7 files changed, 119 insertions, 24 deletions
diff --git a/common/src/main/resources/resources/schemas/MOA-ID-Configuration-1.4.3.xsd b/common/src/main/resources/resources/schemas/MOA-ID-Configuration-1.4.3.xsd
index 02183819c..570bebd37 100644
--- a/common/src/main/resources/resources/schemas/MOA-ID-Configuration-1.4.3.xsd
+++ b/common/src/main/resources/resources/schemas/MOA-ID-Configuration-1.4.3.xsd
@@ -179,6 +179,7 @@
 <xsd:enumeration value="FrontendServlets.DataURLPrefix"/>
<xsd:enumeration value="AuthenticationServer.KeepAssertion"/>
<xsd:enumeration value="AuthenticationServer.WriteAssertionToFile"/>
+ <xsd:enumeration value="AuthenticationServer.SourceID"/>
</xsd:restriction>
</xsd:simpleType>
</xsd:attribute>
diff --git a/id/history.txt b/id/history.txt
index c0f80c7c6..95ea0c78d 100644
--- a/id/history.txt
+++ b/id/history.txt
@@ -3,13 +3,34 @@ von MOA-ID auf.
 History MOA-ID:
=====
+Version MOA-ID 1.4.4: Änderungen seit Version MOA-ID 1.4.3:
+
+Verbesserungen/Erweiterungen:
+- Bei der beruflichen Parteienvertretung wurde das Stammzahlenregister in den
+ Beispielkonfigurationen vorkonfiguriert.
+
+- MOA-ID erlaubt ab sofort Load-Balancing. Dies wird durch die Konfigurations-
+ möglichkeit der Source-ID für das SAML-Artifact gewährleistet. Das Border-
+ Gateway kann dann anhand dieser Kennung an den zuständigen Server zur Abholung
+ der SAML-Assertion weiterleiten. Über den Konfigurationsparameter
+ <GenericConfiguration name="AuthenticationServer.SourceID" value="Cluster-A"/>
+ kann die authURL bei der Kodierung des SAML-Artifakts durch eine fix
+ definierte URI (z.B. "Cluster-A") ersetzt werden.
+
+Fixes:
+- In der Kommunikation mit dem Stammzahlenregistergateway die beim Einsatz der
+ beruflichen Parteienvertretung notwendig ist, verlangt das Service ein
+ adaptiertes Anfrageformat. MOA-ID wurde im Zuge dessen auf dieses Anfrage-
+ format umgestellt (Version SZR-GW-0.0.2.xsd).
+
+=====
Version MOA-ID 1.4.3-1 (Bugfix Release): Änderungen seit Version MOA-ID 1.4.3:
Verbesserungen/Erweiterungen:
- keine
Fixes:
-- Falscher Schemabenennung in Constants.java des common-Projekts wurde korrigiert.
+- Falsche Schemabenennung in Constants.java des common-Projekts wurde korrigiert.
=====
Version MOA-ID 1.4.3: Änderungen seit Version MOA-ID 1.4.2:
@@ -41,6 +62,7 @@ Fixes:
 iaik-cms: Version 4.01_MOA
aik-moa: Version 1.23
iaik-ecc: Version 2.16
+
=====
Version MOA-ID 1.4.2: Änderungen seit Version MOA-ID 1.4.2 beta2:
diff --git a/id/server/data/deploy/conf/moa-id/certs/ca-certs/gateway.stammzahlenregister.gv.at.cer b/id/server/data/deploy/conf/moa-id/certs/ca-certs/gateway.stammzahlenregister.gv.at.cer
new file mode 100644
index 000000000..c3b67e05d
--- /dev/null
+++ b/id/server/data/deploy/conf/moa-id/certs/ca-certs/gateway.stammzahlenregister.gv.at.cer
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFSDCCBDCgAwIBAgIDA/o/MA0GCSqGSIb3DQEBBQUAMIGHMQswCQYDVQQGEwJB
+VDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hlcmhlaXRzc3lzdGVtZSBp
+bSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMRYwFAYDVQQLDA1hLXNpZ24tU1NM
+LTAzMRYwFAYDVQQDDA1hLXNpZ24tU1NMLTAzMB4XDTA4MDUxOTA4MzUzNloXDTEz
+MDUxOTA4MzUzNlowgZYxCzAJBgNVBAYTAkFUMR4wHAYDVQQKDBVEYXRlbnNjaHV0
+emtvbW1pc3Npb24xJDAiBgNVBAsMG1N0YW1temFobGVucmVnaXN0ZXJiZWhvZXJk
+ZTEqMCgGA1UEAwwhZ2F0ZXdheS5zdGFtbXphaGxlbnJlZ2lzdGVyLmd2LmF0MRUw
+EwYDVQQFEww2NTYwNzMwNDAyNjIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCtAK7fsx5MgRrm7EIF3sxWKroNi+EBitJ1itnXix3L3npMIRUduDLIaMZm
+oLHSMkJmk0ePB74Wvsk/yJt2qTf6N0rDqmn9+lORF242cZeljJ9vVYhIRwbyj5IL
+Qng9vnIr0esCVadknSo357wQSss6oRBuclzf99cNt7zaPqT3+4kyLVtj3/N+ipgn
+8l5ZCNHq+kx+HjssXGARDUFgTFAFcJPDDR6bNWHjsa6Kq6DgXTqUX/tHaJATwkP8
+3bkn0ECAWF5hCVhzGd20MWzSVejkyWnjxxYSXVEsLM17hApDb5Ui01Qyb1RHyYuC
+hXpVuUqHXIZK4MyrUkfBcvMIExYJAgMBAAGjggGqMIIBpjATBgNVHSMEDDAKgAhA
+PqHTYrQD3TByBggrBgEFBQcBAQRmMGQwJwYIKwYBBQUHMAGGG2h0dHA6Ly9vY3Nw
+LmEtdHJ1c3QuYXQvb2NzcDA5BggrBgEFBQcwAoYtaHR0cDovL3d3dy5hLXRydXN0
+LmF0L2NlcnRzL2Etc2lnbi1zc2wtMDMuY3J0MEsGA1UdIAREMEIwQAYGKigAEQEU
+MDYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93d3cuYS10cnVzdC5hdC9kb2NzL2NwL2Et
+c2lnbi1zc2wwgY8GA1UdHwSBhzCBhDCBgaB/oH2Ge2xkYXA6Ly9sZGFwLmEtdHJ1
+c3QuYXQvb3U9YS1zaWduLVNTTC0wMyxvPUEtVHJ1c3QsYz1BVD9jZXJ0aWZpY2F0
+ZXJldm9jYXRpb25saXN0P2Jhc2U/b2JqZWN0Y2xhc3M9ZWlkQ2VydGlmaWNhdGlv
+bkF1dGhvcml0eTARBgNVHQ4ECgQIT1qEKtHyOygwDgYDVR0PAQH/BAQDAgWgMAkG
+A1UdEwQCMAAwDgYHKigACgEBAQQDAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBtb/dG
+Qn/r/MTqnjwFeHTlGwsuKyzx13PE3ZxBa5Q1YvNO9IbTHEi7dIb7LjdFQkkzn/sa
+PREGTRdaukD6JiUNFP0FV1hTNOUfctjiLy212VupdIyC6GYouL11A5UzBoZ5l5xq
+IpYWGJq0JP26jYlu93sSY0m35vVX6FLxJAuy8zQpOoqP4XcIZE4qDC5SqTvmRtLR
+AFCQD3C59/SaBKc73z3GQrfkXfUqKLd+8l0b58FnLNKjHCUvTlt/egmqb6ar/rGj
+fD9pCROYB6H1ryYWTbqCYyG4oNuZ9AwodY7GcDWpIPBP/VVyARgF6V1pEhAdAXMH
+zh/WsPsLHrdYA0/3
+-----END CERTIFICATE-----
diff --git a/id/server/doc/MOA-ID-Configuration-1.4.3.xsd b/id/server/doc/MOA-ID-Configuration-1.4.3.xsd
index 02183819c..570bebd37 100644
--- a/id/server/doc/MOA-ID-Configuration-1.4.3.xsd
+++ b/id/server/doc/MOA-ID-Configuration-1.4.3.xsd
@@ -179,6 +179,7 @@
 <xsd:enumeration value="FrontendServlets.DataURLPrefix"/>
<xsd:enumeration value="AuthenticationServer.KeepAssertion"/>
<xsd:enumeration value="AuthenticationServer.WriteAssertionToFile"/>
+ <xsd:enumeration value="AuthenticationServer.SourceID"/>
</xsd:restriction>
</xsd:simpleType>
</xsd:attribute>
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java
index 27e19e830..b5d18b451 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLArtifactBuilder.java
@@ -4,6 +4,9 @@ import java.io.ByteArrayOutputStream;
 import java.security.MessageDigest;
 import at.gv.egovernment.moa.id.BuildException;
+import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.Base64Utils;
 /**
@@ -16,6 +19,11 @@ import at.gv.egovernment.moa.util.Base64Utils;
 public class SAMLArtifactBuilder {
 /**
+ * The generic configuration parameter for an alternative SourceID.
+ */
+ private static final String GENERIC_CONFIG_PARAM_SOURCEID = "AuthenticationServer.SourceID";
+
+ /**
 * Constructor for SAMLArtifactBuilder.
 */
 public SAMLArtifactBuilder() {
@@ -36,25 +44,34 @@ public class SAMLArtifactBuilder {
 * @return the 42-byte SAML artifact, encoded BASE64
 */
 public String build(String authURL, String sessionID) throws BuildException {
- try {
- MessageDigest md = MessageDigest.getInstance("SHA-1");
- byte[] sourceID = md.digest(authURL.getBytes());
- byte[] assertionHandle = md.digest(sessionID.getBytes());
- ByteArrayOutputStream out = new ByteArrayOutputStream(42);
- out.write(0);
- out.write(1);
- out.write(sourceID, 0, 20);
- out.write(assertionHandle, 0, 20);
- byte[] samlArtifact = out.toByteArray();
- String samlArtifactBase64 = Base64Utils.encode(samlArtifact);
- return samlArtifactBase64;
- }
- catch (Throwable ex) {
- throw new BuildException(
- "builder.00",
- new Object[] {"SAML Artifact, MOASessionID=" + sessionID, ex.toString()},
- ex);
- }
+ try {
+ MessageDigest md = MessageDigest.getInstance("SHA-1");
+ byte[] sourceID;
+ // alternative sourceId
+ String alternativeSourceID = AuthConfigurationProvider.getInstance().getGenericConfigurationParameter(GENERIC_CONFIG_PARAM_SOURCEID);
+ if (!ParepUtils.isEmpty(alternativeSourceID)) {
+ // if generic config parameter "AuthenticationServer.SourceID" is given, use that sourceID instead of authURL;
+ sourceID = md.digest(alternativeSourceID.getBytes());
+ Logger.info("Building SAMArtifact from sourceID \"" + alternativeSourceID + "\" instead of authURL \"" + authURL + "\".");
+ } else {
+ sourceID = md.digest(authURL.getBytes());
+ }
+ byte[] assertionHandle = md.digest(sessionID.getBytes());
+ ByteArrayOutputStream out = new ByteArrayOutputStream(42);
+ out.write(0);
+ out.write(1);
+ out.write(sourceID, 0, 20);
+ out.write(assertionHandle, 0, 20);
+ byte[] samlArtifact = out.toByteArray();
+ String samlArtifactBase64 = Base64Utils.encode(samlArtifact);
+ return samlArtifactBase64;
+ }
+ catch (Throwable ex) {
+ throw new BuildException(
+ "builder.00",
+ new Object[] {"SAML Artifact, MOASessionID=" + sessionID, ex.toString()},
+ ex);
+ }
 }
 }
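Review bot: `sourceID = md.digest(alternativeSourceID.getBytes())` hashes the configured value in the JVM's default charset, and the same holds for the retained `authURL.getBytes()` and `sessionID.getBytes()`; cluster members whose `file.encoding` differs would then derive different SourceIDs from the same `AuthenticationServer.SourceID` value as soon as it contains a non-ASCII character, which is exactly the identifier the Border-Gateway routing introduced here depends on. Pinning the encoding, `sourceID = md.digest(alternativeSourceID.getBytes("UTF-8"));` (the `UnsupportedEncodingException` is already covered by the existing `catch (Throwable ex)`), makes the artifact independent of the host locale. The log line also misspells the artifact: `"Building SAMLArtifact from sourceID ..."`. The two-byte `0, 1` prefix followed by two 20-byte digests looks like the SAML 1.x type-1 artifact layout; a comment such as `// 2-byte type code 0x0001 + 20-byte SourceID + 20-byte AssertionHandle = 42 bytes` above `new ByteArrayOutputStream(42)` would spare the next reader the spec lookup.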
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/CreateMandateRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/CreateMandateRequest.java
index fe8e263ff..3077ba185 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/CreateMandateRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/CreateMandateRequest.java
@@ -6,6 +6,7 @@ import java.util.List;
 import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
+import org.apache.xpath.XPathAPI;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -204,11 +205,31 @@ public class CreateMandateRequest {
 Element representativeElem = representativeDocument.createElementNS(SZRGWConstants.SZRGW_REQUEST_NS, SZRGWConstants.SZRGW_PREFIX + SZRGWConstants.REPRESENTATIVE);
// representativeElem.setAttribute("xmlns" + SZRGWConstants.PD_POSTFIX, Constants.PD_NS_URI);
// representativeElem.setAttribute("xmlns" + SZRGWConstants.SZRGW_POSTFIX, SZRGWConstants.SZRGW_REQUEST_NS);
+
+ //Old Version 0.0.1 of SZR-Gateway
+// representativeElem.appendChild(createIdentificationElem(representativeDocument, identificationType, identificationValue));
+// representativeElem.appendChild(createNameElem(representativeDocument, params.getGivenName(), params.getFamilyName()));
+// representativeElem.appendChild(createPersonDataElem(representativeDocument, SZRGWConstants.DATEOFBIRTH, params.getDateOfBirth()));
- representativeElem.appendChild(createIdentificationElem(representativeDocument, identificationType, identificationValue));
- representativeElem.appendChild(createNameElem(representativeDocument, params.getGivenName(), params.getFamilyName()));
- representativeElem.appendChild(createPersonDataElem(representativeDocument, SZRGWConstants.DATEOFBIRTH, params.getDateOfBirth()));
-
+ //New since version 0.0.2 of SZR-Gateway:
+ // we need to send an identity link and must replace its identification value
+ representativeElem.appendChild(representativeElem.getOwnerDocument().importNode(params.getIdentityLink(), true));
+ try {
+ Element nameSpaceNode = representativeElem.getOwnerDocument().createElement("NameSpaceNode");
+ nameSpaceNode.setAttribute("xmlns" + SZRGWConstants.PD_POSTFIX, Constants.PD_NS_URI);
+ nameSpaceNode.setAttribute("xmlns" + SZRGWConstants.SAML_POSTFIX, Constants.SAML_NS_URI);
+ nameSpaceNode.setAttribute("xmlns" + SZRGWConstants.SZRGW_POSTFIX, SZRGWConstants.SZRGW_REQUEST_NS);
+ Element identificationValueElement = (Element) XPathAPI.selectSingleNode(representativeElem, "descendant-or-self::" + SZRGWConstants.SZRGW_PREFIX + SZRGWConstants.REPRESENTATIVE + "/" +SZRGWConstants.SAML_PREFIX + "Assertion/saml:AttributeStatement/saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData/pr:Person/pr:Identification/pr:Value", nameSpaceNode);
+ if (identificationValueElement != null) {
+ identificationValueElement.setTextContent(identificationValue);
+ }
+ Element identificationTypeElement = (Element) XPathAPI.selectSingleNode(representativeElem, "descendant-or-self::" + SZRGWConstants.SZRGW_PREFIX + SZRGWConstants.REPRESENTATIVE + "/" +SZRGWConstants.SAML_PREFIX + "Assertion/saml:AttributeStatement/saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData/pr:Person/pr:Identification/pr:Type", nameSpaceNode);
+ if (identificationTypeElement != null) {
+ identificationTypeElement.setTextContent(identificationType);
+ }
+ } catch (Exception e) {
+ throw new SZRGWClientException("validator.63", null);
+ }
this.representative = representativeElem;
}
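Review bot: When either XPath lookup on the imported identity link returns null, the `if (identificationValueElement != null)` and `if (identificationTypeElement != null)` guards skip the rewrite silently, and the request goes to the gateway carrying whatever `pr:Identification/pr:Value` and `pr:Type` the identity link already had instead of `identificationValue`/`identificationType`; a missing element should fail the way the XPath exception already does, e.g. `if (identificationValueElement == null || identificationTypeElement == null) throw new SZRGWClientException("validator.63", null);` before the two `setTextContent` calls. The catch block also discards `e`, so a malformed expression or DOM failure surfaces with no cause; pass it on if `SZRGWClientException` has a cause-taking constructor. If the element from `params.getIdentityLink()` carries an XML signature, rewriting Value/Type in place invalidates it — presumably the 0.0.2 gateway format expects that, but a one-line comment saying so would save the next reader from treating it as a bug. The commented-out 0.0.1 `appendChild` calls should be deleted rather than kept beside the live code. The enclosing method begins before this hunk.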
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/SZRGWConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/SZRGWConstants.java
index 006b2b9f2..cc0cc4862 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/SZRGWConstants.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/SZRGWConstants.java
@@ -10,6 +10,8 @@ public interface SZRGWConstants {
 //PersonData
public static final String PD_PREFIX = "pr:";
public static final String PD_POSTFIX = ":pr";
+ public static final String SAML_PREFIX = "saml:";
+ public static final String SAML_POSTFIX = ":saml";
public static final String PERSON = "Person";
public static final String PHYSICALPERSON = "PhysicalPerson";
public static final String CORPORATEBODY = "CorporateBody";