aboutsummaryrefslogtreecommitdiff
path: root/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2015-09-14 13:29:32 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2015-09-14 13:29:32 +0200
commit76bae60e9bda1acb7ee0e3d45ab187749d16bf82 (patch)
treeba22e87aeee1330e70e702dcfb4612fd951e6c7a /id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment
parent1131cdf040e608c3f79dd8987ec3b8444fc9bf0d (diff)
downloadmoa-id-spss-76bae60e9bda1acb7ee0e3d45ab187749d16bf82.tar.gz
moa-id-spss-76bae60e9bda1acb7ee0e3d45ab187749d16bf82.tar.bz2
moa-id-spss-76bae60e9bda1acb7ee0e3d45ab187749d16bf82.zip
move citizen-card authentication and validation (Security-layer communication) to discrete module
Diffstat (limited to 'id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment')
-rw-r--r--id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java167
-rw-r--r--id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/auth/parser/SAMLArtifactParser.java104
-rw-r--r--id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java3
-rw-r--r--id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java43
4 files changed, 315 insertions, 2 deletions
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java
new file mode 100644
index 000000000..eeca78e60
--- /dev/null
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java
@@ -0,0 +1,167 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ ******************************************************************************/
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.id.auth.builder;
+
+import java.io.ByteArrayOutputStream;
+import java.security.MessageDigest;
+
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Base64Utils;
+
+/**
+ * Builder for the SAML artifact, as defined in the
+ * Browser/Artifact profile of SAML.
+ *
+ * @author Paul Ivancsics
+ * @version $Id$
+ */
+public class SAMLArtifactBuilder {
+
+ /**
+ * The generic configuration parameter for an alternative SourceID.
+ */
+// private static final String GENERIC_CONFIG_PARAM_SOURCEID = "AuthenticationServer.SourceID";
+
+ /**
+ * Constructor for SAMLArtifactBuilder.
+ */
+ public SAMLArtifactBuilder() {
+ super();
+ }
+
+ /**
+ * Builds the SAML artifact, encoded BASE64.
+ * <ul>
+ * <li><code>TypeCode</code>: <code>0x0001</code>.</li>
+ * <li><code>SourceID</code>: SHA-1 hash of the authURL</li>
+ * <li><code>AssertionHandle</code>: SHA-1 hash of the <code>MOASessionID</code></li>
+ * </ul>
+ * @param authURL URL auf the MOA-ID Auth component to be used for construction
+ * of <code>SourceID</code>
+ * @param sessionID <code>MOASessionID</code> to be used for construction
+ * of <code>AssertionHandle</code>
+ * @return the 42-byte SAML artifact, encoded BASE64
+ */
+ public String build(String authURL, String sessionID, String sourceIdParam) throws BuildException {
+ try {
+ MessageDigest md = MessageDigest.getInstance("SHA-1");
+ byte[] sourceID;
+ // alternative sourceId
+ String alternativeSourceID = AuthConfigurationProviderFactory.getInstance().getAlternativeSourceID();
+
+ // if sourceID is given in GET/POST param - use this as source id
+ if (!ParepUtils.isEmpty(sourceIdParam)) {
+ // if GET/POST parameter sourceID is set, use that sourceID instead of authURL;
+ //sourceID = md.digest(sourceIdParam.getBytes());
+
+ // if sourceIdParam is too short (must have 20 characters) - add " "
+ int length = sourceIdParam.length();
+ if (length < 20) {
+ int l = 20 - length;
+ for (int i = 0; i < l; i++) {
+ sourceIdParam += " ";
+ }
+ }
+
+ sourceID = sourceIdParam.getBytes();
+ Logger.info("Building SAMArtifact from sourceID \"" + sourceIdParam + "\" instead of authURL \"" + authURL + "\".");
+
+ byte[] assertionHandle = md.digest(sessionID.getBytes());
+ ByteArrayOutputStream out = new ByteArrayOutputStream(42);
+ out.write(0);
+ out.write(1);
+ out.write(sourceID, 0, 20);
+ out.write(assertionHandle, 0, 20);
+ byte[] samlArtifact = out.toByteArray();
+ String samlArtifactBase64 = Base64Utils.encode(samlArtifact);
+ return samlArtifactBase64;
+ }
+
+ // if generic config parameter "AuthenticationServer.SourceID" is given, use that sourceID instead of authURL;
+ if (!ParepUtils.isEmpty(alternativeSourceID)) {
+ sourceID = md.digest(alternativeSourceID.getBytes());
+ Logger.info("Building SAMArtifact from sourceID \"" + alternativeSourceID + "\" instead of authURL \"" + authURL + "\".");
+
+ byte[] assertionHandle = md.digest(sessionID.getBytes());
+ ByteArrayOutputStream out = new ByteArrayOutputStream(42);
+ out.write(0);
+ out.write(1);
+ out.write(sourceID, 0, 20);
+ out.write(assertionHandle, 0, 20);
+ byte[] samlArtifact = out.toByteArray();
+ String samlArtifactBase64 = Base64Utils.encode(samlArtifact);
+ return samlArtifactBase64;
+ }
+
+ // default: sourecID from authURL
+ sourceID = md.digest(authURL.getBytes());
+ byte[] assertionHandle = md.digest(sessionID.getBytes());
+ ByteArrayOutputStream out = new ByteArrayOutputStream(42);
+ out.write(0);
+ out.write(1);
+ out.write(sourceID, 0, 20);
+ out.write(assertionHandle, 0, 20);
+ byte[] samlArtifact = out.toByteArray();
+ String samlArtifactBase64 = Base64Utils.encode(samlArtifact);
+ return samlArtifactBase64;
+
+ //System.out.println("sourceID: " + new String(sourceID));
+
+
+ }
+ catch (Throwable ex) {
+ throw new BuildException(
+ "builder.00",
+ new Object[] {"SAML Artifact, MOASessionID=" + sessionID, ex.toString()},
+ ex);
+ }
+ }
+
+}
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/auth/parser/SAMLArtifactParser.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/auth/parser/SAMLArtifactParser.java
new file mode 100644
index 000000000..0e0b42cde
--- /dev/null
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/auth/parser/SAMLArtifactParser.java
@@ -0,0 +1,104 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ ******************************************************************************/
+/*
+ * Copyright 2003 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+package at.gv.egovernment.moa.id.auth.parser;
+
+import java.io.IOException;
+
+import at.gv.egovernment.moa.id.auth.exception.ParseException;
+import at.gv.egovernment.moa.util.Base64Utils;
+
+/**
+ * Parser for a SAML artifact.
+ * @author Paul Ivancsics
+ * @version $Id$
+ */
+public class SAMLArtifactParser {
+ /** byte array containing the SamlArtifact bytes */
+ private byte[] samlArtifactBytes;
+
+ /**
+ * Constructor
+ * @param samlArtifact as String
+ * @throws ParseException on any parsing error
+ */
+ public SAMLArtifactParser(String samlArtifact) throws ParseException {
+ try {
+ samlArtifactBytes = Base64Utils.decode(samlArtifact, false);
+ }
+ catch (IOException ex) {
+ throw new ParseException("parser.02", new Object[] {ex.toString()}, ex);
+ }
+ }
+ /**
+ * Parses the type code.
+ * @return type code
+ * @throws ParseException when SAML artifact is invalid
+ */
+ public byte[] parseTypeCode() throws ParseException {
+ try {
+ byte[] typeCode = new byte[] {samlArtifactBytes[0], samlArtifactBytes[1]};
+ return typeCode;
+ }
+ catch (Throwable ex) {
+ throw new ParseException("parser.02", new Object[] {ex.toString()}, ex);
+ }
+ }
+ /**
+ * Parses the assertion handle.
+ * @return assertion handle
+ * @throws ParseException when SAML artifact is invalid
+ */
+ public String parseAssertionHandle() throws ParseException {
+ try {
+ return new String(samlArtifactBytes, 22, 20);
+ }
+ catch (Throwable ex) {
+ throw new ParseException("parser.02", new Object[] {ex.toString()}, ex);
+ }
+ }
+
+}
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
index 2019b0d20..b94348856 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
@@ -31,7 +31,6 @@ import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet;
-import at.gv.egovernment.moa.id.auth.stork.STORKResponseProcessor;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
@@ -73,7 +72,7 @@ public class GetArtifactAction implements IAction {
// add other stork attributes to MOA assertion if available
if(null != authData.getStorkAttributes()) {
- List<ExtendedSAMLAttribute> moaExtendedSAMLAttibutes = STORKResponseProcessor.addAdditionalSTORKAttributes(authData.getStorkAttributes());
+ List<ExtendedSAMLAttribute> moaExtendedSAMLAttibutes = SAML1AuthenticationServer.addAdditionalSTORKAttributes(authData.getStorkAttributes());
authData.getExtendedSAMLAttributesOA().addAll(moaExtendedSAMLAttibutes);
Logger.info("MOA assertion assembled and SAML Artifact generated.");
}
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
index e70e71d49..eb869756e 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
@@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.protocols.saml1;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.List;
+import java.util.Vector;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBElement;
@@ -33,9 +34,13 @@ import javax.xml.namespace.QName;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerException;
+import org.apache.commons.lang3.StringEscapeUtils;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;
+import eu.stork.peps.auth.commons.IPersonalAttributeList;
+import eu.stork.peps.auth.commons.PersonalAttribute;
+
import at.gv.egovernment.moa.id.auth.AuthenticationServer;
import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder;
import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
@@ -43,6 +48,7 @@ import at.gv.egovernment.moa.id.auth.builder.PersonDataBuilder;
import at.gv.egovernment.moa.id.auth.builder.SAMLArtifactBuilder;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
+import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttributeImpl;
import at.gv.egovernment.moa.id.auth.data.IdentityLink;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
@@ -120,6 +126,43 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
}
/**
+ * Transforms additional STORK attributes to MOA Extended attributes
+ * @param iPersonalAttributeList STORK attribute list
+ * @return
+ */
+ public static List<ExtendedSAMLAttribute> addAdditionalSTORKAttributes(IPersonalAttributeList iPersonalAttributeList) {
+ List<ExtendedSAMLAttribute> moaExtendedSAMLAttributeList = new Vector<ExtendedSAMLAttribute>();
+
+ if(null == iPersonalAttributeList)
+ return moaExtendedSAMLAttributeList;
+
+ Logger.trace("Adding the following attributes to MOA assertion: ");
+ int count = 0;
+
+ for (PersonalAttribute attribute : iPersonalAttributeList) {
+ Object attributeValue = attribute.getValue();
+ if (null == attributeValue)
+ attributeValue = attribute.getComplexValue();
+
+ // escape attributeValue
+ attributeValue = StringEscapeUtils.escapeXml10(attributeValue.toString());
+ // and remove trailing and tailing brackets. Might break something but we never saw an array with more than one entry!
+ attributeValue = ((String) attributeValue).substring(1, ((String) attributeValue).length() - 1);
+
+ ExtendedSAMLAttribute extendedSAMLAttribute =
+ new ExtendedSAMLAttributeImpl(attribute.getName(), attributeValue, Constants.STORK_NS_URI, 0);
+ moaExtendedSAMLAttributeList.add(extendedSAMLAttribute);
+ count++;
+ Logger.trace("Additional attribute: " + attribute.getName());
+ }
+
+ Logger.debug("Added " + count + " STORK attribute(s) to the MOA assertion.");
+
+ return moaExtendedSAMLAttributeList;
+ }
+
+
+ /**
* Retrieves <code>AuthenticationData</code> indexed by the SAML artifact.
* The <code>AuthenticationData</code> is deleted from the store upon end of
* this call.