diff options
Diffstat (limited to 'id/server/modules')
104 files changed, 3877 insertions, 184 deletions
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/pom.xml b/id/server/modules/moa-id-modul-citizencard_authentication/pom.xml index e5b38f9b6..6596312f3 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/pom.xml +++ b/id/server/modules/moa-id-modul-citizencard_authentication/pom.xml @@ -3,7 +3,7 @@ <parent> <groupId>MOA.id.server.modules</groupId> <artifactId>moa-id-modules</artifactId> - <version>${moa-id-version}</version> + <version>4.1.0</version> </parent> <artifactId>moa-id-modul-citizencard_authentication</artifactId> diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index b1c303267..348c204bf 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -968,7 +968,7 @@ public class AuthenticationServer extends BaseAuthenticationServer { else new CreateXMLSignatureResponseValidator().validate(csresp, session, pendingReq, - authConfig.getBasicMOAIDConfigurationBoolean( + authConfig.getBasicConfigurationBoolean( ConfigurationProviderImpl.VALIDATION_AUTHBLOCK_TARGETFRIENDLYNAME, true)); // builds a <VerifyXMLSignatureRequest> for a MOA-SPSS call diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java index 1962d6c82..82fb42c32 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java @@ -3,6 +3,7 @@ package at.gv.egovernment.moa.id.auth.modules.internal; import org.apache.commons.lang3.StringUtils; +import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; @@ -18,7 +19,7 @@ public class DefaultCitizenCardAuthModuleImpl implements AuthModule { } @Override - public String selectProcess(ExecutionContext context) { + public String selectProcess(ExecutionContext context, IRequest pendingReq) { //select process if BKU is selected and it is no STORK authentication boolean performBKUSelection = false; diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java index 9b9b76ffc..4102a15b0 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java @@ -99,6 +99,9 @@ public class VerifyAuthenticationBlockTask extends AbstractAuthServletTask { //verify authBlock authServer.verifyAuthenticationBlock(pendingReq, moasession, createXMLSignatureResponse); + //set NeedConsent to false, because user gives consont during authentication + pendingReq.setNeedUserConsent(false); + //store pending request with new MOASession data information requestStoreage.storePendingRequest(pendingReq); diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/servlet/CitizenCardAuthProcessEngineSignalController.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/servlet/CitizenCardAuthProcessEngineSignalController.java index 582af517c..b63501a6f 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/servlet/CitizenCardAuthProcessEngineSignalController.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/servlet/CitizenCardAuthProcessEngineSignalController.java @@ -31,6 +31,7 @@ import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController; /** @@ -47,7 +48,7 @@ public class CitizenCardAuthProcessEngineSignalController extends AbstractProces "/VerifyIdentityLink" }, method = {RequestMethod.POST, RequestMethod.GET}) - public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException { signalProcessManagement(req, resp); } diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java index fe0e659c7..596b28576 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java @@ -305,7 +305,7 @@ public class MISSimpleClient { try { httpclient = HttpClientWithProxySupport.getHttpClient( sSLSocketFactory, - authConfig.getBasicMOAIDConfigurationBoolean(AuthConfiguration.PROP_KEY_OVS_SSL_HOSTNAME_VALIDATION, true)); + authConfig.getBasicConfigurationBoolean(AuthConfiguration.PROP_KEY_OVS_SSL_HOSTNAME_VALIDATION, true)); // set http POST Request HttpPost post = new HttpPost(webServiceURL); diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/pom.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/pom.xml index c340f90c9..2ba496dd7 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/pom.xml +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/pom.xml @@ -5,7 +5,7 @@ <parent> <groupId>MOA.id.server.modules</groupId> <artifactId>moa-id-modules</artifactId> - <version>${moa-id-version}</version> + <version>4.1.0</version> </parent> <artifactId>moa-id-module-AT_eIDAS_connector</artifactId> <name>moa-id-module-AT_eIDAS_connector</name> @@ -43,7 +43,10 @@ <groupId>MOA.id.server</groupId> <artifactId>moa-id-lib</artifactId> </dependency> - + <dependency> + <groupId>at.gv.egiz.components</groupId> + <artifactId>egiz-spring-api</artifactId> + </dependency> <dependency> <groupId>org.springframework</groupId> @@ -55,5 +58,23 @@ <artifactId>junit</artifactId> <scope>test</scope> </dependency> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf_core_utils</artifactId> + <scope>test</scope> + <type>test-jar</type> + </dependency> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf-core</artifactId> + <scope>test</scope> + <type>test-jar</type> + </dependency> + <dependency> + <groupId>org.hamcrest</groupId> + <artifactId>hamcrest-library</artifactId> + <version>1.3</version> + <scope>test</scope> + </dependency> </dependencies> </project> diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java index 19950a078..96c78abb4 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java @@ -27,6 +27,7 @@ import java.util.Collections; import java.util.List; import at.gv.egiz.eaaf.core.api.data.EAAFConstants; +import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.core.impl.data.Trible; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; @@ -60,6 +61,8 @@ public class EidasCentralAuthConstants { public static final String CONFIG_PROPS_NODE_METADATAURL = CONFIG_PROPS_PREFIX + "node.metadataUrl"; public static final String CONFIG_PROPS_NODE_TRUSTPROFILEID = CONFIG_PROPS_PREFIX + "node.trustprofileID"; + public static final String CONFIG_PROPS_SEMPER_MANDATES_ACTIVE = CONFIG_PROPS_PREFIX + "semper.mandates.active"; + public static final String CONFIG_PROPS_SEMPER_MANDATES_MS_PROXY_LIST = CONFIG_PROPS_PREFIX + "semper.msproxy.list"; public static final String CONFIG_DEFAULT_LOA_EIDAS_LEVEL = EAAFConstants.EIDAS_LOA_HIGH; public static final List<Trible<String, String, Boolean>> DEFAULT_REQUIRED_PVP_ATTRIBUTES = @@ -81,6 +84,22 @@ public class EidasCentralAuthConstants { } }); + public static final List<Pair<String, Boolean>> DEFAULT_SEMPER_MANDATE_PVP_ATTRIBUTES = + Collections.unmodifiableList(new ArrayList<Pair<String, Boolean>>() { + private static final long serialVersionUID = 1L; + { + //request entity information + add(Pair.newInstance(PVPConstants.MANDATE_TYPE_NAME, false)); + add(Pair.newInstance(PVPConstants.MANDATE_TYPE_OID_NAME, false)); + + add(Pair.newInstance(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME, false)); + add(Pair.newInstance(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, false)); + add(Pair.newInstance(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME, false)); + + + } + }); + public static final List<String> DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES = Collections.unmodifiableList(new ArrayList<String>() { private static final long serialVersionUID = 1L; diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthModuleImpl.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthModuleImpl.java index 821a200c7..53b3f3e1a 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthModuleImpl.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthModuleImpl.java @@ -29,6 +29,7 @@ import javax.annotation.PostConstruct; import org.apache.commons.lang3.StringUtils; import org.springframework.beans.factory.annotation.Autowired; +import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egovernment.moa.id.moduls.AuthenticationManager; @@ -64,7 +65,7 @@ public class EidasCentralAuthModuleImpl implements AuthModule { * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#selectProcess(at.gv.egovernment.moa.id.process.api.ExecutionContext) */ @Override - public String selectProcess(ExecutionContext context) { + public String selectProcess(ExecutionContext context, IRequest pendingReq) { Serializable paramObj = context.get(EidasCentralAuthConstants.HTTP_PARAM_CENTRAL_EIDAS_AUTH_SELECTION); if (paramObj != null ) { if (paramObj instanceof String) { diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java index aad1244f1..2bb384c74 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java @@ -334,7 +334,7 @@ public class EidasCentralAuthMetadataConfiguration implements IPVPMetadataBuilde * @param additionalAttr List of PVP attribute name and isRequired flag */ public void setAdditionalRequiredAttributes(List<Pair<String, Boolean>> additionalAttr) { - if (additionalAttr != null) { + if (additionalAttr != null && !additionalAttr.isEmpty()) { additionalAttributes = new ArrayList<RequestedAttribute>(); for (Pair<String, Boolean> el : additionalAttr) { Attribute attributBuilder = PVPAttributeBuilder.buildEmptyAttribute(el.getFirst()); diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java index 4898c8f1e..a0c1fa30b 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java @@ -37,6 +37,7 @@ import org.springframework.web.bind.annotation.RequestMethod; import com.google.common.net.MediaType; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController; import at.gv.egiz.eaaf.core.impl.utils.HTTPUtils; @@ -72,7 +73,7 @@ public class EidasCentralAuthMetadataController extends AbstractController { @RequestMapping(value = EidasCentralAuthConstants.ENDPOINT_METADATA, method = {RequestMethod.GET}) - public void getSPMetadata(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void getSPMetadata(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException { //check PublicURL prefix try { String authURL = HTTPUtils.extractAuthURLFromRequest(req); @@ -101,16 +102,24 @@ public class EidasCentralAuthMetadataController extends AbstractController { } catch (Exception e) { Logger.warn("Build federated-authentication PVP metadata FAILED.", e); - handleErrorNoRedirect(e, req, resp, false); + protAuthService.handleErrorNoRedirect(e, req, resp, false); } } private List<Pair<String, Boolean>> getAdditonalRequiredAttributes() { - Map<String, String> addReqAttributes = authConfig.getBasicMOAIDConfigurationWithPrefix(EidasCentralAuthConstants.CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST); - if (addReqAttributes != null) { - List<Pair<String, Boolean>> result = new ArrayList<Pair<String, Boolean>>(); + List<Pair<String, Boolean>> result = new ArrayList<Pair<String, Boolean>>(); + + //load SEMPER attributes if required + if (authConfig.getBasicConfigurationBoolean(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_ACTIVE, false)) { + result.addAll(EidasCentralAuthConstants.DEFAULT_SEMPER_MANDATE_PVP_ATTRIBUTES); + + } + + //load attributes from configuration + Map<String, String> addReqAttributes = authConfig.getBasicConfigurationWithPrefix(EidasCentralAuthConstants.CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST); + if (addReqAttributes != null) { for (String el : addReqAttributes.values()) { if (MiscUtil.isNotEmpty(el)) { Logger.trace("Parse additional attr. definition: " + el); @@ -122,12 +131,12 @@ public class EidasCentralAuthMetadataController extends AbstractController { Logger.info("IGNORE additional attr. definition: " + el + " Reason: Format not valid"); } - } - - return result; + } } - return null; + return result; + + } } diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthSignalController.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthSignalController.java index 1486ef841..60a98213e 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthSignalController.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthSignalController.java @@ -32,6 +32,7 @@ import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController; import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants; import at.gv.egovernment.moa.logging.Logger; @@ -55,7 +56,7 @@ public class EidasCentralAuthSignalController extends AbstractProcessEngineSigna EidasCentralAuthConstants.ENDPOINT_REDIRECT }, method = {RequestMethod.POST, RequestMethod.GET}) - public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException { signalProcessManagement(req, resp); } diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/AuthnRequestSemperProcessor.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/AuthnRequestSemperProcessor.java new file mode 100644 index 000000000..222ba812c --- /dev/null +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/AuthnRequestSemperProcessor.java @@ -0,0 +1,151 @@ +package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.semper; + +import java.util.List; +import java.util.Map; + +import javax.servlet.http.HttpServletRequest; + +import org.apache.commons.lang3.StringUtils; +import org.opensaml.saml2.core.AuthnRequest; +import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.xml.XMLObject; +import org.springframework.beans.factory.annotation.Autowired; + +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.data.EAAFConstants; +import at.gv.egiz.eaaf.core.api.data.ExtendedPVPAttributeDefinitions; +import at.gv.egiz.eaaf.core.api.data.PVPAttributeDefinitions; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException; +import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttributes; +import at.gv.egiz.eaaf.modules.pvp2.api.validation.IAuthnRequestPostProcessor; +import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants; +import at.gv.egovernment.moa.id.commons.MOAIDConstants; +import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; +import at.gv.egovernment.moa.logging.Logger; + +public class AuthnRequestSemperProcessor implements IAuthnRequestPostProcessor { + + @Autowired IConfiguration authConfig; + + @Override + public void process(HttpServletRequest httpReq, IRequest pendingReq, AuthnRequest authReq, + SPSSODescriptor spSsoDescriptor) throws AuthnRequestValidatorException { + if (authConfig.getBasicConfigurationBoolean( + EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_ACTIVE, false) + && isSpAllowed(authReq)) { + + Logger.debug("SEMPER mode detected. Starting SP-Info extraction from requested attributes ..."); + extractRequestedAttributeInformation(authReq, pendingReq); + + } else { + Logger.trace("Skip: " + AuthnRequestSemperProcessor.class.getSimpleName() + " because is's not active or not allowed"); + + } + + } + + private boolean isSpAllowed(AuthnRequest authReq) { + String csvOfAllowedProxies = authConfig.getBasicConfiguration(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_MS_PROXY_LIST); + List<String> allowedProxies = KeyValueUtils.getListOfCSVValues(csvOfAllowedProxies); + Logger.trace("Validate SP-EntityId: " + authReq.getIssuer().getValue() + + " with allowed MS-Proxies: [" + StringUtils.join(allowedProxies, ", ") + "]"); + return allowedProxies.contains(authReq.getIssuer().getValue()); + + } + + + private void extractRequestedAttributeInformation(AuthnRequest authnReq, IRequest pendingReq) throws AuthnRequestValidatorException { + // validate and process requested attributes + boolean hasValidBpkTarget = false; + if (authnReq.getExtensions() != null) { + final List<XMLObject> requestedAttributes = authnReq.getExtensions().getUnknownXMLObjects(); + for (final XMLObject reqAttrObj : requestedAttributes) { + if (reqAttrObj instanceof EAAFRequestedAttributes) { + final EAAFRequestedAttributes reqAttr = (EAAFRequestedAttributes) reqAttrObj; + if (reqAttr.getAttributes() != null && reqAttr.getAttributes().size() != 0) { + for (final EAAFRequestedAttribute el : reqAttr.getAttributes()) { + Logger.trace("Processing req. attribute '" + el.getName() + "' ... "); + if (el.getName().equals(PVPAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME)) { + hasValidBpkTarget = extractBpkTarget(el, pendingReq); + + } else if (el.getName().equals(ExtendedPVPAttributeDefinitions.SP_USESMANDATES_NAME )) { + extractMandateProfiles(el, pendingReq); + + } else { + Logger.debug("Ignore req. attribute: " + el.getName()); + } + + } + + } else { + Logger.debug("No requested Attributes in Authn. Request"); + } + + } else { + Logger.info("Ignore unknown requested attribute: " + reqAttrObj.getElementQName().toString()); + } + + } + } + + if (!hasValidBpkTarget) { + Logger.info("Authn.Req validation FAILED. Reason: Contains NO or NO VALID target-sector information."); + throw new AuthnRequestValidatorException("pvp2.22", new Object[] { + "NO or NO VALID target-sector information" }); + + } + + } + + private void extractMandateProfiles(EAAFRequestedAttribute el, IRequest pendingReq) { + if (el.getAttributeValues() != null && el.getAttributeValues().size() == 1) { + final String profiles = el.getAttributeValues().get(0).getDOM().getTextContent(); + Map<String, String> configProps = pendingReq.getServiceProviderConfiguration().getFullConfiguration(); + Logger.debug("Set MandateProfiles to: " + profiles); + configProps.put( + MOAIDConfigurationConstants.SERVICE_AUTH_MANDATES_OVS_USE, + String.valueOf(true)); + configProps.put( + MOAIDConfigurationConstants.SERVICE_AUTH_MANDATES_OVS_PROFILES, + profiles); + + } else { + Logger.info("Req. attribute '" + el.getName() + + "' contains NO or MORE THEN ONE attribute-values. Ignore full req. attribute"); + } + + } + + + private boolean extractBpkTarget(final EAAFRequestedAttribute el, IRequest pendingReq) { + if (el.getAttributeValues() != null && el.getAttributeValues().size() == 1) { + final String sectorId = el.getAttributeValues().get(0).getDOM().getTextContent(); + Map<String, String> configProps = pendingReq.getServiceProviderConfiguration().getFullConfiguration(); + if (sectorId.startsWith(EAAFConstants.URN_PREFIX_EIDAS)) { + Logger.debug("Set eIDAS target to: " + sectorId); + configProps.put( + MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE, + MOAIDConstants.IDENIFICATIONTYPE_EIDAS); + configProps.put(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_VALUE, + sectorId.substring(EAAFConstants.URN_PREFIX_EIDAS.length())); + return true; + + } else { + Logger.info("Requested sector: " + sectorId + " DOES NOT match to allowed sectors for SP: " + + pendingReq.getServiceProviderConfiguration().getUniqueIdentifier()); + + } + + } else { + Logger.info("Req. attribute '" + el.getName() + + "' contains NO or MORE THEN ONE attribute-values. Ignore full req. attribute"); + } + + return false; + + } + +} diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java index f3eaff11a..eeef68c3e 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java @@ -23,6 +23,7 @@ package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.tasks; import java.io.IOException; +import java.util.Arrays; import java.util.Set; import javax.servlet.http.HttpServletRequest; @@ -64,6 +65,7 @@ import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentral import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.Utils; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -148,6 +150,9 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { getAuthDataFromInterfederation(extractor, pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class)); + //set NeedConsent to false, because user gives consont during authentication + pendingReq.setNeedUserConsent(false); + //store pending-request requestStoreage.storePendingRequest(pendingReq); @@ -194,7 +199,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING}); } - + //copy attributes into MOASession AuthenticationSessionWrapper session = pendingReq.getSessionData(AuthenticationSessionWrapper.class); Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames(); @@ -207,12 +212,32 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { //set foreigner flag session.setForeigner(true); + + //set CCE URL if (extractor.getFullAssertion().getIssuer() != null && StringUtils.isNotEmpty(extractor.getFullAssertion().getIssuer().getValue())) session.setBkuURL(extractor.getFullAssertion().getIssuer().getValue()); else session.setBkuURL("eIDAS_Authentication"); + if (authConfig.getBasicConfigurationBoolean(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_ACTIVE, false)) { + if (extractor.containsAttribute(PVPConstants.MANDATE_TYPE_NAME)) { + Logger.trace("Check attributes in SEMPER eIDAS mode."); + if (!extractor.containsAllRequiredAttributes(Arrays.asList( + PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME, + PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, + PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME))) { + Logger.warn("PVP Response from 'ms-specific eIDAS node' contains not all required attributes for eIDAS SEMPER process."); + throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING}); + + } + + Logger.info("SEMPER mode is active and mandates are found. Activing mandates for eIDAS login ... "); + session.setUseMandates(true); + + } + } + } catch (AssertionValidationExeption e) { throw new BuildException("builder.06", null, e); diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java index cd3f1f788..5c3bf0d27 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java @@ -44,7 +44,7 @@ import org.opensaml.xml.parse.BasicParserPool; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; -import at.gv.egiz.eaaf.core.api.IDestroyableObject; +import at.gv.egiz.components.spring.api.IDestroyableObject; import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.MetadataFilterChain; import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.SimpleMetadataProvider; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SchemaValidationFilter; @@ -323,14 +323,14 @@ public class EidasCentralAuthMetadataProvider extends SimpleMetadataProvider //FIX: change hostname validation default flag to true when httpClient is updated to > 4.4 MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( PVPConstants.SSLSOCKETFACTORYNAME, - moaAuthConfig.getBasicMOAIDConfigurationBoolean( + moaAuthConfig.getBasicConfigurationBoolean( AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false), moaAuthConfig.getTrustedCACertificates(), null, AuthConfiguration.DEFAULT_X509_CHAININGMODE, moaAuthConfig.isTrustmanagerrevoationchecking(), moaAuthConfig.getRevocationMethodOrder(), - moaAuthConfig.getBasicMOAIDConfigurationBoolean( + moaAuthConfig.getBasicConfigurationBoolean( AuthConfiguration.PROP_KEY_SSL_HOSTNAME_VALIDATION, false)); httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory); diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/META-INF/services/at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/META-INF/services/at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule new file mode 100644 index 000000000..b0bb67f32 --- /dev/null +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/META-INF/services/at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule @@ -0,0 +1 @@ +at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthModuleImpl
\ No newline at end of file diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/moaid_eIDAS_central_node_auth.beans.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/moaid_eIDAS_central_node_auth.beans.xml index f57d4a94b..baf7e84b5 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/moaid_eIDAS_central_node_auth.beans.xml +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/moaid_eIDAS_central_node_auth.beans.xml @@ -31,6 +31,10 @@ <bean id="pvpAuthnRequestBuilder" class="at.gv.egiz.eaaf.modules.pvp2.sp.impl.PVPAuthnRequestBuilder" /> + <bean id="semperAuthnRequestPostProcessor" + class="at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.semper.AuthnRequestSemperProcessor" /> + + <!-- Federated Authentication Process Tasks --> <bean id="CreateEidasCentrialAuthnRequestTask" class="at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.tasks.CreateAuthnRequestTask" diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/AuthnRequestSemperProcessorTest.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/AuthnRequestSemperProcessorTest.java new file mode 100644 index 000000000..9b0ebf88c --- /dev/null +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/AuthnRequestSemperProcessorTest.java @@ -0,0 +1,348 @@ +package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.semper; + +import static org.hamcrest.collection.IsIterableContainingInOrder.contains; +import static org.junit.Assert.assertThat; + +import java.io.IOException; +import java.util.HashMap; +import java.util.Map; + +import javax.xml.parsers.ParserConfigurationException; + +import org.apache.commons.lang3.RandomStringUtils; +import org.junit.Assert; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.opensaml.saml2.core.AuthnRequest; +import org.opensaml.xml.ConfigurationException; +import org.opensaml.xml.io.Unmarshaller; +import org.opensaml.xml.io.UnmarshallerFactory; +import org.opensaml.xml.io.UnmarshallingException; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.mock.web.MockHttpServletResponse; +import org.springframework.test.annotation.DirtiesContext; +import org.springframework.test.annotation.DirtiesContext.ClassMode; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.web.context.request.RequestContextHolder; +import org.springframework.web.context.request.ServletRequestAttributes; +import org.w3c.dom.Element; +import org.xml.sax.SAXException; + +import at.gv.egiz.eaaf.core.api.data.EAAFConfigConstants; +import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; +import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException; +import at.gv.egiz.eaaf.core.impl.idp.conf.SPConfigurationImpl; +import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl; +import at.gv.egiz.eaaf.core.impl.utils.DOMUtils; +import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EAAFDefaultSAML2Bootstrap; +import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameterDecorator; + +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration({ + "/SpringTest-context_basic_test.xml" }) +@DirtiesContext(classMode = ClassMode.BEFORE_CLASS) +public class AuthnRequestSemperProcessorTest { + + @Autowired DummyAuthConfigMap configMap; + @Autowired AuthnRequestSemperProcessor processor; + + private MockHttpServletRequest httpReq; + private MockHttpServletResponse httpResp; + private TestRequestImpl pendingReq; + + /** + * jUnit class initializer. + * @throws ConfigurationException In case of an OpenSAML error + * + */ + @BeforeClass + public static void classInitializer() throws ConfigurationException { + EAAFDefaultSAML2Bootstrap.bootstrap(); + + } + + /** + * jUnit test set-up. + * + */ + @Before + public void initialize() { + configMap.putConfigValue(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_ACTIVE, "true"); + configMap.putConfigValue(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_MS_PROXY_LIST, + RandomStringUtils.randomAlphabetic(15) + ",https://demo.egiz.gv.at/ms_connector/sp/metadata"); + + httpReq = new MockHttpServletRequest("POST", "https://localhost/ms_connector"); + httpResp = new MockHttpServletResponse(); + RequestContextHolder.resetRequestAttributes(); + RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpReq, httpResp)); + + Map<String, String> spConfig = new HashMap<>(); + spConfig.put(EAAFConfigConstants.SERVICE_UNIQUEIDENTIFIER, + "https://demo.egiz.gv.at/ms_connector/sp/metadata"); + + pendingReq = new TestRequestImpl(); + pendingReq.setAuthURL("https://localhost/ms_connector"); + pendingReq.setPendingReqId(RandomStringUtils.randomAlphanumeric(10)); + pendingReq.setSpConfig(new OAAuthParameterDecorator(new SPConfigurationImpl(spConfig, configMap))); + + } + + @Test + public void semperModeNotSet() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException, AuthnRequestValidatorException { + configMap.removeConfigValue(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_ACTIVE); + + AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_1.xml"); + + processor.process(httpReq, pendingReq, authReq , null); + + ISPConfiguration spConfig = pendingReq.getServiceProviderConfiguration(); + Assert.assertNotNull("SP config is null", spConfig); + org.springframework.util.Assert.isInstanceOf(OAAuthParameterDecorator.class, + spConfig, "SP config is NOT of type MOA-ID SP Config"); + + Assert.assertNull("SP target is null", spConfig.getAreaSpecificTargetIdentifier()); + Assert.assertFalse("UseMandates flag", ((OAAuthParameterDecorator)spConfig).isShowMandateCheckBox()); + Assert.assertNull("Mandate profiles", ((OAAuthParameterDecorator)spConfig).getMandateProfiles()); + + } + + @Test + public void semperModeInactive() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException, AuthnRequestValidatorException { + configMap.putConfigValue(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_ACTIVE, "false"); + + AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_1.xml"); + + processor.process(httpReq, pendingReq, authReq , null); + + ISPConfiguration spConfig = pendingReq.getServiceProviderConfiguration(); + Assert.assertNotNull("SP config is null", spConfig); + org.springframework.util.Assert.isInstanceOf(OAAuthParameterDecorator.class, + spConfig, "SP config is NOT of type MOA-ID SP Config"); + + Assert.assertNull("SP target is null", spConfig.getAreaSpecificTargetIdentifier()); + Assert.assertFalse("UseMandates flag", ((OAAuthParameterDecorator)spConfig).isShowMandateCheckBox()); + Assert.assertNull("Mandate profiles", ((OAAuthParameterDecorator)spConfig).getMandateProfiles()); + + } + + @Test + public void allowedSPsNotSet() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException, AuthnRequestValidatorException { + configMap.removeConfigValue(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_MS_PROXY_LIST); + + AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_1.xml"); + + processor.process(httpReq, pendingReq, authReq , null); + + ISPConfiguration spConfig = pendingReq.getServiceProviderConfiguration(); + Assert.assertNotNull("SP config is null", spConfig); + org.springframework.util.Assert.isInstanceOf(OAAuthParameterDecorator.class, + spConfig, "SP config is NOT of type MOA-ID SP Config"); + + Assert.assertNull("SP target is null", spConfig.getAreaSpecificTargetIdentifier()); + Assert.assertFalse("UseMandates flag", ((OAAuthParameterDecorator)spConfig).isShowMandateCheckBox()); + Assert.assertNull("Mandate profiles", ((OAAuthParameterDecorator)spConfig).getMandateProfiles()); + + } + + @Test + public void nonValidSpEntityId() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException, AuthnRequestValidatorException { + + + pendingReq.getServiceProviderConfiguration().getFullConfiguration().put( + EAAFConfigConstants.SERVICE_UNIQUEIDENTIFIER, + "https://apps.egiz.gv.at/ms_connector/sp/metadata"); + AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_2.xml"); + + processor.process(httpReq, pendingReq, authReq , null); + + ISPConfiguration spConfig = pendingReq.getServiceProviderConfiguration(); + Assert.assertNotNull("SP config is null", spConfig); + org.springframework.util.Assert.isInstanceOf(OAAuthParameterDecorator.class, + spConfig, "SP config is NOT of type MOA-ID SP Config"); + + Assert.assertNull("SP target is null", spConfig.getAreaSpecificTargetIdentifier()); + Assert.assertFalse("UseMandates flag", ((OAAuthParameterDecorator)spConfig).isShowMandateCheckBox()); + Assert.assertNull("Mandate profiles", ((OAAuthParameterDecorator)spConfig).getMandateProfiles()); + + } + + @Test + public void bPKTargetIsMissing_1() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException { + + AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_3.xml"); + + try { + processor.process(httpReq, pendingReq, authReq , null); + Assert.fail("No bPK target not detected"); + + } catch (AuthnRequestValidatorException e) { + Assert.assertEquals("ErrorMessage", "pvp2.22", e.getErrorId()); + + } + } + + @Test + public void bPKTargetIsMissing_2() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException { + + AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_4.xml"); + + try { + processor.process(httpReq, pendingReq, authReq , null); + Assert.fail("No bPK target not detected"); + + } catch (AuthnRequestValidatorException e) { + Assert.assertEquals("ErrorMessage", "pvp2.22", e.getErrorId()); + + } + } + + @Test + public void bPKTargetIsMissing_3() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException { + + AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_5.xml"); + + try { + processor.process(httpReq, pendingReq, authReq , null); + Assert.fail("No bPK target not detected"); + + } catch (AuthnRequestValidatorException e) { + Assert.assertEquals("ErrorMessage", "pvp2.22", e.getErrorId()); + + } + } + + @Test + public void noRequestedAttributes() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException { + + AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_9.xml"); + + try { + processor.process(httpReq, pendingReq, authReq , null); + Assert.fail("No bPK target not detected"); + + } catch (AuthnRequestValidatorException e) { + Assert.assertEquals("ErrorMessage", "pvp2.22", e.getErrorId()); + + } + } + + @Test + public void noSAML2ExtentsionElement() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException { + + AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_10.xml"); + + try { + processor.process(httpReq, pendingReq, authReq , null); + Assert.fail("No bPK target not detected"); + + } catch (AuthnRequestValidatorException e) { + Assert.assertEquals("ErrorMessage", "pvp2.22", e.getErrorId()); + + } + } + + @Test + public void validSpEntityIdNoMandateProfiles() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException, AuthnRequestValidatorException { + + AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_6.xml"); + + processor.process(httpReq, pendingReq, authReq , null); + + ISPConfiguration spConfig = pendingReq.getServiceProviderConfiguration(); + Assert.assertNotNull("SP config is null", spConfig); + org.springframework.util.Assert.isInstanceOf(OAAuthParameterDecorator.class, + spConfig, "SP config is NOT of type MOA-ID SP Config"); + + Assert.assertNotNull("SP target is null", spConfig.getAreaSpecificTargetIdentifier()); + Assert.assertEquals("SP target not match", "urn:publicid:gv.at:eidasid+AT+EE", spConfig.getAreaSpecificTargetIdentifier()); + + + Assert.assertFalse("UseMandates flag", ((OAAuthParameterDecorator)spConfig).isShowMandateCheckBox()); + Assert.assertNull("Mandate profiles", ((OAAuthParameterDecorator)spConfig).getMandateProfiles()); + + } + + @Test + public void validSpEntityIdNotValidMandateProfiles_1() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException, AuthnRequestValidatorException { + + AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_7.xml"); + + processor.process(httpReq, pendingReq, authReq , null); + + ISPConfiguration spConfig = pendingReq.getServiceProviderConfiguration(); + Assert.assertNotNull("SP config is null", spConfig); + org.springframework.util.Assert.isInstanceOf(OAAuthParameterDecorator.class, + spConfig, "SP config is NOT of type MOA-ID SP Config"); + + Assert.assertNotNull("SP target is null", spConfig.getAreaSpecificTargetIdentifier()); + Assert.assertEquals("SP target not match", "urn:publicid:gv.at:eidasid+AT+EE", spConfig.getAreaSpecificTargetIdentifier()); + + + Assert.assertFalse("UseMandates flag", ((OAAuthParameterDecorator)spConfig).isShowMandateCheckBox()); + Assert.assertNull("Mandate profiles", ((OAAuthParameterDecorator)spConfig).getMandateProfiles()); + + } + + @Test + public void validSpEntityIdNotValidMandateProfiles_2() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException, AuthnRequestValidatorException { + + AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_8.xml"); + + processor.process(httpReq, pendingReq, authReq , null); + + ISPConfiguration spConfig = pendingReq.getServiceProviderConfiguration(); + Assert.assertNotNull("SP config is null", spConfig); + org.springframework.util.Assert.isInstanceOf(OAAuthParameterDecorator.class, + spConfig, "SP config is NOT of type MOA-ID SP Config"); + + Assert.assertNotNull("SP target is null", spConfig.getAreaSpecificTargetIdentifier()); + Assert.assertEquals("SP target not match", "urn:publicid:gv.at:eidasid+AT+EE", spConfig.getAreaSpecificTargetIdentifier()); + + + Assert.assertFalse("UseMandates flag", ((OAAuthParameterDecorator)spConfig).isShowMandateCheckBox()); + Assert.assertNull("Mandate profiles", ((OAAuthParameterDecorator)spConfig).getMandateProfiles()); + + } + + @Test + public void validSpEntityIdWithMandateProfiles() throws ParserConfigurationException, SAXException, IOException, UnmarshallingException, AuthnRequestValidatorException { + + AuthnRequest authReq = getAuthRequest("/data/pvp2_authn_1.xml"); + + processor.process(httpReq, pendingReq, authReq , null); + + ISPConfiguration spConfig = pendingReq.getServiceProviderConfiguration(); + Assert.assertNotNull("SP config is null", spConfig); + org.springframework.util.Assert.isInstanceOf(OAAuthParameterDecorator.class, + spConfig, "SP config is NOT of type MOA-ID SP Config"); + + Assert.assertNotNull("SP target is null", spConfig.getAreaSpecificTargetIdentifier()); + Assert.assertEquals("SP target not match", "urn:publicid:gv.at:eidasid+AT+EE", spConfig.getAreaSpecificTargetIdentifier()); + + + Assert.assertTrue("UseMandates flag", ((OAAuthParameterDecorator)spConfig).isShowMandateCheckBox()); + + Assert.assertNotNull("Mandate profiles are null", ((OAAuthParameterDecorator)spConfig).getMandateProfiles()); + Assert.assertEquals("Number of mandate profiles not match", 3, ((OAAuthParameterDecorator)spConfig).getMandateProfiles().size()); + assertThat("Mandate profiles not match", ((OAAuthParameterDecorator)spConfig).getMandateProfiles(), + contains("Einzelvertretungsbefugnis", "1.2.40.0.10.1.7.3.1.1", "ERsB")); + + } + + private AuthnRequest getAuthRequest(String resource) throws + ParserConfigurationException, SAXException, IOException, UnmarshallingException { + final Element authBlockDom = + DOMUtils.parseXmlValidating(AuthnRequestSemperProcessor.class.getResourceAsStream(resource)); + + final UnmarshallerFactory unmarshallerFactory = + org.opensaml.xml.Configuration.getUnmarshallerFactory(); + final Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(authBlockDom); + return (AuthnRequest) unmarshaller.unmarshall(authBlockDom); + +} +} diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/DummyAuthConfigMap.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/DummyAuthConfigMap.java new file mode 100644 index 000000000..1cc51f2e0 --- /dev/null +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/DummyAuthConfigMap.java @@ -0,0 +1,136 @@ +package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.semper; + +import java.io.IOException; +import java.io.InputStream; +import java.net.URI; +import java.net.URL; +import java.util.HashMap; +import java.util.Map; +import java.util.Properties; + +import org.apache.commons.lang3.StringUtils; + +import at.gv.egiz.eaaf.core.api.idp.IConfigurationWithSP; +import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; +import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils; + +/** + * Dummy Application-configuration implementation for jUnit tests. + * + * @author tlenz + * + */ +public class DummyAuthConfigMap implements IConfigurationWithSP { + + private Map<String, String> config = new HashMap<>(); + + public DummyAuthConfigMap() { + + } + + /** + * Dummy Application-configuration. + * + * @param configIs Property based configuration + * @throws IOException In case of an configuration read error + */ + public DummyAuthConfigMap(final InputStream configIs) throws IOException { + + final Properties props = new Properties(); + props.load(configIs); + + config = KeyValueUtils.convertPropertiesToMap(props); + + } + + /** + * Dummy Application-configuration. + * + * @param path Path to property based configuration + * @throws IOException In case of an configuration read error + */ + public DummyAuthConfigMap(final String path) throws IOException { + + final Properties props = new Properties(); + props.load(this.getClass().getResourceAsStream(path)); + + config = KeyValueUtils.convertPropertiesToMap(props); + + } + + + @Override + public String getBasicConfiguration(final String key) { + return config.get(key); + + } + + @Override + public String getBasicConfiguration(final String key, final String defaultValue) { + final String value = getBasicConfiguration(key); + if (StringUtils.isEmpty(value)) { + return defaultValue; + } else { + return value; + } + + } + + @Override + public Boolean getBasicConfigurationBoolean(final String key) { + final String value = getBasicConfiguration(key); + if (StringUtils.isEmpty(value)) { + return false; + } else { + return Boolean.valueOf(value); + } + } + + @Override + public boolean getBasicConfigurationBoolean(final String key, final boolean defaultValue) { + return Boolean.parseBoolean(getBasicConfiguration(key, String.valueOf(defaultValue))); + + } + + @Override + public Map<String, String> getBasicConfigurationWithPrefix(final String prefix) { + return KeyValueUtils.getSubSetWithPrefix(config, prefix); + + } + + @Override + public ISPConfiguration getServiceProviderConfiguration(final String uniqueID) + throws EAAFConfigurationException { + return null; + } + + @Override + public <T> T getServiceProviderConfiguration(final String spIdentifier, final Class<T> decorator) + throws EAAFConfigurationException { + return null; + } + + @Override + public URI getConfigurationRootDirectory() { + return new java.io.File(".").toURI(); + + } + + @Override + public String validateIDPURL(final URL authReqUrl) throws EAAFException { + return null; + } + + public void putConfigValue(final String key, final String value) { + config.put(key, value); + } + + public void removeConfigValue(final String key) { + config.remove(key); + + } + + +} diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/SpringTest-context_basic_test.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/SpringTest-context_basic_test.xml new file mode 100644 index 000000000..18900c27d --- /dev/null +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/SpringTest-context_basic_test.xml @@ -0,0 +1,20 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:tx="http://www.springframework.org/schema/tx" + xmlns:aop="http://www.springframework.org/schema/aop" + xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd + http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd"> + + <context:annotation-config /> + + <bean id="semperAuthnRequestPostProcessor" + class="at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.semper.AuthnRequestSemperProcessor" /> + + <bean id="dummyConfig" + class="at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.semper.DummyAuthConfigMap" /> + +</beans>
\ No newline at end of file diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_1.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_1.xml new file mode 100644 index 000000000..f6c6b26ee --- /dev/null +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_1.xml @@ -0,0 +1,43 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://vidp.gv.at/ms_connector/pvp/post" ID="_5f6e9aff8ff6fa4b84e888bf99400f95" IsPassive="false" IssueInstant="2019-12-13T06:42:21.185Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> + <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/ms_connector/sp/metadata</saml2:Issuer> + <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:SignedInfo> + <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> + <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> + <ds:Reference URI="#_5f6e9aff8ff6fa4b84e888bf99400f95"> + <ds:Transforms> + <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> + <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> + <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/> + </ds:Transform> + </ds:Transforms> + <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> + <ds:DigestValue>mOljEGj9lBXPvJbT3biANFlsYGLrKtcaoHTNDmjRuko=</ds:DigestValue> + </ds:Reference> + </ds:SignedInfo> + <ds:SignatureValue>ARMTDwMGYMJteX/wjLqtONtFoHWc34gd6KKkgxnWe17xrUns1gHo/wDnKhvyG6kNtUZgfrebbdNA5Z4XZC+wiGkeZggKXaPdxAKco9amauuwSwoK8C556bQFA0F7yEjhypZGZxCoEMhS+hDKN+r/Pgh5QxkTgYi5DJXK6tIYgewt41k1YOAtrhr/RbyqvlFLvdZig2Sr8eotsCfATmics6NXeHGJV2ajaFITmNZd09exAoe4oi0zk2DUOUc2611bPW+4wrAb4F0iB4sPGxngfKArdMeJ8Ybh4nnA0WncwwJ2WMVu4CF87cWQKU1VIIPTisJjSN5pFXnm6wMQQUZu1A==</ds:SignatureValue> + <ds:KeyInfo> + <ds:X509Data> + <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt 1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc 2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy 4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </ds:Signature> + <saml2p:Extensions> + <eid:RequestedAttributes xmlns:eid="http://eid.gv.at/eID/attributes/saml-extensions"> + <eid:RequestedAttribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"> + <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:publicid:gv.at:eidasid+AT+EE</eid:AttributeValue> + </eid:RequestedAttribute> + <eid:RequestedAttribute FriendlyName="ServiceProvider-MandateProfiles" Name="urn:eidgvat:attributes.ServiceProviderMandateProfiles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"> + <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Einzelvertretungsbefugnis,1.2.40.0.10.1.7.3.1.1,ERsB</eid:AttributeValue> + </eid:RequestedAttribute> + </eid:RequestedAttributes> + </saml2p:Extensions> + <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/> + <saml2p:RequestedAuthnContext Comparison="minimum"> + <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://eidas.europa.eu/LoA/low</saml2:AuthnContextClassRef> + </saml2p:RequestedAuthnContext> + <saml2p:Scoping> + <saml2p:RequesterID>https://demo.egiz.gv.at/demoportal-openID_demo</saml2p:RequesterID> + </saml2p:Scoping> +</saml2p:AuthnRequest>
\ No newline at end of file diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_10.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_10.xml new file mode 100644 index 000000000..1d52986fc --- /dev/null +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_10.xml @@ -0,0 +1,33 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://vidp.gv.at/ms_connector/pvp/post" ID="_5f6e9aff8ff6fa4b84e888bf99400f95" IsPassive="false" IssueInstant="2019-12-13T06:42:21.185Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> + <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/ms_connector/sp/metadata</saml2:Issuer> + <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:SignedInfo> + <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> + <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> + <ds:Reference URI="#_5f6e9aff8ff6fa4b84e888bf99400f95"> + <ds:Transforms> + <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> + <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> + <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/> + </ds:Transform> + </ds:Transforms> + <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> + <ds:DigestValue>mOljEGj9lBXPvJbT3biANFlsYGLrKtcaoHTNDmjRuko=</ds:DigestValue> + </ds:Reference> + </ds:SignedInfo> + <ds:SignatureValue>ARMTDwMGYMJteX/wjLqtONtFoHWc34gd6KKkgxnWe17xrUns1gHo/wDnKhvyG6kNtUZgfrebbdNA5Z4XZC+wiGkeZggKXaPdxAKco9amauuwSwoK8C556bQFA0F7yEjhypZGZxCoEMhS+hDKN+r/Pgh5QxkTgYi5DJXK6tIYgewt41k1YOAtrhr/RbyqvlFLvdZig2Sr8eotsCfATmics6NXeHGJV2ajaFITmNZd09exAoe4oi0zk2DUOUc2611bPW+4wrAb4F0iB4sPGxngfKArdMeJ8Ybh4nnA0WncwwJ2WMVu4CF87cWQKU1VIIPTisJjSN5pFXnm6wMQQUZu1A==</ds:SignatureValue> + <ds:KeyInfo> + <ds:X509Data> + <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt 1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc 2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy 4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </ds:Signature> + <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/> + <saml2p:RequestedAuthnContext Comparison="minimum"> + <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://eidas.europa.eu/LoA/low</saml2:AuthnContextClassRef> + </saml2p:RequestedAuthnContext> + <saml2p:Scoping> + <saml2p:RequesterID>https://demo.egiz.gv.at/demoportal-openID_demo</saml2p:RequesterID> + </saml2p:Scoping> +</saml2p:AuthnRequest>
\ No newline at end of file diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_2.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_2.xml new file mode 100644 index 000000000..c5b634539 --- /dev/null +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_2.xml @@ -0,0 +1,43 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://vidp.gv.at/ms_connector/pvp/post" ID="_5f6e9aff8ff6fa4b84e888bf99400f95" IsPassive="false" IssueInstant="2019-12-13T06:42:21.185Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> + <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://apps.egiz.gv.at/ms_connector/sp/metadata</saml2:Issuer> + <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:SignedInfo> + <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> + <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> + <ds:Reference URI="#_5f6e9aff8ff6fa4b84e888bf99400f95"> + <ds:Transforms> + <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> + <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> + <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/> + </ds:Transform> + </ds:Transforms> + <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> + <ds:DigestValue>mOljEGj9lBXPvJbT3biANFlsYGLrKtcaoHTNDmjRuko=</ds:DigestValue> + </ds:Reference> + </ds:SignedInfo> + <ds:SignatureValue>ARMTDwMGYMJteX/wjLqtONtFoHWc34gd6KKkgxnWe17xrUns1gHo/wDnKhvyG6kNtUZgfrebbdNA5Z4XZC+wiGkeZggKXaPdxAKco9amauuwSwoK8C556bQFA0F7yEjhypZGZxCoEMhS+hDKN+r/Pgh5QxkTgYi5DJXK6tIYgewt41k1YOAtrhr/RbyqvlFLvdZig2Sr8eotsCfATmics6NXeHGJV2ajaFITmNZd09exAoe4oi0zk2DUOUc2611bPW+4wrAb4F0iB4sPGxngfKArdMeJ8Ybh4nnA0WncwwJ2WMVu4CF87cWQKU1VIIPTisJjSN5pFXnm6wMQQUZu1A==</ds:SignatureValue> + <ds:KeyInfo> + <ds:X509Data> + <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt 1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc 2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy 4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </ds:Signature> + <saml2p:Extensions> + <eid:RequestedAttributes xmlns:eid="http://eid.gv.at/eID/attributes/saml-extensions"> + <eid:RequestedAttribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"> + <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:publicid:gv.at:eidasid+AT+EE</eid:AttributeValue> + </eid:RequestedAttribute> + <eid:RequestedAttribute FriendlyName="ServiceProvider-MandateProfiles" Name="urn:eidgvat:attributes.ServiceProviderMandateProfiles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"> + <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Einzelvertretungsbefugnis,1.2.40.0.10.1.7.3.1.1,ERsB</eid:AttributeValue> + </eid:RequestedAttribute> + </eid:RequestedAttributes> + </saml2p:Extensions> + <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/> + <saml2p:RequestedAuthnContext Comparison="minimum"> + <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://eidas.europa.eu/LoA/low</saml2:AuthnContextClassRef> + </saml2p:RequestedAuthnContext> + <saml2p:Scoping> + <saml2p:RequesterID>https://demo.egiz.gv.at/demoportal-openID_demo</saml2p:RequesterID> + </saml2p:Scoping> +</saml2p:AuthnRequest>
\ No newline at end of file diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_3.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_3.xml new file mode 100644 index 000000000..d79caa0fe --- /dev/null +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_3.xml @@ -0,0 +1,40 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://vidp.gv.at/ms_connector/pvp/post" ID="_5f6e9aff8ff6fa4b84e888bf99400f95" IsPassive="false" IssueInstant="2019-12-13T06:42:21.185Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> + <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/ms_connector/sp/metadata</saml2:Issuer> + <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:SignedInfo> + <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> + <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> + <ds:Reference URI="#_5f6e9aff8ff6fa4b84e888bf99400f95"> + <ds:Transforms> + <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> + <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> + <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/> + </ds:Transform> + </ds:Transforms> + <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> + <ds:DigestValue>mOljEGj9lBXPvJbT3biANFlsYGLrKtcaoHTNDmjRuko=</ds:DigestValue> + </ds:Reference> + </ds:SignedInfo> + <ds:SignatureValue>ARMTDwMGYMJteX/wjLqtONtFoHWc34gd6KKkgxnWe17xrUns1gHo/wDnKhvyG6kNtUZgfrebbdNA5Z4XZC+wiGkeZggKXaPdxAKco9amauuwSwoK8C556bQFA0F7yEjhypZGZxCoEMhS+hDKN+r/Pgh5QxkTgYi5DJXK6tIYgewt41k1YOAtrhr/RbyqvlFLvdZig2Sr8eotsCfATmics6NXeHGJV2ajaFITmNZd09exAoe4oi0zk2DUOUc2611bPW+4wrAb4F0iB4sPGxngfKArdMeJ8Ybh4nnA0WncwwJ2WMVu4CF87cWQKU1VIIPTisJjSN5pFXnm6wMQQUZu1A==</ds:SignatureValue> + <ds:KeyInfo> + <ds:X509Data> + <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt 1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc 2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy 4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </ds:Signature> + <saml2p:Extensions> + <eid:RequestedAttributes xmlns:eid="http://eid.gv.at/eID/attributes/saml-extensions"> + <eid:RequestedAttribute FriendlyName="ServiceProvider-MandateProfiles" Name="urn:eidgvat:attributes.ServiceProviderMandateProfiles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"> + <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Einzelvertretungsbefugnis,1.2.40.0.10.1.7.3.1.1,ERsB</eid:AttributeValue> + </eid:RequestedAttribute> + </eid:RequestedAttributes> + </saml2p:Extensions> + <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/> + <saml2p:RequestedAuthnContext Comparison="minimum"> + <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://eidas.europa.eu/LoA/low</saml2:AuthnContextClassRef> + </saml2p:RequestedAuthnContext> + <saml2p:Scoping> + <saml2p:RequesterID>https://demo.egiz.gv.at/demoportal-openID_demo</saml2p:RequesterID> + </saml2p:Scoping> +</saml2p:AuthnRequest>
\ No newline at end of file diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_4.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_4.xml new file mode 100644 index 000000000..c04a97a7f --- /dev/null +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_4.xml @@ -0,0 +1,43 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://vidp.gv.at/ms_connector/pvp/post" ID="_5f6e9aff8ff6fa4b84e888bf99400f95" IsPassive="false" IssueInstant="2019-12-13T06:42:21.185Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> + <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/ms_connector/sp/metadata</saml2:Issuer> + <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:SignedInfo> + <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> + <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> + <ds:Reference URI="#_5f6e9aff8ff6fa4b84e888bf99400f95"> + <ds:Transforms> + <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> + <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> + <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/> + </ds:Transform> + </ds:Transforms> + <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> + <ds:DigestValue>mOljEGj9lBXPvJbT3biANFlsYGLrKtcaoHTNDmjRuko=</ds:DigestValue> + </ds:Reference> + </ds:SignedInfo> + <ds:SignatureValue>ARMTDwMGYMJteX/wjLqtONtFoHWc34gd6KKkgxnWe17xrUns1gHo/wDnKhvyG6kNtUZgfrebbdNA5Z4XZC+wiGkeZggKXaPdxAKco9amauuwSwoK8C556bQFA0F7yEjhypZGZxCoEMhS+hDKN+r/Pgh5QxkTgYi5DJXK6tIYgewt41k1YOAtrhr/RbyqvlFLvdZig2Sr8eotsCfATmics6NXeHGJV2ajaFITmNZd09exAoe4oi0zk2DUOUc2611bPW+4wrAb4F0iB4sPGxngfKArdMeJ8Ybh4nnA0WncwwJ2WMVu4CF87cWQKU1VIIPTisJjSN5pFXnm6wMQQUZu1A==</ds:SignatureValue> + <ds:KeyInfo> + <ds:X509Data> + <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt 1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc 2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy 4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </ds:Signature> + <saml2p:Extensions> + <eid:RequestedAttributes xmlns:eid="http://eid.gv.at/eID/attributes/saml-extensions"> + <eid:RequestedAttribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"> + <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"></eid:AttributeValue> + </eid:RequestedAttribute> + <eid:RequestedAttribute FriendlyName="ServiceProvider-MandateProfiles" Name="urn:eidgvat:attributes.ServiceProviderMandateProfiles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"> + <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Einzelvertretungsbefugnis,1.2.40.0.10.1.7.3.1.1,ERsB</eid:AttributeValue> + </eid:RequestedAttribute> + </eid:RequestedAttributes> + </saml2p:Extensions> + <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/> + <saml2p:RequestedAuthnContext Comparison="minimum"> + <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://eidas.europa.eu/LoA/low</saml2:AuthnContextClassRef> + </saml2p:RequestedAuthnContext> + <saml2p:Scoping> + <saml2p:RequesterID>https://demo.egiz.gv.at/demoportal-openID_demo</saml2p:RequesterID> + </saml2p:Scoping> +</saml2p:AuthnRequest>
\ No newline at end of file diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_5.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_5.xml new file mode 100644 index 000000000..339514323 --- /dev/null +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_5.xml @@ -0,0 +1,44 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://vidp.gv.at/ms_connector/pvp/post" ID="_5f6e9aff8ff6fa4b84e888bf99400f95" IsPassive="false" IssueInstant="2019-12-13T06:42:21.185Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> + <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/ms_connector/sp/metadata</saml2:Issuer> + <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:SignedInfo> + <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> + <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> + <ds:Reference URI="#_5f6e9aff8ff6fa4b84e888bf99400f95"> + <ds:Transforms> + <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> + <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> + <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/> + </ds:Transform> + </ds:Transforms> + <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> + <ds:DigestValue>mOljEGj9lBXPvJbT3biANFlsYGLrKtcaoHTNDmjRuko=</ds:DigestValue> + </ds:Reference> + </ds:SignedInfo> + <ds:SignatureValue>ARMTDwMGYMJteX/wjLqtONtFoHWc34gd6KKkgxnWe17xrUns1gHo/wDnKhvyG6kNtUZgfrebbdNA5Z4XZC+wiGkeZggKXaPdxAKco9amauuwSwoK8C556bQFA0F7yEjhypZGZxCoEMhS+hDKN+r/Pgh5QxkTgYi5DJXK6tIYgewt41k1YOAtrhr/RbyqvlFLvdZig2Sr8eotsCfATmics6NXeHGJV2ajaFITmNZd09exAoe4oi0zk2DUOUc2611bPW+4wrAb4F0iB4sPGxngfKArdMeJ8Ybh4nnA0WncwwJ2WMVu4CF87cWQKU1VIIPTisJjSN5pFXnm6wMQQUZu1A==</ds:SignatureValue> + <ds:KeyInfo> + <ds:X509Data> + <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt 1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc 2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy 4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </ds:Signature> + <saml2p:Extensions> + <eid:RequestedAttributes xmlns:eid="http://eid.gv.at/eID/attributes/saml-extensions"> + <eid:RequestedAttribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"> + <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:publicid:gv.at:eidasid+AT+EE</eid:AttributeValue> + <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:publicid:gv.at:eidasid+AT+XX</eid:AttributeValue> + </eid:RequestedAttribute> + <eid:RequestedAttribute FriendlyName="ServiceProvider-MandateProfiles" Name="urn:eidgvat:attributes.ServiceProviderMandateProfiles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"> + <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Einzelvertretungsbefugnis,1.2.40.0.10.1.7.3.1.1,ERsB</eid:AttributeValue> + </eid:RequestedAttribute> + </eid:RequestedAttributes> + </saml2p:Extensions> + <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/> + <saml2p:RequestedAuthnContext Comparison="minimum"> + <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://eidas.europa.eu/LoA/low</saml2:AuthnContextClassRef> + </saml2p:RequestedAuthnContext> + <saml2p:Scoping> + <saml2p:RequesterID>https://demo.egiz.gv.at/demoportal-openID_demo</saml2p:RequesterID> + </saml2p:Scoping> +</saml2p:AuthnRequest>
\ No newline at end of file diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_6.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_6.xml new file mode 100644 index 000000000..8a046363c --- /dev/null +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_6.xml @@ -0,0 +1,40 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://vidp.gv.at/ms_connector/pvp/post" ID="_5f6e9aff8ff6fa4b84e888bf99400f95" IsPassive="false" IssueInstant="2019-12-13T06:42:21.185Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> + <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/ms_connector/sp/metadata</saml2:Issuer> + <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:SignedInfo> + <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> + <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> + <ds:Reference URI="#_5f6e9aff8ff6fa4b84e888bf99400f95"> + <ds:Transforms> + <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> + <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> + <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/> + </ds:Transform> + </ds:Transforms> + <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> + <ds:DigestValue>mOljEGj9lBXPvJbT3biANFlsYGLrKtcaoHTNDmjRuko=</ds:DigestValue> + </ds:Reference> + </ds:SignedInfo> + <ds:SignatureValue>ARMTDwMGYMJteX/wjLqtONtFoHWc34gd6KKkgxnWe17xrUns1gHo/wDnKhvyG6kNtUZgfrebbdNA5Z4XZC+wiGkeZggKXaPdxAKco9amauuwSwoK8C556bQFA0F7yEjhypZGZxCoEMhS+hDKN+r/Pgh5QxkTgYi5DJXK6tIYgewt41k1YOAtrhr/RbyqvlFLvdZig2Sr8eotsCfATmics6NXeHGJV2ajaFITmNZd09exAoe4oi0zk2DUOUc2611bPW+4wrAb4F0iB4sPGxngfKArdMeJ8Ybh4nnA0WncwwJ2WMVu4CF87cWQKU1VIIPTisJjSN5pFXnm6wMQQUZu1A==</ds:SignatureValue> + <ds:KeyInfo> + <ds:X509Data> + <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt 1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc 2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy 4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </ds:Signature> + <saml2p:Extensions> + <eid:RequestedAttributes xmlns:eid="http://eid.gv.at/eID/attributes/saml-extensions"> + <eid:RequestedAttribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"> + <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:publicid:gv.at:eidasid+AT+EE</eid:AttributeValue> + </eid:RequestedAttribute> + </eid:RequestedAttributes> + </saml2p:Extensions> + <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/> + <saml2p:RequestedAuthnContext Comparison="minimum"> + <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://eidas.europa.eu/LoA/low</saml2:AuthnContextClassRef> + </saml2p:RequestedAuthnContext> + <saml2p:Scoping> + <saml2p:RequesterID>https://demo.egiz.gv.at/demoportal-openID_demo</saml2p:RequesterID> + </saml2p:Scoping> +</saml2p:AuthnRequest>
\ No newline at end of file diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_7.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_7.xml new file mode 100644 index 000000000..502619e94 --- /dev/null +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_7.xml @@ -0,0 +1,44 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://vidp.gv.at/ms_connector/pvp/post" ID="_5f6e9aff8ff6fa4b84e888bf99400f95" IsPassive="false" IssueInstant="2019-12-13T06:42:21.185Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> + <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/ms_connector/sp/metadata</saml2:Issuer> + <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:SignedInfo> + <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> + <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> + <ds:Reference URI="#_5f6e9aff8ff6fa4b84e888bf99400f95"> + <ds:Transforms> + <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> + <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> + <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/> + </ds:Transform> + </ds:Transforms> + <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> + <ds:DigestValue>mOljEGj9lBXPvJbT3biANFlsYGLrKtcaoHTNDmjRuko=</ds:DigestValue> + </ds:Reference> + </ds:SignedInfo> + <ds:SignatureValue>ARMTDwMGYMJteX/wjLqtONtFoHWc34gd6KKkgxnWe17xrUns1gHo/wDnKhvyG6kNtUZgfrebbdNA5Z4XZC+wiGkeZggKXaPdxAKco9amauuwSwoK8C556bQFA0F7yEjhypZGZxCoEMhS+hDKN+r/Pgh5QxkTgYi5DJXK6tIYgewt41k1YOAtrhr/RbyqvlFLvdZig2Sr8eotsCfATmics6NXeHGJV2ajaFITmNZd09exAoe4oi0zk2DUOUc2611bPW+4wrAb4F0iB4sPGxngfKArdMeJ8Ybh4nnA0WncwwJ2WMVu4CF87cWQKU1VIIPTisJjSN5pFXnm6wMQQUZu1A==</ds:SignatureValue> + <ds:KeyInfo> + <ds:X509Data> + <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt 1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc 2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy 4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </ds:Signature> + <saml2p:Extensions> + <eid:RequestedAttributes xmlns:eid="http://eid.gv.at/eID/attributes/saml-extensions"> + <eid:RequestedAttribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"> + <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:publicid:gv.at:eidasid+AT+EE</eid:AttributeValue> + </eid:RequestedAttribute> + <eid:RequestedAttribute FriendlyName="ServiceProvider-MandateProfiles" Name="urn:eidgvat:attributes.ServiceProviderMandateProfiles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"> + <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Einzelvertretungsbefugnis,1.2.40.0.10.1.7.3.1.1,ERsB</eid:AttributeValue> + <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Einzelvertretungsbefugnis,1.2.40.0.10.1.7.3.1.1,ERsB</eid:AttributeValue> + </eid:RequestedAttribute> + </eid:RequestedAttributes> + </saml2p:Extensions> + <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/> + <saml2p:RequestedAuthnContext Comparison="minimum"> + <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://eidas.europa.eu/LoA/low</saml2:AuthnContextClassRef> + </saml2p:RequestedAuthnContext> + <saml2p:Scoping> + <saml2p:RequesterID>https://demo.egiz.gv.at/demoportal-openID_demo</saml2p:RequesterID> + </saml2p:Scoping> +</saml2p:AuthnRequest>
\ No newline at end of file diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_8.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_8.xml new file mode 100644 index 000000000..ff667168a --- /dev/null +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_8.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://vidp.gv.at/ms_connector/pvp/post" ID="_5f6e9aff8ff6fa4b84e888bf99400f95" IsPassive="false" IssueInstant="2019-12-13T06:42:21.185Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> + <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/ms_connector/sp/metadata</saml2:Issuer> + <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:SignedInfo> + <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> + <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> + <ds:Reference URI="#_5f6e9aff8ff6fa4b84e888bf99400f95"> + <ds:Transforms> + <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> + <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> + <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/> + </ds:Transform> + </ds:Transforms> + <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> + <ds:DigestValue>mOljEGj9lBXPvJbT3biANFlsYGLrKtcaoHTNDmjRuko=</ds:DigestValue> + </ds:Reference> + </ds:SignedInfo> + <ds:SignatureValue>ARMTDwMGYMJteX/wjLqtONtFoHWc34gd6KKkgxnWe17xrUns1gHo/wDnKhvyG6kNtUZgfrebbdNA5Z4XZC+wiGkeZggKXaPdxAKco9amauuwSwoK8C556bQFA0F7yEjhypZGZxCoEMhS+hDKN+r/Pgh5QxkTgYi5DJXK6tIYgewt41k1YOAtrhr/RbyqvlFLvdZig2Sr8eotsCfATmics6NXeHGJV2ajaFITmNZd09exAoe4oi0zk2DUOUc2611bPW+4wrAb4F0iB4sPGxngfKArdMeJ8Ybh4nnA0WncwwJ2WMVu4CF87cWQKU1VIIPTisJjSN5pFXnm6wMQQUZu1A==</ds:SignatureValue> + <ds:KeyInfo> + <ds:X509Data> + <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt 1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc 2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy 4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </ds:Signature> + <saml2p:Extensions> + <eid:RequestedAttributes xmlns:eid="http://eid.gv.at/eID/attributes/saml-extensions"> + <eid:RequestedAttribute FriendlyName="EID-SECTOR-FOR-IDENTIFIER" Name="urn:oid:1.2.40.0.10.2.1.1.261.34" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"> + <eid:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">urn:publicid:gv.at:eidasid+AT+EE</eid:AttributeValue> + </eid:RequestedAttribute> + <eid:RequestedAttribute FriendlyName="ServiceProvider-MandateProfiles" Name="urn:eidgvat:attributes.ServiceProviderMandateProfiles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"> + </eid:RequestedAttribute> + </eid:RequestedAttributes> + </saml2p:Extensions> + <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/> + <saml2p:RequestedAuthnContext Comparison="minimum"> + <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://eidas.europa.eu/LoA/low</saml2:AuthnContextClassRef> + </saml2p:RequestedAuthnContext> + <saml2p:Scoping> + <saml2p:RequesterID>https://demo.egiz.gv.at/demoportal-openID_demo</saml2p:RequesterID> + </saml2p:Scoping> +</saml2p:AuthnRequest>
\ No newline at end of file diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_9.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_9.xml new file mode 100644 index 000000000..5506b2f31 --- /dev/null +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/test/resources/data/pvp2_authn_9.xml @@ -0,0 +1,35 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="0" Destination="https://vidp.gv.at/ms_connector/pvp/post" ID="_5f6e9aff8ff6fa4b84e888bf99400f95" IsPassive="false" IssueInstant="2019-12-13T06:42:21.185Z" ProviderName="OpenID Connect Demo" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> + <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://demo.egiz.gv.at/ms_connector/sp/metadata</saml2:Issuer> + <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:SignedInfo> + <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> + <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> + <ds:Reference URI="#_5f6e9aff8ff6fa4b84e888bf99400f95"> + <ds:Transforms> + <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> + <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> + <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/> + </ds:Transform> + </ds:Transforms> + <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> + <ds:DigestValue>mOljEGj9lBXPvJbT3biANFlsYGLrKtcaoHTNDmjRuko=</ds:DigestValue> + </ds:Reference> + </ds:SignedInfo> + <ds:SignatureValue>ARMTDwMGYMJteX/wjLqtONtFoHWc34gd6KKkgxnWe17xrUns1gHo/wDnKhvyG6kNtUZgfrebbdNA5Z4XZC+wiGkeZggKXaPdxAKco9amauuwSwoK8C556bQFA0F7yEjhypZGZxCoEMhS+hDKN+r/Pgh5QxkTgYi5DJXK6tIYgewt41k1YOAtrhr/RbyqvlFLvdZig2Sr8eotsCfATmics6NXeHGJV2ajaFITmNZd09exAoe4oi0zk2DUOUc2611bPW+4wrAb4F0iB4sPGxngfKArdMeJ8Ybh4nnA0WncwwJ2WMVu4CF87cWQKU1VIIPTisJjSN5pFXnm6wMQQUZu1A==</ds:SignatureValue> + <ds:KeyInfo> + <ds:X509Data> + <ds:X509Certificate>MIIDKzCCAhMCBFrxKO4wDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQVQxDTALBgNVBAoMBEVH SVoxGDAWBgNVBAsMD2RlbW8uZWdpei5ndi5hdDEiMCAGA1UEAwwZTU9BLUlEIElEUCAoVGVzdC1W ZXJzaW9uKTAeFw0xODA1MDgwNDM0NTRaFw0yMTAxMzEwNDM0NTRaMFoxCzAJBgNVBAYTAkFUMQ0w CwYDVQQKDARFR0laMRgwFgYDVQQLDA9kZW1vLmVnaXouZ3YuYXQxIjAgBgNVBAMMGU1PQS1JRCBJ RFAgKFRlc3QtVmVyc2lvbikwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFnqoaYoq UptenemC6FiVDg5F2hEjpjix8+ow6/6QhUl2cPOS0uwZHaIvwT/RVbJ9CPdil6+11qaCPfZ+FoY+ M+ke7TRd2RS1DqFbe1KC0imEnwemyLQrYe5Pm7DNcaY/kHTTq+k0eeGbYH0U/Iopyi0VuN5OWl4F Vg45pf7knhXkaimItdjnCXnKcYM91mmltCf6TDgUrz7US7PmgvinnhfBgdITAT4GRr4ehliT+/jt 1OzHEyWRHanBGIpXNeZNqxgnpnGtaDh4JZuYR8qfH+GRK6dtW2ziej6rGIiUElGVCkXsohgxMNzq nWeD9JT8+yyp1XZlyQf+IxhhESQLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIFejAFQepaEl/kC VLvidMR+MXq5LCGHthUiI6eDTQZ+H7lZdHlj547XwEdX15b6Md3h7eSJ4hwlfV4go/0FaoLPzvVq itwtYY5htywB3B6ZV34Eyi6C59Gl34XrV8CWxH4KKwLsVAjAy+/p/Xh0q2pzSBkeOChzBMBkjmyc 2Ue4MEKdL9guzp6+Yc/HL/phHAKYapkVyFwvsdqWOgyRzxAHINko8ExImMMB3xB5a52kfqLcui5O fzEhjwLFJaGBMmFCmFGGOUwtIvl/6ZQ2LLzOE9+giVK9WsIgH11Pu+ejPFAbXf8cf4oWhbAfTkiy 4jpXrp77JXFRSDWddb0yePc=</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </ds:Signature> + <saml2p:Extensions> + </saml2p:Extensions> + <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/> + <saml2p:RequestedAuthnContext Comparison="minimum"> + <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://eidas.europa.eu/LoA/low</saml2:AuthnContextClassRef> + </saml2p:RequestedAuthnContext> + <saml2p:Scoping> + <saml2p:RequesterID>https://demo.egiz.gv.at/demoportal-openID_demo</saml2p:RequesterID> + </saml2p:Scoping> +</saml2p:AuthnRequest>
\ No newline at end of file diff --git a/id/server/modules/moa-id-module-E-ID_connector/pom.xml b/id/server/modules/moa-id-module-E-ID_connector/pom.xml new file mode 100644 index 000000000..d21654fd1 --- /dev/null +++ b/id/server/modules/moa-id-module-E-ID_connector/pom.xml @@ -0,0 +1,70 @@ +<?xml version="1.0"?> +<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <modelVersion>4.0.0</modelVersion> + <parent> + <groupId>MOA.id.server.modules</groupId> + <artifactId>moa-id-modules</artifactId> + <version>4.1.0</version> + </parent> + <artifactId>moa-id-module-EID_connector</artifactId> + <name>moa-id-module-E-ID_connector</name> + <url>http://maven.apache.org</url> + <properties> + <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> + <repositoryPath>${basedir}/../../../../repository</repositoryPath> + </properties> + + <profiles> + <profile> + <id>default</id> + <activation> + <activeByDefault>true</activeByDefault> + </activation> + <repositories> + <repository> + <id>local</id> + <name>local</name> + <url>file:${basedir}/../../../../repository</url> + </repository> + <repository> + <id>egiz-commons</id> + <url>https://demo.egiz.gv.at/int-repo/</url> + <releases> + <enabled>true</enabled> + </releases> + </repository> + </repositories> + </profile> + </profiles> + + <dependencies> + <dependency> + <groupId>MOA.id.server</groupId> + <artifactId>moa-id-lib</artifactId> + </dependency> + <dependency> + <groupId>at.gv.egiz.components</groupId> + <artifactId>egiz-spring-api</artifactId> + </dependency> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf_module_pvp2_core</artifactId> + </dependency> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf_module_pvp2_sp</artifactId> + </dependency> + + <dependency> + <groupId>org.springframework</groupId> + <artifactId>spring-test</artifactId> + <scope>test</scope> + </dependency> + <dependency> + <groupId>junit</groupId> + <artifactId>junit</artifactId> + <scope>test</scope> + </dependency> + </dependencies> +</project> diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthConstants.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthConstants.java new file mode 100644 index 000000000..b057ecaf8 --- /dev/null +++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthConstants.java @@ -0,0 +1,120 @@ +/* + * Copyright 2019 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.eidproxyauth; + +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; + +import at.gv.egiz.eaaf.core.api.data.EAAFConstants; +import at.gv.egiz.eaaf.core.impl.data.Trible; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; + +/** + * @author tlenz + * + */ +public class EIDProxyAuthConstants { + + public static final String MODULE_NAME_FOR_LOGGING = "E-ID proxy authentication"; + + public static final int METADATA_VALIDUNTIL_IN_HOURS = 24; + + public static final String HTTP_PARAM_EIDPROXY_AUTH_SELECTION = "forwardToEID"; + + public static final String ENDPOINT_POST = "/sp/eid/post"; + public static final String ENDPOINT_REDIRECT = "/sp/eid/redirect"; + public static final String ENDPOINT_METADATA = "/sp/eid/metadata"; + + public static final String CONFIG_PROPS_PREFIX = "modules.eidproxyauth."; + public static final String CONFIG_PROPS_KEYSTORE = CONFIG_PROPS_PREFIX + "keystore.path"; + public static final String CONFIG_PROPS_KEYSTOREPASSWORD = CONFIG_PROPS_PREFIX + "keystore.password"; + public static final String CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "metadata.sign.password"; + public static final String CONFIG_PROPS_SIGN_METADATA_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "metadata.sign.alias"; + public static final String CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "request.sign.password"; + public static final String CONFIG_PROPS_SIGN_SIGNING_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "request.sign.alias"; + public static final String CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.password"; + public static final String CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.alias"; + public static final String CONFIG_PROPS_NODE_ENTITYID = CONFIG_PROPS_PREFIX + "EID.entityId"; + public static final String CONFIG_PROPS_NODE_METADATAURL = CONFIG_PROPS_PREFIX + "EID.metadataUrl"; + public static final String CONFIG_PROPS_NODE_TRUSTPROFILEID = CONFIG_PROPS_PREFIX + "EID.trustprofileID"; + public static final String CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST = CONFIG_PROPS_PREFIX + "required.additional.attributes"; + public static final String CONFIG_PROPS_DISABLE_PROCESS_ENFORCEMENT = CONFIG_PROPS_PREFIX + "enforce.process.disabled"; + + public static final String CONFIG_DEFAULT_LOA_EIDAS_LEVEL = EAAFConstants.EIDAS_LOA_HIGH; + public static final List<Trible<String, String, Boolean>> DEFAULT_REQUIRED_PVP_ATTRIBUTES = + Collections.unmodifiableList(new ArrayList<Trible<String, String, Boolean>>() { + private static final long serialVersionUID = 1L; + { + //add PVP Version attribute + add(Trible.newInstance(PVPConstants.PVP_VERSION_NAME, PVPConstants.PVP_VERSION_FRIENDLY_NAME, false)); + + //request entity information + add(Trible.newInstance(PVPConstants.GIVEN_NAME_NAME, PVPConstants.GIVEN_NAME_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.PRINCIPAL_NAME_NAME, PVPConstants.PRINCIPAL_NAME_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.BIRTHDATE_NAME, PVPConstants.BIRTHDATE_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.BPK_NAME, PVPConstants.BPK_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.BPK_LIST_NAME, PVPConstants.BPK_LIST_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.ENC_BPK_LIST_NAME, PVPConstants.ENC_BPK_LIST_FRIENDLY_NAME, false)); + + //E-ID metadata attributes + add(Trible.newInstance(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME, PVPConstants.EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME, PVPConstants.EID_CITIZEN_EIDAS_QAA_LEVEL_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.EID_IDENTITY_STATUS_LEVEL_NAME, PVPConstants.EID_IDENTITY_STATUS_LEVEL_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.EID_ISSUING_NATION_NAME, PVPConstants.EID_ISSUING_NATION_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.EID_SIGNER_CERTIFICATE_NAME, PVPConstants.EID_SIGNER_CERTIFICATE_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.EID_CCS_URL_NAME, PVPConstants.EID_CCS_URL_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.EID_E_ID_TOKEN_NAME, PVPConstants.EID_E_ID_TOKEN_FRIENDLY_NAME, false)); + + //mandate attributes + add(Trible.newInstance(PVPConstants.MANDATE_TYPE_NAME, PVPConstants.MANDATE_TYPE_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.MANDATE_TYPE_OID_NAME, PVPConstants.MANDATE_TYPE_OID_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME, PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.MANDATE_NAT_PER_BPK_NAME, PVPConstants.MANDATE_NAT_PER_BPK_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.MANDATE_NAT_PER_BPK_LIST_NAME, PVPConstants.MANDATE_NAT_PER_BPK_LIST_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.MANDATE_NAT_PER_ENC_BPK_LIST_NAME, PVPConstants.MANDATE_NAT_PER_ENC_BPK_LIST_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME, PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME, PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME, PVPConstants.MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME, PVPConstants.MANDATE_LEG_PER_FULL_NAME_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.MANDATE_PROF_REP_OID_NAME, PVPConstants.MANDATE_PROF_REP_OID_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.MANDATE_PROF_REP_DESC_NAME, PVPConstants.MANDATE_PROF_REP_DESC_FRIENDLY_NAME, false)); + add(Trible.newInstance(PVPConstants.MANDATE_REFERENCE_VALUE_NAME, PVPConstants.MANDATE_REFERENCE_VALUE_FRIENDLY_NAME, false)); + + } + }); + + public static final List<String> DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES = + Collections.unmodifiableList(new ArrayList<String>() { + private static final long serialVersionUID = 1L; + { + for (Trible<String, String, Boolean> el : DEFAULT_REQUIRED_PVP_ATTRIBUTES) + add(el.getFirst()); + } + }); + + +} + + diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthModuleImpl.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthModuleImpl.java new file mode 100644 index 000000000..85d9d0f76 --- /dev/null +++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthModuleImpl.java @@ -0,0 +1,119 @@ +/* + * Copyright 2019 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.eidproxyauth; + +import java.io.Serializable; + +import javax.annotation.PostConstruct; + +import org.apache.commons.lang3.StringUtils; +import org.springframework.beans.factory.annotation.Autowired; + +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; +import at.gv.egovernment.moa.id.moduls.AuthenticationManager; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class EIDProxyAuthModuleImpl implements AuthModule { + + @Autowired(required=true) private IConfiguration authConfig; + @Autowired(required=true) private AuthenticationManager authManager; + + private int priority = 0; + private final String AUTH_PROCESS_NAME = "EIDAuthentication"; + + @PostConstruct + protected void initalizeEIDProxyAuthentication() { + //parameter to whiteList + authManager.addParameterNameToWhiteList(EIDProxyAuthConstants.HTTP_PARAM_EIDPROXY_AUTH_SELECTION); + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#getPriority() + */ + @Override + public int getPriority() { + return priority; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#selectProcess(at.gv.egovernment.moa.id.process.api.ExecutionContext) + */ + @Override + public String selectProcess(ExecutionContext context, IRequest pendingReq) { + + if (Boolean.parseBoolean( + pendingReq.getServiceProviderConfiguration().getConfigurationValue( + MOAIDConfigurationConstants.SERVICE_AUTH_AUSTRIAN_EID_DEMO_MODE, + String.valueOf(false)))) { + Logger.debug("SP: " + pendingReq.getSPEntityId() + " activates E-ID mode."); + return AUTH_PROCESS_NAME; + + } else { + if (authConfig.getBasicConfigurationBoolean(EIDProxyAuthConstants.CONFIG_PROPS_DISABLE_PROCESS_ENFORCEMENT, true)) { + Logger.trace("Disable E-ID enforcment is 'true' "); + Serializable paramObj = context.get(EIDProxyAuthConstants.HTTP_PARAM_EIDPROXY_AUTH_SELECTION); + if (paramObj != null ) { + if (paramObj instanceof String) { + String param = (String)paramObj; + if (StringUtils.isNotEmpty(param) && Boolean.parseBoolean(param)) { + Logger.debug("Manually selected E-ID authentication process "); + return AUTH_PROCESS_NAME; + } + } + } + + return null; + + } else { + Logger.trace("Select E-ID authentication process ... "); + return AUTH_PROCESS_NAME; + + } + } + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#getProcessDefinitions() + */ + @Override + public String[] getProcessDefinitions() { + return new String[] { "classpath:EID_connector_auth.process.xml" }; + } + + /** + * @param priority the priority to set + */ + public void setPriority(int priority) { + this.priority = priority; + + } +} diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthSpringResourceProvider.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthSpringResourceProvider.java new file mode 100644 index 000000000..a38b84122 --- /dev/null +++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthSpringResourceProvider.java @@ -0,0 +1,63 @@ +/* + * Copyright 2019 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.eidproxyauth; + +import org.springframework.core.io.ClassPathResource; +import org.springframework.core.io.Resource; + +import at.gv.egiz.components.spring.api.SpringResourceProvider; + +/** + * @author tlenz + * + */ +public class EIDProxyAuthSpringResourceProvider implements SpringResourceProvider { + + /* (non-Javadoc) + * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getResourcesToLoad() + */ + @Override + public Resource[] getResourcesToLoad() { + ClassPathResource federationAuthConfig = new ClassPathResource("/moaid_EID_connector.beans.xml", EIDProxyAuthSpringResourceProvider.class); + + return new Resource[] {federationAuthConfig}; + } + + /* (non-Javadoc) + * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getPackagesToScan() + */ + @Override + public String[] getPackagesToScan() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getName() + */ + @Override + public String getName() { + return "MOA-ID Auth-module 'E-ID Authentication'"; + } + +} diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/config/EIDAuthMetadataConfiguration.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/config/EIDAuthMetadataConfiguration.java new file mode 100644 index 000000000..bd1157142 --- /dev/null +++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/config/EIDAuthMetadataConfiguration.java @@ -0,0 +1,355 @@ +/* + * Copyright 2019 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.eidproxyauth.config; + +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collection; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.NameIDType; +import org.opensaml.saml2.metadata.ContactPerson; +import org.opensaml.saml2.metadata.Organization; +import org.opensaml.saml2.metadata.RequestedAttribute; +import org.opensaml.xml.security.credential.Credential; + +import at.gv.egiz.eaaf.core.exceptions.EAAFException; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.data.Trible; +import at.gv.egiz.eaaf.modules.pvp2.api.IPVP2BasicConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPVPMetadataBuilderConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPAttributeBuilder; +import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.EIDProxyAuthConstants; +import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils.EIDAuthCredentialProvider; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class EIDAuthMetadataConfiguration implements IPVPMetadataBuilderConfiguration { + + private Collection<RequestedAttribute> additionalAttributes = null; + + + private String authURL; + private EIDAuthCredentialProvider credentialProvider; + private IPVP2BasicConfiguration pvpConfiguration; + + public EIDAuthMetadataConfiguration(String authURL, + EIDAuthCredentialProvider credentialProvider, + IPVP2BasicConfiguration pvpConfiguration) { + this.authURL = authURL; + this.credentialProvider = credentialProvider; + this.pvpConfiguration = pvpConfiguration; + } + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataValidUntil() + */ + @Override + public int getMetadataValidUntil() { + return EIDProxyAuthConstants.METADATA_VALIDUNTIL_IN_HOURS; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildEntitiesDescriptorAsRootElement() + */ + @Override + public boolean buildEntitiesDescriptorAsRootElement() { + return false; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildIDPSSODescriptor() + */ + @Override + public boolean buildIDPSSODescriptor() { + return false; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildSPSSODescriptor() + */ + @Override + public boolean buildSPSSODescriptor() { + return true; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityIDPostfix() + */ + @Override + public String getEntityID() { + return authURL + EIDProxyAuthConstants.ENDPOINT_METADATA; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityFriendlyName() + */ + @Override + public String getEntityFriendlyName() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getContactPersonInformation() + */ + @Override + public List<ContactPerson> getContactPersonInformation() { + try { + return pvpConfiguration.getIDPContacts(); + + } catch (EAAFException e) { + Logger.warn("Can not load Metadata entry: Contect Person", e); + return null; + + } + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getOrgansiationInformation() + */ + @Override + public Organization getOrgansiationInformation() { + try { + return pvpConfiguration.getIDPOrganisation(); + + } catch (EAAFException e) { + Logger.warn("Can not load Metadata entry: Organisation", e); + return null; + + } + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataSigningCredentials() + */ + @Override + public Credential getMetadataSigningCredentials() throws CredentialsNotAvailableException { + return credentialProvider.getIDPMetaDataSigningCredential(); + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getRequestorResponseSigningCredentials() + */ + @Override + public Credential getRequestorResponseSigningCredentials() throws CredentialsNotAvailableException { + return credentialProvider.getIDPAssertionSigningCredential(); + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEncryptionCredentials() + */ + @Override + public Credential getEncryptionCredentials() throws CredentialsNotAvailableException { + return credentialProvider.getIDPAssertionEncryptionCredential(); + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSOPostBindingURL() + */ + @Override + public String getIDPWebSSOPostBindingURL() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSORedirectBindingURL() + */ + @Override + public String getIDPWebSSORedirectBindingURL() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLOPostBindingURL() + */ + @Override + public String getIDPSLOPostBindingURL() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLORedirectBindingURL() + */ + @Override + public String getIDPSLORedirectBindingURL() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServicePostBindingURL() + */ + @Override + public String getSPAssertionConsumerServicePostBindingURL() { + return authURL + EIDProxyAuthConstants.ENDPOINT_POST; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServiceRedirectBindingURL() + */ + @Override + public String getSPAssertionConsumerServiceRedirectBindingURL() { + return authURL + EIDProxyAuthConstants.ENDPOINT_REDIRECT; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOPostBindingURL() + */ + @Override + public String getSPSLOPostBindingURL() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLORedirectBindingURL() + */ + @Override + public String getSPSLORedirectBindingURL() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOSOAPBindingURL() + */ + @Override + public String getSPSLOSOAPBindingURL() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleAttributes() + */ + @Override + public List<Attribute> getIDPPossibleAttributes() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleNameITTypes() + */ + @Override + public List<String> getIDPPossibleNameITTypes() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPRequiredAttributes() + */ + @Override + public Collection<RequestedAttribute> getSPRequiredAttributes() { + Map<String, RequestedAttribute> requestedAttributes = new HashMap<String, RequestedAttribute>(); + for (Trible<String, String, Boolean> el : EIDProxyAuthConstants.DEFAULT_REQUIRED_PVP_ATTRIBUTES) + requestedAttributes.put(el.getFirst(), PVPAttributeBuilder.buildReqAttribute(el.getFirst(), el.getSecond(), el.getThird())); + + if (additionalAttributes != null) { + Logger.trace("Add additional PVP attributes into metadata ... "); + for (RequestedAttribute el : additionalAttributes) { + if (requestedAttributes.containsKey(el.getName())) + Logger.debug("Attribute " + el.getName() + " is already added by default configuration. Overwrite it by user configuration"); + + requestedAttributes.put(el.getName(), el); + + } + } + + return requestedAttributes.values(); + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAllowedNameITTypes() + */ + @Override + public List<String> getSPAllowedNameITTypes() { + return Arrays.asList(NameIDType.PERSISTENT); + + } + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#getSPNameForLogging() + */ + @Override + public String getSPNameForLogging() { + return EIDProxyAuthConstants.MODULE_NAME_FOR_LOGGING; + } + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#wantAssertionSigned() + */ + @Override + public boolean wantAssertionSigned() { + return false; + } + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#wantAuthnRequestSigned() + */ + @Override + public boolean wantAuthnRequestSigned() { + return true; + } + + /** + * Add additonal PVP attributes that are required by this deployment + * + * @param additionalAttr List of PVP attribute name and isRequired flag + */ + public void setAdditionalRequiredAttributes(List<Pair<String, Boolean>> additionalAttr) { + if (additionalAttr != null) { + additionalAttributes = new ArrayList<RequestedAttribute>(); + for (Pair<String, Boolean> el : additionalAttr) { + Attribute attributBuilder = PVPAttributeBuilder.buildEmptyAttribute(el.getFirst()); + if (attributBuilder != null) { + additionalAttributes.add( + PVPAttributeBuilder.buildReqAttribute( + attributBuilder.getName(), + attributBuilder.getFriendlyName(), + el.getSecond())); + + } else + Logger.info("NO PVP attribute with name: " + el.getFirst()); + + } + } + } + +} diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/config/EIDAuthRequestBuilderConfiguration.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/config/EIDAuthRequestBuilderConfiguration.java new file mode 100644 index 000000000..5ed41c397 --- /dev/null +++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/config/EIDAuthRequestBuilderConfiguration.java @@ -0,0 +1,271 @@ +/* + * Copyright 2019 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.eidproxyauth.config; + +import java.util.List; + +import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.xml.security.credential.Credential; +import org.w3c.dom.Element; + +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute; +import at.gv.egiz.eaaf.modules.pvp2.sp.api.IPVPAuthnRequestBuilderConfiguruation; +import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.EIDProxyAuthConstants; + +/** + * @author tlenz + * + */ +public class EIDAuthRequestBuilderConfiguration implements IPVPAuthnRequestBuilderConfiguruation { + + private boolean isPassive; + private String SPEntityID; + private String QAA_Level; + private EntityDescriptor idpEntity; + private Credential signCred; + private String scopeRequesterId; + private String providerName; + private List<EAAFRequestedAttribute> requestedAttributes; + private String reqId; + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#isPassivRequest() + */ + @Override + public Boolean isPassivRequest() { + return this.isPassive; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAssertionConsumerServiceId() + */ + @Override + public Integer getAssertionConsumerServiceId() { + return 0; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getEntityID() + */ + @Override + public String getSPEntityID() { + return this.SPEntityID; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy() + */ + @Override + public String getNameIDPolicyFormat() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy() + */ + @Override + public boolean getNameIDPolicyAllowCreation() { + return true; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnContextClassRef() + */ + @Override + public String getAuthnContextClassRef() { + return this.QAA_Level; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnContextComparison() + */ + @Override + public AuthnContextComparisonTypeEnumeration getAuthnContextComparison() { + return AuthnContextComparisonTypeEnumeration.MINIMUM; + } + + /** + * @param isPassive the isPassive to set + */ + public void setPassive(boolean isPassive) { + this.isPassive = isPassive; + } + + /** + * @param sPEntityID the sPEntityID to set + */ + public void setSPEntityID(String sPEntityID) { + SPEntityID = sPEntityID; + } + + /** + * @param qAA_Level the qAA_Level to set + */ + public void setQAA_Level(String qAA_Level) { + QAA_Level = qAA_Level; + } + + /** + * @param idpEntity the idpEntity to set + */ + public void setIdpEntity(EntityDescriptor idpEntity) { + this.idpEntity = idpEntity; + } + + /** + * @param signCred the signCred to set + */ + public void setSignCred(Credential signCred) { + this.signCred = signCred; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnRequestSigningCredential() + */ + @Override + public Credential getAuthnRequestSigningCredential() { + return this.signCred; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getIDPEntityDescriptor() + */ + @Override + public EntityDescriptor getIDPEntityDescriptor() { + return this.idpEntity; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameID() + */ + @Override + public String getSubjectNameID() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSPNameForLogging() + */ + @Override + public String getSPNameForLogging() { + return EIDProxyAuthConstants.MODULE_NAME_FOR_LOGGING; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDFormat() + */ + @Override + public String getSubjectNameIDFormat() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getRequestID() + */ + @Override + public String getRequestID() { + return this.reqId; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDQualifier() + */ + @Override + public String getSubjectNameIDQualifier() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationMethode() + */ + @Override + public String getSubjectConformationMethode() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationDate() + */ + @Override + public Element getSubjectConformationDate() { + return null; + } + + @Override + public List<EAAFRequestedAttribute> getRequestedAttributes() { + return this.requestedAttributes; + + } + + @Override + public String getProviderName() { + return this.providerName; + } + + @Override + public String getScopeRequesterId() { + return this.scopeRequesterId; + } + + /** + * Set the entityId of the SP that requests the proxy for eIDAS authentication + * + * @param scopeRequesterId + */ + public void setScopeRequesterId(String scopeRequesterId) { + this.scopeRequesterId = scopeRequesterId; + } + + /** + * Set a friendlyName for the SP that requests the proxy for eIDAS authentication + * + * @param providerName + */ + public void setProviderName(String providerName) { + this.providerName = providerName; + } + + /** + * Set a Set of PVP attributes that a requested by using requested attributes + * + * @param requestedAttributes + */ + public void setRequestedAttributes(List<EAAFRequestedAttribute> requestedAttributes) { + this.requestedAttributes = requestedAttributes; + } + + /** + * Set a RequestId for this Authn. Request + * + * @param reqId + */ + public void setRequestId(String reqId) { + this.reqId = reqId; + } + + + + +} diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/controller/EIDAuthMetadataController.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/controller/EIDAuthMetadataController.java new file mode 100644 index 000000000..90ecb0942 --- /dev/null +++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/controller/EIDAuthMetadataController.java @@ -0,0 +1,133 @@ +/* + * Copyright 2019 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.eidproxyauth.controller; + +import java.io.IOException; +import java.util.ArrayList; +import java.util.List; +import java.util.Map; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; + +import com.google.common.net.MediaType; + +import at.gv.egiz.eaaf.core.exceptions.EAAFException; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController; +import at.gv.egiz.eaaf.core.impl.utils.HTTPUtils; +import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils; +import at.gv.egiz.eaaf.modules.pvp2.api.IPVP2BasicConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPMetadataBuilder; +import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.EIDProxyAuthConstants; +import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.config.EIDAuthMetadataConfiguration; +import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils.EIDAuthCredentialProvider; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +@Controller +public class EIDAuthMetadataController extends AbstractController { + + @Autowired PVPMetadataBuilder metadatabuilder; + @Autowired AuthConfiguration authConfig; + @Autowired EIDAuthCredentialProvider credentialProvider; + @Autowired IPVP2BasicConfiguration pvpConfiguration; + + public EIDAuthMetadataController() { + super(); + Logger.debug("Registering servlet " + getClass().getName() + + " with mappings '" + EIDProxyAuthConstants.ENDPOINT_METADATA + + "'."); + + } + + @RequestMapping(value = EIDProxyAuthConstants.ENDPOINT_METADATA, + method = {RequestMethod.GET}) + public void getSPMetadata(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException { + //check PublicURL prefix + try { + String authURL = HTTPUtils.extractAuthURLFromRequest(req); + if (!authConfig.getPublicURLPrefix().contains(authURL)) { + resp.sendError(HttpServletResponse.SC_FORBIDDEN, "No valid request URL"); + return; + + } else { + //initialize metadata builder configuration + EIDAuthMetadataConfiguration metadataConfig = + new EIDAuthMetadataConfiguration(authURL, credentialProvider, pvpConfiguration); + metadataConfig.setAdditionalRequiredAttributes(getAdditonalRequiredAttributes()); + + //build metadata + String xmlMetadata = metadatabuilder.buildPVPMetadata(metadataConfig); + + //write response + byte[] content = xmlMetadata.getBytes("UTF-8"); + resp.setStatus(HttpServletResponse.SC_OK); + resp.setContentLength(content.length); + resp.setContentType(MediaType.XML_UTF_8.toString()); + resp.getOutputStream().write(content); + + } + + } catch (Exception e) { + Logger.warn("Build E-ID Proxy PVP metadata FAILED.", e); + protAuthService.handleErrorNoRedirect(e, req, resp, false); + + } + + } + + private List<Pair<String, Boolean>> getAdditonalRequiredAttributes() { + Map<String, String> addReqAttributes = authConfig.getBasicConfigurationWithPrefix(EIDProxyAuthConstants.CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST); + if (addReqAttributes != null) { + List<Pair<String, Boolean>> result = new ArrayList<Pair<String, Boolean>>(); + for (String el : addReqAttributes.values()) { + if (MiscUtil.isNotEmpty(el)) { + Logger.trace("Parse additional attr. definition: " + el); + List<String> attr = KeyValueUtils.getListOfCSVValues(el.trim()); + if (attr.size() == 2) { + result.add(Pair.newInstance(attr.get(0), Boolean.parseBoolean(attr.get(1)))); + + } else + Logger.info("IGNORE additional attr. definition: " + el + + " Reason: Format not valid"); + } + } + + return result; + } + + return null; + } + +} diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/controller/EIDAuthSignalController.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/controller/EIDAuthSignalController.java new file mode 100644 index 000000000..16a6e5aab --- /dev/null +++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/controller/EIDAuthSignalController.java @@ -0,0 +1,68 @@ +/* + * Copyright 2019 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.eidproxyauth.controller; + +import java.io.IOException; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.text.StringEscapeUtils; +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; + +import at.gv.egiz.eaaf.core.exceptions.EAAFException; +import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController; +import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.EIDProxyAuthConstants; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +@Controller +public class EIDAuthSignalController extends AbstractProcessEngineSignalController { + + public EIDAuthSignalController() { + super(); + Logger.debug("Registering servlet " + getClass().getName() + + " with mappings '" + EIDProxyAuthConstants.ENDPOINT_POST + + "' and '" + EIDProxyAuthConstants.ENDPOINT_REDIRECT + "'."); + + } + + @RequestMapping(value = { EIDProxyAuthConstants.ENDPOINT_POST, + EIDProxyAuthConstants.ENDPOINT_REDIRECT + }, + method = {RequestMethod.POST, RequestMethod.GET}) + public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException { + signalProcessManagement(req, resp); + + } + + public String getPendingRequestId(HttpServletRequest request) { + return StringEscapeUtils.escapeHtml4(request.getParameter("RelayState")); + + } +} diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/tasks/CreateAuthnRequestTask.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/tasks/CreateAuthnRequestTask.java new file mode 100644 index 000000000..38a7c4add --- /dev/null +++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/tasks/CreateAuthnRequestTask.java @@ -0,0 +1,146 @@ +/* + * Copyright 2019 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.eidproxyauth.tasks; + +import java.security.NoSuchAlgorithmException; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.opensaml.common.impl.SecureRandomIdentifierGenerator; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.provider.MetadataProviderException; +import org.opensaml.ws.message.encoder.MessageEncodingException; +import org.opensaml.xml.security.SecurityException; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnRequestBuildException; +import at.gv.egiz.eaaf.modules.pvp2.sp.impl.PVPAuthnRequestBuilder; +import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; +import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.EIDProxyAuthConstants; +import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.config.EIDAuthRequestBuilderConfiguration; +import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils.EIDAuthCredentialProvider; +import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils.EIDAuthMetadataProvider; +import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils.Utils; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +@Component("CreateEIDSystemAuthnRequestTask") +public class CreateAuthnRequestTask extends AbstractAuthServletTask { + + @Autowired PVPAuthnRequestBuilder authnReqBuilder; + @Autowired EIDAuthCredentialProvider credential; + @Autowired EIDAuthMetadataProvider metadataService; + + //@Autowired(required=true) ILoALevelMapper loaMapper; + //@Autowired(required=true) MOAMetadataProvider metadataProvider; + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) + */ + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + try{ + revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_EID_SERVICE_SELECTED); + + // get entityID for central ms-specific eIDAS node + String msNodeEntityID = Utils.getEIDSystemEntityId(pendingReq.getServiceProviderConfiguration(), authConfig); + + + if (MiscUtil.isEmpty(msNodeEntityID)) { + Logger.info("E-ID authentication not possible -> NO EntityID for E-ID System FOUND!"); + throw new MOAIDException("NO EntityID for E-ID System FOUND", null); + + } + + //load metadata with metadataURL, as backup + String metadataURL = authConfig.getBasicConfiguration(EIDProxyAuthConstants.CONFIG_PROPS_NODE_METADATAURL); + if (MiscUtil.isNotEmpty(metadataURL)) { + Logger.warn("Use not recommended metadata-provider initialization!" + + " SAML2 'Well-Known-Location' is the preferred methode."); + Logger.info("Initialize 'E-ID System' metadata-provider with URL:" + metadataURL); + metadataService.addMetadataWithMetadataURL(metadataURL); + + } + + //load IDP SAML2 entitydescriptor + EntityDescriptor entityDesc = metadataService.getEntityDescriptor(msNodeEntityID); + if (entityDesc == null) { + Logger.error("Requested 'E-ID System' " + entityDesc + + " has no valid metadata or metadata is not found"); + throw new MOAIDException("Requested 'E-ID System' " + entityDesc + + " has no valid metadata or metadata is not found", null); + + } + + //setup AuthnRequestBuilder configuration + EIDAuthRequestBuilderConfiguration authnReqConfig = new EIDAuthRequestBuilderConfiguration(); + SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator(); + authnReqConfig.setRequestId(gen.generateIdentifier()); + authnReqConfig.setIdpEntity(entityDesc); + authnReqConfig.setPassive(false); + authnReqConfig.setSignCred(credential.getIDPAssertionSigningCredential()); + authnReqConfig.setSPEntityID(pendingReq.getAuthURL() + EIDProxyAuthConstants.ENDPOINT_METADATA); + authnReqConfig.setScopeRequesterId(pendingReq.getServiceProviderConfiguration().getUniqueIdentifier()); + + //build and transmit AuthnRequest + authnReqBuilder.buildAuthnRequest(pendingReq, authnReqConfig , response); + + revisionsLogger.logEvent(pendingReq, + MOAIDEventConstants.AUTHPROCESS_EID_SERVICE_REQUESTED, + authnReqConfig.getRequestID()); + + } catch (MOAIDException e) { + throw new TaskExecutionException(pendingReq, e.getMessage(), e); + + } catch (MetadataProviderException e) { + + throw new TaskExecutionException(pendingReq, + "Build PVP2.1 AuthnRequest to connect 'E-ID System' FAILED.", + new AuthnRequestBuildException("sp.pvp2.02", new Object[] {"'E-ID System'"},e )); + + } catch (MessageEncodingException | NoSuchAlgorithmException | SecurityException e) { + Logger.error("Build PVP2.1 AuthnRequest to connect 'E-ID System' FAILED", e); + throw new TaskExecutionException(pendingReq, + e.getMessage(), + new AuthnRequestBuildException("sp.pvp2.13", new Object[] {"'E-ID System'"},e )); + + } catch (Exception e) { + Logger.error("Build PVP2.1 AuthnRequest to connect 'E-ID System' FAILED", e); + throw new TaskExecutionException(pendingReq, e.getMessage(), e); + + } + } + +} diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/tasks/ReceiveAuthnResponseTask.java new file mode 100644 index 000000000..6da4ba047 --- /dev/null +++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/tasks/ReceiveAuthnResponseTask.java @@ -0,0 +1,309 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.eidproxyauth.tasks; + +import java.io.IOException; +import java.util.List; +import java.util.Set; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.xml.transform.TransformerException; + +import org.apache.commons.lang3.StringUtils; +import org.opensaml.saml2.core.Response; +import org.opensaml.saml2.core.StatusCode; +import org.opensaml.ws.message.decoder.MessageDecodingException; +import org.opensaml.xml.io.MarshallingException; +import org.opensaml.xml.security.SecurityException; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +import at.gv.egiz.eaaf.core.api.data.EAAFConstants; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException; +import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; +import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; +import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import at.gv.egiz.eaaf.modules.pvp2.PVPConstants; +import at.gv.egiz.eaaf.modules.pvp2.api.binding.IDecoder; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding; +import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PVPSProfileResponse; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EAAFURICompare; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; +import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionValidationExeption; +import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnResponseValidationException; +import at.gv.egiz.eaaf.modules.pvp2.sp.impl.utils.AssertionAttributeExtractor; +import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionWrapper; +import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.EIDProxyAuthConstants; +import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils.EIDAuthCredentialProvider; +import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils.EIDAuthMetadataProvider; +import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils.Utils; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +@Component("ReceiveEIDSystemAuthnResponseTask") +public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { + + @Autowired private SAMLVerificationEngineSP samlVerificationEngine; + @Autowired private EIDAuthCredentialProvider credentialProvider; + @Autowired(required=true) EIDAuthMetadataProvider metadataProvider; + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) + */ + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + InboundMessage msg = null; + + try { + + IDecoder decoder = null; + EAAFURICompare comperator = null; + //select Response Binding + if (request.getMethod().equalsIgnoreCase("POST")) { + decoder = new PostBinding(); + comperator = new EAAFURICompare(pendingReq.getAuthURL() + EIDProxyAuthConstants.ENDPOINT_POST); + Logger.trace("Receive PVP Response from 'E-ID System', by using POST-Binding."); + + } else if (request.getMethod().equalsIgnoreCase("GET")) { + decoder = new RedirectBinding(); + comperator = new EAAFURICompare(pendingReq.getAuthURL() + EIDProxyAuthConstants.ENDPOINT_REDIRECT); + Logger.trace("Receive PVP Response from 'E-ID System', by using Redirect-Binding."); + + } else { + Logger.warn("Receive PVP Response, but Binding (" + + request.getMethod() + ") is not supported."); + throw new AuthnResponseValidationException("sp.pvp2.03", new Object[] {EIDProxyAuthConstants.MODULE_NAME_FOR_LOGGING}); + + } + + //decode PVP response object + msg = (InboundMessage) decoder.decode( + request, response, metadataProvider, true, + comperator); + + if (MiscUtil.isEmpty(msg.getEntityID())) { + throw new InvalidProtocolRequestException("sp.pvp2.04", + new Object[] {EIDProxyAuthConstants.MODULE_NAME_FOR_LOGGING}); + + } + + //validate response signature + if(!msg.isVerified()) { + samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); + msg.setVerified(true); + + } + + //validate assertion + PVPSProfileResponse processedMsg = preProcessAuthResponse((PVPSProfileResponse) msg); + + //validate entityId of response + String msNodeEntityID = Utils.getEIDSystemEntityId(pendingReq.getServiceProviderConfiguration(), authConfig); + String respEntityId = msg.getEntityID(); + if (!msNodeEntityID.equals(respEntityId)) { + Logger.warn("Response Issuer is not a 'E-ID System'. Stopping authentication via E-ID Proxy ..."); + throw new AuthnResponseValidationException("sp.pvp2.08", + new Object[] {EIDProxyAuthConstants.MODULE_NAME_FOR_LOGGING, + msg.getEntityID()}); + + } + + //initialize Attribute extractor + AssertionAttributeExtractor extractor = + new AssertionAttributeExtractor((Response) processedMsg.getResponse()); + + getAuthDataFromInterfederation(extractor, pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class)); + + //set NeedConsent to false, because user gives consont during authentication + pendingReq.setNeedUserConsent(false); + + //store pending-request + requestStoreage.storePendingRequest(pendingReq); + + //write log entries + revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_EID_SERVICE_ATTRIBUTES_VALID); + Logger.info("Receive a valid assertion from E-ID System " + msg.getEntityID()); + + } catch (MessageDecodingException | SecurityException e) { + String samlRequest = request.getParameter("SAMLRequest"); + Logger.warn("Receive INVALID PVP Response from 'E-ID System': " + samlRequest, e); + throw new TaskExecutionException(pendingReq, "Receive INVALID PVP Response from federated IDP", + new AuthnResponseValidationException("sp.pvp2.11", new Object[] {"'E-ID System'"}, e)); + + } catch (IOException | MarshallingException | TransformerException e) { + Logger.warn("Processing PVP response from 'ms-specific eIDAS node' FAILED.", e); + throw new TaskExecutionException(pendingReq, "Processing PVP response from 'E-ID System' FAILED.", + new AuthnResponseValidationException("sp.pvp2.12", new Object[] {"'E-ID System'", e.getMessage()}, e)); + + } catch (CredentialsNotAvailableException e) { + Logger.error("PVP response decrytion FAILED. No credential found.", e); + throw new TaskExecutionException(pendingReq, "PVP response decrytion FAILED. No credential found.", + new AuthnResponseValidationException("sp.pvp2.10", new Object[] {"'E-ID System'"}, e)); + + } catch (AssertionValidationExeption | AuthnResponseValidationException e) { + Logger.info("PVP response validation FAILED. Msg:" + e.getMessage()); + throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", + new AuthnResponseValidationException("sp.pvp2.10", new Object[] {"'E-ID System'"}, e)); + + } catch (Exception e) { + Logger.warn("PVP response validation FAILED. Msg:" + e.getMessage(), e); + throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", + new AuthnResponseValidationException("sp.pvp2.12", new Object[] {"'E-ID System'", e.getMessage()}, e)); + + } + + } + + private void getAuthDataFromInterfederation(AssertionAttributeExtractor extractor, IOAAuthParameters spConfig) throws BuildException, ConfigurationException{ + try { + //check if all attributes are include +// if (!extractor.containsAllRequiredAttributes() +// && !extractor.containsAllRequiredAttributes(EIDProxyAuthConstants.DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES)) { +// Logger.warn("PVP Response from 'E-ID System' contains not all requested attributes."); +// throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{EIDProxyAuthConstants.MODULE_NAME_FOR_LOGGING}); +// +// } + + //copy attributes into MOASession + AuthenticationSessionWrapper session = pendingReq.getSessionData(AuthenticationSessionWrapper.class); + Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames(); + for (String el : includedAttrNames) { + String value = extractor.getSingleAttributeValue(el); + session.setGenericDataToSession(el, value); + Logger.debug("Add PVP-attribute " + el + " into MOASession"); + + } + + //set foreigner flag + List<String> eidIssuer = extractor.getAttributeValues(PVPConstants.EID_ISSUING_NATION_NAME); + if (eidIssuer != null && !eidIssuer.isEmpty() && MiscUtil.isNotEmpty(eidIssuer.get(0))) { + String cc = eidIssuer.get(0); + Logger.debug("Find Attr: '" + PVPConstants.EID_ISSUING_NATION_FRIENDLY_NAME + "' with value: " + cc); + if (EAAFConstants.COUNTRYCODE_AUSTRIA.equals(cc)) + session.setForeigner(false); + else + session.setForeigner(true); + + } + + //set BKU URL + List<String> ccsUrl = extractor.getAttributeValues(PVPConstants.EID_CCS_URL_NAME); + if (ccsUrl != null && !ccsUrl.isEmpty() && MiscUtil.isNotEmpty(ccsUrl.get(0))) + session.setBkuURL(ccsUrl.get(0)); + else if (extractor.getFullAssertion().getIssuer() != null && + StringUtils.isNotEmpty(extractor.getFullAssertion().getIssuer().getValue())) + session.setBkuURL(extractor.getFullAssertion().getIssuer().getValue()); + else + session.setBkuURL("E-ID_Authentication"); + + //check if mandates are included + if (extractor.containsAttribute(PVPConstants.MANDATE_TYPE_NAME) + || extractor.containsAttribute(PVPConstants.MANDATE_TYPE_OID_NAME) + || extractor.containsAttribute(PVPConstants.MANDATE_REFERENCE_VALUE_NAME) ) { + + Logger.debug("Find Mandate-Attributes in E-ID response. Switch to mandate-mode ... "); + session.setUseMandates(true); + + //check if mandate was used by ... + if (extractor.containsAttribute(PVPConstants.MANDATE_PROF_REP_OID_NAME) || + extractor.containsAttribute(PVPConstants.MANDATE_PROF_REP_DESC_NAME) ) { + Logger.debug("Find PROF_REP information in mandate. Switch to 'Organwalter' mode ..."); + session.setOW(true); + + } + + } + + + + +// } catch (AssertionValidationExeption e) { +// throw new BuildException("builder.06", null, e); + + } catch (EAAFStorageException e) { + throw new BuildException("builder.06", null, e); + + } + } + + /** + * PreProcess AuthResponse and Assertion + * @param msg + * @throws TransformerException + * @throws MarshallingException + * @throws IOException + * @throws CredentialsNotAvailableException + * @throws AssertionValidationExeption + * @throws AuthnResponseValidationException + */ + private PVPSProfileResponse preProcessAuthResponse(PVPSProfileResponse msg) throws IOException, MarshallingException, TransformerException, AssertionValidationExeption, CredentialsNotAvailableException, AuthnResponseValidationException { + Logger.debug("Start PVP21 assertion processing... "); + Response samlResp = (Response) msg.getResponse(); + + // check SAML2 response status-code + if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { + //validate PVP 2.1 assertion + samlVerificationEngine.validateAssertion(samlResp, true, + credentialProvider.getIDPAssertionEncryptionCredential(), + pendingReq.getAuthURL() + EIDProxyAuthConstants.ENDPOINT_METADATA, + EIDProxyAuthConstants.MODULE_NAME_FOR_LOGGING); + + msg.setSAMLMessage(SAML2Utils.asDOMDocument(samlResp).getDocumentElement()); + revisionsLogger.logEvent(pendingReq, + MOAIDEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_RECEIVED, + samlResp.getID()); + return msg; + + } else { + Logger.info("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue() + + " from 'E-ID System'."); + revisionsLogger.logEvent(pendingReq, + MOAIDEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_RECEIVED_ERROR); + throw new AuthnResponseValidationException("sp.pvp2.05", + new Object[]{EIDProxyAuthConstants.MODULE_NAME_FOR_LOGGING, + samlResp.getIssuer().getValue(), + samlResp.getStatus().getStatusCode().getValue(), + samlResp.getStatus().getStatusMessage().getMessage()}); + + } + + } + +} diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/EIDAuthCredentialProvider.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/EIDAuthCredentialProvider.java new file mode 100644 index 000000000..a9b886a85 --- /dev/null +++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/EIDAuthCredentialProvider.java @@ -0,0 +1,124 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; + +import at.gv.egiz.eaaf.core.impl.utils.FileUtils; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider; +import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.EIDProxyAuthConstants; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; + +/** + * @author tlenz + * + */ +@Service("EIDAuthCredentialProvider") +public class EIDAuthCredentialProvider extends AbstractCredentialProvider { + + @Autowired AuthConfiguration authConfig; + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getKeyStoreFilePath() + */ + @Override + public String getKeyStoreFilePath() throws ConfigurationException { + return FileUtils.makeAbsoluteURL( + authConfig.getBasicConfiguration(EIDProxyAuthConstants.CONFIG_PROPS_KEYSTORE), + authConfig.getRootConfigFileDir()); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getKeyStorePassword() + */ + @Override + public String getKeyStorePassword() { + return authConfig.getBasicConfiguration(EIDProxyAuthConstants.CONFIG_PROPS_KEYSTOREPASSWORD).trim(); + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getMetadataKeyAlias() + */ + @Override + public String getMetadataKeyAlias() { + return authConfig.getBasicConfiguration( + EIDProxyAuthConstants.CONFIG_PROPS_SIGN_METADATA_ALIAS_PASSWORD).trim(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getMetadataKeyPassword() + */ + @Override + public String getMetadataKeyPassword() { + return authConfig.getBasicConfiguration( + EIDProxyAuthConstants.CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD).trim(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getSignatureKeyAlias() + */ + @Override + public String getSignatureKeyAlias() { + return authConfig.getBasicConfiguration( + EIDProxyAuthConstants.CONFIG_PROPS_SIGN_SIGNING_ALIAS_PASSWORD).trim(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getSignatureKeyPassword() + */ + @Override + public String getSignatureKeyPassword() { + return authConfig.getBasicConfiguration( + EIDProxyAuthConstants.CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD).trim(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getEncryptionKeyAlias() + */ + @Override + public String getEncryptionKeyAlias() { + return authConfig.getBasicConfiguration( + EIDProxyAuthConstants.CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD).trim(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getEncryptionKeyPassword() + */ + @Override + public String getEncryptionKeyPassword() { + return authConfig.getBasicConfiguration( + EIDProxyAuthConstants.CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD).trim(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getCredentialName() + */ + @Override + public String getFriendlyName() { + return "E-ID Proxy authentication"; + } + +} diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/EIDAuthMetadataProvider.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/EIDAuthMetadataProvider.java new file mode 100644 index 000000000..649cfa691 --- /dev/null +++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/EIDAuthMetadataProvider.java @@ -0,0 +1,347 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils; + +import java.net.MalformedURLException; +import java.util.List; +import java.util.Timer; + +import javax.xml.namespace.QName; + +import org.apache.commons.httpclient.HttpClient; +import org.apache.commons.httpclient.MOAHttpClient; +import org.apache.commons.httpclient.params.HttpClientParams; +import org.opensaml.saml2.metadata.EntitiesDescriptor; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.RoleDescriptor; +import org.opensaml.saml2.metadata.provider.ChainingMetadataProvider; +import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider; +import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.saml2.metadata.provider.MetadataProvider; +import org.opensaml.saml2.metadata.provider.MetadataProviderException; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.parse.BasicParserPool; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; + +import at.gv.egiz.components.spring.api.IDestroyableObject; +import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.MetadataFilterChain; +import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.SimpleMetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SchemaValidationFilter; +import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.EIDProxyAuthConstants; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; +import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MOASPMetadataSignatureFilter; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ + +@Service("EIDAuthMetadataProvider") +public class EIDAuthMetadataProvider extends SimpleMetadataProvider + implements IDestroyableObject { + @Autowired(required=true) AuthConfiguration moaAuthConfig; + + private ChainingMetadataProvider metadataProvider = new ChainingMetadataProvider(); + private Timer timer = null; + + + public EIDAuthMetadataProvider() { + metadataProvider.setRequireValidMetadata(true); + + } + + public void addMetadataWithMetadataURL(String metadataURL) throws MetadataProviderException { + internalInitialize(metadataURL); + + } + + public void destroy() { + fullyDestroy(); + + } + + + + /* (non-Javadoc) + * @see org.opensaml.saml2.metadata.provider.MetadataProvider#requireValidMetadata() + */ + @Override + public boolean requireValidMetadata() { + return metadataProvider.requireValidMetadata(); + + } + + /* (non-Javadoc) + * @see org.opensaml.saml2.metadata.provider.MetadataProvider#setRequireValidMetadata(boolean) + */ + @Override + public void setRequireValidMetadata(boolean requireValidMetadata) { + metadataProvider.setRequireValidMetadata(requireValidMetadata); + + } + + /* (non-Javadoc) + * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getMetadataFilter() + */ + @Override + public MetadataFilter getMetadataFilter() { + return metadataProvider.getMetadataFilter(); + + } + + /* (non-Javadoc) + * @see org.opensaml.saml2.metadata.provider.MetadataProvider#setMetadataFilter(org.opensaml.saml2.metadata.provider.MetadataFilter) + */ + @Override + public void setMetadataFilter(MetadataFilter newFilter) throws MetadataProviderException { + Logger.fatal("Set Metadata Filter is not implemented her!"); + + } + + /* (non-Javadoc) + * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getMetadata() + */ + @Override + public XMLObject getMetadata() throws MetadataProviderException { + return metadataProvider.getMetadata(); + + } + + /* (non-Javadoc) + * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getEntitiesDescriptor(java.lang.String) + */ + @Override + public EntitiesDescriptor getEntitiesDescriptor(String name) throws MetadataProviderException { + return metadataProvider.getEntitiesDescriptor(name); + + } + + /* (non-Javadoc) + * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getEntityDescriptor(java.lang.String) + */ + @Override + public EntityDescriptor getEntityDescriptor(String entityID) throws MetadataProviderException { + try { + //search if metadata is already loaded + EntityDescriptor entityDesc = metadataProvider.getEntityDescriptor(entityID); + + if (entityDesc != null) + return entityDesc; + else + Logger.info("No metadata from centrial E-ID system " + entityID + " Starting refresh process ..."); + + } catch (MetadataProviderException e) { + Logger.info("Access metadata from centrial E-ID system: " + entityID + " FAILED. Reason:" + e.getMessage() + " Starting refresh process ..."); + + } + + //(re)initialize ms-specific eIDAS node + internalInitialize(entityID); + + //search again after reload (re)initialization + try { + EntityDescriptor entityDesc = metadataProvider.getEntityDescriptor(entityID); + if (entityDesc == null) { + Logger.error("E-ID Proxy Client ERROR: No EntityID with "+ entityID); + throw new MetadataProviderException("No EntityID with "+ entityID); + } + + return entityDesc; + + } catch (MetadataProviderException e) { + Logger.error("E-ID Proxy Client ERROR: Metadata extraction FAILED.", e); + throw new MetadataProviderException("Metadata extraction FAILED", e); + + } + } + + /* (non-Javadoc) + * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getRole(java.lang.String, javax.xml.namespace.QName) + */ + @Override + public List<RoleDescriptor> getRole(String entityID, QName roleName) throws MetadataProviderException { + try { + //search if metadata is already loaded + List<RoleDescriptor> role = metadataProvider.getRole(entityID, roleName); + + if (role != null) + return role; + else + Logger.info("No metadata from centrial E-ID system: " + entityID + " Starting refresh process ..."); + + } catch (MetadataProviderException e) { + Logger.info("Access metadata from centrial E-ID system: " + entityID + " FAILED. Reason:" + e.getMessage() + " Starting refresh process ..."); + + } + + //(re)initialize ms-specific eIDAS node + internalInitialize(entityID); + + //search again after reload (re)initialization + return metadataProvider.getRole(entityID, roleName); + } + + /* (non-Javadoc) + * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getRole(java.lang.String, javax.xml.namespace.QName, java.lang.String) + */ + @Override + public RoleDescriptor getRole(String entityID, QName roleName, String supportedProtocol) + throws MetadataProviderException { + try { + //search if metadata is already loaded + RoleDescriptor role = metadataProvider.getRole(entityID, roleName, supportedProtocol); + + if (role != null) + return role; + else + Logger.info("No metadata from centrial E-ID system: " + entityID + " Starting refresh process ..."); + + } catch (MetadataProviderException e) { + Logger.info("Access metadata from centrial E-ID system: " + entityID + " FAILED. Reason:" + e.getMessage() + " Starting refresh process ..."); + + } + + //(re)initialize ms-specific eIDAS node + internalInitialize(entityID); + + //search again after reload (re)initialization + return metadataProvider.getRole(entityID, roleName, supportedProtocol); + } + + private synchronized void internalInitialize(String metdataURL) throws MetadataProviderException { + + //check if metadata with EntityID already exists in chaining metadata provider + boolean addNewMetadata = true; + try { + addNewMetadata = (metadataProvider.getEntityDescriptor(metdataURL) == null); + + } catch (MetadataProviderException e) {} + + //switch between metadata refresh and add new metadata + if (addNewMetadata) { + //Metadata provider seems not loaded --> Add new metadata provider + Logger.info("Initialize PVP MetadataProvider:" + metdataURL + " to connect centrial E-ID system"); + + String trustProfileID = authConfig.getBasicConfiguration(EIDProxyAuthConstants.CONFIG_PROPS_NODE_TRUSTPROFILEID); + if (MiscUtil.isEmpty(trustProfileID)) { + Logger.error("Create E-ID proxy client FAILED: No trustProfileID to verify PVP metadata." ); + throw new MetadataProviderException("No trustProfileID to verify PVP metadata."); + } + + //initialize Timer if it is null + if (timer == null) + timer = new Timer(true); + + //create metadata validation filter chain + MetadataFilterChain filter = new MetadataFilterChain(); + filter.addFilter(new SchemaValidationFilter(true)); + filter.addFilter(new MOASPMetadataSignatureFilter(trustProfileID)); + + MetadataProvider idpMetadataProvider = createNewSimpleMetadataProvider(metdataURL, + filter, + EIDProxyAuthConstants.MODULE_NAME_FOR_LOGGING, + timer, + new BasicParserPool(), + createHttpClient(metdataURL)); + + if (idpMetadataProvider == null) { + Logger.error("Create E-ID Proxy client FAILED."); + throw new MetadataProviderException("Can not initialize 'E-ID Proxy client' metadata provider."); + + } + + idpMetadataProvider.setRequireValidMetadata(true); + metadataProvider.addMetadataProvider(idpMetadataProvider); + + } else { + //Metadata provider seems already loaded --> start refresh process + List<MetadataProvider> loadedProvider = metadataProvider.getProviders(); + for (MetadataProvider el : loadedProvider) { + if (el instanceof HTTPMetadataProvider) { + HTTPMetadataProvider prov = (HTTPMetadataProvider)el; + if (prov.getMetadataURI().equals(metdataURL)) + prov.refresh(); + + } else + Logger.warn("'E-ID Proxy client' Metadata provider is not of Type 'HTTPMetadataProvider'! Something is suspect!!!!"); + + } + } + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.IDestroyableObject#fullyDestroy() + */ + @Override + public void fullyDestroy() { + Logger.info("Destroy 'E-ID Proxy client' PVP metadata pool ... "); + + if (metadataProvider != null) { + metadataProvider.destroy(); + + } + + if (timer != null) + timer.cancel(); + + } + + private HttpClient createHttpClient(String metadataURL) { + MOAHttpClient httpClient = new MOAHttpClient(); + HttpClientParams httpClientParams = new HttpClientParams(); + httpClientParams.setSoTimeout(AuthConfiguration.CONFIG_PROPS_METADATA_SOCKED_TIMEOUT); + httpClient.setParams(httpClientParams); + + if (metadataURL.startsWith("https:")) { + try { + //FIX: change hostname validation default flag to true when httpClient is updated to > 4.4 + MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( + PVPConstants.SSLSOCKETFACTORYNAME, + moaAuthConfig.getBasicConfigurationBoolean( + AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false), + moaAuthConfig.getTrustedCACertificates(), + null, + AuthConfiguration.DEFAULT_X509_CHAININGMODE, + moaAuthConfig.isTrustmanagerrevoationchecking(), + moaAuthConfig.getRevocationMethodOrder(), + moaAuthConfig.getBasicConfigurationBoolean( + AuthConfiguration.PROP_KEY_SSL_HOSTNAME_VALIDATION, false)); + + httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory); + + } catch (MOAHttpProtocolSocketFactoryException | MalformedURLException e) { + Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.", e); + + } + } + + return httpClient; + + } +} diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/Utils.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/Utils.java new file mode 100644 index 000000000..cd578d373 --- /dev/null +++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/Utils.java @@ -0,0 +1,45 @@ +package at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils; + +import java.util.List; + +import org.apache.commons.lang3.StringUtils; + +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; +import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils; +import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.EIDProxyAuthConstants; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; +import at.gv.egovernment.moa.logging.Logger; + +public class Utils { + + public static String getEIDSystemEntityId(ISPConfiguration spConfiguration, IConfiguration authConfig) { + //load from service-provider configuration + String msNodeEntityID = spConfiguration.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_EXTERNAL_EID_SYSTEM_SERVICE_URL); + + if (StringUtils.isEmpty(msNodeEntityID)) { + Logger.debug("No SP-specific E-ID system URL. Switch to general configuration ... "); + if (authConfig instanceof AuthConfiguration) { + AuthConfiguration moaAuthConfig = (AuthConfiguration)authConfig; + List<String> configuratedEntityIDs = KeyValueUtils.getListOfCSVValues( + moaAuthConfig.getConfigurationWithKey(MOAIDConfigurationConstants.GENERAL_AUTH_SERVICES_EID_SYSTEM_SERVICE_URL)); + + if (configuratedEntityIDs.size() > 0) + msNodeEntityID = configuratedEntityIDs.get(0); + else + Logger.info("No E-ID system URL in IDP configuration. Switch to backup configuration ... "); + + } else + Logger.info("Basic configuration is NOT of type '" + AuthConfiguration.class.getName() + + "' Switch to generic Type ... "); + + + if (StringUtils.isEmpty(msNodeEntityID)) + msNodeEntityID = authConfig.getBasicConfiguration(EIDProxyAuthConstants.CONFIG_PROPS_NODE_ENTITYID); + + } + + return msNodeEntityID; + } +} diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/resources/EID_connector_auth.process.xml b/id/server/modules/moa-id-module-E-ID_connector/src/main/resources/EID_connector_auth.process.xml new file mode 100644 index 000000000..aee4ab403 --- /dev/null +++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/resources/EID_connector_auth.process.xml @@ -0,0 +1,17 @@ +<?xml version="1.0" encoding="UTF-8"?> +<pd:ProcessDefinition id="EIDAuthentication" xmlns:pd="http://reference.e-government.gv.at/namespace/moa/process/definition/v1"> + + <pd:Task id="createEIDAuthnRequest" class="CreateEIDSystemAuthnRequestTask" /> + <pd:Task id="receiveEIDAuthnResponse" class="ReceiveEIDSystemAuthnResponseTask" async="true" /> + <pd:Task id="finalizeAuthentication" class="FinalizeAuthenticationTask" /> + + <pd:StartEvent id="start" /> + + <pd:Transition from="start" to="createEIDAuthnRequest" /> + <pd:Transition from="createEIDAuthnRequest" to="receiveEIDAuthnResponse"/> + <pd:Transition from="receiveEIDAuthnResponse" to="finalizeAuthentication"/> + <pd:Transition from="finalizeAuthentication" to="end" /> + + <pd:EndEvent id="end" /> + +</pd:ProcessDefinition>
\ No newline at end of file diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider b/id/server/modules/moa-id-module-E-ID_connector/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider new file mode 100644 index 000000000..7e511c22f --- /dev/null +++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider @@ -0,0 +1 @@ +at.gv.egovernment.moa.id.auth.modules.eidproxyauth.EIDProxyAuthSpringResourceProvider
\ No newline at end of file diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/resources/moaid_EID_connector.beans.xml b/id/server/modules/moa-id-module-E-ID_connector/src/main/resources/moaid_EID_connector.beans.xml new file mode 100644 index 000000000..d5d255680 --- /dev/null +++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/resources/moaid_EID_connector.beans.xml @@ -0,0 +1,43 @@ +<?xml version="1.0" encoding="UTF-8"?> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:tx="http://www.springframework.org/schema/tx" + xmlns:aop="http://www.springframework.org/schema/aop" + xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd + http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd"> + + +<!-- Federated authentication services --> + <bean id="EidAuthCredentialProvider" + class="at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils.EIDAuthCredentialProvider"/> + + <bean id="EidAuthMetadataController" + class="at.gv.egovernment.moa.id.auth.modules.eidproxyauth.controller.EIDAuthMetadataController"/> + + <bean id="EidAuthModuleImpl" + class="at.gv.egovernment.moa.id.auth.modules.eidproxyauth.EIDProxyAuthModuleImpl"> + <property name="priority" value="2" /> + </bean> + + <bean id="EidAuthSignalController" + class="at.gv.egovernment.moa.id.auth.modules.eidproxyauth.controller.EIDAuthSignalController"/> + + <bean id="EidAuthMetadataProvider" + class="at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils.EIDAuthMetadataProvider" /> + + <bean id="pvpAuthnRequestBuilder" + class="at.gv.egiz.eaaf.modules.pvp2.sp.impl.PVPAuthnRequestBuilder" /> + +<!-- Federated Authentication Process Tasks --> + <bean id="CreateEIDSystemAuthnRequestTask" + class="at.gv.egovernment.moa.id.auth.modules.eidproxyauth.tasks.CreateAuthnRequestTask" + scope="prototype"/> + + <bean id="ReceiveEIDSystemAuthnResponseTask" + class="at.gv.egovernment.moa.id.auth.modules.eidproxyauth.tasks.ReceiveAuthnResponseTask" + scope="prototype"/> + +</beans>
\ No newline at end of file diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml index 0207eb6c9..12c5e1319 100644 --- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml +++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/pom.xml @@ -3,7 +3,7 @@ <parent> <groupId>MOA.id.server.modules</groupId> <artifactId>moa-id-modules</artifactId> - <version>${moa-id-version}</version> + <version>4.1.0</version> </parent> <artifactId>moa-id-module-bkaMobilaAuthSAML2Test</artifactId> <description>BKA MobileAuth Test for SAML2 applications</description> diff --git a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java index b17f0c121..50f675c6e 100644 --- a/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java +++ b/id/server/modules/moa-id-module-bkaMobilaAuthSAML2Test/src/main/java/at/gv/egovernment/moa/id/auth/modules/bkamobileauthtests/BKAMobileAuthModule.java @@ -29,6 +29,7 @@ import javax.annotation.PostConstruct; import org.springframework.beans.factory.annotation.Autowired; +import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.data.EAAFConstants; import at.gv.egiz.eaaf.core.api.idp.auth.IAuthenticationManager; import at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule; @@ -95,7 +96,7 @@ public class BKAMobileAuthModule implements AuthModule { * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#selectProcess(at.gv.egovernment.moa.id.process.api.ExecutionContext) */ @Override - public String selectProcess(ExecutionContext context) { + public String selectProcess(ExecutionContext context, IRequest pendingReq) { String spEntityID = (String) context.get(EAAFConstants.PROCESS_ENGINE_SERVICE_PROVIDER_ENTITYID); String sl20ClientTypeHeader = (String) context.get("SL2ClientType".toLowerCase()); String sl20VDATypeHeader = (String) context.get("X-MOA-VDA".toLowerCase()); diff --git a/id/server/modules/moa-id-module-eIDAS-v2/pom.xml b/id/server/modules/moa-id-module-eIDAS-v2/pom.xml index 2ad14a24f..e4e05a860 100644 --- a/id/server/modules/moa-id-module-eIDAS-v2/pom.xml +++ b/id/server/modules/moa-id-module-eIDAS-v2/pom.xml @@ -3,7 +3,7 @@ <parent> <groupId>MOA.id.server.modules</groupId> <artifactId>moa-id-modules</artifactId> - <version>${moa-id-version}</version> + <version>4.0.1-snapshot</version> </parent> <artifactId>moa-id-module-eIDAS-v2</artifactId> <name>MOA-ID eIDAS module v2</name> diff --git a/id/server/modules/moa-id-module-eIDAS/pom.xml b/id/server/modules/moa-id-module-eIDAS/pom.xml index 5f4192645..4562f3239 100644 --- a/id/server/modules/moa-id-module-eIDAS/pom.xml +++ b/id/server/modules/moa-id-module-eIDAS/pom.xml @@ -3,7 +3,7 @@ <parent> <groupId>MOA.id.server.modules</groupId> <artifactId>moa-id-modules</artifactId> - <version>${moa-id-version}</version> + <version>4.1.0</version> </parent> <artifactId>moa-id-module-eIDAS</artifactId> <name>MOA-ID eIDAS Module</name> @@ -22,28 +22,29 @@ </properties> - <profiles> - <profile> - <id>default</id> - <activation> - <activeByDefault>true</activeByDefault> - </activation> - <repositories> - <repository> - <id>local</id> - <name>local</name> - <url>file:${basedir}/../../../../repository</url> - </repository> - <repository> - <id>egiz-commons</id> - <url>https://demo.egiz.gv.at/int-repo/</url> - <releases> - <enabled>true</enabled> - </releases> - </repository> - </repositories> - </profile> - </profiles> + + <repositories> + <repository> + <id>egiz-shibboleth-mirror</id> + <name>egiz-shibboleth-mirror</name> + <url>https://apps.egiz.gv.at/shibboleth_nexus/</url> + <releases> + <enabled>true</enabled> + </releases> + </repository> + <repository> + <id>moaid_local</id> + <name>local</name> + <url>file:${basedir}/../../../../repository</url> + </repository> + <repository> + <id>egiz-commons</id> + <url>https://apps.egiz.gv.at/maven/</url> + <releases> + <enabled>true</enabled> + </releases> + </repository> + </repositories> <dependencies> <dependency> @@ -69,6 +70,12 @@ </exclusion> </exclusions> </dependency> + + <dependency> + <groupId>com.google.code.gson</groupId> + <artifactId>gson</artifactId> + <version>2.8.5</version> + </dependency> <dependency> <groupId>eu.eidas.extension.eID4U</groupId> @@ -76,6 +83,11 @@ <version>${eID4U.module.version}</version> </dependency> + <dependency> + <groupId>at.gv.egiz.components</groupId> + <artifactId>egiz-spring-api</artifactId> + </dependency> + <dependency> <groupId>com.google.code.findbugs</groupId> <artifactId>jsr305</artifactId> @@ -93,6 +105,37 @@ <scope>test</scope> </dependency> + <dependency> + <groupId>org.opensaml</groupId> + <artifactId>opensaml</artifactId> + <exclusions> + <exclusion> + <groupId>org.slf4j</groupId> + <artifactId>log4j-over-slf4j</artifactId> + </exclusion> + </exclusions> + </dependency> + <dependency> + <groupId>org.opensaml</groupId> + <artifactId>xmltooling</artifactId> + <exclusions> + <exclusion> + <groupId>org.slf4j</groupId> + <artifactId>log4j-over-slf4j</artifactId> + </exclusion> + </exclusions> + </dependency> + <dependency> + <groupId>org.opensaml</groupId> + <artifactId>openws</artifactId> + <exclusions> + <exclusion> + <groupId>org.slf4j</groupId> + <artifactId>log4j-over-slf4j</artifactId> + </exclusion> + </exclusions> + </dependency> + <!-- eidas Commons --> <dependency> <groupId>eu.eidas</groupId> diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/AustrianAuthWitheID4UAuthenticationModulImpl.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/AustrianAuthWitheID4UAuthenticationModulImpl.java index d3aa7b4a0..daaf6a0f5 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/AustrianAuthWitheID4UAuthenticationModulImpl.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/AustrianAuthWitheID4UAuthenticationModulImpl.java @@ -23,16 +23,13 @@ package at.gv.egovernment.moa.id.auth.modules.eidas; -import org.apache.commons.lang3.StringUtils; import org.springframework.beans.factory.annotation.Autowired; import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.IRequestStorage; -import at.gv.egiz.eaaf.core.api.data.EAAFConstants; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egovernment.moa.id.auth.modules.internal.DefaultCitizenCardAuthModuleImpl; import at.gv.egovernment.moa.id.protocols.eidas.EIDASData; -import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; /** @@ -63,21 +60,14 @@ public class AustrianAuthWitheID4UAuthenticationModulImpl extends DefaultCitizen * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#selectProcess(at.gv.egovernment.moa.id.process.api.ExecutionContext) */ @Override - public String selectProcess(ExecutionContext context) { - String selectedProcessID = super.selectProcess(context); + public String selectProcess(ExecutionContext context, IRequest pendingReq) { + String selectedProcessID = super.selectProcess(context, pendingReq); if (MiscUtil.isNotEmpty(selectedProcessID)) { - String pendingReqId = (String)context.get(EAAFConstants.PROCESS_ENGINE_PENDINGREQUESTID); - - if (StringUtils.isEmpty(pendingReqId)) - Logger.warn("Process execution context contains NO 'pendingReqId'. Looks very suspect!"); - - else { - IRequest pendingReq = requestStore.getPendingRequest(pendingReqId); - if (pendingReq != null && pendingReq instanceof EIDASData) { - return "eID4UAttributCollectionAuthentication"; - - } + if (pendingReq != null && pendingReq instanceof EIDASData) { + return "eID4UAttributCollectionAuthentication"; + } + } return selectedProcessID; diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java index 8779436e0..1b0f258ab 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java @@ -99,10 +99,21 @@ public class ModifiedEncryptionSW extends KeyStoreSamlEngineEncryption { return useEncryption; } catch(NullPointerException | ConfigurationException e) { - Logger.warn("failed to gather information about encryption for countryCode " + countryCode + " - thus, enabling encryption"); - if(Logger.isDebugEnabled()) - e.printStackTrace(); - return true; + try { + return !Boolean.valueOf( + AuthConfigurationProviderFactory.getInstance().getBasicConfiguration( + "moa.id.protocols.eIDAS.encryption.disabled", + "false" + )); + + } catch (ConfigurationException e1) { + Logger.warn("failed to gather information about encryption for countryCode " + countryCode + " - thus, enabling encryption"); + if(Logger.isDebugEnabled()) + e.printStackTrace(); + + return true; + + } } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eID4UAPSignalServlet.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eID4UAPSignalServlet.java index c8c65ce76..65b6d1725 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eID4UAPSignalServlet.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eID4UAPSignalServlet.java @@ -9,6 +9,7 @@ import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; import at.gv.egovernment.moa.id.util.CookieUtils; @@ -26,7 +27,7 @@ public class eID4UAPSignalServlet extends AbstractProcessEngineSignalController @RequestMapping(value = {eID4UConstants.HTTP_ENDPOINT_AP_CONSENT_RETURN }, method = {RequestMethod.POST, RequestMethod.GET}) - public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException { signalProcessManagement(req, resp); } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASAuthenticationModulImpl.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASAuthenticationModulImpl.java index ec042949a..cf9a5cc60 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASAuthenticationModulImpl.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASAuthenticationModulImpl.java @@ -24,6 +24,7 @@ package at.gv.egovernment.moa.id.auth.modules.eidas; import org.apache.commons.lang3.StringUtils; +import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; @@ -52,7 +53,7 @@ public class eIDASAuthenticationModulImpl implements AuthModule { * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#selectProcess(at.gv.egovernment.moa.id.process.api.ExecutionContext) */ @Override - public String selectProcess(ExecutionContext context) { + public String selectProcess(ExecutionContext context, IRequest pendingReq) { if (StringUtils.isNotBlank((String) context.get("ccc")) || StringUtils.isNotBlank((String) context.get("CCC"))) return "eIDASAuthentication"; diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java index 49d98ed33..70c86dad8 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java @@ -32,6 +32,7 @@ import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController; import at.gv.egovernment.moa.logging.Logger; @@ -54,7 +55,7 @@ public class eIDASSignalServlet extends AbstractProcessEngineSignalController { "/eidas/sp/redirect" }, method = {RequestMethod.POST, RequestMethod.GET}) - public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException { signalProcessManagement(req, resp); } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eid4u/utils/AttributeScopeMapper.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eid4u/utils/AttributeScopeMapper.java index 69cc131ff..48e64da62 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eid4u/utils/AttributeScopeMapper.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eid4u/utils/AttributeScopeMapper.java @@ -180,7 +180,12 @@ public class AttributeScopeMapper { if (StringUtils.isNotEmpty(eIDASAttr)) { if (!AttributeScopeMapper.getInstance().isComplexeScope(key)) { Logger.debug("Map simple TUG scope: " + key + " to eIDAS attribute: " + eIDASAttr); - result.put(eIDASAttr, el.getValue().getAsString()); + if (StringUtils.isNotEmpty(el.getValue().getAsString())) { + Logger.trace("eIDAS attribute: " + eIDASAttr + " has value: " + el.getValue().getAsString()); + result.put(eIDASAttr, el.getValue().getAsString()); + + } else + Logger.info("Ignore empty attr: "+ eIDASAttr); } else { Logger.trace("Find complex TUG scope: " + key); @@ -205,6 +210,7 @@ public class AttributeScopeMapper { address.cvAddressArea(jsonObject.get(AttributeScopeMapper.HomeInstitutionAddressStreet).getAsString()); address.thoroughfare(jsonObject.get(AttributeScopeMapper.HomeInstitutionAddressStreet).getAsString()); result.put(attr, address.build()); + Logger.debug("Add eIDAS attr: " + Definitions.HOMEINSTITUTIONADDRESS_NAME); } else if (Definitions.TEMPORARYADDRESS_NAME.equals(attr)) { address.postCode(jsonObject.get(AttributeScopeMapper.StudyAddressPostalCode).getAsString()); @@ -212,6 +218,7 @@ public class AttributeScopeMapper { address.cvAddressArea(jsonObject.get(AttributeScopeMapper.StudyAddressStreet).getAsString()); address.thoroughfare(jsonObject.get(AttributeScopeMapper.StudyAddressStreet).getAsString()); result.put(attr, address.build()); + Logger.debug("Add eIDAS attr: " + Definitions.TEMPORARYADDRESS_NAME); } else if (eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.CURRENT_ADDRESS.getNameUri().toString().equals(attr)) { address.postCode(jsonObject.get(AttributeScopeMapper.PermanentAddressPostalCode).getAsString()); @@ -219,6 +226,7 @@ public class AttributeScopeMapper { address.cvAddressArea(jsonObject.get(AttributeScopeMapper.PermanentAddressStreet).getAsString()); address.thoroughfare(jsonObject.get(AttributeScopeMapper.PermanentAddressStreet).getAsString()); result.put(attr, address.build()); + Logger.debug("Add eIDAS attr: " + eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.CURRENT_ADDRESS); } else { Logger.warn("Complexe eID4U attribute: " + attr + " is NOT SUPPORTED yet!"); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java index feeff6f84..e879fd95b 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java @@ -29,10 +29,10 @@ import org.opensaml.xml.XMLObject; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; -import at.gv.egiz.eaaf.core.api.IDestroyableObject; +import at.gv.egiz.components.spring.api.IDestroyableObject; import at.gv.egiz.eaaf.core.api.IGarbageCollectorProcessing; import at.gv.egiz.eaaf.core.api.IPostStartupInitializable; -import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.api.idp.IConfigurationWithSP; import at.gv.egiz.eaaf.core.impl.utils.FileUtils; import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider; import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.MetadataFilterChain; @@ -52,7 +52,7 @@ import eu.eidas.auth.engine.AbstractProtocolEngine; public class MOAeIDASChainingMetadataProvider extends SimpleMetadataProvider implements ObservableMetadataProvider, IGarbageCollectorProcessing, IDestroyableObject, IRefreshableMetadataProvider, IPostStartupInitializable{ - @Autowired(required=true) IConfiguration basicConfig; + @Autowired(required=true) IConfigurationWithSP basicConfig; private Timer timer = null; @@ -82,7 +82,7 @@ public class MOAeIDASChainingMetadataProvider extends SimpleMetadataProvider imp protected void initializeEidasMetadataFromFileSystem() throws ConfigurationException { try { - Map<String, String> metadataToLoad = authConfig.getBasicMOAIDConfigurationWithPrefix(Constants.CONIG_PROPS_EIDAS_METADATA_URLS_LIST_PREFIX); + Map<String, String> metadataToLoad = basicConfig.getBasicConfigurationWithPrefix(Constants.CONIG_PROPS_EIDAS_METADATA_URLS_LIST_PREFIX); if (!metadataToLoad.isEmpty()) { Logger.info("Load static configurated eIDAS metadata ... "); for (String metaatalocation : metadataToLoad.values()) { @@ -441,14 +441,14 @@ public class MOAeIDASChainingMetadataProvider extends SimpleMetadataProvider imp //FIX: change hostname validation default flag to true when httpClient is updated to > 4.4 MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( PVPConstants.SSLSOCKETFACTORYNAME, - basicConfig.getBasicMOAIDConfigurationBoolean( + basicConfig.getBasicConfigurationBoolean( AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false), moaAuthConfig.getTrustedCACertificates(), null, AuthConfiguration.DEFAULT_X509_CHAININGMODE, moaAuthConfig.isTrustmanagerrevoationchecking(), moaAuthConfig.getRevocationMethodOrder(), - moaAuthConfig.getBasicMOAIDConfigurationBoolean( + moaAuthConfig.getBasicConfigurationBoolean( AuthConfiguration.PROP_KEY_SSL_HOSTNAME_VALIDATION, false)); httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/CollectAddtionalAttributesTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/CollectAddtionalAttributesTask.java index a58bc4f8d..3b976b99e 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/CollectAddtionalAttributesTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/CollectAddtionalAttributesTask.java @@ -12,10 +12,12 @@ import org.springframework.stereotype.Component; import com.google.common.collect.UnmodifiableIterator; import at.gv.egiz.eaaf.core.api.idp.IAuthData; +import at.gv.egiz.eaaf.core.api.idp.IConfigurationWithSP; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage; import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; +import at.gv.egiz.eaaf.core.impl.idp.builder.SimpleStringAttributeGenerator; import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.BPKAttributeBuilder; import at.gv.egiz.eaaf.core.impl.utils.Random; import at.gv.egiz.eid4u.api.attributes.Definitions; @@ -23,7 +25,6 @@ import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionWrapper; import at.gv.egovernment.moa.id.auth.modules.eidas.eID4UConstants; import at.gv.egovernment.moa.id.auth.modules.eidas.eid4u.utils.AttributeScopeMapper; -import at.gv.egovernment.moa.id.protocols.builder.attributes.SimpleStringAttributeGenerator; import at.gv.egovernment.moa.id.protocols.eidas.EIDASData; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject; @@ -43,6 +44,7 @@ public class CollectAddtionalAttributesTask extends AbstractAuthServletTask { @Autowired private OAuth20AuthAction openIDAuthAction; @Autowired private ITransactionStorage transactionStorage; @Autowired private AuthenticationDataBuilder authDataBuilder; + @Autowired(required=true) protected IConfigurationWithSP authConfigWithSp; @Override public void execute(ExecutionContext context, HttpServletRequest httpReq, HttpServletResponse httpResp) @@ -84,6 +86,12 @@ public class CollectAddtionalAttributesTask extends AbstractAuthServletTask { } + if (MiscUtil.isEmpty(scopes)) { + scopes = "ANY@tugraz.idm.attr.EmailStud"; + Logger.info("Add dummy-scope: '" + scopes + "' because its emtpy!!"); + + } + Logger.debug("Load eID4U AP-Config:" + " EntityID: " + uniqueID + " RedirectURL:" + redirectURI @@ -96,10 +104,10 @@ public class CollectAddtionalAttributesTask extends AbstractAuthServletTask { //generate fake OpenID_Connect request OAuth20AuthRequest fakeOpenIDReq = new OAuth20AuthRequest(); - fakeOpenIDReq.initialize(httpReq, authConfig); + fakeOpenIDReq.initialize(httpReq, authConfigWithSp); fakeOpenIDReq.setSPEntityId(uniqueID); fakeOpenIDReq.setModule(OAuth20Protocol.NAME); - fakeOpenIDReq.setOnlineApplicationConfiguration(authConfig.getServiceProviderConfiguration(uniqueID)); + fakeOpenIDReq.setOnlineApplicationConfiguration(authConfigWithSp.getServiceProviderConfiguration(uniqueID)); fakeOpenIDReq.setScope("openId profile"); //populate with SessionData diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveConsentForAddtionalAttributesTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveConsentForAddtionalAttributesTask.java index e878f8ab1..3e7dcbdfc 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveConsentForAddtionalAttributesTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveConsentForAddtionalAttributesTask.java @@ -86,7 +86,7 @@ public class ReceiveConsentForAddtionalAttributesTask extends AbstractAuthServle tokenServiceURL); CloseableHttpClient httpClient = HttpClientWithProxySupport.getHttpClient( sslFactory, - authConfig.getBasicMOAIDConfigurationBoolean(AuthConfiguration.PROP_KEY_OVS_SSL_HOSTNAME_VALIDATION, true)); + authConfig.getBasicConfigurationBoolean(AuthConfiguration.PROP_KEY_OVS_SSL_HOSTNAME_VALIDATION, true)); //build request URL URIBuilder uriBuilderToken = new URIBuilder(tokenServiceURL); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/eIDASAttributeBuilder.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/eIDASAttributeBuilder.java index d2323d161..4a6f83e5f 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/eIDASAttributeBuilder.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/eIDASAttributeBuilder.java @@ -36,9 +36,9 @@ import at.gv.egiz.eaaf.core.api.idp.IAuthData; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.idp.builder.SimpleStringAttributeGenerator; import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPAttributeBuilder; import at.gv.egovernment.moa.id.data.IMOAAuthData; -import at.gv.egovernment.moa.id.protocols.builder.attributes.SimpleStringAttributeGenerator; import at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.IeIDASAttribute; import at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASMetadata; import at.gv.egovernment.moa.logging.Logger; diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java index 7c9e66ba0..3ba7664a8 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java @@ -48,7 +48,7 @@ import at.gv.egiz.eaaf.core.api.idp.IModulInfo; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.impl.gui.velocity.VelocityProvider; -import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractAuthProtocolModulController; +import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController; import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; @@ -82,7 +82,7 @@ import eu.eidas.engine.exceptions.EIDASSAMLEngineException; * @author tlenz */ @Controller -public class EIDASProtocol extends AbstractAuthProtocolModulController implements IModulInfo { +public class EIDASProtocol extends AbstractController implements IModulInfo { public static final String eIDAS_GENERIC_REQ_DATA_LEVELOFASSURENCE = "eIDAS_GENERIC_REQ_DATA_LEVELOFASSURENCE"; @@ -169,7 +169,8 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController implement pendingReq.setAction(eIDASAuthenticationRequest.class.getName()); //switch to session authentication - performAuthentication(req, resp, pendingReq); + protAuthService.performAuthentication(req, resp, pendingReq); + } /* @@ -375,6 +376,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController implement } catch (MOAIDException e) { Logger.info("eIDAS AuthnRequest preProcessing FAILED. Msg:" + e.getMessage()); + Logger.debug("eIDAS AuthnReq: " + base64SamlToken); //write revision log entries if (pendingReq != null) @@ -384,6 +386,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController implement } catch (EIDASSAMLEngineException e) { Logger.info("eIDAS AuthnRequest preProcessing FAILED. Msg:" + e.getMessage()); + Logger.debug("eIDAS AuthnReq: " + base64SamlToken); //write revision log entries if (pendingReq != null) @@ -393,6 +396,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController implement } catch(Exception e) { Logger.warn("eIDAS AuthnRequest preProcessing FAILED. Msg:" + e.getMessage(), e); + Logger.debug("eIDAS AuthnReq: " + base64SamlToken); //write revision log entries if (pendingReq != null) diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eid4u/CurrentDegreeAttrBuilder.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eid4u/CurrentDegreeAttrBuilder.java index 7b4c16a5a..cc4026253 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eid4u/CurrentDegreeAttrBuilder.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eid4u/CurrentDegreeAttrBuilder.java @@ -9,17 +9,31 @@ import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; import at.gv.egiz.eid4u.api.attributes.Definitions; import at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.IeIDASAttribute; import at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASMetadata; +import at.gv.egovernment.moa.logging.Logger; @eIDASMetadata public class CurrentDegreeAttrBuilder implements IeIDASAttribute { + private static final String DELIMITER = ";"; + @Override public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeBuilderException { String idType= authData.getGenericData(getName(), String.class); - if (StringUtils.isNotEmpty(idType)) - return g.buildStringAttribute(Definitions.CURRENTDEGREE_FRIENDLYNAME, getName(), idType); + if (StringUtils.isNotEmpty(idType)) { + String[] split = idType.split(DELIMITER); + if (split.length > 1) { + Logger.debug("Find more than one attribute values: " + idType + " Using first one ... "); + return g.buildStringAttribute(Definitions.CURRENTDEGREE_FRIENDLYNAME, getName(), split[0]); + + } else { + return g.buildStringAttribute(Definitions.CURRENTDEGREE_FRIENDLYNAME, getName(), idType); + + } + + + } else throw new AttributeBuilderException("Attribute '" + getName() + "' is not available"); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eid4u/CurrentLevelOfStudyAttrBuilder.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eid4u/CurrentLevelOfStudyAttrBuilder.java index 5210676c2..a0a7ff95e 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eid4u/CurrentLevelOfStudyAttrBuilder.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eid4u/CurrentLevelOfStudyAttrBuilder.java @@ -9,19 +9,44 @@ import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; import at.gv.egiz.eid4u.api.attributes.Definitions; import at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.IeIDASAttribute; import at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASMetadata; +import at.gv.egovernment.moa.logging.Logger; @eIDASMetadata public class CurrentLevelOfStudyAttrBuilder implements IeIDASAttribute { + private static final String DELIMITER = ";"; + @Override public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeBuilderException { String idType= authData.getGenericData(getName(), String.class); - if (StringUtils.isNotEmpty(idType)) + if (StringUtils.isNotEmpty(idType)) { + String[] split = idType.split(DELIMITER); + if (split.length > 1) { + //select the highest level + int currentValue = -1; + for (String el : split) { + int elInt; + try { + elInt = Integer.valueOf(el); + if (currentValue < elInt) + currentValue = elInt; + + } catch (NumberFormatException e) { + Logger.warn("Can NOT convert CurrentLevelOfStudy: " + el, e); + + } + + } + + idType = String.valueOf(currentValue); + + } + return g.buildStringAttribute(Definitions.CURRENTLEVELOFSTUDY_FRIENDLYNAME, getName(), idType); - else + } else throw new AttributeBuilderException("Attribute '" + getName() + "' is not available"); } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eid4u/FieldOfStudyAttrBuilder.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eid4u/FieldOfStudyAttrBuilder.java index ba486079e..28023a219 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eid4u/FieldOfStudyAttrBuilder.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eid4u/FieldOfStudyAttrBuilder.java @@ -13,15 +13,34 @@ import at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASMetadata @eIDASMetadata public class FieldOfStudyAttrBuilder implements IeIDASAttribute { + private static final String DELIMITER = ";"; + private static final String UNDEFINED_CODE = "9999"; + @Override public <ATT> ATT build(ISPConfiguration oaParam, IAuthData authData, IAttributeGenerator<ATT> g) throws AttributeBuilderException { String idType= authData.getGenericData(getName(), String.class); - if (StringUtils.isNotEmpty(idType)) + if (StringUtils.isNotEmpty(idType)) { + String[] split = idType.split(DELIMITER); + if (split.length > 1) { + String currentSelected = UNDEFINED_CODE; + for (String el : split) { + if (!el.equals(currentSelected)) { + //select first that is not undefined code + currentSelected = el; + break; + } + + } + + idType = currentSelected; + } + + return g.buildStringAttribute(Definitions.FIELDOFSTUDY_FRIENDLYNAME, getName(), idType); - else + } else throw new AttributeBuilderException("Attribute '" + getName() + "' is not available"); } diff --git a/id/server/modules/moa-id-module-eIDAS/src/test/java/test/at/gv/egovernment/moa/id/modules/eidas/eid4u/AttributeScopeMapperTest.java b/id/server/modules/moa-id-module-eIDAS/src/test/java/test/at/gv/egovernment/moa/id/modules/eidas/eid4u/AttributeScopeMapperTest.java index 0daa90b40..1df15cf24 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/test/java/test/at/gv/egovernment/moa/id/modules/eidas/eid4u/AttributeScopeMapperTest.java +++ b/id/server/modules/moa-id-module-eIDAS/src/test/java/test/at/gv/egovernment/moa/id/modules/eidas/eid4u/AttributeScopeMapperTest.java @@ -37,8 +37,8 @@ public class AttributeScopeMapperTest { Assert.assertTrue("eID4u attribte-table is EMPTY after mapping", !result.isEmpty()); - Assert.assertTrue(result.containsKey(Definitions.COUNTRYOFBIRTH_NAME)); - Assert.assertEquals("", result.get(Definitions.COUNTRYOFBIRTH_NAME)); + Assert.assertFalse(result.containsKey(Definitions.COUNTRYOFBIRTH_NAME)); + //Assert.assertEquals("", result.get(Definitions.COUNTRYOFBIRTH_NAME)); Assert.assertTrue(result.containsKey(Definitions.CURRENTDEGREE_NAME)); Assert.assertEquals("Dr.techn.", result.get(Definitions.CURRENTDEGREE_NAME)); diff --git a/id/server/modules/moa-id-module-elga_mandate_service/pom.xml b/id/server/modules/moa-id-module-elga_mandate_service/pom.xml index 3b5d1ba66..bdc83f686 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/pom.xml +++ b/id/server/modules/moa-id-module-elga_mandate_service/pom.xml @@ -3,7 +3,7 @@ <parent> <groupId>MOA.id.server.modules</groupId> <artifactId>moa-id-modules</artifactId> - <version>${moa-id-version}</version> + <version>4.1.0</version> </parent> <artifactId>moa-id-module-elga_mandate_service</artifactId> <version>${moa-id-module-elga_mandate_client}</version> @@ -34,6 +34,11 @@ </dependency> <dependency> + <groupId>at.gv.egiz.components</groupId> + <artifactId>egiz-spring-api</artifactId> + </dependency> + + <dependency> <groupId>MOA.id.server.modules</groupId> <artifactId>moa-id-modul-citizencard_authentication</artifactId> <exclusions> diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthModuleImpl.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthModuleImpl.java index 0d460f293..a0aa45794 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthModuleImpl.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthModuleImpl.java @@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.auth.modules.elgamandates; import org.springframework.beans.factory.annotation.Autowired; +import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egovernment.moa.id.auth.modules.internal.DefaultCitizenCardAuthModuleImpl; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; @@ -52,8 +53,8 @@ public class ELGAMandatesAuthModuleImpl extends DefaultCitizenCardAuthModuleImpl } @Override - public String selectProcess(ExecutionContext context) { - String selectedProcessID = super.selectProcess(context); + public String selectProcess(ExecutionContext context, IRequest pendingReq) { + String selectedProcessID = super.selectProcess(context, pendingReq); //check if BKU authentication is selected and ELGA-MandateService is configurated if (MiscUtil.isNotEmpty(selectedProcessID)) { diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java index d52cd750a..be7778abc 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java @@ -34,6 +34,7 @@ import org.springframework.web.bind.annotation.RequestMethod; import com.google.common.net.MediaType; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController; import at.gv.egiz.eaaf.core.impl.utils.HTTPUtils; import at.gv.egiz.eaaf.modules.pvp2.api.IPVP2BasicConfiguration; @@ -67,7 +68,7 @@ public class ELGAMandateMetadataController extends AbstractController { @RequestMapping(value = "/sp/elga_mandate/metadata", method = {RequestMethod.GET}) - public void getSPMetadata(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void getSPMetadata(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException { //check PublicURL prefix try { String authURL = HTTPUtils.extractAuthURLFromRequest(req); @@ -94,7 +95,7 @@ public class ELGAMandateMetadataController extends AbstractController { } catch (Exception e) { Logger.warn("Build federated-authentication PVP metadata FAILED.", e); - handleErrorNoRedirect(e, req, resp, false); + protAuthService.handleErrorNoRedirect(e, req, resp, false); } diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateSignalController.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateSignalController.java index 503884edd..7effbc905 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateSignalController.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateSignalController.java @@ -32,6 +32,7 @@ import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController; import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants; import at.gv.egovernment.moa.logging.Logger; @@ -55,7 +56,7 @@ public class ELGAMandateSignalController extends AbstractProcessEngineSignalCont "/sp/elga_mandate/redirect" }, method = {RequestMethod.POST, RequestMethod.GET}) - public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException { signalProcessManagement(req, resp); } diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/EvaluateMandateServiceTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/EvaluateMandateServiceTask.java index 5c1f8e7bb..9980c4884 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/EvaluateMandateServiceTask.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/EvaluateMandateServiceTask.java @@ -94,7 +94,7 @@ public class EvaluateMandateServiceTask extends AbstractAuthServletTask { requestStoreage.storePendingRequest(pendingReq); //redirect to protocol finalization - performRedirectToProtocolFinialization(pendingReq, response); + performRedirectToProtocolFinialization(executionContext, pendingReq, request, response); } diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java index 854f9d2bb..1cd697c4e 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java @@ -69,7 +69,7 @@ public class SelectMandateServiceTask extends AbstractAuthServletTask { GeneralProcessEngineSignalController.ENDPOINT_GENERIC, authConfig.getConfigurationRootDirectory().toURL().toString()); - guiBuilder.build(response, config, "Mandate-Service selection"); + guiBuilder.build(request, response, config, "Mandate-Service selection"); Logger.debug("GUI for mandate-service selection is generated. Wait for user interaction ... "); diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java index 7bb98c719..f97267b3d 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java @@ -44,7 +44,7 @@ import org.opensaml.xml.parse.BasicParserPool; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; -import at.gv.egiz.eaaf.core.api.IDestroyableObject; +import at.gv.egiz.components.spring.api.IDestroyableObject; import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.MetadataFilterChain; import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.SimpleMetadataProvider; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SchemaValidationFilter; @@ -323,14 +323,14 @@ public class ELGAMandateServiceMetadataProvider extends SimpleMetadataProvider //FIX: change hostname validation default flag to true when httpClient is updated to > 4.4 MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( PVPConstants.SSLSOCKETFACTORYNAME, - moaAuthConfig.getBasicMOAIDConfigurationBoolean( + moaAuthConfig.getBasicConfigurationBoolean( AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false), moaAuthConfig.getTrustedCACertificates(), null, AuthConfiguration.DEFAULT_X509_CHAININGMODE, moaAuthConfig.isTrustmanagerrevoationchecking(), moaAuthConfig.getRevocationMethodOrder(), - moaAuthConfig.getBasicMOAIDConfigurationBoolean( + moaAuthConfig.getBasicConfigurationBoolean( AuthConfiguration.PROP_KEY_SSL_HOSTNAME_VALIDATION, false)); httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory); diff --git a/id/server/modules/moa-id-module-openID/pom.xml b/id/server/modules/moa-id-module-openID/pom.xml index 9a8dbb236..f74177cd4 100644 --- a/id/server/modules/moa-id-module-openID/pom.xml +++ b/id/server/modules/moa-id-module-openID/pom.xml @@ -3,7 +3,7 @@ <parent> <groupId>MOA.id.server.modules</groupId> <artifactId>moa-id-modules</artifactId> - <version>${moa-id-version}</version> + <version>4.1.0</version> </parent> <artifactId>moa-id-module-openID</artifactId> diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java index 9cceea7d5..8ef33381f 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java @@ -32,6 +32,7 @@ import org.apache.commons.lang.StringEscapeUtils; import org.apache.commons.lang.StringUtils; import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.api.idp.IConfigurationWithSP; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl; @@ -60,7 +61,7 @@ abstract class OAuth20BaseRequest extends RequestImpl { return param; } - protected void populateParameters(final HttpServletRequest request, IConfiguration authConfig) throws OAuth20Exception { + protected void populateParameters(final HttpServletRequest request, IConfigurationWithSP authConfig) throws OAuth20Exception { // moa id - load oa with client id! try { diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java index 0952ba0a6..4f3c683ce 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java @@ -23,7 +23,7 @@ import at.gv.egiz.eaaf.core.api.idp.IModulInfo; import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; import at.gv.egiz.eaaf.core.exceptions.ProtocolNotActiveException; -import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractAuthProtocolModulController; +import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController; import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet; @@ -37,7 +37,7 @@ import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @Controller -public class OAuth20Protocol extends AbstractAuthProtocolModulController implements IModulInfo { +public class OAuth20Protocol extends AbstractController implements IModulInfo { public static final String NAME = OAuth20Protocol.class.getName(); public static final String PATH = "id_oauth20"; @@ -101,7 +101,7 @@ public class OAuth20Protocol extends AbstractAuthProtocolModulController impleme req.getRemoteAddr()); //process request - performAuthentication(req, resp, (RequestImpl)pendingReq); + protAuthService.performAuthentication(req, resp, (RequestImpl)pendingReq); } @@ -135,7 +135,7 @@ public class OAuth20Protocol extends AbstractAuthProtocolModulController impleme req.getRemoteAddr()); //process request - performAuthentication(req, resp, (RequestImpl)pendingReq); + protAuthService.performAuthentication(req, resp, (RequestImpl)pendingReq); } diff --git a/id/server/modules/moa-id-module-pvp2/pom.xml b/id/server/modules/moa-id-module-pvp2/pom.xml index 0a71e27ce..28de0c2a4 100644 --- a/id/server/modules/moa-id-module-pvp2/pom.xml +++ b/id/server/modules/moa-id-module-pvp2/pom.xml @@ -3,7 +3,7 @@ <parent> <groupId>MOA.id.server.modules</groupId> <artifactId>moa-id-modules</artifactId> - <version>${moa-id-version}</version> + <version>4.0.1-snapshot</version> </parent> <artifactId>moa-id-module-pvp2</artifactId> <name>PVP2 Module</name> diff --git a/id/server/modules/moa-id-module-sl20_authentication/pom.xml b/id/server/modules/moa-id-module-sl20_authentication/pom.xml index 74aa6682b..d41e221af 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/pom.xml +++ b/id/server/modules/moa-id-module-sl20_authentication/pom.xml @@ -5,7 +5,7 @@ <parent> <groupId>MOA.id.server.modules</groupId> <artifactId>moa-id-modules</artifactId> - <version>${moa-id-version}</version> + <version>4.1.0</version> </parent> <artifactId>moa-id-module-sl20_authentication</artifactId> <name>moa-id-module-sl20_authentication</name> @@ -45,6 +45,10 @@ <groupId>MOA.id.server</groupId> <artifactId>moa-id-lib</artifactId> </dependency> + <dependency> + <groupId>at.gv.egiz.eaaf</groupId> + <artifactId>eaaf_module_auth_sl20</artifactId> + </dependency> <dependency> <groupId>com.google.code.gson</groupId> @@ -65,6 +69,7 @@ </dependency> + <!-- Dependencies for testing --> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-test</artifactId> @@ -75,6 +80,27 @@ <artifactId>junit</artifactId> <scope>test</scope> </dependency> + <dependency> + <groupId>xerces</groupId> + <artifactId>xercesImpl</artifactId> + <scope>test</scope> + </dependency> + <dependency> + <groupId>xalan-bin-dist</groupId> + <artifactId>xml-apis</artifactId> + <scope>test</scope> + </dependency> + <dependency> + <groupId>xalan-bin-dist</groupId> + <artifactId>xalan</artifactId> + <scope>test</scope> + </dependency> + <dependency> + <groupId>xalan-bin-dist</groupId> + <artifactId>serializer</artifactId> + <scope>test</scope> + </dependency> + </dependencies> </project> diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20AuthenticationModulImpl.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20AuthenticationModulImpl.java index 9c2d47ca7..9142210c8 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20AuthenticationModulImpl.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20AuthenticationModulImpl.java @@ -29,7 +29,7 @@ import javax.annotation.PostConstruct; import org.springframework.beans.factory.annotation.Autowired; -import at.gv.egiz.eaaf.core.api.data.EAAFConstants; +import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; import at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; @@ -77,11 +77,8 @@ public class SL20AuthenticationModulImpl implements AuthModule { * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#selectProcess(at.gv.egovernment.moa.id.process.api.ExecutionContext) */ @Override - public String selectProcess(ExecutionContext context) { - ISPConfiguration spConfig = (ISPConfiguration) context.get(EAAFConstants.PROCESSCONTEXT_SP_CONFIG); -// if (spConfigObj != null && spConfigObj instanceof IOAAuthParameters) -// spConfig = (IOAAuthParameters)spConfigObj; - + public String selectProcess(ExecutionContext context, IRequest pendingReq) { + ISPConfiguration spConfig = pendingReq.getServiceProviderConfiguration(); String sl20ClientTypeHeader = (String) context.get(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE.toLowerCase()); String sl20VDATypeHeader = (String) context.get(SL20Constants.HTTP_HEADER_SL20_VDA_TYPE.toLowerCase()); diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20SignalServlet.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20SignalServlet.java index a8c4a941e..a5a472ed8 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20SignalServlet.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/SL20SignalServlet.java @@ -31,6 +31,7 @@ import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController; import at.gv.egovernment.moa.logging.Logger; @@ -54,7 +55,7 @@ public class SL20SignalServlet extends AbstractProcessEngineSignalController { Constants.HTTP_ENDPOINT_RESUME }, method = {RequestMethod.POST, RequestMethod.GET}) - public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException { Logger.trace("Receive req. on SL2.0 servlet with pendingReqId ... "); signalProcessManagement(req, resp); } diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java index a02f86376..39364f062 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/JsonSecurityUtils.java @@ -32,6 +32,7 @@ import com.google.gson.JsonSyntaxException; import at.gv.egiz.eaaf.core.impl.utils.FileUtils; import at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils; +import at.gv.egiz.eaaf.core.impl.utils.X509Utils; import at.gv.egovernment.moa.id.auth.modules.sl20_auth.Constants; import at.gv.egovernment.moa.id.auth.modules.sl20_auth.data.VerificationResult; import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20Exception; @@ -40,11 +41,11 @@ import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SLCommandoBuil import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SLCommandoParserException; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; -import at.gv.egovernment.moa.id.commons.utils.X509Utils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.MiscUtil; + @Service public class JsonSecurityUtils implements IJOSETools{ diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java index 599a67dfd..8a288b9b8 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.java @@ -19,6 +19,7 @@ import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils; import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils; import at.gv.egiz.eaaf.modules.pvp2.sp.impl.utils.AssertionAttributeExtractor; import at.gv.egovernment.moa.id.auth.builder.SignatureVerificationUtils; +import at.gv.egovernment.moa.id.auth.exception.ValidateException; import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker; import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20eIDDataValidationException; import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20Constants; @@ -112,7 +113,7 @@ public class QualifiedeIDVerifier { // date and time validateSigningDateTime(sigVerifyResult, authBlockExtractor); - } catch ( Exception e) { + } catch ( ValidateException e) { Logger.warn("Validation of eID information FAILED. ", e); throw new SL20eIDDataValidationException(new Object[] { SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL, diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java index 3408cf538..9c74a3cdb 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/CreateQualeIDRequestTask.java @@ -55,6 +55,7 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask { @Autowired(required=true) private IJOSETools joseTools; @Autowired private AuthConfiguration moaAuthConfig; + @Override public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) throws TaskExecutionException { @@ -97,7 +98,7 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask { X509Certificate encCert = null; - if (authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_ENABLE_EID_ENCRYPTION, true)) + if (authConfig.getBasicConfigurationBoolean(Constants.CONFIG_PROP_ENABLE_EID_ENCRYPTION, true)) encCert = joseTools.getEncryptionCertificate(); else Logger.info("eID data encryption is disabled by configuration"); @@ -120,7 +121,7 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask { vdaQualeIDUrl); CloseableHttpClient httpClient = HttpClientWithProxySupport.getHttpClient( sslFactory, - moaAuthConfig.getBasicMOAIDConfigurationBoolean(AuthConfiguration.PROP_KEY_OVS_SSL_HOSTNAME_VALIDATION, true)); + moaAuthConfig.getBasicConfigurationBoolean(AuthConfiguration.PROP_KEY_OVS_SSL_HOSTNAME_VALIDATION, true)); //build http POST request HttpPost httpReq = new HttpPost(new URIBuilder(vdaQualeIDUrl).build()); @@ -211,7 +212,7 @@ public class CreateQualeIDRequestTask extends AbstractAuthServletTask { private String extractVDAURLForSpecificOA(ISPConfiguration oaConfig, ExecutionContext executionContext) { String spSpecificVDAEndpoints = oaConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_SL20_ENDPOINTS); - Map<String, String> endPointMap = authConfig.getBasicMOAIDConfigurationWithPrefix(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST); + Map<String, String> endPointMap = moaAuthConfig.getBasicConfigurationWithPrefix(Constants.CONFIG_PROP_VDA_ENDPOINT_QUALeID_LIST); if (MiscUtil.isNotEmpty(spSpecificVDAEndpoints)) { endPointMap.putAll(KeyValueUtils.convertListToMap( KeyValueUtils.getListOfCSVValues( diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java index fc386b796..1826f824d 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java @@ -103,10 +103,10 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask { //validate signature VerificationResult payLoadContainer = SL20JSONExtractorUtils.extractSL20PayLoad( sl20ReqObj, joseTools, - authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true)); + authConfig.getBasicConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true)); if ( (payLoadContainer.isValidSigned() == null || !payLoadContainer.isValidSigned())) { - if (authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true)) { + if (authConfig.getBasicConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true)) { Logger.info("SL20 result from VDA was not valid signed"); throw new SL20SecurityException(new Object[]{"Signature on SL20 result NOT valid."}); @@ -133,7 +133,7 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask { JsonElement qualeIDResult = SL20JSONExtractorUtils.extractSL20Result( payLoad, joseTools, - authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_ENCRYPTION, true)); + authConfig.getBasicConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_ENCRYPTION, true)); //extract attributes from result Map<String, String> eIDData = SL20JSONExtractorUtils.getMapOfStringElements(qualeIDResult); diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java index 0c97641c7..fa48b9c64 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/VerifyQualifiedeIDTask.java @@ -94,7 +94,7 @@ public class VerifyQualifiedeIDTask extends AbstractAuthServletTask { //TODO: add LoA verification } catch (MOAIDException e) { - if (authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_DISABLE_EID_VALIDATION, false)) { + if (authConfig.getBasicConfigurationBoolean(Constants.CONFIG_PROP_DISABLE_EID_VALIDATION, false)) { Logger.warn("SL20 eID data validation IS DISABLED!!"); Logger.warn("SL20 eID data IS NOT VALID!!! Reason: " + e.getMessage(), e); @@ -116,6 +116,8 @@ public class VerifyQualifiedeIDTask extends AbstractAuthServletTask { } else moasession.setIssueInstant(DateTimeUtils.buildDateTimeUTC(Calendar.getInstance())); + //set NeedConsent to false, because user gives consont during authentication + pendingReq.setNeedUserConsent(false); //store pending request requestStoreage.storePendingRequest(pendingReq); diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/test/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/dummydata/DummyAuthConfig.java b/id/server/modules/moa-id-module-sl20_authentication/src/test/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/dummydata/DummyAuthConfig.java index fe12e9b76..b43eb22f8 100644 --- a/id/server/modules/moa-id-module-sl20_authentication/src/test/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/dummydata/DummyAuthConfig.java +++ b/id/server/modules/moa-id-module-sl20_authentication/src/test/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/dummydata/DummyAuthConfig.java @@ -127,7 +127,7 @@ public class DummyAuthConfig implements AuthConfiguration { } @Override - public Map<String, String> getBasicMOAIDConfigurationWithPrefix(String prefix) { + public Map<String, String> getBasicConfigurationWithPrefix(String prefix) { // TODO Auto-generated method stub return null; } @@ -395,45 +395,39 @@ public class DummyAuthConfig implements AuthConfiguration { } @Override - public boolean getBasicMOAIDConfigurationBoolean(String key, boolean defaultValue) { - // TODO Auto-generated method stub - return false; - } - - @Override - public URI getConfigurationFilePath() { + public URI getConfigurationRootDirectory() { // TODO Auto-generated method stub return null; } @Override - public URI getConfigurationRootDirectory() { + public ISPConfiguration getServiceProviderConfiguration(String arg0) throws EAAFConfigurationException { // TODO Auto-generated method stub return null; } @Override - public Properties getFullConfigurationProperties() { + public <T> T getServiceProviderConfiguration(String arg0, Class<T> arg1) throws EAAFConfigurationException { // TODO Auto-generated method stub return null; } @Override - public ISPConfiguration getServiceProviderConfiguration(String arg0) throws EAAFConfigurationException { + public String validateIDPURL(URL arg0) throws EAAFException { // TODO Auto-generated method stub return null; } @Override - public <T> T getServiceProviderConfiguration(String arg0, Class<T> arg1) throws EAAFConfigurationException { + public Boolean getBasicConfigurationBoolean(String key) { // TODO Auto-generated method stub return null; } @Override - public String validateIDPURL(URL arg0) throws EAAFException { + public boolean getBasicConfigurationBoolean(String key, boolean defaultValue) { // TODO Auto-generated method stub - return null; + return false; } } diff --git a/id/server/modules/moa-id-module-ssoTransfer/pom.xml b/id/server/modules/moa-id-module-ssoTransfer/pom.xml index b15d7dc85..68e984ef5 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/pom.xml +++ b/id/server/modules/moa-id-module-ssoTransfer/pom.xml @@ -3,7 +3,7 @@ <parent> <groupId>MOA.id.server.modules</groupId> <artifactId>moa-id-modules</artifactId> - <version>${moa-id-version}</version> + <version>4.1.0</version> </parent> <artifactId>moa-id-module-ssoTransfer</artifactId> <name>MOA-ID_SSO_Transfer_modul</name> diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/SSOTransferAuthModuleImpl.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/SSOTransferAuthModuleImpl.java index b9d08a20f..2d7e209ca 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/SSOTransferAuthModuleImpl.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/SSOTransferAuthModuleImpl.java @@ -22,6 +22,7 @@ */ package at.gv.egovernment.moa.id.auth.modules.ssotransfer; +import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; @@ -53,7 +54,7 @@ public class SSOTransferAuthModuleImpl implements AuthModule{ * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#selectProcess(at.gv.egovernment.moa.id.process.api.ExecutionContext) */ @Override - public String selectProcess(ExecutionContext context) { + public String selectProcess(ExecutionContext context, IRequest pendingReq) { Object restoreSSOSessionObj = context.get("restoreSSOSession"); if (restoreSSOSessionObj != null && restoreSSOSessionObj instanceof String) { boolean restoreSSOSession = (boolean) Boolean.parseBoolean((String)restoreSSOSessionObj); diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java index e7280f847..b22dfa3a7 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java @@ -28,6 +28,7 @@ import java.util.List; import org.w3c.dom.Element; +import at.gv.egiz.eaaf.core.api.data.PVPAttributeDefinitions.EID_IDENTITY_STATUS_LEVEL_VALUES; import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink; import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; @@ -393,5 +394,35 @@ public class SSOTransferAuthenticationData implements IMOAAuthData { return null; } + @Override + public String getEncryptedSourceId() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getEncryptedSourceIdType() { + // TODO Auto-generated method stub + return null; + } + + @Override + public byte[] getEIDToken() { + // TODO Auto-generated method stub + return null; + } + + @Override + public EID_IDENTITY_STATUS_LEVEL_VALUES getEIDStatus() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getVdaEndPointUrl() { + // TODO Auto-generated method stub + return null; + } + } diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java index dc2baab7d..3ab826bcd 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java @@ -158,7 +158,7 @@ public class SSOTransferServlet{ DefaultGUIFormBuilderConfiguration.VIEW_SSO_SESSION_TRANSFER, null); - internalCreateQRCodeForTransfer(resp, authURL, + internalCreateQRCodeForTransfer(req, resp, authURL, "123456", "/TestTransmitSSOSession", config); } catch (MOAIDException | MOADatabaseException e) { @@ -423,7 +423,7 @@ public class SSOTransferServlet{ String ssoSessionId = authenticationSessionStorage.getInternalSSOSessionWithSSOID(ssoid); if(ssoSessionId != null) { - internalCreateQRCodeForTransfer(resp, authURL, + internalCreateQRCodeForTransfer(req, resp, authURL, ssoSessionId, SSOTransferConstants.SERVLET_SSOTRANSFER_TO_SMARTPHONE, config); @@ -432,10 +432,10 @@ public class SSOTransferServlet{ } - config.putCustomParameter("errorMsg", + config.putCustomParameter(null, "errorMsg", "No active Single Sign-On session found! SSO Session transfer is not possible."); - guiBuilder.build(resp, config, "SSO-Transfer-Module"); + guiBuilder.build(req, resp, config, "SSO-Transfer-Module"); } catch (MOAIDException | MOADatabaseException e) { e.printStackTrace(); @@ -518,7 +518,7 @@ public class SSOTransferServlet{ } - private void internalCreateQRCodeForTransfer(HttpServletResponse resp, String authURL, + private void internalCreateQRCodeForTransfer(HttpServletRequest req, HttpServletResponse resp, String authURL, String moaSessionID, String servletEndPoint, DefaultGUIFormBuilderConfiguration config) throws Exception { SSOTransferContainer container = new SSOTransferContainer(); String token = Random.nextRandom(); @@ -572,12 +572,12 @@ public class SSOTransferServlet{ ByteArrayOutputStream qrStream = QRCode.from(qrResult.toString()).to(ImageType.GIF).withSize(350, 350).stream(); String base64EncodedImage = Base64Utils.encode(qrStream.toByteArray()); - config.putCustomParameter("QRImage", base64EncodedImage); + config.putCustomParameter(null, "QRImage", base64EncodedImage); - config.putCustomParameterWithOutEscaption("successMsg", "Scan the QR-Code with your <i>SSO-Transfer App</i> to start the transfer operation."); + config.putCustomParameterWithOutEscaption(null, "successMsg", "Scan the QR-Code with your <i>SSO-Transfer App</i> to start the transfer operation."); - guiBuilder.build(resp, config, "SSO-Session Transfer-Module"); + guiBuilder.build(req, resp, config, "SSO-Session Transfer-Module"); } diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java index bf215373d..169eb464b 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java @@ -33,6 +33,7 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController; import at.gv.egiz.eaaf.core.impl.utils.TransactionIDUtils; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; @@ -53,13 +54,13 @@ public class SSOTransferSignalServlet extends AbstractProcessEngineSignalControl @RequestMapping(value = { "/SSOTransferSignalEndpoint" }, method = {RequestMethod.POST, RequestMethod.GET}) - public void performSSOTransfer(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void performSSOTransfer(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException { signalProcessManagement(req, resp); } @Override - protected void signalProcessManagement(HttpServletRequest req, HttpServletResponse resp) throws IOException { + protected void signalProcessManagement(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException { String pendingRequestID = StringEscapeUtils.escapeHtml(getPendingRequestId(req)); IRequest pendingReq = null; try { diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java index 921e3844b..7132eb08e 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java @@ -85,7 +85,7 @@ public class InitializeRestoreSSOSessionTask extends AbstractAuthServletTask { Pair<DHPublicKeySpec, PrivateKey> dhKeyIDP = ssoTransferUtils.createSpecificKey(dhSpec.getP(), dhSpec.getG()); String nonce = Random.nextLongRandom(); - GUIUtils.buildSSOTransferGUI(guiBuilder, response, authURL, + GUIUtils.buildSSOTransferGUI(guiBuilder, request, response, authURL, pendingReq.getPendingRequestId(), nonce, dhKeyIDP.getF()); //store DH params and nonce to pending-request diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java index 90b74ebd7..8839d5a94 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java @@ -189,6 +189,9 @@ public class RestoreSSOSessionTask extends AbstractAuthServletTask { AuthenticationSessionWrapper moaSession = pendingReq.getSessionData(AuthenticationSessionWrapper.class); ssoTransferUtils.parseSSOContainerToMOASessionDataObject(pendingReq, moaSession, attributeExtractor); + //set NeedConsent to false, because user gives consont during authentication + pendingReq.setNeedUserConsent(false); + // store MOASession into database requestStoreage.storePendingRequest(pendingReq); @@ -267,7 +270,7 @@ public class RestoreSSOSessionTask extends AbstractAuthServletTask { } - GUIUtils.buildSSOTransferGUI(guiBuilder, response, + GUIUtils.buildSSOTransferGUI(guiBuilder, request, response, authURL, pendingReq.getPendingRequestId(), nonce, container.getDhParams().getF()); } catch (IOException | MOAIDException e) { diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java index 1a4a9b80b..2814874bd 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java @@ -26,6 +26,7 @@ import java.io.ByteArrayOutputStream; import java.io.IOException; import javax.crypto.spec.DHPublicKeySpec; +import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import com.google.gson.JsonObject; @@ -50,9 +51,9 @@ public class GUIUtils { public static final int REFESH_TIMEOUT = 5 * 1000; //5 sec public static void buildSSOTransferGUI( - IGUIFormBuilder guiBuilder, HttpServletResponse httpResp, + IGUIFormBuilder guiBuilder, HttpServletRequest httpReq,HttpServletResponse httpResp, String authURL, String pendingReqID) throws ConfigurationException, IOException { - buildSSOTransferGUI(guiBuilder, httpResp, authURL, pendingReqID, null, null); + buildSSOTransferGUI(guiBuilder, httpReq, httpResp, authURL, pendingReqID, null, null); } @@ -66,7 +67,7 @@ public class GUIUtils { * @throws ConfigurationException * @throws IOException */ - public static void buildSSOTransferGUI(IGUIFormBuilder guiBuilder, HttpServletResponse response, String authURL, + public static void buildSSOTransferGUI(IGUIFormBuilder guiBuilder, HttpServletRequest request, HttpServletResponse response, String authURL, String requestID, String nonce, DHPublicKeySpec dhKeyIDP) throws ConfigurationException, IOException { try { String containerURL = authURL @@ -103,12 +104,12 @@ public class GUIUtils { DefaultGUIFormBuilderConfiguration.VIEW_SSO_SESSION_TRANSFER, null); - config.putCustomParameter("QRImage", base64EncodedImage); - config.putCustomParameterWithOutEscaption("successMsg", "Select the SSO Session in your <i>SSO-Transfer App</i> and scan the QR-Code to start the process."); - config.putCustomParameterWithOutEscaption("timeoutURL", containerURL); - config.putCustomParameter("timeout", String.valueOf(REFESH_TIMEOUT)); + config.putCustomParameter(null, "QRImage", base64EncodedImage); + config.putCustomParameterWithOutEscaption(null, "successMsg", "Select the SSO Session in your <i>SSO-Transfer App</i> and scan the QR-Code to start the process."); + config.putCustomParameterWithOutEscaption(null, "timeoutURL", containerURL); + config.putCustomParameter(null, "timeout", String.valueOf(REFESH_TIMEOUT)); - guiBuilder.build(response, config, "SSO-Transfer-Module"); + guiBuilder.build(request, response, config, "SSO-Transfer-Module"); } catch (GUIBuildException e) { Logger.warn("Can not build GUI:'BKU-Selection'. Msg:" + e.getMessage(), e); diff --git a/id/server/modules/moa-id-modules-federated_authentication/pom.xml b/id/server/modules/moa-id-modules-federated_authentication/pom.xml index 7e8ac86af..044eb5732 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/pom.xml +++ b/id/server/modules/moa-id-modules-federated_authentication/pom.xml @@ -3,7 +3,7 @@ <parent> <groupId>MOA.id.server.modules</groupId> <artifactId>moa-id-modules</artifactId> - <version>${moa-id-version}</version> + <version>4.1.0</version> </parent> <artifactId>moa-id-modules-federated_authentication</artifactId> <description>PVP2 ServiceProvider implementation for federated authentication</description> diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java index 4068d2d99..e50836712 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java @@ -22,6 +22,7 @@ */ package at.gv.egovernment.moa.id.auth.modules.federatedauth; +import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; @@ -45,7 +46,7 @@ public class FederatedAuthenticationModuleImpl implements AuthModule { * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#selectProcess(at.gv.egovernment.moa.id.process.api.ExecutionContext) */ @Override - public String selectProcess(ExecutionContext context) { + public String selectProcess(ExecutionContext context, IRequest pendingReq) { //select interfederation authentication if PERFORM_INTERFEDERATION_AUTH flag is set Object performfedAuthObj = context.get(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH); if (performfedAuthObj != null && performfedAuthObj instanceof Boolean) { diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java index 6a733adb8..8eb6e7b92 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java @@ -34,6 +34,7 @@ import org.springframework.web.bind.annotation.RequestMethod; import com.google.common.net.MediaType; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController; import at.gv.egiz.eaaf.core.impl.utils.HTTPUtils; import at.gv.egiz.eaaf.modules.pvp2.api.IPVP2BasicConfiguration; @@ -67,7 +68,7 @@ public class FederatedAuthMetadataController extends AbstractController { @RequestMapping(value = "/sp/federated/metadata", method = {RequestMethod.GET}) - public void getSPMetadata(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void getSPMetadata(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException { //check PublicURL prefix try { String authURL = HTTPUtils.extractAuthURLFromRequest(req); @@ -94,7 +95,7 @@ public class FederatedAuthMetadataController extends AbstractController { } catch (Exception e) { Logger.warn("Build federated-authentication PVP metadata FAILED.", e); - handleErrorNoRedirect(e, req, resp, false); + protAuthService.handleErrorNoRedirect(e, req, resp, false); } diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthSignalController.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthSignalController.java index 5edd36248..ae68261ee 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthSignalController.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthSignalController.java @@ -32,6 +32,7 @@ import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController; import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants; import at.gv.egovernment.moa.logging.Logger; @@ -55,7 +56,7 @@ public class FederatedAuthSignalController extends AbstractProcessEngineSignalCo "/sp/federated/redirect" }, method = {RequestMethod.POST, RequestMethod.GET}) - public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException { signalProcessManagement(req, resp); } diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java index d0d97e9e8..a798679d7 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java @@ -36,6 +36,7 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; import at.gv.egiz.eaaf.core.api.data.ILoALevelMapper; +import at.gv.egiz.eaaf.core.api.idp.IConfigurationWithSP; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; @@ -64,6 +65,7 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask { @Autowired FederatedAuthCredentialProvider credential; @Autowired(required=true) MOAMetadataProvider metadataProvider; @Autowired(required=true) ILoALevelMapper loaMapper; + @Autowired(required=true) protected IConfigurationWithSP authConfigWithSp; /* (non-Javadoc) * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) @@ -82,7 +84,7 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask { } //load IDP configuration from MOA-ID Configuration - IOAAuthParameters idpConfig = authConfig.getServiceProviderConfiguration(idpEntityID, IOAAuthParameters.class); + IOAAuthParameters idpConfig = authConfigWithSp.getServiceProviderConfiguration(idpEntityID, IOAAuthParameters.class); //validate IDP if (!idpConfig.isInderfederationIDP() || !idpConfig.isInboundSSOInterfederationAllowed()) { Logger.info("Requested interfederation IDP " + idpEntityID + " is not valid for interfederation."); diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java index 6b6d1a196..ad79d5b3b 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java @@ -42,6 +42,7 @@ import org.opensaml.xml.security.SecurityException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; +import at.gv.egiz.eaaf.core.api.idp.IConfigurationWithSP; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException; @@ -94,6 +95,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { @Autowired private AuthenticationDataBuilder authDataBuilder; @Autowired(required=true) MOAMetadataProvider metadataProvider; @Autowired(required=true) protected IAuthenticationSessionStoreage authenticatedSessionStorage; + @Autowired(required=true) protected IConfigurationWithSP authConfigWithSp; /* (non-Javadoc) @@ -150,7 +152,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { PVPSProfileResponse processedMsg = preProcessAuthResponse((PVPSProfileResponse) msg); //load IDP and SP configuration - IOAAuthParameters idpConfig = authConfig.getServiceProviderConfiguration(msg.getEntityID(), IOAAuthParameters.class); + IOAAuthParameters idpConfig = authConfigWithSp.getServiceProviderConfiguration(msg.getEntityID(), IOAAuthParameters.class); IOAAuthParameters spConfig = pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class); //check if response Entity is valid @@ -199,6 +201,9 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { pendingReq.setRawDataToTransaction(SSOManager.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg); pendingReq.setRawDataToTransaction(SSOManager.DATAID_INTERFEDERATIOIDP_ENTITYID, processedMsg.getEntityID()); + //set NeedConsent to false, because user gives consont during authentication + pendingReq.setNeedUserConsent(false); + //store pending-request requestStoreage.storePendingRequest(pendingReq); @@ -224,7 +229,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { if (msg != null) { IOAAuthParameters idpConfig = null; try { - idpConfig = authConfig.getServiceProviderConfiguration(msg.getEntityID(), IOAAuthParameters.class); + idpConfig = authConfigWithSp.getServiceProviderConfiguration(msg.getEntityID(), IOAAuthParameters.class); //remove federated IDP from SSO session if exists ssoManager.removeInterfederatedSSOIDP(msg.getEntityID(), request); diff --git a/id/server/modules/moa-id-modules-saml1/pom.xml b/id/server/modules/moa-id-modules-saml1/pom.xml index 3a401d80e..9c27134d0 100644 --- a/id/server/modules/moa-id-modules-saml1/pom.xml +++ b/id/server/modules/moa-id-modules-saml1/pom.xml @@ -3,7 +3,7 @@ <parent> <groupId>MOA.id.server.modules</groupId> <artifactId>moa-id-modules</artifactId> - <version>${moa-id-version}</version> + <version>4.1.0</version> </parent> <artifactId>moa-id-module-saml1</artifactId> diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index 7a9557baf..af8211dee 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -53,6 +53,9 @@ import at.gv.egiz.eaaf.core.exceptions.EAAFBuilderException; import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.core.impl.idp.auth.builder.BPKBuilder; +import at.gv.egiz.eaaf.core.impl.idp.builder.SimpleStringAttributeGenerator; +import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.EIDEIDTokenBuilder; +import at.gv.egiz.eaaf.core.impl.idp.builder.attributes.EidIdentityStatusLevelAttributeBuiler; import at.gv.egiz.eaaf.core.impl.utils.DOMUtils; import at.gv.egiz.eaaf.core.impl.utils.Random; import at.gv.egovernment.moa.id.auth.AuthenticationServer; @@ -67,6 +70,7 @@ import at.gv.egovernment.moa.id.auth.exception.ServiceException; import at.gv.egovernment.moa.id.auth.exception.ValidateException; import at.gv.egovernment.moa.id.auth.parser.SAMLArtifactParser; import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils; +import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWConstants; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.data.ExtendedSAMLAttribute; @@ -78,7 +82,6 @@ import at.gv.egovernment.moa.id.protocols.builder.attributes.BPKListAttributeBui import at.gv.egovernment.moa.id.protocols.builder.attributes.EncryptedBPKAttributeBuilder; import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateNaturalPersonBPKListAttributeBuilder; import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateNaturalPersonEncBPKListAttributeBuilder; -import at.gv.egovernment.moa.id.protocols.builder.attributes.SimpleStringAttributeGenerator; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; @@ -393,6 +396,42 @@ public class SAML1AuthenticationServer extends AuthenticationServer { } + try { + String onlineIDL = new EIDEIDTokenBuilder().build( + oaParam, + authData, + new SimpleStringAttributeGenerator()); + if (MiscUtil.isNotEmpty(onlineIDL)) { + Logger.trace("Adding Online-IDL: " + onlineIDL + " as attribute into SAML1 assertion ... "); + oaAttributes.add(new ExtendedSAMLAttributeImpl( + PVPAttributeDefinitions.EID_E_ID_TOKEN_FRIENDLY_NAME, onlineIDL, + Constants.MOA_NS_URI, + ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK)); + + } + } catch (AttributeBuilderException e) { + Logger.info("Can NOT build additional 'Online-IDL' attribute. Reason: " + e.getMessage()); + + } + + try { + String eidStatusLevel = new EidIdentityStatusLevelAttributeBuiler().build( + oaParam, + authData, + new SimpleStringAttributeGenerator()); + if (MiscUtil.isNotEmpty(eidStatusLevel)) { + Logger.trace("Adding IdentityStatusLevel: " + eidStatusLevel + " as attribute into SAML1 assertion ... "); + oaAttributes.add(new ExtendedSAMLAttributeImpl( + PVPAttributeDefinitions.EID_IDENTITY_STATUS_LEVEL_FRIENDLY_NAME, eidStatusLevel, + Constants.MOA_NS_URI, + ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK)); + + } + } catch (AttributeBuilderException e) { + Logger.info("Can NOT build additional 'IdentityStatusLevel' attribute. Reason: " + e.getMessage()); + + } + //for mandates try { String additionalMandatorBpks = new MandateNaturalPersonBPKListAttributeBuilder().build( @@ -429,12 +468,15 @@ public class SAML1AuthenticationServer extends AuthenticationServer { Logger.info("Can NOT build foreign Mandator bPKs. Reason: " + e.getMessage()); } + + } String samlAssertion = null; //add mandate info's if (authData.isUseMandate()) { + //only provide full mandate if it is included. if (saml1parameter.isProvideFullMandatorData() && authData.getMISMandate() != null) { @@ -506,8 +548,12 @@ public class SAML1AuthenticationServer extends AuthenticationServer { } } + //build mandateDate Attribute String mandateDate = generateMandateDate(oaParam, authData); + //build RepresentationType and + generateRepresentationTypeAndOWInfos(oaAttributes, oaParam, authData); + samlAssertion = new AuthenticationDataAssertionBuilder().buildMandate( authData, prPerson, @@ -553,6 +599,65 @@ public class SAML1AuthenticationServer extends AuthenticationServer { } + private void generateRepresentationTypeAndOWInfos(List<ExtendedSAMLAttribute> oaAttributes, + IOAAuthParameters oaParam, SAML1AuthenticationData authData) { + boolean isRepresentationTypeSet = false; + boolean isOWOIDSet = false; + boolean isOWFriendlyNameSet = false; + + for (ExtendedSAMLAttribute el : oaAttributes) { + if (EXT_SAML_MANDATE_REPRESENTATIONTYPE.equals(el.getName())) + isRepresentationTypeSet = true; + + if (EXT_SAML_MANDATE_OID.equals(el.getName())) + isOWOIDSet = true; + + if (EXT_SAML_MANDATE_OIDTEXTUALDESCRIPTION.equals(el.getName())) + isOWFriendlyNameSet = true; + } + + + if (!isRepresentationTypeSet) + oaAttributes.add(new ExtendedSAMLAttributeImpl( + EXT_SAML_MANDATE_REPRESENTATIONTYPE, + EXT_SAML_MANDATE_REPRESENTATIONTEXT, + SZRGWConstants.MANDATE_NS, + ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK)); + + + String oid = null; + String oidDescription = null; + + if (authData.getMISMandate() != null) { + oid = authData.getMISMandate().getProfRep(); + oidDescription = authData.getMISMandate().getTextualDescriptionOfOID(); + + } else { + oid = authData.getGenericData(PVPConstants.MANDATE_PROF_REP_OID_NAME, String.class); + oidDescription = authData.getGenericData(PVPConstants.MANDATE_PROF_REP_DESC_NAME, String.class); + + } + + + + + if (!isOWOIDSet && oid != null) + oaAttributes.add(new ExtendedSAMLAttributeImpl( + EXT_SAML_MANDATE_OID, oid, + SZRGWConstants.MANDATE_NS, + ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK)); + + if (!isOWFriendlyNameSet && oidDescription != null) + oaAttributes.add(new ExtendedSAMLAttributeImpl( + EXT_SAML_MANDATE_OIDTEXTUALDESCRIPTION, + oidDescription, SZRGWConstants.MANDATE_NS, + ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK)); + + + + } + + private String generateMandateDate(IOAAuthParameters oaParam, MOAAuthenticationData authData ) throws AuthenticationException, BuildException, ParseException, ConfigurationException, ServiceException, diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index 20c66d7a2..bb1f3c155 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java @@ -42,7 +42,7 @@ import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException; import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; import at.gv.egiz.eaaf.core.exceptions.ProtocolNotActiveException; -import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractAuthProtocolModulController; +import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet; @@ -66,7 +66,7 @@ import at.gv.egovernment.moa.util.URLEncoder; */ @Controller -public class SAML1Protocol extends AbstractAuthProtocolModulController implements IModulInfo { +public class SAML1Protocol extends AbstractController implements IModulInfo { @Autowired private SAML1AuthenticationServer saml1AuthServer; @@ -127,7 +127,7 @@ public class SAML1Protocol extends AbstractAuthProtocolModulController implement //preProcess SAML1 Request preProcess(req, resp, pendingReq); - performAuthentication(req, resp, pendingReq); + protAuthService.performAuthentication(req, resp, pendingReq); return; } diff --git a/id/server/modules/module-monitoring/pom.xml b/id/server/modules/module-monitoring/pom.xml index 0718f9017..1be1574a5 100644 --- a/id/server/modules/module-monitoring/pom.xml +++ b/id/server/modules/module-monitoring/pom.xml @@ -5,7 +5,7 @@ <parent> <groupId>MOA.id.server.modules</groupId> <artifactId>moa-id-modules</artifactId> - <version>${moa-id-version}</version> + <version>4.1.0</version> </parent> <artifactId>moa-id-module-monitoring</artifactId> @@ -18,9 +18,13 @@ </properties> <dependencies> - <dependency> + <!-- dependency> <groupId>MOA.id.server.modules</groupId> <artifactId>moa-id-modul-citizencard_authentication</artifactId> + </dependency--> + <dependency> + <groupId>MOA.id.server</groupId> + <artifactId>moa-id-lib</artifactId> </dependency> </dependencies> diff --git a/id/server/modules/pom.xml b/id/server/modules/pom.xml index a86090178..72f568a8a 100644 --- a/id/server/modules/pom.xml +++ b/id/server/modules/pom.xml @@ -5,12 +5,11 @@ <parent> <groupId>MOA.id</groupId> <artifactId>moa-id</artifactId> - <version>3.x</version> + <version>4.1.0</version> </parent> <groupId>MOA.id.server.modules</groupId> <artifactId>moa-id-modules</artifactId> - <version>${moa-id-version}</version> <packaging>pom</packaging> <name>MOA ID-Modules</name> @@ -35,8 +34,9 @@ <module>moa-id-module-ssoTransfer</module> <module>moa-id-module-bkaMobilaAuthSAML2Test</module> - <module>moa-id-module-sl20_authentication</module> + <module>moa-id-module-sl20_authentication</module> <module>moa-id-module-AT_eIDAS_connector</module> + <module>moa-id-module-E-ID_connector</module> </modules> <dependencies> |