Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java')
-rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java | 257 |
1 files changed, 17 insertions, 240 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
index 194138235..94189714e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
@@ -1,42 +1,22 @@
 package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler;
-import java.util.Iterator;
-
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import org.joda.time.DateTime;
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.core.Assertion;
-import org.opensaml.saml2.core.Attribute;
-import org.opensaml.saml2.core.AttributeStatement;
-import org.opensaml.saml2.core.Audience;
-import org.opensaml.saml2.core.AudienceRestriction;
-import org.opensaml.saml2.core.AuthnContext;
-import org.opensaml.saml2.core.AuthnContextClassRef;
 import org.opensaml.saml2.core.AuthnRequest;
-import org.opensaml.saml2.core.AuthnStatement;
-import org.opensaml.saml2.core.Conditions;
 import org.opensaml.saml2.core.Issuer;
 import org.opensaml.saml2.core.NameID;
-import org.opensaml.saml2.core.RequestedAuthnContext;
 import org.opensaml.saml2.core.Response;
-import org.opensaml.saml2.core.Subject;
-import org.opensaml.saml2.core.SubjectConfirmation;
-import org.opensaml.saml2.core.SubjectConfirmationData;
 import org.opensaml.saml2.metadata.AssertionConsumerService;
-import org.opensaml.saml2.metadata.AttributeConsumingService;
 import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.NameIDFormat;
-import org.opensaml.saml2.metadata.RequestedAttribute;
 import org.opensaml.saml2.metadata.SPSSODescriptor;
 import org.opensaml.ws.message.encoder.MessageEncodingException;
 import org.opensaml.xml.security.SecurityException;
-import org.w3c.dom.Element;
 import at.gv.egovernment.moa.id.MOAIDException;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
-import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils;
 import at.gv.egovernment.moa.id.moduls.AuthenticationManager;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.ArtifactBinding;
@@ -44,13 +24,10 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
-import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoAuthContextException;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSupported;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.UnprovideableAttributeException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
 import at.gv.egovernment.moa.logging.Logger;
@@ -63,222 +40,20 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { public void process(MOARequest obj, HttpServletRequest req, HttpServletResponse resp) throws MOAIDException { if (!handleObject(obj)) { - throw new MOAIDException("INVALID HANDLER SELECETED", null); + throw new MOAIDException("pvp2.13", null); } AuthnRequest authnRequest = (AuthnRequest) obj.getSamlRequest(); - - RequestedAuthnContext reqAuthnContext = authnRequest - .getRequestedAuthnContext(); - - if (reqAuthnContext == null) { - throw new NoAuthContextException("No Authn Context provided!", null); - } - - boolean stork_qaa_1_4_found = false; - - Iterator<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext - .getAuthnContextClassRefs().iterator(); - - while (reqAuthnContextClassRefIt.hasNext()) { - AuthnContextClassRef authnClassRef = reqAuthnContextClassRefIt - .next(); - String[] qaa_uris = authnClassRef.getAuthnContextClassRef().split( - "\\s+"); - for (int i = 0; i < qaa_uris.length; i++) { - if (qaa_uris[i].trim().equals(STORK_QAA_1_4)) { - stork_qaa_1_4_found = true; - break; - } - } - } - - if (!stork_qaa_1_4_found) { - throw new NoAuthContextException( - "QAA not available Only supported QAA: " + STORK_QAA_1_4, - null); - } + EntityDescriptor peerEntity = obj.getEntityMetadata(); + AuthenticationSession authSession = AuthenticationManager .getAuthenticationSession(req.getSession()); // authSession.getM - Assertion assertion = SAML2Utils.createSAMLObject(Assertion.class); - - reqAuthnContextClassRefIt = reqAuthnContext.getAuthnContextClassRefs() - .iterator(); - StringBuilder authContextsb = new StringBuilder(); - while (reqAuthnContextClassRefIt.hasNext()) { - AuthnContextClassRef authnClassRef = reqAuthnContextClassRefIt - .next(); - String[] qaa_uris = authnClassRef.getAuthnContextClassRef().split( - "\\s+"); - for (int i = 0; i < qaa_uris.length; i++) { - if (qaa_uris[i].trim().equals(STORK_QAA_1_4) - || 
qaa_uris[i].trim().equals(STORK_QAA_1_3) - || qaa_uris[i].trim().equals(STORK_QAA_1_2) - || qaa_uris[i].trim().equals(STORK_QAA_1_1)) { - authContextsb.append(qaa_uris[i].trim()); - authContextsb.append(" "); - } - } - - } - AuthnContextClassRef authnContextClassRef = SAML2Utils - .createSAMLObject(AuthnContextClassRef.class); - authnContextClassRef.setAuthnContextClassRef(authContextsb.toString()); - AuthnContext authnContext = SAML2Utils - .createSAMLObject(AuthnContext.class); - authnContext.setAuthnContextClassRef(authnContextClassRef); - - AuthnStatement authnStatement = SAML2Utils - .createSAMLObject(AuthnStatement.class); - String remoteSessionID = SAML2Utils.getSecureIdentifier(); - authnStatement.setAuthnInstant(new DateTime()); - // currently dummy id ... - authnStatement.setSessionIndex(remoteSessionID); - authnStatement.setAuthnContext(authnContext); - - assertion.getAuthnStatements().add(authnStatement); - EntityDescriptor peerEntity = obj.getEntityMetadata(); - SPSSODescriptor spSSODescriptor = peerEntity - .getSPSSODescriptor(SAMLConstants.SAML20P_NS); - - Integer aIdx = authnRequest.getAttributeConsumingServiceIndex(); - int idx = 0; - - if (aIdx != null) { - idx = aIdx.intValue(); - } - - AttributeConsumingService attributeConsumingService = spSSODescriptor - .getAttributeConsumingServices().get(idx); - - AttributeStatement attributeStatement = SAML2Utils - .createSAMLObject(AttributeStatement.class); - - Subject subject = SAML2Utils.createSAMLObject(Subject.class); - NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class); - boolean foundFormat = false; - Iterator<NameIDFormat> formatIt = spSSODescriptor.getNameIDFormats() - .iterator(); - while (formatIt.hasNext()) { - if (formatIt.next().getFormat().equals(NameID.PERSISTENT)) { - foundFormat = true; - break; - } - } - if (!foundFormat) { - // TODO use correct exception - throw new SAMLRequestNotSupported(NameID.PERSISTENT - + " not supported by SP", null); - } - - //TODO: Check if we 
need to hide source pin - /*if(authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); - if(authSession.getBusinessService()) { - // Hide Source PIN! - ParepUtils.HideStammZahlen(mandate, true, null, authSession.getDomainIdentifier(), true); - } else { - ParepUtils.HideStammZahlen(mandate, false, authSession.getTarget(), null, true); - } - }*/ + Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authSession, peerEntity); -/* if (authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); - - Document document = mandate.getOwnerDocument(); - DOMImplementationLS domImplLS = (DOMImplementationLS) document - .getImplementation(); - LSSerializer serializer = domImplLS.createLSSerializer(); - String str = serializer.writeToString(mandate); - Logger.info("Full Mandate: " + str); - //TODO: extract attributes for mandates - Logger.info("Assertion Authdata getAssertionID: " + authSession.getAssertionAuthData().getAssertionID()); - Logger.info("Assertion Authdata getBkuURL: " + authSession.getAssertionAuthData().getBkuURL()); - Logger.info("Assertion Authdata getBPK: " + authSession.getAssertionAuthData().getBPK()); - Logger.info("Assertion Authdata getDateOfBirth: " + authSession.getAssertionAuthData().getDateOfBirth()); - Logger.info("Assertion Authdata getFamilyName: " + authSession.getAssertionAuthData().getFamilyName()); - Logger.info("Assertion Authdata getGivenName: " + authSession.getAssertionAuthData().getGivenName()); - Logger.info("Assertion Authdata getIdentificationType: " + authSession.getAssertionAuthData().getIdentificationType()); - Logger.info("Assertion Authdata getIdentificationValue: " + authSession.getAssertionAuthData().getIdentificationValue()); - Logger.info("Assertion Authdata getWBPK: " + authSession.getAssertionAuthData().getWBPK()); - Logger.info("Assertion getMandateData: " + authSession.getMandateData()); - Logger.info("Assertion getMandateReferenceValue: " + 
authSession.getMandateReferenceValue()); - } else { -*/ - Iterator<RequestedAttribute> it = attributeConsumingService - .getRequestAttributes().iterator(); - while (it.hasNext()) { - RequestedAttribute reqAttribut = it.next(); - try { - Attribute attr = PVPAttributeBuilder.buildAttribute( - reqAttribut.getName(), authSession); - if (attr == null) { - if (reqAttribut.isRequired()) { - throw new UnprovideableAttributeException( - reqAttribut.getName()); - } - } else { - attributeStatement.getAttributes().add(attr); - } - } catch(PVP2Exception e) { - Logger.error("Attribute generation failed! for " + reqAttribut.getFriendlyName(), e); - } - } - - if (attributeStatement.getAttributes().size() > 0) { - assertion.getAttributeStatements().add(attributeStatement); - } - - subjectNameID.setFormat(NameID.PERSISTENT); - subjectNameID.setNameQualifier(authSession.getAssertionAuthData() - .getIdentificationType()); - subjectNameID.setValue(authSession.getAssertionAuthData() - .getIdentificationValue()); -// } - - subject.setNameID(subjectNameID); - - SubjectConfirmation subjectConfirmation = SAML2Utils - .createSAMLObject(SubjectConfirmation.class); - subjectConfirmation.setMethod(SubjectConfirmation.METHOD_BEARER); - SubjectConfirmationData subjectConfirmationData = SAML2Utils - .createSAMLObject(SubjectConfirmationData.class); - subjectConfirmationData.setInResponseTo(authnRequest.getID()); - subjectConfirmationData.setNotOnOrAfter(new DateTime().plusMinutes(20)); - subjectConfirmationData.setRecipient(peerEntity.getEntityID()); - - subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData); - - subject.getSubjectConfirmations().add(subjectConfirmation); - - Conditions conditions = SAML2Utils.createSAMLObject(Conditions.class); - AudienceRestriction audienceRestriction = SAML2Utils - .createSAMLObject(AudienceRestriction.class); - Audience audience = SAML2Utils.createSAMLObject(Audience.class); - - audience.setAudienceURI(peerEntity.getEntityID()); - 
audienceRestriction.getAudiences().add(audience); - conditions.setNotBefore(new DateTime()); - conditions.setNotOnOrAfter(new DateTime().plusMinutes(20)); - conditions.getAudienceRestrictions().add(audienceRestriction); - - assertion.setConditions(conditions); - - // assertion.getAttributeStatements().add(CitizenTokenBuilder.buildCitizenToken(obj, - // authSession)); - - Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); - issuer.setValue(PVPConfiguration.getInstance().getIDPIssuerName()); - issuer.setFormat(NameID.ENTITY); - assertion.setIssuer(issuer); - assertion.setSubject(subject); - assertion.setID(SAML2Utils.getSecureIdentifier()); - assertion.setIssueInstant(new DateTime()); - Response authResponse = SAML2Utils.createSAMLObject(Response.class); Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); @@ -289,19 +64,21 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { authResponse.getAssertions().add(assertion); authResponse.setStatus(SAML2Utils.getSuccessStatus()); - aIdx = authnRequest.getAssertionConsumerServiceIndex(); - idx = 0; + Integer aIdx = authnRequest.getAssertionConsumerServiceIndex(); + int idx = 0; if (aIdx != null) { idx = aIdx.intValue(); } + + SPSSODescriptor spSSODescriptor = peerEntity + .getSPSSODescriptor(SAMLConstants.SAML20P_NS); AssertionConsumerService consumerService = spSSODescriptor .getAssertionConsumerServices().get(idx); if (consumerService == null) { - throw new InvalidAssertionConsumerServiceException("IDX " + idx - + " is not a valid consumer service index!", null); + throw new InvalidAssertionConsumerServiceException(idx); } String oaURL = consumerService.getLocation(); 
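Review bot: After this hunk, `process` no longer checks the requested AuthnContext (the `STORK_QAA_1_4` test that threw `NoAuthContextException`) nor that the SP metadata lists `NameID.PERSISTENT` before an assertion is built; both checks were deleted here and presumably now live in `PVP2AssertionBuilder.buildAssertion`, but that is not visible in this file and should be confirmed, since a request failing either check would otherwise still be answered with a success Response. The context line `// authSession.getM` is a leftover fragment and should be removed or completed. `authSession` is handed to the builder with no null check; if `AuthenticationManager.getAuthenticationSession(req.getSession())` can return null for a request without an established session, a guard that fails with a MOAIDException before the builder runs would give a clearer error than an NPE inside the builder. `process` continues past the end of this hunk.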
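Review bot: The `consumerService == null` check after `spSSODescriptor.getAssertionConsumerServices().get(idx)` cannot catch a bad index, because `List.get` throws `IndexOutOfBoundsException` for an out-of-range value rather than returning null, and `idx` comes straight from the peer's AuthnRequest via the newly declared `aIdx`. Validate before the lookup, e.g. `if (idx < 0 || idx >= spSSODescriptor.getAssertionConsumerServices().size()) { throw new InvalidAssertionConsumerServiceException(idx); }`, so the requester receives the intended SAML error instead of an unhandled runtime exception. The added `peerEntity.getSPSSODescriptor(SAMLConstants.SAML20P_NS)` may likewise return null when the SP metadata carries no SAML 2.0 SP role, and a null check there would fail more clearly than the NPE on the following line. `process` starts and ends outside this hunk.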
@@ -320,18 +97,18 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { } if (binding == null) { - throw new InvalidAssertionConsumerServiceException("Binding " - + consumerService.getBinding() + " is not supported", null); + throw new BindingNotSupportedException(consumerService.getBinding()); } try { binding.encodeRespone(req, resp, authResponse, oaURL); // TODO add remoteSessionID to AuthSession ExternalPVPSessionStore } catch (MessageEncodingException e) { - e.printStackTrace(); + Logger.error("Message Encoding exception", e); + throw new MOAIDException("pvp2.01", null, e); } catch (SecurityException e) { - // TODO Auto-generated catch block - e.printStackTrace(); + Logger.error("Security exception", e); + throw new MOAIDException("pvp2.01", null, e); } } } |
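Review bot: The `// TODO add remoteSessionID to AuthSession ExternalPVPSessionStore` comment in the try block is stale after this commit: the `remoteSessionID` local it refers to was removed from `process` together with the inline AuthnStatement construction, and the session index is now produced inside `PVP2AssertionBuilder.buildAssertion`, so the TODO should be moved to the builder or reworded to name where the session index now comes from. The two new catch blocks are identical apart from the log text; if the project targets Java 7 or later they collapse into `catch (MessageEncodingException | SecurityException e)`, and because `e` is wrapped into the rethrown MOAIDException, the `Logger.error` calls likely log the same failure a second time wherever MOAIDException is handled upstream. Both failures also map to the same key `pvp2.01`, so a caller cannot tell an encoding fault from a signing/security fault except through the log. `process` starts outside this hunk.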