1 files changed, 97 insertions, 66 deletions
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
index 8f5a231ee..6b6d1a196 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
@@ -23,7 +23,9 @@
 package at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks;
 
 import java.io.IOException;
+import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.List;
 import java.util.Set;
 
@@ -40,41 +42,40 @@ import org.opensaml.xml.security.SecurityException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
+import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
+import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException;
+import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException;
+import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
+import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
+import at.gv.egiz.eaaf.core.impl.idp.auth.data.AuthProcessDataWrapper;
+import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask;
+import at.gv.egiz.eaaf.modules.pvp2.api.binding.IDecoder;
+import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
+import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding;
+import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.PVPSProfileResponse;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EAAFURICompare;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory;
+import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionValidationExeption;
+import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnResponseValidationException;
+import at.gv.egiz.eaaf.modules.pvp2.sp.impl.utils.AssertionAttributeExtractor;
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants;
 import at.gv.egovernment.moa.id.auth.exception.BuildException;
-import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
-import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
-import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
 import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants;
 import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider;
 import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
-import at.gv.egovernment.moa.id.commons.api.exceptions.SessionDataStorageException;
-import at.gv.egovernment.moa.id.moduls.RequestImpl;
 import at.gv.egovernment.moa.id.moduls.SSOManager;
-import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
-import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder;
-import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOAURICompare;
-import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
-import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnResponseValidationException;
-import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
-import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
 import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
-import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
-import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
-import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
-import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
 import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
@@ -87,7 +88,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
 public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 
 	@Autowired private SAMLVerificationEngineSP samlVerificationEngine;
-	@Autowired private FederatedAuthCredentialProvider credentialProvider;
+	@Autowired private FederatedAuthCredentialProvider credentialProvider; 
 	@Autowired private SSOManager ssoManager;
 	@Autowired private AttributQueryBuilder attributQueryBuilder;
 	@Autowired private AuthenticationDataBuilder authDataBuilder;
@@ -105,17 +106,17 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 		
 		try {
 			
-			IDecoder decoder = null;
-			MOAURICompare comperator = null;
+			IDecoder decoder = null; 
+			EAAFURICompare comperator = null;
 			//select Response Binding
 			if (request.getMethod().equalsIgnoreCase("POST")) {
 				decoder = new PostBinding();
-				comperator = new MOAURICompare(pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_POST);
+				comperator = new EAAFURICompare(pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_POST);
 				Logger.trace("Receive PVP Response from federated IDP, by using POST-Binding.");
 				
 			}  else if (request.getMethod().equalsIgnoreCase("GET")) {
 				decoder = new RedirectBinding();
-				comperator = new MOAURICompare(pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_REDIRECT);
+				comperator = new EAAFURICompare(pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_REDIRECT);
 				Logger.trace("Receive PVP Response from federated IDP, by using Redirect-Binding.");
 				
 			} else {
@@ -131,7 +132,8 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 					comperator);
 			 
 			if (MiscUtil.isEmpty(msg.getEntityID())) {
-				throw new InvalidProtocolRequestException("sp.pvp2.04", new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING});
+				throw new InvalidProtocolRequestException("sp.pvp2.04", 
+						new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING});
 				
 			}
 
@@ -145,11 +147,11 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 			revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_AUTHRESPONSE);
 			
 			//validate assertion
-			MOAResponse processedMsg = preProcessAuthResponse((MOAResponse) msg);
+			PVPSProfileResponse processedMsg = preProcessAuthResponse((PVPSProfileResponse) msg);
 			
 			//load IDP and SP configuration
-			IOAAuthParameters idpConfig = authConfig.getOnlineApplicationParameter(msg.getEntityID());
-			IOAAuthParameters spConfig = pendingReq.getOnlineApplicationConfiguration();
+			IOAAuthParameters idpConfig = authConfig.getServiceProviderConfiguration(msg.getEntityID(), IOAAuthParameters.class);
+			IOAAuthParameters spConfig = pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class);
 			
 			//check if response Entity is valid
 			if (!idpConfig.isInderfederationIDP()) {
@@ -159,10 +161,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 								msg.getEntityID()});
 				
 			}
-			
-			//load MOASession from database
-			defaultTaskInitialization(request, executionContext);
-			
+						
 			//initialize Attribute extractor
 			AssertionAttributeExtractor extractor = 
 					new AssertionAttributeExtractor((Response) processedMsg.getResponse());
@@ -170,12 +169,12 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 			//check if SP is also a federated IDP
 			if (spConfig.isInderfederationIDP()) {
 				//SP is a federated IDP  --> answer only with nameID and wait for attribute-Query
-				pendingReq.setGenericDataToSession(
-						PVPTargetConfiguration.DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP, true);				
-				pendingReq.setGenericDataToSession(
-						PVPTargetConfiguration.DATAID_INTERFEDERATION_NAMEID, extractor.getNameID());
-				pendingReq.setGenericDataToSession(
-						PVPTargetConfiguration.DATAID_INTERFEDERATION_QAALEVEL, extractor.getQAALevel());
+				pendingReq.setRawDataToTransaction(
+						MOAIDAuthConstants.DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP, true);				
+				pendingReq.setRawDataToTransaction(
+						MOAIDAuthConstants.DATAID_INTERFEDERATION_NAMEID, extractor.getNameID());
+				pendingReq.setRawDataToTransaction(
+						MOAIDAuthConstants.DATAID_INTERFEDERATION_QAALEVEL, extractor.getQAALevel());
 
 				authenticatedSessionStorage.
 					addFederatedSessionInformation(pendingReq, 
@@ -185,7 +184,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 				//SP is real Service-Provider  --> check attributes in response 
 				// and start Attribute-Query if required 
 												
-				getAuthDataFromInterfederation(extractor, pendingReq.getOnlineApplicationConfiguration(), 
+				getAuthDataFromInterfederation(extractor, pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class), 
 						idpConfig);	
 
 				//store federatedIDP to MOASession
@@ -197,8 +196,8 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 			}
 
 			//store valid assertion into pending-request
-			pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg);
-			pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_ENTITYID, processedMsg.getEntityID());
+			pendingReq.setRawDataToTransaction(SSOManager.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg);
+			pendingReq.setRawDataToTransaction(SSOManager.DATAID_INTERFEDERATIOIDP_ENTITYID, processedMsg.getEntityID());
 			
 			//store pending-request
 			requestStoreage.storePendingRequest(pendingReq);
@@ -223,13 +222,21 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 		} catch (AssertionValidationExeption | AuthnResponseValidationException e) {
 			Logger.info("PVP response validation FAILED. Msg:" + e.getMessage());			
 			if (msg != null) {
-				IOAAuthParameters idpConfig = authConfig.getOnlineApplicationParameter(msg.getEntityID());
-				
-				//remove federated IDP from SSO session if exists
-				ssoManager.removeInterfederatedSSOIDP(msg.getEntityID(), request);
+				IOAAuthParameters idpConfig = null;
+				try {					
+					idpConfig = authConfig.getServiceProviderConfiguration(msg.getEntityID(), IOAAuthParameters.class);
+					//remove federated IDP from SSO session if exists
+					ssoManager.removeInterfederatedSSOIDP(msg.getEntityID(), request);
+					
+					//select next step
+					handleAuthnResponseValidationProblem(executionContext, idpConfig, e);
+					
+				} catch (EAAFConfigurationException e1) {
+					Logger.error("Can not handle error during an internal problem. ", e1);
+					throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", e);
+					
+				}
 				
-				//select next step
-				handleAuthnResponseValidationProblem(executionContext, idpConfig, e);
 								
 			} else
 				throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", e);
@@ -244,29 +251,46 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 	private void getAuthDataFromInterfederation(AssertionAttributeExtractor extractor, IOAAuthParameters spConfig, 
 			IOAAuthParameters idpConfig) throws BuildException, ConfigurationException{
 		
+		/*TODO: 
+		 *   only workaround for oe.gv.at project
+		 */
+		final List<String> minimalIDLAttributeNamesList = Arrays.asList(
+				PVPConstants.EID_IDENTITY_LINK_NAME,			
+				PVPConstants.EID_SOURCE_PIN_NAME,
+				PVPConstants.EID_SOURCE_PIN_TYPE_NAME);
+		
 		try {
 			Logger.debug("Service Provider is no federated IDP --> start Attribute validation or requesting ... ");
-			Collection<String> requestedAttr = pendingReq.getRequestedAttributes(metadataProvider);
+			
+			//TODO!!!!!
+			//Collection<String> requestedAttr = pendingReq.getRequestedAttributes(metadataProvider);
+			Collection<String> requestedAttr = Collections.emptyList();
 						
 			//check if SAML2 Assertion contains a minimal set of attributes
-			if (!extractor.containsAllRequiredAttributes()) {
+			
+			//TODO: switch back to correct attribute query
+			if (!extractor.containsAllRequiredAttributes() 
+					&& !extractor.containsAllRequiredAttributes(minimalIDLAttributeNamesList) ) {
 				Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ...");				
 				
 				//build attributQuery request
 				List<Attribute> attributs = 
 						attributQueryBuilder.buildSAML2AttributeList(spConfig, requestedAttr.iterator());
 			
-				//request IDP to get additional attributes
-				extractor = authDataBuilder.getAuthDataFromAttributeQuery(attributs, extractor.getNameID(), idpConfig);
+//				//request IDP to get additional attributes
+//				extractor = authDataBuilder.getAuthDataFromAttributeQuery(attributs, extractor.getNameID(), 
+//						idpConfig, pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_METADATA);
 								
 			} else {
 				Logger.info("Interfedation response include a minimal set of attributes with are required. Skip AttributQuery request step. ");
 				
 			}														
 			
+			//TODO: switch back to correct attribute query
 			//check if all attributes are include
-			if (!extractor.containsAllRequiredAttributes(
-					pendingReq.getRequestedAttributes(metadataProvider))) {
+			//if (!extractor.containsAllRequiredAttributes(requestedAttr)) {
+			if (!extractor.containsAllRequiredAttributes() 
+					&& !extractor.containsAllRequiredAttributes(minimalIDLAttributeNamesList)) {
 				Logger.warn("PVP Response from federated IDP contains not all requested attributes.");
 				throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING});
 				
@@ -274,30 +298,37 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 			
 			//copy attributes into MOASession
 			Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames();
+			AuthProcessDataWrapper session = pendingReq.getSessionData(AuthProcessDataWrapper.class);
 			for (String el : includedAttrNames) {
-				moasession.setGenericDataToSession(el, extractor.getSingleAttributeValue(el));
+				String value = extractor.getSingleAttributeValue(el);
+				
+				//TODO: check in future version
+				//update PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME to prefixed version
+				if (el.equals(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) {
+					Logger.trace("Find PVP-attribute " + el + ". Start mapping if neccessary ... ");					
+					if (!value.startsWith(PVPConstants.STORK_QAA_PREFIX)) {
+						value = PVPConstants.STORK_QAA_PREFIX + value;
+						Logger.debug("Prefix '" + el + "' with: "+ PVPConstants.STORK_QAA_PREFIX);
+					}					
+				} 
+				
+				session.setGenericDataToSession(el, value);				
 				Logger.debug("Add PVP-attribute " + el + " into MOASession");
 				
 			}
 			
 			//set validTo from this federated IDP response
-			moasession.setGenericDataToSession(
+			session.setGenericDataToSession(
 					AuthenticationSessionStorageConstants.FEDERATION_RESPONSE_VALIDE_TO, 
 					extractor.getAssertionNotOnOrAfter());
 									
-		} catch (AttributQueryException e) {
-			throw new BuildException("builder.06", null, e);
-			
-		} catch (SessionDataStorageException e) {
-			throw new BuildException("builder.06", null, e);
-			
 		} catch (AssertionValidationExeption e) {
 			throw new BuildException("builder.06", null, e);
 			
-		} catch (AssertionAttributeExtractorExeption e) {
+		} catch (MOAIDException e) {
 			throw new BuildException("builder.06", null, e);
 			
-		} catch (MOAIDException e) {
+		} catch (EAAFStorageException e) {
 			throw new BuildException("builder.06", null, e);
 			
 		}
@@ -338,7 +369,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 	 * @throws AssertionValidationExeption 
 	 * @throws AuthnResponseValidationException 
 	 */
-	private MOAResponse preProcessAuthResponse(MOAResponse msg) throws IOException, MarshallingException, TransformerException, AssertionValidationExeption, CredentialsNotAvailableException, AuthnResponseValidationException {
+	private PVPSProfileResponse preProcessAuthResponse(PVPSProfileResponse msg) throws IOException, MarshallingException, TransformerException, AssertionValidationExeption, CredentialsNotAvailableException, AuthnResponseValidationException {
 		Logger.debug("Start PVP21 assertion processing... ");
 		Response samlResp = (Response) msg.getResponse();