Bugfix: Error Handling

3 files changed, 90 insertions, 137 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java
index 473efc10a..db15516e7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java
@@ -1,25 +1,3 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
 package at.gv.egovernment.moa.id.protocols.oauth20.json;
 
 import java.security.NoSuchAlgorithmException;
@@ -69,6 +47,7 @@ public enum OAuthSignatureAlgorithm {
 	 */
 	public Signature getSignatureInstance() throws NoSuchAlgorithmException, NoSuchProviderException {
 		if (!StringUtils.isEmpty(this.providerName)) {
+			//return Signature.getInstance(this.signatureName, this.providerName);
 			return Signature.getInstance(this.signatureName, this.providerName);
 		} else {
 			return Signature.getInstance(this.signatureName);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java
index 7ef5a2068..47b81c5ff 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java
@@ -1,25 +1,3 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
 package at.gv.egovernment.moa.id.protocols.oauth20.protocol;
 
 import java.net.URLEncoder;
@@ -30,10 +8,9 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.lang.StringUtils;
+import org.hibernate.annotations.common.util.StringHelper;
 
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
-import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.id.moduls.IAction;
 import at.gv.egovernment.moa.id.moduls.IModulInfo;
 import at.gv.egovernment.moa.id.moduls.IRequest;
@@ -79,13 +56,6 @@ public class OAuth20Protocol implements IModulInfo {
 	 */
 	public IRequest preProcess(HttpServletRequest request, HttpServletResponse resp, String action) throws MOAIDException {
 		// validation is done inside creation
-		
-		if (!AuthConfigurationProvider.getInstance().getAllowedProtocols().isOAUTHActive()) {
-			Logger.info("OAuth is deaktivated!");
-			throw new ProtocolNotActiveException("auth.22", new Object[] { NAME });
-			
-		}
-	
 		OAuth20BaseRequest res = OAuth20BaseRequest.newInstance(action, request);
 		Logger.debug("Created: " + res);
 		return res;
@@ -98,10 +68,12 @@ public class OAuth20Protocol implements IModulInfo {
 	 * , javax.servlet.http.HttpServletResponse)
 	 */
 	public IAction canHandleRequest(HttpServletRequest request, HttpServletResponse response) {
-		if (request.getParameter("action").equals(AUTH_ACTION)) {
-			return getAction(AUTH_ACTION);
-		} else if (request.getParameter("action").equals(TOKEN_ACTION)) {
-			return getAction(TOKEN_ACTION);
+		if (!StringUtils.isEmpty(request.getParameter("action"))) {
+			if (request.getParameter("action").equals(AUTH_ACTION)) {
+				return getAction(AUTH_ACTION);
+			} else if (request.getParameter("action").equals(TOKEN_ACTION)) {
+				return getAction(TOKEN_ACTION);
+			}
 		}
 		
 		return null;// getAction(AUTH_ACTION);
@@ -116,71 +88,95 @@ public class OAuth20Protocol implements IModulInfo {
 	public boolean generateErrorMessage(Throwable e, HttpServletRequest request, HttpServletResponse response, IRequest protocolRequest)
 			throws Throwable {
 		
-		StringBuilder url = new StringBuilder();
-		
-		String paramRedirect = request.getParameter(OAuth20Constants.PARAM_REDIRECT_URI);
+		// get error code and description
+		String errorCode;
+		String errorDescription;
+		// String errorUri = "http://tools.ietf.org/html/draft-ietf-oauth-v2-11";
 		
 		if (e instanceof OAuth20Exception) {
-			
-			String action = request.getParameter("action");
-			
-			Logger.debug("Going to throw O OAuth20Exception for action: " + action);
-			OAuth20Exception oAuth20Exception = ((OAuth20Exception) e);
-			
-			String errorCode = oAuth20Exception.getErrorCode();
-			String errorDescription = oAuth20Exception.getMessage();
-			// String errorUri = "http://tools.ietf.org/html/draft-ietf-oauth-v2-11";
-			
-			if (action.equals(AUTH_ACTION)) {
+			errorCode = ((OAuth20Exception) e).getErrorCode();
+			errorDescription = URLEncoder.encode(((OAuth20Exception) e).getMessageId() + ": " + e.getMessage(), "UTF-8");
+		} else {
+			errorCode = OAuth20Constants.ERROR_SERVER_ERROR;
+			errorDescription = URLEncoder.encode(e.getMessage(), "UTF-8");
+		}
+		
+		String paramRedirect = null;
+		String state = null;
+		boolean isAuthRequest = false;
+		if (protocolRequest != null) {
+			if (protocolRequest instanceof OAuth20AuthRequest) {
+				isAuthRequest = true;
 				
-				// check if given redirect url is ok
-				if (StringUtils.isNotEmpty(paramRedirect) && OAuth20Util.isUrl(paramRedirect)) {
-					url.append(paramRedirect);
+				paramRedirect = ((OAuth20AuthRequest) protocolRequest).getRedirectUri();
+				state = ((OAuth20AuthRequest) protocolRequest).getState();
+			} else {
+				isAuthRequest = false;
+			}
+		} else {
+			String action = request.getParameter("action");
+			if (!StringHelper.isEmpty(action)) {
+				if (action.equals(AUTH_ACTION)) {
 					
-					// otherwise throw an
-				} else {
-					throw new MOAIDException("oauth20.01", new Object[] {});
+					paramRedirect = request.getParameter(OAuth20Constants.PARAM_REDIRECT_URI);
+					state = request.getParameter(OAuth20Constants.PARAM_STATE);
+					isAuthRequest = true;
 				}
+			} else {
+				throw new MOAIDException("oauth20.01", new Object[] {});
+			}
+		}
+		
+		// if (action.equals(AUTH_ACTION)) {
+		if (isAuthRequest) {
+			Logger.debug("Going to throw O OAuth20Exception for auth request");
+			
+			StringBuilder url = new StringBuilder();
+			
+			// check if given redirect url is ok
+			if (StringUtils.isNotEmpty(paramRedirect) && OAuth20Util.isUrl(paramRedirect)) {
+				url.append(paramRedirect);
 				
-				String state = request.getParameter(OAuth20Constants.PARAM_STATE);
-				
-				OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR, errorCode);
-				OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_DESCRIPTION,
-						URLEncoder.encode(oAuth20Exception.getMessageId() + ": " + errorDescription, "UTF-8"));
-				// OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_URI, errorUri);
-				OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_STATE, state);
-				
-				response.setContentType("text/html");
-				response.setStatus(HttpServletResponse.SC_FOUND);
-				response.addHeader("Location", url.toString());
-				Logger.debug("REDIRECT TO: " + url.toString());
-				return true;
-				
-			} else if (action.equals(TOKEN_ACTION)) {
-				Map<String, Object> params = new HashMap<String, Object>();
-				params.put(OAuth20Constants.PARAM_ERROR, errorCode);
-				params.put(OAuth20Constants.PARAM_ERROR_DESCRIPTION,
-						URLEncoder.encode(oAuth20Exception.getMessageId() + ": " + errorDescription, "UTF-8"));
-				// params.put(OAuth20Constants.PARAM_ERROR_URI, errorUri);
-				
-				// create response
-				JsonObject jsonObject = new JsonObject();
-				OAuth20Util.addProperytiesToJsonObject(jsonObject, params);
-				String jsonResponse = jsonObject.toString();
-				Logger.debug("JSON Response: " + jsonResponse);
-				
-				// write respone to http response
-				response.setContentType("application/json");
-				response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
-				response.getOutputStream().print(jsonResponse);
-				response.getOutputStream().close();
-				
-				return true;
+				// otherwise throw an
+			} else {
+				throw new MOAIDException("oauth20.01", new Object[] {});
 			}
 			
+			OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR, errorCode);
+			OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_DESCRIPTION, errorDescription);
+			// OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_URI, errorUri);
+			OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_STATE, state);
+			
+			response.setContentType("text/html");
+			response.setStatus(HttpServletResponse.SC_FOUND);
+			response.addHeader("Location", url.toString());
+			Logger.debug("REDIRECT TO: " + url.toString());
+			return true;
+			
+		} else {
+			Logger.debug("Going to throw O OAuth20Exception for token request");
+			
+			Map<String, Object> params = new HashMap<String, Object>();
+			params.put(OAuth20Constants.PARAM_ERROR, errorCode);
+			params.put(OAuth20Constants.PARAM_ERROR_DESCRIPTION, errorDescription);
+			// params.put(OAuth20Constants.PARAM_ERROR_URI, errorUri);
+			
+			// create response
+			JsonObject jsonObject = new JsonObject();
+			OAuth20Util.addProperytiesToJsonObject(jsonObject, params);
+			String jsonResponse = jsonObject.toString();
+			Logger.debug("JSON Response: " + jsonResponse);
+			
+			// write respone to http response
+			response.setContentType("application/json");
+			response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+			response.getOutputStream().print(jsonResponse);
+			response.getOutputStream().close();
+			
+			return true;
 		}
 		
-		return false;
+		// return false;
 		
 	}
 	
diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20ErrorsTests.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20ErrorsTests.java
index 113a033a6..abfca4f36 100644
--- a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20ErrorsTests.java
+++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20ErrorsTests.java
@@ -1,25 +1,3 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
 package test.at.gv.egovernment.moa.id.auth.oauth;
 
 import java.io.IOException;
@@ -50,11 +28,11 @@ public class OAuth20ErrorsTests {
 	private static VerificationCodeReceiver receiver;
 	
 	// base uri
-	private static String OAUTH2_BASE_URI = "http://localhost:8080/moa-id-auth/dispatcher";
+	private static String OAUTH2_BASE_URI = "https://localhost/moa-id-auth/";
 	// auth action
-	private static String OAUTH2_AUTH_URI = OAUTH2_BASE_URI + "?mod=id_oauth20&action=AUTH";
+	private static String OAUTH2_AUTH_URI = OAUTH2_BASE_URI + "oauth2/auth";
 	// token action
-	private static String OAUTH2_TOKEN_URI = OAUTH2_BASE_URI + "?mod=id_oauth20&action=TOKEN";
+	private static String OAUTH2_TOKEN_URI = OAUTH2_BASE_URI + "oauth2/token";
 	
 	// client id
 	private static String CLIENT_ID = "http://test";