aboutsummaryrefslogtreecommitdiff
path: root/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2018-05-17 17:14:41 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2018-05-17 17:14:41 +0200
commitcbc72b4eb01828e56e3244bcfe121d729e7e852a (patch)
treec0c427ba0b4fb60f32d5fea51950e489e1f02c6c /id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv
parent1cf340e047d2d701d9bfe442f291231ec477d2f4 (diff)
downloadmoa-id-spss-cbc72b4eb01828e56e3244bcfe121d729e7e852a.tar.gz
moa-id-spss-cbc72b4eb01828e56e3244bcfe121d729e7e852a.tar.bz2
moa-id-spss-cbc72b4eb01828e56e3244bcfe121d729e7e852a.zip
add some work-arounds into federated authentication module to make it usable with MOA-ID 3.2.0 to 3.2.2
Diffstat (limited to 'id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv')
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java41
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java38
2 files changed, 73 insertions, 6 deletions
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java
index c3d5e8032..1fff56f8d 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java
@@ -22,7 +22,10 @@
*/
package at.gv.egovernment.moa.id.auth.modules.federatedauth.config;
+import java.util.ArrayList;
import java.util.Arrays;
+import java.util.Collections;
+import java.util.Iterator;
import java.util.List;
import org.opensaml.saml2.core.Attribute;
@@ -35,6 +38,10 @@ import org.opensaml.xml.security.credential.Credential;
import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants;
import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.id.data.Pair;
+import at.gv.egovernment.moa.id.data.Trible;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
@@ -263,7 +270,39 @@ public class FederatedAuthMetadataConfiguration implements IPVPMetadataBuilderCo
*/
@Override
public List<RequestedAttribute> getSPRequiredAttributes() {
- return null;
+ /*TODO:
+ * Work for bug in AttributeQuery Client that includes a wrong EntityID for SP
+ */
+ final List<Trible<String, String, Boolean>> REQUIRED_PVP_ATTRIBUTES =
+ Collections.unmodifiableList(new ArrayList<Trible<String, String, Boolean>>() {
+ private static final long serialVersionUID = 1L;
+ {
+ //add PVP Version attribute
+ add(Trible.newInstance(PVPConstants.PVP_VERSION_NAME, PVPConstants.PVP_VERSION_FRIENDLY_NAME, true));
+
+ //request entity information
+ add(Trible.newInstance(PVPConstants.GIVEN_NAME_NAME, PVPConstants.GIVEN_NAME_FRIENDLY_NAME, true));
+ add(Trible.newInstance(PVPConstants.PRINCIPAL_NAME_NAME, PVPConstants.PRINCIPAL_NAME_FRIENDLY_NAME, true));
+ add(Trible.newInstance(PVPConstants.BIRTHDATE_NAME, PVPConstants.BIRTHDATE_FRIENDLY_NAME, true));
+ add(Trible.newInstance(PVPConstants.EID_CCS_URL_NAME, PVPConstants.EID_CCS_URL_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME, PVPConstants.EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME, true));
+ add(Trible.newInstance(PVPConstants.EID_IDENTITY_LINK_NAME, PVPConstants.EID_IDENTITY_LINK_FRIENDLY_NAME, true));
+ add(Trible.newInstance(PVPConstants.EID_SOURCE_PIN_NAME, PVPConstants.EID_SOURCE_PIN_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.EID_SOURCE_PIN_TYPE_NAME, PVPConstants.EID_SOURCE_PIN_TYPE_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.EID_AUTH_BLOCK_NAME, PVPConstants.EID_AUTH_BLOCK_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.EID_SIGNER_CERTIFICATE_NAME, PVPConstants.EID_SIGNER_CERTIFICATE_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.MANDATE_FULL_MANDATE_NAME, PVPConstants.MANDATE_FULL_MANDATE_FRIENDLY_NAME, false));
+
+
+
+ }
+ });
+
+ List<RequestedAttribute> requestedAttributes = new ArrayList<RequestedAttribute>();
+ for (Trible<String, String, Boolean> el : REQUIRED_PVP_ATTRIBUTES)
+ requestedAttributes.add(PVPAttributeBuilder.buildReqAttribute(el.getFirst(), el.getSecond(), el.getThird()));
+
+ return requestedAttributes;
}
/* (non-Javadoc)
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
index 8f5a231ee..dea5e4894 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
@@ -23,6 +23,7 @@
package at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks;
import java.io.IOException;
+import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Set;
@@ -57,6 +58,7 @@ import at.gv.egovernment.moa.id.commons.api.exceptions.SessionDataStorageExcepti
import at.gv.egovernment.moa.id.moduls.RequestImpl;
import at.gv.egovernment.moa.id.moduls.SSOManager;
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOAURICompare;
@@ -244,12 +246,23 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
private void getAuthDataFromInterfederation(AssertionAttributeExtractor extractor, IOAAuthParameters spConfig,
IOAAuthParameters idpConfig) throws BuildException, ConfigurationException{
+ /*TODO:
+ * only workaround for oe.gv.at project
+ */
+ final List<String> minimalIDLAttributeNamesList = Arrays.asList(
+ PVPConstants.EID_IDENTITY_LINK_NAME,
+ PVPConstants.EID_SOURCE_PIN_NAME,
+ PVPConstants.EID_SOURCE_PIN_TYPE_NAME);
+
try {
Logger.debug("Service Provider is no federated IDP --> start Attribute validation or requesting ... ");
Collection<String> requestedAttr = pendingReq.getRequestedAttributes(metadataProvider);
//check if SAML2 Assertion contains a minimal set of attributes
- if (!extractor.containsAllRequiredAttributes()) {
+
+ //TODO: switch back to correct attribute query
+ if (!extractor.containsAllRequiredAttributes()
+ && !extractor.containsAllRequiredAttributes(minimalIDLAttributeNamesList)) {
Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ...");
//build attributQuery request
@@ -257,16 +270,19 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
attributQueryBuilder.buildSAML2AttributeList(spConfig, requestedAttr.iterator());
//request IDP to get additional attributes
- extractor = authDataBuilder.getAuthDataFromAttributeQuery(attributs, extractor.getNameID(), idpConfig);
+ extractor = authDataBuilder.getAuthDataFromAttributeQuery(attributs, extractor.getNameID(),
+ idpConfig, pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_METADATA);
} else {
Logger.info("Interfedation response include a minimal set of attributes with are required. Skip AttributQuery request step. ");
}
+ //TODO: switch back to correct attribute query
//check if all attributes are include
- if (!extractor.containsAllRequiredAttributes(
- pendingReq.getRequestedAttributes(metadataProvider))) {
+ //if (!extractor.containsAllRequiredAttributes(requestedAttr)) {
+ if (!extractor.containsAllRequiredAttributes()
+ && !extractor.containsAllRequiredAttributes(minimalIDLAttributeNamesList)) {
Logger.warn("PVP Response from federated IDP contains not all requested attributes.");
throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING});
@@ -275,7 +291,19 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
//copy attributes into MOASession
Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames();
for (String el : includedAttrNames) {
- moasession.setGenericDataToSession(el, extractor.getSingleAttributeValue(el));
+ String value = extractor.getSingleAttributeValue(el);
+
+ //TODO: check in future version
+ //update PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME to prefixed version
+ if (el.equals(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) {
+ Logger.trace("Find PVP-attribute " + el + ". Start mapping if neccessary ... ");
+ if (!value.startsWith(PVPConstants.STORK_QAA_PREFIX)) {
+ value = PVPConstants.STORK_QAA_PREFIX + value;
+ Logger.debug("Prefix '" + el + "' with: "+ PVPConstants.STORK_QAA_PREFIX);
+ }
+ }
+
+ moasession.setGenericDataToSession(el, value);
Logger.debug("Add PVP-attribute " + el + " into MOASession");
}