aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java216
1 files changed, 206 insertions, 10 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
index d11d57ab8..a1d7f5d3a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
@@ -23,8 +23,12 @@
package at.gv.egovernment.moa.id.protocols.pvp2x.builder;
import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
+import java.util.Map.Entry;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -52,6 +56,8 @@ import org.opensaml.saml2.metadata.SingleLogoutService;
import org.opensaml.saml2.metadata.impl.SingleLogoutServiceBuilder;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.ws.soap.common.SOAPException;
+import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.x509.X509Credential;
@@ -63,12 +69,23 @@ import org.springframework.context.ApplicationContext;
import org.springframework.stereotype.Service;
import org.w3c.dom.Document;
-import at.gv.egiz.eaaf.core.api.data.ISLOInformationContainer;
+import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.api.gui.IGUIFormBuilder;
+import at.gv.egiz.eaaf.core.api.idp.slo.ISLOInformationContainer;
+import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface;
+import at.gv.egiz.eaaf.core.api.logging.IRevisionLogger;
+import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage;
+import at.gv.egiz.eaaf.core.exceptions.GUIBuildException;
+import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
+import at.gv.egiz.eaaf.core.impl.utils.Random;
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
+import at.gv.egovernment.moa.id.auth.frontend.builder.DefaultGUIFormBuilderConfiguration;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore;
+import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider;
import at.gv.egovernment.moa.id.data.SLOInformationContainer;
import at.gv.egovernment.moa.id.data.SLOInformationImpl;
@@ -85,8 +102,12 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformation
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
/**
* @author tlenz
@@ -98,6 +119,181 @@ public class SingleLogOutBuilder {
@Autowired(required=true) private MOAMetadataProvider metadataProvider;
@Autowired(required=true) ApplicationContext springContext;
@Autowired private IDPCredentialProvider credentialProvider;
+ @Autowired private SAMLVerificationEngineSP samlVerificationEngine;
+ @Autowired private IGUIFormBuilder guiBuilder;
+ @Autowired(required=true) protected IRevisionLogger revisionsLogger;
+ @Autowired private ITransactionStorage transactionStorage;
+
+ public static final int SLOTIMEOUT = 30 * 1000; //30 sec
+
+ public void toTechnicalLogout(ISLOInformationContainer sloContainer,
+ HttpServletRequest httpReq, HttpServletResponse httpResp, String authUrl) throws MOAIDException {
+ Logger.trace("Starting Service-Provider logout process ... ");
+ revisionsLogger.logEvent(sloContainer.getSessionID(), sloContainer.getTransactionID(), MOAIDEventConstants.AUTHPROCESS_SLO_STARTED);
+
+ //start service provider back channel logout process
+ Iterator<String> nextOAInterator = sloContainer.getNextBackChannelOA();
+ while (nextOAInterator.hasNext()) {
+ SLOInformationInterface sloDescr = sloContainer.getBackChannelOASessionDescripten(nextOAInterator.next());
+ LogoutRequest sloReq = buildSLORequestMessage(sloDescr);
+
+ try {
+ Logger.trace("Send backchannel SLO Request to " + sloDescr.getSpEntityID());
+ List<XMLObject> soapResp = MOASAMLSOAPClient.send(sloDescr.getServiceURL(), sloReq);
+
+ LogoutResponse sloResp = null;
+ for (XMLObject el : soapResp) {
+ if (el instanceof LogoutResponse)
+ sloResp = (LogoutResponse) el;
+ }
+
+ if (sloResp == null) {
+ Logger.warn("Single LogOut for OA " + sloDescr.getSpEntityID()
+ + " FAILED. NO LogOut response received.");
+ sloContainer.putFailedOA(sloDescr.getSpEntityID());
+
+ } else {
+ samlVerificationEngine.verifySLOResponse(sloResp,
+ TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
+
+ }
+
+ checkStatusCode(sloContainer, sloResp);
+
+ } catch (SOAPException e) {
+ Logger.warn("Single LogOut for OA " + sloDescr.getSpEntityID()
+ + " FAILED.", e);
+ sloContainer.putFailedOA(sloDescr.getSpEntityID());
+
+ } catch (SecurityException | InvalidProtocolRequestException e) {
+ Logger.warn("Single LogOut for OA " + sloDescr.getSpEntityID()
+ + " FAILED.", e);
+ sloContainer.putFailedOA(sloDescr.getSpEntityID());
+
+ }
+ }
+
+ IRequest pendingReq = null;
+ PVPTargetConfiguration pvpReq = null;
+ //start service provider front channel logout process
+ try {
+ if (sloContainer.hasFrontChannelOA()) {
+ String relayState = Random.nextRandom();
+
+ Collection<Entry<String, SLOInformationInterface>> sloDescr = sloContainer.getFrontChannelOASessionDescriptions();
+ List<String> sloReqList = new ArrayList<String>();
+ for (Entry<String, SLOInformationInterface> el : sloDescr) {
+ Logger.trace("Build frontChannel SLO Request for " + el.getValue().getSpEntityID());
+
+ LogoutRequest sloReq = buildSLORequestMessage(el.getValue());
+ try {
+ sloReqList.add(getFrontChannelSLOMessageURL(el.getValue().getServiceURL(), el.getValue().getBinding(),
+ sloReq, httpReq, httpResp, relayState));
+
+ } catch (Exception e) {
+ Logger.warn("Failed to build SLO request for OA:" + el.getKey());
+ sloContainer.putFailedOA(el.getKey());
+
+ }
+ }
+
+ //put SLO process-information into transaction storage
+ transactionStorage.put(relayState, sloContainer, -1);
+
+ if (MiscUtil.isEmpty(authUrl))
+ authUrl = sloContainer.getSloRequest().getAuthURL();
+
+ String timeOutURL = authUrl
+ + "/idpSingleLogout"
+ + "?restart=" + relayState;
+
+ DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration(
+ authUrl,
+ DefaultGUIFormBuilderConfiguration.VIEW_SINGLELOGOUT,
+ null);
+
+ config.putCustomParameterWithOutEscaption("redirectURLs", sloReqList);
+ config.putCustomParameterWithOutEscaption("timeoutURL", timeOutURL);
+ config.putCustomParameter("timeout", String.valueOf(SLOTIMEOUT));
+
+ guiBuilder.build(httpResp, config, "Single-LogOut GUI");
+
+
+ } else {
+ pendingReq = sloContainer.getSloRequest();
+ if (pendingReq != null && pendingReq instanceof PVPTargetConfiguration) {
+ //send SLO response to SLO request issuer
+ pvpReq = (PVPTargetConfiguration)pendingReq;
+ SingleLogoutService sloService = getResponseSLODescriptor(pvpReq);
+ LogoutResponse message = buildSLOResponseMessage(sloService, pvpReq, sloContainer.getSloFailedOAs());
+ sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, pvpReq.getRequest().getRelayState(), pvpReq);
+
+ } else {
+ //print SLO information directly
+ DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration(
+ authUrl,
+ DefaultGUIFormBuilderConfiguration.VIEW_SINGLELOGOUT,
+ null);
+
+ if (sloContainer.getSloFailedOAs() == null ||
+ sloContainer.getSloFailedOAs().size() == 0) {
+ revisionsLogger.logEvent(sloContainer.getSessionID(), sloContainer.getTransactionID(), MOAIDEventConstants.AUTHPROCESS_SLO_ALL_VALID);
+ config.putCustomParameter("successMsg",
+ MOAIDMessageProvider.getInstance().getMessage("slo.00", null));
+
+ } else {
+ revisionsLogger.logEvent(sloContainer.getSessionID(), sloContainer.getTransactionID(), MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID);
+ config.putCustomParameterWithOutEscaption("errorMsg",
+ MOAIDMessageProvider.getInstance().getMessage("slo.01", null));
+
+ }
+ guiBuilder.build(httpResp, config, "Single-LogOut GUI");
+
+ }
+
+ }
+
+ } catch (GUIBuildException e) {
+ Logger.warn("Can not build GUI:'Single-LogOut'. Msg:" + e.getMessage());
+ throw new MOAIDException("builder.09", new Object[]{e.getMessage()}, e);
+
+ } catch (MOADatabaseException e) {
+ Logger.error("MOA AssertionDatabase ERROR", e);
+ if (pvpReq != null) {
+ SingleLogoutService sloService = getResponseSLODescriptor(pvpReq);
+ LogoutResponse message = buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI);
+ sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, pvpReq.getRequest().getRelayState(), pvpReq);
+
+ revisionsLogger.logEvent(sloContainer.getSessionID(), sloContainer.getTransactionID(), MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID);
+
+ }else {
+ //print SLO information directly
+ DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration(
+ authUrl,
+ DefaultGUIFormBuilderConfiguration.VIEW_SINGLELOGOUT,
+ null);
+
+ revisionsLogger.logEvent(sloContainer.getSessionID(), sloContainer.getTransactionID(), MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID);
+ config.putCustomParameterWithOutEscaption("errorMsg",
+ MOAIDMessageProvider.getInstance().getMessage("slo.01", null));
+
+ try {
+ guiBuilder.build(httpResp, config, "Single-LogOut GUI");
+
+ } catch (GUIBuildException e1) {
+ Logger.warn("Can not build GUI:'Single-LogOut'. Msg:" + e.getMessage());
+ throw new MOAIDException("builder.09", new Object[]{e.getMessage()}, e);
+
+ }
+
+ }
+
+ } catch (Exception e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ }
+ }
+
public void checkStatusCode(ISLOInformationContainer sloContainer, LogoutResponse logOutResp) {
@@ -221,7 +417,7 @@ public class SingleLogOutBuilder {
}
- public LogoutRequest buildSLORequestMessage(SLOInformationImpl sloInfo) throws ConfigurationException, MOAIDException {
+ public LogoutRequest buildSLORequestMessage(SLOInformationInterface sloDescr) throws ConfigurationException, MOAIDException {
LogoutRequest sloReq = SAML2Utils.createSAMLObject(LogoutRequest.class);
SecureRandomIdentifierGenerator gen;
@@ -237,17 +433,17 @@ public class SingleLogOutBuilder {
DateTime now = new DateTime();
Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
- issuer.setValue(PVPConfiguration.getInstance().getIDPSSOMetadataService(sloInfo.getAuthURL()));
+ issuer.setValue(PVPConfiguration.getInstance().getIDPSSOMetadataService(sloDescr.getAuthURL()));
issuer.setFormat(NameID.ENTITY);
sloReq.setIssuer(issuer);
sloReq.setIssueInstant(now);
sloReq.setNotOnOrAfter(now.plusMinutes(5));
- sloReq.setDestination(sloInfo.getServiceURL());
+ sloReq.setDestination(sloDescr.getServiceURL());
NameID nameID = SAML2Utils.createSAMLObject(NameID.class);
- nameID.setFormat(sloInfo.getUserNameIDFormat());
- nameID.setValue(sloInfo.getUserNameIdentifier());
+ nameID.setFormat(sloDescr.getUserNameIDFormat());
+ nameID.setValue(sloDescr.getUserNameIdentifier());
sloReq.setNameID(nameID );
//sign message
@@ -435,9 +631,9 @@ public class SingleLogOutBuilder {
public void parseActiveOAs(SLOInformationContainer container,
List<OASessionStore> dbOAs, String removeOAID) {
if (container.getActiveBackChannelOAs() == null)
- container.setActiveBackChannelOAs(new LinkedHashMap<String, SLOInformationImpl>());
+ container.setActiveBackChannelOAs(new LinkedHashMap<String, SLOInformationInterface>());
if (container.getActiveFrontChannalOAs() == null)
- container.setActiveFrontChannalOAs(new LinkedHashMap<String, SLOInformationImpl>());
+ container.setActiveFrontChannalOAs(new LinkedHashMap<String, SLOInformationInterface>());
if (dbOAs != null) {
@@ -491,9 +687,9 @@ public class SingleLogOutBuilder {
public void parseActiveIDPs(SLOInformationContainer container,
List<InterfederationSessionStore> dbIDPs, String removeIDP) {
if (container.getActiveBackChannelOAs() == null)
- container.setActiveBackChannelOAs(new LinkedHashMap<String, SLOInformationImpl>());
+ container.setActiveBackChannelOAs(new LinkedHashMap<String, SLOInformationInterface>());
if (container.getActiveFrontChannalOAs() == null)
- container.setActiveFrontChannalOAs(new LinkedHashMap<String, SLOInformationImpl>());
+ container.setActiveFrontChannalOAs(new LinkedHashMap<String, SLOInformationInterface>());
if (dbIDPs != null) {
for (InterfederationSessionStore el : dbIDPs) {
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-12 15:37:50 +0000