diff options
Diffstat (limited to 'id/server/idserverlib')
201 files changed, 8735 insertions, 3751 deletions
diff --git a/id/server/idserverlib/pom.xml b/id/server/idserverlib/pom.xml index 285a5da9c..f1518951f 100644 --- a/id/server/idserverlib/pom.xml +++ b/id/server/idserverlib/pom.xml @@ -3,12 +3,13 @@ <parent>
<groupId>MOA.id</groupId>
<artifactId>moa-id</artifactId>
- <version>2.0.1</version>
+ <version>2.x</version>
</parent>
<modelVersion>4.0.0</modelVersion>
<groupId>MOA.id.server</groupId>
<artifactId>moa-id-lib</artifactId>
+ <version>${moa-id-version}</version>
<packaging>jar</packaging>
<name>MOA ID API</name>
@@ -131,21 +132,21 @@ <artifactId>slf4j-api</artifactId>
<version>1.7.6</version>
</dependency>
- <dependency>
+<!-- <dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-simple</artifactId>
<version>1.7.6</version>
- </dependency>
+ </dependency> -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
<version>1.7.6</version>
</dependency>
- <dependency>
+<!-- <dependency>
<groupId>org.slf4j</groupId>
<artifactId>log4j-over-slf4j</artifactId>
<version>1.7.6</version>
- </dependency>
+ </dependency> -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jul-to-slf4j</artifactId>
@@ -271,6 +272,25 @@ <build>
<plugins>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>properties-maven-plugin</artifactId>
+ <version>1.0-alpha-2</version>
+ <executions>
+ <execution>
+ <phase>initialize</phase>
+ <goals>
+ <goal>read-project-properties</goal>
+ </goals>
+ <configuration>
+ <files>
+ <file>${basedir}/../../../moa-id.properties</file>
+ </files>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
@@ -279,25 +299,8 @@ <target>1.6</target>
</configuration>
</plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-jar-plugin</artifactId>
- <configuration>
- <skip>true</skip>
- <skipTests>true</skipTests>
- <archive>
- <addMavenDescriptor>false</addMavenDescriptor>
- </archive>
- </configuration>
- <executions>
- <execution>
- <goals>
- <goal>test-jar</goal>
- </goals>
- </execution>
- </executions>
- </plugin>
- <plugin>
+
+ <plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
@@ -338,6 +341,24 @@ </execution>
</executions>
</plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-jar-plugin</artifactId>
+ <configuration>
+ <skip>true</skip>
+ <skipTests>true</skipTests>
+ <archive>
+ <addMavenDescriptor>false</addMavenDescriptor>
+ </archive>
+ </configuration>
+ <executions>
+ <execution>
+ <goals>
+ <goal>test-jar</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
</plugins>
</build>
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java index d4b5d1c05..f20339506 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java @@ -41,6 +41,7 @@ import at.gv.egovernment.moa.id.auth.exception.BKUException; import at.gv.egovernment.moa.id.auth.exception.MISSimpleClientException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ServiceException; +import at.gv.egovernment.moa.id.client.SZRGWClientException; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; import at.gv.egovernment.moa.id.commons.db.StatisticLogDBUtils; @@ -51,7 +52,8 @@ import at.gv.egovernment.moa.id.commons.db.dao.statistic.StatisticLog; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; @@ -73,6 +75,7 @@ public class StatisticLogger { private static final String ERRORTYPE_MOASP = "moa-sp"; private static final String ERRORTYPE_MANDATE = "mandate"; private static final String ERRORTYPE_MOAID = "moa-id"; + private static final String ERRORTYPE_SZRGW = "szrgw"; private static StatisticLogger instance; @@ -97,9 +100,9 @@ public class StatisticLogger { } } - public void logSuccessOperation(IRequest protocolRequest, AuthenticationSession moasession, boolean isSSOSession) { + public void logSuccessOperation(IRequest protocolRequest, IAuthData authData, boolean isSSOSession) { - if ( isAktive && protocolRequest != null && moasession != null) { + if ( isAktive && protocolRequest != null && authData != null) { OnlineApplication dbOA = ConfigurationDBRead.getOnlineApplication(protocolRequest.getOAURL()); @@ -128,9 +131,18 @@ public class StatisticLogger { dblog.setOatarget(dbOA.getAuthComponentOA().getIdentificationNumber().getValue()); else dblog.setOatarget(dbOA.getTarget()); + + dblog.setInterfederatedSSOSession(authData.isInterfederatedSSOSession()); - dblog.setBkuurl(moasession.getBkuURL()); - dblog.setBkutype(findBKUType(moasession.getBkuURL(), dbOA)); + if (authData.isInterfederatedSSOSession()) { + dblog.setBkutype(IOAAuthParameters.INDERFEDERATEDIDP); + dblog.setBkuurl(authData.getInterfederatedIDP()); + + } else { + dblog.setBkuurl(authData.getBkuURL()); + dblog.setBkutype(findBKUType(authData.getBkuURL(), dbOA)); + + } dblog.setProtocoltype(protocolRequest.requestedModule()); dblog.setProtocolsubtype(protocolRequest.requestedAction()); @@ -138,10 +150,10 @@ public class StatisticLogger { //log MandateInforamtion - if (moasession.getUseMandate()) { - dblog.setMandatelogin(moasession.getUseMandate()); + if (authData.isUseMandate()) { + dblog.setMandatelogin(authData.isUseMandate()); - MISMandate mandate = moasession.getMISMandate(); + MISMandate mandate = authData.getMISMandate(); if (mandate != null) { if (MiscUtil.isNotEmpty(mandate.getProfRep())) { @@ -297,7 +309,13 @@ public class StatisticLogger { dblog.setErrorcode(error.getBkuErrorCode()); dblog.setErrormessage(getErrorMessageWithMaxLength(error.getBkuErrorMessage(), MAXERRORLENGTH)); - }else if (throwable instanceof MISSimpleClientException) { + } else if (throwable instanceof SZRGWClientException) { + SZRGWClientException error = (SZRGWClientException) throwable; + dblog.setErrortype(ERRORTYPE_SZRGW); + dblog.setErrorcode(error.getSzrErrorCode()); + dblog.setErrormessage(getErrorMessageWithMaxLength(error.getSzrErrorMessage(), MAXERRORLENGTH)); + + } else if (throwable instanceof MISSimpleClientException) { MISSimpleClientException error = (MISSimpleClientException) throwable; dblog.setErrortype(ERRORTYPE_MANDATE); dblog.setErrorcode(error.getMISErrorCode()); @@ -333,13 +351,13 @@ public class StatisticLogger { BKUURLS bkuurls = oaAuth.getBKUURLS(); if (bkuurls != null) { if (bkuURL.equals(bkuurls.getHandyBKU())) - return OAAuthParameter.HANDYBKU; + return IOAAuthParameters.HANDYBKU; if (bkuURL.equals(bkuurls.getLocalBKU())) - return OAAuthParameter.LOCALBKU; + return IOAAuthParameters.LOCALBKU; if (bkuURL.equals(bkuurls.getOnlineBKU())) - return OAAuthParameter.ONLINEBKU; + return IOAAuthParameters.ONLINEBKU; } } } @@ -348,14 +366,14 @@ public class StatisticLogger { try { AuthConfigurationProvider authconfig = AuthConfigurationProvider.getInstance(); - if (bkuURL.equals(authconfig.getDefaultBKUURL(OAAuthParameter.ONLINEBKU))) - return OAAuthParameter.ONLINEBKU; + if (bkuURL.equals(authconfig.getDefaultBKUURL(IOAAuthParameters.ONLINEBKU))) + return IOAAuthParameters.ONLINEBKU; - if (bkuURL.equals(authconfig.getDefaultBKUURL(OAAuthParameter.LOCALBKU))) - return OAAuthParameter.LOCALBKU; + if (bkuURL.equals(authconfig.getDefaultBKUURL(IOAAuthParameters.LOCALBKU))) + return IOAAuthParameters.LOCALBKU; - if (bkuURL.equals(authconfig.getDefaultBKUURL(OAAuthParameter.HANDYBKU))) - return OAAuthParameter.HANDYBKU; + if (bkuURL.equals(authconfig.getDefaultBKUURL(IOAAuthParameters.HANDYBKU))) + return IOAAuthParameters.HANDYBKU; } catch (ConfigurationException e) { Logger.info("Advanced Logging: Default BKUs read failed"); @@ -364,17 +382,17 @@ public class StatisticLogger { Logger.debug("Staticic Log search BKUType from generneric Parameters"); if (bkuURL.endsWith(GENERIC_LOCALBKU)) { - Logger.debug("BKUURL " + bkuURL + " is mapped to " + OAAuthParameter.LOCALBKU); - return OAAuthParameter.LOCALBKU; + Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.LOCALBKU); + return IOAAuthParameters.LOCALBKU; } if (bkuURL.startsWith(GENERIC_HANDYBKU)) { - Logger.debug("BKUURL " + bkuURL + " is mapped to " + OAAuthParameter.HANDYBKU); - return OAAuthParameter.HANDYBKU; + Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.HANDYBKU); + return IOAAuthParameters.HANDYBKU; } - Logger.debug("BKUURL " + bkuURL + " is mapped to " + OAAuthParameter.ONLINEBKU); - return OAAuthParameter.ONLINEBKU; + Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.ONLINEBKU); + return IOAAuthParameters.ONLINEBKU; } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index d7083ec81..4709f8c68 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -2,6 +2,7 @@ package at.gv.egovernment.moa.id.auth; import iaik.asn1.ObjectID; +import iaik.pki.PKIRuntimeException; import iaik.util.logging.Log; import iaik.x509.X509Certificate; import iaik.x509.X509ExtensionInitException; @@ -314,12 +315,18 @@ public class AuthenticationServer implements MOAIDAuthConstants { appletwidth = StringEscapeUtils.escapeHtml(appletwidth); - //TODO: cleanup before MOA-ID 2.1 release - String htmlForm = new GetIdentityLinkFormBuilder().build(template, - session.getBkuURL(), infoboxReadRequest, dataURL, null, - null, pushInfobox, oaParam, appletheigth, appletwidth); - - return htmlForm; + //TODO: cleanup before MOA-ID 2.1 release + try { + String htmlForm = new GetIdentityLinkFormBuilder().build(template, + session.getBkuURL(), infoboxReadRequest, dataURL, null, + null, pushInfobox, oaParam, appletheigth, appletwidth); + + return htmlForm; + + } catch (BuildException e) { + throw new BuildException("builder.07", null, e); + + } } /** @@ -524,16 +531,16 @@ public class AuthenticationServer implements MOAIDAuthConstants { } catch (SAXException e) { - throw new AuthenticationException("auth.16", + throw new AuthenticationException("auth.15", new Object[]{GET_MIS_SESSIONID}, e); } catch (IOException e) { - throw new AuthenticationException("auth.16", + throw new AuthenticationException("auth.15", new Object[]{GET_MIS_SESSIONID}, e); } catch (ParserConfigurationException e) { - throw new AuthenticationException("auth.16", + throw new AuthenticationException("auth.15", new Object[]{GET_MIS_SESSIONID}, e); } catch (TransformerException e) { - throw new AuthenticationException("auth.16", + throw new AuthenticationException("auth.15", new Object[]{GET_MIS_SESSIONID}, e); } @@ -553,9 +560,9 @@ public class AuthenticationServer implements MOAIDAuthConstants { OAAuthParameter oaParam) throws ConfigurationException, BuildException, ValidateException { - // check for intermediate processing of the infoboxes - if (session.isValidatorInputPending()) - return "Redirect to Input Processor"; +// // check for intermediate processing of the infoboxes +// if (session.isValidatorInputPending()) +// return "Redirect to Input Processor"; if (authConf == null) authConf = AuthConfigurationProvider.getInstance(); @@ -611,9 +618,9 @@ public class AuthenticationServer implements MOAIDAuthConstants { OAAuthParameter oaParam, X509Certificate cert) throws ConfigurationException { - // check for intermediate processing of the infoboxes - if (session.isValidatorInputPending()) - return "Redirect to Input Processor"; +// // check for intermediate processing of the infoboxes +// if (session.isValidatorInputPending()) +// return "Redirect to Input Processor"; if (authConf == null) authConf = AuthConfigurationProvider.getInstance(); @@ -1164,11 +1171,31 @@ public class AuthenticationServer implements MOAIDAuthConstants { vtids, tpid); // debug output - // invokes the call - Element domVsresp = new SignatureVerificationInvoker() - .verifyXMLSignature(domVsreq); - // debug output + Element domVsresp = null; + +// try { + // invokes the call + domVsresp = new SignatureVerificationInvoker() + .verifyXMLSignature(domVsreq); + // debug output + +// } catch ( ServiceException e) { +// Logger.error("Signature verification error. ", e); +// Logger.error("Signed Data: " + session.getAuthBlock()); +// try { +// Logger.error("VerifyRequest: " + DOMUtils.serializeNode(domVsreq)); +// } catch (TransformerException e1) { +// e1.printStackTrace(); +// +// } catch (IOException e1) { +// e1.printStackTrace(); +// +// } +// +// throw e; +// } + // parses the <VerifyXMLSignatureResponse> VerifyXMLSignatureResponse vsresp = new VerifyXMLSignatureResponseParser( domVsresp).parseData(); @@ -1196,48 +1223,66 @@ public class AuthenticationServer implements MOAIDAuthConstants { // date and time CreateXMLSignatureResponseValidator.getInstance().validateSigningDateTime(csresp); - // compares the public keys from the identityLink with the AuthBlock - VerifyXMLSignatureResponseValidator.getInstance().validateCertificate( - vsresp, session.getIdentityLink()); - - // post processing of the infoboxes - Iterator iter = session.getInfoboxValidatorIterator(); - boolean formpending = false; - if (iter != null) { - while (!formpending && iter.hasNext()) { - Vector infoboxValidatorVector = (Vector) iter.next(); - String identifier = (String) infoboxValidatorVector.get(0); - String friendlyName = (String) infoboxValidatorVector.get(1); - InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector - .get(2); - InfoboxValidationResult infoboxValidationResult = null; - try { - infoboxValidationResult = infoboxvalidator.validate(csresp - .getSamlAssertion()); - } catch (ValidateException e) { - Logger.error("Error validating " + identifier + " infobox:" - + e.getMessage()); - throw new ValidateException("validator.44", - new Object[]{friendlyName}); - } - if (!infoboxValidationResult.isValid()) { - Logger.info("Validation of " + identifier - + " infobox failed."); - throw new ValidateException("validator.40", new Object[]{ - friendlyName, - infoboxValidationResult.getErrorMessage()}); - } - String form = infoboxvalidator.getForm(); - if (ParepUtils.isEmpty(form)) { - AddAdditionalSAMLAttributes( - session, - infoboxValidationResult.getExtendedSamlAttributes(), - identifier, friendlyName); - } else { - return "Redirect to Input Processor"; - } - } - } + try { + // compares the public keys from the identityLink with the AuthBlock + VerifyXMLSignatureResponseValidator.getInstance().validateCertificate( + vsresp, session.getIdentityLink()); + + } catch ( ValidateException e) { + Logger.error("Signature verification error. ", e); + Logger.error("Signed Data: " + session.getAuthBlock()); + try { + Logger.error("VerifyRequest: " + DOMUtils.serializeNode(domVsreq)); + Logger.error("VerifyResponse: " + DOMUtils.serializeNode(domVsresp)); + } catch (TransformerException e1) { + e1.printStackTrace(); + + } catch (IOException e1) { + e1.printStackTrace(); + + } + + throw e; + } + +// // post processing of the infoboxes +// Iterator iter = session.getInfoboxValidatorIterator(); +// boolean formpending = false; +// if (iter != null) { +// while (!formpending && iter.hasNext()) { +// Vector infoboxValidatorVector = (Vector) iter.next(); +// String identifier = (String) infoboxValidatorVector.get(0); +// String friendlyName = (String) infoboxValidatorVector.get(1); +// InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector +// .get(2); +// InfoboxValidationResult infoboxValidationResult = null; +// try { +// infoboxValidationResult = infoboxvalidator.validate(csresp +// .getSamlAssertion()); +// } catch (ValidateException e) { +// Logger.error("Error validating " + identifier + " infobox:" +// + e.getMessage()); +// throw new ValidateException("validator.44", +// new Object[]{friendlyName}); +// } +// if (!infoboxValidationResult.isValid()) { +// Logger.info("Validation of " + identifier +// + " infobox failed."); +// throw new ValidateException("validator.40", new Object[]{ +// friendlyName, +// infoboxValidationResult.getErrorMessage()}); +// } +// String form = infoboxvalidator.getForm(); +// if (ParepUtils.isEmpty(form)) { +// AddAdditionalSAMLAttributes( +// session, +// infoboxValidationResult.getExtendedSamlAttributes(), +// identifier, friendlyName); +// } else { +// return "Redirect to Input Processor"; +// } +// } +// } session.setXMLVerifySignatureResponse(vsresp); session.setSignerCertificate(vsresp.getX509certificate()); @@ -1358,44 +1403,44 @@ public class AuthenticationServer implements MOAIDAuthConstants { throw new AuthenticationException("auth.10", new Object[]{ REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID}); - // post processing of the infoboxes - Iterator iter = session.getInfoboxValidatorIterator(); - boolean formpending = false; - if (iter != null) { - while (!formpending && iter.hasNext()) { - Vector infoboxValidatorVector = (Vector) iter.next(); - String identifier = (String) infoboxValidatorVector.get(0); - String friendlyName = (String) infoboxValidatorVector.get(1); - InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector - .get(2); - InfoboxValidationResult infoboxValidationResult = null; - try { - infoboxValidationResult = infoboxvalidator.validate(session - .getIdentityLink().getSamlAssertion()); - } catch (ValidateException e) { - Logger.error("Error validating " + identifier + " infobox:" - + e.getMessage()); - throw new ValidateException("validator.44", - new Object[]{friendlyName}); - } - if (!infoboxValidationResult.isValid()) { - Logger.info("Validation of " + identifier - + " infobox failed."); - throw new ValidateException("validator.40", new Object[]{ - friendlyName, - infoboxValidationResult.getErrorMessage()}); - } - String form = infoboxvalidator.getForm(); - if (ParepUtils.isEmpty(form)) { - AddAdditionalSAMLAttributes( - session, - infoboxValidationResult.getExtendedSamlAttributes(), - identifier, friendlyName); - } else { - return "Redirect to Input Processor"; - } - } - } +// // post processing of the infoboxes +// Iterator iter = session.getInfoboxValidatorIterator(); +// boolean formpending = false; +// if (iter != null) { +// while (!formpending && iter.hasNext()) { +// Vector infoboxValidatorVector = (Vector) iter.next(); +// String identifier = (String) infoboxValidatorVector.get(0); +// String friendlyName = (String) infoboxValidatorVector.get(1); +// InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector +// .get(2); +// InfoboxValidationResult infoboxValidationResult = null; +// try { +// infoboxValidationResult = infoboxvalidator.validate(session +// .getIdentityLink().getSamlAssertion()); +// } catch (ValidateException e) { +// Logger.error("Error validating " + identifier + " infobox:" +// + e.getMessage()); +// throw new ValidateException("validator.44", +// new Object[]{friendlyName}); +// } +// if (!infoboxValidationResult.isValid()) { +// Logger.info("Validation of " + identifier +// + " infobox failed."); +// throw new ValidateException("validator.40", new Object[]{ +// friendlyName, +// infoboxValidationResult.getErrorMessage()}); +// } +// String form = infoboxvalidator.getForm(); +// if (ParepUtils.isEmpty(form)) { +// AddAdditionalSAMLAttributes( +// session, +// infoboxValidationResult.getExtendedSamlAttributes(), +// identifier, friendlyName); +// } else { +// return "Redirect to Input Processor"; +// } +// } +// } VerifyXMLSignatureResponse vsresp = new VerifyXMLSignatureResponse(); X509Certificate cert = session.getSignerCertificate(); @@ -1415,127 +1460,6 @@ public class AuthenticationServer implements MOAIDAuthConstants { } /** - * Builds the AuthenticationData object together with the corresponding - * <code><saml:Assertion></code> - * - * @param session authentication session - * @param verifyXMLSigResp VerifyXMLSignatureResponse from MOA-SP - * @param useUTC uses correct UTC time format - * @param useUTC indicates that authenticated citizen is a foreigner - * @param isForeigner indicates whether Austrian (false) or foreigner (true) authenticates - * @return AuthenticationData object - * @throws ConfigurationException while accessing configuration data - * @throws BuildException while building the <code><saml:Assertion></code> - */ - public static AuthenticationData buildAuthenticationData( - AuthenticationSession session, OAAuthParameter oaParam, String target) - throws ConfigurationException, BuildException { - - IdentityLink identityLink = session.getIdentityLink(); - AuthenticationData authData = new AuthenticationData(); - - VerifyXMLSignatureResponse verifyXMLSigResp = session.getXMLVerifySignatureResponse(); - - boolean businessService = oaParam.getBusinessService(); - - authData.setMajorVersion(1); - authData.setMinorVersion(0); - authData.setAssertionID(Random.nextRandom()); - authData.setIssuer(session.getAuthURL()); - - authData.setIssueInstant(DateTimeUtils.buildDateTimeUTC(Calendar - .getInstance())); - - //baseID or wbpk in case of BusinessService without SSO or BusinessService SSO - authData.setIdentificationValue(identityLink.getIdentificationValue()); - authData.setIdentificationType(identityLink.getIdentificationType()); - - authData.setGivenName(identityLink.getGivenName()); - authData.setFamilyName(identityLink.getFamilyName()); - authData.setDateOfBirth(identityLink.getDateOfBirth()); - authData.setQualifiedCertificate(verifyXMLSigResp - .isQualifiedCertificate()); - authData.setPublicAuthority(verifyXMLSigResp.isPublicAuthority()); - authData.setPublicAuthorityCode(verifyXMLSigResp - .getPublicAuthorityCode()); - authData.setBkuURL(session.getBkuURL()); - - try { - - MISMandate mandate = session.getMISMandate(); - - if (session.getUseMandate() && session.isOW() - && mandate != null && MiscUtil.isNotEmpty(mandate.getOWbPK())) { - authData.setBPK(mandate.getOWbPK()); - authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + "OW"); - authData.setIdentityLink(identityLink); - Logger.trace("Authenticated User is OW: " + mandate.getOWbPK()); - - } else { - - if (businessService) { - //since we have foreigner, wbPK is not calculated in BKU - if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - - String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier(); - - if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) { - // If domainIdentifier starts with prefix - // "urn:publicid:gv.at:wbpk+"; remove this prefix - registerAndOrdNr = registerAndOrdNr - .substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length()); - Logger.debug("Register and ordernumber prefix stripped off; resulting register string: " - + registerAndOrdNr); - } - - String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), registerAndOrdNr); - authData.setBPK(wbpkBase64); - authData.setBPKType(Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr); - - } else { - authData.setBPK(identityLink.getIdentificationValue()); - authData.setBPKType(identityLink.getIdentificationType()); - - } - - Logger.trace("Authenticate user with wbPK " + authData.getBPK()); - - Element idlassertion = session.getIdentityLink().getSamlAssertion(); - //set bpk/wpbk; - Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); - prIdentification.getFirstChild().setNodeValue(authData.getBPK()); - //set bkp/wpbk type - Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH); - prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType()); - - IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion); - IdentityLink idl = idlparser.parseIdentityLink(); - authData.setIdentityLink(idl); - - } else { - - if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - // only compute bPK if online application is a public service and we have the Stammzahl - String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), target); - authData.setBPK(bpkBase64); - authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); - } - - Logger.trace("Authenticate user with bPK " + authData.getBPK()); - - authData.setIdentityLink(identityLink); - } - } - - return authData; - - } catch (Throwable ex) { - throw new BuildException("builder.00", new Object[]{ - "AuthenticationData", ex.toString()}, ex); - } - } - - /** * Retrieves a session from the session store. * * @param id session ID @@ -1773,6 +1697,11 @@ public class AuthenticationServer implements MOAIDAuthConstants { request.setMIS(mis); } + if (MiscUtil.isEmpty(connectionParameters.getUrl())) { + Logger.warn("SZR-Gateway Service URL is empty"); + throw new SZRGWClientException("service.07"); + } + Logger.info("Starte Kommunikation mit dem Stammzahlenregister Gateway(" + connectionParameters.getUrl() + ")..."); CreateIdentityLinkResponse response = client.sentCreateIDLRequest(request, connectionParameters.getUrl()); return response; @@ -1826,11 +1755,13 @@ public class AuthenticationServer implements MOAIDAuthConstants { String destination = cpeps.getPepsURL().toExternalForm(); Logger.debug("C-PEPS URL: " + destination); - String acsURL = HTTPUtils.getBaseURL(req) + PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN; + + String issuerValue = AuthConfigurationProvider.getInstance().getPublicURLPrefix(); + String acsURL = new DataURLBuilder().buildDataURL(issuerValue, + PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN, moasession.getSessionID()); Logger.debug("MOA Assertion Consumer URL (PEPSConnctor): " + acsURL); String providerName = oaParam.getFriendlyName(); - String issuerValue = HTTPUtils.getBaseURL(req); Logger.debug("Issuer value: " + issuerValue); // prepare collection of required attributes @@ -1903,6 +1834,13 @@ public class AuthenticationServer implements MOAIDAuthConstants { Logger.debug("STORK AuthnRequest succesfully assembled."); STORKSAMLEngine samlEngine = STORKSAMLEngine.getInstance("outgoing"); + + if (samlEngine == null) { + Logger.error("Could not initalize STORK SAML engine."); + throw new MOAIDException("stork.00", null); + + } + try { authnRequest = samlEngine.generateSTORKAuthnRequest(authnRequest); } catch (STORKSAMLEngineException e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java index 0173c67a1..6f83da367 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java @@ -31,6 +31,8 @@ public interface MOAIDAuthConstants { public static final String PARAM_MODUL = "MODUL"; public static final String PARAM_ACTION = "ACTION"; public static final String PARAM_SSO = "SSO"; + public static final String INTERFEDERATION_IDP = "interIDP"; + /** servlet parameter "sourceID" */ public static final String PARAM_SOURCEID = "sourceID"; /** servlet parameter "BKUSelectionTemplate" */ diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java index db9bc588f..a6c2cde05 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java @@ -51,6 +51,7 @@ import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; @@ -272,7 +273,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion } String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, - new Object[] { generateSpecialText(text, issuer, issueInstant) }); + new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) }); //generate unique AuthBlock tokken String uniquetokken = Random.nextRandom(); @@ -424,7 +425,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion } String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, - new Object[] { generateSpecialText(text, issuer, issueInstant) }); + new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) }); //generate unique AuthBlock tokken String uniquetokken = Random.nextRandom(); @@ -454,12 +455,13 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion } - public static String generateSpecialText(String inputtext, String issuer, String issueInstant) { + public static String generateSpecialText(String inputtext, String issuer, String gebDat, String issueInstant) { Calendar datetime = DatatypeConverter.parseDateTime(issueInstant); SimpleDateFormat dateformat = new SimpleDateFormat("dd.MM.yyyy"); SimpleDateFormat timeformat = new SimpleDateFormat("HH:mm:ss"); String text = inputtext.replaceAll("#NAME#", issuer); + text = text.replaceAll("#BIRTHDAY#", gebDat); text = text.replaceAll("#DATE#", dateformat.format(datetime.getTime())); text = text.replaceAll("#TIME#", timeformat.format(datetime.getTime())); @@ -495,7 +497,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion String gebDat, List<ExtendedSAMLAttribute> extendedSAMLAttributes, AuthenticationSession session, - OAAuthParameter oaParam) + IOAAuthParameters oaParam) throws BuildException { session.setSAMLAttributeGebeORwbpk(true); @@ -536,7 +538,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion if (MiscUtil.isEmpty(text)) text=""; String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, - new Object[] { generateSpecialText(text, issuer, issueInstant) }); + new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) }); //generate unique AuthBlock tokken String uniquetokken = Random.nextRandom(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java index 531303300..ba4440bf8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java @@ -33,6 +33,7 @@ import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DateTimeUtils; @@ -224,7 +225,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB * @throws BuildException if an error occurs during the build process */ public String build( - AuthenticationData authData, + SAML1AuthenticationData authData, String xmlPersonData, String xmlAuthBlock, String xmlIdentityLink, @@ -238,6 +239,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB { String isQualifiedCertificate = authData.isQualifiedCertificate() ? "true" : "false"; + String publicAuthorityAttribute = ""; if (authData.isPublicAuthority()) { String publicAuthorityIdentification = authData.getPublicAuthorityCode(); @@ -344,7 +346,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB * @throws BuildException if an error occurs during the build process */ public String buildMandate( - AuthenticationData authData, + SAML1AuthenticationData authData, String xmlPersonData, String xmlMandateData, String xmlAuthBlock, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java new file mode 100644 index 000000000..792b6cdd7 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -0,0 +1,628 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.builder; + +import iaik.x509.X509Certificate; + +import java.io.IOException; +import java.io.InputStream; +import java.util.ArrayList; +import java.util.List; + +import javax.naming.ldap.LdapName; +import javax.naming.ldap.Rdn; + +import org.opensaml.saml2.core.Assertion; +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.AttributeQuery; +import org.opensaml.saml2.core.AttributeStatement; +import org.opensaml.saml2.core.Response; +import org.opensaml.ws.soap.common.SOAPException; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.security.SecurityException; +import org.w3c.dom.Element; +import org.w3c.dom.Node; + +import eu.stork.peps.auth.commons.PersonalAttribute; +import eu.stork.peps.auth.commons.PersonalAttributeList; + +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.data.IdentityLink; +import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; +import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.auth.exception.DynamicOABuildException; +import at.gv.egovernment.moa.id.auth.exception.ParseException; +import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; +import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; +import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils; +import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; +import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl; +import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.util.IdentityLinkReSigner; +import at.gv.egovernment.moa.id.util.ParamValidatorUtils; +import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.MiscUtil; +import at.gv.egovernment.moa.util.XPathUtils; + +/** + * @author tlenz + * + */ +public class AuthenticationDataBuilder implements MOAIDAuthConstants { + + public static IAuthData buildAuthenticationData(IRequest protocolRequest, + AuthenticationSession session, List<Attribute> reqAttributes) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException { + + + String oaID = protocolRequest.getOAURL(); + if (oaID == null) { + throw new WrongParametersException("StartAuthentication", + PARAM_OA, "auth.12"); + } + + // check parameter + if (!ParamValidatorUtils.isValidOA(oaID)) + throw new WrongParametersException("StartAuthentication", + PARAM_OA, "auth.12"); + + AuthenticationData authdata = null; + + if (protocolRequest instanceof SAML1RequestImpl) { + //request is SAML1 + SAML1AuthenticationData saml1authdata = new SAML1AuthenticationData(); + saml1authdata.setExtendedSAMLAttributesOA(session.getExtendedSAMLAttributesOA()); + + authdata = saml1authdata; + + } else { + authdata = new AuthenticationData(); + + } + + //reuse some parameters if it is a reauthentication + OASessionStore activeOA = AuthenticationSessionStoreage.searchActiveOASSOSession(session, oaID, protocolRequest.requestedModule()); + if (activeOA != null) { + authdata.setSessionIndex(activeOA.getAssertionSessionID()); + authdata.setNameID(activeOA.getUserNameID()); + authdata.setNameIDFormat(activeOA.getUserNameIDFormat()); + + //mark AttributeQuery as used + if ( protocolRequest instanceof PVPTargetConfiguration && + ((PVPTargetConfiguration) protocolRequest).getRequest() instanceof MOARequest && + ((PVPTargetConfiguration) protocolRequest).getRequest().getInboundMessage() instanceof AttributeQuery) { + try { + activeOA.setAttributeQueryUsed(true); + MOASessionDBUtils.saveOrUpdate(activeOA); + + } catch (MOADatabaseException e) { + Logger.error("MOASession interfederation information can not stored to database.", e); + + } + } + + } + + InterfederationSessionStore interfIDP = AuthenticationSessionStoreage.searchInterfederatedIDPFORAttributeQueryWithSessionID(session); + + IOAAuthParameters oaParam = null; + if (reqAttributes == null) { + //get OnlineApplication from MOA-ID-Auth configuration + oaParam = AuthConfigurationProvider.getInstance() + .getOnlineApplicationParameter(oaID); + + } else { + //build OnlineApplication dynamic from requested attributes + oaParam = DynamicOAAuthParameterBuilder.buildFromAttributeQuery(reqAttributes, interfIDP); + + } + + if (interfIDP != null ) { + //IDP is a chained interfederated IDP and Authentication is requested + if (oaParam.isInderfederationIDP() && protocolRequest instanceof PVPTargetConfiguration && + !(((PVPTargetConfiguration)protocolRequest).getRequest() instanceof AttributeQuery)) { + //only set minimal response attributes + authdata.setQAALevel(interfIDP.getQAALevel()); + authdata.setBPK(interfIDP.getUserNameID()); + + } else { + //get attributes from interfederated IDP + OAAuthParameter idp = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(interfIDP.getIdpurlprefix()); + getAuthDataFromInterfederation(authdata, session, oaParam, protocolRequest, interfIDP, idp, reqAttributes); + + //mark attribute request as used + try { + if (idp.isInterfederationSSOStorageAllowed()) { + interfIDP.setAttributesRequested(true); + MOASessionDBUtils.saveOrUpdate(interfIDP); + + } else { + MOASessionDBUtils.delete(interfIDP); + } + + } catch (MOADatabaseException e) { + Logger.error("MOASession interfederation information can not stored to database.", e); + + } + } + + } else { + //build AuthenticationData from MOASession + buildAuthDataFormMOASession(authdata, session, oaParam); + + } + + return authdata; + } + + /** + * @param req + * @param session + * @param reqAttributes + * @return + * @throws WrongParametersException + * @throws ConfigurationException + * @throws BuildException + * @throws DynamicOABuildException + */ + public static IAuthData buildAuthenticationData(IRequest req, + AuthenticationSession session) throws WrongParametersException, ConfigurationException, BuildException, DynamicOABuildException { + return buildAuthenticationData(req, session, null); + } + + /** + * @param authdata + * @param session + * @param oaParam + * @param protocolRequest + * @param interfIDP + * @param idp + * @param reqQueryAttr + * @throws ConfigurationException + */ + private static void getAuthDataFromInterfederation( + AuthenticationData authdata, AuthenticationSession session, + IOAAuthParameters oaParam, IRequest req, + InterfederationSessionStore interfIDP, OAAuthParameter idp, List<Attribute> reqQueryAttr) throws BuildException, ConfigurationException{ + + try { + List<Attribute> attributs = null; + + //IDP is a chained interfederated IDP and request is of type AttributQuery + if (oaParam.isInderfederationIDP() && req instanceof PVPTargetConfiguration && + (((PVPTargetConfiguration)req).getRequest() instanceof AttributeQuery) && + reqQueryAttr != null) { + attributs = reqQueryAttr; + + //IDP is a service provider IDP and request interfederated IDP to collect attributes + } else { + + //TODO: check if response include attributes and map this attributes to requested attributes + + //get PVP 2.1 attributes from protocol specific requested attributes + attributs = req.getRequestedAttributes(); + + } + + //collect attributes by using BackChannel communication + String endpoint = idp.getIDPAttributQueryServiceURL(); + if (MiscUtil.isEmpty(endpoint)) { + Logger.error("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix()); + throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix(), null); + } + + //build attributQuery request + AttributeQuery query = + AttributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs); + + //build SOAP request + List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query); + + if (xmlObjects.size() == 0) { + Logger.error("Receive emptry AttributeQuery response-body."); + throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null); + + } + + if (xmlObjects.get(0) instanceof Response) { + Response intfResp = (Response) xmlObjects.get(0); + + //validate PVP 2.1 response + try { + SAMLVerificationEngine engine = new SAMLVerificationEngine(); + engine.verifyResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); + + SAMLVerificationEngine.validateAssertion(intfResp, false); + + } catch (Exception e) { + Logger.warn("PVP 2.1 assertion validation FAILED.", e); + throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e); + } + + //parse response information to authData + buildAuthDataFormInterfederationResponse(authdata, session, intfResp); + + } else { + Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response"); + throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null); + + } + + } catch (SOAPException e) { + throw new BuildException("builder.06", null, e); + + } catch (SecurityException e) { + throw new BuildException("builder.06", null, e); + + } catch (AttributQueryException e) { + throw new BuildException("builder.06", null, e); + + } catch (BuildException e) { + throw new BuildException("builder.06", null, e); + + } catch (AssertionValidationExeption e) { + throw new BuildException("builder.06", null, e); + + } catch (AssertionAttributeExtractorExeption e) { + throw new BuildException("builder.06", null, e); + + } + } + + private static void buildAuthDataFormInterfederationResponse(AuthenticationData authData, AuthenticationSession session, + Response intfResp) throws BuildException, AssertionAttributeExtractorExeption { + + Logger.debug("Build AuthData from assertion starts ...."); + + Assertion assertion = intfResp.getAssertions().get(0); + + if (assertion.getAttributeStatements().size() == 0) { + Logger.warn("Can not build AuthData from Assertion. NO Attributes included."); + throw new AssertionAttributeExtractorExeption("Can not build AuthData from Assertion. NO Attributes included.", null); + + } + + AttributeStatement attrStat = assertion.getAttributeStatements().get(0); + for (Attribute attr : attrStat.getAttributes()) { + + if (attr.getName().equals(PVPConstants.PRINCIPAL_NAME_NAME)) + authData.setFamilyName(attr.getAttributeValues().get(0).getDOM().getTextContent()); + + if (attr.getName().equals(PVPConstants.GIVEN_NAME_NAME)) + authData.setGivenName(attr.getAttributeValues().get(0).getDOM().getTextContent()); + + if (attr.getName().equals(PVPConstants.BIRTHDATE_NAME)) + authData.setDateOfBirth(attr.getAttributeValues().get(0).getDOM().getTextContent()); + + if (attr.getName().equals(PVPConstants.BPK_NAME)) { + String pvpbPK = attr.getAttributeValues().get(0).getDOM().getTextContent(); + authData.setBPK(pvpbPK.split(":")[1]); + } + + if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) + authData.setBPKType(attr.getAttributeValues().get(0).getDOM().getTextContent()); + + if (attr.getName().equals(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) + authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + + attr.getAttributeValues().get(0).getDOM().getTextContent()); + + if (attr.getName().equals(PVPConstants.EID_ISSUING_NATION_NAME)) + authData.setCcc(attr.getAttributeValues().get(0).getDOM().getTextContent()); + + if (attr.getName().equals(PVPConstants.EID_CCS_URL_NAME)) + authData.setBkuURL(attr.getAttributeValues().get(0).getDOM().getTextContent()); + + if (attr.getName().equals(PVPConstants.EID_AUTH_BLOCK_NAME)) { + try { + byte[] authBlock = Base64Utils.decode(attr.getAttributeValues().get(0).getDOM().getTextContent(), false); + authData.setAuthBlock(new String(authBlock, "UTF-8")); + + } catch (IOException e) { + Logger.error("Received AuthBlock is not valid", e); + + } + } + + if (attr.getName().equals(PVPConstants.EID_SIGNER_CERTIFICATE_NAME)) { + try { + authData.setSignerCertificate(Base64Utils.decode( + attr.getAttributeValues().get(0).getDOM().getTextContent(), false)); + + } catch (IOException e) { + Logger.error("Received SignerCertificate is not valid", e); + + } + } + + if (attr.getName().equals(PVPConstants.EID_SOURCE_PIN_NAME)) + authData.setIdentificationValue(attr.getAttributeValues().get(0).getDOM().getTextContent()); + + if (attr.getName().equals(PVPConstants.EID_SOURCE_PIN_TYPE_NAME)) + authData.setIdentificationType(attr.getAttributeValues().get(0).getDOM().getTextContent()); + + if (attr.getName().equals(PVPConstants.EID_IDENTITY_LINK_NAME)) { + try { + InputStream idlStream = Base64Utils.decodeToStream(attr.getAttributeValues().get(0).getDOM().getTextContent(), false); + IdentityLink idl = new IdentityLinkAssertionParser(idlStream).parseIdentityLink(); + authData.setIdentityLink(idl); + + } catch (ParseException e) { + Logger.error("Received IdentityLink is not valid", e); + + } catch (Exception e) { + Logger.error("Received IdentityLink is not valid", e); + + } + } + + if (attr.getName().equals(PVPConstants.MANDATE_REFERENCE_VALUE_NAME)) + authData.setMandateReferenceValue(attr.getAttributeValues().get(0).getDOM().getTextContent()); + + + if (attr.getName().equals(PVPConstants.MANDATE_FULL_MANDATE_NAME)) { + try { + byte[] mandate = Base64Utils.decode( + attr.getAttributeValues().get(0).getDOM().getTextContent(), false); + + if (authData.getMISMandate() == null) + authData.setMISMandate(new MISMandate()); + authData.getMISMandate().setMandate(mandate); + + authData.setUseMandate(true); + + } catch (Exception e) { + Logger.error("Received Mandate is not valid", e); + throw new AssertionAttributeExtractorExeption(PVPConstants.MANDATE_FULL_MANDATE_NAME); + + } + } + + if (attr.getName().equals(PVPConstants.MANDATE_PROF_REP_OID_NAME)) { + if (authData.getMISMandate() == null) + authData.setMISMandate(new MISMandate()); + authData.getMISMandate().setProfRep( + attr.getAttributeValues().get(0).getDOM().getTextContent()); + + } + + if (attr.getName().equals(PVPConstants.EID_STORK_TOKEN_NAME)) { + authData.setStorkAuthnResponse(attr.getAttributeValues().get(0).getDOM().getTextContent()); + authData.setForeigner(true); + } + + if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) { + + if (authData.getStorkAttributes() == null) + authData.setStorkAttributes(new PersonalAttributeList()); + + List<String> storkAttrValues = new ArrayList<String>(); + storkAttrValues.add(attr.getAttributeValues().get(0).getDOM().getTextContent()); + PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(), + false, storkAttrValues , "Available"); + authData.getStorkAttributes().put(attr.getName(), storkAttr ); + authData.setForeigner(true); + } + + } + + authData.setSsoSession(true); + + //only for SAML1 + if (PVPConstants.STORK_QAA_1_4.equals(authData.getQAALevel())) + authData.setQualifiedCertificate(true); + else + authData.setQualifiedCertificate(false); + authData.setPublicAuthority(false); + } + + private static void buildAuthDataFormMOASession(AuthenticationData authData, AuthenticationSession session, + IOAAuthParameters oaParam) throws BuildException { + + String target = oaParam.getTarget(); + + IdentityLink identityLink = session.getIdentityLink(); + + VerifyXMLSignatureResponse verifyXMLSigResp = session.getXMLVerifySignatureResponse(); + + boolean businessService = oaParam.getBusinessService(); + + authData.setIssuer(session.getAuthURL()); + + //baseID or wbpk in case of BusinessService without SSO or BusinessService SSO + authData.setIdentificationValue(identityLink.getIdentificationValue()); + authData.setIdentificationType(identityLink.getIdentificationType()); + + authData.setGivenName(identityLink.getGivenName()); + authData.setFamilyName(identityLink.getFamilyName()); + authData.setDateOfBirth(identityLink.getDateOfBirth()); + authData.setQualifiedCertificate(verifyXMLSigResp + .isQualifiedCertificate()); + authData.setPublicAuthority(verifyXMLSigResp.isPublicAuthority()); + authData.setPublicAuthorityCode(verifyXMLSigResp + .getPublicAuthorityCode()); + authData.setBkuURL(session.getBkuURL()); + + authData.setStorkAttributes(session.getStorkAttributes()); + authData.setStorkAuthnResponse(session.getStorkAuthnResponse()); + authData.setStorkRequest(session.getStorkAuthnRequest()); + + authData.setSignerCertificate(session.getEncodedSignerCertificate()); + authData.setAuthBlock(session.getAuthBlock()); + + authData.setForeigner(session.isForeigner()); + authData.setQAALevel(session.getQAALevel()); + + if (session.isForeigner()) { + if (authData.getStorkAuthnRequest() != null) { + authData.setCcc(authData.getStorkAuthnRequest() + .getCitizenCountryCode()); + + } else { + + try { + //TODO: replace with TSL lookup when TSL is ready! + X509Certificate certificate = new X509Certificate(authData.getSignerCertificate()); + + if (certificate != null) { + + LdapName ln = new LdapName(certificate.getIssuerDN() + .getName()); + for (Rdn rdn : ln.getRdns()) { + if (rdn.getType().equalsIgnoreCase("C")) { + Logger.info("C is: " + rdn.getValue()); + authData.setCcc(rdn.getValue().toString()); + break; + } + } + } + + } catch (Exception e) { + Logger.error("Failed to extract country code from certificate", e); + + } + } + + } else { + authData.setCcc("AT"); + + } + + try { + + authData.setSsoSession(AuthenticationSessionStoreage.isSSOSession(session.getSessionID())); + + + /* TODO: Support SSO Mandate MODE! + * Insert functionality to translate mandates in case of SSO + */ + + + MISMandate mandate = session.getMISMandate(); + authData.setMISMandate(mandate); + authData.setUseMandate(session.getUseMandate()); + authData.setMandateReferenceValue(session.getMandateReferenceValue()); + + if (session.getUseMandate() && session.isOW() + && mandate != null && MiscUtil.isNotEmpty(mandate.getOWbPK())) { + authData.setBPK(mandate.getOWbPK()); + authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + "OW"); + + //TODO: check in case of mandates for business services + authData.setIdentityLink(identityLink); + Logger.trace("Authenticated User is OW: " + mandate.getOWbPK()); + + } else { + + if (businessService) { + //since we have foreigner, wbPK is not calculated in BKU + if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { + + String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier(); + + if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) { + // If domainIdentifier starts with prefix + // "urn:publicid:gv.at:wbpk+"; remove this prefix + registerAndOrdNr = registerAndOrdNr + .substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length()); + Logger.debug("Register and ordernumber prefix stripped off; resulting register string: " + + registerAndOrdNr); + } + + String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), registerAndOrdNr); + authData.setBPK(wbpkBase64); + authData.setBPKType(Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr); + + } else { + authData.setBPK(identityLink.getIdentificationValue()); + authData.setBPKType(identityLink.getIdentificationType()); + + } + + Logger.trace("Authenticate user with wbPK " + authData.getBPK()); + + Element idlassertion = session.getIdentityLink().getSamlAssertion(); + //set bpk/wpbk; + Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); + prIdentification.getFirstChild().setNodeValue(authData.getBPK()); + //set bkp/wpbk type + Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH); + prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType()); + + IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion); + IdentityLink idl = idlparser.parseIdentityLink(); + + //resign IDL + IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance(); + Element resignedilAssertion; + resignedilAssertion = identitylinkresigner.resignIdentityLink(idl.getSamlAssertion()); + IdentityLinkAssertionParser resignedIDLParser = new IdentityLinkAssertionParser(resignedilAssertion); + IdentityLink resignedIDL = resignedIDLParser.parseIdentityLink(); + + authData.setIdentityLink(resignedIDL); + + } else { + + if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { + // only compute bPK if online application is a public service and we have the Stammzahl + String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), target); + authData.setBPK(bpkBase64); + authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); + } + + Logger.trace("Authenticate user with bPK " + authData.getBPK()); + + authData.setIdentityLink(identityLink); + } + } + + + } catch (Throwable ex) { + throw new BuildException("builder.00", new Object[]{ + "AuthenticationData", ex.toString()}, ex); + } + + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java new file mode 100644 index 000000000..132b6af01 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java @@ -0,0 +1,109 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.builder; + +import java.util.List; + +import org.opensaml.saml2.core.Attribute; + +import at.gv.egovernment.moa.id.auth.exception.DynamicOABuildException; +import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.config.auth.data.DynamicOAAuthParameters; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Constants; + +/** + * @author tlenz + * + */ +public class DynamicOAAuthParameterBuilder { + + public static IOAAuthParameters buildFromAttributeQuery(List<Attribute> reqAttributes, InterfederationSessionStore interfIDP) throws DynamicOABuildException { + + Logger.debug("Build dynamic OAConfiguration from AttributeQuery and interfederation information"); + + try { + DynamicOAAuthParameters dynamicOA = new DynamicOAAuthParameters(); + + for (Attribute attr : reqAttributes) { + //get Target or BusinessService from request + if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) { + String attrValue = attr.getAttributeValues().get(0).getDOM().getTextContent(); + if (attrValue.startsWith(Constants.URN_PREFIX_CDID)) { + dynamicOA.setBusinessService(false); + dynamicOA.setTarget(attrValue.substring((Constants.URN_PREFIX_CDID + "+").length())); + + } else if( attrValue.startsWith(Constants.URN_PREFIX_WBPK) || + attrValue.startsWith(Constants.URN_PREFIX_STORK) ) { + dynamicOA.setBusinessService(true); + dynamicOA.setTarget(attrValue); + + } else { + Logger.error("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea"); + throw new DynamicOABuildException("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea", null); + + } + + } + + } + + if (interfIDP != null) { + //load interfederated IDP informations + OAAuthParameter idp = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(interfIDP.getIdpurlprefix()); + if (idp == null) { + Logger.warn("Interfederated IDP configuration is not loadable."); + throw new DynamicOABuildException("Interfederated IDP configuration is not loadable.", null); + + } + + dynamicOA.setApplicationID(idp.getPublicURLPrefix()); + dynamicOA.setInderfederatedIDP(idp.isInderfederationIDP()); + dynamicOA.setIDPQueryURL(idp.getIDPAttributQueryServiceURL()); + + //check if IDP service area policy. BusinessService IDPs can only request wbPKs + if (!dynamicOA.getBusinessService() && !idp.isIDPPublicService()) { + Logger.error("Interfederated IDP " + idp.getPublicURLPrefix() + + " has a BusinessService-IDP but requests PublicService attributes."); + throw new DynamicOABuildException("Interfederated IDP " + idp.getPublicURLPrefix() + + " has a BusinessService-IDP but requests PublicService attributes.", null); + + } + } + + return dynamicOA; + + } catch (ConfigurationException e) { + Logger.warn("Internel server errror. Basic configuration load failed.", e); + throw new DynamicOABuildException("Basic configuration load failed.", null); + } + + + + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java index ab93f509c..dc981ba33 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java @@ -52,7 +52,7 @@ import java.io.StringWriter; import java.util.Map; import at.gv.egovernment.moa.id.auth.exception.BuildException; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.util.FormBuildUtils; import at.gv.egovernment.moa.util.MiscUtil; @@ -153,7 +153,7 @@ public class GetIdentityLinkFormBuilder extends Builder { String dataURL, String certInfoXMLRequest, String certInfoDataURL, - String pushInfobox, OAAuthParameter oaParam, + String pushInfobox, IOAAuthParameters oaParam, String appletheigth, String appletwidth) throws BuildException diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java index 4d80be1e8..54196427e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java @@ -40,6 +40,7 @@ import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; import at.gv.egovernment.moa.id.commons.db.dao.config.CPEPS; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol; import at.gv.egovernment.moa.id.util.FormBuildUtils; @@ -105,9 +106,9 @@ public class LoginFormBuilder { IOUtils.copy(input, writer); template = writer.toString(); template = template.replace(AUTH_URL, SERVLET); - template = template.replace(BKU_ONLINE, OAAuthParameter.ONLINEBKU); - template = template.replace(BKU_HANDY, OAAuthParameter.HANDYBKU); - template = template.replace(BKU_LOCAL, OAAuthParameter.LOCALBKU); + template = template.replace(BKU_ONLINE, IOAAuthParameters.ONLINEBKU); + template = template.replace(BKU_HANDY, IOAAuthParameters.HANDYBKU); + template = template.replace(BKU_LOCAL, IOAAuthParameters.LOCALBKU); } catch (Exception e) { Logger.error("Failed to read template", e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index 4bae0300b..c5ba49b2e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -203,10 +203,10 @@ public class AuthenticationSession implements Serializable { */ private List<ExtendedSAMLAttribute> extendedSAMLAttributesAUTH; - /** - * If infobox validators are needed after signing, they can be stored in this list. - */ - private List infoboxValidators; +// /** +// * If infobox validators are needed after signing, they can be stored in this list. +// */ +// private List infoboxValidators; /** * The register and number in the register parameter in case of a business service application. @@ -347,7 +347,7 @@ public class AuthenticationSession implements Serializable { public AuthenticationSession(String id) { sessionID = id; // setTimestampStart(); - infoboxValidators = new ArrayList(); +// infoboxValidators = new ArrayList(); } public X509Certificate getSignerCertificate() { @@ -712,15 +712,15 @@ public class AuthenticationSession implements Serializable { this.issueInstant = issueInstant; } - /** - * Returns the iterator to the stored infobox validators. - * - * @return Iterator - */ - public Iterator getInfoboxValidatorIterator() { - if (infoboxValidators == null) return null; - return infoboxValidators.iterator(); - } +// /** +// * Returns the iterator to the stored infobox validators. +// * +// * @return Iterator +// */ +// public Iterator getInfoboxValidatorIterator() { +// if (infoboxValidators == null) return null; +// return infoboxValidators.iterator(); +// } // /** // * Adds an infobox validator class to the stored infobox validators. @@ -744,23 +744,23 @@ public class AuthenticationSession implements Serializable { // return infoboxValidators.iterator(); // } - /** - * Tests for pending input events of the infobox validators. - * - * @return true if a validator has a form to show - */ - public boolean isValidatorInputPending() { - boolean result = false; - Iterator iter = getInfoboxValidatorIterator(); - if (iter != null) { - while (!result && iter.hasNext()) { - Vector infoboxValidatorVector = (Vector) iter.next(); - InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector.get(2); - if (!ParepUtils.isEmpty(infoboxvalidator.getForm())) result = true; - } - } - return result; - } +// /** +// * Tests for pending input events of the infobox validators. +// * +// * @return true if a validator has a form to show +// */ +// public boolean isValidatorInputPending() { +// boolean result = false; +// Iterator iter = getInfoboxValidatorIterator(); +// if (iter != null) { +// while (!result && iter.hasNext()) { +// Vector infoboxValidatorVector = (Vector) iter.next(); +// InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector.get(2); +// if (!ParepUtils.isEmpty(infoboxvalidator.getForm())) result = true; +// } +// } +// return result; +// } // /** // * Returns the first pending infobox validator. @@ -956,20 +956,7 @@ public class AuthenticationSession implements Serializable { public void setMISMandate(MISMandate mandate) { this.mandate = mandate; } - - public Element getMandate() { - try { - byte[] byteMandate = mandate.getMandate(); - String stringMandate = new String(byteMandate); - return DOMUtils.parseDocument(stringMandate, false, null, null).getDocumentElement(); - - } - catch (Throwable e) { - Logger.warn("Mandate content could not be generated from MISMandate."); - return null; - } - } - + /** * @return the ssoRequested */ diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/BKUException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/BKUException.java index f1d3b078e..9c2960c4c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/BKUException.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/BKUException.java @@ -29,16 +29,6 @@ public class BKUException extends MOAIDException { private String bkuErrorCode; private String bkuErrorMessage; - public BKUException(String messageId, Object[] parameters) { - super(messageId, parameters); - - } - - - public BKUException(String messageId, Object[] parameters, Throwable wrapped) { - super(messageId, parameters, wrapped); - } - public BKUException(String messageId, Object[] parameters, String bkuErrorCode, String bkuErrorMessage) { super(messageId, parameters); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DynamicOABuildException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DynamicOABuildException.java new file mode 100644 index 000000000..554cf7370 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DynamicOABuildException.java @@ -0,0 +1,40 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.exception; + +/** + * @author tlenz + * + */ +public class DynamicOABuildException extends MOAIDException { + + + private static final long serialVersionUID = 3756862942519706809L; + + + public DynamicOABuildException(String messageId, Object[] parameters) { + super(messageId, parameters); + // TODO Auto-generated constructor stub + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/InvalidProtocolRequestException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/InvalidProtocolRequestException.java new file mode 100644 index 000000000..4f68bbac0 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/InvalidProtocolRequestException.java @@ -0,0 +1,44 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.exception; + +/** + * @author tlenz + * + */ +public class InvalidProtocolRequestException extends MOAIDException { + + /** + * + */ + private static final long serialVersionUID = -7866198705324084601L; + + /** + * @param messageId + * @param parameters + */ + public InvalidProtocolRequestException(String messageId, Object[] parameters) { + super(messageId, parameters); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/MISSimpleClientException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/MISSimpleClientException.java index e26ab6597..c80cbea26 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/MISSimpleClientException.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/MISSimpleClientException.java @@ -46,6 +46,7 @@ package at.gv.egovernment.moa.id.auth.exception;
+
public class MISSimpleClientException extends MOAIDException {
private static final long serialVersionUID = 1L;
@@ -59,22 +60,16 @@ public class MISSimpleClientException extends MOAIDException { public MISSimpleClientException(String message) {
super(message, null);
- this.misErrorMessage = message;
}
public MISSimpleClientException(String message, String code, String text) {
- super(message, null);
+ super(message, new Object[] { code , text });
this.misErrorMessage = text;
this.misErrorCode = code;
}
- public MISSimpleClientException(Throwable cause) {
- super("UNDEFINED ERROR", null, cause);
- }
-
public MISSimpleClientException(String message, Throwable cause) {
super(message, null, cause);
- this.misErrorMessage = message;
}
/**
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java index ab4a91df9..e2802c1d2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/IdentityLinkAssertionParser.java @@ -241,7 +241,7 @@ public class IdentityLinkAssertionParser { * @param xmlAssertion <code><saml:Assertion></code> as InputStream * @throws ParseException on any parsing error */ - public IdentityLinkAssertionParser(InputStream xmlAssertion) throws Exception { + public IdentityLinkAssertionParser(InputStream xmlAssertion) throws ParseException { try { assertionElem = DOMUtils.parseXmlValidating(xmlAssertion); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java index f6cd2b776..175aeeab7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java @@ -75,6 +75,7 @@ import org.apache.commons.fileupload.servlet.ServletFileUpload; import at.gv.egovernment.moa.id.advancedlogging.StatisticLogger; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.entrypoints.DispatcherServlet; @@ -193,6 +194,11 @@ public class AuthServlet extends HttpServlet implements MOAIDAuthConstants { req.setAttribute("LogLevel", "debug"); } + if (!(exceptionThrown instanceof MOAIDException)) { + Logger.error("Receive an internal error: Message=" + exceptionThrown.getMessage(), exceptionThrown); + + } + IExceptionStore store = DBExceptionStoreImpl.getStore(); String id = store.storeException(exceptionThrown); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java index 17dd9e343..f11489dd2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java @@ -208,7 +208,8 @@ public class GetForeignIDServlet extends AuthServlet { if (null != response.getErrorResponse()){ // TODO fix exception parameter
- throw new SZRGWClientException(response.getErrorResponse().getErrorCode().toString(), null);
+ throw new SZRGWClientException("service.08", (String)response.getErrorResponse().getErrorCode(),
+ (String)response.getErrorResponse().getInfo());
}
else {
IdentityLinkAssertionParser ilParser = new IdentityLinkAssertionParser(new ByteArrayInputStream(response.getIdentityLink()));
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java index a776bbe9a..9e2e845b5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java @@ -65,7 +65,6 @@ import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; -import at.gv.egovernment.moa.id.auth.exception.MISSimpleClientException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; @@ -190,13 +189,9 @@ public class GetMISSessionIDServlet extends AuthServlet { List<MISMandate> list = MISSimpleClient.sendGetMandatesRequest( connectionParameters.getUrl(), misSessionID, sslFactory); - if (list == null) { + if (list == null || list.size() == 0) { Logger.error("Keine Vollmacht gefunden."); - throw new MISSimpleClientException("Keine Vollmacht gefunden"); - } - if (list.size() == 0) { - Logger.error("Keine Vollmacht gefunden."); - throw new MISSimpleClientException("Keine Vollmacht gefunden"); + throw new AuthenticationException("auth.15", null); } // for now: list contains only one element @@ -205,7 +200,7 @@ public class GetMISSessionIDServlet extends AuthServlet { String sMandate = new String(mandate.getMandate()); if (sMandate == null || sMandate.compareToIgnoreCase("") == 0) { Logger.error("Mandate is empty."); - throw new AuthenticationException("auth.16", + throw new AuthenticationException("auth.15", new Object[] { GET_MIS_SESSIONID }); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java index fc4ec305d..9b300578a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java @@ -53,7 +53,6 @@ import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; @@ -62,7 +61,6 @@ import at.gv.egovernment.moa.id.moduls.AuthenticationManager; import at.gv.egovernment.moa.id.moduls.RequestStorage; import at.gv.egovernment.moa.id.moduls.SSOManager; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; -import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -101,13 +99,13 @@ public class LogOutServlet extends AuthServlet { } - if (ssomanager.isValidSSOSession(ssoid, req)) { + if (ssomanager.isValidSSOSession(ssoid, null)) { //TODO: Single LogOut Implementation //delete SSO session and MOA session AuthenticationManager authmanager = AuthenticationManager.getInstance(); - String moasessionid = AuthenticationSessionStoreage.getMOASessionID(ssoid); + String moasessionid = AuthenticationSessionStoreage.getMOASessionSSOID(ssoid); RequestStorage.removePendingRequest(AuthenticationSessionStoreage.getPendingRequestID(moasessionid)); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java index 00acdc540..57755ca9f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java @@ -33,6 +33,7 @@ import at.gv.egovernment.moa.id.auth.builder.RedirectFormBuilder; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; +import at.gv.egovernment.moa.id.moduls.SSOManager; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.URLEncoder; @@ -53,8 +54,10 @@ public class RedirectServlet extends AuthServlet{ String url = req.getParameter(REDIRCT_PARAM_URL); String target = req.getParameter(PARAM_TARGET); String artifact = req.getParameter(PARAM_SAMLARTIFACT); + String interIDP = req.getParameter(INTERFEDERATION_IDP); - if (MiscUtil.isEmpty(artifact)) { + + if (MiscUtil.isEmpty(artifact) && MiscUtil.isEmpty(interIDP)) { resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid"); return; } @@ -68,14 +71,57 @@ public class RedirectServlet extends AuthServlet{ resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid"); return; - } else { - try { - String test = oa.getAuthComponentOA().getTemplates().getBKUSelectionCustomization().getAppletRedirectTarget(); - if (MiscUtil.isNotEmpty(test)) - redirectTarget = test; + } else { + //Redirect is a SAML1 send Artifact redirct + if (MiscUtil.isNotEmpty(artifact)) { + try { + String test = oa.getAuthComponentOA().getTemplates().getBKUSelectionCustomization().getAppletRedirectTarget(); + if (MiscUtil.isNotEmpty(test)) + redirectTarget = test; + + } catch (Exception e) { + Logger.debug("Use default redirectTarget."); + } + + Logger.info("Redirect to " + url); + + if (MiscUtil.isNotEmpty(target)) { +// redirectURL = addURLParameter(redirectURL, PARAM_TARGET, +// URLEncoder.encode(session.getTarget(), "UTF-8")); + url = addURLParameter(url, PARAM_TARGET, + URLEncoder.encode(target, "UTF-8")); + + + } + url = addURLParameter(url, PARAM_SAMLARTIFACT, + URLEncoder.encode(artifact, "UTF-8")); + url = resp.encodeRedirectURL(url); + + String redirect_form = RedirectFormBuilder.buildLoginForm(url, redirectTarget); + + resp.setContentType("text/html;charset=UTF-8"); + resp.setStatus(HttpServletResponse.SC_OK); + PrintWriter out = new PrintWriter(resp.getOutputStream()); + out.write(redirect_form); + out.flush(); + + } else if (MiscUtil.isNotEmpty(interIDP)) { + //store IDP identifier and redirect to generate AuthRequst service + Logger.info("Receive an interfederation redirect request for IDP " + interIDP); + SSOManager sso = SSOManager.getInstance(); + sso.setInterfederationIDPCookie(req, resp, interIDP); + + Logger.debug("Redirect to " + url); + url = resp.encodeRedirectURL(url); + resp.setContentType("text/html"); + resp.setStatus(HttpServletResponse.SC_FOUND); + resp.addHeader("Location", url); + + + } else { + resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid"); + return; - } catch (Exception e) { - Logger.debug("Use default redirectTarget."); } } @@ -88,29 +134,6 @@ public class RedirectServlet extends AuthServlet{ ConfigurationDBUtils.closeSession(); } - - Logger.info("Redirect to " + url); - - if (MiscUtil.isNotEmpty(target)) { -// redirectURL = addURLParameter(redirectURL, PARAM_TARGET, -// URLEncoder.encode(session.getTarget(), "UTF-8")); - url = addURLParameter(url, PARAM_TARGET, - URLEncoder.encode(target, "UTF-8")); - - - } - url = addURLParameter(url, PARAM_SAMLARTIFACT, - URLEncoder.encode(artifact, "UTF-8")); - url = resp.encodeRedirectURL(url); - - String redirect_form = RedirectFormBuilder.buildLoginForm(url, redirectTarget); - - resp.setContentType("text/html;charset=UTF-8"); - PrintWriter out = new PrintWriter(resp.getOutputStream()); - out.write(redirect_form); - out.flush(); - - } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SSOSendAssertionServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SSOSendAssertionServlet.java index 997241822..495c4ca5b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SSOSendAssertionServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SSOSendAssertionServlet.java @@ -108,7 +108,7 @@ public class SSOSendAssertionServlet extends AuthServlet{ } } - boolean isValidSSOSession = ssomanager.isValidSSOSession(ssoId, req); + boolean isValidSSOSession = ssomanager.isValidSSOSession(ssoId, null); String moaSessionID = null; @@ -124,7 +124,7 @@ public class SSOSendAssertionServlet extends AuthServlet{ } if (valueString.compareToIgnoreCase("true") == 0) { - moaSessionID = AuthenticationSessionStoreage.getMOASessionID(ssoId); + moaSessionID = AuthenticationSessionStoreage.getMOASessionSSOID(ssoId); AuthenticationSession moasession = AuthenticationSessionStoreage.getSession(moaSessionID); AuthenticationSessionStoreage.setAuthenticated(moaSessionID, true); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java index 787dc6f10..98edf1fe4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java @@ -227,7 +227,7 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet { if (profiles == null) { Logger.error("No Mandate/Profile for OA configured."); - throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}); + throw new AuthenticationException("config.21", new Object[] { GET_MIS_SESSIONID}); } // String profilesArray[] = profiles.split(","); @@ -238,6 +238,7 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet { String oaFriendlyName = oaParam.getFriendlyName(); String mandateReferenceValue = session.getMandateReferenceValue(); byte[] cert = session.getEncodedSignerCertificate(); + byte[] authBlock = session.getAuthBlock().getBytes(); //TODO: check in case of SSO!!! String targetType = null; @@ -252,7 +253,17 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet { targetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget(); } - MISSessionId misSessionID = MISSimpleClient.sendSessionIdRequest(connectionParameters.getUrl(), idl, cert, oaFriendlyName, redirectURL, mandateReferenceValue, profiles, targetType, sslFactory); + MISSessionId misSessionID = MISSimpleClient.sendSessionIdRequest( + connectionParameters.getUrl(), + idl, + cert, + oaFriendlyName, + redirectURL, + mandateReferenceValue, + profiles, + targetType, + authBlock, + sslFactory); if (misSessionID == null) { Logger.error("Fehler bei Anfrage an Vollmachten Service. MIS Session ID ist null."); @@ -323,78 +334,5 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet { } } - - /** - * Calls the MIS Service - * @param session - * @throws IOException - */ -// private void callMISService(AuthenticationSession session, HttpServletRequest req, HttpServletResponse resp) throws IOException { -// -// try { -// AuthConfigurationProvider authConf= AuthConfigurationProvider.getInstance(); -// ConnectionParameter connectionParameters = authConf.getOnlineMandatesConnectionParameter(); -// SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters); -// -// // get identitity link as byte[] -// Element elem = session.getIdentityLink().getSamlAssertion(); -// String s = DOMUtils.serializeNode(elem); -// -// System.out.println("IDL: " + s); -// -// byte[] idl = s.getBytes(); -// -// // redirect url -// // build redirect(to the GetMISSessionIdSerlvet) -// String redirectURL = -// new DataURLBuilder().buildDataURL( -// session.getAuthURL(), -// GET_MIS_SESSIONID, -// session.getSessionID()); -// -// String oaURL = session.getOAURLRequested(); -// OAAuthParameter oaParam = authConf.getOnlineApplicationParameter(oaURL); -// String profiles = oaParam.getMandateProfiles(); -// -// if (profiles == null) { -// Logger.error("No Mandate/Profile for OA configured."); -// throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}); -// } -// -// String profilesArray[] = profiles.split(","); -// for(int i = 0; i < profilesArray.length; i++) { -// profilesArray[i] = profilesArray[i].trim(); -// } -// -// String oaFriendlyName = oaParam.getFriendlyName(); -// String mandateReferenceValue = session.getMandateReferenceValue(); -// X509Certificate cert = session.getSignerCertificate(); -// MISSessionId misSessionID = MISSimpleClient.sendSessionIdRequest(connectionParameters.getUrl(), idl, cert.getEncoded(), oaFriendlyName, redirectURL, mandateReferenceValue, profilesArray, sslFactory); -// String redirectMISGUI = misSessionID.getRedirectURL(); -// -// if (misSessionID == null) { -// Logger.error("Fehler bei Anfrage an Vollmachten Service. MIS Session ID ist null."); -// throw new MISSimpleClientException("Fehler bei Anfrage an Vollmachten Service."); -// } -// -// session.setMISSessionID(misSessionID.getSessiondId()); -// -// resp.setStatus(302); -// resp.addHeader("Location", redirectMISGUI); -// Logger.debug("REDIRECT TO: " + redirectURL); -// } -// catch (MOAIDException ex) { -// handleError(null, ex, req, resp); -// } catch (GeneralSecurityException ex) { -// handleError(null, ex, req, resp); -// } catch (PKIException e) { -// handleError(null, e, req, resp); -// } catch (MISSimpleClientException e) { -// handleError(null, e, req, resp); -// } catch (TransformerException e) { -// handleError(null, e, req, resp); -// } -// } - } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java index c3b45f165..2c8b44404 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/stork/STORKResponseProcessor.java @@ -53,6 +53,7 @@ import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttributeImpl;
import at.gv.egovernment.moa.id.auth.data.IdentityLink;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.auth.exception.ParseException;
import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
import at.gv.egovernment.moa.id.client.SZRGWClientException;
@@ -124,8 +125,9 @@ public class STORKResponseProcessor { * @param filters the filters
* @return Identity Link
* @throws STORKException the sTORK exception
+ * @throws MOAIDException
*/
- public static IdentityLink connectToSZRGateway(IPersonalAttributeList attributeList, String oaFriendlyName, String targetType, String targetValue, List<String> filters) throws STORKException {
+ public static IdentityLink connectToSZRGateway(IPersonalAttributeList attributeList, String oaFriendlyName, String targetType, String targetValue, List<String> filters) throws STORKException, MOAIDException {
Logger.trace("Calling SZR Gateway with the following attributes:");
CreateIdentityLinkResponse identityLinkResponse = null;
@@ -209,8 +211,8 @@ public class STORKResponseProcessor { }
if (null != identityLinkResponse.getErrorResponse()){
- // TODO fix exception parameter
- throw new SZRGWClientException(identityLinkResponse.getErrorResponse().getErrorCode().toString(), null);
+ throw new SZRGWClientException("service.08", (String)identityLinkResponse.getErrorResponse().getErrorCode(),
+ (String)identityLinkResponse.getErrorResponse().getInfo());
}
else {
IdentityLinkAssertionParser ilParser = new IdentityLinkAssertionParser(new ByteArrayInputStream(identityLinkResponse.getIdentityLink()));
@@ -223,19 +225,13 @@ public class STORKResponseProcessor { // }
}
- } catch (SZRGWClientException e) {
- Logger.error("Error connecting SZR-Gateway: ", e);
- throw new STORKException("Error connecting SZR-Gateway: ", e);
+
} catch (ParseException e) {
Logger.error("Error parsing IdentityLink received from SZR-Gateway: ", e);
- throw new STORKException("Error parsing IdentityLink received from SZR-Gateway: ", e);
- } catch(STORKException e) {
- throw e;
- } catch (Exception e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
- }
-
+ throw new MOAIDException("auth.25", null, e);
+
+ }
+
return identityLink;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index b2c47fac0..762d9af2c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -299,7 +299,7 @@ public class CreateXMLSignatureResponseValidator { } - String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, issueInstant); + String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant); if (!samlSpecialText.equals(specialText)) { throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); } @@ -528,7 +528,7 @@ public class CreateXMLSignatureResponseValidator { } - String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, issueInstant); + String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant); if (!samlSpecialText.equals(specialText)) { throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java index b69fdd9ab..4fd7fa965 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java @@ -229,10 +229,17 @@ public class VerifyXMLSignatureResponseValidator { if(ecdsakey.equals(ecdsaPubKeySignature)) found = true; } + +// Logger.debug("IDL-Pubkey=" + idl.getPublicKey()[i].getClass().getName() +// + " Resp-Pubkey=" + pubKeySignature.getClass().getName()); + } - if (!found) + if (!found) { + throw new ValidateException("validator.09", null); + + } } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java index 5483b865e..0e2251f21 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java @@ -113,27 +113,27 @@ public class ParepUtils { }
}
- /*
- *
- */
- public static String extractRepresentativeID(Element mandate) throws ValidateException {
- try {
- Element nameSpaceNode = mandate.getOwnerDocument().createElement("NameSpaceNode");
- nameSpaceNode.setAttribute("xmlns:md", SZRGWConstants.MANDATE_NS);
- Node resultNode = XPathAPI.selectSingleNode(mandate, "//md:Mandate/attribute::MandateID", nameSpaceNode);
- if (resultNode != null) {
- // because following line is not ready for JDK 1.4.x we need to get the childnode;
- // return resultNode.getTextContent();
- Node textNode = resultNode.getFirstChild();
- if (textNode != null) {
- return textNode.getNodeValue();
- }
- }
- return null;
- } catch (Exception e) {
- throw new ValidateException("validator.62", null);
- }
- }
+// /*
+// *
+// */
+// public static String extractRepresentativeID(Element mandate) throws ValidateException {
+// try {
+// Element nameSpaceNode = mandate.getOwnerDocument().createElement("NameSpaceNode");
+// nameSpaceNode.setAttribute("xmlns:md", SZRGWConstants.MANDATE_NS);
+// Node resultNode = XPathAPI.selectSingleNode(mandate, "//md:Mandate/attribute::MandateID", nameSpaceNode);
+// if (resultNode != null) {
+// // because following line is not ready for JDK 1.4.x we need to get the childnode;
+// // return resultNode.getTextContent();
+// Node textNode = resultNode.getFirstChild();
+// if (textNode != null) {
+// return textNode.getNodeValue();
+// }
+// }
+// return null;
+// } catch (Exception e) {
+// throw new ValidateException("validator.62", null);
+// }
+// }
/**
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/client/SZRGWClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/client/SZRGWClient.java index a9f41819d..c675885c9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/client/SZRGWClient.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/client/SZRGWClient.java @@ -69,7 +69,7 @@ public class SZRGWClient { if (serviceUrl.toLowerCase().startsWith("https")) { Logger.trace("Using ssl for SZRGW client request."); if (sslContext == null) { - throw new SZRGWClientException("SSL context from configuration is empty. Please configure an SSL context in the configuration first.", null); + throw new SZRGWClientException(); } requestContext.put(JAXWSProperties.SSL_SOCKET_FACTORY, sslContext); @@ -95,7 +95,7 @@ public class SZRGWClient { } catch (Exception e) { Logger.warn("SZRGW Client initialization FAILED.", e); - throw new SZRGWClientException("SZRGW Client initialization FAILED.", null); + throw new SZRGWClientException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/client/SZRGWClientException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/client/SZRGWClientException.java index d15ded8a8..2038e3f18 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/client/SZRGWClientException.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/client/SZRGWClientException.java @@ -28,12 +28,47 @@ public class SZRGWClientException extends MOAIDException{ private static final long serialVersionUID = 1L; + private String szrErrorCode = null; + private String szrErrorMessage = null; + public SZRGWClientException(String messageId, Object[] parameters) { super(messageId, parameters); } - public SZRGWClientException(SZRGWClientException e1) { - super("", null, e1); + public SZRGWClientException(String messageId) { + super(messageId, null); + } + + public SZRGWClientException(String messageId, Throwable e1) { + super(messageId, null, e1); + } + + public SZRGWClientException(String messageId, String szrErrorCode, String szrErrorMessage) { + super(messageId, null); + this.szrErrorCode = szrErrorCode; + this.szrErrorMessage = szrErrorMessage; + } + + /** + * + */ + public SZRGWClientException() { + super("service.09", null); + } + + /** + * @return the szrErrorCode + */ + public String getSzrErrorCode() { + return szrErrorCode; + } + + /** + * @return the szrErrorMessage + */ + public String getSzrErrorMessage() { + return szrErrorMessage; } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java index dc5ec430e..88ed7885f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java @@ -135,23 +135,11 @@ public class ConfigurationProvider { return rootConfigFileDir; } - /** - * Return the chaining mode for a given trust anchor. - * - * @param trustAnchor The trust anchor for which the chaining mode should be - * returned. - * @return The chaining mode for the given trust anchor. If the trust anchor - * has not been configured separately, the system default will be returned. - */ - public String getChainingMode(X509Certificate trustAnchor) { - Principal issuer = trustAnchor.getIssuerDN(); - BigInteger serial = trustAnchor.getSerialNumber(); - IssuerAndSerial issuerAndSerial = new IssuerAndSerial(issuer, serial); - - String mode = (String) chainingModes.get(issuerAndSerial); - return mode != null ? mode : defaultChainingMode; + public String getDefaultChainingMode() { + return defaultChainingMode; } - + + /** * Returns the trustedCACertificates. * @return String diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java index 31b88263b..b2bcd443f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java @@ -68,6 +68,7 @@ public class OAParameter { this.oAuth20Config = oa.getAuthComponentOA().getOAOAUTH20(); + this.isInderfederationIDP = oa.isIsInterfederationIDP(); } @@ -104,6 +105,8 @@ public class OAParameter { private boolean removePBKFromAuthblock; + private Boolean isInderfederationIDP; + /** * Contains the oAuth 2.0 configuration (client id, secret and redirect uri) */ @@ -141,4 +144,16 @@ public class OAParameter { return oAuth20Config; } + /** + * @return the isInderfederationIDP + */ + public boolean isInderfederationIDP() { + if (isInderfederationIDP == null) + return false; + + return isInderfederationIDP; + } + + + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 8b5c8d796..dca0958f3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -63,7 +63,6 @@ import javax.xml.bind.JAXBContext; import javax.xml.bind.Unmarshaller; import org.hibernate.cfg.Configuration; -import org.opensaml.DefaultBootstrap; import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; @@ -96,6 +95,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.VerifyIdentityLink; import at.gv.egovernment.moa.id.commons.db.dao.session.AssertionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.AuthenticatedSessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.ExceptionStore; +import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore; import at.gv.egovernment.moa.id.commons.db.dao.statistic.StatisticLog; @@ -339,6 +339,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider { config.addAnnotatedClass(OASessionStore.class); config.addAnnotatedClass(OldSSOSessionIDStore.class); config.addAnnotatedClass(ExceptionStore.class); + config.addAnnotatedClass(InterfederationSessionStore.class); config.addProperties(moaSessionProp); MOASessionDBUtils.initHibernate(config, moaSessionProp); @@ -695,17 +696,17 @@ public class AuthConfigurationProvider extends ConfigurationProvider { Logger.warn("Error in MOA-ID Configuration. No SLRequestTemplates found"); throw new ConfigurationException("config.02", null); } else { - SLRequestTemplates.put(OAAuthParameter.ONLINEBKU, templ.getOnlineBKU()); - SLRequestTemplates.put(OAAuthParameter.LOCALBKU, templ.getLocalBKU()); - SLRequestTemplates.put(OAAuthParameter.HANDYBKU, templ.getHandyBKU()); + SLRequestTemplates.put(IOAAuthParameters.ONLINEBKU, templ.getOnlineBKU()); + SLRequestTemplates.put(IOAAuthParameters.LOCALBKU, templ.getLocalBKU()); + SLRequestTemplates.put(IOAAuthParameters.HANDYBKU, templ.getHandyBKU()); } //set Default BKU URLS DefaultBKUs bkuuls = moaidconfig.getDefaultBKUs(); if (bkuuls != null) { - DefaultBKUURLs.put(OAAuthParameter.ONLINEBKU, bkuuls.getOnlineBKU()); - DefaultBKUURLs.put(OAAuthParameter.LOCALBKU, bkuuls.getLocalBKU()); - DefaultBKUURLs.put(OAAuthParameter.HANDYBKU, bkuuls.getHandyBKU()); + DefaultBKUURLs.put(IOAAuthParameters.ONLINEBKU, bkuuls.getOnlineBKU()); + DefaultBKUURLs.put(IOAAuthParameters.LOCALBKU, bkuuls.getLocalBKU()); + DefaultBKUURLs.put(IOAAuthParameters.HANDYBKU, bkuuls.getHandyBKU()); } //set SSO Config @@ -884,7 +885,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider { return el; else { Logger.warn("getSLRequestTemplates: BKU Type does not match: " - + OAAuthParameter.ONLINEBKU + " or " + OAAuthParameter.HANDYBKU + " or " + OAAuthParameter.LOCALBKU); + + IOAAuthParameters.ONLINEBKU + " or " + IOAAuthParameters.HANDYBKU + " or " + IOAAuthParameters.LOCALBKU); return null; } } @@ -899,7 +900,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider { return el; else { Logger.warn("getSLRequestTemplates: BKU Type does not match: " - + OAAuthParameter.ONLINEBKU + " or " + OAAuthParameter.HANDYBKU + " or " + OAAuthParameter.LOCALBKU); + + IOAAuthParameters.ONLINEBKU + " or " + IOAAuthParameters.HANDYBKU + " or " + IOAAuthParameters.LOCALBKU); return null; } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java new file mode 100644 index 000000000..a59cc10e0 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java @@ -0,0 +1,148 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.config.auth; + +import java.util.List; +import java.util.Map; + +import at.gv.egovernment.moa.id.commons.db.dao.config.AttributeProviderPlugin; +import at.gv.egovernment.moa.id.commons.db.dao.config.CPEPS; +import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; +import at.gv.egovernment.moa.id.commons.db.dao.config.OASAML1; +import at.gv.egovernment.moa.id.commons.db.dao.config.OAStorkAttribute; +import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType; + +/** + * @author tlenz + * + */ +public interface IOAAuthParameters { + + public static final String ONLINEBKU = "online"; + public static final String HANDYBKU = "handy"; + public static final String LOCALBKU = "local"; + public static final String INDERFEDERATEDIDP = "interfederated"; + + + public String getPublicURLPrefix(); + + public boolean getBusinessService(); + + public String getTarget(); + + public boolean isInderfederationIDP(); + + /** + * @return the identityLinkDomainIdentifier + */ + public String getIdentityLinkDomainIdentifier(); + + /** + * @return the keyBoxIdentifier + */ + public String getKeyBoxIdentifier(); + + /** + * @return the transformsInfos + */ + public List<String> getTransformsInfos(); + + public OASAML1 getSAML1Parameter(); + + public OAPVP2 getPVP2Parameter(); + + /** + * @return the templateURL + */ + public List<TemplateType> getTemplateURL(); + + public String getAditionalAuthBlockText(); + + public String getBKUURL(String bkutype); + + public List<String> getBKUURL(); + + public boolean useSSO(); + + public boolean useSSOQuestion(); + + public String getSingleLogOutURL(); + + /** + * @return the mandateProfiles + */ + public List<String> getMandateProfiles(); + + /** + * @return the identityLinkDomainIdentifierType + */ + public String getIdentityLinkDomainIdentifierType(); + + public boolean isShowMandateCheckBox(); + + public boolean isOnlyMandateAllowed(); + + /** + * Shall we show the stork login in the bku selection frontend? + * + * @return true, if is we should show stork login + */ + public boolean isShowStorkLogin(); + + public Map<String, String> getFormCustomizaten(); + + public Integer getQaaLevel(); + + /** + * @return the requestedAttributes + */ + public List<OAStorkAttribute> getRequestedAttributes(); + + public boolean isRequireConsentForStorkAttributes(); + + public List<AttributeProviderPlugin> getStorkAPs(); + + public byte[] getBKUSelectionTemplate(); + + public byte[] getSendAssertionTemplate(); + + public List<CPEPS> getPepsList(); + + public String getIDPAttributQueryServiceURL(); + + /** + * @return + */ + boolean isInboundSSOInterfederationAllowed(); + + /** + * @return + */ + boolean isInterfederationSSOStorageAllowed(); + + /** + * @return + */ + boolean isOutboundSSOInterfederationAllowed(); + +}
\ No newline at end of file diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index 492770aad..7fc5746ee 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -57,6 +57,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.BKUSelectionCustomizationT import at.gv.egovernment.moa.id.commons.db.dao.config.BKUURLS; import at.gv.egovernment.moa.id.commons.db.dao.config.CPEPS; import at.gv.egovernment.moa.id.commons.db.dao.config.IdentificationNumber; +import at.gv.egovernment.moa.id.commons.db.dao.config.InterfederationIDPType; import at.gv.egovernment.moa.id.commons.db.dao.config.Mandates; import at.gv.egovernment.moa.id.commons.db.dao.config.MandatesProfileNameItem; import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; @@ -85,13 +86,11 @@ import at.gv.egovernment.moa.util.MiscUtil; * * @author Harald Bratko */ -public class OAAuthParameter extends OAParameter { +public class OAAuthParameter extends OAParameter implements IOAAuthParameters { - public static final String ONLINEBKU = "online"; - public static final String HANDYBKU = "handy"; - public static final String LOCALBKU = "local"; - private AuthComponentOA oa_auth; + private String keyBoxIdentifier; + private InterfederationIDPType inderfederatedIDP = null; public OAAuthParameter(OnlineApplication oa) { super(oa); @@ -99,13 +98,15 @@ public class OAAuthParameter extends OAParameter { this.oa_auth = oa.getAuthComponentOA(); this.keyBoxIdentifier = oa.getKeyBoxIdentifier().value(); -} + + this.inderfederatedIDP = oa.getInterfederationIDP(); + } - private String keyBoxIdentifier; -/** - * @return the identityLinkDomainIdentifier +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier() */ +@Override public String getIdentityLinkDomainIdentifier() { IdentificationNumber idnumber = oa_auth.getIdentificationNumber(); @@ -115,34 +116,45 @@ public String getIdentityLinkDomainIdentifier() { return null; } -/** - * @return the keyBoxIdentifier +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getKeyBoxIdentifier() */ +@Override public String getKeyBoxIdentifier() { return keyBoxIdentifier; } -/** - * @return the transformsInfos +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTransformsInfos() */ +@Override public List<String> getTransformsInfos() { List<TransformsInfoType> transformations = oa_auth.getTransformsInfo(); return ConfigurationUtils.getTransformInfos(transformations); } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getSAML1Parameter() + */ + @Override public OASAML1 getSAML1Parameter() { return oa_auth.getOASAML1(); } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getPVP2Parameter() + */ + @Override public OAPVP2 getPVP2Parameter() { return oa_auth.getOAPVP2(); } - /** - * @return the templateURL + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTemplateURL() */ + @Override public List<TemplateType> getTemplateURL() { TemplatesType templates = oa_auth.getTemplates(); @@ -154,6 +166,10 @@ public List<String> getTransformsInfos() { return null; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getAditionalAuthBlockText() + */ + @Override public String getAditionalAuthBlockText() { TemplatesType templates = oa_auth.getTemplates(); @@ -163,6 +179,10 @@ public List<String> getTransformsInfos() { return null; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBKUURL(java.lang.String) + */ + @Override public String getBKUURL(String bkutype) { BKUURLS bkuurls = oa_auth.getBKUURLS(); if (bkuurls != null) { @@ -179,6 +199,10 @@ public List<String> getTransformsInfos() { return null; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBKUURL() + */ + @Override public List<String> getBKUURL() { BKUURLS bkuurls = oa_auth.getBKUURLS(); @@ -196,6 +220,10 @@ public List<String> getTransformsInfos() { } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#useSSO() + */ + @Override public boolean useSSO() { OASSO sso = oa_auth.getOASSO(); if (sso != null) @@ -204,6 +232,10 @@ public List<String> getTransformsInfos() { return false; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#useSSOQuestion() + */ + @Override public boolean useSSOQuestion() { OASSO sso = oa_auth.getOASSO(); if (sso != null) @@ -213,6 +245,10 @@ public List<String> getTransformsInfos() { } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getSingleLogOutURL() + */ + @Override public String getSingleLogOutURL() { OASSO sso = oa_auth.getOASSO(); if (sso != null) @@ -221,9 +257,10 @@ public List<String> getTransformsInfos() { return null; } -/** - * @return the mandateProfiles +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getMandateProfiles() */ +@Override public List<String> getMandateProfiles() { Mandates mandates = oa_auth.getMandates(); @@ -253,9 +290,10 @@ public List<String> getMandateProfiles() { return null; } -/** - * @return the identityLinkDomainIdentifierType +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType() */ +@Override public String getIdentityLinkDomainIdentifierType() { IdentificationNumber idnumber = oa_auth.getIdentificationNumber(); if (idnumber != null) @@ -265,6 +303,10 @@ public String getIdentityLinkDomainIdentifierType() { } +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isShowMandateCheckBox() + */ +@Override public boolean isShowMandateCheckBox() { TemplatesType templates = oa_auth.getTemplates(); if (templates != null) { @@ -277,6 +319,10 @@ public boolean isShowMandateCheckBox() { return true; } +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isOnlyMandateAllowed() + */ +@Override public boolean isOnlyMandateAllowed() { TemplatesType templates = oa_auth.getTemplates(); if (templates != null) { @@ -289,11 +335,10 @@ public boolean isOnlyMandateAllowed() { return false; } - /** - * Shall we show the stork login in the bku selection frontend? - * - * @return true, if is we should show stork login + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isShowStorkLogin() */ + @Override public boolean isShowStorkLogin() { try { return oa_auth.getOASTORK().isStorkLogonEnabled(); @@ -303,6 +348,10 @@ public boolean isOnlyMandateAllowed() { } } +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getFormCustomizaten() + */ +@Override public Map<String, String> getFormCustomizaten() { TemplatesType templates = oa_auth.getTemplates(); @@ -354,6 +403,10 @@ public Map<String, String> getFormCustomizaten() { return map; } +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getQaaLevel() + */ +@Override public Integer getQaaLevel() { if (oa_auth.getOASTORK() != null && oa_auth.getOASTORK().getQaa() != null) @@ -363,21 +416,34 @@ public Integer getQaaLevel() { return 4; } -/** - * @return the requestedAttributes +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getRequestedAttributes() */ +@Override public List<OAStorkAttribute> getRequestedAttributes() { return oa_auth.getOASTORK().getOAAttributes(); } +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isRequireConsentForStorkAttributes() + */ +@Override public boolean isRequireConsentForStorkAttributes() { return oa_auth.getOASTORK().isRequireConsent(); } +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getStorkAPs() + */ +@Override public List<AttributeProviderPlugin> getStorkAPs() { return oa_auth.getOASTORK().getAttributeProviders(); } +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBKUSelectionTemplate() + */ +@Override public byte[] getBKUSelectionTemplate() { TemplatesType templates = oa_auth.getTemplates(); @@ -389,6 +455,10 @@ public byte[] getBKUSelectionTemplate() { return null; } +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getSendAssertionTemplate() + */ +@Override public byte[] getSendAssertionTemplate() { TemplatesType templates = oa_auth.getTemplates(); @@ -400,8 +470,54 @@ public byte[] getSendAssertionTemplate() { return null; } +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getPepsList() + */ +@Override public List<CPEPS> getPepsList() { return new ArrayList<CPEPS>(oa_auth.getOASTORK().getCPEPS()); } + +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIDPAttributQueryServiceURL() + */ +@Override +public String getIDPAttributQueryServiceURL() { + if (inderfederatedIDP != null) + return inderfederatedIDP.getAttributeQueryURL(); + + else + return null; + +} + +@Override +public boolean isInboundSSOInterfederationAllowed() { + if (inderfederatedIDP != null) + return inderfederatedIDP.isInboundSSO(); + else + return false; +} + +@Override +public boolean isOutboundSSOInterfederationAllowed() { + if (inderfederatedIDP != null) + return inderfederatedIDP.isOutboundSSO(); + else + return false; +} + +@Override +public boolean isInterfederationSSOStorageAllowed() { + if (inderfederatedIDP != null) + return inderfederatedIDP.isStoreSSOSession(); + else + return false; +} + +public boolean isIDPPublicService() { + return !getBusinessService(); } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java new file mode 100644 index 000000000..02ac09d70 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java @@ -0,0 +1,386 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.config.auth.data; + +import java.util.List; +import java.util.Map; + +import at.gv.egovernment.moa.id.commons.db.dao.config.AttributeProviderPlugin; +import at.gv.egovernment.moa.id.commons.db.dao.config.CPEPS; +import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; +import at.gv.egovernment.moa.id.commons.db.dao.config.OASAML1; +import at.gv.egovernment.moa.id.commons.db.dao.config.OAStorkAttribute; +import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; + +/** + * @author tlenz + * + */ +public class DynamicOAAuthParameters implements IOAAuthParameters { + + private String applicationID = null; + + private boolean isBusinessService; + private String target; + private String businessTarget; + + private boolean inderfederatedIDP; + private String IDPQueryURL; + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService() + */ + @Override + public boolean getBusinessService() { + return this.isBusinessService; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget() + */ + @Override + public String getTarget() { + return this.target; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier() + */ + @Override + public String getIdentityLinkDomainIdentifier() { + return this.businessTarget; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isInderfederationIDP() + */ + @Override + public boolean isInderfederationIDP() { + return this.inderfederatedIDP; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIDPAttributQueryServiceURL() + */ + @Override + public String getIDPAttributQueryServiceURL() { + return this.IDPQueryURL; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getKeyBoxIdentifier() + */ + @Override + public String getKeyBoxIdentifier() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTransformsInfos() + */ + @Override + public List<String> getTransformsInfos() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getSAML1Parameter() + */ + @Override + public OASAML1 getSAML1Parameter() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getPVP2Parameter() + */ + @Override + public OAPVP2 getPVP2Parameter() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTemplateURL() + */ + @Override + public List<TemplateType> getTemplateURL() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getAditionalAuthBlockText() + */ + @Override + public String getAditionalAuthBlockText() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBKUURL(java.lang.String) + */ + @Override + public String getBKUURL(String bkutype) { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBKUURL() + */ + @Override + public List<String> getBKUURL() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#useSSO() + */ + @Override + public boolean useSSO() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#useSSOQuestion() + */ + @Override + public boolean useSSOQuestion() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getSingleLogOutURL() + */ + @Override + public String getSingleLogOutURL() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getMandateProfiles() + */ + @Override + public List<String> getMandateProfiles() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType() + */ + @Override + public String getIdentityLinkDomainIdentifierType() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isShowMandateCheckBox() + */ + @Override + public boolean isShowMandateCheckBox() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isOnlyMandateAllowed() + */ + @Override + public boolean isOnlyMandateAllowed() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isShowStorkLogin() + */ + @Override + public boolean isShowStorkLogin() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getFormCustomizaten() + */ + @Override + public Map<String, String> getFormCustomizaten() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getQaaLevel() + */ + @Override + public Integer getQaaLevel() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getRequestedAttributes() + */ + @Override + public List<OAStorkAttribute> getRequestedAttributes() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isRequireConsentForStorkAttributes() + */ + @Override + public boolean isRequireConsentForStorkAttributes() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getStorkAPs() + */ + @Override + public List<AttributeProviderPlugin> getStorkAPs() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBKUSelectionTemplate() + */ + @Override + public byte[] getBKUSelectionTemplate() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getSendAssertionTemplate() + */ + @Override + public byte[] getSendAssertionTemplate() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getPepsList() + */ + @Override + public List<CPEPS> getPepsList() { + // TODO Auto-generated method stub + return null; + } + + /** + * @param isBusinessService the isBusinessService to set + */ + public void setBusinessService(boolean isBusinessService) { + this.isBusinessService = isBusinessService; + } + + /** + * @param target the target to set + */ + public void setTarget(String target) { + this.target = target; + } + + /** + * @param businessTarget the businessTarget to set + */ + public void setBusinessTarget(String businessTarget) { + this.businessTarget = businessTarget; + } + + /** + * @param inderfederatedIDP the inderfederatedIDP to set + */ + public void setInderfederatedIDP(boolean inderfederatedIDP) { + this.inderfederatedIDP = inderfederatedIDP; + } + + /** + * @param iDPQueryURL the iDPQueryURL to set + */ + public void setIDPQueryURL(String iDPQueryURL) { + IDPQueryURL = iDPQueryURL; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getPublicURLPrefix() + */ + @Override + public String getPublicURLPrefix() { + return this.applicationID; + } + + /** + * @param applicationID the applicationID to set + */ + public void setApplicationID(String applicationID) { + this.applicationID = applicationID; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isInboundSSOInterfederationAllowed() + */ + @Override + public boolean isInboundSSOInterfederationAllowed() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isInterfederationSSOStorageAllowed() + */ + @Override + public boolean isInterfederationSSOStorageAllowed() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isOutboundSSOInterfederationAllowed() + */ + @Override + public boolean isOutboundSSOInterfederationAllowed() { + // TODO Auto-generated method stub + return false; + } + + + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java index f9d3986d7..33e62d3d0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java @@ -1,27 +1,5 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ /* - * Copyright 2003 Federal Chancellery Austria + * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. * @@ -42,455 +20,643 @@ * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. */ - - package at.gv.egovernment.moa.id.data; import java.io.Serializable; +import java.text.DateFormat; +import java.text.ParseException; +import java.text.SimpleDateFormat; import java.util.Date; +import org.w3c.dom.Element; + +import eu.stork.peps.auth.commons.IPersonalAttributeList; +import eu.stork.peps.auth.commons.STORKAuthnRequest; + import at.gv.egovernment.moa.id.auth.data.IdentityLink; +import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.DateTimeUtils; +import at.gv.egovernment.moa.util.MiscUtil; /** - * Encapsulates authentication data contained in a <code><saml:Assertion></code>. + * @author tlenz * - * @author Paul Ivancsics - * @version $Id$ */ +public class AuthenticationData implements IAuthData, Serializable { -public class AuthenticationData implements Serializable { - /** - * - */ private static final long serialVersionUID = -1042697056735596866L; -/** - * major version number of the SAML assertion - */ - private int majorVersion; - /** - * minor version number of the SAML assertion - */ - private int minorVersion; - /** - * identifier for this assertion - */ - private String assertionID; - /** - * URL of the MOA-ID Auth component issueing this assertion - */ - private String issuer; - /** - * time instant of issue of this assertion - */ - private String issueInstant; - /** - * user identification value (Stammzahl); <code>null</code>, - * if the authentication module is configured not to return this data - */ - private String identificationValue; - /** - * user identification type - */ - private String identificationType; + public static final String IDENTITY_LINK_DATE_FORMAT = "yyyy-MM-dd"; + /** + * URL of the MOA-ID Auth component issueing this assertion + */ + private String issuer; + /** + * time instant of issue of this assertion + */ + private Date issueInstant; + /** + * user identification value (Stammzahl); <code>null</code>, + * if the authentication module is configured not to return this data + */ + private String identificationValue; + /** + * user identification type + */ + private String identificationType; + + /** + * user identityLink specialized to OAParamter + */ + private IdentityLink identityLink; + + /** + * application specific user identifier (bPK/wbPK) + */ + private String bPK; + + /** + * application specific user identifier type + */ + private String bPKType; + + /** + * given name of the user + */ + private String givenName; + /** + * family name of the user + */ + private String familyName; + /** + * date of birth of the user + */ + private Date dateOfBirth; + /** + * says whether the certificate is a qualified certificate or not + */ + private boolean qualifiedCertificate; + /** + * says whether the certificate is a public authority or not + */ + private boolean publicAuthority; + /** + * public authority code (Behördenkennzeichen - BKZ) + */ + private String publicAuthorityCode; + + /** + * URL of the BKU + */ + private String bkuURL; + /** + * the corresponding <code>lt;saml:Assertion></code> + */ + + /** + * STORK attributes from response + */ + private String ccc = null; + private IPersonalAttributeList storkAttributes = null; + private String storkAuthnResponse; + private STORKAuthnRequest storkRequest = null; + + private byte[] signerCertificate = null; + + private String authBlock = null; + + private boolean useMandate = false; + private MISMandate mandate = null; + private String mandateReferenceValue = null; + + private boolean foreigner =false; + private String QAALevel = null; + + private boolean ssoSession = false; + + private boolean interfederatedSSOSession = false; + private String interfederatedIDP = null; + + private String sessionIndex = null; + private String nameID = null; + private String nameIDFormat = null; + + public AuthenticationData() { + issueInstant = new Date(); + } + + /** + * Returns the publicAuthority. + * @return boolean + */ + public boolean isPublicAuthority() { + return publicAuthority; + } + + /** + * Returns the publicAuthorityCode. + * @return String + */ + public String getPublicAuthorityCode() { + return publicAuthorityCode; + } + + /** + * Returns the qualifiedCertificate. + * @return boolean + */ + public boolean isQualifiedCertificate() { + return qualifiedCertificate; + } + + /** + * Returns the bPK. + * @return String + */ + public String getBPK() { + return bPK; + } + + /** + * Sets the publicAuthority. + * @param publicAuthority The publicAuthority to set + */ + public void setPublicAuthority(boolean publicAuthority) { + this.publicAuthority = publicAuthority; + } + + /** + * Sets the publicAuthorityCode. + * @param publicAuthorityIdentification The publicAuthorityCode to set + */ + public void setPublicAuthorityCode(String publicAuthorityIdentification) { + this.publicAuthorityCode = publicAuthorityIdentification; + } + + /** + * Sets the qualifiedCertificate. + * @param qualifiedCertificate The qualifiedCertificate to set + */ + public void setQualifiedCertificate(boolean qualifiedCertificate) { + this.qualifiedCertificate = qualifiedCertificate; + } + + /** + * Sets the bPK. + * @param bPK The bPK to set + */ + public void setBPK(String bPK) { + this.bPK = bPK; + } + + /** + * Returns the dateOfBirth. + * @return String + */ + public Date getDateOfBirth() { + return dateOfBirth; + } + + public String getFormatedDateOfBirth() { + DateFormat pvpDateFormat = new SimpleDateFormat(IDENTITY_LINK_DATE_FORMAT); + if (getDateOfBirth() != null) + return pvpDateFormat.format(getDateOfBirth()); + else + return "1900-01-01"; + } + + /** + * Returns the familyName. + * @return String + */ + public String getFamilyName() { + return familyName; + } + + /** + * Returns the givenName. + * @return String + */ + public String getGivenName() { + return givenName; + } + + /** + * Returns the identificationValue. + * @return String + */ + public String getIdentificationValue() { + return identificationValue; + } + + /** + * Returns the identificationType + * @return String + */ + public String getIdentificationType() { + return identificationType; + } + + /** + * Returns the issueInstant. + * @return String + */ + public String getIssueInstantString() { + return DateTimeUtils.buildDateTimeUTC(issueInstant); + + } + + /** + * Returns the issueInstant. + * @return String + */ + public Date getIssueInstant() { + return issueInstant; + + } + + public void setIssueInstant(Date date) { + this.issueInstant = date; + } + + /** + * Returns the issuer. + * @return String + */ + public String getIssuer() { + return issuer; + } + + /** + * Returns the BKU URL. + * @return String + */ + public String getBkuURL() { + return bkuURL; + } + + /** + * Sets the dateOfBirth. + * @param dateOfBirth The dateOfBirth to set + */ + public void setDateOfBirth(Date dateOfBirth) { + this.dateOfBirth = dateOfBirth; + } + + public void setDateOfBirth(String dateOfBirth) { + try { + if (MiscUtil.isNotEmpty(dateOfBirth)) { + DateFormat identityLinkFormat = new SimpleDateFormat(IDENTITY_LINK_DATE_FORMAT); + this.dateOfBirth = identityLinkFormat.parse(dateOfBirth); + } + + } catch (ParseException e) { + Logger.warn("Parse dateOfBirht from IdentityLink FAILED", e); + + } + } + + /** + * Sets the familyName. + * @param familyName The familyName to set + */ + public void setFamilyName(String familyName) { + this.familyName = familyName; + } + + /** + * Sets the givenName. + * @param givenName The givenName to set + */ + public void setGivenName(String givenName) { + this.givenName = givenName; + } + + /** + * Sets the identificationValue. + * @param identificationValue The identificationValue to set + */ + public void setIdentificationValue(String identificationValue) { + this.identificationValue = identificationValue; + } + + /** + * Sets the identificationType. + * @param identificationType The identificationType to set + */ + public void setIdentificationType(String identificationType) { + this.identificationType = identificationType; + } + + /** + * Sets the issuer. + * @param issuer The issuer to set + */ + public void setIssuer(String issuer) { + this.issuer = issuer; + } + + /** + * Sets the bkuURL + * @param url The BKU URL to set + */ + public void setBkuURL(String url) { + this.bkuURL = url; + } + + public String getBPKType() { + return bPKType; + } + + public void setBPKType(String bPKType) { + this.bPKType = bPKType; + } + + /** + * @return the identityLink + */ + public IdentityLink getIdentityLink() { + return identityLink; + } + + /** + * @param identityLink the identityLink to set + */ + public void setIdentityLink(IdentityLink identityLink) { + this.identityLink = identityLink; + } + + + /** + * @return the storkAttributes + */ + public IPersonalAttributeList getStorkAttributes() { + return storkAttributes; + } + + /** - * user identityLink specialized to OAParamter + * @param storkAttributes the storkAttributes to set */ - private IdentityLink identityLink; + public void setStorkAttributes(IPersonalAttributeList storkAttributes) { + this.storkAttributes = storkAttributes; + } + + + /** + * @return the signerCertificate + */ + public byte[] getSignerCertificate() { + return signerCertificate; + } + + + /** + * @param signerCertificate the signerCertificate to set + */ + public void setSignerCertificate(byte[] signerCertificate) { + this.signerCertificate = signerCertificate; + } + + + /** + * @return the authBlock + */ + public String getAuthBlock() { + return authBlock; + } + + + /** + * @param authBlock the authBlock to set + */ + public void setAuthBlock(String authBlock) { + this.authBlock = authBlock; + } + + + /** + * @return the mandate + */ + public MISMandate getMISMandate() { + return mandate; + } + + public Element getMandate() { + try { + byte[] byteMandate = mandate.getMandate(); + String stringMandate = new String(byteMandate); + return DOMUtils.parseDocument(stringMandate, false, null, null).getDocumentElement(); + + } + catch (Throwable e) { + Logger.warn("Mandate content could not be generated from MISMandate."); + return null; + } + } - /** - * application specific user identifier (bPK/wbPK) - */ - private String bPK; - - /** - * application specific user identifier type - */ - private String bPKType; - - /** - * given name of the user - */ - private String givenName; - /** - * family name of the user - */ - private String familyName; - /** - * date of birth of the user - */ - private String dateOfBirth; - /** - * says whether the certificate is a qualified certificate or not - */ - private boolean qualifiedCertificate; - /** - * says whether the certificate is a public authority or not - */ - private boolean publicAuthority; - /** - * public authority code (Behördenkennzeichen - BKZ) - */ - private String publicAuthorityCode; - /** - * The base64 encoded signer certificate. - */ - private String signerCertificate; - /** - * URL of the BKU - */ - private String bkuURL; - /** - * the corresponding <code>lt;saml:Assertion></code> - */ - private String samlAssertion; - - /** useUTC */ -// private boolean useUTC; - /** - * creation timestamp - */ - Date timestamp; - - - - //this method is only required for MOA-ID Proxy 2.0 Release. - //TODO: remove it, if MOA-ID Proxy is not supported anymore. - public String getWBPK() { - return bPK; - } - - - /** - * Constructor for AuthenticationData. - */ - public AuthenticationData() { - timestamp = new Date(); - } - - /** - * Returns the minorVersion. - * @return int - */ - public int getMinorVersion() { - return minorVersion; - } - - /** - * Returns the publicAuthority. - * @return boolean - */ - public boolean isPublicAuthority() { - return publicAuthority; - } - - /** - * Returns the publicAuthorityCode. - * @return String - */ - public String getPublicAuthorityCode() { - return publicAuthorityCode; - } - - /** - * Returns the qualifiedCertificate. - * @return boolean - */ - public boolean isQualifiedCertificate() { - return qualifiedCertificate; - } - - /** - * Returns the bPK. - * @return String - */ - public String getBPK() { - return bPK; - } - -// /** -// * Returns useUTC -// * @return useUTC -// */ -// public boolean getUseUTC() { -// return useUTC; -// } - - /** - * Sets the minorVersion. - * @param minorVersion The minorVersion to set - */ - public void setMinorVersion(int minorVersion) { - this.minorVersion = minorVersion; - } - - /** - * Sets the publicAuthority. - * @param publicAuthority The publicAuthority to set - */ - public void setPublicAuthority(boolean publicAuthority) { - this.publicAuthority = publicAuthority; - } - - /** - * Sets the publicAuthorityCode. - * @param publicAuthorityIdentification The publicAuthorityCode to set - */ - public void setPublicAuthorityCode(String publicAuthorityIdentification) { - this.publicAuthorityCode = publicAuthorityIdentification; - } - - /** - * Sets the qualifiedCertificate. - * @param qualifiedCertificate The qualifiedCertificate to set - */ - public void setQualifiedCertificate(boolean qualifiedCertificate) { - this.qualifiedCertificate = qualifiedCertificate; - } - - /** - * Sets the bPK. - * @param bPK The bPK to set - */ - public void setBPK(String bPK) { - this.bPK = bPK; - } - -// /** -// * Sets the wbPK. -// * @param wbPK The wbPK to set -// */ -// public void setWBPK(String wbPK) { -// this.wbPK = wbPK; -// } - -// public void setUseUTC(boolean useUTC) { -// this.useUTC = useUTC; -// } - - /** - * Returns the assertionID. - * @return String - */ - public String getAssertionID() { - return assertionID; - } - - /** - * Returns the dateOfBirth. - * @return String - */ - public String getDateOfBirth() { - return dateOfBirth; - } - - /** - * Returns the familyName. - * @return String - */ - public String getFamilyName() { - return familyName; - } - - /** - * Returns the givenName. - * @return String - */ - public String getGivenName() { - return givenName; - } - - /** - * Returns the identificationValue. - * @return String - */ - public String getIdentificationValue() { - return identificationValue; - } - - /** - * Returns the identificationType - * @return String - */ - public String getIdentificationType() { - return identificationType; - } - - /** - * Returns the issueInstant. - * @return String - */ - public String getIssueInstant() { - return issueInstant; - } - - /** - * Returns the issuer. - * @return String - */ - public String getIssuer() { - return issuer; - } - - /** - * Returns the majorVersion. - * @return int - */ - public int getMajorVersion() { - return majorVersion; - } - - /** - * Returns the BKU URL. - * @return String - */ - public String getBkuURL() { - return bkuURL; - } - - /** - * Returns the signer certificate. - * @return String - */ - public String getSignerCertificate() { - return signerCertificate; - } - - /** - * Sets the assertionID. - * @param assertionID The assertionID to set - */ - public void setAssertionID(String assertionID) { - this.assertionID = assertionID; - } - - /** - * Sets the dateOfBirth. - * @param dateOfBirth The dateOfBirth to set - */ - public void setDateOfBirth(String dateOfBirth) { - this.dateOfBirth = dateOfBirth; - } - - /** - * Sets the familyName. - * @param familyName The familyName to set - */ - public void setFamilyName(String familyName) { - this.familyName = familyName; - } - - /** - * Sets the givenName. - * @param givenName The givenName to set - */ - public void setGivenName(String givenName) { - this.givenName = givenName; - } - - /** - * Sets the identificationValue. - * @param identificationValue The identificationValue to set - */ - public void setIdentificationValue(String identificationValue) { - this.identificationValue = identificationValue; - } - - /** - * Sets the identificationType. - * @param identificationType The identificationType to set - */ - public void setIdentificationType(String identificationType) { - this.identificationType = identificationType; - } - - /** - * Sets the issueInstant. - * @param issueInstant The issueInstant to set - */ - public void setIssueInstant(String issueInstant) { - this.issueInstant = issueInstant; - } - - /** - * Sets the issuer. - * @param issuer The issuer to set - */ - public void setIssuer(String issuer) { - this.issuer = issuer; - } - - /** - * Sets the majorVersion. - * @param majorVersion The majorVersion to set - */ - public void setMajorVersion(int majorVersion) { - this.majorVersion = majorVersion; - } - - /** - * Sets the bkuURL - * @param url The BKU URL to set - */ - public void setBkuURL(String url) { - this.bkuURL = url; - } - - /** - * Sets the signer certificate - * @param signerCertificate The signer certificate - */ - public void setSignerCertificate(String signerCertificate) { - this.signerCertificate = signerCertificate; - } - - /** - * Returns the samlAssertion. - * @return String - */ - public String getSamlAssertion() { - return samlAssertion; - } - - /** - * Sets the samlAssertion. - * @param samlAssertion The samlAssertion to set - */ - public void setSamlAssertion(String samlAssertion) { - this.samlAssertion = samlAssertion; - } - - /** - * Returns the timestamp. - * @return Date - */ - public Date getTimestamp() { - return timestamp; - } - -public String getBPKType() { - return bPKType; -} -public void setBPKType(String bPKType) { - this.bPKType = bPKType; -} + /** + * @param mandate the mandate to set + */ + public void setMISMandate(MISMandate mandate) { + this.mandate = mandate; + } -/** - * @return the identityLink - */ -public IdentityLink getIdentityLink() { - return identityLink; -} -/** - * @param identityLink the identityLink to set - */ -public void setIdentityLink(IdentityLink identityLink) { - this.identityLink = identityLink; -} + /** + * @return the useMandate + */ + public boolean isUseMandate() { + return useMandate; + } + /** + * @param useMandate the useMandate to set + */ + public void setUseMandate(boolean useMandate) { + this.useMandate = useMandate; + } - + + /** + * @return + */ + public String getQAALevel() { + return this.QAALevel; + } + + + /** + * @return + */ + public boolean isForeigner() { + return this.foreigner; + } + + + /** + * @param foreigner the foreigner to set + */ + public void setForeigner(boolean foreigner) { + this.foreigner = foreigner; + } + + + /** + * @param qAALevel the qAALevel to set + */ + public void setQAALevel(String qAALevel) { + QAALevel = qAALevel; + } + + + /** + * @return the ssoSession + */ + public boolean isSsoSession() { + return ssoSession; + } + + + /** + * @param ssoSession the ssoSession to set + */ + public void setSsoSession(boolean ssoSession) { + this.ssoSession = ssoSession; + } + + /** + * @param storkRequest the storkRequest to set + */ + public void setStorkRequest(STORKAuthnRequest storkRequest) { + this.storkRequest = storkRequest; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getStorkAuthnRequest() + */ + @Override + public STORKAuthnRequest getStorkAuthnRequest() { + return this.storkRequest; + } + + /** + * @return the storkAuthnResponse + */ + public String getStorkAuthnResponse() { + return storkAuthnResponse; + } + + /** + * @param storkAuthnResponse the storkAuthnResponse to set + */ + public void setStorkAuthnResponse(String storkAuthnResponse) { + this.storkAuthnResponse = storkAuthnResponse; + } + + /** + * @return the mandateReferenceValue + */ + public String getMandateReferenceValue() { + return mandateReferenceValue; + } + + /** + * @param mandateReferenceValue the mandateReferenceValue to set + */ + public void setMandateReferenceValue(String mandateReferenceValue) { + this.mandateReferenceValue = mandateReferenceValue; + } + + /** + * @return the ccc + */ + public String getCcc() { + return ccc; + } + + /** + * @param ccc the ccc to set + */ + public void setCcc(String ccc) { + this.ccc = ccc; + } + + /** + * @return the sessionIndex + */ + public String getSessionIndex() { + return sessionIndex; + } + + /** + * @param sessionIndex the sessionIndex to set + */ + public void setSessionIndex(String sessionIndex) { + this.sessionIndex = sessionIndex; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getNameID() + */ + @Override + public String getNameID() { + return this.nameID; + } + + /** + * @param nameID the nameID to set + */ + public void setNameID(String nameID) { + this.nameID = nameID; + } + + /** + * @return the nameIDFormat + */ + public String getNameIDFormat() { + return nameIDFormat; + } + + /** + * @param nameIDFormat the nameIDFormat to set + */ + public void setNameIDFormat(String nameIDFormat) { + this.nameIDFormat = nameIDFormat; + } + + /** + * @return the interfederatedSSOSession + */ + public boolean isInterfederatedSSOSession() { + return interfederatedSSOSession; + } + + /** + * @param interfederatedSSOSession the interfederatedSSOSession to set + */ + public void setInterfederatedSSOSession(boolean interfederatedSSOSession) { + this.interfederatedSSOSession = interfederatedSSOSession; + } + + /** + * @return the interfederatedIDP + */ + public String getInterfederatedIDP() { + return interfederatedIDP; + } + + /** + * @param interfederatedIDP the interfederatedIDP to set + */ + public void setInterfederatedIDP(String interfederatedIDP) { + this.interfederatedIDP = interfederatedIDP; + } + + + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java new file mode 100644 index 000000000..4ea81f134 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java @@ -0,0 +1,86 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.data; + +import java.util.Date; + +import org.w3c.dom.Element; + +import eu.stork.peps.auth.commons.IPersonalAttributeList; +import eu.stork.peps.auth.commons.STORKAuthnRequest; + +import at.gv.egovernment.moa.id.auth.data.IdentityLink; +import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; + +/** + * @author tlenz + * + */ +public interface IAuthData { + + Date getIssueInstant(); + String getIssuer(); + + boolean isSsoSession(); + boolean isInterfederatedSSOSession(); + boolean isUseMandate(); + + String getFamilyName(); + String getGivenName(); + Date getDateOfBirth(); + String getFormatedDateOfBirth(); + + String getBPK(); + String getBPKType(); + + String getInterfederatedIDP(); + + String getIdentificationValue(); + String getIdentificationType(); + + String getBkuURL(); + + IdentityLink getIdentityLink(); + byte[] getSignerCertificate(); + String getAuthBlock(); + + boolean isPublicAuthority(); + String getPublicAuthorityCode(); + boolean isQualifiedCertificate(); + + MISMandate getMISMandate(); + Element getMandate(); + String getMandateReferenceValue(); + + String getQAALevel(); + + String getSessionIndex(); + String getNameID(); + String getNameIDFormat(); + + boolean isForeigner(); + String getCcc(); + STORKAuthnRequest getStorkAuthnRequest(); + String getStorkAuthnResponse(); + IPersonalAttributeList getStorkAttributes(); +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java new file mode 100644 index 000000000..a0f3dd309 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java @@ -0,0 +1,155 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.data; + +import java.io.Serializable; +import java.util.ArrayList; +import java.util.Iterator; +import java.util.LinkedHashMap; +import java.util.List; + +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.metadata.SingleLogoutService; + +import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.SingleLogOutBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NOSLOServiceDescriptorException; + +/** + * @author tlenz + * + */ +public class SLOInformationContainer implements Serializable { + + private static final long serialVersionUID = 7148730740582881862L; + + private PVPTargetConfiguration sloRequest = null; + private LinkedHashMap<String, SLOInformationImpl> activeFrontChannalOAs = null; + private LinkedHashMap<String, SLOInformationImpl> activeBackChannelOAs = null; + private List<String> sloFailedOAs = null; + + + public void parseActiveOAs(List<OASessionStore> dbOAs, String removeOAID) { + activeFrontChannalOAs = new LinkedHashMap<String, SLOInformationImpl>(); + activeBackChannelOAs = new LinkedHashMap<String, SLOInformationImpl>(); + + if (dbOAs != null) { + for (OASessionStore oa : dbOAs) { + //Actually only PVP 2.1 support Single LogOut + if (PVP2XProtocol.NAME.equals(oa.getProtocolType()) && + !oa.getOaurlprefix().equals(removeOAID)) { + SingleLogoutService sloDesc; + try { + sloDesc = SingleLogOutBuilder.getRequestSLODescriptor(oa.getOaurlprefix()); + + if (sloDesc.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) + activeBackChannelOAs.put(oa.getOaurlprefix(), + new SLOInformationImpl( + oa.getAssertionSessionID(), + oa.getUserNameID(), + oa.getUserNameIDFormat(), + oa.getProtocolType(), + sloDesc)); + + else + activeFrontChannalOAs.put(oa.getOaurlprefix(), + new SLOInformationImpl( + oa.getAssertionSessionID(), + oa.getUserNameID(), + oa.getUserNameIDFormat(), + oa.getProtocolType(), + sloDesc)); + + } catch (NOSLOServiceDescriptorException e) { + putFailedOA(oa.getOaurlprefix()); + + } + + } else + putFailedOA(oa.getOaurlprefix()); + } + } + } + + public String getNextFrontChannelOA() { + Iterator<String> interator = activeFrontChannalOAs.keySet().iterator(); + if (interator.hasNext()) + return interator.next(); + + else + return null; + } + + public SLOInformationImpl getFrontChannelOASessionDescripten(String oaID) { + return activeFrontChannalOAs.get(oaID); + } + + public void removeFrontChannelOA(String oaID) { + activeFrontChannalOAs.remove(oaID); + } + + public Iterator<String> getNextBackChannelOA() { + return activeBackChannelOAs.keySet().iterator(); + } + + public SLOInformationImpl getBackChannelOASessionDescripten(String oaID) { + return activeBackChannelOAs.get(oaID); + } + + public void removeBackChannelOA(String oaID) { + activeBackChannelOAs.remove(oaID); + } + + /** + * @return the sloRequest + */ + public PVPTargetConfiguration getSloRequest() { + return sloRequest; + } + + /** + * @param sloRequest the sloRequest to set + */ + public void setSloRequest(PVPTargetConfiguration sloRequest) { + this.sloRequest = sloRequest; + } + + /** + * @return the sloFailedOAs + */ + public List<String> getSloFailedOAs() { + return sloFailedOAs; + } + + public void putFailedOA(String oaID) { + if (sloFailedOAs == null) + sloFailedOAs = new ArrayList<String>(); + sloFailedOAs.add(oaID); + } + + + + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java new file mode 100644 index 000000000..55b213702 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java @@ -0,0 +1,156 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.data; + +import java.io.Serializable; + +import org.opensaml.saml2.metadata.SingleLogoutService; + +/** + * @author tlenz + * + */ +public class SLOInformationImpl implements SLOInformationInterface, Serializable { + + private static final long serialVersionUID = 295577931870512387L; + private String sessionIndex = null; + private String nameID = null; + private String protocolType = null; + private String nameIDFormat = null; + private String binding = null; + private String serviceURL = null; + + public SLOInformationImpl(String sessionID, String nameID, String nameIDFormat, String protocolType) { + new SLOInformationImpl(sessionID, nameID, nameIDFormat, protocolType, null); + } + + public SLOInformationImpl(String sessionID, String nameID, String nameIDFormat, String protocolType, SingleLogoutService sloService) { + this.sessionIndex = sessionID; + this.nameID = nameID; + this.nameIDFormat = nameIDFormat; + this.protocolType = protocolType; + + if (sloService != null) { + this.binding = sloService.getBinding(); + this.serviceURL = sloService.getLocation(); + + } + } + + + /** + * + */ + public SLOInformationImpl() { + + } + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.SLOInformationInterface#getSessionIndex() + */ + @Override + public String getSessionIndex() { + return sessionIndex; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.SLOInformationInterface#getUserNameIdentifier() + */ + @Override + public String getUserNameIdentifier() { + return nameID; + + } + + + /** + * @param sessionIndex the sessionIndex to set + */ + public void setSessionIndex(String sessionIndex) { + this.sessionIndex = sessionIndex; + } + + + /** + * @param nameID the nameID to set + */ + public void setUserNameIdentifier(String nameID) { + this.nameID = nameID; + } + + + + /** + * @param protocolType the protocolType to set + */ + public void setProtocolType(String protocolType) { + this.protocolType = protocolType; + } + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.SLOInformationInterface#getProtocolType() + */ + @Override + public String getProtocolType() { + return protocolType; + } + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.SLOInformationInterface#getUserNameIDFormat() + */ + @Override + public String getUserNameIDFormat() { + return this.nameIDFormat; + } + + + /** + * @param nameIDFormat the nameIDFormat to set + */ + public void setNameIDFormat(String nameIDFormat) { + this.nameIDFormat = nameIDFormat; + } + + /** + * @return the binding + */ + public String getBinding() { + return binding; + } + + /** + * @return the serviceURL + */ + public String getServiceURL() { + return serviceURL; + } + + + + + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationInterface.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationInterface.java new file mode 100644 index 000000000..b2241f8ed --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationInterface.java @@ -0,0 +1,63 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.data; + +/** + * @author tlenz + * + */ +public interface SLOInformationInterface{ + + + /** + * get AssertionID which was used for Service Provider Single LogOut request + * + * @return + * SessionID (SessionIndex in case of SAML2) + */ + public String getSessionIndex(); + + /** + * get user identifier which was used + * + * @return + * bPK / wbPK (nameID in case of SAML2) + */ + public String getUserNameIdentifier(); + + + /** + * get protocol type which was used for authentication + * + * @return + * return authentication protocol type + */ + public String getProtocolType(); + + /** + * @return + */ + public String getUserNameIDFormat(); + + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 480deb867..a3827ab73 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -25,20 +25,18 @@ package at.gv.egovernment.moa.id.entrypoints; import java.io.IOException; import java.util.Iterator; -import java.util.Map; -import java.util.Set; -import java.util.concurrent.ConcurrentHashMap; import javax.servlet.ServletConfig; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; import at.gv.egovernment.moa.id.advancedlogging.StatisticLogger; import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer; +import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; +import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; @@ -46,6 +44,8 @@ import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.AuthenticationManager; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IModulInfo; @@ -57,6 +57,7 @@ import at.gv.egovernment.moa.id.moduls.SSOManager; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestValidatorException; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.storage.DBExceptionStoreImpl; +import at.gv.egovernment.moa.id.util.ErrorResponseUtils; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.id.util.legacy.LegacyHelper; @@ -223,8 +224,10 @@ public class DispatcherServlet extends AuthServlet{ } } - //HttpSession httpSession = req.getSession(); - //Map<String, IRequest> protocolRequests = null; + //get SSO Cookie for Request + SSOManager ssomanager = SSOManager.getInstance(); + String ssoId = ssomanager.getSSOSessionID(req); + IRequest protocolRequest = null; try { @@ -249,18 +252,47 @@ public class DispatcherServlet extends AuthServlet{ try { protocolRequest = info.preProcess(req, resp, action); - if (protocolRequest != null) { - + //request is a valid interfederation response + if (protocolRequest != null && + protocolRequest.getInterfederationResponse() != null ) { + Logger.debug("Create new interfederated MOA-Session and add to HTTPRequest"); + + //reload SP protocol implementation + info = ModulStorage.getModuleByPath(protocolRequest.requestedModule()); + moduleAction = info.getAction(protocolRequest.requestedAction()); + + //create interfederated mOASession + String sessionID = + AuthenticationSessionStoreage.createInterfederatedSession(protocolRequest, true, ssoId); + req.getParameterMap().put(PARAM_SESSIONID, sessionID); + + Logger.info("PreProcessing of SSO interfederation response complete. "); + + //request is a not valid interfederation response -> Restart local authentication + } else if (protocolRequest != null && + MiscUtil.isNotEmpty(protocolRequest.getRequestID())) { + Logger.info("Restart authentication with stored " + protocolRequest.requestedModule() + + " AuthnRequest for OnlineApplication " + protocolRequest.getOAURL()); + + //request is a new authentication request + } else if (protocolRequest != null && + MiscUtil.isEmpty(protocolRequest.getRequestID())) { //Start new Authentication - protocolRequest.setAction(action); protocolRequest.setModule(module); - protocolRequestID = Random.nextRandom(); - protocolRequest.setRequestID(protocolRequestID); - RequestStorage.setPendingRequest(protocolRequest); + //if preProcessing has not set a specific action from decoded request + // then set the default action + if (MiscUtil.isEmpty(protocolRequest.requestedAction())) + protocolRequest.setAction(action); + else + moduleAction = info.getAction(protocolRequest.requestedAction()); + protocolRequestID = Random.nextRandom(); + protocolRequest.setRequestID(protocolRequestID); + RequestStorage.setPendingRequest(protocolRequest); Logger.debug(DispatcherServlet.class.getName()+": Create PendingRequest with ID " + protocolRequestID + "."); - + + } else { Logger.error("Failed to generate a valid protocol request!"); resp.setContentType("text/html;charset=UTF-8"); @@ -280,30 +312,42 @@ public class DispatcherServlet extends AuthServlet{ StatisticLogger logger = StatisticLogger.getInstance(); logger.logErrorOperation(e, e.getErrorRequest()); return; - - } catch (MOAIDException e) { + + }catch (InvalidProtocolRequestException e) { + ErrorResponseUtils utils = ErrorResponseUtils.getInstance(); + String code = utils.mapInternalErrorToExternalError(e.getMessageId()); + String descr = e.getMessage(); + Logger.error("Protocol validation FAILED!"); + resp.setContentType("text/html;charset=UTF-8"); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Protocol validation FAILED!" + + "(Errorcode=" + code + + " | Description=" + descr + ")"); + return; + } catch (MOAIDException e) { Logger.error("Failed to generate a valid protocol request!"); resp.setContentType("text/html;charset=UTF-8"); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "NO valid protocol request received!"); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "NO valid protocol request received!" + + "(Errorcode=6000" + +" | Description=Das Authentifizierungsprotokoll wurde nicht erkannt oder wird nicht unterst\u00FCzt" + ")"); return; } } AuthenticationManager authmanager = AuthenticationManager.getInstance(); - SSOManager ssomanager = SSOManager.getInstance(); String moasessionID = null; String newSSOSessionId = null; AuthenticationSession moasession = null; - - //get SSO Cookie for Request - String ssoId = ssomanager.getSSOSessionID(req); - - boolean needAuthentication = moduleAction.needAuthentication(protocolRequest, req, resp); + IAuthData authData = null; + + boolean needAuthentication = moduleAction.needAuthentication(protocolRequest, req, resp); if (needAuthentication) { - + + //check if interfederation IDP is requested + ssomanager.checkInterfederationIsRequested(req, resp, protocolRequest); + //check SSO session if (ssoId != null) { String correspondingMOASession = ssomanager.existsOldSSOSession(ssoId); @@ -326,8 +370,8 @@ public class DispatcherServlet extends AuthServlet{ } - isValidSSOSession = ssomanager.isValidSSOSession(ssoId, req); - useSSOOA = oaParam.useSSO(); + isValidSSOSession = ssomanager.isValidSSOSession(ssoId, protocolRequest); + useSSOOA = oaParam.useSSO() || oaParam.isInderfederationIDP(); //if a legacy request is used SSO should not be allowed, actually @@ -377,38 +421,36 @@ public class DispatcherServlet extends AuthServlet{ if (oaParam.useSSOQuestion() && !AuthenticationSessionStoreage.isAuthenticated(moasessionID)) { authmanager.sendTransmitAssertionQuestion(req, resp, protocolRequest, oaParam); return; - } - } - else { + } - moasessionID = (String) req.getParameter(PARAM_SESSIONID); - + } else { + moasessionID = (String) req.getParameter(PARAM_SESSIONID); moasession = AuthenticationSessionStoreage.getSession(moasessionID); - } - + + } //save SSO session usage in Database newSSOSessionId = ssomanager.createSSOSessionInformations(moasessionID, protocolRequest.getOAURL()); - if (newSSOSessionId != null) { + if (MiscUtil.isNotEmpty(newSSOSessionId)) { ssomanager.setSSOSessionID(req, resp, newSSOSessionId); } else { ssomanager.deleteSSOSessionID(req, resp); + } - } else { - - moasessionID = (String) req.getParameter(PARAM_SESSIONID); - + } else { + moasessionID = (String) req.getParameter(PARAM_SESSIONID); moasession = AuthenticationSessionStoreage.getSession(moasessionID); moasessionID = AuthenticationSessionStoreage.changeSessionID(moasession); + } - - + //build authenticationdata from session information and OA configuration + authData = AuthenticationDataBuilder.buildAuthenticationData(protocolRequest, moasession); } - - String assertionID = moduleAction.processRequest(protocolRequest, req, resp, moasession); + + SLOInformationInterface assertionID = moduleAction.processRequest(protocolRequest, req, resp, authData); RequestStorage.removePendingRequest(protocolRequestID); @@ -436,7 +478,7 @@ public class DispatcherServlet extends AuthServlet{ //Advanced statistic logging StatisticLogger logger = StatisticLogger.getInstance(); - logger.logSuccessOperation(protocolRequest, moasession, isSSOSession); + logger.logSuccessOperation(protocolRequest, authData, isSSOSession); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/CertStoreConfigurationImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/CertStoreConfigurationImpl.java deleted file mode 100644 index b6fe20a61..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/CertStoreConfigurationImpl.java +++ /dev/null @@ -1,165 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/* - * Copyright 2003 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -package at.gv.egovernment.moa.id.iaik.config; - -import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.ConfigurationProvider; -import at.gv.egovernment.moa.id.iaik.servertools.observer.ObservableImpl; -import at.gv.egovernment.moa.logging.Logger; -import iaik.pki.store.certstore.CertStoreConfiguration; -import iaik.pki.store.certstore.CertStoreParameters; -import iaik.pki.store.certstore.CertStoreTypes; -import iaik.pki.store.certstore.directory.DirectoryCertStoreParameters; - -import java.io.File; - -/** - * Implementation of interface needed to initialize an IAIK JSSE <code>TrustManager</code> - * - * @author Paul Ivancsics - * @version $Id$ - */ -public class CertStoreConfigurationImpl extends ObservableImpl - implements CertStoreConfiguration, DirectoryCertStoreParameters { - /** - * identifies the rootDirectory - */ - private String rootDirectory; - /** - * ConfigurationProvider - */ - private ConfigurationProvider conf; - /** - * Array for storing all CertStoreParameters - */ - private CertStoreParameters[] parameters; - - /** - * Create a new <code>CertStoreConfigurationImpl</code>. - * - * @param conf The MOA configuration from which the configuration data is - * @throws ConfigurationException an any config-error - * being read. - */ - public CertStoreConfigurationImpl(ConfigurationProvider conf) throws ConfigurationException { - this.conf = conf; - - String certStoreRootDirParam = conf.getCertstoreDirectory(); - - if (certStoreRootDirParam == null) - throw new ConfigurationException( - "config.08", new Object[]{"CertStoreDirectory"}); - - //rootDirectory = FileUtils.makeAbsoluteURL(certStoreRootDirParam, conf.getRootConfigFileDir()); - rootDirectory = certStoreRootDirParam; - Logger.error("Using file: " + rootDirectory); - if (rootDirectory.startsWith("file:")) rootDirectory = rootDirectory.substring(5); - Logger.error("Using file2: " + rootDirectory); - - File f = new File(rootDirectory); - //Logger.error("Using file: " + certStoreRootDirParam + " param: " + conf.getRootConfigFileDir()); - - if (!f.exists()) { - Logger.error("File does not exists: " + f.getAbsolutePath()); - throw new ConfigurationException( - "config.05", new Object[]{"CertStoreDirectory"}); - } - - if (!f.isDirectory()) { - Logger.error("File is not a directory: " + f.getAbsolutePath()); - throw new ConfigurationException( - "config.05", new Object[]{"CertStoreDirectory"}); - } - - - parameters = new CertStoreParameters[]{this}; - } - - /** - * @see iaik.pki.store.certstore.CertStoreConfiguration#getParameters() - */ - public CertStoreParameters[] getParameters() { - return parameters; - } - - /** - * @see iaik.pki.store.certstore.directory.DirectoryCertStoreParameters#getRootDirectory() - */ - public String getRootDirectory() { - return rootDirectory; - } - - /** - * @see iaik.pki.store.certstore.directory.DirectoryCertStoreParameters#createNew() - */ - public boolean createNew() { - return false; - } - - /** - * @see iaik.pki.store.certstore.CertStoreParameters#getId() - */ - public String getId() { - return "MOA ID Directory CertStore"; - } - - /** - * @see iaik.pki.store.certstore.CertStoreParameters#isReadOnly() - */ - public boolean isReadOnly() { - return false; - } - - /** - * @return <code>CertStoreTypes.DIRECTORY</code> - * @see iaik.pki.store.certstore.CertStoreParameters#getType() - */ - public String getType() { - return CertStoreTypes.DIRECTORY; - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/PKIConfigurationImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/PKIConfigurationImpl.java deleted file mode 100644 index 064d8a835..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/PKIConfigurationImpl.java +++ /dev/null @@ -1,120 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/* - * Copyright 2003 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -package at.gv.egovernment.moa.id.iaik.config; - -import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.ConfigurationProvider; -import iaik.pki.PKIConfiguration; -import iaik.pki.pathvalidation.ValidationConfiguration; -import iaik.pki.revocation.RevocationConfiguration; -import iaik.pki.store.certstore.CertStoreConfiguration; -import iaik.pki.store.revocation.archive.ArchiveConfiguration; - -/** - * Implementation of interface <code>PKIConfiguration</code> needed to - * initialize an IAIK JSSE <code>TrustManager</code> - * - * @author Paul Ivancsics - * @version $Id$ - */ -public class PKIConfigurationImpl implements PKIConfiguration { - /** The configuration for the CertStore */ - private CertStoreConfiguration certStoreConfiguration; - /** The configuration for the RevocationChecks */ - private RevocationConfiguration revocationConfiguration; - /** The configuration for the Validation */ - private ValidationConfiguration validationConfiguration; - - /** - * Constructor - * @param conf the Configuration for the PKIConfig - * @throws ConfigurationException for any config error - */ - public PKIConfigurationImpl(ConfigurationProvider conf) throws ConfigurationException { - - certStoreConfiguration = new CertStoreConfigurationImpl(conf); - revocationConfiguration = new RevocationConfigurationImpl(); - validationConfiguration = new ValidationConfigurationImpl(conf); - } - - /** - * @see iaik.pki.PKIConfiguration#getCertStoreConfiguration() - */ - public CertStoreConfiguration getCertStoreConfiguration() { - return certStoreConfiguration; - } - - /** - * @see iaik.pki.PKIConfiguration#getRevocationConfiguration() - */ - public RevocationConfiguration getRevocationConfiguration() { - return revocationConfiguration; - } - - /** - * @see iaik.pki.PKIConfiguration#getArchiveConfiguration() - */ - public ArchiveConfiguration getArchiveConfiguration() { - return null; - } - - /** - * @see iaik.pki.PKIConfiguration#getValidationConfiguration() - */ - public ValidationConfiguration getValidationConfiguration() { - return validationConfiguration; - } - -/* (non-Javadoc) - * @see iaik.pki.PKIConfiguration#getTimeout() - */ - public int getTimeout() { - // TODO Auto-generated method stub - return 0; -} - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/RevocationConfigurationImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/RevocationConfigurationImpl.java deleted file mode 100644 index 2c24161f6..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/RevocationConfigurationImpl.java +++ /dev/null @@ -1,86 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/* - * Copyright 2003 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -package at.gv.egovernment.moa.id.iaik.config; - -import iaik.pki.revocation.RevocationConfiguration; - -import java.security.cert.X509Certificate; -import java.util.Collections; -import java.util.Date; -import java.util.Set; - -import at.gv.egovernment.moa.id.iaik.servertools.observer.ObservableImpl; - -/** - * Implementation of interface needed to initialize an IAIK JSSE <code>TrustManager</code> - * @author Paul Ivancsics - * @version $Id$ - */ -public class RevocationConfigurationImpl extends ObservableImpl implements RevocationConfiguration { - - /** - * @see iaik.pki.revocation.RevocationConfiguration#getAlternativeDistributionPoints(java.security.cert.X509Certificate, java.security.cert.X509Certificate, java.util.Date) - */ - public Set getAlternativeDistributionPoints( - X509Certificate arg0, - X509Certificate arg1, - Date arg2) { - return Collections.EMPTY_SET; - } - - /** - * @see iaik.pki.revocation.RevocationConfiguration#archiveRevocationInfo(java.lang.String, java.lang.String) - */ - public boolean archiveRevocationInfo(String arg0, String arg1) { - return false; - } - - public Integer getCrlRetentionInterval(String arg0) { - return null; - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/ValidationConfigurationImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/ValidationConfigurationImpl.java deleted file mode 100644 index d230eef26..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/ValidationConfigurationImpl.java +++ /dev/null @@ -1,97 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/* - * Copyright 2003 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -package at.gv.egovernment.moa.id.iaik.config; - -import iaik.pki.pathvalidation.ValidationConfiguration; - -import java.security.cert.X509Certificate; -import java.security.spec.AlgorithmParameterSpec; - -import at.gv.egovernment.moa.id.config.ConfigurationProvider; -import at.gv.egovernment.moa.id.iaik.servertools.observer.ObservableImpl; - -/** - * Implementation of interface needed to initialize an IAIK JSSE <code>TrustManager</code> - * @author Paul Ivancsics - * @version $Id$ - */ -public class ValidationConfigurationImpl extends ObservableImpl - implements ValidationConfiguration { - /** The ConfigurationProvider for the validation*/ - private ConfigurationProvider conf; - - /** - * Constructor - * @param conf with the configuration - */ - public ValidationConfigurationImpl(ConfigurationProvider conf) { - this.conf = conf; - } - - /** - * @see iaik.pki.pathvalidation.ValidationConfiguration#getChainingMode(java.security.cert.X509Certificate) - */ - public String getChainingMode(X509Certificate trustAnchor) { - String chainingMode = conf.getChainingMode(trustAnchor); - return chainingMode; - } - - /** - * @see iaik.pki.pathvalidation.ValidationConfiguration#getPublicKeyParamsAsSpec(java.security.cert.X509Certificate) - */ - public AlgorithmParameterSpec getPublicKeyParamsAsSpec(X509Certificate arg0) { - return null; - } - - /** - * @see iaik.pki.pathvalidation.ValidationConfiguration#getPublicKeyParamsAsCert(java.security.cert.X509Certificate) - */ - public X509Certificate getPublicKeyParamsAsCert(X509Certificate arg0) { - return null; - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/pki/PKIProfileImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/pki/PKIProfileImpl.java deleted file mode 100644 index 8afba2a12..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/pki/PKIProfileImpl.java +++ /dev/null @@ -1,232 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/* - * Copyright 2003 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -package at.gv.egovernment.moa.id.iaik.pki; - -import java.security.cert.X509Certificate; -import java.util.Collections; -import java.util.Set; - -import iaik.pki.PKIProfile; -import iaik.pki.pathvalidation.ValidationProfile; -import iaik.pki.revocation.RevocationProfile; -import iaik.pki.revocation.RevocationSourceTypes; -import iaik.pki.store.truststore.TrustStoreProfile; -import iaik.pki.store.truststore.TrustStoreTypes; - -import at.gv.egovernment.moa.id.iaik.servertools.observer.ObservableImpl; - -/** - * Implementation of the <code>PKIProfile</code> interface and subinterfaces - * providing information needed for certificate path validation. - * - * @author Paul Ivancsics - * @version $Id$ - */ -public class PKIProfileImpl extends ObservableImpl - implements PKIProfile, RevocationProfile, TrustStoreProfile, ValidationProfile { - - /** - * URI to the truststore - */ - private String trustStoreURI; - - /** - * revocation checking; - */ - private boolean revocationChecking; - - /** - * The trust profile identifier. - */ - private String id; - - - /** - * Create a new <code>PKIProfileImpl</code>. - * - * @param trustStoreURI trust store URI - */ - public PKIProfileImpl(String trustStoreURI, boolean revocationChecking) { - this.trustStoreURI = trustStoreURI; - this.revocationChecking = revocationChecking; - String id = String.valueOf(System.currentTimeMillis()); - setId("id-" + id); - } - - /** - * @see iaik.pki.PKIProfile#autoAddCertificates() - */ - public boolean autoAddCertificates() { - return true; - } - - /** - * @see iaik.pki.PKIProfile#getRevocationProfile() - */ - public RevocationProfile getRevocationProfile() { - return this; - } - - /** - * @see iaik.pki.PKIProfile#getTrustStoreProfile() - */ - public TrustStoreProfile getTrustStoreProfile() { - return this; - } - - /** - * @see iaik.pki.PKIProfile#getValidationProfile() - */ - public ValidationProfile getValidationProfile() { - return this; - } - - /** - * @see iaik.pki.PKIProfile#useAuthorityInfoAccess() - */ - public boolean useAuthorityInfoAccess() { - return true; - } - - /** - * @see iaik.pki.revocation.RevocationProfile#getMaxRevocationAge(java.lang.String) - */ - public long getMaxRevocationAge(String arg0) { - return 0; - } - - /** - * @see iaik.pki.revocation.RevocationProfile#getOCSPRequestHashAlgorithm() - */ - public String getOCSPRequestHashAlgorithm() { - return null; - } - - /** - * @see iaik.pki.revocation.RevocationProfile#getPreferredServiceOrder(java.security.cert.X509Certificate) - */ - public String[] getPreferredServiceOrder(X509Certificate arg0) { - return new String[] {RevocationSourceTypes.CRL}; - } - - /** - * @see iaik.pki.store.truststore.TrustStoreProfile#getType() - */ - public String getType() { - return TrustStoreTypes.DIRECTORY; - } - - /** - * @see iaik.pki.store.truststore.TrustStoreProfile#getURI() - */ - public String getURI() { - return trustStoreURI; - } - - /** - * @see iaik.pki.pathvalidation.ValidationProfile#getInitialAnyPolicyInhibit() - */ - public boolean getInitialAnyPolicyInhibit() { - return false; - } - - /** - * @see iaik.pki.pathvalidation.ValidationProfile#getInitialExplicitPolicy() - */ - public boolean getInitialExplicitPolicy() { - return false; - } - - /** - * @see iaik.pki.pathvalidation.ValidationProfile#getInitialPolicyMappingInhibit() - */ - public boolean getInitialPolicyMappingInhibit() { - return false; - } - - /** - * @see iaik.pki.pathvalidation.ValidationProfile#getInitialPolicySet() - */ - public Set getInitialPolicySet() { - return Collections.EMPTY_SET; - } - - /** - * @see iaik.pki.pathvalidation.ValidationProfile#getNameConstraintsProcessing() - */ - public boolean getNameConstraintsProcessing() { - return false; - } - - /** - * @see iaik.pki.pathvalidation.ValidationProfile#getPolicyProcessing() - */ - public boolean getPolicyProcessing() { - return false; - } - - /** - * @see iaik.pki.pathvalidation.ValidationProfile#getRevocationChecking() - */ - public boolean getRevocationChecking() { - return this.revocationChecking; - } - - /** - * @see iaik.pki.store.truststore.TrustStoreProfile#getId() - */ - public String getId() { - return id; - } - /** - * Sets the trust profile identifier. - * @param id The id to set. - */ - public void setId(String id) { - this.id = id; - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/pki/jsse/MOAIDTrustManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/pki/jsse/MOAIDTrustManager.java deleted file mode 100644 index 202be882e..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/pki/jsse/MOAIDTrustManager.java +++ /dev/null @@ -1,165 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/* - * Copyright 2003 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -package at.gv.egovernment.moa.id.iaik.pki.jsse; - -import java.io.File; -import java.io.FileInputStream; -import java.io.IOException; -import java.net.URL; -import java.security.GeneralSecurityException; -import java.security.cert.CertificateFactory; -import java.security.cert.X509Certificate; -import java.util.ArrayList; -import java.util.List; - -import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.logging.LoggingContext; -import at.gv.egovernment.moa.logging.LoggingContextManager; - -import iaik.pki.jsse.IAIKX509TrustManager; - -/** - * <code>TrustManager</code> implementation featuring CRL checking (inherited from - * <code>IAIKX509TrustManager</code>), plus server-end-SSL-certificate checking. - * - * @author Paul Ivancsics - * @version $Id$ - */ -public class MOAIDTrustManager extends IAIKX509TrustManager { - - /** an x509Certificate array containing all accepted server certificates*/ - private X509Certificate[] acceptedServerCertificates; - - /** - * Constructor - * @param acceptedServerCertificateStoreURL the url leading to the acceptedServer cert store - * @throws GeneralSecurityException occurs on security errors - * @throws IOException occurs on IO errors - */ - public MOAIDTrustManager(String acceptedServerCertificateStoreURL) - throws IOException, GeneralSecurityException { - - if (acceptedServerCertificateStoreURL != null) - buildAcceptedServerCertificates(acceptedServerCertificateStoreURL); - else - acceptedServerCertificates = null; - } - - - /** - * Initializes the LoggingContextManager logging context. - * Fixes a bug occuring in the case MOA-SP is called by API. - * In this case, IAIKX509TrustManager uses the LogginConfig of MOA-SP. - * This method must be called before a MOAIDTrustManager is constructed, - * from every thread. - */ - public static void initializeLoggingContext() { - if (LoggingContextManager.getInstance().getLoggingContext() == null) - LoggingContextManager.getInstance().setLoggingContext( - new LoggingContext(Thread.currentThread().getName())); - } - - - /** - * Builds an Array of accepted server certificates from an URL, - * and stores it in <code>acceptedServerCertificates</code>. - * @param acceptedServerCertificateStoreURL file URL pointing to the directory - * containing accepted server X509 certificates - * @throws GeneralSecurityException on security errors - * @throws IOException on any IO errors - */ - private void buildAcceptedServerCertificates(String acceptedServerCertificateStoreURL) - throws IOException, GeneralSecurityException { - - List<X509Certificate> certList = new ArrayList<X509Certificate>(); - URL storeURL = new URL(acceptedServerCertificateStoreURL); - File storeDir = new File(storeURL.getFile()); - // list certificate files in directory - File[] certFiles = storeDir.listFiles(); - for (int i = 0; i < certFiles.length; i++) { - // for each: create an X509Certificate and store it in list - File certFile = certFiles[i]; - FileInputStream fis = new FileInputStream(certFile.getPath()); - CertificateFactory certFact = CertificateFactory.getInstance("X.509"); - X509Certificate cert = (X509Certificate)certFact.generateCertificate(fis); - fis.close(); - certList.add(cert); - } - // store acceptedServerCertificates - acceptedServerCertificates = (X509Certificate[]) certList.toArray(new X509Certificate[0]); - } - - /** - * Does additional server-end-SSL-certificate checking. - * @see com.sun.net.ssl.X509TrustManager#isServerTrusted(java.security.cert.X509Certificate[]) - */ - public boolean isServerTrusted(X509Certificate[] certChain) { - boolean trusted = super.isServerTrusted(certChain); - if (! trusted || acceptedServerCertificates == null) - return trusted; - else { - // check server-end-SSL-certificate with acceptedServerCertificates - X509Certificate serverCert = certChain[0]; - for (int i = 0; i < acceptedServerCertificates.length; i++) { - X509Certificate acceptedServerCert = acceptedServerCertificates[i]; - if (serverCert.equals(acceptedServerCert)) - return true; - } - Logger.warn(MOAIDMessageProvider.getInstance().getMessage("ssl.01", null)); - return false; - } - } - /** - * In rare cases, this method is being called although it should not be. - * @see com.sun.net.ssl.X509TrustManager#isClientTrusted(X509Certificate[]) - */ - public boolean isClientTrusted(java.security.cert.X509Certificate arg0[]) - { - return true; - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/servertools/observer/ObservableImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/servertools/observer/ObservableImpl.java deleted file mode 100644 index 16184502d..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/servertools/observer/ObservableImpl.java +++ /dev/null @@ -1,92 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/* - * Copyright 2003 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -package at.gv.egovernment.moa.id.iaik.servertools.observer; - -import iaik.pki.store.observer.NotificationData; -import iaik.pki.store.observer.Observable; -import iaik.pki.store.observer.Observer; - -import java.util.ArrayList; -import java.util.Iterator; -import java.util.List; - - -/** - * Implementation of interface <needed to initialize an IAIK JSSE <code>TrustManager</code> - * @author Paul Ivancsics - * @version $Id$ - */ -public class ObservableImpl implements Observable { - /** a List for all observers */ - private List<Observer> observers = new ArrayList<Observer>(); - - /** - * @see iaik.pki.store.observer.Observable#addObserver(iaik.pki.store.observer.Observer) - */ - public void addObserver(Observer observer) { - observers.add(observer); - } - - /** - * @see iaik.pki.store.observer.Observable#removeObserver(iaik.pki.store.observer.Observer) - */ - public boolean removeObserver(Observer observer) { - return observers.remove(observer); - } - - /** - * @see iaik.pki.store.observer.Observable#notify(iaik.pki.store.observer.NotificationData) - */ - public void notify(NotificationData data) { - Iterator<Observer> iter = observers.iterator(); - for (iter = observers.iterator(); iter.hasNext();) { - Observer observer = (Observer) iter.next(); - observer.notify(data); - } - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 03a61d08f..5a06b3ecd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -24,12 +24,37 @@ package at.gv.egovernment.moa.id.moduls; import java.io.IOException; import java.io.PrintWriter; +import java.security.NoSuchAlgorithmException; import java.util.List; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.joda.time.DateTime; +import org.opensaml.common.impl.SecureRandomIdentifierGenerator; +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.core.AuthnContextClassRef; +import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; +import org.opensaml.saml2.core.AuthnRequest; +import org.opensaml.saml2.core.Issuer; +import org.opensaml.saml2.core.NameID; +import org.opensaml.saml2.core.NameIDPolicy; +import org.opensaml.saml2.core.NameIDType; +import org.opensaml.saml2.core.RequestedAuthnContext; +import org.opensaml.saml2.core.Subject; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.IDPSSODescriptor; +import org.opensaml.saml2.metadata.SingleSignOnService; +import org.opensaml.saml2.metadata.provider.MetadataProviderException; +import org.opensaml.security.MetadataCredentialResolver; +import org.opensaml.security.MetadataCredentialResolverFactory; +import org.opensaml.security.MetadataCriteria; +import org.opensaml.ws.message.encoder.MessageEncodingException; +import org.opensaml.xml.security.CriteriaSet; +import org.opensaml.xml.security.SecurityException; +import org.opensaml.xml.security.criteria.EntityIDCriteria; + import at.gv.egovernment.moa.id.auth.builder.LoginFormBuilder; import at.gv.egovernment.moa.id.auth.builder.SendAssertionFormBuilder; import at.gv.egovernment.moa.id.auth.builder.StartAuthenticationBuilder; @@ -42,9 +67,17 @@ import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.ArtifactBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.StringUtils; public class AuthenticationManager extends AuthServlet { @@ -65,7 +98,6 @@ public class AuthenticationManager extends AuthServlet { return instance; } - /** * Checks if this request can authenticate a MOA Session * @@ -82,9 +114,7 @@ public class AuthenticationManager extends AuthServlet { AuthenticationSession authSession; try { authSession = AuthenticationSessionStoreage.getSession(sessionID); - - - + if (authSession != null) { Logger.info("MOASession found! A: " + authSession.isAuthenticated() + ", AU " @@ -148,16 +178,168 @@ public class AuthenticationManager extends AuthServlet { public void doAuthentication(HttpServletRequest request, HttpServletResponse response, IRequest target) throws ServletException, IOException, MOAIDException { + Logger.info("Starting authentication ..."); + + if (MiscUtil.isEmpty(target.getRequestedIDP())) { + perfomLocalAuthentication(request, response, target); + + } else { + Logger.info("Use IDP " + target.getRequestedIDP() + " for authentication ..."); + buildPVP21AuthenticationRequest(request, response, target); + + } + } + + public void sendTransmitAssertionQuestion(HttpServletRequest request, + HttpServletResponse response, IRequest target, OAAuthParameter oaParam) + throws ServletException, IOException, MOAIDException { + + String form = SendAssertionFormBuilder.buildForm(target.requestedModule(), + target.requestedAction(), target.getRequestID(), oaParam, request.getContextPath()); + + response.setContentType("text/html;charset=UTF-8"); + PrintWriter out = new PrintWriter(response.getOutputStream()); + out.print(form); + out.flush(); + } + + private void buildPVP21AuthenticationRequest(HttpServletRequest request, + HttpServletResponse response, IRequest target) + throws ServletException, IOException, MOAIDException { + + boolean requiredLocalAuthentication = true; + + Logger.debug("Build PVP 2.1 authentication request"); + + //get IDP metadata + try { + OAAuthParameter idp = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(target.getRequestedIDP()); + if (!idp.isInderfederationIDP() || !idp.isInboundSSOInterfederationAllowed()) { + Logger.info("Requested interfederation IDP " + target.getRequestedIDP() + " is not valid for interfederation."); + Logger.info("Switch to local authentication on this IDP ... "); + perfomLocalAuthentication(request, response, target); + return; + + } + + EntityDescriptor idpEntity = MOAMetadataProvider.getInstance(). + getEntityDescriptor(target.getRequestedIDP()); + + if (idpEntity != null ) { + + //fetch endpoint from IDP metadata + SingleSignOnService redirectEndpoint = null; + for (SingleSignOnService sss : + idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleSignOnServices()) { + + // use POST binding as default if it exists + //TODO: maybe use RedirectBinding as default + if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) { + redirectEndpoint = sss; + + } else if ( sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI) && + redirectEndpoint == null ) + redirectEndpoint = sss; + } + + if (redirectEndpoint != null) { + + AuthnRequest authReq = SAML2Utils + .createSAMLObject(AuthnRequest.class); + SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator(); + authReq.setID(gen.generateIdentifier()); -// if (!ParamValidatorUtils.isValidOA(target.getOAURL())) -// throw new WrongParametersException("StartAuthentication", PARAM_OA, -// "auth.12"); -// -// if (target.getOAURL() == null) { -// throw new WrongParametersException("StartAuthentication", PARAM_OA, -// "auth.12"); -// } + //send passive AuthnRequest + authReq.setIsPassive(true); + + authReq.setAssertionConsumerServiceIndex(0); + authReq.setIssueInstant(new DateTime()); + Subject subject = SAML2Utils.createSAMLObject(Subject.class); + NameID name = SAML2Utils.createSAMLObject(NameID.class); + Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); + + String serviceURL = PVPConfiguration.getInstance().getIDPPublicPath(); + name.setValue(serviceURL); + issuer.setValue(serviceURL); + + subject.setNameID(name); + authReq.setSubject(subject); + issuer.setFormat(NameIDType.ENTITY); + authReq.setIssuer(issuer); + NameIDPolicy policy = SAML2Utils + .createSAMLObject(NameIDPolicy.class); + policy.setAllowCreate(true); + policy.setFormat(NameID.TRANSIENT); + authReq.setNameIDPolicy(policy); + + authReq.setDestination(redirectEndpoint.getLocation()); + + RequestedAuthnContext reqAuthContext = + SAML2Utils.createSAMLObject(RequestedAuthnContext.class); + + AuthnContextClassRef authnClassRef = + SAML2Utils.createSAMLObject(AuthnContextClassRef.class); + authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4"); + reqAuthContext.setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM); + reqAuthContext.getAuthnContextClassRefs().add(authnClassRef); + authReq.setRequestedAuthnContext(reqAuthContext); + + + IEncoder binding = null; + if (redirectEndpoint.getBinding().equals( + SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { + binding = new RedirectBinding(); + + } else if (redirectEndpoint.getBinding().equals( + SAMLConstants.SAML2_POST_BINDING_URI)) { + binding = new PostBinding(); + + } + + binding.encodeRequest(request, response, authReq, + redirectEndpoint.getLocation(), target.getRequestID()); + + //build and send request without an error + requiredLocalAuthentication = false; + + } else { + Logger.warn("Requested IDP " + target.getRequestedIDP() + + " does not support POST or Redirect Binding."); + + } + + } else { + Logger.warn("Requested IDP " + target.getRequestedIDP() + + " is not found in InterFederation configuration"); + + } + + } catch (MetadataProviderException e) { + Logger.error("IDP metadata error." , e); + + } catch (NoSuchAlgorithmException e) { + Logger.error("Build IDP authentication request FAILED.", e); + + } catch (MessageEncodingException e) { + Logger.error("Build IDP authentication request FAILED.", e); + + } catch (SecurityException e) { + Logger.error("Build IDP authentication request FAILED.", e); + + } + + if (requiredLocalAuthentication) { + Logger.info("Switch to local authentication on this IDP ... "); + perfomLocalAuthentication(request, response, target); + } + } + + + private void perfomLocalAuthentication(HttpServletRequest request, + HttpServletResponse response, IRequest target) + throws ServletException, IOException, MOAIDException { + Logger.debug("Starting authentication on this IDP ..."); setNoCachingHeadersInHttpRespone(request, response); @@ -183,17 +365,12 @@ public class AuthenticationManager extends AuthServlet { if (legacyallowed && legacyparamavail) { - //parse request parameter into MOASession - + //parse request parameter into MOASession StartAuthentificationParameterParser.parse(request, response, moasession, target); Logger.info("Start Authentication Module: " + moasession.getModul() + " Action: " + moasession.getAction()); - - //start authentication process -// session.getServletContext().getNamedDispatcher("StartAuthentication") -// .forward(request, response); - + StartAuthenticationBuilder startauth = StartAuthenticationBuilder.getInstance(); String getIdentityLinkForm = startauth.build(moasession, request, response); @@ -260,17 +437,4 @@ public class AuthenticationManager extends AuthServlet { out.flush(); } } - - public void sendTransmitAssertionQuestion(HttpServletRequest request, - HttpServletResponse response, IRequest target, OAAuthParameter oaParam) - throws ServletException, IOException, MOAIDException { - - String form = SendAssertionFormBuilder.buildForm(target.requestedModule(), - target.requestedAction(), target.getRequestID(), oaParam, request.getContextPath()); - - response.setContentType("text/html;charset=UTF-8"); - PrintWriter out = new PrintWriter(response.getOutputStream()); - out.print(form); - out.flush(); - } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IAction.java index 9a3d3986b..529e2ab81 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IAction.java @@ -26,11 +26,13 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.SLOInformationInterface; public interface IAction extends MOAIDAuthConstants { - public String processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, AuthenticationSession moasession) + public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException; public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java index 2ef24c084..aaeb84f92 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java @@ -22,6 +22,12 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.moduls; +import java.util.List; + +import org.opensaml.saml2.core.Attribute; + +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; + public interface IRequest { public String getOAURL(); public boolean isPassiv(); @@ -33,7 +39,10 @@ public interface IRequest { public void setAction(String action); public String getTarget(); public void setRequestID(String id); - public String getRequestID(); + public String getRequestID(); + public String getRequestedIDP(); + public MOAResponse getInterfederationResponse(); + public List<Attribute> getRequestedAttributes(); //public void setTarget(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java index b9b1742e4..4a54a516b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java @@ -23,8 +23,13 @@ package at.gv.egovernment.moa.id.moduls; import java.io.Serializable; +import java.util.List; -public class RequestImpl implements IRequest, Serializable{ +import org.opensaml.saml2.core.Attribute; + +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; + +public abstract class RequestImpl implements IRequest, Serializable{ private static final long serialVersionUID = 1L; @@ -37,6 +42,16 @@ public class RequestImpl implements IRequest, Serializable{ private String target = null; private String requestID; + //MOA-ID interfederation + private String requestedIDP = null; + private MOAResponse response = null; + + /** + * This method map the protocol specific requested attributes to PVP 2.1 attributes. + * + * @return List of PVP 2.1 attributes with maps all protocol specific attributes + */ + public abstract List<Attribute> getRequestedAttributes(); public void setOAURL(String value) { oaURL = value; @@ -102,4 +117,36 @@ public class RequestImpl implements IRequest, Serializable{ public String getRequestID() { return requestID; } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IRequest#getRequestedIDP() + */ + @Override + public String getRequestedIDP() { + return requestedIDP; + } + + /** + * @param requestedIDP the requestedIDP to set + */ + public void setRequestedIDP(String requestedIDP) { + this.requestedIDP = requestedIDP; + } + + /** + * @return the response + */ + public MOAResponse getInterfederationResponse() { + return response; + } + + /** + * @param response the response to set + */ + public void setInterfederationResponse(MOAResponse response) { + this.response = response; + } + + + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java index 684c6630a..f4f89a4ba 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java @@ -31,11 +31,15 @@ import javax.servlet.http.HttpServletResponse; import org.hibernate.Query; import org.hibernate.Session; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.session.AuthenticatedSessionStore; +import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; @@ -44,9 +48,12 @@ import at.gv.egovernment.moa.util.MiscUtil; public class SSOManager { private static final String SSOCOOKIE = "MOA_ID_SSO"; + private static final String SSOINTERFEDERATION = "MOA_INTERFEDERATION_SSO"; private static final int DEFAULTSSOTIMEOUT = 15 * 60; // sec + private static final int INTERFEDERATIONCOOKIEMAXAGE = 5 * 60;// sec + private static SSOManager instance = null; private static int sso_timeout; @@ -68,7 +75,46 @@ public class SSOManager { return instance; } - public boolean isValidSSOSession(String ssoSessionID, HttpServletRequest httpReq) { + public void checkInterfederationIsRequested(HttpServletRequest httpReq, HttpServletResponse httpResp, + IRequest protocolRequest) { + String interIDP = httpReq.getParameter(MOAIDAuthConstants.INTERFEDERATION_IDP); + + if (MiscUtil.isNotEmpty(protocolRequest.getRequestedIDP())) { + Logger.info("Protocolspecific preprocessing already set interfederation IDP " + protocolRequest.getRequestedIDP()); + + } + + if (protocolRequest instanceof RequestImpl) { + //check if IDP is requested + RequestImpl moaReq = (RequestImpl) protocolRequest; + if (MiscUtil.isNotEmpty(interIDP)) { + Logger.info("Receive SSO request for interfederation IDP " + interIDP); + moaReq.setRequestedIDP(interIDP); + + } else { + //check if IDP cookie is set + String cookie = getValueFromCookie(httpReq, SSOINTERFEDERATION); + if (MiscUtil.isNotEmpty(cookie)) { + Logger.info("Receive SSO request for interfederated IDP from Cookie " + cookie); + moaReq.setRequestedIDP(cookie); + + deleteCookie(httpReq, httpResp, SSOINTERFEDERATION); + } + } + + } else { + Logger.warn("Request is not of type RequestImpl"); + + } + } + + public void setInterfederationIDPCookie(HttpServletRequest httpReq, HttpServletResponse httpResp, String value) { + setCookie(httpReq, httpResp, SSOINTERFEDERATION, value, INTERFEDERATIONCOOKIEMAXAGE); + + } + + + public boolean isValidSSOSession(String ssoSessionID, IRequest protocolRequest) { // search SSO Session if (ssoSessionID == null) { @@ -76,15 +122,43 @@ public class SSOManager { return false; } - // String moaSessionId =HTTPSessionUtils.getHTTPSessionString(httpReq.getSession(), - // AuthenticationManager.MOA_SESSION, null); + AuthenticatedSessionStore storedSession = AuthenticationSessionStoreage.isValidSessionWithSSOID(ssoSessionID, null); - return AuthenticationSessionStoreage.isValidSessionWithSSOID(ssoSessionID, null); + if (storedSession == null) + return false; + + else { + if (protocolRequest != null && + protocolRequest instanceof RequestImpl && + storedSession.isInterfederatedSSOSession() && + !storedSession.isAuthenticated()) { + + if (MiscUtil.isEmpty(((RequestImpl) protocolRequest).getRequestedIDP())) { + InterfederationSessionStore selectedIDP = AuthenticationSessionStoreage.searchInterfederatedIDPFORSSOWithMOASession(storedSession.getSessionid()); + + if (selectedIDP != null) { + //no local SSO session exist -> request interfederated IDP + ((RequestImpl) protocolRequest).setRequestedIDP(selectedIDP.getIdpurlprefix()); + + } else { + Logger.warn("MOASession is marked as interfederated SSO session but no interfederated IDP is found. Switch to local authentication ..."); + MOASessionDBUtils.delete(storedSession); + + } + } + + return false; + + } + + return true; + } } public String getMOASession(String ssoSessionID) { - return AuthenticationSessionStoreage.getMOASessionID(ssoSessionID); + return AuthenticationSessionStoreage.getMOASessionSSOID(ssoSessionID); + } public String existsOldSSOSession(String ssoId) { @@ -95,24 +169,10 @@ public class SSOManager { List<OldSSOSessionIDStore> result; synchronized (session) { - -// try { -// session.getTransaction().rollback(); -// } -// catch (Exception e) { -// e.printStackTrace(); -// } -// try { -// session.getSessionFactory().openSession(); -// } -// catch (Exception e) { -// e.printStackTrace(); -// } - // session.getTransaction().begin(); - + session.beginTransaction(); Query query = session.getNamedQuery("getSSOSessionWithOldSessionID"); - query.setString("sessionid", ssoId); + query.setParameter("sessionid", ssoId); result = query.list(); // send transaction @@ -156,22 +216,58 @@ public class SSOManager { return newSSOId; } - + public void setSSOSessionID(HttpServletRequest httpReq, HttpServletResponse httpResp, String ssoId) { - Cookie[] cookies = httpReq.getCookies(); + setCookie(httpReq, httpResp, SSOCOOKIE, ssoId, sso_timeout); - if (cookies != null) { - deleteSSOSessionID(httpReq, httpResp); - } + } - Cookie cookie = new Cookie(SSOCOOKIE, ssoId); - cookie.setMaxAge(sso_timeout); - cookie.setSecure(true); - cookie.setPath(httpReq.getContextPath()); - httpResp.addCookie(cookie); + public String getSSOSessionID(HttpServletRequest httpReq) { + return getValueFromCookie(httpReq, SSOCOOKIE); + + } + + public void deleteSSOSessionID(HttpServletRequest httpReq, HttpServletResponse httpResp) { + deleteCookie(httpReq, httpResp, SSOCOOKIE); } - public String getSSOSessionID(HttpServletRequest httpReq) { + /** + * @param entityID + * @param request + */ + public boolean removeInterfederatedSSOIDP(String entityID, + HttpServletRequest request) { + + String ssoSessionID = getSSOSessionID(request); + + if (MiscUtil.isNotEmpty(ssoSessionID)) { + + AuthenticatedSessionStore storedSession = AuthenticationSessionStoreage.isValidSessionWithSSOID(ssoSessionID, null); + + if (storedSession == null) + return false; + + InterfederationSessionStore selectedIDP = AuthenticationSessionStoreage.searchInterfederatedIDPFORSSOWithMOASessionIDPID(storedSession.getSessionid(), entityID); + + if (selectedIDP != null) { + //no local SSO session exist -> request interfederated IDP + Logger.info("Delete interfederated IDP " + selectedIDP.getIdpurlprefix() + + " from MOASession " + storedSession.getSessionid()); + MOASessionDBUtils.delete(selectedIDP); + + } else { + Logger.warn("MOASession is marked as interfederated SSO session but no interfederated IDP is found. Switch to local authentication ..."); + + } + + return true; + + } else + return false; + + } + + private String getValueFromCookie(HttpServletRequest httpReq, String cookieName) { Cookie[] cookies = httpReq.getCookies(); if (cookies != null) { @@ -181,7 +277,7 @@ public class SSOManager { // (firefox) // if (cookie.getName().equals(SSOCOOKIE) && cookie.getSecure()) { - if (cookie.getName().equals(SSOCOOKIE)) { + if (cookie.getName().equals(cookieName)) { return cookie.getValue(); } } @@ -189,13 +285,21 @@ public class SSOManager { return null; } - public void deleteSSOSessionID(HttpServletRequest httpReq, HttpServletResponse httpResp) { - Cookie[] cookies = httpReq.getCookies(); + private void setCookie(HttpServletRequest httpReq, HttpServletResponse httpResp, + String cookieName, String cookieValue, int maxAge) { - if (cookies != null) { - for (Cookie cookie : cookies) { - if (!cookie.getName().equals(SSOCOOKIE)) httpResp.addCookie(cookie); - } - } + Cookie cookie = new Cookie(cookieName, cookieValue); + cookie.setMaxAge(maxAge); + cookie.setSecure(true); + + //TODO: could be a problem if the IDP is accessible from different contextPaths or Domains + cookie.setPath(httpReq.getContextPath()); + + httpResp.addCookie(cookie); + } + + private void deleteCookie(HttpServletRequest httpReq, HttpServletResponse httpResp, String cookieName) { + setCookie(httpReq, httpResp, cookieName, "", 1); } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java index b95c08044..6c2f3e75a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.monitoring; -import java.io.File; -import java.io.FileInputStream; import java.io.InputStream; +import java.net.URL; import java.util.List; import org.w3c.dom.Element; @@ -49,8 +48,9 @@ public class IdentityLinkTestModule implements TestModuleInterface { public void initializeTest(long delayParam, String url) throws Exception{ if (MiscUtil.isNotEmpty(url)) { - File idlfile = new File(url); - InputStream idlstream = new FileInputStream(idlfile); + + URL keystoreURL = new URL(url); + InputStream idlstream = keystoreURL.openStream(); identityLink = new IdentityLinkAssertionParser(idlstream).parseIdentityLink(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/monitoring/TestManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/monitoring/TestManager.java index ccfa6d5d1..84581abe8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/monitoring/TestManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/monitoring/TestManager.java @@ -30,6 +30,7 @@ import java.util.Map; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.FileUtils; public class TestManager { @@ -54,7 +55,7 @@ public class TestManager { //add IdentityLink verification test IdentityLinkTestModule test2 = new IdentityLinkTestModule(); - String idlurl = config.getMonitoringTestIdentityLinkURL(); + String idlurl = FileUtils.makeAbsoluteURL(config.getMonitoringTestIdentityLinkURL(), config.getRootConfigFileDir()); try { test2.initializeTest(0, idlurl); tests.put(test2.getName(), test2);; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Configuration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Configuration.java index 8d45a5d86..93a2f7d6d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Configuration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Configuration.java @@ -26,6 +26,7 @@ import java.util.Properties; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.util.FileUtils; public class OAuth20Configuration { @@ -44,10 +45,12 @@ public class OAuth20Configuration { public static final String JWT_KEY_PASSWORD = "jwt.ks.key.password"; private Properties props; + private String rootDir = null; private OAuth20Configuration() { try { props = AuthConfigurationProvider.getInstance().getGeneralOAuth20ProperiesConfig(); + rootDir = AuthConfigurationProvider.getInstance().getRootConfigFileDir(); } catch (ConfigurationException e) { e.printStackTrace(); @@ -55,7 +58,7 @@ public class OAuth20Configuration { } public String getJWTKeyStore() { - return props.getProperty(JWT_KEYSTORE); + return FileUtils.makeAbsoluteURL(props.getProperty(JWT_KEYSTORE), rootDir); } public String getJWTKeyStorePassword() { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java index 677b5e7ab..75501d812 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java @@ -28,6 +28,8 @@ public final class OAuth20Constants { throw new InstantiationError(); } + public static final String ERRORPAGE = "moa_errorcodes.html"; + // error parameters and error codes public static final String PARAM_ERROR = "error"; public static final String PARAM_ERROR_DESCRIPTION = "error_description"; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java index 394fd1430..3b0d07ce1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java @@ -27,9 +27,8 @@ import java.util.List; import org.apache.commons.lang.StringUtils; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.oauth20.Pair; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.BPKAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDAuthBlock; @@ -173,10 +172,10 @@ public final class OAuth20AttributeBuilder { } private static void addAttibutes(final List<IAttributeBuilder> builders, final JsonObject jsonObject, - final AuthenticationSession authSession, final OAAuthParameter oaParam, final AuthenticationData authData) { + final OAAuthParameter oaParam, final IAuthData authData) { for (IAttributeBuilder b : builders) { try { - Pair<String, JsonPrimitive> attribute = b.build(authSession, oaParam, authData, generator); + Pair<String, JsonPrimitive> attribute = b.build(oaParam, authData, generator); if (attribute != null && !StringUtils.isEmpty(attribute.getSecond().getAsString())) { jsonObject.add(attribute.getFirst(), attribute.getSecond()); } @@ -187,33 +186,70 @@ public final class OAuth20AttributeBuilder { } } - public static void addScopeOpenId(final JsonObject jsonObject, final AuthenticationSession authSession, - final OAAuthParameter oaParam, final AuthenticationData authData) { - addAttibutes(buildersOpenId, jsonObject, authSession, oaParam, authData); + public static void addScopeOpenId(final JsonObject jsonObject, + final OAAuthParameter oaParam, final IAuthData authData) { + addAttibutes(buildersOpenId, jsonObject, oaParam, authData); } - public static void addScopeProfile(final JsonObject jsonObject, final AuthenticationSession authSession, - final OAAuthParameter oaParam, final AuthenticationData authData) { - addAttibutes(buildersProfile, jsonObject, authSession, oaParam, authData); + public static void addScopeProfile(final JsonObject jsonObject, + final OAAuthParameter oaParam, final IAuthData authData) { + addAttibutes(buildersProfile, jsonObject, oaParam, authData); } - public static void addScopeEID(final JsonObject jsonObject, final AuthenticationSession authSession, - final OAAuthParameter oaParam, final AuthenticationData authData) { - addAttibutes(buildersEID, jsonObject, authSession, oaParam, authData); + public static void addScopeEID(final JsonObject jsonObject, + final OAAuthParameter oaParam, final IAuthData authData) { + addAttibutes(buildersEID, jsonObject, oaParam, authData); } - public static void addScopeEIDGov(final JsonObject jsonObject, final AuthenticationSession authSession, - final OAAuthParameter oaParam, final AuthenticationData authData) { - addAttibutes(buildersEIDGov, jsonObject, authSession, oaParam, authData); + public static void addScopeEIDGov(final JsonObject jsonObject, + final OAAuthParameter oaParam, final IAuthData authData) { + addAttibutes(buildersEIDGov, jsonObject, oaParam, authData); } - public static void addScopeMandate(final JsonObject jsonObject, final AuthenticationSession authSession, - final OAAuthParameter oaParam, final AuthenticationData authData) { - addAttibutes(buildersMandate, jsonObject, authSession, oaParam, authData); + public static void addScopeMandate(final JsonObject jsonObject, + final OAAuthParameter oaParam, final IAuthData authData) { + addAttibutes(buildersMandate, jsonObject, oaParam, authData); } - public static void addScopeSTORK(final JsonObject jsonObject, final AuthenticationSession authSession, - final OAAuthParameter oaParam, final AuthenticationData authData) { - addAttibutes(buildersSTORK, jsonObject, authSession, oaParam, authData); + public static void addScopeSTORK(final JsonObject jsonObject, + final OAAuthParameter oaParam, final IAuthData authData) { + addAttibutes(buildersSTORK, jsonObject, oaParam, authData); } + + /** + * @return the buildersprofile + */ + public static List<IAttributeBuilder> getBuildersprofile() { + return buildersProfile; + } + + /** + * @return the builderseid + */ + public static List<IAttributeBuilder> getBuilderseid() { + return buildersEID; + } + + /** + * @return the builderseidgov + */ + public static List<IAttributeBuilder> getBuilderseidgov() { + return buildersEIDGov; + } + + /** + * @return the buildersmandate + */ + public static List<IAttributeBuilder> getBuildersmandate() { + return buildersMandate; + } + + /** + * @return the buildersstork + */ + public static List<IAttributeBuilder> getBuildersstork() { + return buildersSTORK; + } + + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAuthenticationTimeAttribute.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAuthenticationTimeAttribute.java index da1980896..121648499 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAuthenticationTimeAttribute.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAuthenticationTimeAttribute.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; @@ -35,9 +34,9 @@ public class OpenIdAuthenticationTimeAttribute implements IAttributeBuilder { return "auth_time"; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - return g.buildLongAttribute(this.getName(), "", ((long) (authData.getTimestamp().getTime() / 1000))); + return g.buildLongAttribute(this.getName(), "", ((long) (authData.getIssueInstant().getTime() / 1000))); } public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdExpirationTimeAttribute.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdExpirationTimeAttribute.java index e7a85705a..9230c0105 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdExpirationTimeAttribute.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdExpirationTimeAttribute.java @@ -24,9 +24,8 @@ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; import java.util.Date; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; @@ -39,7 +38,7 @@ public class OpenIdExpirationTimeAttribute implements IAttributeBuilder { return "exp"; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { return g.buildLongAttribute(this.getName(), "", (long) (new Date().getTime() / 1000 + expirationTime)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssueInstantAttribute.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssueInstantAttribute.java index a75dfd029..3bdda5c2a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssueInstantAttribute.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssueInstantAttribute.java @@ -24,9 +24,8 @@ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; import java.util.Date; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; @@ -37,7 +36,7 @@ public class OpenIdIssueInstantAttribute implements IAttributeBuilder { return "iat"; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { return g.buildLongAttribute(this.getName(), "", (long) (new Date().getTime() / 1000)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssuerAttribute.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssuerAttribute.java index d21f1a5bb..85c46d5b2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssuerAttribute.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssuerAttribute.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; @@ -35,7 +34,7 @@ public class OpenIdIssuerAttribute implements IAttributeBuilder { return "iss"; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { return g.buildStringAttribute(this.getName(), "", authData.getIssuer()); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdSubjectIdentifierAttribute.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdSubjectIdentifierAttribute.java index bc48ce915..d5bda0dba 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdSubjectIdentifierAttribute.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdSubjectIdentifierAttribute.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; @@ -35,7 +34,7 @@ public class OpenIdSubjectIdentifierAttribute implements IAttributeBuilder { return "sub"; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { return g.buildStringAttribute(this.getName(), "", authData.getBPK()); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileDateOfBirthAttribute.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileDateOfBirthAttribute.java index a92b0c12d..dd84536ed 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileDateOfBirthAttribute.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileDateOfBirthAttribute.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; @@ -35,9 +34,9 @@ public class ProfileDateOfBirthAttribute implements IAttributeBuilder { return "birthdate"; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - return g.buildStringAttribute(this.getName(), "", authData.getDateOfBirth()); + return g.buildStringAttribute(this.getName(), "", authData.getFormatedDateOfBirth()); } public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileFamilyNameAttribute.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileFamilyNameAttribute.java index 5ce22a6c6..02cc66e4b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileFamilyNameAttribute.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileFamilyNameAttribute.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; @@ -35,7 +34,7 @@ public class ProfileFamilyNameAttribute implements IAttributeBuilder { return "family_name"; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { return g.buildStringAttribute(this.getName(), "", authData.getFamilyName()); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileGivenNameAttribute.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileGivenNameAttribute.java index 047bfa9a9..302ce8105 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileGivenNameAttribute.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileGivenNameAttribute.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; @@ -35,7 +34,7 @@ public class ProfileGivenNameAttribute implements IAttributeBuilder { return "given_name"; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { return g.buildStringAttribute(this.getName(), "", authData.getGivenName()); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20OANotSupportedException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20OANotSupportedException.java new file mode 100644 index 000000000..0edeb89bc --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20OANotSupportedException.java @@ -0,0 +1,44 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.oauth20.exceptions; + +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; + +/** + * @author tlenz + * + */ +public class OAuth20OANotSupportedException extends OAuth20Exception { + + private static final long serialVersionUID = -8713091674236329339L; + + /** + * @param errorCode + * @param messageId + * @param parameters + */ + public OAuth20OANotSupportedException() { + super(OAuth20Constants.ERROR_SERVER_ERROR, "oauth20.06", new Object[] {}); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ServerErrorException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ServerErrorException.java index d560e46f0..470507f08 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ServerErrorException.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ServerErrorException.java @@ -28,7 +28,7 @@ public class OAuth20ServerErrorException extends OAuth20Exception { private static final long serialVersionUID = 1L; public OAuth20ServerErrorException() { - super(OAuth20Constants.ERROR_SERVER_ERROR, "oauth20.06", new Object[] {}); + super(OAuth20Constants.ERROR_SERVER_ERROR, "oauth20.10", new Object[] {}); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java index d60b8c230..4c70ce995 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java @@ -30,13 +30,12 @@ import java.util.UUID; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import at.gv.egovernment.moa.id.auth.AuthenticationServer; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; -import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.SLOInformationImpl; +import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; @@ -51,14 +50,13 @@ import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuth20SignatureUtil; import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthJsonToken; import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthSigner; import at.gv.egovernment.moa.id.storage.AssertionStorage; -import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; class OAuth20AuthAction implements IAction { - public String processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, - AuthenticationSession moasession) throws MOAIDException { + public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, + IAuthData authData) throws MOAIDException { OAuth20AuthRequest oAuthRequest = (OAuth20AuthRequest) req; String responseType = oAuthRequest.getResponseType(); @@ -76,7 +74,7 @@ class OAuth20AuthAction implements IAction { o.setCode(code); //generate idToken from MOASession - Map<String, Object> idToken = generateIDToken(o, oAuthRequest, moasession, accessToken); + Map<String, Object> idToken = generateIDToken(o, oAuthRequest, authData, accessToken); o.setAuthDataSession(idToken); } else if (responseType.equals(OAuth20Constants.RESPONSE_TOKEN)) { @@ -100,7 +98,11 @@ class OAuth20AuthAction implements IAction { httpResp.addHeader("Location", finalUrl); Logger.debug("REDIRECT TO: " + finalUrl.toString()); - return accessToken; + + //TODO: maybe add bPK / wbPK to SLO information + SLOInformationInterface sloInformation = new SLOInformationImpl(accessToken, null, null, req.requestedModule()); + + return sloInformation; } catch (Exception e) { @@ -118,7 +120,7 @@ class OAuth20AuthAction implements IAction { } private Map<String, Object> generateIDToken(OAuth20SessionObject auth20SessionObject, - OAuth20AuthRequest oAuthRequest, AuthenticationSession moasession, String accessToken) throws SignatureException, MOAIDException { + OAuth20AuthRequest oAuthRequest, IAuthData authData, String accessToken) throws SignatureException, MOAIDException { // create response Map<String, Object> params = new HashMap<String, Object>(); @@ -128,7 +130,7 @@ class OAuth20AuthAction implements IAction { // build id token and scope Pair<String, String> pair = buildIdToken(auth20SessionObject.getScope(), oAuthRequest, - moasession); + authData); Logger.debug("RESPONSE ID_TOKEN: " + pair.getFirst()); params.put(OAuth20Constants.RESPONSE_ID_TOKEN, pair.getFirst()); Logger.debug("RESPONSE SCOPE: " + pair.getSecond()); @@ -138,34 +140,33 @@ class OAuth20AuthAction implements IAction { } - private Pair<String, String> buildIdToken(String scope, OAuth20AuthRequest oAuthRequest, AuthenticationSession session) + private Pair<String, String> buildIdToken(String scope, OAuth20AuthRequest oAuthRequest, IAuthData authData) throws MOAIDException, SignatureException { OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oAuthRequest.getOAURL()); - AuthenticationData authData = AuthenticationServer.buildAuthenticationData(session, oaParam, oAuthRequest.getTarget()); OAuthSigner signer = OAuth20SignatureUtil.loadSigner(authData.getIssuer()); OAuthJsonToken token = new OAuthJsonToken(signer); StringBuilder resultScopes = new StringBuilder(); // always fill with open id - OAuth20AttributeBuilder.addScopeOpenId(token.getPayloadAsJsonObject(), session, oaParam, authData); + OAuth20AttributeBuilder.addScopeOpenId(token.getPayloadAsJsonObject(), oaParam, authData); resultScopes.append("openId"); for (String s : scope.split(" ")) { if (s.equalsIgnoreCase("profile")) { - OAuth20AttributeBuilder.addScopeProfile(token.getPayloadAsJsonObject(), session, oaParam, authData); + OAuth20AttributeBuilder.addScopeProfile(token.getPayloadAsJsonObject(), oaParam, authData); resultScopes.append(" profile"); } else if (s.equalsIgnoreCase("eID")) { - OAuth20AttributeBuilder.addScopeEID(token.getPayloadAsJsonObject(), session, oaParam, authData); + OAuth20AttributeBuilder.addScopeEID(token.getPayloadAsJsonObject(), oaParam, authData); resultScopes.append(" eID"); } else if (s.equalsIgnoreCase("eID_gov")) { - OAuth20AttributeBuilder.addScopeEIDGov(token.getPayloadAsJsonObject(), session, oaParam, authData); + OAuth20AttributeBuilder.addScopeEIDGov(token.getPayloadAsJsonObject(), oaParam, authData); resultScopes.append(" eID_gov"); } else if (s.equalsIgnoreCase("mandate")) { - OAuth20AttributeBuilder.addScopeMandate(token.getPayloadAsJsonObject(), session, oaParam, authData); + OAuth20AttributeBuilder.addScopeMandate(token.getPayloadAsJsonObject(), oaParam, authData); resultScopes.append(" mandate"); } else if (s.equalsIgnoreCase("stork")) { - OAuth20AttributeBuilder.addScopeSTORK(token.getPayloadAsJsonObject(), session, oaParam, authData); + OAuth20AttributeBuilder.addScopeSTORK(token.getPayloadAsJsonObject(), oaParam, authData); resultScopes.append(" stork"); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java index dc3335631..c47e366a1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java @@ -22,17 +22,29 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.protocol; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + import javax.servlet.http.HttpServletRequest; +import org.opensaml.saml2.core.Attribute; + import at.gv.egovernment.moa.id.commons.db.dao.config.OAOAUTH20; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util; +import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OAuth20AttributeBuilder; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20AccessDeniedException; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ResponseTypeException; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20WrongParameterException; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; +import at.gv.egovernment.moa.logging.Logger; class OAuth20AuthRequest extends OAuth20BaseRequest { @@ -153,4 +165,48 @@ class OAuth20AuthRequest extends OAuth20BaseRequest { } } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes() + */ + @Override + public List<Attribute> getRequestedAttributes() { + Map<String, String> reqAttr = new HashMap<String, String>(); + for (String el : PVP2XProtocol.DEFAULTREQUESTEDATTRFORINTERFEDERATION) + reqAttr.put(el, ""); + + try { + OAAuthParameter oa = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(getOAURL()); + + for (String s : scope.split(" ")) { + if (s.equalsIgnoreCase("profile")) { + for (IAttributeBuilder el :OAuth20AttributeBuilder.getBuildersprofile()) + reqAttr.put(el.getName(), ""); + + } else if (s.equalsIgnoreCase("eID")) { + for (IAttributeBuilder el :OAuth20AttributeBuilder.getBuilderseid()) + reqAttr.put(el.getName(), ""); + + } else if (s.equalsIgnoreCase("eID_gov")) { + for (IAttributeBuilder el :OAuth20AttributeBuilder.getBuilderseidgov()) + reqAttr.put(el.getName(), ""); + + } else if (s.equalsIgnoreCase("mandate")) { + for (IAttributeBuilder el :OAuth20AttributeBuilder.getBuildersmandate()) + reqAttr.put(el.getName(), ""); + + } else if (s.equalsIgnoreCase("stork")) { + for (IAttributeBuilder el :OAuth20AttributeBuilder.getBuildersstork()) + reqAttr.put(el.getName(), ""); + + } + } + + return AttributQueryBuilder.buildSAML2AttributeList(oa, reqAttr.keySet().iterator()); + + } catch (ConfigurationException e) { + Logger.error("Load configuration for OA " + getOAURL() + " FAILED", e); + return null; + } + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java index d0b43d25a..d08bd593a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java @@ -39,6 +39,7 @@ import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20InvalidRequestException; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20OANotSupportedException; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ServerErrorException; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20WrongParameterException; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; @@ -89,7 +90,7 @@ abstract class OAuth20BaseRequest extends RequestImpl { } if (StringUtils.isEmpty(config.getOAuthClientSecret()) || StringUtils.isEmpty(config.getOAuthClientId()) || StringUtils.isEmpty(config.getOAuthRedirectUri())) { - throw new OAuth20ServerErrorException(); + throw new OAuth20OANotSupportedException(); } } catch (ConfigurationException e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java index 00b7a83f0..9dac8d5a0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java @@ -2,6 +2,7 @@ package at.gv.egovernment.moa.id.protocols.oauth20.protocol; import java.net.URLEncoder; import java.util.HashMap; +import java.util.List; import java.util.Map; import javax.servlet.http.HttpServletRequest; @@ -10,17 +11,22 @@ import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang.StringUtils; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IModulInfo; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.util.ErrorResponseUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; import com.google.gson.JsonObject; +import edu.emory.mathcs.backport.java.util.Arrays; + public class OAuth20Protocol implements IModulInfo { public static final String NAME = OAuth20Protocol.class.getName(); @@ -29,6 +35,13 @@ public class OAuth20Protocol implements IModulInfo { public static final String AUTH_ACTION = "AUTH"; public static final String TOKEN_ACTION = "TOKEN"; + @SuppressWarnings("unchecked") + public static final List<String> DEFAULTREQUESTEDATTRFORINTERFEDERATION = Arrays.asList( + new String[] { + PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME, + PVPConstants.BPK_NAME + }); + private static HashMap<String, IAction> actions = new HashMap<String, IAction>(); static { @@ -87,20 +100,27 @@ public class OAuth20Protocol implements IModulInfo { */ public boolean generateErrorMessage(Throwable e, HttpServletRequest request, HttpServletResponse response, IRequest protocolRequest) throws Throwable { - + // get error code and description String errorCode; String errorDescription; - // String errorUri = "http://tools.ietf.org/html/draft-ietf-oauth-v2-11"; + String errorUri = AuthConfigurationProvider.getInstance().getPublicURLPrefix() + +"/" + OAuth20Constants.ERRORPAGE; + String moaError = null; + + ErrorResponseUtils errorUtils = ErrorResponseUtils.getInstance(); if (e instanceof OAuth20Exception) { errorCode = ((OAuth20Exception) e).getErrorCode(); errorDescription = URLEncoder.encode(((OAuth20Exception) e).getMessageId() + ": " + e.getMessage(), "UTF-8"); + moaError = errorUtils.mapInternalErrorToExternalError(((OAuth20Exception) e).getMessageId()); + } else { errorCode = OAuth20Constants.ERROR_SERVER_ERROR; errorDescription = URLEncoder.encode(e.getMessage(), "UTF-8"); + moaError = errorUtils.getResponseErrorCode(e); } - + String paramRedirect = null; String state = null; boolean isAuthRequest = false; @@ -144,7 +164,8 @@ public class OAuth20Protocol implements IModulInfo { OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR, errorCode); OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_DESCRIPTION, errorDescription); - // OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_URI, errorUri); + if (MiscUtil.isNotEmpty(moaError)) + OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_URI, errorUri + "#" + moaError); OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_STATE, state); response.setContentType("text/html"); @@ -159,7 +180,7 @@ public class OAuth20Protocol implements IModulInfo { Map<String, Object> params = new HashMap<String, Object>(); params.put(OAuth20Constants.PARAM_ERROR, errorCode); params.put(OAuth20Constants.PARAM_ERROR_DESCRIPTION, errorDescription); - // params.put(OAuth20Constants.PARAM_ERROR_URI, errorUri); + params.put(OAuth20Constants.PARAM_ERROR_URI, errorUri + "#" + moaError); // create response JsonObject jsonObject = new JsonObject(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java index 3f6c148eb..944da38d0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java @@ -26,9 +26,10 @@ package at.gv.egovernment.moa.id.protocols.oauth20.protocol; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject; @@ -42,8 +43,8 @@ import com.google.gson.JsonObject; class OAuth20TokenAction implements IAction { - public String processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, - AuthenticationSession moasession) throws MOAIDException { + public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, + IAuthData authData) throws MOAIDException { OAuth20SessionObject auth20SessionObject = null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java index 0f1ba23b3..3c90a5773 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java @@ -22,8 +22,12 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.protocol; +import java.util.List; + import javax.servlet.http.HttpServletRequest; +import org.opensaml.saml2.core.Attribute; + import at.gv.egovernment.moa.id.commons.db.dao.config.OAOAUTH20; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; @@ -137,4 +141,12 @@ class OAuth20TokenRequest extends OAuth20BaseRequest { this.allowedParameters.add(OAuth20Constants.PARAM_SCOPE); this.allowedParameters.add(OAuth20Constants.PARAM_REDIRECT_URI); } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes() + */ + @Override + public List<Attribute> getRequestedAttributes() { + return null; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java new file mode 100644 index 000000000..71d1c26d4 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java @@ -0,0 +1,178 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x; + + +import java.util.ArrayList; +import java.util.List; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.joda.time.DateTime; +import org.opensaml.saml2.core.Assertion; +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.AttributeQuery; +import org.opensaml.saml2.core.Response; +import org.opensaml.ws.message.encoder.MessageEncodingException; +import org.opensaml.xml.security.SecurityException; + +import edu.emory.mathcs.backport.java.util.Arrays; + +import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.SLOInformationInterface; +import at.gv.egovernment.moa.id.moduls.IAction; +import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.SoapBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AuthResponseBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class AttributQueryAction implements IAction { + + @SuppressWarnings("unchecked") + private final static List<String> DEFAULTSTORKATTRIBUTES = Arrays.asList( + new String[]{PVPConstants.EID_STORK_TOKEN_NAME}); + + @SuppressWarnings("unchecked") + private final static List<String> DEFAULTMANDATEATTRIBUTES = Arrays.asList( + new String[]{ PVPConstants.MANDATE_FULL_MANDATE_NAME, + PVPConstants.MANDATE_PROF_REP_OID_NAME}); + + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IAction#processRequest(at.gv.egovernment.moa.id.moduls.IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, at.gv.egovernment.moa.id.data.IAuthData) + */ + @Override + public SLOInformationInterface processRequest(IRequest req, + HttpServletRequest httpReq, HttpServletResponse httpResp, + IAuthData authData) throws MOAIDException { + + if (req instanceof PVPTargetConfiguration && + ((PVPTargetConfiguration) req).getRequest() instanceof MOARequest && + ((MOARequest)((PVPTargetConfiguration) req).getRequest()).getSamlRequest() instanceof AttributeQuery) { + + AttributeQuery attrQuery = (AttributeQuery)((MOARequest)((PVPTargetConfiguration) req).getRequest()).getSamlRequest(); + + //load moaSession + String nameID = attrQuery.getSubject().getNameID().getValue(); + + AuthenticationSession session = AuthenticationSessionStoreage.getSessionWithUserNameID(nameID); + if (session == null) { + Logger.warn("AttributeQuery nameID does not match to an active single sign-on session."); + throw new AttributQueryException("AttributeQuery nameID does not match to an active single sign-on session.", null); + + } + + DateTime date = new DateTime(); + + //generate authData + authData = AuthenticationDataBuilder.buildAuthenticationData(req, session, attrQuery.getAttributes()); + + //add default attributes in case of mandates or STORK is in use + List<String> attrList = addDefaultAttributes(attrQuery, authData); + + //build PVP 2.1 assertion + Assertion assertion = PVP2AssertionBuilder.buildAssertion(attrQuery, attrList, authData, date, authData.getSessionIndex()); + + //build PVP 2.1 response + Response authResponse = AuthResponseBuilder.buildResponse(attrQuery, date, assertion); + + try { + SoapBinding decoder = new SoapBinding(); + decoder.encodeRespone(httpReq, httpResp, authResponse, null, null); + return null; + + } catch (MessageEncodingException e) { + Logger.error("Message Encoding exception", e); + throw new MOAIDException("pvp2.01", null, e); + + } catch (SecurityException e) { + Logger.error("Security exception", e); + throw new MOAIDException("pvp2.01", null, e); + + } + + } else { + Logger.error("Process AttributeQueryAction but request is NOT of type AttributQuery."); + throw new MOAIDException("pvp2.13", null); + + } + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IAction#needAuthentication(at.gv.egovernment.moa.id.moduls.IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) + */ + @Override + public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, + HttpServletResponse httpResp) { + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IAction#getDefaultActionName() + */ + @Override + public String getDefaultActionName() { + return PVP2XProtocol.ATTRIBUTEQUERY; + } + + private List<String> addDefaultAttributes(AttributeQuery query, IAuthData authData) { + + List<String> reqAttributs = new ArrayList<String>(); + + for (Attribute attr : query.getAttributes()) { + reqAttributs.add(attr.getName()); + + } + + //add default STORK attributes if it is a STORK authentication + if (authData.isForeigner() && !reqAttributs.containsAll(DEFAULTSTORKATTRIBUTES)) { + for (String el : DEFAULTSTORKATTRIBUTES) { + if (!reqAttributs.contains(el)) + reqAttributs.add(el); + } + } + + //add default mandate attributes if it is a authentication with mandates + if (authData.isUseMandate() && !reqAttributs.containsAll(DEFAULTMANDATEATTRIBUTES)) { + for (String el : DEFAULTMANDATEATTRIBUTES) { + if (!reqAttributs.contains(el)) + reqAttributs.add(el); + } + } + + return reqAttributs; + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java index 10618071a..70db9cc23 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java @@ -25,19 +25,27 @@ package at.gv.egovernment.moa.id.protocols.pvp2x; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.SLOInformationImpl; +import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler.RequestManager; public class AuthenticationAction implements IAction { - public String processRequest(IRequest req, HttpServletRequest httpReq, - HttpServletResponse httpResp, AuthenticationSession moasession) throws MOAIDException { + public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, + HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { PVPTargetConfiguration pvpRequest = (PVPTargetConfiguration) req; - return RequestManager.getInstance().handle(pvpRequest.request, httpReq, httpResp, moasession); + + SLOInformationImpl sloInformation = (SLOInformationImpl) RequestManager.getInstance().handle(pvpRequest.request, httpReq, httpResp, authData); + + //set protocol type + sloInformation.setProtocolType(req.requestedModule()); + + return sloInformation; } public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index 99cba3277..01f7e18ba 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -38,30 +38,42 @@ import org.joda.time.DateTime; import org.opensaml.Configuration; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.core.NameIDType; +import org.opensaml.saml2.metadata.AssertionConsumerService; +import org.opensaml.saml2.metadata.AttributeConsumingService; import org.opensaml.saml2.metadata.ContactPerson; import org.opensaml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.KeyDescriptor; +import org.opensaml.saml2.metadata.LocalizedString; import org.opensaml.saml2.metadata.NameIDFormat; +import org.opensaml.saml2.metadata.RoleDescriptor; +import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml2.metadata.ServiceName; +import org.opensaml.saml2.metadata.SingleLogoutService; import org.opensaml.saml2.metadata.SingleSignOnService; import org.opensaml.xml.io.Marshaller; +import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.SecurityHelper; import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.credential.UsageType; import org.opensaml.xml.security.keyinfo.KeyInfoGenerator; +import org.opensaml.xml.security.x509.X509Credential; import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; import org.opensaml.xml.signature.Signature; import org.opensaml.xml.signature.Signer; import org.w3c.dom.Document; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; @@ -69,8 +81,8 @@ public class MetadataAction implements IAction { private static final int VALIDUNTIL_IN_HOURS = 24; - public String processRequest(IRequest req, HttpServletRequest httpReq, - HttpServletResponse httpResp, AuthenticationSession moasession) throws MOAIDException { + public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, + HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { try { EntitiesDescriptor idpEntitiesDescriptor = @@ -110,6 +122,7 @@ public class MetadataAction implements IAction { //keyInfoFactory.setEmitPublicKeyValue(true); keyInfoFactory.setEmitEntityIDAsKeyName(true); keyInfoFactory.setEmitEntityCertificate(true); + KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance(); Credential metadataSigningCredential = CredentialProvider.getIDPMetaDataSigningCredential(); @@ -120,106 +133,12 @@ public class MetadataAction implements IAction { SecurityHelper.prepareSignatureParams(signature, metadataSigningCredential, null, null); idpEntitiesDescriptor.setSignature(signature); - -// //set SignatureMethode -// signature.setSignatureAlgorithm(PVPConstants.DEFAULT_SIGNING_METHODE); -// -// //set DigestMethode -// List<ContentReference> contentList = signature.getContentReferences(); -// for (ContentReference content : contentList) { -// -// if (content instanceof SAMLObjectContentReference) { -// -// SAMLObjectContentReference el = (SAMLObjectContentReference) content; -// el.setDigestAlgorithm(PVPConstants.DEFAULT_DIGESTMETHODE); -// -// } -// } - - -// KeyInfoBuilder metadataKeyInfoBuilder = new KeyInfoBuilder(); -// KeyInfo metadataKeyInfo = metadataKeyInfoBuilder.buildObject(); -// //KeyInfoHelper.addCertificate(metadataKeyInfo, metadataSigningCredential.); -// signature.setKeyInfo(metadataKeyInfo ); - - - - IDPSSODescriptor idpSSODescriptor = SAML2Utils - .createSAMLObject(IDPSSODescriptor.class); - idpSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); - - idpSSODescriptor.setWantAuthnRequestsSigned(true); - - if (PVPConfiguration.getInstance().getIDPSSOPostService() != null) { - SingleSignOnService postSingleSignOnService = SAML2Utils - .createSAMLObject(SingleSignOnService.class); - - postSingleSignOnService.setLocation(PVPConfiguration - .getInstance().getIDPSSOPostService()); - postSingleSignOnService - .setBinding(SAMLConstants.SAML2_POST_BINDING_URI); - - idpSSODescriptor.getSingleSignOnServices().add( - postSingleSignOnService); - } - - if (PVPConfiguration.getInstance().getIDPSSORedirectService() != null) { - SingleSignOnService redirectSingleSignOnService = SAML2Utils - .createSAMLObject(SingleSignOnService.class); - - redirectSingleSignOnService.setLocation(PVPConfiguration - .getInstance().getIDPSSORedirectService()); - redirectSingleSignOnService - .setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); - - idpSSODescriptor.getSingleSignOnServices().add( - redirectSingleSignOnService); - } - - /*if (PVPConfiguration.getInstance().getIDPResolveSOAPService() != null) { - ArtifactResolutionService artifactResolutionService = SAML2Utils - .createSAMLObject(ArtifactResolutionService.class); - - artifactResolutionService - .setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI); - artifactResolutionService.setLocation(PVPConfiguration - .getInstance().getIDPResolveSOAPService()); - - artifactResolutionService.setIndex(0); - - idpSSODescriptor.getArtifactResolutionServices().add( - artifactResolutionService); - }*/ - - //set assertion signing key - Credential assertionSigingCredential = CredentialProvider - .getIDPAssertionSigningCredential(); - - KeyDescriptor signKeyDescriptor = SAML2Utils - .createSAMLObject(KeyDescriptor.class); - signKeyDescriptor.setUse(UsageType.SIGNING); - signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(assertionSigingCredential)); - idpSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); - - idpSSODescriptor.getAttributes().addAll(PVPAttributeBuilder.buildSupportedEmptyAttributes()); - - NameIDFormat persistenNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); - persistenNameIDFormat.setFormat(NameIDType.PERSISTENT); - - idpSSODescriptor.getNameIDFormats().add(persistenNameIDFormat); - - NameIDFormat transientNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); - transientNameIDFormat.setFormat(NameIDType.TRANSIENT); + //set IDP metadata + idpEntityDescriptor.getRoleDescriptors().add(generateIDPMetadata(keyInfoGenerator)); - idpSSODescriptor.getNameIDFormats().add(transientNameIDFormat); - - NameIDFormat unspecifiedNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); - unspecifiedNameIDFormat.setFormat(NameIDType.UNSPECIFIED); - - idpSSODescriptor.getNameIDFormats().add(unspecifiedNameIDFormat); - - idpEntityDescriptor.getRoleDescriptors().add(idpSSODescriptor); + //set SP metadata for interfederation + idpEntityDescriptor.getRoleDescriptors().add(generateSPMetadata(keyInfoGenerator)); DocumentBuilder builder; DocumentBuilderFactory factory = DocumentBuilderFactory @@ -243,9 +162,8 @@ public class MetadataAction implements IAction { sw.close(); String metadataXML = sw.toString(); - - System.out.println("METADATA: " + metadataXML); - + Logger.debug("METADATA: " + metadataXML); + httpResp.setContentType("text/xml"); httpResp.getOutputStream().write(metadataXML.getBytes()); @@ -268,4 +186,228 @@ public class MetadataAction implements IAction { return (PVP2XProtocol.METADATA); } + private RoleDescriptor generateSPMetadata(KeyInfoGenerator keyInfoGenerator) throws CredentialsNotAvailableException, SecurityException, ConfigurationException { + + Logger.debug("Set SP Metadata key information"); + + SPSSODescriptor spSSODescriptor = SAML2Utils + .createSAMLObject(SPSSODescriptor.class); + + spSSODescriptor.setAuthnRequestsSigned(true); + spSSODescriptor.setWantAssertionsSigned(true); + + + //Set AuthRequest Signing certificate + X509Credential authcredential = CredentialProvider.getIDPAssertionSigningCredential(); + + KeyDescriptor signKeyDescriptor = SAML2Utils + .createSAMLObject(KeyDescriptor.class); + signKeyDescriptor.setUse(UsageType.SIGNING); + signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authcredential)); + spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); + + + //set AuthRequest encryption certificate + + X509Credential authEncCredential = CredentialProvider.getIDPAssertionEncryptionCredential(); + + if (authEncCredential != null) { + KeyDescriptor encryKeyDescriptor = SAML2Utils + .createSAMLObject(KeyDescriptor.class); + encryKeyDescriptor.setUse(UsageType.ENCRYPTION); + encryKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authEncCredential)); + spSSODescriptor.getKeyDescriptors().add(encryKeyDescriptor); + + } else { + Logger.warn("No Assertion Encryption-Key defined. This setting is not recommended!"); + + } + + NameIDFormat persistentnameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); + persistentnameIDFormat.setFormat(NameIDType.PERSISTENT); + + spSSODescriptor.getNameIDFormats().add(persistentnameIDFormat); + + NameIDFormat transientnameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); + transientnameIDFormat.setFormat(NameIDType.TRANSIENT); + + spSSODescriptor.getNameIDFormats().add(transientnameIDFormat); + + NameIDFormat unspecifiednameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); + unspecifiednameIDFormat.setFormat(NameIDType.UNSPECIFIED); + + spSSODescriptor.getNameIDFormats().add(unspecifiednameIDFormat); + + //add assertion consumer services + AssertionConsumerService postassertionConsumerService = + SAML2Utils.createSAMLObject(AssertionConsumerService.class); + postassertionConsumerService.setIndex(0); + postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); + postassertionConsumerService.setLocation(PVPConfiguration + .getInstance().getIDPSSOPostService()); + postassertionConsumerService.setIsDefault(true); + spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService); + + AssertionConsumerService redirectassertionConsumerService = + SAML2Utils.createSAMLObject(AssertionConsumerService.class); + redirectassertionConsumerService.setIndex(1); + redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); + redirectassertionConsumerService.setLocation(PVPConfiguration + .getInstance().getIDPSSORedirectService()); + spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService); + + + //add SLO descriptor +// SingleLogoutService postSLOService = +// SAML2Utils.createSAMLObject(SingleLogoutService.class); +// postSLOService.setLocation(PVPConfiguration +// .getInstance().getIDPSSOPostService()); +// postSLOService +// .setBinding(SAMLConstants.SAML2_POST_BINDING_URI); +// spSSODescriptor.getSingleLogoutServices().add(postSLOService); +// +// SingleLogoutService redirectSLOService = +// SAML2Utils.createSAMLObject(SingleLogoutService.class); +// redirectSLOService.setLocation(PVPConfiguration +// .getInstance().getIDPSSOPostService()); +// redirectSLOService +// .setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); +// spSSODescriptor.getSingleLogoutServices().add(redirectSLOService); + + + spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); + + AttributeConsumingService attributeService = + SAML2Utils.createSAMLObject(AttributeConsumingService.class); + + attributeService.setIndex(0); + attributeService.setIsDefault(true); + ServiceName serviceName = SAML2Utils.createSAMLObject(ServiceName.class); + serviceName.setName(new LocalizedString("Default Service", "de")); + attributeService.getNames().add(serviceName); + + return spSSODescriptor; + } + + private IDPSSODescriptor generateIDPMetadata(KeyInfoGenerator keyInfoGenerator) throws ConfigurationException, CredentialsNotAvailableException, SecurityException { + + +// //set SignatureMethode +// signature.setSignatureAlgorithm(PVPConstants.DEFAULT_SIGNING_METHODE); +// +// //set DigestMethode +// List<ContentReference> contentList = signature.getContentReferences(); +// for (ContentReference content : contentList) { +// +// if (content instanceof SAMLObjectContentReference) { +// +// SAMLObjectContentReference el = (SAMLObjectContentReference) content; +// el.setDigestAlgorithm(PVPConstants.DEFAULT_DIGESTMETHODE); +// +// } +// } + + +// KeyInfoBuilder metadataKeyInfoBuilder = new KeyInfoBuilder(); +// KeyInfo metadataKeyInfo = metadataKeyInfoBuilder.buildObject(); +// //KeyInfoHelper.addCertificate(metadataKeyInfo, metadataSigningCredential.); +// signature.setKeyInfo(metadataKeyInfo ); + + + IDPSSODescriptor idpSSODescriptor = SAML2Utils + .createSAMLObject(IDPSSODescriptor.class); + + idpSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); + + idpSSODescriptor.setWantAuthnRequestsSigned(true); + + if (PVPConfiguration.getInstance().getIDPSSOPostService() != null) { + //add SSO descriptor + SingleSignOnService postSingleSignOnService = SAML2Utils + .createSAMLObject(SingleSignOnService.class); + postSingleSignOnService.setLocation(PVPConfiguration + .getInstance().getIDPSSOPostService()); + postSingleSignOnService + .setBinding(SAMLConstants.SAML2_POST_BINDING_URI); + idpSSODescriptor.getSingleSignOnServices().add( + postSingleSignOnService); + + //add SLO descriptor +// SingleLogoutService postSLOService = +// SAML2Utils.createSAMLObject(SingleLogoutService.class); +// postSLOService.setLocation(PVPConfiguration +// .getInstance().getIDPSSOPostService()); +// postSLOService +// .setBinding(SAMLConstants.SAML2_POST_BINDING_URI); +// idpSSODescriptor.getSingleLogoutServices().add(postSLOService); + + } + + if (PVPConfiguration.getInstance().getIDPSSORedirectService() != null) { + //add SSO descriptor + SingleSignOnService redirectSingleSignOnService = SAML2Utils + .createSAMLObject(SingleSignOnService.class); + redirectSingleSignOnService.setLocation(PVPConfiguration + .getInstance().getIDPSSORedirectService()); + redirectSingleSignOnService + .setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); + idpSSODescriptor.getSingleSignOnServices().add( + redirectSingleSignOnService); + + //add SLO descriptor +// SingleLogoutService redirectSLOService = +// SAML2Utils.createSAMLObject(SingleLogoutService.class); +// redirectSLOService.setLocation(PVPConfiguration +// .getInstance().getIDPSSOPostService()); +// redirectSLOService +// .setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); +// idpSSODescriptor.getSingleLogoutServices().add(redirectSLOService); + } + + /*if (PVPConfiguration.getInstance().getIDPResolveSOAPService() != null) { + ArtifactResolutionService artifactResolutionService = SAML2Utils + .createSAMLObject(ArtifactResolutionService.class); + + artifactResolutionService + .setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI); + artifactResolutionService.setLocation(PVPConfiguration + .getInstance().getIDPResolveSOAPService()); + + artifactResolutionService.setIndex(0); + + idpSSODescriptor.getArtifactResolutionServices().add( + artifactResolutionService); + }*/ + + //set assertion signing key + Credential assertionSigingCredential = CredentialProvider + .getIDPAssertionSigningCredential(); + + KeyDescriptor signKeyDescriptor = SAML2Utils + .createSAMLObject(KeyDescriptor.class); + signKeyDescriptor.setUse(UsageType.SIGNING); + signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(assertionSigingCredential)); + idpSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); + + idpSSODescriptor.getAttributes().addAll(PVPAttributeBuilder.buildSupportedEmptyAttributes()); + + NameIDFormat persistenNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); + persistenNameIDFormat.setFormat(NameIDType.PERSISTENT); + + idpSSODescriptor.getNameIDFormats().add(persistenNameIDFormat); + + NameIDFormat transientNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); + transientNameIDFormat.setFormat(NameIDType.TRANSIENT); + + idpSSODescriptor.getNameIDFormats().add(transientNameIDFormat); + + NameIDFormat unspecifiedNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); + unspecifiedNameIDFormat.setFormat(NameIDType.UNSPECIFIED); + + idpSSODescriptor.getNameIDFormats().add(unspecifiedNameIDFormat); + + return idpSSODescriptor; + + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index e81b23d41..863bfe501 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -22,8 +22,7 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x; -import iaik.pkcs.pkcs11.objects.Object; - +import java.io.IOException; import java.util.ArrayList; import java.util.HashMap; import java.util.Iterator; @@ -31,11 +30,17 @@ import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.xml.transform.TransformerException; import org.apache.commons.lang.StringEscapeUtils; +import org.joda.time.DateTime; import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.core.AttributeQuery; import org.opensaml.saml2.core.AuthnRequest; -import org.opensaml.saml2.core.RequestAbstractType; +import org.opensaml.saml2.core.Issuer; +import org.opensaml.saml2.core.LogoutRequest; +import org.opensaml.saml2.core.LogoutResponse; +import org.opensaml.saml2.core.NameID; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.Status; import org.opensaml.saml2.core.StatusCode; @@ -45,32 +50,53 @@ import org.opensaml.saml2.metadata.AssertionConsumerService; import org.opensaml.saml2.metadata.AttributeConsumingService; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.ws.security.SecurityPolicyException; +import org.opensaml.xml.io.MarshallingException; +import org.opensaml.xml.security.SecurityException; +import org.opensaml.xml.signature.SignableXMLObject; + +import edu.emory.mathcs.backport.java.util.Arrays; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException; +import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IModulInfo; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.moduls.NoPassivAuthenticationException; +import at.gv.egovernment.moa.id.moduls.RequestImpl; +import at.gv.egovernment.moa.id.moduls.RequestStorage; +import at.gv.egovernment.moa.id.moduls.SSOManager; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.SoapBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestValidatorException; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.MandateAttributesNotHandleAbleException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SLOException; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.CheckMandateAttributes; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.id.protocols.pvp2x.validation.AuthnRequestValidator; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; +import at.gv.egovernment.moa.id.util.ErrorResponseUtils; +import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.id.util.VelocityLogAdapter; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { @@ -81,18 +107,29 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { public static final String POST = "Post"; public static final String SOAP = "Soap"; public static final String METADATA = "Metadata"; + public static final String ATTRIBUTEQUERY = "AttributeQuery"; + public static final String SINGLELOGOUT = "SingleLogOut"; private static List<IDecoder> decoder = new ArrayList<IDecoder>(); private static HashMap<String, IAction> actions = new HashMap<String, IAction>(); + @SuppressWarnings("unchecked") + public static final List<String> DEFAULTREQUESTEDATTRFORINTERFEDERATION = Arrays.asList( + new String[] { + PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME + }); + static { decoder.add(new PostBinding()); decoder.add(new RedirectBinding()); + decoder.add(new SoapBinding()); actions.put(REDIRECT, new AuthenticationAction()); actions.put(POST, new AuthenticationAction()); actions.put(METADATA, new MetadataAction()); + actions.put(ATTRIBUTEQUERY, new AttributQueryAction()); + actions.put(SINGLELOGOUT, new SingleLogOutAction()); //TODO: insert getArtifact action @@ -133,7 +170,7 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { public PVP2XProtocol() { super(); } - + public IRequest preProcess(HttpServletRequest request, HttpServletResponse response, String action) throws MOAIDException { @@ -147,6 +184,7 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { if(METADATA.equals(action)) { return new PVPTargetConfiguration(); + } IDecoder decoder = findDecoder(action, request); @@ -154,103 +192,88 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { return null; } try { - PVPTargetConfiguration config = new PVPTargetConfiguration(); - - - MOARequest moaRequest = decoder.decodeRequest(request, response); - - RequestAbstractType samlReq = moaRequest.getSamlRequest(); - - //String xml = PrettyPrinter.prettyPrint(SAML2Utils.asDOMDocument(samlReq)); - //Logger.info("SAML : " + xml); - - if(!moaRequest.isVerified()) { - SAMLVerificationEngine engine = new SAMLVerificationEngine(); - engine.verifyRequest(samlReq, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); - moaRequest.setVerified(true); - } - - if(!(samlReq instanceof AuthnRequest)) { - throw new MOAIDException("Unsupported request", new Object[] {}); - } - - EntityDescriptor metadata = moaRequest.getEntityMetadata(); - if(metadata == null) { - throw new NoMetadataInformationException(); - } - SPSSODescriptor spSSODescriptor = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); + InboundMessage msg = (InboundMessage) decoder.decode(request, response); - AuthnRequest authnRequest = (AuthnRequest)samlReq; - - Integer aIdx = authnRequest.getAssertionConsumerServiceIndex(); - int assertionidx = 0; - - if(aIdx != null) { - assertionidx = aIdx.intValue(); + if (MiscUtil.isEmpty(msg.getEntityID())) { + throw new InvalidProtocolRequestException("pvp2.20", new Object[] {}); - } else { - assertionidx = SAML2Utils.getDefaultAssertionConsumerServiceIndex(spSSODescriptor); } - aIdx = authnRequest.getAttributeConsumingServiceIndex(); - int attributeIdx = 0; - - if(aIdx != null) { - attributeIdx = aIdx.intValue(); + if(!msg.isVerified()) { + SAMLVerificationEngine engine = new SAMLVerificationEngine(); + engine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); + msg.setVerified(true); + } + + if (msg instanceof MOARequest && + ((MOARequest)msg).getSamlRequest() instanceof AuthnRequest) + return preProcessAuthRequest(request, response, (MOARequest) msg); - AssertionConsumerService consumerService = spSSODescriptor.getAssertionConsumerServices().get(assertionidx); + else if (msg instanceof MOARequest && + ((MOARequest)msg).getSamlRequest() instanceof AttributeQuery) + return preProcessAttributQueryRequest(request, response, (MOARequest) msg); + + else if (msg instanceof MOARequest && + ((MOARequest)msg).getSamlRequest() instanceof LogoutRequest) + return preProcessLogOut(request, response, (MOARequest) msg); - AttributeConsumingService attributeConsumer = null; + else if (msg instanceof MOARequest && + ((MOARequest)msg).getSamlRequest() instanceof LogoutResponse) + return preProcessLogOut(request, response, (MOARequest) msg); - if (spSSODescriptor.getAttributeConsumingServices() != null && - spSSODescriptor.getAttributeConsumingServices().size() > 0) { - attributeConsumer = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx); - } + else if (msg instanceof MOAResponse) { + //load service provider AuthRequest from session + + IRequest obj = RequestStorage.getPendingRequest(msg.getRelayState()); + if (obj instanceof RequestImpl) { + RequestImpl iReqSP = (RequestImpl) obj; + + MOAResponse processedMsg = preProcessAuthResponse((MOAResponse) msg); + + if ( processedMsg != null ) { + iReqSP.setInterfederationResponse(processedMsg); + + } else { + Logger.info("Interfederated IDP " + msg.getEntityID() + " has NO valid SSO session." + +". Switch back local authentication process ..."); - String oaURL = moaRequest.getEntityMetadata().getEntityID(); - String binding = consumerService.getBinding(); -// String entityID = moaRequest.getEntityMetadata().getEntityID(); - - Logger.info("Dispatch PVP2 Request: OAURL=" + oaURL + " Binding=" + binding); - - oaURL = StringEscapeUtils.escapeHtml(oaURL); - - config.setOAURL(oaURL); - config.setBinding(binding); - config.setRequest(moaRequest); - config.setConsumerURL(consumerService.getLocation()); + SSOManager ssomanager = SSOManager.getInstance(); + ssomanager.removeInterfederatedSSOIDP(msg.getEntityID(), request); + + iReqSP.setRequestedIDP(null); - String useMandate = request.getParameter(PARAM_USEMANDATE); - if(useMandate != null) { - if(useMandate.equals("true") && attributeConsumer != null) { - if(!CheckMandateAttributes.canHandleMandate(attributeConsumer)) { - throw new MandateAttributesNotHandleAbleException(); } + + return iReqSP; + } - } - //validate AuthnRequest - try { - AuthnRequestValidator.validate((AuthnRequestImpl) samlReq); - - } catch (AuthnRequestValidatorException e) { - if (generateErrorMessage(e, request, response, config)) { - throw new AuthnRequestValidatorException(e.getMessage(), - new Object[] {}, config); - - } else { - throw new MOAIDException(e.getMessage(), new Object[] {}); - - } + Logger.error("Stored PVP21 authrequest from service provider has an unsuppored type."); + return null; + + } else { + Logger.error("Receive unsupported PVP21 message"); + throw new MOAIDException("Unsupported PVP21 message", new Object[] {}); } - - //request.getSession().setAttribute(PARAM_OA, oaURL); - return config; - } catch (PVP2Exception e) { throw e; + + } catch (SecurityPolicyException e) { + String samlRequest = request.getParameter("SAMLRequest"); + Logger.warn("Receive INVALID protocol request: " + samlRequest, e); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); + + } catch (SecurityException e) { + String samlRequest = request.getParameter("SAMLRequest"); + Logger.warn("Receive INVALID protocol request: " + samlRequest, e); + throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}); + + } catch (InvalidProtocolRequestException e) { + String samlRequest = request.getParameter("SAMLRequest"); + Logger.warn("Receive INVALID protocol request: " + samlRequest, e); + throw e; } catch (Throwable e) { String samlRequest = request.getParameter("SAMLRequest"); @@ -278,6 +301,10 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { Status status = SAML2Utils.createSAMLObject(Status.class); StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class); StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class); + + ErrorResponseUtils errorUtils = ErrorResponseUtils.getInstance(); + String moaError = null; + if(e instanceof NoPassivAuthenticationException) { statusCode.setValue(StatusCode.NO_PASSIVE_URI); statusMessage.setMessage(StringEscapeUtils.escapeXml(e.getLocalizedMessage())); @@ -285,6 +312,10 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { } else if (e instanceof NameIDFormatNotSupportedException) { statusCode.setValue(StatusCode.INVALID_NAMEID_POLICY_URI); statusMessage.setMessage(StringEscapeUtils.escapeXml(e.getLocalizedMessage())); + + } else if (e instanceof SLOException) { + //SLOExecpetions only occurs if session information is lost + return false; } else if(e instanceof PVP2Exception) { PVP2Exception ex = (PVP2Exception) e; @@ -292,11 +323,20 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { String statusMessageValue = ex.getStatusMessageValue(); if(statusMessageValue != null) { statusMessage.setMessage(StringEscapeUtils.escapeXml(statusMessageValue)); - } + } + moaError = errorUtils.mapInternalErrorToExternalError(ex.getMessageId()); } else { statusCode.setValue(StatusCode.RESPONDER_URI); statusMessage.setMessage(StringEscapeUtils.escapeXml(e.getLocalizedMessage())); + moaError = errorUtils.getResponseErrorCode(e); + } + + + if (MiscUtil.isNotEmpty(moaError)) { + StatusCode moaStatusCode = SAML2Utils.createSAMLObject(StatusCode.class); + moaStatusCode.setValue(moaError); + statusCode.setStatusCode(moaStatusCode); } status.setStatusCode(statusCode); @@ -306,16 +346,27 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { samlResponse.setStatus(status); String remoteSessionID = SAML2Utils.getSecureIdentifier(); samlResponse.setID(remoteSessionID); - + + samlResponse.setIssueInstant(new DateTime()); + Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); + nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); + nissuer.setFormat(NameID.ENTITY); + samlResponse.setIssuer(nissuer); + IEncoder encoder = null; - if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { + if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { encoder = new RedirectBinding(); - } else if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_ARTIFACT_BINDING_URI)) { + + } else if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_ARTIFACT_BINDING_URI)) { // TODO: not supported YET!! //binding = new ArtifactBinding(); + } else if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) { encoder = new PostBinding(); + + } else if (pvpRequest.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) { + encoder = new SoapBinding(); } if(encoder == null) { @@ -340,8 +391,10 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { HttpServletResponse response) { if(request.getParameter("SAMLRequest") != null && request.getMethod().equals("GET")) { return getAction(REDIRECT); + } else if(request.getParameter("SAMLRequest") != null && request.getMethod().equals("POST")) { return getAction(POST); + } if(METADATA.equals(request.getParameter("action"))) { @@ -352,8 +405,240 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { public boolean validate(HttpServletRequest request, HttpServletResponse response, IRequest pending) { - // TODO implement validation! + return true; } + + /** + * PreProcess Single LogOut request + * @param request + * @param response + * @param msg + * @return + * @throws MOAIDException + */ + private IRequest preProcessLogOut(HttpServletRequest request, + HttpServletResponse response, MOARequest msg) throws MOAIDException { + + PVPTargetConfiguration config = new PVPTargetConfiguration(); + + if (((MOARequest)msg).getSamlRequest() instanceof LogoutRequest) { + //preProcess single logout request from service provider + + EntityDescriptor metadata = msg.getEntityMetadata(); + if(metadata == null) { + throw new NoMetadataInformationException(); + } + + + + String oaURL = metadata.getEntityID(); + oaURL = StringEscapeUtils.escapeHtml(oaURL); + + Logger.info("Dispatch PVP2 SingleLogOut: OAURL=" + oaURL + " Binding=" + msg.getRequestBinding()); + + config.setOAURL(oaURL); + config.setBinding(msg.getRequestBinding()); + + + } else if (((MOARequest)msg).getSamlRequest() instanceof LogoutResponse) { + //preProcess single logour response from service provider + + LogoutResponse resp = (LogoutResponse) (((MOARequest)msg).getSamlRequest()); + + Logger.debug("PreProcess SLO Response from " + resp.getIssuer()); + + if (!resp.getDestination().startsWith( + PVPConfiguration.getInstance().getIDPPublicPath())) { + Logger.warn("PVP 2.1 single logout response destination does not match to IDP URL"); + throw new AssertionValidationExeption("PVP 2.1 single logout response destination does not match to IDP URL", null); + + } + + //TODO: check if relayState exists + msg.getRelayState(); + + + } else + throw new MOAIDException("Unsupported request", new Object[] {}); + + + config.setRequest(msg); + config.setAction(SINGLELOGOUT); + return config; + } + + /** + * PreProcess AttributeQuery request + * @param request + * @param response + * @param moaRequest + * @return + * @throws Throwable + */ + private IRequest preProcessAttributQueryRequest(HttpServletRequest request, + HttpServletResponse response, MOARequest moaRequest) throws Throwable { + + AttributeQuery attrQuery = (AttributeQuery) moaRequest.getSamlRequest(); + moaRequest.setEntityID(attrQuery.getIssuer().getValue()); + + //validate destination + String destinaten = attrQuery.getDestination(); + if (!PVPConfiguration.getInstance().getIDPAttributeQueryService().equals(destinaten)) { + Logger.warn("AttributeQuery destination does not match IDP AttributeQueryService URL"); + throw new AttributQueryException("AttributeQuery destination does not match IDP AttributeQueryService URL", null); + + } + + //check if Issuer is an interfederation IDP + // check parameter + if (!ParamValidatorUtils.isValidOA(moaRequest.getEntityID())) + throw new WrongParametersException("StartAuthentication", + PARAM_OA, "auth.12"); + + OAAuthParameter oa = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moaRequest.getEntityID()); + if (!oa.isInderfederationIDP()) { + Logger.warn("AttributeQuery requests are only allowed for interfederation IDPs."); + throw new AttributQueryException("AttributeQuery requests are only allowed for interfederation IDPs.", null); + + } + + if (!oa.isOutboundSSOInterfederationAllowed()) { + Logger.warn("Interfederation IDP " + oa.getPublicURLPrefix() + " does not allow outgoing SSO interfederation."); + throw new AttributQueryException("Interfederation IDP does not allow outgoing SSO interfederation.", null); + + } + + PVPTargetConfiguration config = new PVPTargetConfiguration(); + config.setRequest(moaRequest); + config.setOAURL(moaRequest.getEntityID()); + config.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI); + + return config; + } + + /** + * PreProcess Authn request + * @param request + * @param response + * @param moaRequest + * @return + * @throws Throwable + */ + private IRequest preProcessAuthRequest(HttpServletRequest request, + HttpServletResponse response, MOARequest moaRequest) throws Throwable { + + SignableXMLObject samlReq = moaRequest.getSamlRequest(); + + if(!(samlReq instanceof AuthnRequest)) { + throw new MOAIDException("Unsupported request", new Object[] {}); + } + + EntityDescriptor metadata = moaRequest.getEntityMetadata(); + if(metadata == null) { + throw new NoMetadataInformationException(); + } + SPSSODescriptor spSSODescriptor = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); + + AuthnRequest authnRequest = (AuthnRequest)samlReq; + + Integer aIdx = authnRequest.getAssertionConsumerServiceIndex(); + int assertionidx = 0; + + if(aIdx != null) { + assertionidx = aIdx.intValue(); + + } else { + assertionidx = SAML2Utils.getDefaultAssertionConsumerServiceIndex(spSSODescriptor); + } + + aIdx = authnRequest.getAttributeConsumingServiceIndex(); + int attributeIdx = 0; + + if(aIdx != null) { + attributeIdx = aIdx.intValue(); + } + + AssertionConsumerService consumerService = spSSODescriptor.getAssertionConsumerServices().get(assertionidx); + + AttributeConsumingService attributeConsumer = null; + + if (spSSODescriptor.getAttributeConsumingServices() != null && + spSSODescriptor.getAttributeConsumingServices().size() > 0) { + attributeConsumer = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx); + } + + PVPTargetConfiguration config = new PVPTargetConfiguration(); + + String oaURL = moaRequest.getEntityMetadata().getEntityID(); + String binding = consumerService.getBinding(); + + Logger.info("Dispatch PVP2 AuthnRequest: OAURL=" + oaURL + " Binding=" + binding); + + oaURL = StringEscapeUtils.escapeHtml(oaURL); + + config.setOAURL(oaURL); + config.setBinding(binding); + config.setRequest(moaRequest); + config.setConsumerURL(consumerService.getLocation()); + + //parse AuthRequest + AuthnRequestImpl authReq = (AuthnRequestImpl) samlReq; + config.setPassiv(authReq.isPassive()); + config.setForce(authReq.isForceAuthn()); + + //validate AuthnRequest + AuthnRequestValidator.validate(authReq); + + String useMandate = request.getParameter(PARAM_USEMANDATE); + if(useMandate != null) { + if(useMandate.equals("true") && attributeConsumer != null) { + if(!CheckMandateAttributes.canHandleMandate(attributeConsumer)) { + throw new MandateAttributesNotHandleAbleException(); + } + } + } + + return config; + } + + /** + * PreProcess AuthResponse and Assertion + * @param msg + */ + private MOAResponse preProcessAuthResponse(MOAResponse msg) { + Logger.debug("Start PVP21 assertion processing... "); + Response samlResp = msg.getResponse(); + + try { + if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { + + //validate PVP 2.1 assertion + SAMLVerificationEngine.validateAssertion(samlResp, true); + + msg.setSAMLMessage(SAML2Utils.asDOMDocument(samlResp).getDocumentElement()); + return msg; + + } else { + Logger.debug("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue() + + " from interfederated IDP."); + + } + + } catch (IOException e) { + Logger.warn("Interfederation response marshaling FAILED.", e); + + } catch (MarshallingException e) { + Logger.warn("Interfederation response marshaling FAILED.", e); + + } catch (TransformerException e) { + Logger.warn("Interfederation response marshaling FAILED.", e); + + } catch (AssertionValidationExeption e) { + //error is already logged, to nothing + } + + return null; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java index 7946c7596..47c297914 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java @@ -27,6 +27,8 @@ import org.opensaml.xml.signature.SignatureConstants; public interface PVPConstants { + public static final String SSLSOCKETFACTORYNAME = "MOAMetaDataProvider"; + public static final String DEFAULT_SIGNING_METHODE = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256; public static final String DEFAULT_DIGESTMETHODE = SignatureConstants.ALGO_ID_DIGEST_SHA256; public static final String DEFAULT_SYM_ENCRYPTION_METHODE = EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128; @@ -39,6 +41,8 @@ public interface PVPConstants { public static final String STORK_QAA_1_3 = "http://www.stork.gov.eu/1.0/citizenQAALevel/3"; public static final String STORK_QAA_1_4 = "http://www.stork.gov.eu/1.0/citizenQAALevel/4"; + public static final String STORK_ATTRIBUTE_PREFIX = "http://www.stork.gov.eu/1.0/"; + public static final String URN_OID_PREFIX = "urn:oid:"; public static final String PVP_VERSION_OID = "1.2.40.0.10.2.1.1.261.10"; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java index b3887a444..65da23565 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java @@ -22,22 +22,41 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.impl.AuthnRequestImpl; +import org.opensaml.saml2.metadata.AttributeConsumingService; +import org.opensaml.saml2.metadata.RequestedAttribute; +import org.opensaml.saml2.metadata.SPSSODescriptor; + +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.RequestImpl; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; +import at.gv.egovernment.moa.logging.Logger; public class PVPTargetConfiguration extends RequestImpl { private static final long serialVersionUID = 4889919265919638188L; - MOARequest request; + InboundMessage request; String binding; String consumerURL; - - public MOARequest getRequest() { + + public InboundMessage getRequest() { return request; } - public void setRequest(MOARequest request) { + public void setRequest(InboundMessage request) { this.request = request; } @@ -55,6 +74,67 @@ public class PVPTargetConfiguration extends RequestImpl { public void setConsumerURL(String consumerURL) { this.consumerURL = consumerURL; + } - + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes() + */ + @Override + public List<Attribute> getRequestedAttributes() { + + Map<String, String> reqAttr = new HashMap<String, String>(); + for (String el : PVP2XProtocol.DEFAULTREQUESTEDATTRFORINTERFEDERATION) + reqAttr.put(el, ""); + + try { + OAAuthParameter oa = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(getOAURL()); + + SPSSODescriptor spSSODescriptor = getRequest().getEntityMetadata().getSPSSODescriptor(SAMLConstants.SAML20P_NS); + if (spSSODescriptor.getAttributeConsumingServices() != null && + spSSODescriptor.getAttributeConsumingServices().size() > 0) { + + Integer aIdx = null; + if (getRequest() instanceof MOARequest && + ((MOARequest)getRequest()).getSamlRequest() instanceof AuthnRequestImpl) { + AuthnRequestImpl authnRequest = (AuthnRequestImpl)((MOARequest)getRequest()).getSamlRequest(); + aIdx = authnRequest.getAttributeConsumingServiceIndex(); + + } else { + Logger.error("MOARequest is NOT of type AuthnRequest"); + } + + int idx = 0; + + AttributeConsumingService attributeConsumingService = null; + + if (aIdx != null) { + idx = aIdx.intValue(); + attributeConsumingService = spSSODescriptor + .getAttributeConsumingServices().get(idx); + + } else { + List<AttributeConsumingService> attrConsumingServiceList = spSSODescriptor.getAttributeConsumingServices(); + for (AttributeConsumingService el : attrConsumingServiceList) { + if (el.isDefault()) + attributeConsumingService = el; + } + } + + for ( RequestedAttribute attr : attributeConsumingService.getRequestAttributes()) + reqAttr.put(attr.getName(), ""); + } + + return AttributQueryBuilder.buildSAML2AttributeList(oa, reqAttr.keySet().iterator()); + + } catch (NoMetadataInformationException e) { + Logger.warn("NO metadata found for Entity " + getRequest().getEntityID()); + return null; + + } catch (ConfigurationException e) { + Logger.error("Load configuration for OA " + getOAURL() + " FAILED", e); + return null; + } + + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java new file mode 100644 index 000000000..c67d10ab7 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java @@ -0,0 +1,361 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x; + +import java.util.Iterator; +import java.util.List; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.core.LogoutRequest; +import org.opensaml.saml2.core.LogoutResponse; +import org.opensaml.saml2.core.RequestAbstractType; +import org.opensaml.saml2.core.Status; +import org.opensaml.saml2.core.StatusCode; +import org.opensaml.saml2.metadata.SingleLogoutService; +import org.opensaml.ws.message.encoder.MessageEncodingException; +import org.opensaml.ws.soap.common.SOAPException; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.security.SecurityException; + +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.SLOInformationContainer; +import at.gv.egovernment.moa.id.data.SLOInformationImpl; +import at.gv.egovernment.moa.id.data.SLOInformationInterface; +import at.gv.egovernment.moa.id.moduls.IAction; +import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.moduls.SSOManager; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.SingleLogOutBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SLOException; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; +import at.gv.egovernment.moa.id.storage.AssertionStorage; +import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.util.Random; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +public class SingleLogOutAction implements IAction { + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IAction#processRequest(at.gv.egovernment.moa.id.moduls.IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, at.gv.egovernment.moa.id.data.IAuthData) + */ + @Override + public SLOInformationInterface processRequest(IRequest req, + HttpServletRequest httpReq, HttpServletResponse httpResp, + IAuthData authData) throws MOAIDException { + + PVPTargetConfiguration pvpReq = (PVPTargetConfiguration) req; + + if (pvpReq.getRequest() instanceof MOARequest) { + MOARequest samlReq = (MOARequest) pvpReq.getRequest(); + if (samlReq.getSamlRequest() instanceof LogoutRequest) { + Logger.debug("Process Single LogOut request"); + LogoutRequest logOutReq = (LogoutRequest) samlReq.getSamlRequest(); + + AuthenticationSession session = + AuthenticationSessionStoreage.searchMOASessionWithNameIDandOAID( + logOutReq.getIssuer().getValue(), + logOutReq.getNameID().getValue()); + + if (session == null) { + Logger.warn("Can not find active SSO session with nameID " + + logOutReq.getNameID().getValue() + " and OA " + + logOutReq.getIssuer().getValue()); + Logger.info("Search active SSO session with SSO session cookie"); + SSOManager ssomanager = SSOManager.getInstance(); + String ssoID = ssomanager.getSSOSessionID(httpReq); + if (MiscUtil.isEmpty(ssoID)) { + Logger.warn("Can not find active Session. Single LogOut not possible!"); + SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); + LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq); + sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); + return null; + + } else { + String moasession = ssomanager.getMOASession(ssoID); + try { + session = AuthenticationSessionStoreage.getSession(moasession); + + } catch (MOADatabaseException e) { + Logger.warn("Can not find active Session. Single LogOut not possible!"); + SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); + LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq); + sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); + return null; + + } + } + } + + //store active OAs to SLOContaine + List<OASessionStore> dbOAs = AuthenticationSessionStoreage.getAllActiveOAFromMOASession(session); + SLOInformationContainer sloContainer = new SLOInformationContainer(); + sloContainer.setSloRequest(pvpReq); + sloContainer.parseActiveOAs(dbOAs, logOutReq.getIssuer().getValue()); + + //terminate MOASession + try { + AuthenticationSessionStoreage.destroySession(session.getSessionID()); + + } catch (MOADatabaseException e) { + Logger.warn("Delete MOASession FAILED."); + sloContainer.putFailedOA(AuthConfigurationProvider.getInstance().getPublicURLPrefix()); + + } + + //start service provider back channel logout process + Iterator<String> nextOAInterator = sloContainer.getNextBackChannelOA(); + while (nextOAInterator.hasNext()) { + SLOInformationImpl sloDescr = sloContainer.getBackChannelOASessionDescripten(nextOAInterator.next()); + LogoutRequest sloReq = SingleLogOutBuilder.buildSLORequestMessage(sloDescr); + + try { + List<XMLObject> soapResp = MOASAMLSOAPClient.send(sloDescr.getServiceURL(), sloReq); + + LogoutResponse sloResp = null; + for (XMLObject el : soapResp) { + if (el instanceof LogoutResponse) + sloResp = (LogoutResponse) el; + } + + if (sloResp == null) { + Logger.warn("Single LogOut for OA " + sloReq.getIssuer().getValue() + + " FAILED. NO LogOut response received."); + sloContainer.putFailedOA(sloReq.getIssuer().getValue()); + + } + + checkStatusCode(sloContainer, sloResp); + + } catch (SOAPException e) { + Logger.warn("Single LogOut for OA " + sloReq.getIssuer().getValue() + + " FAILED.", e); + sloContainer.putFailedOA(sloReq.getIssuer().getValue()); + + } catch (SecurityException e) { + Logger.warn("Single LogOut for OA " + sloReq.getIssuer().getValue() + + " FAILED.", e); + sloContainer.putFailedOA(sloReq.getIssuer().getValue()); + + } + } + + //start service provider front channel logout process + try { + doFrontChannelLogOut(sloContainer, httpReq, httpResp); + + } catch (MOADatabaseException e) { + Logger.error("MOA AssertionDatabase ERROR", e); + SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); + LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq); + sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); + return null; + + } + + } else if (samlReq.getSamlRequest() instanceof LogoutResponse) { + Logger.debug("Process Single LogOut response"); + LogoutResponse logOutResp = (LogoutResponse) samlReq.getSamlRequest(); + + try { + if (MiscUtil.isEmpty(samlReq.getRelayState())) { + Logger.warn("SLO Response from " + logOutResp.getIssuer().getValue() + + " has no SAML2 RelayState."); + throw new SLOException("pvp2.19", null); + + } + + SLOInformationContainer sloContainer = + AssertionStorage.getInstance().get(samlReq.getRelayState(), SLOInformationContainer.class); + checkStatusCode(sloContainer, logOutResp); + sloContainer.removeFrontChannelOA(logOutResp.getIssuer().getValue()); + doFrontChannelLogOut(sloContainer, httpReq, httpResp); + + } catch (MOADatabaseException e) { + Logger.error("MOA AssertionDatabase ERROR", e); + throw new SLOException("pvp2.19", null); + + } + + } else { + Logger.error("Process SingleLogOutAction but request is NOT of type LogoutRequest or LogoutResponse."); + throw new MOAIDException("pvp2.13", null); + + } + + } else { + Logger.error("Process SingleLogOutAction but request is NOT of type MOARequest."); + throw new MOAIDException("pvp2.13", null); + + } + + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IAction#needAuthentication(at.gv.egovernment.moa.id.moduls.IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) + */ + @Override + public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, + HttpServletResponse httpResp) { + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IAction#getDefaultActionName() + */ + @Override + public String getDefaultActionName() { + return PVP2XProtocol.SINGLELOGOUT; + } + + private void checkStatusCode(SLOInformationContainer sloContainer, LogoutResponse logOutResp) { + Status status = logOutResp.getStatus(); + if (!status.getStatusCode().equals(StatusCode.SUCCESS_URI)) { + Logger.warn("Single LogOut for OA " + logOutResp.getIssuer().getValue() + + " FAILED. (ResponseCode: " + status.getStatusCode().getValue() + + " Message: " + status.getStatusMessage().getMessage() + ")"); + sloContainer.putFailedOA(logOutResp.getIssuer().getValue()); + + } else + Logger.debug("Single LogOut for OA " + logOutResp.getIssuer().getValue() + " SUCCESS"); + + } + + private void doFrontChannelLogOut(SLOInformationContainer sloContainer, + HttpServletRequest httpReq, HttpServletResponse httpResp + ) throws MOAIDException, MOADatabaseException { + String nextOA = sloContainer.getNextFrontChannelOA(); + if (MiscUtil.isNotEmpty(nextOA)) { + SLOInformationImpl sloDescr = sloContainer.getFrontChannelOASessionDescripten(nextOA); + LogoutRequest sloReq = SingleLogOutBuilder.buildSLORequestMessage(sloDescr); + String relayState = Random.nextRandom(); + + AssertionStorage.getInstance().put(relayState, sloContainer); + + sendFrontChannelSLOMessage(sloDescr.getServiceURL(), sloDescr.getBinding(), + sloReq, httpReq, httpResp, relayState); + + } else { + //send SLO response to SLO request issuer + PVPTargetConfiguration pvpReq = sloContainer.getSloRequest(); + MOARequest samlReq = (MOARequest) pvpReq.getRequest(); + SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); + LogoutResponse message = SingleLogOutBuilder.buildSLOResponseMessage(sloService, pvpReq, sloContainer.getSloFailedOAs()); + sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); + + } + } + + /** + * @param serviceURL + * @param binding + * @param sloReq + * @param httpReq + * @param httpResp + * @param relayState + */ + private void sendFrontChannelSLOMessage(String serviceURL, String bindingType, + RequestAbstractType sloReq, HttpServletRequest httpReq, + HttpServletResponse httpResp, String relayState) throws MOAIDException { + IEncoder binding = null; + if (bindingType.equals( + SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { + binding = new RedirectBinding(); + + } else if (bindingType.equals( + SAMLConstants.SAML2_POST_BINDING_URI)) { + binding = new PostBinding(); + + } + + if (binding == null) { + throw new BindingNotSupportedException(bindingType); + } + + try { + binding.encodeRequest(httpReq, httpResp, sloReq, + serviceURL, relayState); + + } catch (MessageEncodingException e) { + Logger.error("Message Encoding exception", e); + throw new MOAIDException("pvp2.01", null, e); + + } catch (SecurityException e) { + Logger.error("Security exception", e); + throw new MOAIDException("pvp2.01", null, e); + + } + + } + + private void sendFrontChannelSLOMessage(SingleLogoutService consumerService, + LogoutResponse sloResp, HttpServletRequest req, HttpServletResponse resp, + String relayState) throws MOAIDException { + IEncoder binding = null; + if (consumerService.getBinding().equals( + SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { + binding = new RedirectBinding(); + + } else if (consumerService.getBinding().equals( + SAMLConstants.SAML2_POST_BINDING_URI)) { + binding = new PostBinding(); + + } + + if (binding == null) { + throw new BindingNotSupportedException(consumerService.getBinding()); + } + + try { + binding.encodeRespone(req, resp, sloResp, + consumerService.getLocation(), relayState); + + } catch (MessageEncodingException e) { + Logger.error("Message Encoding exception", e); + throw new MOAIDException("pvp2.01", null, e); + + } catch (SecurityException e) { + Logger.error("Security exception", e); + throw new MOAIDException("pvp2.01", null, e); + + } + + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java index 43a17af23..8691667f0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java @@ -43,13 +43,14 @@ import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.signature.Signature; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPAssertionStorage; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; public class ArtifactBinding implements IDecoder, IEncoder { public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, - RequestAbstractType request, String targetLocation) + RequestAbstractType request, String targetLocation, String relayState) throws MessageEncodingException, SecurityException { } @@ -100,23 +101,21 @@ public class ArtifactBinding implements IDecoder, IEncoder { } } - public MOARequest decodeRequest(HttpServletRequest req, + public InboundMessageInterface decode(HttpServletRequest req, HttpServletResponse resp) throws MessageDecodingException, SecurityException { return null; } - public MOAResponse decodeRespone(HttpServletRequest req, - HttpServletResponse resp) throws MessageDecodingException, - SecurityException { - - return null; - } public boolean handleDecode(String action, HttpServletRequest req) { return false; } + + public String getSAML2BindingName() { + return SAMLConstants.SAML2_ARTIFACT_BINDING_URI; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java index b64b28de8..fb17c02b8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java @@ -29,15 +29,14 @@ import org.opensaml.ws.message.decoder.MessageDecodingException; import org.opensaml.xml.security.SecurityException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; public interface IDecoder { - public MOARequest decodeRequest(HttpServletRequest req, + public InboundMessageInterface decode(HttpServletRequest req, HttpServletResponse resp) throws MessageDecodingException, SecurityException, PVP2Exception; - - public MOAResponse decodeRespone(HttpServletRequest req, - HttpServletResponse resp) - throws MessageDecodingException, SecurityException, PVP2Exception; - + public boolean handleDecode(String action, HttpServletRequest req); + + public String getSAML2BindingName(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java index f7dfd055c..de5548a44 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java @@ -34,7 +34,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; public interface IEncoder { public void encodeRequest(HttpServletRequest req, - HttpServletResponse resp, RequestAbstractType request, String targetLocation) + HttpServletResponse resp, RequestAbstractType request, String targetLocation, String relayState) throws MessageEncodingException, SecurityException, PVP2Exception; /** diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java index 1d6b227d6..6080f8a33 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java @@ -26,9 +26,22 @@ import org.opensaml.common.binding.decoding.URIComparator; public class MOAURICompare implements URIComparator { - public boolean compare(String uri1, String uri2) { - // TODO: implement proper equalizer for rewritten URLS - return true; + /** + * @param idpssoPostService + */ + + private String serviceURL = ""; + + public MOAURICompare(String serviceURL) { + this.serviceURL = serviceURL; + } + + public boolean compare(String uri1, String uri2) { + if (this.serviceURL.equals(uri1)) + return true; + + else + return false; } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 11e280d8f..a2fe5c01b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -34,7 +34,9 @@ import org.opensaml.saml2.binding.encoding.HTTPPostEncoder; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusResponseType; +import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml2.metadata.SingleLogoutService; import org.opensaml.saml2.metadata.SingleSignOnService; import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder; import org.opensaml.ws.message.decoder.MessageDecodingException; @@ -47,6 +49,14 @@ import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter; import org.opensaml.xml.security.x509.X509Credential; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; @@ -56,10 +66,38 @@ import at.gv.egovernment.moa.logging.Logger; public class PostBinding implements IDecoder, IEncoder { public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, - RequestAbstractType request, String targetLocation) + RequestAbstractType request, String targetLocation, String relayState) throws MessageEncodingException, SecurityException { - // TODO Auto-generated method stub + + try { + X509Credential credentials = CredentialProvider + .getIDPAssertionSigningCredential(); + + VelocityEngine engine = VelocityProvider.getClassPathVelocityEngine(); + HTTPPostEncoder encoder = new HTTPPostEncoder(engine, + "resources/templates/pvp_postbinding_template.html"); + HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( + resp, true); + BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); + SingleSignOnService service = new SingleSignOnServiceBuilder().buildObject(); + service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"); + service.setLocation(targetLocation);; + + context.setOutboundSAMLMessageSigningCredential(credentials); + context.setPeerEntityEndpoint(service); + context.setOutboundSAMLMessage(request); + context.setOutboundMessageTransport(responseAdapter); + context.setRelayState(relayState); + encoder.encode(context); + + } catch (CredentialsNotAvailableException e) { + e.printStackTrace(); + throw new SecurityException(e); + } catch (Exception e) { + e.printStackTrace(); + throw new SecurityException(e); + } } public void encodeRespone(HttpServletRequest req, HttpServletResponse resp, @@ -100,63 +138,63 @@ public class PostBinding implements IDecoder, IEncoder { } } - public MOARequest decodeRequest(HttpServletRequest req, + public InboundMessageInterface decode(HttpServletRequest req, HttpServletResponse resp) throws MessageDecodingException, SecurityException { HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool()); - BasicSAMLMessageContext<RequestAbstractType, ?, ?> messageContext = new BasicSAMLMessageContext<RequestAbstractType, SAMLObject, SAMLObject>(); + BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); messageContext .setInboundMessageTransport(new HttpServletRequestAdapter(req)); - decode.setURIComparator(new MOAURICompare()); - messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); - + try { + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService())); + + } catch (ConfigurationException e) { + throw new SecurityException(e); + } + + decode.decode(messageContext); + messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); - - decode.decode(messageContext); - - RequestAbstractType inboundMessage = (RequestAbstractType) messageContext - .getInboundMessage(); - + InboundMessage msg = null; + + if (messageContext.getInboundMessage() instanceof RequestAbstractType) { + messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + + RequestAbstractType inboundMessage = (RequestAbstractType) messageContext + .getInboundMessage(); + msg = new MOARequest(inboundMessage, getSAML2BindingName()); + + } else if (messageContext.getInboundMessage() instanceof Response){ + messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); + + Response inboundMessage = (Response) messageContext.getInboundMessage(); + msg = new MOAResponse(inboundMessage); + + } else + //create empty container if request type is unknown + msg = new InboundMessage(); - MOARequest request = new MOARequest(inboundMessage); - request.setVerified(false); + msg.setVerified(false); + decode.decode(messageContext); if (messageContext.getPeerEntityMetadata() != null) - request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); + msg.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); else - Logger.info("No Metadata found for OA with EntityID " + inboundMessage.getIssuer().getValue()); + Logger.info("No Metadata found for OA with EntityID " + messageContext.getInboundMessageIssuer()); - request.setRelayState(messageContext.getRelayState()); - return request; - - } - - public MOAResponse decodeRespone(HttpServletRequest req, - HttpServletResponse resp) throws MessageDecodingException, - SecurityException { - - HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool()); - BasicSAMLMessageContext<Response, ?, ?> messageContext = new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>(); - messageContext - .setInboundMessageTransport(new HttpServletRequestAdapter(req)); - - messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); - - decode.decode(messageContext); - - Response inboundMessage = (Response) messageContext.getInboundMessage(); - - MOAResponse moaResponse = new MOAResponse(inboundMessage); - moaResponse.setVerified(false); - moaResponse.setEntityMetadata(messageContext.getPeerEntityMetadata()); - return moaResponse; - + msg.setRelayState(messageContext.getRelayState()); + + return msg; } public boolean handleDecode(String action, HttpServletRequest req) { - return (req.getMethod().equals("POST")); + return (req.getMethod().equals("POST") && action.equals(PVP2XProtocol.POST)); + } + + public String getSAML2BindingName() { + return SAMLConstants.SAML2_POST_BINDING_URI; } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index dc6a1f637..8fba6cde0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -35,6 +35,7 @@ import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusResponseType; +import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.saml2.metadata.SingleSignOnService; import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder; @@ -50,7 +51,13 @@ import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.x509.X509Credential; +import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; @@ -61,9 +68,34 @@ import at.gv.egovernment.moa.util.DOMUtils; public class RedirectBinding implements IDecoder, IEncoder { public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, - RequestAbstractType request, String targetLocation) + RequestAbstractType request, String targetLocation, String relayState) throws MessageEncodingException, SecurityException { - // TODO: implement + + try { + X509Credential credentials = CredentialProvider + .getIDPAssertionSigningCredential(); + + Logger.debug("create SAML RedirectBinding response"); + + HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder(); + HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( + resp, true); + BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject> context = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); + SingleSignOnService service = new SingleSignOnServiceBuilder() + .buildObject(); + service.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); + service.setLocation(targetLocation); + context.setOutboundSAMLMessageSigningCredential(credentials); + context.setPeerEntityEndpoint(service); + context.setOutboundSAMLMessage(request); + context.setOutboundMessageTransport(responseAdapter); + context.setRelayState(relayState); + + encoder.encode(context); + } catch (CredentialsNotAvailableException e) { + e.printStackTrace(); + throw new SecurityException(e); + } } public void encodeRespone(HttpServletRequest req, HttpServletResponse resp, @@ -85,10 +117,10 @@ public class RedirectBinding implements IDecoder, IEncoder { service.setLocation(targetLocation); context.setOutboundSAMLMessageSigningCredential(credentials); context.setPeerEntityEndpoint(service); - // context.setOutboundMessage(authReq); context.setOutboundSAMLMessage(response); context.setOutboundMessageTransport(responseAdapter); - + context.setRelayState(relayState); + encoder.encode(context); } catch (CredentialsNotAvailableException e) { e.printStackTrace(); @@ -96,84 +128,80 @@ public class RedirectBinding implements IDecoder, IEncoder { } } - public MOARequest decodeRequest(HttpServletRequest req, + public InboundMessageInterface decode(HttpServletRequest req, HttpServletResponse resp) throws MessageDecodingException, SecurityException { HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder( new BasicParserPool()); - decode.setURIComparator(new MOAURICompare()); - BasicSAMLMessageContext<RequestAbstractType, ?, ?> messageContext = new BasicSAMLMessageContext<RequestAbstractType, SAMLObject, SAMLObject>(); - messageContext - .setInboundMessageTransport(new HttpServletRequestAdapter(req)); - - messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); - - SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule( - TrustEngineFactory.getSignatureKnownKeysTrustEngine()); - - SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule(); - - BasicSecurityPolicy policy = new BasicSecurityPolicy(); - policy.getPolicyRules().add(signatureRule); - policy.getPolicyRules().add(signedRole); + try { + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService())); - SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver( - policy); - messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); - messageContext.setSecurityPolicyResolver(resolver); + } catch (ConfigurationException e) { + throw new SecurityException(e); + + } - decode.decode(messageContext); - - signatureRule.evaluate(messageContext); - - RequestAbstractType inboundMessage = (RequestAbstractType) messageContext - .getInboundMessage(); - MOARequest request = new MOARequest(inboundMessage); - request.setVerified(true); - request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); - return request; - } - - public MOAResponse decodeRespone(HttpServletRequest req, - HttpServletResponse resp) throws MessageDecodingException, - SecurityException { - - HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder( - new BasicParserPool()); - BasicSAMLMessageContext<Response, ?, ?> messageContext = new BasicSAMLMessageContext<Response, SAMLObject, SAMLObject>(); + BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext = new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); messageContext .setInboundMessageTransport(new HttpServletRequestAdapter(req)); + decode.decode(messageContext); + + messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); + SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule( TrustEngineFactory.getSignatureKnownKeysTrustEngine()); - - // signatureRule.evaluate(messageContext); + SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule(); BasicSecurityPolicy policy = new BasicSecurityPolicy(); policy.getPolicyRules().add(signatureRule); + policy.getPolicyRules().add(signedRole); SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver( - policy); - messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + policy); messageContext.setSecurityPolicyResolver(resolver); - MOAMetadataProvider provider = null; - - provider = MOAMetadataProvider.getInstance(); + + InboundMessage msg = null; + + if (messageContext.getInboundMessage() instanceof RequestAbstractType) { + messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + + RequestAbstractType inboundMessage = (RequestAbstractType) messageContext + .getInboundMessage(); + msg = new MOARequest(inboundMessage, getSAML2BindingName()); + + + } else if (messageContext.getInboundMessage() instanceof Response){ + messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); + + Response inboundMessage = (Response) messageContext.getInboundMessage(); + msg = new MOAResponse(inboundMessage); + + } else + //create empty container if request type is unknown + msg = new InboundMessage(); - messageContext.setMetadataProvider(provider); + signatureRule.evaluate(messageContext); + msg.setVerified(true); decode.decode(messageContext); - - Response inboundMessage = (Response) messageContext.getInboundMessage(); - - MOAResponse moaResponse = new MOAResponse(inboundMessage); - moaResponse.setVerified(true); - moaResponse.setEntityMetadata(messageContext.getPeerEntityMetadata()); - return moaResponse; + if (messageContext.getPeerEntityMetadata() != null) + msg.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); + + else + Logger.info("No Metadata found for OA with EntityID " + messageContext.getInboundMessageIssuer()); + + msg.setRelayState(messageContext.getRelayState()); + + return msg; } public boolean handleDecode(String action, HttpServletRequest req) { return (action.equals(PVP2XProtocol.REDIRECT) && req.getMethod() .equals("GET")); } + + public String getSAML2BindingName() { + return SAMLConstants.SAML2_REDIRECT_BINDING_URI; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java index 1d41654eb..75332cfea 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java @@ -22,6 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.binding; +import java.util.List; + import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -33,51 +35,68 @@ import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.ws.message.decoder.MessageDecodingException; import org.opensaml.ws.message.encoder.MessageEncodingException; +import org.opensaml.ws.soap.client.BasicSOAPMessageContext; +import org.opensaml.ws.soap.soap11.Envelope; import org.opensaml.ws.soap.soap11.decoder.http.HTTPSOAP11Decoder; import org.opensaml.ws.transport.http.HttpServletRequestAdapter; import org.opensaml.ws.transport.http.HttpServletResponseAdapter; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.credential.Credential; +import org.opensaml.xml.signature.SignableXMLObject; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.logging.Logger; public class SoapBinding implements IDecoder, IEncoder { - public MOARequest decodeRequest(HttpServletRequest req, + public InboundMessageInterface decode(HttpServletRequest req, HttpServletResponse resp) throws MessageDecodingException, SecurityException, PVP2Exception { - HTTPSOAP11Decoder soapDecoder = new HTTPSOAP11Decoder(); - BasicSAMLMessageContext<RequestAbstractType, ?, ?> messageContext = - new BasicSAMLMessageContext<RequestAbstractType, SAMLObject, SAMLObject>(); + HTTPSOAP11Decoder soapDecoder = new HTTPSOAP11Decoder(new BasicParserPool()); + BasicSAMLMessageContext<SAMLObject, ?, ?> messageContext = + new BasicSAMLMessageContext<SAMLObject, SAMLObject, SAMLObject>(); messageContext .setInboundMessageTransport(new HttpServletRequestAdapter( req)); + soapDecoder.decode(messageContext); - - RequestAbstractType inboundMessage = (RequestAbstractType) messageContext + + Envelope inboundMessage = (Envelope) messageContext .getInboundMessage(); - MOARequest request = new MOARequest(inboundMessage); + if (inboundMessage.getBody() != null) { + List<XMLObject> xmlElemList = inboundMessage.getBody().getUnknownXMLObjects(); - return request; - } - - public MOAResponse decodeRespone(HttpServletRequest req, - HttpServletResponse resp) throws MessageDecodingException, - SecurityException, PVP2Exception { - throw new BindingNotSupportedException(SAMLConstants.SAML2_SOAP11_BINDING_URI + " response"); + if (!xmlElemList.isEmpty()) { + SignableXMLObject attrReq = (SignableXMLObject) xmlElemList.get(0); + MOARequest request = new MOARequest(attrReq, getSAML2BindingName()); + request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); + request.setVerified(false); + return request; + + } + } + + Logger.error("Receive empty PVP 2.1 attributequery request."); + throw new AttributQueryException("Receive empty PVP 2.1 attributequery request.", null); } public boolean handleDecode(String action, HttpServletRequest req) { - return (action.equals(PVP2XProtocol.SOAP)); + return (req.getMethod().equals("POST") && + (action.equals(PVP2XProtocol.SOAP) || action.equals(PVP2XProtocol.ATTRIBUTEQUERY))); } public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, - RequestAbstractType request, String targetLocation) + RequestAbstractType request, String targetLocation, String relayState) throws MessageEncodingException, SecurityException, PVP2Exception { } @@ -103,5 +122,9 @@ public class SoapBinding implements IDecoder, IEncoder { throw new SecurityException(e); } } + + public String getSAML2BindingName() { + return SAMLConstants.SAML2_SOAP11_BINDING_URI; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java new file mode 100644 index 000000000..6296d102f --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java @@ -0,0 +1,185 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder; + +import java.util.ArrayList; +import java.util.Iterator; +import java.util.List; +import java.util.Set; + +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; + +import org.joda.time.DateTime; +import org.opensaml.Configuration; +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.AttributeQuery; +import org.opensaml.saml2.core.Issuer; +import org.opensaml.saml2.core.NameID; +import org.opensaml.saml2.core.Subject; +import org.opensaml.saml2.core.impl.AttributeQueryBuilder; +import org.opensaml.xml.io.Marshaller; +import org.opensaml.xml.io.MarshallingException; +import org.opensaml.xml.security.x509.X509Credential; +import org.opensaml.xml.signature.Signature; +import org.opensaml.xml.signature.SignatureConstants; +import org.opensaml.xml.signature.SignatureException; +import org.opensaml.xml.signature.Signer; +import org.w3c.dom.Document; + +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.SamlAttributeGenerator; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Constants; + +/** + * @author tlenz + * + */ +public class AttributQueryBuilder { + + public static List<Attribute> buildSAML2AttributeList(OAAuthParameter oa, Iterator<String> iterator) { + + Logger.debug("Build OA specific Attributes for AttributQuery request"); + + List<Attribute> attrList = new ArrayList<Attribute>(); + + SamlAttributeGenerator generator = new SamlAttributeGenerator(); + + while(iterator.hasNext()) { + String rA = iterator.next(); + Attribute attr = PVPAttributeBuilder.buildEmptyAttribute(rA); + if (attr == null) { + Logger.warn("Attribut " + rA + " has no valid Name"); + + } else { + //add OA specific information + if (rA.equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) { + if (oa.getBusinessService()) + attr = generator.buildStringAttribute(attr.getFriendlyName(), + attr.getName(), oa.getIdentityLinkDomainIdentifier()); + else + attr = generator.buildStringAttribute(attr.getFriendlyName(), + attr.getName(), Constants.URN_PREFIX_CDID + "+" + oa.getTarget()); + } + + //TODO: add attribute values for SSO with mandates (ProfileList) + + + attrList.add(attr); + } + } + + return attrList; + } + + + public static AttributeQuery buildAttributQueryRequest(String nameID, + String endpoint, List<Attribute> requestedAttributes) throws AttributQueryException { + + + try { + + AttributeQuery query = new AttributeQueryBuilder().buildObject(); + + //set user nameID + Subject subject = SAML2Utils.createSAMLObject(Subject.class); + NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class); + subjectNameID.setValue(nameID); + subjectNameID.setFormat(NameID.TRANSIENT); + subject.setNameID(subjectNameID); + query.setSubject(subject); + + //set attributes + query.getAttributes().addAll(requestedAttributes); + + //set general request parameters + DateTime now = new DateTime(); + query.setIssueInstant(now); + + Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); + nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); + nissuer.setFormat(NameID.ENTITY); + query.setIssuer(nissuer); + + String sessionID = SAML2Utils.getSecureIdentifier(); + query.setID(sessionID); + + query.setDestination(endpoint); + + X509Credential idpSigningCredential = CredentialProvider.getIDPAssertionSigningCredential(); + + Signature signer = SAML2Utils.createSAMLObject(Signature.class); + signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1); + signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); + signer.setSigningCredential(idpSigningCredential); + query.setSignature(signer); + + DocumentBuilder builder; + DocumentBuilderFactory factory = DocumentBuilderFactory + .newInstance(); + + builder = factory.newDocumentBuilder(); + Document document = builder.newDocument(); + Marshaller out = Configuration.getMarshallerFactory() + .getMarshaller(query); + out.marshall(query, document); + + Signer.signObject(signer); + + return query; + + } catch (ConfigurationException e) { + Logger.error("Build AttributQuery Request FAILED.", e); + throw new AttributQueryException("Build AttributQuery Request FAILED.", null, e); + + } catch (CredentialsNotAvailableException e) { + Logger.error("Build AttributQuery Request FAILED.", e); + throw new AttributQueryException("Build AttributQuery Request FAILED.", null, e); + + } catch (ParserConfigurationException e) { + Logger.error("Build AttributQuery Request FAILED.", e); + throw new AttributQueryException("Build AttributQuery Request FAILED.", null, e); + + } catch (MarshallingException e) { + Logger.error("Build AttributQuery Request FAILED.", e); + throw new AttributQueryException("Build AttributQuery Request FAILED.", null, e); + + } catch (SignatureException e) { + Logger.error("Build AttributQuery Request FAILED.", e); + throw new AttributQueryException("Build AttributQuery Request FAILED.", null, e); + + } + + + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java new file mode 100644 index 000000000..4ef09184d --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java @@ -0,0 +1,152 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder; + +import java.util.ArrayList; +import java.util.Date; +import java.util.List; + +import org.joda.time.DateTime; +import org.opensaml.Configuration; +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.core.Assertion; +import org.opensaml.saml2.core.EncryptedAssertion; +import org.opensaml.saml2.core.Issuer; +import org.opensaml.saml2.core.NameID; +import org.opensaml.saml2.core.RequestAbstractType; +import org.opensaml.saml2.core.Response; +import org.opensaml.saml2.encryption.Encrypter; +import org.opensaml.saml2.encryption.Encrypter.KeyPlacement; +import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.security.MetadataCredentialResolver; +import org.opensaml.security.MetadataCriteria; +import org.opensaml.xml.encryption.EncryptionException; +import org.opensaml.xml.encryption.EncryptionParameters; +import org.opensaml.xml.encryption.KeyEncryptionParameters; +import org.opensaml.xml.security.CriteriaSet; +import org.opensaml.xml.security.SecurityException; +import org.opensaml.xml.security.credential.UsageType; +import org.opensaml.xml.security.criteria.EntityIDCriteria; +import org.opensaml.xml.security.criteria.UsageCriteria; +import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory; +import org.opensaml.xml.security.x509.X509Credential; + +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionEncryptionException; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class AuthResponseBuilder { + + public static Response buildResponse(RequestAbstractType req, DateTime date, Assertion assertion) throws InvalidAssertionEncryptionException, ConfigurationException { + Response authResponse = SAML2Utils.createSAMLObject(Response.class); + + Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); + + //change to entity value from entity name to IDP EntityID (URL) + nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); + nissuer.setFormat(NameID.ENTITY); + authResponse.setIssuer(nissuer); + authResponse.setInResponseTo(req.getID()); + + //set responseID + String remoteSessionID = SAML2Utils.getSecureIdentifier(); + authResponse.setID(remoteSessionID); + + + //SAML2 response required IssueInstant + authResponse.setIssueInstant(date); + + authResponse.setStatus(SAML2Utils.getSuccessStatus()); + + //check, if metadata includes an encryption key + MetadataCredentialResolver mdCredResolver = + new MetadataCredentialResolver(MOAMetadataProvider.getInstance()); + + CriteriaSet criteriaSet = new CriteriaSet(); + criteriaSet.add( new EntityIDCriteria(req.getIssuer().getValue()) ); + criteriaSet.add( new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS) ); + criteriaSet.add( new UsageCriteria(UsageType.ENCRYPTION) ); + + X509Credential encryptionCredentials = null; + try { + encryptionCredentials = (X509Credential) mdCredResolver.resolveSingle(criteriaSet); + + } catch (SecurityException e2) { + Logger.warn("Can not extract the Assertion Encryption-Key from metadata", e2); + throw new InvalidAssertionEncryptionException(); + + } + + boolean isEncryptionActive = AuthConfigurationProvider.getInstance().isPVP2AssertionEncryptionActive(); + if (encryptionCredentials != null && isEncryptionActive) { + //encrypt SAML2 assertion + + try { + + EncryptionParameters dataEncParams = new EncryptionParameters(); + dataEncParams.setAlgorithm(PVPConstants.DEFAULT_SYM_ENCRYPTION_METHODE); + + List<KeyEncryptionParameters> keyEncParamList = new ArrayList<KeyEncryptionParameters>(); + KeyEncryptionParameters keyEncParam = new KeyEncryptionParameters(); + + keyEncParam.setEncryptionCredential(encryptionCredentials); + keyEncParam.setAlgorithm(PVPConstants.DEFAULT_ASYM_ENCRYPTION_METHODE); + KeyInfoGeneratorFactory kigf = Configuration.getGlobalSecurityConfiguration() + .getKeyInfoGeneratorManager().getDefaultManager() + .getFactory(encryptionCredentials); + keyEncParam.setKeyInfoGenerator(kigf.newInstance()); + keyEncParamList.add(keyEncParam); + + Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList); + //samlEncrypter.setKeyPlacement(KeyPlacement.INLINE); + samlEncrypter.setKeyPlacement(KeyPlacement.PEER); + + EncryptedAssertion encryptAssertion = null; + + encryptAssertion = samlEncrypter.encrypt(assertion); + + authResponse.getEncryptedAssertions().add(encryptAssertion); + + } catch (EncryptionException e1) { + Logger.warn("Can not encrypt the PVP2 assertion", e1); + throw new InvalidAssertionEncryptionException(); + + } + + } else { + authResponse.getAssertions().add(assertion); + + } + + return authResponse; + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java index 39e35120c..8b6e71e6b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java @@ -29,9 +29,8 @@ import java.util.List; import org.opensaml.saml2.core.Attribute; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.BPKAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.BirthdateAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDAuthBlock; @@ -150,11 +149,11 @@ public class PVPAttributeBuilder { addBuilder(new STORKTitleAttributBuilder()); } - public static Attribute buildAttribute(String name, AuthenticationSession authSession, OAAuthParameter oaParam, - AuthenticationData authData) throws PVP2Exception { + public static Attribute buildAttribute(String name, OAAuthParameter oaParam, + IAuthData authData) throws PVP2Exception { if (builders.containsKey(name)) { try { - return builders.get(name).build(authSession, oaParam, authData, generator); + return builders.get(name).build(oaParam, authData, generator); } catch (AttributeException e) { if (e instanceof UnavailableAttributeException) { @@ -171,6 +170,22 @@ public class PVPAttributeBuilder { return null; } + public static Attribute buildEmptyAttribute(String name) { + if (builders.containsKey(name)) { + return builders.get(name).buildEmpty(generator); + } + return null; + } + + public static Attribute buildAttribute(String name, String value) { + if (builders.containsKey(name)) { + return builders.get(name).buildEmpty(generator); + } + return null; + } + + + public static List<Attribute> buildSupportedEmptyAttributes() { List<Attribute> attributes = new ArrayList<Attribute>(); Iterator<IAttributeBuilder> builderIt = builders.values().iterator(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java new file mode 100644 index 000000000..04d374e93 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java @@ -0,0 +1,186 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder; + +import java.util.List; + +import org.joda.time.DateTime; +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.core.Issuer; +import org.opensaml.saml2.core.LogoutRequest; +import org.opensaml.saml2.core.LogoutResponse; +import org.opensaml.saml2.core.NameID; +import org.opensaml.saml2.core.Status; +import org.opensaml.saml2.core.StatusCode; +import org.opensaml.saml2.core.StatusMessage; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml2.metadata.SingleLogoutService; +import org.opensaml.saml2.metadata.provider.MetadataProviderException; + +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.data.SLOInformationImpl; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NOSLOServiceDescriptorException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class SingleLogOutBuilder { + + public static LogoutRequest buildSLORequestMessage(SLOInformationImpl sloInfo) throws ConfigurationException { + LogoutRequest sloReq = SAML2Utils.createSAMLObject(LogoutRequest.class); + + Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); + issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); + issuer.setFormat(NameID.ENTITY); + sloReq.setIssuer(issuer); + sloReq.setIssueInstant(new DateTime()); + + sloReq.setDestination(sloInfo.getServiceURL()); + + NameID nameID = SAML2Utils.createSAMLObject(NameID.class); + nameID.setFormat(sloInfo.getUserNameIDFormat()); + nameID.setValue(sloInfo.getUserNameIdentifier()); + sloReq.setNameID(nameID ); + + return sloReq; + } + + public static LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest) throws ConfigurationException { + LogoutResponse sloResp = SAML2Utils.createSAMLObject(LogoutResponse.class); + Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); + issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); + issuer.setFormat(NameID.ENTITY); + sloResp.setIssuer(issuer); + sloResp.setIssueInstant(new DateTime()); + sloResp.setDestination(sloService.getLocation()); + Status status = SAML2Utils.createSAMLObject(Status.class); + StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class); + StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class); + statusCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); + statusMessage.setMessage(MOAIDMessageProvider.getInstance().getMessage("pvp2.18", null)); + status.setStatusCode(statusCode); + status.setStatusMessage(statusMessage); + sloResp.setStatus(status); + return sloResp; + } + + public static LogoutResponse buildSLOResponseMessage(SingleLogoutService sloService, PVPTargetConfiguration spRequest, List<String> failedOAs) throws ConfigurationException { + LogoutResponse sloResp = SAML2Utils.createSAMLObject(LogoutResponse.class); + Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); + issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); + issuer.setFormat(NameID.ENTITY); + sloResp.setIssuer(issuer); + sloResp.setIssueInstant(new DateTime()); + sloResp.setDestination(sloService.getLocation()); + + Status status; + if (failedOAs == null || failedOAs.size() == 0) { + status = SAML2Utils.getSuccessStatus(); + + } else { + status = SAML2Utils.createSAMLObject(Status.class); + StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class); + StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class); + statusCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); + statusMessage.setMessage(MOAIDMessageProvider.getInstance().getMessage("pvp2.18", null)); + status.setStatusCode(statusCode); + status.setStatusMessage(statusMessage); + + } + sloResp.setStatus(status); + return sloResp; + + } + + public static SingleLogoutService getRequestSLODescriptor(String entityID) throws NOSLOServiceDescriptorException { + try { + EntityDescriptor entity = MOAMetadataProvider.getInstance().getEntityDescriptor(entityID); + SPSSODescriptor spsso = entity.getSPSSODescriptor(SAMLConstants.SAML20P_NS); + + SingleLogoutService sloService = null; + for (SingleLogoutService el : spsso.getSingleLogoutServices()) { + if (el.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) + sloService = el; + + else if (el.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI) + && ( + (sloService != null && !sloService.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) + || sloService == null) + ) + sloService = el; + + else if (el.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI) + && ( + (sloService != null + && !sloService.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI) + && !sloService.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) + || sloService == null) + ) + sloService = el; + } + + if (sloService == null) { + Logger.error("Found no SLO ServiceDescriptor in Metadata"); + throw new NOSLOServiceDescriptorException("NO SLO ServiceDescriptor", null); + + } + return sloService; + + } catch (MetadataProviderException e) { + Logger.error("Found no SLO ServiceDescriptor in Metadata"); + throw new NOSLOServiceDescriptorException("NO SLO ServiceDescriptor", null); + } + + } + + public static SingleLogoutService getResponseSLODescriptor(PVPTargetConfiguration spRequest) throws NoMetadataInformationException, NOSLOServiceDescriptorException { + MOARequest moaReq = (MOARequest) spRequest.getRequest(); + EntityDescriptor metadata = moaReq.getEntityMetadata(); + SPSSODescriptor spsso = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); + + SingleLogoutService sloService = null; + for (SingleLogoutService el : spsso.getSingleLogoutServices()) { + if (el.getBinding().equals(spRequest.getBinding())) + sloService = el; + } + if (sloService == null && spsso.getSingleLogoutServices().size() != 0) + sloService = spsso.getSingleLogoutServices().get(0); + + else { + Logger.error("Found no SLO ServiceDescriptor in Metadata"); + throw new NOSLOServiceDescriptorException("NO SLO ServiceDescriptor", null); + } + return sloService; + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index 9def5d22c..4d6343fce 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -23,6 +23,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion; import java.security.MessageDigest; +import java.util.ArrayList; import java.util.Iterator; import java.util.List; @@ -30,6 +31,7 @@ import org.joda.time.DateTime; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.AttributeQuery; import org.opensaml.saml2.core.AttributeStatement; import org.opensaml.saml2.core.Audience; import org.opensaml.saml2.core.AudienceRestriction; @@ -53,29 +55,28 @@ import org.opensaml.saml2.metadata.RequestedAttribute; import org.opensaml.saml2.metadata.SPSSODescriptor; import org.w3c.dom.Element; -import edu.emory.mathcs.backport.java.util.Arrays; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; -import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoAuthContextException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.MandateAttributesNotHandleAbleException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.QAANotSupportedException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.UnprovideableAttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.CheckMandateAttributes; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.id.util.QAALevelVerifier; @@ -83,12 +84,65 @@ import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.MiscUtil; public class PVP2AssertionBuilder implements PVPConstants { + + public static Assertion buildAssertion(AttributeQuery attrQuery, + List<String> reqAttributes, IAuthData authData, DateTime date, String sessionIndex) throws ConfigurationException { + + + AuthnContextClassRef authnContextClassRef = SAML2Utils.createSAMLObject(AuthnContextClassRef.class); + authnContextClassRef.setAuthnContextClassRef(authData.getQAALevel()); + + List<Attribute> attrList = new ArrayList<Attribute>(); + if (reqAttributes != null) { + Iterator<String> it = reqAttributes.iterator(); + while (it.hasNext()) { + String reqAttributName = it.next(); + try { + Attribute attr = PVPAttributeBuilder.buildAttribute( + reqAttributName, null, authData); + if (attr == null) { + Logger.error( + "Attribute generation failed! for " + + reqAttributName); + + } else { + attrList.add(attr); + + } + + } catch (PVP2Exception e) { + Logger.error( + "Attribute generation failed! for " + + reqAttributName); + + } catch (Exception e) { + Logger.error( + "General Attribute generation failed! for " + + reqAttributName); + + } + } + } + + + NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class); + subjectNameID.setFormat(attrQuery.getSubject().getNameID().getFormat()); + subjectNameID.setValue(attrQuery.getSubject().getNameID().getValue()); + + SubjectConfirmationData subjectConfirmationData = null; + + return buildGenericAssertion(attrQuery.getIssuer().getValue(), date, + authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex); + } + public static Assertion buildAssertion(AuthnRequest authnRequest, - AuthenticationSession authSession, EntityDescriptor peerEntity, DateTime date, AssertionConsumerService assertionConsumerService) + IAuthData authData, EntityDescriptor peerEntity, DateTime date, + AssertionConsumerService assertionConsumerService, SLOInformationImpl sloInformation) throws MOAIDException { - Assertion assertion = SAML2Utils.createSAMLObject(Assertion.class); + RequestedAuthnContext reqAuthnContext = authnRequest .getRequestedAuthnContext(); @@ -101,7 +155,7 @@ public class PVP2AssertionBuilder implements PVPConstants { peerEntity.getEntityID()); if (reqAuthnContext == null) { - authnContextClassRef.setAuthnContextClassRef(authSession.getQAALevel()); + authnContextClassRef.setAuthnContextClassRef(authData.getQAALevel()); } else { @@ -112,7 +166,7 @@ public class PVP2AssertionBuilder implements PVPConstants { if (reqAuthnContextClassRefIt.size() == 0) { - QAALevelVerifier.verifyQAALevel(authSession.getQAALevel(), + QAALevelVerifier.verifyQAALevel(authData.getQAALevel(), STORK_QAA_1_4); stork_qaa_1_4_found = true; @@ -126,20 +180,20 @@ public class PVP2AssertionBuilder implements PVPConstants { || qaa_uri.trim().equals(STORK_QAA_1_2) || qaa_uri.trim().equals(STORK_QAA_1_1)) { - if (authSession.isForeigner()) { - QAALevelVerifier.verifyQAALevel(authSession.getQAALevel(), + if (authData.isForeigner()) { + QAALevelVerifier.verifyQAALevel(authData.getQAALevel(), STORK_QAA_PREFIX + oaParam.getQaaLevel()); stork_qaa_1_4_found = true; - authnContextClassRef.setAuthnContextClassRef(authSession.getQAALevel()); + authnContextClassRef.setAuthnContextClassRef(authData.getQAALevel()); } else { - QAALevelVerifier.verifyQAALevel(authSession.getQAALevel(), + QAALevelVerifier.verifyQAALevel(authData.getQAALevel(), qaa_uri.trim()); stork_qaa_1_4_found = true; - authnContextClassRef.setAuthnContextClassRef(authSession.getQAALevel()); + authnContextClassRef.setAuthnContextClassRef(authData.getQAALevel()); } break; @@ -152,33 +206,13 @@ public class PVP2AssertionBuilder implements PVPConstants { } } - AuthnContext authnContext = SAML2Utils - .createSAMLObject(AuthnContext.class); - authnContext.setAuthnContextClassRef(authnContextClassRef); - - AuthnStatement authnStatement = SAML2Utils - .createSAMLObject(AuthnStatement.class); - String remoteSessionID = SAML2Utils.getSecureIdentifier(); - authnStatement.setAuthnInstant(date); - // currently dummy id ... - authnStatement.setSessionIndex(remoteSessionID); - authnStatement.setAuthnContext(authnContext); - assertion.getAuthnStatements().add(authnStatement); SPSSODescriptor spSSODescriptor = peerEntity .getSPSSODescriptor(SAMLConstants.SAML20P_NS); - - AttributeStatement attributeStatement = SAML2Utils - .createSAMLObject(AttributeStatement.class); - - Subject subject = SAML2Utils.createSAMLObject(Subject.class); - - AuthenticationData authData = AuthenticationServer - .buildAuthenticationData(authSession, oaParam, - oaParam.getTarget()); - + //add Attributes to Assertion + List<Attribute> attrList = new ArrayList<Attribute>(); if (spSSODescriptor.getAttributeConsumingServices() != null && spSSODescriptor.getAttributeConsumingServices().size() > 0) { @@ -199,22 +233,22 @@ public class PVP2AssertionBuilder implements PVPConstants { attributeConsumingService = el; } } - - if (attributeConsumingService != null) { + + if (attributeConsumingService != null) { Iterator<RequestedAttribute> it = attributeConsumingService .getRequestAttributes().iterator(); while (it.hasNext()) { RequestedAttribute reqAttribut = it.next(); try { Attribute attr = PVPAttributeBuilder.buildAttribute( - reqAttribut.getName(), authSession, oaParam, authData); + reqAttribut.getName(), oaParam, authData); if (attr == null) { if (reqAttribut.isRequired()) { throw new UnprovideableAttributeException( reqAttribut.getName()); } } else { - attributeStatement.getAttributes().add(attr); + attrList.add(attr); } } catch (PVP2Exception e) { Logger.error( @@ -224,19 +258,26 @@ public class PVP2AssertionBuilder implements PVPConstants { throw new UnprovideableAttributeException( reqAttribut.getName()); } + + } catch (Exception e) { + Logger.error( + "General Attribute generation failed! for " + + reqAttribut.getFriendlyName(), e); + if (reqAttribut.isRequired()) { + throw new UnprovideableAttributeException( + reqAttribut.getName()); + } + } } } } - if (attributeStatement.getAttributes().size() > 0) { - assertion.getAttributeStatements().add(attributeStatement); - } NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class); - //TLenz: set correct bPK Type and Value from AuthData - if (authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + //build nameID and nameID Format from moasession + if (authData.isUseMandate()) { + Element mandate = authData.getMandate(); if(mandate == null) { throw new NoMandateDataAvailableException(); } @@ -265,7 +306,7 @@ public class PVP2AssertionBuilder implements PVPConstants { if (bpktype.equals(Constants.URN_PREFIX_BASEID)) { - if (authSession.getBusinessService()) { + if (oaParam.getBusinessService()) { subjectNameID.setValue(new BPKBuilder().buildWBPK(bpk, oaParam.getIdentityLinkDomainIdentifier())); if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) subjectNameID.setNameQualifier(oaParam.getIdentityLinkDomainIdentifier()); @@ -334,21 +375,68 @@ public class PVP2AssertionBuilder implements PVPConstants { } } else - subjectNameID.setFormat(nameIDFormat); - - - subject.setNameID(subjectNameID); + subjectNameID.setFormat(nameIDFormat); + - SubjectConfirmation subjectConfirmation = SAML2Utils - .createSAMLObject(SubjectConfirmation.class); - subjectConfirmation.setMethod(SubjectConfirmation.METHOD_BEARER); + String sessionIndex = null; + + //if request is a reauthentication and NameIDFormat match reuse old session information + if (MiscUtil.isNotEmpty(authData.getNameID()) && + MiscUtil.isNotEmpty(authData.getNameIDFormat()) && + nameIDFormat.equals(authData.getNameIDFormat())) { + subjectNameID.setValue(authData.getNameID()); + sessionIndex = authData.getSessionIndex(); + + } else + sessionIndex = SAML2Utils.getSecureIdentifier(); + SubjectConfirmationData subjectConfirmationData = SAML2Utils .createSAMLObject(SubjectConfirmationData.class); subjectConfirmationData.setInResponseTo(authnRequest.getID()); subjectConfirmationData.setNotOnOrAfter(date.plusMinutes(5)); subjectConfirmationData.setRecipient(assertionConsumerService.getLocation()); + + //set SLO information + sloInformation.setUserNameIdentifier(subjectNameID.getValue()); + sloInformation.setNameIDFormat(subjectNameID.getFormat()); + sloInformation.setSessionIndex(sessionIndex); + + return buildGenericAssertion(peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex); + } + + private static Assertion buildGenericAssertion(String entityID, DateTime date, + AuthnContextClassRef authnContextClassRef, List<Attribute> attrList, + NameID subjectNameID, SubjectConfirmationData subjectConfirmationData, + String sessionIndex) throws ConfigurationException { + Assertion assertion = SAML2Utils.createSAMLObject(Assertion.class); + + AuthnContext authnContext = SAML2Utils + .createSAMLObject(AuthnContext.class); + authnContext.setAuthnContextClassRef(authnContextClassRef); + AuthnStatement authnStatement = SAML2Utils + .createSAMLObject(AuthnStatement.class); + + authnStatement.setAuthnInstant(date); + authnStatement.setSessionIndex(sessionIndex); + authnStatement.setAuthnContext(authnContext); + + assertion.getAuthnStatements().add(authnStatement); + + AttributeStatement attributeStatement = SAML2Utils + .createSAMLObject(AttributeStatement.class); + attributeStatement.getAttributes().addAll(attrList); + if (attributeStatement.getAttributes().size() > 0) { + assertion.getAttributeStatements().add(attributeStatement); + } + + Subject subject = SAML2Utils.createSAMLObject(Subject.class); + subject.setNameID(subjectNameID); + + SubjectConfirmation subjectConfirmation = SAML2Utils + .createSAMLObject(SubjectConfirmation.class); + subjectConfirmation.setMethod(SubjectConfirmation.METHOD_BEARER); subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData); subject.getSubjectConfirmations().add(subjectConfirmation); @@ -358,7 +446,7 @@ public class PVP2AssertionBuilder implements PVPConstants { .createSAMLObject(AudienceRestriction.class); Audience audience = SAML2Utils.createSAMLObject(Audience.class); - audience.setAudienceURI(peerEntity.getEntityID()); + audience.setAudienceURI(entityID); audienceRestriction.getAudiences().add(audience); conditions.setNotBefore(date); @@ -377,7 +465,7 @@ public class PVP2AssertionBuilder implements PVPConstants { assertion.setSubject(subject); assertion.setID(SAML2Utils.getSecureIdentifier()); assertion.setIssueInstant(date); - - return assertion; + + return assertion; } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java index 648651350..3dd1dd064 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; @@ -35,7 +34,7 @@ public class BPKAttributeBuilder implements IPVPAttributeBuilder { return BPK_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { String bpk = authData.getBPK(); String type = authData.getBPKType(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java index f3d815e7d..89ec383ce 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java @@ -23,47 +23,31 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; import java.text.DateFormat; -import java.text.ParseException; import java.text.SimpleDateFormat; -import java.util.Date; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; -import at.gv.egovernment.moa.util.MiscUtil; public class BirthdateAttributeBuilder implements IPVPAttributeBuilder { - - public static final String IDENTITY_LINK_DATE_FORMAT = "yyyy-MM-dd"; - + public String getName() { return BIRTHDATE_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - try { - DateFormat identityLinkFormat = new SimpleDateFormat(IDENTITY_LINK_DATE_FORMAT); + + if (authData.getDateOfBirth() != null) { + DateFormat pvpDateFormat = new SimpleDateFormat(BIRTHDATE_FORMAT_PATTERN); + String dateString = pvpDateFormat.format(authData.getDateOfBirth()); + + return g.buildStringAttribute(BIRTHDATE_FRIENDLY_NAME, BIRTHDATE_NAME, dateString); - if (MiscUtil.isNotEmpty(authSession.getIdentityLink().getDateOfBirth())) { - Date date = identityLinkFormat.parse(authSession.getIdentityLink().getDateOfBirth()); - DateFormat pvpDateFormat = new SimpleDateFormat(BIRTHDATE_FORMAT_PATTERN); - String dateString = pvpDateFormat.format(date); + } else { + //build empty attribute if no Birthday date is found (STORK2) + return g.buildEmptyAttribute(BIRTHDATE_FRIENDLY_NAME, BIRTHDATE_NAME); - return g.buildStringAttribute(BIRTHDATE_FRIENDLY_NAME, BIRTHDATE_NAME, dateString); - - } else { - //build empty attribute if no Birthday date is found (STORK2) - return g.buildEmptyAttribute(BIRTHDATE_FRIENDLY_NAME, BIRTHDATE_NAME); - - } - - //return buildStringAttribute(BIRTHDATE_FRIENDLY_NAME, BIRTHDATE_NAME, dateString); - } - catch (ParseException e) { - e.printStackTrace(); - return null; } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java index 56972248b..ded9e7166 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java @@ -26,9 +26,8 @@ import iaik.util.logging.Log; import java.io.IOException; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; import at.gv.egovernment.moa.util.Base64Utils; @@ -40,11 +39,11 @@ public class EIDAuthBlock implements IPVPAttributeBuilder { return EID_AUTH_BLOCK_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { try { - String authblock = authSession.getAuthBlock(); + String authblock = authData.getAuthBlock(); if (MiscUtil.isNotEmpty(authblock)) { return g.buildStringAttribute(EID_AUTH_BLOCK_FRIENDLY_NAME, EID_AUTH_BLOCK_NAME, Base64Utils.encode(authblock.getBytes())); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCcsURL.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCcsURL.java index 7179dd090..2df5ec22e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCcsURL.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCcsURL.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; import at.gv.egovernment.moa.util.MiscUtil; @@ -35,10 +34,10 @@ public class EIDCcsURL implements IPVPAttributeBuilder { return EID_CCS_URL_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - String bkuurl = authSession.getBkuURL(); + String bkuurl = authData.getBkuURL(); if (MiscUtil.isNotEmpty(bkuurl)) return g.buildStringAttribute(EID_CCS_URL_FRIENDLY_NAME, EID_CCS_URL_NAME, bkuurl); else diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCitizenQAALevelAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCitizenQAALevelAttributeBuilder.java index 02088eea1..365f36594 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCitizenQAALevelAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCitizenQAALevelAttributeBuilder.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class EIDCitizenQAALevelAttributeBuilder implements IPVPAttributeBuilder { @@ -33,10 +32,17 @@ public class EIDCitizenQAALevelAttributeBuilder implements IPVPAttributeBuilder return EID_CITIZEN_QAA_LEVEL_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { + + String qaaLevel = null; + if (authData.getQAALevel().startsWith(STORK_QAA_PREFIX)) + qaaLevel = authData.getQAALevel().substring(STORK_QAA_PREFIX.length()); + else + qaaLevel = authData.getQAALevel(); + return g.buildIntegerAttribute(EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME, - EID_CITIZEN_QAA_LEVEL_NAME, 4); + EID_CITIZEN_QAA_LEVEL_NAME, Integer.valueOf(qaaLevel)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java index 2d86586d2..531369e9a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java @@ -24,19 +24,11 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; import java.io.IOException; -import javax.xml.transform.TransformerException; - -import org.w3c.dom.Element; - -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; -import at.gv.egovernment.moa.id.util.IdentityLinkReSigner; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; -import at.gv.egovernment.moa.util.DOMUtils; public class EIDIdentityLinkBuilder implements IPVPAttributeBuilder { @@ -44,36 +36,15 @@ public class EIDIdentityLinkBuilder implements IPVPAttributeBuilder { return EID_IDENTITY_LINK_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { try { String ilAssertion = null; - if (oaParam.getBusinessService()) { + ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); - IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance(); - - Element resignedilAssertion; - - resignedilAssertion = identitylinkresigner.resignIdentityLink(authData.getIdentityLink() - .getSamlAssertion()); - - ilAssertion = DOMUtils.serializeNode(resignedilAssertion); - - } else - ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); - - return g.buildStringAttribute(EID_IDENTITY_LINK_FRIENDLY_NAME, EID_IDENTITY_LINK_NAME, Base64Utils.encode(ilAssertion.getBytes())); - } catch (MOAIDException e) { - Logger.warn("IdentityLink serialization error.", e); - return g.buildEmptyAttribute(EID_IDENTITY_LINK_FRIENDLY_NAME, - EID_IDENTITY_LINK_NAME); - } catch (TransformerException e) { - Logger.warn("IdentityLink serialization error.", e); - return g.buildEmptyAttribute(EID_IDENTITY_LINK_FRIENDLY_NAME, - EID_IDENTITY_LINK_NAME); } catch (IOException e) { Logger.warn("IdentityLink serialization error.", e); return g.buildEmptyAttribute(EID_IDENTITY_LINK_FRIENDLY_NAME, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java index 39d4d29e7..9b85af9f8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java @@ -22,16 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import iaik.x509.X509Certificate; - -import javax.naming.ldap.LdapName; -import javax.naming.ldap.Rdn; - -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; -import at.gv.egovernment.moa.logging.Logger; public class EIDIssuingNationAttributeBuilder implements IPVPAttributeBuilder { @@ -39,35 +32,9 @@ public class EIDIssuingNationAttributeBuilder implements IPVPAttributeBuilder { return EID_ISSUING_NATION_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - String countryCode = "AT"; - - - if (authSession.getStorkAuthnRequest() != null) { - countryCode = authSession.getStorkAuthnRequest() - .getCitizenCountryCode(); - } else { - - //TODO: replace with TSL lookup when TSL is ready! - X509Certificate certificate = authSession.getSignerCertificate(); - - if (certificate != null) { - try { - LdapName ln = new LdapName(certificate.getIssuerDN() - .getName()); - for (Rdn rdn : ln.getRdns()) { - if (rdn.getType().equalsIgnoreCase("C")) { - Logger.info("C is: " + rdn.getValue()); - countryCode = rdn.getValue().toString(); - break; - } - } - } catch (Exception e) { - Logger.error("Failed to extract country code from certificate", e); - } - } - } + String countryCode = authData.getCcc(); return g.buildStringAttribute(EID_ISSUING_NATION_FRIENDLY_NAME, EID_ISSUING_NATION_NAME, countryCode); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java index e8fba6af2..04cc59b10 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java @@ -22,11 +22,14 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import java.io.IOException; + import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.MiscUtil; public class EIDSTORKTOKEN implements IPVPAttributeBuilder { @@ -35,21 +38,28 @@ public class EIDSTORKTOKEN implements IPVPAttributeBuilder { return EID_STORK_TOKEN_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if (!authSession.isForeigner()) { + if (!authData.isForeigner()) { throw new UnavailableAttributeException(EID_STORK_TOKEN_NAME); } else { - String storkResponse = authSession.getStorkAuthnResponse(); + String storkResponse = authData.getStorkAuthnResponse(); if ( MiscUtil.isEmpty(storkResponse) ) { throw new UnavailableAttributeException(EID_STORK_TOKEN_NAME); } else { - return g.buildStringAttribute(EID_STORK_TOKEN_FRIENDLY_NAME, EID_STORK_TOKEN_NAME, storkResponse); + try { + return g.buildStringAttribute(EID_STORK_TOKEN_FRIENDLY_NAME, EID_STORK_TOKEN_NAME, + Base64Utils.encode(storkResponse.getBytes())); + + } catch (IOException e) { + Logger.warn("Encode AuthBlock BASE64 failed.", e); + throw new UnavailableAttributeException(EID_STORK_TOKEN_NAME); + } } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java index 807d59050..7f52e1d47 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class EIDSectorForIDAttributeBuilder implements IPVPAttributeBuilder { @@ -33,7 +32,7 @@ public class EIDSectorForIDAttributeBuilder implements IPVPAttributeBuilder { return EID_SECTOR_FOR_IDENTIFIER_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { String bpktype = authData.getBPKType(); return g.buildStringAttribute(EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSignerCertificate.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSignerCertificate.java index 7cd415ada..df1bc1860 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSignerCertificate.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSignerCertificate.java @@ -26,9 +26,8 @@ import iaik.util.logging.Log; import java.io.IOException; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; import at.gv.egovernment.moa.util.Base64Utils; @@ -39,11 +38,11 @@ public class EIDSignerCertificate implements IPVPAttributeBuilder { return EID_SIGNER_CERTIFICATE_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { try { - byte[] signerCertificate = authSession.getEncodedSignerCertificate(); + byte[] signerCertificate = authData.getSignerCertificate(); if (signerCertificate != null) { return g.buildStringAttribute(EID_SIGNER_CERTIFICATE_FRIENDLY_NAME, EID_SIGNER_CERTIFICATE_NAME, Base64Utils .encode(signerCertificate)); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java index 5bf65da04..a8b703fc2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java @@ -22,10 +22,10 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributePolicyException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; public class EIDSourcePIN implements IPVPAttributeBuilder { @@ -34,11 +34,11 @@ public class EIDSourcePIN implements IPVPAttributeBuilder { return EID_SOURCE_PIN_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { if (oaParam.getBusinessService()) - throw new UnavailableAttributeException(EID_SOURCE_PIN_NAME); + throw new AttributePolicyException(EID_SOURCE_PIN_NAME); else { return g.buildStringAttribute(EID_SOURCE_PIN_FRIENDLY_NAME, EID_SOURCE_PIN_NAME, authData.getIdentificationValue()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePINType.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePINType.java index ec509f74b..0681419fc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePINType.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePINType.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; @@ -34,7 +33,7 @@ public class EIDSourcePINType implements IPVPAttributeBuilder { return EID_SOURCE_PIN_TYPE_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { if (oaParam.getBusinessService()) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/GivenNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/GivenNameAttributeBuilder.java index 7bd5e2db5..fcde1e9bd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/GivenNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/GivenNameAttributeBuilder.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class GivenNameAttributeBuilder implements IPVPAttributeBuilder { @@ -33,9 +32,9 @@ public class GivenNameAttributeBuilder implements IPVPAttributeBuilder { return GIVEN_NAME_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - return g.buildStringAttribute(GIVEN_NAME_FRIENDLY_NAME, GIVEN_NAME_NAME, authSession.getIdentityLink().getGivenName()); + return g.buildStringAttribute(GIVEN_NAME_FRIENDLY_NAME, GIVEN_NAME_NAME, authData.getGivenName()); } public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/IAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/IAttributeBuilder.java index 55b16edfb..d66b0ab02 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/IAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/IAttributeBuilder.java @@ -22,15 +22,14 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public interface IAttributeBuilder { public String getName(); - public <ATT> ATT build(final AuthenticationSession authSession, final OAAuthParameter oaParam, final AuthenticationData authData, + public <ATT> ATT build(final OAAuthParameter oaParam, final IAuthData authData, final IAttributeGenerator<ATT> g) throws AttributeException; public <ATT> ATT buildEmpty(final IAttributeGenerator<ATT> g); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java index 4528aa1fe..670398ff6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java @@ -29,6 +29,7 @@ import javax.xml.transform.TransformerException; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; @@ -40,13 +41,13 @@ public class MandateFullMandateAttributeBuilder implements IPVPAttributeBuilder return MANDATE_FULL_MANDATE_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if (authSession.getUseMandate()) { - if (authSession.getMandate() != null) { + if (authData.isUseMandate()) { + if (authData.getMandate() != null) { String fullMandate; try { - fullMandate = DOMUtils.serializeNode(authSession + fullMandate = DOMUtils.serializeNode(authData .getMandate()); return g.buildStringAttribute(MANDATE_FULL_MANDATE_FRIENDLY_NAME, MANDATE_FULL_MANDATE_NAME, Base64Utils.encode(fullMandate.getBytes())); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java index 9ab1de50d..9230e47fc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java @@ -26,9 +26,8 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; @@ -40,10 +39,10 @@ public class MandateLegalPersonFullNameAttributeBuilder implements IPVPAttribute return MANDATE_LEG_PER_FULL_NAME_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if (authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if (authData.isUseMandate()) { + Element mandate = authData.getMandate(); if (mandate == null) { throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java index ca68704c9..04103f28a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java @@ -27,9 +27,8 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; @@ -41,10 +40,10 @@ public class MandateLegalPersonSourcePinAttributeBuilder implements IPVPAttribu return MANDATE_LEG_PER_SOURCE_PIN_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if(authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if(authData.isUseMandate()) { + Element mandate = authData.getMandate(); if(mandate == null) { throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java index 5656d1769..02e1d7ce0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java @@ -27,9 +27,8 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; @@ -41,10 +40,10 @@ public class MandateLegalPersonSourcePinTypeAttributeBuilder implements IPVPAttr return MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if (authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if (authData.isUseMandate()) { + Element mandate = authData.getMandate(); if (mandate == null) { throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java index 039fc8af8..38456302c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java @@ -28,10 +28,9 @@ import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; @@ -44,10 +43,10 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui return MANDATE_NAT_PER_BPK_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if (authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if (authData.isUseMandate()) { + Element mandate = authData.getMandate(); if (mandate == null) { throw new NoMandateDataAttributeException(); } @@ -62,11 +61,6 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui } IdentificationType id = null; id = physicalPerson.getIdentification().get(0); - // if(authSession.getBusinessService()) { - // id = MandateBuilder.getWBPKIdentification(physicalPerson); - // } else { - // id = MandateBuilder.getBPKIdentification(physicalPerson); - // } if (id == null) { Logger.error("Failed to generate IdentificationType"); throw new NoMandateDataAttributeException(); @@ -76,7 +70,7 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui try { if (id.getType().equals(Constants.URN_PREFIX_BASEID)) { - if (authSession.getBusinessService()) { + if (oaParam.getBusinessService()) { bpk = new BPKBuilder().buildWBPK(id.getValue().getValue(), oaParam.getIdentityLinkDomainIdentifier()); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java index f5dc277bd..4fcfd4650 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java @@ -31,9 +31,8 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.InvalidDateFormatAttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; @@ -46,10 +45,10 @@ public class MandateNaturalPersonBirthDateAttributeBuilder implements IPVPAttrib return MANDATE_NAT_PER_BIRTHDATE_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if (authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if (authData.isUseMandate()) { + Element mandate = authData.getMandate(); if (mandate == null) { throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java index 2a7bafdbc..3452d7ed0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java @@ -29,9 +29,8 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType.FamilyName; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; @@ -43,10 +42,10 @@ public class MandateNaturalPersonFamilyNameAttributeBuilder implements IPVPAttr return MANDATE_NAT_PER_FAMILY_NAME_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if(authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if(authData.isUseMandate()) { + Element mandate = authData.getMandate(); if(mandate == null) { throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java index 4707c385a..59d5c65fe 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java @@ -28,9 +28,8 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; @@ -42,10 +41,10 @@ public class MandateNaturalPersonGivenNameAttributeBuilder implements IPVPAttrib return MANDATE_NAT_PER_GIVEN_NAME_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if (authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if (authData.isUseMandate()) { + Element mandate = authData.getMandate(); if (mandate == null) { throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java index 7fbbce9bc..444312759 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java @@ -30,7 +30,9 @@ import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPers import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributePolicyException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.logging.Logger; @@ -41,10 +43,10 @@ public class MandateNaturalPersonSourcePinAttributeBuilder implements IPVPAttri return MANDATE_NAT_PER_SOURCE_PIN_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if(authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if(authData.isUseMandate()) { + Element mandate = authData.getMandate(); if(mandate == null) { throw new NoMandateDataAttributeException(); } @@ -61,12 +63,10 @@ public class MandateNaturalPersonSourcePinAttributeBuilder implements IPVPAttri IdentificationType id = null; id = physicalPerson.getIdentification().get(0); - if(authSession.getBusinessService()) { - id = MandateBuilder.getWBPKIdentification(physicalPerson); - -// } else { -// id = MandateBuilder.getBPKIdentification(physicalPerson); + if(oaParam.getBusinessService()) { + throw new AttributePolicyException(this.getName()); } + if(id == null) { Logger.error("Failed to generate IdentificationType"); throw new NoMandateDataAttributeException(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java index 538cee048..6adc9b532 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java @@ -27,9 +27,8 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; @@ -41,10 +40,10 @@ public class MandateNaturalPersonSourcePinTypeAttributeBuilder implements IPVPAt return MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if(authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if(authData.isUseMandate()) { + Element mandate = authData.getMandate(); if(mandate == null) { throw new NoMandateDataAttributeException(); } @@ -60,11 +59,6 @@ public class MandateNaturalPersonSourcePinTypeAttributeBuilder implements IPVPAt } IdentificationType id = null; id = physicalPerson.getIdentification().get(0); - /*if(authSession.getBusinessService()) { - id = MandateBuilder.getWBPKIdentification(physicalPerson); - } else { - id = MandateBuilder.getBPKIdentification(physicalPerson); - }*/ if(id == null) { Logger.error("Failed to generate IdentificationType"); throw new NoMandateDataAttributeException(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepDescAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepDescAttributeBuilder.java index 814211b24..4c981cb24 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepDescAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepDescAttributeBuilder.java @@ -22,14 +22,12 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import org.w3c.dom.Element; - -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AttributeExtractor; +import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; +import at.gv.egovernment.moa.util.MiscUtil; public class MandateProfRepDescAttributeBuilder implements IPVPAttributeBuilder { @@ -37,24 +35,24 @@ public class MandateProfRepDescAttributeBuilder implements IPVPAttributeBuilder return MANDATE_PROF_REP_DESC_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if(authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if(authData.isUseMandate()) { + MISMandate mandate = authData.getMISMandate(); + + if(mandate == null) { throw new NoMandateDataAttributeException(); } - String text = AttributeExtractor.extractSAMLAttributeOA( - EXT_SAML_MANDATE_OIDTEXTUALDESCRIPTION, - authSession); + String text = mandate.getTextualDescriptionOfOID(); - if(text == null) { + if(MiscUtil.isEmpty(text)) { return null; - } - - return g.buildStringAttribute(MANDATE_PROF_REP_DESC_FRIENDLY_NAME, - MANDATE_PROF_REP_DESC_NAME, text); + + } else + return g.buildStringAttribute(MANDATE_PROF_REP_DESC_FRIENDLY_NAME, + MANDATE_PROF_REP_DESC_NAME, text); } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepOIDAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepOIDAttributeBuilder.java index b040072a6..1a3311c8a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepOIDAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepOIDAttributeBuilder.java @@ -22,14 +22,12 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import org.w3c.dom.Element; - -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AttributeExtractor; +import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; +import at.gv.egovernment.moa.util.MiscUtil; public class MandateProfRepOIDAttributeBuilder implements IPVPAttributeBuilder { @@ -37,21 +35,21 @@ public class MandateProfRepOIDAttributeBuilder implements IPVPAttributeBuilder { return MANDATE_PROF_REP_OID_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if (authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if (authData.isUseMandate()) { + + MISMandate mandate = authData.getMISMandate(); if (mandate == null) { throw new NoMandateDataAttributeException(); } - String oid = AttributeExtractor.extractSAMLAttributeOA(EXT_SAML_MANDATE_OID, authSession); - - if (oid == null) { - return null; - } - - return g.buildStringAttribute(MANDATE_PROF_REP_OID_FRIENDLY_NAME, MANDATE_PROF_REP_OID_NAME, oid); + String oid = mandate.getProfRep(); + + if(MiscUtil.isEmpty(oid)) + return null; + else + return g.buildStringAttribute(MANDATE_PROF_REP_OID_FRIENDLY_NAME, MANDATE_PROF_REP_OID_NAME, oid); } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java index 7e7b57e4f..7b41e9bb6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class MandateReferenceValueAttributeBuilder implements IPVPAttributeBuilder { @@ -33,12 +32,12 @@ public class MandateReferenceValueAttributeBuilder implements IPVPAttributeBuild return MANDATE_REFERENCE_VALUE_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if (authSession.getUseMandate()) { + if (authData.isUseMandate()) { return g.buildStringAttribute(MANDATE_REFERENCE_VALUE_FRIENDLY_NAME, MANDATE_REFERENCE_VALUE_NAME, - authSession.getMandateReferenceValue()); + authData.getMandateReferenceValue()); } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateTypeAttributeBuilder.java index 4842141fc..63165f52a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateTypeAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateTypeAttributeBuilder.java @@ -25,9 +25,8 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; @@ -38,10 +37,10 @@ public class MandateTypeAttributeBuilder implements IPVPAttributeBuilder { return MANDATE_TYPE_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - if (authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if (authData.isUseMandate()) { + Element mandate = authData.getMandate(); if (mandate == null) { throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PVPVersionAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PVPVersionAttributeBuilder.java index e8c410555..674efa0d1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PVPVersionAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PVPVersionAttributeBuilder.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class PVPVersionAttributeBuilder implements IPVPAttributeBuilder { @@ -33,7 +32,7 @@ public class PVPVersionAttributeBuilder implements IPVPAttributeBuilder { return PVP_VERSION_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { return g.buildStringAttribute(PVP_VERSION_FRIENDLY_NAME, PVP_VERSION_NAME, PVP_VERSION_2_1); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PrincipalNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PrincipalNameAttributeBuilder.java index c687b2bff..11fdeb232 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PrincipalNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PrincipalNameAttributeBuilder.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class PrincipalNameAttributeBuilder implements IPVPAttributeBuilder { @@ -33,9 +32,9 @@ public class PrincipalNameAttributeBuilder implements IPVPAttributeBuilder { return PRINCIPAL_NAME_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { - return g.buildStringAttribute(PRINCIPAL_NAME_FRIENDLY_NAME, PRINCIPAL_NAME_NAME, authSession.getIdentityLink().getFamilyName()); + return g.buildStringAttribute(PRINCIPAL_NAME_FRIENDLY_NAME, PRINCIPAL_NAME_NAME, authData.getFamilyName()); } public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAdoptedFamilyNameAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAdoptedFamilyNameAttributBuilder.java index b81b30e5b..aff0fc0ef 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAdoptedFamilyNameAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAdoptedFamilyNameAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKAdoptedFamilyNameAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKAdoptedFamilyNameAttributBuilder implements IPVPAttributeBuild return STORKConstants.ADOPTEDFAMILYNAME_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { return g.buildStringAttribute(STORKConstants.ADOPTEDFAMILYNAME_FRIENDLYNAME, STORKConstants.ADOPTEDFAMILYNAME_NAME, - STORKAttributHelper.getAttribut(STORKConstants.ADOPTEDFAMILYNAME_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.ADOPTEDFAMILYNAME_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAgeAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAgeAttributBuilder.java index 98fe853ff..fb7c60a95 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAgeAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAgeAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKAgeAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKAgeAttributBuilder implements IPVPAttributeBuilder { return STORKConstants.AGE_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { return g.buildStringAttribute(STORKConstants.AGE_FRIENDLYNAME, STORKConstants.AGE_NAME, - STORKAttributHelper.getAttribut(STORKConstants.AGE_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.AGE_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAttributHelper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAttributHelper.java index 6d2b031a5..387e49d25 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAttributHelper.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAttributHelper.java @@ -26,6 +26,7 @@ import eu.stork.peps.auth.commons.IPersonalAttributeList; import eu.stork.peps.auth.commons.PersonalAttribute; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; import at.gv.egovernment.moa.logging.Logger; @@ -36,7 +37,7 @@ import at.gv.egovernment.moa.logging.Logger; public class STORKAttributHelper { public static String getAttribut(String attributName, - AuthenticationSession authSession) throws UnavailableAttributeException { + IAuthData authSession) throws UnavailableAttributeException { if (!authSession.isForeigner()) { throw new UnavailableAttributeException(attributName); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKCanonicalResidenceAddressAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKCanonicalResidenceAddressAttributBuilder.java index c3d6f070d..ddfa63b51 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKCanonicalResidenceAddressAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKCanonicalResidenceAddressAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKCanonicalResidenceAddressAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKCanonicalResidenceAddressAttributBuilder implements IPVPAttrib return STORKConstants.CANONICALRESIDENCEADDRESS_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { return g.buildStringAttribute(STORKConstants.CANONICALRESIDENCEADDRESS_FRIENDLYNAME, STORKConstants.CANONICALRESIDENCEADDRESS_NAME, - STORKAttributHelper.getAttribut(STORKConstants.CANONICALRESIDENCEADDRESS_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.CANONICALRESIDENCEADDRESS_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKCountryCodeOfBirthAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKCountryCodeOfBirthAttributBuilder.java index c873a86ea..08cd65a6d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKCountryCodeOfBirthAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKCountryCodeOfBirthAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKCountryCodeOfBirthAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKCountryCodeOfBirthAttributBuilder implements IPVPAttributeBuil return STORKConstants.CONTRYCODEOFBIRTH_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { return g.buildStringAttribute(STORKConstants.CONTRYCODEOFBIRTH_FRIENDLYNAME, STORKConstants.CONTRYCODEOFBIRTH_NAME, - STORKAttributHelper.getAttribut(STORKConstants.CONTRYCODEOFBIRTH_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.CONTRYCODEOFBIRTH_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKFiscalNumberAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKFiscalNumberAttributBuilder.java index 394bffa31..f3a77708b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKFiscalNumberAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKFiscalNumberAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKFiscalNumberAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKFiscalNumberAttributBuilder implements IPVPAttributeBuilder { return STORKConstants.FISCALNUMBER_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { return g.buildStringAttribute(STORKConstants.FISCALNUMBER_FRIENDLYNAME, STORKConstants.FISCALNUMBER_NAME, - STORKAttributHelper.getAttribut(STORKConstants.FISCALNUMBER_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.FISCALNUMBER_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKGenderAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKGenderAttributBuilder.java index 9209e73c4..6f62dbf89 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKGenderAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKGenderAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKGenderAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKGenderAttributBuilder implements IPVPAttributeBuilder { return STORKConstants.GENDER_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { return g.buildStringAttribute(STORKConstants.GENDER_FRIENDLYNAME, STORKConstants.GENDER_NAME, - STORKAttributHelper.getAttribut(STORKConstants.GENDER_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.GENDER_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKInhertedFamilyNameAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKInhertedFamilyNameAttributBuilder.java index 59f345bd3..65bf9ff6e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKInhertedFamilyNameAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKInhertedFamilyNameAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKInhertedFamilyNameAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKInhertedFamilyNameAttributBuilder implements IPVPAttributeBuil return STORKConstants.INHERITEDFAMILYNAME_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { return g.buildStringAttribute(STORKConstants.INHERITEDFAMILYNAME_FRIENDLYNAME, STORKConstants.INHERITEDFAMILYNAME_NAME, - STORKAttributHelper.getAttribut(STORKConstants.INHERITEDFAMILYNAME_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.INHERITEDFAMILYNAME_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKIsAgeOverAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKIsAgeOverAttributBuilder.java index d99833f13..a7a77d7b4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKIsAgeOverAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKIsAgeOverAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKIsAgeOverAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKIsAgeOverAttributBuilder implements IPVPAttributeBuilder { return STORKConstants.ISAGEOVER_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { return g.buildStringAttribute(STORKConstants.ISAGEOVER_FRIENDLYNAME, STORKConstants.ISAGEOVER_NAME, - STORKAttributHelper.getAttribut(STORKConstants.ISAGEOVER_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.ISAGEOVER_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKMaritalStatusAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKMaritalStatusAttributBuilder.java index 1e627e723..c6ce4e32a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKMaritalStatusAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKMaritalStatusAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKMaritalStatusAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKMaritalStatusAttributBuilder implements IPVPAttributeBuilder return STORKConstants.MARITALSTATUS_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { return g.buildStringAttribute(STORKConstants.MARITALSTATUS_FRIENDLYNAME, STORKConstants.MARITALSTATUS_NAME, - STORKAttributHelper.getAttribut(STORKConstants.MARITALSTATUS_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.MARITALSTATUS_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKNationalityCodeAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKNationalityCodeAttributBuilder.java index d46219996..8db5ceeb8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKNationalityCodeAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKNationalityCodeAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKNationalityCodeAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKNationalityCodeAttributBuilder implements IPVPAttributeBuilder return STORKConstants.NATIONALITYCODE_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { return g.buildStringAttribute(STORKConstants.NATIONALITYCODE_FRIENDLYNAME, STORKConstants.NATIONALITYCODE_NAME, - STORKAttributHelper.getAttribut(STORKConstants.NATIONALITYCODE_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.NATIONALITYCODE_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKPseudonymAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKPseudonymAttributBuilder.java index 7bf6716ec..421f8c28d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKPseudonymAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKPseudonymAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKPseudonymAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKPseudonymAttributBuilder implements IPVPAttributeBuilder { return STORKConstants.PSEUDONYM_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { return g.buildStringAttribute(STORKConstants.PSEUDONYM_FRIENDLYNAME, STORKConstants.PSEUDONYM_NAME, - STORKAttributHelper.getAttribut(STORKConstants.PSEUDONYM_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.PSEUDONYM_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKResidencePermitAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKResidencePermitAttributBuilder.java index d47de1ff9..ceff4cf4f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKResidencePermitAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKResidencePermitAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKResidencePermitAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKResidencePermitAttributBuilder implements IPVPAttributeBuilder return STORKConstants.RESIDENCEPERMIT_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { return g.buildStringAttribute(STORKConstants.RESIDENCEPERMIT_FRIENDLYNAME, STORKConstants.RESIDENCEPERMIT_NAME, - STORKAttributHelper.getAttribut(STORKConstants.RESIDENCEPERMIT_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.RESIDENCEPERMIT_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKTextResidenceAddressAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKTextResidenceAddressAttributBuilder.java index c75d6b0fb..1344883bf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKTextResidenceAddressAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKTextResidenceAddressAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKTextResidenceAddressAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKTextResidenceAddressAttributBuilder implements IPVPAttributeBu return STORKConstants.TEXTRESIDENCEADDRESS_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { return g.buildStringAttribute(STORKConstants.TEXTRESIDENCEADDRESS_FRIENDLYNAME, STORKConstants.TEXTRESIDENCEADDRESS_NAME, - STORKAttributHelper.getAttribut(STORKConstants.TEXTRESIDENCEADDRESS_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.TEXTRESIDENCEADDRESS_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKTitleAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKTitleAttributBuilder.java index 357b2fe0d..5209697d6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKTitleAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKTitleAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKTitleAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKTitleAttributBuilder implements IPVPAttributeBuilder { return STORKConstants.TITLE_NAME; } - public <ATT> ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeException { return g.buildStringAttribute(STORKConstants.TITLE_FRIENDLYNAME, STORKConstants.TITLE_NAME, - STORKAttributHelper.getAttribut(STORKConstants.TITLE_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.TITLE_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/PVP2EncodingException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/exceptions/AttributePolicyException.java index 60fe47364..1e0e2ee51 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/PVP2EncodingException.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/exceptions/AttributePolicyException.java @@ -20,21 +20,21 @@ * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; +package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions; -public class PVP2EncodingException extends PVP2Exception { - - public PVP2EncodingException() { - super("pvp2.01", null); +public class AttributePolicyException extends AttributeException { + + private static final long serialVersionUID = 1L; + + private String attributeName; + + public AttributePolicyException(String attributeName) { + super("Attribute " + attributeName + " is restricted by IDP policy."); + this.attributeName = attributeName; } - public PVP2EncodingException(Throwable wrapped) { - super("pvp2.01", null, wrapped); + public String getAttributeName() { + return attributeName; } - - /** - * - */ - private static final long serialVersionUID = -1348774139990071020L; - + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java index ebfffb648..255fba093 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java @@ -52,9 +52,11 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.Contact; import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.FileUtils; import at.gv.egovernment.moa.util.MiscUtil; public class PVPConfiguration { @@ -68,9 +70,11 @@ public class PVPConfiguration { return instance; } - public static final String PVP2_METADATA = "/pvp2/metadata"; - public static final String PVP2_REDIRECT = "/pvp2/redirect"; - public static final String PVP2_POST = "/pvp2/post"; + public static final String PVP2_METADATA = "/pvp2/metadata"; + public static final String PVP2_REDIRECT = "/pvp2/redirect"; + public static final String PVP2_POST = "/pvp2/post"; + public static final String PVP2_SOAP = "/pvp2/soap"; + public static final String PVP2_ATTRIBUTEQUERY = "/pvp2/attributequery"; public static final String PVP_CONFIG_FILE = "pvp2config.properties"; @@ -83,6 +87,9 @@ public class PVPConfiguration { public static final String IDP_KEYALIASASSERTION = "idp.ks.assertion.sign.alias"; public static final String IDP_KEY_PASSASSERTION = "idp.ks.assertion.sign.keypassword"; + public static final String IDP_KEYALIASENCRYTPION = "sp.ks.assertion.encryption.alias"; + public static final String IDP_KEY_PASSENCRYTPION = "sp.ks.assertion.encryption.keypassword"; + public static final String IDP_ISSUER_NAME = "idp.issuer.name"; public static final String METADATA_FILE = "md.dir"; @@ -112,12 +119,14 @@ public class PVPConfiguration { //PVP2 generalpvpconfigdb; Properties props; + String rootDir = null; private PVPConfiguration() { try { //generalpvpconfigdb = AuthConfigurationProvider.getInstance().getGeneralPVP2DBConfig(); props = AuthConfigurationProvider.getInstance().getGeneralPVP2ProperiesConfig(); - + rootDir = AuthConfigurationProvider.getInstance().getRootConfigFileDir(); + } catch (ConfigurationException e) { e.printStackTrace(); } @@ -138,6 +147,14 @@ public class PVPConfiguration { return getIDPPublicPath() + PVP2_POST; } + public String getIDPSSOSOAPService() throws ConfigurationException { + return getIDPPublicPath() + PVP2_SOAP; + } + + public String getIDPAttributeQueryService() throws ConfigurationException { + return getIDPPublicPath() + PVP2_ATTRIBUTEQUERY; + } + public String getIDPSSORedirectService() throws ConfigurationException { return getIDPPublicPath() + PVP2_REDIRECT; } @@ -147,7 +164,7 @@ public class PVPConfiguration { } public String getIDPKeyStoreFilename() { - return props.getProperty(IDP_JAVAKEYSTORE); + return FileUtils.makeAbsoluteURL(props.getProperty(IDP_JAVAKEYSTORE), rootDir); } public String getIDPKeyStorePassword() { @@ -170,6 +187,14 @@ public class PVPConfiguration { return props.getProperty(IDP_KEY_PASSASSERTION); } + public String getIDPKeyAliasAssertionEncryption() { + return props.getProperty(IDP_KEYALIASASSERTION); + } + + public String getIDPKeyPasswordAssertionEncryption() { + return props.getProperty(IDP_KEY_PASSASSERTION); + } + public String getIDPIssuerName() throws ConfigurationException { if (moaIDVersion == null) { @@ -223,7 +248,7 @@ public class PVPConfiguration { public iaik.x509.X509Certificate getTrustEntityCertificate(String entityID) { try { - OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(entityID); + IOAAuthParameters oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(entityID); if (oaParam == null) { Logger.warn("Online Application with ID " + entityID + " not found!"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AssertionAttributeExtractorExeption.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AssertionAttributeExtractorExeption.java new file mode 100644 index 000000000..69ca4e8f5 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AssertionAttributeExtractorExeption.java @@ -0,0 +1,50 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; + +/** + * @author tlenz + * + */ +public class AssertionAttributeExtractorExeption extends PVP2Exception { + + /** + * + */ + private static final long serialVersionUID = -6459000942830951492L; + + public AssertionAttributeExtractorExeption(String attributeName) { + super("Parse PVP2.1 assertion FAILED: Attribute " + attributeName + + " can not extract.", null); + } + + public AssertionAttributeExtractorExeption(String messageId, + Object[] parameters) { + super(messageId, parameters); + } + + public AssertionAttributeExtractorExeption() { + super("Parse PVP2.1 assertion FAILED. Interfederation not possible", null); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AssertionValidationExeption.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AssertionValidationExeption.java new file mode 100644 index 000000000..fcd8472b1 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AssertionValidationExeption.java @@ -0,0 +1,49 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; + +import at.gv.egovernment.moa.id.config.ConfigurationException; + +/** + * @author tlenz + * + */ +public class AssertionValidationExeption extends PVP2Exception { + + private static final long serialVersionUID = -3987805399122286259L; + + public AssertionValidationExeption(String messageId, Object[] parameters) { + super(messageId, parameters); + } + + /** + * @param string + * @param object + * @param e + */ + public AssertionValidationExeption(String string, Object[] parameters, + Throwable e) { + super(string, parameters, e); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NoAuthContextException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AttributQueryException.java index fdc8c8d39..9008a7183 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NoAuthContextException.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AttributQueryException.java @@ -1,4 +1,4 @@ -/******************************************************************************* +/* * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. @@ -19,21 +19,26 @@ * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ + */ package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; -import org.opensaml.saml2.core.StatusCode; - -public class NoAuthContextException extends PVP2Exception { +/** + * @author tlenz + * + */ +public class AttributQueryException extends PVP2Exception { /** * */ - private static final long serialVersionUID = 7040652043174500992L; + private static final long serialVersionUID = -4302422507173728748L; - public NoAuthContextException() { - super("pvp2.04", null); - this.statusCodeValue = StatusCode.REQUESTER_URI; + public AttributQueryException(String messageId, Object[] parameters) { + super(messageId, parameters); + } + + public AttributQueryException(String messageId, Object[] parameters, Throwable e) { + super(messageId, parameters, e); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java index 69da5c09c..b49070bd6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionEncryptionException.java @@ -30,7 +30,7 @@ public class InvalidAssertionEncryptionException extends PVP2Exception { public InvalidAssertionEncryptionException() { super("pvp2.16", new Object[]{}); - this.statusCodeValue = StatusCode.REQUESTER_URI; + this.statusCodeValue = StatusCode.RESPONDER_URI; } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NOSLOServiceDescriptorException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NOSLOServiceDescriptorException.java new file mode 100644 index 000000000..204e1c2a5 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NOSLOServiceDescriptorException.java @@ -0,0 +1,44 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; + +/** + * @author tlenz + * + */ +public class NOSLOServiceDescriptorException extends PVP2Exception { + + /** + * + */ + private static final long serialVersionUID = -3073730570511152661L; + + /** + * @param messageId + * @param parameters + */ + public NOSLOServiceDescriptorException(String messageId, Object[] parameters) { + super(messageId, parameters); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NameIDFormatNotSupportedException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NameIDFormatNotSupportedException.java index b5facde34..87e443930 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NameIDFormatNotSupportedException.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NameIDFormatNotSupportedException.java @@ -22,10 +22,14 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; +import org.opensaml.saml2.core.StatusCode; + public class NameIDFormatNotSupportedException extends AuthnRequestValidatorException { public NameIDFormatNotSupportedException(String nameIDFormat) { super("pvp2.12", new Object[] {nameIDFormat}); + statusCodeValue = StatusCode.INVALID_NAMEID_POLICY_URI; + } /** diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SLOException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SLOException.java new file mode 100644 index 000000000..9f1b6168e --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SLOException.java @@ -0,0 +1,41 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; + +/** + * @author tlenz + * + */ +public class SLOException extends PVP2Exception { + private static final long serialVersionUID = -5284624715788385022L; + + /** + * @param messageId + * @param parameters + */ + public SLOException(String messageId, Object[] parameters) { + super(messageId, parameters); + // TODO Auto-generated constructor stub + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOARequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/InboundMessage.java index 11054fd57..332caf967 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOARequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/InboundMessage.java @@ -1,4 +1,4 @@ -/******************************************************************************* +/* * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. @@ -19,106 +19,96 @@ * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.binding; + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.messages; import java.io.Serializable; -import org.opensaml.Configuration; -import org.opensaml.saml2.core.RequestAbstractType; -import org.opensaml.saml2.core.impl.RequestAbstractTypeMarshaller; -import org.opensaml.saml2.core.impl.RequestAbstractTypeUnmarshaller; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.provider.MetadataProviderException; -import org.opensaml.xml.XMLObject; -import org.opensaml.xml.io.Unmarshaller; -import org.opensaml.xml.io.UnmarshallerFactory; -import org.opensaml.xml.io.UnmarshallingException; import org.w3c.dom.Element; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.logging.Logger; -public class MOARequest implements Serializable{ +/** + * @author tlenz + * + */ +public class InboundMessage implements InboundMessageInterface, Serializable{ private static final long serialVersionUID = 2395131650841669663L; - private Element samlRequest; + private Element samlMessage = null; private boolean verified = false; private String entityID = null; private String relayState = null; - public MOARequest(RequestAbstractType request) { - samlRequest = request.getDOM(); - } - - public RequestAbstractType getSamlRequest() { - UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory(); - Unmarshaller unmashaller = unmarshallerFactory.getUnmarshaller(samlRequest); + + public EntityDescriptor getEntityMetadata() throws NoMetadataInformationException { try { - return (RequestAbstractType) unmashaller.unmarshall(samlRequest); + return MOAMetadataProvider.getInstance().getEntityDescriptor(this.entityID); - } catch (UnmarshallingException e) { - Logger.warn("AuthnRequest Unmarshaller error", e); - return null; - } - + } catch (MetadataProviderException e) { + Logger.warn("No Metadata for EntitiyID " + entityID); + throw new NoMetadataInformationException(); + } } - - /** - * @return the relayState + * @param entitiyID the entitiyID to set */ - public String getRelayState() { - return relayState; + public void setEntityID(String entitiyID) { + this.entityID = entitiyID; } - + + public void setVerified(boolean verified) { + this.verified = verified; + } + /** * @param relayState the relayState to set */ public void setRelayState(String relayState) { this.relayState = relayState; } - - public void setSamlRequest(RequestAbstractType request) { - this.samlRequest = request.getDOM(); - } - - public boolean isVerified() { - return verified; - } - - public void setVerified(boolean verified) { - this.verified = verified; + + public void setSAMLMessage(Element msg) { + this.samlMessage = msg; } - - public EntityDescriptor getEntityMetadata() throws NoMetadataInformationException { - - try { - return MOAMetadataProvider.getInstance().getEntityDescriptor(this.entityID); - - } catch (MetadataProviderException e) { - Logger.warn("No Metadata for EntitiyID " + entityID); - throw new NoMetadataInformationException(); - } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.messages.PVP21InboundMessage#getRelayState() + */ + @Override + public String getRelayState() { + return relayState; } - /** - * @return the entitiyID + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.messages.PVP21InboundMessage#getEntityID() */ + @Override public String getEntityID() { return entityID; } - /** - * @param entitiyID the entitiyID to set + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.messages.PVP21InboundMessage#isVerified() */ - public void setEntityID(String entitiyID) { - this.entityID = entitiyID; + @Override + public boolean isVerified() { + return verified; } - + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.messages.PVP21InboundMessage#getInboundMessage() + */ + @Override + public Element getInboundMessage() { + return samlMessage; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/InboundMessageInterface.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/InboundMessageInterface.java new file mode 100644 index 000000000..60a6f069a --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/InboundMessageInterface.java @@ -0,0 +1,38 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.messages; + +import org.w3c.dom.Element; + +/** + * @author tlenz + * + */ +public interface InboundMessageInterface { + + public String getRelayState(); + public String getEntityID(); + public boolean isVerified(); + public Element getInboundMessage(); + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOARequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOARequest.java new file mode 100644 index 000000000..7679e74a6 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOARequest.java @@ -0,0 +1,66 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.pvp2x.messages; + + +import org.opensaml.Configuration; +import org.opensaml.saml2.core.RequestAbstractType; +import org.opensaml.xml.io.Unmarshaller; +import org.opensaml.xml.io.UnmarshallerFactory; +import org.opensaml.xml.io.UnmarshallingException; +import org.opensaml.xml.signature.SignableXMLObject; + +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; +import at.gv.egovernment.moa.logging.Logger; + +public class MOARequest extends InboundMessage{ + + private static final long serialVersionUID = 8613921176727607896L; + + private String binding = null; + + public MOARequest(SignableXMLObject inboundMessage, String binding) { + setSAMLMessage(inboundMessage.getDOM()); + this.binding = binding; + + } + + public String getRequestBinding() { + return binding; + } + + public SignableXMLObject getSamlRequest() { + UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory(); + Unmarshaller unmashaller = unmarshallerFactory.getUnmarshaller(getInboundMessage()); + + try { + return (SignableXMLObject) unmashaller.unmarshall(getInboundMessage()); + + } catch (UnmarshallingException e) { + Logger.warn("AuthnRequest Unmarshaller error", e); + return null; + } + + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAResponse.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOAResponse.java index 3d21d95c4..870273cf3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAResponse.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOAResponse.java @@ -20,41 +20,37 @@ * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.binding; +package at.gv.egovernment.moa.id.protocols.pvp2x.messages; +import org.opensaml.Configuration; import org.opensaml.saml2.core.Response; -import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.xml.io.Unmarshaller; +import org.opensaml.xml.io.UnmarshallerFactory; +import org.opensaml.xml.io.UnmarshallingException; -public class MOAResponse { - private Response samlResponse; - private EntityDescriptor entityMetadata; - private boolean verified = false; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; +import at.gv.egovernment.moa.logging.Logger; - public MOAResponse(Response response) { - samlResponse = response; - } - - public Response getSamlResponse() { - return samlResponse; - } - - public void setSamlResponse(Response samlResponse) { - this.samlResponse = samlResponse; - } +public class MOAResponse extends InboundMessage { + + private static final long serialVersionUID = -1133012928130138501L; - public boolean isVerified() { - return verified; + public MOAResponse(Response response) { + setSAMLMessage(response.getDOM()); } - public void setVerified(boolean verified) { - this.verified = verified; + public Response getResponse() { + UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory(); + Unmarshaller unmashaller = unmarshallerFactory.getUnmarshaller(getInboundMessage()); + + try { + return (Response) unmashaller.unmarshall(getInboundMessage()); + + } catch (UnmarshallingException e) { + Logger.warn("AuthnResponse Unmarshaller error", e); + return null; + } + } - public EntityDescriptor getEntityMetadata() { - return entityMetadata; - } - - public void setEntityMetadata(EntityDescriptor entityMetadata) { - this.entityMetadata = entityMetadata; - } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index 6d9022bd9..a57fb5717 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -22,6 +22,7 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.metadata; +import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.Collection; import java.util.Date; @@ -31,9 +32,10 @@ import java.util.List; import java.util.Map; import java.util.Timer; +import javax.net.ssl.SSLHandshakeException; import javax.xml.namespace.QName; -import org.apache.commons.httpclient.HttpClient; +import org.apache.commons.httpclient.MOAHttpClient; import org.opensaml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.RoleDescriptor; @@ -46,9 +48,15 @@ import org.opensaml.xml.XMLObject; import org.opensaml.xml.parse.BasicParserPool; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; +import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModeType; import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.MetadataSignatureFilter; +import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; +import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataFilterChain; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -118,14 +126,15 @@ public class MOAMetadataProvider implements MetadataProvider { } } + //set Timestamp + Date oldTimeStamp = timestamp; + timestamp = new Date(); + //load all PVP2 OAs form ConfigurationDatabase and //compare actually loaded Providers with configured PVP2 OAs List<OnlineApplication> oaList = ConfigurationDBRead .getAllActiveOnlineApplications(); - - //set Timestamp - timestamp = new Date(); - + Iterator<OnlineApplication> oaIt = oaList.iterator(); while (oaIt.hasNext()) { HTTPMetadataProvider httpProvider = null; @@ -138,7 +147,16 @@ public class MOAMetadataProvider implements MetadataProvider { String metadataurl = pvp2Config.getMetadataURL(); if (loadedproviders.containsKey(metadataurl)) { - //PVP2 OA is actually loaded, to nothing + + if (pvp2Config.getUpdateRequiredItem() != null && + pvp2Config.getUpdateRequiredItem().after(oldTimeStamp)) { + //PVP2 OA is actually loaded, but update is requested + Logger.info("Reload metadata for: " + oa.getFriendlyName()); + loadedproviders.get(metadataurl).refresh(); + + } + + // PVP2 OA is actually loaded, to nothing providersinuse.put(metadataurl, loadedproviders.get(metadataurl)); loadedproviders.remove(metadataurl); @@ -146,11 +164,14 @@ public class MOAMetadataProvider implements MetadataProvider { } else if ( MiscUtil.isNotEmpty(metadataurl) && !providersinuse.containsKey(metadataurl) ) { //PVP2 OA is new, add it to MOAMetadataProvider + Logger.info("Loading metadata for: " + oa.getFriendlyName()); httpProvider = createNewHTTPMetaDataProvider( pvp2Config.getMetadataURL(), pvp2Config.getCertificate(), - oa.getFriendlyName()); + oa.getFriendlyName(), + buildMetadataFilterChain(oa, pvp2Config.getMetadataURL(), + pvp2Config.getCertificate())); if (httpProvider != null) providersinuse.put(metadataurl, httpProvider); @@ -256,7 +277,9 @@ public class MOAMetadataProvider implements MetadataProvider { httpProvider = createNewHTTPMetaDataProvider( metadataURL, pvp2Config.getCertificate(), - oa.getFriendlyName()); + oa.getFriendlyName(), + buildMetadataFilterChain(oa, metadataURL, + pvp2Config.getCertificate())); if (httpProvider != null) providersinuse.put(metadataURL, httpProvider); @@ -295,13 +318,45 @@ public class MOAMetadataProvider implements MetadataProvider { timestamp = new Date(); } - private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, byte[] certificate, String oaName) { + private MetadataFilterChain buildMetadataFilterChain(OnlineApplication oa, String metadataURL, byte[] certificate) throws CertificateException { + MetadataFilterChain filterChain = new MetadataFilterChain(metadataURL, certificate); + + if (oa.isIsInterfederationIDP() != null && oa.isIsInterfederationIDP()) { + Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies"); + filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oa.getType())); + + } + + return filterChain; + } + + private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, byte[] certificate, String oaName, MetadataFilterChain filter) { HTTPMetadataProvider httpProvider = null; Timer timer= null; - - try { + MOAHttpClient httpClient = null; + try { + httpClient = new MOAHttpClient(); + + if (metadataURL.startsWith("https:")) { + try { + MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( + PVPConstants.SSLSOCKETFACTORYNAME, + AuthConfigurationProvider.getInstance().getCertstoreDirectory(), + AuthConfigurationProvider.getInstance().getTrustedCACertificates(), + null, + ChainingModeType.fromValue(AuthConfigurationProvider.getInstance().getDefaultChainingMode()), + AuthConfigurationProvider.getInstance().isTrustmanagerrevoationchecking()); + + httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory); + + } catch (MOAHttpProtocolSocketFactoryException e) { + Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore."); + + } + } + timer = new Timer(); - httpProvider = new HTTPMetadataProvider(timer, new HttpClient(), + httpProvider = new HTTPMetadataProvider(timer, httpClient, metadataURL); httpProvider.setParserPool(new BasicParserPool()); httpProvider.setRequireValidMetadata(true); @@ -309,17 +364,20 @@ public class MOAMetadataProvider implements MetadataProvider { httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours //httpProvider.setRefreshDelayFactor(0.1F); - // TODO: use proper SSL checking - - MetadataFilter filter = new MetadataSignatureFilter( - metadataURL, certificate); + if (filter == null) { + filter = new MetadataFilterChain(metadataURL, certificate); + } httpProvider.setMetadataFilter(filter); httpProvider.initialize(); return httpProvider; - - + } catch (Throwable e) { + if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) { + Logger.warn("SSL-Server certificate for metadata " + + metadataURL + " not trusted.", e); + } + Logger.error( "Failed to add Metadata file for " + oaName + "[ " diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/ArtifactResolution.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/ArtifactResolution.java index 04ef4cdbf..303fc2924 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/ArtifactResolution.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/ArtifactResolution.java @@ -30,10 +30,12 @@ import org.opensaml.common.binding.artifact.SAMLArtifactMap.SAMLArtifactMapEntry import org.opensaml.saml2.core.ArtifactResolve; import org.opensaml.saml2.core.ArtifactResponse; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPAssertionStorage; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.SoapBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.RequestDeniedException; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; @@ -41,18 +43,18 @@ import at.gv.egovernment.moa.logging.Logger; public class ArtifactResolution implements IRequestHandler { - public boolean handleObject(MOARequest obj) { - return (obj.getSamlRequest() instanceof ArtifactResolve); + public boolean handleObject(InboundMessage obj) { + return (obj instanceof MOARequest && + ((MOARequest)obj).getSamlRequest() instanceof ArtifactResolve); } - public String process(MOARequest obj, HttpServletRequest req, - HttpServletResponse resp, AuthenticationSession moasession) throws MOAIDException { + public SLOInformationInterface process(InboundMessage obj, HttpServletRequest req, + HttpServletResponse resp, IAuthData authData) throws MOAIDException { if (!handleObject(obj)) { throw new MOAIDException("pvp2.13", null); } - - ArtifactResolve artifactResolve = (ArtifactResolve) obj - .getSamlRequest(); + + ArtifactResolve artifactResolve = (ArtifactResolve) ((MOARequest)obj).getSamlRequest(); String artifactID = artifactResolve.getArtifact().getArtifact(); PVPAssertionStorage pvpAssertion = PVPAssertionStorage.getInstance(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java index fd7ff9885..ca5210d21 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java @@ -22,72 +22,55 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler; -import java.util.ArrayList; -import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.joda.time.DateTime; -import org.opensaml.Configuration; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.AuthnRequest; -import org.opensaml.saml2.core.EncryptedAssertion; -import org.opensaml.saml2.core.Issuer; -import org.opensaml.saml2.core.NameID; import org.opensaml.saml2.core.Response; -import org.opensaml.saml2.encryption.Encrypter; -import org.opensaml.saml2.encryption.Encrypter.KeyPlacement; import org.opensaml.saml2.metadata.AssertionConsumerService; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.security.MetadataCredentialResolver; -import org.opensaml.security.MetadataCriteria; import org.opensaml.ws.message.encoder.MessageEncodingException; -import org.opensaml.xml.encryption.EncryptionException; -import org.opensaml.xml.encryption.EncryptionParameters; -import org.opensaml.xml.encryption.KeyEncryptionParameters; -import org.opensaml.xml.security.CriteriaSet; import org.opensaml.xml.security.SecurityException; -import org.opensaml.xml.security.credential.UsageType; -import org.opensaml.xml.security.criteria.EntityIDCriteria; -import org.opensaml.xml.security.criteria.UsageCriteria; -import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory; -import org.opensaml.xml.security.x509.X509Credential; - -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.SLOInformationImpl; +import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.ArtifactBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AuthResponseBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionEncryptionException; -import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; public class AuthnRequestHandler implements IRequestHandler, PVPConstants { - public boolean handleObject(MOARequest obj) { - return (obj.getSamlRequest() instanceof AuthnRequest); + public boolean handleObject(InboundMessage obj) { + + return (obj instanceof MOARequest && + ((MOARequest)obj).getSamlRequest() instanceof AuthnRequest); } - public String process(MOARequest obj, HttpServletRequest req, - HttpServletResponse resp, AuthenticationSession authSession) throws MOAIDException { + public SLOInformationInterface process(InboundMessage obj, HttpServletRequest req, + HttpServletResponse resp, IAuthData authData) throws MOAIDException { if (!handleObject(obj)) { throw new MOAIDException("pvp2.13", null); } - + //get basic information - AuthnRequest authnRequest = (AuthnRequest) obj.getSamlRequest(); + MOARequest moaRequest = (MOARequest) obj; + AuthnRequest authnRequest = (AuthnRequest) moaRequest.getSamlRequest(); EntityDescriptor peerEntity = obj.getEntityMetadata(); SPSSODescriptor spSSODescriptor = peerEntity .getSPSSODescriptor(SAMLConstants.SAML20P_NS); @@ -113,91 +96,14 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { DateTime date = new DateTime(); - //build Assertion - Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authSession, peerEntity, date, consumerService); - - Response authResponse = SAML2Utils.createSAMLObject(Response.class); - - Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); - - //change to entity value from entity name to IDP EntityID (URL) - nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); - nissuer.setFormat(NameID.ENTITY); - authResponse.setIssuer(nissuer); - authResponse.setInResponseTo(authnRequest.getID()); - - //set responseID - String remoteSessionID = SAML2Utils.getSecureIdentifier(); - authResponse.setID(remoteSessionID); - + SLOInformationImpl sloInformation = new SLOInformationImpl(); - //SAML2 response required IssueInstant - authResponse.setIssueInstant(date); + //build Assertion + Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authData, + peerEntity, date, consumerService, sloInformation); - authResponse.setStatus(SAML2Utils.getSuccessStatus()); - - String oaURL = consumerService.getLocation(); - - //check, if metadata includes an encryption key - MetadataCredentialResolver mdCredResolver = - new MetadataCredentialResolver(MOAMetadataProvider.getInstance()); - - CriteriaSet criteriaSet = new CriteriaSet(); - criteriaSet.add( new EntityIDCriteria(obj.getSamlRequest().getIssuer().getValue()) ); - criteriaSet.add( new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS) ); - criteriaSet.add( new UsageCriteria(UsageType.ENCRYPTION) ); - - X509Credential encryptionCredentials = null; - try { - encryptionCredentials = (X509Credential) mdCredResolver.resolveSingle(criteriaSet); - - } catch (SecurityException e2) { - Logger.warn("Can not extract the Assertion Encryption-Key from metadata", e2); - throw new InvalidAssertionEncryptionException(); - - } - - boolean isEncryptionActive = AuthConfigurationProvider.getInstance().isPVP2AssertionEncryptionActive(); - if (encryptionCredentials != null && isEncryptionActive) { - //encrypt SAML2 assertion - - try { - - EncryptionParameters dataEncParams = new EncryptionParameters(); - dataEncParams.setAlgorithm(PVPConstants.DEFAULT_SYM_ENCRYPTION_METHODE); - - List<KeyEncryptionParameters> keyEncParamList = new ArrayList<KeyEncryptionParameters>(); - KeyEncryptionParameters keyEncParam = new KeyEncryptionParameters(); - - keyEncParam.setEncryptionCredential(encryptionCredentials); - keyEncParam.setAlgorithm(PVPConstants.DEFAULT_ASYM_ENCRYPTION_METHODE); - KeyInfoGeneratorFactory kigf = Configuration.getGlobalSecurityConfiguration() - .getKeyInfoGeneratorManager().getDefaultManager() - .getFactory(encryptionCredentials); - keyEncParam.setKeyInfoGenerator(kigf.newInstance()); - keyEncParamList.add(keyEncParam); - - Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList); - //samlEncrypter.setKeyPlacement(KeyPlacement.INLINE); - samlEncrypter.setKeyPlacement(KeyPlacement.PEER); - - EncryptedAssertion encryptAssertion = null; - - encryptAssertion = samlEncrypter.encrypt(assertion); - - authResponse.getEncryptedAssertions().add(encryptAssertion); - - } catch (EncryptionException e1) { - Logger.warn("Can not encrypt the PVP2 assertion", e1); - throw new InvalidAssertionEncryptionException(); - - } - - } else { - authResponse.getAssertions().add(assertion); - - } - + Response authResponse = AuthResponseBuilder.buildResponse(authnRequest, date, assertion); + IEncoder binding = null; if (consumerService.getBinding().equals( @@ -218,32 +124,21 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { if (binding == null) { throw new BindingNotSupportedException(consumerService.getBinding()); } - + try { - binding.encodeRespone(req, resp, authResponse, oaURL, obj.getRelayState()); - // TODO add remoteSessionID to AuthSession ExternalPVPSessionStore - -// Logger logger = new Logger(); -// logger.debug("Redirect Binding Request = " + PrettyPrinter.prettyPrint(SAML2Utils.asDOMDocument(authResponse))); - - - return assertion.getID(); + binding.encodeRespone(req, resp, authResponse, + consumerService.getLocation(), obj.getRelayState()); + + return sloInformation; } catch (MessageEncodingException e) { Logger.error("Message Encoding exception", e); throw new MOAIDException("pvp2.01", null, e); + } catch (SecurityException e) { Logger.error("Security exception", e); throw new MOAIDException("pvp2.01", null, e); -// } catch (TransformerException e) { -// Logger.error("Security exception", e); -// throw new MOAIDException("pvp2.01", null, e); -// } catch (IOException e) { -// Logger.error("Security exception", e); -// throw new MOAIDException("pvp2.01", null, e); -// } catch (MarshallingException e) { -// Logger.error("Security exception", e); -// throw new MOAIDException("pvp2.01", null, e); + } } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java index 92a47adb3..d1ae0b202 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java @@ -25,13 +25,15 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.SLOInformationInterface; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; public interface IRequestHandler { - public boolean handleObject(MOARequest obj); + public boolean handleObject(InboundMessage obj); - public String process(MOARequest obj, HttpServletRequest req, - HttpServletResponse resp, AuthenticationSession moasession) throws MOAIDException; + public SLOInformationInterface process(InboundMessage obj, HttpServletRequest req, + HttpServletResponse resp, IAuthData authData) throws MOAIDException; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java index a4f43a97a..5b9bf940d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java @@ -29,9 +29,12 @@ import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; +import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.SLOInformationInterface; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSupported; public class RequestManager { @@ -53,13 +56,13 @@ public class RequestManager { handler.add(new ArtifactResolution()); } - public String handle(MOARequest obj, HttpServletRequest req, HttpServletResponse resp, AuthenticationSession moasession) + public SLOInformationInterface handle(InboundMessage obj, HttpServletRequest req, HttpServletResponse resp, IAuthData authData) throws SAMLRequestNotSupported, MOAIDException { Iterator<IRequestHandler> it = handler.iterator(); while(it.hasNext()) { IRequestHandler handler = it.next(); if(handler.handleObject(obj)) { - return handler.process(obj, req, resp, moasession); + return handler.process(obj, req, resp, authData); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java index d95e21a0e..48e435777 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java @@ -39,6 +39,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.KeyStoreUtils; +import at.gv.egovernment.moa.util.MiscUtil; public class CredentialProvider { @@ -86,7 +87,32 @@ public class CredentialProvider { throw new CredentialsNotAvailableException(e.getMessage(), null); } } - + + public static X509Credential getIDPAssertionEncryptionCredential() + throws CredentialsNotAvailableException { + PVPConfiguration config = PVPConfiguration.getInstance(); + try { + if (keyStore == null) + keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(), + config.getIDPKeyStorePassword()); + + //if no encryption key is configured return null + if (MiscUtil.isEmpty(config.getIDPKeyAliasAssertionEncryption())) + return null; + + MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter( + keyStore, config.getIDPKeyAliasAssertionEncryption(), config + .getIDPKeyPasswordAssertionEncryption().toCharArray()); + + credentials.setUsageType(UsageType.ENCRYPTION); + return (X509Credential) credentials; + } catch (Exception e) { + Logger.error("Failed to generate IDP Assertion Encryption credentials"); + e.printStackTrace(); + throw new CredentialsNotAvailableException(e.getMessage(), null); + } + } + public static Signature getIDPSignature(Credential credentials) { PrivateKey privatekey = credentials.getPrivateKey(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java new file mode 100644 index 000000000..61b481447 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -0,0 +1,111 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.pvp2x.utils; + +import java.util.List; + +import org.opensaml.saml2.core.Assertion; +import org.opensaml.saml2.core.AuthnContextClassRef; +import org.opensaml.saml2.core.AuthnStatement; +import org.opensaml.saml2.core.Response; +import org.opensaml.saml2.core.Subject; + +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +public class AssertionAttributeExtractor { + + private Assertion assertion = null; + + public AssertionAttributeExtractor(Response samlResponse) throws AssertionAttributeExtractorExeption { + if (samlResponse != null) { + if (samlResponse.getAssertions().size() == 0) + throw new AssertionAttributeExtractorExeption("Assertion"); + + else if (samlResponse.getAssertions().size() > 1) + Logger.warn("Found more then ONE PVP2.1 assertions. Only the First is used."); + + assertion = samlResponse.getAssertions().get(0); + + } else + throw new AssertionAttributeExtractorExeption(); + } + + public String getNameID() throws AssertionAttributeExtractorExeption { + if (assertion.getSubject() != null) { + Subject subject = assertion.getSubject(); + + if (subject.getNameID() != null) { + if (MiscUtil.isNotEmpty(subject.getNameID().getValue())) + return subject.getNameID().getValue(); + + else + Logger.error("SAML2 NameID Element is empty."); + } + } + + throw new AssertionAttributeExtractorExeption("nameID"); + } + + public String getSessionIndex() throws AssertionAttributeExtractorExeption { + AuthnStatement authn = getAuthnStatement(); + + if (MiscUtil.isNotEmpty(authn.getSessionIndex())) + return authn.getSessionIndex(); + + else + throw new AssertionAttributeExtractorExeption("SessionIndex"); + } + + /** + * @return + * @throws AssertionAttributeExtractorExeption + */ + public String getQAALevel() throws AssertionAttributeExtractorExeption { + AuthnStatement authn = getAuthnStatement(); + if (authn.getAuthnContext() != null && authn.getAuthnContext().getAuthnContextClassRef() != null) { + AuthnContextClassRef qaaClass = authn.getAuthnContext().getAuthnContextClassRef(); + + if (MiscUtil.isNotEmpty(qaaClass.getAuthnContextClassRef())) + return qaaClass.getAuthnContextClassRef(); + + else + throw new AssertionAttributeExtractorExeption("AuthnContextClassRef (QAALevel)"); + } + + throw new AssertionAttributeExtractorExeption("AuthnContextClassRef"); + } + + private AuthnStatement getAuthnStatement() throws AssertionAttributeExtractorExeption { + List<AuthnStatement> authnList = assertion.getAuthnStatements(); + if (authnList.size() == 0) + throw new AssertionAttributeExtractorExeption("AuthnStatement"); + + else if (authnList.size() > 1) + Logger.warn("Found more then ONE AuthnStatements in PVP2.1 assertions. Only the First is used."); + + return authnList.get(0); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AttributeExtractor.java deleted file mode 100644 index 666bfab3c..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AttributeExtractor.java +++ /dev/null @@ -1,85 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.utils; - -import java.util.Iterator; -import java.util.List; - -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; -import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; - -public class AttributeExtractor { - - public static String extractSAMLAttributeOA(String name, - AuthenticationSession authSession) { - List<ExtendedSAMLAttribute> extAttributes = authSession.getExtendedSAMLAttributesOA(); - if(extAttributes == null) { - return null; - } - Iterator<ExtendedSAMLAttribute> extAttributesIt = extAttributes.iterator(); - while(extAttributesIt.hasNext()) { - Object attr = extAttributesIt.next(); - if(attr instanceof ExtendedSAMLAttribute) { - ExtendedSAMLAttribute extAttribute = (ExtendedSAMLAttribute) attr; - if(extAttribute.getName().equals(name)) { - if(extAttribute.getValue() instanceof String) { - return extAttribute.getValue().toString(); - } - break; - } - } - } - return null; - } - - public static String extractSAMLAttributeAUTH(String name, - AuthenticationSession authSession) { - List<ExtendedSAMLAttribute> extAttributes = authSession.getExtendedSAMLAttributesAUTH(); - if(extAttributes == null) { - return null; - } - Iterator<ExtendedSAMLAttribute> extAttributesIt = extAttributes.iterator(); - while(extAttributesIt.hasNext()) { - Object attr = extAttributesIt.next(); - if(attr instanceof ExtendedSAMLAttribute) { - ExtendedSAMLAttribute extAttribute = (ExtendedSAMLAttribute) attr; - if(extAttribute.getName().equals(name)) { - if(extAttribute.getValue() instanceof String) { - return extAttribute.getValue().toString(); - } - break; - } - } - } - return null; - } - - public static String extractSAMLAttributeBOTH(String name, - AuthenticationSession authSession) { - String value = extractSAMLAttributeOA(name, authSession); - if(value == null) { - value = extractSAMLAttributeAUTH(name, authSession); - } - return value; - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java new file mode 100644 index 000000000..12de97a3f --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java @@ -0,0 +1,93 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.utils; + +import java.util.List; + +import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory; +import org.opensaml.ws.soap.client.BasicSOAPMessageContext; +import org.opensaml.ws.soap.client.http.HttpClientBuilder; +import org.opensaml.ws.soap.client.http.HttpSOAPClient; +import org.opensaml.ws.soap.common.SOAPException; +import org.opensaml.ws.soap.soap11.Body; +import org.opensaml.ws.soap.soap11.Envelope; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.parse.BasicParserPool; +import org.opensaml.xml.security.SecurityException; + +import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModeType; +import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; +import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class MOASAMLSOAPClient { + + public static List<XMLObject> send(String destination, XMLObject payLoad) throws ConfigurationException, SOAPException, SecurityException { + //build SOAP request + BasicParserPool parserPool = new BasicParserPool(); + parserPool.setNamespaceAware(true); + + Envelope soapRequest = SAML2Utils.buildSOAP11Envelope(payLoad); + + BasicSOAPMessageContext soapContext = new BasicSOAPMessageContext(); + soapContext.setOutboundMessage(soapRequest); + + HttpClientBuilder clientBuilder = new HttpClientBuilder(); + if (destination.startsWith("https")) { + try { + SecureProtocolSocketFactory sslprotocolsocketfactory = + new MOAHttpProtocolSocketFactory( + PVPConstants.SSLSOCKETFACTORYNAME, + AuthConfigurationProvider.getInstance().getCertstoreDirectory(), + AuthConfigurationProvider.getInstance().getTrustedCACertificates(), + null, + ChainingModeType.fromValue(AuthConfigurationProvider.getInstance().getDefaultChainingMode()), + AuthConfigurationProvider.getInstance().isTrustmanagerrevoationchecking()); + clientBuilder.setHttpsProtocolSocketFactory(sslprotocolsocketfactory ); + + } catch (MOAHttpProtocolSocketFactoryException e) { + Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore."); + + } + } + + HttpSOAPClient soapClient = new HttpSOAPClient(clientBuilder.buildClient(), parserPool); + + //send request to IDP + soapClient.send(destination, soapContext); + + //parse response + Envelope soapResponse = (Envelope) soapContext.getInboundMessage(); + Body soapBody = soapResponse.getBody(); + + return soapBody.getUnknownXMLObjects(); + + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java index b52e37e06..9d57c2bae 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java @@ -38,6 +38,8 @@ import org.opensaml.saml2.core.Status; import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.metadata.AssertionConsumerService; import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.ws.soap.soap11.Body; +import org.opensaml.ws.soap.soap11.Envelope; import org.opensaml.xml.XMLObject; import org.opensaml.xml.XMLObjectBuilderFactory; import org.opensaml.xml.io.Marshaller; @@ -115,4 +117,15 @@ public class SAML2Utils { return 0; } + + public static Envelope buildSOAP11Envelope(XMLObject payload) { + XMLObjectBuilderFactory bf = Configuration.getBuilderFactory(); + Envelope envelope = (Envelope) bf.getBuilder(Envelope.DEFAULT_ELEMENT_NAME).buildObject(Envelope.DEFAULT_ELEMENT_NAME); + Body body = (Body) bf.getBuilder(Body.DEFAULT_ELEMENT_NAME).buildObject(Body.DEFAULT_ELEMENT_NAME); + + body.getUnknownXMLObjects().add(payload); + envelope.setBody(body); + + return envelope; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java index ac222ee54..6388042d9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java @@ -22,21 +22,60 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.verification; +import java.util.ArrayList; +import java.util.List; + +import org.joda.time.DateTime; import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.core.Conditions; +import org.opensaml.saml2.core.EncryptedAssertion; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.Response; +import org.opensaml.saml2.core.StatusCode; +import org.opensaml.saml2.encryption.Decrypter; +import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver; +import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.security.MetadataCriteria; import org.opensaml.security.SAMLSignatureProfileValidator; +import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver; +import org.opensaml.xml.encryption.DecryptionException; +import org.opensaml.xml.encryption.InlineEncryptedKeyResolver; +import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver; import org.opensaml.xml.security.CriteriaSet; import org.opensaml.xml.security.credential.UsageType; import org.opensaml.xml.security.criteria.EntityIDCriteria; import org.opensaml.xml.security.criteria.UsageCriteria; +import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver; +import org.opensaml.xml.security.x509.X509Credential; import org.opensaml.xml.signature.SignatureTrustEngine; import org.opensaml.xml.validation.ValidationException; +import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.logging.Logger; + public class SAMLVerificationEngine { + + public void verify(InboundMessage msg, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception { + if (msg instanceof MOARequest && + ((MOARequest)msg).getSamlRequest() instanceof RequestAbstractType) + verifyRequest(((RequestAbstractType)((MOARequest)msg).getSamlRequest()), sigTrustEngine); + + else + verifyResponse(((MOAResponse)msg).getResponse(), sigTrustEngine); + + } + + public void verifyResponse(Response samlObj, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception { SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator(); try { @@ -48,16 +87,16 @@ public class SAMLVerificationEngine { CriteriaSet criteriaSet = new CriteriaSet(); criteriaSet.add( new EntityIDCriteria(samlObj.getIssuer().getValue()) ); - criteriaSet.add( new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS) ); + criteriaSet.add( new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS) ); criteriaSet.add( new UsageCriteria(UsageType.SIGNING) ); try { if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) { - throw new Exception("Signature was either invalid or signing key could not be established as trusted"); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); } } catch (SecurityException e) { - // Indicates processing error evaluating the signature e.printStackTrace(); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); } } @@ -78,12 +117,96 @@ public class SAMLVerificationEngine { try { if (!sigTrustEngine.validate(samlObj.getSignature(), criteriaSet)) { - throw new Exception("Signature was either invalid or signing key could not be established as trusted"); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); } } catch (SecurityException e) { - // Indicates processing error evaluating the signature - e.printStackTrace(); + e.printStackTrace(); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); } } + public static void validateAssertion(Response samlResp, boolean validateDestination) throws AssertionValidationExeption { + try { + if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { + List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>(); + + if (validateDestination && !samlResp.getDestination().startsWith( + PVPConfiguration.getInstance().getIDPPublicPath())) { + Logger.warn("PVP 2.1 assertion destination does not match to IDP URL"); + throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null); + + } + + //check encrypted Assertion + List<EncryptedAssertion> encryAssertionList = samlResp.getEncryptedAssertions(); + if (encryAssertionList != null && encryAssertionList.size() > 0) { + //decrypt assertions + + Logger.debug("Found encryped assertion. Start decryption ..."); + + X509Credential authDecCredential = CredentialProvider.getIDPAssertionEncryptionCredential(); + + StaticKeyInfoCredentialResolver skicr = + new StaticKeyInfoCredentialResolver(authDecCredential); + + ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(); + encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() ); + encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() ); + encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() ); + + Decrypter samlDecrypter = + new Decrypter(null, skicr, encryptedKeyResolver); + + for (EncryptedAssertion encAssertion : encryAssertionList) { + saml2assertions.add(samlDecrypter.decrypt(encAssertion)); + + } + + Logger.debug("Assertion decryption finished. "); + + } else { + saml2assertions.addAll(samlResp.getAssertions()); + + } + + for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) { + + Conditions conditions = saml2assertion.getConditions(); + DateTime notbefore = conditions.getNotBefore(); + DateTime notafter = conditions.getNotOnOrAfter(); + if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) { + Logger.warn("PVP2 Assertion is out of Date"); + saml2assertions.remove(saml2assertion); + + } + } + + if (saml2assertions.isEmpty()) { + Logger.info("No valid PVP 2.1 assertion received."); + throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null); + } + + samlResp.getAssertions().clear(); + samlResp.getEncryptedAssertions().clear(); + samlResp.getAssertions().addAll(saml2assertions); + + } else { + Logger.info("PVP 2.1 assertion includes an error. Receive errorcode " + + samlResp.getStatus().getStatusCode().getValue()); + throw new AssertionValidationExeption("PVP 2.1 assertion includes an error. Receive errorcode " + + samlResp.getStatus().getStatusCode().getValue(), null); + } + + } catch (CredentialsNotAvailableException e) { + Logger.warn("Assertion decrypt FAILED - No Credentials", e); + throw new AssertionValidationExeption("Assertion decrypt FAILED - No Credentials", null, e); + + } catch (DecryptionException e) { + Logger.warn("Assertion decrypt FAILED.", e); + throw new AssertionValidationExeption("Assertion decrypt FAILED.", null, e); + + } catch (ConfigurationException e) { + throw new AssertionValidationExeption("pvp.12", null, e); + } + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java new file mode 100644 index 000000000..3d608fd6d --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java @@ -0,0 +1,76 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; + +import org.opensaml.saml2.metadata.provider.FilterException; +import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.xml.XMLObject; + +import at.gv.egovernment.moa.id.commons.db.dao.config.InterfederationIDPType; +import at.gv.egovernment.moa.id.commons.validation.ValidationHelper; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class InterfederatedIDPPublicServiceFilter implements MetadataFilter { + + private String metadataURL; + private boolean isPublicService = false; + + /** + * + */ + public InterfederatedIDPPublicServiceFilter(String metadataURL, String oaType) { + Logger.debug("Add " + this.getClass().getName() + " to metadata policy"); + this.metadataURL = metadataURL; + + if (oaType.equals("businessService")) + this.isPublicService = false; + else + this.isPublicService = true; + } + + + /* (non-Javadoc) + * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject) + */ + @Override + public void doFilter(XMLObject arg0) throws FilterException { + + boolean metadatacheck = ValidationHelper.isPublicServiceAllowed(this.metadataURL); + + if (isPublicService && isPublicService != metadatacheck) { + Logger.warn("Interfederated IDP " + metadataURL + " is configured " + + "as Public-Servic IDP but PublicService policy check FAILED."); + throw new FilterException("Interfederated IDP " + metadataURL + " is configured " + + "as Public-Servic IDP but PublicService policy check FAILED."); + + } + + Logger.info("Metadata PublicService policy check done OK"); + + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataFilterChain.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataFilterChain.java new file mode 100644 index 000000000..4e1d939ff --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataFilterChain.java @@ -0,0 +1,82 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; + +import java.security.cert.CertificateException; +import java.util.ArrayList; +import java.util.List; + +import org.opensaml.saml2.metadata.provider.FilterException; +import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.xml.XMLObject; + +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class MetadataFilterChain implements MetadataFilter { + + private List<MetadataFilter> filters = new ArrayList<MetadataFilter>(); + + /** + * @throws CertificateException + * + */ + public MetadataFilterChain(String url, byte[] certificate) throws CertificateException { + addDefaultFilters(url, certificate); + } + + public void addDefaultFilters(String url, byte[] certificate) throws CertificateException { + filters.add(new MetadataSignatureFilter(url, certificate)); + + } + + /** + * @return the filter + */ + public List<MetadataFilter> getFilters() { + return filters; + } + + + /* (non-Javadoc) + * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject) + */ + @Override + public void doFilter(XMLObject arg0) throws FilterException { + for (MetadataFilter filter : filters) { + Logger.trace("Use MOAMetadatafilter " + filter.getClass().getName()); + filter.doFilter(arg0); + } + + } + + + + + + + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java index ed0cf9c62..0405fa114 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java @@ -20,7 +20,7 @@ * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.verification; +package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; import iaik.x509.X509Certificate; @@ -39,6 +39,7 @@ import org.opensaml.xml.security.x509.BasicX509Credential; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.EntityVerifier; import at.gv.egovernment.moa.logging.Logger; public class MetadataSignatureFilter implements MetadataFilter { @@ -151,9 +152,9 @@ public class MetadataSignatureFilter implements MetadataFilter { ConfigurationDBUtils.closeSession(); - Logger.info("Metadata Filter done OK"); + Logger.info("Metadata signature policy check done OK"); } catch (MOAIDException e) { - e.printStackTrace(); + Logger.warn("Metadata signature policy check FAILED.", e); throw new FilterException(e); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java index c337433b6..67f780b3a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java @@ -27,30 +27,26 @@ import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import at.gv.egovernment.moa.id.auth.AuthenticationServer; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; -import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet; import at.gv.egovernment.moa.id.auth.stork.STORKResponseProcessor; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.SLOInformationImpl; +import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; -import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; -import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.URLEncoder; public class GetArtifactAction implements IAction { - public String processRequest(IRequest req, HttpServletRequest httpReq, - HttpServletResponse httpResp, AuthenticationSession session) throws AuthenticationException { + public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, + HttpServletResponse httpResp, IAuthData obj) throws AuthenticationException { String oaURL = (String) req.getOAURL(); - String target = (String) req.getTarget(); String sourceID = null; if (req instanceof SAML1RequestImpl) { @@ -59,42 +55,32 @@ public class GetArtifactAction implements IAction { } - try { - - - if (oaURL == null) { - throw new WrongParametersException("StartAuthentication", - PARAM_OA, "auth.12"); - } + SAML1AuthenticationData authData; + if (obj instanceof SAML1AuthenticationData) { + authData = (SAML1AuthenticationData) obj; - // check parameter - if (!ParamValidatorUtils.isValidOA(oaURL)) - throw new WrongParametersException("StartAuthentication", - PARAM_OA, "auth.12"); - - // TODO: Support Mandate MODE! + } else { + Logger.error("AuthDate is NOT of type SAML1AuthenticationData."); + throw new AuthenticationException("AuthDate is NOT of type SAML1AuthenticationData.", new Object[]{}); + } + + try { OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() - .getOnlineApplicationParameter(oaURL); - - SAML1AuthenticationServer saml1server = SAML1AuthenticationServer.getInstace(); - - AuthenticationData authData = SAML1AuthenticationServer.buildAuthenticationData(session, - oaParam, - target); + .getOnlineApplicationParameter(oaURL); + SAML1AuthenticationServer saml1server = SAML1AuthenticationServer.getInstace(); + // add other stork attributes to MOA assertion if available - if(null != session.getStorkAttributes()) { - List<ExtendedSAMLAttribute> moaExtendedSAMLAttibutes = STORKResponseProcessor.addAdditionalSTORKAttributes(session.getStorkAttributes()); - session.getExtendedSAMLAttributesOA().addAll(moaExtendedSAMLAttibutes); - //produce MOA-Assertion and artifact - AuthenticationServer.getInstance().getForeignAuthenticationData(session); + if(null != authData.getStorkAttributes()) { + List<ExtendedSAMLAttribute> moaExtendedSAMLAttibutes = STORKResponseProcessor.addAdditionalSTORKAttributes(authData.getStorkAttributes()); + authData.getExtendedSAMLAttributesOA().addAll(moaExtendedSAMLAttibutes); Logger.info("MOA assertion assembled and SAML Artifact generated."); } - String samlArtifactBase64 = saml1server.BuildSAMLArtifact(session, oaParam, authData, sourceID); + String samlArtifactBase64 = saml1server.BuildSAMLArtifact(oaParam, authData, sourceID); - if (AuthenticationSessionStoreage.isSSOSession(session.getSessionID())) { - String url = "RedirectServlet"; + if (authData.isSsoSession()) { + String url = AuthConfigurationProvider.getInstance().getPublicURLPrefix() + "/RedirectServlet"; url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(oaURL, "UTF-8")); if (!oaParam.getBusinessService()) url = addURLParameter(url, PARAM_TARGET, URLEncoder.encode(oaParam.getTarget(), "UTF-8")); @@ -122,7 +108,10 @@ public class GetArtifactAction implements IAction { Logger.debug("REDIRECT TO: " + redirectURL); } - return authData.getAssertionID(); + SLOInformationInterface sloInformation = + new SLOInformationImpl(authData.getAssertionID(), null, null, req.requestedModule()); + + return sloInformation; } catch (Exception ex) { Logger.error("SAML1 Assertion build error", ex); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java index 0f5e9ee68..2b4aaf458 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java @@ -56,7 +56,7 @@ import org.w3c.dom.NodeList; import at.gv.egovernment.moa.id.auth.builder.SAMLResponseBuilder; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.util.ErrorResponseUtils; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.util.Constants; @@ -138,12 +138,9 @@ public class GetAuthenticationDataService implements Constants { try { - AuthenticationData authData = saml1server.getSaml1AuthenticationData(samlArtifact); + samlAssertion = saml1server.getSaml1AuthenticationData(samlArtifact); -// useUTC = authData.getUseUTC(); - // success - samlAssertion = authData.getSamlAssertion(); statusCode = "samlp:Success"; statusMessageCode = "1200"; } @@ -153,18 +150,18 @@ public class GetAuthenticationDataService implements Constants { try { Throwable error = saml1server.getErrorResponse(samlArtifact); statusCode = "samlp:Responder"; - subStatusCode = "samlp:RequestDenied"; + + ErrorResponseUtils errorUtils = ErrorResponseUtils.getInstance(); if (error instanceof MOAIDException) { - statusMessageCode = ((MOAIDException)error).getMessageId(); + statusMessageCode = ((MOAIDException)error).getMessageId(); statusMessage = StringEscapeUtils.escapeXml(((MOAIDException)error).getMessage()); } else { - statusMessage = StringEscapeUtils.escapeXml(error.getMessage()); - } - - - + statusMessage = StringEscapeUtils.escapeXml(error.getMessage()); + } + subStatusCode = errorUtils.getResponseErrorCode(error); + } catch (Exception e) { //no authentication data for given SAML artifact statusCode = "samlp:Requester"; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationData.java new file mode 100644 index 000000000..d48c0a9bb --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationData.java @@ -0,0 +1,177 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + ******************************************************************************/ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.id.protocols.saml1; + +import java.text.ParseException; +import java.util.List; + +import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; +import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.util.Random; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.DateTimeUtils; + +/** + * Encapsulates authentication data contained in a <code><saml:Assertion></code>. + * + * @author Paul Ivancsics + * @version $Id$ + */ + +public class SAML1AuthenticationData extends AuthenticationData { + /** + * + */ + private static final long serialVersionUID = -1042697056735596866L; +/** + * major version number of the SAML assertion + */ + private int majorVersion; + /** + * minor version number of the SAML assertion + */ + private int minorVersion; + /** + * identifier for this assertion + */ + private String assertionID; +/** + * @return the majorVersion + */ + + private String samlAssertion = null; + + private List<ExtendedSAMLAttribute> extendedSAMLAttributesOA; + + + public SAML1AuthenticationData() { + this.setMajorVersion(1); + this.setMinorVersion(0); + this.setAssertionID(Random.nextRandom()); + } + + + //this method is only required for MOA-ID Proxy 2.0 Release. + //TODO: remove it, if MOA-ID Proxy is not supported anymore. + public String getWBPK() { + return getBPK(); + } + +public int getMajorVersion() { + return majorVersion; +} +/** + * @param majorVersion the majorVersion to set + */ +public void setMajorVersion(int majorVersion) { + this.majorVersion = majorVersion; +} +/** + * @return the minorVersion + */ +public int getMinorVersion() { + return minorVersion; +} +/** + * @param minorVersion the minorVersion to set + */ +public void setMinorVersion(int minorVersion) { + this.minorVersion = minorVersion; +} +/** + * @return the assertionID + */ +public String getAssertionID() { + return assertionID; +} +/** + * @param assertionID the assertionID to set + */ +public void setAssertionID(String assertionID) { + this.assertionID = assertionID; +} + +public void setIssueInstant(String date) { + try { + setIssueInstant(DateTimeUtils.parseDateTime(date)); + + } catch (ParseException e) { + Logger.error("Parse IssueInstant element FAILED.", e); + + } +} + +/** + * @return the samlAssertion + */ +public String getSamlAssertion() { + return samlAssertion; +} + +/** + * @param samlAssertion the samlAssertion to set + */ +public void setSamlAssertion(String samlAssertion) { + this.samlAssertion = samlAssertion; +} + +/** + * @return the extendedSAMLAttributesOA + */ +public List<ExtendedSAMLAttribute> getExtendedSAMLAttributesOA() { + return extendedSAMLAttributesOA; +} + +/** + * @param extendedSAMLAttributesOA the extendedSAMLAttributesOA to set + */ +public void setExtendedSAMLAttributesOA( + List<ExtendedSAMLAttribute> extendedSAMLAttributesOA) { + this.extendedSAMLAttributesOA = extendedSAMLAttributesOA; +} + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index 6391860ff..52b9b40ab 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -23,7 +23,6 @@ package at.gv.egovernment.moa.id.protocols.saml1; import java.io.IOException; -import java.util.Date; import java.util.List; import javax.xml.parsers.ParserConfigurationException; @@ -116,7 +115,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { * * @return <code>AuthenticationData</code> */ - public AuthenticationData getSaml1AuthenticationData(String samlArtifact) + public String getSaml1AuthenticationData(String samlArtifact) throws AuthenticationException { try { new SAMLArtifactParser(samlArtifact).parseAssertionHandle(); @@ -125,13 +124,13 @@ public class SAML1AuthenticationServer extends AuthenticationServer { throw new AuthenticationException("1205", new Object[] { samlArtifact, ex.toString() }); } - AuthenticationData authData = null; + String authData = null; synchronized (authenticationDataStore) { // System.out.println("assertionHandle: " + assertionHandle); try { authData = authenticationDataStore - .get(samlArtifact, AuthenticationData.class); + .get(samlArtifact, String.class, authDataTimeOut); } catch (MOADatabaseException e) { Logger.error("Assertion not found for SAML Artifact: " + samlArtifact); @@ -140,12 +139,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { } authenticationDataStore.remove(samlArtifact); - - long now = new Date().getTime(); - - if (now - authData.getTimestamp().getTime() > authDataTimeOut) - throw new AuthenticationException("1207", new Object[] { samlArtifact }); - + Logger.debug("Assertion delivered for SAML Artifact: " + samlArtifact); return authData; @@ -163,9 +157,8 @@ public class SAML1AuthenticationServer extends AuthenticationServer { return samlArtifact; } - public String BuildSAMLArtifact(AuthenticationSession session, - OAAuthParameter oaParam, - AuthenticationData authData, String sourceID) + public String BuildSAMLArtifact(OAAuthParameter oaParam, + SAML1AuthenticationData authData, String sourceID) throws ConfigurationException, BuildException, AuthenticationException { //Load SAML1 Parameter from OA config @@ -179,7 +172,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { //set BASE64 encoded signer certificate String signerCertificateBase64 = ""; if (saml1parameter.isProvideCertificate()) { - byte[] signerCertificate = session.getEncodedSignerCertificate(); + byte[] signerCertificate = authData.getSignerCertificate(); if (signerCertificate != null) { signerCertificateBase64 = Base64Utils @@ -195,41 +188,31 @@ public class SAML1AuthenticationServer extends AuthenticationServer { provideStammzahl); //set Authblock - String authBlock = saml1parameter.isProvideAUTHBlock() ? session + String authBlock = saml1parameter.isProvideAUTHBlock() ? authData .getAuthBlock() : ""; //set IdentityLink for assortion String ilAssertion = ""; if (saml1parameter.isProvideIdentityLink()) { - if (oaParam.getBusinessService()) { - //IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance(); - -// Element resignedilAssertion = identitylinkresigner.resignIdentityLink(authData.getIdentityLink() -// .getSamlAssertion()); -// -// ilAssertion = DOMUtils.serializeNode(resignedilAssertion); + ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); - } else { - ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); - - if (!saml1parameter.isProvideStammzahl()) - ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink() - .getIdentificationValue(), ""); - - } + if (!saml1parameter.isProvideStammzahl()) + ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink() + .getIdentificationValue(), ""); } + String samlAssertion; - if (session.getUseMandate()) { - List<ExtendedSAMLAttribute> oaAttributes = session.getExtendedSAMLAttributesOA(); + if (authData.isUseMandate()) { + List<ExtendedSAMLAttribute> oaAttributes = authData.getExtendedSAMLAttributesOA(); if (saml1parameter.isProvideFullMandatorData()) { try { ExtendedSAMLAttribute[] extendedSAMLAttributes = addExtendedSamlAttributes( - session.getMISMandate(), oaParam.getBusinessService(), + authData.getMISMandate(), oaParam.getBusinessService(), saml1parameter.isProvideStammzahl()); if (extendedSAMLAttributes != null) { @@ -293,7 +276,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { } } - String mandateDate = generateMandateDate(session, oaParam, authData); + String mandateDate = generateMandateDate(oaParam, authData); samlAssertion = new AuthenticationDataAssertionBuilder().buildMandate( authData, @@ -301,7 +284,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { mandateDate, authBlock, ilAssertion, - session.getBkuURL(), + authData.getBkuURL(), signerCertificateBase64, oaParam.getBusinessService(), oaAttributes, @@ -314,24 +297,23 @@ public class SAML1AuthenticationServer extends AuthenticationServer { prPerson, authBlock, ilAssertion, - session.getBkuURL(), + authData.getBkuURL(), signerCertificateBase64, oaParam.getBusinessService(), - session.getExtendedSAMLAttributesOA(), + authData.getExtendedSAMLAttributesOA(), useCondition, conditionLength); } - authData.setSamlAssertion(samlAssertion); + //authData.setSamlAssertion(samlAssertion); String samlArtifact = new SAMLArtifactBuilder().build( - session.getAuthURL(), Random.nextRandom(), + authData.getIssuer(), Random.nextRandom(), sourceID); - storeAuthenticationData(samlArtifact, authData); + storeAuthenticationData(samlArtifact, samlAssertion); - Logger.info("Anmeldedaten zu MOASession " + session.getSessionID() - + " angelegt, SAML Artifakt " + samlArtifact); + Logger.info("Anmeldedaten angelegt, SAML Artifakt " + samlArtifact); return samlArtifact; } catch (Throwable ex) { @@ -341,21 +323,20 @@ public class SAML1AuthenticationServer extends AuthenticationServer { } - private String generateMandateDate(AuthenticationSession session, - OAAuthParameter oaParam, AuthenticationData authData + private String generateMandateDate(OAAuthParameter oaParam, AuthenticationData authData ) throws AuthenticationException, BuildException, ParseException, ConfigurationException, ServiceException, ValidateException { - if (session == null) + if (authData == null) throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID }); IdentityLink tempIdentityLink = null; - Element mandate = session.getMandate(); + Element mandate = authData.getMandate(); - if (session.getUseMandate()) { + if (authData.isUseMandate()) { tempIdentityLink = new IdentityLink(); Element mandator = ParepUtils.extractMandator(mandate); String dateOfBirth = ""; @@ -432,7 +413,10 @@ public class SAML1AuthenticationServer extends AuthenticationServer { String oatargetType; if(oaParam.getBusinessService()) { - oatargetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_+session.getDomainIdentifier(); + if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) + oatargetType = oaParam.getIdentityLinkDomainIdentifier(); + else + oatargetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_+oaParam.getIdentityLinkDomainIdentifier(); } else { oatargetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget(); @@ -509,7 +493,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { * when SAML artifact is invalid */ private void storeAuthenticationData(String samlArtifact, - AuthenticationData authData) throws AuthenticationException { + String samlAssertion) throws AuthenticationException { try { SAMLArtifactParser parser = new SAMLArtifactParser(samlArtifact); @@ -523,7 +507,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { synchronized (authenticationDataStore) { Logger.debug("Assertion stored for SAML Artifact: " + samlArtifact); - authenticationDataStore.put(samlArtifact, authData); + authenticationDataStore.put(samlArtifact, samlAssertion); } } catch (AuthenticationException ex) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index b6a2ac0b6..dafcb9987 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java @@ -23,12 +23,15 @@ package at.gv.egovernment.moa.id.protocols.saml1; import java.util.HashMap; +import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang.StringEscapeUtils; +import edu.emory.mathcs.backport.java.util.Arrays; + import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; @@ -41,7 +44,7 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IModulInfo; import at.gv.egovernment.moa.id.moduls.IRequest; -import at.gv.egovernment.moa.id.moduls.RequestImpl; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -54,8 +57,23 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { public static final String GETARTIFACT = "GetArtifact"; - private static HashMap<String, IAction> actions = new HashMap<String, IAction>(); + @SuppressWarnings("unchecked") + public static final List<String> DEFAULTREQUESTEDATTRFORINTERFEDERATION = Arrays.asList( + new String[] { + PVPConstants.BPK_NAME, + PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME, + PVPConstants.GIVEN_NAME_NAME, + PVPConstants.PRINCIPAL_NAME_NAME, + PVPConstants.BIRTHDATE_NAME, + PVPConstants.EID_CCS_URL_NAME, + PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME, + PVPConstants.EID_IDENTITY_LINK_NAME, + PVPConstants.EID_SOURCE_PIN_NAME, + PVPConstants.EID_SOURCE_PIN_TYPE_NAME + }); + private static HashMap<String, IAction> actions = new HashMap<String, IAction>(); + static { actions.put(GETARTIFACT, new GetArtifactAction()); @@ -139,12 +157,9 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { new Object[] { oaURL }); } - config.setSourceID(sourceID); - + config.setSourceID(sourceID); config.setTarget(oaParam.getTarget()); - -// request.getSession().setAttribute(PARAM_OA, oaURL); -// request.getSession().setAttribute(PARAM_TARGET, oaParam.getTarget()); + return config; } @@ -157,7 +172,7 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { String samlArtifactBase64 = saml1authentication.BuildErrorAssertion(e, protocolRequest); - String url = "RedirectServlet"; + String url = AuthConfigurationProvider.getInstance().getPublicURLPrefix() + "/RedirectServlet"; url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(protocolRequest.getOAURL(), "UTF-8")); url = addURLParameter(url, PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8")); url = response.encodeRedirectURL(url); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java index 72adfe0e7..9bf88534f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java @@ -22,7 +22,19 @@ */ package at.gv.egovernment.moa.id.protocols.saml1; +import java.util.ArrayList; +import java.util.List; + +import org.opensaml.saml2.core.Attribute; + +import at.gv.egovernment.moa.id.commons.db.dao.config.OASAML1; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.RequestImpl; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; +import at.gv.egovernment.moa.logging.Logger; /** * @author tlenz @@ -48,4 +60,37 @@ public class SAML1RequestImpl extends RequestImpl { this.sourceID = sourceID; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes() + */ + @Override + public List<Attribute> getRequestedAttributes() { + + List<String> reqAttr = new ArrayList<String>(); + reqAttr.addAll(SAML1Protocol.DEFAULTREQUESTEDATTRFORINTERFEDERATION); + + try { + OAAuthParameter oa = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(getOAURL()); + OASAML1 saml1 = oa.getSAML1Parameter(); + if (saml1 != null) { + if (saml1.isProvideAUTHBlock()) + reqAttr.add(PVPConstants.EID_AUTH_BLOCK_NAME); + + if (saml1.isProvideCertificate()) + reqAttr.add(PVPConstants.EID_SIGNER_CERTIFICATE_NAME); + + if (saml1.isProvideFullMandatorData()) + reqAttr.add(PVPConstants.MANDATE_FULL_MANDATE_NAME); + } + + return AttributQueryBuilder.buildSAML2AttributeList(oa, reqAttr.iterator()); + + } catch (ConfigurationException e) { + Logger.error("Load configuration for OA " + getOAURL() + " FAILED", e); + return null; + } + + + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java index 2f6dfe555..307715324 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java @@ -1,6 +1,5 @@ package at.gv.egovernment.moa.id.protocols.stork2; -import java.io.StringWriter; import java.util.ArrayList; import java.util.List; @@ -13,17 +12,17 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.StorkAttribute; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.SLOInformationImpl; +import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.storage.AssertionStorage; -import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.logging.Logger; import eu.stork.peps.auth.commons.*; import eu.stork.peps.auth.engine.STORKSAMLEngine; import eu.stork.peps.exceptions.STORKSAMLEngineException; -import org.apache.velocity.Template; -import org.apache.velocity.VelocityContext; -import org.apache.velocity.app.VelocityEngine; + import org.opensaml.common.impl.SecureRandomIdentifierGenerator; import javax.servlet.http.HttpServletRequest; @@ -47,7 +46,7 @@ public class AttributeCollector implements IAction { /* (non-Javadoc) * @see at.gv.egovernment.moa.id.moduls.IAction#processRequest(at.gv.egovernment.moa.id.moduls.IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, at.gv.egovernment.moa.id.auth.data.AuthenticationSession) */ - public String processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, AuthenticationSession moasession) throws MOAIDException { + public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { // - fetch the container String artifactId = (String) httpReq.getParameter(ARTIFACT_ID); @@ -108,7 +107,7 @@ public class AttributeCollector implements IAction { // read configuration parameters of OA OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(container.getRequest().getAssertionConsumerServiceURL()); if (oaParam == null) - throw new AuthenticationException("stork.12", new Object[]{moasession.getPublicOAURLPrefix()}); + throw new AuthenticationException("stork.12", new Object[]{container.getRequest().getAssertionConsumerServiceURL()}); // find the attribute provider plugin that can handle the response IPersonalAttributeList newAttributes = null; @@ -134,7 +133,14 @@ public class AttributeCollector implements IAction { addOrUpdateAll(container.getResponse().getPersonalAttributeList(), newAttributes); // see if we need some more attributes - return processRequest(container, httpReq, httpResp, moasession, oaParam); + SLOInformationImpl sloInfo = (SLOInformationImpl) processRequest(container, httpReq, httpResp, authData, oaParam); + + if (sloInfo == null) { + sloInfo = new SLOInformationImpl(null, null, null, req.requestedModule()); + } + + return sloInfo; + } /** @@ -145,7 +151,7 @@ public class AttributeCollector implements IAction { * @return the string * @throws MOAIDException */ - public String processRequest(DataContainer container, HttpServletRequest request, HttpServletResponse response, AuthenticationSession moasession, OAAuthParameter oaParam) throws MOAIDException { + public SLOInformationInterface processRequest(DataContainer container, HttpServletRequest request, HttpServletResponse response, IAuthData authData, OAAuthParameter oaParam) throws MOAIDException { // check if there are attributes we need to fetch IPersonalAttributeList requestAttributeList = container.getRequest().getPersonalAttributeList(); @@ -193,7 +199,7 @@ public class AttributeCollector implements IAction { //aquiredAttributes = currentProvider.acquire(currentAttribute, container.getRequest().getSpCountry(), moasession); //aquiredAttributes = currentProvider.acquire(missingAttributes, container.getRequest().getSpCountry(), moasession); - aquiredAttributes = currentProvider.acquire(currentProviderConfiguredAttributes, container.getRequest().getSpCountry(), moasession); + aquiredAttributes = currentProvider.acquire(currentProviderConfiguredAttributes, container.getRequest().getSpCountry(), authData); Logger.info(currentProvider.getClass().getSimpleName() + " can handle attribute '" + currentAttribute.getName() + "'"); break; @@ -222,7 +228,7 @@ public class AttributeCollector implements IAction { else new ConsentEvaluator().generateSTORKResponse(response, container); - return "12345"; // AssertionId + return null; // AssertionId // TODO } catch (ExternalAttributeRequestRequiredException e) { @@ -250,7 +256,8 @@ public class AttributeCollector implements IAction { throw new MOAIDException("stork.11", null); } - return "12345"; // TODO what to do here? + //TODO: in case of Single LogOut -> SLO information has to be stored + return null; // TODO what to do here? } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeProvider.java index d7a4bfcc2..7647c8e89 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeProvider.java @@ -6,6 +6,7 @@ import javax.servlet.http.HttpServletResponse; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; import eu.stork.peps.auth.commons.IPersonalAttributeList; import eu.stork.peps.auth.commons.PersonalAttribute; @@ -25,15 +26,15 @@ public interface AttributeProvider { * * @param attributes the list of attributes to be acquired * @param spCountyCode the sp county code - * @param moasession the moasession + * @param authData the moasession * @return the personal attribute * @throws UnsupportedAttributeException the unsupported attribute exception * @throws ExternalAttributeRequestRequiredException an attribute request to an external service has to be done * @throws MOAIDException the mOAID exception */ - public IPersonalAttributeList acquire(PersonalAttribute attributes, String spCountyCode, AuthenticationSession moasession) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException; + public IPersonalAttributeList acquire(PersonalAttribute attributes, String spCountyCode, IAuthData authData) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException; - public IPersonalAttributeList acquire(List<PersonalAttribute> attributes, String spCountyCode, AuthenticationSession moasession) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException; + public IPersonalAttributeList acquire(List<PersonalAttribute> attributes, String spCountyCode, IAuthData authData) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException; /** * Perform redirect. diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java index 51ec1fff3..0312f776b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java @@ -5,7 +5,11 @@ import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.SLOInformationImpl; +import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.storage.AssertionStorage; @@ -41,13 +45,13 @@ public class AuthenticationRequest implements IAction { private VelocityEngine velocityEngine; - private AuthenticationSession moaSession = null; + private IAuthData authData = null; private MOASTORKRequest moaStorkRequest = null; - public String processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, AuthenticationSession moasession) throws MOAIDException { + public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { - this.moaSession = moasession; + this.authData = authData; if ((req instanceof MOASTORKRequest) && ((MOASTORKRequest) req).getStorkAuthnRequest().getCitizenCountryCode().equals("AT")) { @@ -56,9 +60,10 @@ public class AuthenticationRequest implements IAction { Logger.debug("Entering MOASTORKRequest"); httpResp.reset(); - OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moasession.getPublicOAURLPrefix()); + //TODO: CHECK: req.getOAURL() should return the unique OA identifier + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(req.getOAURL()); if (oaParam == null) - throw new AuthenticationException("stork.12", new Object[]{moasession.getPublicOAURLPrefix()}); + throw new AuthenticationException("stork.12", new Object[]{req.getOAURL()}); MOASTORKResponse moaStorkResponse = new MOASTORKResponse(); @@ -84,7 +89,7 @@ public class AuthenticationRequest implements IAction { // } // Get personal attributtes from MOA/IdentityLink - moaStorkResponse.setPersonalAttributeList(populateAttributes()); + moaStorkResponse.setPersonalAttributeList(populateAttributes(oaParam)); } //moaStorkResponse.setCountry(moaStorkRequest.getSpCountry()); @@ -105,7 +110,7 @@ public class AuthenticationRequest implements IAction { Logger.debug("Data container prepared"); - return (new AttributeCollector()).processRequest(container, httpReq, httpResp, moasession, oaParam); + return (new AttributeCollector()).processRequest(container, httpReq, httpResp, authData, oaParam); } // check if we are getting request for citizen of some other country else if (req instanceof MOASTORKRequest) { @@ -125,7 +130,7 @@ public class AuthenticationRequest implements IAction { /* Handles STORKAuthnRequeste received for citizens of other countries */ - private String handleMOAStorkRequest(String instanceName, MOASTORKRequest moastorkRequest, String remoteAddr, HttpServletResponse httpResp) throws MOAIDException { + private SLOInformationInterface handleMOAStorkRequest(String instanceName, MOASTORKRequest moastorkRequest, String remoteAddr, HttpServletResponse httpResp) throws MOAIDException { STORKAuthnRequest spAuthnRequest = moastorkRequest.getStorkAuthnRequest(); STORKAuthnRequest storkAuthnRequest = null; @@ -140,7 +145,7 @@ public class AuthenticationRequest implements IAction { throw new MOAIDException("stork.05", null); // TODO } - + //TODO: in case of Single LogOut -> SLO information has to be stored // check if citizen country is configured in the system if (!(AuthConfigurationProvider.getInstance().getStorkConfig().getCpepsMap().containsKey(citizenCountryCode))) { Logger.error("Citizen country PEPS not configured in MOA instance: " + citizenCountryCode); @@ -205,15 +210,18 @@ public class AuthenticationRequest implements IAction { e.printStackTrace(); } - // preparing redirection for the client + // preparing redirection for the client performRedirection("SAMLRequest", destinationURL, storkAuthnRequest.getTokenSaml(), httpResp); - return "xxxx";// TODO + + SLOInformationImpl sloInfo = new SLOInformationImpl(); + sloInfo.setProtocolType(moastorkRequest.requestedModule()); + return sloInfo; } /* Handles STORKAuthnResponse received from PEPS (return to SP) */ - private String handleMOAStorkResponse(String instanceName, MOASTORKResponse moastorkResponse, String remoteAddr, HttpServletResponse httpResp) throws MOAIDException { + private SLOInformationInterface handleMOAStorkResponse(String instanceName, MOASTORKResponse moastorkResponse, String remoteAddr, HttpServletResponse httpResp) throws MOAIDException { STORKAuthnResponse authnResponse = null; @@ -257,7 +265,8 @@ public class AuthenticationRequest implements IAction { // preparing redirection for the client performRedirection("SAMLResponse", dataContainer.getRequest().getAssertionConsumerServiceURL(), authnResponse.getTokenSaml(), httpResp); - return "yyyyy"; // TODO + + return null; } /* @@ -392,16 +401,16 @@ public class AuthenticationRequest implements IAction { // does nothing - public void mandate(AuthenticationSession moasession) { + public void mandate(IAuthData authData) { - if (moasession.getUseMandate()) { + if (authData.isUseMandate()) { try { - MISMandate mandate = moasession.getMISMandate(); + MISMandate mandate = authData.getMISMandate(); String owbpk = mandate.getOWbPK(); byte[] mand = mandate.getMandate(); String profprep = mandate.getProfRep(); //String textdesc = mandate.getTextualDescriptionOfOID(); - Element mndt = moasession.getMandate(); + Element mndt = authData.getMandate(); iterate(mndt.getAttributes()); Logger.debug("mandate encoded: " + new String(org.bouncycastle.util.encoders.Base64.encode(mand))); @@ -413,14 +422,14 @@ public class AuthenticationRequest implements IAction { } - public PersonalAttributeList populateAttributes() { + public PersonalAttributeList populateAttributes(IOAAuthParameters oaParam) { IPersonalAttributeList attrLst = moaStorkRequest.getStorkAuthnRequest().getPersonalAttributeList(); Logger.info("Found " + attrLst.size() + " personal attributes in the request."); // Define attribute list to be populated PersonalAttributeList attributeList = new PersonalAttributeList(); - MOAAttributeProvider moaAttributeProvider = new MOAAttributeProvider(moaSession.getIdentityLink(), moaStorkRequest); + MOAAttributeProvider moaAttributeProvider = new MOAAttributeProvider(authData.getIdentityLink(), moaStorkRequest); try { for (PersonalAttribute personalAttribute : attrLst) { @@ -431,10 +440,8 @@ public class AuthenticationRequest implements IAction { Logger.error("Exception, attributes: " + e.getMessage()); } - Logger.debug("AUTHBLOCK " + moaSession.getAuthBlock()); - Logger.debug("TARGET " + moaSession.getTarget() + " " + moaSession.getTargetFriendlyName()); - Logger.debug("SESSION IDENTIFIER " + moaSession.getCcc() + " " + moaSession.getDomainIdentifier()); - Logger.debug("AUTHBLOCKTOKKEN" + moaSession.getAuthBlockTokken()); + Logger.debug("AUTHBLOCK " + authData.getAuthBlock()); + Logger.debug("SESSION IDENTIFIER " + authData.getCcc() + " " + oaParam.getIdentityLinkDomainIdentifier()); return attributeList; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java index 9a3376e4c..d827e73cf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java @@ -7,7 +7,9 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.storage.AssertionStorage; @@ -40,7 +42,7 @@ public class ConsentEvaluator implements IAction { /* (non-Javadoc) * @see at.gv.egovernment.moa.id.moduls.IAction#processRequest(at.gv.egovernment.moa.id.moduls.IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, at.gv.egovernment.moa.id.auth.data.AuthenticationSession) */ - public String processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, AuthenticationSession moasession) throws MOAIDException { + public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { // - fetch the container String artifactId = (String) httpReq.getParameter(ARTIFACT_ID); @@ -64,7 +66,7 @@ public class ConsentEvaluator implements IAction { // build and send response generateSTORKResponse(httpResp, container); - return "12345"; // AssertionId + return null; // AssertionId } /** @@ -76,7 +78,7 @@ public class ConsentEvaluator implements IAction { * @return the string * @throws MOAIDException the mOAID exception */ - public String requestConsent(DataContainer container, HttpServletResponse response, OAAuthParameter oaParam) throws MOAIDException { + public String requestConsent(DataContainer container, HttpServletResponse response, IOAAuthParameters oaParam) throws MOAIDException { // prepare redirect String newArtifactId; try { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/EHvdAttributeProviderPlugin.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/EHvdAttributeProviderPlugin.java index c132d5640..2c4793f8f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/EHvdAttributeProviderPlugin.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/EHvdAttributeProviderPlugin.java @@ -19,6 +19,7 @@ import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.logging.Logger; import eu.stork.peps.auth.commons.IPersonalAttributeList; import eu.stork.peps.auth.commons.PersonalAttribute; @@ -51,7 +52,7 @@ public class EHvdAttributeProviderPlugin implements AttributeProvider { /* (non-Javadoc) * @see at.gv.egovernment.moa.id.protocols.stork2.AttributeProvider#acquire(eu.stork.peps.auth.commons.PersonalAttribute) */ - public IPersonalAttributeList acquire(PersonalAttribute attribute, String spCountryCode, AuthenticationSession moasession) + public IPersonalAttributeList acquire(PersonalAttribute attribute, String spCountryCode, IAuthData authData) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException { @@ -94,7 +95,9 @@ public class EHvdAttributeProviderPlugin implements AttributeProvider { requestBodyElem.addAttribute(envelope.createName("xmlns"), "http://gesundheit.gv.at/BAGDAD/DataAccessService"); SOAPElement requestBodyElem1 = requestBodyElem.addChildElement("bPK"); - requestBodyElem1.addTextNode(new BPKBuilder().buildBPK(moasession.getIdentityLink().getIdentificationValue(), "GH")); + + //TODO: CHECK: IdentificationValue containts wbPK if MOA-ID is used as VIDP + requestBodyElem1.addTextNode(new BPKBuilder().buildBPK(authData.getIdentificationValue(), "GH")); requestMessage.saveChanges(); @@ -190,7 +193,7 @@ public class EHvdAttributeProviderPlugin implements AttributeProvider { // add stork id for verification ArrayList<String> value = new ArrayList<String>(); - value.add(new BPKBuilder().buildStorkeIdentifier(moasession.getIdentityLink(), spCountryCode)); + value.add(new BPKBuilder().buildStorkeIdentifier(authData.getIdentityLink(), spCountryCode)); result.add(new PersonalAttribute("eIdentifier", false, value, "Available")); return result; @@ -200,9 +203,9 @@ public class EHvdAttributeProviderPlugin implements AttributeProvider { } @Override - public IPersonalAttributeList acquire(List<PersonalAttribute> attributes, String spCountyCode, AuthenticationSession moasession) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException { + public IPersonalAttributeList acquire(List<PersonalAttribute> attributes, String spCountyCode, IAuthData authData) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException { if (attributes.size() == 1) { - return acquire(attributes.get(0), spCountyCode, moasession); + return acquire(attributes.get(0), spCountyCode, authData); } else { throw new MOAIDException("stork.13", new Object[] { }); // TODO message only one attribute supported by this provider diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java index a5a91fa55..d7927a917 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java @@ -1,8 +1,11 @@ package at.gv.egovernment.moa.id.protocols.stork2; -import java.io.Serializable; +import java.util.List; -import at.gv.egovernment.moa.id.moduls.IRequest; +import org.opensaml.saml2.core.Attribute; + +import at.gv.egovernment.moa.id.moduls.RequestImpl; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.logging.Logger; import eu.stork.peps.auth.commons.IPersonalAttributeList; import eu.stork.peps.auth.commons.STORKAttrQueryRequest; @@ -14,7 +17,7 @@ import eu.stork.peps.auth.commons.STORKAuthnResponse; * * @author bsuzic */ -public class MOASTORKRequest implements IRequest, Serializable { +public class MOASTORKRequest extends RequestImpl { /** The Constant serialVersionUID. */ private static final long serialVersionUID = 4581953368724501376L; @@ -22,15 +25,6 @@ public class MOASTORKRequest implements IRequest, Serializable { /** The request id. */ private String requestID; - /** The target. */ - private String target = null; - - /** The module. */ - String module = null; - - /** The action. */ - String action = null; - /** The stork authn request. */ private STORKAuthnRequest storkAuthnRequest; @@ -128,41 +122,6 @@ public class MOASTORKRequest implements IRequest, Serializable { } /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.moduls.IRequest#requestedModule() - */ - public String requestedModule() { - return this.module; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.moduls.IRequest#requestedAction() - */ - public String requestedAction() { - return action; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.moduls.IRequest#setModule(java.lang.String) - */ - public void setModule(String module) { - this.module = module; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.moduls.IRequest#setAction(java.lang.String) - */ - public void setAction(String action) { - this.action = action; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.moduls.IRequest#getTarget() - */ - public String getTarget() { - return this.target; - } - - /* (non-Javadoc) * @see at.gv.egovernment.moa.id.moduls.IRequest#setRequestID(java.lang.String) */ public void setRequestID(String id) { @@ -211,4 +170,31 @@ public class MOASTORKRequest implements IRequest, Serializable { else return this.storkAuthnRequest.getAssertionConsumerServiceURL(); } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IRequest#getRequestedIDP() + */ + @Override + public String getRequestedIDP() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IRequest#getInterfederationResponse() + */ + @Override + public MOAResponse getInterfederationResponse() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes() + */ + @Override + public List<Attribute> getRequestedAttributes() { + // TODO Auto-generated method stub + return null; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKResponse.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKResponse.java index 7d9e20cd0..2cd0e1d57 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKResponse.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKResponse.java @@ -1,6 +1,7 @@ package at.gv.egovernment.moa.id.protocols.stork2; import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.logging.Logger; import eu.stork.peps.auth.commons.IPersonalAttributeList; import eu.stork.peps.auth.commons.PersonalAttributeList; @@ -8,13 +9,16 @@ import eu.stork.peps.auth.commons.STORKAttrQueryResponse; import eu.stork.peps.auth.commons.STORKAuthnResponse; import java.io.Serializable; +import java.util.List; + +import org.opensaml.saml2.core.Attribute; /** * Implements MOA request and stores StorkAuthn/Attr-Request related data. * * @author bsuzic */ -public class MOASTORKResponse implements IRequest, Serializable { +public class MOASTORKResponse extends RequestImpl { /** * The Constant serialVersionUID. @@ -257,5 +261,14 @@ public class MOASTORKResponse implements IRequest, Serializable { this.action = action; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes() + */ + @Override + public List<Attribute> getRequestedAttributes() { + // TODO Auto-generated method stub + return null; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateAttributeRequestProvider.java index d4f7066d0..edba7b754 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateAttributeRequestProvider.java @@ -4,6 +4,7 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.commons.db.dao.config.AttributeProviderPlugin; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.logging.Logger; @@ -48,7 +49,7 @@ public class MandateAttributeRequestProvider implements AttributeProvider { return "MandateAttributeRequestProvider"; } - public IPersonalAttributeList acquire(PersonalAttribute attribute, String spCountryCode, AuthenticationSession moasession) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException { + public IPersonalAttributeList acquire(PersonalAttribute attribute, String spCountryCode, IAuthData authData) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException { Logger.info("Acquiring attribute: " + attribute.getName() + ", by: " + getAttrProviderName()); this.spCountryCode = spCountryCode; requestedAttributes = new PersonalAttributeList(1); @@ -69,7 +70,7 @@ public class MandateAttributeRequestProvider implements AttributeProvider { } @Override - public IPersonalAttributeList acquire(List<PersonalAttribute> attributes, String spCountryCode, AuthenticationSession moasession) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException { + public IPersonalAttributeList acquire(List<PersonalAttribute> attributes, String spCountryCode, IAuthData moasession) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException { Logger.info("Acquiring " + attributes.size() + " attributes, by: " + getAttrProviderName()); this.spCountryCode = spCountryCode; requestedAttributes = new PersonalAttributeList(attributes.size()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java index 9c7f45146..811d828e1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java @@ -3,6 +3,8 @@ package at.gv.egovernment.moa.id.protocols.stork2; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.IAction; @@ -28,28 +30,26 @@ import javax.xml.namespace.QName; import java.io.StringWriter; import java.math.BigInteger; import java.util.ArrayList; -import java.util.HashMap; -import java.util.List; /** * */ public class MandateRetrievalRequest implements IAction { - private AuthenticationSession moaSession; + private IAuthData authData; private MOASTORKRequest moaStorkRequest; - public String processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, AuthenticationSession moasession) throws MOAIDException { + public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { Logger.debug("Entering AttributeRequest for MandateProvider"); httpResp.reset(); - OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moasession.getPublicOAURLPrefix()); + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(req.getOAURL()); if (oaParam == null) - throw new AuthenticationException("stork.12", new Object[]{moasession.getPublicOAURLPrefix()}); + throw new AuthenticationException("stork.12", new Object[]{req.getOAURL()}); MOASTORKResponse moaStorkResponse = new MOASTORKResponse(); STORKAttrQueryResponse attrResponse = new STORKAttrQueryResponse(); - this.moaSession = moasession; + this.authData = authData; if ((req instanceof MOASTORKRequest)) { this.moaStorkRequest = (MOASTORKRequest) req; @@ -63,10 +63,10 @@ public class MandateRetrievalRequest implements IAction { MandateContainer mandateContainer = null; try { - mandateContainer = new CorporateBodyMandateContainer(new String(moaSession.getMISMandate().getMandate(), "UTF-8")); + mandateContainer = new CorporateBodyMandateContainer(new String(authData.getMISMandate().getMandate(), "UTF-8")); } catch (Exception ex) { try { - mandateContainer = new PhyPersonMandateContainer(new String(moaSession.getMISMandate().getMandate(), "UTF-8")); + mandateContainer = new PhyPersonMandateContainer(new String(authData.getMISMandate().getMandate(), "UTF-8")); } catch (Exception ex2) { Logger.error("Could not extract data and create mandate container."); throw new MOAIDException("stork.16", new Object[] {}); // TODO @@ -285,6 +285,4 @@ public class MandateRetrievalRequest implements IAction { public String getDefaultActionName() { return STORKProtocol.MANDATERETRIEVALREQUEST; } - - } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKProtocol.java index e93a7ec87..ed9c45126 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKProtocol.java @@ -147,6 +147,7 @@ public class STORKProtocol implements IModulInfo, MOAIDAuthConstants { STORK2Request.setSTORKAuthnRequest(authnRequest); STORK2Request.setSTORKAttrRequest(attrRequest); + return STORK2Request; } else { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/SignedDocAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/SignedDocAttributeRequestProvider.java index 89eb07815..553063ae8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/SignedDocAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/SignedDocAttributeRequestProvider.java @@ -16,6 +16,7 @@ import org.apache.velocity.app.VelocityEngine; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.logging.Logger; import eu.stork.peps.auth.commons.IPersonalAttributeList; @@ -56,7 +57,7 @@ public class SignedDocAttributeRequestProvider implements AttributeProvider { * at.gv.egovernment.moa.id.protocols.stork2.AttributeProvider#acquire(java * .lang.String) */ - public IPersonalAttributeList acquire(PersonalAttribute attribute, String spCountyCode, AuthenticationSession moasession) throws UnsupportedAttributeException, + public IPersonalAttributeList acquire(PersonalAttribute attribute, String spCountyCode, IAuthData authData) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException { if(!attributes.contains(attribute.getName())) { throw new UnsupportedAttributeException(); @@ -126,4 +127,24 @@ public class SignedDocAttributeRequestProvider implements AttributeProvider { } } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.stork2.AttributeProvider#acquire(java.util.List, java.lang.String, at.gv.egovernment.moa.id.data.IAuthData) + */ + @Override + public IPersonalAttributeList acquire(List<PersonalAttribute> attributes, + String spCountyCode, IAuthData authData) + throws UnsupportedAttributeException, + ExternalAttributeRequestRequiredException, MOAIDException { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.stork2.AttributeProvider#getSupportedAttributeNames() + */ + @Override + public List<String> getSupportedAttributeNames() throws MOAIDException { + // TODO Auto-generated method stub + return null; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/StorkAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/StorkAttributeRequestProvider.java index c0e613b82..3a73dafae 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/StorkAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/StorkAttributeRequestProvider.java @@ -1,6 +1,8 @@ package at.gv.egovernment.moa.id.protocols.stork2; import java.io.StringWriter; +import java.util.List; + import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -11,6 +13,7 @@ import org.apache.velocity.app.VelocityEngine; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.logging.Logger; @@ -55,7 +58,7 @@ public class StorkAttributeRequestProvider implements AttributeProvider { /* (non-Javadoc) * @see at.gv.egovernment.moa.id.protocols.stork2.AttributeProvider#acquire(java.lang.String) */ - public IPersonalAttributeList acquire(PersonalAttribute attribute, String spCountyCode, AuthenticationSession moasession) + public IPersonalAttributeList acquire(PersonalAttribute attribute, String spCountyCode, IAuthData authData) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException { if (!attributes.contains(attribute.getName())) @@ -158,5 +161,26 @@ public class StorkAttributeRequestProvider implements AttributeProvider { Logger.info("STORK AttrRequest successfully rendered!"); } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.stork2.AttributeProvider#acquire(java.util.List, java.lang.String, at.gv.egovernment.moa.id.data.IAuthData) + */ + @Override + public IPersonalAttributeList acquire(List<PersonalAttribute> attributes, + String spCountyCode, IAuthData authData) + throws UnsupportedAttributeException, + ExternalAttributeRequestRequiredException, MOAIDException { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.stork2.AttributeProvider#getSupportedAttributeNames() + */ + @Override + public List<String> getSupportedAttributeNames() throws MOAIDException { + // TODO Auto-generated method stub + return null; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/DefaultLoginParameterResolver.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/DefaultLoginParameterResolver.java index 34add9895..f094dfabf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/DefaultLoginParameterResolver.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/DefaultLoginParameterResolver.java @@ -54,6 +54,7 @@ import java.util.Map; import at.gv.egovernment.moa.id.config.proxy.OAConfiguration; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.URLEncoder; @@ -78,7 +79,7 @@ public class DefaultLoginParameterResolver implements LoginParameterResolver { */ public Map getAuthenticationHeaders( OAConfiguration oaConf, - AuthenticationData authData, + SAML1AuthenticationData authData, String clientIPAddress, boolean businessService, String publicURLPrefix) { @@ -116,7 +117,7 @@ public class DefaultLoginParameterResolver implements LoginParameterResolver { */ public Map getAuthenticationParameters( OAConfiguration oaConf, - AuthenticationData authData, + SAML1AuthenticationData authData, String clientIPAddress, boolean businessService, String publicURLPrefix) { @@ -149,13 +150,13 @@ public class DefaultLoginParameterResolver implements LoginParameterResolver { * @param clientIPAddress client IP address * @return header or parameter value resolved; <code>null</code> if unknown name is given */ - private static String resolveValue(String predicate, AuthenticationData authData, String clientIPAddress) { + private static String resolveValue(String predicate, SAML1AuthenticationData authData, String clientIPAddress) { if (predicate.equals(MOAGivenName)) return authData.getGivenName(); if (predicate.equals(MOAFamilyName)) return authData.getFamilyName(); if (predicate.equals(MOADateOfBirth)) - return authData.getDateOfBirth(); + return authData.getFormatedDateOfBirth(); if (predicate.equals(MOABPK)) return authData.getBPK(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/LoginParameterResolver.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/LoginParameterResolver.java index cd751b7ee..d432f8c41 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/LoginParameterResolver.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/LoginParameterResolver.java @@ -50,6 +50,7 @@ import java.util.Map; import at.gv.egovernment.moa.id.config.proxy.OAConfiguration; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; /** * Determines authentication parameters and headers to be added to a {@link java.net.URLConnection} @@ -102,7 +103,7 @@ public interface LoginParameterResolver { */ public Map getAuthenticationHeaders( OAConfiguration oaConf, - AuthenticationData authData, + SAML1AuthenticationData authData, String clientIPAddress, boolean businessService, String publicURLPrefix) throws LoginParameterResolverException, NotAllowedException; @@ -122,7 +123,7 @@ public interface LoginParameterResolver { */ public Map getAuthenticationParameters( OAConfiguration oaConf, - AuthenticationData authData, + SAML1AuthenticationData authData, String clientIPAddress, boolean businessService, String publicURLPrefix) throws LoginParameterResolverException, NotAllowedException; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/XMLLoginParameterResolverEncryptedData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/XMLLoginParameterResolverEncryptedData.java index 9f3de08aa..a5c632077 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/XMLLoginParameterResolverEncryptedData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/XMLLoginParameterResolverEncryptedData.java @@ -77,6 +77,7 @@ import org.xml.sax.SAXException; import at.gv.egovernment.moa.id.config.ConfigurationProvider; import at.gv.egovernment.moa.id.config.proxy.OAConfiguration; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; @@ -373,7 +374,7 @@ public class XMLLoginParameterResolverEncryptedData implements LoginParameterRes */ public Map getAuthenticationHeaders( OAConfiguration oaConf, - AuthenticationData authData, + SAML1AuthenticationData authData, String clientIPAddress, boolean businessService, String publicURLPrefix) throws LoginParameterResolverException, NotAllowedException { @@ -447,7 +448,7 @@ public class XMLLoginParameterResolverEncryptedData implements LoginParameterRes */ public Map getAuthenticationParameters( OAConfiguration oaConf, - AuthenticationData authData, + SAML1AuthenticationData authData, String clientIPAddress, boolean businessService, String publicURLPrefix) throws LoginParameterResolverException, NotAllowedException { @@ -511,14 +512,14 @@ public class XMLLoginParameterResolverEncryptedData implements LoginParameterRes */ private static String resolveValue( String predicate, - AuthenticationData authData, + SAML1AuthenticationData authData, String clientIPAddress) { if (predicate.equals("MOAGivenName")) return authData.getGivenName(); if (predicate.equals("MOAFamilyName")) return authData.getFamilyName(); if (predicate.equals("MOADateOfBirth")) - return authData.getDateOfBirth(); + return authData.getFormatedDateOfBirth(); if (predicate.equals("MOABPK")) return authData.getBPK(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/XMLLoginParameterResolverPlainData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/XMLLoginParameterResolverPlainData.java index 2760a736b..740421024 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/XMLLoginParameterResolverPlainData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/XMLLoginParameterResolverPlainData.java @@ -48,10 +48,12 @@ package at.gv.egovernment.moa.id.proxy; import at.gv.egovernment.moa.id.config.proxy.OAConfiguration; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import java.io.IOException; import java.util.*; + import org.apache.xerces.parsers.DOMParser; import org.w3c.dom.*; @@ -196,7 +198,7 @@ public class XMLLoginParameterResolverPlainData } //TODO document - public Map getAuthenticationHeaders(OAConfiguration oaConf, AuthenticationData authData, String clientIPAddress, boolean businessService, String publicURLPrefix) throws NotAllowedException + public Map getAuthenticationHeaders(OAConfiguration oaConf, SAML1AuthenticationData authData, String clientIPAddress, boolean businessService, String publicURLPrefix) throws NotAllowedException { Map result = new HashMap(); if(oaConf.getAuthType().equals("basic")) @@ -318,7 +320,7 @@ public class XMLLoginParameterResolverPlainData return result; } - public Map getAuthenticationParameters(OAConfiguration oaConf, AuthenticationData authData, String clientIPAddress, boolean businessService, String publicURLPrefix) + public Map getAuthenticationParameters(OAConfiguration oaConf, SAML1AuthenticationData authData, String clientIPAddress, boolean businessService, String publicURLPrefix) { Map result = new HashMap(); if(oaConf.getAuthType().equals("param")) @@ -336,14 +338,14 @@ public class XMLLoginParameterResolverPlainData return result; } - private static String resolveValue(String predicate, AuthenticationData authData, String clientIPAddress) + private static String resolveValue(String predicate, SAML1AuthenticationData authData, String clientIPAddress) { if(predicate.equals(MOAGivenName)) return authData.getGivenName(); if(predicate.equals(MOAFamilyName)) return authData.getFamilyName(); if(predicate.equals(MOADateOfBirth)) - return authData.getDateOfBirth(); + return authData.getFormatedDateOfBirth(); if(predicate.equals(MOABPK)) return authData.getBPK(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/invoke/GetAuthenticationDataInvoker.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/invoke/GetAuthenticationDataInvoker.java index 0ef2077a3..26da33e34 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/invoke/GetAuthenticationDataInvoker.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/invoke/GetAuthenticationDataInvoker.java @@ -68,6 +68,7 @@ import at.gv.egovernment.moa.id.config.legacy.ConnectionParameter; import at.gv.egovernment.moa.id.config.proxy.ProxyConfigurationProvider; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.SAMLStatus; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; import at.gv.egovernment.moa.id.proxy.builder.SAMLRequestBuilder; import at.gv.egovernment.moa.id.proxy.parser.SAMLResponseParser; import at.gv.egovernment.moa.id.proxy.servlet.ProxyException; @@ -107,7 +108,7 @@ public class GetAuthenticationDataInvoker { * @return AuthenticationData * @throws MOAIDException */ - public AuthenticationData getAuthenticationData(String samlArtifact) + public SAML1AuthenticationData getAuthenticationData(String samlArtifact) throws MOAIDException { ConnectionParameter authConnParam = diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/parser/AuthenticationDataAssertionParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/parser/AuthenticationDataAssertionParser.java index 35f72d36d..ebda8dae0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/parser/AuthenticationDataAssertionParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/parser/AuthenticationDataAssertionParser.java @@ -50,6 +50,7 @@ import org.w3c.dom.Element; import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; import at.gv.egovernment.moa.util.BoolUtils; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; @@ -147,11 +148,11 @@ public class AuthenticationDataAssertionParser implements Constants { * @return <code>AuthenticationData</code> object * @throws ParseException on any error */ - public AuthenticationData parseAuthenticationData() + public SAML1AuthenticationData parseAuthenticationData() throws ParseException { try { - AuthenticationData authData = new AuthenticationData(); + SAML1AuthenticationData authData = new SAML1AuthenticationData(); //ÄNDERN: NUR der Identification-Teil authData.setSamlAssertion(DOMUtils.serializeNode(samlAssertion)); authData.setMajorVersion(new Integer( diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/parser/SAMLResponseParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/parser/SAMLResponseParser.java index 9835c554d..cec8dbe6c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/parser/SAMLResponseParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/parser/SAMLResponseParser.java @@ -51,6 +51,7 @@ import org.w3c.dom.Element; import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.SAMLStatus; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.XPathUtils; @@ -130,7 +131,7 @@ public class SAMLResponseParser implements Constants { * @return <code>AuthenticationData</code> object * @throws ParseException on any parsing error */ - public AuthenticationData parseAuthenticationData() + public SAML1AuthenticationData parseAuthenticationData() throws ParseException { Element samlAssertion; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java index 52f72f577..9447f2e35 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java @@ -84,6 +84,7 @@ import at.gv.egovernment.moa.id.config.proxy.OAConfiguration; import at.gv.egovernment.moa.id.config.proxy.OAProxyParameter; import at.gv.egovernment.moa.id.config.proxy.ProxyConfigurationProvider; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; import at.gv.egovernment.moa.id.proxy.ConnectionBuilder; import at.gv.egovernment.moa.id.proxy.ConnectionBuilderFactory; import at.gv.egovernment.moa.id.proxy.LoginParameterResolver; @@ -232,7 +233,7 @@ public class ProxyServlet extends HttpServlet { // boolean targetprovided = req.getParameter(PARAM_TARGET) != null; // get authentication data from the MOA-ID Auth component - AuthenticationData authData; + SAML1AuthenticationData authData; try { authData = new GetAuthenticationDataInvoker().getAuthenticationData(samlArtifact); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java index 6d8979da3..890ec9f0d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java @@ -31,9 +31,11 @@ import org.hibernate.HibernateException; import org.hibernate.Query; import org.hibernate.Session; +import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.session.AssertionStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -82,10 +84,41 @@ public class AssertionStorage { } - public <T> T get(String artifact, final Class<T> clazz) throws MOADatabaseException { + + /** + * @param samlArtifact + * @param class1 + * @param authdatatimeout + * @return + * @throws MOADatabaseException + * @throws AuthenticationException + */ + public <T> T get(String samlArtifact, + final Class<T> clazz) throws MOADatabaseException { + + try { + return get(samlArtifact, clazz, -1); + + } catch (AuthenticationException e) { + //this execption only occurs if an additional timeOut is used + Logger.error("This exeption should not occur!!!!", e); + return null; + } + } + + public <T> T get(String artifact, final Class<T> clazz, long authdatatimeout) throws MOADatabaseException, AuthenticationException { AssertionStore element = searchInDatabase(artifact); + if (authdatatimeout > -1) { + //check timeout + long now = new Date().getTime(); + + if (now - element.getDatatime().getTime() > authdatatimeout) + throw new AuthenticationException("1207", new Object[] { artifact }); + } + + //Deserialize Assertion Object data = SerializationUtils.deserialize(element.getAssertion()); @@ -118,7 +151,7 @@ public class AssertionStorage { if (results.size() != 0) { for(AssertionStore result : results) { try { - MOASessionDBUtils.delete(result); + cleanDelete(result); Logger.info("Remove sessioninformation with ID=" + result.getArtifact() + " after timeout."); @@ -135,7 +168,7 @@ public class AssertionStorage { try { AssertionStore element = searchInDatabase(artifact); - MOASessionDBUtils.delete(element); + cleanDelete(element); Logger.info("Remove sessioninformation with ID" + artifact); @@ -148,6 +181,23 @@ public class AssertionStorage { } } + private void cleanDelete(AssertionStore element) { + try { + element.setAssertion(new byte[]{}); + MOASessionDBUtils.saveOrUpdate(element); + + } catch (MOADatabaseException e) { + Logger.warn("Blank shortTime session with artifact=" + element.getArtifact() + " FAILED.", e); + + } finally { + if (!MOASessionDBUtils.delete(element)) + Logger.error("ShortTime session with artifact=" + element.getArtifact() + + " not removed! (Error during Database communication)"); + + } + + } + @SuppressWarnings("rawtypes") private AssertionStore searchInDatabase(String artifact) throws MOADatabaseException { MiscUtil.assertNotNull(artifact, "artifact"); @@ -158,7 +208,7 @@ public class AssertionStorage { synchronized (session) { session.beginTransaction(); Query query = session.getNamedQuery("getAssertionWithArtifact"); - query.setString("artifact", artifact); + query.setParameter("artifact", artifact); result = query.list(); //send transaction diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index e6efa0256..26922a13b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -22,10 +22,12 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.storage; +import java.util.ArrayList; import java.util.Date; import java.util.List; import org.apache.commons.lang.SerializationUtils; +import org.apache.commons.lang.StringEscapeUtils; import org.hibernate.HibernateException; import org.hibernate.Query; import org.hibernate.Session; @@ -36,10 +38,15 @@ import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.session.AuthenticatedSessionStore; +import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.data.EncryptedData; +import at.gv.egovernment.moa.id.data.SLOInformationInterface; +import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.id.util.SessionEncrytionUtil; import at.gv.egovernment.moa.logging.Logger; @@ -62,21 +69,6 @@ public class AuthenticationSessionStoreage { } } - public static void setAuthenticated(String moaSessionID, boolean value) { - - AuthenticatedSessionStore session; - - try { - session = searchInDatabase(moaSessionID); - session.setAuthenticated(value); - MOASessionDBUtils.saveOrUpdate(session); - - - } catch (MOADatabaseException e) { - Logger.warn("isAuthenticated can not be stored in MOASession " + moaSessionID, e); - } - } - public static AuthenticationSession createSession() throws MOADatabaseException { String id = Random.nextRandom(); AuthenticationSession session = new AuthenticationSession(id); @@ -103,44 +95,39 @@ public class AuthenticationSessionStoreage { return session; } - - public static void storeSession(AuthenticationSession session) throws MOADatabaseException, BuildException { + + public static AuthenticationSession getSession(String sessionID) throws MOADatabaseException { try { - AuthenticatedSessionStore dbsession = searchInDatabase(session.getSessionID()); - dbsession.setAuthenticated(session.isAuthenticated()); - byte[] serialized = SerializationUtils.serialize(session); - - EncryptedData encdata = SessionEncrytionUtil.encrypt(serialized); - dbsession.setSession(encdata.getEncData()); - dbsession.setIv(encdata.getIv()); - - //set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1 - dbsession.setUpdated(new Date()); - - MOASessionDBUtils.saveOrUpdate(dbsession); - Logger.debug("MOASession with sessionID=" + session.getSessionID() + " is stored in Database"); - + AuthenticatedSessionStore dbsession = searchInDatabase(sessionID); + return decryptSession(dbsession); + } catch (MOADatabaseException e) { - Logger.warn("MOASession could not be stored."); - throw new MOADatabaseException(e); - } + Logger.info("No MOA Session with id: " + sessionID); + throw new MOADatabaseException("No MOA Session with id: " + sessionID); + + } catch (Throwable e) { + Logger.warn("MOASession deserialization-exception by using MOASessionID=" + sessionID, e); + throw new MOADatabaseException("MOASession deserialization-exception"); + } + } + + public static void storeSession(AuthenticationSession session) throws MOADatabaseException, BuildException { + storeSession(session, null); } public static void storeSession(AuthenticationSession session, String pendingRequestID) throws MOADatabaseException, BuildException { try { AuthenticatedSessionStore dbsession = searchInDatabase(session.getSessionID()); - dbsession.setPendingRequestID(pendingRequestID); - - dbsession.setAuthenticated(session.isAuthenticated()); - byte[] serialized = SerializationUtils.serialize(session); - EncryptedData encdata = SessionEncrytionUtil.encrypt(serialized); - dbsession.setSession(encdata.getEncData()); - dbsession.setIv(encdata.getIv()); + if (MiscUtil.isNotEmpty(pendingRequestID)) + dbsession.setPendingRequestID(pendingRequestID); + + encryptSession(session, dbsession); //set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1 + dbsession.setAuthenticated(session.isAuthenticated()); dbsession.setUpdated(new Date()); MOASessionDBUtils.saveOrUpdate(dbsession); @@ -152,10 +139,9 @@ public class AuthenticationSessionStoreage { } } - public static void destroySession(String moaSessionID) throws MOADatabaseException { - Session session = MOASessionDBUtils.getCurrentSession(); + Session session = MOASessionDBUtils.getCurrentSession(); List<AuthenticatedSessionStore> result; @@ -163,7 +149,7 @@ public class AuthenticationSessionStoreage { session.beginTransaction(); Query query = session.getNamedQuery("getSessionWithID"); - query.setString("sessionid", moaSessionID); + query.setParameter("sessionid", moaSessionID); result = query.list(); @@ -175,11 +161,9 @@ public class AuthenticationSessionStoreage { throw new MOADatabaseException("No session found with this sessionID"); } - AuthenticatedSessionStore dbsession = (AuthenticatedSessionStore) result.get(0); - - //delete MOA Session - session.delete(dbsession); - session.getTransaction().commit(); + AuthenticatedSessionStore dbsession = (AuthenticatedSessionStore) result.get(0); + session.getTransaction().commit(); + cleanDelete(dbsession); } } @@ -196,16 +180,11 @@ public class AuthenticationSessionStoreage { + "to " + id); session.setSessionID(id); + encryptSession(session, dbsession); dbsession.setSessionid(id); dbsession.setAuthenticated(session.isAuthenticated()); - - byte[] serialized = SerializationUtils.serialize(session); - - EncryptedData encdata = SessionEncrytionUtil.encrypt(serialized); - dbsession.setSession(encdata.getEncData()); - dbsession.setIv(encdata.getIv()); - + //set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1 dbsession.setUpdated(new Date()); @@ -219,9 +198,94 @@ public class AuthenticationSessionStoreage { throw new AuthenticationException("TODO!", null); } } + + public static void setAuthenticated(String moaSessionID, boolean value) { + + AuthenticatedSessionStore session; + + try { + session = searchInDatabase(moaSessionID); + session.setAuthenticated(value); + MOASessionDBUtils.saveOrUpdate(session); + + } catch (MOADatabaseException e) { + Logger.warn("isAuthenticated can not be stored in MOASession " + moaSessionID, e); + } + } + + public static String getMOASessionSSOID(String SSOSessionID) { + MiscUtil.assertNotNull(SSOSessionID, "SSOsessionID"); + Logger.trace("Get authenticated session with SSOID " + SSOSessionID + " from database."); + Session session = MOASessionDBUtils.getCurrentSession(); + + List<AuthenticatedSessionStore> result; + + synchronized (session) { + session.beginTransaction(); + Query query = session.getNamedQuery("getSessionWithSSOID"); + query.setParameter("sessionid", SSOSessionID); + result = query.list(); + + //send transaction + session.getTransaction().commit(); + } + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() != 1) { + Logger.trace("No entries found."); + return null; + + } else { + return result.get(0).getSessionid(); + + } + } + + public static boolean isSSOSession(String sessionID) throws MOADatabaseException { + try { + AuthenticatedSessionStore dbsession = searchInDatabase(sessionID); + return dbsession.isSSOSession(); + + } catch (MOADatabaseException e) { + Logger.info("No MOA Session with id: " + sessionID); + throw new MOADatabaseException("No MOA Session with id: " + sessionID); + } + } + + public static AuthenticatedSessionStore isValidSessionWithSSOID(String SSOId, String moaSessionId) { + MiscUtil.assertNotNull(SSOId, "SSOSessionID"); + Logger.trace("Get authenticated session with SSOID " + SSOId + " from database."); + Session session = MOASessionDBUtils.getCurrentSession(); + + List<AuthenticatedSessionStore> result; + + synchronized (session) { + session.beginTransaction(); + Query query = session.getNamedQuery("getSessionWithSSOID"); + query.setParameter("sessionid", SSOId); + result = query.list(); + + //send transaction + session.getTransaction().commit(); + } + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() != 1) { + Logger.trace("No entries found."); + return null; + + } else { + return result.get(0); + } + } + public static void addSSOInformation(String moaSessionID, String SSOSessionID, - String assertionID, String OAUrl) throws AuthenticationException { + SLOInformationInterface SLOInfo, String OAUrl) throws AuthenticationException { AuthenticatedSessionStore dbsession; Transaction tx = null; @@ -237,7 +301,7 @@ public class AuthenticationSessionStoreage { tx = session.beginTransaction(); Query query = session.getNamedQuery("getSessionWithID"); - query.setString("sessionid", moaSessionID); + query.setParameter("sessionid", moaSessionID); result = query.list(); @@ -251,13 +315,34 @@ public class AuthenticationSessionStoreage { } dbsession = (AuthenticatedSessionStore) result.get(0); - + + OASessionStore activeOA = null; + //check if OA already has an active OA session + if (dbsession.getActiveOAsessions() != null) { + for (OASessionStore el : dbsession.getActiveOAsessions()) { + if (el.getOaurlprefix().equals(OAUrl)) + activeOA = el; + } + } + + if (activeOA == null) + activeOA = new OASessionStore(); + //set active OA applications - OASessionStore activeOA = new OASessionStore(); activeOA.setOaurlprefix(OAUrl); activeOA.setMoasession(dbsession); activeOA.setCreated(new Date()); - activeOA.setAssertionSessionID(assertionID); + + //set additional information for SLO + if (SLOInfo != null) { + activeOA.setAssertionSessionID(SLOInfo.getSessionIndex()); + activeOA.setUserNameID(SLOInfo.getUserNameIdentifier()); + activeOA.setUserNameIDFormat(SLOInfo.getUserNameIDFormat()); + activeOA.setProtocolType(SLOInfo.getProtocolType()); + activeOA.setAttributeQueryUsed(false); + + + } List<OASessionStore> activeOAs = dbsession.getActiveOAsessions(); activeOAs.add(activeOA); @@ -286,7 +371,7 @@ public class AuthenticationSessionStoreage { tx.commit(); Logger.debug("Add SSO-Session login information for OA: " + OAUrl - + " and AssertionID: " + assertionID); + + " and AssertionID: " + SLOInfo.getSessionIndex()); } } catch (MOADatabaseException e) { @@ -298,56 +383,75 @@ public class AuthenticationSessionStoreage { throw new AuthenticationException("SSO Session information can not be stored! --> SSO is deactivated", null); } } - - - public static AuthenticationSession getSession(String sessionID) throws MOADatabaseException { + + public static List<OASessionStore> getAllActiveOAFromMOASession(AuthenticationSession moaSession) { + MiscUtil.assertNotNull(moaSession, "MOASession"); try { - AuthenticatedSessionStore dbsession = searchInDatabase(sessionID); + AuthenticatedSessionStore dbsession = searchInDatabase(moaSession.getSessionID()); + return dbsession.getActiveOAsessions(); - //decrypt Session - EncryptedData encdata = new EncryptedData(dbsession.getSession(), - dbsession.getIv()); - byte[] decrypted = SessionEncrytionUtil.decrypt(encdata); - - AuthenticationSession session = (AuthenticationSession) SerializationUtils.deserialize(decrypted); - - return session; - } catch (MOADatabaseException e) { - Logger.info("No MOA Session with id: " + sessionID); - throw new MOADatabaseException("No MOA Session with id: " + sessionID); + Logger.warn("NO session information found for sessionID " + moaSession.getSessionID(), e); - } catch (Throwable e) { - Logger.warn("MOASession deserialization-exception by using MOASessionID=" + sessionID, e); - throw new MOADatabaseException("MOASession deserialization-exception"); } + + return null; } - public static boolean isSSOSession(String sessionID) throws MOADatabaseException { - try { - AuthenticatedSessionStore dbsession = searchInDatabase(sessionID); - return dbsession.isSSOSession(); + public static AuthenticationSession searchMOASessionWithNameIDandOAID(String oaID, String userNameID) { + MiscUtil.assertNotNull(oaID, "OnlineApplicationIdentifier"); + MiscUtil.assertNotNull(userNameID, "userNameID"); + Logger.trace("Get moaSession for userNameID " + userNameID + " and OA " + + oaID + " from database."); + Session session = MOASessionDBUtils.getCurrentSession(); + + List<AuthenticatedSessionStore> result; + + synchronized (session) { + session.beginTransaction(); + Query query = session.getNamedQuery("getMOASessionWithNameIDandOAID"); + query.setParameter("oaID", oaID); + query.setParameter("nameID", userNameID); + result = query.list(); + + //send transaction + session.getTransaction().commit(); + } + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() != 1) { + Logger.trace("No unique entry found."); + return null; + + } + try { + return decryptSession(result.get(0)); - } catch (MOADatabaseException e) { - Logger.info("No MOA Session with id: " + sessionID); - throw new MOADatabaseException("No MOA Session with id: " + sessionID); + } catch (BuildException e) { + Logger.warn("MOASession deserialization-exception by using MOASessionID=" + result.get(0).getSessionid(), e); + return null; } - - } - public static String getMOASessionID(String SSOSessionID) { - MiscUtil.assertNotNull(SSOSessionID, "moasessionID"); - Logger.trace("Get authenticated session with SSOID " + SSOSessionID + " from database."); + public static OASessionStore searchActiveOASSOSession(AuthenticationSession moaSession, String oaID, String protocolType) { + MiscUtil.assertNotNull(moaSession, "MOASession"); + MiscUtil.assertNotNull(oaID, "OnlineApplicationIdentifier"); + MiscUtil.assertNotNull(protocolType, "usedProtocol"); + Logger.trace("Get active OnlineApplication for sessionID " + moaSession.getSessionID() + " with OAID " + + oaID + " from database."); Session session = MOASessionDBUtils.getCurrentSession(); List<AuthenticatedSessionStore> result; synchronized (session) { session.beginTransaction(); - Query query = session.getNamedQuery("getSessionWithSSOID"); - query.setString("sessionid", SSOSessionID); + Query query = session.getNamedQuery("getActiveOAWithSessionIDandOAIDandProtocol"); + query.setParameter("sessionID", moaSession.getSessionID()); + query.setParameter("oaID", oaID); + query.setParameter("protocol", protocolType); result = query.list(); //send transaction @@ -357,29 +461,71 @@ public class AuthenticationSessionStoreage { Logger.trace("Found entries: " + result.size()); //Assertion requires an unique artifact - if (result.size() != 1) { + if (result.size() == 0) { Logger.trace("No entries found."); - return null; - - } else { - return result.get(0).getSessionid(); - + return null; + } + return result.get(0).getActiveOAsessions().get(0); } - public static boolean isValidSessionWithSSOID(String SSOId, String moaSessionId) { - - MiscUtil.assertNotNull(SSOId, "SSOSessionID"); - Logger.trace("Get authenticated session with SSOID " + SSOId + " from database."); + public static String getPendingRequestID(String sessionID) { + try { + AuthenticatedSessionStore dbsession = searchInDatabase(sessionID); + return dbsession.getPendingRequestID(); + + } catch (MOADatabaseException e) { + Logger.warn("MOASession with ID " + sessionID + " not found"); + return ""; + } + } + + public static AuthenticationSession getSessionWithPendingRequestID(String pedingRequestID) { + try { + MiscUtil.assertNotNull(pedingRequestID, "pedingRequestID"); + Logger.trace("Get authenticated session with pedingRequestID " + pedingRequestID + " from database."); + Session session = MOASessionDBUtils.getCurrentSession(); + + List<AuthenticatedSessionStore> result; + + synchronized (session) { + session.beginTransaction(); + Query query = session.getNamedQuery("getSessionWithPendingRequestID"); + query.setParameter("sessionid", pedingRequestID); + result = query.list(); + + //send transaction + session.getTransaction().commit(); + } + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() != 1) { + Logger.trace("No entries found."); + return null; + } + + return decryptSession(result.get(0)); + + } catch (Throwable e) { + Logger.warn("MOASession deserialization-exception by using MOASessionID=" + pedingRequestID); + return null; + } + } + + public static boolean deleteSessionWithPendingRequestID(String id) { + MiscUtil.assertNotNull(id, "PendingRequestID"); + Logger.trace("Delete MOAsession with PendingRequestID " + id + " from database."); Session session = MOASessionDBUtils.getCurrentSession(); List<AuthenticatedSessionStore> result; synchronized (session) { session.beginTransaction(); - Query query = session.getNamedQuery("getSessionWithSSOID"); - query.setString("sessionid", SSOId); + Query query = session.getNamedQuery("getSessionWithPendingRequestID"); + query.setParameter("sessionid", id); result = query.list(); //send transaction @@ -394,22 +540,91 @@ public class AuthenticationSessionStoreage { return false; } else { + cleanDelete(result.get(0)); return true; } + + } + + public static AuthenticationSession getSessionWithUserNameID(String nameID) { + + try { + MiscUtil.assertNotNull(nameID, "nameID"); + Logger.trace("Get authenticated session with pedingRequestID " + nameID + " from database."); + Session session = MOASessionDBUtils.getCurrentSession(); + + List<AuthenticatedSessionStore> result; + + synchronized (session) { + session.beginTransaction(); + Query query = session.getNamedQuery("getMOAISessionWithUserNameID"); + query.setParameter("usernameid", StringEscapeUtils.escapeHtml(nameID)); + result = query.list(); + + //send transaction + session.getTransaction().commit(); + } + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() == 0) { + Logger.trace("No entries found."); + return null; + } + + return decryptSession(result.get(0)); + + } catch (Throwable e) { + Logger.warn("MOASession deserialization-exception by using MOASessionID=" + nameID); + return null; + } + + } + + public static InterfederationSessionStore searchInterfederatedIDPFORSSOWithMOASession(String sessionID) { + MiscUtil.assertNotNull(sessionID, "MOASession"); + Logger.trace("Get interfederated IDP for SSO with sessionID " + sessionID + " from database."); + Session session = MOASessionDBUtils.getCurrentSession(); + + List<AuthenticatedSessionStore> result; + + synchronized (session) { + session.beginTransaction(); + Query query = session.getNamedQuery("getInterfederatedIDPForSSOWithSessionID"); + query.setParameter("sessionID", sessionID); + result = query.list(); + + //send transaction + session.getTransaction().commit(); + } + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() == 0) { + Logger.trace("No entries found."); + return null; + + } + + return result.get(0).getInderfederation().get(0); } - public static boolean deleteSessionWithPendingRequestID(String id) { - MiscUtil.assertNotNull(id, "PendingRequestID"); - Logger.trace("Delete MOAsession with PendingRequestID " + id + " from database."); + public static InterfederationSessionStore searchInterfederatedIDPFORSSOWithMOASessionIDPID(String sessionID, String idpID) { + MiscUtil.assertNotNull(sessionID, "MOASession"); + MiscUtil.assertNotNull(idpID, "Interfederated IDP ID"); + Logger.trace("Get interfederated IDP "+ idpID + " for SSO with sessionID " + sessionID + " from database."); Session session = MOASessionDBUtils.getCurrentSession(); List<AuthenticatedSessionStore> result; synchronized (session) { session.beginTransaction(); - Query query = session.getNamedQuery("getSessionWithPendingRequestID"); - query.setString("sessionid", id); + Query query = session.getNamedQuery("getInterfederatedIDPForSSOWithSessionIDIDPID"); + query.setParameter("sessionID", sessionID); + query.setParameter("idpID", idpID); result = query.list(); //send transaction @@ -419,33 +634,138 @@ public class AuthenticationSessionStoreage { Logger.trace("Found entries: " + result.size()); //Assertion requires an unique artifact - if (result.size() != 1) { + if (result.size() == 0) { Logger.trace("No entries found."); - return false; - - } else { - MOASessionDBUtils.delete(result.get(0)); - return true; + return null; + } - - + + return result.get(0).getInderfederation().get(0); } - public static String getPendingRequestID(String sessionID) { + public static String createInterfederatedSession(IRequest req, boolean isAuthenticated, String ssoID) throws MOADatabaseException, AssertionAttributeExtractorExeption { + AuthenticatedSessionStore dbsession = null; + + //search for active SSO session + if (MiscUtil.isNotEmpty(ssoID)) { + String moaSession = getMOASessionSSOID(ssoID); + if (MiscUtil.isNotEmpty(moaSession)) { + try { + dbsession = searchInDatabase(moaSession); + + }catch (MOADatabaseException e) { + + } + } + } + + String id = null; + Date now = new Date(); + + //create new MOASession if any exists + if (dbsession == null) { + id = Random.nextRandom(); + dbsession = new AuthenticatedSessionStore(); + dbsession.setSessionid(id); + dbsession.setCreated(now); + + } else { + id = dbsession.getSessionid(); + + } + + dbsession.setInterfederatedSSOSession(true); + dbsession.setAuthenticated(isAuthenticated); + dbsession.setUpdated(now); + + AuthenticationSession session = new AuthenticationSession(id); + session.setAuthenticated(true); + session.setAuthenticatedUsed(false); + dbsession.setSession(SerializationUtils.serialize(session)); + + //add interfederation information + List<InterfederationSessionStore> idpList = dbsession.getInderfederation(); + InterfederationSessionStore idp = null; + if (idpList == null) { + idpList = new ArrayList<InterfederationSessionStore>(); + dbsession.setInderfederation(idpList); + + } else { + for (InterfederationSessionStore el : idpList) { + //resue old entry if interfederation IDP is reused for authentication + if (el.getIdpurlprefix().equals(req.getInterfederationResponse().getEntityID())) + idp = el; + + } + } + + //create new interfederation IDP entry + if (idp == null) { + idp = new InterfederationSessionStore(); + idp.setCreated(now); + idp.setIdpurlprefix(req.getInterfederationResponse().getEntityID()); + idp.setMoasession(dbsession); + idpList.add(idp); + + } + AssertionAttributeExtractor extract = new AssertionAttributeExtractor(req.getInterfederationResponse().getResponse()); + idp.setSessionIndex(extract.getSessionIndex()); + idp.setUserNameID(extract.getNameID()); + idp.setAttributesRequested(false); + idp.setQAALevel(extract.getQAALevel()); + + //store AssertionStore element to Database try { - AuthenticatedSessionStore dbsession = searchInDatabase(sessionID); - return dbsession.getPendingRequestID(); + MOASessionDBUtils.saveOrUpdate(dbsession); + Logger.info("MOASession with sessionID=" + id + " is stored in Database"); } catch (MOADatabaseException e) { - Logger.warn("MOASession with ID " + sessionID + " not found"); - return ""; + Logger.warn("MOASession could not be created."); + throw new MOADatabaseException(e); } + return id; } - public static AuthenticationSession getSessionWithPendingRequestID(String pedingRequestID) { + public static InterfederationSessionStore searchInterfederatedIDPFORAttributeQueryWithSessionID(AuthenticationSession moaSession) { + MiscUtil.assertNotNull(moaSession, "MOASession"); + Logger.trace("Get interfederated IDP for AttributeQuery with sessionID " + moaSession.getSessionID() + " from database."); + Session session = MOASessionDBUtils.getCurrentSession(); + + List<AuthenticatedSessionStore> result; + + synchronized (session) { + session.beginTransaction(); + Query query = session.getNamedQuery("getInterfederatedIDPForAttributeQueryWithSessionID"); + query.setParameter("sessionID", moaSession.getSessionID()); + result = query.list(); + + //send transaction + session.getTransaction().commit(); + } + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() == 0) { + Logger.trace("No entries found."); + return null; + + } + + return result.get(0).getInderfederation().get(0); + } + + /** + * @param entityID + * @param requestID + */ + public static boolean removeInterfederetedSession(String entityID, + String pedingRequestID) { try { + Logger.debug("Remove interfederated IDP from local SSO session ..."); + MiscUtil.assertNotNull(pedingRequestID, "pedingRequestID"); Logger.trace("Get authenticated session with pedingRequestID " + pedingRequestID + " from database."); Session session = MOASessionDBUtils.getCurrentSession(); @@ -455,7 +775,7 @@ public class AuthenticationSessionStoreage { synchronized (session) { session.beginTransaction(); Query query = session.getNamedQuery("getSessionWithPendingRequestID"); - query.setString("sessionid", pedingRequestID); + query.setParameter("sessionid", pedingRequestID); result = query.list(); //send transaction @@ -467,20 +787,27 @@ public class AuthenticationSessionStoreage { //Assertion requires an unique artifact if (result.size() != 1) { Logger.trace("No entries found."); - return null; + return false; } - //decrypt Session - EncryptedData encdata = new EncryptedData(result.get(0).getSession(), - result.get(0).getIv()); - byte[] decrypted = SessionEncrytionUtil.decrypt(encdata); - return (AuthenticationSession) SerializationUtils.deserialize(decrypted); - + AuthenticatedSessionStore authsession = result.get(0); + + List<InterfederationSessionStore> idpSessions = authsession.getInderfederation(); + if (idpSessions != null) { + for (InterfederationSessionStore idp : idpSessions) { + if (idp.getIdpurlprefix().equals(entityID)) + idpSessions.remove(idp); + + } + } + + MOASessionDBUtils.saveOrUpdate(authsession); + return true; } catch (Throwable e) { Logger.warn("MOASession deserialization-exception by using MOASessionID=" + pedingRequestID); - return null; - } + return false; + } } public static void clean(long now, long authDataTimeOutCreated, long authDataTimeOutUpdated) { @@ -502,7 +829,7 @@ public class AuthenticationSessionStoreage { if (results.size() != 0) { for(AuthenticatedSessionStore result : results) { try { - MOASessionDBUtils.delete(result); + cleanDelete(result); Logger.info("Authenticated session with sessionID=" + result.getSessionid() + " after session timeout."); @@ -510,11 +837,43 @@ public class AuthenticationSessionStoreage { Logger.warn("Authenticated session with sessionID=" + result.getSessionid() + " not removed after timeout! (Error during Database communication)", e); } - } } } + private static void encryptSession(AuthenticationSession session, AuthenticatedSessionStore dbsession) throws BuildException { + byte[] serialized = SerializationUtils.serialize(session); + + EncryptedData encdata = SessionEncrytionUtil.encrypt(serialized); + dbsession.setSession(encdata.getEncData()); + dbsession.setIv(encdata.getIv()); + } + + private static AuthenticationSession decryptSession(AuthenticatedSessionStore dbsession) throws BuildException { + EncryptedData encdata = new EncryptedData(dbsession.getSession(), + dbsession.getIv()); + byte[] decrypted = SessionEncrytionUtil.decrypt(encdata); + + return (AuthenticationSession) SerializationUtils.deserialize(decrypted); + + } + + private static void cleanDelete(AuthenticatedSessionStore result) { + try { + result.setSession(new byte[] {}); + MOASessionDBUtils.saveOrUpdate(result); + + } catch (MOADatabaseException e) { + Logger.warn("Blank authenticated session with sessionID=" + result.getSessionid() + " FAILED.", e); + + } finally { + if (!MOASessionDBUtils.delete(result)) + Logger.error("Authenticated session with sessionID=" + result.getSessionid() + + " not removed! (Error during Database communication)"); + + } + } + @SuppressWarnings("rawtypes") private static AuthenticatedSessionStore searchInDatabase(String sessionID) throws MOADatabaseException { MiscUtil.assertNotNull(sessionID, "moasessionID"); @@ -526,7 +885,7 @@ public class AuthenticationSessionStoreage { synchronized (session) { session.beginTransaction(); Query query = session.getNamedQuery("getSessionWithID"); - query.setString("sessionid", sessionID); + query.setParameter("sessionid", sessionID); result = query.list(); //send transaction diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBExceptionStoreImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBExceptionStoreImpl.java index ae8e5ee27..054ad1014 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBExceptionStoreImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBExceptionStoreImpl.java @@ -154,7 +154,7 @@ public class DBExceptionStoreImpl implements IExceptionStore { synchronized (session) { session.beginTransaction(); Query query = session.getNamedQuery("getExceptionWithID"); - query.setString("id", id); + query.setParameter("id", id); result = query.list(); //send transaction diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ErrorResponseUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ErrorResponseUtils.java new file mode 100644 index 000000000..aff7e5057 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ErrorResponseUtils.java @@ -0,0 +1,103 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.util; + +import java.util.Locale; + +import at.gv.egovernment.moa.id.auth.exception.BKUException; +import at.gv.egovernment.moa.id.auth.exception.MISSimpleClientException; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; +import at.gv.egovernment.moa.util.Messages; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +public class ErrorResponseUtils { + + public static final String INTERNALERRORCODE = "9199"; + + private static ErrorResponseUtils instance = null; + private static final String[] DEFAULT_MESSAGE_RESOURCES = + { "resources/properties/protocol_response_statuscodes" }; + private static final Locale[] DEFAULT_MESSAGE_LOCALES = + new Locale[] { new Locale("de", "AT") }; + private Messages messages = null; + + + public static ErrorResponseUtils getInstance() { + if (instance == null) { + instance = new ErrorResponseUtils(DEFAULT_MESSAGE_RESOURCES, DEFAULT_MESSAGE_LOCALES); + + } + return instance; + } + + private ErrorResponseUtils(String[] resourceNames, Locale[] locales) { + this.messages = new Messages(resourceNames, locales); + } + + public String getResponseErrorCode(Throwable throwable) { + String errorCode = null; + + if (throwable instanceof BKUException) { + BKUException error = (BKUException) throwable; + errorCode = mapInternalErrorToExternalError(error.getMessageId()) + + error.getBkuErrorCode(); + + } else if (throwable instanceof MISSimpleClientException) { + MISSimpleClientException error = (MISSimpleClientException) throwable; + + if (MiscUtil.isNotEmpty(error.getMISErrorCode())) + errorCode = mapInternalErrorToExternalError(error.getMessageId()) + + error.getMISErrorCode(); + else + errorCode = mapInternalErrorToExternalError(error.getMessageId()); + + } else if (throwable instanceof MOAIDException) { + MOAIDException error = (MOAIDException) throwable; + errorCode = mapInternalErrorToExternalError(error.getMessageId()); + + } else { + errorCode = INTERNALERRORCODE; + + } + + return errorCode; + + } + + public String mapInternalErrorToExternalError(String intErrorCode) { + String extErrorCode = messages.getMessage(intErrorCode, null); + + if (MiscUtil.isEmpty(extErrorCode)) + extErrorCode = INTERNALERRORCODE; + + return extErrorCode; + + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java index ed3f297c7..81abe3f5a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java @@ -46,11 +46,7 @@ package at.gv.egovernment.moa.id.util; -import iaik.pki.PKIConfiguration; import iaik.pki.PKIException; -import iaik.pki.PKIFactory; -import iaik.pki.PKIProfile; -import iaik.pki.jsse.IAIKX509TrustManager; import iaik.security.provider.IAIK; import java.io.BufferedInputStream; @@ -62,26 +58,19 @@ import java.io.Reader; import java.net.URL; import java.security.GeneralSecurityException; import java.security.Security; -import java.util.HashMap; -import java.util.Map; import javax.net.ssl.HttpsURLConnection; -import javax.net.ssl.KeyManager; -import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSocketFactory; -import javax.net.ssl.TrustManager; import org.apache.regexp.RE; import org.apache.regexp.RESyntaxException; +import at.gv.egovernment.moa.id.commons.utils.ssl.SSLConfigurationException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.ConfigurationProvider; import at.gv.egovernment.moa.id.config.ConnectionParameter; import at.gv.egovernment.moa.id.config.ConnectionParameterInterface; -import at.gv.egovernment.moa.id.iaik.config.PKIConfigurationImpl; -import at.gv.egovernment.moa.id.iaik.pki.PKIProfileImpl; -import at.gv.egovernment.moa.id.iaik.pki.jsse.MOAIDTrustManager; -import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; /** @@ -94,14 +83,7 @@ import at.gv.egovernment.moa.logging.Logger; */ public class SSLUtils { - /** SSLSocketFactory store, mapping URL->SSLSocketFactory **/ - private static Map<String, SSLSocketFactory> sslSocketFactories = new HashMap<String, SSLSocketFactory>(); - - /** - * Initializes the SSLSocketFactory store. - */ public static void initialize() { - sslSocketFactories = new HashMap<String, SSLSocketFactory>(); // JSSE Abhängigkeit //Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider()); Security.addProvider(new IAIK()); @@ -132,61 +114,38 @@ public class SSLUtils { ConnectionParameterInterface connParam) throws IOException, GeneralSecurityException, ConfigurationException, PKIException { - Logger.debug("Get SSLSocketFactory for " + connParam.getUrl()); - // retrieve SSLSocketFactory if already created - SSLSocketFactory ssf = (SSLSocketFactory)sslSocketFactories.get(connParam.getUrl()); - if (ssf != null) - return ssf; - - // else create new SSLSocketFactory - String trustStoreURL = conf.getTrustedCACertificates(); - - if (trustStoreURL == null) - throw new ConfigurationException( - "config.08", new Object[] {"TrustedCACertificates"}); - String acceptedServerCertURL = connParam.getAcceptedServerCertificates(); - - TrustManager[] tms = getTrustManagers(conf, trustStoreURL, acceptedServerCertURL); - - KeyManager[] kms = at.gv.egovernment.moa.util.SSLUtils.getKeyManagers( - "pkcs12", connParam.getClientKeyStore(), connParam.getClientKeyStorePassword()); - SSLContext ctx = SSLContext.getInstance("TLS"); - ctx.init(kms, tms, null); ssf = ctx.getSocketFactory(); - // store SSLSocketFactory - sslSocketFactories.put(connParam.getUrl(), ssf); - return ssf; + // else create new SSLSocketFactory + String trustStoreURL = conf.getTrustedCACertificates(); + + if (trustStoreURL == null) + throw new ConfigurationException( + "config.08", new Object[] {"TrustedCACertificates"}); + + String acceptedServerCertURL = connParam.getAcceptedServerCertificates(); + + //INFO: MOA-ID 2.x always use defaultChainingMode + + try { + SSLSocketFactory ssf = + at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory( + connParam.getUrl(), + conf.getCertstoreDirectory(), + trustStoreURL, + acceptedServerCertURL, + AuthConfigurationProvider.getInstance().getDefaultChainingMode(), + AuthConfigurationProvider.getInstance().isTrustmanagerrevoationchecking(), + connParam.getClientKeyStore(), + connParam.getClientKeyStorePassword(), + "pkcs12"); + + return ssf; + + } catch (SSLConfigurationException e) { + throw new ConfigurationException(e.getErrorID(), e.getParameters(), e.getE()); + + } } - - /** - * Initializes an <code>IAIKX509TrustManager</code> for a given trust store, - * using configuration data. - * - * @param conf MOA-ID configuration provider - * @param trustStoreURL trust store URL - * @param acceptedServerCertURL file URL pointing to directory containing accepted server SSL certificates - * @return <code>TrustManager</code> array containing the <code>IAIKX509TrustManager</code> - * @throws ConfigurationException on invalid configuration data - * @throws IOException on data-reading problems - * @throws PKIException while initializing the <code>IAIKX509TrustManager</code> - */ - public static TrustManager[] getTrustManagers( - ConfigurationProvider conf, String trustStoreURL, String acceptedServerCertURL) - throws ConfigurationException, PKIException, IOException, GeneralSecurityException { - - PKIConfiguration cfg = null; - if (! PKIFactory.getInstance().isAlreadyConfigured()) - cfg = new PKIConfigurationImpl(conf); - boolean checkRevocation = conf.isTrustmanagerrevoationchecking(); - PKIProfile profile = new PKIProfileImpl(trustStoreURL, checkRevocation); - // This call fixes a bug occuring when PKIConfiguration is - // initialized by the MOA-SP initialization code, in case - // MOA-SP is called by API - MOAIDTrustManager.initializeLoggingContext(); - IAIKX509TrustManager tm = new MOAIDTrustManager(acceptedServerCertURL); - tm.init(cfg, profile); - return new TrustManager[] {tm}; - } /** * Reads a file, given by URL, into a byte array, * securing the connection by IAIKX509TrustManager. diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java index 385dd753c..f7785d2c2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java @@ -48,6 +48,8 @@ package at.gv.egovernment.moa.id.util.client.mis.simple; import java.io.Serializable;
+import at.gv.egovernment.moa.util.MiscUtil;
+
public class MISMandate implements Serializable{
private static final long serialVersionUID = 1L;
@@ -90,16 +92,21 @@ public class MISMandate implements Serializable{ }
public String getTextualDescriptionOfOID() {
- if (this.oid.equalsIgnoreCase(OID_NOTAR))
- return TEXT_NOTAR;
- if (this.oid.equalsIgnoreCase(OID_RECHTSANWALT))
- return TEXT_RECHTSANWALT;
- if (this.oid.equalsIgnoreCase(OID_ZIVILTECHNIKER))
- return TEXT_ZIVILTECHNIKER;
- if (this.oid.equalsIgnoreCase(OID_ORGANWALTER))
- return TEXT_ORGANWALTER;
+ if (MiscUtil.isNotEmpty(this.oid)) {
+ if (this.oid.equalsIgnoreCase(OID_NOTAR))
+ return TEXT_NOTAR;
+ if (this.oid.equalsIgnoreCase(OID_RECHTSANWALT))
+ return TEXT_RECHTSANWALT;
+ if (this.oid.equalsIgnoreCase(OID_ZIVILTECHNIKER))
+ return TEXT_ZIVILTECHNIKER;
+ if (this.oid.equalsIgnoreCase(OID_ORGANWALTER))
+ return TEXT_ORGANWALTER;
- return "Keine textuelle Beschreibung für OID " + oid;
+ return "Keine textuelle Beschreibung für OID " + oid;
+
+ } else {
+ return null;
+ }
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java index b9c4e88b7..aaf793987 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java @@ -149,17 +149,17 @@ public class MISSimpleClient { }
return foundMandates;
} catch (ParserConfigurationException e) {
- throw new MISSimpleClientException(e);
+ throw new MISSimpleClientException("service.06", e);
} catch (DOMException e) {
- throw new MISSimpleClientException(e);
+ throw new MISSimpleClientException("service.06", e);
} catch (TransformerException e) {
- throw new MISSimpleClientException(e);
+ throw new MISSimpleClientException("service.06", e);
}
}
- public static MISSessionId sendSessionIdRequest(String webServiceURL, byte[] idl, byte[] cert, String oaFriendlyName, String redirectURL, String referenceValue, List<String> mandateIdentifier, String targetType, SSLSocketFactory sSLSocketFactory) throws MISSimpleClientException {
+ public static MISSessionId sendSessionIdRequest(String webServiceURL, byte[] idl, byte[] cert, String oaFriendlyName, String redirectURL, String referenceValue, List<String> mandateIdentifier, String targetType, byte[] authBlock, SSLSocketFactory sSLSocketFactory) throws MISSimpleClientException {
if (webServiceURL == null) {
- throw new NullPointerException("Argument webServiceURL must not be null.");
+ throw new MISSimpleClientException("service.04");
}
if (idl == null) {
throw new NullPointerException("Argument idl must not be null.");
@@ -224,8 +224,11 @@ public class MISSimpleClient { targetElement.appendChild(targetTypeElement);
mirElement.appendChild(targetElement);
-
-
+ //add AuthBlock element
+ Element authBlockElement = doc.createElementNS(MIS_NS, "authBlock");
+ authBlockElement.appendChild(doc.createTextNode(new String(Base64.encodeBase64(authBlock))));
+ mirElement.appendChild(authBlockElement);
+
// send soap request
Element mandateIssueResponseElement = sendSOAPRequest(webServiceURL, mirElement);
@@ -253,11 +256,11 @@ public class MISSimpleClient { return msid;
} catch (ParserConfigurationException e) {
- throw new MISSimpleClientException(e);
+ throw new MISSimpleClientException("service.06", e);
} catch (DOMException e) {
- throw new MISSimpleClientException(e);
+ throw new MISSimpleClientException("service.06", e);
} catch (TransformerException e) {
- throw new MISSimpleClientException(e);
+ throw new MISSimpleClientException("service.06", e);
}
}
@@ -271,9 +274,10 @@ public class MISSimpleClient { if (errorElement != null) {
String code = ((Node) XPathAPI.selectSingleNode(mandateIssueResponseElement, "//mis:MandateIssueResponse/mis:Error/mis:Code/text()", NS_NODE)).getNodeValue();
String text = ((Node) XPathAPI.selectSingleNode(mandateIssueResponseElement, "//mis:MandateIssueResponse/mis:Error/mis:Text/text()", NS_NODE)).getNodeValue();
- throw new MISSimpleClientException("Fehler beim Abfragen des Online-Vollmachten Services: " + code + " / " + text, code, text); }
+ throw new MISSimpleClientException("service.05", code, text); }
+
} catch (TransformerException e) {
- throw new MISSimpleClientException(e);
+ throw new MISSimpleClientException("auth.15", e);
}
}
@@ -308,19 +312,19 @@ public class MISSimpleClient { return unpackFromSOAP(doc.getDocumentElement());
} catch(IOException e) {
- throw new MISSimpleClientException(e.getLocalizedMessage(), e);
+ throw new MISSimpleClientException("service.04", e);
} catch (TransformerException e) {
- throw new MISSimpleClientException(e);
+ throw new MISSimpleClientException("service.06", e);
} catch (SAXException e) {
- throw new MISSimpleClientException(e);
+ throw new MISSimpleClientException("service.06", e);
} catch (ParserConfigurationException e) {
- throw new MISSimpleClientException(e);
+ throw new MISSimpleClientException("service.06", e);
} catch (Exception e) {
- throw new MISSimpleClientException(e.getLocalizedMessage(), e);
+ throw new MISSimpleClientException("service.06", e);
}
@@ -336,7 +340,7 @@ public class MISSimpleClient { soapBody.appendChild(doc.importNode(element, true));
return soapEnvelope;
} catch(ParserConfigurationException e) {
- throw new MISSimpleClientException(e);
+ throw new MISSimpleClientException("service.06", e);
}
}
@@ -344,7 +348,7 @@ public class MISSimpleClient { try {
return (Element) XPathAPI.selectSingleNode(element, "/soap:Envelope/soap:Body/child::*[position()=1]", NS_NODE);
} catch(TransformerException e) {
- throw new MISSimpleClientException(e);
+ throw new MISSimpleClientException("service.06", e);
}
}
}
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 3cd8ee24a..c8cca157d 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -24,7 +24,6 @@ auth.03=Fehler beim Abholen einer Datei von der URL "{0}": Interne Fehlermeldung auth.04=Fehler beim Auslesen der Resource "{0}": {1}
auth.05=Fehlender Parameter "{1}" beim Aufruf von "{0}"
auth.06=Fehler beim Speichern der Anmeldedaten, fehlerhaftes SAML-Artifact Format (SAML-Artifact={0})
-#auth.07=Aufruf von {0} muss mit Schema "https:" erfolgen. <br><b>Hinweis:</b> Bitte Dokumentation zu GenericConfiguration: "FrontendServlets.EnableHTTPConnection" beachten.
auth.07=Aufruf von {0} muss mit Schema "https:" erfolgen.
auth.08=In der B\u00FCrgerkartenumgebung ist ein Fehler aufgetreten\: <br>Fehlercode <i>{0}</i>\: {1}
auth.09=Zur Auswahlseite der B\u00FCrgertenumgebung (URL\={0}) konnte keine Verbindung hergestellt werden. \: <br>HTTP-Statuscode <i>{1}</i>
@@ -33,7 +32,7 @@ auth.11=Die zentral gespeicherte Auswahlseite f\u00FCr B\u00FCrgerkartenumgebung auth.12=Fehlerhafter Parameter "{1}" beim Aufruf von "{0}"
auth.13=Vollmachtenmodus f\u00FCr ausl\u00E4ndische B\u00FCrger wird nicht unterst\u00FCtzt.
auth.14=Zertifikat konnte nicht ausgelesen werden.
-auth.15=Fehler bei Anfrage an Vollmachten Service.
+auth.15=Fehler beim validieren der Online-Vollmacht.
auth.16=Fehler bei Abarbeitung der Vollmacht in "{0}"
auth.17=Vollmachtenmodus f\u00FCr nicht-\u00F6ffentlichen Bereich wird nicht unterst\u00FCtzt.
auth.18=Keine MOASessionID vorhanden
@@ -43,6 +42,7 @@ auth.21=Der Anmeldevorgang wurde durch den Benutzer abgebrochen. auth.22=Das Protokoll {0} ist deaktiviert.
auth.23=Das BKU-Selektion Template entspricht nicht der Spezifikation von MOA-ID 2.x.
auth.24=Das Send-Assertion Template entspricht nicht der Spezifikation von MOA-ID 2.x.
+auth.25=Fehler beim validieren der SZR-Gateway Response.
init.00=MOA ID Authentisierung wurde erfolgreich gestartet
init.01=Fehler beim Aktivieren des IAIK-JCE/JSSE/JDK1.3 Workaround\: SSL ist m\u00F6glicherweise nicht verf\u00FCgbar
@@ -70,7 +70,8 @@ config.16=MOA ID Proxy konnte nicht gestartet werden. Das Element ConnnectionPar config.17=Fehler beim initialisieren von Hibernate
config.18=Keine MOA-ID 2.x Konfiguration gefunden.
config.19=Kein Schl\u00FCssel f\u00FCr die Resignierung der Personenbindung gefunden.
-config.20=Umgebungsvariable "moa.id.proxy.configuration" nicht gesetzt
+config.20=Umgebungsvariable "moa.id.proxy.configuration" nicht gesetzt
+config.21=F\u00FCr diese Online Applikation sind keine Vollmachtsprofile hinterlegt.
parser.00=Leichter Fehler beim Parsen: {0}
parser.01=Fehler beim Parsen: {0}
@@ -87,11 +88,19 @@ builder.02=Fehler beim Ausblenden von Stammzahlen builder.03=Fehler beim Aufbau des HTML Codes f\u00FCr Vollmachten
builder.04=Die Personenbindung konnte nicht neu signiert werden und wird aus diesem Grund nicht ausgeliefert. MOA-SS lieferte folgenden Fehlercode {0} und Fehler {1} zur\u00FCck.
builder.05=Beim resignieren der Personenbindung ist ein allgemeiner Fehler aufgetreten und wird aus diesem Grund nicht ausgeliefert.
+builder.06=Fehler beim generieren der Anmeldedaten aus SSO IDP Interfederation Informationen.
+builder.07=Fehlerhaftes SecurityLayer Template.
service.00=Fehler beim Aufruf des Web Service: {0}
service.01=Fehler beim Aufruf des Web Service: kein Endpoint
service.02=Fehler beim Aufruf des Web Service, Status {0}: {1}
service.03=Fehler beim Aufruf des SPSS-API: {0}
+service.04=Das Online-Vollmachten Service ist unter {0} nicht erreichbar.
+service.05=Fehler beim Anfragen des Online-Vollmachen Service: {0} / {1}
+service.06=Allgemeiner Fehler beim Anfragen des Online-Vollmachten Service
+service.07=Der SZR-Gateway ist unter {0} nicht erreichbar.
+service.08=Die Eintragung der ausländischen Person am SZR-Gateway ist fehlgeschlagen.
+service.09=Der SZR-Gateway Client konnte nicht initialisiert werden.
cleaner.00=AuthenticationSessionCleaner wurde gestartet
cleaner.01=Fehler im AuthenticationSessionCleaner
@@ -129,7 +138,7 @@ validator.08=Das Manifest ist ung\u00FCltig validator.09=Die \u00F6ffentlichen Schl\u00FCssel des Identitiy Link stimmen nicht mit dem retournierten Zertifikat \u00FCberein
validator.10=Anzahl der URLs zur Authentisierungskomponente ung\u00FCltig {0}
-validator.11="Gesch�ftsbereich" wurde nicht in den SAML-Attributen gefunden {0}
+validator.11="Gesch\\u00E4ftsbereich" wurde nicht in den SAML-Attributen gefunden {0}
validator.12=Der Namespace des SAML-Attributs "Gesch\\u00E4ftsbereich" ist ung\u00FCltig {0}
validator.13=Das Target des 'Gesch\u00E4ftsbereichs' ist ung\u00FCltig {0}
validator.14="OA" wurde nicht in den SAML-Attributen gefunden {0}
@@ -137,7 +146,6 @@ validator.15=Der Namespace des SAML-Attributs "OA" ist ung\u00FCltig {0} validator.16=Die vorkonfigurierte URL der OnlineApplikation ist fehlerhaft {0}
validator.17= Der SubjectDN-Name des von MOA-SP retournierten Zertifikats ist ung\u00FCltig {0}
-#validator.18= Der SubjectDN-Name des von MOA-SP retournierten Zertifikats ist nicht als g�ltiger SubjectDN-Name f�r eine Personenbindung konfiguriert. <b>{0}</b> wurde NICHT in der Konfiguration gefunden
validator.18= Das Zertifikat mit dem die Personenbindung signiert wurde, ist nicht zum Signieren der Personenbindung zul\u00E4ssig. Es konnte weder der SubjectDN ({0}) einem berechtigten Namen zugeordnet werden, noch enth?lt das Zertifikat die Erweiterung "Eigenschaft zur Ausstellung von Personenbindungen".
validator.19=Das verwendete Zertifikat zum Signieren ist ung\u00FCltig.<br>{0}
@@ -152,7 +160,7 @@ validator.26=OA Applikation ist eine Wirtschaftsapplikation, trotzdem ist ein SA validator.27=OA Applikation ist keine Wirtschaftsapplikation, trotzdem ist ein SAML-Attribut "wbPK" enthalten
validator.28=Fehlerhafter Wert im "wbPK" SAML-Attribut {0}
validator.29=Fehler beim Auslesen des "wbPK" SAML-Attributs {0}
-validator.30=Der Namespace des SAML-Attributs "wbPK" ist ung�ltig {0}
+validator.30=Der Namespace des SAML-Attributs "wbPK" ist ung\u00FCltig {0}
validator.31="wbPK" wurde nicht in den SAML-Attributen gefunden {0}
@@ -212,7 +220,7 @@ stork.13=Fehler beim Sammeln eines Attributes in einem AttributProviderPlugin stork.14=Es wurde weder Authentifizierungs/ noch Attributerequest empfangen
stork.15=Unbekannte request.
stork.16=Ein Attribute aus zwei verschiedenen Quellen unterscheidet sich\: {0}
-stork.17=Fehler beim Einholen der Zustimmung für Attribut\u00FCbertragung durch den Benutzer
+stork.17=Fehler beim Einholen der Zustimmung f\uFFFDr Attribut\u00FCbertragung durch den Benutzer
stork.18=STORK-SAML Engine konnte nicht initialisiert werden.
pvp2.00={0} ist kein gueltiger consumer service index
@@ -233,6 +241,11 @@ pvp2.14=SAML Anfrage verweigert pvp2.15=Keine Metadateninformation gefunden
pvp2.16=Fehler beim verschl\u00FCsseln der PVP2 Assertion
pvp2.17=Der QAA Level {0} entspricht nicht dem angeforderten QAA Level {1}
+pvp2.18=Es konnten nicht alle Single Sign-On Sessions beendet werden.
+pvp2.19=Der Single LogOut Vorgang musste wegen eines unkorregierbaren Fehler abgebrochen werden.
+pvp2.20=Für die im Request angegebene EntityID konnten keine g\u00FCltigen Metadaten gefunden werden.
+pvp2.21=Die Signature des Requests konnte nicht g\u00FCltig validiert werden.
+pvp2.22=Der Request konnte nicht g\u00FCltig validiert werden (Fehler={0}).
oauth20.01=Fehlerhafte redirect url
oauth20.02=Fehlender Parameter "{0}"
@@ -241,5 +254,5 @@ oauth20.04=Die Art der Anmeldung wird nicht unterstuetzt oauth20.05=Der angegebene Benutzer ist nicht berechtigt
oauth20.06=Die angegebene OA kann nicht verwendet werden
oauth20.07=Angeforderter grant_type ist nicht erlaubt
-oauth20.08=Nicht berechtigt f�r Token-Request
+oauth20.08=Nicht berechtigt f\u00FCr Token-Request
oauth20.09=Zertifikat fuer JSON Web-Token ist falsch konfiguriert. Fehler bei "{0}"
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties new file mode 100644 index 000000000..2a55ea64c --- /dev/null +++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties @@ -0,0 +1,187 @@ +auth.00=1000 +auth.01=1001 +auth.02=1100 +auth.03=9000 +auth.04=9100 +auth.05=1002 +auth.06=6200 +auth.07=1003 +auth.08=40 +auth.09=9100 +auth.10=1002 +auth.11=9100 +auth.12=1002 +auth.13=1007 +auth.14=1004 +auth.15=1108 +auth.16=9102 +auth.17=1006 +auth.18=1100 +auth.20=1100 +auth.21=1005 +auth.22=6000 +auth.23=9000 +auth.24=9001 +auth.25=1109 + +init.00=9199 +init.01=9199 +init.02=9199 +init.04=9101 + +config.00=9199 +config.01=9199 +config.02=9199 +config.03=9199 +config.04=9199 +config.05=9199 +config.06=9199 +config.07=9199 +config.08=9199 +config.09=9199 +config.10=9199 +config.11=9199 +config.12=9199 +config.13=9199 +config.14=9199 +config.15=9199 +config.16=9199 +config.17=9199 +config.18=9199 +config.19=9199 +config.20=9199 +config.21=9006 + +parser.00=1101 +parser.01=1101 +parser.02=1101 +parser.03=1101 +parser.04=1101 +parser.05=1101 +parser.06=1101 +parser.07=1101 + +builder.00=9102 +builder.01=9103 +builder.02=9102 +builder.03=9102 +builder.04=Die Personenbindung konnte nicht neu signiert werden und wird aus diesem Grund nicht ausgeliefert. MOA-SS lieferte folgenden Fehlercode {0} und Fehler {1} zur\u00FCck. +builder.05=Beim resignieren der Personenbindung ist ein allgemeiner Fehler aufgetreten und wird aus diesem Grund nicht ausgeliefert. +builder.06=4400 +builder.07=9002 + +service.00=4300 +service.03=4300 +service.04=41000 +service.05=411 +service.06=41001 +service.07=4200 +service.08=4201 +service.09=9007 + +validator.00=1102 +validator.01=1102 +validator.02=1102 +validator.03=1102 +validator.04=1102 +validator.05=1102 + +validator.06=1103 +validator.07=1104 +validator.08=1103 +validator.09=1106 + +validator.10=1106 +validator.11=1106 +validator.12=1106 +validator.13=1106 +validator.14=1106 +validator.15=1106 +validator.16=1106 + +validator.17=1104 +validator.18=1104 + +validator.19=1105 + +validator.21=1103 +validator.22=1103 +validator.23=1103 +validator.24=1103 +validator.25=1103 + +validator.26=1106 +validator.27=1106 +validator.28=1106 +validator.29=1106 +validator.30=1106 +validator.31=1106 + +validator.32=1106 +validator.33=1106 +validator.34=1106 +validator.35=1106 +validator.36=1106 +validator.37=1106 +validator.38=1106 +validator.39=1106 + +validator.40=9199 +validator.41=9199 +validator.42=9199 +validator.43=9199 +validator.44=9199 +validator.45=9102 +validator.46=9102 +validator.47=9102 +validator.48=9199 + +validator.49=1104 +validator.50=1106 + +validator.64=9102 + +validator.67=1106 +validator.68=1106 +validator.69=1106 +validator.70=1106 +validator.71=1105 + +ssl.01=1107 + +stork.00=1200 +stork.01=1200 +stork.02=1200 +stork.04=1201 +stork.05=1201 +stork.06=1202 +stork.07=1201 +stork.08=1201 +stork.09=1201 +stork.10=4200 +stork.11=1203 +stork.12=9003 +stork.13=1203 +stork.14=6001 +stork.15=6001 +stork.16=1203 +stork.17=1203 +stork.18=9004 + +pvp2.01=6100 +pvp2.06=6100 +pvp2.13=9199 +pvp2.16=6101 +pvp2.17=6102 +pvp2.20=6103 +pvp2.21=6104 +pvp2.22=6105 + +oauth20.01=6200 +oauth20.06=1000 +oauth20.09=9005 +oauth20.10=9102 + +##Map MIS/BKU statuscodes to MOA-ID-Auth statuscodes +mis.301=1005 +bku.6001=1005
\ No newline at end of file diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/proxy/parser/SAMLResponseParserTest.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/proxy/parser/SAMLResponseParserTest.java index e5bde81fd..3acf20a41 100644 --- a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/proxy/parser/SAMLResponseParserTest.java +++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/proxy/parser/SAMLResponseParserTest.java @@ -52,6 +52,7 @@ import test.at.gv.egovernment.moa.id.UnitTestCase; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.SAMLStatus; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; import at.gv.egovernment.moa.id.proxy.parser.SAMLResponseParser; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; @@ -209,7 +210,7 @@ public class SAMLResponseParserTest extends UnitTestCase { assertEquals("samlp:Success", status.getStatusCode()); assertEquals("samlp:Success", status.getSubStatusCode()); assertEquals("Ollas leiwand", status.getStatusMessage()); - AuthenticationData authData = parser.parseAuthenticationData(); + SAML1AuthenticationData authData = parser.parseAuthenticationData(); assertEquals(1, authData.getMajorVersion()); assertEquals(0, authData.getMinorVersion()); assertEquals("-4633313027464114584", authData.getAssertionID()); |