aboutsummaryrefslogtreecommitdiff
path: root/id/server/modules/moa-id-module-eIDAS
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2016-01-13 14:05:48 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2016-01-13 14:05:48 +0100
commit0247b654a6278acff55999e8b6318a6db4354510 (patch)
tree048356df9df6c0fe55ff368a3d75bfc238281a4e /id/server/modules/moa-id-module-eIDAS
parent28884c5d5ee4685aaf88309b1b6b340b65ffbe86 (diff)
downloadmoa-id-spss-0247b654a6278acff55999e8b6318a6db4354510.tar.gz
moa-id-spss-0247b654a6278acff55999e8b6318a6db4354510.tar.bz2
moa-id-spss-0247b654a6278acff55999e8b6318a6db4354510.zip
reimplement eIDAS metadata provider which use MOA-SP to verify metadata
Diffstat (limited to 'id/server/modules/moa-id-module-eIDAS')
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java184
1 files changed, 165 insertions, 19 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java
index 2aec81db5..a8099f42e 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java
@@ -1,50 +1,196 @@
package at.gv.egovernment.moa.id.auth.modules.eidas.engine;
import java.security.KeyStore;
+import java.util.Timer;
+import javax.net.ssl.SSLHandshakeException;
+
+import org.apache.commons.httpclient.MOAHttpClient;
+import org.apache.commons.httpclient.params.HttpClientParams;
+import org.apache.commons.lang.StringUtils;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.saml2.metadata.RoleDescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.xml.parse.BasicParserPool;
+import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
+import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
+import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
+import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
+import at.gv.egovernment.moa.id.saml2.MetadataFilterChain;
import at.gv.egovernment.moa.logging.Logger;
import eu.eidas.auth.engine.EIDASSAMLEngine;
-import eu.eidas.auth.engine.metadata.SimpleMetadataProcessor;
+import eu.eidas.auth.engine.metadata.MetadataProcessorI;
import eu.eidas.engine.exceptions.SAMLEngineException;
-public class MOAeIDASSimpleMetadataProvider extends SimpleMetadataProcessor {
+public class MOAeIDASSimpleMetadataProvider implements MetadataProcessorI {
+ /* (non-Javadoc)
+ * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getEntityDescriptor(java.lang.String)
+ */
@Override
- public EntityDescriptor getEntityDescriptor(String url) {
- EntityDescriptor entityDescriptor=getEntityDescriptorHelper(url);
-
- if(Logger.isDebugEnabled()){
- Logger.debug("got entityDescriptor: " + entityDescriptor);
+ public EntityDescriptor getEntityDescriptor(String url)
+ throws SAMLEngineException {
+ EntityDescriptor entityDescriptor=null;
+ try {
+ if (StringUtils.isNotEmpty(url)) {
+ HTTPMetadataProvider provider = createNewHTTPMetaDataProvider(url);
+ entityDescriptor = provider.getEntityDescriptor(url);
+
+ } else {
+ throw new MetadataProviderException("the metadata url parameter is null or empty");
+
+ }
+ } catch (MetadataProviderException mpe) {
+ Logger.error("error getting a metadataprovider {}", mpe);
+
}
return entityDescriptor;
+
}
+ /* (non-Javadoc)
+ * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getSPSSODescriptor(java.lang.String)
+ */
@Override
- public SPSSODescriptor getSPSSODescriptor(String url) throws SAMLEngineException {
+ public SPSSODescriptor getSPSSODescriptor(String url)
+ throws SAMLEngineException {
return getFirstRoleDescriptor(getEntityDescriptor(url), SPSSODescriptor.class);
}
+ /* (non-Javadoc)
+ * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getIDPSSODescriptor(java.lang.String)
+ */
@Override
- public IDPSSODescriptor getIDPSSODescriptor(String url) throws SAMLEngineException {
+ public IDPSSODescriptor getIDPSSODescriptor(String url)
+ throws SAMLEngineException {
return getFirstRoleDescriptor(getEntityDescriptor(url), IDPSSODescriptor.class);
}
- @Override
- public void checkValidMetadataSignature(String url, EIDASSAMLEngine engine) throws SAMLEngineException {
- //TODO: implement Metadata signature validation
- Logger.warn("MetadataProcessor in demo SP does not actually check the signature of metadata");
-
- }
- @Override
- public void checkValidMetadataSignature(String url, KeyStore store) throws SAMLEngineException {
- //not implemented
-
+ /* (non-Javadoc)
+ * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#checkValidMetadataSignature(java.lang.String, eu.eidas.auth.engine.EIDASSAMLEngine)
+ */
+ @Override
+ public void checkValidMetadataSignature(String url, EIDASSAMLEngine engine)
+ throws SAMLEngineException {
+ //Do nothing, because metadata signature is already validated during
+ //metadata provider initialization
+
+ }
+
+ /* (non-Javadoc)
+ * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#checkValidMetadataSignature(java.lang.String, java.security.KeyStore)
+ */
+ @Override
+ public void checkValidMetadataSignature(String url, KeyStore trustStore)
+ throws SAMLEngineException {
+ //Do nothing, because metadata signature is already validated during
+ //metadata provider initialization
+
+ }
+
+ protected <T extends RoleDescriptor> T getFirstRoleDescriptor(EntityDescriptor entityDescriptor, final Class<T> clazz){
+ for(RoleDescriptor rd:entityDescriptor.getRoleDescriptors()){
+ if(clazz.isInstance(rd)){
+ return (T)rd;
+ }
+ }
+ return null;
}
+
+ private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL) {
+ HTTPMetadataProvider httpProvider = null;
+ Timer timer= null;
+ MOAHttpClient httpClient = null;
+ try {
+ AuthConfiguration authConfig = AuthConfigurationProviderFactory.getInstance();
+
+ httpClient = new MOAHttpClient();
+
+ HttpClientParams httpClientParams = new HttpClientParams();
+ httpClientParams.setSoTimeout(Constants.CONFIG_PROPS_METADATA_SOCKED_TIMEOUT);
+ httpClient.setParams(httpClientParams);
+
+ if (metadataURL.startsWith("https:")) {
+ try {
+ MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
+ PVPConstants.SSLSOCKETFACTORYNAME,
+ authConfig.getCertstoreDirectory(),
+ authConfig.getTrustedCACertificates(),
+ null,
+ AuthConfiguration.DEFAULT_X509_CHAININGMODE,
+ authConfig.isTrustmanagerrevoationchecking());
+
+ httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory);
+
+ } catch (MOAHttpProtocolSocketFactoryException e) {
+ Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.");
+
+ }
+ }
+
+ timer = new Timer();
+ httpProvider = new HTTPMetadataProvider(timer, httpClient,
+ metadataURL);
+ httpProvider.setParserPool(new BasicParserPool());
+ httpProvider.setRequireValidMetadata(true);
+ httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes
+ httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours
+ //httpProvider.setRefreshDelayFactor(0.1F);
+
+ //add Metadata filters
+ MetadataFilterChain filter = new MetadataFilterChain();
+ filter.addFilter(new MOAeIDASMetadataSignatureFilter(
+ authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE)));
+ httpProvider.setMetadataFilter(filter);
+
+ httpProvider.initialize();
+
+
+ return httpProvider;
+
+ } catch (Throwable e) {
+ if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) {
+ Logger.warn("SSL-Server certificate for metadata "
+ + metadataURL + " not trusted.", e);
+
+ } if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) {
+ Logger.warn("Signature verification for metadata"
+ + metadataURL + " FAILED.", e);
+
+ } if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) {
+ Logger.warn("Schema validation for metadata "
+ + metadataURL + " FAILED.", e);
+ }
+
+ Logger.error(
+ "Failed to add Metadata file for "
+ + metadataURL + "[ "
+ + e.getMessage() + " ]", e);
+
+ if (httpProvider != null) {
+ Logger.debug("Destroy failed Metadata provider");
+ httpProvider.destroy();
+ }
+
+ if (timer != null) {
+ Logger.debug("Destroy Timer.");
+ timer.cancel();
+ }
+
+
+ }
+
+ return null;
+ }
}