1 files changed, 122 insertions, 22 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
index cc48873af..c17f1a4dd 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
@@ -37,36 +37,50 @@ import org.opensaml.saml2.core.Attribute;
 import org.opensaml.saml2.core.AttributeQuery;
 import org.opensaml.saml2.core.Response;
 import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.ws.soap.common.SOAPException;
+import org.opensaml.xml.XMLObject;
 import org.opensaml.xml.security.SecurityException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.ApplicationContext;
 import org.springframework.stereotype.Service;
 
-import at.gv.egiz.eaaf.core.api.IAction;
-import at.gv.egiz.eaaf.core.api.IOAAuthParameters;
 import at.gv.egiz.eaaf.core.api.IRequest;
-import at.gv.egiz.eaaf.core.api.data.IAuthData;
-import at.gv.egiz.eaaf.core.api.data.SLOInformationInterface;
-import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder;
+import at.gv.egiz.eaaf.core.api.idp.IAction;
+import at.gv.egiz.eaaf.core.api.idp.IAuthData;
+import at.gv.egiz.eaaf.core.api.idp.IAuthenticationDataBuilder;
+import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface;
+import at.gv.egiz.eaaf.core.exceptions.EAAFAuthenticationException;
+import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException;
 import at.gv.egovernment.moa.id.auth.builder.DynamicOAAuthParameterBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
 import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameterDecorator;
+import at.gv.egovernment.moa.id.data.IMOAAuthData;
 import at.gv.egovernment.moa.id.data.Trible;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.SoapBinding;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AuthResponseBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
 import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
 import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
 
 /**
  * @author tlenz
@@ -76,12 +90,15 @@ import at.gv.egovernment.moa.logging.Logger;
 public class AttributQueryAction implements IAction {
 
 	@Autowired private IAuthenticationSessionStoreage authenticationSessionStorage;
-	@Autowired private AuthenticationDataBuilder authDataBuilder;
+	@Autowired private IAuthenticationDataBuilder authDataBuilder;
 	@Autowired private IDPCredentialProvider pvpCredentials;
 	@Autowired private AuthConfiguration authConfig;
 	@Autowired(required=true) private MOAMetadataProvider metadataProvider;
 	@Autowired(required=true) ApplicationContext springContext;
 	
+	@Autowired private AttributQueryBuilder attributQueryBuilder;
+	@Autowired private SAMLVerificationEngineSP samlVerificationEngine;
+	
 	private final static List<String> DEFAULTSTORKATTRIBUTES = Arrays.asList(
 			new String[]{PVPConstants.EID_STORK_TOKEN_NAME});	
 	
@@ -109,14 +126,14 @@ public class AttributQueryAction implements IAction {
 			try {
 				//get Single Sign-On information for the Service-Provider
 				// which sends the Attribute-Query request
-				AuthenticationSession moaSession = authenticationSessionStorage.getInternalSSOSession(pendingReq.getInternalSSOSessionIdentifier());
+				AuthenticationSession moaSession = authenticationSessionStorage.getInternalSSOSession(pendingReq.getSSOSessionIdentifier());
 				if (moaSession == null) {
-					Logger.warn("No MOASession with ID:" + pendingReq.getInternalSSOSessionIdentifier() + " FOUND.");
-					throw new MOAIDException("auth.02", new Object[]{pendingReq.getInternalSSOSessionIdentifier()});
+					Logger.warn("No MOASession with ID:" + pendingReq.getSSOSessionIdentifier() + " FOUND.");
+					throw new MOAIDException("auth.02", new Object[]{pendingReq.getSSOSessionIdentifier()});
 				}
 												
 				InterfederationSessionStore nextIDPInformation = 
-						authenticationSessionStorage.searchInterfederatedIDPFORAttributeQueryWithSessionID(moaSession.getSessionID());
+						authenticationSessionStorage.searchInterfederatedIDPFORAttributeQueryWithSessionID(moaSession.getSSOSessionID());
 			
 				AttributeQuery attrQuery = 
 						(AttributeQuery)((MOARequest)((PVPTargetConfiguration) pendingReq).getRequest()).getSamlRequest();
@@ -157,9 +174,9 @@ public class AttributQueryAction implements IAction {
 				throw new MOAIDException("pvp2.01", null, e);
 
 			} catch (MOADatabaseException e) {
-				Logger.error("MOASession with SessionID=" + pendingReq.getInternalSSOSessionIdentifier() 
+				Logger.error("MOASession with SessionID=" + pendingReq.getSSOSessionIdentifier() 
 					+ " is not found in Database", e);
-				throw new MOAIDException("init.04", new Object[] { pendingReq.getInternalSSOSessionIdentifier() });
+				throw new MOAIDException("init.04", new Object[] { pendingReq.getSSOSessionIdentifier() });
 				
 			}
 			
@@ -195,7 +212,7 @@ public class AttributQueryAction implements IAction {
 					((PVPTargetConfiguration) pendingReq).getRequest() instanceof MOARequest &&
 					((PVPTargetConfiguration) pendingReq).getRequest().getInboundMessage() instanceof AttributeQuery) {				
 				
-				authenticationSessionStorage.markOAWithAttributeQueryUsedFlag(session, pendingReq.getOAURL(), pendingReq.requestedModule());
+				authenticationSessionStorage.markOAWithAttributeQueryUsedFlag(session, pendingReq.getSPEntityId(), pendingReq.requestedModule());
 			}
 			
 			//build OnlineApplication dynamic from requested attributes (AttributeQuerry Request) and configuration
@@ -208,15 +225,18 @@ public class AttributQueryAction implements IAction {
 					+ " for authentication information.");
 	
 				//load configuration of next IDP
-				IOAAuthParameters idpLoaded = authConfig.getOnlineApplicationParameter(nextIDPInformation.getIdpurlprefix());
-				if (idpLoaded == null || !(idpLoaded instanceof OAAuthParameter)) {
+				IOAAuthParameters idpLoaded = 
+						authConfig.getServiceProviderConfiguration(
+								nextIDPInformation.getIdpurlprefix(),
+								OAAuthParameterDecorator.class);
+				if (idpLoaded == null || !(idpLoaded instanceof IOAAuthParameters)) {
 					Logger.warn("Configuration for federated IDP:" + nextIDPInformation.getIdpurlprefix() 
 						+ "is not loadable.");
 					throw new MOAIDException("auth.32", new Object[]{nextIDPInformation.getIdpurlprefix()});
 					
 				}
 
-				OAAuthParameter idp = (OAAuthParameter) idpLoaded;
+				IOAAuthParameters idp = idpLoaded;
 				
 				//check if next IDP config allows inbound messages
 				if (!idp.isInboundSSOInterfederationAllowed()) {
@@ -227,7 +247,7 @@ public class AttributQueryAction implements IAction {
 				}
 				
 				//check next IDP service area policy. BusinessService IDPs can only request wbPKs 
-				if (!spConfig.hasBaseIdTransferRestriction() && !idp.isIDPPublicService()) {
+				if (!spConfig.hasBaseIdTransferRestriction() && idp.hasBaseIdTransferRestriction()) {
 					Logger.error("Interfederated IDP " + idp.getPublicURLPrefix() 
 							+ " is a BusinessService-IDP but requests PublicService attributes.");
 					throw new MOAIDException("auth.34", new Object[]{nextIDPInformation.getIdpurlprefix()});
@@ -239,7 +259,7 @@ public class AttributQueryAction implements IAction {
 				 * 'pendingReq.getAuthURL() + "/sp/federated/metadata"' is implemented in federated_authentication module 
 				 *  but used in moa-id-lib. This should be refactored!!!  
 				 */
-				AssertionAttributeExtractor extractor = authDataBuilder.getAuthDataFromAttributeQuery(reqAttributes, 
+				AssertionAttributeExtractor extractor = getAuthDataFromAttributeQuery(reqAttributes, 
 						nextIDPInformation.getUserNameID(), idp, pendingReq.getAuthURL() + "/sp/federated/metadata");
 								
 				//mark attribute request as used
@@ -262,7 +282,7 @@ public class AttributQueryAction implements IAction {
 								
 			} else {													
 				Logger.debug("Build authData for AttributQuery from local MOASession.");							
-				IAuthData authData = authDataBuilder.buildAuthenticationData(pendingReq, session, spConfig);
+				IAuthData authData = authDataBuilder.buildAuthenticationData(pendingReq);
 				
 				//add default attributes in case of mandates or STORK is in use
 				List<String> attrList = addDefaultAttributes(reqAttributes, authData);
@@ -270,12 +290,19 @@ public class AttributQueryAction implements IAction {
 				//build Set of response attributes
 				List<Attribute> respAttr = PVPAttributeBuilder.buildSetOfResponseAttributes(authData, attrList);
 				
-				return Trible.newInstance(respAttr, authData.getSsoSessionValidTo(), authData.getQAALevel());
+				return Trible.newInstance(respAttr, authData.getSsoSessionValidTo(), authData.getEIDASQAALevel());
 				
 			}
 										
 		} catch (MOAIDException e) {
 			throw e;
+			
+		} catch (EAAFAuthenticationException e) {
+			throw new MOAIDException(e.getErrorId(), e.getParams(), e);
+			
+		} catch (EAAFConfigurationException e) {
+			throw new MOAIDException(e.getErrorId(), e.getParams(), e);
+			
 		}
 	}
 	
@@ -307,7 +334,8 @@ public class AttributQueryAction implements IAction {
 		}
 		
 		//add default mandate attributes if it is a authentication with mandates
-		if (authData.isUseMandate() && !reqAttributeNames.containsAll(DEFAULTMANDATEATTRIBUTES)) {
+		if (authData instanceof IMOAAuthData)
+		if (((IMOAAuthData)authData).isUseMandate() && !reqAttributeNames.containsAll(DEFAULTMANDATEATTRIBUTES)) {
 			for (String el : DEFAULTMANDATEATTRIBUTES) {
 				if (!reqAttributeNames.contains(el))
 					reqAttributeNames.add(el);
@@ -317,4 +345,76 @@ public class AttributQueryAction implements IAction {
 		return reqAttributeNames;
 	}
 	
+	/**
+	 * Get PVP authentication attributes by using a SAML2 AttributeQuery
+	 * 
+	 * @param reqQueryAttr List of PVP attributes which are requested
+	 * @param userNameID SAML2 UserNameID of the user for which attributes are requested
+	 * @param idpConfig Configuration of the IDP, which is requested 
+	 * @return 
+	 * @return PVP attribute DAO, which contains all received information
+	 * @throws MOAIDException
+	 */
+	public AssertionAttributeExtractor getAuthDataFromAttributeQuery(List<Attribute> reqQueryAttr,
+			String userNameID, IOAAuthParameters idpConfig, String spEntityID) throws MOAIDException{
+		String idpEnityID = idpConfig.getPublicURLPrefix();
+		
+		try {		
+			Logger.debug("Starting AttributeQuery process ...");
+			//collect attributes by using BackChannel communication
+			String endpoint = idpConfig.getIDPAttributQueryServiceURL();			
+			if (MiscUtil.isEmpty(endpoint)) {
+				Logger.error("No AttributeQueryURL for interfederationIDP " + idpEnityID);
+				throw new ConfigurationException("config.26", new Object[]{idpEnityID});
+				
+			}
+				
+			//build attributQuery request
+			AttributeQuery query = attributQueryBuilder.buildAttributQueryRequest(spEntityID, userNameID, endpoint, reqQueryAttr);
+			
+			//build SOAP request				
+			List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query);
+		
+			if (xmlObjects.size() == 0) {
+				Logger.error("Receive emptry AttributeQuery response-body.");
+				throw new AttributQueryException("auth.27", 
+						new Object[]{idpEnityID, "Receive emptry AttributeQuery response-body."});
+			
+			}
+		
+			Response intfResp;
+			if (xmlObjects.get(0) instanceof Response) {
+				intfResp = (Response) xmlObjects.get(0);
+			
+				//validate PVP 2.1 response
+				try {
+					samlVerificationEngine.verifyIDPResponse(intfResp, 
+							TrustEngineFactory.getSignatureKnownKeysTrustEngine(
+									metadataProvider));
+			
+					//create assertion attribute extractor from AttributeQuery response
+					return new AssertionAttributeExtractor(intfResp);
+		
+				} catch (Exception e) {
+					Logger.warn("PVP 2.1 assertion validation FAILED.", e);
+					throw new AssertionValidationExeption("auth.27", 
+							new Object[]{idpEnityID, e.getMessage()}, e);
+				}
+											
+			} else {
+				Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response");
+				throw new AttributQueryException("auth.27", 
+						new Object[]{idpEnityID, "Receive AttributeQuery response-body include no PVP 2.1 response"});
+			
+			}
+				 										
+		} catch (SOAPException e) {
+			throw new BuildException("builder.06", null, e);
+			
+		} catch (SecurityException e) {
+			throw new BuildException("builder.06", null, e);
+					
+		}
+	}
+	
 }