aboutsummaryrefslogtreecommitdiff
path: root/id/server
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2016-01-12 09:46:57 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2016-01-12 09:46:57 +0100
commit1df90d0efe126150b5e1cfa245a5ad9280068243 (patch)
tree23ebaa9ac2cb669a05a700f0257a9753cc1ff0c1 /id/server
parent10d7450deaa812bb26026b4de09df5609bd6545b (diff)
downloadmoa-id-spss-1df90d0efe126150b5e1cfa245a5ad9280068243.tar.gz
moa-id-spss-1df90d0efe126150b5e1cfa245a5ad9280068243.tar.bz2
moa-id-spss-1df90d0efe126150b5e1cfa245a5ad9280068243.zip
update eIDAS inbound process managment implementation
Diffstat (limited to 'id/server')
-rw-r--r--id/server/modules/moa-id-module-eIDAS/pom.xml7
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java1
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java44
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java21
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java74
5 files changed, 141 insertions, 6 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/pom.xml b/id/server/modules/moa-id-module-eIDAS/pom.xml
index 43ba6bc20..b43efac9e 100644
--- a/id/server/modules/moa-id-module-eIDAS/pom.xml
+++ b/id/server/modules/moa-id-module-eIDAS/pom.xml
@@ -98,6 +98,13 @@
</exclusions>
</dependency>
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcprov-jdk15on</artifactId>
+ <version>1.52</version>
+ <!-- <scope>provided</scope> -->
+ </dependency>
+
</dependencies>
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
index 3f94ca5e5..8e38facbf 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
@@ -54,4 +54,5 @@ public class Constants {
public static final String CONIG_PROPS_EIDAS_SAMLENGINE_ENC_CONFIGFILE = CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX + "."
+ CONIG_PROPS_EIDAS_SAMLENGINE_ENCRYPT + ".config.file";
+ public static final long CONFIG_PROPS_SKEWTIME = 2 * 60 * 1000; //2 minutes skew time for response validation
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java
index 0c31a87a4..556947572 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java
@@ -22,14 +22,24 @@
*/
package at.gv.egovernment.moa.id.auth.modules.eidas;
+import java.io.ByteArrayInputStream;
+
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServletRequest;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpression;
+import javax.xml.xpath.XPathFactory;
import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.util.xml.SimpleNamespaceContext;
+import org.w3c.dom.Document;
import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.servlet.ProcessEngineSignalServlet;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Base64Utils;
/**
* @author tlenz
@@ -58,9 +68,39 @@ public class eIDASSignalServlet extends ProcessEngineSignalServlet {
*
*/
public String getMoaSessionId(HttpServletRequest request) {
- //TODO: implement eIDAs specific session synchronization
+ String sessionId = super.getMoaSessionId(request);
- return StringEscapeUtils.escapeHtml(request.getParameter(MOAIDAuthConstants.PARAM_SESSIONID));
+ try {
+
+ // use SAML2 relayState
+ if (sessionId == null) {
+ sessionId = StringEscapeUtils.escapeHtml(request.getParameter("RelayState"));
+ }
+
+ // take from InResponseTo attribute of SAMLResponse
+ if (sessionId == null) {
+ String base64SamlToken = request.getParameter("SAMLResponse");
+ if (base64SamlToken != null && false) {
+// byte[] samlToken = Base64Utils.decode(base64SamlToken, false);
+// Document samlResponse = parseDocument(new ByteArrayInputStream(samlToken));
+//
+// XPath xPath = XPathFactory.newInstance().newXPath();
+// SimpleNamespaceContext nsContext = new SimpleNamespaceContext();
+// nsContext.bindNamespaceUri("saml2p", "urn:oasis:names:tc:SAML:2.0:protocol");
+// xPath.setNamespaceContext(nsContext);
+// XPathExpression expression = xPath.compile("string(/saml2p:Response/@InResponseTo)");
+// sessionId = (String) expression.evaluate(samlResponse, XPathConstants.STRING);
+// sessionId = StringEscapeUtils.escapeHtml(StringUtils.trimToNull(sessionId));
+ } else {
+ Logger.warn("No parameter 'SAMLResponse'. Unable to retrieve MOA session id.");
+ }
+ }
+
+ } catch (Exception e) {
+ Logger.warn("Unable to retrieve moa session id.", e);
+ }
+
+ return sessionId;
}
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
index 8b1dae22e..9ae61edd9 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
@@ -96,19 +96,30 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
//TODO: load required attributes from OA configuration
PersonalAttribute attr = new PersonalAttribute();
attr.setName("eidas/attributes/CurrentFamilyName");
-
pAttList.add(attr);
+ PersonalAttribute attr1 = new PersonalAttribute();
+ attr1.setName("eidas/attributes/CurrentGivenName");
+ pAttList.add(attr1);
+
+ PersonalAttribute attr2 = new PersonalAttribute();
+ attr2.setName("eidas/attributes/DateOfBirth");
+ pAttList.add(attr2);
+
+ PersonalAttribute attr3 = new PersonalAttribute();
+ attr3.setName("eidas/attributes/PersonIdentifier");
+ pAttList.add(attr3);
+
//build eIDAS AuthnRequest
EIDASAuthnRequest authnRequest = new EIDASAuthnRequest();
String assertionConsumerURL="https://demo.a-sit.at/EidasNode/ColleagueRequest";
- authnRequest.setAssertionConsumerServiceURL(assertionConsumerURL);
+// authnRequest.setAssertionConsumerServiceURL(assertionConsumerURL);
String providerName = "sp3fr-moa";
authnRequest.setProviderName(providerName);
// int qaaLevel = 1;
// authnRequest.setQaa(qaaLevel); // not needed anymore. furthermore this may make the node think the request at hand is a stork request and we do not want that.
authnRequest.setPersonalAttributeList(pAttList);
- String issuer = "http://localhost:12344/moa-id-auth/eidas/metadata";
+ String issuer = "http://localhost:12343/moa-id-auth/eidas/metadata";
authnRequest.setIssuer(issuer);
authnRequest.setDestination(assertionConsumerURL);
authnRequest.setEidasNameidFormat(EIDASAuthnRequest.NAMEID_FORMAT_UNSPECIFIED);
@@ -116,6 +127,8 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
authnRequest.setEidasLoACompareType(EidasLoaCompareType.MINIMUM.stringValue());
authnRequest.setAlias(providerName);
+ authnRequest.setSPType("public");
+
engine.initRequestedAttributes(pAttList);
authnRequest = engine.generateEIDASAuthnRequest(authnRequest);
@@ -134,6 +147,8 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
context.put(actionType, SAMLRequest);
Logger.debug("Encoded " + actionType + " original: " + SAMLRequest);
+ context.put("RelayState", moasessionid);
+
Logger.debug("Using assertion consumer url as action: " + assertionConsumerURL);
context.put("action", assertionConsumerURL);
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java
index 8fdb40065..e80d62535 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java
@@ -3,16 +3,88 @@ package at.gv.egovernment.moa.id.auth.modules.eidas.tasks;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import eu.eidas.auth.commons.EIDASAuthnResponse;
+import eu.eidas.auth.commons.EIDASUtil;
+import eu.eidas.auth.engine.EIDASSAMLEngine;
+import eu.eidas.engine.exceptions.EIDASSAMLEngineException;
+
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
+import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
+import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException;
+import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils;
+import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
+import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
+import at.gv.egovernment.moa.id.moduls.IRequest;
+import at.gv.egovernment.moa.id.moduls.RequestStorage;
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
@Override
public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) throws TaskExecutionException {
- System.out.println(request.getContentLength());
+ try{
+ String moasessionid = (String) executionContext.get(MOAIDAuthConstants.PARAM_SESSIONID);
+ String pendingRequestID = (String) executionContext.get("pendingRequestID");
+
+ //load pending request
+ IRequest pendingReq = RequestStorage.getPendingRequest(pendingRequestID);
+ if (pendingReq == null) {
+ Logger.info("No PendingRequest with Id: " + pendingRequestID + " Maybe, a transaction timeout occure.");
+ throw new MOAIDException("auth.28", new Object[]{pendingRequestID});
+
+ }
+
+ //load MOASession object and OA-configuration
+ AuthenticationSession moasession = AuthenticationSessionStoreage.getSession(moasessionid);
+ IOAAuthParameters oaConfig = pendingReq.getOnlineApplicationConfiguration();
+
+ //get SAML Response and decode it
+ String base64SamlToken = request.getParameter("SAMLResponse");
+ if (MiscUtil.isEmpty(base64SamlToken)) {
+ Logger.warn("No eIDAS SAMLReponse found in http request.");
+ throw new MOAIDException("HTTP request includes no eIDAS SAML-Response element.", null);
+
+ }
+ byte[] decSamlToken = EIDASUtil.decodeSAMLToken(base64SamlToken);
+
+ //get eIDAS SAML-engine
+ EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine();
+
+ //validate SAML token
+ EIDASAuthnResponse samlResp = engine.validateEIDASAuthnResponse(decSamlToken,
+ request.getRemoteHost(), Constants.CONFIG_PROPS_SKEWTIME);
+
+ boolean encryptedResponse=engine.isEncryptedSamlResponse(decSamlToken);
+ if (encryptedResponse) {
+ Logger.info("Received encrypted eIDAS SAML-Response.");
+ //TODO: check if additional decryption operation is required
+
+ }
+
+
+
+
+ System.out.println(new String(decSamlToken));
+
+
+ }catch (EIDASSAMLEngineException e) {
+ Logger.error("eIDAS AuthnRequest generation FAILED.", e);
+ throw new TaskExecutionException("eIDAS AuthnRequest generation FAILED.",
+ new EIDASEngineException("Could not generate token for Saml Request", e));
+
+ } catch (EIDASEngineException | MOAIDException | MOADatabaseException e) {
+ throw new TaskExecutionException("eIDAS AuthnRequest generation FAILED.", e);
+
+ }
+
}
}