Merge branch 'eIDAS_node_implementation' into development_preview

author: Thomas Lenz <tlenz@iaik.tugraz.at> 2017-10-17 15:04:49 +0200
committer: Thomas Lenz <tlenz@iaik.tugraz.at> 2017-10-17 15:04:49 +0200
commit: 92834aed9d97772a0d37330b9c60aee18374c759 (patch)
tree: 30adff7052c6eca919aed447a9640522b2c94c3d /id/server/modules/moa-id-module-eIDAS/src/main/java/at
parent: 698a0066e84dee07f0f8de8aa408d9744f755660 (diff)
parent: 7c5d84f1f4054d2c85207364d5d996c4ec6fe1f8 (diff)
download: moa-id-spss-92834aed9d97772a0d37330b9c60aee18374c759.tar.gz
moa-id-spss-92834aed9d97772a0d37330b9c60aee18374c759.tar.bz2
moa-id-spss-92834aed9d97772a0d37330b9c60aee18374c759.zip
5 files changed, 109 insertions, 28 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
index c0101b553..d975b6e0a 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
@@ -69,6 +69,8 @@ public class Constants {
 	
 	public static final String CONIG_PROPS_EIDAS_METADATA_URLS_LIST_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".metadata.url";
 	
+	public static final String CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".bpk.target.";
+	
 	
 	
 	//timeouts and clock skews
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
index 6f1d75bfe..154006ed8 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
@@ -31,7 +31,6 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.lang3.BooleanUtils;
-import org.apache.commons.lang3.StringUtils;
 import org.apache.velocity.Template;
 import org.apache.velocity.VelocityContext;
 import org.apache.velocity.app.VelocityEngine;
@@ -41,6 +40,7 @@ import org.opensaml.saml2.metadata.SingleSignOnService;
 import org.opensaml.saml2.metadata.provider.MetadataProviderException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
+import org.springframework.util.StringUtils;
 
 import com.google.common.net.MediaType;
 
@@ -227,7 +227,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
 			authnRequestBuilder.levelOfAssuranceComparison(LevelOfAssuranceComparison.MINIMUM);
 			
 			//set correct SPType for this online application
-			if (oaConfig.getBusinessService())
+			if (oaConfig.hasBaseIdTransferRestriction())
 				authnRequestBuilder.spType(SpType.PRIVATE.getValue());
 			else
 				authnRequestBuilder.spType(SpType.PUBLIC.getValue());
@@ -306,7 +306,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
 
             context.put("RelayState", pendingReq.getRequestID());
             
-            Logger.debug("Using assertion consumer url as action: " + authnReqEndpoint.getLocation());
+            Logger.debug("Using SingleSignOnService url as action: " + authnReqEndpoint.getLocation());
             context.put("action", authnReqEndpoint.getLocation());
 
             Logger.debug("Starting template merge");
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
index 940b91b44..1ce900ebb 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
@@ -56,6 +56,7 @@ import at.gv.egovernment.moa.id.commons.MOAIDConstants;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.IRequest;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
 import at.gv.egovernment.moa.id.moduls.RequestImpl;
 import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController;
 import at.gv.egovernment.moa.logging.Logger;
@@ -269,7 +270,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
 			
 			//validate request country-code against eIDAS node config
 			String reqCC = samlReq.getOriginCountryCode();
-			String eIDASTarget = oaConfig.getIdentityLinkDomainIdentifier();
+			String eIDASTarget = oaConfig.getAreaSpecificTargetIdentifier();
 
 			//validate eIDAS target
 			Pattern pattern = Pattern.compile("^" + at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS 
@@ -283,14 +284,22 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
 			} else {
 				String[] splittedTarget = eIDASTarget.split("\\+");
 				if (!splittedTarget[2].equalsIgnoreCase(reqCC)) {
-					Logger.error("Configuration for eIDAS-node:" + samlReq.getIssuer() 
+					Logger.debug("Configuration for eIDAS-node:" + samlReq.getIssuer() 
 						+ " Destination Country from request (" + reqCC 
-						+ ") does not match to configuration:" + eIDASTarget);
-					throw new MOAIDException("eIDAS.01", 
-							new Object[]{"Destination Country from request does not match to configuration"});
+						+ ") does not match to configuration:" + eIDASTarget
+						+ " --> Perform additional organisation check ...");
+					
+					//check if eIDAS domain for bPK calculation is a valid target  
+					if (!iseIDASTargetAValidOrganisation(reqCC, splittedTarget[2])) {						
+						throw new MOAIDException("eIDAS.01", 
+								new Object[]{"Destination Country from request does not match to configuration"});
+						
+					}
+					
 					
 				}
-				Logger.debug("CountryCode from request matches eIDAS-node configuration target");
+				Logger.debug("CountryCode from request matches eIDAS-node configuration target: " + eIDASTarget);
+				
 			}
 			
 						
@@ -439,6 +448,20 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
     public boolean validate(HttpServletRequest request, HttpServletResponse response, IRequest pending) {
         return false;
     }
+    
+    private boolean iseIDASTargetAValidOrganisation(String reqCC, String bPKTargetArea) {
+    	if (MiscUtil.isNotEmpty(reqCC)) {    	
+    		List<String> allowedOrganisations = KeyValueUtils.getListOfCSVValues(
+    				authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX + reqCC.toLowerCase()));
+    		if (allowedOrganisations.contains(bPKTargetArea)) {
+    			Logger.debug(bPKTargetArea + " is a valid OrganisationIdentifier for request-country: "+ reqCC);
+    			return true;
+    		}
+    	}
+    	
+    	Logger.info("OrganisationIdentifier: " + bPKTargetArea + " is not allowed for country: " + reqCC);
+    	return false;
+    }
 }
 
 
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java
index c008048cb..ea5a002e0 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java
@@ -22,7 +22,13 @@
  */
 package at.gv.egovernment.moa.id.protocols.eidas.attributes.builder;
 
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator;
 import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateLegalPersonSourcePinAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
 
 /**
  * @author tlenz
@@ -31,6 +37,31 @@ import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateLegalPersonS
 public class eIDASAttrLegalPersonIdentifier extends MandateLegalPersonSourcePinAttributeBuilder implements IeIDASAttribute {
 
 	@Override
+	public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
+			IAttributeGenerator<ATT> g) throws AttributeException {
+		if(authData.isUseMandate()) {
+			
+			//extract eIDAS unique Id prefix from naturalPerson bPK identifier
+			if (MiscUtil.isEmpty(authData.getBPKType())
+					|| !authData.getBPKType().startsWith(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS)) {
+				Logger.error("BPKType is empty or does not start with eIDAS bPKType prefix! bPKType:" + authData.getBPKType());
+				throw new AttributeException("Suspect bPKType for eIDAS identifier generation");
+				
+			} 
+			
+			//add eIDAS eID prefix to legal person identifier
+			String prefix = authData.getBPKType().substring(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS.length() + 1);
+			String legalPersonID = prefix.replaceAll("\\+", "/") + "/" + getLegalPersonIdentifierFromMandate(authData);						
+			return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, 
+					MANDATE_LEG_PER_SOURCE_PIN_NAME, legalPersonID);
+			
+		}
+		
+		return null;
+				
+	}
+	
+	@Override
 	public String getName() {
 		return eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri().toString();
 	}	
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
index d0cda38c7..b91bbde9e 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
@@ -77,6 +77,8 @@ public class eIDASAuthenticationRequest implements IAction {
 	@Autowired protected MOAReversionLogger revisionsLogger;
 	@Autowired(required=true) MOAeIDASChainingMetadataProvider eIDASMetadataProvider;
 	
+
+	
 	@Override
 	public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException {
 		EIDASData eidasRequest;
@@ -91,29 +93,32 @@ public class eIDASAuthenticationRequest implements IAction {
 		//gather attributes
 		ImmutableAttributeMap reqAttributeList = (ImmutableAttributeMap) eidasRequest.getEidasRequestedAttributes();		
 		ImmutableAttributeMap.Builder attrMapBuilder = ImmutableAttributeMap.builder();
-
-		//generate eIDAS attributes
-		for(AttributeDefinition<?> attr : reqAttributeList.getDefinitions()) {
-			Pair<AttributeDefinition<?>, ImmutableSet<AttributeValue<?>>> eIDASAttr = eIDASAttributeBuilder.buildAttribute(
-					attr, req.getOnlineApplicationConfiguration(), authData);
-						
-			if(eIDASAttr == null) {				
-				if (attr.isRequired()) {
-					Logger.info("eIDAS Attr:" + attr.getNameUri() + " is marked as 'Required' but not available.");
-					throw new MOAIDException("eIDAS.15", new Object[]{attr.getFriendlyName()});
-										
-				} else
-					Logger.info("eIDAS Attr:" + attr.getNameUri() + " is not available.");	
 				
-			} else {
-				//add attribute to Map
-				attrMapBuilder.put(
-						(AttributeDefinition)eIDASAttr.getFirst(), 
-						(ImmutableSet)eIDASAttr.getSecond());
+		//generate eIDAS attributes
+		for(AttributeDefinition<?> attr : reqAttributeList.getDefinitions())
+			buildAndAddAttribute(attrMapBuilder, attr, eidasRequest, authData);
+
+		
+		//Check if Mandate attributes are requested if mandates was used
+		if (authData.isUseMandate()) { 
+			if (reqAttributeList.getDefinitionByNameUri(
+						eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri()) == null) {
+			Logger.info("Citzen perfom authentication with mandates but no mandate attribute are included. --> Add mandate attribute 'LEGAL_PERSON_IDENTIFIER'");
+			buildAndAddAttribute(attrMapBuilder, eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER, eidasRequest, authData);
+					
+			}
+			
+			if (reqAttributeList.getDefinitionByNameUri(
+					eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_NAME.getNameUri()) == null) {
+				Logger.info("Citzen perfom authentication with mandates but no mandate attribute are included. --> Add mandate attribute 'LEGAL_NAME'");
+				buildAndAddAttribute(attrMapBuilder, eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_NAME, eidasRequest, authData);
 				
 			}
 		}
 		
+		//build final attibute set
+		ImmutableAttributeMap eIDASAttrbutMap = attrMapBuilder.build();
+		
 		// construct eIDaS response
 		AuthenticationResponse.Builder responseBuilder = new AuthenticationResponse.Builder();
 		
@@ -127,7 +132,7 @@ public class eIDASAuthenticationRequest implements IAction {
 		responseBuilder.levelOfAssurance(authData.getEIDASQAALevel());
 		
 		//add attributes
-		responseBuilder.attributes(attrMapBuilder.build());
+		responseBuilder.attributes(eIDASAttrbutMap);
 		
 		//set success statuscode
 		responseBuilder.statusCode(StatusCode.SUCCESS_URI);
@@ -221,6 +226,26 @@ public class eIDASAuthenticationRequest implements IAction {
 		return "eIDAS_AuthnRequest";
 	}
 
+	private void buildAndAddAttribute(ImmutableAttributeMap.Builder attrMapBuilder, AttributeDefinition<?> attr, IRequest req, IAuthData authData) throws MOAIDException {
+		Pair<AttributeDefinition<?>, ImmutableSet<AttributeValue<?>>> eIDASAttr = eIDASAttributeBuilder.buildAttribute(
+				attr, req.getOnlineApplicationConfiguration(), authData);
+					
+		if(eIDASAttr == null) {				
+			if (attr.isRequired()) {
+				Logger.info("eIDAS Attr:" + attr.getNameUri() + " is marked as 'Required' but not available.");
+				throw new MOAIDException("eIDAS.15", new Object[]{attr.getFriendlyName()});
+									
+			} else
+				Logger.info("eIDAS Attr:" + attr.getNameUri() + " is not available.");	
+			
+		} else {
+			//add attribute to Map
+			attrMapBuilder.put(
+					(AttributeDefinition)eIDASAttr.getFirst(), 
+					(ImmutableSet)eIDASAttr.getSecond());
+			
+		}			
+	}
author	Thomas Lenz <tlenz@iaik.tugraz.at>	2017-10-17 15:04:49 +0200
committer	Thomas Lenz <tlenz@iaik.tugraz.at>	2017-10-17 15:04:49 +0200
commit	92834aed9d97772a0d37330b9c60aee18374c759 (patch)
tree	30adff7052c6eca919aed447a9640522b2c94c3d /id/server/modules/moa-id-module-eIDAS/src/main/java/at
parent	698a0066e84dee07f0f8de8aa408d9744f755660 (diff)
parent	7c5d84f1f4054d2c85207364d5d996c4ec6fe1f8 (diff)
download	moa-id-spss-92834aed9d97772a0d37330b9c60aee18374c759.tar.gz moa-id-spss-92834aed9d97772a0d37330b9c60aee18374c759.tar.bz2 moa-id-spss-92834aed9d97772a0d37330b9c60aee18374c759.zip