObservers() == null) || (getObservers().size() == 0)) {
+			return;
+		}
+
+		List<Observer> tempObserverList = new ArrayList<Observer>(getObservers());
+		for (ObservableMetadataProvider.Observer observer : tempObserverList)
+			if (observer != null)
+				observer.onEvent(this);
+	}
+}
author	Thomas Lenz <tlenz@iaik.tugraz.at>	2016-01-13 16:54:50 +0100
committer	Thomas Lenz <tlenz@iaik.tugraz.at>	2016-01-13 16:54:50 +0100
commit	587d9f326ce905f9b60fda37af747df5dfcb33ec (patch)
tree	6d67a9f1feab9f90acb64592f2a9d8ec8db7121b /id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
parent	5eee67461938a372665b71c7ff9f6365450c01b5 (diff)
download	moa-id-spss-587d9f326ce905f9b60fda37af747df5dfcb33ec.tar.gz moa-id-spss-587d9f326ce905f9b60fda37af747df5dfcb33ec.tar.bz2 moa-id-spss-587d9f326ce905f9b60fda37af747df5dfcb33ec.zip