Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java | 168 |
1 files changed, 72 insertions, 96 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index cad3354f5..5a5d0bcf6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -267,9 +267,9 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { //#################################################### //set general authData info's authData.setIssuer(protocolRequest.getAuthURL()); - authData.setSsoSession(protocolRequest.needSingleSignOnFunctionality()); - authData.setIsBusinessService(oaParam.getBusinessService()); - + authData.setSsoSession(protocolRequest.needSingleSignOnFunctionality()); + authData.setBaseIDTransferRestrication(oaParam.hasBaseIdTransferRestriction()); + //#################################################### //parse user info's from identityLink 
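Review bot: The setter called on the added line, `authData.setBaseIDTransferRestrication(...)`, is misspelled ("Restrication") and writes `BaseID` where the getter it is fed from, `oaParam.hasBaseIdTransferRestriction()`, writes `BaseId`. The setter is declared outside this diff, so the rename has to happen there, but it is cheaper to settle on `setBaseIdTransferRestriction` now than after more callers depend on the misspelled name. The enclosing method starts and ends outside this hunk.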
@@ -816,21 +816,11 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { * @param oaParam Service-Provider configuration, never null * @param bPKType bPK-Type to check * @return true, if bPK-Type matchs to Service-Provider configuration, otherwise false + * @throws ConfigurationException */ - private boolean matchsReceivedbPKToOnlineApplication(IOAAuthParameters oaParam, String bPKType) { - String oaTarget = null; - if (oaParam.getBusinessService()) { - oaTarget = oaParam.getIdentityLinkDomainIdentifier(); - - } else { - oaTarget = Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget(); - - } - - if (oaTarget.equals(bPKType)) - return true; - else - return false; + private boolean matchsReceivedbPKToOnlineApplication(IOAAuthParameters oaParam, String bPKType) throws ConfigurationException { + return oaParam.getAreaSpecificTargetIdentifier().equals(bPKType); + } private void parseBasicUserInfosFromIDL(AuthenticationData authData, IIdentityLink identityLink, Collection<String> includedGenericSessionData) { @@ -918,9 +908,10 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { * * @return Pair<bPK, bPKType> which was received by PVP-Attribute and could be decrypted for this Service Provider, * or <code>null</code> if no attribute exists or can not decrypted + * @throws ConfigurationException */ private Pair<String, String> getEncryptedbPKFromPVPAttribute(IAuthenticationSession session, - AuthenticationData authData, IOAAuthParameters spConfig) { + AuthenticationData authData, IOAAuthParameters spConfig) throws ConfigurationException { //set List of encrypted bPKs to authData DAO String pvpEncbPKListAttr = session.getGenericDataFromSession(PVPConstants.ENC_BPK_LIST_NAME, String.class); if (MiscUtil.isNotEmpty(pvpEncbPKListAttr)) { 
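Review bot: In matchsReceivedbPKToOnlineApplication, `oaParam.getAreaSpecificTargetIdentifier().equals(bPKType)` dereferences the configured identifier without a null check, so a service provider with no target configured would end this match in a NullPointerException instead of a plain `false`. Whether the getter can return null is not visible in this diff. Comparing from the received value keeps the check failing closed: `return bPKType != null && bPKType.equals(oaParam.getAreaSpecificTargetIdentifier());`. The same unguarded use appears in the encrypted-bPK hunk further down, at `oaTargetId.startsWith(MOAIDAuthConstants.PREFIX_CDID)`. The added `@throws ConfigurationException` tags, here and on getEncryptedbPKFromPVPAttribute, carry no description and should say under which condition the exception is raised.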
@@ -935,35 +926,44 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { String second = fullEncbPK.substring(0, index); int secIndex = second.indexOf("+"); if (secIndex >= 0) { - if (spConfig.getTarget().equals(second.substring(secIndex+1))) { - Logger.debug("Found encrypted bPK for online-application " - + spConfig.getPublicURLPrefix() - + " Start decryption process ..."); - PrivateKey privKey = spConfig.getBPKDecBpkDecryptionKey(); - if (privKey != null) { - try { - String bPK = BPKBuilder.decryptBPK(encbPK, spConfig.getTarget(), privKey); - if (MiscUtil.isNotEmpty(bPK)) { - Logger.info("bPK decryption process finished successfully."); - return Pair.newInstance(bPK, Constants.URN_PREFIX_CDID + "+" + spConfig.getTarget()); - - } else { - Logger.error("bPK decryption FAILED."); - + String oaTargetId = spConfig.getAreaSpecificTargetIdentifier(); + if (oaTargetId.startsWith(MOAIDAuthConstants.PREFIX_CDID)) { + String publicServiceShortTarget = oaTargetId.substring(MOAIDAuthConstants.PREFIX_CDID.length()); + if (publicServiceShortTarget.equals(second.substring(secIndex+1))) { + Logger.debug("Found encrypted bPK for online-application " + + spConfig.getPublicURLPrefix() + + " Start decryption process ..."); + PrivateKey privKey = spConfig.getBPKDecBpkDecryptionKey(); + if (privKey != null) { + try { + String bPK = BPKBuilder.decryptBPK(encbPK, publicServiceShortTarget, privKey); + if (MiscUtil.isNotEmpty(bPK)) { + Logger.info("bPK decryption process finished successfully."); + return Pair.newInstance(bPK, oaTargetId); + + } else { + Logger.error("bPK decryption FAILED."); + + } + } catch (BuildException e) { + Logger.error("bPK decryption FAILED.", e); + } - } catch (BuildException e) { - Logger.error("bPK decryption FAILED.", e); - } + } else { + Logger.info("bPK decryption FAILED, because no valid decryption key is found."); + + } } else { - Logger.info("bPK decryption FAILED, because no valid decryption key is found."); + Logger.info("Found 
encrypted bPK but " + + "encrypted bPK target does not match to online-application target"); - } + } } else { - Logger.info("Found encrypted bPK but " + - "encrypted bPK target does not match to online-application target"); + Logger.info("Encrypted bPKs are only allowed for public services with prefix: " + MOAIDAuthConstants.PREFIX_CDID + + " BUT oaTarget is " + oaTargetId); } } @@ -1066,7 +1066,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } private IIdentityLink buildOAspecificIdentityLink(IOAAuthParameters oaParam, IIdentityLink idl, String bPK, String bPKType) throws MOAIDException { - if (oaParam.getBusinessService()) { + if (oaParam.hasBaseIdTransferRestriction()) { Element idlassertion = idl.getSamlAssertion(); //set bpk/wpbk; Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); 
@@ -1097,69 +1097,45 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } - private Pair<String, String> buildOAspecificbPK(IRequest pendingReq, IOAAuthParameters oaParam, AuthenticationData authData) throws BuildException { + private Pair<String, String> buildOAspecificbPK(IRequest pendingReq, IOAAuthParameters oaParam, AuthenticationData authData) throws BuildException, ConfigurationException { - String bPK; - String bPKType; - String baseID = authData.getIdentificationValue(); - String baseIDType = authData.getIdentificationType(); - - if (Constants.URN_PREFIX_BASEID.equals(baseIDType)) { - //Calculate eIDAS identifier - if (oaParam.getBusinessService() && - oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_EIDAS)) { - String[] splittedTarget = oaParam.getIdentityLinkDomainIdentifier().split("\\+"); - String cititzenCountryCode = splittedTarget[1]; - String eIDASOutboundCountry = splittedTarget[2]; - - if (cititzenCountryCode.equalsIgnoreCase(eIDASOutboundCountry)) { - Logger.warn("Suspect configuration FOUND!!! 
CitizenCountry equals DestinationCountry"); - - } - - Pair<String, String> eIDASID = new BPKBuilder().buildeIDASIdentifer(baseIDType, baseID, - cititzenCountryCode, eIDASOutboundCountry); - Logger.debug("Authenticate user with bPK:" + eIDASID.getFirst() + " Type:" + eIDASID.getSecond()); - return eIDASID; - - } else if (oaParam.getBusinessService()) { - //is Austrian private-service application - String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier(); - bPK = new BPKBuilder().buildbPKorwbPK(baseID, registerAndOrdNr); - bPKType = registerAndOrdNr; - - } else { - // only compute bPK if online application is a public service and we have the Stammzahl - String target = null; - Class<?> saml1RequstTemplate = null; - try { - saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl"); - if (saml1RequstTemplate != null && - saml1RequstTemplate.isInstance(pendingReq)) { - target = (String) pendingReq.getClass().getMethod("getTarget").invoke(pendingReq); + String baseIDType = authData.getIdentificationType(); + Pair<String, String> sectorSpecId = null; + + if (Constants.URN_PREFIX_BASEID.equals(baseIDType)) { + //SAML1 legacy target parameter work-around + String oaTargetId = null; + Class<?> saml1RequstTemplate = null; + try { + saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl"); + if (saml1RequstTemplate != null && + saml1RequstTemplate.isInstance(pendingReq)) { + oaTargetId = (String) pendingReq.getClass().getMethod("getTarget").invoke(pendingReq); - } + } - } catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException | java.lang.SecurityException | InvocationTargetException | NoSuchMethodException ex) { } + } catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException | java.lang.SecurityException | InvocationTargetException | NoSuchMethodException ex) { } + + if (MiscUtil.isEmpty(oaTargetId)) { + oaTargetId = 
oaParam.getAreaSpecificTargetIdentifier(); + Logger.debug("Use OA target identifier '" + oaTargetId + "' from configuration"); - if (MiscUtil.isEmpty(target)) - target = oaParam.getTarget(); - - bPK = new BPKBuilder().buildBPK(baseID, target); - bPKType = Constants.URN_PREFIX_CDID + "+" + target; - - } - + } else + Logger.info("Use OA target identifier '" + oaTargetId + "' from SAML1 request for bPK calculation"); + + //calculate sector specific unique identifier + sectorSpecId = new BPKBuilder().generateAreaSpecificPersonIdentifier(baseID, oaTargetId); + + } else { - Logger.warn("!!!baseID-element does not include a baseID. This should not be happen any more!!!"); - bPK = baseID; - bPKType = baseIDType; - + Logger.fatal("!!!baseID-element does not include a baseID. This should not be happen any more!!!"); + sectorSpecId = Pair.newInstance(baseID, baseIDType); + } - Logger.trace("Authenticate user with bPK:" + bPK + " Type:" + bPKType); - return Pair.newInstance(bPK, bPKType); + Logger.trace("Authenticate user with bPK:" + sectorSpecId.getFirst() + " Type:" + sectorSpecId.getSecond()); + return sectorSpecId; } |
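Review bot: In buildOAspecificbPK the SAML1 work-around now lets a `getTarget()` value taken from the request replace the configured identifier for every service provider, where the removed code did this only in the public-service branch. The value goes into `generateAreaSpecificPersonIdentifier(baseID, oaTargetId)` without being checked against `oaParam.getAreaSpecificTargetIdentifier()`. The configured identifier apparently carries the `MOAIDAuthConstants.PREFIX_CDID` prefix (the encrypted-bPK hunk strips it), while the removed code treated the SAML1 target as a short target and prefixed it itself, so a legacy request may now produce a different identifier or be rejected; generateAreaSpecificPersonIdentifier is not visible here, so this needs confirming. I would honour the request value only when the configured identifier starts with `MOAIDAuthConstants.PREFIX_CDID`, and normalise it to the prefixed form before use. The empty `catch (...) { }` around the reflection call also hides why the configured fallback was taken; a `Logger.debug` of the exception there would make that visible.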