move authentication protocol implementation to separate modules.

authentication protocol modules are loaded by SPI now.

1 files changed, 213 insertions, 0 deletions

diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
new file mode 100644
index 000000000..d90df51e7
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
@@ -0,0 +1,213 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.protocol;
+
+import java.security.SignatureException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.UUID;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
+import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.SLOInformationImpl;
+import at.gv.egovernment.moa.id.data.SLOInformationInterface;
+import at.gv.egovernment.moa.id.moduls.IAction;
+import at.gv.egovernment.moa.id.moduls.IRequest;
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject;
+import at.gv.egovernment.moa.id.protocols.oauth20.Pair;
+import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OAuth20AttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OpenIdExpirationTimeAttribute;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ResponseTypeException;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ServerErrorException;
+import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuth20SignatureUtil;
+import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthJsonToken;
+import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthSigner;
+import at.gv.egovernment.moa.id.storage.AssertionStorage;
+import at.gv.egovernment.moa.id.util.Random;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+class OAuth20AuthAction implements IAction {
+	
+	public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp,
+			IAuthData authData) throws MOAIDException {
+		
+		OAuth20AuthRequest oAuthRequest = (OAuth20AuthRequest) req;		
+		String responseType = oAuthRequest.getResponseType();
+		
+		MOAReversionLogger.getInstance().logEvent(req, MOAIDEventConstants.AUTHPROTOCOL_OPENIDCONNECT_AUTHREQUEST);
+		
+		String code = Random.nextRandom();		
+				
+		try {
+			
+			String accessToken = UUID.randomUUID().toString();
+			
+			Logger.debug("Stored session with id: " + code);
+			OAuth20SessionObject o = new OAuth20SessionObject();
+			if (responseType.equals(OAuth20Constants.RESPONSE_CODE)) {
+				o.setScope(oAuthRequest.getScope());
+				o.setCode(code);
+				
+				//generate idToken from MOASession
+				Map<String, Object> idToken = generateIDToken(o, oAuthRequest, authData, accessToken);
+				o.setAuthDataSession(idToken);
+				
+			} else if (responseType.equals(OAuth20Constants.RESPONSE_TOKEN)) {
+				throw new OAuth20ResponseTypeException();
+			}
+			
+			// store data in oath session			
+			AssertionStorage.getInstance().put(code, o);
+			
+			Logger.debug("Saved OAuth20SessionObject in session with id: " + code);
+			
+			// add code and state to redirect url
+			httpResp.setStatus(HttpServletResponse.SC_FOUND);
+			String redirectURI = oAuthRequest.getRedirectUri();
+			String state = oAuthRequest.getState();
+			
+			redirectURI = this.addURLParameter(redirectURI, OAuth20Constants.RESPONSE_CODE, code);
+			redirectURI = this.addURLParameter(redirectURI, OAuth20Constants.PARAM_STATE, state);
+			
+			String finalUrl = redirectURI;
+			httpResp.addHeader("Location", finalUrl);
+			Logger.debug("REDIRECT TO: " + finalUrl.toString());
+			
+			
+			//TODO: maybe add bPK / wbPK to SLO information
+			SLOInformationInterface sloInformation = new SLOInformationImpl(accessToken, null, null, req.requestedModule());
+			
+			return sloInformation;
+		}
+		catch (Exception e) {
+
+			//remove OAuthSessionObject if it already exists
+			if (AssertionStorage.getInstance().containsKey(code)) {
+				AssertionStorage.getInstance().remove(code);
+			}
+			
+			if (e instanceof OAuth20Exception) {
+				throw (OAuth20Exception) e;
+			}
+			throw new OAuth20ServerErrorException();
+		}
+		
+	}
+	
+	private Map<String, Object> generateIDToken(OAuth20SessionObject auth20SessionObject, 
+			OAuth20AuthRequest oAuthRequest, IAuthData authData, String accessToken) throws SignatureException, MOAIDException {
+		
+		// create response
+		Map<String, Object> params = new HashMap<String, Object>();
+		params.put(OAuth20Constants.RESPONSE_ACCESS_TOKEN, accessToken);
+		params.put(OAuth20Constants.RESPONSE_TOKEN_TYPE, OAuth20Constants.RESPONSE_TOKEN_TYPE_VALUE_BEARER);
+		params.put(OAuth20Constants.RESPONSE_EXPIRES_IN, OpenIdExpirationTimeAttribute.expirationTime);		
+		// build id token and scope
+		Pair<String, String> pair = buildIdToken(auth20SessionObject.getScope(), oAuthRequest,
+				authData);
+		Logger.debug("RESPONSE ID_TOKEN: " + pair.getFirst());
+		params.put(OAuth20Constants.RESPONSE_ID_TOKEN, pair.getFirst());
+		Logger.debug("RESPONSE SCOPE: " + pair.getSecond());
+		params.put(OAuth20Constants.PARAM_SCOPE, pair.getSecond());
+		
+		return params;
+		
+	}
+	
+	private Pair<String, String> buildIdToken(String scope, OAuth20AuthRequest oAuthRequest, IAuthData authData)
+			throws MOAIDException, SignatureException {
+		OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(oAuthRequest.getOAURL());
+		
+		OAuthSigner signer = OAuth20SignatureUtil.loadSigner(authData.getIssuer());
+		OAuthJsonToken token = new OAuthJsonToken(signer);
+		
+		StringBuilder resultScopes = new StringBuilder();
+		// always fill with open id
+		OAuth20AttributeBuilder.addScopeOpenId(token.getPayloadAsJsonObject(), oaParam, authData, oAuthRequest);
+		resultScopes.append("openId");
+		
+		for (String s : scope.split(" ")) {
+			if (s.equalsIgnoreCase("profile")) {
+				OAuth20AttributeBuilder.addScopeProfile(token.getPayloadAsJsonObject(), oaParam, authData);
+				resultScopes.append(" profile");
+			} else if (s.equalsIgnoreCase("eID")) {
+				OAuth20AttributeBuilder.addScopeEID(token.getPayloadAsJsonObject(), oaParam, authData);
+				resultScopes.append(" eID");
+			} else if (s.equalsIgnoreCase("eID_gov")) {
+				OAuth20AttributeBuilder.addScopeEIDGov(token.getPayloadAsJsonObject(), oaParam, authData);
+				resultScopes.append(" eID_gov");
+			} else if (s.equalsIgnoreCase("mandate")) {
+				OAuth20AttributeBuilder.addScopeMandate(token.getPayloadAsJsonObject(), oaParam, authData);
+				resultScopes.append(" mandate");
+			} else if (s.equalsIgnoreCase("stork")) {
+				OAuth20AttributeBuilder.addScopeSTORK(token.getPayloadAsJsonObject(), oaParam, authData);
+				resultScopes.append(" stork");
+			}
+		}
+		
+		// add properties and sign
+		// HmacSHA256Signer signer = new HmacSHA256Signer("testSigner", "key_id",
+		// "super_secure_pwd".getBytes());
+		// Signer signer = OAuth20Util.loadSigner(authData.getIssuer(), oaParam.getoAuth20Config());
+		
+		return Pair.newInstance(token.serializeAndSign(), resultScopes.toString());
+	}
+	
+	/*
+	 * (non-Javadoc)
+	 * @see
+	 * at.gv.egovernment.moa.id.moduls.IAction#needAuthentication(at.gv.egovernment.moa.id.moduls
+	 * .IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+	 */
+	public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp) {
+		return true;
+	}
+	
+	private String addURLParameter(String url, String name, String value) {
+		String param = name + "=" + value;
+		if (url.indexOf("?") < 0) {
+			return url + "?" + param;
+		} else {
+			return url + "&" + param;
+		}
+	}
+	
+	/*
+	 * (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.moduls.IAction#getDefaultActionName()
+	 */
+	public String getDefaultActionName() {
+		return OAuth20Protocol.AUTH_ACTION;
+	}
+	
+}