From 3a55eb69e5fa94d0bcc43a1732850a14e524f6cc Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Tue, 21 Feb 2017 15:31:18 +0100
Subject: add support of additional eIDAS attributes by using a simple configuration file

---
 .../moa/id/auth/modules/eidas/Constants.java | 51 +++++++++++++---------
 .../eidas/engine/MOAEidasProtocolProcesser.java | 13 ++++--
 .../eidas/utils/MOAeIDASMetadataGenerator.java | 7 ++-
 .../auth/modules/eidas/utils/SAMLEngineUtils.java | 33 +++++++++++++-
 4 files changed, 77 insertions(+), 27 deletions(-)

diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
index 369d77863..eb5adcce1 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
@@ -22,14 +22,15 @@
 */
 package at.gv.egovernment.moa.id.auth.modules.eidas;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
 import org.apache.xml.security.signature.XMLSignature;
 import org.opensaml.xml.encryption.EncryptionConstants;
 import org.opensaml.xml.signature.SignatureConstants;
 //import eu.eidas.auth.engine.core.validator.eidas.EIDASAttributes;
-import eu.eidas.auth.commons.attribute.AttributeRegistries;
-import eu.eidas.auth.commons.attribute.AttributeRegistry;
-
 /**
 * @author tlenz
 * 
@@ -61,12 +62,16 @@ public class Constants {
 public static final String CONIG_PROPS_EIDAS_SAMLENGINE_SIGN_CONFIGFILE = CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX + "." + CONIG_PROPS_EIDAS_SAMLENGINE_SIGN + ".config.file";
 public static final String CONIG_PROPS_EIDAS_SAMLENGINE_ENC_CONFIGFILE = CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX + "."
- + CONIG_PROPS_EIDAS_SAMLENGINE_ENCRYPT + ".config.file";
+ + CONIG_PROPS_EIDAS_SAMLENGINE_ENCRYPT + ".config.file";
+ public static final String CONIG_PROPS_EIDAS_SAMLENGINE_ATTIONAL_ATTRIBUTE_DEFINITIONS =
+ CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX + ".attributes.addition.config";
 public static final String CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE = CONIG_PROPS_EIDAS_PREFIX + ".metadata.validation.truststore";
+ public static final String CONIG_PROPS_EIDAS_NODE_COUNTRYCODE = CONIG_PROPS_EIDAS_NODE + ".countrycode";
 public static final String CONIG_PROPS_EIDAS_NODE_COUNTRY = CONIG_PROPS_EIDAS_NODE + ".country";
- public static final String CONIG_PROPS_EIDAS_NODE_LoA = CONIG_PROPS_EIDAS_NODE + ".LoA";
+ public static final String CONIG_PROPS_EIDAS_NODE_LoA = CONIG_PROPS_EIDAS_NODE + ".LoA";
+ //timeouts and clock skews
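Review bot: The new key `CONIG_PROPS_EIDAS_SAMLENGINE_ATTIONAL_ATTRIBUTE_DEFINITIONS` misspells "ADDITIONAL", and unlike the neighbouring keys its value is a file location rather than a plain setting, which nothing on the declaration says. Because SAMLEngineUtils.java in this same patch resolves the value against the root configuration directory and loads attribute definitions from it, a one-line comment on the constant would save operators a trip through the code, e.g. `//location of a file with additional eIDAS attribute definitions; a relative path is resolved against the root configuration directory`. As far as this patch shows the only user is the new code in SAMLEngineUtils, so renaming it to `CONIG_PROPS_EIDAS_SAMLENGINE_ADDITIONAL_ATTRIBUTE_DEFINITIONS` now is cheap.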
@@ -115,21 +120,27 @@ public class Constants {
 // }
 // }
 // );
-
- public static final AttributeRegistry NAT_ATTR =
- AttributeRegistries.of( eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.PERSON_IDENTIFIER,
- eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.CURRENT_FAMILY_NAME,
- eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.CURRENT_GIVEN_NAME,
- eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.DATE_OF_BIRTH
- );
-
- public static final AttributeRegistry LEGAL_ATTR =
- AttributeRegistries.of( eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER,
- eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_NAME
- );
-
- public static final AttributeRegistry MOA_IDP_ATTR_REGISTRY =
- AttributeRegistries.copyOf(NAT_ATTR, LEGAL_ATTR);
+
+ //eIDAS attributes that can be provided by MOA-ID
+ public static final List MOA_IDP_SUPPORTED_eIDAS_ATTRIBUTES;
+ static {
+ List supportAttrList = new ArrayList();
+ //natural person attributes that can be provided by MOA-ID
+ supportAttrList.add(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.PERSON_IDENTIFIER.getNameUri().toString());
+ supportAttrList.add(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.CURRENT_FAMILY_NAME.getNameUri().toString());
+ supportAttrList.add(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.CURRENT_GIVEN_NAME.getNameUri().toString());
+ supportAttrList.add(eu.eidas.auth.engine.core.eidas.spec.NaturalPersonSpec.Definitions.DATE_OF_BIRTH.getNameUri().toString());
+
+ //legal person attributes that can be provided by MOA-ID
+ supportAttrList.add(eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri().toString());
+ supportAttrList.add(eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_NAME.getNameUri().toString());
+
+ //additionl person attributes that can be provided by MOA-ID
+ //supportAttrList.add("http://ehn/attributes/ehealth/patientidentifier");
+
+ MOA_IDP_SUPPORTED_eIDAS_ATTRIBUTES = Collections.unmodifiableList(supportAttrList);
+
+ }
 public static final String METADATA_ALLOWED_ALG_DIGIST =
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAEidasProtocolProcesser.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAEidasProtocolProcesser.java
index c24c5efca..8abf29703 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAEidasProtocolProcesser.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAEidasProtocolProcesser.java
@@ -22,7 +22,9 @@
 */
 package at.gv.egovernment.moa.id.auth.modules.eidas.engine;
+import eu.eidas.auth.commons.attribute.AttributeRegistry;
 import eu.eidas.auth.engine.core.eidas.EidasProtocolProcessor;
+import eu.eidas.auth.engine.core.eidas.spec.EidasSpec;
 import eu.eidas.auth.engine.metadata.MetadataFetcherI;
 import eu.eidas.auth.engine.metadata.MetadataSignerI;
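Review bot: `MOA_IDP_SUPPORTED_eIDAS_ATTRIBUTES` now holds attribute name URIs instead of definitions, but nothing on the declaration says that every entry must be resolvable by the protocol processor's registry (the core spec plus whatever the additional-attribute configuration file supplies), which is exactly how MOAeIDASMetadataGenerator.java in this patch consumes it. I would replace the one-line comment with `//name URIs of the eIDAS attributes MOA-ID can assert; every entry must be known to the protocol processor (EidasSpec registry or the configured additional definitions), since metadata generation looks each one up by URI`. The commented-out `supportAttrList.add("http://ehn/attributes/ehealth/patientidentifier")` line is dead code and belongs in the configuration file this commit introduces, not here; "additionl" in the comment above it is a typo. If the declaration really is the raw `List`/`ArrayList` shown here (the rendering may have dropped type arguments), declare it as `List<String>` so the consumer's `for (String attr : ...)` is type-checked.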
@@ -38,11 +40,14 @@ public class MOAEidasProtocolProcesser extends EidasProtocolProcessor {
 private final MetadataSignerI metadataSigner;
 /**
- * @param metadataFetcher
- * @param metadataSigner
+ * Build a MOA specific eIDAS-engine protocol processor
+ *
+ * @param metadataFetcher eIDAS-engine Metadata fetcher implementation
+ * @param metadataSigner eIDAS-engine Signer implementation
+ * @param addAttrDefinitions additinal eIDAS attributes
 */
- public MOAEidasProtocolProcesser(MetadataFetcherI metadataFetcher, MetadataSignerI metadataSigner) {
- super(metadataFetcher, metadataSigner);
+ public MOAEidasProtocolProcesser(MetadataFetcherI metadataFetcher, MetadataSignerI metadataSigner, AttributeRegistry addAttrDefinitions) {
+ super(EidasSpec.REGISTRY, addAttrDefinitions, metadataFetcher, metadataSigner);
 this.metadataFetcher = metadataFetcher;
 this.metadataSigner = metadataSigner;
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java
index 8faaf1874..1bebdebbf 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/MOAeIDASMetadataGenerator.java
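Review bot: The new `addAttrDefinitions` parameter is handed straight to `super(EidasSpec.REGISTRY, addAttrDefinitions, ...)` with no null check, and the Javadoc ("additinal eIDAS attributes", a typo) does not say whether null is allowed; the only caller in this patch passes `AttributeRegistries.empty()` when nothing is configured, which suggests it is not. I would state the contract, `@param addAttrDefinitions registry of attribute definitions beyond EidasSpec.REGISTRY, never null; pass AttributeRegistries.empty() when there are none`, and enforce it inside the super-call arguments, `super(EidasSpec.REGISTRY, Objects.requireNonNull(addAttrDefinitions, "addAttrDefinitions"), metadataFetcher, metadataSigner);` (needs `import java.util.Objects;`), so a misconfigured caller fails here rather than somewhere inside the engine. The constructor's closing brace lies outside the hunk.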
@@ -305,7 +305,12 @@ public class MOAeIDASMetadataGenerator extends MetadataGenerator {
 public ImmutableSortedSet> getAllSupportedAttributes() {
 ImmutableSortedSet.Builder> builder = new ImmutableSortedSet.Builder<>(Ordering.>natural());
- builder.addAll(Constants.MOA_IDP_ATTR_REGISTRY.getAttributes());
+
+ for (String attr : Constants.MOA_IDP_SUPPORTED_eIDAS_ATTRIBUTES) {
+ AttributeDefinition supAttr = params.getIdpEngine().getProtocolProcessor().getAttributeDefinitionNullable(attr);
+ builder.add(supAttr);
+ }
+
 return builder.build();
 }
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
index 70135c06f..edbecc4a0 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
@@ -23,6 +23,8 @@
 package at.gv.egovernment.moa.id.auth.modules.eidas.utils;
 import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.util.HashMap;
 import java.util.Map;
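Review bot: `getAttributeDefinitionNullable(attr)` can, as its name says, return null, and the very next line passes that result to `builder.add(supAttr)` on a Guava `ImmutableSortedSet.Builder`, which rejects null with a NullPointerException; one URI in `Constants.MOA_IDP_SUPPORTED_eIDAS_ATTRIBUTES` that the processor does not know (for example an additional attribute whose definition file is missing or mistyped) therefore aborts metadata generation with an error that never names the attribute. Check the lookup explicitly so the misconfiguration is reported, `if (supAttr == null) { throw new IllegalStateException("No eIDAS attribute definition registered for " + attr); }` before the `builder.add`. If unresolved entries are meant to be tolerated, log and `continue` instead, but either way the choice should be visible in the loop rather than left to the builder's null check.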
@@ -36,8 +38,13 @@ import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAEidasProtocolProces
 import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider;
 import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASMetadataProviderDecorator;
 import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.FileUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
 import eu.eidas.auth.commons.attribute.AttributeDefinition;
+import eu.eidas.auth.commons.attribute.AttributeRegistries;
+import eu.eidas.auth.commons.attribute.AttributeRegistry;
 import eu.eidas.auth.engine.ProtocolEngineI;
 import eu.eidas.auth.engine.SamlEngineSystemClock;
 import eu.eidas.auth.engine.metadata.MetadataFetcherI;
@@ -62,6 +69,7 @@ public class SAMLEngineUtils {
 if (eIDASEngine == null) {
 try {
+ //get eIDAS SAMLengine configuration from MOA-ID configuration
 CertificateConfigurationManager configManager = new MOAIDCertificateManagerConfigurationImpl();
@@ -70,12 +78,25 @@ public class SAMLEngineUtils {
 //set metadata signer
 metadataSigner = new MOAExtendedSWSigner(configManager);
-
+
+ //load additional eIDAS attribute definitions
+ String additionalAttributeConfigFile =
+ AuthConfigurationProviderFactory.getInstance().getBasicMOAIDConfiguration(
+ Constants.CONIG_PROPS_EIDAS_SAMLENGINE_ATTIONAL_ATTRIBUTE_DEFINITIONS);
+ AttributeRegistry addAttrDefinitions = AttributeRegistries.empty();
+ if (MiscUtil.isNotEmpty(additionalAttributeConfigFile)) {
+ URL addAttrConfigUrl = new URL(FileUtils.makeAbsoluteURL(
+ additionalAttributeConfigFile,
+ AuthConfigurationProviderFactory.getInstance().getRootConfigFileDir()));
+ addAttrDefinitions = AttributeRegistries.fromFile(addAttrConfigUrl.getPath());
+
+ }
+
 //build eIDAS SAML eninge
 ProtocolEngineI engine = MOAProtocolEngineFactory.createProtocolEngine(
 Constants.eIDAS_SAML_ENGINE_NAME,
 configManager,
- new MOAEidasProtocolProcesser(metadataFetcher, metadataSigner),
+ new MOAEidasProtocolProcesser(metadataFetcher, metadataSigner, addAttrDefinitions),
 new SamlEngineSystemClock());
 //build a map with all actually supported attributes
@@ -93,6 +114,14 @@ public class SAMLEngineUtils {
 Logger.error("eIDAS SAMLengine initialization FAILED!", e);
 throw new EIDASEngineException("eIDAS.00", new Object[]{e.getMessage()}, e);
+ } catch (at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException e) {
+ Logger.error("eIDAS SAMLengine initialization FAILED!", e);
+ throw new EIDASEngineException("eIDAS.00", new Object[]{e.getMessage()}, e);
+
+ } catch (MalformedURLException e) {
+ Logger.error("eIDAS SAMLengine initialization FAILED!", e);
+ throw new EIDASEngineException("eIDAS.00", new Object[]{e.getMessage()}, e);
+
 }
 }
-- 
cgit v1.2.3
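Review bot: `AttributeRegistries.fromFile(addAttrConfigUrl.getPath())` feeds the raw path component of a `URL` to a file-based loader: `URL.getPath()` neither decodes percent-escapes nor cares about the scheme, so if `FileUtils.makeAbsoluteURL` produces an encoded `file:` URL (I cannot see its contract from here) a configuration directory containing a space or a non-ASCII character resolves to a path that does not exist, and a non-file URL would silently be read as a local path. Converting through the URI, `addAttrDefinitions = AttributeRegistries.fromFile(new File(addAttrConfigUrl.toURI()).getPath());`, handles both (it needs `java.io.File` and a `URISyntaxException` clause next to the new `MalformedURLException` one); at minimum, reject anything but `"file".equals(addAttrConfigUrl.getProtocol())` before the call. A short comment that this file extends the attribute registry the IdP advertises in its metadata, e.g. `//definitions loaded here become part of the attributes MOA-ID advertises and accepts`, would also make the operator-facing impact of a typo in that file obvious. The enclosing try block and method start and end outside the hunk.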
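Review bot: The two new catch clauses in the second hunk (`@@ -93,6 +114,14 @@`) repeat the preceding clause's body verbatim, same log text and same error code "eIDAS.00", so the three branches carry no information the cause chain does not already give. The module already uses the diamond operator, so Java 7 multi-catch is available: `} catch (ConfigurationException | MalformedURLException e) {` with a single body, after replacing the fully qualified `at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException` in the catch with an import as the rest of this file does for its types. Whether the earlier, pre-existing clause can join the same multi-catch depends on its exception type, which starts outside the hunk.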