From 3c7e34f087687f886590071f5811d80f223fc3d1 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Thu, 8 Aug 2019 07:40:20 +0200
Subject: re-add configuration parameter to disable 'targetFriendlyName'
 validation in signed AuthBlock

---
 .../moa/id/auth/AuthenticationServer.java            |  8 ++++++--
 .../tasks/VerifyAuthenticationBlockTask.java         |  7 ++++++-
 .../CreateXMLSignatureResponseValidator.java         | 20 +++++++++++++++-----
 3 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index a500a7c93..348c204bf 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -20,6 +20,7 @@ import org.apache.xpath.XPathAPI;
 import org.opensaml.xml.util.Base64;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
+import org.springframework.util.Base64Utils;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
@@ -69,6 +70,7 @@ import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
 import at.gv.egovernment.moa.id.commons.api.exceptions.BKUException;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.config.ConfigurationProviderImpl;
 import at.gv.egovernment.moa.id.logging.SpecificTraceLogger;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.logging.Logger;
@@ -448,7 +450,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 		.build(authBlock, oaParam.getKeyBoxIdentifier(),
 				transformsInfos);
 		
-		SpecificTraceLogger.trace("Req. Authblock: " + createXMLSignatureRequest);
+		SpecificTraceLogger.trace("Req. Authblock: " + Base64Utils.encodeToString(createXMLSignatureRequest.getBytes()));
 		SpecificTraceLogger.trace("OA config: " + pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class).toString());
 		SpecificTraceLogger.trace("saml1RequestedTarget: " + pendingReq.getRawData(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class));
 		SpecificTraceLogger.trace("saml1RequestedFriendlyName: " + pendingReq.getRawData(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, String.class));	
@@ -965,7 +967,9 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 			new CreateXMLSignatureResponseValidator().validateSSO(csresp, session, pendingReq);
 		
 		else
-			new CreateXMLSignatureResponseValidator().validate(csresp, session, pendingReq);
+			new CreateXMLSignatureResponseValidator().validate(csresp, session, pendingReq, 
+					authConfig.getBasicConfigurationBoolean(
+							ConfigurationProviderImpl.VALIDATION_AUTHBLOCK_TARGETFRIENDLYNAME, true));
 
 		// builds a <VerifyXMLSignatureRequest> for a MOA-SPSS call
 		List<String> vtids = authConfig.getMoaSpAuthBlockVerifyTransformsInfoIDs();
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java
index c8b562282..9b9b76ffc 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java
@@ -12,6 +12,7 @@ import org.apache.commons.fileupload.FileUploadException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.stereotype.Component;
+import org.springframework.util.Base64Utils;
 
 import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
 import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
@@ -21,6 +22,7 @@ import at.gv.egovernment.moa.id.auth.AuthenticationServer;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionWrapper;
 import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.logging.SpecificTraceLogger;
 import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 import at.gv.egovernment.moa.logging.Logger;
 
@@ -80,7 +82,10 @@ public class VerifyAuthenticationBlockTask extends AbstractAuthServletTask {
 	    }
 	    
 	    String createXMLSignatureResponse = (String)parameters.get(PARAM_XMLRESPONSE);
-	    		
+		if (createXMLSignatureResponse != null)
+			SpecificTraceLogger.trace("Raw signed AuthBlock: " + Base64Utils.encodeToString(createXMLSignatureResponse.getBytes()));
+	
+	    
 		try {
 			//check if authblock is received
 			if (!ParamValidatorUtils.isValidXMLDocument(createXMLSignatureResponse))
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
index 78d999971..49b2d2032 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -54,6 +54,7 @@ import java.util.List;
 import javax.xml.bind.DatatypeConverter;
 
 import org.jaxen.SimpleNamespaceContext;
+import org.springframework.util.Base64Utils;
 import org.w3c.dom.Element;
 
 import at.gv.egiz.eaaf.core.api.IRequest;
@@ -131,12 +132,13 @@ public class CreateXMLSignatureResponseValidator {
    * The Method validate is used for validating an explicit {@link CreateXMLSignatureResponse}
    * @param createXMLSignatureResponse
    * @param session
- * @param pendingReq 
+   * @param pendingReq
+   * @param validateTargetFriendlyName 
    * @throws ValidateException
  * @throws BuildException 
  * @throws ConfigurationException 
    */
-  public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq)
+  public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, IAuthenticationSession session, IRequest pendingReq, boolean validateTargetFriendlyName)
    throws ValidateException, BuildException, ConfigurationException, EAAFBuilderException {
       // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier
     IOAAuthParameters oaParam = pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class);
@@ -273,8 +275,16 @@ public class CreateXMLSignatureResponseValidator {
 	    			}
 	    			
 	    			String refValueSector = userSectorId.getSecond().substring(MOAIDAuthConstants.PREFIX_CDID.length()) + " (" + sectorName + ")";
-	    			if (!refValueSector.equals((String)samlAttribute.getValue()))
-	    				throw new ValidateException("validator.13", new Object[] {(String)samlAttribute.getValue(), refValueSector});             
+	    			if (!refValueSector.equals((String)samlAttribute.getValue())) {
+	    				if (validateTargetFriendlyName)	    				
+	    					throw new ValidateException("validator.13", new Object[] {(String)samlAttribute.getValue(), refValueSector});
+	    				
+	    				else {
+	    					Logger.warn("AuthBlock 'TargetFriendlyName' " + samlAttribute.getValue() + " does not match to " + refValueSector);
+	    						    					
+	    				}
+	    				
+	    			}             
 	    	  
 	    		} else
 	    			throw new ValidateException("validator.12", null);
@@ -430,7 +440,7 @@ public class CreateXMLSignatureResponseValidator {
 	  
 	  } catch (Exception e) {
 		  SpecificTraceLogger.trace("Validate AuthBlock without SSO");
-		  SpecificTraceLogger.trace("Signed AuthBlock: " + session.getAuthBlock());
+		  SpecificTraceLogger.trace("Signed AuthBlock: " + Base64Utils.encodeToString(session.getAuthBlock().getBytes()));
 		  SpecificTraceLogger.trace("OA config: " + oaParam.toString());
 		  SpecificTraceLogger.trace("saml1RequestedTarget: " + saml1RequestedTarget);
 		  SpecificTraceLogger.trace("saml1RequestedFriendlyName: " + saml1RequestedFriendlyName);		  
-- 
cgit v1.2.3