aboutsummaryrefslogtreecommitdiff
path: root/id/server
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2016-08-02 14:48:56 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2016-08-02 14:48:56 +0200
commita9b9c5177217de2f99298a416a25f912944d6383 (patch)
tree6556dec0479e3eb21b23eebb3b06a704c4bd4162 /id/server
parentd63a3e5b0ae43808cddd89d62f57868278eb50eb (diff)
downloadmoa-id-spss-a9b9c5177217de2f99298a416a25f912944d6383.tar.gz
moa-id-spss-a9b9c5177217de2f99298a416a25f912944d6383.tar.bz2
moa-id-spss-a9b9c5177217de2f99298a416a25f912944d6383.zip
First untested version of refactor eIDAS module, which uses eIDAS SAMLEngine v1.1 from JoinUp
Diffstat (limited to 'id/server')
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java74
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOASWSigner.java (renamed from id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDAsExtensionProcessor.java)36
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAeIDASSAMLEngineConfigurationImpl.java32
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAeIDASSAMLInstanceConfigurationImpl.java45
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java83
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java4
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataProviderDecorator.java44
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASAuthnRequestProcessingException.java (renamed from id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/eIDASAuthnRequestProcessingException.java)10
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASAuthnRequestValidationException.java (renamed from id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/eIDASAuthnRequestValidationException.java)4
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASEngineException.java2
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASException.java (renamed from id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/eIDASException.java)6
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASResponseBuildException.java (renamed from id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/eIDASResponseBuildException.java)6
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASResponseNotSuccessException.java (renamed from id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/eIDASResponseNotSuccessException.java)6
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/eIDASAttributeException.java2
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/CreateIdentityLinkTask.java53
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java174
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java38
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAOrderedAttributeIterator.java66
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAPersonalAttributeList.java686
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAProtocolEngineFactory.java99
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java613
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java91
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASData.java22
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java124
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java34
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java115
-rw-r--r--id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java18
-rw-r--r--id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java77
28 files changed, 1794 insertions, 770 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
index d93d739b1..b0d27cc32 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
@@ -22,15 +22,12 @@
*/
package at.gv.egovernment.moa.id.auth.modules.eidas;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.Map;
-
import org.opensaml.xml.encryption.EncryptionConstants;
import org.opensaml.xml.signature.SignatureConstants;
+//import eu.eidas.auth.engine.core.validator.eidas.EIDASAttributes;
-import eu.eidas.auth.engine.core.eidas.EidasAttributesTypes;
-import eu.eidas.auth.engine.core.validator.eidas.EIDASAttributes;
+import eu.eidas.auth.commons.attribute.AttributeRegistries;
+import eu.eidas.auth.commons.attribute.AttributeRegistry;
/**
* @author tlenz
@@ -68,19 +65,22 @@ public class Constants {
public static final long CONFIG_PROPS_SKEWTIME = 2 * 60 * 1000; //2 minutes skew time for response validation
public static final int CONFIG_PROPS_METADATA_SOCKED_TIMEOUT = 20 * 1000; //20 seconds metadata socked timeout
public static final long CONFIG_PROPS_METADATA_GARBAGE_TIMEOUT = 7 * 24 * 60 * 60 * 1000; //remove unused eIDAS metadata after 7 days
-
- //eIDAS attribute names
- public static final String eIDAS_ATTR_PERSONALIDENTIFIER = EIDASAttributes.ATTRIBUTE_NAME_SUFFIX_PERSONIDENTIFIER;
- public static final String eIDAS_ATTR_DATEOFBIRTH = EIDASAttributes.ATTRIBUTE_NAME_SUFFIX_DATEOFBIRTH;
- public static final String eIDAS_ATTR_CURRENTGIVENNAME = EIDASAttributes.ATTRIBUTE_NAME_SUFFIX_FIRSTNAME;
- public static final String eIDAS_ATTR_CURRENTFAMILYNAME = EIDASAttributes.ATTRIBUTE_NAME_SUFFIX_GIVENNAME;
+
+ //eIDAS request parameters
+ public static final String eIDAS_REQ_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
+
+ //eIDAS attribute names
+ public static final String eIDAS_ATTR_PERSONALIDENTIFIER = "PersonIdentifier";
+ public static final String eIDAS_ATTR_DATEOFBIRTH = "DateOfBirth";
+ public static final String eIDAS_ATTR_CURRENTGIVENNAME = "FirstName";
+ public static final String eIDAS_ATTR_CURRENTFAMILYNAME = "FamilyName";
//http endpoint descriptions
public static final String eIDAS_HTTP_ENDPOINT_SP_POST = "/eidas/sp/post";
public static final String eIDAS_HTTP_ENDPOINT_SP_REDIRECT = "/eidas/sp/redirect";
- public static final String eIDAS_HTTP_ENDPOINT_IDP_POST = "/eidas/idp/post";
+ //public static final String eIDAS_HTTP_ENDPOINT_IDP_POST = "/eidas/idp/post";
+ //public static final String eIDAS_HTTP_ENDPOINT_IDP_REDIRECT = "/eidas/idp/redirect";
public static final String eIDAS_HTTP_ENDPOINT_IDP_COLLEAGUEREQUEST = "/eidas/ColleagueRequest";
- public static final String eIDAS_HTTP_ENDPOINT_IDP_REDIRECT = "/eidas/idp/redirect";
public static final String eIDAS_HTTP_ENDPOINT_METADATA = "/eidas/metadata";
@@ -92,22 +92,38 @@ public class Constants {
public static final int eIDAS_REVERSIONSLOG_SP_AUTHRESPONSE= 3404;
//metadata constants
- public final static Map<String, EidasAttributesTypes> METADATA_POSSIBLE_ATTRIBUTES = Collections.unmodifiableMap(
- new HashMap<String, EidasAttributesTypes>(){
- private static final long serialVersionUID = 1L;
- {
- put(EIDASAttributes.ATTRIBUTE_GIVENNAME, EidasAttributesTypes.NATURAL_PERSON_MANDATORY);
- put(EIDASAttributes.ATTRIBUTE_FIRSTNAME, EidasAttributesTypes.NATURAL_PERSON_MANDATORY);
- put(EIDASAttributes.ATTRIBUTE_DATEOFBIRTH, EidasAttributesTypes.NATURAL_PERSON_MANDATORY);
- put(EIDASAttributes.ATTRIBUTE_PERSONIDENTIFIER, EidasAttributesTypes.NATURAL_PERSON_MANDATORY);
-
- //TODO: add additional attributes for eIDAS with mandates
- //put(EIDASAttributes.ATTRIBUTE_LEGALIDENTIFIER, EidasAttributesTypes.LEGAL_PERSON_MANDATORY);
- //put(EIDASAttributes.ATTRIBUTE_LEGALNAME, EidasAttributesTypes.LEGAL_PERSON_MANDATORY);
- }
- }
- );
+// public final static Map<String, EidasAttributesTypes> METADATA_POSSIBLE_ATTRIBUTES = Collections.unmodifiableMap(
+// new HashMap<String, EidasAttributesTypes>(){
+// private static final long serialVersionUID = 1L;
+// {
+// put(EIDASAttributes.ATTRIBUTE_GIVENNAME, EidasAttributesTypes.NATURAL_PERSON_MANDATORY);
+// put(EIDASAttributes.ATTRIBUTE_FIRSTNAME, EidasAttributesTypes.NATURAL_PERSON_MANDATORY);
+// put(EIDASAttributes.ATTRIBUTE_DATEOFBIRTH, EidasAttributesTypes.NATURAL_PERSON_MANDATORY);
+// put(EIDASAttributes.ATTRIBUTE_PERSONIDENTIFIER, EidasAttributesTypes.NATURAL_PERSON_MANDATORY);
+//
+// //TODO: add additional attributes for eIDAS with mandates
+// //put(EIDASAttributes.ATTRIBUTE_LEGALIDENTIFIER, EidasAttributesTypes.LEGAL_PERSON_MANDATORY);
+// //put(EIDASAttributes.ATTRIBUTE_LEGALNAME, EidasAttributesTypes.LEGAL_PERSON_MANDATORY);
+// }
+// }
+// );
+ public static final AttributeRegistry NAT_ATTR =
+ AttributeRegistries.of( eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.PERSON_IDENTIFIER,
+ eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.CURRENT_FAMILY_NAME,
+ eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.CURRENT_GIVEN_NAME,
+ eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.DATE_OF_BIRTH
+ );
+
+ public static final AttributeRegistry LEGAL_ATTR =
+ AttributeRegistries.of( eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER,
+ eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_NAME
+ );
+
+ public static final AttributeRegistry MOA_IDP_ATTR_REGISTRY =
+ AttributeRegistries.copyOf(NAT_ATTR, LEGAL_ATTR);
+
+
public static final String METADATA_ALLOWED_ALG_DIGIST =
SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256 + ";" +
SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512 ;
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDAsExtensionProcessor.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOASWSigner.java
index 5837d7dbf..302c12aaa 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDAsExtensionProcessor.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOASWSigner.java
@@ -20,29 +20,37 @@
* The "NOTICE" text file is part of the distribution. Any derivative works
* that you distribute must include a readable copy of the "NOTICE" text file.
*/
-package at.gv.egovernment.moa.id.auth.modules.eidas.engine;
+package at.gv.egovernment.moa.id.auth.modules.eidas.config;
-import java.util.HashSet;
-import java.util.Set;
+import java.util.Map;
import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
-import eu.eidas.auth.engine.core.ExtensionProcessorI;
-import eu.eidas.auth.engine.core.eidas.EidasExtensionProcessor;
+import eu.eidas.auth.engine.configuration.SamlEngineConfigurationException;
+import eu.eidas.auth.engine.configuration.dom.ConfigurationAdapter;
+import eu.eidas.auth.engine.configuration.dom.ConfigurationKey;
+import eu.eidas.auth.engine.core.impl.KeyStoreProtocolSigner;
+import eu.eidas.samlengineconfig.CertificateConfigurationManager;
/**
* @author tlenz
*
*/
-public class MOAeIDAsExtensionProcessor extends EidasExtensionProcessor implements ExtensionProcessorI {
+public class MOASWSigner extends KeyStoreProtocolSigner {
+ public MOASWSigner(Map<String, String> properties) throws SamlEngineConfigurationException {
+ super(properties);
+
+ }
+
/**
- * Add only eIDAS attributes which are supported by Austrian eIDAS node
- *
+ * @param configManager
+ * @throws SamlEngineConfigurationException
*/
- @Override
- public Set<String> getSupportedAttributes(){
- Set<String> supportedAttributes=new HashSet<String>( Constants.METADATA_POSSIBLE_ATTRIBUTES.keySet());
-
- return supportedAttributes;
- }
+ public MOASWSigner(CertificateConfigurationManager configManager) throws SamlEngineConfigurationException {
+ super(ConfigurationAdapter.adapt(configManager).getInstances().get(Constants.eIDAS_SAML_ENGINE_NAME).getConfigurationEntries().get(ConfigurationKey.SIGNATURE_CONFIGURATION.getKey()).getParameters());
+
+ }
+
+
+
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAeIDASSAMLEngineConfigurationImpl.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAeIDASSAMLEngineConfigurationImpl.java
index 5d1874157..9f6ba4af4 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAeIDASSAMLEngineConfigurationImpl.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAeIDASSAMLEngineConfigurationImpl.java
@@ -42,9 +42,7 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.FileUtils;
import at.gv.egovernment.moa.util.MiscUtil;
-
import eu.eidas.samlengineconfig.BinaryParameter;
-import eu.eidas.samlengineconfig.ConfigurationParameter;
import eu.eidas.samlengineconfig.EngineInstance;
import eu.eidas.samlengineconfig.InstanceConfiguration;
import eu.eidas.samlengineconfig.PropsParameter;
@@ -57,10 +55,10 @@ import eu.eidas.samlengineconfig.SamlEngineConfiguration;
public class MOAeIDASSAMLEngineConfigurationImpl extends
SamlEngineConfiguration {
- private static final String KEYSTORE_PATH="keystorePath";
- private static final String METADATA_KEYSTORE_PATH="metadata.keystorePath";
+ private static final String KEYSTORE_PATH="keyStorePath";
+ private static final String METADATA_KEYSTORE_PATH="metadata.keyStorePath";
private static final String ENCRYPTION_ACTIVATION="encryptionActivation";
- private static final String[] BINARY_PARAMETERS={KEYSTORE_PATH, ENCRYPTION_ACTIVATION,METADATA_KEYSTORE_PATH};
+ public static final String[] BINARY_PARAMETERS={KEYSTORE_PATH, ENCRYPTION_ACTIVATION,METADATA_KEYSTORE_PATH};
public List<EngineInstance> getInstances(){
return super.getInstances();
@@ -95,7 +93,7 @@ public class MOAeIDASSAMLEngineConfigurationImpl extends
//add basic eIDAS SAML-engine configuration
MOAeIDASSAMLInstanceConfigurationImpl samlBaseConfig = new MOAeIDASSAMLInstanceConfigurationImpl();
samlBaseConfig.setName(Constants.eIDAS_SAML_ENGINE_NAME_ID_BASICCONFIG);
- samlBaseConfig.addParameter(loadConfigurationFromExternalFile(Constants.CONIG_PROPS_EIDAS_SAMLENGINE_BASIC_CONFIGFILE));
+ samlBaseConfig.addParameter(buildPropsParameter(Constants.CONIG_PROPS_EIDAS_SAMLENGINE_BASIC_CONFIGFILE));
engineConfigs.add(samlBaseConfig);
//add signing eIDAS SAML-engine configuration
@@ -103,7 +101,7 @@ public class MOAeIDASSAMLEngineConfigurationImpl extends
samlSignConfig.setName(Constants.eIDAS_SAML_ENGINE_NAME_ID_SIGNATURECONFIG);
samlSignConfig.addParameter(Constants.eIDAS_SAML_ENGINE_NAME_ID_CLASS,
Constants.SAML_SIGNING_IMPLENTATION);
-
+
//TODO: load signing keys directly from MOA-ID configuration in finale version
samlSignConfig.addParameter(loadConfigurationFromExternalFile(Constants.CONIG_PROPS_EIDAS_SAMLENGINE_SIGN_CONFIGFILE));
engineConfigs.add(samlSignConfig);
@@ -122,16 +120,16 @@ public class MOAeIDASSAMLEngineConfigurationImpl extends
super.addInstance(engineInst);
}
-
+
/**
* Load an external eIDAS SAML-engine configuration file, which is referenced from MOA-ID configuration
*
* @param key Configuration key, which is used in property based MOA-ID configuration file
- * @return eIDAS SAML-engine configuration object
+ * @return eIDAS SAML-engine configuration Properties
* @throws ConfigurationException
*/
- private ConfigurationParameter loadConfigurationFromExternalFile(String key) throws ConfigurationException {
+ private Properties loadConfigurationFromExternalFile(String key) throws ConfigurationException {
String configFile =
AuthConfigurationProviderFactory.getInstance().getBasicMOAIDConfiguration(key);
if (MiscUtil.isEmpty(configFile)) {
@@ -141,15 +139,21 @@ public class MOAeIDASSAMLEngineConfigurationImpl extends
return null;
}
- Properties inputProps = loadPropsFromXml(configFile);
- return buildPropsParameter(inputProps, configFile);
+ Properties inputProps = loadPropsFromXml(configFile);
+ return inputProps;
+ //return buildPropsParameter(inputProps, configFile);
}
- private PropsParameter buildPropsParameter(Properties inputProps, String fileName) throws EIDASEngineConfigurationException {
+ private PropsParameter buildPropsParameter(String configKey) throws ConfigurationException {
+ Properties inputProps = loadConfigurationFromExternalFile(configKey);
+
+ String configFile =
+ AuthConfigurationProviderFactory.getInstance().getBasicMOAIDConfiguration(configKey);
+
PropsParameter outputProps = new PropsParameter();
- outputProps.setFileName(fileName);
+ outputProps.setFileName(configFile);
//original eIDAS SAML-engine use this identifier
outputProps.setName("fileConfiguration");
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAeIDASSAMLInstanceConfigurationImpl.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAeIDASSAMLInstanceConfigurationImpl.java
index dccd39905..2d76be206 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAeIDASSAMLInstanceConfigurationImpl.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAeIDASSAMLInstanceConfigurationImpl.java
@@ -22,9 +22,20 @@
*/
package at.gv.egovernment.moa.id.auth.modules.eidas.config;
+import java.net.MalformedURLException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.URL;
import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Iterator;
import java.util.List;
+import java.util.Map.Entry;
+import java.util.Properties;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.util.FileUtils;
import eu.eidas.samlengineconfig.ConfigurationParameter;
import eu.eidas.samlengineconfig.InstanceConfiguration;
import eu.eidas.samlengineconfig.StringParameter;
@@ -56,5 +67,39 @@ public class MOAeIDASSAMLInstanceConfigurationImpl extends
addParameter(param);
}
+
+ public void addParameter(Properties parameters) {
+ Iterator<Entry<Object, Object>> paramInterator = parameters.entrySet().iterator();
+ while (paramInterator.hasNext()) {
+ Entry<Object, Object> next = paramInterator.next();
+
+ StringParameter param = new StringParameter();
+ String keyName = (String) next.getKey();
+ param.setName(keyName);
+
+ //make path to binary files absolute
+ if (Arrays.asList(MOAeIDASSAMLEngineConfigurationImpl.BINARY_PARAMETERS).contains(keyName))
+ try {
+ String absoluteConfigFile = FileUtils.makeAbsoluteURL(
+ (String)next.getValue(),
+ AuthConfigurationProviderFactory.getInstance().getRootConfigFileDir());
+
+ URI uri = new URL(absoluteConfigFile).toURI();
+ param.setValue(uri.getRawPath().substring(1));
+
+ } catch (ConfigurationException | MalformedURLException | URISyntaxException e) {
+ //TODO: make final!!!!
+ e.printStackTrace();
+ param.setValue(next.getValue());
+
+ }
+ else
+ param.setValue(next.getValue());
+
+ addParameter(param);
+
+ }
+
+ }
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java
index 1ba344fd1..9ad5f0db3 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java
@@ -1,18 +1,95 @@
package at.gv.egovernment.moa.id.auth.modules.eidas.config;
+import java.security.cert.X509Certificate;
+import java.util.Map;
+
+import org.apache.commons.lang.StringUtils;
+
+import com.google.common.collect.ImmutableMap;
+import com.sun.istack.Nullable;
+
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.logging.Logger;
-import eu.eidas.auth.engine.core.impl.EncryptionSW;
+import eu.eidas.auth.commons.EidasErrorKey;
+import eu.eidas.auth.commons.io.ReloadableProperties;
+import eu.eidas.auth.engine.configuration.SamlEngineConfigurationException;
+import eu.eidas.auth.engine.configuration.dom.EncryptionKey;
+import eu.eidas.auth.engine.core.impl.CertificateValidator;
+import eu.eidas.auth.engine.core.impl.KeyStoreSamlEngineEncryption;
+import eu.eidas.auth.engine.xml.opensaml.CertificateUtil;
+import eu.eidas.engine.exceptions.EIDASSAMLEngineException;
/**
* This encryption module asks the moa configuration on whether to encrypt the response or not. In doubt, encryption is enforced.
*/
-public class ModifiedEncryptionSW extends EncryptionSW {
+public class ModifiedEncryptionSW extends KeyStoreSamlEngineEncryption {
+
+ private final ImmutableMap<String, String> properties;
+
+ private final ReloadableProperties encryptionActivationProperties;
+
+ private static ReloadableProperties initActivationConf(Map<String, String> properties) {
+ String activationConfigurationFile = EncryptionKey.ENCRYPTION_ACTIVATION.getAsString(properties);
+ Logger.debug("File containing encryption configuration: \"" + activationConfigurationFile + "\"");
+ return new ReloadableProperties(activationConfigurationFile);
+ }
+
+ /**
+ * @param properties
+ * @throws SamlEngineConfigurationException
+ */
+ public ModifiedEncryptionSW(Map<String, String> properties) throws SamlEngineConfigurationException {
+ super(properties);
+ this.properties = ImmutableMap.copyOf(properties);
+ encryptionActivationProperties = initActivationConf(properties);
+ }
+
+ /* (non-Javadoc)
+ * @see eu.eidas.auth.engine.core.ProtocolEncrypterI#getEncryptionCertificate(java.lang.String)
+ */
+ @Override
+ @Nullable
+ public X509Certificate getEncryptionCertificate(@Nullable String destinationCountryCode)
+ throws EIDASSAMLEngineException {
+ if (isEncryptionEnabled(destinationCountryCode)) {
+ String issuerKey = new StringBuilder(EncryptionKey.RESPONSE_TO_POINT_ISSUER_PREFIX.getKey()).append(
+ destinationCountryCode).toString();
+ String serialNumberKey =
+ new StringBuilder(EncryptionKey.RESPONSE_TO_POINT_SERIAL_NUMBER_PREFIX.getKey()).append(
+ destinationCountryCode).toString();
+ String serialNumber = properties.get(serialNumberKey);
+ String responseToPointIssuer = properties.get(issuerKey);
+ if (StringUtils.isNotBlank(responseToPointIssuer)) {
+ for (final X509Certificate certificate : getEncryptionCertificates()) {
+ if (CertificateUtil.matchesCertificate(serialNumber, responseToPointIssuer, certificate)) {
+
+ if (isDisallowedSelfSignedCertificate()) {
+ CertificateValidator.checkCertificateIssuer(certificate);
+ }
+ if (isCheckedValidityPeriod()) {
+ CertificateValidator.checkCertificateValidityPeriod(certificate);
+ }
+
+ return certificate;
+ }
+ }
+ throw new EIDASSAMLEngineException(EidasErrorKey.SAML_ENGINE_INVALID_CERTIFICATE.errorCode(),
+ EidasErrorKey.SAML_ENGINE_INVALID_CERTIFICATE.errorMessage());
+ } else {
+ Logger.error("Encryption of SAML Response NOT done, because no \"" + issuerKey +
+ "\" configured!");
+ }
+ }
+ return null;
+ }
+ /* (non-Javadoc)
+ * @see eu.eidas.auth.engine.core.ProtocolEncrypterI#isEncryptionEnabled(java.lang.String)
+ */
@Override
- public boolean isEncryptionEnable(String countryCode) {
+ public boolean isEncryptionEnabled(String countryCode) {
// - encrypt if so configured
try {
AuthConfiguration moaconfig = AuthConfigurationProviderFactory.getInstance();
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
index f062ad3c2..ca36b5ee5 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
@@ -40,7 +40,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MOASPMetad
import at.gv.egovernment.moa.id.saml2.MetadataFilterChain;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
-import eu.eidas.auth.engine.AbstractSAMLEngine;
+import eu.eidas.auth.engine.AbstractProtocolEngine;
@Service("eIDASMetadataProvider")
public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvider,
@@ -222,7 +222,7 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
timer = new Timer(true);
httpProvider = new HTTPMetadataProvider(timer, httpClient,
metadataURL);
- httpProvider.setParserPool(AbstractSAMLEngine.getNewBasicSecuredParserPool());
+ httpProvider.setParserPool(AbstractProtocolEngine.getSecuredParserPool());
httpProvider.setRequireValidMetadata(true);
httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes
httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataProviderDecorator.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataProviderDecorator.java
index 7537c4d84..c5e56502b 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataProviderDecorator.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataProviderDecorator.java
@@ -31,15 +31,17 @@ import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
-import eu.eidas.auth.engine.EIDASSAMLEngine;
-import eu.eidas.auth.engine.metadata.MetadataProcessorI;
+import eu.eidas.auth.engine.ProtocolEngineI;
+import eu.eidas.auth.engine.metadata.MetadataFetcherI;
+import eu.eidas.auth.engine.metadata.MetadataSignerI;
+import eu.eidas.engine.exceptions.EIDASSAMLEngineException;
import eu.eidas.engine.exceptions.SAMLEngineException;
/**
* @author tlenz
*
*/
-public class MOAeIDASMetadataProviderDecorator implements MetadataProcessorI {
+public class MOAeIDASMetadataProviderDecorator implements MetadataFetcherI {
private MetadataProvider metadataprovider = null;
@@ -51,10 +53,31 @@ public class MOAeIDASMetadataProviderDecorator implements MetadataProcessorI {
}
+
/* (non-Javadoc)
- * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getEntityDescriptor(java.lang.String)
+ * @see eu.eidas.auth.engine.metadata.MetadataFetcherI#getEntityDescriptor(java.lang.String, eu.eidas.auth.engine.metadata.MetadataSignerI)
*/
@Override
+ public EntityDescriptor getEntityDescriptor(String url, MetadataSignerI paramMetadataSignerI)
+ throws EIDASSAMLEngineException {
+ try {
+ /*TODO: maybe implement metadata signature validation on every request,
+ * but it is not needed in case of cached metadata provider,
+ * because signature must be only validated in case of cache reload operation
+ */
+ return this.metadataprovider.getEntityDescriptor(url);
+
+ } catch (MetadataProviderException e) {
+ throw new EIDASSAMLEngineException("eIDAS Metadata processing FAILED.", e);
+
+ }
+ }
+
+
+ /* (non-Javadoc)
+ * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getEntityDescriptor(java.lang.String)
+ */
+ @Deprecated
public EntityDescriptor getEntityDescriptor(String url)
throws SAMLEngineException {
try {
@@ -69,7 +92,7 @@ public class MOAeIDASMetadataProviderDecorator implements MetadataProcessorI {
/* (non-Javadoc)
* @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getSPSSODescriptor(java.lang.String)
*/
- @Override
+ @Deprecated
public SPSSODescriptor getSPSSODescriptor(String url)
throws SAMLEngineException {
return getFirstRoleDescriptor(getEntityDescriptor(url), SPSSODescriptor.class);
@@ -79,7 +102,7 @@ public class MOAeIDASMetadataProviderDecorator implements MetadataProcessorI {
/* (non-Javadoc)
* @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getIDPSSODescriptor(java.lang.String)
*/
- @Override
+ @Deprecated
public IDPSSODescriptor getIDPSSODescriptor(String url)
throws SAMLEngineException {
return getFirstRoleDescriptor(getEntityDescriptor(url), IDPSSODescriptor.class);
@@ -89,8 +112,8 @@ public class MOAeIDASMetadataProviderDecorator implements MetadataProcessorI {
/* (non-Javadoc)
* @see eu.eidas.auth.engine.metadata.MetadataProcessorI#checkValidMetadataSignature(java.lang.String, eu.eidas.auth.engine.EIDASSAMLEngine)
*/
- @Override
- public void checkValidMetadataSignature(String url, EIDASSAMLEngine engine)
+ @Deprecated
+ public void checkValidMetadataSignature(String url, ProtocolEngineI engine)
throws SAMLEngineException {
//Do nothing, because metadata signature is already validated during
//metadata provider initialization
@@ -102,7 +125,7 @@ public class MOAeIDASMetadataProviderDecorator implements MetadataProcessorI {
/* (non-Javadoc)
* @see eu.eidas.auth.engine.metadata.MetadataProcessorI#checkValidMetadataSignature(java.lang.String, java.security.KeyStore)
*/
- @Override
+ @Deprecated
public void checkValidMetadataSignature(String url, KeyStore trustStore)
throws SAMLEngineException {
//Do nothing, because metadata signature is already validated during
@@ -110,6 +133,7 @@ public class MOAeIDASMetadataProviderDecorator implements MetadataProcessorI {
}
+ @Deprecated
protected <T extends RoleDescriptor> T getFirstRoleDescriptor(EntityDescriptor entityDescriptor, final Class<T> clazz){
for(RoleDescriptor rd:entityDescriptor.getRoleDescriptors()){
if(clazz.isInstance(rd)){
@@ -119,4 +143,6 @@ public class MOAeIDASMetadataProviderDecorator implements MetadataProcessorI {
return null;
}
+
+
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/eIDASAuthnRequestProcessingException.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASAuthnRequestProcessingException.java
index c96af37ef..d51629d9e 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/eIDASAuthnRequestProcessingException.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASAuthnRequestProcessingException.java
@@ -30,7 +30,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
* @author tlenz
*
*/
-public class eIDASAuthnRequestProcessingException extends eIDASException {
+public class EIDASAuthnRequestProcessingException extends EIDASException {
private String subStatusCode = null;
@@ -43,20 +43,20 @@ public class eIDASAuthnRequestProcessingException extends eIDASException {
* @param messageId
* @param parameters
*/
- public eIDASAuthnRequestProcessingException(String messageId, Object[] parameters) {
+ public EIDASAuthnRequestProcessingException(String messageId, Object[] parameters) {
super(messageId, parameters);
}
- public eIDASAuthnRequestProcessingException(String subStatusCode, String messageId, Object[] parameters) {
+ public EIDASAuthnRequestProcessingException(String subStatusCode, String messageId, Object[] parameters) {
super(messageId, parameters);
this.subStatusCode = subStatusCode;
}
- public eIDASAuthnRequestProcessingException(String messageId, Object[] parameters, Throwable e) {
+ public EIDASAuthnRequestProcessingException(String messageId, Object[] parameters, Throwable e) {
super(messageId, parameters, e );
}
- public eIDASAuthnRequestProcessingException(String subStatusCode, String messageId, Object[] parameters, Throwable e) {
+ public EIDASAuthnRequestProcessingException(String subStatusCode, String messageId, Object[] parameters, Throwable e) {
super(messageId, parameters, e );
this.subStatusCode = subStatusCode;
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/eIDASAuthnRequestValidationException.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASAuthnRequestValidationException.java
index 2a15ee18a..a6da769b7 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/eIDASAuthnRequestValidationException.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASAuthnRequestValidationException.java
@@ -28,7 +28,7 @@ import org.opensaml.saml2.core.StatusCode;
* @author tlenz
*
*/
-public class eIDASAuthnRequestValidationException extends eIDASException {
+public class EIDASAuthnRequestValidationException extends EIDASException {
/**
*
@@ -39,7 +39,7 @@ public class eIDASAuthnRequestValidationException extends eIDASException {
* @param messageId
* @param parameters
*/
- public eIDASAuthnRequestValidationException(String messageId, Object[] parameters) {
+ public EIDASAuthnRequestValidationException(String messageId, Object[] parameters) {
super(messageId, parameters);
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASEngineException.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASEngineException.java
index 234c4e038..8bf7f7452 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASEngineException.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASEngineException.java
@@ -28,7 +28,7 @@ import org.opensaml.saml2.core.StatusCode;
* @author tlenz
*
*/
-public class EIDASEngineException extends eIDASException {
+public class EIDASEngineException extends EIDASException {
/**
* @param objects
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/eIDASException.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASException.java
index f42004abc..e3d6c5a2e 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/eIDASException.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASException.java
@@ -28,7 +28,7 @@ import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
* @author tlenz
*
*/
-public abstract class eIDASException extends MOAIDException {
+public abstract class EIDASException extends MOAIDException {
/**
*
@@ -44,7 +44,7 @@ public abstract class eIDASException extends MOAIDException {
* @param messageId
* @param parameters
*/
- public eIDASException(String messageId, Object[] parameters) {
+ public EIDASException(String messageId, Object[] parameters) {
super(messageId, parameters);
}
@@ -52,7 +52,7 @@ public abstract class eIDASException extends MOAIDException {
* @param messageId
* @param parameters
*/
- public eIDASException(String messageId, Object[] parameters, Throwable e) {
+ public EIDASException(String messageId, Object[] parameters, Throwable e) {
super(messageId, parameters, e);
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/eIDASResponseBuildException.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASResponseBuildException.java
index 0ffcf11ef..5e6b87b39 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/eIDASResponseBuildException.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASResponseBuildException.java
@@ -28,7 +28,7 @@ import org.opensaml.saml2.core.StatusCode;
* @author tlenz
*
*/
-public class eIDASResponseBuildException extends eIDASException {
+public class EIDASResponseBuildException extends EIDASException {
/**
*
@@ -39,11 +39,11 @@ public class eIDASResponseBuildException extends eIDASException {
* @param messageId
* @param parameters
*/
- public eIDASResponseBuildException(String messageId, Object[] parameters) {
+ public EIDASResponseBuildException(String messageId, Object[] parameters) {
super(messageId, parameters);
}
- public eIDASResponseBuildException(String messageId, Object[] parameters, Throwable e) {
+ public EIDASResponseBuildException(String messageId, Object[] parameters, Throwable e) {
super(messageId, parameters, e);
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/eIDASResponseNotSuccessException.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASResponseNotSuccessException.java
index d10ca1c88..460561eb3 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/eIDASResponseNotSuccessException.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASResponseNotSuccessException.java
@@ -28,14 +28,14 @@ import org.opensaml.saml2.core.StatusCode;
* @author tlenz
*
*/
-public class eIDASResponseNotSuccessException extends eIDASException {
+public class EIDASResponseNotSuccessException extends EIDASException {
/**
*
*/
private static final long serialVersionUID = 6145402939313568907L;
- public eIDASResponseNotSuccessException(String messageId, Object[] parameters) {
+ public EIDASResponseNotSuccessException(String messageId, Object[] parameters) {
super(messageId, parameters);
}
@@ -44,7 +44,7 @@ public class eIDASResponseNotSuccessException extends eIDASException {
* @param parameters
* @param e
*/
- public eIDASResponseNotSuccessException(String messageId, Object[] parameters, Throwable e) {
+ public EIDASResponseNotSuccessException(String messageId, Object[] parameters, Throwable e) {
super(messageId, parameters, e);
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/eIDASAttributeException.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/eIDASAttributeException.java
index b25895eca..17f0a9b72 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/eIDASAttributeException.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/eIDASAttributeException.java
@@ -28,7 +28,7 @@ import org.opensaml.saml2.core.StatusCode;
* @author tlenz
*
*/
-public class eIDASAttributeException extends eIDASException {
+public class eIDASAttributeException extends EIDASException {
private static final long serialVersionUID = 1L;
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/CreateIdentityLinkTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/CreateIdentityLinkTask.java
index a56e6c3cd..6be64ba72 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/CreateIdentityLinkTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/CreateIdentityLinkTask.java
@@ -28,6 +28,7 @@ import java.text.SimpleDateFormat;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.joda.time.DateTime;
import org.springframework.stereotype.Component;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -39,6 +40,7 @@ import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.eIDASAttributeException;
+import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils;
import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
@@ -47,7 +49,7 @@ import at.gv.egovernment.moa.id.util.IdentityLinkReSigner;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.DOMUtils;
import at.gv.egovernment.moa.util.XPathUtils;
-import eu.eidas.auth.commons.IPersonalAttributeList;
+import eu.eidas.auth.commons.attribute.ImmutableAttributeMap;
/**
* @author tlenz
@@ -67,9 +69,9 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
defaultTaskInitialization(request, executionContext);
//get eIDAS attributes from MOA-Session
- IPersonalAttributeList eIDASAttributes = moasession.getGenericDataFromSession(
+ ImmutableAttributeMap eIDASAttributes = moasession.getGenericDataFromSession(
AuthenticationSessionStorageConstants.eIDAS_ATTRIBUTELIST,
- IPersonalAttributeList.class);
+ ImmutableAttributeMap.class);
IdentityLink identityLink = null;
@@ -86,13 +88,17 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
// replace data
Element idlassertion = identityLink.getSamlAssertion();
-
+
// - set fake baseID;
Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
- if(!eIDASAttributes.containsKey(Constants.eIDAS_ATTR_PERSONALIDENTIFIER))
- throw new eIDASAttributeException(Constants.eIDAS_ATTR_PERSONALIDENTIFIER);
- String eIdentifier = eIDASAttributes.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER).getValue().get(0);
- prIdentification.getFirstChild().setNodeValue(eIdentifier);
+
+
+ Object eIdentifier = eIDASAttributes.getFirstValue(
+ SAMLEngineUtils.getMapOfAllAvailableAttributes().get(
+ Constants.eIDAS_ATTR_PERSONALIDENTIFIER));
+ if (eIdentifier == null || !(eIdentifier instanceof String))
+ throw new eIDASAttributeException(Constants.eIDAS_ATTR_PERSONALIDENTIFIER);
+ prIdentification.getFirstChild().setNodeValue((String) eIdentifier);
//build personal identifier which looks like a baseID
// String fakeBaseID = new BPKBuilder().buildBPK(eIdentifier, "baseID");
@@ -100,26 +106,33 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
// prIdentification.getFirstChild().setNodeValue(fakeBaseID);
// - set last name
- Node prFamilyName = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_FAMILY_NAME_XPATH);
- if(!eIDASAttributes.containsKey(Constants.eIDAS_ATTR_CURRENTFAMILYNAME))
+ Node prFamilyName = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_FAMILY_NAME_XPATH);
+ Object familyName = eIDASAttributes.getFirstValue(
+ SAMLEngineUtils.getMapOfAllAvailableAttributes().get(
+ Constants.eIDAS_ATTR_CURRENTFAMILYNAME));
+ if (familyName == null || !(familyName instanceof String))
throw new eIDASAttributeException(Constants.eIDAS_ATTR_CURRENTFAMILYNAME);
- String familyName = eIDASAttributes.get(Constants.eIDAS_ATTR_CURRENTFAMILYNAME).getValue().get(0);
- prFamilyName.getFirstChild().setNodeValue(familyName);
+ prFamilyName.getFirstChild().setNodeValue((String) familyName);
// - set first name
Node prGivenName = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_GIVEN_NAME_XPATH);
- if(!eIDASAttributes.containsKey(Constants.eIDAS_ATTR_CURRENTGIVENNAME))
+ Object givenName = eIDASAttributes.getFirstValue(
+ SAMLEngineUtils.getMapOfAllAvailableAttributes().get(
+ Constants.eIDAS_ATTR_CURRENTGIVENNAME));
+ if (givenName == null || !(givenName instanceof String))
throw new eIDASAttributeException(Constants.eIDAS_ATTR_CURRENTGIVENNAME);
- String givenName = eIDASAttributes.get(Constants.eIDAS_ATTR_CURRENTGIVENNAME).getValue().get(0);
- prGivenName.getFirstChild().setNodeValue(givenName);
+ prGivenName.getFirstChild().setNodeValue((String) givenName);
// - set date of birth
- Node prDateOfBirth = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_DATE_OF_BIRTH_XPATH);
- if(!eIDASAttributes.containsKey(Constants.eIDAS_ATTR_DATEOFBIRTH))
+ Node prDateOfBirth = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_DATE_OF_BIRTH_XPATH);
+ Object dateOfBirth = eIDASAttributes.getFirstValue(
+ SAMLEngineUtils.getMapOfAllAvailableAttributes().get(
+ Constants.eIDAS_ATTR_DATEOFBIRTH));
+ if (dateOfBirth == null || !(dateOfBirth instanceof DateTime))
throw new eIDASAttributeException(Constants.eIDAS_ATTR_DATEOFBIRTH);
- String dateOfBirth = eIDASAttributes.get(Constants.eIDAS_ATTR_DATEOFBIRTH).getValue().get(0);
- dateOfBirth = new SimpleDateFormat("yyyy-MM-dd").format(new SimpleDateFormat("yyyyMMdd").parse(dateOfBirth));
- prDateOfBirth.getFirstChild().setNodeValue(dateOfBirth);
+
+ String formatedDateOfBirth = new SimpleDateFormat("yyyy-MM-dd").format(((DateTime)dateOfBirth).toDate());
+ prDateOfBirth.getFirstChild().setNodeValue(formatedDateOfBirth);
identityLink = new IdentityLinkAssertionParser(idlassertion).parseIdentityLink();
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
index 2f10df540..ee71e8e6b 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
@@ -23,7 +23,9 @@
package at.gv.egovernment.moa.id.auth.modules.eidas.tasks;
import java.io.StringWriter;
+import java.util.ArrayList;
import java.util.Collection;
+import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -33,6 +35,10 @@ import org.apache.commons.lang3.StringUtils;
import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
+import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.SingleSignOnService;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
@@ -54,15 +60,17 @@ import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
import at.gv.egovernment.moa.logging.Logger;
-import eu.eidas.auth.commons.EIDASAuthnRequest;
-import eu.eidas.auth.commons.EIDASUtil;
-import eu.eidas.auth.commons.EidasLoaCompareType;
-import eu.eidas.auth.commons.EidasLoaLevels;
-import eu.eidas.auth.commons.IPersonalAttributeList;
-import eu.eidas.auth.commons.PersonalAttribute;
-import eu.eidas.auth.commons.PersonalAttributeList;
-import eu.eidas.auth.engine.EIDASSAMLEngine;
-import eu.eidas.auth.engine.core.eidas.SPType;
+import at.gv.egovernment.moa.util.MiscUtil;
+import eu.eidas.auth.commons.EidasStringUtil;
+import eu.eidas.auth.commons.attribute.AttributeDefinition;
+import eu.eidas.auth.commons.attribute.AttributeDefinition.Builder;
+import eu.eidas.auth.commons.attribute.ImmutableAttributeMap;
+import eu.eidas.auth.commons.protocol.IRequestMessage;
+import eu.eidas.auth.commons.protocol.eidas.LevelOfAssurance;
+import eu.eidas.auth.commons.protocol.eidas.LevelOfAssuranceComparison;
+import eu.eidas.auth.commons.protocol.eidas.SpType;
+import eu.eidas.auth.commons.protocol.eidas.impl.EidasAuthenticationRequest;
+import eu.eidas.auth.engine.ProtocolEngineI;
import eu.eidas.engine.exceptions.EIDASSAMLEngineException;
/**
@@ -100,9 +108,42 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
throw new AuthenticationException("eIDAS.04", new Object[] {citizenCountryCode});
}
Logger.debug("Found eIDaS Node/C-PEPS configuration for citizen of country: " + citizenCountryCode);
- String destination = cpeps.getPepsURL().toString().split(";")[1].trim(); // FIXME convenience for metadata url and assertion destination
+ String destination = null;
String metadataUrl = cpeps.getPepsURL().toString().split(";")[0].trim();
+ try {
+ EntityDescriptor eIDASNodeMetadata = eIDASMetadataProvider.getEntityDescriptor(metadataUrl);
+ if (eIDASNodeMetadata != null) {
+ SingleSignOnService ssoDescr = selectSingleSignOnServiceFromMetadata(eIDASNodeMetadata);
+ if (ssoDescr != null) {
+ destination = ssoDescr.getLocation();
+ Logger.debug("Use destination URL:" + destination + " from eIDAS metadata:" + metadataUrl);
+
+ } else
+ Logger.warn("eIDAS metadata for node:" + metadataUrl + " has no IDPSSODescriptor or no SingleSignOnService information.");
+
+ } else
+ Logger.warn("No eIDAS metadata for node:" + metadataUrl + " ");
+
+ } catch (MetadataProviderException e) {
+ Logger.warn("Load eIDAS metadata from node:" + metadataUrl + " FAILED with an error.", e);
+
+ }
+
+
+ if (MiscUtil.isEmpty(destination)) {
+ destination = cpeps.getPepsURL().toString().split(";")[1].trim(); // FIXME convenience for metadata url and assertion destination
+
+ if (MiscUtil.isNotEmpty(destination))
+ Logger.debug("Use eIDAS node destination URL:" + destination + " from configuration");
+
+ else {
+ Logger.error("No eIDAS-node destination URL FOUND. Request eIDAS node not possible.");
+ throw new MOAIDException("eIDAS.02", new Object[]{"No eIDAS-node Destination-URL FOUND"});
+
+ }
+
+ }
//TODO: switch to entityID
revisionsLogger.logEvent(oaConfig, pendingReq,
@@ -113,50 +154,69 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
Collection<StorkAttribute> attributesFromConfig = oaConfig.getRequestedSTORKAttributes();
// - prepare attribute list
- IPersonalAttributeList pAttList = new PersonalAttributeList();
-
+ ProtocolEngineI engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider);
+
// - fill container
- for (StorkAttribute current : attributesFromConfig) {
- PersonalAttribute newAttribute = new PersonalAttribute();
- newAttribute.setName(current.getName());
-
- boolean globallyMandatory = false;
- for (StorkAttribute currentGlobalAttribute : authConfig.getStorkConfig().getStorkAttributes())
- if (current.getName().equals(currentGlobalAttribute.getName())) {
- globallyMandatory = BooleanUtils.isTrue(currentGlobalAttribute.getMandatory());
- break;
- }
-
- newAttribute.setIsRequired(current.getMandatory() || globallyMandatory);
- pAttList.add(newAttribute);
+ List<AttributeDefinition<?>> reqAttrList = new ArrayList<AttributeDefinition<?>>();
+ for (StorkAttribute current : attributesFromConfig) {
+ AttributeDefinition<?> newAttribute = SAMLEngineUtils.getMapOfAllAvailableAttributes().get(current.getName());
+
+ if (newAttribute == null) {
+ Logger.warn("eIDAS attribute with friendlyName:" + current.getName() + " is not supported.");
+
+ } else {
+ boolean globallyMandatory = false;
+ for (StorkAttribute currentGlobalAttribute : authConfig.getStorkConfig().getStorkAttributes())
+ if (current.getName().equals(currentGlobalAttribute.getName())) {
+ globallyMandatory = BooleanUtils.isTrue(currentGlobalAttribute.getMandatory());
+ break;
+ }
+
+ Builder<?> attrBuilder = AttributeDefinition.builder(newAttribute).required(current.getMandatory() || globallyMandatory);
+ reqAttrList.add(attrBuilder.build());
+
+ }
}
-
- EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider);
-
- //build eIDAS AuthnRequest
- EIDASAuthnRequest authnRequest = new EIDASAuthnRequest();
- authnRequest.setProviderName(pendingReq.getAuthURL());
- authnRequest.setPersonalAttributeList(pAttList);
- authnRequest.setIssuer(pendingReq.getAuthURL() + Constants.eIDAS_HTTP_ENDPOINT_METADATA);
+ //build requested attribute set
+ ImmutableAttributeMap reqAttrMap = new ImmutableAttributeMap.Builder().putAll(reqAttrList).build();
- authnRequest.setDestination(destination);
- authnRequest.setEidasNameidFormat(EIDASAuthnRequest.NAMEID_FORMAT_UNSPECIFIED);
- authnRequest.setEidasLoA(EidasLoaLevels.LOW.stringValue());
- authnRequest.setEidasLoACompareType(EidasLoaCompareType.MINIMUM.stringValue());
+ //build eIDAS AuthnRequest
+ EidasAuthenticationRequest.Builder authnRequestBuilder = new EidasAuthenticationRequest.Builder();
+
+ authnRequestBuilder.id(eu.eidas.auth.engine.xml.opensaml.SAMLEngineUtils.generateNCName());
+ authnRequestBuilder.providerName(pendingReq.getAuthURL());
+ String issur = pendingReq.getAuthURL() + Constants.eIDAS_HTTP_ENDPOINT_METADATA;
+ authnRequestBuilder.issuer(issur);
+ authnRequestBuilder.destination(destination);
+
+ authnRequestBuilder.levelOfAssuranceComparison(LevelOfAssuranceComparison.MINIMUM);
+ authnRequestBuilder.nameIdFormat(Constants.eIDAS_REQ_NAMEID_FORMAT);
+ //TODO: load from OA-Configuration
+ authnRequestBuilder.levelOfAssurance(LevelOfAssurance.LOW);
//set correct SPType for this online application
if (oaConfig.getBusinessService())
- authnRequest.setSPType("private");
+ authnRequestBuilder.spType(SpType.PRIVATE);
else
- authnRequest.setSPType(SPType.DEFAULT_VALUE);
-
- engine.initRequestedAttributes(pAttList);
- authnRequest = engine.generateEIDASAuthnRequest(authnRequest);
+ authnRequestBuilder.spType(SpType.PUBLIC);
+
+
+ //TODO: make it loadable from config
+ authnRequestBuilder.serviceProviderCountryCode("AT");
+
+ //set citizen country code for foreign uses
+ authnRequestBuilder.citizenCountryCode(cpeps.getCountryCode());
+
+ //add requested attributes
+ authnRequestBuilder.requestedAttributes(reqAttrMap);
+
+
+ IRequestMessage authnRequest = engine.generateRequestMessage(authnRequestBuilder.build(), issur);
//encode AuthnRequest
- byte[] token = authnRequest.getTokenSaml();
- String SAMLRequest = EIDASUtil.encodeSAMLToken(token);
+ byte[] token = authnRequest.getMessageBytes();
+ String SAMLRequest = EidasStringUtil.encodeToBase64(token);
//send
@@ -188,7 +248,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
revisionsLogger.logEvent(oaConfig, pendingReq,
MOAIDEventConstants.AUTHPROCESS_PEPS_REQUESTED,
- authnRequest.getSamlId());
+ authnRequest.getRequest().getId());
} catch (Exception e) {
Logger.error("Velocity general error: " + e.getMessage());
@@ -210,4 +270,28 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
}
}
+ private SingleSignOnService selectSingleSignOnServiceFromMetadata(EntityDescriptor idpEntity) {
+ //select SingleSignOn Service endpoint from IDP metadata
+ SingleSignOnService endpoint = null;
+ if (idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS) == null) {
+ return null;
+
+ }
+
+ for (SingleSignOnService sss :
+ idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleSignOnServices()) {
+
+ // use POST binding as default if it exists
+ if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI))
+ endpoint = sss;
+
+// else if ( sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)
+// && endpoint == null )
+// endpoint = sss;
+
+ }
+
+ return endpoint;
+ }
+
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java
index daa4d8b02..fd7a19be8 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java
@@ -14,8 +14,7 @@ import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider;
import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException;
-import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.eIDASResponseNotSuccessException;
-import at.gv.egovernment.moa.id.auth.modules.eidas.utils.MOAPersonalAttributeList;
+import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASResponseNotSuccessException;
import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
@@ -23,9 +22,9 @@ import at.gv.egovernment.moa.id.process.api.ExecutionContext;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
-import eu.eidas.auth.commons.EIDASAuthnResponse;
-import eu.eidas.auth.commons.EIDASUtil;
-import eu.eidas.auth.engine.EIDASSAMLEngine;
+import eu.eidas.auth.commons.EidasStringUtil;
+import eu.eidas.auth.commons.protocol.IAuthenticationResponse;
+import eu.eidas.auth.engine.ProtocolEngineI;
import eu.eidas.engine.exceptions.EIDASSAMLEngineException;
@Component("ReceiveAuthnResponseTask")
@@ -49,27 +48,29 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
defaultTaskInitialization(request, executionContext);
//decode SAML response
- byte[] decSamlToken = EIDASUtil.decodeSAMLToken(base64SamlToken);
+ byte[] decSamlToken = EidasStringUtil.decodeBytesFromBase64(base64SamlToken);
//get eIDAS SAML-engine
- EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider);
-
+ ProtocolEngineI engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider);
+
//validate SAML token
- EIDASAuthnResponse samlResp = engine.validateEIDASAuthnResponse(decSamlToken,
- request.getRemoteHost(), Constants.CONFIG_PROPS_SKEWTIME);
-
- boolean encryptedResponse=engine.isEncryptedSamlResponse(decSamlToken);
- if (encryptedResponse) {
+ IAuthenticationResponse samlResp = engine.unmarshallResponseAndValidate(decSamlToken,
+ request.getRemoteHost(),
+ Constants.CONFIG_PROPS_SKEWTIME,
+ pendingReq.getAuthURL() + Constants.eIDAS_HTTP_ENDPOINT_METADATA);
+
+ if (samlResp.isEncrypted()) {
Logger.info("Received encrypted eIDAS SAML-Response.");
//TODO: check if additional decryption operation is required
}
+
//check response StatusCode
if (!samlResp.getStatusCode().equals(StatusCode.SUCCESS_URI)) {
Logger.info("Receice eIDAS Response with StatusCode:" + samlResp.getStatusCode()
- + " Subcode:" + samlResp.getSubStatusCode() + " Msg:" + samlResp.getMessage());
- throw new eIDASResponseNotSuccessException("eIDAS.11", new Object[]{samlResp.getMessage()});
+ + " Subcode:" + samlResp.getSubStatusCode() + " Msg:" + samlResp.getStatusMessage());
+ throw new EIDASResponseNotSuccessException("eIDAS.11", new Object[]{samlResp.getStatusMessage()});
}
@@ -78,11 +79,12 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
//update MOA-Session data with received information
Logger.debug("Store eIDAS response information into MOA-session.");
- moasession.setQAALevel(samlResp.getAssuranceLevel());
+
+ moasession.setQAALevel(samlResp.getLevelOfAssurance());
moasession.setGenericDataToSession(
AuthenticationSessionStorageConstants.eIDAS_ATTRIBUTELIST,
- new MOAPersonalAttributeList(samlResp.getPersonalAttributeList()));
+ samlResp.getAttributes());
moasession.setGenericDataToSession(
AuthenticationSessionStorageConstants.eIDAS_RESPONSE,
@@ -96,7 +98,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), pendingReq,
MOAIDEventConstants.AUTHPROCESS_PEPS_RECEIVED,
- samlResp.getSamlId());
+ samlResp.getId());
}catch (EIDASSAMLEngineException e) {
Logger.error("eIDAS AuthnRequest generation FAILED.", e);
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAOrderedAttributeIterator.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAOrderedAttributeIterator.java
deleted file mode 100644
index 573163af0..000000000
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAOrderedAttributeIterator.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- */
-package at.gv.egovernment.moa.id.auth.modules.eidas.utils;
-
-import java.util.Iterator;
-import java.util.NoSuchElementException;
-
-import at.gv.egovernment.moa.logging.Logger;
-
-import eu.eidas.auth.commons.PersonalAttribute;
-import eu.eidas.auth.commons.PersonalAttributeList;
-
-
-/**
- * @author tlenz
- *
- */
-public class MOAOrderedAttributeIterator implements Iterator<PersonalAttribute> {
-
- private MOAPersonalAttributeList pal;
- private Iterator<String> keyIterator;
-
- public MOAOrderedAttributeIterator(MOAPersonalAttributeList palArg) {
- this.pal = palArg;
- keyIterator = palArg.getInsertOrder().iterator();
- }
-
- @Override
- public boolean hasNext() {
- return keyIterator.hasNext();
- }
-
- @Override
- public PersonalAttribute next() {
- if (!hasNext()) {
- throw new NoSuchElementException();
- }
- return pal.get(keyIterator.next());
- }
-
- @Override
- public void remove() {
- Logger.error("Not implemented");
- }
-
-}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAPersonalAttributeList.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAPersonalAttributeList.java
index 5cc100b70..d559cdba7 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAPersonalAttributeList.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAPersonalAttributeList.java
@@ -1,343 +1,343 @@
-/*
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- */
-package at.gv.egovernment.moa.id.auth.modules.eidas.utils;
-
-import java.io.IOException;
-import java.io.ObjectInputStream;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.StringTokenizer;
-import java.util.concurrent.ConcurrentHashMap;
-
-import org.apache.commons.lang.StringUtils;
-
-import at.gv.egovernment.moa.logging.Logger;
-
-import eu.eidas.auth.commons.AttributeConstants;
-import eu.eidas.auth.commons.AttributeUtil;
-import eu.eidas.auth.commons.EIDASErrors;
-import eu.eidas.auth.commons.EIDASParameters;
-import eu.eidas.auth.commons.EIDASUtil;
-import eu.eidas.auth.commons.EIDASValues;
-import eu.eidas.auth.commons.IPersonalAttributeList;
-import eu.eidas.auth.commons.PersonalAttribute;
-import eu.eidas.auth.commons.exceptions.InternalErrorEIDASException;
-
-/**
- * @author tlenz
- *
- */
-public final class MOAPersonalAttributeList extends
- ConcurrentHashMap<String, PersonalAttribute> implements IPersonalAttributeList {
-
- /**
- *
- */
- private static final long serialVersionUID = -4488124133022713089L;
-
- public MOAPersonalAttributeList(IPersonalAttributeList eIDASAttributeList) {
- super();
- Iterator<PersonalAttribute> element = eIDASAttributeList.iterator();
- while(element.hasNext())
- add(element.next());
-
- }
-
- /**
- * Hash with the latest fetched attribute name alias.
- */
- private Map<String, Integer> latestAttrAlias =
- new HashMap<String, Integer>();
-
- /**
- * Hash with mapping number of alias or the attribute name.
- */
- private Map<String, Integer> attrAliasNumber =
- new HashMap<String, Integer>();
- private List<String> insertOrder = new ArrayList<String>();
-
- /**
- * Obtain the insertOrder Collection
- *
- * @return defensive copy of the collection
- */
- List<String> getInsertOrder() {
- return Collections.unmodifiableList(this.insertOrder);
- }
-
- /**
- * Default constructor.
- */
- public MOAPersonalAttributeList() {
- super();
-
- }
-
- /**
- * Constructor with initial capacity for the PersonalAttributeList size.
- *
- * @param capacity The initial capacity for the PersonalAttributeList.
- */
- public MOAPersonalAttributeList(final int capacity) {
- super(capacity);
- }
-
- /**
- * {@inheritDoc}
- */
- public Iterator<PersonalAttribute> iterator() {
- return new MOAOrderedAttributeIterator(this);
- }
-
- /**
- * {@inheritDoc}
- */
- public PersonalAttribute get(final Object key) {
- String attrName = (String) key;
-
- if (this.latestAttrAlias == null)
- this.latestAttrAlias = new HashMap<String, Integer>();
-
- if (this.attrAliasNumber == null)
- this.attrAliasNumber = new HashMap<String, Integer>();
-
- if (this.latestAttrAlias.containsKey(key)) {
- attrName = attrName + this.latestAttrAlias.get(key);
- } else {
- if (this.attrAliasNumber.containsKey(key)) {
- this.latestAttrAlias.put(attrName, this.attrAliasNumber.get(key));
- }
- }
- return super.get(attrName);
- }
-
- /**
- * {@inheritDoc}
- */
- public void add(final PersonalAttribute value) {
- if (value != null) {
- this.put(value.getName(), value);
- }
- }
-
- /**
- * {@inheritDoc}
- */
- public PersonalAttribute put(final String key, final PersonalAttribute val) {
- if (StringUtils.isNotEmpty(key) && val != null) {
- // Validate if attribute name already exists!
- String attrAlias = key;
- if (this.containsKey(attrAlias)) {
- if (this.attrAliasNumber == null)
- this.attrAliasNumber = new HashMap<String, Integer>();
- if (!val.isEmptyValue() && StringUtils.isNumeric(val.getValue().get(0))) {
- final String attrValue = val.getValue().get(0);
- attrAlias = key + attrValue;
- this.attrAliasNumber.put(key, Integer.valueOf(attrValue));
- } else {
- final PersonalAttribute attr = super.get(key);
- if (!attr.isEmptyValue()
- && StringUtils.isNumeric(attr.getValue().get(0))) {
- attrAlias = key + attr.getValue().get(0);
- super.put(key, (PersonalAttribute) attr);
- this.attrAliasNumber.put(key, null);
- }
- }
- } else {
- if (insertOrder == null)
- insertOrder = new ArrayList<String>();
-
- insertOrder.add(key);
- }
- return super.put(attrAlias, val);
- } else {
- return null;
- }
- }
-
- @Override
- public PersonalAttribute remove(Object key) {
- insertOrder.remove(key);
- return super.remove(key);
- }
-
- /**
- * {@inheritDoc}
- */
- public void populate(final String attrList) {
- final StringTokenizer strToken =
- new StringTokenizer(attrList, EIDASValues.ATTRIBUTE_SEP.toString());
-
- while (strToken.hasMoreTokens()) {
- final PersonalAttribute persAttr = new PersonalAttribute();
- String[] tuples =
- strToken.nextToken().split(EIDASValues.ATTRIBUTE_TUPLE_SEP.toString(),
- AttributeConstants.NUMBER_TUPLES.intValue());
-
- // Convert to the new format if needed!
- tuples = convertFormat(tuples);
-
- if (AttributeUtil.hasValidTuples(tuples)) {
- final int attrValueIndex =
- AttributeConstants.ATTR_VALUE_INDEX.intValue();
- final String tmpAttrValue =
- tuples[attrValueIndex].substring(1,
- tuples[attrValueIndex].length() - 1);
- final String[] vals =
- tmpAttrValue.split(EIDASValues.ATTRIBUTE_VALUE_SEP.toString());
-
- persAttr.setName(tuples[AttributeConstants.ATTR_NAME_INDEX.intValue()]);
- persAttr.setIsRequired(Boolean
- .valueOf(tuples[AttributeConstants.ATTR_TYPE_INDEX.intValue()]));
- // check if it is a complex value
- if (tuples[AttributeConstants.ATTR_NAME_INDEX.intValue()]
- .equals(EIDASParameters.COMPLEX_ADDRESS_VALUE.toString())) {
- persAttr.setComplexValue(createComplexValue(vals));
- } else {
- persAttr.setValue(createValues(vals));
- }
-
- if (tuples.length == AttributeConstants.NUMBER_TUPLES.intValue()) {
- persAttr.setStatus(tuples[AttributeConstants.ATTR_STATUS_INDEX
- .intValue()]);
- }
- this.put(tuples[AttributeConstants.ATTR_NAME_INDEX.intValue()],
- persAttr);
-
- } else {
- Logger.info("BUSINESS EXCEPTION : Invalid personal attribute list tuples");
- }
-
- }
- }
-
- /**
- * Returns a copy of this <tt>IPersonalAttributeList</tt> instance.
- *
- * @return The copy of this IPersonalAttributeList.
- */
- public Object clone() {
- try {
- MOAPersonalAttributeList theClone= (MOAPersonalAttributeList)super.clone();
- theClone.insertOrder=new ArrayList<String>(insertOrder);
- return theClone;
-
- } catch (CloneNotSupportedException e) {
- throw new InternalErrorEIDASException(
- EIDASUtil.getConfig(EIDASErrors.INTERNAL_ERROR.errorCode()),
- EIDASUtil.getConfig(EIDASErrors.INTERNAL_ERROR.errorMessage()), e);
- }
- }
-
- /**
- * Creates a string in the following format.
- *
- * attrName:attrType:[attrValue1,attrValue2=attrComplexValue]:attrStatus;
- *
- * @return {@inheritDoc}
- */
- @Override
- public String toString() {
- final StringBuilder strBuilder = new StringBuilder();
- final Iterator<String> iteratorInsertOrder = insertOrder.iterator();
- while (iteratorInsertOrder.hasNext()) {
- String key = iteratorInsertOrder.next();
- final PersonalAttribute attr = get(key);
- strBuilder.append(attr.toString());
- if (isNumberAlias(key)) {
- strBuilder.append(get(key).toString());
- }
- }
- return strBuilder.toString();
- }
-
- /**
- * Validates and creates the attribute's complex values.
- *
- * @param values The complex values.
- * @return The {@link Map} with the complex values.
- * @see Map
- */
- private Map<String, String> createComplexValue(final String[] values) {
- final Map<String, String> complexValue = new HashMap<String, String>();
- for (final String val : values) {
- final String[] tVal = val.split("=");
- if (StringUtils.isNotEmpty(val) && tVal.length == 2) {
- complexValue.put(tVal[0], AttributeUtil.unescape(tVal[1]));
- }
- }
- return complexValue;
- }
-
- /**
- * Validates and creates the attribute values.
- *
- * @param vals The attribute values.
- * @return The {@link List} with the attribute values.
- * @see List
- */
- private List<String> createValues(final String[] vals) {
- final List<String> values = new ArrayList<String>();
- for (final String val : vals) {
- if (StringUtils.isNotEmpty(val)) {
- values.add(AttributeUtil.unescape(val));
- }
- }
- return values;
- }
-
- //////////////////
- /**
- * Converts the attribute tuple (attrName:attrType...) to the new format.
- *
- * @param tuples The attribute tuples to convert.
- * @return The attribute tuples in the new format.
- */
- private String[] convertFormat(final String[] tuples) {
- final String[] newFormatTuples =
- new String[AttributeConstants.NUMBER_TUPLES.intValue()];
- if (tuples != null) {
- System.arraycopy(tuples, 0, newFormatTuples, 0, tuples.length);
-
- for (int i = tuples.length; i < newFormatTuples.length; i++) {
- if (i == AttributeConstants.ATTR_VALUE_INDEX.intValue()) {
- newFormatTuples[i] = "[]";
- } else {
- newFormatTuples[i] = "";
- }
- }
- }
- return newFormatTuples;
- }
-
- public boolean isNumberAlias(String key) {
- return this.attrAliasNumber.containsKey(key);
- }
-
-
-
-}
+///*
+// * Copyright 2014 Federal Chancellery Austria
+// * MOA-ID has been developed in a cooperation between BRZ, the Federal
+// * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+// *
+// * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+// * the European Commission - subsequent versions of the EUPL (the "Licence");
+// * You may not use this work except in compliance with the Licence.
+// * You may obtain a copy of the Licence at:
+// * http://www.osor.eu/eupl/
+// *
+// * Unless required by applicable law or agreed to in writing, software
+// * distributed under the Licence is distributed on an "AS IS" basis,
+// * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// * See the Licence for the specific language governing permissions and
+// * limitations under the Licence.
+// *
+// * This product combines work with different licenses. See the "NOTICE" text
+// * file for details on the various modules and licenses.
+// * The "NOTICE" text file is part of the distribution. Any derivative works
+// * that you distribute must include a readable copy of the "NOTICE" text file.
+// */
+//package at.gv.egovernment.moa.id.auth.modules.eidas.utils;
+//
+//import java.io.IOException;
+//import java.io.ObjectInputStream;
+//import java.util.ArrayList;
+//import java.util.Collections;
+//import java.util.HashMap;
+//import java.util.Iterator;
+//import java.util.List;
+//import java.util.Map;
+//import java.util.StringTokenizer;
+//import java.util.concurrent.ConcurrentHashMap;
+//
+//import org.apache.commons.lang.StringUtils;
+//
+//import at.gv.egovernment.moa.logging.Logger;
+//
+//import eu.eidas.auth.commons.AttributeConstants;
+//import eu.eidas.auth.commons.AttributeUtil;
+//import eu.eidas.auth.commons.EIDASErrors;
+//import eu.eidas.auth.commons.EIDASParameters;
+//import eu.eidas.auth.commons.EIDASUtil;
+//import eu.eidas.auth.commons.EIDASValues;
+//import eu.eidas.auth.commons.IPersonalAttributeList;
+//import eu.eidas.auth.commons.PersonalAttribute;
+//import eu.eidas.auth.commons.exceptions.InternalErrorEIDASException;
+//
+///**
+// * @author tlenz
+// *
+// */
+//public final class MOAPersonalAttributeList extends
+// ConcurrentHashMap<String, PersonalAttribute> implements IPersonalAttributeList {
+//
+// /**
+// *
+// */
+// private static final long serialVersionUID = -4488124133022713089L;
+//
+// public MOAPersonalAttributeList(IPersonalAttributeList eIDASAttributeList) {
+// super();
+// Iterator<PersonalAttribute> element = eIDASAttributeList.iterator();
+// while(element.hasNext())
+// add(element.next());
+//
+// }
+//
+// /**
+// * Hash with the latest fetched attribute name alias.
+// */
+// private Map<String, Integer> latestAttrAlias =
+// new HashMap<String, Integer>();
+//
+// /**
+// * Hash with mapping number of alias or the attribute name.
+// */
+// private Map<String, Integer> attrAliasNumber =
+// new HashMap<String, Integer>();
+// private List<String> insertOrder = new ArrayList<String>();
+//
+// /**
+// * Obtain the insertOrder Collection
+// *
+// * @return defensive copy of the collection
+// */
+// List<String> getInsertOrder() {
+// return Collections.unmodifiableList(this.insertOrder);
+// }
+//
+// /**
+// * Default constructor.
+// */
+// public MOAPersonalAttributeList() {
+// super();
+//
+// }
+//
+// /**
+// * Constructor with initial capacity for the PersonalAttributeList size.
+// *
+// * @param capacity The initial capacity for the PersonalAttributeList.
+// */
+// public MOAPersonalAttributeList(final int capacity) {
+// super(capacity);
+// }
+//
+// /**
+// * {@inheritDoc}
+// */
+// public Iterator<PersonalAttribute> iterator() {
+// return new MOAOrderedAttributeIterator(this);
+// }
+//
+// /**
+// * {@inheritDoc}
+// */
+// public PersonalAttribute get(final Object key) {
+// String attrName = (String) key;
+//
+// if (this.latestAttrAlias == null)
+// this.latestAttrAlias = new HashMap<String, Integer>();
+//
+// if (this.attrAliasNumber == null)
+// this.attrAliasNumber = new HashMap<String, Integer>();
+//
+// if (this.latestAttrAlias.containsKey(key)) {
+// attrName = attrName + this.latestAttrAlias.get(key);
+// } else {
+// if (this.attrAliasNumber.containsKey(key)) {
+// this.latestAttrAlias.put(attrName, this.attrAliasNumber.get(key));
+// }
+// }
+// return super.get(attrName);
+// }
+//
+// /**
+// * {@inheritDoc}
+// */
+// public void add(final PersonalAttribute value) {
+// if (value != null) {
+// this.put(value.getName(), value);
+// }
+// }
+//
+// /**
+// * {@inheritDoc}
+// */
+// public PersonalAttribute put(final String key, final PersonalAttribute val) {
+// if (StringUtils.isNotEmpty(key) && val != null) {
+// // Validate if attribute name already exists!
+// String attrAlias = key;
+// if (this.containsKey(attrAlias)) {
+// if (this.attrAliasNumber == null)
+// this.attrAliasNumber = new HashMap<String, Integer>();
+// if (!val.isEmptyValue() && StringUtils.isNumeric(val.getValue().get(0))) {
+// final String attrValue = val.getValue().get(0);
+// attrAlias = key + attrValue;
+// this.attrAliasNumber.put(key, Integer.valueOf(attrValue));
+// } else {
+// final PersonalAttribute attr = super.get(key);
+// if (!attr.isEmptyValue()
+// && StringUtils.isNumeric(attr.getValue().get(0))) {
+// attrAlias = key + attr.getValue().get(0);
+// super.put(key, (PersonalAttribute) attr);
+// this.attrAliasNumber.put(key, null);
+// }
+// }
+// } else {
+// if (insertOrder == null)
+// insertOrder = new ArrayList<String>();
+//
+// insertOrder.add(key);
+// }
+// return super.put(attrAlias, val);
+// } else {
+// return null;
+// }
+// }
+//
+// @Override
+// public PersonalAttribute remove(Object key) {
+// insertOrder.remove(key);
+// return super.remove(key);
+// }
+//
+// /**
+// * {@inheritDoc}
+// */
+// public void populate(final String attrList) {
+// final StringTokenizer strToken =
+// new StringTokenizer(attrList, EIDASValues.ATTRIBUTE_SEP.toString());
+//
+// while (strToken.hasMoreTokens()) {
+// final PersonalAttribute persAttr = new PersonalAttribute();
+// String[] tuples =
+// strToken.nextToken().split(EIDASValues.ATTRIBUTE_TUPLE_SEP.toString(),
+// AttributeConstants.NUMBER_TUPLES.intValue());
+//
+// // Convert to the new format if needed!
+// tuples = convertFormat(tuples);
+//
+// if (AttributeUtil.hasValidTuples(tuples)) {
+// final int attrValueIndex =
+// AttributeConstants.ATTR_VALUE_INDEX.intValue();
+// final String tmpAttrValue =
+// tuples[attrValueIndex].substring(1,
+// tuples[attrValueIndex].length() - 1);
+// final String[] vals =
+// tmpAttrValue.split(EIDASValues.ATTRIBUTE_VALUE_SEP.toString());
+//
+// persAttr.setName(tuples[AttributeConstants.ATTR_NAME_INDEX.intValue()]);
+// persAttr.setIsRequired(Boolean
+// .valueOf(tuples[AttributeConstants.ATTR_TYPE_INDEX.intValue()]));
+// // check if it is a complex value
+// if (tuples[AttributeConstants.ATTR_NAME_INDEX.intValue()]
+// .equals(EIDASParameters.COMPLEX_ADDRESS_VALUE.toString())) {
+// persAttr.setComplexValue(createComplexValue(vals));
+// } else {
+// persAttr.setValue(createValues(vals));
+// }
+//
+// if (tuples.length == AttributeConstants.NUMBER_TUPLES.intValue()) {
+// persAttr.setStatus(tuples[AttributeConstants.ATTR_STATUS_INDEX
+// .intValue()]);
+// }
+// this.put(tuples[AttributeConstants.ATTR_NAME_INDEX.intValue()],
+// persAttr);
+//
+// } else {
+// Logger.info("BUSINESS EXCEPTION : Invalid personal attribute list tuples");
+// }
+//
+// }
+// }
+//
+// /**
+// * Returns a copy of this <tt>IPersonalAttributeList</tt> instance.
+// *
+// * @return The copy of this IPersonalAttributeList.
+// */
+// public Object clone() {
+// try {
+// MOAPersonalAttributeList theClone= (MOAPersonalAttributeList)super.clone();
+// theClone.insertOrder=new ArrayList<String>(insertOrder);
+// return theClone;
+//
+// } catch (CloneNotSupportedException e) {
+// throw new InternalErrorEIDASException(
+// EIDASUtil.getConfig(EIDASErrors.INTERNAL_ERROR.errorCode()),
+// EIDASUtil.getConfig(EIDASErrors.INTERNAL_ERROR.errorMessage()), e);
+// }
+// }
+//
+// /**
+// * Creates a string in the following format.
+// *
+// * attrName:attrType:[attrValue1,attrValue2=attrComplexValue]:attrStatus;
+// *
+// * @return {@inheritDoc}
+// */
+// @Override
+// public String toString() {
+// final StringBuilder strBuilder = new StringBuilder();
+// final Iterator<String> iteratorInsertOrder = insertOrder.iterator();
+// while (iteratorInsertOrder.hasNext()) {
+// String key = iteratorInsertOrder.next();
+// final PersonalAttribute attr = get(key);
+// strBuilder.append(attr.toString());
+// if (isNumberAlias(key)) {
+// strBuilder.append(get(key).toString());
+// }
+// }
+// return strBuilder.toString();
+// }
+//
+// /**
+// * Validates and creates the attribute's complex values.
+// *
+// * @param values The complex values.
+// * @return The {@link Map} with the complex values.
+// * @see Map
+// */
+// private Map<String, String> createComplexValue(final String[] values) {
+// final Map<String, String> complexValue = new HashMap<String, String>();
+// for (final String val : values) {
+// final String[] tVal = val.split("=");
+// if (StringUtils.isNotEmpty(val) && tVal.length == 2) {
+// complexValue.put(tVal[0], AttributeUtil.unescape(tVal[1]));
+// }
+// }
+// return complexValue;
+// }
+//
+// /**
+// * Validates and creates the attribute values.
+// *
+// * @param vals The attribute values.
+// * @return The {@link List} with the attribute values.
+// * @see List
+// */
+// private List<String> createValues(final String[] vals) {
+// final List<String> values = new ArrayList<String>();
+// for (final String val : vals) {
+// if (StringUtils.isNotEmpty(val)) {
+// values.add(AttributeUtil.unescape(val));
+// }
+// }
+// return values;
+// }
+//
+// //////////////////
+// /**
+// * Converts the attribute tuple (attrName:attrType...) to the new format.
+// *
+// * @param tuples The attribute tuples to convert.
+// * @return The attribute tuples in the new format.
+// */
+// private String[] convertFormat(final String[] tuples) {
+// final String[] newFormatTuples =
+// new String[AttributeConstants.NUMBER_TUPLES.intValue()];
+// if (tuples != null) {
+// System.arraycopy(tuples, 0, newFormatTuples, 0, tuples.length);
+//
+// for (int i = tuples.length; i < newFormatTuples.length; i++) {
+// if (i == AttributeConstants.ATTR_VALUE_INDEX.intValue()) {
+// newFormatTuples[i] = "[]";
+// } else {
+// newFormatTuples[i] = "";
+// }
+// }
+// }
+// return newFormatTuples;
+// }
+//
+// public boolean isNumberAlias(String key) {
+// return this.attrAliasNumber.containsKey(key);
+// }
+//
+//
+//
+//}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAProtocolEngineFactory.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAProtocolEngineFactory.java
new file mode 100644
index 000000000..f29d2bb65
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAProtocolEngineFactory.java
@@ -0,0 +1,99 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eidas.utils;
+
+import at.gv.egovernment.moa.id.auth.modules.eidas.config.MOAIDCertificateManagerConfigurationImpl;
+import at.gv.egovernment.moa.logging.Logger;
+import eu.eidas.auth.engine.ProtocolEngineFactory;
+import eu.eidas.auth.engine.configuration.SamlEngineConfigurationException;
+import eu.eidas.auth.engine.configuration.dom.ProtocolEngineConfigurationFactory;
+import eu.eidas.samlengineconfig.CertificateConfigurationManager;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOAProtocolEngineFactory extends ProtocolEngineFactory {
+
+ /**
+ * Initialization-on-demand holder idiom.
+ * <p/>
+ * See item 71 of Effective Java 2nd Edition.
+ * <p/>
+ * See http://en.wikipedia.org/wiki/Initialization-on-demand_holder_idiom.
+ */
+ private static final class LazyHolder {
+
+ private static final MOAProtocolEngineFactory DEFAULT_SAML_ENGINE_FACTORY;
+
+ private static final Exception INITIALIZATION_EXCEPTION;
+
+ static {
+ Exception initializationException = null;
+ MOAProtocolEngineFactory defaultProtocolEngineFactory = null;
+ try {
+ //get eIDAS SAMLengine configuration from MOA-ID configuration
+ CertificateConfigurationManager configManager = new MOAIDCertificateManagerConfigurationImpl();
+
+ ProtocolEngineConfigurationFactory engineConfigurationFactory = new ProtocolEngineConfigurationFactory(configManager);
+ defaultProtocolEngineFactory = new MOAProtocolEngineFactory(engineConfigurationFactory);
+
+ } catch (Exception ex) {
+ initializationException = ex;
+ Logger.error("Unable to instantiate default SAML engines: " + ex, ex);
+
+ }
+
+ DEFAULT_SAML_ENGINE_FACTORY = defaultProtocolEngineFactory;
+ INITIALIZATION_EXCEPTION = initializationException;
+ }
+
+ static MOAProtocolEngineFactory getDefaultSamlEngineFactory() {
+ if (null == INITIALIZATION_EXCEPTION) {
+ return DEFAULT_SAML_ENGINE_FACTORY;
+
+ } else {
+ throw new IllegalStateException(INITIALIZATION_EXCEPTION);
+
+ }
+ }
+ }
+
+
+ public static MOAProtocolEngineFactory getInstance() {
+ return LazyHolder.getDefaultSamlEngineFactory();
+
+ }
+
+ /**
+ * @param configurationFactory
+ * @throws SamlEngineConfigurationException
+ */
+ private MOAProtocolEngineFactory(ProtocolEngineConfigurationFactory configurationFactory)
+ throws SamlEngineConfigurationException {
+ super(configurationFactory);
+
+ }
+
+
+}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java
new file mode 100644
index 000000000..c614e6490
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java
@@ -0,0 +1,613 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eidas.utils;
+
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.commons.lang.StringUtils;
+import org.joda.time.DateTime;
+import org.joda.time.DurationFieldType;
+import org.opensaml.Configuration;
+import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.common.Extensions;
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.AttributeValue;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
+import org.opensaml.saml2.metadata.Company;
+import org.opensaml.saml2.metadata.ContactPerson;
+import org.opensaml.saml2.metadata.ContactPersonTypeEnumeration;
+import org.opensaml.saml2.metadata.EmailAddress;
+import org.opensaml.saml2.metadata.EncryptionMethod;
+import org.opensaml.saml2.metadata.EntitiesDescriptor;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.GivenName;
+import org.opensaml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.saml2.metadata.KeyDescriptor;
+import org.opensaml.saml2.metadata.LocalizedString;
+import org.opensaml.saml2.metadata.NameIDFormat;
+import org.opensaml.saml2.metadata.Organization;
+import org.opensaml.saml2.metadata.OrganizationDisplayName;
+import org.opensaml.saml2.metadata.OrganizationURL;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml2.metadata.SSODescriptor;
+import org.opensaml.saml2.metadata.SingleSignOnService;
+import org.opensaml.saml2.metadata.SurName;
+import org.opensaml.saml2.metadata.TelephoneNumber;
+import org.opensaml.samlext.saml2mdattr.EntityAttributes;
+import org.opensaml.xml.XMLObject;
+import org.opensaml.xml.XMLObjectBuilderFactory;
+import org.opensaml.xml.schema.XSString;
+import org.opensaml.xml.schema.impl.XSStringBuilder;
+import org.opensaml.xml.security.SecurityException;
+import org.opensaml.xml.security.credential.Credential;
+import org.opensaml.xml.security.credential.UsageType;
+import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
+import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
+import org.opensaml.xml.signature.KeyInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.collect.ImmutableSortedSet;
+import com.google.common.collect.Ordering;
+
+import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
+import eu.eidas.auth.commons.EIDASUtil;
+import eu.eidas.auth.commons.EidasStringUtil;
+import eu.eidas.auth.commons.attribute.AttributeDefinition;
+import eu.eidas.auth.commons.protocol.impl.SamlNameIdFormat;
+import eu.eidas.auth.commons.xml.opensaml.OpenSamlHelper;
+import eu.eidas.auth.engine.ProtocolEngineI;
+import eu.eidas.auth.engine.core.SAMLExtensionFormat;
+import eu.eidas.auth.engine.core.eidas.DigestMethod;
+import eu.eidas.auth.engine.core.eidas.EidasConstants;
+import eu.eidas.auth.engine.core.eidas.SPType;
+import eu.eidas.auth.engine.core.eidas.SigningMethod;
+import eu.eidas.auth.engine.metadata.Contact;
+import eu.eidas.auth.engine.metadata.EntityDescriptorContainer;
+import eu.eidas.auth.engine.metadata.MetadataConfigParams;
+import eu.eidas.auth.engine.metadata.MetadataGenerator;
+import eu.eidas.auth.engine.metadata.MetadataSignerI;
+import eu.eidas.auth.engine.xml.opensaml.BuilderFactoryUtil;
+import eu.eidas.auth.engine.xml.opensaml.CertificateUtil;
+import eu.eidas.encryption.exception.UnmarshallException;
+import eu.eidas.engine.exceptions.EIDASSAMLEngineException;
+import eu.eidas.engine.exceptions.SAMLEngineException;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOAeIDASMetadataGenerator extends MetadataGenerator {
+ private static final Logger LOGGER = LoggerFactory.getLogger(MetadataGenerator.class.getName());
+
+ MetadataConfigParams params;
+
+ XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
+
+ SPSSODescriptor spSSODescriptor = null;
+
+ IDPSSODescriptor idpSSODescriptor = null;
+
+ private String ssoLocation;
+
+ /**
+ * @return a String representation of the entityDescriptr built based on the attributes previously set
+ */
+ public String generateMetadata() throws EIDASSAMLEngineException {
+ EntityDescriptor entityDescriptor;
+ try {
+ entityDescriptor = (EntityDescriptor) builderFactory.getBuilder(EntityDescriptor.DEFAULT_ELEMENT_NAME)
+ .buildObject(EntityDescriptor.DEFAULT_ELEMENT_NAME);
+
+ entityDescriptor.setEntityID(params.getEntityID());
+ entityDescriptor.setOrganization(buildOrganization());
+ entityDescriptor.getContactPersons().add(buildContact(ContactPersonTypeEnumeration.SUPPORT));
+ entityDescriptor.getContactPersons().add(buildContact(ContactPersonTypeEnumeration.TECHNICAL));
+ entityDescriptor.setValidUntil(getExpireDate());
+
+ X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
+ keyInfoGeneratorFactory.setEmitEntityCertificate(true);
+ Extensions e = generateExtensions();
+ if (!e.getUnknownXMLObjects().isEmpty()) {
+ entityDescriptor.setExtensions(e);
+ }
+ if (spSSODescriptor != null) {
+ generateSPSSODescriptor(entityDescriptor, keyInfoGeneratorFactory);
+ }
+ if (idpSSODescriptor != null) {
+ generateIDPSSODescriptor(entityDescriptor, keyInfoGeneratorFactory);
+ }
+ if (params.getSpEngine() != null) {
+ ProtocolEngineI spEngine = params.getSpEngine();
+ ((MetadataSignerI) spEngine.getSigner()).signMetadata(entityDescriptor);
+ } else if (params.getIdpEngine() != null) {
+ ProtocolEngineI idpEngine = params.getIdpEngine();
+ ((MetadataSignerI) idpEngine.getSigner()).signMetadata(entityDescriptor);
+ }
+ return EidasStringUtil.toString(OpenSamlHelper.marshall(entityDescriptor, false));
+ } catch (Exception ex) {
+ LOGGER.info("ERROR : SAMLException ", ex.getMessage());
+ LOGGER.debug("ERROR : SAMLException ", ex);
+ throw new IllegalStateException(ex);
+ }
+ }
+
+ private void generateSPSSODescriptor(final EntityDescriptor entityDescriptor,
+ final X509KeyInfoGeneratorFactory keyInfoGeneratorFactory)
+ throws org.opensaml.xml.security.SecurityException, IllegalAccessException, NoSuchFieldException,
+ SAMLEngineException, EIDASSAMLEngineException {
+ //the node has SP role
+ spSSODescriptor.setWantAssertionsSigned(params.isWantAssertionsSigned());
+ spSSODescriptor.setAuthnRequestsSigned(true);
+ spSSODescriptor.setID(idpSSODescriptor == null ? params.getEntityID()
+ : ("SP" + params.getEntityID()));
+ if (params.getSPSignature() != null) {
+ spSSODescriptor.setSignature(params.getSPSignature());
+ }
+ if (params.getSpSigningCredential() != null) {
+ spSSODescriptor.getKeyDescriptors()
+ .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getSpSigningCredential(), UsageType.SIGNING));
+
+ } else if (params.getSigningCredential() != null) {
+ spSSODescriptor.getKeyDescriptors()
+ .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getSigningCredential(), UsageType.SIGNING));
+ }
+
+ if (params.getSpEncryptionCredential() != null) {
+ spSSODescriptor.getKeyDescriptors()
+ .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getSpEncryptionCredential(),
+ UsageType.ENCRYPTION));
+ } else if (params.getEncryptionCredential() != null) {
+ spSSODescriptor.getKeyDescriptors()
+ .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getEncryptionCredential(), UsageType.ENCRYPTION));
+ }
+ spSSODescriptor.addSupportedProtocol(params.getSpSamlProtocol());
+ if (!StringUtils.isEmpty(params.getAssertionConsumerUrl())) {
+ addAssertionConsumerService();
+ }
+ fillNameIDFormat(spSSODescriptor);
+ if (params.getSpEngine() != null) {
+ ProtocolEngineI spEngine = params.getSpEngine();
+ ((MetadataSignerI) spEngine.getSigner()).signMetadata(spSSODescriptor);
+ }
+ entityDescriptor.getRoleDescriptors().add(spSSODescriptor);
+
+ }
+
+ private void fillNameIDFormat(SSODescriptor ssoDescriptor) throws EIDASSAMLEngineException {
+ NameIDFormat persistentFormat =
+ (NameIDFormat) BuilderFactoryUtil.buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME);
+ persistentFormat.setFormat(SamlNameIdFormat.PERSISTENT.getNameIdFormat());
+ ssoDescriptor.getNameIDFormats().add(persistentFormat);
+ NameIDFormat transientFormat =
+ (NameIDFormat) BuilderFactoryUtil.buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME);
+ transientFormat.setFormat(SamlNameIdFormat.TRANSIENT.getNameIdFormat());
+ ssoDescriptor.getNameIDFormats().add(transientFormat);
+ NameIDFormat unspecifiedFormat =
+ (NameIDFormat) BuilderFactoryUtil.buildXmlObject(NameIDFormat.DEFAULT_ELEMENT_NAME);
+ unspecifiedFormat.setFormat(SamlNameIdFormat.UNSPECIFIED.getNameIdFormat());
+ ssoDescriptor.getNameIDFormats().add(unspecifiedFormat);
+ }
+
+ private void generateIDPSSODescriptor(final EntityDescriptor entityDescriptor,
+ final X509KeyInfoGeneratorFactory keyInfoGeneratorFactory)
+ throws org.opensaml.xml.security.SecurityException, IllegalAccessException, NoSuchFieldException,
+ SAMLEngineException, EIDASSAMLEngineException {
+ //the node has IDP role
+ idpSSODescriptor.setWantAuthnRequestsSigned(true);
+ idpSSODescriptor.setID(spSSODescriptor == null ? params.getEntityID()
+ : ("IDP" + params.getEntityID()));
+ if (params.getIDPSignature() != null) {
+ idpSSODescriptor.setSignature(params.getIDPSignature());
+ }
+ if (params.getIdpSigningCredential() != null) {
+ idpSSODescriptor.getKeyDescriptors()
+ .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getIdpSigningCredential(), UsageType.SIGNING));
+ } else if (params.getSigningCredential() != null) {
+ idpSSODescriptor.getKeyDescriptors()
+ .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getSigningCredential(), UsageType.SIGNING));
+ }
+ if (params.getIdpEncryptionCredential() != null) {
+ idpSSODescriptor.getKeyDescriptors()
+ .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getIdpEncryptionCredential(),
+ UsageType.ENCRYPTION));
+ } else if (params.getEncryptionCredential() != null) {
+ idpSSODescriptor.getKeyDescriptors()
+ .add(getKeyDescriptor(keyInfoGeneratorFactory, params.getEncryptionCredential(), UsageType.ENCRYPTION));
+ }
+ idpSSODescriptor.addSupportedProtocol(params.getIdpSamlProtocol());
+ fillNameIDFormat(idpSSODescriptor);
+ if (params.getIdpEngine() != null) {
+ if (params.getIdpEngine().getProtocolProcessor() != null
+ && params.getIdpEngine().getProtocolProcessor().getFormat() == SAMLExtensionFormat.EIDAS10) {
+
+ /*TODO: Only a work-around to add eIDAS attributes, which could be provided from MOA-ID, to IDP metadata
+ * If we restrict the eIDAS Engine attribute definitions then also additional incoming attributes can not processed any more.
+ *
+ * INFO: Maybe, this code can be removed in a future version of the eIDAS engine
+ */
+ generateSupportedAttributes(idpSSODescriptor, getAllSupportedAttributes());
+ }
+ ProtocolEngineI idpEngine = params.getIdpEngine();
+ ((MetadataSignerI) idpEngine.getSigner()).signMetadata(idpSSODescriptor);
+ }
+
+ idpSSODescriptor.getSingleSignOnServices().addAll(buildSingleSignOnServicesBindingLocations());
+
+ entityDescriptor.getRoleDescriptors().add(idpSSODescriptor);
+
+ }
+
+ /*TODO: Only a work-around to add eIDAS attributes, which could be provided from MOA-ID, to IDP metadata
+ * If we restrict the eIDAS Engine attribute definitions then also additional incoming attributes can not processed any more.
+ */
+ public ImmutableSortedSet<AttributeDefinition<?>> getAllSupportedAttributes() {
+ ImmutableSortedSet.Builder<AttributeDefinition<?>> builder =
+ new ImmutableSortedSet.Builder<>(Ordering.<AttributeDefinition<?>>natural());
+ builder.addAll(Constants.MOA_IDP_ATTR_REGISTRY.getAttributes());
+ return builder.build();
+ }
+
+ private ArrayList<SingleSignOnService> buildSingleSignOnServicesBindingLocations()
+ throws NoSuchFieldException, IllegalAccessException {
+ ArrayList<SingleSignOnService> singleSignOnServices = new ArrayList<SingleSignOnService>();
+
+ HashMap<String, String> bindingLocations = params.getProtocolBindingLocation();
+ for (String binding : bindingLocations.keySet()) {
+ SingleSignOnService ssos = BuilderFactoryUtil.buildXmlObject(SingleSignOnService.class);
+ ssos.setBinding(binding);
+ ssos.setLocation(bindingLocations.get(binding));
+ singleSignOnServices.add(ssos);
+ }
+
+ return singleSignOnServices;
+ }
+
+ /**
+ * @param metadata
+ * @return an EntityDescriptor parsed from the given String or null
+ */
+ // TODO (commented by donydgr) Move to a eu.eidas.auth.engine.metadata.MetadataUtil ? Throw an exception if the metadata is invalid instead of returning null ?
+ public static EntityDescriptorContainer deserializeEntityDescriptor(String metadata) {
+ EntityDescriptorContainer result = new EntityDescriptorContainer();
+ try {
+ byte[] metaDataBytes = EidasStringUtil.getBytes(metadata);
+ XMLObject obj = OpenSamlHelper.unmarshall(metaDataBytes);
+ if (obj instanceof EntityDescriptor) {
+ result.addEntityDescriptor((EntityDescriptor) obj, metaDataBytes);
+ } else if (obj instanceof EntitiesDescriptor) {
+ EntitiesDescriptor ed = (EntitiesDescriptor) obj;
+ result.setEntitiesDescriptor(ed);
+ result.getEntityDescriptors().addAll(((EntitiesDescriptor) obj).getEntityDescriptors());
+ result.setSerializedEntitesDescriptor(metaDataBytes);
+ }
+ } catch (UnmarshallException ue) {
+ LOGGER.info("ERROR : unmarshalling error", ue.getMessage());
+ LOGGER.debug("ERROR : unmarshalling error", ue);
+ }
+ return result;
+ }
+
+ private KeyDescriptor getKeyDescriptor(X509KeyInfoGeneratorFactory keyInfoGeneratorFactory,
+ Credential credential,
+ UsageType usage)
+ throws NoSuchFieldException, IllegalAccessException, SecurityException, EIDASSAMLEngineException {
+ KeyDescriptor keyDescriptor = null;
+ if (credential != null) {
+ keyDescriptor = BuilderFactoryUtil.buildXmlObject(KeyDescriptor.class);
+ KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
+
+ KeyInfo keyInfo = keyInfoGenerator.generate(credential);
+ keyDescriptor.setUse(usage);
+ keyDescriptor.setKeyInfo(keyInfo);
+ if (usage == UsageType.ENCRYPTION && params.getEncryptionAlgorithms() != null) {
+ Set<String> encryptionAlgos = EIDASUtil.parseSemicolonSeparatedList(params.getEncryptionAlgorithms());
+ for (String encryptionAlgo : encryptionAlgos) {
+ EncryptionMethod em =
+ (EncryptionMethod) BuilderFactoryUtil.buildXmlObject(EncryptionMethod.DEFAULT_ELEMENT_NAME);
+ em.setAlgorithm(encryptionAlgo);
+ keyDescriptor.getEncryptionMethods().add(em);
+ }
+ }
+
+ }
+ return keyDescriptor;
+ }
+
+ private Organization buildOrganization() {
+ Organization organization = null;
+ try {
+ organization = BuilderFactoryUtil.buildXmlObject(Organization.class);
+ OrganizationDisplayName odn = BuilderFactoryUtil.buildXmlObject(OrganizationDisplayName.class);
+ odn.setName(new LocalizedString(params.getCountryName(), "en"));
+ organization.getDisplayNames().add(odn);
+ OrganizationURL url = BuilderFactoryUtil.buildXmlObject(OrganizationURL.class);
+ url.setURL(new LocalizedString(params.getNodeUrl(), "en"));
+ organization.getURLs().add(url);
+ } catch (IllegalAccessException iae) {
+ LOGGER.info("ERROR : error generating the Organization: {}", iae.getMessage());
+ LOGGER.debug("ERROR : error generating the Organization: {}", iae);
+ } catch (NoSuchFieldException nfe) {
+ LOGGER.info("ERROR : error generating the Organization: {}", nfe.getMessage());
+ LOGGER.debug("ERROR : error generating the Organization: {}", nfe);
+ }
+ return organization;
+ }
+
+ private ContactPerson buildContact(ContactPersonTypeEnumeration contactType) {
+ ContactPerson contact = null;
+ try {
+ Contact currentContact = null;
+ if (contactType == ContactPersonTypeEnumeration.SUPPORT) {
+ currentContact = params.getSupportContact();
+ } else if (contactType == ContactPersonTypeEnumeration.TECHNICAL) {
+ currentContact = params.getTechnicalContact();
+ } else {
+ LOGGER.error("ERROR: unsupported contact type");
+ }
+ contact = BuilderFactoryUtil.buildXmlObject(ContactPerson.class);
+ if (currentContact == null) {
+ LOGGER.error("ERROR: cannot retrieve contact from the configuration");
+ return contact;
+ }
+
+ EmailAddress emailAddressObj = BuilderFactoryUtil.buildXmlObject(EmailAddress.class);
+ Company company = BuilderFactoryUtil.buildXmlObject(Company.class);
+ GivenName givenName = BuilderFactoryUtil.buildXmlObject(GivenName.class);
+ SurName surName = BuilderFactoryUtil.buildXmlObject(SurName.class);
+ TelephoneNumber phoneNumber = BuilderFactoryUtil.buildXmlObject(TelephoneNumber.class);
+ contact.setType(contactType);
+ emailAddressObj.setAddress(currentContact.getEmail());
+ company.setName(currentContact.getCompany());
+ givenName.setName(currentContact.getGivenName());
+ surName.setName(currentContact.getSurName());
+ phoneNumber.setNumber(currentContact.getPhone());
+
+ populateContact(contact, currentContact, emailAddressObj, company, givenName, surName, phoneNumber);
+
+ } catch (IllegalAccessException iae) {
+ LOGGER.info("ERROR : error generating the Organization: {}", iae.getMessage());
+ LOGGER.debug("ERROR : error generating the Organization: {}", iae);
+ } catch (NoSuchFieldException nfe) {
+ LOGGER.info("ERROR : error generating the Organization: {}", nfe.getMessage());
+ LOGGER.debug("ERROR : error generating the Organization: {}", nfe);
+ }
+ return contact;
+ }
+
+ private void populateContact(ContactPerson contact,
+ Contact currentContact,
+ EmailAddress emailAddressObj,
+ Company company,
+ GivenName givenName,
+ SurName surName,
+ TelephoneNumber phoneNumber) {
+ if (!StringUtils.isEmpty(currentContact.getEmail())) {
+ contact.getEmailAddresses().add(emailAddressObj);
+ }
+ if (!StringUtils.isEmpty(currentContact.getCompany())) {
+ contact.setCompany(company);
+ }
+ if (!StringUtils.isEmpty(currentContact.getGivenName())) {
+ contact.setGivenName(givenName);
+ }
+ if (!StringUtils.isEmpty(currentContact.getSurName())) {
+ contact.setSurName(surName);
+ }
+ if (!StringUtils.isEmpty(currentContact.getPhone())) {
+ contact.getTelephoneNumbers().add(phoneNumber);
+ }
+
+ }
+
+ /**
+ * @param engine a EIDASSamlEngine from which signing and encryption information is extracted
+ */
+
+ public void initialize(ProtocolEngineI engine) throws EIDASSAMLEngineException {
+
+ X509Certificate decryptionCertificate = engine.getDecryptionCertificate();
+ if (null != decryptionCertificate) {
+ params.setEncryptionCredential(CertificateUtil.toCredential(decryptionCertificate));
+ }
+ params.setSigningCredential(CertificateUtil.toCredential(engine.getSigningCertificate()));
+ params.setIdpEngine(engine);
+ params.setSpEngine(engine);
+ }
+
+ /**
+ * @param spEngine a EIDASSamlEngine for the
+ */
+
+ public void initialize(ProtocolEngineI spEngine, ProtocolEngineI idpEngine) throws EIDASSAMLEngineException {
+ if (idpEngine != null) {
+ idpEngine.getProtocolProcessor().configure();
+ params.setIdpSigningCredential(CertificateUtil.toCredential(idpEngine.getSigningCertificate()));
+
+ final X509Certificate idpEngineDecryptionCertificate = idpEngine.getDecryptionCertificate();
+ if (idpEngineDecryptionCertificate != null) {
+ params.setIdpEncryptionCredential(CertificateUtil.toCredential(idpEngineDecryptionCertificate));
+ }
+
+ }
+ if (spEngine != null) {
+ spEngine.getProtocolProcessor().configure();
+ params.setSpSigningCredential(CertificateUtil.toCredential(spEngine.getSigningCertificate()));
+
+ final X509Certificate spEngineDecryptionCertificate = spEngine.getDecryptionCertificate();
+ if (spEngineDecryptionCertificate != null) {
+ params.setSpEncryptionCredential(CertificateUtil.toCredential(spEngineDecryptionCertificate));
+ }
+ }
+
+ params.setIdpEngine(idpEngine);
+ params.setSpEngine(spEngine);
+ }
+
+ public void addSPRole() throws EIDASSAMLEngineException {
+ try {
+ if (spSSODescriptor == null) {
+ spSSODescriptor = BuilderFactoryUtil.buildXmlObject(SPSSODescriptor.class);
+ }
+ } catch (IllegalAccessException iae) {
+ throw new EIDASSAMLEngineException(iae);
+ } catch (NoSuchFieldException nsfe) {
+ throw new EIDASSAMLEngineException(nsfe);
+ }
+ }
+
+ public void addIDPRole() throws EIDASSAMLEngineException {
+ try {
+ if (idpSSODescriptor == null) {
+ idpSSODescriptor = BuilderFactoryUtil.buildXmlObject(IDPSSODescriptor.class);
+ }
+ } catch (IllegalAccessException iae) {
+ throw new EIDASSAMLEngineException(iae);
+ } catch (NoSuchFieldException nsfe) {
+ throw new EIDASSAMLEngineException(nsfe);
+ }
+ }
+
+ private void generateDigest(Extensions eidasExtensions) throws EIDASSAMLEngineException {
+ if (!StringUtils.isEmpty(params.getDigestMethods())) {
+ Set<String> signatureMethods = EIDASUtil.parseSemicolonSeparatedList(params.getDigestMethods());
+ Set<String> digestMethods = new HashSet<String>();
+ for (String signatureMethod : signatureMethods) {
+ digestMethods.add(CertificateUtil.validateDigestAlgorithm(signatureMethod));
+ }
+ for (String digestMethod : digestMethods) {
+ final DigestMethod dm = (DigestMethod) BuilderFactoryUtil.buildXmlObject(DigestMethod.DEF_ELEMENT_NAME);
+ if (dm != null) {
+ dm.setAlgorithm(digestMethod);
+ eidasExtensions.getUnknownXMLObjects().add(dm);
+ } else {
+ LOGGER.info("BUSINESS EXCEPTION error adding DigestMethod extension");
+ }
+ }
+ }
+
+ }
+
+ private Extensions generateExtensions() throws EIDASSAMLEngineException {
+ Extensions eidasExtensions = BuilderFactoryUtil.generateExtension();
+ if (params.getAssuranceLevel() != null) {
+ generateLoA(eidasExtensions);
+ }
+ if (!StringUtils.isEmpty(params.getSpType())) {
+ final SPType spTypeObj = (SPType) BuilderFactoryUtil.buildXmlObject(SPType.DEF_ELEMENT_NAME);
+ if (spTypeObj != null) {
+ spTypeObj.setSPType(params.getSpType());
+ eidasExtensions.getUnknownXMLObjects().add(spTypeObj);
+ } else {
+ LOGGER.info("BUSINESS EXCEPTION error adding SPType extension");
+ }
+ }
+ generateDigest(eidasExtensions);
+
+ if (!StringUtils.isEmpty(params.getSigningMethods())) {
+ Set<String> signMethods = EIDASUtil.parseSemicolonSeparatedList(params.getDigestMethods());
+ for (String signMethod : signMethods) {
+ final SigningMethod sm =
+ (SigningMethod) BuilderFactoryUtil.buildXmlObject(SigningMethod.DEF_ELEMENT_NAME);
+ if (sm != null) {
+ sm.setAlgorithm(signMethod);
+ eidasExtensions.getUnknownXMLObjects().add(sm);
+ } else {
+ LOGGER.info("BUSINESS EXCEPTION error adding SigningMethod extension");
+ }
+ }
+ }
+ return eidasExtensions;
+ }
+
+ private void generateLoA(Extensions eidasExtensions) throws EIDASSAMLEngineException {
+ EntityAttributes loa =
+ (EntityAttributes) BuilderFactoryUtil.buildXmlObject(EntityAttributes.DEFAULT_ELEMENT_NAME);
+ Attribute loaAttrib = (Attribute) BuilderFactoryUtil.buildXmlObject(Attribute.DEFAULT_ELEMENT_NAME);
+ loaAttrib.setName(EidasConstants.LEVEL_OF_ASSURANCE_NAME);
+ loaAttrib.setNameFormat(Attribute.URI_REFERENCE);
+ XSStringBuilder stringBuilder =
+ (XSStringBuilder) Configuration.getBuilderFactory().getBuilder(XSString.TYPE_NAME);
+ XSString stringValue = stringBuilder.buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSString.TYPE_NAME);
+ stringValue.setValue(params.getAssuranceLevel());
+ loaAttrib.getAttributeValues().add(stringValue);
+ loa.getAttributes().add(loaAttrib);
+ eidasExtensions.getUnknownXMLObjects().add(loa);
+
+ }
+
+ private static final Set<String> DEFAULT_BINDING = new HashSet<String>() {{
+ this.add(SAMLConstants.SAML2_POST_BINDING_URI);
+ }};
+
+ private void addAssertionConsumerService() throws EIDASSAMLEngineException {
+ int index = 0;
+ Set<String> bindings = params.getProtocolBinding().isEmpty() ? DEFAULT_BINDING : params.getProtocolBinding();
+ for (String binding : bindings) {
+ AssertionConsumerService asc = (AssertionConsumerService) BuilderFactoryUtil.buildXmlObject(
+ AssertionConsumerService.DEFAULT_ELEMENT_NAME);
+ asc.setLocation(params.getAssertionConsumerUrl());
+ asc.setBinding(checkBinding(binding));
+ asc.setIndex(index);
+ if (index == 0) {
+ asc.setIsDefault(true);
+ }
+ index++;
+ spSSODescriptor.getAssertionConsumerServices().add(asc);
+ }
+ }
+
+ private String checkBinding(String binding) {
+ if (binding != null && (binding.equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI) || binding.equals(
+ SAMLConstants.SAML2_POST_BINDING_URI))) {
+ return binding;
+ }
+ return SAMLConstants.SAML2_POST_BINDING_URI;
+ }
+
+ private DateTime getExpireDate() {
+ DateTime expiryDate = DateTime.now();
+ expiryDate =
+ expiryDate.withFieldAdded(DurationFieldType.seconds(), (int) (getConfigParams().getValidityDuration()));
+ return expiryDate;
+ }
+
+ private void generateSupportedAttributes(IDPSSODescriptor idpssoDescriptor,
+ ImmutableSortedSet<AttributeDefinition<?>> attributeDefinitions)
+ throws EIDASSAMLEngineException {
+ List<Attribute> attributes = idpssoDescriptor.getAttributes();
+ for (AttributeDefinition<?> attributeDefinition : attributeDefinitions) {
+ Attribute a = (Attribute) BuilderFactoryUtil.buildXmlObject(Attribute.DEFAULT_ELEMENT_NAME);
+ a.setName(attributeDefinition.getNameUri().toASCIIString());
+ a.setFriendlyName(attributeDefinition.getFriendlyName());
+ a.setNameFormat(Attribute.URI_REFERENCE);
+ attributes.add(a);
+ }
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
index 68640caf7..cdae92e58 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
@@ -22,15 +22,22 @@
*/
package at.gv.egovernment.moa.id.auth.modules.eidas.utils;
+import java.util.HashMap;
+import java.util.Map;
+
import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
import at.gv.egovernment.moa.id.auth.modules.eidas.config.MOAIDCertificateManagerConfigurationImpl;
+import at.gv.egovernment.moa.id.auth.modules.eidas.config.MOASWSigner;
import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider;
import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASMetadataProviderDecorator;
-import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDAsExtensionProcessor;
import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException;
import at.gv.egovernment.moa.logging.Logger;
-import eu.eidas.auth.engine.EIDASSAMLEngine;
-import eu.eidas.auth.engine.core.ExtensionProcessorI;
+import eu.eidas.auth.commons.attribute.AttributeDefinition;
+import eu.eidas.auth.engine.ProtocolEngineI;
+import eu.eidas.auth.engine.SamlEngineSystemClock;
+import eu.eidas.auth.engine.core.eidas.EidasProtocolProcessor;
+import eu.eidas.auth.engine.metadata.MetadataFetcherI;
+import eu.eidas.auth.engine.metadata.MetadataSignerI;
import eu.eidas.engine.exceptions.EIDASSAMLEngineException;
import eu.eidas.samlengineconfig.CertificateConfigurationManager;
@@ -40,28 +47,36 @@ import eu.eidas.samlengineconfig.CertificateConfigurationManager;
*/
public class SAMLEngineUtils {
- private static EIDASSAMLEngine eIDASEngine = null;
+ private static ProtocolEngineI eIDASEngine = null;
+ private static MetadataSignerI metadataSigner = null;
+ private static MetadataFetcherI metadataFetcher = null;
+ private static Map<String, AttributeDefinition<?>> allSupportedAttributeMap =
+ new HashMap<String, AttributeDefinition<?>>();
- public static synchronized EIDASSAMLEngine createSAMLEngine(MOAeIDASChainingMetadataProvider moaeIDASMetadataProvider) throws EIDASEngineException{
+ public static synchronized ProtocolEngineI createSAMLEngine(MOAeIDASChainingMetadataProvider moaeIDASMetadataProvider) throws EIDASEngineException{
if (eIDASEngine == null) {
try {
//get eIDAS SAMLengine configuration from MOA-ID configuration
CertificateConfigurationManager configManager = new MOAIDCertificateManagerConfigurationImpl();
+
+ //set metadata management to eIDAS SAMLengine
+ metadataFetcher = new MOAeIDASMetadataProviderDecorator(moaeIDASMetadataProvider);
+
+ //set metadata signer
+ metadataSigner = new MOASWSigner(configManager);
+
+ //build eIDAS SAML eninge
+ ProtocolEngineI engine = MOAProtocolEngineFactory.createProtocolEngine(
+ Constants.eIDAS_SAML_ENGINE_NAME,
+ configManager,
+ new EidasProtocolProcessor(metadataFetcher, metadataSigner),
+ new SamlEngineSystemClock());
- //initial eIDAS SAMLengine
- EIDASSAMLEngine engine = EIDASSAMLEngine.createSAMLEngine(Constants.eIDAS_SAML_ENGINE_NAME,
- configManager);
-
- //set metadata management to eIDAS SAMLengine
- engine.setMetadataProcessor(
- new MOAeIDASMetadataProviderDecorator(
- moaeIDASMetadataProvider));
-
- //set MOA specific extension processor
- ExtensionProcessorI extensionProcessor = new MOAeIDAsExtensionProcessor();
- engine.setExtensionProcessor(extensionProcessor);
-
+ //build a map with all actually supported attributes
+ for (AttributeDefinition<?> el : engine.getProtocolProcessor().getAllSupportedAttributes())
+ allSupportedAttributeMap.put(el.getFriendlyName(), el);
+
eIDASEngine = engine;
} catch (EIDASSAMLEngineException e) {
@@ -73,5 +88,45 @@ public class SAMLEngineUtils {
return eIDASEngine;
}
+
+ /**
+ * Get a map of all eIDAS attributes, which are actually supported by eIDAS engine
+ *
+ * @return Map<Attr. FriendlyName, AttributeDefinition>
+ */
+ public static Map<String, AttributeDefinition<?>> getMapOfAllAvailableAttributes() {
+ return allSupportedAttributeMap;
+
+ }
+
+ /**
+ * @return the metadataSigner
+ */
+ public static MetadataSignerI getMetadataSigner() {
+ if (eIDASEngine != null)
+ return metadataSigner;
+
+ else {
+ Logger.error("eIDAS SAMLEngine is not initialized.");
+ return null;
+
+ }
+ }
+
+ /**
+ * @return the metadataFetcher
+ */
+ public static MetadataFetcherI getMetadataFetcher() {
+ if (eIDASEngine != null)
+ return metadataFetcher;
+
+ else {
+ Logger.error("eIDAS SAMLEngine is not initialized.");
+ return null;
+
+ }
+ }
+
+
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASData.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASData.java
index 4dffba575..7647b4cab 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASData.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASData.java
@@ -7,9 +7,9 @@ import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.context.annotation.Scope;
import org.springframework.stereotype.Component;
-import at.gv.egovernment.moa.id.auth.modules.eidas.utils.MOAPersonalAttributeList;
import at.gv.egovernment.moa.id.moduls.RequestImpl;
-import eu.eidas.auth.commons.EIDASAuthnRequest;
+import eu.eidas.auth.commons.attribute.ImmutableAttributeMap;
+import eu.eidas.auth.commons.protocol.IAuthenticationRequest;
@Component("EIDASData")
@Scope(value = BeanDefinition.SCOPE_PROTOTYPE)
@@ -19,10 +19,10 @@ public class EIDASData extends RequestImpl {
private static final long serialVersionUID = 8765755670214923910L;
/** The attributes requested by the eIDaS. */
- private MOAPersonalAttributeList attributes;
+ private ImmutableAttributeMap attributes;
/** The incoming eIDaS SAML2 AuthnRequest. */
- private EIDASAuthnRequest authnRequest;
+ private IAuthenticationRequest authnRequest;
/** The ip address of the requester. */
private String remoteIPAddress;
@@ -40,17 +40,17 @@ public class EIDASData extends RequestImpl {
*
* @return the requested attributes
*/
- public MOAPersonalAttributeList getEidasRequestedAttributes() {
- return (MOAPersonalAttributeList) attributes.clone();
+ public ImmutableAttributeMap getEidasRequestedAttributes() {
+ return attributes;
}
/**
* Sets the eidas requested attributes.
*
- * @param personalAttributeList the requested attributes
+ * @param immutableAttributeMap the requested attributes
*/
- public void setEidasRequestedAttributes(MOAPersonalAttributeList personalAttributeList) {
- attributes = personalAttributeList;
+ public void setEidasRequestedAttributes(ImmutableAttributeMap immutableAttributeMap) {
+ attributes = immutableAttributeMap;
}
/**
@@ -58,7 +58,7 @@ public class EIDASData extends RequestImpl {
*
* @return the eidas request
*/
- public EIDASAuthnRequest getEidasRequest() {
+ public IAuthenticationRequest getEidasRequest() {
return authnRequest;
}
@@ -67,7 +67,7 @@ public class EIDASData extends RequestImpl {
*
* @param request the new eidas request
*/
- public void setEidasRequest(EIDASAuthnRequest request) {
+ public void setEidasRequest(IAuthenticationRequest request) {
authnRequest = request;
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
index fc935e2ef..cf9414a3b 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
@@ -45,10 +45,9 @@ import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider;
import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider;
import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASMetadataProviderDecorator;
-import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.eIDASAuthnRequestProcessingException;
-import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.eIDASAuthnRequestValidationException;
-import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.eIDASException;
-import at.gv.egovernment.moa.id.auth.modules.eidas.utils.MOAPersonalAttributeList;
+import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASAuthnRequestProcessingException;
+import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASAuthnRequestValidationException;
+import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASException;
import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.IRequest;
@@ -57,10 +56,12 @@ import at.gv.egovernment.moa.id.moduls.RequestImpl;
import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
-import eu.eidas.auth.commons.EIDASAuthnRequest;
-import eu.eidas.auth.commons.EIDASAuthnResponse;
-import eu.eidas.auth.commons.EIDASUtil;
-import eu.eidas.auth.engine.EIDASSAMLEngine;
+import eu.eidas.auth.commons.EidasStringUtil;
+import eu.eidas.auth.commons.protocol.IAuthenticationRequest;
+import eu.eidas.auth.commons.protocol.IResponseMessage;
+import eu.eidas.auth.commons.protocol.impl.AuthenticationResponse;
+import eu.eidas.auth.commons.protocol.impl.AuthenticationResponse.Builder;
+import eu.eidas.auth.engine.ProtocolEngineI;
import eu.eidas.auth.engine.metadata.MetadataUtil;
import eu.eidas.engine.exceptions.EIDASSAMLEngineException;
@@ -82,7 +83,8 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
Logger.debug("Registering servlet " + getClass().getName() +
" with mappings '" + Constants.eIDAS_HTTP_ENDPOINT_METADATA +
"' and '" + Constants.eIDAS_HTTP_ENDPOINT_IDP_COLLEAGUEREQUEST +
- "' and '" + Constants.eIDAS_HTTP_ENDPOINT_IDP_POST +"'.");
+ //"' and '" + Constants.eIDAS_HTTP_ENDPOINT_IDP_POST +
+ "'.");
}
@@ -172,13 +174,15 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
try {
//decode SAML2 token
- byte[] decSamlToken = EIDASUtil.decodeSAMLToken(base64SamlToken);
+ byte[] decSamlToken = EidasStringUtil.decodeBytesFromBase64(base64SamlToken);
//get eIDAS SAML-engine
- EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider);
+ ProtocolEngineI engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider);
+ //TODO: change to configurable COUNTRY-CODE
+ String cititzenCountryCode = "AT";
//validate SAML token
- EIDASAuthnRequest samlReq = engine.validateEIDASAuthnRequest(decSamlToken);
+ IAuthenticationRequest samlReq = engine.unmarshallRequestAndValidate(decSamlToken, cititzenCountryCode );
// - memorize remote ip
pendingReq.setRemoteAddress(request.getRemoteAddr());
@@ -189,13 +193,15 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
// - memorize country code of target country
pendingReq.setGenericDataToSession(
- RequestImpl.eIDAS_GENERIC_REQ_DATA_COUNTRY, samlReq.getCountry());
+ RequestImpl.eIDAS_GENERIC_REQ_DATA_COUNTRY, samlReq.getOriginCountryCode());
- // - memorize requested attributes
- pendingReq.setEidasRequestedAttributes(new MOAPersonalAttributeList(samlReq.getPersonalAttributeList()));
+ //TODO: store level of assurance
+
+
+ // - memorize requested attributes
+ pendingReq.setEidasRequestedAttributes(samlReq.getRequestedAttributes());
- // - memorize whole request
- samlReq.setPersonalAttributeList(pendingReq.getEidasRequestedAttributes()); // circumvent non-serializable eidas personal attribute list
+ // - memorize whole request
pendingReq.setEidasRequest(samlReq);
//validate Destination against MOA-ID-Auth configuration
@@ -203,7 +209,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
if (MiscUtil.isEmpty(reqDestination) ||
!reqDestination.startsWith(pendingReq.getAuthURL())) {
Logger.info("eIDAS AuthnRequest contains a not valid 'Destination' attribute");
- throw new eIDASAuthnRequestValidationException("stork.01",
+ throw new EIDASAuthnRequestValidationException("stork.01",
new Object[]{"eIDAS AuthnRequest contains a not valid 'Destination' attribute"});
}
@@ -223,7 +229,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
if (!isValid) {
Logger.info("eIDAS AuthnRequest contains a not valid 'AssertionConsumerServiceURL' attribute");
- throw new eIDASAuthnRequestValidationException("stork.01",
+ throw new EIDASAuthnRequestValidationException("stork.01",
new Object[]{"eIDAS AuthnRequest contains a not valid 'AssertionConsumerServiceURL' attribute"});
}
@@ -236,18 +242,19 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
// - memorize OA config
IOAAuthParameters oaConfig = authConfig.getOnlineApplicationParameter(pendingReq.getOAURL());
if (oaConfig == null)
- throw new eIDASAuthnRequestProcessingException("eIDAS.08", new Object[]{pendingReq.getOAURL()});
+ throw new EIDASAuthnRequestProcessingException("eIDAS.08", new Object[]{pendingReq.getOAURL()});
pendingReq.setOnlineApplicationConfiguration(oaConfig);
- String spType = samlReq.getSPType();
- if (MiscUtil.isEmpty(spType)) {
- Logger.info("Load SPType from metadata ... IS NOT IMPLEMENTED YET!!!");
- //TODO: maybe implement this if required
-
- }
-
- Logger.debug("eIDAS request has SPType:" + spType);
+ //TODO: is not supported any more ?!?
+// String spType = samlReq.getSPType();
+// if (MiscUtil.isEmpty(spType)) {
+// Logger.info("Load SPType from metadata ... IS NOT IMPLEMENTED YET!!!");
+// //TODO: maybe implement this if required
+//
+// }
+//
+// Logger.debug("eIDAS request has SPType:" + spType);
} catch (MOAIDException e) {
Logger.info("eIDAS AuthnRequest preProcessing FAILED. Msg:" + e.getMessage());
@@ -255,11 +262,11 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
} catch (EIDASSAMLEngineException e) {
Logger.info("eIDAS AuthnRequest preProcessing FAILED. Msg:" + e.getMessage());
- throw new eIDASAuthnRequestProcessingException("eIDAS.06", new Object[]{e.getMessage()}, e);
+ throw new EIDASAuthnRequestProcessingException("eIDAS.06", new Object[]{e.getMessage()}, e);
} catch(Exception e) {
Logger.warn("eIDAS AuthnRequest preProcessing FAILED. Msg:" + e.getMessage(), e);
- throw new eIDASAuthnRequestProcessingException("eIDAS.06", new Object[]{e.getMessage()}, e);
+ throw new EIDASAuthnRequestProcessingException("eIDAS.06", new Object[]{e.getMessage()}, e);
}
}
@@ -273,43 +280,50 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
}
try {
- EIDASAuthnResponse eIDASResp = new EIDASAuthnResponse();
- eIDASResp.setIssuer(pendingReq.getAuthURL() + Constants.eIDAS_HTTP_ENDPOINT_METADATA);
-
- if (e instanceof eIDASException) {
- eIDASResp.setStatusCode(((eIDASException) e).getStatusCodeFirstLevel());
- eIDASResp.setSubStatusCode(((eIDASException) e).getStatusCodeSecondLevel());
- eIDASResp.setMessage(e.getMessage());
+ Builder eIDASRespBuilder = new AuthenticationResponse.Builder();
+ eIDASRespBuilder.issuer(pendingReq.getAuthURL() + Constants.eIDAS_HTTP_ENDPOINT_METADATA);
+
+ if (e instanceof EIDASException) {
+ eIDASRespBuilder.statusCode(((EIDASException) e).getStatusCodeFirstLevel());
+ eIDASRespBuilder.subStatusCode(((EIDASException) e).getStatusCodeSecondLevel());
+ eIDASRespBuilder.statusMessage(e.getMessage());
} else if (e instanceof MOAIDException ) {
- eIDASResp.setStatusCode(StatusCode.RESPONDER_URI);
- eIDASResp.setSubStatusCode(StatusCode.AUTHN_FAILED_URI);
- eIDASResp.setMessage(e.getMessage());
+ eIDASRespBuilder.statusCode(StatusCode.RESPONDER_URI);
+ eIDASRespBuilder.subStatusCode(StatusCode.AUTHN_FAILED_URI);
+ eIDASRespBuilder.statusMessage(e.getMessage());
} else {
- eIDASResp.setStatusCode(StatusCode.RESPONDER_URI);
- eIDASResp.setSubStatusCode(StatusCode.AUTHN_FAILED_URI);
- eIDASResp.setMessage(e.getMessage());
+ eIDASRespBuilder.statusCode(StatusCode.RESPONDER_URI);
+ eIDASRespBuilder.subStatusCode(StatusCode.AUTHN_FAILED_URI);
+ eIDASRespBuilder.statusMessage(e.getMessage());
}
-
-
- EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider);
-
+
if(null == eidasReq.getEidasRequest().getAssertionConsumerServiceURL()) {
- String assertionConsumerUrl = MetadataUtil.getAssertionUrlFromMetadata(
- new MOAeIDASMetadataProviderDecorator(eIDASMetadataProvider),
- engine,
+ String assertionConsumerUrl = MetadataUtil.getAssertionConsumerUrlFromMetadata(
+ SAMLEngineUtils.getMetadataFetcher(),
+ SAMLEngineUtils.getMetadataSigner(),
eidasReq.getEidasRequest());
- eidasReq.getEidasRequest().setAssertionConsumerServiceURL(assertionConsumerUrl);
- }
+ //TODO: set AssertionConsumerService is required?
+
+ }
+
+ eIDASRespBuilder.id(eu.eidas.auth.engine.xml.opensaml.SAMLEngineUtils.generateNCName());
+ eIDASRespBuilder.inResponseTo(eidasReq.getEidasRequest().getId());
+
+ //build response
+ AuthenticationResponse eIDASResp = eIDASRespBuilder.build();
+
//get eIDAS SAML-engine
+ ProtocolEngineI engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider);
+
+ //build response message
+ IResponseMessage eIDASRespMsg = engine.generateResponseErrorMessage(eidasReq.getEidasRequest(),eIDASResp, eidasReq.getRemoteAddress());
- eIDASResp = engine.generateEIDASAuthnResponseFail(eidasReq.getEidasRequest(), eIDASResp,
- eidasReq.getRemoteAddress(), true);
- String token = EIDASUtil.encodeSAMLToken(eIDASResp.getTokenSaml());
+ String token = EidasStringUtil.encodeToBase64(eIDASRespMsg.getMessageBytes());
VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine();
Template template = velocityEngine.getTemplate("/resources/templates/stork2_postbinding_template.html");
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java
index 3fc13406c..a93dff3b3 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java
@@ -21,6 +21,7 @@ import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.metadata.ContactPerson;
import org.opensaml.saml2.metadata.Organization;
import org.springframework.beans.factory.annotation.Autowired;
@@ -39,11 +40,11 @@ import at.gv.egovernment.moa.id.data.SLOInformationInterface;
import at.gv.egovernment.moa.id.moduls.IAction;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
import at.gv.egovernment.moa.logging.Logger;
-import eu.eidas.auth.engine.EIDASSAMLEngine;
+import eu.eidas.auth.engine.ProtocolEngineI;
import eu.eidas.auth.engine.metadata.Contact;
import eu.eidas.auth.engine.metadata.MetadataConfigParams;
import eu.eidas.auth.engine.metadata.MetadataGenerator;
-import eu.eidas.engine.exceptions.SAMLEngineException;
+import eu.eidas.engine.exceptions.EIDASSAMLEngineException;
/**
@@ -65,10 +66,10 @@ public class EidasMetaDataRequest implements IAction {
try {
String pubURLPrefix = req.getAuthURL();
- String metadata_url = pubURLPrefix + Constants.eIDAS_HTTP_ENDPOINT_METADATA;
+ String metadata_url = pubURLPrefix + Constants.eIDAS_HTTP_ENDPOINT_METADATA;
+ String sp_return_url = pubURLPrefix + Constants.eIDAS_HTTP_ENDPOINT_SP_POST;
- String sp_return_url = pubURLPrefix + Constants.eIDAS_HTTP_ENDPOINT_SP_POST;
- String metaData = generateMetadata(metadata_url, sp_return_url);
+ String metaData = generateMetadata(req, metadata_url, sp_return_url);
Logger.trace(metaData);
@@ -104,10 +105,10 @@ public class EidasMetaDataRequest implements IAction {
}
- public String generateMetadata(String metadata_url, String sp_return_url) throws SAMLEngineException, EIDASEngineException{
+ public String generateMetadata(IRequest pendingReq, String metadata_url, String sp_return_url) throws EIDASSAMLEngineException, EIDASEngineException{
String metadata="invalid metadata";
- EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider);
+ ProtocolEngineI engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider);
MetadataGenerator generator = new MetadataGenerator();
MetadataConfigParams mcp=new MetadataConfigParams();
@@ -116,6 +117,9 @@ public class EidasMetaDataRequest implements IAction {
mcp.setEntityID(metadata_url);
mcp.setAssertionConsumerUrl(sp_return_url);
+ mcp.getProtocolBindingLocation().put(
+ SAMLConstants.SAML2_POST_BINDING_URI,
+ pendingReq.getAuthURL() + Constants.eIDAS_HTTP_ENDPOINT_IDP_COLLEAGUEREQUEST);
//TODO: make it configurable
@@ -137,11 +141,17 @@ public class EidasMetaDataRequest implements IAction {
Contact technicalContact = new Contact();
List<ContactPerson> contacts = PVPConfiguration.getInstance().getIDPContacts();
- if (contacts != null && contacts.size() >= 1) {
- technicalContact.setEmail(contacts.get(0).getEmailAddresses().get(0).getAddress());
- technicalContact.setGivenName(contacts.get(0).getGivenName().getName());
- technicalContact.setSurName(contacts.get(0).getSurName().getName());
- technicalContact.setPhone(contacts.get(0).getTelephoneNumbers().get(0).getNumber());
+ if (contacts != null && contacts.size() >= 1) {
+ ContactPerson contact = contacts.get(0);
+ technicalContact.setGivenName(contact.getGivenName().getName());
+ technicalContact.setSurName(contact.getSurName().getName());
+
+ if (!contact.getEmailAddresses().isEmpty())
+ technicalContact.setEmail(contact.getEmailAddresses().get(0).getAddress());
+
+ if (!contact.getTelephoneNumbers().isEmpty())
+ technicalContact.setPhone(contact.getTelephoneNumbers().get(0).getNumber());
+
mcp.setTechnicalContact(technicalContact );
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
index 2beb419fb..9e29c01f3 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
@@ -24,7 +24,6 @@ package at.gv.egovernment.moa.id.protocols.eidas;
import java.io.StringWriter;
import java.text.SimpleDateFormat;
-import java.util.Map.Entry;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -36,13 +35,12 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.stereotype.Service;
+import com.google.common.collect.ImmutableSet;
+
import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider;
import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider;
-import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASMetadataProviderDecorator;
-import at.gv.egovernment.moa.id.auth.modules.eidas.utils.MOAPersonalAttributeList;
-import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils;
import at.gv.egovernment.moa.id.commons.api.IRequest;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.data.IAuthData;
@@ -50,12 +48,16 @@ import at.gv.egovernment.moa.id.data.SLOInformationInterface;
import at.gv.egovernment.moa.id.moduls.IAction;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
-import eu.eidas.auth.commons.EIDASAuthnResponse;
-import eu.eidas.auth.commons.EIDASStatusCode;
-import eu.eidas.auth.commons.EIDASUtil;
-import eu.eidas.auth.commons.PersonalAttribute;
-import eu.eidas.auth.engine.EIDASSAMLEngine;
-import eu.eidas.auth.engine.metadata.MetadataUtil;
+import eu.eidas.auth.commons.EidasStringUtil;
+import eu.eidas.auth.commons.attribute.AttributeDefinition;
+import eu.eidas.auth.commons.attribute.AttributeValue;
+import eu.eidas.auth.commons.attribute.AttributeValueMarshaller;
+import eu.eidas.auth.commons.attribute.AttributeValueMarshallingException;
+import eu.eidas.auth.commons.attribute.ImmutableAttributeMap;
+import eu.eidas.auth.commons.protocol.IResponseMessage;
+import eu.eidas.auth.commons.protocol.impl.AuthenticationResponse;
+import eu.eidas.auth.engine.ProtocolEngineI;
+import eu.eidas.auth.engine.xml.opensaml.SAMLEngineUtils;
/**
@@ -80,14 +82,16 @@ public class eIDASAuthenticationRequest implements IAction {
throw new MOAIDException("got wrong IRequest type. is: {}, should be: {}", new String[] {req.getClass().toString(), EIDASData.class.toString()});
- // gather attributes
- MOAPersonalAttributeList resultingAttributeList = (MOAPersonalAttributeList) eidasRequest.getEidasRequestedAttributes().clone();
+ //gather attributes
+ ImmutableAttributeMap reqAttributeList = (ImmutableAttributeMap) eidasRequest.getEidasRequestedAttributes();
+
+ ImmutableAttributeMap.Builder attrMapBuilder = ImmutableAttributeMap.builder();
- for(Entry<String, PersonalAttribute> current : resultingAttributeList.entrySet()) {
+ for(AttributeDefinition<?> attr : reqAttributeList.getDefinitions()) {
String newValue = "";
-
+
// TODO make use of proper builder
- switch(current.getKey()) {
+ switch(attr.getFriendlyName()) {
case Constants.eIDAS_ATTR_DATEOFBIRTH: newValue = new SimpleDateFormat("YYYY-MM-dd").format(authData.getDateOfBirth()); break;
case Constants.eIDAS_ATTR_CURRENTFAMILYNAME: newValue = authData.getFamilyName();break;
case Constants.eIDAS_ATTR_CURRENTGIVENNAME: newValue = authData.getGivenName();break;
@@ -95,50 +99,75 @@ public class eIDASAuthenticationRequest implements IAction {
}
- if(MiscUtil.isEmpty(newValue))
- current.getValue().setStatus(EIDASStatusCode.STATUS_NOT_AVAILABLE.toString());
-
- else {
- current.getValue().getValue().clear();
- current.getValue().getValue().add(newValue);
- current.getValue().setStatus(EIDASStatusCode.STATUS_AVAILABLE.toString());
+ if(MiscUtil.isEmpty(newValue)) {
+// current.getValue().setStatus(EIDASStatusCode.STATUS_NOT_AVAILABLE.toString());
+ Logger.info("eIDAS Attr:" + attr.getNameUri() + " is not available.");
+
+ } else {
+ AttributeValueMarshaller<?> attributeValueMarshaller = attr.getAttributeValueMarshaller();
+ ImmutableSet.Builder<AttributeValue<?>> builder = ImmutableSet.builder();
+
+ AttributeValue<?> attributeValue = null;
+ try {
+ attributeValue = attributeValueMarshaller.unmarshal(newValue, false);
+
+ } catch (AttributeValueMarshallingException e) {
+ throw new IllegalStateException(e);
+
+ }
+
+ //TODO: check for 'isAvailable flag'!
+
+ attrMapBuilder.put((AttributeDefinition)attr, (ImmutableSet) builder.build());
}
+
+
+
}
// construct eIDaS response
- EIDASAuthnResponse response = new EIDASAuthnResponse();
- response.setPersonalAttributeList(resultingAttributeList);
+ AuthenticationResponse.Builder responseBuilder = new AuthenticationResponse.Builder();
- // - create metadata url
- String pubURLPrefix = req.getAuthURL();
+ responseBuilder.id(SAMLEngineUtils.generateNCName());
+ responseBuilder.inResponseTo(eidasRequest.getEidasRequest().getId());
+
+ String pubURLPrefix = req.getAuthURL();
String metadata_url = pubURLPrefix + Constants.eIDAS_HTTP_ENDPOINT_METADATA;
- response.setIssuer(metadata_url);
-
- response.setAssuranceLevel(authData.getEIDASQAALevel());
+ responseBuilder.issuer(metadata_url);
+
+ responseBuilder.levelOfAssurance(authData.getEIDASQAALevel());
+
+ //add attributes
+ responseBuilder.attributes(attrMapBuilder.build());
+
+ //build response
+ AuthenticationResponse response = responseBuilder.build();
String token = null;
try {
- EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider);
+ ProtocolEngineI engine = at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider);
// encryption is done by the SamlEngine, i.e. by the module we provide in the config
// but we need to set the appropriate request issuer
- engine.setRequestIssuer(eidasRequest.getEidasRequest().getIssuer());
-
-
- if(null == eidasRequest.getEidasRequest().getAssertionConsumerServiceURL()) {
- String assertionConsumerUrl = MetadataUtil.getAssertionUrlFromMetadata(
- new MOAeIDASMetadataProviderDecorator(eIDASMetadataProvider),
- engine,
- eidasRequest.getEidasRequest());
- eidasRequest.getEidasRequest().setAssertionConsumerServiceURL(assertionConsumerUrl);
-
- }
+ //engine.setRequestIssuer(eidasRequest.getEidasRequest().getIssuer());
+
+ IResponseMessage eIDASRespMsg = engine.generateResponseMessage(eidasRequest.getEidasRequest(),
+ response, true, eidasRequest.getRemoteAddress());
+
+// if(null == eidasRequest.getEidasRequest().getAssertionConsumerServiceURL()) {
+// String assertionConsumerUrl = MetadataUtil.getAssertionUrlFromMetadata(
+// new MOAeIDASMetadataProviderDecorator(eIDASMetadataProvider),
+// engine,
+// eidasRequest.getEidasRequest());
+// eidasRequest.getEidasRequest().setAssertionConsumerServiceURL(assertionConsumerUrl);
+//
+// }
- response = engine.generateEIDASAuthnResponse(eidasRequest.getEidasRequest(), response, eidasRequest.getRemoteAddress(), true);
+// response = engine.generateEIDASAuthnResponse(eidasRequest.getEidasRequest(), response, eidasRequest.getRemoteAddress(), true);
- token = EIDASUtil.encodeSAMLToken(response.getTokenSaml());
+ token = EidasStringUtil.encodeToBase64(eIDASRespMsg.getMessageBytes());
} catch(Exception e) {
e.printStackTrace();
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
index c421bf8cc..d3ebffdfd 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
@@ -22,16 +22,12 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.saml1;
-import java.util.List;
-
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
-import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants;
-import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet;
import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
@@ -43,7 +39,6 @@ import at.gv.egovernment.moa.id.data.SLOInformationInterface;
import at.gv.egovernment.moa.id.moduls.IAction;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.URLEncoder;
-import eu.eidas.auth.commons.IPersonalAttributeList;
@Service("SAML1_GetArtifactAction")
public class GetArtifactAction implements IAction {
@@ -74,13 +69,16 @@ public class GetArtifactAction implements IAction {
try {
IOAAuthParameters oaParam = req.getOnlineApplicationConfiguration();
+ //TODO: add eIDAS to SAML1 protocol if it is really necessary
+
// add other stork attributes to MOA assertion if available
- IPersonalAttributeList storkAttributes = authData.getGenericData(
- AuthenticationSessionStorageConstants.STORK_ATTRIBUTELIST,
- IPersonalAttributeList.class);
+// IPersonalAttributeList storkAttributes = authData.getGenericData(
+// AuthenticationSessionStorageConstants.STORK_ATTRIBUTELIST,
+// IPersonalAttributeList.class);
+ Object storkAttributes = null;
if(null != storkAttributes) {
- List<ExtendedSAMLAttribute> moaExtendedSAMLAttibutes = saml1server.addAdditionalSTORKAttributes(storkAttributes);
- authData.getExtendedSAMLAttributesOA().addAll(moaExtendedSAMLAttibutes);
+// List<ExtendedSAMLAttribute> moaExtendedSAMLAttibutes = saml1server.addAdditionalSTORKAttributes(storkAttributes);
+// authData.getExtendedSAMLAttributesOA().addAll(moaExtendedSAMLAttibutes);
Logger.info("MOA assertion assembled and SAML Artifact generated.");
}
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
index 113fb943f..0a760cb5a 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
@@ -25,7 +25,6 @@ package at.gv.egovernment.moa.id.protocols.saml1;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.List;
-import java.util.Vector;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@@ -37,7 +36,6 @@ import javax.xml.namespace.QName;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerException;
-import org.apache.commons.lang3.StringEscapeUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.w3c.dom.Element;
@@ -52,7 +50,6 @@ import at.gv.egovernment.moa.id.auth.builder.PersonDataBuilder;
import at.gv.egovernment.moa.id.auth.builder.SAMLArtifactBuilder;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
-import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttributeImpl;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.auth.exception.ParseException;
@@ -82,8 +79,6 @@ import at.gv.util.xsd.persondata.IdentificationType.Value;
import at.gv.util.xsd.persondata.PersonNameType;
import at.gv.util.xsd.persondata.PersonNameType.FamilyName;
import at.gv.util.xsd.persondata.PhysicalPersonType;
-import eu.eidas.auth.commons.IPersonalAttributeList;
-import eu.eidas.auth.commons.PersonalAttribute;
//import at.gv.egovernment.moa.id.util.IdentityLinkReSigner;
@Service("SAML1AuthenticationServer")
@@ -127,41 +122,43 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
return error;
}
- /**
- * Transforms additional STORK attributes to MOA Extended attributes
- * @param iPersonalAttributeList STORK attribute list
- * @return
- */
- public List<ExtendedSAMLAttribute> addAdditionalSTORKAttributes(IPersonalAttributeList iPersonalAttributeList) {
- List<ExtendedSAMLAttribute> moaExtendedSAMLAttributeList = new Vector<ExtendedSAMLAttribute>();
-
- if(null == iPersonalAttributeList)
- return moaExtendedSAMLAttributeList;
-
- Logger.trace("Adding the following attributes to MOA assertion: ");
- int count = 0;
-
- for (PersonalAttribute attribute : iPersonalAttributeList) {
- Object attributeValue = attribute.getValue();
- if (null == attributeValue)
- attributeValue = attribute.getComplexValue();
-
- // escape attributeValue
- attributeValue = StringEscapeUtils.escapeXml10(attributeValue.toString());
- // and remove trailing and tailing brackets. Might break something but we never saw an array with more than one entry!
- attributeValue = ((String) attributeValue).substring(1, ((String) attributeValue).length() - 1);
-
- ExtendedSAMLAttribute extendedSAMLAttribute =
- new ExtendedSAMLAttributeImpl(attribute.getName(), attributeValue, Constants.STORK_NS_URI, 0);
- moaExtendedSAMLAttributeList.add(extendedSAMLAttribute);
- count++;
- Logger.trace("Additional attribute: " + attribute.getName());
- }
-
- Logger.debug("Added " + count + " STORK attribute(s) to the MOA assertion.");
-
- return moaExtendedSAMLAttributeList;
- }
+
+ //TODO: add eIDAS to SAML1 protocol if it is really necessary
+// /**
+// * Transforms additional STORK attributes to MOA Extended attributes
+// * @param iPersonalAttributeList STORK attribute list
+// * @return
+// */
+// public List<ExtendedSAMLAttribute> addAdditionalSTORKAttributes(IPersonalAttributeList iPersonalAttributeList) {
+// List<ExtendedSAMLAttribute> moaExtendedSAMLAttributeList = new Vector<ExtendedSAMLAttribute>();
+//
+// if(null == iPersonalAttributeList)
+// return moaExtendedSAMLAttributeList;
+//
+// Logger.trace("Adding the following attributes to MOA assertion: ");
+// int count = 0;
+//
+// for (PersonalAttribute attribute : iPersonalAttributeList) {
+// Object attributeValue = attribute.getValue();
+// if (null == attributeValue)
+// attributeValue = attribute.getComplexValue();
+//
+// // escape attributeValue
+// attributeValue = StringEscapeUtils.escapeXml10(attributeValue.toString());
+// // and remove trailing and tailing brackets. Might break something but we never saw an array with more than one entry!
+// attributeValue = ((String) attributeValue).substring(1, ((String) attributeValue).length() - 1);
+//
+// ExtendedSAMLAttribute extendedSAMLAttribute =
+// new ExtendedSAMLAttributeImpl(attribute.getName(), attributeValue, Constants.STORK_NS_URI, 0);
+// moaExtendedSAMLAttributeList.add(extendedSAMLAttribute);
+// count++;
+// Logger.trace("Additional attribute: " + attribute.getName());
+// }
+//
+// Logger.debug("Added " + count + " STORK attribute(s) to the MOA assertion.");
+//
+// return moaExtendedSAMLAttributeList;
+// }
/**