aboutsummaryrefslogtreecommitdiff
path: root/id/server/modules/moa-id-module-E-ID_connector/src/main
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/modules/moa-id-module-E-ID_connector/src/main')
-rw-r--r--id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthConstants.java120
-rw-r--r--id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthModuleImpl.java119
-rw-r--r--id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthSpringResourceProvider.java63
-rw-r--r--id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/config/EIDAuthMetadataConfiguration.java355
-rw-r--r--id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/config/EIDAuthRequestBuilderConfiguration.java271
-rw-r--r--id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/controller/EIDAuthMetadataController.java133
-rw-r--r--id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/controller/EIDAuthSignalController.java68
-rw-r--r--id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/tasks/CreateAuthnRequestTask.java146
-rw-r--r--id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/tasks/ReceiveAuthnResponseTask.java309
-rw-r--r--id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/EIDAuthCredentialProvider.java124
-rw-r--r--id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/EIDAuthMetadataProvider.java347
-rw-r--r--id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/Utils.java45
-rw-r--r--id/server/modules/moa-id-module-E-ID_connector/src/main/resources/EID_connector_auth.process.xml17
-rw-r--r--id/server/modules/moa-id-module-E-ID_connector/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider1
-rw-r--r--id/server/modules/moa-id-module-E-ID_connector/src/main/resources/moaid_EID_connector.beans.xml43
15 files changed, 2161 insertions, 0 deletions
diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthConstants.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthConstants.java
new file mode 100644
index 000000000..b057ecaf8
--- /dev/null
+++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthConstants.java
@@ -0,0 +1,120 @@
+/*
+ * Copyright 2019 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eidproxyauth;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
+import at.gv.egiz.eaaf.core.impl.data.Trible;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+
+/**
+ * @author tlenz
+ *
+ */
+public class EIDProxyAuthConstants {
+
+ public static final String MODULE_NAME_FOR_LOGGING = "E-ID proxy authentication";
+
+ public static final int METADATA_VALIDUNTIL_IN_HOURS = 24;
+
+ public static final String HTTP_PARAM_EIDPROXY_AUTH_SELECTION = "forwardToEID";
+
+ public static final String ENDPOINT_POST = "/sp/eid/post";
+ public static final String ENDPOINT_REDIRECT = "/sp/eid/redirect";
+ public static final String ENDPOINT_METADATA = "/sp/eid/metadata";
+
+ public static final String CONFIG_PROPS_PREFIX = "modules.eidproxyauth.";
+ public static final String CONFIG_PROPS_KEYSTORE = CONFIG_PROPS_PREFIX + "keystore.path";
+ public static final String CONFIG_PROPS_KEYSTOREPASSWORD = CONFIG_PROPS_PREFIX + "keystore.password";
+ public static final String CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "metadata.sign.password";
+ public static final String CONFIG_PROPS_SIGN_METADATA_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "metadata.sign.alias";
+ public static final String CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "request.sign.password";
+ public static final String CONFIG_PROPS_SIGN_SIGNING_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "request.sign.alias";
+ public static final String CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.password";
+ public static final String CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.alias";
+ public static final String CONFIG_PROPS_NODE_ENTITYID = CONFIG_PROPS_PREFIX + "EID.entityId";
+ public static final String CONFIG_PROPS_NODE_METADATAURL = CONFIG_PROPS_PREFIX + "EID.metadataUrl";
+ public static final String CONFIG_PROPS_NODE_TRUSTPROFILEID = CONFIG_PROPS_PREFIX + "EID.trustprofileID";
+ public static final String CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST = CONFIG_PROPS_PREFIX + "required.additional.attributes";
+ public static final String CONFIG_PROPS_DISABLE_PROCESS_ENFORCEMENT = CONFIG_PROPS_PREFIX + "enforce.process.disabled";
+
+ public static final String CONFIG_DEFAULT_LOA_EIDAS_LEVEL = EAAFConstants.EIDAS_LOA_HIGH;
+ public static final List<Trible<String, String, Boolean>> DEFAULT_REQUIRED_PVP_ATTRIBUTES =
+ Collections.unmodifiableList(new ArrayList<Trible<String, String, Boolean>>() {
+ private static final long serialVersionUID = 1L;
+ {
+ //add PVP Version attribute
+ add(Trible.newInstance(PVPConstants.PVP_VERSION_NAME, PVPConstants.PVP_VERSION_FRIENDLY_NAME, false));
+
+ //request entity information
+ add(Trible.newInstance(PVPConstants.GIVEN_NAME_NAME, PVPConstants.GIVEN_NAME_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.PRINCIPAL_NAME_NAME, PVPConstants.PRINCIPAL_NAME_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.BIRTHDATE_NAME, PVPConstants.BIRTHDATE_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.BPK_NAME, PVPConstants.BPK_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.BPK_LIST_NAME, PVPConstants.BPK_LIST_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.ENC_BPK_LIST_NAME, PVPConstants.ENC_BPK_LIST_FRIENDLY_NAME, false));
+
+ //E-ID metadata attributes
+ add(Trible.newInstance(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME, PVPConstants.EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME, PVPConstants.EID_CITIZEN_EIDAS_QAA_LEVEL_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.EID_IDENTITY_STATUS_LEVEL_NAME, PVPConstants.EID_IDENTITY_STATUS_LEVEL_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.EID_ISSUING_NATION_NAME, PVPConstants.EID_ISSUING_NATION_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.EID_SIGNER_CERTIFICATE_NAME, PVPConstants.EID_SIGNER_CERTIFICATE_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.EID_CCS_URL_NAME, PVPConstants.EID_CCS_URL_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.EID_E_ID_TOKEN_NAME, PVPConstants.EID_E_ID_TOKEN_FRIENDLY_NAME, false));
+
+ //mandate attributes
+ add(Trible.newInstance(PVPConstants.MANDATE_TYPE_NAME, PVPConstants.MANDATE_TYPE_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.MANDATE_TYPE_OID_NAME, PVPConstants.MANDATE_TYPE_OID_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME, PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.MANDATE_NAT_PER_BPK_NAME, PVPConstants.MANDATE_NAT_PER_BPK_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.MANDATE_NAT_PER_BPK_LIST_NAME, PVPConstants.MANDATE_NAT_PER_BPK_LIST_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.MANDATE_NAT_PER_ENC_BPK_LIST_NAME, PVPConstants.MANDATE_NAT_PER_ENC_BPK_LIST_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME, PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME, PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME, PVPConstants.MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME, PVPConstants.MANDATE_LEG_PER_FULL_NAME_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.MANDATE_PROF_REP_OID_NAME, PVPConstants.MANDATE_PROF_REP_OID_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.MANDATE_PROF_REP_DESC_NAME, PVPConstants.MANDATE_PROF_REP_DESC_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.MANDATE_REFERENCE_VALUE_NAME, PVPConstants.MANDATE_REFERENCE_VALUE_FRIENDLY_NAME, false));
+
+ }
+ });
+
+ public static final List<String> DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES =
+ Collections.unmodifiableList(new ArrayList<String>() {
+ private static final long serialVersionUID = 1L;
+ {
+ for (Trible<String, String, Boolean> el : DEFAULT_REQUIRED_PVP_ATTRIBUTES)
+ add(el.getFirst());
+ }
+ });
+
+
+}
+
+
diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthModuleImpl.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthModuleImpl.java
new file mode 100644
index 000000000..85d9d0f76
--- /dev/null
+++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthModuleImpl.java
@@ -0,0 +1,119 @@
+/*
+ * Copyright 2019 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eidproxyauth;
+
+import java.io.Serializable;
+
+import javax.annotation.PostConstruct;
+
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+
+import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule;
+import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
+import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
+import at.gv.egovernment.moa.id.moduls.AuthenticationManager;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class EIDProxyAuthModuleImpl implements AuthModule {
+
+ @Autowired(required=true) private IConfiguration authConfig;
+ @Autowired(required=true) private AuthenticationManager authManager;
+
+ private int priority = 0;
+ private final String AUTH_PROCESS_NAME = "EIDAuthentication";
+
+ @PostConstruct
+ protected void initalizeEIDProxyAuthentication() {
+ //parameter to whiteList
+ authManager.addParameterNameToWhiteList(EIDProxyAuthConstants.HTTP_PARAM_EIDPROXY_AUTH_SELECTION);
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#getPriority()
+ */
+ @Override
+ public int getPriority() {
+ return priority;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#selectProcess(at.gv.egovernment.moa.id.process.api.ExecutionContext)
+ */
+ @Override
+ public String selectProcess(ExecutionContext context, IRequest pendingReq) {
+
+ if (Boolean.parseBoolean(
+ pendingReq.getServiceProviderConfiguration().getConfigurationValue(
+ MOAIDConfigurationConstants.SERVICE_AUTH_AUSTRIAN_EID_DEMO_MODE,
+ String.valueOf(false)))) {
+ Logger.debug("SP: " + pendingReq.getSPEntityId() + " activates E-ID mode.");
+ return AUTH_PROCESS_NAME;
+
+ } else {
+ if (authConfig.getBasicConfigurationBoolean(EIDProxyAuthConstants.CONFIG_PROPS_DISABLE_PROCESS_ENFORCEMENT, true)) {
+ Logger.trace("Disable E-ID enforcment is 'true' ");
+ Serializable paramObj = context.get(EIDProxyAuthConstants.HTTP_PARAM_EIDPROXY_AUTH_SELECTION);
+ if (paramObj != null ) {
+ if (paramObj instanceof String) {
+ String param = (String)paramObj;
+ if (StringUtils.isNotEmpty(param) && Boolean.parseBoolean(param)) {
+ Logger.debug("Manually selected E-ID authentication process ");
+ return AUTH_PROCESS_NAME;
+ }
+ }
+ }
+
+ return null;
+
+ } else {
+ Logger.trace("Select E-ID authentication process ... ");
+ return AUTH_PROCESS_NAME;
+
+ }
+ }
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#getProcessDefinitions()
+ */
+ @Override
+ public String[] getProcessDefinitions() {
+ return new String[] { "classpath:EID_connector_auth.process.xml" };
+ }
+
+ /**
+ * @param priority the priority to set
+ */
+ public void setPriority(int priority) {
+ this.priority = priority;
+
+ }
+}
diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthSpringResourceProvider.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthSpringResourceProvider.java
new file mode 100644
index 000000000..a38b84122
--- /dev/null
+++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthSpringResourceProvider.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright 2019 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eidproxyauth;
+
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
+
+import at.gv.egiz.components.spring.api.SpringResourceProvider;
+
+/**
+ * @author tlenz
+ *
+ */
+public class EIDProxyAuthSpringResourceProvider implements SpringResourceProvider {
+
+ /* (non-Javadoc)
+ * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getResourcesToLoad()
+ */
+ @Override
+ public Resource[] getResourcesToLoad() {
+ ClassPathResource federationAuthConfig = new ClassPathResource("/moaid_EID_connector.beans.xml", EIDProxyAuthSpringResourceProvider.class);
+
+ return new Resource[] {federationAuthConfig};
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getPackagesToScan()
+ */
+ @Override
+ public String[] getPackagesToScan() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getName()
+ */
+ @Override
+ public String getName() {
+ return "MOA-ID Auth-module 'E-ID Authentication'";
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/config/EIDAuthMetadataConfiguration.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/config/EIDAuthMetadataConfiguration.java
new file mode 100644
index 000000000..bd1157142
--- /dev/null
+++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/config/EIDAuthMetadataConfiguration.java
@@ -0,0 +1,355 @@
+/*
+ * Copyright 2019 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eidproxyauth.config;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.NameIDType;
+import org.opensaml.saml2.metadata.ContactPerson;
+import org.opensaml.saml2.metadata.Organization;
+import org.opensaml.saml2.metadata.RequestedAttribute;
+import org.opensaml.xml.security.credential.Credential;
+
+import at.gv.egiz.eaaf.core.exceptions.EAAFException;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.data.Trible;
+import at.gv.egiz.eaaf.modules.pvp2.api.IPVP2BasicConfiguration;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPVPMetadataBuilderConfiguration;
+import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
+import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPAttributeBuilder;
+import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.EIDProxyAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils.EIDAuthCredentialProvider;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class EIDAuthMetadataConfiguration implements IPVPMetadataBuilderConfiguration {
+
+ private Collection<RequestedAttribute> additionalAttributes = null;
+
+
+ private String authURL;
+ private EIDAuthCredentialProvider credentialProvider;
+ private IPVP2BasicConfiguration pvpConfiguration;
+
+ public EIDAuthMetadataConfiguration(String authURL,
+ EIDAuthCredentialProvider credentialProvider,
+ IPVP2BasicConfiguration pvpConfiguration) {
+ this.authURL = authURL;
+ this.credentialProvider = credentialProvider;
+ this.pvpConfiguration = pvpConfiguration;
+ }
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataValidUntil()
+ */
+ @Override
+ public int getMetadataValidUntil() {
+ return EIDProxyAuthConstants.METADATA_VALIDUNTIL_IN_HOURS;
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildEntitiesDescriptorAsRootElement()
+ */
+ @Override
+ public boolean buildEntitiesDescriptorAsRootElement() {
+ return false;
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildIDPSSODescriptor()
+ */
+ @Override
+ public boolean buildIDPSSODescriptor() {
+ return false;
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildSPSSODescriptor()
+ */
+ @Override
+ public boolean buildSPSSODescriptor() {
+ return true;
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityIDPostfix()
+ */
+ @Override
+ public String getEntityID() {
+ return authURL + EIDProxyAuthConstants.ENDPOINT_METADATA;
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityFriendlyName()
+ */
+ @Override
+ public String getEntityFriendlyName() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getContactPersonInformation()
+ */
+ @Override
+ public List<ContactPerson> getContactPersonInformation() {
+ try {
+ return pvpConfiguration.getIDPContacts();
+
+ } catch (EAAFException e) {
+ Logger.warn("Can not load Metadata entry: Contect Person", e);
+ return null;
+
+ }
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getOrgansiationInformation()
+ */
+ @Override
+ public Organization getOrgansiationInformation() {
+ try {
+ return pvpConfiguration.getIDPOrganisation();
+
+ } catch (EAAFException e) {
+ Logger.warn("Can not load Metadata entry: Organisation", e);
+ return null;
+
+ }
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataSigningCredentials()
+ */
+ @Override
+ public Credential getMetadataSigningCredentials() throws CredentialsNotAvailableException {
+ return credentialProvider.getIDPMetaDataSigningCredential();
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getRequestorResponseSigningCredentials()
+ */
+ @Override
+ public Credential getRequestorResponseSigningCredentials() throws CredentialsNotAvailableException {
+ return credentialProvider.getIDPAssertionSigningCredential();
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEncryptionCredentials()
+ */
+ @Override
+ public Credential getEncryptionCredentials() throws CredentialsNotAvailableException {
+ return credentialProvider.getIDPAssertionEncryptionCredential();
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSOPostBindingURL()
+ */
+ @Override
+ public String getIDPWebSSOPostBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSORedirectBindingURL()
+ */
+ @Override
+ public String getIDPWebSSORedirectBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLOPostBindingURL()
+ */
+ @Override
+ public String getIDPSLOPostBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLORedirectBindingURL()
+ */
+ @Override
+ public String getIDPSLORedirectBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServicePostBindingURL()
+ */
+ @Override
+ public String getSPAssertionConsumerServicePostBindingURL() {
+ return authURL + EIDProxyAuthConstants.ENDPOINT_POST;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServiceRedirectBindingURL()
+ */
+ @Override
+ public String getSPAssertionConsumerServiceRedirectBindingURL() {
+ return authURL + EIDProxyAuthConstants.ENDPOINT_REDIRECT;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOPostBindingURL()
+ */
+ @Override
+ public String getSPSLOPostBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLORedirectBindingURL()
+ */
+ @Override
+ public String getSPSLORedirectBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOSOAPBindingURL()
+ */
+ @Override
+ public String getSPSLOSOAPBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleAttributes()
+ */
+ @Override
+ public List<Attribute> getIDPPossibleAttributes() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleNameITTypes()
+ */
+ @Override
+ public List<String> getIDPPossibleNameITTypes() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPRequiredAttributes()
+ */
+ @Override
+ public Collection<RequestedAttribute> getSPRequiredAttributes() {
+ Map<String, RequestedAttribute> requestedAttributes = new HashMap<String, RequestedAttribute>();
+ for (Trible<String, String, Boolean> el : EIDProxyAuthConstants.DEFAULT_REQUIRED_PVP_ATTRIBUTES)
+ requestedAttributes.put(el.getFirst(), PVPAttributeBuilder.buildReqAttribute(el.getFirst(), el.getSecond(), el.getThird()));
+
+ if (additionalAttributes != null) {
+ Logger.trace("Add additional PVP attributes into metadata ... ");
+ for (RequestedAttribute el : additionalAttributes) {
+ if (requestedAttributes.containsKey(el.getName()))
+ Logger.debug("Attribute " + el.getName() + " is already added by default configuration. Overwrite it by user configuration");
+
+ requestedAttributes.put(el.getName(), el);
+
+ }
+ }
+
+ return requestedAttributes.values();
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAllowedNameITTypes()
+ */
+ @Override
+ public List<String> getSPAllowedNameITTypes() {
+ return Arrays.asList(NameIDType.PERSISTENT);
+
+ }
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#getSPNameForLogging()
+ */
+ @Override
+ public String getSPNameForLogging() {
+ return EIDProxyAuthConstants.MODULE_NAME_FOR_LOGGING;
+ }
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#wantAssertionSigned()
+ */
+ @Override
+ public boolean wantAssertionSigned() {
+ return false;
+ }
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#wantAuthnRequestSigned()
+ */
+ @Override
+ public boolean wantAuthnRequestSigned() {
+ return true;
+ }
+
+ /**
+ * Add additonal PVP attributes that are required by this deployment
+ *
+ * @param additionalAttr List of PVP attribute name and isRequired flag
+ */
+ public void setAdditionalRequiredAttributes(List<Pair<String, Boolean>> additionalAttr) {
+ if (additionalAttr != null) {
+ additionalAttributes = new ArrayList<RequestedAttribute>();
+ for (Pair<String, Boolean> el : additionalAttr) {
+ Attribute attributBuilder = PVPAttributeBuilder.buildEmptyAttribute(el.getFirst());
+ if (attributBuilder != null) {
+ additionalAttributes.add(
+ PVPAttributeBuilder.buildReqAttribute(
+ attributBuilder.getName(),
+ attributBuilder.getFriendlyName(),
+ el.getSecond()));
+
+ } else
+ Logger.info("NO PVP attribute with name: " + el.getFirst());
+
+ }
+ }
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/config/EIDAuthRequestBuilderConfiguration.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/config/EIDAuthRequestBuilderConfiguration.java
new file mode 100644
index 000000000..5ed41c397
--- /dev/null
+++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/config/EIDAuthRequestBuilderConfiguration.java
@@ -0,0 +1,271 @@
+/*
+ * Copyright 2019 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eidproxyauth.config;
+
+import java.util.List;
+
+import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.xml.security.credential.Credential;
+import org.w3c.dom.Element;
+
+import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute;
+import at.gv.egiz.eaaf.modules.pvp2.sp.api.IPVPAuthnRequestBuilderConfiguruation;
+import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.EIDProxyAuthConstants;
+
+/**
+ * @author tlenz
+ *
+ */
+public class EIDAuthRequestBuilderConfiguration implements IPVPAuthnRequestBuilderConfiguruation {
+
+ private boolean isPassive;
+ private String SPEntityID;
+ private String QAA_Level;
+ private EntityDescriptor idpEntity;
+ private Credential signCred;
+ private String scopeRequesterId;
+ private String providerName;
+ private List<EAAFRequestedAttribute> requestedAttributes;
+ private String reqId;
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#isPassivRequest()
+ */
+ @Override
+ public Boolean isPassivRequest() {
+ return this.isPassive;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAssertionConsumerServiceId()
+ */
+ @Override
+ public Integer getAssertionConsumerServiceId() {
+ return 0;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getEntityID()
+ */
+ @Override
+ public String getSPEntityID() {
+ return this.SPEntityID;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy()
+ */
+ @Override
+ public String getNameIDPolicyFormat() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy()
+ */
+ @Override
+ public boolean getNameIDPolicyAllowCreation() {
+ return true;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnContextClassRef()
+ */
+ @Override
+ public String getAuthnContextClassRef() {
+ return this.QAA_Level;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnContextComparison()
+ */
+ @Override
+ public AuthnContextComparisonTypeEnumeration getAuthnContextComparison() {
+ return AuthnContextComparisonTypeEnumeration.MINIMUM;
+ }
+
+ /**
+ * @param isPassive the isPassive to set
+ */
+ public void setPassive(boolean isPassive) {
+ this.isPassive = isPassive;
+ }
+
+ /**
+ * @param sPEntityID the sPEntityID to set
+ */
+ public void setSPEntityID(String sPEntityID) {
+ SPEntityID = sPEntityID;
+ }
+
+ /**
+ * @param qAA_Level the qAA_Level to set
+ */
+ public void setQAA_Level(String qAA_Level) {
+ QAA_Level = qAA_Level;
+ }
+
+ /**
+ * @param idpEntity the idpEntity to set
+ */
+ public void setIdpEntity(EntityDescriptor idpEntity) {
+ this.idpEntity = idpEntity;
+ }
+
+ /**
+ * @param signCred the signCred to set
+ */
+ public void setSignCred(Credential signCred) {
+ this.signCred = signCred;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnRequestSigningCredential()
+ */
+ @Override
+ public Credential getAuthnRequestSigningCredential() {
+ return this.signCred;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getIDPEntityDescriptor()
+ */
+ @Override
+ public EntityDescriptor getIDPEntityDescriptor() {
+ return this.idpEntity;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameID()
+ */
+ @Override
+ public String getSubjectNameID() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSPNameForLogging()
+ */
+ @Override
+ public String getSPNameForLogging() {
+ return EIDProxyAuthConstants.MODULE_NAME_FOR_LOGGING;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDFormat()
+ */
+ @Override
+ public String getSubjectNameIDFormat() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getRequestID()
+ */
+ @Override
+ public String getRequestID() {
+ return this.reqId;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDQualifier()
+ */
+ @Override
+ public String getSubjectNameIDQualifier() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationMethode()
+ */
+ @Override
+ public String getSubjectConformationMethode() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationDate()
+ */
+ @Override
+ public Element getSubjectConformationDate() {
+ return null;
+ }
+
+ @Override
+ public List<EAAFRequestedAttribute> getRequestedAttributes() {
+ return this.requestedAttributes;
+
+ }
+
+ @Override
+ public String getProviderName() {
+ return this.providerName;
+ }
+
+ @Override
+ public String getScopeRequesterId() {
+ return this.scopeRequesterId;
+ }
+
+ /**
+ * Set the entityId of the SP that requests the proxy for eIDAS authentication
+ *
+ * @param scopeRequesterId
+ */
+ public void setScopeRequesterId(String scopeRequesterId) {
+ this.scopeRequesterId = scopeRequesterId;
+ }
+
+ /**
+ * Set a friendlyName for the SP that requests the proxy for eIDAS authentication
+ *
+ * @param providerName
+ */
+ public void setProviderName(String providerName) {
+ this.providerName = providerName;
+ }
+
+ /**
+ * Set a Set of PVP attributes that a requested by using requested attributes
+ *
+ * @param requestedAttributes
+ */
+ public void setRequestedAttributes(List<EAAFRequestedAttribute> requestedAttributes) {
+ this.requestedAttributes = requestedAttributes;
+ }
+
+ /**
+ * Set a RequestId for this Authn. Request
+ *
+ * @param reqId
+ */
+ public void setRequestId(String reqId) {
+ this.reqId = reqId;
+ }
+
+
+
+
+}
diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/controller/EIDAuthMetadataController.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/controller/EIDAuthMetadataController.java
new file mode 100644
index 000000000..90ecb0942
--- /dev/null
+++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/controller/EIDAuthMetadataController.java
@@ -0,0 +1,133 @@
+/*
+ * Copyright 2019 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eidproxyauth.controller;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+import com.google.common.net.MediaType;
+
+import at.gv.egiz.eaaf.core.exceptions.EAAFException;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController;
+import at.gv.egiz.eaaf.core.impl.utils.HTTPUtils;
+import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils;
+import at.gv.egiz.eaaf.modules.pvp2.api.IPVP2BasicConfiguration;
+import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPMetadataBuilder;
+import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.EIDProxyAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.config.EIDAuthMetadataConfiguration;
+import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils.EIDAuthCredentialProvider;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+@Controller
+public class EIDAuthMetadataController extends AbstractController {
+
+ @Autowired PVPMetadataBuilder metadatabuilder;
+ @Autowired AuthConfiguration authConfig;
+ @Autowired EIDAuthCredentialProvider credentialProvider;
+ @Autowired IPVP2BasicConfiguration pvpConfiguration;
+
+ public EIDAuthMetadataController() {
+ super();
+ Logger.debug("Registering servlet " + getClass().getName()
+ + " with mappings '" + EIDProxyAuthConstants.ENDPOINT_METADATA
+ + "'.");
+
+ }
+
+ @RequestMapping(value = EIDProxyAuthConstants.ENDPOINT_METADATA,
+ method = {RequestMethod.GET})
+ public void getSPMetadata(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException {
+ //check PublicURL prefix
+ try {
+ String authURL = HTTPUtils.extractAuthURLFromRequest(req);
+ if (!authConfig.getPublicURLPrefix().contains(authURL)) {
+ resp.sendError(HttpServletResponse.SC_FORBIDDEN, "No valid request URL");
+ return;
+
+ } else {
+ //initialize metadata builder configuration
+ EIDAuthMetadataConfiguration metadataConfig =
+ new EIDAuthMetadataConfiguration(authURL, credentialProvider, pvpConfiguration);
+ metadataConfig.setAdditionalRequiredAttributes(getAdditonalRequiredAttributes());
+
+ //build metadata
+ String xmlMetadata = metadatabuilder.buildPVPMetadata(metadataConfig);
+
+ //write response
+ byte[] content = xmlMetadata.getBytes("UTF-8");
+ resp.setStatus(HttpServletResponse.SC_OK);
+ resp.setContentLength(content.length);
+ resp.setContentType(MediaType.XML_UTF_8.toString());
+ resp.getOutputStream().write(content);
+
+ }
+
+ } catch (Exception e) {
+ Logger.warn("Build E-ID Proxy PVP metadata FAILED.", e);
+ protAuthService.handleErrorNoRedirect(e, req, resp, false);
+
+ }
+
+ }
+
+ private List<Pair<String, Boolean>> getAdditonalRequiredAttributes() {
+ Map<String, String> addReqAttributes = authConfig.getBasicConfigurationWithPrefix(EIDProxyAuthConstants.CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST);
+ if (addReqAttributes != null) {
+ List<Pair<String, Boolean>> result = new ArrayList<Pair<String, Boolean>>();
+ for (String el : addReqAttributes.values()) {
+ if (MiscUtil.isNotEmpty(el)) {
+ Logger.trace("Parse additional attr. definition: " + el);
+ List<String> attr = KeyValueUtils.getListOfCSVValues(el.trim());
+ if (attr.size() == 2) {
+ result.add(Pair.newInstance(attr.get(0), Boolean.parseBoolean(attr.get(1))));
+
+ } else
+ Logger.info("IGNORE additional attr. definition: " + el
+ + " Reason: Format not valid");
+ }
+ }
+
+ return result;
+ }
+
+ return null;
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/controller/EIDAuthSignalController.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/controller/EIDAuthSignalController.java
new file mode 100644
index 000000000..16a6e5aab
--- /dev/null
+++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/controller/EIDAuthSignalController.java
@@ -0,0 +1,68 @@
+/*
+ * Copyright 2019 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eidproxyauth.controller;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.text.StringEscapeUtils;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+import at.gv.egiz.eaaf.core.exceptions.EAAFException;
+import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController;
+import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.EIDProxyAuthConstants;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+@Controller
+public class EIDAuthSignalController extends AbstractProcessEngineSignalController {
+
+ public EIDAuthSignalController() {
+ super();
+ Logger.debug("Registering servlet " + getClass().getName()
+ + " with mappings '" + EIDProxyAuthConstants.ENDPOINT_POST
+ + "' and '" + EIDProxyAuthConstants.ENDPOINT_REDIRECT + "'.");
+
+ }
+
+ @RequestMapping(value = { EIDProxyAuthConstants.ENDPOINT_POST,
+ EIDProxyAuthConstants.ENDPOINT_REDIRECT
+ },
+ method = {RequestMethod.POST, RequestMethod.GET})
+ public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException {
+ signalProcessManagement(req, resp);
+
+ }
+
+ public String getPendingRequestId(HttpServletRequest request) {
+ return StringEscapeUtils.escapeHtml4(request.getParameter("RelayState"));
+
+ }
+}
diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/tasks/CreateAuthnRequestTask.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/tasks/CreateAuthnRequestTask.java
new file mode 100644
index 000000000..38a7c4add
--- /dev/null
+++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/tasks/CreateAuthnRequestTask.java
@@ -0,0 +1,146 @@
+/*
+ * Copyright 2019 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eidproxyauth.tasks;
+
+import java.security.NoSuchAlgorithmException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.xml.security.SecurityException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
+import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
+import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask;
+import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnRequestBuildException;
+import at.gv.egiz.eaaf.modules.pvp2.sp.impl.PVPAuthnRequestBuilder;
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
+import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.EIDProxyAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.config.EIDAuthRequestBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils.EIDAuthCredentialProvider;
+import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils.EIDAuthMetadataProvider;
+import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils.Utils;
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+@Component("CreateEIDSystemAuthnRequestTask")
+public class CreateAuthnRequestTask extends AbstractAuthServletTask {
+
+ @Autowired PVPAuthnRequestBuilder authnReqBuilder;
+ @Autowired EIDAuthCredentialProvider credential;
+ @Autowired EIDAuthMetadataProvider metadataService;
+
+ //@Autowired(required=true) ILoALevelMapper loaMapper;
+ //@Autowired(required=true) MOAMetadataProvider metadataProvider;
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+ */
+ @Override
+ public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+ throws TaskExecutionException {
+ try{
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_EID_SERVICE_SELECTED);
+
+ // get entityID for central ms-specific eIDAS node
+ String msNodeEntityID = Utils.getEIDSystemEntityId(pendingReq.getServiceProviderConfiguration(), authConfig);
+
+
+ if (MiscUtil.isEmpty(msNodeEntityID)) {
+ Logger.info("E-ID authentication not possible -> NO EntityID for E-ID System FOUND!");
+ throw new MOAIDException("NO EntityID for E-ID System FOUND", null);
+
+ }
+
+ //load metadata with metadataURL, as backup
+ String metadataURL = authConfig.getBasicConfiguration(EIDProxyAuthConstants.CONFIG_PROPS_NODE_METADATAURL);
+ if (MiscUtil.isNotEmpty(metadataURL)) {
+ Logger.warn("Use not recommended metadata-provider initialization!"
+ + " SAML2 'Well-Known-Location' is the preferred methode.");
+ Logger.info("Initialize 'E-ID System' metadata-provider with URL:" + metadataURL);
+ metadataService.addMetadataWithMetadataURL(metadataURL);
+
+ }
+
+ //load IDP SAML2 entitydescriptor
+ EntityDescriptor entityDesc = metadataService.getEntityDescriptor(msNodeEntityID);
+ if (entityDesc == null) {
+ Logger.error("Requested 'E-ID System' " + entityDesc
+ + " has no valid metadata or metadata is not found");
+ throw new MOAIDException("Requested 'E-ID System' " + entityDesc
+ + " has no valid metadata or metadata is not found", null);
+
+ }
+
+ //setup AuthnRequestBuilder configuration
+ EIDAuthRequestBuilderConfiguration authnReqConfig = new EIDAuthRequestBuilderConfiguration();
+ SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator();
+ authnReqConfig.setRequestId(gen.generateIdentifier());
+ authnReqConfig.setIdpEntity(entityDesc);
+ authnReqConfig.setPassive(false);
+ authnReqConfig.setSignCred(credential.getIDPAssertionSigningCredential());
+ authnReqConfig.setSPEntityID(pendingReq.getAuthURL() + EIDProxyAuthConstants.ENDPOINT_METADATA);
+ authnReqConfig.setScopeRequesterId(pendingReq.getServiceProviderConfiguration().getUniqueIdentifier());
+
+ //build and transmit AuthnRequest
+ authnReqBuilder.buildAuthnRequest(pendingReq, authnReqConfig , response);
+
+ revisionsLogger.logEvent(pendingReq,
+ MOAIDEventConstants.AUTHPROCESS_EID_SERVICE_REQUESTED,
+ authnReqConfig.getRequestID());
+
+ } catch (MOAIDException e) {
+ throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+
+ } catch (MetadataProviderException e) {
+
+ throw new TaskExecutionException(pendingReq,
+ "Build PVP2.1 AuthnRequest to connect 'E-ID System' FAILED.",
+ new AuthnRequestBuildException("sp.pvp2.02", new Object[] {"'E-ID System'"},e ));
+
+ } catch (MessageEncodingException | NoSuchAlgorithmException | SecurityException e) {
+ Logger.error("Build PVP2.1 AuthnRequest to connect 'E-ID System' FAILED", e);
+ throw new TaskExecutionException(pendingReq,
+ e.getMessage(),
+ new AuthnRequestBuildException("sp.pvp2.13", new Object[] {"'E-ID System'"},e ));
+
+ } catch (Exception e) {
+ Logger.error("Build PVP2.1 AuthnRequest to connect 'E-ID System' FAILED", e);
+ throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+
+ }
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/tasks/ReceiveAuthnResponseTask.java
new file mode 100644
index 000000000..6da4ba047
--- /dev/null
+++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/tasks/ReceiveAuthnResponseTask.java
@@ -0,0 +1,309 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eidproxyauth.tasks;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.Set;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.transform.TransformerException;
+
+import org.apache.commons.lang3.StringUtils;
+import org.opensaml.saml2.core.Response;
+import org.opensaml.saml2.core.StatusCode;
+import org.opensaml.ws.message.decoder.MessageDecodingException;
+import org.opensaml.xml.io.MarshallingException;
+import org.opensaml.xml.security.SecurityException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
+import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
+import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException;
+import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
+import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
+import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask;
+import at.gv.egiz.eaaf.modules.pvp2.PVPConstants;
+import at.gv.egiz.eaaf.modules.pvp2.api.binding.IDecoder;
+import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
+import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding;
+import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.PVPSProfileResponse;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EAAFURICompare;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory;
+import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionValidationExeption;
+import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnResponseValidationException;
+import at.gv.egiz.eaaf.modules.pvp2.sp.impl.utils.AssertionAttributeExtractor;
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionWrapper;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.EIDProxyAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils.EIDAuthCredentialProvider;
+import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils.EIDAuthMetadataProvider;
+import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils.Utils;
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+@Component("ReceiveEIDSystemAuthnResponseTask")
+public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
+
+ @Autowired private SAMLVerificationEngineSP samlVerificationEngine;
+ @Autowired private EIDAuthCredentialProvider credentialProvider;
+ @Autowired(required=true) EIDAuthMetadataProvider metadataProvider;
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+ */
+ @Override
+ public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+ throws TaskExecutionException {
+ InboundMessage msg = null;
+
+ try {
+
+ IDecoder decoder = null;
+ EAAFURICompare comperator = null;
+ //select Response Binding
+ if (request.getMethod().equalsIgnoreCase("POST")) {
+ decoder = new PostBinding();
+ comperator = new EAAFURICompare(pendingReq.getAuthURL() + EIDProxyAuthConstants.ENDPOINT_POST);
+ Logger.trace("Receive PVP Response from 'E-ID System', by using POST-Binding.");
+
+ } else if (request.getMethod().equalsIgnoreCase("GET")) {
+ decoder = new RedirectBinding();
+ comperator = new EAAFURICompare(pendingReq.getAuthURL() + EIDProxyAuthConstants.ENDPOINT_REDIRECT);
+ Logger.trace("Receive PVP Response from 'E-ID System', by using Redirect-Binding.");
+
+ } else {
+ Logger.warn("Receive PVP Response, but Binding ("
+ + request.getMethod() + ") is not supported.");
+ throw new AuthnResponseValidationException("sp.pvp2.03", new Object[] {EIDProxyAuthConstants.MODULE_NAME_FOR_LOGGING});
+
+ }
+
+ //decode PVP response object
+ msg = (InboundMessage) decoder.decode(
+ request, response, metadataProvider, true,
+ comperator);
+
+ if (MiscUtil.isEmpty(msg.getEntityID())) {
+ throw new InvalidProtocolRequestException("sp.pvp2.04",
+ new Object[] {EIDProxyAuthConstants.MODULE_NAME_FOR_LOGGING});
+
+ }
+
+ //validate response signature
+ if(!msg.isVerified()) {
+ samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
+ msg.setVerified(true);
+
+ }
+
+ //validate assertion
+ PVPSProfileResponse processedMsg = preProcessAuthResponse((PVPSProfileResponse) msg);
+
+ //validate entityId of response
+ String msNodeEntityID = Utils.getEIDSystemEntityId(pendingReq.getServiceProviderConfiguration(), authConfig);
+ String respEntityId = msg.getEntityID();
+ if (!msNodeEntityID.equals(respEntityId)) {
+ Logger.warn("Response Issuer is not a 'E-ID System'. Stopping authentication via E-ID Proxy ...");
+ throw new AuthnResponseValidationException("sp.pvp2.08",
+ new Object[] {EIDProxyAuthConstants.MODULE_NAME_FOR_LOGGING,
+ msg.getEntityID()});
+
+ }
+
+ //initialize Attribute extractor
+ AssertionAttributeExtractor extractor =
+ new AssertionAttributeExtractor((Response) processedMsg.getResponse());
+
+ getAuthDataFromInterfederation(extractor, pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class));
+
+ //set NeedConsent to false, because user gives consont during authentication
+ pendingReq.setNeedUserConsent(false);
+
+ //store pending-request
+ requestStoreage.storePendingRequest(pendingReq);
+
+ //write log entries
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_EID_SERVICE_ATTRIBUTES_VALID);
+ Logger.info("Receive a valid assertion from E-ID System " + msg.getEntityID());
+
+ } catch (MessageDecodingException | SecurityException e) {
+ String samlRequest = request.getParameter("SAMLRequest");
+ Logger.warn("Receive INVALID PVP Response from 'E-ID System': " + samlRequest, e);
+ throw new TaskExecutionException(pendingReq, "Receive INVALID PVP Response from federated IDP",
+ new AuthnResponseValidationException("sp.pvp2.11", new Object[] {"'E-ID System'"}, e));
+
+ } catch (IOException | MarshallingException | TransformerException e) {
+ Logger.warn("Processing PVP response from 'ms-specific eIDAS node' FAILED.", e);
+ throw new TaskExecutionException(pendingReq, "Processing PVP response from 'E-ID System' FAILED.",
+ new AuthnResponseValidationException("sp.pvp2.12", new Object[] {"'E-ID System'", e.getMessage()}, e));
+
+ } catch (CredentialsNotAvailableException e) {
+ Logger.error("PVP response decrytion FAILED. No credential found.", e);
+ throw new TaskExecutionException(pendingReq, "PVP response decrytion FAILED. No credential found.",
+ new AuthnResponseValidationException("sp.pvp2.10", new Object[] {"'E-ID System'"}, e));
+
+ } catch (AssertionValidationExeption | AuthnResponseValidationException e) {
+ Logger.info("PVP response validation FAILED. Msg:" + e.getMessage());
+ throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.",
+ new AuthnResponseValidationException("sp.pvp2.10", new Object[] {"'E-ID System'"}, e));
+
+ } catch (Exception e) {
+ Logger.warn("PVP response validation FAILED. Msg:" + e.getMessage(), e);
+ throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.",
+ new AuthnResponseValidationException("sp.pvp2.12", new Object[] {"'E-ID System'", e.getMessage()}, e));
+
+ }
+
+ }
+
+ private void getAuthDataFromInterfederation(AssertionAttributeExtractor extractor, IOAAuthParameters spConfig) throws BuildException, ConfigurationException{
+ try {
+ //check if all attributes are include
+// if (!extractor.containsAllRequiredAttributes()
+// && !extractor.containsAllRequiredAttributes(EIDProxyAuthConstants.DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES)) {
+// Logger.warn("PVP Response from 'E-ID System' contains not all requested attributes.");
+// throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{EIDProxyAuthConstants.MODULE_NAME_FOR_LOGGING});
+//
+// }
+
+ //copy attributes into MOASession
+ AuthenticationSessionWrapper session = pendingReq.getSessionData(AuthenticationSessionWrapper.class);
+ Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames();
+ for (String el : includedAttrNames) {
+ String value = extractor.getSingleAttributeValue(el);
+ session.setGenericDataToSession(el, value);
+ Logger.debug("Add PVP-attribute " + el + " into MOASession");
+
+ }
+
+ //set foreigner flag
+ List<String> eidIssuer = extractor.getAttributeValues(PVPConstants.EID_ISSUING_NATION_NAME);
+ if (eidIssuer != null && !eidIssuer.isEmpty() && MiscUtil.isNotEmpty(eidIssuer.get(0))) {
+ String cc = eidIssuer.get(0);
+ Logger.debug("Find Attr: '" + PVPConstants.EID_ISSUING_NATION_FRIENDLY_NAME + "' with value: " + cc);
+ if (EAAFConstants.COUNTRYCODE_AUSTRIA.equals(cc))
+ session.setForeigner(false);
+ else
+ session.setForeigner(true);
+
+ }
+
+ //set BKU URL
+ List<String> ccsUrl = extractor.getAttributeValues(PVPConstants.EID_CCS_URL_NAME);
+ if (ccsUrl != null && !ccsUrl.isEmpty() && MiscUtil.isNotEmpty(ccsUrl.get(0)))
+ session.setBkuURL(ccsUrl.get(0));
+ else if (extractor.getFullAssertion().getIssuer() != null &&
+ StringUtils.isNotEmpty(extractor.getFullAssertion().getIssuer().getValue()))
+ session.setBkuURL(extractor.getFullAssertion().getIssuer().getValue());
+ else
+ session.setBkuURL("E-ID_Authentication");
+
+ //check if mandates are included
+ if (extractor.containsAttribute(PVPConstants.MANDATE_TYPE_NAME)
+ || extractor.containsAttribute(PVPConstants.MANDATE_TYPE_OID_NAME)
+ || extractor.containsAttribute(PVPConstants.MANDATE_REFERENCE_VALUE_NAME) ) {
+
+ Logger.debug("Find Mandate-Attributes in E-ID response. Switch to mandate-mode ... ");
+ session.setUseMandates(true);
+
+ //check if mandate was used by ...
+ if (extractor.containsAttribute(PVPConstants.MANDATE_PROF_REP_OID_NAME) ||
+ extractor.containsAttribute(PVPConstants.MANDATE_PROF_REP_DESC_NAME) ) {
+ Logger.debug("Find PROF_REP information in mandate. Switch to 'Organwalter' mode ...");
+ session.setOW(true);
+
+ }
+
+ }
+
+
+
+
+// } catch (AssertionValidationExeption e) {
+// throw new BuildException("builder.06", null, e);
+
+ } catch (EAAFStorageException e) {
+ throw new BuildException("builder.06", null, e);
+
+ }
+ }
+
+ /**
+ * PreProcess AuthResponse and Assertion
+ * @param msg
+ * @throws TransformerException
+ * @throws MarshallingException
+ * @throws IOException
+ * @throws CredentialsNotAvailableException
+ * @throws AssertionValidationExeption
+ * @throws AuthnResponseValidationException
+ */
+ private PVPSProfileResponse preProcessAuthResponse(PVPSProfileResponse msg) throws IOException, MarshallingException, TransformerException, AssertionValidationExeption, CredentialsNotAvailableException, AuthnResponseValidationException {
+ Logger.debug("Start PVP21 assertion processing... ");
+ Response samlResp = (Response) msg.getResponse();
+
+ // check SAML2 response status-code
+ if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+ //validate PVP 2.1 assertion
+ samlVerificationEngine.validateAssertion(samlResp, true,
+ credentialProvider.getIDPAssertionEncryptionCredential(),
+ pendingReq.getAuthURL() + EIDProxyAuthConstants.ENDPOINT_METADATA,
+ EIDProxyAuthConstants.MODULE_NAME_FOR_LOGGING);
+
+ msg.setSAMLMessage(SAML2Utils.asDOMDocument(samlResp).getDocumentElement());
+ revisionsLogger.logEvent(pendingReq,
+ MOAIDEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_RECEIVED,
+ samlResp.getID());
+ return msg;
+
+ } else {
+ Logger.info("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue()
+ + " from 'E-ID System'.");
+ revisionsLogger.logEvent(pendingReq,
+ MOAIDEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_RECEIVED_ERROR);
+ throw new AuthnResponseValidationException("sp.pvp2.05",
+ new Object[]{EIDProxyAuthConstants.MODULE_NAME_FOR_LOGGING,
+ samlResp.getIssuer().getValue(),
+ samlResp.getStatus().getStatusCode().getValue(),
+ samlResp.getStatus().getStatusMessage().getMessage()});
+
+ }
+
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/EIDAuthCredentialProvider.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/EIDAuthCredentialProvider.java
new file mode 100644
index 000000000..a9b886a85
--- /dev/null
+++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/EIDAuthCredentialProvider.java
@@ -0,0 +1,124 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import at.gv.egiz.eaaf.core.impl.utils.FileUtils;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider;
+import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.EIDProxyAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+
+/**
+ * @author tlenz
+ *
+ */
+@Service("EIDAuthCredentialProvider")
+public class EIDAuthCredentialProvider extends AbstractCredentialProvider {
+
+ @Autowired AuthConfiguration authConfig;
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getKeyStoreFilePath()
+ */
+ @Override
+ public String getKeyStoreFilePath() throws ConfigurationException {
+ return FileUtils.makeAbsoluteURL(
+ authConfig.getBasicConfiguration(EIDProxyAuthConstants.CONFIG_PROPS_KEYSTORE),
+ authConfig.getRootConfigFileDir());
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getKeyStorePassword()
+ */
+ @Override
+ public String getKeyStorePassword() {
+ return authConfig.getBasicConfiguration(EIDProxyAuthConstants.CONFIG_PROPS_KEYSTOREPASSWORD).trim();
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getMetadataKeyAlias()
+ */
+ @Override
+ public String getMetadataKeyAlias() {
+ return authConfig.getBasicConfiguration(
+ EIDProxyAuthConstants.CONFIG_PROPS_SIGN_METADATA_ALIAS_PASSWORD).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getMetadataKeyPassword()
+ */
+ @Override
+ public String getMetadataKeyPassword() {
+ return authConfig.getBasicConfiguration(
+ EIDProxyAuthConstants.CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getSignatureKeyAlias()
+ */
+ @Override
+ public String getSignatureKeyAlias() {
+ return authConfig.getBasicConfiguration(
+ EIDProxyAuthConstants.CONFIG_PROPS_SIGN_SIGNING_ALIAS_PASSWORD).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getSignatureKeyPassword()
+ */
+ @Override
+ public String getSignatureKeyPassword() {
+ return authConfig.getBasicConfiguration(
+ EIDProxyAuthConstants.CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getEncryptionKeyAlias()
+ */
+ @Override
+ public String getEncryptionKeyAlias() {
+ return authConfig.getBasicConfiguration(
+ EIDProxyAuthConstants.CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getEncryptionKeyPassword()
+ */
+ @Override
+ public String getEncryptionKeyPassword() {
+ return authConfig.getBasicConfiguration(
+ EIDProxyAuthConstants.CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getCredentialName()
+ */
+ @Override
+ public String getFriendlyName() {
+ return "E-ID Proxy authentication";
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/EIDAuthMetadataProvider.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/EIDAuthMetadataProvider.java
new file mode 100644
index 000000000..649cfa691
--- /dev/null
+++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/EIDAuthMetadataProvider.java
@@ -0,0 +1,347 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils;
+
+import java.net.MalformedURLException;
+import java.util.List;
+import java.util.Timer;
+
+import javax.xml.namespace.QName;
+
+import org.apache.commons.httpclient.HttpClient;
+import org.apache.commons.httpclient.MOAHttpClient;
+import org.apache.commons.httpclient.params.HttpClientParams;
+import org.opensaml.saml2.metadata.EntitiesDescriptor;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.RoleDescriptor;
+import org.opensaml.saml2.metadata.provider.ChainingMetadataProvider;
+import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.saml2.metadata.provider.MetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.xml.XMLObject;
+import org.opensaml.xml.parse.BasicParserPool;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import at.gv.egiz.components.spring.api.IDestroyableObject;
+import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.MetadataFilterChain;
+import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.SimpleMetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SchemaValidationFilter;
+import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.EIDProxyAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
+import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MOASPMetadataSignatureFilter;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+
+@Service("EIDAuthMetadataProvider")
+public class EIDAuthMetadataProvider extends SimpleMetadataProvider
+ implements IDestroyableObject {
+ @Autowired(required=true) AuthConfiguration moaAuthConfig;
+
+ private ChainingMetadataProvider metadataProvider = new ChainingMetadataProvider();
+ private Timer timer = null;
+
+
+ public EIDAuthMetadataProvider() {
+ metadataProvider.setRequireValidMetadata(true);
+
+ }
+
+ public void addMetadataWithMetadataURL(String metadataURL) throws MetadataProviderException {
+ internalInitialize(metadataURL);
+
+ }
+
+ public void destroy() {
+ fullyDestroy();
+
+ }
+
+
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#requireValidMetadata()
+ */
+ @Override
+ public boolean requireValidMetadata() {
+ return metadataProvider.requireValidMetadata();
+
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#setRequireValidMetadata(boolean)
+ */
+ @Override
+ public void setRequireValidMetadata(boolean requireValidMetadata) {
+ metadataProvider.setRequireValidMetadata(requireValidMetadata);
+
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getMetadataFilter()
+ */
+ @Override
+ public MetadataFilter getMetadataFilter() {
+ return metadataProvider.getMetadataFilter();
+
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#setMetadataFilter(org.opensaml.saml2.metadata.provider.MetadataFilter)
+ */
+ @Override
+ public void setMetadataFilter(MetadataFilter newFilter) throws MetadataProviderException {
+ Logger.fatal("Set Metadata Filter is not implemented her!");
+
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getMetadata()
+ */
+ @Override
+ public XMLObject getMetadata() throws MetadataProviderException {
+ return metadataProvider.getMetadata();
+
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getEntitiesDescriptor(java.lang.String)
+ */
+ @Override
+ public EntitiesDescriptor getEntitiesDescriptor(String name) throws MetadataProviderException {
+ return metadataProvider.getEntitiesDescriptor(name);
+
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getEntityDescriptor(java.lang.String)
+ */
+ @Override
+ public EntityDescriptor getEntityDescriptor(String entityID) throws MetadataProviderException {
+ try {
+ //search if metadata is already loaded
+ EntityDescriptor entityDesc = metadataProvider.getEntityDescriptor(entityID);
+
+ if (entityDesc != null)
+ return entityDesc;
+ else
+ Logger.info("No metadata from centrial E-ID system " + entityID + " Starting refresh process ...");
+
+ } catch (MetadataProviderException e) {
+ Logger.info("Access metadata from centrial E-ID system: " + entityID + " FAILED. Reason:" + e.getMessage() + " Starting refresh process ...");
+
+ }
+
+ //(re)initialize ms-specific eIDAS node
+ internalInitialize(entityID);
+
+ //search again after reload (re)initialization
+ try {
+ EntityDescriptor entityDesc = metadataProvider.getEntityDescriptor(entityID);
+ if (entityDesc == null) {
+ Logger.error("E-ID Proxy Client ERROR: No EntityID with "+ entityID);
+ throw new MetadataProviderException("No EntityID with "+ entityID);
+ }
+
+ return entityDesc;
+
+ } catch (MetadataProviderException e) {
+ Logger.error("E-ID Proxy Client ERROR: Metadata extraction FAILED.", e);
+ throw new MetadataProviderException("Metadata extraction FAILED", e);
+
+ }
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getRole(java.lang.String, javax.xml.namespace.QName)
+ */
+ @Override
+ public List<RoleDescriptor> getRole(String entityID, QName roleName) throws MetadataProviderException {
+ try {
+ //search if metadata is already loaded
+ List<RoleDescriptor> role = metadataProvider.getRole(entityID, roleName);
+
+ if (role != null)
+ return role;
+ else
+ Logger.info("No metadata from centrial E-ID system: " + entityID + " Starting refresh process ...");
+
+ } catch (MetadataProviderException e) {
+ Logger.info("Access metadata from centrial E-ID system: " + entityID + " FAILED. Reason:" + e.getMessage() + " Starting refresh process ...");
+
+ }
+
+ //(re)initialize ms-specific eIDAS node
+ internalInitialize(entityID);
+
+ //search again after reload (re)initialization
+ return metadataProvider.getRole(entityID, roleName);
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getRole(java.lang.String, javax.xml.namespace.QName, java.lang.String)
+ */
+ @Override
+ public RoleDescriptor getRole(String entityID, QName roleName, String supportedProtocol)
+ throws MetadataProviderException {
+ try {
+ //search if metadata is already loaded
+ RoleDescriptor role = metadataProvider.getRole(entityID, roleName, supportedProtocol);
+
+ if (role != null)
+ return role;
+ else
+ Logger.info("No metadata from centrial E-ID system: " + entityID + " Starting refresh process ...");
+
+ } catch (MetadataProviderException e) {
+ Logger.info("Access metadata from centrial E-ID system: " + entityID + " FAILED. Reason:" + e.getMessage() + " Starting refresh process ...");
+
+ }
+
+ //(re)initialize ms-specific eIDAS node
+ internalInitialize(entityID);
+
+ //search again after reload (re)initialization
+ return metadataProvider.getRole(entityID, roleName, supportedProtocol);
+ }
+
+ private synchronized void internalInitialize(String metdataURL) throws MetadataProviderException {
+
+ //check if metadata with EntityID already exists in chaining metadata provider
+ boolean addNewMetadata = true;
+ try {
+ addNewMetadata = (metadataProvider.getEntityDescriptor(metdataURL) == null);
+
+ } catch (MetadataProviderException e) {}
+
+ //switch between metadata refresh and add new metadata
+ if (addNewMetadata) {
+ //Metadata provider seems not loaded --> Add new metadata provider
+ Logger.info("Initialize PVP MetadataProvider:" + metdataURL + " to connect centrial E-ID system");
+
+ String trustProfileID = authConfig.getBasicConfiguration(EIDProxyAuthConstants.CONFIG_PROPS_NODE_TRUSTPROFILEID);
+ if (MiscUtil.isEmpty(trustProfileID)) {
+ Logger.error("Create E-ID proxy client FAILED: No trustProfileID to verify PVP metadata." );
+ throw new MetadataProviderException("No trustProfileID to verify PVP metadata.");
+ }
+
+ //initialize Timer if it is null
+ if (timer == null)
+ timer = new Timer(true);
+
+ //create metadata validation filter chain
+ MetadataFilterChain filter = new MetadataFilterChain();
+ filter.addFilter(new SchemaValidationFilter(true));
+ filter.addFilter(new MOASPMetadataSignatureFilter(trustProfileID));
+
+ MetadataProvider idpMetadataProvider = createNewSimpleMetadataProvider(metdataURL,
+ filter,
+ EIDProxyAuthConstants.MODULE_NAME_FOR_LOGGING,
+ timer,
+ new BasicParserPool(),
+ createHttpClient(metdataURL));
+
+ if (idpMetadataProvider == null) {
+ Logger.error("Create E-ID Proxy client FAILED.");
+ throw new MetadataProviderException("Can not initialize 'E-ID Proxy client' metadata provider.");
+
+ }
+
+ idpMetadataProvider.setRequireValidMetadata(true);
+ metadataProvider.addMetadataProvider(idpMetadataProvider);
+
+ } else {
+ //Metadata provider seems already loaded --> start refresh process
+ List<MetadataProvider> loadedProvider = metadataProvider.getProviders();
+ for (MetadataProvider el : loadedProvider) {
+ if (el instanceof HTTPMetadataProvider) {
+ HTTPMetadataProvider prov = (HTTPMetadataProvider)el;
+ if (prov.getMetadataURI().equals(metdataURL))
+ prov.refresh();
+
+ } else
+ Logger.warn("'E-ID Proxy client' Metadata provider is not of Type 'HTTPMetadataProvider'! Something is suspect!!!!");
+
+ }
+ }
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.IDestroyableObject#fullyDestroy()
+ */
+ @Override
+ public void fullyDestroy() {
+ Logger.info("Destroy 'E-ID Proxy client' PVP metadata pool ... ");
+
+ if (metadataProvider != null) {
+ metadataProvider.destroy();
+
+ }
+
+ if (timer != null)
+ timer.cancel();
+
+ }
+
+ private HttpClient createHttpClient(String metadataURL) {
+ MOAHttpClient httpClient = new MOAHttpClient();
+ HttpClientParams httpClientParams = new HttpClientParams();
+ httpClientParams.setSoTimeout(AuthConfiguration.CONFIG_PROPS_METADATA_SOCKED_TIMEOUT);
+ httpClient.setParams(httpClientParams);
+
+ if (metadataURL.startsWith("https:")) {
+ try {
+ //FIX: change hostname validation default flag to true when httpClient is updated to > 4.4
+ MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
+ PVPConstants.SSLSOCKETFACTORYNAME,
+ moaAuthConfig.getBasicConfigurationBoolean(
+ AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false),
+ moaAuthConfig.getTrustedCACertificates(),
+ null,
+ AuthConfiguration.DEFAULT_X509_CHAININGMODE,
+ moaAuthConfig.isTrustmanagerrevoationchecking(),
+ moaAuthConfig.getRevocationMethodOrder(),
+ moaAuthConfig.getBasicConfigurationBoolean(
+ AuthConfiguration.PROP_KEY_SSL_HOSTNAME_VALIDATION, false));
+
+ httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory);
+
+ } catch (MOAHttpProtocolSocketFactoryException | MalformedURLException e) {
+ Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.", e);
+
+ }
+ }
+
+ return httpClient;
+
+ }
+}
diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/Utils.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/Utils.java
new file mode 100644
index 000000000..cd578d373
--- /dev/null
+++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/Utils.java
@@ -0,0 +1,45 @@
+package at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils;
+
+import java.util.List;
+
+import org.apache.commons.lang3.StringUtils;
+
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
+import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils;
+import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.EIDProxyAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
+import at.gv.egovernment.moa.logging.Logger;
+
+public class Utils {
+
+ public static String getEIDSystemEntityId(ISPConfiguration spConfiguration, IConfiguration authConfig) {
+ //load from service-provider configuration
+ String msNodeEntityID = spConfiguration.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_EXTERNAL_EID_SYSTEM_SERVICE_URL);
+
+ if (StringUtils.isEmpty(msNodeEntityID)) {
+ Logger.debug("No SP-specific E-ID system URL. Switch to general configuration ... ");
+ if (authConfig instanceof AuthConfiguration) {
+ AuthConfiguration moaAuthConfig = (AuthConfiguration)authConfig;
+ List<String> configuratedEntityIDs = KeyValueUtils.getListOfCSVValues(
+ moaAuthConfig.getConfigurationWithKey(MOAIDConfigurationConstants.GENERAL_AUTH_SERVICES_EID_SYSTEM_SERVICE_URL));
+
+ if (configuratedEntityIDs.size() > 0)
+ msNodeEntityID = configuratedEntityIDs.get(0);
+ else
+ Logger.info("No E-ID system URL in IDP configuration. Switch to backup configuration ... ");
+
+ } else
+ Logger.info("Basic configuration is NOT of type '" + AuthConfiguration.class.getName()
+ + "' Switch to generic Type ... ");
+
+
+ if (StringUtils.isEmpty(msNodeEntityID))
+ msNodeEntityID = authConfig.getBasicConfiguration(EIDProxyAuthConstants.CONFIG_PROPS_NODE_ENTITYID);
+
+ }
+
+ return msNodeEntityID;
+ }
+}
diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/resources/EID_connector_auth.process.xml b/id/server/modules/moa-id-module-E-ID_connector/src/main/resources/EID_connector_auth.process.xml
new file mode 100644
index 000000000..aee4ab403
--- /dev/null
+++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/resources/EID_connector_auth.process.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<pd:ProcessDefinition id="EIDAuthentication" xmlns:pd="http://reference.e-government.gv.at/namespace/moa/process/definition/v1">
+
+ <pd:Task id="createEIDAuthnRequest" class="CreateEIDSystemAuthnRequestTask" />
+ <pd:Task id="receiveEIDAuthnResponse" class="ReceiveEIDSystemAuthnResponseTask" async="true" />
+ <pd:Task id="finalizeAuthentication" class="FinalizeAuthenticationTask" />
+
+ <pd:StartEvent id="start" />
+
+ <pd:Transition from="start" to="createEIDAuthnRequest" />
+ <pd:Transition from="createEIDAuthnRequest" to="receiveEIDAuthnResponse"/>
+ <pd:Transition from="receiveEIDAuthnResponse" to="finalizeAuthentication"/>
+ <pd:Transition from="finalizeAuthentication" to="end" />
+
+ <pd:EndEvent id="end" />
+
+</pd:ProcessDefinition> \ No newline at end of file
diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider b/id/server/modules/moa-id-module-E-ID_connector/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider
new file mode 100644
index 000000000..7e511c22f
--- /dev/null
+++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider
@@ -0,0 +1 @@
+at.gv.egovernment.moa.id.auth.modules.eidproxyauth.EIDProxyAuthSpringResourceProvider \ No newline at end of file
diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/resources/moaid_EID_connector.beans.xml b/id/server/modules/moa-id-module-E-ID_connector/src/main/resources/moaid_EID_connector.beans.xml
new file mode 100644
index 000000000..d5d255680
--- /dev/null
+++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/resources/moaid_EID_connector.beans.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:tx="http://www.springframework.org/schema/tx"
+ xmlns:aop="http://www.springframework.org/schema/aop"
+ xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
+ http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
+ http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">
+
+
+<!-- Federated authentication services -->
+ <bean id="EidAuthCredentialProvider"
+ class="at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils.EIDAuthCredentialProvider"/>
+
+ <bean id="EidAuthMetadataController"
+ class="at.gv.egovernment.moa.id.auth.modules.eidproxyauth.controller.EIDAuthMetadataController"/>
+
+ <bean id="EidAuthModuleImpl"
+ class="at.gv.egovernment.moa.id.auth.modules.eidproxyauth.EIDProxyAuthModuleImpl">
+ <property name="priority" value="2" />
+ </bean>
+
+ <bean id="EidAuthSignalController"
+ class="at.gv.egovernment.moa.id.auth.modules.eidproxyauth.controller.EIDAuthSignalController"/>
+
+ <bean id="EidAuthMetadataProvider"
+ class="at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils.EIDAuthMetadataProvider" />
+
+ <bean id="pvpAuthnRequestBuilder"
+ class="at.gv.egiz.eaaf.modules.pvp2.sp.impl.PVPAuthnRequestBuilder" />
+
+<!-- Federated Authentication Process Tasks -->
+ <bean id="CreateEIDSystemAuthnRequestTask"
+ class="at.gv.egovernment.moa.id.auth.modules.eidproxyauth.tasks.CreateAuthnRequestTask"
+ scope="prototype"/>
+
+ <bean id="ReceiveEIDSystemAuthnResponseTask"
+ class="at.gv.egovernment.moa.id.auth.modules.eidproxyauth.tasks.ReceiveAuthnResponseTask"
+ scope="prototype"/>
+
+</beans> \ No newline at end of file