diff options
Diffstat (limited to 'id/server/modules')
44 files changed, 1490 insertions, 1201 deletions
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 9294f3658..c9bc31f6c 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -65,6 +65,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IMISMandate; import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.util.XMLUtil; import at.gv.egovernment.moa.logging.Logger; @@ -192,8 +193,8 @@ public class AuthenticationServer extends BaseAuthenticationServer { Logger.debug("Non-SSO Login requested or SSO not allowed/possible"); //build ReadInfobox request infoboxReadRequest = new InfoboxReadRequestBuilder().build( - oaParam.getBusinessService(), oaParam - .getIdentityLinkDomainIdentifier()); + oaParam.hasBaseIdInternalProcessingRestriction(), oaParam + .getAreaSpecificTargetIdentifier()); } @@ -401,9 +402,9 @@ public class AuthenticationServer extends BaseAuthenticationServer { try { // sets the extended SAML attributes for OID (Organwalter) setExtendedSAMLAttributeForMandatesOID(session, mandate, oaParam - .getBusinessService()); + .hasBaseIdTransferRestriction()); - validateExtendedSAMLAttributeForMandates(session, mandate, oaParam.getBusinessService()); + validateExtendedSAMLAttributeForMandates(session, mandate, oaParam.hasBaseIdTransferRestriction()); } catch (SAXException e) { @@ -523,9 +524,10 @@ public class AuthenticationServer extends BaseAuthenticationServer { * @return <code><saml:Assertion></code> as a String * @throws BuildException If an error occurs on serializing an extended SAML attribute * to be appended to the AUTH-Block. + * @throws ConfigurationException */ private String buildAuthenticationBlock(IAuthenticationSession session, - IOAAuthParameters oaParam, IRequest pendingReq) throws BuildException { + IOAAuthParameters oaParam, IRequest pendingReq) throws BuildException, ConfigurationException { IIdentityLink identityLink = session.getIdentityLink(); String issuer = identityLink.getName(); @@ -533,12 +535,16 @@ public class AuthenticationServer extends BaseAuthenticationServer { String identificationValue = null; String identificationType = null; + String identificationTypeFriendlyName = null; //get processing data from pending-request String authURL = pendingReq.getAuthURL(); - String requestedTarget = pendingReq.getGenericData( - MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); - String targetFriendlyName = pendingReq.getGenericData( + + @Deprecated + String saml1RequestedTarget = pendingReq.getGenericData( + MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); + @Deprecated + String saml1RequestedFriendlyName = pendingReq.getGenericData( MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class); @@ -546,45 +552,45 @@ public class AuthenticationServer extends BaseAuthenticationServer { if (session.isOW() || pendingReq.needSingleSignOnFunctionality() || oaParam.isRemovePBKFromAuthBlock()) { identificationType = ""; identificationValue = ""; - + } else if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - if (oaParam.getBusinessService()) { - - String bpkBase64 = new BPKBuilder().buildWBPK(identityLink - .getIdentificationValue(), oaParam.getIdentityLinkDomainIdentifier()); - identificationValue = bpkBase64; - - if (oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_WBPK + "+")) - identificationType = oaParam.getIdentityLinkDomainIdentifier(); - else - identificationType = Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier(); - - } else { - String bpkBase64 = new BPKBuilder().buildBPK(identityLink - .getIdentificationValue(), requestedTarget); - identificationValue = bpkBase64; - identificationType = Constants.URN_PREFIX_CDID + "+" + requestedTarget; + if (MiscUtil.isNotEmpty(saml1RequestedTarget)) { + Logger.debug("Build AuthBlock bPK from SAML1 requested target"); + Pair<String, String> calcId = new BPKBuilder().generateAreaSpecificPersonIdentifier( + identityLink.getIdentificationValue(), identityLink.getIdentificationType(), + saml1RequestedTarget); + identificationValue = calcId.getFirst(); + identificationType = calcId.getSecond(); + identificationTypeFriendlyName = saml1RequestedFriendlyName; + + } else { + Pair<String, String> calcId = new BPKBuilder().generateAreaSpecificPersonIdentifier( + identityLink.getIdentificationValue(), identityLink.getIdentificationType(), + oaParam.getAreaSpecificTargetIdentifier()); + identificationValue = calcId.getFirst(); + identificationType = calcId.getSecond(); + identificationTypeFriendlyName = oaParam.getAreaSpecificTargetIdentifierFriendlyName(); } - } else { identificationValue = identityLink.getIdentificationValue(); identificationType = identityLink.getIdentificationType(); + identificationTypeFriendlyName = oaParam.getAreaSpecificTargetIdentifierFriendlyName(); } //set AuthBlock generation time to session - String issueInstant = DateTimeUtils.buildDateTimeUTC(Calendar - .getInstance()); + String issueInstant = DateTimeUtils.buildDateTimeUTC(Calendar.getInstance()); session.setIssueInstant(issueInstant); - // Bug #485 - // (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105) - // String oaURL = session.getPublicOAURLPrefix(); - + //load extend attributes List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); + //load special authblock text patterns for replacement + Map<String, String> authBlockTextPatterns = AuthenticationBlockAssertionBuilder. + generateSpezialAuthBlockPatternMap(pendingReq, issuer, gebDat, issueInstant); + String authBlock = null; if (pendingReq.needSingleSignOnFunctionality()) { String oaURL = pendingReq.getAuthURL(); @@ -592,19 +598,20 @@ public class AuthenticationServer extends BaseAuthenticationServer { oaURL = oaURL.replaceAll("&", "&"); authBlock = new AuthenticationBlockAssertionBuilder() - .buildAuthBlockSSO(issuer, issueInstant, authURL, requestedTarget, - targetFriendlyName, identificationValue, - identificationType, oaURL, gebDat, - extendedSAMLAttributes, session, oaParam); - + .buildAuthBlockSSO(issuer, issueInstant, authURL, + oaURL, gebDat, + extendedSAMLAttributes, session, oaParam, authBlockTextPatterns); } else { String oaURL = oaParam.getPublicURLPrefix().replaceAll("&", "&"); authBlock = new AuthenticationBlockAssertionBuilder() - .buildAuthBlock(issuer, issueInstant, authURL, requestedTarget, - targetFriendlyName, identificationValue, - identificationType, oaURL, gebDat, - extendedSAMLAttributes, session, oaParam); + .buildAuthBlock(issuer, issueInstant, authURL, + identificationValue, + identificationType, + gebDat, + oaURL, + identificationTypeFriendlyName, + extendedSAMLAttributes, session, oaParam, authBlockTextPatterns); } @@ -938,10 +945,10 @@ public class AuthenticationServer extends BaseAuthenticationServer { session.setAuthBlock(serializedAssertion); } catch (TransformerException e) { throw new ParseException("parser.04", new Object[]{ - REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE}); + REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE}, e); } catch (IOException e) { throw new ParseException("parser.04", new Object[]{ - REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE}); + REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE}, e); } // validates <CreateXMLSignatureResponse> if (pendingReq.needSingleSignOnFunctionality()) @@ -1062,9 +1069,10 @@ public class AuthenticationServer extends BaseAuthenticationServer { Element valueBpK = mandatePerson.getOwnerDocument().createElementNS( Constants.PD_NS_URI, "Value"); - String bpkBase64 = new BPKBuilder().buildBPK(baseid, target); + Pair<String, String> targedId = new BPKBuilder().generateAreaSpecificPersonIdentifier(baseid, target); + valueBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode( - bpkBase64)); + targedId.getFirst())); Element typeBpK = mandatePerson.getOwnerDocument().createElementNS( Constants.PD_NS_URI, "Type"); typeBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode( diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java index ecc91991e..80702795b 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java @@ -28,7 +28,11 @@ import java.io.StringWriter; import java.text.MessageFormat; import java.text.SimpleDateFormat; import java.util.Calendar; +import java.util.HashMap; +import java.util.Iterator; import java.util.List; +import java.util.Map; +import java.util.Map.Entry; import javax.xml.bind.DatatypeConverter; import javax.xml.transform.Result; @@ -46,7 +50,9 @@ import org.w3c.dom.Node; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttributeImpl; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.ParseException; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.commons.api.data.ExtendedSAMLAttribute; import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; @@ -126,6 +132,15 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion public static final int NUM_OF_SAML_ATTRIBUTES = 5; public static final int NUM_OF_SAML_ATTRIBUTES_SSO = 4; + public static final String bPKwbPKNSDECLARATION = " xmlns:pr=\"" + PD_NS_URI + "\""; + + public static final String AUTHBLOCK_TEXT_PATTERN_NAME = "#NAME#"; + public static final String AUTHBLOCK_TEXT_PATTERN_BIRTHDAY = "#BIRTHDAY#"; + public static final String AUTHBLOCK_TEXT_PATTERN_DATE = "#DATE#"; + public static final String AUTHBLOCK_TEXT_PATTERN_TIME = "#TIME#"; + + public static final String PENDING_REQ_AUTHBLOCK_TEXT_KEY = "specialAuthBlockTextKeyValueMap"; + /** * Constructor for AuthenticationBlockAssertionBuilder. */ @@ -133,322 +148,210 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion super(); } + public static Map<String, String> generateSpezialAuthBlockPatternMap(IRequest pendingReq, String issuer, String gebDat, String issueInstant) { + Map<String, String> result = new HashMap<String, String>(); + + //convert issueInstant + Calendar datetime = DatatypeConverter.parseDateTime(issueInstant); + SimpleDateFormat dateformat = new SimpleDateFormat("dd.MM.yyyy"); + SimpleDateFormat timeformat = new SimpleDateFormat("HH:mm:ss"); + + //set default values + result.put(AUTHBLOCK_TEXT_PATTERN_NAME, issuer); + result.put(AUTHBLOCK_TEXT_PATTERN_BIRTHDAY, gebDat); + result.put(AUTHBLOCK_TEXT_PATTERN_DATE, dateformat.format(datetime.getTime())); + result.put(AUTHBLOCK_TEXT_PATTERN_TIME, timeformat.format(datetime.getTime())); + + //set other values from pendingReq if exists + Map<?,?> processSpecificElements = pendingReq.getGenericData(PENDING_REQ_AUTHBLOCK_TEXT_KEY, Map.class); + if (processSpecificElements != null && !processSpecificElements.isEmpty()) { + Logger.debug("Find process-specific patterns for 'special AuthBlock-Text'. Start processing ..."); + Iterator<?> mapIterator = processSpecificElements.entrySet().iterator(); + while (mapIterator.hasNext()) { + Object objEl = mapIterator.next(); + if (objEl instanceof Entry<?, ?>) { + try { + @SuppressWarnings("unchecked") + Entry<String, String> el = (Entry<String, String>) objEl; + Logger.trace(" Add pattern-> Key: " + el.getKey() + " Value:" + el.getValue()); + if (result.containsKey(el.getKey())) + Logger.warn(" Can not add pattern: " + el.getKey() + " , because it already exists."); + else + result.put(el.getKey(), el.getValue()); + + } catch (Exception e) { + Logger.warn("A pendingReq. specific 'special AuthBlock-Text' element has a suspect type. Ignore it!", e); + + } + } + } + } + + return result; + } + + /** - * Builds the authentication block <code><saml:Assertion></code> - * - * @param issuer authentication block issuer; <code>"GivenName FamilyName"</code> - * @param issueInstant current timestamp - * @param authURL URL of MOA-ID authentication component - * @param target "Geschäftsbereich"; maybe <code>null</code> if the application - * is a business application - * @param identityLinkValue the content of the <code><pr:Value></code> - * child element of the <code><pr:Identification></code> - * element derived from the Identitylink; this is the - * value of the <code>wbPK</code>; - * maybe <code>null</code> if the application is a public service - * @param identityLinkType the content of the <code><pr:Type></code> - * child element of the <code><pr:Identification></code> - * element derived from the Identitylink; this includes the - * URN prefix and the identification number of the business - * application used as input for wbPK computation; - * maybe <code>null</code> if the application is a public service - * @param oaURL public URL of online application requested - * @param gebDat The date of birth from the identity link. - * @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock. * - * @return String representation of authentication block - * <code><saml:Assertion></code> built - * - * @throws BuildException If an error occurs on serializing an extended SAML attribute - * to be appended to the AUTH-Block. + * @param issuer + * @param issueInstant + * @param authURL + * @param sectorSpecificUniqueId + * @param sectorSpecificUniqueIdType + * @param gebDat + * @param oaURL + * @param spTargetAreaFriendlyName + * @param extendedSAMLAttributes + * @param session + * @param oaParam + * @return + * @throws BuildException + * @throws ConfigurationException */ public String buildAuthBlock( String issuer, String issueInstant, - String authURL, - String target, - String targetFriendlyName, - String identityLinkValue, - String identityLinkType, - String oaURL, - String gebDat, + String authURL, + String sectorSpecificUniqueId, + String sectorSpecificUniqueIdType, + String gebDat, + String oaURL, + String spTargetAreaFriendlyName, List<ExtendedSAMLAttribute> extendedSAMLAttributes, IAuthenticationSession session, - IOAAuthParameters oaParam) - throws BuildException - - { - session.setSAMLAttributeGebeORwbpk(true); - String gebeORwbpk = ""; - String wbpkNSDeclaration = ""; - - if (target == null) { - - // OA is a business application - if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) { - // Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator - gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); - wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; + IOAAuthParameters oaParam, + Map<String, String> specialAuthBlockTextPatterns) + throws BuildException, ConfigurationException { + + //initialize state + session.setSAMLAttributeGebeORwbpk(true); + String usedwbPKbPKNamespaceDeclaration = org.apache.commons.lang3.StringUtils.EMPTY; + String publicSectorIdOrwbPK = org.apache.commons.lang3.StringUtils.EMPTY; + + + if (!sectorSpecificUniqueIdType.startsWith(MOAIDAuthConstants.PREFIX_CDID)) { + //service provider has not an sector Id from Austrian public-domain --> build AuthBlock like a wbPK + + if (!Constants.URN_PREFIX_HPI.equals(sectorSpecificUniqueIdType)) { + //Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator + publicSectorIdOrwbPK = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] {sectorSpecificUniqueId, sectorSpecificUniqueIdType}); + usedwbPKbPKNamespaceDeclaration = bPKwbPKNSDECLARATION; - //adding type of wbPK domain identifier - ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute = - new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", oaParam.getIdentityLinkDomainIdentifierType(), Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); + //adding type of wbPK domain identifier + ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute = + new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", spTargetAreaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute); + extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute); - } else { - // We do not have a wbPK, therefore no SAML-Attribute is provided - session.setSAMLAttributeGebeORwbpk(false); - } + } else { + // We do not have a wbPK, therefore no SAML-Attribute is provided + session.setSAMLAttributeGebeORwbpk(false); + + } + } else { + // OA is a govermental application + + //convert sector identifier into friendly name and add it to AuthBlock + String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(sectorSpecificUniqueIdType); + if (StringUtils.isEmpty(sectorName)) { + if (spTargetAreaFriendlyName != null) + sectorName = spTargetAreaFriendlyName; + + } + publicSectorIdOrwbPK = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, + new Object[] {sectorSpecificUniqueIdType.substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")" }); - } else { - // OA is a govermental application - String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target); - if (StringUtils.isEmpty(sectorName)) { - if (targetFriendlyName != null) - sectorName = targetFriendlyName; - } - - - //gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target }); - gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target + " (" + sectorName + ")" }); - - //no business service, adding bPK - if (identityLinkValue != null) { - Element bpkSamlValueElement; - try { - bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { identityLinkValue, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement(); - } catch (Exception e) { - Logger.error("Error on building AUTH-Block: " + e.getMessage()); - throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); - } - - // String s = xmlToString(bpkSamlValueElement); - // System.out.println("bpkSamlValueElement: " + s); - - ExtendedSAMLAttribute bpkAttribute = - new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - extendedSAMLAttributes.add(bpkAttribute); - } - - boolean useMandate = session.isMandateUsed(); - if (useMandate) { - //String mandateReferenceValue = Random.nextRandom(); - String mandateReferenceValue = Random.nextProcessReferenceValue(); - // remove leading "-" - if (mandateReferenceValue.startsWith("-")) - mandateReferenceValue = mandateReferenceValue.substring(1); - - session.setMandateReferenceValue(mandateReferenceValue); - - ExtendedSAMLAttribute mandateReferenceValueAttribute = - new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK); - - extendedSAMLAttributes.add(mandateReferenceValueAttribute); - } - - - - //gebeORwbpk = gebeORwbpk + MessageFormat.format(BPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); - wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; - } - - //adding friendly name of OA - String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName(); - - ExtendedSAMLAttribute oaFriendlyNameAttribute = - new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - - extendedSAMLAttributes.add(oaFriendlyNameAttribute); + //add bPK to AuthBlock if it is not empty + if (MiscUtil.isNotEmpty(sectorSpecificUniqueId)) { + Element bpkSamlValueElement; + try { + bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { sectorSpecificUniqueId, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement(); + + } catch (Exception e) { + Logger.error("Error on building AUTH-Block: " + e.getMessage()); + throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); + + } + + ExtendedSAMLAttribute bpkAttribute = + new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); + extendedSAMLAttributes.add(bpkAttribute); + } + + usedwbPKbPKNamespaceDeclaration = bPKwbPKNSDECLARATION; + } + //check if mandates should be used + if (session.isMandateUsed()) { + + //generate mandate reference value + String mandateReferenceValue = Random.nextProcessReferenceValue(); + session.setMandateReferenceValue(mandateReferenceValue); + + ExtendedSAMLAttribute mandateReferenceValueAttribute = + new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK); + + extendedSAMLAttributes.add(mandateReferenceValueAttribute); + } + + //adding friendly name of OA + String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName(); + ExtendedSAMLAttribute oaFriendlyNameAttribute = + new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); + extendedSAMLAttributes.add(oaFriendlyNameAttribute); - String text = ""; - if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) { - Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix()); - text = oaParam.getAditionalAuthBlockText(); - } - String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, - new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) }); + //generate special AuthBlock text + String text = ""; + if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) { + Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix()); + text = oaParam.getAditionalAuthBlockText(); + } + String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, + new Object[] { generateSpecialText(text, specialAuthBlockTextPatterns) }); - //generate unique AuthBlock tokken - String uniquetokken = Random.nextRandom(); - session.setAuthBlockTokken(uniquetokken); + + //generate unique AuthBlock tokken + String uniquetokken = Random.nextProcessReferenceValue(); + session.setAuthBlockTokken(uniquetokken); String assertion; try { assertion = MessageFormat.format( AUTH_BLOCK, new Object[] { - wbpkNSDeclaration, + usedwbPKbPKNamespaceDeclaration, issuer, issueInstant, authURL, - gebeORwbpk, + publicSectorIdOrwbPK, oaURL, gebDat, specialText, - MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE, - new Object[] { uniquetokken }), + MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE, new Object[] {uniquetokken}), buildExtendedSAMLAttributes(extendedSAMLAttributes)}); - } catch (ParseException e) { - Logger.error("Error on building AUTH-Block: " + e.getMessage()); - throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); - } - - return assertion; - - } - - /** - * Builds the authentication block <code><saml:Assertion></code> - * - * @param issuer authentication block issuer; <code>"GivenName FamilyName"</code> - * @param issueInstant current timestamp - * @param authURL URL of MOA-ID authentication component - * @param target "Geschäftsbereich"; maybe <code>null</code> if the application - * is a business application - * @param identityLinkValue the content of the <code><pr:Value></code> - * child element of the <code><pr:Identification></code> - * element derived from the Identitylink; this is the - * value of the <code>wbPK</code>; - * maybe <code>null</code> if the application is a public service - * @param identityLinkType the content of the <code><pr:Type></code> - * child element of the <code><pr:Identification></code> - * element derived from the Identitylink; this includes the - * URN prefix and the identification number of the business - * application used as input for wbPK computation; - * maybe <code>null</code> if the application is a public service - * @param oaURL public URL of online application requested - * @param gebDat The date of birth from the identity link. - * @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock. - * - * @return String representation of authentication block - * <code><saml:Assertion></code> built - * - * @throws BuildException If an error occurs on serializing an extended SAML attribute - * to be appended to the AUTH-Block. - */ - public String buildAuthBlockForeignID( - String issuer, - String issueInstant, - String authURL, - String target, - String identityLinkValue, - String identityLinkType, - String oaURL, - String gebDat, - List<ExtendedSAMLAttribute> extendedSAMLAttributes, - IAuthenticationSession session, - IOAAuthParameters oaParam) - throws BuildException - { - session.setSAMLAttributeGebeORwbpk(true); - String gebeORwbpk = ""; - String wbpkNSDeclaration = ""; - - if (target == null) { - // OA is a business application - if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) { - // Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator - gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); - wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; - - //BZ.., adding type of wbPK domain identifier - ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute = - new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", oaParam.getIdentityLinkDomainIdentifierType(), Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - - extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute); - //..BZ - - } else { - // We do not have a wbPK, therefore no SAML-Attribute is provided - session.setSAMLAttributeGebeORwbpk(false); - } - } else { - // OA is a govermental application - //BZ.. - String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target); - //gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target }); - gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target + " (" + sectorName + ")" }); - //..BZ - - //BZ.., no business service, adding bPK - Element bpkSamlValueElement; - try { - bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { identityLinkValue, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement(); - } catch (Exception e) { - Logger.error("Error on building AUTH-Block: " + e.getMessage()); - throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); - } - - ExtendedSAMLAttribute bpkAttribute = - new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - - extendedSAMLAttributes.add(bpkAttribute); - //gebeORwbpk = gebeORwbpk + MessageFormat.format(BPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType }); - wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\""; - //..BZ - } - - //BZ.., adding friendly name of OA - String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName(); - - ExtendedSAMLAttribute oaFriendlyNameAttribute = - new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - - extendedSAMLAttributes.add(oaFriendlyNameAttribute); - //..BZ - - String text = ""; - if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) { - Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix()); - text = oaParam.getAditionalAuthBlockText(); - } - - String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, - new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) }); - - //generate unique AuthBlock tokken - String uniquetokken = Random.nextRandom(); - session.setAuthBlockTokken(uniquetokken); - - String assertion; - try { - assertion = MessageFormat.format( - AUTH_BLOCK, new Object[] { - wbpkNSDeclaration, - issuer, - issueInstant, - authURL, - gebeORwbpk, - oaURL, - gebDat, - specialText, - MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE, - new Object[] { uniquetokken }), - buildExtendedSAMLAttributes(extendedSAMLAttributes)}); } catch (ParseException e) { Logger.error("Error on building AUTH-Block: " + e.getMessage()); throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()}); + } return assertion; } - public static String generateSpecialText(String inputtext, String issuer, String gebDat, String issueInstant) { - Calendar datetime = DatatypeConverter.parseDateTime(issueInstant); - SimpleDateFormat dateformat = new SimpleDateFormat("dd.MM.yyyy"); - SimpleDateFormat timeformat = new SimpleDateFormat("HH:mm:ss"); - - String text = inputtext.replaceAll("#NAME#", issuer); - text = text.replaceAll("#BIRTHDAY#", gebDat); - text = text.replaceAll("#DATE#", dateformat.format(datetime.getTime())); - text = text.replaceAll("#TIME#", timeformat.format(datetime.getTime())); - - return text; + public static String generateSpecialText(String inputtext, Map<String, String> specialAuthBlockTextPatterns) { + Iterator<Entry<String, String>> it = specialAuthBlockTextPatterns.entrySet().iterator(); + String text = inputtext; + while (it.hasNext()) { + Entry<String, String> el = it.next(); + text = text.replaceAll(el.getKey(), el.getValue()); + + } + + return text; + } public static String xmlToString(Node node) { @@ -472,65 +375,52 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion String issuer, String issueInstant, String authURL, - String target, - String targetFriendlyName, - String identityLinkValue, - String identityLinkType, String oaURL, String gebDat, List<ExtendedSAMLAttribute> extendedSAMLAttributes, IAuthenticationSession session, - IOAAuthParameters oaParam) + IOAAuthParameters oaParam, + Map<String, String> specialAuthBlockTextPatterns) throws BuildException { session.setSAMLAttributeGebeORwbpk(true); String gebeORwbpk = ""; String wbpkNSDeclaration = ""; - - if (target != null) { - - boolean useMandate = session.isMandateUsed(); - if (useMandate) { - //String mandateReferenceValue = Random.nextRandom(); - String mandateReferenceValue = Random.nextProcessReferenceValue(); - // remove leading "-" - if (mandateReferenceValue.startsWith("-")) - mandateReferenceValue = mandateReferenceValue.substring(1); - - session.setMandateReferenceValue(mandateReferenceValue); + + //add mandate reference-value if mandates are used + if (session.isMandateUsed()) { + String mandateReferenceValue = Random.nextProcessReferenceValue(); + session.setMandateReferenceValue(mandateReferenceValue); - ExtendedSAMLAttribute mandateReferenceValueAttribute = - new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK); + ExtendedSAMLAttribute mandateReferenceValueAttribute = + new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK); - extendedSAMLAttributes.add(mandateReferenceValueAttribute); - } + extendedSAMLAttributes.add(mandateReferenceValueAttribute); } + //adding friendly name of OA String friendlyname; try { - friendlyname = AuthConfigurationProviderFactory.getInstance().getSSOFriendlyName(); - - ExtendedSAMLAttribute oaFriendlyNameAttribute = - new ExtendedSAMLAttributeImpl("oaFriendlyName", friendlyname, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); - - extendedSAMLAttributes.add(oaFriendlyNameAttribute); - - - String text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText(); + friendlyname = AuthConfigurationProviderFactory.getInstance().getSSOFriendlyName(); + ExtendedSAMLAttribute oaFriendlyNameAttribute = + new ExtendedSAMLAttributeImpl("oaFriendlyName", friendlyname, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY); + extendedSAMLAttributes.add(oaFriendlyNameAttribute); + + //generate special AuthBlock text + String text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText(); if (MiscUtil.isEmpty(text)) text=""; String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE, - new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) }); + new Object[] { generateSpecialText(text, specialAuthBlockTextPatterns) }); + //generate unique AuthBlock tokken - String uniquetokken = Random.nextRandom(); + String uniquetokken = Random.nextProcessReferenceValue(); session.setAuthBlockTokken(uniquetokken); - String assertion; - - assertion = MessageFormat.format( + String assertion = MessageFormat.format( AUTH_BLOCK, new Object[] { wbpkNSDeclaration, issuer, diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java index 608f50200..88a235978 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java @@ -120,12 +120,11 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask { //get Target from config or from request in case of SAML 1 String target = null; - if (MiscUtil.isNotEmpty(pendingReq.getGenericData("target", String.class)) && + if (MiscUtil.isNotEmpty(pendingReq.getGenericData("saml1_target", String.class)) && pendingReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol")) - target = pendingReq.getGenericData("target", String.class); - else - target = oaParam.getTarget(); - + target = pendingReq.getGenericData("saml1_target", String.class); + + String bkuURL = oaParam.getBKUURL(bkuid); if (MiscUtil.isEmpty(bkuURL)) { Logger.info("No OA specific BKU defined. Use BKU from default configuration"); diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java index 975dec429..d2fd4d1de 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java @@ -35,7 +35,6 @@ import org.w3c.dom.Element; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MISSimpleClientException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; @@ -100,14 +99,7 @@ public class PrepareGetMISMandateTask extends AbstractAuthServletTask { byte[] authBlock = moasession.getAuthBlock().getBytes("UTF-8"); //TODO: check in case of SSO!!! - String targetType = null; - if(oaParam.getBusinessService()){ - targetType = oaParam.getIdentityLinkDomainIdentifier(); - - } else { - targetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget(); - - } + String targetType = oaParam.getAreaSpecificTargetIdentifier(); revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), pendingReq, MOAIDEventConstants.AUTHPROCESS_MANDATE_SERVICE_REQUESTED, mandateReferenceValue); diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index a227ab5be..da96bfe54 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -57,8 +57,10 @@ import org.jaxen.SimpleNamespaceContext; import org.w3c.dom.Element; import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder; +import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.data.SAMLAttribute; +import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.ValidateException; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; @@ -69,6 +71,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.MiscUtil; @@ -128,42 +131,46 @@ public class CreateXMLSignatureResponseValidator { * @param session * @param pendingReq * @throws ValidateException + * @throws BuildException + * @throws ConfigurationException */ public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq) - throws ValidateException { + throws ValidateException, BuildException, ConfigurationException { // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); - - String gbTarget = pendingReq.getGenericData( - MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); - String targetFriendlyName = pendingReq.getGenericData( - MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class); String oaURL = oaParam.getPublicURLPrefix(); - boolean businessService = oaParam.getBusinessService(); - IIdentityLink identityLink = session.getIdentityLink(); + @Deprecated + String saml1RequestedTarget = pendingReq.getGenericData( + MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); + @Deprecated + String saml1RequestedFriendlyName = pendingReq.getGenericData( + MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class); + + Element samlAssertion = createXMLSignatureResponse.getSamlAssertion(); + + //validate issuer String issuer = samlAssertion.getAttribute("Issuer"); if (issuer == null) { // should not happen, because parser would dedect this throw new ValidateException("validator.32", null); } // replace ' in name with ' - issuer = issuer.replaceAll("'", "'"); + issuer = issuer.replaceAll("'", "'"); + if (!issuer.equals(identityLink.getName())) + throw new ValidateException("validator.33", new Object[] {issuer, identityLink.getName()}); + + //validate issuerInstant String issueInstant = samlAssertion.getAttribute("IssueInstant"); - if (!issueInstant.equals(session.getIssueInstant())) { - throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()}); - } + if (!issueInstant.equals(session.getIssueInstant())) + throw new ValidateException("validator.39", new Object[] {issueInstant, session.getIssueInstant()}); - String name = identityLink.getName(); - if (!issuer.equals(name)) { - throw new ValidateException("validator.33", new Object[] {issuer, name}); - } - + //validate extended attributes SAMLAttribute[] samlAttributes = createXMLSignatureResponse.getSamlAttributes(); boolean foundOA = false; @@ -171,241 +178,253 @@ public class CreateXMLSignatureResponseValidator { boolean foundWBPK = false; int offset = 0; - // check number of SAML aatributes + // check number of SAML attributes List<ExtendedSAMLAttribute> extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); int extendedSAMLAttributesNum = 0; if (extendedSAMLAttributes != null) { - extendedSAMLAttributesNum = extendedSAMLAttributes.size(); + extendedSAMLAttributesNum = extendedSAMLAttributes.size(); } - int expectedSAMLAttributeNumber = - AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum; + int expectedSAMLAttributeNumber = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + extendedSAMLAttributesNum; + + //remove one attribute from expected attributes if public SP target or wbPK is not part of AuthBlock if (!session.getSAMLAttributeGebeORwbpk()) expectedSAMLAttributeNumber--; + + //check number of attributes in AuthBlock response against expected number of attributes int actualSAMLAttributeNumber = samlAttributes.length; if (actualSAMLAttributeNumber != expectedSAMLAttributeNumber) { - Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " + - expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber); - throw new ValidateException( - "validator.36", - new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)}); + Logger.error("Wrong number of SAML attributes in CreateXMLSignatureResponse: expected " + + expectedSAMLAttributeNumber + ", but was " + actualSAMLAttributeNumber); + throw new ValidateException("validator.36", + new Object[] {String.valueOf(actualSAMLAttributeNumber), String.valueOf(expectedSAMLAttributeNumber)}); + } - SAMLAttribute samlAttribute; - if (session.getSAMLAttributeGebeORwbpk()) { - // check the first attribute ("Geschaeftsbereich" or "wbPK") - samlAttribute = samlAttributes[0]; - if (businessService) { - if (!samlAttribute.getName().equals("wbPK")) { - if (samlAttribute.getName().equals("Geschaeftsbereich")) { - throw new ValidateException("validator.26", null); - } else { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)}); - } - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - foundWBPK = true; - try { - Element attrValue = (Element)samlAttribute.getValue(); - String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue(); - String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue(); - if (!value.equals(identityLink.getIdentificationValue())) { - throw new ValidateException("validator.28", null); - } - if (!type.equals(identityLink.getIdentificationType())) { - throw new ValidateException("validator.28", null); - } - } catch (Exception ex) { - throw new ValidateException("validator.29", null); - } - } else { - throw new ValidateException("validator.30", null); - } - } else { - if (!samlAttribute.getName().equals("Geschaeftsbereich")) { - if (samlAttribute.getName().equals("wbPK")) { - throw new ValidateException("validator.26", null); - } else { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)}); - } - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - foundGB = true; - String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(gbTarget); - if (StringUtils.isEmpty(sectorName)) { - if (targetFriendlyName != null) - sectorName = targetFriendlyName; - } - gbTarget = gbTarget + " (" + sectorName + ")"; - //gbTarget = gbTarget + " (" + TargetToSectorNameMapper.getSectorNameViaTarget(gbTarget) + ")"; + //now check every single attribute + SAMLAttribute samlAttribute = null; + Pair<String, String> userSectorId = null; + if (session.getSAMLAttributeGebeORwbpk()) { + //check the first attribute ("Geschaeftsbereich" or "wbPK") + samlAttribute = samlAttributes[0]; + + //calculate bPK or wbPK as reference value for validation + if (MiscUtil.isNotEmpty(saml1RequestedTarget)) + userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier( + identityLink.getIdentificationValue(), identityLink.getIdentificationType(), + saml1RequestedTarget); + else + userSectorId = new BPKBuilder().generateAreaSpecificPersonIdentifier( + identityLink.getIdentificationValue(), identityLink.getIdentificationType(), + oaParam.getAreaSpecificTargetIdentifier()); + + //every sector specific identifier that has not 'urn:publicid:gv.at:cdid+' as prefix + // is internally handled as an AuthBlock with wbPK + if (!userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) { + if (!samlAttribute.getName().equals("wbPK")) { + if (samlAttribute.getName().equals("Geschaeftsbereich")) { + throw new ValidateException("validator.26", null); + + } else { + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "wbPK", String.valueOf(1)}); + } + } + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + foundWBPK = true; + try { + Element attrValue = (Element)samlAttribute.getValue(); + String value = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Value").item(0)).getFirstChild().getNodeValue(); + String type = ((Element)attrValue.getElementsByTagNameNS(Constants.PD_NS_URI, "Type").item(0)).getFirstChild().getNodeValue(); + if (!value.equals(userSectorId.getFirst())) + throw new ValidateException("validator.28", null); - if (!gbTarget.equals((String)samlAttribute.getValue())) { - throw new ValidateException("validator.13", null); - } - } else { - throw new ValidateException("validator.12", null); - } - } - } else { - offset--; - } + if (!type.equals(userSectorId.getSecond())) + throw new ValidateException("validator.28", null); + + } catch (Exception ex) { + throw new ValidateException("validator.29", null); + } + + } else + throw new ValidateException("validator.30", null); + + } else { + if (!samlAttribute.getName().equals("Geschaeftsbereich")) { + if (samlAttribute.getName().equals("wbPK")) + throw new ValidateException("validator.26", null); + + else + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "Geschaeftsbereich", String.valueOf(1)}); + } + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + foundGB = true; + + String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(userSectorId.getSecond()); + if (StringUtils.isEmpty(sectorName)) { + if (saml1RequestedFriendlyName != null) + sectorName = saml1RequestedFriendlyName; + else + sectorName = oaParam.getAreaSpecificTargetIdentifierFriendlyName(); + } + + String refValueSector = userSectorId.getSecond().substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")"; + if (!refValueSector.equals((String)samlAttribute.getValue())) + throw new ValidateException("validator.13", null); + + } else + throw new ValidateException("validator.12", null); + + } + + } else + //check nothing if wbPK or public SP target is not part of AuthBlock + offset--; + + // check the second attribute (must be "OA") + samlAttribute = samlAttributes[1 + offset]; + if (!samlAttribute.getName().equals("OA")) + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)}); + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + foundOA = true; + if (!oaURL.equals((String)samlAttribute.getValue())) + throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()}); + + } else + throw new ValidateException("validator.15", null); - // check the second attribute (must be "OA") - samlAttribute = samlAttributes[1 + offset]; - if (!samlAttribute.getName().equals("OA")) { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "OA", String.valueOf(2)}); - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - foundOA = true; - if (!oaURL.equals((String)samlAttribute.getValue())) { // CHECKS für die AttributeVALUES fehlen noch - throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlAttribute.getValue()}); - } - } else { - throw new ValidateException("validator.15", null); - } - // check the third attribute (must be "Geburtsdatum") - samlAttribute = samlAttributes[2 + offset]; - if (!samlAttribute.getName().equals("Geburtsdatum")) { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)}); - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - String samlDateOfBirth = (String)samlAttribute.getValue(); - String dateOfBirth = identityLink.getDateOfBirth(); - if (!samlDateOfBirth.equals(dateOfBirth)) { - throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth}); - } - } else { - throw new ValidateException("validator.35", null); - } + // check the third attribute (must be "Geburtsdatum") + samlAttribute = samlAttributes[2 + offset]; + if (!samlAttribute.getName().equals("Geburtsdatum")) + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "Geburtsdatum", String.valueOf(3)}); + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + String samlDateOfBirth = (String)samlAttribute.getValue(); + String dateOfBirth = identityLink.getDateOfBirth(); + if (!samlDateOfBirth.equals(dateOfBirth)) + throw new ValidateException("validator.34", new Object[] {samlDateOfBirth, dateOfBirth}); + + } else + throw new ValidateException("validator.35", null); - // check four attribute could be a special text - samlAttribute = samlAttributes[3 + offset]; - if (!samlAttribute.getName().equals("SpecialText")) { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)}); - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - String samlSpecialText = (String)samlAttribute.getValue(); - samlSpecialText = samlSpecialText.replaceAll("'", "'"); + // check four attribute could be a special text + samlAttribute = samlAttributes[3 + offset]; + if (!samlAttribute.getName().equals("SpecialText")) + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "SpecialText", String.valueOf(4)}); + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + String samlSpecialText = (String)samlAttribute.getValue(); + samlSpecialText = samlSpecialText.replaceAll("'", "'"); - String text = ""; - if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) { - Logger.info("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix()); - text = oaParam.getAditionalAuthBlockText(); - } + String text = ""; + if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) { + Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix()); + text = oaParam.getAditionalAuthBlockText(); + + } - String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant); - if (!samlSpecialText.equals(specialText)) { - throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); - } - } else { - throw new ValidateException("validator.35", null); + String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, + AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap( + pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant)); + if (!samlSpecialText.equals(specialText)) + throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); + + } else + throw new ValidateException("validator.35", null); - } - - - //check unique AuthBlock tokken - samlAttribute = samlAttributes[4 + offset]; - if (!samlAttribute.getName().equals("UniqueTokken")) { - throw new ValidateException( - "validator.37", - new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)}); - } - if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { - String uniquetokken = (String)samlAttribute.getValue(); + + //check unique AuthBlock tokken + samlAttribute = samlAttributes[4 + offset]; + if (!samlAttribute.getName().equals("UniqueTokken")) + throw new ValidateException("validator.37", + new Object[] {samlAttribute.getName(), "UniqueTokken", String.valueOf(5)}); + + if (samlAttribute.getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#")) { + String uniquetokken = (String)samlAttribute.getValue(); - if (!uniquetokken.equals(session.getAuthBlockTokken())) { - throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()}); - } - } else { - throw new ValidateException("validator.35", null); - } - - - // now check the extended SAML attributes - int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset; - if (extendedSAMLAttributes != null) { - Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator(); - while (it.hasNext()) { - ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next(); - samlAttribute = samlAttributes[i]; - String actualName = samlAttribute.getName(); - String expectedName = extendedSAMLAttribute.getName(); - if (!actualName.equals(expectedName)) { - throw new ValidateException( - "validator.38", - new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName }); - } - String actualNamespace = samlAttribute.getNamespace(); - String expectedNamespace = extendedSAMLAttribute.getNameSpace(); - if (!actualNamespace.equals(expectedNamespace)) { - throw new ValidateException( - "validator.38", - new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, }); - } - Object expectedValue = extendedSAMLAttribute.getValue(); - Object actualValue = samlAttribute.getValue(); - try { - if (expectedValue instanceof String) { - // replace \r\n because text might be base64-encoded - String expValue = StringUtils.replaceAll((String)expectedValue,"\r",""); - expValue = StringUtils.replaceAll(expValue,"\n",""); - String actValue = StringUtils.replaceAll((String)actualValue,"\r",""); - actValue = StringUtils.replaceAll(actValue,"\n",""); - if (!expValue.equals(actValue)) { - throw new ValidateException( - "validator.38", - new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue }); - } - } else if (expectedValue instanceof Element) { - // only check the name of the element - String actualElementName = ((Element)actualValue).getNodeName(); - String expectedElementName = ((Element)expectedValue).getNodeName(); - if (!(expectedElementName.equals(actualElementName))){ - throw new ValidateException( - "validator.38", - new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName}); - } - } else { - // should not happen - throw new ValidateException( - "validator.38", - new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()}); - } - } catch (ClassCastException e) { - throw new ValidateException( - "validator.38", - new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()}); - } - i++; - } - } - + if (!uniquetokken.equals(session.getAuthBlockTokken())) + throw new ValidateException("validator.70", new Object[] {uniquetokken, session.getAuthBlockTokken()}); + } else + throw new ValidateException("validator.35", null); - if (!foundOA) throw new ValidateException("validator.14", null); - if (businessService) { - if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK) throw new ValidateException("validator.31", null); - } else { - if (!foundGB) throw new ValidateException("validator.11", null); - } + + // now check the extended SAML attributes + int i = AuthenticationBlockAssertionBuilder.NUM_OF_SAML_ATTRIBUTES + offset; + if (extendedSAMLAttributes != null) { + Iterator<ExtendedSAMLAttribute> it = extendedSAMLAttributes.iterator(); + while (it.hasNext()) { + ExtendedSAMLAttribute extendedSAMLAttribute = (ExtendedSAMLAttribute)it.next(); + samlAttribute = samlAttributes[i]; + String actualName = samlAttribute.getName(); + String expectedName = extendedSAMLAttribute.getName(); + if (!actualName.equals(expectedName)) + throw new ValidateException("validator.38", + new Object[] {"Name", String.valueOf((i+1)), actualName, actualName, expectedName }); + + String actualNamespace = samlAttribute.getNamespace(); + String expectedNamespace = extendedSAMLAttribute.getNameSpace(); + if (!actualNamespace.equals(expectedNamespace)) + throw new ValidateException("validator.38", + new Object[] {"Namespace", String.valueOf((i+1)), actualName, actualNamespace, expectedNamespace, }); + + Object expectedValue = extendedSAMLAttribute.getValue(); + Object actualValue = samlAttribute.getValue(); + try { + if (expectedValue instanceof String) { + // replace \r\n because text might be base64-encoded + String expValue = StringUtils.replaceAll((String)expectedValue,"\r",""); + expValue = StringUtils.replaceAll(expValue,"\n",""); + String actValue = StringUtils.replaceAll((String)actualValue,"\r",""); + actValue = StringUtils.replaceAll(actValue,"\n",""); + if (!expValue.equals(actValue)) + throw new ValidateException("validator.38", + new Object[] {"Wert", String.valueOf((i+1)), actualName, actualValue, expectedValue }); + + } else if (expectedValue instanceof Element) { + // only check the name of the element + String actualElementName = ((Element)actualValue).getNodeName(); + String expectedElementName = ((Element)expectedValue).getNodeName(); + if (!(expectedElementName.equals(actualElementName))) + throw new ValidateException("validator.38", + new Object[] {"Wert", String.valueOf((i+1)), actualName, actualElementName, expectedElementName}); + + } else + // should not happen + throw new ValidateException("validator.38", + new Object[] {"Typ", String.valueOf((i+1)), expectedName, "java.lang.String oder org.wrc.dom.Element", expectedValue.getClass().getName()}); + + } catch (ClassCastException e) { + throw new ValidateException("validator.38", + new Object[] {"Typ", String.valueOf((i+1)), expectedName, expectedValue.getClass().getName(), actualValue.getClass().getName()}); + } + + i++; + } + } + + if (!foundOA) + throw new ValidateException("validator.14", null); + + if (userSectorId != null && !userSectorId.getSecond().startsWith(MOAIDAuthConstants.PREFIX_CDID)) { + if (session.getSAMLAttributeGebeORwbpk() && !foundWBPK) + throw new ValidateException("validator.31", null); + + } else { + if (!foundGB) + throw new ValidateException("validator.11", null); + } - //Check if dsig:Signature exists -// NodeList nl = createXMLSignatureResponse.getSamlAssertion().getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature"); -// if (nl.getLength() != 1) { -// throw new ValidateException("validator.05", null); -// } - Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH); - if (dsigSignature == null) { - throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ; - } + //Check if dsig:Signature exists + Element dsigSignature = (Element) XPathUtils.selectSingleNode(samlAssertion, SIGNATURE_XPATH); + if (dsigSignature == null) + throw new ValidateException("validator.05", new Object[] {"im AUTHBlock"}) ; + } /** @@ -521,7 +540,7 @@ public class CreateXMLSignatureResponseValidator { try { if (MiscUtil.isNotEmpty(AuthConfigurationProviderFactory.getInstance().getSSOSpecialText())) { text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText(); - Logger.info("Use addional AuthBlock Text from SSO=" +text); + Logger.debug("Use addional AuthBlock Text from SSO=" +text); } else @@ -531,7 +550,9 @@ public class CreateXMLSignatureResponseValidator { } - String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, issuer, identityLink.getDateOfBirth(), issueInstant); + String specialText = AuthenticationBlockAssertionBuilder.generateSpecialText(text, + AuthenticationBlockAssertionBuilder.generateSpezialAuthBlockPatternMap( + pendingReq, issuer, identityLink.getDateOfBirth(), issueInstant)); if (!samlSpecialText.equals(specialText)) { throw new ValidateException("validator.67", new Object[] {samlSpecialText, specialText}); } diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java index 4953dad02..c4ea80df9 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java @@ -183,7 +183,7 @@ public class VerifyXMLSignatureResponseValidator { // to be ignored boolean ignoreManifestValidationResult = false; if (whatToCheck.equals(CHECK_IDENTITY_LINK)) - ignoreManifestValidationResult = (oaParam.getBusinessService()) ? true + ignoreManifestValidationResult = (oaParam.hasBaseIdInternalProcessingRestriction()) ? true : false; if (ignoreManifestValidationResult) { diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java index 55562176d..09c64c267 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java @@ -66,10 +66,10 @@ import org.w3c.dom.NodeList; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.ParseException; -import at.gv.egovernment.moa.id.auth.exception.ValidateException; import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClientException; import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWConstants; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.BoolUtils; import at.gv.egovernment.moa.util.Constants; @@ -688,7 +688,7 @@ public class ParepUtils { * <code>false</code> calculates (w)bPKs and changes also the <code>pr:Identifivation/pr:Type</code> elements. * @return The element where Stammzahlen are hidden. */ - public static Element HideStammZahlen(Element hideElement, boolean businessApplication, String target, String registerID, boolean blank) + public static Element HideStammZahlen(Element hideElement, boolean businessApplication, String oaTargetAreaId, boolean blank) throws BuildException { try { if (hideElement != null) { @@ -706,20 +706,11 @@ public class ParepUtils { } if (blank) { idValueNode.setNodeValue(""); - } else { - String idValue = idValueNode.getNodeValue(); - if (businessApplication) { - // wbPK berechnen - idTypeNode.setNodeValue(Constants.URN_PREFIX_WBPK + "+" + registerID); - String bpkBase64 = new BPKBuilder().buildWBPK(idValueNode.getNodeValue(), registerID); - idValueNode.setNodeValue(bpkBase64); - - } else { - // bPK berechnen - idTypeNode.setNodeValue(Constants.URN_PREFIX_BPK); - String bpkBase64 = new BPKBuilder().buildBPK(idValueNode.getNodeValue(), target); - idValueNode.setNodeValue(bpkBase64); - } + + } else { + Pair<String, String> calcId = new BPKBuilder().generateAreaSpecificPersonIdentifier(idValueNode.getNodeValue(), oaTargetAreaId); + idValueNode.setNodeValue(calcId.getFirst()); + } } } diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml index 0db2b26a8..0207eb6c9 100644 --- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml +++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml @@ -7,4 +7,35 @@ </parent> <artifactId>moa-id-module-bkaMobilaAuthSAML2Test</artifactId> <description>BKA MobileAuth Test for SAML2 applications</description> + + <dependencies> + <dependency> + <groupId>org.bouncycastle</groupId> + <artifactId>bcprov-jdk15on</artifactId> + <version>1.52</version> + </dependency> + <dependency> + <groupId>org.bouncycastle</groupId> + <artifactId>bcpkix-jdk15on</artifactId> + <version>1.52</version> + </dependency> + + <!-- JSON JWT implementation --> + <dependency> + <groupId>com.googlecode.jsontoken</groupId> + <artifactId>jsontoken</artifactId> + <version>1.1</version> + <exclusions> + <exclusion> + <groupId>javax.servlet</groupId> + <artifactId>servlet-api</artifactId> + </exclusion> + <exclusion> + <artifactId>google-collections</artifactId> + <groupId>com.google.collections</groupId> + </exclusion> + </exclusions> + </dependency> + </dependencies> + </project>
\ No newline at end of file diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java index 44554e21d..0cef4cb41 100644 --- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java +++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java @@ -30,9 +30,11 @@ import javax.annotation.PostConstruct; import org.springframework.beans.factory.annotation.Autowired; import at.gv.egovernment.moa.id.auth.modules.AuthModule; +import at.gv.egovernment.moa.id.auth.modules.bkamobileauthtests.tasks.FirstBKAMobileAuthTask; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils; +import at.gv.egovernment.moa.id.moduls.AuthenticationManager; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -45,7 +47,8 @@ public class BKAMobileAuthModule implements AuthModule { private int priority = 1; - @Autowired protected AuthConfiguration authConfig; + @Autowired(required=true) protected AuthConfiguration authConfig; + @Autowired(required=true) private AuthenticationManager authManager; private List<String> uniqueIDsDummyAuthEnabled = new ArrayList<String>(); @@ -77,7 +80,10 @@ public class BKAMobileAuthModule implements AuthModule { for (String el : uniqueIDsDummyAuthEnabled) Logger.info(" EntityID: " + el); } - } + } + + //parameter to whiteList + authManager.addParameterNameToWhiteList(FirstBKAMobileAuthTask.REQ_PARAM_eID_BLOW); } /* (non-Javadoc) @@ -87,10 +93,22 @@ public class BKAMobileAuthModule implements AuthModule { public String selectProcess(ExecutionContext context) { String spEntityID = (String) context.get(MOAIDAuthConstants.PROCESSCONTEXT_UNIQUE_OA_IDENTFIER); if (MiscUtil.isNotEmpty(spEntityID)) { - if (uniqueIDsDummyAuthEnabled.contains(spEntityID)) - return "BKAMobileAuthentication"; - - } + if (uniqueIDsDummyAuthEnabled.contains(spEntityID)) { + String eIDBlob = (String)context.get(FirstBKAMobileAuthTask.REQ_PARAM_eID_BLOW); + if (eIDBlob != null && MiscUtil.isNotEmpty(eIDBlob.trim())) { + return "BKAMobileAuthentication"; + + } else { + Logger.debug("Dummy-auth are enabled for " + spEntityID + " but no '" + + FirstBKAMobileAuthTask.REQ_PARAM_eID_BLOW + "' req. parameter available."); + + } + + } else + Logger.debug("Unique SP-Id: " + spEntityID + " is not in whitelist of mobile-auth module."); + + } else + Logger.debug("No unique service-provider identifier!"); return null; } diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java index 884129453..aa16a9172 100644 --- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java +++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthSpringResourceProvider.java @@ -56,7 +56,7 @@ public class BKAMobileAuthSpringResourceProvider implements SpringResourceProvid */ @Override public String getName() { - return "BKA MobileAuth SAML2 Test"; + return "Module for 'Mobile-Auth with Crypto-Binding'"; } } diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java index 66112edc5..43043ddd6 100644 --- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java +++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/tasks/FirstBKAMobileAuthTask.java @@ -22,16 +22,56 @@ */ package at.gv.egovernment.moa.id.auth.modules.bkamobileauthtests.tasks; +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.security.InvalidAlgorithmParameterException; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; +import java.security.spec.InvalidKeySpecException; +import java.security.spec.KeySpec; + +import javax.crypto.BadPaddingException; +import javax.crypto.Cipher; +import javax.crypto.IllegalBlockSizeException; +import javax.crypto.NoSuchPaddingException; +import javax.crypto.SecretKey; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.PBEKeySpec; +import javax.crypto.spec.SecretKeySpec; +import javax.security.cert.CertificateException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.bouncycastle.asn1.cms.CMSObjectIdentifiers; +import org.bouncycastle.cms.CMSSignedData; +import org.joda.time.DateTime; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; +import com.google.gson.JsonObject; +import com.google.gson.JsonParseException; +import com.google.gson.JsonParser; + +import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; -import at.gv.egovernment.moa.id.auth.servlet.GeneralProcessEngineSignalController; +import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession; +import at.gv.egovernment.moa.id.commons.api.data.IIdentityLink; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest; +import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponse; +import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponseElement; +import at.gv.egovernment.moa.spss.api.common.SignerInfo; +import at.gv.egovernment.moa.spss.api.impl.VerifyCMSSignatureRequestImpl; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.MiscUtil; /** @@ -41,6 +81,20 @@ import at.gv.egovernment.moa.logging.Logger; @Component("FirstBKAMobileAuthTask") public class FirstBKAMobileAuthTask extends AbstractAuthServletTask { + private static final String CONF_MOASPSS_TRUSTPROFILE = "modules.bkamobileAuth.verify.trustprofile"; + private static final String CONF_SIGNING_TIME_JITTER = "modules.bkamobileAuth.verify.time.jitter"; + private static final String CONF_EID_TOKEN_ENCRYPTION_KEY = "modules.bkamobileAuth.eIDtoken.encryption.pass"; + + private static final String EIDCONTAINER_KEY_SALT = "salt"; + private static final String EIDCONTAINER_KEY_IV = "iv"; + private static final String EIDCONTAINER_EID = "eid"; + private static final String EIDCONTAINER_KEY_IDL = "idl"; + private static final String EIDCONTAINER_KEY_BINDINGCERT = "cert"; + + public static final String REQ_PARAM_eID_BLOW = "eidToken"; + + @Autowired(required=true) private AuthConfiguration authConfig; + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) */ @@ -48,9 +102,196 @@ public class FirstBKAMobileAuthTask extends AbstractAuthServletTask { public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) throws TaskExecutionException { - Logger.info("Redirect to Second BKA Mobile Auth task"); - performRedirectToItself(pendingReq, response, GeneralProcessEngineSignalController.ENDPOINT_GENERIC); + try { + String eIDBlobRawB64 = request.getParameter(REQ_PARAM_eID_BLOW); + if (MiscUtil.isEmpty(eIDBlobRawB64)) { + //TODO: add dummy-auth functionality + + Logger.warn("NO eID data blob included!"); + throw new MOAIDException("NO eID data blob included!", null); + } + + parseDemoValuesIntoMOASession(pendingReq, pendingReq.getMOASession(), eIDBlobRawB64); + + } catch (MOAIDException e) { + throw new TaskExecutionException(pendingReq, e.getMessage(), e); + + } catch (Exception e) { + throw new TaskExecutionException(pendingReq, e.getMessage(), e); + + } + + //Logger.info("Redirect to Second BKA Mobile Auth task"); + //performRedirectToItself(pendingReq, response, GeneralProcessEngineSignalController.ENDPOINT_GENERIC); + + } + + /** + * @param pendingReq + * @param moaSession + * @param eIDBlobRaw + * @throws MOAIDException + * @throws IOException + */ + private void parseDemoValuesIntoMOASession(IRequest pendingReq, IAuthenticationSession moaSession, String eIDBlobRawB64) throws MOAIDException, IOException { + Logger.debug("Check eID blob signature ... "); + byte[] eIDBlobRaw = Base64Utils.decode(eIDBlobRawB64.trim(), false); + + VerifyCMSSignatureResponse cmsResp = SignatureVerificationInvoker.getInstance().verifyCMSSignature( + createCMSVerificationReq(eIDBlobRaw)); + + if (cmsResp.getResponseElements().isEmpty()) { + Logger.warn("No CMS signature-verification response"); + throw new MOAIDException("Signature verification FAILED: No response", null); + + } + VerifyCMSSignatureResponseElement sigVerifyResp = (VerifyCMSSignatureResponseElement) cmsResp.getResponseElements().get(0); + analyseCMSSignatureVerificationResponse(sigVerifyResp); + + + Logger.info("eID blob signature is VALID!"); + byte[] decRawEidBlob = null; + byte[] signedData = null; + try { + Logger.debug("Starting eID information extraction ... "); + CMSSignedData cmsContent = new CMSSignedData(eIDBlobRaw); + signedData = (byte[])cmsContent.getSignedContent().getContent(); + if (!cmsContent.getSignedContent().getContentType().equals(CMSObjectIdentifiers.data)) { + Logger.warn("Signature contains NO 'data' OID 1.2.840.113549.1.7.1"); + throw new MOAIDException("Signature contains NO 'data' OID 1.2.840.113549.1.7.1", null); + } + if (signedData == null) { + Logger.warn("CMS SignedData is empty or null"); + throw new MOAIDException("CMS SignedData is empty or null", null); + } + Logger.info("Signed content extracted"); + + + Logger.debug("Starting signed content decryption ... "); + JsonParser parser = new JsonParser(); + JsonObject signedDataJson = (JsonObject) parser.parse(new String(signedData, "UTF-8")); + byte[] salt = Base64Utils.decode(signedDataJson.get(EIDCONTAINER_KEY_SALT).getAsString(), false); + byte[] ivraw = Base64Utils.decode(signedDataJson.get(EIDCONTAINER_KEY_IV).getAsString(), false); + byte[] encRawEidBlob = Base64Utils.decode(signedDataJson.get(EIDCONTAINER_EID).getAsString(), false); + SecretKey seckey = generateDecryptionKey(salt); + IvParameterSpec iv = new IvParameterSpec(ivraw); + Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); + cipher.init(Cipher.DECRYPT_MODE, seckey, iv); + decRawEidBlob = cipher.doFinal(encRawEidBlob); + Logger.info("eID data decryption completed"); + + + Logger.debug("Starting eID-blob parsing ..."); + JsonObject eIDBlobJson = (JsonObject) parser.parse(new String(decRawEidBlob, "UTF-8")); + String idlB64 = eIDBlobJson.get( + EIDCONTAINER_KEY_IDL).getAsString(); + String bindingCertB64 = eIDBlobJson.get( + EIDCONTAINER_KEY_BINDINGCERT).getAsString(); + javax.security.cert.X509Certificate bindingCert = javax.security.cert.X509Certificate.getInstance(Base64Utils.decode(bindingCertB64, false)); + if (!sigVerifyResp.getSignerInfo().getSignerCertificate().equals(bindingCert)) { + Logger.error("eID-blob signing certificate DOES NOT match to binding certificate included in eID blob!"); + Logger.info("BindingCert: " + bindingCert.toString()); + Logger.info("SigningCert: " + sigVerifyResp.getSignerInfo().getSignerCertificate().toString()); + throw new MOAIDException("eID-blob signing certificate DOES NOT match to binding certificate included in eID blob!", null); + + } + Logger.info("eID-blob parsing completed"); + + + Logger.debug("Parse eID information into MOA-Session ..."); + byte[] rawIDL = Base64Utils.decode(idlB64, false); + IIdentityLink identityLink = new IdentityLinkAssertionParser(new ByteArrayInputStream(rawIDL)).parseIdentityLink(); + moaSession.setIdentityLink(identityLink); + moaSession.setUseMandates(false); + moaSession.setForeigner(false); + moaSession.setBkuURL("http://egiz.gv.at/BKA_MobileAuthTest"); + moaSession.setQAALevel(PVPConstants.STORK_QAA_1_3); + Logger.info("Session Restore completed"); + + + } catch (MOAIDException e) { + throw e; + + } catch (JsonParseException e) { + if (decRawEidBlob != null) + Logger.error("eID-blob parse error! blob: " + new String(decRawEidBlob, "UTF-8"), e); + + if (signedData != null) + Logger.error("eID-blob parse error! blob: " + new String(signedData, "UTF-8"), e); + + if (decRawEidBlob == null && signedData == null) + Logger.error("eID-blob parse error!", e); + + throw new MOAIDException("eID-blob parse error!", null); + + } catch (org.bouncycastle.cms.CMSException e) { + Logger.error("Can not parse CMS signature.", e); + throw new MOAIDException("Can not parse CMS signature.", null, e); + + } catch (InvalidAlgorithmParameterException| NoSuchAlgorithmException | NoSuchPaddingException | InvalidKeyException | IllegalBlockSizeException | BadPaddingException e) { + Logger.error("Can not decrypte eID data.", e); + throw new MOAIDException("Can not decrypte eID data", null, e); + } catch (CertificateException e) { + Logger.error("Can not extract mobile-app binding-certificate from eID blob.", e); + throw new MOAIDException("Can not extract mobile-app binding-certificate from eID blob.", null, e); + + } finally { + + } + + } + + private SecretKey generateDecryptionKey(byte[] salt) throws MOAIDException { + String decryptionPassPhrase = authConfig.getBasicMOAIDConfiguration(CONF_EID_TOKEN_ENCRYPTION_KEY, "DEFAULTPASSWORD"); + try { + SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256"); + KeySpec spec = new PBEKeySpec(decryptionPassPhrase.toCharArray(), salt, 2000, 128); + SecretKey derivedKey = factory.generateSecret(spec); + SecretKeySpec symKeySpec = new SecretKeySpec(derivedKey.getEncoded(), "AES"); + return symKeySpec; + + } catch (NoSuchAlgorithmException | InvalidKeySpecException e) { + Logger.error("Mobile-Auth Module has an internal errror.", e); + throw new MOAIDException("Mobile-Auth Module has an internal errror.", null, e); + + } + } + + /** + * @throws MOAIDException + * + */ + private void analyseCMSSignatureVerificationResponse(VerifyCMSSignatureResponseElement verifySigResult) throws MOAIDException { + //validate CMS signature verification response + if (verifySigResult.getSignatureCheck().getCode() != 0) { + Logger.warn("CMS signature verification FAILED with StatusCode: " + verifySigResult.getSignatureCheck().getCode()); + throw new MOAIDException("CMS signature verification FAILED with StatusCode: " + verifySigResult.getSignatureCheck().getCode(), null); + + } + if (verifySigResult.getCertificateCheck().getCode() != 0) { + Logger.warn("CMS certificate verification FAILED with StatusCode: " + verifySigResult.getCertificateCheck().getCode()); + throw new MOAIDException("CMS certificate verification FAILED with StatusCode: " + verifySigResult.getCertificateCheck().getCode(), null); + + } + SignerInfo signerInfos = verifySigResult.getSignerInfo(); + DateTime date = new DateTime(signerInfos.getSigningTime().getTime()); + Integer signingTimeJitter = Integer.valueOf(authConfig.getBasicMOAIDConfiguration(CONF_SIGNING_TIME_JITTER, "5")); + if (date.plusMinutes(signingTimeJitter).isBeforeNow()) { + Logger.warn("CMS signature-time is before: " + date.plusMinutes(signingTimeJitter)); + throw new MOAIDException("CMS signature-time is before: " + date.plusMinutes(signingTimeJitter), null); + + } + } + private VerifyCMSSignatureRequest createCMSVerificationReq(byte[] eIDBlobRaw) { + VerifyCMSSignatureRequestImpl cmsSigVerifyReq = new VerifyCMSSignatureRequestImpl(); + cmsSigVerifyReq.setSignatories(VerifyCMSSignatureRequestImpl.ALL_SIGNATORIES); + cmsSigVerifyReq.setExtended(false); + cmsSigVerifyReq.setPDF(false); + cmsSigVerifyReq.setTrustProfileId(authConfig.getBasicMOAIDConfiguration(CONF_MOASPSS_TRUSTPROFILE, "!!NOT SET!!!")); + cmsSigVerifyReq.setCMSSignature(new ByteArrayInputStream(eIDBlobRaw)); + return cmsSigVerifyReq; + } } diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml index 4a0f4d5f2..6f41f347a 100644 --- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml +++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/resources/BKAMobileAuth.process.xml @@ -12,8 +12,10 @@ <pd:StartEvent id="start" /> <pd:Transition from="start" to="firstStep" /> - <pd:Transition from="firstStep" to="secondStep"/> - <pd:Transition from="secondStep" to="finalizeAuthentication" /> + <!-- pd:Transition from="firstStep" to="secondStep"/> + <pd:Transition from="secondStep" to="finalizeAuthentication" /--> + + <pd:Transition from="firstStep" to="finalizeAuthentication" /> <pd:Transition from="finalizeAuthentication" to="end" /> diff --git a/id/server/modules/moa-id-module-eIDAS/pom.xml b/id/server/modules/moa-id-module-eIDAS/pom.xml index f3d8eeb36..cf3325d24 100644 --- a/id/server/modules/moa-id-module-eIDAS/pom.xml +++ b/id/server/modules/moa-id-module-eIDAS/pom.xml @@ -12,11 +12,11 @@ <properties> <repositoryPath>${basedir}/../../../../repository</repositoryPath> - <eidas-commons.version>1.4.0-SNAPSHOT</eidas-commons.version> - <eidas-light-commons.version>1.4.0-SNAPSHOT</eidas-light-commons.version> - <eidas-saml-engine.version>1.4.0-SNAPSHOT</eidas-saml-engine.version> - <eidas-encryption.version>1.4.0-SNAPSHOT</eidas-encryption.version> - <eidas-configmodule.version>1.4.0-SNAPSHOT</eidas-configmodule.version> + <eidas-commons.version>1.4.0</eidas-commons.version> + <eidas-light-commons.version>1.4.0</eidas-light-commons.version> + <eidas-saml-engine.version>1.4.0</eidas-saml-engine.version> + <eidas-encryption.version>1.4.0</eidas-encryption.version> + <eidas-configmodule.version>1.4.0</eidas-configmodule.version> </properties> diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java index d5cbb2cfd..8779436e0 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java @@ -93,7 +93,7 @@ public class ModifiedEncryptionSW extends KeyStoreSamlEngineEncryption { //encryption is enabled by default in MOA-ID configuration object try { AuthConfiguration moaconfig = AuthConfigurationProviderFactory.getInstance(); - Boolean useEncryption = moaconfig.getStorkConfig().getCPEPS(countryCode).isXMLSignatureSupported(); + Boolean useEncryption = moaconfig.getStorkConfig().getCPEPSWithCC(countryCode).isXMLSignatureSupported(); String logResult = useEncryption ? " using encryption" : " do not use encrpytion"; Logger.debug("eIDAS respone for country " + countryCode + logResult); return useEncryption; diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java index 490dc9dcf..a2ec47a45 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java @@ -189,8 +189,18 @@ public class MOAeIDASChainingMetadataProvider extends SimpleMOAMetadataProvider } } for (String el : nonValidMetadataProvider) { - loadedproviders.remove(el); - isUpdateRequired = true; + HTTPMetadataProvider provider = loadedproviders.get(el); + + //destroy metadata provider + if (provider != null) { + provider.destroy(); + loadedproviders.remove(el); + isUpdateRequired = true; + + } else { + Logger.error("Can not destroy eIDAS metadata for: " + el + " Reason: !!!!!NOT FOUND ANY MORE!!!!!!"); + + } } @@ -257,6 +267,8 @@ public class MOAeIDASChainingMetadataProvider extends SimpleMOAMetadataProvider } + Logger.debug("Find #" + loadedproviders.size() + " eIDAS metadata provider"); + return loadedproviders; } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java index 9895ca79f..5a2253cc8 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/validation/MoaEidasConditionsValidator.java @@ -74,10 +74,10 @@ public class MoaEidasConditionsValidator extends ConditionsSpecValidator { throw new ValidationException("AudienceRestriction is required."); } - if (conditions.getOneTimeUse() == null) { - - throw new ValidationException("OneTimeUse is required."); - } +// if (conditions.getOneTimeUse() == null) { +// +// throw new ValidationException("OneTimeUse is required."); +// } } } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java index c55b5a749..7242795d4 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java @@ -104,7 +104,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { throw new AuthenticationException("eIDAS.03", new Object[] { "" }); } - CPEPS cpeps = authConfig.getStorkConfig().getCPEPS(citizenCountryCode); + CPEPS cpeps = authConfig.getStorkConfig().getCPEPSWithFullName(citizenCountryCode); if(null == cpeps) { Logger.error("PEPS unknown for country", new Object[] {citizenCountryCode}); throw new AuthenticationException("eIDAS.04", new Object[] {citizenCountryCode}); @@ -227,7 +227,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { authnRequestBuilder.levelOfAssuranceComparison(LevelOfAssuranceComparison.MINIMUM); //set correct SPType for this online application - if (oaConfig.getBusinessService()) + if (oaConfig.hasBaseIdTransferRestriction()) authnRequestBuilder.spType(SpType.PRIVATE.getValue()); else authnRequestBuilder.spType(SpType.PUBLIC.getValue()); @@ -302,21 +302,20 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { String actionType = "SAMLRequest"; context.put(actionType, SAMLRequest); - Logger.debug("Encoded " + actionType + " original: " + SAMLRequest); - context.put("RelayState", pendingReq.getRequestID()); + context.put("action", authnReqEndpoint.getLocation()); Logger.debug("Using SingleSignOnService url as action: " + authnReqEndpoint.getLocation()); - context.put("action", authnReqEndpoint.getLocation()); + Logger.debug("Encoded " + actionType + " original: " + SAMLRequest); - Logger.debug("Starting template merge"); + Logger.trace("Starting template merge"); StringWriter writer = new StringWriter(); - Logger.debug("Doing template merge"); + Logger.trace("Doing template merge"); template.merge(context, writer); - Logger.debug("Template merge done"); - - Logger.debug("Sending html content: " + writer.getBuffer().toString()); + + Logger.trace("Template merge done"); + Logger.trace("Sending html content: " + writer.getBuffer().toString()); byte[] content = writer.getBuffer().toString().getBytes("UTF-8"); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java index 17e112c4c..5e83f0a3f 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java @@ -114,7 +114,8 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { throw new TaskExecutionException(pendingReq, "eIDAS Response processing FAILED.", e); }catch (EIDASSAMLEngineException e) { - Logger.error("eIDAS AuthnRequest generation FAILED.", e); + Logger.warn("eIDAS Response validation FAILED.", e); + Logger.debug("eIDAS response was: " + request.getParameter("SAMLResponse")); revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), pendingReq, MOAIDEventConstants.AUTHPROCESS_PEPS_RECEIVED_ERROR); throw new TaskExecutionException(pendingReq, "eIDAS Response processing FAILED.", @@ -127,7 +128,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { new MOAIDException("init.04", new Object[]{""}, e)); } catch (Exception e) { - Logger.error("eIDAS Response processing FAILED.", e); + Logger.warn("eIDAS Response processing FAILED.", e); revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), pendingReq, MOAIDEventConstants.AUTHPROCESS_PEPS_RECEIVED_ERROR); throw new TaskExecutionException(pendingReq, e.getMessage(), diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/eIDASAttributeBuilder.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/eIDASAttributeBuilder.java index 22b94178e..f148421bd 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/eIDASAttributeBuilder.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/eIDASAttributeBuilder.java @@ -155,17 +155,22 @@ public class eIDASAttributeBuilder extends PVPAttributeBuilder { * @return true if eIDAS attribute holds the unique ID, otherwise false */ private static boolean evaluateUniqueID(String attrName, boolean useMandate) { - //if no mandate is used the natural person identifier is the unique ID - if (!useMandate && - attrName.equals(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.PERSON_IDENTIFIER.getNameUri().toString())) - return true; - - //if mandates are used the the legal person identifier or the natural person identifier of the mandator is the unique ID - else if (useMandate && - attrName.equals(eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri().toString())) + + //from eIDAS spec 1.2 there exists single attr. for representation + if (attrName.equals(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.PERSON_IDENTIFIER.getNameUri().toString())) return true; - //TODO: implement flag selector for mandates and natural persons + //if no mandate is used the natural person identifier is the unique ID +// if (!useMandate && +// attrName.equals(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.PERSON_IDENTIFIER.getNameUri().toString())) +// return true; +// +// //if mandates are used the the legal person identifier or the natural person identifier of the mandator is the unique ID +// else if (useMandate && +// attrName.equals(eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri().toString())) +// return true; +// +// //TODO: implement flag selector for mandates and natural persons return false; diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java index 4b67370d6..1ce900ebb 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java @@ -270,7 +270,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { //validate request country-code against eIDAS node config String reqCC = samlReq.getOriginCountryCode(); - String eIDASTarget = oaConfig.getIdentityLinkDomainIdentifier(); + String eIDASTarget = oaConfig.getAreaSpecificTargetIdentifier(); //validate eIDAS target Pattern pattern = Pattern.compile("^" + at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalName.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalName.java index 51a2bd69b..63a4e89d5 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalName.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalName.java @@ -28,6 +28,7 @@ import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateLegalPersonF * @author tlenz * */ +@Deprecated public class eIDASAttrLegalName extends MandateLegalPersonFullNameAttributeBuilder implements IeIDASAttribute { @Override diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java index c008048cb..4d89aec3d 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrLegalPersonIdentifier.java @@ -22,15 +22,47 @@ */ package at.gv.egovernment.moa.id.protocols.eidas.attributes.builder; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator; import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateLegalPersonSourcePinAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; /** * @author tlenz * */ +@Deprecated public class eIDASAttrLegalPersonIdentifier extends MandateLegalPersonSourcePinAttributeBuilder implements IeIDASAttribute { @Override + public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData, + IAttributeGenerator<ATT> g) throws AttributeException { + if(authData.isUseMandate()) { + + //extract eIDAS unique Id prefix from naturalPerson bPK identifier + if (MiscUtil.isEmpty(authData.getBPKType()) + || !authData.getBPKType().startsWith(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS)) { + Logger.error("BPKType is empty or does not start with eIDAS bPKType prefix! bPKType:" + authData.getBPKType()); + throw new AttributeException("Suspect bPKType for eIDAS identifier generation"); + + } + + //add eIDAS eID prefix to legal person identifier + String prefix = authData.getBPKType().substring(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS.length() + 1); + String legalPersonID = prefix.replaceAll("\\+", "/") + "/" + getLegalPersonIdentifierFromMandate(authData); + return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, + MANDATE_LEG_PER_SOURCE_PIN_NAME, legalPersonID); + + } + + return null; + + } + + @Override public String getName() { return eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri().toString(); } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeDateOfBirth.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeDateOfBirth.java new file mode 100644 index 000000000..43d2f96c2 --- /dev/null +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeDateOfBirth.java @@ -0,0 +1,40 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.eidas.attributes.builder; + +import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateNaturalPersonBirthDateAttributeBuilder; + +/** + * @author tlenz + * + */ +public class eIDASAttrRepresentativeDateOfBirth extends MandateNaturalPersonBirthDateAttributeBuilder implements IeIDASAttribute { + + @Override + public String getName() { + return eu.eidas.auth.engine.core.eidas.spec.RepresentativeNaturalPersonSpec.Definitions.DATE_OF_BIRTH.getNameUri().toString(); + + } + + +} diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeFamilyName.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeFamilyName.java new file mode 100644 index 000000000..924a275b1 --- /dev/null +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeFamilyName.java @@ -0,0 +1,41 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.eidas.attributes.builder; + +import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateNaturalPersonFamilyNameAttributeBuilder; + +/** + * @author tlenz + * + */ +public class eIDASAttrRepresentativeFamilyName extends MandateNaturalPersonFamilyNameAttributeBuilder implements IeIDASAttribute{ + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder#getName() + */ + @Override + public String getName() { + return eu.eidas.auth.engine.core.eidas.spec.RepresentativeNaturalPersonSpec.Definitions.CURRENT_FAMILY_NAME.getNameUri().toString(); + } + +} diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeGivenName.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeGivenName.java new file mode 100644 index 000000000..2de585918 --- /dev/null +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeGivenName.java @@ -0,0 +1,42 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.eidas.attributes.builder; + +import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateNaturalPersonGivenNameAttributeBuilder; + +/** + * @author tlenz + * + */ +public class eIDASAttrRepresentativeGivenName extends MandateNaturalPersonGivenNameAttributeBuilder implements IeIDASAttribute{ + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder#getName() + */ + @Override + public String getName() { + return eu.eidas.auth.engine.core.eidas.spec.RepresentativeNaturalPersonSpec.Definitions.CURRENT_GIVEN_NAME.getNameUri().toString(); + } + + +} diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeLegalName.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeLegalName.java new file mode 100644 index 000000000..92456d202 --- /dev/null +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeLegalName.java @@ -0,0 +1,37 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.eidas.attributes.builder; + +import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateLegalPersonFullNameAttributeBuilder; + +/** + * @author tlenz + * + */ +public class eIDASAttrRepresentativeLegalName extends MandateLegalPersonFullNameAttributeBuilder implements IeIDASAttribute { + + @Override + public String getName() { + return eu.eidas.auth.engine.core.eidas.spec.RepresentativeLegalPersonSpec.Definitions.LEGAL_NAME.getNameUri().toString(); + } +} diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeLegalPersonIdentifier.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeLegalPersonIdentifier.java new file mode 100644 index 000000000..47cc71e01 --- /dev/null +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeLegalPersonIdentifier.java @@ -0,0 +1,68 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.eidas.attributes.builder; + +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator; +import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateLegalPersonSourcePinAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +public class eIDASAttrRepresentativeLegalPersonIdentifier extends MandateLegalPersonSourcePinAttributeBuilder implements IeIDASAttribute { + + @Override + public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData, + IAttributeGenerator<ATT> g) throws AttributeException { + if(authData.isUseMandate()) { + + //extract eIDAS unique Id prefix from naturalPerson bPK identifier + if (MiscUtil.isEmpty(authData.getBPKType()) + || !authData.getBPKType().startsWith(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS)) { + Logger.error("BPKType is empty or does not start with eIDAS bPKType prefix! bPKType:" + authData.getBPKType()); + throw new AttributeException("Suspect bPKType for eIDAS identifier generation"); + + } + + //add eIDAS eID prefix to legal person identifier + String prefix = authData.getBPKType().substring(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS.length() + 1); + String legalPersonID = prefix.replaceAll("\\+", "/") + "/" + getLegalPersonIdentifierFromMandate(authData); + return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, + MANDATE_LEG_PER_SOURCE_PIN_NAME, legalPersonID); + + } + + return null; + + } + + @Override + public String getName() { + return eu.eidas.auth.engine.core.eidas.spec.RepresentativeLegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri().toString(); + } +} diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeNaturalPersonalIdentifier.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeNaturalPersonalIdentifier.java new file mode 100644 index 000000000..52396ae90 --- /dev/null +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASAttrRepresentativeNaturalPersonalIdentifier.java @@ -0,0 +1,133 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.eidas.attributes.builder; + +import java.security.MessageDigest; + +import at.gv.egovernment.moa.id.auth.modules.eidas.utils.eIDASAttributeProcessingUtils; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.Pair; +import at.gv.egovernment.moa.id.data.Trible; +import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator; +import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateNaturalPersonBPKAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.eidas.EIDASData; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.util.Random; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +public class eIDASAttrRepresentativeNaturalPersonalIdentifier extends MandateNaturalPersonBPKAttributeBuilder implements IeIDASAttribute{ + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder#getName() + */ + @Override + public String getName() { + return eu.eidas.auth.engine.core.eidas.spec.RepresentativeNaturalPersonSpec.Definitions.PERSON_IDENTIFIER.getNameUri().toString(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder#build(at.gv.egovernment.moa.id.commons.api.IOAAuthParameters, at.gv.egovernment.moa.id.data.IAuthData, at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator) + */ + @Override + public <ATT> ATT build(IOAAuthParameters oaParam, IAuthData authData, IAttributeGenerator<ATT> g) + throws AttributeException { + + try { + Pair<String, String> calcResult = internalBPKGenerator(oaParam, authData); + if (calcResult != null) { + String personalID = calcResult.getFirst(); + String type = calcResult.getSecond(); + + //generate eIDAS conform 'PersonalIdentifier' attribute + if (!eIDASAttributeProcessingUtils.validateEidasPersonalIdentifier(personalID)) { + Logger.debug("preCalculated PersonalIdentifier does not include eIDAS conform prefixes ... add prefix now"); + if (MiscUtil.isEmpty(type) + || !type.startsWith(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS)) { + Logger.error("BPKType is empty or does not start with eIDAS bPKType prefix! bPKType:" + authData.getBPKType()); + throw new AttributeException("Suspect bPKType for eIDAS identifier generation"); + + } + + String prefix = authData.getBPKType().substring(at.gv.egovernment.moa.util.Constants.URN_PREFIX_EIDAS.length() + 1); + personalID = prefix.replaceAll("\\+", "/") + "/" + personalID; + + } + + //generate a transient unique identifier if it is requested + Boolean isTransiendIDRequested = + authData.getGenericData(EIDASData.REQ_PARAM_eIDAS_AUTHN_TRANSIENT_ID, Boolean.class); + if (isTransiendIDRequested != null && isTransiendIDRequested) + personalID = generateTransientNameID(personalID); + + return g.buildStringAttribute(null, getName(), personalID); + + } + + } catch (Exception e) { + Logger.info("Can not generate eIDAS attr: " + getName() + ". Reason:" + e.getMessage()); + + } + + return null; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder#buildEmpty(at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator) + */ + @Override + public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) { + return null; + } + + private String generateTransientNameID(String nameID) { + //extract source-country and destination country from persistent identifier + Trible<String, String, String> split = eIDASAttributeProcessingUtils.parseEidasPersonalIdentifier(nameID); + if (split == null) { + Logger.error("eIDAS 'PersonalIdentifier' has a wrong format. There had to be a ERROR in implementation!!!!"); + throw new IllegalStateException("eIDAS 'PersonalIdentifier' has a wrong format. There had to be a ERROR in implementation!!!!"); + + } + + //build correct formated transient identifier + String random = Random.nextLongRandom(); + try { + MessageDigest md = MessageDigest.getInstance("SHA-1"); + byte[] hash = md.digest((split.getThird() + random).getBytes("ISO-8859-1")); + return split.getFirst() + "/" + split.getSecond() + "/" + Base64Utils.encode(hash); + + } catch (Exception e) { + Logger.error("Can not generate transient personal identifier!", e); + return null; + + } + + } +} diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java index d0cda38c7..ee0f72f34 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java @@ -40,7 +40,6 @@ import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger; import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider; import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider; -import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SimpleEidasAttributeGenerator; import at.gv.egovernment.moa.id.auth.modules.eidas.utils.eIDASAttributeBuilder; import at.gv.egovernment.moa.id.commons.MOAIDConstants; import at.gv.egovernment.moa.id.commons.api.IRequest; @@ -50,15 +49,17 @@ import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; -import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator; import at.gv.egovernment.moa.logging.Logger; import eu.eidas.auth.commons.EidasStringUtil; import eu.eidas.auth.commons.attribute.AttributeDefinition; import eu.eidas.auth.commons.attribute.AttributeValue; import eu.eidas.auth.commons.attribute.ImmutableAttributeMap; +import eu.eidas.auth.commons.attribute.ImmutableAttributeMap.Builder; import eu.eidas.auth.commons.protocol.IResponseMessage; import eu.eidas.auth.commons.protocol.impl.AuthenticationResponse; import eu.eidas.auth.engine.ProtocolEngineI; +import eu.eidas.auth.engine.core.eidas.spec.RepresentativeLegalPersonSpec; +import eu.eidas.auth.engine.core.eidas.spec.RepresentativeNaturalPersonSpec; import eu.eidas.auth.engine.xml.opensaml.SAMLEngineUtils; @@ -71,12 +72,12 @@ import eu.eidas.auth.engine.xml.opensaml.SAMLEngineUtils; @Service("eIDASAuthenticationRequest") public class eIDASAuthenticationRequest implements IAction { - - private static IAttributeGenerator<String> generator = new SimpleEidasAttributeGenerator(); @Autowired protected MOAReversionLogger revisionsLogger; @Autowired(required=true) MOAeIDASChainingMetadataProvider eIDASMetadataProvider; + + @Override public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { EIDASData eidasRequest; @@ -89,31 +90,55 @@ public class eIDASAuthenticationRequest implements IAction { String subjectNameID = null; //gather attributes - ImmutableAttributeMap reqAttributeList = (ImmutableAttributeMap) eidasRequest.getEidasRequestedAttributes(); - ImmutableAttributeMap.Builder attrMapBuilder = ImmutableAttributeMap.builder(); - - //generate eIDAS attributes - for(AttributeDefinition<?> attr : reqAttributeList.getDefinitions()) { - Pair<AttributeDefinition<?>, ImmutableSet<AttributeValue<?>>> eIDASAttr = eIDASAttributeBuilder.buildAttribute( - attr, req.getOnlineApplicationConfiguration(), authData); + ImmutableAttributeMap reqAttributeList = (ImmutableAttributeMap) eidasRequest.getEidasRequestedAttributes(); + + //add mandate attr. to requested attributes of eMandates are used an no mandate attr. are requested + if (authData.isUseMandate()) { + Logger.trace("eMandates are used. Starting eIDAS requsted attr. update process ...."); + Builder reqAttrWithMandates = ImmutableAttributeMap.builder(reqAttributeList); + + //check if the exists a local builder + for (AttributeDefinition<?> el : RepresentativeNaturalPersonSpec.REGISTRY.getAttributes()) { + if (eIDASAttributeBuilder.getAllProvideableeIDASAttributes().contains(el.getNameUri().toString())) { + if (reqAttributeList.getDefinitionByNameUri(el.getNameUri()) == null) { + Logger.debug("Add eIDAS attr: " + el.getNameUri().toString() + " to requested attributes"); + reqAttrWithMandates.put(AttributeDefinition.builder(el).required(false).build()); - if(eIDASAttr == null) { - if (attr.isRequired()) { - Logger.info("eIDAS Attr:" + attr.getNameUri() + " is marked as 'Required' but not available."); - throw new MOAIDException("eIDAS.15", new Object[]{attr.getFriendlyName()}); + } } else - Logger.info("eIDAS Attr:" + attr.getNameUri() + " is not available."); - - } else { - //add attribute to Map - attrMapBuilder.put( - (AttributeDefinition)eIDASAttr.getFirst(), - (ImmutableSet)eIDASAttr.getSecond()); - + Logger.trace("eIDAS attribute: " + el.getNameUri().toString() + " is not providable by Austrian eIDAS node."); + + } + for (AttributeDefinition<?> el : RepresentativeLegalPersonSpec.REGISTRY.getAttributes()) { + if (eIDASAttributeBuilder.getAllProvideableeIDASAttributes().contains(el.getNameUri().toString())) { + if (reqAttributeList.getDefinitionByNameUri(el.getNameUri()) == null) { + Logger.debug("Add eIDAS attr: " + el.getNameUri().toString() + " to requested attributes"); + reqAttrWithMandates.put(AttributeDefinition.builder(el).required(false).build()); + + } + + } else + Logger.trace("eIDAS attribute: " + el.getNameUri().toString() + " is not providable by Austrian eIDAS node."); + } + + reqAttributeList = reqAttrWithMandates.build(); + Logger.trace("eIDAS requsted attr. update process finished"); + } + Logger.trace("Starting eIDAS response generation ...."); + + //generate eIDAS attributes + ImmutableAttributeMap.Builder attrMapBuilder = ImmutableAttributeMap.builder(); + for(AttributeDefinition<?> attr : reqAttributeList.getDefinitions()) + buildAndAddAttribute(attrMapBuilder, attr, eidasRequest, authData); + + + //build final attibute set + ImmutableAttributeMap eIDASAttrbutMap = attrMapBuilder.build(); + // construct eIDaS response AuthenticationResponse.Builder responseBuilder = new AuthenticationResponse.Builder(); @@ -127,7 +152,7 @@ public class eIDASAuthenticationRequest implements IAction { responseBuilder.levelOfAssurance(authData.getEIDASQAALevel()); //add attributes - responseBuilder.attributes(attrMapBuilder.build()); + responseBuilder.attributes(eIDASAttrbutMap); //set success statuscode responseBuilder.statusCode(StatusCode.SUCCESS_URI); @@ -178,8 +203,6 @@ public class eIDASAuthenticationRequest implements IAction { template.merge(context, writer); Logger.trace("Template merge done"); - Logger.trace("Sending html content : " + new String(writer.getBuffer())); - byte[] content = writer.getBuffer().toString().getBytes("UTF-8"); httpResp.setContentType(MOAIDConstants.DEFAULT_CONTENT_TYPE_HTML_UTF8); httpResp.setContentLength(content.length); @@ -221,6 +244,26 @@ public class eIDASAuthenticationRequest implements IAction { return "eIDAS_AuthnRequest"; } + private void buildAndAddAttribute(ImmutableAttributeMap.Builder attrMapBuilder, AttributeDefinition<?> attr, IRequest req, IAuthData authData) throws MOAIDException { + Pair<AttributeDefinition<?>, ImmutableSet<AttributeValue<?>>> eIDASAttr = eIDASAttributeBuilder.buildAttribute( + attr, req.getOnlineApplicationConfiguration(), authData); + + if(eIDASAttr == null) { + if (attr.isRequired()) { + Logger.info("eIDAS Attr:" + attr.getNameUri() + " is marked as 'Required' but not available."); + throw new MOAIDException("eIDAS.15", new Object[]{attr.getFriendlyName()}); + + } else + Logger.info("eIDAS Attr:" + attr.getNameUri() + " is not available."); + + } else { + //add attribute to Map + attrMapBuilder.put( + (AttributeDefinition)eIDASAttr.getFirst(), + (ImmutableSet)eIDASAttr.getSecond()); + + } + } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/resources/META-INF/services/at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder b/id/server/modules/moa-id-module-eIDAS/src/main/resources/META-INF/services/at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder index 62e7c20ab..3c11c725d 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/resources/META-INF/services/at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder +++ b/id/server/modules/moa-id-module-eIDAS/src/main/resources/META-INF/services/at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder @@ -2,5 +2,10 @@ at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrDateOfBirth at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrFamilyName at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrGivenName at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrNaturalPersonalIdentifier -at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrLegalPersonIdentifier -at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrLegalName +at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrNaturalPersonalIdentifier +at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeDateOfBirth +at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeFamilyName +at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeGivenName +at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeLegalName +at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeLegalPersonIdentifier +at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeNaturalPersonalIdentifier diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/resources/META-INF/services/at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.IeIDASAttribute b/id/server/modules/moa-id-module-eIDAS/src/main/resources/META-INF/services/at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.IeIDASAttribute index 62e7c20ab..ad87adb6a 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/resources/META-INF/services/at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.IeIDASAttribute +++ b/id/server/modules/moa-id-module-eIDAS/src/main/resources/META-INF/services/at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.IeIDASAttribute @@ -2,5 +2,9 @@ at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrDateOfBirth at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrFamilyName at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrGivenName at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrNaturalPersonalIdentifier -at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrLegalPersonIdentifier -at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrLegalName +at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeDateOfBirth +at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeFamilyName +at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeGivenName +at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeLegalName +at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeLegalPersonIdentifier +at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeNaturalPersonalIdentifier
\ No newline at end of file diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java index d65d74c3f..299eb442e 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java @@ -48,6 +48,7 @@ import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAuthnRequestBuilder; @@ -150,7 +151,8 @@ public class RequestELGAMandateTask extends AbstractAuthServletTask { String sourcePinType = moasession.getIdentityLink().getIdentificationType(); String sourcePinValue = moasession.getIdentityLink().getIdentificationValue(); if (sourcePinType.startsWith(Constants.URN_PREFIX_BASEID)) { - representativeBPK = new BPKBuilder().buildBPK(sourcePinValue, configTarget); + Pair<String, String> userId = new BPKBuilder().generateAreaSpecificPersonIdentifier(sourcePinValue, configTarget); + representativeBPK = userId.getFirst(); } else { Logger.debug("No 'SourcePin' found for representative. " diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java index f0cf45293..b2522ea33 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java @@ -142,11 +142,14 @@ class OAuth20AuthAction implements IAction { // build id token and scope Pair<String, String> pair = buildIdToken(auth20SessionObject.getScope(), oAuthRequest, authData); - Logger.debug("RESPONSE ID_TOKEN: " + pair.getFirst()); + params.put(OAuth20Constants.RESPONSE_ID_TOKEN, pair.getFirst()); - Logger.debug("RESPONSE SCOPE: " + pair.getSecond()); params.put(OAuth20Constants.PARAM_SCOPE, pair.getSecond()); + Logger.debug("OpenID-Connect ID_TOKEN completed"); + Logger.trace("RESPONSE ID_TOKEN: " + pair.getFirst()); + Logger.trace("RESPONSE SCOPE: " + pair.getSecond()); + return params; } diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java index 75ea41449..d72fe9686 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java @@ -20,6 +20,7 @@ import com.google.gson.JsonObject; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException; +import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet; import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.moduls.RequestImpl; @@ -210,10 +211,13 @@ public class OAuth20Protocol extends AbstractAuthProtocolModulController { URLEncoder.encode(errorUri + "#" + moaError, "UTF-8")); + String redirectURL = protocolRequest.getAuthURL() + RedirectServlet.SERVICE_ENDPOINT; + redirectURL = addURLParameter(redirectURL, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(url.toString(), "UTF-8")); + response.setContentType("text/html"); response.setStatus(HttpServletResponse.SC_FOUND); - response.addHeader("Location", url.toString()); - Logger.debug("REDIRECT TO: " + url.toString()); + response.addHeader("Location", redirectURL); + Logger.debug("REDIRECT TO: " + redirectURL); return true; } else { @@ -255,4 +259,13 @@ public class OAuth20Protocol extends AbstractAuthProtocolModulController { return true; } + protected static String addURLParameter(String url, String paramname, + String paramvalue) { + String param = paramname + "=" + paramvalue; + if (url.indexOf("?") < 0) + return url + "?" + param; + else + return url + "&" + param; + } + } diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java index 985e1d1c5..2117e2ab8 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java @@ -77,14 +77,15 @@ class OAuth20TokenAction implements IAction { if (auth20SessionObject == null || !auth20SessionObject.getCode().equals(oAuthRequest.getCode())) { throw new OAuth20UnauthorizedClientException(); } else { - Logger.debug("Loaded of OAuth20SessionObject was successful"); + Logger.debug("Loaded of OAuth20SessionObject was successful. Build jSON response ..."); } // create response JsonObject jsonObject = new JsonObject(); OAuth20Util.addProperytiesToJsonObject(jsonObject, auth20SessionObject.getAuthDataSession()); byte[] jsonResponse = jsonObject.toString().getBytes("UTF-8"); - Logger.debug("JSON Response: " + new String(jsonResponse)); + Logger.debug("jSON response completed."); + Logger.trace("jSON response: " + new String(jsonResponse)); // write respone to http response httpResp.setContentType("application/json"); diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java index 2f6a54027..4ce77d861 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java @@ -75,14 +75,6 @@ public class SSOTransferAuthenticationData implements IAuthData { } /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.data.IAuthData#isBusinessService() - */ - @Override - public boolean isBusinessService() { - return this.isIDPPrivateService; - } - - /* (non-Javadoc) * @see at.gv.egovernment.moa.id.data.IAuthData#isSsoSession() */ @Override @@ -362,4 +354,13 @@ public class SSOTransferAuthenticationData implements IAuthData { return this.authSession.getGenericDataFromSession(key, clazz); } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#isBaseIDTransferRestrication() + */ + @Override + public boolean isBaseIDTransferRestrication() { + return this.isIDPPrivateService; + } + } diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java index 3affa17b3..c2132c1f9 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java @@ -32,6 +32,7 @@ import at.gv.egovernment.moa.id.commons.api.data.CPEPS; import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters; import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute; import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; /** * @author tlenz @@ -42,15 +43,7 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters { public SSOTransferOnlineApplication() { } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService() - */ - @Override - public boolean getBusinessService() { - return false; - } - + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#useSSO() */ @@ -107,33 +100,6 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters { } /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType() - */ - @Override - public String getOaType() { - // TODO Auto-generated method stub - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget() - */ - @Override - public String getTarget() { - // TODO Auto-generated method stub - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTargetFriendlyName() - */ - @Override - public String getTargetFriendlyName() { - // TODO Auto-generated method stub - return null; - } - - /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isInderfederationIDP() */ @Override @@ -151,14 +117,6 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters { return false; } - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier() - */ - @Override - public String getIdentityLinkDomainIdentifier() { - // TODO Auto-generated method stub - return null; - } /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getKeyBoxIdentifier() @@ -226,15 +184,6 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters { } /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType() - */ - @Override - public String getIdentityLinkDomainIdentifierType() { - // TODO Auto-generated method stub - return null; - } - - /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isShowMandateCheckBox() */ @Override @@ -441,4 +390,38 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters { return false; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdInternalProcessingRestriction() + */ + @Override + public boolean hasBaseIdInternalProcessingRestriction() throws ConfigurationException { + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#hasBaseIdTransferRestriction() + */ + @Override + public boolean hasBaseIdTransferRestriction() throws ConfigurationException { + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifier() + */ + @Override + public String getAreaSpecificTargetIdentifier() throws ConfigurationException { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.commons.api.IOAAuthParameters#getAreaSpecificTargetIdentifierFriendlyName() + */ + @Override + public String getAreaSpecificTargetIdentifierFriendlyName() throws ConfigurationException { + // TODO Auto-generated method stub + return null; + } + } diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/resources/sso_transfer_template.html b/id/server/modules/moa-id-module-ssoTransfer/src/main/resources/sso_transfer_template.html index 962faa58f..c2195d300 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/resources/sso_transfer_template.html +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/resources/sso_transfer_template.html @@ -3,379 +3,9 @@ <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <!-- MOA-ID 2.x BKUSelection Layout CSS --> - <style type="text/css"> - @media screen and (min-width: 650px) { - - body { - margin:0; - padding:0; - color : #000; - background-color : #fff; - text-align: center; - background-color: #6B7B8B; - } - - #page { - display: block; - border: 2px solid rgb(0,0,0); - width: 650px; - height: 460px; - margin: 0 auto; - margin-top: 5%; - position: relative; - border-radius: 25px; - background: rgb(255,255,255); - } - - #page1 { - text-align: center; - } - - #main { - /* clear:both; */ - position:relative; - margin: 0 auto; - width: 250px; - text-align: center; - } - - .OA_header { - /* background-color: white;*/ - font-size: 20pt; - margin-bottom: 25px; - margin-top: 25px; - } - - #leftcontent { - /*float:left; */ - width:250px; - margin-bottom: 25px; - text-align: left; - /*border: 1px solid rgb(0,0,0);*/ - } - - #leftcontent { - width: 300px; - margin-top: 30px; - } - - h2#tabheader{ - font-size: 1.1em; - padding-left: 2%; - padding-right: 2%; - position: relative; - } - - .setAssertionButton_full { - background: #efefef; - cursor: pointer; - margin-top: 15px; - width: 100px; - height: 30px - } - - #leftbutton { - width: 30%; - float:left; - margin-left: 40px; - } - - #rightbutton { - width: 30%; - float:right; - margin-right: 45px; - text-align: right; - } - - button { - height: 25px; - width: 75px; - margin-bottom: 10px; - } - - #validation { - position: absolute; - bottom: 0px; - margin-left: 270px; - padding-bottom: 10px; - } - - } - - @media screen and (max-width: 205px) { - #localBKU p { - font-size: 0.6em; - } - - #localBKU input { - font-size: 0.6em; - min-width: 60px; - /* max-width: 65px; */ - min-height: 1.0em; - /* border-radius: 5px; */ - } - - } - - @media screen and (max-width: 249px) and (min-width: 206px) { - #localBKU p { - font-size: 0.7em; - } - - #localBKU input { - font-size: 0.7em; - min-width: 70px; - /* max-width: 75px; */ - min-height: 0.95em; - /* border-radius: 6px; */ - } - - } - - @media screen and (max-width: 299px) and (min-width: 250px) { - #localBKU p { - font-size: 0.9em; - } - - #localBKU input { - font-size: 0.8em; - min-width: 70px; - /* max-width: 75px; */ - /* border-radius: 6px; */ - } - - } - - @media screen and (max-width: 399px) and (min-width: 300px) { - #localBKU p { - font-size: 0.9em; - } - - #localBKU input { - font-size: 0.8em; - min-width: 70px; - /* max-width: 75px; */ - /* border-radius: 6px; */ - } - - } - - @media screen and (max-width: 649px) and (min-width: 400px) { - #localBKU p { - font-size: 0.9em; - } - - #localBKU input { - font-size: 0.8em; - min-width: 70px; - /* max-width: 80px; */ - /* border-radius: 6px; */ - } - - } - - - - @media screen and (max-width: 649px) { - - body { - margin:0; - padding:0; - color : #000; - text-align: center; - font-size: 100%; - background-color: #MAIN_BACKGOUNDCOLOR#; - } - - #page { - visibility: hidden; - margin-top: 0%; - } - - #page1 { - visibility: hidden; - } - - #main { - visibility: hidden; - } - - #validation { - visibility: hidden; - display: none; - } - - .OA_header { - margin-bottom: 0px; - margin-top: 0px; - font-size: 0pt; - visibility: hidden; - } - - #leftcontent { - visibility: visible; - margin-bottom: 0px; - text-align: left; - border:none; - vertical-align: middle; - min-height: 173px; - min-width: 204px; - - } - - input[type=button] { -/* height: 11%; */ - width: 70%; - } - } - - * { - margin: 0; - padding: 0; - font-family: #FONTTYPE#; - } - - #selectArea { - padding-top: 10px; - padding-bottom: 55px; - padding-left: 10px; - } - - .setAssertionButton { - background: #efefef; - cursor: pointer; - margin-top: 15px; - width: 70px; - height: 25px; - } - - #leftbutton { - width: 35%; - float:left; - margin-left: 15px; - } - - #rightbutton { - width: 35%; - float:right; - margin-right: 25px; - text-align: right; - } - -/* input[type=button], .sendButton { - background: #BUTTON_BACKGROUNDCOLOR#; - color: #BUTTON_COLOR#; -/* border:1px solid #000; */ -/* cursor: pointer; -/* box-shadow: 3px 3px 3px #222222; */ -/* } - -/* button:hover, button:focus, button:active, - .sendButton:hover , .sendButton:focus, .sendButton:active, - #mandateCheckBox:hover, #mandateCheckBox:focus, #mandateCheckBox:active { - background: #BUTTON_BACKGROUNDCOLOR_FOCUS#; - color: #BUTTON_COLOR#; -/* border:1px solid #000; */ -/* cursor: pointer; -/* box-shadow: -1px -1px 3px #222222; */ -/* } - -*/ - input { - /*border:1px solid #000;*/ - cursor: pointer; - } - - #localBKU input { -/* color: #BUTTON_COLOR#; */ - border: 0px; - display: inline-block; - - } - - #localBKU input:hover, #localBKU input:focus, #localBKU input:active { - text-decoration: underline; - } - - #installJava, #BrowserNOK { - clear:both; - font-size:0.8em; - padding:4px; - } - - .selectText{ - - } - - .selectTextHeader{ - - } - - .sendButton { - width: 30%; - margin-bottom: 1%; - } - - #leftcontent a { - text-decoration:none; - color: #000; - /* display:block;*/ - padding:4px; - } - - #leftcontent a:hover, #leftcontent a:focus, #leftcontent a:active { - text-decoration:underline; - color: #000; - } - - .infobutton { - background-color: #005a00; - color: white; - font-family: serif; - text-decoration: none; - padding-top: 2px; - padding-right: 4px; - padding-bottom: 2px; - padding-left: 4px; - font-weight: bold; - } - - .hell { - background-color : #MAIN_BACKGOUNDCOLOR#; - color: #MAIN_COLOR#; - } - - .dunkel { - background-color: #HEADER_BACKGROUNDCOLOR#; - color: #HEADER_COLOR#; - } - - .main_header { - color: black; - font-size: 32pt; - position: absolute; - right: 10%; - top: 40px; - - } - - #alert { - margin: 100px 250px; - font-family: Verdana, Arial, Helvetica, sans-serif; - font-size: 14px; - font-weight: normal; - color: red; - } - - .reqframe { - /*display: none;*/ - visibility: hidden; - - } - - </style> + <link rel="stylesheet" href="$contextPath/css/buildCSS" /> - #if($timeoutURL) + #if($timeoutURL) <script type="text/javascript"> function sloTimeOut() { window.location.href="$timeoutURL"; @@ -385,30 +15,31 @@ </script> #end - <title>Single Sign-On Session Transfer</title> </head> + #if($timeoutURL) <body onload='setTimeout(sloTimeOut, $timeout);'> #else <body> #end + +<!--body--> <noscript> <p> <strong>Note:</strong> Since your browser does not support - JavaScript, you must press the Continue button to resume - the authentication process after the SSO session transfer from smartphone to application is complete. + JavaScript, you must press the Continue button once to proceed. </p> - - <a href="$timeoutURL">Press this link to resume</a> + + <a href="$timeoutURL">Press this link to resume</a> </noscript> <div id="page"> <div id="page1" class="case selected-case" role="main"> <h2 class="OA_header" role="heading">MOA-ID Single Sign-On Session Transfer Service</h2> <div id="main"> - <div id="leftcontent" class="hell" role="application"> + <!--div id="leftcontent" class="hell" role="application"--> #if($errorMsg) <div class="alert"> @@ -421,26 +52,26 @@ <p>$successMsg</p> </div> #end - - #if($QRImage) + + #if($QRImage) <div> - <img src="data:image/gif;base64,$QRImage"> + <img id="qrCode" src="data:image/gif;base64,$QRImage"> </div> #end - - </div> + + <!--/div--> </div> </div> - <div id="validation"> + <!--div id="validation"> <a href="http://validator.w3.org/check?uri="> <img style="border: 0; width: 88px; height: 31px" - src="$contextpath/img/valid-html5-blue.png" alt="HTML5 ist valide!" /> + src="$contextPath/img/valid-html5-blue.png" alt="HTML5 ist valide!" /> </a> <a href="http://jigsaw.w3.org/css-validator/"> <img style="border: 0; width: 88px; height: 31px" src="http://jigsaw.w3.org/css-validator/images/vcss-blue" alt="CSS ist valide!" /> </a> - </div> + </div--> </div> </body> diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java b/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java index fe859c7bc..8ca087e1d 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java @@ -232,6 +232,14 @@ public class Tests { */ public static void main(String[] args) { + String org_resp = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWwycDpSZXNwb25zZSBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zYW1scHJveHktdGVzdC51Y29tLmd2LmF0L1NhbWwyL2Fjcy9wb3N0IiBJRD0iXzQ0MDVlMmE5NTBiYWVkODdjYTBjOWNhZWY4ZThhYzBmIiBJblJlc3BvbnNlVG89ImlkLWY3VUhoSU1BOFdqeXFkUEJ3IiBJc3N1ZUluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNTkzWiIgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCI+PHNhbWwyOklzc3VlciB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+aHR0cHM6Ly9zdHAtYXV0aC1hcHAuZW50dy5wb3J0YWwuYmthLmd2LmF0L3N0ZHBvcnRhbC1pZHAvcG9ydGFsdmVyYnVuZC5ndi5hdDwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGE1MTIiLz48ZHM6UmVmZXJlbmNlIFVSST0iI180NDA1ZTJhOTUwYmFlZDg3Y2EwYzljYWVmOGU4YWMwZiI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhNTEyIi8+PGRzOkRpZ2VzdFZhbHVlPng3a2RBVVRJTmlpak9sbmZNRVJnY29tZEFub2MwejIwTEI5NXN3TitIRXdnRTBCUUNaR0ZIZVJKQWVxbmxjRmZabUZNZnUyejE3OGFlRlVaK1VCOGpRPT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+cVFsWFRPdmtON2QzZ1BxaXR0VDRnNUtYNDkrNE45TWMza2NvS1p1RUhTZU1zd2p4dzNkZHpVcGd4bHJnUWc2QTl5cC80dTgxSlM3dVpSSWRESm9iRm81OUE4RWV0Qmh2cXptdElaOUt3ejJad0IyclhENlBFaERxOURnbHpZR0dOd05od2dFZXpPbzBlRTRpNHBETkRQdDkxaC9FOU1qMkxoR0NVM3U2ZEZ0ZHQ2R2FEa000RHVJcVZKeWdHQzdVZDJMeU14Q1NyVC9mRHpQSUN6RENCcDExRTNEaVRYWk55MTBaa1J2RU5tOUZrY0lPVHlRcmlrNXkrV25Ed0UrTDUzZUhNL1l4WkJBa2pGMjRRaEc0YVBxY1FhcFdEdWNSaDdYNkZsU1Y0bUpqNHp5TlMzSmZBeUFaN0J4S2w3anlxWjIzT1VTYm5MTkRIdVNpK2JzZkt3PT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUZ5VENDQkxHZ0F3SUJBZ0lDQXJRd0RRWUpLb1pJaHZjTkFRRUxCUUF3Z1pneEN6QUpCZ05WQkFZVEFrRlVNUTB3Q3dZRFZRUUkKRXdSWGFXVnVNU2N3SlFZRFZRUUtFeDVDZFc1a1pYTnRhVzVwYzNSbGNtbDFiU0JtZFdWeUlFbHVibVZ5WlhNeERqQU1CZ05WQkFzVApCVWxVTFUxVE1Sa3dGd1lEVlFRREV4QlFiM0owWVd4MlpYSmlkVzVrTFVOQk1TWXdKQVlKS29aSWh2Y05BUWtCRmhkaWJXa3RhWFl0Ck1pMWxMV05oUUdKdGFTNW5kaTVoZERBZUZ3MHhOakV5TWpBd09ETXlNVFphRncweE9UQXhNRGt3T0RNeU1UWmFNSUdITVFzd0NRWUQKVlFRR0V3SkJWREVOTUFzR0ExVUVDQk1FVjJsbGJqRVpNQmNHQTFVRUNoTVFRblZ1WkdWemEyRnVlbXhsY21GdGRERUxNQWtHQTFVRQpDeE1DU1ZReEhEQWFCZ05WQkFNVEUzTjBjQzFsYm5SM0xXSnJZUzFqYkdsbGJuUXhJekFoQmdrcWhraUc5dzBCQ1FFV0ZIcGxjblJwClptbHJZWFJBWW10aExtZDJMbUYwTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUEya2lxMTZNQWNUTTkKRjJPUzlNZEJ0eHpqMmdnSmpuZWVjNFRvZitvZXBEVWRpTk5HRDFmSDFZRU9qZ3ZiSzhvc2tXZ3ptbmFRM1FyV0RrZmlEM2l1dXpLKwp1eWc3L3psSHdyV2VmY0sycGkvbTJqQXNqTXZXZFlDWk9raDNoL3dEN25oMkpRd0N4Sy91K1hxbnVMWnBHQkRlTExqMStHWTFQL3F0CktNWWxzZ2ZwWTNjWFlKL3dvWk9ZblZhK1liOE1USHNNempQcEpXVkw2QURFREhMU1lVZ3h2LzMzSDlISGFQUXNNRmpDejVuRitWUkUKQ0EwbnpWS3dXcFN1dWdabmk5KzdMNVlUUUR5VDNNUUtQeURxRmZnMUVQS21BV1F0UU84OXUvZ3JERVNZNldLMlFxV2JieUZ6Ykx4TQozVjI3Sit6OE8wV3dsMzlyTS9DVDdIcjNkd0lEQVFBQm80SUNLakNDQWlZd0NRWURWUjBUQkFJd0FEQUxCZ05WSFE4RUJBTUNCZUF3CkxBWUpZSVpJQVliNFFnRU5CQjhXSFU5d1pXNVRVMHdnUjJWdVpYSmhkR1ZrSUVObGNuUnBabWxqWVhSbE1CMEdBMVVkRGdRV0JCUmcKUURkQnNoT1BpYUs0VGxNT3Nqdlltek04U0RDQjBRWURWUjBqQklISk1JSEdnQlNtSHZSZUdrTzBpTjZpeUwxb1pRUEZNRzltMDZHQgpxcVNCcHpDQnBERUxNQWtHQTFVRUJoTUNRVlF4RFRBTEJnTlZCQWdUQkZkcFpXNHhEVEFMQmdOVkJBY1RCRmRwWlc0eEp6QWxCZ05WCkJBb1RIa0oxYm1SbGMyMXBibWx6ZEdWeWFYVnRJR1oxWlhJZ1NXNXVaWEpsY3pFT01Bd0dBMVVFQ3hNRlNWUXRUVk14RmpBVUJnTlYKQkFNVERWQnZjblJoYkZKdmIzUXRRMEV4SmpBa0Jna3Foa2lHOXcwQkNRRVdGMkp0YVMxcGRpMHlMV1V0WTJGQVltMXBMbWQyTG1GMApnZ0VCTUI4R0ExVWRFUVFZTUJhQkZIcGxjblJwWm1scllYUkFZbXRoTG1kMkxtRjBNQ0lHQTFVZEVnUWJNQm1CRjJKdGFTMXBkaTB5CkxXVXRZMkZBWW0xcExtZDJMbUYwTUVVR0ExVWRId1ErTUR3d09xQTRvRGFHTkdoMGRIQTZMeTl3YjNKMFlXd3VZbTFwTG1kMkxtRjAKTDNKbFppOXdhMmt2Y0c5eWRHRnNRMEV2VUc5eWRHRnNWaTVqY213d1R3WUlLd1lCQlFVSEFRRUVRekJCTUQ4R0NDc0dBUVVGQnpBQwpoak5vZEhSd09pOHZjRzl5ZEdGc0xtSnRhUzVuZGk1aGRDOXlaV1l2Y0d0cEwzQnZjblJoYkVOQkwybHVaR1Y0TG1oMGJXd3dEZ1lICktpZ0FDZ0VCQVFRREFRSC9NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUJtRGRkb2NaakNUMmlDOGx4bUNwdGQxTEtMaEUvdVVUTEYKZDVCUUlFMm52bUYrcUdwd09HSXlLUlhvSVJ2R04rZjU2Tm53cCthVTNqdjJONWh1OURoRWlubGYxbmRDTzJiSGlUYTZyS3FyZDY5dApTY0tjUWk5empHd25iOXV2MU5BR05UN0pxVWN5VGh3bTB6bnpGWU9CMXdZQnVyaC9kQWVaYkR4ekpDNnZLdjZZT2gvWWV5MWdDUGZNCkYxRlFnUVQ5QXRDZTFvTVA0dHQ4dXZVUldSYm0za3JEaFNsL3kxSDN0WDVJQlZ2cjl0cko0ekpiYkZNUGdLS0FXaERINEI0aUJaNmwKUzZILzBqWjlUSWsyRFpjbExISjUvNnVuajg4ZnBXcis2dUE4K3F3alNWUjY5RnZHdXJwckZzOVFMMDZCUjBELzRXNXkrNFFSUk9HWQpNYVVCPC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWwycDpTdGF0dXM+PHNhbWwycDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWwycDpTdGF0dXM+PHNhbWwyOkFzc2VydGlvbiBJRD0iXzZmZmIyMzg2NGVlMDQ2MzJiYmNmMjU2ZjlmMTc4ZDA2IiBJc3N1ZUluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNTkzWiIgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+PHNhbWwyOklzc3Vlcj5odHRwczovL3N0cC1hdXRoLWFwcC5lbnR3LnBvcnRhbC5ia2EuZ3YuYXQvc3RkcG9ydGFsLWlkcC9wb3J0YWx2ZXJidW5kLmd2LmF0PC9zYW1sMjpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTUxMiIvPjxkczpSZWZlcmVuY2UgVVJJPSIjXzZmZmIyMzg2NGVlMDQ2MzJiYmNmMjU2ZjlmMTc4ZDA2Ij48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGE1MTIiLz48ZHM6RGlnZXN0VmFsdWU+TWZVYVFUQ3A4N05CejdHanBOcXU5LzJCUm0yNFRac1hFRWQvK0YwTDZHTjZMWlRvWFdoaTQ3b2g3WW8rQ0RySTcxUS9hUXp6NmdqZU5YeC9ManViaXc9PTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5rUXlmclkyb3phODBNOEY4VFh0SXJtVno4SEFuaHJOY0wxblJRSW1IY2d5VjBnMFcxMW9JaVMzM1ZCbDJLeHVZaVdicFg0ZXdzcW9rSTBaZWxGQ0RoU1ZtTFpZUlRzWGV4ellSZ3hhUUdQZnNnMUh6eStYRzVEQUFSRk9pdDh3SGlpeFE1QVIzOFJRendudml0bTJRYkNoVGhzVk5zeHp4RmpEZnh3ejlpNzcvd3VPZTVERlU5Z0hzWUtEVUxrVFVyT1BveGM0RFgyQjYvd0E0cFJ2Z1lhTnFSQVltenFpSWlQQW5DMnZETXdjemQ2M2wzb3NuNHZlb3k3a0pYN0JkZTVUM29MREx5Tno4VXFua1pHY2c3Nkp4WGVweGptdmtnSy8yRk91d3VvUTY4WnI5T25hRE1vNmRqTlFzU2xpL2ZlMGFjVVpHVDVrajRBUU12NDYyc3c9PTwvZHM6U2lnbmF0dXJlVmFsdWU+PGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJRnlUQ0NCTEdnQXdJQkFnSUNBclF3RFFZSktvWklodmNOQVFFTEJRQXdnWmd4Q3pBSkJnTlZCQVlUQWtGVU1RMHdDd1lEVlFRSQpFd1JYYVdWdU1TY3dKUVlEVlFRS0V4NUNkVzVrWlhOdGFXNXBjM1JsY21sMWJTQm1kV1Z5SUVsdWJtVnlaWE14RGpBTUJnTlZCQXNUCkJVbFVMVTFUTVJrd0Z3WURWUVFERXhCUWIzSjBZV3gyWlhKaWRXNWtMVU5CTVNZd0pBWUpLb1pJaHZjTkFRa0JGaGRpYldrdGFYWXQKTWkxbExXTmhRR0p0YVM1bmRpNWhkREFlRncweE5qRXlNakF3T0RNeU1UWmFGdzB4T1RBeE1Ea3dPRE15TVRaYU1JR0hNUXN3Q1FZRApWUVFHRXdKQlZERU5NQXNHQTFVRUNCTUVWMmxsYmpFWk1CY0dBMVVFQ2hNUVFuVnVaR1Z6YTJGdWVteGxjbUZ0ZERFTE1Ba0dBMVVFCkN4TUNTVlF4SERBYUJnTlZCQU1URTNOMGNDMWxiblIzTFdKcllTMWpiR2xsYm5ReEl6QWhCZ2txaGtpRzl3MEJDUUVXRkhwbGNuUnAKWm1scllYUkFZbXRoTG1kMkxtRjBNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTJraXExNk1BY1RNOQpGMk9TOU1kQnR4emoyZ2dKam5lZWM0VG9mK29lcERVZGlOTkdEMWZIMVlFT2pndmJLOG9za1dnem1uYVEzUXJXRGtmaUQzaXV1eksrCnV5ZzcvemxId3JXZWZjSzJwaS9tMmpBc2pNdldkWUNaT2toM2gvd0Q3bmgySlF3Q3hLL3UrWHFudUxacEdCRGVMTGoxK0dZMVAvcXQKS01ZbHNnZnBZM2NYWUovd29aT1luVmErWWI4TVRIc016alBwSldWTDZBREVESExTWVVneHYvMzNIOUhIYVBRc01GakN6NW5GK1ZSRQpDQTBuelZLd1dwU3V1Z1puaTkrN0w1WVRRRHlUM01RS1B5RHFGZmcxRVBLbUFXUXRRTzg5dS9nckRFU1k2V0syUXFXYmJ5RnpiTHhNCjNWMjdKK3o4TzBXd2wzOXJNL0NUN0hyM2R3SURBUUFCbzRJQ0tqQ0NBaVl3Q1FZRFZSMFRCQUl3QURBTEJnTlZIUThFQkFNQ0JlQXcKTEFZSllJWklBWWI0UWdFTkJCOFdIVTl3Wlc1VFUwd2dSMlZ1WlhKaGRHVmtJRU5sY25ScFptbGpZWFJsTUIwR0ExVWREZ1FXQkJSZwpRRGRCc2hPUGlhSzRUbE1Pc2p2WW16TThTRENCMFFZRFZSMGpCSUhKTUlIR2dCU21IdlJlR2tPMGlONml5TDFvWlFQRk1HOW0wNkdCCnFxU0JwekNCcERFTE1Ba0dBMVVFQmhNQ1FWUXhEVEFMQmdOVkJBZ1RCRmRwWlc0eERUQUxCZ05WQkFjVEJGZHBaVzR4SnpBbEJnTlYKQkFvVEhrSjFibVJsYzIxcGJtbHpkR1Z5YVhWdElHWjFaWElnU1c1dVpYSmxjekVPTUF3R0ExVUVDeE1GU1ZRdFRWTXhGakFVQmdOVgpCQU1URFZCdmNuUmhiRkp2YjNRdFEwRXhKakFrQmdrcWhraUc5dzBCQ1FFV0YySnRhUzFwZGkweUxXVXRZMkZBWW0xcExtZDJMbUYwCmdnRUJNQjhHQTFVZEVRUVlNQmFCRkhwbGNuUnBabWxyWVhSQVltdGhMbWQyTG1GME1DSUdBMVVkRWdRYk1CbUJGMkp0YVMxcGRpMHkKTFdVdFkyRkFZbTFwTG1kMkxtRjBNRVVHQTFVZEh3UStNRHd3T3FBNG9EYUdOR2gwZEhBNkx5OXdiM0owWVd3dVltMXBMbWQyTG1GMApMM0psWmk5d2Eya3ZjRzl5ZEdGc1EwRXZVRzl5ZEdGc1ZpNWpjbXd3VHdZSUt3WUJCUVVIQVFFRVF6QkJNRDhHQ0NzR0FRVUZCekFDCmhqTm9kSFJ3T2k4dmNHOXlkR0ZzTG1KdGFTNW5kaTVoZEM5eVpXWXZjR3RwTDNCdmNuUmhiRU5CTDJsdVpHVjRMbWgwYld3d0RnWUgKS2lnQUNnRUJBUVFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQm1EZGRvY1pqQ1QyaUM4bHhtQ3B0ZDFMS0xoRS91VVRMRgpkNUJRSUUybnZtRitxR3B3T0dJeUtSWG9JUnZHTitmNTZObndwK2FVM2p2Mk41aHU5RGhFaW5sZjFuZENPMmJIaVRhNnJLcXJkNjl0ClNjS2NRaTl6akd3bmI5dXYxTkFHTlQ3SnFVY3lUaHdtMHpuekZZT0Ixd1lCdXJoL2RBZVpiRHh6SkM2dkt2NllPaC9ZZXkxZ0NQZk0KRjFGUWdRVDlBdENlMW9NUDR0dDh1dlVSV1JibTNrckRoU2wveTFIM3RYNUlCVnZyOXRySjR6SmJiRk1QZ0tLQVdoREg0QjRpQlo2bApTNkgvMGpaOVRJazJEWmNsTEhKNS82dW5qODhmcFdyKzZ1QTgrcXdqU1ZSNjlGdkd1cnByRnM5UUwwNkJSMEQvNFc1eSs0UVJST0dZCk1hVUI8L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6cGVyc2lzdGVudCIgTmFtZVF1YWxpZmllcj0iaHR0cHM6Ly9zdHAtYXV0aC1hcHAuZW50dy5wb3J0YWwuYmthLmd2LmF0L3N0ZHBvcnRhbC1pZHAvcG9ydGFsdmVyYnVuZC5ndi5hdCIgU1BOYW1lUXVhbGlmaWVyPSJodHRwczovL3NhbWxwcm94eS10ZXN0LnVjb20uZ3YuYXQvc3AiIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj54bnRHMDBlakpBZ0w3KzBtdVRJb3JoYUljeW89PC9zYW1sMjpOYW1lSUQ+PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgQWRkcmVzcz0iMTI5LjI3LjE1Mi4xMjYiIEluUmVzcG9uc2VUbz0iaWQtZjdVSGhJTUE4V2p5cWRQQnciIE5vdE9uT3JBZnRlcj0iMjAxNy0wOS0yMFQxNDo1NDo1Mi42MjNaIiBSZWNpcGllbnQ9Imh0dHBzOi8vc2FtbHByb3h5LXRlc3QudWNvbS5ndi5hdC9TYW1sMi9hY3MvcG9zdCIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q+PHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE3LTA5LTIwVDE0OjQ5OjUyLjU5M1oiIE5vdE9uT3JBZnRlcj0iMjAxNy0wOS0yMFQxNDo1NDo1Mi41OTNaIj48c2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDI6QXVkaWVuY2U+aHR0cHM6Ly9zYW1scHJveHktdGVzdC51Y29tLmd2LmF0L3NwPC9zYW1sMjpBdWRpZW5jZT48L3NhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sMjpDb25kaXRpb25zPjxzYW1sMjpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNDk1WiIgU2Vzc2lvbkluZGV4PSJfYjBhOGUxOTQ5YzQyMjU5NjA0MzAxMDUwNjBkMGQyYTgiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTctMDktMjBUMTU6MTk6NTIuNjAyWiI+PHNhbWwyOlN1YmplY3RMb2NhbGl0eSBBZGRyZXNzPSIxMjkuMjcuMTUyLjEyNiIvPjxzYW1sMjpBdXRobkNvbnRleHQ+PHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPmh0dHA6Ly93d3cucmVmLmd2LmF0L25zL25hbWVzL2FnaXovcHZwL3NlY2NsYXNzLzAtMjwvc2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sMjpBdXRobkNvbnRleHQ+PC9zYW1sMjpBdXRoblN0YXRlbWVudD48c2FtbDI6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJDT1NULUNFTlRFUi1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuNTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+QVQ6QktBOjEwMDk5OTg8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJQQVJUSUNJUEFOVC1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS43MSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5BVDpCOjExMTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IlBSSU5DSVBBTC1OQU1FIiBOYW1lPSJ1cm46b2lkOjEuMi40MC4wLjEwLjIuMS4xLjI2MS4yMCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5Nb2JpbGVBdXRoPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iT1UiIE5hbWU9InVybjpvaWQ6Mi41LjQuMTEiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+RHVtbXktT0U8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJNQUlMIiBOYW1lPSJ1cm46b2lkOjAuOS4yMzQyLjE5MjAwMzAwLjEwMC4xLjMiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+bW9iaWxlLmF1dGguMkBia2EuZ3YuYXQ8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJQVlAtVkVSU0lPTiIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuMTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+Mi4xPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iSU5WT0lDRS1SRUNQVC1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuNDAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+QVQ6QjoxMTE8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJPVS1PS1oiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMTUzIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlPkJLQS1EVU1NWTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IlVTRVJJRCIgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4xIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlPm1vYmlsZS5hdXRoLjJAYmthLmd2LmF0PC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iUk9MRVMiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMjYxLjMwIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlPnVjb21tX1VzZXIoKTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IkdJVkVOLU5BTUUiIE5hbWU9InVybjpvaWQ6Mi41LjQuNDIiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+WndlaTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9Ik9VLUdWLU9VLUlEIiBOYW1lPSJ1cm46b2lkOjEuMi40MC4wLjEwLjIuMS4xLjMiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+QVQ6QktBOjEwMDk5OTg8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJHSUQiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5BVDpCS0E6cGd1bHJyZHBvPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iU0VDQ0xBU1MiIE5hbWU9Imh0dHA6Ly9sZnJ6LmF0L3N0ZHBvcnRhbC9uYW1lcy9wdnAvc2VjQ2xhc3MiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU+Mjwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PC9zYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sMjpBc3NlcnRpb24+PC9zYW1sMnA6UmVzcG9uc2U+"; + String org_req = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWwycDpSZXNwb25zZSBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zYW1scHJveHktdGVzdC51Y29tLmd2LmF0L1NhbWwyL2Fjcy9wb3N0IiBJRD0iXzQ0MDVlMmE5NTBiYWVkODdjYTBjOWNhZWY4ZThhYzBmIiBJblJlc3BvbnNlVG89ImlkLWY3VUhoSU1BOFdqeXFkUEJ3IiBJc3N1ZUluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNTkzWiIgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCI%2BPHNhbWwyOklzc3VlciB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI%2BaHR0cHM6Ly9zdHAtYXV0aC1hcHAuZW50dy5wb3J0YWwuYmthLmd2LmF0L3N0ZHBvcnRhbC1pZHAvcG9ydGFsdmVyYnVuZC5ndi5hdDwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8%2BPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGE1MTIiLz48ZHM6UmVmZXJlbmNlIFVSST0iI180NDA1ZTJhOTUwYmFlZDg3Y2EwYzljYWVmOGU4YWMwZiI%2BPGRzOlRyYW5zZm9ybXM%2BPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8%2BPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhNTEyIi8%2BPGRzOkRpZ2VzdFZhbHVlPng3a2RBVVRJTmlpak9sbmZNRVJnY29tZEFub2MwejIwTEI5NXN3TitIRXdnRTBCUUNaR0ZIZVJKQWVxbmxjRmZabUZNZnUyejE3OGFlRlVaK1VCOGpRPT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU%2BcVFsWFRPdmtON2QzZ1BxaXR0VDRnNUtYNDkrNE45TWMza2NvS1p1RUhTZU1zd2p4dzNkZHpVcGd4bHJnUWc2QTl5cC80dTgxSlM3dVpSSWRESm9iRm81OUE4RWV0Qmh2cXptdElaOUt3ejJad0IyclhENlBFaERxOURnbHpZR0dOd05od2dFZXpPbzBlRTRpNHBETkRQdDkxaC9FOU1qMkxoR0NVM3U2ZEZ0ZHQ2R2FEa000RHVJcVZKeWdHQzdVZDJMeU14Q1NyVC9mRHpQSUN6RENCcDExRTNEaVRYWk55MTBaa1J2RU5tOUZrY0lPVHlRcmlrNXkrV25Ed0UrTDUzZUhNL1l4WkJBa2pGMjRRaEc0YVBxY1FhcFdEdWNSaDdYNkZsU1Y0bUpqNHp5TlMzSmZBeUFaN0J4S2w3anlxWjIzT1VTYm5MTkRIdVNpK2JzZkt3PT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUZ5VENDQkxHZ0F3SUJBZ0lDQXJRd0RRWUpLb1pJaHZjTkFRRUxCUUF3Z1pneEN6QUpCZ05WQkFZVEFrRlVNUTB3Q3dZRFZRUUkKRXdSWGFXVnVNU2N3SlFZRFZRUUtFeDVDZFc1a1pYTnRhVzVwYzNSbGNtbDFiU0JtZFdWeUlFbHVibVZ5WlhNeERqQU1CZ05WQkFzVApCVWxVTFUxVE1Sa3dGd1lEVlFRREV4QlFiM0owWVd4MlpYSmlkVzVrTFVOQk1TWXdKQVlKS29aSWh2Y05BUWtCRmhkaWJXa3RhWFl0Ck1pMWxMV05oUUdKdGFTNW5kaTVoZERBZUZ3MHhOakV5TWpBd09ETXlNVFphRncweE9UQXhNRGt3T0RNeU1UWmFNSUdITVFzd0NRWUQKVlFRR0V3SkJWREVOTUFzR0ExVUVDQk1FVjJsbGJqRVpNQmNHQTFVRUNoTVFRblZ1WkdWemEyRnVlbXhsY21GdGRERUxNQWtHQTFVRQpDeE1DU1ZReEhEQWFCZ05WQkFNVEUzTjBjQzFsYm5SM0xXSnJZUzFqYkdsbGJuUXhJekFoQmdrcWhraUc5dzBCQ1FFV0ZIcGxjblJwClptbHJZWFJBWW10aExtZDJMbUYwTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUEya2lxMTZNQWNUTTkKRjJPUzlNZEJ0eHpqMmdnSmpuZWVjNFRvZitvZXBEVWRpTk5HRDFmSDFZRU9qZ3ZiSzhvc2tXZ3ptbmFRM1FyV0RrZmlEM2l1dXpLKwp1eWc3L3psSHdyV2VmY0sycGkvbTJqQXNqTXZXZFlDWk9raDNoL3dEN25oMkpRd0N4Sy91K1hxbnVMWnBHQkRlTExqMStHWTFQL3F0CktNWWxzZ2ZwWTNjWFlKL3dvWk9ZblZhK1liOE1USHNNempQcEpXVkw2QURFREhMU1lVZ3h2LzMzSDlISGFQUXNNRmpDejVuRitWUkUKQ0EwbnpWS3dXcFN1dWdabmk5KzdMNVlUUUR5VDNNUUtQeURxRmZnMUVQS21BV1F0UU84OXUvZ3JERVNZNldLMlFxV2JieUZ6Ykx4TQozVjI3Sit6OE8wV3dsMzlyTS9DVDdIcjNkd0lEQVFBQm80SUNLakNDQWlZd0NRWURWUjBUQkFJd0FEQUxCZ05WSFE4RUJBTUNCZUF3CkxBWUpZSVpJQVliNFFnRU5CQjhXSFU5d1pXNVRVMHdnUjJWdVpYSmhkR1ZrSUVObGNuUnBabWxqWVhSbE1CMEdBMVVkRGdRV0JCUmcKUURkQnNoT1BpYUs0VGxNT3Nqdlltek04U0RDQjBRWURWUjBqQklISk1JSEdnQlNtSHZSZUdrTzBpTjZpeUwxb1pRUEZNRzltMDZHQgpxcVNCcHpDQnBERUxNQWtHQTFVRUJoTUNRVlF4RFRBTEJnTlZCQWdUQkZkcFpXNHhEVEFMQmdOVkJBY1RCRmRwWlc0eEp6QWxCZ05WCkJBb1RIa0oxYm1SbGMyMXBibWx6ZEdWeWFYVnRJR1oxWlhJZ1NXNXVaWEpsY3pFT01Bd0dBMVVFQ3hNRlNWUXRUVk14RmpBVUJnTlYKQkFNVERWQnZjblJoYkZKdmIzUXRRMEV4SmpBa0Jna3Foa2lHOXcwQkNRRVdGMkp0YVMxcGRpMHlMV1V0WTJGQVltMXBMbWQyTG1GMApnZ0VCTUI4R0ExVWRFUVFZTUJhQkZIcGxjblJwWm1scllYUkFZbXRoTG1kMkxtRjBNQ0lHQTFVZEVnUWJNQm1CRjJKdGFTMXBkaTB5CkxXVXRZMkZBWW0xcExtZDJMbUYwTUVVR0ExVWRId1ErTUR3d09xQTRvRGFHTkdoMGRIQTZMeTl3YjNKMFlXd3VZbTFwTG1kMkxtRjAKTDNKbFppOXdhMmt2Y0c5eWRHRnNRMEV2VUc5eWRHRnNWaTVqY213d1R3WUlLd1lCQlFVSEFRRUVRekJCTUQ4R0NDc0dBUVVGQnpBQwpoak5vZEhSd09pOHZjRzl5ZEdGc0xtSnRhUzVuZGk1aGRDOXlaV1l2Y0d0cEwzQnZjblJoYkVOQkwybHVaR1Y0TG1oMGJXd3dEZ1lICktpZ0FDZ0VCQVFRREFRSC9NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUJtRGRkb2NaakNUMmlDOGx4bUNwdGQxTEtMaEUvdVVUTEYKZDVCUUlFMm52bUYrcUdwd09HSXlLUlhvSVJ2R04rZjU2Tm53cCthVTNqdjJONWh1OURoRWlubGYxbmRDTzJiSGlUYTZyS3FyZDY5dApTY0tjUWk5empHd25iOXV2MU5BR05UN0pxVWN5VGh3bTB6bnpGWU9CMXdZQnVyaC9kQWVaYkR4ekpDNnZLdjZZT2gvWWV5MWdDUGZNCkYxRlFnUVQ5QXRDZTFvTVA0dHQ4dXZVUldSYm0za3JEaFNsL3kxSDN0WDVJQlZ2cjl0cko0ekpiYkZNUGdLS0FXaERINEI0aUJaNmwKUzZILzBqWjlUSWsyRFpjbExISjUvNnVuajg4ZnBXcis2dUE4K3F3alNWUjY5RnZHdXJwckZzOVFMMDZCUjBELzRXNXkrNFFSUk9HWQpNYVVCPC9kczpYNTA5Q2VydGlmaWNhdGU%2BPC9kczpYNTA5RGF0YT48L2RzOktleUluZm8%2BPC9kczpTaWduYXR1cmU%2BPHNhbWwycDpTdGF0dXM%2BPHNhbWwycDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWwycDpTdGF0dXM%2BPHNhbWwyOkFzc2VydGlvbiBJRD0iXzZmZmIyMzg2NGVlMDQ2MzJiYmNmMjU2ZjlmMTc4ZDA2IiBJc3N1ZUluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNTkzWiIgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI%2BPHNhbWwyOklzc3Vlcj5odHRwczovL3N0cC1hdXRoLWFwcC5lbnR3LnBvcnRhbC5ia2EuZ3YuYXQvc3RkcG9ydGFsLWlkcC9wb3J0YWx2ZXJidW5kLmd2LmF0PC9zYW1sMjpJc3N1ZXI%2BPGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI%2BPGRzOlNpZ25lZEluZm8%2BPGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTUxMiIvPjxkczpSZWZlcmVuY2UgVVJJPSIjXzZmZmIyMzg2NGVlMDQ2MzJiYmNmMjU2ZjlmMTc4ZDA2Ij48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8%2BPC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGE1MTIiLz48ZHM6RGlnZXN0VmFsdWU%2BTWZVYVFUQ3A4N05CejdHanBOcXU5LzJCUm0yNFRac1hFRWQvK0YwTDZHTjZMWlRvWFdoaTQ3b2g3WW8rQ0RySTcxUS9hUXp6NmdqZU5YeC9ManViaXc9PTwvZHM6RGlnZXN0VmFsdWU%2BPC9kczpSZWZlcmVuY2U%2BPC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5rUXlmclkyb3phODBNOEY4VFh0SXJtVno4SEFuaHJOY0wxblJRSW1IY2d5VjBnMFcxMW9JaVMzM1ZCbDJLeHVZaVdicFg0ZXdzcW9rSTBaZWxGQ0RoU1ZtTFpZUlRzWGV4ellSZ3hhUUdQZnNnMUh6eStYRzVEQUFSRk9pdDh3SGlpeFE1QVIzOFJRendudml0bTJRYkNoVGhzVk5zeHp4RmpEZnh3ejlpNzcvd3VPZTVERlU5Z0hzWUtEVUxrVFVyT1BveGM0RFgyQjYvd0E0cFJ2Z1lhTnFSQVltenFpSWlQQW5DMnZETXdjemQ2M2wzb3NuNHZlb3k3a0pYN0JkZTVUM29MREx5Tno4VXFua1pHY2c3Nkp4WGVweGptdmtnSy8yRk91d3VvUTY4WnI5T25hRE1vNmRqTlFzU2xpL2ZlMGFjVVpHVDVrajRBUU12NDYyc3c9PTwvZHM6U2lnbmF0dXJlVmFsdWU%2BPGRzOktleUluZm8%2BPGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU%2BTUlJRnlUQ0NCTEdnQXdJQkFnSUNBclF3RFFZSktvWklodmNOQVFFTEJRQXdnWmd4Q3pBSkJnTlZCQVlUQWtGVU1RMHdDd1lEVlFRSQpFd1JYYVdWdU1TY3dKUVlEVlFRS0V4NUNkVzVrWlhOdGFXNXBjM1JsY21sMWJTQm1kV1Z5SUVsdWJtVnlaWE14RGpBTUJnTlZCQXNUCkJVbFVMVTFUTVJrd0Z3WURWUVFERXhCUWIzSjBZV3gyWlhKaWRXNWtMVU5CTVNZd0pBWUpLb1pJaHZjTkFRa0JGaGRpYldrdGFYWXQKTWkxbExXTmhRR0p0YVM1bmRpNWhkREFlRncweE5qRXlNakF3T0RNeU1UWmFGdzB4T1RBeE1Ea3dPRE15TVRaYU1JR0hNUXN3Q1FZRApWUVFHRXdKQlZERU5NQXNHQTFVRUNCTUVWMmxsYmpFWk1CY0dBMVVFQ2hNUVFuVnVaR1Z6YTJGdWVteGxjbUZ0ZERFTE1Ba0dBMVVFCkN4TUNTVlF4SERBYUJnTlZCQU1URTNOMGNDMWxiblIzTFdKcllTMWpiR2xsYm5ReEl6QWhCZ2txaGtpRzl3MEJDUUVXRkhwbGNuUnAKWm1scllYUkFZbXRoTG1kMkxtRjBNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTJraXExNk1BY1RNOQpGMk9TOU1kQnR4emoyZ2dKam5lZWM0VG9mK29lcERVZGlOTkdEMWZIMVlFT2pndmJLOG9za1dnem1uYVEzUXJXRGtmaUQzaXV1eksrCnV5ZzcvemxId3JXZWZjSzJwaS9tMmpBc2pNdldkWUNaT2toM2gvd0Q3bmgySlF3Q3hLL3UrWHFudUxacEdCRGVMTGoxK0dZMVAvcXQKS01ZbHNnZnBZM2NYWUovd29aT1luVmErWWI4TVRIc016alBwSldWTDZBREVESExTWVVneHYvMzNIOUhIYVBRc01GakN6NW5GK1ZSRQpDQTBuelZLd1dwU3V1Z1puaTkrN0w1WVRRRHlUM01RS1B5RHFGZmcxRVBLbUFXUXRRTzg5dS9nckRFU1k2V0syUXFXYmJ5RnpiTHhNCjNWMjdKK3o4TzBXd2wzOXJNL0NUN0hyM2R3SURBUUFCbzRJQ0tqQ0NBaVl3Q1FZRFZSMFRCQUl3QURBTEJnTlZIUThFQkFNQ0JlQXcKTEFZSllJWklBWWI0UWdFTkJCOFdIVTl3Wlc1VFUwd2dSMlZ1WlhKaGRHVmtJRU5sY25ScFptbGpZWFJsTUIwR0ExVWREZ1FXQkJSZwpRRGRCc2hPUGlhSzRUbE1Pc2p2WW16TThTRENCMFFZRFZSMGpCSUhKTUlIR2dCU21IdlJlR2tPMGlONml5TDFvWlFQRk1HOW0wNkdCCnFxU0JwekNCcERFTE1Ba0dBMVVFQmhNQ1FWUXhEVEFMQmdOVkJBZ1RCRmRwWlc0eERUQUxCZ05WQkFjVEJGZHBaVzR4SnpBbEJnTlYKQkFvVEhrSjFibVJsYzIxcGJtbHpkR1Z5YVhWdElHWjFaWElnU1c1dVpYSmxjekVPTUF3R0ExVUVDeE1GU1ZRdFRWTXhGakFVQmdOVgpCQU1URFZCdmNuUmhiRkp2YjNRdFEwRXhKakFrQmdrcWhraUc5dzBCQ1FFV0YySnRhUzFwZGkweUxXVXRZMkZBWW0xcExtZDJMbUYwCmdnRUJNQjhHQTFVZEVRUVlNQmFCRkhwbGNuUnBabWxyWVhSQVltdGhMbWQyTG1GME1DSUdBMVVkRWdRYk1CbUJGMkp0YVMxcGRpMHkKTFdVdFkyRkFZbTFwTG1kMkxtRjBNRVVHQTFVZEh3UStNRHd3T3FBNG9EYUdOR2gwZEhBNkx5OXdiM0owWVd3dVltMXBMbWQyTG1GMApMM0psWmk5d2Eya3ZjRzl5ZEdGc1EwRXZVRzl5ZEdGc1ZpNWpjbXd3VHdZSUt3WUJCUVVIQVFFRVF6QkJNRDhHQ0NzR0FRVUZCekFDCmhqTm9kSFJ3T2k4dmNHOXlkR0ZzTG1KdGFTNW5kaTVoZEM5eVpXWXZjR3RwTDNCdmNuUmhiRU5CTDJsdVpHVjRMbWgwYld3d0RnWUgKS2lnQUNnRUJBUVFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQm1EZGRvY1pqQ1QyaUM4bHhtQ3B0ZDFMS0xoRS91VVRMRgpkNUJRSUUybnZtRitxR3B3T0dJeUtSWG9JUnZHTitmNTZObndwK2FVM2p2Mk41aHU5RGhFaW5sZjFuZENPMmJIaVRhNnJLcXJkNjl0ClNjS2NRaTl6akd3bmI5dXYxTkFHTlQ3SnFVY3lUaHdtMHpuekZZT0Ixd1lCdXJoL2RBZVpiRHh6SkM2dkt2NllPaC9ZZXkxZ0NQZk0KRjFGUWdRVDlBdENlMW9NUDR0dDh1dlVSV1JibTNrckRoU2wveTFIM3RYNUlCVnZyOXRySjR6SmJiRk1QZ0tLQVdoREg0QjRpQlo2bApTNkgvMGpaOVRJazJEWmNsTEhKNS82dW5qODhmcFdyKzZ1QTgrcXdqU1ZSNjlGdkd1cnByRnM5UUwwNkJSMEQvNFc1eSs0UVJST0dZCk1hVUI8L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6cGVyc2lzdGVudCIgTmFtZVF1YWxpZmllcj0iaHR0cHM6Ly9zdHAtYXV0aC1hcHAuZW50dy5wb3J0YWwuYmthLmd2LmF0L3N0ZHBvcnRhbC1pZHAvcG9ydGFsdmVyYnVuZC5ndi5hdCIgU1BOYW1lUXVhbGlmaWVyPSJodHRwczovL3NhbWxwcm94eS10ZXN0LnVjb20uZ3YuYXQvc3AiIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj54bnRHMDBlakpBZ0w3KzBtdVRJb3JoYUljeW89PC9zYW1sMjpOYW1lSUQ%2BPHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgQWRkcmVzcz0iMTI5LjI3LjE1Mi4xMjYiIEluUmVzcG9uc2VUbz0iaWQtZjdVSGhJTUE4V2p5cWRQQnciIE5vdE9uT3JBZnRlcj0iMjAxNy0wOS0yMFQxNDo1NDo1Mi42MjNaIiBSZWNpcGllbnQ9Imh0dHBzOi8vc2FtbHByb3h5LXRlc3QudWNvbS5ndi5hdC9TYW1sMi9hY3MvcG9zdCIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q%2BPHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE3LTA5LTIwVDE0OjQ5OjUyLjU5M1oiIE5vdE9uT3JBZnRlcj0iMjAxNy0wOS0yMFQxNDo1NDo1Mi41OTNaIj48c2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDI6QXVkaWVuY2U%2BaHR0cHM6Ly9zYW1scHJveHktdGVzdC51Y29tLmd2LmF0L3NwPC9zYW1sMjpBdWRpZW5jZT48L3NhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24%2BPC9zYW1sMjpDb25kaXRpb25zPjxzYW1sMjpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTctMDktMjBUMTQ6NDk6NTIuNDk1WiIgU2Vzc2lvbkluZGV4PSJfYjBhOGUxOTQ5YzQyMjU5NjA0MzAxMDUwNjBkMGQyYTgiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTctMDktMjBUMTU6MTk6NTIuNjAyWiI%2BPHNhbWwyOlN1YmplY3RMb2NhbGl0eSBBZGRyZXNzPSIxMjkuMjcuMTUyLjEyNiIvPjxzYW1sMjpBdXRobkNvbnRleHQ%2BPHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPmh0dHA6Ly93d3cucmVmLmd2LmF0L25zL25hbWVzL2FnaXovcHZwL3NlY2NsYXNzLzAtMjwvc2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY%2BPC9zYW1sMjpBdXRobkNvbnRleHQ%2BPC9zYW1sMjpBdXRoblN0YXRlbWVudD48c2FtbDI6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJDT1NULUNFTlRFUi1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuNTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BQVQ6QktBOjEwMDk5OTg8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJQQVJUSUNJUEFOVC1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS43MSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5BVDpCOjExMTwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IlBSSU5DSVBBTC1OQU1FIiBOYW1lPSJ1cm46b2lkOjEuMi40MC4wLjEwLjIuMS4xLjI2MS4yMCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5Nb2JpbGVBdXRoPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iT1UiIE5hbWU9InVybjpvaWQ6Mi41LjQuMTEiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BRHVtbXktT0U8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJNQUlMIiBOYW1lPSJ1cm46b2lkOjAuOS4yMzQyLjE5MjAwMzAwLjEwMC4xLjMiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BbW9iaWxlLmF1dGguMkBia2EuZ3YuYXQ8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJQVlAtVkVSU0lPTiIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuMTAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BMi4xPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iSU5WT0lDRS1SRUNQVC1JRCIgTmFtZT0idXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuNDAiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BQVQ6QjoxMTE8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJPVS1PS1oiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMTUzIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI%2BPHNhbWwyOkF0dHJpYnV0ZVZhbHVlPkJLQS1EVU1NWTwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IlVTRVJJRCIgTmFtZT0idXJuOm9pZDowLjkuMjM0Mi4xOTIwMDMwMC4xMDAuMS4xIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI%2BPHNhbWwyOkF0dHJpYnV0ZVZhbHVlPm1vYmlsZS5hdXRoLjJAYmthLmd2LmF0PC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iUk9MRVMiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMjYxLjMwIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI%2BPHNhbWwyOkF0dHJpYnV0ZVZhbHVlPnVjb21tX1VzZXIoKTwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9IkdJVkVOLU5BTUUiIE5hbWU9InVybjpvaWQ6Mi41LjQuNDIiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BWndlaTwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPHNhbWwyOkF0dHJpYnV0ZSBGcmllbmRseU5hbWU9Ik9VLUdWLU9VLUlEIiBOYW1lPSJ1cm46b2lkOjEuMi40MC4wLjEwLjIuMS4xLjMiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BQVQ6QktBOjEwMDk5OTg8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgRnJpZW5kbHlOYW1lPSJHSUQiIE5hbWU9InVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZT5BVDpCS0E6cGd1bHJyZHBvPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIEZyaWVuZGx5TmFtZT0iU0VDQ0xBU1MiIE5hbWU9Imh0dHA6Ly9sZnJ6LmF0L3N0ZHBvcnRhbC9uYW1lcy9wdnAvc2VjQ2xhc3MiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDI6QXR0cmlidXRlVmFsdWU%2BMjwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPC9zYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ%2BPC9zYW1sMjpBc3NlcnRpb24%2BPC9zYW1sMnA6UmVzcG9uc2U%2B"; + String req = java.net.URLEncoder.encode(org_resp); + + System.out.println(org_resp); + System.out.println(req); + System.out.println(org_req); + /* * Test verifyable random functions with RSA diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java index d3ebffdfd..99d5d9063 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java @@ -38,6 +38,7 @@ import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.URLEncoder; @Service("SAML1_GetArtifactAction") @@ -84,10 +85,12 @@ public class GetArtifactAction implements IAction { String samlArtifactBase64 = saml1server.BuildSAMLArtifact(oaParam, authData, sourceID); + String oaTargetArea = req.getGenericData(SAML1Protocol.REQ_DATA_TARGET, String.class); + if (authData.isSsoSession()) { - String url = req.getAuthURL() + "/RedirectServlet"; + String url = req.getAuthURL() + RedirectServlet.SERVICE_ENDPOINT; url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(oaURL, "UTF-8")); - if (!oaParam.getBusinessService()) + if (MiscUtil.isNotEmpty(oaTargetArea)) url = addURLParameter(url, MOAIDAuthConstants.PARAM_TARGET, URLEncoder.encode(req.getGenericData(SAML1Protocol.REQ_DATA_TARGET, String.class), "UTF-8")); url = addURLParameter(url, MOAIDAuthConstants.PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8")); @@ -99,7 +102,7 @@ public class GetArtifactAction implements IAction { } else { String redirectURL = oaURL; - if (!oaParam.getBusinessService()) { + if (MiscUtil.isNotEmpty(oaTargetArea)) { redirectURL = addURLParameter(redirectURL, MOAIDAuthConstants.PARAM_TARGET, URLEncoder.encode(req.getGenericData(SAML1Protocol.REQ_DATA_TARGET, String.class), "UTF-8")); diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index df8f13544..bf4a55e46 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -48,7 +48,6 @@ import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.builder.PersonDataBuilder; import at.gv.egovernment.moa.id.auth.builder.SAMLArtifactBuilder; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.ParseException; @@ -65,6 +64,7 @@ import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.storage.ITransactionStorage; import at.gv.egovernment.moa.id.util.Random; @@ -239,7 +239,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { //set prPersion boolean provideStammzahl = saml1parameter.isProvideStammzahl() - || oaParam.getBusinessService(); + || oaParam.hasBaseIdTransferRestriction(); String prPerson = ""; String ilAssertion = ""; @@ -268,7 +268,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { id.setValue(value ); if ( MiscUtil.isNotEmpty(authData.getIdentificationValue()) && - saml1parameter.isProvideIdentityLink() && !authData.isBusinessService()) { + saml1parameter.isProvideIdentityLink() && !authData.isBaseIDTransferRestrication()) { //add baseID if it is requested and available and SP is publicService value.setValue(authData.getIdentificationValue()); id.setType(authData.getIdentificationType()); @@ -332,7 +332,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { try { ExtendedSAMLAttribute[] extendedSAMLAttributes = addExtendedSamlAttributes( - authData.getMISMandate(), oaParam.getBusinessService(), + authData.getMISMandate(), oaParam.hasBaseIdTransferRestriction(), saml1parameter.isProvideStammzahl()); if (extendedSAMLAttributes != null) { @@ -406,7 +406,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { ilAssertion, authData.getBkuURL(), signerCertificateBase64, - oaParam.getBusinessService(), + oaParam.hasBaseIdTransferRestriction(), oaAttributes, useCondition, conditionLength); @@ -419,7 +419,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { ilAssertion, authData.getBkuURL(), signerCertificateBase64, - oaParam.getBusinessService(), + oaParam.hasBaseIdTransferRestriction(), authData.getExtendedSAMLAttributesOA(), useCondition, conditionLength); @@ -486,27 +486,20 @@ public class SAML1AuthenticationServer extends AuthenticationServer { prPerson = ParepUtils.extractPrPersonOfMandate(mandate); if (physical - && oaParam.getBusinessService() + && oaParam.hasBaseIdTransferRestriction() && identificationType != null && Constants.URN_PREFIX_BASEID .equals(identificationType)) { // now we calculate the wbPK and do so if we got it from the // BKU - - //load IdentityLinkDomainType from OAParam - String type = oaParam.getIdentityLinkDomainIdentifier(); - if (type.startsWith(Constants.URN_PREFIX_WBPK + "+")) - identificationType = type; - else - identificationType = Constants.URN_PREFIX_WBPK + "+" - + type; - - - identificationValue = new BPKBuilder().buildWBPK( - identificationValue, identificationType); - ParepUtils - .HideStammZahlen(prPerson, true, null, null, true); + //load IdentityLinkDomainType from OAParam + Pair<String, String> targedId = new BPKBuilder().generateAreaSpecificPersonIdentifier( + identificationValue, oaParam.getAreaSpecificTargetIdentifier()); + identificationValue = targedId.getFirst(); + identificationType = targedId.getSecond(); + + ParepUtils.HideStammZahlen(prPerson, true, null, true); } } @@ -520,18 +513,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { try { boolean provideStammzahl = oaParam.getSAML1Parameter().isProvideStammzahl(); - String oatargetType; - if(oaParam.getBusinessService()) { - if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) - oatargetType = oaParam.getIdentityLinkDomainIdentifier(); - else - oatargetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_+oaParam.getIdentityLinkDomainIdentifier(); - - } else { - oatargetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget(); - - } - + String oatargetType = oaParam.getAreaSpecificTargetIdentifier(); Element prIdentification = (Element) prPerson. getElementsByTagNameNS(Constants.PD_NS_URI,"Identification").item(0); @@ -544,7 +526,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { String baseid = getBaseId(prPerson); Element identificationBpK; if (MiscUtil.isNotEmpty(baseid)) { - identificationBpK = createIdentificationBPK(prPerson, baseid, oaParam.getTarget()); + identificationBpK = createIdentificationBPK(prPerson, baseid, oatargetType); if (!provideStammzahl) { prIdentification.getFirstChild().setTextContent(""); diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index 37d66d29b..19fadb318 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java @@ -40,6 +40,7 @@ import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters; @@ -118,7 +119,7 @@ public class SAML1Protocol extends AbstractAuthProtocolModulController { //preProcess SAML1 Request preProcess(req, resp, pendingReq); - + performAuthentication(req, resp, pendingReq); return; @@ -190,14 +191,19 @@ public class SAML1Protocol extends AbstractAuthProtocolModulController { if (MiscUtil.isNotEmpty(target)) { pendingRequest.setGenericDataToSession(REQ_DATA_TARGET, target); - pendingRequest.setTarget(target); + pendingRequest.setTarget(MOAIDAuthConstants.PREFIX_CDID + target); + + } else { + String targetArea = oaParam.getAreaSpecificTargetIdentifier(); + pendingRequest.setTarget(targetArea); + + if (targetArea.startsWith(MOAIDAuthConstants.PREFIX_CDID)) + pendingRequest.setGenericDataToSession(REQ_DATA_TARGET, + targetArea.substring(MOAIDAuthConstants.PREFIX_CDID.length())); - } - else { - pendingRequest.setGenericDataToSession(REQ_DATA_TARGET, oaParam.getTarget()); - pendingRequest.setTarget(oaParam.getTarget()); } + //AuthnRequest needs authentication pendingRequest.setNeedAuthentication(true); diff --git a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringController.java b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringController.java index b232b9512..fdc1c9cc1 100644 --- a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringController.java +++ b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringController.java @@ -30,6 +30,7 @@ import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang.StringEscapeUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; @@ -58,11 +59,9 @@ public class MonitoringController { throws ServletException, IOException{ if (authConfig.isMonitoringActive()) { - Logger.debug("Monitoring Servlet received request"); - - + Logger.debug("Monitoring Servlet received request"); + String modulename = StringEscapeUtils.escapeHtml(req.getParameter(REQUEST_ATTR_MODULE)); - String modulename = req.getParameter(REQUEST_ATTR_MODULE); if (MiscUtil.isEmpty(modulename)) { List<String> error = tests.executeTests(); diff --git a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java index 6372fefa8..a56be1f46 100644 --- a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java +++ b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java @@ -78,7 +78,8 @@ public class IdentityLinkTestModule implements TestModuleInterface { domVerifyXMLSignatureResponse).parseData(); DynamicOAAuthParameters oaParam = new DynamicOAAuthParameters(); - oaParam.setBusinessService(true); + oaParam.setHasBaseIdProcessingRestriction(true); + oaParam.setHasBaseIdTransfergRestriction(true); VerifyXMLSignatureResponseValidator.getInstance().validate( verifyXMLSignatureResponse, |