1 files changed, 33 insertions, 10 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java
index 71b55d991..25cb952d7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java
@@ -50,7 +50,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 /**
- * the AttributeCollector Action tries to get all requested attributes from a set of {@link AttributeProvider} Plugins.
+ * The AttributeCollector Action tries to get all requested attributes from a set of {@link AttributeProvider} Plugins.
  * The class is called whenever the {@link AuthenticationRequest} Action is invoked and checks for missing attributes.
  * Furthermore, the class can handle direct posts. That is when the class triggers an attribute query which needs user
  * interaction, redirect to another portal, etc. The redirect will hit here and the class can continue to fetch attributes.
@@ -80,8 +80,6 @@ public class AttributeCollector implements IAction {
 		}
 
 
-        //   TODO extract attribute response and check if it corresponds to the container
-
         if (httpReq.getParameter("SAMLResponse") != null) {
             Logger.info("Got SAML response from external attribute provider.");
 
@@ -106,7 +104,7 @@ public class AttributeCollector implements IAction {
             STORKAuthnResponse authnResponse = null;
 
 
-            // check if valid authn request is contained
+            // check if valid authn response is contained
             try {
                 authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, httpReq.getRemoteAddr());
             } catch (STORKSAMLEngineException ex) {
@@ -115,6 +113,22 @@ public class AttributeCollector implements IAction {
 
             STORK2Response.setSTORKAuthnResponseToken(decSamlToken);
 
+            // check if the attributes are provided for the same person from request
+            // requires presence of eIdentifier for unambigious correlation
+            Logger.debug("Checking if the attribute relates to the correct person..");
+            try {
+                String remoteEIdentifier= authnResponse.getPersonalAttributeList().get("eIdentifier").getValue().get(0);
+                String localEidentifier= container.getResponse().getStorkAuthnResponse().getPersonalAttributeList().get("eIdentifier").getValue().get(0);
+                    if (!remoteEIdentifier.equals(localEidentifier)) {
+                        Logger.error("The attribute is not provided for the same person!");
+                        throw new MOAIDException("stork.25", null);
+                    }
+            } catch (NullPointerException ex) {
+                Logger.warn("Could not check the correlation of attributes from external provider. Ignoring the check.");
+                //Logger.debug(ex);
+                //throw new MOAIDException("stork.04", null); // TODO revise message, raise exception when ehvd checked
+            }
+
             if (authnResponse.getPersonalAttributeList().size() > 0) {
                 Logger.info("Response from external attribute provider contains " + authnResponse.getPersonalAttributeList().size() + " attributes.");
                 container.getResponse().setPersonalAttributeList(addOrUpdateAll(container.getResponse().getPersonalAttributeList(), authnResponse.getPersonalAttributeList()));
@@ -180,9 +194,21 @@ public class AttributeCollector implements IAction {
         IPersonalAttributeList requestAttributeList = container.getRequest().getPersonalAttributeList();
         IPersonalAttributeList responseAttributeList = container.getResponse().getPersonalAttributeList();
         List<PersonalAttribute> missingAttributes = new ArrayList<PersonalAttribute>();
+        Logger.debug("aquire list of missing attributes");
         for (PersonalAttribute current : requestAttributeList)
-            if (!responseAttributeList.containsKey(current.getName()))
-                missingAttributes.add(current);
+            if (!responseAttributeList.containsKey(current.getName())) {
+                if(null == current.getStatus() || (null != current.getStatus() && !current.getStatus().equals(AttributeStatusType.WITHHELD.value()))) {
+                    // add the ones we need
+                    missingAttributes.add(current);
+                    Logger.debug("add " + current.getName() + " to the list of missing attributes");
+                }
+            } else {
+                // remove the ones we do not want to share from the response list
+                if(null != current.getStatus() && current.getStatus().equals(AttributeStatusType.WITHHELD.value())) {
+                    responseAttributeList.remove(current.getName());
+                    Logger.debug("remove " + current.getName() + " from the list of resulting attributes because the user does not want to disclose the data");
+                }
+            }
 
         Logger.info("collecting attributes...");
 		Logger.debug("found " + missingAttributes.size() + " missing attributes");
@@ -249,10 +275,7 @@ public class AttributeCollector implements IAction {
             Logger.info("collecting attributes done");
             
             // ask for consent if necessary
-            if(oaParam.isRequireConsentForStorkAttributes())
-            	new ConsentEvaluator().requestConsent(container, response, oaParam);
-            else
-            	new ConsentEvaluator().generateSTORKResponse(response, container);
+            new ConsentEvaluator().generateSTORKResponse(response, container);
 
             return null; // AssertionId
                             // TODO