authorThomas Lenz <tlenz@iaik.tugraz.at>2017-02-22 09:24:36 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2017-02-22 09:24:36 +0100
commitf6acad73155af58b75709077d8dee67dab0be47e (patch)
tree2149264a3463f8709fa8e6d99f9bc10688e68423 /id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth
parent3a55eb69e5fa94d0bcc43a1732850a14e524f6cc (diff)
Refactor eIDAS attribute generation to a dynamic approach similar to the PVP attribute builder concept
The eIDAS attribute list in eIDAS metadata that contains the currently supported attributes is also generated dynamically
Diffstat (limited to 'id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth')
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java45
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java5
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/eIDASAttributeBuilder.java167
3 files changed, 169 insertions, 48 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
index eb5adcce1..36323f3a5 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
@@ -22,14 +22,9 @@
*/
package at.gv.egovernment.moa.id.auth.modules.eidas;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-
import org.apache.xml.security.signature.XMLSignature;
import org.opensaml.xml.encryption.EncryptionConstants;
import org.opensaml.xml.signature.SignatureConstants;
-//import eu.eidas.auth.engine.core.validator.eidas.EIDASAttributes;
/**
* @author tlenz
@@ -93,8 +88,6 @@ public class Constants {
//http endpoint descriptions
public static final String eIDAS_HTTP_ENDPOINT_SP_POST = "/eidas/sp/post";
public static final String eIDAS_HTTP_ENDPOINT_SP_REDIRECT = "/eidas/sp/redirect";
- //public static final String eIDAS_HTTP_ENDPOINT_IDP_POST = "/eidas/idp/post";
- //public static final String eIDAS_HTTP_ENDPOINT_IDP_REDIRECT = "/eidas/idp/redirect";
public static final String eIDAS_HTTP_ENDPOINT_IDP_COLLEAGUEREQUEST = "/eidas/ColleagueRequest";
public static final String eIDAS_HTTP_ENDPOINT_METADATA = "/eidas/metadata";
@@ -104,44 +97,6 @@ public class Constants {
public static final int eIDAS_REVERSIONSLOG_IDP_AUTHREQUEST = 3401;
public static final int eIDAS_REVERSIONSLOG_IDP_AUTHRESPONSE = 3402;
- //metadata constants
-// public final static Map<String, EidasAttributesTypes> METADATA_POSSIBLE_ATTRIBUTES = Collections.unmodifiableMap(
-// new HashMap<String, EidasAttributesTypes>(){
-// private static final long serialVersionUID = 1L;
-// {
-// put(EIDASAttributes.ATTRIBUTE_GIVENNAME, EidasAttributesTypes.NATURAL_PERSON_MANDATORY);
-// put(EIDASAttributes.ATTRIBUTE_FIRSTNAME, EidasAttributesTypes.NATURAL_PERSON_MANDATORY);
-// put(EIDASAttributes.ATTRIBUTE_DATEOFBIRTH, EidasAttributesTypes.NATURAL_PERSON_MANDATORY);
-// put(EIDASAttributes.ATTRIBUTE_PERSONIDENTIFIER, EidasAttributesTypes.NATURAL_PERSON_MANDATORY);
-//
-// //TODO: add additional attributes for eIDAS with mandates
-// //put(EIDASAttributes.ATTRIBUTE_LEGALIDENTIFIER, EidasAttributesTypes.LEGAL_PERSON_MANDATORY);
-// //put(EIDASAttributes.ATTRIBUTE_LEGALNAME, EidasAttributesTypes.LEGAL_PERSON_MANDATORY);
-// }
-// }
-// );
-
- //eIDAS attributes that can be provided by MOA-ID
- public static final List<String> MOA_IDP_SUPPORTED_eIDAS_ATTRIBUTES;
- static {
- List<String> supportAttrList = new ArrayList<String>();
- //natural person attributes that can be provided by MOA-ID
- supportAttrList.add(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.PERSON_IDENTIFIER.getNameUri().toString());
- supportAttrList.add(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.CURRENT_FAMILY_NAME.getNameUri().toString());
- supportAttrList.add(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.CURRENT_GIVEN_NAME.getNameUri().toString());
- supportAttrList.add(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.DATE_OF_BIRTH.getNameUri().toString());
-
- //legal person attributes that can be provided by MOA-ID
- supportAttrList.add(eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri().toString());
- supportAttrList.add(eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_NAME.getNameUri().toString());
-
- //additionl person attributes that can be provided by MOA-ID
- //supportAttrList.add("http://ehn/attributes/ehealth/patientidentifier");
-
- MOA_IDP_SUPPORTED_eIDAS_ATTRIBUTES = Collections.unmodifiableList(supportAttrList);
-
- }
-
public static final String METADATA_ALLOWED_ALG_DIGIST =
SignatureConstants.ALGO_ID_DIGEST_SHA256 + ";" +
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java
index 1bebdebbf..9d397074b 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java
@@ -77,7 +77,6 @@ import org.slf4j.LoggerFactory;
import com.google.common.collect.ImmutableSortedSet;
import com.google.common.collect.Ordering;
-import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import eu.eidas.auth.commons.EIDASUtil;
import eu.eidas.auth.commons.EidasStringUtil;
@@ -305,8 +304,8 @@ public class MOAeIDASMetadataGenerator extends MetadataGenerator {
public ImmutableSortedSet<AttributeDefinition<?>> getAllSupportedAttributes() {
ImmutableSortedSet.Builder<AttributeDefinition<?>> builder =
new ImmutableSortedSet.Builder<>(Ordering.<AttributeDefinition<?>>natural());
-
- for (String attr : Constants.MOA_IDP_SUPPORTED_eIDAS_ATTRIBUTES) {
+
+ for (String attr : eIDASAttributeBuilder.getAllProvideableeIDASAttributes()) {
AttributeDefinition<?> supAttr = params.getIdpEngine().getProtocolProcessor().getAttributeDefinitionNullable(attr);
builder.add(supAttr);
}
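Review bot: `getAttributeDefinitionNullable(attr)` is, as its name suggests, allowed to return null for a name the protocol processor does not know, and `builder.add(supAttr)` on an `ImmutableSortedSet.Builder` rejects null elements with a NullPointerException; now that the names come from ServiceLoader-discovered modules instead of a fixed constant list, a single module whose `getName()` does not match an engine attribute definition breaks metadata generation for all attributes. Guard the add with `if (supAttr != null) builder.add(supAttr);` and log the unknown attribute name at warn level so the misconfigured module is visible instead of taking the metadata endpoint down. getAllSupportedAttributes continues past the end of the hunk.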
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/eIDASAttributeBuilder.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/eIDASAttributeBuilder.java
new file mode 100644
index 000000000..1f34a912d
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/eIDASAttributeBuilder.java
@@ -0,0 +1,167 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eidas.utils;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Iterator;
+import java.util.List;
+import java.util.ServiceLoader;
+
+import com.google.common.collect.ImmutableSet;
+
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.Pair;
+import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator;
+import at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.IeIDASAttribute;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+import eu.eidas.auth.commons.attribute.AttributeDefinition;
+import eu.eidas.auth.commons.attribute.AttributeDefinition.Builder;
+import eu.eidas.auth.commons.attribute.AttributeValue;
+import eu.eidas.auth.commons.attribute.AttributeValueMarshaller;
+import eu.eidas.auth.commons.attribute.AttributeValueMarshallingException;
+
+/**
+ * @author tlenz
+ *
+ */
+public class eIDASAttributeBuilder extends PVPAttributeBuilder {
+ private static IAttributeGenerator<String> generator = new SimpleEidasAttributeGenerator();
+
+ private static List<String> listOfSupportedeIDASAttributes;
+ private static ServiceLoader<IeIDASAttribute> eIDASAttributLoader =
+ ServiceLoader.load(IeIDASAttribute.class);
+
+ static {
+ List<String> supportAttrList = new ArrayList<String>();
+
+ Logger.info("Select eIDAS attributes that are corrently providable:");
+ if (eIDASAttributLoader != null ) {
+ Iterator<IeIDASAttribute> moduleLoaderInterator = eIDASAttributLoader.iterator();
+ while (moduleLoaderInterator.hasNext()) {
+ try {
+ IeIDASAttribute modul = moduleLoaderInterator.next();
+ Logger.info("Loading eIDAS attribut-builder Modul Information: " + modul.getName());
+ supportAttrList.add(modul.getName());
+
+ } catch(Throwable e) {
+ Logger.error("Check configuration! " + "Some attribute-builder modul" +
+ " is not a valid IAttributeBuilder", e);
+ }
+ }
+ }
+
+ listOfSupportedeIDASAttributes = Collections.unmodifiableList(supportAttrList);
+ Logger.info("Selection of providable eIDAS attributes done");
+
+ }
+
+ public static List<String> getAllProvideableeIDASAttributes() {
+ return listOfSupportedeIDASAttributes;
+ }
+
+ /**
+ *
+ * @param attr
+ * @param onlineApplicationConfiguration
+ * @param authData
+ * @return
+ */
+ public static Pair<AttributeDefinition<?>,ImmutableSet<AttributeValue<?>>> buildAttribute(AttributeDefinition<?> attr, IOAAuthParameters onlineApplicationConfiguration,
+ IAuthData authData) {
+
+ String attrName = attr.getNameUri().toString();
+ Logger.trace("Build eIDAS attribute: "+ attrName);
+
+
+ IAttributeBuilder attrBuilder = getAttributeBuilder(attrName);
+ if (attrBuilder != null) {
+ try {
+ String attrValue = attrBuilder.build(onlineApplicationConfiguration, authData, generator);
+ if (MiscUtil.isNotEmpty(attrValue)) {
+ //set uniqueIdentifier attribute, because eIDAS SAMLEngine use this flag to select the
+ // Subject->NameID value from this attribute
+ Builder<?> eIDASAttrBuilder = AttributeDefinition.builder(attr);
+ eIDASAttrBuilder.uniqueIdentifier(evaluateUniqueID(attrName, authData.isUseMandate()));
+ AttributeDefinition<?> returnAttr = eIDASAttrBuilder.build();
+
+ //unmarshal attribute value into eIDAS attribute
+ AttributeValueMarshaller<?> attributeValueMarshaller = returnAttr.getAttributeValueMarshaller();
+ ImmutableSet.Builder<AttributeValue<?>> builder = ImmutableSet.builder();
+
+ AttributeValue<?> attributeValue = null;
+ try {
+ attributeValue = attributeValueMarshaller.unmarshal(attrValue, false);
+ builder.add(attributeValue);
+
+ } catch (AttributeValueMarshallingException e) {
+ throw new IllegalStateException(e);
+
+ }
+
+ return Pair.newInstance(returnAttr, builder.build());
+
+ }
+
+ } catch (AttributeException e) {
+ Logger.debug("Attribute can not generate requested attribute:" + attr.getNameUri().toString() + " Reason:" + e.getMessage());
+
+ }
+
+ } else
+ Logger.warn("NO attribute builder FOUND for eIDAS attr: " + attrName);
+
+ return null;
+ }
+
+ /**
+ * This method use the information from authenticated session and
+ * evaluate the uniqueID flag according to eIDAS specification
+ *
+ * @param attrName eIDAS attribute name that is evaluated
+ * @param useMandate flag that indicates if the current authenticated session includes a mandate
+ * @return true if eIDAS attribute holds the unique ID, otherwise false
+ */
+ private static boolean evaluateUniqueID(String attrName, boolean useMandate) {
+ //if no mandate is used the natural person identifier is the unique ID
+ if (!useMandate &&
+ attrName.equals(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.PERSON_IDENTIFIER.getNameUri().toString()))
+ return true;
+
+ //if mandates are used the the legal person identifier or the natural person identifier of the mandator is the unique ID
+ else if (useMandate &&
+ attrName.equals(eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri().toString()))
+ return true;
+
+ //TODO: implement flag selector for mandates and natural persons
+
+
+ return false;
+ }
+
+}
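Review bot: The static initializer guards only `next()`, but `ServiceLoader`'s `hasNext()` also throws `ServiceConfigurationError` when a provider-configuration file cannot be read or parsed, and that escapes the loop as an `ExceptionInInitializerError` which leaves eIDASAttributeBuilder unusable for the rest of the JVM's lifetime — wrap the iteration itself so the attributes collected so far are kept (`ServiceConfigurationError` comes from java.util). The catch message says "is not a valid IAttributeBuilder" although the loader discovers `IeIDASAttribute`, and the `eIDASAttributLoader != null` check is dead because `ServiceLoader.load` never returns null. In buildAttribute the `throw new IllegalStateException(e)` on an unmarshalling failure carries no attribute name; `throw new IllegalStateException("Can not unmarshal value of eIDAS attribute " + attrName, e);` makes the failing response diagnosable from the log. The TODO in evaluateUniqueID should be noted as behaviour, not just intent: with `useMandate` true and no LEGAL_PERSON_IDENTIFIER in the response, no attribute is flagged as unique identifier, which presumably affects the NameID the SAMLEngine derives — worth a warn-level log until the mandator case is implemented.
```java
static {
	List<String> supportAttrList = new ArrayList<String>();

	Logger.info("Select eIDAS attributes that are corrently providable:");
	Iterator<IeIDASAttribute> moduleLoaderInterator = eIDASAttributLoader.iterator();
	try {
		while (moduleLoaderInterator.hasNext()) {
			// … unchanged: try { next(); log; add } catch(Throwable) { log } …
		}
	} catch (ServiceConfigurationError e) {
		// hasNext() failed while reading a provider-configuration file; keep what was loaded so far
		Logger.error("Check configuration! Some eIDAS attribute-builder module is not a valid IeIDASAttribute", e);
	}

	// … unchanged: unmodifiableList and final log line …
}
```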