diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java')
64 files changed, 1347 insertions, 1376 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/MOAReversionLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/MOAReversionLogger.java index 0090bf3d3..322686c21 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/MOAReversionLogger.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/MOAReversionLogger.java @@ -123,7 +123,6 @@ public class MOAReversionLogger implements IRevisionLogger { /* (non-Javadoc) * @see at.gv.egovernment.moa.id.advancedlogging.IRevisionLogger#logEvent(at.gv.egovernment.moa.id.commons.api.IOAAuthParameters, at.gv.egiz.eaaf.core.api.IRequest, int) */ - @Override public void logEvent(ISPConfiguration oaConfig, IRequest pendingRequest, int eventCode) { if (selectOASpecificEventCodes(oaConfig).contains(eventCode)) @@ -136,7 +135,6 @@ public class MOAReversionLogger implements IRevisionLogger { /* (non-Javadoc) * @see at.gv.egovernment.moa.id.advancedlogging.IRevisionLogger#logEvent(at.gv.egovernment.moa.id.commons.api.IOAAuthParameters, at.gv.egiz.eaaf.core.api.IRequest, int, java.lang.String) */ - @Override public void logEvent(IOAAuthParameters oaConfig, IRequest pendingRequest, int eventCode, String message) { if (selectOASpecificEventCodes(oaConfig).contains(eventCode)) @@ -251,11 +249,14 @@ public class MOAReversionLogger implements IRevisionLogger { } - private List<Integer> selectOASpecificEventCodes(IOAAuthParameters oaConfig) { + private List<Integer> selectOASpecificEventCodes(ISPConfiguration oaConfig) { List<Integer> OASpecificEventCodes = null; - if (oaConfig != null && oaConfig.getReversionsLoggingEventCodes() != null) - OASpecificEventCodes = oaConfig.getReversionsLoggingEventCodes(); + if (oaConfig != null && oaConfig instanceof IOAAuthParameters) { + if (((IOAAuthParameters)oaConfig).getReversionsLoggingEventCodes() != null) + OASpecificEventCodes = ((IOAAuthParameters)oaConfig).getReversionsLoggingEventCodes(); + } + else OASpecificEventCodes = getDefaulttReversionsLoggingEventCodes(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java index e12b1372e..ea796d974 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java @@ -46,6 +46,7 @@ import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBod import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.idp.IAuthData; import at.gv.egiz.eaaf.core.api.logging.IStatisticLogger; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionWrapper; import at.gv.egovernment.moa.id.auth.exception.ServiceException; import at.gv.egovernment.moa.id.client.SZRGWClientException; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; @@ -286,10 +287,10 @@ public class StatisticLogger implements IStatisticLogger{ } IAuthenticationSession moasession = null; - if (MiscUtil.isNotEmpty(errorRequest.getInternalSSOSessionIdentifier())) { + if (MiscUtil.isNotEmpty(errorRequest.getSSOSessionIdentifier())) { Logger.debug("Use MOA session information from SSO session for ErrorLogging"); try { - moasession = authenticatedSessionStorage.getInternalSSOSession(errorRequest.getInternalSSOSessionIdentifier()); + moasession = authenticatedSessionStorage.getInternalSSOSession(errorRequest.getSSOSessionIdentifier()); } catch (MOADatabaseException e) { Logger.error("Error during database communication", e); @@ -298,7 +299,8 @@ public class StatisticLogger implements IStatisticLogger{ } else { Logger.debug("Use MOA session information from pending-req for ErrorLogging"); - moasession = errorRequest.getMOASession(); + moasession = new AuthenticationSessionWrapper(errorRequest.genericFullDataStorage()); + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index efe28c900..738f733a8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -36,11 +36,6 @@ import java.util.List; import javax.naming.ldap.LdapName; import javax.naming.ldap.Rdn; -import org.opensaml.saml2.core.Attribute; -import org.opensaml.saml2.core.AttributeQuery; -import org.opensaml.saml2.core.Response; -import org.opensaml.ws.soap.common.SOAPException; -import org.opensaml.xml.XMLObject; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import org.w3c.dom.DOMException; @@ -49,10 +44,12 @@ import org.w3c.dom.Node; import org.w3c.dom.NodeList; import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.data.EAAFConstants; import at.gv.egiz.eaaf.core.api.idp.IAuthData; import at.gv.egiz.eaaf.core.api.idp.IAuthenticationDataBuilder; import at.gv.egiz.eaaf.core.exceptions.EAAFAuthenticationException; import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException; import at.gv.egiz.eaaf.core.impl.idp.AuthenticationData; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionWrapper; @@ -71,7 +68,6 @@ import at.gv.egovernment.moa.id.commons.api.data.IMISMandate; import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; -import at.gv.egovernment.moa.id.commons.api.exceptions.SessionDataStorageException; import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; import at.gv.egovernment.moa.id.config.auth.OAAuthParameterDecorator; import at.gv.egovernment.moa.id.data.AuthenticationRoleFactory; @@ -80,17 +76,9 @@ import at.gv.egovernment.moa.id.data.MOAAuthenticationData; import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; -import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.IdentityLinkReSigner; -import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper; +import at.gv.egovernment.moa.id.util.LoALevelMapper; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; @@ -112,9 +100,6 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu @Autowired private IAuthenticationSessionStoreage authenticatedSessionStorage; @Autowired protected AuthConfiguration authConfig; - @Autowired private AttributQueryBuilder attributQueryBuilder; - @Autowired private SAMLVerificationEngineSP samlVerificationEngine; - @Autowired(required=true) private MOAMetadataProvider metadataProvider; @Override public IAuthData buildAuthenticationData(IRequest pendingReq) throws EAAFAuthenticationException { @@ -193,82 +178,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu return authdata; } - - /** - * Get PVP authentication attributes by using a SAML2 AttributeQuery - * - * @param reqQueryAttr List of PVP attributes which are requested - * @param userNameID SAML2 UserNameID of the user for which attributes are requested - * @param idpConfig Configuration of the IDP, which is requested - * @return - * @return PVP attribute DAO, which contains all received information - * @throws MOAIDException - */ - public AssertionAttributeExtractor getAuthDataFromAttributeQuery(List<Attribute> reqQueryAttr, - String userNameID, IOAAuthParameters idpConfig, String spEntityID) throws MOAIDException{ - String idpEnityID = idpConfig.getPublicURLPrefix(); - - try { - Logger.debug("Starting AttributeQuery process ..."); - //collect attributes by using BackChannel communication - String endpoint = idpConfig.getIDPAttributQueryServiceURL(); - if (MiscUtil.isEmpty(endpoint)) { - Logger.error("No AttributeQueryURL for interfederationIDP " + idpEnityID); - throw new ConfigurationException("config.26", new Object[]{idpEnityID}); - - } - - //build attributQuery request - AttributeQuery query = attributQueryBuilder.buildAttributQueryRequest(spEntityID, userNameID, endpoint, reqQueryAttr); - - //build SOAP request - List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query); - - if (xmlObjects.size() == 0) { - Logger.error("Receive emptry AttributeQuery response-body."); - throw new AttributQueryException("auth.27", - new Object[]{idpEnityID, "Receive emptry AttributeQuery response-body."}); - - } - - Response intfResp; - if (xmlObjects.get(0) instanceof Response) { - intfResp = (Response) xmlObjects.get(0); - - //validate PVP 2.1 response - try { - samlVerificationEngine.verifyIDPResponse(intfResp, - TrustEngineFactory.getSignatureKnownKeysTrustEngine( - metadataProvider)); - - //create assertion attribute extractor from AttributeQuery response - return new AssertionAttributeExtractor(intfResp); - - } catch (Exception e) { - Logger.warn("PVP 2.1 assertion validation FAILED.", e); - throw new AssertionValidationExeption("auth.27", - new Object[]{idpEnityID, e.getMessage()}, e); - } - - } else { - Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response"); - throw new AttributQueryException("auth.27", - new Object[]{idpEnityID, "Receive AttributeQuery response-body include no PVP 2.1 response"}); - } - - } catch (SOAPException e) { - throw new BuildException("builder.06", null, e); - - } catch (SecurityException e) { - throw new BuildException("builder.06", null, e); - - } catch (org.opensaml.xml.security.SecurityException e1) { - throw new BuildException("builder.06", null, e1); - - } - } - private void buildAuthDataFormMOASession(MOAAuthenticationData authData, IAuthenticationSession session, IOAAuthParameters oaParam, IRequest protocolRequest) throws BuildException, ConfigurationException { @@ -372,32 +282,43 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu //#################################################### //set QAA level includedToGenericAuthData.remove(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME); + String currentLoA = null; if (MiscUtil.isNotEmpty(session.getQAALevel())) - authData.setQAALevel(session.getQAALevel()); - + currentLoA = session.getQAALevel(); else { - String qaaLevel = session.getGenericDataFromSession(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME, String.class); - if (MiscUtil.isNotEmpty(qaaLevel)) { - Logger.debug("Find PVP-Attr '" + PVPConstants.EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME + "':" + qaaLevel + currentLoA = session.getGenericDataFromSession(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME, String.class); + if (MiscUtil.isNotEmpty(currentLoA)) { + Logger.debug("Find PVP-Attr '" + PVPConstants.EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME + "':" + currentLoA + " --> Parse QAA-Level from that attribute."); - - if (qaaLevel.startsWith(PVPConstants.STORK_QAA_PREFIX)) { - authData.setQAALevel(qaaLevel); - - } else { - Logger.debug("Found PVP QAA level. QAA mapping process starts ... "); - String mappedQAA = PVPtoSTORKMapper.getInstance().mapToQAALevel(qaaLevel); - if (MiscUtil.isNotEmpty(mappedQAA)) - authData.setQAALevel(mappedQAA); - - } + } } + + if (MiscUtil.isNotEmpty(currentLoA)) { + if (currentLoA.startsWith(PVPConstants.STORK_QAA_PREFIX)) { + authData.setQAALevel(currentLoA); + authData.seteIDASLoA(LoALevelMapper.getInstance().mapSTORKQAAToeIDASQAA(currentLoA)); + + } else if (currentLoA.startsWith(EAAFConstants.EIDAS_QAA_PREFIX)) { + authData.setQAALevel(LoALevelMapper.getInstance().mapeIDASQAAToSTORKQAA(currentLoA)); + authData.seteIDASLoA(currentLoA); + + } else { + Logger.debug("Found PVP QAA level. QAA mapping process starts ... "); + String mappedStorkQAA = LoALevelMapper.getInstance().mapToQAALevel(currentLoA); + if (MiscUtil.isNotEmpty(mappedStorkQAA)) { + authData.setQAALevel(currentLoA); + authData.seteIDASLoA(LoALevelMapper.getInstance().mapSTORKQAAToeIDASQAA(currentLoA)); + + } + } + } //if no QAA level is set in MOASession then set default QAA level if (MiscUtil.isEmpty(authData.getQAALevel())) { - Logger.info("No QAA level found. Set to default level " + PVPConstants.STORK_QAA_PREFIX + "1"); + Logger.info("No QAA level found. Set to default level " + EAAFConstants.EIDAS_QAA_LOW); authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + "1"); + authData.seteIDASLoA(EAAFConstants.EIDAS_QAA_LOW); } @@ -810,7 +731,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants implements IAu try { authData.setGenericData(elementKey, session.getGenericDataFromSession(elementKey)); - } catch (SessionDataStorageException e) { + } catch (EAAFStorageException e) { Logger.warn("Can not add generic authData with key:" + elementKey, e); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java index e9e217137..a1d31f5ae 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java @@ -29,7 +29,6 @@ import org.opensaml.saml2.core.Attribute; import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.data.PVPAttributeConstants; -import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; import at.gv.egovernment.moa.id.auth.exception.DynamicOABuildException; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; @@ -89,16 +88,8 @@ public class DynamicOAAuthParameterBuilder { DynamicOAAuthParameters dynOAParams = new DynamicOAAuthParameters(); dynOAParams.setApplicationID(oaParam.getPublicURLPrefix()); - try { - dynOAParams.setHasBaseIdProcessingRestriction(oaParam.hasBaseIdInternalProcessingRestriction()); - dynOAParams.setHasBaseIdTransfergRestriction(oaParam.hasBaseIdTransferRestriction()); - - } catch (EAAFConfigurationException e) { - Logger.warn("Can not resolve baseID restrications! Set to privacy friendly configuration", e); - dynOAParams.setHasBaseIdProcessingRestriction(true); - dynOAParams.setHasBaseIdTransfergRestriction(true); - - } + dynOAParams.setHasBaseIdProcessingRestriction(oaParam.hasBaseIdInternalProcessingRestriction()); + dynOAParams.setHasBaseIdTransfergRestriction(oaParam.hasBaseIdTransferRestriction()); Object storkRequst = null; try { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index e0d65e103..10c271b6a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -186,7 +186,7 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ && MiscUtil.isNotEmpty(templateURLList.get(0)) ) { templateURL = FileUtils.makeAbsoluteURL( oaParam.getTemplateURL().get(0), - authConfig.getRootConfigFileDir()); + authConfig.getRootConfigFileDir()); Logger.info("No SL-Template in request, load SL-Template from OA configuration (URL: " + templateURL + ")"); } else if ( (defaulTemplateURLList.size() > 0) && MiscUtil.isNotEmpty(defaulTemplateURLList.get(0))) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java index 0e9db3964..f9aa1b83c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/IDPSingleLogOutServlet.java @@ -36,12 +36,14 @@ import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.idp.auth.IAuthenticationManager; +import at.gv.egiz.eaaf.core.api.idp.slo.ISLOInformationContainer; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.exceptions.GUIBuildException; -import at.gv.egiz.eaaf.core.impl.idp.auth.AuthenticationManager; import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController; import at.gv.egiz.eaaf.core.impl.utils.HTTPUtils; import at.gv.egiz.eaaf.core.impl.utils.Random; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.frontend.builder.DefaultGUIFormBuilderConfiguration; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; @@ -50,6 +52,7 @@ import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.data.SLOInformationContainer; import at.gv.egovernment.moa.id.moduls.SSOManager; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.SingleLogOutBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NOSLOServiceDescriptorException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException; @@ -66,7 +69,7 @@ import at.gv.egovernment.moa.util.URLEncoder; public class IDPSingleLogOutServlet extends AbstractController { @Autowired SSOManager ssoManager; - @Autowired AuthenticationManager authManager; + @Autowired IAuthenticationManager authManager; @Autowired IAuthenticationSessionStoreage authenicationStorage; @Autowired SingleLogOutBuilder sloBuilder; @@ -127,6 +130,9 @@ public class IDPSingleLogOutServlet extends AbstractController { } catch (MOADatabaseException e) { handleErrorNoRedirect(e, req, resp, false); + } catch (EAAFException e) { + handleErrorNoRedirect(e, req, resp, false); + } return; @@ -135,10 +141,13 @@ public class IDPSingleLogOutServlet extends AbstractController { try { if (ssoManager.isValidSSOSession(ssoid, null)) { - AuthenticationSession authSession = authenicationStorage.getInternalMOASessionWithSSOID(ssoid); + String internalSSOId = authenicationStorage.getInternalSSOSessionWithSSOID(ssoid); - if(authSession != null) { - authManager.performSingleLogOut(req, resp, authSession, authURL); + if(MiscUtil.isNotEmpty(internalSSOId)) { + ISLOInformationContainer sloInfoContainer = authManager.performSingleLogOut(req, resp, null, internalSSOId); + + Logger.debug("Starting technical SLO process ... "); + sloBuilder.toTechnicalLogout(sloInfoContainer, req, resp, authURL); return; } @@ -159,11 +168,12 @@ public class IDPSingleLogOutServlet extends AbstractController { sloContainer.putFailedOA("differntent OAs"); String redirectURL = null; - if (sloContainer.getSloRequest() != null) { + IRequest sloReq = sloContainer.getSloRequest(); + if (sloReq != null && sloReq instanceof PVPTargetConfiguration) { //send SLO response to SLO request issuer - SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(sloContainer.getSloRequest()); - LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, sloContainer.getSloRequest(), sloContainer.getSloFailedOAs()); - redirectURL = sloBuilder.getFrontChannelSLOMessageURL(sloService, message, req, resp, sloContainer.getSloRequest().getRequest().getRelayState()); + SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor((PVPTargetConfiguration)sloContainer.getSloRequest()); + LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, (PVPTargetConfiguration)sloContainer.getSloRequest(), sloContainer.getSloFailedOAs()); + redirectURL = sloBuilder.getFrontChannelSLOMessageURL(sloService, message, req, resp, ((PVPTargetConfiguration)sloContainer.getSloRequest()).getRequest().getRelayState()); } else { //print SLO information directly @@ -205,6 +215,9 @@ public class IDPSingleLogOutServlet extends AbstractController { } catch (MOAIDException e) { Logger.warn("Build SLO respone FAILED.", e); + } catch (EAAFException e) { + Logger.warn("Build SLO respone FAILED.", e); + } try { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java index 21d329145..0285dd75b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java @@ -98,7 +98,7 @@ public class LogOutServlet { } - if (ssomanager.destroySSOSessionOnIDPOnly(req, resp)) + if (ssomanager.destroySSOSessionOnIDPOnly(req, resp, null)) Logger.info("User with SSO is logged out and get redirect to "+ redirectUrl); else Logger.info("No active SSO session found. User is maybe logout already and get redirect to "+ redirectUrl); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java index 752f54139..07b5242e0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/UniqueSessionIdentifierInterceptor.java @@ -29,9 +29,9 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.servlet.HandlerInterceptor; import org.springframework.web.servlet.ModelAndView; +import at.gv.egiz.eaaf.core.api.data.EAAFConstants; import at.gv.egiz.eaaf.core.impl.utils.Random; import at.gv.egiz.eaaf.core.impl.utils.TransactionIDUtils; -import at.gv.egovernment.moa.id.commons.MOAIDConstants; import at.gv.egovernment.moa.id.moduls.SSOManager; import at.gv.egovernment.moa.util.MiscUtil; @@ -56,10 +56,10 @@ public class UniqueSessionIdentifierInterceptor implements HandlerInterceptor { //search for unique session identifier String uniqueSessionIdentifier = ssomanager.getUniqueSessionIdentifier(ssoId); if (MiscUtil.isEmpty(uniqueSessionIdentifier)) - uniqueSessionIdentifier = Random.nextRandom(); + uniqueSessionIdentifier = Random.nextHexRandom16(); TransactionIDUtils.setSessionId(uniqueSessionIdentifier); - request.setAttribute(MOAIDConstants.UNIQUESESSIONIDENTIFIER, uniqueSessionIdentifier); + request.setAttribute(EAAFConstants.UNIQUESESSIONIDENTIFIER, uniqueSessionIdentifier); return true; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameterDecorator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameterDecorator.java index f0477c1fb..89e543209 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameterDecorator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameterDecorator.java @@ -60,7 +60,6 @@ import java.util.Set; import org.apache.commons.lang.SerializationUtils; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; -import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; @@ -104,7 +103,7 @@ public class OAAuthParameterDecorator implements IOAAuthParameters, Serializable @Override - public boolean hasBaseIdInternalProcessingRestriction() throws EAAFConfigurationException { + public boolean hasBaseIdInternalProcessingRestriction() { String targetAreaIdentifier = getAreaSpecificTargetIdentifier(); for (String el : spConfiguration.getTargetsWithNoBaseIdInternalProcessingRestriction()) { if (targetAreaIdentifier.startsWith(el)) @@ -116,7 +115,7 @@ public class OAAuthParameterDecorator implements IOAAuthParameters, Serializable } @Override - public boolean hasBaseIdTransferRestriction() throws EAAFConfigurationException { + public boolean hasBaseIdTransferRestriction() { String targetAreaIdentifier = getAreaSpecificTargetIdentifier(); for (String el : spConfiguration.getTargetsWithNoBaseIdTransferRestriction()) { if (targetAreaIdentifier.startsWith(el)) @@ -688,13 +687,7 @@ public boolean isInterfederationSSOStorageAllowed() { } public boolean isIDPPublicService() throws ConfigurationException { - try { - return !hasBaseIdTransferRestriction(); - - } catch (EAAFConfigurationException e) { - throw new ConfigurationException("internal.00", new Object[] {}, e); - - } + return !hasBaseIdTransferRestriction(); } @@ -947,11 +940,14 @@ public List<String> getTargetsWithNoBaseIdTransferRestriction() { @Override -/** - * THIS METHODE IS NOT SUPPORTED IN THIS IMPLEMENTATION - */ public String getUniqueIdentifier() { - return null; + return getPublicURLPrefix(); +} + + +@Override +public String getMinimumLevelOfAssurence() { + return getQaaLevel(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java index db2499ad5..a0a34336c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java @@ -96,7 +96,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide Map<String, String> oa = getActiveOnlineApplication(spIdentifier); if (oa == null) { return null; - } + } return new OAAuthParameterDecorator(new SPConfigurationImpl(oa, this)); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java index f401db8bf..11932f52a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java @@ -75,7 +75,7 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{ * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifier() */ @Override - public String getAreaSpecificTargetIdentifier() throws ConfigurationException { + public String getAreaSpecificTargetIdentifier() { return this.oaTargetAreaIdentifier; } @@ -551,8 +551,12 @@ public class DynamicOAAuthParameters implements IOAAuthParameters, Serializable{ @Override public String getUniqueIdentifier() { - // TODO Auto-generated method stub - return null; + return getPublicURLPrefix(); + } + + @Override + public String getMinimumLevelOfAssurence() { + return getQaaLevel(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/MOAAuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/MOAAuthenticationData.java index 0e8a988ce..ba3eba2e6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/MOAAuthenticationData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/MOAAuthenticationData.java @@ -33,7 +33,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink; import at.gv.egovernment.moa.id.commons.api.data.IMISMandate; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; -import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper; +import at.gv.egovernment.moa.id.util.LoALevelMapper; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.DOMUtils; import at.gv.egovernment.moa.util.MiscUtil; @@ -76,7 +76,7 @@ public class MOAAuthenticationData extends AuthenticationData implements IMOAAut public String getQAALevel() { if (this.QAALevel != null && this.QAALevel.startsWith(PVPConstants.EIDAS_QAA_PREFIX)) { - String mappedQAA = PVPtoSTORKMapper.getInstance().mapeIDASQAAToSTORKQAA(this.QAALevel); + String mappedQAA = LoALevelMapper.getInstance().mapeIDASQAAToSTORKQAA(this.QAALevel); if (MiscUtil.isNotEmpty(mappedQAA)) return mappedQAA; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java index 20588ad0b..b1f123bbc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java @@ -30,7 +30,9 @@ import java.util.List; import java.util.Map.Entry; import java.util.Set; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.idp.slo.ISLOInformationContainer; +import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface; /** * @author tlenz @@ -40,9 +42,9 @@ public class SLOInformationContainer implements Serializable, ISLOInformationCon private static final long serialVersionUID = 7148730740582881862L; - private PVPTargetConfiguration sloRequest = null; - private LinkedHashMap<String, SLOInformationImpl> activeFrontChannalOAs; - private LinkedHashMap<String, SLOInformationImpl> activeBackChannelOAs; + private IRequest sloRequest = null; + private LinkedHashMap<String, SLOInformationInterface> activeFrontChannalOAs; + private LinkedHashMap<String, SLOInformationInterface> activeBackChannelOAs; private List<String> sloFailedOAs = null; private String transactionID = null; private String sessionID = null; @@ -51,8 +53,8 @@ public class SLOInformationContainer implements Serializable, ISLOInformationCon * */ public SLOInformationContainer() { - this.activeBackChannelOAs = new LinkedHashMap<String, SLOInformationImpl>(); - this.activeFrontChannalOAs = new LinkedHashMap<String, SLOInformationImpl>(); + this.activeBackChannelOAs = new LinkedHashMap<String, SLOInformationInterface>(); + this.activeFrontChannalOAs = new LinkedHashMap<String, SLOInformationInterface>(); this.sloFailedOAs = new ArrayList<String>(); } @@ -61,28 +63,28 @@ public class SLOInformationContainer implements Serializable, ISLOInformationCon /** * @return the activeFrontChannalOAs */ - public LinkedHashMap<String, SLOInformationImpl> getActiveFrontChannalOAs() { + public LinkedHashMap<String, SLOInformationInterface> getActiveFrontChannalOAs() { return activeFrontChannalOAs; } /** * @param activeFrontChannalOAs the activeFrontChannalOAs to set */ - public void setActiveFrontChannalOAs(LinkedHashMap<String, SLOInformationImpl> activeFrontChannalOAs) { + public void setActiveFrontChannalOAs(LinkedHashMap<String, SLOInformationInterface> activeFrontChannalOAs) { this.activeFrontChannalOAs = activeFrontChannalOAs; } /** * @return the activeBackChannelOAs */ - public LinkedHashMap<String, SLOInformationImpl> getActiveBackChannelOAs() { + public LinkedHashMap<String, SLOInformationInterface> getActiveBackChannelOAs() { return activeBackChannelOAs; } /** * @param activeBackChannelOAs the activeBackChannelOAs to set */ - public void setActiveBackChannelOAs(LinkedHashMap<String, SLOInformationImpl> activeBackChannelOAs) { + public void setActiveBackChannelOAs(LinkedHashMap<String, SLOInformationInterface> activeBackChannelOAs) { this.activeBackChannelOAs = activeBackChannelOAs; } @@ -98,7 +100,7 @@ public class SLOInformationContainer implements Serializable, ISLOInformationCon * @see at.gv.egovernment.moa.id.data.ISLOInformationContainer#getFrontChannelOASessionDescriptions() */ @Override - public Set<Entry<String, SLOInformationImpl>> getFrontChannelOASessionDescriptions() { + public Set<Entry<String, SLOInformationInterface>> getFrontChannelOASessionDescriptions() { return activeFrontChannalOAs.entrySet(); } @@ -122,7 +124,7 @@ public class SLOInformationContainer implements Serializable, ISLOInformationCon * @see at.gv.egovernment.moa.id.data.ISLOInformationContainer#getBackChannelOASessionDescripten(java.lang.String) */ @Override - public SLOInformationImpl getBackChannelOASessionDescripten(String oaID) { + public SLOInformationInterface getBackChannelOASessionDescripten(String oaID) { return activeBackChannelOAs.get(oaID); } @@ -134,19 +136,12 @@ public class SLOInformationContainer implements Serializable, ISLOInformationCon activeBackChannelOAs.remove(oaID); } - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.data.ISLOInformationContainer#getSloRequest() - */ - @Override - public PVPTargetConfiguration getSloRequest() { - return sloRequest; - } - + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.data.ISLOInformationContainer#setSloRequest(at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration) */ @Override - public void setSloRequest(PVPTargetConfiguration sloRequest) { + public void setSloRequest(IRequest sloRequest) { this.sloRequest = sloRequest; } @@ -197,7 +192,11 @@ public class SLOInformationContainer implements Serializable, ISLOInformationCon public void setSessionID(String sessionID) { this.sessionID = sessionID; } - - + + + @Override + public IRequest getSloRequest() { + return this.sloRequest; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java index 1d1e2f36a..5ff923bce 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java @@ -26,6 +26,8 @@ import java.io.Serializable; import org.opensaml.saml2.metadata.SingleLogoutService; +import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface; + /** * @author tlenz diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationInterface.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationInterface.java deleted file mode 100644 index 31fdaacfd..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationInterface.java +++ /dev/null @@ -1,70 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.data; - -/** - * @author tlenz - * - */ -public interface SLOInformationInterface{ - - - /** - * get AssertionID which was used for Service Provider Single LogOut request - * - * @return - * SessionID (SessionIndex in case of SAML2) - */ - public String getSessionIndex(); - - /** - * get user identifier which was used - * - * @return - * bPK / wbPK (nameID in case of SAML2) - */ - public String getUserNameIdentifier(); - - - /** - * get protocol type which was used for authentication - * - * @return - * return authentication protocol type - */ - public String getProtocolType(); - - /** - * @return - */ - public String getUserNameIDFormat(); - - /** - * Get the unique entityID of this Service-Provider - * - * @return unique identifier, but never null - */ - public String getSpEntityID(); - - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 2e1af43e4..c05a271f6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -22,12 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.moduls; -import java.util.ArrayList; -import java.util.Collection; import java.util.Enumeration; -import java.util.Iterator; import java.util.List; -import java.util.Map.Entry; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -35,46 +31,31 @@ import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang.StringEscapeUtils; import org.apache.commons.lang3.StringUtils; import org.opensaml.saml2.core.LogoutRequest; -import org.opensaml.saml2.core.LogoutResponse; -import org.opensaml.saml2.core.StatusCode; -import org.opensaml.saml2.metadata.SingleLogoutService; -import org.opensaml.ws.soap.common.SOAPException; -import org.opensaml.xml.XMLObject; -import org.opensaml.xml.security.SecurityException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.gui.IGUIFormBuilder; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.api.idp.slo.ISLOInformationContainer; import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage; import at.gv.egiz.eaaf.core.exceptions.EAAFException; -import at.gv.egiz.eaaf.core.exceptions.GUIBuildException; -import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; import at.gv.egiz.eaaf.core.impl.idp.auth.AbstractAuthenticationManager; import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl; import at.gv.egiz.eaaf.core.impl.utils.Random; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionExtensions; -import at.gv.egovernment.moa.id.auth.frontend.builder.DefaultGUIFormBuilderConfiguration; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; -import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession; -import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; -import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider; import at.gv.egovernment.moa.id.data.SLOInformationContainer; -import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.SingleLogOutBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; @@ -92,7 +73,7 @@ public class AuthenticationManager extends AbstractAuthenticationManager { public static final String MOA_SESSION = "MoaAuthenticationSession"; public static final String MOA_AUTHENTICATED = "MoaAuthenticated"; - public static final int SLOTIMEOUT = 30 * 1000; //30 sec + @Autowired private ITransactionStorage transactionStorage; @@ -105,87 +86,33 @@ public class AuthenticationManager extends AbstractAuthenticationManager { @Override - public void performSingleLogOut(HttpServletRequest httpReq, HttpServletResponse httpResp, IRequest pendingReq) - throws EAAFException { - // TODO Auto-generated method stub - - } - - @Override - public void performSingleLogOut(HttpServletRequest httpReq, HttpServletResponse httpResp, IRequest pendingReq, String arg3) + public ISLOInformationContainer performSingleLogOut(HttpServletRequest httpReq, HttpServletResponse httpResp, IRequest pendingReq, String internalSSOId) throws EAAFException { - // TODO Auto-generated method stub - - } - - - - public void performSingleLogOut(HttpServletRequest httpReq, - HttpServletResponse httpResp, IAuthenticationSession session, PVPTargetConfiguration pvpReq) throws MOAIDException { - performSingleLogOut(httpReq, httpResp, session, pvpReq, null); - - } - - public void performSingleLogOut(HttpServletRequest httpReq, - HttpServletResponse httpResp, IAuthenticationSession session, String authURL) throws MOAIDException { - performSingleLogOut(httpReq, httpResp, session, null, authURL); - - } - - - public void performOnlyIDPLogOut(HttpServletRequest request, - HttpServletResponse response, String internalMOASsoSessionID) { - Logger.info("Remove active user-session"); - - if(internalMOASsoSessionID == null) { - internalMOASsoSessionID = StringEscapeUtils.escapeHtml((String) request.getParameter(PARAM_SESSIONID)); - } - - if(internalMOASsoSessionID == null) { - Logger.info("NO MOA Session to logout"); - return; - } - - AuthenticationSession authSession; - try { - authSession = authenticatedSessionStore.getInternalSSOSession(internalMOASsoSessionID); - - if(authSession == null) { - Logger.info("NO MOA Authentication data for ID " + internalMOASsoSessionID); - return; - } - - performOnlyIDPLogOut(authSession); - - } catch (MOADatabaseException e) { - Logger.info("NO MOA Authentication data for ID " + internalMOASsoSessionID); - return; - } - - } - - - private void performSingleLogOut(HttpServletRequest httpReq, - HttpServletResponse httpResp, IAuthenticationSession session, PVPTargetConfiguration pvpReq, String authURL) throws MOAIDException { String pvpSLOIssuer = null; - String inboundRelayState = null; String uniqueSessionIdentifier = "notSet"; String uniqueTransactionIdentifier = "notSet"; - + PVPTargetConfiguration pvpReq = null; Logger.debug("Start technical Single LogOut process ... "); - if (pvpReq != null) { - MOARequest samlReq = (MOARequest) pvpReq.getRequest(); - LogoutRequest logOutReq = (LogoutRequest) samlReq.getSamlRequest(); - pvpSLOIssuer = logOutReq.getIssuer().getValue(); - inboundRelayState = samlReq.getRelayState(); - uniqueSessionIdentifier = pvpReq.getUniqueSessionIdentifier(); - uniqueTransactionIdentifier = pvpReq.getUniqueTransactionIdentifier(); + + if (pendingReq != null) { + uniqueSessionIdentifier = pendingReq.getUniqueSessionIdentifier(); + uniqueTransactionIdentifier = pendingReq.getUniqueTransactionIdentifier(); + + if (pendingReq instanceof PVPTargetConfiguration) { + pvpReq = ((PVPTargetConfiguration)pendingReq); + MOARequest samlReq = (MOARequest) pvpReq.getRequest(); + LogoutRequest logOutReq = (LogoutRequest) samlReq.getSamlRequest(); + pvpSLOIssuer = logOutReq.getIssuer().getValue(); + } + if (MiscUtil.isEmpty(internalSSOId)) + internalSSOId = pendingReq.getSSOSessionIdentifier(); + } else { AuthenticationSessionExtensions sessionExt; try { - sessionExt = authenticatedSessionStore.getAuthenticationSessionExtensions(session.getSessionID()); + sessionExt = authenticatedSessionStore.getAuthenticationSessionExtensions(internalSSOId); if (sessionExt != null) uniqueSessionIdentifier = sessionExt.getUniqueSessionId(); @@ -199,8 +126,8 @@ public class AuthenticationManager extends AbstractAuthenticationManager { } //store active OAs to SLOContaine - List<OASessionStore> dbOAs = authenticatedSessionStore.getAllActiveOAFromMOASession(session); - List<InterfederationSessionStore> dbIDPs = authenticatedSessionStore.getAllActiveIDPsFromMOASession(session); + List<OASessionStore> dbOAs = authenticatedSessionStore.getAllActiveOAFromMOASession(internalSSOId); + List<InterfederationSessionStore> dbIDPs = authenticatedSessionStore.getAllActiveIDPsFromMOASession(internalSSOId); SLOInformationContainer sloContainer = new SLOInformationContainer(); sloContainer.setTransactionID(uniqueTransactionIdentifier); sloContainer.setSessionID(uniqueSessionIdentifier); @@ -213,13 +140,13 @@ public class AuthenticationManager extends AbstractAuthenticationManager { + " BackChannel:" + sloContainer.getActiveBackChannelOAs().size() + " FrontChannel:" + sloContainer.getActiveFrontChannalOAs().size() + " NO_SLO_Support:" + sloContainer.getSloFailedOAs().size()); - + + //terminate MOASession try { - authenticatedSessionStore.destroyInternalSSOSession(session.getSessionID()); - ssoManager.deleteSSOSessionID(httpReq, httpResp); + authenticatedSessionStore.destroyInternalSSOSession(internalSSOId); + ssoManager.destroySSOSessionOnIDPOnly(httpReq, httpResp, pendingReq); revisionsLogger.logEvent(MOAIDEventConstants.SESSION_DESTROYED, uniqueSessionIdentifier); - Logger.debug("Active SSO Session on IDP is remove."); } catch (MOADatabaseException e) { @@ -228,165 +155,8 @@ public class AuthenticationManager extends AbstractAuthenticationManager { } - Logger.trace("Starting Service-Provider logout process ... "); - revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_STARTED); - //start service provider back channel logout process - Iterator<String> nextOAInterator = sloContainer.getNextBackChannelOA(); - while (nextOAInterator.hasNext()) { - SLOInformationImpl sloDescr = sloContainer.getBackChannelOASessionDescripten(nextOAInterator.next()); - LogoutRequest sloReq = sloBuilder.buildSLORequestMessage(sloDescr); - - try { - Logger.trace("Send backchannel SLO Request to " + sloDescr.getSpEntityID()); - List<XMLObject> soapResp = MOASAMLSOAPClient.send(sloDescr.getServiceURL(), sloReq); - - LogoutResponse sloResp = null; - for (XMLObject el : soapResp) { - if (el instanceof LogoutResponse) - sloResp = (LogoutResponse) el; - } - - if (sloResp == null) { - Logger.warn("Single LogOut for OA " + sloDescr.getSpEntityID() - + " FAILED. NO LogOut response received."); - sloContainer.putFailedOA(sloDescr.getSpEntityID()); - - } else { - samlVerificationEngine.verifySLOResponse(sloResp, - TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); - - } - - sloBuilder.checkStatusCode(sloContainer, sloResp); - - } catch (SOAPException e) { - Logger.warn("Single LogOut for OA " + sloDescr.getSpEntityID() - + " FAILED.", e); - sloContainer.putFailedOA(sloDescr.getSpEntityID()); - - } catch (SecurityException | InvalidProtocolRequestException e) { - Logger.warn("Single LogOut for OA " + sloDescr.getSpEntityID() - + " FAILED.", e); - sloContainer.putFailedOA(sloDescr.getSpEntityID()); - - } - } - - //start service provider front channel logout process - try { - if (sloContainer.hasFrontChannelOA()) { - String relayState = Random.nextRandom(); - - Collection<Entry<String, SLOInformationImpl>> sloDescr = sloContainer.getFrontChannelOASessionDescriptions(); - List<String> sloReqList = new ArrayList<String>(); - for (Entry<String, SLOInformationImpl> el : sloDescr) { - Logger.trace("Build frontChannel SLO Request for " + el.getValue().getSpEntityID()); - - LogoutRequest sloReq = sloBuilder.buildSLORequestMessage(el.getValue()); - try { - sloReqList.add(sloBuilder.getFrontChannelSLOMessageURL(el.getValue().getServiceURL(), el.getValue().getBinding(), - sloReq, httpReq, httpResp, relayState)); - - } catch (Exception e) { - Logger.warn("Failed to build SLO request for OA:" + el.getKey()); - sloContainer.putFailedOA(el.getKey()); - - } - } - - //put SLO process-information into transaction storage - transactionStorage.put(relayState, sloContainer, -1); - - if (MiscUtil.isEmpty(authURL)) - authURL = pvpReq.getAuthURL(); - - String timeOutURL = authURL - + "/idpSingleLogout" - + "?restart=" + relayState; - - DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration( - authURL, - DefaultGUIFormBuilderConfiguration.VIEW_SINGLELOGOUT, - null); - - config.putCustomParameterWithOutEscaption("redirectURLs", sloReqList); - config.putCustomParameterWithOutEscaption("timeoutURL", timeOutURL); - config.putCustomParameter("timeout", String.valueOf(SLOTIMEOUT)); - - guiBuilder.build(httpResp, config, "Single-LogOut GUI"); - - - } else { - if (pvpReq != null) { - //send SLO response to SLO request issuer - SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq); - LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, pvpReq, sloContainer.getSloFailedOAs()); - sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState, pvpReq); - - } else { - //print SLO information directly - DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration( - authURL, - DefaultGUIFormBuilderConfiguration.VIEW_SINGLELOGOUT, - null); - - if (sloContainer.getSloFailedOAs() == null || - sloContainer.getSloFailedOAs().size() == 0) { - revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_ALL_VALID); - config.putCustomParameter("successMsg", - MOAIDMessageProvider.getInstance().getMessage("slo.00", null)); - - } else { - revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID); - config.putCustomParameterWithOutEscaption("errorMsg", - MOAIDMessageProvider.getInstance().getMessage("slo.01", null)); - - } - guiBuilder.build(httpResp, config, "Single-LogOut GUI"); - - } - - } + return sloContainer; - } catch (GUIBuildException e) { - Logger.warn("Can not build GUI:'Single-LogOut'. Msg:" + e.getMessage()); - throw new MOAIDException("builder.09", new Object[]{e.getMessage()}, e); - - } catch (MOADatabaseException e) { - Logger.error("MOA AssertionDatabase ERROR", e); - if (pvpReq != null) { - SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(pvpReq); - LogoutResponse message = sloBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); - sloBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, inboundRelayState, pvpReq); - - revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID); - - }else { - //print SLO information directly - DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration( - authURL, - DefaultGUIFormBuilderConfiguration.VIEW_SINGLELOGOUT, - null); - - revisionsLogger.logEvent(uniqueSessionIdentifier, uniqueTransactionIdentifier, MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID); - config.putCustomParameterWithOutEscaption("errorMsg", - MOAIDMessageProvider.getInstance().getMessage("slo.01", null)); - - try { - guiBuilder.build(httpResp, config, "Single-LogOut GUI"); - - } catch (GUIBuildException e1) { - Logger.warn("Can not build GUI:'Single-LogOut'. Msg:" + e.getMessage()); - throw new MOAIDException("builder.09", new Object[]{e.getMessage()}, e); - - } - - } - - } catch (Exception e) { - // TODO Auto-generated catch block - e.printStackTrace(); - } } @Override diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java index bded1943b..d3d7a9456 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java @@ -72,11 +72,15 @@ public class SSOManager implements ISSOManager { private static final int INTERFEDERATIONCOOKIEMAXAGE = 5 * 60;// sec + public static final String DATAID_INTERFEDERATIOIDP_URL = "INTERFEDERATIOIDP_URL"; + @Autowired private IAuthenticationSessionStoreage authenticatedSessionStore; @Autowired private AuthConfiguration authConfig; @Autowired private IRevisionLogger revisionsLogger; + + //@Autowired private MOASessionDBUtils moaSessionDBUtils; @@ -113,7 +117,7 @@ public class SSOManager implements ISSOManager { return isSSOValid; - } catch (SessionDataStorageException | ConfigurationException | MOADatabaseException e) { + } catch (SessionDataStorageException | ConfigurationException | EAAFStorageException e) { Logger.warn("Cann not process SSO session. Reason: " + e.getMessage(), e); Logger.info("All SSO session will be ignored."); @@ -151,8 +155,9 @@ public class SSOManager implements ISSOManager { public void populatePendingRequestWithSSOInformation(IRequest pendingReq) throws EAAFSSOException { //populate pending request with eID data from SSO session if no userConsent is required - try { - AuthenticationSession ssoMOASession = getInternalMOASession(pendingReq.getSSOSessionIdentifier()); + try { + String ssoSessionId = authenticatedSessionStore.getInternalSSOSessionWithSSOID(pendingReq.getSSOSessionIdentifier()); + AuthenticationSession ssoMOASession = authenticatedSessionStore.getInternalSSOSession(ssoSessionId); if (ssoMOASession == null) Logger.info("No MOASession FOUND with provided SSO-Cookie."); @@ -192,25 +197,26 @@ public class SSOManager implements ISSOManager { if (isValidSSOSession(ssoid, null)) { //delete SSO session and MOA session - AuthenticationSession ssoSession = authenticatedSessionStore.getInternalMOASessionWithSSOID(ssoid); + String ssoSessionId = authenticatedSessionStore.getInternalSSOSessionWithSSOID(ssoid); + AuthenticationSession ssoMOASession = authenticatedSessionStore.getInternalSSOSession(ssoSessionId); - if (ssoSession == null) { + if (ssoMOASession == null) { Logger.info("No internal MOA SSO-Session found. Nothing to destroy"); return false; } - ssoSession.setAuthenticated(false); + ssoMOASession.setAuthenticated(false); //log Session_Destroy to reversionslog AuthenticationSessionExtensions sessionExtensions = - authenticatedSessionStore.getAuthenticationSessionExtensions(ssoSession.getSSOSessionID()); + authenticatedSessionStore.getAuthenticationSessionExtensions(ssoMOASession.getSSOSessionID()); revisionsLogger.logEvent(MOAIDEventConstants.SESSION_DESTROYED, sessionExtensions.getUniqueSessionId()); - authenticatedSessionStore.destroyInternalSSOSession(ssoSession.getSSOSessionID()); + authenticatedSessionStore.destroyInternalSSOSession(ssoMOASession.getSSOSessionID()); } - } catch (MOADatabaseException | ConfigurationException | SessionDataStorageException e) { + } catch (ConfigurationException | SessionDataStorageException | EAAFStorageException e) { Logger.info("NO MOA Authentication data for ID " + ssoid); return false; @@ -235,14 +241,15 @@ public class SSOManager implements ISSOManager { * @param httpResp HttpServletResponse * @param protocolRequest Authentication request which is actually in process * @throws SessionDataStorageException + * @throws EAAFStorageException * **/ public void checkInterfederationIsRequested(HttpServletRequest httpReq, HttpServletResponse httpResp, - IRequest protocolRequest) throws SessionDataStorageException { + IRequest protocolRequest) throws SessionDataStorageException, EAAFStorageException { String interIDP = httpReq.getParameter(MOAIDAuthConstants.INTERFEDERATION_IDP); String interfederationIDP = - protocolRequest.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class); + protocolRequest.getGenericData(DATAID_INTERFEDERATIOIDP_URL, String.class); if (MiscUtil.isNotEmpty(interfederationIDP)) { Logger.debug("Protocolspecific preprocessing already set interfederation IDP " + interfederationIDP); return; @@ -254,14 +261,14 @@ public class SSOManager implements ISSOManager { RequestImpl moaReq = (RequestImpl) protocolRequest; if (MiscUtil.isNotEmpty(interIDP)) { Logger.info("Receive SSO request for interfederation IDP " + interIDP); - moaReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, interIDP); + moaReq.setGenericDataToSession(DATAID_INTERFEDERATIOIDP_URL, interIDP); } else { //check if IDP cookie is set String cookie = getValueFromCookie(httpReq, SSOINTERFEDERATION); if (MiscUtil.isNotEmpty(cookie)) { Logger.info("Receive SSO request for interfederated IDP from Cookie " + cookie); - moaReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, cookie); + moaReq.setGenericDataToSession(DATAID_INTERFEDERATIOIDP_URL, cookie); deleteCookie(httpReq, httpResp, SSOINTERFEDERATION); } @@ -283,7 +290,7 @@ public class SSOManager implements ISSOManager { Logger.debug("Add SSO information to MOASession."); //Store SSO information into database - String newSSOSessionId = createSSOSessionInformations(moaSession.getSessionID(), + String newSSOSessionId = createSSOSessionInformations(moaSession.getSSOSessionID(), pendingReq.getSPEntityId()); //set SSO cookie to response @@ -298,7 +305,7 @@ public class SSOManager implements ISSOManager { return newSSOSessionId; } - public boolean isValidSSOSession(String ssoSessionID, IRequest protocolRequest) throws ConfigurationException, SessionDataStorageException { + public boolean isValidSSOSession(String ssoSessionID, IRequest protocolRequest) throws ConfigurationException, SessionDataStorageException, EAAFStorageException { // search SSO Session if (ssoSessionID == null) { @@ -328,7 +335,7 @@ public class SSOManager implements ISSOManager { //in case of federated SSO session, jump to federated IDP for authentication String interfederationIDP = - protocolRequest.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class); + protocolRequest.getGenericData(DATAID_INTERFEDERATIOIDP_URL, String.class); if (MiscUtil.isEmpty(interfederationIDP)) { InterfederationSessionStore selectedIDP = authenticatedSessionStore.searchInterfederatedIDPFORSSOWithMOASession(storedSession.getSessionid()); @@ -337,7 +344,7 @@ public class SSOManager implements ISSOManager { //no local SSO session exist -> request interfederated IDP Logger.info("SSO Session refer to federated IDP: " + selectedIDP.getIdpurlprefix()); protocolRequest.setGenericDataToSession( - RequestImpl.DATAID_INTERFEDERATIOIDP_URL, selectedIDP.getIdpurlprefix()); + DATAID_INTERFEDERATIOIDP_URL, selectedIDP.getIdpurlprefix()); } else { Logger.warn("MOASession is marked as interfederated SSO session but no interfederated IDP is found. Switch to local authentication ..."); @@ -360,18 +367,18 @@ public class SSOManager implements ISSOManager { } - public AuthenticationSession getInternalMOASession(String ssoSessionID) throws MOADatabaseException { - return authenticatedSessionStore.getInternalMOASessionWithSSOID(ssoSessionID); - - } +// public String getInternalSSOSession(String ssoSessionID) throws MOADatabaseException { +// return authenticatedSessionStore.getInternalSSOSessionWithSSOID(ssoSessionID); +// +// } //TODO: refactor for faster DB access public String getUniqueSessionIdentifier(String ssoSessionID) { try { if (MiscUtil.isNotEmpty(ssoSessionID)) { - AuthenticationSession moaSession = authenticatedSessionStore.getInternalMOASessionWithSSOID(ssoSessionID); - if (moaSession != null) { - AuthenticationSessionExtensions extSessionInformation = authenticatedSessionStore.getAuthenticationSessionExtensions(moaSession.getSSOSessionID()); + String ssoSessionId = authenticatedSessionStore.getInternalSSOSessionWithSSOID(ssoSessionID); + if (MiscUtil.isNotEmpty(ssoSessionId)) { + AuthenticationSessionExtensions extSessionInformation = authenticatedSessionStore.getAuthenticationSessionExtensions(ssoSessionId); return extSessionInformation.getUniqueSessionId(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java deleted file mode 100644 index 9262e97c2..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BPKAttributeBuilder.java +++ /dev/null @@ -1,71 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.builder.attributes; - -import at.gv.egiz.eaaf.core.api.idp.IAttributeGenerator; -import at.gv.egiz.eaaf.core.api.idp.IAuthData; -import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder; -import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; -import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; -import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.Constants; -import at.gv.egovernment.moa.util.MiscUtil; - -public class BPKAttributeBuilder implements IPVPAttributeBuilder { - - public String getName() { - return BPK_NAME; - } - - public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData, - IAttributeGenerator<ATT> g) throws AttributeBuilderException { - String bpk = authData.getBPK(); - String type = authData.getBPKType(); - - if (MiscUtil.isEmpty(bpk)) - throw new UnavailableAttributeException(BPK_NAME); - - if (type.startsWith(Constants.URN_PREFIX_WBPK)) - type = type.substring((Constants.URN_PREFIX_WBPK + "+").length()); - - else if (type.startsWith(Constants.URN_PREFIX_CDID)) - type = type.substring((Constants.URN_PREFIX_CDID + "+").length()); - - else if (type.startsWith(Constants.URN_PREFIX_EIDAS)) - type = type.substring((Constants.URN_PREFIX_EIDAS + "+").length()); - - if (bpk.length() > BPK_MAX_LENGTH) { - bpk = bpk.substring(0, BPK_MAX_LENGTH); - } - - Logger.trace("Authenticate user with bPK/wbPK " + bpk + " and Type=" + type); - - return g.buildStringAttribute(BPK_FRIENDLY_NAME, BPK_NAME, type + ":" + bpk); - } - - public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) { - return g.buildEmptyAttribute(BPK_FRIENDLY_NAME, BPK_NAME); - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSectorForIDAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSectorForIDAttributeBuilder.java deleted file mode 100644 index 783e044f8..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSectorForIDAttributeBuilder.java +++ /dev/null @@ -1,55 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.builder.attributes; - -import at.gv.egiz.eaaf.core.api.idp.IAttributeGenerator; -import at.gv.egiz.eaaf.core.api.idp.IAuthData; -import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder; -import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; -import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; -import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; -import at.gv.egovernment.moa.util.MiscUtil; - -public class EIDSectorForIDAttributeBuilder implements IPVPAttributeBuilder { - - public String getName() { - return EID_SECTOR_FOR_IDENTIFIER_NAME; - } - - public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData, - IAttributeGenerator<ATT> g) throws AttributeBuilderException { - String bpktype = authData.getBPKType(); - - if (MiscUtil.isEmpty(authData.getBPKType())) - throw new UnavailableAttributeException(EID_SECTOR_FOR_IDENTIFIER_NAME); - - return g.buildStringAttribute(EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, - EID_SECTOR_FOR_IDENTIFIER_NAME, bpktype); - } - - public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) { - return g.buildEmptyAttribute(EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, - EID_SECTOR_FOR_IDENTIFIER_NAME); - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSignerCertificate.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSignerCertificate.java index 2f18c78e2..7c2207d1d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSignerCertificate.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSignerCertificate.java @@ -31,6 +31,7 @@ import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.id.data.IMOAAuthData; import at.gv.egovernment.moa.logging.Logger; public class EIDSignerCertificate implements IPVPAttributeBuilder { @@ -43,11 +44,14 @@ public class EIDSignerCertificate implements IPVPAttributeBuilder { IAttributeGenerator<ATT> g) throws AttributeBuilderException { try { - byte[] signerCertificate = authData.getSignerCertificate(); - if (signerCertificate != null) { - return g.buildStringAttribute(EID_SIGNER_CERTIFICATE_FRIENDLY_NAME, EID_SIGNER_CERTIFICATE_NAME, + if (authData instanceof IMOAAuthData) { + byte[] signerCertificate = ((IMOAAuthData)authData).getSignerCertificate(); + if (signerCertificate != null) { + return g.buildStringAttribute(EID_SIGNER_CERTIFICATE_FRIENDLY_NAME, EID_SIGNER_CERTIFICATE_NAME, Base64Utils.encodeToString(signerCertificate)); - } + } + } else + Logger.info(EID_SIGNER_CERTIFICATE_FRIENDLY_NAME + " is only available in MOA-ID context"); }catch (Exception e) { Logger.info("Signer certificate BASE64 encoding error"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java index e91bc90d6..090cf6b21 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EncryptedBPKAttributeBuilder.java @@ -28,6 +28,8 @@ import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.id.data.IMOAAuthData; +import at.gv.egovernment.moa.logging.Logger; public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder { @@ -38,16 +40,20 @@ public class EncryptedBPKAttributeBuilder implements IPVPAttributeBuilder { public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeBuilderException { - if (authData.getEncbPKList() != null && - authData.getEncbPKList().size() > 0) { - String value = authData.getEncbPKList().get(0); - for (int i=1; i<authData.getEncbPKList().size(); i++) - value += ";"+authData.getEncbPKList().get(i); + if (authData instanceof IMOAAuthData) { + if (((IMOAAuthData)authData).getEncbPKList() != null && + ((IMOAAuthData)authData).getEncbPKList().size() > 0) { + String value = ((IMOAAuthData)authData).getEncbPKList().get(0); + for (int i=1; i<((IMOAAuthData)authData).getEncbPKList().size(); i++) + value += ";"+((IMOAAuthData)authData).getEncbPKList().get(i); - return g.buildStringAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME, - value); + return g.buildStringAttribute(ENC_BPK_LIST_FRIENDLY_NAME, ENC_BPK_LIST_NAME, + value); - } + } + + } else + Logger.info(ENC_BPK_LIST_FRIENDLY_NAME + " is only available in MOA-ID context"); throw new UnavailableAttributeException(ENC_BPK_LIST_NAME); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/HolderOfKey.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/HolderOfKey.java index e1e7440e6..c65199dd6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/HolderOfKey.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/HolderOfKey.java @@ -24,13 +24,13 @@ package at.gv.egovernment.moa.id.protocols.builder.attributes; import java.io.IOException; +import at.gv.egiz.eaaf.core.api.data.EAAFConstants; import at.gv.egiz.eaaf.core.api.idp.IAttributeGenerator; import at.gv.egiz.eaaf.core.api.idp.IAuthData; import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; -import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; @@ -45,7 +45,7 @@ public class HolderOfKey implements IPVPAttributeBuilder { try { byte[] certEncoded = authData.getGenericData( - MOAIDAuthConstants.MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE, + EAAFConstants.PROCESS_ENGINE_SSL_CLIENT_CERTIFICATE, byte[].class); if (certEncoded != null) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateFullMandateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateFullMandateAttributeBuilder.java index 007f7403a..171dfe2d9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateFullMandateAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateFullMandateAttributeBuilder.java @@ -33,6 +33,7 @@ import at.gv.egiz.eaaf.core.api.idp.IAuthData; import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; +import at.gv.egovernment.moa.id.data.IMOAAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.DOMUtils; @@ -45,25 +46,30 @@ public class MandateFullMandateAttributeBuilder implements IPVPAttributeBuilder public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeBuilderException { - if (authData.isUseMandate()) { - //only provide full mandate if it is included. - //In case of federation only a short mandate could be include - if (authData.getMandate() != null) { - String fullMandate; - try { - fullMandate = DOMUtils.serializeNode(authData - .getMandate()); - return g.buildStringAttribute(MANDATE_FULL_MANDATE_FRIENDLY_NAME, - MANDATE_FULL_MANDATE_NAME, Base64Utils.encodeToString(fullMandate.getBytes())); - } catch (TransformerException e) { - Logger.error("Failed to generate Full Mandate", e); - } catch (IOException e) { - Logger.error("Failed to generate Full Mandate", e); + if (authData instanceof IMOAAuthData) { + if (((IMOAAuthData)authData).isUseMandate()) { + //only provide full mandate if it is included. + //In case of federation only a short mandate could be include + if (((IMOAAuthData)authData).getMandate() != null) { + String fullMandate; + try { + fullMandate = DOMUtils.serializeNode(((IMOAAuthData)authData) + .getMandate()); + return g.buildStringAttribute(MANDATE_FULL_MANDATE_FRIENDLY_NAME, + MANDATE_FULL_MANDATE_NAME, Base64Utils.encodeToString(fullMandate.getBytes())); + } catch (TransformerException e) { + Logger.error("Failed to generate Full Mandate", e); + } catch (IOException e) { + Logger.error("Failed to generate Full Mandate", e); + } } + throw new NoMandateDataAttributeException(); + } - throw new NoMandateDataAttributeException(); - } + } else + Logger.info(MANDATE_FULL_MANDATE_FRIENDLY_NAME + " is only available in MOA-ID context"); + return null; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java index e41a5ccf1..26ea1823e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java @@ -31,6 +31,7 @@ import at.gv.egiz.eaaf.core.api.idp.IAuthData; import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; +import at.gv.egovernment.moa.id.data.IMOAAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.logging.Logger; @@ -44,34 +45,39 @@ public class MandateLegalPersonFullNameAttributeBuilder implements IPVPAttribute public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeBuilderException { - if (authData.isUseMandate()) { - - //get PVP attribute directly, if exists - String fullName = authData.getGenericData(MANDATE_LEG_PER_FULL_NAME_NAME, String.class); - - if (MiscUtil.isEmpty(fullName)) { - Element mandate = authData.getMandate(); - if (mandate == null) { - throw new NoMandateDataAttributeException(); - - } - Mandate mandateObject = MandateBuilder.buildMandate(mandate); - if (mandateObject == null) { - throw new NoMandateDataAttributeException(); - + if (authData instanceof IMOAAuthData) { + if (((IMOAAuthData)authData).isUseMandate()) { + + //get PVP attribute directly, if exists + String fullName = authData.getGenericData(MANDATE_LEG_PER_FULL_NAME_NAME, String.class); + + if (MiscUtil.isEmpty(fullName)) { + Element mandate = ((IMOAAuthData)authData).getMandate(); + if (mandate == null) { + throw new NoMandateDataAttributeException(); + + } + Mandate mandateObject = MandateBuilder.buildMandate(mandate); + if (mandateObject == null) { + throw new NoMandateDataAttributeException(); + + } + CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); + if (corporation == null) { + Logger.info("No corporation mandate"); + throw new NoMandateDataAttributeException(); + + } + fullName = corporation.getFullName(); } - CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); - if (corporation == null) { - Logger.info("No corporation mandate"); - throw new NoMandateDataAttributeException(); - - } - fullName = corporation.getFullName(); + return g.buildStringAttribute(MANDATE_LEG_PER_FULL_NAME_FRIENDLY_NAME, MANDATE_LEG_PER_FULL_NAME_NAME, + fullName); + } - return g.buildStringAttribute(MANDATE_LEG_PER_FULL_NAME_FRIENDLY_NAME, MANDATE_LEG_PER_FULL_NAME_NAME, - fullName); - } + } else + Logger.info(MANDATE_LEG_PER_FULL_NAME_FRIENDLY_NAME + " is only available in MOA-ID context"); + return null; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java index e20cf6684..cad8416b4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java @@ -31,6 +31,7 @@ import at.gv.egiz.eaaf.core.api.idp.IAuthData; import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; +import at.gv.egovernment.moa.id.data.IMOAAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.logging.Logger; @@ -44,11 +45,14 @@ public class MandateLegalPersonSourcePinAttributeBuilder implements IPVPAttribu public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeBuilderException { - if(authData.isUseMandate()) { - return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, - MANDATE_LEG_PER_SOURCE_PIN_NAME, getLegalPersonIdentifierFromMandate(authData)); + if (authData instanceof IMOAAuthData) { + if(((IMOAAuthData)authData).isUseMandate()) { + return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, + MANDATE_LEG_PER_SOURCE_PIN_NAME, getLegalPersonIdentifierFromMandate(((IMOAAuthData)authData))); - } + } + } else + Logger.info(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME + " is only available in MOA-ID context"); return null; @@ -59,7 +63,7 @@ public class MandateLegalPersonSourcePinAttributeBuilder implements IPVPAttribu } - protected String getLegalPersonIdentifierFromMandate(IAuthData authData) throws NoMandateDataAttributeException { + protected String getLegalPersonIdentifierFromMandate(IMOAAuthData authData) throws NoMandateDataAttributeException { //get PVP attribute directly, if exists String sourcePin = authData.getGenericData(MANDATE_LEG_PER_SOURCE_PIN_NAME, String.class); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java index 098ecf68f..5fa0a5c48 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java @@ -31,6 +31,7 @@ import at.gv.egiz.eaaf.core.api.idp.IAuthData; import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; +import at.gv.egovernment.moa.id.data.IMOAAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.logging.Logger; @@ -44,39 +45,44 @@ public class MandateLegalPersonSourcePinTypeAttributeBuilder implements IPVPAttr public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeBuilderException { - if (authData.isUseMandate()) { - //get PVP attribute directly, if exists - String sourcePinType = authData.getGenericData(MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, String.class); + if (authData instanceof IMOAAuthData) { + if (((IMOAAuthData)authData).isUseMandate()) { + //get PVP attribute directly, if exists + String sourcePinType = authData.getGenericData(MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, String.class); + + if (MiscUtil.isEmpty(sourcePinType)) { + Element mandate = ((IMOAAuthData)authData).getMandate(); + if (mandate == null) { + throw new NoMandateDataAttributeException(); - if (MiscUtil.isEmpty(sourcePinType)) { - Element mandate = authData.getMandate(); - if (mandate == null) { - throw new NoMandateDataAttributeException(); - - } - Mandate mandateObject = MandateBuilder.buildMandate(mandate); - if (mandateObject == null) { - throw new NoMandateDataAttributeException(); - - } - CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); - if (corporation == null) { - Logger.info("No corporate mandate"); - throw new NoMandateDataAttributeException(); - - } - if (corporation.getIdentification().size() == 0) { - Logger.info("Failed to generate IdentificationType"); - throw new NoMandateDataAttributeException(); + } + Mandate mandateObject = MandateBuilder.buildMandate(mandate); + if (mandateObject == null) { + throw new NoMandateDataAttributeException(); + + } + CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); + if (corporation == null) { + Logger.info("No corporate mandate"); + throw new NoMandateDataAttributeException(); + + } + if (corporation.getIdentification().size() == 0) { + Logger.info("Failed to generate IdentificationType"); + throw new NoMandateDataAttributeException(); + + } + sourcePinType = corporation.getIdentification().get(0).getType(); } - sourcePinType = corporation.getIdentification().get(0).getType(); + return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME, MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, + sourcePinType); } - return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME, MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, - sourcePinType); - } + } else + Logger.info(MANDATE_LEG_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME + " is only available in MOA-ID context"); + return null; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java index ebec019ae..9160ef453 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java @@ -37,6 +37,7 @@ import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; +import at.gv.egovernment.moa.id.data.IMOAAuthData; import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; @@ -107,46 +108,49 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui protected Pair<String, String> internalBPKGenerator(IOAAuthParameters oaParam, IAuthData authData) throws NoMandateDataAttributeException, BuildException, ConfigurationException { //get PVP attribute directly, if exists Pair<String, String> calcResult = null; - - if (authData.isUseMandate()) { - String bpk = authData.getGenericData(MANDATE_NAT_PER_BPK_NAME, String.class); - - if (MiscUtil.isEmpty(bpk)) { - //read bPK from mandate if it is not directly included - Element mandate = authData.getMandate(); - if (mandate == null) { - throw new NoMandateDataAttributeException(); - } - Mandate mandateObject = MandateBuilder.buildMandate(mandate); - if (mandateObject == null) { - throw new NoMandateDataAttributeException(); - } - PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); - if (physicalPerson == null) { - Logger.debug("No physicalPerson mandate"); - throw new NoMandateDataAttributeException(); - } - IdentificationType id = null; - id = physicalPerson.getIdentification().get(0); - if (id == null) { - Logger.info("Failed to generate IdentificationType"); - throw new NoMandateDataAttributeException(); - } - - - if (id.getType().equals(Constants.URN_PREFIX_BASEID)) - calcResult = new BPKBuilder().generateAreaSpecificPersonIdentifier(id.getValue().getValue(), - oaParam.getAreaSpecificTargetIdentifier()); - else - calcResult = Pair.newInstance(id.getValue().getValue(), id.getType()); - + if (authData instanceof IMOAAuthData) { + if (((IMOAAuthData)authData).isUseMandate()) { + String bpk = authData.getGenericData(MANDATE_NAT_PER_BPK_NAME, String.class); - } else { - Logger.info("Find '" + MANDATE_NAT_PER_BPK_NAME + "' in AuthData. Use it what is is."); - calcResult = Pair.newInstance(bpk, null); + if (MiscUtil.isEmpty(bpk)) { + //read bPK from mandate if it is not directly included + Element mandate = ((IMOAAuthData)authData).getMandate(); + if (mandate == null) { + throw new NoMandateDataAttributeException(); + } + Mandate mandateObject = MandateBuilder.buildMandate(mandate); + if (mandateObject == null) { + throw new NoMandateDataAttributeException(); + } + PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); + if (physicalPerson == null) { + Logger.debug("No physicalPerson mandate"); + throw new NoMandateDataAttributeException(); + } + IdentificationType id = null; + id = physicalPerson.getIdentification().get(0); + if (id == null) { + Logger.info("Failed to generate IdentificationType"); + throw new NoMandateDataAttributeException(); + } + + + if (id.getType().equals(Constants.URN_PREFIX_BASEID)) + calcResult = new BPKBuilder().generateAreaSpecificPersonIdentifier(id.getValue().getValue(), + oaParam.getAreaSpecificTargetIdentifier()); + else + calcResult = Pair.newInstance(id.getValue().getValue(), id.getType()); + + } else { + Logger.info("Find '" + MANDATE_NAT_PER_BPK_NAME + "' in AuthData. Use it what is is."); + calcResult = Pair.newInstance(bpk, null); + + } } - } + + } else + Logger.info(MANDATE_NAT_PER_BPK_FRIENDLY_NAME + " is only available in MOA-ID context"); return calcResult; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java index 0b8263ffb..e91087484 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java @@ -37,6 +37,7 @@ import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; import at.gv.egiz.eaaf.core.exceptions.InvalidDateFormatAttributeException; +import at.gv.egovernment.moa.id.data.IMOAAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.logging.Logger; @@ -65,41 +66,44 @@ public class MandateNaturalPersonBirthDateAttributeBuilder implements IPVPAttrib protected String internalAttributGeneration(ISPConfiguration oaParam, IAuthData authData) throws InvalidDateFormatAttributeException, NoMandateDataAttributeException { - if (authData.isUseMandate()) { + if (((IMOAAuthData)authData).isUseMandate()) { //get PVP attribute directly, if exists String birthDayString = authData.getGenericData(MANDATE_NAT_PER_BIRTHDATE_NAME, String.class); if (MiscUtil.isEmpty(birthDayString)) { - //read bPK from mandate if it is not directly included - Element mandate = authData.getMandate(); - if (mandate == null) { - throw new NoMandateDataAttributeException(); - } - Mandate mandateObject = MandateBuilder.buildMandate(mandate); - if (mandateObject == null) { - throw new NoMandateDataAttributeException(); - } - PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); - if (physicalPerson == null) { - Logger.info("No physicalPerson mandate"); - throw new NoMandateDataAttributeException(); - } + if (authData instanceof IMOAAuthData) { + //read bPK from mandate if it is not directly included + Element mandate = ((IMOAAuthData)authData).getMandate(); + if (mandate == null) { + throw new NoMandateDataAttributeException(); + } + Mandate mandateObject = MandateBuilder.buildMandate(mandate); + if (mandateObject == null) { + throw new NoMandateDataAttributeException(); + } + PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); + if (physicalPerson == null) { + Logger.info("No physicalPerson mandate"); + throw new NoMandateDataAttributeException(); + } - String dateOfBirth = physicalPerson.getDateOfBirth(); - try { - DateFormat mandateFormat = new SimpleDateFormat(MandateBuilder.MANDATE_DATE_OF_BIRTH_FORMAT); - mandateFormat.setLenient(false); - Date date = mandateFormat.parse(dateOfBirth); - DateFormat pvpDateFormat = new SimpleDateFormat(MANDATE_NAT_PER_BIRTHDATE_FORMAT_PATTERN); - birthDayString = pvpDateFormat.format(date); + String dateOfBirth = physicalPerson.getDateOfBirth(); + try { + DateFormat mandateFormat = new SimpleDateFormat(MandateBuilder.MANDATE_DATE_OF_BIRTH_FORMAT); + mandateFormat.setLenient(false); + Date date = mandateFormat.parse(dateOfBirth); + DateFormat pvpDateFormat = new SimpleDateFormat(MANDATE_NAT_PER_BIRTHDATE_FORMAT_PATTERN); + birthDayString = pvpDateFormat.format(date); - } - catch (ParseException e) { - Logger.warn("MIS mandate birthday has an incorrect formt. (Value:" + dateOfBirth, e); - throw new InvalidDateFormatAttributeException(); + } + catch (ParseException e) { + Logger.warn("MIS mandate birthday has an incorrect formt. (Value:" + dateOfBirth, e); + throw new InvalidDateFormatAttributeException(); - } + } + } else + Logger.info(MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME + " is only available in MOA-ID context"); } else { try { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java index 38a520298..9261ba063 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java @@ -34,6 +34,7 @@ import at.gv.egiz.eaaf.core.api.idp.IAuthData; import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; +import at.gv.egovernment.moa.id.data.IMOAAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.logging.Logger; @@ -47,40 +48,45 @@ public class MandateNaturalPersonFamilyNameAttributeBuilder implements IPVPAttr public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeBuilderException { - if(authData.isUseMandate()) { + if (authData instanceof IMOAAuthData) { + if(((IMOAAuthData)authData).isUseMandate()) { - //get PVP attribute directly, if exists - String familyName = authData.getGenericData(MANDATE_NAT_PER_FAMILY_NAME_NAME, String.class); - - if (MiscUtil.isEmpty(familyName)) { - //read mandator familyName from mandate if it is not directly included - Element mandate = authData.getMandate(); - if(mandate == null) { - throw new NoMandateDataAttributeException(); - } - Mandate mandateObject = MandateBuilder.buildMandate(mandate); - if(mandateObject == null) { - throw new NoMandateDataAttributeException(); - } - PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); - if(physicalPerson == null) { - Logger.debug("No physicalPerson mandate"); - throw new NoMandateDataAttributeException(); - } - - StringBuilder sb = new StringBuilder(); - Iterator<FamilyName> fNamesit = physicalPerson.getName().getFamilyName().iterator(); + //get PVP attribute directly, if exists + String familyName = authData.getGenericData(MANDATE_NAT_PER_FAMILY_NAME_NAME, String.class); - while(fNamesit.hasNext()) - sb.append(" " + fNamesit.next().getValue()); - - familyName = sb.toString(); + if (MiscUtil.isEmpty(familyName)) { + //read mandator familyName from mandate if it is not directly included + Element mandate = ((IMOAAuthData)authData).getMandate(); + if(mandate == null) { + throw new NoMandateDataAttributeException(); + } + Mandate mandateObject = MandateBuilder.buildMandate(mandate); + if(mandateObject == null) { + throw new NoMandateDataAttributeException(); + } + PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); + if(physicalPerson == null) { + Logger.debug("No physicalPerson mandate"); + throw new NoMandateDataAttributeException(); + } + + StringBuilder sb = new StringBuilder(); + Iterator<FamilyName> fNamesit = physicalPerson.getName().getFamilyName().iterator(); + + while(fNamesit.hasNext()) + sb.append(" " + fNamesit.next().getValue()); + + familyName = sb.toString(); + + } + return g.buildStringAttribute(MANDATE_NAT_PER_FAMILY_NAME_FRIENDLY_NAME, + MANDATE_NAT_PER_FAMILY_NAME_NAME, familyName); } - return g.buildStringAttribute(MANDATE_NAT_PER_FAMILY_NAME_FRIENDLY_NAME, - MANDATE_NAT_PER_FAMILY_NAME_NAME, familyName); - } + } else + Logger.info(MANDATE_NAT_PER_FAMILY_NAME_FRIENDLY_NAME + " is only available in MOA-ID context"); + return null; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java index be8e761e0..fe952253d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java @@ -33,6 +33,7 @@ import at.gv.egiz.eaaf.core.api.idp.IAuthData; import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; +import at.gv.egovernment.moa.id.data.IMOAAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.logging.Logger; @@ -46,37 +47,41 @@ public class MandateNaturalPersonGivenNameAttributeBuilder implements IPVPAttrib public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeBuilderException { - if (authData.isUseMandate()) { - //get PVP attribute directly, if exists - String givenName = authData.getGenericData(MANDATE_NAT_PER_GIVEN_NAME_NAME, String.class); - - if (MiscUtil.isEmpty(givenName)) { - Element mandate = authData.getMandate(); - if (mandate == null) { - throw new NoMandateDataAttributeException(); - } - Mandate mandateObject = MandateBuilder.buildMandate(mandate); - if (mandateObject == null) { - throw new NoMandateDataAttributeException(); - } - PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); - if (physicalPerson == null) { - Logger.debug("No physicalPerson mandate"); - throw new NoMandateDataAttributeException(); - } + if (authData instanceof IMOAAuthData) { + if (((IMOAAuthData)authData).isUseMandate()) { + //get PVP attribute directly, if exists + String givenName = authData.getGenericData(MANDATE_NAT_PER_GIVEN_NAME_NAME, String.class); - StringBuilder sb = new StringBuilder(); - Iterator<String> gNamesit = physicalPerson.getName().getGivenName().iterator(); - - while (gNamesit.hasNext()) - sb.append(" " + gNamesit.next()); - - givenName = sb.toString(); + if (MiscUtil.isEmpty(givenName)) { + Element mandate = ((IMOAAuthData)authData).getMandate(); + if (mandate == null) { + throw new NoMandateDataAttributeException(); + } + Mandate mandateObject = MandateBuilder.buildMandate(mandate); + if (mandateObject == null) { + throw new NoMandateDataAttributeException(); + } + PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); + if (physicalPerson == null) { + Logger.debug("No physicalPerson mandate"); + throw new NoMandateDataAttributeException(); + } + + StringBuilder sb = new StringBuilder(); + Iterator<String> gNamesit = physicalPerson.getName().getGivenName().iterator(); + + while (gNamesit.hasNext()) + sb.append(" " + gNamesit.next()); + + givenName = sb.toString(); + + } + return g.buildStringAttribute(MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME, MANDATE_NAT_PER_GIVEN_NAME_NAME, givenName); } - return g.buildStringAttribute(MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME, MANDATE_NAT_PER_GIVEN_NAME_NAME, givenName); - } + } else + Logger.info(MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME + " is only available in MOA-ID context"); return null; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java index 2890b72d9..3c0a2cc94 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java @@ -33,6 +33,7 @@ import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; import at.gv.egiz.eaaf.core.exceptions.AttributePolicyException; +import at.gv.egovernment.moa.id.data.IMOAAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.logging.Logger; @@ -45,36 +46,41 @@ public class MandateNaturalPersonSourcePinAttributeBuilder implements IPVPAttri public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeBuilderException { - if(authData.isUseMandate()) { - Element mandate = authData.getMandate(); - if(mandate == null) { - throw new NoMandateDataAttributeException(); - } - Mandate mandateObject = MandateBuilder.buildMandate(mandate); - if(mandateObject == null) { - throw new NoMandateDataAttributeException(); - } - PhysicalPersonType physicalPerson = mandateObject.getMandator() - .getPhysicalPerson(); - if (physicalPerson == null) { - Logger.debug("No physicalPerson mandate"); - throw new NoMandateDataAttributeException(); - } - IdentificationType id = null; - id = physicalPerson.getIdentification().get(0); - - if(authData.isBaseIDTransferRestrication()) { - throw new AttributePolicyException(this.getName()); - } - - if(id == null) { - Logger.info("Failed to generate IdentificationType"); - throw new NoMandateDataAttributeException(); + if (authData instanceof IMOAAuthData) { + if(((IMOAAuthData)authData).isUseMandate()) { + Element mandate = ((IMOAAuthData)authData).getMandate(); + if(mandate == null) { + throw new NoMandateDataAttributeException(); + } + Mandate mandateObject = MandateBuilder.buildMandate(mandate); + if(mandateObject == null) { + throw new NoMandateDataAttributeException(); + } + PhysicalPersonType physicalPerson = mandateObject.getMandator() + .getPhysicalPerson(); + if (physicalPerson == null) { + Logger.debug("No physicalPerson mandate"); + throw new NoMandateDataAttributeException(); + } + IdentificationType id = null; + id = physicalPerson.getIdentification().get(0); + + if(authData.isBaseIDTransferRestrication()) { + throw new AttributePolicyException(this.getName()); + } + + if(id == null) { + Logger.info("Failed to generate IdentificationType"); + throw new NoMandateDataAttributeException(); + } + + return g.buildStringAttribute(MANDATE_NAT_PER_SOURCE_PIN_FRIENDLY_NAME, + MANDATE_NAT_PER_SOURCE_PIN_NAME, id.getValue().getValue()); } - return g.buildStringAttribute(MANDATE_NAT_PER_SOURCE_PIN_FRIENDLY_NAME, - MANDATE_NAT_PER_SOURCE_PIN_NAME, id.getValue().getValue()); - } + } else + Logger.info(MANDATE_NAT_PER_SOURCE_PIN_FRIENDLY_NAME + " is only available in MOA-ID context"); + return null; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java index 6b3ed6768..0d9009778 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java @@ -32,6 +32,7 @@ import at.gv.egiz.eaaf.core.api.idp.IAuthData; import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; +import at.gv.egovernment.moa.id.data.IMOAAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.logging.Logger; @@ -44,31 +45,36 @@ public class MandateNaturalPersonSourcePinTypeAttributeBuilder implements IPVPAt public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeBuilderException { - if(authData.isUseMandate()) { - Element mandate = authData.getMandate(); - if(mandate == null) { - throw new NoMandateDataAttributeException(); - } - Mandate mandateObject = MandateBuilder.buildMandate(mandate); - if(mandateObject == null) { - throw new NoMandateDataAttributeException(); - } - PhysicalPersonType physicalPerson = mandateObject.getMandator() - .getPhysicalPerson(); - if (physicalPerson == null) { - Logger.debug("No physicalPerson mandate"); - throw new NoMandateDataAttributeException(); - } - IdentificationType id = null; - id = physicalPerson.getIdentification().get(0); - if(id == null) { - Logger.info("Failed to generate IdentificationType"); - throw new NoMandateDataAttributeException(); - } - - return g.buildStringAttribute(MANDATE_NAT_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME, - MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME, id.getType()); - } + if (authData instanceof IMOAAuthData) { + if(((IMOAAuthData)authData).isUseMandate()) { + Element mandate = ((IMOAAuthData)authData).getMandate(); + if(mandate == null) { + throw new NoMandateDataAttributeException(); + } + Mandate mandateObject = MandateBuilder.buildMandate(mandate); + if(mandateObject == null) { + throw new NoMandateDataAttributeException(); + } + PhysicalPersonType physicalPerson = mandateObject.getMandator() + .getPhysicalPerson(); + if (physicalPerson == null) { + Logger.debug("No physicalPerson mandate"); + throw new NoMandateDataAttributeException(); + } + IdentificationType id = null; + id = physicalPerson.getIdentification().get(0); + if(id == null) { + Logger.info("Failed to generate IdentificationType"); + throw new NoMandateDataAttributeException(); + } + + return g.buildStringAttribute(MANDATE_NAT_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME, + MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME, id.getType()); + } + + } else + Logger.info(MANDATE_NAT_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME + " is only available in MOA-ID context"); + return null; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepDescAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepDescAttributeBuilder.java index d8804d395..3cd9ef3e2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepDescAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepDescAttributeBuilder.java @@ -31,8 +31,10 @@ import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; import at.gv.egovernment.moa.id.commons.api.data.IMISMandate; +import at.gv.egovernment.moa.id.data.IMOAAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; +import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; public class MandateProfRepDescAttributeBuilder implements IPVPAttributeBuilder { @@ -43,42 +45,47 @@ public class MandateProfRepDescAttributeBuilder implements IPVPAttributeBuilder public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeBuilderException { - if(authData.isUseMandate()) { - String profRepName = authData.getGenericData(MANDATE_PROF_REP_DESC_NAME, String.class); - - if (MiscUtil.isEmpty(profRepName)) { - IMISMandate misMandate = authData.getMISMandate(); - - if(misMandate == null) { - throw new NoMandateDataAttributeException(); - } - - profRepName = misMandate.getTextualDescriptionOfOID(); + if (authData instanceof IMOAAuthData) { + if(((IMOAAuthData)authData).isUseMandate()) { + String profRepName = authData.getGenericData(MANDATE_PROF_REP_DESC_NAME, String.class); - //only read textual prof. rep. OID describtion from mandate annotation - // if also OID exists - if (MiscUtil.isEmpty(profRepName) - && MiscUtil.isNotEmpty(misMandate.getProfRep())) { - Element mandate = authData.getMandate(); - if (mandate == null) { + if (MiscUtil.isEmpty(profRepName)) { + IMISMandate misMandate = ((IMOAAuthData)authData).getMISMandate(); + + if(misMandate == null) { throw new NoMandateDataAttributeException(); } - Mandate mandateObject = MandateBuilder.buildMandate(authData.getMandate()); - if (mandateObject == null) { - throw new NoMandateDataAttributeException(); - } - - profRepName = mandateObject.getAnnotation(); + profRepName = misMandate.getTextualDescriptionOfOID(); + + //only read textual prof. rep. OID describtion from mandate annotation + // if also OID exists + if (MiscUtil.isEmpty(profRepName) + && MiscUtil.isNotEmpty(misMandate.getProfRep())) { + Element mandate = ((IMOAAuthData)authData).getMandate(); + if (mandate == null) { + throw new NoMandateDataAttributeException(); + } + Mandate mandateObject = MandateBuilder.buildMandate(((IMOAAuthData)authData).getMandate()); + if (mandateObject == null) { + throw new NoMandateDataAttributeException(); + } + + profRepName = mandateObject.getAnnotation(); + + } } + + if(MiscUtil.isNotEmpty(profRepName)) + return g.buildStringAttribute(MANDATE_PROF_REP_DESC_FRIENDLY_NAME, + MANDATE_PROF_REP_DESC_NAME, profRepName); + } - if(MiscUtil.isNotEmpty(profRepName)) - return g.buildStringAttribute(MANDATE_PROF_REP_DESC_FRIENDLY_NAME, - MANDATE_PROF_REP_DESC_NAME, profRepName); - - } + } else + Logger.info(MANDATE_PROF_REP_DESC_FRIENDLY_NAME + " is only available in MOA-ID context"); + return null; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepOIDAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepOIDAttributeBuilder.java index 555f92fe0..6cdf64dc3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepOIDAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepOIDAttributeBuilder.java @@ -28,7 +28,9 @@ import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; import at.gv.egovernment.moa.id.commons.api.data.IMISMandate; +import at.gv.egovernment.moa.id.data.IMOAAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; +import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; public class MandateProfRepOIDAttributeBuilder implements IPVPAttributeBuilder { @@ -39,25 +41,30 @@ public class MandateProfRepOIDAttributeBuilder implements IPVPAttributeBuilder { public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeBuilderException { - if (authData.isUseMandate()) { - String profRepOID = authData.getGenericData(MANDATE_PROF_REP_OID_NAME, String.class); - - if (MiscUtil.isEmpty(profRepOID)) { - IMISMandate mandate = authData.getMISMandate(); - if (mandate == null) { - throw new NoMandateDataAttributeException(); + if (authData instanceof IMOAAuthData) { + if (((IMOAAuthData)authData).isUseMandate()) { + String profRepOID = authData.getGenericData(MANDATE_PROF_REP_OID_NAME, String.class); + + if (MiscUtil.isEmpty(profRepOID)) { + IMISMandate mandate = ((IMOAAuthData)authData).getMISMandate(); + if (mandate == null) { + throw new NoMandateDataAttributeException(); + } + + profRepOID = mandate.getProfRep(); + } - - profRepOID = mandate.getProfRep(); + + if(MiscUtil.isEmpty(profRepOID)) + return null; + else + return g.buildStringAttribute(MANDATE_PROF_REP_OID_FRIENDLY_NAME, MANDATE_PROF_REP_OID_NAME, profRepOID); } - - if(MiscUtil.isEmpty(profRepOID)) - return null; - else - return g.buildStringAttribute(MANDATE_PROF_REP_OID_FRIENDLY_NAME, MANDATE_PROF_REP_OID_NAME, profRepOID); - } + } else + Logger.info(MANDATE_PROF_REP_OID_FRIENDLY_NAME + " is only available in MOA-ID context"); + return null; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateReferenceValueAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateReferenceValueAttributeBuilder.java index 45cce5852..f609117a4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateReferenceValueAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateReferenceValueAttributeBuilder.java @@ -27,6 +27,8 @@ import at.gv.egiz.eaaf.core.api.idp.IAuthData; import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; +import at.gv.egovernment.moa.id.data.IMOAAuthData; +import at.gv.egovernment.moa.logging.Logger; public class MandateReferenceValueAttributeBuilder implements IPVPAttributeBuilder { @@ -36,11 +38,16 @@ public class MandateReferenceValueAttributeBuilder implements IPVPAttributeBuild public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeBuilderException { - if (authData.isUseMandate()) { + if (authData instanceof IMOAAuthData) { + if (((IMOAAuthData)authData).isUseMandate()) { + + return g.buildStringAttribute(MANDATE_REFERENCE_VALUE_FRIENDLY_NAME, MANDATE_REFERENCE_VALUE_NAME, + ((IMOAAuthData)authData).getMandateReferenceValue()); + } + + } else + Logger.info(MANDATE_REFERENCE_VALUE_FRIENDLY_NAME + " is only available in MOA-ID context"); - return g.buildStringAttribute(MANDATE_REFERENCE_VALUE_FRIENDLY_NAME, MANDATE_REFERENCE_VALUE_NAME, - authData.getMandateReferenceValue()); - } return null; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateTypeAttributeBuilder.java index 3bc7d5a2d..5471c5a13 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateTypeAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateTypeAttributeBuilder.java @@ -30,8 +30,10 @@ import at.gv.egiz.eaaf.core.api.idp.IAuthData; import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; +import at.gv.egovernment.moa.id.data.IMOAAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; +import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; public class MandateTypeAttributeBuilder implements IPVPAttributeBuilder { @@ -42,27 +44,32 @@ public class MandateTypeAttributeBuilder implements IPVPAttributeBuilder { public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeBuilderException { - if (authData.isUseMandate()) { - //get PVP attribute directly, if exists - String mandateType = authData.getGenericData(MANDATE_TYPE_NAME, String.class); - - if (MiscUtil.isEmpty(mandateType)) { - Element mandate = authData.getMandate(); - if (mandate == null) { - throw new NoMandateDataAttributeException(); + if (authData instanceof IMOAAuthData) { + if (((IMOAAuthData)authData).isUseMandate()) { + //get PVP attribute directly, if exists + String mandateType = authData.getGenericData(MANDATE_TYPE_NAME, String.class); + + if (MiscUtil.isEmpty(mandateType)) { + Element mandate = ((IMOAAuthData)authData).getMandate(); + if (mandate == null) { + throw new NoMandateDataAttributeException(); + + } + Mandate mandateObject = MandateBuilder.buildMandate(mandate); + if (mandateObject == null) { + throw new NoMandateDataAttributeException(); + + } + mandateType = mandateObject.getAnnotation(); } - Mandate mandateObject = MandateBuilder.buildMandate(mandate); - if (mandateObject == null) { - throw new NoMandateDataAttributeException(); - } - mandateType = mandateObject.getAnnotation(); - + return g.buildStringAttribute(MANDATE_TYPE_FRIENDLY_NAME, MANDATE_TYPE_NAME, mandateType); } - - return g.buildStringAttribute(MANDATE_TYPE_FRIENDLY_NAME, MANDATE_TYPE_NAME, mandateType); - } + + } else + Logger.info(MANDATE_TYPE_FRIENDLY_NAME + " is only available in MOA-ID context"); + return null; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateTypeOIDAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateTypeOIDAttributeBuilder.java index d5c89fc97..88f5bc2f7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateTypeOIDAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateTypeOIDAttributeBuilder.java @@ -27,6 +27,7 @@ import at.gv.egiz.eaaf.core.api.idp.IAuthData; import at.gv.egiz.eaaf.core.api.idp.IPVPAttributeBuilder; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; +import at.gv.egovernment.moa.id.data.IMOAAuthData; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -38,18 +39,23 @@ public class MandateTypeOIDAttributeBuilder implements IPVPAttributeBuilder { public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeBuilderException { - if (authData.isUseMandate()) { - //get PVP attribute directly, if exists - String mandateType = authData.getGenericData(MANDATE_TYPE_OID_NAME, String.class); - - if (MiscUtil.isEmpty(mandateType)) { - Logger.info("MIS Mandate does not include 'Mandate-Type OID'."); - return null; + if (authData instanceof IMOAAuthData) { + if (((IMOAAuthData)authData).isUseMandate()) { + //get PVP attribute directly, if exists + String mandateType = authData.getGenericData(MANDATE_TYPE_OID_NAME, String.class); + if (MiscUtil.isEmpty(mandateType)) { + Logger.info("MIS Mandate does not include 'Mandate-Type OID'."); + return null; + + } + + return g.buildStringAttribute(MANDATE_TYPE_OID_FRIENDLY_NAME, MANDATE_TYPE_OID_NAME, mandateType); } - - return g.buildStringAttribute(MANDATE_TYPE_OID_FRIENDLY_NAME, MANDATE_TYPE_OID_NAME, mandateType); - } + + } else + Logger.info(MANDATE_TYPE_OID_FRIENDLY_NAME + " is only available in MOA-ID context"); + return null; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java index cc48873af..c17f1a4dd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java @@ -37,36 +37,50 @@ import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AttributeQuery; import org.opensaml.saml2.core.Response; import org.opensaml.ws.message.encoder.MessageEncodingException; +import org.opensaml.ws.soap.common.SOAPException; +import org.opensaml.xml.XMLObject; import org.opensaml.xml.security.SecurityException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.ApplicationContext; import org.springframework.stereotype.Service; -import at.gv.egiz.eaaf.core.api.IAction; -import at.gv.egiz.eaaf.core.api.IOAAuthParameters; import at.gv.egiz.eaaf.core.api.IRequest; -import at.gv.egiz.eaaf.core.api.data.IAuthData; -import at.gv.egiz.eaaf.core.api.data.SLOInformationInterface; -import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder; +import at.gv.egiz.eaaf.core.api.idp.IAction; +import at.gv.egiz.eaaf.core.api.idp.IAuthData; +import at.gv.egiz.eaaf.core.api.idp.IAuthenticationDataBuilder; +import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface; +import at.gv.egiz.eaaf.core.exceptions.EAAFAuthenticationException; +import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; import at.gv.egovernment.moa.id.auth.builder.DynamicOAAuthParameterBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameterDecorator; +import at.gv.egovernment.moa.id.data.IMOAAuthData; import at.gv.egovernment.moa.id.data.Trible; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.SoapBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AuthResponseBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; /** * @author tlenz @@ -76,12 +90,15 @@ import at.gv.egovernment.moa.logging.Logger; public class AttributQueryAction implements IAction { @Autowired private IAuthenticationSessionStoreage authenticationSessionStorage; - @Autowired private AuthenticationDataBuilder authDataBuilder; + @Autowired private IAuthenticationDataBuilder authDataBuilder; @Autowired private IDPCredentialProvider pvpCredentials; @Autowired private AuthConfiguration authConfig; @Autowired(required=true) private MOAMetadataProvider metadataProvider; @Autowired(required=true) ApplicationContext springContext; + @Autowired private AttributQueryBuilder attributQueryBuilder; + @Autowired private SAMLVerificationEngineSP samlVerificationEngine; + private final static List<String> DEFAULTSTORKATTRIBUTES = Arrays.asList( new String[]{PVPConstants.EID_STORK_TOKEN_NAME}); @@ -109,14 +126,14 @@ public class AttributQueryAction implements IAction { try { //get Single Sign-On information for the Service-Provider // which sends the Attribute-Query request - AuthenticationSession moaSession = authenticationSessionStorage.getInternalSSOSession(pendingReq.getInternalSSOSessionIdentifier()); + AuthenticationSession moaSession = authenticationSessionStorage.getInternalSSOSession(pendingReq.getSSOSessionIdentifier()); if (moaSession == null) { - Logger.warn("No MOASession with ID:" + pendingReq.getInternalSSOSessionIdentifier() + " FOUND."); - throw new MOAIDException("auth.02", new Object[]{pendingReq.getInternalSSOSessionIdentifier()}); + Logger.warn("No MOASession with ID:" + pendingReq.getSSOSessionIdentifier() + " FOUND."); + throw new MOAIDException("auth.02", new Object[]{pendingReq.getSSOSessionIdentifier()}); } InterfederationSessionStore nextIDPInformation = - authenticationSessionStorage.searchInterfederatedIDPFORAttributeQueryWithSessionID(moaSession.getSessionID()); + authenticationSessionStorage.searchInterfederatedIDPFORAttributeQueryWithSessionID(moaSession.getSSOSessionID()); AttributeQuery attrQuery = (AttributeQuery)((MOARequest)((PVPTargetConfiguration) pendingReq).getRequest()).getSamlRequest(); @@ -157,9 +174,9 @@ public class AttributQueryAction implements IAction { throw new MOAIDException("pvp2.01", null, e); } catch (MOADatabaseException e) { - Logger.error("MOASession with SessionID=" + pendingReq.getInternalSSOSessionIdentifier() + Logger.error("MOASession with SessionID=" + pendingReq.getSSOSessionIdentifier() + " is not found in Database", e); - throw new MOAIDException("init.04", new Object[] { pendingReq.getInternalSSOSessionIdentifier() }); + throw new MOAIDException("init.04", new Object[] { pendingReq.getSSOSessionIdentifier() }); } @@ -195,7 +212,7 @@ public class AttributQueryAction implements IAction { ((PVPTargetConfiguration) pendingReq).getRequest() instanceof MOARequest && ((PVPTargetConfiguration) pendingReq).getRequest().getInboundMessage() instanceof AttributeQuery) { - authenticationSessionStorage.markOAWithAttributeQueryUsedFlag(session, pendingReq.getOAURL(), pendingReq.requestedModule()); + authenticationSessionStorage.markOAWithAttributeQueryUsedFlag(session, pendingReq.getSPEntityId(), pendingReq.requestedModule()); } //build OnlineApplication dynamic from requested attributes (AttributeQuerry Request) and configuration @@ -208,15 +225,18 @@ public class AttributQueryAction implements IAction { + " for authentication information."); //load configuration of next IDP - IOAAuthParameters idpLoaded = authConfig.getOnlineApplicationParameter(nextIDPInformation.getIdpurlprefix()); - if (idpLoaded == null || !(idpLoaded instanceof OAAuthParameter)) { + IOAAuthParameters idpLoaded = + authConfig.getServiceProviderConfiguration( + nextIDPInformation.getIdpurlprefix(), + OAAuthParameterDecorator.class); + if (idpLoaded == null || !(idpLoaded instanceof IOAAuthParameters)) { Logger.warn("Configuration for federated IDP:" + nextIDPInformation.getIdpurlprefix() + "is not loadable."); throw new MOAIDException("auth.32", new Object[]{nextIDPInformation.getIdpurlprefix()}); } - OAAuthParameter idp = (OAAuthParameter) idpLoaded; + IOAAuthParameters idp = idpLoaded; //check if next IDP config allows inbound messages if (!idp.isInboundSSOInterfederationAllowed()) { @@ -227,7 +247,7 @@ public class AttributQueryAction implements IAction { } //check next IDP service area policy. BusinessService IDPs can only request wbPKs - if (!spConfig.hasBaseIdTransferRestriction() && !idp.isIDPPublicService()) { + if (!spConfig.hasBaseIdTransferRestriction() && idp.hasBaseIdTransferRestriction()) { Logger.error("Interfederated IDP " + idp.getPublicURLPrefix() + " is a BusinessService-IDP but requests PublicService attributes."); throw new MOAIDException("auth.34", new Object[]{nextIDPInformation.getIdpurlprefix()}); @@ -239,7 +259,7 @@ public class AttributQueryAction implements IAction { * 'pendingReq.getAuthURL() + "/sp/federated/metadata"' is implemented in federated_authentication module * but used in moa-id-lib. This should be refactored!!! */ - AssertionAttributeExtractor extractor = authDataBuilder.getAuthDataFromAttributeQuery(reqAttributes, + AssertionAttributeExtractor extractor = getAuthDataFromAttributeQuery(reqAttributes, nextIDPInformation.getUserNameID(), idp, pendingReq.getAuthURL() + "/sp/federated/metadata"); //mark attribute request as used @@ -262,7 +282,7 @@ public class AttributQueryAction implements IAction { } else { Logger.debug("Build authData for AttributQuery from local MOASession."); - IAuthData authData = authDataBuilder.buildAuthenticationData(pendingReq, session, spConfig); + IAuthData authData = authDataBuilder.buildAuthenticationData(pendingReq); //add default attributes in case of mandates or STORK is in use List<String> attrList = addDefaultAttributes(reqAttributes, authData); @@ -270,12 +290,19 @@ public class AttributQueryAction implements IAction { //build Set of response attributes List<Attribute> respAttr = PVPAttributeBuilder.buildSetOfResponseAttributes(authData, attrList); - return Trible.newInstance(respAttr, authData.getSsoSessionValidTo(), authData.getQAALevel()); + return Trible.newInstance(respAttr, authData.getSsoSessionValidTo(), authData.getEIDASQAALevel()); } } catch (MOAIDException e) { throw e; + + } catch (EAAFAuthenticationException e) { + throw new MOAIDException(e.getErrorId(), e.getParams(), e); + + } catch (EAAFConfigurationException e) { + throw new MOAIDException(e.getErrorId(), e.getParams(), e); + } } @@ -307,7 +334,8 @@ public class AttributQueryAction implements IAction { } //add default mandate attributes if it is a authentication with mandates - if (authData.isUseMandate() && !reqAttributeNames.containsAll(DEFAULTMANDATEATTRIBUTES)) { + if (authData instanceof IMOAAuthData) + if (((IMOAAuthData)authData).isUseMandate() && !reqAttributeNames.containsAll(DEFAULTMANDATEATTRIBUTES)) { for (String el : DEFAULTMANDATEATTRIBUTES) { if (!reqAttributeNames.contains(el)) reqAttributeNames.add(el); @@ -317,4 +345,76 @@ public class AttributQueryAction implements IAction { return reqAttributeNames; } + /** + * Get PVP authentication attributes by using a SAML2 AttributeQuery + * + * @param reqQueryAttr List of PVP attributes which are requested + * @param userNameID SAML2 UserNameID of the user for which attributes are requested + * @param idpConfig Configuration of the IDP, which is requested + * @return + * @return PVP attribute DAO, which contains all received information + * @throws MOAIDException + */ + public AssertionAttributeExtractor getAuthDataFromAttributeQuery(List<Attribute> reqQueryAttr, + String userNameID, IOAAuthParameters idpConfig, String spEntityID) throws MOAIDException{ + String idpEnityID = idpConfig.getPublicURLPrefix(); + + try { + Logger.debug("Starting AttributeQuery process ..."); + //collect attributes by using BackChannel communication + String endpoint = idpConfig.getIDPAttributQueryServiceURL(); + if (MiscUtil.isEmpty(endpoint)) { + Logger.error("No AttributeQueryURL for interfederationIDP " + idpEnityID); + throw new ConfigurationException("config.26", new Object[]{idpEnityID}); + + } + + //build attributQuery request + AttributeQuery query = attributQueryBuilder.buildAttributQueryRequest(spEntityID, userNameID, endpoint, reqQueryAttr); + + //build SOAP request + List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query); + + if (xmlObjects.size() == 0) { + Logger.error("Receive emptry AttributeQuery response-body."); + throw new AttributQueryException("auth.27", + new Object[]{idpEnityID, "Receive emptry AttributeQuery response-body."}); + + } + + Response intfResp; + if (xmlObjects.get(0) instanceof Response) { + intfResp = (Response) xmlObjects.get(0); + + //validate PVP 2.1 response + try { + samlVerificationEngine.verifyIDPResponse(intfResp, + TrustEngineFactory.getSignatureKnownKeysTrustEngine( + metadataProvider)); + + //create assertion attribute extractor from AttributeQuery response + return new AssertionAttributeExtractor(intfResp); + + } catch (Exception e) { + Logger.warn("PVP 2.1 assertion validation FAILED.", e); + throw new AssertionValidationExeption("auth.27", + new Object[]{idpEnityID, e.getMessage()}, e); + } + + } else { + Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response"); + throw new AttributQueryException("auth.27", + new Object[]{idpEnityID, "Receive AttributeQuery response-body include no PVP 2.1 response"}); + + } + + } catch (SOAPException e) { + throw new BuildException("builder.06", null, e); + + } catch (SecurityException e) { + throw new BuildException("builder.06", null, e); + + } + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java index a8adc9ca0..43c860488 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java @@ -38,10 +38,10 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.ApplicationContext; import org.springframework.stereotype.Service; -import at.gv.egiz.eaaf.core.api.IAction; import at.gv.egiz.eaaf.core.api.IRequest; -import at.gv.egiz.eaaf.core.api.data.IAuthData; -import at.gv.egiz.eaaf.core.api.data.SLOInformationInterface; +import at.gv.egiz.eaaf.core.api.idp.IAction; +import at.gv.egiz.eaaf.core.api.idp.IAuthData; +import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.data.SLOInformationImpl; @@ -60,7 +60,7 @@ import at.gv.egovernment.moa.logging.Logger; @Service("PVPAuthenticationRequestAction") public class AuthenticationAction implements IAction { - @Autowired IDPCredentialProvider pvpCredentials; + @Autowired IDPCredentialProvider pvpCredentials; @Autowired AuthConfiguration authConfig; @Autowired(required=true) private MOAMetadataProvider metadataProvider; @Autowired(required=true) ApplicationContext springContext; @@ -123,7 +123,7 @@ public class AuthenticationAction implements IAction { //set protocol type sloInformation.setProtocolType(req.requestedModule()); - sloInformation.setSpEntityID(req.getOnlineApplicationConfiguration().getPublicURLPrefix()); + sloInformation.setSpEntityID(req.getServiceProviderConfiguration().getUniqueIdentifier()); return sloInformation; } catch (MessageEncodingException e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index baaf8b681..76956b5a8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -30,10 +30,10 @@ import org.springframework.stereotype.Service; import com.google.common.net.MediaType; -import at.gv.egiz.eaaf.core.api.IAction; import at.gv.egiz.eaaf.core.api.IRequest; -import at.gv.egiz.eaaf.core.api.data.IAuthData; -import at.gv.egiz.eaaf.core.api.data.SLOInformationInterface; +import at.gv.egiz.eaaf.core.api.idp.IAction; +import at.gv.egiz.eaaf.core.api.idp.IAuthData; +import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface; import at.gv.egiz.eaaf.core.api.logging.IRevisionLogger; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; @@ -48,7 +48,7 @@ public class MetadataAction implements IAction { - @Autowired private IRevisionLogger revisionsLogger; + @Autowired private IRevisionLogger revisionsLogger; @Autowired private IDPCredentialProvider credentialProvider; @Autowired private PVPMetadataBuilder metadatabuilder; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 038e384f3..591aaa7cc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -22,6 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x; +import java.net.MalformedURLException; +import java.net.URL; import java.util.Arrays; import java.util.List; @@ -57,14 +59,15 @@ import org.springframework.web.bind.annotation.RequestMethod; import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.idp.IModulInfo; +import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; import at.gv.egiz.eaaf.core.exceptions.NoPassivAuthenticationException; import at.gv.egiz.eaaf.core.exceptions.ProtocolNotActiveException; import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractAuthProtocolModulController; import at.gv.egiz.eaaf.core.impl.utils.HTTPUtils; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; -import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityLogAdapter; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; @@ -80,7 +83,6 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.MandateAttributesNotHandleAbleException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; @@ -90,16 +92,14 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.CheckMandateAttributes; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.id.protocols.pvp2x.validation.AuthnRequestValidator; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; -import at.gv.egovernment.moa.id.util.ErrorResponseUtils; -import at.gv.egovernment.moa.id.util.ParamValidatorUtils; +import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; - + @Controller public class PVP2XProtocol extends AbstractAuthProtocolModulController implements IModulInfo { @@ -107,6 +107,8 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement @Autowired SAMLVerificationEngineSP samlVerificationEngine; @Autowired(required=true) private MOAMetadataProvider metadataProvider; + @Autowired protected IAuthenticationSessionStoreage authenticatedSessionStorage; + public static final String NAME = PVP2XProtocol.class.getName(); public static final String PATH = "id_pvp2x"; @@ -137,16 +139,17 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement public PVP2XProtocol() { super(); - } + } //PVP2.x metadata end-point @RequestMapping(value = "/pvp2/metadata", method = {RequestMethod.POST, RequestMethod.GET}) - public void PVPMetadataRequest(HttpServletRequest req, HttpServletResponse resp) throws MOAIDException { - if (!authConfig.getAllowedProtocols().isPVP21Active()) { - Logger.info("PVP2.1 is deaktivated!"); - throw new ProtocolNotActiveException("auth.22", new java.lang.Object[] { NAME }); - - } + public void PVPMetadataRequest(HttpServletRequest req, HttpServletResponse resp) throws EAAFException { +// if (!authConfig.getAllowedProtocols().isPVP21Active()) { +// Logger.info("PVP2.1 is deaktivated!"); +// throw new ProtocolNotActiveException("auth.22", new java.lang.Object[] { NAME }, "PVP2.1 is deaktivated!"); +// +// } + //create pendingRequest object PVPTargetConfiguration pendingReq = applicationContext.getBean(PVPTargetConfiguration.class); pendingReq.initialize(req); @@ -166,12 +169,12 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement //PVP2.x IDP POST-Binding end-point @RequestMapping(value = "/pvp2/post", method = {RequestMethod.POST}) - public void PVPIDPPostRequest(HttpServletRequest req, HttpServletResponse resp) throws MOAIDException { - if (!authConfig.getAllowedProtocols().isPVP21Active()) { - Logger.info("PVP2.1 is deaktivated!"); - throw new ProtocolNotActiveException("auth.22", new java.lang.Object[] { NAME }); - - } + public void PVPIDPPostRequest(HttpServletRequest req, HttpServletResponse resp) throws EAAFException { +// if (!authConfig.getAllowedProtocols().isPVP21Active()) { +// Logger.info("PVP2.1 is deaktivated!"); +// throw new ProtocolNotActiveException("auth.22", new java.lang.Object[] { NAME }, "PVP2.1 is deaktivated!"); +// +// } PVPTargetConfiguration pendingReq = null; @@ -206,7 +209,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement if (pendingReq != null) revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier()); - throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}, e.getMessage()); } catch (SecurityException e) { String samlRequest = req.getParameter("SAMLRequest"); @@ -216,7 +219,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement if (pendingReq != null) revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier()); - throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}); + throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}, e.getMessage()); } catch (MOAIDException e) { @@ -240,10 +243,10 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement //PVP2.x IDP Redirect-Binding end-point @RequestMapping(value = "/pvp2/redirect", method = {RequestMethod.GET}) - public void PVPIDPRedirecttRequest(HttpServletRequest req, HttpServletResponse resp) throws MOAIDException { + public void PVPIDPRedirecttRequest(HttpServletRequest req, HttpServletResponse resp) throws EAAFException { if (!AuthConfigurationProviderFactory.getInstance().getAllowedProtocols().isPVP21Active()) { Logger.info("PVP2.1 is deaktivated!"); - throw new ProtocolNotActiveException("auth.22", new java.lang.Object[] { NAME }); + throw new ProtocolNotActiveException("auth.22", new java.lang.Object[] { NAME }, "PVP2.1 is deaktivated!"); } PVPTargetConfiguration pendingReq = null; @@ -278,7 +281,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement if (pendingReq != null) revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier()); - throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}, e.getMessage()); } catch (SecurityException e) { String samlRequest = req.getParameter("SAMLRequest"); @@ -288,7 +291,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement if (pendingReq != null) revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier()); - throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}); + throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}, e.getMessage()); } catch (MOAIDException e) { String samlRequest = req.getParameter("SAMLRequest"); @@ -315,12 +318,12 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement //PVP2.x IDP SOAP-Binding end-point @RequestMapping(value = "/pvp2/soap", method = {RequestMethod.POST}) - public void PVPIDPSOAPRequest(HttpServletRequest req, HttpServletResponse resp) throws MOAIDException { - if (!authConfig.getAllowedProtocols().isPVP21Active()) { - Logger.info("PVP2.1 is deaktivated!"); - throw new ProtocolNotActiveException("auth.22", new java.lang.Object[] { NAME }); - - } + public void PVPIDPSOAPRequest(HttpServletRequest req, HttpServletResponse resp) throws EAAFException { +// if (!authConfig.getAllowedProtocols().isPVP21Active()) { +// Logger.info("PVP2.1 is deaktivated!"); +// throw new ProtocolNotActiveException("auth.22", new java.lang.Object[] { NAME }, "PVP2.1 is deaktivated!"); +// +// } PVPTargetConfiguration pendingReq = null; try { @@ -354,7 +357,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement if (pendingReq != null) revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier()); - throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}, e.getMessage()); } catch (SecurityException e) { String samlRequest = req.getParameter("SAMLRequest"); @@ -364,7 +367,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement if (pendingReq != null) revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.TRANSACTION_ERROR, pendingReq.getUniqueTransactionIdentifier()); - throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}); + throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}, e.getMessage()); } catch (MOAIDException e) { //write revision log entries @@ -393,7 +396,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement InboundMessage msg = pendingReq.getRequest(); if (MiscUtil.isEmpty(msg.getEntityID())) { - throw new InvalidProtocolRequestException("pvp2.20", new Object[] {}); + throw new InvalidProtocolRequestException("pvp2.20", new Object[] {}, "EntityId is null or empty"); } @@ -425,8 +428,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement throw new MOAIDException("Unsupported PVP21 message", new Object[] {}); } - revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), - pendingReq, MOAIDEventConstants.AUTHPROTOCOL_TYPE, PATH); + revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_TYPE, PATH); //switch to session authentication performAuthentication(request, response, pendingReq); @@ -451,7 +453,6 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class); StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class); - ErrorResponseUtils errorUtils = ErrorResponseUtils.getInstance(); String moaError = null; if(e instanceof NoPassivAuthenticationException) { @@ -473,12 +474,12 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement if(statusMessageValue != null) { statusMessage.setMessage(StringEscapeUtils.escapeXml(statusMessageValue)); } - moaError = errorUtils.mapInternalErrorToExternalError(ex.getMessageId()); + moaError = statusMessager.mapInternalErrorToExternalError(ex.getMessageId()); } else { statusCode.setValue(StatusCode.RESPONDER_URI); statusMessage.setMessage(StringEscapeUtils.escapeXml(e.getLocalizedMessage())); - moaError = errorUtils.getResponseErrorCode(e); + moaError = statusMessager.getResponseErrorCode(e); } @@ -544,10 +545,11 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement * @param response * @param msg * @return + * @throws EAAFException * @throws MOAIDException */ private void preProcessLogOut(HttpServletRequest request, - HttpServletResponse response, PVPTargetConfiguration pendingReq) throws MOAIDException { + HttpServletResponse response, PVPTargetConfiguration pendingReq) throws EAAFException { InboundMessage inMsg = pendingReq.getRequest(); MOARequest msg; @@ -564,11 +566,11 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement String oaURL = metadata.getEntityID(); oaURL = StringEscapeUtils.escapeHtml(oaURL); - IOAAuthParameters oa = authConfig.getOnlineApplicationParameter(oaURL); + ISPConfiguration oa = authConfig.getServiceProviderConfiguration(oaURL); Logger.info("Dispatch PVP2 SingleLogOut: OAURL=" + oaURL + " Binding=" + msg.getRequestBinding()); - pendingReq.setOAURL(oaURL); + pendingReq.setSPEntityId(oaURL); pendingReq.setOnlineApplicationConfiguration(oa); pendingReq.setBinding(msg.getRequestBinding()); @@ -584,17 +586,25 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement Logger.debug("PreProcess SLO Response from " + resp.getIssuer()); - List<String> allowedPublicURLPrefix = - AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); - boolean isAllowedDestination = false; +// List<String> allowedPublicURLPrefix = authConfig.getIDPPublicURLPrefixes(); +// AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); - for (String prefix : allowedPublicURLPrefix) { - if (resp.getDestination().startsWith( - prefix)) { - isAllowedDestination = true; - break; - } + boolean isAllowedDestination = false; + try { + isAllowedDestination = MiscUtil.isNotEmpty(authConfig.validateIDPURL(new URL(resp.getDestination()))); + + } catch (MalformedURLException e) { + Logger.info(resp.getDestination() + " is NOT valid. Reason: " + e.getMessage()); + } + +// for (String prefix : allowedPublicURLPrefix) { +// if (resp.getDestination().startsWith( +// prefix)) { +// isAllowedDestination = true; +// break; +// } +// } if (!isAllowedDestination) { Logger.warn("PVP 2.1 single logout response destination does not match to IDP URL"); @@ -607,7 +617,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement } else - throw new MOAIDException("Unsupported request", new Object[] {}); + throw new EAAFException("Unsupported request"); pendingReq.setRequest(inMsg); @@ -641,13 +651,8 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement } - //check if Issuer is an interfederation IDP - // check parameter - if (!ParamValidatorUtils.isValidOA(moaRequest.getEntityID())) - throw new WrongParametersException("StartAuthentication", - PARAM_OA, "auth.12"); - - IOAAuthParameters oa = authConfig.getOnlineApplicationParameter(moaRequest.getEntityID()); + //check if Issuer is an interfederation IDP + IOAAuthParameters oa = authConfig.getServiceProviderConfiguration(moaRequest.getEntityID(), IOAAuthParameters.class); if (!oa.isInderfederationIDP()) { Logger.warn("AttributeQuery requests are only allowed for interfederation IDPs."); throw new AttributQueryException("AttributeQuery requests are only allowed for interfederation IDPs.", null); @@ -671,7 +676,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement //set preProcessed information into pending-request pendingReq.setRequest(moaRequest); - pendingReq.setOAURL(moaRequest.getEntityID()); + pendingReq.setSPEntityId(moaRequest.getEntityID()); pendingReq.setOnlineApplicationConfiguration(oa); pendingReq.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI); @@ -682,7 +687,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement pendingReq.setAction(AttributQueryAction.class.getName()); //add moasession - pendingReq.setInternalSSOSessionIdentifier(session.getSessionID()); + pendingReq.setSSOSessionIdentifier(session.getSSOSessionID()); //write revisionslog entry revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_ATTRIBUTQUERY); @@ -717,13 +722,15 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement if (authnRequest.getIssueInstant() == null) { Logger.warn("Unsupported request: No IssueInstant Attribute found."); - throw new AuthnRequestValidatorException("Unsupported request: No IssueInstant Attribute found.", new Object[] {}); + throw new AuthnRequestValidatorException("Unsupported request: No IssueInstant Attribute found.", new Object[] {}, + "Unsupported request: No IssueInstant Attribute found", pendingReq); } if (authnRequest.getIssueInstant().minusMinutes(MOAIDAuthConstants.TIME_JITTER).isAfterNow()) { Logger.warn("Unsupported request: No IssueInstant DateTime is not valid anymore."); - throw new AuthnRequestValidatorException("Unsupported request: No IssueInstant DateTime is not valid anymore.", new Object[] {}); + throw new AuthnRequestValidatorException("Unsupported request: No IssueInstant DateTime is not valid anymore.", new Object[] {}, + "Unsupported request: No IssueInstant DateTime is not valid anymore.", pendingReq); } @@ -790,22 +797,22 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController implement AuthnRequestImpl authReq = (AuthnRequestImpl) samlReq; AuthnRequestValidator.validate(authReq); - String useMandate = request.getParameter(PARAM_USEMANDATE); - if(useMandate != null) { - if(useMandate.equals("true") && attributeConsumer != null) { - if(!CheckMandateAttributes.canHandleMandate(attributeConsumer)) { - throw new MandateAttributesNotHandleAbleException(); - } - } - } +// String useMandate = request.getParameter(PARAM_USEMANDATE); +// if(useMandate != null) { +// if(useMandate.equals("true") && attributeConsumer != null) { +// if(!CheckMandateAttributes.canHandleMandate(attributeConsumer)) { +// throw new MandateAttributesNotHandleAbleException(); +// } +// } +// } String oaURL = moaRequest.getEntityMetadata(metadataProvider).getEntityID(); oaURL = StringEscapeUtils.escapeHtml(oaURL); - IOAAuthParameters oa = authConfig.getOnlineApplicationParameter(oaURL); + ISPConfiguration oa = authConfig.getServiceProviderConfiguration(oaURL); Logger.info("Dispatch PVP2 AuthnRequest: OAURL=" + oaURL + " Binding=" + consumerService.getBinding()); - pendingReq.setOAURL(oaURL); + pendingReq.setSPEntityId(oaURL); pendingReq.setOnlineApplicationConfiguration(oa); pendingReq.setBinding(consumerService.getBinding()); pendingReq.setRequest(moaRequest); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPAssertionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPAssertionStorage.java index 46e5b83f6..67cbafe90 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPAssertionStorage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPAssertionStorage.java @@ -29,7 +29,7 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage; -import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.StoredAssertion; @Service("PVPAssertionStorage") @@ -47,11 +47,11 @@ public class PVPAssertionStorage implements SAMLArtifactMap { relyingPartyId, issuerId, samlMessage); - - try { + + try { transactionStorage.put(artifact, assertion, -1); - } catch (MOADatabaseException e) { + } catch (EAAFException e) { // TODO Insert Error Handling, if Assertion could not be stored throw new MarshallingException("Assertion are not stored in Database.",e); } @@ -61,7 +61,7 @@ public class PVPAssertionStorage implements SAMLArtifactMap { try { return transactionStorage.get(artifact, SAMLArtifactMapEntry.class); - } catch (MOADatabaseException e) { + } catch (EAAFException e) { // TODO Insert Error Handling, if Assertion could not be read e.printStackTrace(); return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java index 060a5fcc2..95a2d8715 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java @@ -22,31 +22,24 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x; -import java.util.Collection; -import java.util.HashMap; -import java.util.List; -import java.util.Map; +import javax.servlet.http.HttpServletRequest; -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.saml2.core.impl.AuthnRequestImpl; -import org.opensaml.saml2.metadata.AttributeConsumingService; -import org.opensaml.saml2.metadata.RequestedAttribute; -import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.saml2.metadata.provider.MetadataProvider; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.config.BeanDefinition; import org.springframework.context.annotation.Scope; import org.springframework.stereotype.Component; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; -import at.gv.egovernment.moa.logging.Logger; @Component("PVPTargetConfiguration") @Scope(value = BeanDefinition.SCOPE_PROTOTYPE) public class PVPTargetConfiguration extends RequestImpl { + @Autowired(required=true) IConfiguration authConfig; + public static final String DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP = "useMinimalFrontChannelResponse"; public static final String DATAID_INTERFEDERATION_NAMEID = "federatedNameID"; public static final String DATAID_INTERFEDERATION_QAALEVEL = "federatedQAALevel"; @@ -55,10 +48,17 @@ public class PVPTargetConfiguration extends RequestImpl { private static final long serialVersionUID = 4889919265919638188L; + + InboundMessage request; String binding; String consumerURL; + public void initialize(HttpServletRequest req) throws EAAFException { + super.initialize(req, authConfig); + + } + public InboundMessage getRequest() { return request; } @@ -84,61 +84,61 @@ public class PVPTargetConfiguration extends RequestImpl { } - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes() - */ - @Override - public Collection<String> getRequestedAttributes(MetadataProvider metadataProvider) { - - Map<String, String> reqAttr = new HashMap<String, String>(); - for (String el : PVP2XProtocol.DEFAULTREQUESTEDATTRFORINTERFEDERATION) - reqAttr.put(el, ""); - - try { - SPSSODescriptor spSSODescriptor = getRequest().getEntityMetadata(metadataProvider).getSPSSODescriptor(SAMLConstants.SAML20P_NS); - if (spSSODescriptor.getAttributeConsumingServices() != null && - spSSODescriptor.getAttributeConsumingServices().size() > 0) { - - Integer aIdx = null; - if (getRequest() instanceof MOARequest && - ((MOARequest)getRequest()).getSamlRequest() instanceof AuthnRequestImpl) { - AuthnRequestImpl authnRequest = (AuthnRequestImpl)((MOARequest)getRequest()).getSamlRequest(); - aIdx = authnRequest.getAttributeConsumingServiceIndex(); - - } else { - Logger.error("MOARequest is NOT of type AuthnRequest"); - } - - int idx = 0; - - AttributeConsumingService attributeConsumingService = null; - - if (aIdx != null) { - idx = aIdx.intValue(); - attributeConsumingService = spSSODescriptor - .getAttributeConsumingServices().get(idx); - - } else { - List<AttributeConsumingService> attrConsumingServiceList = spSSODescriptor.getAttributeConsumingServices(); - for (AttributeConsumingService el : attrConsumingServiceList) { - if (el.isDefault()) - attributeConsumingService = el; - } - } - - for ( RequestedAttribute attr : attributeConsumingService.getRequestAttributes()) - reqAttr.put(attr.getName(), ""); - } - - //return attributQueryBuilder.buildSAML2AttributeList(this.getOnlineApplicationConfiguration(), reqAttr.keySet().iterator()); - return reqAttr.keySet(); - - } catch (NoMetadataInformationException e) { - Logger.warn("NO metadata found for Entity " + getRequest().getEntityID()); - return null; - - } - - } +// /* (non-Javadoc) +// * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes() +// */ +// @Override +// public Collection<String> getRequestedAttributes(MetadataProvider metadataProvider) { +// +// Map<String, String> reqAttr = new HashMap<String, String>(); +// for (String el : PVP2XProtocol.DEFAULTREQUESTEDATTRFORINTERFEDERATION) +// reqAttr.put(el, ""); +// +// try { +// SPSSODescriptor spSSODescriptor = getRequest().getEntityMetadata(metadataProvider).getSPSSODescriptor(SAMLConstants.SAML20P_NS); +// if (spSSODescriptor.getAttributeConsumingServices() != null && +// spSSODescriptor.getAttributeConsumingServices().size() > 0) { +// +// Integer aIdx = null; +// if (getRequest() instanceof MOARequest && +// ((MOARequest)getRequest()).getSamlRequest() instanceof AuthnRequestImpl) { +// AuthnRequestImpl authnRequest = (AuthnRequestImpl)((MOARequest)getRequest()).getSamlRequest(); +// aIdx = authnRequest.getAttributeConsumingServiceIndex(); +// +// } else { +// Logger.error("MOARequest is NOT of type AuthnRequest"); +// } +// +// int idx = 0; +// +// AttributeConsumingService attributeConsumingService = null; +// +// if (aIdx != null) { +// idx = aIdx.intValue(); +// attributeConsumingService = spSSODescriptor +// .getAttributeConsumingServices().get(idx); +// +// } else { +// List<AttributeConsumingService> attrConsumingServiceList = spSSODescriptor.getAttributeConsumingServices(); +// for (AttributeConsumingService el : attrConsumingServiceList) { +// if (el.isDefault()) +// attributeConsumingService = el; +// } +// } +// +// for ( RequestedAttribute attr : attributeConsumingService.getRequestAttributes()) +// reqAttr.put(attr.getName(), ""); +// } +// +// //return attributQueryBuilder.buildSAML2AttributeList(this.getOnlineApplicationConfiguration(), reqAttr.keySet().iterator()); +// return reqAttr.keySet(); +// +// } catch (NoMetadataInformationException e) { +// Logger.warn("NO metadata found for Entity " + getRequest().getEntityID()); +// return null; +// +// } +// +// } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java index 2d8d0f66f..6b945d692 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java @@ -35,20 +35,20 @@ import org.opensaml.saml2.metadata.SingleLogoutService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; -import at.gv.egiz.eaaf.core.api.IAction; import at.gv.egiz.eaaf.core.api.IRequest; -import at.gv.egiz.eaaf.core.api.data.IAuthData; -import at.gv.egiz.eaaf.core.api.data.ISLOInformationContainer; -import at.gv.egiz.eaaf.core.api.data.SLOInformationInterface; +import at.gv.egiz.eaaf.core.api.idp.IAction; +import at.gv.egiz.eaaf.core.api.idp.IAuthData; +import at.gv.egiz.eaaf.core.api.idp.auth.IAuthenticationManager; +import at.gv.egiz.eaaf.core.api.idp.slo.ISLOInformationContainer; +import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface; import at.gv.egiz.eaaf.core.api.logging.IRevisionLogger; import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage; -import at.gv.egiz.eaaf.core.impl.idp.auth.AuthenticationManager; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.impl.utils.Random; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; -import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.db.dao.session.AssertionStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; @@ -71,7 +71,7 @@ import at.gv.egovernment.moa.util.URLEncoder; public class SingleLogOutAction implements IAction { @Autowired private SSOManager ssomanager; - @Autowired private AuthenticationManager authManager; + @Autowired private IAuthenticationManager authManager; @Autowired private IAuthenticationSessionStoreage authenticationSessionStorage; @Autowired private ITransactionStorage transactionStorage; @Autowired private SingleLogOutBuilder sloBuilder; @@ -84,7 +84,7 @@ public class SingleLogOutAction implements IAction { @Override public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, - IAuthData authData) throws MOAIDException { + IAuthData authData) throws EAAFException { PVPTargetConfiguration pvpReq = (PVPTargetConfiguration) req; @@ -94,12 +94,12 @@ public class SingleLogOutAction implements IAction { MOARequest samlReq = (MOARequest) pvpReq.getRequest(); LogoutRequest logOutReq = (LogoutRequest) samlReq.getSamlRequest(); - IAuthenticationSession session = - authenticationSessionStorage.searchMOASessionWithNameIDandOAID( + String ssoSessionId = + authenticationSessionStorage.searchSSOSessionWithNameIDandOAID( logOutReq.getIssuer().getValue(), logOutReq.getNameID().getValue()); - if (session == null) { + if (MiscUtil.isEmpty(ssoSessionId)) { Logger.warn("Can not find active SSO session with nameID " + logOutReq.getNameID().getValue() + " and OA " + logOutReq.getIssuer().getValue()); @@ -116,10 +116,10 @@ public class SingleLogOutAction implements IAction { } else { try { - session = ssomanager.getInternalMOASession(ssoID); + ssoSessionId = authenticationSessionStorage.getInternalSSOSessionWithSSOID(ssoID); - if (session == null) - throw new MOADatabaseException(); + if (MiscUtil.isEmpty(ssoSessionId)) + throw new MOADatabaseException(""); } catch (MOADatabaseException e) { Logger.info("Can not find active Session. Single LogOut not possible!"); @@ -134,8 +134,13 @@ public class SingleLogOutAction implements IAction { } } - authManager.performSingleLogOut(httpReq, httpResp, session, pvpReq); - + pvpReq.setSSOSessionIdentifier(ssoSessionId); + ISLOInformationContainer sloInformationContainer + = authManager.performSingleLogOut(httpReq, httpResp, pvpReq, ssoSessionId); + + Logger.debug("Starting technical SLO process ... "); + sloBuilder.toTechnicalLogout(sloInformationContainer, httpReq, httpResp, null); + } else if (pvpReq.getRequest() instanceof MOAResponse && ((MOAResponse)pvpReq.getRequest()).getResponse() instanceof LogoutResponse) { Logger.debug("Process Single LogOut response"); @@ -178,7 +183,7 @@ public class SingleLogOutAction implements IAction { // AssertionStore element = (AssertionStore) result.get(0); // Object data = SerializationUtils.deserialize(element.getAssertion()); Logger.debug("Current Thread getAssertionStore: "+Thread.currentThread().getId()); - Object o = transactionStorage.getAssertionStore(relayState); + Object o = transactionStorage.getRaw(relayState); if(o==null){ Logger.trace("No entries found."); throw new MOADatabaseException("No sessioninformation found with this ID"); @@ -202,12 +207,12 @@ public class SingleLogOutAction implements IAction { // session.saveOrUpdate(element); // tx.commit(); Logger.debug("Current Thread putAssertionStore: "+Thread.currentThread().getId()); - transactionStorage.putAssertionStore(element); + transactionStorage.putRaw(element.getArtifact(), element); //sloContainer could be stored to database storageSuccess = true; - } catch(MOADatabaseException e) { + } catch(EAAFException e) { //tx.rollback(); counter++; @@ -230,11 +235,12 @@ public class SingleLogOutAction implements IAction { storageSuccess = true; String redirectURL = null; - if (sloContainer.getSloRequest() != null) { - //send SLO response to SLO request issuer - SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor(sloContainer.getSloRequest()); - LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, sloContainer.getSloRequest(), sloContainer.getSloFailedOAs()); - redirectURL = sloBuilder.getFrontChannelSLOMessageURL(sloService, message, httpReq, httpResp, sloContainer.getSloRequest().getRequest().getRelayState()); + IRequest sloReq = sloContainer.getSloRequest(); + if (sloReq != null && sloReq instanceof PVPTargetConfiguration) { + //send SLO response to SLO request issuer + SingleLogoutService sloService = sloBuilder.getResponseSLODescriptor((PVPTargetConfiguration)sloReq); + LogoutResponse message = sloBuilder.buildSLOResponseMessage(sloService, (PVPTargetConfiguration)sloReq, sloContainer.getSloFailedOAs()); + redirectURL = sloBuilder.getFrontChannelSLOMessageURL(sloService, message, httpReq, httpResp, ((PVPTargetConfiguration)sloReq).getRequest().getRelayState()); } else { //print SLO information directly @@ -276,7 +282,7 @@ public class SingleLogOutAction implements IAction { } } } - } catch (MOADatabaseException e) { + } catch (EAAFException e) { Logger.error("MOA AssertionDatabase ERROR", e); throw new SLOException("pvp2.19", null); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java index c662a0af5..f3af12a2c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java @@ -49,11 +49,10 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import org.w3c.dom.Document; -import at.gv.egiz.eaaf.core.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.SamlAttributeGenerator; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java index 6beaee92b..07da57d2a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java @@ -32,15 +32,15 @@ import java.util.ServiceLoader; import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.metadata.RequestedAttribute; -import at.gv.egiz.eaaf.core.api.IOAAuthParameters; -import at.gv.egiz.eaaf.core.api.data.IAuthData; +import at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder; +import at.gv.egiz.eaaf.core.api.idp.IAttributeGenerator; +import at.gv.egiz.eaaf.core.api.idp.IAuthData; +import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; +import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; import at.gv.egiz.eaaf.core.exceptions.InvalidDateFormatAttributeException; -import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder; -import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator; +import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.SamlAttributeGenerator; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidDateFormatException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; @@ -97,13 +97,13 @@ public class PVPAttributeBuilder { } - public static Attribute buildAttribute(String name, IOAAuthParameters oaParam, - IAuthData authData) throws PVP2Exception, AttributeException { + public static Attribute buildAttribute(String name, ISPConfiguration oaParam, + IAuthData authData) throws PVP2Exception, AttributeBuilderException { if (builders.containsKey(name)) { try { return builders.get(name).build(oaParam, authData, generator); } - catch (AttributeException e) { + catch (AttributeBuilderException e) { if (e instanceof UnavailableAttributeException) { throw e; } else if (e instanceof InvalidDateFormatAttributeException) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java index be8c2abdf..a55e873b5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java @@ -95,7 +95,7 @@ public class PVPAuthnRequestBuilder { // use POST binding as default if it exists if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) { - endpoint = sss; + endpoint = sss; } else if ( sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI) && endpoint == null ) @@ -215,7 +215,7 @@ public class PVPAuthnRequestBuilder { //encode message binding.encodeRequest(null, httpResp, authReq, - endpoint.getLocation(), pendingReq.getRequestID(), config.getAuthnRequestSigningCredential(), pendingReq); + endpoint.getLocation(), pendingReq.getPendingRequestId(), config.getAuthnRequestSigningCredential(), pendingReq); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java index d11d57ab8..a1d7f5d3a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java @@ -23,8 +23,12 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder; import java.security.NoSuchAlgorithmException; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Iterator; import java.util.LinkedHashMap; import java.util.List; +import java.util.Map.Entry; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -52,6 +56,8 @@ import org.opensaml.saml2.metadata.SingleLogoutService; import org.opensaml.saml2.metadata.impl.SingleLogoutServiceBuilder; import org.opensaml.saml2.metadata.provider.MetadataProviderException; import org.opensaml.ws.message.encoder.MessageEncodingException; +import org.opensaml.ws.soap.common.SOAPException; +import org.opensaml.xml.XMLObject; import org.opensaml.xml.io.Marshaller; import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.x509.X509Credential; @@ -63,12 +69,23 @@ import org.springframework.context.ApplicationContext; import org.springframework.stereotype.Service; import org.w3c.dom.Document; -import at.gv.egiz.eaaf.core.api.data.ISLOInformationContainer; +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.gui.IGUIFormBuilder; +import at.gv.egiz.eaaf.core.api.idp.slo.ISLOInformationContainer; +import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface; +import at.gv.egiz.eaaf.core.api.logging.IRevisionLogger; +import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage; +import at.gv.egiz.eaaf.core.exceptions.GUIBuildException; +import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; +import at.gv.egiz.eaaf.core.impl.utils.Random; +import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; +import at.gv.egovernment.moa.id.auth.frontend.builder.DefaultGUIFormBuilderConfiguration; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider; import at.gv.egovernment.moa.id.data.SLOInformationContainer; import at.gv.egovernment.moa.id.data.SLOInformationImpl; @@ -85,8 +102,12 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformation import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; /** * @author tlenz @@ -98,6 +119,181 @@ public class SingleLogOutBuilder { @Autowired(required=true) private MOAMetadataProvider metadataProvider; @Autowired(required=true) ApplicationContext springContext; @Autowired private IDPCredentialProvider credentialProvider; + @Autowired private SAMLVerificationEngineSP samlVerificationEngine; + @Autowired private IGUIFormBuilder guiBuilder; + @Autowired(required=true) protected IRevisionLogger revisionsLogger; + @Autowired private ITransactionStorage transactionStorage; + + public static final int SLOTIMEOUT = 30 * 1000; //30 sec + + public void toTechnicalLogout(ISLOInformationContainer sloContainer, + HttpServletRequest httpReq, HttpServletResponse httpResp, String authUrl) throws MOAIDException { + Logger.trace("Starting Service-Provider logout process ... "); + revisionsLogger.logEvent(sloContainer.getSessionID(), sloContainer.getTransactionID(), MOAIDEventConstants.AUTHPROCESS_SLO_STARTED); + + //start service provider back channel logout process + Iterator<String> nextOAInterator = sloContainer.getNextBackChannelOA(); + while (nextOAInterator.hasNext()) { + SLOInformationInterface sloDescr = sloContainer.getBackChannelOASessionDescripten(nextOAInterator.next()); + LogoutRequest sloReq = buildSLORequestMessage(sloDescr); + + try { + Logger.trace("Send backchannel SLO Request to " + sloDescr.getSpEntityID()); + List<XMLObject> soapResp = MOASAMLSOAPClient.send(sloDescr.getServiceURL(), sloReq); + + LogoutResponse sloResp = null; + for (XMLObject el : soapResp) { + if (el instanceof LogoutResponse) + sloResp = (LogoutResponse) el; + } + + if (sloResp == null) { + Logger.warn("Single LogOut for OA " + sloDescr.getSpEntityID() + + " FAILED. NO LogOut response received."); + sloContainer.putFailedOA(sloDescr.getSpEntityID()); + + } else { + samlVerificationEngine.verifySLOResponse(sloResp, + TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); + + } + + checkStatusCode(sloContainer, sloResp); + + } catch (SOAPException e) { + Logger.warn("Single LogOut for OA " + sloDescr.getSpEntityID() + + " FAILED.", e); + sloContainer.putFailedOA(sloDescr.getSpEntityID()); + + } catch (SecurityException | InvalidProtocolRequestException e) { + Logger.warn("Single LogOut for OA " + sloDescr.getSpEntityID() + + " FAILED.", e); + sloContainer.putFailedOA(sloDescr.getSpEntityID()); + + } + } + + IRequest pendingReq = null; + PVPTargetConfiguration pvpReq = null; + //start service provider front channel logout process + try { + if (sloContainer.hasFrontChannelOA()) { + String relayState = Random.nextRandom(); + + Collection<Entry<String, SLOInformationInterface>> sloDescr = sloContainer.getFrontChannelOASessionDescriptions(); + List<String> sloReqList = new ArrayList<String>(); + for (Entry<String, SLOInformationInterface> el : sloDescr) { + Logger.trace("Build frontChannel SLO Request for " + el.getValue().getSpEntityID()); + + LogoutRequest sloReq = buildSLORequestMessage(el.getValue()); + try { + sloReqList.add(getFrontChannelSLOMessageURL(el.getValue().getServiceURL(), el.getValue().getBinding(), + sloReq, httpReq, httpResp, relayState)); + + } catch (Exception e) { + Logger.warn("Failed to build SLO request for OA:" + el.getKey()); + sloContainer.putFailedOA(el.getKey()); + + } + } + + //put SLO process-information into transaction storage + transactionStorage.put(relayState, sloContainer, -1); + + if (MiscUtil.isEmpty(authUrl)) + authUrl = sloContainer.getSloRequest().getAuthURL(); + + String timeOutURL = authUrl + + "/idpSingleLogout" + + "?restart=" + relayState; + + DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration( + authUrl, + DefaultGUIFormBuilderConfiguration.VIEW_SINGLELOGOUT, + null); + + config.putCustomParameterWithOutEscaption("redirectURLs", sloReqList); + config.putCustomParameterWithOutEscaption("timeoutURL", timeOutURL); + config.putCustomParameter("timeout", String.valueOf(SLOTIMEOUT)); + + guiBuilder.build(httpResp, config, "Single-LogOut GUI"); + + + } else { + pendingReq = sloContainer.getSloRequest(); + if (pendingReq != null && pendingReq instanceof PVPTargetConfiguration) { + //send SLO response to SLO request issuer + pvpReq = (PVPTargetConfiguration)pendingReq; + SingleLogoutService sloService = getResponseSLODescriptor(pvpReq); + LogoutResponse message = buildSLOResponseMessage(sloService, pvpReq, sloContainer.getSloFailedOAs()); + sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, pvpReq.getRequest().getRelayState(), pvpReq); + + } else { + //print SLO information directly + DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration( + authUrl, + DefaultGUIFormBuilderConfiguration.VIEW_SINGLELOGOUT, + null); + + if (sloContainer.getSloFailedOAs() == null || + sloContainer.getSloFailedOAs().size() == 0) { + revisionsLogger.logEvent(sloContainer.getSessionID(), sloContainer.getTransactionID(), MOAIDEventConstants.AUTHPROCESS_SLO_ALL_VALID); + config.putCustomParameter("successMsg", + MOAIDMessageProvider.getInstance().getMessage("slo.00", null)); + + } else { + revisionsLogger.logEvent(sloContainer.getSessionID(), sloContainer.getTransactionID(), MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID); + config.putCustomParameterWithOutEscaption("errorMsg", + MOAIDMessageProvider.getInstance().getMessage("slo.01", null)); + + } + guiBuilder.build(httpResp, config, "Single-LogOut GUI"); + + } + + } + + } catch (GUIBuildException e) { + Logger.warn("Can not build GUI:'Single-LogOut'. Msg:" + e.getMessage()); + throw new MOAIDException("builder.09", new Object[]{e.getMessage()}, e); + + } catch (MOADatabaseException e) { + Logger.error("MOA AssertionDatabase ERROR", e); + if (pvpReq != null) { + SingleLogoutService sloService = getResponseSLODescriptor(pvpReq); + LogoutResponse message = buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); + sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, pvpReq.getRequest().getRelayState(), pvpReq); + + revisionsLogger.logEvent(sloContainer.getSessionID(), sloContainer.getTransactionID(), MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID); + + }else { + //print SLO information directly + DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration( + authUrl, + DefaultGUIFormBuilderConfiguration.VIEW_SINGLELOGOUT, + null); + + revisionsLogger.logEvent(sloContainer.getSessionID(), sloContainer.getTransactionID(), MOAIDEventConstants.AUTHPROCESS_SLO_NOT_ALL_VALID); + config.putCustomParameterWithOutEscaption("errorMsg", + MOAIDMessageProvider.getInstance().getMessage("slo.01", null)); + + try { + guiBuilder.build(httpResp, config, "Single-LogOut GUI"); + + } catch (GUIBuildException e1) { + Logger.warn("Can not build GUI:'Single-LogOut'. Msg:" + e.getMessage()); + throw new MOAIDException("builder.09", new Object[]{e.getMessage()}, e); + + } + + } + + } catch (Exception e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + } + public void checkStatusCode(ISLOInformationContainer sloContainer, LogoutResponse logOutResp) { @@ -221,7 +417,7 @@ public class SingleLogOutBuilder { } - public LogoutRequest buildSLORequestMessage(SLOInformationImpl sloInfo) throws ConfigurationException, MOAIDException { + public LogoutRequest buildSLORequestMessage(SLOInformationInterface sloDescr) throws ConfigurationException, MOAIDException { LogoutRequest sloReq = SAML2Utils.createSAMLObject(LogoutRequest.class); SecureRandomIdentifierGenerator gen; @@ -237,17 +433,17 @@ public class SingleLogOutBuilder { DateTime now = new DateTime(); Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); - issuer.setValue(PVPConfiguration.getInstance().getIDPSSOMetadataService(sloInfo.getAuthURL())); + issuer.setValue(PVPConfiguration.getInstance().getIDPSSOMetadataService(sloDescr.getAuthURL())); issuer.setFormat(NameID.ENTITY); sloReq.setIssuer(issuer); sloReq.setIssueInstant(now); sloReq.setNotOnOrAfter(now.plusMinutes(5)); - sloReq.setDestination(sloInfo.getServiceURL()); + sloReq.setDestination(sloDescr.getServiceURL()); NameID nameID = SAML2Utils.createSAMLObject(NameID.class); - nameID.setFormat(sloInfo.getUserNameIDFormat()); - nameID.setValue(sloInfo.getUserNameIdentifier()); + nameID.setFormat(sloDescr.getUserNameIDFormat()); + nameID.setValue(sloDescr.getUserNameIdentifier()); sloReq.setNameID(nameID ); //sign message @@ -435,9 +631,9 @@ public class SingleLogOutBuilder { public void parseActiveOAs(SLOInformationContainer container, List<OASessionStore> dbOAs, String removeOAID) { if (container.getActiveBackChannelOAs() == null) - container.setActiveBackChannelOAs(new LinkedHashMap<String, SLOInformationImpl>()); + container.setActiveBackChannelOAs(new LinkedHashMap<String, SLOInformationInterface>()); if (container.getActiveFrontChannalOAs() == null) - container.setActiveFrontChannalOAs(new LinkedHashMap<String, SLOInformationImpl>()); + container.setActiveFrontChannalOAs(new LinkedHashMap<String, SLOInformationInterface>()); if (dbOAs != null) { @@ -491,9 +687,9 @@ public class SingleLogOutBuilder { public void parseActiveIDPs(SLOInformationContainer container, List<InterfederationSessionStore> dbIDPs, String removeIDP) { if (container.getActiveBackChannelOAs() == null) - container.setActiveBackChannelOAs(new LinkedHashMap<String, SLOInformationImpl>()); + container.setActiveBackChannelOAs(new LinkedHashMap<String, SLOInformationInterface>()); if (container.getActiveFrontChannalOAs() == null) - container.setActiveFrontChannalOAs(new LinkedHashMap<String, SLOInformationImpl>()); + container.setActiveFrontChannalOAs(new LinkedHashMap<String, SLOInformationInterface>()); if (dbIDPs != null) { for (InterfederationSessionStore el : dbIDPs) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index 40c85945f..056e2bba0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -59,23 +59,26 @@ import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; -import at.gv.egiz.eaaf.core.api.IOAAuthParameters; -import at.gv.egiz.eaaf.core.api.data.IAuthData; +import at.gv.egiz.eaaf.core.api.data.EAAFConstants; +import at.gv.egiz.eaaf.core.api.idp.IAuthData; +import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; +import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; import at.gv.egiz.eaaf.core.impl.utils.Random; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.data.IMOAAuthData; import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.QAANotSupportedException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.UnprovideableAttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.id.util.LoALevelMapper; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.id.util.QAALevelVerifier; import at.gv.egovernment.moa.logging.Logger; @@ -91,7 +94,7 @@ public class PVP2AssertionBuilder implements PVPConstants { * @param issuerEntityID EnitiyID, which should be used for this IDP response * @param attrQuery AttributeQuery request from Service-Provider * @param attrList List of PVP response attributes - * @param now Current time + * @param now Current time * @param validTo ValidTo time of the assertion * @param qaaLevel QAA level of the authentication * @param sessionIndex SAML2 SessionIndex, which should be included * @@ -141,48 +144,51 @@ public class PVP2AssertionBuilder implements PVPConstants { AuthnContextClassRef authnContextClassRef = SAML2Utils .createSAMLObject(AuthnContextClassRef.class); - IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); + ISPConfiguration oaParam = pendingReq.getServiceProviderConfiguration(); if (reqAuthnContext == null) { - authnContextClassRef.setAuthnContextClassRef(authData.getQAALevel()); + authnContextClassRef.setAuthnContextClassRef(authData.getEIDASQAALevel()); } else { - boolean stork_qaa_1_4_found = false; + boolean eIDAS_qaa_found = false; List<AuthnContextClassRef> reqAuthnContextClassRefIt = reqAuthnContext .getAuthnContextClassRefs(); - if (reqAuthnContextClassRefIt.size() == 0) { - - QAALevelVerifier.verifyQAALevel(authData.getQAALevel(), - STORK_QAA_1_4); + if (reqAuthnContextClassRefIt.size() == 0) { + QAALevelVerifier.verifyQAALevel(authData.getEIDASQAALevel(), EAAFConstants.EIDAS_QAA_HIGH); - stork_qaa_1_4_found = true; - authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4); + eIDAS_qaa_found = true; + authnContextClassRef.setAuthnContextClassRef(EAAFConstants.EIDAS_QAA_HIGH); } else { for (AuthnContextClassRef authnClassRef : reqAuthnContextClassRefIt) { String qaa_uri = authnClassRef.getAuthnContextClassRef(); - if (qaa_uri.trim().equals(STORK_QAA_1_4) - || qaa_uri.trim().equals(STORK_QAA_1_3) - || qaa_uri.trim().equals(STORK_QAA_1_2) - || qaa_uri.trim().equals(STORK_QAA_1_1)) { + + if (qaa_uri.trim().startsWith(STORK_QAA_PREFIX)) { + Logger.debug("Find STORK QAA leven in AuthnRequest. Starting mapping to eIDAS level ... "); + qaa_uri = LoALevelMapper.getInstance().mapSTORKQAAToeIDASQAA(qaa_uri.trim()); + + } + + if (qaa_uri.trim().equals(EAAFConstants.EIDAS_QAA_HIGH) + || qaa_uri.trim().equals(EAAFConstants.EIDAS_QAA_SUBSTANTIAL) + || qaa_uri.trim().equals(EAAFConstants.EIDAS_QAA_LOW)) { if (authData.isForeigner()) { - QAALevelVerifier.verifyQAALevel(authData.getQAALevel(), - STORK_QAA_PREFIX + oaParam.getQaaLevel()); + QAALevelVerifier.verifyQAALevel(authData.getEIDASQAALevel(), oaParam.getMinimumLevelOfAssurence()); - stork_qaa_1_4_found = true; - authnContextClassRef.setAuthnContextClassRef(authData.getQAALevel()); + eIDAS_qaa_found = true; + authnContextClassRef.setAuthnContextClassRef(authData.getEIDASQAALevel()); } else { - QAALevelVerifier.verifyQAALevel(authData.getQAALevel(), + QAALevelVerifier.verifyQAALevel(authData.getEIDASQAALevel(), qaa_uri.trim()); - stork_qaa_1_4_found = true; - authnContextClassRef.setAuthnContextClassRef(authData.getQAALevel()); + eIDAS_qaa_found = true; + authnContextClassRef.setAuthnContextClassRef(authData.getEIDASQAALevel()); } break; @@ -190,9 +196,9 @@ public class PVP2AssertionBuilder implements PVPConstants { } } - if (!stork_qaa_1_4_found) { - throw new QAANotSupportedException(STORK_QAA_1_4); - } + if (!eIDAS_qaa_found) + throw new QAANotSupportedException(EAAFConstants.EIDAS_QAA_HIGH); + } @@ -289,11 +295,12 @@ public class PVP2AssertionBuilder implements PVPConstants { //build nameID and nameID Format from moasession //TODO: nameID generation - if (authData.isUseMandate()) { + if (authData instanceof IMOAAuthData && + ((IMOAAuthData)authData).isUseMandate()) { String bpktype = null; String bpk = null; - Element mandate = authData.getMandate(); + Element mandate = ((IMOAAuthData)authData).getMandate(); if(mandate != null) { Logger.debug("Read mandator bPK|baseID from full-mandate ... "); Mandate mandateObject = MandateBuilder.buildMandate(mandate); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/SamlAttributeGenerator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/SamlAttributeGenerator.java index e462b277e..6ccacd6c8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/SamlAttributeGenerator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/SamlAttributeGenerator.java @@ -31,7 +31,7 @@ import org.opensaml.xml.schema.XSString; import org.opensaml.xml.schema.impl.XSIntegerBuilder; import org.opensaml.xml.schema.impl.XSStringBuilder; -import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator; +import at.gv.egiz.eaaf.core.api.idp.IAttributeGenerator; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; public class SamlAttributeGenerator implements IAttributeGenerator<Attribute> { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java index 64f5c7d73..81eca3765 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java @@ -44,7 +44,8 @@ import org.opensaml.saml2.metadata.OrganizationURL; import org.opensaml.saml2.metadata.SurName; import org.opensaml.saml2.metadata.TelephoneNumber; -import at.gv.egiz.eaaf.core.api.IOAAuthParameters; +import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; @@ -157,7 +158,7 @@ public class PVPConfiguration { try { Logger.trace("Load metadata signing certificate for online application " + entityID); - IOAAuthParameters oaParam = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(entityID); + ISPConfiguration oaParam = AuthConfigurationProviderFactory.getInstance().getServiceProviderConfiguration(entityID); if (oaParam == null) { Logger.info("Online Application with ID " + entityID + " not found!"); return null; @@ -186,6 +187,11 @@ public class PVPConfiguration { } catch (IOException e) { Logger.warn("Metadata signer certificate is not decodeable.", e); return null; + + } catch (EAAFConfigurationException e) { + Logger.error("Configuration is not accessable.", e); + return null; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NameIDFormatNotSupportedException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NameIDFormatNotSupportedException.java index b1e7df014..c82e6bdf1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NameIDFormatNotSupportedException.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NameIDFormatNotSupportedException.java @@ -29,7 +29,7 @@ import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException; public class NameIDFormatNotSupportedException extends AuthnRequestValidatorException { public NameIDFormatNotSupportedException(String nameIDFormat) { - super("pvp2.12", new Object[] {nameIDFormat}); + super("pvp2.12", new Object[] {nameIDFormat}, "NameID format not supported"); statusCodeValue = StatusCode.INVALID_NAMEID_POLICY_URI; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index 86284a2f4..7d43732a6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -49,12 +49,14 @@ import org.opensaml.xml.XMLObject; import org.opensaml.xml.parse.BasicParserPool; import org.springframework.stereotype.Service; -import at.gv.egiz.eaaf.core.api.IOAAuthParameters; +import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; import at.gv.egovernment.moa.id.auth.IDestroyableObject; import at.gv.egovernment.moa.id.auth.IGarbageCollectorProcessing; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameterDecorator; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.PVPEntityCategoryFilter; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.PVPMetadataFilterChain; @@ -72,7 +74,7 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider // private static MOAMetadataProvider instance = null; MetadataProvider internalProvider = null; - private Timer timer = null; + private Timer timer = null; private static Object mutex = new Object(); //private Map<String, Date> lastAccess = null; @@ -110,7 +112,7 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider Logger.trace("Check consistence of PVP2X metadata"); addAndRemoveMetadataProvider(); - } catch (ConfigurationException e) { + } catch (ConfigurationException | EAAFConfigurationException e) { Logger.error("Access to MOA-ID configuration FAILED.", e); } @@ -156,8 +158,7 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider //reload metadata provider - IOAAuthParameters oaParam = - authConfig.getOnlineApplicationParameter(entityID); + ISPConfiguration oaParam = authConfig.getServiceProviderConfiguration(entityID); if (oaParam != null) { String metadataURL = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_URL); if (MiscUtil.isNotEmpty(metadataURL)) { @@ -175,7 +176,7 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider String certBase64 = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_CERTIFICATE); if (MiscUtil.isNotEmpty(certBase64)) { byte[] cert = Base64Utils.decode(certBase64, false); - String oaFriendlyName = oaParam.getFriendlyName(); + String oaFriendlyName = oaParam.getUniqueIdentifier(); if (timer == null) timer = new Timer(true); @@ -222,6 +223,10 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider } catch (ConfigurationException e) { Logger.warn("Refresh PVP2X metadata for onlineApplication: " + entityID + " FAILED.", e); + + } catch (EAAFConfigurationException e) { + Logger.warn("Refresh PVP2X metadata for onlineApplication: " + + entityID + " FAILED.", e); } return false; @@ -246,7 +251,7 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider } - private void addAndRemoveMetadataProvider() throws ConfigurationException { + private void addAndRemoveMetadataProvider() throws ConfigurationException, EAAFConfigurationException { if (internalProvider != null && internalProvider instanceof ChainingMetadataProvider) { Logger.info("Reload MOAMetaDataProvider."); @@ -282,8 +287,7 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider while (oaInterator.hasNext()) { Entry<String, String> oaKeyPair = oaInterator.next(); - IOAAuthParameters oaParam = - authConfig.getOnlineApplicationParameter(oaKeyPair.getValue()); + ISPConfiguration oaParam = authConfig.getServiceProviderConfiguration(oaKeyPair.getValue()); if (oaParam != null) { String metadataurl = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_URL); @@ -409,7 +413,7 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider * This method is deprecated because OA metadata should be loaded dynamically * if the corresponding OA is requested. */ - private void loadAllPVPMetadataFromKonfiguration() { + private void loadAllPVPMetadataFromKonfiguration() throws EAAFConfigurationException { ChainingMetadataProvider chainProvider = new ChainingMetadataProvider(); Logger.info("Loading metadata"); Map<String, MetadataProvider> providersinuse = new HashMap<String, MetadataProvider>(); @@ -423,11 +427,10 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider while (oaInterator.hasNext()) { Entry<String, String> oaKeyPair = oaInterator.next(); - IOAAuthParameters oaParam = - authConfig.getOnlineApplicationParameter(oaKeyPair.getValue()); + ISPConfiguration oaParam = authConfig.getServiceProviderConfiguration(oaKeyPair.getValue()); if (oaParam != null) { String metadataurl = oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_PVP2X_URL); - String oaFriendlyName = oaParam.getFriendlyName(); + String oaFriendlyName = oaParam.getUniqueIdentifier(); MetadataProvider httpProvider = null; try { @@ -489,7 +492,7 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider } - private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException, ConfigurationException { + private PVPMetadataFilterChain buildMetadataFilterChain(ISPConfiguration oaParam, String metadataURL, byte[] certificate) throws CertificateException, ConfigurationException { PVPMetadataFilterChain filterChain = new PVPMetadataFilterChain(metadataURL, certificate); filterChain.getFilters().add(new SchemaValidationFilter()); filterChain.getFilters().add( @@ -497,7 +500,9 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider AuthConfiguration.PROP_KEY_PROTOCOL_PVP_METADATA_ENTITYCATEGORY_RESOLVER, false))); - if (oaParam.isInderfederationIDP()) { + + + if ((new OAAuthParameterDecorator(oaParam)).isInderfederationIDP()) { Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies"); filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oaParam.hasBaseIdTransferRestriction())); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java index 6c2235654..c87b7515f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java @@ -23,6 +23,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.metadata; import java.io.File; +import java.net.MalformedURLException; import java.util.Timer; import javax.net.ssl.SSLHandshakeException; @@ -57,6 +58,7 @@ public abstract class SimpleMOAMetadataProvider implements MetadataProvider{ @Autowired + //protected IConfiguration authConfig; protected AuthConfiguration authConfig; /** @@ -76,21 +78,30 @@ public abstract class SimpleMOAMetadataProvider implements MetadataProvider{ return createNewHTTPMetaDataProvider(metadataLocation, filter, IdForLogging, timer, pool); else { - String absoluteMetadataLocation = FileUtils.makeAbsoluteURL( - metadataLocation, - authConfig.getRootConfigFileDir()); - - if (absoluteMetadataLocation.startsWith(URI_PREFIX_FILE)) { - File metadataFile = new File(absoluteMetadataLocation); - if (metadataFile.exists()) - return createNewFileSystemMetaDataProvider(metadataFile, filter, IdForLogging, timer, pool); + String absoluteMetadataLocation; + try { + absoluteMetadataLocation = FileUtils.makeAbsoluteURL( + metadataLocation, + authConfig.getConfigurationRootDirectory().toURL().toString()); - else { - Logger.warn("SAML2 metadata file: " + absoluteMetadataLocation + " not found or not exist"); - return null; - } + if (absoluteMetadataLocation.startsWith(URI_PREFIX_FILE)) { + File metadataFile = new File(absoluteMetadataLocation); + if (metadataFile.exists()) + return createNewFileSystemMetaDataProvider(metadataFile, filter, IdForLogging, timer, pool); + + else { + Logger.warn("SAML2 metadata file: " + absoluteMetadataLocation + " not found or not exist"); + return null; + } + + } - } + + } catch (MalformedURLException e) { + Logger.warn("SAML2 metadata URL is invalid: " + metadataLocation, e); + + } + } Logger.warn("SAML2 metadata has an unsupported metadata location prefix: " + metadataLocation); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java index af9ba0180..dd94e0093 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java @@ -33,6 +33,7 @@ import org.opensaml.xml.security.x509.X509Credential; import org.opensaml.xml.signature.Signature; import org.opensaml.xml.signature.SignatureConstants; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.opemsaml.MOAKeyStoreX509CredentialAdapter; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; @@ -55,8 +56,9 @@ public abstract class AbstractCredentialProvider { * Get KeyStore * * @return URL to the keyStore + * @throws ConfigurationException */ - public abstract String getKeyStoreFilePath(); + public abstract String getKeyStoreFilePath() throws ConfigurationException; /** * Get keyStore password diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/IDPCredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/IDPCredentialProvider.java index 381289824..ebaef348c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/IDPCredentialProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/IDPCredentialProvider.java @@ -28,6 +28,7 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.util.FileUtils; import at.gv.egovernment.moa.util.MiscUtil; @@ -53,14 +54,14 @@ public class IDPCredentialProvider extends AbstractCredentialProvider { * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getKeyStoreFilePath() */ @Override - public String getKeyStoreFilePath() { + public String getKeyStoreFilePath() throws ConfigurationException { if (props == null) props = authConfig.getGeneralPVP2ProperiesConfig(); + return FileUtils.makeAbsoluteURL( - props.getProperty(IDP_JAVAKEYSTORE), - authConfig.getRootConfigFileDir()); - + props.getProperty(IDP_JAVAKEYSTORE), + authConfig.getRootConfigFileDir()); } /* (non-Javadoc) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java index 528d8cbb6..d89d04664 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.java @@ -34,7 +34,8 @@ import org.opensaml.xml.security.x509.BasicX509Credential; import org.opensaml.xml.signature.SignatureValidator; import org.opensaml.xml.validation.ValidationException; -import at.gv.egiz.eaaf.core.api.IOAAuthParameters; +import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; @@ -52,8 +53,8 @@ public class EntityVerifier { public static byte[] fetchSavedCredential(String entityID) { // List<OnlineApplication> oaList = ConfigurationDBRead // .getAllActiveOnlineApplications(); - try { - IOAAuthParameters oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(entityID); + try { + ISPConfiguration oa = AuthConfigurationProviderFactory.getInstance().getServiceProviderConfiguration(entityID); if (oa == null) { Logger.debug("No OnlineApplication with EntityID: " + entityID); @@ -67,7 +68,7 @@ public class EntityVerifier { } - } catch (ConfigurationException e) { + } catch (ConfigurationException | EAAFConfigurationException e) { Logger.error("Access MOA-ID configuration FAILED.", e); } catch (IOException e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java index 870c70efe..50bc7fb68 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java @@ -62,7 +62,7 @@ public class SAMLVerificationEngine { public void verify(InboundMessage msg, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception { try { - if (msg instanceof MOARequest && + if (msg instanceof MOARequest && ((MOARequest)msg).getSamlRequest() instanceof RequestAbstractType) verifyRequest(((RequestAbstractType)((MOARequest)msg).getSamlRequest()), sigTrustEngine); @@ -112,10 +112,10 @@ public class SAMLVerificationEngine { } catch (ValidationException e) { Logger.warn("Signature is not conform to SAML signature profile", e); - throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}, "Signature is not conform to SAML signature profile"); } catch (SchemaValidationException e) { - throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}); + throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}, "SAML response does not fit XML scheme"); } @@ -126,11 +126,11 @@ public class SAMLVerificationEngine { try { if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) { - throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}, "Signature verification FAILED on SAML response"); } } catch (org.opensaml.xml.security.SecurityException e) { Logger.warn("PVP2x message signature validation FAILED.", e); - throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}, "Signature verification FAILED on SAML response"); } } @@ -142,10 +142,10 @@ public class SAMLVerificationEngine { } catch (ValidationException e) { Logger.warn("Signature is not conform to SAML signature profile", e); - throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}, "Scheme validation FAILED on SAML request"); } catch (SchemaValidationException e) { - throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}); + throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}, "Scheme verification FAILED on SAML request"); } @@ -156,11 +156,11 @@ public class SAMLVerificationEngine { try { if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) { - throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}, "Signature verification FAILED on SAML request"); } } catch (org.opensaml.xml.security.SecurityException e) { Logger.warn("PVP2x message signature validation FAILED.", e); - throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}, "Signature verification FAILED on SAML request"); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java index 9ae41c06c..c5f02e7de 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java @@ -40,15 +40,17 @@ import org.springframework.transaction.annotation.Transactional; import com.fasterxml.jackson.core.JsonProcessingException; -import at.gv.egiz.eaaf.core.api.IOAAuthParameters; import at.gv.egiz.eaaf.core.api.IRequest; -import at.gv.egiz.eaaf.core.api.data.SLOInformationInterface; +import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface; +import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; import at.gv.egiz.eaaf.core.impl.utils.Random; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionExtensions; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionWrapper; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession; import at.gv.egovernment.moa.id.commons.db.dao.session.AuthenticatedSessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; @@ -56,6 +58,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.commons.utils.JsonMapper; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameterDecorator; import at.gv.egovernment.moa.id.data.EncryptedData; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; @@ -68,14 +71,12 @@ import at.gv.egovernment.moa.util.MiscUtil; public class DBAuthenticationSessionStoreage implements IAuthenticationSessionStoreage{ @PersistenceContext(unitName="session") - private EntityManager entityManager; + private EntityManager entityManager; @Autowired AuthConfiguration authConfig; private static JsonMapper mapper = new JsonMapper(); - - //@Autowired MOASessionDBUtils moaSessionDBUtils; - + @Override public boolean isAuthenticated(String internalSsoSessionID) { @@ -108,7 +109,8 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt sessionExt.setUniqueSessionId(target.getUniqueSessionIdentifier()); dbsession.setAdditionalInformation(mapper.serialize(sessionExt).getBytes("UTF-8")); - AuthenticationSession session = new AuthenticationSession(id, now, target.getMOASession()); + AuthenticationSession session = new AuthenticationSession(id, now, + new AuthenticationSessionWrapper(target.genericFullDataStorage())); encryptSession(session, dbsession); //store AssertionStore element to Database @@ -123,7 +125,7 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt } catch (JsonProcessingException | UnsupportedEncodingException e) { Logger.warn("Extended session information can not be stored.", e); - throw new MOADatabaseException(e); + throw new MOADatabaseException("Extended session information can not be stored.", e); } @@ -180,7 +182,7 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt } catch (MOADatabaseException e) { Logger.warn("MOASession could not be stored."); - throw new MOADatabaseException(e); + throw new MOADatabaseException("MOASession could not be stored.", e); } catch (JsonProcessingException | UnsupportedEncodingException e) { Logger.warn("Extended session information can not be stored.", e); @@ -228,12 +230,12 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt } @Override - public AuthenticationSession getInternalMOASessionWithSSOID(String SSOSessionID) throws MOADatabaseException { - MiscUtil.assertNotNull(SSOSessionID, "SSOsessionID"); - Logger.trace("Get authenticated session with SSOID " + SSOSessionID + " from database."); + public String getInternalSSOSessionWithSSOID(String externelSSOId) throws MOADatabaseException { + MiscUtil.assertNotNull(externelSSOId, "SSOsessionID"); + Logger.trace("Get authenticated session with SSOID " + externelSSOId + " from database."); Query query = entityManager.createNamedQuery("getSessionWithSSOID"); - query.setParameter("sessionid", SSOSessionID); + query.setParameter("sessionid", externelSSOId); List<AuthenticatedSessionStore> results = query.getResultList(); Logger.trace("Found entries: " + results.size()); @@ -245,7 +247,7 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt } else try { - return decryptSession(results.get(0)); + return decryptSession(results.get(0)).getSSOSessionID(); } catch (Throwable e) { Logger.warn("MOASession deserialization-exception by using internal MOASessionID=" + results.get(0).getSessionid(), e); @@ -312,7 +314,7 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt //check if OA already has an active OA session if (dbsession.getActiveOAsessions() != null) { for (OASessionStore el : dbsession.getActiveOAsessions()) { - if (el.getOaurlprefix().equals(protocolRequest.getOAURL())) + if (el.getOaurlprefix().equals(protocolRequest.getSPEntityId())) activeOA = el; } } @@ -321,7 +323,7 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt activeOA = new OASessionStore(); //set active OA applications - activeOA.setOaurlprefix(protocolRequest.getOAURL()); + activeOA.setOaurlprefix(protocolRequest.getSPEntityId()); activeOA.setMoasession(dbsession); activeOA.setCreated(new Date()); @@ -360,21 +362,21 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt entityManager.merge(dbsession); if (SLOInfo != null) - Logger.info("Add SSO-Session login information for OA: " + protocolRequest.getOAURL() + Logger.info("Add SSO-Session login information for OA: " + protocolRequest.getSPEntityId() + " and AssertionID: " + SLOInfo.getSessionIndex()); else - Logger.info("Add SSO-Session login information for OA: " + protocolRequest.getOAURL()); + Logger.info("Add SSO-Session login information for OA: " + protocolRequest.getSPEntityId()); } @Override - public List<OASessionStore> getAllActiveOAFromMOASession(IAuthenticationSession moaSession) { - MiscUtil.assertNotNull(moaSession, "MOASession"); + public List<OASessionStore> getAllActiveOAFromMOASession(String ssoSessionId) { + MiscUtil.assertNotNull( ssoSessionId, "MOASession"); - Logger.trace("Get OAs for moaSession " + moaSession.getSessionID() + " from database."); + Logger.trace("Get OAs for moaSession " + ssoSessionId + " from database."); Query query = entityManager.createNamedQuery("getAllActiveOAsForSessionID"); - query.setParameter("sessionID", moaSession.getSessionID()); + query.setParameter("sessionID", ssoSessionId); List<OASessionStore> results = query.getResultList(); Logger.trace("Found entries: " + results.size()); @@ -384,13 +386,13 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt } @Override - public List<InterfederationSessionStore> getAllActiveIDPsFromMOASession(IAuthenticationSession moaSession) { - MiscUtil.assertNotNull(moaSession, "MOASession"); + public List<InterfederationSessionStore> getAllActiveIDPsFromMOASession(String ssoSessionId) { + MiscUtil.assertNotNull( ssoSessionId, "MOASession"); - Logger.trace("Get active IDPs for moaSession " + moaSession.getSessionID() + " from database."); + Logger.trace("Get active IDPs for moaSession " + ssoSessionId + " from database."); Query query = entityManager.createNamedQuery("getAllActiveIDPsForSessionID"); - query.setParameter("sessionID", moaSession.getSessionID()); + query.setParameter("sessionID", ssoSessionId); List<InterfederationSessionStore> results = query.getResultList(); Logger.trace("Found entries: " + results.size()); @@ -399,7 +401,7 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt } @Override - public IAuthenticationSession searchMOASessionWithNameIDandOAID(String oaID, String userNameID) { + public String searchSSOSessionWithNameIDandOAID(String oaID, String userNameID) { MiscUtil.assertNotNull(oaID, "OnlineApplicationIdentifier"); MiscUtil.assertNotNull(userNameID, "userNameID"); Logger.trace("Get moaSession for userNameID " + userNameID + " and OA " @@ -419,8 +421,10 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt } - try { - return decryptSession(results.get(0)); + try { + AuthenticationSession decrytedSession = decryptSession(results.get(0)); + + return decrytedSession.getSSOSessionID(); } catch (BuildException e) { Logger.warn("MOASession deserialization-exception by using MOASessionID=" + results.get(0).getSessionid(), e); @@ -434,11 +438,11 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt MiscUtil.assertNotNull(moaSession, "MOASession"); MiscUtil.assertNotNull(oaID, "OnlineApplicationIdentifier"); MiscUtil.assertNotNull(protocolType, "usedProtocol"); - Logger.trace("Get active OnlineApplication for sessionID " + moaSession.getSessionID() + " with OAID " + Logger.trace("Get active OnlineApplication for sessionID " + moaSession.getSSOSessionID() + " with OAID " + oaID + " from database."); Query query = entityManager.createNamedQuery("getActiveOAWithSessionIDandOAIDandProtocol"); - query.setParameter("sessionID", moaSession.getSessionID()); + query.setParameter("sessionID", moaSession.getSSOSessionID()); query.setParameter("oaID", oaID); query.setParameter("protocol", protocolType); List<AuthenticatedSessionStore> results = query.getResultList(); @@ -545,25 +549,25 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt } @Override - public void addFederatedSessionInformation(IRequest req, String idpEntityID, AssertionAttributeExtractor extractor) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException { + public void addFederatedSessionInformation(IRequest req, String idpEntityID, AssertionAttributeExtractor extractor) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException, EAAFConfigurationException { AuthenticatedSessionStore dbsession = null; - AuthenticationSession moaSession = null; + String ssoSessionId = null; Date now = new Date(); //search for active session - if (MiscUtil.isNotEmpty(req.getInternalSSOSessionIdentifier())) { - Logger.debug("Internal SSO-Session object: " + req.getInternalSSOSessionIdentifier() + " used for federated SSO"); - moaSession = getInternalMOASessionWithSSOID(req.getInternalSSOSessionIdentifier()); + if (MiscUtil.isNotEmpty(req.getSSOSessionIdentifier())) { + Logger.debug("Internal SSO-Session object: " + req.getSSOSessionIdentifier() + " used for federated SSO"); + ssoSessionId = getInternalSSOSessionWithSSOID(req.getSSOSessionIdentifier()); } else { Logger.debug("No internal SSO-Session object exists for federated SSO --> create new session object"); - moaSession = createInternalSSOSession(req); + ssoSessionId = createInternalSSOSession(req).getSSOSessionID(); } - if (moaSession != null) { + if (MiscUtil.isNotEmpty(ssoSessionId)) { try { - dbsession = searchInDatabase(moaSession.getSessionID()); + dbsession = searchInDatabase(ssoSessionId); }catch (MOADatabaseException e) { Logger.error("NO MOASession found but MOASession MUST already exist!"); @@ -617,7 +621,7 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt idp.setIdpurlprefix(idpEntityID); idp.setAuthURL(req.getAuthURL()); - IOAAuthParameters oa = authConfig.getOnlineApplicationParameter(idp.getIdpurlprefix()); + IOAAuthParameters oa = authConfig.getServiceProviderConfiguration(idp.getIdpurlprefix(), OAAuthParameterDecorator.class); idp.setStoreSSOInformation(oa.isInterfederationSSOStorageAllowed()); idp.setMoasession(dbsession); idpList.add(idp); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java index 958ef4977..27d9d394d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBTransactionStorage.java @@ -241,16 +241,17 @@ public class DBTransactionStorage implements ITransactionStorage { } } -// public Object getAssertionStore(String key) throws MOADatabaseException{ -// return searchInDatabase(key); -// -// } + @Override + public Object getRaw(String key) throws MOADatabaseException { + return searchInDatabase(key); + + } -// @Override -// public void putAssertionStore(Object element) throws MOADatabaseException{ -// entityManager.merge(element); -// -// } + @Override + public void putRaw(String key, Object element) throws MOADatabaseException { + entityManager.merge(element); + + } private void cleanDelete(AssertionStore element) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java index 414df1328..ff9c4e358 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java @@ -26,7 +26,8 @@ import java.util.Date; import java.util.List; import at.gv.egiz.eaaf.core.api.IRequest; -import at.gv.egiz.eaaf.core.api.data.SLOInformationInterface; +import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface; +import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionExtensions; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; @@ -110,13 +111,13 @@ public interface IAuthenticationSessionStoreage { public void setAuthenticated(String internalSsoSessionID, boolean isAuthenticated); /** - * Find the MOASessionId of an active Single Sign-On session + * Find the internal SSO session identifier of an active Single Sign-On session * - * @param SSOSessionID Single Sign-On sessionID - * @return internal MOA SSO-Session of the associated SSO-Session Id + * @param externelSSOId external Single Sign-On sessionID + * @return internal SSO-Session identifier * @throws MOADatabaseException */ - public AuthenticationSession getInternalMOASessionWithSSOID(String SSOSessionID) throws MOADatabaseException; + public String getInternalSSOSessionWithSSOID(String externelSSOId) throws MOADatabaseException; /** * Check if a MOASession is an active Single Sign-On session @@ -151,28 +152,28 @@ public interface IAuthenticationSessionStoreage { /** * Get all Single Sign-On authenticated Service-Provider of a MOASession * - * @param moaSession MOASession data object + * @param ssoSessionId SSO session id * @return List of Service-Provider information */ - public List<OASessionStore> getAllActiveOAFromMOASession(IAuthenticationSession moaSession); + public List<OASessionStore> getAllActiveOAFromMOASession(String ssoSessionId); /** * Get all active interfederation connections for a MOASession * - * @param moaSession MOASession data object + * @param ssoSessionId SSO session id * @return List of Interfederation-IDP information */ - public List<InterfederationSessionStore> getAllActiveIDPsFromMOASession(IAuthenticationSession moaSession); + public List<InterfederationSessionStore> getAllActiveIDPsFromMOASession(String ssoSessionId); /** - * Search a MOASession by using already transfered authentication information + * Search a SSO session by using already transfered authentication information * * @param oaID Service-Provider identifier, which has received the authentication information * @param userNameID UserId (bPK), which was send to this Service-Provider - * @return MOASession, or null if no corresponding MOASession is found + * @return SSO-session identifier, or null if no corresponding SSO session is found */ - public IAuthenticationSession searchMOASessionWithNameIDandOAID(String oaID, String userNameID); + public String searchSSOSessionWithNameIDandOAID(String oaID, String userNameID); /** * Search a active Single Sign-On session for a specific Service-Provider @@ -220,8 +221,9 @@ public interface IAuthenticationSessionStoreage { * @throws MOADatabaseException * @throws AssertionAttributeExtractorExeption * @throws BuildException + * @throws EAAFConfigurationException */ - public void addFederatedSessionInformation(IRequest req, String idpEntityID, AssertionAttributeExtractor extractor) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException; + public void addFederatedSessionInformation(IRequest req, String idpEntityID, AssertionAttributeExtractor extractor) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException, EAAFConfigurationException; /** * Search an active federation IDP which could be used for federated Single Sign-On by using an AttributeQuery diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/RedisTransactionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/RedisTransactionStorage.java index f30613474..8d36e81bb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/RedisTransactionStorage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/RedisTransactionStorage.java @@ -40,6 +40,7 @@ import org.springframework.data.redis.serializer.JacksonJsonRedisSerializer; import org.springframework.stereotype.Service; import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.db.dao.session.AssertionStore; @@ -352,12 +353,13 @@ private AssertionStore prepareAssertion(AssertionStore element, String key, Obje } @Override -public Object getAssertionStore(String key) throws MOADatabaseException { +public Object getRaw(String key) throws EAAFException { return searchInDatabase(key); + } @Override -public void putAssertionStore(Object element) throws MOADatabaseException { +public void putRaw(String key, Object element) throws EAAFException { // TODO Auto-generated method stub AssertionStore as = (AssertionStore)element; final int expTime = redisTemplate.getExpire(as.getArtifact(), TimeUnit.MILLISECONDS).intValue(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/LoALevelMapper.java index 099a70470..3e3d9dafc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/LoALevelMapper.java @@ -33,7 +33,7 @@ import at.gv.egovernment.moa.util.MiscUtil; * @author tlenz * */ -public class PVPtoSTORKMapper { +public class LoALevelMapper { private static final String PVP_SECCLASS_PREFIX = "http://www.ref.gv.at/ns/names/agiz/pvp/"; private static final String STORK_QAA_PREFIX = "http://www.stork.gov.eu/1.0/"; @@ -47,17 +47,17 @@ public class PVPtoSTORKMapper { private Properties mapping = null; - private static PVPtoSTORKMapper instance = null; + private static LoALevelMapper instance = null; - public static PVPtoSTORKMapper getInstance() { + public static LoALevelMapper getInstance() { if (instance == null) { - instance = new PVPtoSTORKMapper(); + instance = new LoALevelMapper(); } return instance; } - private PVPtoSTORKMapper() { + private LoALevelMapper() { try { mapping = new Properties(); mapping.load(this.getClass().getClassLoader().getResourceAsStream(MAPPING_RESOURCE)); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/QAALevelVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/QAALevelVerifier.java index 88a64bd07..ca71ad946 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/QAALevelVerifier.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/QAALevelVerifier.java @@ -22,8 +22,9 @@ */ package at.gv.egovernment.moa.id.util; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egiz.eaaf.core.api.data.EAAFConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.QAANotAllowedException; +import at.gv.egovernment.moa.logging.Logger; /** * @author tlenz @@ -33,10 +34,23 @@ public class QAALevelVerifier { public static void verifyQAALevel(String qaaAuth, String qaaRequest) throws QAANotAllowedException { - Integer qaaA = Integer.valueOf(qaaAuth.substring(PVPConstants.STORK_QAA_PREFIX.length())); - Integer qaaR = Integer.valueOf(qaaRequest.substring(PVPConstants.STORK_QAA_PREFIX.length())); + if (EAAFConstants.EIDAS_QAA_LOW.equals(qaaRequest) && + (EAAFConstants.EIDAS_QAA_LOW.equals(qaaAuth) || + EAAFConstants.EIDAS_QAA_SUBSTANTIAL.equals(qaaAuth) || + EAAFConstants.EIDAS_QAA_HIGH.equals(qaaAuth)) + ) + Logger.debug("Requesed LoA fits LoA from authentication. Continuingauth process ... "); - if (qaaA < qaaR) + else if (EAAFConstants.EIDAS_QAA_SUBSTANTIAL.equals(qaaRequest) && + (EAAFConstants.EIDAS_QAA_SUBSTANTIAL.equals(qaaAuth) || + EAAFConstants.EIDAS_QAA_HIGH.equals(qaaAuth)) + ) + Logger.debug("Requesed LoA fits LoA from authentication. Continuingauth process ... "); + + else if (EAAFConstants.EIDAS_QAA_HIGH.equals(qaaRequest) && EAAFConstants.EIDAS_QAA_HIGH.equals(qaaAuth)) + Logger.debug("Requesed LoA fits LoA from authentication. Continuingauth process ... "); + + else throw new QAANotAllowedException(qaaAuth, qaaRequest); } |