diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java | 657 |
1 files changed, 161 insertions, 496 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 998817b19..b6f78119c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -23,19 +23,14 @@ package at.gv.egovernment.moa.id.auth.builder; import java.io.IOException; -import java.io.InputStream; import java.lang.reflect.InvocationTargetException; import java.security.PrivateKey; import java.util.ArrayList; import java.util.Arrays; -import java.util.Collection; import java.util.Date; import java.util.Iterator; import java.util.List; -import javax.naming.ldap.LdapName; -import javax.naming.ldap.Rdn; - import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import org.w3c.dom.DOMException; @@ -46,17 +41,24 @@ import org.w3c.dom.NodeList; import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.data.EAAFConstants; import at.gv.egiz.eaaf.core.api.idp.IAuthData; -import at.gv.egiz.eaaf.core.api.idp.IAuthenticationDataBuilder; +import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; +import at.gv.egiz.eaaf.core.api.idp.auth.data.IAuthProcessDataContainer; +import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink; import at.gv.egiz.eaaf.core.exceptions.EAAFAuthenticationException; +import at.gv.egiz.eaaf.core.exceptions.EAAFBuilderException; import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EAAFParserException; import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException; +import at.gv.egiz.eaaf.core.exceptions.XPathException; import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.core.impl.idp.AuthenticationData; +import at.gv.egiz.eaaf.core.impl.idp.auth.builder.AbstractAuthenticationDataBuilder; +import at.gv.egiz.eaaf.core.impl.idp.auth.builder.BPKBuilder; +import at.gv.egiz.eaaf.core.impl.utils.XPathUtils; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionWrapper; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.DynamicOABuildException; -import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; @@ -64,7 +66,6 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.data.ExtendedSAMLAttribute; import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession; -import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink; import at.gv.egovernment.moa.id.commons.api.data.IMISMandate; import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; @@ -82,24 +83,21 @@ import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.MiscUtil; -import at.gv.egovernment.moa.util.XPathException; -import at.gv.egovernment.moa.util.XPathUtils; import at.gv.util.client.szr.SZRClient; import at.gv.util.config.EgovUtilPropertiesConfiguration; import at.gv.util.wsdl.szr.SZRException; import at.gv.util.xsd.szr.PersonInfoType; -import iaik.x509.X509Certificate; /** * @author tlenz * */ @Service("AuthenticationDataBuilder") -public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAuthenticationDataBuilder{ +public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder { @Autowired private IAuthenticationSessionStoreage authenticatedSessionStorage; @Autowired protected AuthConfiguration authConfig; - @Autowired private LoALevelMapper loaLevelMapper; + @Autowired protected LoALevelMapper loaLevelMapper; @Override public IAuthData buildAuthenticationData(IRequest pendingReq) throws EAAFAuthenticationException { @@ -108,16 +106,17 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu new AuthenticationSessionWrapper(pendingReq.genericFullDataStorage()), pendingReq.getServiceProviderConfiguration(OAAuthParameterDecorator.class)); - } catch (ConfigurationException | BuildException | WrongParametersException | DynamicOABuildException e) { + } catch (ConfigurationException | BuildException | WrongParametersException | DynamicOABuildException | EAAFBuilderException e) { Logger.warn("Can not build authentication data from session information"); throw new EAAFAuthenticationException("TODO", new Object[]{}, "Can not build authentication data from session information", e); + } } private IAuthData buildAuthenticationData(IRequest pendingReq, - IAuthenticationSession session, IOAAuthParameters oaParam) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException { + IAuthenticationSession session, IOAAuthParameters oaParam) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException, EAAFBuilderException { MOAAuthenticationData authdata = null; //only needed for SAML1 legacy support @@ -181,96 +180,13 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu } private void buildAuthDataFormMOASession(MOAAuthenticationData authData, IAuthenticationSession session, - IOAAuthParameters oaParam, IRequest protocolRequest) throws BuildException, ConfigurationException { - - Collection<String> includedToGenericAuthData = null; - if (session.getGenericSessionDataStorage() != null && - !session.getGenericSessionDataStorage().isEmpty()) - includedToGenericAuthData = session.getGenericSessionDataStorage().keySet(); - else - includedToGenericAuthData = new ArrayList<String>(); - - try { - //#################################################### - //set general authData info's - authData.setAuthenticationIssuer(protocolRequest.getAuthURL()); - authData.setSsoSession(protocolRequest.needSingleSignOnFunctionality()); - authData.setBaseIDTransferRestrication(oaParam.hasBaseIdTransferRestriction()); - - - //#################################################### - //parse user info's from identityLink - IIdentityLink idlFromPVPAttr = null; - IIdentityLink identityLink = session.getIdentityLink(); - if (identityLink != null) { - parseBasicUserInfosFromIDL(authData, identityLink, includedToGenericAuthData); - - } else { - // identityLink is not direct in MOASession - String pvpAttrIDL = session.getGenericDataFromSession(PVPConstants.EID_IDENTITY_LINK_NAME, String.class); - //find PVP-Attr. which contains the IdentityLink - if (MiscUtil.isNotEmpty(pvpAttrIDL)) { - Logger.debug("Find PVP-Attr: " + PVPConstants.EID_IDENTITY_LINK_FRIENDLY_NAME - + " --> Parse basic user info's from that attribute."); - InputStream idlStream = null; - try { - idlStream = Base64Utils.decodeToStream(pvpAttrIDL, false); - idlFromPVPAttr = new IdentityLinkAssertionParser(idlStream).parseIdentityLink(); - parseBasicUserInfosFromIDL(authData, idlFromPVPAttr, includedToGenericAuthData); - - } catch (ParseException e) { - Logger.error("Received IdentityLink is not valid", e); - - } catch (Exception e) { - Logger.error("Received IdentityLink is not valid", e); - - } finally { - try { - includedToGenericAuthData.remove(PVPConstants.EID_IDENTITY_LINK_NAME); - if (idlStream != null) - idlStream.close(); - - } catch (IOException e) { - Logger.fatal("Close InputStream FAILED.", e); - - } - - } - - } - - //if no basic user info's are set yet, parse info's single PVP-Attributes - if (MiscUtil.isEmpty(authData.getFamilyName())) { - Logger.debug("No IdentityLink found or not parseable --> Parse basic user info's from single PVP-Attributes."); - authData.setFamilyName(session.getGenericDataFromSession(PVPConstants.PRINCIPAL_NAME_NAME, String.class)); - authData.setGivenName(session.getGenericDataFromSession(PVPConstants.GIVEN_NAME_NAME, String.class)); - authData.setDateOfBirth(session.getGenericDataFromSession(PVPConstants.BIRTHDATE_NAME, String.class)); - authData.setIdentificationValue(session.getGenericDataFromSession(PVPConstants.EID_SOURCE_PIN_NAME, String.class)); - authData.setIdentificationType(session.getGenericDataFromSession(PVPConstants.EID_SOURCE_PIN_TYPE_NAME, String.class)); - - //remove corresponding keys from genericSessionData if exists - includedToGenericAuthData.remove(PVPConstants.PRINCIPAL_NAME_NAME); - includedToGenericAuthData.remove(PVPConstants.GIVEN_NAME_NAME); - includedToGenericAuthData.remove(PVPConstants.BIRTHDATE_NAME); - includedToGenericAuthData.remove(PVPConstants.EID_SOURCE_PIN_NAME); - includedToGenericAuthData.remove(PVPConstants.EID_SOURCE_PIN_TYPE_NAME); - } - - } - - if (authData.getIdentificationType() != null && - !authData.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - Logger.trace("IdentificationType is not a baseID --> clear it. "); - authData.setBPK(authData.getIdentificationValue()); - authData.setBPKType(authData.getIdentificationType()); - - authData.setIdentificationValue(null); - authData.setIdentificationType(null); - - } + IOAAuthParameters oaParam, IRequest protocolRequest) throws BuildException, ConfigurationException, EAAFBuilderException { + try { + //generate basic authentication data + generateBasicAuthData(authData, protocolRequest, session); - //#################################################### + // #### generate MOA-ID specific authentication data ###### //set BKU URL includedToGenericAuthData.remove(PVPConstants.EID_CCS_URL_NAME); if (MiscUtil.isNotEmpty(session.getBkuURL())) @@ -282,41 +198,50 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu //TODO: fully switch from STORK QAA to eIDAS LoA //#################################################### //set QAA level - includedToGenericAuthData.remove(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME); - String currentLoA = null; - if (MiscUtil.isNotEmpty(session.getQAALevel())) - currentLoA = session.getQAALevel(); - else { - currentLoA = session.getGenericDataFromSession(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME, String.class); - if (MiscUtil.isNotEmpty(currentLoA)) { - Logger.debug("Find PVP-Attr '" + PVPConstants.EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME + "':" + currentLoA - + " --> Parse QAA-Level from that attribute."); + if (MiscUtil.isNotEmpty(authData.getEIDASQAALevel())) { + Logger.debug("Find eIDAS LoA. Map it to STORK QAA"); + authData.setQAALevel(loaLevelMapper.mapeIDASQAAToSTORKQAA(authData.getEIDASQAALevel())); + + } else { + Logger.info("Find NO eIDAS Loa. Starting STORK QAA processing as backup ... "); + + + includedToGenericAuthData.remove(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME); + String currentLoA = null; + if (MiscUtil.isNotEmpty(session.getQAALevel())) + currentLoA = session.getQAALevel(); + else { + currentLoA = session.getGenericDataFromSession(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME, String.class); + if (MiscUtil.isNotEmpty(currentLoA)) { + Logger.debug("Find PVP-Attr '" + PVPConstants.EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME + "':" + currentLoA + + " --> Parse QAA-Level from that attribute."); + } } - } - if (MiscUtil.isNotEmpty(currentLoA)) { - if (currentLoA.startsWith(PVPConstants.STORK_QAA_PREFIX)) { - authData.setQAALevel(currentLoA); - authData.seteIDASLoA(loaLevelMapper.mapSTORKQAAToeIDASQAA(currentLoA)); + if (MiscUtil.isNotEmpty(currentLoA)) { + if (currentLoA.startsWith(PVPConstants.STORK_QAA_PREFIX)) { + authData.setQAALevel(currentLoA); + authData.seteIDASLoA(loaLevelMapper.mapSTORKQAAToeIDASQAA(currentLoA)); - } else if (currentLoA.startsWith(EAAFConstants.EIDAS_QAA_PREFIX)) { - authData.setQAALevel(loaLevelMapper.mapeIDASQAAToSTORKQAA(currentLoA)); - authData.seteIDASLoA(currentLoA); + } else if (currentLoA.startsWith(EAAFConstants.EIDAS_QAA_PREFIX)) { + authData.setQAALevel(loaLevelMapper.mapeIDASQAAToSTORKQAA(currentLoA)); + authData.seteIDASLoA(currentLoA); - } else { - Logger.debug("Found PVP SecClass. QAA mapping process starts ... "); - String mappedStorkQAA = loaLevelMapper.mapSecClassToQAALevel(currentLoA); - if (MiscUtil.isNotEmpty(mappedStorkQAA)) { - authData.setQAALevel(mappedStorkQAA); - authData.seteIDASLoA(loaLevelMapper.mapSTORKQAAToeIDASQAA(mappedStorkQAA)); + } else { + Logger.debug("Found PVP SecClass. QAA mapping process starts ... "); + String mappedStorkQAA = loaLevelMapper.mapSecClassToQAALevel(currentLoA); + if (MiscUtil.isNotEmpty(mappedStorkQAA)) { + authData.setQAALevel(mappedStorkQAA); + authData.seteIDASLoA(loaLevelMapper.mapSTORKQAAToeIDASQAA(mappedStorkQAA)); - } - } - } + } + } + } + } //if no QAA level is set in MOASession then set default QAA level - if (MiscUtil.isEmpty(authData.getQAALevel())) { + if (MiscUtil.isEmpty(authData.getEIDASQAALevel())) { Logger.info("No QAA level found. Set to default level " + EAAFConstants.EIDAS_QAA_LOW); authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + "1"); authData.seteIDASLoA(EAAFConstants.EIDAS_QAA_LOW); @@ -371,65 +296,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu } - - //#################################################### - //set isForeigner flag - //TODO: change to new eIDAS-token attribute identifier - if (session.getGenericDataFromSession(PVPConstants.EID_STORK_TOKEN_NAME) != null) { - Logger.debug("Find PVP-Attr: " + PVPConstants.EID_STORK_TOKEN_FRIENDLY_NAME - + " --> Set 'isForeigner' flag to TRUE"); - authData.setForeigner(true); - - } else { - authData.setForeigner(session.isForeigner()); - - } - - - //#################################################### - //set citizen country-code - includedToGenericAuthData.remove(PVPConstants.EID_ISSUING_NATION_NAME); - String pvpCCCAttr = session.getGenericDataFromSession(PVPConstants.EID_ISSUING_NATION_NAME, String.class); - if (MiscUtil.isNotEmpty(pvpCCCAttr)) { - authData.setCiticenCountryCode(pvpCCCAttr); - Logger.debug("Find PVP-Attr: " + PVPConstants.EID_ISSUING_NATION_FRIENDLY_NAME); - - } else { - if (authData.isForeigner()) { - try { - if (authData.getSignerCertificate() != null) { - //TODO: replace with TSL lookup when TSL is ready! - X509Certificate certificate = new X509Certificate(authData.getSignerCertificate()); - if (certificate != null) { - LdapName ln = new LdapName(certificate.getIssuerDN() - .getName()); - for (Rdn rdn : ln.getRdns()) { - if (rdn.getType().equalsIgnoreCase("C")) { - Logger.info("C is: " + rdn.getValue()); - authData.setCiticenCountryCode(rdn.getValue().toString()); - break; - } - } - } - - } else - Logger.warn("NO PVP-Attr: " + PVPConstants.EID_ISSUING_NATION_NAME - + " and NO SignerCertificate in MOASession -->" - + " Can NOT extract citizen-country of foreign person."); - - - } catch (Exception e) { - Logger.error("Failed to extract country code from certificate with message: " + e.getMessage()); - - } - - } else { - authData.setCiticenCountryCode(COUNTRYCODE_AUSTRIA); - - } - } - - + //#################################################### //set max. SSO session time includedToGenericAuthData.remove(AuthenticationSessionStorageConstants.FEDERATION_RESPONSE_VALIDE_TO); @@ -558,11 +425,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu includedToGenericAuthData.remove(PVPConstants.MANDATE_PROF_REP_OID_NAME); } } - - - - - + //#################################################### // set bPK and IdentityLink for Organwalter --> // Organwalter has a special bPK is received from MIS @@ -572,111 +435,14 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu authData.setBPK(misMandate.getOWbPK()); authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + "OW"); Logger.trace("Authenticated User is OW: " + misMandate.getOWbPK()); - - - //TODO: check in case of mandates for business services - if (identityLink != null) - authData.setIdentityLink(identityLink); - - else if (idlFromPVPAttr != null){ - authData.setIdentityLink(idlFromPVPAttr); - Logger.debug("Set IdentityLink received from federated IDP for Organwalter"); - - } else - Logger.info("Can NOT set Organwalter IdentityLink. Msg: No IdentityLink found"); - - + //set bPK and IdenityLink for all other - } else { - //build bPK - String pvpbPKValue = getbPKValueFromPVPAttribute(session); - String pvpbPKTypeAttr = getbPKTypeFromPVPAttribute(session); - Pair<String, String> pvpEncbPKAttr = getEncryptedbPKFromPVPAttribute(session, authData, oaParam); - - //check if a unique ID for this citizen exists - if (MiscUtil.isEmpty(authData.getIdentificationValue()) && - MiscUtil.isEmpty(pvpbPKValue) && MiscUtil.isEmpty(authData.getBPK()) && - pvpEncbPKAttr == null) { - Logger.info("Can not build authData, because moaSession include no bPK, encrypted bPK or baseID"); - throw new MOAIDException("builder.08", new Object[]{"No " + PVPConstants.BPK_FRIENDLY_NAME - + " or " + PVPConstants.EID_SOURCE_PIN_FRIENDLY_NAME - + " or " + PVPConstants.ENC_BPK_LIST_FRIENDLY_NAME}); - - } - - // baseID is in MOASesson --> calculate bPK directly - if (MiscUtil.isNotEmpty(authData.getIdentificationValue())) { - Logger.debug("Citizen baseID is in MOASession --> calculate bPK from this."); - Pair<String, String> result = buildOAspecificbPK(protocolRequest, oaParam, authData); - authData.setBPK(result.getFirst()); - authData.setBPKType(result.getSecond()); - - //check if bPK already added to AuthData matches OA - } else if (MiscUtil.isNotEmpty(authData.getBPK()) - && matchsReceivedbPKToOnlineApplication(oaParam, authData.getBPKType()) ) { - Logger.debug("Correct bPK is already included in AuthData."); - - //check if bPK received by PVP-Attribute matches OA - } else if (MiscUtil.isNotEmpty(pvpbPKValue) && - matchsReceivedbPKToOnlineApplication(oaParam, pvpbPKTypeAttr)) { - Logger.debug("Receive correct bPK from PVP-Attribute"); - authData.setBPK(pvpbPKValue); - authData.setBPKType(pvpbPKTypeAttr); - - //check if decrypted bPK exists - } else if (pvpEncbPKAttr != null) { - Logger.debug("Receive bPK as encrypted bPK and decryption was possible."); - authData.setBPK(pvpEncbPKAttr.getFirst()); - authData.setBPKType(pvpEncbPKAttr.getSecond()); + Logger.debug("User is an OW. Set original IDL into authdata ... "); + authData.setIdentityLink(session.getIdentityLink()); - //ask SZR to get bPK - } else { - String notValidbPK = authData.getBPK(); - String notValidbPKType = authData.getBPKType(); - if (MiscUtil.isEmpty(notValidbPK) && - MiscUtil.isEmpty(notValidbPKType)) { - notValidbPK = pvpbPKValue; - notValidbPKType = pvpbPKTypeAttr; - - if (MiscUtil.isEmpty(notValidbPK) && - MiscUtil.isEmpty(notValidbPKType)) { - Logger.fatal("No bPK in MOASession. THIS error should not occur any more."); - throw new NullPointerException("No bPK in MOASession. THIS error should not occur any more."); - } - } - - Pair<String, String> baseIDFromSZR = getbaseIDFromSZR(authData, notValidbPK, notValidbPKType); - if (baseIDFromSZR != null) { - Logger.info("Receive citizen baseID from SRZ. Authentication can be completed"); - authData.setIdentificationValue(baseIDFromSZR.getFirst()); - authData.setIdentificationType(baseIDFromSZR.getSecond()); - Pair<String, String> result = buildOAspecificbPK(protocolRequest, oaParam, authData); - authData.setBPK(result.getFirst()); - authData.setBPKType(result.getSecond()); - - } else { - Logger.warn("Can not build authData, because moaSession include no valid bPK, encrypted bPK or baseID"); - throw new MOAIDException("builder.08", new Object[]{"No valid " + PVPConstants.BPK_FRIENDLY_NAME - + " or " + PVPConstants.EID_SOURCE_PIN_FRIENDLY_NAME - + " or " + PVPConstants.ENC_BPK_LIST_FRIENDLY_NAME}); - - } - } - - //build IdentityLink - if (identityLink != null) - authData.setIdentityLink(buildOAspecificIdentityLink(oaParam, identityLink, authData.getBPK(), authData.getBPKType())); - else if (idlFromPVPAttr != null) { - authData.setIdentityLink(buildOAspecificIdentityLink(oaParam, idlFromPVPAttr, authData.getBPK(), authData.getBPKType())); - Logger.debug("Set IdentityLink received from federated IDP"); - } else { - Logger.info("Can NOT set IdentityLink. Msg: No IdentityLink found"); - - } - } - + } //################################################################### //set PVP role attribute (implemented for ISA 1.18 action) @@ -738,7 +504,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu } } - } catch (BuildException e) { + } catch (EAAFBuilderException e) { throw e; } catch (Throwable ex) { @@ -747,38 +513,6 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu } } - - /** - * Check a bPK-Type against a Service-Provider configuration <br> - * If bPK-Type is <code>null</code> the result is <code>false</code>. - * - * @param oaParam Service-Provider configuration, never null - * @param bPKType bPK-Type to check - * @return true, if bPK-Type matchs to Service-Provider configuration, otherwise false - * @throws ConfigurationException - */ - private boolean matchsReceivedbPKToOnlineApplication(IOAAuthParameters oaParam, String bPKType) throws ConfigurationException { - return oaParam.getAreaSpecificTargetIdentifier().equals(bPKType); - - } - - private void parseBasicUserInfosFromIDL(AuthenticationData authData, IIdentityLink identityLink, Collection<String> includedGenericSessionData) { - //baseID or wbpk in case of BusinessService without SSO or BusinessService SSO - authData.setIdentificationValue(identityLink.getIdentificationValue()); - authData.setIdentificationType(identityLink.getIdentificationType()); - - authData.setGivenName(identityLink.getGivenName()); - authData.setFamilyName(identityLink.getFamilyName()); - authData.setDateOfBirth(identityLink.getDateOfBirth()); - - //remove corresponding keys from genericSessionData if exists - includedGenericSessionData.remove(PVPConstants.PRINCIPAL_NAME_NAME); - includedGenericSessionData.remove(PVPConstants.GIVEN_NAME_NAME); - includedGenericSessionData.remove(PVPConstants.BIRTHDATE_NAME); - includedGenericSessionData.remove(PVPConstants.EID_SOURCE_PIN_NAME); - includedGenericSessionData.remove(PVPConstants.EID_SOURCE_PIN_TYPE_NAME); - - } /** * @param authData @@ -786,7 +520,8 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu * @param notValidbPKType * @return */ - private Pair<String, String> getbaseIDFromSZR(AuthenticationData authData, String notValidbPK, + @Override + protected Pair<String, String> getbaseIDFromSZR(AuthenticationData authData, String notValidbPK, String notValidbPKType) { try { EgovUtilPropertiesConfiguration eGovClientsConfig = authConfig.geteGovUtilsConfig(); @@ -841,7 +576,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu * MOASession as 'GenericData' <br> <pre><code>session.getGenericDataFromSession(PVPConstants.ENC_BPK_LIST_NAME, String.class)</code></pre> * to <code>authData</code> * - * @param session MOASession, but never null + * @param authProcessDataContainer MOASession, but never null * @param authData AuthenticationData DAO * @param spConfig Service-Provider configuration * @@ -849,194 +584,124 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu * or <code>null</code> if no attribute exists or can not decrypted * @throws ConfigurationException */ - private Pair<String, String> getEncryptedbPKFromPVPAttribute(IAuthenticationSession session, - MOAAuthenticationData authData, IOAAuthParameters spConfig) throws ConfigurationException { - //set List of encrypted bPKs to authData DAO - String pvpEncbPKListAttr = session.getGenericDataFromSession(PVPConstants.ENC_BPK_LIST_NAME, String.class); - if (MiscUtil.isNotEmpty(pvpEncbPKListAttr)) { - List<String> encbPKList = Arrays.asList(pvpEncbPKListAttr.split(";")); - authData.setEncbPKList(encbPKList); - - //check if one of this encrypted bPK could be decrypt for this Service-Provider - for (String fullEncbPK : encbPKList) { - int index = fullEncbPK.indexOf("|"); - if (index >= 0) { - String encbPK = fullEncbPK.substring(index+1); - String second = fullEncbPK.substring(0, index); - int secIndex = second.indexOf("+"); - if (secIndex >= 0) { - String oaTargetId = spConfig.getAreaSpecificTargetIdentifier(); - if (oaTargetId.startsWith(MOAIDAuthConstants.PREFIX_CDID)) { - String publicServiceShortTarget = oaTargetId.substring(MOAIDAuthConstants.PREFIX_CDID.length()); - if (publicServiceShortTarget.equals(second.substring(secIndex+1))) { - Logger.debug("Found encrypted bPK for online-application " - + spConfig.getPublicURLPrefix() - + " Start decryption process ..."); - PrivateKey privKey = spConfig.getBPKDecBpkDecryptionKey(); - if (privKey != null) { - try { - String bPK = BPKBuilder.decryptBPK(encbPK, publicServiceShortTarget, privKey); - if (MiscUtil.isNotEmpty(bPK)) { - Logger.info("bPK decryption process finished successfully."); - return Pair.newInstance(bPK, oaTargetId); - - } else { - Logger.error("bPK decryption FAILED."); - + @Override + protected Pair<String, String> getEncryptedbPKFromPVPAttribute(IAuthProcessDataContainer authProcessDataContainer, + AuthenticationData authData, ISPConfiguration spConfig) throws EAAFBuilderException { + //set List of encrypted bPKs to authData DAO + if (authData instanceof MOAAuthenticationData && + spConfig instanceof IOAAuthParameters) { + + String pvpEncbPKListAttr = authProcessDataContainer.getGenericDataFromSession(PVPConstants.ENC_BPK_LIST_NAME, String.class); + if (MiscUtil.isNotEmpty(pvpEncbPKListAttr)) { + List<String> encbPKList = Arrays.asList(pvpEncbPKListAttr.split(";")); + ((MOAAuthenticationData) authData).setEncbPKList(encbPKList); + + //check if one of this encrypted bPK could be decrypt for this Service-Provider + for (String fullEncbPK : encbPKList) { + int index = fullEncbPK.indexOf("|"); + if (index >= 0) { + String encbPK = fullEncbPK.substring(index+1); + String second = fullEncbPK.substring(0, index); + int secIndex = second.indexOf("+"); + if (secIndex >= 0) { + String oaTargetId = spConfig.getAreaSpecificTargetIdentifier(); + if (oaTargetId.startsWith(MOAIDAuthConstants.PREFIX_CDID)) { + String publicServiceShortTarget = oaTargetId.substring(MOAIDAuthConstants.PREFIX_CDID.length()); + if (publicServiceShortTarget.equals(second.substring(secIndex+1))) { + Logger.debug("Found encrypted bPK for online-application " + + spConfig.getUniqueIdentifier() + + " Start decryption process ..."); + PrivateKey privKey = ((IOAAuthParameters) spConfig).getBPKDecBpkDecryptionKey(); + if (privKey != null) { + try { + String bPK = BPKBuilder.decryptBPK(encbPK, publicServiceShortTarget, privKey); + if (MiscUtil.isNotEmpty(bPK)) { + Logger.info("bPK decryption process finished successfully."); + return Pair.newInstance(bPK, oaTargetId); + + } else { + Logger.error("bPK decryption FAILED."); + + } + } catch (EAAFBuilderException e) { + Logger.error("bPK decryption FAILED.", e); + } - } catch (BuildException e) { - Logger.error("bPK decryption FAILED.", e); - } + } else { + Logger.info("bPK decryption FAILED, because no valid decryption key is found."); + + } } else { - Logger.info("bPK decryption FAILED, because no valid decryption key is found."); + Logger.info("Found encrypted bPK but " + + "encrypted bPK target does not match to online-application target"); - } + } } else { - Logger.info("Found encrypted bPK but " + - "encrypted bPK target does not match to online-application target"); + Logger.info("Encrypted bPKs are only allowed for public services with prefix: " + MOAIDAuthConstants.PREFIX_CDID + + " BUT oaTarget is " + oaTargetId); } - - } else { - Logger.info("Encrypted bPKs are only allowed for public services with prefix: " + MOAIDAuthConstants.PREFIX_CDID - + " BUT oaTarget is " + oaTargetId); - - } - } - } - } - } - - return null; - } - - /** - * Get bPK from PVP Attribute 'BPK_NAME', which could be exist in - * MOASession as 'GenericData' <br> <pre><code>session.getGenericDataFromSession(PVPConstants.BPK_NAME, String.class)</code></pre> - * - * @param session MOASession, but never null - * @return bPK, which was received by PVP-Attribute, or <code>null</code> if no attribute exists - */ - private String getbPKValueFromPVPAttribute(IAuthenticationSession session) { - String pvpbPKValueAttr = session.getGenericDataFromSession(PVPConstants.BPK_NAME, String.class); - if (MiscUtil.isNotEmpty(pvpbPKValueAttr)) { - - //fix a wrong bPK-value prefix, which was used in some PVP Standardportal implementations - if (pvpbPKValueAttr.startsWith("bPK:")) { - Logger.warn("Attribute " + PVPConstants.BPK_NAME - + " contains a not standardize prefix! Staring attribute value correction process ..."); - pvpbPKValueAttr = pvpbPKValueAttr.substring("bPK:".length()); - - } - - String[] spitted = pvpbPKValueAttr.split(":"); - if (spitted.length != 2) { - Logger.warn("Attribute " + PVPConstants.BPK_NAME + " has a wrong encoding and can NOT be USED!" - + " Value:" + pvpbPKValueAttr); - return null; - + } + } + } } - Logger.debug("Find PVP-Attr: " + PVPConstants.BPK_FRIENDLY_NAME); - return spitted[1]; - } + } else + Logger.warn("AuthData: " + authData.getClass().getName() + " or spConfig: " + spConfig.getClass().getName() + + " are not MOAID data-objects"); return null; } - /** - * Get bPK-Type from PVP Attribute 'EID_SECTOR_FOR_IDENTIFIER_NAME', which could be exist in - * MOASession as 'GenericData' <br> <pre><code>session.getGenericDataFromSession(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME, String.class)</code></pre> - * - * @param session MOASession, but never null - * @return bPKType, which was received by PVP-Attribute, or <code>null</code> if no attribute exists - */ - private String getbPKTypeFromPVPAttribute(IAuthenticationSession session) { - String pvpbPKTypeAttr = session.getGenericDataFromSession(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME, String.class); - if (MiscUtil.isNotEmpty(pvpbPKTypeAttr)) { - - //fix a wrong bPK-Type encoding, which was used in some PVP Standardportal implementations - if (pvpbPKTypeAttr.startsWith(Constants.URN_PREFIX_CDID) && - !pvpbPKTypeAttr.substring(Constants.URN_PREFIX_CDID.length(), - Constants.URN_PREFIX_CDID.length() + 1).equals("+")) { - Logger.warn("Receive uncorrect encoded bBKType attribute " + pvpbPKTypeAttr + " Starting attribute value correction ... "); - pvpbPKTypeAttr = Constants.URN_PREFIX_CDID + "+" + pvpbPKTypeAttr.substring(Constants.URN_PREFIX_CDID.length() + 1); - - } - Logger.debug("Find PVP-Attr: " + PVPConstants.EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME); - return pvpbPKTypeAttr; - } - - return null; - - - /* - * INFO: This code could be used to extract the bPKType from 'PVPConstants.BPK_NAME', - * because the prefix of BPK_NAME attribute contains the postfix of the bPKType - * - * Now, all PVP Standardportals should be able to send 'EID_SECTOR_FOR_IDENTIFIER' - * PVP attributes - */ -// String pvpbPKValueAttr = session.getGenericDataFromSession(PVPConstants.BPK_NAME, String.class); -// String[] spitted = pvpbPKValueAttr.split(":"); -// if (MiscUtil.isEmpty(authData.getBPKType())) { -// Logger.debug("PVP assertion contains NO bPK/wbPK target attribute. " + -// "Starting target extraction from bPK/wbPK prefix ..."); -// //exract bPK/wbPK type from bpk attribute value prefix if type is -// //not transmitted as single attribute -// Pattern pattern = Pattern.compile("[a-zA-Z]{2}(-[a-zA-Z]+)?"); -// Matcher matcher = pattern.matcher(spitted[0]); -// if (matcher.matches()) { -// //find public service bPK -// authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + spitted[0]); -// Logger.debug("Found bPK prefix. Set target to " + authData.getBPKType()); -// -// } else { -// //find business service wbPK -// authData.setBPKType(Constants.URN_PREFIX_WBPK+ "+" + spitted[0]); -// Logger.debug("Found wbPK prefix. Set target to " + authData.getBPKType()); -// -// } -// } - - } + @Override + protected IIdentityLink buildOAspecificIdentityLink(ISPConfiguration spConfig, IIdentityLink idl, String bPK, String bPKType) throws EAAFConfigurationException, XPathException, DOMException, EAAFParserException { + if (spConfig.hasBaseIdTransferRestriction()) { + try { + Element idlassertion = idl.getSamlAssertion(); + + //set bpk/wpbk; + Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); + prIdentification.getFirstChild().setNodeValue(bPK); - private IIdentityLink buildOAspecificIdentityLink(IOAAuthParameters oaParam, IIdentityLink idl, String bPK, String bPKType) throws MOAIDException, EAAFConfigurationException, XPathException, DOMException { - if (oaParam.hasBaseIdTransferRestriction()) { - Element idlassertion = idl.getSamlAssertion(); - //set bpk/wpbk; - Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); - prIdentification.getFirstChild().setNodeValue(bPK); - //set bkp/wpbk type - Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH); - prIdentificationType.getFirstChild().setNodeValue(bPKType); + //set bkp/wpbk type + Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH); + prIdentificationType.getFirstChild().setNodeValue(bPKType); - IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion); - IIdentityLink businessServiceIdl = idlparser.parseIdentityLink(); + IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion); + IIdentityLink businessServiceIdl = idlparser.parseIdentityLink(); - //resign IDL - IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance(); - Element resignedilAssertion; - - if (authConfig.isIdentityLinkResigning()) { - resignedilAssertion = identitylinkresigner.resignIdentityLink(businessServiceIdl.getSamlAssertion(), authConfig.getIdentityLinkResigningKey()); - } else { - resignedilAssertion = businessServiceIdl.getSamlAssertion(); + //resign IDL + IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance(); + Element resignedilAssertion; + + if (authConfig.isIdentityLinkResigning()) { + resignedilAssertion = identitylinkresigner.resignIdentityLink(businessServiceIdl.getSamlAssertion(), authConfig.getIdentityLinkResigningKey()); + } else { + resignedilAssertion = businessServiceIdl.getSamlAssertion(); + } + + IdentityLinkAssertionParser resignedIDLParser = new IdentityLinkAssertionParser(resignedilAssertion); + return resignedIDLParser.parseIdentityLink(); + + } catch (MOAIDException e) { + Logger.warn("Can not build OA specific IDL. Reason: " + e.getMessage(), e); + throw new EAAFParserException("TODO", null, + "Can not build OA specific IDL. Reason: " + e.getMessage(), e); + } - IdentityLinkAssertionParser resignedIDLParser = new IdentityLinkAssertionParser(resignedilAssertion); - return resignedIDLParser.parseIdentityLink(); } else return idl; - - - } - - - private Pair<String, String> buildOAspecificbPK(IRequest pendingReq, IOAAuthParameters oaParam, AuthenticationData authData) throws BuildException, ConfigurationException { + + } + + + @Override + protected Pair<String, String> buildOAspecificbPK(IRequest pendingReq, AuthenticationData authData) throws EAAFBuilderException { + ISPConfiguration oaParam = pendingReq.getServiceProviderConfiguration(); String baseID = authData.getIdentificationValue(); String baseIDType = authData.getIdentificationType(); |