Merge branch 'eIDAS_node_implementation' of https://gitlab.iaik.tugraz.at/egiz/moa-idspss into eIDAS_node_implementation

author: Thomas Lenz <thomas.lenz@egiz.gv.at> 2017-09-26 21:33:33 +0200
committer: Thomas Lenz <thomas.lenz@egiz.gv.at> 2017-09-26 21:33:33 +0200
commit: 27b687ed27fad429e6fbf1b3e69c579a8f2aae16 (patch)
tree: 3cc65fc88f91073a4aaf2106ff0efade87f4fcb8 /id/server/modules/moa-id-module-eIDAS/src
parent: 4bbd3f88211399f41e8210ad3fbe5b0ea8910994 (diff)
parent: c498c2812a9f2b97da2356774527aaec0ae1f608 (diff)
download: moa-id-spss-27b687ed27fad429e6fbf1b3e69c579a8f2aae16.tar.gz
moa-id-spss-27b687ed27fad429e6fbf1b3e69c579a8f2aae16.tar.bz2
moa-id-spss-27b687ed27fad429e6fbf1b3e69c579a8f2aae16.zip
6 files changed, 71 insertions, 11 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
index c0101b553..d975b6e0a 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
@@ -69,6 +69,8 @@ public class Constants {
 	
 	public static final String CONIG_PROPS_EIDAS_METADATA_URLS_LIST_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".metadata.url";
 	
+	public static final String CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".bpk.target.";
+	
 	
 	
 	//timeouts and clock skews
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
index 6f1d75bfe..c55b5a749 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
@@ -31,7 +31,6 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.lang3.BooleanUtils;
-import org.apache.commons.lang3.StringUtils;
 import org.apache.velocity.Template;
 import org.apache.velocity.VelocityContext;
 import org.apache.velocity.app.VelocityEngine;
@@ -41,6 +40,7 @@ import org.opensaml.saml2.metadata.SingleSignOnService;
 import org.opensaml.saml2.metadata.provider.MetadataProviderException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
+import org.springframework.util.StringUtils;
 
 import com.google.common.net.MediaType;
 
@@ -306,7 +306,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
 
             context.put("RelayState", pendingReq.getRequestID());
             
-            Logger.debug("Using assertion consumer url as action: " + authnReqEndpoint.getLocation());
+            Logger.debug("Using SingleSignOnService url as action: " + authnReqEndpoint.getLocation());
             context.put("action", authnReqEndpoint.getLocation());
 
             Logger.debug("Starting template merge");
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java
index d0c003b31..bb52d2ffe 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java
@@ -168,12 +168,12 @@ public class NewMoaEidasMetadata {
 		}
 
 		private void generateDigest(Extensions eidasExtensions) throws EIDASSAMLEngineException {
-			if (!(StringUtils.isEmpty(this.params.getDigestMethods()))) {
-				Set<String> signatureMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getDigestMethods());
+			if (!(StringUtils.isEmpty(this.params.getSigningMethods()))) {
+				Set<String> signatureMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getSigningMethods());
 				Set<String> digestMethods = new HashSet();
 				for (String signatureMethod : signatureMethods) {
 					digestMethods.add(CertificateUtil.validateDigestAlgorithm(signatureMethod));
-				}
+				} 
 				for (String digestMethod : digestMethods) {
 					DigestMethod dm = (DigestMethod) BuilderFactoryUtil.buildXmlObject(DigestMethod.DEF_ELEMENT_NAME);
 					if (dm != null) {
@@ -203,7 +203,7 @@ public class NewMoaEidasMetadata {
 			generateDigest(eidasExtensions);
 
 			if (!(StringUtils.isEmpty(this.params.getSigningMethods()))) {
-				Set<String> signMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getDigestMethods());
+				Set<String> signMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getSigningMethods());
 				for (String signMethod : signMethods) {
 					SigningMethod sm = (SigningMethod) BuilderFactoryUtil
 							.buildXmlObject(SigningMethod.DEF_ELEMENT_NAME);
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
index d469ca28c..02a5df098 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
@@ -28,6 +28,7 @@ import java.net.URL;
 import java.util.HashMap;
 import java.util.Map;
 
+import org.opensaml.common.xml.SAMLSchemaBuilder;
 import org.opensaml.xml.ConfigurationException;
 import org.opensaml.xml.XMLConfigurator;
 
@@ -107,6 +108,9 @@ public class SAMLEngineUtils {
 				//overwrite eIDAS response validator suite because Condition-Valitator has not time jitter
 				initOpenSAMLConfig("own-saml-eidasnode-config.xml");
 				
+				//add eIDAS specific SAML2 extensions to eIDAS Schema validatior
+				SAMLSchemaBuilder.addExtensionSchema(
+						at.gv.egovernment.moa.util.Constants.SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION);
 				
 				eIDASEngine = engine;
 				
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
index 940b91b44..4b67370d6 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
@@ -56,6 +56,7 @@ import at.gv.egovernment.moa.id.commons.MOAIDConstants;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.IRequest;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
 import at.gv.egovernment.moa.id.moduls.RequestImpl;
 import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController;
 import at.gv.egovernment.moa.logging.Logger;
@@ -283,14 +284,22 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
 			} else {
 				String[] splittedTarget = eIDASTarget.split("\\+");
 				if (!splittedTarget[2].equalsIgnoreCase(reqCC)) {
-					Logger.error("Configuration for eIDAS-node:" + samlReq.getIssuer() 
+					Logger.debug("Configuration for eIDAS-node:" + samlReq.getIssuer() 
 						+ " Destination Country from request (" + reqCC 
-						+ ") does not match to configuration:" + eIDASTarget);
-					throw new MOAIDException("eIDAS.01", 
-							new Object[]{"Destination Country from request does not match to configuration"});
+						+ ") does not match to configuration:" + eIDASTarget
+						+ " --> Perform additional organisation check ...");
+					
+					//check if eIDAS domain for bPK calculation is a valid target  
+					if (!iseIDASTargetAValidOrganisation(reqCC, splittedTarget[2])) {						
+						throw new MOAIDException("eIDAS.01", 
+								new Object[]{"Destination Country from request does not match to configuration"});
+						
+					}
+					
 					
 				}
-				Logger.debug("CountryCode from request matches eIDAS-node configuration target");
+				Logger.debug("CountryCode from request matches eIDAS-node configuration target: " + eIDASTarget);
+				
 			}
 			
 						
@@ -439,6 +448,20 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
     public boolean validate(HttpServletRequest request, HttpServletResponse response, IRequest pending) {
         return false;
     }
+    
+    private boolean iseIDASTargetAValidOrganisation(String reqCC, String bPKTargetArea) {
+    	if (MiscUtil.isNotEmpty(reqCC)) {    	
+    		List<String> allowedOrganisations = KeyValueUtils.getListOfCSVValues(
+    				authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX + reqCC.toLowerCase()));
+    		if (allowedOrganisations.contains(bPKTargetArea)) {
+    			Logger.debug(bPKTargetArea + " is a valid OrganisationIdentifier for request-country: "+ reqCC);
+    			return true;
+    		}
+    	}
+    	
+    	Logger.info("OrganisationIdentifier: " + bPKTargetArea + " is not allowed for country: " + reqCC);
+    	return false;
+    }
 }
 
 
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd b/id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd
new file mode 100644
index 000000000..76b82a267
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:eidas="http://eidas.europa.eu/saml-extensions" targetNamespace="http://eidas.europa.eu/saml-extensions" elementFormDefault="qualified" attributeFormDefault="unqualified">
+
+	<xsd:element name="SPType" type="eidas:SPTypeType"/>
+	<xsd:simpleType name="SPTypeType">
+		<xsd:restriction base="xsd:string">
+			<xsd:enumeration value="public"/>
+			<xsd:enumeration value="private"/>
+		</xsd:restriction>
+	</xsd:simpleType>
+	
+	<xsd:element name="RequestedAttributes" type="eidas:RequestedAttributesType"/>
+	<xsd:complexType name="RequestedAttributesType">
+		<xsd:sequence>
+			<xsd:element minOccurs="0" maxOccurs="unbounded" ref="eidas:RequestedAttribute"/>
+		</xsd:sequence>
+	</xsd:complexType>
+
+	<xsd:element name="RequestedAttribute" type="eidas:RequestedAttributeType"/>
+	<xsd:complexType name="RequestedAttributeType">
+		<xsd:sequence>
+			<xsd:element name="AttributeValue" minOccurs="0" maxOccurs="unbounded" type="xsd:anyType"/>
+		</xsd:sequence>
+		<xsd:attribute name="Name" type="xsd:string" use="required"/>
+		<xsd:attribute name="NameFormat" type="xsd:anyURI" use="required" />
+		<xsd:attribute name="isRequired" type="xsd:boolean" use="required"/>
+		<xsd:attribute name="FriendlyName" type="xsd:string" use="optional"/>
+		<xsd:anyAttribute namespace="##other" processContents="lax" />
+	</xsd:complexType>
+	
+</xsd:schema>
author	Thomas Lenz <thomas.lenz@egiz.gv.at>	2017-09-26 21:33:33 +0200
committer	Thomas Lenz <thomas.lenz@egiz.gv.at>	2017-09-26 21:33:33 +0200
commit	27b687ed27fad429e6fbf1b3e69c579a8f2aae16 (patch)
tree	3cc65fc88f91073a4aaf2106ff0efade87f4fcb8 /id/server/modules/moa-id-module-eIDAS/src
parent	4bbd3f88211399f41e8210ad3fbe5b0ea8910994 (diff)
parent	c498c2812a9f2b97da2356774527aaec0ae1f608 (diff)
download	moa-id-spss-27b687ed27fad429e6fbf1b3e69c579a8f2aae16.tar.gz moa-id-spss-27b687ed27fad429e6fbf1b3e69c579a8f2aae16.tar.bz2 moa-id-spss-27b687ed27fad429e6fbf1b3e69c579a8f2aae16.zip