| author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2018-07-10 16:53:03 +0200 | 
|---|---|---|
| committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2018-07-10 16:53:03 +0200 | 
| commit | 3535ae9500b29d0b2d0f317ea7f47a6c25c6f70e (patch) | |
| tree | 199550720498b8e8394125440dd44ffe5b302ed8 /id/server/modules | |
| parent | 56ae5a8050fa116061eb00be9057abefd0428521 (diff) | |
| download | moa-id-spss-3535ae9500b29d0b2d0f317ea7f47a6c25c6f70e.tar.gz moa-id-spss-3535ae9500b29d0b2d0f317ea7f47a6c25c6f70e.tar.bz2 moa-id-spss-3535ae9500b29d0b2d0f317ea7f47a6c25c6f70e.zip | |
some small updates and handbook update
Diffstat (limited to 'id/server/modules')
4 files changed, 30 insertions, 33 deletions
| diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java
index 55864f3c9..0f4f81122 100644
--- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java
@@ -55,7 +55,7 @@ public class EidasCentralAuthConstants {
 	public static final String CONFIG_PROPS_SIGN_SIGNING_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "request.sign.alias";
 	public static final String CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.password";
 	public static final String CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.alias";	
-	public static final String CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST = CONFIG_PROPS_PREFIX + "required.additinal.attributes";	
+	public static final String CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST = CONFIG_PROPS_PREFIX + "required.additional.attributes";	
 	public static final String CONFIG_PROPS_NODE_ENTITYID = CONFIG_PROPS_PREFIX + "node.entityId";
 	public static final String CONFIG_PROPS_NODE_METADATAURL = CONFIG_PROPS_PREFIX + "node.metadataUrl";
 	public static final String CONFIG_PROPS_NODE_TRUSTPROFILEID = CONFIG_PROPS_PREFIX + "node.trustprofileID";	
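Review bot: Changing the property key from `required.additinal.attributes` to `required.additional.attributes` is a silent breaking change for deployments whose configuration still uses the misspelled key: the lookup no longer finds a value, and the list of required additional attributes falls back to whatever default the reader applies (presumably empty), so those attributes would stop being requested without any error or warning. Since only the constant changes here, the reading code (outside this hunk) should accept the legacy key as a fallback for at least one release, or log a warning when it is present, e.g. `// legacy key "required.additinal.attributes" still accepted until <VERSION-PLACEHOLDER>; warn when used`. The handbook update mentioned in the commit message should name the rename explicitly so operators update their configuration.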
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthRequestBuilderConfiguration.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthRequestBuilderConfiguration.java index ebbe08588..8376f3aad 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthRequestBuilderConfiguration.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthRequestBuilderConfiguration.java @@ -48,6 +48,7 @@ public class EidasCentralAuthRequestBuilderConfiguration implements IPVPAuthnReq  	private String scopeRequesterId;  	private String providerName;  	private List<EAAFRequestedAttribute> requestedAttributes; +	private String reqId;  	/* (non-Javadoc) @@ -186,7 +187,7 @@ public class EidasCentralAuthRequestBuilderConfiguration implements IPVPAuthnReq  	 */  	@Override  	public String getRequestID() { -		return null; +		return this.reqId;  	}  	/* (non-Javadoc) @@ -256,6 +257,15 @@ public class EidasCentralAuthRequestBuilderConfiguration implements IPVPAuthnReq  		this.requestedAttributes = requestedAttributes;  	} +	/** +	 * Set a RequestId for this Authn. Request +	 *  +	 * @param reqId +	 */ +	public void setRequestId(String reqId) { +		this.reqId = reqId; +	} +	 diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java index 08ae845cb..e312299f8 100644 
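Review bot: `getRequestID()` now returns `this.reqId`, which is still `null` whenever `setRequestId` was not called, so a caller that forgets the setter gets exactly the pre-commit behaviour with no signal from this class. Either reject `null` in the setter (`this.reqId = Objects.requireNonNull(reqId, "reqId");`) or document the contract; the added Javadoc leaves `@param reqId` empty and should read something like `@param reqId unique, unpredictable identifier for this AuthnRequest; must be set before the request is built`. As a point of style, the new setter `setRequestId` and the interface getter `getRequestID` differ in casing; the getter is fixed by `IPVPAuthnRequestBuilderConfiguration`, so `setRequestID` would keep the pair aligned.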
--- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java @@ -29,6 +29,7 @@ import java.util.List;  import javax.servlet.http.HttpServletRequest;  import javax.servlet.http.HttpServletResponse; +import org.opensaml.common.impl.SecureRandomIdentifierGenerator;  import org.opensaml.saml2.core.Attribute;  import org.opensaml.saml2.metadata.EntityDescriptor;  import org.opensaml.saml2.metadata.provider.MetadataProviderException; @@ -45,6 +46,7 @@ import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute;  import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPAttributeBuilder;  import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;  import at.gv.egiz.eaaf.modules.pvp2.sp.impl.PVPAuthnRequestBuilder; +import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;  import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;  import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.config.EidasCentralAuthRequestBuilderConfiguration;  import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthCredentialProvider; 
@@ -76,6 +78,8 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask {  	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)  			throws TaskExecutionException {  		try{ +			revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_SELECTED); +			  			//check if eIDAS authentication is enabled for this SP  			if (!Boolean.parseBoolean(pendingReq.getServiceProviderConfiguration().getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_STORK_ENABLED, String.valueOf(false)))) {  				Logger.info("eIDAS authentication is NOT enabled for OA: " + pendingReq.getServiceProviderConfiguration().getUniqueIdentifier()); @@ -114,6 +118,8 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask {  			//setup AuthnRequestBuilder configuration  			EidasCentralAuthRequestBuilderConfiguration authnReqConfig = new EidasCentralAuthRequestBuilderConfiguration(); +			SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator(); +			authnReqConfig.setRequestId(gen.generateIdentifier());  			authnReqConfig.setIdpEntity(entityDesc);  			authnReqConfig.setPassive(false);  			authnReqConfig.setSignCred(credential.getIDPAssertionSigningCredential()); @@ -130,6 +136,10 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask {  			//build and transmit AuthnRequest  			authnReqBuilder.buildAuthnRequest(pendingReq, authnReqConfig , response); +			revisionsLogger.logEvent(pendingReq,  +					MOAIDEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_REQUESTED, +					authnReqConfig.getRequestID()); +			  		} catch (MOAIDException e) {  			throw new TaskExecutionException(pendingReq, e.getMessage(), e); 
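Review bot: In hunk `@@ -114,6 +118,8 @@` a new `SecureRandomIdentifierGenerator` is constructed on every executed request; as far as I recall, the OpenSAML 2 no-arg constructor creates a fresh `SecureRandom` via `SecureRandom.getInstance(...)` and declares `NoSuchAlgorithmException`, so this compiles only because a broader catch clause further down (outside the hunk) absorbs it — please confirm that exception is not folded into a generic error path. The generator holds nothing but its `SecureRandom` and can be a single `private static final SecureRandomIdentifierGenerator ID_GEN` initialised once. The generated ID is used here only for the `AUTHPROCESS_EIDAS_AT_CONNECTOR_REQUESTED` event; if `buildAuthnRequest` does not also store it in `pendingReq`, `ReceiveAuthnResponseTask` has nothing to compare the response's `InResponseTo` against, which is the main reason the ID has to be unpredictable in the first place. `execute` continues outside the hunk.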
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java index f9686029f..214a23f88 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java @@ -59,7 +59,6 @@ import at.gv.egovernment.moa.id.auth.exception.BuildException;  import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;  import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthCredentialProvider;  import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthMetadataProvider; -import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;  import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;  import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;  import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP; @@ -112,7 +111,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {  			msg = (InboundMessage) decoder.decode(  					request, response, metadataProvider, true,  					comperator); -			  +			  			if (MiscUtil.isEmpty(msg.getEntityID())) {  				throw new InvalidProtocolRequestException("sp.pvp2.04",   						new Object[] {EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING}, 
@@ -126,9 +125,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {  				msg.setVerified(true);  			} -			 -			revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_AUTHRESPONSE); -			 +						  			//validate assertion  			PVPSProfileResponse processedMsg = preProcessAuthResponse((PVPSProfileResponse) msg); @@ -153,7 +150,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {  			requestStoreage.storePendingRequest(pendingReq);  			//write log entries -			revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_INTERFEDERATION_REVEIVED);				 +			revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_MDS_VALID);				  			Logger.info("Receive a valid assertion from IDP " + msg.getEntityID());   		} catch (MessageDecodingException | SecurityException e) { @@ -208,32 +205,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {  		}  	} -	 -	/** -	 * @param executionContext -	 * @param idpConfig -	 * @param message  -	 * @param objects  -	 * @throws TaskExecutionException  -	 * @throws Throwable  -	 */ -	private void handleAuthnResponseValidationProblem(ExecutionContext executionContext, IOAAuthParameters idpConfig, Throwable e) throws TaskExecutionException { - -		if (idpConfig != null && idpConfig.isPerformLocalAuthenticationOnInterfederationError()) { -			Logger.info("Switch to local authentication on this IDP ... "); -		 -			executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION, true); -			executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, true); -			executionContext.remove(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH); -			 -		} else { -			throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", e); -			 -		} -		 -	} -	  	/**  	 * PreProcess AuthResponse and Assertion   	 * @param msg 
@@ -257,11 +229,16 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {  					EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING);  			msg.setSAMLMessage(SAML2Utils.asDOMDocument(samlResp).getDocumentElement()); +			revisionsLogger.logEvent(pendingReq,  +					MOAIDEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_RECEIVED, +					samlResp.getID());  			return msg;  		} else {  			Logger.info("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue()   				+ " from 'ms-specific eIDAS node'."); +			revisionsLogger.logEvent(pendingReq,  +					MOAIDEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_RECEIVED_ERROR);			  			throw new AuthnResponseValidationException("sp.pvp2.05",   					new Object[]{EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING, samlResp.getIssuer().getValue(), samlResp.getStatus().getStatusCode().getValue()}); | 
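Review bot: The success branch logs `samlResp.getID()`, which is the response's own identifier and does not correlate with the request ID written by the `AUTHPROCESS_EIDAS_AT_CONNECTOR_REQUESTED` event in `CreateAuthnRequestTask`; logging `samlResp.getInResponseTo()` alongside it would tie the two revision entries together and record whether the response referenced the expected request. The error branch logs `AUTHPROCESS_EIDAS_AT_CONNECTOR_RECEIVED_ERROR` with no identifier at all, so failed flows cannot be matched either — pass the same value there, e.g. `revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_RECEIVED_ERROR, samlResp.getInResponseTo());`. Both values originate from the remote node's message, so the revision logger should treat them as untrusted strings (bounded length, no control characters); I cannot verify from this hunk whether it does. `preProcessAuthResponse` starts outside the hunk.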
