aboutsummaryrefslogtreecommitdiff
path: root/id/server/modules/moa-id-module-eIDAS/src/main/java/at
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/modules/moa-id-module-eIDAS/src/main/java/at')
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java2
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java6
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java35
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java31
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java63
5 files changed, 109 insertions, 28 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
index c0101b553..d975b6e0a 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
@@ -69,6 +69,8 @@ public class Constants {
public static final String CONIG_PROPS_EIDAS_METADATA_URLS_LIST_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".metadata.url";
+ public static final String CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".bpk.target.";
+
//timeouts and clock skews
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
index 6f1d75bfe..154006ed8 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
@@ -31,7 +31,6 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.BooleanUtils;
-import org.apache.commons.lang3.StringUtils;
import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
@@ -41,6 +40,7 @@ import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
+import org.springframework.util.StringUtils;
import com.google.common.net.MediaType;
@@ -227,7 +227,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
authnRequestBuilder.levelOfAssuranceComparison(LevelOfAssuranceComparison.MINIMUM);
//set correct SPType for this online application
- if (oaConfig.getBusinessService())
+ if (oaConfig.hasBaseIdTransferRestriction())
authnRequestBuilder.spType(SpType.PRIVATE.getValue());
else
authnRequestBuilder.spType(SpType.PUBLIC.getValue());
@@ -306,7 +306,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
context.put("RelayState", pendingReq.getRequestID());
- Logger.debug("Using assertion consumer url as action: " + authnReqEndpoint.getLocation());
+ Logger.debug("Using SingleSignOnService url as action: " + authnReqEndpoint.getLocation());
context.put("action", authnReqEndpoint.getLocation());
Logger.debug("Starting template merge");
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
index 940b91b44..1ce900ebb 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
@@ -56,6 +56,7 @@ import at.gv.egovernment.moa.id.commons.MOAIDConstants;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.IRequest;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
import at.gv.egovernment.moa.id.moduls.RequestImpl;
import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController;
import at.gv.egovernment.moa.logging.Logger;
@@ -269,7 +270,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
//validate request country-code against eIDAS node config
String reqCC = samlReq.getOriginCountryCode();
- String eIDASTarget = oaConfig.getIdentityLinkDomainIdentifier();
+ String eIDASTarget = oaConfig.getAreaSpecificTargetIdentifier();
//validate eIDAS target
Pattern pattern = Pattern.compile("^" + at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS
@@ -283,14 +284,22 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
} else {
String[] splittedTarget = eIDASTarget.split("\\+");
if (!splittedTarget[2].equalsIgnoreCase(reqCC)) {
- Logger.error("Configuration for eIDAS-node:" + samlReq.getIssuer()
+ Logger.debug("Configuration for eIDAS-node:" + samlReq.getIssuer()
+ " Destination Country from request (" + reqCC
- + ") does not match to configuration:" + eIDASTarget);
- throw new MOAIDException("eIDAS.01",
- new Object[]{"Destination Country from request does not match to configuration"});
+ + ") does not match to configuration:" + eIDASTarget
+ + " --> Perform additional organisation check ...");
+
+ //check if eIDAS domain for bPK calculation is a valid target
+ if (!iseIDASTargetAValidOrganisation(reqCC, splittedTarget[2])) {
+ throw new MOAIDException("eIDAS.01",
+ new Object[]{"Destination Country from request does not match to configuration"});
+
+ }
+
}
- Logger.debug("CountryCode from request matches eIDAS-node configuration target");
+ Logger.debug("CountryCode from request matches eIDAS-node configuration target: " + eIDASTarget);
+
}
@@ -439,6 +448,20 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
public boolean validate(HttpServletRequest request, HttpServletResponse response, IRequest pending) {
return false;
}
+
+ private boolean iseIDASTargetAValidOrganisation(String reqCC, String bPKTargetArea) {
+ if (MiscUtil.isNotEmpty(reqCC)) {
+ List<String> allowedOrganisations = KeyValueUtils.getListOfCSVValues(
+ authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX + reqCC.toLowerCase()));
+ if (allowedOrganisations.contains(bPKTargetArea)) {
+ Logger.debug(bPKTargetArea + " is a valid OrganisationIdentifier for request-country: "+ reqCC);
+ return true;
+ }
+ }
+
+ Logger.info("OrganisationIdentifier: " + bPKTargetArea + " is not allowed for country: " + reqCC);
+ return false;
+ }
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java
index c008048cb..ea5a002e0 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java
@@ -22,7 +22,13 @@
*/
package at.gv.egovernment.moa.id.protocols.eidas.attributes.builder;
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator;
import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateLegalPersonSourcePinAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
/**
* @author tlenz
@@ -31,6 +37,31 @@ import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateLegalPersonS
public class eIDASAttrLegalPersonIdentifier extends MandateLegalPersonSourcePinAttributeBuilder implements IeIDASAttribute {
@Override
+ public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData,
+ IAttributeGenerator<ATT> g) throws AttributeException {
+ if(authData.isUseMandate()) {
+
+ //extract eIDAS unique Id prefix from naturalPerson bPK identifier
+ if (MiscUtil.isEmpty(authData.getBPKType())
+ || !authData.getBPKType().startsWith(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS)) {
+ Logger.error("BPKType is empty or does not start with eIDAS bPKType prefix! bPKType:" + authData.getBPKType());
+ throw new AttributeException("Suspect bPKType for eIDAS identifier generation");
+
+ }
+
+ //add eIDAS eID prefix to legal person identifier
+ String prefix = authData.getBPKType().substring(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS.length() + 1);
+ String legalPersonID = prefix.replaceAll("\\+", "/") + "/" + getLegalPersonIdentifierFromMandate(authData);
+ return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME,
+ MANDATE_LEG_PER_SOURCE_PIN_NAME, legalPersonID);
+
+ }
+
+ return null;
+
+ }
+
+ @Override
public String getName() {
return eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri().toString();
}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
index d0cda38c7..b91bbde9e 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
@@ -77,6 +77,8 @@ public class eIDASAuthenticationRequest implements IAction {
@Autowired protected MOAReversionLogger revisionsLogger;
@Autowired(required=true) MOAeIDASChainingMetadataProvider eIDASMetadataProvider;
+
+
@Override
public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException {
EIDASData eidasRequest;
@@ -91,29 +93,32 @@ public class eIDASAuthenticationRequest implements IAction {
//gather attributes
ImmutableAttributeMap reqAttributeList = (ImmutableAttributeMap) eidasRequest.getEidasRequestedAttributes();
ImmutableAttributeMap.Builder attrMapBuilder = ImmutableAttributeMap.builder();
-
- //generate eIDAS attributes
- for(AttributeDefinition<?> attr : reqAttributeList.getDefinitions()) {
- Pair<AttributeDefinition<?>, ImmutableSet<AttributeValue<?>>> eIDASAttr = eIDASAttributeBuilder.buildAttribute(
- attr, req.getOnlineApplicationConfiguration(), authData);
-
- if(eIDASAttr == null) {
- if (attr.isRequired()) {
- Logger.info("eIDAS Attr:" + attr.getNameUri() + " is marked as 'Required' but not available.");
- throw new MOAIDException("eIDAS.15", new Object[]{attr.getFriendlyName()});
-
- } else
- Logger.info("eIDAS Attr:" + attr.getNameUri() + " is not available.");
- } else {
- //add attribute to Map
- attrMapBuilder.put(
- (AttributeDefinition)eIDASAttr.getFirst(),
- (ImmutableSet)eIDASAttr.getSecond());
+ //generate eIDAS attributes
+ for(AttributeDefinition<?> attr : reqAttributeList.getDefinitions())
+ buildAndAddAttribute(attrMapBuilder, attr, eidasRequest, authData);
+
+
+ //Check if Mandate attributes are requested if mandates was used
+ if (authData.isUseMandate()) {
+ if (reqAttributeList.getDefinitionByNameUri(
+ eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri()) == null) {
+ Logger.info("Citzen perfom authentication with mandates but no mandate attribute are included. --> Add mandate attribute 'LEGAL_PERSON_IDENTIFIER'");
+ buildAndAddAttribute(attrMapBuilder, eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER, eidasRequest, authData);
+
+ }
+
+ if (reqAttributeList.getDefinitionByNameUri(
+ eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_NAME.getNameUri()) == null) {
+ Logger.info("Citzen perfom authentication with mandates but no mandate attribute are included. --> Add mandate attribute 'LEGAL_NAME'");
+ buildAndAddAttribute(attrMapBuilder, eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_NAME, eidasRequest, authData);
}
}
+ //build final attibute set
+ ImmutableAttributeMap eIDASAttrbutMap = attrMapBuilder.build();
+
// construct eIDaS response
AuthenticationResponse.Builder responseBuilder = new AuthenticationResponse.Builder();
@@ -127,7 +132,7 @@ public class eIDASAuthenticationRequest implements IAction {
responseBuilder.levelOfAssurance(authData.getEIDASQAALevel());
//add attributes
- responseBuilder.attributes(attrMapBuilder.build());
+ responseBuilder.attributes(eIDASAttrbutMap);
//set success statuscode
responseBuilder.statusCode(StatusCode.SUCCESS_URI);
@@ -221,6 +226,26 @@ public class eIDASAuthenticationRequest implements IAction {
return "eIDAS_AuthnRequest";
}
+ private void buildAndAddAttribute(ImmutableAttributeMap.Builder attrMapBuilder, AttributeDefinition<?> attr, IRequest req, IAuthData authData) throws MOAIDException {
+ Pair<AttributeDefinition<?>, ImmutableSet<AttributeValue<?>>> eIDASAttr = eIDASAttributeBuilder.buildAttribute(
+ attr, req.getOnlineApplicationConfiguration(), authData);
+
+ if(eIDASAttr == null) {
+ if (attr.isRequired()) {
+ Logger.info("eIDAS Attr:" + attr.getNameUri() + " is marked as 'Required' but not available.");
+ throw new MOAIDException("eIDAS.15", new Object[]{attr.getFriendlyName()});
+
+ } else
+ Logger.info("eIDAS Attr:" + attr.getNameUri() + " is not available.");
+
+ } else {
+ //add attribute to Map
+ attrMapBuilder.put(
+ (AttributeDefinition)eIDASAttr.getFirst(),
+ (ImmutableSet)eIDASAttr.getSecond());
+
+ }
+ }