add garbage collector to remove unsed SAML2 metadata provider (influence PVP and eIDAS metadata)

author: Thomas Lenz <tlenz@iaik.tugraz.at> 2016-01-15 13:48:58 +0100
committer: Thomas Lenz <tlenz@iaik.tugraz.at> 2016-01-15 13:48:58 +0100
commit: 135583cbc0b9041648ab24456d6cf7081705b814 (patch)
tree: 28c98eaf032165c8035dff57dc4dabcb518fc3af /id/server
parent: a91f760c83b1aebc782b28ddbf387f051d4e38e2 (diff)
download: moa-id-spss-135583cbc0b9041648ab24456d6cf7081705b814.tar.gz
moa-id-spss-135583cbc0b9041648ab24456d6cf7081705b814.tar.bz2
moa-id-spss-135583cbc0b9041648ab24456d6cf7081705b814.zip
6 files changed, 177 insertions, 28 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
index 953a478be..b3055eb34 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
@@ -4,7 +4,6 @@
 package at.gv.egovernment.moa.id.auth;
 
 import iaik.pki.PKIException;
-import iaik.pki.jsse.IAIKX509TrustManager;
 import iaik.security.ecc.provider.ECCProvider;
 import iaik.security.provider.IAIK;
 
@@ -17,9 +16,9 @@ import javax.net.ssl.SSLSocketFactory;
 
 import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.config.ConnectionParameter;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigLoader;
 import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.config.auth.MOAGarbageCollector;
 import at.gv.egovernment.moa.id.util.AxisSecureSocketFactory;
 import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
 import at.gv.egovernment.moa.id.util.SSLUtils;
@@ -184,7 +183,7 @@ public class MOAIDAuthInitializer {
         
         // Starts the session cleaner thread to remove unpicked authentication data
         AuthenticationSessionCleaner.start();
-        AuthConfigLoader.start();
+        MOAGarbageCollector.start();
     }
     
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IGarbageCollectorProcessing.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IGarbageCollectorProcessing.java
new file mode 100644
index 000000000..a1008e883
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IGarbageCollectorProcessing.java
@@ -0,0 +1,36 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.config.auth;
+
+/**
+ * @author tlenz
+ *
+ */
+public interface IGarbageCollectorProcessing {
+
+	/**
+	 * This method gets executed by the MOA garbage collector at regular intervals.
+	 * 
+	 */
+	public void runGarbageCollector();
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigLoader.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/MOAGarbageCollector.java
index 1f43a0d8a..1072bec5c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigLoader.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/MOAGarbageCollector.java
@@ -23,36 +23,53 @@
 package at.gv.egovernment.moa.id.config.auth;
 
 
-import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
-import at.gv.egovernment.moa.logging.Logger;
+import java.util.ArrayList;
+import java.util.List;
 
+import at.gv.egovernment.moa.logging.Logger;
 
-public class AuthConfigLoader implements Runnable {
+public class MOAGarbageCollector implements Runnable {
 
-	private static final long INTERVAL = 24 * 60 * 60; // 24 hours
+	private static final long INTERVAL = 24 * 60 * 60; // 24 hours	
+	private static final List<IGarbageCollectorProcessing> processModules = 
+			new ArrayList<IGarbageCollectorProcessing>(); 
 	
 	public void run() {
 		while (true) {
 			try {
-				Thread.sleep(INTERVAL * 1000);						
-				Logger.trace("Check consistence of PVP2X metadata");										
-				MOAMetadataProvider.reInitialize();
+				Thread.sleep(INTERVAL * 1000);
+				
+				try {
+					for (IGarbageCollectorProcessing element : processModules)
+						element.runGarbageCollector();
 					
-						
+				} catch (Throwable e1) {
+					Logger.warn("Garbage collection FAILED in some module.", e1);
+				}
+								
 			} catch (Throwable e) {
-				Logger.warn("MOA-ID Configuration validation is not possible, actually. Reuse old configuration.", e);
+				Logger.warn("MOA-ID garbage collection is not possible, actually.", e);
 				
 			} finally {
-				
-				
+								
 			}
 		}	
 	}
 	
-	public static void start() {
+	/**
+	 * Add a module to MOA internal garbage collector. Every module is executed once a day 
+	 * 
+	 * @param modul Module which should be executed by the garbage collector.
+	 */
+	public static void addModulForGarbageCollection(IGarbageCollectorProcessing modul) {
+		processModules.add(modul);
+		
+	}
+	
+	public static void start() {				
 		// start the session cleanup thread
-		Thread configLoader = new Thread(new AuthConfigLoader(), "ConfigurationChecker");
-		configLoader.setName("ConfigurationChecker");
+		Thread configLoader = new Thread(new MOAGarbageCollector(), "MOAGarbageCollector");
+		configLoader.setName("MOAGarbageCollectorr");
 		configLoader.setDaemon(true);
 		configLoader.setPriority(Thread.MIN_PRIORITY);
 		configLoader.start();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index f4c099878..03fa686f9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -55,6 +55,8 @@ import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
 import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.config.auth.IGarbageCollectorProcessing;
+import at.gv.egovernment.moa.id.config.auth.MOAGarbageCollector;
 import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
@@ -66,7 +68,7 @@ import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.Base64Utils;
 import at.gv.egovernment.moa.util.MiscUtil;
 
-public class MOAMetadataProvider implements ObservableMetadataProvider{
+public class MOAMetadataProvider implements ObservableMetadataProvider, IGarbageCollectorProcessing {
 
 	private static MOAMetadataProvider instance = null;
 	private static Object mutex = new Object();
@@ -77,18 +79,32 @@ public class MOAMetadataProvider implements ObservableMetadataProvider{
 			synchronized (mutex) {
 				if (instance == null) {
 					instance = new MOAMetadataProvider();
+					
+					//add this to MOA garbage collector
+					MOAGarbageCollector.addModulForGarbageCollection(instance);
+										
 				}
 			}
 		}
 		return instance;
 	}
 	
-	public static void reInitialize() {
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.config.auth.IGarbageCollectorProcessing#runGarbageCollector()
+	 */
+	@Override
+	public void runGarbageCollector() {
+		reInitialize();
+		
+	}
+	
+	private static void reInitialize() {
 		synchronized (mutex) {
 			
 			/**add new Metadataprovider or remove Metadataprovider which are not in use any more.**/
 			if (instance != null)
-				try {					
+				try {
+					Logger.trace("Check consistence of PVP2X metadata");	
 					instance.addAndRemoveMetadataProvider();
 					
 				} catch (ConfigurationException e) {
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
index 1d4556459..5166f090d 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
@@ -57,7 +57,8 @@ public class Constants {
 	//timeouts and clock skews
 	public static final long CONFIG_PROPS_SKEWTIME = 2 * 60 * 1000;  			//2 minutes skew time for response validation
 	public static final int CONFIG_PROPS_METADATA_SOCKED_TIMEOUT = 20 * 1000;  	//20 seconds metadata socked timeout
-	
+	public static final long CONFIG_PROPS_METADATA_GARBAGE_TIMEOUT = 7 * 24 * 60 * 60 * 1000;	//remove unused eIDAS metadata after 7 days
+		
 	//eIDAS attribute names
 	public static final String eIDAS_ATTR_PERSONALIDENTIFIER = "PersonIdentifier";
 	public static final String eIDAS_ATTR_DATEOFBIRTH = "DateOfBirth";
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
index f1b14015b..965abcde1 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
@@ -1,9 +1,12 @@
 package at.gv.egovernment.moa.id.auth.modules.eidas.engine;
 
 import java.util.ArrayList;
+import java.util.Date;
 import java.util.HashMap;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Map.Entry;
 import java.util.Timer;
 
 import javax.net.ssl.SSLHandshakeException;
@@ -27,7 +30,8 @@ import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException
 import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
 import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
-import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.config.auth.IGarbageCollectorProcessing;
+import at.gv.egovernment.moa.id.config.auth.MOAGarbageCollector;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
 import at.gv.egovernment.moa.id.saml2.MetadataFilterChain;
@@ -35,12 +39,13 @@ import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
 import eu.eidas.auth.engine.AbstractSAMLEngine;
 
-public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvider {
+public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvider, IGarbageCollectorProcessing {
 
 	private static MOAeIDASChainingMetadataProvider instance = null;
 	private static Object mutex = new Object();
 	
 	private MetadataProvider internalProvider;
+	private Map<String, Date> lastAccess = null;
 	
 	
 	public static MOAeIDASChainingMetadataProvider getInstance() {
@@ -48,6 +53,7 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
 			synchronized (mutex) {
 				if (instance == null) {
 					instance = new MOAeIDASChainingMetadataProvider();
+					MOAGarbageCollector.addModulForGarbageCollection(instance);
 				}
 			}
 		}
@@ -57,9 +63,79 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
 	
 	private MOAeIDASChainingMetadataProvider() {
 		internalProvider = new ChainingMetadataProvider();
+		lastAccess = new HashMap<String, Date>();
 		
 	}
-	    
+	
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.config.auth.IGarbageCollectorProcessing#runGarbageCollector()
+	 */
+	@Override
+	public void runGarbageCollector() {
+		if (!lastAccess.isEmpty()) {
+			Date now = new Date();
+			Date expioredate = new Date(now.getTime() - 
+					Constants.CONFIG_PROPS_METADATA_GARBAGE_TIMEOUT);
+			Logger.debug("Starting eIDAS Metadata garbag collection (Expioredate:" 
+					+ expioredate + ")");
+			
+			List<String> expiredEntities = new ArrayList<String>();
+			
+			Iterator<Entry<String, Date>> lastAccessInterator = lastAccess.entrySet().iterator();
+			while(lastAccessInterator.hasNext()) {
+				Entry<String, Date> element = lastAccessInterator.next();
+				if (element.getValue().before(expioredate)) {
+					Logger.debug("Remove unused eIDAS Metadate: " + element.getKey());
+					expiredEntities.add(element.getKey());
+					
+				}								
+			}
+		
+			if (!expiredEntities.isEmpty()) {			
+				ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;
+			
+				//get all actually loaded metadata providers
+				Map<String, HTTPMetadataProvider> loadedproviders = getAllActuallyLoadedProviders();
+			
+				for (String expired : expiredEntities) {
+					if (loadedproviders.containsKey(expired)) {
+						HTTPMetadataProvider provider = loadedproviders.get(expired);
+					
+						//destroy metadata provider
+						provider.destroy();
+					
+						//remove from map
+						loadedproviders.remove(expired);
+					
+						/*OpenSAML ChainingMetadataProvider can not remove a MetadataProvider (UnsupportedOperationException)
+						 *The ChainingMetadataProvider use internal a unmodifiableList to hold all registrated MetadataProviders.*/
+						//chainProvider.removeMetadataProvider(provider);					
+						Logger.info("Remove not used eIDAS MetadataProvider " + expired 
+								+ " after timeout.");
+										
+					} else
+						Logger.warn("eIDAS metadata for EntityID: " + expired 
+								+ " is marked as unsed, but no loaded metadata provider is found.");
+				
+				}
+			
+				try {
+					synchronized (chainProvider) {
+						chainProvider.setProviders(new ArrayList<MetadataProvider>(loadedproviders.values()));
+					
+						emitChangeEvent();	
+					}
+					
+				} catch (MetadataProviderException e) {
+					Logger.warn("ReInitalize eIDASA MetaDataProvider is not possible! MOA-ID Instance has to be restarted manualy", e);
+				
+				}
+			}
+		}					
+	}
+	
+	
+	
 	private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL) {
 		HTTPMetadataProvider httpProvider = null;
 		Timer timer= null;
@@ -177,7 +253,7 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
 				} else {
 					//load new Metadata Provider				
 					ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;						
-					HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL);					
+					HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL);										
 					chainProvider.addMetadataProvider(newMetadataProvider);
 					
 					emitChangeEvent();
@@ -238,12 +314,12 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
 				Logger.debug("Can not find eIDAS metadata for entityID: " + entityID 
 						+ " Start refreshing process ...");
 				if (refreshMetadataProvider(entityID))
-					return internalProvider.getEntityDescriptor(entityID);
+					entityDesc =  internalProvider.getEntityDescriptor(entityID);
 									
 			} else {
 				if (!entityDesc.isValid())
 					if (refreshMetadataProvider(entityID))
-						return internalProvider.getEntityDescriptor(entityID);
+						entityDesc = internalProvider.getEntityDescriptor(entityID);
 									
 			}
 			
@@ -252,10 +328,13 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
 			Logger.debug("Can not find eIDAS metadata for entityID: " + entityID 
 					+ " Start refreshing process ...");
 			if (refreshMetadataProvider(entityID))
-				return internalProvider.getEntityDescriptor(entityID);
+				entityDesc = internalProvider.getEntityDescriptor(entityID);
 			
 		}
 		
+		if (entityDesc != null)
+			lastAccess.put(entityID, new Date());
+		
 		return entityDesc;
 	}
 
@@ -287,4 +366,5 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
 			if (observer != null)
 				observer.onEvent(this);
 	}
+
 }
author	Thomas Lenz <tlenz@iaik.tugraz.at>	2016-01-15 13:48:58 +0100
committer	Thomas Lenz <tlenz@iaik.tugraz.at>	2016-01-15 13:48:58 +0100
commit	135583cbc0b9041648ab24456d6cf7081705b814 (patch)
tree	28c98eaf032165c8035dff57dc4dabcb518fc3af /id/server
parent	a91f760c83b1aebc782b28ddbf387f051d4e38e2 (diff)
download	moa-id-spss-135583cbc0b9041648ab24456d6cf7081705b814.tar.gz moa-id-spss-135583cbc0b9041648ab24456d6cf7081705b814.tar.bz2 moa-id-spss-135583cbc0b9041648ab24456d6cf7081705b814.zip