diff options
Diffstat (limited to 'id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java')
-rw-r--r-- | id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java | 458 |
1 files changed, 458 insertions, 0 deletions
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java new file mode 100644 index 000000000..fc04fa9a7 --- /dev/null +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java @@ -0,0 +1,458 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + ******************************************************************************/ + + + +package at.gv.egovernment.moa.id.auth.builder; + +import java.text.MessageFormat; +import java.util.Calendar; +import java.util.List; + +import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; +import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.auth.exception.ParseException; +import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.DateTimeUtils; +import at.gv.egovernment.moa.util.StringUtils; + +/** + * Builder for the authentication data <code><saml:Assertion></code> + * to be provided by the MOA ID Auth component. + * + * @author Paul Ivancsics + * @version $Id$ + */ +public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionBuilder implements Constants { + + /** 5 minutes (=300 seconds) default length of the assertion */ + private static int DEFAULT_CONDITIONS_LENGTH = 300; + + /** private static String NL contains the NewLine representation in Java*/ + private static final String NL = "\n"; + /** + * XML template for the <code><saml:Assertion></code> to be built + */ + private static final String AUTH_DATA = + "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>" + NL + + "<saml:Assertion xmlns:saml=''" + SAML_NS_URI + "'' xmlns:pr=''" + PD_NS_URI + "'' xmlns:xsi=''" + XSI_NS_URI + "''" + + " xmlns:si=''" + XSI_NS_URI + "''" + + " MajorVersion=''1'' MinorVersion=''0'' AssertionID=''{0}'' Issuer=''{1}'' IssueInstant=''{2}''>" + NL + + " <saml:AttributeStatement>" + NL + + " <saml:Subject>" + NL + + " <saml:NameIdentifier NameQualifier=''{3}''>{4}</saml:NameIdentifier>" + NL + + " <saml:SubjectConfirmation>" + NL + + " <saml:ConfirmationMethod>" + MOA_NS_URI + "cm</saml:ConfirmationMethod>" + NL + + " <saml:SubjectConfirmationData>{5}{6}</saml:SubjectConfirmationData>" + NL + + " </saml:SubjectConfirmation>" + NL + + " </saml:Subject>" + NL + + " <saml:Attribute AttributeName=''PersonData'' AttributeNamespace=''" + PD_NS_URI + "''>" + NL + + " <saml:AttributeValue>{7}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + " <saml:Attribute AttributeName=''isQualifiedCertificate'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + + " <saml:AttributeValue>{8}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + " <saml:Attribute AttributeName=''bkuURL'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + + " <saml:AttributeValue>{9}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + "{10}" + + "{11}" + + "{12}" + + " </saml:AttributeStatement>" + NL + + "</saml:Assertion>"; + + /** + * XML template for the <code><saml:Assertion></code> to be built (with Conditions) + */ + private static final String AUTH_DATA_WITH_CONDITIONS = + "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>" + NL + + "<saml:Assertion xmlns:saml=''" + SAML_NS_URI + "'' xmlns:pr=''" + PD_NS_URI + "'' xmlns:xsi=''" + XSI_NS_URI + "''" + + " xmlns:si=''" + XSI_NS_URI + "''" + + " MajorVersion=''1'' MinorVersion=''0'' AssertionID=''{0}'' Issuer=''{1}'' IssueInstant=''{2}''>" + NL + + "<saml:Conditions NotBefore=''{3}'' NotOnOrAfter=''{4}''/>" + NL + + " <saml:AttributeStatement>" + NL + + " <saml:Subject>" + NL + + " <saml:NameIdentifier NameQualifier=''{5}''>{6}</saml:NameIdentifier>" + NL + + " <saml:SubjectConfirmation>" + NL + + " <saml:ConfirmationMethod>" + MOA_NS_URI + "cm</saml:ConfirmationMethod>" + NL + + " <saml:SubjectConfirmationData>{7}{8}</saml:SubjectConfirmationData>" + NL + + " </saml:SubjectConfirmation>" + NL + + " </saml:Subject>" + NL + + " <saml:Attribute AttributeName=''PersonData'' AttributeNamespace=''" + PD_NS_URI + "''>" + NL + + " <saml:AttributeValue>{9}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + " <saml:Attribute AttributeName=''isQualifiedCertificate'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + + " <saml:AttributeValue>{10}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + " <saml:Attribute AttributeName=''bkuURL'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + + " <saml:AttributeValue>{11}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + "{12}" + + "{13}" + + "{14}" + + " </saml:AttributeStatement>" + NL + + "</saml:Assertion>"; + + /** + * XML template for the <code><saml:Assertion></code> to be built + */ + private static final String AUTH_DATA_MANDATE = + "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>" + NL + + "<saml:Assertion xmlns:saml=''" + SAML_NS_URI + "'' xmlns:pr=''" + PD_NS_URI + "'' xmlns:xsi=''" + XSI_NS_URI + "''" + + " xmlns:si=''" + XSI_NS_URI + "''" + + " MajorVersion=''1'' MinorVersion=''0'' AssertionID=''{0}'' Issuer=''{1}'' IssueInstant=''{2}''>" + NL + + " <saml:AttributeStatement>" + NL + + " <saml:Subject>" + NL + + " <saml:NameIdentifier NameQualifier=''{3}''>{4}</saml:NameIdentifier>" + NL + + " <saml:SubjectConfirmation>" + NL + + " <saml:ConfirmationMethod>" + MOA_NS_URI + "cm</saml:ConfirmationMethod>" + NL + + " <saml:SubjectConfirmationData>{5}{6}</saml:SubjectConfirmationData>" + NL + + " </saml:SubjectConfirmation>" + NL + + " </saml:Subject>" + NL + + " <saml:Attribute AttributeName=''PersonData'' AttributeNamespace=''" + PD_NS_URI + "''>" + NL + + " <saml:AttributeValue>{7}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + " <saml:Attribute AttributeName=''MandateData'' AttributeNamespace=''" + PD_NS_URI + "''>" + NL + + " <saml:AttributeValue>{8}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + " <saml:Attribute AttributeName=''isQualifiedCertificate'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + + " <saml:AttributeValue>{9}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + " <saml:Attribute AttributeName=''bkuURL'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + + " <saml:AttributeValue>{10}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + "{11}" + + "{12}" + + "{13}" + + " </saml:AttributeStatement>" + NL + + "</saml:Assertion>"; + + /** + * XML template for the <code><saml:Assertion></code> to be built + */ + private static final String AUTH_DATA_MANDATE_WITH_CONDITIONS = + "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>" + NL + + "<saml:Assertion xmlns:saml=''" + SAML_NS_URI + "'' xmlns:pr=''" + PD_NS_URI + "'' xmlns:xsi=''" + XSI_NS_URI + "''" + + " xmlns:si=''" + XSI_NS_URI + "''" + + " MajorVersion=''1'' MinorVersion=''0'' AssertionID=''{0}'' Issuer=''{1}'' IssueInstant=''{2}''>" + NL + + "<saml:Conditions NotBefore=''{3}'' NotOnOrAfter=''{4}''/>" + NL + + " <saml:AttributeStatement>" + NL + + " <saml:Subject>" + NL + + " <saml:NameIdentifier NameQualifier=''{5}''>{6}</saml:NameIdentifier>" + NL + + " <saml:SubjectConfirmation>" + NL + + " <saml:ConfirmationMethod>" + MOA_NS_URI + "cm</saml:ConfirmationMethod>" + NL + + " <saml:SubjectConfirmationData>{7}{8}</saml:SubjectConfirmationData>" + NL + + " </saml:SubjectConfirmation>" + NL + + " </saml:Subject>" + NL + + " <saml:Attribute AttributeName=''PersonData'' AttributeNamespace=''" + PD_NS_URI + "''>" + NL + + " <saml:AttributeValue>{9}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + " <saml:Attribute AttributeName=''MandateData'' AttributeNamespace=''" + PD_NS_URI + "''>" + NL + + " <saml:AttributeValue>{10}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + " <saml:Attribute AttributeName=''isQualifiedCertificate'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + + " <saml:AttributeValue>{11}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + " <saml:Attribute AttributeName=''bkuURL'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + + " <saml:AttributeValue>{12}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL + + "{13}" + + "{14}" + + "{15}" + + " </saml:AttributeStatement>" + NL + + "</saml:Assertion>"; + /** + * XML template for the <code><saml:Attribute></code> named <code>"isPublicAuthority"</code>, + * to be inserted into the <code><saml:Assertion></code> + */ + private static final String PUBLIC_AUTHORITY_ATT = + " <saml:Attribute AttributeName=''isPublicAuthority'' AttributeNamespace=''urn:oid:1.2.40.0.10.1.1.1''>" + NL + + " <saml:AttributeValue>{0}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL; + + private static final String SIGNER_CERTIFICATE_ATT = + " <saml:Attribute AttributeName=''SignerCertificate'' AttributeNamespace=''" + MOA_NS_URI + "''>" + NL + + " <saml:AttributeValue>{0}</saml:AttributeValue>" + NL + + " </saml:Attribute>" + NL; + + /** + * Constructor for AuthenticationDataAssertionBuilder. + */ + public AuthenticationDataAssertionBuilder() { + super(); + } + + /** + * Builds the authentication data <code><saml:Assertion></code>. + * + * @param authData the <code>AuthenticationData</code> to build the + * <code><saml:Assertion></code> from + * @param xmlPersonData <code>lt;pr:Person></code> element as a String + * @param xmlAuthBlock authentication block to be included in a + * <code>lt;saml:SubjectConfirmationData></code> element; may include + * the <code>"Stammzahl"</code> or not; may be empty + * @param xmlIdentityLink the IdentityLink + * @param signerCertificateBase64 Base64 encoded certificate of the signer. Maybe + * an empty string if the signer certificate should not be provided. + * Will be ignored if the <code>businessService</code> parameter is + * set to <code>false</code>. + * @param businessService <code>true</code> if the online application is a + * business service, otherwise <code>false</code> + * @return the <code><saml:Assertion></code> + * @throws BuildException if an error occurs during the build process + */ + public String build( + SAML1AuthenticationData authData, + String xmlPersonData, + String xmlAuthBlock, + String xmlIdentityLink, + String bkuURL, + String signerCertificateBase64, + boolean businessService, + List<ExtendedSAMLAttribute> extendedSAMLAttributes, + boolean useCondition, + int conditionLength) + throws BuildException + { + + String isQualifiedCertificate = authData.isQualifiedCertificate() ? "true" : "false"; + + String publicAuthorityAttribute = ""; + if (authData.isPublicAuthority()) { + String publicAuthorityIdentification = authData.getPublicAuthorityCode(); + if (publicAuthorityIdentification == null) + publicAuthorityIdentification = "True"; + publicAuthorityAttribute = MessageFormat.format( + PUBLIC_AUTHORITY_ATT, new Object[] { publicAuthorityIdentification }); + } + + + String signerCertificateAttribute = ""; + if (signerCertificateBase64 != "") { + signerCertificateAttribute = MessageFormat.format( + SIGNER_CERTIFICATE_ATT, new Object[] { signerCertificateBase64 }); + } + + String pkType; + String pkValue; + if (businessService) { + pkType = authData.getBPKType(); + pkValue = authData.getBPK(); + + } else { + // <saml:NameIdentifier NameQualifier> always has the bPK as type/value + pkType = URN_PREFIX_BPK; + pkValue = authData.getBPK(); + } + +// System.out.println("pkType; " + pkType); +// System.out.println("pkValue; " + pkValue); + + String assertion; + try { + + if (!useCondition) { + assertion = MessageFormat.format(AUTH_DATA, new Object[] { + authData.getAssertionID(), + authData.getIssuer(), + authData.getIssueInstantString(), + pkType, + pkValue, + StringUtils.removeXMLDeclaration(xmlAuthBlock), + StringUtils.removeXMLDeclaration(xmlIdentityLink), + StringUtils.removeXMLDeclaration(xmlPersonData), + isQualifiedCertificate, + bkuURL, + publicAuthorityAttribute, + signerCertificateAttribute, + buildExtendedSAMLAttributes(extendedSAMLAttributes)}); + } + else { + Calendar cal = Calendar.getInstance(); + String notBefore = DateTimeUtils.buildDateTimeUTC(cal); + if (conditionLength <= 0) + cal.add(Calendar.SECOND, DEFAULT_CONDITIONS_LENGTH); + else + cal.add(Calendar.SECOND, conditionLength); + + String notOnOrAfter = DateTimeUtils.buildDateTimeUTC(cal); + + assertion = MessageFormat.format(AUTH_DATA_WITH_CONDITIONS, new Object[] { + authData.getAssertionID(), + authData.getIssuer(), + authData.getIssueInstantString(), + notBefore, + notOnOrAfter, + pkType, + pkValue, + StringUtils.removeXMLDeclaration(xmlAuthBlock), + StringUtils.removeXMLDeclaration(xmlIdentityLink), + StringUtils.removeXMLDeclaration(xmlPersonData), + isQualifiedCertificate, + bkuURL, + publicAuthorityAttribute, + signerCertificateAttribute, + buildExtendedSAMLAttributes(extendedSAMLAttributes)}); + } + + + } catch (ParseException e) { + Logger.error("Error on building Authentication Data Assertion: " + e.getMessage()); + throw new BuildException("builder.00", new Object[] { "Authentication Data Assertion", e.toString()}); + } + return assertion; + } + + /** + * Builds the authentication data <code><saml:Assertion></code>. + * + * @param authData the <code>AuthenticationData</code> to build the + * <code><saml:Assertion></code> from + * @param xmlPersonData <code>lt;pr:Person></code> element as a String + * @param xmlAuthBlock authentication block to be included in a + * <code>lt;saml:SubjectConfirmationData></code> element; may include + * the <code>"Stammzahl"</code> or not; may be empty + * @param xmlIdentityLink the IdentityLink + * @param signerCertificateBase64 Base64 encoded certificate of the signer. Maybe + * an empty string if the signer certificate should not be provided. + * Will be ignored if the <code>businessService</code> parameter is + * set to <code>false</code>. + * @param businessService <code>true</code> if the online application is a + * business service, otherwise <code>false</code> + * @return the <code><saml:Assertion></code> + * @throws BuildException if an error occurs during the build process + */ + public String buildMandate( + SAML1AuthenticationData authData, + String xmlPersonData, + String xmlMandateData, + String xmlAuthBlock, + String xmlIdentityLink, + String bkuURL, + String signerCertificateBase64, + boolean businessService, + List<ExtendedSAMLAttribute> extendedSAMLAttributes, + boolean useCondition, + int conditionLength) + throws BuildException + { + + String isQualifiedCertificate = authData.isQualifiedCertificate() ? "true" : "false"; + String publicAuthorityAttribute = ""; + if (authData.isPublicAuthority()) { + String publicAuthorityIdentification = authData.getPublicAuthorityCode(); + if (publicAuthorityIdentification == null) + publicAuthorityIdentification = "True"; + publicAuthorityAttribute = MessageFormat.format( + PUBLIC_AUTHORITY_ATT, new Object[] { publicAuthorityIdentification }); + } + + + String signerCertificateAttribute = ""; + if (signerCertificateBase64 != "") { + signerCertificateAttribute = MessageFormat.format( + SIGNER_CERTIFICATE_ATT, new Object[] { signerCertificateBase64 }); + } + + String pkType; + String pkValue; + if (businessService) { + pkType = authData.getBPKType(); + pkValue = authData.getBPK(); + + } else { + // <saml:NameIdentifier NameQualifier> always has the bPK as type/value + pkType = URN_PREFIX_BPK; + pkValue = authData.getBPK(); + } + +// System.out.println("pkType; " + pkType); +// System.out.println("pkValue; " + pkValue); + + String assertion; + try { + + + + if (!useCondition) { + assertion = MessageFormat.format(AUTH_DATA_MANDATE, new Object[] { + authData.getAssertionID(), + authData.getIssuer(), + authData.getIssueInstantString(), + pkType, + pkValue, + StringUtils.removeXMLDeclaration(xmlAuthBlock), + StringUtils.removeXMLDeclaration(xmlIdentityLink), + StringUtils.removeXMLDeclaration(xmlPersonData), + StringUtils.removeXMLDeclaration(xmlMandateData), + isQualifiedCertificate, + bkuURL, + publicAuthorityAttribute, + signerCertificateAttribute, + buildExtendedSAMLAttributes(extendedSAMLAttributes)}); + } + else { + Calendar cal = Calendar.getInstance(); + String notBefore = DateTimeUtils.buildDateTimeUTC(cal); + if (conditionLength <= 0) + cal.add(Calendar.SECOND, DEFAULT_CONDITIONS_LENGTH); + else + cal.add(Calendar.SECOND, conditionLength); + + String notOnOrAfter = DateTimeUtils.buildDateTimeUTC(cal); + + assertion = MessageFormat.format(AUTH_DATA_MANDATE_WITH_CONDITIONS, new Object[] { + authData.getAssertionID(), + authData.getIssuer(), + authData.getIssueInstantString(), + notBefore, + notOnOrAfter, + pkType, + pkValue, + StringUtils.removeXMLDeclaration(xmlAuthBlock), + StringUtils.removeXMLDeclaration(xmlIdentityLink), + StringUtils.removeXMLDeclaration(xmlPersonData), + StringUtils.removeXMLDeclaration(xmlMandateData), + isQualifiedCertificate, + bkuURL, + publicAuthorityAttribute, + signerCertificateAttribute, + buildExtendedSAMLAttributes(extendedSAMLAttributes)}); + } + + + + + + + } catch (ParseException e) { + Logger.error("Error on building Authentication Data Assertion: " + e.getMessage()); + throw new BuildException("builder.00", new Object[] { "Authentication Data Assertion", e.toString()}); + } + return assertion; + } + +} |