diff options
| author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-09-08 14:32:14 +0200 |
|---|---|---|
| committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-09-08 14:32:14 +0200 |
| commit | 656b8b4910798dec7b253ea8f4b7dbec77715012 (patch) | |
| tree | fe4298ebd26461fbf9ea89a3f4cd984e11713f27 /id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols | |
| parent | a512ce06caa134ea978ca54a87a8b78d5c10bf1c (diff) | |
| download | moa-id-spss-656b8b4910798dec7b253ea8f4b7dbec77715012.tar.gz moa-id-spss-656b8b4910798dec7b253ea8f4b7dbec77715012.tar.bz2 moa-id-spss-656b8b4910798dec7b253ea8f4b7dbec77715012.zip | |
update eIDAS bPK target validation
Diffstat (limited to 'id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols')
| -rw-r--r-- | id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java | 33 |
1 files changed, 28 insertions, 5 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java index 940b91b44..4b67370d6 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java @@ -56,6 +56,7 @@ import at.gv.egovernment.moa.id.commons.MOAIDConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils; import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController; import at.gv.egovernment.moa.logging.Logger; @@ -283,14 +284,22 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { } else { String[] splittedTarget = eIDASTarget.split("\\+"); if (!splittedTarget[2].equalsIgnoreCase(reqCC)) { - Logger.error("Configuration for eIDAS-node:" + samlReq.getIssuer() + Logger.debug("Configuration for eIDAS-node:" + samlReq.getIssuer() + " Destination Country from request (" + reqCC - + ") does not match to configuration:" + eIDASTarget); - throw new MOAIDException("eIDAS.01", - new Object[]{"Destination Country from request does not match to configuration"}); + + ") does not match to configuration:" + eIDASTarget + + " --> Perform additional organisation check ..."); + + //check if eIDAS domain for bPK calculation is a valid target + if (!iseIDASTargetAValidOrganisation(reqCC, splittedTarget[2])) { + throw new MOAIDException("eIDAS.01", + new Object[]{"Destination Country from request does not match to configuration"}); + + } + } - Logger.debug("CountryCode from request matches eIDAS-node configuration target"); + Logger.debug("CountryCode from request matches eIDAS-node configuration target: " + eIDASTarget); + } @@ -439,6 +448,20 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { public boolean validate(HttpServletRequest request, HttpServletResponse response, IRequest pending) { return false; } + + private boolean iseIDASTargetAValidOrganisation(String reqCC, String bPKTargetArea) { + if (MiscUtil.isNotEmpty(reqCC)) { + List<String> allowedOrganisations = KeyValueUtils.getListOfCSVValues( + authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX + reqCC.toLowerCase())); + if (allowedOrganisations.contains(bPKTargetArea)) { + Logger.debug(bPKTargetArea + " is a valid OrganisationIdentifier for request-country: "+ reqCC); + return true; + } + } + + Logger.info("OrganisationIdentifier: " + bPKTargetArea + " is not allowed for country: " + reqCC); + return false; + } } |