Diffstat (limited to 'id/server/modules/moa-id-module-eIDAS')
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java2
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java33
2 files changed, 30 insertions, 5 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
index c0101b553..d975b6e0a 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
@@ -69,6 +69,8 @@ public class Constants {
public static final String CONIG_PROPS_EIDAS_METADATA_URLS_LIST_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".metadata.url";
+ public static final String CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX = CONIG_PROPS_EIDAS_PREFIX + ".bpk.target.";
+
//timeouts and clock skews
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
index 940b91b44..4b67370d6 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
@@ -56,6 +56,7 @@ import at.gv.egovernment.moa.id.commons.MOAIDConstants;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.IRequest;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
import at.gv.egovernment.moa.id.moduls.RequestImpl;
import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController;
import at.gv.egovernment.moa.logging.Logger;
@@ -283,14 +284,22 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
} else {
String[] splittedTarget = eIDASTarget.split("\\+");
if (!splittedTarget[2].equalsIgnoreCase(reqCC)) {
- Logger.error("Configuration for eIDAS-node:" + samlReq.getIssuer()
+ Logger.debug("Configuration for eIDAS-node:" + samlReq.getIssuer()
+ " Destination Country from request (" + reqCC
- + ") does not match to configuration:" + eIDASTarget);
- throw new MOAIDException("eIDAS.01",
- new Object[]{"Destination Country from request does not match to configuration"});
+ + ") does not match to configuration:" + eIDASTarget
+ + " --> Perform additional organisation check ...");
+
+ //check if eIDAS domain for bPK calculation is a valid target
+ if (!iseIDASTargetAValidOrganisation(reqCC, splittedTarget[2])) {
+ throw new MOAIDException("eIDAS.01",
+ new Object[]{"Destination Country from request does not match to configuration"});
+
+ }
+
}
- Logger.debug("CountryCode from request matches eIDAS-node configuration target");
+ Logger.debug("CountryCode from request matches eIDAS-node configuration target: " + eIDASTarget);
+
}
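Review bot: The rejection path loses its error-level log entry: the message that was `Logger.error(...)` is now `Logger.debug(...)` at the top of the branch, and the `throw new MOAIDException("eIDAS.01", ...)` that follows the failed organisation check has no log call of its own, so a request rejected for a country mismatch is visible only at debug level (plus the info line inside the helper). Since this branch is the point where a request from an unexpected country is refused, an operator looking for failed cross-border requests should still find it at warn or error: add `Logger.warn("Destination Country " + reqCC + " rejected for eIDAS-node: " + samlReq.getIssuer());` directly before the throw. The same hunk also keeps the unchecked `splittedTarget[2]` index from the context line; that is pre-existing, but the new call now forwards it into the helper, so a `length < 3` guard before the comparison would be cheap. The enclosing method starts and ends outside the hunk.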
@@ -439,6 +448,20 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
public boolean validate(HttpServletRequest request, HttpServletResponse response, IRequest pending) {
return false;
}
+
+ private boolean iseIDASTargetAValidOrganisation(String reqCC, String bPKTargetArea) {
+ if (MiscUtil.isNotEmpty(reqCC)) {
+ List<String> allowedOrganisations = KeyValueUtils.getListOfCSVValues(
+ authConfig.getBasicMOAIDConfiguration(Constants.CONFIG_PROPS_EIDAS_BPK_TARGET_PREFIX + reqCC.toLowerCase()));
+ if (allowedOrganisations.contains(bPKTargetArea)) {
+ Logger.debug(bPKTargetArea + " is a valid OrganisationIdentifier for request-country: "+ reqCC);
+ return true;
+ }
+ }
+
+ Logger.info("OrganisationIdentifier: " + bPKTargetArea + " is not allowed for country: " + reqCC);
+ return false;
+ }
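Review bot: `reqCC.toLowerCase()` in the configuration-key lookup uses the JVM default locale, so the key built from a request country code such as "IT" differs under a Turkish default locale and the allowlist lookup silently fails; use `reqCC.toLowerCase(Locale.ROOT)` (java.util.Locale is in the JDK; add the import if the file lacks it). The subsequent `allowedOrganisations.contains(bPKTargetArea)` is case-sensitive while the country comparison in the caller uses `equalsIgnoreCase`, so a configured value that differs only in case from the configured target will not match — either normalise both sides or document that the bPK target in the allowlist must match the eIDAS target exactly. Whether `KeyValueUtils.getListOfCSVValues` returns an empty list or null when the property for that country is absent is not visible here; if it can return null, the `contains` call throws NPE for any unconfigured country, so a null check (or a documented non-null contract on the helper) is needed. A short Javadoc stating that reqCC originates from the SAML request and is only used as a lowercased key suffix to select the per-country allowlist would help the next reader see why the lookup is safe.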
}