Diffstat (limited to 'id.server/src')
| -rw-r--r-- | id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java | 223 | 
1 files changed, 169 insertions, 54 deletions
| diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index 7693c3170..e72d0b6c4 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -1,13 +1,20 @@  package at.gv.egovernment.moa.id.auth.validator; +import java.util.Iterator; +import java.util.List; +  import org.w3c.dom.Element;  import org.w3c.dom.NodeList; +import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder;  import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;  import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse; +import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;  import at.gv.egovernment.moa.id.auth.data.IdentityLink;  import at.gv.egovernment.moa.id.auth.data.SAMLAttribute; +import at.gv.egovernment.moa.logging.Logger;  import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.XPathUtils;  /**   *  @@ -18,6 +25,11 @@ import at.gv.egovernment.moa.util.Constants;   * @version $Id$   */  public class CreateXMLSignatureResponseValidator { +   +  +  /** Xpath expression to the dsig:Signature element */ +  private static final String SIGNATURE_XPATH = Constants.DSIG_PREFIX + ":Signature"; +     /** Singleton instance. <code>null</code>, if none has been created. */    private static CreateXMLSignatureResponseValidator instance; 
@@ -54,16 +66,21 @@ public class CreateXMLSignatureResponseValidator {      IdentityLink identityLink = session.getIdentityLink(); -    String issuer = createXMLSignatureResponse.getSamlAssertion().getAttribute("Issuer");     +    Element samlAssertion = createXMLSignatureResponse.getSamlAssertion();  +    String issuer = samlAssertion.getAttribute("Issuer");          if (issuer == null) {        // should not happen, because parser would dedect this        throw new ValidateException("validator.32", null);      } +    String issueInstant = samlAssertion.getAttribute("IssueInstant"); +    if (!issueInstant.equals(session.getIssueInstant())) { +      throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()}); +    } +          String name = identityLink.getName();      if (!issuer.equals(name)) {        throw new ValidateException("validator.33", new Object[] {issuer, name}); -    } -     +    }           SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes(); 
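Review bot: The `issuer == null` guard that follows the rewritten `String issuer = samlAssertion.getAttribute("Issuer");` can never fire, because DOM `Element.getAttribute` returns the empty string, not `null`, for an absent attribute; the same applies to the new `IssueInstant` read, where a missing attribute only surfaces indirectly as a `validator.39` mismatch. Consider `if (issuer == null || issuer.length() == 0) {` so the "should not happen" comment is backed by a check that actually detects the absent attribute, and an equivalent empty-string guard on `issueInstant` before the comparison. The new comparison against `session.getIssueInstant()` deserves a one-line why-comment, e.g. `// the signed AUTH block must carry the IssueInstant recorded for this session`, since nothing nearby explains what the mismatch means. The enclosing method starts before and ends after this hunk.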
@@ -71,66 +88,160 @@ public class CreateXMLSignatureResponseValidator {      boolean foundGB = false;      boolean foundWBPK = false; -    for (int i = 0; i < samlAttributes.length; i++) { -      SAMLAttribute samlAttribute = samlAttributes[i]; -      if (samlAttribute.getName().equals("Geschaeftsbereich")) {  -        if (businessService) { +    // check number of SAML aatributes +    List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); +    int extendedSAMLAttributesNum = 0; +    if (extendedSAMLAttributes != null) { +      extendedSAMLAttributesNum = extendedSAMLAttributes.size(); +    } +    int expectedSAMLAttributeNumber =  +      AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum; +    int actualSAMLAttributeNumber = samlAttributes.length; +    if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) { +      Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " +  +        expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber); +      throw new ValidateException( +        "validator.36",  +        new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)}); +    } +     +    // check the first attribute ("Geschaeftsbereich" or "wbPK") +    SAMLAttribute samlAttribute = samlAttributes[0]; +    if (businessService) { +      if (!samlAttribute.getName().equals("wbPK")) { +        if (samlAttribute.getName().equals("Geschaeftsbereich")) {            throw new ValidateException("validator.26", null); -        } -        if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {           -          foundGB = true;              -          if (!gbTarget.equals((String)samlAttribute.getValue())) { -            throw new ValidateException("validator.13", null);  -          }              -        } else { -          throw new ValidateException("validator.12", null); -   
     } -      } -      if (samlAttribute.getName().equals("OA")) { -        if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { -          foundOA = true;             -          if (!oaURL.equals((String)samlAttribute.getValue())) {  // CHECKS für die AttributeVALUES fehlen noch              -            throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()});  -          }                       } else { -          throw new ValidateException("validator.15", null); +          throw new ValidateException( +          "validator.37",  +          new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)});          } -      } -      if (samlAttribute.getName().equals("Geburtsdatum")) {  -        if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { -          String samlDateOfBirth = (String)samlAttribute.getValue(); -          String dateOfBirth = identityLink.getDateOfBirth(); -          if (!samlDateOfBirth.equals(dateOfBirth)) { -            throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth}); +      }           +      if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {           +        foundWBPK = true; +        try { +          Element attrValue = (Element)samlAttribute.getValue(); +          String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue(); +          String type =  ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue(); +          if (!value.equals(identityLink.getIdentificationValue())) { +            throw new ValidateException("validator.28", null);  +          } +          if (!type.equals(identityLink.getIdentificationType())) { +          
  throw new ValidateException("validator.28", null);             } +        } catch (Exception ex) { +          throw new ValidateException("validator.29", null); +        } +      } else { +        throw new ValidateException("validator.30", null); +      }     +    } else { +      if (!samlAttribute.getName().equals("Geschaeftsbereich")) { +        if (samlAttribute.getName().equals("wbPK")) { +          throw new ValidateException("validator.26", null);          } else { -          throw new ValidateException("validator.35", null); +          throw new ValidateException( +          "validator.37",  +          new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)});          }        } -      if (samlAttribute.getName().equals("wbPK")) {  -        if (!businessService) { -          throw new ValidateException("validator.27", null); +      if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {           +        foundGB = true;              +        if (!gbTarget.equals((String)samlAttribute.getValue())) { +          throw new ValidateException("validator.13", null);  +        }              +      } else { +        throw new ValidateException("validator.12", null); +      } +    } +     +    // check the second attribute (must be "OA") +    samlAttribute = samlAttributes[1]; +    if (!samlAttribute.getName().equals("OA")) { +      throw new ValidateException( +          "validator.37",  +          new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)}); +    } +    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { +      foundOA = true;             +      if (!oaURL.equals((String)samlAttribute.getValue())) {  // CHECKS für die AttributeVALUES fehlen noch              +        throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()});  +      }   
           +    } else { +      throw new ValidateException("validator.15", null); +    } +       +    // check the third attribute (must be "Geburtsdatum") +    samlAttribute = samlAttributes[2]; +    if (!samlAttribute.getName().equals("Geburtsdatum")) { +      throw new ValidateException( +          "validator.37",  +          new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)}); +    } +    if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { +      String samlDateOfBirth = (String)samlAttribute.getValue(); +      String dateOfBirth = identityLink.getDateOfBirth(); +      if (!samlDateOfBirth.equals(dateOfBirth)) { +        throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth}); +      } +    } else { +      throw new ValidateException("validator.35", null); +    } +       +    // now check the extended SAML attributes +    int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES; +    if (extendedSAMLAttributes != null) { +      Iterator it = extendedSAMLAttributes.iterator(); +      while (it.hasNext()) { +        ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next(); +        samlAttribute = samlAttributes[i]; +        String actualName = samlAttribute.getName(); +        String expectedName = extendedSAMLAttribute.getName(); +        if (!actualName.equals(expectedName)) { +          throw new ValidateException( +            "validator.38",  +            new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName }); +        } +        String actualNamespace = samlAttribute.getNamespace(); +        String expectedNamespace = extendedSAMLAttribute.getNameSpace(); +        if (!actualNamespace.equals(expectedNamespace)) { +          throw new ValidateException( +            "validator.38",  +            new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, 
expectedNamespace, });          } -        if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) {           -          foundWBPK = true; -          try { -            Element attrValue = (Element)samlAttribute.getValue(); -            String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue(); -            String type =  ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue(); -            if (!value.equals(identityLink.getIdentificationValue())) { -              throw new ValidateException("validator.28", null);  +        Object expectedValue = extendedSAMLAttribute.getValue(); +        Object actualValue = samlAttribute.getValue(); +        try { +          if (expectedValue instanceof String) { +            if (!(((String)expectedValue).equals((String)actualValue))) { +              throw new ValidateException( +              "validator.38",  +              new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue });                        } -            if (!type.equals(identityLink.getIdentificationType())) { -              throw new ValidateException("validator.28", null);  +          } else if (expectedValue instanceof Element) { +            // only check the name of the element +            String actualElementName = ((Element)actualValue).getNodeName(); +            String expectedElementName = ((Element)expectedValue).getNodeName(); +            if (!(expectedElementName.equals(actualElementName))){ +              throw new ValidateException( +              "validator.38",  +              new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName});                        } -          } catch (Exception ex) { -            throw new ValidateException("validator.29", null); +          } else { +            // should not 
happen +            throw new ValidateException( +              "validator.38",  +              new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()});            } -        } else { -          throw new ValidateException("validator.30", null); -        }          +        } catch (ClassCastException e) { +          throw new ValidateException( +              "validator.38",  +              new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()}); +        } +        i++;        } -    }  +    } +          if (!foundOA) throw new ValidateException("validator.14", null);       if (businessService) { @@ -140,9 +251,13 @@ public class CreateXMLSignatureResponseValidator {      }       //Check if dsig:Signature exists -    NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature"); -    if (nl.getLength() != 1) { -      throw new ValidateException("validator.05", null); +//    NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature"); +//    if (nl.getLength() != 1) { +//      throw new ValidateException("validator.05", null); +//    } +    Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH); +    if (dsigSignature == null) {     +      throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ;      }    }  } | 
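Review bot: In the `wbPK` branch the `catch (Exception ex)` also catches the `ValidateException("validator.28", null)` thrown inside the same `try` for an identification value or type mismatch, so that mismatch is always reported as `validator.29` instead; the structure was carried over from the removed block, but it now lives in the rewritten code. Rethrowing the validation error first, `} catch (ValidateException ve) { throw ve; } catch (Exception ex) {`, keeps the specific failure reason, or the `item(0)` lookups and casts can be null-checked explicitly instead of relying on the broad catch. For the extended attributes, the `expectedValue instanceof Element` branch compares only `getNodeName()`, so an Element-valued attribute whose content differs from the session's copy still passes this validator; if that is intentional because the content is checked elsewhere, the comment `// only check the name of the element` should state why, otherwise the element content should be compared as well. The error argument `"java.lang.String oder org.wrc.dom.Element"` misspells the package and should read `org.w3c.dom.Element`. The enclosing method begins before this hunk and continues after it.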
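Review bot: The new `XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH)` check only requires that at least one `dsig:Signature` child exists, whereas the replaced `getElementsByTagNameNS` check rejected the assertion unless exactly one signature was found, so an assertion carrying two signatures now passes this validator. If the switch to a direct-child XPath was made so that signatures nested inside extended attribute values are no longer counted, the exactly-one requirement should still be enforced for the direct children, e.g. by selecting the node list for `SIGNATURE_XPATH` and throwing `validator.05` when its length is not 1. The XPath also depends on the `dsig` prefix from `Constants.DSIG_PREFIX` being bound to `Constants.DSIG_NS_URI` in the XPathUtils namespace context; that assumption is worth a comment on `SIGNATURE_XPATH`. The three commented-out lines kept above the new lookup should be deleted rather than left in the file. The enclosing method starts outside this hunk.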
