Diffstat (limited to 'id/server/modules/moa-id-modules-federated_authentication')
2 files changed, 73 insertions, 6 deletions
| diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java index c3d5e8032..1fff56f8d 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java @@ -22,7 +22,10 @@   */  package at.gv.egovernment.moa.id.auth.modules.federatedauth.config; +import java.util.ArrayList;  import java.util.Arrays; +import java.util.Collections; +import java.util.Iterator;  import java.util.List;  import org.opensaml.saml2.core.Attribute; @@ -35,6 +38,10 @@ import org.opensaml.xml.security.credential.Credential;  import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants;  import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider;  import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; +import at.gv.egovernment.moa.id.data.Pair; +import at.gv.egovernment.moa.id.data.Trible; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;  import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration;  import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;  import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; 
@@ -263,7 +270,39 @@ public class FederatedAuthMetadataConfiguration implements IPVPMetadataBuilderCo  	 */  	@Override  	public List<RequestedAttribute> getSPRequiredAttributes() { -		return null; +		/*TODO: +		 * 		Work for bug in AttributeQuery Client that includes a wrong EntityID for SP +		 */		 +		final List<Trible<String, String, Boolean>> REQUIRED_PVP_ATTRIBUTES =  +				Collections.unmodifiableList(new ArrayList<Trible<String, String, Boolean>>() { +					private static final long serialVersionUID = 1L; +					{	 +						//add PVP Version attribute +						add(Trible.newInstance(PVPConstants.PVP_VERSION_NAME, PVPConstants.PVP_VERSION_FRIENDLY_NAME, true)); +						 +						//request entity information +						add(Trible.newInstance(PVPConstants.GIVEN_NAME_NAME, PVPConstants.GIVEN_NAME_FRIENDLY_NAME, true)); +						add(Trible.newInstance(PVPConstants.PRINCIPAL_NAME_NAME, PVPConstants.PRINCIPAL_NAME_FRIENDLY_NAME, true)); +						add(Trible.newInstance(PVPConstants.BIRTHDATE_NAME, PVPConstants.BIRTHDATE_FRIENDLY_NAME, true)); +						add(Trible.newInstance(PVPConstants.EID_CCS_URL_NAME, PVPConstants.EID_CCS_URL_FRIENDLY_NAME, false)); +						add(Trible.newInstance(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME, PVPConstants.EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME, true)); +						add(Trible.newInstance(PVPConstants.EID_IDENTITY_LINK_NAME, PVPConstants.EID_IDENTITY_LINK_FRIENDLY_NAME, true)); +						add(Trible.newInstance(PVPConstants.EID_SOURCE_PIN_NAME, PVPConstants.EID_SOURCE_PIN_FRIENDLY_NAME, false)); +						add(Trible.newInstance(PVPConstants.EID_SOURCE_PIN_TYPE_NAME, PVPConstants.EID_SOURCE_PIN_TYPE_FRIENDLY_NAME, false)); +						add(Trible.newInstance(PVPConstants.EID_AUTH_BLOCK_NAME, PVPConstants.EID_AUTH_BLOCK_FRIENDLY_NAME, false)); +						add(Trible.newInstance(PVPConstants.EID_SIGNER_CERTIFICATE_NAME, PVPConstants.EID_SIGNER_CERTIFICATE_FRIENDLY_NAME, false)); +						add(Trible.newInstance(PVPConstants.MANDATE_FULL_MANDATE_NAME, 
PVPConstants.MANDATE_FULL_MANDATE_FRIENDLY_NAME, false)); +						 +						 + +					} +				}); +		 +		List<RequestedAttribute> requestedAttributes = new ArrayList<RequestedAttribute>(); +		for (Trible<String, String, Boolean> el : REQUIRED_PVP_ATTRIBUTES) +			requestedAttributes.add(PVPAttributeBuilder.buildReqAttribute(el.getFirst(), el.getSecond(), el.getThird())); +		 +		return requestedAttributes;  	}  	/* (non-Javadoc) diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java index 8f5a231ee..dea5e4894 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java @@ -23,6 +23,7 @@  package at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks;  import java.io.IOException; +import java.util.Arrays;  import java.util.Collection;  import java.util.List;  import java.util.Set; @@ -57,6 +58,7 @@ import at.gv.egovernment.moa.id.commons.api.exceptions.SessionDataStorageExcepti  import at.gv.egovernment.moa.id.moduls.RequestImpl;  import at.gv.egovernment.moa.id.moduls.SSOManager;  import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;  import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;  import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder;  import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOAURICompare; 
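Review bot: `getSPRequiredAttributes()` rebuilds `REQUIRED_PVP_ATTRIBUTES` on every call through double-brace initialization, i.e. a new anonymous `ArrayList` subclass instance (with its hidden reference to the enclosing configuration object) per invocation, for what is a fixed table. A `private static final` list at class level built with `Arrays.asList(...)` (already imported) and wrapped once in `Collections.unmodifiableList` expresses the same thing without the anonymous class or the `serialVersionUID`; the `java.util.Iterator` import added in the first hunk is not used by the visible new code, so it may be stray. The TODO should also say what the workaround stands in for — which attribute set will come from the SP's own metadata once the AttributeQuery client sends the correct EntityID — so the hard-coded `true`/`false` required flags on the identity-link and source-PIN attributes are not read as policy.
```java
	/*TODO:
	 * 		Work for bug in AttributeQuery Client that includes a wrong EntityID for SP
	 *      (fixed table; replace by attributes from SP metadata once the client is fixed)
	 */
	private static final List<Trible<String, String, Boolean>> REQUIRED_PVP_ATTRIBUTES =
			Collections.unmodifiableList(Arrays.asList(
					//add PVP Version attribute
					Trible.newInstance(PVPConstants.PVP_VERSION_NAME, PVPConstants.PVP_VERSION_FRIENDLY_NAME, true),
					//request entity information
					Trible.newInstance(PVPConstants.GIVEN_NAME_NAME, PVPConstants.GIVEN_NAME_FRIENDLY_NAME, true),
					// … unchanged: remaining Trible.newInstance(...) entries in the same order …
					Trible.newInstance(PVPConstants.MANDATE_FULL_MANDATE_NAME, PVPConstants.MANDATE_FULL_MANDATE_FRIENDLY_NAME, false)));

	@Override
	public List<RequestedAttribute> getSPRequiredAttributes() {
		List<RequestedAttribute> requestedAttributes = new ArrayList<RequestedAttribute>(REQUIRED_PVP_ATTRIBUTES.size());
		for (Trible<String, String, Boolean> el : REQUIRED_PVP_ATTRIBUTES) {
			requestedAttributes.add(PVPAttributeBuilder.buildReqAttribute(el.getFirst(), el.getSecond(), el.getThird()));
		}
		return requestedAttributes;
	}
```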
@@ -244,12 +246,23 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {  	private void getAuthDataFromInterfederation(AssertionAttributeExtractor extractor, IOAAuthParameters spConfig,   			IOAAuthParameters idpConfig) throws BuildException, ConfigurationException{ +		/*TODO:  +		 *   only workaround for oe.gv.at project +		 */ +		final List<String> minimalIDLAttributeNamesList = Arrays.asList( +				PVPConstants.EID_IDENTITY_LINK_NAME,			 +				PVPConstants.EID_SOURCE_PIN_NAME, +				PVPConstants.EID_SOURCE_PIN_TYPE_NAME); +		  		try {  			Logger.debug("Service Provider is no federated IDP --> start Attribute validation or requesting ... ");  			Collection<String> requestedAttr = pendingReq.getRequestedAttributes(metadataProvider);  			//check if SAML2 Assertion contains a minimal set of attributes -			if (!extractor.containsAllRequiredAttributes()) { +			 +			//TODO: switch back to correct attribute query +			if (!extractor.containsAllRequiredAttributes()  +					&& !extractor.containsAllRequiredAttributes(minimalIDLAttributeNamesList)) {  				Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ...");				  				//build attributQuery request 
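Review bot: The relaxed `if` in this hunk (and the identical one in hunk `@@ -257,16`) treats the presence of the three hard-coded entries of `minimalIDLAttributeNamesList` as sufficient, so `requestedAttr` — the set derived from the SP metadata via `pendingReq.getRequestedAttributes(metadataProvider)` — is still used to build the AttributeQuery but is no longer checked afterwards; attributes the SP asked for that the federated IDP did not deliver now pass validation silently. If the workaround has to stay, keep the deviation visible: after the final check, log the requested attribute names the assertion lacks at `Logger.warn` level, and gate the fallback on a configuration switch rather than having it always on (the TODO says it is only for one project). `minimalIDLAttributeNamesList` is also constant and could be a `private static final List<String>` instead of being re-created per call. `getAuthDataFromInterfederation` continues beyond the end of this hunk.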
@@ -257,16 +270,19 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {  						attributQueryBuilder.buildSAML2AttributeList(spConfig, requestedAttr.iterator());  				//request IDP to get additional attributes -				extractor = authDataBuilder.getAuthDataFromAttributeQuery(attributs, extractor.getNameID(), idpConfig); +				extractor = authDataBuilder.getAuthDataFromAttributeQuery(attributs, extractor.getNameID(),  +						idpConfig, pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_METADATA);  			} else {  				Logger.info("Interfedation response include a minimal set of attributes with are required. Skip AttributQuery request step. ");  			}														 +			//TODO: switch back to correct attribute query  			//check if all attributes are include -			if (!extractor.containsAllRequiredAttributes( -					pendingReq.getRequestedAttributes(metadataProvider))) { +			//if (!extractor.containsAllRequiredAttributes(requestedAttr)) { +			if (!extractor.containsAllRequiredAttributes()  +					&& !extractor.containsAllRequiredAttributes(minimalIDLAttributeNamesList)) {  				Logger.warn("PVP Response from federated IDP contains not all requested attributes.");  				throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING}); 
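Review bot: The commented-out `//if (!extractor.containsAllRequiredAttributes(requestedAttr)) {` keeps the intended check as dead text beside the TODO; commented-out code is better removed, with the TODO stating the condition to restore in words, e.g. `//TODO: restore check against requestedAttr (SP metadata) once the AttributeQuery client sends the correct SP EntityID`. The new fifth argument `pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_METADATA` builds the SP metadata URL by plain concatenation; whether `getAuthURL()` is guaranteed to be normalized (trailing slash, scheme) is not visible here and deserves a one-line comment at the call site, since this value is what the IDP will use to identify the requesting SP. The enclosing method starts and ends outside this hunk.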
@@ -275,7 +291,19 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {  			//copy attributes into MOASession  			Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames();  			for (String el : includedAttrNames) { -				moasession.setGenericDataToSession(el, extractor.getSingleAttributeValue(el)); +				String value = extractor.getSingleAttributeValue(el); +				 +				//TODO: check in future version +				//update PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME to prefixed version +				if (el.equals(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) { +					Logger.trace("Find PVP-attribute " + el + ". Start mapping if neccessary ... ");					 +					if (!value.startsWith(PVPConstants.STORK_QAA_PREFIX)) { +						value = PVPConstants.STORK_QAA_PREFIX + value; +						Logger.debug("Prefix '" + el + "' with: "+ PVPConstants.STORK_QAA_PREFIX); +					}					 +				}  +				 +				moasession.setGenericDataToSession(el, value);				  				Logger.debug("Add PVP-attribute " + el + " into MOASession");  			} | 
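Review bot: `value.startsWith(PVPConstants.STORK_QAA_PREFIX)` dereferences `value` without a null check, whereas the removed line passed `extractor.getSingleAttributeValue(el)` straight through to the session; if the extractor returns null for an attribute that is listed but carries no single value (not visible here), the copy loop now throws a NullPointerException instead of storing the null as before, so guard it with `if (value != null && !value.startsWith(PVPConstants.STORK_QAA_PREFIX)) {`. The prefixing also accepts whatever the federated IDP sent and only makes it look like a STORK QAA URI; if downstream code compares the session value against a known set of QAA levels, a comment stating that this mapping does not validate the level would keep that explicit. The enclosing method's closing brace is outside the hunk.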
