aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--id/server/doc/handbook/protocol/protocol.html4
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java37
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java11
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java37
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java10
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java (renamed from id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKRoleMapper.java)40
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties1
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties1
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties9
-rw-r--r--id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_role_mapping.properties2
11 files changed, 125 insertions, 33 deletions
diff --git a/id/server/doc/handbook/protocol/protocol.html b/id/server/doc/handbook/protocol/protocol.html
index e7658875c..1c6e51661 100644
--- a/id/server/doc/handbook/protocol/protocol.html
+++ b/id/server/doc/handbook/protocol/protocol.html
@@ -632,6 +632,10 @@ Redirect Binding</td>
<td>1204</td>
<td>Ein STORK Attribut wei&szlig;t ein fehlerhaftes Format auf.</td>
</tr>
+ <tr>
+ <td>1205</td>
+ <td>Der geforderte QAA Level ist h&ouml;her als der QAA Level der gew&auml;hlten Authentifizierungsmethode</td>
+ </tr>
</table>
<h3><a name="statuscodes_4xxxx" id="allgemeines_zugangspunkte8"></a>1.3.2 Statuscodes 4xxxx</h3>
<p>Alles Statuscodes beginnend mit der Zahl vier beschreiben Fehler die w&auml;hrend der Kommunikation mit externen Services aufgetreten sind.</p>
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 5c0e497a3..52488c3cb 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -96,6 +96,7 @@ import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData;
import at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl;
import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
import at.gv.egovernment.moa.id.util.IdentityLinkReSigner;
+import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper;
import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate;
import at.gv.egovernment.moa.logging.Logger;
@@ -526,10 +527,40 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
}
- if (extractor.containsAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME))
- authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX +
- extractor.getSingleAttributeValue(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME));
+ try {
+ String qaaLevel = extractor.getQAALevel();
+ if (MiscUtil.isNotEmpty(qaaLevel) &&
+ qaaLevel.startsWith(PVPConstants.STORK_QAA_PREFIX)) {
+ authData.setQAALevel(qaaLevel);
+
+ } else {
+ Logger.debug("Found PVP QAA level. QAA mapping process starts ... ");
+ String mappedQAA = PVPtoSTORKMapper.getInstance().mapQAALevel(qaaLevel);
+ if (MiscUtil.isNotEmpty(mappedQAA))
+ authData.setQAALevel(mappedQAA);
+
+ else
+ throw new AssertionAttributeExtractorExeption("PVP SecClass not mappable");
+
+ }
+
+ } catch (AssertionAttributeExtractorExeption e) {
+ Logger.warn("No QAA level found in <RequestedAuthnContext> element of interfederated assertion. " +
+ "(ErrorHeader=" + e.getMessage() + ")");
+ if (extractor.containsAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) {
+ authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX +
+ extractor.getSingleAttributeValue(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME));
+
+ } else {
+ Logger.info("No QAA level found. Set to default level " +
+ PVPConstants.STORK_QAA_PREFIX + "1");
+ authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + "1");
+
+ }
+
+ }
+
if (extractor.containsAttribute(PVPConstants.EID_AUTH_BLOCK_NAME)) {
try {
byte[] authBlock = Base64Utils.decode(extractor.getSingleAttributeValue(PVPConstants.EID_AUTH_BLOCK_NAME), false);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
index 3be5df917..4ba93f8fe 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
@@ -170,6 +170,7 @@ public class SAMLVerificationEngine {
}
+ List<org.opensaml.saml2.core.Assertion> validatedassertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
Conditions conditions = saml2assertion.getConditions();
@@ -177,19 +178,21 @@ public class SAMLVerificationEngine {
DateTime notafter = conditions.getNotOnOrAfter();
if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) {
Logger.warn("PVP2 Assertion is out of Date");
- saml2assertions.remove(saml2assertion);
+
+ } else {
+ validatedassertions.add(saml2assertion);
- }
+ }
}
- if (saml2assertions.isEmpty()) {
+ if (validatedassertions.isEmpty()) {
Logger.info("No valid PVP 2.1 assertion received.");
throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null);
}
samlResp.getAssertions().clear();
samlResp.getEncryptedAssertions().clear();
- samlResp.getAssertions().addAll(saml2assertions);
+ samlResp.getAssertions().addAll(validatedassertions);
} else {
Logger.info("PVP 2.1 assertion includes an error. Receive errorcode "
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java
index aa018d5a3..d59191c08 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java
@@ -33,6 +33,7 @@ import at.gv.egovernment.moa.id.data.SLOInformationImpl;
import at.gv.egovernment.moa.id.data.SLOInformationInterface;
import at.gv.egovernment.moa.id.moduls.IAction;
import at.gv.egovernment.moa.id.moduls.IRequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.storage.AssertionStorage;
import at.gv.egovernment.moa.id.util.VelocityProvider;
import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate;
@@ -110,8 +111,38 @@ public class AuthenticationRequest implements IAction {
// Get personal attributtes from MOA/IdentityLink
//build STORK attributes from local authentication information
- if (authData != null)
+ if (authData != null) {
+ int reqQaa = -1;
+ int authQaa = -1;
+ try {
+ reqQaa = moaStorkRequest.getStorkAuthnRequest().getQaa();
+ authQaa = Integer.valueOf(
+ authData.getQAALevel().substring(PVPConstants.STORK_QAA_PREFIX.length()));
+
+ if (reqQaa > authQaa) {
+ Logger.warn("Requested QAA level does not match to authenticated QAA level");
+ throw new MOAIDException("stork.21", new Object[]{reqQaa, authQaa});
+
+ }
+
+ } catch (MOAIDException e) {
+ throw e;
+
+ } catch (Exception e) {
+ if (Logger.isDebugEnabled())
+ Logger.warn("STORK QAA Level evaluation error", e);
+
+ else
+ Logger.warn("STORK QAA Level evaluation error (ErrorMessage="
+ + e.getMessage() + ")");
+
+ throw new MOAIDException("stork.21", new Object[]{reqQaa, authQaa});
+
+ }
+
moaStorkResponse.setPersonalAttributeList(populateAttributes(authData, oaParam));
+
+ }
}
//moaStorkResponse.setCountry(moaStorkRequest.getSpCountry());
@@ -452,7 +483,7 @@ public class AuthenticationRequest implements IAction {
IPersonalAttributeList attrLst = moaStorkRequest.getStorkAuthnRequest().getPersonalAttributeList();
Logger.info("Found " + attrLst.size() + " personal attributes in the request.");
-
+
// Define attribute list to be populated
PersonalAttributeList attributeList = new PersonalAttributeList();
MOAAttributeProvider moaAttributeProvider = new MOAAttributeProvider(authData, moaStorkRequest);
@@ -470,7 +501,7 @@ public class AuthenticationRequest implements IAction {
Logger.error("Exception, attributes: " + e.getMessage());
}
- Logger.debug("AUTHBLOCK " + authData.getAuthBlock());
+ Logger.trace("AUTHBLOCK " + authData.getAuthBlock());
Logger.debug("SESSION IDENTIFIER " + authData.getCcc() + " " + oaParam.getIdentityLinkDomainIdentifier());
return attributeList;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java
index aaded0ce6..993514ec7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java
@@ -23,11 +23,10 @@
package at.gv.egovernment.moa.id.protocols.stork2;
import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
-import at.gv.egovernment.moa.id.auth.data.IdentityLink;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.data.AuthenticationRole;
import at.gv.egovernment.moa.id.data.IAuthData;
-import at.gv.egovernment.moa.id.util.PVPtoSTORKRoleMapper;
+import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
import eu.stork.peps.auth.commons.PersonalAttribute;
@@ -44,11 +43,6 @@ import java.util.HashMap;
import java.util.List;
import java.util.Map;
-import org.joda.time.format.DateTimeFormat;
-import org.joda.time.format.DateTimeFormatter;
-
-import javassist.expr.Instanceof;
-
/**
* @author bsuzic
* Date: 2/19/14, Time: 4:42 PM
@@ -125,7 +119,7 @@ public class MOAAttributeProvider {
&& authData.getAuthenticationRoles().size() > 0) {
storkRoles = new ArrayList<String>();
- PVPtoSTORKRoleMapper mapper = PVPtoSTORKRoleMapper.getInstance();
+ PVPtoSTORKMapper mapper = PVPtoSTORKMapper.getInstance();
for (AuthenticationRole el : authData.getAuthenticationRoles()) {
String storkRole = mapper.map(el);
if (MiscUtil.isNotEmpty(storkRole))
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java
index 88c59ccf9..96aa55bcf 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java
@@ -134,11 +134,9 @@ public class PVPAuthenticationProvider extends AttributeProvider {
authRequest.setPersonalAttributeList(moastorkRequest.getPersonalAttributeList());
authRequest.setCitizenCountryCode("AT");
- authRequest.setQaa(oaParam.getQaaLevel());
+ //authRequest.setQaa(oaParam.getQaaLevel());
+ authRequest.setQaa(moastorkRequest.getStorkAuthnRequest().getQaa());
- if (authRequest.getQaa() == 0 ) {
- authRequest.setQaa(4); // workaround
- }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKRoleMapper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java
index 20f541a1a..0ea03e29d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKRoleMapper.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java
@@ -33,24 +33,26 @@ import at.gv.egovernment.moa.util.MiscUtil;
* @author tlenz
*
*/
-public class PVPtoSTORKRoleMapper {
+public class PVPtoSTORKMapper {
+ private static final String PVP_SECCLASS_PREFIX = "http://www.ref.gv.at/ns/names/agiz/pvp/";
+
private static final String MAPPING_RESOURCE =
- "resources/properties/pvp-stork_role_mapping.properties";
+ "resources/properties/pvp-stork_mapping.properties";
private Properties mapping = null;
- private static PVPtoSTORKRoleMapper instance = null;
+ private static PVPtoSTORKMapper instance = null;
- public static PVPtoSTORKRoleMapper getInstance() {
+ public static PVPtoSTORKMapper getInstance() {
if (instance == null) {
- instance = new PVPtoSTORKRoleMapper();
+ instance = new PVPtoSTORKMapper();
}
return instance;
}
- private PVPtoSTORKRoleMapper() {
+ private PVPtoSTORKMapper() {
try {
mapping = new Properties();
mapping.load(this.getClass().getClassLoader().getResourceAsStream(MAPPING_RESOURCE));
@@ -65,9 +67,29 @@ public class PVPtoSTORKRoleMapper {
}
- /**
- * @param el
- * @return
+ /**Map a PVP SecClass to STORK QAA level
+ *
+ * @param PVP SecClass pvpQAALevel
+ * @return STORK-QAA level
+ */
+ public String mapQAALevel(String pvpQAALevel) {
+ if (mapping != null) {
+ String input = pvpQAALevel.substring(PVP_SECCLASS_PREFIX.length());
+ String mappedQAA = mapping.getProperty(input);
+ if (MiscUtil.isNotEmpty(mappedQAA)) {
+ Logger.info("Map PVP SecClass " + pvpQAALevel + " to STORK-QAA " + mappedQAA);
+ return mappedQAA;
+
+ }
+ }
+ Logger.warn("No mapping for PVP SecClass " + pvpQAALevel +" !");
+ return null;
+ }
+
+ /**Map a PVP Role attribute to STORK ECAuthenticationRole attribute values
+ *
+ * @param PVP Role attribute
+ * @return STORK ECAuthenticationRole attribute value
*/
public String map(AuthenticationRole el) {
if (mapping != null) {
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 848866090..8fda4566c 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -228,6 +228,7 @@ stork.17=Fehler beim Einholen der Zustimmung f\uFFFDr Attribut\u00FCbertragung d
stork.18=STORK-SAML Engine konnte nicht initialisiert werden.
stork.19=Das erforderliche Attribut ist f\u00FCr naturliche Personen nicht vorhanden\: {0}
stork.20=Fehler bei der Datenkonversion - eingegebens Datum fehlerhaft
+stork.21=Der angeforderte QAA-level {0} ist h\u00F6her als der QAA-level der Authentifizierung {1}
pvp2.00={0} ist kein gueltiger consumer service index
pvp2.01=Fehler beim kodieren der PVP2 Antwort
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
index 27f735028..eeacdc627 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
@@ -172,6 +172,7 @@ stork.17=1203
stork.18=9004
stork.19=1203
stork.20=1204
+stork.21=1205
pvp2.01=6100
pvp2.06=6100
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties b/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties
new file mode 100644
index 000000000..63745f826
--- /dev/null
+++ b/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties
@@ -0,0 +1,9 @@
+##PVP role mapping
+viewer=CIRCABC/viewer
+CIRCABC-viewer=CIRCABC/viewer
+
+##PVP SecClass mapping
+secclass/0=http://www.stork.gov.eu/1.0/citizenQAALevel/1
+secclass/0-1=http://www.stork.gov.eu/1.0/citizenQAALevel/2
+secclass/0-2=http://www.stork.gov.eu/1.0/citizenQAALevel/3
+secclass/0-3=http://www.stork.gov.eu/1.0/citizenQAALevel/4 \ No newline at end of file
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_role_mapping.properties b/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_role_mapping.properties
deleted file mode 100644
index 295d381cd..000000000
--- a/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_role_mapping.properties
+++ /dev/null
@@ -1,2 +0,0 @@
-viewer=CIRCABC/viewer
-CIRCABC-viewer=CIRCABC/viewer \ No newline at end of file