diff options
author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2013-12-17 08:33:18 +0100 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2013-12-17 08:33:18 +0100 |
commit | 3546cafb4942247edf298996186fcdfa32eb9954 (patch) | |
tree | f84dab4723d93f1d965e2c0c62775760c8c95321 /id/server | |
parent | ad6cd1e156a7fcdadedf7fe7b54dedf8c0c897b1 (diff) | |
download | moa-id-spss-3546cafb4942247edf298996186fcdfa32eb9954.tar.gz moa-id-spss-3546cafb4942247edf298996186fcdfa32eb9954.tar.bz2 moa-id-spss-3546cafb4942247edf298996186fcdfa32eb9954.zip |
First version for testing -> Exthex OAuth implementation
Diffstat (limited to 'id/server')
35 files changed, 2377 insertions, 453 deletions
diff --git a/id/server/auth/src/main/webapp/WEB-INF/urlrewrite.xml b/id/server/auth/src/main/webapp/WEB-INF/urlrewrite.xml index d33cae207..2f17c7d98 100644 --- a/id/server/auth/src/main/webapp/WEB-INF/urlrewrite.xml +++ b/id/server/auth/src/main/webapp/WEB-INF/urlrewrite.xml @@ -52,6 +52,16 @@ <to type="forward">/dispatcher?mod=id_pvp2x&action=Soap</to> </rule> + <rule match-type="regex"> + <from>^/oauth2/auth\\?(.*)$</from> + <to type="forward">/dispatcher?mod=id_oauth20&action=AUTH&%{query-string}</to> + </rule> + <rule match-type="regex"> + <from>^/oauth2/token\\?(.*)$</from> + <to type="forward">/dispatcher?mod=id_oauth20&action=TOKEN&%{query-string}</to> + </rule> + + <outbound-rule> <note> The outbound-rule specifies that when response.encodeURL is called (if diff --git a/id/server/idserverlib/pom.xml b/id/server/idserverlib/pom.xml index ab1a28091..3cc7c38de 100644 --- a/id/server/idserverlib/pom.xml +++ b/id/server/idserverlib/pom.xml @@ -1,4 +1,5 @@ -<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<parent>
<groupId>MOA.id</groupId>
<artifactId>moa-id</artifactId>
@@ -16,30 +17,30 @@ </properties>
<repositories>
- <repository>
- <id>shibboleth.internet2.edu</id>
- <name>Internet2</name>
- <url>https://build.shibboleth.net/nexus/content/groups/public/</url>
- </repository>
+ <repository>
+ <id>shibboleth.internet2.edu</id>
+ <name>Internet2</name>
+ <url>https://build.shibboleth.net/nexus/content/groups/public/</url>
+ </repository>
</repositories>
-
+
<dependencies>
- <dependency>
- <groupId>MOA.id</groupId>
- <artifactId>stork-saml-engine</artifactId>
- <version>1.5.2</version>
- </dependency>
- <dependency>
- <groupId>MOA.id.server</groupId>
- <artifactId>moa-id-commons</artifactId>
- <version>${pom.version}</version>
- </dependency>
+ <dependency>
+ <groupId>MOA.id</groupId>
+ <artifactId>stork-saml-engine</artifactId>
+ <version>1.5.2</version>
+ </dependency>
+ <dependency>
+ <groupId>MOA.id.server</groupId>
+ <artifactId>moa-id-commons</artifactId>
+ <version>${pom.version}</version>
+ </dependency>
<dependency>
<groupId>MOA</groupId>
<artifactId>moa-common</artifactId>
<type>jar</type>
</dependency>
- <dependency>
+ <dependency>
<groupId>MOA</groupId>
<artifactId>moa-common</artifactId>
<type>test-jar</type>
@@ -96,10 +97,10 @@ <groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId>
</dependency>
- <dependency>
- <groupId>commons-httpclient</groupId>
- <artifactId>commons-httpclient</artifactId>
- </dependency>
+ <dependency>
+ <groupId>commons-httpclient</groupId>
+ <artifactId>commons-httpclient</artifactId>
+ </dependency>
<dependency>
<groupId>dav4j</groupId>
<artifactId>dav4j</artifactId>
@@ -129,11 +130,8 @@ <groupId>iaik.prod</groupId>
<artifactId>iaik_X509TrustManager</artifactId>
</dependency>
-<!-- <dependency>
- <groupId>iaik</groupId>
- <artifactId>moa</artifactId>
- <version>1.28</version>
- </dependency> -->
+ <!-- <dependency> <groupId>iaik</groupId> <artifactId>moa</artifactId>
+ <version>1.28</version> </dependency> -->
<dependency>
<groupId>edu.internet2.middleware</groupId>
<artifactId>shibboleth-common</artifactId>
@@ -149,37 +147,69 @@ <groupId>regexp</groupId>
<artifactId>regexp</artifactId>
</dependency>
- <!-- <dependency>
- <groupId>commons-httpclient</groupId>
- <artifactId>commons-httpclient</artifactId>
- </dependency>-->
- <!-- <dependency>
- <groupId>at.gv.egovernment.moa.id</groupId>
- <artifactId>mandate-validate</artifactId>
- <version>1.1</version>
- </dependency>-->
+ <!-- <dependency> <groupId>commons-httpclient</groupId> <artifactId>commons-httpclient</artifactId>
+ </dependency> -->
+ <!-- <dependency> <groupId>at.gv.egovernment.moa.id</groupId> <artifactId>mandate-validate</artifactId>
+ <version>1.1</version> </dependency> -->
+ <dependency>
+ <groupId>commons-lang</groupId>
+ <artifactId>commons-lang</artifactId>
+ <version>2.6</version>
+ </dependency>
+
+
+ <!-- JSON JWT implementation -->
+ <dependency>
+ <groupId>com.googlecode.jsontoken</groupId>
+ <artifactId>jsontoken</artifactId>
+ <version>1.0</version>
+ </dependency>
+
<dependency>
- <groupId>commons-lang</groupId>
- <artifactId>commons-lang</artifactId>
- <version>2.6</version>
- </dependency>
+ <groupId>commons-codec</groupId>
+ <artifactId>commons-codec</artifactId>
+ <version>1.8</version>
+ </dependency>
+
+ <!-- Google OAuth Client -->
+ <dependency>
+ <groupId>com.google.http-client</groupId>
+ <artifactId>google-http-client-jackson2</artifactId>
+ <version>1.17.0-rc</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>com.google.oauth-client</groupId>
+ <artifactId>google-oauth-client-jetty</artifactId>
+ <version>1.17.0-rc</version>
+ <scope>test</scope>
+ </dependency>
+
+ <!-- TestNG -->
+ <dependency>
+ <groupId>org.testng</groupId>
+ <artifactId>testng</artifactId>
+ <version>6.1.1</version>
+ <scope>test</scope>
+ </dependency>
+
</dependencies>
<build>
<plugins>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-compiler-plugin</artifactId>
- <configuration>
- <source>1.5</source>
- <target>1.5</target>
- </configuration>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <configuration>
+ <source>1.5</source>
+ <target>1.5</target>
+ </configuration>
</plugin>
- <plugin>
+ <plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<configuration>
- <skipTests>true</skipTests>
+ <skipTests>true</skipTests>
<archive>
<addMavenDescriptor>false</addMavenDescriptor>
</archive>
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/StartAuthenticationBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/StartAuthenticationBuilder.java index 3bc152ec8..e4bf37417 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/StartAuthenticationBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/StartAuthenticationBuilder.java @@ -36,7 +36,8 @@ public class StartAuthenticationBuilder { Logger.info("Starting authentication for a citizen of country: " + (StringUtils.isEmpty(moasession.getCcc()) ? "AT" : moasession.getCcc())); // STORK or normal authentication - if (storkConfig.isSTORKAuthentication(moasession.getCcc())) { + //TODO: commented because npe was thrown + /*if (storkConfig.isSTORKAuthentication(moasession.getCcc())) { //STORK authentication Logger.trace("Found C-PEPS configuration for citizen of country: " + moasession.getCcc()); Logger.debug("Starting STORK authentication"); @@ -44,13 +45,13 @@ public class StartAuthenticationBuilder { AuthenticationServer.startSTORKAuthentication(req, resp, moasession); return ""; - } else { + } else {*/ //normal MOA-ID authentication Logger.debug("Starting normal MOA-ID authentication"); String getIdentityLinkForm = AuthenticationServer.getInstance().startAuthentication(moasession, req); return getIdentityLinkForm; - } + //} } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index 9eaa13f04..1061a2802 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -1,24 +1,15 @@ /* - * Copyright 2003 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. + * Copyright 2003 Federal Chancellery Austria MOA-ID has been developed in a cooperation between + * BRZ, the Federal Chancellery Austria - ICT staff unit, and Graz University of Technology. + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by the European + * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in + * compliance with the Licence. You may obtain a copy of the Licence at: http://www.osor.eu/eupl/ + * Unless required by applicable law or agreed to in writing, software distributed under the Licence + * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the Licence for the specific language governing permissions and limitations under + * the Licence. This product combines work with different licenses. See the "NOTICE" text file for + * details on the various modules and licenses. The "NOTICE" text file is part of the distribution. + * Any derivative works that you distribute must include a readable copy of the "NOTICE" text file. */ package at.gv.egovernment.moa.id.auth.data; @@ -37,6 +28,7 @@ import org.w3c.dom.Element; import at.gv.egovernment.moa.id.auth.validator.InfoboxValidator; import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils; +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject; import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; @@ -44,43 +36,40 @@ import at.gv.egovernment.moa.util.DOMUtils; import eu.stork.mw.messages.saml.STORKAuthnRequest; /** - * Session data to be stored between <code>AuthenticationServer</code> API - * calls. + * Session data to be stored between <code>AuthenticationServer</code> API calls. * * @author Paul Ivancsics * @version $Id$ */ public class AuthenticationSession implements Serializable { - + /** * */ private static final long serialVersionUID = 1L; public static final String TARGET_PREFIX_ = Constants.URN_PREFIX_CDID + "+"; - public static final String REGISTERANDORDNR_PREFIX_ = Constants.URN_PREFIX_WBPK - + "+"; - + public static final String REGISTERANDORDNR_PREFIX_ = Constants.URN_PREFIX_WBPK + "+"; + /** * session ID */ private String sessionID; /** - * "Geschäftsbereich" the online application belongs to; maybe - * <code>null</code> if the online application is a business application + * "Geschäftsbereich" the online application belongs to; maybe <code>null</code> if the + * online application is a business application */ private String target; /** - * Friendly name for the target, if target is configured via MOA-ID - * configuration + * Friendly name for the target, if target is configured via MOA-ID configuration */ private String targetFriendlyName; - + /** * SourceID */ private String sourceID; - + /** * public online application URL requested */ @@ -97,28 +86,25 @@ public class AuthenticationSession implements Serializable { * HTML template URL */ private String templateURL; - + /** * URL of the BKU */ private String bkuURL; - + /** - * Indicates whether the corresponding online application is a business - * service or not + * Indicates whether the corresponding online application is a business service or not */ private boolean businessService; - //Store Mandate + // Store Mandate /** * Use mandate */ private boolean useMandate; - private boolean isOW = false; - /** * STORK */ @@ -126,33 +112,32 @@ public class AuthenticationSession implements Serializable { /** * - * Mandate element + * Mandate element */ private MISMandate mandate; /** - * Reference value for mandate - * bussiness service for the assertion + * Reference value for mandate bussiness service for the assertion */ private String mandateReferenceValue; - + /** * SessionID for MIS */ private String misSessionID; - //store Identitylink + // store Identitylink /** * identity link read from smartcard */ private IdentityLink identityLink; - -// /** -// * timestamp logging when identity link has been received -// */ -// private Date timestampIdentityLink; - //store Authblock + // /** + // * timestamp logging when identity link has been received + // */ + // private Date timestampIdentityLink; + + // store Authblock /** * authentication block to be signed by the user */ @@ -164,61 +149,56 @@ public class AuthenticationSession implements Serializable { * The issuing time of the AUTH-Block SAML assertion. */ private String issueInstant; - - //Signer certificate + + // Signer certificate /** * Signer certificate of the foreign citizen or for mandate mode */ - //private X509Certificate signerCertificate; + // private X509Certificate signerCertificate; private byte[] signerCertificate; - /** - * SAML attributes from an extended infobox validation to be appended to the - * SAML assertion delivered to the final online application. + * SAML attributes from an extended infobox validation to be appended to the SAML assertion + * delivered to the final online application. */ private List<ExtendedSAMLAttribute> extendedSAMLAttributesOA; - + /** - * The boolean value for either a target or a wbPK is provided as SAML - * Attribute in the SAML Assertion or not. + * The boolean value for either a target or a wbPK is provided as SAML Attribute in the SAML + * Assertion or not. */ private boolean samlAttributeGebeORwbpk; - + /** - * SAML attributes from an extended infobox validation to be appended to the - * SAML assertion of the AUTHBlock. + * SAML attributes from an extended infobox validation to be appended to the SAML assertion of + * the AUTHBlock. */ private List<ExtendedSAMLAttribute> extendedSAMLAttributesAUTH; - + /** - * If infobox validators are needed after signing, they can be stored in - * this list. + * If infobox validators are needed after signing, they can be stored in this list. */ private List infoboxValidators; - + /** - * The register and number in the register parameter in case of a business - * service application. + * The register and number in the register parameter in case of a business service application. */ private String domainIdentifier; - + /** - * This string contains all identifiers of infoboxes, the online application - * is configured to accept. The infobox identifiers are comma separated. + * This string contains all identifiers of infoboxes, the online application is configured to + * accept. The infobox identifiers are comma separated. */ private String pushInfobox; - + /** * The STORK AuthRequest to be sent to the C-PEPS */ private STORKAuthnRequest storkAuthnRequest; + // private AuthenticationData authData; - - //private AuthenticationData authData; - - //protocol selection + // protocol selection private String action; private String modul; @@ -227,82 +207,83 @@ public class AuthenticationSession implements Serializable { private boolean ssoRequested = false; -// /** -// * Indicates if target from configuration is used or not -// */ -// private boolean useTargetFromConfig; - -// /** -// * Authentication data for the assertion -// */ -// private AuthenticationData assertionAuthData; -// -// /** -// * Persondata for the assertion -// */ -// private String assertionPrPerson; -// -// /** -// * Authblock for the assertion -// */ -// private String assertionAuthBlock; -// -// /** -// * Identitylink assertion for the (MOA) assertion -// */ -// private String assertionIlAssertion; -// -// /** -// * Signer certificate (base64 encoded) for the assertion -// */ -// private String assertionSignerCertificateBase64; -// -// /** -// * bussiness service for the assertion -// */ -// boolean assertionBusinessService; -// -// /** -// * timestamp logging when authentication session has been created -// */ -// private Date timestampStart; -// private CreateXMLSignatureResponse XMLCreateSignatureResponse; + private OAuth20SessionObject oAuth20SessionObject; + + // /** + // * Indicates if target from configuration is used or not + // */ + // private boolean useTargetFromConfig; + + // /** + // * Authentication data for the assertion + // */ + // private AuthenticationData assertionAuthData; + // + // /** + // * Persondata for the assertion + // */ + // private String assertionPrPerson; + // + // /** + // * Authblock for the assertion + // */ + // private String assertionAuthBlock; + // + // /** + // * Identitylink assertion for the (MOA) assertion + // */ + // private String assertionIlAssertion; + // + // /** + // * Signer certificate (base64 encoded) for the assertion + // */ + // private String assertionSignerCertificateBase64; + // + // /** + // * bussiness service for the assertion + // */ + // boolean assertionBusinessService; + // + // /** + // * timestamp logging when authentication session has been created + // */ + // private Date timestampStart; + // private CreateXMLSignatureResponse XMLCreateSignatureResponse; private VerifyXMLSignatureResponse XMLVerifySignatureResponse; private boolean isForeigner; -// private String requestedProtocolURL = null; - + // private String requestedProtocolURL = null; + public String getModul() { return modul; } - + public void setModul(String modul) { this.modul = modul; } - + public String getAction() { return action; } - + public void setAction(String action) { this.action = action; } - -// public AuthenticationData getAuthData() { -// return authData; -// } -// -// public void setAuthData(AuthenticationData authData) { -// this.authData = authData; -// } - - + + // public AuthenticationData getAuthData() { + // return authData; + // } + // + // public void setAuthData(AuthenticationData authData) { + // this.authData = authData; + // } + public boolean isAuthenticatedUsed() { return authenticatedUsed; } - + public void setAuthenticatedUsed(boolean authenticatedUsed) { this.authenticatedUsed = authenticatedUsed; } @@ -314,16 +295,15 @@ public class AuthenticationSession implements Serializable { public void setAuthenticated(boolean authenticated) { this.authenticated = authenticated; } - - -// public String getRequestedProtocolURL() { -// return requestedProtocolURL; -// } -// -// public void setRequestedProtocolURL(String requestedProtocolURL) { -// this.requestedProtocolURL = requestedProtocolURL; -// } - + + // public String getRequestedProtocolURL() { + // return requestedProtocolURL; + // } + // + // public void setRequestedProtocolURL(String requestedProtocolURL) { + // this.requestedProtocolURL = requestedProtocolURL; + // } + /** * Constructor for AuthenticationSession. * @@ -332,14 +312,15 @@ public class AuthenticationSession implements Serializable { */ public AuthenticationSession(String id) { sessionID = id; -// setTimestampStart(); + // setTimestampStart(); infoboxValidators = new ArrayList(); } - - public X509Certificate getSignerCertificate(){ + + public X509Certificate getSignerCertificate() { try { return new X509Certificate(signerCertificate); - } catch (CertificateException e) { + } + catch (CertificateException e) { Logger.warn("Signer certificate can not be loaded from session database!", e); return null; } @@ -348,15 +329,16 @@ public class AuthenticationSession implements Serializable { public byte[] getEncodedSignerCertificate() { return this.signerCertificate; } - + public void setSignerCertificate(X509Certificate signerCertificate) { try { this.signerCertificate = signerCertificate.getEncoded(); - } catch (CertificateEncodingException e) { + } + catch (CertificateEncodingException e) { Logger.warn("Signer certificate can not be stored to session database!", e); } } - + /** * Returns the identityLink. * @@ -365,7 +347,7 @@ public class AuthenticationSession implements Serializable { public IdentityLink getIdentityLink() { return identityLink; } - + /** * Returns the sessionID. * @@ -374,7 +356,7 @@ public class AuthenticationSession implements Serializable { public String getSessionID() { return sessionID; } - + /** * Sets the identityLink. * @@ -384,7 +366,7 @@ public class AuthenticationSession implements Serializable { public void setIdentityLink(IdentityLink identityLink) { this.identityLink = identityLink; } - + /** * Sets the sessionID. * @@ -394,7 +376,7 @@ public class AuthenticationSession implements Serializable { public void setSessionID(String sessionId) { this.sessionID = sessionId; } - + /** * Returns the oaURLRequested. * @@ -403,7 +385,7 @@ public class AuthenticationSession implements Serializable { public String getOAURLRequested() { return oaURLRequested; } - + /** * Returns the oaURLRequested. * @@ -412,7 +394,7 @@ public class AuthenticationSession implements Serializable { public String getPublicOAURLPrefix() { return oaPublicURLPrefix; } - + /** * Returns the BKU URL. * @@ -421,7 +403,7 @@ public class AuthenticationSession implements Serializable { public String getBkuURL() { return bkuURL; } - + /** * Returns the target. * @@ -430,7 +412,7 @@ public class AuthenticationSession implements Serializable { public String getTarget() { return target; } - + /** * Returns the sourceID. * @@ -439,7 +421,7 @@ public class AuthenticationSession implements Serializable { public String getSourceID() { return sourceID; } - + /** * Returns the target friendly name. * @@ -448,7 +430,7 @@ public class AuthenticationSession implements Serializable { public String getTargetFriendlyName() { return targetFriendlyName; } - + /** * Sets the oaURLRequested. * @@ -458,7 +440,7 @@ public class AuthenticationSession implements Serializable { public void setOAURLRequested(String oaURLRequested) { this.oaURLRequested = oaURLRequested; } - + /** * Sets the oaPublicURLPrefix * @@ -468,7 +450,7 @@ public class AuthenticationSession implements Serializable { public void setPublicOAURLPrefix(String oaPublicURLPrefix) { this.oaPublicURLPrefix = oaPublicURLPrefix; } - + /** * Sets the bkuURL * @@ -478,10 +460,9 @@ public class AuthenticationSession implements Serializable { public void setBkuURL(String bkuURL) { this.bkuURL = bkuURL; } - + /** - * Sets the target. If the target includes the target prefix, the prefix - * will be stripped off. + * Sets the target. If the target includes the target prefix, the prefix will be stripped off. * * @param target * The target to set @@ -491,13 +472,12 @@ public class AuthenticationSession implements Serializable { // If target starts with prefix "urn:publicid:gv.at:cdid+"; remove // prefix this.target = target.substring(TARGET_PREFIX_.length()); - Logger.debug("Target prefix stripped off; resulting target: " - + this.target); + Logger.debug("Target prefix stripped off; resulting target: " + this.target); } else { this.target = target; } } - + /** * Sets the sourceID * @@ -507,10 +487,9 @@ public class AuthenticationSession implements Serializable { public void setSourceID(String sourceID) { this.sourceID = sourceID; } - + /** - * Sets the target. If the target includes the target prefix, the prefix - * will be stripped off. + * Sets the target. If the target includes the target prefix, the prefix will be stripped off. * * @param target * The target to set @@ -518,7 +497,7 @@ public class AuthenticationSession implements Serializable { public void setTargetFriendlyName(String targetFriendlyName) { this.targetFriendlyName = targetFriendlyName; } - + /** * Returns the authURL. * @@ -527,7 +506,7 @@ public class AuthenticationSession implements Serializable { public String getAuthURL() { return authURL; } - + /** * Sets the authURL. * @@ -537,7 +516,7 @@ public class AuthenticationSession implements Serializable { public void setAuthURL(String authURL) { this.authURL = authURL; } - + /** * Returns the authBlock. * @@ -546,7 +525,7 @@ public class AuthenticationSession implements Serializable { public String getAuthBlock() { return authBlock; } - + /** * Sets the authBlock. * @@ -556,17 +535,17 @@ public class AuthenticationSession implements Serializable { public void setAuthBlock(String authBlock) { this.authBlock = authBlock; } - + /** * Returns the businessService. * - * @return <code>true</code> if the corresponding online application is a - * business application, otherwise <code>false</code> + * @return <code>true</code> if the corresponding online application is a business application, + * otherwise <code>false</code> */ public boolean getBusinessService() { return businessService; } - + /** * Sets the businessService variable. * @@ -576,15 +555,14 @@ public class AuthenticationSession implements Serializable { public void setBusinessService(boolean businessService) { this.businessService = businessService; } - - + /** * @return template URL */ public String getTemplateURL() { return templateURL; } - + /** * @param string * the template URL @@ -592,21 +570,18 @@ public class AuthenticationSession implements Serializable { public void setTemplateURL(String string) { templateURL = string; } - + /** - * Returns the SAML Attributes to be appended to the AUTHBlock. Maybe - * <code>null</code>. + * Returns the SAML Attributes to be appended to the AUTHBlock. Maybe <code>null</code>. * - * @return The SAML Attributes to be appended to the AUTHBlock. Maybe - * <code>null</code>. + * @return The SAML Attributes to be appended to the AUTHBlock. Maybe <code>null</code>. */ public List<ExtendedSAMLAttribute> getExtendedSAMLAttributesAUTH() { - if (extendedSAMLAttributesAUTH == null) - extendedSAMLAttributesAUTH = new ArrayList<ExtendedSAMLAttribute>(); + if (extendedSAMLAttributesAUTH == null) extendedSAMLAttributesAUTH = new ArrayList<ExtendedSAMLAttribute>(); return extendedSAMLAttributesAUTH; } - + /** * Sets the SAML Attributes to be appended to the AUTHBlock. * @@ -616,53 +591,53 @@ public class AuthenticationSession implements Serializable { public void setExtendedSAMLAttributesAUTH(List<ExtendedSAMLAttribute> extendedSAMLAttributesAUTH) { this.extendedSAMLAttributesAUTH = extendedSAMLAttributesAUTH; } - + /** - * Returns the SAML Attributes to be appended to the SAML assertion - * delivered to the online application. Maybe <code>null</code>. + * Returns the SAML Attributes to be appended to the SAML assertion delivered to the online + * application. Maybe <code>null</code>. * - * @return The SAML Attributes to be appended to the SAML assertion - * delivered to the online application + * @return The SAML Attributes to be appended to the SAML assertion delivered to the online + * application */ public List<ExtendedSAMLAttribute> getExtendedSAMLAttributesOA() { return extendedSAMLAttributesOA; } - + /** - * Sets the SAML Attributes to be appended to the SAML assertion delivered - * to the online application. + * Sets the SAML Attributes to be appended to the SAML assertion delivered to the online + * application. * * @param extendedSAMLAttributesOA - * The SAML Attributes to be appended to the SAML assertion - * delivered to the online application. + * The SAML Attributes to be appended to the SAML assertion delivered to the online + * application. */ public void setExtendedSAMLAttributesOA(List<ExtendedSAMLAttribute> extendedSAMLAttributesOA) { this.extendedSAMLAttributesOA = extendedSAMLAttributesOA; } - + /** - * Returns the boolean value for either a target or a wbPK is provided as - * SAML Attribute in the SAML Assertion or not. + * Returns the boolean value for either a target or a wbPK is provided as SAML Attribute in the + * SAML Assertion or not. * - * @return true either a target or a wbPK is provided as SAML Attribute in - * the SAML Assertion or false if not. + * @return true either a target or a wbPK is provided as SAML Attribute in the SAML Assertion or + * false if not. */ public boolean getSAMLAttributeGebeORwbpk() { return this.samlAttributeGebeORwbpk; } - + /** - * Sets the boolean value for either a target or a wbPK is provided as SAML - * Attribute in the SAML Assertion or not. + * Sets the boolean value for either a target or a wbPK is provided as SAML Attribute in the + * SAML Assertion or not. * * @param samlAttributeGebeORwbpk - * The boolean for value either a target or wbPK is provided as - * SAML Attribute in the SAML Assertion or not. + * The boolean for value either a target or wbPK is provided as SAML Attribute in the + * SAML Assertion or not. */ public void setSAMLAttributeGebeORwbpk(boolean samlAttributeGebeORwbpk) { this.samlAttributeGebeORwbpk = samlAttributeGebeORwbpk; } - + /** * Returns the issuing time of the AUTH-Block SAML assertion. * @@ -671,7 +646,7 @@ public class AuthenticationSession implements Serializable { public String getIssueInstant() { return issueInstant; } - + /** * Sets the issuing time of the AUTH-Block SAML assertion. * @@ -681,40 +656,39 @@ public class AuthenticationSession implements Serializable { public void setIssueInstant(String issueInstant) { this.issueInstant = issueInstant; } - + /** * Returns the iterator to the stored infobox validators. * * @return Iterator */ public Iterator getInfoboxValidatorIterator() { - if (infoboxValidators == null) - return null; + if (infoboxValidators == null) return null; return infoboxValidators.iterator(); } - -// /** -// * Adds an infobox validator class to the stored infobox validators. -// * -// * @param infoboxIdentifier -// * the identifier of the infobox the validator belongs to -// * @param infoboxFriendlyName -// * the friendly name of the infobox -// * @param infoboxValidator -// * the infobox validator to add -// */ -// public Iterator addInfoboxValidator(String infoboxIdentifier, -// String infoboxFriendlyName, InfoboxValidator infoboxValidator) { -// if (infoboxValidators == null) -// infoboxValidators = new ArrayList(); -// Vector v = new Vector(3); -// v.add(infoboxIdentifier); -// v.add(infoboxFriendlyName); -// v.add(infoboxValidator); -// infoboxValidators.add(v); -// return infoboxValidators.iterator(); -// } - + + // /** + // * Adds an infobox validator class to the stored infobox validators. + // * + // * @param infoboxIdentifier + // * the identifier of the infobox the validator belongs to + // * @param infoboxFriendlyName + // * the friendly name of the infobox + // * @param infoboxValidator + // * the infobox validator to add + // */ + // public Iterator addInfoboxValidator(String infoboxIdentifier, + // String infoboxFriendlyName, InfoboxValidator infoboxValidator) { + // if (infoboxValidators == null) + // infoboxValidators = new ArrayList(); + // Vector v = new Vector(3); + // v.add(infoboxIdentifier); + // v.add(infoboxFriendlyName); + // v.add(infoboxValidator); + // infoboxValidators.add(v); + // return infoboxValidators.iterator(); + // } + /** * Tests for pending input events of the infobox validators. * @@ -726,100 +700,94 @@ public class AuthenticationSession implements Serializable { if (iter != null) { while (!result && iter.hasNext()) { Vector infoboxValidatorVector = (Vector) iter.next(); - InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector - .get(2); - if (!ParepUtils.isEmpty(infoboxvalidator.getForm())) - result = true; + InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector.get(2); + if (!ParepUtils.isEmpty(infoboxvalidator.getForm())) result = true; } } return result; } - -// /** -// * Returns the first pending infobox validator. -// * -// * @return the infobox validator class -// */ -// public InfoboxValidator getFirstPendingValidator() { -// Iterator iter = getInfoboxValidatorIterator(); -// if (iter != null) { -// while (iter.hasNext()) { -// Vector infoboxValidatorVector = (Vector) iter.next(); -// InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector -// .get(2); -// String form = infoboxvalidator.getForm(); -// if (!ParepUtils.isEmpty(form)) -// return infoboxvalidator; -// } -// } -// return null; -// } - -// /** -// * Returns the input form of the first pending infobox validator input -// * processor. -// * -// * @return the form to show -// */ -// public String getFirstValidatorInputForm() { -// Iterator iter = getInfoboxValidatorIterator(); -// if (iter != null) { -// while (iter.hasNext()) { -// Vector infoboxValidatorVector = (Vector) iter.next(); -// InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector -// .get(2); -// String form = infoboxvalidator.getForm(); -// if (!ParepUtils.isEmpty(form)) -// return form; -// } -// } -// return null; -// } - - /** - * Returns domain identifier (the register and number in the register - * parameter). <code>null</code> in the case of not a business service. + + // /** + // * Returns the first pending infobox validator. + // * + // * @return the infobox validator class + // */ + // public InfoboxValidator getFirstPendingValidator() { + // Iterator iter = getInfoboxValidatorIterator(); + // if (iter != null) { + // while (iter.hasNext()) { + // Vector infoboxValidatorVector = (Vector) iter.next(); + // InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector + // .get(2); + // String form = infoboxvalidator.getForm(); + // if (!ParepUtils.isEmpty(form)) + // return infoboxvalidator; + // } + // } + // return null; + // } + + // /** + // * Returns the input form of the first pending infobox validator input + // * processor. + // * + // * @return the form to show + // */ + // public String getFirstValidatorInputForm() { + // Iterator iter = getInfoboxValidatorIterator(); + // if (iter != null) { + // while (iter.hasNext()) { + // Vector infoboxValidatorVector = (Vector) iter.next(); + // InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector + // .get(2); + // String form = infoboxvalidator.getForm(); + // if (!ParepUtils.isEmpty(form)) + // return form; + // } + // } + // return null; + // } + + /** + * Returns domain identifier (the register and number in the register parameter). + * <code>null</code> in the case of not a business service. * * @return the domainIdentifier */ public String getDomainIdentifier() { return domainIdentifier; } - + /** - * Sets the register and number in the register parameter if the application - * is a business service. If the domain identifier includes the - * registerAndOrdNr prefix, the prefix will be stripped off. + * Sets the register and number in the register parameter if the application is a business + * service. If the domain identifier includes the registerAndOrdNr prefix, the prefix will be + * stripped off. * * @param domainIdentifier * the domain identifier to set */ public void setDomainIdentifier(String domainIdentifier) { - if (domainIdentifier != null - && domainIdentifier.startsWith(REGISTERANDORDNR_PREFIX_)) { + if (domainIdentifier != null && domainIdentifier.startsWith(REGISTERANDORDNR_PREFIX_)) { // If domainIdentifier starts with prefix // "urn:publicid:gv.at:wbpk+"; remove this prefix - this.domainIdentifier = domainIdentifier - .substring(REGISTERANDORDNR_PREFIX_.length()); - Logger.debug("Register and ordernumber prefix stripped off; resulting register string: " - + this.domainIdentifier); + this.domainIdentifier = domainIdentifier.substring(REGISTERANDORDNR_PREFIX_.length()); + Logger.debug("Register and ordernumber prefix stripped off; resulting register string: " + this.domainIdentifier); } else { this.domainIdentifier = domainIdentifier; } } - + /** - * Gets all identifiers of infoboxes, the online application is configured - * to accept. The infobox identifiers are comma separated. + * Gets all identifiers of infoboxes, the online application is configured to accept. The + * infobox identifiers are comma separated. * * @return the string containing infobox identifiers */ public String getPushInfobox() { - if (pushInfobox == null) - return ""; + if (pushInfobox == null) return ""; return pushInfobox; } - + /** * @param pushInfobox * the infobox identifiers to set (comma separated) @@ -827,7 +795,7 @@ public class AuthenticationSession implements Serializable { public void setPushInfobox(String pushInfobox) { this.pushInfobox = pushInfobox; } - + /** * * @param useMandate @@ -838,9 +806,9 @@ public class AuthenticationSession implements Serializable { this.useMandate = true; else this.useMandate = false; - + } - + /** * Returns if mandate is used or not * @@ -849,7 +817,7 @@ public class AuthenticationSession implements Serializable { public boolean getUseMandate() { return this.useMandate; } - + /** * * @param misSessionID @@ -858,7 +826,7 @@ public class AuthenticationSession implements Serializable { public void setMISSessionID(String misSessionID) { this.misSessionID = misSessionID; } - + /** * Returns the MIS session ID * @@ -867,14 +835,14 @@ public class AuthenticationSession implements Serializable { public String getMISSessionID() { return this.misSessionID; } - + /** * @return the mandateReferenceValue */ public String getMandateReferenceValue() { return mandateReferenceValue; } - + /** * @param mandateReferenceValue * the mandateReferenceValue to set @@ -882,7 +850,7 @@ public class AuthenticationSession implements Serializable { public void setMandateReferenceValue(String mandateReferenceValue) { this.mandateReferenceValue = mandateReferenceValue; } - + /** * Gets the STORK SAML AuthnRequest * @@ -891,7 +859,7 @@ public class AuthenticationSession implements Serializable { public STORKAuthnRequest getStorkAuthnRequest() { return storkAuthnRequest; } - + /** * Sets the STORK SAML AuthnRequest * @@ -901,11 +869,11 @@ public class AuthenticationSession implements Serializable { public void setStorkAuthnRequest(STORKAuthnRequest storkAuthnRequest) { this.storkAuthnRequest = storkAuthnRequest; } - + public String getCcc() { return ccc; } - + public void setCcc(String ccc) { this.ccc = ccc; } @@ -913,23 +881,23 @@ public class AuthenticationSession implements Serializable { public boolean isForeigner() { return isForeigner; } - + public void setForeigner(boolean isForeigner) { this.isForeigner = isForeigner; } - + public VerifyXMLSignatureResponse getXMLVerifySignatureResponse() { return XMLVerifySignatureResponse; } - + public void setXMLVerifySignatureResponse(VerifyXMLSignatureResponse xMLVerifySignatureResponse) { XMLVerifySignatureResponse = xMLVerifySignatureResponse; } - + public MISMandate getMISMandate() { return mandate; } - + public void setMISMandate(MISMandate mandate) { this.mandate = mandate; } @@ -938,60 +906,75 @@ public class AuthenticationSession implements Serializable { try { byte[] byteMandate = mandate.getMandate(); String stringMandate = new String(byteMandate); - return DOMUtils.parseDocument(stringMandate, false, - null, null).getDocumentElement(); + return DOMUtils.parseDocument(stringMandate, false, null, null).getDocumentElement(); - }catch (Throwable e) { + } + catch (Throwable e) { Logger.warn("Mandate content could not be generated from MISMandate."); return null; - } + } } - + /** * @return the ssoRequested */ - //TODO: SSO only allowed without mandates, actually!!!!!! + // TODO: SSO only allowed without mandates, actually!!!!!! public boolean isSsoRequested() { return ssoRequested && !useMandate; } - + /** - * @param ssoRequested the ssoRequested to set + * @param ssoRequested + * the ssoRequested to set */ public void setSsoRequested(boolean ssoRequested) { this.ssoRequested = ssoRequested; } - + /** * @return the isOW */ public boolean isOW() { return isOW; } - + /** - * @param isOW the isOW to set + * @param isOW + * the isOW to set */ public void setOW(boolean isOW) { this.isOW = isOW; } - + /** * @return the authBlockTokken */ public String getAuthBlockTokken() { return authBlockTokken; } - + /** - * @param authBlockTokken the authBlockTokken to set + * @param authBlockTokken + * the authBlockTokken to set */ public void setAuthBlockTokken(String authBlockTokken) { this.authBlockTokken = authBlockTokken; } + /** + * @return the oAuth20SessionObject + */ + public OAuth20SessionObject getoAuth20SessionObject() { + return oAuth20SessionObject; + } - + /** + * @param oAuth20SessionObject + * the oAuth20SessionObject to set + */ + public void setoAuth20SessionObject(OAuth20SessionObject oAuth20SessionObject) { + this.oAuth20SessionObject = oAuth20SessionObject; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java index 7d76ce9d5..e5cf14d50 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java @@ -1,40 +1,30 @@ /* - * Copyright 2003 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. + * Copyright 2003 Federal Chancellery Austria MOA-ID has been developed in a cooperation between + * BRZ, the Federal Chancellery Austria - ICT staff unit, and Graz University of Technology. + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by the European + * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in + * compliance with the Licence. You may obtain a copy of the Licence at: http://www.osor.eu/eupl/ + * Unless required by applicable law or agreed to in writing, software distributed under the Licence + * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the Licence for the specific language governing permissions and limitations under + * the Licence. This product combines work with different licenses. See the "NOTICE" text file for + * details on the various modules and licenses. The "NOTICE" text file is part of the distribution. + * Any derivative works that you distribute must include a readable copy of the "NOTICE" text file. */ - package at.gv.egovernment.moa.id.config; +import at.gv.egovernment.moa.id.commons.db.dao.config.OAOAUTH20; import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; /** - * Configuration parameters belonging to an online application, - * to be used within both, the MOA ID Auth and the - * MOA ID PROXY component. + * Configuration parameters belonging to an online application, to be used within both, the MOA ID + * Auth and the MOA ID PROXY component. * * @author Harald Bratko */ public class OAParameter { - + public OAParameter(OnlineApplication oa) { this.oaType = oa.getType(); @@ -54,55 +44,68 @@ public class OAParameter { this.removePBKFromAuthblock = oa.isRemoveBPKFromAuthBlock(); + this.oAuth20Config = oa.getAuthComponentOA().getOAOAUTH20(); + + } - /** - * type of the online application (maybe "PublicService" or "BusinessService") - */ - private String oaType; - - /** - * specifies whether the online application is a business application or not - * (<code>true</code> if value of {@link #oaType} is "businessService" - */ - private boolean businessService; - - /** - * public URL prefix of the online application - */ - private String publicURLPrefix; - - /** - * specifies a human readable name of the Online Application - */ - private String friendlyName; - - /** - * specified a specific target for the Online Application (overwrites the target in der request) - */ - private String target; - /** - * specifies a friendly name for the target - */ - private String targetFriendlyName; - - private boolean removePBKFromAuthblock; - + /** + * type of the online application (maybe "PublicService" or "BusinessService") + */ + private String oaType; + + /** + * specifies whether the online application is a business application or not (<code>true</code> + * if value of {@link #oaType} is "businessService" + */ + private boolean businessService; + + /** + * public URL prefix of the online application + */ + private String publicURLPrefix; + + /** + * specifies a human readable name of the Online Application + */ + private String friendlyName; + + /** + * specified a specific target for the Online Application (overwrites the target in der request) + */ + private String target; + /** + * specifies a friendly name for the target + */ + private String targetFriendlyName; + + private boolean removePBKFromAuthblock; + + /** + * Contains the oAuth 2.0 configuration (client id, secret and redirect uri) + */ + private OAOAUTH20 oAuth20Config; + public String getOaType() { return oaType; } + public boolean getBusinessService() { return businessService; } + public String getPublicURLPrefix() { return publicURLPrefix; } + public String getFriendlyName() { return friendlyName; } + public String getTarget() { return target; } + public String getTargetFriendlyName() { return targetFriendlyName; } @@ -110,5 +113,9 @@ public class OAParameter { public boolean isRemovePBKFromAuthBlock() { return removePBKFromAuthblock; } - + + public OAOAUTH20 getoAuth20Config() { + return oAuth20Config; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 304771edf..29f567324 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -76,7 +76,6 @@ import at.gv.egovernment.moa.id.commons.db.dao.session.ExceptionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore; import at.gv.egovernment.moa.id.commons.db.dao.statistic.StatisticLog; -import at.gv.egovernment.moa.id.config.legacy.BuildFromLegacyConfig; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.ConfigurationProvider; import at.gv.egovernment.moa.id.config.ConfigurationUtils; @@ -84,6 +83,7 @@ import at.gv.egovernment.moa.id.config.ConnectionParameter; import at.gv.egovernment.moa.id.config.ConnectionParameterForeign; import at.gv.egovernment.moa.id.config.ConnectionParameterMOASP; import at.gv.egovernment.moa.id.config.ConnectionParameterMandate; +import at.gv.egovernment.moa.id.config.legacy.BuildFromLegacyConfig; import at.gv.egovernment.moa.id.config.stork.STORKConfig; import at.gv.egovernment.moa.id.data.IssuerAndSerial; import at.gv.egovernment.moa.logging.Logger; @@ -432,8 +432,10 @@ public class AuthConfigurationProvider extends ConfigurationProvider { if (foreign == null ) { Logger.warn("Error in MOA-ID Configuration. No STORK configuration found."); - } else - storkconfig = new STORKConfig(foreign.getSTORK(), props, rootConfigFileDir); + } + //TODO: commented because npe was thrown + //else + //storkconfig = new STORKConfig(foreign.getSTORK(), props, rootConfigFileDir); //load Chaining modes @@ -687,10 +689,9 @@ public class AuthConfigurationProvider extends ConfigurationProvider { } - public Properties getGeneralPVP2ProperiesConfig() { + private Properties getGeneralProperiesConfig(final String propPrefix) { Properties configProp = new Properties(); for (Object key : props.keySet()) { - String propPrefix = "protocols.pvp2."; if (key.toString().startsWith(propPrefix)) { String propertyName = key.toString().substring(propPrefix.length()); configProp.put(propertyName, props.get(key.toString())); @@ -699,6 +700,14 @@ public class AuthConfigurationProvider extends ConfigurationProvider { return configProp; } + public Properties getGeneralPVP2ProperiesConfig() { + return this.getGeneralProperiesConfig("protocols.pvp2."); + } + + public Properties getGeneralOAuth20ProperiesConfig() { + return this.getGeneralProperiesConfig("protocols.oauth20."); + } + public PVP2 getGeneralPVP2DBConfig() { return pvp2general; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 234641b4a..7130089ae 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -69,7 +69,6 @@ public class DispatcherServlet extends AuthServlet{ protected void processRequest(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { - boolean isValidSSOSession = false; boolean useSSOOA = false; String protocolRequestID = null; @@ -350,6 +349,7 @@ public class DispatcherServlet extends AuthServlet{ isValidSSOSession = ssomanager.isValidSSOSession(ssoId, req); useSSOOA = oaParam.useSSO(); + //if a legacy request is used SSO should not be allowed, actually boolean isUseMandateRequested = LegacyHelper.isUseMandateRequested(req); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ModulStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ModulStorage.java index 2a92f3ce5..31bf1ff58 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ModulStorage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/ModulStorage.java @@ -10,7 +10,8 @@ public class ModulStorage { private static final String[] modulClasses = new String[]{ "at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol", - "at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol" + "at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol", + "at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Protocol" }; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20AuthAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20AuthAction.java new file mode 100644 index 000000000..949b06bb2 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20AuthAction.java @@ -0,0 +1,92 @@ +package at.gv.egovernment.moa.id.protocols.oauth20; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.moduls.IAction; +import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ResponseTypeException; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ServerErrorException; +import at.gv.egovernment.moa.id.protocols.oauth20.requests.OAuth20AuthRequest; +import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.logging.Logger; + +public class OAuth20AuthAction implements IAction { + + public String processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, + AuthenticationSession moasession) throws MOAIDException { + + OAuth20AuthRequest oAuthRequest = (OAuth20AuthRequest) req; + + // OAAuthParameter oaParam = + // AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oAuthRequest.getOAURL()); + // AuthenticationData authData = + // AuthenticationServer.buildAuthenticationData(moasession, oaParam, + // oAuthRequest.getTarget()); + + String responseType = oAuthRequest.getResponseType(); + + String code = AuthenticationSessionStoreage.changeSessionID(moasession); + Logger.debug("Stored session with id: " + code); + if (responseType.equals(OAuth20Constants.RESPONSE_CODE)) { + OAuth20SessionObject o = new OAuth20SessionObject(); + o.setScope(oAuthRequest.getScope()); + o.setCode(code); + moasession.setoAuth20SessionObject(o); + try { + AuthenticationSessionStoreage.storeSession(moasession); + } + catch (MOADatabaseException e) { + throw new OAuth20ServerErrorException(); + } + + Logger.debug("Saved OAuth20SessionObject in session with id: " + moasession.getSessionID()); + } else if (responseType.equals(OAuth20Constants.RESPONSE_TOKEN)) { + throw new OAuth20ResponseTypeException(); + } + + // add code and state to redirect url + httpResp.setStatus(HttpServletResponse.SC_FOUND); + String redirectURI = oAuthRequest.getRedirectUri(); + String state = oAuthRequest.getState(); + + redirectURI = this.addURLParameter(redirectURI, OAuth20Constants.RESPONSE_CODE, code); + redirectURI = this.addURLParameter(redirectURI, OAuth20Constants.PARAM_STATE, state); + + String finalUrl = redirectURI; + httpResp.addHeader("Location", finalUrl); + Logger.debug("REDIRECT TO: " + finalUrl.toString()); + return null; + } + + /* + * (non-Javadoc) + * @see + * at.gv.egovernment.moa.id.moduls.IAction#needAuthentication(at.gv.egovernment.moa.id.moduls + * .IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) + */ + public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp) { + return true; + } + + private String addURLParameter(String url, String name, String value) { + String param = name + "=" + value; + if (url.indexOf("?") < 0) { + return url + "?" + param; + } else { + return url + "&" + param; + } + } + + /* + * (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IAction#getDefaultActionName() + */ + public String getDefaultActionName() { + return OAuth20Protocol.AUTH_ACTION; + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Configuration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Configuration.java new file mode 100644 index 000000000..54c285b96 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Configuration.java @@ -0,0 +1,51 @@ +package at.gv.egovernment.moa.id.protocols.oauth20; + +import java.util.Properties; + +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; + +public class OAuth20Configuration { + + private static OAuth20Configuration instance; + + public static OAuth20Configuration getInstance() { + if (instance == null) { + instance = new OAuth20Configuration(); + } + return instance; + } + + public static final String JWT_KEYSTORE = "jwt.ks.file"; + public static final String JWT_KEYSTORE_PASSWORD = "jwt.ks.password"; + public static final String JWT_KEY_NAME = "jwt.ks.key.name"; + public static final String JWT_KEY_PASSWORD = "jwt.ks.key.password"; + + private Properties props; + + private OAuth20Configuration() { + try { + props = AuthConfigurationProvider.getInstance().getGeneralOAuth20ProperiesConfig(); + } + catch (ConfigurationException e) { + e.printStackTrace(); + } + } + + public String getJWTKeyStore() { + return props.getProperty(JWT_KEYSTORE); + } + + public String getJWTKeyStorePassword() { + return props.getProperty(JWT_KEYSTORE_PASSWORD); + } + + public String getJWTKeyName() { + return props.getProperty(JWT_KEY_NAME); + } + + public String getJWTKeyPassword() { + return props.getProperty(JWT_KEY_PASSWORD); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java new file mode 100644 index 000000000..8189aa01b --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java @@ -0,0 +1,45 @@ +package at.gv.egovernment.moa.id.protocols.oauth20; + +public class OAuth20Constants { + + private OAuth20Constants() { + + } + + // error parameters and error codes + public static final String PARAM_ERROR = "error"; + public static final String PARAM_ERROR_DESCRIPTION = "error_description"; + public static final String PARAM_ERROR_URI = "error_uri"; + + public static final String ERROR_INVALID_REQUEST = "invalid_request"; + public static final String ERROR_UNSUPPORTED_RESPONSE_TYPE = "unsupported_response_type"; + public static final String ERROR_INVALID_CLIENT = "invalid_client"; + public static final String ERROR_ACCESS_DENIED = "access_denied"; + public static final String ERROR_SERVER_ERROR = "server_error"; + public static final String ERROR_INVALID_GRANT = "invalid_grant"; + public static final String ERROR_UNAUTHORIZED_CLIENT = "unauthorized_client"; + + // request parameters + //public static final String PARAM_OA_URL = "oaURL"; + public static final String PARAM_RESPONSE_TYPE = "response_type"; + public static final String PARAM_REDIRECT_URI = "redirect_uri"; + public static final String PARAM_STATE = "state"; + public static final String PARAM_GRANT_TYPE = "grant_type"; + public static final String PARAM_GRANT_TYPE_VALUE_AUTHORIZATION_CODE = "authorization_code"; + public static final String PARAM_CLIENT_ID = "client_id"; + public static final String PARAM_CLIENT_SECRET = "client_secret"; + public static final String PARAM_SCOPE = "scope"; + public static final String PARAM_MOA_MOD = "mod"; + public static final String PARAM_MOA_ACTION = "action"; + + + // reponse parameters + public static final String RESPONSE_CODE = "code"; + public static final String RESPONSE_TOKEN = "token"; + public static final String RESPONSE_ACCESS_TOKEN = "access_token"; + public static final String RESPONSE_ID_TOKEN = "id_token"; + public static final String RESPONSE_EXPIRES_IN = "expires_in"; + public static final String RESPONSE_TOKEN_TYPE = "token_type"; + public static final String RESPONSE_TOKEN_TYPE_VALUE_BEARER = "Bearer"; + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Protocol.java new file mode 100644 index 000000000..2c8aa8a73 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Protocol.java @@ -0,0 +1,166 @@ +package at.gv.egovernment.moa.id.protocols.oauth20; + +import java.net.URLEncoder; +import java.util.HashMap; +import java.util.Map; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.lang.StringUtils; + +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.moduls.IAction; +import at.gv.egovernment.moa.id.moduls.IModulInfo; +import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception; +import at.gv.egovernment.moa.id.protocols.oauth20.requests.OAuth20BaseRequest; +import at.gv.egovernment.moa.logging.Logger; + +import com.google.gson.JsonObject; + +public class OAuth20Protocol implements IModulInfo { + + public static final String NAME = OAuth20Protocol.class.getName(); + public static final String PATH = "id_oauth20"; + + public static final String AUTH_ACTION = "AUTH"; + public static final String TOKEN_ACTION = "TOKEN"; + + private static HashMap<String, IAction> actions = new HashMap<String, IAction>(); + + static { + actions.put(AUTH_ACTION, new OAuth20AuthAction()); + actions.put(TOKEN_ACTION, new OAuth20TokenAction()); + } + + public String getName() { + return NAME; + } + + public String getPath() { + return PATH; + } + + public IAction getAction(String action) { + return actions.get(action); + } + + /* + * (non-Javadoc) + * @see + * at.gv.egovernment.moa.id.moduls.IModulInfo#preProcess(javax.servlet.http.HttpServletRequest, + * javax.servlet.http.HttpServletResponse, java.lang.String) + */ + public IRequest preProcess(HttpServletRequest request, HttpServletResponse resp, String action) throws MOAIDException { + // validation is done inside creation + OAuth20BaseRequest res = OAuth20BaseRequest.newInstance(action, request); + Logger.debug("Created: " + res); + return res; + } + + /* + * (non-Javadoc) + * @see + * at.gv.egovernment.moa.id.moduls.IModulInfo#canHandleRequest(javax.servlet.http.HttpServletRequest + * , javax.servlet.http.HttpServletResponse) + */ + public IAction canHandleRequest(HttpServletRequest request, HttpServletResponse response) { + if (request.getParameter("action").equals(AUTH_ACTION)) { + return getAction(AUTH_ACTION); + } else if (request.getParameter("action").equals(TOKEN_ACTION)) { + return getAction(TOKEN_ACTION); + } + + return null;// getAction(AUTH_ACTION); + } + + /* + * (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IModulInfo#generateErrorMessage(java.lang.Throwable, + * javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, + * at.gv.egovernment.moa.id.moduls.IRequest) + */ + public boolean generateErrorMessage(Throwable e, HttpServletRequest request, HttpServletResponse response, IRequest protocolRequest) + throws Throwable { + + StringBuilder url = new StringBuilder(); + + String paramRedirect = request.getParameter(OAuth20Constants.PARAM_REDIRECT_URI); + + if (e instanceof OAuth20Exception) { + + String action = request.getParameter("action"); + + Logger.debug("Going to throw O OAuth20Exception for action: " + action); + OAuth20Exception oAuth20Exception = ((OAuth20Exception) e); + + String errorCode = oAuth20Exception.getErrorCode(); + String errorDescription = oAuth20Exception.getMessage(); + // String errorUri = "http://tools.ietf.org/html/draft-ietf-oauth-v2-11"; + + if (action.equals(AUTH_ACTION)) { + + // check if given redirect url is ok + if (StringUtils.isNotEmpty(paramRedirect) && OAuth20Util.isUrl(paramRedirect)) { + url.append(paramRedirect); + + // otherwise throw an + } else { + throw new MOAIDException("oauth20.01", new Object[] {}); + } + + String state = request.getParameter(OAuth20Constants.PARAM_STATE); + + OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR, errorCode); + OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_DESCRIPTION, + URLEncoder.encode(oAuth20Exception.getMessageId() + ": " + errorDescription, "UTF-8")); + // OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_URI, errorUri); + OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_STATE, state); + + response.setContentType("text/html"); + response.setStatus(HttpServletResponse.SC_FOUND); + response.addHeader("Location", url.toString()); + Logger.debug("REDIRECT TO: " + url.toString()); + return true; + + } else if (action.equals(TOKEN_ACTION)) { + Map<String, Object> params = new HashMap<String, Object>(); + params.put(OAuth20Constants.PARAM_ERROR, errorCode); + params.put(OAuth20Constants.PARAM_ERROR_DESCRIPTION, + URLEncoder.encode(oAuth20Exception.getMessageId() + ": " + errorDescription, "UTF-8")); + // params.put(OAuth20Constants.PARAM_ERROR_URI, errorUri); + + // create response + JsonObject jsonObject = new JsonObject(); + OAuth20Util.addProperytiesToJsonObject(jsonObject, params); + String jsonResponse = jsonObject.toString(); + Logger.debug("JSON Response: " + jsonResponse); + + // write respone to http response + response.setContentType("application/json"); + response.setStatus(HttpServletResponse.SC_BAD_REQUEST); + response.getOutputStream().print(jsonResponse); + response.getOutputStream().close(); + + return true; + } + + } + + return false; + + } + + /* + * (non-Javadoc) + * @see + * at.gv.egovernment.moa.id.moduls.IModulInfo#validate(javax.servlet.http.HttpServletRequest, + * javax.servlet.http.HttpServletResponse, at.gv.egovernment.moa.id.moduls.IRequest) + */ + public boolean validate(HttpServletRequest request, HttpServletResponse response, IRequest pending) { + // we validate in the preProcess + return true; + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20SessionObject.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20SessionObject.java new file mode 100644 index 000000000..91c099d2c --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20SessionObject.java @@ -0,0 +1,39 @@ +package at.gv.egovernment.moa.id.protocols.oauth20; + +import java.io.Serializable; + +public class OAuth20SessionObject implements Serializable { + + /** + * + */ + private static final long serialVersionUID = 1L; + + private String scope; + + private String code; + + public String getScope() { + return scope; + } + + public void setScope(String scope) { + this.scope = scope; + } + + /** + * @return the code + */ + public String getCode() { + return code; + } + + /** + * @param code + * the code to set + */ + public void setCode(String code) { + this.code = code; + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20TokenAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20TokenAction.java new file mode 100644 index 000000000..70f425148 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20TokenAction.java @@ -0,0 +1,346 @@ +package at.gv.egovernment.moa.id.protocols.oauth20; + +import java.text.DateFormat; +import java.text.ParseException; +import java.text.SimpleDateFormat; +import java.util.Date; +import java.util.HashMap; +import java.util.Iterator; +import java.util.Map; +import java.util.UUID; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import net.oauth.jsontoken.JsonToken; +import net.oauth.jsontoken.crypto.Signer; + +import org.w3c.dom.Element; + +import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; +import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; +import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; +import at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType.FamilyName; +import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; +import at.gv.egovernment.moa.id.auth.AuthenticationServer; +import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.moduls.IAction; +import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ServerErrorException; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20UnauthorizedClientException; +import at.gv.egovernment.moa.id.protocols.oauth20.requests.OAuth20TokenRequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AttributeExtractor; +import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.util.IdentityLinkReSigner; +import at.gv.egovernment.moa.id.util.MandateBuilder; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.DOMUtils; + +import com.google.gson.JsonObject; + +public class OAuth20TokenAction implements IAction { + + private int expirationTime = 5 * 60; // in seconds + + public class Pair<T1, T2> { + private T1 first; + private T2 second; + + public Pair(T1 newFirst, T2 newSecond) { + first = newFirst; + second = newSecond; + } + + public T1 getFirst() { + return first; + } + + public T2 getSecond() { + return second; + } + } + + public String processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, + AuthenticationSession moasession) throws MOAIDException { + + AuthenticationSession session = null; + try { + OAuth20TokenRequest oAuthRequest = (OAuth20TokenRequest) req; + + session = AuthenticationSessionStoreage.getSession(oAuthRequest.getCode()); + if (session == null) { + throw new OAuth20UnauthorizedClientException(); + } + + OAuth20SessionObject auth20SessionObject = session.getoAuth20SessionObject(); + Logger.debug("Loaded OAuth20SessionObject from session: " + auth20SessionObject); + + // do checking for different grant types and code + if (!auth20SessionObject.getCode().equals(oAuthRequest.getCode())) { + throw new OAuth20UnauthorizedClientException(); + + } + + final String accessToken = UUID.randomUUID().toString(); + + // create response + Map<String, Object> params = new HashMap<String, Object>(); + params.put(OAuth20Constants.RESPONSE_ACCESS_TOKEN, accessToken); + params.put(OAuth20Constants.RESPONSE_TOKEN_TYPE, OAuth20Constants.RESPONSE_TOKEN_TYPE_VALUE_BEARER); + params.put(OAuth20Constants.RESPONSE_EXPIRES_IN, this.expirationTime); + + // build id token and scope + Pair<String, String> pair = buildIdToken(auth20SessionObject.getScope(), oAuthRequest, session); + Logger.debug("RESPONSE ID_TOKEN: " + pair.getFirst()); + params.put(OAuth20Constants.RESPONSE_ID_TOKEN, pair.getFirst()); + Logger.debug("RESPONSE SCOPE: " + pair.getSecond()); + params.put(OAuth20Constants.PARAM_SCOPE, pair.getSecond()); + + // create response + JsonObject jsonObject = new JsonObject(); + OAuth20Util.addProperytiesToJsonObject(jsonObject, params); + String jsonResponse = jsonObject.toString(); + Logger.debug("JSON Response: " + jsonResponse); + + // write respone to http response + httpResp.setContentType("application/json"); + httpResp.setStatus(HttpServletResponse.SC_OK); + httpResp.getOutputStream().print(jsonResponse); + httpResp.getOutputStream().close(); + + return null; + } + catch (Exception e) { + throw new OAuth20ServerErrorException(); + } + finally { + if (session != null) { + // destroy session for clean up + try { + Logger.debug("Going to destroy session: " + session.getSessionID()); + AuthenticationSessionStoreage.destroySession(session.getSessionID()); + } + catch (MOADatabaseException e) { + } + } + } + } + + /* + * (non-Javadoc) + * @see + * at.gv.egovernment.moa.id.moduls.IAction#needAuthentication(at.gv.egovernment.moa.id.moduls + * .IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) + */ + public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp) { + return false; + } + + /* + * (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IAction#getDefaultActionName() + */ + public String getDefaultActionName() { + return OAuth20Protocol.TOKEN_ACTION; + } + + private Pair<String, String> buildIdToken(String scope, OAuth20TokenRequest oAuthRequest, AuthenticationSession session) + throws Exception { + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oAuthRequest.getOAURL()); + AuthenticationData authData = AuthenticationServer.buildAuthenticationData(session, oaParam, oAuthRequest.getTarget()); + + Map<String, Object> params = new HashMap<String, Object>(); + StringBuilder resultScopes = new StringBuilder(); + // always fill with open id + this.fillScopeOpenId(params, authData); + resultScopes.append("openId"); + + for (String s : scope.split(" ")) { + + try { + if (s.equalsIgnoreCase("profile")) { + this.fillScopeProfile(params, authData); + resultScopes.append(" profile"); + } else if (s.equalsIgnoreCase("eID")) { + this.fillScopeEID(params, authData, session); + resultScopes.append(" eID"); + } else if (s.equalsIgnoreCase("eID_gov") && oaParam.getBusinessService()) { + this.fillScopeEID_GOV(params, authData, session); + resultScopes.append(" eID_gov"); + } else if (s.equalsIgnoreCase("mandate") && session.getUseMandate() && oaParam.getBusinessService()) { + this.fillScopeMandate(params, oaParam, authData, session); + resultScopes.append(" mandate"); + } + } + catch (Exception e) { + Logger.warn(e.getMessage(), e); + } + // TODO parser STORK + } + + // add properties and sign + // HmacSHA256Signer signer = new HmacSHA256Signer("testSigner", "key_id", + // "super_secure_pwd".getBytes()); + // Signer signer = OAuth20Util.loadSigner(authData.getIssuer(), oaParam.getoAuth20Config()); + Signer signer = OAuth20Util.loadSigner(authData.getIssuer()); + JsonToken token = new JsonToken(signer); + OAuth20Util.addProperytiesToJsonObject(token.getPayloadAsJsonObject(), params); + return new Pair<String, String>(token.serializeAndSign(), resultScopes.toString()); + } + + private void fillScopeProfile(Map<String, Object> params, AuthenticationData authData) { + params.put("given_name", authData.getGivenName()); + params.put("family_name", authData.getFamilyName()); + params.put("birthdate", authData.getDateOfBirth()); + } + + private void fillScopeOpenId(Map<String, Object> params, AuthenticationData authData) { + params.put("iss", authData.getIssuer()); + params.put("sub", authData.getBPK()); + // params.put("aud", ""); // not used + params.put("exp", (long) (new Date().getTime() / 1000 + this.expirationTime)); + params.put("iat", (long) (new Date().getTime() / 1000)); + params.put("auth_time", (long) (authData.getTimestamp().getTime() / 1000)); + // params.put("acr", ""); //? + } + + private void fillScopeEID(Map<String, Object> params, AuthenticationData authData, AuthenticationSession session) throws Exception { + params.put(PVPConstants.EID_CCS_URL_FRIENDLY_NAME, authData.getBkuURL()); + // params.put("ENC-BPK-LIST", ); // not used + // params.put("MAIL", ); //not used + // params.put("TEL", ); //not used + + params.put(PVPConstants.EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME, 4); + params.put(PVPConstants.EID_ISSUING_NATION_FRIENDLY_NAME, "AT"); + params.put(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, authData.getBPKType()); + params.put(PVPConstants.EID_AUTH_BLOCK_FRIENDLY_NAME, Base64Utils.encode(session.getAuthBlock().getBytes())); + params.put(PVPConstants.EID_SIGNER_CERTIFICATE_FRIENDLY_NAME, Base64Utils.encode(session.getEncodedSignerCertificate())); + // params.put(PVPConstants.EID_STORK_TOKEN_FRIENDLY_NAME, ); //not used + + // bpk + String bpk = authData.getBPK(); + String type = authData.getBPKType(); + if (type.startsWith(Constants.URN_PREFIX_WBPK)) + type = type.substring((Constants.URN_PREFIX_WBPK + "+").length()); + else if (type.startsWith(Constants.URN_PREFIX_CDID)) type = type.substring((Constants.URN_PREFIX_CDID + "+").length()); + if (bpk.length() > PVPConstants.BPK_MAX_LENGTH) { + bpk = bpk.substring(0, PVPConstants.BPK_MAX_LENGTH); + } + params.put(PVPConstants.BPK_FRIENDLY_NAME, type + ":" + bpk); + } + + private void fillScopeEID_GOV(Map<String, Object> params, AuthenticationData authData, AuthenticationSession session) + throws Exception { + params.put(PVPConstants.EID_SOURCE_PIN_FRIENDLY_NAME, authData.getIdentificationValue()); + params.put(PVPConstants.EID_SOURCE_PIN_TYPE_FRIENDLY_NAME, authData.getIdentificationType()); + + IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance(); + Element resignedilAssertion = identitylinkresigner.resignIdentityLink(authData.getIdentityLink().getSamlAssertion()); + params.put(PVPConstants.EID_IDENTITY_LINK_FRIENDLY_NAME, + Base64Utils.encode(DOMUtils.serializeNode(resignedilAssertion).getBytes())); + } + + private void fillScopeMandate(Map<String, Object> params, OAAuthParameter oaParam, AuthenticationData authData, + AuthenticationSession session) { + Element mandate = session.getMandate(); + + if (mandate == null) { + throw new OAuth20ServerErrorException(); + } + Mandate mandateObject = MandateBuilder.buildMandate(mandate); + if (mandateObject == null) { + throw new OAuth20ServerErrorException(); + } + + params.put(PVPConstants.MANDATE_TYPE_FRIENDLY_NAME, mandateObject.getAnnotation()); + params.put(PVPConstants.MANDATE_REFERENCE_VALUE_FRIENDLY_NAME, mandateObject.getMandateID()); + + // natural person + PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); + if (physicalPerson != null && physicalPerson.getIdentification().size() != 0) { + IdentificationType id = physicalPerson.getIdentification().get(0); + params.put(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_FRIENDLY_NAME, id.getValue().getValue()); + params.put(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME, id.getType()); + + try { + String bpk; + if (id.getType().equals(Constants.URN_PREFIX_BASEID)) { + if (session.getBusinessService()) { + bpk = new BPKBuilder().buildWBPK(id.getValue().getValue(), oaParam.getIdentityLinkDomainIdentifier()); + } else { + bpk = new BPKBuilder().buildBPK(id.getValue().getValue(), oaParam.getTarget()); + } + } else { + bpk = id.getValue().getValue(); + } + params.put(PVPConstants.MANDATE_NAT_PER_BPK_FRIENDLY_NAME, bpk); + } + catch (BuildException e) { + // ignore + } + + // params.put(PVPConstants.MANDATE_NAT_PER_ENC_BPK_LIST_FRIENDLY_NAME, ); //not used + + StringBuilder sb = new StringBuilder(); + Iterator<FamilyName> fNamesit = physicalPerson.getName().getFamilyName().iterator(); + + while (fNamesit.hasNext()) { + sb.append(" " + fNamesit.next().getValue()); + } + params.put(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_FRIENDLY_NAME, sb.toString()); + + sb = new StringBuilder(); + Iterator<String> gNamesit = physicalPerson.getName().getGivenName().iterator(); + + while (gNamesit.hasNext()) { + sb.append(" " + gNamesit.next()); + } + params.put(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME, sb.toString()); + + try { + DateFormat mandateFormat = new SimpleDateFormat(MandateBuilder.MANDATE_DATE_OF_BIRTH_FORMAT); + Date date = mandateFormat.parse(physicalPerson.getDateOfBirth()); + DateFormat pvpDateFormat = new SimpleDateFormat(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_FORMAT_PATTERN); + String dateString = pvpDateFormat.format(date); + params.put(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, dateString); + } + catch (ParseException e) { + // ignore + } + + } + + // legal person + CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); + if (corporation != null && corporation.getIdentification().size() != 0) { + IdentificationType id = corporation.getIdentification().get(0); + params.put(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, id.getValue().getValue()); + params.put(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME, id.getType()); + params.put(PVPConstants.MANDATE_LEG_PER_FULL_NAME_FRIENDLY_NAME, corporation.getFullName()); + } + + String oid = AttributeExtractor.extractSAMLAttributeOA(EXT_SAML_MANDATE_OID, session); + if (oid != null) { + params.put(PVPConstants.MANDATE_PROF_REP_OID_FRIENDLY_NAME, oid); + } + + String text = AttributeExtractor.extractSAMLAttributeOA(EXT_SAML_MANDATE_OIDTEXTUALDESCRIPTION, session); + + if (text != null) { + params.put(PVPConstants.MANDATE_PROF_REP_DESC_FRIENDLY_NAME, oid); + } + + // params.put("MANDATE-FULL-MANDATE-LIST", ); // not used + + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Util.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Util.java new file mode 100644 index 000000000..4d3030a0f --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Util.java @@ -0,0 +1,134 @@ +package at.gv.egovernment.moa.id.protocols.oauth20; + +import java.io.UnsupportedEncodingException; +import java.security.KeyStore; +import java.security.PrivateKey; +import java.security.cert.X509Certificate; +import java.security.interfaces.RSAPrivateKey; +import java.util.Map; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +import net.oauth.jsontoken.crypto.RsaSHA256Signer; +import net.oauth.jsontoken.crypto.Signer; + +import org.opensaml.xml.security.x509.BasicX509Credential; + +import at.gv.egovernment.moa.id.commons.db.dao.config.OAOAUTH20; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20CertificateErrorException; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.KeyStoreUtils; +import at.gv.egovernment.moa.util.StringUtils; + +import com.google.gson.JsonObject; + +public class OAuth20Util { + + public static final String REGEX_HTTPS = "^(https?)://[-a-zA-Z0-9+&@#/%?=~_|!:,.;]*[-a-zA-Z0-9+&@#/%=~_|]"; + public static final String REGEX_FILE = "^(file):/.[-a-zA-Z0-9+&@#/%?=~_|!:,.;]*[-a-zA-Z0-9+&@#/%=~_|]"; + + /** + * Simple helper function to add parameter to a url + * + * @param url + * @param name + * @param value + * @throws UnsupportedEncodingException + */ + public static void addParameterToURL(final StringBuilder url, final String name, final String value) + throws UnsupportedEncodingException { + if (url.indexOf("?") < 0) { + url.append("?"); + } else { + url.append("&"); + } + // URLEncoder.encode(value, "UTF-8") + url.append(name).append("=").append(value); + } + + public static boolean isUrl(final String url) { + Pattern urlPattern; + if (url.startsWith("file")) { + urlPattern = Pattern.compile(REGEX_FILE, Pattern.CASE_INSENSITIVE); + } else { + urlPattern = Pattern.compile(REGEX_HTTPS, Pattern.CASE_INSENSITIVE); + } + + Matcher matcher = urlPattern.matcher(url); + return matcher.find(); + } + + public static void addProperytiesToJsonObject(JsonObject jsonObject, Map<String, Object> params) { + for (Map.Entry<String, Object> param : params.entrySet()) { + if (param.getKey() != null && !"".equals(param.getKey()) && param.getValue() != null && !"".equals(param.getValue())) { + + // check for integer + try { + int i = Integer.parseInt(String.valueOf(param.getValue())); + jsonObject.addProperty(param.getKey(), i); + continue; + } + catch (NumberFormatException e) { + } + + // check for long + try { + long l = Long.parseLong(String.valueOf(param.getValue())); + jsonObject.addProperty(param.getKey(), l); + continue; + } + catch (NumberFormatException e) { + } + + // string + if (param.getValue() instanceof String) { + jsonObject.addProperty(param.getKey(), String.valueOf(param.getValue())); + } + } + } + } + + public static Signer loadSigner(String issuer) throws OAuth20Exception { + OAuth20Configuration globalConfig = OAuth20Configuration.getInstance(); + + if (StringUtils.isEmpty(globalConfig.getJWTKeyStore())) { + throw new OAuth20CertificateErrorException("keystore"); + } + + if (StringUtils.isEmpty(globalConfig.getJWTKeyName())) { + throw new OAuth20CertificateErrorException("key name"); + } + + try { + KeyStore ks = KeyStoreUtils.loadKeyStore(globalConfig.getJWTKeyStore(), globalConfig.getJWTKeyStorePassword()); + + X509Certificate certificate = (X509Certificate) ks.getCertificate(globalConfig.getJWTKeyName()); + + PrivateKey privateKey = (PrivateKey) ks.getKey(globalConfig.getJWTKeyName(), globalConfig.getJWTKeyPassword() + .toCharArray()); + BasicX509Credential credential = new BasicX509Credential(); + credential.setEntityCertificate(certificate); + credential.setPrivateKey(privateKey); + + //Logger.debug("Going to use X509Certificate:"); + Logger.debug(certificate); + //Logger.debug("Going to use private key:"); + Logger.debug(privateKey); + + return new RsaSHA256Signer(issuer, globalConfig.getJWTKeyName(), (RSAPrivateKey) credential.getPrivateKey()); + + } + catch (Exception e) { + throw new OAuth20CertificateErrorException("keystore"); + } + + } + + public static boolean isValidStateValue(String state) { + Pattern urlPattern = Pattern.compile("javascript|<|>|&|;", Pattern.CASE_INSENSITIVE); + Matcher matcher = urlPattern.matcher(state); + return !matcher.find(); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20AccessDeniedException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20AccessDeniedException.java new file mode 100644 index 000000000..e4abd5bd1 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20AccessDeniedException.java @@ -0,0 +1,12 @@ +package at.gv.egovernment.moa.id.protocols.oauth20.exceptions; + +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; + +public class OAuth20AccessDeniedException extends OAuth20Exception { + private static final long serialVersionUID = 1L; + + public OAuth20AccessDeniedException() { + super(OAuth20Constants.ERROR_ACCESS_DENIED, "oauth20.05", new Object[] {}); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20CertificateErrorException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20CertificateErrorException.java new file mode 100644 index 000000000..6f5a41ca5 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20CertificateErrorException.java @@ -0,0 +1,12 @@ +package at.gv.egovernment.moa.id.protocols.oauth20.exceptions; + +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; + +public class OAuth20CertificateErrorException extends OAuth20Exception { + private static final long serialVersionUID = 1L; + + public OAuth20CertificateErrorException(final String name) { + super(OAuth20Constants.ERROR_SERVER_ERROR, "oauth20.09", new Object[] { name }); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20Exception.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20Exception.java new file mode 100644 index 000000000..1c4cb20ac --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20Exception.java @@ -0,0 +1,49 @@ +package at.gv.egovernment.moa.id.protocols.oauth20.exceptions; + +import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; + +public class OAuth20Exception extends RuntimeException { + + private static final long serialVersionUID = 1L; + + private String messageId; + + private String errorCode; + + public OAuth20Exception(final String errorCode, final String messageId, final Object[] parameters) { + super(MOAIDMessageProvider.getInstance().getMessage(messageId, parameters)); + this.errorCode = errorCode; + this.messageId = messageId; + } + + /** + * @return the messageId + */ + public String getMessageId() { + return messageId; + } + + /** + * @param messageId + * the messageId to set + */ + public void setMessageId(String messageId) { + this.messageId = messageId; + } + + /** + * @return the errorCode + */ + public String getErrorCode() { + return errorCode; + } + + /** + * @param errorCode + * the errorCode to set + */ + public void setErrorCode(String errorCode) { + this.errorCode = errorCode; + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidClientException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidClientException.java new file mode 100644 index 000000000..2a2ec4498 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidClientException.java @@ -0,0 +1,12 @@ +package at.gv.egovernment.moa.id.protocols.oauth20.exceptions; + +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; + +public class OAuth20InvalidClientException extends OAuth20Exception { + private static final long serialVersionUID = 1L; + + public OAuth20InvalidClientException() { + super(OAuth20Constants.ERROR_INVALID_CLIENT, "oauth20.05", new Object[] {}); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidGrantException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidGrantException.java new file mode 100644 index 000000000..288667104 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidGrantException.java @@ -0,0 +1,12 @@ +package at.gv.egovernment.moa.id.protocols.oauth20.exceptions; + +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; + +public class OAuth20InvalidGrantException extends OAuth20Exception { + private static final long serialVersionUID = 1L; + + public OAuth20InvalidGrantException() { + super(OAuth20Constants.ERROR_INVALID_GRANT, "oauth20.07", new Object[] {}); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidRequestException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidRequestException.java new file mode 100644 index 000000000..30c1cb1cc --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidRequestException.java @@ -0,0 +1,13 @@ +package at.gv.egovernment.moa.id.protocols.oauth20.exceptions; + +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; + +public class OAuth20InvalidRequestException extends OAuth20Exception { + private static final long serialVersionUID = 1L; + + public OAuth20InvalidRequestException() { + super(OAuth20Constants.ERROR_INVALID_REQUEST, "oauth20.04", new Object[] {}); + + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ResponseTypeException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ResponseTypeException.java new file mode 100644 index 000000000..5dd0a13c3 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ResponseTypeException.java @@ -0,0 +1,12 @@ +package at.gv.egovernment.moa.id.protocols.oauth20.exceptions; + +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; + +public class OAuth20ResponseTypeException extends OAuth20Exception { + private static final long serialVersionUID = 1L; + + public OAuth20ResponseTypeException() { + super(OAuth20Constants.ERROR_UNSUPPORTED_RESPONSE_TYPE, "oauth20.03", new Object[] {}); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ServerErrorException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ServerErrorException.java new file mode 100644 index 000000000..59855d511 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ServerErrorException.java @@ -0,0 +1,12 @@ +package at.gv.egovernment.moa.id.protocols.oauth20.exceptions; + +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; + +public class OAuth20ServerErrorException extends OAuth20Exception { + private static final long serialVersionUID = 1L; + + public OAuth20ServerErrorException() { + super(OAuth20Constants.ERROR_SERVER_ERROR, "oauth20.06", new Object[] {}); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20UnauthorizedClientException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20UnauthorizedClientException.java new file mode 100644 index 000000000..28cc44968 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20UnauthorizedClientException.java @@ -0,0 +1,12 @@ +package at.gv.egovernment.moa.id.protocols.oauth20.exceptions; + +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; + +public class OAuth20UnauthorizedClientException extends OAuth20Exception { + private static final long serialVersionUID = 1L; + + public OAuth20UnauthorizedClientException() { + super(OAuth20Constants.ERROR_UNAUTHORIZED_CLIENT, "oauth20.08", new Object[] {}); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20WrongParameterException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20WrongParameterException.java new file mode 100644 index 000000000..24d151869 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20WrongParameterException.java @@ -0,0 +1,12 @@ +package at.gv.egovernment.moa.id.protocols.oauth20.exceptions; + +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; + +public class OAuth20WrongParameterException extends OAuth20Exception { + private static final long serialVersionUID = 1L; + + public OAuth20WrongParameterException(final String name) { + super(OAuth20Constants.ERROR_INVALID_REQUEST, "oauth20.02", new Object[] { name }); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/requests/OAuth20AuthRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/requests/OAuth20AuthRequest.java new file mode 100644 index 000000000..8aac75413 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/requests/OAuth20AuthRequest.java @@ -0,0 +1,134 @@ +package at.gv.egovernment.moa.id.protocols.oauth20.requests; + +import javax.servlet.http.HttpServletRequest; + +import at.gv.egovernment.moa.id.commons.db.dao.config.OAOAUTH20; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20AccessDeniedException; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ResponseTypeException; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20WrongParameterException; + +public class OAuth20AuthRequest extends OAuth20BaseRequest { + + private static final long serialVersionUID = 1L; + + private String responseType; + private String state; + private String redirectUri; + private String scope; + private String clientID; + + /** + * @return the responseType + */ + public String getResponseType() { + return responseType; + } + + /** + * @param responseType + * the responseType to set + */ + public void setResponseType(String responseType) { + this.responseType = responseType; + } + + /** + * @return the state + */ + public String getState() { + return state; + } + + /** + * @param state + * the state to set + */ + public void setState(String state) { + this.state = state; + } + + /** + * @return the redirectUri + */ + public String getRedirectUri() { + return redirectUri; + } + + /** + * @param redirectUri + * the redirectUri to set + */ + public void setRedirectUri(String redirectUri) { + this.redirectUri = redirectUri; + } + + /** + * @return the scope + */ + public String getScope() { + return scope; + } + + /** + * @param scope + * the scope to set + */ + public void setScope(String scope) { + this.scope = scope; + } + + /** + * @return the clientID + */ + public String getClientID() { + return clientID; + } + + /** + * @param clientID + * the clientID to set + */ + public void setClientID(String clientID) { + this.clientID = clientID; + } + + @Override + protected void populateSpecialParameters(HttpServletRequest request) throws OAuth20Exception { + this.setResponseType(this.getParam(request, OAuth20Constants.PARAM_RESPONSE_TYPE, true)); + this.setState(this.getParam(request, OAuth20Constants.PARAM_STATE, true)); + this.setRedirectUri(this.getParam(request, OAuth20Constants.PARAM_REDIRECT_URI, true)); + this.setClientID(this.getParam(request, OAuth20Constants.PARAM_CLIENT_ID, true)); + this.setScope(this.getParam(request, OAuth20Constants.PARAM_SCOPE, false)); + + // check for response type + if (!this.responseType.equals(OAuth20Constants.RESPONSE_CODE)) { + throw new OAuth20ResponseTypeException(); + } + + // check state for invalid characters (like < > & ; ... javascript ... to prevent xss) + if (!OAuth20Util.isValidStateValue(this.getState())) { + throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_STATE); + } + + // check if client id and redirect uri are ok + try { + // OAOAUTH20 cannot be null at this point. check was done in base request + OAOAUTH20 oAuthConfig = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(this.getOAURL()) + .getoAuth20Config(); + + if (!this.getClientID().equals(oAuthConfig.getOAuthClientId()) + || !this.getRedirectUri().equals(oAuthConfig.getOAuthRedirectUri())) { + throw new OAuth20AccessDeniedException(); + } + } + catch (ConfigurationException e) { + throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_CLIENT_ID); + } + + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/requests/OAuth20BaseRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/requests/OAuth20BaseRequest.java new file mode 100644 index 000000000..05362c977 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/requests/OAuth20BaseRequest.java @@ -0,0 +1,118 @@ +package at.gv.egovernment.moa.id.protocols.oauth20.requests; + +import java.util.HashSet; +import java.util.Iterator; +import java.util.Set; + +import javax.servlet.http.HttpServletRequest; + +import org.apache.commons.lang.StringEscapeUtils; +import org.apache.commons.lang.StringUtils; + +import at.gv.egovernment.moa.id.commons.db.dao.config.OAOAUTH20; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.moduls.RequestImpl; +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Protocol; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20InvalidRequestException; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ServerErrorException; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20WrongParameterException; +import at.gv.egovernment.moa.id.util.ParamValidatorUtils; +import at.gv.egovernment.moa.logging.Logger; + +public abstract class OAuth20BaseRequest extends RequestImpl { + + private static final long serialVersionUID = 1L; + + protected Set<String> allowedParameters = new HashSet<String>(); + + protected String getParam(final HttpServletRequest request, final String name, final boolean isNeeded) throws OAuth20Exception { + String param = request.getParameter(name); + Logger.debug("Reading param " + name + " from HttpServletRequest with value " + param); + + if (isNeeded && StringUtils.isEmpty(param)) { + throw new OAuth20WrongParameterException(name); + } + + this.allowedParameters.add(name); + + return param; + } + + protected void populateParameters(final HttpServletRequest request) throws OAuth20Exception { + + // moa id - load oa with client id! + try { + String oaURL = StringEscapeUtils.escapeHtml(this.getParam(request, OAuth20Constants.PARAM_CLIENT_ID, true)); + if (!ParamValidatorUtils.isValidOA(oaURL)) { + throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_CLIENT_ID); + } + this.setOAURL(oaURL); + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oaURL); + + if (oaParam == null) { + throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_CLIENT_ID); + } + this.setTarget(oaParam.getTarget()); + + OAOAUTH20 config = oaParam.getoAuth20Config(); + if (config == null) { + throw new OAuth20InvalidRequestException(); + } + if (StringUtils.isEmpty(config.getOAuthClientSecret()) || StringUtils.isEmpty(config.getOAuthClientId()) + || StringUtils.isEmpty(config.getOAuthRedirectUri())) { + throw new OAuth20ServerErrorException(); + } + } + catch (ConfigurationException e) { + throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_CLIENT_ID); + } + + // oAuth + this.populateSpecialParameters(request); + + // cleanup parameters + this.checkAllowedParameters(request); + } + + private void checkAllowedParameters(final HttpServletRequest request) { + Logger.debug("Going to check for allowed parameters"); + this.allowedParameters.add(OAuth20Constants.PARAM_MOA_ACTION); + this.allowedParameters.add(OAuth20Constants.PARAM_MOA_MOD); + + @SuppressWarnings("rawtypes") + Iterator iter = request.getParameterMap().keySet().iterator(); + while (iter.hasNext()) { + String name = (String) iter.next(); + if (!this.allowedParameters.contains(name)) { + + Logger.debug("Found wrong parameter: " + name); + throw new OAuth20WrongParameterException(name); + } + } + + } + + protected abstract void populateSpecialParameters(final HttpServletRequest request) throws OAuth20Exception; + + public static OAuth20BaseRequest newInstance(final String action, final HttpServletRequest request) throws OAuth20Exception { + OAuth20BaseRequest res; + + if (action.equals(OAuth20Protocol.AUTH_ACTION)) { + res = new OAuth20AuthRequest(); + } else if (action.equals(OAuth20Protocol.TOKEN_ACTION)) { + res = new OAuth20TokenRequest(); + } else { + throw new OAuth20InvalidRequestException(); + } + + res.setAction(action); + res.setModule(OAuth20Protocol.NAME); + + res.populateParameters(request); + return res; + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/requests/OAuth20TokenRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/requests/OAuth20TokenRequest.java new file mode 100644 index 000000000..6d69f8238 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/requests/OAuth20TokenRequest.java @@ -0,0 +1,118 @@ +package at.gv.egovernment.moa.id.protocols.oauth20.requests; + +import javax.servlet.http.HttpServletRequest; + +import at.gv.egovernment.moa.id.commons.db.dao.config.OAOAUTH20; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20AccessDeniedException; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20InvalidGrantException; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20WrongParameterException; + +public class OAuth20TokenRequest extends OAuth20BaseRequest { + + private static final long serialVersionUID = 1L; + + private String code; + private String grantType; + private String clientID; + private String clientSecret; + + /** + * @return the code + */ + public String getCode() { + return code; + } + + /** + * @param code + * the code to set + */ + public void setCode(String code) { + this.code = code; + } + + /** + * @return the grantType + */ + public String getGrantType() { + return grantType; + } + + /** + * @param grantType + * the grantType to set + */ + public void setGrantType(String grantType) { + this.grantType = grantType; + } + + /** + * @return the clientID + */ + public String getClientID() { + return clientID; + } + + /** + * @param clientID + * the clientID to set + */ + public void setClientID(String clientID) { + this.clientID = clientID; + } + + /** + * @return the clientSecret + */ + public String getClientSecret() { + return clientSecret; + } + + /** + * @param clientSecret + * the clientSecret to set + */ + public void setClientSecret(String clientSecret) { + this.clientSecret = clientSecret; + } + + @Override + protected void populateSpecialParameters(HttpServletRequest request) throws OAuth20Exception { + this.setCode(this.getParam(request, OAuth20Constants.RESPONSE_CODE, true)); + this.setGrantType(this.getParam(request, OAuth20Constants.PARAM_GRANT_TYPE, true)); + this.setClientID(this.getParam(request, OAuth20Constants.PARAM_CLIENT_ID, true)); + this.setClientSecret(this.getParam(request, OAuth20Constants.PARAM_CLIENT_SECRET, true)); + + // check for grant type + if (!this.getGrantType().equals(OAuth20Constants.PARAM_GRANT_TYPE_VALUE_AUTHORIZATION_CODE)) { + throw new OAuth20InvalidGrantException(); + } + + // check if client id and secret are ok + try { + // OAOAUTH20 cannot be null at this point. check was done in base request + OAOAUTH20 oAuthConfig = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(this.getOAURL()) + .getoAuth20Config(); + + if (!this.getClientID().equals(oAuthConfig.getOAuthClientId())) { + throw new OAuth20AccessDeniedException(); + } + + if (!this.getClientSecret().equals(oAuthConfig.getOAuthClientSecret())) { + throw new OAuth20AccessDeniedException(); + } + + } + catch (ConfigurationException e) { + throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_CLIENT_ID); + } + + //add valid parameters + this.allowedParameters.add(OAuth20Constants.PARAM_SCOPE); + this.allowedParameters.add(OAuth20Constants.PARAM_REDIRECT_URI); + } +} diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 6b664f692..37e35b6ce 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -217,4 +217,15 @@ pvp2.11=Binding {0} wird nicht unterstuetzt pvp2.12=NameID Format {0} wird nicht unterstuetzt
pvp2.13=Interner Server Fehler
pvp2.14=SAML Anfrage verweigert
-pvp2.15=Keine Metadateninformation gefunden +pvp2.15=Keine Metadateninformation gefunden
+
+
+oauth20.01=Fehlerhafte redirect url
+oauth20.02=Fehlender Parameter "{0}"
+oauth20.03=Angeforderter response_type ist nicht erlaubt
+oauth20.04=Die Art der Anmeldung wird nicht unterstuetzt
+oauth20.05=Der angegebene Benutzer ist nicht berechtigt
+oauth20.06=Die angegebene OA kann nicht verwendet werden
+oauth20.07=Angeforderter grant_type ist nicht erlaubt
+oauth20.08=Nicht berechtigt für Token-Request
+oauth20.09=Zertifikat fuer JSON Web-Token ist falsch konfiguriert. Fehler bei "{0}" diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/CertTest.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/CertTest.java new file mode 100644 index 000000000..6452d5ae6 --- /dev/null +++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/CertTest.java @@ -0,0 +1,86 @@ +package test.at.gv.egovernment.moa.id.auth.oauth; + +import java.security.KeyStore; +import java.security.PrivateKey; +import java.security.cert.X509Certificate; +import java.security.interfaces.RSAPrivateKey; + +import net.oauth.jsontoken.crypto.RsaSHA256Signer; +import net.oauth.jsontoken.crypto.RsaSHA256Verifier; + +import org.opensaml.xml.security.x509.BasicX509Credential; +import org.testng.annotations.Test; + +import at.gv.egovernment.moa.util.KeyStoreUtils; +import at.gv.egovernment.moa.util.StringUtils; +import eu.stork.vidp.messages.exception.SAMLException; + +public class CertTest { + + /** KeyStore Path */ + private String keyStorePath = "file:/D:/dev/work/exthex/workspace/OAuthTesting/resources/keys/test_keystore.jks"; + + /** KeyStore Password */ + private String keyStorePassword = "test12"; + + /** Specific Key Name as Credential */ + private String keyName = "1"; + + /** Key password */ + private String keyPassword = "test12"; + + + + + @Test(enabled = false) + public void loadCert() throws Exception { + + if (StringUtils.isEmpty(this.keyStorePath)) throw new SAMLException("No keyStorePath specified"); + + // KeyStorePassword optional + // if (StringUtils.isEmpty(this.keyStorePassword)) + // throw new SAMLException("No keyStorePassword specified"); + + if (StringUtils.isEmpty(this.keyName)) throw new SAMLException("No keyName specified"); + + // KeyStorePassword optional + // if (StringUtils.isEmpty(this.keyPassword)) + // throw new SAMLException("No keyPassword specified"); + + KeyStore ks = null; + try { + ks = KeyStoreUtils.loadKeyStore(this.keyStorePath, this.keyStorePassword); + } + catch (Exception e) { + e.printStackTrace(); + } + + // return new KeyStoreX509CredentialAdapter(ks, keyName, keyPwd.toCharArray()); + BasicX509Credential credential = null; + try { + java.security.cert.X509Certificate certificate = (X509Certificate) ks.getCertificate(this.keyName); + + PrivateKey privateKey = (PrivateKey) ks.getKey(this.keyName, this.keyPassword.toCharArray()); + credential = new BasicX509Credential(); + credential.setEntityCertificate(certificate); + credential.setPrivateKey(privateKey); + + System.out.println(privateKey); + + } + catch (Exception e) { + e.printStackTrace(); + + } + System.out.println(credential); + + String data = "someData"; + + RsaSHA256Signer signer = new RsaSHA256Signer("signer1", keyName, (RSAPrivateKey) credential.getPrivateKey()); + + byte[] signedData = signer.sign(data.getBytes()); + + RsaSHA256Verifier verifier = new RsaSHA256Verifier(credential.getPublicKey()); + verifier.verifySignature(data.getBytes(), signedData); + } +} diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20ErrorsTests.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20ErrorsTests.java new file mode 100644 index 000000000..64179d75a --- /dev/null +++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20ErrorsTests.java @@ -0,0 +1,190 @@ +package test.at.gv.egovernment.moa.id.auth.oauth; + +import java.io.IOException; +import java.util.Arrays; +import java.util.List; + +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.httpclient.HttpClient; +import org.apache.commons.httpclient.methods.GetMethod; +import org.apache.commons.lang.StringUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.testng.Assert; +import org.testng.annotations.AfterMethod; +import org.testng.annotations.BeforeMethod; +import org.testng.annotations.DataProvider; +import org.testng.annotations.Test; + +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util; + +import com.google.api.client.extensions.java6.auth.oauth2.VerificationCodeReceiver; +import com.google.api.client.extensions.jetty.auth.oauth2.LocalServerReceiver; +import com.google.api.client.http.HttpTransport; +import com.google.api.client.http.javanet.NetHttpTransport; +import com.google.api.client.json.JsonFactory; +import com.google.api.client.json.jackson2.JacksonFactory; + +public class OAuth20ErrorsTests { + + final static Logger log = LoggerFactory.getLogger(OAuth20ErrorsTests.class); + + private static VerificationCodeReceiver receiver; + + // base uri + private static String OAUTH2_BASE_URI = "http://localhost:8080/moa-id-auth/dispatcher"; + // auth action + private static String OAUTH2_AUTH_URI = OAUTH2_BASE_URI + "?mod=id_oauth20&action=AUTH"; + // token action + private static String OAUTH2_TOKEN_URI = OAUTH2_BASE_URI + "?mod=id_oauth20&action=TOKEN"; + + // client id + private static String CLIENT_ID = "http://test"; + // client secret + private static String CLIENT_SECRET = "d435cf0a-3933-48f7-b142-339710c8f070"; + // OAuth 2.0 scopes + private static List<String> SCOPES = Arrays.asList("testScope1", "testScope2"); + // state + private static String STATE = "testState"; + // code + private static String CODE = "code"; + // redirect uri + private static String REDIRECT_URI = "http://localhost:59542/Callback"; + + @BeforeMethod + public void beforeTest() throws Exception { + receiver = new LocalServerReceiver.Builder().setPort(59542).build(); + // REDIRECT_URI = receiver.getRedirectUri(); + // start + receiver.getRedirectUri(); + } + + @AfterMethod + public void afterTest() { + try { + receiver.stop(); + } + catch (IOException e) { + } + } + + private void checkParam(final String paramString, final String paramName) { + String[] help = paramString.split("="); + Assert.assertEquals(help[0], paramName); + Assert.assertTrue(StringUtils.isNotEmpty(help[1])); + } + + private void checkParams(final String queryString) { + // System.out.println("QueryString: " + queryString); + + System.out.println("Result url: " + queryString); + + String[] params = queryString.split("&"); + + this.checkParam(params[0], OAuth20Constants.PARAM_ERROR); + this.checkParam(params[1], OAuth20Constants.PARAM_ERROR_DESCRIPTION); + // this.checkParam(params[2], OAuth20Constants.PARAM_ERROR_URI); + // this.checkParam(params[3], OAuth20Constants.PARAM_STATE); + this.checkParam(params[2], OAuth20Constants.PARAM_STATE); + } + + class OAuthRequestParameters { + String redirectUri; + String clientId; + String responseType; + String scope; + String state; + String error; + + public OAuthRequestParameters(String redirectUri, String clientId, String responseType, String scope, String state, + String error) { + this.redirectUri = redirectUri; + this.clientId = clientId; + this.responseType = responseType; + this.scope = scope; + this.state = state; + this.error = error; + } + } + + @DataProvider(name = "parameter") + public Object[][] parameterProvider() { + // parameter is missing + // OAuthRequestParameters p0 = new OAuthRequestParameters(null, OA_URL, CLIENT_ID, CODE, + // "testScope1", null, + // "User authorization failed (invalid_request)"); + // OAuthRequestParameters p1 = new OAuthRequestParameters(REDIRECT_URI, CLIENT_ID, CODE, + // "testScope1", STATE, + // "User authorization failed (invalid_request)"); + OAuthRequestParameters p2 = new OAuthRequestParameters(REDIRECT_URI, null, CODE, "testScope1", STATE, + "User authorization failed (invalid_request)"); + OAuthRequestParameters p3 = new OAuthRequestParameters(REDIRECT_URI, CLIENT_ID, null, "testScope1", STATE, + "User authorization failed (invalid_request)"); + OAuthRequestParameters p4 = new OAuthRequestParameters(REDIRECT_URI, CLIENT_ID, CODE, null, STATE, null); + OAuthRequestParameters p5 = new OAuthRequestParameters(REDIRECT_URI, CLIENT_ID, CODE, "testScope1", null, + "User authorization failed (invalid_request)"); + + // wrong response type + OAuthRequestParameters p6 = new OAuthRequestParameters(REDIRECT_URI, CLIENT_ID, "WRONG_CODE", "testScope1", STATE, + "User authorization failed (unsupported_response_type)"); + // wrong client id + OAuthRequestParameters p7 = new OAuthRequestParameters(REDIRECT_URI, "wrongClient", CODE, "testScope1", STATE, + "User authorization failed (invalid_request)"); + // wrong redirect uri + // OAuthRequestParameters p9 = new OAuthRequestParameters("wrongURI", OA_URL, "wrongClient", + // CODE, "testScope1", STATE, + // "User authorization failed (access_denied)"); + + return new Object[][] { { p2 }, { p3 }, { p4 }, { p5 }, { p6 }, { p7 } }; + } + + @Test(dataProvider = "parameter", enabled = false) + public void testMissingParams(OAuthRequestParameters p) throws Exception { + StringBuilder url = new StringBuilder(); + url.append(OAUTH2_AUTH_URI); + + if (StringUtils.isNotEmpty(p.redirectUri)) OAuth20Util.addParameterToURL(url, "redirect_uri", p.redirectUri); + if (StringUtils.isNotEmpty(p.clientId)) OAuth20Util.addParameterToURL(url, "client_id", p.clientId); + if (StringUtils.isNotEmpty(p.responseType)) OAuth20Util.addParameterToURL(url, "response_type", p.responseType); + if (StringUtils.isNotEmpty(p.scope)) OAuth20Util.addParameterToURL(url, "scope", p.scope); + if (StringUtils.isNotEmpty(p.state)) OAuth20Util.addParameterToURL(url, "state", p.state); + + String finalUrl = url.toString(); + System.out.println("Calling: " + finalUrl); + + HttpClient client = new HttpClient(); + GetMethod get = new GetMethod(finalUrl); + int res = client.executeMethod(get); + Assert.assertEquals(res, HttpServletResponse.SC_OK); + + // assert + + if (p.error == null) { + Assert.assertFalse(get.getQueryString().contains("error")); + // receiver.waitForCode(); + } else { + // check if all error params are returned + this.checkParams(get.getQueryString()); + try { + receiver.waitForCode(); + Assert.assertTrue(false); + } + catch (Exception e) { + Assert.assertEquals(e.getMessage(), p.error); + } + } + } + + @Test(enabled = false) + public void testTokenErrorResponse() throws Exception { + HttpClient client = new HttpClient(); + GetMethod get = new GetMethod(OAUTH2_TOKEN_URI + "&client_id=" + CLIENT_ID + "&client_secret=" + CLIENT_SECRET + + "&code=test&grant_type=authorization_code"); + int res = client.executeMethod(get); + + System.out.println(res); + System.out.println(get.getResponseBodyAsString()); + } +} diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20GoogleClientTestCase.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20GoogleClientTestCase.java new file mode 100644 index 000000000..7cf2ac82b --- /dev/null +++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20GoogleClientTestCase.java @@ -0,0 +1,136 @@ +package test.at.gv.egovernment.moa.id.auth.oauth; + +import java.awt.Desktop; +import java.awt.Desktop.Action; +import java.io.IOException; +import java.math.BigInteger; +import java.net.URI; +import java.security.SecureRandom; +import java.util.Arrays; +import java.util.List; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.testng.Assert; +import org.testng.annotations.Test; + +import com.google.api.client.auth.oauth2.AuthorizationCodeFlow; +import com.google.api.client.auth.oauth2.AuthorizationCodeRequestUrl; +import com.google.api.client.auth.oauth2.BearerToken; +import com.google.api.client.auth.oauth2.ClientParametersAuthentication; +import com.google.api.client.auth.oauth2.TokenResponse; +import com.google.api.client.auth.openidconnect.IdToken; +import com.google.api.client.extensions.java6.auth.oauth2.VerificationCodeReceiver; +import com.google.api.client.extensions.jetty.auth.oauth2.LocalServerReceiver; +import com.google.api.client.http.GenericUrl; +import com.google.api.client.http.HttpExecuteInterceptor; +import com.google.api.client.http.HttpTransport; +import com.google.api.client.http.javanet.NetHttpTransport; +import com.google.api.client.json.JsonFactory; +import com.google.api.client.json.jackson2.JacksonFactory; + +public class OAuth20GoogleClientTestCase { + + final static Logger log = LoggerFactory.getLogger(OAuth20GoogleClientTestCase.class); + + // private static FileDataStoreFactory DATA_STORE_FACTORY; + + // Global instance of the HTTP transport. + private static HttpTransport HTTP_TRANSPORT = new NetHttpTransport(); + // Global instance of the JSON factory. + private static final JsonFactory JSON_FACTORY = JacksonFactory.getDefaultInstance(); + + private static String ISS = "https://localhost/moa-id-auth/"; + + // base uri + //private static String OAUTH2_BASE_URI = ISS + "dispatcher"; + // auth action + //private static String OAUTH2_AUTH_URI = OAUTH2_BASE_URI + "?mod=id_oauth20&action=AUTH"; + private static String OAUTH2_AUTH_URI = ISS + "oauth2/auth"; + + // token action + //private static String OAUTH2_TOKEN_URI = OAUTH2_BASE_URI + "?mod=id_oauth20&action=TOKEN"; + private static String OAUTH2_TOKEN_URI = ISS + "oauth2/token"; + + // client id + private static String CLIENT_ID = "http://test"; + // client secret + private static String CLIENT_SECRET = "d435cf0a-3933-48f7-b142-339710c8f070"; + // OAuth 2.0 scopes + private static final List<String> SCOPES = Arrays.asList("profile", "eID", "eID_gov", "mandate"); + + // open browser for bku login + private void openURL(String url) { + Assert.assertNotNull(url); + System.out.println(url); + if (Desktop.isDesktopSupported()) { + Desktop desktop = Desktop.getDesktop(); + if (desktop.isSupported(Action.BROWSE)) { + try { + desktop.browse(URI.create(url)); + return; + } + catch (IOException e) { + // handled below + } + } + } + // Finally just ask user to open in their browser using copy-paste + + log.info("Please open the following URL in your browser:"); + log.info(url); + } + + private TokenResponse authorize() throws Exception { + // set up a receiver for the callback + VerificationCodeReceiver receiver = new LocalServerReceiver.Builder().setPort(59542).build(); + + // create AuthorizationCodeFlow + GenericUrl token_uri = new GenericUrl(OAUTH2_TOKEN_URI); + HttpExecuteInterceptor credentials = new ClientParametersAuthentication(CLIENT_ID, CLIENT_SECRET); + AuthorizationCodeFlow flow = new AuthorizationCodeFlow.Builder(BearerToken.queryParameterAccessMethod(), HTTP_TRANSPORT, + JSON_FACTORY, token_uri, credentials, CLIENT_ID, OAUTH2_AUTH_URI).setScopes(SCOPES).build(); + // .setDataStoreFactory(DATA_STORE_FACTORY) + + // create AuthorizationCodeRequestUrl + try { + String redirectUri = receiver.getRedirectUri(); + String state = new BigInteger(130, new SecureRandom()).toString(32); + AuthorizationCodeRequestUrl authorizationUrl = flow.newAuthorizationUrl().setRedirectUri(redirectUri).setState(state); + + // open in browser + this.openURL(authorizationUrl.build()); + + // receive authorization code and exchange it for an access token + String code = receiver.waitForCode(); + System.out.println(code); + TokenResponse response = flow.newTokenRequest(code).setRedirectUri(redirectUri).execute(); + return response; + } + finally { + // if anything fails, stop the receiver + receiver.stop(); + } + + } + + // eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdC9tb2EtaWQtYXV0aC8iLCJleHAiOi02MzE5MDMsInN1YiI6IncveThQY2pNTHBFTGZmUHRTSDNtbmd6M24rRVx1MDAzZCIsImJpcnRoZGF0ZSI6IjE5ODUtMDItMDEiLCJmYW1pbHlfbmFtZSI6IkhpZXNzIiwiZ2l2ZW5fbmFtZSI6Ik1pY2hhZWwiLCJpYXQiOi02MzIyMDN9.Z_jveITHlTtktPOOV3n_sMbg50YQ4YcOEcSUs_RJ-4FGedj1sVxk9gmlUQcBPfQaBrPgC6RoiPLTy8CKu2PBClEyv9c9HdzIGqBjWzaTSNASx_QL5bfG4EQ8VZmSEI9d0whzlaBgkUFNfhx-Q2ZVh-g8SJ-0JO0zFR18OSRNTxPTJ4PPl0APqn2H-98sU331_zQKiZxNOvl_6OG26VoIYwEuW5m_N5tsf4lLAlqYcdHR3iNTeu8AkAOvlEwv7Z3BeeOiP4u-OWuc6VusWBPxaI2NwmDIoorpyIxY-wEFb4CWICuyk61Wlq1SCNdl-f-ODwJBK3rlj0IMlYbAjKSB0g + private void verifyIdToken(TokenResponse response) throws Exception { + String id_token = (String) response.getUnknownKeys().get("id_token"); + log.info("going to parse id token: {}", id_token); + + IdToken idToken = IdToken.parse(JSON_FACTORY, id_token); + Assert.assertTrue(idToken.verifyIssuer(ISS)); + + log.info(idToken.getPayload().toPrettyString()); + } + + @Test(enabled = false) + public void testServerFlow() throws Exception { + TokenResponse response = this.authorize(); + log.info(response.toPrettyString()); + + this.verifyIdToken(response); + } + +} diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20UtilTest.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20UtilTest.java new file mode 100644 index 000000000..83b92dbad --- /dev/null +++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20UtilTest.java @@ -0,0 +1,48 @@ +package test.at.gv.egovernment.moa.id.auth.oauth; + +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +import org.testng.Assert; +import org.testng.annotations.Test; + +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util; + +public class OAuth20UtilTest { + + @Test + public void validateURL() { + Assert.assertTrue(OAuth20Util.isUrl("file:/D:/dev/work/exthex/workspace/OAuthTesting/resources/keys/test_keystore.jks")); + Assert.assertTrue(OAuth20Util.isUrl("https://www.google.at/")); + Assert.assertTrue(OAuth20Util.isUrl("http://test")); + Assert.assertTrue(OAuth20Util.isUrl("http://localhost:59542/Callback")); + + + Assert.assertFalse(OAuth20Util.isUrl("http://")); + Assert.assertFalse(OAuth20Util.isUrl("123http://test")); + Assert.assertFalse(OAuth20Util.isUrl("test")); + } + + @Test + public void validateState() { + // check state for invalid characters (like < > & ; ... javascript ... to prevent xss) + + Assert.assertFalse(OAuth20Util.isValidStateValue("javascript")); + Assert.assertFalse(OAuth20Util.isValidStateValue("<Test")); + Assert.assertFalse(OAuth20Util.isValidStateValue("Test>")); + Assert.assertFalse(OAuth20Util.isValidStateValue("Tas<est")); + Assert.assertFalse(OAuth20Util.isValidStateValue("Te>st")); + Assert.assertFalse(OAuth20Util.isValidStateValue("Tes&t")); + Assert.assertFalse(OAuth20Util.isValidStateValue("Tes;t")); + Assert.assertTrue(OAuth20Util.isValidStateValue("secure_state")); + } + + + @Test + public void testExp() { + Pattern urlPattern = Pattern.compile("/oauth2/auth\\?(.*)$", Pattern.CASE_INSENSITIVE); + Matcher matcher = urlPattern.matcher("https://localhost/moa-id-auth/oauth2/auth?client_id=http://test&redirect_uri=http://localhost:59542/Callback&response_type=code&scope=profile%20eID%20eID_gov%20mandate&state=7gfnabf112ogg9segnnrfpi83q"); + System.out.println(matcher.find()); + } + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java index ed865d70f..97cc20d9f 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java @@ -12,14 +12,14 @@ import javax.persistence.GeneratedValue; import javax.persistence.GenerationType; import javax.persistence.Id; import javax.persistence.Lob; +import javax.persistence.NamedQueries; +import javax.persistence.NamedQuery; import javax.persistence.OneToMany; import javax.persistence.PrePersist; import javax.persistence.PreUpdate; import javax.persistence.Table; import javax.persistence.Temporal; import javax.persistence.TemporalType; -import javax.persistence.NamedQueries; -import javax.persistence.NamedQuery; import org.hibernate.annotations.DynamicUpdate; diff --git a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd index 085f187ff..481f12091 100644 --- a/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd +++ b/id/server/moa-id-commons/src/main/resources/config/moaid_config_2.0.xsd @@ -540,6 +540,7 @@ </xsd:element> <xsd:element ref="OA_SAML1" minOccurs="0"/> <xsd:element ref="OA_PVP2" minOccurs="0"/> + <xsd:element ref="OA_OAUTH20" minOccurs="0"/> </xsd:sequence> <!--xsd:element ref="pr:AbstractSimpleIdentification" minOccurs="0" maxOccurs="1"/ --> @@ -872,6 +873,7 @@ </xsd:sequence> </xsd:complexType> </xsd:element> + <xsd:element name="OA_PVP2"> <xsd:complexType> <xsd:sequence> @@ -898,6 +900,15 @@ </xsd:sequence> </xsd:complexType> </xsd:element> + <xsd:element name="OA_OAUTH20"> + <xsd:complexType> + <xsd:sequence> + <xsd:element name="oAuthClientId" type="xsd:string"/> + <xsd:element name="oAuthClientSecret" type="xsd:string"/> + <xsd:element name="oAuthRedirectUri" type="xsd:string"/> + </xsd:sequence> + </xsd:complexType> + </xsd:element> <xsd:element name="IdentificationNumber"> <xsd:complexType> <xsd:sequence> |