diff options
Diffstat (limited to 'id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java')
-rw-r--r-- | id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java | 163 |
1 files changed, 97 insertions, 66 deletions
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java index 8f5a231ee..6b6d1a196 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java @@ -23,7 +23,9 @@ package at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks; import java.io.IOException; +import java.util.Arrays; import java.util.Collection; +import java.util.Collections; import java.util.List; import java.util.Set; @@ -40,41 +42,40 @@ import org.opensaml.xml.security.SecurityException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException; +import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import at.gv.egiz.eaaf.modules.pvp2.api.binding.IDecoder; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding; +import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PVPSProfileResponse; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EAAFURICompare; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; +import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionValidationExeption; +import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnResponseValidationException; +import at.gv.egiz.eaaf.modules.pvp2.sp.impl.utils.AssertionAttributeExtractor; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants; import at.gv.egovernment.moa.id.auth.exception.BuildException; -import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; -import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; -import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants; import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; -import at.gv.egovernment.moa.id.commons.api.exceptions.SessionDataStorageException; -import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.moduls.SSOManager; -import at.gv.egovernment.moa.id.process.api.ExecutionContext; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOAURICompare; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnResponseValidationException; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -87,7 +88,7 @@ import at.gv.egovernment.moa.util.MiscUtil; public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { @Autowired private SAMLVerificationEngineSP samlVerificationEngine; - @Autowired private FederatedAuthCredentialProvider credentialProvider; + @Autowired private FederatedAuthCredentialProvider credentialProvider; @Autowired private SSOManager ssoManager; @Autowired private AttributQueryBuilder attributQueryBuilder; @Autowired private AuthenticationDataBuilder authDataBuilder; @@ -105,17 +106,17 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { try { - IDecoder decoder = null; - MOAURICompare comperator = null; + IDecoder decoder = null; + EAAFURICompare comperator = null; //select Response Binding if (request.getMethod().equalsIgnoreCase("POST")) { decoder = new PostBinding(); - comperator = new MOAURICompare(pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_POST); + comperator = new EAAFURICompare(pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_POST); Logger.trace("Receive PVP Response from federated IDP, by using POST-Binding."); } else if (request.getMethod().equalsIgnoreCase("GET")) { decoder = new RedirectBinding(); - comperator = new MOAURICompare(pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_REDIRECT); + comperator = new EAAFURICompare(pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_REDIRECT); Logger.trace("Receive PVP Response from federated IDP, by using Redirect-Binding."); } else { @@ -131,7 +132,8 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { comperator); if (MiscUtil.isEmpty(msg.getEntityID())) { - throw new InvalidProtocolRequestException("sp.pvp2.04", new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING}); + throw new InvalidProtocolRequestException("sp.pvp2.04", + new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING}); } @@ -145,11 +147,11 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_AUTHRESPONSE); //validate assertion - MOAResponse processedMsg = preProcessAuthResponse((MOAResponse) msg); + PVPSProfileResponse processedMsg = preProcessAuthResponse((PVPSProfileResponse) msg); //load IDP and SP configuration - IOAAuthParameters idpConfig = authConfig.getOnlineApplicationParameter(msg.getEntityID()); - IOAAuthParameters spConfig = pendingReq.getOnlineApplicationConfiguration(); + IOAAuthParameters idpConfig = authConfig.getServiceProviderConfiguration(msg.getEntityID(), IOAAuthParameters.class); + IOAAuthParameters spConfig = pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class); //check if response Entity is valid if (!idpConfig.isInderfederationIDP()) { @@ -159,10 +161,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { msg.getEntityID()}); } - - //load MOASession from database - defaultTaskInitialization(request, executionContext); - + //initialize Attribute extractor AssertionAttributeExtractor extractor = new AssertionAttributeExtractor((Response) processedMsg.getResponse()); @@ -170,12 +169,12 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { //check if SP is also a federated IDP if (spConfig.isInderfederationIDP()) { //SP is a federated IDP --> answer only with nameID and wait for attribute-Query - pendingReq.setGenericDataToSession( - PVPTargetConfiguration.DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP, true); - pendingReq.setGenericDataToSession( - PVPTargetConfiguration.DATAID_INTERFEDERATION_NAMEID, extractor.getNameID()); - pendingReq.setGenericDataToSession( - PVPTargetConfiguration.DATAID_INTERFEDERATION_QAALEVEL, extractor.getQAALevel()); + pendingReq.setRawDataToTransaction( + MOAIDAuthConstants.DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP, true); + pendingReq.setRawDataToTransaction( + MOAIDAuthConstants.DATAID_INTERFEDERATION_NAMEID, extractor.getNameID()); + pendingReq.setRawDataToTransaction( + MOAIDAuthConstants.DATAID_INTERFEDERATION_QAALEVEL, extractor.getQAALevel()); authenticatedSessionStorage. addFederatedSessionInformation(pendingReq, @@ -185,7 +184,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { //SP is real Service-Provider --> check attributes in response // and start Attribute-Query if required - getAuthDataFromInterfederation(extractor, pendingReq.getOnlineApplicationConfiguration(), + getAuthDataFromInterfederation(extractor, pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class), idpConfig); //store federatedIDP to MOASession @@ -197,8 +196,8 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { } //store valid assertion into pending-request - pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg); - pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_ENTITYID, processedMsg.getEntityID()); + pendingReq.setRawDataToTransaction(SSOManager.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg); + pendingReq.setRawDataToTransaction(SSOManager.DATAID_INTERFEDERATIOIDP_ENTITYID, processedMsg.getEntityID()); //store pending-request requestStoreage.storePendingRequest(pendingReq); @@ -223,13 +222,21 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { } catch (AssertionValidationExeption | AuthnResponseValidationException e) { Logger.info("PVP response validation FAILED. Msg:" + e.getMessage()); if (msg != null) { - IOAAuthParameters idpConfig = authConfig.getOnlineApplicationParameter(msg.getEntityID()); - - //remove federated IDP from SSO session if exists - ssoManager.removeInterfederatedSSOIDP(msg.getEntityID(), request); + IOAAuthParameters idpConfig = null; + try { + idpConfig = authConfig.getServiceProviderConfiguration(msg.getEntityID(), IOAAuthParameters.class); + //remove federated IDP from SSO session if exists + ssoManager.removeInterfederatedSSOIDP(msg.getEntityID(), request); + + //select next step + handleAuthnResponseValidationProblem(executionContext, idpConfig, e); + + } catch (EAAFConfigurationException e1) { + Logger.error("Can not handle error during an internal problem. ", e1); + throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", e); + + } - //select next step - handleAuthnResponseValidationProblem(executionContext, idpConfig, e); } else throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", e); @@ -244,29 +251,46 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { private void getAuthDataFromInterfederation(AssertionAttributeExtractor extractor, IOAAuthParameters spConfig, IOAAuthParameters idpConfig) throws BuildException, ConfigurationException{ + /*TODO: + * only workaround for oe.gv.at project + */ + final List<String> minimalIDLAttributeNamesList = Arrays.asList( + PVPConstants.EID_IDENTITY_LINK_NAME, + PVPConstants.EID_SOURCE_PIN_NAME, + PVPConstants.EID_SOURCE_PIN_TYPE_NAME); + try { Logger.debug("Service Provider is no federated IDP --> start Attribute validation or requesting ... "); - Collection<String> requestedAttr = pendingReq.getRequestedAttributes(metadataProvider); + + //TODO!!!!! + //Collection<String> requestedAttr = pendingReq.getRequestedAttributes(metadataProvider); + Collection<String> requestedAttr = Collections.emptyList(); //check if SAML2 Assertion contains a minimal set of attributes - if (!extractor.containsAllRequiredAttributes()) { + + //TODO: switch back to correct attribute query + if (!extractor.containsAllRequiredAttributes() + && !extractor.containsAllRequiredAttributes(minimalIDLAttributeNamesList) ) { Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ..."); //build attributQuery request List<Attribute> attributs = attributQueryBuilder.buildSAML2AttributeList(spConfig, requestedAttr.iterator()); - //request IDP to get additional attributes - extractor = authDataBuilder.getAuthDataFromAttributeQuery(attributs, extractor.getNameID(), idpConfig); +// //request IDP to get additional attributes +// extractor = authDataBuilder.getAuthDataFromAttributeQuery(attributs, extractor.getNameID(), +// idpConfig, pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_METADATA); } else { Logger.info("Interfedation response include a minimal set of attributes with are required. Skip AttributQuery request step. "); } + //TODO: switch back to correct attribute query //check if all attributes are include - if (!extractor.containsAllRequiredAttributes( - pendingReq.getRequestedAttributes(metadataProvider))) { + //if (!extractor.containsAllRequiredAttributes(requestedAttr)) { + if (!extractor.containsAllRequiredAttributes() + && !extractor.containsAllRequiredAttributes(minimalIDLAttributeNamesList)) { Logger.warn("PVP Response from federated IDP contains not all requested attributes."); throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING}); @@ -274,30 +298,37 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { //copy attributes into MOASession Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames(); + AuthProcessDataWrapper session = pendingReq.getSessionData(AuthProcessDataWrapper.class); for (String el : includedAttrNames) { - moasession.setGenericDataToSession(el, extractor.getSingleAttributeValue(el)); + String value = extractor.getSingleAttributeValue(el); + + //TODO: check in future version + //update PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME to prefixed version + if (el.equals(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) { + Logger.trace("Find PVP-attribute " + el + ". Start mapping if neccessary ... "); + if (!value.startsWith(PVPConstants.STORK_QAA_PREFIX)) { + value = PVPConstants.STORK_QAA_PREFIX + value; + Logger.debug("Prefix '" + el + "' with: "+ PVPConstants.STORK_QAA_PREFIX); + } + } + + session.setGenericDataToSession(el, value); Logger.debug("Add PVP-attribute " + el + " into MOASession"); } //set validTo from this federated IDP response - moasession.setGenericDataToSession( + session.setGenericDataToSession( AuthenticationSessionStorageConstants.FEDERATION_RESPONSE_VALIDE_TO, extractor.getAssertionNotOnOrAfter()); - } catch (AttributQueryException e) { - throw new BuildException("builder.06", null, e); - - } catch (SessionDataStorageException e) { - throw new BuildException("builder.06", null, e); - } catch (AssertionValidationExeption e) { throw new BuildException("builder.06", null, e); - } catch (AssertionAttributeExtractorExeption e) { + } catch (MOAIDException e) { throw new BuildException("builder.06", null, e); - } catch (MOAIDException e) { + } catch (EAAFStorageException e) { throw new BuildException("builder.06", null, e); } @@ -338,7 +369,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { * @throws AssertionValidationExeption * @throws AuthnResponseValidationException */ - private MOAResponse preProcessAuthResponse(MOAResponse msg) throws IOException, MarshallingException, TransformerException, AssertionValidationExeption, CredentialsNotAvailableException, AuthnResponseValidationException { + private PVPSProfileResponse preProcessAuthResponse(PVPSProfileResponse msg) throws IOException, MarshallingException, TransformerException, AssertionValidationExeption, CredentialsNotAvailableException, AuthnResponseValidationException { Logger.debug("Start PVP21 assertion processing... "); Response samlResp = (Response) msg.getResponse(); |