update error handling in PVP metadata verification filter implemetations

9 files changed, 155 insertions, 23 deletions

diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java
index 7bf2cf93f..104ea51f5 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java
@@ -32,6 +32,7 @@ import org.opensaml.xml.XMLObject;
 import org.opensaml.xml.security.x509.BasicX509Credential;
 
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.EntityVerifier;
 
 public class MetaDataVerificationFilter implements MetadataFilter {
@@ -43,17 +44,18 @@ public class MetaDataVerificationFilter implements MetadataFilter {
 	}
 	
 	
-	public void doFilter(XMLObject metadata) throws FilterException {
+	public void doFilter(XMLObject metadata) throws SignatureValidationException {
+		
 		if (metadata instanceof EntitiesDescriptor) {
 			EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata;
 			if(entitiesDescriptor.getSignature() == null) {
-				throw new FilterException("Root element of metadata file has to be signed", null);
+				throw new SignatureValidationException("Root element of metadata file has to be signed");
 			}
 			try {
 				processEntitiesDescriptor(entitiesDescriptor);
 				
 			} catch (MOAIDException e) {
-				throw new FilterException("Invalid Metadata file Root element is no EntitiesDescriptor", null);
+				throw new SignatureValidationException("Invalid signature element in EntitiesDescriptor");
 			}
 			
 		} if (metadata instanceof EntityDescriptor) {									
@@ -63,10 +65,10 @@ public class MetaDataVerificationFilter implements MetadataFilter {
 					EntityVerifier.verify(entity, this.credential);
 				
 				else
-					throw new FilterException("Root element of metadata file has to be signed", null);
+					throw new SignatureValidationException("Root element of metadata file has to be signed", null);
 				
 			} catch (MOAIDException e) {
-				throw new FilterException("Invalid Metadata file Root element is no EntitiesDescriptor", null);
+				throw new SignatureValidationException("Invalid signature element in EntityDescriptor", null);
 			}				
 		}
 	}
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
index ba77b601b..37a170267 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
@@ -60,6 +60,8 @@ import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider;
 import at.gv.egovernment.moa.id.configuration.data.oa.OAPVP2Config;
 import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException;
 import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter;
 import at.gv.egovernment.moa.util.MiscUtil;
 
@@ -181,15 +183,28 @@ public class OAPVP2ConfigValidation {
 			
 		} catch (MetadataProviderException e) {
 			
-			
-			//TODO: check exception handling
-			if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) {
-				log.info("SSL Server certificate not trusted.", e);
-				errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.ssl", request));
+			try {
+				if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) {
+					log.info("SSL Server certificate not trusted.", e);
+					errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.ssl", request));
+
+				} else if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) {				
+					log.info("MetaDate verification failed", e);
+					errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.sig", request));
+				
+				} else if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) {
+					log.info("MetaDate verification failed", e);
+					errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.schema", request));
+								
+				} else {			
+					log.info("MetaDate verification failed", e);
+					errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.general", request));
+				}
+				
+			} catch (Exception e1) {
+				log.info("MetaDate verification failed", e1);
+				errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.general", request));
 				
-			} else {			
-				log.info("MetaDate verification failed", e);
-				errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify", request));
 			}
 			
 		} finally {			
diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
index 072f44981..c888a2d77 100644
--- a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
+++ b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
@@ -487,7 +487,9 @@ validation.stork.ap.attributes.valid=Ung\u00FCltige Attributconfiguration f\u00F
 validation.pvp2.metadataurl.empty=Keine Metadaten URL angegeben.
 validation.pvp2.metadataurl.valid=Die Metadaten URL wei\u00DFt kein g\u00FCltiges URL Format auf.
 validation.pvp2.metadataurl.read=Unter der angegebenen Metadaten URL konnten keine Informationen abgerufen werden.
-validation.pvp2.metadata.verify=Die Metadaten konnten nicht mit dem angegebenen Zertifikat verifziert werden.
+validation.pvp2.metadata.verify.sig=Die Metadaten konnten nicht mit dem angegebenen Zertifikat verifziert werden.
+validation.pvp2.metadata.verify.schema=Die Schema-Validierung der Metadaten ist fehlgeschlagen.
+validation.pvp2.metadata.verify.general=Bei der Validierung der Metadaten ist ein allgemeiner Fehler aufgetreten.
 validation.pvp2.certificate.format=Das angegebene PVP2 Zertifikat wei\u00DFt kein g\u00FCltiges Format auf. 
 validation.pvp2.certificate.notfound=Kein PVP2 Zertifikat eingef\u00FCgt.
 validation.pvp2.metadata.ssl=Das SSL Serverzertifikat des Metadaten Service ist nicht vertrauensw\u00FCrdig.
diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
index b717377e0..43dcfeac8 100644
--- a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
+++ b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
@@ -485,7 +485,9 @@ validation.stork.ap.attributes.valid=Invalid attribute configuration for Attribu
 validation.pvp2.metadataurl.empty=There is no metadata URL provided.
 validation.pvp2.metadataurl.valid=The metadata URL has invalid URL format .
 validation.pvp2.metadataurl.read=No information could be found under provided URL.
-validation.pvp2.metadata.verify=The metadata could not be verified with the provided certificate.
+validation.pvp2.metadata.verify.sig=The metadata could not be verified with the provided certificate.
+validation.pvp2.metadata.verify.schema=Metadata schema validation FAILED.
+validation.pvp2.metadata.verify.general=Metadata validation has an generic error.
 validation.pvp2.certificate.format=The provided PVP2 certificate has invalid format.
 validation.pvp2.certificate.notfound=There is no PVP2 inserted.
 validation.pvp2.metadata.ssl=The SSL server certificate is not trusted.
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SchemaValidationException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SchemaValidationException.java
new file mode 100644
index 000000000..8da5edeed
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SchemaValidationException.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter;
+
+import org.opensaml.saml2.metadata.provider.FilterException;
+
+/**
+ * @author tlenz
+ *
+ */
+public class SchemaValidationException extends FilterException {
+
+	/**
+	 * @param string
+	 */
+	public SchemaValidationException(String string) {
+		super(string);
+		
+	}
+
+	private static final long serialVersionUID = 1L;
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SignatureValidationException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SignatureValidationException.java
new file mode 100644
index 000000000..86a6a777b
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/filter/SignatureValidationException.java
@@ -0,0 +1,58 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter;
+
+import org.opensaml.saml2.metadata.provider.FilterException;
+
+/**
+ * @author tlenz
+ *
+ */
+public class SignatureValidationException extends FilterException {
+
+	/**
+	 * @param string
+	 */
+	public SignatureValidationException(String string) {
+		super(string);
+		
+	}
+
+	/**
+	 * @param e
+	 */
+	public SignatureValidationException(Exception e) {
+		super(e);
+	}
+
+	/**
+	 * @param string
+	 * @param object
+	 */
+	public SignatureValidationException(String string, Exception e) {
+		super(string, e);
+	}
+
+	private static final long serialVersionUID = 1L;
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index 12afa14bc..d493ef9e0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -55,6 +55,8 @@ import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException
 import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataFilterChain;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter;
@@ -380,10 +382,18 @@ public class MOAMetadataProvider implements MetadataProvider {
 			
 			return httpProvider;
 						
-		} catch (Throwable e) {
+		} catch (Throwable e) {			
 			if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) {
 				Logger.warn("SSL-Server certificate for metadata " 
-						+ metadataURL + " not trusted.", e);				
+						+ metadataURL + " not trusted.", e);
+				
+			} if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) {				
+				Logger.warn("Signature verification for metadata" 
+						+ metadataURL + " FAILED.", e);
+			
+			} if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) {
+				Logger.warn("Schema validation for metadata " 
+						+ metadataURL + " FAILED.", e);								
 			}
 			
 			Logger.error(
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java
index 0405fa114..6dac4bba1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java
@@ -39,6 +39,7 @@ import org.opensaml.xml.security.x509.BasicX509Credential;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.EntityVerifier;
 import at.gv.egovernment.moa.logging.Logger;
 
@@ -126,7 +127,7 @@ public class MetadataSignatureFilter implements MetadataFilter {
 		desc.getEntityDescriptors().addAll(verifiedEntIT);
 	}
 	
-	public void doFilter(XMLObject metadata) throws FilterException {
+	public void doFilter(XMLObject metadata) throws SignatureValidationException {
 		try {
 			if (metadata instanceof EntitiesDescriptor) {
 				EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata;
@@ -155,7 +156,7 @@ public class MetadataSignatureFilter implements MetadataFilter {
 			Logger.info("Metadata signature policy check done OK");
 		} catch (MOAIDException e) {
 			Logger.warn("Metadata signature policy check FAILED.", e);
-			throw new FilterException(e);
+			throw new SignatureValidationException(e);
 		}
 	}
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java
index 382adb108..f73b541bf 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java
@@ -22,8 +22,6 @@
  */
 package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;
 
-import java.io.IOException;
-
 import org.opensaml.saml2.metadata.provider.FilterException;
 import org.opensaml.saml2.metadata.provider.MetadataFilter;
 import org.opensaml.xml.XMLObject;
@@ -38,6 +36,7 @@ import org.xml.sax.SAXException;
 
 import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
 import at.gv.egovernment.moa.logging.Logger;
 
 /**
@@ -69,7 +68,7 @@ public class SchemaValidationFilter implements MetadataFilter {
 	 * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject)
 	 */
 	@Override
-	public void doFilter(XMLObject arg0) throws FilterException {
+	public void doFilter(XMLObject arg0) throws SchemaValidationException {
 		
 		String errString = null;
 		
@@ -100,7 +99,7 @@ public class SchemaValidationFilter implements MetadataFilter {
 				
 			}
 			
-			throw new FilterException("Metadata Schema validation FAILED with message: "+ errString);
+			throw new SchemaValidationException("Metadata Schema validation FAILED with message: "+ errString);
 			
 		} else		
 			Logger.info("Metadata Schema validation check is DEACTIVATED!");