diff options
author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-10-17 15:04:49 +0200 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-10-17 15:04:49 +0200 |
commit | 92834aed9d97772a0d37330b9c60aee18374c759 (patch) | |
tree | 30adff7052c6eca919aed447a9640522b2c94c3d /id/server | |
parent | 698a0066e84dee07f0f8de8aa408d9744f755660 (diff) | |
parent | 7c5d84f1f4054d2c85207364d5d996c4ec6fe1f8 (diff) | |
download | moa-id-spss-92834aed9d97772a0d37330b9c60aee18374c759.tar.gz moa-id-spss-92834aed9d97772a0d37330b9c60aee18374c759.tar.bz2 moa-id-spss-92834aed9d97772a0d37330b9c60aee18374c759.zip |
Merge branch 'eIDAS_node_implementation' into development_preview
Diffstat (limited to 'id/server')
120 files changed, 2994 insertions, 2077 deletions
diff --git a/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html b/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html index 32f0a7d4d..1f365c104 100644 --- a/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html +++ b/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html @@ -12,7 +12,8 @@ <title>Anmeldung mittels Bürgerkarte oder Handy-Signatur</title> </head> -<body onload="onChangeChecks();checkIfBrowserSupportsJava();" onresize="onChangeChecks();"> +<!--body onload="onChangeChecks();checkIfBrowserSupportsJava();" onresize="onChangeChecks();"--> +<body onload="onChangeChecks();" onresize="onChangeChecks();"> <div id="page"> <div id="page1" class="case selected-case" role="main"> <h2 class="OA_header" role="heading">Anmeldung an: $OAName</h2> @@ -37,19 +38,32 @@ </div> <div id="bkuselectionarea"> <div id="bkukarte"> - <img id="bkuimage" class="bkuimage" src="$contextPath/img/karte.png" - alt="OnlineBKU" /> <input name="bkuButtonOnline" type="button" - onClick="bkuOnlineClicked();" tabindex="2" role="button" - value="Karte" /> + <img id="bkuimage" class="bkuimage" src="$contextPath/img/karte.png" alt="OnlineBKU" /> + + <!-- Remove support for Online BKU and swith the card button to local BKU--> + <!--input name="bkuButtonOnline" type="button" onClick="bkuOnlineClicked();" tabindex="2" role="button" value="Karte" /--> + + <form method="get" id="moaidform" action="$contextPath$submitEndpoint" class="verticalcenter" target="_parent"> + <input type="hidden" name="bkuURI" value="$bkuLocal" /> + <input type="hidden" name="useMandate" id="useMandate" /> + <input type="hidden" name="SSO" id="useSSO" /> + <input type="hidden" name="ccc" id="ccc" /> + <input type="hidden" name="pendingid" value="$pendingReqID" /> + <input type="submit" value=" Karte " tabindex="4" role="button" onclick="setMandateSelection();"> + </form> + + <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"></iframe> + + <!-- BKU detection with static template--> + <!--iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe--> + </div> <div id="bkuhandy"> - <img class="bkuimage" src="$contextPath/img/handysign.png" - alt="HandyBKU" /> <input name="bkuButtonHandy" type="button" - onClick="bkuHandyClicked();" tabindex="3" role="button" - value="HANDY" /> + <img class="bkuimage" src="$contextPath/img/handysign.png" alt="HandyBKU" /> + <input name="bkuButtonHandy" type="button" onClick="bkuHandyClicked();" tabindex="3" role="button" value="HANDY" /> </div> </div> - <div id="localBKU"> + <!--div id="localBKU"> <form method="get" id="moaidform" action="$contextPath$submitEndpoint" class="verticalcenter" target="_parent"> <input type="hidden" name="bkuURI" value="$bkuLocal" /> @@ -60,7 +74,8 @@ <input type="submit" value=" Lokale Bürgerkartenumgebung " tabindex="4" role="button" onclick="setMandateSelection();"> </form> - </div> + <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"><\/iframe> + </div--> <!-- Single Sign-On Session transfer functionality --> <!--div id="ssoSessionTransferBlock"> diff --git a/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties b/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties index 63b053228..512319d75 100644 --- a/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties +++ b/id/server/data/deploy/conf/moa-id-configuration/moa-id-configtool.properties @@ -21,7 +21,7 @@ general.pvp.schemavalidation=true hibernate.dialect=org.hibernate.dialect.MySQLDialect hibernate.connection.url=jdbc:mysql://localhost/moa-id-config?charSet=utf-8&autoReconnect=true hibernate.connection.charSet=utf-8 -hibernate.connection.driver_class=com.mysql.jdbc.Driver +hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver hibernate.connection.username= hibernate.connection.password= diff --git a/id/server/data/deploy/conf/moa-id/SLTemplates/template_onlineBKU.html b/id/server/data/deploy/conf/moa-id/SLTemplates/template_thirdBKU.html index 52abf83fb..52abf83fb 100644 --- a/id/server/data/deploy/conf/moa-id/SLTemplates/template_onlineBKU.html +++ b/id/server/data/deploy/conf/moa-id/SLTemplates/template_thirdBKU.html diff --git a/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html b/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html index 53c4f0d5d..1f365c104 100644 --- a/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html +++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html @@ -51,8 +51,12 @@ <input type="hidden" name="pendingid" value="$pendingReqID" /> <input type="submit" value=" Karte " tabindex="4" role="button" onclick="setMandateSelection();"> </form> - <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe> - + + <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"></iframe> + + <!-- BKU detection with static template--> + <!--iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe--> + </div> <div id="bkuhandy"> <img class="bkuimage" src="$contextPath/img/handysign.png" alt="HandyBKU" /> @@ -70,7 +74,7 @@ <input type="submit" value=" Lokale Bürgerkartenumgebung " tabindex="4" role="button" onclick="setMandateSelection();"> </form> - <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"><\/iframe> + <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"><\/iframe> </div--> <!-- Single Sign-On Session transfer functionality --> diff --git a/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html b/id/server/data/deploy/conf/moa-id/htmlTemplates/pvp_postbinding_template.html index 64e88a688..4ea9a4873 100644 --- a/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html +++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/pvp_postbinding_template.html @@ -31,11 +31,9 @@ <form action="${action}" method="post" target="_parent"> <div> - #if($RelayState)<input type="hidden" name="RelayState" - value="${RelayState}" />#end #if($SAMLRequest)<input type="hidden" - name="SAMLRequest" value="${SAMLRequest}" />#end #if($SAMLResponse)<input - type="hidden" name="SAMLResponse" value="${SAMLResponse}" />#end - + #if($RelayState) <input type="hidden" name="RelayState" value="${RelayState}"/> #end + #if($SAMLRequest) <input type="hidden" name="SAMLRequest" value="${SAMLRequest}" /> #end + #if($SAMLResponse) <inputtype="hidden" name="SAMLResponse" value="${SAMLResponse}" /> #end </div> <noscript> <div> diff --git a/id/server/data/deploy/conf/moa-id/log4j.properties b/id/server/data/deploy/conf/moa-id/log4j.properties index d83e8e550..f37100a5b 100644 --- a/id/server/data/deploy/conf/moa-id/log4j.properties +++ b/id/server/data/deploy/conf/moa-id/log4j.properties @@ -19,8 +19,7 @@ log4j.logger.at.gv.egovernment.moa.id.configuration=info,CONFIGTOOL # configure the stdout appender log4j.appender.stdout=org.apache.log4j.ConsoleAppender log4j.appender.stdout.layout=org.apache.log4j.PatternLayout -#log4j.appender.stdout.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{transactionId} | %20c | %10t | %m%n -log4j.appender.stdout.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{transactionId} |%20.20c | %10t | %m%n +log4j.appender.stdout.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{sessionId} | %X{transactionId} | %X{oaId} |%20.20c | %10t | %m%n # configure the rolling file appender (R) log4j.appender.R=org.apache.log4j.RollingFileAppender @@ -28,7 +27,7 @@ log4j.appender.R.File=${catalina.base}/logs/moa-id.log log4j.appender.R.MaxFileSize=10000KB log4j.appender.R.MaxBackupIndex=1 log4j.appender.R.layout=org.apache.log4j.PatternLayout -log4j.appender.R.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{transactionId} | %t | %m%n +log4j.appender.R.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{sessionId} | %X{transactionId} | %X{oaId} | %t | %m%n # configure the rolling file appender (R) log4j.appender.CONFIGTOOL=org.apache.log4j.RollingFileAppender @@ -36,4 +35,4 @@ log4j.appender.CONFIGTOOL.File=${catalina.base}/logs/moa-id-webgui.log log4j.appender.CONFIGTOOL.MaxFileSize=10000KB log4j.appender.CONFIGTOOL.MaxBackupIndex=1 log4j.appender.CONFIGTOOL.layout=org.apache.log4j.PatternLayout -log4j.appender.CONFIGTOOL.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{transactionId} | %t | %m%n
\ No newline at end of file +log4j.appender.CONFIGTOOL.layout.ConversionPattern=%5p | %d{dd HH:mm:ss,SSS} | %X{sessionId} | %X{transactionId} | %X{oaId} | %t | %m%n
\ No newline at end of file diff --git a/id/server/data/deploy/conf/moa-id/moa-id.properties b/id/server/data/deploy/conf/moa-id/moa-id.properties index 26ed52176..78572a96f 100644 --- a/id/server/data/deploy/conf/moa-id/moa-id.properties +++ b/id/server/data/deploy/conf/moa-id/moa-id.properties @@ -71,7 +71,7 @@ protocols.oauth20.jwt.ks.key.password=password moasession.hibernate.dialect=org.hibernate.dialect.MySQLDialect moasession.hibernate.connection.url=jdbc:mysql://localhost/moa-id-session?charSet=utf-8&serverTimezone=UTC moasession.hibernate.connection.charSet=utf-8 -moasession.hibernate.connection.driver_class=com.mysql.jdbc.Driver +moasession.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver moasession.hibernate.connection.username= moasession.hibernate.connection.password= @@ -103,7 +103,7 @@ configuration.hibernate.show_sql=false configuration.hibernate.connection.url=jdbc:mysql://localhost/moa-id-config?charSet=utf-8&autoReconnect=true&serverTimezone=UTC configuration.hibernate.connection.charSet=utf-8 -configuration.hibernate.connection.driver_class=com.mysql.jdbc.Driver +configuration.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver configuration.hibernate.connection.username= configuration.hibernate.connection.password= configuration.dbcp.connectionProperties= @@ -123,7 +123,7 @@ configuration.dbcp.validationQuery=SELECT 1 advancedlogging.hibernate.dialect=org.hibernate.dialect.MySQLDialect advancedlogging.hibernate.connection.url=jdbc:mysql://localhost/moa-id-statistic?charSet=utf-8&autoReconnect=true&serverTimezone=UTC advancedlogging.hibernate.connection.charSet=utf-8 -advancedlogging.hibernate.connection.driver_class=com.mysql.jdbc.Driver +advancedlogging.hibernate.connection.driver_class=com.mysql.cj.jdbc.Driver advancedlogging.hibernate.connection.username= advancedlogging.hibernate.connection.password= diff --git a/id/server/doc/handbook/config/config.html b/id/server/doc/handbook/config/config.html index 0361442ac..e6b86204a 100644 --- a/id/server/doc/handbook/config/config.html +++ b/id/server/doc/handbook/config/config.html @@ -1070,14 +1070,9 @@ https://<host>:<port>/moa-id-auth/MonitoringServlet</pre> <p>Hiermit werden die URLs zu den Default Bürgerkartenumgebungen (BKUs) definiert die von MOA-ID-Auth für einen Anmeldevorgang verwendet werden, wenn die Bürgerkartenauswahl nicht bereits auf Seiten der Online-Applikation erfolgt ist (siehe <a href="./../protocol/protocol.html#allgemeines_legacy">Legacy Request</a>) oder in der Online-Applikationskonfiguration keine BKU URLs konfiguriert wurden (siehe <a href="#konfigurationsparameter_oa_bku">Kapitel 3.2.2</a>).</p> <table class="configtable"> <tr> - <th>Name</th> - <th>Beispielwert</th> - <th>Beschreibung</th> - </tr> - <tr> - <td>Online BKU</td> - <td><p>https://demo.egiz.gv.at/demoportal_bkuonline/https-security-layer-request</p></td> - <td>URL zu einer Online-BKU Instanz</td> + <th width="16%">Name</th> + <th width="42%">Beispielwert</th> + <th width="42%">Beschreibung</th> </tr> <tr> <td>Handy BKU</td> @@ -1089,6 +1084,12 @@ https://<host>:<port>/moa-id-auth/MonitoringServlet</pre> <td>https://127.0.0.1:3496/https-security-layer-request</td> <td>URL auf die lokale BKU Instanz</td> </tr> + <tr> + <td>Optionale dritte BKU</td> + <td><p>https://demo.egiz.gv.at/demoportal_bkuonline/https-security-layer-request</p></td> + <td><p>URL zu einer optionalen dritten BKU Instanz.</p> + <p><strong>Hinweis:</strong> Hiermit kann z.B. die OnlineBKU eingebunden werden</p></td> + </tr> </table> <h4><a name="konfigurationsparameter_allgemein_sl-templates" id="konfigurationsparameter_allgemein_bku2"></a>3.1.3 Security-Layer Request Templates</h4> <p>Security-Layer (SL) Templates dienen der Kommunikation mit der gewählten Bürgerkartenumgebung. Die hier hinterlegen SL-Templates werden für die Kommunikation mit der jeweiligen BKU verwendet. Nähere Details zum Aufbau dieser SL-Templates finden Sie im <a href="#import_template_sltemplate">Kapitel 4.3</a>. </p> @@ -1101,11 +1102,6 @@ https://<host>:<port>/moa-id-auth/MonitoringServlet</pre> <th>Beschreibung</th> </tr> <tr> - <td>Online BKU</td> - <td><p>SLTemplates/template_onlineBKU.html</p></td> - <td><p>SL Template zur Kommunikation mit der Online-BKU.</p></td> - </tr> - <tr> <td>Handy BKU</td> <td>SLTemplates/template_handyBKU.html</td> <td>SL Template zur Kommunikation mit der Handy-BKU</td> @@ -1115,6 +1111,11 @@ https://<host>:<port>/moa-id-auth/MonitoringServlet</pre> <td>SLTemplates/template_localeBKU.html</td> <td>SL Template zur Kommunikation mit einer lokalen BKU Instanz</td> </tr> + <tr> + <td>Dritte BKU</td> + <td><p>SLTemplates/template_thirdBKU.html</p></td> + <td><p>SL Template zur Kommunikation mit der optionalen dritten BKU Instanz.</p></td> + </tr> </table> <h4><a name="konfigurationsparameter_allgemein_certvalidation" id="konfigurationsparameter_allgemein_bku3"></a>3.1.4 Zertifikatsprüfung</h4> <p>Dieser Bereich behandelt die allgemeine Einstellungen zur Zertifikatsprüfung und die Konfiguration von vertrauenswürdigen Zertifikaten.</p> @@ -1688,15 +1689,6 @@ Soll die Bürgerkartenauswahl weiterhin, wie in MOA-ID 1.5.1 im Kontext der <th>Beschreibung</th> </tr> <tr> - <td><span id="wwlbl_newOA_generalOA_bkuOnlineURL">Online BKU</span></td> - <td><p>https://demo.egiz.gv.at/<br> - demoportal_bkuonline/<br> - https-security-layer-request</p></td> - <td align="center">X</td> - <td align="center">X</td> - <td>URL zu einer applikationsspezifischen Online-BKU Instanz. Erfolgt keine applikationsspezifische Konfiguration wird die <a href="#konfigurationsparameter_allgemein_bku">Online-BKU der allgemeinen Konfiguration</a> für den Anmeldevorgang verwendet.</td> - </tr> - <tr> <td><p><span id="wwlbl_newOA_generalOA_bkuHandyURL">Handy BKU</span></p></td> <td>https://www.handy-signatur.at/mobile/https-security-layer-request/default.aspx</td> <td align="center">X</td> @@ -1711,6 +1703,15 @@ Soll die Bürgerkartenauswahl weiterhin, wie in MOA-ID 1.5.1 im Kontext der <td>URL auf die lokale BKU Instanz. Erfolgt keine applikationsspezifischen Konfiguration wird die <a href="#konfigurationsparameter_allgemein_bku">locale BKU der allgemeinen Konfiguration</a> für den Anmeldevorgang verwendet.</td> </tr> <tr> + <td><span id="wwlbl_newOA_generalOA_bkuOnlineURL">Dritte BKU</span></td> + <td><p>https://demo.egiz.gv.at/<br> + demoportal_bkuonline/<br> + https-security-layer-request</p></td> + <td align="center">X</td> + <td align="center">X</td> + <td>URL zu einer applikationsspezifischen dritten BKU Instanz. Erfolgt keine applikationsspezifische Konfiguration wird die <a href="#konfigurationsparameter_allgemein_bku">dritte BKU der allgemeinen Konfiguration</a> für den Anmeldevorgang verwendet.</td> + </tr> + <tr> <td><span id="wwlbl_newOA_generalOA_keyBoxIdentifier">KeyBoxIdentifier</span></td> <td><span id="wwctrl_newOA_generalOA_keyBoxIdentifier">SecureSignatureKeypair</span></td> <td align="center">X</td> @@ -1724,20 +1725,6 @@ Soll die Bürgerkartenauswahl weiterhin, wie in MOA-ID 1.5.1 im Kontext der <td align="center">X</td> <td>Über diese Funktion können drei zusätzliche SecurtityLayer-Request Templates für diese Online-Applikation definiert werden. Diese hier definierten Templates dienen als zusätzliche WhiteList für Templates welche im „StartAuthentication“ Request mit dem Parameter „template“ übergeben werden. Sollte im „StartAuthentication“ Request der Parameter „template“ fehlen, es wurde jedoch eine „bkuURL“ übergeben, dann wird für den Authentifizierungsvorgang das erste Template in dieser Liste verwendet. Detailinformationen zum <a href="./../protocol/protocol.html#allgemeines_legacy">Legacy Request</a> finden Sie im Kapitel Protokolle.</td> </tr> - <tr> - <td>BKU-Selection Template</td> - <td> </td> - <td align="center">X</td> - <td align="center">X</td> - <td>Dieses Feld erlaubt die Konfiguration eines online-applikationsspezifischen Templates für die Bürgerkartenauswahl. Dieses Template muss in die Konfiguration hochgeladen werden und muss die Mindestanforderungen aus <a href="#import_template_bku">Kapitel 4.1</a> umsetzen. Da diese Templates direkt in den Authentifizierungsprozess eingreifen und diese somit eine potentielle Angriffsstelle für Cross-Site Scripting (XSS) bieten wird die Verwendung von online-applikationsspezifischen Templates nicht empfohlen. </td> - </tr> - <tr> - <td>Send-Assertion Template</td> - <td> </td> - <td align="center">X</td> - <td align="center">X</td> - <td>Dieses Feld erlaubt die Konfiguration eines online-applikationsspezifischen Templates für die zusätzliche Anmeldeabfrage im Falle einer Single Sign-On Anmeldung. Dieses Template muss in die Konfiguration hochgeladen werden und muss die Mindestanforderungen aus <a href="#import_template_sso">Kapitel 4.2</a> umsetzen. Da diese Templates direkt in den Authentifizierungsprozess eingreifen und diese somit eine potentielle Angriffsstelle für Cross-Site Scripting (XSS) bieten wird die Verwendung von online-applikationsspezifischen Templates nicht empfohlen.</td> - </tr> </table> <h4><a name="konfigurationsparameter_oa_testcredentials" id="uebersicht_zentraledatei_aktualisierung10"></a> 3.2.3 Test Identitäten</h4> <p>In diesem Abschnitt können für diese Online-Applikation Testidentitäten erlaubt werden. Diese Testidentitäten können auch bei produktiven Instanzen freigeschalten werden, da die Unterschiedung zwischen Produkt- und Testidentität anhand einer speziellen OID im Signaturzertifikat der Testidentität getroffen wird. Folgende Konfigurationsparameter stehen hierfür zur Verfügung.</p> @@ -2007,6 +1994,13 @@ Soll die Bürgerkartenauswahl weiterhin, wie in MOA-ID 1.5.1 im Kontext der <td align="center"> </td> <td>Zertifikat mit dem die Metadaten der Online-Applikation signiert sind. Dieses wird benötigt um die Metadaten zu verifizieren.</td> </tr> + <tr> + <td>SAML2 Post-Binding Template</td> + <td> </td> + <td align="center">X</td> + <td align="center">X</td> + <td>Pfad zum online-applikationsspezifischen Template für SAML2 (PVP2 S-Profil) http POST-Binding. Relative Pfadangaben werden dabei relativ zum Verzeichnis, in dem sich die MOA-ID-Auth Basiskonfigurationsdatei befindet, interpretiert. Das Template kann ausschließlich aus dem Dateisystem geladen werden.</td> + </tr> </table> <h5><a name="konfigurationsparameter_oa_protocol_openIDConnect" id="uebersicht_zentraledatei_aktualisierung27"></a>3.2.8.3 OpenID Connect</h5> <p>In diesem Bereich erfolgt die applikationsspezifische Konfiguration für OpenID Connect (OAuth 2.0). </p> @@ -2074,7 +2068,30 @@ wenn die individuelle Security-Layer Transformation den Formvorschriften der Sp <td align="center">X</td> <td>Wird diese Option gewählt wird im AuthBlock, welcher im Anmeldevorgang signiert wird, keine bPK oder wbPK dargestellt.</td> </tr> + <tr> + <td>BKU-Selection Template</td> + <td> </td> + <td align="center">X</td> + <td align="center">X</td> + <td>Dieses Feld erlaubt die Konfiguration eines online-applikationsspezifischen Templates für die Bürgerkartenauswahl. Dieses Template muss in die Konfiguration hochgeladen werden und muss die Mindestanforderungen aus <a href="#import_template_bku">Kapitel 4.1</a> umsetzen. Da diese Templates direkt in den Authentifizierungsprozess eingreifen und diese somit eine potentielle Angriffsstelle für Cross-Site Scripting (XSS) bieten wird die Verwendung von online-applikationsspezifischen Templates nicht empfohlen. </td> + </tr> + <tr> + <td>Send-Assertion Template</td> + <td> </td> + <td align="center">X</td> + <td align="center">X</td> + <td>Dieses Feld erlaubt die Konfiguration eines online-applikationsspezifischen Templates für die zusätzliche Anmeldeabfrage im Falle einer Single Sign-On Anmeldung. Dieses Template muss in die Konfiguration hochgeladen werden und muss die Mindestanforderungen aus <a href="#import_template_sso">Kapitel 4.2</a> umsetzen. Da diese Templates direkt in den Authentifizierungsprozess eingreifen und diese somit eine potentielle Angriffsstelle für Cross-Site Scripting (XSS) bieten wird die Verwendung von online-applikationsspezifischen Templates nicht empfohlen.</td> + </tr> + <tr> + <td>Vollmachtenservice Auswahlseite Template</td> + <td> </td> + <td align="center">X</td> + <td align="center">X</td> + <td>Pfad zum online-applikationsspezifischen Template zur Auswahl des gewünschten Vollmachtenservices. Relative Pfadangaben werden dabei relativ zum Verzeichnis, in dem sich die MOA-ID-Auth Basiskonfigurationsdatei befindet, interpretiert. Das Template kann ausschließlich aus dem Dateisystem geladen werden.</td> + </tr> </table> +<h5> </h5> +<h5> </h5> <h5><a name="konfigurationsparameter_oa_additional_formular" id="uebersicht_zentraledatei_aktualisierung29"></a>3.2.9.1 Login-Fenster Konfiguration</h5> <p>Diese Konfigurationsparameter bieten zusätzliche Einstellungen für eine Anpassung der Bürgerkartenauswahl welche von MOA-ID-Auth generiert wird. Zur besseren Handhabung werden die angegebenen Parameter direkt in einer Vorschau dargestellt. diff --git a/id/server/doc/handbook/index.html b/id/server/doc/handbook/index.html index 0eab8f187..e72105816 100644 --- a/id/server/doc/handbook/index.html +++ b/id/server/doc/handbook/index.html @@ -29,7 +29,7 @@ </div> <div class="container"> - <h2>Übersicht zur Dokumentation der Version 3.1.x </h2> + <h2>Übersicht zur Dokumentation der Version 3.3.x </h2> <dl> <dt><a href="./intro/intro.html">Einführung</a></dt> diff --git a/id/server/doc/handbook/install/install.html b/id/server/doc/handbook/install/install.html index aa4114539..db96cda3c 100644 --- a/id/server/doc/handbook/install/install.html +++ b/id/server/doc/handbook/install/install.html @@ -235,8 +235,8 @@ https://<host>:<port>/egiz-configuration-webapp/</pre> <h5><a name="webservice_basisinstallation_logging_format" id="webservice_basisinstallation_logging_format"></a>2.1.3.1 Format der Log-Meldungen</h5> <p> Anhand einer konkreten Log-Meldung wird das Format der MOA SP/SS Log-Meldungen erläutert: </p> <pre> -INFO | 01 21:25:26,540 | Thread-3 | TID=1049225059594-100 NID=node1 - MSG=Starte neue Transaktion: TID=1049225059594-100, Service=SignatureVerification + INFO | 2017-09-18 10:29:22,904 | SID-7947921060553739539 | TID-4708232418268334030 | https://sso.demosp.at/handysignatur + | ajp-nio-28109-exec-7 | No SSO Session cookie found </pre> <p> Der Wert <code>INFO</code> besagt, dass die Log-Meldung im Log-Level <code>INFO</code> entstanden ist. Folgende Log-Levels existieren:</p> <ul> @@ -257,7 +257,10 @@ INFO | 01 21:25:26,540 | Thread-3 | TID=1049225059594-100 NID=node1 </li> </ul> <p>Der nächste Wert <code>01 21:25:26,540</code> gibt den Zeitpunkt an, zu dem die Log-Meldung generiert wurde (in diesem Fall den 1. Tag im aktuellen Monat, sowie die genaue Uhrzeit). </p> - <p> Der Wert <code>Thread-3</code> bezeichnet den Thread, von dem die Anfrage bearbeitet wird.</p> + <p>Der Wert <code>SID-7947921060553739539</code> bezeichnet die SessionID, welche diesem Request zugeordnet wurde. Eine SessionID ist innerhalb einer SSO auch über mehrere Authentifizierungsrequests eindeutig. Das Loggen der SessionID kann mittels <code>%X{sessionId}</code> in der log4j Konfiguration gesetzt werden</p> + <p>Der Wert <code>TID-4708232418268334030</code> bezeichnet die TransactionsID, welche diesem Request zugeordnet wurde. Eine TransactionsID ist innerhalb eines Authentifizierungsrequests eindeutig. Das Loggen der TransactionsID kann mittels <code>%X{transactionId}</code> in der log4j Konfiguration gesetzt werden</p> + <p>Der Wert <code>https://sso.demosp.at/handysignatur</code> bezeichnet die Online Applikation (eindeutiger Identifier dieses Service Providers) für welchen dieser Authentifizierungsrequest durchgeführt wird. Das Loggen des OA Identifiers kann mittels <code>%X{oaId}</code> in der log4j Konfiguration gesetzt werden</p> + <p>Der Wert <code>ajp-nio-28109-exec-7</code> bezeichnet den Thread, von dem die Anfrage bearbeitet wird.</p> <p> Der Rest der Zeile einer Log-Meldung ist der eigentliche Text, mit dem das System bestimmte Informationen anzeigt. Im Fehlerfall ist häufig ein Java Stack-Trace angefügt, der eine genauere Ursachen-Forschung ermöglicht.</p> <h5> <a name="webservice_basisinstallation_logging_messages" id="webservice_basisinstallation_logging_messages"></a>2.1.3.2 Wichtige Log-Meldungen</h5> <p> Neben den im Abschnitt <a href="#webservice_basisinstallation_installation_tomcatstartstop_verify">2.1.2.4.3</a> beschriebenen Log-Meldungen, die anzeigen, ob das Service ordnungsgemäß gestartet wurde, geben nachfolgenden Log-Meldungen Aufschluss über die Abarbeitung von Anfragen. </p> diff --git a/id/server/doc/htmlTemplates/BKU-selection.html b/id/server/doc/htmlTemplates/BKU-selection.html index 53c4f0d5d..1f365c104 100644 --- a/id/server/doc/htmlTemplates/BKU-selection.html +++ b/id/server/doc/htmlTemplates/BKU-selection.html @@ -51,8 +51,12 @@ <input type="hidden" name="pendingid" value="$pendingReqID" /> <input type="submit" value=" Karte " tabindex="4" role="button" onclick="setMandateSelection();"> </form> - <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe> - + + <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"></iframe> + + <!-- BKU detection with static template--> + <!--iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe--> + </div> <div id="bkuhandy"> <img class="bkuimage" src="$contextPath/img/handysign.png" alt="HandyBKU" /> @@ -70,7 +74,7 @@ <input type="submit" value=" Lokale Bürgerkartenumgebung " tabindex="4" role="button" onclick="setMandateSelection();"> </form> - <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"><\/iframe> + <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"><\/iframe> </div--> <!-- Single Sign-On Session transfer functionality --> diff --git a/id/server/doc/htmlTemplates/BKU-selection_with_OnlineBKU.html b/id/server/doc/htmlTemplates/BKU-selection_with_OnlineBKU.html index 32f0a7d4d..aaf931b7d 100644 --- a/id/server/doc/htmlTemplates/BKU-selection_with_OnlineBKU.html +++ b/id/server/doc/htmlTemplates/BKU-selection_with_OnlineBKU.html @@ -60,6 +60,10 @@ <input type="submit" value=" Lokale Bürgerkartenumgebung " tabindex="4" role="button" onclick="setMandateSelection();"> </form> + <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"><\/iframe> + + <!-- BKU detection with static template--> + <!--iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe--> </div> <!-- Single Sign-On Session transfer functionality --> diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java index 55b1a7c9a..72aef5fed 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java @@ -116,16 +116,18 @@ public class StatisticLogger implements IStatisticLogger{ //set actual date and time dblog.setTimestamp(new Date()); - - //set OA databaseID - //dblog.setOaID(dbOA.getHjid()); - + //log basic AuthInformation dblog.setOaurlprefix(getMessageWithMaxLength(dbOA.getPublicURLPrefix(), MAXOAIDENTIFIER_LENGTH)); dblog.setOafriendlyName(dbOA.getFriendlyName()); - boolean isbusinessservice = isBusinessService(dbOA); - dblog.setBusinessservice(isbusinessservice); + try { + dblog.setBusinessservice(dbOA.hasBaseIdTransferRestriction()); + + } catch (Exception e) { + Logger.warn("Can not extract some information for StatisticLogger.", e); + } + dblog.setOatarget(authData.getBPKType()); @@ -266,9 +268,14 @@ public class StatisticLogger implements IStatisticLogger{ if (dbOA != null) { dblog.setOaurlprefix(getMessageWithMaxLength(dbOA.getPublicURLPrefix(), MAXOAIDENTIFIER_LENGTH)); dblog.setOafriendlyName(dbOA.getFriendlyName()); - dblog.setOatarget(dbOA.getTarget()); - //dblog.setOaID(dbOA.getHjid()); - dblog.setBusinessservice(isBusinessService(dbOA)); + + try { + dblog.setOatarget(dbOA.getAreaSpecificTargetIdentifier()); + dblog.setBusinessservice(dbOA.hasBaseIdTransferRestriction()); + } catch (Exception e) { + Logger.warn("Can not extract some information for StatisticLogger.", e); + + } IAuthenticationSession moasession = null; if (MiscUtil.isNotEmpty(errorRequest.getInternalSSOSessionIdentifier())) { @@ -314,15 +321,7 @@ public class StatisticLogger implements IStatisticLogger{ } } - - private boolean isBusinessService(IOAAuthParameters dbOA) { - if (dbOA.getOaType().equals("businessService")) - return true; - else - return false; - } - private String getMessageWithMaxLength(String msg, int maxlength) { return getErrorMessageWithMaxLength(msg, maxlength); @@ -391,15 +390,15 @@ public class StatisticLogger implements IStatisticLogger{ if (bkuURL.equals(dbOA.getBKUURL(OAAuthParameter.LOCALBKU))) return IOAAuthParameters.LOCALBKU; - if (bkuURL.equals(dbOA.getBKUURL(OAAuthParameter.ONLINEBKU))) - return IOAAuthParameters.ONLINEBKU; + if (bkuURL.equals(dbOA.getBKUURL(OAAuthParameter.THIRDBKU))) + return IOAAuthParameters.THIRDBKU; } Logger.trace("Staticic Log search BKUType from DefaultBKUs"); try { - if (bkuURL.equals(authConfig.getDefaultBKUURL(IOAAuthParameters.ONLINEBKU))) - return IOAAuthParameters.ONLINEBKU; + if (bkuURL.equals(authConfig.getDefaultBKUURL(IOAAuthParameters.THIRDBKU))) + return IOAAuthParameters.THIRDBKU; if (bkuURL.equals(authConfig.getDefaultBKUURL(IOAAuthParameters.LOCALBKU))) return IOAAuthParameters.LOCALBKU; @@ -422,12 +421,7 @@ public class StatisticLogger implements IStatisticLogger{ Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.HANDYBKU); return IOAAuthParameters.HANDYBKU; } - - if (bkuURL.contains(GENERIC_ONLINE_BKU)) { - Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.ONLINEBKU); - return IOAAuthParameters.ONLINEBKU; - } - + Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.AUTHTYPE_OTHERS); return IOAAuthParameters.AUTHTYPE_OTHERS; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/TransactionIDUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/TransactionIDUtils.java index 6d53fd510..0b066f3b9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/TransactionIDUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/TransactionIDUtils.java @@ -23,10 +23,8 @@ package at.gv.egovernment.moa.id.advancedlogging; -import java.util.Date; - import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; -import at.gv.egovernment.moa.util.MiscUtil; +import at.gv.egovernment.moa.id.commons.api.IRequest; /** * @author tlenz @@ -34,6 +32,43 @@ import at.gv.egovernment.moa.util.MiscUtil; */ public class TransactionIDUtils { + /** + * Set all MDC variables from pending request to this threat context<br> + * These includes SessionID, TransactionID, and unique service-provider identifier + * + * @param pendingRequest + */ + public static void setAllLoggingVariables(IRequest pendingRequest) { + setTransactionId(pendingRequest.getUniqueTransactionIdentifier()); + setSessionId(pendingRequest.getUniqueSessionIdentifier()); + setServiceProviderId(pendingRequest.getOnlineApplicationConfiguration().getPublicURLPrefix()); + + } + + /** + * Remove all MDC variables from this threat context + * + */ + public static void removeAllLoggingVariables() { + removeSessionId(); + removeTransactionId(); + removeServiceProviderId(); + + } + + + public static void setServiceProviderId(String oaUniqueId) { + org.apache.log4j.MDC.put(MOAIDAuthConstants.MDC_SERVICEPROVIDER_ID, oaUniqueId); + org.slf4j.MDC.put(MOAIDAuthConstants.MDC_SERVICEPROVIDER_ID, oaUniqueId); + + } + + public static void removeServiceProviderId() { + org.apache.log4j.MDC.remove(MOAIDAuthConstants.MDC_SERVICEPROVIDER_ID); + org.slf4j.MDC.remove(MOAIDAuthConstants.MDC_SERVICEPROVIDER_ID); + + } + public static void setTransactionId(String pendingRequestID) { org.apache.log4j.MDC.put(MOAIDAuthConstants.MDC_TRANSACTION_ID, "TID-" + pendingRequestID); @@ -50,9 +85,9 @@ public class TransactionIDUtils { public static void setSessionId(String uniqueSessionId) { org.apache.log4j.MDC.put(MOAIDAuthConstants.MDC_SESSION_ID, - "TID-" + uniqueSessionId); + "SID-" + uniqueSessionId); org.slf4j.MDC.put(MOAIDAuthConstants.MDC_SESSION_ID, - "TID-" + uniqueSessionId); + "SID-" + uniqueSessionId); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java index bbb322a4f..34d0d4be1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java @@ -74,20 +74,26 @@ public class AuthenticationSessionCleaner implements Runnable { ExceptionContainer exContainer = (ExceptionContainer) entry; if (exContainer.getExceptionThrown() != null) { - //add session and transaction ID to log if exists + //add session, transaction, and service-provider IDs into logging context if exists if (MiscUtil.isNotEmpty(exContainer.getUniqueTransactionID())) TransactionIDUtils.setTransactionId(exContainer.getUniqueTransactionID()); if (MiscUtil.isNotEmpty(exContainer.getUniqueSessionID())) TransactionIDUtils.setSessionId(exContainer.getUniqueSessionID()); + if (MiscUtil.isNotEmpty(exContainer.getUniqueServiceProviderId())) + TransactionIDUtils.setServiceProviderId(exContainer.getUniqueServiceProviderId()); + //log exception to technical log logExceptionToTechnicalLog(exContainer.getExceptionThrown()); //remove session and transaction ID from thread - TransactionIDUtils.removeSessionId(); - TransactionIDUtils.removeTransactionId(); - } + TransactionIDUtils.removeAllLoggingVariables(); + + } else { + Logger.warn("Receive an ExceptionContainer that includes no 'Exception' object. Somethinge is suspect!!!!!"); + + } } } catch (Exception e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index cad3354f5..5a5d0bcf6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -267,9 +267,9 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { //#################################################### //set general authData info's authData.setIssuer(protocolRequest.getAuthURL()); - authData.setSsoSession(protocolRequest.needSingleSignOnFunctionality()); - authData.setIsBusinessService(oaParam.getBusinessService()); - + authData.setSsoSession(protocolRequest.needSingleSignOnFunctionality()); + authData.setBaseIDTransferRestrication(oaParam.hasBaseIdTransferRestriction()); + //#################################################### //parse user info's from identityLink @@ -816,21 +816,11 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { * @param oaParam Service-Provider configuration, never null * @param bPKType bPK-Type to check * @return true, if bPK-Type matchs to Service-Provider configuration, otherwise false + * @throws ConfigurationException */ - private boolean matchsReceivedbPKToOnlineApplication(IOAAuthParameters oaParam, String bPKType) { - String oaTarget = null; - if (oaParam.getBusinessService()) { - oaTarget = oaParam.getIdentityLinkDomainIdentifier(); - - } else { - oaTarget = Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget(); - - } - - if (oaTarget.equals(bPKType)) - return true; - else - return false; + private boolean matchsReceivedbPKToOnlineApplication(IOAAuthParameters oaParam, String bPKType) throws ConfigurationException { + return oaParam.getAreaSpecificTargetIdentifier().equals(bPKType); + } private void parseBasicUserInfosFromIDL(AuthenticationData authData, IIdentityLink identityLink, Collection<String> includedGenericSessionData) { @@ -918,9 +908,10 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { * * @return Pair<bPK, bPKType> which was received by PVP-Attribute and could be decrypted for this Service Provider, * or <code>null</code> if no attribute exists or can not decrypted + * @throws ConfigurationException */ private Pair<String, String> getEncryptedbPKFromPVPAttribute(IAuthenticationSession session, - AuthenticationData authData, IOAAuthParameters spConfig) { + AuthenticationData authData, IOAAuthParameters spConfig) throws ConfigurationException { //set List of encrypted bPKs to authData DAO String pvpEncbPKListAttr = session.getGenericDataFromSession(PVPConstants.ENC_BPK_LIST_NAME, String.class); if (MiscUtil.isNotEmpty(pvpEncbPKListAttr)) { @@ -935,35 +926,44 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { String second = fullEncbPK.substring(0, index); int secIndex = second.indexOf("+"); if (secIndex >= 0) { - if (spConfig.getTarget().equals(second.substring(secIndex+1))) { - Logger.debug("Found encrypted bPK for online-application " - + spConfig.getPublicURLPrefix() - + " Start decryption process ..."); - PrivateKey privKey = spConfig.getBPKDecBpkDecryptionKey(); - if (privKey != null) { - try { - String bPK = BPKBuilder.decryptBPK(encbPK, spConfig.getTarget(), privKey); - if (MiscUtil.isNotEmpty(bPK)) { - Logger.info("bPK decryption process finished successfully."); - return Pair.newInstance(bPK, Constants.URN_PREFIX_CDID + "+" + spConfig.getTarget()); - - } else { - Logger.error("bPK decryption FAILED."); - + String oaTargetId = spConfig.getAreaSpecificTargetIdentifier(); + if (oaTargetId.startsWith(MOAIDAuthConstants.PREFIX_CDID)) { + String publicServiceShortTarget = oaTargetId.substring(MOAIDAuthConstants.PREFIX_CDID.length()); + if (publicServiceShortTarget.equals(second.substring(secIndex+1))) { + Logger.debug("Found encrypted bPK for online-application " + + spConfig.getPublicURLPrefix() + + " Start decryption process ..."); + PrivateKey privKey = spConfig.getBPKDecBpkDecryptionKey(); + if (privKey != null) { + try { + String bPK = BPKBuilder.decryptBPK(encbPK, publicServiceShortTarget, privKey); + if (MiscUtil.isNotEmpty(bPK)) { + Logger.info("bPK decryption process finished successfully."); + return Pair.newInstance(bPK, oaTargetId); + + } else { + Logger.error("bPK decryption FAILED."); + + } + } catch (BuildException e) { + Logger.error("bPK decryption FAILED.", e); + } - } catch (BuildException e) { - Logger.error("bPK decryption FAILED.", e); - } + } else { + Logger.info("bPK decryption FAILED, because no valid decryption key is found."); + + } } else { - Logger.info("bPK decryption FAILED, because no valid decryption key is found."); + Logger.info("Found encrypted bPK but " + + "encrypted bPK target does not match to online-application target"); - } + } } else { - Logger.info("Found encrypted bPK but " + - "encrypted bPK target does not match to online-application target"); + Logger.info("Encrypted bPKs are only allowed for public services with prefix: " + MOAIDAuthConstants.PREFIX_CDID + + " BUT oaTarget is " + oaTargetId); } } @@ -1066,7 +1066,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } private IIdentityLink buildOAspecificIdentityLink(IOAAuthParameters oaParam, IIdentityLink idl, String bPK, String bPKType) throws MOAIDException { - if (oaParam.getBusinessService()) { + if (oaParam.hasBaseIdTransferRestriction()) { Element idlassertion = idl.getSamlAssertion(); //set bpk/wpbk; Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); @@ -1097,69 +1097,45 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } - private Pair<String, String> buildOAspecificbPK(IRequest pendingReq, IOAAuthParameters oaParam, AuthenticationData authData) throws BuildException { + private Pair<String, String> buildOAspecificbPK(IRequest pendingReq, IOAAuthParameters oaParam, AuthenticationData authData) throws BuildException, ConfigurationException { - String bPK; - String bPKType; - String baseID = authData.getIdentificationValue(); - String baseIDType = authData.getIdentificationType(); - - if (Constants.URN_PREFIX_BASEID.equals(baseIDType)) { - //Calculate eIDAS identifier - if (oaParam.getBusinessService() && - oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_EIDAS)) { - String[] splittedTarget = oaParam.getIdentityLinkDomainIdentifier().split("\\+"); - String cititzenCountryCode = splittedTarget[1]; - String eIDASOutboundCountry = splittedTarget[2]; - - if (cititzenCountryCode.equalsIgnoreCase(eIDASOutboundCountry)) { - Logger.warn("Suspect configuration FOUND!!! CitizenCountry equals DestinationCountry"); - - } - - Pair<String, String> eIDASID = new BPKBuilder().buildeIDASIdentifer(baseIDType, baseID, - cititzenCountryCode, eIDASOutboundCountry); - Logger.debug("Authenticate user with bPK:" + eIDASID.getFirst() + " Type:" + eIDASID.getSecond()); - return eIDASID; - - } else if (oaParam.getBusinessService()) { - //is Austrian private-service application - String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier(); - bPK = new BPKBuilder().buildbPKorwbPK(baseID, registerAndOrdNr); - bPKType = registerAndOrdNr; - - } else { - // only compute bPK if online application is a public service and we have the Stammzahl - String target = null; - Class<?> saml1RequstTemplate = null; - try { - saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl"); - if (saml1RequstTemplate != null && - saml1RequstTemplate.isInstance(pendingReq)) { - target = (String) pendingReq.getClass().getMethod("getTarget").invoke(pendingReq); + String baseIDType = authData.getIdentificationType(); + Pair<String, String> sectorSpecId = null; + + if (Constants.URN_PREFIX_BASEID.equals(baseIDType)) { + //SAML1 legacy target parameter work-around + String oaTargetId = null; + Class<?> saml1RequstTemplate = null; + try { + saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl"); + if (saml1RequstTemplate != null && + saml1RequstTemplate.isInstance(pendingReq)) { + oaTargetId = (String) pendingReq.getClass().getMethod("getTarget").invoke(pendingReq); - } + } - } catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException | java.lang.SecurityException | InvocationTargetException | NoSuchMethodException ex) { } + } catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException | java.lang.SecurityException | InvocationTargetException | NoSuchMethodException ex) { } + + if (MiscUtil.isEmpty(oaTargetId)) { + oaTargetId = oaParam.getAreaSpecificTargetIdentifier(); + Logger.debug("Use OA target identifier '" + oaTargetId + "' from configuration"); - if (MiscUtil.isEmpty(target)) - target = oaParam.getTarget(); - - bPK = new BPKBuilder().buildBPK(baseID, target); - bPKType = Constants.URN_PREFIX_CDID + "+" + target; - - } - + } else + Logger.info("Use OA target identifier '" + oaTargetId + "' from SAML1 request for bPK calculation"); + + //calculate sector specific unique identifier + sectorSpecId = new BPKBuilder().generateAreaSpecificPersonIdentifier(baseID, oaTargetId); + + } else { - Logger.warn("!!!baseID-element does not include a baseID. This should not be happen any more!!!"); - bPK = baseID; - bPKType = baseIDType; - + Logger.fatal("!!!baseID-element does not include a baseID. This should not be happen any more!!!"); + sectorSpecId = Pair.newInstance(baseID, baseIDType); + } - Logger.trace("Authenticate user with bPK:" + bPK + " Type:" + bPKType); - return Pair.newInstance(bPK, bPKType); + Logger.trace("Authenticate user with bPK:" + sectorSpecId.getFirst() + " Type:" + sectorSpecId.getSecond()); + return sectorSpecId; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java index 32ac8ad68..a7f6e873f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java @@ -60,6 +60,7 @@ import javax.crypto.IllegalBlockSizeException; import javax.crypto.NoSuchPaddingException; import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; @@ -76,77 +77,192 @@ import at.gv.egovernment.moa.util.MiscUtil; */ public class BPKBuilder { - /** - * Builds the bPK from the given parameters. - * - * @param identificationValue Base64 encoded "Stammzahl" - * @param target "Bereich lt. Verordnung des BKA" - * @return bPK in a BASE64 encoding - * @throws BuildException if an error occurs on building the bPK - */ - public String buildBPK(String identificationValue, String target) - throws BuildException { - - if ((identificationValue == null || - identificationValue.length() == 0 || - target == null || - target.length() == 0)) { - throw new BuildException("builder.00", - new Object[]{"BPK", "Unvollständige Parameterangaben: identificationValue=" + - identificationValue + ",target=" + target}); - } - String basisbegriff; - if (target.startsWith(Constants.URN_PREFIX_CDID + "+")) - basisbegriff = identificationValue + "+" + target; - else - basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_CDID + "+" + target; + /** + * Calculates an area specific unique person-identifier from a baseID + * + * @param baseID baseId from user but never null + * @param targetIdentifier target identifier for area specific identifier calculation but never null + * @return Pair<unique person identifier for this target, targetArea> but never null + * @throws BuildException if some input data are not valid + */ + public Pair<String, String> generateAreaSpecificPersonIdentifier(String baseID, String targetIdentifier) throws BuildException{ + return generateAreaSpecificPersonIdentifier(baseID, Constants.URN_PREFIX_BASEID, targetIdentifier); + + } + + /** + * Calculates an area specific unique person-identifier from an unique identifier with a specific type + * + * @param baseID baseId from user but never null + * @param baseIdType Type of the baseID but never null + * @param targetIdentifier target identifier for area specific identifier calculation but never null + * @return Pair<unique person identifier for this target, targetArea> but never null + * @throws BuildException if some input data are not valid + */ + public Pair<String, String> generateAreaSpecificPersonIdentifier(String baseID, String baseIdType, String targetIdentifier) throws BuildException{ + if (MiscUtil.isEmpty(baseID)) + throw new BuildException("builder.00", new Object[]{"baseID is empty or null"}); - return calculatebPKwbPK(basisbegriff); - } + if (MiscUtil.isEmpty(baseIdType)) + throw new BuildException("builder.00", new Object[]{"the type of baseID is empty or null"}); + + if (MiscUtil.isEmpty(targetIdentifier)) + throw new BuildException("builder.00", new Object[]{"OA specific target identifier is empty or null"}); + if (baseIdType.equals(Constants.URN_PREFIX_BASEID)) { + Logger.trace("Find baseID. Starting unique identifier caluclation for this target"); + + if (targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_CDID) || + targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_WPBK) || + targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_STORK)) { + Logger.trace("Calculate bPK, wbPK, or STORK identifier for target: " + targetIdentifier); + return Pair.newInstance(calculatebPKwbPK(baseID + "+" + targetIdentifier), targetIdentifier); + + } else if (targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_EIDAS)) { + Logger.trace("Calculate eIDAS identifier for target: " + targetIdentifier); + String[] splittedTarget = targetIdentifier.split("\\+"); + String cititzenCountryCode = splittedTarget[1]; + String eIDASOutboundCountry = splittedTarget[2]; + + if (cititzenCountryCode.equalsIgnoreCase(eIDASOutboundCountry)) { + Logger.warn("Suspect configuration FOUND!!! CitizenCountry equals DestinationCountry"); + + } + return buildeIDASIdentifer(baseID, baseIdType, cititzenCountryCode, eIDASOutboundCountry); + + + } else + throw new BuildException("builder.00", + new Object[]{"Target identifier: " + targetIdentifier + " is NOT allowed or unknown"}); + + } else { + Logger.trace("BaseID is not of type " + Constants.URN_PREFIX_BASEID + ". Check type against requested target ..."); + if (baseIdType.equals(targetIdentifier)) { + Logger.debug("Unique identifier is already area specific. Is nothing todo"); + return Pair.newInstance(baseID, targetIdentifier); + + } else { + Logger.warn("Get unique identifier for target: " + baseIdType + " but target: " + targetIdentifier + " is required!"); + throw new BuildException("builder.00", + new Object[]{"Get unique identifier for target: " + baseIdType + " but target: " + targetIdentifier + " is required"}); + + } + } + } + + /** - * Builds the wbPK from the given parameters. + * Builds the storkeid from the given parameters. * - * @param identificationValue Base64 encoded "Stammzahl" - * @param registerAndOrdNr type of register + "+" + number in register. - * @return wbPK in a BASE64 encoding + * @param baseID baseID of the citizen + * @param baseIDType Type of the baseID + * @param sourceCountry CountryCode of that country, which build the eIDAs ID + * @param destinationCountry CountryCode of that country, which receives the eIDAs ID + * + * @return Pair<eIDAs, bPKType> in a BASE64 encoding * @throws BuildException if an error occurs on building the wbPK */ - public String buildWBPK(String identificationValue, String registerAndOrdNr) - throws BuildException { + private Pair<String, String> buildeIDASIdentifer(String baseID, String baseIDType, String sourceCountry, String destinationCountry) + throws BuildException { + String bPK = null; + String bPKType = null; + + // check if we have been called by public sector application + if (baseIDType.startsWith(Constants.URN_PREFIX_BASEID)) { + bPKType = Constants.URN_PREFIX_EIDAS + "+" + sourceCountry + "+" + destinationCountry; + Logger.debug("Building eIDAS identification from: [identValue]+" + bPKType); + bPK = calculatebPKwbPK(baseID + "+" + bPKType); + + } else { // if not, sector identification value is already calculated by BKU + Logger.debug("eIDAS eIdentifier already provided by BKU"); + bPK = baseID; + } - if ((identificationValue == null || - identificationValue.length() == 0 || - registerAndOrdNr == null || - registerAndOrdNr.length() == 0)) { + if ((MiscUtil.isEmpty(bPK) || + MiscUtil.isEmpty(sourceCountry) || + MiscUtil.isEmpty(destinationCountry))) { throw new BuildException("builder.00", - new Object[]{"wbPK", "Unvollständige Parameterangaben: identificationValue=" + - identificationValue + ",Register+Registernummer=" + registerAndOrdNr}); + new Object[]{"eIDAS-ID", "Unvollständige Parameterangaben: identificationValue=" + + bPK + ", Zielland=" + destinationCountry + ", Ursprungsland=" + sourceCountry}); } - - String basisbegriff; - if (registerAndOrdNr.startsWith(Constants.URN_PREFIX_WBPK + "+")) - basisbegriff = identificationValue + "+" + registerAndOrdNr; - else - basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr; - - return calculatebPKwbPK(basisbegriff); - } - - public String buildbPKorwbPK(String baseID, String bPKorwbPKTarget) throws BuildException { - if (MiscUtil.isEmpty(baseID) || - !(bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_CDID + "+") || - bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_WBPK + "+") || - bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_STORK + "+")) ) { - throw new BuildException("builder.00", - new Object[]{"bPK/wbPK", "bPK or wbPK target " + bPKorwbPKTarget - + " has an unkown prefix."}); - - } - - return calculatebPKwbPK(baseID + "+" + bPKorwbPKTarget); - + + Logger.debug("Building eIDAS identification from: " + sourceCountry+"/"+destinationCountry+"/" + "[identValue]"); + String eIdentifier = sourceCountry + "/" + destinationCountry + "/" + bPK; + + return Pair.newInstance(eIdentifier, bPKType); } + +// /** +// * Builds the bPK from the given parameters. +// * +// * @param identificationValue Base64 encoded "Stammzahl" +// * @param target "Bereich lt. Verordnung des BKA" +// * @return bPK in a BASE64 encoding +// * @throws BuildException if an error occurs on building the bPK +// */ +// private String buildBPK(String identificationValue, String target) +// throws BuildException { +// +// if ((identificationValue == null || +// identificationValue.length() == 0 || +// target == null || +// target.length() == 0)) { +// throw new BuildException("builder.00", +// new Object[]{"BPK", "Unvollständige Parameterangaben: identificationValue=" + +// identificationValue + ",target=" + target}); +// } +// String basisbegriff; +// if (target.startsWith(Constants.URN_PREFIX_CDID + "+")) +// basisbegriff = identificationValue + "+" + target; +// else +// basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_CDID + "+" + target; +// +// return calculatebPKwbPK(basisbegriff); +// } +// +// /** +// * Builds the wbPK from the given parameters. +// * +// * @param identificationValue Base64 encoded "Stammzahl" +// * @param registerAndOrdNr type of register + "+" + number in register. +// * @return wbPK in a BASE64 encoding +// * @throws BuildException if an error occurs on building the wbPK +// */ +// private String buildWBPK(String identificationValue, String registerAndOrdNr) +// throws BuildException { +// +// if ((identificationValue == null || +// identificationValue.length() == 0 || +// registerAndOrdNr == null || +// registerAndOrdNr.length() == 0)) { +// throw new BuildException("builder.00", +// new Object[]{"wbPK", "Unvollständige Parameterangaben: identificationValue=" + +// identificationValue + ",Register+Registernummer=" + registerAndOrdNr}); +// } +// +// String basisbegriff; +// if (registerAndOrdNr.startsWith(Constants.URN_PREFIX_WBPK + "+")) +// basisbegriff = identificationValue + "+" + registerAndOrdNr; +// else +// basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr; +// +// return calculatebPKwbPK(basisbegriff); +// } +// +// private String buildbPKorwbPK(String baseID, String bPKorwbPKTarget) throws BuildException { +// if (MiscUtil.isEmpty(baseID) || +// !(bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_CDID + "+") || +// bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_WBPK + "+") || +// bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_STORK + "+")) ) { +// throw new BuildException("builder.00", +// new Object[]{"bPK/wbPK", "bPK or wbPK target " + bPKorwbPKTarget +// + " has an unkown prefix."}); +// +// } +// +// return calculatebPKwbPK(baseID + "+" + bPKorwbPKTarget); +// +// } public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws BuildException { MiscUtil.assertNotNull(bpk, "BPK"); @@ -199,48 +315,7 @@ public class BPKBuilder { return null; } } - - /** - * Builds the storkeid from the given parameters. - * - * @param baseID baseID of the citizen - * @param baseIDType Type of the baseID - * @param sourceCountry CountryCode of that country, which build the eIDAs ID - * @param destinationCountry CountryCode of that country, which receives the eIDAs ID - * - * @return Pair<eIDAs, bPKType> in a BASE64 encoding - * @throws BuildException if an error occurs on building the wbPK - */ - public Pair<String, String> buildeIDASIdentifer(String baseID, String baseIDType, String sourceCountry, String destinationCountry) - throws BuildException { - String bPK = null; - String bPKType = null; - - // check if we have been called by public sector application - if (baseIDType.startsWith(Constants.URN_PREFIX_BASEID)) { - bPKType = Constants.URN_PREFIX_EIDAS + "+" + sourceCountry + "+" + destinationCountry; - Logger.debug("Building eIDAS identification from: [identValue]+" + bPKType); - bPK = calculatebPKwbPK(baseID + "+" + bPKType); - - } else { // if not, sector identification value is already calculated by BKU - Logger.debug("eIDAS eIdentifier already provided by BKU"); - bPK = baseID; - } - - if ((MiscUtil.isEmpty(bPK) || - MiscUtil.isEmpty(sourceCountry) || - MiscUtil.isEmpty(destinationCountry))) { - throw new BuildException("builder.00", - new Object[]{"eIDAS-ID", "Unvollständige Parameterangaben: identificationValue=" + - bPK + ", Zielland=" + destinationCountry + ", Ursprungsland=" + sourceCountry}); - } - - Logger.debug("Building eIDAS identification from: " + sourceCountry+"/"+destinationCountry+"/" + "[identValue]"); - String eIdentifier = sourceCountry + "/" + destinationCountry + "/" + bPK; - return Pair.newInstance(eIdentifier, bPKType); - } - private String calculatebPKwbPK(String basisbegriff) throws BuildException { try { MessageDigest md = MessageDigest.getInstance("SHA-1"); @@ -281,6 +356,4 @@ public class BPKBuilder { result = cipher.doFinal(encryptedBytes); return result; } - - } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java index 73fe961eb..4c4af4239 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java @@ -53,9 +53,11 @@ import java.util.List; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DateTimeUtils; +import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.StringUtils; /** @@ -156,8 +158,9 @@ public class CreateXMLSignatureRequestBuilder implements Constants { * @param oaParam parameter for the OA * @param session current session * @return String representation of <code><CreateXMLSignatureRequest></code> + * @throws ConfigurationException */ - public String buildForeignID(String subject, IRequest pendingReq) { + public String buildForeignID(String subject, IRequest pendingReq) throws ConfigurationException { String request = ""; request += "<sl:CreateXMLSignatureRequest xmlns:sl=\"http://www.buergerkarte.at/namespaces/securitylayer/1.2#\">"; @@ -181,11 +184,22 @@ public class CreateXMLSignatureRequestBuilder implements Constants { return request; } - public static String buildForeignIDTextToBeSigned(String subject, IRequest pendingReq) { + public static String buildForeignIDTextToBeSigned(String subject, IRequest pendingReq) throws ConfigurationException { IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); - String target = pendingReq.getGenericData( - MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); - String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target); + String target = null; + String sectorName = null; + + + String saml1Target = pendingReq.getGenericData( + MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); + if (MiscUtil.isNotEmpty(saml1Target)) { + target = saml1Target; + sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(saml1Target); + + } else { + target = oaParam.getAreaSpecificTargetIdentifier(); + sectorName = oaParam.getAreaSpecificTargetIdentifierFriendlyName(); + } Calendar cal = Calendar.getInstance(); String date = DateTimeUtils.buildDate(cal); @@ -243,11 +257,11 @@ public class CreateXMLSignatureRequestBuilder implements Constants { request += oaParam.getPublicURLPrefix(); request += "</td>"; request += "</tr>"; - boolean business = oaParam.getBusinessService(); - if (business) { + + if (!target.startsWith(MOAIDAuthConstants.PREFIX_CDID)) { // OA is businessservice - String identifierType = oaParam.getIdentityLinkDomainIdentifierType(); - String identifier = oaParam.getIdentityLinkDomainIdentifier(); + String identifierType = oaParam.getAreaSpecificTargetIdentifierFriendlyName(); + String identifier = oaParam.getAreaSpecificTargetIdentifier(); request += "<tr>"; request += "<td class=\"italicstyle\">"; request += identifierType + ":"; @@ -263,7 +277,7 @@ public class CreateXMLSignatureRequestBuilder implements Constants { request += "<td class=\"italicstyle\">"; request += "Sektor (Sector):</td>"; request += "<td class=\"normalstyle\">"; - request += target + " (" + sectorName + ")"; + request += target.substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")"; request += "</td>"; request += "</tr>"; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java index f4f6e82ba..fc5489673 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java @@ -31,14 +31,10 @@ import at.gv.egovernment.moa.id.auth.exception.DynamicOABuildException; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; -import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.config.auth.data.DynamicOAAuthParameters; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; -import at.gv.egovernment.moa.util.MiscUtil; /** * @author tlenz @@ -57,13 +53,14 @@ public class DynamicOAAuthParameterBuilder { if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) { String attrValue = attr.getAttributeValues().get(0).getDOM().getTextContent(); if (attrValue.startsWith(Constants.URN_PREFIX_CDID)) { - dynamicOA.setBusinessService(false); - dynamicOA.setTarget(attrValue.substring((Constants.URN_PREFIX_CDID + "+").length())); + //dynamicOA.setBusinessService(false); + dynamicOA.setAreaSpecificTargetIdentifier(attrValue); } else if( attrValue.startsWith(Constants.URN_PREFIX_WBPK) || - attrValue.startsWith(Constants.URN_PREFIX_STORK) ) { - dynamicOA.setBusinessService(true); - dynamicOA.setTarget(attrValue); + attrValue.startsWith(Constants.URN_PREFIX_STORK) || + attrValue.startsWith(Constants.URN_PREFIX_EIDAS)) { + //dynamicOA.setBusinessService(true); + dynamicOA.setAreaSpecificTargetIdentifier(attrValue); } else { Logger.error("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea"); @@ -84,13 +81,16 @@ public class DynamicOAAuthParameterBuilder { * @param oaParam * @param protocolRequest * @return + * @throws ConfigurationException */ public static IOAAuthParameters buildFromAuthnRequest( - IOAAuthParameters oaParam, IRequest protocolRequest) { + IOAAuthParameters oaParam, IRequest protocolRequest) throws ConfigurationException { DynamicOAAuthParameters dynOAParams = new DynamicOAAuthParameters(); dynOAParams.setApplicationID(oaParam.getPublicURLPrefix()); - dynOAParams.setBusinessService(oaParam.getBusinessService()); + + dynOAParams.setHasBaseIdProcessingRestriction(oaParam.hasBaseIdInternalProcessingRestriction()); + dynOAParams.setHasBaseIdTransfergRestriction(oaParam.hasBaseIdTransferRestriction()); Object storkRequst = null; try { @@ -98,9 +98,9 @@ public class DynamicOAAuthParameterBuilder { if (storkRequst != null && protocolRequest.getClass().isInstance(storkRequst)) { - dynOAParams.setBusinessTarget(Constants.URN_PREFIX_STORK + "+" + "AT" + "+" + dynOAParams.setAreaSpecificTargetIdentifier(Constants.URN_PREFIX_STORK + "+" + "AT" + "+" + protocolRequest.getClass().getMethod("getSpCountry", null).invoke(protocolRequest, null)); - dynOAParams.setBusinessService(true); + //dynOAParams.setBusinessService(true); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java index a82ba501c..d5ca89656 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/invoke/SignatureVerificationInvoker.java @@ -56,12 +56,16 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.ConnectionParameterInterface; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.spss.MOAException; import at.gv.egovernment.moa.spss.api.SignatureVerificationService; +import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest; +import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponse; import at.gv.egovernment.moa.spss.api.xmlbind.VerifyXMLSignatureRequestParser; import at.gv.egovernment.moa.spss.api.xmlbind.VerifyXMLSignatureResponseBuilder; import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureRequest; import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureResponse; import at.gv.egovernment.moa.util.MiscUtil; +import at.gv.egovernment.moaspss.logging.Logger; /** * Invoker of the <code>SignatureVerification</code> web service of MOA-SPSS.<br> @@ -108,6 +112,18 @@ public class SignatureVerificationInvoker { } + public VerifyCMSSignatureResponse verifyCMSSignature(VerifyCMSSignatureRequest cmsSigVerifyReq) throws ServiceException { + try { + return svs.verifyCMSSignature(cmsSigVerifyReq); + + } catch (MOAException e) { + Logger.warn("CMS signature verification has an error.", e); + throw new ServiceException("service.03", new Object[] { e.toString()}, e); + + } + + } + /** * Method verifyXMLSignature. * @param request to be sent diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java index c582050ad..710008714 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateBKUSelectionFrameTask.java @@ -32,7 +32,7 @@ import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration; import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder; -import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration; +import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithDBLoad; import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; @@ -68,10 +68,10 @@ public class GenerateBKUSelectionFrameTask extends AbstractAuthServletTask { throw new AuthenticationException("auth.00", new Object[] { pendingReq.getOAURL() }); } - - IGUIBuilderConfiguration config = new ServiceProviderSpecificGUIFormBuilderConfiguration( + + IGUIBuilderConfiguration config = new SPSpecificGUIBuilderConfigurationWithDBLoad( pendingReq, - ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_BKUSELECTION, + SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_BKUSELECTION, GeneralProcessEngineSignalController.ENDPOINT_BKUSELECTION_EVALUATION); guiBuilder.build(response, config, "BKU-Selection form"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java index ca99e9ba3..475009cf2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GenerateSSOConsentEvaluatorFrameTask.java @@ -31,7 +31,7 @@ import org.springframework.stereotype.Component; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration; import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder; -import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration; +import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithDBLoad; import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; @@ -67,10 +67,10 @@ public class GenerateSSOConsentEvaluatorFrameTask extends AbstractAuthServletTas //store pending request requestStoreage.storePendingRequest(pendingReq); - //build consents evaluator form - IGUIBuilderConfiguration config = new ServiceProviderSpecificGUIFormBuilderConfiguration( + //build consents evaluator form + IGUIBuilderConfiguration config = new SPSpecificGUIBuilderConfigurationWithDBLoad( pendingReq, - ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_SENDASSERTION, + SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_SENDASSERTION, GeneralProcessEngineSignalController.ENDPOINT_SENDASSERTION_EVALUATION); guiBuilder.build(response, config, "SendAssertion-Evaluation"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index 92d76751f..b2db8d5a2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -52,7 +52,7 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ @Autowired AuthConfiguration authConfig; public void parse(IAuthenticationSession moasession, - String target, + String reqTarget, String oaURL, String bkuURL, String templateURL, @@ -61,10 +61,11 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ HttpServletRequest req, IRequest protocolReq) throws WrongParametersException, MOAIDException { - String targetFriendlyName = null; - + String resultTargetFriendlyName = null; + String resultTarget = null; + // escape parameter strings - target = StringEscapeUtils.escapeHtml(target); + reqTarget = StringEscapeUtils.escapeHtml(reqTarget); bkuURL = StringEscapeUtils.escapeHtml(bkuURL); templateURL = StringEscapeUtils.escapeHtml(templateURL); useMandate = StringEscapeUtils.escapeHtml(useMandate); @@ -102,66 +103,70 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ // get target and target friendly name from config - String targetConfig = oaParam.getTarget(); - String targetFriendlyNameConfig = oaParam.getTargetFriendlyName(); + String targetConfig = oaParam.getAreaSpecificTargetIdentifier(); + String targetFriendlyNameConfig = oaParam.getAreaSpecificTargetIdentifierFriendlyName(); + + //SAML1 legacy work-around for public area targets in request + if (protocolReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol") && + !StringUtils.isEmpty(reqTarget)) { + //INFO: ONLY SAML1 legacy mode + // if SAML1 is used and target attribute is given in request + // use requested target + // check target parameter + if (!ParamValidatorUtils.isValidTarget(reqTarget)) { + Logger.error("Selected target is invalid. Used target: " + reqTarget); + throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12"); + } + resultTarget = MOAIDAuthConstants.PREFIX_CDID + reqTarget; - if (!oaParam.getBusinessService()) { - if (StringUtils.isEmpty(targetConfig) - || (protocolReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol") && - !StringUtils.isEmpty(target)) - ) { - //INFO: ONLY SAML1 legacy mode - // if SAML1 is used and target attribute is given in request - // use requested target - // check target parameter - if (!ParamValidatorUtils.isValidTarget(target)) { - Logger.error("Selected target is invalid. Using target: " + target); - throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12"); - } - if (MiscUtil.isNotEmpty(targetConfig)) - targetFriendlyName = targetFriendlyNameConfig; + String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(reqTarget); + if (MiscUtil.isNotEmpty(sectorName)) + resultTargetFriendlyName = sectorName; + + else { + //check target contains subSector + int delimiter = reqTarget.indexOf("-"); + if (delimiter > 0) { + resultTargetFriendlyName = + TargetToSectorNameMapper.getSectorNameViaTarget(reqTarget.substring(0, delimiter)); - else { - String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target); - if (MiscUtil.isNotEmpty(sectorName)) - targetFriendlyName = sectorName; - - else { - //check target contains subSector - int delimiter = target.indexOf("-"); - if (delimiter > 0) { - targetFriendlyName = - TargetToSectorNameMapper.getSectorNameViaTarget(target.substring(0, delimiter)); - - } - } - } - - } else { - // use target from config - target = targetConfig; - targetFriendlyName = targetFriendlyNameConfig; + } } - if (isEmpty(target)) - throw new WrongParametersException("StartAuthentication", - PARAM_TARGET, "auth.05"); - - protocolReq.setGenericDataToSession(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, target); + if (MiscUtil.isNotEmpty(targetConfig) && MiscUtil.isEmpty(resultTargetFriendlyName)) + resultTargetFriendlyName = targetFriendlyNameConfig; + + //set info's into request-context. (It's required to support SAML1 requested target parameters) + protocolReq.setGenericDataToSession(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, resultTarget); protocolReq.setGenericDataToSession( - MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, targetFriendlyName); - Logger.debug("Service-Provider is of type 'PublicService' with DomainIdentifier:" + target); - - } else { - Logger.debug("Service-Provider is of type 'PrivateService' with DomainIdentifier:" + oaParam.getIdentityLinkDomainIdentifier()); + MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, resultTargetFriendlyName); - if (useMandateBoolean) { - Logger.error("Online-Mandate Mode for business application not supported."); - throw new AuthenticationException("auth.17", null); - } + } else { + Logger.trace("Use oa sector-identifier from configuration"); + resultTarget = targetConfig; + resultTargetFriendlyName = targetFriendlyNameConfig; } - + + //check if target is found + if (MiscUtil.isEmpty(resultTarget)) + throw new WrongParametersException("StartAuthentication", + PARAM_TARGET, "auth.05"); + + //check if mandates are allowed + if (useMandateBoolean && oaParam.hasBaseIdInternalProcessingRestriction()) { + Logger.error("Online-Mandate Mode for business application not supported."); + throw new AuthenticationException("auth.17", null); + + } + + if (resultTarget.startsWith(MOAIDAuthConstants.PREFIX_CDID)) + Logger.debug("Service-Provider is of type 'PublicService' with DomainIdentifier:" + resultTarget); + else + Logger.debug("Service-Provider is of type 'PrivateService' with DomainIdentifier:" + resultTarget); + + + //Validate BKU URI List<String> allowedbkus = oaParam.getBKUURL(); allowedbkus.addAll(authConfig.getDefaultBKUURLs()); @@ -247,16 +252,4 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ parse(moasession, target, oaURL, bkuURL, templateURL, useMandate, ccc, req, pendingReq); } - - /** - * Checks a parameter. - * - * @param param - * parameter - * @return true if the parameter is null or empty - */ - private boolean isEmpty(String param) { - return param == null || param.length() == 0; - } - } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java index 1431911a3..353261085 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java @@ -33,6 +33,7 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.ExceptionHandler; import com.google.common.net.MediaType; + import at.gv.egovernment.moa.id.advancedlogging.IStatisticLogger; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger; @@ -139,13 +140,11 @@ public abstract class AbstractController extends MOAIDAuthConstants { if (pendingReq != null) { revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.TRANSACTION_ERROR); transactionStorage.put(key, - new ExceptionContainer(pendingReq.getUniqueSessionIdentifier(), - pendingReq.getUniqueTransactionIdentifier(), loggedException),-1); + new ExceptionContainer(pendingReq, loggedException),-1); } else { transactionStorage.put(key, - new ExceptionContainer(null, - null, loggedException),-1); + new ExceptionContainer(null, loggedException),-1); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java index 0ce7b0050..32f103ca7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractProcessEngineSignalController.java @@ -45,11 +45,7 @@ public abstract class AbstractProcessEngineSignalController extends AbstractCont //change pending-request ID
requestStorage.changePendingRequestID(pendingReq);
pendingRequestID = pendingReq.getRequestID();
-
- //add transactionID and unique sessionID to Logger
- TransactionIDUtils.setSessionId(pendingReq.getUniqueSessionIdentifier());
- TransactionIDUtils.setTransactionId(pendingReq.getUniqueTransactionIdentifier());
-
+
// process instance is mandatory
if (pendingReq.getProcessInstanceId() == null) {
throw new MOAIllegalStateException("process.03", new Object[]{"MOA session does not provide process instance id."});
@@ -64,8 +60,7 @@ public abstract class AbstractProcessEngineSignalController extends AbstractCont } finally {
//MOASessionDBUtils.closeSession();
- TransactionIDUtils.removeTransactionId();
- TransactionIDUtils.removeSessionId();
+ TransactionIDUtils.removeAllLoggingVariables();
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java index 9b658d81b..49145a850 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java @@ -33,9 +33,11 @@ import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; +import at.gv.egovernment.moa.id.auth.frontend.builder.AbstractServiceProviderSpecificGUIFormBuilderConfiguration; import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder; -import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration; +import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithDBLoad; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.MOAIDConstants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.moduls.IRequestStorage; @@ -52,6 +54,7 @@ public class GUILayoutBuilderServlet extends AbstractController { public static final String ENDPOINT_CSS = "/css/buildCSS"; public static final String ENDPOINT_JS = "/js/buildJS"; + public static final String ENDPOINT_BKUDETECTION = "/feature/bkuDetection"; @Autowired AuthConfiguration authConfig; @Autowired IRequestStorage requestStoreage; @@ -65,30 +68,65 @@ public class GUILayoutBuilderServlet extends AbstractController { } + @RequestMapping(value = ENDPOINT_BKUDETECTION, method = {RequestMethod.GET}) + public void buildBkuDetectionFrame(HttpServletRequest req, HttpServletResponse resp) throws IOException { + try { + IRequest pendingReq = extractPendingRequest(req); + + //initialize GUI builder configuration + AbstractServiceProviderSpecificGUIFormBuilderConfiguration config = null; + if (pendingReq != null) + config = new SPSpecificGUIBuilderConfigurationWithDBLoad( + pendingReq, + SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_BKUDETECTION_SP_SPECIFIC, + null); + + else { + config = new SPSpecificGUIBuilderConfigurationWithDBLoad( + HTTPUtils.extractAuthURLFromRequest(req), + SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_BKUDETECTION_GENERIC, + null); + config.setTemplateClasspahtDir( + SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_MAINGUI_DIRECTORY); + + } + + //build GUI component + formBuilder.build(resp, config, MOAIDConstants.DEFAULT_CONTENT_TYPE_HTML_UTF8, "BKUDetection-Frame"); + + + } catch (Exception e) { + Logger.warn("GUI ressource:'BKUDetection' generation FAILED.", e); + resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Created resource failed"); + + } + + } + @RequestMapping(value = "/css/buildCSS", method = {RequestMethod.GET}) public void buildCSS(HttpServletRequest req, HttpServletResponse resp) throws IOException { try { IRequest pendingReq = extractPendingRequest(req); //initialize GUI builder configuration - ServiceProviderSpecificGUIFormBuilderConfiguration config = null; + SPSpecificGUIBuilderConfigurationWithDBLoad config = null; if (pendingReq != null) - config = new ServiceProviderSpecificGUIFormBuilderConfiguration( + config = new SPSpecificGUIBuilderConfigurationWithDBLoad( pendingReq, - ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_TEMPLATE_CSS, + SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_CSS, null); else - config = new ServiceProviderSpecificGUIFormBuilderConfiguration( + config = new SPSpecificGUIBuilderConfigurationWithDBLoad( HTTPUtils.extractAuthURLFromRequest(req), - ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_TEMPLATE_CSS, + SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_CSS, null); //build GUI component formBuilder.build(resp, config, "text/css; charset=UTF-8", "CSS-Form"); } catch (Exception e) { - Logger.warn("GUI ressource:'CSS' generation FAILED."); + Logger.warn("GUI ressource:'CSS' generation FAILED.", e); resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Created resource failed"); } @@ -100,24 +138,24 @@ public class GUILayoutBuilderServlet extends AbstractController { IRequest pendingReq = extractPendingRequest(req); //initialize GUI builder configuration - ServiceProviderSpecificGUIFormBuilderConfiguration config = null; + SPSpecificGUIBuilderConfigurationWithDBLoad config = null; if (pendingReq != null) - config = new ServiceProviderSpecificGUIFormBuilderConfiguration( + config = new SPSpecificGUIBuilderConfigurationWithDBLoad( pendingReq, - ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_TEMPLATE_JS, + SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_JS, GeneralProcessEngineSignalController.ENDPOINT_BKUSELECTION_EVALUATION); else - config = new ServiceProviderSpecificGUIFormBuilderConfiguration( + config = new SPSpecificGUIBuilderConfigurationWithDBLoad( HTTPUtils.extractAuthURLFromRequest(req), - ServiceProviderSpecificGUIFormBuilderConfiguration.VIEW_TEMPLATE_JS, + SPSpecificGUIBuilderConfigurationWithDBLoad.VIEW_TEMPLATE_JS, GeneralProcessEngineSignalController.ENDPOINT_BKUSELECTION_EVALUATION); //build GUI component formBuilder.build(resp, config, "text/javascript; charset=UTF-8", "JavaScript"); } catch (Exception e) { - Logger.warn("GUI ressource:'JavaScript' generation FAILED."); + Logger.warn("GUI ressource:'JavaScript' generation FAILED.", e); resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Created resource failed"); } @@ -142,6 +180,7 @@ public class GUILayoutBuilderServlet extends AbstractController { } catch (Exception e) { Logger.warn("GUI-Layout builder-servlet has an error during request-preprocessing.", e); + } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java index bedc67513..466364adb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java @@ -57,8 +57,8 @@ public class UniqueSessionIdentifierInterceptor implements HandlerInterceptor { String uniqueSessionIdentifier = ssomanager.getUniqueSessionIdentifier(ssoId); if (MiscUtil.isEmpty(uniqueSessionIdentifier)) uniqueSessionIdentifier = Random.nextRandom(); - TransactionIDUtils.setSessionId(uniqueSessionIdentifier); + TransactionIDUtils.setSessionId(uniqueSessionIdentifier); request.setAttribute(MOAIDConstants.UNIQUESESSIONIDENTIFIER, uniqueSessionIdentifier); return true; @@ -79,8 +79,8 @@ public class UniqueSessionIdentifierInterceptor implements HandlerInterceptor { @Override public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception { - // TODO Auto-generated method stub - + TransactionIDUtils.removeAllLoggingVariables(); + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java index c31666bbb..fc5cc0495 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/TargetToSectorNameMapper.java @@ -52,6 +52,8 @@ package at.gv.egovernment.moa.id.config; import java.util.HashMap;
import java.util.Map;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+
/**
* @author bzwattendorfer
*
@@ -106,6 +108,8 @@ public class TargetToSectorNameMapper implements TargetsAndSectorNames { }
public static String getSectorNameViaTarget(String target) {
+ if (target.startsWith(MOAIDAuthConstants.PREFIX_CDID))
+ target = target.substring(MOAIDAuthConstants.PREFIX_CDID.length());
return targetMap.get(target) != null ? (String) targetMap.get(target) : "";
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index 6a6359058..3d04a142e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -60,7 +60,9 @@ import java.util.Set; import org.apache.commons.lang.SerializationUtils; import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.MOAIDConstants; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.IStorkConfig; import at.gv.egovernment.moa.id.commons.api.data.BPKDecryptionParameters; @@ -96,10 +98,31 @@ public class OAAuthParameter implements IOAAuthParameters, Serializable{ final public static String DEFAULT_KEYBOXIDENTIFIER = "SecureSignatureKeypair"; private Map<String, String> oaConfiguration; + private List<String> targetAreasWithNoInteralBaseIdRestriction = new ArrayList<String>(); + private List<String> targetAreasWithNoBaseIdTransmissionRestriction = new ArrayList<String>(); - - public OAAuthParameter(final Map<String, String> oa) { + public OAAuthParameter(final Map<String, String> oa, AuthConfiguration authConfig) { this.oaConfiguration = oa; + + //set oa specific restrictions + targetAreasWithNoInteralBaseIdRestriction = KeyValueUtils.getListOfCSVValues( + authConfig.getBasicMOAIDConfiguration( + CONFIG_KEY_RESTRICTIONS_BASEID_INTERNAL, + MOAIDAuthConstants.PREFIX_CDID)); + + targetAreasWithNoBaseIdTransmissionRestriction = KeyValueUtils.getListOfCSVValues( + authConfig.getBasicMOAIDConfiguration( + CONFIG_KEY_RESTRICTIONS_BASEID_TRANSMISSION, + MOAIDAuthConstants.PREFIX_CDID)); + + if (Logger.isTraceEnabled()) { + Logger.trace("Internal policy for OA: " + getPublicURLPrefix()); + for (String el : targetAreasWithNoInteralBaseIdRestriction) + Logger.trace(" Allow baseID processing for prefix " + el); + for (String el : targetAreasWithNoBaseIdTransmissionRestriction) + Logger.trace(" Allow baseID transfer for prefix " + el); + + } } @@ -111,12 +134,54 @@ public class OAAuthParameter implements IOAAuthParameters, Serializable{ return this.oaConfiguration.get(key); } + @Override + public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException { + String targetAreaIdentifier = getAreaSpecificTargetIdentifier(); + for (String el : targetAreasWithNoInteralBaseIdRestriction) { + if (targetAreaIdentifier.startsWith(el)) + return false; + + } + return true; + + } + + @Override + public boolean hasBaseIdTransferRestriction() throws ConfigurationException { + String targetAreaIdentifier = getAreaSpecificTargetIdentifier(); + for (String el : targetAreasWithNoBaseIdTransmissionRestriction) { + if (targetAreaIdentifier.startsWith(el)) + return false; + + } + return true; + + } + + @Override + public String getAreaSpecificTargetIdentifier() throws ConfigurationException { + if (getBusinessService()) + return getIdentityLinkDomainIdentifier(); + else + return MOAIDAuthConstants.PREFIX_CDID + getTarget(); + + } + + @Override + public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException{ + if (getBusinessService()) + return getIdentityLinkDomainIdentifierType(); + else + return getTargetFriendlyName(); + + } + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier() */ -@Override -public String getIdentityLinkDomainIdentifier() { +//@Override +private String getIdentityLinkDomainIdentifier() { String type = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE); String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_VALUE); if (MiscUtil.isNotEmpty(type) && MiscUtil.isNotEmpty(value)) { @@ -138,8 +203,8 @@ public String getIdentityLinkDomainIdentifier() { /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType() */ -@Override -public String getIdentityLinkDomainIdentifierType() { +//@Override +private String getIdentityLinkDomainIdentifierType() { String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE); if (MiscUtil.isNotEmpty(value)) return MOAIDConfigurationConstants.BUSINESSSERVICENAMES.get(value); @@ -151,8 +216,8 @@ public String getIdentityLinkDomainIdentifierType() { /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget() */ -@Override -public String getTarget() { +//@Override +private String getTarget() { if (Boolean.parseBoolean(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_USE_OWN))) return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_OWN_TARGET); @@ -171,8 +236,8 @@ public String getTarget() { /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTargetFriendlyName() */ -@Override -public String getTargetFriendlyName() { +//@Override +private String getTargetFriendlyName() { if (Boolean.parseBoolean(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_USE_OWN))) return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_OWN_NAME); @@ -265,8 +330,8 @@ public String getKeyBoxIdentifier() { */ @Override public String getBKUURL(String bkutype) { - if (bkutype.equals(ONLINEBKU)) { - return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE); + if (bkutype.equals(THIRDBKU)) { + return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD); } else if (bkutype.equals(HANDYBKU)) { return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY); @@ -274,10 +339,15 @@ public String getKeyBoxIdentifier() { } else if (bkutype.equals(LOCALBKU)) { return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_LOCAL); + } else if (bkutype.equals(ONLINEBKU)) { + return oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD); + } + + Logger.warn("BKU Type does not match: " - + ONLINEBKU + " or " + HANDYBKU + " or " + LOCALBKU); + + THIRDBKU + " or " + HANDYBKU + " or " + LOCALBKU); return null; } @@ -288,8 +358,8 @@ public String getKeyBoxIdentifier() { public List<String> getBKUURL() { List<String> list = new ArrayList<String>(); - if (oaConfiguration.containsKey(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE)) - list.add(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE)); + if (oaConfiguration.containsKey(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD)) + list.add(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD)); if (oaConfiguration.containsKey(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY)) list.add(oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY)); @@ -648,8 +718,8 @@ public boolean isInterfederationSSOStorageAllowed() { return false; } -public boolean isIDPPublicService() { - return !getBusinessService(); +public boolean isIDPPublicService() throws ConfigurationException { + return !hasBaseIdTransferRestriction(); } @@ -735,11 +805,7 @@ public String getPublicURLPrefix() { } -/* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService() - */ -@Override -public boolean getBusinessService() { +private boolean getBusinessService() { String value = oaConfiguration.get(MOAIDConfigurationConstants.SERVICE_BUSINESSSERVICE); if (MiscUtil.isNotEmpty(value)) return Boolean.parseBoolean(value); @@ -780,16 +846,16 @@ public String getFriendlyName() { } -/* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType() - */ -@Override -public String getOaType() { - if (getBusinessService()) - return "businessService"; - else - return "publicService"; -} +///* (non-Javadoc) +// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType() +// */ +//@Override +//public String getOaType() { +// if (getBusinessService()) +// return "businessService"; +// else +// return "publicService"; +//} /** diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java index 35d052acd..332604257 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java @@ -412,7 +412,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide return null; } - return new OAAuthParameter(oa); + return new OAAuthParameter(oa, this); } /** @@ -676,7 +676,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide templatesList.add(configuration.getStringValue( MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL)); templatesList.add(configuration.getStringValue( - MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE)); + MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD)); templatesList.add(configuration.getStringValue( MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_HANDY)); @@ -701,9 +701,9 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide try { switch (type) { - case IOAAuthParameters.ONLINEBKU: + case IOAAuthParameters.THIRDBKU: slRequestTemplate = configuration.getStringValue( - MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE); + MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD); break; case IOAAuthParameters.LOCALBKU: slRequestTemplate = configuration.getStringValue( @@ -714,7 +714,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_HANDY); break; default: - Logger.warn("getSLRequestTemplates: BKU Type does not match: " + IOAAuthParameters.ONLINEBKU + " or " + IOAAuthParameters.HANDYBKU + " or " + Logger.warn("getSLRequestTemplates: BKU Type does not match: " + IOAAuthParameters.THIRDBKU + " or " + IOAAuthParameters.HANDYBKU + " or " + IOAAuthParameters.LOCALBKU); } @@ -736,7 +736,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide List<String> bkuurlsList = new ArrayList<String>(); try { bkuurlsList.add(configuration.getStringValue( - MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE)); + MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD)); bkuurlsList.add(configuration.getStringValue( MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL)); bkuurlsList.add(configuration.getStringValue( @@ -762,9 +762,9 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide String defaultBKUUrl = null; try { switch (type) { - case IOAAuthParameters.ONLINEBKU: + case IOAAuthParameters.THIRDBKU: defaultBKUUrl = configuration.getStringValue( - MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE); + MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD); break; case IOAAuthParameters.LOCALBKU: defaultBKUUrl = configuration.getStringValue( @@ -775,7 +775,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_HANDY); break; default: - Logger.warn("getDefaultBKUURL: BKU Type does not match: " + IOAAuthParameters.ONLINEBKU + " or " + IOAAuthParameters.HANDYBKU + " or " + Logger.warn("getDefaultBKUURL: BKU Type does not match: " + IOAAuthParameters.THIRDBKU + " or " + IOAAuthParameters.HANDYBKU + " or " + IOAAuthParameters.LOCALBKU); } @@ -817,7 +817,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide public String getSSOFriendlyName() { try { return configuration.getStringValue( - MOAIDConfigurationConstants.GENERAL_AUTH_SSO_TARGET, "Default MOA-ID friendly name for SSO"); + MOAIDConfigurationConstants.GENERAL_AUTH_SSO_SERVICENAME, "Default MOA-ID friendly name for SSO"); } catch (at.gv.egiz.components.configuration.api.ConfigurationException e) { Logger.warn("Single Sign-On FriendlyName can not be read from configuration.", e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java index 9fd58b5c7..f3db82315 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java @@ -32,6 +32,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters; import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute; import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; /** * @author tlenz @@ -45,33 +46,84 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{ private static final long serialVersionUID = 1648437815185614566L; private String publicURLPrefix; - - private String businessTarget; - - private boolean businessService; - + private boolean isInderfederationIDP; - private String IDPQueryURL; - private String target; - + private boolean hasBaseIdProcessingRestriction; + private boolean hasBaseIdTransfergRestriction; + private String oaTargetAreaIdentifier; + + /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget() + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdInternalProcessingRestriction() */ @Override - public String getTarget() { - return this.target; + public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException { + return this.hasBaseIdProcessingRestriction; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdTransferRestriction() + */ + @Override + public boolean hasBaseIdTransferRestriction() throws ConfigurationException { + return this.hasBaseIdTransfergRestriction; } /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier() + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifier() + */ + @Override + public String getAreaSpecificTargetIdentifier() throws ConfigurationException { + return this.oaTargetAreaIdentifier; + } + + /** + * @param hasBaseIdProcessingRestriction the hasBaseIdProcessingRestriction to set + */ + public void setHasBaseIdProcessingRestriction(boolean hasBaseIdProcessingRestriction) { + this.hasBaseIdProcessingRestriction = hasBaseIdProcessingRestriction; + } + + /** + * @param hasBaseIdTransfergRestriction the hasBaseIdTransfergRestriction to set + */ + public void setHasBaseIdTransfergRestriction(boolean hasBaseIdTransfergRestriction) { + this.hasBaseIdTransfergRestriction = hasBaseIdTransfergRestriction; + } + + /** + * @param oaTargetAreaIdentifier the oaTargetAreaIdentifier to set + */ + public void setAreaSpecificTargetIdentifier(String oaTargetAreaIdentifier) { + this.oaTargetAreaIdentifier = oaTargetAreaIdentifier; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifierFriendlyName() */ @Override - public String getIdentityLinkDomainIdentifier() { - return this.businessTarget; + public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException { + return null; } +// /* (non-Javadoc) +// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget() +// */ +// //@Override +// public String getTarget() { +// return this.target; +// } +// +// /* (non-Javadoc) +// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier() +// */ +// //@Override +// public String getIdentityLinkDomainIdentifier() { +// return this.businessTarget; +// } + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIDPAttributQueryServiceURL() */ @@ -164,7 +216,7 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{ /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType() */ - @Override + //@Override public String getIdentityLinkDomainIdentifierType() { // TODO Auto-generated method stub return null; @@ -251,26 +303,26 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{ return null; } - /** - * @param isBusinessService the isBusinessService to set - */ - public void setBusinessService(boolean isBusinessService) { - businessService = isBusinessService; - } - - /** - * @param target the target to set - */ - public void setTarget(String target) { - this.target = target; - } - - /** - * @param businessTarget the businessTarget to set - */ - public void setBusinessTarget(String businessTarget) { - this.businessTarget = businessTarget; - } +// /** +// * @param isBusinessService the isBusinessService to set +// */ +// public void setBusinessService(boolean isBusinessService) { +// businessService = isBusinessService; +// } + +// /** +// * @param target the target to set +// */ +// public void setTarget(String target) { +// this.target = target; +// } +// +// /** +// * @param businessTarget the businessTarget to set +// */ +// public void setBusinessTarget(String businessTarget) { +// this.businessTarget = businessTarget; +// } /** * @param inderfederatedIDP the inderfederatedIDP to set @@ -400,27 +452,18 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{ return this.publicURLPrefix; } - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType() - */ - @Override - public String getOaType() { - // TODO Auto-generated method stub - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService() - */ - @Override - public boolean getBusinessService() { - return this.businessService; - } +// /* (non-Javadoc) +// * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService() +// */ +// //@Override +// public boolean getBusinessService() { +// return this.businessService; +// } /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTargetFriendlyName() */ - @Override + //@Override public String getTargetFriendlyName() { // TODO Auto-generated method stub return null; @@ -487,4 +530,6 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{ // TODO Auto-generated method stub return false; } + + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java index f5f056ccc..7f56f519b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java @@ -120,7 +120,8 @@ public class AuthenticationData implements IAuthData, Serializable { * the corresponding <code>lt;saml:Assertion></code> */ - private boolean businessService; + private boolean isBaseIDTransferRestrication = true; + /** * STORK attributes from response @@ -742,13 +743,15 @@ public class AuthenticationData implements IAuthData, Serializable { * @see at.gv.egovernment.moa.id.data.IAuthData#isBusinessService() */ @Override - public boolean isBusinessService() { - return this.businessService; + public boolean isBaseIDTransferRestrication() { + return isBaseIDTransferRestrication; } - - public void setIsBusinessService(boolean flag) { - this.businessService = flag; - + + /** + * @param isBaseIDTransmittionAllowed the isBaseIDTransmittionAllowed to set + */ + public void setBaseIDTransferRestrication(boolean isBaseIDTransferRestrication) { + this.isBaseIDTransferRestrication = isBaseIDTransferRestrication; } /** diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ExceptionContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ExceptionContainer.java index 1c6fdcb65..4820b6fdc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ExceptionContainer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/ExceptionContainer.java @@ -24,6 +24,8 @@ package at.gv.egovernment.moa.id.data; import java.io.Serializable; +import at.gv.egovernment.moa.id.commons.api.IRequest; + /** * @author tlenz * @@ -34,13 +36,21 @@ public class ExceptionContainer implements Serializable { private Throwable exceptionThrown = null; private String uniqueSessionID = null; private String uniqueTransactionID = null; + private String uniqueServiceProviderId = null; /** * */ - public ExceptionContainer(String uniqueSessionID, String uniqueTransactionID, Throwable exception) { - this.uniqueSessionID = uniqueSessionID; - this.uniqueTransactionID = uniqueTransactionID; + public ExceptionContainer(IRequest pendingReq, Throwable exception) { + if (pendingReq != null) { + this.uniqueSessionID = pendingReq.getUniqueSessionIdentifier(); + this.uniqueTransactionID = pendingReq.getUniqueTransactionIdentifier(); + + if (pendingReq.getOnlineApplicationConfiguration() != null) + this.uniqueServiceProviderId = pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix(); + + } + this.exceptionThrown = exception; } @@ -62,6 +72,14 @@ public class ExceptionContainer implements Serializable { public String getUniqueTransactionID() { return uniqueTransactionID; } + + /** + * @return the uniqueServiceProviderId + */ + public String getUniqueServiceProviderId() { + return uniqueServiceProviderId; + } + diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java index 4c15cd3d1..e9fef4676 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java @@ -38,8 +38,8 @@ public interface IAuthData { Date getIssueInstant(); String getIssuer(); - - boolean isBusinessService(); + boolean isBaseIDTransferRestrication(); + boolean isSsoSession(); //boolean isInterfederatedSSOSession(); boolean isUseMandate(); @@ -90,5 +90,6 @@ public interface IAuthData { String getCcc(); public <T> T getGenericData(String key, final Class<T> clazz); + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index ab0a1ec40..aff2c83ad 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -23,6 +23,7 @@ package at.gv.egovernment.moa.id.moduls; import java.io.IOException; +import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Collection; import java.util.Enumeration; @@ -47,6 +48,7 @@ import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger; +import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionExtensions; import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; @@ -89,6 +91,7 @@ import at.gv.egovernment.moa.util.MiscUtil; @Service("MOAID_AuthenticationManager") public class AuthenticationManager extends MOAIDAuthConstants { + private static List<String> reqParameterWhiteListeForModules = new ArrayList<String>(); public static final String MOA_SESSION = "MoaAuthenticationSession"; public static final String MOA_AUTHENTICATED = "MoaAuthenticated"; @@ -202,6 +205,14 @@ public class AuthenticationManager extends MOAIDAuthConstants { public AuthenticationSession doAuthentication(HttpServletRequest httpReq, HttpServletResponse httpResp, RequestImpl pendingReq) throws MOADatabaseException, ServletException, IOException, MOAIDException { + //load OA configuration from pending request + IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); + + //set logging context and log unique OA identifier to revision log + TransactionIDUtils.setServiceProviderId(pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix()); + revisionsLogger.logEvent(oaParam, + pendingReq, MOAIDEventConstants.AUTHPROCESS_SERVICEPROVIDER, pendingReq.getOAURL()); + //generic authentication request validation if (pendingReq.isPassiv() && pendingReq.forceAuth()) { @@ -236,12 +247,8 @@ public class AuthenticationManager extends MOAIDAuthConstants { boolean isValidSSOSession = ssoManager.isValidSSOSession(ssoId, pendingReq); // check if Service-Provider allows SSO sessions - IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); boolean useSSOOA = oaParam.useSSO() || oaParam.isInderfederationIDP(); - - revisionsLogger.logEvent(oaParam, - pendingReq, MOAIDEventConstants.AUTHPROCESS_SERVICEPROVIDER, pendingReq.getOAURL()); - + //if a legacy request is used SSO should not be allowed in case of mandate authentication boolean isUseMandateRequested = LegacyHelper.isUseMandateRequested(httpReq); @@ -304,6 +311,18 @@ public class AuthenticationManager extends MOAIDAuthConstants { } /** + * Add a request parameter to whitelist. All parameters that are part of the white list are added into {@link ExecutionContext} + * + * @param httpReqParam http parameter name, but never null + */ + public void addParameterNameToWhiteList(String httpReqParam) { + if (MiscUtil.isNotEmpty(httpReqParam)) + reqParameterWhiteListeForModules.add(httpReqParam); + + } + + + /** * Checks if a authenticated MOASession already exists and if {protocolRequest} is authenticated * * @param protocolRequest Authentication request which is actually in process @@ -381,17 +400,25 @@ public class AuthenticationManager extends MOAIDAuthConstants { executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_ISLEGACYREQUEST, leagacyMode); executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, !leagacyMode && MiscUtil.isEmpty(pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class))); + + //add X509 SSL client certificate if exist + if (httpReq.getAttribute("javax.servlet.request.X509Certificate") != null) { + Logger.debug("Find SSL-client-certificate on request --> Add it to context"); + executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_SSL_CLIENT_CERTIFICATE, + ((X509Certificate[])httpReq.getAttribute("javax.servlet.request.X509Certificate"))); + + } - //add leagcy parameters to context - if (leagacyMode) { + //add additional http request parameter to context + if (!reqParameterWhiteListeForModules.isEmpty() || leagacyMode) { Enumeration<String> reqParamNames = httpReq.getParameterNames(); while(reqParamNames.hasMoreElements()) { String paramName = reqParamNames.nextElement(); if (MiscUtil.isNotEmpty(paramName) && - MOAIDAuthConstants.LEGACYPARAMETERWHITELIST.contains(paramName)) + ( MOAIDAuthConstants.LEGACYPARAMETERWHITELIST.contains(paramName) + || reqParameterWhiteListeForModules.contains(paramName) )) executionContext.put(paramName, - StringEscapeUtils.escapeHtml(httpReq.getParameter(paramName))); - + StringEscapeUtils.escapeHtml(httpReq.getParameter(paramName))); } } @@ -615,7 +642,7 @@ public class AuthenticationManager extends MOAIDAuthConstants { //send SLO response to SLO request issuer SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq); LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, sloContainer.getSloFailedOAs()); - sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState); + sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState, pvpReq); } else { //print SLO information directly @@ -651,7 +678,7 @@ public class AuthenticationManager extends MOAIDAuthConstants { if (pvpReq != null) { SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq); LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); - sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState); + sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState, pvpReq); revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java index eec48e0f3..90ccb3c27 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestStorage.java @@ -52,9 +52,8 @@ public class RequestStorage implements IRequestStorage{ } //set transactionID and sessionID to Logger - TransactionIDUtils.setTransactionId(pendingRequest.getUniqueTransactionIdentifier()); - TransactionIDUtils.setSessionId(pendingRequest.getUniqueSessionIdentifier()); - + TransactionIDUtils.setAllLoggingVariables(pendingRequest); + return pendingRequest; } catch (MOADatabaseException | NullPointerException e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAIDHTTPPostEncoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAIDHTTPPostEncoder.java new file mode 100644 index 000000000..b05e60e94 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/opemsaml/MOAIDHTTPPostEncoder.java @@ -0,0 +1,114 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.opemsaml; + +import java.io.BufferedReader; +import java.io.IOException; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.io.OutputStreamWriter; +import java.io.Writer; + +import org.apache.velocity.VelocityContext; +import org.apache.velocity.app.VelocityEngine; +import org.opensaml.common.binding.SAMLMessageContext; +import org.opensaml.saml2.binding.encoding.HTTPPostEncoder; +import org.opensaml.ws.message.encoder.MessageEncodingException; +import org.opensaml.ws.transport.http.HTTPOutTransport; +import org.opensaml.ws.transport.http.HTTPTransportUtils; + +import at.gv.egovernment.moa.id.auth.frontend.builder.GUIFormBuilderImpl; +import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class MOAIDHTTPPostEncoder extends HTTPPostEncoder { + + private VelocityEngine velocityEngine; + private IGUIBuilderConfiguration guiConfig; + private GUIFormBuilderImpl guiBuilder; + + /** + * @param engine + * @param templateId + */ + public MOAIDHTTPPostEncoder(IGUIBuilderConfiguration guiConfig, GUIFormBuilderImpl guiBuilder, VelocityEngine engine) { + super(engine, null); + this.velocityEngine = engine; + this.guiConfig = guiConfig; + this.guiBuilder = guiBuilder; + + } + + /** + * Base64 and POST encodes the outbound message and writes it to the outbound transport. + * + * @param messageContext current message context + * @param endpointURL endpoint URL to which to encode message + * + * @throws MessageEncodingException thrown if there is a problem encoding the message + */ + protected void postEncode(SAMLMessageContext messageContext, String endpointURL) throws MessageEncodingException { + Logger.debug("Invoking Velocity template to create POST body"); + InputStream is = null; + try { + //build Velocity Context from GUI input paramters + VelocityContext context = guiBuilder.generateVelocityContextFromConfiguration(guiConfig); + + //load template + is = guiBuilder.getTemplateInputStream(guiConfig); + + //populate velocity context with SAML2 parameters + populateVelocityContext(context, messageContext, endpointURL); + + //populate transport parameter + HTTPOutTransport outTransport = (HTTPOutTransport) messageContext.getOutboundMessageTransport(); + HTTPTransportUtils.addNoCacheHeaders(outTransport); + HTTPTransportUtils.setUTF8Encoding(outTransport); + HTTPTransportUtils.setContentType(outTransport, "text/html"); + + //evaluate template and write content to response + Writer out = new OutputStreamWriter(outTransport.getOutgoingStream(), "UTF-8"); + velocityEngine.evaluate(context, out, "SAML2_POST_BINDING", new BufferedReader(new InputStreamReader(is))); + out.flush(); + + } catch (Exception e) { + Logger.error("Error invoking Velocity template", e); + throw new MessageEncodingException("Error creating output document", e); + + } finally { + if (is != null) { + try { + is.close(); + + } catch (IOException e) { + Logger.error("Can NOT close GUI-Template InputStream.", e); + } + } + + } + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java index eff839e4e..c13c5e288 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java @@ -23,7 +23,6 @@ package at.gv.egovernment.moa.id.protocols.builder.attributes; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; @@ -51,6 +50,9 @@ public class BPKAttributeBuilder implements IPVPAttributeBuilder { else if (type.startsWith(Constants.URN_PREFIX_CDID)) type = type.substring((Constants.URN_PREFIX_CDID + "+").length()); + else if (type.startsWith(Constants.URN_PREFIX_EIDAS)) + type = type.substring((Constants.URN_PREFIX_EIDAS + "+").length()); + if (bpk.length() > BPK_MAX_LENGTH) { bpk = bpk.substring(0, BPK_MAX_LENGTH); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java index a6a5f1dd4..b4846db12 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java @@ -38,7 +38,7 @@ public class EIDSourcePIN implements IPVPAttributeBuilder { public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if (authData.isBusinessService()) + if (authData.isBaseIDTransferRestrication()) throw new AttributePolicyException(EID_SOURCE_PIN_NAME); else { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java index 1d836802a..ccaecb3b6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePINType.java @@ -23,7 +23,6 @@ package at.gv.egovernment.moa.id.protocols.builder.attributes; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; @@ -37,7 +36,7 @@ public class EIDSourcePINType implements IPVPAttributeBuilder { public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if (authData.isBusinessService()) + if (authData.isBaseIDTransferRestrication()) throw new UnavailableAttributeException(EID_SOURCE_PIN_TYPE_NAME); else { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java index 97043a3a0..f85fd7cae 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java @@ -60,7 +60,7 @@ public class MandateLegalPersonFullNameAttributeBuilder implements IPVPAttribute } CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); if (corporation == null) { - Logger.error("No corporation mandate"); + Logger.info("No corporation mandate"); throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java index 46472c983..7e0815ab2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java @@ -42,41 +42,12 @@ public class MandateLegalPersonSourcePinAttributeBuilder implements IPVPAttribu public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if(authData.isUseMandate()) { - - //get PVP attribute directly, if exists - String sourcePin = authData.getGenericData(MANDATE_LEG_PER_SOURCE_PIN_NAME, String.class); - - if (MiscUtil.isEmpty(sourcePin)) { - Element mandate = authData.getMandate(); - if(mandate == null) { - throw new NoMandateDataAttributeException(); - - } - Mandate mandateObject = MandateBuilder.buildMandate(mandate); - if(mandateObject == null) { - throw new NoMandateDataAttributeException(); - - } - CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); - if(corporation == null) { - Logger.error("No corporation mandate"); - throw new NoMandateDataAttributeException(); - - } - if(corporation.getIdentification().size() == 0) { - Logger.error("Failed to generate IdentificationType"); - throw new NoMandateDataAttributeException(); - - } - - sourcePin = corporation.getIdentification().get(0).getValue().getValue(); - - } - + if(authData.isUseMandate()) { return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, - MANDATE_LEG_PER_SOURCE_PIN_NAME, sourcePin); + MANDATE_LEG_PER_SOURCE_PIN_NAME, getLegalPersonIdentifierFromMandate(authData)); + } + return null; } @@ -84,4 +55,39 @@ public class MandateLegalPersonSourcePinAttributeBuilder implements IPVPAttribu public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) { return g.buildEmptyAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, MANDATE_LEG_PER_SOURCE_PIN_NAME); } + + + protected String getLegalPersonIdentifierFromMandate(IAuthData authData) throws NoMandateDataAttributeException { + //get PVP attribute directly, if exists + String sourcePin = authData.getGenericData(MANDATE_LEG_PER_SOURCE_PIN_NAME, String.class); + + if (MiscUtil.isEmpty(sourcePin)) { + Element mandate = authData.getMandate(); + if(mandate == null) { + throw new NoMandateDataAttributeException(); + + } + Mandate mandateObject = MandateBuilder.buildMandate(mandate); + if(mandateObject == null) { + throw new NoMandateDataAttributeException(); + + } + CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); + if(corporation == null) { + Logger.info("No corporation mandate"); + throw new NoMandateDataAttributeException(); + + } + if(corporation.getIdentification().size() == 0) { + Logger.info("Failed to generate IdentificationType"); + throw new NoMandateDataAttributeException(); + + } + + sourcePin = corporation.getIdentification().get(0).getValue().getValue(); + + } + + return sourcePin; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java index 41c35dad3..8b22acc01 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java @@ -59,12 +59,12 @@ public class MandateLegalPersonSourcePinTypeAttributeBuilder implements IPVPAttr } CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); if (corporation == null) { - Logger.error("No corporate mandate"); + Logger.info("No corporate mandate"); throw new NoMandateDataAttributeException(); } if (corporation.getIdentification().size() == 0) { - Logger.error("Failed to generate IdentificationType"); + Logger.info("Failed to generate IdentificationType"); throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java index df8f86f7e..15eed3d44 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java @@ -30,9 +30,12 @@ import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPers import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; @@ -50,6 +53,7 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui //get PVP attribute directly, if exists String bpk = authData.getGenericData(MANDATE_NAT_PER_BPK_NAME, String.class); + String type = null; if (MiscUtil.isEmpty(bpk)) { //read bPK from mandate if it is not directly included @@ -63,38 +67,53 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui } PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); if (physicalPerson == null) { - Logger.error("No physicalPerson mandate"); + Logger.info("No physicalPerson mandate"); throw new NoMandateDataAttributeException(); } IdentificationType id = null; id = physicalPerson.getIdentification().get(0); if (id == null) { - Logger.error("Failed to generate IdentificationType"); + Logger.info("Failed to generate IdentificationType"); throw new NoMandateDataAttributeException(); } try { - if (id.getType().equals(Constants.URN_PREFIX_BASEID)) { - if (oaParam.getBusinessService()) { - bpk = new BPKBuilder().buildWBPK(id.getValue().getValue(), oaParam.getIdentityLinkDomainIdentifier()); - - } else { - bpk = new BPKBuilder().buildBPK(id.getValue().getValue(), oaParam.getTarget()); - - } - + if (id.getType().equals(Constants.URN_PREFIX_BASEID)) { + Pair<String, String> calcResult = new BPKBuilder().generateAreaSpecificPersonIdentifier(id.getValue().getValue(), + oaParam.getAreaSpecificTargetIdentifier()); + bpk = calcResult.getFirst(); + type = calcResult.getSecond(); + } else bpk = id.getValue().getValue(); + if (MiscUtil.isEmpty(bpk)) + throw new UnavailableAttributeException(BPK_NAME); + + if (type.startsWith(Constants.URN_PREFIX_WBPK)) + type = type.substring((Constants.URN_PREFIX_WBPK + "+").length()); + + else if (type.startsWith(Constants.URN_PREFIX_CDID)) + type = type.substring((Constants.URN_PREFIX_CDID + "+").length()); + + else if (type.startsWith(Constants.URN_PREFIX_EIDAS)) + type = type.substring((Constants.URN_PREFIX_EIDAS + "+").length()); + + if (bpk.length() > BPK_MAX_LENGTH) { + bpk = bpk.substring(0, BPK_MAX_LENGTH); + } + + } - catch (BuildException e) { + catch (BuildException | ConfigurationException e) { Logger.error("Failed to generate IdentificationType"); throw new NoMandateDataAttributeException(); } } - return g.buildStringAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME, bpk); + Logger.trace("Authenticate user with bPK/wbPK " + bpk + " and Type=" + type); + return g.buildStringAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME, type + ":" + bpk); } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java index a64880889..b9ac891a9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java @@ -65,7 +65,7 @@ public class MandateNaturalPersonBirthDateAttributeBuilder implements IPVPAttrib } PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); if (physicalPerson == null) { - Logger.error("No physicalPerson mandate"); + Logger.info("No physicalPerson mandate"); throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java index 085579108..d29df66e8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java @@ -62,7 +62,7 @@ public class MandateNaturalPersonFamilyNameAttributeBuilder implements IPVPAttr } PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); if(physicalPerson == null) { - Logger.error("No physicalPerson mandate"); + Logger.info("No physicalPerson mandate"); throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java index 4cd2ca670..32efe061e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java @@ -59,7 +59,7 @@ public class MandateNaturalPersonGivenNameAttributeBuilder implements IPVPAttrib } PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); if (physicalPerson == null) { - Logger.error("No physicalPerson mandate"); + Logger.info("No physicalPerson mandate"); throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java index 69a731e53..6f0a49ce0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java @@ -27,10 +27,7 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributePolicyException; @@ -58,18 +55,18 @@ public class MandateNaturalPersonSourcePinAttributeBuilder implements IPVPAttri PhysicalPersonType physicalPerson = mandateObject.getMandator() .getPhysicalPerson(); if (physicalPerson == null) { - Logger.error("No physicalPerson mandate"); + Logger.info("No physicalPerson mandate"); throw new NoMandateDataAttributeException(); } IdentificationType id = null; id = physicalPerson.getIdentification().get(0); - if(oaParam.getBusinessService()) { + if(authData.isBaseIDTransferRestrication()) { throw new AttributePolicyException(this.getName()); } if(id == null) { - Logger.error("Failed to generate IdentificationType"); + Logger.info("Failed to generate IdentificationType"); throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java index 41a821c98..f7d1af33f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java @@ -28,7 +28,6 @@ import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; @@ -55,7 +54,7 @@ public class MandateNaturalPersonSourcePinTypeAttributeBuilder implements IPVPAt PhysicalPersonType physicalPerson = mandateObject.getMandator() .getPhysicalPerson(); if (physicalPerson == null) { - Logger.error("No physicalPerson mandate"); + Logger.info("No physicalPerson mandate"); throw new NoMandateDataAttributeException(); } IdentificationType id = null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java index 365a31fe1..72691a034 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java @@ -39,6 +39,7 @@ import org.opensaml.saml2.core.Response; import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.xml.security.SecurityException; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.ApplicationContext; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder; @@ -79,6 +80,7 @@ public class AttributQueryAction implements IAction { @Autowired private IDPCredentialProvider pvpCredentials; @Autowired private AuthConfiguration authConfig; @Autowired(required=true) private MOAMetadataProvider metadataProvider; + @Autowired(required=true) ApplicationContext springContext; private final static List<String> DEFAULTSTORKATTRIBUTES = Arrays.asList( new String[]{PVPConstants.EID_STORK_TOKEN_NAME}); @@ -141,9 +143,9 @@ public class AttributQueryAction implements IAction { metadataProvider, issuerEntityID, attrQuery, date, assertion, authConfig.isPVP2AssertionEncryptionActive()); - SoapBinding decoder = new SoapBinding(); + SoapBinding decoder = springContext.getBean("PVPSOAPBinding", SoapBinding.class); decoder.encodeRespone(httpReq, httpResp, authResponse, null, null, - pvpCredentials.getIDPAssertionSigningCredential()); + pvpCredentials.getIDPAssertionSigningCredential(), pendingReq); return null; } catch (MessageEncodingException e) { @@ -225,9 +227,9 @@ public class AttributQueryAction implements IAction { } //check next IDP service area policy. BusinessService IDPs can only request wbPKs - if (!spConfig.getBusinessService() && !idp.isIDPPublicService()) { + if (!spConfig.hasBaseIdTransferRestriction() && !idp.isIDPPublicService()) { Logger.error("Interfederated IDP " + idp.getPublicURLPrefix() - + " has a BusinessService-IDP but requests PublicService attributes."); + + " is a BusinessService-IDP but requests PublicService attributes."); throw new MOAIDException("auth.34", new Object[]{nextIDPInformation.getIdpurlprefix()}); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java index aac49844e..9d60ae4b2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java @@ -35,6 +35,7 @@ import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.xml.security.SecurityException; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.ApplicationContext; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; @@ -62,6 +63,7 @@ public class AuthenticationAction implements IAction { @Autowired IDPCredentialProvider pvpCredentials; @Autowired AuthConfiguration authConfig; @Autowired(required=true) private MOAMetadataProvider metadataProvider; + @Autowired(required=true) ApplicationContext springContext; public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { @@ -102,11 +104,11 @@ public class AuthenticationAction implements IAction { if (consumerService.getBinding().equals( SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { - binding = new RedirectBinding(); + binding = springContext.getBean("PVPRedirectBinding", RedirectBinding.class); } else if (consumerService.getBinding().equals( SAMLConstants.SAML2_POST_BINDING_URI)) { - binding = new PostBinding(); + binding = springContext.getBean("PVPPOSTBinding", PostBinding.class); } @@ -117,7 +119,7 @@ public class AuthenticationAction implements IAction { try { binding.encodeRespone(httpReq, httpResp, authResponse, consumerService.getLocation(), moaRequest.getRelayState(), - pvpCredentials.getIDPAssertionSigningCredential()); + pvpCredentials.getIDPAssertionSigningCredential(), req); //set protocol type sloInformation.setProtocolType(req.requestedModule()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index a7a249eed..216d7a8b1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -444,13 +444,13 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { IEncoder encoder = null; if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { - encoder = new RedirectBinding(); + encoder = applicationContext.getBean("PVPRedirectBinding", RedirectBinding.class); } else if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) { - encoder = new PostBinding(); + encoder = applicationContext.getBean("PVPPOSTBinding", PostBinding.class); } else if (pvpRequest.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) { - encoder = new SoapBinding(); + encoder = applicationContext.getBean("PVPSOAPBinding", SoapBinding.class); } if(encoder == null) { @@ -465,7 +465,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { X509Credential signCred = pvpCredentials.getIDPAssertionSigningCredential(); encoder.encodeRespone(request, response, samlResponse, pvpRequest.getConsumerURL(), - relayState, signCred); + relayState, signCred, protocolRequest); return true; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java index ff703d585..f709da213 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java @@ -111,7 +111,7 @@ public class SingleLogOutAction implements IAction { //LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, null); Logger.info("Sending SLO success message to requester ..."); - sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); + sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState(), pvpReq); return null; } else { @@ -127,7 +127,7 @@ public class SingleLogOutAction implements IAction { //LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, null); Logger.info("Sending SLO success message to requester ..."); - sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); + sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState(), pvpReq); return null; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java index 3b2fb3687..ccbef6e6c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java @@ -31,6 +31,7 @@ import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.credential.Credential; +import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; public interface IEncoder { @@ -43,12 +44,13 @@ public interface IEncoder { * @param targetLocation URL, where the request should be transmit * @param relayState token for session handling * @param credentials Credential to sign the request object + * @param pendingReq Internal MOA-ID request object that contains session-state informations but never null * @throws MessageEncodingException * @throws SecurityException * @throws PVP2Exception */ public void encodeRequest(HttpServletRequest req, - HttpServletResponse resp, RequestAbstractType request, String targetLocation, String relayState, Credential credentials) + HttpServletResponse resp, RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq) throws MessageEncodingException, SecurityException, PVP2Exception; /** @@ -59,10 +61,11 @@ public interface IEncoder { * @param targetLocation URL, where the request should be transmit * @param relayState token for session handling * @param credentials Credential to sign the response object + * @param pendingReq Internal MOA-ID request object that contains session-state informations but never null * @throws MessageEncodingException * @throws SecurityException */ public void encodeRespone(HttpServletRequest req, - HttpServletResponse resp, StatusResponseType response, String targetLocation, String relayState, Credential credentials) + HttpServletResponse resp, StatusResponseType response, String targetLocation, String relayState, Credential credentials, IRequest pendingReq) throws MessageEncodingException, SecurityException, PVP2Exception; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 9977e607b..c7688c14b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -25,13 +25,11 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.binding; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.apache.velocity.app.VelocityEngine; import org.opensaml.common.SAMLObject; import org.opensaml.common.binding.BasicSAMLMessageContext; import org.opensaml.common.binding.decoding.URIComparator; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.binding.decoding.HTTPPostDecoder; -import org.opensaml.saml2.binding.encoding.HTTPPostEncoder; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.saml2.metadata.IDPSSODescriptor; @@ -49,8 +47,17 @@ import org.opensaml.ws.transport.http.HttpServletResponseAdapter; import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.credential.Credential; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; +import at.gv.egovernment.moa.id.auth.frontend.builder.GUIFormBuilderImpl; +import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration; +import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithFileSystemLoad; import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; +import at.gv.egovernment.moa.id.opemsaml.MOAIDHTTPPostEncoder; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; @@ -62,10 +69,14 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; +@Service("PVPPOSTBinding") public class PostBinding implements IDecoder, IEncoder { + + @Autowired(required=true) AuthConfiguration authConfig; + @Autowired(required=true) GUIFormBuilderImpl guiBuilder; public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, - RequestAbstractType request, String targetLocation, String relayState, Credential credentials) + RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq) throws MessageEncodingException, SecurityException { try { @@ -75,9 +86,18 @@ public class PostBinding implements IDecoder, IEncoder { //load default PVP security configurations MOADefaultBootstrap.initializeDefaultPVPConfiguration(); - VelocityEngine engine = VelocityProvider.getClassPathVelocityEngine(); - HTTPPostEncoder encoder = new HTTPPostEncoder(engine, - "resources/templates/pvp_postbinding_template.html"); + //initialize POST binding encoder with template decoration + IGUIBuilderConfiguration guiConfig = + new SPSpecificGUIBuilderConfigurationWithFileSystemLoad( + pendingReq, + "pvp_postbinding_template.html", + MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL, + null, + authConfig.getRootConfigFileDir()); + MOAIDHTTPPostEncoder encoder = new MOAIDHTTPPostEncoder(guiConfig, guiBuilder, + VelocityProvider.getClassPathVelocityEngine()); + + //set OpenSAML2 process parameter into binding context dao HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( resp, true); BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); @@ -103,22 +123,27 @@ public class PostBinding implements IDecoder, IEncoder { } public void encodeRespone(HttpServletRequest req, HttpServletResponse resp, - StatusResponseType response, String targetLocation, String relayState, Credential credentials) + StatusResponseType response, String targetLocation, String relayState, Credential credentials, IRequest pendingReq) throws MessageEncodingException, SecurityException { try { -// X509Credential credentials = credentialProvider -// .getIDPAssertionSigningCredential(); - //load default PVP security configurations MOADefaultBootstrap.initializeDefaultPVPConfiguration(); Logger.debug("create SAML POSTBinding response"); - VelocityEngine engine = VelocityProvider.getClassPathVelocityEngine(); - - HTTPPostEncoder encoder = new HTTPPostEncoder(engine, - "resources/templates/pvp_postbinding_template.html"); + //initialize POST binding encoder with template decoration + IGUIBuilderConfiguration guiConfig = + new SPSpecificGUIBuilderConfigurationWithFileSystemLoad( + pendingReq, + "pvp_postbinding_template.html", + MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL, + null, + authConfig.getRootConfigFileDir()); + MOAIDHTTPPostEncoder encoder = new MOAIDHTTPPostEncoder(guiConfig, guiBuilder, + VelocityProvider.getClassPathVelocityEngine()); + + //set OpenSAML2 process parameter into binding context dao HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( resp, true); BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 279038967..95c4f1726 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -31,7 +31,6 @@ import org.opensaml.common.binding.decoding.URIComparator; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder; import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder; -import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule; import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.StatusResponseType; @@ -50,7 +49,9 @@ import org.opensaml.ws.transport.http.HttpServletResponseAdapter; import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.credential.Credential; +import org.springframework.stereotype.Service; +import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; @@ -58,14 +59,16 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.IMOARefreshableMetadataProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.validation.MOASAML2AuthRequestSignedRole; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; +@Service("PVPRedirectBinding") public class RedirectBinding implements IDecoder, IEncoder { public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, - RequestAbstractType request, String targetLocation, String relayState, Credential credentials) + RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq) throws MessageEncodingException, SecurityException { // try { @@ -100,7 +103,7 @@ public class RedirectBinding implements IDecoder, IEncoder { public void encodeRespone(HttpServletRequest req, HttpServletResponse resp, StatusResponseType response, String targetLocation, String relayState, - Credential credentials) throws MessageEncodingException, SecurityException { + Credential credentials, IRequest pendingReq) throws MessageEncodingException, SecurityException { // try { // X509Credential credentials = credentialProvider // .getIDPAssertionSigningCredential(); @@ -156,10 +159,10 @@ public class RedirectBinding implements IDecoder, IEncoder { SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule( TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); - SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule(); + MOASAML2AuthRequestSignedRole signedRole = new MOASAML2AuthRequestSignedRole(); BasicSecurityPolicy policy = new BasicSecurityPolicy(); - policy.getPolicyRules().add(signatureRule); - policy.getPolicyRules().add(signedRole); + policy.getPolicyRules().add(signedRole); + policy.getPolicyRules().add(signatureRule); SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver( policy); messageContext.setSecurityPolicyResolver(resolver); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java index 94d91694a..552b64ac6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java @@ -48,7 +48,9 @@ import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.signature.SignableXMLObject; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; +import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; @@ -60,6 +62,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; +@Service("PVPSOAPBinding") public class SoapBinding implements IDecoder, IEncoder { @Autowired(required=true) private MOAMetadataProvider metadataProvider; @@ -136,13 +139,13 @@ public class SoapBinding implements IDecoder, IEncoder { } public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, - RequestAbstractType request, String targetLocation, String relayState, Credential credentials) + RequestAbstractType request, String targetLocation, String relayState, Credential credentials, IRequest pendingReq) throws MessageEncodingException, SecurityException, PVP2Exception { } public void encodeRespone(HttpServletRequest req, HttpServletResponse resp, - StatusResponseType response, String targetLocation, String relayState, Credential credentials) + StatusResponseType response, String targetLocation, String relayState, Credential credentials, IRequest pendingReq) throws MessageEncodingException, SecurityException, PVP2Exception { // try { // Credential credentials = credentialProvider diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java index 2df72637d..4aa4f7419 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java @@ -59,7 +59,6 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableEx import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.Constants; /** * @author tlenz @@ -70,7 +69,7 @@ public class AttributQueryBuilder { @Autowired IDPCredentialProvider credentialProvider; - public List<Attribute> buildSAML2AttributeList(IOAAuthParameters oa, Iterator<String> iterator) { + public List<Attribute> buildSAML2AttributeList(IOAAuthParameters oa, Iterator<String> iterator) throws ConfigurationException { Logger.debug("Build OA specific Attributes for AttributQuery request"); @@ -87,17 +86,13 @@ public class AttributQueryBuilder { } else { //add OA specific information if (rA.equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) { - if (oa.getBusinessService()) - attr = generator.buildStringAttribute(attr.getFriendlyName(), - attr.getName(), oa.getIdentityLinkDomainIdentifier()); - else - attr = generator.buildStringAttribute(attr.getFriendlyName(), - attr.getName(), Constants.URN_PREFIX_CDID + "+" + oa.getTarget()); + attr = generator.buildStringAttribute(attr.getFriendlyName(), + attr.getName(), oa.getAreaSpecificTargetIdentifier()); + } //TODO: add attribute values for SSO with mandates (ProfileList) - - + attrList.add(attr); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java index 01ef4a43d..f29418853 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java @@ -44,6 +44,8 @@ import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.SingleSignOnService; import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.xml.security.SecurityException; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.ApplicationContext; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.commons.api.IRequest; @@ -64,6 +66,7 @@ import at.gv.egovernment.moa.util.MiscUtil; @Service("PVPAuthnRequestBuilder") public class PVPAuthnRequestBuilder { + @Autowired(required=true) ApplicationContext springContext; /** * Build a PVP2.x specific authentication request @@ -202,17 +205,17 @@ public class PVPAuthnRequestBuilder { IEncoder binding = null; if (endpoint.getBinding().equals( SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { - binding = new RedirectBinding(); + binding = springContext.getBean("PVPRedirectBinding", RedirectBinding.class); } else if (endpoint.getBinding().equals( SAMLConstants.SAML2_POST_BINDING_URI)) { - binding = new PostBinding(); + binding = springContext.getBean("PVPPOSTBinding", PostBinding.class); } //encode message binding.encodeRequest(null, httpResp, authReq, - endpoint.getLocation(), pendingReq.getRequestID(), config.getAuthnRequestSigningCredential()); + endpoint.getLocation(), pendingReq.getRequestID(), config.getAuthnRequestSigningCredential(), pendingReq); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java index de59e6055..4fef52aec 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java @@ -59,6 +59,7 @@ import org.opensaml.xml.signature.Signature; import org.opensaml.xml.signature.SignatureConstants; import org.opensaml.xml.signature.Signer; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.ApplicationContext; import org.springframework.stereotype.Service; import org.w3c.dom.Document; @@ -95,7 +96,9 @@ import at.gv.egovernment.moa.logging.Logger; public class SingleLogOutBuilder { @Autowired(required=true) private MOAMetadataProvider metadataProvider; + @Autowired(required=true) ApplicationContext springContext; @Autowired private IDPCredentialProvider credentialProvider; + public void checkStatusCode(ISLOInformationContainer sloContainer, LogoutResponse logOutResp) { Status status = logOutResp.getStatus(); @@ -185,15 +188,15 @@ public class SingleLogOutBuilder { public void sendFrontChannelSLOMessage(SingleLogoutService consumerService, LogoutResponse sloResp, HttpServletRequest req, HttpServletResponse resp, - String relayState) throws MOAIDException { + String relayState, PVPTargetConfiguration pvpReq) throws MOAIDException { IEncoder binding = null; if (consumerService.getBinding().equals( SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { - binding = new RedirectBinding(); + binding = springContext.getBean("PVPRedirectBinding", RedirectBinding.class); } else if (consumerService.getBinding().equals( SAMLConstants.SAML2_POST_BINDING_URI)) { - binding = new PostBinding(); + binding = springContext.getBean("PVPPOSTBinding", PostBinding.class); } @@ -204,7 +207,7 @@ public class SingleLogOutBuilder { try { binding.encodeRespone(req, resp, sloResp, consumerService.getLocation(), relayState, - credentialProvider.getIDPAssertionSigningCredential()); + credentialProvider.getIDPAssertionSigningCredential(), pvpReq); } catch (MessageEncodingException e) { Logger.error("Message Encoding exception", e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index 55d8fa1ff..45539da3f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -60,11 +60,11 @@ import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBod import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; @@ -338,20 +338,8 @@ public class PVP2AssertionBuilder implements PVPConstants { } //set bPK-Type from configuration, because it MUST be equal to service-provider type - if (oaParam.getBusinessService()) { - if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) - bpktype = oaParam.getIdentityLinkDomainIdentifier(); - else - bpktype = Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier(); - - } else { - if (oaParam.getTarget().startsWith(Constants.URN_PREFIX_CDID + "+")) - bpktype = oaParam.getTarget(); - else - bpktype = Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget(); - - } - + bpktype = oaParam.getAreaSpecificTargetIdentifier(); + } else { //sourcePin is include --> check sourcePinType if (MiscUtil.isEmpty(bpktype)) @@ -365,21 +353,10 @@ public class PVP2AssertionBuilder implements PVPConstants { } - if (bpktype.equals(Constants.URN_PREFIX_BASEID)) { - if (oaParam.getBusinessService()) { - subjectNameID.setValue(new BPKBuilder().buildWBPK(bpk, oaParam.getIdentityLinkDomainIdentifier())); - if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) - subjectNameID.setNameQualifier(oaParam.getIdentityLinkDomainIdentifier()); - else - subjectNameID.setNameQualifier(Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier()); - - } else { - subjectNameID.setValue(new BPKBuilder().buildBPK(bpk, oaParam.getTarget())); - if (oaParam.getTarget().startsWith(Constants.URN_PREFIX_CDID + "+")) - subjectNameID.setNameQualifier(oaParam.getTarget()); - else - subjectNameID.setNameQualifier(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); - } + if (bpktype.equals(Constants.URN_PREFIX_BASEID)) { + Pair<String, String> calcbPK = new BPKBuilder().generateAreaSpecificPersonIdentifier(bpk, oaParam.getAreaSpecificTargetIdentifier()); + subjectNameID.setValue(calcbPK.getFirst()); + subjectNameID.setNameQualifier(calcbPK.getSecond()); } else { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index 5380d7f53..ab355646c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -217,6 +217,9 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider Logger.warn("Refresh PVP2X metadata for onlineApplication: " + entityID + " FAILED.", e); + } catch (ConfigurationException e) { + Logger.warn("Refresh PVP2X metadata for onlineApplication: " + + entityID + " FAILED.", e); } return false; @@ -484,13 +487,13 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider } - private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException { + private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException, ConfigurationException { PVPMetadataFilterChain filterChain = new PVPMetadataFilterChain(metadataURL, certificate); filterChain.getFilters().add(new SchemaValidationFilter()); if (oaParam.isInderfederationIDP()) { Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies"); - filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oaParam.getBusinessService())); + filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oaParam.hasBaseIdTransferRestriction())); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java new file mode 100644 index 000000000..efcf21b50 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOASAML2AuthRequestSignedRole.java @@ -0,0 +1,49 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.validation; + +import org.opensaml.common.binding.SAMLMessageContext; +import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule; +import org.opensaml.ws.transport.http.HTTPInTransport; +import org.opensaml.xml.util.DatatypeHelper; + +/** + * @author tlenz + * + */ +public class MOASAML2AuthRequestSignedRole extends SAML2AuthnRequestsSignedRule { + + @Override + protected boolean isMessageSigned(SAMLMessageContext messageContext) { + // This handles HTTP-Redirect and HTTP-POST-SimpleSign bindings. + HTTPInTransport inTransport = (HTTPInTransport) messageContext.getInboundMessageTransport(); + String sigParam = inTransport.getParameterValue("Signature"); + boolean isSigned = !DatatypeHelper.isEmpty(sigParam); + + String sigAlgParam = inTransport.getParameterValue("SigAlg"); + boolean isSigAlgExists = !DatatypeHelper.isEmpty(sigAlgParam); + + return isSigned && isSigAlgExists; + + } +} diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 50b2c5ece..05f58d5bc 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -88,6 +88,8 @@ config.24=MOA-ID-Auth Configfile {1} does not start with {0} prefix. config.25=Der verwendete IDP PublicURLPrefix {0} ist nicht erlaubt.
config.26=Federated IDP {0} contains no AttributeQuery URL.
config.27=Fehler beim Verarbeiten eines Konfigurationsparameters. Msg:{0}
+config.28=Fehler beim initialisieren des SSL-TrustManagers. Zertifikat {0} kann nicht geladen werden; Ursache: {1}
+config.29=Fehler beim initialisieren des SSL-TrustManagers. TrustStore: {0} | Ursache: {1}
parser.00=Leichter Fehler beim Parsen: {0}
parser.01=Fehler beim Parsen: {0}
@@ -273,6 +275,7 @@ eIDAS.13=Generation of eIDAS Response FAILED. Reason:{0} eIDAS.14=eIDAS Response validation FAILED: LevelOfAssurance {0} is to low.
eIDAS.15=Generation of eIDAS Response FAILED. Required attribute: {0} is NOT available.
eIDAS.16=eIDAS Response attribute-validation FAILED. Attribute:{0} Reason: {1}.
+eIDAS.17=Generation of eIDAS Response FAILED. Citzen use mandates for authentication but there are no mandate attributes requested
pvp2.01=Fehler beim kodieren der PVP2 Antwort
pvp2.02=Ungueltiges Datumsformat
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties index c6d0844ce..0a37fdc91 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties @@ -230,6 +230,7 @@ eIDAS.13=1307 eIDAS.14=1301 eIDAS.15=1307 eIDAS.16=1301 +eIDAS.17=1307 pvp2.01=6100 pvp2.06=6100 diff --git a/id/server/idserverlib/src/main/resources/resources/templates/ParepMinTemplate.html b/id/server/idserverlib/src/main/resources/resources/templates/ParepMinTemplate.html deleted file mode 100644 index f5bca7f1f..000000000 --- a/id/server/idserverlib/src/main/resources/resources/templates/ParepMinTemplate.html +++ /dev/null @@ -1,193 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
-<html>
-<head>
-<BASE href="<BASE_href>">
- <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
- <title>Berufsmäßige Parteieinvertretung</title>
-</head>
-<body>
- Berufsmäßige Parteienvertretung einer
- natürlichen/juristischen Person
- <form name="ProcessInputForm" method="post" accept-charset="UTF-8"
- enctype="application/x-www-form-urlencoded" action="<BKU>">
- <table width="80%" border="0">
- <tr />
- <tr />
- <tr>
- <td colspan="3"><em>Vertreter:</em></td>
- </tr>
- <tr>
- <td align="right" width="20%">Vorname <img
- title=" Dieses Feld muss ausgefüllt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="rpgivenname_" type="text" disabled="true"
- id="rpgivenname" value="<rpgivenname>" size="50" readonly="true" />
- </td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Name <img
- title=" Dieses Feld muss ausgefüllt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="rpfamilyname_" type="text" disabled="true"
- id="rpfamilyname" value="<rpfamilyname>" size="50" readonly="true" />
- </td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Geburtsdatum <img
- title=" Dieses Feld muss ausgefüllt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="rpdobyear_" type="text" disabled="true"
- id="rpdobyear" value="<rpdobyear>" size="4" maxlength="4"
- readonly="true" /> - <input name="rpdobmonth_" type="text"
- disabled="true" id="rpdobmonth" value="<rpdobmonth>" size="2"
- maxlength="2" readonly="true" /> - <input name="rpdobday_"
- type="text" disabled="true" id="rpdobday" value="<rpdobday>"
- size="2" maxlength="2" readonly="true" /></td>
- <td></td>
- </tr>
- <tr>
- <td colspan="2"><br /> <em>Ich bin berufsmäßig
- berechtigt für die nachfolgend genannte Person in deren Namen
- mit der Bürgerkarte einzuschreiten.</em></td>
- <td> </td>
- </tr>
- <tr>
- <td colspan="3"><br /> <em>Vertretene Person:</em></td>
- </tr>
- <tr>
- <td colspan="3"><input name="physical_" type="radio"
- physdisabled="" value="true" physselected="" /> natürliche
- Person: </td>
- </tr>
- <tr>
- <td align="right">Vorname <img
- title=" Dieses Feld muss ausgefüllt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="givenname_" type="text" id="givenname"
- value="<givenname>" physdisabled="" size="50" /> <img
- src="img/info.gif" title="Vorname laut ZMR Schreibweise" alt="Info"
- border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Name <img
- title=" Dieses Feld muss ausgefüllt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="familyname_" type="text" id="familyname"
- value="<familyname>" physdisabled="" size="50" /> <img
- src="img/info.gif" title="Familienname laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Geburtsdatum <img
- title=" Dieses Feld muss ausgefüllt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="dobyear_" type="text" id="dobyear" size="4"
- maxlength="4" value="<dobyear>" physdisabled="" /> - <input
- name="dobmonth_" type="text" id="dobmonth" size="2" maxlength="2"
- value="<dobmonth>" physdisabled="" /> - <input name="dobday_"
- type="text" id="dobday" size="2" maxlength="2" value="<dobday>"
- physdisabled="" /> <img src="img/info.gif"
- title="Format: JJJJ-MM-TT" alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="center"><em>optional:</em></td>
- <td colspan="2" />
- </tr>
- <tr>
- <td align="right">Straße </td>
- <td><input name="streetname_" type="text" id="streetname"
- value="<streetname>" physdisabled="" size="50" /> <img
- src="img/info.gif" title="Straße laut ZMR Schreibweise"
- border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Hausnummer </td>
- <td><input name="buildingnumber_" type="text"
- id="buildingnumber" value="<buildingnumber>" physdisabled=""
- size="50" /> <img src="img/info.gif"
- title="Hausnummer laut ZMR Schreibweise" alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Einh. Nr. </td>
- <td><input name="unit_" type="text" id="unit" value="<unit>"
- size="50" physdisabled="" /> <img src="img/info.gif"
- title="Nutzungseinheitsnummer laut ZMR Schreibweise" alt="Info"
- border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Postleitzahl </td>
- <td><input name="postalcode_" type="text" id="postalcode"
- value="<postalcode>" size="50" physdisabled="" /> <img
- src="img/info.gif" title="Postleitzahl laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Gemeinde </td>
- <td><input name="municipality_" type="text" id="municipality"
- value="<municipality>" size="50" physdisabled="" /> <img
- src="img/info.gif" title="Gemeinde laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td colspan="3"> </td>
- </tr>
- <tr>
- <td colspan="3"><input name="physical_" type="radio"
- cbdisabled="" value="false" cbselected=""/ > juristische
- Person: </td>
- </tr>
- <tr>
- <td align="right">Name <img
- title=" Dieses Feld muss ausgefüllt sein!" src="img/stern.gif"
- alt="Stern" width="10" height="16" /></td>
- <td><input name="fullname_" type="text" cbdisabled=""
- id="fullname" value="<fullname>" size="50" /> <img
- src="img/info.gif"
- title="Name der Organisation laut ZMR Schreibweise" alt="Info"
- border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right" nowrap="nowrap"><select
- name="cbidentificationtype_" size="1" cbseldisabled="">
- <option value="urn:publicid:gv.at:baseid+XFN" fnselected="">Firmenbuchnummer</option>
- <option value="urn:publicid:gv.at:baseid+XZVR" vrselected="">Vereinsnummer</option>
- <option value="urn:publicid:gv.at:baseid+XERSB" ersbselected="">Ord.Nr.im
- Ergänzungsreg.</option>
- </select> <img title=" Dieses Feld muss ausgefüllt sein!"
- src="img/stern.gif" alt="Stern" width="10" height="16" /></td>
- <td><input name="cbidentificationvalue_" type="text"
- cbdisabled="" id="cbidentificationvalue"
- value="<cbidentificationvalue>" size="50" /> <img
- src="img/info.gif" title="Ordnungsbegriff laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- </table>
- <br />
- <errortext>
- <p>
- <em>Bitte halten Sie Ihre Bürgerkartenumgebung bereit.</em>
- </p>
- <p>
- <input name="XMLRequest" type="hidden"
- value="<?xml version='1.0' encoding='UTF-8'?><NullOperationRequest xmlns='http://www.buergerkarte.at/namespaces/securitylayer/1.2#'/>" />
- <input name="DataURL" type="hidden" value="<DataURL>" /> <input
- type="submit" name="Submit" value=" Weiter " /> <input
- name="Clear" type="reset" id="Clear"
- value="Formular zurücksetzen" />
- </p>
- <br />
- </form>
-</body>
-</html>
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/ParepTemplate.html b/id/server/idserverlib/src/main/resources/resources/templates/ParepTemplate.html deleted file mode 100644 index cffc46981..000000000 --- a/id/server/idserverlib/src/main/resources/resources/templates/ParepTemplate.html +++ /dev/null @@ -1,235 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
-
-<html>
-<head>
-<BASE href="<BASE_href>">
- <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
- <title>Berufsmäßige Parteieinvertretung</title>
- <link href="css/styles.css" type="text/css" rel="stylesheet">
- <link href="css/styles_opera.css" type="text/css" rel="stylesheet">
- <link href="css/mandates.css" type="text/css" rel="stylesheet">
-
- <script src="formallg.js" type="text/javascript"></script>
- <script src="fa.js" type="text/javascript"></script>
-</head>
-<body>
-
-
- <div class="hleft">
- <!--Stammzahlenregisterbehörde<br/>-->
-
- <!--Ballhausplatz 2<br/>-->
- <!--1014 Wien-->
- </div>
- <div class="hright" align="right">
- <img src="img/egov_schrift.gif" alt="E-Gov Logo" />
- </div>
- <div class="htitle" align="left">
- <h1>Berufsmäßige Parteienvertretung</h1>
- </div>
- <div class="leiste1" align="center">Bitte beachten Sie</div>
- <div class="leiste2" align="center"></div>
- <div class="leiste3">
- <img title=" Dieses Feld muss ausgefüllt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /> Feld muss
- ausgefüllt sein
- </div>
- <div class="leiste3">
- <img title=" Hilfe zum Ausfüllen " alt="Info" src="img/info.gif"
- width="10" height="16" /> Ausfüllhilfe
- </div>
- <div class="leiste3">
- <img title=" Angabe bitte ergänzen oder richtig stellen! "
- alt="Rufezeichen" src="img/rufezeichen.gif" width="10" height="16" />
- Fehlerhinweis
- </div>
- <div style="clear: both"> </div>
-
- <h2>Berufsmäßige Parteienvertretung einer
- natürlichen/juristischen Person</h2>
- <div class="boundingbox">
- <form name="ProcessInputForm" method="post" accept-charset="UTF-8"
- enctype="application/x-www-form-urlencoded" action="<BKU>">
- <table width="80%" border="0">
- <tr />
- <tr />
- <tr>
- <td colspan="3"><em>Vertreter:</em></td>
- </tr>
- <tr>
- <td align="right" width="20%">Vorname <img
- title=" Dieses Feld muss ausgefüllt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="rpgivenname_" type="text" disabled="true"
- id="rpgivenname" value="<rpgivenname>" size="50" readonly="true" />
- </td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Name <img
- title=" Dieses Feld muss ausgefüllt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="rpfamilyname_" type="text" disabled="true"
- id="rpfamilyname" value="<rpfamilyname>" size="50" readonly="true" />
- </td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Geburtsdatum <img
- title=" Dieses Feld muss ausgefüllt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="rpdobyear_" type="text" disabled="true"
- id="rpdobyear" value="<rpdobyear>" size="4" maxlength="4"
- readonly="true" /> - <input name="rpdobmonth_" type="text"
- disabled="true" id="rpdobmonth" value="<rpdobmonth>" size="2"
- maxlength="2" readonly="true" /> - <input name="rpdobday_"
- type="text" disabled="true" id="rpdobday" value="<rpdobday>"
- size="2" maxlength="2" readonly="true" /></td>
- <td></td>
- </tr>
- <tr>
- <td colspan="2"><br /> <em>Ich bin berufsmäßig
- berechtigt für die nachfolgend genannte Person in deren
- Namen mit der Bürgerkarte einzuschreiten.</em></td>
- <td> </td>
- </tr>
- <tr>
- <td colspan="3"><br /> <em>Vertretene Person:</em></td>
- </tr>
- <tr>
- <td colspan="3"><input name="physical_" type="radio"
- physdisabled="" value="true" physselected="" /> natürliche
- Person: </td>
- </tr>
- <tr>
- <td align="right">Vorname <img
- title=" Dieses Feld muss ausgefüllt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="givenname_" type="text" id="givenname"
- value="<givenname>" physdisabled="" size="50" /> <img
- src="img/info.gif" title="Vorname laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Name <img
- title=" Dieses Feld muss ausgefüllt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="familyname_" type="text" id="familyname"
- value="<familyname>" physdisabled="" size="50" /> <img
- src="img/info.gif" title="Familienname laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Geburtsdatum <img
- title=" Dieses Feld muss ausgefüllt sein!" alt="Stern"
- src="img/stern.gif" width="10" height="16" /></td>
- <td><input name="dobyear_" type="text" id="dobyear" size="4"
- maxlength="4" value="<dobyear>" physdisabled="" /> - <input
- name="dobmonth_" type="text" id="dobmonth" size="2" maxlength="2"
- value="<dobmonth>" physdisabled="" /> - <input name="dobday_"
- type="text" id="dobday" size="2" maxlength="2" value="<dobday>"
- physdisabled="" /> <img src="img/info.gif"
- title="Format: JJJJ-MM-TT" alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="center"><em>optional:</em></td>
- <td colspan="2" />
- </tr>
- <tr>
- <td align="right">Straße </td>
- <td><input name="streetname_" type="text" id="streetname"
- value="<streetname>" physdisabled="" size="50" /> <img
- src="img/info.gif" title="Straße laut ZMR Schreibweise"
- border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Hausnummer </td>
- <td><input name="buildingnumber_" type="text"
- id="buildingnumber" value="<buildingnumber>" physdisabled=""
- size="50" /> <img src="img/info.gif"
- title="Hausnummer laut ZMR Schreibweise" alt="Info" border="0" />
- </td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Einh. Nr. </td>
- <td><input name="unit_" type="text" id="unit" value="<unit>"
- size="50" physdisabled="" /> <img src="img/info.gif"
- title="Nutzungseinheitsnummer laut ZMR Schreibweise" alt="Info"
- border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Postleitzahl </td>
- <td><input name="postalcode_" type="text" id="postalcode"
- value="<postalcode>" size="50" physdisabled="" /> <img
- src="img/info.gif" title="Postleitzahl laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right">Gemeinde </td>
- <td><input name="municipality_" type="text" id="municipality"
- value="<municipality>" size="50" physdisabled="" /> <img
- src="img/info.gif" title="Gemeinde laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td colspan="3"> </td>
- </tr>
- <tr>
- <td colspan="3"><input name="physical_" type="radio"
- cbdisabled="" value="false" cbselected=""/ > juristische
- Person: </td>
- </tr>
- <tr>
- <td align="right">Name <img
- title=" Dieses Feld muss ausgefüllt sein!"
- src="img/stern.gif" alt="Stern" width="10" height="16" /></td>
- <td><input name="fullname_" type="text" cbdisabled=""
- id="fullname" value="<fullname>" size="50" /> <img
- src="img/info.gif"
- title="Name der Organisation laut ZMR Schreibweise" alt="Info"
- border="0" /></td>
- <td></td>
- </tr>
- <tr>
- <td align="right" nowrap="nowrap"><select
- name="cbidentificationtype_" size="1" cbseldisabled="">
- <option value="urn:publicid:gv.at:baseid+XFN" fnselected="">Firmenbuchnummer</option>
- <option value="urn:publicid:gv.at:baseid+XZVR" vrselected="">Vereinsnummer</option>
- <option value="urn:publicid:gv.at:baseid+XERSB" ersbselected="">Ord.Nr.im
- Ergänzungsreg.</option>
- </select> <img title=" Dieses Feld muss ausgefüllt sein!"
- src="img/stern.gif" alt="Stern" width="10" height="16" /></td>
- <td><input name="cbidentificationvalue_" type="text"
- cbdisabled="" id="cbidentificationvalue"
- value="<cbidentificationvalue>" size="50" /> <img
- src="img/info.gif" title="Ordnungsbegriff laut ZMR Schreibweise"
- alt="Info" border="0" /></td>
- <td></td>
- </tr>
- </table>
- <br />
- <errortext>
- <p>
- <em>Bitte halten Sie Ihre Bürgerkartenumgebung bereit.</em>
- </p>
- <p>
- <input name="XMLRequest" type="hidden"
- value="<?xml version='1.0' encoding='UTF-8'?><NullOperationRequest xmlns='http://www.buergerkarte.at/namespaces/securitylayer/1.2#'/>" />
- <input name="DataURL" type="hidden" value="<DataURL>" /> <input
- type="submit" name="Submit" value=" Weiter " /> <input
- name="Clear" type="reset" id="Clear"
- value="Formular zurücksetzen" />
- </p>
- <br />
- </form>
- </div>
-</body>
-</html>
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/fetchGender.html b/id/server/idserverlib/src/main/resources/resources/templates/fetchGender.html deleted file mode 100644 index f47ee53ff..000000000 --- a/id/server/idserverlib/src/main/resources/resources/templates/fetchGender.html +++ /dev/null @@ -1,16 +0,0 @@ -<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> - - <body> - <form action="${action}" method="post" target="_parent"> - <div> - <input type="hidden" name="SAMLResponse" value="${SAMLResponse}"/> - </div> - <p>Please indicate the gender of the represented.</p> - <div> - <input type="submit" name="gender" value="M"/> - <input type="submit" name="gender" value="F"/> - </div> - </form> - - </body> -</html>
\ No newline at end of file diff --git a/id/server/idserverlib/src/main/resources/resources/templates/oasis_dss_webform_binding.vm b/id/server/idserverlib/src/main/resources/resources/templates/oasis_dss_webform_binding.vm deleted file mode 100644 index 7fcc1bb36..000000000 --- a/id/server/idserverlib/src/main/resources/resources/templates/oasis_dss_webform_binding.vm +++ /dev/null @@ -1,36 +0,0 @@ -## -## Velocity Template for OASIS WEBFORM BINDING -## -## Velocity context may contain the following properties -## action - String - the action URL for the form -## signresponse - String - the Base64 encoded SAML Request -## verifyresponse - String - the Base64 encoded SAML Response -## clienturl - String - URL where the USer gets redirected after the signature process - -<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> - - <body onload="document.forms[0].submit()"> - <noscript> - <p> - <strong>Note:</strong> Since your browser does not support JavaScript, - you must press the Continue button once to proceed. - </p> - </noscript> - - <form action="${action}" method="post"> - <div> - #if($signrequest)<input type="hidden" name="signrequest" value="${signrequest}"/>#end - - #if($verifyrequest)<input type="hidden" name="verifyrequest" value="${verifyrequest}"/>#end - #if($clienturl)<input type="hidden" name="clienturl" value="${clienturl}"/>#end - - </div> - <noscript> - <div> - <input type="submit" value="Continue"/> - </div> - </noscript> - </form> - - </body> -</html>
\ No newline at end of file diff --git a/id/server/idserverlib/src/main/resources/templates/pvp_postbinding_template.html b/id/server/idserverlib/src/main/resources/templates/pvp_postbinding_template.html new file mode 100644 index 000000000..45c183215 --- /dev/null +++ b/id/server/idserverlib/src/main/resources/templates/pvp_postbinding_template.html @@ -0,0 +1,46 @@ +## ## Velocity Template for SAML 2 HTTP-POST binding ## ## Velocity +##context may contain the following properties ## action - String - the +##action URL for the form ## RelayState - String - the relay state for the +##message ## SAMLRequest - String - the Base64 encoded SAML Request ## +##SAMLResponse - String - the Base64 encoded SAML Response +<!DOCTYPE html> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> + +<body onload="document.forms[0].submit()"> + <noscript> + <p> + <strong>Note:</strong> Since your browser does not support + JavaScript, you must press the Continue button once to proceed. + </p> + </noscript> + + + <div id="alert">Your login is being processed. Thank you for + waiting.</div> + + <style type="text/css"> +<!-- +#alert { + margin: 100px 250px; + font-family: Verdana, Arial, Helvetica, sans-serif; + font-size: 14px; + font-weight: normal; +} +--> +</style> + + <form action="${action}" method="post" target="_parent"> + <div> + #if($RelayState) <input type="hidden" name="RelayState" value="${RelayState}"/> #end + #if($SAMLRequest) <input type="hidden" name="SAMLRequest" value="${SAMLRequest}" /> #end + #if($SAMLResponse) <input type="hidden" name="SAMLResponse" value="${SAMLResponse}" /> #end + </div> + <noscript> + <div> + <input type="submit" value="Continue" /> + </div> + </noscript> + </form> + +</body> +</html>
\ No newline at end of file diff --git a/id/server/moa-id-commons/pom.xml b/id/server/moa-id-commons/pom.xml index c4007fc80..fd8ddc7fb 100644 --- a/id/server/moa-id-commons/pom.xml +++ b/id/server/moa-id-commons/pom.xml @@ -215,7 +215,7 @@ <dependency> <groupId>com.sun.xml.bind</groupId> <artifactId>jaxb-xjc</artifactId> - <version>2.2.11</version> + <version>2.3.0</version> </dependency> <dependency> @@ -227,7 +227,7 @@ <dependency> <groupId>org.jvnet.jaxb2_commons</groupId> <artifactId>jaxb2-basics-runtime</artifactId> - <version>0.11.0</version> + <version>1.11.1</version> </dependency> <dependency> @@ -257,7 +257,7 @@ <dependency> <groupId>org.springframework.data</groupId> <artifactId>spring-data-jpa</artifactId> - <version>1.10.4.RELEASE</version> + <version>${org.springframework.data.spring-data-jpa}</version> </dependency> @@ -301,7 +301,7 @@ <dependency> <groupId>org.apache.commons</groupId> <artifactId>commons-dbcp2</artifactId> - <version>2.1.1</version> + <version>${org.apache.commons.commons.dbcp2}</version> </dependency> <dependency> diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java index b16941f51..6f6735d48 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java @@ -9,6 +9,7 @@ import java.util.HashMap; import java.util.List; import java.util.Map; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import iaik.asn1.ObjectID; @@ -123,12 +124,12 @@ public class MOAIDAuthConstants extends MOAIDConstants{ /** List of OWs */ public static final List<ObjectID> OW_LIST = Arrays.asList( new ObjectID(OW_ORGANWALTER)); - - /**BKU type identifiers to use bkuURI from configuration*/ - public static final String REQ_BKU_TYPE_LOCAL = "local"; - public static final String REQ_BKU_TYPE_ONLINE = "online"; - public static final String REQ_BKU_TYPE_HANDY = "handy"; - public static final List<String> REQ_BKU_TYPES = Arrays.asList(REQ_BKU_TYPE_LOCAL, REQ_BKU_TYPE_ONLINE, REQ_BKU_TYPE_HANDY); + + public static final List<String> REQ_BKU_TYPES = Arrays.asList( + IOAAuthParameters.HANDYBKU, + IOAAuthParameters.LOCALBKU, + IOAAuthParameters.THIRDBKU, + IOAAuthParameters.ONLINEBKU); public static final List<String> LEGACYPARAMETERWHITELIST = Arrays.asList(PARAM_TARGET, PARAM_BKU, PARAM_OA, PARAM_TEMPLATE, PARAM_USEMANDATE, PARAM_CCC, PARAM_SOURCEID); @@ -171,24 +172,32 @@ public class MOAIDAuthConstants extends MOAIDConstants{ public static final String REGEX_PATTERN_TARGET = "^[A-Za-z]{2}(-.*)?$"; + //MDC variables for logging public static final String MDC_TRANSACTION_ID = "transactionId"; public static final String MDC_SESSION_ID = "sessionId"; + public static final String MDC_SERVICEPROVIDER_ID = "oaId"; //AuthnRequest IssueInstant validation public static final int TIME_JITTER = 5; //all 5 minutes time jitter - + + //General MOASession data-store keys + public static final String MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE = "holderofkey_cert"; + + //Process context keys public static final String PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH = "interfederationAuthentication"; public static final String PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION = "requireLocalAuthentication"; public static final String PROCESSCONTEXT_PERFORM_BKUSELECTION = "performBKUSelection"; public static final String PROCESSCONTEXT_ISLEGACYREQUEST = "isLegacyRequest"; public static final String PROCESSCONTEXT_UNIQUE_OA_IDENTFIER = "uniqueSPId"; + public static final String PROCESSCONTEXT_SSL_CLIENT_CERTIFICATE = MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE; //General protocol-request data-store keys + public static final String AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE = "authProces_SecurityLayerTemplate"; + + @Deprecated public static final String AUTHPROCESS_DATA_TARGET = "authProces_Target"; + @Deprecated public static final String AUTHPROCESS_DATA_TARGETFRIENDLYNAME = "authProces_TargetFriendlyName"; - public static final String AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE = "authProces_SecurityLayerTemplate"; - //General MOASession data-store keys - public static final String MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE = "holderofkey_cert"; - + } diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java index e9f9a7e80..98f0616a5 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDConstants.java @@ -28,6 +28,8 @@ import java.util.Hashtable; import java.util.List; import java.util.Map; +import at.gv.egovernment.moa.util.Constants; + /** * @author tlenz * @@ -40,9 +42,15 @@ public class MOAIDConstants { public static final String FILE_URI_PREFIX = "file:/"; - public static final String PREFIX_WPBK = "urn:publicid:gv.at:wbpk+"; - public static final String PREFIX_STORK = "urn:publicid:gv.at:storkid+"; - public static final String PREFIX_EIDAS = "urn:publicid:gv.at:eidasid+"; + public static final String PREFIX_BASEID = Constants.URN_PREFIX_BASEID; + public static final String PREFIX_PBK = Constants.URN_PREFIX_BPK; + public static final String PREFIX_HPI = Constants.URN_PREFIX_HPI; + + public static final String PREFIX_CDID = Constants.URN_PREFIX_CDID + "+"; + public static final String PREFIX_WPBK = Constants.URN_PREFIX_WBPK + "+"; + public static final String PREFIX_STORK = Constants.URN_PREFIX_STORK + "+"; + public static final String PREFIX_EIDAS = Constants.URN_PREFIX_EIDAS + "+"; + public static final String IDENIFICATIONTYPE_FN = "FN"; public static final String IDENIFICATIONTYPE_ERSB = "ERSB"; diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java index bba6d0541..1e1bfa94b 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java @@ -31,6 +31,7 @@ import at.gv.egovernment.moa.id.commons.api.data.CPEPS; import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters; import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute; import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; /** * @author tlenz @@ -38,9 +39,16 @@ import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin; */ public interface IOAAuthParameters { - public static final String ONLINEBKU = "online"; + public static final String CONFIG_KEY_RESTRICTIONS_BASEID_INTERNAL = "configuration.restrictions.baseID.idpProcessing"; + public static final String CONFIG_KEY_RESTRICTIONS_BASEID_TRANSMISSION = "configuration.restrictions.baseID.spTransmission"; + + public static final String THIRDBKU = "thirdBKU"; public static final String HANDYBKU = "handy"; public static final String LOCALBKU = "local"; + + @Deprecated + public static final String ONLINEBKU = "online"; + public static final String INDERFEDERATEDIDP = "interfederated"; public static final String EIDAS = "eIDAS"; public static final String AUTHTYPE_OTHERS = "others"; @@ -63,20 +71,52 @@ public interface IOAAuthParameters { public String getFriendlyName(); public String getPublicURLPrefix(); - - public String getOaType(); - public boolean getBusinessService(); + /** + * Indicates if this online applications has private area restrictions that disallow baseId processing in general + * This restriction is evaluated from area-identifier of this online application and a policy from configuration. + * The configuration key 'configuration.restrictions.baseID.idpProcessing' specifies a list of comma-separated values + * of area-identifier prefixes that are allowed to receive a baseID. By default only the prefix + * 'urn:publicid:gv.at:cdid+' is allowed to receive baseIDs + * + * @return true if there is a restriction, otherwise false + * @throws ConfigurationException In case of online-application configuration has public and private identifies + */ + public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException; + /** - * Get target of a public service-provider + * Indicates if this online applications has private area restrictions that disallow baseId transfer to OA + * This restriction is evaluated from area-identifier of this online application and a policy from configuration. + * The configuration key 'configuration.restrictions.baseID.spTransmission' specifies a list of comma-separated values + * of area-identifier prefixes that are allowed to receive a baseID. By default only the prefix + * 'urn:publicid:gv.at:cdid+' is allowed to receive baseIDs * - * @return target identifier without prefix + * @return true if there is a restriction, otherwise false + * @throws ConfigurationException In case of online-application configuration has public and private identifies */ - public String getTarget(); + public boolean hasBaseIdTransferRestriction() throws ConfigurationException; - public String getTargetFriendlyName(); + /** + * Get the full area-identifier for this online application to calculate the + * area-specific unique person identifier (bPK, wbPK, eIDAS unique identifier, ...). + * This identifier always contains the full prefix + * + * @return area identifier with prefix + * @throws ConfigurationException In case of online-application configuration has public and private identifies + */ + public String getAreaSpecificTargetIdentifier() throws ConfigurationException; + + /** + * Get a friendly name for the specific area-identifier of this online application + * + * @return fiendly name of the area-identifier + * @throws ConfigurationException In case of online-application configuration has public and private identifies + */ + public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException; + + public boolean isInderfederationIDP(); public boolean isSTORKPVPGateway(); @@ -84,13 +124,6 @@ public interface IOAAuthParameters { public boolean isRemovePBKFromAuthBlock(); /** - * Return the private-service domain-identifier with PreFix - * - * @return the identityLinkDomainIdentifier - */ - public String getIdentityLinkDomainIdentifier(); - - /** * @return the keyBoxIdentifier */ public String getKeyBoxIdentifier(); @@ -138,11 +171,6 @@ public interface IOAAuthParameters { */ public List<String> getMandateProfiles(); - /** - * @return the identityLinkDomainIdentifierType - */ - public String getIdentityLinkDomainIdentifierType(); - public boolean isShowMandateCheckBox(); public boolean isOnlyMandateAllowed(); diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java index b8284c8f9..93f26051c 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/ConfigurationMigrationUtils.java @@ -143,7 +143,9 @@ public class ConfigurationMigrationUtils { if (MiscUtil.isNotEmpty(oa.getEventCodes())) { result.put(MOAIDConfigurationConstants.SERVICE_REVERSION_LOGS_EVENTCODES, oa.getEventCodes()); } - + + result.put(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL, oa.getMandateServiceSelectionTemplateURL()); + result.put(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL, oa.getSaml2PostBindingTemplateURL()); //convert target String target_full = oa.getTarget(); @@ -206,7 +208,7 @@ public class ConfigurationMigrationUtils { if (bkuurls != null) { result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY, bkuurls.getHandyBKU()); result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_LOCAL, bkuurls.getLocalBKU()); - result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE, bkuurls.getOnlineBKU()); + result.put(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD, bkuurls.getOnlineBKU()); } @@ -769,6 +771,9 @@ public class ConfigurationMigrationUtils { } dbOA.setSelectedSZRGWServiceURL(oa.get(MOAIDConfigurationConstants.SERVICE_EXTERNAL_SZRGW_SERVICE_URL)); + + dbOA.setMandateServiceSelectionTemplateURL(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL)); + dbOA.setSaml2PostBindingTemplateURL(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL)); if (Boolean.valueOf(oa.get(MOAIDConfigurationConstants.SERVICE_BUSINESSSERVICE))) { dbOA.setType(MOA_CONFIG_BUSINESSSERVICE); @@ -826,7 +831,7 @@ public class ConfigurationMigrationUtils { authoa.setBKUURLS(bkuruls); bkuruls.setHandyBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY)); bkuruls.setLocalBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_LOCAL)); - bkuruls.setOnlineBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_ONLINE)); + bkuruls.setOnlineBKU(oa.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD)); //store SecurtiyLayerTemplates TemplatesType templates = authoa.getTemplates(); @@ -1433,7 +1438,7 @@ public class ConfigurationMigrationUtils { defaultbkus.getHandyBKU()); result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL, defaultbkus.getLocalBKU()); - result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE, + result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD, defaultbkus.getOnlineBKU()); } @@ -1443,7 +1448,7 @@ public class ConfigurationMigrationUtils { slreq.getHandyBKU()); result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL, slreq.getLocalBKU()); - result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE, + result.put(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD, slreq.getOnlineBKU()); } @@ -1706,8 +1711,8 @@ public class ConfigurationMigrationUtils { if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_HANDY))) dbbkus.setHandyBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_HANDY)); - if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE))) - dbbkus.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_ONLINE)); + if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD))) + dbbkus.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_THIRD)); if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL))) dbbkus.setLocalBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_BKU_LOCAL)); @@ -1895,8 +1900,8 @@ public class ConfigurationMigrationUtils { slrequesttempl.setHandyBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_HANDY)); if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL))) slrequesttempl.setLocalBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_LOCAL)); - if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE))) - slrequesttempl.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_ONLINE)); + if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD))) + slrequesttempl.setOnlineBKU(moaconfig.get(MOAIDConfigurationConstants.GENERAL_DEFAULTS_TEMPLATES_THIRD)); if (MiscUtil.isNotEmpty(moaconfig.get(MOAIDConfigurationConstants.GENERAL_AUTH_TRUSTSTORE_URL))) dbconfig.setTrustedCACertificates(moaconfig.get(MOAIDConfigurationConstants.GENERAL_AUTH_TRUSTSTORE_URL)); diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java index 9fe90daa4..695df3123 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/config/MOAIDConfigurationConstants.java @@ -70,7 +70,7 @@ public final class MOAIDConfigurationConstants extends MOAIDConstants { public static final String SERVICE_AUTH_TARGET_PUBLIC_OWN_NAME = SERVICE_AUTH_TARGET_PUBLIC + ".own.name"; private static final String SERVICE_AUTH_BKU = AUTH + "." + BKU; - public static final String SERVICE_AUTH_BKU_ONLINE = SERVICE_AUTH_BKU + ".onlineBKU"; + public static final String SERVICE_AUTH_BKU_THIRD = SERVICE_AUTH_BKU + ".onlineBKU"; public static final String SERVICE_AUTH_BKU_LOCAL = SERVICE_AUTH_BKU + ".localBKU"; public static final String SERVICE_AUTH_BKU_HANDY = SERVICE_AUTH_BKU + ".handyBKU"; public static final String SERVICE_AUTH_BKU_KEYBOXIDENTIFIER = SERVICE_AUTH_BKU + ".keyBoxIdentifier"; @@ -105,6 +105,9 @@ public final class MOAIDConfigurationConstants extends MOAIDConstants { public static final String SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETHEIGHT = SERVICE_AUTH_TEMPLATES_CUSTOMIZATION + ".applet.hight"; public static final String SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETWIDTH = SERVICE_AUTH_TEMPLATES_CUSTOMIZATION + ".applet.width"; + public static final String SERVICE_AUTH_TEMPLATES_SAML2POSTBINDING_URL = SERVICE_AUTH_TEMPLATES + ".saml2.postbinding.url"; + public static final String SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL = SERVICE_AUTH_TEMPLATES + ".elga.mandateserviceselection.url"; + private static final String SERVICE_AUTH_TESTCREDENTIALS = AUTH + "." + TESTCREDENTIALS; public static final String SERVICE_AUTH_TESTCREDENTIALS_ENABLED = SERVICE_AUTH_TESTCREDENTIALS + ".enabled"; public static final String SERVICE_AUTH_TESTCREDENTIALS_OIDs = SERVICE_AUTH_TESTCREDENTIALS + ".oids"; @@ -193,13 +196,13 @@ public final class MOAIDConfigurationConstants extends MOAIDConstants { private static final String GENERAL_DEFAULTS = PREFIX_MOAID_GENERAL + ".defaults"; private static final String GENERAL_DEFAULTS_BKU = GENERAL_DEFAULTS + "." + BKU; - public static final String GENERAL_DEFAULTS_BKU_ONLINE = GENERAL_DEFAULTS_BKU + ".onlineBKU"; + public static final String GENERAL_DEFAULTS_BKU_THIRD = GENERAL_DEFAULTS_BKU + ".onlineBKU"; public static final String GENERAL_DEFAULTS_BKU_HANDY = GENERAL_DEFAULTS_BKU + ".handyBKU"; public static final String GENERAL_DEFAULTS_BKU_LOCAL = GENERAL_DEFAULTS_BKU + ".localBKU"; private static final String GENERAL_DEFAULTS_TEMPLATES = GENERAL_DEFAULTS + "." + TEMPLATES; public static final String GENERAL_DEFAULTS_TEMPLATES_LOCAL = GENERAL_DEFAULTS_TEMPLATES + ".localBKU"; public static final String GENERAL_DEFAULTS_TEMPLATES_HANDY = GENERAL_DEFAULTS_TEMPLATES + ".handyBKU"; - public static final String GENERAL_DEFAULTS_TEMPLATES_ONLINE = GENERAL_DEFAULTS_TEMPLATES + ".onlineBKU"; + public static final String GENERAL_DEFAULTS_TEMPLATES_THIRD = GENERAL_DEFAULTS_TEMPLATES + ".onlineBKU"; private static final String GENERAL_AUTH = PREFIX_MOAID_GENERAL + ".auth"; private static final String GENERAL_AUTH_CERTIFICATE = GENERAL_AUTH + ".certificate"; diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/deprecated/OnlineApplication.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/deprecated/OnlineApplication.java index 4aee10bc1..196923ce6 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/deprecated/OnlineApplication.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/config/deprecated/OnlineApplication.java @@ -109,10 +109,44 @@ public class OnlineApplication @XmlTransient protected String selectedSZRGWServiceURL = null; + @XmlTransient + protected String saml2PostBindingTemplateURL = null; + + @XmlTransient + protected String mandateServiceSelectionTemplateURL = null; + /** + * @return the saml2PostBindingTemplateURL + */ + public String getSaml2PostBindingTemplateURL() { + return saml2PostBindingTemplateURL; + } + + /** + * @param saml2PostBindingTemplateURL the saml2PostBindingTemplateURL to set + */ + public void setSaml2PostBindingTemplateURL(String saml2PostBindingTemplateURL) { + this.saml2PostBindingTemplateURL = saml2PostBindingTemplateURL; + } + + /** + * @return the mandateServiceSelectionTemplateURL + */ + public String getMandateServiceSelectionTemplateURL() { + return mandateServiceSelectionTemplateURL; + } + + /** + * @param mandateServiceSelectionTemplateURL the mandateServiceSelectionTemplateURL to set + */ + public void setMandateServiceSelectionTemplateURL(String mandateServiceSelectionTemplateURL) { + this.mandateServiceSelectionTemplateURL = mandateServiceSelectionTemplateURL; + } + + /** * @return the selectedSZRGWServiceURL */ public String getSelectedSZRGWServiceURL() { diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java index 9fc6f799d..dd606ea18 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/MOAIDTrustManager.java @@ -57,6 +57,8 @@ import java.util.ArrayList; import java.util.List; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moaspss.logging.LoggingContext; import at.gv.egovernment.moaspss.logging.LoggingContextManager; import iaik.pki.jsse.IAIKX509TrustManager; @@ -72,21 +74,27 @@ import iaik.pki.jsse.IAIKX509TrustManager; public class MOAIDTrustManager extends IAIKX509TrustManager { /** an x509Certificate array containing all accepted server certificates*/ - private X509Certificate[] acceptedServerCertificates; + private X509Certificate[] acceptedServerCertificates = null; /** * Constructor * @param acceptedServerCertificateStoreURL the url leading to the acceptedServer cert store * @throws GeneralSecurityException occurs on security errors * @throws IOException occurs on IO errors + * @throws SSLConfigurationException */ public MOAIDTrustManager(String acceptedServerCertificateStoreURL) - throws IOException, GeneralSecurityException { + throws IOException, GeneralSecurityException, SSLConfigurationException { - if (acceptedServerCertificateStoreURL != null) - buildAcceptedServerCertificates(acceptedServerCertificateStoreURL); - else - acceptedServerCertificates = null; + if (acceptedServerCertificateStoreURL != null && MiscUtil.isNotEmpty(acceptedServerCertificateStoreURL.trim())) { + Logger.info("Initialize SSL-TrustStore with explicit accepted server-certificates"); + buildAcceptedServerCertificates(acceptedServerCertificateStoreURL); + + } else { + Logger.info("Initialize SSL-TrustStore without explicit accepted server-certificates"); + acceptedServerCertificates = null; + + } } @@ -111,26 +119,72 @@ public class MOAIDTrustManager extends IAIKX509TrustManager { * containing accepted server X509 certificates * @throws GeneralSecurityException on security errors * @throws IOException on any IO errors + * @throws SSLConfigurationException */ private void buildAcceptedServerCertificates(String acceptedServerCertificateStoreURL) - throws IOException, GeneralSecurityException { - + throws IOException, GeneralSecurityException, SSLConfigurationException { List<X509Certificate> certList = new ArrayList<X509Certificate>(); URL storeURL = new URL(acceptedServerCertificateStoreURL); + + //check URL to TrustStore + if (storeURL.getFile() == null) { + Logger.error("Can NOT initialize SSLTrustManager. TrustStore: " + acceptedServerCertificateStoreURL + + " is NOT found"); + throw new SSLConfigurationException("config.29", new Object[]{acceptedServerCertificateStoreURL, "File or Directory NOT found!"}); + + } File storeDir = new File(storeURL.getFile()); - // list certificate files in directory - File[] certFiles = storeDir.listFiles(); + + //check directory and files + if (storeDir == null || storeDir.listFiles() == null) { + Logger.error("Can NOT initialize SSLTrustManager. TrustStore: " + acceptedServerCertificateStoreURL + + " is NOT found"); + throw new SSLConfigurationException("config.29", new Object[]{acceptedServerCertificateStoreURL, "Files or Directory NOT found!"}); + + } + + // list certificate files in directory + File[] certFiles = storeDir.listFiles(); for (int i = 0; i < certFiles.length; i++) { - // for each: create an X509Certificate and store it in list - File certFile = certFiles[i]; - FileInputStream fis = new FileInputStream(certFile.getPath()); - CertificateFactory certFact = CertificateFactory.getInstance("X.509"); - X509Certificate cert = (X509Certificate)certFact.generateCertificate(fis); - fis.close(); - certList.add(cert); + // for each: create an X509Certificate and store it in list + File certFile = certFiles[i]; + FileInputStream fis = null; + try { + fis = new FileInputStream(certFile.getPath()); + CertificateFactory certFact = CertificateFactory.getInstance("X.509"); + X509Certificate cert = (X509Certificate)certFact.generateCertificate(fis); + certList.add(cert); + + } catch (Exception e) { + Logger.error("Can NOT initialize SSLTrustManager. Certificate: " + certFile.getPath() + + " is not loadable, Reason: " + e.getMessage()); + + if (Logger.isDebugEnabled()) { + try { + if (fis != null) + Logger.debug("Certificate: " + Base64Utils.encode(fis)); + + } catch (Exception e1) { + Logger.warn("Can NOT log content of certificate: " + certFile.getPath() + + ". Reason: " + e.getMessage(), e); + + } + } + + throw new SSLConfigurationException("config.28", new Object[]{certFile.getPath(), e.getMessage()}, e); + + } finally { + if (fis != null) + fis.close(); + + } } + // store acceptedServerCertificates acceptedServerCertificates = (X509Certificate[]) certList.toArray(new X509Certificate[0]); + Logger.debug("Add #" + acceptedServerCertificates.length + + " certificates as 'AcceptedServerCertificates' from: " + acceptedServerCertificateStoreURL ); + } /** diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java index 109390132..abf2d211c 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/ssl/SSLUtils.java @@ -49,7 +49,6 @@ package at.gv.egovernment.moa.id.commons.utils.ssl; import java.io.IOException; import java.security.GeneralSecurityException; import java.security.KeyStore; -import java.security.Security; import java.util.HashMap; import java.util.Map; @@ -66,8 +65,6 @@ import at.gv.egovernment.moaspss.logging.LoggingContextManager; import iaik.pki.DefaultPKIConfiguration; import iaik.pki.PKIException; import iaik.pki.PKIFactory; -//import iaik.pki.jsse.IAIKX509TrustManager; -import iaik.security.provider.IAIK; /** @@ -83,18 +80,18 @@ public class SSLUtils { /** SSLSocketFactory store, mapping URL->SSLSocketFactory **/ private static Map<String, SSLSocketFactory> sslSocketFactories = new HashMap<String, SSLSocketFactory>(); - /** - * Initializes the SSLSocketFactory store. - */ - public static void initialize() { - sslSocketFactories = new HashMap<String, SSLSocketFactory>(); - // JSSE Abhängigkeit - //Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider()); - Security.addProvider(new IAIK()); - //System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol"); - - - } +// /** +// * Initializes the SSLSocketFactory store. +// */ +// public static void initialize() { +// sslSocketFactories = new HashMap<String, SSLSocketFactory>(); +// // JSSE Abhängigkeit +// //Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider()); +// Security.addProvider(new IAIK()); +// //System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol"); +// +// +// } /** * IAIK PKI module and MOA-SIG uses a ThreadLocal variable for logging diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java index 2a4e3b362..1d94e5da0 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/Constants.java @@ -454,7 +454,6 @@ public interface Constants { /** URN prefix for context dependent id (stork). */ public static final String URN_PREFIX_STORK = URN_PREFIX + ":storkid"; - //TODO: update to eIDAS prefix /** URN prefix for context dependent id (eIDAS). */ public static final String URN_PREFIX_EIDAS = URN_PREFIX + ":eidasid"; diff --git a/id/server/moa-id-frontend-resources/pom.xml b/id/server/moa-id-frontend-resources/pom.xml index 64ebc14b6..342cedac8 100644 --- a/id/server/moa-id-frontend-resources/pom.xml +++ b/id/server/moa-id-frontend-resources/pom.xml @@ -29,6 +29,78 @@ <repositoryPath>${basedir}/../../../../repository</repositoryPath> </properties> + <build> + <plugins> + <plugin> + <groupId>org.codehaus.mojo</groupId> + <artifactId>groovy-maven-plugin</artifactId> + <version>1.5</version> + <executions> + <execution> + <phase>generate-resources</phase> + <goals> + <goal>execute</goal> + </goals> + <configuration> + <source> + <![CDATA[ + println("==== Creating version.txt ===="); + File mainDir = new File("${basedir}/src/main/resources"); + if(mainDir.exists() && !mainDir.isDirectory()) { + println("Main dir does not exist, wont create version.txt!"); + return; + } + File confDir = new File("${basedir}/src/main/resources/mainGUI"); + if(confDir.exists() && !confDir.isDirectory()) { + println("Conf dir is not a directory, wont create version.txt!"); + return; + } + if(!confDir.exists()) { + confDir.mkdir(); + } + File versionFile = new File("${basedir}/src/main/resources/mainGUI/version.txt"); + if(versionFile.exists() && versionFile.isDirectory()) { + println("Version file exists and is directory! Wont overwrite"); + return; + } + if(versionFile.exists() && !versionFile.isDirectory()) { + println("Version file already exists, overwriting!"); + } + println("Creating Version File"); + BufferedWriter writer = new BufferedWriter(new FileWriter(versionFile)); + + writer.write("groupId = ${project.groupId}"); + writer.newLine(); + writer.write("version = ${project.version}"); + writer.newLine(); + writer.write("timestamp = ${maven.build.timestamp}"); + + String buildTag = ""; + String buildNumber = ""; + String buildId = ""; + try { + buildTag = "${BUILD_TAG}"; + buildNumber = "${BUILD_NUMBER}"; + buildId = "${BUILD_ID}"; + + writer.write("BUILD_TAG = " + buildTag + "\n"); + writer.write("BUILD_NUMBER = " + buildNumber + "\n"); + writer.write("BUILD_ID = " + buildId + "\n"); + + } catch (Exception e) { + println("============= Could not find BUILD_TAG probably this is not a Jenkins/Hudson build ==========="); + } + + writer.close(); + ]]> + </source> + </configuration> + </execution> + </executions> + </plugin> + </plugins> + </build> + <dependencies> <dependency> <groupId>MOA.id.server</groupId> diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/ServiceProviderSpecificGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java index 63df81b3c..da38e3bef 100644 --- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/ServiceProviderSpecificGUIFormBuilderConfiguration.java +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java @@ -39,21 +39,30 @@ import at.gv.egovernment.moa.util.MiscUtil; * @author tlenz * */ -public class ServiceProviderSpecificGUIFormBuilderConfiguration extends AbstractGUIFormBuilderConfiguration { +public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration extends AbstractGUIFormBuilderConfiguration { + public static final String VIEW_TEMPLATE_MAINGUI_DIRECTORY = "mainGUI/"; + public static final String VIEW_BKUSELECTION = "loginFormFull.html"; public static final String VIEW_SENDASSERTION = "sendAssertionFormFull.html"; public static final String VIEW_TEMPLATE_CSS = "css_template.css"; - public static final String VIEW_TEMPLATE_JS = "javascript_tempalte.js"; + public static final String VIEW_TEMPLATE_JS = "javascript_tempalte.js"; + public static final String VIEW_TEMPLATE_BKUDETECTION_SP_SPECIFIC = "iframeLBKUdetectSPSpecific.html"; + public static final String VIEW_TEMPLATE_BKUDETECTION_GENERIC = "iframeLBKUdetect.html"; public static final String PARAM_BKU_ONLINE = "bkuOnline"; public static final String PARAM_BKU_HANDY = "bkuHandy"; - public static final String PARAM_BKU_LOCAL = "bkuLocal"; + public static final String PARAM_BKU_LOCAL = "bkuLocal"; + + public static final String PARAM_BKU_URL_HANDY = "bkuURLHandy"; + public static final String PARAM_BKU_URL_LOCAL = "bkuURLLocal"; + public static final String PARAM_BKU_URL_THIRD = "bkuURLThird"; public static final String PARAM_OANAME = "OAName"; public static final String PARAM_COUNTRYLIST = "countryList"; - private IRequest pendingReq = null; + protected IRequest pendingReq = null; + protected String templateClasspahtDir = null; /** * @param authURL PublicURLPrefix of the IDP but never null @@ -61,7 +70,7 @@ public class ServiceProviderSpecificGUIFormBuilderConfiguration extends Abstract * @param formSubmitEndpoint EndPoint on which the form should be submitted, * or null if the form must not submitted */ - public ServiceProviderSpecificGUIFormBuilderConfiguration(String authURL, String viewName, + public AbstractServiceProviderSpecificGUIFormBuilderConfiguration(String authURL, String viewName, String formSubmitEndpoint) { super(authURL, viewName, formSubmitEndpoint); @@ -73,7 +82,7 @@ public class ServiceProviderSpecificGUIFormBuilderConfiguration extends Abstract * @param formSubmitEndpoint EndPoint on which the form should be submitted, * or null if the form must not submitted */ - public ServiceProviderSpecificGUIFormBuilderConfiguration(IRequest pendingReq, String viewName, + public AbstractServiceProviderSpecificGUIFormBuilderConfiguration(IRequest pendingReq, String viewName, String formSubmitEndpoint) { super(pendingReq.getAuthURL(), viewName, formSubmitEndpoint); this.pendingReq = pendingReq; @@ -86,7 +95,7 @@ public class ServiceProviderSpecificGUIFormBuilderConfiguration extends Abstract @Override public Map<String, Object> getSpecificViewParameters() { Map<String, Object> params = new HashMap<String, Object>(); - params.put(PARAM_BKU_ONLINE, IOAAuthParameters.ONLINEBKU); + params.put(PARAM_BKU_ONLINE, IOAAuthParameters.THIRDBKU); params.put(PARAM_BKU_HANDY, IOAAuthParameters.HANDYBKU); params.put(PARAM_BKU_LOCAL, IOAAuthParameters.LOCALBKU); @@ -97,10 +106,23 @@ public class ServiceProviderSpecificGUIFormBuilderConfiguration extends Abstract IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); if (oaParam != null) { params.put(PARAM_OANAME, oaParam.getFriendlyName()); + + //set BKU URLs + if (MiscUtil.isNotEmpty(oaParam.getBKUURL(IOAAuthParameters.LOCALBKU))) + params.put(PARAM_BKU_URL_LOCAL, oaParam.getBKUURL(IOAAuthParameters.LOCALBKU)); + else + params.put(PARAM_BKU_URL_LOCAL, MOAIDAuthConstants.DEFAULT_BKU_HTTPS); + if (MiscUtil.isNotEmpty(oaParam.getBKUURL(IOAAuthParameters.HANDYBKU))) + params.put(PARAM_BKU_URL_HANDY, oaParam.getBKUURL(IOAAuthParameters.HANDYBKU)); + if (MiscUtil.isNotEmpty(oaParam.getBKUURL(IOAAuthParameters.THIRDBKU))) + params.put(PARAM_BKU_URL_THIRD, oaParam.getBKUURL(IOAAuthParameters.THIRDBKU)); + //set eIDAS login information if requird if (oaParam.isShowStorkLogin()) addCountrySelection(params, oaParam); + else + params.put(PARAM_COUNTRYLIST, ""); FormBuildUtils.customiceLayoutBKUSelection(params, oaParam); @@ -150,7 +172,7 @@ public class ServiceProviderSpecificGUIFormBuilderConfiguration extends Abstract */ @Override public String getClasspathTemplateDir() { - return null; + return templateClasspahtDir; } /* (non-Javadoc) @@ -183,4 +205,17 @@ public class ServiceProviderSpecificGUIFormBuilderConfiguration extends Abstract return null; } + /** + * Set a specific classPath directory for this template configuration. + * <br> If the directory is null then the default directory /templates is used. + * + * @param templateClasspahtDir the templateClasspahtDir to set + */ + public void setTemplateClasspahtDir(String templateClasspahtDir) { + this.templateClasspahtDir = templateClasspahtDir; + } + + + + } diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java index e8cd60afb..285c90163 100644 --- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java @@ -78,24 +78,16 @@ public class GUIFormBuilderImpl implements IGUIFormBuilder { build(httpResp, config, getInternalContentType(config), loggerName); } - - + @Override public void build(HttpServletResponse httpResp, IGUIBuilderConfiguration config, String contentType, String loggerName) throws GUIBuildException { InputStream is = null; try { - String viewName = config.getViewName(); + String viewName = config.getViewName(); + is = getTemplateInputStream(config); - //load Tempate - is = getInternalTemplate(config); - if (is == null) { - Logger.warn("No GUI with viewName:" + viewName + " FOUND."); - throw new GUIBuildException("No GUI with viewName:" + viewName + " FOUND."); - - } - //build Velocity Context from input paramters VelocityContext context = buildContextFromViewParams(config.getViewParameters()); @@ -137,6 +129,35 @@ public class GUIFormBuilderImpl implements IGUIFormBuilder { } + /** + * Generate a new {@link VelocityContext} and populate it with MOA-ID GUI parameters + * + * @param config + * @return + */ + public VelocityContext generateVelocityContextFromConfiguration(IGUIBuilderConfiguration config) { + return buildContextFromViewParams(config.getViewParameters()); + + } + + /** + * Load the template from different resources + * + * @param config + * @return An {@link InputStream} but never null. The {@link InputStream} had to be closed be the invoking method + * @throws GUIBuildException + */ + public InputStream getTemplateInputStream(IGUIBuilderConfiguration config) throws GUIBuildException { + InputStream is = getInternalTemplate(config); + if (is == null) { + Logger.warn("No GUI with viewName:" + config.getViewName() + " FOUND."); + throw new GUIBuildException("No GUI with viewName:" + config.getViewName() + " FOUND."); + + } + return is; + + } + private String getInternalContentType(IGUIBuilderConfiguration config) { if (MiscUtil.isEmpty(config.getDefaultContentType())) return DEFAULT_CONTENT_TYPE; @@ -167,7 +188,7 @@ public class GUIFormBuilderImpl implements IGUIFormBuilder { } catch (Exception e) { //load template from classpath as backup - Logger.info("GUI template:" + viewName + " is not found in configuration directory. " + Logger.debug("GUI template:" + viewName + " is not found in configuration directory. " + " Load template from project library ... "); try { pathLocation = getInternalClasspathTemplateDir(config) + viewName; diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java index 198220e97..8e8a63094 100644 --- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java @@ -64,4 +64,5 @@ public interface IGUIFormBuilder { */ void build(HttpServletResponse httpResp, IGUIBuilderConfiguration config, String contentType, String loggerName) throws GUIBuildException; + } diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java new file mode 100644 index 000000000..13d8d3bb7 --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java @@ -0,0 +1,82 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.frontend.builder; + +import java.io.ByteArrayInputStream; +import java.io.InputStream; + +import at.gv.egovernment.moa.id.commons.api.IRequest; + +/** + * @author tlenz + * + */ +public class SPSpecificGUIBuilderConfigurationWithDBLoad extends AbstractServiceProviderSpecificGUIFormBuilderConfiguration { + + /** + * @param authURL PublicURLPrefix of the IDP but never null + * @param viewName Name of the template (with suffix) but never null + * @param formSubmitEndpoint EndPoint on which the form should be submitted, + * or null if the form must not submitted + */ + public SPSpecificGUIBuilderConfigurationWithDBLoad(String authURL, String viewName, + String formSubmitEndpoint) { + super(authURL, viewName, formSubmitEndpoint); + + } + + /** + * @param Current processed pending-request DAO but never null + * @param viewName Name of the template (with suffix) but never null + * @param formSubmitEndpoint EndPoint on which the form should be submitted, + * or null if the form must not submitted + */ + public SPSpecificGUIBuilderConfigurationWithDBLoad(IRequest pendingReq, String viewName, + String formSubmitEndpoint) { + super(pendingReq, viewName, formSubmitEndpoint); + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getTemplate(java.lang.String) + */ + @Override + public InputStream getTemplate(String viewName) { + if (pendingReq != null && pendingReq.getOnlineApplicationConfiguration() != null) { + + byte[] oatemplate = null; + if (VIEW_BKUSELECTION.equals(viewName)) + oatemplate = pendingReq.getOnlineApplicationConfiguration().getBKUSelectionTemplate(); + + else if (VIEW_SENDASSERTION.equals(viewName)) + oatemplate = pendingReq.getOnlineApplicationConfiguration().getSendAssertionTemplate(); + + // OA specific template requires a size of 8 bits minimum + if (oatemplate != null && oatemplate.length > 7) + return new ByteArrayInputStream(oatemplate); + } + + return null; + } + +} diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithFileSystemLoad.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithFileSystemLoad.java new file mode 100644 index 000000000..b5c50004b --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithFileSystemLoad.java @@ -0,0 +1,110 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.frontend.builder; + +import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.InputStream; +import java.net.MalformedURLException; +import java.net.URI; +import java.net.URISyntaxException; +import java.net.URL; + +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.FileUtils; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +public class SPSpecificGUIBuilderConfigurationWithFileSystemLoad extends AbstractServiceProviderSpecificGUIFormBuilderConfiguration { + + private String configKeyIdentifier = null; + private String configRootContextDir = null; + + /** + * @param authURL PublicURLPrefix of the IDP but never null + * @param viewName Name of the template (with suffix) but never null + * @param configKeyIdentifier Identifier of the configuration key in OA configuration that holds the filesystem URI to template + * @param formSubmitEndpoint EndPoint on which the form should be submitted + * @param configRootContextDir Path to MOA-ID-Auth configuration root directory + * or null if the form must not submitted + */ + public SPSpecificGUIBuilderConfigurationWithFileSystemLoad(String authURL, String viewName, + String configKeyIdentifier, String formSubmitEndpoint, String configRootContextDir) { + super(authURL, viewName, formSubmitEndpoint); + this.configKeyIdentifier = configKeyIdentifier; + this.configRootContextDir = configRootContextDir; + + } + + /** + * @param Current processed pending-request DAO but never null + * @param viewName Name of the template (with suffix) but never null + * @param configKeyIdentifier Identifier of the configuration key in OA configuration that holds the filesystem URI to template + * @param formSubmitEndpoint EndPoint on which the form should be submitted + * @param configRootContextDir Path to MOA-ID-Auth configuration root directory + */ + public SPSpecificGUIBuilderConfigurationWithFileSystemLoad(IRequest pendingReq, String viewName, + String configKeyIdentifier, String formSubmitEndpoint, String configRootContextDir) { + super(pendingReq, viewName, formSubmitEndpoint); + this.configKeyIdentifier = configKeyIdentifier; + this.configRootContextDir = configRootContextDir; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getTemplate(java.lang.String) + */ + @Override + public InputStream getTemplate(String viewName) { + if (pendingReq != null && pendingReq.getOnlineApplicationConfiguration() != null && + configKeyIdentifier != null) { + try { + String templateURL = pendingReq.getOnlineApplicationConfiguration().getConfigurationValue(configKeyIdentifier); + if (MiscUtil.isNotEmpty(templateURL)) { + String absURL = FileUtils.makeAbsoluteURL(templateURL, configRootContextDir); + if (!absURL.startsWith("file:")) { + Logger.warn("GUI template are only loadable from filesystem! " + + "(templateURL: " + absURL + ")"); + return null; + } + + Logger.debug("Load template URL for view: " + viewName + " from: " + absURL); + URI uri = new URL(absURL).toURI(); + return new FileInputStream(new File(uri)); + + } + } catch (FileNotFoundException | URISyntaxException | MalformedURLException e) { + Logger.warn("Template for view: " + viewName + " is NOT loadable! -> Switch to default template", e); + + } + } + Logger.trace("NO ServiceProvider specific template for view: " + viewName + " available"); + return null; + } + +} diff --git a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html index 54dc9d910..261e19a33 100644 --- a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html +++ b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html @@ -24,7 +24,7 @@ document.write('</form>'); try { document.bkudetectform.submit(); - } catch(e) {} + } catch(e) {console.log(e)} } //--> </script> diff --git a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/index.html b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/index.html index 5f7e92321..7fc2b0298 100644 --- a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/index.html +++ b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/index.html @@ -2,7 +2,7 @@ <html> <head> <meta http-equiv="content-type" content="text/html; charset=utf8" > - <title>MOA-ID 3.2.x</title> + <title>MOA-ID 3.3.x</title> <link rel="stylesheet" href="./common/main.css" type="text/css"> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"> <link href='https://fonts.googleapis.com/css?family=Roboto:300,400' rel='stylesheet' type='text/css'> diff --git a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/template_thirdBKU.html b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/template_thirdBKU.html new file mode 100644 index 000000000..a9932d49d --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/template_thirdBKU.html @@ -0,0 +1,37 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> +<html lang="de"> + <head> + <title></title> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> + <script language="javascript" type="text/javascript"> + function onAnmeldeSubmit() { + document.CustomizedForm.submit(); + document.CustomizedForm.Senden.disabled=true; + } + </script> + </head> + <body onLoad="onAnmeldeSubmit()"> + <form name="CustomizedForm" action="<BKU>" method="post" enctype="multipart/form-data"> + Falls Sie nicht automatisch weitergeleitet werden klicken Sie bitte hier: + <input class="button" type="hidden" value="Starte Anmeldung" name="Senden"> + <input type="hidden" name="XMLRequest" value="<XMLRequest>"> + <input type="hidden" name="DataURL" value="<DataURL>"> + <input type="hidden" name="PushInfobox" value="<PushInfobox>"> + + <!-- Angabe der Parameter fuer die Online-BKU --> + <input type="hidden" name="appletWidth" value="<APPLETWIDTH>"> + <input type="hidden" name="appletHeight" value="<APPLETHEIGHT>"> + + <!-- [OPTIONAL] Aendern Sie hier die Hintergrundfarbe der Online-BKU --> + <input type="hidden" name="appletBackgroundColor" value="<COLOR>"> + <input type="hidden" name="redirectTarget" value="<REDIRECTTARGET>"> + </form> + + <form name="CustomizedInfoForm" action="<BKU>" method="post"> + <input type="hidden" name="XMLRequest" value="<CertInfoXMLRequest>"> + <input type="hidden" name="DataURL" value="<CertInfoDataURL>"> + </form> + <form name="DummyForm" action="<BKU>" method="post"> + </form> + </body> +</html> diff --git a/id/server/moa-id-frontend-resources/src/main/resources/templates/iframeLBKUdetectSPSpecific.html b/id/server/moa-id-frontend-resources/src/main/resources/templates/iframeLBKUdetectSPSpecific.html new file mode 100644 index 000000000..79a217946 --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/resources/templates/iframeLBKUdetectSPSpecific.html @@ -0,0 +1,12 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> +<html lang="de"> +<head> +<title>BKU-Erkennung</title> +</head> +<body style="background-color:transparent" onload="parent.setBKUAvailable(false);document.forms[0].submit();"> + <form name="bkudetectform" method="POST" target="bkudetect" action="$bkuURLLocal" enctype="application/x-www-form-urlencoded"> + <input type="hidden" name="XMLRequest" value="<?xml version="1.0" encoding="UTF-8"?><NullOperationRequest xmlns="http://www.buergerkarte.at/namespaces/securitylayer/1.2#"/>" /> + <input type="hidden" name="RedirectURL" value="$contextPath/iframeLBKUdetected.html"/> + </form> +</body> +</html> diff --git a/id/server/moa-id-frontend-resources/src/main/resources/templates/loginFormFull.html b/id/server/moa-id-frontend-resources/src/main/resources/templates/loginFormFull.html index 53c4f0d5d..c4da51dc1 100644 --- a/id/server/moa-id-frontend-resources/src/main/resources/templates/loginFormFull.html +++ b/id/server/moa-id-frontend-resources/src/main/resources/templates/loginFormFull.html @@ -50,8 +50,11 @@ <input type="hidden" name="ccc" id="ccc" /> <input type="hidden" name="pendingid" value="$pendingReqID" /> <input type="submit" value=" Karte " tabindex="4" role="button" onclick="setMandateSelection();"> - </form> - <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe> + </form> + <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection?pendingid=$pendingReqID"></iframe> + + <!-- BKU detection with static template--> + <!--iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"></iframe--> </div> <div id="bkuhandy"> @@ -59,6 +62,7 @@ <input name="bkuButtonHandy" type="button" onClick="bkuHandyClicked();" tabindex="3" role="button" value="HANDY" /> </div> </div> + <!--div id="localBKU"> <form method="get" id="moaidform" action="$contextPath$submitEndpoint" class="verticalcenter" target="_parent"> @@ -70,7 +74,7 @@ <input type="submit" value=" Lokale Bürgerkartenumgebung " tabindex="4" role="button" onclick="setMandateSelection();"> </form> - <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/iframeLBKUdetect.html"><\/iframe> + <iframe name="bkudetect" width="0" height="0" scrolling="no" marginheight="0" marginwidth="0" frameborder="0" src="$contextPath/feature/bkuDetection"><\/iframe> </div--> <!-- Single Sign-On Session transfer functionality --> diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 9294f3658..0a2371575 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -65,6 +65,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IMISMandate; import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.util.XMLUtil; import at.gv.egovernment.moa.logging.Logger; @@ -192,8 +193,8 @@ public class AuthenticationServer extends BaseAuthenticationServer { Logger.debug("Non-SSO Login requested or SSO not allowed/possible"); //build ReadInfobox request infoboxReadRequest = new InfoboxReadRequestBuilder().build( - oaParam.getBusinessService(), oaParam - .getIdentityLinkDomainIdentifier()); + oaParam.hasBaseIdInternalProcessingRestriction(), oaParam + .getAreaSpecificTargetIdentifier()); } @@ -401,9 +402,9 @@ public class AuthenticationServer extends BaseAuthenticationServer { try { // sets the extended SAML attributes for OID (Organwalter) setExtendedSAMLAttributeForMandatesOID(session, mandate, oaParam - .getBusinessService()); + .hasBaseIdTransferRestriction()); - validateExtendedSAMLAttributeForMandates(session, mandate, oaParam.getBusinessService()); + validateExtendedSAMLAttributeForMandates(session, mandate, oaParam.hasBaseIdTransferRestriction()); } catch (SAXException e) { @@ -523,9 +524,10 @@ public class AuthenticationServer extends BaseAuthenticationServer { * @return <code><saml:Assertion></code> as a String * @throws BuildException If an error occurs on serializing an extended SAML attribute * to be appended to the AUTH-Block. + * @throws ConfigurationException */ private String buildAuthenticationBlock(IAuthenticationSession session, - IOAAuthParameters oaParam, IRequest pendingReq) throws BuildException { + IOAAuthParameters oaParam, IRequest pendingReq) throws BuildException, ConfigurationException { IIdentityLink identityLink = session.getIdentityLink(); String issuer = identityLink.getName(); @@ -533,12 +535,16 @@ public class AuthenticationServer extends BaseAuthenticationServer { String identificationValue = null; String identificationType = null; + String identificationTypeFriendlyName = null; //get processing data from pending-request String authURL = pendingReq.getAuthURL(); - String requestedTarget = pendingReq.getGenericData( - MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); - String targetFriendlyName = pendingReq.getGenericData( + + @Deprecated + String saml1RequestedTarget = pendingReq.getGenericData( + MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); + @Deprecated + String saml1RequestedFriendlyName = pendingReq.getGenericData( MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class); @@ -546,45 +552,45 @@ public class AuthenticationServer extends BaseAuthenticationServer { if (session.isOW() || pendingReq.needSingleSignOnFunctionality() || oaParam.isRemovePBKFromAuthBlock()) { identificationType = ""; identificationValue = ""; - + } else if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - if (oaParam.getBusinessService()) { - - String bpkBase64 = new BPKBuilder().buildWBPK(identityLink - .getIdentificationValue(), oaParam.getIdentityLinkDomainIdentifier()); - identificationValue = bpkBase64; - - if (oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_WBPK + "+")) - identificationType = oaParam.getIdentityLinkDomainIdentifier(); - else - identificationType = Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier(); - - } else { - String bpkBase64 = new BPKBuilder().buildBPK(identityLink - .getIdentificationValue(), requestedTarget); - identificationValue = bpkBase64; - identificationType = Constants.URN_PREFIX_CDID + "+" + requestedTarget; + if (MiscUtil.isNotEmpty(saml1RequestedTarget)) { + Logger.debug("Build AuthBlock bPK from SAML1 requested target"); + Pair<String, String> calcId = new BPKBuilder().generateAreaSpecificPersonIdentifier( + identityLink.getIdentificationValue(), identityLink.getIdentificationType(), + saml1RequestedTarget); + identificationValue = calcId.getFirst(); + identificationType = calcId.getSecond(); + identificationTypeFriendlyName = saml1RequestedFriendlyName; + + } else { + Pair<String, String> calcId = new BPKBuilder().generateAreaSpecificPersonIdentifier( + identityLink.getIdentificationValue(), identityLink.getIdentificationType(), + oaParam.getAreaSpecificTargetIdentifier()); + identificationValue = calcId.getFirst(); + identificationType = calcId.getSecond(); + identificationTypeFriendlyName = oaParam.getAreaSpecificTargetIdentifierFriendlyName(); } - } else { identificationValue = identityLink.getIdentificationValue(); identificationType = identityLink.getIdentificationType(); + identificationTypeFriendlyName = oaParam.getAreaSpecificTargetIdentifierFriendlyName(); } //set AuthBlock generation time to session - String issueInstant = DateTimeUtils.buildDateTimeUTC(Calendar - .getInstance()); + String issueInstant = DateTimeUtils.buildDateTimeUTC(Calendar.getInstance()); session.setIssueInstant(issueInstant); - // Bug #485 - // (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105) - // String oaURL = session.getPublicOAURLPrefix(); - + //load extend attributes List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); + //load special authblock text patterns for replacement + Map<String, String> authBlockTextPatterns = AuthenticationBlockAssertionBuilder. + generateSpezialAuthBlockPatternMap(pendingReq, issuer, gebDat, issueInstant); + String authBlock = null; if (pendingReq.needSingleSignOnFunctionality()) { String oaURL = pendingReq.getAuthURL(); @@ -592,19 +598,20 @@ public class AuthenticationServer extends BaseAuthenticationServer { oaURL = oaURL.replaceAll("&", "&"); authBlock = new AuthenticationBlockAssertionBuilder() - .buildAuthBlockSSO(issuer, issueInstant, authURL, requestedTarget, - targetFriendlyName, identificationValue, - identificationType, oaURL, gebDat, - extendedSAMLAttributes, session, oaParam); - + .buildAuthBlockSSO(issuer, issueInstant, authURL, + oaURL, gebDat, + extendedSAMLAttributes, session, oaParam, authBlockTextPatterns); } else { String oaURL = oaParam.getPublicURLPrefix().replaceAll("&", "&"); authBlock = new AuthenticationBlockAssertionBuilder() - .buildAuthBlock(issuer, issueInstant, authURL, requestedTarget, - targetFriendlyName, identificationValue, - identificationType, oaURL, gebDat, - extendedSAMLAttributes, session, oaParam); + .buildAuthBlock(issuer, issueInstant, authURL, + identificationValue, + identificationType, + gebDat, + oaURL, + identificationTypeFriendlyName, + extendedSAMLAttributes, session, oaParam, authBlockTextPatterns); } @@ -1062,9 +1069,10 @@ public class AuthenticationServer extends BaseAuthenticationServer { Element valueBpK = mandatePerson.getOwnerDocument().createElementNS( Constants.PD_NS_URI, "Value"); - String bpkBase64 = new BPKBuilder().buildBPK(baseid, target); + Pair<String, String> targedId = new BPKBuilder().generateAreaSpecificPersonIdentifier(baseid, target); + valueBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode( - bpkBase64)); + targedId.getFirst())); Element typeBpK = mandatePerson.getOwnerDocument().createElementNS( Constants.PD_NS_URI, "Type"); typeBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode( diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java index ecc91991e..80702795b 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java @@ -28,7 +28,11 @@ import java.io.StringWriter; import java.text.MessageFormat; import java.text.SimpleDateFormat; import java.util.Calendar; +import java.util.HashMap; +import java.util.Iterator; import java.util.List; +import java.util.Map; +import java.util.Map.Entry; import javax.xml.bind.DatatypeConverter; import javax.xml.transform.Result; @@ -46,7 +50,9 @@ import org.w3c.dom.Node; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttributeImpl; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.ParseException; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.commons.api.data.ExtendedSAMLAttribute; import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; @@ -126,6 +132,15 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion public static final int NUM_OF_SAML_ATTRIBUTES = 5; public static final int NUM_OF_SAML_ATTRIBUTES_SSO = 4; + public static final String bPKwbPKNSDECLARATION = " xmlns:pr=\"" + PD_NS_URI + "\""; + + public static final String AUTHBLOCK_TEXT_PATTERN_NAME = "#NAME#"; + public static final String AUTHBLOCK_TEXT_PATTERN_BIRTHDAY = "#BIRTHDAY#"; + public static final String AUTHBLOCK_TEXT_PATTERN_DATE = "#DATE#"; + public static final String AUTHBLOCK_TEXT_PATTERN_TIME = "#TIME#"; + + public static final String PENDING_REQ_AUTHBLOCK_TEXT_KEY = "specialAuthBlockTextKeyValueMap"; + /** * Constructor for AuthenticationBlockAssertionBuilder. */ @@ -133,322 +148,210 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion super(); } + public static Map<String, String> generateSpezialAuthBlockPatternMap(IRequest pendingReq, String issuer, String gebDat, String issueInstant) { + Map<String, String> result = new HashMap<String, String>(); + + //convert issueInstant + Calendar datetime = DatatypeConverter.parseDateTime(issueInstant); + SimpleDateFormat dateformat = new SimpleDateFormat("dd.MM.yyyy"); + SimpleDateFormat timeformat = new SimpleDateFormat("HH:mm:ss"); + + //set default values + result.put(AUTHBLOCK_TEXT_PATTERN_NAME, issuer); + result.put(AUTHBLOCK_TEXT_PATTERN_BIRTHDAY, gebDat); + result.put(AUTHBLOCK_TEXT_PATTERN_DATE, dateformat.format(datetime.getTime())); + result.put(AUTHBLOCK_TEXT_PATTERN_TIME, timeformat.format(datetime.getTime())); + + //set other values from pendingReq if exists + Map<?,?> processSpecificElements = pendingReq.getGenericData(PENDING_REQ_AUTHBLOCK_TEXT_KEY, Map.class); + if (processSpecificElements != null && !processSpecificElements.isEmpty()) { + Logger.debug("Find process-specific patterns for 'special AuthBlock-Text'. Start processing ..."); + Iterator<?> mapIterator = processSpecificElements.entrySet().iterator(); + while (mapIterator.hasNext()) { + Object objEl = mapIterator.next(); + if (objEl instanceof Entry<?, ?>) { + try { + @SuppressWarnings("unchecked") + Entry<String, String> el = (Entry<String, String>) objEl; + Logger.trace(" Add pattern-> Key: " + el.getKey() + " Value:" + el.getValue()); + if (result.containsKey(el.getKey())) + Logger.warn(" Can not add pattern: " + el.getKey() + " , because it already exists."); + else + result.put(el.getKey(), el.getValue()); + + } catch (Exception e) { + Logger.warn("A pendingReq. specific 'special AuthBlock-Text' element has a suspect type. Ignore it!", e); + + } + } + } + } + + return result; + } + + /** - * Builds the authentication block <code><saml:Assertion></code> - * - * @param issuer authentication block issuer; <code>"GivenName FamilyName"</code> - * @param issueInstant current timestamp - * @param authURL URL of MOA-ID authentication component - * @param target "Geschäftsbereich"; maybe <code>null</code> if the application - * is a business application - * @param identityLinkValue the content of the <code><pr:Value></code> - * child element of the <code><pr:Identification></code> - * element derived from the Identitylink; this is the - * value of the <code>wbPK</code>; - * maybe <code>null</code> if the application is a public service - * @param identityLinkType the content of the <code><pr:Type></code> - * child element of the <code><pr:Identification></code> - * element derived from the Identitylink; this includes the - * URN prefix and the identification number of the business - * application used as input for wbPK computation; - * maybe <code>null</code> if the application is a public service - * @param oaURL public URL of online application requested - * @param gebDat The date of birth from the identity link. - * @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock. * - * @return String representation of authentication block - * <code><saml:Assertion></code> built - * - * @throws BuildException If an error occurs on serializing an extended SAML attribute - * to be appended to the AUTH-Block. + * @param issuer + * @param issueInstant + * @param authURL + * @param sectorSpecificUniqueId + * @param sectorSpecificUniqueIdType + * @param gebDat + * @param oaURL + * @param spTargetAreaFriendlyName + * @param extendedSAMLAttributes + * @param session + * @param oaParam + * @return + * @throws BuildException + * @throws ConfigurationException */ public String buildAuthBlock( String issuer, String issueInstant, - String authURL, - String target, - String targetFriendlyName, - String identityLinkValue, - String identityLinkType, - String oaURL, - String gebDat, + String authURL, + String sectorSpecificUniqueId, + String sectorSpecificUniqueIdType, + String gebDat, + String oaURL, + String spTargetAreaFriendlyName, List<ExtendedSAMLAttribute> extendedSAMLAttributes, IAuthenticationSession session, - IOAAuthParameters oaParam) - throws BuildException - - { - session.setSAMLAttributeGebeORwbpk(true); - String gebeORwbpk = ""; - String wbpkNSDeclaration = ""; - - if (target == null) { - - // OA is a business application - if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) { - // Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator - gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); - wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; + IOAAuthParameters oaParam, + Map<String, String> specialAuthBlockTextPatterns) + throws BuildException, ConfigurationException { + + //initialize state + session.setSAMLAttributeGebeORwbpk(true); + String usedwbPKbPKNamespaceDeclaration = org.apache.commons.lang3.StringUtils.EMPTY; + String publicSectorIdOrwbPK = org.apache.commons.lang3.StringUtils.EMPTY; + + + if (!sectorSpecificUniqueIdType.startsWith(MOAIDAuthConstants.PREFIX_CDID)) { + //service provider has not an sector Id from Austrian public-domain --> build AuthBlock like a wbPK + + if (!Constants.URN_PREFIX_HPI.equals(sectorSpecificUniqueIdType)) { + //Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator + publicSectorIdOrwbPK = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] {sectorSpecificUniqueId, sectorSpecificUniqueIdType}); + usedwbPKbPKNamespaceDeclaration = bPKwbPKNSDECLARATION; - //adding type of wbPK domain identifier - ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute = - new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", oaParam.getIdentityLinkDomainIdentifierType(), Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); + //adding type of wbPK domain identifier + ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute = + new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", spTargetAreaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute); + extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute); - } else { - // We do not have a wbPK, therefore no SAML-Attribute is provided - session.setSAMLAttributeGebeORwbpk(false); - } + } else { + // We do not have a wbPK, therefore no SAML-Attribute is provided + session.setSAMLAttributeGebeORwbpk(false); + + } + } else { + // OA is a govermental application + + //convert sector identifier into friendly name and add it to AuthBlock + String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(sectorSpecificUniqueIdType); + if (StringUtils.isEmpty(sectorName)) { + if (spTargetAreaFriendlyName != null) + sectorName = spTargetAreaFriendlyName; + + } + publicSectorIdOrwbPK = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, + new Object[] {sectorSpecificUniqueIdType.substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")" }); - } else { - // OA is a govermental application - String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target); - if (StringUtils.isEmpty(sectorName)) { - if (targetFriendlyName != null) - sectorName = targetFriendlyName; - } - - - //gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target }); - gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target + " (" + sectorName + ")" }); - - //no business service, adding bPK - if (identityLinkValue != null) { - Element bpkSamlValueElement; - try { - bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { identityLinkValue, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement(); - } catch (Exception e) { - Logger.error("Error on building AUTH-Block: " + e.getMessage()); - throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); - } - - // String s = xmlToString(bpkSamlValueElement); - // System.out.println("bpkSamlValueElement: " + s); - - ExtendedSAMLAttribute bpkAttribute = - new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - extendedSAMLAttributes.add(bpkAttribute); - } - - boolean useMandate = session.isMandateUsed(); - if (useMandate) { - //String mandateReferenceValue = Random.nextRandom(); - String mandateReferenceValue = Random.nextProcessReferenceValue(); - // remove leading "-" - if (mandateReferenceValue.startsWith("-")) - mandateReferenceValue = mandateReferenceValue.substring(1); - - session.setMandateReferenceValue(mandateReferenceValue); - - ExtendedSAMLAttribute mandateReferenceValueAttribute = - new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK); - - extendedSAMLAttributes.add(mandateReferenceValueAttribute); - } - - - - //gebeORwbpk = gebeORwbpk + MessageFormat.format(BPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); - wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; - } - - //adding friendly name of OA - String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName(); - - ExtendedSAMLAttribute oaFriendlyNameAttribute = - new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - - extendedSAMLAttributes.add(oaFriendlyNameAttribute); + //add bPK to AuthBlock if it is not empty + if (MiscUtil.isNotEmpty(sectorSpecificUniqueId)) { + Element bpkSamlValueElement; + try { + bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { sectorSpecificUniqueId, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement(); + + } catch (Exception e) { + Logger.error("Error on building AUTH-Block: " + e.getMessage()); + throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); + + } + + ExtendedSAMLAttribute bpkAttribute = + new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); + extendedSAMLAttributes.add(bpkAttribute); + } + + usedwbPKbPKNamespaceDeclaration = bPKwbPKNSDECLARATION; + } + //check if mandates should be used + if (session.isMandateUsed()) { + + //generate mandate reference value + String mandateReferenceValue = Random.nextProcessReferenceValue(); + session.setMandateReferenceValue(mandateReferenceValue); + + ExtendedSAMLAttribute mandateReferenceValueAttribute = + new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK); + + extendedSAMLAttributes.add(mandateReferenceValueAttribute); + } + + //adding friendly name of OA + String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName(); + ExtendedSAMLAttribute oaFriendlyNameAttribute = + new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); + extendedSAMLAttributes.add(oaFriendlyNameAttribute); - String text = ""; - if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) { - Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix()); - text = oaParam.getAditionalAuthBlockText(); - } - String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, - new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) }); + //generate special AuthBlock text + String text = ""; + if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) { + Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix()); + text = oaParam.getAditionalAuthBlockText(); + } + String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, + new Object[] { generateSpecialText(text, specialAuthBlockTextPatterns) }); - //generate unique AuthBlock tokken - String uniquetokken = Random.nextRandom(); - session.setAuthBlockTokken(uniquetokken); + + //generate unique AuthBlock tokken + String uniquetokken = Random.nextProcessReferenceValue(); + session.setAuthBlockTokken(uniquetokken); String assertion; try { assertion = MessageFormat.format( AUTH_BLOCK, new Object[] { - wbpkNSDeclaration, + usedwbPKbPKNamespaceDeclaration, issuer, issueInstant, authURL, - gebeORwbpk, + publicSectorIdOrwbPK, oaURL, gebDat, specialText, - MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE, - new Object[] { uniquetokken }), + MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE, new Object[] {uniquetokken}), buildExtendedSAMLAttributes(extendedSAMLAttributes)}); - } catch (ParseException e) { - Logger.error("Error on building AUTH-Block: " + e.getMessage()); - throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); - } - - return assertion; - - } - - /** - * Builds the authentication block <code><saml:Assertion></code> - * - * @param issuer authentication block issuer; <code>"GivenName FamilyName"</code> - * @param issueInstant current timestamp - * @param authURL URL of MOA-ID authentication component - * @param target "Geschäftsbereich"; maybe <code>null</code> if the application - * is a business application - * @param identityLinkValue the content of the <code><pr:Value></code> - * child element of the <code><pr:Identification></code> - * element derived from the Identitylink; this is the - * value of the <code>wbPK</code>; - * maybe <code>null</code> if the application is a public service - * @param identityLinkType the content of the <code><pr:Type></code> - * child element of the <code><pr:Identification></code> - * element derived from the Identitylink; this includes the - * URN prefix and the identification number of the business - * application used as input for wbPK computation; - * maybe <code>null</code> if the application is a public service - * @param oaURL public URL of online application requested - * @param gebDat The date of birth from the identity link. - * @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock. - * - * @return String representation of authentication block - * <code><saml:Assertion></code> built - * - * @throws BuildException If an error occurs on serializing an extended SAML attribute - * to be appended to the AUTH-Block. - */ - public String buildAuthBlockForeignID( - String issuer, - String issueInstant, - String authURL, - String target, - String identityLinkValue, - String identityLinkType, - String oaURL, - String gebDat, - List<ExtendedSAMLAttribute> extendedSAMLAttributes, - IAuthenticationSession session, - IOAAuthParameters oaParam) - throws BuildException - { - session.setSAMLAttributeGebeORwbpk(true); - String gebeORwbpk = ""; - String wbpkNSDeclaration = ""; - - if (target == null) { - // OA is a business application - if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) { - // Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator - gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); - wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; - - //BZ.., adding type of wbPK domain identifier - ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute = - new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", oaParam.getIdentityLinkDomainIdentifierType(), Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - - extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute); - //..BZ - - } else { - // We do not have a wbPK, therefore no SAML-Attribute is provided - session.setSAMLAttributeGebeORwbpk(false); - } - } else { - // OA is a govermental application - //BZ.. - String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target); - //gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target }); - gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target + " (" + sectorName + ")" }); - //..BZ - - //BZ.., no business service, adding bPK - Element bpkSamlValueElement; - try { - bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { identityLinkValue, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement(); - } catch (Exception e) { - Logger.error("Error on building AUTH-Block: " + e.getMessage()); - throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); - } - - ExtendedSAMLAttribute bpkAttribute = - new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - - extendedSAMLAttributes.add(bpkAttribute); - //gebeORwbpk = gebeORwbpk + MessageFormat.format(BPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); - wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; - //..BZ - } - - //BZ.., adding friendly name of OA - String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName(); - - ExtendedSAMLAttribute oaFriendlyNameAttribute = - new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - - extendedSAMLAttributes.add(oaFriendlyNameAttribute); - //..BZ - - String text = ""; - if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) { - Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix()); - text = oaParam.getAditionalAuthBlockText(); - } - - String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, - new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) }); - - //generate unique AuthBlock tokken - String uniquetokken = Random.nextRandom(); - session.setAuthBlockTokken(uniquetokken); - - String assertion; - try { - assertion = MessageFormat.format( - AUTH_BLOCK, new Object[] { - wbpkNSDeclaration, - issuer, - issueInstant, - authURL, - gebeORwbpk, - oaURL, - gebDat, - specialText, - MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE, - new Object[] { uniquetokken }), - buildExtendedSAMLAttributes(extendedSAMLAttributes)}); } catch (ParseException e) { Logger.error("Error on building AUTH-Block: " + e.getMessage()); throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); + } return assertion; } - public static String generateSpecialText(String inputtext, String issuer, String gebDat, String issueInstant) { - Calendar datetime = DatatypeConverter.parseDateTime(issueInstant); - SimpleDateFormat dateformat = new SimpleDateFormat("dd.MM.yyyy"); - SimpleDateFormat timeformat = new SimpleDateFormat("HH:mm:ss"); - - String text = inputtext.replaceAll("#NAME#", issuer); - text = text.replaceAll("#BIRTHDAY#", gebDat); - text = text.replaceAll("#DATE#", dateformat.format(datetime.getTime())); - text = text.replaceAll("#TIME#", timeformat.format(datetime.getTime())); - - return text; + public static String generateSpecialText(String inputtext, Map<String, String> specialAuthBlockTextPatterns) { + Iterator<Entry<String, String>> it = specialAuthBlockTextPatterns.entrySet().iterator(); + String text = inputtext; + while (it.hasNext()) { + Entry<String, String> el = it.next(); + text = text.replaceAll(el.getKey(), el.getValue()); + + } + + return text; + } public static String xmlToString(Node node) { @@ -472,65 +375,52 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion String issuer, String issueInstant, String authURL, - String target, - String targetFriendlyName, - String identityLinkValue, - String identityLinkType, String oaURL, String gebDat, List<ExtendedSAMLAttribute> extendedSAMLAttributes, IAuthenticationSession session, - IOAAuthParameters oaParam) + IOAAuthParameters oaParam, + Map<String, String> specialAuthBlockTextPatterns) throws BuildException { session.setSAMLAttributeGebeORwbpk(true); String gebeORwbpk = ""; String wbpkNSDeclaration = ""; - - if (target != null) { - - boolean useMandate = session.isMandateUsed(); - if (useMandate) { - //String mandateReferenceValue = Random.nextRandom(); - String mandateReferenceValue = Random.nextProcessReferenceValue(); - // remove leading "-" - if (mandateReferenceValue.startsWith("-")) - mandateReferenceValue = mandateReferenceValue.substring(1); - - session.setMandateReferenceValue(mandateReferenceValue); + + //add mandate reference-value if mandates are used + if (session.isMandateUsed()) { + String mandateReferenceValue = Random.nextProcessReferenceValue(); + session.setMandateReferenceValue(mandateReferenceValue); - ExtendedSAMLAttribute mandateReferenceValueAttribute = - new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK); + ExtendedSAMLAttribute mandateReferenceValueAttribute = + new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK); - extendedSAMLAttributes.add(mandateReferenceValueAttribute); - } + extendedSAMLAttributes.add(mandateReferenceValueAttribute); } + //adding friendly name of OA String friendlyname; try { - friendlyname = AuthConfigurationProviderFactory.getInstance().getSSOFriendlyName(); - - ExtendedSAMLAttribute oaFriendlyNameAttribute = - new ExtendedSAMLAttributeImpl("oaFriendlyName", friendlyname, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - - extendedSAMLAttributes.add(oaFriendlyNameAttribute); - - - String text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText(); + friendlyname = AuthConfigurationProviderFactory.getInstance().getSSOFriendlyName(); + ExtendedSAMLAttribute oaFriendlyNameAttribute = + new ExtendedSAMLAttributeImpl("oaFriendlyName", friendlyname, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); + extendedSAMLAttributes.add(oaFriendlyNameAttribute); + + //generate special AuthBlock text + String text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText(); if (MiscUtil.isEmpty(text)) text=""; String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, - new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) }); + new Object[] { generateSpecialText(text, specialAuthBlockTextPatterns) }); + //generate unique AuthBlock tokken - String uniquetokken = Random.nextRandom(); + String uniquetokken = Random.nextProcessReferenceValue(); session.setAuthBlockTokken(uniquetokken); - String assertion; - - assertion = MessageFormat.format( + String assertion = MessageFormat.format( AUTH_BLOCK, new Object[] { wbpkNSDeclaration, issuer, diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java index 608f50200..88a235978 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java @@ -120,12 +120,11 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask { //get Target from config or from request in case of SAML 1 String target = null; - if (MiscUtil.isNotEmpty(pendingReq.getGenericData("target", String.class)) && + if (MiscUtil.isNotEmpty(pendingReq.getGenericData("saml1_target", String.class)) && pendingReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol")) - target = pendingReq.getGenericData("target", String.class); - else - target = oaParam.getTarget(); - + target = pendingReq.getGenericData("saml1_target", String.class); + + String bkuURL = oaParam.getBKUURL(bkuid); if (MiscUtil.isEmpty(bkuURL)) { Logger.info("No OA specific BKU defined. Use BKU from default configuration"); diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java index 975dec429..d2fd4d1de 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java @@ -35,7 +35,6 @@ import org.w3c.dom.Element; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MISSimpleClientException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; @@ -100,14 +99,7 @@ public class PrepareGetMISMandateTask extends AbstractAuthServletTask { byte[] authBlock = moasession.getAuthBlock().getBytes("UTF-8"); //TODO: check in case of SSO!!! - String targetType = null; - if(oaParam.getBusinessService()){ - targetType = oaParam.getIdentityLinkDomainIdentifier(); - - } else { - targetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget(); - - } + String targetType = oaParam.getAreaSpecificTargetIdentifier(); revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), pendingReq, MOAIDEventConstants.AUTHPROCESS_MANDATE_SERVICE_REQUESTED, mandateReferenceValue); diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java index a09f0a2a8..602914229 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/ErrorResponseParser.java @@ -46,10 +46,16 @@ package at.gv.egovernment.moa.id.auth.parser; +import java.io.IOException; + +import javax.xml.transform.TransformerException; + import org.w3c.dom.Element; import org.w3c.dom.NodeList; import at.gv.egovernment.moa.id.auth.exception.ParseException; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.util.DOMUtils; /** * Parses an <code><ErrorResponse></code>. @@ -84,15 +90,30 @@ public class ErrorResponseParser { */ public ErrorResponseParser(Element errorElement) throws ParseException { if (errorElement != null) { - String namespace = errorElement.getNamespaceURI(); - NodeList nl = errorElement.getElementsByTagNameNS(namespace, "ErrorCode"); - if (nl.getLength() == 1) { - errorCode_ = ((Element)nl.item(0)).getFirstChild().getNodeValue(); - } - nl = errorElement.getElementsByTagNameNS(namespace, "Info"); - if (nl.getLength() == 1) { - errorInfo_ = ((Element)nl.item(0)).getFirstChild().getNodeValue(); - } + try { + String namespace = errorElement.getNamespaceURI(); + NodeList nl = errorElement.getElementsByTagNameNS(namespace, "ErrorCode"); + if (nl.getLength() == 1) { + errorCode_ = ((Element)nl.item(0)).getFirstChild().getNodeValue(); + } + nl = errorElement.getElementsByTagNameNS(namespace, "Info"); + if (nl.getLength() == 1 && ((Element)nl.item(0)).getFirstChild() != null) { + errorInfo_ = ((Element)nl.item(0)).getFirstChild().getNodeValue(); + + } + } catch ( Exception e) { + try { + if (Logger.isDebugEnabled()) + Logger.warn("Can not extract error code from BKU response. Full-response: " + DOMUtils.serializeNode(errorElement), e) ; + else + Logger.warn("Can not extract error code from BKU response. Exception: " + e.getMessage()) ; + + } catch (TransformerException | IOException e1) { + Logger.warn("Can not extract error code from BKU response.", e); + Logger.warn("Can not serialize error response.", e1); + + } + } } } diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java index 275a85129..154092b03 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/parser/InfoboxReadResponseParser.java @@ -150,6 +150,7 @@ public class InfoboxReadResponseParser { if ("InfoboxReadResponse".equals(responseElem.getLocalName())) { infoBoxElem_ = responseElem; + } else { ErrorResponseParser erp = new ErrorResponseParser(responseElem); throw new BKUException("auth.08", diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index a227ab5be..da96bfe54 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -57,8 +57,10 @@ import org.jaxen.SimpleNamespaceContext; import org.w3c.dom.Element; import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder; +import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.data.SAMLAttribute; +import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.ValidateException; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; @@ -69,6 +71,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.MiscUtil; @@ -128,42 +131,46 @@ public class CreateXMLSignatureResponseValidator { * @param session * @param pendingReq * @throws ValidateException + * @throws BuildException + * @throws ConfigurationException */ public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq) - throws ValidateException { + throws ValidateException, BuildException, ConfigurationException { // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); - - String gbTarget = pendingReq.getGenericData( - MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); - String targetFriendlyName = pendingReq.getGenericData( - MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class); String oaURL = oaParam.getPublicURLPrefix(); - boolean businessService = oaParam.getBusinessService(); - IIdentityLink identityLink = session.getIdentityLink(); + @Deprecated + String saml1RequestedTarget = pendingReq.getGenericData( + MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); + @Deprecated + String saml1RequestedFriendlyName = pendingReq.getGenericData( + MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class); + + Element samlAssertion = createXMLSignatureResponse.getSamlAssertion(); + + //validate issuer String issuer = samlAssertion.getAttribute("Issuer"); if (issuer == null) { // should not happen, because parser would dedect this throw new ValidateException("validator.32", null); } // replace ' in name with ' - issuer = issuer.replaceAll("'", "'"); + issuer = issuer.replaceAll("'", "'"); + if (!issuer.equals(identityLink.getName())) + throw new ValidateException("validator.33", new Object[] {issuer, identityLink.getName()}); + + //validate issuerInstant String issueInstant = samlAssertion.getAttribute("IssueInstant"); - if (!issueInstant.equals(session.getIssueInstant())) { - throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()}); - } + if (!issueInstant.equals(session.getIssueInstant())) + throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()}); - String name = identityLink.getName(); - if (!issuer.equals(name)) { - throw new ValidateException("validator.33", new Object[] {issuer, name}); - } - + //validate extended attributes SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes(); boolean foundOA = false; @@ -171,241 +178,253 @@ public class CreateXMLSignatureResponseValidator { boolean foundWBPK = false; int offset = 0; - // check number of SAML aatributes + // check number of SAML attributes List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); int extendedSAMLAttributesNum = 0; if (extendedSAMLAttributes != null) { - extendedSAMLAttributesNum = extendedSAMLAttributes.size(); + extendedSAMLAttributesNum = extendedSAMLAttributes.size(); } - int expectedSAMLAttributeNumber = - AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum; + int expectedSAMLAttributeNumber = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum; + + //remove one attribute from expected attributes if public SP target or wbPK is not part of AuthBlock if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--; + + //check number of attributes in AuthBlock response against expected number of attributes int actualSAMLAttributeNumber = samlAttributes.length; if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) { - Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " + - expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber); - throw new ValidateException( - "validator.36", - new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)}); + Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " + + expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber); + throw new ValidateException("validator.36", + new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)}); + } - SAMLAttribute samlAttribute; - if (session.getSAMLAttributeGebeORwbpk()) { - // check the first attribute ("Geschaeftsbereich" or "wbPK") - samlAttribute = samlAttributes[0]; - if (businessService) { - if (!samlAttribute.getName().equals("wbPK")) { - if (samlAttribute.getName().equals("Geschaeftsbereich")) { - throw new ValidateException("validator.26", null); - } else { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)}); - } - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - foundWBPK = true; - try { - Element attrValue = (Element)samlAttribute.getValue(); - String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue(); - String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue(); - if (!value.equals(identityLink.getIdentificationValue())) { - throw new ValidateException("validator.28", null); - } - if (!type.equals(identityLink.getIdentificationType())) { - throw new ValidateException("validator.28", null); - } - } catch (Exception ex) { - throw new ValidateException("validator.29", null); - } - } else { - throw new ValidateException("validator.30", null); - } - } else { - if (!samlAttribute.getName().equals("Geschaeftsbereich")) { - if (samlAttribute.getName().equals("wbPK")) { - throw new ValidateException("validator.26", null); - } else { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)}); - } - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - foundGB = true; - String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(gbTarget); - if (StringUtils.isEmpty(sectorName)) { - if (targetFriendlyName != null) - sectorName = targetFriendlyName; - } - gbTarget = gbTarget + " (" + sectorName + ")"; - //gbTarget = gbTarget + " (" + TargetToSectorNameMapper.getSectorNameViaTarget(gbTarget) + ")"; + //now check every single attribute + SAMLAttribute samlAttribute = null; + Pair<String, String> userSectorId = null; + if (session.getSAMLAttributeGebeORwbpk()) { + //check the first attribute ("Geschaeftsbereich" or "wbPK") + samlAttribute = samlAttributes[0]; + + //calculate bPK or wbPK as reference value for validation + if (MiscUtil.isNotEmpty(saml1RequestedTarget)) + userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier( + identityLink.getIdentificationValue(), identityLink.getIdentificationType(), + saml1RequestedTarget); + else + userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier( + identityLink.getIdentificationValue(), identityLink.getIdentificationType(), + oaParam.getAreaSpecificTargetIdentifier()); + + //every sector specific identifier that has not 'urn:publicid:gv.at:cdid+' as prefix + // is internally handled as an AuthBlock with wbPK + if (!userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) { + if (!samlAttribute.getName().equals("wbPK")) { + if (samlAttribute.getName().equals("Geschaeftsbereich")) { + throw new ValidateException("validator.26", null); + + } else { + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)}); + } + } + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + foundWBPK = true; + try { + Element attrValue = (Element)samlAttribute.getValue(); + String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue(); + String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue(); + if (!value.equals(userSectorId.getFirst())) + throw new ValidateException("validator.28", null); - if (!gbTarget.equals((String)samlAttribute.getValue())) { - throw new ValidateException("validator.13", null); - } - } else { - throw new ValidateException("validator.12", null); - } - } - } else { - offset--; - } + if (!type.equals(userSectorId.getSecond())) + throw new ValidateException("validator.28", null); + + } catch (Exception ex) { + throw new ValidateException("validator.29", null); + } + + } else + throw new ValidateException("validator.30", null); + + } else { + if (!samlAttribute.getName().equals("Geschaeftsbereich")) { + if (samlAttribute.getName().equals("wbPK")) + throw new ValidateException("validator.26", null); + + else + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)}); + } + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + foundGB = true; + + String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(userSectorId.getSecond()); + if (StringUtils.isEmpty(sectorName)) { + if (saml1RequestedFriendlyName != null) + sectorName = saml1RequestedFriendlyName; + else + sectorName = oaParam.getAreaSpecificTargetIdentifierFriendlyName(); + } + + String refValueSector = userSectorId.getSecond().substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")"; + if (!refValueSector.equals((String)samlAttribute.getValue())) + throw new ValidateException("validator.13", null); + + } else + throw new ValidateException("validator.12", null); + + } + + } else + //check nothing if wbPK or public SP target is not part of AuthBlock + offset--; + + // check the second attribute (must be "OA") + samlAttribute = samlAttributes[1 + offset]; + if (!samlAttribute.getName().equals("OA")) + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)}); + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + foundOA = true; + if (!oaURL.equals((String)samlAttribute.getValue())) + throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()}); + + } else + throw new ValidateException("validator.15", null); - // check the second attribute (must be "OA") - samlAttribute = samlAttributes[1 + offset]; - if (!samlAttribute.getName().equals("OA")) { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)}); - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - foundOA = true; - if (!oaURL.equals((String)samlAttribute.getValue())) { // CHECKS für die AttributeVALUES fehlen noch - throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()}); - } - } else { - throw new ValidateException("validator.15", null); - } - // check the third attribute (must be "Geburtsdatum") - samlAttribute = samlAttributes[2 + offset]; - if (!samlAttribute.getName().equals("Geburtsdatum")) { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)}); - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - String samlDateOfBirth = (String)samlAttribute.getValue(); - String dateOfBirth = identityLink.getDateOfBirth(); - if (!samlDateOfBirth.equals(dateOfBirth)) { - throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth}); - } - } else { - throw new ValidateException("validator.35", null); - } + // check the third attribute (must be "Geburtsdatum") + samlAttribute = samlAttributes[2 + offset]; + if (!samlAttribute.getName().equals("Geburtsdatum")) + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)}); + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + String samlDateOfBirth = (String)samlAttribute.getValue(); + String dateOfBirth = identityLink.getDateOfBirth(); + if (!samlDateOfBirth.equals(dateOfBirth)) + throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth}); + + } else + throw new ValidateException("validator.35", null); - // check four attribute could be a special text - samlAttribute = samlAttributes[3 + offset]; - if (!samlAttribute.getName().equals("SpecialText")) { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)}); - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - String samlSpecialText = (String)samlAttribute.getValue(); - samlSpecialText = samlSpecialText.replaceAll("'", "'"); + // check four attribute could be a special text + samlAttribute = samlAttributes[3 + offset]; + if (!samlAttribute.getName().equals("SpecialText")) + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)}); + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + String samlSpecialText = (String)samlAttribute.getValue(); + samlSpecialText = samlSpecialText.replaceAll("'", "'"); - String text = ""; - if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) { - Logger.info("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix()); - text = oaParam.getAditionalAuthBlockText(); - } + String text = ""; + if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) { + Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix()); + text = oaParam.getAditionalAuthBlockText(); + + } - String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant); - if (!samlSpecialText.equals(specialText)) { - throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); - } - } else { - throw new ValidateException("validator.35", null); + String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, + AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap( + pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant)); + if (!samlSpecialText.equals(specialText)) + throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); + + } else + throw new ValidateException("validator.35", null); - } - - - //check unique AuthBlock tokken - samlAttribute = samlAttributes[4 + offset]; - if (!samlAttribute.getName().equals("UniqueTokken")) { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)}); - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - String uniquetokken = (String)samlAttribute.getValue(); + + //check unique AuthBlock tokken + samlAttribute = samlAttributes[4 + offset]; + if (!samlAttribute.getName().equals("UniqueTokken")) + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)}); + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + String uniquetokken = (String)samlAttribute.getValue(); - if (!uniquetokken.equals(session.getAuthBlockTokken())) { - throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()}); - } - } else { - throw new ValidateException("validator.35", null); - } - - - // now check the extended SAML attributes - int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset; - if (extendedSAMLAttributes != null) { - Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator(); - while (it.hasNext()) { - ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next(); - samlAttribute = samlAttributes[i]; - String actualName = samlAttribute.getName(); - String expectedName = extendedSAMLAttribute.getName(); - if (!actualName.equals(expectedName)) { - throw new ValidateException( - "validator.38", - new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName }); - } - String actualNamespace = samlAttribute.getNamespace(); - String expectedNamespace = extendedSAMLAttribute.getNameSpace(); - if (!actualNamespace.equals(expectedNamespace)) { - throw new ValidateException( - "validator.38", - new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, }); - } - Object expectedValue = extendedSAMLAttribute.getValue(); - Object actualValue = samlAttribute.getValue(); - try { - if (expectedValue instanceof String) { - // replace \r\n because text might be base64-encoded - String expValue = StringUtils.replaceAll((String)expectedValue,"\r",""); - expValue = StringUtils.replaceAll(expValue,"\n",""); - String actValue = StringUtils.replaceAll((String)actualValue,"\r",""); - actValue = StringUtils.replaceAll(actValue,"\n",""); - if (!expValue.equals(actValue)) { - throw new ValidateException( - "validator.38", - new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue }); - } - } else if (expectedValue instanceof Element) { - // only check the name of the element - String actualElementName = ((Element)actualValue).getNodeName(); - String expectedElementName = ((Element)expectedValue).getNodeName(); - if (!(expectedElementName.equals(actualElementName))){ - throw new ValidateException( - "validator.38", - new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName}); - } - } else { - // should not happen - throw new ValidateException( - "validator.38", - new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()}); - } - } catch (ClassCastException e) { - throw new ValidateException( - "validator.38", - new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()}); - } - i++; - } - } - + if (!uniquetokken.equals(session.getAuthBlockTokken())) + throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()}); + } else + throw new ValidateException("validator.35", null); - if (!foundOA) throw new ValidateException("validator.14", null); - if (businessService) { - if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK) throw new ValidateException("validator.31", null); - } else { - if (!foundGB) throw new ValidateException("validator.11", null); - } + + // now check the extended SAML attributes + int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset; + if (extendedSAMLAttributes != null) { + Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator(); + while (it.hasNext()) { + ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next(); + samlAttribute = samlAttributes[i]; + String actualName = samlAttribute.getName(); + String expectedName = extendedSAMLAttribute.getName(); + if (!actualName.equals(expectedName)) + throw new ValidateException("validator.38", + new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName }); + + String actualNamespace = samlAttribute.getNamespace(); + String expectedNamespace = extendedSAMLAttribute.getNameSpace(); + if (!actualNamespace.equals(expectedNamespace)) + throw new ValidateException("validator.38", + new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, }); + + Object expectedValue = extendedSAMLAttribute.getValue(); + Object actualValue = samlAttribute.getValue(); + try { + if (expectedValue instanceof String) { + // replace \r\n because text might be base64-encoded + String expValue = StringUtils.replaceAll((String)expectedValue,"\r",""); + expValue = StringUtils.replaceAll(expValue,"\n",""); + String actValue = StringUtils.replaceAll((String)actualValue,"\r",""); + actValue = StringUtils.replaceAll(actValue,"\n",""); + if (!expValue.equals(actValue)) + throw new ValidateException("validator.38", + new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue }); + + } else if (expectedValue instanceof Element) { + // only check the name of the element + String actualElementName = ((Element)actualValue).getNodeName(); + String expectedElementName = ((Element)expectedValue).getNodeName(); + if (!(expectedElementName.equals(actualElementName))) + throw new ValidateException("validator.38", + new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName}); + + } else + // should not happen + throw new ValidateException("validator.38", + new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()}); + + } catch (ClassCastException e) { + throw new ValidateException("validator.38", + new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()}); + } + + i++; + } + } + + if (!foundOA) + throw new ValidateException("validator.14", null); + + if (userSectorId != null && !userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) { + if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK) + throw new ValidateException("validator.31", null); + + } else { + if (!foundGB) + throw new ValidateException("validator.11", null); + } - //Check if dsig:Signature exists -// NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature"); -// if (nl.getLength() != 1) { -// throw new ValidateException("validator.05", null); -// } - Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH); - if (dsigSignature == null) { - throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ; - } + //Check if dsig:Signature exists + Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH); + if (dsigSignature == null) + throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ; + } /** @@ -521,7 +540,7 @@ public class CreateXMLSignatureResponseValidator { try { if (MiscUtil.isNotEmpty(AuthConfigurationProviderFactory.getInstance().getSSOSpecialText())) { text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText(); - Logger.info("Use addional AuthBlock Text from SSO=" +text); + Logger.debug("Use addional AuthBlock Text from SSO=" +text); } else @@ -531,7 +550,9 @@ public class CreateXMLSignatureResponseValidator { } - String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant); + String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, + AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap( + pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant)); if (!samlSpecialText.equals(specialText)) { throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); } diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java index 4953dad02..c4ea80df9 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java @@ -183,7 +183,7 @@ public class VerifyXMLSignatureResponseValidator { // to be ignored boolean ignoreManifestValidationResult = false; if (whatToCheck.equals(CHECK_IDENTITY_LINK)) - ignoreManifestValidationResult = (oaParam.getBusinessService()) ? true + ignoreManifestValidationResult = (oaParam.hasBaseIdInternalProcessingRestriction()) ? true : false; if (ignoreManifestValidationResult) { diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java index 55562176d..09c64c267 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java @@ -66,10 +66,10 @@ import org.w3c.dom.NodeList; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.ParseException; -import at.gv.egovernment.moa.id.auth.exception.ValidateException; import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClientException; import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWConstants; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.BoolUtils; import at.gv.egovernment.moa.util.Constants; @@ -688,7 +688,7 @@ public class ParepUtils { * <code>false</code> calculates (w)bPKs and changes also the <code>pr:Identifivation/pr:Type</code> elements. * @return The element where Stammzahlen are hidden. */ - public static Element HideStammZahlen(Element hideElement, boolean businessApplication, String target, String registerID, boolean blank) + public static Element HideStammZahlen(Element hideElement, boolean businessApplication, String oaTargetAreaId, boolean blank) throws BuildException { try { if (hideElement != null) { @@ -706,20 +706,11 @@ public class ParepUtils { } if (blank) { idValueNode.setNodeValue(""); - } else { - String idValue = idValueNode.getNodeValue(); - if (businessApplication) { - // wbPK berechnen - idTypeNode.setNodeValue(Constants.URN_PREFIX_WBPK + "+" + registerID); - String bpkBase64 = new BPKBuilder().buildWBPK(idValueNode.getNodeValue(), registerID); - idValueNode.setNodeValue(bpkBase64); - - } else { - // bPK berechnen - idTypeNode.setNodeValue(Constants.URN_PREFIX_BPK); - String bpkBase64 = new BPKBuilder().buildBPK(idValueNode.getNodeValue(), target); - idValueNode.setNodeValue(bpkBase64); - } + + } else { + Pair<String, String> calcId = new BPKBuilder().generateAreaSpecificPersonIdentifier(idValueNode.getNodeValue(), oaTargetAreaId); + idValueNode.setNodeValue(calcId.getFirst()); + } } } diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml index 0db2b26a8..0207eb6c9 100644 --- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml +++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml @@ -7,4 +7,35 @@ </parent> <artifactId>moa-id-module-bkaMobilaAuthSAML2Test</artifactId> <description>BKA MobileAuth Test for SAML2 applications</description> + + <dependencies> + <dependency> + <groupId>org.bouncycastle</groupId> + <artifactId>bcprov-jdk15on</artifactId> + <version>1.52</version> + </dependency> + <dependency> + <groupId>org.bouncycastle</groupId> + <artifactId>bcpkix-jdk15on</artifactId> + <version>1.52</version> + </dependency> + + <!-- JSON JWT implementation --> + <dependency> + <groupId>com.googlecode.jsontoken</groupId> + <artifactId>jsontoken</artifactId> + <version>1.1</version> + <exclusions> + <exclusion> + <groupId>javax.servlet</groupId> + <artifactId>servlet-api</artifactId> + </exclusion> + <exclusion> + <artifactId>google-collections</artifactId> + <groupId>com.google.collections</groupId> + </exclusion> + </exclusions> + </dependency> + </dependencies> + </project>
\ No newline at end of file diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java index 44554e21d..0cef4cb41 100644 --- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java +++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java @@ -30,9 +30,11 @@ import javax.annotation.PostConstruct; import org.springframework.beans.factory.annotation.Autowired; import at.gv.egovernment.moa.id.auth.modules.AuthModule; +import at.gv.egovernment.moa.id.auth.modules.bkamobileauthtests.tasks.FirstBKAMobileAuthTask; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils; +import at.gv.egovernment.moa.id.moduls.AuthenticationManager; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -45,7 +47,8 @@ public class BKAMobileAuthModule implements AuthModule { private int priority = 1; - @Autowired protected AuthConfiguration authConfig; + @Autowired(required=true) protected AuthConfiguration authConfig; + @Autowired(required=true) private AuthenticationManager authManager; private List<String> uniqueIDsDummyAuthEnabled = new ArrayList<String>(); @@ -77,7 +80,10 @@ public class BKAMobileAuthModule implements AuthModule { for (String el : uniqueIDsDummyAuthEnabled) Logger.info(" EntityID: " + el); } - } + } + + //parameter to whiteList + authManager.addParameterNameToWhiteList(FirstBKAMobileAuthTask.REQ_PARAM_eID_BLOW); } /* (non-Javadoc) @@ -87,10 +93,22 @@ public class BKAMobileAuthModule implements AuthModule { public String selectProcess(ExecutionContext context) { String spEntityID = (String) context.get(MOAIDAuthConstants.PROCESSCONTEXT_UNIQUE_OA_IDENTFIER); if (MiscUtil.isNotEmpty(spEntityID)) { - if (uniqueIDsDummyAuthEnabled.contains(spEntityID)) - return "BKAMobileAuthentication"; - - } + if (uniqueIDsDummyAuthEnabled.contains(spEntityID)) { + String eIDBlob = (String)context.get(FirstBKAMobileAuthTask.REQ_PARAM_eID_BLOW); + if (eIDBlob != null && MiscUtil.isNotEmpty(eIDBlob.trim())) { + return "BKAMobileAuthentication"; + + } else { + Logger.debug("Dummy-auth are enabled for " + spEntityID + " but no '" + + FirstBKAMobileAuthTask.REQ_PARAM_eID_BLOW + "' req. parameter available."); + + } + + } else + Logger.debug("Unique SP-Id: " + spEntityID + " is not in whitelist of mobile-auth module."); + + } else + Logger.debug("No unique service-provider identifier!"); return null; } diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java index 884129453..aa16a9172 100644 --- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java +++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java @@ -56,7 +56,7 @@ public class BKAMobileAuthSpringResourceProvider implements SpringResourceProvid */ @Override public String getName() { - return "BKA MobileAuth SAML2 Test"; + return "Module for 'Mobile-Auth with Crypto-Binding'"; } } diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java index 66112edc5..43043ddd6 100644 --- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java +++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java @@ -22,16 +22,56 @@ */ package at.gv.egovernment.moa.id.auth.modules.bkamobileauthtests.tasks; +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.security.InvalidAlgorithmParameterException; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; +import java.security.spec.InvalidKeySpecException; +import java.security.spec.KeySpec; + +import javax.crypto.BadPaddingException; +import javax.crypto.Cipher; +import javax.crypto.IllegalBlockSizeException; +import javax.crypto.NoSuchPaddingException; +import javax.crypto.SecretKey; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.PBEKeySpec; +import javax.crypto.spec.SecretKeySpec; +import javax.security.cert.CertificateException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.bouncycastle.asn1.cms.CMSObjectIdentifiers; +import org.bouncycastle.cms.CMSSignedData; +import org.joda.time.DateTime; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; +import com.google.gson.JsonObject; +import com.google.gson.JsonParseException; +import com.google.gson.JsonParser; + +import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; -import at.gv.egovernment.moa.id.auth.servlet.GeneralProcessEngineSignalController; +import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession; +import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest; +import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponse; +import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponseElement; +import at.gv.egovernment.moa.spss.api.common.SignerInfo; +import at.gv.egovernment.moa.spss.api.impl.VerifyCMSSignatureRequestImpl; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.MiscUtil; /** @@ -41,6 +81,20 @@ import at.gv.egovernment.moa.logging.Logger; @Component("FirstBKAMobileAuthTask") public class FirstBKAMobileAuthTask extends AbstractAuthServletTask { + private static final String CONF_MOASPSS_TRUSTPROFILE = "modules.bkamobileAuth.verify.trustprofile"; + private static final String CONF_SIGNING_TIME_JITTER = "modules.bkamobileAuth.verify.time.jitter"; + private static final String CONF_EID_TOKEN_ENCRYPTION_KEY = "modules.bkamobileAuth.eIDtoken.encryption.pass"; + + private static final String EIDCONTAINER_KEY_SALT = "salt"; + private static final String EIDCONTAINER_KEY_IV = "iv"; + private static final String EIDCONTAINER_EID = "eid"; + private static final String EIDCONTAINER_KEY_IDL = "idl"; + private static final String EIDCONTAINER_KEY_BINDINGCERT = "cert"; + + public static final String REQ_PARAM_eID_BLOW = "eidToken"; + + @Autowired(required=true) private AuthConfiguration authConfig; + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) */ @@ -48,9 +102,196 @@ public class FirstBKAMobileAuthTask extends AbstractAuthServletTask { public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) throws TaskExecutionException { - Logger.info("Redirect to Second BKA Mobile Auth task"); - performRedirectToItself(pendingReq, response, GeneralProcessEngineSignalController.ENDPOINT_GENERIC); + try { + String eIDBlobRawB64 = request.getParameter(REQ_PARAM_eID_BLOW); + if (MiscUtil.isEmpty(eIDBlobRawB64)) { + //TODO: add dummy-auth functionality + + Logger.warn("NO eID data blob included!"); + throw new MOAIDException("NO eID data blob included!", null); + } + + parseDemoValuesIntoMOASession(pendingReq, pendingReq.getMOASession(), eIDBlobRawB64); + + } catch (MOAIDException e) { + throw new TaskExecutionException(pendingReq, e.getMessage(), e); + + } catch (Exception e) { + throw new TaskExecutionException(pendingReq, e.getMessage(), e); + + } + + //Logger.info("Redirect to Second BKA Mobile Auth task"); + //performRedirectToItself(pendingReq, response, GeneralProcessEngineSignalController.ENDPOINT_GENERIC); + + } + + /** + * @param pendingReq + * @param moaSession + * @param eIDBlobRaw + * @throws MOAIDException + * @throws IOException + */ + private void parseDemoValuesIntoMOASession(IRequest pendingReq, IAuthenticationSession moaSession, String eIDBlobRawB64) throws MOAIDException, IOException { + Logger.debug("Check eID blob signature ... "); + byte[] eIDBlobRaw = Base64Utils.decode(eIDBlobRawB64.trim(), false); + + VerifyCMSSignatureResponse cmsResp = SignatureVerificationInvoker.getInstance().verifyCMSSignature( + createCMSVerificationReq(eIDBlobRaw)); + + if (cmsResp.getResponseElements().isEmpty()) { + Logger.warn("No CMS signature-verification response"); + throw new MOAIDException("Signature verification FAILED: No response", null); + + } + VerifyCMSSignatureResponseElement sigVerifyResp = (VerifyCMSSignatureResponseElement) cmsResp.getResponseElements().get(0); + analyseCMSSignatureVerificationResponse(sigVerifyResp); + + + Logger.info("eID blob signature is VALID!"); + byte[] decRawEidBlob = null; + byte[] signedData = null; + try { + Logger.debug("Starting eID information extraction ... "); + CMSSignedData cmsContent = new CMSSignedData(eIDBlobRaw); + signedData = (byte[])cmsContent.getSignedContent().getContent(); + if (!cmsContent.getSignedContent().getContentType().equals(CMSObjectIdentifiers.data)) { + Logger.warn("Signature contains NO 'data' OID 1.2.840.113549.1.7.1"); + throw new MOAIDException("Signature contains NO 'data' OID 1.2.840.113549.1.7.1", null); + } + if (signedData == null) { + Logger.warn("CMS SignedData is empty or null"); + throw new MOAIDException("CMS SignedData is empty or null", null); + } + Logger.info("Signed content extracted"); + + + Logger.debug("Starting signed content decryption ... "); + JsonParser parser = new JsonParser(); + JsonObject signedDataJson = (JsonObject) parser.parse(new String(signedData, "UTF-8")); + byte[] salt = Base64Utils.decode(signedDataJson.get(EIDCONTAINER_KEY_SALT).getAsString(), false); + byte[] ivraw = Base64Utils.decode(signedDataJson.get(EIDCONTAINER_KEY_IV).getAsString(), false); + byte[] encRawEidBlob = Base64Utils.decode(signedDataJson.get(EIDCONTAINER_EID).getAsString(), false); + SecretKey seckey = generateDecryptionKey(salt); + IvParameterSpec iv = new IvParameterSpec(ivraw); + Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); + cipher.init(Cipher.DECRYPT_MODE, seckey, iv); + decRawEidBlob = cipher.doFinal(encRawEidBlob); + Logger.info("eID data decryption completed"); + + + Logger.debug("Starting eID-blob parsing ..."); + JsonObject eIDBlobJson = (JsonObject) parser.parse(new String(decRawEidBlob, "UTF-8")); + String idlB64 = eIDBlobJson.get( + EIDCONTAINER_KEY_IDL).getAsString(); + String bindingCertB64 = eIDBlobJson.get( + EIDCONTAINER_KEY_BINDINGCERT).getAsString(); + javax.security.cert.X509Certificate bindingCert = javax.security.cert.X509Certificate.getInstance(Base64Utils.decode(bindingCertB64, false)); + if (!sigVerifyResp.getSignerInfo().getSignerCertificate().equals(bindingCert)) { + Logger.error("eID-blob signing certificate DOES NOT match to binding certificate included in eID blob!"); + Logger.info("BindingCert: " + bindingCert.toString()); + Logger.info("SigningCert: " + sigVerifyResp.getSignerInfo().getSignerCertificate().toString()); + throw new MOAIDException("eID-blob signing certificate DOES NOT match to binding certificate included in eID blob!", null); + + } + Logger.info("eID-blob parsing completed"); + + + Logger.debug("Parse eID information into MOA-Session ..."); + byte[] rawIDL = Base64Utils.decode(idlB64, false); + IIdentityLink identityLink = new IdentityLinkAssertionParser(new ByteArrayInputStream(rawIDL)).parseIdentityLink(); + moaSession.setIdentityLink(identityLink); + moaSession.setUseMandates(false); + moaSession.setForeigner(false); + moaSession.setBkuURL("http://egiz.gv.at/BKA_MobileAuthTest"); + moaSession.setQAALevel(PVPConstants.STORK_QAA_1_3); + Logger.info("Session Restore completed"); + + + } catch (MOAIDException e) { + throw e; + + } catch (JsonParseException e) { + if (decRawEidBlob != null) + Logger.error("eID-blob parse error! blob: " + new String(decRawEidBlob, "UTF-8"), e); + + if (signedData != null) + Logger.error("eID-blob parse error! blob: " + new String(signedData, "UTF-8"), e); + + if (decRawEidBlob == null && signedData == null) + Logger.error("eID-blob parse error!", e); + + throw new MOAIDException("eID-blob parse error!", null); + + } catch (org.bouncycastle.cms.CMSException e) { + Logger.error("Can not parse CMS signature.", e); + throw new MOAIDException("Can not parse CMS signature.", null, e); + + } catch (InvalidAlgorithmParameterException| NoSuchAlgorithmException | NoSuchPaddingException | InvalidKeyException | IllegalBlockSizeException | BadPaddingException e) { + Logger.error("Can not decrypte eID data.", e); + throw new MOAIDException("Can not decrypte eID data", null, e); + } catch (CertificateException e) { + Logger.error("Can not extract mobile-app binding-certificate from eID blob.", e); + throw new MOAIDException("Can not extract mobile-app binding-certificate from eID blob.", null, e); + + } finally { + + } + + } + + private SecretKey generateDecryptionKey(byte[] salt) throws MOAIDException { + String decryptionPassPhrase = authConfig.getBasicMOAIDConfiguration(CONF_EID_TOKEN_ENCRYPTION_KEY, "DEFAULTPASSWORD"); + try { + SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256"); + KeySpec spec = new PBEKeySpec(decryptionPassPhrase.toCharArray(), salt, 2000, 128); + SecretKey derivedKey = factory.generateSecret(spec); + SecretKeySpec symKeySpec = new SecretKeySpec(derivedKey.getEncoded(), "AES"); + return symKeySpec; + + } catch (NoSuchAlgorithmException | InvalidKeySpecException e) { + Logger.error("Mobile-Auth Module has an internal errror.", e); + throw new MOAIDException("Mobile-Auth Module has an internal errror.", null, e); + + } + } + + /** + * @throws MOAIDException + * + */ + private void analyseCMSSignatureVerificationResponse(VerifyCMSSignatureResponseElement verifySigResult) throws MOAIDException { + //validate CMS signature verification response + if (verifySigResult.getSignatureCheck().getCode() != 0) { + Logger.warn("CMS signature verification FAILED with StatusCode: " + verifySigResult.getSignatureCheck().getCode()); + throw new MOAIDException("CMS signature verification FAILED with StatusCode: " + verifySigResult.getSignatureCheck().getCode(), null); + + } + if (verifySigResult.getCertificateCheck().getCode() != 0) { + Logger.warn("CMS certificate verification FAILED with StatusCode: " + verifySigResult.getCertificateCheck().getCode()); + throw new MOAIDException("CMS certificate verification FAILED with StatusCode: " + verifySigResult.getCertificateCheck().getCode(), null); + + } + SignerInfo signerInfos = verifySigResult.getSignerInfo(); + DateTime date = new DateTime(signerInfos.getSigningTime().getTime()); + Integer signingTimeJitter = Integer.valueOf(authConfig.getBasicMOAIDConfiguration(CONF_SIGNING_TIME_JITTER, "5")); + if (date.plusMinutes(signingTimeJitter).isBeforeNow()) { + Logger.warn("CMS signature-time is before: " + date.plusMinutes(signingTimeJitter)); + throw new MOAIDException("CMS signature-time is before: " + date.plusMinutes(signingTimeJitter), null); + + } + } + private VerifyCMSSignatureRequest createCMSVerificationReq(byte[] eIDBlobRaw) { + VerifyCMSSignatureRequestImpl cmsSigVerifyReq = new VerifyCMSSignatureRequestImpl(); + cmsSigVerifyReq.setSignatories(VerifyCMSSignatureRequestImpl.ALL_SIGNATORIES); + cmsSigVerifyReq.setExtended(false); + cmsSigVerifyReq.setPDF(false); + cmsSigVerifyReq.setTrustProfileId(authConfig.getBasicMOAIDConfiguration(CONF_MOASPSS_TRUSTPROFILE, "!!NOT SET!!!")); + cmsSigVerifyReq.setCMSSignature(new ByteArrayInputStream(eIDBlobRaw)); + return cmsSigVerifyReq; + } } diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml index 4a0f4d5f2..6f41f347a 100644 --- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml +++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml @@ -12,8 +12,10 @@ <pd:StartEvent id="start" /> <pd:Transition from="start" to="firstStep" /> - <pd:Transition from="firstStep" to="secondStep"/> - <pd:Transition from="secondStep" to="finalizeAuthentication" /> + <!-- pd:Transition from="firstStep" to="secondStep"/> + <pd:Transition from="secondStep" to="finalizeAuthentication" /--> + + <pd:Transition from="firstStep" to="finalizeAuthentication" /> <pd:Transition from="finalizeAuthentication" to="end" /> diff --git a/id/server/modules/moa-id-module-eIDAS/pom.xml b/id/server/modules/moa-id-module-eIDAS/pom.xml index f3d8eeb36..cf3325d24 100644 --- a/id/server/modules/moa-id-module-eIDAS/pom.xml +++ b/id/server/modules/moa-id-module-eIDAS/pom.xml @@ -12,11 +12,11 @@ <properties> <repositoryPath>${basedir}/../../../../repository</repositoryPath> - <eidas-commons.version>1.4.0-SNAPSHOT</eidas-commons.version> - <eidas-light-commons.version>1.4.0-SNAPSHOT</eidas-light-commons.version> - <eidas-saml-engine.version>1.4.0-SNAPSHOT</eidas-saml-engine.version> - <eidas-encryption.version>1.4.0-SNAPSHOT</eidas-encryption.version> - <eidas-configmodule.version>1.4.0-SNAPSHOT</eidas-configmodule.version> + <eidas-commons.version>1.4.0</eidas-commons.version> + <eidas-light-commons.version>1.4.0</eidas-light-commons.version> + <eidas-saml-engine.version>1.4.0</eidas-saml-engine.version> + <eidas-encryption.version>1.4.0</eidas-encryption.version> + <eidas-configmodule.version>1.4.0</eidas-configmodule.version> </properties> diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java index c0101b553..d975b6e0a 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java @@ -69,6 +69,8 @@ public class Constants { public static final String CONIG_PROPS_EIDAS_METADATA_URLS_LIST_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".metadata.url"; + public static final String CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".bpk.target."; + //timeouts and clock skews diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java index 6f1d75bfe..154006ed8 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java @@ -31,7 +31,6 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang3.BooleanUtils; -import org.apache.commons.lang3.StringUtils; import org.apache.velocity.Template; import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine; @@ -41,6 +40,7 @@ import org.opensaml.saml2.metadata.SingleSignOnService; import org.opensaml.saml2.metadata.provider.MetadataProviderException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; +import org.springframework.util.StringUtils; import com.google.common.net.MediaType; @@ -227,7 +227,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { authnRequestBuilder.levelOfAssuranceComparison(LevelOfAssuranceComparison.MINIMUM); //set correct SPType for this online application - if (oaConfig.getBusinessService()) + if (oaConfig.hasBaseIdTransferRestriction()) authnRequestBuilder.spType(SpType.PRIVATE.getValue()); else authnRequestBuilder.spType(SpType.PUBLIC.getValue()); @@ -306,7 +306,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { context.put("RelayState", pendingReq.getRequestID()); - Logger.debug("Using assertion consumer url as action: " + authnReqEndpoint.getLocation()); + Logger.debug("Using SingleSignOnService url as action: " + authnReqEndpoint.getLocation()); context.put("action", authnReqEndpoint.getLocation()); Logger.debug("Starting template merge"); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java index 940b91b44..1ce900ebb 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java @@ -56,6 +56,7 @@ import at.gv.egovernment.moa.id.commons.MOAIDConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils; import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController; import at.gv.egovernment.moa.logging.Logger; @@ -269,7 +270,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { //validate request country-code against eIDAS node config String reqCC = samlReq.getOriginCountryCode(); - String eIDASTarget = oaConfig.getIdentityLinkDomainIdentifier(); + String eIDASTarget = oaConfig.getAreaSpecificTargetIdentifier(); //validate eIDAS target Pattern pattern = Pattern.compile("^" + at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS @@ -283,14 +284,22 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { } else { String[] splittedTarget = eIDASTarget.split("\\+"); if (!splittedTarget[2].equalsIgnoreCase(reqCC)) { - Logger.error("Configuration for eIDAS-node:" + samlReq.getIssuer() + Logger.debug("Configuration for eIDAS-node:" + samlReq.getIssuer() + " Destination Country from request (" + reqCC - + ") does not match to configuration:" + eIDASTarget); - throw new MOAIDException("eIDAS.01", - new Object[]{"Destination Country from request does not match to configuration"}); + + ") does not match to configuration:" + eIDASTarget + + " --> Perform additional organisation check ..."); + + //check if eIDAS domain for bPK calculation is a valid target + if (!iseIDASTargetAValidOrganisation(reqCC, splittedTarget[2])) { + throw new MOAIDException("eIDAS.01", + new Object[]{"Destination Country from request does not match to configuration"}); + + } + } - Logger.debug("CountryCode from request matches eIDAS-node configuration target"); + Logger.debug("CountryCode from request matches eIDAS-node configuration target: " + eIDASTarget); + } @@ -439,6 +448,20 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { public boolean validate(HttpServletRequest request, HttpServletResponse response, IRequest pending) { return false; } + + private boolean iseIDASTargetAValidOrganisation(String reqCC, String bPKTargetArea) { + if (MiscUtil.isNotEmpty(reqCC)) { + List<String> allowedOrganisations = KeyValueUtils.getListOfCSVValues( + authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX + reqCC.toLowerCase())); + if (allowedOrganisations.contains(bPKTargetArea)) { + Logger.debug(bPKTargetArea + " is a valid OrganisationIdentifier for request-country: "+ reqCC); + return true; + } + } + + Logger.info("OrganisationIdentifier: " + bPKTargetArea + " is not allowed for country: " + reqCC); + return false; + } } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java index c008048cb..ea5a002e0 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java @@ -22,7 +22,13 @@ */ package at.gv.egovernment.moa.id.protocols.eidas.attributes.builder; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator; import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateLegalPersonSourcePinAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; /** * @author tlenz @@ -31,6 +37,31 @@ import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateLegalPersonS public class eIDASAttrLegalPersonIdentifier extends MandateLegalPersonSourcePinAttributeBuilder implements IeIDASAttribute { @Override + public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData, + IAttributeGenerator<ATT> g) throws AttributeException { + if(authData.isUseMandate()) { + + //extract eIDAS unique Id prefix from naturalPerson bPK identifier + if (MiscUtil.isEmpty(authData.getBPKType()) + || !authData.getBPKType().startsWith(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS)) { + Logger.error("BPKType is empty or does not start with eIDAS bPKType prefix! bPKType:" + authData.getBPKType()); + throw new AttributeException("Suspect bPKType for eIDAS identifier generation"); + + } + + //add eIDAS eID prefix to legal person identifier + String prefix = authData.getBPKType().substring(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS.length() + 1); + String legalPersonID = prefix.replaceAll("\\+", "/") + "/" + getLegalPersonIdentifierFromMandate(authData); + return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, + MANDATE_LEG_PER_SOURCE_PIN_NAME, legalPersonID); + + } + + return null; + + } + + @Override public String getName() { return eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri().toString(); } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java index d0cda38c7..b91bbde9e 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java @@ -77,6 +77,8 @@ public class eIDASAuthenticationRequest implements IAction { @Autowired protected MOAReversionLogger revisionsLogger; @Autowired(required=true) MOAeIDASChainingMetadataProvider eIDASMetadataProvider; + + @Override public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { EIDASData eidasRequest; @@ -91,29 +93,32 @@ public class eIDASAuthenticationRequest implements IAction { //gather attributes ImmutableAttributeMap reqAttributeList = (ImmutableAttributeMap) eidasRequest.getEidasRequestedAttributes(); ImmutableAttributeMap.Builder attrMapBuilder = ImmutableAttributeMap.builder(); - - //generate eIDAS attributes - for(AttributeDefinition<?> attr : reqAttributeList.getDefinitions()) { - Pair<AttributeDefinition<?>, ImmutableSet<AttributeValue<?>>> eIDASAttr = eIDASAttributeBuilder.buildAttribute( - attr, req.getOnlineApplicationConfiguration(), authData); - - if(eIDASAttr == null) { - if (attr.isRequired()) { - Logger.info("eIDAS Attr:" + attr.getNameUri() + " is marked as 'Required' but not available."); - throw new MOAIDException("eIDAS.15", new Object[]{attr.getFriendlyName()}); - - } else - Logger.info("eIDAS Attr:" + attr.getNameUri() + " is not available."); - } else { - //add attribute to Map - attrMapBuilder.put( - (AttributeDefinition)eIDASAttr.getFirst(), - (ImmutableSet)eIDASAttr.getSecond()); + //generate eIDAS attributes + for(AttributeDefinition<?> attr : reqAttributeList.getDefinitions()) + buildAndAddAttribute(attrMapBuilder, attr, eidasRequest, authData); + + + //Check if Mandate attributes are requested if mandates was used + if (authData.isUseMandate()) { + if (reqAttributeList.getDefinitionByNameUri( + eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri()) == null) { + Logger.info("Citzen perfom authentication with mandates but no mandate attribute are included. --> Add mandate attribute 'LEGAL_PERSON_IDENTIFIER'"); + buildAndAddAttribute(attrMapBuilder, eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER, eidasRequest, authData); + + } + + if (reqAttributeList.getDefinitionByNameUri( + eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_NAME.getNameUri()) == null) { + Logger.info("Citzen perfom authentication with mandates but no mandate attribute are included. --> Add mandate attribute 'LEGAL_NAME'"); + buildAndAddAttribute(attrMapBuilder, eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_NAME, eidasRequest, authData); } } + //build final attibute set + ImmutableAttributeMap eIDASAttrbutMap = attrMapBuilder.build(); + // construct eIDaS response AuthenticationResponse.Builder responseBuilder = new AuthenticationResponse.Builder(); @@ -127,7 +132,7 @@ public class eIDASAuthenticationRequest implements IAction { responseBuilder.levelOfAssurance(authData.getEIDASQAALevel()); //add attributes - responseBuilder.attributes(attrMapBuilder.build()); + responseBuilder.attributes(eIDASAttrbutMap); //set success statuscode responseBuilder.statusCode(StatusCode.SUCCESS_URI); @@ -221,6 +226,26 @@ public class eIDASAuthenticationRequest implements IAction { return "eIDAS_AuthnRequest"; } + private void buildAndAddAttribute(ImmutableAttributeMap.Builder attrMapBuilder, AttributeDefinition<?> attr, IRequest req, IAuthData authData) throws MOAIDException { + Pair<AttributeDefinition<?>, ImmutableSet<AttributeValue<?>>> eIDASAttr = eIDASAttributeBuilder.buildAttribute( + attr, req.getOnlineApplicationConfiguration(), authData); + + if(eIDASAttr == null) { + if (attr.isRequired()) { + Logger.info("eIDAS Attr:" + attr.getNameUri() + " is marked as 'Required' but not available."); + throw new MOAIDException("eIDAS.15", new Object[]{attr.getFriendlyName()}); + + } else + Logger.info("eIDAS Attr:" + attr.getNameUri() + " is not available."); + + } else { + //add attribute to Map + attrMapBuilder.put( + (AttributeDefinition)eIDASAttr.getFirst(), + (ImmutableSet)eIDASAttr.getSecond()); + + } + } diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java index d65d74c3f..299eb442e 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java @@ -48,6 +48,7 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAuthnRequestBuilder; @@ -150,7 +151,8 @@ public class RequestELGAMandateTask extends AbstractAuthServletTask { String sourcePinType = moasession.getIdentityLink().getIdentificationType(); String sourcePinValue = moasession.getIdentityLink().getIdentificationValue(); if (sourcePinType.startsWith(Constants.URN_PREFIX_BASEID)) { - representativeBPK = new BPKBuilder().buildBPK(sourcePinValue, configTarget); + Pair<String, String> userId = new BPKBuilder().generateAreaSpecificPersonIdentifier(sourcePinValue, configTarget); + representativeBPK = userId.getFirst(); } else { Logger.debug("No 'SourcePin' found for representative. " diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java index 98f8d13c7..52970e240 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java @@ -30,7 +30,7 @@ import org.springframework.stereotype.Component; import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration; import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder; -import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration; +import at.gv.egovernment.moa.id.auth.frontend.builder.SPSpecificGUIBuilderConfigurationWithFileSystemLoad; import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; @@ -38,6 +38,7 @@ import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConsta import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandateUtils; import at.gv.egovernment.moa.id.auth.servlet.GeneralProcessEngineSignalController; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.logging.Logger; @@ -60,11 +61,13 @@ public class SelectMandateServiceTask extends AbstractAuthServletTask { //check if Service-Provider allows ELGA-mandates if (ELGAMandateUtils.checkServiceProviderAgainstELGAModulConfigration(authConfig, pendingReq)) { Logger.trace("Build GUI for mandate-service selection ..."); - - IGUIBuilderConfiguration config = new ServiceProviderSpecificGUIFormBuilderConfiguration( - pendingReq, - ELGAMandatesAuthConstants.TEMPLATE_MANDATE_SERVICE_SELECTION, - GeneralProcessEngineSignalController.ENDPOINT_GENERIC); + + IGUIBuilderConfiguration config = new SPSpecificGUIBuilderConfigurationWithFileSystemLoad( + pendingReq, + ELGAMandatesAuthConstants.TEMPLATE_MANDATE_SERVICE_SELECTION, + MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_ELGAMANDATESERVICESELECTION_URL, + GeneralProcessEngineSignalController.ENDPOINT_GENERIC, + authConfig.getRootConfigFileDir()); guiBuilder.build(response, config, "Mandate-Service selection"); diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java index 2f6a54027..4ce77d861 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java @@ -75,14 +75,6 @@ public class SSOTransferAuthenticationData implements IAuthData { } /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.data.IAuthData#isBusinessService() - */ - @Override - public boolean isBusinessService() { - return this.isIDPPrivateService; - } - - /* (non-Javadoc) * @see at.gv.egovernment.moa.id.data.IAuthData#isSsoSession() */ @Override @@ -362,4 +354,13 @@ public class SSOTransferAuthenticationData implements IAuthData { return this.authSession.getGenericDataFromSession(key, clazz); } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#isBaseIDTransferRestrication() + */ + @Override + public boolean isBaseIDTransferRestrication() { + return this.isIDPPrivateService; + } + } diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java index 3affa17b3..c2132c1f9 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java @@ -32,6 +32,7 @@ import at.gv.egovernment.moa.id.commons.api.data.CPEPS; import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters; import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute; import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; /** * @author tlenz @@ -42,15 +43,7 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters { public SSOTransferOnlineApplication() { } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService() - */ - @Override - public boolean getBusinessService() { - return false; - } - + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#useSSO() */ @@ -107,33 +100,6 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters { } /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType() - */ - @Override - public String getOaType() { - // TODO Auto-generated method stub - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget() - */ - @Override - public String getTarget() { - // TODO Auto-generated method stub - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTargetFriendlyName() - */ - @Override - public String getTargetFriendlyName() { - // TODO Auto-generated method stub - return null; - } - - /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isInderfederationIDP() */ @Override @@ -151,14 +117,6 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters { return false; } - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier() - */ - @Override - public String getIdentityLinkDomainIdentifier() { - // TODO Auto-generated method stub - return null; - } /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getKeyBoxIdentifier() @@ -226,15 +184,6 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters { } /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType() - */ - @Override - public String getIdentityLinkDomainIdentifierType() { - // TODO Auto-generated method stub - return null; - } - - /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isShowMandateCheckBox() */ @Override @@ -441,4 +390,38 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters { return false; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdInternalProcessingRestriction() + */ + @Override + public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException { + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdTransferRestriction() + */ + @Override + public boolean hasBaseIdTransferRestriction() throws ConfigurationException { + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifier() + */ + @Override + public String getAreaSpecificTargetIdentifier() throws ConfigurationException { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifierFriendlyName() + */ + @Override + public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException { + // TODO Auto-generated method stub + return null; + } + } diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java b/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java index fe859c7bc..8ca087e1d 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java @@ -232,6 +232,14 @@ public class Tests { */ public static void main(String[] args) { + String org_resp = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWwycDpSZXNwb25zZSBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zYW1scHJveHktdGVzdC51Y29tLmd2LmF0L1NhbWwyL2Fjcy9wb3N0IiBJRD0iXzQ0MDVlMmE5NTBiYWVkODdjYTBjOWNhZWY4ZThhYzBmIiBJblJlc3BvbnNlVG89ImlkLWY3VUhoSU1BOFdqeXFkUEJ3IiBJc3N1ZUluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNTkzWiIgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCI+PHNhbWwyOklzc3VlciB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+aHR0cHM6Ly9zdHAtYXV0aC1hcHAuZW50dy5wb3J0YWwuYmthLmd2LmF0L3N0ZHBvcnRhbC1pZHAvcG9ydGFsdmVyYnVuZC5ndi5hdDwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGE1MTIiLz48ZHM6UmVmZXJlbmNlIFVSST0iI180NDA1ZTJhOTUwYmFlZDg3Y2EwYzljYWVmOGU4YWMwZiI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhNTEyIi8+PGRzOkRpZ2VzdFZhbHVlPng3a2RBVVRJTmlpak9sbmZNRVJnY29tZEFub2MwejIwTEI5NXN3TitIRXdnRTBCUUNaR0ZIZVJKQWVxbmxjRmZabUZNZnUyejE3OGFlRlVaK1VCOGpRPT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+cVFsWFRPdmtON2QzZ1BxaXR0VDRnNUtYNDkrNE45TWMza2NvS1p1RUhTZU1zd2p4dzNkZHpVcGd4bHJnUWc2QTl5cC80dTgxSlM3dVpSSWRESm9iRm81OUE4RWV0Qmh2cXptdElaOUt3ejJad0IyclhENlBFaERxOURnbHpZR0dOd05od2dFZXpPbzBlRTRpNHBETkRQdDkxaC9FOU1qMkxoR0NVM3U2ZEZ0ZHQ2R2FEa000RHVJcVZKeWdHQzdVZDJMeU14Q1NyVC9mRHpQSUN6RENCcDExRTNEaVRYWk55MTBaa1J2RU5tOUZrY0lPVHlRcmlrNXkrV25Ed0UrTDUzZUhNL1l4WkJBa2pGMjRRaEc0YVBxY1FhcFdEdWNSaDdYNkZsU1Y0bUpqNHp5TlMzSmZBeUFaN0J4S2w3anlxWjIzT1VTYm5MTkRIdVNpK2JzZkt3PT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUZ5VENDQkxHZ0F3SUJBZ0lDQXJRd0RRWUpLb1pJaHZjTkFRRUxCUUF3Z1pneEN6QUpCZ05WQkFZVEFrRlVNUTB3Q3dZRFZRUUkKRXdSWGFXVnVNU2N3SlFZRFZRUUtFeDVDZFc1a1pYTnRhVzVwYzNSbGNtbDFiU0JtZFdWeUlFbHVibVZ5WlhNeERqQU1CZ05WQkFzVApCVWxVTFUxVE1Sa3dGd1lEVlFRREV4QlFiM0owWVd4MlpYSmlkVzVrTFVOQk1TWXdKQVlKS29aSWh2Y05BUWtCRmhkaWJXa3RhWFl0Ck1pMWxMV05oUUdKdGFTNW5kaTVoZERBZUZ3MHhOakV5TWpBd09ETXlNVFphRncweE9UQXhNRGt3T0RNeU1UWmFNSUdITVFzd0NRWUQKVlFRR0V3SkJWREVOTUFzR0ExVUVDQk1FVjJsbGJqRVpNQmNHQTFVRUNoTVFRblZ1WkdWemEyRnVlbXhsY21GdGRERUxNQWtHQTFVRQpDeE1DU1ZReEhEQWFCZ05WQkFNVEUzTjBjQzFsYm5SM0xXSnJZUzFqYkdsbGJuUXhJekFoQmdrcWhraUc5dzBCQ1FFV0ZIcGxjblJwClptbHJZWFJBWW10aExtZDJMbUYwTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUEya2lxMTZNQWNUTTkKRjJPUzlNZEJ0eHpqMmdnSmpuZWVjNFRvZitvZXBEVWRpTk5HRDFmSDFZRU9qZ3ZiSzhvc2tXZ3ptbmFRM1FyV0RrZmlEM2l1dXpLKwp1eWc3L3psSHdyV2VmY0sycGkvbTJqQXNqTXZXZFlDWk9raDNoL3dEN25oMkpRd0N4Sy91K1hxbnVMWnBHQkRlTExqMStHWTFQL3F0CktNWWxzZ2ZwWTNjWFlKL3dvWk9ZblZhK1liOE1USHNNempQcEpXVkw2QURFREhMU1lVZ3h2LzMzSDlISGFQUXNNRmpDejVuRitWUkUKQ0EwbnpWS3dXcFN1dWdabmk5KzdMNVlUUUR5VDNNUUtQeURxRmZnMUVQS21BV1F0UU84OXUvZ3JERVNZNldLMlFxV2JieUZ6Ykx4TQozVjI3Sit6OE8wV3dsMzlyTS9DVDdIcjNkd0lEQVFBQm80SUNLakNDQWlZd0NRWURWUjBUQkFJd0FEQUxCZ05WSFE4RUJBTUNCZUF3CkxBWUpZSVpJQVliNFFnRU5CQjhXSFU5d1pXNVRVMHdnUjJWdVpYSmhkR1ZrSUVObGNuUnBabWxqWVhSbE1CMEdBMVVkRGdRV0JCUmcKUURkQnNoT1BpYUs0VGxNT3Nqdlltek04U0RDQjBRWURWUjBqQklISk1JSEdnQlNtSHZSZUdrTzBpTjZpeUwxb1pRUEZNRzltMDZHQgpxcVNCcHpDQnBERUxNQWtHQTFVRUJoTUNRVlF4RFRBTEJnTlZCQWdUQkZkcFpXNHhEVEFMQmdOVkJBY1RCRmRwWlc0eEp6QWxCZ05WCkJBb1RIa0oxYm1SbGMyMXBibWx6ZEdWeWFYVnRJR1oxWlhJZ1NXNXVaWEpsY3pFT01Bd0dBMVVFQ3hNRlNWUXRUVk14RmpBVUJnTlYKQkFNVERWQnZjblJoYkZKdmIzUXRRMEV4SmpBa0Jna3Foa2lHOXcwQkNRRVdGMkp0YVMxcGRpMHlMV1V0WTJGQVltMXBMbWQyTG1GMApnZ0VCTUI4R0ExVWRFUVFZTUJhQkZIcGxjblJwWm1scllYUkFZbXRoTG1kMkxtRjBNQ0lHQTFVZEVnUWJNQm1CRjJKdGFTMXBkaTB5CkxXVXRZMkZBWW0xcExtZDJMbUYwTUVVR0ExVWRId1ErTUR3d09xQTRvRGFHTkdoMGRIQTZMeTl3YjNKMFlXd3VZbTFwTG1kMkxtRjAKTDNKbFppOXdhMmt2Y0c5eWRHRnNRMEV2VUc5eWRHRnNWaTVqY213d1R3WUlLd1lCQlFVSEFRRUVRekJCTUQ4R0NDc0dBUVVGQnpBQwpoak5vZEhSd09pOHZjRzl5ZEdGc0xtSnRhUzVuZGk1aGRDOXlaV1l2Y0d0cEwzQnZjblJoYkVOQkwybHVaR1Y0TG1oMGJXd3dEZ1lICktpZ0FDZ0VCQVFRREFRSC9NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUJtRGRkb2NaakNUMmlDOGx4bUNwdGQxTEtMaEUvdVVUTEYKZDVCUUlFMm52bUYrcUdwd09HSXlLUlhvSVJ2R04rZjU2Tm53cCthVTNqdjJONWh1OURoRWlubGYxbmRDTzJiSGlUYTZyS3FyZDY5dApTY0tjUWk5empHd25iOXV2MU5BR05UN0pxVWN5VGh3bTB6bnpGWU9CMXdZQnVyaC9kQWVaYkR4ekpDNnZLdjZZT2gvWWV5MWdDUGZNCkYxRlFnUVQ5QXRDZTFvTVA0dHQ4dXZVUldSYm0za3JEaFNsL3kxSDN0WDVJQlZ2cjl0cko0ekpiYkZNUGdLS0FXaERINEI0aUJaNmwKUzZILzBqWjlUSWsyRFpjbExISjUvNnVuajg4ZnBXcis2dUE4K3F3alNWUjY5RnZHdXJwckZzOVFMMDZCUjBELzRXNXkrNFFSUk9HWQpNYVVCPC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWwycDpTdGF0dXM+PHNhbWwycDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWwycDpTdGF0dXM+PHNhbWwyOkFzc2VydGlvbiBJRD0iXzZmZmIyMzg2NGVlMDQ2MzJiYmNmMjU2ZjlmMTc4ZDA2IiBJc3N1ZUluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNTkzWiIgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+PHNhbWwyOklzc3Vlcj5odHRwczovL3N0cC1hdXRoLWFwcC5lbnR3LnBvcnRhbC5ia2EuZ3YuYXQvc3RkcG9ydGFsLWlkcC9wb3J0YWx2ZXJidW5kLmd2LmF0PC9zYW1sMjpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTUxMiIvPjxkczpSZWZlcmVuY2UgVVJJPSIjXzZmZmIyMzg2NGVlMDQ2MzJiYmNmMjU2ZjlmMTc4ZDA2Ij48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGE1MTIiLz48ZHM6RGlnZXN0VmFsdWU+TWZVYVFUQ3A4N05CejdHanBOcXU5LzJCUm0yNFRac1hFRWQvK0YwTDZHTjZMWlRvWFdoaTQ3b2g3WW8rQ0RySTcxUS9hUXp6NmdqZU5YeC9ManViaXc9PTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5rUXlmclkyb3phODBNOEY4VFh0SXJtVno4SEFuaHJOY0wxblJRSW1IY2d5VjBnMFcxMW9JaVMzM1ZCbDJLeHVZaVdicFg0ZXdzcW9rSTBaZWxGQ0RoU1ZtTFpZUlRzWGV4ellSZ3hhUUdQZnNnMUh6eStYRzVEQUFSRk9pdDh3SGlpeFE1QVIzOFJRendudml0bTJRYkNoVGhzVk5zeHp4RmpEZnh3ejlpNzcvd3VPZTVERlU5Z0hzWUtEVUxrVFVyT1BveGM0RFgyQjYvd0E0cFJ2Z1lhTnFSQVltenFpSWlQQW5DMnZETXdjemQ2M2wzb3NuNHZlb3k3a0pYN0JkZTVUM29MREx5Tno4VXFua1pHY2c3Nkp4WGVweGptdmtnSy8yRk91d3VvUTY4WnI5T25hRE1vNmRqTlFzU2xpL2ZlMGFjVVpHVDVrajRBUU12NDYyc3c9PTwvZHM6U2lnbmF0dXJlVmFsdWU+PGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJRnlUQ0NCTEdnQXdJQkFnSUNBclF3RFFZSktvWklodmNOQVFFTEJRQXdnWmd4Q3pBSkJnTlZCQVlUQWtGVU1RMHdDd1lEVlFRSQpFd1JYYVdWdU1TY3dKUVlEVlFRS0V4NUNkVzVrWlhOdGFXNXBjM1JsY21sMWJTQm1kV1Z5SUVsdWJtVnlaWE14RGpBTUJnTlZCQXNUCkJVbFVMVTFUTVJrd0Z3WURWUVFERXhCUWIzSjBZV3gyWlhKaWRXNWtMVU5CTVNZd0pBWUpLb1pJaHZjTkFRa0JGaGRpYldrdGFYWXQKTWkxbExXTmhRR0p0YVM1bmRpNWhkREFlRncweE5qRXlNakF3T0RNeU1UWmFGdzB4T1RBeE1Ea3dPRE15TVRaYU1JR0hNUXN3Q1FZRApWUVFHRXdKQlZERU5NQXNHQTFVRUNCTUVWMmxsYmpFWk1CY0dBMVVFQ2hNUVFuVnVaR1Z6YTJGdWVteGxjbUZ0ZERFTE1Ba0dBMVVFCkN4TUNTVlF4SERBYUJnTlZCQU1URTNOMGNDMWxiblIzTFdKcllTMWpiR2xsYm5ReEl6QWhCZ2txaGtpRzl3MEJDUUVXRkhwbGNuUnAKWm1scllYUkFZbXRoTG1kMkxtRjBNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTJraXExNk1BY1RNOQpGMk9TOU1kQnR4emoyZ2dKam5lZWM0VG9mK29lcERVZGlOTkdEMWZIMVlFT2pndmJLOG9za1dnem1uYVEzUXJXRGtmaUQzaXV1eksrCnV5ZzcvemxId3JXZWZjSzJwaS9tMmpBc2pNdldkWUNaT2toM2gvd0Q3bmgySlF3Q3hLL3UrWHFudUxacEdCRGVMTGoxK0dZMVAvcXQKS01ZbHNnZnBZM2NYWUovd29aT1luVmErWWI4TVRIc016alBwSldWTDZBREVESExTWVVneHYvMzNIOUhIYVBRc01GakN6NW5GK1ZSRQpDQTBuelZLd1dwU3V1Z1puaTkrN0w1WVRRRHlUM01RS1B5RHFGZmcxRVBLbUFXUXRRTzg5dS9nckRFU1k2V0syUXFXYmJ5RnpiTHhNCjNWMjdKK3o4TzBXd2wzOXJNL0NUN0hyM2R3SURBUUFCbzRJQ0tqQ0NBaVl3Q1FZRFZSMFRCQUl3QURBTEJnTlZIUThFQkFNQ0JlQXcKTEFZSllJWklBWWI0UWdFTkJCOFdIVTl3Wlc1VFUwd2dSMlZ1WlhKaGRHVmtJRU5sY25ScFptbGpZWFJsTUIwR0ExVWREZ1FXQkJSZwpRRGRCc2hPUGlhSzRUbE1Pc2p2WW16TThTRENCMFFZRFZSMGpCSUhKTUlIR2dCU21IdlJlR2tPMGlONml5TDFvWlFQRk1HOW0wNkdCCnFxU0JwekNCcERFTE1Ba0dBMVVFQmhNQ1FWUXhEVEFMQmdOVkJBZ1RCRmRwWlc0eERUQUxCZ05WQkFjVEJGZHBaVzR4SnpBbEJnTlYKQkFvVEhrSjFibVJsYzIxcGJtbHpkR1Z5YVhWdElHWjFaWElnU1c1dVpYSmxjekVPTUF3R0ExVUVDeE1GU1ZRdFRWTXhGakFVQmdOVgpCQU1URFZCdmNuUmhiRkp2YjNRdFEwRXhKakFrQmdrcWhraUc5dzBCQ1FFV0YySnRhUzFwZGkweUxXVXRZMkZBWW0xcExtZDJMbUYwCmdnRUJNQjhHQTFVZEVRUVlNQmFCRkhwbGNuUnBabWxyWVhSQVltdGhMbWQyTG1GME1DSUdBMVVkRWdRYk1CbUJGMkp0YVMxcGRpMHkKTFdVdFkyRkFZbTFwTG1kMkxtRjBNRVVHQTFVZEh3UStNRHd3T3FBNG9EYUdOR2gwZEhBNkx5OXdiM0owWVd3dVltMXBMbWQyTG1GMApMM0psWmk5d2Eya3ZjRzl5ZEdGc1EwRXZVRzl5ZEdGc1ZpNWpjbXd3VHdZSUt3WUJCUVVIQVFFRVF6QkJNRDhHQ0NzR0FRVUZCekFDCmhqTm9kSFJ3T2k4dmNHOXlkR0ZzTG1KdGFTNW5kaTVoZEM5eVpXWXZjR3RwTDNCdmNuUmhiRU5CTDJsdVpHVjRMbWgwYld3d0RnWUgKS2lnQUNnRUJBUVFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQm1EZGRvY1pqQ1QyaUM4bHhtQ3B0ZDFMS0xoRS91VVRMRgpkNUJRSUUybnZtRitxR3B3T0dJeUtSWG9JUnZHTitmNTZObndwK2FVM2p2Mk41aHU5RGhFaW5sZjFuZENPMmJIaVRhNnJLcXJkNjl0ClNjS2NRaTl6akd3bmI5dXYxTkFHTlQ3SnFVY3lUaHdtMHpuekZZT0Ixd1lCdXJoL2RBZVpiRHh6SkM2dkt2NllPaC9ZZXkxZ0NQZk0KRjFGUWdRVDlBdENlMW9NUDR0dDh1dlVSV1JibTNrckRoU2wveTFIM3RYNUlCVnZyOXRySjR6SmJiRk1QZ0tLQVdoREg0QjRpQlo2bApTNkgvMGpaOVRJazJEWmNsTEhKNS82dW5qODhmcFdyKzZ1QTgrcXdqU1ZSNjlGdkd1cnByRnM5UUwwNkJSMEQvNFc1eSs0UVJST0dZCk1hVUI8L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6cGVyc2lzdGVudCIgTmFtZVF1YWxpZmllcj0iaHR0cHM6Ly9zdHAtYXV0aC1hcHAuZW50dy5wb3J0YWwuYmthLmd2LmF0L3N0ZHBvcnRhbC1pZHAvcG9ydGFsdmVyYnVuZC5ndi5hdCIgU1BOYW1lUXVhbGlmaWVyPSJodHRwczovL3NhbWxwcm94eS10ZXN0LnVjb20uZ3YuYXQvc3AiIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj54bnRHMDBlakpBZ0w3KzBtdVRJb3JoYUljeW89PC9zYW1sMjpOYW1lSUQ+PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgQWRkcmVzcz0iMTI5LjI3LjE1Mi4xMjYiIEluUmVzcG9uc2VUbz0iaWQtZjdVSGhJTUE4V2p5cWRQQnciIE5vdE9uT3JBZnRlcj0iMjAxNy0wOS0yMFQxNDo1NDo1Mi42MjNaIiBSZWNpcGllbnQ9Imh0dHBzOi8vc2FtbHByb3h5LXRlc3QudWNvbS5ndi5hdC9TYW1sMi9hY3MvcG9zdCIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q+PHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE3LTA5LTIwVDE0OjQ5OjUyLjU5M1oiIE5vdE9uT3JBZnRlcj0iMjAxNy0wOS0yMFQxNDo1NDo1Mi41OTNaIj48c2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDI6QXVkaWVuY2U+aHR0cHM6Ly9zYW1scHJveHktdGVzdC51Y29tLmd2LmF0L3NwPC9zYW1sMjpBdWRpZW5jZT48L3NhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sMjpDb25kaXRpb25zPjxzYW1sMjpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNDk1WiIgU2Vzc2lvbkluZGV4PSJfYjBhOGUxOTQ5YzQyMjU5NjA0MzAxMDUwNjBkMGQyYTgiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTctMDktMjBUMTU6MTk6NTIuNjAyWiI+PHNhbWwyOlN1YmplY3RMb2NhbGl0eSBBZGRyZXNzPSIxMjkuMjcuMTUyLjEyNiIvPjxzYW1sMjpBdXRobkNvbnRleHQ+PHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPmh0dHA6Ly93d3cucmVmLmd2LmF0L25zL25hbWVzL2FnaXovcHZwL3NlY2NsYXNzLzAtMjwvc2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sMjpBdXRobkNvbnRleHQ+PC9zYW1sMjpBdXRoblN0YXRlbWVudD48c2FtbDI6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJDT1NULUNFTlRFUi1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuNTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+QVQ6QktBOjEwMDk5OTg8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJQQVJUSUNJUEFOVC1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS43MSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5BVDpCOjExMTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IlBSSU5DSVBBTC1OQU1FIiBOYW1lPSJ1cm46b2lkOjEuMi40MC4wLjEwLjIuMS4xLjI2MS4yMCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5Nb2JpbGVBdXRoPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iT1UiIE5hbWU9InVybjpvaWQ6Mi41LjQuMTEiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+RHVtbXktT0U8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJNQUlMIiBOYW1lPSJ1cm46b2lkOjAuOS4yMzQyLjE5MjAwMzAwLjEwMC4xLjMiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+bW9iaWxlLmF1dGguMkBia2EuZ3YuYXQ8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJQVlAtVkVSU0lPTiIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuMTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+Mi4xPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iSU5WT0lDRS1SRUNQVC1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuNDAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+QVQ6QjoxMTE8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJPVS1PS1oiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMTUzIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlPkJLQS1EVU1NWTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IlVTRVJJRCIgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4xIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlPm1vYmlsZS5hdXRoLjJAYmthLmd2LmF0PC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iUk9MRVMiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMjYxLjMwIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlPnVjb21tX1VzZXIoKTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IkdJVkVOLU5BTUUiIE5hbWU9InVybjpvaWQ6Mi41LjQuNDIiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+WndlaTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9Ik9VLUdWLU9VLUlEIiBOYW1lPSJ1cm46b2lkOjEuMi40MC4wLjEwLjIuMS4xLjMiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+QVQ6QktBOjEwMDk5OTg8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJHSUQiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5BVDpCS0E6cGd1bHJyZHBvPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iU0VDQ0xBU1MiIE5hbWU9Imh0dHA6Ly9sZnJ6LmF0L3N0ZHBvcnRhbC9uYW1lcy9wdnAvc2VjQ2xhc3MiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+Mjwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PC9zYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sMjpBc3NlcnRpb24+PC9zYW1sMnA6UmVzcG9uc2U+"; + String org_req = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWwycDpSZXNwb25zZSBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zYW1scHJveHktdGVzdC51Y29tLmd2LmF0L1NhbWwyL2Fjcy9wb3N0IiBJRD0iXzQ0MDVlMmE5NTBiYWVkODdjYTBjOWNhZWY4ZThhYzBmIiBJblJlc3BvbnNlVG89ImlkLWY3VUhoSU1BOFdqeXFkUEJ3IiBJc3N1ZUluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNTkzWiIgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCI%2BPHNhbWwyOklzc3VlciB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI%2BaHR0cHM6Ly9zdHAtYXV0aC1hcHAuZW50dy5wb3J0YWwuYmthLmd2LmF0L3N0ZHBvcnRhbC1pZHAvcG9ydGFsdmVyYnVuZC5ndi5hdDwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8%2BPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGE1MTIiLz48ZHM6UmVmZXJlbmNlIFVSST0iI180NDA1ZTJhOTUwYmFlZDg3Y2EwYzljYWVmOGU4YWMwZiI%2BPGRzOlRyYW5zZm9ybXM%2BPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8%2BPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhNTEyIi8%2BPGRzOkRpZ2VzdFZhbHVlPng3a2RBVVRJTmlpak9sbmZNRVJnY29tZEFub2MwejIwTEI5NXN3TitIRXdnRTBCUUNaR0ZIZVJKQWVxbmxjRmZabUZNZnUyejE3OGFlRlVaK1VCOGpRPT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU%2BcVFsWFRPdmtON2QzZ1BxaXR0VDRnNUtYNDkrNE45TWMza2NvS1p1RUhTZU1zd2p4dzNkZHpVcGd4bHJnUWc2QTl5cC80dTgxSlM3dVpSSWRESm9iRm81OUE4RWV0Qmh2cXptdElaOUt3ejJad0IyclhENlBFaERxOURnbHpZR0dOd05od2dFZXpPbzBlRTRpNHBETkRQdDkxaC9FOU1qMkxoR0NVM3U2ZEZ0ZHQ2R2FEa000RHVJcVZKeWdHQzdVZDJMeU14Q1NyVC9mRHpQSUN6RENCcDExRTNEaVRYWk55MTBaa1J2RU5tOUZrY0lPVHlRcmlrNXkrV25Ed0UrTDUzZUhNL1l4WkJBa2pGMjRRaEc0YVBxY1FhcFdEdWNSaDdYNkZsU1Y0bUpqNHp5TlMzSmZBeUFaN0J4S2w3anlxWjIzT1VTYm5MTkRIdVNpK2JzZkt3PT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUZ5VENDQkxHZ0F3SUJBZ0lDQXJRd0RRWUpLb1pJaHZjTkFRRUxCUUF3Z1pneEN6QUpCZ05WQkFZVEFrRlVNUTB3Q3dZRFZRUUkKRXdSWGFXVnVNU2N3SlFZRFZRUUtFeDVDZFc1a1pYTnRhVzVwYzNSbGNtbDFiU0JtZFdWeUlFbHVibVZ5WlhNeERqQU1CZ05WQkFzVApCVWxVTFUxVE1Sa3dGd1lEVlFRREV4QlFiM0owWVd4MlpYSmlkVzVrTFVOQk1TWXdKQVlKS29aSWh2Y05BUWtCRmhkaWJXa3RhWFl0Ck1pMWxMV05oUUdKdGFTNW5kaTVoZERBZUZ3MHhOakV5TWpBd09ETXlNVFphRncweE9UQXhNRGt3T0RNeU1UWmFNSUdITVFzd0NRWUQKVlFRR0V3SkJWREVOTUFzR0ExVUVDQk1FVjJsbGJqRVpNQmNHQTFVRUNoTVFRblZ1WkdWemEyRnVlbXhsY21GdGRERUxNQWtHQTFVRQpDeE1DU1ZReEhEQWFCZ05WQkFNVEUzTjBjQzFsYm5SM0xXSnJZUzFqYkdsbGJuUXhJekFoQmdrcWhraUc5dzBCQ1FFV0ZIcGxjblJwClptbHJZWFJBWW10aExtZDJMbUYwTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUEya2lxMTZNQWNUTTkKRjJPUzlNZEJ0eHpqMmdnSmpuZWVjNFRvZitvZXBEVWRpTk5HRDFmSDFZRU9qZ3ZiSzhvc2tXZ3ptbmFRM1FyV0RrZmlEM2l1dXpLKwp1eWc3L3psSHdyV2VmY0sycGkvbTJqQXNqTXZXZFlDWk9raDNoL3dEN25oMkpRd0N4Sy91K1hxbnVMWnBHQkRlTExqMStHWTFQL3F0CktNWWxzZ2ZwWTNjWFlKL3dvWk9ZblZhK1liOE1USHNNempQcEpXVkw2QURFREhMU1lVZ3h2LzMzSDlISGFQUXNNRmpDejVuRitWUkUKQ0EwbnpWS3dXcFN1dWdabmk5KzdMNVlUUUR5VDNNUUtQeURxRmZnMUVQS21BV1F0UU84OXUvZ3JERVNZNldLMlFxV2JieUZ6Ykx4TQozVjI3Sit6OE8wV3dsMzlyTS9DVDdIcjNkd0lEQVFBQm80SUNLakNDQWlZd0NRWURWUjBUQkFJd0FEQUxCZ05WSFE4RUJBTUNCZUF3CkxBWUpZSVpJQVliNFFnRU5CQjhXSFU5d1pXNVRVMHdnUjJWdVpYSmhkR1ZrSUVObGNuUnBabWxqWVhSbE1CMEdBMVVkRGdRV0JCUmcKUURkQnNoT1BpYUs0VGxNT3Nqdlltek04U0RDQjBRWURWUjBqQklISk1JSEdnQlNtSHZSZUdrTzBpTjZpeUwxb1pRUEZNRzltMDZHQgpxcVNCcHpDQnBERUxNQWtHQTFVRUJoTUNRVlF4RFRBTEJnTlZCQWdUQkZkcFpXNHhEVEFMQmdOVkJBY1RCRmRwWlc0eEp6QWxCZ05WCkJBb1RIa0oxYm1SbGMyMXBibWx6ZEdWeWFYVnRJR1oxWlhJZ1NXNXVaWEpsY3pFT01Bd0dBMVVFQ3hNRlNWUXRUVk14RmpBVUJnTlYKQkFNVERWQnZjblJoYkZKdmIzUXRRMEV4SmpBa0Jna3Foa2lHOXcwQkNRRVdGMkp0YVMxcGRpMHlMV1V0WTJGQVltMXBMbWQyTG1GMApnZ0VCTUI4R0ExVWRFUVFZTUJhQkZIcGxjblJwWm1scllYUkFZbXRoTG1kMkxtRjBNQ0lHQTFVZEVnUWJNQm1CRjJKdGFTMXBkaTB5CkxXVXRZMkZBWW0xcExtZDJMbUYwTUVVR0ExVWRId1ErTUR3d09xQTRvRGFHTkdoMGRIQTZMeTl3YjNKMFlXd3VZbTFwTG1kMkxtRjAKTDNKbFppOXdhMmt2Y0c5eWRHRnNRMEV2VUc5eWRHRnNWaTVqY213d1R3WUlLd1lCQlFVSEFRRUVRekJCTUQ4R0NDc0dBUVVGQnpBQwpoak5vZEhSd09pOHZjRzl5ZEdGc0xtSnRhUzVuZGk1aGRDOXlaV1l2Y0d0cEwzQnZjblJoYkVOQkwybHVaR1Y0TG1oMGJXd3dEZ1lICktpZ0FDZ0VCQVFRREFRSC9NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUJtRGRkb2NaakNUMmlDOGx4bUNwdGQxTEtMaEUvdVVUTEYKZDVCUUlFMm52bUYrcUdwd09HSXlLUlhvSVJ2R04rZjU2Tm53cCthVTNqdjJONWh1OURoRWlubGYxbmRDTzJiSGlUYTZyS3FyZDY5dApTY0tjUWk5empHd25iOXV2MU5BR05UN0pxVWN5VGh3bTB6bnpGWU9CMXdZQnVyaC9kQWVaYkR4ekpDNnZLdjZZT2gvWWV5MWdDUGZNCkYxRlFnUVQ5QXRDZTFvTVA0dHQ4dXZVUldSYm0za3JEaFNsL3kxSDN0WDVJQlZ2cjl0cko0ekpiYkZNUGdLS0FXaERINEI0aUJaNmwKUzZILzBqWjlUSWsyRFpjbExISjUvNnVuajg4ZnBXcis2dUE4K3F3alNWUjY5RnZHdXJwckZzOVFMMDZCUjBELzRXNXkrNFFSUk9HWQpNYVVCPC9kczpYNTA5Q2VydGlmaWNhdGU%2BPC9kczpYNTA5RGF0YT48L2RzOktleUluZm8%2BPC9kczpTaWduYXR1cmU%2BPHNhbWwycDpTdGF0dXM%2BPHNhbWwycDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWwycDpTdGF0dXM%2BPHNhbWwyOkFzc2VydGlvbiBJRD0iXzZmZmIyMzg2NGVlMDQ2MzJiYmNmMjU2ZjlmMTc4ZDA2IiBJc3N1ZUluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNTkzWiIgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI%2BPHNhbWwyOklzc3Vlcj5odHRwczovL3N0cC1hdXRoLWFwcC5lbnR3LnBvcnRhbC5ia2EuZ3YuYXQvc3RkcG9ydGFsLWlkcC9wb3J0YWx2ZXJidW5kLmd2LmF0PC9zYW1sMjpJc3N1ZXI%2BPGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI%2BPGRzOlNpZ25lZEluZm8%2BPGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTUxMiIvPjxkczpSZWZlcmVuY2UgVVJJPSIjXzZmZmIyMzg2NGVlMDQ2MzJiYmNmMjU2ZjlmMTc4ZDA2Ij48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8%2BPC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGE1MTIiLz48ZHM6RGlnZXN0VmFsdWU%2BTWZVYVFUQ3A4N05CejdHanBOcXU5LzJCUm0yNFRac1hFRWQvK0YwTDZHTjZMWlRvWFdoaTQ3b2g3WW8rQ0RySTcxUS9hUXp6NmdqZU5YeC9ManViaXc9PTwvZHM6RGlnZXN0VmFsdWU%2BPC9kczpSZWZlcmVuY2U%2BPC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5rUXlmclkyb3phODBNOEY4VFh0SXJtVno4SEFuaHJOY0wxblJRSW1IY2d5VjBnMFcxMW9JaVMzM1ZCbDJLeHVZaVdicFg0ZXdzcW9rSTBaZWxGQ0RoU1ZtTFpZUlRzWGV4ellSZ3hhUUdQZnNnMUh6eStYRzVEQUFSRk9pdDh3SGlpeFE1QVIzOFJRendudml0bTJRYkNoVGhzVk5zeHp4RmpEZnh3ejlpNzcvd3VPZTVERlU5Z0hzWUtEVUxrVFVyT1BveGM0RFgyQjYvd0E0cFJ2Z1lhTnFSQVltenFpSWlQQW5DMnZETXdjemQ2M2wzb3NuNHZlb3k3a0pYN0JkZTVUM29MREx5Tno4VXFua1pHY2c3Nkp4WGVweGptdmtnSy8yRk91d3VvUTY4WnI5T25hRE1vNmRqTlFzU2xpL2ZlMGFjVVpHVDVrajRBUU12NDYyc3c9PTwvZHM6U2lnbmF0dXJlVmFsdWU%2BPGRzOktleUluZm8%2BPGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU%2BTUlJRnlUQ0NCTEdnQXdJQkFnSUNBclF3RFFZSktvWklodmNOQVFFTEJRQXdnWmd4Q3pBSkJnTlZCQVlUQWtGVU1RMHdDd1lEVlFRSQpFd1JYYVdWdU1TY3dKUVlEVlFRS0V4NUNkVzVrWlhOdGFXNXBjM1JsY21sMWJTQm1kV1Z5SUVsdWJtVnlaWE14RGpBTUJnTlZCQXNUCkJVbFVMVTFUTVJrd0Z3WURWUVFERXhCUWIzSjBZV3gyWlhKaWRXNWtMVU5CTVNZd0pBWUpLb1pJaHZjTkFRa0JGaGRpYldrdGFYWXQKTWkxbExXTmhRR0p0YVM1bmRpNWhkREFlRncweE5qRXlNakF3T0RNeU1UWmFGdzB4T1RBeE1Ea3dPRE15TVRaYU1JR0hNUXN3Q1FZRApWUVFHRXdKQlZERU5NQXNHQTFVRUNCTUVWMmxsYmpFWk1CY0dBMVVFQ2hNUVFuVnVaR1Z6YTJGdWVteGxjbUZ0ZERFTE1Ba0dBMVVFCkN4TUNTVlF4SERBYUJnTlZCQU1URTNOMGNDMWxiblIzTFdKcllTMWpiR2xsYm5ReEl6QWhCZ2txaGtpRzl3MEJDUUVXRkhwbGNuUnAKWm1scllYUkFZbXRoTG1kMkxtRjBNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTJraXExNk1BY1RNOQpGMk9TOU1kQnR4emoyZ2dKam5lZWM0VG9mK29lcERVZGlOTkdEMWZIMVlFT2pndmJLOG9za1dnem1uYVEzUXJXRGtmaUQzaXV1eksrCnV5ZzcvemxId3JXZWZjSzJwaS9tMmpBc2pNdldkWUNaT2toM2gvd0Q3bmgySlF3Q3hLL3UrWHFudUxacEdCRGVMTGoxK0dZMVAvcXQKS01ZbHNnZnBZM2NYWUovd29aT1luVmErWWI4TVRIc016alBwSldWTDZBREVESExTWVVneHYvMzNIOUhIYVBRc01GakN6NW5GK1ZSRQpDQTBuelZLd1dwU3V1Z1puaTkrN0w1WVRRRHlUM01RS1B5RHFGZmcxRVBLbUFXUXRRTzg5dS9nckRFU1k2V0syUXFXYmJ5RnpiTHhNCjNWMjdKK3o4TzBXd2wzOXJNL0NUN0hyM2R3SURBUUFCbzRJQ0tqQ0NBaVl3Q1FZRFZSMFRCQUl3QURBTEJnTlZIUThFQkFNQ0JlQXcKTEFZSllJWklBWWI0UWdFTkJCOFdIVTl3Wlc1VFUwd2dSMlZ1WlhKaGRHVmtJRU5sY25ScFptbGpZWFJsTUIwR0ExVWREZ1FXQkJSZwpRRGRCc2hPUGlhSzRUbE1Pc2p2WW16TThTRENCMFFZRFZSMGpCSUhKTUlIR2dCU21IdlJlR2tPMGlONml5TDFvWlFQRk1HOW0wNkdCCnFxU0JwekNCcERFTE1Ba0dBMVVFQmhNQ1FWUXhEVEFMQmdOVkJBZ1RCRmRwWlc0eERUQUxCZ05WQkFjVEJGZHBaVzR4SnpBbEJnTlYKQkFvVEhrSjFibVJsYzIxcGJtbHpkR1Z5YVhWdElHWjFaWElnU1c1dVpYSmxjekVPTUF3R0ExVUVDeE1GU1ZRdFRWTXhGakFVQmdOVgpCQU1URFZCdmNuUmhiRkp2YjNRdFEwRXhKakFrQmdrcWhraUc5dzBCQ1FFV0YySnRhUzFwZGkweUxXVXRZMkZBWW0xcExtZDJMbUYwCmdnRUJNQjhHQTFVZEVRUVlNQmFCRkhwbGNuUnBabWxyWVhSQVltdGhMbWQyTG1GME1DSUdBMVVkRWdRYk1CbUJGMkp0YVMxcGRpMHkKTFdVdFkyRkFZbTFwTG1kMkxtRjBNRVVHQTFVZEh3UStNRHd3T3FBNG9EYUdOR2gwZEhBNkx5OXdiM0owWVd3dVltMXBMbWQyTG1GMApMM0psWmk5d2Eya3ZjRzl5ZEdGc1EwRXZVRzl5ZEdGc1ZpNWpjbXd3VHdZSUt3WUJCUVVIQVFFRVF6QkJNRDhHQ0NzR0FRVUZCekFDCmhqTm9kSFJ3T2k4dmNHOXlkR0ZzTG1KdGFTNW5kaTVoZEM5eVpXWXZjR3RwTDNCdmNuUmhiRU5CTDJsdVpHVjRMbWgwYld3d0RnWUgKS2lnQUNnRUJBUVFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQm1EZGRvY1pqQ1QyaUM4bHhtQ3B0ZDFMS0xoRS91VVRMRgpkNUJRSUUybnZtRitxR3B3T0dJeUtSWG9JUnZHTitmNTZObndwK2FVM2p2Mk41aHU5RGhFaW5sZjFuZENPMmJIaVRhNnJLcXJkNjl0ClNjS2NRaTl6akd3bmI5dXYxTkFHTlQ3SnFVY3lUaHdtMHpuekZZT0Ixd1lCdXJoL2RBZVpiRHh6SkM2dkt2NllPaC9ZZXkxZ0NQZk0KRjFGUWdRVDlBdENlMW9NUDR0dDh1dlVSV1JibTNrckRoU2wveTFIM3RYNUlCVnZyOXRySjR6SmJiRk1QZ0tLQVdoREg0QjRpQlo2bApTNkgvMGpaOVRJazJEWmNsTEhKNS82dW5qODhmcFdyKzZ1QTgrcXdqU1ZSNjlGdkd1cnByRnM5UUwwNkJSMEQvNFc1eSs0UVJST0dZCk1hVUI8L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6cGVyc2lzdGVudCIgTmFtZVF1YWxpZmllcj0iaHR0cHM6Ly9zdHAtYXV0aC1hcHAuZW50dy5wb3J0YWwuYmthLmd2LmF0L3N0ZHBvcnRhbC1pZHAvcG9ydGFsdmVyYnVuZC5ndi5hdCIgU1BOYW1lUXVhbGlmaWVyPSJodHRwczovL3NhbWxwcm94eS10ZXN0LnVjb20uZ3YuYXQvc3AiIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj54bnRHMDBlakpBZ0w3KzBtdVRJb3JoYUljeW89PC9zYW1sMjpOYW1lSUQ%2BPHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgQWRkcmVzcz0iMTI5LjI3LjE1Mi4xMjYiIEluUmVzcG9uc2VUbz0iaWQtZjdVSGhJTUE4V2p5cWRQQnciIE5vdE9uT3JBZnRlcj0iMjAxNy0wOS0yMFQxNDo1NDo1Mi42MjNaIiBSZWNpcGllbnQ9Imh0dHBzOi8vc2FtbHByb3h5LXRlc3QudWNvbS5ndi5hdC9TYW1sMi9hY3MvcG9zdCIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q%2BPHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE3LTA5LTIwVDE0OjQ5OjUyLjU5M1oiIE5vdE9uT3JBZnRlcj0iMjAxNy0wOS0yMFQxNDo1NDo1Mi41OTNaIj48c2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDI6QXVkaWVuY2U%2BaHR0cHM6Ly9zYW1scHJveHktdGVzdC51Y29tLmd2LmF0L3NwPC9zYW1sMjpBdWRpZW5jZT48L3NhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24%2BPC9zYW1sMjpDb25kaXRpb25zPjxzYW1sMjpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNDk1WiIgU2Vzc2lvbkluZGV4PSJfYjBhOGUxOTQ5YzQyMjU5NjA0MzAxMDUwNjBkMGQyYTgiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTctMDktMjBUMTU6MTk6NTIuNjAyWiI%2BPHNhbWwyOlN1YmplY3RMb2NhbGl0eSBBZGRyZXNzPSIxMjkuMjcuMTUyLjEyNiIvPjxzYW1sMjpBdXRobkNvbnRleHQ%2BPHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPmh0dHA6Ly93d3cucmVmLmd2LmF0L25zL25hbWVzL2FnaXovcHZwL3NlY2NsYXNzLzAtMjwvc2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY%2BPC9zYW1sMjpBdXRobkNvbnRleHQ%2BPC9zYW1sMjpBdXRoblN0YXRlbWVudD48c2FtbDI6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJDT1NULUNFTlRFUi1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuNTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BQVQ6QktBOjEwMDk5OTg8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJQQVJUSUNJUEFOVC1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS43MSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5BVDpCOjExMTwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IlBSSU5DSVBBTC1OQU1FIiBOYW1lPSJ1cm46b2lkOjEuMi40MC4wLjEwLjIuMS4xLjI2MS4yMCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5Nb2JpbGVBdXRoPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iT1UiIE5hbWU9InVybjpvaWQ6Mi41LjQuMTEiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BRHVtbXktT0U8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJNQUlMIiBOYW1lPSJ1cm46b2lkOjAuOS4yMzQyLjE5MjAwMzAwLjEwMC4xLjMiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BbW9iaWxlLmF1dGguMkBia2EuZ3YuYXQ8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJQVlAtVkVSU0lPTiIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuMTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BMi4xPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iSU5WT0lDRS1SRUNQVC1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuNDAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BQVQ6QjoxMTE8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJPVS1PS1oiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMTUzIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI%2BPHNhbWwyOkF0dHJpYnV0ZVZhbHVlPkJLQS1EVU1NWTwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IlVTRVJJRCIgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4xIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI%2BPHNhbWwyOkF0dHJpYnV0ZVZhbHVlPm1vYmlsZS5hdXRoLjJAYmthLmd2LmF0PC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iUk9MRVMiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMjYxLjMwIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI%2BPHNhbWwyOkF0dHJpYnV0ZVZhbHVlPnVjb21tX1VzZXIoKTwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IkdJVkVOLU5BTUUiIE5hbWU9InVybjpvaWQ6Mi41LjQuNDIiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BWndlaTwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9Ik9VLUdWLU9VLUlEIiBOYW1lPSJ1cm46b2lkOjEuMi40MC4wLjEwLjIuMS4xLjMiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BQVQ6QktBOjEwMDk5OTg8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJHSUQiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5BVDpCS0E6cGd1bHJyZHBvPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iU0VDQ0xBU1MiIE5hbWU9Imh0dHA6Ly9sZnJ6LmF0L3N0ZHBvcnRhbC9uYW1lcy9wdnAvc2VjQ2xhc3MiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BMjwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPC9zYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ%2BPC9zYW1sMjpBc3NlcnRpb24%2BPC9zYW1sMnA6UmVzcG9uc2U%2B"; + String req = java.net.URLEncoder.encode(org_resp); + + System.out.println(org_resp); + System.out.println(req); + System.out.println(org_req); + /* * Test verifyable random functions with RSA diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java index d3ebffdfd..9981e8156 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java @@ -38,6 +38,7 @@ import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.URLEncoder; @Service("SAML1_GetArtifactAction") @@ -84,10 +85,12 @@ public class GetArtifactAction implements IAction { String samlArtifactBase64 = saml1server.BuildSAMLArtifact(oaParam, authData, sourceID); + String oaTargetArea = req.getGenericData(SAML1Protocol.REQ_DATA_TARGET, String.class); + if (authData.isSsoSession()) { String url = req.getAuthURL() + "/RedirectServlet"; url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(oaURL, "UTF-8")); - if (!oaParam.getBusinessService()) + if (MiscUtil.isNotEmpty(oaTargetArea)) url = addURLParameter(url, MOAIDAuthConstants.PARAM_TARGET, URLEncoder.encode(req.getGenericData(SAML1Protocol.REQ_DATA_TARGET, String.class), "UTF-8")); url = addURLParameter(url, MOAIDAuthConstants.PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8")); @@ -99,7 +102,7 @@ public class GetArtifactAction implements IAction { } else { String redirectURL = oaURL; - if (!oaParam.getBusinessService()) { + if (MiscUtil.isNotEmpty(oaTargetArea)) { redirectURL = addURLParameter(redirectURL, MOAIDAuthConstants.PARAM_TARGET, URLEncoder.encode(req.getGenericData(SAML1Protocol.REQ_DATA_TARGET, String.class), "UTF-8")); diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index df8f13544..bf4a55e46 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -48,7 +48,6 @@ import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.builder.PersonDataBuilder; import at.gv.egovernment.moa.id.auth.builder.SAMLArtifactBuilder; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.ParseException; @@ -65,6 +64,7 @@ import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.storage.ITransactionStorage; import at.gv.egovernment.moa.id.util.Random; @@ -239,7 +239,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { //set prPersion boolean provideStammzahl = saml1parameter.isProvideStammzahl() - || oaParam.getBusinessService(); + || oaParam.hasBaseIdTransferRestriction(); String prPerson = ""; String ilAssertion = ""; @@ -268,7 +268,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { id.setValue(value ); if ( MiscUtil.isNotEmpty(authData.getIdentificationValue()) && - saml1parameter.isProvideIdentityLink() && !authData.isBusinessService()) { + saml1parameter.isProvideIdentityLink() && !authData.isBaseIDTransferRestrication()) { //add baseID if it is requested and available and SP is publicService value.setValue(authData.getIdentificationValue()); id.setType(authData.getIdentificationType()); @@ -332,7 +332,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { try { ExtendedSAMLAttribute[] extendedSAMLAttributes = addExtendedSamlAttributes( - authData.getMISMandate(), oaParam.getBusinessService(), + authData.getMISMandate(), oaParam.hasBaseIdTransferRestriction(), saml1parameter.isProvideStammzahl()); if (extendedSAMLAttributes != null) { @@ -406,7 +406,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { ilAssertion, authData.getBkuURL(), signerCertificateBase64, - oaParam.getBusinessService(), + oaParam.hasBaseIdTransferRestriction(), oaAttributes, useCondition, conditionLength); @@ -419,7 +419,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { ilAssertion, authData.getBkuURL(), signerCertificateBase64, - oaParam.getBusinessService(), + oaParam.hasBaseIdTransferRestriction(), authData.getExtendedSAMLAttributesOA(), useCondition, conditionLength); @@ -486,27 +486,20 @@ public class SAML1AuthenticationServer extends AuthenticationServer { prPerson = ParepUtils.extractPrPersonOfMandate(mandate); if (physical - && oaParam.getBusinessService() + && oaParam.hasBaseIdTransferRestriction() && identificationType != null && Constants.URN_PREFIX_BASEID .equals(identificationType)) { // now we calculate the wbPK and do so if we got it from the // BKU - - //load IdentityLinkDomainType from OAParam - String type = oaParam.getIdentityLinkDomainIdentifier(); - if (type.startsWith(Constants.URN_PREFIX_WBPK + "+")) - identificationType = type; - else - identificationType = Constants.URN_PREFIX_WBPK + "+" - + type; - - - identificationValue = new BPKBuilder().buildWBPK( - identificationValue, identificationType); - ParepUtils - .HideStammZahlen(prPerson, true, null, null, true); + //load IdentityLinkDomainType from OAParam + Pair<String, String> targedId = new BPKBuilder().generateAreaSpecificPersonIdentifier( + identificationValue, oaParam.getAreaSpecificTargetIdentifier()); + identificationValue = targedId.getFirst(); + identificationType = targedId.getSecond(); + + ParepUtils.HideStammZahlen(prPerson, true, null, true); } } @@ -520,18 +513,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { try { boolean provideStammzahl = oaParam.getSAML1Parameter().isProvideStammzahl(); - String oatargetType; - if(oaParam.getBusinessService()) { - if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) - oatargetType = oaParam.getIdentityLinkDomainIdentifier(); - else - oatargetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_+oaParam.getIdentityLinkDomainIdentifier(); - - } else { - oatargetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget(); - - } - + String oatargetType = oaParam.getAreaSpecificTargetIdentifier(); Element prIdentification = (Element) prPerson. getElementsByTagNameNS(Constants.PD_NS_URI,"Identification").item(0); @@ -544,7 +526,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { String baseid = getBaseId(prPerson); Element identificationBpK; if (MiscUtil.isNotEmpty(baseid)) { - identificationBpK = createIdentificationBPK(prPerson, baseid, oaParam.getTarget()); + identificationBpK = createIdentificationBPK(prPerson, baseid, oatargetType); if (!provideStammzahl) { prIdentification.getFirstChild().setTextContent(""); diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index 37d66d29b..19fadb318 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java @@ -40,6 +40,7 @@ import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters; @@ -118,7 +119,7 @@ public class SAML1Protocol extends AbstractAuthProtocolModulController { //preProcess SAML1 Request preProcess(req, resp, pendingReq); - + performAuthentication(req, resp, pendingReq); return; @@ -190,14 +191,19 @@ public class SAML1Protocol extends AbstractAuthProtocolModulController { if (MiscUtil.isNotEmpty(target)) { pendingRequest.setGenericDataToSession(REQ_DATA_TARGET, target); - pendingRequest.setTarget(target); + pendingRequest.setTarget(MOAIDAuthConstants.PREFIX_CDID + target); + + } else { + String targetArea = oaParam.getAreaSpecificTargetIdentifier(); + pendingRequest.setTarget(targetArea); + + if (targetArea.startsWith(MOAIDAuthConstants.PREFIX_CDID)) + pendingRequest.setGenericDataToSession(REQ_DATA_TARGET, + targetArea.substring(MOAIDAuthConstants.PREFIX_CDID.length())); - } - else { - pendingRequest.setGenericDataToSession(REQ_DATA_TARGET, oaParam.getTarget()); - pendingRequest.setTarget(oaParam.getTarget()); } + //AuthnRequest needs authentication pendingRequest.setNeedAuthentication(true); diff --git a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java index 6372fefa8..a56be1f46 100644 --- a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java +++ b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java @@ -78,7 +78,8 @@ public class IdentityLinkTestModule implements TestModuleInterface { domVerifyXMLSignatureResponse).parseData(); DynamicOAAuthParameters oaParam = new DynamicOAAuthParameters(); - oaParam.setBusinessService(true); + oaParam.setHasBaseIdProcessingRestriction(true); + oaParam.setHasBaseIdTransfergRestriction(true); VerifyXMLSignatureResponseValidator.getInstance().validate( verifyXMLSignatureResponse, |