author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2016-01-15 13:48:58 +0100 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2016-01-15 13:48:58 +0100 |
commit | 135583cbc0b9041648ab24456d6cf7081705b814 (patch) | |
tree | 28c98eaf032165c8035dff57dc4dabcb518fc3af /id | |
parent | a91f760c83b1aebc782b28ddbf387f051d4e38e2 (diff) | |
download | moa-id-spss-135583cbc0b9041648ab24456d6cf7081705b814.tar.gz moa-id-spss-135583cbc0b9041648ab24456d6cf7081705b814.tar.bz2 moa-id-spss-135583cbc0b9041648ab24456d6cf7081705b814.zip |
add garbage collector to remove unused SAML2 metadata providers (affects PVP and eIDAS metadata)
Diffstat (limited to 'id')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java | 5 | ||||
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IGarbageCollectorProcessing.java | 36 | ||||
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/MOAGarbageCollector.java (renamed from id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigLoader.java) | 45 | ||||
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java | 22 | ||||
-rw-r--r-- | id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java | 3 | ||||
-rw-r--r-- | id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java | 94 |
6 files changed, 177 insertions, 28 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java index 953a478be..b3055eb34 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java @@ -4,7 +4,6 @@ package at.gv.egovernment.moa.id.auth; import iaik.pki.PKIException; -import iaik.pki.jsse.IAIKX509TrustManager; import iaik.security.ecc.provider.ECCProvider; import iaik.security.provider.IAIK; @@ -17,9 +16,9 @@ import javax.net.ssl.SSLSocketFactory; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.ConnectionParameter; -import at.gv.egovernment.moa.id.config.auth.AuthConfigLoader; import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.config.auth.MOAGarbageCollector; import at.gv.egovernment.moa.id.util.AxisSecureSocketFactory; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; import at.gv.egovernment.moa.id.util.SSLUtils; @@ -184,7 +183,7 @@ public class MOAIDAuthInitializer { // Starts the session cleaner thread to remove unpicked authentication data AuthenticationSessionCleaner.start(); - AuthConfigLoader.start(); + MOAGarbageCollector.start(); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IGarbageCollectorProcessing.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IGarbageCollectorProcessing.java new file mode 100644 index 000000000..a1008e883 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IGarbageCollectorProcessing.java 
@@ -0,0 +1,36 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.config.auth; + +/** + * @author tlenz + * + */ +public interface IGarbageCollectorProcessing { + + /** + * This method gets executed by the MOA garbage collector at regular intervals. + * + */ + public void runGarbageCollector(); +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigLoader.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/MOAGarbageCollector.java index 1f43a0d8a..1072bec5c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigLoader.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/MOAGarbageCollector.java 
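Review bot: The new `IGarbageCollectorProcessing` interface does not document the contract its implementers inherit — `runGarbageCollector()` is invoked from a single low-priority daemon thread (see `MOAGarbageCollector.start()`), once per 24-hour interval, concurrently with request processing, and any exception escaping it is only logged. I would expand the Javadoc so that implementations know they must make any state they prune safe against concurrent request-thread access, should be idempotent, and should not block for long, since every registered module runs sequentially on the same thread. Something like: `Invoked by {@link MOAGarbageCollector} on its daemon thread once per interval; implementations must tolerate concurrent request-thread access to any state they prune and must not assume the call happens at a particular time.`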
@@ -23,36 +23,53 @@ package at.gv.egovernment.moa.id.config.auth; -import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; -import at.gv.egovernment.moa.logging.Logger; +import java.util.ArrayList; +import java.util.List; +import at.gv.egovernment.moa.logging.Logger; -public class AuthConfigLoader implements Runnable { +public class MOAGarbageCollector implements Runnable { - private static final long INTERVAL = 24 * 60 * 60; // 24 hours + private static final long INTERVAL = 24 * 60 * 60; // 24 hours + private static final List<IGarbageCollectorProcessing> processModules = + new ArrayList<IGarbageCollectorProcessing>(); public void run() { while (true) { try { - Thread.sleep(INTERVAL * 1000); - Logger.trace("Check consistence of PVP2X metadata"); - MOAMetadataProvider.reInitialize(); + Thread.sleep(INTERVAL * 1000); + + try { + for (IGarbageCollectorProcessing element : processModules) + element.runGarbageCollector(); - + } catch (Throwable e1) { + Logger.warn("Garbage collection FAILED in some module.", e1); + } + } catch (Throwable e) { - Logger.warn("MOA-ID Configuration validation is not possible, actually. Reuse old configuration.", e); + Logger.warn("MOA-ID garbage collection is not possible, actually.", e); } finally { - - + } } } - public static void start() { + /** + * Add a module to MOA internal garbage collector. Every module is executed once a day + * + * @param modul Module which should be executed by the garbage collector. 
+ */ + public static void addModulForGarbageCollection(IGarbageCollectorProcessing modul) { + processModules.add(modul); + + } + + public static void start() { // start the session cleanup thread - Thread configLoader = new Thread(new AuthConfigLoader(), "ConfigurationChecker"); - configLoader.setName("ConfigurationChecker"); + Thread configLoader = new Thread(new MOAGarbageCollector(), "MOAGarbageCollector"); + configLoader.setName("MOAGarbageCollectorr"); configLoader.setDaemon(true); configLoader.setPriority(Thread.MIN_PRIORITY); configLoader.start(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index f4c099878..03fa686f9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -55,6 +55,8 @@ import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.config.auth.IGarbageCollectorProcessing; +import at.gv.egovernment.moa.id.config.auth.MOAGarbageCollector; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; 
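Review bot: In `run()` the try/catch sits outside the `for` loop over `processModules`, so the first module whose `runGarbageCollector()` throws aborts the whole cycle and every later module is skipped for 24 hours — with both the PVP and the eIDAS provider registered, a failure in one silently suppresses metadata cleanup in the other. Move the catch inside the loop and log which module failed. Separately, `processModules` is a static `ArrayList` appended to from request threads (each provider registers itself lazily from `getInstance()`) while this thread iterates it unsynchronised, which can raise `ConcurrentModificationException` or hide a late registration from the collector; a `CopyOnWriteArrayList` (needs `import java.util.concurrent.CopyOnWriteArrayList;`) fixes both. Also, `catch (Throwable)` around `Thread.sleep` swallows `InterruptedException`, so the thread cannot be stopped cooperatively — restore the interrupt flag and leave the loop — and the thread name on the `setName` line is misspelled `MOAGarbageCollectorr`.
```java
	private static final List<IGarbageCollectorProcessing> processModules =
			new CopyOnWriteArrayList<IGarbageCollectorProcessing>();

	public void run() {
		while (true) {
			try {
				Thread.sleep(INTERVAL * 1000);

			} catch (InterruptedException e) {
				Logger.info("MOA-ID garbage collector interrupted, stopping.");
				Thread.currentThread().interrupt();
				return;
			}

			//one failing module must not prevent the others from running
			for (IGarbageCollectorProcessing element : processModules) {
				try {
					element.runGarbageCollector();

				} catch (Throwable e) {
					Logger.warn("Garbage collection FAILED in module "
							+ element.getClass().getName() + ".", e);
				}
			}
		}
	}
	// … unchanged: addModulForGarbageCollection, start …
```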
@@ -66,7 +68,7 @@ import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.MiscUtil; -public class MOAMetadataProvider implements ObservableMetadataProvider{ +public class MOAMetadataProvider implements ObservableMetadataProvider, IGarbageCollectorProcessing { private static MOAMetadataProvider instance = null; private static Object mutex = new Object(); @@ -77,18 +79,32 @@ public class MOAMetadataProvider implements ObservableMetadataProvider{ synchronized (mutex) { if (instance == null) { instance = new MOAMetadataProvider(); + + //add this to MOA garbage collector + MOAGarbageCollector.addModulForGarbageCollection(instance); + } } } return instance; } - public static void reInitialize() { + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IGarbageCollectorProcessing#runGarbageCollector() + */ + @Override + public void runGarbageCollector() { + reInitialize(); + + } + + private static void reInitialize() { synchronized (mutex) { /**add new Metadataprovider or remove Metadataprovider which are not in use any more.**/ if (instance != null) - try { + try { + Logger.trace("Check consistence of PVP2X metadata"); instance.addAndRemoveMetadataProvider(); } catch (ConfigurationException e) { diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java index 1d4556459..5166f090d 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java 
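Review bot: The new `runGarbageCollector()` override carries only an auto-generated `(non-Javadoc)` stub, and `reInitialize()` was narrowed from `public` to `private` in the same hunk, so the only remaining description of when the PVP metadata consistency check happens is the trace message inside it. I would replace the stub with a Javadoc stating the trigger and effect: `Entry point for {@link MOAGarbageCollector}: runs once per collector interval on its daemon thread and synchronises the loaded PVP2X metadata providers with the current OA configuration via {@link #reInitialize()}, holding {@code mutex} for the duration.` If `addAndRemoveMetadataProvider()` fetches metadata over the network, that should be noted as well, since it then runs under `mutex`; the method is not visible in this hunk, so confirm before documenting.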
@@ -57,7 +57,8 @@ public class Constants { //timeouts and clock skews public static final long CONFIG_PROPS_SKEWTIME = 2 * 60 * 1000; //2 minutes skew time for response validation public static final int CONFIG_PROPS_METADATA_SOCKED_TIMEOUT = 20 * 1000; //20 seconds metadata socked timeout - + public static final long CONFIG_PROPS_METADATA_GARBAGE_TIMEOUT = 7 * 24 * 60 * 60 * 1000; //remove unused eIDAS metadata after 7 days + //eIDAS attribute names public static final String eIDAS_ATTR_PERSONALIDENTIFIER = "PersonIdentifier"; public static final String eIDAS_ATTR_DATEOFBIRTH = "DateOfBirth"; diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java index f1b14015b..965abcde1 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java @@ -1,9 +1,12 @@ package at.gv.egovernment.moa.id.auth.modules.eidas.engine; import java.util.ArrayList; +import java.util.Date; import java.util.HashMap; +import java.util.Iterator; import java.util.List; import java.util.Map; +import java.util.Map.Entry; import java.util.Timer; import javax.net.ssl.SSLHandshakeException; 
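Review bot: `CONFIG_PROPS_METADATA_GARBAGE_TIMEOUT = 7 * 24 * 60 * 60 * 1000` is evaluated in `int` arithmetic before being widened to `long`; the current value (604,800,000) fits, but the same expression with 25 or more days silently overflows to a negative timeout, which in `runGarbageCollector()` would compute an expiry date in the future and purge every eIDAS provider on the next run. Make the first factor a long so the product is computed in 64 bits: `public static final long CONFIG_PROPS_METADATA_GARBAGE_TIMEOUT = 7L * 24 * 60 * 60 * 1000; //remove unused eIDAS metadata after 7 days`. `CONFIG_PROPS_SKEWTIME` two lines above has the same latent shape.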
@@ -27,7 +30,8 @@ import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.config.auth.IGarbageCollectorProcessing; +import at.gv.egovernment.moa.id.config.auth.MOAGarbageCollector; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException; import at.gv.egovernment.moa.id.saml2.MetadataFilterChain; @@ -35,12 +39,13 @@ import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; import eu.eidas.auth.engine.AbstractSAMLEngine; -public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvider { +public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvider, IGarbageCollectorProcessing { private static MOAeIDASChainingMetadataProvider instance = null; private static Object mutex = new Object(); private MetadataProvider internalProvider; + private Map<String, Date> lastAccess = null; public static MOAeIDASChainingMetadataProvider getInstance() { @@ -48,6 +53,7 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi synchronized (mutex) { if (instance == null) { instance = new MOAeIDASChainingMetadataProvider(); + MOAGarbageCollector.addModulForGarbageCollection(instance); } } } 
@@ -57,9 +63,79 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi private MOAeIDASChainingMetadataProvider() { internalProvider = new ChainingMetadataProvider(); + lastAccess = new HashMap<String, Date>(); } - + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IGarbageCollectorProcessing#runGarbageCollector() + */ + @Override + public void runGarbageCollector() { + if (!lastAccess.isEmpty()) { + Date now = new Date(); + Date expioredate = new Date(now.getTime() - + Constants.CONFIG_PROPS_METADATA_GARBAGE_TIMEOUT); + Logger.debug("Starting eIDAS Metadata garbag collection (Expioredate:" + + expioredate + ")"); + + List<String> expiredEntities = new ArrayList<String>(); + + Iterator<Entry<String, Date>> lastAccessInterator = lastAccess.entrySet().iterator(); + while(lastAccessInterator.hasNext()) { + Entry<String, Date> element = lastAccessInterator.next(); + if (element.getValue().before(expioredate)) { + Logger.debug("Remove unused eIDAS Metadate: " + element.getKey()); + expiredEntities.add(element.getKey()); + + } + } + + if (!expiredEntities.isEmpty()) { + ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider; + + //get all actually loaded metadata providers + Map<String, HTTPMetadataProvider> loadedproviders = getAllActuallyLoadedProviders(); + + for (String expired : expiredEntities) { + if (loadedproviders.containsKey(expired)) { + HTTPMetadataProvider provider = loadedproviders.get(expired); + + //destroy metadata provider + provider.destroy(); + + //remove from map + loadedproviders.remove(expired); + + /*OpenSAML ChainingMetadataProvider can not remove a MetadataProvider (UnsupportedOperationException) + *The ChainingMetadataProvider use internal a unmodifiableList to hold all registrated MetadataProviders.*/ + //chainProvider.removeMetadataProvider(provider); + Logger.info("Remove not used eIDAS MetadataProvider " + expired + + " after timeout."); + + } else + 
Logger.warn("eIDAS metadata for EntityID: " + expired + + " is marked as unsed, but no loaded metadata provider is found."); + + } + + try { + synchronized (chainProvider) { + chainProvider.setProviders(new ArrayList<MetadataProvider>(loadedproviders.values())); + + emitChangeEvent(); + } + + } catch (MetadataProviderException e) { + Logger.warn("ReInitalize eIDASA MetaDataProvider is not possible! MOA-ID Instance has to be restarted manualy", e); + + } + } + } + } + + + private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL) { HTTPMetadataProvider httpProvider = null; Timer timer= null; @@ -177,7 +253,7 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi } else { //load new Metadata Provider ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider; - HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL); + HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL); chainProvider.addMetadataProvider(newMetadataProvider); emitChangeEvent(); @@ -238,12 +314,12 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi Logger.debug("Can not find eIDAS metadata for entityID: " + entityID + " Start refreshing process ..."); if (refreshMetadataProvider(entityID)) - return internalProvider.getEntityDescriptor(entityID); + entityDesc = internalProvider.getEntityDescriptor(entityID); } else { if (!entityDesc.isValid()) if (refreshMetadataProvider(entityID)) - return internalProvider.getEntityDescriptor(entityID); + entityDesc = internalProvider.getEntityDescriptor(entityID); } 
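Review bot: In `runGarbageCollector()` an expired entity is destroyed and dropped from `loadedproviders`, but its key is never removed from `lastAccess`, so on every following run it is re-reported as expired, falls into the `else` branch (`is marked as unsed, but no loaded metadata provider is found`) and still forces a `setProviders()` plus `emitChangeEvent()` even though nothing changed. Remove the entry as part of the purge, after the chain swap succeeded. The ordering is also worth reversing: `provider.destroy()` runs before `setProviders()` replaces the chain, so in that window — and permanently if `setProviders()` throws the caught `MetadataProviderException` — the chain still hands out a provider that has been torn down; what a destroyed OpenSAML provider returns there depends on the library, so collect the providers, swap the chain first and destroy afterwards. The constructor at the top of this hunk initialises `lastAccess` as a plain `HashMap` that is also written from request threads; see the note on the `getEntityDescriptor()` hunk.
```java
			if (!expiredEntities.isEmpty()) {
				ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;
				Map<String, HTTPMetadataProvider> loadedproviders = getAllActuallyLoadedProviders();
				List<HTTPMetadataProvider> toDestroy = new ArrayList<HTTPMetadataProvider>();

				for (String expired : expiredEntities) {
					HTTPMetadataProvider provider = loadedproviders.remove(expired);
					if (provider != null) {
						toDestroy.add(provider);
						Logger.info("Remove not used eIDAS MetadataProvider " + expired
								+ " after timeout.");

					} else
						Logger.warn("eIDAS metadata for EntityID: " + expired
								+ " is marked as unsed, but no loaded metadata provider is found.");
				}

				try {
					synchronized (chainProvider) {
						chainProvider.setProviders(new ArrayList<MetadataProvider>(loadedproviders.values()));
						emitChangeEvent();
					}

					//forget the access times only once the chain no longer references the providers,
					//otherwise the same entities are re-reported on every run
					for (String expired : expiredEntities)
						lastAccess.remove(expired);

					//release the old providers after they left the chain
					for (HTTPMetadataProvider provider : toDestroy)
						provider.destroy();

				} catch (MetadataProviderException e) {
					Logger.warn("ReInitalize eIDASA MetaDataProvider is not possible! MOA-ID Instance has to be restarted manualy", e);
				}
			}
```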
@@ -252,10 +328,13 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi Logger.debug("Can not find eIDAS metadata for entityID: " + entityID + " Start refreshing process ..."); if (refreshMetadataProvider(entityID)) - return internalProvider.getEntityDescriptor(entityID); + entityDesc = internalProvider.getEntityDescriptor(entityID); } + if (entityDesc != null) + lastAccess.put(entityID, new Date()); + return entityDesc; } @@ -287,4 +366,5 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi if (observer != null) observer.onEvent(this); } + } |
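Review bot: `lastAccess.put(entityID, new Date())` runs on request threads while `runGarbageCollector()` iterates the same map from the collector's daemon thread, and the map is a plain `HashMap`; under load this is a `ConcurrentModificationException` in the collector (only logged, so that day's purge silently does nothing) or a lost or corrupted update. Declare it as `private final Map<String, Date> lastAccess = new ConcurrentHashMap<String, Date>();` (import `java.util.concurrent.ConcurrentHashMap`) and drop the `new HashMap` assignment in the constructor; both lines live in earlier hunks of this file. As far as the visible branches show, the access time is also recorded when a descriptor was found but `!entityDesc.isValid()` and the refresh failed, which keeps that provider out of the purge — consider `if (entityDesc != null && entityDesc.isValid())`. `getEntityDescriptor()` begins before this hunk, so its earlier branches are not fully visible here.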