Diffstat (limited to 'id.server')
8 files changed, 120 insertions, 62 deletions
diff --git a/id.server/doc/MOA-ID-Configuration-1.4.xsd b/id.server/doc/MOA-ID-Configuration-1.4.xsd
index c39c2845e..66a9c0ed4 100644
--- a/id.server/doc/MOA-ID-Configuration-1.4.xsd
+++ b/id.server/doc/MOA-ID-Configuration-1.4.xsd
@@ -139,6 +139,7 @@
</xsd:restriction>
</xsd:simpleType>
</xsd:attribute>
+ <xsd:attribute name="calculateHPI" type="xsd:boolean" use="optional" default="false"/>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
diff --git a/id.server/doc/moa_id/id-admin_2.htm b/id.server/doc/moa_id/id-admin_2.htm index 8b7b61697..0773198ee 100644 --- a/id.server/doc/moa_id/id-admin_2.htm +++ b/id.server/doc/moa_id/id-admin_2.htm @@ -569,6 +569,13 @@ Projekt <span style="font-size:48pt; ">moa</span>  die Werte <tt>publicService</tt> für eine Applikation aus dem öffentlichen Bereich und <tt>businessService</tt> für eine Anwendung aus dem privatwirtschaftlichen Bereich annehmen. + Ab Version 1.4 kann im Modus <tt>businessService</tt> ein zusätzliches + logisches Attribut <tt>OnlineApplication/@calculateHPI</tt> angegeben werden. + Dadurch wird im Falle von <tt>calculateHPI="true"</tt> im privatwirtschaftlichen + Bereich zur Identifikation der Health Professional Identifier HPI anstatt des wbPKs (siehe + <a href="#OnlineApplication/AuthComponent/IdentificationNumber"> + OnlineApplication/AuthComponent/IdentificationNumber</a>) berechnet + und zur Anmeldung weiterverwendet. Ist dieses Attribut nicht gesetzt, so wird der Typ <tt>publicService</tt> vorausgesetzt. <br /> <br /> diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index cd4b26df3..2baa172f1 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id.server/src/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -493,7 +493,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { identificationType, oaURL, gebDat, - extendedSAMLAttributes); + extendedSAMLAttributes, + session); return authBlock; } diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java index ef50acb3f..4493333c2 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java 
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java @@ -5,6 +5,7 @@ import java.util.List; import at.gv.egovernment.moa.id.BuildException; import at.gv.egovernment.moa.id.ParseException; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; @@ -100,19 +101,25 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion String identityLinkType, String oaURL, String gebDat, - List extendedSAMLAttributes) + List extendedSAMLAttributes, + AuthenticationSession session) throws BuildException { - + session.setSAMLAttributeGebeORwbpk(true); String gebeORwbpk = ""; String wbpkNSDeclaration = ""; if (target == null) { // OA is a business application - gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); - wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; + if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) { + // Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator + gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); + wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; + } else { + // We do not have a wbPK, therefore no SAML-Attribute is provided + session.setSAMLAttributeGebeORwbpk(false); + } } else { - gebeORwbpk = MessageFormat.format( - GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target }); + gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target }); } String assertion; diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index 50d15007e..12d29ba82 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java 
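Review bot: `session.setSAMLAttributeGebeORwbpk(true);` is the first statement of the new `buildAuthBlock` body and dereferences the added parameter unconditionally, yet the updated call in AuthenticationBlockAssertionBuilderTest (last hunk of this diff) passes `null` for it, so that test now fails with a NullPointerException before its assertion runs. Either the test should construct a real `AuthenticationSession` and pass it, or the method's Javadoc should state the contract, e.g. `@param session the current authentication session (must not be null); its SAMLAttributeGebeORwbpk flag is set here so that CreateXMLSignatureResponseValidator knows whether a wbPK attribute is present`. Guarding the two calls with `if (session != null)` would be the wrong fix, because the validator depends on the flag being set and a silently skipped update would surface later as a wrong attribute count. The method's signature starts before this hunk and its body continues after it.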
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -66,13 +66,19 @@ public class AuthenticationSession { * service or not */ private boolean businessService; - + /** * SAML attributes from an extended infobox validation to be appended * to the SAML assertion delivered to the final online application. */ private List extendedSAMLAttributesOA; + /** + * The boolean value for either a target or a wbPK is provided as + * SAML Attribute in the SAML Assertion or not. + */ + private boolean samlAttributeGebeORwbpk; + /** * SAML attributes from an extended infobox validation to be appended * to the SAML assertion of the AUTHBlock. @@ -335,6 +341,28 @@ public class AuthenticationSession { } /** + * Returns the boolean value for either a target or a wbPK is + * provided as SAML Attribute in the SAML Assertion or not. + * + * @return true either a target or a wbPK is provided as SAML Attribute + * in the SAML Assertion or false if not. + */ + public boolean getSAMLAttributeGebeORwbpk() { + return this.samlAttributeGebeORwbpk; + } + + /** + * Sets the boolean value for either a target or a wbPK is + * provided as SAML Attribute in the SAML Assertion or not. + * + * @param samlAttributeGebeORwbpk The boolean for value either a target or + * wbPK is provided as SAML Attribute in the SAML Assertion or not. + */ + public void setSAMLAttributeGebeORwbpk(boolean samlAttributeGebeORwbpk) { + this.samlAttributeGebeORwbpk = samlAttributeGebeORwbpk; + } + + /** * Returns the issuing time of the AUTH-Block SAML assertion. * * @return The issuing time of the AUTH-Block SAML assertion. diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index 78f62de50..efb33ea59 100644 --- a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java 
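Review bot: The new field `samlAttributeGebeORwbpk` defaults to `false`, which the validator hunk reads as "no Geschaeftsbereich/wbPK attribute expected" and answers by lowering the expected attribute count, so the flag is only meaningful after `buildAuthBlock` has set it; the Javadoc on the field and on the accessor pair in the second hunk should say so instead of the current "The boolean value for either a target or a wbPK is provided" wording. Suggest `/** True if the AUTH-Block carries a Geschaeftsbereich or wbPK SAML attribute, false for HPI-based business services; set by AuthenticationBlockAssertionBuilder.buildAuthBlock and not meaningful before it has run. */` for the field and matching one-sentence summaries for the getter and setter. As a point of style, a boolean accessor is conventionally named `isSAMLAttributeGebeORwbpk()`, though renaming would also touch the validator call sites introduced by this commit.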
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -87,6 +87,7 @@ public class CreateXMLSignatureResponseValidator { boolean foundOA = false; boolean foundGB = false; boolean foundWBPK = false; + int offset = 0; // check number of SAML aatributes List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); @@ -96,6 +97,7 @@ public class CreateXMLSignatureResponseValidator { } int expectedSAMLAttributeNumber = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum; + if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--; int actualSAMLAttributeNumber = samlAttributes.length; if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) { Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " + 
@@ -105,58 +107,63 @@ public class CreateXMLSignatureResponseValidator { new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)}); } - // check the first attribute ("Geschaeftsbereich" or "wbPK") - SAMLAttribute samlAttribute = samlAttributes[0]; - if (businessService) { - if (!samlAttribute.getName().equals("wbPK")) { - if (samlAttribute.getName().equals("Geschaeftsbereich")) { - throw new ValidateException("validator.26", null); - } else { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)}); - } - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - foundWBPK = true; - try { - Element attrValue = (Element)samlAttribute.getValue(); - String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue(); - String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue(); - if (!value.equals(identityLink.getIdentificationValue())) { - throw new ValidateException("validator.28", null); - } - if (!type.equals(identityLink.getIdentificationType())) { - throw new ValidateException("validator.28", null); - } - } catch (Exception ex) { - throw new ValidateException("validator.29", null); - } - } else { - throw new ValidateException("validator.30", null); - } + SAMLAttribute samlAttribute; + if (session.getSAMLAttributeGebeORwbpk()) { + // check the first attribute ("Geschaeftsbereich" or "wbPK") + samlAttribute = samlAttributes[0]; + if (businessService) { + if (!samlAttribute.getName().equals("wbPK")) { + if (samlAttribute.getName().equals("Geschaeftsbereich")) { + throw new ValidateException("validator.26", null); + } else { + throw new ValidateException( + "validator.37", + new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)}); + } + } + if 
(samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + foundWBPK = true; + try { + Element attrValue = (Element)samlAttribute.getValue(); + String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue(); + String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue(); + if (!value.equals(identityLink.getIdentificationValue())) { + throw new ValidateException("validator.28", null); + } + if (!type.equals(identityLink.getIdentificationType())) { + throw new ValidateException("validator.28", null); + } + } catch (Exception ex) { + throw new ValidateException("validator.29", null); + } + } else { + throw new ValidateException("validator.30", null); + } + } else { + if (!samlAttribute.getName().equals("Geschaeftsbereich")) { + if (samlAttribute.getName().equals("wbPK")) { + throw new ValidateException("validator.26", null); + } else { + throw new ValidateException( + "validator.37", + new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)}); + } + } + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + foundGB = true; + if (!gbTarget.equals((String)samlAttribute.getValue())) { + throw new ValidateException("validator.13", null); + } + } else { + throw new ValidateException("validator.12", null); + } + } } else { - if (!samlAttribute.getName().equals("Geschaeftsbereich")) { - if (samlAttribute.getName().equals("wbPK")) { - throw new ValidateException("validator.26", null); - } else { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)}); - } - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - foundGB = true; - if (!gbTarget.equals((String)samlAttribute.getValue())) { - throw new 
ValidateException("validator.13", null); - } - } else { - throw new ValidateException("validator.12", null); - } + offset--; } - + // check the second attribute (must be "OA") - samlAttribute = samlAttributes[1]; + samlAttribute = samlAttributes[1 + offset]; if (!samlAttribute.getName().equals("OA")) { throw new ValidateException( "validator.37", @@ -172,7 +179,7 @@ public class CreateXMLSignatureResponseValidator { } // check the third attribute (must be "Geburtsdatum") - samlAttribute = samlAttributes[2]; + samlAttribute = samlAttributes[2 + offset]; if (!samlAttribute.getName().equals("Geburtsdatum")) { throw new ValidateException( "validator.37", @@ -189,7 +196,7 @@ public class CreateXMLSignatureResponseValidator { } // now check the extended SAML attributes - int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES; + int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset; if (extendedSAMLAttributes != null) { Iterator it = extendedSAMLAttributes.iterator(); while (it.hasNext()) { @@ -250,7 +257,7 @@ public class CreateXMLSignatureResponseValidator { if (!foundOA) throw new ValidateException("validator.14", null); if (businessService) { - if (!foundWBPK) throw new ValidateException("validator.31", null); + if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK) throw new ValidateException("validator.31", null); } else { if (!foundGB) throw new ValidateException("validator.11", null); } diff --git a/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java b/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java index ebb29c26d..43c018e76 100644 --- a/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java +++ b/id.server/src/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java 
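Review bot: The `offset--;` branch that replaces the first-attribute check in HPI mode carries no comment, so a reader of this validator cannot tell why an AUTH-Block may legitimately lack the Geschaeftsbereich/wbPK attribute; suggest `// HPI-based business service: the builder added no wbPK attribute, so every positional check below shifts by one` above it. Since `offset` only ever takes the values 0 and -1 and is derived from the same session flag, it could be initialised once where it is declared in hunk @@ -87, `int offset = session.getSAMLAttributeGebeORwbpk() ? 0 : -1;`, which keeps the count adjustment in hunk @@ -96 and this branch in step. Note that in HPI mode the comparison of the first attribute against `identityLink.getIdentificationValue()` and `getIdentificationType()` is skipped entirely, so nothing in this method binds the signed AUTH-Block to the identity link; the builder's comment defers this to "the corresponding Validator", and naming that validator here would make the deferred check traceable rather than silently absent. The enclosing method starts before this hunk and continues after it.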
@@ -472,7 +472,14 @@ public class ConfigurationBuilder { Logger.error("Missing \"IdentificationNumber\" for OA of type \"businessService\""); throw new ConfigurationException("config.02", null); } - oap.setIdentityLinkDomainIdentifier(buildIdentityLinkDomainIdentifier(identificationNumberChild)); + if ("false".equalsIgnoreCase(oAElem.getAttribute("calculateHPI"))) { + oap.setIdentityLinkDomainIdentifier(buildIdentityLinkDomainIdentifier(identificationNumberChild)); + } else { + // If we have business service and want to dealt with GDA, the security layer can be advised to calulate + // the Health Professional Identifier HPI instead of the wbPK + Logger.info("OA uses HPI for Identification"); + oap.setIdentityLinkDomainIdentifier(Constants.URN_PREFIX_HPI); + } // if OA type is "businessSErvice" set slVersion to 1.2 and ignore parameter in config file Logger.info("OA type is \"businessService\"; setting Security Layer version to 1.2"); diff --git a/id.server/src/test/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilderTest.java b/id.server/src/test/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilderTest.java index 68f7ba973..8cc8797ef 100644 --- a/id.server/src/test/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilderTest.java +++ b/id.server/src/test/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilderTest.java 
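Review bot: `"false".equalsIgnoreCase(oAElem.getAttribute("calculateHPI"))` selects the wbPK path only for the literal value `false`; DOM `getAttribute` returns the empty string for an absent attribute unless a validating parser fills in the XSD default, so an existing configuration that never mentions `calculateHPI` may fall into the else branch and switch every businessService OA to HPI, and a misspelt value does the same silently. Testing for the explicit opt-in is safer: change the condition to `if ("true".equalsIgnoreCase(oAElem.getAttribute("calculateHPI")))` and swap the two branches so the HPI assignment sits in the then-branch and `buildIdentityLinkDomainIdentifier(identificationNumberChild)` in the else-branch. The new comment also reads `want to dealt with GDA` and `calulate`; suggest `// For a business service dealing with GDA, the security layer can be advised to calculate the Health Professional Identifier (HPI) instead of the wbPK`. The enclosing method continues outside the hunk.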
@@ -39,7 +39,7 @@ public class AuthenticationBlockAssertionBuilderTest extends UnitTestCase { public void testBuild() throws Exception { AuthenticationBlockAssertionBuilder builder = new AuthenticationBlockAssertionBuilder(); - String assertionBuilt = builder.buildAuthBlock(ISSUER, ISSUE_INSTANT, AUTH_URL, TARGET, "", "", OA_URL, GEB_DAT, null); + String assertionBuilt = builder.buildAuthBlock(ISSUER, ISSUE_INSTANT, AUTH_URL, TARGET, "", "", OA_URL, GEB_DAT, null, null); assertionBuilt = XML_DECL + assertionBuilt; String assertionShould = XML_DECL + ASSERTION_SHOULD; assertXmlEquals(assertionShould, assertionBuilt); |