add configuration parameter to disable 'targetFriendlyName' validation in signed AuthBlock

3 files changed, 28 insertions, 8 deletions

diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 7c435d0b0..3d0073276 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -4,6 +4,7 @@ package at.gv.egovernment.moa.id.auth;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.UnsupportedEncodingException;
 import java.security.Principal;
 import java.security.cert.CertificateException;
 import java.util.Calendar;
@@ -20,6 +21,7 @@ import org.apache.xpath.XPathAPI;
 import org.opensaml.xml.util.Base64;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
+import org.springframework.util.Base64Utils;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
@@ -65,6 +67,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IMISMandate;
 import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.config.ConfigurationProviderImpl;
 import at.gv.egovernment.moa.id.data.Pair;
 import at.gv.egovernment.moa.id.logging.SpecificTraceLogger;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
@@ -447,7 +450,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 		.build(authBlock, oaParam.getKeyBoxIdentifier(),
 				transformsInfos);
 		
-		SpecificTraceLogger.trace("Req. Authblock: " + createXMLSignatureRequest);
+		SpecificTraceLogger.trace("Req. Authblock: " + Base64Utils.encodeToString(createXMLSignatureRequest.getBytes()));
 		SpecificTraceLogger.trace("OA config: " + pendingReq.getOnlineApplicationConfiguration().toString());
 		SpecificTraceLogger.trace("saml1RequestedTarget: " + pendingReq.getGenericData(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class));
 		SpecificTraceLogger.trace("saml1RequestedFriendlyName: " + pendingReq.getGenericData(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class));	
@@ -962,7 +965,9 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 			new CreateXMLSignatureResponseValidator().validateSSO(csresp, session, pendingReq);
 		
 		else
-			new CreateXMLSignatureResponseValidator().validate(csresp, session, pendingReq);
+			new CreateXMLSignatureResponseValidator().validate(csresp, session, pendingReq, 
+					authConfig.getBasicMOAIDConfigurationBoolean(
+							ConfigurationProviderImpl.VALIDATION_AUTHBLOCK_TARGETFRIENDLYNAME, true));
 
 		// builds a <VerifyXMLSignatureRequest> for a MOA-SPSS call
 		List<String> vtids = authConfig.getMoaSpAuthBlockVerifyTransformsInfoIDs();
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java
index ddd52c337..5730224e5 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java
@@ -3,6 +3,7 @@ package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
 import static at.gv.egovernment.moa.id.commons.MOAIDAuthConstants.PARAM_XMLRESPONSE;
 
 import java.io.IOException;
+import java.io.UnsupportedEncodingException;
 import java.util.Map;
 
 import javax.servlet.http.HttpServletRequest;
@@ -12,6 +13,7 @@ import org.apache.commons.fileupload.FileUploadException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.stereotype.Component;
+import org.springframework.util.Base64Utils;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
@@ -19,9 +21,11 @@ import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.logging.SpecificTraceLogger;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
 import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
 
 /**
  * Verifies the signed authentication block (provided as {@code CreateXMLSignatureResponse}).<p/>
@@ -79,7 +83,9 @@ public class VerifyAuthenticationBlockTask extends AbstractAuthServletTask {
 	    }
 	    
 	    String createXMLSignatureResponse = (String)parameters.get(PARAM_XMLRESPONSE);
-	    		
+	    if (createXMLSignatureResponse != null)
+			SpecificTraceLogger.trace("Raw signed AuthBlock: " + Base64Utils.encodeToString(createXMLSignatureResponse.getBytes()));
+	    		    	    	   
 		try {
 			//check if authblock is received
 			if (!ParamValidatorUtils.isValidXMLDocument(createXMLSignatureResponse))
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index 8e3ccb01b..1d2887e6a 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -54,6 +54,7 @@ import java.util.List;
 import javax.xml.bind.DatatypeConverter;
 
 import org.jaxen.SimpleNamespaceContext;
+import org.springframework.util.Base64Utils;
 import org.w3c.dom.Element;
 
 import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder;
@@ -135,7 +136,7 @@ public class CreateXMLSignatureResponseValidator {
  * @throws BuildException 
  * @throws ConfigurationException 
    */
-  public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq)
+  public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq, boolean validateTargetFriendlyName)
    throws ValidateException, BuildException, ConfigurationException {
       // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier
     IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
@@ -272,8 +273,16 @@ public class CreateXMLSignatureResponseValidator {
 	    			}
 	    			
 	    			String refValueSector = userSectorId.getSecond().substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")";
-	    			if (!refValueSector.equals((String)samlAttribute.getValue()))
-	    				throw new ValidateException("validator.13", new Object[] {(String)samlAttribute.getValue(), refValueSector});             
+	    			if (!refValueSector.equals((String)samlAttribute.getValue())) {
+	    				if (validateTargetFriendlyName)	    				
+	    					throw new ValidateException("validator.13", new Object[] {(String)samlAttribute.getValue(), refValueSector});
+	    				
+	    				else {
+	    					Logger.warn("AuthBlock 'TargetFriendlyName' " + samlAttribute.getValue() + " does not match to " + refValueSector);
+	    						    					
+	    				}
+	    				
+	    			}
 	    	  
 	    		} else
 	    			throw new ValidateException("validator.12", null);
@@ -429,7 +438,7 @@ public class CreateXMLSignatureResponseValidator {
 	  
 	  } catch (Exception e) {
 		  SpecificTraceLogger.trace("Validate AuthBlock without SSO");
-		  SpecificTraceLogger.trace("Signed AuthBlock: " + session.getAuthBlock());
+		  SpecificTraceLogger.trace("Signed AuthBlock: " + Base64Utils.encodeToString(session.getAuthBlock().getBytes()));
 		  SpecificTraceLogger.trace("OA config: " + oaParam.toString());
 		  SpecificTraceLogger.trace("saml1RequestedTarget: " + saml1RequestedTarget);
 		  SpecificTraceLogger.trace("saml1RequestedFriendlyName: " + saml1RequestedFriendlyName);		  
@@ -662,7 +671,7 @@ public class CreateXMLSignatureResponseValidator {
     
 	  } catch (Exception e) {
 		  SpecificTraceLogger.trace("Validate AuthBlock with SSO");
-		  SpecificTraceLogger.trace("Signed AuthBlock: " + session.getAuthBlock());
+		  SpecificTraceLogger.trace("Signed AuthBlock: " + Base64Utils.encodeToString(session.getAuthBlock().getBytes()));
 		  SpecificTraceLogger.trace("OA config: " + pendingReq.getOnlineApplicationConfiguration().toString());		  
 		  throw e;