Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x')
16 files changed, 516 insertions, 395 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index fbbc4b817..5440e7138 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -65,7 +65,7 @@ import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IModulInfo; @@ -102,7 +102,7 @@ import at.gv.egovernment.moa.id.util.VelocityLogAdapter; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; -public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { +public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo { public static final String NAME = PVP2XProtocol.class.getName(); public static final String PATH = "id_pvp2x"; @@ -200,7 +200,7 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { HttpServletResponse response, String action) throws MOAIDException { - if (!AuthConfigurationProvider.getInstance().getAllowedProtocols().isPVP21Active()) { + if (!AuthConfigurationProviderFactory.getInstance().getAllowedProtocols().isPVP21Active()) { Logger.info("PVP2.1 is deaktivated!"); throw new ProtocolNotActiveException("auth.22", new java.lang.Object[] { NAME }); 
@@ -473,7 +473,7 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { String oaURL = metadata.getEntityID(); oaURL = StringEscapeUtils.escapeHtml(oaURL); - OAAuthParameter oa = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oaURL); + OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(oaURL); Logger.info("Dispatch PVP2 SingleLogOut: OAURL=" + oaURL + " Binding=" + msg.getRequestBinding()); @@ -540,7 +540,7 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12"); - OAAuthParameter oa = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moaRequest.getEntityID()); + OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(moaRequest.getEntityID()); if (!oa.isInderfederationIDP()) { Logger.warn("AttributeQuery requests are only allowed for interfederation IDPs."); throw new AttributQueryException("AttributeQuery requests are only allowed for interfederation IDPs.", null); @@ -647,7 +647,7 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { String oaURL = moaRequest.getEntityMetadata().getEntityID(); oaURL = StringEscapeUtils.escapeHtml(oaURL); - OAAuthParameter oa = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oaURL); + OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(oaURL); Logger.info("Dispatch PVP2 AuthnRequest: OAURL=" + oaURL + " Binding=" + consumerService.getBinding()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java index 65da23565..74b20356e 100644 
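Review bot: In the `@@ -540` hunk the `oa` obtained from `getOnlineApplicationParameter(moaRequest.getEntityID())` is dereferenced on the very next line (`oa.isInderfederationIDP()`) without a null check, and this lookup is now reached with an entity ID that PostBinding, in this same commit, fills from the message's unverified Issuer even when no metadata exists for it. An AttributeQuery from an unregistered issuer therefore ends in a NullPointerException instead of a controlled protocol error, while PVPConfiguration in this commit guards the identical lookup with `if (oaParam == null)`. A guard such as `if (oa == null) throw new AttributQueryException("No online application configured for entityID " + moaRequest.getEntityID(), null);` before the `isInderfederationIDP()` call keeps the failure explicit and logged like the existing branch. The enclosing method starts and ends outside this hunk.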
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java @@ -34,7 +34,7 @@ import org.opensaml.saml2.metadata.RequestedAttribute; import org.opensaml.saml2.metadata.SPSSODescriptor; import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; @@ -88,7 +88,7 @@ public class PVPTargetConfiguration extends RequestImpl { reqAttr.put(el, ""); try { - OAAuthParameter oa = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(getOAURL()); + OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(getOAURL()); SPSSODescriptor spSSODescriptor = getRequest().getEntityMetadata().getSPSSODescriptor(SAMLConstants.SAML20P_NS); if (spSSODescriptor.getAttributeConsumingServices() != null && diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java index aa154b84b..b567798fa 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java 
@@ -60,6 +60,7 @@ import org.opensaml.xml.XMLObject; import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.x509.X509Credential; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; @@ -69,7 +70,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.session.AssertionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationContainer; import at.gv.egovernment.moa.id.data.SLOInformationImpl; 
@@ -258,23 +259,23 @@ public class SingleLogOutAction implements IAction { } else { //print SLO information directly - redirectURL = AuthConfigurationProvider.getInstance().getPublicURLPrefix() + "/idpSingleLogout"; + redirectURL = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix() + "/idpSingleLogout"; String artifact = Random.nextRandom(); String statusCode = null; if (sloContainer.getSloFailedOAs() == null || sloContainer.getSloFailedOAs().size() == 0) - statusCode = SLOSTATUS_SUCCESS; + statusCode = MOAIDAuthConstants.SLOSTATUS_SUCCESS; else - statusCode = SLOSTATUS_ERROR; + statusCode = MOAIDAuthConstants.SLOSTATUS_ERROR; AssertionStorage.getInstance().put(artifact, statusCode); - redirectURL = addURLParameter(redirectURL, PARAM_SLOSTATUS, artifact); + redirectURL = addURLParameter(redirectURL, MOAIDAuthConstants.PARAM_SLOSTATUS, artifact); } //redirect to Redirect Servlet - String url = AuthConfigurationProvider.getInstance().getPublicURLPrefix() + "/RedirectServlet"; + String url = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix() + "/RedirectServlet"; url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(redirectURL, "UTF-8")); url = httpResp.encodeRedirectURL(url); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 1a268c812..5402e3dce 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java 
@@ -62,6 +62,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; public class PostBinding implements IDecoder, IEncoder { @@ -170,10 +171,12 @@ public class PostBinding implements IDecoder, IEncoder { RequestAbstractType inboundMessage = (RequestAbstractType) messageContext .getInboundMessage(); msg = new MOARequest(inboundMessage, getSAML2BindingName()); + msg.setEntityID(inboundMessage.getIssuer().getValue()); } else if (messageContext.getInboundMessage() instanceof StatusResponseType){ - StatusResponseType inboundMessage = (StatusResponseType) messageContext.getInboundMessage(); + StatusResponseType inboundMessage = (StatusResponseType) messageContext.getInboundMessage(); msg = new MOAResponse(inboundMessage); + msg.setEntityID(inboundMessage.getIssuer().getValue()); } else //create empty container if request type is unknown @@ -182,8 +185,10 @@ public class PostBinding implements IDecoder, IEncoder { if (messageContext.getPeerEntityMetadata() != null) msg.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); - else - Logger.info("No Metadata found for OA with EntityID " + messageContext.getInboundMessageIssuer()); + else { + if (MiscUtil.isEmpty(msg.getEntityID())) + Logger.info("No Metadata found for OA with EntityID " + messageContext.getInboundMessageIssuer()); + } msg.setVerified(false); msg.setRelayState(messageContext.getRelayState()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 587d8e935..81863f48f 100644 
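Review bot: The two added `msg.setEntityID(inboundMessage.getIssuer().getValue())` calls in the `@@ -170` hunk dereference `getIssuer()` without a null check; the Issuer element is optional on SAML 2.0 requests and responses, so a message without one now fails with a NullPointerException inside the decoder rather than with a validation error. The value is also copied before any verification has happened (`msg.setVerified(false)` follows a few lines later), so at this point the entity ID is an unauthenticated claim from the sender, and the `@@ -182` hunk then suppresses the "No Metadata found" info log whenever that claimed ID is non-empty — a message from an unregistered issuer leaves no trace and carries its self-asserted ID downstream. Guard the dereference, e.g. `if (inboundMessage.getIssuer() != null) msg.setEntityID(inboundMessage.getIssuer().getValue());`, keep the info log unconditional in the else branch, and add a comment on the `setEntityID` calls stating that an Issuer-derived entity ID is only trustworthy once signature verification against that entity's metadata has succeeded. The enclosing decode method starts and ends outside these hunks.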
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -33,7 +33,6 @@ import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder; import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule; import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule; import org.opensaml.saml2.core.RequestAbstractType; -import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; @@ -48,7 +47,6 @@ import org.opensaml.ws.transport.http.HttpServletRequestAdapter; import org.opensaml.ws.transport.http.HttpServletResponseAdapter; import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.security.SecurityException; -import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.x509.X509Credential; import at.gv.egovernment.moa.id.config.ConfigurationException; @@ -63,7 +61,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.MiscUtil; public class RedirectBinding implements IDecoder, IEncoder { 
@@ -173,11 +171,32 @@ public class RedirectBinding implements IDecoder, IEncoder { else messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); - decode.decode(messageContext); + try { + decode.decode(messageContext); - //check signature - signatureRule.evaluate(messageContext); + //check signature + signatureRule.evaluate(messageContext); + + } catch (SecurityException e) { + if (MiscUtil.isEmpty(messageContext.getInboundMessageIssuer())) { + throw e; + + } + Logger.debug("PVP2X message validation FAILED. Relead metadata for entityID: " + messageContext.getPeerEntityId()); + if (!MOAMetadataProvider.getInstance().refreshMetadataProvider(messageContext.getInboundMessageIssuer())) + throw e; + + else { + Logger.trace("PVP2X metadata reload finished. Check validate message again."); + decode.decode(messageContext); + //check signature + signatureRule.evaluate(messageContext); + + } + Logger.trace("Second PVP2X message validation finished"); + } + InboundMessage msg = null; if (messageContext.getInboundMessage() instanceof RequestAbstractType) { RequestAbstractType inboundMessage = (RequestAbstractType) messageContext diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java index 4ef09184d..4959df16c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java 
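Review bot: The new catch block lets any request whose signature check fails trigger `MOAMetadataProvider.getInstance().refreshMetadataProvider(messageContext.getInboundMessageIssuer())` for an issuer value that, at this point, is unverified input taken from the redirect query string. A sender can therefore force repeated metadata reloads for an arbitrary issuer string just by sending wrongly signed requests, which turns a signature failure into a metadata-fetch amplifier plus a second full `decode`/`evaluate` pass per request. Consider refreshing only when the issuer matches a configured online application and not more often than a minimum interval per entity, and keeping the plain `throw e` for everything else. The debug line logs `messageContext.getPeerEntityId()` while the refresh acts on `getInboundMessageIssuer()`; logging the value actually used (and fixing "Relead" to "Reload") makes the trace easier to correlate with the reload. The enclosing method starts and ends outside this hunk.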
@@ -52,7 +52,7 @@ import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory; import org.opensaml.xml.security.x509.X509Credential; import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionEncryptionException; @@ -106,7 +106,7 @@ public class AuthResponseBuilder { } - boolean isEncryptionActive = AuthConfigurationProvider.getInstance().isPVP2AssertionEncryptionActive(); + boolean isEncryptionActive = AuthConfigurationProviderFactory.getInstance().isPVP2AssertionEncryptionActive(); if (encryptionCredentials != null && isEncryptionActive) { //encrypt SAML2 assertion diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index 1b2e64759..61bc51565 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java 
@@ -64,7 +64,7 @@ import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationImpl; @@ -153,7 +153,7 @@ public class PVP2AssertionBuilder implements PVPConstants { AuthnContextClassRef authnContextClassRef = SAML2Utils .createSAMLObject(AuthnContextClassRef.class); - OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() + OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance() .getOnlineApplicationParameter( peerEntity.getEntityID()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/IPVPAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/IPVPAttributeBuilder.java index 8adf5cad9..72775ec02 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/IPVPAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/IPVPAttributeBuilder.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; -interface IPVPAttributeBuilder extends PVPConstants, MOAIDAuthConstants, IAttributeBuilder { +interface IPVPAttributeBuilder extends PVPConstants, IAttributeBuilder { } 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java index d3a9ad3e7..de58c34a1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java @@ -24,11 +24,12 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.config; import iaik.x509.X509Certificate; -import java.io.File; +import java.io.IOException; import java.net.URL; import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.List; +import java.util.Map; import java.util.Properties; import java.util.jar.Attributes; import java.util.jar.Manifest; @@ -46,14 +47,14 @@ import org.opensaml.saml2.metadata.OrganizationURL; import org.opensaml.saml2.metadata.SurName; import org.opensaml.saml2.metadata.TelephoneNumber; -import at.gv.egovernment.moa.id.commons.db.dao.config.Contact; -import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; +import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.FileUtils; import at.gv.egovernment.moa.util.MiscUtil; 
@@ -90,31 +91,19 @@ public class PVPConfiguration { public static final String IDP_KEYALIASENCRYTPION = "sp.ks.assertion.encryption.alias"; public static final String IDP_KEY_PASSENCRYTPION = "sp.ks.assertion.encryption.keypassword"; - public static final String IDP_ISSUER_NAME = "idp.issuer.name"; - - public static final String METADATA_FILE = "md.dir"; - public static final String METADATA_EXTENSION = "md.ext"; - - public static final String IDP_ENTITY = "idp.entityid"; - public static final String IDP_ORG_NAME = "idp.org.name"; - public static final String IDP_ORG_DISPNAME = "idp.org.dispname"; - public static final String IDP_ORG_URL = "idp.org.url"; - - public static final String IDP_PUBLIC_URL = "idp.public.url"; - - public static final String IDP_TRUST_STORE = "idp.truststore"; - public static final String SP_TARGET_PREFIX = "sp.target."; - - public static final String IDP_CONTACT_PREFIX = "idp.contact"; - public static final String IDP_CONTACT_LIST = "idp.contact_list"; + public static final String IDP_ISSUER_NAME = "servicename"; + + public static final String IDP_ORG_NAME = "name.short"; + public static final String IDP_ORG_DISPNAME = "name.full"; + public static final String IDP_ORG_URL = "url"; - public static final String IDP_CONTACT_SURNAME = "surname"; + public static final String IDP_CONTACT_SURNAME = "familyname"; public static final String IDP_CONTACT_GIVENNAME = "givenname"; public static final String IDP_CONTACT_MAIL = "mail"; public static final String IDP_CONTACT_TYPE = "type"; public static final String IDP_CONTACT_COMPANY = "company"; - public static final String IDP_CONTACT_PHONE = "phone"; - + public static final String IDP_CONTACT_PHONE = "phone"; + private static String moaIDVersion = null; //PVP2 generalpvpconfigdb; 
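Review bot: The public constants in this hunk change meaning without any comment saying so: `IDP_ISSUER_NAME`, the `IDP_ORG_*` and the `IDP_CONTACT_*` values were complete property keys and are now suffixes that `getIDPContacts` and `getIDPOrganisation` later in this commit look up under the `MOAIDConfigurationConstants.GENERAL_PROTOCOLS_PVP2X_METADATA_CONTACT` and `..._ORG` prefixes, and `IDP_CONTACT_SURNAME` changes its value from "surname" to "familyname". Because the fields are public, any other code still reading the old keys gets a silent null rather than a compile error. A comment above the group such as `// Key suffixes below GENERAL_PROTOCOLS_PVP2X_METADATA_CONTACT / _ORG; values changed with the configuration rework` would document this, and the changed surname key deserves a line in the migration notes if old configurations may still be deployed.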
@@ -124,8 +113,11 @@ public class PVPConfiguration { private PVPConfiguration() { try { //generalpvpconfigdb = AuthConfigurationProvider.getInstance().getGeneralPVP2DBConfig(); - props = AuthConfigurationProvider.getInstance().getGeneralPVP2ProperiesConfig(); - rootDir = AuthConfigurationProvider.getInstance().getRootConfigFileDir(); + props = AuthConfigurationProviderFactory.getInstance().getGeneralPVP2ProperiesConfig(); + rootDir = AuthConfigurationProviderFactory.getInstance().getRootConfigFileDir(); + + //load PVP2X metadata for all active online applications + MOAMetadataProvider.getInstance(); } catch (ConfigurationException e) { e.printStackTrace(); @@ -133,7 +125,7 @@ public class PVPConfiguration { } public String getIDPPublicPath() throws ConfigurationException { - String publicPath = AuthConfigurationProvider.getInstance().getPublicURLPrefix(); + String publicPath = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); if(publicPath != null) { if(publicPath.endsWith("/")) { int length = publicPath.length(); 
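Review bot: The constructor now calls `MOAMetadataProvider.getInstance()` inside a `try` whose only handler is `catch (ConfigurationException e) { e.printStackTrace(); }`, so a failure while loading the metadata of all online applications goes to stderr and PVPConfiguration still completes as though it were fully configured. Loading metadata is also heavy work for a singleton constructor (the MOAMetadataProvider hunks in this commit show HTTP-backed providers), and if the provider's initialisation calls back into PVPConfiguration — for example via `getTrustEntityCertificate` — before this constructor returns, the singleton is not yet assigned; that constructor is outside this diff, so worth confirming. At minimum report the failure through `Logger.error("PVP2X configuration or metadata could not be loaded.", e);` as the rest of this commit does, and consider triggering the initial metadata load from the startup code that owns the lifecycle rather than from the constructor.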
@@ -209,75 +201,42 @@ public class PVPConfiguration { moaIDVersion = parseMOAIDVersionFromManifest(); } - return AuthConfigurationProvider.getInstance().getGeneralPVP2DBConfig().getIssuerName() + moaIDVersion; + return AuthConfigurationProviderFactory.getInstance().getConfigurationWithKey( + MOAIDConfigurationConstants.GENERAL_PROTOCOLS_PVP2X_METADATA_SERVICENAMME) + moaIDVersion; } - - public List<String> getMetadataFiles() { - String filter = props.getProperty(METADATA_EXTENSION); - - if (filter == null) { - filter = ".mdxml"; - } - - List<String> files = new ArrayList<String>(); - - File[] faFiles = new File(props.getProperty(METADATA_FILE)).listFiles(); - for (File file : faFiles) { - if (!file.isDirectory()) { - if (file.getName().endsWith(filter)) { - files.add(file.getAbsolutePath()); - } - } - } - - return files; - } - - //TODO: - public String getTargetForSP(String sp) { - - try { - OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(sp); - - if (oaParam != null) - return oaParam.getTarget(); - - Logger.warn("OnlineApplication with ID "+ sp + " is not found."); - return null; - - } catch (ConfigurationException e) { - Logger.warn("OnlineApplication with ID "+ sp + " is not found."); - return null; - } - - } - public iaik.x509.X509Certificate getTrustEntityCertificate(String entityID) { + + try { + Logger.trace("Load metadata signing certificate for online application " + entityID); + IOAAuthParameters oaParam = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(entityID); + if (oaParam == null) { + Logger.info("Online Application with ID " + entityID + " not found!"); + return null; + } - try { - IOAAuthParameters oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(entityID); - - if (oaParam == null) { - Logger.warn("Online Application with ID " + entityID + " not found!"); - return null; - } - - OAPVP2 pvp2param = oaParam.getPVP2Parameter(); - - if (pvp2param 
== null) { - return null; - } - - Logger.info("Load TrustEntityCertificate ("+entityID+") from Database."); - return new X509Certificate(pvp2param.getCertificate()); + String pvp2MetadataCertificateString = + oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE); + if (MiscUtil.isEmpty(pvp2MetadataCertificateString)) { + Logger.info("Online Application with ID " + entityID + " include not PVP2X metadata signing certificate!"); + return null; + + } + + X509Certificate cert = new X509Certificate(Base64Utils.decode(pvp2MetadataCertificateString, false)); + Logger.debug("Metadata signing certificate is loaded for ("+entityID+") is loaded."); + return cert; } catch (CertificateException e) { - Logger.warn("Signer certificate can not be loaded from session database!", e); + Logger.warn("Metadata signer certificate is not parsed.", e); return null; } catch (ConfigurationException e) { - e.printStackTrace(); + Logger.error("Configuration is not accessable.", e); + return null; + + } catch (IOException e) { + Logger.warn("Metadata signer certificate is not decodeable.", e); return null; } } 
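Review bot: The issuer-name change at the top of this hunk concatenates `getConfigurationWithKey(MOAIDConfigurationConstants.GENERAL_PROTOCOLS_PVP2X_METADATA_SERVICENAMME)` directly with `moaIDVersion`, so if that lookup returns null for an unconfigured key the IdP publishes the literal text "null" followed by the version as its issuer name; the method starts outside the hunk, but checking the value with `MiscUtil.isEmpty` and failing with a `ConfigurationException`, as the neighbouring methods already declare, would surface this at startup. In `getTrustEntityCertificate` a `null` result now covers three situations — unknown online application, no certificate configured, and a certificate that cannot be decoded or parsed — and since this value is the trust anchor for metadata signature verification, the Javadoc should state that callers must treat `null` as "no trust anchor, reject the metadata" rather than as permission to skip the check. The two info messages also read oddly; `"Online Application with ID " + entityID + " has no PVP2X metadata signing certificate configured"` and `"Metadata signing certificate loaded for " + entityID` would be clearer.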
@@ -285,112 +244,101 @@ public class PVPConfiguration { public List<ContactPerson> getIDPContacts() throws ConfigurationException { List<ContactPerson> list = new ArrayList<ContactPerson>(); - List<Contact> contacts = AuthConfigurationProvider.getInstance().getGeneralPVP2DBConfig().getContact(); + Map<String, String> contacts = AuthConfigurationProviderFactory.getInstance().getConfigurationWithPrefix( + MOAIDConfigurationConstants.GENERAL_PROTOCOLS_PVP2X_METADATA_CONTACT + "."); - if (contacts != null) { + ContactPerson person = SAML2Utils + .createSAMLObject(ContactPerson.class); + + String type = contacts.get(IDP_CONTACT_TYPE); + + if (type == null) { + Logger.error("IDP Contact with SurName " + contacts.get(IDP_CONTACT_SURNAME) + + " has no type defined!"); + type = "unknown"; + } + + ContactPersonTypeEnumeration enumType = null; + + if (type.equals(ContactPersonTypeEnumeration.ADMINISTRATIVE + .toString())) { + enumType = ContactPersonTypeEnumeration.ADMINISTRATIVE; + } else if (type.equals(ContactPersonTypeEnumeration.BILLING + .toString())) { + enumType = ContactPersonTypeEnumeration.BILLING; + } else if (type.equals(ContactPersonTypeEnumeration.OTHER + .toString())) { + enumType = ContactPersonTypeEnumeration.OTHER; + } else if (type.equals(ContactPersonTypeEnumeration.SUPPORT + .toString())) { + enumType = ContactPersonTypeEnumeration.SUPPORT; + } else if (type.equals(ContactPersonTypeEnumeration.TECHNICAL + .toString())) { + enumType = ContactPersonTypeEnumeration.TECHNICAL; + } + + if (enumType == null) { + Logger.error("IDP Contact with SurName " + contacts.get(IDP_CONTACT_SURNAME) + + " has invalid type defined: " + type); + } + + person.setType(enumType); + + String givenName = contacts.get(IDP_CONTACT_GIVENNAME); + + if (givenName != null) { + GivenName name = SAML2Utils + .createSAMLObject(GivenName.class); + name.setName(givenName); + person.setGivenName(name); + } + + String company = contacts.get(IDP_CONTACT_COMPANY); + + if (company != null) { + 
Company comp = SAML2Utils.createSAMLObject(Company.class); + comp.setName(company); + person.setCompany(comp); + } + + String surname = contacts.get(IDP_CONTACT_SURNAME); + + if (surname != null) { + SurName name = SAML2Utils.createSAMLObject(SurName.class); + name.setName(surname); + person.setSurName(name); + } + + String phone = contacts.get(IDP_CONTACT_PHONE); + if (phone != null) { + TelephoneNumber telePhone = SAML2Utils + .createSAMLObject(TelephoneNumber.class); + telePhone.setNumber(phone); + person.getTelephoneNumbers().add(telePhone); + } - for (Contact contact : contacts) { - - ContactPerson person = SAML2Utils - .createSAMLObject(ContactPerson.class); - - String type = contact.getType(); - - if (type == null) { - Logger.error("IDP Contact with SurName " + contact.getSurName() - + " has no type defined!"); - break; - } - - ContactPersonTypeEnumeration enumType = null; - - if (type.equals(ContactPersonTypeEnumeration.ADMINISTRATIVE - .toString())) { - enumType = ContactPersonTypeEnumeration.ADMINISTRATIVE; - } else if (type.equals(ContactPersonTypeEnumeration.BILLING - .toString())) { - enumType = ContactPersonTypeEnumeration.BILLING; - } else if (type.equals(ContactPersonTypeEnumeration.OTHER - .toString())) { - enumType = ContactPersonTypeEnumeration.OTHER; - } else if (type.equals(ContactPersonTypeEnumeration.SUPPORT - .toString())) { - enumType = ContactPersonTypeEnumeration.SUPPORT; - } else if (type.equals(ContactPersonTypeEnumeration.TECHNICAL - .toString())) { - enumType = ContactPersonTypeEnumeration.TECHNICAL; - } - - if (enumType == null) { - Logger.error("IDP Contact with SurName " + contact.getSurName() - + " has invalid type defined: " + type); - break; - } - - person.setType(enumType); - - String givenName = contact.getGivenName(); - - if (givenName != null) { - GivenName name = SAML2Utils - .createSAMLObject(GivenName.class); - name.setName(givenName); - person.setGivenName(name); - } - - String company = contact.getCompany(); - - if 
(company != null) { - Company comp = SAML2Utils.createSAMLObject(Company.class); - comp.setName(company); - person.setCompany(comp); - } - - String surname = contact.getSurName(); - - if (surname != null) { - SurName name = SAML2Utils.createSAMLObject(SurName.class); - name.setName(surname); - person.setSurName(name); - } - - List<String> phones = contact.getPhone(); - for (String phone : phones) { - TelephoneNumber telePhone = SAML2Utils - .createSAMLObject(TelephoneNumber.class); - telePhone.setNumber(phone); - person.getTelephoneNumbers().add(telePhone); - } - - List<String> mails = contact.getMail(); - for (String mail : mails) { - EmailAddress mailAddress = SAML2Utils - .createSAMLObject(EmailAddress.class); - mailAddress.setAddress(mail); - person.getEmailAddresses().add(mailAddress); - } - - list.add(person); - } + String mail = contacts.get(IDP_CONTACT_MAIL); + if (mail != null) { + EmailAddress mailAddress = SAML2Utils + .createSAMLObject(EmailAddress.class); + mailAddress.setAddress(mail); + person.getEmailAddresses().add(mailAddress); } + + list.add(person); return list; } public Organization getIDPOrganisation() throws ConfigurationException { Organization org = SAML2Utils.createSAMLObject(Organization.class); - at.gv.egovernment.moa.id.commons.db.dao.config.Organization organisation = AuthConfigurationProvider.getInstance().getGeneralPVP2DBConfig().getOrganization(); - - String org_name = null; - String org_dispname = null; - String org_url = null; - - if (organisation != null) { - org_name = organisation.getName(); - org_dispname = organisation.getDisplayName(); - org_url = organisation.getURL(); - } + Map<String, String> organisation = AuthConfigurationProviderFactory.getInstance().getConfigurationWithPrefix( + MOAIDConfigurationConstants.GENERAL_PROTOCOLS_PVP2X_METADATA_ORG + "."); + String org_name = organisation.get(IDP_ORG_NAME); + String org_dispname = organisation.get(IDP_ORG_DISPNAME); + String org_url = organisation.get(IDP_ORG_URL); + if 
(org_name == null || org_dispname == null || org_url == null) { return null; } @@ -416,6 +364,7 @@ public class PVPConfiguration { private String parseMOAIDVersionFromManifest() { try { + @SuppressWarnings("rawtypes") Class clazz = PVPConfiguration.class; String className = clazz.getSimpleName() + ".class"; String classPath = clazz.getResource(className).toString(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index d493ef9e0..389b9825f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -22,14 +22,18 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.metadata; +import java.io.IOException; import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.Collection; +import java.util.Collections; import java.util.Date; import java.util.HashMap; import java.util.Iterator; import java.util.List; import java.util.Map; +import java.util.Map.Entry; +import java.util.concurrent.CopyOnWriteArrayList; import java.util.Timer; import javax.net.ssl.SSLHandshakeException; 
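Review bot: In `getIDPContacts` a contact whose `type` is missing or unrecognised is now still added to the list with `person.setType(null)`; the old loop stopped with `break` in both cases, whereas the new code only logs and continues. SAML 2.0 metadata requires the `contactType` attribute on `ContactPerson`, so the generated IdP metadata becomes schema-invalid and may be rejected by relying parties that validate it. Keeping the old outcome is a one-line change: `if (enumType == null) { Logger.error("IDP Contact with SurName " + contacts.get(IDP_CONTACT_SURNAME) + " has invalid type defined: " + type); return list; }`. The rewrite also reduces the configuration from a list of contacts to exactly one, which the Javadoc should say explicitly since the `List<ContactPerson>` return type still suggests several.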
@@ -44,16 +48,18 @@ import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider; import org.opensaml.saml2.metadata.provider.MetadataFilter; import org.opensaml.saml2.metadata.provider.MetadataProvider; import org.opensaml.saml2.metadata.provider.MetadataProviderException; +import org.opensaml.saml2.metadata.provider.ObservableMetadataProvider; +import org.opensaml.saml2.metadata.provider.ObservableMetadataProvider.Observer; import org.opensaml.xml.XMLObject; import org.opensaml.xml.parse.BasicParserPool; -import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; -import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModeType; -import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; -import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; +import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException; 
@@ -61,14 +67,15 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.Interfeder import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataFilterChain; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.MiscUtil; -public class MOAMetadataProvider implements MetadataProvider { +public class MOAMetadataProvider implements ObservableMetadataProvider{ private static MOAMetadataProvider instance = null; - private static Object mutex = new Object(); - private static Date timestamp = null; + private List<ObservableMetadataProvider.Observer> observers; + public static MOAMetadataProvider getInstance() { if (instance == null) { @@ -80,18 +87,19 @@ public class MOAMetadataProvider implements MetadataProvider { } return instance; } - - public static Date getTimeStamp() { - return timestamp; - } public static void reInitialize() { synchronized (mutex) { /**add new Metadataprovider or remove Metadataprovider which are not in use any more.**/ if (instance != null) - instance.addAndRemoveMetadataProvider(); - + try { + instance.addAndRemoveMetadataProvider(); + + } catch (ConfigurationException e) { + Logger.error("Access to MOA-ID configuration FAILED.", e); + + } else Logger.info("MOAMetadataProvider is not loaded."); } 
@@ -108,90 +116,168 @@ public class MOAMetadataProvider implements MetadataProvider { MetadataProvider internalProvider; + public boolean refreshMetadataProvider(String entityID) { + try { + OAAuthParameter oaParam = + AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(entityID); + if (oaParam != null) { + String metadataURL = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_URL); + if (MiscUtil.isNotEmpty(metadataURL)) { + Map<String, HTTPMetadataProvider> actuallyLoadedProviders = getAllActuallyLoadedProviders(); + + // check if MetadataProvider is actually loaded + if (actuallyLoadedProviders.containsKey(metadataURL)) { + actuallyLoadedProviders.get(metadataURL).refresh(); + Logger.info("PVP2X metadata for onlineApplication: " + + entityID + " is refreshed."); + return true; + + } else { + //load new Metadata Provider + String certBase64 = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE); + if (MiscUtil.isNotEmpty(certBase64)) { + byte[] cert = Base64Utils.decode(certBase64, false); + String oaFriendlyName = oaParam.getFriendlyName(); + + ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider; + HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL, + cert, oaFriendlyName, + buildMetadataFilterChain(oaParam, metadataURL, + cert)); + + chainProvider.addMetadataProvider(newMetadataProvider); + + emitChangeEvent(); + + Logger.info("PVP2X metadata for onlineApplication: " + + entityID + " is added."); + return true; + + } else + Logger.debug("Can not refresh PVP2X metadata: NO PVP2X metadata certificate for OA with Id: " + entityID); + + } + + } else + Logger.debug("Can not refresh PVP2X metadata: NO PVP2X metadata URL for OA with Id: " + entityID); + + } else + Logger.debug("Can not refresh PVP2X metadata: NO onlineApplication with Id: " + entityID); + + + } catch (ConfigurationException e) { + 
Logger.warn("Access MOA-ID configuration FAILED.", e); + + } catch (MetadataProviderException e) { + Logger.warn("Refresh PVP2X metadata for onlineApplication: " + + entityID + " FAILED.", e); + + } catch (IOException e) { + Logger.warn("Refresh PVP2X metadata for onlineApplication: " + + entityID + " FAILED.", e); + + } catch (CertificateException e) { + Logger.warn("Refresh PVP2X metadata for onlineApplication: " + + entityID + " FAILED.", e); + + } + + return false; + + } + + private Map<String, HTTPMetadataProvider> getAllActuallyLoadedProviders() { + Map<String, HTTPMetadataProvider> loadedproviders = new HashMap<String, HTTPMetadataProvider>(); + ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider; + + //make a Map of all actually loaded HTTPMetadataProvider + List<MetadataProvider> providers = chainProvider.getProviders(); + for (MetadataProvider provider : providers) { + if (provider instanceof HTTPMetadataProvider) { + HTTPMetadataProvider httpprovider = (HTTPMetadataProvider) provider; + loadedproviders.put(httpprovider.getMetadataURI(), httpprovider); + + } + } + + return loadedproviders; + } - private void addAndRemoveMetadataProvider() { + + private void addAndRemoveMetadataProvider() throws ConfigurationException { if (internalProvider != null && internalProvider instanceof ChainingMetadataProvider) { Logger.info("Relaod MOAMetaDataProvider."); /*OpenSAML ChainingMetadataProvider can not remove a MetadataProvider (UnsupportedOperationException) *The ChainingMetadataProvider use internal a unmodifiableList to hold all registrated MetadataProviders.*/ Map<String, MetadataProvider> providersinuse = new HashMap<String, MetadataProvider>(); - - Map<String, HTTPMetadataProvider> loadedproviders = new HashMap<String, HTTPMetadataProvider>(); ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider; - //make a Map of all actually loaded HTTPMetadataProvider - List<MetadataProvider> providers = 
chainProvider.getProviders(); - for (MetadataProvider provider : providers) { - if (provider instanceof HTTPMetadataProvider) { - HTTPMetadataProvider httpprovider = (HTTPMetadataProvider) provider; - loadedproviders.put(httpprovider.getMetadataURI(), httpprovider); - } - } - - //set Timestamp - Date oldTimeStamp = timestamp; - timestamp = new Date(); + //get all actually loaded metadata providers + Map<String, HTTPMetadataProvider> loadedproviders = getAllActuallyLoadedProviders(); //load all PVP2 OAs form ConfigurationDatabase and //compare actually loaded Providers with configured PVP2 OAs - List<OnlineApplication> oaList = ConfigurationDBRead - .getAllActiveOnlineApplications(); - - Iterator<OnlineApplication> oaIt = oaList.iterator(); - while (oaIt.hasNext()) { - HTTPMetadataProvider httpProvider = null; - - try { - OnlineApplication oa = oaIt.next(); - OAPVP2 pvp2Config = oa.getAuthComponentOA().getOAPVP2(); - if (pvp2Config != null && MiscUtil.isNotEmpty(pvp2Config.getMetadataURL())) { - - String metadataurl = pvp2Config.getMetadataURL(); + Map<String, String> allOAs = AuthConfigurationProviderFactory.getInstance().getConfigurationWithWildCard( + MOAIDConfigurationConstants.PREFIX_SERVICES + + ".%." 
+ + MOAIDConfigurationConstants.SERVICE_UNIQUEIDENTIFIER); + + if (allOAs != null) { + Iterator<Entry<String, String>> oaInterator = allOAs.entrySet().iterator(); + while (oaInterator.hasNext()) { + Entry<String, String> oaKeyPair = oaInterator.next(); + + OAAuthParameter oaParam = + AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(oaKeyPair.getValue()); + if (oaParam != null) { + String metadataurl = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_URL); - if (loadedproviders.containsKey(metadataurl)) { + HTTPMetadataProvider httpProvider = null; + try { + if (MiscUtil.isNotEmpty(metadataurl)) { + if (loadedproviders.containsKey(metadataurl)) { + // PVP2 OA is actually loaded, to nothing + providersinuse.put(metadataurl, loadedproviders.get(metadataurl)); + loadedproviders.remove(metadataurl); - if (pvp2Config.getUpdateRequiredItem() != null && - pvp2Config.getUpdateRequiredItem().after(oldTimeStamp)) { - //PVP2 OA is actually loaded, but update is requested - Logger.info("Reload metadata for: " + oa.getFriendlyName()); - loadedproviders.get(metadataurl).refresh(); - - } - - // PVP2 OA is actually loaded, to nothing - providersinuse.put(metadataurl, loadedproviders.get(metadataurl)); - loadedproviders.remove(metadataurl); + } else if ( MiscUtil.isNotEmpty(metadataurl) && + !providersinuse.containsKey(metadataurl) ) { + //PVP2 OA is new, add it to MOAMetadataProvider + String certBase64 = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE); + if (MiscUtil.isNotEmpty(certBase64)) { + byte[] cert = Base64Utils.decode(certBase64, false); + String oaFriendlyName = oaParam.getFriendlyName(); + + + Logger.info("Loading metadata for: " + oaFriendlyName); + httpProvider = createNewHTTPMetaDataProvider( + metadataurl, + cert, + oaFriendlyName, + buildMetadataFilterChain(oaParam, metadataurl, + cert)); - } else if ( MiscUtil.isNotEmpty(metadataurl) && - 
!providersinuse.containsKey(metadataurl) ) { - //PVP2 OA is new, add it to MOAMetadataProvider - - Logger.info("Loading metadata for: " + oa.getFriendlyName()); - httpProvider = createNewHTTPMetaDataProvider( - pvp2Config.getMetadataURL(), - pvp2Config.getCertificate(), - oa.getFriendlyName(), - buildMetadataFilterChain(oa, pvp2Config.getMetadataURL(), - pvp2Config.getCertificate())); - - if (httpProvider != null) - providersinuse.put(metadataurl, httpProvider); + if (httpProvider != null) + providersinuse.put(metadataurl, httpProvider); + } - } - } - } catch (Throwable e) { - Logger.error( + } + } + } catch (Throwable e) { + Logger.error( "Failed to add Metadata (unhandled reason: " + e.getMessage(), e); - if (httpProvider != null) { - Logger.debug("Destroy failed Metadata provider"); - httpProvider.destroy(); - } + if (httpProvider != null) { + Logger.debug("Destroy failed Metadata provider"); + httpProvider.destroy(); + } - } + } + } + } } //remove all actually loaded MetadataProviders with are not in ConfigurationDB any more @@ -220,6 +306,8 @@ public class MOAMetadataProvider implements MetadataProvider { try { chainProvider.setProviders(new ArrayList<MetadataProvider>(providersinuse.values())); + emitChangeEvent(); + } catch (MetadataProviderException e) { Logger.warn("ReInitalize MOAMetaDataProvider is not possible! MOA-ID Instance has to be restarted manualy", e); @@ -249,7 +337,9 @@ public class MOAMetadataProvider implements MetadataProvider { } else { Logger.warn("MetadataProvider can not be destroyed."); } - } + } + + this.observers = Collections.emptyList(); instance = null; } else { Logger.warn("ReInitalize MOAMetaDataProvider is not possible! MOA-ID Instance has to be restarted manualy"); 
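Review bot: The `actuallyLoadedProviders.containsKey(metadataURL)` lookup and the later `chainProvider.addMetadataProvider(newMetadataProvider)` in refreshMetadataProvider run without the `synchronized (mutex)` that reInitialize() takes, so two requests for the same entityID arriving together can both miss the lookup and register two HTTPMetadataProvider instances for one URL, and a concurrent reInitialize() can swap the chain between the lookup and the add. Wrapping the body in `synchronized (mutex) { ... }` and re-reading the loaded map inside the lock would close that window. The certificate decoding, `Base64Utils.decode(certBase64, false)` followed by the friendly-name lookup and the filter-chain build, is now written out twice in this hunk (refreshMetadataProvider and addAndRemoveMetadataProvider); a small private helper that derives URL, certificate and name from an OAAuthParameter would keep the two in step. The enclosing class continues outside the hunk.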
@@ -258,80 +348,95 @@ public class MOAMetadataProvider implements MetadataProvider { private MOAMetadataProvider() { ChainingMetadataProvider chainProvider = new ChainingMetadataProvider(); - Logger.info("Loading metadata"); + this.observers = new CopyOnWriteArrayList<Observer>(); + Logger.info("Loading metadata"); Map<String, MetadataProvider> providersinuse = new HashMap<String, MetadataProvider>(); - - List<OnlineApplication> oaList = ConfigurationDBRead - .getAllActiveOnlineApplications(); - - if (oaList.size() == 0) - Logger.info("No Online-Application configuration found. PVP 2.1 metadata provider initialization failed!"); - - Iterator<OnlineApplication> oaIt = oaList.iterator(); - while (oaIt.hasNext()) { - HTTPMetadataProvider httpProvider = null; + try { + //TODO: database search does not work!!!!! + Map<String, String> allOAs = AuthConfigurationProviderFactory.getInstance().getConfigurationWithWildCard( + MOAIDConfigurationConstants.PREFIX_SERVICES + + ".%." + + MOAIDConfigurationConstants.SERVICE_UNIQUEIDENTIFIER); - try { - OnlineApplication oa = oaIt.next(); - Logger.info("Loading metadata for: " + oa.getFriendlyName()); - OAPVP2 pvp2Config = oa.getAuthComponentOA().getOAPVP2(); - if (pvp2Config != null && MiscUtil.isNotEmpty(pvp2Config.getMetadataURL())) { - String metadataURL = pvp2Config.getMetadataURL(); + if (allOAs != null) { + Iterator<Entry<String, String>> oaInterator = allOAs.entrySet().iterator(); + while (oaInterator.hasNext()) { + Entry<String, String> oaKeyPair = oaInterator.next(); - if (!providersinuse.containsKey(metadataURL)) { - - httpProvider = createNewHTTPMetaDataProvider( - metadataURL, - pvp2Config.getCertificate(), - oa.getFriendlyName(), - buildMetadataFilterChain(oa, metadataURL, - pvp2Config.getCertificate())); - - if (httpProvider != null) - providersinuse.put(metadataURL, httpProvider); + OAAuthParameter oaParam = + AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(oaKeyPair.getValue()); + if 
(oaParam != null) { + String metadataurl = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_URL); + String oaFriendlyName = oaParam.getFriendlyName(); + HTTPMetadataProvider httpProvider = null; + + try { + String certBase64 = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE); + if (MiscUtil.isNotEmpty(certBase64) || MiscUtil.isNotEmpty(metadataurl)) { + byte[] cert = Base64Utils.decode(certBase64, false); + + + Logger.info("Loading metadata for: " + oaFriendlyName); + if (!providersinuse.containsKey(metadataurl)) { + httpProvider = createNewHTTPMetaDataProvider( + metadataurl, + cert, + oaFriendlyName, + buildMetadataFilterChain(oaParam, metadataurl, + cert)); - } else { - Logger.info(metadataURL + " are already added."); - } + if (httpProvider != null) + providersinuse.put(metadataurl, httpProvider); + + } else { + Logger.info(metadataurl + " are already added."); + } + + } else { + Logger.info(oaFriendlyName + + " is not a PVP2 Application skipping"); + } + } catch (Throwable e) { + Logger.error( + "Failed to add Metadata (unhandled reason: " + + e.getMessage(), e); - } else { - Logger.info(oa.getFriendlyName() - + " is not a PVP2 Application skipping"); + if (httpProvider != null) { + Logger.debug("Destroy failed Metadata provider"); + httpProvider.destroy(); + } + } + } } - } catch (Throwable e) { + + } else + Logger.info("No Online-Application configuration found. 
PVP 2.1 metadata provider initialization failed!"); + + try { + chainProvider.setProviders(new ArrayList<MetadataProvider>(providersinuse.values())); + + } catch (MetadataProviderException e) { Logger.error( "Failed to add Metadata (unhandled reason: " + e.getMessage(), e); - - if (httpProvider != null) { - Logger.debug("Destroy failed Metadata provider"); - httpProvider.destroy(); - } - } - } - - - try { - chainProvider.setProviders(new ArrayList<MetadataProvider>(providersinuse.values())); + } + + } catch (ConfigurationException e) { + Logger.error("Access MOA-ID configuration FAILED.", e); - } catch (MetadataProviderException e) { - Logger.error( - "Failed to add Metadata (unhandled reason: " - + e.getMessage(), e); } internalProvider = chainProvider; - timestamp = new Date(); } - private MetadataFilterChain buildMetadataFilterChain(OnlineApplication oa, String metadataURL, byte[] certificate) throws CertificateException { + private MetadataFilterChain buildMetadataFilterChain(OAAuthParameter oaParam, String metadataURL, byte[] certificate) throws CertificateException { MetadataFilterChain filterChain = new MetadataFilterChain(metadataURL, certificate); filterChain.getFilters().add(new SchemaValidationFilter()); - if (oa.isIsInterfederationIDP() != null && oa.isIsInterfederationIDP()) { + if (oaParam.isInderfederationIDP()) { Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies"); - filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oa.getType())); + filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oaParam.getBusinessService())); } 
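Review bot: The guard `if (MiscUtil.isNotEmpty(certBase64) || MiscUtil.isNotEmpty(metadataurl))` in the rewritten constructor loop admits an online application that has only one of the two values: with a URL but no certificate, `Base64Utils.decode(certBase64, false)` runs on an empty value and, should it return, a provider is built whose filter chain carries no certificate; with a certificate but no URL, a provider is created for an empty URL. addAndRemoveMetadataProvider in the same hunk series requires both (`isNotEmpty(metadataurl)` and then `isNotEmpty(certBase64)`), so this line should use `&&` as well, which also makes the "is not a PVP2 Application skipping" branch fire whenever either value is missing. The `//TODO: database search does not work!!!!!` comment is left in the committed code; it should either be resolved or reworded to state the known limitation. The constructor's try block closes inside the hunk, but the class continues outside it.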
@@ -349,11 +454,11 @@ public class MOAMetadataProvider implements MetadataProvider { try { MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( PVPConstants.SSLSOCKETFACTORYNAME, - AuthConfigurationProvider.getInstance().getCertstoreDirectory(), - AuthConfigurationProvider.getInstance().getTrustedCACertificates(), + AuthConfigurationProviderFactory.getInstance().getCertstoreDirectory(), + AuthConfigurationProviderFactory.getInstance().getTrustedCACertificates(), null, - ChainingModeType.fromValue(AuthConfigurationProvider.getInstance().getDefaultChainingMode()), - AuthConfigurationProvider.getInstance().isTrustmanagerrevoationchecking()); + AuthConfiguration.DEFAULT_X509_CHAININGMODE, + AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking()); httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory); @@ -458,4 +563,23 @@ public class MOAMetadataProvider implements MetadataProvider { return internalProvider.getRole(entityID, roleName, supportedProtocol); } + /* (non-Javadoc) + * @see org.opensaml.saml2.metadata.provider.ObservableMetadataProvider#getObservers() + */ + @Override + public List<Observer> getObservers() { + return ((ChainingMetadataProvider) internalProvider).getObservers(); + } + + protected void emitChangeEvent() { + if ((getObservers() == null) || (getObservers().size() == 0)) { + return; + } + + List<Observer> tempObserverList = new ArrayList<Observer>(getObservers()); + for (ObservableMetadataProvider.Observer observer : tempObserverList) + if (observer != null) + observer.onEvent(this); + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java index 12de97a3f..2915ff683 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java 
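Review bot: The MOAHttpProtocolSocketFactory built in this hunk now receives `AuthConfiguration.DEFAULT_X509_CHAININGMODE`, while the parallel change in MOASAMLSOAPClient (its @@ -65 hunk) passes `AuthConfigurationProviderFactory.getInstance().getDefaultChainingMode()`. If the chaining mode is configurable, metadata downloads would validate the TLS server chain under a different mode than the SOAP back-channel, which is hard to reason about when a deployment tightens that setting. Unless the metadata path is meant to ignore the configuration, the line should read `AuthConfigurationProviderFactory.getInstance().getDefaultChainingMode(),` as in MOASAMLSOAPClient. The enclosing method starts before the hunk.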
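Review bot: `getObservers()` returns the observer list of the wrapped ChainingMetadataProvider, so the new `observers` field — set to a CopyOnWriteArrayList in the constructor and reset to `Collections.emptyList()` in the teardown path — is never read and only suggests a registration that does not happen. Either drop the field or have `getObservers()` return it, so that an Observer added through the ObservableMetadataProvider interface is the list emitChangeEvent() walks. emitChangeEvent() also calls `getObservers()` three times and invokes each observer synchronously on the calling thread; a RuntimeException from an observer propagates out of refreshMetadataProvider, whose catch clauses cover only the four checked types. A class-level Javadoc sentence such as `Singleton that chains one HTTPMetadataProvider per configured PVP2X online application and notifies registered observers when the set of providers changes` would help, since none is visible in the hunks.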
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java @@ -39,7 +39,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModeType; import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.logging.Logger; @@ -65,11 +65,11 @@ public class MOASAMLSOAPClient { SecureProtocolSocketFactory sslprotocolsocketfactory = new MOAHttpProtocolSocketFactory( PVPConstants.SSLSOCKETFACTORYNAME, - AuthConfigurationProvider.getInstance().getCertstoreDirectory(), - AuthConfigurationProvider.getInstance().getTrustedCACertificates(), + AuthConfigurationProviderFactory.getInstance().getCertstoreDirectory(), + AuthConfigurationProviderFactory.getInstance().getTrustedCACertificates(), null, - ChainingModeType.fromValue(AuthConfigurationProvider.getInstance().getDefaultChainingMode()), - AuthConfigurationProvider.getInstance().isTrustmanagerrevoationchecking()); + AuthConfigurationProviderFactory.getInstance().getDefaultChainingMode(), + AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking()); clientBuilder.setHttpsProtocolSocketFactory(sslprotocolsocketfactory ); } catch (MOAHttpProtocolSocketFactoryException e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java index 550643da1..69c760f19 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java 
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java @@ -22,6 +22,7 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.verification; +import java.io.IOException; import java.util.List; import org.opensaml.saml2.metadata.EntitiesDescriptor; 
@@ -32,36 +33,39 @@ import org.opensaml.xml.signature.SignatureValidator; import org.opensaml.xml.validation.ValidationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; -import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; -import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; -import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; +import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSignedException; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.MiscUtil; public class EntityVerifier { public static byte[] fetchSavedCredential(String entityID) { // List<OnlineApplication> oaList = ConfigurationDBRead // .getAllActiveOnlineApplications(); + try { + OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(entityID); - OnlineApplication oa = ConfigurationDBRead - .getActiveOnlineApplication(entityID); - -// Iterator<OnlineApplication> oaIt = oaList.iterator(); -// while (oaIt.hasNext()) { -// OnlineApplication oa = oaIt.next(); -// if (oa.getPublicURLPrefix().equals(entityID)) { - - if (oa != null && oa.getAuthComponentOA() != null) { - - OAPVP2 pvp2Config = oa.getAuthComponentOA().getOAPVP2(); - if (pvp2Config != null) { - return pvp2Config.getCertificate(); - } + String certBase64 = oa.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE); + if (MiscUtil.isNotEmpty(certBase64)) { + return 
Base64Utils.decode(certBase64, false); + } -// } + + } catch (ConfigurationException e) { + Logger.error("Access MOA-ID configuration FAILED.", e); + + } catch (IOException e) { + Logger.warn("Decoding PVP2X metadata certificate FAILED.", e); + + } + return null; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java index 257f9dac4..70b778c49 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java @@ -38,7 +38,6 @@ import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.core.StatusResponseType; -import org.opensaml.saml2.core.validator.AuthnRequestSchemaValidator; import org.opensaml.saml2.encryption.Decrypter; import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver; import org.opensaml.saml2.metadata.IDPSSODescriptor; 
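Review bot: `oa.getConfigurationValue(...)` in fetchSavedCredential dereferences the result of `getOnlineApplicationParameter(entityID)` without a null check; the code it replaces guarded with `if (oa != null && ...)`, and MOAMetadataProvider.refreshMetadataProvider in the same commit checks `if (oaParam != null)` on the same call, so an entityID that matches no configured online application (plausible for a value taken from an inbound message) ends in a NullPointerException instead of the intended `return null`. Wrap the lookup as `if (oa != null) { String certBase64 = oa.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE); if (MiscUtil.isNotEmpty(certBase64)) { return Base64Utils.decode(certBase64, false); } }`. The commented-out ConfigurationDBRead lines from the previous implementation are still in the method and can go now that the lookup has moved to the configuration provider.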
@@ -68,25 +67,50 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationExcep import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; public class SAMLVerificationEngine { public void verify(InboundMessage msg, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception { - if (msg instanceof MOARequest && - ((MOARequest)msg).getSamlRequest() instanceof RequestAbstractType) - verifyRequest(((RequestAbstractType)((MOARequest)msg).getSamlRequest()), sigTrustEngine); - - else - verifyResponse(((MOAResponse)msg).getResponse(), sigTrustEngine); + try { + if (msg instanceof MOARequest && + ((MOARequest)msg).getSamlRequest() instanceof RequestAbstractType) + verifyRequest(((RequestAbstractType)((MOARequest)msg).getSamlRequest()), sigTrustEngine); + else + verifyResponse(((MOAResponse)msg).getResponse(), sigTrustEngine); + + } catch (InvalidProtocolRequestException e) { + if (MiscUtil.isEmpty(msg.getEntityID())) { + throw e; + + } + Logger.debug("PVP2X message validation FAILED. Relead metadata for entityID: " + msg.getEntityID()); + if (!MOAMetadataProvider.getInstance().refreshMetadataProvider(msg.getEntityID())) + throw e; + + else { + Logger.trace("PVP2X metadata reload finished. 
Check validate message again."); + + if (msg instanceof MOARequest && + ((MOARequest)msg).getSamlRequest() instanceof RequestAbstractType) + verifyRequest(((RequestAbstractType)((MOARequest)msg).getSamlRequest()), sigTrustEngine); + + else + verifyResponse(((MOAResponse)msg).getResponse(), sigTrustEngine); + + } + Logger.trace("Second PVP2X message validation finished"); + } } - public void verifyResponse(StatusResponseType samlObj, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception { + public void verifyResponse(StatusResponseType samlObj, SignatureTrustEngine sigTrustEngine ) throws InvalidProtocolRequestException{ SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator(); try { profileValidator.validate(samlObj.getSignature()); @@ -110,13 +134,13 @@ public class SAMLVerificationEngine { if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) { throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); } - } catch (SecurityException e) { - e.printStackTrace(); + } catch (org.opensaml.xml.security.SecurityException e) { + Logger.warn("PVP2x message signature validation FAILED.", e); throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); } } - public void verifyRequest(RequestAbstractType samlObj, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception { + public void verifyRequest(RequestAbstractType samlObj, SignatureTrustEngine sigTrustEngine ) throws InvalidProtocolRequestException { SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator(); try { profileValidator.validate(samlObj.getSignature()); 
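Review bot: The retry in verify() fires on every InvalidProtocolRequestException for a message that carries an entityID, including profile-validation failures that no metadata reload can repair, and MOAMetadataProvider.refreshMetadataProvider performs a remote HTTP fetch each time; a sender whose signature has not yet been verified can therefore make the IdP re-download a configured partner's metadata for every bad message it submits. Limiting the reload to one per entityID within a minimum interval, or skipping it when the failure came from the profile validator rather than the trust engine, would remove that amplification. The request-or-response dispatch is also written out twice; a private helper keeps the two attempts identical. The rewritten method, with verifyRequest and verifyResponse unchanged, follows.
```java
public void verify(InboundMessage msg, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception {
    try {
        verifyMessage(msg, sigTrustEngine);

    } catch (InvalidProtocolRequestException e) {
        if (MiscUtil.isEmpty(msg.getEntityID())) {
            throw e;
        }
        Logger.debug("PVP2X message validation FAILED. Relead metadata for entityID: " + msg.getEntityID());
        // TODO(review): throttle reloads per entityID; every failed validation currently costs a remote fetch
        if (!MOAMetadataProvider.getInstance().refreshMetadataProvider(msg.getEntityID()))
            throw e;

        Logger.trace("PVP2X metadata reload finished. Check validate message again.");
        verifyMessage(msg, sigTrustEngine);
        Logger.trace("Second PVP2X message validation finished");
    }
}

/** Dispatches to verifyRequest or verifyResponse depending on the message type. */
private void verifyMessage(InboundMessage msg, SignatureTrustEngine sigTrustEngine) throws InvalidProtocolRequestException {
    if (msg instanceof MOARequest &&
        ((MOARequest)msg).getSamlRequest() instanceof RequestAbstractType)
        verifyRequest(((RequestAbstractType)((MOARequest)msg).getSamlRequest()), sigTrustEngine);
    else
        verifyResponse(((MOAResponse)msg).getResponse(), sigTrustEngine);
}

// … unchanged: verifyResponse, verifyRequest …
```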
@@ -140,8 +164,8 @@ public class SAMLVerificationEngine { if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) { throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); } - } catch (SecurityException e) { - e.printStackTrace(); + } catch (org.opensaml.xml.security.SecurityException e) { + Logger.warn("PVP2x message signature validation FAILED.", e); throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java index 885de6805..942fab4f3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java @@ -38,7 +38,7 @@ import at.gv.egovernment.moa.id.auth.exception.ServiceException; import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker; import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser; import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.util.XMLUtil; import at.gv.egovernment.moa.logging.Logger; @@ -52,7 +52,7 @@ public class SAMLVerifierMOASP implements ISAMLVerifier { try { if (request.isSigned()) { - String trustProfileID = AuthConfigurationProvider.getInstance() + String trustProfileID = AuthConfigurationProviderFactory.getInstance() .getStorkConfig().getSignatureVerificationParameter() .getTrustProfileID(); 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java index 4d9b97a52..918863d05 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java @@ -41,14 +41,10 @@ public class InterfederatedIDPPublicServiceFilter implements MetadataFilter { /** * */ - public InterfederatedIDPPublicServiceFilter(String metadataURL, String oaType) { + public InterfederatedIDPPublicServiceFilter(String metadataURL, boolean isBusinessService) { Logger.debug("Add " + this.getClass().getName() + " to metadata policy"); this.metadataURL = metadataURL; - - if (oaType.equals("businessService")) - this.isPublicService = false; - else - this.isPublicService = true; + this.isPublicService = !isBusinessService; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java index f73b541bf..1aca587c9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java 
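Review bot: The three-line Javadoc block above the changed InterfederatedIDPPublicServiceFilter constructor is still empty, and the new boolean parameter is the inverse of the field it sets, which is exactly the situation a `@param` line keeps callers from getting the wrong way round. Suggested text: `Builds the metadata policy filter for one metadata URL. @param metadataURL URL the metadata is loaded from @param isBusinessService true if the online application is a business service; the filter then treats the IDP as non-public`.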
@@ -35,7 +35,7 @@ import org.opensaml.common.xml.SAMLSchemaBuilder; import org.xml.sax.SAXException; import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; import at.gv.egovernment.moa.logging.Logger; @@ -49,7 +49,7 @@ public class SchemaValidationFilter implements MetadataFilter { public SchemaValidationFilter() { try { - isActive = AuthConfigurationProvider.getInstance().isPVPSchemaValidationActive(); + isActive = AuthConfigurationProviderFactory.getInstance().isPVPSchemaValidationActive(); } catch (ConfigurationException e) { e.printStackTrace(); |