From 5acd1d23f3702d8899f531e823da68cd9fccaaa4 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Mon, 2 Jul 2018 18:08:04 +0200
Subject: update auth. module for central eIDAS node connection
---
id/server/auth-edu/pom.xml | 4 +
id/server/auth-final/pom.xml | 5 +
.../pvp2x/validation/AuthnRequestValidator.java | 78 +++++
.../main/resources/moaid.authentication.beans.xml | 3 +
.../moa-id-module-AT_eIDAS_connector/pom.xml | 59 ++++
.../EidasCentralAuthConstants.java | 93 ++++++
.../EidasCentralAuthModuleImpl.java | 92 ++++++
.../EidasCentralAuthSpringResourceProvider.java | 63 ++++
.../EidasCentralAuthMetadataConfiguration.java | 355 +++++++++++++++++++++
...idasCentralAuthRequestBuilderConfiguration.java | 262 +++++++++++++++
.../EidasCentralAuthMetadataController.java | 133 ++++++++
.../EidasCentralAuthSignalController.java | 67 ++++
.../tasks/CreateAuthnRequestTask.java | 164 ++++++++++
.../tasks/ReceiveAuthnResponseTask.java | 272 ++++++++++++++++
.../utils/EidasCentralAuthCredentialProvider.java | 124 +++++++
.../utils/EidasCentralAuthMetadataProvider.java | 345 ++++++++++++++++++++
...iz.components.spring.api.SpringResourceProvider | 1 +
.../resources/eIDAS_central_node_auth.process.xml | 17 +
.../moaid_eIDAS_central_node_auth.beans.xml | 41 +++
.../eidas/attributes/builder/eIDASMetadata.java | 5 +
.../ELGAMandatesRequestBuilderConfiguration.java | 13 +-
.../FederatedAuthnRequestBuilderConfiguration.java | 13 +-
id/server/modules/pom.xml | 1 +
pom.xml | 6 +
24 files changed, 2214 insertions(+), 2 deletions(-)
create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java
create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/pom.xml
create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java
create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthModuleImpl.java
create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthSpringResourceProvider.java
create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java
create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthRequestBuilderConfiguration.java
create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java
create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthSignalController.java
create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java
create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java
create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthCredentialProvider.java
create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java
create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider
create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/eIDAS_central_node_auth.process.xml
create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/moaid_eIDAS_central_node_auth.beans.xml
create mode 100644 id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASMetadata.java
diff --git a/id/server/auth-edu/pom.xml b/id/server/auth-edu/pom.xml
index 455278edd..8f4ab662e 100644
--- a/id/server/auth-edu/pom.xml
+++ b/id/server/auth-edu/pom.xml
@@ -213,6 +213,10 @@
<artifactId>moa-id-module-sl20_authentication</artifactId>
</dependency>
+ <dependency>
+ <groupId>MOA.id.server.modules</groupId>
+ <artifactId>moa-id-module-AT_eIDAS_connector</artifactId>
+ </dependency>
<!--
<dependency>
diff --git a/id/server/auth-final/pom.xml b/id/server/auth-final/pom.xml
index 4f5f219a1..15208bb47 100644
--- a/id/server/auth-final/pom.xml
+++ b/id/server/auth-final/pom.xml
@@ -165,6 +165,11 @@
<artifactId>moa-id-modul-citizencard_authentication</artifactId>
</dependency>
+ <dependency>
+ <groupId>MOA.id.server.modules</groupId>
+ <artifactId>moa-id-module-AT_eIDAS_connector</artifactId>
+ </dependency>
+
<!--dependency>
<groupId>MOA.id.server.modules</groupId>
<artifactId>moa-id-modules-federated_authentication</artifactId>
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java
new file mode 100644
index 000000000..b42a1de28
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java
@@ -0,0 +1,78 @@
+/*******************************************************************************
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.pvp2x.validation;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.core.NameID;
+import org.opensaml.saml2.core.NameIDPolicy;
+import org.opensaml.saml2.metadata.AttributeConsumingService;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.springframework.stereotype.Service;
+
+import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException;
+import at.gv.egiz.eaaf.modules.pvp2.api.validation.IAuthnRequestValidator;
+import at.gv.egiz.eaaf.modules.pvp2.exception.NameIDFormatNotSupportedException;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.MandateAttributesNotHandleAbleException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.CheckMandateAttributes;
+import at.gv.egovernment.moa.logging.Logger;
+
+
+/**
+ * @author tlenz
+ *
+ */
+@Service("MOAAuthnRequestValidator")
+public class AuthnRequestValidator implements IAuthnRequestValidator {
+
+ public void validate(HttpServletRequest httpReq, IRequest pendingReq, AuthnRequest authnReq, SPSSODescriptor spSSODescriptor) throws AuthnRequestValidatorException{
+
+ //validate NameIDPolicy
+ NameIDPolicy nameIDPolicy = authnReq.getNameIDPolicy();
+ if (nameIDPolicy != null) {
+ String nameIDFormat = nameIDPolicy.getFormat();
+ if (nameIDFormat != null) {
+ if ( !(NameID.TRANSIENT.equals(nameIDFormat) ||
+ NameID.PERSISTENT.equals(nameIDFormat) ||
+ NameID.UNSPECIFIED.equals(nameIDFormat)) ) {
+
+ throw new NameIDFormatNotSupportedException(nameIDFormat);
+
+ }
+
+ } else
+ Logger.trace("Find NameIDPolicy, but NameIDFormat is 'null'");
+ } else
+ Logger.trace("AuthnRequest includes no 'NameIDPolicy'");
+
+ //select AttributeConsumingService from request
+ AttributeConsumingService attributeConsumer = null;
+ Integer aIdx = authnReq.getAttributeConsumingServiceIndex();
+ int attributeIdx = 0;
+
+ if(aIdx != null) {
+ attributeIdx = aIdx.intValue();
+ }
+
+ if (spSSODescriptor.getAttributeConsumingServices() != null &&
+ spSSODescriptor.getAttributeConsumingServices().size() > 0) {
+ attributeConsumer = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx);
+ }
+
+ String useMandate = httpReq.getParameter(MOAIDAuthConstants.PARAM_USEMANDATE);
+ if(useMandate != null) {
+ if(useMandate.equals("true") && attributeConsumer != null) {
+ if(!CheckMandateAttributes.canHandleMandate(attributeConsumer)) {
+ MandateAttributesNotHandleAbleException e = new MandateAttributesNotHandleAbleException();
+ throw new AuthnRequestValidatorException(e.getErrorId(), e.getParams(), e.getMessage(), pendingReq, e);
+ }
+ }
+ }
+
+
+ }
+
+}
diff --git a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml
index 5ccacf350..a0bf1e86c 100644
--- a/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml
+++ b/id/server/idserverlib/src/main/resources/moaid.authentication.beans.xml
@@ -46,6 +46,9 @@
</property>
</bean>
+ <bean id="MOAAuthnRequestValidator"
+ class="at.gv.egovernment.moa.id.protocols.pvp2x.validation.AuthnRequestValidator" />
+
<bean id="MOAID_AuthenticationManager"
class="at.gv.egovernment.moa.id.moduls.AuthenticationManager"/>
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/pom.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/pom.xml
new file mode 100644
index 000000000..c340f90c9
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/pom.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0"?>
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>MOA.id.server.modules</groupId>
+ <artifactId>moa-id-modules</artifactId>
+ <version>${moa-id-version}</version>
+ </parent>
+ <artifactId>moa-id-module-AT_eIDAS_connector</artifactId>
+ <name>moa-id-module-AT_eIDAS_connector</name>
+ <url>http://maven.apache.org</url>
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ <repositoryPath>${basedir}/../../../../repository</repositoryPath>
+ </properties>
+
+ <profiles>
+ <profile>
+ <id>default</id>
+ <activation>
+ <activeByDefault>true</activeByDefault>
+ </activation>
+ <repositories>
+ <repository>
+ <id>local</id>
+ <name>local</name>
+ <url>file:${basedir}/../../../../repository</url>
+ </repository>
+ <repository>
+ <id>egiz-commons</id>
+ <url>https://demo.egiz.gv.at/int-repo/</url>
+ <releases>
+ <enabled>true</enabled>
+ </releases>
+ </repository>
+ </repositories>
+ </profile>
+ </profiles>
+
+ <dependencies>
+ <dependency>
+ <groupId>MOA.id.server</groupId>
+ <artifactId>moa-id-lib</artifactId>
+ </dependency>
+
+
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-test</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+</project>
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java
new file mode 100644
index 000000000..e8694383f
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java
@@ -0,0 +1,93 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import at.gv.egiz.eaaf.core.api.data.EAAFConstants;
+import at.gv.egiz.eaaf.core.impl.data.Trible;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+
+/**
+ * @author tlenz
+ *
+ */
+public class EidasCentralAuthConstants {
+
+ public static final String MODULE_NAME_FOR_LOGGING = "eIDAS central authentication";
+
+ public static final int METADATA_VALIDUNTIL_IN_HOURS = 24;
+
+ public static final String HTTP_PARAM_CENTRAL_EIDAS_AUTH_SELECTION = "useeIDAS";
+
+ public static final String ENDPOINT_POST = "/sp/eidas/post";
+ public static final String ENDPOINT_REDIRECT = "/sp/eidas/redirect";
+ public static final String ENDPOINT_METADATA = "/sp/eidas/metadata";
+
+ public static final String CONFIG_PROPS_PREFIX = "modules.eidascentralauth.";
+ public static final String CONFIG_PROPS_KEYSTORE = CONFIG_PROPS_PREFIX + "keystore.path";
+ public static final String CONFIG_PROPS_KEYSTOREPASSWORD = CONFIG_PROPS_PREFIX + "keystore.password";
+ public static final String CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "metadata.sign.password";
+ public static final String CONFIG_PROPS_SIGN_METADATA_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "metadata.sign.alias";
+ public static final String CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "request.sign.password";
+ public static final String CONFIG_PROPS_SIGN_SIGNING_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "request.sign.alias";
+ public static final String CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.password";
+ public static final String CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.alias";
+ public static final String CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST = CONFIG_PROPS_PREFIX + "required.additinal.attributes";
+ public static final String CONFIG_PROPS_NODE_ENTITYID = CONFIG_PROPS_PREFIX + "node.entityId";
+ public static final String CONFIG_PROPS_NODE_METADATAURL = CONFIG_PROPS_PREFIX + "node.metadataUrl";
+ public static final String CONFIG_PROPS_NODE_TRUSTPROFILEID = CONFIG_PROPS_PREFIX + "node.trustprofileID";
+
+
+ public static final String CONFIG_DEFAULT_LOA_EIDAS_LEVEL = EAAFConstants.EIDAS_QAA_HIGH;
+ public static final List<Trible<String, String, Boolean>> DEFAULT_REQUIRED_PVP_ATTRIBUTES =
+ Collections.unmodifiableList(new ArrayList<Trible<String, String, Boolean>>() {
+ private static final long serialVersionUID = 1L;
+ {
+ //add PVP Version attribute
+ add(Trible.newInstance(PVPConstants.PVP_VERSION_NAME, PVPConstants.PVP_VERSION_FRIENDLY_NAME, true));
+
+ //request entity information
+ add(Trible.newInstance(PVPConstants.GIVEN_NAME_NAME, PVPConstants.GIVEN_NAME_FRIENDLY_NAME, true));
+ add(Trible.newInstance(PVPConstants.PRINCIPAL_NAME_NAME, PVPConstants.PRINCIPAL_NAME_FRIENDLY_NAME, true));
+ add(Trible.newInstance(PVPConstants.BIRTHDATE_NAME, PVPConstants.BIRTHDATE_FRIENDLY_NAME, true));
+ add(Trible.newInstance(PVPConstants.BPK_NAME, PVPConstants.BPK_FRIENDLY_NAME, true));
+ add(Trible.newInstance(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME, PVPConstants.EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, true));
+ add(Trible.newInstance(PVPConstants.EID_CITIZEN_EIDAS_QAA_LEVEL_NAME, PVPConstants.EID_CITIZEN_EIDAS_QAA_LEVEL_FRIENDLY_NAME, true));
+ add(Trible.newInstance(PVPConstants.EID_ISSUING_NATION_NAME, PVPConstants.EID_ISSUING_NATION_FRIENDLY_NAME, true));
+ }
+ });
+
+ public static final List<String> DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES =
+ Collections.unmodifiableList(new ArrayList<String>() {
+ private static final long serialVersionUID = 1L;
+ {
+ for (Trible<String, String, Boolean> el : DEFAULT_REQUIRED_PVP_ATTRIBUTES)
+ add(el.getFirst());
+ }
+ });
+}
+
+
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthModuleImpl.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthModuleImpl.java
new file mode 100644
index 000000000..f1bec9dac
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthModuleImpl.java
@@ -0,0 +1,92 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth;
+
+import java.io.Serializable;
+
+import javax.annotation.PostConstruct;
+
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+
+import at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule;
+import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
+import at.gv.egovernment.moa.id.moduls.AuthenticationManager;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class EidasCentralAuthModuleImpl implements AuthModule {
+
+ @Autowired(required=true) private AuthenticationManager authManager;
+
+ @PostConstruct
+ protected void initalCentralEidasAuthentication() {
+ //parameter to whiteList
+ authManager.addParameterNameToWhiteList(EidasCentralAuthConstants.HTTP_PARAM_CENTRAL_EIDAS_AUTH_SELECTION);
+
+ }
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#getPriority()
+ */
+ @Override
+ public int getPriority() {
+ // TODO Auto-generated method stub
+ return 0;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#selectProcess(at.gv.egovernment.moa.id.process.api.ExecutionContext)
+ */
+ @Override
+ public String selectProcess(ExecutionContext context) {
+ Serializable paramObj = context.get(EidasCentralAuthConstants.HTTP_PARAM_CENTRAL_EIDAS_AUTH_SELECTION);
+ if (paramObj instanceof String) {
+ String param = (String)paramObj;
+ if (StringUtils.isNotEmpty(param) && Boolean.parseBoolean(param)) {
+ Logger.debug("Centrial eIDAS authentication process selected ");
+ return "centrialEidasAuthentication";
+
+ } else
+ Logger.trace(EidasCentralAuthConstants.HTTP_PARAM_CENTRAL_EIDAS_AUTH_SELECTION
+ + " is empty or has value: " + Boolean.parseBoolean(param));
+
+ } else
+ Logger.info("Find suspect http param '" + EidasCentralAuthConstants.HTTP_PARAM_CENTRAL_EIDAS_AUTH_SELECTION
+ + "' of type: " + paramObj.getClass().getName());
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#getProcessDefinitions()
+ */
+ @Override
+ public String[] getProcessDefinitions() {
+ return new String[] { "classpath:eIDAS_central_node_auth.process.xml" };
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthSpringResourceProvider.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthSpringResourceProvider.java
new file mode 100644
index 000000000..beaaee619
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthSpringResourceProvider.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth;
+
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
+
+import at.gv.egiz.components.spring.api.SpringResourceProvider;
+
+/**
+ * @author tlenz
+ *
+ */
+public class EidasCentralAuthSpringResourceProvider implements SpringResourceProvider {
+
+ /* (non-Javadoc)
+ * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getResourcesToLoad()
+ */
+ @Override
+ public Resource[] getResourcesToLoad() {
+ ClassPathResource federationAuthConfig = new ClassPathResource("/moaid_eIDAS_central_node_auth.beans.xml", EidasCentralAuthSpringResourceProvider.class);
+
+ return new Resource[] {federationAuthConfig};
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getPackagesToScan()
+ */
+ @Override
+ public String[] getPackagesToScan() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getName()
+ */
+ @Override
+ public String getName() {
+ return "MOA-ID Auth-module 'central eIDAS Authentication'";
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java
new file mode 100644
index 000000000..aad1244f1
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java
@@ -0,0 +1,355 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.config;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.NameIDType;
+import org.opensaml.saml2.metadata.ContactPerson;
+import org.opensaml.saml2.metadata.Organization;
+import org.opensaml.saml2.metadata.RequestedAttribute;
+import org.opensaml.xml.security.credential.Credential;
+
+import at.gv.egiz.eaaf.core.exceptions.EAAFException;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.data.Trible;
+import at.gv.egiz.eaaf.modules.pvp2.api.IPVP2BasicConfiguration;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPVPMetadataBuilderConfiguration;
+import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
+import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPAttributeBuilder;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthCredentialProvider;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class EidasCentralAuthMetadataConfiguration implements IPVPMetadataBuilderConfiguration {
+
+ private Collection<RequestedAttribute> additionalAttributes = null;
+
+
+ private String authURL;
+ private EidasCentralAuthCredentialProvider credentialProvider;
+ private IPVP2BasicConfiguration pvpConfiguration;
+
+ public EidasCentralAuthMetadataConfiguration(String authURL,
+ EidasCentralAuthCredentialProvider credentialProvider,
+ IPVP2BasicConfiguration pvpConfiguration) {
+ this.authURL = authURL;
+ this.credentialProvider = credentialProvider;
+ this.pvpConfiguration = pvpConfiguration;
+ }
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataValidUntil()
+ */
+ @Override
+ public int getMetadataValidUntil() {
+ return EidasCentralAuthConstants.METADATA_VALIDUNTIL_IN_HOURS;
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildEntitiesDescriptorAsRootElement()
+ */
+ @Override
+ public boolean buildEntitiesDescriptorAsRootElement() {
+ return false;
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildIDPSSODescriptor()
+ */
+ @Override
+ public boolean buildIDPSSODescriptor() {
+ return false;
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildSPSSODescriptor()
+ */
+ @Override
+ public boolean buildSPSSODescriptor() {
+ return true;
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityIDPostfix()
+ */
+ @Override
+ public String getEntityID() {
+ return authURL + EidasCentralAuthConstants.ENDPOINT_METADATA;
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityFriendlyName()
+ */
+ @Override
+ public String getEntityFriendlyName() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getContactPersonInformation()
+ */
+ @Override
+ public List<ContactPerson> getContactPersonInformation() {
+ try {
+ return pvpConfiguration.getIDPContacts();
+
+ } catch (EAAFException e) {
+ Logger.warn("Can not load Metadata entry: Contect Person", e);
+ return null;
+
+ }
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getOrgansiationInformation()
+ */
+ @Override
+ public Organization getOrgansiationInformation() {
+ try {
+ return pvpConfiguration.getIDPOrganisation();
+
+ } catch (EAAFException e) {
+ Logger.warn("Can not load Metadata entry: Organisation", e);
+ return null;
+
+ }
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataSigningCredentials()
+ */
+ @Override
+ public Credential getMetadataSigningCredentials() throws CredentialsNotAvailableException {
+ return credentialProvider.getIDPMetaDataSigningCredential();
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getRequestorResponseSigningCredentials()
+ */
+ @Override
+ public Credential getRequestorResponseSigningCredentials() throws CredentialsNotAvailableException {
+ return credentialProvider.getIDPAssertionSigningCredential();
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEncryptionCredentials()
+ */
+ @Override
+ public Credential getEncryptionCredentials() throws CredentialsNotAvailableException {
+ return credentialProvider.getIDPAssertionEncryptionCredential();
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSOPostBindingURL()
+ */
+ @Override
+ public String getIDPWebSSOPostBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSORedirectBindingURL()
+ */
+ @Override
+ public String getIDPWebSSORedirectBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLOPostBindingURL()
+ */
+ @Override
+ public String getIDPSLOPostBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLORedirectBindingURL()
+ */
+ @Override
+ public String getIDPSLORedirectBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServicePostBindingURL()
+ */
+ @Override
+ public String getSPAssertionConsumerServicePostBindingURL() {
+ return authURL + EidasCentralAuthConstants.ENDPOINT_POST;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServiceRedirectBindingURL()
+ */
+ @Override
+ public String getSPAssertionConsumerServiceRedirectBindingURL() {
+ return authURL + EidasCentralAuthConstants.ENDPOINT_REDIRECT;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOPostBindingURL()
+ */
+ @Override
+ public String getSPSLOPostBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLORedirectBindingURL()
+ */
+ @Override
+ public String getSPSLORedirectBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOSOAPBindingURL()
+ */
+ @Override
+ public String getSPSLOSOAPBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleAttributes()
+ */
+ @Override
+ public List<Attribute> getIDPPossibleAttributes() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleNameITTypes()
+ */
+ @Override
+ public List<String> getIDPPossibleNameITTypes() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPRequiredAttributes()
+ */
+ @Override
+ public Collection<RequestedAttribute> getSPRequiredAttributes() {
+ Map<String, RequestedAttribute> requestedAttributes = new HashMap<String, RequestedAttribute>();
+ for (Trible<String, String, Boolean> el : EidasCentralAuthConstants.DEFAULT_REQUIRED_PVP_ATTRIBUTES)
+ requestedAttributes.put(el.getFirst(), PVPAttributeBuilder.buildReqAttribute(el.getFirst(), el.getSecond(), el.getThird()));
+
+ if (additionalAttributes != null) {
+ Logger.trace("Add additional PVP attributes into metadata ... ");
+ for (RequestedAttribute el : additionalAttributes) {
+ if (requestedAttributes.containsKey(el.getName()))
+ Logger.debug("Attribute " + el.getName() + " is already added by default configuration. Overwrite it by user configuration");
+
+ requestedAttributes.put(el.getName(), el);
+
+ }
+ }
+
+ return requestedAttributes.values();
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAllowedNameITTypes()
+ */
+ @Override
+ public List<String> getSPAllowedNameITTypes() {
+ return Arrays.asList(NameIDType.PERSISTENT);
+
+ }
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#getSPNameForLogging()
+ */
+ @Override
+ public String getSPNameForLogging() {
+ return EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING;
+ }
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#wantAssertionSigned()
+ */
+ @Override
+ public boolean wantAssertionSigned() {
+ return false;
+ }
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#wantAuthnRequestSigned()
+ */
+ @Override
+ public boolean wantAuthnRequestSigned() {
+ return true;
+ }
+
+ /**
+ * Add additonal PVP attributes that are required by this deployment
+ *
+ * @param additionalAttr List of PVP attribute name and isRequired flag
+ */
+ public void setAdditionalRequiredAttributes(List<Pair<String, Boolean>> additionalAttr) {
+ if (additionalAttr != null) {
+ additionalAttributes = new ArrayList<RequestedAttribute>();
+ for (Pair<String, Boolean> el : additionalAttr) {
+ Attribute attributBuilder = PVPAttributeBuilder.buildEmptyAttribute(el.getFirst());
+ if (attributBuilder != null) {
+ additionalAttributes.add(
+ PVPAttributeBuilder.buildReqAttribute(
+ attributBuilder.getName(),
+ attributBuilder.getFriendlyName(),
+ el.getSecond()));
+
+ } else
+ Logger.info("NO PVP attribute with name: " + el.getFirst());
+
+ }
+ }
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthRequestBuilderConfiguration.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthRequestBuilderConfiguration.java
new file mode 100644
index 000000000..ebbe08588
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthRequestBuilderConfiguration.java
@@ -0,0 +1,262 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.config;
+
+import java.util.List;
+
+import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
+import org.opensaml.saml2.core.NameID;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.xml.security.credential.Credential;
+import org.w3c.dom.Element;
+
+import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute;
+import at.gv.egiz.eaaf.modules.pvp2.sp.api.IPVPAuthnRequestBuilderConfiguruation;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
+
+/**
+ * @author tlenz
+ *
+ */
+public class EidasCentralAuthRequestBuilderConfiguration implements IPVPAuthnRequestBuilderConfiguruation {
+
+ private boolean isPassive;
+ private String SPEntityID;
+ private String QAA_Level;
+ private EntityDescriptor idpEntity;
+ private Credential signCred;
+ private String scopeRequesterId;
+ private String providerName;
+ private List<EAAFRequestedAttribute> requestedAttributes;
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#isPassivRequest()
+ */
+ @Override
+ public Boolean isPassivRequest() {
+ return this.isPassive;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAssertionConsumerServiceId()
+ */
+ @Override
+ public Integer getAssertionConsumerServiceId() {
+ return 0;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getEntityID()
+ */
+ @Override
+ public String getSPEntityID() {
+ return this.SPEntityID;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy()
+ */
+ @Override
+ public String getNameIDPolicyFormat() {
+ return NameID.PERSISTENT;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy()
+ */
+ @Override
+ public boolean getNameIDPolicyAllowCreation() {
+ return true;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnContextClassRef()
+ */
+ @Override
+ public String getAuthnContextClassRef() {
+ return this.QAA_Level;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnContextComparison()
+ */
+ @Override
+ public AuthnContextComparisonTypeEnumeration getAuthnContextComparison() {
+ return AuthnContextComparisonTypeEnumeration.MINIMUM;
+ }
+
+ /**
+ * @param isPassive the isPassive to set
+ */
+ public void setPassive(boolean isPassive) {
+ this.isPassive = isPassive;
+ }
+
+ /**
+ * @param sPEntityID the sPEntityID to set
+ */
+ public void setSPEntityID(String sPEntityID) {
+ SPEntityID = sPEntityID;
+ }
+
+ /**
+ * @param qAA_Level the qAA_Level to set
+ */
+ public void setQAA_Level(String qAA_Level) {
+ QAA_Level = qAA_Level;
+ }
+
+ /**
+ * @param idpEntity the idpEntity to set
+ */
+ public void setIdpEntity(EntityDescriptor idpEntity) {
+ this.idpEntity = idpEntity;
+ }
+
+ /**
+ * @param signCred the signCred to set
+ */
+ public void setSignCred(Credential signCred) {
+ this.signCred = signCred;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnRequestSigningCredential()
+ */
+ @Override
+ public Credential getAuthnRequestSigningCredential() {
+ return this.signCred;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getIDPEntityDescriptor()
+ */
+ @Override
+ public EntityDescriptor getIDPEntityDescriptor() {
+ return this.idpEntity;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameID()
+ */
+ @Override
+ public String getSubjectNameID() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSPNameForLogging()
+ */
+ @Override
+ public String getSPNameForLogging() {
+ return EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDFormat()
+ */
+ @Override
+ public String getSubjectNameIDFormat() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getRequestID()
+ */
+ @Override
+ public String getRequestID() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDQualifier()
+ */
+ @Override
+ public String getSubjectNameIDQualifier() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationMethode()
+ */
+ @Override
+ public String getSubjectConformationMethode() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationDate()
+ */
+ @Override
+ public Element getSubjectConformationDate() {
+ return null;
+ }
+
+ @Override
+ public List<EAAFRequestedAttribute> getRequestedAttributes() {
+ return this.requestedAttributes;
+
+ }
+
+ @Override
+ public String getProviderName() {
+ return this.providerName;
+ }
+
+ @Override
+ public String getScopeRequesterId() {
+ return this.scopeRequesterId;
+ }
+
+ /**
+ * Set the entityId of the SP that requests the proxy for eIDAS authentication
+ *
+ * @param scopeRequesterId
+ */
+ public void setScopeRequesterId(String scopeRequesterId) {
+ this.scopeRequesterId = scopeRequesterId;
+ }
+
+ /**
+ * Set a friendlyName for the SP that requests the proxy for eIDAS authentication
+ *
+ * @param providerName
+ */
+ public void setProviderName(String providerName) {
+ this.providerName = providerName;
+ }
+
+ /**
+ * Set a Set of PVP attributes that a requested by using requested attributes
+ *
+ * @param requestedAttributes
+ */
+ public void setRequestedAttributes(List<EAAFRequestedAttribute> requestedAttributes) {
+ this.requestedAttributes = requestedAttributes;
+ }
+
+
+
+
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java
new file mode 100644
index 000000000..4898c8f1e
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java
@@ -0,0 +1,133 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.controller;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+import com.google.common.net.MediaType;
+
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController;
+import at.gv.egiz.eaaf.core.impl.utils.HTTPUtils;
+import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils;
+import at.gv.egiz.eaaf.modules.pvp2.api.IPVP2BasicConfiguration;
+import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPMetadataBuilder;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.config.EidasCentralAuthMetadataConfiguration;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthCredentialProvider;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+@Controller
+public class EidasCentralAuthMetadataController extends AbstractController {
+
+ @Autowired PVPMetadataBuilder metadatabuilder;
+ @Autowired AuthConfiguration authConfig;
+ @Autowired EidasCentralAuthCredentialProvider credentialProvider;
+ @Autowired IPVP2BasicConfiguration pvpConfiguration;
+
+ public EidasCentralAuthMetadataController() {
+ super();
+ Logger.debug("Registering servlet " + getClass().getName()
+ + " with mappings '" + EidasCentralAuthConstants.ENDPOINT_METADATA
+ + "'.");
+
+ }
+
+ @RequestMapping(value = EidasCentralAuthConstants.ENDPOINT_METADATA,
+ method = {RequestMethod.GET})
+ public void getSPMetadata(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ //check PublicURL prefix
+ try {
+ String authURL = HTTPUtils.extractAuthURLFromRequest(req);
+ if (!authConfig.getPublicURLPrefix().contains(authURL)) {
+ resp.sendError(HttpServletResponse.SC_FORBIDDEN, "No valid request URL");
+ return;
+
+ } else {
+ //initialize metadata builder configuration
+ EidasCentralAuthMetadataConfiguration metadataConfig =
+ new EidasCentralAuthMetadataConfiguration(authURL, credentialProvider, pvpConfiguration);
+ metadataConfig.setAdditionalRequiredAttributes(getAdditonalRequiredAttributes());
+
+
+ //build metadata
+ String xmlMetadata = metadatabuilder.buildPVPMetadata(metadataConfig);
+
+ //write response
+ byte[] content = xmlMetadata.getBytes("UTF-8");
+ resp.setStatus(HttpServletResponse.SC_OK);
+ resp.setContentLength(content.length);
+ resp.setContentType(MediaType.XML_UTF_8.toString());
+ resp.getOutputStream().write(content);
+
+ }
+
+ } catch (Exception e) {
+ Logger.warn("Build federated-authentication PVP metadata FAILED.", e);
+ handleErrorNoRedirect(e, req, resp, false);
+
+ }
+
+ }
+
+ private List<Pair<String, Boolean>> getAdditonalRequiredAttributes() {
+ Map<String, String> addReqAttributes = authConfig.getBasicMOAIDConfigurationWithPrefix(EidasCentralAuthConstants.CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST);
+ if (addReqAttributes != null) {
+ List<Pair<String, Boolean>> result = new ArrayList<Pair<String, Boolean>>();
+ for (String el : addReqAttributes.values()) {
+ if (MiscUtil.isNotEmpty(el)) {
+ Logger.trace("Parse additional attr. definition: " + el);
+ List<String> attr = KeyValueUtils.getListOfCSVValues(el.trim());
+ if (attr.size() == 2) {
+ result.add(Pair.newInstance(attr.get(0), Boolean.parseBoolean(attr.get(1))));
+
+ } else
+ Logger.info("IGNORE additional attr. definition: " + el
+ + " Reason: Format not valid");
+ }
+ }
+
+ return result;
+ }
+
+ return null;
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthSignalController.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthSignalController.java
new file mode 100644
index 000000000..1486ef841
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthSignalController.java
@@ -0,0 +1,67 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.controller;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.text.StringEscapeUtils;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+@Controller
+public class EidasCentralAuthSignalController extends AbstractProcessEngineSignalController {
+
+ public EidasCentralAuthSignalController() {
+ super();
+ Logger.debug("Registering servlet " + getClass().getName()
+ + " with mappings '" + EidasCentralAuthConstants.ENDPOINT_POST
+ + "' and '" + EidasCentralAuthConstants.ENDPOINT_REDIRECT + "'.");
+
+ }
+
+ @RequestMapping(value = { EidasCentralAuthConstants.ENDPOINT_POST,
+ EidasCentralAuthConstants.ENDPOINT_REDIRECT
+ },
+ method = {RequestMethod.POST, RequestMethod.GET})
+ public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ signalProcessManagement(req, resp);
+
+ }
+
+ public String getPendingRequestId(HttpServletRequest request) {
+ return StringEscapeUtils.escapeHtml4(request.getParameter("RelayState"));
+
+ }
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java
new file mode 100644
index 000000000..7fb6fb4f8
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java
@@ -0,0 +1,164 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.tasks;
+
+import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.xml.security.SecurityException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import at.gv.egiz.eaaf.core.api.data.PVPAttributeDefinitions;
+import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
+import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
+import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask;
+import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute;
+import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPAttributeBuilder;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;
+import at.gv.egiz.eaaf.modules.pvp2.sp.impl.PVPAuthnRequestBuilder;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.config.EidasCentralAuthRequestBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthCredentialProvider;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthMetadataProvider;
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+@Component("CreateEidasCentrialAuthnRequestTask")
+public class CreateAuthnRequestTask extends AbstractAuthServletTask {
+
+ @Autowired PVPAuthnRequestBuilder authnReqBuilder;
+ @Autowired EidasCentralAuthCredentialProvider credential;
+ @Autowired EidasCentralAuthMetadataProvider metadataService;
+
+ //@Autowired(required=true) ILoALevelMapper loaMapper;
+ //@Autowired(required=true) MOAMetadataProvider metadataProvider;
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+ */
+ @Override
+ public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+ throws TaskExecutionException {
+ try{
+ //check if eIDAS authentication is enabled for this SP
+ if (!Boolean.parseBoolean(pendingReq.getServiceProviderConfiguration().getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_STORK_ENABLED, String.valueOf(false)))) {
+ Logger.info("eIDAS authentication is NOT enabled for OA: " + pendingReq.getServiceProviderConfiguration().getUniqueIdentifier());
+ throw new MOAIDException("eIDAS authentication is NOT enabled for OA: " + pendingReq.getServiceProviderConfiguration().getUniqueIdentifier(), null);
+
+ }
+
+ // get entityID for central ms-specific eIDAS node
+ String msNodeEntityID = authConfig.getBasicConfiguration(EidasCentralAuthConstants.CONFIG_PROPS_NODE_ENTITYID);
+
+ if (MiscUtil.isEmpty(msNodeEntityID)) {
+ Logger.info("eIDAS authentication not possible -> NO EntityID for central eIDAS node FOUND!");
+ throw new MOAIDException("NO EntityID for central eIDAS node FOUND", null);
+
+ }
+
+ //load metadata with metadataURL, as backup
+ String metadataURL = authConfig.getBasicConfiguration(EidasCentralAuthConstants.CONFIG_PROPS_NODE_METADATAURL);
+ if (MiscUtil.isNotEmpty(metadataURL)) {
+ Logger.warn("Use not recommended metadata-provider initialization!"
+ + " SAML2 'Well-Known-Location' is the preferred methode.");
+ Logger.info("Initialize 'ms-specific eIDAS node' metadata-provider with URL:" + metadataURL);
+ metadataService.addMetadataWithMetadataURL(metadataURL);
+
+ }
+
+ //load IDP SAML2 entitydescriptor
+ EntityDescriptor entityDesc = metadataService.getEntityDescriptor(msNodeEntityID);
+ if (entityDesc == null) {
+ Logger.error("Requested 'ms-specific eIDAS node' " + entityDesc
+ + " has no valid metadata or metadata is not found");
+ throw new MOAIDException("Requested 'ms-specific eIDAS node' " + entityDesc
+ + " has no valid metadata or metadata is not found", null);
+
+ }
+
+ //setup AuthnRequestBuilder configuration
+ EidasCentralAuthRequestBuilderConfiguration authnReqConfig = new EidasCentralAuthRequestBuilderConfiguration();
+ authnReqConfig.setIdpEntity(entityDesc);
+ authnReqConfig.setPassive(false);
+ authnReqConfig.setSignCred(credential.getIDPAssertionSigningCredential());
+ authnReqConfig.setSPEntityID(pendingReq.getAuthURL() + EidasCentralAuthConstants.ENDPOINT_METADATA);
+ authnReqConfig.setQAA_Level(
+ pendingReq.getServiceProviderConfiguration().getConfigurationValue(
+ MOAIDConfigurationConstants.SERVICE_AUTH_STORK_MINQAALEVEL,
+ EidasCentralAuthConstants.CONFIG_DEFAULT_LOA_EIDAS_LEVEL));
+
+ authnReqConfig.setScopeRequesterId(pendingReq.getServiceProviderConfiguration().getUniqueIdentifier());
+ authnReqConfig.setProviderName(pendingReq.getServiceProviderConfiguration().getFriendlyName());
+ authnReqConfig.setRequestedAttributes(buildRequestedAttributes());
+
+ //build and transmit AuthnRequest
+ authnReqBuilder.buildAuthnRequest(pendingReq, authnReqConfig , response);
+
+ } catch (MOAIDException e) {
+ throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+
+ } catch (MetadataProviderException e) {
+ throw new TaskExecutionException(pendingReq, "Build PVP2.1 AuthnRequest to connect 'ms-specific eIDAS node' FAILED.", e);
+
+ } catch (MessageEncodingException | NoSuchAlgorithmException | SecurityException e) {
+ Logger.error("Build PVP2.1 AuthnRequest for SSO inderfederation FAILED", e);
+ throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+
+ } catch (Exception e) {
+ Logger.error("Build PVP2.1 AuthnRequest for SSO inderfederation FAILED", e);
+ throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+
+ }
+ }
+
+ private List<EAAFRequestedAttribute> buildRequestedAttributes() {
+ List<EAAFRequestedAttribute> attributs = new ArrayList<EAAFRequestedAttribute>();
+
+ //build EID sector for identification attribute
+ Attribute attr = PVPAttributeBuilder.buildEmptyAttribute(PVPAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME);
+ EAAFRequestedAttribute reqAttr = SAML2Utils.generateReqAuthnAttributeSimple(
+ attr ,
+ true,
+ pendingReq.getServiceProviderConfiguration().getAreaSpecificTargetIdentifier());
+ attributs.add(reqAttr );
+
+ return attributs;
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java
new file mode 100644
index 000000000..f9686029f
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java
@@ -0,0 +1,272 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.tasks;
+
+import java.io.IOException;
+import java.util.Set;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.transform.TransformerException;
+
+import org.opensaml.saml2.core.Response;
+import org.opensaml.saml2.core.StatusCode;
+import org.opensaml.ws.message.decoder.MessageDecodingException;
+import org.opensaml.xml.io.MarshallingException;
+import org.opensaml.xml.security.SecurityException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
+import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException;
+import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
+import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
+import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask;
+import at.gv.egiz.eaaf.modules.pvp2.api.binding.IDecoder;
+import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
+import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding;
+import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.PVPSProfileResponse;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EAAFURICompare;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory;
+import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionValidationExeption;
+import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnResponseValidationException;
+import at.gv.egiz.eaaf.modules.pvp2.sp.impl.utils.AssertionAttributeExtractor;
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthCredentialProvider;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthMetadataProvider;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+@Component("ReceiveFederatedAuthnResponseTask")
+public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
+
+ @Autowired private SAMLVerificationEngineSP samlVerificationEngine;
+ @Autowired private EidasCentralAuthCredentialProvider credentialProvider;
+ @Autowired(required=true) EidasCentralAuthMetadataProvider metadataProvider;
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+ */
+ @Override
+ public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+ throws TaskExecutionException {
+ InboundMessage msg = null;
+
+ try {
+
+ IDecoder decoder = null;
+ EAAFURICompare comperator = null;
+ //select Response Binding
+ if (request.getMethod().equalsIgnoreCase("POST")) {
+ decoder = new PostBinding();
+ comperator = new EAAFURICompare(pendingReq.getAuthURL() + EidasCentralAuthConstants.ENDPOINT_POST);
+ Logger.trace("Receive PVP Response from 'ms-specific eIDAS node', by using POST-Binding.");
+
+ } else if (request.getMethod().equalsIgnoreCase("GET")) {
+ decoder = new RedirectBinding();
+ comperator = new EAAFURICompare(pendingReq.getAuthURL() + EidasCentralAuthConstants.ENDPOINT_REDIRECT);
+ Logger.trace("Receive PVP Response from 'ms-specific eIDAS node', by using Redirect-Binding.");
+
+ } else {
+ Logger.warn("Receive PVP Response, but Binding ("
+ + request.getMethod() + ") is not supported.");
+ throw new AuthnResponseValidationException("sp.pvp2.03", new Object[] {EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING});
+
+ }
+
+ //decode PVP response object
+ msg = (InboundMessage) decoder.decode(
+ request, response, metadataProvider, true,
+ comperator);
+
+ if (MiscUtil.isEmpty(msg.getEntityID())) {
+ throw new InvalidProtocolRequestException("sp.pvp2.04",
+ new Object[] {EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING},
+ "NO configuration for SP entityID: " + msg.getEntityID());
+
+ }
+
+ //validate response signature
+ if(!msg.isVerified()) {
+ samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
+ msg.setVerified(true);
+
+ }
+
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_AUTHRESPONSE);
+
+ //validate assertion
+ PVPSProfileResponse processedMsg = preProcessAuthResponse((PVPSProfileResponse) msg);
+
+ //validate entityId of response
+ String msNodeEntityID = authConfig.getBasicConfiguration(EidasCentralAuthConstants.CONFIG_PROPS_NODE_ENTITYID);
+ String respEntityId = msg.getEntityID();
+ if (!msNodeEntityID.equals(respEntityId)) {
+ Logger.warn("Response Issuer is not a 'ms-specific eIDAS node'. Stopping eIDAS authentication ...");
+ throw new AuthnResponseValidationException("sp.pvp2.08",
+ new Object[] {EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING,
+ msg.getEntityID()});
+
+ }
+
+ //initialize Attribute extractor
+ AssertionAttributeExtractor extractor =
+ new AssertionAttributeExtractor((Response) processedMsg.getResponse());
+
+ getAuthDataFromInterfederation(extractor, pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class));
+
+ //store pending-request
+ requestStoreage.storePendingRequest(pendingReq);
+
+ //write log entries
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_INTERFEDERATION_REVEIVED);
+ Logger.info("Receive a valid assertion from IDP " + msg.getEntityID());
+
+ } catch (MessageDecodingException | SecurityException e) {
+ String samlRequest = request.getParameter("SAMLRequest");
+ Logger.warn("Receive INVALID PVP Response from 'ms-specific eIDAS node': " + samlRequest, e);
+ throw new TaskExecutionException(pendingReq, "Receive INVALID PVP Response from federated IDP", e);
+
+ } catch (IOException | MarshallingException | TransformerException e) {
+ Logger.warn("Processing PVP response from 'ms-specific eIDAS node' FAILED.", e);
+ throw new TaskExecutionException(pendingReq, "Processing PVP response from 'ms-specific eIDAS node' FAILED.", e);
+
+ } catch (CredentialsNotAvailableException e) {
+ Logger.error("PVP response decrytion FAILED. No credential found.", e);
+ throw new TaskExecutionException(pendingReq, "PVP response decrytion FAILED. No credential found.", e);
+
+ } catch (AssertionValidationExeption | AuthnResponseValidationException e) {
+ Logger.info("PVP response validation FAILED. Msg:" + e.getMessage());
+ throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", e);
+
+ } catch (Exception e) {
+ Logger.warn("PVP response validation FAILED. Msg:" + e.getMessage(), e);
+ throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", e);
+
+ }
+
+ }
+
+ private void getAuthDataFromInterfederation(AssertionAttributeExtractor extractor, IOAAuthParameters spConfig) throws BuildException, ConfigurationException{
+ try {
+ //check if all attributes are include
+ if (!extractor.containsAllRequiredAttributes()
+ && !extractor.containsAllRequiredAttributes(EidasCentralAuthConstants.DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES)) {
+ Logger.warn("PVP Response from federated IDP contains not all requested attributes.");
+ throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING});
+
+ }
+
+ //copy attributes into MOASession
+ Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames();
+ for (String el : includedAttrNames) {
+ String value = extractor.getSingleAttributeValue(el);
+ pendingReq.setGenericDataToSession(el, value);
+ Logger.debug("Add PVP-attribute " + el + " into MOASession");
+
+ }
+
+ } catch (AssertionValidationExeption e) {
+ throw new BuildException("builder.06", null, e);
+
+ } catch (EAAFStorageException e) {
+ throw new BuildException("builder.06", null, e);
+
+ }
+ }
+
+ /**
+ * @param executionContext
+ * @param idpConfig
+ * @param message
+ * @param objects
+ * @throws TaskExecutionException
+ * @throws Throwable
+ */
+ private void handleAuthnResponseValidationProblem(ExecutionContext executionContext, IOAAuthParameters idpConfig, Throwable e) throws TaskExecutionException {
+
+ if (idpConfig != null && idpConfig.isPerformLocalAuthenticationOnInterfederationError()) {
+ Logger.info("Switch to local authentication on this IDP ... ");
+
+ executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION, true);
+ executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, true);
+
+ executionContext.remove(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH);
+
+ } else {
+ throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", e);
+
+ }
+
+ }
+
+ /**
+ * PreProcess AuthResponse and Assertion
+ * @param msg
+ * @throws TransformerException
+ * @throws MarshallingException
+ * @throws IOException
+ * @throws CredentialsNotAvailableException
+ * @throws AssertionValidationExeption
+ * @throws AuthnResponseValidationException
+ */
+ private PVPSProfileResponse preProcessAuthResponse(PVPSProfileResponse msg) throws IOException, MarshallingException, TransformerException, AssertionValidationExeption, CredentialsNotAvailableException, AuthnResponseValidationException {
+ Logger.debug("Start PVP21 assertion processing... ");
+ Response samlResp = (Response) msg.getResponse();
+
+ // check SAML2 response status-code
+ if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+ //validate PVP 2.1 assertion
+ samlVerificationEngine.validateAssertion(samlResp, true,
+ credentialProvider.getIDPAssertionEncryptionCredential(),
+ pendingReq.getAuthURL() + EidasCentralAuthConstants.ENDPOINT_METADATA,
+ EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING);
+
+ msg.setSAMLMessage(SAML2Utils.asDOMDocument(samlResp).getDocumentElement());
+ return msg;
+
+ } else {
+ Logger.info("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue()
+ + " from 'ms-specific eIDAS node'.");
+ throw new AuthnResponseValidationException("sp.pvp2.05",
+ new Object[]{EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING, samlResp.getIssuer().getValue(), samlResp.getStatus().getStatusCode().getValue()});
+
+ }
+
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthCredentialProvider.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthCredentialProvider.java
new file mode 100644
index 000000000..f2f8530f6
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthCredentialProvider.java
@@ -0,0 +1,124 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import at.gv.egiz.eaaf.core.impl.utils.FileUtils;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+
+/**
+ * @author tlenz
+ *
+ */
+@Service("EidasCentralAuthCredentialProvider")
+public class EidasCentralAuthCredentialProvider extends AbstractCredentialProvider {
+
+ @Autowired AuthConfiguration authConfig;
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getKeyStoreFilePath()
+ */
+ @Override
+ public String getKeyStoreFilePath() throws ConfigurationException {
+ return FileUtils.makeAbsoluteURL(
+ authConfig.getBasicConfiguration(EidasCentralAuthConstants.CONFIG_PROPS_KEYSTORE),
+ authConfig.getRootConfigFileDir());
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getKeyStorePassword()
+ */
+ @Override
+ public String getKeyStorePassword() {
+ return authConfig.getBasicConfiguration(EidasCentralAuthConstants.CONFIG_PROPS_KEYSTOREPASSWORD).trim();
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getMetadataKeyAlias()
+ */
+ @Override
+ public String getMetadataKeyAlias() {
+ return authConfig.getBasicConfiguration(
+ EidasCentralAuthConstants.CONFIG_PROPS_SIGN_METADATA_ALIAS_PASSWORD).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getMetadataKeyPassword()
+ */
+ @Override
+ public String getMetadataKeyPassword() {
+ return authConfig.getBasicConfiguration(
+ EidasCentralAuthConstants.CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getSignatureKeyAlias()
+ */
+ @Override
+ public String getSignatureKeyAlias() {
+ return authConfig.getBasicConfiguration(
+ EidasCentralAuthConstants.CONFIG_PROPS_SIGN_SIGNING_ALIAS_PASSWORD).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getSignatureKeyPassword()
+ */
+ @Override
+ public String getSignatureKeyPassword() {
+ return authConfig.getBasicConfiguration(
+ EidasCentralAuthConstants.CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getEncryptionKeyAlias()
+ */
+ @Override
+ public String getEncryptionKeyAlias() {
+ return authConfig.getBasicConfiguration(
+ EidasCentralAuthConstants.CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getEncryptionKeyPassword()
+ */
+ @Override
+ public String getEncryptionKeyPassword() {
+ return authConfig.getBasicConfiguration(
+ EidasCentralAuthConstants.CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getCredentialName()
+ */
+ @Override
+ public String getFriendlyName() {
+ return "eIDAS centrial authentication";
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java
new file mode 100644
index 000000000..5cee90658
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java
@@ -0,0 +1,345 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils;
+
+import java.net.MalformedURLException;
+import java.util.List;
+import java.util.Timer;
+
+import javax.xml.namespace.QName;
+
+import org.apache.commons.httpclient.HttpClient;
+import org.apache.commons.httpclient.MOAHttpClient;
+import org.apache.commons.httpclient.params.HttpClientParams;
+import org.opensaml.saml2.metadata.EntitiesDescriptor;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.RoleDescriptor;
+import org.opensaml.saml2.metadata.provider.ChainingMetadataProvider;
+import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.saml2.metadata.provider.MetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.xml.XMLObject;
+import org.opensaml.xml.parse.BasicParserPool;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import at.gv.egiz.eaaf.core.api.IDestroyableObject;
+import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.MetadataFilterChain;
+import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.SimpleMetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SchemaValidationFilter;
+import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
+import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MOASPMetadataSignatureFilter;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+
+@Service("EidasCentralAuthMetadataProvider")
+public class EidasCentralAuthMetadataProvider extends SimpleMetadataProvider
+ implements IDestroyableObject {
+ @Autowired(required=true) AuthConfiguration moaAuthConfig;
+
+ private ChainingMetadataProvider metadataProvider = new ChainingMetadataProvider();
+ private Timer timer = null;
+
+
+ public EidasCentralAuthMetadataProvider() {
+ metadataProvider.setRequireValidMetadata(true);
+
+ }
+
+ public void addMetadataWithMetadataURL(String metadataURL) throws MetadataProviderException {
+ internalInitialize(metadataURL);
+
+ }
+
+ public void destroy() {
+ fullyDestroy();
+
+ }
+
+
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#requireValidMetadata()
+ */
+ @Override
+ public boolean requireValidMetadata() {
+ return metadataProvider.requireValidMetadata();
+
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#setRequireValidMetadata(boolean)
+ */
+ @Override
+ public void setRequireValidMetadata(boolean requireValidMetadata) {
+ metadataProvider.setRequireValidMetadata(requireValidMetadata);
+
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getMetadataFilter()
+ */
+ @Override
+ public MetadataFilter getMetadataFilter() {
+ return metadataProvider.getMetadataFilter();
+
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#setMetadataFilter(org.opensaml.saml2.metadata.provider.MetadataFilter)
+ */
+ @Override
+ public void setMetadataFilter(MetadataFilter newFilter) throws MetadataProviderException {
+ Logger.fatal("Set Metadata Filter is not implemented her!");
+
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getMetadata()
+ */
+ @Override
+ public XMLObject getMetadata() throws MetadataProviderException {
+ return metadataProvider.getMetadata();
+
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getEntitiesDescriptor(java.lang.String)
+ */
+ @Override
+ public EntitiesDescriptor getEntitiesDescriptor(String name) throws MetadataProviderException {
+ return metadataProvider.getEntitiesDescriptor(name);
+
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getEntityDescriptor(java.lang.String)
+ */
+ @Override
+ public EntityDescriptor getEntityDescriptor(String entityID) throws MetadataProviderException {
+ try {
+ //search if metadata is already loaded
+ EntityDescriptor entityDesc = metadataProvider.getEntityDescriptor(entityID);
+
+ if (entityDesc != null)
+ return entityDesc;
+ else
+ Logger.info("No ms-specific eIDAS node: " + entityID + " Starting refresh process ...");
+
+ } catch (MetadataProviderException e) {
+ Logger.info("Access ms-specific eIDAS node: " + entityID + " FAILED. Reason:" + e.getMessage() + " Starting refresh process ...");
+
+ }
+
+ //(re)initialize ms-specific eIDAS node
+ internalInitialize(entityID);
+
+ //search again after reload (re)initialization
+ try {
+ EntityDescriptor entityDesc = metadataProvider.getEntityDescriptor(entityID);
+ if (entityDesc == null) {
+ Logger.error("MS-specific eIDAS node Client ERROR: No EntityID with "+ entityID);
+ throw new MetadataProviderException("No EntityID with "+ entityID);
+ }
+
+ return entityDesc;
+
+ } catch (MetadataProviderException e) {
+ Logger.error("MS-specific eIDAS node Client ERROR: Metadata extraction FAILED.", e);
+ throw new MetadataProviderException("Metadata extraction FAILED", e);
+
+ }
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getRole(java.lang.String, javax.xml.namespace.QName)
+ */
+ @Override
+ public List<RoleDescriptor> getRole(String entityID, QName roleName) throws MetadataProviderException {
+ try {
+ //search if metadata is already loaded
+ List<RoleDescriptor> role = metadataProvider.getRole(entityID, roleName);
+
+ if (role != null)
+ return role;
+ else
+ Logger.info("No ms-specific eIDAS node: " + entityID + " Starting refresh process ...");
+
+ } catch (MetadataProviderException e) {
+ Logger.info("Access ms-specific eIDAS node: " + entityID + " FAILED. Reason:" + e.getMessage() + " Starting refresh process ...");
+
+ }
+
+ //(re)initialize ms-specific eIDAS node
+ internalInitialize(entityID);
+
+ //search again after reload (re)initialization
+ return metadataProvider.getRole(entityID, roleName);
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getRole(java.lang.String, javax.xml.namespace.QName, java.lang.String)
+ */
+ @Override
+ public RoleDescriptor getRole(String entityID, QName roleName, String supportedProtocol)
+ throws MetadataProviderException {
+ try {
+ //search if metadata is already loaded
+ RoleDescriptor role = metadataProvider.getRole(entityID, roleName, supportedProtocol);
+
+ if (role != null)
+ return role;
+ else
+ Logger.info("No ms-specific eIDAS node: " + entityID + " Starting refresh process ...");
+
+ } catch (MetadataProviderException e) {
+ Logger.info("Access ms-specific eIDAS node: " + entityID + " FAILED. Reason:" + e.getMessage() + " Starting refresh process ...");
+
+ }
+
+ //(re)initialize ms-specific eIDAS node
+ internalInitialize(entityID);
+
+ //search again after reload (re)initialization
+ return metadataProvider.getRole(entityID, roleName, supportedProtocol);
+ }
+
+ private synchronized void internalInitialize(String metdataURL) throws MetadataProviderException {
+
+ //check if metadata with EntityID already exists in chaining metadata provider
+ boolean addNewMetadata = true;
+ try {
+ addNewMetadata = (metadataProvider.getEntityDescriptor(metdataURL) == null);
+
+ } catch (MetadataProviderException e) {}
+
+ //switch between metadata refresh and add new metadata
+ if (addNewMetadata) {
+ //Metadata provider seems not loaded --> Add new metadata provider
+ Logger.info("Initialize PVP MetadataProvider:" + metdataURL + " to connect ms-specific eIDAS node");
+
+ String trustProfileID = authConfig.getBasicConfiguration(EidasCentralAuthConstants.CONFIG_PROPS_NODE_TRUSTPROFILEID);
+ if (MiscUtil.isEmpty(trustProfileID)) {
+ Logger.error("Create ms-specific eIDAS node Client FAILED: No trustProfileID to verify PVP metadata." );
+ throw new MetadataProviderException("No trustProfileID to verify PVP metadata.");
+ }
+
+ //initialize Timer if it is null
+ if (timer == null)
+ timer = new Timer(true);
+
+ //create metadata validation filter chain
+ MetadataFilterChain filter = new MetadataFilterChain();
+ filter.addFilter(new SchemaValidationFilter(true));
+ filter.addFilter(new MOASPMetadataSignatureFilter(trustProfileID));
+
+ MetadataProvider idpMetadataProvider = createNewSimpleMetadataProvider(metdataURL,
+ filter,
+ EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING,
+ timer,
+ new BasicParserPool(),
+ createHttpClient(metdataURL));
+
+ if (idpMetadataProvider == null) {
+ Logger.error("Create ms-specific eIDAS node Client FAILED.");
+ throw new MetadataProviderException("Can not initialize 'ms-specific eIDAS node' metadata provider.");
+
+ }
+
+ idpMetadataProvider.setRequireValidMetadata(true);
+ metadataProvider.addMetadataProvider(idpMetadataProvider);
+
+ } else {
+ //Metadata provider seems already loaded --> start refresh process
+ List<MetadataProvider> loadedProvider = metadataProvider.getProviders();
+ for (MetadataProvider el : loadedProvider) {
+ if (el instanceof HTTPMetadataProvider) {
+ HTTPMetadataProvider prov = (HTTPMetadataProvider)el;
+ if (prov.getMetadataURI().equals(metdataURL))
+ prov.refresh();
+
+ } else
+ Logger.warn("'ms-specific eIDAS node' Metadata provider is not of Type 'HTTPMetadataProvider'! Something is suspect!!!!");
+
+ }
+ }
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.IDestroyableObject#fullyDestroy()
+ */
+ @Override
+ public void fullyDestroy() {
+ Logger.info("Destroy 'ms-specific eIDAS node' PVP metadata pool ... ");
+
+ if (metadataProvider != null) {
+ metadataProvider.destroy();
+
+ }
+
+ if (timer != null)
+ timer.cancel();
+
+ }
+
+ private HttpClient createHttpClient(String metadataURL) {
+ MOAHttpClient httpClient = new MOAHttpClient();
+ HttpClientParams httpClientParams = new HttpClientParams();
+ httpClientParams.setSoTimeout(AuthConfiguration.CONFIG_PROPS_METADATA_SOCKED_TIMEOUT);
+ httpClient.setParams(httpClientParams);
+
+ if (metadataURL.startsWith("https:")) {
+ try {
+ //FIX: change hostname validation default flag to true when httpClient is updated to > 4.4
+ MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
+ PVPConstants.SSLSOCKETFACTORYNAME,
+ moaAuthConfig.getTrustedCACertificates(),
+ null,
+ AuthConfiguration.DEFAULT_X509_CHAININGMODE,
+ moaAuthConfig.isTrustmanagerrevoationchecking(),
+ moaAuthConfig.getRevocationMethodOrder(),
+ moaAuthConfig.getBasicMOAIDConfigurationBoolean(
+ AuthConfiguration.PROP_KEY_SSL_HOSTNAME_VALIDATION, false));
+
+ httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory);
+
+ } catch (MOAHttpProtocolSocketFactoryException | MalformedURLException e) {
+ Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.", e);
+
+ }
+ }
+
+ return httpClient;
+
+ }
+}
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider
new file mode 100644
index 000000000..5954455a4
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider
@@ -0,0 +1 @@
+at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthSpringResourceProvider
\ No newline at end of file
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/eIDAS_central_node_auth.process.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/eIDAS_central_node_auth.process.xml
new file mode 100644
index 000000000..02bf7bcad
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/eIDAS_central_node_auth.process.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<pd:ProcessDefinition id="centrialEidasAuthentication" xmlns:pd="http://reference.e-government.gv.at/namespace/moa/process/definition/v1">
+
+ <pd:Task id="createEidasAuthnRequest" class="CreateEidasCentrialAuthnRequestTask" />
+ <pd:Task id="receiveEidasAuthnResponse" class="ReceiveEidasCentrialAuthnResponseTask" async="true" />
+ <pd:Task id="finalizeAuthentication" class="FinalizeAuthenticationTask" />
+
+ <pd:StartEvent id="start" />
+
+ <pd:Transition from="start" to="createEidasAuthnRequest" />
+ <pd:Transition from="createEidasAuthnRequest" to="receiveEidasAuthnResponse"/>
+ <pd:Transition from="receiveEidasAuthnResponse" to="finalizeAuthentication"/>
+ <pd:Transition from="finalizeAuthentication" to="end" />
+
+ <pd:EndEvent id="end" />
+
+</pd:ProcessDefinition>
\ No newline at end of file
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/moaid_eIDAS_central_node_auth.beans.xml b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/moaid_eIDAS_central_node_auth.beans.xml
new file mode 100644
index 000000000..9c6ee3c67
--- /dev/null
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/resources/moaid_eIDAS_central_node_auth.beans.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:tx="http://www.springframework.org/schema/tx"
+ xmlns:aop="http://www.springframework.org/schema/aop"
+ xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
+ http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
+ http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">
+
+
+<!-- Federated authentication services -->
+ <bean id="EidasCentralAuthCredentialProvider"
+ class="at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthCredentialProvider"/>
+
+ <bean id="EidasCentralAuthMetadataController"
+ class="at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.controller.EidasCentralAuthMetadataController"/>
+
+ <bean id="EidasCentralAuthModuleImpl"
+ class="at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthModuleImpl"/>
+
+ <bean id="EidasCentralAuthSignalController"
+ class="at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.controller.EidasCentralAuthSignalController"/>
+
+ <bean id="EidasCentralAuthMetadataProvider"
+ class="at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthMetadataProvider" />
+
+ <bean id="pvpAuthnRequestBuilder"
+ class="at.gv.egiz.eaaf.modules.pvp2.sp.impl.PVPAuthnRequestBuilder" />
+
+<!-- Federated Authentication Process Tasks -->
+ <bean id="CreateEidasCentrialAuthnRequestTask"
+ class="at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.tasks.CreateAuthnRequestTask"
+ scope="prototype"/>
+
+ <bean id="ReceiveEidasCentrialAuthnResponseTask"
+ class="at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.tasks.ReceiveAuthnResponseTask"
+ scope="prototype"/>
+
+</beans>
\ No newline at end of file
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASMetadata.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASMetadata.java
new file mode 100644
index 000000000..db072203d
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eIDASMetadata.java
@@ -0,0 +1,5 @@
+package at.gv.egovernment.moa.id.protocols.eidas.attributes.builder;
+
+public @interface eIDASMetadata {
+
+}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java
index 719629936..6548f9fcf 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java
@@ -40,6 +40,7 @@ import org.opensaml.xml.security.credential.Credential;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
+import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute;
import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;
import at.gv.egiz.eaaf.modules.pvp2.sp.api.IPVPAuthnRequestBuilderConfiguruation;
import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants;
@@ -302,10 +303,20 @@ public class ELGAMandatesRequestBuilderConfiguration implements IPVPAuthnRequest
}
@Override
- public List<String> getRequestedAttributes() {
+ public List<EAAFRequestedAttribute> getRequestedAttributes() {
return null;
}
+
+ @Override
+ public String getProviderName() {
+ return null;
+ }
+
+ @Override
+ public String getScopeRequesterId() {
+ return null;
+ }
}
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
index e9c3115fe..50da5187b 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
@@ -30,6 +30,7 @@ import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.xml.security.credential.Credential;
import org.w3c.dom.Element;
+import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute;
import at.gv.egiz.eaaf.modules.pvp2.sp.api.IPVPAuthnRequestBuilderConfiguruation;
import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants;
@@ -210,10 +211,20 @@ public class FederatedAuthnRequestBuilderConfiguration implements IPVPAuthnReque
}
@Override
- public List<String> getRequestedAttributes() {
+ public List<EAAFRequestedAttribute> getRequestedAttributes() {
return null;
}
+ @Override
+ public String getProviderName() {
+ return null;
+ }
+
+ @Override
+ public String getScopeRequesterId() {
+ return null;
+ }
+
}
diff --git a/id/server/modules/pom.xml b/id/server/modules/pom.xml
index a9aed2d24..06c9a341a 100644
--- a/id/server/modules/pom.xml
+++ b/id/server/modules/pom.xml
@@ -36,6 +36,7 @@
<module>moa-id-module-bkaMobilaAuthSAML2Test</module>
<module>moa-id-module-sl20_authentication</module>
+ <module>moa-id-module-AT_eIDAS_connector</module>
</modules>
<dependencies>
diff --git a/pom.xml b/pom.xml
index 2faf73b09..8d7773b5a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -566,6 +566,12 @@
<groupId>MOA.id.server.modules</groupId>
<artifactId>moa-id-module-sl20_authentication</artifactId>
<version>${moa-id-version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>MOA.id.server.modules</groupId>
+ <artifactId>moa-id-module-AT_eIDAS_connector</artifactId>
+ <version>${moa-id-version}</version>
</dependency>
<dependency>
--
cgit v1.2.3