Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java285
1 files changed, 179 insertions, 106 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
index 4f778f27b..194138235 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java
@@ -32,9 +32,11 @@ import org.opensaml.saml2.metadata.RequestedAttribute;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.xml.security.SecurityException;
+import org.w3c.dom.Element;
import at.gv.egovernment.moa.id.MOAIDException;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils;
import at.gv.egovernment.moa.id.moduls.AuthenticationManager;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.ArtifactBinding;
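Review bot: The added `import org.w3c.dom.Element;` is only referenced inside the commented-out mandate block later in this file, so on the new side it is an unused import; the same applies to `import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils;` added in the next hunk. Either drop both until that code is live, or keep them out of the diff until the mandate handling is actually wired in, so the import list reflects what the class uses.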
@@ -46,9 +48,11 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoAuthContextException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSupported;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.UnprovideableAttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+import at.gv.egovernment.moa.logging.Logger;
public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
@@ -58,151 +62,215 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
public void process(MOARequest obj, HttpServletRequest req,
HttpServletResponse resp) throws MOAIDException {
- if(!handleObject(obj)) {
+ if (!handleObject(obj)) {
throw new MOAIDException("INVALID HANDLER SELECETED", null);
}
-
- AuthnRequest authnRequest = (AuthnRequest)obj.getSamlRequest();
-
- RequestedAuthnContext reqAuthnContext = authnRequest.getRequestedAuthnContext();
-
- if(reqAuthnContext == null) {
+
+ AuthnRequest authnRequest = (AuthnRequest) obj.getSamlRequest();
+
+ RequestedAuthnContext reqAuthnContext = authnRequest
+ .getRequestedAuthnContext();
+
+ if (reqAuthnContext == null) {
throw new NoAuthContextException("No Authn Context provided!", null);
}
-
+
boolean stork_qaa_1_4_found = false;
-
- Iterator<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext.getAuthnContextClassRefs().iterator();
-
- while(reqAuthnContextClassRefIt.hasNext()) {
- AuthnContextClassRef authnClassRef = reqAuthnContextClassRefIt.next();
- String[] qaa_uris = authnClassRef.getAuthnContextClassRef().split("\\s+");
- for(int i = 0; i < qaa_uris.length; i++) {
- if(qaa_uris[i].trim().equals(STORK_QAA_1_4)) {
+
+ Iterator<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext
+ .getAuthnContextClassRefs().iterator();
+
+ while (reqAuthnContextClassRefIt.hasNext()) {
+ AuthnContextClassRef authnClassRef = reqAuthnContextClassRefIt
+ .next();
+ String[] qaa_uris = authnClassRef.getAuthnContextClassRef().split(
+ "\\s+");
+ for (int i = 0; i < qaa_uris.length; i++) {
+ if (qaa_uris[i].trim().equals(STORK_QAA_1_4)) {
stork_qaa_1_4_found = true;
break;
}
}
}
-
- if(!stork_qaa_1_4_found) {
- throw new NoAuthContextException("QAA not available Only supported QAA: " + STORK_QAA_1_4, null);
+
+ if (!stork_qaa_1_4_found) {
+ throw new NoAuthContextException(
+ "QAA not available Only supported QAA: " + STORK_QAA_1_4,
+ null);
}
-
- AuthenticationSession authSession =
- AuthenticationManager.getAuthenticationSession(req.getSession());
-
- //authSession.getM
-
+
+ AuthenticationSession authSession = AuthenticationManager
+ .getAuthenticationSession(req.getSession());
+
+ // authSession.getM
+
Assertion assertion = SAML2Utils.createSAMLObject(Assertion.class);
- reqAuthnContextClassRefIt = reqAuthnContext.getAuthnContextClassRefs().iterator();
+ reqAuthnContextClassRefIt = reqAuthnContext.getAuthnContextClassRefs()
+ .iterator();
StringBuilder authContextsb = new StringBuilder();
- while(reqAuthnContextClassRefIt.hasNext()) {
- AuthnContextClassRef authnClassRef = reqAuthnContextClassRefIt.next();
- String[] qaa_uris = authnClassRef.getAuthnContextClassRef().split("\\s+");
- for(int i = 0; i < qaa_uris.length; i++) {
- if(qaa_uris[i].trim().equals(STORK_QAA_1_4) ||
- qaa_uris[i].trim().equals(STORK_QAA_1_3)||
- qaa_uris[i].trim().equals(STORK_QAA_1_2)||
- qaa_uris[i].trim().equals(STORK_QAA_1_1)) {
+ while (reqAuthnContextClassRefIt.hasNext()) {
+ AuthnContextClassRef authnClassRef = reqAuthnContextClassRefIt
+ .next();
+ String[] qaa_uris = authnClassRef.getAuthnContextClassRef().split(
+ "\\s+");
+ for (int i = 0; i < qaa_uris.length; i++) {
+ if (qaa_uris[i].trim().equals(STORK_QAA_1_4)
+ || qaa_uris[i].trim().equals(STORK_QAA_1_3)
+ || qaa_uris[i].trim().equals(STORK_QAA_1_2)
+ || qaa_uris[i].trim().equals(STORK_QAA_1_1)) {
authContextsb.append(qaa_uris[i].trim());
authContextsb.append(" ");
}
}
}
- AuthnContextClassRef authnContextClassRef = SAML2Utils.createSAMLObject(AuthnContextClassRef.class);
+ AuthnContextClassRef authnContextClassRef = SAML2Utils
+ .createSAMLObject(AuthnContextClassRef.class);
authnContextClassRef.setAuthnContextClassRef(authContextsb.toString());
- AuthnContext authnContext = SAML2Utils.createSAMLObject(AuthnContext.class);
+ AuthnContext authnContext = SAML2Utils
+ .createSAMLObject(AuthnContext.class);
authnContext.setAuthnContextClassRef(authnContextClassRef);
-
- AuthnStatement authnStatement = SAML2Utils.createSAMLObject(AuthnStatement.class);
+
+ AuthnStatement authnStatement = SAML2Utils
+ .createSAMLObject(AuthnStatement.class);
String remoteSessionID = SAML2Utils.getSecureIdentifier();
authnStatement.setAuthnInstant(new DateTime());
// currently dummy id ...
authnStatement.setSessionIndex(remoteSessionID);
authnStatement.setAuthnContext(authnContext);
-
+
assertion.getAuthnStatements().add(authnStatement);
EntityDescriptor peerEntity = obj.getEntityMetadata();
- SPSSODescriptor spSSODescriptor = peerEntity.
- getSPSSODescriptor(SAMLConstants.SAML20P_NS);
-
+ SPSSODescriptor spSSODescriptor = peerEntity
+ .getSPSSODescriptor(SAMLConstants.SAML20P_NS);
+
Integer aIdx = authnRequest.getAttributeConsumingServiceIndex();
int idx = 0;
-
- if(aIdx != null) {
+
+ if (aIdx != null) {
idx = aIdx.intValue();
}
-
- AttributeConsumingService attributeConsumingService =
- spSSODescriptor.getAttributeConsumingServices().get(idx);
-
- AttributeStatement attributeStatement = SAML2Utils.createSAMLObject(AttributeStatement.class);
-
- Iterator<RequestedAttribute> it = attributeConsumingService.getRequestAttributes().iterator();
- while(it.hasNext()) {
- RequestedAttribute reqAttribut = it.next();
- Attribute attr = PVPAttributeBuilder.buildAttribute(reqAttribut.getName(), authSession);
- if(attr == null) {
- if(reqAttribut.isRequired()) {
- throw new UnprovideableAttributeException(reqAttribut.getName());
- }
- } else {
- attributeStatement.getAttributes().add(attr);
- }
- }
-
- if(attributeStatement.getAttributes().size() > 0) {
- assertion.getAttributeStatements().add(attributeStatement);
- }
+
+ AttributeConsumingService attributeConsumingService = spSSODescriptor
+ .getAttributeConsumingServices().get(idx);
+
+ AttributeStatement attributeStatement = SAML2Utils
+ .createSAMLObject(AttributeStatement.class);
Subject subject = SAML2Utils.createSAMLObject(Subject.class);
NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class);
boolean foundFormat = false;
- Iterator<NameIDFormat> formatIt = spSSODescriptor.getNameIDFormats().iterator();
- while(formatIt.hasNext()) {
- if(formatIt.next().getFormat().equals(NameID.PERSISTENT)) {
+ Iterator<NameIDFormat> formatIt = spSSODescriptor.getNameIDFormats()
+ .iterator();
+ while (formatIt.hasNext()) {
+ if (formatIt.next().getFormat().equals(NameID.PERSISTENT)) {
foundFormat = true;
break;
}
}
- if(!foundFormat) {
+ if (!foundFormat) {
// TODO use correct exception
- throw new SAMLRequestNotSupported(NameID.PERSISTENT + " not supported by SP", null);
+ throw new SAMLRequestNotSupported(NameID.PERSISTENT
+ + " not supported by SP", null);
}
- subjectNameID.setFormat(NameID.PERSISTENT);
- subjectNameID.setNameQualifier(authSession.getIdentityLink().getIdentificationType());
- subjectNameID.setValue(authSession.getAuthData().getIdentificationValue());
+
+ //TODO: Check if we need to hide source pin
+ /*if(authSession.getUseMandate()) {
+ Element mandate = authSession.getMandate();
+ if(authSession.getBusinessService()) {
+ // Hide Source PIN!
+ ParepUtils.HideStammZahlen(mandate, true, null, authSession.getDomainIdentifier(), true);
+ } else {
+ ParepUtils.HideStammZahlen(mandate, false, authSession.getTarget(), null, true);
+ }
+ }*/
+
+/* if (authSession.getUseMandate()) {
+ Element mandate = authSession.getMandate();
+
+ Document document = mandate.getOwnerDocument();
+ DOMImplementationLS domImplLS = (DOMImplementationLS) document
+ .getImplementation();
+ LSSerializer serializer = domImplLS.createLSSerializer();
+ String str = serializer.writeToString(mandate);
+ Logger.info("Full Mandate: " + str);
+ //TODO: extract attributes for mandates
+ Logger.info("Assertion Authdata getAssertionID: " + authSession.getAssertionAuthData().getAssertionID());
+ Logger.info("Assertion Authdata getBkuURL: " + authSession.getAssertionAuthData().getBkuURL());
+ Logger.info("Assertion Authdata getBPK: " + authSession.getAssertionAuthData().getBPK());
+ Logger.info("Assertion Authdata getDateOfBirth: " + authSession.getAssertionAuthData().getDateOfBirth());
+ Logger.info("Assertion Authdata getFamilyName: " + authSession.getAssertionAuthData().getFamilyName());
+ Logger.info("Assertion Authdata getGivenName: " + authSession.getAssertionAuthData().getGivenName());
+ Logger.info("Assertion Authdata getIdentificationType: " + authSession.getAssertionAuthData().getIdentificationType());
+ Logger.info("Assertion Authdata getIdentificationValue: " + authSession.getAssertionAuthData().getIdentificationValue());
+ Logger.info("Assertion Authdata getWBPK: " + authSession.getAssertionAuthData().getWBPK());
+ Logger.info("Assertion getMandateData: " + authSession.getMandateData());
+ Logger.info("Assertion getMandateReferenceValue: " + authSession.getMandateReferenceValue());
+ } else {
+*/
+ Iterator<RequestedAttribute> it = attributeConsumingService
+ .getRequestAttributes().iterator();
+ while (it.hasNext()) {
+ RequestedAttribute reqAttribut = it.next();
+ try {
+ Attribute attr = PVPAttributeBuilder.buildAttribute(
+ reqAttribut.getName(), authSession);
+ if (attr == null) {
+ if (reqAttribut.isRequired()) {
+ throw new UnprovideableAttributeException(
+ reqAttribut.getName());
+ }
+ } else {
+ attributeStatement.getAttributes().add(attr);
+ }
+ } catch(PVP2Exception e) {
+ Logger.error("Attribute generation failed! for " + reqAttribut.getFriendlyName(), e);
+ }
+ }
+
+ if (attributeStatement.getAttributes().size() > 0) {
+ assertion.getAttributeStatements().add(attributeStatement);
+ }
+
+ subjectNameID.setFormat(NameID.PERSISTENT);
+ subjectNameID.setNameQualifier(authSession.getAssertionAuthData()
+ .getIdentificationType());
+ subjectNameID.setValue(authSession.getAssertionAuthData()
+ .getIdentificationValue());
+// }
+
subject.setNameID(subjectNameID);
-
- SubjectConfirmation subjectConfirmation = SAML2Utils.createSAMLObject(SubjectConfirmation.class);
+
+ SubjectConfirmation subjectConfirmation = SAML2Utils
+ .createSAMLObject(SubjectConfirmation.class);
subjectConfirmation.setMethod(SubjectConfirmation.METHOD_BEARER);
- SubjectConfirmationData subjectConfirmationData =
- SAML2Utils.createSAMLObject(SubjectConfirmationData.class);
+ SubjectConfirmationData subjectConfirmationData = SAML2Utils
+ .createSAMLObject(SubjectConfirmationData.class);
subjectConfirmationData.setInResponseTo(authnRequest.getID());
subjectConfirmationData.setNotOnOrAfter(new DateTime().plusMinutes(20));
subjectConfirmationData.setRecipient(peerEntity.getEntityID());
-
+
subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData);
-
+
subject.getSubjectConfirmations().add(subjectConfirmation);
-
+
Conditions conditions = SAML2Utils.createSAMLObject(Conditions.class);
- AudienceRestriction audienceRestriction = SAML2Utils.createSAMLObject(AudienceRestriction.class);
+ AudienceRestriction audienceRestriction = SAML2Utils
+ .createSAMLObject(AudienceRestriction.class);
Audience audience = SAML2Utils.createSAMLObject(Audience.class);
-
+
audience.setAudienceURI(peerEntity.getEntityID());
audienceRestriction.getAudiences().add(audience);
conditions.setNotBefore(new DateTime());
conditions.setNotOnOrAfter(new DateTime().plusMinutes(20));
conditions.getAudienceRestrictions().add(audienceRestriction);
-
+
assertion.setConditions(conditions);
-
- //assertion.getAttributeStatements().add(CitizenTokenBuilder.buildCitizenToken(obj, authSession));
-
+
+ // assertion.getAttributeStatements().add(CitizenTokenBuilder.buildCitizenToken(obj,
+ // authSession));
+
Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
issuer.setValue(PVPConfiguration.getInstance().getIDPIssuerName());
issuer.setFormat(NameID.ENTITY);
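Review bot: The new `try`/`catch (PVP2Exception e)` around the `RequestedAttribute` loop logs and skips a failing `PVPAttributeBuilder.buildAttribute` call even when `reqAttribut.isRequired()` is true, so the assertion is still issued without a required attribute, and if `UnprovideableAttributeException` itself extends `PVP2Exception` the `throw` inside the `try` is swallowed by the same catch and the required-attribute check never aborts the response. Keep the catch for optional attributes only, e.g. add `if (reqAttribut.isRequired()) { throw e; }` at the top of the catch (wrapping in the exception type `process` declares if `PVP2Exception` is not one), and confirm the exception hierarchy. Separately, `getAttributeConsumingServices().get(idx)` takes `idx` from the request and throws `IndexOutOfBoundsException` instead of a `MOAIDException` when it is out of range; a bounds check against the list size before the `get` would give the SP a clean error. The commented-out mandate block would, if re-enabled as written, log the full mandate plus bPK, date-of-birth and identification values at info level, so it is safer to remove it than to leave it for someone to uncomment. `process` continues past the end of this hunk.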
@@ -210,9 +278,9 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
assertion.setSubject(subject);
assertion.setID(SAML2Utils.getSecureIdentifier());
assertion.setIssueInstant(new DateTime());
-
+
Response authResponse = SAML2Utils.createSAMLObject(Response.class);
-
+
Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);
nissuer.setValue(PVPConfiguration.getInstance().getIDPIssuerName());
nissuer.setFormat(NameID.ENTITY);
@@ -220,37 +288,42 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants {
authResponse.setInResponseTo(authnRequest.getID());
authResponse.getAssertions().add(assertion);
authResponse.setStatus(SAML2Utils.getSuccessStatus());
-
+
aIdx = authnRequest.getAssertionConsumerServiceIndex();
idx = 0;
-
- if(aIdx != null) {
+
+ if (aIdx != null) {
idx = aIdx.intValue();
}
-
- AssertionConsumerService consumerService = spSSODescriptor.
- getAssertionConsumerServices().get(idx);
-
- if(consumerService == null) {
- throw new InvalidAssertionConsumerServiceException("IDX " + idx + " is not a valid consumer service index!", null);
+
+ AssertionConsumerService consumerService = spSSODescriptor
+ .getAssertionConsumerServices().get(idx);
+
+ if (consumerService == null) {
+ throw new InvalidAssertionConsumerServiceException("IDX " + idx
+ + " is not a valid consumer service index!", null);
}
String oaURL = consumerService.getLocation();
-
+
IEncoder binding = null;
-
- if(consumerService.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
+
+ if (consumerService.getBinding().equals(
+ SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
binding = new RedirectBinding();
- } else if(consumerService.getBinding().equals(SAMLConstants.SAML2_ARTIFACT_BINDING_URI)) {
+ } else if (consumerService.getBinding().equals(
+ SAMLConstants.SAML2_ARTIFACT_BINDING_URI)) {
// TODO: not supported YET!!
binding = new ArtifactBinding();
- } else if(consumerService.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) {
+ } else if (consumerService.getBinding().equals(
+ SAMLConstants.SAML2_POST_BINDING_URI)) {
binding = new PostBinding();
}
- if(binding == null) {
- throw new InvalidAssertionConsumerServiceException("Binding " + consumerService.getBinding() + " is not supported", null);
+ if (binding == null) {
+ throw new InvalidAssertionConsumerServiceException("Binding "
+ + consumerService.getBinding() + " is not supported", null);
}
-
+
try {
binding.encodeRespone(req, resp, authResponse, oaURL);
// TODO add remoteSessionID to AuthSession ExternalPVPSessionStore