diff options
author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2017-09-26 21:33:33 +0200 |
---|---|---|
committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2017-09-26 21:33:33 +0200 |
commit | 27b687ed27fad429e6fbf1b3e69c579a8f2aae16 (patch) | |
tree | 3cc65fc88f91073a4aaf2106ff0efade87f4fcb8 /id/server/modules | |
parent | 4bbd3f88211399f41e8210ad3fbe5b0ea8910994 (diff) | |
parent | c498c2812a9f2b97da2356774527aaec0ae1f608 (diff) | |
download | moa-id-spss-27b687ed27fad429e6fbf1b3e69c579a8f2aae16.tar.gz moa-id-spss-27b687ed27fad429e6fbf1b3e69c579a8f2aae16.tar.bz2 moa-id-spss-27b687ed27fad429e6fbf1b3e69c579a8f2aae16.zip |
Merge branch 'eIDAS_node_implementation' of https://gitlab.iaik.tugraz.at/egiz/moa-idspss into eIDAS_node_implementation
Diffstat (limited to 'id/server/modules')
10 files changed, 116 insertions, 31 deletions
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java index a09f0a2a8..602914229 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java @@ -46,10 +46,16 @@ package at.gv.egovernment.moa.id.auth.parser; +import java.io.IOException; + +import javax.xml.transform.TransformerException; + import org.w3c.dom.Element; import org.w3c.dom.NodeList; import at.gv.egovernment.moa.id.auth.exception.ParseException; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.util.DOMUtils; /** * Parses an <code><ErrorResponse></code>. @@ -84,15 +90,30 @@ public class ErrorResponseParser { */ public ErrorResponseParser(Element errorElement) throws ParseException { if (errorElement != null) { - String namespace = errorElement.getNamespaceURI(); - NodeList nl = errorElement.getElementsByTagNameNS(namespace, "ErrorCode"); - if (nl.getLength() == 1) { - errorCode_ = ((Element)nl.item(0)).getFirstChild().getNodeValue(); - } - nl = errorElement.getElementsByTagNameNS(namespace, "Info"); - if (nl.getLength() == 1) { - errorInfo_ = ((Element)nl.item(0)).getFirstChild().getNodeValue(); - } + try { + String namespace = errorElement.getNamespaceURI(); + NodeList nl = errorElement.getElementsByTagNameNS(namespace, "ErrorCode"); + if (nl.getLength() == 1) { + errorCode_ = ((Element)nl.item(0)).getFirstChild().getNodeValue(); + } + nl = errorElement.getElementsByTagNameNS(namespace, "Info"); + if (nl.getLength() == 1 && ((Element)nl.item(0)).getFirstChild() != null) { + errorInfo_ = ((Element)nl.item(0)).getFirstChild().getNodeValue(); + + } + } catch ( Exception e) { + try { + if (Logger.isDebugEnabled()) + Logger.warn("Can not extract error code from BKU response. Full-response: " + DOMUtils.serializeNode(errorElement), e) ; + else + Logger.warn("Can not extract error code from BKU response. Exception: " + e.getMessage()) ; + + } catch (TransformerException | IOException e1) { + Logger.warn("Can not extract error code from BKU response.", e); + Logger.warn("Can not serialize error response.", e1); + + } + } } } diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java index 275a85129..154092b03 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java @@ -150,6 +150,7 @@ public class InfoboxReadResponseParser { if ("InfoboxReadResponse".equals(responseElem.getLocalName())) { infoBoxElem_ = responseElem; + } else { ErrorResponseParser erp = new ErrorResponseParser(responseElem); throw new BKUException("auth.08", diff --git a/id/server/modules/moa-id-module-eIDAS/pom.xml b/id/server/modules/moa-id-module-eIDAS/pom.xml index 5bdead8b2..f3d8eeb36 100644 --- a/id/server/modules/moa-id-module-eIDAS/pom.xml +++ b/id/server/modules/moa-id-module-eIDAS/pom.xml @@ -12,11 +12,11 @@ <properties> <repositoryPath>${basedir}/../../../../repository</repositoryPath> - <eidas-commons.version>1.3.0</eidas-commons.version> - <eidas-light-commons.version>1.3.0</eidas-light-commons.version> - <eidas-saml-engine.version>1.3.0</eidas-saml-engine.version> - <eidas-encryption.version>1.3.0</eidas-encryption.version> - <eidas-configmodule.version>1.3.0</eidas-configmodule.version> + <eidas-commons.version>1.4.0-SNAPSHOT</eidas-commons.version> + <eidas-light-commons.version>1.4.0-SNAPSHOT</eidas-light-commons.version> + <eidas-saml-engine.version>1.4.0-SNAPSHOT</eidas-saml-engine.version> + <eidas-encryption.version>1.4.0-SNAPSHOT</eidas-encryption.version> + <eidas-configmodule.version>1.4.0-SNAPSHOT</eidas-configmodule.version> </properties> diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java index c0101b553..d975b6e0a 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java @@ -69,6 +69,8 @@ public class Constants { public static final String CONIG_PROPS_EIDAS_METADATA_URLS_LIST_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".metadata.url"; + public static final String CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".bpk.target."; + //timeouts and clock skews diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java index 6f1d75bfe..c55b5a749 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java @@ -31,7 +31,6 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang3.BooleanUtils; -import org.apache.commons.lang3.StringUtils; import org.apache.velocity.Template; import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine; @@ -41,6 +40,7 @@ import org.opensaml.saml2.metadata.SingleSignOnService; import org.opensaml.saml2.metadata.provider.MetadataProviderException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; +import org.springframework.util.StringUtils; import com.google.common.net.MediaType; @@ -306,7 +306,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { context.put("RelayState", pendingReq.getRequestID()); - Logger.debug("Using assertion consumer url as action: " + authnReqEndpoint.getLocation()); + Logger.debug("Using SingleSignOnService url as action: " + authnReqEndpoint.getLocation()); context.put("action", authnReqEndpoint.getLocation()); Logger.debug("Starting template merge"); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java index d0c003b31..bb52d2ffe 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java @@ -168,12 +168,12 @@ public class NewMoaEidasMetadata { } private void generateDigest(Extensions eidasExtensions) throws EIDASSAMLEngineException { - if (!(StringUtils.isEmpty(this.params.getDigestMethods()))) { - Set<String> signatureMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getDigestMethods()); + if (!(StringUtils.isEmpty(this.params.getSigningMethods()))) { + Set<String> signatureMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getSigningMethods()); Set<String> digestMethods = new HashSet(); for (String signatureMethod : signatureMethods) { digestMethods.add(CertificateUtil.validateDigestAlgorithm(signatureMethod)); - } + } for (String digestMethod : digestMethods) { DigestMethod dm = (DigestMethod) BuilderFactoryUtil.buildXmlObject(DigestMethod.DEF_ELEMENT_NAME); if (dm != null) { @@ -203,7 +203,7 @@ public class NewMoaEidasMetadata { generateDigest(eidasExtensions); if (!(StringUtils.isEmpty(this.params.getSigningMethods()))) { - Set<String> signMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getDigestMethods()); + Set<String> signMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getSigningMethods()); for (String signMethod : signMethods) { SigningMethod sm = (SigningMethod) BuilderFactoryUtil .buildXmlObject(SigningMethod.DEF_ELEMENT_NAME); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java index d469ca28c..02a5df098 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java @@ -28,6 +28,7 @@ import java.net.URL; import java.util.HashMap; import java.util.Map; +import org.opensaml.common.xml.SAMLSchemaBuilder; import org.opensaml.xml.ConfigurationException; import org.opensaml.xml.XMLConfigurator; @@ -107,6 +108,9 @@ public class SAMLEngineUtils { //overwrite eIDAS response validator suite because Condition-Valitator has not time jitter initOpenSAMLConfig("own-saml-eidasnode-config.xml"); + //add eIDAS specific SAML2 extensions to eIDAS Schema validatior + SAMLSchemaBuilder.addExtensionSchema( + at.gv.egovernment.moa.util.Constants.SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION); eIDASEngine = engine; diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java index 940b91b44..4b67370d6 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java @@ -56,6 +56,7 @@ import at.gv.egovernment.moa.id.commons.MOAIDConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils; import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController; import at.gv.egovernment.moa.logging.Logger; @@ -283,14 +284,22 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { } else { String[] splittedTarget = eIDASTarget.split("\\+"); if (!splittedTarget[2].equalsIgnoreCase(reqCC)) { - Logger.error("Configuration for eIDAS-node:" + samlReq.getIssuer() + Logger.debug("Configuration for eIDAS-node:" + samlReq.getIssuer() + " Destination Country from request (" + reqCC - + ") does not match to configuration:" + eIDASTarget); - throw new MOAIDException("eIDAS.01", - new Object[]{"Destination Country from request does not match to configuration"}); + + ") does not match to configuration:" + eIDASTarget + + " --> Perform additional organisation check ..."); + + //check if eIDAS domain for bPK calculation is a valid target + if (!iseIDASTargetAValidOrganisation(reqCC, splittedTarget[2])) { + throw new MOAIDException("eIDAS.01", + new Object[]{"Destination Country from request does not match to configuration"}); + + } + } - Logger.debug("CountryCode from request matches eIDAS-node configuration target"); + Logger.debug("CountryCode from request matches eIDAS-node configuration target: " + eIDASTarget); + } @@ -439,6 +448,20 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { public boolean validate(HttpServletRequest request, HttpServletResponse response, IRequest pending) { return false; } + + private boolean iseIDASTargetAValidOrganisation(String reqCC, String bPKTargetArea) { + if (MiscUtil.isNotEmpty(reqCC)) { + List<String> allowedOrganisations = KeyValueUtils.getListOfCSVValues( + authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX + reqCC.toLowerCase())); + if (allowedOrganisations.contains(bPKTargetArea)) { + Logger.debug(bPKTargetArea + " is a valid OrganisationIdentifier for request-country: "+ reqCC); + return true; + } + } + + Logger.info("OrganisationIdentifier: " + bPKTargetArea + " is not allowed for country: " + reqCC); + return false; + } } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd b/id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd new file mode 100644 index 000000000..76b82a267 --- /dev/null +++ b/id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd @@ -0,0 +1,31 @@ +<?xml version="1.0" encoding="UTF-8"?> +<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:eidas="http://eidas.europa.eu/saml-extensions" targetNamespace="http://eidas.europa.eu/saml-extensions" elementFormDefault="qualified" attributeFormDefault="unqualified"> + + <xsd:element name="SPType" type="eidas:SPTypeType"/> + <xsd:simpleType name="SPTypeType"> + <xsd:restriction base="xsd:string"> + <xsd:enumeration value="public"/> + <xsd:enumeration value="private"/> + </xsd:restriction> + </xsd:simpleType> + + <xsd:element name="RequestedAttributes" type="eidas:RequestedAttributesType"/> + <xsd:complexType name="RequestedAttributesType"> + <xsd:sequence> + <xsd:element minOccurs="0" maxOccurs="unbounded" ref="eidas:RequestedAttribute"/> + </xsd:sequence> + </xsd:complexType> + + <xsd:element name="RequestedAttribute" type="eidas:RequestedAttributeType"/> + <xsd:complexType name="RequestedAttributeType"> + <xsd:sequence> + <xsd:element name="AttributeValue" minOccurs="0" maxOccurs="unbounded" type="xsd:anyType"/> + </xsd:sequence> + <xsd:attribute name="Name" type="xsd:string" use="required"/> + <xsd:attribute name="NameFormat" type="xsd:anyURI" use="required" /> + <xsd:attribute name="isRequired" type="xsd:boolean" use="required"/> + <xsd:attribute name="FriendlyName" type="xsd:string" use="optional"/> + <xsd:anyAttribute namespace="##other" processContents="lax" /> + </xsd:complexType> + +</xsd:schema> diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java index 98f8d13c7..52970e240 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java @@ -30,7 +30,7 @@ import org.springframework.stereotype.Component; import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration; import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder; -import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration; +import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithFileSystemLoad; import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; @@ -38,6 +38,7 @@ import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConsta import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandateUtils; import at.gv.egovernment.moa.id.auth.servlet.GeneralProcessEngineSignalController; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.logging.Logger; @@ -60,11 +61,13 @@ public class SelectMandateServiceTask extends AbstractAuthServletTask { //check if Service-Provider allows ELGA-mandates if (ELGAMandateUtils.checkServiceProviderAgainstELGAModulConfigration(authConfig, pendingReq)) { Logger.trace("Build GUI for mandate-service selection ..."); - - IGUIBuilderConfiguration config = new ServiceProviderSpecificGUIFormBuilderConfiguration( - pendingReq, - ELGAMandatesAuthConstants.TEMPLATE_MANDATE_SERVICE_SELECTION, - GeneralProcessEngineSignalController.ENDPOINT_GENERIC); + + IGUIBuilderConfiguration config = new SPSpecificGUIBuilderConfigurationWithFileSystemLoad( + pendingReq, + ELGAMandatesAuthConstants.TEMPLATE_MANDATE_SERVICE_SELECTION, + MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL, + GeneralProcessEngineSignalController.ENDPOINT_GENERIC, + authConfig.getRootConfigFileDir()); guiBuilder.build(response, config, "Mandate-Service selection"); |