diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java | 216 |
1 files changed, 206 insertions, 10 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java index d11d57ab8..a1d7f5d3a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java @@ -23,8 +23,12 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder; import java.security.NoSuchAlgorithmException; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Iterator; import java.util.LinkedHashMap; import java.util.List; +import java.util.Map.Entry; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -52,6 +56,8 @@ import org.opensaml.saml2.metadata.SingleLogoutService; import org.opensaml.saml2.metadata.impl.SingleLogoutServiceBuilder; import org.opensaml.saml2.metadata.provider.MetadataProviderException; import org.opensaml.ws.message.encoder.MessageEncodingException; +import org.opensaml.ws.soap.common.SOAPException; +import org.opensaml.xml.XMLObject; import org.opensaml.xml.io.Marshaller; import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.x509.X509Credential; @@ -63,12 +69,23 @@ import org.springframework.context.ApplicationContext; import org.springframework.stereotype.Service; import org.w3c.dom.Document; -import at.gv.egiz.eaaf.core.api.data.ISLOInformationContainer; +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.gui.IGUIFormBuilder; +import at.gv.egiz.eaaf.core.api.idp.slo.ISLOInformationContainer; +import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface; +import at.gv.egiz.eaaf.core.api.logging.IRevisionLogger; +import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage; +import at.gv.egiz.eaaf.core.exceptions.GUIBuildException; +import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; +import at.gv.egiz.eaaf.core.impl.utils.Random; +import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; +import at.gv.egovernment.moa.id.auth.frontend.builder.DefaultGUIFormBuilderConfiguration; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider; import at.gv.egovernment.moa.id.data.SLOInformationContainer; import at.gv.egovernment.moa.id.data.SLOInformationImpl; @@ -85,8 +102,12 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformation import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; /** * @author tlenz @@ -98,6 +119,181 @@ public class SingleLogOutBuilder { @Autowired(required=true) private MOAMetadataProvider metadataProvider; @Autowired(required=true) ApplicationContext springContext; @Autowired private IDPCredentialProvider credentialProvider; + @Autowired private SAMLVerificationEngineSP samlVerificationEngine; + @Autowired private IGUIFormBuilder guiBuilder; + @Autowired(required=true) protected IRevisionLogger revisionsLogger; + @Autowired private ITransactionStorage transactionStorage; + + public static final int SLOTIMEOUT = 30 * 1000; //30 sec + + public void toTechnicalLogout(ISLOInformationContainer sloContainer, + HttpServletRequest httpReq, HttpServletResponse httpResp, String authUrl) throws MOAIDException { + Logger.trace("Starting Service-Provider logout process ... "); + revisionsLogger.logEvent(sloContainer.getSessionID(), sloContainer.getTransactionID(), MOAIDEventConstants.AUTHPROCESS_SLO_STARTED); + + //start service provider back channel logout process + Iterator<String> nextOAInterator = sloContainer.getNextBackChannelOA(); + while (nextOAInterator.hasNext()) { + SLOInformationInterface sloDescr = sloContainer.getBackChannelOASessionDescripten(nextOAInterator.next()); + LogoutRequest sloReq = buildSLORequestMessage(sloDescr); + + try { + Logger.trace("Send backchannel SLO Request to " + sloDescr.getSpEntityID()); + List<XMLObject> soapResp = MOASAMLSOAPClient.send(sloDescr.getServiceURL(), sloReq); + + LogoutResponse sloResp = null; + for (XMLObject el : soapResp) { + if (el instanceof LogoutResponse) + sloResp = (LogoutResponse) el; + } + + if (sloResp == null) { + Logger.warn("Single LogOut for OA " + sloDescr.getSpEntityID() + + " FAILED. NO LogOut response received."); + sloContainer.putFailedOA(sloDescr.getSpEntityID()); + + } else { + samlVerificationEngine.verifySLOResponse(sloResp, + TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); + + } + + checkStatusCode(sloContainer, sloResp); + + } catch (SOAPException e) { + Logger.warn("Single LogOut for OA " + sloDescr.getSpEntityID() + + " FAILED.", e); + sloContainer.putFailedOA(sloDescr.getSpEntityID()); + + } catch (SecurityException | InvalidProtocolRequestException e) { + Logger.warn("Single LogOut for OA " + sloDescr.getSpEntityID() + + " FAILED.", e); + sloContainer.putFailedOA(sloDescr.getSpEntityID()); + + } + } + + IRequest pendingReq = null; + PVPTargetConfiguration pvpReq = null; + //start service provider front channel logout process + try { + if (sloContainer.hasFrontChannelOA()) { + String relayState = Random.nextRandom(); + + Collection<Entry<String, SLOInformationInterface>> sloDescr = sloContainer.getFrontChannelOASessionDescriptions(); + List<String> sloReqList = new ArrayList<String>(); + for (Entry<String, SLOInformationInterface> el : sloDescr) { + Logger.trace("Build frontChannel SLO Request for " + el.getValue().getSpEntityID()); + + LogoutRequest sloReq = buildSLORequestMessage(el.getValue()); + try { + sloReqList.add(getFrontChannelSLOMessageURL(el.getValue().getServiceURL(), el.getValue().getBinding(), + sloReq, httpReq, httpResp, relayState)); + + } catch (Exception e) { + Logger.warn("Failed to build SLO request for OA:" + el.getKey()); + sloContainer.putFailedOA(el.getKey()); + + } + } + + //put SLO process-information into transaction storage + transactionStorage.put(relayState, sloContainer, -1); + + if (MiscUtil.isEmpty(authUrl)) + authUrl = sloContainer.getSloRequest().getAuthURL(); + + String timeOutURL = authUrl + + "/idpSingleLogout" + + "?restart=" + relayState; + + DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration( + authUrl, + DefaultGUIFormBuilderConfiguration.VIEW_SINGLELOGOUT, + null); + + config.putCustomParameterWithOutEscaption("redirectURLs", sloReqList); + config.putCustomParameterWithOutEscaption("timeoutURL", timeOutURL); + config.putCustomParameter("timeout", String.valueOf(SLOTIMEOUT)); + + guiBuilder.build(httpResp, config, "Single-LogOut GUI"); + + + } else { + pendingReq = sloContainer.getSloRequest(); + if (pendingReq != null && pendingReq instanceof PVPTargetConfiguration) { + //send SLO response to SLO request issuer + pvpReq = (PVPTargetConfiguration)pendingReq; + SingleLogoutService sloService = getResponseSLODescriptor(pvpReq); + LogoutResponse message = buildSLOResponseMessage(sloService, pvpReq, sloContainer.getSloFailedOAs()); + sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, pvpReq.getRequest().getRelayState(), pvpReq); + + } else { + //print SLO information directly + DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration( + authUrl, + DefaultGUIFormBuilderConfiguration.VIEW_SINGLELOGOUT, + null); + + if (sloContainer.getSloFailedOAs() == null || + sloContainer.getSloFailedOAs().size() == 0) { + revisionsLogger.logEvent(sloContainer.getSessionID(), sloContainer.getTransactionID(), MOAIDEventConstants.AUTHPROCESS_SLO_ALL_VALID); + config.putCustomParameter("successMsg", + MOAIDMessageProvider.getInstance().getMessage("slo.00", null)); + + } else { + revisionsLogger.logEvent(sloContainer.getSessionID(), sloContainer.getTransactionID(), MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID); + config.putCustomParameterWithOutEscaption("errorMsg", + MOAIDMessageProvider.getInstance().getMessage("slo.01", null)); + + } + guiBuilder.build(httpResp, config, "Single-LogOut GUI"); + + } + + } + + } catch (GUIBuildException e) { + Logger.warn("Can not build GUI:'Single-LogOut'. Msg:" + e.getMessage()); + throw new MOAIDException("builder.09", new Object[]{e.getMessage()}, e); + + } catch (MOADatabaseException e) { + Logger.error("MOA AssertionDatabase ERROR", e); + if (pvpReq != null) { + SingleLogoutService sloService = getResponseSLODescriptor(pvpReq); + LogoutResponse message = buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); + sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, pvpReq.getRequest().getRelayState(), pvpReq); + + revisionsLogger.logEvent(sloContainer.getSessionID(), sloContainer.getTransactionID(), MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID); + + }else { + //print SLO information directly + DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration( + authUrl, + DefaultGUIFormBuilderConfiguration.VIEW_SINGLELOGOUT, + null); + + revisionsLogger.logEvent(sloContainer.getSessionID(), sloContainer.getTransactionID(), MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID); + config.putCustomParameterWithOutEscaption("errorMsg", + MOAIDMessageProvider.getInstance().getMessage("slo.01", null)); + + try { + guiBuilder.build(httpResp, config, "Single-LogOut GUI"); + + } catch (GUIBuildException e1) { + Logger.warn("Can not build GUI:'Single-LogOut'. Msg:" + e.getMessage()); + throw new MOAIDException("builder.09", new Object[]{e.getMessage()}, e); + + } + + } + + } catch (Exception e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + } + public void checkStatusCode(ISLOInformationContainer sloContainer, LogoutResponse logOutResp) { @@ -221,7 +417,7 @@ public class SingleLogOutBuilder { } - public LogoutRequest buildSLORequestMessage(SLOInformationImpl sloInfo) throws ConfigurationException, MOAIDException { + public LogoutRequest buildSLORequestMessage(SLOInformationInterface sloDescr) throws ConfigurationException, MOAIDException { LogoutRequest sloReq = SAML2Utils.createSAMLObject(LogoutRequest.class); SecureRandomIdentifierGenerator gen; @@ -237,17 +433,17 @@ public class SingleLogOutBuilder { DateTime now = new DateTime(); Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); - issuer.setValue(PVPConfiguration.getInstance().getIDPSSOMetadataService(sloInfo.getAuthURL())); + issuer.setValue(PVPConfiguration.getInstance().getIDPSSOMetadataService(sloDescr.getAuthURL())); issuer.setFormat(NameID.ENTITY); sloReq.setIssuer(issuer); sloReq.setIssueInstant(now); sloReq.setNotOnOrAfter(now.plusMinutes(5)); - sloReq.setDestination(sloInfo.getServiceURL()); + sloReq.setDestination(sloDescr.getServiceURL()); NameID nameID = SAML2Utils.createSAMLObject(NameID.class); - nameID.setFormat(sloInfo.getUserNameIDFormat()); - nameID.setValue(sloInfo.getUserNameIdentifier()); + nameID.setFormat(sloDescr.getUserNameIDFormat()); + nameID.setValue(sloDescr.getUserNameIdentifier()); sloReq.setNameID(nameID ); //sign message @@ -435,9 +631,9 @@ public class SingleLogOutBuilder { public void parseActiveOAs(SLOInformationContainer container, List<OASessionStore> dbOAs, String removeOAID) { if (container.getActiveBackChannelOAs() == null) - container.setActiveBackChannelOAs(new LinkedHashMap<String, SLOInformationImpl>()); + container.setActiveBackChannelOAs(new LinkedHashMap<String, SLOInformationInterface>()); if (container.getActiveFrontChannalOAs() == null) - container.setActiveFrontChannalOAs(new LinkedHashMap<String, SLOInformationImpl>()); + container.setActiveFrontChannalOAs(new LinkedHashMap<String, SLOInformationInterface>()); if (dbOAs != null) { @@ -491,9 +687,9 @@ public class SingleLogOutBuilder { public void parseActiveIDPs(SLOInformationContainer container, List<InterfederationSessionStore> dbIDPs, String removeIDP) { if (container.getActiveBackChannelOAs() == null) - container.setActiveBackChannelOAs(new LinkedHashMap<String, SLOInformationImpl>()); + container.setActiveBackChannelOAs(new LinkedHashMap<String, SLOInformationInterface>()); if (container.getActiveFrontChannalOAs() == null) - container.setActiveFrontChannalOAs(new LinkedHashMap<String, SLOInformationImpl>()); + container.setActiveFrontChannalOAs(new LinkedHashMap<String, SLOInformationInterface>()); if (dbIDPs != null) { for (InterfederationSessionStore el : dbIDPs) { |