Diffstat (limited to 'id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java')
-rw-r--r--id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java362
1 files changed, 182 insertions, 180 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
index cbb7c88b2..8e9865a3a 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
@@ -33,7 +33,6 @@ import javax.net.ssl.SSLHandshakeException;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.httpclient.MOAHttpClient;
-import org.apache.log4j.Logger;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataFilter;
import org.opensaml.saml2.metadata.provider.MetadataFilterChain;
@@ -57,186 +56,189 @@ import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper;
import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.MiscUtil;
import iaik.x509.X509Certificate;
+import lombok.extern.slf4j.Slf4j;
+@Slf4j
public class OAPVP2ConfigValidation {
- private static final Logger log = Logger.getLogger(OAPVP2ConfigValidation.class);
-
- public List<String> validate(OAPVP2Config form, String oaID, HttpServletRequest request) {
-
- Timer timer = null;
- MOAHttpClient httpClient = null;
- HTTPMetadataProvider httpProvider = null;
-
- List<String> errors = new ArrayList<String>();
- try {
- byte[] certSerialized = null;
- if (form.getFileUpload() != null)
- certSerialized = form.getCertificate();
-
- else {
- try {
- //Some databases does not allow the selection of a lob in SQL where expression
- String dbDriver = ConfigurationProvider.getInstance().getConfigurationProperties().getProperty("hibernate.connection.driver_class");
- boolean backupVersion = false;
- if (MiscUtil.isNotEmpty(dbDriver)) {
- for (String el:MOAIDConstants.JDBC_DRIVER_NEEDS_WORKAROUND) {
- if (dbDriver.startsWith(el)) {
- backupVersion = true;
- log.debug("JDBC driver '" + dbDriver
- + "' is blacklisted --> Switch to alternative DB access methode implementation.");
-
- }
-
- }
- }
-
- Map<String, String> oa = ConfigurationProvider.getInstance().getDbRead().getOnlineApplicationKeyValueWithId(oaID, backupVersion);
- if (oa != null &&
- MiscUtil.isNotEmpty(oa.get(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE))) {
- certSerialized = Base64Utils.decode(oa.get(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE), false);
- form.setStoredCert(certSerialized);
- }
-
- } catch (ConfigurationException e) {
- log.error("MOA-ID-Configuration initialization FAILED.", e);
-
- }
- }
-
- String check = form.getMetaDataURL();
- if (MiscUtil.isNotEmpty(check)) {
-
- if (!ValidationHelper.validateURL(check)) {
- log.info("MetaDataURL has no valid form.");
- errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.valid", request));
-
- } else {
- if (certSerialized == null) {
- log.info("No certificate for metadata validation");
- errors.add(LanguageHelper.getErrorString("validation.pvp2.certificate.notfound", request));
-
- } else {
- if (form.getMetaDataURL().startsWith("http")) {
- X509Certificate cert = new X509Certificate(certSerialized);
- BasicX509Credential credential = new BasicX509Credential();
- credential.setEntityCertificate(cert);
-
- timer = new Timer();
- httpClient = new MOAHttpClient();
-
- if (form.getMetaDataURL().startsWith("https:"))
- try {
- MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
- "MOAMetaDataProvider",
- true,
- ConfigurationProvider.getInstance().getCertStoreDirectory(),
- ConfigurationProvider.getInstance().getTrustStoreDirectory(),
- null,
- "pkix",
- true,
- new String[]{"crl"},
- false);
-
- httpClient.setCustomSSLTrustStore(
- form.getMetaDataURL(),
- protoSocketFactory);
-
- } catch (MOAHttpProtocolSocketFactoryException e) {
- log.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.", e);
-
- } catch (ConfigurationException e) {
- log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore.");
-
- }
-
- List<MetadataFilter> filterList = new ArrayList<MetadataFilter>();
- filterList.add(new MetaDataVerificationFilter(credential));
-
- try {
- filterList.add(new SchemaValidationFilter(
- ConfigurationProvider.getInstance().isPVPMetadataSchemaValidationActive()));
-
- } catch (ConfigurationException e) {
- log.warn("Configuration access FAILED!", e);
-
- }
-
- MetadataFilterChain filter = new MetadataFilterChain();
- filter.setFilters(filterList);
-
- httpProvider =
- new HTTPMetadataProvider(timer, httpClient, form.getMetaDataURL());
- httpProvider.setParserPool(new BasicParserPool());
- httpProvider.setRequireValidMetadata(true);
- httpProvider.setMetadataFilter(filter);
- httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes
- httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours
-
- httpProvider.setRequireValidMetadata(true);
-
- httpProvider.initialize();
-
-
-
-
- if (httpProvider.getMetadata() == null) {
- log.info("Metadata could be received but validation FAILED.");
- errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.validation", request));
- }
-
- } else {
- log.info("Metadata load validation skipped, because it's no http(s) metadata: " + form.getMetaDataURL());
-
- }
-
- }
- }
- }
-
- } catch (CertificateException e) {
- log.info("Uploaded Certificate can not be found", e);
- errors.add(LanguageHelper.getErrorString("validation.pvp2.certificate.notfound", request));
-
- } catch (IOException e) {
- log.info("Metadata can not be loaded from URL", e);
- errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.read", request));
-
- } catch (MetadataProviderException e) {
-
- try {
- if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) {
- log.info("SSL Server certificate not trusted.", e);
- errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.ssl", request));
-
- } else if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) {
- log.info("MetaDate verification failed", e);
- errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.sig", request));
-
- } else if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) {
- log.info("MetaDate verification failed", e);
- errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.schema", request));
-
- } else {
- log.info("MetaDate verification failed", e);
- errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.general", request));
- }
-
- } catch (Exception e1) {
- log.info("MetaDate verification failed", e1);
- errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.general", request));
-
- }
-
- } finally {
- if (httpProvider != null)
- httpProvider.destroy();
-
- if (timer != null)
- timer.cancel();
-
- }
-
- return errors;
- }
+ public List<String> validate(OAPVP2Config form, String oaID, HttpServletRequest request) {
+
+ Timer timer = null;
+ MOAHttpClient httpClient = null;
+ HTTPMetadataProvider httpProvider = null;
+
+ final List<String> errors = new ArrayList<>();
+ try {
+ byte[] certSerialized = null;
+ if (form.getFileUpload() != null) {
+ certSerialized = form.getCertificate();
+ } else {
+ try {
+ // Some databases does not allow the selection of a lob in SQL where expression
+ final String dbDriver = ConfigurationProvider.getInstance().getConfigurationProperties()
+ .getProperty("hibernate.connection.driver_class");
+ boolean backupVersion = false;
+ if (MiscUtil.isNotEmpty(dbDriver)) {
+ for (final String el : MOAIDConstants.JDBC_DRIVER_NEEDS_WORKAROUND) {
+ if (dbDriver.startsWith(el)) {
+ backupVersion = true;
+ log.debug("JDBC driver '" + dbDriver
+ + "' is blacklisted --> Switch to alternative DB access methode implementation.");
+
+ }
+
+ }
+ }
+
+ final Map<String, String> oa = ConfigurationProvider.getInstance().getDbRead()
+ .getOnlineApplicationKeyValueWithId(oaID, backupVersion);
+ if (oa != null &&
+ MiscUtil.isNotEmpty(oa.get(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE))) {
+ certSerialized = Base64Utils.decode(oa.get(
+ MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE), false);
+ form.setStoredCert(certSerialized);
+ }
+
+ } catch (final ConfigurationException e) {
+ log.error("MOA-ID-Configuration initialization FAILED.", e);
+
+ }
+ }
+
+ final String check = form.getMetaDataURL();
+ if (MiscUtil.isNotEmpty(check)) {
+
+ if (!ValidationHelper.validateURL(check)) {
+ log.info("MetaDataURL has no valid form.");
+ errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.valid", request));
+
+ } else {
+ if (certSerialized == null) {
+ log.info("No certificate for metadata validation");
+ errors.add(LanguageHelper.getErrorString("validation.pvp2.certificate.notfound", request));
+
+ } else {
+ if (form.getMetaDataURL().startsWith("http")) {
+ final X509Certificate cert = new X509Certificate(certSerialized);
+ final BasicX509Credential credential = new BasicX509Credential();
+ credential.setEntityCertificate(cert);
+
+ timer = new Timer();
+ httpClient = new MOAHttpClient();
+
+ if (form.getMetaDataURL().startsWith("https:")) {
+ try {
+ final MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
+ "MOAMetaDataProvider",
+ true,
+ ConfigurationProvider.getInstance().getCertStoreDirectory(),
+ ConfigurationProvider.getInstance().getTrustStoreDirectory(),
+ null,
+ "pkix",
+ true,
+ new String[] { "crl" },
+ false);
+
+ httpClient.setCustomSSLTrustStore(
+ form.getMetaDataURL(),
+ protoSocketFactory);
+
+ } catch (final MOAHttpProtocolSocketFactoryException e) {
+ log.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.", e);
+
+ } catch (final ConfigurationException e) {
+ log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore.");
+
+ }
+ }
+
+ final List<MetadataFilter> filterList = new ArrayList<>();
+ filterList.add(new MetaDataVerificationFilter(credential));
+
+ try {
+ filterList.add(new SchemaValidationFilter(
+ ConfigurationProvider.getInstance().isPVPMetadataSchemaValidationActive()));
+
+ } catch (final ConfigurationException e) {
+ log.warn("Configuration access FAILED!", e);
+
+ }
+
+ final MetadataFilterChain filter = new MetadataFilterChain();
+ filter.setFilters(filterList);
+
+ httpProvider =
+ new HTTPMetadataProvider(timer, httpClient, form.getMetaDataURL());
+ httpProvider.setParserPool(new BasicParserPool());
+ httpProvider.setRequireValidMetadata(true);
+ httpProvider.setMetadataFilter(filter);
+ httpProvider.setMinRefreshDelay(1000 * 60 * 15); // 15 minutes
+ httpProvider.setMaxRefreshDelay(1000 * 60 * 60 * 24); // 24 hours
+
+ httpProvider.setRequireValidMetadata(true);
+
+ httpProvider.initialize();
+
+ if (httpProvider.getMetadata() == null) {
+ log.info("Metadata could be received but validation FAILED.");
+ errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.validation", request));
+ }
+
+ } else {
+ log.info("Metadata load validation skipped, because it's no http(s) metadata: " + form
+ .getMetaDataURL());
+
+ }
+
+ }
+ }
+ }
+
+ } catch (final CertificateException e) {
+ log.info("Uploaded Certificate can not be found", e);
+ errors.add(LanguageHelper.getErrorString("validation.pvp2.certificate.notfound", request));
+
+ } catch (final IOException e) {
+ log.info("Metadata can not be loaded from URL", e);
+ errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.read", request));
+
+ } catch (final MetadataProviderException e) {
+
+ try {
+ if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) {
+ log.info("SSL Server certificate not trusted.", e);
+ errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.ssl", request));
+
+ } else if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) {
+ log.info("MetaDate verification failed", e);
+ errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.sig", request));
+
+ } else if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) {
+ log.info("MetaDate verification failed", e);
+ errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.schema", request));
+
+ } else {
+ log.info("MetaDate verification failed", e);
+ errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.general", request));
+ }
+
+ } catch (final Exception e1) {
+ log.info("MetaDate verification failed", e1);
+ errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify.general", request));
+
+ }
+
+ } finally {
+ if (httpProvider != null) {
+ httpProvider.destroy();
+ }
+
+ if (timer != null) {
+ timer.cancel();
+ }
+
+ }
+
+ return errors;
+ }
}
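Review bot: The `catch (final MOAHttpProtocolSocketFactoryException e)` branch at the `https:` block only logs a warning and then continues with the default Java trust store, so a validation run can report the metadata URL as fine while having checked the server certificate against a different trust anchor set than the MOA store the configuration points at; since `errors` is what the user sees, consider adding an entry there (or at least a distinct message) so the operator knows the trust-store check was not the configured one. With the switch to `@Slf4j`, the string-concatenated log calls should use parameter placeholders, e.g. `log.debug("JDBC driver '{}' is blacklisted --> Switch to alternative DB access methode implementation.", dbDriver);` and `log.info("Metadata load validation skipped, because it's no http(s) metadata: {}", form.getMetaDataURL());`, which also avoids building the message when the level is disabled. `httpProvider.setRequireValidMetadata(true);` is called twice (before `setMetadataFilter` and again after the refresh delays); the second call is redundant and can be dropped. The `e.getCause().getCause() instanceof …` chain in the `MetadataProviderException` handler is safe when the inner cause is null, but a short comment saying that the outer `catch (final Exception e1)` only guards against unexpected cause shapes would make the intent clearer.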