diff options
author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2018-06-05 10:46:41 +0200 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2018-06-05 10:46:41 +0200 |
commit | cd5cef47db73c85cbb2defdec3b283655fdc859b (patch) | |
tree | 97a3f3ba121babcc4850b5048e63aee831399676 /id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks | |
parent | 84a55fe8bec3924102bd2217f7e39e7a698f2829 (diff) | |
download | moa-id-spss-cd5cef47db73c85cbb2defdec3b283655fdc859b.tar.gz moa-id-spss-cd5cef47db73c85cbb2defdec3b283655fdc859b.tar.bz2 moa-id-spss-cd5cef47db73c85cbb2defdec3b283655fdc859b.zip |
update SL20 implementation
Diffstat (limited to 'id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks')
3 files changed, 78 insertions, 104 deletions
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java index 763454639..26283cab2 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java @@ -4,7 +4,6 @@ import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; -import java.util.Map.Entry; import javax.net.ssl.SSLSocketFactory; import javax.servlet.http.HttpServletRequest; @@ -17,6 +16,7 @@ import org.apache.http.client.methods.HttpPost; import org.apache.http.client.utils.URIBuilder; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.message.BasicNameValuePair; +import org.jose4j.base64url.Base64Url; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; @@ -39,7 +39,6 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.utils.HttpClientWithProxySupport; -import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.id.util.SSLUtils; @@ -62,7 +61,7 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask { IOAAuthParameters oaConfig = pendingReq.getOnlineApplicationConfiguration(); //get basic configuration parameters - String vdaQualeIDUrl = extractVDAURLForSpecificOA(oaConfig); + String vdaQualeIDUrl = extractVDAURLForSpecificOA(oaConfig, executionContext); if (MiscUtil.isEmpty(vdaQualeIDUrl)) { Logger.error("NO VDA URL for qualified eID (" + Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT + ")"); throw new SL20Exception("sl20.03", new Object[]{"NO VDA URL for qualified eID"}); @@ -83,17 +82,21 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask { //build qualifiedeID command Map<String, String> qualifiedeIDParams = new HashMap<String, String>(); qualifiedeIDParams.put(SL20Constants.SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPUNIQUEID, oaConfig.getPublicURLPrefix()); - qualifiedeIDParams.put(SL20Constants.SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPFRIENDLYNAME, oaConfig.getFriendlyName()); + qualifiedeIDParams.put(SL20Constants.SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPFRIENDLYNAME, oaConfig.getFriendlyName()); + qualifiedeIDParams.put(SL20Constants.SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPCOUNTRYCODE, "AT"); //qualifiedeIDParams.put(SL20Constants.SL20_COMMAND_PARAM_EID_ATTRIBUTES_MANDATEREFVALUE, UUID.randomUUID().toString()); + //TODO: JsonObject qualeIDCommandParams = SL20JSONBuilderUtils.createQualifiedeIDCommandParameters( authBlockId, dataURL, qualifiedeIDParams, - joseTools.getEncryptionCertificate()); + //joseTools.getEncryptionCertificate()); + null); //String qualeIDReqId = UUID.randomUUID().toString(); - String qualeIDReqId = SAML2Utils.getSecureIdentifier(); + //TODO: work-Around for A-trust + String qualeIDReqId = SAML2Utils.getSecureIdentifier().substring(0, 12); String signedQualeIDCommand = SL20JSONBuilderUtils.createSignedCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID, qualeIDCommandParams, joseTools); JsonObject sl20Req = SL20JSONBuilderUtils.createGenericRequest(qualeIDReqId, null, null, signedQualeIDCommand); @@ -105,19 +108,21 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask { sslFactory, authConfig.getBasicMOAIDConfigurationBoolean(AuthConfiguration.PROP_KEY_OVS_SSL_HOSTNAME_VALIDATION, true)); - //build post request + //build http POST request HttpPost httpReq = new HttpPost(new URIBuilder(vdaQualeIDUrl).build()); - httpReq.addHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE, SL20Constants.HTTP_HEADER_VALUE_NATIVE); List<NameValuePair> parameters = new ArrayList<NameValuePair>();; - - //correct one - //parameters.add(new BasicNameValuePair(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, Base64Url.encode(sl20Req.toString().getBytes()))); - - //A-Trust current version - parameters.add(new BasicNameValuePair(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM_OLD, sl20Req.toString())); + parameters.add(new BasicNameValuePair(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, Base64Url.encode(sl20Req.toString().getBytes()))); httpReq.setEntity(new UrlEncodedFormEntity(parameters )); + //build http GET request +// URIBuilder sl20ReqUri = new URIBuilder(vdaQualeIDUrl); +// sl20ReqUri.addParameter(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, Base64Url.encode(sl20Req.toString().getBytes())); +// HttpGet httpReq = new HttpGet(sl20ReqUri.build()); + //set native client header + httpReq.addHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE, SL20Constants.HTTP_HEADER_VALUE_NATIVE); + + Logger.trace("Request VDA via SL20 with: " + Base64Url.encode(sl20Req.toString().getBytes())); //request VDA HttpResponse httpResp = httpClient.execute(httpReq); @@ -190,26 +195,40 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask { } - private String extractVDAURLForSpecificOA(IOAAuthParameters oaConfig) { - Map<String, String> listOfVDAs = authConfig.getBasicMOAIDConfigurationWithPrefix(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST); - Map<String, String> listOfSPs = authConfig.getBasicMOAIDConfigurationWithPrefix(Constants.CONFIG_PROP_SP_LIST); + private String extractVDAURLForSpecificOA(IOAAuthParameters oaConfig, ExecutionContext executionContext) { - for (Entry<String, String> el : listOfSPs.entrySet()) { - List<String> spEntityIds = KeyValueUtils.getListOfCSVValues(el.getValue()); - if (spEntityIds.contains(oaConfig.getPublicURLPrefix())) { - Logger.trace("Select VDA endPoint with Id: " + el.getKey()); - if (listOfVDAs.containsKey(el.getKey())) - return listOfVDAs.get(el.getKey()); - - else - Logger.info("No VDA endPoint with Id: " + el.getKey()); - - } else - Logger.trace("SP list: " + el.getKey() + " does not contain OAIdentifier: " + oaConfig.getPublicURLPrefix()); + //selection based on EntityID +// Map<String, String> listOfVDAs = authConfig.getBasicMOAIDConfigurationWithPrefix(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST); +// Map<String, String> listOfSPs = authConfig.getBasicMOAIDConfigurationWithPrefix(Constants.CONFIG_PROP_SP_LIST); +// +// for (Entry<String, String> el : listOfSPs.entrySet()) { +// List<String> spEntityIds = KeyValueUtils.getListOfCSVValues(el.getValue()); +// if (spEntityIds.contains(oaConfig.getPublicURLPrefix())) { +// Logger.trace("Select VDA endPoint with Id: " + el.getKey()); +// if (listOfVDAs.containsKey(el.getKey())) +// return listOfVDAs.get(el.getKey()); +// +// else +// Logger.info("No VDA endPoint with Id: " + el.getKey()); +// +// } else +// Logger.trace("SP list: " + el.getKey() + " does not contain OAIdentifier: " + oaConfig.getPublicURLPrefix()); +// +// } + + //selection based on request Header + String sl20VDATypeHeader = (String) executionContext.get(SL20Constants.HTTP_HEADER_SL20_VDA_TYPE.toLowerCase()); + if (MiscUtil.isNotEmpty(sl20VDATypeHeader)) { + String vdaURL = authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST + sl20VDATypeHeader); + if (MiscUtil.isNotEmpty(vdaURL)) + return vdaURL.trim(); + else + Logger.info("Can NOT find VDA with Id: " + sl20VDATypeHeader + ". Use default VDA"); + } - Logger.debug("NO SP specific VDA endpoint found. Use default VDA"); + Logger.info("NO SP specific VDA endpoint found. Use default VDA"); return authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT); } diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java index b7fe579a3..357ecb6ec 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java @@ -12,6 +12,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.http.entity.ContentType; +import org.jose4j.base64url.Base64Url; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; @@ -37,6 +38,7 @@ import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.util.MiscUtil; +import at.gv.egovernment.moa.util.StreamUtils; import at.gv.egovernment.moaspss.logging.Logger; @@ -55,17 +57,30 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask { try { //get SL2.0 command or result from HTTP request Map<String, String> reqParams = getParameters(request); - String sl20Result = reqParams.get(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM); + String sl20Result = reqParams.get(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM); + if (MiscUtil.isEmpty(sl20Result)) { - Logger.info("NO SL2.0 commando or result FOUND."); - throw new SL20Exception("sl20.04", null); + + //TODO: remove + //Workaround for SIC Handy-Signature, because it sends result in InputStream + String test = StreamUtils.readStream(request.getInputStream(), "UTF-8"); + if (MiscUtil.isNotEmpty(test)) { + Logger.info("Use SIC Handy-Signature work-around!"); + sl20Result = test.substring("slcommand=".length()); + + } else { + Logger.info("NO SL2.0 commando or result FOUND."); + throw new SL20Exception("sl20.04", null); + } } - + + Logger.trace("Received SL2.0 result: " + sl20Result); + //parse SL2.0 command/result into JSON try { JsonParser jsonParser = new JsonParser(); - JsonElement sl20Req = jsonParser.parse(sl20Result); + JsonElement sl20Req = jsonParser.parse(Base64Url.decodeToUtf8String(sl20Result)); sl20ReqObj = sl20Req.getAsJsonObject(); } catch (JsonSyntaxException e) { @@ -111,16 +126,13 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask { JsonElement qualeIDResult = SL20JSONExtractorUtils.extractSL20Result( payLoad, joseTools, authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_DISABLE_EID_ENCRYPTION, true)); - + //extract attributes from result - String idlB64 = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(), - SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL, true); - String authBlockB64 = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(), - SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, true); - String ccsURL = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(), - SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_CCSURL, true); - String LoA = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(), - SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_LOA, true); + Map<String, String> eIDData = SL20JSONExtractorUtils.getMapOfStringElements(qualeIDResult); + String idlB64 = eIDData.get(SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL); + String authBlockB64 = eIDData.get(SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK); + String ccsURL = eIDData.get(SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_CCSURL); + String LoA = eIDData.get(SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_LOA); //cache qualified eID data into pending request pendingReq.setGenericDataToSession( @@ -233,6 +245,7 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask { redirectTwoCommand, null); + //workaround for SIC VDA if (request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE) != null && request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE).equals(SL20Constants.HTTP_HEADER_VALUE_NATIVE)) { Logger.debug("Client request containts 'native client' header ... "); diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java index b5c84d315..cc74bb11a 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java @@ -6,14 +6,8 @@ import java.util.Calendar; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.opensaml.Configuration; import org.opensaml.saml2.core.Assertion; -import org.opensaml.xml.XMLObject; -import org.opensaml.xml.io.Unmarshaller; -import org.opensaml.xml.io.UnmarshallerFactory; import org.springframework.stereotype.Component; -import org.w3c.dom.Element; -import org.xml.sax.SAXException; import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; @@ -28,9 +22,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.util.Base64Utils; -import at.gv.egovernment.moa.util.DOMUtils; import at.gv.egovernment.moa.util.DateTimeUtils; import at.gv.egovernment.moaspss.logging.Logger; @@ -75,7 +67,7 @@ public class VerifyQualifiedeIDTask extends AbstractAuthServletTask { IIdentityLink idl = new IdentityLinkAssertionParser(new ByteArrayInputStream(Base64Utils.decode(idlB64, false))).parseIdentityLink(); IVerifiyXMLSignatureResponse authBlockVerificationResult = null; try { - Assertion authBlock = parseAuthBlockToSaml2Assertion(authBlockB64); + Assertion authBlock = QualifiedeIDVerifier.parseAuthBlockToSaml2Assertion(authBlockB64); AssertionAttributeExtractor authBlockExtractor = new AssertionAttributeExtractor(authBlock); @@ -126,55 +118,5 @@ public class VerifyQualifiedeIDTask extends AbstractAuthServletTask { TransactionIDUtils.removeSessionId(); } - } - - private Assertion parseAuthBlockToSaml2Assertion(String authblockB64) throws SL20eIDDataValidationException { - try { - //parse authBlock into SAML2 Assertion - byte[] authBlockBytes = Base64Utils.decode(authblockB64, false); - Element authBlockDOM = DOMUtils.parseXmlValidating(new ByteArrayInputStream(authBlockBytes)); - UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory(); - Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(authBlockDOM); - XMLObject samlAssertion = unmarshaller.unmarshall(authBlockDOM); - - //validate SAML2 Assertion - SAML2Utils.schemeValidation(samlAssertion); - - if (samlAssertion instanceof Assertion) - return (Assertion) samlAssertion; - else - throw new SL20eIDDataValidationException( - new Object[] { - SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, - "AuthBlock is NOT of type SAML2 Assertion" - }); - - } catch (SL20eIDDataValidationException e) { - throw e; - - } catch (SAXException e) { - Logger.info("Scheme validation of SAML2 AuthBlock FAILED. Reason: " + e.getMessage()); - throw new SL20eIDDataValidationException( - new Object[] { - SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, - e.getMessage() - }, - e); - - } catch (Exception e) { - Logger.info("Can not parse AuthBlock. Reason: " + e.getMessage()); - Logger.trace("FullAuthBlock: " + authblockB64); - throw new SL20eIDDataValidationException( - new Object[] { - SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, - e.getMessage() - }, - e); - - } - - } - - - + } } |