Merge branch 'eIDAS_node_implementation' of gitlab.iaik.tugraz.at:egiz/moa-idspss into eIDAS_node_implementation

5 files changed, 72 insertions, 37 deletions

diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java
index 09c64c267..7bb07df74 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java
@@ -94,24 +94,24 @@ public class ParepUtils {
     return str == null || "".equals(str);
   }
 
-  /**
-   * Reads a XML document from an input stream (namespace-aware).
-   * 
-   * @param is
-   *          the input stream to read from.
-   * @return the read XML document.
-   * @throws SZRGWClientException
-   *           if an error occurs reading the document from the input stream.
-   */
-  public static Document readDocFromIs(InputStream is) throws SZRGWClientException {
-    try {
-      DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
-      f.setNamespaceAware(true);
-      return f.newDocumentBuilder().parse(is);
-    } catch (Exception e) {
-      throw new SZRGWClientException(e);
-    }
-  }
+//  /**
+//   * Reads a XML document from an input stream (namespace-aware).
+//   * 
+//   * @param is
+//   *          the input stream to read from.
+//   * @return the read XML document.
+//   * @throws SZRGWClientException
+//   *           if an error occurs reading the document from the input stream.
+//   */
+//  public static Document readDocFromIs(InputStream is) throws SZRGWClientException {
+//    try {
+//      DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
+//      f.setNamespaceAware(true);
+//      return f.newDocumentBuilder().parse(is);
+//    } catch (Exception e) {
+//      throw new SZRGWClientException(e);
+//    }
+//  }
 
 //  /*
 //   * 
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
index d975b6e0a..74cf665ca 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
@@ -22,10 +22,17 @@
  */
 package at.gv.egovernment.moa.id.auth.modules.eidas;
 
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
 import org.apache.xml.security.signature.XMLSignature;
 import org.opensaml.xml.encryption.EncryptionConstants;
 import org.opensaml.xml.signature.SignatureConstants;
 
+import at.gv.egovernment.moa.id.data.Trible;
+
 /**
  * @author tlenz
  *
@@ -119,4 +126,15 @@ public class Constants {
     		EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128 + ";" + 
     		EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256;
     
+    public static final List<URI> NATURALPERSONMINIMUMDATASETLIST = Collections.unmodifiableList(new ArrayList<URI>() {
+		private static final long serialVersionUID = 1L;
+		{
+			add(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.CURRENT_FAMILY_NAME.getNameUri());
+			add(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.CURRENT_GIVEN_NAME.getNameUri());
+			add(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.DATE_OF_BIRTH.getNameUri());
+			add(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.PERSON_IDENTIFIER.getNameUri());
+		}
+	});
+
+    
 }
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
index 1ce900ebb..8fb81082f 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
@@ -24,6 +24,7 @@ package at.gv.egovernment.moa.id.protocols.eidas;
 
 import java.io.IOException;
 import java.io.StringWriter;
+import java.net.URI;
 import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -62,6 +63,7 @@ import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
 import eu.eidas.auth.commons.EidasStringUtil;
+import eu.eidas.auth.commons.attribute.ImmutableAttributeMap;
 import eu.eidas.auth.commons.protocol.IAuthenticationRequest;
 import eu.eidas.auth.commons.protocol.IResponseMessage;
 import eu.eidas.auth.commons.protocol.eidas.IEidasAuthenticationRequest;
@@ -302,7 +304,37 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
 				
 			}
 			
-						
+			//validate service-provider type from eIDAS request
+			String spType = null;
+			if (eIDASSamlReq.getSpType() != null)
+				spType = eIDASSamlReq.getSpType();
+				
+			if (MiscUtil.isEmpty(spType))
+				spType = MetadataUtil.getSPTypeFromMetadata(eIDASNodeEntityDesc);
+							
+			if (MiscUtil.isNotEmpty(spType))
+				Logger.debug("eIDAS request has SPType:" + spType);			
+			else {
+				Logger.warn("eIDAS request and eIDAS metadata contains NO 'SPType' element.");
+				throw new EIDASAuthnRequestProcessingException("eIDAS.06", 
+						new Object[]{"eIDAS request and eIDAS metadata contains NO 'SPType' element."});
+				
+			}
+				
+			//validate if minimal data-set if it is not fully requested
+			//TODO: must be tested!!!!
+			ImmutableAttributeMap reqAttrList = eIDASSamlReq.getRequestedAttributes();
+			for (URI el : Constants.NATURALPERSONMINIMUMDATASETLIST) {
+				if(reqAttrList.getAttributeValuesByNameUri(el) == null) {
+					Logger.warn("Minimum data-set attribute: " + el + " is not requested.");
+					throw new EIDASAuthnRequestProcessingException("eIDAS.06", 
+							new Object[]{"eIDAS request does not contain all attributes of minimum data-set for natural person"});
+					
+				}
+			}
+			
+			
+			
 			//*************************************************
 			//*****  store eIDAS request information  *********
 			//*************************************************
@@ -335,19 +367,6 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
 	
 			// - memorize OA config
 			pendingReq.setOnlineApplicationConfiguration(oaConfig);
-			
-			// - memorize service-provider type from eIDAS request
-			String spType = null;
-			if (eIDASSamlReq.getSpType() != null)
-				spType = eIDASSamlReq.getSpType();
-				
-			if (MiscUtil.isEmpty(spType))
-				spType = MetadataUtil.getSPTypeFromMetadata(eIDASNodeEntityDesc);
-							
-			if (MiscUtil.isNotEmpty(spType))
-				Logger.debug("eIDAS request has SPType:" + spType);			
-			else
-				Logger.info("eIDAS request and eIDAS metadata contains NO 'SPType' element.");
 					
 		} catch (MOAIDException e) {
 			Logger.info("eIDAS AuthnRequest preProcessing FAILED. Msg:" + e.getMessage());
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
index b2522ea33..b7c54203f 100644
--- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
@@ -71,7 +71,7 @@ class OAuth20AuthAction implements IAction {
 		
 		revisionsLogger.logEvent(req, MOAIDEventConstants.AUTHPROTOCOL_OPENIDCONNECT_AUTHREQUEST);
 		
-		String code = Random.nextRandom();		
+		String code = Random.nextHexRandom32();		
 				
 		try {
 			
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java
index 16b4ba841..dc55df05b 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java
@@ -187,7 +187,7 @@ public class SSOTransferServlet{
 		Logger.debug("Receive " + this.getClass().getName() + " request");
 		Object tokenObj = req.getParameter(SSOTransferConstants.REQ_PARAM_TOKEN);		
 		if (tokenObj != null && tokenObj instanceof String) {
-			String token = (String)tokenObj;
+			String token = StringEscapeUtils.escapeHtml((String)tokenObj);
 			try {
 				Logger.debug("Load token:" + token + " from storage.");
 				SSOTransferContainer container = transactionStorage.get(token, SSOTransferContainer.class, transmisionTimeOut * 1000);
@@ -286,7 +286,7 @@ public class SSOTransferServlet{
 		
 		Object tokenObj = req.getParameter(SSOTransferConstants.REQ_PARAM_TOKEN);		
 		if (tokenObj != null && tokenObj instanceof String) {
-			String token = (String)tokenObj;
+			String token = StringEscapeUtils.escapeHtml((String)tokenObj);
 			try {								
 				SSOTransferContainer container = transactionStorage.get(token, SSOTransferContainer.class, transmisionTimeOut);
 				if (container != null) {				
@@ -403,8 +403,6 @@ public class SSOTransferServlet{
 					null);
 			
 			if (ssomanager.isValidSSOSession(ssoid, null)) {
-				//Object createQRObj = req.getParameter(SSOTransferConstants.REQ_PARAM_GENERATE_QR);		
-				
 				//create first step of SSO Transfer GUI
 								
 				IAuthenticationSession authSession = authenticationSessionStorage.getInternalMOASessionWithSSOID(ssoid);