diff options
author | Alexander Marsalek <amarsalek@iaik.tugraz.at> | 2015-03-17 08:31:52 +0100 |
---|---|---|
committer | Alexander Marsalek <amarsalek@iaik.tugraz.at> | 2015-03-17 08:31:52 +0100 |
commit | 0fed62d7df1d29190b7a88233ab77abcbb3349d6 (patch) | |
tree | a46d8a1d8c0c4a270398ed1c1c9a1e23c26624dc /id | |
parent | 6b6c98ae7af48c15e86b189e0db9e39bc1d14edb (diff) | |
parent | c0613b08431899c6d97affc570a237b81dfcda80 (diff) | |
download | moa-id-spss-0fed62d7df1d29190b7a88233ab77abcbb3349d6.tar.gz moa-id-spss-0fed62d7df1d29190b7a88233ab77abcbb3349d6.tar.bz2 moa-id-spss-0fed62d7df1d29190b7a88233ab77abcbb3349d6.zip |
Merge branch 'merge' into 2.2.x-STORK-Snapshot
Diffstat (limited to 'id')
6 files changed, 109 insertions, 30 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index c638c6324..eab7c511e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -11,9 +11,11 @@ import java.io.InputStream; import java.io.StringWriter; import java.io.UnsupportedEncodingException; import java.math.BigInteger; +import java.net.URL; import java.security.NoSuchAlgorithmException; import java.security.Principal; import java.security.cert.CertificateException; +import java.text.SimpleDateFormat; import java.util.ArrayList; //import java.security.cert.CertificateFactory; import java.util.Calendar; @@ -1846,6 +1848,17 @@ public class AuthenticationServer implements MOAIDAuthConstants { //send moasession.setStorkAuthnRequest(authnRequest); + // do PEPS-conform logging for easier evaluation + try { + // 2015-03-12 16:44:27.144#S-PEPS receives request from SP#spurl#spepsurl#spapp#spdomain#citizen country#qaa#msghash#msg_id id1# + Logger.info(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS").format(new Date()) + "#S-PEPS receives request from SP#" + + moasession.getPublicOAURLPrefix() + "#" + issuerValue + "#" + spApplication + "#" + + new URL(moasession.getPublicOAURLPrefix()).getHost() + "#" + moasession.getCcc() + "#" + oaParam.getQaaLevel() + + "#_hash_#" + moasession.getProcessInstanceId() + "#"); + } catch (Exception e1) { + Logger.info("STORK PEPS conform logging failed because of: " + e1.getMessage()); + } + AuthenticationSessionStoreage.changeSessionID(moasession, authnRequest.getSamlId()); @@ -1878,6 +1891,17 @@ public class AuthenticationServer implements MOAIDAuthConstants { } Logger.info("STORK AuthnRequest successfully successfully prepared for client with target location: " + authnRequest.getDestination()); + + // do PEPS-conform logging for easier evaluation + try { + // 2015-03-12 16:44:27.144#S-PEPS generates request to C-PEPS#spepsurl#cpepsurl#spapp#spdomain#citizen country#qaa#msghash#msg_id id1#id2# + Logger.info(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS").format(new Date()) + "#S-PEPS generates request to C-PEPS#" + + issuerValue + "#" + destination + "#" + spApplication + "#" + + new URL(moasession.getPublicOAURLPrefix()).getHost() + "#" + moasession.getCcc() + "#" + oaParam.getQaaLevel() + + "#_hash_#" + moasession.getProcessInstanceId() + "#" + authnRequest.getSamlId() + "#"); + } catch (Exception e1) { + Logger.info("STORK PEPS conform logging failed because of: " + e1.getMessage()); + } } private static String generateDssSignRequest(String text, String mimeType, String citizenCountry) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 82e079459..cd751ce7f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -906,7 +906,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } } catch (Exception e) { - Logger.error("Failed to extract country code from certificate", e); + Logger.error("Failed to extract country code from certificate with message: " + e.getMessage()); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index 7357818c8..24daa76a3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -28,8 +28,10 @@ import java.io.IOException; import java.io.InputStream;
import java.io.StringWriter;
import java.net.URL;
+import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
+import java.util.Date;
import java.util.List;
import java.util.Properties;
@@ -201,6 +203,15 @@ public class PEPSConnectorServlet extends AuthServlet { Logger.debug("STORK response: ");
Logger.debug(authnResponse.toString());
+ // do PEPS-conform logging for easier evaluation
+ try {
+ // 2015-03-12 16:44:27.144#S-PEPS receives response from C-PEPS#orig_msg_id id2 (in response to)#orig_msg_id id1 (in response to)#status#msghash#msg_id id3#
+ Logger.info(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS").format(new Date()) + "#S-PEPS receives response from C-PEPS#" +
+ authnResponse.getInResponseTo() + "#NA#" + authnResponse.getMessage() + "#_hash_#" + authnResponse.getSamlId() + "#");
+ } catch (Exception e1) {
+ Logger.info("STORK PEPS conform logging failed because of: " + e1.getMessage());
+ }
+ Logger.debug("Trying to find MOA Session-ID ...");
//String moaSessionID = request.getParameter(PARAM_SESSIONID);
//first use SAML2 relayState
@@ -554,6 +565,15 @@ public class PEPSConnectorServlet extends AuthServlet { // stork did the authentication step
moaSession.setAuthenticated(true);
+ // do PEPS-conform logging for easier evaluation
+ try {
+ // 2015-03-12 16:44:27.144#S-PEPS generates response to SP#orig_msg_id id1 (in response to)#status#msghash#msg_id id4#
+ Logger.info(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS").format(new Date()) + "#S-PEPS generates response to SP#" +
+ "#NA#" + authnResponse.getMessage() + "#_hash_#" + moaSession.getProcessInstanceId() + "#");
+ } catch (Exception e1) {
+ Logger.info("STORK PEPS conform logging failed because of: " + e1.getMessage());
+ }
+
// //TODO: found better solution, but QAA Level in response could be not supported yet
// try {
//
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index c746c0888..d33a9ea92 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -1042,6 +1042,16 @@ public class AuthConfigurationProvider extends ConfigurationProvider { return null; } + /** + * Gets the countries for which it is configured to require no signature + * + * @return the stork no signature countries + */ + public List<String> getStorkNoSignatureCountries() { + String prop = props.getProperty("stork.fakeIdL.noSignatureCountries", ""); + return Arrays.asList(prop.replaceAll(" ", "").split(",")); + } + public boolean isMonitoringActive() { String prop = props.getProperty("configuration.monitoring.active", "false"); return Boolean.valueOf(prop); diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/ValidationHelper.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/ValidationHelper.java index be6d7d01e..13d680b78 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/ValidationHelper.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/ValidationHelper.java @@ -44,14 +44,13 @@ import javax.net.ssl.SSLSession; import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; -import org.apache.log4j.Logger; +import at.gv.egovernment.moa.logging.Logger; public class ValidationHelper { public static final String PUBLICSERVICE_URL_POSTFIX = ".gv.at"; - private static final Logger log = Logger.getLogger(ValidationHelper.class); private static final String TEMPLATE_DATEFORMAT = "dd.MM.yyyy"; @@ -68,7 +67,7 @@ public class ValidationHelper { host = host.substring(0, host.length()-1); if (url.getHost().endsWith(PUBLICSERVICE_URL_POSTFIX)) { - log.debug("PublicURLPrefix with .gv.at Domain found."); + Logger.debug("PublicURLPrefix with .gv.at Domain found."); return true; } else { @@ -95,7 +94,7 @@ public class ValidationHelper { return false; } else { - log.info("Found correct X509 Extension in server certificate. PublicService is allowed"); + Logger.info("Found correct X509 Extension in server certificate. PublicService is allowed"); return true; } } @@ -104,27 +103,27 @@ public class ValidationHelper { } } catch (MalformedURLException e) { - log.warn("PublicURLPrefix can not parsed to URL", e); + Logger.warn("PublicURLPrefix can not parsed to URL", e); return false; } catch (UnknownHostException e) { - log.warn("Can not connect to PublicURLPrefix Server", e); + Logger.warn("Can not connect to PublicURLPrefix Server", e); return false; } catch (IOException e) { - log.warn("Can not connect to PublicURLPrefix Server", e); + Logger.warn("Can not connect to PublicURLPrefix Server", e); return false; } catch (CertificateEncodingException e) { - log.warn("Can not parse X509 server certificate", e); + Logger.warn("Can not parse X509 server certificate", e); return false; } catch (CertificateException e) { - log.warn("Can not read X509 server certificate", e); + Logger.warn("Can not read X509 server certificate", e); return false; } catch (X509ExtensionInitException e) { - log.warn("Can not read X509 server certificate extension", e); + Logger.warn("Can not read X509 server certificate extension", e); return false; } @@ -133,7 +132,7 @@ public class ValidationHelper { try { socket.close(); } catch (IOException e) { - log.warn("SSL Socket can not be closed.", e); + Logger.warn("SSL Socket can not be closed.", e); } } } @@ -148,7 +147,7 @@ public class ValidationHelper { return true; } catch (Throwable t) { - log.warn("No valid DataBase OAID received! " + oaIDObj); + Logger.warn("No valid DataBase OAID received! " + oaIDObj); } } return false; @@ -156,7 +155,7 @@ public class ValidationHelper { public static boolean validateNumber(String value) { - log.debug("Validate Number " + value); + Logger.debug("Validate Number " + value); try { Float.valueOf(value); @@ -171,7 +170,7 @@ public class ValidationHelper { } public static boolean validatePhoneNumber(String value) { - log.debug ("Validate PhoneNumber " + value); + Logger.debug ("Validate PhoneNumber " + value); /* ************************************************************************************************ * Legende: @@ -187,11 +186,11 @@ public class ValidationHelper { Matcher matcher = pattern.matcher(value); boolean b = matcher.matches(); if (b) { - log.debug("Parameter PhoneNumber erfolgreich ueberprueft"); + Logger.debug("Parameter PhoneNumber erfolgreich ueberprueft"); return true; } else { - log.error("Fehler Ueberpruefung Parameter PhoneNumber. PhoneNumber entspricht nicht den Kriterien ^ [a-zA-Z .,;:/\\-]* [ ]* [(]{0,1}[ ]*[+]{0,1}[ ]*[0-9]{0,2}[ ]*[)]{0,1} [ ]* [0-9]*[ ]*[/\\-]{0,1} [ ]*[ ]* [0-9]* [ ]* [a-zA-Z .,;:\\/-]* $"); + Logger.error("Fehler Ueberpruefung Parameter PhoneNumber. PhoneNumber entspricht nicht den Kriterien ^ [a-zA-Z .,;:/\\-]* [ ]* [(]{0,1}[ ]*[+]{0,1}[ ]*[0-9]{0,2}[ ]*[)]{0,1} [ ]* [0-9]*[ ]*[/\\-]{0,1} [ ]*[ ]* [0-9]* [ ]* [a-zA-Z .,;:\\/-]* $"); return false; } @@ -200,7 +199,7 @@ public class ValidationHelper { public static boolean validateURL(String urlString) { - log.debug("Validate URL " + urlString); + Logger.debug("Validate URL " + urlString); if (urlString.startsWith("http") || urlString.startsWith("https")) { try { @@ -216,7 +215,7 @@ public class ValidationHelper { // public static boolean validateGeneralURL(String urlString) { // -// log.debug("Validate URL " + urlString); +// Logger.debug("Validate URL " + urlString); // // try { // new URL(urlString); @@ -231,17 +230,17 @@ public class ValidationHelper { public static boolean isValidAdminTarget(String target) { - log.debug("Ueberpruefe Parameter Target"); + Logger.debug("Ueberpruefe Parameter Target"); Pattern pattern = Pattern.compile("[a-zA-Z-]{1,5}"); Matcher matcher = pattern.matcher(target); boolean b = matcher.matches(); if (b) { - log.debug("Parameter SSO-Target erfolgreich ueberprueft. SSO Target is PublicService."); + Logger.debug("Parameter SSO-Target erfolgreich ueberprueft. SSO Target is PublicService."); return true; } else { - log.info("Parameter SSO-Target entspricht nicht den Kriterien " + + Logger.info("Parameter SSO-Target entspricht nicht den Kriterien " + "(nur Zeichen a-z, A-Z und -, sowie 1-5 Zeichen lang) fuer den oeffentlichen Bereich. " + "Valiere SSO-Target fuer privatwirtschaftliche Bereiche."); return false; @@ -250,14 +249,14 @@ public class ValidationHelper { public static boolean isValidTarget(String target) { - log.debug("Ueberpruefe Parameter Target"); + Logger.debug("Ueberpruefe Parameter Target"); if (TargetValidator.isValidTarget(target)) { - log.debug("Parameter Target erfolgreich ueberprueft"); + Logger.debug("Parameter Target erfolgreich ueberprueft"); return true; } else { - log.error("Fehler Ueberpruefung Parameter Target. Target entspricht nicht den Kriterien (nur Zeichen a-z, A-Z und -, sowie 1-5 Zeichen lang)"); + Logger.error("Fehler Ueberpruefung Parameter Target. Target entspricht nicht den Kriterien (nur Zeichen a-z, A-Z und -, sowie 1-5 Zeichen lang)"); return false; } @@ -265,17 +264,17 @@ public class ValidationHelper { public static boolean isValidSourceID(String sourceID) { - log.debug("Ueberpruefe Parameter sourceID"); + Logger.debug("Ueberpruefe Parameter sourceID"); Pattern pattern = Pattern.compile("[\\w-_]{1,20}"); Matcher matcher = pattern.matcher(sourceID); boolean b = matcher.matches(); if (b) { - log.debug("Parameter sourceID erfolgreich ueberprueft"); + Logger.debug("Parameter sourceID erfolgreich ueberprueft"); return true; } else { - log.error("Fehler Ueberpruefung Parameter sourceID. SourceID entspricht nicht den Kriterien (nur Zeichen a-z, A-Z, - und _, sowie 1-20 Zeichen lang)"); + Logger.error("Fehler Ueberpruefung Parameter sourceID. SourceID entspricht nicht den Kriterien (nur Zeichen a-z, A-Z, - und _, sowie 1-20 Zeichen lang)"); return false; } } diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java index 59f54f957..6e0bd19ff 100644 --- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java +++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java @@ -6,8 +6,10 @@ import java.io.IOException; import java.io.InputStream;
import java.io.StringWriter;
import java.net.URL;
+import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
+import java.util.Date;
import java.util.List;
import java.util.Properties;
@@ -28,6 +30,7 @@ import org.apache.velocity.Template; import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.opensaml.saml2.core.StatusCode;
+import org.springframework.format.datetime.DateFormatter;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -170,6 +173,15 @@ public class PepsConnectorTask extends AbstractAuthServletTask { Logger.debug("STORK response: ");
Logger.debug(authnResponse.toString());
+ // do PEPS-conform logging for easier evaluation
+ try {
+ // 2015-03-12 16:44:27.144#S-PEPS receives response from C-PEPS#orig_msg_id id2 (in response to)#orig_msg_id id1 (in response to)#status#msghash#msg_id id3#
+ Logger.info(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS").format(new Date()) + "#S-PEPS receives response from C-PEPS#" +
+ authnResponse.getInResponseTo() + "#NA#" + authnResponse.getMessage() + "#_hash_#" + authnResponse.getSamlId() + "#");
+ } catch (Exception e1) {
+ Logger.info("STORK PEPS conform logging failed because of: " + e1.getMessage());
+ }
+
Logger.debug("Trying to find MOA Session-ID ...");
// String moaSessionID = request.getParameter(PARAM_SESSIONID);
// first use SAML2 relayState
@@ -315,9 +327,13 @@ public class PepsConnectorTask extends AbstractAuthServletTask { // ////////////////////////////////////////////////////////////////////////
+ AuthConfigurationProvider config = AuthConfigurationProvider.getInstance();
+ String citizenSignature = null;
+ if(config.isStorkFakeIdLActive() && config.getStorkNoSignatureCountries().contains(storkAuthnRequest.getCitizenCountryCode()) && config.getStorkFakeIdLCountries().contains(storkAuthnRequest.getCitizenCountryCode())) {
+ Logger.debug("signedDoc extraction skipped due to configuration");
+ } else {
Logger.debug("Starting extraction of signedDoc attribute");
// extract signed doc element and citizen signature
- String citizenSignature = null;
try {
if (authnResponse.getPersonalAttributeList().get("signedDoc") == null
@@ -398,6 +414,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask { Logger.error("Could not extract citizen signature from C-PEPS", e);
throw new MOAIDException("stork.09", null);
}
+ }
Logger.debug("Foregin Citizen signature successfully extracted from STORK Assertion (signedDoc)");
Logger.debug("Citizen signature will be verified by SZR Gateway!");
@@ -430,7 +447,6 @@ public class PepsConnectorTask extends AbstractAuthServletTask { IdentityLink identityLink = null;
executionContext.put("identityLinkAvailable", false);
try {
- AuthConfigurationProvider config = AuthConfigurationProvider.getInstance();
if(config.isStorkFakeIdLActive() && config.getStorkFakeIdLCountries().contains(storkAuthnRequest.getCitizenCountryCode())) {
// create fake IdL
// - fetch IdL template from resources
@@ -467,6 +483,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask { if(!STORKResponseProcessor.hasAttribute("dateOfBirth", attributeList))
throw new STORKException("dateOfBirth is missing");
String dateOfBirth = STORKResponseProcessor.getAttributeValue("dateOfBirth", attributeList, false);
+ dateOfBirth = new SimpleDateFormat("yyyy-MM-dd").format(new SimpleDateFormat("yyyyMMdd").parse(dateOfBirth));
prDateOfBirth.getFirstChild().setNodeValue(dateOfBirth);
identityLink = new IdentityLinkAssertionParser(idlassertion).parseIdentityLink();
@@ -549,6 +566,15 @@ public class PepsConnectorTask extends AbstractAuthServletTask { // stork did the authentication step
moaSession.setAuthenticated(true);
+ // do PEPS-conform logging for easier evaluation
+ try {
+ // 2015-03-12 16:44:27.144#S-PEPS generates response to SP#orig_msg_id id1 (in response to)#status#msghash#msg_id id4#
+ Logger.info(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS").format(new Date()) + "#S-PEPS generates response to SP#" +
+ "#" + moaSession.getProcessInstanceId() + "#" + authnResponse.getMessage() + "#_hash_#" + moaSession.getProcessInstanceId() + "#");
+ } catch (Exception e1) {
+ Logger.info("STORK PEPS conform logging failed because of: " + e1.getMessage());
+ }
+
// TODO: found better solution, but QAA Level in STORK response is not be supported yet
// try {
//
|