Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java325
1 files changed, 325 insertions, 0 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
new file mode 100644
index 000000000..17fc52a8c
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -0,0 +1,325 @@
+package at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion;
+
+import java.util.Iterator;
+import java.util.List;
+
+import org.joda.time.DateTime;
+import org.opensaml.common.xml.SAMLConstants;
+import org.opensaml.saml2.core.Assertion;
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.AttributeStatement;
+import org.opensaml.saml2.core.Audience;
+import org.opensaml.saml2.core.AudienceRestriction;
+import org.opensaml.saml2.core.AuthnContext;
+import org.opensaml.saml2.core.AuthnContextClassRef;
+import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.core.AuthnStatement;
+import org.opensaml.saml2.core.Conditions;
+import org.opensaml.saml2.core.Issuer;
+import org.opensaml.saml2.core.NameID;
+import org.opensaml.saml2.core.RequestedAuthnContext;
+import org.opensaml.saml2.core.Subject;
+import org.opensaml.saml2.core.SubjectConfirmation;
+import org.opensaml.saml2.core.SubjectConfirmationData;
+import org.opensaml.saml2.metadata.AttributeConsumingService;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.NameIDFormat;
+import org.opensaml.saml2.metadata.RequestedAttribute;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.w3c.dom.Element;
+
+import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate;
+import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType;
+import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
+import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
+import at.gv.egovernment.moa.id.MOAIDException;
+import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.AuthenticationData;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoAuthContextException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.QAANotSupportedException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.UnprovideableAttributeException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+import at.gv.egovernment.moa.id.util.MandateBuilder;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Constants;
+
+public class PVP2AssertionBuilder implements PVPConstants {
+ public static Assertion buildAssertion(AuthnRequest authnRequest,
+ AuthenticationSession authSession, EntityDescriptor peerEntity)
+ throws MOAIDException {
+ Assertion assertion = SAML2Utils.createSAMLObject(Assertion.class);
+
+ RequestedAuthnContext reqAuthnContext = authnRequest
+ .getRequestedAuthnContext();
+
+ if (reqAuthnContext == null) {
+ throw new NoAuthContextException();
+ }
+
+ boolean stork_qaa_1_4_found = false;
+
+ AuthnContextClassRef authnContextClassRef = SAML2Utils
+ .createSAMLObject(AuthnContextClassRef.class);
+
+ List<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext
+ .getAuthnContextClassRefs();
+
+ if (reqAuthnContextClassRefIt.size() == 0) {
+ stork_qaa_1_4_found = true;
+ authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
+
+ } else {
+ for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) {
+ String qaa_uri = authnClassRef.getAuthnContextClassRef();
+ if (qaa_uri.trim().equals(STORK_QAA_1_4)
+ || qaa_uri.trim().equals(STORK_QAA_1_3)
+ || qaa_uri.trim().equals(STORK_QAA_1_2)
+ || qaa_uri.trim().equals(STORK_QAA_1_1)) {
+
+ if (authSession.isForeigner()) {
+ //TODO: insert QAA check
+
+ stork_qaa_1_4_found = false;
+
+ } else {
+ stork_qaa_1_4_found = true;
+ authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
+ }
+ break;
+ }
+ }
+ }
+
+ if (!stork_qaa_1_4_found) {
+ throw new QAANotSupportedException(STORK_QAA_1_4);
+ }
+
+// reqAuthnContextClassRefIt = reqAuthnContext.getAuthnContextClassRefs()
+// .iterator();
+//
+// StringBuilder authContextsb = new StringBuilder();
+//
+// while (reqAuthnContextClassRefIt.hasNext()) {
+// AuthnContextClassRef authnClassRef = reqAuthnContextClassRefIt
+// .next();
+// String[] qaa_uris = authnClassRef.getAuthnContextClassRef().split(
+// "\\s+");
+// for (int i = 0; i < qaa_uris.length; i++) {
+// if (qaa_uris[i].trim().equals(STORK_QAA_1_4)
+// || qaa_uris[i].trim().equals(STORK_QAA_1_3)
+// || qaa_uris[i].trim().equals(STORK_QAA_1_2)
+// || qaa_uris[i].trim().equals(STORK_QAA_1_1)) {
+// authContextsb.append(qaa_uris[i].trim());
+// authContextsb.append(" ");
+// }
+// }
+//
+// }
+
+ AuthnContext authnContext = SAML2Utils
+ .createSAMLObject(AuthnContext.class);
+ authnContext.setAuthnContextClassRef(authnContextClassRef);
+
+ AuthnStatement authnStatement = SAML2Utils
+ .createSAMLObject(AuthnStatement.class);
+ String remoteSessionID = SAML2Utils.getSecureIdentifier();
+ authnStatement.setAuthnInstant(new DateTime());
+ // currently dummy id ...
+ authnStatement.setSessionIndex(remoteSessionID);
+ authnStatement.setAuthnContext(authnContext);
+
+ assertion.getAuthnStatements().add(authnStatement);
+
+ SPSSODescriptor spSSODescriptor = peerEntity
+ .getSPSSODescriptor(SAMLConstants.SAML20P_NS);
+
+ Integer aIdx = authnRequest.getAttributeConsumingServiceIndex();
+ int idx = 0;
+
+ if (aIdx != null) {
+ idx = aIdx.intValue();
+ }
+
+ AttributeConsumingService attributeConsumingService = spSSODescriptor
+ .getAttributeConsumingServices().get(idx);
+
+ AttributeStatement attributeStatement = SAML2Utils
+ .createSAMLObject(AttributeStatement.class);
+
+ Subject subject = SAML2Utils.createSAMLObject(Subject.class);
+ NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class);
+ boolean foundFormat = false;
+
+ // TL: AuthData generation is moved to Assertion generation.
+
+ Iterator<NameIDFormat> formatIt = spSSODescriptor.getNameIDFormats()
+ .iterator();
+ while (formatIt.hasNext()) {
+ if (formatIt.next().getFormat().equals(NameID.PERSISTENT)) {
+ foundFormat = true;
+ break;
+ }
+ }
+ if (!foundFormat) {
+ // TODO use correct exception
+ throw new NameIDFormatNotSupportedException("");
+ }
+
+ // TODO: Check if we need to hide source pin
+ /*
+ * if(authSession.getUseMandate()) { Element mandate =
+ * authSession.getMandate(); if(authSession.getBusinessService()) { //
+ * Hide Source PIN! ParepUtils.HideStammZahlen(mandate, true, null,
+ * authSession.getDomainIdentifier(), true); } else {
+ * ParepUtils.HideStammZahlen(mandate, false, authSession.getTarget(),
+ * null, true); } }
+ */
+
+ // TODO: LOAD oaParam from request and not from MOASession in case of
+ // SSO
+ OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
+ .getOnlineApplicationParameter(
+ peerEntity.getEntityID());
+
+ AuthenticationData authData = AuthenticationServer
+ .buildAuthenticationData(authSession, oaParam,
+ oaParam.getTarget());
+
+ Iterator<RequestedAttribute> it = attributeConsumingService
+ .getRequestAttributes().iterator();
+ while (it.hasNext()) {
+ RequestedAttribute reqAttribut = it.next();
+ try {
+ Attribute attr = PVPAttributeBuilder.buildAttribute(
+ reqAttribut.getName(), authSession, oaParam, authData);
+ if (attr == null) {
+ if (reqAttribut.isRequired()) {
+ throw new UnprovideableAttributeException(
+ reqAttribut.getName());
+ }
+ } else {
+ attributeStatement.getAttributes().add(attr);
+ }
+ } catch (PVP2Exception e) {
+ Logger.error(
+ "Attribute generation failed! for "
+ + reqAttribut.getFriendlyName(), e);
+ if (reqAttribut.isRequired()) {
+ throw new UnprovideableAttributeException(
+ reqAttribut.getName());
+ }
+ }
+ }
+
+ if (attributeStatement.getAttributes().size() > 0) {
+ assertion.getAttributeStatements().add(attributeStatement);
+ }
+
+ subjectNameID.setFormat(NameID.PERSISTENT);
+
+ //TLenz: set correct bPK Type and Value from AuthData
+ if (authSession.getUseMandate()) {
+ Element mandate = authSession.getMandate();
+ if(mandate == null) {
+ throw new NoMandateDataAvailableException();
+ }
+ Mandate mandateObject = MandateBuilder.buildMandate(mandate);
+ if(mandateObject == null) {
+ throw new NoMandateDataAvailableException();
+ }
+ CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody();
+ PhysicalPersonType pysicalperson = mandateObject.getMandator().getPhysicalPerson();
+
+ IdentificationType id;
+ if(corporation != null && corporation.getIdentification().size() > 0)
+ id = corporation.getIdentification().get(0);
+
+
+ else if (pysicalperson != null && pysicalperson.getIdentification().size() > 0)
+ id = pysicalperson.getIdentification().get(0);
+
+ else {
+ Logger.error("Failed to generate IdentificationType");
+ throw new NoMandateDataAvailableException();
+ }
+
+ String bpktype = id.getType();
+ String bpk = id.getValue().getValue();
+
+ if (bpktype.equals(Constants.URN_PREFIX_BASEID)) {
+ if (authSession.getBusinessService()) {
+ subjectNameID.setValue(new BPKBuilder().buildWBPK(bpk, oaParam.getIdentityLinkDomainIdentifier()));
+ if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
+ subjectNameID.setNameQualifier(oaParam.getIdentityLinkDomainIdentifier());
+ else
+ subjectNameID.setNameQualifier(Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier());
+
+ } else {
+ subjectNameID.setValue(new BPKBuilder().buildBPK(bpk, oaParam.getTarget()));
+ if (oaParam.getTarget().startsWith(Constants.URN_PREFIX_CDID + "+"))
+ subjectNameID.setNameQualifier(oaParam.getTarget());
+ else
+ subjectNameID.setNameQualifier(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget());
+ }
+
+
+ } else {
+ subjectNameID.setNameQualifier(bpktype);
+ subjectNameID.setValue(bpk);
+ }
+
+ } else {
+ subjectNameID.setNameQualifier(authData.getBPKType());
+ subjectNameID.setValue(authData.getBPK());
+ }
+
+
+ subject.setNameID(subjectNameID);
+
+ SubjectConfirmation subjectConfirmation = SAML2Utils
+ .createSAMLObject(SubjectConfirmation.class);
+ subjectConfirmation.setMethod(SubjectConfirmation.METHOD_BEARER);
+ SubjectConfirmationData subjectConfirmationData = SAML2Utils
+ .createSAMLObject(SubjectConfirmationData.class);
+ subjectConfirmationData.setInResponseTo(authnRequest.getID());
+ subjectConfirmationData.setNotOnOrAfter(new DateTime().plusMinutes(20));
+ subjectConfirmationData.setRecipient(peerEntity.getEntityID());
+
+ subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData);
+
+ subject.getSubjectConfirmations().add(subjectConfirmation);
+
+ Conditions conditions = SAML2Utils.createSAMLObject(Conditions.class);
+ AudienceRestriction audienceRestriction = SAML2Utils
+ .createSAMLObject(AudienceRestriction.class);
+ Audience audience = SAML2Utils.createSAMLObject(Audience.class);
+
+ audience.setAudienceURI(peerEntity.getEntityID());
+ audienceRestriction.getAudiences().add(audience);
+ conditions.setNotBefore(new DateTime());
+ conditions.setNotOnOrAfter(new DateTime().plusMinutes(20));
+ conditions.getAudienceRestrictions().add(audienceRestriction);
+
+ assertion.setConditions(conditions);
+
+ Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
+ issuer.setValue(PVPConfiguration.getInstance().getIDPIssuerName());
+ issuer.setFormat(NameID.ENTITY);
+ assertion.setIssuer(issuer);
+ assertion.setSubject(subject);
+ assertion.setID(SAML2Utils.getSecureIdentifier());
+ assertion.setIssueInstant(new DateTime());
+
+ return assertion;
+ }
+}
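Review bot: The attribute-consuming-service lookup around `authnRequest.getAttributeConsumingServiceIndex()` treats the peer-supplied index as a position in `spSSODescriptor.getAttributeConsumingServices()`, so a value outside the list range ends in an uncaught IndexOutOfBoundsException and an in-range value can still select the wrong service, because SAML metadata addresses services by their `index` attribute rather than by list order. The same stretch dereferences `spSSODescriptor` and, later, `oaParam` without checking that the peer actually carries an SPSSODescriptor and has a configured online application, so unexpected SP metadata fails with a NullPointerException instead of a PVP2 error. Resolving the service by `getIndex()`, falling back to the entry marked default when the request carries no index, and failing explicitly when nothing matches keeps the error path inside the protocol's exception hierarchy; the exception in the fence below is a stand-in, as the project's matching PVP2Exception subclass is not visible in this hunk.
```java
SPSSODescriptor spSSODescriptor = peerEntity
        .getSPSSODescriptor(SAMLConstants.SAML20P_NS);
if (spSSODescriptor == null) {
    // TODO(review): replace with the project's PVP2Exception subclass for missing SP metadata
    throw new UnprovideableAttributeException(peerEntity.getEntityID());
}

Integer aIdx = authnRequest.getAttributeConsumingServiceIndex();
AttributeConsumingService attributeConsumingService = null;
for (AttributeConsumingService acs : spSSODescriptor.getAttributeConsumingServices()) {
    // metadata services are addressed by their 'index' attribute, not list position;
    // without an index in the request, use the service flagged as default
    boolean match = (aIdx == null)
            ? Boolean.TRUE.equals(acs.isDefault())
            : aIdx.intValue() == acs.getIndex();
    if (match) {
        attributeConsumingService = acs;
        break;
    }
}
if (attributeConsumingService == null && aIdx == null
        && !spSSODescriptor.getAttributeConsumingServices().isEmpty()) {
    // no service is flagged default: SAML metadata treats the first one as default
    attributeConsumingService = spSSODescriptor.getAttributeConsumingServices().get(0);
}
if (attributeConsumingService == null) {
    // TODO(review): replace with the project's PVP2Exception subclass for an unknown service index
    throw new UnprovideableAttributeException(String.valueOf(aIdx));
}
// … unchanged: AttributeStatement / Subject / NameID format handling …
```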