Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java31
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java101
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java348
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java40
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java50
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java8
6 files changed, 352 insertions, 226 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
index 587d8e935..0b6cb6eea 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java
@@ -33,7 +33,6 @@ import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;
import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule;
import org.opensaml.saml2.core.RequestAbstractType;
-import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
@@ -48,7 +47,6 @@ import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.SecurityException;
-import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.x509.X509Credential;
import at.gv.egovernment.moa.id.config.ConfigurationException;
@@ -63,7 +61,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
public class RedirectBinding implements IDecoder, IEncoder {
@@ -173,11 +171,32 @@ public class RedirectBinding implements IDecoder, IEncoder {
else
messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
- decode.decode(messageContext);
+ try {
+ decode.decode(messageContext);
- //check signature
- signatureRule.evaluate(messageContext);
+ //check signature
+ signatureRule.evaluate(messageContext);
+
+ } catch (SecurityException e) {
+ if (MiscUtil.isEmpty(messageContext.getPeerEntityId())) {
+ throw e;
+
+ }
+ Logger.debug("PVP2X message validation FAILED. Relead metadata for entityID: " + messageContext.getPeerEntityId());
+ if (!MOAMetadataProvider.getInstance().refreshMetadataProvider(messageContext.getPeerEntityId()))
+ throw e;
+
+ else {
+ Logger.trace("PVP2X metadata reload finished. Check validate message again.");
+ decode.decode(messageContext);
+ //check signature
+ signatureRule.evaluate(messageContext);
+
+ }
+ Logger.trace("Second PVP2X message validation finished");
+ }
+
InboundMessage msg = null;
if (messageContext.getInboundMessage() instanceof RequestAbstractType) {
RequestAbstractType inboundMessage = (RequestAbstractType) messageContext
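Review bot: The catch block turns any SecurityException into a metadata reload keyed on `messageContext.getPeerEntityId()`, which at that point is attacker-supplied and unverified, so an unauthenticated sender can force an outbound fetch of the OA's metadata URL on every unsigned or badly signed request; `refreshMetadataProvider` applies no rate limit, so the reload should be throttled per entityID (or the failure cached briefly) before it is invoked. The second `decode.decode(messageContext)` re-runs the decoder on a context the first call already populated; if HTTPRedirectDeflateDecoder tolerates that, say so in a comment such as `// re-decode: the first decode populated the context before the signature rule rejected it`, otherwise only `signatureRule.evaluate(messageContext)` should be repeated. The debug message has a typo (`Relead` → `Reload`) and should carry the original exception, `Logger.debug("...", e)`, so the first failure is not lost when the retry succeeds. The enclosing decode method starts outside the hunk.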
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
index 5c473f32d..ca95ff90c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
@@ -24,10 +24,12 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.config;
import iaik.x509.X509Certificate;
+import java.io.IOException;
import java.net.URL;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.List;
+import java.util.Map;
import java.util.Properties;
import java.util.jar.Attributes;
import java.util.jar.Manifest;
@@ -46,18 +48,16 @@ import org.opensaml.saml2.metadata.SurName;
import org.opensaml.saml2.metadata.TelephoneNumber;
import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
-import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2;
import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.FileUtils;
import at.gv.egovernment.moa.util.MiscUtil;
-//TODO!!!!!
-
public class PVPConfiguration {
private static PVPConfiguration instance;
@@ -116,6 +116,9 @@ public class PVPConfiguration {
props = AuthConfigurationProviderFactory.getInstance().getGeneralPVP2ProperiesConfig();
rootDir = AuthConfigurationProviderFactory.getInstance().getRootConfigFileDir();
+ //load PVP2X metadata for all active online applications
+ MOAMetadataProvider.getInstance();
+
} catch (ConfigurationException e) {
e.printStackTrace();
}
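Review bot: The new eager `MOAMetadataProvider.getInstance()` call sits inside a try whose catch only does `e.printStackTrace()`, so a ConfigurationException raised during this load goes to stderr instead of the application log; since this call presumably makes configuration loading a network-dependent step (the provider builds HTTP metadata providers for every configured OA), replace the catch body with `Logger.error("PVP2X configuration load FAILED.", e);` so the failure is visible where operators look. Whether `getInstance()` can itself throw here is not visible from the hunk, but the log change is worth making regardless. The enclosing constructor or initializer starts outside the hunk.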
@@ -201,52 +204,39 @@ public class PVPConfiguration {
return AuthConfigurationProviderFactory.getInstance().getConfigurationWithKey(
MOAIDConfigurationConstants.GENERAL_PROTOCOLS_PVP2X_METADATA_SERVICENAMME) + moaIDVersion;
}
-
- //TODO:
- public String getTargetForSP(String sp) {
-
- try {
- OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(sp);
-
- if (oaParam != null)
- return oaParam.getTarget();
-
- Logger.warn("OnlineApplication with ID "+ sp + " is not found.");
- return null;
-
- } catch (ConfigurationException e) {
- Logger.warn("OnlineApplication with ID "+ sp + " is not found.");
- return null;
- }
-
- }
-
public iaik.x509.X509Certificate getTrustEntityCertificate(String entityID) {
+
+ try {
+ Logger.trace("Load metadata signing certificate for online application " + entityID);
+ IOAAuthParameters oaParam = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(entityID);
+ if (oaParam == null) {
+ Logger.info("Online Application with ID " + entityID + " not found!");
+ return null;
+ }
- try {
- IOAAuthParameters oaParam = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(entityID);
-
- if (oaParam == null) {
- Logger.warn("Online Application with ID " + entityID + " not found!");
- return null;
- }
-
- OAPVP2 pvp2param = oaParam.getPVP2Parameter();
-
- if (pvp2param == null) {
- return null;
- }
-
- Logger.info("Load TrustEntityCertificate ("+entityID+") from Database.");
- return new X509Certificate(pvp2param.getCertificate());
+ String pvp2MetadataCertificateString =
+ oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE);
+ if (MiscUtil.isEmpty(pvp2MetadataCertificateString)) {
+ Logger.info("Online Application with ID " + entityID + " include not PVP2X metadata signing certificate!");
+ return null;
+
+ }
+
+ X509Certificate cert = new X509Certificate(Base64Utils.decode(pvp2MetadataCertificateString, false));
+ Logger.debug("Metadata signing certificate is loaded for ("+entityID+") is loaded.");
+ return cert;
} catch (CertificateException e) {
- Logger.warn("Signer certificate can not be loaded from session database!", e);
+ Logger.warn("Metadata signer certificate is not parsed.", e);
return null;
} catch (ConfigurationException e) {
- e.printStackTrace();
+ Logger.error("Configuration is not accessable.", e);
+ return null;
+
+ } catch (IOException e) {
+ Logger.warn("Metadata signer certificate is not decodeable.", e);
return null;
}
}
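Review bot: A configured-but-unparseable metadata signing certificate and a missing one collapse into the same `null` return, and the corrupt case (the CertificateException and IOException catches) is logged only at warn, although it is a misconfiguration that presumably leaves the OA's metadata without a verifiable trust anchor (the certificate feeds MetadataFilterChain in MOAMetadataProvider); consider `Logger.error` for those two catches so they are not mistaken for the benign "not configured" case. The method has no Javadoc; I would add `/** Loads the PVP2X metadata signing certificate configured for the given online application. @return the certificate, or null if the OA is unknown, no certificate is configured, or it cannot be decoded or parsed. */`. The log text in the empty-certificate branch reads oddly — `include not PVP2X metadata signing certificate` → `has no PVP2X metadata signing certificate configured`.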
@@ -254,16 +244,16 @@ public class PVPConfiguration {
public List<ContactPerson> getIDPContacts() throws ConfigurationException {
List<ContactPerson> list = new ArrayList<ContactPerson>();
- Properties contacts = AuthConfigurationProviderFactory.getInstance().getConfigurationWithPrefix(
+ Map<String, String> contacts = AuthConfigurationProviderFactory.getInstance().getConfigurationWithPrefix(
MOAIDConfigurationConstants.GENERAL_PROTOCOLS_PVP2X_METADATA_CONTACT + ".");
ContactPerson person = SAML2Utils
.createSAMLObject(ContactPerson.class);
- String type = contacts.getProperty(IDP_CONTACT_TYPE);
+ String type = contacts.get(IDP_CONTACT_TYPE);
if (type == null) {
- Logger.error("IDP Contact with SurName " + contacts.getProperty(IDP_CONTACT_SURNAME)
+ Logger.error("IDP Contact with SurName " + contacts.get(IDP_CONTACT_SURNAME)
+ " has no type defined!");
}
@@ -287,13 +277,13 @@ public class PVPConfiguration {
}
if (enumType == null) {
- Logger.error("IDP Contact with SurName " + contacts.getProperty(IDP_CONTACT_SURNAME)
+ Logger.error("IDP Contact with SurName " + contacts.get(IDP_CONTACT_SURNAME)
+ " has invalid type defined: " + type);
}
person.setType(enumType);
- String givenName = contacts.getProperty(IDP_CONTACT_GIVENNAME);
+ String givenName = contacts.get(IDP_CONTACT_GIVENNAME);
if (givenName != null) {
GivenName name = SAML2Utils
@@ -302,7 +292,7 @@ public class PVPConfiguration {
person.setGivenName(name);
}
- String company = contacts.getProperty(IDP_CONTACT_COMPANY);
+ String company = contacts.get(IDP_CONTACT_COMPANY);
if (company != null) {
Company comp = SAML2Utils.createSAMLObject(Company.class);
@@ -310,7 +300,7 @@ public class PVPConfiguration {
person.setCompany(comp);
}
- String surname = contacts.getProperty(IDP_CONTACT_SURNAME);
+ String surname = contacts.get(IDP_CONTACT_SURNAME);
if (surname != null) {
SurName name = SAML2Utils.createSAMLObject(SurName.class);
@@ -318,7 +308,7 @@ public class PVPConfiguration {
person.setSurName(name);
}
- String phone = contacts.getProperty(IDP_CONTACT_PHONE);
+ String phone = contacts.get(IDP_CONTACT_PHONE);
if (phone != null) {
TelephoneNumber telePhone = SAML2Utils
.createSAMLObject(TelephoneNumber.class);
@@ -326,7 +316,7 @@ public class PVPConfiguration {
person.getTelephoneNumbers().add(telePhone);
}
- String mail = contacts.getProperty(IDP_CONTACT_MAIL);
+ String mail = contacts.get(IDP_CONTACT_MAIL);
if (mail != null) {
EmailAddress mailAddress = SAML2Utils
.createSAMLObject(EmailAddress.class);
@@ -341,12 +331,12 @@ public class PVPConfiguration {
public Organization getIDPOrganisation() throws ConfigurationException {
Organization org = SAML2Utils.createSAMLObject(Organization.class);
- Properties organisation = AuthConfigurationProviderFactory.getInstance().getConfigurationWithPrefix(
+ Map<String, String> organisation = AuthConfigurationProviderFactory.getInstance().getConfigurationWithPrefix(
MOAIDConfigurationConstants.GENERAL_PROTOCOLS_PVP2X_METADATA_ORG + ".");
- String org_name = organisation.getProperty(IDP_ORG_NAME);
- String org_dispname = organisation.getProperty(IDP_ORG_DISPNAME);
- String org_url = organisation.getProperty(IDP_ORG_URL);
+ String org_name = organisation.get(IDP_ORG_NAME);
+ String org_dispname = organisation.get(IDP_ORG_DISPNAME);
+ String org_url = organisation.get(IDP_ORG_URL);
if (org_name == null || org_dispname == null || org_url == null) {
return null;
@@ -373,6 +363,7 @@ public class PVPConfiguration {
private String parseMOAIDVersionFromManifest() {
try {
+ @SuppressWarnings("rawtypes")
Class clazz = PVPConfiguration.class;
String className = clazz.getSimpleName() + ".class";
String classPath = clazz.getResource(className).toString();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
index 0ec79c79a..c2127a2af 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java
@@ -22,6 +22,7 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x.metadata;
+import java.io.IOException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Collection;
@@ -30,6 +31,7 @@ import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
+import java.util.Map.Entry;
import java.util.Timer;
import javax.net.ssl.SSLHandshakeException;
@@ -47,13 +49,13 @@ import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.parse.BasicParserPool;
-import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
-import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModeType;
-import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2;
-import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
+import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
@@ -61,6 +63,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.Interfeder
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataFilterChain;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.MiscUtil;
public class MOAMetadataProvider implements MetadataProvider {
@@ -68,7 +71,6 @@ public class MOAMetadataProvider implements MetadataProvider {
private static MOAMetadataProvider instance = null;
private static Object mutex = new Object();
- private static Date timestamp = null;
public static MOAMetadataProvider getInstance() {
if (instance == null) {
@@ -80,18 +82,19 @@ public class MOAMetadataProvider implements MetadataProvider {
}
return instance;
}
-
- public static Date getTimeStamp() {
- return timestamp;
- }
public static void reInitialize() {
synchronized (mutex) {
/**add new Metadataprovider or remove Metadataprovider which are not in use any more.**/
if (instance != null)
- instance.addAndRemoveMetadataProvider();
-
+ try {
+ instance.addAndRemoveMetadataProvider();
+
+ } catch (ConfigurationException e) {
+ Logger.error("Access to MOA-ID configuration FAILED.", e);
+
+ }
else
Logger.info("MOAMetadataProvider is not loaded.");
}
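Review bot: The `if (instance != null)` in reInitialize now has a bare try/catch as its then-branch followed by a dangling `else` after the catch, which compiles but is easy to misread; brace both branches: `if (instance != null) { try { ... } catch (ConfigurationException e) { ... } } else { Logger.info("MOAMetadataProvider is not loaded."); }`. The public `getTimeStamp()` accessor is removed along with the timestamp that drove the old "update required" check; if any external caller used it this is an API break worth stating in the commit message.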
@@ -109,89 +112,165 @@ public class MOAMetadataProvider implements MetadataProvider {
MetadataProvider internalProvider;
- private void addAndRemoveMetadataProvider() {
+ public boolean refreshMetadataProvider(String entityID) {
+ try {
+ OAAuthParameter oaParam =
+ AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(entityID);
+ if (oaParam != null) {
+ String metadataURL = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_URL);
+ if (MiscUtil.isNotEmpty(metadataURL)) {
+ Map<String, HTTPMetadataProvider> actuallyLoadedProviders = getAllActuallyLoadedProviders();
+
+ // check if MetadataProvider is actually loaded
+ if (actuallyLoadedProviders.containsKey(metadataURL)) {
+ actuallyLoadedProviders.get(metadataURL).refresh();
+ Logger.info("PVP2X metadata for onlineApplication: "
+ + entityID + " is refreshed.");
+ return true;
+
+ } else {
+ //load new Metadata Provider
+ String certBase64 = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE);
+ if (MiscUtil.isNotEmpty(certBase64)) {
+ byte[] cert = Base64Utils.decode(certBase64, false);
+ String oaFriendlyName = oaParam.getFriendlyName();
+
+ ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;
+ HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL,
+ cert, oaFriendlyName,
+ buildMetadataFilterChain(oaParam, metadataURL,
+ cert));
+
+ chainProvider.addMetadataProvider(newMetadataProvider);
+ Logger.info("PVP2X metadata for onlineApplication: "
+ + entityID + " is added.");
+ return true;
+
+ } else
+ Logger.debug("Can not refresh PVP2X metadata: NO PVP2X metadata certificate for OA with Id: " + entityID);
+
+ }
+
+ } else
+ Logger.debug("Can not refresh PVP2X metadata: NO PVP2X metadata URL for OA with Id: " + entityID);
+
+ } else
+ Logger.debug("Can not refresh PVP2X metadata: NO onlineApplication with Id: " + entityID);
+
+
+ } catch (ConfigurationException e) {
+ Logger.warn("Access MOA-ID configuration FAILED.", e);
+
+ } catch (MetadataProviderException e) {
+ Logger.warn("Refresh PVP2X metadata for onlineApplication: "
+ + entityID + " FAILED.", e);
+
+ } catch (IOException e) {
+ Logger.warn("Refresh PVP2X metadata for onlineApplication: "
+ + entityID + " FAILED.", e);
+
+ } catch (CertificateException e) {
+ Logger.warn("Refresh PVP2X metadata for onlineApplication: "
+ + entityID + " FAILED.", e);
+
+ }
+
+ return false;
+
+ }
+
+ private Map<String, HTTPMetadataProvider> getAllActuallyLoadedProviders() {
+ Map<String, HTTPMetadataProvider> loadedproviders = new HashMap<String, HTTPMetadataProvider>();
+ ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;
+
+ //make a Map of all actually loaded HTTPMetadataProvider
+ List<MetadataProvider> providers = chainProvider.getProviders();
+ for (MetadataProvider provider : providers) {
+ if (provider instanceof HTTPMetadataProvider) {
+ HTTPMetadataProvider httpprovider = (HTTPMetadataProvider) provider;
+ loadedproviders.put(httpprovider.getMetadataURI(), httpprovider);
+
+ }
+ }
+
+ return loadedproviders;
+ }
+
+
+ private void addAndRemoveMetadataProvider() throws ConfigurationException {
if (internalProvider != null && internalProvider instanceof ChainingMetadataProvider) {
Logger.info("Relaod MOAMetaDataProvider.");
/*OpenSAML ChainingMetadataProvider can not remove a MetadataProvider (UnsupportedOperationException)
*The ChainingMetadataProvider use internal a unmodifiableList to hold all registrated MetadataProviders.*/
Map<String, MetadataProvider> providersinuse = new HashMap<String, MetadataProvider>();
-
- Map<String, HTTPMetadataProvider> loadedproviders = new HashMap<String, HTTPMetadataProvider>();
ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;
- //make a Map of all actually loaded HTTPMetadataProvider
- List<MetadataProvider> providers = chainProvider.getProviders();
- for (MetadataProvider provider : providers) {
- if (provider instanceof HTTPMetadataProvider) {
- HTTPMetadataProvider httpprovider = (HTTPMetadataProvider) provider;
- loadedproviders.put(httpprovider.getMetadataURI(), httpprovider);
- }
- }
-
- //set Timestamp
- Date oldTimeStamp = timestamp;
- timestamp = new Date();
+ //get all actually loaded metadata providers
+ Map<String, HTTPMetadataProvider> loadedproviders = getAllActuallyLoadedProviders();
//load all PVP2 OAs form ConfigurationDatabase and
//compare actually loaded Providers with configured PVP2 OAs
- List<OnlineApplication> oaList = ConfigurationDBRead
- .getAllActiveOnlineApplications();
-
- Iterator<OnlineApplication> oaIt = oaList.iterator();
- while (oaIt.hasNext()) {
- HTTPMetadataProvider httpProvider = null;
-
- try {
- OnlineApplication oa = oaIt.next();
- OAPVP2 pvp2Config = oa.getAuthComponentOA().getOAPVP2();
- if (pvp2Config != null && MiscUtil.isNotEmpty(pvp2Config.getMetadataURL())) {
-
- String metadataurl = pvp2Config.getMetadataURL();
+ Map<String, String> allOAs = AuthConfigurationProviderFactory.getInstance().getConfigurationWithWildCard(
+ MOAIDConfigurationConstants.PREFIX_SERVICES
+ + ".%."
+ + MOAIDConfigurationConstants.SERVICE_UNIQUEIDENTIFIER);
+
+ if (allOAs != null) {
+ Iterator<Entry<String, String>> oaInterator = allOAs.entrySet().iterator();
+ while (oaInterator.hasNext()) {
+ Entry<String, String> oaKeyPair = oaInterator.next();
+
+ OAAuthParameter oaParam =
+ AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(oaKeyPair.getValue());
+ if (oaParam != null) {
+ String metadataurl = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_URL);
- if (loadedproviders.containsKey(metadataurl)) {
-
- if (pvp2Config.getUpdateRequiredItem() != null &&
- pvp2Config.getUpdateRequiredItem().after(oldTimeStamp)) {
- //PVP2 OA is actually loaded, but update is requested
- Logger.info("Reload metadata for: " + oa.getFriendlyName());
- loadedproviders.get(metadataurl).refresh();
-
- }
-
- // PVP2 OA is actually loaded, to nothing
- providersinuse.put(metadataurl, loadedproviders.get(metadataurl));
- loadedproviders.remove(metadataurl);
+ HTTPMetadataProvider httpProvider = null;
+ try {
+ if (MiscUtil.isNotEmpty(metadataurl)) {
+ if (loadedproviders.containsKey(metadataurl)) {
+ // PVP2 OA is actually loaded, to nothing
+ providersinuse.put(metadataurl, loadedproviders.get(metadataurl));
+ loadedproviders.remove(metadataurl);
- } else if ( MiscUtil.isNotEmpty(metadataurl) &&
- !providersinuse.containsKey(metadataurl) ) {
- //PVP2 OA is new, add it to MOAMetadataProvider
-
- Logger.info("Loading metadata for: " + oa.getFriendlyName());
- httpProvider = createNewHTTPMetaDataProvider(
- pvp2Config.getMetadataURL(),
- pvp2Config.getCertificate(),
- oa.getFriendlyName(),
- buildMetadataFilterChain(oa, pvp2Config.getMetadataURL(),
- pvp2Config.getCertificate()));
+ } else if ( MiscUtil.isNotEmpty(metadataurl) &&
+ !providersinuse.containsKey(metadataurl) ) {
+ //PVP2 OA is new, add it to MOAMetadataProvider
+ String certBase64 = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE);
+ if (MiscUtil.isNotEmpty(certBase64)) {
+ byte[] cert = Base64Utils.decode(certBase64, false);
+ String oaFriendlyName = oaParam.getFriendlyName();
+
+
+ Logger.info("Loading metadata for: " + oaFriendlyName);
+ httpProvider = createNewHTTPMetaDataProvider(
+ metadataurl,
+ cert,
+ oaFriendlyName,
+ buildMetadataFilterChain(oaParam, metadataurl,
+ cert));
- if (httpProvider != null)
- providersinuse.put(metadataurl, httpProvider);
+ if (httpProvider != null)
+ providersinuse.put(metadataurl, httpProvider);
+ }
- }
- }
- } catch (Throwable e) {
- Logger.error(
+ }
+ }
+ } catch (Throwable e) {
+ Logger.error(
"Failed to add Metadata (unhandled reason: "
+ e.getMessage(), e);
- if (httpProvider != null) {
- Logger.debug("Destroy failed Metadata provider");
- httpProvider.destroy();
- }
+ if (httpProvider != null) {
+ Logger.debug("Destroy failed Metadata provider");
+ httpProvider.destroy();
+ }
- }
+ }
+ }
+ }
}
//remove all actually loaded MetadataProviders with are not in ConfigurationDB any more
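Review bot: `refreshMetadataProvider` mutates the shared `ChainingMetadataProvider` (`chainProvider.addMetadataProvider` in the "load new Metadata Provider" branch) from request-handling threads without holding `mutex`, while `reInitialize` rebuilds the provider list under that lock; two concurrent failing requests for the same OA can both miss in `getAllActuallyLoadedProviders()` and add two providers for one URL, and a concurrent rebuild that snapshots the provider list and then calls setProviders can presumably drop a just-added one. Wrap the method body in `synchronized (mutex) { ... }`, the same lock reInitialize uses. Because this method is reachable from an unauthenticated inbound message (RedirectBinding calls it on signature failure), the `refresh()` call is also the right place to keep a last-refresh timestamp per metadataURL and skip refreshes arriving within a short window. `addAndRemoveMetadataProvider` continues past the end of the hunk.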
@@ -261,77 +340,90 @@ public class MOAMetadataProvider implements MetadataProvider {
Logger.info("Loading metadata");
Map<String, MetadataProvider> providersinuse = new HashMap<String, MetadataProvider>();
-
- List<OnlineApplication> oaList = ConfigurationDBRead
- .getAllActiveOnlineApplications();
-
- if (oaList.size() == 0)
- Logger.info("No Online-Application configuration found. PVP 2.1 metadata provider initialization failed!");
-
- Iterator<OnlineApplication> oaIt = oaList.iterator();
- while (oaIt.hasNext()) {
- HTTPMetadataProvider httpProvider = null;
+ try {
+ Map<String, String> allOAs = AuthConfigurationProviderFactory.getInstance().getConfigurationWithWildCard(
+ MOAIDConfigurationConstants.PREFIX_SERVICES
+ + ".%."
+ + MOAIDConfigurationConstants.SERVICE_UNIQUEIDENTIFIER);
- try {
- OnlineApplication oa = oaIt.next();
- Logger.info("Loading metadata for: " + oa.getFriendlyName());
- OAPVP2 pvp2Config = oa.getAuthComponentOA().getOAPVP2();
- if (pvp2Config != null && MiscUtil.isNotEmpty(pvp2Config.getMetadataURL())) {
- String metadataURL = pvp2Config.getMetadataURL();
+ if (allOAs != null) {
+ Iterator<Entry<String, String>> oaInterator = allOAs.entrySet().iterator();
+ while (oaInterator.hasNext()) {
+ Entry<String, String> oaKeyPair = oaInterator.next();
- if (!providersinuse.containsKey(metadataURL)) {
-
- httpProvider = createNewHTTPMetaDataProvider(
- metadataURL,
- pvp2Config.getCertificate(),
- oa.getFriendlyName(),
- buildMetadataFilterChain(oa, metadataURL,
- pvp2Config.getCertificate()));
-
- if (httpProvider != null)
- providersinuse.put(metadataURL, httpProvider);
+ OAAuthParameter oaParam =
+ AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(oaKeyPair.getValue());
+ if (oaParam != null) {
+ String metadataurl = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_URL);
+ String oaFriendlyName = oaParam.getFriendlyName();
+ HTTPMetadataProvider httpProvider = null;
+
+ try {
+ String certBase64 = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE);
+ if (MiscUtil.isNotEmpty(certBase64) || MiscUtil.isNotEmpty(metadataurl)) {
+ byte[] cert = Base64Utils.decode(certBase64, false);
+
+
+ Logger.info("Loading metadata for: " + oaFriendlyName);
+ if (!providersinuse.containsKey(metadataurl)) {
+ httpProvider = createNewHTTPMetaDataProvider(
+ metadataurl,
+ cert,
+ oaFriendlyName,
+ buildMetadataFilterChain(oaParam, metadataurl,
+ cert));
- } else {
- Logger.info(metadataURL + " are already added.");
- }
+ if (httpProvider != null)
+ providersinuse.put(metadataurl, httpProvider);
+
+ } else {
+ Logger.info(metadataurl + " are already added.");
+ }
+
+ } else {
+ Logger.info(oaFriendlyName
+ + " is not a PVP2 Application skipping");
+ }
+ } catch (Throwable e) {
+ Logger.error(
+ "Failed to add Metadata (unhandled reason: "
+ + e.getMessage(), e);
- } else {
- Logger.info(oa.getFriendlyName()
- + " is not a PVP2 Application skipping");
+ if (httpProvider != null) {
+ Logger.debug("Destroy failed Metadata provider");
+ httpProvider.destroy();
+ }
+ }
+ }
}
- } catch (Throwable e) {
+
+ } else
+ Logger.info("No Online-Application configuration found. PVP 2.1 metadata provider initialization failed!");
+
+ try {
+ chainProvider.setProviders(new ArrayList<MetadataProvider>(providersinuse.values()));
+
+ } catch (MetadataProviderException e) {
Logger.error(
"Failed to add Metadata (unhandled reason: "
+ e.getMessage(), e);
-
- if (httpProvider != null) {
- Logger.debug("Destroy failed Metadata provider");
- httpProvider.destroy();
- }
- }
- }
-
-
- try {
- chainProvider.setProviders(new ArrayList<MetadataProvider>(providersinuse.values()));
+ }
+
+ } catch (ConfigurationException e) {
+ Logger.error("Access MOA-ID configuration FAILED.", e);
- } catch (MetadataProviderException e) {
- Logger.error(
- "Failed to add Metadata (unhandled reason: "
- + e.getMessage(), e);
}
internalProvider = chainProvider;
- timestamp = new Date();
}
- private MetadataFilterChain buildMetadataFilterChain(OnlineApplication oa, String metadataURL, byte[] certificate) throws CertificateException {
+ private MetadataFilterChain buildMetadataFilterChain(OAAuthParameter oaParam, String metadataURL, byte[] certificate) throws CertificateException {
MetadataFilterChain filterChain = new MetadataFilterChain(metadataURL, certificate);
filterChain.getFilters().add(new SchemaValidationFilter());
- if (oa.isIsInterfederationIDP() != null && oa.isIsInterfederationIDP()) {
+ if (oaParam.isInderfederationIDP()) {
Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies");
- filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oa.getType()));
+ filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oaParam.getBusinessService()));
}
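Review bot: The guard `if (MiscUtil.isNotEmpty(certBase64) || MiscUtil.isNotEmpty(metadataurl))` in the initial loading loop uses `||` where the sibling logic in `addAndRemoveMetadataProvider` requires both values; with a URL but no certificate it proceeds to `Base64Utils.decode(certBase64, false)` on an empty value and then to `createNewHTTPMetaDataProvider` with an empty or null certificate, which only the blanket `catch (Throwable e)` reports as "Failed to add Metadata (unhandled reason", and with a certificate but no URL it builds a provider for a null URL. Change it to `if (MiscUtil.isNotEmpty(certBase64) && MiscUtil.isNotEmpty(metadataurl)) {` so an OA missing either value takes the "is not a PVP2 Application skipping" branch as intended. Whether an empty certificate array would actually weaken signature checking inside `MetadataFilterChain` is not visible here, but it should be an explicit skip rather than something the Throwable catch happens to absorb. The loading method's signature lies before the hunk.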
@@ -352,7 +444,7 @@ public class MOAMetadataProvider implements MetadataProvider {
AuthConfigurationProviderFactory.getInstance().getCertstoreDirectory(),
AuthConfigurationProviderFactory.getInstance().getTrustedCACertificates(),
null,
- ChainingModeType.fromValue(AuthConfigurationProviderFactory.getInstance().getDefaultChainingMode()),
+ AuthConfiguration.DEFAULT_X509_CHAININGMODE,
AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking());
httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory);
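Review bot: Replacing `ChainingModeType.fromValue(getDefaultChainingMode())` with the constant `AuthConfiguration.DEFAULT_X509_CHAININGMODE` means the operator-configured chaining mode is no longer consulted when building the TLS trust manager for metadata fetches; if the two can differ in a deployment, certificate-path validation for the metadata connection silently changes with this commit. If the configuration option was intentionally retired, a comment saying so belongs here, e.g. `// chaining mode is no longer configurable; the global default applies to metadata TLS connections`, otherwise the configured value should still be read. The enclosing method starts outside the hunk.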
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
index 550643da1..69c760f19 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java
@@ -22,6 +22,7 @@
*******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
+import java.io.IOException;
import java.util.List;
import org.opensaml.saml2.metadata.EntitiesDescriptor;
@@ -32,36 +33,39 @@ import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
-import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
-import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2;
-import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
+import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSignedException;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Base64Utils;
+import at.gv.egovernment.moa.util.MiscUtil;
public class EntityVerifier {
public static byte[] fetchSavedCredential(String entityID) {
// List<OnlineApplication> oaList = ConfigurationDBRead
// .getAllActiveOnlineApplications();
+ try {
+ OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(entityID);
- OnlineApplication oa = ConfigurationDBRead
- .getActiveOnlineApplication(entityID);
-
-// Iterator<OnlineApplication> oaIt = oaList.iterator();
-// while (oaIt.hasNext()) {
-// OnlineApplication oa = oaIt.next();
-// if (oa.getPublicURLPrefix().equals(entityID)) {
-
- if (oa != null && oa.getAuthComponentOA() != null) {
-
- OAPVP2 pvp2Config = oa.getAuthComponentOA().getOAPVP2();
- if (pvp2Config != null) {
- return pvp2Config.getCertificate();
- }
+ String certBase64 = oa.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE);
+ if (MiscUtil.isNotEmpty(certBase64)) {
+ return Base64Utils.decode(certBase64, false);
+
}
-// }
+
+ } catch (ConfigurationException e) {
+ Logger.error("Access MOA-ID configuration FAILED.", e);
+
+ } catch (IOException e) {
+ Logger.warn("Decoding PVP2X metadata certificate FAILED.", e);
+
+ }
+
return null;
}
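Review bot: The null guard that the removed `if (oa != null && ...)` provided is gone: if `getOnlineApplicationParameter` returns null for an entityID that is not configured (I can't confirm its contract from here), the call `oa.getConfigurationValue(...)` throws a NullPointerException that neither catch clause handles, so the method escapes with an unchecked exception instead of its `return null` path and the caller's "no credential" handling is bypassed. Add `if (oa == null) { Logger.info("No online application configured for entityID: " + entityID); return null; }` directly after the lookup. Since the returned bytes are the certificate used to verify the peer's SAML signatures, the two failure modes (configuration unreadable vs. certificate undecodable) deserve the distinct log levels they now have, but the stale commented-out `oaList` lines kept at the top of the method should be deleted rather than carried forward.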
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
index 257f9dac4..70b778c49 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
@@ -38,7 +38,6 @@ import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.StatusResponseType;
-import org.opensaml.saml2.core.validator.AuthnRequestSchemaValidator;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
@@ -68,25 +67,50 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationExcep
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
public class SAMLVerificationEngine {
public void verify(InboundMessage msg, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception {
- if (msg instanceof MOARequest &&
- ((MOARequest)msg).getSamlRequest() instanceof RequestAbstractType)
- verifyRequest(((RequestAbstractType)((MOARequest)msg).getSamlRequest()), sigTrustEngine);
-
- else
- verifyResponse(((MOAResponse)msg).getResponse(), sigTrustEngine);
+ try {
+ if (msg instanceof MOARequest &&
+ ((MOARequest)msg).getSamlRequest() instanceof RequestAbstractType)
+ verifyRequest(((RequestAbstractType)((MOARequest)msg).getSamlRequest()), sigTrustEngine);
+ else
+ verifyResponse(((MOAResponse)msg).getResponse(), sigTrustEngine);
+
+ } catch (InvalidProtocolRequestException e) {
+ if (MiscUtil.isEmpty(msg.getEntityID())) {
+ throw e;
+
+ }
+ Logger.debug("PVP2X message validation FAILED. Relead metadata for entityID: " + msg.getEntityID());
+ if (!MOAMetadataProvider.getInstance().refreshMetadataProvider(msg.getEntityID()))
+ throw e;
+
+ else {
+ Logger.trace("PVP2X metadata reload finished. Check validate message again.");
+
+ if (msg instanceof MOARequest &&
+ ((MOARequest)msg).getSamlRequest() instanceof RequestAbstractType)
+ verifyRequest(((RequestAbstractType)((MOARequest)msg).getSamlRequest()), sigTrustEngine);
+
+ else
+ verifyResponse(((MOAResponse)msg).getResponse(), sigTrustEngine);
+
+ }
+ Logger.trace("Second PVP2X message validation finished");
+ }
}
- public void verifyResponse(StatusResponseType samlObj, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception {
+ public void verifyResponse(StatusResponseType samlObj, SignatureTrustEngine sigTrustEngine ) throws InvalidProtocolRequestException{
SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
try {
profileValidator.validate(samlObj.getSignature());
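Review bot: The metadata refresh in the new catch block is keyed on `msg.getEntityID()`, which at that point is still an unverified claim from the inbound message (its signature check has just failed), so any sender can cause a remote metadata re-fetch once per rejected message for whatever entityID it names. Unless `refreshMetadataProvider` already does so, restrict the refresh to entityIDs that are already configured, enforce a minimum interval between refreshes per entity, and log the attempt at warn rather than debug so repeated triggers are visible in operations monitoring. The dispatch at lines 790–794 is repeated verbatim at 808–813; extracting it into `private void verifyMessage(InboundMessage msg, SignatureTrustEngine sigTrustEngine) throws InvalidProtocolRequestException` removes the duplication and the risk of the two copies drifting apart. The debug message has a typo (`Relead` → `Reload`), and `verify` still declares `throws org.opensaml.xml.security.SecurityException, Exception` although both callees now throw only `InvalidProtocolRequestException`, so the clause can be narrowed; `verifyResponse` continues past the end of this hunk.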
@@ -110,13 +134,13 @@ public class SAMLVerificationEngine {
if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) {
throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
}
- } catch (SecurityException e) {
- e.printStackTrace();
+ } catch (org.opensaml.xml.security.SecurityException e) {
+ Logger.warn("PVP2x message signature validation FAILED.", e);
throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
}
}
- public void verifyRequest(RequestAbstractType samlObj, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception {
+ public void verifyRequest(RequestAbstractType samlObj, SignatureTrustEngine sigTrustEngine ) throws InvalidProtocolRequestException {
SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
try {
profileValidator.validate(samlObj.getSignature());
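Review bot: The new `catch (org.opensaml.xml.security.SecurityException e)` apparently fixes the previous unqualified `SecurityException`, which would have resolved to `java.lang.SecurityException` and let trust-engine failures escape through the old throws clause, but the `InvalidProtocolRequestException` thrown on the next line drops `e`, leaving the warn log line as the only record of why signature validation failed. If `InvalidProtocolRequestException` has a cause-accepting constructor, pass `e` to it; the identical catch in the `verifyRequest` hunk at lines 844–848 needs the same change. `verifyResponse` begins before this hunk and `verifyRequest` continues past it.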
@@ -140,8 +164,8 @@ public class SAMLVerificationEngine {
if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) {
throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
}
- } catch (SecurityException e) {
- e.printStackTrace();
+ } catch (org.opensaml.xml.security.SecurityException e) {
+ Logger.warn("PVP2x message signature validation FAILED.", e);
throw new InvalidProtocolRequestException("pvp2.21", new Object[] {});
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java
index 4d9b97a52..918863d05 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java
@@ -41,14 +41,10 @@ public class InterfederatedIDPPublicServiceFilter implements MetadataFilter {
/**
*
*/
- public InterfederatedIDPPublicServiceFilter(String metadataURL, String oaType) {
+ public InterfederatedIDPPublicServiceFilter(String metadataURL, boolean isBusinessService) {
Logger.debug("Add " + this.getClass().getName() + " to metadata policy");
this.metadataURL = metadataURL;
-
- if (oaType.equals("businessService"))
- this.isPublicService = false;
- else
- this.isPublicService = true;
+ this.isPublicService = !isBusinessService;
}
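Review bot: The Javadoc above the constructor is still empty even though its second parameter changed from a type string to a boolean whose meaning is inverted on the next line (`this.isPublicService = !isBusinessService;`), so a caller passing the wrong polarity gets no hint from the API. Replace the empty block with a short Javadoc stating that the filter is applied to the metadata at `metadataURL`, plus `@param isBusinessService {@code true} if the online application is a business service; the filter then treats it as non-public`. The `Logger.debug` line reads the class name at construction time; it does not affect behaviour and needs no change.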