1 files changed, 67 insertions, 36 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index 9e2c89583..bc90da8df 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -1,3 +1,25 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
 package at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion;
 
 import java.util.Iterator;
@@ -52,6 +74,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.QAANotSupportedExcept
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.UnprovideableAttributeException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
 import at.gv.egovernment.moa.id.util.MandateBuilder;
+import at.gv.egovernment.moa.id.util.QAALevelVerifier;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.Constants;
 
@@ -67,45 +90,59 @@ public class PVP2AssertionBuilder implements PVPConstants {
 		AuthnContextClassRef authnContextClassRef = SAML2Utils
 				.createSAMLObject(AuthnContextClassRef.class);
 		
+		OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
+				.getOnlineApplicationParameter(
+						peerEntity.getEntityID());
+		
 		if (reqAuthnContext == null) {
 			 authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
 			
-		} else {
+		}
 
-			boolean stork_qaa_1_4_found = false;
+		boolean stork_qaa_1_4_found = false;
+	
+		 List<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext
+				.getAuthnContextClassRefs();
 		
-			 List<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext
-					.getAuthnContextClassRefs();
+		 if (reqAuthnContextClassRefIt.size() == 0) {
+			 
+			 QAALevelVerifier.verifyQAALevel(authSession.getQAALevel(), 
+					 STORK_QAA_1_4);
 			
-			 if (reqAuthnContextClassRefIt.size() == 0) {
-				 stork_qaa_1_4_found = true;
-				 authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
-				 
-			 } else {
-				 for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) {
-					 String qaa_uri = authnClassRef.getAuthnContextClassRef();
-					 if (qaa_uri.trim().equals(STORK_QAA_1_4)
-							 || qaa_uri.trim().equals(STORK_QAA_1_3)
-							 || qaa_uri.trim().equals(STORK_QAA_1_2)
-							 || qaa_uri.trim().equals(STORK_QAA_1_1)) {
-						
-						 if (authSession.isForeigner()) {
-							 //TODO: insert QAA check
-						
-							 stork_qaa_1_4_found = false;
-						
-						 } else {
-							 stork_qaa_1_4_found = true;
-							 authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
-						 }
-						 break;
+			 stork_qaa_1_4_found = true;
+			 authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
+			 
+		 } else {
+			 for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) {
+				 String qaa_uri = authnClassRef.getAuthnContextClassRef();
+				 if (qaa_uri.trim().equals(STORK_QAA_1_4)
+						 || qaa_uri.trim().equals(STORK_QAA_1_3)
+						 || qaa_uri.trim().equals(STORK_QAA_1_2)
+						 || qaa_uri.trim().equals(STORK_QAA_1_1)) {
+					
+					 if (authSession.isForeigner()) {
+						 QAALevelVerifier.verifyQAALevel(authSession.getQAALevel(), 
+								 STORK_QAA_PREFIX + oaParam.getQaaLevel());
+						 
+						 stork_qaa_1_4_found = true;
+						 authnContextClassRef.setAuthnContextClassRef(authSession.getQAALevel());
+						 
+					 } else {
+						 
+						 QAALevelVerifier.verifyQAALevel(authSession.getQAALevel(), 
+								 qaa_uri.trim());
+						 
+						 stork_qaa_1_4_found = true;
+						 authnContextClassRef.setAuthnContextClassRef(authSession.getQAALevel());
+						 							 
 					 }
+					 break;
 				 }
 			 }
-	
-			if (!stork_qaa_1_4_found) {
-				throw new QAANotSupportedException(STORK_QAA_1_4);
-			}
+		 }
+
+		if (!stork_qaa_1_4_found) {
+			throw new QAANotSupportedException(STORK_QAA_1_4);
 		}
 
 //		reqAuthnContextClassRefIt = reqAuthnContext.getAuthnContextClassRefs()
@@ -187,12 +224,6 @@ public class PVP2AssertionBuilder implements PVPConstants {
 		 * null, true); } }
 		 */
 
-		// TODO: LOAD oaParam from request and not from MOASession in case of
-		// SSO
-		OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
-				.getOnlineApplicationParameter(
-						peerEntity.getEntityID());
-
 		AuthenticationData authData = AuthenticationServer
 				.buildAuthenticationData(authSession, oaParam,
 						oaParam.getTarget());