Diffstat (limited to 'id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/validator/eIDASResponseValidator.java')
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/validator/eIDASResponseValidator.java130
1 files changed, 130 insertions, 0 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/validator/eIDASResponseValidator.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/validator/eIDASResponseValidator.java
new file mode 100644
index 000000000..f0527bc5e
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/validator/eIDASResponseValidator.java
@@ -0,0 +1,130 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.eidas.validator;
+
+import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
+import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils;
+import at.gv.egovernment.moa.id.auth.modules.eidas.utils.eIDASAttributeProcessingUtils;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.data.Trible;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+import eu.eidas.auth.commons.protocol.IAuthenticationResponse;
+import eu.eidas.auth.commons.protocol.eidas.LevelOfAssurance;
+
+/**
+ * @author tlenz
+ *
+ */
+public class eIDASResponseValidator {
+
+
+ public static void validateResponse(IRequest pendingReq, IAuthenticationResponse samlResp, String spCountry) throws MOAIDException {
+
+ /*-----------------------------------------------------|
+ * validate received LoA against minimum required LoA |
+ *_____________________________________________________|
+ */
+ LevelOfAssurance reqLoA = LevelOfAssurance.fromString(pendingReq.getOnlineApplicationConfiguration().getQaaLevel());
+ LevelOfAssurance respLoA = LevelOfAssurance.fromString(samlResp.getLevelOfAssurance());
+ if (respLoA.numericValue() < reqLoA.numericValue()) {
+ Logger.error("eIDAS Response LevelOfAssurance is lower than the required! "
+ + "(Resp-LoA:" + respLoA.getValue() + " Req-LoA:" + reqLoA.getValue() + ")");
+ throw new MOAIDException("eIDAS.14", new Object[]{respLoA.getValue()});
+
+ }
+
+ /*-----------------------------------------------------|
+ * validate 'PersonalIdentifier' attribute |
+ *_____________________________________________________|
+ */
+ String respCC = samlResp.getCountry();
+ Object personalIdObj = samlResp.getAttributes().getFirstValue(
+ SAMLEngineUtils.getMapOfAllAvailableAttributes().get(
+ Constants.eIDAS_ATTR_PERSONALIDENTIFIER));
+
+ //check attribute type
+ if (personalIdObj == null || !(personalIdObj instanceof String))
+ Logger.warn("eIDAS Response include NO 'PersonalIdentifier' attriubte "
+ + ".... That can be a BIG problem in further processing steps");
+
+ else {
+ //validate attribute value format
+ Trible<String, String, String> split =
+ eIDASAttributeProcessingUtils.parseEidasPersonalIdentifier((String)personalIdObj);
+ if (split == null) {
+ throw new MOAIDException("eIDAS.16",
+ new Object[]{
+ Constants.eIDAS_ATTR_PERSONALIDENTIFIER,
+ "Wrong identifier format"});
+
+ } else {
+ //validation according to eIDAS SAML Attribute Profile, Section 2.2.3
+ if (MiscUtil.isEmpty(split.getSecond())) {
+ Logger.error("eIDAS attribute value for " + Constants.eIDAS_ATTR_PERSONALIDENTIFIER
+ + " includes NO destination country. Value:" + ((String)personalIdObj));
+ throw new MOAIDException("eIDAS.16",
+ new Object[]{
+ Constants.eIDAS_ATTR_PERSONALIDENTIFIER,
+ "No or empty destination country"});
+
+ }
+ if (!split.getSecond().equalsIgnoreCase(spCountry)) {
+ Logger.error("eIDAS attribute value for " + Constants.eIDAS_ATTR_PERSONALIDENTIFIER
+ + " includes wrong destination country. Value:" + ((String)personalIdObj)
+ + " SP-Country:" + spCountry);
+ throw new MOAIDException("eIDAS.16",
+ new Object[]{
+ Constants.eIDAS_ATTR_PERSONALIDENTIFIER,
+ "Destination country does not match to SP country"});
+
+ }
+
+ if (MiscUtil.isEmpty(split.getFirst())) {
+ Logger.error("eIDAS attribute value for " + Constants.eIDAS_ATTR_PERSONALIDENTIFIER
+ + " includes NO citizen country. Value:" + ((String)personalIdObj));
+ throw new MOAIDException("eIDAS.16",
+ new Object[]{
+ Constants.eIDAS_ATTR_PERSONALIDENTIFIER,
+ "No or empty citizen country"});
+
+ }
+ if (!split.getFirst().equalsIgnoreCase(respCC)) {
+ Logger.error("eIDAS attribute value for " + Constants.eIDAS_ATTR_PERSONALIDENTIFIER
+ + " includes a citizen country that does not match to eIDAS Response node. "
+ + " Value:" + ((String)personalIdObj)
+ + " Response-Node Country:" + respCC);
+ throw new MOAIDException("eIDAS.16",
+ new Object[]{
+ Constants.eIDAS_ATTR_PERSONALIDENTIFIER,
+ "Citizen country does not match to eIDAS-node country that generates the response"});
+
+ }
+ }
+ }
+
+
+
+ }
+}
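Review bot: The LoA comparison at `respLoA.numericValue() < reqLoA.numericValue()` dereferences both enums without a null check, so if `LevelOfAssurance.fromString` yields null for an unrecognised or missing LoA string (in the response or in the SP configuration), the validator fails with a NullPointerException instead of the intended MOAIDException; I would guard it right after the two `fromString` calls, e.g. `if (reqLoA == null || respLoA == null) throw new MOAIDException("eIDAS.14", new Object[]{samlResp.getLevelOfAssurance()});`. The missing-`PersonalIdentifier` branch only logs a warning, which means a response without that attribute skips all destination- and citizen-country checks and still passes validation — either that should throw `eIDAS.16` like the other branches, or the class Javadoc should state explicitly that a missing identifier is accepted here and enforced downstream. In that same condition `personalIdObj == null ||` is redundant, since `instanceof` is already false for null. The class Javadoc carries only `@author`; a one-line summary such as `Validates an eIDAS authentication response against the SP's minimum LoA and the PersonalIdentifier country constraints (eIDAS SAML Attribute Profile, Section 2.2.3).` would help readers.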