authorThomas Lenz <tlenz@iaik.tugraz.at>2018-06-05 10:46:41 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2018-06-05 10:46:41 +0200
commitcd5cef47db73c85cbb2defdec3b283655fdc859b (patch)
tree97a3f3ba121babcc4850b5048e63aee831399676 /id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks
parent84a55fe8bec3924102bd2217f7e39e7a698f2829 (diff)
downloadmoa-id-spss-cd5cef47db73c85cbb2defdec3b283655fdc859b.tar.gz
moa-id-spss-cd5cef47db73c85cbb2defdec3b283655fdc859b.tar.bz2
moa-id-spss-cd5cef47db73c85cbb2defdec3b283655fdc859b.zip
update SL20 implementation
Diffstat (limited to 'id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks')
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java79
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java41
-rw-r--r--id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java62
3 files changed, 78 insertions, 104 deletions
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
index 763454639..26283cab2 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java
@@ -4,7 +4,6 @@ import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
-import java.util.Map.Entry;
import javax.net.ssl.SSLSocketFactory;
import javax.servlet.http.HttpServletRequest;
@@ -17,6 +16,7 @@ import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.utils.URIBuilder;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.message.BasicNameValuePair;
+import org.jose4j.base64url.Base64Url;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
@@ -39,7 +39,6 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.commons.utils.HttpClientWithProxySupport;
-import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.id.util.SSLUtils;
@@ -62,7 +61,7 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
IOAAuthParameters oaConfig = pendingReq.getOnlineApplicationConfiguration();
//get basic configuration parameters
- String vdaQualeIDUrl = extractVDAURLForSpecificOA(oaConfig);
+ String vdaQualeIDUrl = extractVDAURLForSpecificOA(oaConfig, executionContext);
if (MiscUtil.isEmpty(vdaQualeIDUrl)) {
Logger.error("NO VDA URL for qualified eID (" + Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT + ")");
throw new SL20Exception("sl20.03", new Object[]{"NO VDA URL for qualified eID"});
@@ -83,17 +82,21 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
//build qualifiedeID command
Map<String, String> qualifiedeIDParams = new HashMap<String, String>();
qualifiedeIDParams.put(SL20Constants.SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPUNIQUEID, oaConfig.getPublicURLPrefix());
- qualifiedeIDParams.put(SL20Constants.SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPFRIENDLYNAME, oaConfig.getFriendlyName());
+ qualifiedeIDParams.put(SL20Constants.SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPFRIENDLYNAME, oaConfig.getFriendlyName());
+ qualifiedeIDParams.put(SL20Constants.SL20_COMMAND_PARAM_EID_ATTRIBUTES_SPCOUNTRYCODE, "AT");
//qualifiedeIDParams.put(SL20Constants.SL20_COMMAND_PARAM_EID_ATTRIBUTES_MANDATEREFVALUE, UUID.randomUUID().toString());
+ //TODO:
JsonObject qualeIDCommandParams = SL20JSONBuilderUtils.createQualifiedeIDCommandParameters(
authBlockId,
dataURL,
qualifiedeIDParams,
- joseTools.getEncryptionCertificate());
+ //joseTools.getEncryptionCertificate());
+ null);
//String qualeIDReqId = UUID.randomUUID().toString();
- String qualeIDReqId = SAML2Utils.getSecureIdentifier();
+ //TODO: work-Around for A-trust
+ String qualeIDReqId = SAML2Utils.getSecureIdentifier().substring(0, 12);
String signedQualeIDCommand = SL20JSONBuilderUtils.createSignedCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID, qualeIDCommandParams, joseTools);
JsonObject sl20Req = SL20JSONBuilderUtils.createGenericRequest(qualeIDReqId, null, null, signedQualeIDCommand);
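Review bot: The added line `String qualeIDReqId = SAML2Utils.getSecureIdentifier().substring(0, 12);` truncates the secure identifier to 12 characters as an A-Trust work-around, which discards most of the entropy the helper provides and makes the request id easier to guess or to collide. If the short id is a hard requirement of the peer, the `//TODO` should say so and the id should remain bound to the pending request, since in this hunk it is only handed to `createGenericRequest` and whether the response id is later compared against it is not visible. The second point is that `joseTools.getEncryptionCertificate()` is replaced by `null`, so the command no longer advertises an encryption certificate and the VDA presumably answers with an unencrypted eID result; this should not land as a bare `//TODO:` but as `// TODO: encryption certificate disabled for interop testing; re-enable before production` and ideally be gated by configuration (ReceiveQualeIDTask already reads `Constants.CONFIG_PROP_DISABLE_EID_ENCRYPTION`). The enclosing method starts before this hunk and continues after it.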
@@ -105,19 +108,21 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
sslFactory,
authConfig.getBasicMOAIDConfigurationBoolean(AuthConfiguration.PROP_KEY_OVS_SSL_HOSTNAME_VALIDATION, true));
- //build post request
+ //build http POST request
HttpPost httpReq = new HttpPost(new URIBuilder(vdaQualeIDUrl).build());
- httpReq.addHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE, SL20Constants.HTTP_HEADER_VALUE_NATIVE);
List<NameValuePair> parameters = new ArrayList<NameValuePair>();;
-
- //correct one
- //parameters.add(new BasicNameValuePair(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, Base64Url.encode(sl20Req.toString().getBytes())));
-
- //A-Trust current version
- parameters.add(new BasicNameValuePair(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM_OLD, sl20Req.toString()));
+ parameters.add(new BasicNameValuePair(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, Base64Url.encode(sl20Req.toString().getBytes())));
httpReq.setEntity(new UrlEncodedFormEntity(parameters ));
+ //build http GET request
+// URIBuilder sl20ReqUri = new URIBuilder(vdaQualeIDUrl);
+// sl20ReqUri.addParameter(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM, Base64Url.encode(sl20Req.toString().getBytes()));
+// HttpGet httpReq = new HttpGet(sl20ReqUri.build());
+ //set native client header
+ httpReq.addHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE, SL20Constants.HTTP_HEADER_VALUE_NATIVE);
+
+ Logger.trace("Request VDA via SL20 with: " + Base64Url.encode(sl20Req.toString().getBytes()));
//request VDA
HttpResponse httpResp = httpClient.execute(httpReq);
@@ -190,26 +195,40 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask {
}
- private String extractVDAURLForSpecificOA(IOAAuthParameters oaConfig) {
- Map<String, String> listOfVDAs = authConfig.getBasicMOAIDConfigurationWithPrefix(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST);
- Map<String, String> listOfSPs = authConfig.getBasicMOAIDConfigurationWithPrefix(Constants.CONFIG_PROP_SP_LIST);
+ private String extractVDAURLForSpecificOA(IOAAuthParameters oaConfig, ExecutionContext executionContext) {
- for (Entry<String, String> el : listOfSPs.entrySet()) {
- List<String> spEntityIds = KeyValueUtils.getListOfCSVValues(el.getValue());
- if (spEntityIds.contains(oaConfig.getPublicURLPrefix())) {
- Logger.trace("Select VDA endPoint with Id: " + el.getKey());
- if (listOfVDAs.containsKey(el.getKey()))
- return listOfVDAs.get(el.getKey());
-
- else
- Logger.info("No VDA endPoint with Id: " + el.getKey());
-
- } else
- Logger.trace("SP list: " + el.getKey() + " does not contain OAIdentifier: " + oaConfig.getPublicURLPrefix());
+ //selection based on EntityID
+// Map<String, String> listOfVDAs = authConfig.getBasicMOAIDConfigurationWithPrefix(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST);
+// Map<String, String> listOfSPs = authConfig.getBasicMOAIDConfigurationWithPrefix(Constants.CONFIG_PROP_SP_LIST);
+//
+// for (Entry<String, String> el : listOfSPs.entrySet()) {
+// List<String> spEntityIds = KeyValueUtils.getListOfCSVValues(el.getValue());
+// if (spEntityIds.contains(oaConfig.getPublicURLPrefix())) {
+// Logger.trace("Select VDA endPoint with Id: " + el.getKey());
+// if (listOfVDAs.containsKey(el.getKey()))
+// return listOfVDAs.get(el.getKey());
+//
+// else
+// Logger.info("No VDA endPoint with Id: " + el.getKey());
+//
+// } else
+// Logger.trace("SP list: " + el.getKey() + " does not contain OAIdentifier: " + oaConfig.getPublicURLPrefix());
+//
+// }
+
+ //selection based on request Header
+ String sl20VDATypeHeader = (String) executionContext.get(SL20Constants.HTTP_HEADER_SL20_VDA_TYPE.toLowerCase());
+ if (MiscUtil.isNotEmpty(sl20VDATypeHeader)) {
+ String vdaURL = authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST + sl20VDATypeHeader);
+ if (MiscUtil.isNotEmpty(vdaURL))
+ return vdaURL.trim();
+ else
+ Logger.info("Can NOT find VDA with Id: " + sl20VDATypeHeader + ". Use default VDA");
+
}
- Logger.debug("NO SP specific VDA endpoint found. Use default VDA");
+ Logger.info("NO SP specific VDA endpoint found. Use default VDA");
return authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_DEFAULT);
}
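Review bot: The VDA endpoint is now chosen from a client-supplied value (`executionContext.get(SL20Constants.HTTP_HEADER_SL20_VDA_TYPE.toLowerCase())`, by its name an HTTP header) that is concatenated straight into a configuration key, `Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST + sl20VDATypeHeader`. Because the result is a lookup into configured URLs rather than the header itself, an attacker cannot inject an arbitrary endpoint, but an unexpected value (dots, whitespace, path-like segments) could still resolve to some other property under the same prefix and is written unsanitized to the log at `Logger.info`; restrict it before use, e.g. `if (!sl20VDATypeHeader.matches("[A-Za-z0-9_-]{1,32}")) { Logger.warn("Invalid VDA type header"); sl20VDATypeHeader = null; }`. Note also that the removed, now commented-out logic bound the VDA selection to the SP's configured EntityID, whereas the new code lets any client pick among all configured VDAs regardless of SP; if that per-SP restriction was intentional policy, it is lost here and the commit message should say so rather than leaving the old code in comments.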
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
index b7fe579a3..357ecb6ec 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
@@ -12,6 +12,7 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.http.entity.ContentType;
+import org.jose4j.base64url.Base64Url;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
@@ -37,6 +38,7 @@ import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
import at.gv.egovernment.moa.util.MiscUtil;
+import at.gv.egovernment.moa.util.StreamUtils;
import at.gv.egovernment.moaspss.logging.Logger;
@@ -55,17 +57,30 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
try {
//get SL2.0 command or result from HTTP request
Map<String, String> reqParams = getParameters(request);
- String sl20Result = reqParams.get(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM);
+ String sl20Result = reqParams.get(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM);
+
if (MiscUtil.isEmpty(sl20Result)) {
- Logger.info("NO SL2.0 commando or result FOUND.");
- throw new SL20Exception("sl20.04", null);
+
+ //TODO: remove
+ //Workaround for SIC Handy-Signature, because it sends result in InputStream
+ String test = StreamUtils.readStream(request.getInputStream(), "UTF-8");
+ if (MiscUtil.isNotEmpty(test)) {
+ Logger.info("Use SIC Handy-Signature work-around!");
+ sl20Result = test.substring("slcommand=".length());
+
+ } else {
+ Logger.info("NO SL2.0 commando or result FOUND.");
+ throw new SL20Exception("sl20.04", null);
+ }
}
-
+
+ Logger.trace("Received SL2.0 result: " + sl20Result);
+
//parse SL2.0 command/result into JSON
try {
JsonParser jsonParser = new JsonParser();
- JsonElement sl20Req = jsonParser.parse(sl20Result);
+ JsonElement sl20Req = jsonParser.parse(Base64Url.decodeToUtf8String(sl20Result));
sl20ReqObj = sl20Req.getAsJsonObject();
} catch (JsonSyntaxException e) {
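Review bot: The SIC work-around does `sl20Result = test.substring("slcommand=".length());` without checking that the body actually starts with `slcommand=`; a body shorter than ten bytes throws StringIndexOutOfBoundsException, and any other body yields a truncated string that is then passed to `Base64Url.decodeToUtf8String`, whose decoding failure is not a JsonSyntaxException and will not be handled by the visible `catch (JsonSyntaxException e)`. Guard it as `if (test.startsWith("slcommand=")) sl20Result = test.substring("slcommand=".length()); else throw new SL20Exception("sl20.04", null);` and check whether the value needs URL-decoding, since a form body is percent-encoded. Also, if `getParameters(request)` reads the form body through the servlet API, `request.getInputStream()` may already be drained at this point, so the work-around would only trigger for non-form-encoded bodies — worth confirming against the SIC client. Finally, `Logger.trace("Received SL2.0 result: " + sl20Result)` writes the full eID result (identity link and auth block, per the extraction further down) to the log; redact or keep trace disabled in production. The enclosing try block continues past this hunk.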
@@ -111,16 +126,13 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
JsonElement qualeIDResult = SL20JSONExtractorUtils.extractSL20Result(
payLoad, joseTools,
authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_DISABLE_EID_ENCRYPTION, true));
-
+
//extract attributes from result
- String idlB64 = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(),
- SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL, true);
- String authBlockB64 = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(),
- SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, true);
- String ccsURL = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(),
- SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_CCSURL, true);
- String LoA = SL20JSONExtractorUtils.getStringValue(qualeIDResult.getAsJsonObject(),
- SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_LOA, true);
+ Map<String, String> eIDData = SL20JSONExtractorUtils.getMapOfStringElements(qualeIDResult);
+ String idlB64 = eIDData.get(SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL);
+ String authBlockB64 = eIDData.get(SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK);
+ String ccsURL = eIDData.get(SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_CCSURL);
+ String LoA = eIDData.get(SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_LOA);
//cache qualified eID data into pending request
pendingReq.setGenericDataToSession(
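Review bot: The removed `getStringValue(..., true)` calls each took a boolean that presumably marked the element as mandatory, while the new `eIDData.get(...)` lookups return null silently when a key is absent, and `idlB64`, `authBlockB64`, `ccsURL` and `LoA` are then cached into the session with no check in this hunk. Unless validation happens downstream (VerifyQualifiedeIDTask Base64-decodes `idlB64` directly), a missing element becomes a NullPointerException or an empty identity instead of a clean SL20 validation error; add an explicit check after the lookups, e.g. `if (MiscUtil.isEmpty(idlB64) || MiscUtil.isEmpty(authBlockB64)) throw new SL20Exception("sl20.04", null);` with a code that names the missing element. As a follow-up outside this commit, the unchanged context line `getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_DISABLE_EID_ENCRYPTION, true)` defaults to encryption disabled when the property is absent; a secure default would be `false`. The enclosing method starts before this hunk and continues after it.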
@@ -233,6 +245,7 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
redirectTwoCommand,
null);
+ //workaround for SIC VDA
if (request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE) != null &&
request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE).equals(SL20Constants.HTTP_HEADER_VALUE_NATIVE)) {
Logger.debug("Client request containts 'native client' header ... ");
diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java
index b5c84d315..cc74bb11a 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java
@@ -6,14 +6,8 @@ import java.util.Calendar;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.opensaml.Configuration;
import org.opensaml.saml2.core.Assertion;
-import org.opensaml.xml.XMLObject;
-import org.opensaml.xml.io.Unmarshaller;
-import org.opensaml.xml.io.UnmarshallerFactory;
import org.springframework.stereotype.Component;
-import org.w3c.dom.Element;
-import org.xml.sax.SAXException;
import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils;
import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
@@ -28,9 +22,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
-import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.util.Base64Utils;
-import at.gv.egovernment.moa.util.DOMUtils;
import at.gv.egovernment.moa.util.DateTimeUtils;
import at.gv.egovernment.moaspss.logging.Logger;
@@ -75,7 +67,7 @@ public class VerifyQualifiedeIDTask extends AbstractAuthServletTask {
IIdentityLink idl = new IdentityLinkAssertionParser(new ByteArrayInputStream(Base64Utils.decode(idlB64, false))).parseIdentityLink();
IVerifiyXMLSignatureResponse authBlockVerificationResult = null;
try {
- Assertion authBlock = parseAuthBlockToSaml2Assertion(authBlockB64);
+ Assertion authBlock = QualifiedeIDVerifier.parseAuthBlockToSaml2Assertion(authBlockB64);
AssertionAttributeExtractor authBlockExtractor = new AssertionAttributeExtractor(authBlock);
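Review bot: The parse is delegated to `QualifiedeIDVerifier.parseAuthBlockToSaml2Assertion(authBlockB64)`, whose body is not in this diff, while the deleted local version did a validating XML parse (`DOMUtils.parseXmlValidating`), schema validation via `SAML2Utils.schemeValidation`, and an `instanceof Assertion` check before returning. Confirm the relocated method keeps all three, since a plain non-validating parse here would let a malformed or DTD-bearing AuthBlock reach signature verification; a call-site comment such as `// parse + schema-validate AuthBlock; must reject non-Assertion roots` would document that expectation. The enclosing try block and method start before and end after this hunk.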
@@ -126,55 +118,5 @@ public class VerifyQualifiedeIDTask extends AbstractAuthServletTask {
TransactionIDUtils.removeSessionId();
}
- }
-
- private Assertion parseAuthBlockToSaml2Assertion(String authblockB64) throws SL20eIDDataValidationException {
- try {
- //parse authBlock into SAML2 Assertion
- byte[] authBlockBytes = Base64Utils.decode(authblockB64, false);
- Element authBlockDOM = DOMUtils.parseXmlValidating(new ByteArrayInputStream(authBlockBytes));
- UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
- Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(authBlockDOM);
- XMLObject samlAssertion = unmarshaller.unmarshall(authBlockDOM);
-
- //validate SAML2 Assertion
- SAML2Utils.schemeValidation(samlAssertion);
-
- if (samlAssertion instanceof Assertion)
- return (Assertion) samlAssertion;
- else
- throw new SL20eIDDataValidationException(
- new Object[] {
- SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK,
- "AuthBlock is NOT of type SAML2 Assertion"
- });
-
- } catch (SL20eIDDataValidationException e) {
- throw e;
-
- } catch (SAXException e) {
- Logger.info("Scheme validation of SAML2 AuthBlock FAILED. Reason: " + e.getMessage());
- throw new SL20eIDDataValidationException(
- new Object[] {
- SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK,
- e.getMessage()
- },
- e);
-
- } catch (Exception e) {
- Logger.info("Can not parse AuthBlock. Reason: " + e.getMessage());
- Logger.trace("FullAuthBlock: " + authblockB64);
- throw new SL20eIDDataValidationException(
- new Object[] {
- SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK,
- e.getMessage()
- },
- e);
-
- }
-
- }
-
-
-
+ }
}