Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java86
1 files changed, 61 insertions, 25 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index 39cb5b9c8..c38bbc68f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -52,7 +52,6 @@ import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.core.NameIDType;
import org.opensaml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml2.core.StatusCode;
-import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.SingleLogoutService;
import org.opensaml.saml2.metadata.SingleSignOnService;
@@ -72,9 +71,10 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionExtensions;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
import at.gv.egovernment.moa.id.auth.modules.registration.ModuleRegistration;
-import at.gv.egovernment.moa.id.auth.parser.StartAuthentificationParameterParser;
import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
@@ -82,12 +82,11 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.SLOInformationContainer;
import at.gv.egovernment.moa.id.data.SLOInformationImpl;
-import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
-
import at.gv.egovernment.moa.id.process.ExecutionContextImpl;
import at.gv.egovernment.moa.id.process.ProcessEngine;
import at.gv.egovernment.moa.id.process.ProcessExecutionException;
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
@@ -98,6 +97,8 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
import at.gv.egovernment.moa.id.storage.AssertionStorage;
import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
@@ -167,7 +168,20 @@ public class AuthenticationManager extends MOAIDAuthConstants {
}
public void performSingleLogOut(HttpServletRequest httpReq,
- HttpServletResponse httpResp, AuthenticationSession session, PVPTargetConfiguration pvpReq) throws MOAIDException {
+ HttpServletResponse httpResp, AuthenticationSession session, PVPTargetConfiguration pvpReq) throws MOAIDException {
+ performSingleLogOut(httpReq, httpResp, session, pvpReq, null);
+
+ }
+
+ public void performSingleLogOut(HttpServletRequest httpReq,
+ HttpServletResponse httpResp, AuthenticationSession session, String authURL) throws MOAIDException {
+ performSingleLogOut(httpReq, httpResp, session, null, authURL);
+
+ }
+
+
+ private void performSingleLogOut(HttpServletRequest httpReq,
+ HttpServletResponse httpResp, AuthenticationSession session, PVPTargetConfiguration pvpReq, String authURL) throws MOAIDException {
String pvpSLOIssuer = null;
String inboundRelayState = null;
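Review bot: The new private overload accepts `pvpReq == null` (the String-based public overload passes it explicitly), but the body still dereferences it unconditionally: the MOADatabaseException catch in the next hunk calls `sloContainer.putFailedOA(pvpReq.getAuthURL())`, which throws NullPointerException on the authURL path, and the later `if (MiscUtil.isEmpty(authURL)) authURL = pvpReq.getAuthURL();` assumes at least one of the two was supplied. Resolving the URL once at the top of the private method avoids both: `if (MiscUtil.isEmpty(authURL) && pvpReq != null) authURL = pvpReq.getAuthURL();` followed by a guard that fails the request when authURL is still empty, and `sloContainer.putFailedOA(authURL)` in the catch. A short Javadoc on the private overload stating that exactly one of `pvpReq`/`authURL` may be null would document the contract for the two public entry points. The method body continues past the end of this hunk.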
@@ -176,6 +190,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
LogoutRequest logOutReq = (LogoutRequest) samlReq.getSamlRequest();
pvpSLOIssuer = logOutReq.getIssuer().getValue();
inboundRelayState = samlReq.getRelayState();
+
}
SSOManager ssomanager = SSOManager.getInstance();
@@ -195,7 +210,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
} catch (MOADatabaseException e) {
Logger.warn("Delete MOASession FAILED.");
- sloContainer.putFailedOA(AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix());
+ sloContainer.putFailedOA(pvpReq.getAuthURL());
}
@@ -219,8 +234,13 @@ public class AuthenticationManager extends MOAIDAuthConstants {
+ " FAILED. NO LogOut response received.");
sloContainer.putFailedOA(sloReq.getIssuer().getValue());
+ } else {
+ SAMLVerificationEngine engine = new SAMLVerificationEngine();
+ engine.verifySLOResponse(sloResp,
+ TrustEngineFactory.getSignatureKnownKeysTrustEngine());
+
}
-
+
SingleLogOutBuilder.checkStatusCode(sloContainer, sloResp);
} catch (SOAPException e) {
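Review bot: The newly added verification of the back-channel LogoutResponse has no comment explaining why it sits before `SingleLogOutBuilder.checkStatusCode`, and a later edit could easily move it or drop it when refactoring the branch. Suggest a comment above the `SAMLVerificationEngine` construction such as `// verify signature/trust of the SOAP LogoutResponse before its status code is trusted`. The `if` whose `else` branch this is starts above the hunk, so I cannot confirm what condition guards it; the surrounding loop and the enclosing method also extend outside the hunk.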
@@ -228,7 +248,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
+ " FAILED.", e);
sloContainer.putFailedOA(sloReq.getIssuer().getValue());
- } catch (SecurityException e) {
+ } catch (SecurityException | InvalidProtocolRequestException e) {
Logger.warn("Single LogOut for OA " + sloReq.getIssuer().getValue()
+ " FAILED.", e);
sloContainer.putFailedOA(sloReq.getIssuer().getValue());
@@ -258,7 +278,10 @@ public class AuthenticationManager extends MOAIDAuthConstants {
AssertionStorage.getInstance().put(relayState, sloContainer);
- String timeOutURL = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix()
+ if (MiscUtil.isEmpty(authURL))
+ authURL = pvpReq.getAuthURL();
+
+ String timeOutURL = authURL
+ "/idpSingleLogout"
+ "?restart=" + relayState;
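Review bot: The timeout URL is built from `authURL` without the trailing-slash normalisation that the later login-form hunk applies to `target.getAuthURL()` (`if (publicURLPreFix.endsWith("/")) publicURLPreFix = ...`), so an authURL ending in "/" yields `//idpSingleLogout` here while the same value is trimmed elsewhere; apply the same trim before concatenation, ideally through one shared helper used by this hunk, the `SendAssertionFormBuilder.buildForm` hunk and the login-form hunk. Separately, this commit replaces the configured `getPublicURLPrefix()` with a per-request `getAuthURL()` in several places that end up in redirect/form URLs; if that value is derived from the incoming request rather than from configuration (not visible here), it should be validated against the configured public URL prefix before being embedded, otherwise the logout/login targets follow whatever the request supplied. Reassigning the `authURL` parameter in place also hides which value was used; a local such as `String effectiveAuthURL` would be clearer. The enclosing method starts outside the hunk.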
@@ -381,7 +404,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
String form = SendAssertionFormBuilder.buildForm(target.requestedModule(),
target.requestedAction(), target.getRequestID(), oaParam,
- AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix());
+ target.getAuthURL());
MOAReversionLogger.getInstance().logEvent(target.getOnlineApplicationConfiguration(),
target, MOAIDEventConstants.AUTHPROCESS_SSO_ASK_USER_START);
@@ -450,7 +473,7 @@ public class AuthenticationManager extends MOAIDAuthConstants {
authReq.setAssertionConsumerServiceIndex(0);
authReq.setIssueInstant(new DateTime());
Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
- String serviceURL = PVPConfiguration.getInstance().getIDPPublicPath();
+ String serviceURL = PVPConfiguration.getInstance().getIDPPublicPath().get(0);
issuer.setValue(serviceURL);
issuer.setFormat(NameIDType.ENTITY);
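Review bot: `getIDPPublicPath().get(0)` throws IndexOutOfBoundsException (or NullPointerException if the list is null) when no IdP public path is configured, which surfaces as an unhandled runtime error instead of a configuration error. Guard the lookup, e.g. `List<String> idpPaths = PVPConfiguration.getInstance().getIDPPublicPath();` and `if (idpPaths == null || idpPaths.isEmpty()) throw new MOAIDException("<config-error message key>", null);` before taking the first element. Since the commit otherwise moves from a single public prefix to a per-request authURL, always choosing index 0 for the SAML Issuer may also be inconsistent with the authURL used elsewhere in this request; worth a comment stating why the first configured path is the right issuer. The enclosing method starts and ends outside the hunk.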
@@ -470,28 +493,27 @@ public class AuthenticationManager extends MOAIDAuthConstants {
SAML2Utils.createSAMLObject(AuthnContextClassRef.class);
//check if STORK protocol module is in ClassPath
- Object storkRequst = null;
+ Class<?> storkRequstTemplate = null;
Integer storkSecClass = null;
try {
- storkRequst = Class.forName("at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest").newInstance();
- if (storkRequst != null &&
- target.getClass().isInstance(storkRequst)) {
+ storkRequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest");
+ if (storkRequstTemplate != null &&
+ storkRequstTemplate.isInstance(target)) {
Object storkAuthnRequest = target.getClass().getMethod("getStorkAuthnRequest", null).invoke(target, null);
storkSecClass = (Integer) storkAuthnRequest.getClass().getMethod("getQaa", null).invoke(storkAuthnRequest, null);
}
- } catch (ClassNotFoundException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | NoSuchMethodException | java.lang.SecurityException ex) {
+ } catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | NoSuchMethodException | java.lang.SecurityException ex) {
}
-
-
- if (sp != null && sp.isSTORKPVPGateway()){
+
+ if (sp != null && sp.isSTORKPVPGateway()) {
//use PVP SecClass instead of STORK QAA level
String secClass = null;
- if (storkRequst != null &&
- target.getClass().isInstance(storkRequst)) {
+ if (storkRequstTemplate != null &&
+ storkRequstTemplate.isInstance(target)) {
try {
secClass = PVPtoSTORKMapper.getInstance().mapToSecClass(
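Review bot: The catch block at the end of the STORK detection is still empty after the rewrite, so ClassNotFoundException (the expected "module not in classpath" case) and genuine reflection failures such as InvocationTargetException are indistinguishable and silently dropped; at minimum log the exception at debug level with the project Logger and a comment like `// STORK module is optional; absence is expected, other reflection errors should still be visible`. The `storkRequstTemplate != null` check is redundant since `Class.forName` never returns null, so `if (storkRequstTemplate.isInstance(target))` suffices here and in the two later hunks that repeat the pair. The `getMethod("getStorkAuthnRequest", null)` calls pass a null varargs array; `getMethod("getStorkAuthnRequest")` is the clearer equivalent. The enclosing method extends beyond the hunk.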
@@ -509,8 +531,8 @@ public class AuthenticationManager extends MOAIDAuthConstants {
authnClassRef.setAuthnContextClassRef("http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3");
} else {
- if (storkRequst != null &&
- target.getClass().isInstance(storkRequst)) {
+ if (storkRequstTemplate != null &&
+ storkRequstTemplate.isInstance(target)) {
//use requested QAA level from STORK request
try {
authnClassRef.setAuthnContextClassRef(
@@ -525,7 +547,8 @@ public class AuthenticationManager extends MOAIDAuthConstants {
}
- if (MiscUtil.isEmpty(authnClassRef.getAuthnContextClassRef()))
+ if (MiscUtil.isEmpty(authnClassRef.getAuthnContextClassRef()))
+ //TODO: switch to eIDAS QAA-levels
authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4");
}
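Review bot: The brace-less `if (MiscUtil.isEmpty(authnClassRef.getAuthnContextClassRef()))` now has a comment line between the condition and its single statement, which makes it easy for the next edit to add a second statement that silently runs unconditionally. Brace the body and keep the TODO inside it: `if (MiscUtil.isEmpty(authnClassRef.getAuthnContextClassRef())) { // TODO: switch to eIDAS QAA-levels`. The enclosing method starts outside the hunk.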
@@ -692,7 +715,9 @@ public class AuthenticationManager extends MOAIDAuthConstants {
//Build authentication form
- String publicURLPreFix = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+ String publicURLPreFix = target.getAuthURL();
+ if (publicURLPreFix.endsWith("/"))
+ publicURLPreFix = publicURLPreFix.substring(0, publicURLPreFix.length() - 1);
String loginForm = LoginFormBuilder.buildLoginForm(target.requestedModule(),
target.requestedAction(), oaParam, publicURLPreFix, moasession.getSessionID());
@@ -714,6 +739,17 @@ public class AuthenticationManager extends MOAIDAuthConstants {
out.flush();
}
} catch (ProcessExecutionException e) {
+ Throwable cause = e.getCause();
+ if (cause != null && cause instanceof TaskExecutionException) {
+ Throwable taskCause = cause.getCause();
+ if (taskCause != null && taskCause instanceof MOAIDException) {
+ MOAIDException moaTaskCause = (MOAIDException) taskCause;
+ Logger.warn(taskCause);
+ throw moaTaskCause;
+
+ }
+ }
+
throw new MOAIDException("process.01", new Object[] { moasession.getProcessInstanceId(), moasession }, e);
}
}
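Review bot: The added unwrapping in the ProcessExecutionException catch performs redundant null checks (`cause != null && cause instanceof ...` — `instanceof` is already false for null) and logs the MOAIDException with `Logger.warn(taskCause)` immediately before rethrowing it, so the same exception is likely reported twice once the caller handles it. The block reduces to `Throwable cause = e.getCause();` `if (cause instanceof TaskExecutionException && cause.getCause() instanceof MOAIDException) {` `throw (MOAIDException) cause.getCause(); }`, with a comment such as `// surface the task's own MOAIDException (error code/message) instead of the generic process.01`. The enclosing method starts outside the hunk.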