aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java144
1 files changed, 122 insertions, 22 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
index cc48873af..c17f1a4dd 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
@@ -37,36 +37,50 @@ import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeQuery;
import org.opensaml.saml2.core.Response;
import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.ws.soap.common.SOAPException;
+import org.opensaml.xml.XMLObject;
import org.opensaml.xml.security.SecurityException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.stereotype.Service;
-import at.gv.egiz.eaaf.core.api.IAction;
-import at.gv.egiz.eaaf.core.api.IOAAuthParameters;
import at.gv.egiz.eaaf.core.api.IRequest;
-import at.gv.egiz.eaaf.core.api.data.IAuthData;
-import at.gv.egiz.eaaf.core.api.data.SLOInformationInterface;
-import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder;
+import at.gv.egiz.eaaf.core.api.idp.IAction;
+import at.gv.egiz.eaaf.core.api.idp.IAuthData;
+import at.gv.egiz.eaaf.core.api.idp.IAuthenticationDataBuilder;
+import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface;
+import at.gv.egiz.eaaf.core.exceptions.EAAFAuthenticationException;
+import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException;
import at.gv.egovernment.moa.id.auth.builder.DynamicOAAuthParameterBuilder;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameterDecorator;
+import at.gv.egovernment.moa.id.data.IMOAAuthData;
import at.gv.egovernment.moa.id.data.Trible;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.SoapBinding;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AuthResponseBuilder;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionBuilder;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
/**
* @author tlenz
@@ -76,12 +90,15 @@ import at.gv.egovernment.moa.logging.Logger;
public class AttributQueryAction implements IAction {
@Autowired private IAuthenticationSessionStoreage authenticationSessionStorage;
- @Autowired private AuthenticationDataBuilder authDataBuilder;
+ @Autowired private IAuthenticationDataBuilder authDataBuilder;
@Autowired private IDPCredentialProvider pvpCredentials;
@Autowired private AuthConfiguration authConfig;
@Autowired(required=true) private MOAMetadataProvider metadataProvider;
@Autowired(required=true) ApplicationContext springContext;
+ @Autowired private AttributQueryBuilder attributQueryBuilder;
+ @Autowired private SAMLVerificationEngineSP samlVerificationEngine;
+
private final static List<String> DEFAULTSTORKATTRIBUTES = Arrays.asList(
new String[]{PVPConstants.EID_STORK_TOKEN_NAME});
@@ -109,14 +126,14 @@ public class AttributQueryAction implements IAction {
try {
//get Single Sign-On information for the Service-Provider
// which sends the Attribute-Query request
- AuthenticationSession moaSession = authenticationSessionStorage.getInternalSSOSession(pendingReq.getInternalSSOSessionIdentifier());
+ AuthenticationSession moaSession = authenticationSessionStorage.getInternalSSOSession(pendingReq.getSSOSessionIdentifier());
if (moaSession == null) {
- Logger.warn("No MOASession with ID:" + pendingReq.getInternalSSOSessionIdentifier() + " FOUND.");
- throw new MOAIDException("auth.02", new Object[]{pendingReq.getInternalSSOSessionIdentifier()});
+ Logger.warn("No MOASession with ID:" + pendingReq.getSSOSessionIdentifier() + " FOUND.");
+ throw new MOAIDException("auth.02", new Object[]{pendingReq.getSSOSessionIdentifier()});
}
InterfederationSessionStore nextIDPInformation =
- authenticationSessionStorage.searchInterfederatedIDPFORAttributeQueryWithSessionID(moaSession.getSessionID());
+ authenticationSessionStorage.searchInterfederatedIDPFORAttributeQueryWithSessionID(moaSession.getSSOSessionID());
AttributeQuery attrQuery =
(AttributeQuery)((MOARequest)((PVPTargetConfiguration) pendingReq).getRequest()).getSamlRequest();
@@ -157,9 +174,9 @@ public class AttributQueryAction implements IAction {
throw new MOAIDException("pvp2.01", null, e);
} catch (MOADatabaseException e) {
- Logger.error("MOASession with SessionID=" + pendingReq.getInternalSSOSessionIdentifier()
+ Logger.error("MOASession with SessionID=" + pendingReq.getSSOSessionIdentifier()
+ " is not found in Database", e);
- throw new MOAIDException("init.04", new Object[] { pendingReq.getInternalSSOSessionIdentifier() });
+ throw new MOAIDException("init.04", new Object[] { pendingReq.getSSOSessionIdentifier() });
}
@@ -195,7 +212,7 @@ public class AttributQueryAction implements IAction {
((PVPTargetConfiguration) pendingReq).getRequest() instanceof MOARequest &&
((PVPTargetConfiguration) pendingReq).getRequest().getInboundMessage() instanceof AttributeQuery) {
- authenticationSessionStorage.markOAWithAttributeQueryUsedFlag(session, pendingReq.getOAURL(), pendingReq.requestedModule());
+ authenticationSessionStorage.markOAWithAttributeQueryUsedFlag(session, pendingReq.getSPEntityId(), pendingReq.requestedModule());
}
//build OnlineApplication dynamic from requested attributes (AttributeQuerry Request) and configuration
@@ -208,15 +225,18 @@ public class AttributQueryAction implements IAction {
+ " for authentication information.");
//load configuration of next IDP
- IOAAuthParameters idpLoaded = authConfig.getOnlineApplicationParameter(nextIDPInformation.getIdpurlprefix());
- if (idpLoaded == null || !(idpLoaded instanceof OAAuthParameter)) {
+ IOAAuthParameters idpLoaded =
+ authConfig.getServiceProviderConfiguration(
+ nextIDPInformation.getIdpurlprefix(),
+ OAAuthParameterDecorator.class);
+ if (idpLoaded == null || !(idpLoaded instanceof IOAAuthParameters)) {
Logger.warn("Configuration for federated IDP:" + nextIDPInformation.getIdpurlprefix()
+ "is not loadable.");
throw new MOAIDException("auth.32", new Object[]{nextIDPInformation.getIdpurlprefix()});
}
- OAAuthParameter idp = (OAAuthParameter) idpLoaded;
+ IOAAuthParameters idp = idpLoaded;
//check if next IDP config allows inbound messages
if (!idp.isInboundSSOInterfederationAllowed()) {
@@ -227,7 +247,7 @@ public class AttributQueryAction implements IAction {
}
//check next IDP service area policy. BusinessService IDPs can only request wbPKs
- if (!spConfig.hasBaseIdTransferRestriction() && !idp.isIDPPublicService()) {
+ if (!spConfig.hasBaseIdTransferRestriction() && idp.hasBaseIdTransferRestriction()) {
Logger.error("Interfederated IDP " + idp.getPublicURLPrefix()
+ " is a BusinessService-IDP but requests PublicService attributes.");
throw new MOAIDException("auth.34", new Object[]{nextIDPInformation.getIdpurlprefix()});
@@ -239,7 +259,7 @@ public class AttributQueryAction implements IAction {
* 'pendingReq.getAuthURL() + "/sp/federated/metadata"' is implemented in federated_authentication module
* but used in moa-id-lib. This should be refactored!!!
*/
- AssertionAttributeExtractor extractor = authDataBuilder.getAuthDataFromAttributeQuery(reqAttributes,
+ AssertionAttributeExtractor extractor = getAuthDataFromAttributeQuery(reqAttributes,
nextIDPInformation.getUserNameID(), idp, pendingReq.getAuthURL() + "/sp/federated/metadata");
//mark attribute request as used
@@ -262,7 +282,7 @@ public class AttributQueryAction implements IAction {
} else {
Logger.debug("Build authData for AttributQuery from local MOASession.");
- IAuthData authData = authDataBuilder.buildAuthenticationData(pendingReq, session, spConfig);
+ IAuthData authData = authDataBuilder.buildAuthenticationData(pendingReq);
//add default attributes in case of mandates or STORK is in use
List<String> attrList = addDefaultAttributes(reqAttributes, authData);
@@ -270,12 +290,19 @@ public class AttributQueryAction implements IAction {
//build Set of response attributes
List<Attribute> respAttr = PVPAttributeBuilder.buildSetOfResponseAttributes(authData, attrList);
- return Trible.newInstance(respAttr, authData.getSsoSessionValidTo(), authData.getQAALevel());
+ return Trible.newInstance(respAttr, authData.getSsoSessionValidTo(), authData.getEIDASQAALevel());
}
} catch (MOAIDException e) {
throw e;
+
+ } catch (EAAFAuthenticationException e) {
+ throw new MOAIDException(e.getErrorId(), e.getParams(), e);
+
+ } catch (EAAFConfigurationException e) {
+ throw new MOAIDException(e.getErrorId(), e.getParams(), e);
+
}
}
@@ -307,7 +334,8 @@ public class AttributQueryAction implements IAction {
}
//add default mandate attributes if it is a authentication with mandates
- if (authData.isUseMandate() && !reqAttributeNames.containsAll(DEFAULTMANDATEATTRIBUTES)) {
+ if (authData instanceof IMOAAuthData)
+ if (((IMOAAuthData)authData).isUseMandate() && !reqAttributeNames.containsAll(DEFAULTMANDATEATTRIBUTES)) {
for (String el : DEFAULTMANDATEATTRIBUTES) {
if (!reqAttributeNames.contains(el))
reqAttributeNames.add(el);
@@ -317,4 +345,76 @@ public class AttributQueryAction implements IAction {
return reqAttributeNames;
}
+ /**
+ * Get PVP authentication attributes by using a SAML2 AttributeQuery
+ *
+ * @param reqQueryAttr List of PVP attributes which are requested
+ * @param userNameID SAML2 UserNameID of the user for which attributes are requested
+ * @param idpConfig Configuration of the IDP, which is requested
+ * @return
+ * @return PVP attribute DAO, which contains all received information
+ * @throws MOAIDException
+ */
+ public AssertionAttributeExtractor getAuthDataFromAttributeQuery(List<Attribute> reqQueryAttr,
+ String userNameID, IOAAuthParameters idpConfig, String spEntityID) throws MOAIDException{
+ String idpEnityID = idpConfig.getPublicURLPrefix();
+
+ try {
+ Logger.debug("Starting AttributeQuery process ...");
+ //collect attributes by using BackChannel communication
+ String endpoint = idpConfig.getIDPAttributQueryServiceURL();
+ if (MiscUtil.isEmpty(endpoint)) {
+ Logger.error("No AttributeQueryURL for interfederationIDP " + idpEnityID);
+ throw new ConfigurationException("config.26", new Object[]{idpEnityID});
+
+ }
+
+ //build attributQuery request
+ AttributeQuery query = attributQueryBuilder.buildAttributQueryRequest(spEntityID, userNameID, endpoint, reqQueryAttr);
+
+ //build SOAP request
+ List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query);
+
+ if (xmlObjects.size() == 0) {
+ Logger.error("Receive emptry AttributeQuery response-body.");
+ throw new AttributQueryException("auth.27",
+ new Object[]{idpEnityID, "Receive emptry AttributeQuery response-body."});
+
+ }
+
+ Response intfResp;
+ if (xmlObjects.get(0) instanceof Response) {
+ intfResp = (Response) xmlObjects.get(0);
+
+ //validate PVP 2.1 response
+ try {
+ samlVerificationEngine.verifyIDPResponse(intfResp,
+ TrustEngineFactory.getSignatureKnownKeysTrustEngine(
+ metadataProvider));
+
+ //create assertion attribute extractor from AttributeQuery response
+ return new AssertionAttributeExtractor(intfResp);
+
+ } catch (Exception e) {
+ Logger.warn("PVP 2.1 assertion validation FAILED.", e);
+ throw new AssertionValidationExeption("auth.27",
+ new Object[]{idpEnityID, e.getMessage()}, e);
+ }
+
+ } else {
+ Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response");
+ throw new AttributQueryException("auth.27",
+ new Object[]{idpEnityID, "Receive AttributeQuery response-body include no PVP 2.1 response"});
+
+ }
+
+ } catch (SOAPException e) {
+ throw new BuildException("builder.06", null, e);
+
+ } catch (SecurityException e) {
+ throw new BuildException("builder.06", null, e);
+
+ }
+ }
+
}