Updates für bPK Berechnung Organwalter

git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1305 d688527b-c9ab-4aba-bd8d-4036d912da1d

6 files changed, 226 insertions, 20 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index a2c1d6131..d783c74d9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -647,6 +647,58 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	}
 
 	/**
+	 * Processes an <code>&lt;InfoboxReadResponse&gt;</code> sent by the
+	 * security layer implementation.<br>
+	 * <ul>
+	 * <li>Validates given <code>&lt;InfoboxReadResponse&gt;</code></li>
+	 * <li>Parses identity link enclosed in
+	 * <code>&lt;InfoboxReadResponse&gt;</code></li>
+	 * <li>Verifies identity link by calling the MOA SP component</li>
+	 * <li>Checks certificate authority of identity link</li>
+	 * <li>Stores identity link in the session</li>
+	 * <li>Verifies all additional infoboxes returned from the BKU</li>
+	 * <li>Creates an authentication block to be signed by the user</li>
+	 * <li>Creates and returns a <code>&lt;CreateXMLSignatureRequest&gt;</code>
+	 * containg the authentication block, meant to be returned to the security
+	 * layer implementation</li>
+	 * </ul>
+	 * 
+	 * @param sessionID
+	 *            ID of associated authentication session data
+	 * @param infoboxReadResponseParameters
+	 *            The parameters from the response returned from the BKU
+	 *            including the <code>&lt;InfoboxReadResponse&gt;</code>
+	 * @return String representation of the
+	 *         <code>&lt;CreateXMLSignatureRequest&gt;</code>
+	 */
+	public String verifyCertificate(String sessionID,
+			X509Certificate certificate) throws AuthenticationException,
+			BuildException, ParseException, ConfigurationException,
+			ValidateException, ServiceException {
+
+		if (isEmpty(sessionID))
+			throw new AuthenticationException("auth.10", new Object[] {
+					REQ_VERIFY_CERTIFICATE, PARAM_SESSIONID });
+
+		// check if person is a Organwalter
+		// if true - don't show bPK in AUTH Block
+		boolean isOW = false;
+//		String oid = null;
+//		if (oid.equalsIgnoreCase(MISMandate.OID_ORGANWALTER))
+//			isOW = true;
+//		
+		AuthenticationSession session = getSession(sessionID);
+		AuthConfigurationProvider authConf = AuthConfigurationProvider
+				.getInstance();
+
+		OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
+				.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
+
+		return getCreateXMLSignatureRequestAuthBlockOrRedirectForOW(session,
+				authConf, oaParam, isOW);
+	}
+	
+	/**
 	 * Processes an <code>Mandate</code> sent by the MIS.<br>
 	 * <ul>
 	 * <li>Validates given <code>Mandate</code></li>
@@ -781,6 +833,70 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	}
 
 	/**
+	 * 
+	 * @param session
+	 * @param authConf
+	 * @param oaParam
+	 * @return
+	 * @throws ConfigurationException
+	 * @throws BuildException
+	 * @throws ValidateException
+	 */
+	public String getCreateXMLSignatureRequestAuthBlockOrRedirectForOW(
+			AuthenticationSession session, AuthConfigurationProvider authConf,
+			OAAuthParameter oaParam, boolean isOW) throws ConfigurationException,
+			BuildException, ValidateException {
+
+		// check for intermediate processing of the infoboxes
+		if (session.isValidatorInputPending())
+			return "Redirect to Input Processor";
+
+		if (authConf == null)
+			authConf = AuthConfigurationProvider.getInstance();
+		if (oaParam == null)
+			oaParam = AuthConfigurationProvider.getInstance()
+					.getOnlineApplicationParameter(
+							session.getPublicOAURLPrefix());
+
+		// BZ.., calculate bPK for signing to be already present in AuthBlock
+		IdentityLink identityLink = session.getIdentityLink();
+		if (identityLink.getIdentificationType().equals(
+				Constants.URN_PREFIX_BASEID)) {
+			// only compute bPK if online application is a public service and we
+			// have the Stammzahl
+			if (isOW) {
+				// if person is OW, delete identification value (bPK is calculated via MIS)
+				identityLink.setIdentificationValue(null);
+				identityLink.setIdentificationType(null);
+			}
+			else {
+			String bpkBase64 = new BPKBuilder().buildBPK(identityLink
+					.getIdentificationValue(), session.getTarget());
+				identityLink.setIdentificationValue(bpkBase64);
+			}
+		}
+		// ..BZ
+		// }
+
+		// builds the AUTH-block
+		String authBlock = buildAuthenticationBlockForOW(session, oaParam, isOW);
+
+		// session.setAuthBlock(authBlock);
+		// builds the <CreateXMLSignatureRequest>
+		String[] transformsInfos = oaParam.getTransformsInfos();
+		if ((transformsInfos == null) || (transformsInfos.length == 0)) {
+			// no OA specific transforms specified, use default ones
+			transformsInfos = authConf.getTransformsInfos();
+		}
+		String createXMLSignatureRequest = new CreateXMLSignatureRequestBuilder()
+				.build(authBlock, oaParam.getKeyBoxIdentifier(),
+						transformsInfos, oaParam.getSlVersion12());
+		
+		System.out.println("XML: " + createXMLSignatureRequest);
+		
+		return createXMLSignatureRequest;
+	}
+	/**
 	 * Returns an CreateXMLSignatureRequest for signing the ERnP statement.<br>
 	 * <ul>
 	 * <li>Creates an CreateXMLSignatureRequest to be signed by the user</li>
@@ -988,6 +1104,60 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 	}
 
 	/**
+	 * Builds an authentication block <code>&lt;saml:Assertion&gt;</code> from
+	 * given session data.
+	 * 
+	 * @param session
+	 *            authentication session
+	 * 
+	 * @return <code>&lt;saml:Assertion&gt;</code> as a String
+	 * 
+	 * @throws BuildException
+	 *             If an error occurs on serializing an extended SAML attribute
+	 *             to be appended to the AUTH-Block.
+	 */
+	private String buildAuthenticationBlockForOW(AuthenticationSession session,
+			OAAuthParameter oaParam, boolean isOW) throws BuildException {
+		IdentityLink identityLink = session.getIdentityLink();
+		String issuer = identityLink.getName();
+		String gebDat = identityLink.getDateOfBirth();
+		String identificationValue = identityLink.getIdentificationValue();
+		String identificationType = identityLink.getIdentificationType();
+
+		String issueInstant = DateTimeUtils.buildDateTime(Calendar
+				.getInstance(), oaParam.getUseUTC());
+		session.setIssueInstant(issueInstant);
+		String authURL = session.getAuthURL();
+		String target = session.getTarget();
+		String targetFriendlyName = session.getTargetFriendlyName();
+		// Bug #485
+		// (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105)
+		// String oaURL = session.getPublicOAURLPrefix();
+		String oaURL = session.getPublicOAURLPrefix().replaceAll("&", "&amp;");
+		List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH();
+		Iterator it = extendedSAMLAttributes.iterator();
+		// delete bPK attribute from extended SAML attributes
+		if (isOW) {
+			ExtendedSAMLAttribute toDelete = null;
+			while (it.hasNext()) {
+				ExtendedSAMLAttribute attr = (ExtendedSAMLAttribute)it.next();
+				if (attr.getName().equalsIgnoreCase("bPK"))
+					toDelete = attr;
+			}		
+			if (toDelete != null)
+				extendedSAMLAttributes.remove(toDelete);
+		}
+		
+		String authBlock = new AuthenticationBlockAssertionBuilder()
+				.buildAuthBlock(issuer, issueInstant, authURL, target,
+						targetFriendlyName, identificationValue,
+						identificationType, oaURL, gebDat,
+						extendedSAMLAttributes, session);
+
+		return authBlock;
+	}
+	
+	/**
 	 * Verifies the infoboxes (except of the identity link infobox) returned by
 	 * the BKU by calling appropriate validator classes.
 	 * 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
index 53c1168c5..412f1db81 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
@@ -204,22 +204,25 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
       gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target + " (" + sectorName + ")" });
       
       //no business service, adding bPK
+
+      System.out.println("identityLinkValue: " + identityLinkValue);
+      if (identityLinkValue != null) {
+    	  Element bpkSamlValueElement;
+    	  try {
+    		  bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { identityLinkValue, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement();
+    	  } catch (Exception e) {
+    		  Logger.error("Error on building AUTH-Block: " + e.getMessage());
+    		  throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
+    	  } 
+	      
+	//      String s = xmlToString(bpkSamlValueElement);
+	//      System.out.println("bpkSamlValueElement: " + s);
+	      
+    	  ExtendedSAMLAttribute bpkAttribute = 
+    		  new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
+    	  extendedSAMLAttributes.add(bpkAttribute);
+      }
       
-      Element bpkSamlValueElement;
-      try {
-         bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { identityLinkValue, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement();
-      } catch (Exception e) {
-         Logger.error("Error on building AUTH-Block: " + e.getMessage());
-          throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
-      } 
-      
-//      String s = xmlToString(bpkSamlValueElement);
-//      System.out.println("bpkSamlValueElement: " + s);
-      
-      ExtendedSAMLAttribute bpkAttribute = 
-    	  new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
-      extendedSAMLAttributes.add(bpkAttribute);
-    	  
       boolean useMandate = session.getUseMandate();
       if (useMandate) {
     	  String mandateReferenceValue = Random.nextRandom();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java
index a1b03fcad..04fbc0588 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java
@@ -171,7 +171,8 @@ public class GetMISSessionIDServlet extends AuthServlet {
 	    	Element mandateDoc = DOMUtils.parseDocument(stringMandate, false, null, null).getDocumentElement();
 
 	    	//TODO OW bPK (Offen: was bei saml:NameIdentifier NameQualifier="urn:publicid:gv.at:cdid+bpk"> und <saml:Attribute AttributeName="bPK" )
-	    	//System.out.println("\n\n\n OW BPK: " + mandate.getOWbPK());
+	    	System.out.println("\n\n\n OW BPK: " + mandate.getOWbPK());
+	    	// TODO wenn OW bPK vorhanden - in SAML Assertion setzen!
 	    	
 	    	String redirectURL = null;
 	    	String samlArtifactBase64 = 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
index acd96dee0..51ec82e2d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
@@ -138,8 +138,11 @@ public class VerifyCertificateServlet extends AuthServlet {
 	    	
 	    	

 	    	if (useMandate) {

-	    		Logger.error("Online-Mandate Mode for foreign citizencs not supported.");
-    			throw new AuthenticationException("auth.13", null);    	          

+
+	    		// verify certificate for OrganWalter
+	    		String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().verifyCertificate(sessionID, cert);
+	    		
+	    		ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink");

 	    	}

 	    	else {

 	    		// Foreign Identities Modus	

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
index 17f7deb9b..5178e27d3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
@@ -173,7 +173,36 @@ public class VerifyIdentityLinkServlet extends AuthServlet {
     	    
     	}
     	else {
-    		ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink");
+    		// @TODO: unteren InfoboxReadRequest zu, Signer-Cert auslesen (wegen Cert Abfrage auf Organwalter OID),
+    		// nach oben verschoben vor verifyIdentityLink (da hier schon bPK berechnet, die aber für OW nicht in
+    		// AUTH Block aufscheinen darf. --> D.h. verifyIdentityLink umbauen - verify und AUTH Block bauen trennen)
+    		boolean useMandate = session.getUseMandate();
+    		if (useMandate) { // Mandate modus
+    			// read certificate and set dataurl to 
+    			Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate.");
+    			
+    
+     		   String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true);
+
+     		   // build dataurl (to the GetForeignIDSerlvet)
+     		   String dataurl =
+                 new DataURLBuilder().buildDataURL(
+                   session.getAuthURL(),
+                   REQ_VERIFY_CERTIFICATE,
+                   session.getSessionID());
+           
+          
+     		  //Logger.debug("ContentType set to: application/x-www-form-urlencoded (ServletUtils)");
+     		  //ServletUtils.writeCreateXMLSignatureRequestURLEncoded(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
+     		  Logger.debug("ContentType set to: text/xml;charset=UTF-8 (ServletUtils)");
+     		  ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
+    			
+    		}
+    		else {
+    			ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink");
+    		}
+    		
+    		
     	}
       
     }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java
index 80f2d744c..d97953270 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java
@@ -35,7 +35,7 @@ public class MISMandate {
 	final static private String OID_ZIVILTECHNIKER = "1.2.40.0.10.3.3";

 	final static private String TEXT_ZIVILTECHNIKER = "berufsmäßige(r) Parteienvertreter(in) mit Ziviltechnikerinneneigenschaft";

 

-	final static private String OID_ORGANWALTER = "1.2.40.0.10.3.4";

+	final static public String OID_ORGANWALTER = "1.2.40.0.10.3.4";

 	final static private String TEXT_ORGANWALTER = "Organwalter";