1 files changed, 29 insertions, 6 deletions

diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
index 940b91b44..1ce900ebb 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
@@ -56,6 +56,7 @@ import at.gv.egovernment.moa.id.commons.MOAIDConstants;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.IRequest;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
 import at.gv.egovernment.moa.id.moduls.RequestImpl;
 import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController;
 import at.gv.egovernment.moa.logging.Logger;
@@ -269,7 +270,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
 			
 			//validate request country-code against eIDAS node config
 			String reqCC = samlReq.getOriginCountryCode();
-			String eIDASTarget = oaConfig.getIdentityLinkDomainIdentifier();
+			String eIDASTarget = oaConfig.getAreaSpecificTargetIdentifier();
 
 			//validate eIDAS target
 			Pattern pattern = Pattern.compile("^" + at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS 
@@ -283,14 +284,22 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
 			} else {
 				String[] splittedTarget = eIDASTarget.split("\\+");
 				if (!splittedTarget[2].equalsIgnoreCase(reqCC)) {
-					Logger.error("Configuration for eIDAS-node:" + samlReq.getIssuer() 
+					Logger.debug("Configuration for eIDAS-node:" + samlReq.getIssuer() 
 						+ " Destination Country from request (" + reqCC 
-						+ ") does not match to configuration:" + eIDASTarget);
-					throw new MOAIDException("eIDAS.01", 
-							new Object[]{"Destination Country from request does not match to configuration"});
+						+ ") does not match to configuration:" + eIDASTarget
+						+ " --> Perform additional organisation check ...");
+					
+					//check if eIDAS domain for bPK calculation is a valid target  
+					if (!iseIDASTargetAValidOrganisation(reqCC, splittedTarget[2])) {						
+						throw new MOAIDException("eIDAS.01", 
+								new Object[]{"Destination Country from request does not match to configuration"});
+						
+					}
+					
 					
 				}
-				Logger.debug("CountryCode from request matches eIDAS-node configuration target");
+				Logger.debug("CountryCode from request matches eIDAS-node configuration target: " + eIDASTarget);
+				
 			}
 			
 						
@@ -439,6 +448,20 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
     public boolean validate(HttpServletRequest request, HttpServletResponse response, IRequest pending) {
         return false;
     }
+    
+    private boolean iseIDASTargetAValidOrganisation(String reqCC, String bPKTargetArea) {
+    	if (MiscUtil.isNotEmpty(reqCC)) {    	
+    		List<String> allowedOrganisations = KeyValueUtils.getListOfCSVValues(
+    				authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX + reqCC.toLowerCase()));
+    		if (allowedOrganisations.contains(bPKTargetArea)) {
+    			Logger.debug(bPKTargetArea + " is a valid OrganisationIdentifier for request-country: "+ reqCC);
+    			return true;
+    		}
+    	}
+    	
+    	Logger.info("OrganisationIdentifier: " + bPKTargetArea + " is not allowed for country: " + reqCC);
+    	return false;
+    }
 }