Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols')
28 files changed, 491 insertions, 114 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
index 3b0d07ce1..583120a86 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
@@ -115,6 +115,7 @@ public final class OAuth20AttributeBuilder {
 buildersOpenId.add(new OpenIdExpirationTimeAttribute());
 buildersOpenId.add(new OpenIdIssueInstantAttribute());
 buildersOpenId.add(new OpenIdAuthenticationTimeAttribute());
+ buildersOpenId.add(new OpenIdAudiencesAttribute());
 // profile
 buildersProfile.add(new ProfileGivenNameAttribute());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPProcessor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAudiencesAttribute.java
index 7509c51d8..404eb1b44 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPProcessor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAudiencesAttribute.java
@@ -20,15 +20,28 @@ * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x; +package at.gv.egovernment.moa.id.protocols.oauth20.attributes; -import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; - -public class PVPProcessor extends AuthServlet { - - /** - * - */ - private static final long serialVersionUID = 4102075202310068260L; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +public class OpenIdAudiencesAttribute implements IAttributeBuilder { + + public String getName() { + return "aud"; + } + + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, + IAttributeGenerator<ATT> g) throws AttributeException { + return g.buildStringAttribute(this.getName(), "", oaParam.getPublicURLPrefix()); + } + + public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) { + return g.buildEmptyAttribute(this.getName(), ""); + } + } + diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index fec8e3b98..dbf54951f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java 
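Review bot: The new `build` method sets the `aud` claim to `oaParam.getPublicURLPrefix()`, and an OpenID Connect relying party validates `aud` against its own client_id, so this is only correct if the public URL prefix is exactly what this deployment's OAuth clients are registered under as client_id — that cannot be confirmed from the hunk and should be checked against the client configuration. The class carries no documentation; a header such as `/** Builds the OpenID Connect {@code aud} (audience) claim of the ID token, set to the online application's public URL prefix. */` would record that decision for the next reader. Note also that git paired this new file with the deleted `PVPProcessor` servlet as a rename (the `---`/`+++` headers name different classes); the two are unrelated, so the removal of `PVPProcessor` deserves a mention in the commit message.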
@@ -165,7 +165,7 @@ public class MetadataAction implements IAction { Logger.debug("METADATA: " + metadataXML); httpResp.setContentType("text/xml"); - httpResp.getOutputStream().write(metadataXML.getBytes()); + httpResp.getOutputStream().write(metadataXML.getBytes("UTF-8")); httpResp.getOutputStream().close(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java index 46e02d048..b22941216 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java @@ -135,7 +135,7 @@ public class SingleLogOutAction implements IAction { if (MiscUtil.isEmpty(ssoID)) { Logger.warn("Can not find active Session. Single LogOut not possible!"); SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); - LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq); + LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); return null; @@ -147,7 +147,7 @@ public class SingleLogOutAction implements IAction { } catch (MOADatabaseException e) { Logger.warn("Can not find active Session. Single LogOut not possible!"); SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); - LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq); + LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); return null; 
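Review bot: The write now encodes `metadataXML` as UTF-8, but the header set two lines above is still `httpResp.setContentType("text/xml")` without a charset parameter, so the bytes and the declared encoding can disagree (for `text/xml` without a charset, RFC 3023 defines US-ASCII as the default). Declare it on the response as well: `httpResp.setContentType("text/xml; charset=UTF-8");`. The enclosing method starts and ends outside the hunk.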
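Review bot: The changed line in the `MiscUtil.isEmpty(ssoID)` hunk at -135 and the identical one in the `catch (MOADatabaseException e)` hunk at -147 are two copies of the same four-statement error path (warn, resolve the SLO descriptor, build a `RESPONDER_URI` error response, send it front-channel). A private helper along the lines of `sendSLOErrorResponse(pvpReq, samlReq, httpReq, httpResp)` would keep the chosen top-level status code in one place. `StatusCode.RESPONDER_URI` is the appropriate top-level code for a session the IdP cannot locate. The enclosing method continues outside both hunks.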
@@ -162,7 +162,9 @@ public class SingleLogOutAction implements IAction { ((MOAResponse)pvpReq.getRequest()).getResponse() instanceof LogoutResponse) { Logger.debug("Process Single LogOut response"); LogoutResponse logOutResp = (LogoutResponse) ((MOAResponse)pvpReq.getRequest()).getResponse(); - + + Transaction tx = null; + try { String relayState = pvpReq.getRequest().getRelayState(); if (MiscUtil.isEmpty(relayState)) { @@ -179,7 +181,7 @@ public class SingleLogOutAction implements IAction { //TODO: add counter to prevent deadlock while (!storageSuccess) { - Transaction tx = session.beginTransaction(); + tx = session.beginTransaction(); List result; Query query = session.getNamedQuery("getAssertionWithArtifact"); @@ -235,7 +237,7 @@ public class SingleLogOutAction implements IAction { try { session.delete(element); tx.commit(); - + } catch(HibernateException e) { tx.rollback(); Logger.error("SLOContainter could not deleted from database. "); @@ -292,7 +294,14 @@ public class SingleLogOutAction implements IAction { Logger.error("Finale SLO redirct not possible.", e); throw new AuthenticationException("pvp2.13", new Object[]{}); + } finally { + if (tx != null && !tx.wasCommitted()) { + tx.commit(); + + } } + + } else { Logger.error("Process SingleLogOutAction but request is NOT of type LogoutRequest or LogoutResponse."); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 7f73b1ed7..1a268c812 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java 
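Review bot: The new `finally` block in the -292 hunk calls `tx.commit()` whenever `!tx.wasCommitted()`, but the `catch (HibernateException e)` path in the -235 hunk has already called `tx.rollback()`, and a rolled-back transaction is not committed either, so the finally block will attempt to commit a rolled-back transaction and the resulting exception masks the original one (the same applies when the `AuthenticationException` thrown just above the `finally` propagates). Guard on the transaction state instead, e.g. `if (tx != null && tx.isActive()) { tx.commit(); }`, or better, only roll back a still-active transaction in `finally` and leave committing to the loop body. Since `tx` is reassigned on every pass of the `while (!storageSuccess)` loop (hunk -179), only the last transaction is covered by this `finally` in any case. The enclosing method starts and ends outside these hunks.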
@@ -147,20 +147,22 @@ public class PostBinding implements IDecoder, IEncoder { messageContext .setInboundMessageTransport(new HttpServletRequestAdapter(req)); try { - decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService())); - + //set metadata descriptor type + if (isSPEndPoint) { + messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService())); + + } else { + messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService())); + } + } catch (ConfigurationException e) { throw new SecurityException(e); } messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); - - //set metadata descriptor type - if (isSPEndPoint) - messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); - else - messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); - + decode.decode(messageContext); InboundMessage msg = null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 26f6f3a62..587d8e935 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java 
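Review bot: The new branch sets the peer role to `IDPSSODescriptor` when `isSPEndPoint` is true and to `SPSSODescriptor` otherwise, which reads inverted at first glance; a comment above the `if` would save the next reader a detour, e.g. `// isSPEndPoint: the message arrived at our SP endpoint, so the peer that sent it is an IdP`. Moving the `setPeerEntityRole` calls inside the `try` is harmless, but the `catch (ConfigurationException e)` now wraps them too although presumably only the `PVPConfiguration.getInstance()` lookups can throw it. The same selection block, with the redirect-service getters, is added to `RedirectBinding.decode` in this commit. `decode` continues outside the hunk.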
@@ -135,18 +135,26 @@ public class RedirectBinding implements IDecoder, IEncoder { HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder( new BasicParserPool()); + BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); + messageContext + .setInboundMessageTransport(new HttpServletRequestAdapter(req)); + try { - decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService())); + //set metadata descriptor type + if (isSPEndPoint) { + messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSORedirectService())); + + } else { + messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService())); + } } catch (ConfigurationException e) { throw new SecurityException(e); } - - BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); - messageContext - .setInboundMessageTransport(new HttpServletRequestAdapter(req)); - + messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule( @@ -198,8 +206,8 @@ public class RedirectBinding implements IDecoder, IEncoder { } public boolean handleDecode(String action, HttpServletRequest req) { - return (action.equals(PVP2XProtocol.REDIRECT) && req.getMethod() - .equals("GET")); + return ((action.equals(PVP2XProtocol.REDIRECT) || action.equals(PVP2XProtocol.SINGLELOGOUT)) + && req.getMethod().equals("GET")); } public String getSAML2BindingName() { 
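Review bot: `handleDecode` now also accepts `PVP2XProtocol.SINGLELOGOUT` over GET, so redirect-bound LogoutRequest and LogoutResponse messages are decoded by this class; that is sound as long as the `SAML2HTTPRedirectDeflateSignatureRule` created below the changed block is applied to them as well, which the context suggests but the hunk does not show. The `isSPEndPoint` role/comparator selection is a copy of the one added to `PostBinding` in the same commit, differing only in the service getter; a shared helper taking the two service URLs would keep the bindings from drifting apart. `decode` continues outside the hunk.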
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
index f0eafe272..a2583c706 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java
@@ -33,6 +33,7 @@ import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.binding.encoding.HTTPSOAP11Encoder;
 import org.opensaml.saml2.core.RequestAbstractType;
 import org.opensaml.saml2.core.StatusResponseType;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
 import org.opensaml.ws.message.decoder.MessageDecodingException;
 import org.opensaml.ws.message.encoder.MessageEncodingException;
 import org.opensaml.ws.soap.client.BasicSOAPMessageContext;
@@ -52,9 +53,11 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedEx
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
 public class SoapBinding implements IDecoder, IEncoder {
@@ -66,8 +69,10 @@ public class SoapBinding implements IDecoder, IEncoder { new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); messageContext .setInboundMessageTransport(new HttpServletRequestAdapter( - req)); - + req)); + //messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); + soapDecoder.decode(messageContext); Envelope inboundMessage = (Envelope) messageContext @@ -78,8 +83,25 @@ public class SoapBinding implements IDecoder, IEncoder { if (!xmlElemList.isEmpty()) { SignableXMLObject attrReq = (SignableXMLObject) xmlElemList.get(0); - MOARequest request = new MOARequest(attrReq, getSAML2BindingName()); - request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); + MOARequest request = new MOARequest(attrReq, getSAML2BindingName()); + + if (messageContext.getPeerEntityMetadata() != null) + request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); + + else if (attrReq instanceof RequestAbstractType) { + RequestAbstractType attributeRequest = (RequestAbstractType) attrReq; + try { + if (MiscUtil.isNotEmpty(attributeRequest.getIssuer().getValue()) && + MOAMetadataProvider.getInstance().getRole( + attributeRequest.getIssuer().getValue(), + SPSSODescriptor.DEFAULT_ELEMENT_NAME) != null) + request.setEntityID(attributeRequest.getIssuer().getValue()); + + } catch (Exception e) { + Logger.warn("No Metadata found with EntityID " + attributeRequest.getIssuer().getValue()); + } + } + request.setVerified(false); return request; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java index eeb1dd104..01139d95c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java 
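Review bot: In the new `else if (attrReq instanceof RequestAbstractType)` branch of the -78 hunk, the `catch (Exception e)` handler dereferences `attributeRequest.getIssuer().getValue()` again in its log message, so a request without an `Issuer` — one of the ways to land in that handler — throws a `NullPointerException` out of the catch block, and the caught exception itself is discarded. Read the issuer value once, null-safely, before the `try` and pass `e` to the logger. Security-wise, the entity ID set here originates from an unauthenticated `Issuer` element and the request is marked `setVerified(false)`; that is acceptable only if the caller verifies the message signature against the metadata of exactly that entity before trusting it, which this hunk cannot show. The commented-out `//messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);` in the -66 hunk should be removed or explained, since without a peer role `getPeerEntityMetadata()` presumably stays null and the issuer fallback becomes the normal path.
```java
} else if (attrReq instanceof RequestAbstractType) {
    RequestAbstractType attributeRequest = (RequestAbstractType) attrReq;
    String issuerValue = attributeRequest.getIssuer() != null
            ? attributeRequest.getIssuer().getValue() : null;
    try {
        if (MiscUtil.isNotEmpty(issuerValue) &&
                MOAMetadataProvider.getInstance().getRole(issuerValue,
                        SPSSODescriptor.DEFAULT_ELEMENT_NAME) != null)
            request.setEntityID(issuerValue);

    } catch (Exception e) {
        Logger.warn("No Metadata found with EntityID " + issuerValue, e);
    }
}
// … unchanged: request.setVerified(false); return request; …
```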
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java @@ -213,12 +213,13 @@ public class SingleLogOutBuilder { } - + DateTime now = new DateTime(); Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); issuer.setFormat(NameID.ENTITY); sloReq.setIssuer(issuer); - sloReq.setIssueInstant(new DateTime()); + sloReq.setIssueInstant(now); + sloReq.setNotOnOrAfter(now.plusMinutes(5)); sloReq.setDestination(sloInfo.getServiceURL()); @@ -230,14 +231,17 @@ public class SingleLogOutBuilder { return sloReq; } - public static LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest) throws ConfigurationException, MOAIDException { + public static LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest, String firstLevelStatusCode) throws ConfigurationException, MOAIDException { LogoutResponse sloResp = buildBasicResponse(sloService, spRequest); Status status = SAML2Utils.createSAMLObject(Status.class); StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class); StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class); - statusCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); + statusCode.setValue(firstLevelStatusCode); statusMessage.setMessage(MOAIDMessageProvider.getInstance().getMessage("pvp2.18", null)); + StatusCode secondLevelCode = SAML2Utils.createSAMLObject(StatusCode.class); + secondLevelCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); + statusCode.setStatusCode(secondLevelCode); status.setStatusCode(statusCode); status.setStatusMessage(statusMessage); sloResp.setStatus(status); 
@@ -255,8 +259,11 @@ public class SingleLogOutBuilder { status = SAML2Utils.createSAMLObject(Status.class); StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class); StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class); - statusCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); + statusCode.setValue(StatusCode.SUCCESS_URI); statusMessage.setMessage(MOAIDMessageProvider.getInstance().getMessage("pvp2.18", null)); + StatusCode secondLevelCode = SAML2Utils.createSAMLObject(StatusCode.class); + secondLevelCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); + statusCode.setStatusCode(secondLevelCode); status.setStatusCode(statusCode); status.setStatusMessage(statusMessage); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java index 3dd1dd064..a38446826 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java @@ -25,8 +25,10 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.MiscUtil; public class BPKAttributeBuilder implements IPVPAttributeBuilder { 
@@ -39,9 +41,14 @@ public class BPKAttributeBuilder implements IPVPAttributeBuilder { String bpk = authData.getBPK(); String type = authData.getBPKType(); + if (MiscUtil.isEmpty(bpk)) + throw new UnavailableAttributeException(BPK_NAME); + if (type.startsWith(Constants.URN_PREFIX_WBPK)) type = type.substring((Constants.URN_PREFIX_WBPK + "+").length()); - else if (type.startsWith(Constants.URN_PREFIX_CDID)) type = type.substring((Constants.URN_PREFIX_CDID + "+").length()); + + else if (type.startsWith(Constants.URN_PREFIX_CDID)) + type = type.substring((Constants.URN_PREFIX_CDID + "+").length()); if (bpk.length() > BPK_MAX_LENGTH) { bpk = bpk.substring(0, BPK_MAX_LENGTH); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java index ded9e7166..61840ea21 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java @@ -22,14 +22,13 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import iaik.util.logging.Log; - import java.io.IOException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.MiscUtil; 
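Review bot: The new guard only checks `bpk`, while the very next statement calls `type.startsWith(...)` on the unguarded `authData.getBPKType()`, so a missing bPK type still ends in a `NullPointerException` instead of the new `UnavailableAttributeException`. Extend the guard to both values: `if (MiscUtil.isEmpty(bpk) || MiscUtil.isEmpty(type)) throw new UnavailableAttributeException(BPK_NAME);`. `build` starts and ends outside the hunk.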
@@ -46,12 +45,12 @@ public class EIDAuthBlock implements IPVPAttributeBuilder { String authblock = authData.getAuthBlock(); if (MiscUtil.isNotEmpty(authblock)) { return g.buildStringAttribute(EID_AUTH_BLOCK_FRIENDLY_NAME, EID_AUTH_BLOCK_NAME, - Base64Utils.encode(authblock.getBytes())); + Base64Utils.encode(authblock.getBytes("UTF-8"))); } } catch (IOException e) { - Log.info("Encode AuthBlock BASE64 failed."); + Logger.info("Encode AuthBlock BASE64 failed."); } throw new UnavailableAttributeException(EID_AUTH_BLOCK_NAME); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java index 531369e9a..29d6df040 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java @@ -27,6 +27,7 @@ import java.io.IOException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; 
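Review bot: The swap to `Logger.info("Encode AuthBlock BASE64 failed.")` still drops the caught `IOException`, whereas the sibling builders `EIDSTORKTOKEN` and `EIDIdentityLinkBuilder` in this commit pass it along with `Logger.warn("...", e)`; use `Logger.warn("Encode AuthBlock BASE64 failed.", e);` here so the cause of an encoding failure is not lost. The same applies to `Logger.info("Signer certificate BASE64 encoding error")` in the `EIDSignerCertificate` -49 hunk. With `getBytes("UTF-8")` the only `IOException` that line itself can raise is `UnsupportedEncodingException`, which cannot occur for UTF-8, so the catch presumably exists for `Base64Utils.encode`. `build` starts outside the hunk.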
@@ -40,10 +41,14 @@ public class EIDIdentityLinkBuilder implements IPVPAttributeBuilder { IAttributeGenerator<ATT> g) throws AttributeException { try { String ilAssertion = null; + + if (authData.getIdentityLink() == null) + throw new UnavailableAttributeException(EID_IDENTITY_LINK_NAME); + ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); return g.buildStringAttribute(EID_IDENTITY_LINK_FRIENDLY_NAME, - EID_IDENTITY_LINK_NAME, Base64Utils.encode(ilAssertion.getBytes())); + EID_IDENTITY_LINK_NAME, Base64Utils.encode(ilAssertion.getBytes("UTF-8"))); } catch (IOException e) { Logger.warn("IdentityLink serialization error.", e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java index 04cc59b10..5e723baab 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java @@ -54,7 +54,7 @@ public class EIDSTORKTOKEN implements IPVPAttributeBuilder { } else { try { return g.buildStringAttribute(EID_STORK_TOKEN_FRIENDLY_NAME, EID_STORK_TOKEN_NAME, - Base64Utils.encode(storkResponse.getBytes())); + Base64Utils.encode(storkResponse.getBytes("UTF-8"))); } catch (IOException e) { Logger.warn("Encode AuthBlock BASE64 failed.", e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java index 7f52e1d47..463658a3d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java 
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java @@ -25,6 +25,8 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.util.MiscUtil; public class EIDSectorForIDAttributeBuilder implements IPVPAttributeBuilder { @@ -33,8 +35,12 @@ public class EIDSectorForIDAttributeBuilder implements IPVPAttributeBuilder { } public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, - IAttributeGenerator<ATT> g) throws AttributeException { + IAttributeGenerator<ATT> g) throws AttributeException { String bpktype = authData.getBPKType(); + + if (MiscUtil.isEmpty(authData.getBPKType())) + throw new UnavailableAttributeException(EID_SECTOR_FOR_IDENTIFIER_NAME); + return g.buildStringAttribute(EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, EID_SECTOR_FOR_IDENTIFIER_NAME, bpktype); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSignerCertificate.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSignerCertificate.java index df1bc1860..8a603f53a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSignerCertificate.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSignerCertificate.java 
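Review bot: The new guard in the -33 hunk re-reads `authData.getBPKType()` although the preceding line already stored it in `bpktype`; check the local instead, `if (MiscUtil.isEmpty(bpktype))`, so the tested value and the emitted value cannot diverge. The check itself is the right change: previously an empty sector identifier would have been emitted as a valid-looking attribute value.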
@@ -22,7 +22,6 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import iaik.util.logging.Log; import java.io.IOException; @@ -30,6 +29,7 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; public class EIDSignerCertificate implements IPVPAttributeBuilder { @@ -49,7 +49,7 @@ public class EIDSignerCertificate implements IPVPAttributeBuilder { } }catch (IOException e) { - Log.info("Signer certificate BASE64 encoding error"); + Logger.info("Signer certificate BASE64 encoding error"); } throw new UnavailableAttributeException(EID_SIGNER_CERTIFICATE_NAME); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java index a8b703fc2..16de43e11 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java 
@@ -27,6 +27,7 @@ import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributePolicyException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.util.MiscUtil; public class EIDSourcePIN implements IPVPAttributeBuilder { @@ -41,6 +42,9 @@ public class EIDSourcePIN implements IPVPAttributeBuilder { throw new AttributePolicyException(EID_SOURCE_PIN_NAME); else { + if (MiscUtil.isEmpty(authData.getIdentificationValue())) + throw new UnavailableAttributeException(EID_SOURCE_PIN_NAME); + return g.buildStringAttribute(EID_SOURCE_PIN_FRIENDLY_NAME, EID_SOURCE_PIN_NAME, authData.getIdentificationValue()); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java new file mode 100644 index 000000000..b3256ac9a --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EncryptedBPKAttributeBuilder.java 
@@ -0,0 +1,70 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. 
+ *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; + +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Constants; + +public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder { + + public String getName() { + return ENC_BPK_LIST_NAME; + } + + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, + IAttributeGenerator<ATT> g) throws AttributeException { + + if (authData.getEncbPKList() != null && + authData.getEncbPKList().size() > 0) { + String value = authData.getEncbPKList().get(0); + for (int i=1; i<authData.getEncbPKList().size(); i++) + value += ";"+authData.getEncbPKList().get(i); + + return g.buildStringAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME, + value); + + } + + throw new UnavailableAttributeException(ENC_BPK_LIST_NAME); + +// String encbpk = "XXX01234567890XXX"; +// String type = "Bereich"; +// String vkz = "Verfahrenskennzeichen"; +// +// //TODO: implement encrypted bPK support +// +// Logger.trace("Authenticate user with encrypted bPK " + vkz + "+" + type + "|" + encbpk); +// +// return g.buildStringAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME, +// vkz + "+" + type + "|" + encbpk); + } + + public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) { + return g.buildEmptyAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME); + } + +} 
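Review bot: `build` joins the list with `value += ";" + ...` inside a loop and leaves a large commented-out block (the `XXX01234567890XXX` sample values and the `TODO` trace) after the `throw`; the dead code should be deleted and the join written with a `StringBuilder`. The `Logger` and `Constants` imports are referenced only by that commented-out code and become unused once it goes. `authData.getEncbPKList()` is called five times; read it once into a local (it appears to be a `List<String>`, judging by `get(0)` being assigned to a `String` — confirm against `IAuthData`). If a single encrypted bPK entry can itself contain `;`, the semicolon-joined format is ambiguous for the consumer; that deserves a line in the class Javadoc, e.g. `/** Builds the encrypted-bPK list attribute: all entries of IAuthData.getEncbPKList() joined with ';'. */`.
```java
public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
        IAttributeGenerator<ATT> g) throws AttributeException {
    List<String> encbPKs = authData.getEncbPKList();  // needs java.util.List
    if (encbPKs == null || encbPKs.isEmpty())
        throw new UnavailableAttributeException(ENC_BPK_LIST_NAME);

    StringBuilder value = new StringBuilder(encbPKs.get(0));
    for (int i = 1; i < encbPKs.size(); i++)
        value.append(';').append(encbPKs.get(i));

    return g.buildStringAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME,
            value.toString());
}
```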
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java index 670398ff6..790c1e8ca 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java @@ -31,6 +31,7 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.DOMUtils; @@ -44,7 +45,9 @@ public class MandateFullMandateAttributeBuilder implements IPVPAttributeBuilder public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { if (authData.isUseMandate()) { - if (authData.getMandate() != null) { + //only provide full mandate if it is included. + //In case of federation only a short mandate could be include + if (authData.getMandate() != null && authData.getMISMandate().isFullMandateIncluded()) { String fullMandate; try { fullMandate = DOMUtils.serializeNode(authData @@ -57,6 +60,8 @@ public class MandateFullMandateAttributeBuilder implements IPVPAttributeBuilder Logger.error("Failed to generate Full Mandate", e); } } + throw new NoMandateDataAttributeException(); + } return null; 
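Review bot: The new condition `authData.getMandate() != null && authData.getMISMandate().isFullMandateIncluded()` null-checks `getMandate()` but dereferences `getMISMandate()` unguarded, so an `IAuthData` with a mandate but no MIS mandate object throws a `NullPointerException` out of `build` instead of the new `NoMandateDataAttributeException`. Add the missing check: `if (authData.getMandate() != null && authData.getMISMandate() != null && authData.getMISMandate().isFullMandateIncluded()) {`. Note also that after this change both a deliberately omitted full mandate (the federation short-mandate case the new comment describes) and a serialization failure logged at `Logger.error` end in `throw new NoMandateDataAttributeException()`; if callers treat that exception as an error rather than as "attribute not available", the short-mandate case needs to be distinguished. `build` continues outside the hunk.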
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index a57fb5717..cba64e080 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -261,6 +261,10 @@ public class MOAMetadataProvider implements MetadataProvider { List<OnlineApplication> oaList = ConfigurationDBRead .getAllActiveOnlineApplications(); + + if (oaList.size() == 0) + Logger.info("No Online-Application configuration found. PVP 2.1 metadata provider initialization failed!"); + Iterator<OnlineApplication> oaIt = oaList.iterator(); while (oaIt.hasNext()) { HTTPMetadataProvider httpProvider = null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java index ee0088576..a16fed9cd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java 
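Review bot: The added check logs "PVP 2.1 metadata provider initialization failed!" at `Logger.info` and then falls through into the `while (oaIt.hasNext())` loop as if nothing happened, so the text overstates what occurs (the provider is initialised, just with no entities) while a genuinely empty configuration is reported at the lowest level. Make the message match the behaviour and raise the level, e.g. `Logger.warn("No Online-Application configuration found. PVP 2.1 metadata provider initialized without any entity metadata.");`, and prefer `oaList.isEmpty()` over `oaList.size() == 0`. The enclosing method starts and ends outside the hunk.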
@@ -22,15 +22,25 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.utils; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.HashMap; import java.util.List; +import java.util.Map; import org.opensaml.saml2.core.Assertion; +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.AttributeStatement; import org.opensaml.saml2.core.AuthnContextClassRef; import org.opensaml.saml2.core.AuthnStatement; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.saml2.core.Subject; +import eu.stork.peps.auth.commons.PersonalAttribute; +import eu.stork.peps.auth.commons.PersonalAttributeList; + +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -38,6 +48,14 @@ import at.gv.egovernment.moa.util.MiscUtil; public class AssertionAttributeExtractor { private Assertion assertion = null; + private Map<String, String> attributs = new HashMap<String, String>(); + private PersonalAttributeList storkAttributes = new PersonalAttributeList(); + + private final List<String> minimalAttributeNameList = Arrays.asList( + PVPConstants.PRINCIPAL_NAME_NAME, + PVPConstants.GIVEN_NAME_NAME, + PVPConstants.BIRTHDATE_NAME); + public AssertionAttributeExtractor(StatusResponseType samlResponse) throws AssertionAttributeExtractorExeption { if (samlResponse != null && samlResponse instanceof Response) { 
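Review bot: `minimalAttributeNameList` is a constant built from `PVPConstants` but is declared as an instance field, so a new list is created for every extractor; `private static final List<String> MINIMAL_ATTRIBUTE_NAME_LIST = Arrays.asList(...)` expresses that and follows the constant naming convention. The field name `attributs` is misspelled (`attributes`) and is the name used by the accessors added further down in this file, so a rename here must be applied to those uses as well. The class continues past the hunk.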
@@ -48,12 +66,79 @@ public class AssertionAttributeExtractor { else if (assertions.size() > 1) Logger.warn("Found more then ONE PVP2.1 assertions. Only the First is used."); - assertion = assertions.get(0); - + assertion = assertions.get(0); + + if (assertion.getAttributeStatements() != null && + assertion.getAttributeStatements().size() > 0) { + AttributeStatement attrStat = assertion.getAttributeStatements().get(0); + for (Attribute attr : attrStat.getAttributes()) { + if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) { + List<String> storkAttrValues = new ArrayList<String>(); + storkAttrValues.add(attr.getAttributeValues().get(0).getDOM().getTextContent()); + PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(), + false, storkAttrValues , "Available"); + storkAttributes.put(attr.getName(), storkAttr ); + + } else + attributs.put(attr.getName(), attr.getAttributeValues().get(0).getDOM().getTextContent()); + } + + } + } else throw new AssertionAttributeExtractorExeption(); } + /** + * check attributes from assertion with minimal required attribute list + * @return + */ + public boolean containsAllRequiredAttributes() { + return containsAllRequiredAttributes(minimalAttributeNameList); + + } + + /** + * check attributes from assertion with attributeNameList + * bPK or enc_bPK is always needed + * + * @param List of attributes which are required + * + * @return + */ + public boolean containsAllRequiredAttributes(List<String> attributeNameList) { + + //first check if a bPK or an encrypted bPK is available + if (attributs.containsKey(PVPConstants.ENC_BPK_LIST_NAME) || + (attributs.containsKey(PVPConstants.BPK_NAME) && attributs.containsKey(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME))) { + boolean flag = true; + for (String attr : attributeNameList) { + if (!attributs.containsKey(attr)) + flag = false; + } + + return flag; + + } + return false; + + } + + public boolean containsAttribute(String attributeName) { + return 
attributs.containsKey(attributeName); + + } + + public String getAttribute(String attributeName) { + return attributs.get(attributeName); + + } + + public PersonalAttributeList getSTORKAttributes() { + return storkAttributes; + } + + public String getNameID() throws AssertionAttributeExtractorExeption { if (assertion.getSubject() != null) { Subject subject = assertion.getSubject(); @@ -99,6 +184,10 @@ public class AssertionAttributeExtractor { throw new AssertionAttributeExtractorExeption("AuthnContextClassRef"); } + public Assertion getFullAssertion() { + return assertion; + } + private AuthnStatement getAuthnStatement() throws AssertionAttributeExtractorExeption { List<AuthnStatement> authnList = assertion.getAuthnStatements(); if (authnList.size() == 0) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java index 8dfebc06c..885de6805 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java @@ -22,6 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.verification; +import java.io.UnsupportedEncodingException; + import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.security.SAMLSignatureProfileValidator; import org.opensaml.xml.validation.ValidationException; 
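Review bot: The attribute loop in the constructor reads `attr.getAttributeValues().get(0).getDOM().getTextContent()` on an assertion received from a remote IdP without checking that the attribute has a name or at least one value; an `Attribute` with an empty value list would fail with `IndexOutOfBoundsException` rather than the `AssertionAttributeExtractorExeption` callers expect, and a null `getName()` would fail on `startsWith`. Suggest guarding each iteration with `if (attr.getName() == null || attr.getAttributeValues() == null || attr.getAttributeValues().isEmpty()) { Logger.warn("Skipping SAML attribute without name or value"); continue; }`. Only the first value of each attribute and only the first `AttributeStatement` are retained, so multi-valued attributes are silently truncated; if that is intended it deserves a comment on the `Map<String, String>` field. The javadoc of `containsAllRequiredAttributes(List<String>)` has `@param List of attributes which are required` and an empty `@return`; it should read `@param attributeNameList names of the attributes that must be present` and `@return true if a bPK (or encrypted bPK) and every listed attribute were found`.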
@@ -70,7 +72,7 @@ public class SAMLVerifierMOASP implements ISAMLVerifier { // builds a <VerifyXMLSignatureRequest> for a call of MOA-SP Element domVerifyXMLSignatureRequest = new VerifyXMLSignatureRequestBuilder() - .build(XMLUtil.printXML(request.getDOM()).getBytes(), + .build(XMLUtil.printXML(request.getDOM()).getBytes("UTF-8"), trustProfileID); Logger.trace("VerifyXMLSignatureRequest for MOA-SP succesfully built"); @@ -123,6 +125,10 @@ public class SAMLVerifierMOASP implements ISAMLVerifier { String msg = "Unable to invoke MOA-SP."; Logger.error(msg, e); throw new SecurityException(msg, e); + } catch (UnsupportedEncodingException e) { + String msg = "Unsupported Encoding."; + Logger.error(msg, e); + throw new SecurityException(msg, e); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index 08f40f888..7d3c72630 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java 
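Review bot: `getBytes("UTF-8")` introduces a checked `UnsupportedEncodingException` that cannot occur for UTF-8, and the second hunk adds a catch block that wraps it in a `SecurityException`; if the project builds on Java 7 or later, `getBytes(StandardCharsets.UTF_8)` removes both the exception and the catch. The same `getBytes("UTF-8")` pattern is added in AuthenticationRequest, ConsentEvaluator, MandateAttributeRequestProvider, SignedDocAttributeRequestProvider and StorkAttributeRequestProvider, where the checked exception is absorbed by the surrounding `catch (Exception e)`; the same replacement applies there. The enclosing method of both hunks starts outside them.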
@@ -22,15 +22,22 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.saml1; +import java.io.ByteArrayOutputStream; import java.io.IOException; import java.util.List; +import javax.xml.bind.JAXBContext; +import javax.xml.bind.JAXBElement; +import javax.xml.bind.Marshaller; +import javax.xml.namespace.QName; import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.TransformerException; import org.w3c.dom.Element; import org.xml.sax.SAXException; +import com.sun.xml.bind.marshaller.NamespacePrefixMapper; + import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; @@ -60,6 +67,11 @@ import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; import at.gv.egovernment.moa.util.StringUtils; +import at.gv.util.xsd.persondata.IdentificationType; +import at.gv.util.xsd.persondata.IdentificationType.Value; +import at.gv.util.xsd.persondata.PersonNameType; +import at.gv.util.xsd.persondata.PersonNameType.FamilyName; +import at.gv.util.xsd.persondata.PhysicalPersonType; public class SAML1AuthenticationServer extends AuthenticationServer { 
@@ -185,30 +197,82 @@ public class SAML1AuthenticationServer extends AuthenticationServer { //set prPersion boolean provideStammzahl = saml1parameter.isProvideStammzahl() || oaParam.getBusinessService(); - String prPerson = new PersonDataBuilder().build(authData.getIdentityLink(), - provideStammzahl); - //set Authblock - String authBlock = saml1parameter.isProvideAUTHBlock() ? authData - .getAuthBlock() : ""; - - //set IdentityLink for assortion + String prPerson = ""; String ilAssertion = ""; - if (saml1parameter.isProvideIdentityLink()) { - ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); - - if (!provideStammzahl) - ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink() - .getIdentificationValue(), ""); - } - + if (authData.getIdentityLink() != null) { + prPerson = new PersonDataBuilder().build(authData.getIdentityLink(), + provideStammzahl); - String samlAssertion; + //set IdentityLink for assortion + if (saml1parameter.isProvideIdentityLink()) { + ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); + + if (!provideStammzahl) + ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink() + .getIdentificationValue(), ""); + } + } else { + Logger.info("No IdentityLink available! Build attribute 'PersonDate' from givenname, familyname and dateofbirth. 
"); + PhysicalPersonType person = new PhysicalPersonType(); + PersonNameType name = new PersonNameType(); + person.setName(name); + FamilyName familyName = new FamilyName(); + name.getFamilyName().add(familyName ); + IdentificationType id = new IdentificationType(); + person.getIdentification().add(id ); + Value value = new Value(); + id.setValue(value ); + + id.setType(Constants.URN_PREFIX_BASEID); + value.setValue(""); + familyName.setValue(authData.getFamilyName()); + familyName.setPrimary("undefined"); + name.getGivenName().add(authData.getGivenName()); + person.setDateOfBirth(authData.getFormatedDateOfBirth()); + + JAXBContext jc = JAXBContext.newInstance("at.gv.util.xsd.persondata"); + Marshaller m = jc.createMarshaller(); + m.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, Boolean.TRUE); + + m.setProperty("com.sun.xml.bind.namespacePrefixMapper", new NamespacePrefixMapper() { + public String getPreferredPrefix(String arg0, String arg1, boolean arg2) { + if (Constants.PD_NS_URI.equals(arg0)) + return Constants.PD_PREFIX; + else + return arg1; + } + }); + + ByteArrayOutputStream stream = new ByteArrayOutputStream(); + m.marshal( + new JAXBElement<PhysicalPersonType>(new QName(Constants.PD_NS_URI,"Person"), PhysicalPersonType.class, person), + stream); + prPerson = StringUtils.removeXMLDeclaration(new String(stream.toByteArray(), "UTF-8")); + stream.close(); + + + + } + + //set Authblock + String authBlock = ""; + if (authData.getAuthBlock() != null) { + authBlock = saml1parameter.isProvideAUTHBlock() ? authData.getAuthBlock() : ""; + + } else { + Logger.info("\"provideAuthBlock\" is \"true\", but no authblock available"); + + } + String samlAssertion; if (authData.isUseMandate()) { List<ExtendedSAMLAttribute> oaAttributes = authData.getExtendedSAMLAttributesOA(); - if (saml1parameter.isProvideFullMandatorData()) { + //only provide full mandate if it is included. 
+ //In case of federation only a short mandate could be include + if (saml1parameter.isProvideFullMandatorData() + && authData.getMISMandate().isFullMandateIncluded()) { try { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index 9c8c52e87..8f7f17e2e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java @@ -33,6 +33,7 @@ import org.apache.commons.lang.StringEscapeUtils; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; +import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; @@ -102,7 +103,7 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { if (!AuthConfigurationProvider.getInstance().getAllowedProtocols().isSAML1Active()) { Logger.info("SAML1 is deaktivated!"); - throw new ProtocolNotActiveException("auth.22", new Object[] { NAME }); + throw new ProtocolNotActiveException("auth.22", new Object[] { "SAML 1" }); } 
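Review bot: The `else` branch for the auth block logs `"provideAuthBlock" is "true", but no authblock available` whenever `authData.getAuthBlock()` is null, without consulting `saml1parameter.isProvideAUTHBlock()`, so the message is wrong for every OA that does not request an auth block; test the flag first or reword it, e.g. `Logger.info("No authblock available in AuthData");`. `JAXBContext.newInstance("at.gv.util.xsd.persondata")` is created on every call in the no-IdentityLink branch; JAXBContext creation is expensive and the context is thread-safe, so it belongs in a `private static final` field, while the `Marshaller` (not thread-safe) stays per call. The fallback also depends on `com.sun.xml.bind.marshaller.NamespacePrefixMapper`, a JAXB reference-implementation class, which ties the build to that implementation and deserves a comment if accepted. The `authData.getMISMandate().isFullMandateIncluded()` check at the end of the hunk has no null guard on `getMISMandate()`, as noted for MandateFullMandateAttributeBuilder. The enclosing method starts and ends outside the hunk.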
@@ -145,14 +146,14 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { .getOnlineApplicationParameter(oaURL); if (oaParam == null) - throw new AuthenticationException("auth.00", - new Object[] { oaURL }); + throw new InvalidProtocolRequestException("auth.00", + new Object[] { null }); OASAML1 saml1 = oaParam.getSAML1Parameter(); if (saml1 == null || !(saml1.isIsActive() != null && saml1.isIsActive()) ) { Logger.info("Online-Application " + oaURL + " can not use SAML1 for authentication."); - throw new AuthenticationException("auth.00", - new Object[] { oaURL }); + throw new InvalidProtocolRequestException("auth.00", + new Object[] { null }); } config.setSourceID(sourceID); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java index a5690a883..3bd827667 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java @@ -75,7 +75,7 @@ public class AuthenticationRequest implements IAction { this.authData = authData; - if ((req instanceof MOASTORKRequest) && ( ((MOASTORKRequest) req).getCitizenCountryCode() == null || ((MOASTORKRequest) req).getCitizenCountryCode().equals("AT") )) { + if ((req instanceof MOASTORKRequest)) { // && ( ((MOASTORKRequest) req).getCitizenCountryCode() == null || ((MOASTORKRequest) req).getCitizenCountryCode().equals("AT") )) { this.moaStorkRequest = (MOASTORKRequest) req; 
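Review bot: Both rejections now pass `new Object[] { null }` to the `auth.00` message where `oaURL` was used before, so the error no longer identifies the offending OA; if the intent is to stop echoing the request-supplied URL into a user-facing error page, a one-line comment stating that keeps the next maintainer from restoring it, e.g. `// oaURL comes from the request and is deliberately not reflected into the error message`. In the first branch (`oaParam == null`) the URL is then recorded nowhere, unlike the second branch which logs it at info level; adding `Logger.info("No Online-Application configuration found for " + oaURL);` before the throw keeps the failure diagnosable server-side. The enclosing method starts and ends outside the hunk.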
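Review bot: The citizen-country condition is kept as trailing commented-out code on the `if` line rather than removed, and the two later hunks in this file (`@@ -134` and `@@ -390`) likewise replace the other-country branch and the whole body of `needAuthentication` with `//` blocks; version control already preserves the old code, so the disabled copies should be deleted. `needAuthentication` now returns `true` for every request, including `MOASTORKResponse`; if that is intended, a one-line comment in the method body saying so is more useful than the commented-out logic. The constructor hunk here is cut at both ends, so the surrounding condition context is not visible.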
@@ -134,10 +134,10 @@ public class AuthenticationRequest implements IAction { return (new AttributeCollector()).processRequest(container, httpReq, httpResp, authData, oaParam); } - // check if we are getting request for citizen of some other country - else if (req instanceof MOASTORKRequest) { - return handleMOAStorkRequest("VIDP", (MOASTORKRequest) req, httpReq.getRemoteAddr(), httpResp); - } +// // check if we are getting request for citizen of some other country +// else if (req instanceof MOASTORKRequest) { +// return handleMOAStorkRequest("VIDP", (MOASTORKRequest) req, httpReq.getRemoteAddr(), httpResp); +// } // Check if we got the response from PEPS // If so then process it and forward to SP @@ -318,7 +318,7 @@ public class AuthenticationRequest implements IAction { Logger.debug("Sending html content: " + writer.getBuffer().toString()); Logger.debug("Sending html content2 : " + new String(writer.getBuffer())); - httpResp.getOutputStream().write(writer.getBuffer().toString().getBytes()); + httpResp.getOutputStream().write(writer.getBuffer().toString().getBytes("UTF-8")); } catch (IOException e) { Logger.error("Velocity IO error: " + e.getMessage()); @@ -380,7 +380,7 @@ public class AuthenticationRequest implements IAction { Logger.debug("Sending html content: " + writer.getBuffer().toString()); Logger.debug("Sending html content2 : " + new String(writer.getBuffer())); - httpResp.getOutputStream().write(writer.getBuffer().toString().getBytes()); + httpResp.getOutputStream().write(writer.getBuffer().toString().getBytes("UTF-8")); } catch (Exception e) { Logger.error("Velocity error: " + e.getMessage()); 
@@ -390,24 +390,24 @@ public class AuthenticationRequest implements IAction { public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp) { - // authentication is not needed if we have authentication request from SP for citizen of configured PEPS country - if (req instanceof MOASTORKRequest) { - MOASTORKRequest moastorkRequest = (MOASTORKRequest) req; - if (moastorkRequest.getStorkAuthnRequest() != null) { - String citizenCountryCode = moastorkRequest.getStorkAuthnRequest().getCitizenCountryCode(); - // check if citizen country is configured in the system - try { - if (AuthConfigurationProvider.getInstance().getStorkConfig().getCpepsMap().containsKey(citizenCountryCode)) { - return false; - } - } catch (MOAIDException e) { - Logger.error("Could not initialize AuthConfigurationProvider"); - } - } - // authentication is not required if received authentication response - } else if (req instanceof MOASTORKResponse) { - return false; - } +// // authentication is not needed if we have authentication request from SP for citizen of configured PEPS country +// if (req instanceof MOASTORKRequest) { +// MOASTORKRequest moastorkRequest = (MOASTORKRequest) req; +// if (moastorkRequest.getStorkAuthnRequest() != null) { +// String citizenCountryCode = moastorkRequest.getStorkAuthnRequest().getCitizenCountryCode(); +// // check if citizen country is configured in the system +// try { +// if (AuthConfigurationProvider.getInstance().getStorkConfig().getCpepsMap().containsKey(citizenCountryCode)) { +// return false; +// } +// } catch (MOAIDException e) { +// Logger.error("Could not initialize AuthConfigurationProvider"); +// } +// } +// // authentication is not required if received authentication response +// } else if (req instanceof MOASTORKResponse) { +// return false; +// } return true; } 
@@ -455,8 +455,12 @@ public class AuthenticationRequest implements IAction { try { for (PersonalAttribute personalAttribute : attrLst) { + try { Logger.debug("Personal attribute found in request: " + personalAttribute.getName() + " isRequired: " + personalAttribute.isRequired()); moaAttributeProvider.populateAttribute(attributeList, personalAttribute); + } catch (Exception e) { + Logger.error("Exception, attributes: " + e.getMessage()); + } } } catch (Exception e) { Logger.error("Exception, attributes: " + e.getMessage()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java index 2b00f15e2..3159574fe 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java @@ -142,7 +142,7 @@ public class ConsentEvaluator implements IAction { StringWriter writer = new StringWriter(); template.merge(context, writer); - response.getOutputStream().write(writer.getBuffer().toString().getBytes()); + response.getOutputStream().write(writer.getBuffer().toString().getBytes("UTF-8")); } catch (Exception e) { Logger.error("Velocity error: " + e.getMessage()); @@ -209,7 +209,7 @@ public class ConsentEvaluator implements IAction { Logger.debug("Sending html content: " + writer.getBuffer().toString()); Logger.debug("Sending html content2 : " + new String(writer.getBuffer())); - httpResp.getOutputStream().write(writer.getBuffer().toString().getBytes()); + httpResp.getOutputStream().write(writer.getBuffer().toString().getBytes("UTF-8")); } catch (Exception e) { Logger.error("Velocity error: " + e.getMessage()); 
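Review bot: The new per-attribute `catch (Exception e)` logs only `e.getMessage()` and continues, so a failure in `populateAttribute` silently yields an incomplete `attributeList` with no stack trace and no indication of which attribute was affected; log the attribute name and the exception object, e.g. `Logger.error("Could not populate attribute " + personalAttribute.getName(), e);`. With the inner catch in place the outer `catch (Exception e)` around the loop is only reached by failures of the iteration itself, so its identical message is now misleading. Whether the caller treats a partially populated list as an error is not visible here; if it does not, a missing required attribute would pass through unnoticed. The enclosing method starts and ends outside the hunk.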
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java index 139c438f9..baa91a854 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java @@ -71,6 +71,7 @@ public class MandateRetrievalRequest implements IAction { httpResp.reset(); this.representingIdentityLink = authData.getIdentityLink(); + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(req.getOAURL()); if (oaParam == null) throw new AuthenticationException("stork.12", new Object[]{req.getOAURL()}); @@ -449,7 +450,8 @@ public class MandateRetrievalRequest implements IAction { } if (!mandateContainer.getPhysicalRepresentativeIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - Logger.error("Incorrect identity link (MIS): identification type is not correct! Got: " + this.representingIdentityLink.getIdentificationType()); + Logger.error("Incorrect identity link (MIS): identification type is not correct! Got: " + this.representingIdentityLink.getIdentificationType() + " (representingIdentityLink) and " + mandateContainer.getPhysicalRepresentativeIdentificationType() + " (mandateContainer.phyRepresentative)"); + Logger.debug("mandatecontainervalue: " + mandateContainer.getPhysicalRepresentativeIdentificationValue() + ", representingidentitylinkvalue: " + this.representingIdentityLink.getIdentificationValue()); throw new MOAIDException("stork.20", new Object[]{}); // TODO } 
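Review bot: The added debug line writes `this.representingIdentityLink.getIdentificationValue()` and the mandate container's identification value into the log; elsewhere in this change set the identity link's identification value is exactly what SAML1AuthenticationServer strips from assertions when `provideStammzahl` is false, so it should not be persisted in log files even at debug level. The identification types are already in the error line above; if a value comparison is needed for diagnosis, log only its outcome, e.g. `Logger.debug("identification value matches: " + mandateContainer.getPhysicalRepresentativeIdentificationValue().equals(this.representingIdentityLink.getIdentificationValue()));`, or drop the line. The enclosing method starts and ends outside the hunk.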
@@ -491,7 +493,7 @@ public class MandateRetrievalRequest implements IAction { represented.setType(getCompanyType(corporateBodyMandateContainer.corpMandatorFullName, corporateBodyMandateContainer.corpMandatorIdentificationType, sourceAttribute)); } else if (mandateContainer instanceof PhyPersonMandateContainer) { PhyPersonMandateContainer phyPersonMandateContainer = (PhyPersonMandateContainer) mandateContainer; - represented.setEIdentifier(getRepresentedStorkeIdentifier(mandateContainer)); // TODO CALCULATE + represented.setEIdentifier(getRepresentedStorkeIdentifier(mandateContainer)); represented.setGivenName(phyPersonMandateContainer.getPhyPersMandatorGivenName()); represented.setSurname(phyPersonMandateContainer.getPhyPersMandatorFamilyName()); represented.setDateOfBirth(phyPersonMandateContainer.getPhyPersMandatorBirthDate()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/MandateAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/MandateAttributeRequestProvider.java index 8df3c00aa..07e5b70ba 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/MandateAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/MandateAttributeRequestProvider.java @@ -192,7 +192,7 @@ public class MandateAttributeRequestProvider extends AttributeProvider { StringWriter writer = new StringWriter(); template.merge(context, writer); - resp.getOutputStream().write(writer.toString().getBytes()); + resp.getOutputStream().write(writer.toString().getBytes("UTF-8")); } catch (Exception e) { Logger.error("Error sending STORK SAML AttrRequest.", e); throw new MOAIDException("stork.11", null); 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java index 72274bada..13b14b0be 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java @@ -104,8 +104,7 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider { public SignedDocAttributeRequestProvider(String oasisDssWebFormURL, String attributes) { super(attributes); this.oasisDssWebFormURL = oasisDssWebFormURL; - //TODO load dtlUrl from config - + Properties props = new Properties(); try { props.load(DatabaseConnectorMySQLImpl.class.getResourceAsStream("docservice.properties")); @@ -132,6 +131,14 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider { } requestedAttribute = attribute; + try + { + String tmp = requestedAttribute.getValue().get(0); + }catch(Exception e) + { + Logger.info("SignedDocAttributeProvide failed:"+e.toString()); + throw new UnsupportedAttributeException(); + } throw new ExternalAttributeRequestRequiredException(this); } 
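Review bot: The new block uses a try/catch around `requestedAttribute.getValue().get(0)` purely to detect a missing value, assigning it to an unused local `tmp`; this is exception-driven control flow and `catch (Exception e)` would also mask unrelated failures. Replace it with an explicit check, e.g. `if (requestedAttribute.getValue() == null || requestedAttribute.getValue().isEmpty()) { Logger.info("SignedDocAttributeRequestProvider: requested attribute has no value"); throw new UnsupportedAttributeException(); }`. The existing message also carries a typo (`SignedDocAttributeProvide failed:`). The enclosing method starts outside the hunk.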
@@ -144,11 +151,10 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider { * .servlet.http.HttpServletRequest) */ public IPersonalAttributeList parse(HttpServletRequest httpReq) throws MOAIDException, UnsupportedAttributeException { - Logger.debug("Beginning to extract OASIS-DSS response out of HTTP Request2"); + Logger.debug("Beginning to extract OASIS-DSS response out of HTTP Request"); try { - String base64 = httpReq. - getParameter("signresponse"); + String base64 = httpReq.getParameter("signresponse"); Logger.debug("signresponse url: " + httpReq.getRequestURI().toString()); Logger.debug("signresponse querystring: " + httpReq.getQueryString()); Logger.debug("signresponse method: " + httpReq.getMethod()); 
@@ -219,6 +225,49 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider { { //No document service used? // do nothing.... + //TODO temporary fix because document is deleted after fetching => SP can't download Doc + //Add doc to Signresponse + + DocumentWithSignature documentWithSignature = new DocumentWithSignature(); + DocumentType value = new DocumentType(); + if(signResponse.getProfile().toLowerCase().contains("xades")) + { + value.setBase64XML(data); + } + else + { + Base64Data base64data = new Base64Data(); + base64data.setValue(data); + base64data.setMimeType(dataSource.getContentType()); + value.setBase64Data(base64data); + } + documentWithSignature.setDocument(value); + if(signResponse.getOptionalOutputs()!=null) + { + //signResponse.getOptionalOutputs().getAny().add(documentWithSignature); + for(Object o :signResponse.getOptionalOutputs().getAny()) + { + if(o instanceof DocumentWithSignature) + { + signResponse.getOptionalOutputs().getAny().remove(o); + signResponse.getOptionalOutputs().getAny().add(documentWithSignature); + break; + } + } + } + else + { + AnyType anytype = new AnyType(); + anytype.getAny().add(documentWithSignature); + signResponse.setOptionalOutputs(anytype ); + } + +// System.out.println("overwriting:"+signResponse.getResult().getResultMessage()+" with DTL url:"+dtlUrl); + InputStream istr = ApiUtils.marshalToInputStream(signResponse); + StringWriter writer = new StringWriter(); + IOUtils.copy(istr, writer, "UTF-8"); + signResponseString = writer.toString(); + Logger.info("SignResponse overwritten:"+signResponseString); } } else 
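Review bot: `Logger.info("SignResponse overwritten:"+signResponseString)` writes the complete re-marshalled SignResponse, including the embedded Base64 document, into the log at info level on every request; the document is user data of arbitrary size, so log a length at debug level instead, e.g. `Logger.debug("SignResponse overwritten, length " + signResponseString.length());`. The `for (Object o : ...getAny())` loop calls `remove(o)` and `add(...)` on the list it is iterating; the `break` avoids a `ConcurrentModificationException` today, but the pattern is fragile — iterate with a `ListIterator` and `set(documentWithSignature)`, or find the index first and replace by index. `signResponse.getProfile().toLowerCase()` has no null guard and uses the default locale; `toLowerCase(Locale.ROOT)` after a null check is safer for a protocol field. The block is labelled a temporary fix; the TODO should state what the permanent behaviour is expected to be. The enclosing method starts and ends outside the hunk.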
@@ -337,7 +386,7 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider { StringWriter writer = new StringWriter(); template.merge(context, writer); - resp.getOutputStream().write(writer.toString().getBytes()); + resp.getOutputStream().write(writer.toString().getBytes("UTF-8")); } catch (Exception e) { Logger.error("Error sending DSS signrequest.", e); throw new MOAIDException("stork.11", null); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/StorkAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/StorkAttributeRequestProvider.java index d7e2cdf58..cb3a33c69 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/StorkAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/StorkAttributeRequestProvider.java @@ -172,7 +172,7 @@ public class StorkAttributeRequestProvider extends AttributeProvider { StringWriter writer = new StringWriter(); template.merge(context, writer); - resp.getOutputStream().write(writer.toString().getBytes()); + resp.getOutputStream().write(writer.toString().getBytes("UTF-8")); } catch (Exception e) { Logger.error("Error sending STORK SAML AttrRequest.", e); throw new MOAIDException("stork.11", null); |