57 files changed, 1444 insertions, 617 deletions
| diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java index 1a9018563..c7ef73b47 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java @@ -184,5 +184,7 @@ public class MOAIDAuthConstants extends MOAIDConstants{    public static final String AUTHPROCESS_DATA_TARGETFRIENDLYNAME = "authProces_TargetFriendlyName";    public static final String AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE = "authProces_SecurityLayerTemplate"; +  //General MOASession data-store keys +  public static final String MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE = "holderofkey_cert";  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 8a9999d85..999f289e0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -45,10 +45,6 @@ import javax.xml.bind.Marshaller;  import org.opensaml.saml2.core.Attribute;  import org.opensaml.saml2.core.AttributeQuery;  import org.opensaml.saml2.core.AuthnStatement; -import org.opensaml.saml2.core.Response; -import org.opensaml.ws.soap.common.SOAPException; -import org.opensaml.xml.XMLObject; -import org.opensaml.xml.security.SecurityException;  import org.springframework.beans.factory.annotation.Autowired;  import org.springframework.stereotype.Service;  import org.w3c.dom.Element; 
@@ -82,7 +78,6 @@ import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;  import at.gv.egovernment.moa.id.config.ConfigurationException;  import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;  import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.data.AuthenticationData;  import at.gv.egovernment.moa.id.data.AuthenticationRoleFactory;  import at.gv.egovernment.moa.id.data.IAuthData; @@ -91,7 +86,6 @@ import at.gv.egovernment.moa.id.moduls.IRequest;  import at.gv.egovernment.moa.id.moduls.RequestImpl;  import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;  import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; @@ -99,7 +93,6 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;  import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;  import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;  import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;  import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage;  import at.gv.egovernment.moa.id.util.IdentityLinkReSigner; 
@@ -125,140 +118,62 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {  	@Autowired private IAuthenticationSessionStoreage authenticatedSessionStorage;  	@Autowired protected AuthConfiguration authConfig; -	@Autowired private AttributQueryBuilder attributQueryBuilder; -	@Autowired private SAMLVerificationEngine samlVerificationEngine; -	public IAuthData buildAuthenticationData(IRequest protocolRequest,  -            AuthenticationSession session, List<Attribute> reqAttributes) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException {		 -		AuthenticationData authdata = null;		 +	public IAuthData buildAuthenticationDataForAttributQuery(IRequest pendingReq,  +            AuthenticationSession session, List<Attribute> reqAttributes) { +		AuthenticationData authdata = new AuthenticationData(); -		//only needed for SAML1 legacy support  		try { -			//check if SAML1 authentication module is in Classpath -			Class<?> saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl"); -			IAuthData saml1authdata = (IAuthData) Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData").newInstance();			 -			if (saml1RequstTemplate != null &&  -					saml1RequstTemplate.isInstance(protocolRequest)) {				 -				//request is SAML1  --> invoke SAML1 protocol specific methods  -				if (session.getExtendedSAMLAttributesOA() == null) { -					saml1authdata.getClass().getMethod("setExtendedSAMLAttributesOA", List.class).invoke(saml1authdata, new ArrayList<ExtendedSAMLAttribute>()); -					 -				} else { -					saml1authdata.getClass().getMethod("setExtendedSAMLAttributesOA", List.class).invoke(saml1authdata, session.getExtendedSAMLAttributesOA()); -				} +			//mark AttributeQuery as used if it exists +			OASessionStore activeOA = authenticatedSessionStorage.searchActiveOASSOSession(session, pendingReq.getOAURL(), pendingReq.requestedModule()); +			if (activeOA != null) { +				
//reuse some parameters if it is a Service-Provider reauthentication +				authdata.setSessionIndex(activeOA.getAssertionSessionID()); +				authdata.setNameID(activeOA.getUserNameID()); +				authdata.setNameIDFormat(activeOA.getUserNameIDFormat()); -				authdata = (AuthenticationData) saml1authdata; -							 -			} else {			 -				authdata = new AuthenticationData(); -							 -			} -						 -		} catch (ClassNotFoundException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | NoSuchMethodException | java.lang.SecurityException ex) {			 -			authdata = new AuthenticationData(); -			 -		} -		 -		//reuse some parameters if it is a Service-Provider reauthentication -		OASessionStore activeOA = authenticatedSessionStorage.searchActiveOASSOSession(session, protocolRequest.getOAURL(), protocolRequest.requestedModule()); -		if (activeOA != null) { -			authdata.setSessionIndex(activeOA.getAssertionSessionID()); -			authdata.setNameID(activeOA.getUserNameID()); -			authdata.setNameIDFormat(activeOA.getUserNameIDFormat()); -			 -			//mark AttributeQuery as used -			if ( protocolRequest instanceof PVPTargetConfiguration &&  -					((PVPTargetConfiguration) protocolRequest).getRequest() instanceof MOARequest && -					((PVPTargetConfiguration) protocolRequest).getRequest().getInboundMessage() instanceof AttributeQuery) {				 -				try { -					activeOA.setAttributeQueryUsed(true); -					MOASessionDBUtils.saveOrUpdate(activeOA); +				//mark  +				if ( pendingReq instanceof PVPTargetConfiguration &&  +						((PVPTargetConfiguration) pendingReq).getRequest() instanceof MOARequest && +						((PVPTargetConfiguration) pendingReq).getRequest().getInboundMessage() instanceof AttributeQuery) {				 +					try { +						activeOA.setAttributeQueryUsed(true); +						MOASessionDBUtils.saveOrUpdate(activeOA); -				} catch (MOADatabaseException e) { -					Logger.error("MOASession interfederation information can not stored to database.", e); +					} 
catch (MOADatabaseException e) { +						Logger.error("MOASession interfederation information can not stored to database.", e); -				}				 +					}				 +				}  			} -		} -		 -		//search federated IDP information in MOASession -		InterfederationSessionStore interfIDP = authenticatedSessionStorage.searchInterfederatedIDPFORAttributeQueryWithSessionID(session); -		IOAAuthParameters oaParam = null;				 -		if (reqAttributes == null) { -			//get OnlineApplication from MOA-ID-Auth configuration -			oaParam = protocolRequest.getOnlineApplicationConfiguration(); - -			//build OA dynamically from STROK request if this OA is used as STORK<->PVP gateway			  -			if (oaParam.isSTORKPVPGateway()) -				oaParam = DynamicOAAuthParameterBuilder.buildFromAuthnRequest(oaParam, protocolRequest); -						 -		} else { -			//build OnlineApplication dynamic from requested attributes (AttributeQuerry Request) -			oaParam = DynamicOAAuthParameterBuilder.buildFromAttributeQuery(reqAttributes, interfIDP); +			getAuthDataFromInterfederation(authdata, session, spConfig, pendingReq, interfIDP, idp,  reqAttributes); -		} -		 -		if (interfIDP != null ) { -			//authentication by using a federated IDP -			if (oaParam.isInderfederationIDP() && protocolRequest instanceof PVPTargetConfiguration && -					!(((PVPTargetConfiguration)protocolRequest).getRequest() instanceof AttributeQuery)) { -				//IDP is a chained interfederated IDP and Authentication is requested -				 -				//only set minimal response attributes -				authdata.setQAALevel(interfIDP.getQAALevel()); -				authdata.setBPK(interfIDP.getUserNameID()); - -			} else {						 -				//get attributes from interfederated IDP -				OAAuthParameter idp = authConfig.getOnlineApplicationParameter(interfIDP.getIdpurlprefix()); -				getAuthDataFromInterfederation(authdata, session, oaParam, protocolRequest, interfIDP, idp,  reqAttributes); +			 +			 +			 +			 +			 +			//mark attribute request as used 				 +			try { +				interfIDP.setAttributesRequested(true); +			
	MOASessionDBUtils.saveOrUpdate(interfIDP); +														 +			} catch (MOADatabaseException e) { +				Logger.error("MOASession interfederation information can not stored to database.", e); -				//mark attribute request as used 				 -				try { -					interfIDP.setAttributesRequested(true); -					MOASessionDBUtils.saveOrUpdate(interfIDP); -															 -				} catch (MOADatabaseException e) { -					Logger.error("MOASession interfederation information can not stored to database.", e); -					 -				}  			} -		} else { -			//build AuthenticationData from MOASession -			buildAuthDataFormMOASession(authdata, session, oaParam, protocolRequest); -					 -		} -		return authdata;								 +			return authdata; +			 +		} catch (DynamicOABuildException e) { +			//TODO: +			 +		}  	} -	/** -	 * @param req -	 * @param session -	 * @param reqAttributes -	 * @return -	 * @throws WrongParametersException  -	 * @throws ConfigurationException  -	 * @throws BuildException  -	 * @throws DynamicOABuildException  -	 */ -	public IAuthData buildAuthenticationData(IRequest req, -			AuthenticationSession session) throws WrongParametersException, ConfigurationException, BuildException, DynamicOABuildException { -		return buildAuthenticationData(req, session, null); -	} -	/** -	 * @param authdata -	 * @param session -	 * @param oaParam -	 * @param protocolRequest -	 * @param interfIDP -	 * @param idp  -	 * @param reqQueryAttr  -	 * @throws ConfigurationException  -	 */  	private void getAuthDataFromInterfederation(  			AuthenticationData authdata, AuthenticationSession session,  			IOAAuthParameters oaParam, IRequest req, 
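Review bot: buildAuthenticationDataForAttributQuery cannot compile as shown: the `catch (DynamicOABuildException e)` block holds only `//TODO:` and nothing follows it, so javac reports a missing return statement, and even with a `return null` added the attribute-query failure would be silently swallowed instead of reaching the caller. Declaring the exception keeps the failure visible, `public IAuthData buildAuthenticationDataForAttributQuery(IRequest pendingReq, AuthenticationSession session, List<Attribute> reqAttributes) throws DynamicOABuildException {`, with the outer try/catch around the body removed (the inner MOADatabaseException handling stays as it is). The new side also calls `getAuthDataFromInterfederation(authdata, session, spConfig, pendingReq, interfIDP, idp, reqAttributes)` and `interfIDP.setAttributesRequested(true)`, but I do not see `spConfig`, `interfIDP` or `idp` declared anywhere on the new side of this hunk; presumably the removed `searchInterfederatedIDPFORAttributeQueryWithSessionID` lookup and the `authConfig.getOnlineApplicationParameter(...)` call still have to be reinstated. getAuthDataFromInterfederation's signature continues past the end of the hunk.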
@@ -363,6 +278,76 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {  		}  	} +	 +	public IAuthData buildAuthenticationData(IRequest pendingReq,  +            AuthenticationSession session) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException {		 +		AuthenticationData authdata = null;		 +		 +		//only needed for SAML1 legacy support +		try { +			//check if SAML1 authentication module is in Classpath +			Class<?> saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl"); +			IAuthData saml1authdata = (IAuthData) Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData").newInstance();			 +			if (saml1RequstTemplate != null &&  +					saml1RequstTemplate.isInstance(pendingReq)) {				 +				//request is SAML1  --> invoke SAML1 protocol specific methods  +				if (session.getExtendedSAMLAttributesOA() == null) { +					saml1authdata.getClass().getMethod("setExtendedSAMLAttributesOA", List.class).invoke(saml1authdata, new ArrayList<ExtendedSAMLAttribute>()); +					 +				} else { +					saml1authdata.getClass().getMethod("setExtendedSAMLAttributesOA", List.class).invoke(saml1authdata, session.getExtendedSAMLAttributesOA()); +				} +				 +				authdata = (AuthenticationData) saml1authdata; +							 +			} else {			 +				authdata = new AuthenticationData(); +							 +			} +						 +		} catch (ClassNotFoundException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | NoSuchMethodException | java.lang.SecurityException ex) {			 +			authdata = new AuthenticationData(); +			 +		} +				 +		OASessionStore activeOA = authenticatedSessionStorage.searchActiveOASSOSession(session, pendingReq.getOAURL(), pendingReq.requestedModule()); +		//reuse authentication information in case of service-provider reauthentication +		if (activeOA != null) { +			authdata.setSessionIndex(activeOA.getAssertionSessionID()); +			
authdata.setNameID(activeOA.getUserNameID()); +			authdata.setNameIDFormat(activeOA.getUserNameIDFormat()); +						 +		} +		 +		//get OnlineApplication from MOA-ID-Auth configuration +		IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();				 + +		//TODO: move to eIDAS-Code in case of ISA1.18 action is enabled for eIDAS +		//build OA dynamically from STROK request if this OA is used as STORK<->PVP gateway			  +		if (oaParam.isSTORKPVPGateway()) +			oaParam = DynamicOAAuthParameterBuilder.buildFromAuthnRequest(oaParam, pendingReq); +		 +		//check if minimal response is required +		 +		//TODO check if really required +		Boolean isMinimalFrontChannelResp = pendingReq.getGenericData( +				PVPTargetConfiguration.DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP, Boolean.class); +		if (isMinimalFrontChannelResp != null && isMinimalFrontChannelResp) { +			//only set minimal response attributes			 +			authdata.setQAALevel( +					pendingReq.getGenericData(PVPTargetConfiguration.DATAID_INTERFEDERATION_QAALEVEL, String.class)); +			authdata.setBPK( +					pendingReq.getGenericData(PVPTargetConfiguration.DATAID_INTERFEDERATION_NAMEID, String.class)); +						 +		} else { +			//build AuthenticationData from MOASession +			buildAuthDataFormMOASession(authdata, session, oaParam, pendingReq); +			 +		} +		 +		return authdata;								 +	} +	  	private  void buildAuthDataFormInterfederationResponse(  			AuthenticationData authData,   			AuthenticationSession session,  
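Review bot: The minimal front-channel branch sets the bPK straight from `pendingReq.getGenericData(PVPTargetConfiguration.DATAID_INTERFEDERATION_NAMEID, String.class)` without checking that a value is present, so a pending request flagged as minimal but carrying no nameID yields an AuthenticationData with a null bPK, something the buildAuthDataFormMOASession path is never asked to produce; a guard in the style of the mandate check in the later hunk of this file — `String bpk = pendingReq.getGenericData(PVPTargetConfiguration.DATAID_INTERFEDERATION_NAMEID, String.class);` / `if (MiscUtil.isEmpty(bpk)) { throw new BuildException("builder.00", new Object[]{"AuthenticationData", "minimal interfederation response without nameID"}); }` / `authdata.setBPK(bpk);` — keeps the failure explicit. Whether this branch also has to set the bPK type I cannot tell from here, since the normal path runs through buildAuthDataFormMOASession whose body lies outside the hunk. The relocated public method has also lost the Javadoc that the earlier hunk removed; a header such as "Builds the authentication data for a pending request from the MOASession, reusing the SSO session identifiers and, for a minimal interfederation response, only QAA level and bPK", followed by `@param pendingReq`, `@param session`, `@return` and the four `@throws` lines, would restore it.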
@@ -982,19 +967,45 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {  			MISMandate mandate = session.getMISMandate(); -			authData.setMISMandate(mandate); -			authData.setUseMandate(session.getUseMandate()); +			if (session.getUseMandate() && mandate == null) { +				Logger.error("Mandate is requested but NO mandate-data is found!."); +				throw new BuildException("builder.00", new Object[]{ +	                    "Mandate", "Mandate is requested but NO mandate-data is found!"}); +				 +			} +			  			authData.setMandateReferenceValue(session.getMandateReferenceValue()); +			if (mandate != null) { +				//set MIS mandate to authdata +				authData.setMISMandate(mandate); +				authData.setUseMandate(session.getUseMandate());				 +				 +			} else { +				//check if ELGA mandates exists +				String mandateType = session.getGenericDataFromSession( +						PVPConstants.MANDATE_TYPE_NAME, String.class); +				if (MiscUtil.isNotEmpty(mandateType)) { +					//switch to mandate-mode for authdata generation, because mandate-information +					// is directly included in MOA-Session as PVP attributes +					Logger.debug("AuthDataBuilder find directly included 'MandateType' attribute." +							+ " --> Switch to mandate-mode for authdata generation."); +					authData.setUseMandate(true); +					 +				} +				 +				 +			} +				  			if (session.getUseMandate() && session.isOW()   					&& mandate != null && MiscUtil.isNotEmpty(mandate.getOWbPK())) {				  				authData.setBPK(mandate.getOWbPK());  				authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + "OW"); -				 +					  				//TODO: check in case of mandates for business services  				authData.setIdentityLink(identityLink);  				Logger.trace("Authenticated User is OW: " + mandate.getOWbPK()); - +	              } else {              	buildOAspecificbPK(protocolRequest, oaParam, authData,               			identityLink.getIdentificationValue(),  
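Review bot: In the new ELGA branch `authData.setUseMandate(true)` is derived from the `MandateType` session attribute while `session.getUseMandate()` stays false, and the very next condition, `if (session.getUseMandate() && session.isOW() ...`, still reads the session flag, so the two views of "mandate mode" diverge for directly included mandates; reading the flag back from authData, `if (authData.isUseMandate() && session.isOW()`, keeps the OW handling consistent with the attribute builders, which consult `authData.isUseMandate()`. In that branch `mandate` is null anyway, so the OW condition cannot hold and buildOAspecificbPK runs; if that is the intended behaviour for attribute-borne mandates, a comment saying so next to `authData.setUseMandate(true);` would spare the next reader the trace. The message `"Mandate is requested but NO mandate-data is found!."` carries a stray period. The enclosing try block starts before this hunk.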
@@ -1004,7 +1015,10 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {              } -					 +			//TODO +		} catch (BuildException e) { +			throw e; +			          } catch (Throwable ex) {              throw new BuildException("builder.00", new Object[]{                      "AuthenticationData", ex.toString()}, ex); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java index 79b09503f..ab43f2f79 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java @@ -45,7 +45,7 @@ import at.gv.egovernment.moa.util.Constants;   */  public class DynamicOAAuthParameterBuilder { -	public static IOAAuthParameters buildFromAttributeQuery(List<Attribute> reqAttributes, InterfederationSessionStore interfIDP) throws DynamicOABuildException { +	public static IOAAuthParameters buildFromAttributeQuery(OAAuthParameter oa, List<Attribute> reqAttributes, InterfederationSessionStore interfIDP) throws DynamicOABuildException {  		Logger.debug("Build dynamic OAConfiguration from AttributeQuery and interfederation information"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/FederatedAuthenticatenContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/FederatedAuthenticatenContainer.java new file mode 100644 index 000000000..9af247714 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/FederatedAuthenticatenContainer.java 
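Review bot: The new `catch (BuildException e) { throw e; }` does its job — it stops the `Throwable` handler below from wrapping an already built BuildException a second time — but the `//TODO` left directly above it says nothing about what is still outstanding; replace it with a comment stating the intent, e.g. `// re-throw BuildException unchanged so the Throwable handler below does not wrap it twice`. The try block this belongs to starts before the hunk.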
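Review bot: buildFromAttributeQuery gains a leading `OAAuthParameter oa` parameter, but the hunk shows no null check on it, and the one caller this commit touches, the old AuthenticationDataBuilder path, was removed rather than updated, so I cannot tell from here who supplies it; if the parameter is dereferenced further down, `Objects.requireNonNull(oa, "oa");` as the first statement, together with a `@param oa` line in the method's Javadoc saying which Service-Provider configuration it stands for, would make the new contract explicit. The method body continues past the end of the hunk.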
@@ -0,0 +1,125 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. 
+ */ +package at.gv.egovernment.moa.id.data; + +import java.io.Serializable; + +import at.gv.egovernment.moa.id.util.Random; + +/** + * @author tlenz + * + */ +public class FederatedAuthenticatenContainer implements Serializable { + +	/** +	 *  +	 */ +	private static final long serialVersionUID = 6075571915585105988L; +	 +	private String id; +	private String moaSessionID; +	 +	private String idpEntityID; +	private String userNameID; +	private String userQAALevel; +	 +	/** +	 * Build a new data-container for federated authentication with Attribute-Query +	 *  +	 */ +	public FederatedAuthenticatenContainer() { +		this.id = Random.nextRandom(); +		 +	} +	 +	/** +	 * Get the identifier of this container +	 *  +	 * @return the identifier of this container, but never null +	 */ +	public String getId() { +		return id; +	} +	 +	/** +	 * Get the MOASessionID, of the corresponding MOASession +	 *  +	 * @return the moaSessionID, or null if no MOASession exists  +	 */ +	public String getMoaSessionID() { +		return moaSessionID; +	} +	/** +	 * @param moaSessionID the moaSessionID to set +	 */ +	public void setMoaSessionID(String moaSessionID) { +		this.moaSessionID = moaSessionID; +	} +	/** +	 * Get the Entity of the federated IDP, which has the authentication data +	 *  +	 * @return the idpEntityID, but never null +	 */ +	public String getIdpEntityID() { +		return idpEntityID; +	} +	/** +	 * @param idpEntityID the idpEntityID to set +	 */ +	public void setIdpEntityID(String idpEntityID) { +		this.idpEntityID = idpEntityID; +	} +	/** +	 * Get the SAML2 NameID of the user, which is used to identify the user on the federated IDP  +	 *  +	 * @return the SAML2 NameID, but never null +	 */ +	public String getUserNameID() { +		return userNameID; +	} +	/** +	 * @param userNameID the userNameID to set +	 */ +	public void setUserNameID(String userNameID) { +		this.userNameID = userNameID; +	} +	/** +	 * Get the SAML2 QAA-level, which should be send to the federated IDP +	 *  +	 * @return 
the userQAALevel, but never null +	 */ +	public String getUserQAALevel() { +		return userQAALevel; +	} +	/** +	 * @param userQAALevel the userQAALevel to set +	 */ +	public void setUserQAALevel(String userQAALevel) { +		this.userQAALevel = userQAALevel; +	} +	 +	 +	 + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index a97486097..21ef38732 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -70,6 +70,7 @@ import at.gv.egovernment.moa.id.process.api.ExecutionContext;  import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.SingleLogOutBuilder;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;  import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;  import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; @@ -499,7 +500,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {  				} else {  					samlVerificationEngine.verifySLOResponse(sloResp,  -							TrustEngineFactory.getSignatureKnownKeysTrustEngine()); +							TrustEngineFactory.getSignatureKnownKeysTrustEngine(MOAMetadataProvider.getInstance()));  				} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java index e1edb6b77..d5d0e6c48 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java 
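Review bot: The getters for idpEntityID, userNameID and userQAALevel are documented as returning a value "but never null", yet each field starts out null and is only populated through a plain setter that accepts null, so the Javadoc promises more than the class enforces; either guard the setters with java.util.Objects (`this.idpEntityID = Objects.requireNonNull(idpEntityID, "idpEntityID");`, and likewise for userNameID and userQAALevel) or reword the three `@return` lines to "or null if not yet set", as getMoaSessionID already does. The class name FederatedAuthenticatenContainer looks like a typo for FederatedAuthenticationContainer and is cheapest to fix now, before it is persisted or referenced from other modules. Since the container is Serializable and carries a NameID and QAA level, a class-level comment stating where instances are stored and for how long would help anyone reviewing session handling later.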
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java @@ -22,6 +22,8 @@   *******************************************************************************/  package at.gv.egovernment.moa.id.moduls; +import java.util.Collection; +  import at.gv.egovernment.moa.id.auth.exception.SessionDataStorageException;  import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; @@ -189,4 +191,12 @@ public interface IRequest {  	 * @param b true, if the user has abort the authentication process, otherwise false  	 */  	public void setAbortedByUser(boolean isAborted); +	 +	/** +	 * This method get a Set of PVP 2.1 attribute, which are request by this pending-request. +	 *  +	 * @return A set of PVP attribute names or null if no attributes are requested  +	 * 			or the Service Provider, which sends this request needs no attributes +	 */ +	public Collection<String> getRequestedAttributes();  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java index 4dade61fa..e05bedac8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java @@ -48,7 +48,7 @@ public abstract class RequestImpl implements IRequest, Serializable{  	public static final String DATAID_INTERFEDERATIOIDP_URL = "interIDPURL";  	public static final String DATAID_INTERFEDERATIOIDP_RESPONSE = "interIDPResponse"; -	public static final String DATAID_REQUESTED_ATTRIBUTES = "requestedAttributes"; +	public static final String DATAID_REQUESTED_ATTRIBUTES = "requestedAttributes";	  	private static final long serialVersionUID = 1L; 
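Review bot: The new `getRequestedAttributes()` Javadoc speaks of a Set while the return type is `Collection<String>`, and it licenses a null return for two different situations (nothing requested, or the Service Provider needs no attributes) that every caller must now tell apart by null-checking; returning an empty collection in both cases is the safer contract, e.g. `@return the PVP attribute names requested by this pending request, or an empty collection if none are requested`. If implementations hand out an internal list, the doc should also say whether the returned collection may be modified. The sentence "This method get a Set of PVP 2.1 attribute, which are request by this pending-request" should read "This method returns the PVP 2.1 attributes requested by this pending request".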
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java index 3b7c99d5a..db4022cdc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java @@ -150,12 +150,11 @@ public class SSOManager {  				return false;  			} -			//check if request starts an interfederated SSO session +			//check if stored SSO session is a federated SSO session  			if (protocolRequest != null &&  -					protocolRequest instanceof RequestImpl && -					storedSession.isInterfederatedSSOSession() && -					!storedSession.isAuthenticated()) { - +					storedSession.isInterfederatedSSOSession()) {				 +				//in case of federated SSO session, jump to federated IDP for authentication +				  				String interfederationIDP =   						protocolRequest.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class); @@ -164,6 +163,7 @@ public class SSOManager {  					if (selectedIDP != null) {				  						//no local SSO session exist -> request interfederated IDP +						Logger.info("SSO Session refer to federated IDP: " + selectedIDP.getIdpurlprefix());  						protocolRequest.setGenericDataToSession(  								RequestImpl.DATAID_INTERFEDERATIOIDP_URL, selectedIDP.getIdpurlprefix()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java index 7144ebe6d..67eb92d9b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java 
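Review bot: The rewritten condition drops `!storedSession.isAuthenticated()`, so a stored federated SSO session that is already authenticated is now sent to the federated IDP as well; the new comment ("jump to federated IDP for authentication") does not say whether re-contacting the IDP for an already authenticated session is intended, and if it is not the old guard should come back, `storedSession.isInterfederatedSSOSession() && !storedSession.isAuthenticated()`. Dropping the `instanceof RequestImpl` test is fine as long as `getGenericData` is part of the IRequest interface, which the AuthenticationDataBuilder hunk, calling it on an IRequest, indicates. The `Logger.info` added in the second hunk logs only the IDP URL prefix, which is useful for tracing federation hops and exposes no user data. The enclosing method starts before the hunk.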
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java @@ -27,12 +27,12 @@ import org.w3c.dom.Element;  import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;  import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType;  import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.data.IAuthData;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;  import at.gv.egovernment.moa.id.util.MandateBuilder;  import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil;  public class MandateLegalPersonFullNameAttributeBuilder implements IPVPAttributeBuilder { 
@@ -43,22 +43,32 @@ public class MandateLegalPersonFullNameAttributeBuilder implements IPVPAttribute  	public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,  			IAttributeGenerator<ATT> g) throws AttributeException {  		if (authData.isUseMandate()) { -			Element mandate = authData.getMandate(); -			if (mandate == null) { -				throw new NoMandateDataAttributeException(); -			} -			Mandate mandateObject = MandateBuilder.buildMandate(mandate); -			if (mandateObject == null) { -				throw new NoMandateDataAttributeException(); -			} -			CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); -			if (corporation == null) { -				Logger.error("No corporation mandate"); -				throw new NoMandateDataAttributeException(); -			} +			//get PVP attribute directly, if exists  +			String fullName = authData.getGenericData(MANDATE_LEG_PER_FULL_NAME_NAME, String.class); +			 +			if (MiscUtil.isEmpty(fullName)) { +				Element mandate = authData.getMandate(); +				if (mandate == null) { +					throw new NoMandateDataAttributeException(); +					 +				} +				Mandate mandateObject = MandateBuilder.buildMandate(mandate); +				if (mandateObject == null) { +					throw new NoMandateDataAttributeException(); +					 +				} +				CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); +				if (corporation == null) { +					Logger.error("No corporation mandate"); +					throw new NoMandateDataAttributeException(); +					 +				} +				fullName = corporation.getFullName(); +			}  			return g.buildStringAttribute(MANDATE_LEG_PER_FULL_NAME_FRIENDLY_NAME, MANDATE_LEG_PER_FULL_NAME_NAME, -					corporation.getFullName()); +					fullName); +			  		}  		return null; 
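Review bot: The builder now asserts the legal person's full name from `authData.getGenericData(MANDATE_LEG_PER_FULL_NAME_NAME, String.class)` whenever that key is present and parses the mandate document only as a fallback, so the provenance of that generic-data entry now decides whether a mandate attribute can be issued without any mandate document being examined here; the lookup deserves a comment naming the producer that is expected to populate it, e.g. `// expected to be populated only from the verified federated IDP response — confirm against AuthenticationDataBuilder`, so that a future writer of that key understands the consequence. The same lookup-then-fallback shape is added to MandateLegalPersonSourcePinAttributeBuilder in the next hunk, and the mandate/mandateObject/corporation null checks are now duplicated verbatim between the two builders; a small shared helper that returns the CorporateBodyType or throws NoMandateDataAttributeException would keep them in step.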
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java index 12dc8877b..9474cd832 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java @@ -26,14 +26,13 @@ import org.w3c.dom.Element;  import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;  import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; -import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;  import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.data.IAuthData;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;  import at.gv.egovernment.moa.id.util.MandateBuilder;  import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil;  public class MandateLegalPersonSourcePinAttributeBuilder  implements IPVPAttributeBuilder  { 
@@ -44,36 +43,39 @@ public class MandateLegalPersonSourcePinAttributeBuilder  implements IPVPAttribu  	public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,  			IAttributeGenerator<ATT> g) throws AttributeException {  		if(authData.isUseMandate()) { -			Element mandate = authData.getMandate(); -			if(mandate == null) { -				throw new NoMandateDataAttributeException(); +			 +			//get PVP attribute directly, if exists  +			String sourcePin = authData.getGenericData(MANDATE_LEG_PER_SOURCE_PIN_NAME, String.class); +			 +			if (MiscUtil.isEmpty(sourcePin)) { +				Element mandate = authData.getMandate(); +				if(mandate == null) { +					throw new NoMandateDataAttributeException(); +					 +				} +				Mandate mandateObject = MandateBuilder.buildMandate(mandate); +				if(mandateObject == null) { +					throw new NoMandateDataAttributeException(); +					 +				} +				CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); +				if(corporation == null) { +					Logger.error("No corporation mandate"); +					throw new NoMandateDataAttributeException(); +					 +				} +				if(corporation.getIdentification().size() == 0) { +					Logger.error("Failed to generate IdentificationType"); +					throw new NoMandateDataAttributeException(); +					 +				} +				 +				sourcePin =  corporation.getIdentification().get(0).getValue().getValue(); +				  			} -			Mandate mandateObject = MandateBuilder.buildMandate(mandate); -			if(mandateObject == null) { -				throw new NoMandateDataAttributeException(); -			} -			CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); -			if(corporation == null) { -				Logger.error("No corporation mandate"); -				throw new NoMandateDataAttributeException(); -			} -			IdentificationType id = null; -			if(corporation.getIdentification().size() == 0) { -				Logger.error("Failed to generate IdentificationType"); -				throw new NoMandateDataAttributeException(); -			} -			id =  
corporation.getIdentification().get(0); -			/*if(authSession.getBusinessService()) { -				id = MandateBuilder.getWBPKIdentification(corporation); -			} else { -				id = MandateBuilder.getBPKIdentification(corporation); -			}*/ -			/*if(id == null) { -				Logger.error("Failed to generate IdentificationType"); -				throw new NoMandateDataAttributeException(); -			}*/ +				  			return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME,  -					MANDATE_LEG_PER_SOURCE_PIN_NAME, id.getValue().getValue()); +					MANDATE_LEG_PER_SOURCE_PIN_NAME, sourcePin);  		}  		return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java index a7a9a757b..8391c8230 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java 
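Review bot: `sourcePin = corporation.getIdentification().get(0).getValue().getValue();` guards only the list size; if the first IdentificationType carries no Value element the chain ends in a NullPointerException instead of the NoMandateDataAttributeException every other failure in this method raises. A guard such as `if (corporation.getIdentification().get(0).getValue() == null) throw new NoMandateDataAttributeException();` before the assignment keeps the error contract uniform; whether the generated type can actually return null here is not visible in the hunk. Style: `corporation.getIdentification().size() == 0` reads better as `corporation.getIdentification().isEmpty()`. build()'s closing brace lies outside the hunk.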
@@ -26,14 +26,13 @@ import org.w3c.dom.Element;  import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;  import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; -import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;  import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.data.IAuthData;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;  import at.gv.egovernment.moa.id.util.MandateBuilder;  import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil;  public class MandateLegalPersonSourcePinTypeAttributeBuilder implements IPVPAttributeBuilder { 
@@ -44,32 +43,37 @@ public class MandateLegalPersonSourcePinTypeAttributeBuilder implements IPVPAttr  	public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,  			IAttributeGenerator<ATT> g) throws AttributeException {  		if (authData.isUseMandate()) { -			Element mandate = authData.getMandate(); -			if (mandate == null) { -				throw new NoMandateDataAttributeException(); +			//get PVP attribute directly, if exists  +			String sourcePinType = authData.getGenericData(MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, String.class); +						 +			if (MiscUtil.isEmpty(sourcePinType)) {  +				Element mandate = authData.getMandate(); +				if (mandate == null) { +					throw new NoMandateDataAttributeException(); +					 +				} +				Mandate mandateObject = MandateBuilder.buildMandate(mandate); +				if (mandateObject == null) { +					throw new NoMandateDataAttributeException(); +					 +				} +				CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); +				if (corporation == null) { +					Logger.error("No corporate mandate"); +					throw new NoMandateDataAttributeException(); +					 +				} +				if (corporation.getIdentification().size() == 0) { +					Logger.error("Failed to generate IdentificationType"); +					throw new NoMandateDataAttributeException(); +					 +				} +				sourcePinType = corporation.getIdentification().get(0).getType(); +				  			} -			Mandate mandateObject = MandateBuilder.buildMandate(mandate); -			if (mandateObject == null) { -				throw new NoMandateDataAttributeException(); -			} -			CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); -			if (corporation == null) { -				Logger.error("No corporate mandate"); -				throw new NoMandateDataAttributeException(); -			} -			IdentificationType id = null; -			if (corporation.getIdentification().size() == 0) { -				Logger.error("Failed to generate IdentificationType"); -				throw new NoMandateDataAttributeException(); -			} -			id = 
corporation.getIdentification().get(0); -			/* -			 * id = MandateBuilder.getBPKIdentification(corporate); if (id == null) { -			 * Logger.error("Failed to generate IdentificationType"); throw new -			 * NoMandateDataAttributeException(); } -			 */ +			  			return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME, MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, -					id.getType()); +					sourcePinType);  		}  		return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java index be6372913..df077a631 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java @@ -30,13 +30,13 @@ import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPers  import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;  import at.gv.egovernment.moa.id.auth.exception.BuildException;  import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.data.IAuthData;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;  import at.gv.egovernment.moa.id.util.MandateBuilder;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.MiscUtil;  public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBuilder { 
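Review bot: `sourcePinType = corporation.getIdentification().get(0).getType();` is handed to buildStringAttribute without an emptiness check, whereas the directly included value on the other branch is only accepted when non-empty, so a mandate with a missing Type attribute yields an attribute whose value is null. Adding `if (MiscUtil.isEmpty(sourcePinType)) throw new NoMandateDataAttributeException();` after the assignment aligns the two paths with the method's existing failure mode. The message `"No corporate mandate"` also differs from the `"No corporation mandate"` used by the sibling builders; identical wording makes the condition easier to find in logs. build()'s closing brace lies outside the hunk.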
@@ -45,49 +45,53 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui  	}  	public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData, -			IAttributeGenerator<ATT> g) throws AttributeException { -		if (authData.isUseMandate()) { -			Element mandate = authData.getMandate(); -			if (mandate == null) { -				throw new NoMandateDataAttributeException(); -			} -			Mandate mandateObject = MandateBuilder.buildMandate(mandate); -			if (mandateObject == null) { -				throw new NoMandateDataAttributeException(); -			} -			PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); -			if (physicalPerson == null) { -				Logger.error("No physicalPerson mandate"); -				throw new NoMandateDataAttributeException(); -			} -			IdentificationType id = null; -			id = physicalPerson.getIdentification().get(0); -			if (id == null) { -				Logger.error("Failed to generate IdentificationType"); -				throw new NoMandateDataAttributeException(); -			} +			IAttributeGenerator<ATT> g) throws AttributeException {		 +		if (authData.isUseMandate()) {			 -			String bpk; -			try { +			//get PVP attribute directly, if exists  +			String bpk = authData.getGenericData(MANDATE_NAT_PER_BPK_NAME, String.class); +			 +			if (MiscUtil.isEmpty(bpk)) { +				//read bPK from mandate if it is not directly included +				Element mandate = authData.getMandate(); +				if (mandate == null) { +					throw new NoMandateDataAttributeException(); +				} +				Mandate mandateObject = MandateBuilder.buildMandate(mandate); +				if (mandateObject == null) { +					throw new NoMandateDataAttributeException(); +				} +				PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); +				if (physicalPerson == null) { +					Logger.error("No physicalPerson mandate"); +					throw new NoMandateDataAttributeException(); +				} +				IdentificationType id = null; +				id = physicalPerson.getIdentification().get(0); +				if (id == null) { +					
Logger.error("Failed to generate IdentificationType"); +					throw new NoMandateDataAttributeException(); +				} -				if (id.getType().equals(Constants.URN_PREFIX_BASEID)) { -					if (oaParam.getBusinessService()) { -						bpk = new BPKBuilder().buildWBPK(id.getValue().getValue(), oaParam.getIdentityLinkDomainIdentifier()); +				try {					 +					if (id.getType().equals(Constants.URN_PREFIX_BASEID)) { +						if (oaParam.getBusinessService()) { +							bpk = new BPKBuilder().buildWBPK(id.getValue().getValue(), oaParam.getIdentityLinkDomainIdentifier()); +							 +						} else { +							bpk = new BPKBuilder().buildBPK(id.getValue().getValue(), oaParam.getTarget()); +							 +						} -					} +					} else +						bpk = id.getValue().getValue(); -					else { -						bpk = new BPKBuilder().buildBPK(id.getValue().getValue(), oaParam.getTarget()); -						 -					} +				} +				catch (BuildException e) { +					Logger.error("Failed to generate IdentificationType"); +					throw new NoMandateDataAttributeException(); -				} else -					bpk = id.getValue().getValue(); -				 -			} -			catch (BuildException e) { -				Logger.error("Failed to generate IdentificationType"); -				throw new NoMandateDataAttributeException(); +				}  			}  			return g.buildStringAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME, bpk); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java index e644f49e4..663e927fc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java 
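Review bot: `id = physicalPerson.getIdentification().get(0);` has no size check, so an empty identification list raises an IndexOutOfBoundsException and the following `if (id == null)` test can never catch that case; the legal-person builders in this commit do check `size() == 0` first, and the same `if (physicalPerson.getIdentification().isEmpty()) { Logger.error("Failed to generate IdentificationType"); throw new NoMandateDataAttributeException(); }` belongs here. In `catch (BuildException e)` the cause is dropped; at least log it with `Logger.error("Failed to generate IdentificationType", e);` so the bPK build failure can be diagnosed. Note also that a directly included `bpk` skips the `oaParam.getBusinessService()` / `getTarget()` sector derivation entirely, so the writer of that generic-data entry must guarantee the value is already the bPK/wbPK for this online application's sector; if that is not guaranteed upstream, the builder would hand one sector's identifier to another, and a comment stating the assumption is warranted. build()'s closing brace lies outside the hunk.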
@@ -32,13 +32,13 @@ import org.w3c.dom.Element;  import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;  import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;  import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.data.IAuthData;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.InvalidDateFormatAttributeException;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;  import at.gv.egovernment.moa.id.util.MandateBuilder;  import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil;  public class MandateNaturalPersonBirthDateAttributeBuilder implements IPVPAttributeBuilder { 
@@ -49,33 +49,56 @@ public class MandateNaturalPersonBirthDateAttributeBuilder implements IPVPAttrib  	public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,  			IAttributeGenerator<ATT> g) throws AttributeException {  		if (authData.isUseMandate()) { -			Element mandate = authData.getMandate(); -			if (mandate == null) { -				throw new NoMandateDataAttributeException(); -			} -			Mandate mandateObject = MandateBuilder.buildMandate(mandate); -			if (mandateObject == null) { -				throw new NoMandateDataAttributeException(); -			} -			PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); -			if (physicalPerson == null) { -				Logger.error("No physicalPerson mandate"); -				throw new NoMandateDataAttributeException(); -			} -			String dateOfBirth = physicalPerson.getDateOfBirth(); -			try { -				DateFormat mandateFormat = new SimpleDateFormat(MandateBuilder.MANDATE_DATE_OF_BIRTH_FORMAT); -				Date date = mandateFormat.parse(dateOfBirth); -				DateFormat pvpDateFormat = new SimpleDateFormat(MANDATE_NAT_PER_BIRTHDATE_FORMAT_PATTERN); -				String dateString = pvpDateFormat.format(date); +			//get PVP attribute directly, if exists  +			String birthDayString = authData.getGenericData(MANDATE_NAT_PER_BIRTHDATE_NAME, String.class); +			 +			if (MiscUtil.isEmpty(birthDayString)) { +				//read bPK from mandate if it is not directly included +				Element mandate = authData.getMandate(); +				if (mandate == null) { +					throw new NoMandateDataAttributeException(); +				} +				Mandate mandateObject = MandateBuilder.buildMandate(mandate); +				if (mandateObject == null) { +					throw new NoMandateDataAttributeException(); +				} +				PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); +				if (physicalPerson == null) { +					Logger.error("No physicalPerson mandate"); +					throw new NoMandateDataAttributeException(); +				} +				 +				String dateOfBirth = physicalPerson.getDateOfBirth(); +				try { +			
		DateFormat mandateFormat = new SimpleDateFormat(MandateBuilder.MANDATE_DATE_OF_BIRTH_FORMAT); +					mandateFormat.setLenient(false); +					Date date = mandateFormat.parse(dateOfBirth); +					DateFormat pvpDateFormat = new SimpleDateFormat(MANDATE_NAT_PER_BIRTHDATE_FORMAT_PATTERN); +					birthDayString = pvpDateFormat.format(date); +							 +				} +				catch (ParseException e) { +					Logger.warn("MIS mandate birthday has an incorrect formt. (Value:" + dateOfBirth, e); +					throw new InvalidDateFormatAttributeException(); +					 +				} +				 +			} else { +				try { +					DateFormat pvpDateFormat = new SimpleDateFormat(MANDATE_NAT_PER_BIRTHDATE_FORMAT_PATTERN); +					pvpDateFormat.setLenient(false); +					pvpDateFormat.parse(birthDayString); +					 +				} catch (ParseException e) { +					Logger.warn("Format of direct included PVP Attribute " + MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME  +							+ " has an incorrect formt. (Value:" + birthDayString, e); +					throw new InvalidDateFormatAttributeException(); +				} -				return g.buildStringAttribute(MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, MANDATE_NAT_PER_BIRTHDATE_NAME, dateString); -			} -			catch (ParseException e) { -				e.printStackTrace(); -				throw new InvalidDateFormatAttributeException();  			} +			 +			return g.buildStringAttribute(MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, MANDATE_NAT_PER_BIRTHDATE_NAME, birthDayString);  		}  		return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java index fa3ad691d..dd49b2a1e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java 
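Review bot: The validation in the `else` branch only proves that a prefix of `birthDayString` parses, because `SimpleDateFormat.parse(String)` ignores trailing text, and the raw string rather than a normalized one is then emitted; `setLenient(false)` does not change that. Re-formatting the parsed date, `birthDayString = pvpDateFormat.format(pvpDateFormat.parse(birthDayString));`, makes the emitted value canonical and rejects trailing garbage in effect, which is what the mandate branch already does via `pvpDateFormat.format(date)`. Both warn messages misspell "format" as "formt" and open a "(Value:" parenthesis that is never closed. build()'s closing brace lies outside the hunk.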
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java @@ -30,12 +30,12 @@ import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;  import at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType.FamilyName;  import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;  import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.data.IAuthData;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;  import at.gv.egovernment.moa.id.util.MandateBuilder;  import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil;  public class MandateNaturalPersonFamilyNameAttributeBuilder  implements IPVPAttributeBuilder { 
@@ -46,29 +46,38 @@ public class MandateNaturalPersonFamilyNameAttributeBuilder  implements IPVPAttr  	public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,  			IAttributeGenerator<ATT> g) throws AttributeException {  		if(authData.isUseMandate()) { -			Element mandate = authData.getMandate(); -			if(mandate == null) { -				throw new NoMandateDataAttributeException(); -			} -			Mandate mandateObject = MandateBuilder.buildMandate(mandate); -			if(mandateObject == null) { -				throw new NoMandateDataAttributeException(); -			} -			PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); -			if(physicalPerson == null) { -				Logger.error("No physicalPerson mandate"); -				throw new NoMandateDataAttributeException(); -			} -			StringBuilder sb = new StringBuilder(); -			Iterator<FamilyName> fNamesit = physicalPerson.getName().getFamilyName().iterator(); +			//get PVP attribute directly, if exists  +			String familyName = authData.getGenericData(MANDATE_NAT_PER_FAMILY_NAME_NAME, String.class); -			while(fNamesit.hasNext()) { -				sb.append(" " + fNamesit.next().getValue()); +			if (MiscUtil.isEmpty(familyName)) { +				//read mandator familyName from mandate if it is not directly included +				Element mandate = authData.getMandate(); +				if(mandate == null) { +					throw new NoMandateDataAttributeException(); +				} +				Mandate mandateObject = MandateBuilder.buildMandate(mandate); +				if(mandateObject == null) { +					throw new NoMandateDataAttributeException(); +				} +				PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); +				if(physicalPerson == null) { +					Logger.error("No physicalPerson mandate"); +					throw new NoMandateDataAttributeException(); +				} +				 +				StringBuilder sb = new StringBuilder(); +				Iterator<FamilyName> fNamesit = physicalPerson.getName().getFamilyName().iterator(); +				 +				while(fNamesit.hasNext()) +					sb.append(" " + fNamesit.next().getValue()); + +		
		familyName = sb.toString(); +				  			}  			return g.buildStringAttribute(MANDATE_NAT_PER_FAMILY_NAME_FRIENDLY_NAME,  -					MANDATE_NAT_PER_FAMILY_NAME_NAME, sb.toString()); +					MANDATE_NAT_PER_FAMILY_NAME_NAME, familyName);  		}  		return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java index 4c725c1c5..8948f1227 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java @@ -29,12 +29,12 @@ import org.w3c.dom.Element;  import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;  import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;  import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.data.IAuthData;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;  import at.gv.egovernment.moa.id.util.MandateBuilder;  import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil;  public class MandateNaturalPersonGivenNameAttributeBuilder implements IPVPAttributeBuilder { 
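Review bot: `while(fNamesit.hasNext()) sb.append(" " + fNamesit.next().getValue());` produces a value with a leading space, so the mandate-derived family name and the directly included one now differ in form for the same person; this predates the commit, but the new two-source design makes the inconsistency visible to relying parties that compare attribute values. If no consumer depends on the leading blank, `familyName = sb.toString().trim();` removes it; the given-name builder in this commit has the same shape. The `while` also lost its braces in the rewrite while every other block in the method keeps them. build()'s closing brace lies outside the hunk.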
@@ -44,29 +44,36 @@ public class MandateNaturalPersonGivenNameAttributeBuilder implements IPVPAttrib  	public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,  			IAttributeGenerator<ATT> g) throws AttributeException { -		if (authData.isUseMandate()) { -			Element mandate = authData.getMandate(); -			if (mandate == null) { -				throw new NoMandateDataAttributeException(); -			} -			Mandate mandateObject = MandateBuilder.buildMandate(mandate); -			if (mandateObject == null) { -				throw new NoMandateDataAttributeException(); -			} -			PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); -			if (physicalPerson == null) { -				Logger.error("No physicalPerson mandate"); -				throw new NoMandateDataAttributeException(); -			} -			 -			StringBuilder sb = new StringBuilder(); -			Iterator<String> gNamesit = physicalPerson.getName().getGivenName().iterator(); +		if (authData.isUseMandate()) {			 +			//get PVP attribute directly, if exists  +			String givenName = authData.getGenericData(MANDATE_NAT_PER_BPK_NAME, String.class); -			while (gNamesit.hasNext()) { -				sb.append(" " + gNamesit.next()); +			if (MiscUtil.isEmpty(givenName)) { +				Element mandate = authData.getMandate(); +				if (mandate == null) { +					throw new NoMandateDataAttributeException(); +				} +				Mandate mandateObject = MandateBuilder.buildMandate(mandate); +				if (mandateObject == null) { +					throw new NoMandateDataAttributeException(); +				} +				PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); +				if (physicalPerson == null) { +					Logger.error("No physicalPerson mandate"); +					throw new NoMandateDataAttributeException(); +				} +				 +				StringBuilder sb = new StringBuilder(); +				Iterator<String> gNamesit = physicalPerson.getName().getGivenName().iterator(); +				 +				while (gNamesit.hasNext()) +					sb.append(" " + gNamesit.next()); +				 +				givenName = sb.toString(); +				  			} -			return 
g.buildStringAttribute(MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME, MANDATE_NAT_PER_GIVEN_NAME_NAME, sb.toString()); +			return g.buildStringAttribute(MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME, MANDATE_NAT_PER_GIVEN_NAME_NAME, givenName);  		}  		return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepDescAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepDescAttributeBuilder.java index e70326114..d1da36aa3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepDescAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepDescAttributeBuilder.java @@ -26,7 +26,6 @@ import org.w3c.dom.Element;  import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;  import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.data.IAuthData;  import at.gv.egovernment.moa.id.data.MISMandate;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; 
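Review bot: `String givenName = authData.getGenericData(MANDATE_NAT_PER_BPK_NAME, String.class);` reads the bPK entry, not the given-name entry, so whenever a bPK is directly included the mandator's bPK is emitted as the MANDATE_NAT_PER_GIVEN_NAME attribute and the real given name is never read from the mandate. That exposes an identifier in an attribute that relying parties treat as a display name and typically log or show. The key should be `String givenName = authData.getGenericData(MANDATE_NAT_PER_GIVEN_NAME_NAME, String.class);`, matching the constant used in the `return g.buildStringAttribute(...)` line below. build()'s closing brace lies outside the hunk.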
@@ -42,35 +41,37 @@ public class MandateProfRepDescAttributeBuilder implements IPVPAttributeBuilder  	public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,  			IAttributeGenerator<ATT> g) throws AttributeException { -		if(authData.isUseMandate()) { -			String text = null; +		if(authData.isUseMandate()) {						 +			String profRepName = authData.getGenericData(MANDATE_PROF_REP_DESC_NAME, String.class); -			MISMandate misMandate = authData.getMISMandate(); -			 -			if(misMandate == null) { -				throw new NoMandateDataAttributeException(); -			} -		 -			text = misMandate.getTextualDescriptionOfOID(); -			 -			if (MiscUtil.isEmpty(text)) {			 -				Element mandate = authData.getMandate(); -				if (mandate == null) { +			if (MiscUtil.isEmpty(profRepName)) {			 +				MISMandate misMandate = authData.getMISMandate(); +				 +				if(misMandate == null) {  					throw new NoMandateDataAttributeException();  				} -				Mandate mandateObject = MandateBuilder.buildMandate(authData.getMandate()); -				if (mandateObject == null) { -					throw new NoMandateDataAttributeException(); -				} - -				text = mandateObject.getAnnotation(); +				profRepName = misMandate.getTextualDescriptionOfOID(); +				 +				if (MiscUtil.isEmpty(profRepName)) {			 +					Element mandate = authData.getMandate(); +					if (mandate == null) { +						throw new NoMandateDataAttributeException(); +					} +					Mandate mandateObject = MandateBuilder.buildMandate(authData.getMandate()); +					if (mandateObject == null) { +						throw new NoMandateDataAttributeException(); +					} +	 +					profRepName = mandateObject.getAnnotation(); +					 +				}  			} -			if(MiscUtil.isNotEmpty(text))  +			if(MiscUtil.isNotEmpty(profRepName))   				return g.buildStringAttribute(MANDATE_PROF_REP_DESC_FRIENDLY_NAME,  -						MANDATE_PROF_REP_DESC_NAME, text); +						MANDATE_PROF_REP_DESC_NAME, profRepName);  		}  		return null; 
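Review bot: `Mandate mandateObject = MandateBuilder.buildMandate(authData.getMandate());` fetches the mandate a second time instead of passing the null-checked local, unlike every sibling builder in this commit; `MandateBuilder.buildMandate(mandate)` uses the value that was just validated. The local `profRepName` holds the textual description that feeds MANDATE_PROF_REP_DESC_NAME, so `profRepDesc` would describe it better, and this builder is the only one lacking the `//get PVP attribute directly, if exists` comment that explains the new first branch. build()'s closing brace lies outside the hunk.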
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepOIDAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepOIDAttributeBuilder.java index 89e9198b6..3cfc40d22 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepOIDAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepOIDAttributeBuilder.java @@ -23,7 +23,6 @@  package at.gv.egovernment.moa.id.protocols.builder.attributes;  import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.data.IAuthData;  import at.gv.egovernment.moa.id.data.MISMandate;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; 
@@ -38,19 +37,23 @@ public class MandateProfRepOIDAttributeBuilder implements IPVPAttributeBuilder {  	public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,  			IAttributeGenerator<ATT> g) throws AttributeException { -		if (authData.isUseMandate()) { +		if (authData.isUseMandate()) {			 +			String profRepOID = authData.getGenericData(MANDATE_PROF_REP_OID_NAME, String.class);			 -			MISMandate mandate = authData.getMISMandate(); -			if (mandate == null) { -				throw new NoMandateDataAttributeException(); +			if (MiscUtil.isEmpty(profRepOID)) {			 +				MISMandate mandate = authData.getMISMandate(); +				if (mandate == null) { +					throw new NoMandateDataAttributeException(); +				} +						 +				profRepOID = mandate.getProfRep(); +				  			} -			 -			String oid = mandate.getProfRep(); -			if(MiscUtil.isEmpty(oid))  +			if(MiscUtil.isEmpty(profRepOID))   				return null;				  			else			 -				return g.buildStringAttribute(MANDATE_PROF_REP_OID_FRIENDLY_NAME, MANDATE_PROF_REP_OID_NAME, oid); +				return g.buildStringAttribute(MANDATE_PROF_REP_OID_FRIENDLY_NAME, MANDATE_PROF_REP_OID_NAME, profRepOID);  		}  		return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateTypeAttributeBuilder.java index 040174e26..573f0584a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateTypeAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateTypeAttributeBuilder.java 
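Review bot: Several added lines carry trailing tabs after `{` and `;` (`if (authData.isUseMandate()) {`, the `getGenericData(...)` call, `if (MiscUtil.isEmpty(profRepOID)) {`), which the rest of the file does not; they should be stripped before merge. Like the ProfRepDesc builder, this hunk omits the `//get PVP attribute directly, if exists` comment the other builders use to explain why the generic-data value is consulted first. build()'s closing brace lies outside the hunk.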
@@ -26,11 +26,11 @@ import org.w3c.dom.Element;  import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;  import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.data.IAuthData;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;  import at.gv.egovernment.moa.id.util.MandateBuilder; +import at.gv.egovernment.moa.util.MiscUtil;  public class MandateTypeAttributeBuilder implements IPVPAttributeBuilder { 
@@ -40,17 +40,26 @@ public class MandateTypeAttributeBuilder implements IPVPAttributeBuilder {  	public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,  			IAttributeGenerator<ATT> g) throws AttributeException { -		if (authData.isUseMandate()) { -			Element mandate = authData.getMandate(); -			if (mandate == null) { -				throw new NoMandateDataAttributeException(); -			} -			Mandate mandateObject = MandateBuilder.buildMandate(mandate); -			if (mandateObject == null) { -				throw new NoMandateDataAttributeException(); -			} +		if (authData.isUseMandate()) {						 +			//get PVP attribute directly, if exists  +			String mandateType = authData.getGenericData(MANDATE_TYPE_NAME, String.class); -			return g.buildStringAttribute(MANDATE_TYPE_FRIENDLY_NAME, MANDATE_TYPE_NAME, mandateObject.getAnnotation()); +			if (MiscUtil.isEmpty(mandateType)) { +				Element mandate = authData.getMandate(); +				if (mandate == null) { +					throw new NoMandateDataAttributeException(); +					 +				} +				Mandate mandateObject = MandateBuilder.buildMandate(mandate); +				if (mandateObject == null) { +					throw new NoMandateDataAttributeException(); +					 +				} +				mandateType = mandateObject.getAnnotation(); +				 +			} +				 +			return g.buildStringAttribute(MANDATE_TYPE_FRIENDLY_NAME, MANDATE_TYPE_NAME, mandateType);  		}  		return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java index bd6399377..c733e662a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java 
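Review bot: `mandateType = mandateObject.getAnnotation();` is passed straight to buildStringAttribute, while MandateProfRepDescAttributeBuilder in this same commit guards the very same `getAnnotation()` value with `MiscUtil.isNotEmpty` before building an attribute; here a null annotation produces an attribute with a null value, and whether buildStringAttribute tolerates that is not visible. `if (MiscUtil.isEmpty(mandateType)) throw new NoMandateDataAttributeException();` after the assignment keeps this builder consistent with the method's other failure cases. Since the annotation now feeds both MANDATE_TYPE_NAME and the ProfRepDesc fallback, a one-line comment saying that is intended would stop the next reader from treating it as a copy-paste slip. build()'s closing brace lies outside the hunk.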
@@ -50,7 +50,6 @@ import at.gv.egovernment.moa.id.moduls.IRequest;  import at.gv.egovernment.moa.id.protocols.pvp2x.binding.SoapBinding;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AuthResponseBuilder;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;  import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;  import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; 
@@ -80,31 +79,29 @@ public class AttributQueryAction implements IAction {  	 * @see at.gv.egovernment.moa.id.moduls.IAction#processRequest(at.gv.egovernment.moa.id.moduls.IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, at.gv.egovernment.moa.id.data.IAuthData)  	 */  	@Override -	public SLOInformationInterface processRequest(IRequest req, +	public SLOInformationInterface processRequest(IRequest pendingReq,  			HttpServletRequest httpReq, HttpServletResponse httpResp,  			IAuthData authData) throws MOAIDException { -		if (req instanceof PVPTargetConfiguration &&  -				((PVPTargetConfiguration) req).getRequest() instanceof MOARequest &&  -				((MOARequest)((PVPTargetConfiguration) req).getRequest()).getSamlRequest() instanceof AttributeQuery) { +		if (pendingReq instanceof PVPTargetConfiguration &&  +				((PVPTargetConfiguration) pendingReq).getRequest() instanceof MOARequest &&  +				((MOARequest)((PVPTargetConfiguration) pendingReq).getRequest()).getSamlRequest() instanceof AttributeQuery) { -			AttributeQuery attrQuery = (AttributeQuery)((MOARequest)((PVPTargetConfiguration) req).getRequest()).getSamlRequest();			 +			//set time reference +			DateTime date = new DateTime(); -			//load moaSession -			String nameID = attrQuery.getSubject().getNameID().getValue(); +			//load session and request information +			AuthenticationSession moaSession =  +					pendingReq.getGenericData(PVPTargetConfiguration.DATAID_MOASESSION, AuthenticationSession.class); +			 +			AttributeQuery attrQuery =  +					(AttributeQuery)((MOARequest)((PVPTargetConfiguration) pendingReq).getRequest()).getSamlRequest(); -			AuthenticationSession session = authenticationSessionStorage.getSessionWithUserNameID(nameID); -			if (session == null) { -				Logger.warn("AttributeQuery nameID does not match to an active single sign-on session."); -				throw new AttributQueryException("AttributeQuery nameID does not match to an active single sign-on session.", null); -				
 -			} - -			DateTime date = new DateTime(); -			//generate authData -			authData = authDataBuilder.buildAuthenticationData(req, session, attrQuery.getAttributes()); +			//generate authData for AttributQueryRequest +			authData = authDataBuilder.buildAuthenticationDataForAttributQuery(pendingReq, moaSession, attrQuery.getAttributes()); +			  			//add default attributes in case of mandates or STORK is in use  			List<String> attrList = addDefaultAttributes(attrQuery, authData);			 diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 08d9f67b6..57c1aa8af 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -57,11 +57,15 @@ import org.springframework.web.bind.annotation.RequestMethod;  import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;  import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.builder.DynamicOAAuthParameterBuilder; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;  import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;  import at.gv.egovernment.moa.id.auth.exception.MOAIDException;  import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;  import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; +import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;  import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;  import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.moduls.IRequest;  import at.gv.egovernment.moa.id.moduls.NoPassivAuthenticationException; 
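Review bot: `moaSession` is taken from `pendingReq.getGenericData(PVPTargetConfiguration.DATAID_MOASESSION, AuthenticationSession.class)` and handed straight to `buildAuthenticationDataForAttributQuery` with no null check; the session lookup and its null guard were moved out of this action, so a pending request that reaches it without that entry (a different preProcess path, or a lost generic-data entry) now fails with a NullPointerException instead of a controlled protocol error. Add a guard right after the lookup, e.g. `if (moaSession == null) { Logger.warn("No MOASession stored for AttributeQuery request."); throw new MOAIDException("pvp2.22", new Object[] {"no MOASession for AttributeQuery"}); }` — `pvp2.22` is the key the SOAP endpoint in this diff uses for invalid requests, so reuse whichever key the module reserves for that; `AttributQueryException` would also fit but its import was removed from this file in the previous hunk. The `date` reference is now created before the session lookup; a one-line comment saying it is the issue instant for the response would make that ordering intentional. The method continues past the hunk.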
@@ -83,6 +87,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SLOException;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.utils.CheckMandateAttributes;  import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; @@ -188,7 +193,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController  {  					req.getRemoteAddr());  			//get POST-Binding decoder implementation -			InboundMessage msg = (InboundMessage) new PostBinding().decode(req, resp, false); +			InboundMessage msg = (InboundMessage) new PostBinding().decode(req, resp, MOAMetadataProvider.getInstance(), false);  			pendingReq.setRequest(msg);  			//preProcess Message @@ -236,7 +241,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController  {  					req.getRemoteAddr());  			//get POST-Binding decoder implementation -			InboundMessage msg = (InboundMessage) new RedirectBinding().decode(req, resp, false); +			InboundMessage msg = (InboundMessage) new RedirectBinding().decode(req, resp, MOAMetadataProvider.getInstance(), false);  			pendingReq.setRequest(msg);  			//preProcess Message 
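Review bot: The comment above the changed line in the Redirect endpoint still says `//get POST-Binding decoder implementation` although the line instantiates `new RedirectBinding()`; it is a copy-paste leftover from the POST endpoint and should read `//get Redirect-Binding decoder implementation`. The enclosing method starts and ends outside the hunk.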
@@ -261,9 +266,57 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController  {  	} +	//PVP2.x IDP SOAP-Binding end-point +	@RequestMapping(value = "/pvp2/soap", method = {RequestMethod.POST}) +	public void PVPIDPSOAPRequest(HttpServletRequest req, HttpServletResponse resp) throws MOAIDException { +		if (!authConfig.getAllowedProtocols().isPVP21Active()) { +			Logger.info("PVP2.1 is deaktivated!"); +			throw new ProtocolNotActiveException("auth.22", new java.lang.Object[] { NAME }); +			 +		} +		 +		try { +			//create pendingRequest object +			PVPTargetConfiguration pendingReq = applicationContext.getBean(PVPTargetConfiguration.class); +			pendingReq.initialize(req); +			pendingReq.setModule(NAME); +			 +			revisionsLogger.logEvent(MOAIDEventConstants.SESSION_CREATED, pendingReq.getUniqueSessionIdentifier()); +			revisionsLogger.logEvent(MOAIDEventConstants.TRANSACTION_CREATED, pendingReq.getUniqueTransactionIdentifier());						 +			revisionsLogger.logEvent( +					pendingReq.getUniqueSessionIdentifier(),  +					pendingReq.getUniqueTransactionIdentifier(),  +					MOAIDEventConstants.TRANSACTION_IP,  +					req.getRemoteAddr()); +			 +			//get POST-Binding decoder implementation +			InboundMessage msg = (InboundMessage) new SoapBinding().decode(req, resp, MOAMetadataProvider.getInstance(), false); +			pendingReq.setRequest(msg); +			 +			//preProcess Message +			preProcess(req, resp, pendingReq); +						 +		} catch (SecurityPolicyException e) { +			String samlRequest = req.getParameter("SAMLRequest");			 +			Logger.warn("Receive INVALID protocol request: " + samlRequest, e); +			throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); +			 +		} catch (SecurityException e) { +			String samlRequest = req.getParameter("SAMLRequest");			 +			Logger.warn("Receive INVALID protocol request: " + samlRequest, e); +			throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}); +			 +		} catch (Throwable e) {			 +			String 
samlRequest = req.getParameter("SAMLRequest");			 +			Logger.warn("Receive INVALID protocol request: " + samlRequest, e); +						 +			throw new MOAIDException(e.getMessage(), new Object[] {}); +		}					 +	} +	 -	public void preProcess(HttpServletRequest request, +	private void preProcess(HttpServletRequest request,  			HttpServletResponse response, PVPTargetConfiguration pendingReq) throws Throwable {  			InboundMessage msg = pendingReq.getRequest(); @@ -274,7 +327,8 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController  {  			}  			if(!msg.isVerified()) { -				samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); +				samlVerificationEngine.verify(msg,  +						TrustEngineFactory.getSignatureKnownKeysTrustEngine(MOAMetadataProvider.getInstance()));  				msg.setVerified(true);  			} @@ -521,7 +575,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController  {  			throw new WrongParametersException("StartAuthentication",  					PARAM_OA, "auth.12"); -		OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(moaRequest.getEntityID()); +		OAAuthParameter oa = authConfig.getOnlineApplicationParameter(moaRequest.getEntityID());  		if (!oa.isInderfederationIDP()) {  			Logger.warn("AttributeQuery requests are only allowed for interfederation IDPs.");  			throw new AttributQueryException("AttributeQuery requests are only allowed for interfederation IDPs.", null); 
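Review bot: In `PVPIDPSOAPRequest` all three catch blocks read `req.getParameter("SAMLRequest")`, but a SOAP binding carries the SAML message in the POST body rather than as a form parameter, so the warn line will log `null` and never the offending request; either drop that lookup for this endpoint or log `req.getRemoteAddr()` and the exception only. The final `catch (Throwable e)` rethrows as `new MOAIDException(e.getMessage(), new Object[] {})`, which turns an arbitrary exception message into a message key and discards the cause chain — prefer a fixed key with the message as argument, mirroring the `pvp2.22` branch above, and attach `e` as cause if `MOAIDException` offers such a constructor. Note also that `SoapBinding.decode` attaches no signed-request policy rule (its own TODO says so), so for this endpoint the request signature is checked only by `preProcess` when `msg.isVerified()` is false; a comment at the decode call stating that invariant, `// SOAP decoder applies no signature policy; preProcess() verifies the message`, would protect it from being refactored away.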
@@ -533,17 +587,39 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController  {  			throw new AttributQueryException("Interfederation IDP does not allow outgoing SSO interfederation.", null);  		} +					 +		//check active MOASession +		String nameID = attrQuery.getSubject().getNameID().getValue();			 +		AuthenticationSession session = authenticatedSessionStorage.getSessionWithUserNameID(nameID); +		if (session == null) { +			Logger.warn("AttributeQuery nameID does not match to an active single sign-on session."); +			throw new AttributQueryException("AttributeQuery nameID does not match to an active single sign-on session.", null); +		} +		 +		//search federated IDP information for this MOASession +		 +		 +		InterfederationSessionStore interfIDP =  +				authenticatedSessionStorage.searchInterfederatedIDPFORAttributeQueryWithSessionID(session); +	 +		//build OnlineApplication dynamic from requested attributes (AttributeQuerry Request) and configuration +		IOAAuthParameters spConfig = DynamicOAAuthParameterBuilder.buildFromAttributeQuery(oa, attrQuery.getAttributes(), interfIDP); + +		//set preProcessed information into pending-request  		pendingReq.setRequest(moaRequest);  		pendingReq.setOAURL(moaRequest.getEntityID()); -		pendingReq.setOnlineApplicationConfiguration(oa); +		pendingReq.setOnlineApplicationConfiguration(spConfig);  		pendingReq.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI); -		//Attribute-Query Request needs authentication  -		pendingReq.setNeedAuthentication(true); -		 +		//Attribute-Query Request needs authentication, because session MUST be already authenticated  +		pendingReq.setNeedAuthentication(false); +				  		//set protocol action, which should be executed after authentication  		pendingReq.setAction(AttributQueryAction.class.getName()); + +		//add moasession +		pendingReq.setGenericDataToSession(PVPTargetConfiguration.DATAID_MOASESSION, session);  		//write revisionslog entry  		revisionsLogger.logEvent(pendingReq, 
MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_ATTRIBUTQUERY); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java index 1d2754e3f..c2b61aaa7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java @@ -276,6 +276,6 @@ public interface PVPConstants {  	public static final int CHARGE_CODE_MAX_LENGTH = 32767;  	public static final String PVP_HOLDEROFKEY_OID = "1.2.40.0.10.2.1.1.261.xx.xx"; -	public static final String PVP_HOLDEROFKEY_NAME = URN_OID_PREFIX + PVP_VERSION_OID; +	public static final String PVP_HOLDEROFKEY_NAME = URN_OID_PREFIX + PVP_HOLDEROFKEY_OID;  	public static final String PVP_HOLDEROFKEY_FRIENDLY_NAME = "HOLDER-OF-KEY-CERTIFICATE";  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java index 27773a248..a8e02c317 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java 
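Review bot: The nameID-to-session lookup is now the only thing binding the requester to the session, yet nothing in the new block compares the requesting entity (`moaRequest.getEntityID()`) with the IDP recorded for that session: `interfIDP` from `searchInterfederatedIDPFORAttributeQueryWithSessionID(session)` is passed to `DynamicOAAuthParameterBuilder.buildFromAttributeQuery` but never checked against `oa`, and `needAuthentication` is switched to `false`. Unless `getSessionWithUserNameID` already scopes the lookup by requester, any configured interfederation IDP that learns a valid nameID can pull that session's attributes; reject the request when `interfIDP` is null or when its recorded IDP identifier does not equal `moaRequest.getEntityID()`, before `spConfig` is built. `attrQuery.getSubject().getNameID().getValue()` also dereferences without a null guard, so a request lacking Subject or NameID yields a NullPointerException instead of an AttributQueryException; add `if (attrQuery.getSubject() == null || attrQuery.getSubject().getNameID() == null) throw new AttributQueryException("AttributeQuery without Subject/NameID.", null);`. The comment above `setNeedAuthentication(false)` still says the request "needs authentication"; reword it to `//no new authentication: the MOASession referenced by nameID is already authenticated`. The enclosing method starts before the hunk.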
@@ -46,6 +46,12 @@ import at.gv.egovernment.moa.logging.Logger;  @Scope(value = BeanDefinition.SCOPE_PROTOTYPE)  public class PVPTargetConfiguration extends RequestImpl { +	public static final String DATAID_MOASESSION = "moasession"; +	public static final String DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP = "useMinimalFrontChannelResponse"; +	public static final String DATAID_INTERFEDERATION_NAMEID = "federatedNameID"; +	public static final String DATAID_INTERFEDERATION_QAALEVEL = "federatedQAALevel";	 +	public static final String DATAID_INTERFEDERATION_ATTRQUERYCONTAINERID = "attrQueryContainerID"; +	  	private static final long serialVersionUID = 4889919265919638188L;  	InboundMessage request; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java index 6619876dc..86b31f1eb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java @@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.binding;  import javax.servlet.http.HttpServletRequest;  import javax.servlet.http.HttpServletResponse; +import org.opensaml.saml2.metadata.provider.MetadataProvider;  import org.opensaml.ws.message.decoder.MessageDecodingException;  import org.opensaml.xml.security.SecurityException; @@ -33,7 +34,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface  public interface IDecoder {  	public InboundMessageInterface decode(HttpServletRequest req,  -			HttpServletResponse resp, boolean isSPEndPoint) +			HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint)  					throws MessageDecodingException, SecurityException, PVP2Exception;  	public boolean handleDecode(String action, HttpServletRequest req); 
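Review bot: `IDecoder.decode` gains a `MetadataProvider metadataProvider` parameter with no Javadoc; the implementations in this diff feed it both to the message context and to `TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)`, so it decides which signing keys are trusted, and passing the wrong provider (e.g. SP-side metadata at an IDP endpoint) silently changes the trust anchors rather than failing. Document that on the interface: `@param metadataProvider metadata used to resolve the peer entity and as the trust-anchor source for signature verification; must not be null`, and while there say what `isSPEndPoint` selects, since it is equally undocumented.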
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index ebb4b2991..6d376faa0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -37,6 +37,7 @@ import org.opensaml.saml2.metadata.IDPSSODescriptor;  import org.opensaml.saml2.metadata.SPSSODescriptor;  import org.opensaml.saml2.metadata.SingleSignOnService;  import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder; +import org.opensaml.saml2.metadata.provider.MetadataProvider;  import org.opensaml.ws.message.decoder.MessageDecodingException;  import org.opensaml.ws.message.encoder.MessageEncodingException;  import org.opensaml.ws.security.SecurityPolicyResolver; @@ -56,7 +57,6 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; -import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.validation.MOAPVPSignedRequestPolicyRule;  import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;  import at.gv.egovernment.moa.id.util.HTTPUtils; 
@@ -146,7 +146,7 @@ public class PostBinding implements IDecoder, IEncoder {  	}  	public InboundMessageInterface decode(HttpServletRequest req, -			HttpServletResponse resp, boolean isSPEndPoint) throws MessageDecodingException, +			HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint) throws MessageDecodingException,  			SecurityException {  		HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool()); @@ -168,13 +168,13 @@ public class PostBinding implements IDecoder, IEncoder {  			throw new SecurityException(e);  		} -		messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); +		messageContext.setMetadataProvider(metadataProvider);  		//set security policy context  		BasicSecurityPolicy policy = new BasicSecurityPolicy();  		policy.getPolicyRules().add(  				new MOAPVPSignedRequestPolicyRule( -						TrustEngineFactory.getSignatureKnownKeysTrustEngine(), +						TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider),  						messageContext.getPeerEntityRole()));		  		SecurityPolicyResolver secResolver = new StaticSecurityPolicyResolver(policy);  		messageContext.setSecurityPolicyResolver(secResolver); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 0ff18d903..683a72e67 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java 
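Review bot: Nothing guards `metadataProvider` before `messageContext.setMetadataProvider(metadataProvider)` and `TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)`; previously the singleton `MOAMetadataProvider.getInstance()` could not be null here, now it is a caller promise. Fail fast at the top of `decode` with `Objects.requireNonNull(metadataProvider, "metadataProvider");` (needs `java.util.Objects`) rather than letting a null surface inside the trust engine or, depending on how the factory treats null, as a verification outcome. The second hunk starts mid-method.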
@@ -38,6 +38,7 @@ import org.opensaml.saml2.metadata.IDPSSODescriptor;  import org.opensaml.saml2.metadata.SPSSODescriptor;  import org.opensaml.saml2.metadata.SingleSignOnService;  import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder; +import org.opensaml.saml2.metadata.provider.MetadataProvider;  import org.opensaml.ws.message.decoder.MessageDecodingException;  import org.opensaml.ws.message.encoder.MessageEncodingException;  import org.opensaml.ws.security.SecurityPolicyResolver; @@ -133,7 +134,7 @@ public class RedirectBinding implements IDecoder, IEncoder {  	}  	public InboundMessageInterface decode(HttpServletRequest req, -			HttpServletResponse resp, boolean isSPEndPoint) throws MessageDecodingException, +			HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint) throws MessageDecodingException,  			SecurityException {  		HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder( @@ -159,10 +160,10 @@ public class RedirectBinding implements IDecoder, IEncoder {  		} -		messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); +		messageContext.setMetadataProvider(metadataProvider);  		SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule( -				TrustEngineFactory.getSignatureKnownKeysTrustEngine()); +				TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));  		SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule();  		BasicSecurityPolicy policy = new BasicSecurityPolicy();  		policy.getPolicyRules().add(signatureRule); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java index cc3553551..12b571ed1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java 
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java @@ -34,6 +34,7 @@ import org.opensaml.saml2.binding.encoding.HTTPSOAP11Encoder;  import org.opensaml.saml2.core.RequestAbstractType;  import org.opensaml.saml2.core.StatusResponseType;  import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml2.metadata.provider.MetadataProvider;  import org.opensaml.ws.message.decoder.MessageDecodingException;  import org.opensaml.ws.message.encoder.MessageEncodingException;  import org.opensaml.ws.soap.soap11.Envelope; @@ -63,7 +64,7 @@ public class SoapBinding implements IDecoder, IEncoder {  	@Autowired private IDPCredentialProvider credentialProvider;  	public InboundMessageInterface decode(HttpServletRequest req, -			HttpServletResponse resp, boolean isSPEndPoint) throws MessageDecodingException, +			HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint) throws MessageDecodingException,  			SecurityException, PVP2Exception {  		HTTPSOAP11Decoder soapDecoder = new HTTPSOAP11Decoder(new BasicParserPool());  		BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext =  @@ -71,7 +72,7 @@ public class SoapBinding implements IDecoder, IEncoder {  		messageContext  				.setInboundMessageTransport(new HttpServletRequestAdapter(  						req));		 -		messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); +		messageContext.setMetadataProvider(metadataProvider);  		//TODO: update in a futher version:   		//      requires a special SignedSOAPRequestPolicyRole because  diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java index 23ea4d7ee..164583f77 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java 
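Review bot: `SoapBinding.decode` sets the metadata provider on the context but, unlike the POST and Redirect decoders in this diff, attaches no security policy with a signature rule — the in-hunk TODO already says so — so the `InboundMessage` it returns is unverified and the caller must run signature verification itself. Since this decoder is now reachable from the new `/pvp2/soap` endpoint, make that contract explicit at the top of the method: `// NOTE: no SecurityPolicy is applied here; the returned message is NOT signature-verified and callers must verify it (PVP2XProtocol.preProcess does) before acting on it.` The method body continues past the hunk.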
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java @@ -29,24 +29,22 @@ import java.util.List;  import java.util.ServiceLoader;  import org.opensaml.saml2.core.Attribute; - -import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder; -import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator; +import org.opensaml.saml2.metadata.RequestedAttribute;  import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;  import at.gv.egovernment.moa.id.data.IAuthData; - +import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.SamlAttributeGenerator; -  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.InvalidDateFormatAttributeException;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; -  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidDateFormatException;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.UnprovideableAttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;  import at.gv.egovernment.moa.logging.Logger;  public class PVPAttributeBuilder { 
@@ -148,4 +146,13 @@ public class PVPAttributeBuilder {  		return attributes;  	} +	public static RequestedAttribute buildReqAttribute(String name, String friendlyName, boolean required) { +		RequestedAttribute attribute = SAML2Utils.createSAMLObject(RequestedAttribute.class); +		attribute.setIsRequired(required); +		attribute.setName(name); +		attribute.setFriendlyName(friendlyName); +		attribute.setNameFormat(Attribute.URI_REFERENCE); +		return attribute; +	} +	  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java index 312bb823d..0a0be2a2c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java @@ -33,9 +33,11 @@ import org.opensaml.saml2.core.AuthnContextClassRef;  import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;  import org.opensaml.saml2.core.AuthnRequest;  import org.opensaml.saml2.core.Issuer; +import org.opensaml.saml2.core.NameID;  import org.opensaml.saml2.core.NameIDPolicy;  import org.opensaml.saml2.core.NameIDType;  import org.opensaml.saml2.core.RequestedAuthnContext; +import org.opensaml.saml2.core.Subject;  import org.opensaml.saml2.metadata.EntityDescriptor;  import org.opensaml.saml2.metadata.SingleSignOnService;  import org.opensaml.ws.message.encoder.MessageEncodingException; @@ -51,6 +53,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestBuildExce  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;  import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;  import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil;  /**   * @author tlenz 
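Review bot: `buildReqAttribute` is a new public static helper with no Javadoc and no argument validation; `name` is the field a SAML consumer keys on, so a null or empty name produces a RequestedAttribute that is present but unmatchable. Add a Javadoc stating it builds a SAML2 metadata RequestedAttribute with URI name format, with `@param name` (attribute URN, non-empty), `@param friendlyName`, `@param required` (sets isRequired) and `@return`, and guard with `if (name == null || name.isEmpty()) throw new IllegalArgumentException("RequestedAttribute name must not be empty");`.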
@@ -98,7 +101,7 @@ public class PVPAuthnRequestBuilder {  		if (endpoint == null) {  			Logger.warn("Building AuthnRequest FAILED: > Requested IDP " + idpEntity.getEntityID()   					+ " does not support POST or Redirect Binding."); -			throw new AuthnRequestBuildException("sp.pvp2.00", new Object[]{idpEntity.getEntityID()}); +			throw new AuthnRequestBuildException("sp.pvp2.00", new Object[]{config.getSPNameForLogging(), idpEntity.getEntityID()});  		} else  			authReq.setDestination(endpoint.getLocation()); @@ -148,7 +151,23 @@ public class PVPAuthnRequestBuilder {  			reqAuthContext.getAuthnContextClassRefs().add(authnClassRef);					  			authReq.setRequestedAuthnContext(reqAuthContext);  		} -				 +						 +		//set request Subject element +		if (MiscUtil.isNotEmpty(config.getSubjectNameID())) { +			Subject reqSubject = SAML2Utils.createSAMLObject(Subject.class); +			NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class); +			 +			subjectNameID.setValue(config.getSubjectNameID()); +			if (MiscUtil.isNotEmpty(config.getSubjectNameIDFormat())) +				subjectNameID.setFormat(config.getSubjectNameIDFormat()); +			else +				subjectNameID.setFormat(NameID.TRANSIENT); +			 +			reqSubject.setNameID(subjectNameID); +			authReq.setSubject(reqSubject ); +						 +		} +		  		//TODO: implement requested attributes  		//maybe: config.getRequestedAttributes(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index af22a2d7e..03cfe27d7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java 
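Review bot: The `sp.pvp2.00` message now receives two arguments (`config.getSPNameForLogging()` and the entityID) where it previously received one; if the message bundle still has a single `{0}` placeholder the entityID silently drops out of the error text, so the bundle entry must be updated in the same change — it is not visible in this diff. A short comment at the throw, `// args: {0}=SP name, {1}=IDP entityID`, would keep the two in step. The method continues outside the hunk.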
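Review bot: In the new Subject block the fallback `subjectNameID.setFormat(NameID.TRANSIENT)` has no why-comment although it encodes the interface contract; add `// default per IPVPAuthnRequestBuilderConfiguruation: transient format when none is configured`. `authReq.setSubject(reqSubject );` carries a stray space before the parenthesis. The method continues outside the hunk.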
@@ -284,6 +284,7 @@ public class PVP2AssertionBuilder implements PVPConstants {  		NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class);  		//build nameID and nameID Format from moasession +		//TODO: nameID generation  		if (authData.isUseMandate()) {  			Element mandate = authData.getMandate();  			if(mandate == null) { @@ -395,7 +396,10 @@ public class PVP2AssertionBuilder implements PVPConstants {  			subjectNameID.setValue(authData.getNameID());  			sessionIndex = authData.getSessionIndex(); -		} else +		} +		 +		// +		if (MiscUtil.isEmpty(sessionIndex))  			sessionIndex = SAML2Utils.getSecureIdentifier();  		SubjectConfirmationData subjectConfirmationData = SAML2Utils diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java index e0994ff19..9a51e75e4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java @@ -285,4 +285,12 @@ public class IDPPVPMetadataConfiguration implements IPVPMetadataBuilderConfigura  		return null;  	} +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#getSPNameForLogging() +	 */ +	@Override +	public String getSPNameForLogging() { +		return "MOA-ID-Auth"; +	} +  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java index d51231044..e209d0bc5 100644 
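Review bot: The bare `//` line above `if (MiscUtil.isEmpty(sessionIndex))` is an empty comment, and dropping the `} else` means the fallback now fires for every branch whenever the session supplies no index — a behaviour change the comment should state: `// fall back to a fresh random SessionIndex whenever the MOASession did not supply one`. If a later LogoutRequest has to match this SessionIndex, a freshly generated value will not be found in the session store; either persist it or say in the comment why that is acceptable. The surrounding method starts and ends outside the hunk.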
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java @@ -33,6 +33,13 @@ import org.opensaml.xml.security.credential.Credential;  public interface IPVPAuthnRequestBuilderConfiguruation {  	/** +	 * Defines a unique name for this PVP Service-provider, which is used for logging +	 *  +	 * @return +	 */ +	public String getSPNameForLogging(); +	 +	/**  	 * If true, the SAML2 isPassive flag is set in the AuthnRequest  	 *   	 * @return @@ -110,5 +117,13 @@ public interface IPVPAuthnRequestBuilderConfiguruation {  	 * @return SubjectNameID, or null if no SubjectNameID should be used  	 */  	public String getSubjectNameID(); + +	/** +	 * Define the format of the subjectNameID, which is included in authn-request +	 *  +	 *  +	 * @return nameIDFormat, of SAML2 'transient' if nothing is defined +	 */ +	public String getSubjectNameIDFormat();  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java index 52096fd19..56274535b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java @@ -40,6 +40,13 @@ public interface IPVPMetadataBuilderConfiguration {  	/** +	 * Defines a unique name for this PVP Service-provider, which is used for logging +	 *  +	 * @return +	 */ +	public String getSPNameForLogging(); +	 +	/**  	 * Set metadata valid area  	 *   	 * @return valid until in hours [h] 
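Review bot: The Javadoc for `getSubjectNameIDFormat()` reads "@return nameIDFormat, of SAML2 'transient' if nothing is defined" — "of" should be "or", and since PVPAuthnRequestBuilder substitutes `NameID.TRANSIENT` on an empty value the contract is better stated as `@return nameIDFormat, or null/empty to let the builder default to SAML2 'transient'`. `getSPNameForLogging()` has an empty `@return`; give it `@return non-empty SP identifier used only in log and error messages`. Both are new abstract methods on public interfaces, so every implementor must be updated; `IDPPVPMetadataConfiguration` in this diff is, other implementors are not visible here.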
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index 03fa686f9..6e87abb06 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -31,12 +31,9 @@ import java.util.Iterator;  import java.util.List;  import java.util.Map;  import java.util.Map.Entry; -import java.util.Timer; -import javax.net.ssl.SSLHandshakeException;  import javax.xml.namespace.QName; -import org.apache.commons.httpclient.MOAHttpClient;  import org.opensaml.saml2.metadata.EntitiesDescriptor;  import org.opensaml.saml2.metadata.EntityDescriptor;  import org.opensaml.saml2.metadata.RoleDescriptor; 
@@ -47,20 +44,13 @@ import org.opensaml.saml2.metadata.provider.MetadataProvider;  import org.opensaml.saml2.metadata.provider.MetadataProviderException;  import org.opensaml.saml2.metadata.provider.ObservableMetadataProvider;  import org.opensaml.xml.XMLObject; -import org.opensaml.xml.parse.BasicParserPool;  import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; -import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; -import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;  import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;  import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;  import at.gv.egovernment.moa.id.config.auth.IGarbageCollectorProcessing;  import at.gv.egovernment.moa.id.config.auth.MOAGarbageCollector;  import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;  import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter;  import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.PVPMetadataFilterChain;  import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter; 
@@ -68,7 +58,8 @@ import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.Base64Utils;  import at.gv.egovernment.moa.util.MiscUtil; -public class MOAMetadataProvider implements ObservableMetadataProvider, IGarbageCollectorProcessing { +public class MOAMetadataProvider extends SimpleMOAMetadataProvider +	implements ObservableMetadataProvider, IGarbageCollectorProcessing {  	private static MOAMetadataProvider instance = null;  	private static Object mutex = new Object(); @@ -151,10 +142,9 @@ public class MOAMetadataProvider implements ObservableMetadataProvider, IGarbage  						String oaFriendlyName = oaParam.getFriendlyName();  						ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;						 -						HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL,  -								cert, oaFriendlyName,  -								buildMetadataFilterChain(oaParam, metadataURL,  -										cert)); +						HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL, 								  +								buildMetadataFilterChain(oaParam, metadataURL, cert),  +								oaFriendlyName);  						chainProvider.addMetadataProvider(newMetadataProvider); @@ -264,11 +254,9 @@ public class MOAMetadataProvider implements ObservableMetadataProvider, IGarbage  										Logger.info("Loading metadata for: " + oaFriendlyName);  										httpProvider = createNewHTTPMetaDataProvider( -												metadataurl,  -												cert, -												oaFriendlyName, -												buildMetadataFilterChain(oaParam, metadataurl,  -														cert)); +												metadataurl, 												 +												buildMetadataFilterChain(oaParam, metadataurl, cert), +												oaFriendlyName);  										if (httpProvider != null)  											providersinuse.put(metadataurl, httpProvider); 
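Review bot: The result of `createNewHTTPMetaDataProvider(...)` is handed straight to `chainProvider.addMetadataProvider(newMetadataProvider)` without the `if (httpProvider != null)` guard that the other two call sites in this file use, and the new `SimpleMOAMetadataProvider` implementation returns null on every failure (SSL handshake, signature or schema validation). Whether `ChainingMetadataProvider` tolerates a null provider is not visible here; guard it explicitly and make the failure loud: `if (newMetadataProvider != null) chainProvider.addMetadataProvider(newMetadataProvider); else Logger.warn("Metadata for " + oaFriendlyName + " could not be loaded; entity stays unknown to the chain");`. The enclosing method starts and ends outside the hunk.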
@@ -389,10 +377,8 @@ public class MOAMetadataProvider implements ObservableMetadataProvider, IGarbage  								if (!providersinuse.containsKey(metadataurl)) {					  									httpProvider = createNewHTTPMetaDataProvider(  											metadataurl,  -											cert, -											oaFriendlyName, -											buildMetadataFilterChain(oaParam, metadataurl,  -													cert)); +											buildMetadataFilterChain(oaParam, metadataurl, cert), +											oaFriendlyName);  									if (httpProvider != null)  										providersinuse.put(metadataurl, httpProvider); 
@@ -450,86 +436,7 @@ public class MOAMetadataProvider implements ObservableMetadataProvider, IGarbage  		return filterChain;		  	} -	 -	private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, byte[] certificate, String oaName, PVPMetadataFilterChain filter) { -		HTTPMetadataProvider httpProvider = null; -		Timer timer= null; -		MOAHttpClient httpClient = null; -		try {			 -			httpClient = new MOAHttpClient(); -			 -			if (metadataURL.startsWith("https:")) { -				try { -					MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( -							PVPConstants.SSLSOCKETFACTORYNAME,  -							AuthConfigurationProviderFactory.getInstance().getCertstoreDirectory(),  -							AuthConfigurationProviderFactory.getInstance().getTrustedCACertificates(), -							null, -							AuthConfiguration.DEFAULT_X509_CHAININGMODE,  -							AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking()); -					 -					httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory); - -				} catch (MOAHttpProtocolSocketFactoryException e) { -					Logger.warn("MOA SSL-TrustStore can not initialized. 
Use default Java TrustStore."); -					 -				} -			} -			 -			timer = new Timer(); -			httpProvider = new HTTPMetadataProvider(timer, httpClient,  -					metadataURL); -			httpProvider.setParserPool(new BasicParserPool()); -			httpProvider.setRequireValidMetadata(true); -			httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes -			httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours -			//httpProvider.setRefreshDelayFactor(0.1F); -			 -			if (filter == null) {			 -				filter = new PVPMetadataFilterChain(metadataURL, certificate); -			} -			httpProvider.setMetadataFilter(filter); -			httpProvider.initialize(); -			 -			httpProvider.setRequireValidMetadata(true); -			 -			return httpProvider; -						 -		} catch (Throwable e) {			 -			if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) { -				Logger.warn("SSL-Server certificate for metadata "  -						+ metadataURL + " not trusted.", e); -				 -			} if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) {				 -				Logger.warn("Signature verification for metadata"  -						+ metadataURL + " FAILED.", e); -			 -			} if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) { -				Logger.warn("Schema validation for metadata "  -						+ metadataURL + " FAILED.", e);								 -			} -			 -			Logger.error( -					"Failed to add Metadata file for " -							+ oaName + "[ " -							+ e.getMessage() + " ]", e); -						 -			if (httpProvider != null) { -				Logger.debug("Destroy failed Metadata provider"); -				httpProvider.destroy(); -			} -			 -			if (timer != null) { -				Logger.debug("Destroy Timer."); -				timer.cancel(); -			} - -			 -		} -		return null;	 -	} -	  	public boolean requireValidMetadata() {  		return internalProvider.requireValidMetadata();  	} 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java new file mode 100644 index 000000000..6d646c609 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java 
@@ -0,0 +1,135 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.pvp2x.metadata;
+
+import java.util.Timer;
+
+import javax.net.ssl.SSLHandshakeException;
+
+import org.apache.commons.httpclient.MOAHttpClient;
+import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.saml2.metadata.provider.MetadataProvider;
+import org.opensaml.xml.parse.BasicParserPool;
+
+import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
+import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
+import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public abstract class SimpleMOAMetadataProvider implements MetadataProvider{
+	
+	/**
+	 * Create a single SAML2 HTTP metadata provider
+	 * 
+	 * @param metadataURL URL, where the metadata should be loaded
+	 * @param filter Filters, which should be used to validate the metadata
+	 * @param IdForLogging Id, which is used for Logging
+	 * 
+	 * @return SAML2 Metadata Provider
+	 */
+	protected HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, MetadataFilter filter, String IdForLogging ) {
+		HTTPMetadataProvider httpProvider = null;
+		Timer timer= null;
+		MOAHttpClient httpClient = null;
+		try {			
+			httpClient = new MOAHttpClient();
+			
+			if (metadataURL.startsWith("https:")) {
+				try {
+					MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
+							PVPConstants.SSLSOCKETFACTORYNAME, 
+							AuthConfigurationProviderFactory.getInstance().getCertstoreDirectory(), 
+							AuthConfigurationProviderFactory.getInstance().getTrustedCACertificates(),
+							null,
+							AuthConfiguration.DEFAULT_X509_CHAININGMODE, 
+							AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking());
+					
+					httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory);
+
+				} catch (MOAHttpProtocolSocketFactoryException e) {
+					Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.");
+					
+				}
+			}
+			
+			timer = new Timer();
+			httpProvider = new HTTPMetadataProvider(timer, httpClient, 
+					metadataURL);
+			httpProvider.setParserPool(new BasicParserPool());
+			httpProvider.setRequireValidMetadata(true);
+			httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes
+			httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours
+			//httpProvider.setRefreshDelayFactor(0.1F);
+			
+			httpProvider.setMetadataFilter(filter);
+			httpProvider.initialize();
+			
+			httpProvider.setRequireValidMetadata(true);
+			
+			return httpProvider;
+						
+		} catch (Throwable e) {			
+			if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) {
+				Logger.warn("SSL-Server certificate for metadata " 
+						+ metadataURL + " not trusted.", e);
+				
+			} if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) {				
+				Logger.warn("Signature verification for metadata" 
+						+ metadataURL + " FAILED.", e);
+			
+			} if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) {
+				Logger.warn("Schema validation for metadata " 
+						+ metadataURL + " FAILED.", e);								
+			}
+			
+			Logger.error(
+					"Failed to load Metadata file for " 
+							+ IdForLogging + "[ "
+							+ e.getMessage() + " ]", e);
+						
+			if (httpProvider != null) {
+				Logger.debug("Destroy failed Metadata provider");
+				httpProvider.destroy();
+			}
+			
+			if (timer != null) {
+				Logger.debug("Destroy Timer.");
+				timer.cancel();
+			}
+
+			
+		}
+		
+		return null;	
+	}
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
index 9c294245f..8787df82d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
@@ -24,9 +24,11 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.utils;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import org.opensaml.saml2.core.Assertion;
 import org.opensaml.saml2.core.Attribute;
@@ -111,7 +113,7 @@ public class AssertionAttributeExtractor {
 	 * 
 	 * @return
 	 */
-	public boolean containsAllRequiredAttributes(List<String> attributeNameList) {		
+	public boolean containsAllRequiredAttributes(Collection<String> attributeNameList) {		
 		//first check if a bPK or an encrypted bPK is available
 		if (attributs.containsKey(PVPConstants.ENC_BPK_LIST_NAME) || 
@@ -152,6 +154,16 @@ public class AssertionAttributeExtractor {
 	}
+	/**
+	 * Return all include PVP attribute names
+	 * 
+	 * @return
+	 */
+	public Set<String> getAllIncludeAttributeNames() {
+		return attributs.keySet();
+		
+	}
+	
 //	public PersonalAttributeList getSTORKAttributes() {
 //		return storkAttributes;
 //	}
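Review bot: `createNewHTTPMetaDataProvider` installs whatever it is given via `httpProvider.setMetadataFilter(filter)`, and the `if (filter == null)` fallback to a default `PVPMetadataFilterChain` that the removed MOAMetadataProvider implementation had is not carried over, so any subclass calling this protected method with a null filter gets a provider whose remote metadata is never schema- or signature-validated. The method no longer receives the certificate and cannot rebuild the default chain, so fail closed instead: `Objects.requireNonNull(filter, "metadata filter must not be null");` as the first statement (with `import java.util.Objects;`). Two smaller points in the same method: the three `} if (...)` statements in the `catch (Throwable e)` block are independent `if`s, which works but reads like an `else if` that went missing, and the `MOAHttpProtocolSocketFactoryException` branch silently downgrades an `https:` metadata URL from the configured MOA trust store to the default Java trust store, which the warn message should say explicitly (`"... falling back to the default Java TrustStore for " + metadataURL`) so operators notice that the TLS trust anchor for that fetch has changed.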
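Review bot: `getAllIncludeAttributeNames()` returns `attributs.keySet()`, which is a live view of the extractor's internal attribute map (`attributs` is declared outside the hunk), so a caller can remove attributes from the parsed assertion through the returned set. Hand out a read-only view instead: `return Collections.unmodifiableSet(attributs.keySet());` with `import java.util.Collections;`. The javadoc should also fill in `@return`, e.g. `@return names of all PVP attributes contained in the assertion, never null`, and "include" reads as "included".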
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java index 67a91f6e1..3ea124db6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java @@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.verification;  import java.util.ArrayList;  import java.util.List; +import org.opensaml.saml2.metadata.provider.MetadataProvider;  import org.opensaml.security.MetadataCredentialResolver;  import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver;  import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver; @@ -35,8 +36,6 @@ import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider;  import org.opensaml.xml.signature.SignatureTrustEngine;  import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;  //import org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine; - -import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;  //import edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver;  public class TrustEngineFactory { @@ -65,11 +64,10 @@ public class TrustEngineFactory {  //		}  //	} -	public static SignatureTrustEngine getSignatureKnownKeysTrustEngine() { +	public static SignatureTrustEngine getSignatureKnownKeysTrustEngine(MetadataProvider provider) {  		MetadataCredentialResolver resolver; -		resolver = new MetadataCredentialResolver( -				MOAMetadataProvider.getInstance()); +		resolver = new MetadataCredentialResolver(provider);  		List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>();  		keyInfoProvider.add(new DSAKeyValueProvider()); 
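Review bot: `getSignatureKnownKeysTrustEngine(MetadataProvider provider)` now lets the caller decide which metadata supplies the signing keys the engine trusts, which is the whole security decision of this factory, yet the new parameter is neither documented nor checked (a null provider would only surface later, when the `MetadataCredentialResolver` is first used, if at all). Add `Objects.requireNonNull(provider, "provider");` as the first statement and a javadoc along the lines of `/** Builds a trust engine that accepts only signing keys published in {@code provider}; callers must pass the provider holding the metadata of the entity whose signature is verified. */`. The method body continues past the end of the hunk.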
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java index c9f3e5bcd..f67c475bb 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java @@ -20,13 +20,12 @@   * The "NOTICE" text file is part of the distribution. Any derivative works   * that you distribute must include a readable copy of the "NOTICE" text file.   */ -package at.gv.egovernment.moa.id.auth.modules.eidas.engine; +package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;  import java.io.IOException;  import java.io.StringWriter;  import javax.xml.transform.Transformer; -import javax.xml.transform.TransformerConfigurationException;  import javax.xml.transform.TransformerException;  import javax.xml.transform.TransformerFactory;  import javax.xml.transform.TransformerFactoryConfigurationError; @@ -40,7 +39,6 @@ import org.opensaml.xml.XMLObject;  import at.gv.egovernment.moa.id.auth.builder.SignatureVerificationUtils;  import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; -import at.gv.egovernment.moa.id.auth.exception.BuildException;  import at.gv.egovernment.moa.id.auth.exception.MOAIDException;  import at.gv.egovernment.moa.logging.Logger; 
@@ -48,14 +46,14 @@ import at.gv.egovernment.moa.logging.Logger;   * @author tlenz   *   */ -public class MOAeIDASMetadataSignatureFilter implements MetadataFilter { +public class MOASPMetadataSignatureFilter implements MetadataFilter {  	private String trustProfileID = null;  	/**  	 *   	 */ -	public MOAeIDASMetadataSignatureFilter(String trustProfileID) { +	public MOASPMetadataSignatureFilter(String trustProfileID) {  		this.trustProfileID = trustProfileID;  	} @@ -87,20 +85,20 @@ public class MOAeIDASMetadataSignatureFilter implements MetadataFilter {  					//check signature-verification result  					if (result.getSignatureCheckCode() != 0) { -						Logger.warn("eIDAS Metadata signature-verification FAILED!" +						Logger.warn("Metadata signature-verification FAILED!"  								+ " Metadata: " + entityDes.getEntityID()  								+ " StatusCode:" + result.getSignatureCheckCode()); -						throw new FilterException("eIDAS Metadata signature-verification FAILED!" +						throw new FilterException("Metadata signature-verification FAILED!"  								+ " Metadata: " + entityDes.getEntityID()  								+ " StatusCode:" + result.getSignatureCheckCode());  					}  					if (result.getCertificateCheckCode() != 0) { -						Logger.warn("eIDAS Metadata certificate-verification FAILED!" +						Logger.warn("Metadata certificate-verification FAILED!"  								+ " Metadata: " + entityDes.getEntityID()  								+ " StatusCode:" + result.getCertificateCheckCode()); -						throw new FilterException("eIDAS Metadata certificate-verification FAILED!" +						throw new FilterException("Metadata certificate-verification FAILED!"  								+ " Metadata: " + entityDes.getEntityID()  								+ " StatusCode:" + result.getCertificateCheckCode()); 
@@ -108,22 +106,22 @@ public class MOAeIDASMetadataSignatureFilter implements MetadataFilter {  				} catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) { -					Logger.error("eIDAS Metadata verification has an interal error.", e); -					throw new FilterException("eIDAS Metadata verification has an interal error." +					Logger.error("Metadata verification has an interal error.", e); +					throw new FilterException("Metadata verification has an interal error."  							+ " Message:" + e.getMessage());  				}  			} else { -				Logger.warn("eIDAS Metadata root-element MUST be signed."); -				throw new FilterException("eIDAS Metadata root-element MUST be signed.'"); +				Logger.warn("Metadata root-element MUST be signed."); +				throw new FilterException("Metadata root-element MUST be signed.'");  			}  		} else { -			Logger.warn("eIDAS Metadata root-element is not of type 'EntityDescriptor'"); -			throw new FilterException("eIDAS Metadata root-element is not of type 'EntityDescriptor'"); +			Logger.warn("Metadata root-element is not of type 'EntityDescriptor'"); +			throw new FilterException("Metadata root-element is not of type 'EntityDescriptor'");  		} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java index 1aca587c9..69fe0ee6a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java 
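Review bot: `throw new FilterException("Metadata root-element MUST be signed.'");` carries a stray `'` at the end of the message that the matching `Logger.warn` line does not have; it should read `"Metadata root-element MUST be signed."`. In the multi-catch above it, `new FilterException("..." + " Message:" + e.getMessage())` drops the original exception, so the stack trace of a `MOAIDException`/`TransformerException` survives only through the separate `Logger.error` call; if `FilterException` offers a `(String, Throwable)` constructor, pass `e` as the cause. The `doFilter` method starts outside the hunk.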
@@ -22,16 +22,13 @@   */  package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; -import org.opensaml.saml2.metadata.provider.FilterException; -import org.opensaml.saml2.metadata.provider.MetadataFilter; -import org.opensaml.xml.XMLObject; -  import javax.xml.transform.dom.DOMSource;  import javax.xml.validation.Schema;  import javax.xml.validation.Validator;  import org.opensaml.common.xml.SAMLSchemaBuilder; - +import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.xml.XMLObject;  import org.xml.sax.SAXException;  import at.gv.egovernment.moa.id.config.ConfigurationException; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java index cfdb4426b..c190ad779 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java @@ -53,9 +53,8 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;  import at.gv.egovernment.moa.id.data.EncryptedData;  import at.gv.egovernment.moa.id.data.SLOInformationInterface;  import at.gv.egovernment.moa.id.moduls.IRequest; -import at.gv.egovernment.moa.id.moduls.RequestImpl; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;  import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;  import at.gv.egovernment.moa.id.util.Random;  import at.gv.egovernment.moa.id.util.SessionEncrytionUtil; 
@@ -95,9 +94,7 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt  			Date now = new Date();  			dbsession.setCreated(now);  			dbsession.setUpdated(now); -		 -			dbsession.setPendingRequestID(target.getRequestID()); -		 +				  			//set additional session informations  			AuthenticationSessionExtensions sessionExt = new AuthenticationSessionExtensions();  			sessionExt.setUniqueSessionId(target.getUniqueSessionIdentifier()); @@ -443,6 +440,10 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt  				  } +				  //set additional information for AttributeQuery +				  activeOA.setAttQueryContainerID(protocolRequest.getGenericData( +						  PVPTargetConfiguration.DATAID_INTERFEDERATION_ATTRQUERYCONTAINERID, String.class)); +				    				  List<OASessionStore> activeOAs = dbsession.getActiveOAsessions();				    				  activeOAs.add(activeOA);  				  dbsession.setActiveOAsessions(activeOAs); @@ -461,7 +462,6 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt  					dbsession.setSSOSession(true);  					dbsession.setSSOsessionid(SSOSessionID);  					dbsession.setAuthenticated(false); -					dbsession.setPendingRequestID("empty");  					//Store MOASession  					session.saveOrUpdate(dbsession); @@ -751,7 +751,8 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt  		  }	  	} -	public void createInterfederatedSession(IRequest req, boolean isAuthenticated) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException {		 +	@Override +	public void addFederatedSessionInformation(IRequest req, String idpEntityID, AssertionAttributeExtractor extractor) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException {		  		AuthenticatedSessionStore dbsession = null;  		Date now = new Date(); 
@@ -766,23 +767,27 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt  				throw e;  			}			  		} 	 + +		dbsession.setUpdated(now); +		//decrypt MOASession  		AuthenticationSession session = decryptSession(dbsession); -		//set Session parameters -		session.setAuthenticated(isAuthenticated); -		dbsession.setAuthenticated(isAuthenticated); -		dbsession.setInterfederatedSSOSession(true);		 -		dbsession.setUpdated(now);		 -				 +		//federated Session are never authenticated locally,  +		// because they get always authentication information from federated IDP +		session.setAuthenticated(false); +		dbsession.setAuthenticated(false); + +		//encrypt MOASession  		encryptSession(session, dbsession); +		 +		//mark as federated SSO session +		dbsession.setInterfederatedSSOSession(true);  		//add interfederation information  		List<InterfederationSessionStore> idpList = dbsession.getInderfederation(); -		 -		MOAResponse interfederationResp = req.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, MOAResponse.class); -		String interFedEntityID = interfederationResp.getEntityID(); -		 + +		//check if federated IDP is already stored  		InterfederationSessionStore idp = null;  		if (idpList == null) {  			idpList = new ArrayList<InterfederationSessionStore>(); @@ -791,7 +796,7 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt  		} else {  			for (InterfederationSessionStore el : idpList) {  				//resue old entry if interfederation IDP is reused for authentication -				if (el.getIdpurlprefix().equals(interFedEntityID)) +				if (el.getIdpurlprefix().equals(idpEntityID))  					idp = el;  			}			 
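Review bot: The interface javadoc for `addFederatedSessionInformation` declares `idpEntityID` and `extractor` as never null, but the method does not enforce it: a null `idpEntityID` never matches in `el.getIdpurlprefix().equals(idpEntityID)` and would end up, below the hunk, as a new `InterfederationSessionStore` with a null `idpurlprefix`. Add `Objects.requireNonNull(idpEntityID, "idpEntityID");` and `Objects.requireNonNull(extractor, "extractor");` before `dbsession.setUpdated(now);`. Nothing in this method ties `idpEntityID` to the issuer of the response held by `extractor`; presumably the caller validated that (the new `sp.pvp2.08` message suggests an issuer check exists elsewhere), so a one-line precondition comment stating it here would help the next reader. The method starts in the previous hunk and ends after this one.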
@@ -801,7 +806,7 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt  		if (idp == null) {  			idp = new InterfederationSessionStore();  			idp.setCreated(now); -			idp.setIdpurlprefix(interFedEntityID); +			idp.setIdpurlprefix(idpEntityID);  			idp.setAuthURL(req.getAuthURL());  			OAAuthParameter oa = authConfig.getOnlineApplicationParameter(idp.getIdpurlprefix());			 @@ -809,12 +814,11 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt  			idp.setMoasession(dbsession);  			idpList.add(idp); -		} -		AssertionAttributeExtractor extract = new AssertionAttributeExtractor(interfederationResp.getResponse());		 -		idp.setSessionIndex(extract.getSessionIndex()); -		idp.setUserNameID(extract.getNameID()); +		}		 +		idp.setSessionIndex(extractor.getSessionIndex()); +		idp.setUserNameID(extractor.getNameID());  		idp.setAttributesRequested(false); -		idp.setQAALevel(extract.getQAALevel()); +		idp.setQAALevel(extractor.getQAALevel());  		//store AssertionStore element to Database  		try { @@ -1024,4 +1028,5 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt  				throw e;  		}	  	} +  } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java index 2fd540a67..aaa54fbb9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java 
@@ -36,6 +36,7 @@ import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;  import at.gv.egovernment.moa.id.data.SLOInformationInterface;  import at.gv.egovernment.moa.id.moduls.IRequest;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;  /**   * @author tlenz @@ -238,16 +239,16 @@ public interface IAuthenticationSessionStoreage {  	/** -	 * Create a MOASession from interfederation information +	 * Add information of the federated IDP to MOASession  	 *  -	 * @param req Pending request -	 * @param isAuthenticated true if the session should be marked as authenticated, otherwise false +	 * @param req Pending request of the service-provider request, never null +	 * @param idpEntityID The SAML2 EntityID of the federated IDP, never null +	 * @param extractor <code>AssertionAttributeExtractor</code> which holds the SAML2 response of the federated IDP, never null   	 * @throws MOADatabaseException  	 * @throws AssertionAttributeExtractorExeption  	 * @throws BuildException  	 */ -	@Deprecated -	public void createInterfederatedSession(IRequest req, boolean isAuthenticated) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException; +	public void addFederatedSessionInformation(IRequest req, String idpEntityID, AssertionAttributeExtractor extractor) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException;  	/**  	 * Search an active federation IDP which could be used for federated Single Sign-On by using an AttributeQuery diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 50d01ce2f..a94b90931 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties 
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -112,6 +112,8 @@ service.07=Der SZR-Gateway ist unter {0} nicht erreichbar.
 service.08=Die Eintragung der ausländischen Person am SZR-Gateway ist fehlgeschlagen.
  service.09=Der SZR-Gateway Client konnte nicht initialisiert werden.
 +service.10=Die Verwendung des Service {0} ist nicht m\u00f6glich. Ursache: {1}  
 +
  cleaner.00=AuthenticationSessionCleaner wurde gestartet
  cleaner.01=Fehler im AuthenticationSessionCleaner
  cleaner.02=Abgelaufene MOASession {0} wurde aus dem Speicher entfernt
@@ -272,12 +274,15 @@ pvp2.23={0} ist keine gueltige AssertionConsumerServiceURL oder entspricht nicht
 ##add status codes!!!!
 -sp.pvp2.00=Can not build PVP AuthnRequest for IDP {0}. No valid SingleSignOnService endpoint found.
 -sp.pvp2.01=Can not build PVP AuthnRequest for IDP {0}. IDP is not allowed for federated authentication.
 -sp.pvp2.02=Can not build PVP AuthnRequest for IDP {0}. IDP has no (valid) metadata.
 -sp.pvp2.03=Receive PVP Response from IDP with unsupported Binding.  
 -sp.pvp2.04=Receive invalid PVP Response from IDP. No PVP metadata found.  
 -sp.pvp2.04=Receive invalid PVP Response from IDP {0}. StatusCode {1}.
 +sp.pvp2.00=Can not build PVP AuthnRequest for {0} {1}. No valid SingleSignOnService endpoint found.
 +sp.pvp2.01=Can not build PVP AuthnRequest for {0} {0}. IDP is not allowed for federated authentication.
 +sp.pvp2.02=Can not build PVP AuthnRequest for {0} {0}. IDP has no (valid) metadata.
 +sp.pvp2.03=Receive PVP Response from {0} with unsupported Binding.  
 +sp.pvp2.04=Receive invalid PVP Response from {0}. No PVP metadata found.  
 +sp.pvp2.05=Receive invalid PVP Response from {0} {1}. StatusCode {2}.
 +sp.pvp2.06=Receive invalid PVP Response from {0}. Assertion does not contain all required attributes.
 +sp.pvp2.07=Receive invalid PVP Response from {0}. Attribute {1} is not valid.
 +sp.pvp2.08=Receive invalid PVP Response from {0}. Response issuer {1} is not valid or allowed.
  oauth20.01=Fehlerhafte redirect url
  oauth20.02=Fehlender oder ung\u00FCltiger Parameter "{0}"
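Review bot: `sp.pvp2.01` and `sp.pvp2.02` use the placeholders `{0} {0}`, while the sibling messages `sp.pvp2.00` and `sp.pvp2.05` use `{0} {1}` in the same position; this looks like a copy-and-paste slip that prints the first argument twice and silently drops the second (presumably the IDP identifier). Change both to `Can not build PVP AuthnRequest for {0} {1}. ...`, keeping the rest of each message as is.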
 diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties index 0b00b2d29..4e36e2cbf 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties @@ -90,6 +90,21 @@ service.07=4200  service.08=4201  service.09=9007  +service.10=TODO  + +process.01=TODO +process.02=TODO +  +sp.pvp2.00=TODO +sp.pvp2.01=TODO +sp.pvp2.02=TODO +sp.pvp2.03=TODO +sp.pvp2.04=TODO +sp.pvp2.05=TODO +sp.pvp2.06=TODO +sp.pvp2.07=TODO +sp.pvp2.08=TODO +   validator.00=1102  validator.01=1102  validator.02=1102 diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java index 6d43bcdc6..125d83d6d 100644 --- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java @@ -22,6 +22,8 @@   */  package at.gv.egovernment.moa.id.module.test; +import java.util.Collection; +  import at.gv.egovernment.moa.id.auth.exception.SessionDataStorageException;  import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;  import at.gv.egovernment.moa.id.moduls.IRequest; @@ -247,6 +249,15 @@ public class TestRequestImpl implements IRequest {  		// TODO Auto-generated method stub  	} + +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.moduls.IRequest#getRequestedAttributes() +	 */ +	@Override +	public Collection<String> getRequestedAttributes() { +		// TODO Auto-generated method stub +		return null; +	} 
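Review bot: Every key added here (`service.10`, `process.01`, `process.02`, `sp.pvp2.00` to `sp.pvp2.08`) maps to the literal `TODO`, whereas the neighbouring entries carry numeric status codes (`service.09=9007`). If this bundle is what the protocol layer sends as the error status code, as its name suggests, relying parties will receive the string `TODO` for every new federated-authentication failure until real codes are assigned; either assign the codes before merging or leave the keys out so the existing handling for an unknown key (not visible here) applies.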
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java index af5950c98..a8cc1928e 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java @@ -38,7 +38,6 @@ import javax.persistence.Lob;  import javax.persistence.NamedQueries;  import javax.persistence.NamedQuery;  import javax.persistence.OneToMany; -import javax.persistence.PrePersist;  import javax.persistence.PreUpdate;  import javax.persistence.Table;  import javax.persistence.Temporal; 
@@ -130,46 +129,115 @@ public class AuthenticatedSessionStore implements Serializable{  		this.id = id;  	} +	/** +	 * Get the internal ID of this MOASession +	 *  +	 * @return moaSessionID, but never null +	 */  	public String getSessionid() {  		return sessionid; +		  	} +	/** +	 * Set the internal ID of this MOASession.  +	 *  +	 * @param sessionid The internal ID of this MOASession, but never null +	 **/  	public void setSessionid(String sessionid) {  		this.sessionid = sessionid;  	} +	/** +	 * Get the Single Sign-On SessionID of this MOASession +	 *  +	 * @return SSO SessionID +	 */  	public String getSSOsessionid() {  		return SSOsessionid;  	} +	/** +	 * Set the Single Sign-On SessionID for this MOASession +	 *  +	 * @param sSOsessionid SSO SessionID +	 */  	public void setSSOsessionid(String sSOsessionid) {  		SSOsessionid = sSOsessionid;  	} +	/** +	 * Get the serialized (and encrypted) AuthenticatedData DAO, which contains the user +	 * identification and authentication information. +	 *  +	 * @return serialized (and encryped) authenticationData, but never null +	 */  	public byte[] getSession() {  		return authSession;  	} +	/** +	 * Set the AuthenticationData DAO, as serialized (and encrypted) blob.<br><br> +	 *  +	 * <strong>This method should only be used, since MOASesion is not authenticated  +	 * <code>this.isAuthenticated() == false</code>. If the MOASession is already authenticated, +	 * the corresponding user authentication data should not be changed any more.</strong> +	 *   +	 * @param session the serialized (and encryped) authenticationData +	 */  	public void setSession(byte[] session) {  		this.authSession = session;  	} +	/** +	 * Indicates this MOASession is already authenticated. <br><br> +	 *  +	 * A authenticated MOASession contains all information, which are  +	 * needed build protocol specific authentication information.  +	 * Therefore, a user has already performed a full identification and +	 * authentication process.    
+	 *  +	 * @return true, if this MOASession is authenticated, otherwise false +	 */  	public boolean isAuthenticated() {  		return isAuthenticated;  	} +	/** +	 * Mark a MOASession as authenticated. <br><br> +	 *  +	 * A MOASession had to be marked as authenticated, if the user +	 * identification and authentication process is completed.  +	 *  +	 * @param isAuthenticated +	 */  	public void setAuthenticated(boolean isAuthenticated) {  		this.isAuthenticated = isAuthenticated;  	} +	/** +	 * Indicates this MOASession as a Single Sign-On session +	 *  +	 * @return true if it is a SSO session, otherwise false +	 */  	public boolean isSSOSession() {  		return isSSOSession;  	} +	/** +	 * Mark this MOASession as a Single Sign-On session +	 *  +	 * @param isSSOSession true, if this MOASession is a SSO session, otherwise false +	 */  	public void setSSOSession(boolean isSSOSession) {  		this.isSSOSession = isSSOSession;  	} +	/** +	 * Get a timestamp when this MOASession was created +	 *  +	 * @return timestamp +	 */  	public Date getCreated() {  		return created;  	} @@ -178,6 +246,11 @@ public class AuthenticatedSessionStore implements Serializable{  		this.created = created;  	} +	/** +	 * Get a timestamp, when this MOASession was updated last time +	 *  +	 * @return timestamp +	 */  	public Date getUpdated() {  		return updated;  	} @@ -186,6 +259,12 @@ public class AuthenticatedSessionStore implements Serializable{  		this.updated = updated;  	} +	/** +	 * Get a List of Service Providers, which has received a authentication information by using  +	 * Single Sign-On  +	 *  +	 * @return +	 */  	public List<OASessionStore> getActiveOAsessions() {  		return activeOAsessions;  	} 
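Review bot: The Javadoc added to `setSession` documents an invariant — the serialized authentication data must not be replaced once `isAuthenticated()` is true — that the setter does not enforce, and the sentence itself is garbled ("This method should only be used, since MOASesion is not authenticated"). Because this blob carries the user's identification and authentication data, either enforce the rule before the assignment, `if (isAuthenticated) { throw new IllegalStateException("authentication data of an authenticated MOASession must not be changed"); }`, or reword the doc to put the obligation on the caller: `Must only be called while this.isAuthenticated() == false; the authentication data of an authenticated session must not be replaced.` The `never null` claims on `getSessionid()` and `getSession()` are likewise not backed by any visible check in the setters and should be hedged or enforced. The same hunk leaves a stray blank line inside `getSessionid()` after `return sessionid;`, and the `@return` tags added for `getActiveOAsessions()` (next hunk) and `getOldssosessionids()` (hunk at -198) are empty — give each a description such as `@return the service-provider sessions served via Single Sign-On`.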
@@ -198,6 +277,12 @@ public class AuthenticatedSessionStore implements Serializable{  		this.activeOAsessions = activeOAsessions;  	} +	/** +	 * Get a List of old Single Sign-On SessionIDs, which are already used for this MOASession. +	 * Every SSO SessionID can only be used  once.  +	 *  +	 * @return +	 */  	public List<OldSSOSessionIDStore> getOldssosessionids() {  		return oldssosessionids;  	} @@ -207,6 +292,8 @@ public class AuthenticatedSessionStore implements Serializable{  	}  	/** +	 * Get a List of federated IDPs which are already used in this Session +	 *   	 * @return the inderfederation  	 */  	public List<InterfederationSessionStore> getInderfederation() { @@ -221,20 +308,8 @@ public class AuthenticatedSessionStore implements Serializable{  	}  	/** -	 * @return the pendingRequestID -	 */ -	public String getPendingRequestID() { -		return pendingRequestID; -	} - -	/** -	 * @param pendingRequestID the pendingRequestID to set -	 */ -	public void setPendingRequestID(String pendingRequestID) { -		this.pendingRequestID = pendingRequestID; -	} - -	/** +	 * Get the initial vector for AuthenticationData encryption +	 *   	 * @return the iv  	 */  	public byte[] getIv() { @@ -242,6 +317,8 @@ public class AuthenticatedSessionStore implements Serializable{  	}  	/** +	 * Set the inital vector for AuthenticationData encryption +	 *   	 * @param iv the iv to set  	 */  	public void setIv(byte[] iv) { 
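Review bot: Removing `getPendingRequestID()`/`setPendingRequestID()` in the hunk at -221 shows no corresponding change to the backing `pendingRequestID` field or its JPA mapping; if the field and its `@Column` are still declared elsewhere in this entity, the column keeps being persisted with no accessor to read or clear it, and if the field was removed in a hunk outside this view, the schema change for that column belongs to this commit as well. Please confirm which case applies and state it in the commit description. Separately, the Javadoc added to `setIv` in the last hunk reads `inital` (should be `initial`).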
@@ -249,14 +326,18 @@ public class AuthenticatedSessionStore implements Serializable{  	}  	/** -	 * @return the isInterfederatedSSOSession +	 * Indicates this MOASession as an federated session +	 *  +	 * @return true if it is a federated session, otherwise false  	 */  	public boolean isInterfederatedSSOSession() {  		return isInterfederatedSSOSession;  	}  	/** -	 * @param isInterfederatedSSOSession the isInterfederatedSSOSession to set +	 * Mark this MOASession as an federated session +	 *  +	 * @param isInterfederatedSSOSession true, if this MOASession is a federated session  	 */  	public void setInterfederatedSSOSession(boolean isInterfederatedSSOSession) {  		this.isInterfederatedSSOSession = isInterfederatedSSOSession; diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java index 8b720e901..bead2f593 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java @@ -71,6 +71,9 @@ public class OASessionStore implements Serializable{  	@Column(name = "attributequeryused", unique=false, nullable=false)  	private boolean attributeQueryUsed = false; +	@Column(name = "attQueryContainerID", unique=false, nullable=true) +	private String attQueryContainerID = null; +	  	@Column(name = "created", updatable=false, nullable=false)  //    @Temporal(TemporalType.TIMESTAMP)      private Date created; 
@@ -200,6 +203,21 @@ public class OASessionStore implements Serializable{  		this.authURL = authURL;  	} +	/** +	 * @return the attQueryContainerID +	 */ +	public String getAttQueryContainerID() { +		return attQueryContainerID; +	} + +	/** +	 * @param attQueryContainerID the attQueryContainerID to set +	 */ +	public void setAttQueryContainerID(String attQueryContainerID) { +		this.attQueryContainerID = attQueryContainerID; +	} + +	 diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java index 965abcde1..55504dcb0 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java @@ -34,6 +34,7 @@ import at.gv.egovernment.moa.id.config.auth.IGarbageCollectorProcessing;  import at.gv.egovernment.moa.id.config.auth.MOAGarbageCollector;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MOASPMetadataSignatureFilter;  import at.gv.egovernment.moa.id.saml2.MetadataFilterChain;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.MiscUtil; 
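Review bot: The generated Javadoc on `getAttQueryContainerID()`/`setAttQueryContainerID()` only restates the field name; since this value is persisted per service-provider session, say what it identifies and who resolves it. From the rest of this commit it looks like the key under which a data container for a later AttributeQuery is kept in transaction storage, but that should be confirmed against the code that writes it. Suggested: `/** Identifier of the stored data-container that answers a later AttributeQuery for this SP session; null if none is stored. */`. The hunk also adds a whitespace-only line (`+\t `) at its end.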
@@ -178,7 +179,7 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi  			//add Metadata filters  			MetadataFilterChain filter = new MetadataFilterChain(); -			filter.addFilter(new MOAeIDASMetadataSignatureFilter( +			filter.addFilter(new MOASPMetadataSignatureFilter(  					authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE)));  			httpProvider.setMetadataFilter(filter); diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java index 935cefdf9..f682913e6 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java @@ -22,6 +22,12 @@ package at.gv.egovernment.moa.id.auth.modules.elgamandates;   * that you distribute must include a readable copy of the "NOTICE" text file.   */ +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; + +import at.gv.egovernment.moa.id.data.Pair; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;  /**   * @author tlenz 
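Review bot: Swapping `MOAeIDASMetadataSignatureFilter` for the generic `MOASPMetadataSignatureFilter` changes which validation eIDAS metadata passes before it is trusted; unless the two filters are known to perform the same checks against the truststore named by `CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE`, any eIDAS-specific verification the old filter did is silently dropped. Please confirm the generic filter covers it (and whether the old class is now unused) and leave the reason on this line, e.g. `//eIDAS metadata is validated by the generic SP metadata signature filter against the eIDAS truststore`. The enclosing method starts and ends outside this hunk.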
@@ -29,13 +35,24 @@ package at.gv.egovernment.moa.id.auth.modules.elgamandates;   */  public class ELGAMandatesAuthConstants { +	public static final String MODULE_NAME_FOR_LOGGING = "ELGA Mandate-Service"; +	  	public static final int METADATA_VALIDUNTIL_IN_HOURS = 24;  +	//Service endpoint definitions  	public static final String ENDPOINT_POST = "/sp/elga_mandate/post";  	public static final String ENDPOINT_REDIRECT = "/sp/elga_mandate/redirect";  	public static final String ENDPOINT_METADATA = "/sp/elga_mandate/metadata"; -	public static final String CONFIG_PROPS_PREFIX = "modules.elga_mandate.";	 +	//configuration properties +	public static final String CONFIG_PROPS_PREFIX = "modules.elga_mandate."; +	 +	public static final String CONFIG_PROPS_SUBJECTNAMEID_TARGET = CONFIG_PROPS_PREFIX + "nameID.target"; +	 +	public static final String CONFIG_PROPS_ENTITYID = CONFIG_PROPS_PREFIX + "service.entityID"; +	public static final String CONFIG_PROPS_METADATAURL = CONFIG_PROPS_PREFIX + "service.metadataurl"; +	public static final String CONFIG_PROPS_METADATA_TRUSTPROFILE = CONFIG_PROPS_PREFIX + "service.metadata.trustprofileID"; +	  	public static final String CONFIG_PROPS_KEYSTORE = CONFIG_PROPS_PREFIX + "keystore.path";  	public static final String CONFIG_PROPS_KEYSTOREPASSWORD = CONFIG_PROPS_PREFIX + "keystore.password";  	public static final String CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "metadata.sign.password"; 
@@ -45,7 +62,42 @@ public class ELGAMandatesAuthConstants {  	public static final String CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.password";  	public static final String CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.alias"; +	 +	/**  +	 *  +	 * Get required PVP attributes +	 * First : PVP attribute name (OID)  +	 * Second: FriendlyName +	 *  +	 */ +	public static final List<Pair<String, String>> REQUIRED_PVP_ATTRIBUTES =  +			Collections.unmodifiableList(new ArrayList<Pair<String, String>>() { +				private static final long serialVersionUID = 1L; +				{	 +					//request mandate type					 +					add(Pair.newInstance(PVPConstants.MANDATE_TYPE_NAME, PVPConstants.MANDATE_TYPE_FRIENDLY_NAME)); +					 +					//request attributes for natural mandators   +					add(Pair.newInstance(PVPConstants.MANDATE_NAT_PER_BPK_NAME, PVPConstants.MANDATE_NAT_PER_BPK_FRIENDLY_NAME)); +					add(Pair.newInstance(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME, PVPConstants.MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME)); +					add(Pair.newInstance(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME, PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_FRIENDLY_NAME)); +					add(Pair.newInstance(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME, PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME)); +					 +					//request reference_value +					add(Pair.newInstance(PVPConstants.MANDATE_REFERENCE_VALUE_NAME, PVPConstants.MANDATE_REFERENCE_VALUE_FRIENDLY_NAME)); +				} +			}); +	 +	  	public static final String CONFIG_DEFAULT_QAA_STORK_LEVEL = "http://www.stork.gov.eu/1.0/citizenQAALevel/4";  	public static final String CONFIG_DEFAULT_QAA_SECCLASS_LEVEL = "http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3"; + +	public static List<String> getRequiredAttributeNames() { +		List<String> list = new ArrayList<String>(); +		for (Pair<String, String> el : REQUIRED_PVP_ATTRIBUTES) +			list.add(el.getFirst()); +		return list; +	} +	  } 
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml index 1c0071c4a..b648e4d27 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml @@ -16,6 +16,11 @@  	<pd:Task id="prepareGetMISMandate" 			class="PrepareGetMISMandateTask" />  	<pd:Task id="finalizeAuthentication" 		class="FinalizeAuthenticationTask" />  	<pd:Task id="getForeignID"              class="GetForeignIDTask"              async="true" /> +	 +	<!-- ELGA Mandate-Service Tasks --> +	<pd:Task id="requestELGAMandateTask"    				class="RequestELGAMandateTask" /> +	<pd:Task id="receiveElgaMandateResponseTask"    class="ReceiveElgaMandateResponseTask"  async="true"/> +	  	<!-- Process is triggered either by GenerateIFrameTemplateServlet (upon bku selection) or by AuthenticationManager (upon legacy authentication start using legacy parameters. -->  	<pd:StartEvent id="start" /> 
@@ -39,11 +44,15 @@  	<pd:Transition from="verifyCertificate"         to="getForeignID" />  	<pd:Transition from="verifyAuthBlock"           to="prepareGetMISMandate" conditionExpression="ctx['useMandate']" /> +	<pd:Transition from="verifyAuthBlock"           to="requestELGAMandateTask" conditionExpression="ctx['useELGAMandate']" />  	<pd:Transition from="verifyAuthBlock"           to="finalizeAuthentication" /> -	 -	<pd:Transition from="prepareGetMISMandate"      to="getMISMandate" /> +	<pd:Transition from="requestELGAMandateTask"      		to="receiveElgaMandateResponseTask" /> +	<pd:Transition from="receiveElgaMandateResponseTask"  to="finalizeAuthentication" /> +	 +	<pd:Transition from="prepareGetMISMandate"      to="getMISMandate" />	  	<pd:Transition from="getMISMandate"           	to="finalizeAuthentication" /> +	  	<pd:Transition from="getForeignID"              to="finalizeAuthentication" />  	<pd:Transition from="finalizeAuthentication"    to="end" /> diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml index 89f1edd06..6e567a42c 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml 
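Review bot: The new `useELGAMandate` transition from `verifyAuthBlock` is declared after the existing `useMandate` transition and before the unconditional one to `finalizeAuthentication`; if the process engine evaluates transitions in declaration order (not verifiable from this hunk), a context with both flags set silently takes the MIS mandate path and the ELGA mandate request is never sent. Document the precedence next to the transitions, `<!-- useMandate takes precedence over useELGAMandate: with both flags set the MIS mandate path is taken -->`, or make the two flags mutually exclusive where they are set.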
@@ -14,23 +14,25 @@  		<property name="priority" value="1" />  	</bean> -	<bean id="FederatedAuthCredentialProvider" -	      class="at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider"/> +	<bean	id="ELGAMandate_MetadataProvider" +				class="at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandateServiceMetadataProvider"/> -	<bean	id="FederatedAuthMetadataController" -				class="at.gv.egovernment.moa.id.auth.modules.federatedauth.controller.FederatedAuthMetadataController"/> -									 -	<bean	id="FederatedAuthSignalController" -				class="at.gv.egovernment.moa.id.auth.modules.federatedauth.controller.FederatedAuthSignalController"/> +	<bean	id="ELGAMandatesCredentialProvider" +				class="at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandatesCredentialProvider"/> +	<bean	id="ELGAMandateMetadataController" +				class="at.gv.egovernment.moa.id.auth.modules.elgamandates.controller.ELGAMandateMetadataController"/> +				 +	<bean	id="ELGAMandateSignalController" +				class="at.gv.egovernment.moa.id.auth.modules.elgamandates.controller.ELGAMandateSignalController"/>  <!-- Federated Authentication Process Tasks --> -	<bean id="CreateFederatedAuthnRequestTask"  -				class="at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks.CreateAuthnRequestTask" +	<bean id="RequestELGAMandateTask"  +				class="at.gv.egovernment.moa.id.auth.modules.elgamandates.tasks.RequestELGAMandateTask"  				scope="prototype"/> -	<bean id="ReceiveFederatedAuthnResponseTask"  -				class="at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks.ReceiveAuthnResponseTask" +	<bean id="ReceiveElgaMandateResponseTask"  +				class="at.gv.egovernment.moa.id.auth.modules.elgamandates.tasks.ReceiveElgaMandateResponseTask"  				scope="prototype"/>  </beans>
\ No newline at end of file diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java index 1f9d9e3a0..21fe4e5fa 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java @@ -33,6 +33,7 @@ import com.google.gson.JsonPrimitive;  import at.gv.egovernment.moa.id.auth.stork.STORKConstants;  import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;  import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.Pair;  import at.gv.egovernment.moa.id.protocols.builder.attributes.BPKAttributeBuilder;  import at.gv.egovernment.moa.id.protocols.builder.attributes.EIDAuthBlock;  import at.gv.egovernment.moa.id.protocols.builder.attributes.EIDCcsURL; @@ -59,7 +60,6 @@ import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateProfRepDescA  import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateProfRepOIDAttributeBuilder;  import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateReferenceValueAttributeBuilder;  import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateTypeAttributeBuilder; -import at.gv.egovernment.moa.id.protocols.oauth20.Pair;  import at.gv.egovernment.moa.id.protocols.oauth20.protocol.OAuth20AuthRequest;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;  import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; 
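Review bot: The comment `<!-- Federated Authentication Process Tasks -->` now heads the ELGA mandate task beans (`RequestELGAMandateTask`, `ReceiveElgaMandateResponseTask`); it survived from the federated-authentication beans this hunk replaces and no longer describes what follows. Change it to `<!-- ELGA Mandate-Service Process Tasks -->`. The file is also left without a trailing newline.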
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
index 33d057fe9..518a694b0 100644
--- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
@@ -38,13 +38,13 @@ import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
 import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.Pair;
 import at.gv.egovernment.moa.id.data.SLOInformationImpl;
 import at.gv.egovernment.moa.id.data.SLOInformationInterface;
 import at.gv.egovernment.moa.id.moduls.IAction;
 import at.gv.egovernment.moa.id.moduls.IRequest;
 import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
 import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject;
-import at.gv.egovernment.moa.id.protocols.oauth20.Pair;
 import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OAuth20AttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OpenIdExpirationTimeAttribute;
 import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception;
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java
index e2f851132..1f7f27617 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java @@ -28,6 +28,8 @@ package at.gv.egovernment.moa.id.auth.modules.federatedauth;   */  public class FederatedAuthConstants { +	public static final String MODULE_NAME_FOR_LOGGING = "federated IDP"; +	  	public static final int METADATA_VALIDUNTIL_IN_HOURS = 24;   	public static final String ENDPOINT_POST = "/sp/federated/post"; diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java index 29b6ea18b..0f2c85350 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java @@ -278,4 +278,13 @@ public class FederatedAuthMetadataConfiguration implements IPVPMetadataBuilderCo  	} + +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#getSPNameForLogging() +	 */ +	@Override +	public String getSPNameForLogging() { +		return FederatedAuthConstants.MODULE_NAME_FOR_LOGGING; +	} +  } 
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java index eca5c7649..4ae162f5a 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java @@ -27,6 +27,7 @@ import org.opensaml.saml2.core.NameID;  import org.opensaml.saml2.metadata.EntityDescriptor;  import org.opensaml.xml.security.credential.Credential; +import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants;  import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation;  /** @@ -157,5 +158,22 @@ public class FederatedAuthnRequestBuilderConfiguration implements IPVPAuthnReque  		return null;  	} +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSPNameForLogging() +	 */ +	@Override +	public String getSPNameForLogging() { +		return FederatedAuthConstants.MODULE_NAME_FOR_LOGGING; +	} + +	/* (non-Javadoc) +	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDFormat() +	 */ +	@Override +	public String getSubjectNameIDFormat() { +		// TODO Auto-generated method stub +		return null; +	} +  } 
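Review bot: `getSubjectNameIDFormat()` is added as an `@Override` that returns `null` under an auto-generated TODO, so the NameID format this configuration requests from the federated IDP is left undefined; if the AuthnRequest builder dereferences it (not visible here) every federated request fails, and if `null` is meant as "request no specific NameIDPolicy/Format" that is a protocol-relevant decision that should be stated rather than left as a stub. Replace the TODO with the intended format or with an explicit comment, `// null: no specific NameID format is requested from the federated IDP (builder must tolerate null)`, and confirm the builder handles the null case.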
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java index 2e134713b..06664af45 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java @@ -89,7 +89,7 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask {  				Logger.debug("isInderfederationIDP:" + String.valueOf(idpConfig.isInderfederationIDP())  					+ " isInboundSSOAllowed:" + String.valueOf(idpConfig.isInboundSSOInterfederationAllowed())); -				handleAuthnRequestBuildProblem(executionContext, idpConfig, "sp.pvp2.01", new Object[]{idpEntityID});  +				handleAuthnRequestBuildProblem(executionContext, idpConfig, "sp.pvp2.01", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING, idpEntityID});   				return; @@ -102,7 +102,7 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask {  				Logger.warn("Requested IDP " + idpEntityID   						+ " has no valid metadata or metadata is not found"); -				handleAuthnRequestBuildProblem(executionContext, idpConfig, "sp.pvp2.02", new Object[]{idpEntityID});		 +				handleAuthnRequestBuildProblem(executionContext, idpConfig, "sp.pvp2.02", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING, idpEntityID});		  				return;  			} 
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java index 49f9782ae..d87109244 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java @@ -23,14 +23,21 @@  package at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks;  import java.io.IOException; +import java.util.Collection; +import java.util.List; +import java.util.Set;  import javax.servlet.http.HttpServletRequest;  import javax.servlet.http.HttpServletResponse;  import javax.xml.transform.TransformerException; +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.AttributeQuery;  import org.opensaml.saml2.core.Response;  import org.opensaml.saml2.core.StatusCode;  import org.opensaml.ws.message.decoder.MessageDecodingException; +import org.opensaml.ws.soap.common.SOAPException; +import org.opensaml.xml.XMLObject;  import org.opensaml.xml.io.MarshallingException;  import org.opensaml.xml.security.SecurityException;  import org.springframework.beans.factory.annotation.Autowired; 
@@ -38,25 +45,39 @@ import org.springframework.stereotype.Component;  import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;  import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.exception.BuildException;  import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; +import at.gv.egovernment.moa.id.auth.exception.SessionDataStorageException;  import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;  import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; +import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants;  import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;  import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.FederatedAuthenticatenContainer;  import at.gv.egovernment.moa.id.moduls.RequestImpl;  import at.gv.egovernment.moa.id.moduls.SSOManager;  import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;  import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder;  import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;  import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException;  import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnResponseValidationException;  import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;  import 
at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;  import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;  import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;  import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;  import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; +import at.gv.egovernment.moa.id.storage.ITransactionStorage;  import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.MiscUtil; @@ -67,9 +88,12 @@ import at.gv.egovernment.moa.util.MiscUtil;  @Component("ReceiveFederatedAuthnResponseTask")  public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { -	@Autowired SAMLVerificationEngine samlVerificationEngine; -	@Autowired FederatedAuthCredentialProvider credentialProvider; -	@Autowired SSOManager ssoManager; +	@Autowired private SAMLVerificationEngine samlVerificationEngine; +	@Autowired private FederatedAuthCredentialProvider credentialProvider; +	@Autowired private SSOManager ssoManager; +	@Autowired private AttributQueryBuilder attributQueryBuilder; +	@Autowired private ITransactionStorage transactionStorage; +	  	/* (non-Javadoc)  	 * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) 
@@ -94,21 +118,21 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {  			} else {  				Logger.warn("Receive PVP Response, but Binding ("   						+ request.getMethod() + ") is not supported."); -				throw new AuthnResponseValidationException("sp.pvp2.03", null); +				throw new AuthnResponseValidationException("sp.pvp2.03", new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING});  			}  			//decode PVP response object -			msg = (InboundMessage) decoder.decode(request, response, true); +			msg = (InboundMessage) decoder.decode(request, response, MOAMetadataProvider.getInstance(), true);  			if (MiscUtil.isEmpty(msg.getEntityID())) { -				throw new InvalidProtocolRequestException("sp.pvp2.04", new Object[] {}); +				throw new InvalidProtocolRequestException("sp.pvp2.04", new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING});  			}  			//validate response signature  			if(!msg.isVerified()) { -				samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); +				samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine(MOAMetadataProvider.getInstance()));  				msg.setVerified(true);  			} 
@@ -118,12 +142,77 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {  			//validate assertion  			MOAResponse processedMsg = preProcessAuthResponse((MOAResponse) msg); -			//store valid assertion into pending-request -			pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg); +			//load IDP and SP configuration +			IOAAuthParameters idpConfig = authConfig.getOnlineApplicationParameter(msg.getEntityID()); +			IOAAuthParameters spConfig = pendingReq.getOnlineApplicationConfiguration(); +			 +			//check if response Entity is valid +			if (!idpConfig.isInderfederationIDP()) { +				Logger.warn("Response Issuer is not a federated IDP. Stopping federated authentication ..."); +				throw new AuthnResponseValidationException("sp.pvp2.08",  +						new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING, +								msg.getEntityID()}); +				 +			} -			//update MOASession with federation information -			authenticatedSessionStorage.createInterfederatedSession(pendingReq, true); +			//load MOASession from database +			defaultTaskInitialization(request, executionContext); +			//initialize Attribute extractor +			AssertionAttributeExtractor extractor =  +					new AssertionAttributeExtractor((Response) processedMsg.getResponse()); +			 +			//check if SP is also a federated IDP +			if (spConfig.isInderfederationIDP()) { +				//SP is a federated IDP  --> answer only with nameID and wait for attribute-Query +				pendingReq.setGenericDataToSession( +						PVPTargetConfiguration.DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP, true);				 +				pendingReq.setGenericDataToSession( +						PVPTargetConfiguration.DATAID_INTERFEDERATION_NAMEID, extractor.getNameID()); +				pendingReq.setGenericDataToSession( +						PVPTargetConfiguration.DATAID_INTERFEDERATION_QAALEVEL, extractor.getQAALevel()); + 				 +				//build data-container for AttributeQuery +				FederatedAuthenticatenContainer container = new 
FederatedAuthenticatenContainer(); +				container.setIdpEntityID(idpConfig.getPublicURLPrefix()); +				container.setUserNameID(extractor.getNameID()); +				container.setUserQAALevel(extractor.getQAALevel()); +								 +				if (idpConfig.isInterfederationSSOStorageAllowed()) { +					//open SSO session and store IDP as federated IDP +					container.setMoaSessionID(moasession.getSessionID()); +					 +					//store federatedIDP to MOASession +					authenticatedSessionStorage. +						addFederatedSessionInformation(pendingReq,  +							idpConfig.getPublicURLPrefix(), extractor); +										 +				}  +				 +				//store container into transaction storage +				transactionStorage.put(container.getId(), container); +				 +				//store container ID to pending-request +				pendingReq.setGenericDataToSession( +						PVPTargetConfiguration.DATAID_INTERFEDERATION_ATTRQUERYCONTAINERID,  +							container.getId()); +				 +			} else { +				//SP is real Service-Provider  --> check attributes in response  +				// and start Attribute-Query if required  +				 +				//get authenticationData and store it into MOASession +				getAuthDataFromInterfederation(extractor, pendingReq.getOnlineApplicationConfiguration(),  +						idpConfig);	 +				 +				//update MOASession			 +				authenticatedSessionStorage.storeSession(moasession); + +			} +										 +			//store valid assertion into pending-request +			pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg); +						  			//store pending-request  			requestStoreage.storePendingRequest(pendingReq); 
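Review bot: `idpConfig`, looked up via `authConfig.getOnlineApplicationParameter(msg.getEntityID())`, is dereferenced at `idpConfig.isInderfederationIDP()` with no null check, so a correctly signed response from an issuer that has no online-application configuration would fail with a NullPointerException and a generic task error instead of the `sp.pvp2.08` rejection the new code intends — unless getOnlineApplicationParameter is guaranteed non-null, which the hunk does not show. I would fold it into the existing guard: `if (idpConfig == null || !idpConfig.isInderfederationIDP()) {` so an unknown issuer is logged and rejected on the same path as a non-federated one. `spConfig` has the same shape of risk at `spConfig.isInderfederationIDP()`, though it comes from the pending request and is presumably validated earlier in the flow. The enclosing method starts and ends outside this hunk.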
@@ -165,6 +254,104 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {  	} +	private void getAuthDataFromInterfederation(AssertionAttributeExtractor extractor, IOAAuthParameters spConfig,  +			IOAAuthParameters idpConfig) throws BuildException, ConfigurationException{ +		 +		try { +			Logger.debug("Service Provider is no federated IDP --> start Attribute validation or requesting ... "); +			Collection<String> requestedAttr = pendingReq.getRequestedAttributes(); +							 +			//check if SAML2 Assertion contains a minimal set of attributes +			if (!extractor.containsAllRequiredAttributes()) { +				Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ..."); +				//collect attributes by using BackChannel communication +				String endpoint = idpConfig.getIDPAttributQueryServiceURL();			 +				if (MiscUtil.isEmpty(endpoint)) { +					Logger.error("No AttributeQueryURL for interfederationIDP " + idpConfig.getPublicURLPrefix()); +					throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + idpConfig.getPublicURLPrefix(), null); +					 +				} +													 +				//build attributQuery request +				List<Attribute> attributs =  +						attributQueryBuilder.buildSAML2AttributeList(spConfig, requestedAttr.iterator()); +				AttributeQuery query =  +						attributQueryBuilder.buildAttributQueryRequest(extractor.getNameID(), endpoint, attributs); +			 +				//build SOAP request				 +				List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query); +			 +				if (xmlObjects.size() == 0) { +					Logger.error("Receive emptry AttributeQuery response-body."); +					throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null); +				 +				} +			 +				if (xmlObjects.get(0) instanceof Response) { +					Response intfResp = (Response) xmlObjects.get(0); +				 +					//validate PVP 2.1 response +					try { +						samlVerificationEngine.verifyIDPResponse(intfResp,  
+								TrustEngineFactory.getSignatureKnownKeysTrustEngine( +										MOAMetadataProvider.getInstance())); +						 +						//create assertion attribute extractor from AttributeQuery response +						extractor = new AssertionAttributeExtractor(intfResp); +										 +					} catch (Exception e) { +						Logger.warn("PVP 2.1 assertion validation FAILED.", e); +						throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e); +					} +												 +				} else { +					Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response"); +					throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null); +				 +				} +								 +			} else { +				Logger.info("Interfedation response include a minimal set of attributes with are required. Skip AttributQuery request step. "); +				 +			}														 +			 +			//check if all attributes are include +			if (!extractor.containsAllRequiredAttributes( +					pendingReq.getRequestedAttributes())) { +				Logger.warn("PVP Response from federated IDP contains not all requested attributes."); +				throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING}); +				 +			} +			 +			//copy attributes into MOASession +			Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames(); +			for (String el : includedAttrNames) { +				moasession.setGenericDataToSession(el, extractor.getSingleAttributeValue(el)); +				Logger.debug("Add PVP-attribute " + el + " into MOASession"); +				 +			}	 +									 +		} catch (SOAPException e) { +			throw new BuildException("builder.06", null, e); +			 +		} catch (SecurityException e) { +			throw new BuildException("builder.06", null, e); +			 +		} catch (AttributQueryException e) { +			throw new BuildException("builder.06", null, e); +			 +		} catch (SessionDataStorageException e) { +			throw new BuildException("builder.06", null, e); +			 +		} catch 
(AssertionValidationExeption e) { +			throw new BuildException("builder.06", null, e); +			 +		} catch (AssertionAttributeExtractorExeption e) { +			throw new BuildException("builder.06", null, e); +			 +		} +	} +	  	/**  	 * @param executionContext  	 * @param idpConfig @@ -215,8 +402,8 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {  		} else {  			Logger.info("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue()   				+ " from federated IDP."); -			throw new AuthnResponseValidationException("sp.pvp2.04",  -					new Object[]{samlResp.getIssuer().getValue(), samlResp.getStatus().getStatusCode().getValue()}); +			throw new AuthnResponseValidationException("sp.pvp2.05",  +					new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING, samlResp.getIssuer().getValue(), samlResp.getStatus().getStatusCode().getValue()});  		} diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java index e85f8ce6b..64c0a0c8e 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java @@ -81,8 +81,6 @@ public class SAML1RequestImpl extends RequestImpl {  				reqAttr.add(PVPConstants.MANDATE_FULL_MANDATE_NAME);  		} -		//return attributQueryBuilder.buildSAML2AttributeList(this.getOnlineApplicationConfiguration(), reqAttr.iterator()); -  		return reqAttr;  	} | 
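Review bot: In getAuthDataFromInterfederation the AttributeQuery response wholesale replaces `extractor` right after `samlVerificationEngine.verifyIDPResponse(intfResp, ...)`, so every attribute the final loop copies into the MOASession comes from the back-channel response, yet nothing in the hunk checks that `intfResp.getIssuer()` is the IDP whose front-channel assertion started this flow or that the returned subject matches the `extractor.getNameID()` that was queried. If verifyIDPResponse only validates the signature against the metadata trust engine (not visible here), a response signed by any other trusted entity, or one carrying a different subject, would pass and populate the session with its attributes. Unless that binding already happens inside verifyIDPResponse, I would add directly after the verify call: `if (!idpConfig.getPublicURLPrefix().equals(intfResp.getIssuer().getValue())) throw new AssertionValidationExeption("sp.pvp2.08", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING, intfResp.getIssuer().getValue()});` (the hunk itself uses getPublicURLPrefix as the IDP entity ID for the container), and a matching comparison of the new extractor's NameID against the queried one before the extractor is swapped. The loop over `getAllIncludeAttributeNames()` also copies attributes that were never requested into the session; if that is intended it deserves a comment, otherwise restrict it to `pendingReq.getRequestedAttributes()`.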
