From 91b54c413aca1f214de482e7ea899bdec114880d Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 28 Nov 2017 10:54:34 +0100 Subject: deactivated PVP EntityCategory mapper as default --- .../data/deploy/conf/moa-id/moa-id.properties | 7 +-- id/server/doc/handbook/config/config.html | 5 ++ .../PropertyBasedAuthConfigurationProvider.java | 2 +- .../pvp2x/metadata/MOAMetadataProvider.java | 6 ++- .../metadata/PVPEntityCategoryFilter.java | 60 ++++++++++++++-------- .../moa/id/commons/api/AuthConfiguration.java | 1 + 6 files changed, 52 insertions(+), 29 deletions(-) diff --git a/id/server/data/deploy/conf/moa-id/moa-id.properties b/id/server/data/deploy/conf/moa-id/moa-id.properties index 15084b387..4228b0d3a 100644 --- a/id/server/data/deploy/conf/moa-id/moa-id.properties +++ b/id/server/data/deploy/conf/moa-id/moa-id.properties @@ -43,12 +43,6 @@ service.foreignidentities.acceptedServerCertificates= service.foreignidentities.clientKeyStore=keys/.... service.foreignidentities.clientKeyStorePassword= -##STORK 2 -stork.fakeIdL.active=false -stork.fakeIdL.countries= -stork.fakeIdL.keygroup= -stork.documentservice.url= - ##Protocol configuration## #PVP2 protocols.pvp2.idp.ks.file=file:$PATH_TO_CONFIG$/conf/moa-id/keys/moa_idp[password].p12 @@ -59,6 +53,7 @@ protocols.pvp2.idp.ks.assertion.sign.alias=pvp_assertion protocols.pvp2.idp.ks.assertion.sign.keypassword=password protocols.pvp2.idp.ks.assertion.encryption.alias=pvp_assertion protocols.pvp2.idp.ks.assertion.encryption.keypassword=password +protocols.pvp2.metadata.entitycategories.active=false #OpenID connect (OAuth) protocols.oauth20.jwt.ks.file=file:$PATH_TO_CONFIG$/conf/moa-id/keys/moa_idp[password].p12 diff --git a/id/server/doc/handbook/config/config.html b/id/server/doc/handbook/config/config.html index e6b86204a..1972d2150 100644 --- a/id/server/doc/handbook/config/config.html +++ b/id/server/doc/handbook/config/config.html @@ -576,6 +576,11 @@ https://<host>:<port>/moa-id-auth/MonitoringServlet password Passwort des Schlüssels mit dem PVP 2.1 Assertion für MOA-ID-Auth als Service Provider durch einen weiteren IDP Verschlüsselt werden sollen (siehe Kapitel Interfederation) + + protocols.pvp2.metadata.entitycategories.active + true / false + Funktion zum Mappen einer in den Metadaten enthaltenen PVP EntityCategory auf ein Set von PVP Attributen, welche von MOA-ID returniert werden sollen. +

 

2.2.2.3.2 OpenID Connect
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java index 332604257..d3e340a90 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java @@ -1311,7 +1311,7 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide String value = properties.getProperty(key); if (MiscUtil.isNotEmpty(value)) - return Boolean.valueOf(value); + return Boolean.valueOf(value.trim()); return defaultValue; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index 585aac805..7f6f9b88c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -51,6 +51,7 @@ import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.auth.IDestroyableObject; import at.gv.egovernment.moa.id.auth.IGarbageCollectorProcessing; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; @@ -491,7 +492,10 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider private PVPMetadataFilterChain buildMetadataFilterChain(IOAAuthParameters oaParam, String metadataURL, byte[] certificate) throws CertificateException, ConfigurationException { PVPMetadataFilterChain filterChain = new PVPMetadataFilterChain(metadataURL, certificate); filterChain.getFilters().add(new SchemaValidationFilter()); - filterChain.getFilters().add(new PVPEntityCategoryFilter()); + filterChain.getFilters().add( + new PVPEntityCategoryFilter(authConfig.getBasicMOAIDConfigurationBoolean( + AuthConfiguration.PROP_KEY_PROTOCOL_PVP_METADATA_ENTITYCATEGORY_RESOLVER, + false))); if (oaParam.isInderfederationIDP()) { Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java index 95d30db49..ed96f1962 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/PVPEntityCategoryFilter.java @@ -54,6 +54,17 @@ import at.gv.egovernment.moaspss.logging.Logger; public class PVPEntityCategoryFilter implements MetadataFilter { + private boolean isUsed = false; + + /** + * Filter to map PVP EntityCategories into a set of single PVP attributes + * + * @param isUsed if true PVP EntityCategories are mapped, otherwise they are ignored + * + */ + public PVPEntityCategoryFilter(boolean isUsed) { + this.isUsed = isUsed; + } /* (non-Javadoc) @@ -61,31 +72,38 @@ public class PVPEntityCategoryFilter implements MetadataFilter { */ @Override public void doFilter(XMLObject metadata) throws FilterException { - String entityId = null; - try { - if (metadata instanceof EntitiesDescriptor) { - Logger.trace("Find EnitiesDescriptor ... "); - EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata; - if (entitiesDesc.getEntityDescriptors() != null) { - for (EntityDescriptor el : entitiesDesc.getEntityDescriptors()) - resolveEntityCategoriesToAttributes(el); + + if (isUsed) { + Logger.trace("Map PVP EntityCategory to single PVP Attributes ... "); + String entityId = null; + try { + if (metadata instanceof EntitiesDescriptor) { + Logger.trace("Find EnitiesDescriptor ... "); + EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata; + if (entitiesDesc.getEntityDescriptors() != null) { + for (EntityDescriptor el : entitiesDesc.getEntityDescriptors()) + resolveEntityCategoriesToAttributes(el); + + } + + } else if (metadata instanceof EntityDescriptor) { + Logger.trace("Find EntityDescriptor"); + resolveEntityCategoriesToAttributes((EntityDescriptor)metadata); - } - - } else if (metadata instanceof EntityDescriptor) { - Logger.trace("Find EntityDescriptor"); - resolveEntityCategoriesToAttributes((EntityDescriptor)metadata); + + } else + throw new MOAIDException("Invalid Metadata file Root element is no Entities- or EntityDescriptor", null); - } else - throw new MOAIDException("Invalid Metadata file Root element is no Entities- or EntityDescriptor", null); - - - - } catch (Exception e) { - Logger.warn("SAML2 Metadata processing FAILED: Can not resolve EntityCategories for metadata: " + entityId, e); + + } catch (Exception e) { + Logger.warn("SAML2 Metadata processing FAILED: Can not resolve EntityCategories for metadata: " + entityId, e); + + } - } + } else + Logger.trace("Filter to map PVP EntityCategory to single PVP Attributes is deactivated"); + } private void resolveEntityCategoriesToAttributes(EntityDescriptor metadata) { diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java index 07b07d980..4dda4c736 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java @@ -13,6 +13,7 @@ public interface AuthConfiguration extends ConfigurationProvider{ public static final String PROP_KEY_SSL_HOSTNAME_VALIDATION = "configuration.ssl.validation.hostname"; public static final String PROP_KEY_OVS_SSL_HOSTNAME_VALIDATION = "service.onlinemandates.ssl.validation.hostname"; + public static final String PROP_KEY_PROTOCOL_PVP_METADATA_ENTITYCATEGORY_RESOLVER = "protocols.pvp2.metadata.entitycategories.active"; public static final String DEFAULT_X509_CHAININGMODE = "pkix"; -- cgit v1.2.3