aboutsummaryrefslogtreecommitdiff
path: root/id/server/modules
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/modules')
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java3
-rw-r--r--id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java132
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java54
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml13
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml24
-rw-r--r--id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java2
-rw-r--r--id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java2
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java2
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java9
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java18
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java4
-rw-r--r--id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java213
-rw-r--r--id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java2
13 files changed, 312 insertions, 166 deletions
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
index 965abcde1..55504dcb0 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
@@ -34,6 +34,7 @@ import at.gv.egovernment.moa.id.config.auth.IGarbageCollectorProcessing;
import at.gv.egovernment.moa.id.config.auth.MOAGarbageCollector;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MOASPMetadataSignatureFilter;
import at.gv.egovernment.moa.id.saml2.MetadataFilterChain;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -178,7 +179,7 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
//add Metadata filters
MetadataFilterChain filter = new MetadataFilterChain();
- filter.addFilter(new MOAeIDASMetadataSignatureFilter(
+ filter.addFilter(new MOASPMetadataSignatureFilter(
authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE)));
httpProvider.setMetadataFilter(filter);
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java
deleted file mode 100644
index c9f3e5bcd..000000000
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java
+++ /dev/null
@@ -1,132 +0,0 @@
-/*
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- */
-package at.gv.egovernment.moa.id.auth.modules.eidas.engine;
-
-import java.io.IOException;
-import java.io.StringWriter;
-
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerConfigurationException;
-import javax.xml.transform.TransformerException;
-import javax.xml.transform.TransformerFactory;
-import javax.xml.transform.TransformerFactoryConfigurationError;
-import javax.xml.transform.dom.DOMSource;
-import javax.xml.transform.stream.StreamResult;
-
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.provider.FilterException;
-import org.opensaml.saml2.metadata.provider.MetadataFilter;
-import org.opensaml.xml.XMLObject;
-
-import at.gv.egovernment.moa.id.auth.builder.SignatureVerificationUtils;
-import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
-import at.gv.egovernment.moa.id.auth.exception.BuildException;
-import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
-import at.gv.egovernment.moa.logging.Logger;
-
-/**
- * @author tlenz
- *
- */
-public class MOAeIDASMetadataSignatureFilter implements MetadataFilter {
-
- private String trustProfileID = null;
-
- /**
- *
- */
- public MOAeIDASMetadataSignatureFilter(String trustProfileID) {
- this.trustProfileID = trustProfileID;
-
- }
-
-
- /* (non-Javadoc)
- * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject)
- */
- @Override
- public void doFilter(XMLObject metadata) throws FilterException {
- if (metadata instanceof EntityDescriptor) {
- if (((EntityDescriptor) metadata).isSigned()) {
- EntityDescriptor entityDes = (EntityDescriptor) metadata;
- //check signature;
- try {
- Transformer transformer = TransformerFactory.newInstance()
- .newTransformer();
- StringWriter sw = new StringWriter();
- StreamResult sr = new StreamResult(sw);
- DOMSource source = new DOMSource(metadata.getDOM());
- transformer.transform(source, sr);
- sw.close();
- String metadataXML = sw.toString();
-
- SignatureVerificationUtils sigVerify =
- new SignatureVerificationUtils();
- VerifyXMLSignatureResponse result = sigVerify.verify(
- metadataXML.getBytes(), trustProfileID);
-
- //check signature-verification result
- if (result.getSignatureCheckCode() != 0) {
- Logger.warn("eIDAS Metadata signature-verification FAILED!"
- + " Metadata: " + entityDes.getEntityID()
- + " StatusCode:" + result.getSignatureCheckCode());
- throw new FilterException("eIDAS Metadata signature-verification FAILED!"
- + " Metadata: " + entityDes.getEntityID()
- + " StatusCode:" + result.getSignatureCheckCode());
-
- }
-
- if (result.getCertificateCheckCode() != 0) {
- Logger.warn("eIDAS Metadata certificate-verification FAILED!"
- + " Metadata: " + entityDes.getEntityID()
- + " StatusCode:" + result.getCertificateCheckCode());
- throw new FilterException("eIDAS Metadata certificate-verification FAILED!"
- + " Metadata: " + entityDes.getEntityID()
- + " StatusCode:" + result.getCertificateCheckCode());
-
- }
-
-
- } catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) {
- Logger.error("eIDAS Metadata verification has an interal error.", e);
- throw new FilterException("eIDAS Metadata verification has an interal error."
- + " Message:" + e.getMessage());
-
- }
-
-
- } else {
- Logger.warn("eIDAS Metadata root-element MUST be signed.");
- throw new FilterException("eIDAS Metadata root-element MUST be signed.'");
-
- }
-
- } else {
- Logger.warn("eIDAS Metadata root-element is not of type 'EntityDescriptor'");
- throw new FilterException("eIDAS Metadata root-element is not of type 'EntityDescriptor'");
-
- }
-
- }
-
-}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java
index 935cefdf9..f682913e6 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java
@@ -22,6 +22,12 @@ package at.gv.egovernment.moa.id.auth.modules.elgamandates;
* that you distribute must include a readable copy of the "NOTICE" text file.
*/
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import at.gv.egovernment.moa.id.data.Pair;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
/**
* @author tlenz
@@ -29,13 +35,24 @@ package at.gv.egovernment.moa.id.auth.modules.elgamandates;
*/
public class ELGAMandatesAuthConstants {
+ public static final String MODULE_NAME_FOR_LOGGING = "ELGA Mandate-Service";
+
public static final int METADATA_VALIDUNTIL_IN_HOURS = 24;
+ //Service endpoint definitions
public static final String ENDPOINT_POST = "/sp/elga_mandate/post";
public static final String ENDPOINT_REDIRECT = "/sp/elga_mandate/redirect";
public static final String ENDPOINT_METADATA = "/sp/elga_mandate/metadata";
- public static final String CONFIG_PROPS_PREFIX = "modules.elga_mandate.";
+ //configuration properties
+ public static final String CONFIG_PROPS_PREFIX = "modules.elga_mandate.";
+
+ public static final String CONFIG_PROPS_SUBJECTNAMEID_TARGET = CONFIG_PROPS_PREFIX + "nameID.target";
+
+ public static final String CONFIG_PROPS_ENTITYID = CONFIG_PROPS_PREFIX + "service.entityID";
+ public static final String CONFIG_PROPS_METADATAURL = CONFIG_PROPS_PREFIX + "service.metadataurl";
+ public static final String CONFIG_PROPS_METADATA_TRUSTPROFILE = CONFIG_PROPS_PREFIX + "service.metadata.trustprofileID";
+
public static final String CONFIG_PROPS_KEYSTORE = CONFIG_PROPS_PREFIX + "keystore.path";
public static final String CONFIG_PROPS_KEYSTOREPASSWORD = CONFIG_PROPS_PREFIX + "keystore.password";
public static final String CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "metadata.sign.password";
@@ -45,7 +62,42 @@ public class ELGAMandatesAuthConstants {
public static final String CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.password";
public static final String CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.alias";
+
+ /**
+ *
+ * Get required PVP attributes
+ * First : PVP attribute name (OID)
+ * Second: FriendlyName
+ *
+ */
+ public static final List<Pair<String, String>> REQUIRED_PVP_ATTRIBUTES =
+ Collections.unmodifiableList(new ArrayList<Pair<String, String>>() {
+ private static final long serialVersionUID = 1L;
+ {
+ //request mandate type
+ add(Pair.newInstance(PVPConstants.MANDATE_TYPE_NAME, PVPConstants.MANDATE_TYPE_FRIENDLY_NAME));
+
+ //request attributes for natural mandators
+ add(Pair.newInstance(PVPConstants.MANDATE_NAT_PER_BPK_NAME, PVPConstants.MANDATE_NAT_PER_BPK_FRIENDLY_NAME));
+ add(Pair.newInstance(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME, PVPConstants.MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME));
+ add(Pair.newInstance(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME, PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_FRIENDLY_NAME));
+ add(Pair.newInstance(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME, PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME));
+
+ //request reference_value
+ add(Pair.newInstance(PVPConstants.MANDATE_REFERENCE_VALUE_NAME, PVPConstants.MANDATE_REFERENCE_VALUE_FRIENDLY_NAME));
+ }
+ });
+
+
public static final String CONFIG_DEFAULT_QAA_STORK_LEVEL = "http://www.stork.gov.eu/1.0/citizenQAALevel/4";
public static final String CONFIG_DEFAULT_QAA_SECCLASS_LEVEL = "http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3";
+
+ public static List<String> getRequiredAttributeNames() {
+ List<String> list = new ArrayList<String>();
+ for (Pair<String, String> el : REQUIRED_PVP_ATTRIBUTES)
+ list.add(el.getFirst());
+ return list;
+ }
+
}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml
index 1c0071c4a..b648e4d27 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml
@@ -16,6 +16,11 @@
<pd:Task id="prepareGetMISMandate" class="PrepareGetMISMandateTask" />
<pd:Task id="finalizeAuthentication" class="FinalizeAuthenticationTask" />
<pd:Task id="getForeignID" class="GetForeignIDTask" async="true" />
+
+ <!-- ELGA Mandate-Service Tasks -->
+ <pd:Task id="requestELGAMandateTask" class="RequestELGAMandateTask" />
+ <pd:Task id="receiveElgaMandateResponseTask" class="ReceiveElgaMandateResponseTask" async="true"/>
+
<!-- Process is triggered either by GenerateIFrameTemplateServlet (upon bku selection) or by AuthenticationManager (upon legacy authentication start using legacy parameters. -->
<pd:StartEvent id="start" />
@@ -39,11 +44,15 @@
<pd:Transition from="verifyCertificate" to="getForeignID" />
<pd:Transition from="verifyAuthBlock" to="prepareGetMISMandate" conditionExpression="ctx['useMandate']" />
+ <pd:Transition from="verifyAuthBlock" to="requestELGAMandateTask" conditionExpression="ctx['useELGAMandate']" />
<pd:Transition from="verifyAuthBlock" to="finalizeAuthentication" />
-
- <pd:Transition from="prepareGetMISMandate" to="getMISMandate" />
+ <pd:Transition from="requestELGAMandateTask" to="receiveElgaMandateResponseTask" />
+ <pd:Transition from="receiveElgaMandateResponseTask" to="finalizeAuthentication" />
+
+ <pd:Transition from="prepareGetMISMandate" to="getMISMandate" />
<pd:Transition from="getMISMandate" to="finalizeAuthentication" />
+
<pd:Transition from="getForeignID" to="finalizeAuthentication" />
<pd:Transition from="finalizeAuthentication" to="end" />
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml
index 89f1edd06..6e567a42c 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml
@@ -14,23 +14,25 @@
<property name="priority" value="1" />
</bean>
- <bean id="FederatedAuthCredentialProvider"
- class="at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider"/>
+ <bean id="ELGAMandate_MetadataProvider"
+ class="at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandateServiceMetadataProvider"/>
- <bean id="FederatedAuthMetadataController"
- class="at.gv.egovernment.moa.id.auth.modules.federatedauth.controller.FederatedAuthMetadataController"/>
-
- <bean id="FederatedAuthSignalController"
- class="at.gv.egovernment.moa.id.auth.modules.federatedauth.controller.FederatedAuthSignalController"/>
+ <bean id="ELGAMandatesCredentialProvider"
+ class="at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandatesCredentialProvider"/>
+ <bean id="ELGAMandateMetadataController"
+ class="at.gv.egovernment.moa.id.auth.modules.elgamandates.controller.ELGAMandateMetadataController"/>
+
+ <bean id="ELGAMandateSignalController"
+ class="at.gv.egovernment.moa.id.auth.modules.elgamandates.controller.ELGAMandateSignalController"/>
<!-- Federated Authentication Process Tasks -->
- <bean id="CreateFederatedAuthnRequestTask"
- class="at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks.CreateAuthnRequestTask"
+ <bean id="RequestELGAMandateTask"
+ class="at.gv.egovernment.moa.id.auth.modules.elgamandates.tasks.RequestELGAMandateTask"
scope="prototype"/>
- <bean id="ReceiveFederatedAuthnResponseTask"
- class="at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks.ReceiveAuthnResponseTask"
+ <bean id="ReceiveElgaMandateResponseTask"
+ class="at.gv.egovernment.moa.id.auth.modules.elgamandates.tasks.ReceiveElgaMandateResponseTask"
scope="prototype"/>
</beans> \ No newline at end of file
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
index 1f9d9e3a0..21fe4e5fa 100644
--- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
@@ -33,6 +33,7 @@ import com.google.gson.JsonPrimitive;
import at.gv.egovernment.moa.id.auth.stork.STORKConstants;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.id.protocols.builder.attributes.BPKAttributeBuilder;
import at.gv.egovernment.moa.id.protocols.builder.attributes.EIDAuthBlock;
import at.gv.egovernment.moa.id.protocols.builder.attributes.EIDCcsURL;
@@ -59,7 +60,6 @@ import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateProfRepDescA
import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateProfRepOIDAttributeBuilder;
import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateReferenceValueAttributeBuilder;
import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateTypeAttributeBuilder;
-import at.gv.egovernment.moa.id.protocols.oauth20.Pair;
import at.gv.egovernment.moa.id.protocols.oauth20.protocol.OAuth20AuthRequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
index 33d057fe9..518a694b0 100644
--- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
@@ -38,13 +38,13 @@ import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.Pair;
import at.gv.egovernment.moa.id.data.SLOInformationImpl;
import at.gv.egovernment.moa.id.data.SLOInformationInterface;
import at.gv.egovernment.moa.id.moduls.IAction;
import at.gv.egovernment.moa.id.moduls.IRequest;
import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject;
-import at.gv.egovernment.moa.id.protocols.oauth20.Pair;
import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OAuth20AttributeBuilder;
import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OpenIdExpirationTimeAttribute;
import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception;
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java
index e2f851132..1f7f27617 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java
@@ -28,6 +28,8 @@ package at.gv.egovernment.moa.id.auth.modules.federatedauth;
*/
public class FederatedAuthConstants {
+ public static final String MODULE_NAME_FOR_LOGGING = "federated IDP";
+
public static final int METADATA_VALIDUNTIL_IN_HOURS = 24;
public static final String ENDPOINT_POST = "/sp/federated/post";
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java
index 29b6ea18b..0f2c85350 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java
@@ -278,4 +278,13 @@ public class FederatedAuthMetadataConfiguration implements IPVPMetadataBuilderCo
}
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#getSPNameForLogging()
+ */
+ @Override
+ public String getSPNameForLogging() {
+ return FederatedAuthConstants.MODULE_NAME_FOR_LOGGING;
+ }
+
}
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
index eca5c7649..4ae162f5a 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
@@ -27,6 +27,7 @@ import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.xml.security.credential.Credential;
+import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation;
/**
@@ -157,5 +158,22 @@ public class FederatedAuthnRequestBuilderConfiguration implements IPVPAuthnReque
return null;
}
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSPNameForLogging()
+ */
+ @Override
+ public String getSPNameForLogging() {
+ return FederatedAuthConstants.MODULE_NAME_FOR_LOGGING;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDFormat()
+ */
+ @Override
+ public String getSubjectNameIDFormat() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
}
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java
index 2e134713b..06664af45 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java
@@ -89,7 +89,7 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask {
Logger.debug("isInderfederationIDP:" + String.valueOf(idpConfig.isInderfederationIDP())
+ " isInboundSSOAllowed:" + String.valueOf(idpConfig.isInboundSSOInterfederationAllowed()));
- handleAuthnRequestBuildProblem(executionContext, idpConfig, "sp.pvp2.01", new Object[]{idpEntityID});
+ handleAuthnRequestBuildProblem(executionContext, idpConfig, "sp.pvp2.01", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING, idpEntityID});
return;
@@ -102,7 +102,7 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask {
Logger.warn("Requested IDP " + idpEntityID
+ " has no valid metadata or metadata is not found");
- handleAuthnRequestBuildProblem(executionContext, idpConfig, "sp.pvp2.02", new Object[]{idpEntityID});
+ handleAuthnRequestBuildProblem(executionContext, idpConfig, "sp.pvp2.02", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING, idpEntityID});
return;
}
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
index 49f9782ae..d87109244 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
@@ -23,14 +23,21 @@
package at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks;
import java.io.IOException;
+import java.util.Collection;
+import java.util.List;
+import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.transform.TransformerException;
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.AttributeQuery;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.ws.message.decoder.MessageDecodingException;
+import org.opensaml.ws.soap.common.SOAPException;
+import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.SecurityException;
import org.springframework.beans.factory.annotation.Autowired;
@@ -38,25 +45,39 @@ import org.springframework.stereotype.Component;
import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
+import at.gv.egovernment.moa.id.auth.exception.SessionDataStorageException;
import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
+import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants;
import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.FederatedAuthenticatenContainer;
import at.gv.egovernment.moa.id.moduls.RequestImpl;
import at.gv.egovernment.moa.id.moduls.SSOManager;
import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnResponseValidationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
+import at.gv.egovernment.moa.id.storage.ITransactionStorage;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -67,9 +88,12 @@ import at.gv.egovernment.moa.util.MiscUtil;
@Component("ReceiveFederatedAuthnResponseTask")
public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
- @Autowired SAMLVerificationEngine samlVerificationEngine;
- @Autowired FederatedAuthCredentialProvider credentialProvider;
- @Autowired SSOManager ssoManager;
+ @Autowired private SAMLVerificationEngine samlVerificationEngine;
+ @Autowired private FederatedAuthCredentialProvider credentialProvider;
+ @Autowired private SSOManager ssoManager;
+ @Autowired private AttributQueryBuilder attributQueryBuilder;
+ @Autowired private ITransactionStorage transactionStorage;
+
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
@@ -94,21 +118,21 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
} else {
Logger.warn("Receive PVP Response, but Binding ("
+ request.getMethod() + ") is not supported.");
- throw new AuthnResponseValidationException("sp.pvp2.03", null);
+ throw new AuthnResponseValidationException("sp.pvp2.03", new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING});
}
//decode PVP response object
- msg = (InboundMessage) decoder.decode(request, response, true);
+ msg = (InboundMessage) decoder.decode(request, response, MOAMetadataProvider.getInstance(), true);
if (MiscUtil.isEmpty(msg.getEntityID())) {
- throw new InvalidProtocolRequestException("sp.pvp2.04", new Object[] {});
+ throw new InvalidProtocolRequestException("sp.pvp2.04", new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING});
}
//validate response signature
if(!msg.isVerified()) {
- samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine());
+ samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine(MOAMetadataProvider.getInstance()));
msg.setVerified(true);
}
@@ -118,12 +142,77 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
//validate assertion
MOAResponse processedMsg = preProcessAuthResponse((MOAResponse) msg);
- //store valid assertion into pending-request
- pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg);
+ //load IDP and SP configuration
+ IOAAuthParameters idpConfig = authConfig.getOnlineApplicationParameter(msg.getEntityID());
+ IOAAuthParameters spConfig = pendingReq.getOnlineApplicationConfiguration();
+
+ //check if response Entity is valid
+ if (!idpConfig.isInderfederationIDP()) {
+ Logger.warn("Response Issuer is not a federated IDP. Stopping federated authentication ...");
+ throw new AuthnResponseValidationException("sp.pvp2.08",
+ new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING,
+ msg.getEntityID()});
+
+ }
- //update MOASession with federation information
- authenticatedSessionStorage.createInterfederatedSession(pendingReq, true);
+ //load MOASession from database
+ defaultTaskInitialization(request, executionContext);
+ //initialize Attribute extractor
+ AssertionAttributeExtractor extractor =
+ new AssertionAttributeExtractor((Response) processedMsg.getResponse());
+
+ //check if SP is also a federated IDP
+ if (spConfig.isInderfederationIDP()) {
+ //SP is a federated IDP --> answer only with nameID and wait for attribute-Query
+ pendingReq.setGenericDataToSession(
+ PVPTargetConfiguration.DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP, true);
+ pendingReq.setGenericDataToSession(
+ PVPTargetConfiguration.DATAID_INTERFEDERATION_NAMEID, extractor.getNameID());
+ pendingReq.setGenericDataToSession(
+ PVPTargetConfiguration.DATAID_INTERFEDERATION_QAALEVEL, extractor.getQAALevel());
+
+ //build data-container for AttributeQuery
+ FederatedAuthenticatenContainer container = new FederatedAuthenticatenContainer();
+ container.setIdpEntityID(idpConfig.getPublicURLPrefix());
+ container.setUserNameID(extractor.getNameID());
+ container.setUserQAALevel(extractor.getQAALevel());
+
+ if (idpConfig.isInterfederationSSOStorageAllowed()) {
+ //open SSO session and store IDP as federated IDP
+ container.setMoaSessionID(moasession.getSessionID());
+
+ //store federatedIDP to MOASession
+ authenticatedSessionStorage.
+ addFederatedSessionInformation(pendingReq,
+ idpConfig.getPublicURLPrefix(), extractor);
+
+ }
+
+ //store container into transaction storage
+ transactionStorage.put(container.getId(), container);
+
+ //store container ID to pending-request
+ pendingReq.setGenericDataToSession(
+ PVPTargetConfiguration.DATAID_INTERFEDERATION_ATTRQUERYCONTAINERID,
+ container.getId());
+
+ } else {
+ //SP is real Service-Provider --> check attributes in response
+ // and start Attribute-Query if required
+
+ //get authenticationData and store it into MOASession
+ getAuthDataFromInterfederation(extractor, pendingReq.getOnlineApplicationConfiguration(),
+ idpConfig);
+
+ //update MOASession
+ authenticatedSessionStorage.storeSession(moasession);
+
+ }
+
+ //store valid assertion into pending-request
+ pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg);
+
//store pending-request
requestStoreage.storePendingRequest(pendingReq);
@@ -165,6 +254,104 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
}
+ private void getAuthDataFromInterfederation(AssertionAttributeExtractor extractor, IOAAuthParameters spConfig,
+ IOAAuthParameters idpConfig) throws BuildException, ConfigurationException{
+
+ try {
+ Logger.debug("Service Provider is no federated IDP --> start Attribute validation or requesting ... ");
+ Collection<String> requestedAttr = pendingReq.getRequestedAttributes();
+
+ //check if SAML2 Assertion contains a minimal set of attributes
+ if (!extractor.containsAllRequiredAttributes()) {
+ Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ...");
+ //collect attributes by using BackChannel communication
+ String endpoint = idpConfig.getIDPAttributQueryServiceURL();
+ if (MiscUtil.isEmpty(endpoint)) {
+ Logger.error("No AttributeQueryURL for interfederationIDP " + idpConfig.getPublicURLPrefix());
+ throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + idpConfig.getPublicURLPrefix(), null);
+
+ }
+
+ //build attributQuery request
+ List<Attribute> attributs =
+ attributQueryBuilder.buildSAML2AttributeList(spConfig, requestedAttr.iterator());
+ AttributeQuery query =
+ attributQueryBuilder.buildAttributQueryRequest(extractor.getNameID(), endpoint, attributs);
+
+ //build SOAP request
+ List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query);
+
+ if (xmlObjects.size() == 0) {
+ Logger.error("Receive emptry AttributeQuery response-body.");
+ throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null);
+
+ }
+
+ if (xmlObjects.get(0) instanceof Response) {
+ Response intfResp = (Response) xmlObjects.get(0);
+
+ //validate PVP 2.1 response
+ try {
+ samlVerificationEngine.verifyIDPResponse(intfResp,
+ TrustEngineFactory.getSignatureKnownKeysTrustEngine(
+ MOAMetadataProvider.getInstance()));
+
+ //create assertion attribute extractor from AttributeQuery response
+ extractor = new AssertionAttributeExtractor(intfResp);
+
+ } catch (Exception e) {
+ Logger.warn("PVP 2.1 assertion validation FAILED.", e);
+ throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e);
+ }
+
+ } else {
+ Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response");
+ throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null);
+
+ }
+
+ } else {
+ Logger.info("Interfedation response include a minimal set of attributes with are required. Skip AttributQuery request step. ");
+
+ }
+
+ //check if all attributes are include
+ if (!extractor.containsAllRequiredAttributes(
+ pendingReq.getRequestedAttributes())) {
+ Logger.warn("PVP Response from federated IDP contains not all requested attributes.");
+ throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING});
+
+ }
+
+ //copy attributes into MOASession
+ Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames();
+ for (String el : includedAttrNames) {
+ moasession.setGenericDataToSession(el, extractor.getSingleAttributeValue(el));
+ Logger.debug("Add PVP-attribute " + el + " into MOASession");
+
+ }
+
+ } catch (SOAPException e) {
+ throw new BuildException("builder.06", null, e);
+
+ } catch (SecurityException e) {
+ throw new BuildException("builder.06", null, e);
+
+ } catch (AttributQueryException e) {
+ throw new BuildException("builder.06", null, e);
+
+ } catch (SessionDataStorageException e) {
+ throw new BuildException("builder.06", null, e);
+
+ } catch (AssertionValidationExeption e) {
+ throw new BuildException("builder.06", null, e);
+
+ } catch (AssertionAttributeExtractorExeption e) {
+ throw new BuildException("builder.06", null, e);
+
+ }
+ }
+
/**
* @param executionContext
* @param idpConfig
@@ -215,8 +402,8 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
} else {
Logger.info("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue()
+ " from federated IDP.");
- throw new AuthnResponseValidationException("sp.pvp2.04",
- new Object[]{samlResp.getIssuer().getValue(), samlResp.getStatus().getStatusCode().getValue()});
+ throw new AuthnResponseValidationException("sp.pvp2.05",
+ new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING, samlResp.getIssuer().getValue(), samlResp.getStatus().getStatusCode().getValue()});
}
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java
index e85f8ce6b..64c0a0c8e 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java
@@ -81,8 +81,6 @@ public class SAML1RequestImpl extends RequestImpl {
reqAttr.add(PVPConstants.MANDATE_FULL_MANDATE_NAME);
}
- //return attributQueryBuilder.buildSAML2AttributeList(this.getOnlineApplicationConfiguration(), reqAttr.iterator());
-
return reqAttr;
}