diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java | 198 |
1 files changed, 141 insertions, 57 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index def0d9b80..79a1c3e0f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -23,6 +23,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion; import java.security.MessageDigest; +import java.util.ArrayList; import java.util.Iterator; import java.util.List; @@ -30,6 +31,7 @@ import org.joda.time.DateTime; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.AttributeQuery; import org.opensaml.saml2.core.AttributeStatement; import org.opensaml.saml2.core.Audience; import org.opensaml.saml2.core.AudienceRestriction; @@ -58,13 +60,13 @@ import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; -import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; @@ -80,13 +82,65 @@ import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.MiscUtil; public class PVP2AssertionBuilder implements PVPConstants { + + public static Assertion buildAssertion(AttributeQuery attrQuery, + List<String> reqAttributes, IAuthData authData, DateTime date, String sessionIndex) throws ConfigurationException { + + + AuthnContextClassRef authnContextClassRef = SAML2Utils.createSAMLObject(AuthnContextClassRef.class); + authnContextClassRef.setAuthnContextClassRef(authData.getQAALevel()); + + List<Attribute> attrList = new ArrayList<Attribute>(); + if (reqAttributes != null) { + Iterator<String> it = reqAttributes.iterator(); + while (it.hasNext()) { + String reqAttributName = it.next(); + try { + Attribute attr = PVPAttributeBuilder.buildAttribute( + reqAttributName, null, authData); + if (attr == null) { + Logger.error( + "Attribute generation failed! for " + + reqAttributName); + + } else { + attrList.add(attr); + + } + + } catch (PVP2Exception e) { + Logger.error( + "Attribute generation failed! for " + + reqAttributName); + + } catch (Exception e) { + Logger.error( + "General Attribute generation failed! for " + + reqAttributName); + + } + } + } + + + NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class); + subjectNameID.setFormat(attrQuery.getSubject().getNameID().getFormat()); + subjectNameID.setValue(attrQuery.getSubject().getNameID().getValue()); + + SubjectConfirmationData subjectConfirmationData = null; + + return buildGenericAssertion(attrQuery.getIssuer().getValue(), date, + authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex); + } + public static Assertion buildAssertion(AuthnRequest authnRequest, - AuthenticationSession authSession, EntityDescriptor peerEntity, DateTime date, + IAuthData authData, EntityDescriptor peerEntity, DateTime date, AssertionConsumerService assertionConsumerService, SLOInformationImpl sloInformation) throws MOAIDException { - Assertion assertion = SAML2Utils.createSAMLObject(Assertion.class); + RequestedAuthnContext reqAuthnContext = authnRequest .getRequestedAuthnContext(); @@ -99,7 +153,7 @@ public class PVP2AssertionBuilder implements PVPConstants { peerEntity.getEntityID()); if (reqAuthnContext == null) { - authnContextClassRef.setAuthnContextClassRef(authSession.getQAALevel()); + authnContextClassRef.setAuthnContextClassRef(authData.getQAALevel()); } else { @@ -110,7 +164,7 @@ public class PVP2AssertionBuilder implements PVPConstants { if (reqAuthnContextClassRefIt.size() == 0) { - QAALevelVerifier.verifyQAALevel(authSession.getQAALevel(), + QAALevelVerifier.verifyQAALevel(authData.getQAALevel(), STORK_QAA_1_4); stork_qaa_1_4_found = true; @@ -124,20 +178,20 @@ public class PVP2AssertionBuilder implements PVPConstants { || qaa_uri.trim().equals(STORK_QAA_1_2) || qaa_uri.trim().equals(STORK_QAA_1_1)) { - if (authSession.isForeigner()) { - QAALevelVerifier.verifyQAALevel(authSession.getQAALevel(), + if (authData.isForeigner()) { + QAALevelVerifier.verifyQAALevel(authData.getQAALevel(), STORK_QAA_PREFIX + oaParam.getQaaLevel()); stork_qaa_1_4_found = true; - authnContextClassRef.setAuthnContextClassRef(authSession.getQAALevel()); + authnContextClassRef.setAuthnContextClassRef(authData.getQAALevel()); } else { - QAALevelVerifier.verifyQAALevel(authSession.getQAALevel(), + QAALevelVerifier.verifyQAALevel(authData.getQAALevel(), qaa_uri.trim()); stork_qaa_1_4_found = true; - authnContextClassRef.setAuthnContextClassRef(authSession.getQAALevel()); + authnContextClassRef.setAuthnContextClassRef(authData.getQAALevel()); } break; @@ -150,33 +204,13 @@ public class PVP2AssertionBuilder implements PVPConstants { } } - AuthnContext authnContext = SAML2Utils - .createSAMLObject(AuthnContext.class); - authnContext.setAuthnContextClassRef(authnContextClassRef); - AuthnStatement authnStatement = SAML2Utils - .createSAMLObject(AuthnStatement.class); - - String sessionIndex = SAML2Utils.getSecureIdentifier(); - authnStatement.setAuthnInstant(date); - authnStatement.setSessionIndex(sessionIndex); - authnStatement.setAuthnContext(authnContext); - - assertion.getAuthnStatements().add(authnStatement); SPSSODescriptor spSSODescriptor = peerEntity .getSPSSODescriptor(SAMLConstants.SAML20P_NS); - - AttributeStatement attributeStatement = SAML2Utils - .createSAMLObject(AttributeStatement.class); - - Subject subject = SAML2Utils.createSAMLObject(Subject.class); - - AuthenticationData authData = AuthenticationServer - .buildAuthenticationData(authSession, oaParam, - oaParam.getTarget()); - + //add Attributes to Assertion + List<Attribute> attrList = new ArrayList<Attribute>(); if (spSSODescriptor.getAttributeConsumingServices() != null && spSSODescriptor.getAttributeConsumingServices().size() > 0) { @@ -197,7 +231,7 @@ public class PVP2AssertionBuilder implements PVPConstants { attributeConsumingService = el; } } - + if (attributeConsumingService != null) { Iterator<RequestedAttribute> it = attributeConsumingService .getRequestAttributes().iterator(); @@ -205,14 +239,14 @@ public class PVP2AssertionBuilder implements PVPConstants { RequestedAttribute reqAttribut = it.next(); try { Attribute attr = PVPAttributeBuilder.buildAttribute( - reqAttribut.getName(), authSession, oaParam, authData); + reqAttribut.getName(), oaParam, authData); if (attr == null) { if (reqAttribut.isRequired()) { throw new UnprovideableAttributeException( reqAttribut.getName()); } } else { - attributeStatement.getAttributes().add(attr); + attrList.add(attr); } } catch (PVP2Exception e) { Logger.error( @@ -222,19 +256,26 @@ public class PVP2AssertionBuilder implements PVPConstants { throw new UnprovideableAttributeException( reqAttribut.getName()); } + + } catch (Exception e) { + Logger.error( + "General Attribute generation failed! for " + + reqAttribut.getFriendlyName(), e); + if (reqAttribut.isRequired()) { + throw new UnprovideableAttributeException( + reqAttribut.getName()); + } + } } } } - if (attributeStatement.getAttributes().size() > 0) { - assertion.getAttributeStatements().add(attributeStatement); - } NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class); - //TLenz: set correct bPK Type and Value from AuthData - if (authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + //build nameID and nameID Format from moasession + if (authData.isUseMandate()) { + Element mandate = authData.getMandate(); if(mandate == null) { throw new NoMandateDataAvailableException(); } @@ -263,7 +304,7 @@ public class PVP2AssertionBuilder implements PVPConstants { if (bpktype.equals(Constants.URN_PREFIX_BASEID)) { - if (authSession.getBusinessService()) { + if (oaParam.getBusinessService()) { subjectNameID.setValue(new BPKBuilder().buildWBPK(bpk, oaParam.getIdentityLinkDomainIdentifier())); if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) subjectNameID.setNameQualifier(oaParam.getIdentityLinkDomainIdentifier()); @@ -332,21 +373,68 @@ public class PVP2AssertionBuilder implements PVPConstants { } } else - subjectNameID.setFormat(nameIDFormat); - - - subject.setNameID(subjectNameID); - - SubjectConfirmation subjectConfirmation = SAML2Utils - .createSAMLObject(SubjectConfirmation.class); - subjectConfirmation.setMethod(SubjectConfirmation.METHOD_BEARER); + subjectNameID.setFormat(nameIDFormat); + + + String sessionIndex = null; + + //if request is a reauthentication and NameIDFormat match reuse old session information + if (MiscUtil.isNotEmpty(authData.getNameID()) && + MiscUtil.isNotEmpty(authData.getNameIDFormat()) && + nameIDFormat.equals(authData.getNameIDFormat())) { + subjectNameID.setValue(authData.getNameID()); + sessionIndex = authData.getSessionIndex(); + + } else + sessionIndex = SAML2Utils.getSecureIdentifier(); + SubjectConfirmationData subjectConfirmationData = SAML2Utils .createSAMLObject(SubjectConfirmationData.class); subjectConfirmationData.setInResponseTo(authnRequest.getID()); subjectConfirmationData.setNotOnOrAfter(date.plusMinutes(5)); subjectConfirmationData.setRecipient(assertionConsumerService.getLocation()); + + //set SLO information + sloInformation.setUserNameIdentifier(subjectNameID.getValue()); + sloInformation.setNameIDFormat(subjectNameID.getFormat()); + sloInformation.setSessionIndex(sessionIndex); + + return buildGenericAssertion(peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex); + } + + private static Assertion buildGenericAssertion(String entityID, DateTime date, + AuthnContextClassRef authnContextClassRef, List<Attribute> attrList, + NameID subjectNameID, SubjectConfirmationData subjectConfirmationData, + String sessionIndex) throws ConfigurationException { + Assertion assertion = SAML2Utils.createSAMLObject(Assertion.class); + + AuthnContext authnContext = SAML2Utils + .createSAMLObject(AuthnContext.class); + authnContext.setAuthnContextClassRef(authnContextClassRef); + AuthnStatement authnStatement = SAML2Utils + .createSAMLObject(AuthnStatement.class); + + authnStatement.setAuthnInstant(date); + authnStatement.setSessionIndex(sessionIndex); + authnStatement.setAuthnContext(authnContext); + + assertion.getAuthnStatements().add(authnStatement); + + AttributeStatement attributeStatement = SAML2Utils + .createSAMLObject(AttributeStatement.class); + attributeStatement.getAttributes().addAll(attrList); + if (attributeStatement.getAttributes().size() > 0) { + assertion.getAttributeStatements().add(attributeStatement); + } + + Subject subject = SAML2Utils.createSAMLObject(Subject.class); + subject.setNameID(subjectNameID); + + SubjectConfirmation subjectConfirmation = SAML2Utils + .createSAMLObject(SubjectConfirmation.class); + subjectConfirmation.setMethod(SubjectConfirmation.METHOD_BEARER); subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData); subject.getSubjectConfirmations().add(subjectConfirmation); @@ -356,7 +444,7 @@ public class PVP2AssertionBuilder implements PVPConstants { .createSAMLObject(AudienceRestriction.class); Audience audience = SAML2Utils.createSAMLObject(Audience.class); - audience.setAudienceURI(peerEntity.getEntityID()); + audience.setAudienceURI(entityID); audienceRestriction.getAudiences().add(audience); conditions.setNotBefore(date); @@ -375,11 +463,7 @@ public class PVP2AssertionBuilder implements PVPConstants { assertion.setSubject(subject); assertion.setID(SAML2Utils.getSecureIdentifier()); assertion.setIssueInstant(date); - - //set SLO information - sloInformation.setUserNameIdentifier(subjectNameID.getValue()); - sloInformation.setSessionIndex(sessionIndex); - return assertion; + return assertion; } } |