| author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2014-04-17 08:01:12 +0200 | 
|---|---|---|
| committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2014-04-17 08:01:12 +0200 | 
| commit | 9d1cbc894680a3b93f98e1f173e6ffa27ffbca96 (patch) | |
| tree | 4897700216d1e34ac6c5ded5688a2e5109c62476 /id | |
| parent | 0304aba0acd4b0067d115cce3f2581093aab05d0 (diff) | |
| download | moa-id-spss-9d1cbc894680a3b93f98e1f173e6ffa27ffbca96.tar.gz moa-id-spss-9d1cbc894680a3b93f98e1f173e6ffa27ffbca96.tar.bz2 moa-id-spss-9d1cbc894680a3b93f98e1f173e6ffa27ffbca96.zip | |
+ preProcess inbound PVP2.1 assertion
+ add inbound PVP2.1 assertion to IRequest
Diffstat (limited to 'id')
5 files changed, 147 insertions, 5 deletions
| diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java index a33d39ba7..c29c3a1b3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java @@ -22,6 +22,8 @@   *******************************************************************************/  package at.gv.egovernment.moa.id.moduls; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; +  public interface IRequest {  	public String getOAURL();  	public boolean isPassiv(); @@ -35,6 +37,7 @@ public interface IRequest {  	public void setRequestID(String id);  	public String getRequestID();	  	public String getRequestedIDP(); +	public MOAResponse getInterfederationResponse();  	//public void setTarget();  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java index d3ab640f1..94851ee8f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java @@ -24,6 +24,8 @@ package at.gv.egovernment.moa.id.moduls;  import java.io.Serializable; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; +  public class RequestImpl implements IRequest, Serializable{  	private static final long serialVersionUID = 1L; @@ -36,7 +38,10 @@ public class RequestImpl implements IRequest, Serializable{  	private String action = null;  	private String target = null;  	private String requestID; +	 +	//MOA-ID interfederation  	private String requestedIDP = null; +	private MOAResponse response = null;  	public void setOAURL(String value) { 
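Review bot: `public MOAResponse getInterfederationResponse();` is added to IRequest without Javadoc, and nothing says when the value is absent; the only implementation visible in this commit (MOASTORKRequest) returns null. Add above it `/** Returns the inbound PVP2.1 response received from the requested IDP during interfederation, or null when no such response has been processed. */`. The `public` modifier is redundant on an interface method but matches the neighbouring declarations.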
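Review bot: `private MOAResponse response = null;` is added to RequestImpl, which implements Serializable with a fixed `serialVersionUID`, and nothing in the hunk shows that MOAResponse is itself Serializable; if it is not, serializing a RequestImpl that carries a response will fail with NotSerializableException at runtime. Either make MOAResponse Serializable or declare the field `private transient MOAResponse response = null;` with a comment explaining how the response is re-obtained after deserialization. The `//MOA-ID interfederation` comment sits above `requestedIDP` only; it reads better as a one-line comment on each of the two interfederation fields.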
@@ -118,6 +123,21 @@ public class RequestImpl implements IRequest, Serializable{  	public void setRequestedIDP(String requestedIDP) {  		this.requestedIDP = requestedIDP;  	} + +	/** +	 * @return the response +	 */ +	public MOAResponse getInterfederationResponse() { +		return response; +	} + +	/** +	 * @param response the response to set +	 */ +	public void setInterfederationResponse(MOAResponse response) { +		this.response = response; +	} +	  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index e7b64be6a..3ab4dd74c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java 
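Review bot: The Javadoc on the new `getInterfederationResponse`/`setInterfederationResponse` pair is the IDE-generated `@return the response` / `@param response the response to set`, which tells a reader nothing about what the object is or when it is absent. Replace them with e.g. `/** @return the pre-processed inbound PVP2.1 response from the interfederation IDP, or null if none was stored */` and `/** @param response the inbound PVP2.1 response kept with this pending request; null clears it */`. The added `+	` lines carry trailing whitespace only and will trip a whitespace check.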
@@ -33,18 +33,29 @@ import javax.servlet.http.HttpServletRequest;  import javax.servlet.http.HttpServletResponse;  import org.apache.commons.lang.StringEscapeUtils; +import org.joda.time.DateTime;  import org.opensaml.common.xml.SAMLConstants;  import org.opensaml.saml2.core.AuthnRequest; +import org.opensaml.saml2.core.Conditions; +import org.opensaml.saml2.core.EncryptedAssertion;  import org.opensaml.saml2.core.RequestAbstractType;  import org.opensaml.saml2.core.Response;  import org.opensaml.saml2.core.Status;  import org.opensaml.saml2.core.StatusCode;  import org.opensaml.saml2.core.StatusMessage;  import org.opensaml.saml2.core.impl.AuthnRequestImpl; +import org.opensaml.saml2.encryption.Decrypter; +import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;  import org.opensaml.saml2.metadata.AssertionConsumerService;  import org.opensaml.saml2.metadata.AttributeConsumingService;  import org.opensaml.saml2.metadata.EntityDescriptor;  import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver; +import org.opensaml.xml.encryption.DecryptionException; +import org.opensaml.xml.encryption.InlineEncryptedKeyResolver; +import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver; +import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver; +import org.opensaml.xml.security.x509.X509Credential;  import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;  import at.gv.egovernment.moa.id.auth.exception.MOAIDException; 
@@ -54,22 +65,23 @@ import at.gv.egovernment.moa.id.moduls.IAction;  import at.gv.egovernment.moa.id.moduls.IModulInfo;  import at.gv.egovernment.moa.id.moduls.IRequest;  import at.gv.egovernment.moa.id.moduls.NoPassivAuthenticationException; +import at.gv.egovernment.moa.id.moduls.RequestImpl; +import at.gv.egovernment.moa.id.moduls.RequestStorage;  import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder;  import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;  import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;  import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestValidatorException;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.MandateAttributesNotHandleAbleException;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;  import at.gv.egovernment.moa.id.protocols.pvp2x.utils.CheckMandateAttributes;  import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; -import at.gv.egovernment.moa.id.protocols.pvp2x.validation.AuthnRequestValidator;  import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;  import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;  import 
at.gv.egovernment.moa.id.util.VelocityLogAdapter; @@ -171,6 +183,28 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {  				return preProcessAuthRequest(request, response, (MOARequest) msg);  			else if (msg instanceof MOAResponse) { +				//load service provider AuthRequest from session +											 +				IRequest obj = RequestStorage.getPendingRequest(msg.getRelayState()); +				if (obj instanceof RequestImpl) { +					RequestImpl iReq = (RequestImpl) obj; + +					MOAResponse processedMsg = preProcessAuthResponse((MOAResponse) msg); +					 +					if ( processedMsg != null ) { +						iReq.setInterfederationResponse((MOAResponse) msg);						 +												 +					} else { +						Logger.info("Receive NO valid SSO session from " + msg.getEntityID()  +								+". Switch to local authentication process ..."); +						iReq.setRequestedIDP(null); +					} +									 +					return iReq; +					 +				} + +				Logger.error("Stored PVP21 authrequest from service provider has an unsuppored type.");  				return null;  			} 
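Review bot: In the `msg instanceof MOAResponse` branch a relay state with no pending request leaves `obj` null and falls through to the "unsuppored type" error, so an unsolicited or replayed response is misreported as a type problem; add `if (obj == null) { Logger.warn("No pending PVP21 request for RelayState " + msg.getRelayState()); return null; }` before the instanceof check and fix the spelling to "unsupported" in the remaining message. The success path stores `(MOAResponse) msg` although `preProcessAuthResponse` returned `processedMsg`; as written both are the same instance, but `iReq.setInterfederationResponse(processedMsg);` says what is meant and survives a later change to the helper. Nothing in this hunk shows where the response's signature and InResponseTo are checked against the stored request; if the decoder or SAMLVerificationEngine does that before this point, a one-line comment saying so would help the next reader. The enclosing method starts and ends outside the hunk.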
@@ -362,4 +396,79 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {  		return config;  	} +	 +	/** +	 * @param msg +	 */ +	private MOAResponse preProcessAuthResponse(MOAResponse msg) { +		Logger.debug("Start PVP21 assertion processing... "); +		Response samlResp = msg.getResponse(); +		 +		try { +			if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { +				List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>(); +				 +				//check encrypted Assertion +				List<EncryptedAssertion> encryAssertionList = samlResp.getEncryptedAssertions(); +				if (encryAssertionList != null && encryAssertionList.size() > 0) { +					//decrypt assertions +					 +					Logger.debug("Found encryped assertion. Start decryption ..."); +									 +					X509Credential authDecCredential = CredentialProvider.getIDPAssertionEncryptionCredential(); +									 +					StaticKeyInfoCredentialResolver skicr = +							  new StaticKeyInfoCredentialResolver(authDecCredential); +					 +					ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(); +					encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() ); +					encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() ); +					encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() ); +					 +					Decrypter samlDecrypter = +							  new Decrypter(null, skicr, encryptedKeyResolver); +					 +					for (EncryptedAssertion encAssertion : encryAssertionList) {							 +						saml2assertions.add(samlDecrypter.decrypt(encAssertion)); +	 +					} +					 +					Logger.debug("Assertion decryption finished. 
"); +					 +				} else { +					saml2assertions = samlResp.getAssertions(); +			 +				} +				 +				for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) { +					 +					Conditions conditions = saml2assertion.getConditions(); +					DateTime notbefore = conditions.getNotBefore(); +					DateTime notafter = conditions.getNotOnOrAfter(); +					if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) { +						Logger.warn("PVP2 Assertion is out of Date"); +						return null; +						 +					} +					 +					samlResp.getAssertions().clear(); +					samlResp.getEncryptedAssertions().clear(); +					samlResp.getAssertions().addAll(saml2assertions); +										 +					msg.setSAMLMessage(samlResp.getDOM()); +					return msg; +					 +				}							 +			} +			 +		} catch (CredentialsNotAvailableException e) { +			Logger.warn("Assertion decrypt FAILED - No Credentials", e); +			 +		} catch (DecryptionException e) { +			Logger.warn("Assertion decrypt FAILED.", e); +			 +		} +		 +		return null; +	}  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java index 03b65bc7e..6e749aaf0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java @@ -24,6 +24,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x;  import at.gv.egovernment.moa.id.moduls.RequestImpl;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;  public class PVPTargetConfiguration extends RequestImpl { @@ -55,6 +56,5 @@ public class PVPTargetConfiguration extends RequestImpl {  	public void setConsumerURL(String consumerURL) {  		this.consumerURL = consumerURL; -	} -	 +	}	  } 
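Review bot: In the unencrypted branch `saml2assertions = samlResp.getAssertions()` aliases the response's own assertion list, so the later `samlResp.getAssertions().clear()` inside the loop empties the very list that `addAll(saml2assertions)` is then meant to restore, and the accepted response is returned with no assertion at all (assuming, as in OpenSAML 2, that `getAssertions()` hands back the live child list). The loop also returns on its first iteration, so only the first assertion's validity window is checked; `conditions`, `notbefore` and `notafter` are dereferenced without null checks and an NPE there escapes both catch clauses; and `notafter.isBeforeNow()` still accepts an assertion exactly at NotOnOrAfter, which SAML treats as already expired. The rewrite below copies the list, validates every assertion before touching the response, and only then swaps the assertions in. The Javadoc `@param msg` is empty; it could read `@param msg inbound PVP2.1 response, mutated in place (encrypted assertions are replaced by their decrypted form)` with `@return msg when the status is success and every assertion is inside its validity window, otherwise null`. Whether the decrypted assertions' signatures and AudienceRestriction are verified elsewhere is not visible in this hunk.
```java
				// … unchanged: status check and assertion decryption …
				} else {
					// copy: getAssertions() is the live child list and is cleared below
					saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>(samlResp.getAssertions());
				}

				if (saml2assertions.isEmpty()) {
					Logger.warn("PVP2 Response carries no assertion");
					return null;
				}

				// validate EVERY assertion before the response is modified
				for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
					Conditions conditions = saml2assertion.getConditions();
					if (conditions == null) {
						Logger.warn("PVP2 Assertion has no Conditions element");
						return null;
					}
					DateTime notbefore = conditions.getNotBefore();
					DateTime notafter = conditions.getNotOnOrAfter();
					// NotOnOrAfter is exclusive: the assertion is invalid at that instant
					if ((notbefore != null && notbefore.isAfterNow())
							|| (notafter != null && !notafter.isAfterNow())) {
						Logger.warn("PVP2 Assertion is out of Date");
						return null;
					}
				}

				samlResp.getAssertions().clear();
				samlResp.getEncryptedAssertions().clear();
				samlResp.getAssertions().addAll(saml2assertions);
				msg.setSAMLMessage(samlResp.getDOM());
				return msg;
				// … unchanged: catch clauses and final return null …
```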
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java index 23b8b3f7a..0eb1b83ca 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java @@ -3,6 +3,7 @@ package at.gv.egovernment.moa.id.protocols.stork2;  import java.io.Serializable;  import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;  import at.gv.egovernment.moa.logging.Logger;  import eu.stork.peps.auth.commons.IPersonalAttributeList;  import eu.stork.peps.auth.commons.STORKAttrQueryRequest; @@ -219,4 +220,13 @@ public class MOASTORKRequest implements IRequest, Serializable {  		// TODO Auto-generated method stub  		return null;  	} + +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.moduls.IRequest#getInterfederationResponse() +	 */ +	@Override +	public MOAResponse getInterfederationResponse() { +		// TODO Auto-generated method stub +		return null; +	}  } | 
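Review bot: `getInterfederationResponse()` in MOASTORKRequest is left as an auto-generated stub returning null under a `// TODO Auto-generated method stub` comment, which reads as unfinished work although returning null is presumably the intended answer for a STORK request, which carries no PVP2.1 response. Replace the TODO with a statement of intent, e.g. `// STORK requests never carry an inbound PVP2.1 response; absent by design`, and drop the `(non-Javadoc)` boilerplate in favour of the `@Override` alone or a one-line Javadoc saying the same.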
