diff options
Diffstat (limited to 'id/server/idserverlib/src/main')
42 files changed, 1081 insertions, 276 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index cf50a1bf5..b9ce76d0c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -1612,6 +1612,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { data.setFamilyname(PEPSFamilyname); data.setFirstname(PEPSFirstname); data.setIdentifier(PEPSIdentifier); + + data.setFiscalNumber(PEPSFiscalNumber); data.setRepresentative(representative); data.setRepresented(represented); @@ -1737,6 +1739,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { // add sign request PersonalAttribute newAttribute = new PersonalAttribute(); newAttribute.setName("signedDoc"); + newAttribute.setIsRequired(true); List<String> value = new ArrayList<String>(); Logger.debug("PEPS supports XMLSignatures:"+cpeps.isXMLSignatureSupported()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 52488c3cb..5d816be1b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -43,6 +43,7 @@ import javax.xml.bind.Marshaller; import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AttributeQuery; +import org.opensaml.saml2.core.AuthnStatement; import org.opensaml.saml2.core.Response; import org.opensaml.ws.soap.common.SOAPException; import org.opensaml.xml.XMLObject; @@ -214,7 +215,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } else { //build AuthenticationData from MOASession - buildAuthDataFormMOASession(authdata, session, oaParam); + buildAuthDataFormMOASession(authdata, session, oaParam, protocolRequest); } @@ -271,12 +272,13 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { AssertionAttributeExtractor extractor = new AssertionAttributeExtractor(intfResp); - if (!extractor.containsAllRequiredAttributes()) { + if (!extractor.containsAllRequiredAttributes()) { + Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ..."); //collect attributes by using BackChannel communication String endpoint = idp.getIDPAttributQueryServiceURL(); if (MiscUtil.isEmpty(endpoint)) { - Logger.error("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix()); - throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix(), null); + Logger.error("No AttributeQueryURL for interfederationIDP " + idp.getPublicURLPrefix()); + throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + idp.getPublicURLPrefix(), null); } //build attributQuery request @@ -321,7 +323,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } //parse response information to authData - buildAuthDataFormInterfederationResponse(authdata, session, extractor, oaParam); + buildAuthDataFormInterfederationResponse(authdata, session, extractor, oaParam, req); } catch (SOAPException e) { throw new BuildException("builder.06", null, e); @@ -348,7 +350,8 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { AuthenticationData authData, AuthenticationSession session, AssertionAttributeExtractor extractor, - IOAAuthParameters oaParam) + IOAAuthParameters oaParam, + IRequest req) throws BuildException, AssertionAttributeExtractorExeption { Logger.debug("Build AuthData from assertion starts ...."); @@ -358,14 +361,35 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { authData.setFamilyName(extractor.getSingleAttributeValue(PVPConstants.PRINCIPAL_NAME_NAME)); authData.setGivenName(extractor.getSingleAttributeValue(PVPConstants.GIVEN_NAME_NAME)); authData.setDateOfBirth(extractor.getSingleAttributeValue(PVPConstants.BIRTHDATE_NAME)); - authData.setBPKType(extractor.getSingleAttributeValue(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)); authData.setCcc(extractor.getSingleAttributeValue(PVPConstants.EID_ISSUING_NATION_NAME)); authData.setBkuURL(extractor.getSingleAttributeValue(PVPConstants.EID_CCS_URL_NAME)); authData.setIdentificationValue(extractor.getSingleAttributeValue(PVPConstants.EID_SOURCE_PIN_NAME)); authData.setIdentificationType(extractor.getSingleAttributeValue(PVPConstants.EID_SOURCE_PIN_TYPE_NAME)); + + if (extractor.containsAttribute(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) { + String bpkType = extractor.getSingleAttributeValue(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME); + if (bpkType.startsWith(Constants.URN_PREFIX_CDID) && + !bpkType.substring(Constants.URN_PREFIX_CDID.length(), + Constants.URN_PREFIX_CDID.length() + 1).equals("+")) { + Logger.warn("Receive uncorrect encoded bBKType attribute " + bpkType + " Starting attribute value correction ... "); + bpkType = Constants.URN_PREFIX_CDID + "+" + bpkType.substring(Constants.URN_PREFIX_CDID.length() + 1); + + } + + authData.setBPKType(bpkType); + } + if (extractor.containsAttribute(PVPConstants.BPK_NAME)) { String pvpbPK = extractor.getSingleAttributeValue(PVPConstants.BPK_NAME); + + if (pvpbPK.startsWith("bPK:")) { + Logger.warn("Attribute " + PVPConstants.BPK_NAME + + " contains a not standardize prefix! Staring attribute value correction process ..."); + pvpbPK = pvpbPK.substring("bPK:".length()); + + } + String[] spitted = pvpbPK.split(":"); authData.setBPK(spitted[1]); if (MiscUtil.isEmpty(authData.getBPKType())) { @@ -513,7 +537,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } //build OA specific bPK/wbPK information - buildOAspecificbPK(oaParam, authData, + buildOAspecificbPK(req, oaParam, authData, authData.getIdentificationValue(), authData.getIdentificationType()); @@ -521,7 +545,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { if (MiscUtil.isEmpty(authData.getBPK())) { Logger.debug("Calcutlate bPK from baseID"); - buildOAspecificbPK(oaParam, authData, + buildOAspecificbPK(req, oaParam, authData, authData.getIdentificationValue(), authData.getIdentificationType()); @@ -536,7 +560,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } else { Logger.debug("Found PVP QAA level. QAA mapping process starts ... "); - String mappedQAA = PVPtoSTORKMapper.getInstance().mapQAALevel(qaaLevel); + String mappedQAA = PVPtoSTORKMapper.getInstance().mapToQAALevel(qaaLevel); if (MiscUtil.isNotEmpty(mappedQAA)) authData.setQAALevel(mappedQAA); @@ -744,6 +768,12 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } } + //set PVP OU attribute + if (extractor.containsAttribute(PVPConstants.OU_NAME)) { + authData.setPvpAttribute_OU(extractor.getSingleAttributeValue(PVPConstants.OU_NAME)); + Logger.debug("Found PVP 'OU' attribute in response -> " + authData.getPvpAttribute_OU()); + + } //set STORK attributes if (extractor.containsAttribute(PVPConstants.EID_STORK_TOKEN_NAME)) { @@ -761,8 +791,19 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { authData.setSsoSession(true); authData.setInterfederatedSSOSession(true); - if (extractor.getFullAssertion().getConditions() != null && extractor.getFullAssertion().getConditions().getNotOnOrAfter() != null) + if (extractor.getFullAssertion().getAuthnStatements() != null + && extractor.getFullAssertion().getAuthnStatements().size() > 0) { + for (AuthnStatement el : extractor.getFullAssertion().getAuthnStatements()) { + if (el.getSessionNotOnOrAfter() != null) { + authData.setSsoSessionValidTo(el.getSessionNotOnOrAfter().toDate()); + break; + } + } + + } else { authData.setSsoSessionValidTo(extractor.getFullAssertion().getConditions().getNotOnOrAfter().toDate()); + + } //only for SAML1 if (PVPConstants.STORK_QAA_1_4.equals(authData.getQAALevel())) @@ -805,7 +846,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } private static void buildAuthDataFormMOASession(AuthenticationData authData, AuthenticationSession session, - IOAAuthParameters oaParam) throws BuildException, ConfigurationException { + IOAAuthParameters oaParam, IRequest protocolRequest) throws BuildException, ConfigurationException { IdentityLink identityLink = session.getIdentityLink(); @@ -919,7 +960,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { Logger.trace("Authenticated User is OW: " + mandate.getOWbPK()); } else { - buildOAspecificbPK(oaParam, authData, + buildOAspecificbPK(protocolRequest, oaParam, authData, identityLink.getIdentificationValue(), identityLink.getIdentificationType()); @@ -951,7 +992,13 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { //resign IDL IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance(); Element resignedilAssertion; - resignedilAssertion = identitylinkresigner.resignIdentityLink(businessServiceIdl.getSamlAssertion()); + + AuthConfigurationProvider config = AuthConfigurationProvider.getInstance(); + if (config.isIdentityLinkResigning()) { + resignedilAssertion = identitylinkresigner.resignIdentityLink(businessServiceIdl.getSamlAssertion(), config.getIdentityLinkResigningKey()); + } else { + resignedilAssertion = businessServiceIdl.getSamlAssertion(); + } IdentityLinkAssertionParser resignedIDLParser = new IdentityLinkAssertionParser(resignedilAssertion); IdentityLink resignedIDL = resignedIDLParser.parseIdentityLink(); @@ -963,7 +1010,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } - private static void buildOAspecificbPK(IOAAuthParameters oaParam, AuthenticationData authData, String baseID, String baseIDType) throws BuildException { + private static void buildOAspecificbPK(IRequest protocolRequest, IOAAuthParameters oaParam, AuthenticationData authData, String baseID, String baseIDType) throws BuildException { if (oaParam.getBusinessService()) { //since we have foreigner, wbPK is not calculated in BKU @@ -984,9 +1031,15 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { if (baseIDType.equals(Constants.URN_PREFIX_BASEID)) { // only compute bPK if online application is a public service and we have the Stammzahl - String bpkBase64 = new BPKBuilder().buildBPK(baseID, oaParam.getTarget()); + String target = null; + if (protocolRequest instanceof SAML1RequestImpl) + target = protocolRequest.getTarget(); + else + target = oaParam.getTarget(); + + String bpkBase64 = new BPKBuilder().buildBPK(baseID, target); authData.setBPK(bpkBase64); - authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); + authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + target); } Logger.trace("Authenticate user with bPK " + authData.getBPK()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java index e2802c1d2..a5783bfb7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java @@ -106,7 +106,7 @@ public class IdentityLinkAssertionParser { + PDATA + "Person"; /** Xpath expression to the PersonData GivenName element */ - private static final String PERSON_GIVEN_NAME_XPATH = + public static final String PERSON_GIVEN_NAME_XPATH = PERSON_XPATH + "/" + PDATA @@ -114,7 +114,7 @@ public class IdentityLinkAssertionParser { + PDATA + "GivenName"; /** Xpath expression to the PersonData FamilyName element */ - private static final String PERSON_FAMILY_NAME_XPATH = + public static final String PERSON_FAMILY_NAME_XPATH = PERSON_XPATH + "/" + PDATA @@ -122,7 +122,7 @@ public class IdentityLinkAssertionParser { + PDATA + "FamilyName"; /** Xpath expression to the PersonData DateOfBirth element */ - private static final String PERSON_DATE_OF_BIRTH_XPATH = + public static final String PERSON_DATE_OF_BIRTH_XPATH = PERSON_XPATH + "/" + PDATA diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index 1bc3702e4..a123569d5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -132,12 +132,13 @@ public class StartAuthentificationParameterParser implements MOAIDAuthConstants{ String targetFriendlyNameConfig = oaParam.getTargetFriendlyName(); if (StringUtils.isEmpty(targetConfig) -// || (module.equals(SAML1Protocol.PATH) && -// !StringUtils.isEmpty(target)) + || (module.equals(SAML1Protocol.PATH) && + !StringUtils.isEmpty(target)) ) { - // no target attribut is given in OA config - // target is used from request - // check parameter + //INFO: ONLY SAML1 legacy mode + // if SAML1 is used and target attribute is given in request + // use requested target + // check target parameter if (!ParamValidatorUtils.isValidTarget(target)) { Logger.error("Selected target is invalid. Using target: " + target); throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java index bc8a01e41..ad4776a45 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GenerateIFrameTemplateServlet.java @@ -42,6 +42,11 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; + +import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.moduls.RequestStorage; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol; + import at.gv.egovernment.moa.id.process.ExecutionContextImpl; import at.gv.egovernment.moa.id.process.ProcessInstance; import at.gv.egovernment.moa.id.process.api.ExecutionContext; @@ -101,11 +106,15 @@ public class GenerateIFrameTemplateServlet extends AuthServlet { else { - //load Parameters from config - String target = oaParam.getTarget(); - - - + //get Target from config or from request in case of SAML 1 + String target = null; + IRequest pendingReq = RequestStorage.getPendingRequest(pendingRequestID); + if (MiscUtil.isNotEmpty(pendingReq.getTarget()) && + pendingReq.requestedModule().equals(SAML1Protocol.PATH)) + target = pendingReq.getTarget(); + else + target = oaParam.getTarget(); + String bkuURL = oaParam.getBKUURL(bkuid); if (MiscUtil.isEmpty(bkuURL)) { Logger.info("No OA specific BKU defined. Use BKU from default configuration"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java index e45418b4b..7357818c8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java @@ -48,6 +48,8 @@ import org.apache.velocity.Template; import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.opensaml.saml2.core.StatusCode;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
import at.gv.egovernment.moa.id.auth.AuthenticationServer;
import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
@@ -55,18 +57,23 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.IdentityLink;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
import at.gv.egovernment.moa.id.auth.stork.STORKException;
import at.gv.egovernment.moa.id.auth.stork.STORKResponseProcessor;
import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.moduls.ModulUtils;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
import at.gv.egovernment.moa.id.util.HTTPUtils;
+import at.gv.egovernment.moa.id.util.IdentityLinkReSigner;
import at.gv.egovernment.moa.id.util.VelocityProvider;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.DOMUtils;
import at.gv.egovernment.moa.util.StringUtils;
+import at.gv.egovernment.moa.util.XPathUtils;
import at.gv.util.xsd.xmldsig.SignatureType;
import at.gv.util.xsd.xmldsig.X509DataType;
import eu.stork.oasisdss.api.ApiUtils;
@@ -111,15 +118,26 @@ public class PEPSConnectorServlet extends AuthServlet { public PEPSConnectorServlet()
{
super();
- Properties props = new Properties();
+
try {
- props.load(DatabaseConnectorMySQLImpl.class.getResourceAsStream("docservice.properties"));
- dtlUrl = props.getProperty("docservice.url");
- } catch (IOException e) {
+ AuthConfigurationProvider authConfigurationProvider = AuthConfigurationProvider.getInstance();
+ dtlUrl = authConfigurationProvider.getDocumentServiceUrl();
+ Logger.info ("PEPSConnectorServlet, using dtlUrl:"+dtlUrl);
+ } catch (Exception e) {
dtlUrl = "http://testvidp.buergerkarte.at/DocumentService/DocumentService";
- Logger.error("Loading DTL config failed, using default value:"+dtlUrl);
e.printStackTrace();
- }
+ Logger.error("Loading documentservice url failed, using default value:"+dtlUrl);
+ }
+
+// Properties props = new Properties();
+// try {
+// props.load(DatabaseConnectorMySQLImpl.class.getResourceAsStream("docservice.properties"));
+// dtlUrl = props.getProperty("docservice.url");
+// } catch (IOException e) {
+// dtlUrl = "http://testvidp.buergerkarte.at/DocumentService/DocumentService";
+// Logger.error("Loading DTL config failed, using default value:"+dtlUrl);
+// e.printStackTrace();
+// }
}
/**
* @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
@@ -247,7 +265,56 @@ public class PEPSConnectorServlet extends AuthServlet { Logger.error("Could not find any preceeding STORK AuthnRequest to this MOA session: " + moaSessionID);
throw new MOAIDException("stork.07", null);
}
-
+
+ OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moaSession.getPublicOAURLPrefix());
+ if (oaParam == null)
+ throw new AuthenticationException("auth.00", new Object[] { moaSession.getPublicOAURLPrefix() });
+ //================== Check QAA level start ====================
+ int reqQaa = -1;
+ int authQaa = -1;
+ String authQaaStr = null;
+ try {
+ reqQaa = storkAuthnRequest.getQaa();
+
+ //TODO: found better solution, but QAA Level in response could be not supported yet
+ try {
+
+ authQaaStr = authnResponse.getAssertions().get(0).
+ getAuthnStatements().get(0).getAuthnContext().
+ getAuthnContextClassRef().getAuthnContextClassRef();
+ moaSession.setQAALevel(authQaaStr);
+
+ } catch (Throwable e) {
+ Logger.warn("STORK QAA-Level is not found in AuthnResponse. Set QAA Level to requested level");
+ moaSession.setQAALevel(PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel());
+ authQaaStr = PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel();
+ }
+ if(authQaaStr != null)//Check value only if set
+ {
+ authQaa = Integer.valueOf(authQaaStr.substring(PVPConstants.STORK_QAA_PREFIX.length()));
+// authQaa = Integer.valueOf(authQaaStr);
+ if (reqQaa > authQaa) {
+ Logger.warn("Requested QAA level does not match to authenticated QAA level");
+ throw new MOAIDException("stork.21", new Object[]{reqQaa, authQaa});
+
+ }
+ }
+ } catch (MOAIDException e) {
+ throw e;
+
+ } catch (Exception e) {
+ if (Logger.isDebugEnabled())
+ Logger.warn("STORK QAA Level evaluation error", e);
+
+ else
+ Logger.warn("STORK QAA Level evaluation error (ErrorMessage="
+ + e.getMessage() + ")");
+
+ throw new MOAIDException("stork.21", new Object[]{reqQaa, authQaa});
+
+ }
+ //================== Check QAA level end ====================
+
Logger.debug("Found a preceeding STORK AuthnRequest to this MOA session: " + moaSessionID);
////////////// incorporate gender from parameters if not in stork response
@@ -288,28 +355,41 @@ public class PEPSConnectorServlet extends AuthServlet { SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new java.io.StringReader(signatureInfo)));
// fetch signed doc
- DataSource ds = LightweightSourceResolver.getDataSource(dssSignResponse);
+ DataSource ds = null;
+ try{
+ ds = LightweightSourceResolver.getDataSource(dssSignResponse);
+ }catch(Exception e)
+ {
+ e.printStackTrace();
+ }
if(ds == null){
- throw new ApiUtilsException("No datasource found in response");
- }
-
- InputStream incoming = ds.getInputStream();
- citizenSignature = IOUtils.toString(incoming);
- incoming.close();
-
- Logger.debug("citizenSignature:"+citizenSignature);
- if(isDocumentServiceUsed(citizenSignature)==true)
+ //Normal DocumentServices return a http-page, but the SI DocumentService returns HTTP error 500
+ //which results in an exception and ds==null
+
+ //try to load document from documentservice
+ citizenSignature = loadDocumentFromDocumentService(dssSignResponse);
+ //throw new ApiUtilsException("No datasource found in response");
+ }
+ else
{
- Logger.debug("Loading document from DocumentService.");
- String url = getDtlUrlFromResponse(dssSignResponse);
- //get Transferrequest
- String transferRequest = getDocTransferRequest(dssSignResponse.getDocUI(), url);
- //Load document from DocujmentService
- byte[] data = getDocumentFromDtl(transferRequest, url);
- citizenSignature = new String(data, "UTF-8");
- Logger.debug("Overridung citizenSignature with:"+citizenSignature);
+ InputStream incoming = ds.getInputStream();
+ citizenSignature = IOUtils.toString(incoming);
+ incoming.close();
+
+ Logger.debug("citizenSignature:"+citizenSignature);
+ if(isDocumentServiceUsed(citizenSignature)==true)
+ {
+ citizenSignature = loadDocumentFromDocumentService(dssSignResponse);
+ // Logger.debug("Loading document from DocumentService.");
+ // String url = getDtlUrlFromResponse(dssSignResponse);
+ // //get Transferrequest
+ // String transferRequest = getDocTransferRequest(dssSignResponse.getDocUI(), url);
+ // //Load document from DocumentService
+ // byte[] data = getDocumentFromDtl(transferRequest, url);
+ // citizenSignature = new String(data, "UTF-8");
+ // Logger.debug("Overridung citizenSignature with:"+citizenSignature);
+ }
}
-
JAXBContext ctx = JAXBContext.newInstance(SignatureType.class.getPackage().getName());
SignatureType root = ((JAXBElement<SignatureType>) ctx.createUnmarshaller().unmarshal(IOUtils.toInputStream(citizenSignature))).getValue();
@@ -346,9 +426,9 @@ public class PEPSConnectorServlet extends AuthServlet { // Logger.error("could not retrieve moa session");
// throw new AuthenticationException("auth.01", null);
// }
- OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moaSession.getPublicOAURLPrefix());
- if (oaParam == null)
- throw new AuthenticationException("auth.00", new Object[] { moaSession.getPublicOAURLPrefix() });
+// OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moaSession.getPublicOAURLPrefix());
+// if (oaParam == null)
+// throw new AuthenticationException("auth.00", new Object[] { moaSession.getPublicOAURLPrefix() });
// retrieve target
//TODO: check in case of SSO!!!
@@ -363,14 +443,61 @@ public class PEPSConnectorServlet extends AuthServlet { targetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget();
}
- Logger.debug("Starting connecting SZR Gateway");
- //contact SZR Gateway
IdentityLink identityLink = null;
try {
- identityLink = STORKResponseProcessor.connectToSZRGateway(authnResponse.getPersonalAttributeList(),
+ AuthConfigurationProvider config = AuthConfigurationProvider.getInstance();
+ if(config.isStorkFakeIdLActive() && config.getStorkFakeIdLCountries().contains(storkAuthnRequest.getCitizenCountryCode())) {
+ // create fake IdL
+ // - fetch IdL template from resources
+ InputStream s = PEPSConnectorServlet.class.getResourceAsStream("/resources/xmldata/fakeIdL_IdL_template.xml");
+ Element idlTemplate = DOMUtils.parseXmlValidating(s);
+
+ identityLink = new IdentityLinkAssertionParser(idlTemplate).parseIdentityLink();
+
+ // replace data
+ Element idlassertion = identityLink.getSamlAssertion();
+ // - set bpk/wpbk;
+ Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
+ if(!STORKResponseProcessor.hasAttribute("eIdentifier", attributeList))
+ throw new STORKException("eIdentifier is missing");
+ String eIdentifier = STORKResponseProcessor.getAttributeValue("eIdentifier", attributeList, false);
+ prIdentification.getFirstChild().setNodeValue(eIdentifier);
+
+ // - set last name
+ Node prFamilyName = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_FAMILY_NAME_XPATH);
+ if(!STORKResponseProcessor.hasAttribute("surname", attributeList))
+ throw new STORKException("surname is missing");
+ String familyName = STORKResponseProcessor.getAttributeValue("surname", attributeList, false);
+ prFamilyName.getFirstChild().setNodeValue(familyName);
+
+ // - set first name
+ Node prGivenName = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_GIVEN_NAME_XPATH);
+ if(!STORKResponseProcessor.hasAttribute("givenName", attributeList))
+ throw new STORKException("givenName is missing");
+ String givenName = STORKResponseProcessor.getAttributeValue("givenName", attributeList, false);
+ prGivenName.getFirstChild().setNodeValue(givenName);
+
+ // - set date of birth
+ Node prDateOfBirth = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_DATE_OF_BIRTH_XPATH);
+ if(!STORKResponseProcessor.hasAttribute("dateOfBirth", attributeList))
+ throw new STORKException("dateOfBirth is missing");
+ String dateOfBirth = STORKResponseProcessor.getAttributeValue("dateOfBirth", attributeList, false);
+ prDateOfBirth.getFirstChild().setNodeValue(dateOfBirth);
+
+ identityLink = new IdentityLinkAssertionParser(idlassertion).parseIdentityLink();
+
+ //resign IDL
+ IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance();
+ Element resignedilAssertion = identitylinkresigner.resignIdentityLink(identityLink.getSamlAssertion(), config.getStorkFakeIdLResigningKey());
+ identityLink = new IdentityLinkAssertionParser(resignedilAssertion).parseIdentityLink();
+ } else {
+ //contact SZR Gateway
+ Logger.debug("Starting connecting SZR Gateway");
+ identityLink = STORKResponseProcessor.connectToSZRGateway(authnResponse.getPersonalAttributeList(),
oaParam.getFriendlyName(),
targetType, null,
oaParam.getMandateProfiles(), citizenSignature);
+ }
} catch (STORKException e) {
// this is really nasty but we work against the system here. We are supposed to get the gender attribute from
// stork. If we do not, we cannot register the person in the ERnP - we have to have the
@@ -427,18 +554,18 @@ public class PEPSConnectorServlet extends AuthServlet { // stork did the authentication step
moaSession.setAuthenticated(true);
- //TODO: found better solution, but QAA Level in response could be not supported yet
- try {
-
- moaSession.setQAALevel(authnResponse.getAssertions().get(0).
- getAuthnStatements().get(0).getAuthnContext().
- getAuthnContextClassRef().getAuthnContextClassRef());
-
- } catch (Throwable e) {
- Logger.warn("STORK QAA-Level is not found in AuthnResponse. Set QAA Level to requested level");
- moaSession.setQAALevel(PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel());
-
- }
+// //TODO: found better solution, but QAA Level in response could be not supported yet
+// try {
+//
+// moaSession.setQAALevel(authnResponse.getAssertions().get(0).
+// getAuthnStatements().get(0).getAuthnContext().
+// getAuthnContextClassRef().getAuthnContextClassRef());
+//
+// } catch (Throwable e) {
+// Logger.warn("STORK QAA-Level is not found in AuthnResponse. Set QAA Level to requested level");
+// moaSession.setQAALevel(PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel());
+//
+// }
//session is implicit stored in changeSessionID!!!!
String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(moaSession);
@@ -476,11 +603,28 @@ public class PEPSConnectorServlet extends AuthServlet { }
+ private String loadDocumentFromDocumentService(SignResponse dssSignResponse) throws Exception
+ {
+ Logger.debug("Loading document from DocumentService.");
+ String url = getDtlUrlFromResponse(dssSignResponse);
+ Logger.debug("Loading document from DocumentService, url:"+url);
+ //get Transferrequest
+ String transferRequest = getDocTransferRequest(dssSignResponse.getDocUI(), url);
+ //Load document from DocumentService
+ byte[] data = getDocumentFromDtl(transferRequest, url);
+ String citizenSignature = new String(data, "UTF-8");
+ Logger.debug("Overridung citizenSignature with:"+citizenSignature);
+ return citizenSignature;
+ }
private boolean isDocumentServiceUsed(String citizenSignature) //TODo add better check
{
if(citizenSignature.contains("<table border=\"0\"><tr><td>Service Name:</td><td>{http://stork.eu}DocumentService</td></tr><tr><td>Port Name:</td><td>{http://stork.eu}DocumentServicePort</td></tr></table>"))
+ {
+ Logger.trace("isDocumentServiceUsed => true");
return true;
+ }
+ Logger.trace("isDocumentServiceUsed => false");
return false;
}
@@ -517,6 +661,7 @@ public class PEPSConnectorServlet extends AuthServlet { URL url = null;
try
{
+ Logger.debug("getDocumentFromDtl, dtlUrl:'"+dtlUrl+"' eDtlUrl:'"+eDtlUrl+"'");
url = new URL(dtlUrl);
QName qname = new QName("http://stork.eu",
"DocumentService");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java index 7113dcf70..ea1526ff0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java @@ -102,7 +102,7 @@ public class STORKResponseProcessor { private static String getAttributeValue(String attributeName, IPersonalAttributeList attributeList) throws STORKException {
return getAttributeValue(attributeName, attributeList, true);
}
- private static String getAttributeValue(String attributeName, IPersonalAttributeList attributeList, boolean throwException) throws STORKException {
+ public static String getAttributeValue(String attributeName, IPersonalAttributeList attributeList, boolean throwException) throws STORKException {
try {
String result = attributeList.get(attributeName).getValue().get(0);
Logger.trace(attributeName + " : " + result);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/SZRGWClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/SZRGWClient.java index e1cd59c26..61b26b59a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/SZRGWClient.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/client/szrgw/SZRGWClient.java @@ -65,6 +65,7 @@ import org.w3c.dom.NodeList; import org.w3c.dom.Text;
import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils;
+import at.gv.egovernment.moa.id.commons.utils.HttpClientWithProxySupport;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DOMUtils;
@@ -137,7 +138,7 @@ public class SZRGWClient { if (address == null) {
throw new NullPointerException("Address (SZR-gateway ServiceURL) must not be null.");
}
- HttpClient client = new HttpClient();
+ HttpClient client = HttpClientWithProxySupport.getHttpClient();
PostMethod method = new PostMethod(address);
method.setRequestHeader("SOAPAction", "");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 0dfd2236f..c746c0888 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -53,6 +53,7 @@ import java.io.IOException; import java.math.BigInteger; import java.net.MalformedURLException; import java.util.ArrayList; +import java.util.Arrays; import java.util.Date; import java.util.HashMap; import java.util.List; @@ -1008,6 +1009,39 @@ public class AuthConfigurationProvider extends ConfigurationProvider { return null; } + /** + * Checks if is fakeIdL is activated. + * + * @return true, if fake IdLs are available for stork + */ + public boolean isStorkFakeIdLActive() { + String prop = props.getProperty("stork.fakeIdL.active", "false"); + return Boolean.valueOf(prop); + } + + /** + * Gets the countries which will receive a fake IdL + * + * @return the countries + */ + public List<String> getStorkFakeIdLCountries() { + String prop = props.getProperty("stork.fakeIdL.countries", ""); + return Arrays.asList(prop.replaceAll(" ", "").split(",")); + } + + /** + * Gets the resigning key (group) for the stork fake IdL. + * + * @return the resigning key + */ + public String getStorkFakeIdLResigningKey() { + String prop = props.getProperty("stork.fakeIdL.keygroup"); + if (MiscUtil.isNotEmpty(prop)) + return prop; + else + return null; + } + public boolean isMonitoringActive() { String prop = props.getProperty("configuration.monitoring.active", "false"); return Boolean.valueOf(prop); @@ -1048,8 +1082,21 @@ public class AuthConfigurationProvider extends ConfigurationProvider { return !Boolean.valueOf(prop); } + + //Load document service url from moa properties + public String getDocumentServiceUrl() { + String prop = props.getProperty("stork.documentservice.url", "false"); + return prop; + } + + + public boolean isPVPSchemaValidationActive() { + String prop = props.getProperty("protocols.pvp2.schemavalidation", "true"); + return Boolean.valueOf(prop); + } + /** - * Retruns the STORK Configuration + * Returns the STORK Configuration * @return STORK Configuration * @throws ConfigurationException */ diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java index 65c413ef9..05b008515 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java @@ -133,7 +133,9 @@ public class AuthenticationData implements IAuthData, Serializable { private String authBlock = null; private List<String> encbPKList = null; + //ISA 1.18 attributes private List<AuthenticationRole> roles = null; + private String pvpAttribute_OU = null; private boolean useMandate = false; private MISMandate mandate = null; @@ -707,6 +709,7 @@ public class AuthenticationData implements IAuthData, Serializable { return roles; } + //ISA 1.18 attributes /** * @param roles the roles to set */ @@ -716,26 +719,31 @@ public class AuthenticationData implements IAuthData, Serializable { this.roles.add(role); } + + /** + * @return the pvpAttribute_OU + */ + public String getPvpAttribute_OU() { + return pvpAttribute_OU; + } + + /** + * @param pvpAttribute_OU the pvpAttribute_OU to set + */ + public void setPvpAttribute_OU(String pvpAttribute_OU) { + this.pvpAttribute_OU = pvpAttribute_OU; + } /* (non-Javadoc) * @see at.gv.egovernment.moa.id.data.IAuthData#isBusinessService() */ @Override public boolean isBusinessService() { - // TODO Auto-generated method stub return this.businessService; } public void setIsBusinessService(boolean flag) { this.businessService = flag; - } - - - - - - - - + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationRoleFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationRoleFactory.java index 8915b2442..b3b29f6c5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationRoleFactory.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationRoleFactory.java @@ -26,6 +26,7 @@ import java.util.Arrays; import java.util.List; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; /** * @author tlenz @@ -51,23 +52,29 @@ public class AuthenticationRoleFactory { List<String> param = Arrays.asList(params.split(",")); String test = new String(); for (String el : param) { - test = test.concat(el); - if (!test.endsWith("\\") || - (test.endsWith("\\\\") && !test.endsWith("\\\\\\")) ) { - String[] keyValue = test.split("="); - if (keyValue.length < 2) { - role.addParameter(keyValue[0].trim(), ""); - Logger.debug("Add authentication roleparameter with key=" + keyValue[0].trim()); + if (MiscUtil.isNotEmpty(el)) { + test = test.concat(el); + if (!test.endsWith("\\") || + (test.endsWith("\\\\") && !test.endsWith("\\\\\\")) ) { + String[] keyValue = test.split("="); + if (keyValue.length < 2) { + role.addParameter(keyValue[0].trim(), ""); + Logger.debug("Add authentication roleparameter with key=" + keyValue[0].trim()); - } else { - role.addParameter(keyValue[0].trim(), keyValue[1].trim()); - Logger.debug("Add authentication roleparameter with key=" + keyValue[0].trim() - + " value=" + keyValue[1].trim()); + } else { + role.addParameter(keyValue[0].trim(), keyValue[1].trim()); + Logger.debug("Add authentication roleparameter with key=" + keyValue[0].trim() + + " value=" + keyValue[1].trim()); - } + } - test = new String(); - } + test = new String(); + + } else { + test = test.substring(0, test.length()-1).concat(","); + + } + } } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java index ebbf62ce7..ccc90a031 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java @@ -69,7 +69,9 @@ public interface IAuthData { IdentityLink getIdentityLink(); byte[] getSignerCertificate(); String getAuthBlock(); - + + //ISA 1.18 attributes + String getPvpAttribute_OU(); List<AuthenticationRole> getAuthenticationRoles(); boolean isPublicAuthority(); @@ -90,5 +92,6 @@ public interface IAuthData { String getCcc(); STORKAuthnRequest getStorkAuthnRequest(); String getStorkAuthnResponse(); - IPersonalAttributeList getStorkAttributes(); + IPersonalAttributeList getStorkAttributes(); + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index b239fbb1d..49f3df25c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -77,6 +77,8 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.SLOInformationContainer; import at.gv.egovernment.moa.id.data.SLOInformationImpl; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; + import at.gv.egovernment.moa.id.process.ExecutionContextImpl; import at.gv.egovernment.moa.id.process.ProcessEngine; import at.gv.egovernment.moa.id.process.ProcessExecutionException; @@ -91,9 +93,11 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest; import at.gv.egovernment.moa.id.storage.AssertionStorage; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; +import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; @@ -384,6 +388,7 @@ public class AuthenticationManager implements MOAIDAuthConstants { //get IDP metadata try { OAAuthParameter idp = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(target.getRequestedIDP()); + OAAuthParameter sp = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(target.getOAURL()); if (!idp.isInderfederationIDP() || !idp.isInboundSSOInterfederationAllowed()) { Logger.info("Requested interfederation IDP " + target.getRequestedIDP() + " is not valid for interfederation."); @@ -392,7 +397,7 @@ public class AuthenticationManager implements MOAIDAuthConstants { return; } - + EntityDescriptor idpEntity = MOAMetadataProvider.getInstance(). getEntityDescriptor(target.getRequestedIDP()); @@ -412,7 +417,7 @@ public class AuthenticationManager implements MOAIDAuthConstants { redirectEndpoint == null ) redirectEndpoint = sss; } - + if (redirectEndpoint != null) { AuthnRequest authReq = SAML2Utils @@ -425,16 +430,10 @@ public class AuthenticationManager implements MOAIDAuthConstants { authReq.setAssertionConsumerServiceIndex(0); authReq.setIssueInstant(new DateTime()); - Subject subject = SAML2Utils.createSAMLObject(Subject.class); - NameID name = SAML2Utils.createSAMLObject(NameID.class); - Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); - + Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); String serviceURL = PVPConfiguration.getInstance().getIDPPublicPath(); - name.setValue(serviceURL); issuer.setValue(serviceURL); - subject.setNameID(name); - authReq.setSubject(subject); issuer.setFormat(NameIDType.ENTITY); authReq.setIssuer(issuer); NameIDPolicy policy = SAML2Utils @@ -449,13 +448,55 @@ public class AuthenticationManager implements MOAIDAuthConstants { SAML2Utils.createSAMLObject(RequestedAuthnContext.class); AuthnContextClassRef authnClassRef = - SAML2Utils.createSAMLObject(AuthnContextClassRef.class); - authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4"); + SAML2Utils.createSAMLObject(AuthnContextClassRef.class); + + if (sp != null && sp.isSTORKPVPGateway()){ + //use PVP SecClass instead of STORK QAA level + String secClass = null; + if (target instanceof MOASTORKRequest) { + + try { + MOASTORKRequest storkReq = (MOASTORKRequest) target; + secClass = PVPtoSTORKMapper.getInstance().mapToSecClass( + PVPConstants.STORK_QAA_PREFIX + storkReq.getStorkAuthnRequest().getQaa()); + + } catch (Exception e) { + Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4", e); + + } + } + + if (MiscUtil.isNotEmpty(secClass)) + authnClassRef.setAuthnContextClassRef(secClass); + else + authnClassRef.setAuthnContextClassRef("http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3"); + + } else { + if (target instanceof MOASTORKRequest) { + //use requested QAA level from STORK request + try { + MOASTORKRequest storkReq = (MOASTORKRequest) target; + authnClassRef.setAuthnContextClassRef( + PVPConstants.STORK_QAA_PREFIX + storkReq.getStorkAuthnRequest().getQaa()); + Logger.debug("Use STORK-QAA level " + authnClassRef.getAuthnContextClassRef() + + " from STORK request"); + + } catch (Exception e) { + Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4", e); + + } + + } + + if (MiscUtil.isEmpty(authnClassRef.getAuthnContextClassRef())) + authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4"); + + } + reqAuthContext.setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM); reqAuthContext.getAuthnContextClassRefs().add(authnClassRef); authReq.setRequestedAuthnContext(reqAuthContext); - - + IEncoder binding = null; if (redirectEndpoint.getBinding().equals( SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java index b22941216..aa154b84b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java @@ -135,8 +135,10 @@ public class SingleLogOutAction implements IAction { if (MiscUtil.isEmpty(ssoID)) { Logger.warn("Can not find active Session. Single LogOut not possible!"); SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); - LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); - SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); + //LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); + LogoutResponse message = SingleLogOutBuilder.buildSLOResponseMessage(sloService, pvpReq, null); + Logger.info("Sending SLO success message to requester ..."); + SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); return null; } else { @@ -147,7 +149,9 @@ public class SingleLogOutAction implements IAction { } catch (MOADatabaseException e) { Logger.warn("Can not find active Session. Single LogOut not possible!"); SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); - LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); + //LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq, StatusCode.RESPONDER_URI); + LogoutResponse message = SingleLogOutBuilder.buildSLOResponseMessage(sloService, pvpReq, null); + Logger.info("Sending SLO success message to requester ..."); SingleLogOutBuilder.sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java index 01139d95c..50f42d928 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java @@ -43,6 +43,7 @@ import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.core.StatusMessage; import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.saml2.metadata.SSODescriptor; import org.opensaml.saml2.metadata.SingleLogoutService; @@ -348,17 +349,29 @@ public class SingleLogOutBuilder { public static SingleLogoutService getResponseSLODescriptor(PVPTargetConfiguration spRequest) throws NoMetadataInformationException, NOSLOServiceDescriptorException { MOARequest moaReq = (MOARequest) spRequest.getRequest(); EntityDescriptor metadata = moaReq.getEntityMetadata(); - SPSSODescriptor spsso = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); + SSODescriptor ssodesc = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); + + if (ssodesc == null) { + Logger.debug("No PVP SPSSO descriptor found --> search IDPSSO descriptor"); + ssodesc = metadata.getIDPSSODescriptor(SAMLConstants.SAML20P_NS); + + } + + if (ssodesc == null) { + Logger.error("Found no SLO ServiceDescriptor in Metadata"); + throw new NOSLOServiceDescriptorException("NO SLO ServiceDescriptor", null); + } + SingleLogoutService sloService = null; - for (SingleLogoutService el : spsso.getSingleLogoutServices()) { + for (SingleLogoutService el : ssodesc.getSingleLogoutServices()) { if (el.getBinding().equals(spRequest.getBinding())) sloService = el; } if (sloService == null) { - if (spsso.getSingleLogoutServices().size() != 0) - sloService = spsso.getSingleLogoutServices().get(0); + if (ssodesc.getSingleLogoutServices().size() != 0) + sloService = ssodesc.getSingleLogoutServices().get(0); else { Logger.error("Found no SLO ServiceDescriptor in Metadata"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepDescAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepDescAttributeBuilder.java index 4c981cb24..1059e324e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepDescAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepDescAttributeBuilder.java @@ -22,10 +22,14 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; +import org.w3c.dom.Element; + +import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; +import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; import at.gv.egovernment.moa.util.MiscUtil; @@ -37,23 +41,37 @@ public class MandateProfRepDescAttributeBuilder implements IPVPAttributeBuilder public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if(authData.isUseMandate()) { - MISMandate mandate = authData.getMISMandate(); - + if(authData.isUseMandate()) { + Element mandate = authData.getMandate(); + if (mandate == null) { + throw new NoMandateDataAttributeException(); + } - if(mandate == null) { + Mandate mandateObject = MandateBuilder.buildMandate(authData.getMandate()); + if (mandateObject == null) { throw new NoMandateDataAttributeException(); } + + String text = null; + if (MiscUtil.isNotEmpty(mandateObject.getAnnotation())) { + text = mandateObject.getAnnotation(); + + } else { + MISMandate misMandate = authData.getMISMandate(); - String text = mandate.getTextualDescriptionOfOID(); + if(misMandate == null) { + throw new NoMandateDataAttributeException(); + } - if(MiscUtil.isEmpty(text)) { - return null; - - } else - return g.buildStringAttribute(MANDATE_PROF_REP_DESC_FRIENDLY_NAME, - MANDATE_PROF_REP_DESC_NAME, text); + text = misMandate.getTextualDescriptionOfOID(); + if(MiscUtil.isEmpty(text)) { + return null; + + } else + return g.buildStringAttribute(MANDATE_PROF_REP_DESC_FRIENDLY_NAME, + MANDATE_PROF_REP_DESC_NAME, text); + } } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SchemaValidationException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SchemaValidationException.java new file mode 100644 index 000000000..fc4ed1f28 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SchemaValidationException.java @@ -0,0 +1,52 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; + +/** + * @author tlenz + * + */ +public class SchemaValidationException extends PVP2Exception { + + /** + * + */ + private static final long serialVersionUID = 1L; + + /** + * @param messageId + * @param parameters + */ + public SchemaValidationException(String messageId, Object[] parameters) { + super(messageId, parameters); + } + + /** + * @param messageId + * @param parameters + */ + public SchemaValidationException(String messageId, Object[] parameters, Throwable e) { + super(messageId, parameters, e); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index cba64e080..12afa14bc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -57,6 +57,7 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataFilterChain; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -324,6 +325,7 @@ public class MOAMetadataProvider implements MetadataProvider { private MetadataFilterChain buildMetadataFilterChain(OnlineApplication oa, String metadataURL, byte[] certificate) throws CertificateException { MetadataFilterChain filterChain = new MetadataFilterChain(metadataURL, certificate); + filterChain.getFilters().add(new SchemaValidationFilter()); if (oa.isIsInterfederationIDP() != null && oa.isIsInterfederationIDP()) { Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies"); @@ -374,6 +376,8 @@ public class MOAMetadataProvider implements MetadataProvider { httpProvider.setMetadataFilter(filter); httpProvider.initialize(); + httpProvider.setRequireValidMetadata(true); + return httpProvider; } catch (Throwable e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java index f0373e214..26b3bfbd1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -54,8 +54,7 @@ public class AssertionAttributeExtractor { private final List<String> minimalAttributeNameList = Arrays.asList( PVPConstants.PRINCIPAL_NAME_NAME, - PVPConstants.GIVEN_NAME_NAME, - PVPConstants.BIRTHDATE_NAME); + PVPConstants.GIVEN_NAME_NAME); public AssertionAttributeExtractor(StatusResponseType samlResponse) throws AssertionAttributeExtractorExeption { @@ -119,16 +118,21 @@ public class AssertionAttributeExtractor { //first check if a bPK or an encrypted bPK is available if (attributs.containsKey(PVPConstants.ENC_BPK_LIST_NAME) || - (attributs.containsKey(PVPConstants.BPK_NAME) && attributs.containsKey(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME))) { + (attributs.containsKey(PVPConstants.BPK_NAME))) { boolean flag = true; for (String attr : attributeNameList) { - if (!attributs.containsKey(attr)) + if (!attributs.containsKey(attr)) { flag = false; + Logger.debug("Assertion contains no Attribute " + attr); + + } + } return flag; - } + } + Logger.debug("Assertion contains no bPK or encryptedbPK."); return false; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java index 4ba93f8fe..257f9dac4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java @@ -25,14 +25,20 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.verification; import java.util.ArrayList; import java.util.List; +import javax.xml.transform.dom.DOMSource; +import javax.xml.validation.Schema; +import javax.xml.validation.Validator; + import org.joda.time.DateTime; import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.common.xml.SAMLSchemaBuilder; import org.opensaml.saml2.core.Conditions; import org.opensaml.saml2.core.EncryptedAssertion; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.core.StatusResponseType; +import org.opensaml.saml2.core.validator.AuthnRequestSchemaValidator; import org.opensaml.saml2.encryption.Decrypter; import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver; import org.opensaml.saml2.metadata.IDPSSODescriptor; @@ -51,11 +57,14 @@ import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver; import org.opensaml.xml.security.x509.X509Credential; import org.opensaml.xml.signature.SignatureTrustEngine; import org.opensaml.xml.validation.ValidationException; +import org.w3c.dom.Element; +import org.xml.sax.SAXException; import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; @@ -81,9 +90,15 @@ public class SAMLVerificationEngine { SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator(); try { profileValidator.validate(samlObj.getSignature()); + performSchemaValidation(samlObj.getDOM()); + } catch (ValidationException e) { - // Indicates signature did not conform to SAML Signature profile - e.printStackTrace(); + Logger.warn("Signature is not conform to SAML signature profile", e); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); + + } catch (SchemaValidationException e) { + throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}); + } CriteriaSet criteriaSet = new CriteriaSet(); @@ -103,12 +118,17 @@ public class SAMLVerificationEngine { public void verifyRequest(RequestAbstractType samlObj, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception { SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator(); - try { - profileValidator.validate(samlObj.getSignature()); + profileValidator.validate(samlObj.getSignature()); + performSchemaValidation(samlObj.getDOM()); + } catch (ValidationException e) { - // Indicates signature did not conform to SAML Signature profile - e.printStackTrace(); + Logger.warn("Signature is not conform to SAML signature profile", e); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); + + } catch (SchemaValidationException e) { + throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}); + } CriteriaSet criteriaSet = new CriteriaSet(); @@ -173,16 +193,27 @@ public class SAMLVerificationEngine { List<org.opensaml.saml2.core.Assertion> validatedassertions = new ArrayList<org.opensaml.saml2.core.Assertion>(); for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) { - Conditions conditions = saml2assertion.getConditions(); - DateTime notbefore = conditions.getNotBefore(); + try { + performSchemaValidation(saml2assertion.getDOM()); + + Conditions conditions = saml2assertion.getConditions(); + DateTime notbefore = conditions.getNotBefore().minusMinutes(5); DateTime notafter = conditions.getNotOnOrAfter(); if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) { - Logger.warn("PVP2 Assertion is out of Date"); + Logger.warn("PVP2 Assertion is out of Date. " + + "{ Current : " + new DateTime() + + " NotBefore: " + notbefore + + " NotAfter : " + notafter + + " }");; - } else { - validatedassertions.add(saml2assertion); + } else { + validatedassertions.add(saml2assertion); + + } + + } catch (SchemaValidationException e) { - } + } } if (validatedassertions.isEmpty()) { @@ -213,4 +244,35 @@ public class SAMLVerificationEngine { throw new AssertionValidationExeption("pvp.12", null, e); } } + + private static void performSchemaValidation(Element source) throws SchemaValidationException { + + String err = null; + try { + Schema test = SAMLSchemaBuilder.getSAML11Schema(); + Validator val = test.newValidator(); + val.validate(new DOMSource(source)); + Logger.debug("Schema validation check done OK"); + return; + + } catch (SAXException e) { + err = e.getMessage(); + if (Logger.isDebugEnabled() || Logger.isTraceEnabled()) + Logger.warn("Schema validation FAILED with exception:", e); + else + Logger.warn("Schema validation FAILED with message: "+ e.getMessage()); + + } catch (Exception e) { + err = e.getMessage(); + if (Logger.isDebugEnabled() || Logger.isTraceEnabled()) + Logger.warn("Schema validation FAILED with exception:", e); + else + Logger.warn("Schema validation FAILED with message: "+ e.getMessage()); + + } + + throw new SchemaValidationException("pvp2.22", new Object[]{err}); + + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java index 3d608fd6d..4d9b97a52 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java @@ -26,7 +26,6 @@ import org.opensaml.saml2.metadata.provider.FilterException; import org.opensaml.saml2.metadata.provider.MetadataFilter; import org.opensaml.xml.XMLObject; -import at.gv.egovernment.moa.id.commons.db.dao.config.InterfederationIDPType; import at.gv.egovernment.moa.id.commons.validation.ValidationHelper; import at.gv.egovernment.moa.logging.Logger; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java new file mode 100644 index 000000000..382adb108 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java @@ -0,0 +1,110 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; + +import java.io.IOException; + +import org.opensaml.saml2.metadata.provider.FilterException; +import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.xml.XMLObject; + +import javax.xml.transform.dom.DOMSource; +import javax.xml.validation.Schema; +import javax.xml.validation.Validator; + +import org.opensaml.common.xml.SAMLSchemaBuilder; + +import org.xml.sax.SAXException; + +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class SchemaValidationFilter implements MetadataFilter { + + private boolean isActive = true; + + public SchemaValidationFilter() { + try { + isActive = AuthConfigurationProvider.getInstance().isPVPSchemaValidationActive(); + + } catch (ConfigurationException e) { + e.printStackTrace(); + } + } + + /** + * + */ + public SchemaValidationFilter(boolean useSchemaValidation) { + this.isActive = useSchemaValidation; + } + + + /* (non-Javadoc) + * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject) + */ + @Override + public void doFilter(XMLObject arg0) throws FilterException { + + String errString = null; + + if (isActive) { + try { + Schema test = SAMLSchemaBuilder.getSAML11Schema(); + Validator val = test.newValidator(); + DOMSource source = new DOMSource(arg0.getDOM()); + val.validate(source); + Logger.info("Metadata Schema validation check done OK"); + return; + + } catch (SAXException e) { + if (Logger.isDebugEnabled() || Logger.isTraceEnabled()) + Logger.warn("Metadata Schema validation FAILED with exception:", e); + else + Logger.warn("Metadata Schema validation FAILED with message: "+ e.getMessage()); + + errString = e.getMessage(); + + } catch (Exception e) { + if (Logger.isDebugEnabled() || Logger.isTraceEnabled()) + Logger.warn("Metadata Schema validation FAILED with exception:", e); + else + Logger.warn("Metadata Schema validation FAILED with message: "+ e.getMessage()); + + errString = e.getMessage(); + + } + + throw new FilterException("Metadata Schema validation FAILED with message: "+ errString); + + } else + Logger.info("Metadata Schema validation check is DEACTIVATED!"); + + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java index 67f780b3a..4cdd1db01 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java @@ -83,7 +83,7 @@ public class GetArtifactAction implements IAction { String url = AuthConfigurationProvider.getInstance().getPublicURLPrefix() + "/RedirectServlet"; url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(oaURL, "UTF-8")); if (!oaParam.getBusinessService()) - url = addURLParameter(url, PARAM_TARGET, URLEncoder.encode(oaParam.getTarget(), "UTF-8")); + url = addURLParameter(url, PARAM_TARGET, URLEncoder.encode(req.getTarget(), "UTF-8")); url = addURLParameter(url, PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8")); url = httpResp.encodeRedirectURL(url); @@ -95,7 +95,7 @@ public class GetArtifactAction implements IAction { String redirectURL = oaURL; if (!oaParam.getBusinessService()) { redirectURL = addURLParameter(redirectURL, PARAM_TARGET, - URLEncoder.encode(oaParam.getTarget(), "UTF-8")); + URLEncoder.encode(req.getTarget(), "UTF-8")); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index 65e520cc3..c8a480cac 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -64,6 +64,7 @@ import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.StringUtils; import at.gv.util.xsd.persondata.IdentificationType; import at.gv.util.xsd.persondata.IdentificationType.Value; @@ -222,8 +223,14 @@ public class SAML1AuthenticationServer extends AuthenticationServer { Value value = new Value(); id.setValue(value ); - id.setType(Constants.URN_PREFIX_BASEID); - value.setValue(""); + id.setType(authData.getIdentificationType()); + //add baseID if it is requested and available + if ( MiscUtil.isNotEmpty(authData.getIdentificationValue()) && + saml1parameter.isProvideIdentityLink() ) + value.setValue(authData.getIdentificationValue()); + else + value.setValue(""); + familyName.setValue(authData.getFamilyName()); familyName.setPrimary("undefined"); name.getGivenName().add(authData.getGivenName()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index 8f7f17e2e..9934c339d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java @@ -132,7 +132,7 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { if (!ParamValidatorUtils.isValidOA(oaURL)) throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12"); - + config.setOAURL(oaURL); Logger.info("Dispatch SAML1 Request: OAURL=" + oaURL); @@ -156,8 +156,13 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { new Object[] { null }); } - config.setSourceID(sourceID); - config.setTarget(oaParam.getTarget()); + config.setSourceID(sourceID); + if (MiscUtil.isNotEmpty(target)) + config.setTarget(target); + + else + config.setTarget(oaParam.getTarget()); + return config; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java index e3b9992aa..1e6cf6910 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java @@ -45,7 +45,7 @@ import at.gv.egovernment.moa.id.storage.AssertionStorage; import at.gv.egovernment.moa.logging.Logger; import eu.stork.peps.auth.commons.*; import eu.stork.peps.auth.engine.STORKSAMLEngine; -import eu.stork.peps.complex.attributes.AttributeStatusType; +import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.AttributeStatusType; import eu.stork.peps.exceptions.STORKSAMLEngineException; import org.opensaml.common.impl.SecureRandomIdentifierGenerator; @@ -121,7 +121,7 @@ public class AttributeCollector implements IAction { if (authnResponse.getPersonalAttributeList().size() > 0) { Logger.info("Response from external attribute provider contains " + authnResponse.getPersonalAttributeList().size() + " attributes."); - addOrUpdateAll(container.getResponse().getPersonalAttributeList(), authnResponse.getPersonalAttributeList()); + container.getResponse().setPersonalAttributeList(addOrUpdateAll(container.getResponse().getPersonalAttributeList(), authnResponse.getPersonalAttributeList())); } } @@ -157,7 +157,7 @@ public class AttributeCollector implements IAction { // - insert the embedded attribute(s) into the container if (null != newAttributes) - addOrUpdateAll(container.getResponse().getPersonalAttributeList(), newAttributes); + container.getResponse().setPersonalAttributeList(addOrUpdateAll(container.getResponse().getPersonalAttributeList(), newAttributes)); // see if we need some more attributes SLOInformationImpl sloInfo = (SLOInformationImpl) processRequest(container, httpReq, httpResp, authData, oaParam); @@ -203,7 +203,8 @@ public class AttributeCollector implements IAction { IPersonalAttributeList aquiredAttributes = new PersonalAttributeList(); currentAttribute.setStatus(AttributeStatusType.NOT_AVAILABLE.value()); aquiredAttributes.add((PersonalAttribute) currentAttribute.clone()); - addOrUpdateAll(container.getResponse().getPersonalAttributeList(), aquiredAttributes); + container.getResponse().setPersonalAttributeList( + addOrUpdateAll(container.getResponse().getPersonalAttributeList(), aquiredAttributes)); // - check if we can find a suitable AttributeProvider Plugin Iterator<AttributeProvider> attibuteProvidersInterator = AttributeProviderFactory.getConfiguredPlugins(oaParam.getStorkAPs()); @@ -247,7 +248,7 @@ public class AttributeCollector implements IAction { Logger.error("We have no suitable plugin for obtaining the attribute '" + currentAttribute.getName() + "'"); } else // else, update any existing attributes - addOrUpdateAll(container.getResponse().getPersonalAttributeList(), aquiredAttributes); + container.getResponse().setPersonalAttributeList(addOrUpdateAll(container.getResponse().getPersonalAttributeList(), aquiredAttributes)); } Logger.info("collecting attributes done"); @@ -296,15 +297,21 @@ public class AttributeCollector implements IAction { * * @param target the target * @param source the source + * @return * @throws MOAIDException */ - private void addOrUpdateAll(IPersonalAttributeList target, IPersonalAttributeList source) throws MOAIDException { + private PersonalAttributeList addOrUpdateAll(IPersonalAttributeList target, IPersonalAttributeList source) throws MOAIDException { + + PersonalAttributeList updatedList = new PersonalAttributeList(); + for (PersonalAttribute el : target) + updatedList.add(el); + Logger.debug("Updating " + source.size() + " attributes..."); for (PersonalAttribute current : source) { Logger.debug("treating " + current.getName()); // check if we need to update the current pa - if (target.containsKey(current.getName())) { + if (updatedList.containsKey(current.getName())) { PersonalAttribute existing = target.get(current.getName()); if(!(existing.isEmptyValue() && existing.isEmptyComplexValue())) if(!(existing.getValue().equals(current.getValue()) || existing.getComplexValue().equals(current.getComplexValue()))) { @@ -312,14 +319,16 @@ public class AttributeCollector implements IAction { throw new MOAIDException("stork.16", new Object[] {existing.getName()}); } - target.get(current.getName()).setStatus(current.getStatus()); - target.get(current.getName()).setValue(current.getValue()); - target.get(current.getName()).setComplexValue(current.getComplexValue()); + updatedList.get(current.getName()).setStatus(current.getStatus()); + updatedList.get(current.getName()).setValue(current.getValue()); + updatedList.get(current.getName()).setComplexValue(current.getComplexValue()); } else - target.add(current); + updatedList.add(current); - Logger.debug("...successfully treated " + current.getName()); + Logger.debug("...successfully treated " + current.getName()); } + + return updatedList; } /* (non-Javadoc) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java index de7d5d6dd..2c5728798 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java @@ -41,7 +41,7 @@ import eu.stork.peps.auth.commons.PEPSUtil; import eu.stork.peps.auth.commons.PersonalAttribute; import eu.stork.peps.auth.commons.STORKAuthnResponse; import eu.stork.peps.auth.engine.STORKSAMLEngine; -import eu.stork.peps.complex.attributes.AttributeStatusType; +import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.AttributeStatusType; import eu.stork.peps.exceptions.STORKSAMLEngineException; import org.apache.velocity.Template; import org.apache.velocity.VelocityContext; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/CorporateBodyMandateContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/CorporateBodyMandateContainer.java index 3e16db7d2..acbf1678a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/CorporateBodyMandateContainer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/CorporateBodyMandateContainer.java @@ -90,6 +90,7 @@ public class CorporateBodyMandateContainer extends MandateContainer { } public void setCorpMandatorIdentificationValue(String corpMandatorIdentificationValue) { + Logger.debug("Setting corpMandatorIdentificationValue to AT/" + corpMandatorIdentificationValue); this.corpMandatorIdentificationValue = "AT/" + corpMandatorIdentificationValue; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java index 993514ec7..3ab4ec4a1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java @@ -31,8 +31,7 @@ import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; import eu.stork.peps.auth.commons.PersonalAttribute; import eu.stork.peps.auth.commons.PersonalAttributeList; -import eu.stork.peps.auth.commons.STORKStatusCode; - +import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.AttributeStatusType; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.text.DateFormat; @@ -59,19 +58,23 @@ public class MOAAttributeProvider { static { Map<String, String> tempSimpleMap = new HashMap<String, String>(); tempSimpleMap.put("givenName", "getGivenName"); - tempSimpleMap.put("surname", "getFamilyName"); + tempSimpleMap.put("surname", "getFamilyName"); + tempSimpleMap.put("MSOrganization", "getPvpAttribute_OU"); storkAttributeSimpleMapping = Collections.unmodifiableMap(tempSimpleMap); + Map<String, String> tempFunctionMap = new HashMap<String, String>(); tempFunctionMap.put("eIdentifier", "geteIdentifier"); tempFunctionMap.put("ECApplicationRole","getECApplicationRole"); tempFunctionMap.put("dateOfBirth", "getFormatedDateOfBirth"); + tempFunctionMap.put("MSOrganization", "getMSOrganization"); storkAttributeFunctionMapping = Collections.unmodifiableMap(tempFunctionMap); + } public MOAAttributeProvider(IAuthData authData, MOASTORKRequest moastorkRequest) { this.authData = authData; this.moastorkRequest = moastorkRequest; - Logger.debug("identity " + authData.getIdentificationType() + " " + authData.getIdentificationValue()); + } public void populateAttribute(PersonalAttributeList attributeList, PersonalAttribute requestedAttribute ) { @@ -129,12 +132,11 @@ public class MOAAttributeProvider { } return storkRoles; } - + private String getFormatedDateOfBirth() { if (authData.getDateOfBirth() != null) { DateFormat fmt = new SimpleDateFormat("yyyyMMdd"); return fmt.format(authData.getDateOfBirth()); - } else return null; @@ -143,14 +145,14 @@ public class MOAAttributeProvider { private void populateAttributeWithMethod(Method method, Object object, PersonalAttributeList attributeList, String storkAttribute, Boolean isRequired) { try { - Object attributeValue = method.invoke(object, new Class[]{}); + Object attributeValue = method.invoke(object, new Class[]{}); // (Object[]) PersonalAttribute newAttribute = new PersonalAttribute(); newAttribute.setName(storkAttribute); newAttribute.setIsRequired(isRequired); if (attributeValue != null) { - newAttribute.setStatus(STORKStatusCode.STATUS_AVAILABLE.name()); + newAttribute.setStatus(AttributeStatusType.AVAILABLE.value()); Logger.info("Got attribute value: " + attributeValue); if (attributeValue instanceof String) @@ -163,7 +165,7 @@ public class MOAAttributeProvider { } else { Logger.info("Attribute " + storkAttribute + " is not available."); - newAttribute.setStatus(STORKStatusCode.STATUS_NOT_AVAILABLE.name()); + newAttribute.setStatus(AttributeStatusType.NOT_AVAILABLE.value()); } @@ -175,7 +177,7 @@ public class MOAAttributeProvider { } else { Logger.info("Attribute " + storkAttribute + " is not available."); - newAttribute.setStatus(STORKStatusCode.STATUS_NOT_AVAILABLE.name()); + newAttribute.setStatus(AttributeStatusType.NOT_AVAILABLE.value()); } } catch (InvocationTargetException e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateContainer.java index e6c58b503..9207cc2dc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateContainer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateContainer.java @@ -54,6 +54,8 @@ public abstract class MandateContainer { public MandateContainer(String mandate) throws XPathExpressionException, MOAIDException { + Logger.debug("Received mandate content for processing: " + mandate); + xPath = XPathFactory.newInstance().newXPath(); HashMap<String, String> prefMap = new HashMap<String, String>() {{ put(S2Constants.MANDATE_PREFIX, S2Constants.MANDATE_NS); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java index baa91a854..ed8480ccb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java @@ -33,13 +33,16 @@ import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; import eu.stork.peps.auth.commons.IPersonalAttributeList; import eu.stork.peps.auth.commons.PersonalAttribute; import eu.stork.peps.auth.commons.PersonalAttributeList; import eu.stork.peps.auth.commons.STORKAttrQueryResponse; -import eu.stork.peps.complex.attributes.*; +import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.*; +import org.apache.commons.codec.binary.Base64; +import org.apache.commons.codec.binary.StringUtils; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -65,12 +68,21 @@ public class MandateRetrievalRequest implements IAction { private IAuthData authData; private MOASTORKRequest moaStorkRequest; private IdentityLink representingIdentityLink; + private Integer QAALevel; + private byte[] originalContent; public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { Logger.debug("Entering AttributeRequest for MandateProvider"); httpResp.reset(); this.representingIdentityLink = authData.getIdentityLink(); + this.QAALevel = translateQAALevel(authData.getQAALevel()); + // preparing original content and removing sensitive data from it + this.originalContent = authData.getMISMandate().getMandate(); // TODO ERROR + //Logger.debug("Original content " + StringUtils.newStringUtf8(authData.getMISMandate().getMandate())); + String originalMandate = StringUtils.newStringUtf8(authData.getMISMandate().getMandate()).replaceAll("<pd:Value>.*?==</pd:Value><pd:Type>urn:publicid:gv.at:baseid</pd:Type>","<pd:Value></pd:Value><pd:Type></pd:Type>");; + Logger.debug("Removing personal identification value and type from original mandate "); + originalContent = StringUtils.getBytesUtf8(originalMandate); OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(req.getOAURL()); if (oaParam == null) @@ -206,6 +218,18 @@ public class MandateRetrievalRequest implements IAction { return null; } + private Integer translateQAALevel(String qaaLevel) throws MOAIDException { + if (qaaLevel.equals(PVPConstants.STORK_QAA_1_1)) + return 1; + if (qaaLevel.equals(PVPConstants.STORK_QAA_1_2)) + return 2; + if (qaaLevel.equals(PVPConstants.STORK_QAA_1_3)) + return 3; + if (qaaLevel.equals(PVPConstants.STORK_QAA_1_4)) + return 4; + Logger.error("Wrong QAA Number format"); + throw new MOAIDException("stork.16", new Object[]{}); + } private String geteLPIdentifier(MandateContainer mandateContainer, PersonalAttribute currentAttribute) throws MOAIDException { RepresentationPersonType represented = getRepresented(mandateContainer, currentAttribute); @@ -213,7 +237,7 @@ public class MandateRetrievalRequest implements IAction { return represented.getELPIdentifier(); } else if (currentAttribute.isRequired()) { Logger.error("Cannot provide eLPIdentifier for natural person."); - throw new MOAIDException("stork.19", new Object[]{currentAttribute.getName()}); + throw new MOAIDException("stork.19", new Object[]{currentAttribute.getName()}); // TODO } return ""; } @@ -249,14 +273,35 @@ public class MandateRetrievalRequest implements IAction { private String mapPowersType(MandateContainer mandateContainer) { + // using if for java 6 compatibility if necessary if (mandateContainer.getAnnotation().equals("ELGABilateral")) { return "6"; // Health Powers } else if (mandateContainer.getAnnotation().equals("ERsB")) { return "0"; // General Powers } else if (mandateContainer.getAnnotation().equals("GeneralvollmachtBilateral")) { return "0"; // General Powers + } else if (mandateContainer.getAnnotation().equals("ERsBMitPostvollmacht")) { + return "0"; // General Powers + } else if (mandateContainer.getAnnotation().equals("ZVR")) { + return "0"; // General Powers + } else if (mandateContainer.getAnnotation().equals("ZVRMitPostvollmacht")) { + return "0"; // General Powers + } else if (mandateContainer.getAnnotation().equals("EVB")) { + return "0"; // General Powers + } else if (mandateContainer.getAnnotation().equals("Einzelvertretungsbefugnis")) { + return "0"; // General Powers + } else if (mandateContainer.getAnnotation().equals("Prokura")) { + return "0"; // General Powers + } else if (mandateContainer.getAnnotation().equals("Notar")) { + return "0"; // General Powers + } else if (mandateContainer.getAnnotation().equals("Organwalter")) { + return "0"; // General Powers + } else if (mandateContainer.getAnnotation().equals("Rechtsanwalt")) { + return "0"; // General Powers + } else if (mandateContainer.getAnnotation().equals("Ziviltechniker")) { + return "0"; // General Powers } - return ""; + return "9"; } private MandateType getMandateType(MandateContainer mandateContainer, PersonalAttribute sourceAttribute) throws MOAIDException { @@ -264,10 +309,9 @@ public class MandateRetrievalRequest implements IAction { RepresentationPersonType representative = getRepresentative(mandateContainer, sourceAttribute); RepresentationPersonType represented = getRepresented(mandateContainer, sourceAttribute); MandateContentType mandateContent = getMandateContent(mandateContainer, sourceAttribute); - - mandateType.setRepresenting(representative); + mandateType.setRepresentative(representative); mandateType.setRepresented(represented); - mandateType.setMandateContent(mandateContent); + mandateType.getMandateContent().add(mandateContent); Logger.debug("Complex attribute extracted: " + sourceAttribute.getName()); return mandateType; } @@ -275,7 +319,8 @@ public class MandateRetrievalRequest implements IAction { private String getLegalName(MandateContainer mandateContainer, PersonalAttribute sourceAttribute) throws MOAIDException { RepresentationPersonType represented = getRepresented(mandateContainer, sourceAttribute); if (mandateContainer instanceof CorporateBodyMandateContainer) { - return represented.getName(); + represented.getLegalName(); + //return represented.getName(); } else if (sourceAttribute.isRequired()) { Logger.error("Cannot provide legalName for natural person."); throw new MOAIDException("stork.19", new Object[]{sourceAttribute.getName()}); @@ -487,10 +532,10 @@ public class MandateRetrievalRequest implements IAction { if (mandateContainer instanceof CorporateBodyMandateContainer) { CorporateBodyMandateContainer corporateBodyMandateContainer = (CorporateBodyMandateContainer) mandateContainer; represented.setELPIdentifier(corporateBodyMandateContainer.getCorpMandatorIdentificationValue()); - represented.setName(corporateBodyMandateContainer.getCorpMandatorFullName()); - represented.setAddress(""); - represented.setCanonicalAddress(new CanonicalAddressType()); - represented.setType(getCompanyType(corporateBodyMandateContainer.corpMandatorFullName, corporateBodyMandateContainer.corpMandatorIdentificationType, sourceAttribute)); + represented.setLegalName(corporateBodyMandateContainer.getCorpMandatorFullName()); + represented.setTextRegisteredAddress(null); + represented.setCanonicalRegisteredAddress(new CanonicalAddressType()); + represented.setLegalForm(getCompanyType(corporateBodyMandateContainer.corpMandatorFullName, corporateBodyMandateContainer.corpMandatorIdentificationType, sourceAttribute)); } else if (mandateContainer instanceof PhyPersonMandateContainer) { PhyPersonMandateContainer phyPersonMandateContainer = (PhyPersonMandateContainer) mandateContainer; represented.setEIdentifier(getRepresentedStorkeIdentifier(mandateContainer)); @@ -510,18 +555,22 @@ public class MandateRetrievalRequest implements IAction { try { XMLGregorianCalendar validFrom = DatatypeFactory.newInstance().newXMLGregorianCalendar(mandateContainer.getMandateValidFrom()); XMLGregorianCalendar validTo = DatatypeFactory.newInstance().newXMLGregorianCalendar(mandateContainer.getMandateValidTo()); - mandateContent.setValidFrom(validFrom); - mandateContent.setValidTo(validTo); + TimeRestrictionType timeRestriction = new TimeRestrictionType(); + timeRestriction.setValidFrom(validFrom); + timeRestriction.setValidTo(validTo); + mandateContent.setTimeRestriction(timeRestriction); } catch (DatatypeConfigurationException dte) { Logger.error("Error converting date from mandate: " + mandateContainer.getMandateValidFrom() + ", " + mandateContainer.getMandateValidTo()); throw new MOAIDException("stork.20", new Object[]{}); } - - mandateContent.setTransactionLimit(BigInteger.valueOf(0)); // TODO - mandateContent.setTransactionLimitCurrency("");// TODO - mandateContent.setIsJoint("0"); - mandateContent.setIschained(false); - mandateContent.setTypePower(mapPowersType(mandateContainer)); + mandateContent.setAQAA(this.QAALevel); + mandateContent.setOriginalMandate(originalContent); + mandateContent.setOriginalMandateType("application/xml"); + TransactionLimitRestrictionType transactionLimit = new TransactionLimitRestrictionType(); + mandateContent.setTransactionLimit(transactionLimit); + mandateContent.setIsJoint(""); + mandateContent.setIsChained(false); + mandateContent.setTypeOfPower(mapPowersType(mandateContainer)); // TODO check Logger.debug("Complex attribute extracted: " + sourceAttribute.getName()); return mandateContent; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKPVPUtilits.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKPVPUtilits.java index d923eccde..123d32af4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKPVPUtilits.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKPVPUtilits.java @@ -32,7 +32,7 @@ import java.util.List; public class STORKPVPUtilits { public static final List<String> attributesRequirePVPAuthentication = - Arrays.asList("ECApplicationRole"); + Arrays.asList("ECApplicationRole", "MSOrganization"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttributeProviderPlugin.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttributeProviderPlugin.java index 761460971..bd1576020 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttributeProviderPlugin.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttributeProviderPlugin.java @@ -52,8 +52,9 @@ import at.gv.egovernment.moa.logging.Logger; import eu.stork.peps.auth.commons.IPersonalAttributeList; import eu.stork.peps.auth.commons.PersonalAttribute; import eu.stork.peps.auth.commons.PersonalAttributeList; -import eu.stork.peps.complex.attributes.IsHealthCareProfessionalType; -import eu.stork.peps.complex.attributes.ObjectFactory; +import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.AttributeStatusType; +import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.IsHealthCareProfessionalType; +import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.ObjectFactory; /** * Fetches the attribute IsHealthcareProfessional from the BAGDAD SOAP service @@ -67,7 +68,7 @@ public class EHvdAttributeProviderPlugin extends AttributeProvider { * Instantiates a new e hvd attribute provider plugin. * * @param url the service url - * @param attributes + * @param supportedAttributes */ public EHvdAttributeProviderPlugin(String url, String supportedAttributes) { super(supportedAttributes); @@ -183,7 +184,7 @@ public class EHvdAttributeProviderPlugin extends AttributeProvider { if (collection.get("IsHealthcareProfessional").equals("false") || !collection.get("Type").equals("Medical doctor")) { // the citizen is no HCP - acquiredAttribute = new PersonalAttribute("isHealthCareProfessional", false, new ArrayList<String>(), "NotAvailable"); + acquiredAttribute = new PersonalAttribute("isHealthCareProfessional", false, new ArrayList<String>(), AttributeStatusType.NOT_AVAILABLE.value()); } else { // go on and parse the data IsHealthCareProfessionalType result = new IsHealthCareProfessionalType(); @@ -193,7 +194,7 @@ public class EHvdAttributeProviderPlugin extends AttributeProvider { result.setTypeOfHCP("physician"); result.setNameOfOrganisation(collection.get("NameOfOrganisation")); - result.setTypeOfOrganisation("Unknown"); + //result.setTypeOfOrganisation("Unknown"); // TODO used in previous version, check what to do with this result.setAQAA(4); @@ -206,7 +207,7 @@ public class EHvdAttributeProviderPlugin extends AttributeProvider { ArrayList<String> value = new ArrayList<String>(); value.add(stringWriter.toString()); - acquiredAttribute = new PersonalAttribute("isHealthCareProfessional", false, value, "Available"); + acquiredAttribute = new PersonalAttribute("isHealthCareProfessional", false, value, AttributeStatusType.AVAILABLE.value()); } // pack and return the result @@ -216,7 +217,7 @@ public class EHvdAttributeProviderPlugin extends AttributeProvider { // add stork id for verification ArrayList<String> value = new ArrayList<String>(); value.add(new BPKBuilder().buildStorkeIdentifier(authData.getIdentityLink(), moastorkRequest.getSpCountry())); - result.add(new PersonalAttribute("eIdentifier", false, value, "Available")); + result.add(new PersonalAttribute("eIdentifier", false, value, AttributeStatusType.AVAILABLE.value())); return result; } catch (Exception e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttribute_deprecatedProviderPlugin.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttribute_deprecatedProviderPlugin.java index 2000ef928..a16603beb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttribute_deprecatedProviderPlugin.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/EHvdAttribute_deprecatedProviderPlugin.java @@ -52,9 +52,11 @@ import at.gv.egovernment.moa.logging.Logger; import eu.stork.peps.auth.commons.IPersonalAttributeList; import eu.stork.peps.auth.commons.PersonalAttribute; import eu.stork.peps.auth.commons.PersonalAttributeList; -import eu.stork.peps.complex.attributes.IsHealthCareProfessionalDeprecatedType; -import eu.stork.peps.complex.attributes.IsHealthCareProfessionalType; -import eu.stork.peps.complex.attributes.ObjectFactory; +import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.AttributeStatusType; +import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.IsHealthCareProfessionalDeprecatedType; +import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.IsHealthCareProfessionalType; // IsHealthCareProfessionalDeprecatedType; +//import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion. _1_0.assertion.IsHealthCareProfessionalType; +import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.ObjectFactory; /** * Fetches the attribute IsHealthcareProfessional from the BAGDAD SOAP service @@ -68,7 +70,7 @@ public class EHvdAttribute_deprecatedProviderPlugin extends AttributeProvider { * Instantiates a new e hvd attribute provider plugin. * * @param url the service url - * @param attributes + * @param supportedAttributes */ public EHvdAttribute_deprecatedProviderPlugin(String url, String supportedAttributes) { super(supportedAttributes); @@ -184,7 +186,7 @@ public class EHvdAttribute_deprecatedProviderPlugin extends AttributeProvider { if (collection.get("IsHealthcareProfessional").equals("false")) { // the citizen is no HCP - acquiredAttribute = new PersonalAttribute("isHealthCareProfessional", false, new ArrayList<String>(), "NotAvailable"); + acquiredAttribute = new PersonalAttribute("isHealthCareProfessional", false, new ArrayList<String>(), AttributeStatusType.NOT_AVAILABLE.value()); } else { // go on and parse the data IsHealthCareProfessionalDeprecatedType result = new IsHealthCareProfessionalDeprecatedType(); @@ -202,16 +204,16 @@ public class EHvdAttribute_deprecatedProviderPlugin extends AttributeProvider { result.setAQAA(4); - final Marshaller m = JAXBContext.newInstance(IsHealthCareProfessionalType.class).createMarshaller(); + final Marshaller m = JAXBContext.newInstance(IsHealthCareProfessionalDeprecatedType.class).createMarshaller(); m.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true); StringWriter stringWriter = new StringWriter(); - m.marshal(new ObjectFactory().createIsHealthCareProfessional(result), stringWriter); + m.marshal(new ObjectFactory().createIsHealthCareProfessionalDeprecated(result), stringWriter); ArrayList<String> value = new ArrayList<String>(); value.add(stringWriter.toString()); - acquiredAttribute = new PersonalAttribute("isHealthCareProfessional", false, value, "Available"); + acquiredAttribute = new PersonalAttribute("isHealthCareProfessional", false, value, AttributeStatusType.AVAILABLE.value()); } // pack and return the result @@ -221,7 +223,7 @@ public class EHvdAttribute_deprecatedProviderPlugin extends AttributeProvider { // add stork id for verification ArrayList<String> value = new ArrayList<String>(); value.add(new BPKBuilder().buildStorkeIdentifier(authData.getIdentityLink(), moastorkRequest.getSpCountry())); - result.add(new PersonalAttribute("eIdentifier", false, value, "Available")); + result.add(new PersonalAttribute("eIdentifier", false, value, AttributeStatusType.AVAILABLE.value())); return result; } catch (Exception e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java index 96aa55bcf..7f06c604b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java @@ -80,7 +80,7 @@ public class PVPAuthenticationProvider extends AttributeProvider { this.moastorkRequest = moastorkRequest; // break if we cannot handle the requested attribute - if (!attributes.contains(attribute.getName())) { + if (!getSupportedAttributeNames().contains(attribute.getName())) { Logger.info("Attribute " + attribute.getName() + " not supported by the provider: " + getAttrProviderName()); throw new UnsupportedAttributeException(); @@ -193,33 +193,34 @@ public class PVPAuthenticationProvider extends AttributeProvider { public IPersonalAttributeList parse(HttpServletRequest httpReq) throws UnsupportedAttributeException, MOAIDException { - Logger.info(this.getClass().getSimpleName() + " tries to extract SAMLResponse out of HTTP Request"); + throw new UnsupportedAttributeException(); - //extract STORK Response from HTTP Request - //Decodes SAML Response - byte[] decSamlToken; - try { - decSamlToken = PEPSUtil.decodeSAMLToken(httpReq.getParameter("SAMLResponse")); - } catch(NullPointerException e) { - throw new UnsupportedAttributeException(); - } - - //Get SAMLEngine instance - STORKSAMLEngine engine = STORKSAMLEngine.getInstance("VIDP"); - - STORKAuthnResponse authnResponse = null; - try { - //validate SAML Token - Logger.debug("Starting validation of SAML response"); - authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) httpReq.getRemoteHost()); - Logger.info("SAML response successfully verified!"); - - }catch(STORKSAMLEngineException e){ - Logger.error("Failed to verify STORK SAML Response", e); - throw new MOAIDException("stork.05", null); - } - - return authnResponse.getPersonalAttributeList(); +// Logger.info(this.getClass().getSimpleName() + " tries to extract SAMLResponse out of HTTP Request"); +// //extract STORK Response from HTTP Request +// //Decodes SAML Response +// byte[] decSamlToken; +// try { +// decSamlToken = PEPSUtil.decodeSAMLToken(httpReq.getParameter("SAMLResponse")); +// } catch(NullPointerException e) { +// throw new UnsupportedAttributeException(); +// } +// +// //Get SAMLEngine instance +// STORKSAMLEngine engine = STORKSAMLEngine.getInstance("VIDP"); +// +// STORKAuthnResponse authnResponse = null; +// try { +// //validate SAML Token +// Logger.debug("Starting validation of SAML response"); +// authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) httpReq.getRemoteHost()); +// Logger.info("SAML response successfully verified!"); +// +// }catch(STORKSAMLEngineException e){ +// Logger.error("Failed to verify STORK SAML Response", e); +// throw new MOAIDException("stork.05", null); +// } +// +// return authnResponse.getPersonalAttributeList(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java index 124b91e8b..bb3d8b1fd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java @@ -46,6 +46,7 @@ import javax.xml.ws.Service; import javax.xml.ws.soap.SOAPBinding; import javax.xml.ws.BindingProvider; +import eu.stork.peps.complex.attributes.eu.stork.names.tc.stork._1_0.assertion.AttributeStatusType; import org.apache.commons.codec.binary.Base64; import org.apache.commons.io.IOUtils; import org.apache.commons.lang.NotImplementedException; @@ -55,6 +56,7 @@ import org.apache.velocity.app.VelocityEngine; import org.bouncycastle.util.encoders.UrlBase64; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.stork2.ExternalAttributeRequestRequiredException; @@ -107,15 +109,25 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider { super(attributes); this.oasisDssWebFormURL = oasisDssWebFormURL; - Properties props = new Properties(); try { - props.load(DatabaseConnectorMySQLImpl.class.getResourceAsStream("docservice.properties")); - dtlUrl = props.getProperty("docservice.url"); - } catch (IOException e) { + AuthConfigurationProvider authConfigurationProvider = AuthConfigurationProvider.getInstance(); + dtlUrl = authConfigurationProvider.getDocumentServiceUrl(); + Logger.info ("SignedDocAttributeRequestProvider, using dtlUrl:"+dtlUrl); + } catch (Exception e) { dtlUrl = "http://testvidp.buergerkarte.at/DocumentService/DocumentService"; - Logger.error("Loading DTL config failed, using default value:"+dtlUrl); e.printStackTrace(); - } + Logger.error("Loading documentservice url failed, using default value:"+dtlUrl); + } + +// Properties props = new Properties(); +// try { +// props.load(DatabaseConnectorMySQLImpl.class.getResourceAsStream("docservice.properties")); +// dtlUrl = props.getProperty("docservice.url"); +// } catch (IOException e) { +// dtlUrl = "http://testvidp.buergerkarte.at/DocumentService/DocumentService"; +// Logger.error("Loading DTL config failed, using default value:"+dtlUrl); +// e.printStackTrace(); +// } } /* @@ -207,7 +219,16 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider { // set the url in the SignResponse DocumentWithSignature documentWithSignature = new DocumentWithSignature(); DocumentType value = new DocumentType(); - value.setDocumentURL(dtlUrl); + if(dtlUrl.endsWith("?wsdl")) + { + String tmp = dtlUrl.replace("?wsdl", ""); + Logger.debug("DocumentUrl ends with ? wsdl, using "+tmp+" instead."); + value.setDocumentURL(tmp); + } + else + { + value.setDocumentURL(dtlUrl); + } documentWithSignature.setDocument(value); if(signResponse.getOptionalOutputs()!=null) { @@ -296,7 +317,7 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider { Logger.debug("Assembling signedDoc attribute"); PersonalAttribute signedDocAttribute = new PersonalAttribute("signedDoc", false, values, - "Available"); + AttributeStatusType.AVAILABLE.value()); // pack and return the result PersonalAttributeList result = new PersonalAttributeList(); @@ -355,7 +376,13 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider { byte[] data = getDocumentFromDtl(docRequest, dtlURL);//dtlUrl //load doc from DTL - Logger.debug("data:"+data); + Logger.debug("data:"+data+" "+data.length); + try{ + Logger.trace("data:"+new String(data,"UTF-8")); + }catch(Exception e) + { + Logger.trace("data: creating String failed:"+e); + } String mime = getDocumentMimeFromDtl(docId, dtlURL);//dtlUrl Logger.debug("mime:"+mime); @@ -366,11 +393,28 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider { IncludeObject.class); signRequest.getOptionalInputs().getAny().removeAll(includeObjects); + String documentId = null; + Object objDoc = signRequest.getInputDocuments().getDocumentOrTransformedDataOrDocumentHash().get(0); + if (objDoc != null && objDoc instanceof DocumentType) + { + DocumentType document = (DocumentType)objDoc; + documentId = document.getID(); + } DocumentType document = new DocumentType(); - Base64Data b64data = new Base64Data(); - b64data.setValue(data); - b64data.setMimeType(mime); - document.setBase64Data(b64data); + if(documentId != null) + document.setID(documentId); + if(signRequest.getProfile().toLowerCase().contains("xades")) + { + document.setBase64XML(data); + } + else + { + Base64Data b64data = new Base64Data(); + b64data.setValue(data); + b64data.setMimeType(mime); + document.setBase64Data(b64data); + } + signRequest.setInputDocuments(ApiUtils.createInputDocuments(document)); //override old signRequestString @@ -379,6 +423,7 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider { IOUtils.copy(istr, writer, "UTF-8"); signRequestString = writer.toString(); Logger.info("Signrequest overwritten"); + Logger.debug("Signrequest overwritten:"+signRequestString); } catch (Exception e) { e.printStackTrace(); throw new Exception("Could not marshall sign request", e); @@ -469,6 +514,7 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider { URL url = null; try { + Logger.debug("getDocumentFromDtl:"+dtlUrl); url = new URL(dtlUrl); QName qname = new QName("http://stork.eu", "DocumentService"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java index 090bea486..520b81b17 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java @@ -71,13 +71,9 @@ public class IdentityLinkReSigner { return instance; } - public Element resignIdentityLink(Element idl) throws MOAIDException { + public Element resignIdentityLink(Element idl, String keyGroupId) throws MOAIDException { try { - AuthConfigurationProvider config = AuthConfigurationProvider.getInstance(); - - if (config.isIdentityLinkResigning()) { - if (idl == null) { Logger.warn("IdentityLink is empty"); return null; @@ -91,7 +87,6 @@ public class IdentityLinkReSigner { SPSSFactory spssFac = SPSSFactory.getInstance(); - String keyGroupId = config.getIdentityLinkResigningKey(); if (MiscUtil.isEmpty(keyGroupId)) { Logger.warn("No IdentityLink reSigning-Key definded"); throw new MOAIDException("config.19", new Object[]{}); @@ -166,9 +161,6 @@ public class IdentityLinkReSigner { Logger.warn("Allgemeiner Fehler beim Aufruf von MOA-SS: Unbekannter ResponseType von MOA-SS"); throw new MOAIDException("builder.05", new Object[]{}); } - - } else - return idl; } catch (ConfigurationException e) { Logger.warn("Configuration can not be loaded", e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java index 0ea03e29d..5ef9494f4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java @@ -36,6 +36,7 @@ import at.gv.egovernment.moa.util.MiscUtil; public class PVPtoSTORKMapper { private static final String PVP_SECCLASS_PREFIX = "http://www.ref.gv.at/ns/names/agiz/pvp/"; + private static final String STORK_QAA_PREFIX = "http://www.stork.gov.eu/1.0/"; private static final String MAPPING_RESOURCE = "resources/properties/pvp-stork_mapping.properties"; @@ -67,12 +68,31 @@ public class PVPtoSTORKMapper { } + /**Map a STORK QAA level to PVP SecClass + * + * @param STORK-QAA level + * @return PVP SecClass pvpQAALevel + */ + public String mapToSecClass(String storkQAALevel) { + if (mapping != null) { + String input = storkQAALevel.substring(STORK_QAA_PREFIX.length()); + String mappedQAA = mapping.getProperty(input); + if (MiscUtil.isNotEmpty(mappedQAA)) { + Logger.info("Map STORK-QAA " + storkQAALevel + " to PVP SecClass " + mappedQAA); + return mappedQAA; + + } + } + Logger.warn("No mapping for STORK-QAA " + storkQAALevel +" !"); + return null; + } + /**Map a PVP SecClass to STORK QAA level * * @param PVP SecClass pvpQAALevel * @return STORK-QAA level */ - public String mapQAALevel(String pvpQAALevel) { + public String mapToQAALevel(String pvpQAALevel) { if (mapping != null) { String input = pvpQAALevel.substring(PVP_SECCLASS_PREFIX.length()); String mappedQAA = mapping.getProperty(input); @@ -93,13 +113,16 @@ public class PVPtoSTORKMapper { */ public String map(AuthenticationRole el) { if (mapping != null) { - String ecRole = mapping.getProperty(el.getRawRoleString()); + //String ecRole = mapping.getProperty(el.getRawRoleString()); + String ecRole = mapping.getProperty(el.getRoleName()); if (MiscUtil.isNotEmpty(ecRole)) { - Logger.info("Map PVPRole " + el.getRawRoleString() + " to ECRole " + ecRole); + //Logger.info("Map PVPRole " + el.getRawRoleString() + " to ECRole " + ecRole); + Logger.info("Map PVPRole " + el.getRoleName() + " to ECRole " + ecRole); return ecRole; } } - Logger.warn("NO mapping for PVPRole "+ el.getRawRoleString() + " !"); + //Logger.warn("NO mapping for PVPRole "+ el.getRawRoleString() + " !"); + Logger.warn("NO mapping for PVPRole "+ el.getRoleName() + " !"); return null; } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java index 20cabaf4d..1edb8d1f3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java @@ -66,6 +66,9 @@ public class MISMandate implements Serializable{ final static public String OID_ORGANWALTER = "1.2.40.0.10.3.4";
final static private String TEXT_ORGANWALTER = "Organwalter";
+ final static public String OID_ELGA_OMBUTSSTELLE = "1.2.40.0.34.3.1.3";
+ final static public String OID_ELGA_OMBUTSSTELLE_TEST = "1.2.40.0.34.3.1.2.99.9";
+ final static private String TEXT_ELGA_OMBUTSSTELLE = "ELGA-Ombudsstelle";
private String oid = null;
private byte[] mandate = null;
@@ -102,7 +105,10 @@ public class MISMandate implements Serializable{ return TEXT_ZIVILTECHNIKER;
if (this.oid.equalsIgnoreCase(OID_ORGANWALTER))
return TEXT_ORGANWALTER;
-
+ if (this.oid.equalsIgnoreCase(OID_ELGA_OMBUTSSTELLE)
+ || this.oid.equalsIgnoreCase(OID_ELGA_OMBUTSSTELLE_TEST))
+ return TEXT_ELGA_OMBUTSSTELLE;
+
return "Keine textuelle Beschreibung für OID " + oid;
} else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java index 15b2a89b5..24c96a78f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java @@ -56,6 +56,7 @@ import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.TransformerException;
import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.httpclient.HostConfiguration;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.PostMethod;
import org.apache.commons.httpclient.methods.StringRequestEntity;
@@ -70,6 +71,7 @@ import org.xml.sax.SAXException; import at.gv.egovernment.moa.id.auth.exception.MISSimpleClientException;
import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWSecureSocketFactory;
+import at.gv.egovernment.moa.id.commons.utils.HttpClientWithProxySupport;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.DOMUtils;
import at.gv.egovernment.moa.util.StringUtils;
@@ -300,7 +302,7 @@ public class MISSimpleClient { throw new NullPointerException("Argument request must not be null.");
}
try {
- HttpClient httpclient = new HttpClient();
+ HttpClient httpclient = HttpClientWithProxySupport.getHttpClient();
PostMethod post = new PostMethod(webServiceURL);
StringRequestEntity re = new StringRequestEntity(DOMUtils.serializeNode(packIntoSOAP(request)),"text/xml", "UTF-8");
post.setRequestEntity(re);
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties b/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties index 63745f826..ca12fada4 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties @@ -1,9 +1,31 @@ ##PVP role mapping viewer=CIRCABC/viewer CIRCABC-viewer=CIRCABC/viewer +CIRCABC-DIRECTOR=CIRCABC/DIRECTOR +CIRCABC-SECRETARY=CIRCABC/SECRETARY +CIRCABC-MEMBER=CIRCABC/MEMBER -##PVP SecClass mapping +ecas-demo-EUROPEAN_COMMISSION=ecas-demo/EUROPEAN_COMMISSION +ecas-demo-EXTERNAL_INTRAMUROS=ecas-demo/EXTERNAL_INTRAMUROS +ecas-demo-INTERNET=ecas-demo/INTERNET +ecas-demo-LIVENEWS=ecas-demo/LIVENEWS + +DIGIT-EUROPEAN_COMMISSION=DIGIT/EUROPEAN_COMMISSION +DIGIT-EXTERNAL_INTRAMUROS=DIGIT/EXTERNAL_INTRAMUROS +DIGIT-INTERNET=DIGIT/INTERNET +DIGIT-LIVENEWS=DIGIT/LIVENEWS + + + + +##PVP SecClass to STORK-QAA mapping secclass/0=http://www.stork.gov.eu/1.0/citizenQAALevel/1 secclass/0-1=http://www.stork.gov.eu/1.0/citizenQAALevel/2 -secclass/0-2=http://www.stork.gov.eu/1.0/citizenQAALevel/3 -secclass/0-3=http://www.stork.gov.eu/1.0/citizenQAALevel/4
\ No newline at end of file +secclass/0-2=http://www.stork.gov.eu/1.0/citizenQAALevel/4 +secclass/0-3=http://www.stork.gov.eu/1.0/citizenQAALevel/4 + +##STORK-QAA to PVP SecClass mapping +citizenQAALevel/1=http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0 +citizenQAALevel/2=http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-1 +citizenQAALevel/3=http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-2 +citizenQAALevel/4=http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-2
\ No newline at end of file diff --git a/id/server/idserverlib/src/main/resources/resources/xmldata/fakeIdL_IdL_template.xml b/id/server/idserverlib/src/main/resources/resources/xmldata/fakeIdL_IdL_template.xml new file mode 100644 index 000000000..09084a34f --- /dev/null +++ b/id/server/idserverlib/src/main/resources/resources/xmldata/fakeIdL_IdL_template.xml @@ -0,0 +1,51 @@ +<?xml version="1.0" encoding="UTF-8"?><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ecdsa="http://www.w3.org/2001/04/xmldsig-more#" xmlns:pr="http://reference.e-government.gv.at/namespace/persondata/20020228#" xmlns:si="http://www.w3.org/2001/XMLSchema-instance" AssertionID="szr.bmi.gv.at-AssertionID13456264458587874" IssueInstant="2012-08-22T11:07:25+01:00" Issuer="http://portal.bmi.gv.at/ref/szr/issuer" MajorVersion="1" MinorVersion="0" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> + <saml:AttributeStatement> + <saml:Subject> + <saml:SubjectConfirmation> + <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod> + <saml:SubjectConfirmationData> + <pr:Person si:type="pr:PhysicalPersonType"><pr:Identification><pr:Value>wJO/bvDJjUysG0yARn7I6w==</pr:Value><pr:Type>urn:publicid:gv.at:baseid</pr:Type></pr:Identification><pr:Name><pr:GivenName>XXXRúùd</pr:GivenName><pr:FamilyName primary="undefined">XXXVàn Nisteĺrooy</pr:FamilyName></pr:Name><pr:DateOfBirth>1969-02-13</pr:DateOfBirth></pr:Person> + </saml:SubjectConfirmationData> + </saml:SubjectConfirmation> + </saml:Subject> + <saml:Attribute AttributeName="CitizenPublicKey" AttributeNamespace="urn:publicid:gv.at:namespaces:identitylink:1.2"><saml:AttributeValue><ecdsa:ECDSAKeyValue><ecdsa:DomainParameters><ecdsa:NamedCurve URN="urn:oid:1.2.840.10045.3.1.7"/></ecdsa:DomainParameters><ecdsa:PublicKey><ecdsa:X Value="22280299907126338788314199678167217078072953115254374209747379168424021905237" si:type="ecdsa:PrimeFieldElemType"/><ecdsa:Y Value="40387096985250872237992703378062984723606079359080588656963239072881568409170" si:type="ecdsa:PrimeFieldElemType"/></ecdsa:PublicKey></ecdsa:ECDSAKeyValue></saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="CitizenPublicKey" AttributeNamespace="urn:publicid:gv.at:namespaces:identitylink:1.2"><saml:AttributeValue><dsig:RSAKeyValue><dsig:Modulus>4Y4FL09VhczsfYQgFPuycP8quJNZBAAu1R1rFXNodI2711B6BTMjAGQn6xuFWfd3/nyFav/MLTr/ +t2VazvANS4TRFxJAcWyIx7xbxCdzZr6gJ+FCmq4g5JPrQvt50v3JX+wKSYft1gHBOWlDn90Ia4Gm +P8MVuze21T+VVKM6ZklmS6d5PT1er/uYQFydGErmJ17xlSQG6Fi5xuftopBDyJxG1tL1KIebpLFg +gaM2EyuB1HxH8/+Mfqa4UgeqIH65</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent></dsig:RSAKeyValue></saml:AttributeValue></saml:Attribute></saml:AttributeStatement> + <dsig:Signature> + <dsig:SignedInfo> + <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> + <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> + <dsig:Reference URI=""> + <dsig:Transforms> + <dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116"> + <dsig:XPath>not(ancestor-or-self::pr:Identification)</dsig:XPath> + </dsig:Transform> + <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> + </dsig:Transforms> + <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> + <dsig:DigestValue>KEQEPY2O3Z3IRaISSSoRZVPzsHE=</dsig:DigestValue> + </dsig:Reference> + <dsig:Reference Type="http://www.w3.org/2000/09/xmldsig#Manifest" URI="#manifest"> + <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> + <dsig:DigestValue>gzGhjH1kdmPcPbgen0xojNIoJLk=</dsig:DigestValue> + </dsig:Reference> + </dsig:SignedInfo> + <dsig:SignatureValue> + 06wqWHgplwpu3N5HMhzb6QC5NkXMO1z4N4oc1L6eDqwZlvFJ9X1XGW//QqviKO9oog3il7IzdfJwnjygR4trgGCIqx+JYCDHJCrG9l8zlxlSW0ZqfsygGXthutcQ1aeUpfO6jYuhnWOUywa8BgzukRtWT+AOJBQZPRYTb8IBmey+uAwlhFLni94eMOd81l+efCvkWi3jRajwsG8ZOaNxSZT3aEV5vj+32Aqtx2MPEVzQWtIA7GqZi+EzcdSdHQvHhg7UB+8kqbU70ENAJbEMTANFZYvLOJ0Om9KfDtPf/+R2TvTc360fNo9RnPl04pHPhCIjcGZhFZorBpUhXFwd2Q== + </dsig:SignatureValue><dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>MIIF3TCCBMWgAwIBAgIDByniMA0GCSqGSIb3DQEBBQUAMIGfMQswCQYDVQQGEwJBVDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hlcmhlaXRzc3lzdGVtZSBpbSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMSIwIAYDVQQLDBlhLXNpZ24tY29ycG9yYXRlLWxpZ2h0LTAyMSIwIAYDVQQDDBlhLXNpZ24tY29ycG9yYXRlLWxpZ2h0LTAyMB4XDTEwMDcyODExMzY0M1oXDTE1MDcyODExMzY0M1owgbYxCzAJBgNVBAYTAkFUMR4wHAYDVQQKDBVEYXRlbnNjaHV0emtvbW1pc3Npb24xIjAgBgNVBAsMGVN0YW1temFobHJlZ2lzdGVyYmVob2VyZGUxLjAsBgNVBAMMJVNpZ25hdHVyc2VydmljZSBEYXRlbnNjaHV0emtvbW1pc3Npb24xFTATBgNVBAUTDDMyNTkyODMyMzk5ODEcMBoGCSqGSIb3DQEJARYNZHNrQGRzay5ndi5hdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+dBSEBGj2jUXIK1Mp3lVxc/Za+pJMiyKrX3G1ZxgX/ikx7D9scsPYMt473LlAWl9cmCbHbJK+PV2XNNdURLMUCIX+4vUNs2MHeDTQtX8BXjJFpwJYSoaRJQ39FVS/1r5sWcra9Hhdm7w5Gtx/2ukyDX0kdkxawkhP4EQEzi/SI+Fugn+WqgQ1nAdlbxb/dcBw5w1h9b3lmuwUf4z3ooQWUD2DgA/kKd1KejNR43mLUsmvSzevPxT9zs78pOR1OacB7IszTVJPXeOEaaNZHnnB/UeO3g8LEV/3OkXcUgcMkbIIiaBHlll71Pq0COj9kqjXoe7OrRjLY5i3KwOpa6TMCAwEAAaOCAgcwggIDMBMGA1UdIwQMMAqACEkcWDpP6A0DMH8GCCsGAQUFBwEBBHMwcTAnBggrBgEFBQcwAYYbaHR0cDovL29jc3AuYS10cnVzdC5hdC9vY3NwMEYGCCsGAQUFBzAChjpodHRwOi8vd3d3LmEtdHJ1c3QuYXQvY2VydHMvYS1zaWduLWNvcnBvcmF0ZS1saWdodC0wMmEuY3J0MFQGA1UdIARNMEswSQYGKigAEQESMD8wPQYIKwYBBQUHAgEWMWh0dHA6Ly93d3cuYS10cnVzdC5hdC9kb2NzL2NwL2Etc2lnbi1BbXRzc2lnbmF0dXIwgZ4GA1UdHwSBljCBkzCBkKCBjaCBioaBh2xkYXA6Ly9sZGFwLmEtdHJ1c3QuYXQvb3U9YS1zaWduLWNvcnBvcmF0ZS1saWdodC0wMixvPUEtVHJ1c3QsYz1BVD9jZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0P2Jhc2U/b2JqZWN0Y2xhc3M9ZWlkQ2VydGlmaWNhdGlvbkF1dGhvcml0eTARBgNVHQ4ECgQITAgOnhr0tbowDgYDVR0PAQH/BAQDAgSwMCAGA1UdEQQZMBeBFW1hcmN1cy5oaWxkQGRzay5ndi5hdDAJBgNVHRMEAjAAMA4GByooAAoBBwEEAwEB/zAUBgcqKAAKAQEBBAkMB0JTQi1EU0swDQYJKoZIhvcNAQEFBQADggEBAHTklnvPCH/bJSOlIPbLUEkSGuFHsektSZ8Vr22x/Yv7EzsxoQrJIiz2mQ2gQqFuExdWYxvsowjiSbiis9iUf1c0zscvDS3mIZxGs4M89XHsjHnIyb+Fuwnamw65QrFvM1tNB1ZMjxJ3x+YmHLHdtT3BEBcr3/NCRHd2S0HoBspNz9HVgJaZY1llR7poKBvnAc4g1i+QTvyVb00PtKxR9Lw/9ABInX/1pzpxqrPy7Ib2OP8z6dd3WHmIsCiSHUaj0Dxwwln6fYJjhxZ141SnbovlCLYtrsZLXoi9ljIqX4xO0PwMI2RfNc9cXxTRrRS6rEOvX7PpvgXiDXhp592Yyp4=</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo> + <dsig:Object> + <dsig:Manifest Id="manifest"> + <dsig:Reference URI=""> + <dsig:Transforms> + <dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116"> + <dsig:XPath>not(ancestor-or-self::dsig:Signature)</dsig:XPath> + </dsig:Transform> + </dsig:Transforms> + <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> + <dsig:DigestValue>8e7RjLnA4Mgltq5ruIJzheKGxu0=</dsig:DigestValue> + </dsig:Reference> + </dsig:Manifest> + </dsig:Object> + </dsig:Signature> +</saml:Assertion>
\ No newline at end of file |