diff options
4 files changed, 82 insertions, 10 deletions
| diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 52488c3cb..7aa4cd1f7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -536,7 +536,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {  			} else {  				Logger.debug("Found PVP QAA level. QAA mapping process starts ... ");				 -				String mappedQAA = PVPtoSTORKMapper.getInstance().mapQAALevel(qaaLevel); +				String mappedQAA = PVPtoSTORKMapper.getInstance().mapToQAALevel(qaaLevel);  				if (MiscUtil.isNotEmpty(mappedQAA))  					authData.setQAALevel(mappedQAA); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index dab89b7c3..333bd35f1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -77,6 +77,7 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;  import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.data.SLOInformationContainer;  import at.gv.egovernment.moa.id.data.SLOInformationImpl; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;  import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;  import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder;  import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; @@ -87,9 +88,11 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;  import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;  import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest;  import at.gv.egovernment.moa.id.storage.AssertionStorage;  import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;  import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; +import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper;  import at.gv.egovernment.moa.id.util.ParamValidatorUtils;  import at.gv.egovernment.moa.id.util.Random;  import at.gv.egovernment.moa.logging.Logger; @@ -381,6 +384,7 @@ public class AuthenticationManager extends AuthServlet {  		//get IDP metadata  		try {  			OAAuthParameter idp = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(target.getRequestedIDP()); +			OAAuthParameter sp = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(target.getOAURL());  			if (!idp.isInderfederationIDP() || !idp.isInboundSSOInterfederationAllowed()) {  				Logger.info("Requested interfederation IDP " + target.getRequestedIDP() + " is not valid for interfederation."); @@ -389,7 +393,7 @@ public class AuthenticationManager extends AuthServlet {  				return;  			}  -						 +			  			EntityDescriptor idpEntity = MOAMetadataProvider.getInstance().  					getEntityDescriptor(target.getRequestedIDP()); @@ -409,7 +413,7 @@ public class AuthenticationManager extends AuthServlet {  							redirectEndpoint == null )  						redirectEndpoint = sss;  				} -				 +								  				if (redirectEndpoint != null) {  					AuthnRequest authReq = SAML2Utils @@ -440,13 +444,55 @@ public class AuthenticationManager extends AuthServlet {  							SAML2Utils.createSAMLObject(RequestedAuthnContext.class);  					AuthnContextClassRef authnClassRef =  -							SAML2Utils.createSAMLObject(AuthnContextClassRef.class);					 -					authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4"); +							SAML2Utils.createSAMLObject(AuthnContextClassRef.class); +					 +					if (sp != null && sp.isSTORKPVPGateway()){ +						//use PVP SecClass instead of STORK QAA level +						String secClass = null; +						if (target instanceof MOASTORKRequest) { +							 +							try { +								MOASTORKRequest storkReq = (MOASTORKRequest) target;	 +								secClass = PVPtoSTORKMapper.getInstance().mapToSecClass( +										PVPConstants.STORK_QAA_PREFIX + storkReq.getStorkAuthnRequest().getQaa()); +							 +							} catch (Exception e) { +								Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4", e); + +							}							 +						} +						 +						if (MiscUtil.isNotEmpty(secClass)) +							authnClassRef.setAuthnContextClassRef(secClass); +						else +							authnClassRef.setAuthnContextClassRef("http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3"); +											 +					} else { +						if (target instanceof MOASTORKRequest) { +							//use requested QAA level from STORK request +							try { +								MOASTORKRequest storkReq = (MOASTORKRequest) target; +								authnClassRef.setAuthnContextClassRef( +										PVPConstants.STORK_QAA_PREFIX + storkReq.getStorkAuthnRequest().getQaa()); +								Logger.debug("Use STORK-QAA level " + authnClassRef.getAuthnContextClassRef()  +										+ " from STORK request"); +								 +							} catch (Exception e) { +								Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4", e); +								 +							} +							 +						} +						 +						if (MiscUtil.isEmpty(authnClassRef.getAuthnContextClassRef()))						 +							authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4"); +						 +					} +					  					reqAuthContext.setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM);					  					reqAuthContext.getAuthnContextClassRefs().add(authnClassRef);					  					authReq.setRequestedAuthnContext(reqAuthContext); -					 -					 +										  					IEncoder binding = null;  					if (redirectEndpoint.getBinding().equals(  							SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java index 0ea03e29d..fe3b780fb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java @@ -36,6 +36,7 @@ import at.gv.egovernment.moa.util.MiscUtil;  public class PVPtoSTORKMapper {  	private static final String PVP_SECCLASS_PREFIX = "http://www.ref.gv.at/ns/names/agiz/pvp/"; +	private static final String STORK_QAA_PREFIX = "http://www.stork.gov.eu/1.0/";  	private static final String MAPPING_RESOURCE =   			"resources/properties/pvp-stork_mapping.properties"; @@ -67,12 +68,31 @@ public class PVPtoSTORKMapper {  	} +	/**Map a STORK QAA level to PVP SecClass +	 *  +	 * @param STORK-QAA level +	 * @return PVP SecClass pvpQAALevel +	 */	 +	public String mapToSecClass(String storkQAALevel) { +		if (mapping != null) { +			String input = storkQAALevel.substring(STORK_QAA_PREFIX.length());			 +			String mappedQAA = mapping.getProperty(input); +			if (MiscUtil.isNotEmpty(mappedQAA)) { +				Logger.info("Map STORK-QAA " + storkQAALevel + " to PVP SecClass " + mappedQAA); +				return mappedQAA; +				 +			}						 +		}		 +		Logger.warn("No mapping for STORK-QAA " + storkQAALevel +" !"); +		return null; +	} +	  	/**Map a PVP SecClass to STORK QAA level  	 *   	 * @param PVP SecClass pvpQAALevel  	 * @return STORK-QAA level  	 */	 -	public String mapQAALevel(String pvpQAALevel) { +	public String mapToQAALevel(String pvpQAALevel) {  		if (mapping != null) {  			String input = pvpQAALevel.substring(PVP_SECCLASS_PREFIX.length());			  			String mappedQAA = mapping.getProperty(input); diff --git a/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties b/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties index 63745f826..1a8d8db58 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties @@ -2,8 +2,14 @@  viewer=CIRCABC/viewer  CIRCABC-viewer=CIRCABC/viewer -##PVP SecClass mapping +##PVP SecClass to STORK-QAA mapping  secclass/0=http://www.stork.gov.eu/1.0/citizenQAALevel/1  secclass/0-1=http://www.stork.gov.eu/1.0/citizenQAALevel/2  secclass/0-2=http://www.stork.gov.eu/1.0/citizenQAALevel/3 -secclass/0-3=http://www.stork.gov.eu/1.0/citizenQAALevel/4
\ No newline at end of file +secclass/0-3=http://www.stork.gov.eu/1.0/citizenQAALevel/4 + +##STORK-QAA to PVP SecClass mapping +citizenQAALevel/1=http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0 +citizenQAALevel/2=http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-1 +citizenQAALevel/3=http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-2 +citizenQAALevel/4=http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3
\ No newline at end of file | 
