Diffstat (limited to 'id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java')
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java180
1 files changed, 74 insertions, 106 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
index ffa74b92b..490dc9dcf 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
@@ -9,15 +9,13 @@ import java.util.Map;
import java.util.Map.Entry;
import java.util.Timer;
-import javax.net.ssl.SSLHandshakeException;
import javax.xml.namespace.QName;
-import org.apache.commons.httpclient.MOAHttpClient;
-import org.apache.commons.httpclient.params.HttpClientParams;
import org.opensaml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.RoleDescriptor;
import org.opensaml.saml2.metadata.provider.ChainingMetadataProvider;
+import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataFilter;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
@@ -28,25 +26,22 @@ import org.springframework.stereotype.Service;
import at.gv.egovernment.moa.id.auth.IDestroyableObject;
import at.gv.egovernment.moa.id.auth.IGarbageCollectorProcessing;
+import at.gv.egovernment.moa.id.auth.IPostStartupInitializable;
import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
-import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
-import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
-import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.IMOARefreshableMetadataProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.SimpleMOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MOASPMetadataSignatureFilter;
import at.gv.egovernment.moa.id.saml2.MetadataFilterChain;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.FileUtils;
import at.gv.egovernment.moa.util.MiscUtil;
import eu.eidas.auth.engine.AbstractProtocolEngine;
@Service("eIDASMetadataProvider")
-public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvider,
- IGarbageCollectorProcessing, IDestroyableObject {
+public class MOAeIDASChainingMetadataProvider extends SimpleMOAMetadataProvider implements ObservableMetadataProvider,
+ IGarbageCollectorProcessing, IDestroyableObject, IMOARefreshableMetadataProvider, IPostStartupInitializable{
-// private static MOAeIDASChainingMetadataProvider instance = null;
- private static Object mutex = new Object();
+ private Timer timer = null;
private MetadataProvider internalProvider;
private Map<String, Date> lastAccess = null;
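Review bot: The new `timer` field replaces the removed `mutex`, but it is lazily created in `createNewHTTPMetaDataProvider` (later hunk) with an unsynchronized `if (timer == null)` check, so two concurrent `refreshMetadataProvider` calls can each allocate a `Timer`; the one that loses the field assignment keeps running its daemon thread and is never reached by `fullyDestroy()`. Either guard the lazy creation with a lock or create the timer eagerly, e.g. `private final Timer timer = new Timer(true);`, which also removes the null checks. Whether `mutex` was still used by the remaining code cannot be seen from this hunk. As a style nit the class header lacks a space before the opening brace: `IPostStartupInitializable {`.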
@@ -70,12 +65,41 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
lastAccess = new HashMap<String, Date>();
}
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.IPostStartupInitializable#executeAfterStartup()
+ */
+ @Override
+ public void executeAfterStartup() {
+ initializeEidasMetadataFromFileSystem();
+
+ }
+
+ protected void initializeEidasMetadataFromFileSystem() {
+ Map<String, String> metadataToLoad = authConfig.getBasicMOAIDConfigurationWithPrefix(Constants.CONIG_PROPS_EIDAS_METADATA_URLS_LIST_PREFIX);
+ if (!metadataToLoad.isEmpty()) {
+ Logger.info("Load static configurated eIDAS metadata ... ");
+ for (String metaatalocation : metadataToLoad.values()) {
+ String absMetadataLocation = FileUtils.makeAbsoluteURL(metaatalocation, authConfig.getRootConfigFileDir());
+ Logger.info(" Load eIDAS metadata from: " + absMetadataLocation);
+ refreshMetadataProvider(absMetadataLocation);
+
+ }
+
+ Logger.info("Load static configurated eIDAS metadata finished ");
+ }
+ }
+
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.auth.IDestroyableObject#fullyDestroy()
*/
@Override
public void fullyDestroy() {
+
+ if (timer != null)
+ timer.cancel();
+
Map<String, HTTPMetadataProvider> loadedproviders = getAllActuallyLoadedProviders();
if (loadedproviders != null) {
for (Entry<String, HTTPMetadataProvider> el : loadedproviders.entrySet()) {
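Review bot: `fullyDestroy()` cancels `timer` but leaves the field set, so a later `createNewHTTPMetaDataProvider` call would pass the cancelled Timer to a new provider and scheduling a refresh on it throws `IllegalStateException`; clear it after cancelling, `timer.cancel(); timer = null;`. In `initializeEidasMetadataFromFileSystem` the boolean returned by `refreshMetadataProvider` is discarded, so a statically configured metadata location that fails to load is not reported at the place that configured it; consider `if (!refreshMetadataProvider(absMetadataLocation)) Logger.warn("Static eIDAS metadata could not be loaded from: " + absMetadataLocation);`. The loop variable `metaatalocation` is misspelled (`metadataLocation`). The body of `fullyDestroy()` continues beyond the hunk.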
@@ -140,8 +164,8 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
+ " after timeout.");
} else
- Logger.warn("eIDAS metadata for EntityID: " + expired
- + " is marked as unsed, but no loaded metadata provider is found.");
+ Logger.info("eIDAS metadata for EntityID: " + expired
+ + " is marked as expired, but no currently loaded HTTPMetadataProvider metadata provider is found.");
}
}
@@ -187,108 +211,50 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
}
}
-
-
- private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL) {
- HTTPMetadataProvider httpProvider = null;
- Timer timer= null;
- MOAHttpClient httpClient = null;
- try {
- AuthConfiguration authConfig = AuthConfigurationProviderFactory.getInstance();
-
- httpClient = new MOAHttpClient();
-
- HttpClientParams httpClientParams = new HttpClientParams();
- httpClientParams.setSoTimeout(Constants.CONFIG_PROPS_METADATA_SOCKED_TIMEOUT);
- httpClient.setParams(httpClientParams);
-
- if (metadataURL.startsWith("https:")) {
- try {
- //FIX: change hostname validation default flag to true when httpClient is updated to > 4.4
- MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
- Constants.SSLSOCKETFACTORYNAME,
- authConfig.getTrustedCACertificates(),
- null,
- AuthConfiguration.DEFAULT_X509_CHAININGMODE,
- authConfig.isTrustmanagerrevoationchecking(),
- authConfig.getRevocationMethodOrder(),
- authConfig.getBasicMOAIDConfigurationBoolean(
- AuthConfiguration.PROP_KEY_SSL_HOSTNAME_VALIDATION, false));
-
- httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory);
-
- } catch (MOAHttpProtocolSocketFactoryException e) {
- Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.");
-
- }
- }
-
+
+ private MetadataProvider createNewHTTPMetaDataProvider(String metadataURL) {
+ if (timer == null)
timer = new Timer(true);
- httpProvider = new HTTPMetadataProvider(timer, httpClient,
- metadataURL);
- httpProvider.setParserPool(AbstractProtocolEngine.getSecuredParserPool());
- httpProvider.setRequireValidMetadata(true);
- httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes
- httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours
- //httpProvider.setRefreshDelayFactor(0.1F);
-
- //add Metadata filters
- MetadataFilterChain filter = new MetadataFilterChain();
- filter.addFilter(new MOASPMetadataSignatureFilter(
- authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE)));
- httpProvider.setMetadataFilter(filter);
-
- httpProvider.initialize();
-
- return httpProvider;
-
- } catch (Throwable e) {
- if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) {
- Logger.warn("SSL-Server certificate for metadata "
- + metadataURL + " not trusted.", e);
-
- } if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) {
- Logger.warn("Signature verification for metadata"
- + metadataURL + " FAILED.", e);
-
- } if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) {
- Logger.warn("Schema validation for metadata "
- + metadataURL + " FAILED.", e);
- }
-
- Logger.error(
- "Failed to add Metadata file for "
- + metadataURL + "[ "
- + e.getMessage() + " ]", e);
-
- if (httpProvider != null) {
- Logger.debug("Destroy failed Metadata provider");
- httpProvider.destroy();
- }
-
- if (timer != null) {
- Logger.debug("Destroy Timer.");
- timer.cancel();
- }
-
-
- }
- return null;
+ //add Metadata filters
+ MetadataFilterChain filter = new MetadataFilterChain();
+ filter.addFilter(new MOASPMetadataSignatureFilter(
+ authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE)));
+
+ return createNewMoaMetadataProvider(metadataURL, filter,
+ "eIDAS metadata-provider",
+ timer, AbstractProtocolEngine.getSecuredParserPool());
+
}
private Map<String, HTTPMetadataProvider> getAllActuallyLoadedProviders() {
Map<String, HTTPMetadataProvider> loadedproviders = new HashMap<String, HTTPMetadataProvider>();
ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;
-
+
//make a Map of all actually loaded HTTPMetadataProvider
List<MetadataProvider> providers = chainProvider.getProviders();
for (MetadataProvider provider : providers) {
if (provider instanceof HTTPMetadataProvider) {
HTTPMetadataProvider httpprovider = (HTTPMetadataProvider) provider;
loadedproviders.put(httpprovider.getMetadataURI(), httpprovider);
-
- }
+
+ } else if (provider instanceof FilesystemMetadataProvider) {
+ String entityID = "'!!NO-ENTITYID!!'";
+ try {
+ if (provider.getMetadata() instanceof EntityDescriptor)
+ entityID = ((EntityDescriptor)provider.getMetadata()).getEntityID();
+
+ Logger.debug("Skip eIDAS metadata: " + entityID + " because it is loaded from local Filesystem");
+
+ } catch (MetadataProviderException e) {
+ Logger.info("Collect currently loaded eIDAS metadata provider has an internel process error: " + e.getMessage());
+
+ }
+
+ } else
+ Logger.info("Skip " + provider.getClass().getName() + " from list of currently loaded "
+ + "eIDAS metadata provider");
+
}
return loadedproviders;
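Review bot: The HTTPS trust configuration the removed code built explicitly (MOAHttpProtocolSocketFactory with the configured trusted CA certificates, revocation checking and the hostname-validation flag) and `setRequireValidMetadata(true)` are no longer visible in `createNewHTTPMetaDataProvider`; they are presumably applied inside `createNewMoaMetadataProvider` of `SimpleMOAMetadataProvider`, which is outside this diff, and that should be confirmed because the signature filter alone does not cover the transport. The helper is also expected to return null on failure, since `refreshMetadataProvider` (later hunk) only checks `newMetadataProvider != null`; a comment on the call, `// returns null when the provider can not be initialized; the caller logs and skips the URL`, would pin that contract. In `getAllActuallyLoadedProviders` the `FilesystemMetadataProvider` branch calls `provider.getMetadata()` twice; assign it once to a local and use that for both the `instanceof` check and the cast. Note that `fullyDestroy()` iterates only the HTTP providers returned here, so filesystem-backed providers added via `executeAfterStartup()` are not destroyed with the rest.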
@@ -309,7 +275,7 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
} else {
//load new Metadata Provider
ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;
- HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL);
+ MetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL);
if (newMetadataProvider != null) {
chainProvider.addMetadataProvider(newMetadataProvider);
@@ -319,7 +285,8 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
+ metadataURL + " is added.");
return true;
- }
+ } else
+ Logger.warn("Can not load eIDAS metadata from URL: " + metadataURL);
}
} else
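Review bot: The new `else` branch is unbraced while its matching `if` body is braced; brace both for consistency with the rest of the method, `} else { Logger.warn("Can not load eIDAS metadata from URL: " + metadataURL); }`. `refreshMetadataProvider` begins and ends outside this hunk.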
@@ -435,4 +402,5 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
if (observer != null)
observer.onEvent(this);
}
+
}