Diffstat (limited to 'id/server/modules/moa-id-module-eIDAS/src')
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java2
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java4
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java8
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java4
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java33
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd31
6 files changed, 71 insertions, 11 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
index c0101b553..d975b6e0a 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
@@ -69,6 +69,8 @@ public class Constants {
public static final String CONIG_PROPS_EIDAS_METADATA_URLS_LIST_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".metadata.url";
+ public static final String CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".bpk.target.";
+
//timeouts and clock skews
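Review bot: The new constant's value ends with a trailing `.`, which only makes sense together with the country-code suffix that its caller appends, so a Javadoc at the definition would pin that contract: `/** Prefix of the per-country allow-list of bPK target identifiers; the lower-cased request country code is appended to form the property key. */`. The name uses the correctly spelled `CONFIG_PROPS_` while the neighbouring constants use `CONIG_PROPS_`, so a reader grepping by either prefix misses the other; that is an inherited inconsistency rather than a defect of this change, but worth a note if the old names are ever cleaned up.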
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
index 6f1d75bfe..c55b5a749 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
@@ -31,7 +31,6 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.BooleanUtils;
-import org.apache.commons.lang3.StringUtils;
import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
@@ -41,6 +40,7 @@ import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
+import org.springframework.util.StringUtils;
import com.google.common.net.MediaType;
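Review bot: Replacing `org.apache.commons.lang3.StringUtils` with `org.springframework.util.StringUtils` changes the semantics of every `StringUtils` call in this file, and none of the call sites are in this hunk, so I cannot confirm each still means what it did. Spring's `isEmpty(Object)` only tests for null or zero length (and is deprecated in newer Spring versions), whereas commons-lang3 offers whitespace-aware `isBlank`/`isNotBlank`; the closest Spring equivalent for those is `hasText`. If any call site relied on blank-string handling, it should be adjusted, and a comment at the import such as `// Spring StringUtils: isEmpty is not whitespace-aware, use hasText where blank strings matter` would prevent the next reader from assuming the two classes are interchangeable.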
@@ -306,7 +306,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
context.put("RelayState", pendingReq.getRequestID());
- Logger.debug("Using assertion consumer url as action: " + authnReqEndpoint.getLocation());
+ Logger.debug("Using SingleSignOnService url as action: " + authnReqEndpoint.getLocation());
context.put("action", authnReqEndpoint.getLocation());
Logger.debug("Starting template merge");
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java
index d0c003b31..bb52d2ffe 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/NewMoaEidasMetadata.java
@@ -168,12 +168,12 @@ public class NewMoaEidasMetadata {
}
private void generateDigest(Extensions eidasExtensions) throws EIDASSAMLEngineException {
- if (!(StringUtils.isEmpty(this.params.getDigestMethods()))) {
- Set<String> signatureMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getDigestMethods());
+ if (!(StringUtils.isEmpty(this.params.getSigningMethods()))) {
+ Set<String> signatureMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getSigningMethods());
Set<String> digestMethods = new HashSet();
for (String signatureMethod : signatureMethods) {
digestMethods.add(CertificateUtil.validateDigestAlgorithm(signatureMethod));
- }
+ }
for (String digestMethod : digestMethods) {
DigestMethod dm = (DigestMethod) BuilderFactoryUtil.buildXmlObject(DigestMethod.DEF_ELEMENT_NAME);
if (dm != null) {
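Review bot: generateDigest now derives the DigestMethod list from `getSigningMethods()` through CertificateUtil.validateDigestAlgorithm, so a value returned by `getDigestMethods()` is no longer consulted in this method; if it is not read anywhere else either, the digest-method configuration is silently ignored and a comment here (or a deprecation note on that parameter) should say so. The second hunk in this file fixes the matching copy-paste in the SigningMethod loop, so both metadata extension lists are now driven by the signing configuration. On the unchanged context line, `new HashSet()` is a raw type; `new HashSet<>()` keeps the declared `Set<String>` type-safe. generateDigest continues past the end of the hunk.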
@@ -203,7 +203,7 @@ public class NewMoaEidasMetadata {
generateDigest(eidasExtensions);
if (!(StringUtils.isEmpty(this.params.getSigningMethods()))) {
- Set<String> signMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getDigestMethods());
+ Set<String> signMethods = EIDASUtil.parseSemicolonSeparatedList(this.params.getSigningMethods());
for (String signMethod : signMethods) {
SigningMethod sm = (SigningMethod) BuilderFactoryUtil
.buildXmlObject(SigningMethod.DEF_ELEMENT_NAME);
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
index d469ca28c..02a5df098 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
@@ -28,6 +28,7 @@ import java.net.URL;
import java.util.HashMap;
import java.util.Map;
+import org.opensaml.common.xml.SAMLSchemaBuilder;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.XMLConfigurator;
@@ -107,6 +108,9 @@ public class SAMLEngineUtils {
//overwrite eIDAS response validator suite because Condition-Valitator has not time jitter
initOpenSAMLConfig("own-saml-eidasnode-config.xml");
+ //add eIDAS specific SAML2 extensions to eIDAS Schema validatior
+ SAMLSchemaBuilder.addExtensionSchema(
+ at.gv.egovernment.moa.util.Constants.SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION);
eIDASEngine = engine;
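Review bot: `SAMLSchemaBuilder.addExtensionSchema(...)` mutates process-wide static state of the OpenSAML schema builder, while the surrounding code (initOpenSAMLConfig, then `eIDASEngine = engine`) looks like one-time initialisation; if this method can be entered more than once, the extension location is registered again on every call and nothing in the hunk guards against that. A comment such as `// process-global: registers the eIDAS extension schema for all SAML schema validation in this JVM` would make the scope explicit, and a static guard around the call if re-entry is possible. Whether a missing schema resource fails here or only later when the schema is first built is not visible from this hunk and is worth checking, since a late failure would surface as validation errors at request time rather than at startup. The enclosing method starts and ends outside the hunk.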
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
index 940b91b44..4b67370d6 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
@@ -56,6 +56,7 @@ import at.gv.egovernment.moa.id.commons.MOAIDConstants;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.IRequest;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
import at.gv.egovernment.moa.id.moduls.RequestImpl;
import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController;
import at.gv.egovernment.moa.logging.Logger;
@@ -283,14 +284,22 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
} else {
String[] splittedTarget = eIDASTarget.split("\\+");
if (!splittedTarget[2].equalsIgnoreCase(reqCC)) {
- Logger.error("Configuration for eIDAS-node:" + samlReq.getIssuer()
+ Logger.debug("Configuration for eIDAS-node:" + samlReq.getIssuer()
+ " Destination Country from request (" + reqCC
- + ") does not match to configuration:" + eIDASTarget);
- throw new MOAIDException("eIDAS.01",
- new Object[]{"Destination Country from request does not match to configuration"});
+ + ") does not match to configuration:" + eIDASTarget
+ + " --> Perform additional organisation check ...");
+
+ //check if eIDAS domain for bPK calculation is a valid target
+ if (!iseIDASTargetAValidOrganisation(reqCC, splittedTarget[2])) {
+ throw new MOAIDException("eIDAS.01",
+ new Object[]{"Destination Country from request does not match to configuration"});
+
+ }
+
}
- Logger.debug("CountryCode from request matches eIDAS-node configuration target");
+ Logger.debug("CountryCode from request matches eIDAS-node configuration target: " + eIDASTarget);
+
}
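Review bot: The line `Logger.debug("CountryCode from request matches eIDAS-node configuration target: " + eIDASTarget);` is now also reached after a country mismatch that was accepted through iseIDASTargetAValidOrganisation, so on that path the log claims the country codes matched when they did not. Because this branch now decides whether a mismatched request country is tolerated, the two outcomes should be distinguishable in the logs: keep the existing debug line for the equal case and log the accepted mismatch separately, e.g. `Logger.info("Country mismatch accepted via organisation allow-list for target: " + eIDASTarget);` right after the organisation check succeeds. The unchanged context line `splittedTarget[2]` is indexed without a length check, so a target with fewer than three `+`-separated parts still fails with an ArrayIndexOutOfBoundsException rather than a clear configuration error. The enclosing method starts and ends outside the hunk.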
@@ -439,6 +448,20 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
public boolean validate(HttpServletRequest request, HttpServletResponse response, IRequest pending) {
return false;
}
+
+ private boolean iseIDASTargetAValidOrganisation(String reqCC, String bPKTargetArea) {
+ if (MiscUtil.isNotEmpty(reqCC)) {
+ List<String> allowedOrganisations = KeyValueUtils.getListOfCSVValues(
+ authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX + reqCC.toLowerCase()));
+ if (allowedOrganisations.contains(bPKTargetArea)) {
+ Logger.debug(bPKTargetArea + " is a valid OrganisationIdentifier for request-country: "+ reqCC);
+ return true;
+ }
+ }
+
+ Logger.info("OrganisationIdentifier: " + bPKTargetArea + " is not allowed for country: " + reqCC);
+ return false;
+ }
}
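Review bot: `reqCC.toLowerCase()` in iseIDASTargetAValidOrganisation uses the JVM default locale, and since the result forms a configuration key it should be `reqCC.toLowerCase(Locale.ROOT)` (java.util.Locale) so the lookup does not vary with the server locale. The caller compares the country with equalsIgnoreCase, but `allowedOrganisations.contains(bPKTargetArea)` is case-sensitive; if that asymmetry is not intended, normalise both sides before comparing. I cannot tell from this hunk whether KeyValueUtils.getListOfCSVValues tolerates a null result from getBasicMOAIDConfiguration when no allow-list is configured for a country; if it does not, a request for an unconfigured country would end in a NullPointerException instead of the MOAIDException the caller throws. reqCC originates from the request while bPKTargetArea comes from the node configuration, so a short Javadoc stating that the allow-list is keyed by the lower-cased request country would help readers judge the trust boundary.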
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd b/id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd
new file mode 100644
index 000000000..76b82a267
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/resources/schema/eIDAS_saml_extensions.xsd
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:eidas="http://eidas.europa.eu/saml-extensions" targetNamespace="http://eidas.europa.eu/saml-extensions" elementFormDefault="qualified" attributeFormDefault="unqualified">
+
+ <xsd:element name="SPType" type="eidas:SPTypeType"/>
+ <xsd:simpleType name="SPTypeType">
+ <xsd:restriction base="xsd:string">
+ <xsd:enumeration value="public"/>
+ <xsd:enumeration value="private"/>
+ </xsd:restriction>
+ </xsd:simpleType>
+
+ <xsd:element name="RequestedAttributes" type="eidas:RequestedAttributesType"/>
+ <xsd:complexType name="RequestedAttributesType">
+ <xsd:sequence>
+ <xsd:element minOccurs="0" maxOccurs="unbounded" ref="eidas:RequestedAttribute"/>
+ </xsd:sequence>
+ </xsd:complexType>
+
+ <xsd:element name="RequestedAttribute" type="eidas:RequestedAttributeType"/>
+ <xsd:complexType name="RequestedAttributeType">
+ <xsd:sequence>
+ <xsd:element name="AttributeValue" minOccurs="0" maxOccurs="unbounded" type="xsd:anyType"/>
+ </xsd:sequence>
+ <xsd:attribute name="Name" type="xsd:string" use="required"/>
+ <xsd:attribute name="NameFormat" type="xsd:anyURI" use="required" />
+ <xsd:attribute name="isRequired" type="xsd:boolean" use="required"/>
+ <xsd:attribute name="FriendlyName" type="xsd:string" use="optional"/>
+ <xsd:anyAttribute namespace="##other" processContents="lax" />
+ </xsd:complexType>
+
+</xsd:schema>
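Review bot: `AttributeValue` is typed `xsd:anyType` and RequestedAttributeType accepts `anyAttribute` with `processContents="lax"`, so schema validation constrains only the element structure and the four declared attributes; the values of requested attributes pass through unvalidated. That is presumably the upstream eIDAS extension schema and should not be tightened for interoperability reasons, but a header comment stating its origin and that content validation happens elsewhere, e.g. `<!-- eIDAS SAML extensions schema for namespace http://eidas.europa.eu/saml-extensions; attribute values are intentionally unconstrained here and must be validated by the consuming code -->`, would make that explicit for readers who assume schema validation covers content.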