diff options
Diffstat (limited to 'id')
26 files changed, 351 insertions, 45 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java index 332adaa80..7bf2cf93f 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java @@ -46,7 +46,6 @@ public class MetaDataVerificationFilter implements MetadataFilter { public void doFilter(XMLObject metadata) throws FilterException { if (metadata instanceof EntitiesDescriptor) { EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata; - if(entitiesDescriptor.getSignature() == null) { throw new FilterException("Root element of metadata file has to be signed", null); } @@ -57,7 +56,7 @@ public class MetaDataVerificationFilter implements MetadataFilter { throw new FilterException("Invalid Metadata file Root element is no EntitiesDescriptor", null); } - } if (metadata instanceof EntityDescriptor) { + } if (metadata instanceof EntityDescriptor) { try { EntityDescriptor entity = (EntityDescriptor) metadata; if (entity.getSignature() != null) diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java index 0e65b7dca..a9c914f74 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAAuthenticationData.java @@ -30,6 +30,7 @@ import java.util.Map; import javax.servlet.http.HttpServletRequest; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.config.AuthComponentOA; import at.gv.egovernment.moa.id.commons.db.dao.config.BKUURLS; import at.gv.egovernment.moa.id.commons.db.dao.config.DefaultBKUs; @@ -40,6 +41,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType; import at.gv.egovernment.moa.id.commons.db.dao.config.TemplatesType; import at.gv.egovernment.moa.id.commons.db.dao.config.TestCredentials; +import at.gv.egovernment.moa.id.commons.db.dao.config.TestCredentialsCredentialOIDItem; import at.gv.egovernment.moa.id.commons.db.dao.config.TransformsInfoType; import at.gv.egovernment.moa.id.configuration.Constants; import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser; @@ -207,8 +209,9 @@ public class OAAuthenticationData implements IOnlineApplicationData { } if (oaauth.getTestCredentials() != null) { - enableTestCredentials = oaauth.getTestCredentials().isEnableTestCredentials(); - testCredentialOIDs = oaauth.getTestCredentials().getCredentialOID(); + enableTestCredentials = oaauth.getTestCredentials().isEnableTestCredentials(); + testCredentialOIDs = new ArrayList<String>(); + testCredentialOIDs.addAll(oaauth.getTestCredentials().getCredentialOID()); } @@ -315,12 +318,20 @@ public class OAAuthenticationData implements IOnlineApplicationData { if (enableTestCredentials) { TestCredentials testing = authoa.getTestCredentials(); - if (testing == null) - testing = new TestCredentials(); - - testing.setEnableTestCredentials(enableTestCredentials); + if (testing != null) + ConfigurationDBUtils.delete(testing); + + testing = new TestCredentials(); + authoa.setTestCredentials(testing); + testing.setEnableTestCredentials(enableTestCredentials); testing.setCredentialOID(testCredentialOIDs); + } else { + TestCredentials testing = authoa.getTestCredentials(); + if (testing != null) { + testing.setEnableTestCredentials(false); + } + } return null; @@ -576,12 +587,14 @@ public class OAAuthenticationData implements IOnlineApplicationData { */ public String getTestCredentialOIDs() { String value = null; - for (String el : testCredentialOIDs) { - if (value == null) - value = el; - else - value += "," + el; + if (testCredentialOIDs != null) { + for (String el : testCredentialOIDs) { + if (value == null) + value = el; + else + value += "," + el; + } } return value; @@ -595,12 +608,13 @@ public class OAAuthenticationData implements IOnlineApplicationData { * @param testCredentialOIDs the testCredentialOIDs to set */ public void setTestCredentialOIDs(String testCredentialOIDs) { - String[] oidList = testCredentialOIDs.split(","); + if (MiscUtil.isNotEmpty(testCredentialOIDs)) { + String[] oidList = testCredentialOIDs.split(","); - this.testCredentialOIDs = new ArrayList<String>(); - for (int i=0; i<oidList.length; i++) - this.testCredentialOIDs.add(oidList[i].trim()); + this.testCredentialOIDs = new ArrayList<String>(); + for (int i=0; i<oidList.length; i++) + this.testCredentialOIDs.add(oidList[i].trim()); + } } - - + } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java index b66bf878a..e5ee5ac09 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/FormDataHelper.java @@ -64,7 +64,8 @@ public class FormDataHelper { (dboa.isIsInterfederationGateway() != null && dboa.isIsInterfederationGateway()) || (dboa.getAuthComponentOA().getOASTORK() != null && dboa.getAuthComponentOA().getOASTORK().isVidpEnabled() != null - && dboa.getAuthComponentOA().getOASTORK().isVidpEnabled()))) { + && dboa.getAuthComponentOA().getOASTORK().isVidpEnabled()) || + (dboa.isIsInterfederationGateway() != null && dboa.isIsInterfederationGateway() ))) { formOAs.add(addOAFormListElement(dboa, ServiceType.OA)); } } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java index 5a9787069..26d97484b 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java @@ -291,8 +291,17 @@ public class BasicOAAction extends BasicAction { } else { - if (oaid == -1) { - onlineapplication = ConfigurationDBRead.getOnlineApplication(oaidentifier); + if (oaid == -1) { + List<OnlineApplication> oaList = ConfigurationDBRead.getAllOnlineApplications(); + for (OnlineApplication el : oaList) { + if (el.getPublicURLPrefix().startsWith(oaidentifier) ) + onlineapplication = el; + + } + if (onlineapplication == null) { + onlineapplication = ConfigurationDBRead.getOnlineApplication(oaidentifier); + + } setNewOA(true); if (onlineapplication != null) { log.info("The OAIdentifier is not unique"); @@ -306,7 +315,17 @@ public class BasicOAAction extends BasicAction { onlineapplication = ConfigurationDBRead.getOnlineApplication(oaid); if (!oaidentifier.equals(onlineapplication.getPublicURLPrefix())) { - if (ConfigurationDBRead.getOnlineApplication(oaidentifier) != null) { + OnlineApplication dbOA = null; + List<OnlineApplication> oaList = ConfigurationDBRead.getAllOnlineApplications(); + for (OnlineApplication el : oaList) { + if (el.getPublicURLPrefix().startsWith(oaidentifier) ) + dbOA = el; + + } + if (dbOA == null) + dbOA = ConfigurationDBRead.getOnlineApplication(oaidentifier); + + if ( (dbOA != null && !dbOA.getHjid().equals(oaid))) { log.info("The OAIdentifier is not unique"); throw new BasicOAActionException( LanguageHelper.getErrorString("validation.general.oaidentifier.notunique", request), diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java index 31c29aef0..4236c0d13 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java @@ -241,6 +241,9 @@ public class EditGeneralConfigAction extends BasicAction { } MOAIDConfiguration dbconfig = ConfigurationDBRead.getMOAIDConfiguration(); + if (dbconfig == null) + dbconfig = new MOAIDConfiguration(); + AuthComponentGeneral dbauth = dbconfig.getAuthComponentGeneral(); if (dbauth == null) { diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java index 7f7f083c9..335dbc91e 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java @@ -133,7 +133,7 @@ public class ListOAsAction extends BasicAction { } else { if (ValidationHelper.containsPotentialCSSCharacter(friendlyname, false)) { log.warn("SearchOA textfield contains potential XSS characters"); - addActionError(LanguageHelper.getErrorString("validation.general.oafriendlyname", + addActionError(LanguageHelper.getErrorString("validation.general.oafriendlyname.valid", new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request)); return Constants.STRUTS_SUCCESS; } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java index fd40bd447..fd4226c5b 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java @@ -147,12 +147,14 @@ public class OAAuthenticationDataValidation { } } - if (form.isEnableTestCredentials()) { + if (form.isEnableTestCredentials() + && form.getTestCredialOIDList() != null && !form.getTestCredialOIDList().isEmpty()) { for (String el : form.getTestCredialOIDList()) { - if (!el.startsWith(MOAIDAuthConstants.TESTCREDENTIALROOTOID)) + if (!el.startsWith(MOAIDAuthConstants.TESTCREDENTIALROOTOID)) { log.warn("Test credential OID does not start with test credential root OID"); errors.add(LanguageHelper.getErrorString("validation.general.testcredentials.oid.valid", new Object[] {el}, request )); + } } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java index d122b6bde..8e1dd6e64 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java @@ -36,8 +36,10 @@ import javax.servlet.http.HttpServletRequest; import org.apache.commons.httpclient.MOAHttpClient; import org.apache.log4j.Logger; import org.opensaml.Configuration; +import org.opensaml.common.xml.SAMLSchemaBuilder; import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider; import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.saml2.metadata.provider.MetadataFilterChain; import org.opensaml.saml2.metadata.provider.MetadataProviderException; import org.opensaml.xml.io.Marshaller; import org.opensaml.xml.io.MarshallerFactory; @@ -58,6 +60,7 @@ import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider; import at.gv.egovernment.moa.id.configuration.data.oa.OAPVP2Config; import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException; import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter; import at.gv.egovernment.moa.util.MiscUtil; public class OAPVP2ConfigValidation { @@ -127,16 +130,28 @@ public class OAPVP2ConfigValidation { log.info("No MOA specific SSL-TrustStore configured. Use default Java TrustStore.", e); } + + List<MetadataFilter> filterList = new ArrayList<MetadataFilter>(); + filterList.add(new MetaDataVerificationFilter(credential)); + filterList.add(new SchemaValidationFilter()); + MetadataFilterChain filter = new MetadataFilterChain(); + filter.setFilters(filterList); httpProvider = new HTTPMetadataProvider(timer, httpClient, form.getMetaDataURL()); httpProvider.setParserPool(new BasicParserPool()); httpProvider.setRequireValidMetadata(true); - httpProvider.setMetadataFilter(new MetaDataVerificationFilter(credential)); + httpProvider.setMetadataFilter(filter); httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours + + httpProvider.setRequireValidMetadata(true); + httpProvider.initialize(); + + + if (httpProvider.getMetadata() == null) { log.info("Metadata could be received but validation FAILED."); errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.validation", request)); diff --git a/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-Premium-Test-Sig-02.20141124-20241118.SerNo3969edc1.cer b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-Premium-Test-Sig-02.20141124-20241118.SerNo3969edc1.cer Binary files differnew file mode 100644 index 000000000..1bb449441 --- /dev/null +++ b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-Premium-Test-Sig-02.20141124-20241118.SerNo3969edc1.cer diff --git a/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-Premium-enc-02.20140701-20240701.SerNo144dfd.cer b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-Premium-enc-02.20140701-20240701.SerNo144dfd.cer Binary files differnew file mode 100644 index 000000000..6c0c042b4 --- /dev/null +++ b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-Premium-enc-02.20140701-20240701.SerNo144dfd.cer diff --git a/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-Test-Qual-01.20141117-20241111.SerNo16120f.cer b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-Test-Qual-01.20141117-20241111.SerNo16120f.cer new file mode 100644 index 000000000..60bc9a557 --- /dev/null +++ b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-Test-Qual-01.20141117-20241111.SerNo16120f.cer @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID2zCCAsOgAwIBAgIDFhIPMA0GCSqGSIb3DQEBBQUAMIGTMQswCQYDVQQGEwJB +VDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hlcmhlaXRzc3lzdGVtZSBp +bSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMRwwGgYDVQQLDBNhLXNpZ24tVEVT +VC1RdWFsLTAxMRwwGgYDVQQDDBNhLXNpZ24tVEVTVC1RdWFsLTAxMB4XDTE0MTEx +NzA3NDAzNloXDTI0MTExMTA2NDAzNlowgZMxCzAJBgNVBAYTAkFUMUgwRgYDVQQK +DD9BLVRydXN0IEdlcy4gZi4gU2ljaGVyaGVpdHNzeXN0ZW1lIGltIGVsZWt0ci4g +RGF0ZW52ZXJrZWhyIEdtYkgxHDAaBgNVBAsME2Etc2lnbi1URVNULVF1YWwtMDEx +HDAaBgNVBAMME2Etc2lnbi1URVNULVF1YWwtMDEwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQD4TRgyXzhxJ2AkndX0RPY771f64dsJrReEeuShLRK5io0B +kJWc4t7wuD1B98cJ0MUPlMmOJ2Ckc/vuLhQUyY3qEUmhMhixCUIcdHQ5yH3H0yMV +HxyJxAG83fE8M25kpKA4TzzMW8KPd2S63wbpPElyEy7vrllrLxvdQRSDpMZMvRg8 +fvoDGAehxsnKKwlXZuMq1aSBzfMz3cMBDKxvqzDIz7yC1iWNkdiwog3a5a5PbViK +shhZ0h+bx9WFDpiN6ooPQgcGhjD+NqIDoiOr7CUFHp+HiC6xIsEFJaBHTf3dRZ61 +0r1FDABx0Yj8+wlXSQLYq/1nR/QMwsvH0Cz1qYTPAgMBAAGjNjA0MA8GA1UdEwEB +/wQFMAMBAf8wEQYDVR0OBAoECE8h1CulBqTdMA4GA1UdDwEB/wQEAwIBBjANBgkq +hkiG9w0BAQUFAAOCAQEAimFu+xTm3UdyU+fO+2hz4DS20OGSC9NBDkorjzhRPWoZ +IVhUi6yH5drqSBm4/2ZYS1Ba5npzfyJwm+cLO28ljxAApfRHlbN0y83hKv7c0I7g +zWTMRs8X8ar5Gd7d4O5jpC4PAaZ1ozSDoE06U5im6YMLaJy/0QYvf5EQBMvLdeoc +d1vl17JYKYqYzcX2dvayikrfiglFqDaZZ66yJPBSuiyNhXpPkbXsOoyyTPtV/0Bh +eKIQiQyJID5aZtR7D4fBAzKdp5wB9KLQXBZ80hrwqrIuy+ME0tFaBWYBi8dzQ1iq +/E3Qz0USfGmxPMm8y/zRqsDvxZCRiSuvzBkOXbGMdA== +-----END CERTIFICATE----- diff --git a/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-corporate-light-02.20140905-20240905.SerNo153B49.cer b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-corporate-light-02.20140905-20240905.SerNo153B49.cer Binary files differnew file mode 100644 index 000000000..e4bd48dac --- /dev/null +++ b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-corporate-light-02.20140905-20240905.SerNo153B49.cer diff --git a/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-premium-sig-02.20140701-20240701.SerNo144e10.cer b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-premium-sig-02.20140701-20240701.SerNo144e10.cer Binary files differnew file mode 100644 index 000000000..74c4ce3b8 --- /dev/null +++ b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-premium-sig-02.20140701-20240701.SerNo144e10.cer diff --git a/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-premium-sig-03.20140701-20240701.SerNo144e13.cer b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-premium-sig-03.20140701-20240701.SerNo144e13.cer Binary files differnew file mode 100644 index 000000000..6c50ec079 --- /dev/null +++ b/id/server/data/deploy/conf/moa-spss/certstore/toBeAdded/a-sign-premium-sig-03.20140701-20240701.SerNo144e13.cer diff --git a/id/server/data/deploy/conf/moa-spss/trustProfiles/MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten/a-sign-Premium-Test-Sig-02.20141124-20241118.SerNo3969edc1.cer b/id/server/data/deploy/conf/moa-spss/trustProfiles/MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten/a-sign-Premium-Test-Sig-02.20141124-20241118.SerNo3969edc1.cer Binary files differnew file mode 100644 index 000000000..1bb449441 --- /dev/null +++ b/id/server/data/deploy/conf/moa-spss/trustProfiles/MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten/a-sign-Premium-Test-Sig-02.20141124-20241118.SerNo3969edc1.cer diff --git a/id/server/data/deploy/conf/moa-spss/trustProfiles/MOAIDBuergerkartePersonenbindungMitTestkarten/a-sign-corporate-light-02.20140905-20240905.SerNo153B49.cer b/id/server/data/deploy/conf/moa-spss/trustProfiles/MOAIDBuergerkartePersonenbindungMitTestkarten/a-sign-corporate-light-02.20140905-20240905.SerNo153B49.cer Binary files differnew file mode 100644 index 000000000..e4bd48dac --- /dev/null +++ b/id/server/data/deploy/conf/moa-spss/trustProfiles/MOAIDBuergerkartePersonenbindungMitTestkarten/a-sign-corporate-light-02.20140905-20240905.SerNo153B49.cer diff --git a/id/server/data/deploy/conf/moa-spss/trustProfiles/MOAIDBuergerkartePersonenbindungOhneTestkarten/a-sign-corporate-light-02.20140905-20240905.SerNo153B49.cer b/id/server/data/deploy/conf/moa-spss/trustProfiles/MOAIDBuergerkartePersonenbindungOhneTestkarten/a-sign-corporate-light-02.20140905-20240905.SerNo153B49.cer Binary files differnew file mode 100644 index 000000000..e4bd48dac --- /dev/null +++ b/id/server/data/deploy/conf/moa-spss/trustProfiles/MOAIDBuergerkartePersonenbindungOhneTestkarten/a-sign-corporate-light-02.20140905-20240905.SerNo153B49.cer diff --git a/id/server/idserverlib/.gitignore b/id/server/idserverlib/.gitignore index ea8c4bf7f..19f2e002c 100644 --- a/id/server/idserverlib/.gitignore +++ b/id/server/idserverlib/.gitignore @@ -1 +1,2 @@ /target +/target diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SchemaValidationException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SchemaValidationException.java new file mode 100644 index 000000000..fc4ed1f28 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SchemaValidationException.java @@ -0,0 +1,52 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; + +/** + * @author tlenz + * + */ +public class SchemaValidationException extends PVP2Exception { + + /** + * + */ + private static final long serialVersionUID = 1L; + + /** + * @param messageId + * @param parameters + */ + public SchemaValidationException(String messageId, Object[] parameters) { + super(messageId, parameters); + } + + /** + * @param messageId + * @param parameters + */ + public SchemaValidationException(String messageId, Object[] parameters, Throwable e) { + super(messageId, parameters, e); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index cba64e080..12afa14bc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -57,6 +57,7 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataFilterChain; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -324,6 +325,7 @@ public class MOAMetadataProvider implements MetadataProvider { private MetadataFilterChain buildMetadataFilterChain(OnlineApplication oa, String metadataURL, byte[] certificate) throws CertificateException { MetadataFilterChain filterChain = new MetadataFilterChain(metadataURL, certificate); + filterChain.getFilters().add(new SchemaValidationFilter()); if (oa.isIsInterfederationIDP() != null && oa.isIsInterfederationIDP()) { Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies"); @@ -374,6 +376,8 @@ public class MOAMetadataProvider implements MetadataProvider { httpProvider.setMetadataFilter(filter); httpProvider.initialize(); + httpProvider.setRequireValidMetadata(true); + return httpProvider; } catch (Throwable e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java index 2247ad227..257f9dac4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java @@ -25,14 +25,20 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.verification; import java.util.ArrayList; import java.util.List; +import javax.xml.transform.dom.DOMSource; +import javax.xml.validation.Schema; +import javax.xml.validation.Validator; + import org.joda.time.DateTime; import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.common.xml.SAMLSchemaBuilder; import org.opensaml.saml2.core.Conditions; import org.opensaml.saml2.core.EncryptedAssertion; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.core.StatusResponseType; +import org.opensaml.saml2.core.validator.AuthnRequestSchemaValidator; import org.opensaml.saml2.encryption.Decrypter; import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver; import org.opensaml.saml2.metadata.IDPSSODescriptor; @@ -51,11 +57,14 @@ import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver; import org.opensaml.xml.security.x509.X509Credential; import org.opensaml.xml.signature.SignatureTrustEngine; import org.opensaml.xml.validation.ValidationException; +import org.w3c.dom.Element; +import org.xml.sax.SAXException; import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; @@ -81,9 +90,15 @@ public class SAMLVerificationEngine { SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator(); try { profileValidator.validate(samlObj.getSignature()); + performSchemaValidation(samlObj.getDOM()); + } catch (ValidationException e) { - // Indicates signature did not conform to SAML Signature profile - e.printStackTrace(); + Logger.warn("Signature is not conform to SAML signature profile", e); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); + + } catch (SchemaValidationException e) { + throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}); + } CriteriaSet criteriaSet = new CriteriaSet(); @@ -103,12 +118,17 @@ public class SAMLVerificationEngine { public void verifyRequest(RequestAbstractType samlObj, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception { SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator(); - try { - profileValidator.validate(samlObj.getSignature()); + profileValidator.validate(samlObj.getSignature()); + performSchemaValidation(samlObj.getDOM()); + } catch (ValidationException e) { - // Indicates signature did not conform to SAML Signature profile - e.printStackTrace(); + Logger.warn("Signature is not conform to SAML signature profile", e); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); + + } catch (SchemaValidationException e) { + throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}); + } CriteriaSet criteriaSet = new CriteriaSet(); @@ -173,7 +193,10 @@ public class SAMLVerificationEngine { List<org.opensaml.saml2.core.Assertion> validatedassertions = new ArrayList<org.opensaml.saml2.core.Assertion>(); for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) { - Conditions conditions = saml2assertion.getConditions(); + try { + performSchemaValidation(saml2assertion.getDOM()); + + Conditions conditions = saml2assertion.getConditions(); DateTime notbefore = conditions.getNotBefore().minusMinutes(5); DateTime notafter = conditions.getNotOnOrAfter(); if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) { @@ -181,12 +204,16 @@ public class SAMLVerificationEngine { + "{ Current : " + new DateTime() + " NotBefore: " + notbefore + " NotAfter : " + notafter - + " }"); + + " }");; - } else { - validatedassertions.add(saml2assertion); + } else { + validatedassertions.add(saml2assertion); + + } + + } catch (SchemaValidationException e) { - } + } } if (validatedassertions.isEmpty()) { @@ -217,4 +244,35 @@ public class SAMLVerificationEngine { throw new AssertionValidationExeption("pvp.12", null, e); } } + + private static void performSchemaValidation(Element source) throws SchemaValidationException { + + String err = null; + try { + Schema test = SAMLSchemaBuilder.getSAML11Schema(); + Validator val = test.newValidator(); + val.validate(new DOMSource(source)); + Logger.debug("Schema validation check done OK"); + return; + + } catch (SAXException e) { + err = e.getMessage(); + if (Logger.isDebugEnabled() || Logger.isTraceEnabled()) + Logger.warn("Schema validation FAILED with exception:", e); + else + Logger.warn("Schema validation FAILED with message: "+ e.getMessage()); + + } catch (Exception e) { + err = e.getMessage(); + if (Logger.isDebugEnabled() || Logger.isTraceEnabled()) + Logger.warn("Schema validation FAILED with exception:", e); + else + Logger.warn("Schema validation FAILED with message: "+ e.getMessage()); + + } + + throw new SchemaValidationException("pvp2.22", new Object[]{err}); + + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java index 3d608fd6d..4d9b97a52 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java @@ -26,7 +26,6 @@ import org.opensaml.saml2.metadata.provider.FilterException; import org.opensaml.saml2.metadata.provider.MetadataFilter; import org.opensaml.xml.XMLObject; -import at.gv.egovernment.moa.id.commons.db.dao.config.InterfederationIDPType; import at.gv.egovernment.moa.id.commons.validation.ValidationHelper; import at.gv.egovernment.moa.logging.Logger; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java new file mode 100644 index 000000000..403b68524 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java @@ -0,0 +1,103 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; + +import java.io.IOException; + +import org.opensaml.saml2.metadata.provider.FilterException; +import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.xml.XMLObject; + +import javax.xml.transform.dom.DOMSource; +import javax.xml.validation.Schema; +import javax.xml.validation.Validator; + +import org.opensaml.common.xml.SAMLSchemaBuilder; + +import org.xml.sax.SAXException; + +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class SchemaValidationFilter implements MetadataFilter { + + private boolean isActive = true; + + public SchemaValidationFilter() { + + } + + /** + * + */ + public SchemaValidationFilter(boolean useSchemaValidation) { + this.isActive = useSchemaValidation; + } + + + /* (non-Javadoc) + * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject) + */ + @Override + public void doFilter(XMLObject arg0) throws FilterException { + + String errString = null; + + if (isActive) { + try { + Schema test = SAMLSchemaBuilder.getSAML11Schema(); + Validator val = test.newValidator(); + DOMSource source = new DOMSource(arg0.getDOM()); + val.validate(source); + Logger.info("Metadata Schema validation check done OK"); + return; + + } catch (SAXException e) { + if (Logger.isDebugEnabled() || Logger.isTraceEnabled()) + Logger.warn("Metadata Schema validation FAILED with exception:", e); + else + Logger.warn("Metadata Schema validation FAILED with message: "+ e.getMessage()); + + errString = e.getMessage(); + + } catch (Exception e) { + if (Logger.isDebugEnabled() || Logger.isTraceEnabled()) + Logger.warn("Metadata Schema validation FAILED with exception:", e); + else + Logger.warn("Metadata Schema validation FAILED with message: "+ e.getMessage()); + + errString = e.getMessage(); + + } + + throw new FilterException("Metadata Schema validation FAILED with message: "+ errString); + + } else + Logger.info("Metadata Schema validation check is DEACTIVATED!"); + + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java index 15b2a89b5..ab8d19803 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java @@ -56,6 +56,7 @@ import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.TransformerException;
import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.httpclient.HostConfiguration;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.PostMethod;
import org.apache.commons.httpclient.methods.StringRequestEntity;
diff --git a/id/server/idserverlib/src/test/java/test/tlenz/simpletest.java b/id/server/idserverlib/src/test/java/test/tlenz/simpletest.java index ec908f78b..549eb4f2b 100644 --- a/id/server/idserverlib/src/test/java/test/tlenz/simpletest.java +++ b/id/server/idserverlib/src/test/java/test/tlenz/simpletest.java @@ -1,3 +1,8 @@ +package test.tlenz; + +import at.gv.egovernment.moa.id.data.AuthenticationRole; +import at.gv.egovernment.moa.id.data.AuthenticationRoleFactory; + /******************************************************************************* * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal @@ -38,12 +43,19 @@ //import at.gv.egovernment.moa.id.storage.AssertionStorage; //import at.gv.egovernment.moa.util.MiscUtil; // -//public class simpletest { +public class simpletest { // -// public static void main(String[] args) { + public static void main(String[] args) { + + AuthenticationRole test = AuthenticationRoleFactory.buildFormPVPole("ecas-demo-EUROPEAN_COMMISSION(key=A\\,B)"); + + test = AuthenticationRoleFactory.buildFormPVPole("ecas-demo-EUROPEAN_COMMISSION"); + test = AuthenticationRoleFactory.buildFormPVPole("ecas-demo-EUROPEAN_COMMISSION(key=A)"); + test = AuthenticationRoleFactory.buildFormPVPole("ecas-demo-EUROPEAN_COMMISSION(keyA=A,keyB=B)"); + // // System.setProperty("mandates.configuration", "D:/Projekte/svn/moa-id/moa-id.properties"); -// String propertiesFileLocation = System.getProperty("mandates.configuration"); +// String propertiesFileLocation = Systm.getProperty("mandates.configuration"); // // MiscUtil.assertNotNull(propertiesFileLocation, "propertiesFileName"); // File propertiesFile = new File(propertiesFileLocation); @@ -95,5 +107,5 @@ // // // -// } -//} + } +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/ConfigurationDBRead.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/ConfigurationDBRead.java index a3f445fcf..6efdd6223 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/ConfigurationDBRead.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/ConfigurationDBRead.java @@ -152,7 +152,7 @@ public class ConfigurationDBRead { if (result.size() == 0) { Logger.trace("No entries found. Create fresh instance."); - return new MOAIDConfiguration(); + return null; } return (MOAIDConfiguration) result.get(0); |