3 files changed, 54 insertions, 34 deletions
|
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 17d6898ee..ddcc6e1d1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -39,6 +39,7 @@ import org.opensaml.saml2.core.Attribute;
 import org.opensaml.saml2.core.AttributeQuery;
 import org.opensaml.saml2.core.AttributeStatement;
 import org.opensaml.saml2.core.Response;
+import org.opensaml.saml2.core.StatusResponseType;
 import org.opensaml.ws.soap.common.SOAPException;
 import org.opensaml.xml.XMLObject;
 import org.opensaml.xml.security.SecurityException;
@@ -76,6 +77,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExt
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
@@ -239,11 +241,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
 				attributs = reqQueryAttr;
 			//IDP is a service provider IDP and request interfederated IDP to collect attributes				
-			} else {
-				
-				//TODO: check if response include attributes and map this attributes to requested attributes
-				//TODO: insert code to parse Attributes from AuthnRespones for USP --> Zustelldienst
-				
+			} else {												
 				//get PVP 2.1 attributes from protocol specific requested attributes
 				attributs = req.getRequestedAttributes();
@@ -255,44 +253,52 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
 				Logger.error("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix());
 				throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix(), null);
 			}
+
+			
+			//TODO: check if response include attributes and map this attributes to requested attributes
+			//TODO: insert code to parse Attributes from AuthnRespones for USP --> Zustelldienst
+			Response intfResp = (Response) req.getInterfederationResponse().getResponse();
+			AssertionAttributeExtractor extractor = 
+					new AssertionAttributeExtractor(intfResp);			
-			//build attributQuery request
-			AttributeQuery query = 
-					AttributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs);
+			if (!extractor.containsAllRequiredAttributes()) {			
+				//build attributQuery request
+				AttributeQuery query = 
+						AttributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs);
-			//build SOAP request				
-			List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query);
+				//build SOAP request				
+				List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query);
-			if (xmlObjects.size() == 0) {
-				Logger.error("Receive emptry AttributeQuery response-body.");
-				throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null);
+				if (xmlObjects.size() == 0) {
+					Logger.error("Receive emptry AttributeQuery response-body.");
+					throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null);
-			}
+				}
-			if (xmlObjects.get(0) instanceof Response) {
-				Response intfResp = (Response) xmlObjects.get(0);
+				if (xmlObjects.get(0) instanceof Response) {
+					intfResp = (Response) xmlObjects.get(0);
-				//validate PVP 2.1 response
-				try {
-					SAMLVerificationEngine engine = new SAMLVerificationEngine();
-					engine.verifyResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine());
+					//validate PVP 2.1 response
+					try {
+						SAMLVerificationEngine engine = new SAMLVerificationEngine();
+						engine.verifyResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine());
-					SAMLVerificationEngine.validateAssertion(intfResp, false);
+						SAMLVerificationEngine.validateAssertion(intfResp, false);
-				} catch (Exception e) {
-					Logger.warn("PVP 2.1 assertion validation FAILED.", e);
-					throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e);
-				}
-				
-				//parse response information to authData
-				buildAuthDataFormInterfederationResponse(authdata, session, intfResp);
-								
-			} else {
-				Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response");
-				throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null);
+					} catch (Exception e) {
+						Logger.warn("PVP 2.1 assertion validation FAILED.", e);
+						throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e);
+					}
+												
+				} else {
+					Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response");
+					throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null);
+				}
 			}
-										 						
+			//parse response information to authData
+			buildAuthDataFormInterfederationResponse(authdata, session, intfResp);			
+			
 		} catch (SOAPException e) {
 			throw new BuildException("builder.06", null, e);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
index 0d34fcb87..1e38bd4ff 100644
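Review bot: The new fast path takes `intfResp` straight from `req.getInterfederationResponse().getResponse()` and, whenever `extractor.containsAllRequiredAttributes()` returns true, passes it to `buildAuthDataFormInterfederationResponse` without the `verifyResponse`/`validateAssertion` step that now only covers the AttributeQuery branch, so the signature and assertion checks no longer guard every `Response` that feeds `authdata`. Today the stub returns false and the branch is dead, but the moved TODOs show it is meant to become live; unless the stored interfederation response is already verified where it is received (not visible here), the `try`/`catch` around `SAMLVerificationEngine` should be hoisted out of the `if` so it runs on whichever `Response` ends up in `intfResp` before the parse call. The same added line dereferences `req.getInterfederationResponse()` and casts its payload to `Response` unchecked; a guard such as `if (req.getInterfederationResponse() == null || !(req.getInterfederationResponse().getResponse() instanceof Response))` that fails with the existing `AttributQueryException` pattern would turn a missing or non-Response payload into a logged error instead of an NPE/ClassCastException. `new AssertionAttributeExtractor(intfResp)` may also throw `AssertionAttributeExtractorExeption` (the third file's hunk shows such a `throw` just above the new methods, presumably in the constructor), which none of the catch clauses visible in this hunk names. The enclosing method starts and ends outside the hunk, and the `StatusResponseType` import added in the first hunk does not appear to be used here.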
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
@@ -269,7 +269,7 @@ public class DispatcherServlet extends AuthServlet{
 							info = ModulStorage.getModuleByPath(protocolRequest.requestedModule());
 							moduleAction = info.getAction(protocolRequest.requestedAction());
-							//create interfederated mOASession
+							//create interfederated MOASession
 							String sessionID =  
 									AuthenticationSessionStoreage.createInterfederatedSession(protocolRequest, true, ssoId);
 							req.getParameterMap().put(PARAM_SESSIONID, sessionID);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
index ee0088576..9aadfdc28 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
@@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.utils;
 import java.util.List;
 import org.opensaml.saml2.core.Assertion;
+import org.opensaml.saml2.core.Attribute;
 import org.opensaml.saml2.core.AuthnContextClassRef;
 import org.opensaml.saml2.core.AuthnStatement;
 import org.opensaml.saml2.core.Response;
@@ -54,6 +55,19 @@ public class AssertionAttributeExtractor {
 			throw new AssertionAttributeExtractorExeption();		
 	}
+	public boolean containsAllRequiredAttributes() {
+		//TODO: add default attribute list
+		return containsAllRequiredAttributes(null);
+		
+	}
+	
+	public boolean containsAllRequiredAttributes(List<Attribute> attributs) {		
+		//TODO: add validation		
+		return false;
+		
+	}
+	
+	
 	public String getNameID() throws AssertionAttributeExtractorExeption {		
 		if (assertion.getSubject() != null) {
 			Subject subject = assertion.getSubject();
|
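Review bot: `containsAllRequiredAttributes(List<Attribute> attributs)` is a fail-closed stub — it ignores `attributs` and returns `false`, so the caller in AuthenticationDataBuilder always falls back to the AttributeQuery — which is the safe default, but nothing records that intent, and the two `//TODO` lines read as "not done yet" rather than "must stay false until done". A Javadoc on the list-taking overload stating that it returns `true` only when every attribute in the given list is present in the assertion, and on the no-arg overload that its `null` argument stands for a default required-attribute list still to be defined, would keep a later implementer from flipping it to a permissive default while the validation is being written. When the TODO is done, resolving `null` to the default list inside the no-arg overload rather than letting the list-taking overload treat `null` specially keeps each overload's contract explicit. The `throw new AssertionAttributeExtractorExeption()` context line belongs to a method that begins outside the hunk.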
