Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder')
7 files changed, 428 insertions, 1076 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index cc716f9f8..2c14af463 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -23,72 +23,71 @@ package at.gv.egovernment.moa.id.auth.builder; import java.io.IOException; -import java.io.InputStream; import java.lang.reflect.InvocationTargetException; import java.security.PrivateKey; import java.util.ArrayList; import java.util.Arrays; -import java.util.Collection; import java.util.Date; +import java.util.HashMap; import java.util.Iterator; import java.util.List; +import java.util.Map; +import java.util.Map.Entry; -import javax.naming.ldap.LdapName; -import javax.naming.ldap.Rdn; +import javax.annotation.PostConstruct; -import org.opensaml.saml2.core.Attribute; -import org.opensaml.saml2.core.AttributeQuery; -import org.opensaml.saml2.core.Response; -import org.opensaml.ws.soap.common.SOAPException; -import org.opensaml.xml.XMLObject; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; +import org.w3c.dom.DOMException; import org.w3c.dom.Element; import org.w3c.dom.Node; import org.w3c.dom.NodeList; +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.data.EAAFConstants; +import at.gv.egiz.eaaf.core.api.idp.IAuthData; +import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; +import at.gv.egiz.eaaf.core.api.idp.auth.data.IAuthProcessDataContainer; +import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink; +import at.gv.egiz.eaaf.core.exceptions.EAAFAuthenticationException; +import at.gv.egiz.eaaf.core.exceptions.EAAFBuilderException; +import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EAAFParserException; +import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException; +import at.gv.egiz.eaaf.core.exceptions.XPathException; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.idp.AuthenticationData; +import at.gv.egiz.eaaf.core.impl.idp.auth.builder.AbstractAuthenticationDataBuilder; +import at.gv.egiz.eaaf.core.impl.idp.auth.builder.BPKBuilder; +import 
at.gv.egiz.eaaf.core.impl.utils.XPathUtils; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionWrapper; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.DynamicOABuildException; -import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; -import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.commons.api.data.ExtendedSAMLAttribute; import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession; -import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink; import at.gv.egovernment.moa.id.commons.api.data.IMISMandate; import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; -import at.gv.egovernment.moa.id.commons.api.exceptions.SessionDataStorageException; import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameterDecorator; import at.gv.egovernment.moa.id.data.AuthenticationRoleFactory; -import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.MISMandate; -import at.gv.egovernment.moa.id.data.Pair; +import at.gv.egovernment.moa.id.data.MOAAuthenticationData; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; -import 
at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; -import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.IdentityLinkReSigner; -import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper; +import at.gv.egovernment.moa.id.util.LoALevelMapper; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.MiscUtil; -import at.gv.egovernment.moa.util.XPathUtils; import at.gv.util.client.szr.SZRClient; import at.gv.util.config.EgovUtilPropertiesConfiguration; import at.gv.util.wsdl.szr.SZRException; 
@@ -100,30 +99,57 @@ import iaik.x509.X509Certificate; * */ @Service("AuthenticationDataBuilder") -public class AuthenticationDataBuilder extends MOAIDAuthConstants { +public class AuthenticationDataBuilder extends AbstractAuthenticationDataBuilder { + public static final String CONFIGURATION_PROP_FOREIGN_BPK_ENC_KEYS = "configuration.foreignsectors.pubkey"; + @Autowired private IAuthenticationSessionStoreage authenticatedSessionStorage; @Autowired protected AuthConfiguration authConfig; - @Autowired private AttributQueryBuilder attributQueryBuilder; - @Autowired private SAMLVerificationEngineSP samlVerificationEngine; - @Autowired(required=true) private MOAMetadataProvider metadataProvider; + @Autowired protected LoALevelMapper loaLevelMapper; + private Map<String, X509Certificate> encKeyMap = new HashMap<String, X509Certificate>(); - public IAuthData buildAuthenticationData(IRequest pendingReq, - IAuthenticationSession session) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException { - return buildAuthenticationData(pendingReq, session, pendingReq.getOnlineApplicationConfiguration()); - + @PostConstruct + private void initialize() { + Map<String, String> pubKeyMap = authConfig.getBasicMOAIDConfigurationWithPrefix(CONFIGURATION_PROP_FOREIGN_BPK_ENC_KEYS); + for (Entry<String, String> el : pubKeyMap.entrySet()) { + try { + encKeyMap.put(el.getKey(), new X509Certificate(Base64Utils.decode(el.getValue(), false))); + Logger.info("Load foreign bPK encryption certificate for sector: " + el.getKey()); + + } catch (Exception e) { + Logger.warn("Can NOT load foreign bPK encryption certificate for sector: \" + el.getKey()", e); + + } + + } } - public IAuthData buildAuthenticationData(IRequest pendingReq, - IAuthenticationSession session, IOAAuthParameters oaParam) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException { - AuthenticationData authdata = null; + @Override + public IAuthData 
buildAuthenticationData(IRequest pendingReq) throws EAAFAuthenticationException { + try { + return buildAuthenticationData(pendingReq, + pendingReq.getSessionData(AuthenticationSessionWrapper.class), + pendingReq.getServiceProviderConfiguration(OAAuthParameterDecorator.class)); + + } catch (ConfigurationException | BuildException | WrongParametersException | DynamicOABuildException | EAAFBuilderException e) { + Logger.warn("Can not build authentication data from session information"); + throw new EAAFAuthenticationException("builder.11", new Object[]{}, e); + + } + + } + + private IAuthData buildAuthenticationData(IRequest pendingReq, + IAuthenticationSession session, IOAAuthParameters oaParam) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException, EAAFBuilderException { + MOAAuthenticationData authdata = null; //only needed for SAML1 legacy support try { //check if SAML1 authentication module is in Classpath Class<?> saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl"); - IAuthData saml1authdata = (IAuthData) Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData").newInstance(); + //IAuthData saml1authdata = (IAuthData) Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData").newInstance(); + IAuthData saml1authdata = (IAuthData) Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData").getConstructor(LoALevelMapper.class).newInstance(loaLevelMapper); if (saml1RequstTemplate != null && saml1RequstTemplate.isInstance(pendingReq)) { //request is SAML1 --> invoke SAML1 protocol specific methods 
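Review bot: The warn message in the new `initialize()` never includes the sector key, because the `\"` inside the literal turns `+ el.getKey()` into plain text, so the log reads `... for sector: " + el.getKey()` verbatim. It should be `Logger.warn("Can NOT load foreign bPK encryption certificate for sector: " + el.getKey(), e);`. This matters operationally: a certificate that fails to decode or parse is silently skipped and the sector simply stays absent from `encKeyMap`, so this line is the only trace an operator has when a foreign bPK is later missing. A short comment above the loop, such as `// best-effort: an unparseable certificate is skipped; its sector will have no foreign bPK`, would make that intent explicit. The private three-argument `buildAuthenticationData` continues past the end of the hunk.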
@@ -134,19 +160,19 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { saml1authdata.getClass().getMethod("setExtendedSAMLAttributesOA", List.class).invoke(saml1authdata, session.getExtendedSAMLAttributesOA()); } - authdata = (AuthenticationData) saml1authdata; + authdata = (MOAAuthenticationData) saml1authdata; } else { - authdata = new AuthenticationData(); + authdata = new MOAAuthenticationData(loaLevelMapper); } } catch (ClassNotFoundException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | NoSuchMethodException | java.lang.SecurityException ex) { - authdata = new AuthenticationData(); + authdata = new MOAAuthenticationData(loaLevelMapper); } - OASessionStore activeOA = authenticatedSessionStorage.searchActiveOASSOSession(session, pendingReq.getOAURL(), pendingReq.requestedModule()); + OASessionStore activeOA = authenticatedSessionStorage.searchActiveOASSOSession(session, pendingReq.getSPEntityId(), pendingReq.requestedModule()); //reuse authentication information in case of service-provider reauthentication if (activeOA != null) { authdata.setSessionIndex(activeOA.getAssertionSessionID()); 
@@ -160,14 +186,14 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { if (oaParam.isSTORKPVPGateway()) oaParam = DynamicOAAuthParameterBuilder.buildFromAuthnRequest(oaParam, pendingReq); - Boolean isMinimalFrontChannelResp = pendingReq.getGenericData( - PVPTargetConfiguration.DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP, Boolean.class); + Boolean isMinimalFrontChannelResp = pendingReq.getRawData( + MOAIDAuthConstants.DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP, Boolean.class); if (isMinimalFrontChannelResp != null && isMinimalFrontChannelResp) { //only set minimal response attributes authdata.setQAALevel( - pendingReq.getGenericData(PVPTargetConfiguration.DATAID_INTERFEDERATION_QAALEVEL, String.class)); + pendingReq.getRawData(MOAIDAuthConstants.DATAID_INTERFEDERATION_QAALEVEL, String.class)); authdata.setBPK( - pendingReq.getGenericData(PVPTargetConfiguration.DATAID_INTERFEDERATION_NAMEID, String.class)); + pendingReq.getRawData(MOAIDAuthConstants.DATAID_INTERFEDERATION_NAMEID, String.class)); } else { //build AuthenticationData from MOASession 
@@ -177,173 +203,15 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { return authdata; } - - /** - * Get PVP authentication attributes by using a SAML2 AttributeQuery - * - * @param reqQueryAttr List of PVP attributes which are requested - * @param userNameID SAML2 UserNameID of the user for which attributes are requested - * @param idpConfig Configuration of the IDP, which is requested - * @return - * @return PVP attribute DAO, which contains all received information - * @throws MOAIDException - */ - public AssertionAttributeExtractor getAuthDataFromAttributeQuery(List<Attribute> reqQueryAttr, - String userNameID, IOAAuthParameters idpConfig ) throws MOAIDException{ - String idpEnityID = idpConfig.getPublicURLPrefix(); - - try { - Logger.debug("Starting AttributeQuery process ..."); - //collect attributes by using BackChannel communication - String endpoint = idpConfig.getIDPAttributQueryServiceURL(); - if (MiscUtil.isEmpty(endpoint)) { - Logger.error("No AttributeQueryURL for interfederationIDP " + idpEnityID); - throw new ConfigurationException("config.26", new Object[]{idpEnityID}); - - } - - //build attributQuery request - AttributeQuery query = attributQueryBuilder.buildAttributQueryRequest(userNameID, endpoint, reqQueryAttr); - - //build SOAP request - List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query); - - if (xmlObjects.size() == 0) { - Logger.error("Receive emptry AttributeQuery response-body."); - throw new AttributQueryException("auth.27", - new Object[]{idpEnityID, "Receive emptry AttributeQuery response-body."}); - - } - - Response intfResp; - if (xmlObjects.get(0) instanceof Response) { - intfResp = (Response) xmlObjects.get(0); - - //validate PVP 2.1 response - try { - samlVerificationEngine.verifyIDPResponse(intfResp, - TrustEngineFactory.getSignatureKnownKeysTrustEngine( - metadataProvider)); - - //create assertion attribute extractor from AttributeQuery response - return new 
AssertionAttributeExtractor(intfResp); - - } catch (Exception e) { - Logger.warn("PVP 2.1 assertion validation FAILED.", e); - throw new AssertionValidationExeption("auth.27", - new Object[]{idpEnityID, e.getMessage()}, e); - } - - } else { - Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response"); - throw new AttributQueryException("auth.27", - new Object[]{idpEnityID, "Receive AttributeQuery response-body include no PVP 2.1 response"}); - - } - - } catch (SOAPException e) { - throw new BuildException("builder.06", null, e); - - } catch (SecurityException e) { - throw new BuildException("builder.06", null, e); - - } catch (org.opensaml.xml.security.SecurityException e1) { - throw new BuildException("builder.06", null, e1); - - } - } - - private void buildAuthDataFormMOASession(AuthenticationData authData, IAuthenticationSession session, - IOAAuthParameters oaParam, IRequest protocolRequest) throws BuildException, ConfigurationException { - - Collection<String> includedToGenericAuthData = null; - if (session.getGenericSessionDataStorage() != null && - !session.getGenericSessionDataStorage().isEmpty()) - includedToGenericAuthData = session.getGenericSessionDataStorage().keySet(); - else - includedToGenericAuthData = new ArrayList<String>(); - - try { - //#################################################### - //set general authData info's - authData.setIssuer(protocolRequest.getAuthURL()); - authData.setSsoSession(protocolRequest.needSingleSignOnFunctionality()); - authData.setBaseIDTransferRestrication(oaParam.hasBaseIdTransferRestriction()); - - - //#################################################### - //parse user info's from identityLink - IIdentityLink idlFromPVPAttr = null; - IIdentityLink identityLink = session.getIdentityLink(); - if (identityLink != null) { - parseBasicUserInfosFromIDL(authData, identityLink, includedToGenericAuthData); - - } else { - // identityLink is not direct in MOASession - String pvpAttrIDL = 
session.getGenericDataFromSession(PVPConstants.EID_IDENTITY_LINK_NAME, String.class); - //find PVP-Attr. which contains the IdentityLink - if (MiscUtil.isNotEmpty(pvpAttrIDL)) { - Logger.debug("Find PVP-Attr: " + PVPConstants.EID_IDENTITY_LINK_FRIENDLY_NAME - + " --> Parse basic user info's from that attribute."); - InputStream idlStream = null; - try { - idlStream = Base64Utils.decodeToStream(pvpAttrIDL, false); - idlFromPVPAttr = new IdentityLinkAssertionParser(idlStream).parseIdentityLink(); - parseBasicUserInfosFromIDL(authData, idlFromPVPAttr, includedToGenericAuthData); - - } catch (ParseException e) { - Logger.error("Received IdentityLink is not valid", e); - - } catch (Exception e) { - Logger.error("Received IdentityLink is not valid", e); - - } finally { - try { - includedToGenericAuthData.remove(PVPConstants.EID_IDENTITY_LINK_NAME); - if (idlStream != null) - idlStream.close(); - - } catch (IOException e) { - Logger.fatal("Close InputStream FAILED.", e); - - } - - } - - } - - //if no basic user info's are set yet, parse info's single PVP-Attributes - if (MiscUtil.isEmpty(authData.getFamilyName())) { - Logger.debug("No IdentityLink found or not parseable --> Parse basic user info's from single PVP-Attributes."); - authData.setFamilyName(session.getGenericDataFromSession(PVPConstants.PRINCIPAL_NAME_NAME, String.class)); - authData.setGivenName(session.getGenericDataFromSession(PVPConstants.GIVEN_NAME_NAME, String.class)); - authData.setDateOfBirth(session.getGenericDataFromSession(PVPConstants.BIRTHDATE_NAME, String.class)); - authData.setIdentificationValue(session.getGenericDataFromSession(PVPConstants.EID_SOURCE_PIN_NAME, String.class)); - authData.setIdentificationType(session.getGenericDataFromSession(PVPConstants.EID_SOURCE_PIN_TYPE_NAME, String.class)); - - //remove corresponding keys from genericSessionData if exists - includedToGenericAuthData.remove(PVPConstants.PRINCIPAL_NAME_NAME); - 
includedToGenericAuthData.remove(PVPConstants.GIVEN_NAME_NAME); - includedToGenericAuthData.remove(PVPConstants.BIRTHDATE_NAME); - includedToGenericAuthData.remove(PVPConstants.EID_SOURCE_PIN_NAME); - includedToGenericAuthData.remove(PVPConstants.EID_SOURCE_PIN_TYPE_NAME); - } - - } - if (authData.getIdentificationType() != null && - !authData.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - Logger.trace("IdentificationType is not a baseID --> clear it. "); - authData.setBPK(authData.getIdentificationValue()); - authData.setBPKType(authData.getIdentificationType()); - - authData.setIdentificationValue(null); - authData.setIdentificationType(null); - - } + private void buildAuthDataFormMOASession(MOAAuthenticationData authData, IAuthenticationSession session, + IOAAuthParameters oaParam, IRequest protocolRequest) throws BuildException, ConfigurationException, EAAFBuilderException { + try { + //generate basic authentication data + generateBasicAuthData(authData, protocolRequest, session); - //#################################################### + // #### generate MOA-ID specific authentication data ###### //set BKU URL includedToGenericAuthData.remove(PVPConstants.EID_CCS_URL_NAME); if (MiscUtil.isNotEmpty(session.getBkuURL())) 
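Review bot: The local `Collection<String> includedToGenericAuthData` is deleted in this hunk, yet the first new line after `generateBasicAuthData(...)` still calls `includedToGenericAuthData.remove(PVPConstants.EID_CCS_URL_NAME)`, so it must now be a member inherited from `AbstractAuthenticationDataBuilder` that `generateBasicAuthData` is expected to populate; nothing in the hunk shows that, so it is worth confirming the super-call happens before any `remove` and that the collection is never null for a session without generic data. I would document the dependency at the call site: `// generateBasicAuthData() fills includedToGenericAuthData with the session's generic keys; every key consumed below is removed so it is not copied again as generic authData`. The removed code also explicitly turned a non-baseID identification type into bPK/bPKType; if that logic now lives in the parent, a one-line note saying so would save the next reader from re-checking. `buildAuthDataFormMOASession` continues past the end of the hunk.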
@@ -355,33 +223,53 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { //TODO: fully switch from STORK QAA to eIDAS LoA //#################################################### //set QAA level - includedToGenericAuthData.remove(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME); - if (MiscUtil.isNotEmpty(session.getQAALevel())) - authData.setQAALevel(session.getQAALevel()); + if (MiscUtil.isNotEmpty(authData.getEIDASQAALevel())) { + Logger.debug("Find eIDAS LoA. Map it to STORK QAA"); + authData.setQAALevel(loaLevelMapper.mapeIDASQAAToSTORKQAA(authData.getEIDASQAALevel())); + + } else { + Logger.info("Find NO eIDAS Loa. Starting STORK QAA processing as backup ... "); - else { - String qaaLevel = session.getGenericDataFromSession(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME, String.class); - if (MiscUtil.isNotEmpty(qaaLevel)) { - Logger.debug("Find PVP-Attr: " + PVPConstants.EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME - + " --> Parse QAA-Level from that attribute."); - - if (qaaLevel.startsWith(PVPConstants.STORK_QAA_PREFIX)) { - authData.setQAALevel(qaaLevel); - - } else { - Logger.debug("Found PVP QAA level. QAA mapping process starts ... 
"); - String mappedQAA = PVPtoSTORKMapper.getInstance().mapToQAALevel(qaaLevel); - if (MiscUtil.isNotEmpty(mappedQAA)) - authData.setQAALevel(mappedQAA); - + + includedToGenericAuthData.remove(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME); + String currentLoA = null; + if (MiscUtil.isNotEmpty(session.getQAALevel())) + currentLoA = session.getQAALevel(); + else { + currentLoA = session.getGenericDataFromSession(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME, String.class); + if (MiscUtil.isNotEmpty(currentLoA)) { + Logger.debug("Find PVP-Attr '" + PVPConstants.EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME + "':" + currentLoA + + " --> Parse QAA-Level from that attribute."); + } } + + if (MiscUtil.isNotEmpty(currentLoA)) { + if (currentLoA.startsWith(PVPConstants.STORK_QAA_PREFIX)) { + authData.setQAALevel(currentLoA); + authData.seteIDASLoA(loaLevelMapper.mapSTORKQAAToeIDASQAA(currentLoA)); + + } else if (currentLoA.startsWith(EAAFConstants.EIDAS_LOA_PREFIX)) { + authData.setQAALevel(loaLevelMapper.mapeIDASQAAToSTORKQAA(currentLoA)); + authData.seteIDASLoA(currentLoA); + + } else { + Logger.debug("Found PVP SecClass. QAA mapping process starts ... "); + String mappedStorkQAA = loaLevelMapper.mapSecClassToQAALevel(currentLoA); + if (MiscUtil.isNotEmpty(mappedStorkQAA)) { + authData.setQAALevel(mappedStorkQAA); + authData.seteIDASLoA(loaLevelMapper.mapSTORKQAAToeIDASQAA(mappedStorkQAA)); + + } + } + } } //if no QAA level is set in MOASession then set default QAA level - if (MiscUtil.isEmpty(authData.getQAALevel())) { - Logger.info("No QAA level found. Set to default level " + PVPConstants.STORK_QAA_PREFIX + "1"); + if (MiscUtil.isEmpty(authData.getEIDASQAALevel())) { + Logger.info("No QAA level found. Set to default level " + EAAFConstants.EIDAS_LOA_LOW); authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + "1"); + authData.seteIDASLoA(EAAFConstants.EIDAS_LOA_LOW); } 
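Review bot: In the SecClass branch, a `currentLoA` that `mapSecClassToQAALevel` cannot map is dropped without any log, and the fallback below then reports "No QAA level found" even though a level was present but unrecognised. Failing to the lowest LoA is the right safe default, but the misleading message hides a configuration or mapping problem; add an `else` to the `isNotEmpty(mappedStorkQAA)` check: `Logger.warn("LoA/SecClass '" + currentLoA + "' can not be mapped to STORK QAA or eIDAS LoA. Fall back to default LoA.");`. The same applies when `currentLoA` starts with neither known prefix and the mapper returns null. `buildAuthDataFormMOASession` starts and ends outside this hunk.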
@@ -433,65 +321,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } - - //#################################################### - //set isForeigner flag - //TODO: change to new eIDAS-token attribute identifier - if (session.getGenericDataFromSession(PVPConstants.EID_STORK_TOKEN_NAME) != null) { - Logger.debug("Find PVP-Attr: " + PVPConstants.EID_STORK_TOKEN_FRIENDLY_NAME - + " --> Set 'isForeigner' flag to TRUE"); - authData.setForeigner(true); - - } else { - authData.setForeigner(session.isForeigner()); - - } - - - //#################################################### - //set citizen country-code - includedToGenericAuthData.remove(PVPConstants.EID_ISSUING_NATION_NAME); - String pvpCCCAttr = session.getGenericDataFromSession(PVPConstants.EID_ISSUING_NATION_NAME, String.class); - if (MiscUtil.isNotEmpty(pvpCCCAttr)) { - authData.setCcc(pvpCCCAttr); - Logger.debug("Find PVP-Attr: " + PVPConstants.EID_ISSUING_NATION_FRIENDLY_NAME); - - } else { - if (authData.isForeigner()) { - try { - if (authData.getSignerCertificate() != null) { - //TODO: replace with TSL lookup when TSL is ready! - X509Certificate certificate = new X509Certificate(authData.getSignerCertificate()); - if (certificate != null) { - LdapName ln = new LdapName(certificate.getIssuerDN() - .getName()); - for (Rdn rdn : ln.getRdns()) { - if (rdn.getType().equalsIgnoreCase("C")) { - Logger.info("C is: " + rdn.getValue()); - authData.setCcc(rdn.getValue().toString()); - break; - } - } - } - - } else - Logger.warn("NO PVP-Attr: " + PVPConstants.EID_ISSUING_NATION_NAME - + " and NO SignerCertificate in MOASession -->" - + " Can NOT extract citizen-country of foreign person."); - - - } catch (Exception e) { - Logger.error("Failed to extract country code from certificate with message: " + e.getMessage()); - - } - - } else { - authData.setCcc(COUNTRYCODE_AUSTRIA); - - } - } - - + //#################################################### //set max. 
SSO session time includedToGenericAuthData.remove(AuthenticationSessionStorageConstants.FEDERATION_RESPONSE_VALIDE_TO); @@ -620,11 +450,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { includedToGenericAuthData.remove(PVPConstants.MANDATE_PROF_REP_OID_NAME); } } - - - - - + //#################################################### // set bPK and IdentityLink for Organwalter --> // Organwalter has a special bPK is received from MIS 
@@ -634,111 +460,14 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { authData.setBPK(misMandate.getOWbPK()); authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + "OW"); Logger.trace("Authenticated User is OW: " + misMandate.getOWbPK()); - - - //TODO: check in case of mandates for business services - if (identityLink != null) - authData.setIdentityLink(identityLink); - - else if (idlFromPVPAttr != null){ - authData.setIdentityLink(idlFromPVPAttr); - Logger.debug("Set IdentityLink received from federated IDP for Organwalter"); - - } else - Logger.info("Can NOT set Organwalter IdentityLink. Msg: No IdentityLink found"); - - + //set bPK and IdenityLink for all other - } else { - //build bPK - String pvpbPKValue = getbPKValueFromPVPAttribute(session); - String pvpbPKTypeAttr = getbPKTypeFromPVPAttribute(session); - Pair<String, String> pvpEncbPKAttr = getEncryptedbPKFromPVPAttribute(session, authData, oaParam); - - //check if a unique ID for this citizen exists - if (MiscUtil.isEmpty(authData.getIdentificationValue()) && - MiscUtil.isEmpty(pvpbPKValue) && MiscUtil.isEmpty(authData.getBPK()) && - pvpEncbPKAttr == null) { - Logger.info("Can not build authData, because moaSession include no bPK, encrypted bPK or baseID"); - throw new MOAIDException("builder.08", new Object[]{"No " + PVPConstants.BPK_FRIENDLY_NAME - + " or " + PVPConstants.EID_SOURCE_PIN_FRIENDLY_NAME - + " or " + PVPConstants.ENC_BPK_LIST_FRIENDLY_NAME}); - - } - - // baseID is in MOASesson --> calculate bPK directly - if (MiscUtil.isNotEmpty(authData.getIdentificationValue())) { - Logger.debug("Citizen baseID is in MOASession --> calculate bPK from this."); - Pair<String, String> result = buildOAspecificbPK(protocolRequest, oaParam, authData); - authData.setBPK(result.getFirst()); - authData.setBPKType(result.getSecond()); - - //check if bPK already added to AuthData matches OA - } else if (MiscUtil.isNotEmpty(authData.getBPK()) - && matchsReceivedbPKToOnlineApplication(oaParam, 
authData.getBPKType()) ) { - Logger.debug("Correct bPK is already included in AuthData."); - - //check if bPK received by PVP-Attribute matches OA - } else if (MiscUtil.isNotEmpty(pvpbPKValue) && - matchsReceivedbPKToOnlineApplication(oaParam, pvpbPKTypeAttr)) { - Logger.debug("Receive correct bPK from PVP-Attribute"); - authData.setBPK(pvpbPKValue); - authData.setBPKType(pvpbPKTypeAttr); - - //check if decrypted bPK exists - } else if (pvpEncbPKAttr != null) { - Logger.debug("Receive bPK as encrypted bPK and decryption was possible."); - authData.setBPK(pvpEncbPKAttr.getFirst()); - authData.setBPKType(pvpEncbPKAttr.getSecond()); + Logger.debug("User is an OW. Set original IDL into authdata ... "); + authData.setIdentityLink(session.getIdentityLink()); - //ask SZR to get bPK - } else { - String notValidbPK = authData.getBPK(); - String notValidbPKType = authData.getBPKType(); - if (MiscUtil.isEmpty(notValidbPK) && - MiscUtil.isEmpty(notValidbPKType)) { - notValidbPK = pvpbPKValue; - notValidbPKType = pvpbPKTypeAttr; - - if (MiscUtil.isEmpty(notValidbPK) && - MiscUtil.isEmpty(notValidbPKType)) { - Logger.fatal("No bPK in MOASession. THIS error should not occur any more."); - throw new NullPointerException("No bPK in MOASession. THIS error should not occur any more."); - } - } - - Pair<String, String> baseIDFromSZR = getbaseIDFromSZR(authData, notValidbPK, notValidbPKType); - if (baseIDFromSZR != null) { - Logger.info("Receive citizen baseID from SRZ. 
Authentication can be completed"); - authData.setIdentificationValue(baseIDFromSZR.getFirst()); - authData.setIdentificationType(baseIDFromSZR.getSecond()); - Pair<String, String> result = buildOAspecificbPK(protocolRequest, oaParam, authData); - authData.setBPK(result.getFirst()); - authData.setBPKType(result.getSecond()); - - } else { - Logger.warn("Can not build authData, because moaSession include no valid bPK, encrypted bPK or baseID"); - throw new MOAIDException("builder.08", new Object[]{"No valid " + PVPConstants.BPK_FRIENDLY_NAME - + " or " + PVPConstants.EID_SOURCE_PIN_FRIENDLY_NAME - + " or " + PVPConstants.ENC_BPK_LIST_FRIENDLY_NAME}); - - } - } - - //build IdentityLink - if (identityLink != null) - authData.setIdentityLink(buildOAspecificIdentityLink(oaParam, identityLink, authData.getBPK(), authData.getBPKType())); - else if (idlFromPVPAttr != null) { - authData.setIdentityLink(buildOAspecificIdentityLink(oaParam, idlFromPVPAttr, authData.getBPK(), authData.getBPKType())); - Logger.debug("Set IdentityLink received from federated IDP"); - } else { - Logger.info("Can NOT set IdentityLink. Msg: No IdentityLink found"); - - } - } - + } //################################################################### //set PVP role attribute (implemented for ISA 1.18 action) @@ -786,6 +515,9 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } + //build foreign bPKs + generateForeignbPK(authData, oaParam.foreignbPKSectorsRequested()); + //#################################################################### //copy all generic authentication information, which are not processed before to authData Iterator<String> copyInterator = includedToGenericAuthData.iterator(); 
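Review bot: The Organwalter branch now sets `authData.setIdentityLink(session.getIdentityLink())` unconditionally, whereas the replaced lines guarded on `identityLink != null`, fell back to the IdentityLink parsed from the PVP attribute for federated sessions, and logged when none was found; a federated OW session with no IdentityLink in the MOASession would now silently end up with a null IdentityLink. Unless `generateBasicAuthData` is known to store the federated IdentityLink back into the session (not visible here), guard it: `if (session.getIdentityLink() != null) authData.setIdentityLink(session.getIdentityLink()); else Logger.info("Can NOT set Organwalter IdentityLink. Msg: No IdentityLink found");`. The bPK derivation for all non-OW users has been removed from this method; a comment naming where it now happens (presumably the abstract builder) would help, since the OW-specific bPK is still assigned here. The enclosing method continues before and after the hunk.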
@@ -794,13 +526,13 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { try { authData.setGenericData(elementKey, session.getGenericDataFromSession(elementKey)); - } catch (SessionDataStorageException e) { + } catch (EAAFStorageException e) { Logger.warn("Can not add generic authData with key:" + elementKey, e); } } - } catch (BuildException e) { + } catch (EAAFBuilderException e) { throw e; } catch (Throwable ex) { 
@@ -809,38 +541,6 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } } - - /** - * Check a bPK-Type against a Service-Provider configuration <br> - * If bPK-Type is <code>null</code> the result is <code>false</code>. - * - * @param oaParam Service-Provider configuration, never null - * @param bPKType bPK-Type to check - * @return true, if bPK-Type matchs to Service-Provider configuration, otherwise false - * @throws ConfigurationException - */ - private boolean matchsReceivedbPKToOnlineApplication(IOAAuthParameters oaParam, String bPKType) throws ConfigurationException { - return oaParam.getAreaSpecificTargetIdentifier().equals(bPKType); - - } - - private void parseBasicUserInfosFromIDL(AuthenticationData authData, IIdentityLink identityLink, Collection<String> includedGenericSessionData) { - //baseID or wbpk in case of BusinessService without SSO or BusinessService SSO - authData.setIdentificationValue(identityLink.getIdentificationValue()); - authData.setIdentificationType(identityLink.getIdentificationType()); - - authData.setGivenName(identityLink.getGivenName()); - authData.setFamilyName(identityLink.getFamilyName()); - authData.setDateOfBirth(identityLink.getDateOfBirth()); - - //remove corresponding keys from genericSessionData if exists - includedGenericSessionData.remove(PVPConstants.PRINCIPAL_NAME_NAME); - includedGenericSessionData.remove(PVPConstants.GIVEN_NAME_NAME); - includedGenericSessionData.remove(PVPConstants.BIRTHDATE_NAME); - includedGenericSessionData.remove(PVPConstants.EID_SOURCE_PIN_NAME); - includedGenericSessionData.remove(PVPConstants.EID_SOURCE_PIN_TYPE_NAME); - - } /** * @param authData 
@@ -848,7 +548,8 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { * @param notValidbPKType * @return */ - private Pair<String, String> getbaseIDFromSZR(AuthenticationData authData, String notValidbPK, + @Override + protected Pair<String, String> getbaseIDFromSZR(AuthenticationData authData, String notValidbPK, String notValidbPKType) { try { EgovUtilPropertiesConfiguration eGovClientsConfig = authConfig.geteGovUtilsConfig(); @@ -903,7 +604,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { * MOASession as 'GenericData' <br> <pre><code>session.getGenericDataFromSession(PVPConstants.ENC_BPK_LIST_NAME, String.class)</code></pre> * to <code>authData</code> * - * @param session MOASession, but never null + * @param authProcessDataContainer MOASession, but never null * @param authData AuthenticationData DAO * @param spConfig Service-Provider configuration * 
@@ -911,194 +612,123 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { * or <code>null</code> if no attribute exists or can not decrypted * @throws ConfigurationException */ - private Pair<String, String> getEncryptedbPKFromPVPAttribute(IAuthenticationSession session, - AuthenticationData authData, IOAAuthParameters spConfig) throws ConfigurationException { - //set List of encrypted bPKs to authData DAO - String pvpEncbPKListAttr = session.getGenericDataFromSession(PVPConstants.ENC_BPK_LIST_NAME, String.class); - if (MiscUtil.isNotEmpty(pvpEncbPKListAttr)) { - List<String> encbPKList = Arrays.asList(pvpEncbPKListAttr.split(";")); - authData.setEncbPKList(encbPKList); - - //check if one of this encrypted bPK could be decrypt for this Service-Provider - for (String fullEncbPK : encbPKList) { - int index = fullEncbPK.indexOf("|"); - if (index >= 0) { - String encbPK = fullEncbPK.substring(index+1); - String second = fullEncbPK.substring(0, index); - int secIndex = second.indexOf("+"); - if (secIndex >= 0) { - String oaTargetId = spConfig.getAreaSpecificTargetIdentifier(); - if (oaTargetId.startsWith(MOAIDAuthConstants.PREFIX_CDID)) { - String publicServiceShortTarget = oaTargetId.substring(MOAIDAuthConstants.PREFIX_CDID.length()); - if (publicServiceShortTarget.equals(second.substring(secIndex+1))) { - Logger.debug("Found encrypted bPK for online-application " - + spConfig.getPublicURLPrefix() - + " Start decryption process ..."); - PrivateKey privKey = spConfig.getBPKDecBpkDecryptionKey(); - if (privKey != null) { - try { - String bPK = BPKBuilder.decryptBPK(encbPK, publicServiceShortTarget, privKey); - if (MiscUtil.isNotEmpty(bPK)) { - Logger.info("bPK decryption process finished successfully."); - return Pair.newInstance(bPK, oaTargetId); - - } else { - Logger.error("bPK decryption FAILED."); - + @Override + protected Pair<String, String> getEncryptedbPKFromPVPAttribute(IAuthProcessDataContainer authProcessDataContainer, + AuthenticationData 
authData, ISPConfiguration spConfig) throws EAAFBuilderException { + //set List of encrypted bPKs to authData DAO + if (authData instanceof MOAAuthenticationData && + spConfig instanceof IOAAuthParameters) { + + String pvpEncbPKListAttr = authProcessDataContainer.getGenericDataFromSession(PVPConstants.ENC_BPK_LIST_NAME, String.class); + if (MiscUtil.isNotEmpty(pvpEncbPKListAttr)) { + List<String> encbPKList = Arrays.asList(pvpEncbPKListAttr.split(";")); + ((MOAAuthenticationData) authData).setEncbPKList(encbPKList); + + //check if one of this encrypted bPK could be decrypt for this Service-Provider + for (String fullEncbPK : encbPKList) { + int index = fullEncbPK.indexOf("|"); + if (index >= 0) { + String encbPK = fullEncbPK.substring(index+1); + String second = fullEncbPK.substring(0, index); + int secIndex = second.indexOf("+"); + if (secIndex >= 0) { + String oaTargetId = spConfig.getAreaSpecificTargetIdentifier(); + if (oaTargetId.startsWith(MOAIDAuthConstants.PREFIX_CDID)) { + String publicServiceShortTarget = oaTargetId.substring(MOAIDAuthConstants.PREFIX_CDID.length()); + if (publicServiceShortTarget.equals(second.substring(secIndex+1))) { + Logger.debug("Found encrypted bPK for online-application " + + spConfig.getUniqueIdentifier() + + " Start decryption process ..."); + PrivateKey privKey = ((IOAAuthParameters) spConfig).getBPKDecBpkDecryptionKey(); + if (privKey != null) { + try { + String bPK = BPKBuilder.decryptBPK(encbPK, publicServiceShortTarget, privKey); + if (MiscUtil.isNotEmpty(bPK)) { + Logger.info("bPK decryption process finished successfully."); + return Pair.newInstance(bPK, oaTargetId); + + } else { + Logger.error("bPK decryption FAILED."); + + } + } catch (EAAFBuilderException e) { + Logger.error("bPK decryption FAILED.", e); + } - } catch (BuildException e) { - Logger.error("bPK decryption FAILED.", e); - } + } else { + Logger.info("bPK decryption FAILED, because no valid decryption key is found."); + + } } else { - Logger.info("bPK 
decryption FAILED, because no valid decryption key is found."); + Logger.info("Found encrypted bPK but " + + "encrypted bPK target does not match to online-application target"); - } + } } else { - Logger.info("Found encrypted bPK but " + - "encrypted bPK target does not match to online-application target"); + Logger.info("Encrypted bPKs are only allowed for public services with prefix: " + MOAIDAuthConstants.PREFIX_CDID + + " BUT oaTarget is " + oaTargetId); } - - } else { - Logger.info("Encrypted bPKs are only allowed for public services with prefix: " + MOAIDAuthConstants.PREFIX_CDID - + " BUT oaTarget is " + oaTargetId); - - } - } - } - } - } - - return null; - } - - /** - * Get bPK from PVP Attribute 'BPK_NAME', which could be exist in - * MOASession as 'GenericData' <br> <pre><code>session.getGenericDataFromSession(PVPConstants.BPK_NAME, String.class)</code></pre> - * - * @param session MOASession, but never null - * @return bPK, which was received by PVP-Attribute, or <code>null</code> if no attribute exists - */ - private String getbPKValueFromPVPAttribute(IAuthenticationSession session) { - String pvpbPKValueAttr = session.getGenericDataFromSession(PVPConstants.BPK_NAME, String.class); - if (MiscUtil.isNotEmpty(pvpbPKValueAttr)) { - - //fix a wrong bPK-value prefix, which was used in some PVP Standardportal implementations - if (pvpbPKValueAttr.startsWith("bPK:")) { - Logger.warn("Attribute " + PVPConstants.BPK_NAME - + " contains a not standardize prefix! Staring attribute value correction process ..."); - pvpbPKValueAttr = pvpbPKValueAttr.substring("bPK:".length()); - - } - - String[] spitted = pvpbPKValueAttr.split(":"); - if (spitted.length != 2) { - Logger.warn("Attribute " + PVPConstants.BPK_NAME + " has a wrong encoding and can NOT be USED!" 
- + " Value:" + pvpbPKValueAttr); - return null; - + } + } + } } - Logger.debug("Find PVP-Attr: " + PVPConstants.BPK_FRIENDLY_NAME); - return spitted[1]; - } + } else + Logger.warn("AuthData: " + authData.getClass().getName() + " or spConfig: " + spConfig.getClass().getName() + + " are not MOAID data-objects"); return null; } - /** - * Get bPK-Type from PVP Attribute 'EID_SECTOR_FOR_IDENTIFIER_NAME', which could be exist in - * MOASession as 'GenericData' <br> <pre><code>session.getGenericDataFromSession(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME, String.class)</code></pre> - * - * @param session MOASession, but never null - * @return bPKType, which was received by PVP-Attribute, or <code>null</code> if no attribute exists - */ - private String getbPKTypeFromPVPAttribute(IAuthenticationSession session) { - String pvpbPKTypeAttr = session.getGenericDataFromSession(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME, String.class); - if (MiscUtil.isNotEmpty(pvpbPKTypeAttr)) { - - //fix a wrong bPK-Type encoding, which was used in some PVP Standardportal implementations - if (pvpbPKTypeAttr.startsWith(Constants.URN_PREFIX_CDID) && - !pvpbPKTypeAttr.substring(Constants.URN_PREFIX_CDID.length(), - Constants.URN_PREFIX_CDID.length() + 1).equals("+")) { - Logger.warn("Receive uncorrect encoded bBKType attribute " + pvpbPKTypeAttr + " Starting attribute value correction ... 
"); - pvpbPKTypeAttr = Constants.URN_PREFIX_CDID + "+" + pvpbPKTypeAttr.substring(Constants.URN_PREFIX_CDID.length() + 1); - - } - Logger.debug("Find PVP-Attr: " + PVPConstants.EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME); - return pvpbPKTypeAttr; - } - - return null; - - - /* - * INFO: This code could be used to extract the bPKType from 'PVPConstants.BPK_NAME', - * because the prefix of BPK_NAME attribute contains the postfix of the bPKType - * - * Now, all PVP Standardportals should be able to send 'EID_SECTOR_FOR_IDENTIFIER' - * PVP attributes - */ -// String pvpbPKValueAttr = session.getGenericDataFromSession(PVPConstants.BPK_NAME, String.class); -// String[] spitted = pvpbPKValueAttr.split(":"); -// if (MiscUtil.isEmpty(authData.getBPKType())) { -// Logger.debug("PVP assertion contains NO bPK/wbPK target attribute. " + -// "Starting target extraction from bPK/wbPK prefix ..."); -// //exract bPK/wbPK type from bpk attribute value prefix if type is -// //not transmitted as single attribute -// Pattern pattern = Pattern.compile("[a-zA-Z]{2}(-[a-zA-Z]+)?"); -// Matcher matcher = pattern.matcher(spitted[0]); -// if (matcher.matches()) { -// //find public service bPK -// authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + spitted[0]); -// Logger.debug("Found bPK prefix. Set target to " + authData.getBPKType()); -// -// } else { -// //find business service wbPK -// authData.setBPKType(Constants.URN_PREFIX_WBPK+ "+" + spitted[0]); -// Logger.debug("Found wbPK prefix. 
Set target to " + authData.getBPKType()); -// -// } -// } - - } + @Override + protected IIdentityLink buildOAspecificIdentityLink(ISPConfiguration spConfig, IIdentityLink idl, String bPK, String bPKType) throws EAAFConfigurationException, XPathException, DOMException, EAAFParserException { + if (spConfig.hasBaseIdTransferRestriction()) { + try { + Element idlassertion = idl.getSamlAssertion(); + + //set bpk/wpbk; + Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); + prIdentification.getFirstChild().setNodeValue(bPK); - private IIdentityLink buildOAspecificIdentityLink(IOAAuthParameters oaParam, IIdentityLink idl, String bPK, String bPKType) throws MOAIDException { - if (oaParam.hasBaseIdTransferRestriction()) { - Element idlassertion = idl.getSamlAssertion(); - //set bpk/wpbk; - Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); - prIdentification.getFirstChild().setNodeValue(bPK); - //set bkp/wpbk type - Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH); - prIdentificationType.getFirstChild().setNodeValue(bPKType); + //set bkp/wpbk type + Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH); + prIdentificationType.getFirstChild().setNodeValue(bPKType); - IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion); - IIdentityLink businessServiceIdl = idlparser.parseIdentityLink(); + IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion); + IIdentityLink businessServiceIdl = idlparser.parseIdentityLink(); - //resign IDL - IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance(); - Element resignedilAssertion; - - if (authConfig.isIdentityLinkResigning()) { - resignedilAssertion = 
identitylinkresigner.resignIdentityLink(businessServiceIdl.getSamlAssertion(), authConfig.getIdentityLinkResigningKey()); - } else { - resignedilAssertion = businessServiceIdl.getSamlAssertion(); + //resign IDL + IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance(); + Element resignedilAssertion; + + if (authConfig.isIdentityLinkResigning()) { + resignedilAssertion = identitylinkresigner.resignIdentityLink(businessServiceIdl.getSamlAssertion(), authConfig.getIdentityLinkResigningKey()); + } else { + resignedilAssertion = businessServiceIdl.getSamlAssertion(); + } + + IdentityLinkAssertionParser resignedIDLParser = new IdentityLinkAssertionParser(resignedilAssertion); + return resignedIDLParser.parseIdentityLink(); + + } catch (MOAIDException e) { + Logger.warn("Can not build OA specific IDL. Reason: " + e.getMessage(), e); + throw new EAAFParserException("TODO", null, e); + } - IdentityLinkAssertionParser resignedIDLParser = new IdentityLinkAssertionParser(resignedilAssertion); - return resignedIDLParser.parseIdentityLink(); } else return idl; - - - } - - - private Pair<String, String> buildOAspecificbPK(IRequest pendingReq, IOAAuthParameters oaParam, AuthenticationData authData) throws BuildException, ConfigurationException { + + } + + + @Override + protected Pair<String, String> buildOAspecificbPK(IRequest pendingReq, AuthenticationData authData) throws EAAFBuilderException { + ISPConfiguration oaParam = pendingReq.getServiceProviderConfiguration(); String baseID = authData.getIdentificationValue(); String baseIDType = authData.getIdentificationType(); 
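Review bot: `throw new EAAFParserException("TODO", null, e);` in the new catch block of buildOAspecificIdentityLink ships a placeholder as the first argument, which in this code base looks like the error-code/message key (compare `"builder.00"` in the removed BPKBuilder); replace `"TODO"` with a real key from the project's message catalogue before merging. The catch only covers MOAIDException, while XPathUtils.selectSingleNode and `prIdentification.getFirstChild()` can presumably fail with an exception or a null result (NullPointerException) that would propagate without the warn log, so consider handling those paths in the same handler. Further up in this hunk the Javadoc of getEncryptedbPKFromPVPAttribute still says `@throws ConfigurationException` although the new signature declares `throws EAAFBuilderException`; update the tag. buildOAspecificbPK at the end of the hunk continues outside it.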
@@ -1140,4 +770,58 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } + private void generateForeignbPK(MOAAuthenticationData authData, List<String> foreignSectors) { + if (foreignSectors != null && !foreignSectors.isEmpty()) { + Logger.debug("Sectors for foreign bPKs are configurated. Starting foreign bPK generation ... "); + for (String foreignSector : foreignSectors) { + Logger.trace("Process sector: " + foreignSector + " ... "); + if (encKeyMap.containsKey(foreignSector)) { + try { + String sector = null; + //splitt sector into VKZ and target + if (foreignSector.startsWith("wbpk")) { + Logger.trace("Find foreign private sector " + foreignSector); + sector = Constants.URN_PREFIX + ":" + foreignSector; + + } else { + String[] split = foreignSector.split("+"); + if (split.length != 2) { + Logger.warn("Foreign sector: " + foreignSector + " looks WRONG. IGNORE IT!"); + + } else { + Logger.trace("Find foreign public sector. VKZ: " + split[0] + " Target: " + split[1]); + sector = Constants.URN_PREFIX_CDID + "+" + split[1]; + + } + + } + + if (sector != null) { + Pair<String, String> bpk = new BPKBuilder().generateAreaSpecificPersonIdentifier( + authData.getIdentificationValue(), + authData.getIdentificationType(), + sector); + String foreignbPK = BPKBuilder.encryptBPK(bpk.getFirst(), bpk.getSecond(), encKeyMap.get(foreignSector).getPublicKey()); + authData.getEncbPKList().add("(" + foreignSector + "|" + foreignbPK + ")"); + Logger.debug("Foreign bPK for sector: " + foreignSector + " created."); + + } + + } catch (Exception e) { + Logger.warn("Foreign bPK generation FAILED for sector: " + foreignSector, e); + + } + + } else { + Logger.info("NO encryption cerfificate FOUND in configuration for sector: " + foreignSector); + Logger.info("Foreign bPK for sector: " + foreignSector + " is NOT possible"); + + } + } + + } else + Logger.debug("No foreign bPKs required for this service provider"); + + } + } 
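Review bot: `String[] split = foreignSector.split("+");` in generateForeignbPK passes an invalid regular expression — `String.split` takes a pattern and a bare `+` is a dangling quantifier, so this throws PatternSyntaxException for every public-sector entry; the removed BPKBuilder used `targetIdentifier.split("\\+")` for the same job, and this line should read `String[] split = foreignSector.split("\\+");`. The exception is swallowed by the surrounding `catch (Exception e)` and only logged at warn level, so foreign bPKs for public sectors would silently never be generated. The same catch would also hide an UnsupportedOperationException from `authData.getEncbPKList().add(...)` if getEncbPKList() returns the fixed-size `Arrays.asList(...)` list that getEncryptedbPKFromPVPAttribute stores via setEncbPKList, or a NullPointerException when nothing was stored — confirm against MOAAuthenticationData and, if so, copy into a `new ArrayList<>(...)` before adding. Narrowing the catch to the exceptions BPKBuilder actually declares would make such failures visible. Note also that the entries appended here are wrapped in parentheses while the parser in getEncryptedbPKFromPVPAttribute takes everything after `|` as ciphertext without stripping a trailing `)`; if both describe the same ENC_BPK_LIST format, one side needs adjusting.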
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java deleted file mode 100644 index a7f6e873f..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java +++ /dev/null 
@@ -1,359 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/* - * Copyright 2003 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. 
- * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -package at.gv.egovernment.moa.id.auth.builder; - -import java.security.InvalidKeyException; -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; -import java.security.PrivateKey; -import java.security.PublicKey; -import java.text.SimpleDateFormat; -import java.util.Date; - -import javax.crypto.BadPaddingException; -import javax.crypto.Cipher; -import javax.crypto.IllegalBlockSizeException; -import javax.crypto.NoSuchPaddingException; - -import at.gv.egovernment.moa.id.auth.exception.BuildException; -import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; -import at.gv.egovernment.moa.id.data.Pair; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.Base64Utils; -import at.gv.egovernment.moa.util.Constants; -import at.gv.egovernment.moa.util.MiscUtil; - -/** - * Builder for the bPK, as defined in - * <code>"Ableitung f¨r die bereichsspezifische Personenkennzeichnung"</code> - * version <code>1.0.1</code> from <code>"reference.e-government.gv.at"</code>. 
- * - * @author Paul Schamberger - * @version $Id$ - */ -public class BPKBuilder { - - /** - * Calculates an area specific unique person-identifier from a baseID - * - * @param baseID baseId from user but never null - * @param targetIdentifier target identifier for area specific identifier calculation but never null - * @return Pair<unique person identifier for this target, targetArea> but never null - * @throws BuildException if some input data are not valid - */ - public Pair<String, String> generateAreaSpecificPersonIdentifier(String baseID, String targetIdentifier) throws BuildException{ - return generateAreaSpecificPersonIdentifier(baseID, Constants.URN_PREFIX_BASEID, targetIdentifier); - - } - - /** - * Calculates an area specific unique person-identifier from an unique identifier with a specific type - * - * @param baseID baseId from user but never null - * @param baseIdType Type of the baseID but never null - * @param targetIdentifier target identifier for area specific identifier calculation but never null - * @return Pair<unique person identifier for this target, targetArea> but never null - * @throws BuildException if some input data are not valid - */ - public Pair<String, String> generateAreaSpecificPersonIdentifier(String baseID, String baseIdType, String targetIdentifier) throws BuildException{ - if (MiscUtil.isEmpty(baseID)) - throw new BuildException("builder.00", new Object[]{"baseID is empty or null"}); - - if (MiscUtil.isEmpty(baseIdType)) - throw new BuildException("builder.00", new Object[]{"the type of baseID is empty or null"}); - - if (MiscUtil.isEmpty(targetIdentifier)) - throw new BuildException("builder.00", new Object[]{"OA specific target identifier is empty or null"}); - - if (baseIdType.equals(Constants.URN_PREFIX_BASEID)) { - Logger.trace("Find baseID. 
Starting unique identifier caluclation for this target"); - - if (targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_CDID) || - targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_WPBK) || - targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_STORK)) { - Logger.trace("Calculate bPK, wbPK, or STORK identifier for target: " + targetIdentifier); - return Pair.newInstance(calculatebPKwbPK(baseID + "+" + targetIdentifier), targetIdentifier); - - } else if (targetIdentifier.startsWith(MOAIDAuthConstants.PREFIX_EIDAS)) { - Logger.trace("Calculate eIDAS identifier for target: " + targetIdentifier); - String[] splittedTarget = targetIdentifier.split("\\+"); - String cititzenCountryCode = splittedTarget[1]; - String eIDASOutboundCountry = splittedTarget[2]; - - if (cititzenCountryCode.equalsIgnoreCase(eIDASOutboundCountry)) { - Logger.warn("Suspect configuration FOUND!!! CitizenCountry equals DestinationCountry"); - - } - return buildeIDASIdentifer(baseID, baseIdType, cititzenCountryCode, eIDASOutboundCountry); - - - } else - throw new BuildException("builder.00", - new Object[]{"Target identifier: " + targetIdentifier + " is NOT allowed or unknown"}); - - } else { - Logger.trace("BaseID is not of type " + Constants.URN_PREFIX_BASEID + ". Check type against requested target ..."); - if (baseIdType.equals(targetIdentifier)) { - Logger.debug("Unique identifier is already area specific. Is nothing todo"); - return Pair.newInstance(baseID, targetIdentifier); - - } else { - Logger.warn("Get unique identifier for target: " + baseIdType + " but target: " + targetIdentifier + " is required!"); - throw new BuildException("builder.00", - new Object[]{"Get unique identifier for target: " + baseIdType + " but target: " + targetIdentifier + " is required"}); - - } - } - } - - - /** - * Builds the storkeid from the given parameters. 
- * - * @param baseID baseID of the citizen - * @param baseIDType Type of the baseID - * @param sourceCountry CountryCode of that country, which build the eIDAs ID - * @param destinationCountry CountryCode of that country, which receives the eIDAs ID - * - * @return Pair<eIDAs, bPKType> in a BASE64 encoding - * @throws BuildException if an error occurs on building the wbPK - */ - private Pair<String, String> buildeIDASIdentifer(String baseID, String baseIDType, String sourceCountry, String destinationCountry) - throws BuildException { - String bPK = null; - String bPKType = null; - - // check if we have been called by public sector application - if (baseIDType.startsWith(Constants.URN_PREFIX_BASEID)) { - bPKType = Constants.URN_PREFIX_EIDAS + "+" + sourceCountry + "+" + destinationCountry; - Logger.debug("Building eIDAS identification from: [identValue]+" + bPKType); - bPK = calculatebPKwbPK(baseID + "+" + bPKType); - - } else { // if not, sector identification value is already calculated by BKU - Logger.debug("eIDAS eIdentifier already provided by BKU"); - bPK = baseID; - } - - if ((MiscUtil.isEmpty(bPK) || - MiscUtil.isEmpty(sourceCountry) || - MiscUtil.isEmpty(destinationCountry))) { - throw new BuildException("builder.00", - new Object[]{"eIDAS-ID", "Unvollständige Parameterangaben: identificationValue=" + - bPK + ", Zielland=" + destinationCountry + ", Ursprungsland=" + sourceCountry}); - } - - Logger.debug("Building eIDAS identification from: " + sourceCountry+"/"+destinationCountry+"/" + "[identValue]"); - String eIdentifier = sourceCountry + "/" + destinationCountry + "/" + bPK; - - return Pair.newInstance(eIdentifier, bPKType); - } - -// /** -// * Builds the bPK from the given parameters. -// * -// * @param identificationValue Base64 encoded "Stammzahl" -// * @param target "Bereich lt. 
Verordnung des BKA" -// * @return bPK in a BASE64 encoding -// * @throws BuildException if an error occurs on building the bPK -// */ -// private String buildBPK(String identificationValue, String target) -// throws BuildException { -// -// if ((identificationValue == null || -// identificationValue.length() == 0 || -// target == null || -// target.length() == 0)) { -// throw new BuildException("builder.00", -// new Object[]{"BPK", "Unvollständige Parameterangaben: identificationValue=" + -// identificationValue + ",target=" + target}); -// } -// String basisbegriff; -// if (target.startsWith(Constants.URN_PREFIX_CDID + "+")) -// basisbegriff = identificationValue + "+" + target; -// else -// basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_CDID + "+" + target; -// -// return calculatebPKwbPK(basisbegriff); -// } -// -// /** -// * Builds the wbPK from the given parameters. -// * -// * @param identificationValue Base64 encoded "Stammzahl" -// * @param registerAndOrdNr type of register + "+" + number in register. 
-// * @return wbPK in a BASE64 encoding -// * @throws BuildException if an error occurs on building the wbPK -// */ -// private String buildWBPK(String identificationValue, String registerAndOrdNr) -// throws BuildException { -// -// if ((identificationValue == null || -// identificationValue.length() == 0 || -// registerAndOrdNr == null || -// registerAndOrdNr.length() == 0)) { -// throw new BuildException("builder.00", -// new Object[]{"wbPK", "Unvollständige Parameterangaben: identificationValue=" + -// identificationValue + ",Register+Registernummer=" + registerAndOrdNr}); -// } -// -// String basisbegriff; -// if (registerAndOrdNr.startsWith(Constants.URN_PREFIX_WBPK + "+")) -// basisbegriff = identificationValue + "+" + registerAndOrdNr; -// else -// basisbegriff = identificationValue + "+" + Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr; -// -// return calculatebPKwbPK(basisbegriff); -// } -// -// private String buildbPKorwbPK(String baseID, String bPKorwbPKTarget) throws BuildException { -// if (MiscUtil.isEmpty(baseID) || -// !(bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_CDID + "+") || -// bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_WBPK + "+") || -// bPKorwbPKTarget.startsWith(Constants.URN_PREFIX_STORK + "+")) ) { -// throw new BuildException("builder.00", -// new Object[]{"bPK/wbPK", "bPK or wbPK target " + bPKorwbPKTarget -// + " has an unkown prefix."}); -// -// } -// -// return calculatebPKwbPK(baseID + "+" + bPKorwbPKTarget); -// -// } - - public static String encryptBPK(String bpk, String target, PublicKey publicKey) throws BuildException { - MiscUtil.assertNotNull(bpk, "BPK"); - MiscUtil.assertNotNull(publicKey, "publicKey"); - - SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss"); - if (target.startsWith(Constants.URN_PREFIX_CDID + "+")) - target = target.substring((Constants.URN_PREFIX_CDID + "+").length()); - - String input = "V1::urn:publicid:gv.at:cdid+" + target + "::" - + bpk + "::" - + sdf.format(new Date()); 
- System.out.println(input); - byte[] result; - try { - byte[] inputBytes = input.getBytes("ISO-8859-1"); - result = encrypt(inputBytes, publicKey); - return new String(Base64Utils.encode(result, "ISO-8859-1")).replaceAll("\r\n", ""); - - } catch (Exception e) { - throw new BuildException("bPK encryption FAILED", null, e); - } - } - - public static String decryptBPK(String encryptedBpk, String target, PrivateKey privateKey) throws BuildException { - MiscUtil.assertNotEmpty(encryptedBpk, "Encrypted BPK"); - MiscUtil.assertNotNull(privateKey, "Private key"); - String decryptedString; - try { - byte[] encryptedBytes = Base64Utils.decode(encryptedBpk, false, "ISO-8859-1"); - byte[] decryptedBytes = decrypt(encryptedBytes, privateKey); - decryptedString = new String(decryptedBytes, "ISO-8859-1"); - - } catch (Exception e) { - throw new BuildException("bPK decryption FAILED", null, e); - } - String tmp = decryptedString.substring(decryptedString.indexOf('+') + 1); - String sector = tmp.substring(0, tmp.indexOf("::")); - tmp = tmp.substring(tmp.indexOf("::") + 2); - String bPK = tmp.substring(0, tmp.indexOf("::")); - - if (target.startsWith(Constants.URN_PREFIX_CDID + "+")) - target = target.substring((Constants.URN_PREFIX_CDID + "+").length()); - - if (target.equals(sector)) - return bPK; - - else { - Logger.error("Decrypted bPK does not match to request bPK target."); - return null; - } - } - - private String calculatebPKwbPK(String basisbegriff) throws BuildException { - try { - MessageDigest md = MessageDigest.getInstance("SHA-1"); - byte[] hash = md.digest(basisbegriff.getBytes("ISO-8859-1")); - String hashBase64 = Base64Utils.encode(hash); - return hashBase64; - - } catch (Exception ex) { - throw new BuildException("builder.00", new Object[]{"bPK/wbPK", ex.toString()}, ex); - } - - } - - private static byte[] encrypt(byte[] inputBytes, PublicKey publicKey) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, 
BadPaddingException { - byte[] result; - Cipher cipher = null; - try { - cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // try with bouncycastle - } catch(NoSuchAlgorithmException e) { - cipher = Cipher.getInstance("RSA/ECB/OAEP"); // try with iaik provider - } - cipher.init(Cipher.ENCRYPT_MODE, publicKey); - result = cipher.doFinal(inputBytes); - - return result; - } - - private static byte[] decrypt(byte[] encryptedBytes, PrivateKey privateKey) - throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException{ - byte[] result; - Cipher cipher = null; - try { - cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // try with bouncycastle - } catch(NoSuchAlgorithmException e) { - cipher = Cipher.getInstance("RSA/ECB/OAEP"); // try with iaik provider - } - cipher.init(Cipher.DECRYPT_MODE, privateKey); - result = cipher.doFinal(encryptedBytes); - return result; - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java index 4c4af4239..399ecc022 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/CreateXMLSignatureRequestBuilder.java 
@@ -50,11 +50,12 @@ import java.text.MessageFormat; import java.util.Calendar; import java.util.List; +import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; -import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameterDecorator; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DateTimeUtils; import at.gv.egovernment.moa.util.MiscUtil; @@ -185,12 +186,12 @@ public class CreateXMLSignatureRequestBuilder implements Constants { } public static String buildForeignIDTextToBeSigned(String subject, IRequest pendingReq) throws ConfigurationException { - IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); + IOAAuthParameters oaParam = pendingReq.getServiceProviderConfiguration(OAAuthParameterDecorator.class); String target = null; String sectorName = null; - String saml1Target = pendingReq.getGenericData( + String saml1Target = pendingReq.getRawData( MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); if (MiscUtil.isNotEmpty(saml1Target)) { target = saml1Target; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java deleted file mode 100644 index c78361eda..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DataURLBuilder.java +++ /dev/null 
@@ -1,109 +0,0 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- ******************************************************************************/
-/*
- * Copyright 2003 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- */
-
-
-package at.gv.egovernment.moa.id.auth.builder;
-
-import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
-
-/**
- * Builds a DataURL parameter meant for the security layer implementation
- * to respond to.
- *
- * @author Paul Ivancsics
- * @version $Id$
- */
-public class DataURLBuilder {
-
- /**
- * Constructor for DataURLBuilder.
- */
- public DataURLBuilder() {
- super();
- }
-
- /**
- * Constructs a data URL for <code>VerifyIdentityLink</code> or <code>VerifyAuthenticationBlock</code>,
- * including the <code>MOASessionID</code> as a parameter.
- *
- * @param authBaseURL base URL (context path) of the MOA ID Authentication component,
- * including a trailing <code>'/'</code>
- * @param authServletName request part of the data URL
- * @param sessionID sessionID to be included in the dataURL
- * @return String
- */
- public String buildDataURL(String authBaseURL, String authServletName, String sessionID) {
- String dataURL;
- if (!authBaseURL.endsWith("/"))
- authBaseURL += "/";
-
- if (authServletName.startsWith("/"))
- authServletName = authServletName.substring(1);
-
- dataURL = authBaseURL + authServletName;
-
- dataURL = addParameter(dataURL, MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, sessionID);
- return dataURL;
- }
-
- /**
- * Method addParameter.
- * @param urlString represents the url
- * @param paramname is the parameter to be added
- * @param value is the value of that parameter
- * @return String
- */
- private String addParameter(String urlString, String paramname, String value) {
- String url = urlString;
- if (paramname != null) {
- if (url.indexOf("?") < 0)
- url += "?";
- else
- url += "&";
- url += paramname + "=" + value;
- }
- return url;
- }
-}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
index fc5489673..e600505a2 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java
@@ -27,12 +27,12 @@ import java.util.List;
 import org.opensaml.saml2.core.Attribute;
+import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.api.data.PVPAttributeDefinitions;
 import at.gv.egovernment.moa.id.auth.exception.DynamicOABuildException;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
-import at.gv.egovernment.moa.id.commons.api.IRequest;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.config.auth.data.DynamicOAAuthParameters;
-import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.Constants;
@@ -50,7 +50,7 @@ public class DynamicOAAuthParameterBuilder {
 for (Attribute attr : reqAttributes) {
 //get Target or BusinessService from request
- if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) {
+ if (attr.getName().equals(PVPAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME)) {
 String attrValue = attr.getAttributeValues().get(0).getDOM().getTextContent();
 if (attrValue.startsWith(Constants.URN_PREFIX_CDID)) {
 //dynamicOA.setBusinessService(false);
@@ -88,7 +88,6 @@ public class DynamicOAAuthParameterBuilder {
 DynamicOAAuthParameters dynOAParams = new DynamicOAAuthParameters();
 dynOAParams.setApplicationID(oaParam.getPublicURLPrefix());
- dynOAParams.setHasBaseIdProcessingRestriction(oaParam.hasBaseIdInternalProcessingRestriction());
 dynOAParams.setHasBaseIdTransfergRestriction(oaParam.hasBaseIdTransferRestriction());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java
new file mode 100644
index 000000000..3dfba9cca
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java
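Review bot: Removing `dynOAParams.setHasBaseIdProcessingRestriction(oaParam.hasBaseIdInternalProcessingRestriction());` in the `@@ -88` hunk means the dynamically built parameters no longer inherit the baseID internal-processing restriction of the source configuration, while the transfer restriction on the following line is still copied over. If DynamicOAAuthParameters still carries that flag, its default value now decides whether baseID processing is restricted for the dynamic OA, which would be a silent widening rather than a pure migration to the EAAF constants; if the flag was dropped from the model in this change, a short comment above the remaining setter stating where that restriction is enforced now would make the intent visible. In either case the removal is authorization-relevant and should be called out explicitly in the commit description.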
@@ -0,0 +1,115 @@
+package at.gv.egovernment.moa.id.auth.builder;
+
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.stereotype.Service;
+import org.w3c.dom.Element;
+
+import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
+import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType;
+import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
+import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
+import at.gv.egiz.eaaf.core.api.idp.IAuthData;
+import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.EAAFBuilderException;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.idp.auth.builder.BPKBuilder;
+import at.gv.egiz.eaaf.modules.pvp2.PVPConstants;
+import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception;
+import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator;
+import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException;
+import at.gv.egovernment.moa.id.data.IMOAAuthData;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException;
+import at.gv.egovernment.moa.id.util.MandateBuilder;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Constants;
+
+@Service("MOASAML2SubjectNameIDGenerator")
+public class MOAIDSubjectNameIdGenerator implements ISubjectNameIdGenerator {
+
+ @Override
+ public Pair<String, String> generateSubjectNameId(IAuthData authData, ISPConfiguration spConfig) throws PVP2Exception {
+ //build nameID and nameID Format from moasessio
+ if (authData instanceof IMOAAuthData &&
+ ((IMOAAuthData)authData).isUseMandate()) {
+ String bpktype = null;
+ String bpk = null;
+
+ Element mandate = ((IMOAAuthData)authData).getMandate();
+ if(mandate != null) {
+ Logger.debug("Read mandator bPK|baseID from full-mandate ... ");
+ Mandate mandateObject = MandateBuilder.buildMandate(mandate);
+ if(mandateObject == null) {
+ throw new NoMandateDataAvailableException();
+ }
+ CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody();
+ PhysicalPersonType pysicalperson = mandateObject.getMandator().getPhysicalPerson();
+
+ IdentificationType id;
+ if(corporation != null && corporation.getIdentification().size() > 0)
+ id = corporation.getIdentification().get(0);
+
+
+ else if (pysicalperson != null && pysicalperson.getIdentification().size() > 0)
+ id = pysicalperson.getIdentification().get(0);
+
+ else {
+ Logger.error("Failed to generate IdentificationType");
+ throw new NoMandateDataAvailableException();
+ }
+
+ bpktype = id.getType();
+ bpk = id.getValue().getValue();
+
+ } else {
+ Logger.debug("Read mandator bPK|baseID from PVP attributes ... ");
+ bpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME, String.class);
+ bpktype = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME, String.class);
+
+ if (StringUtils.isEmpty(bpk)) {
+ //no sourcePin is included --> search for bPK
+ bpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_BPK_NAME, String.class);
+
+ try {
+ if (bpk.contains(":"))
+ bpk = bpk.split(":")[1];
+
+ } catch (Exception e) {
+ Logger.warn("Can not split bPK from mandator attribute!", e);
+
+ }
+
+ //set bPK-Type from configuration, because it MUST be equal to service-provider type
+ bpktype = spConfig.getAreaSpecificTargetIdentifier();
+
+ } else {
+ //sourcePin is include --> check sourcePinType
+ if (StringUtils.isEmpty(bpktype))
+ bpktype = Constants.URN_PREFIX_BASEID;
+
+ }
+ }
+
+ if (StringUtils.isEmpty(bpk) || StringUtils.isEmpty(bpktype)) {
+ throw new NoMandateDataAvailableException();
+
+ }
+
+ if (bpktype.equals(Constants.URN_PREFIX_BASEID)) {
+ try {
+ return new BPKBuilder().generateAreaSpecificPersonIdentifier(bpk, spConfig.getAreaSpecificTargetIdentifier());
+
+ } catch (EAAFBuilderException e) {
+ Logger.warn("Can NOT generate SubjectNameId." , e);
+ throw new ResponderErrorException("pvp2.01", null);
+
+ }
+
+ } else
+ return Pair.newInstance(bpk, bpktype);
+
+ } else
+ return Pair.newInstance(authData.getBPK(), authData.getBPKType());
+
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SignatureVerificationUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SignatureVerificationUtils.java
index 9ca15c76f..27d983785 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SignatureVerificationUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SignatureVerificationUtils.java
@@ -22,6 +22,8 @@
 */
 package at.gv.egovernment.moa.id.auth.builder;
+import java.util.List;
+
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -74,10 +76,15 @@ public class SignatureVerificationUtils {
 }
 }
- public IVerifiyXMLSignatureResponse verify(byte[] signature, String trustProfileID) throws MOAIDException {
+ public IVerifiyXMLSignatureResponse verify(byte[] signature, String trustProfileID) throws MOAIDException {
+ return verify(signature, trustProfileID, null);
+
+ }
+
+ public IVerifiyXMLSignatureResponse verify(byte[] signature, String trustProfileID, List<String> verifyTransformsInfoProfileID) throws MOAIDException {
 try {
 //build signature-verification request
- Element domVerifyXMLSignatureRequest = build(signature, trustProfileID);
+ Element domVerifyXMLSignatureRequest = build(signature, trustProfileID, verifyTransformsInfoProfileID);
 //send signature-verification to MOA-SP
 Element domVerifyXMLSignatureResponse = SignatureVerificationInvoker.getInstance()
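Review bot: In the PVP-attribute branch of generateSubjectNameId, `bpk.contains(":")` runs on the result of a second getGenericData call that may be null, and `bpk.split(":")[1]` throws ArrayIndexOutOfBoundsException for a value that ends in ":"; both are only absorbed by the catch-all `catch (Exception e)`, which logs a warning and leaves bpk as it was, so it is the later isEmpty check that actually rejects a missing attribute. An explicit check gives the same outcome without routing control flow through a swallowed exception: `String[] parts = bpk == null ? null : bpk.split(":"); if (parts != null && parts.length > 1) bpk = parts[1];` in place of the try/catch. The method also lacks Javadoc, and the two sources of the mandator identifier (full mandate versus PVP attributes), the fall-back of bpktype to the service provider's area-specific target identifier, and the translation of EAAFBuilderException into ResponderErrorException("pvp2.01") are worth stating there; the local `pysicalperson` is presumably a typo for physicalPerson.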
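Review bot: The new three-argument verify overload and its two-argument delegate carry no Javadoc, so what verifyTransformsInfoProfileID means and that passing null (as the delegate does) or an empty list adds no ReferenceInfo/VerifyTransformsInfoProfileID elements to the request is only discoverable by reading build; the same gap is in the `@@ -112` hunk, where build's existing Javadoc still lists only `@throws ParseException` and gets no `@param` for the added argument. A short Javadoc on the public overload, e.g. `@param verifyTransformsInfoProfileID MOA-SP profile IDs for verifying the reference transformations; null or empty leaves the request without a ReferenceInfo element`, plus the matching `@param` on build, would document the contract. Keeping the old two-argument signature as a delegate preserves source compatibility for existing callers, which is the right shape for this extension.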
@@ -112,7 +119,7 @@ public class SignatureVerificationUtils {
 *
 * @throws ParseException
 */
- private Element build(byte[] signature, String trustProfileID)
+ private Element build(byte[] signature, String trustProfileID, List<String> verifyTransformsInfoProfileID)
 throws ParseException {
 try {
@@ -153,6 +160,20 @@ public class SignatureVerificationUtils {
 requestElem_.appendChild(signatureManifestCheckParamsElem);
 signatureManifestCheckParamsElem.setAttribute("ReturnReferenceInputData", "false");
+ //verify transformations
+ if (verifyTransformsInfoProfileID != null && !verifyTransformsInfoProfileID.isEmpty()) {
+ Element referenceInfoElem = requestDoc_.createElementNS(MOA_NS_URI, "ReferenceInfo");
+ signatureManifestCheckParamsElem.appendChild(referenceInfoElem);
+ for (String element : verifyTransformsInfoProfileID) {
+ Element verifyTransformsInfoProfileIDElem = requestDoc_.createElementNS(MOA_NS_URI, "VerifyTransformsInfoProfileID");
+ referenceInfoElem.appendChild(verifyTransformsInfoProfileIDElem);
+ verifyTransformsInfoProfileIDElem.appendChild(requestDoc_.createTextNode(element));
+
+ }
+ }
+
+
+
 //hashinput data
 Element returnHashInputDataElem = requestDoc_.createElementNS(MOA_NS_URI, "ReturnHashInputData");
 requestElem_.appendChild(returnHashInputDataElem); |
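Review bot: Each entry of verifyTransformsInfoProfileID is written unvalidated into a VerifyTransformsInfoProfileID text node in the `@@ -153` hunk, so a blank entry produces an element with no usable profile ID that is diagnosed, if at all, only by MOA-SP, and a null entry's effect depends on how the DOM implementation handles `createTextNode(null)`. Since the list names server-side verification profiles, validating entries where the request is built keeps the failure local and explicit, either by rejecting such a list before the loop or with a guard such as `if (element == null || element.trim().isEmpty()) { continue; }` at the top of the loop; which of the two is right depends on whether a partially valid list should still be sent. The ReferenceInfo element is appended under signatureManifestCheckParamsElem; this placement should be confirmed against the MOA-SP request schema, since a misplaced element would not raise an error in this code.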