From c4633dffe99d4cc41e25fe165b6b8b5013ea34bd Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Fri, 28 Aug 2020 07:34:55 +0200
Subject: fix wrong SAML2 SubjectNameGeneration in case of mandate-attribute processing in proxy-mode
---
 .../auth/builder/MOAIDSubjectNameIdGenerator.java | 128 +++++++++++++--------
 1 file changed, 79 insertions(+), 49 deletions(-)
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java
index 3dfba9cca..6864d4ec3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java
@@ -1,6 +1,5 @@
 package at.gv.egovernment.moa.id.auth.builder;
-import org.apache.commons.lang3.StringUtils;
 import org.springframework.stereotype.Service;
 import org.w3c.dom.Element;
@@ -18,9 +17,11 @@ import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception;
 import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator;
 import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException;
 import at.gv.egovernment.moa.id.data.IMOAAuthData;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.MandateAttributesNotHandleAbleException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException;
 import at.gv.egovernment.moa.id.util.MandateBuilder;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.sig.tsl.utils.MiscUtil;
 import at.gv.egovernment.moa.util.Constants;
 @Service("MOASAML2SubjectNameIDGenerator")
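Review bot: `MiscUtil` is imported from `at.gv.egovernment.moa.sig.tsl.utils`, a signature/trust-status-list package, solely for the `isNotEmpty` checks used later in this file, while the removed `org.apache.commons.lang3.StringUtils` already offers `isNotEmpty` and `isEmpty`. Keeping the lang3 import would avoid introducing a dependency from the auth builder on the TSL module for a string helper. If `MiscUtil` is the project-wide preference, a one-line comment at the import saying so would help the next reader understand the choice.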
@@ -31,8 +32,8 @@ public class MOAIDSubjectNameIdGenerator implements ISubjectNameIdGenerator {
 //build nameID and nameID Format from moasessio
 if (authData instanceof IMOAAuthData && ((IMOAAuthData)authData).isUseMandate()) {
- String bpktype = null;
- String bpk = null;
+ String identifier = null;
+ String identifierType = null;
 Element mandate = ((IMOAAuthData)authData).getMandate();
 if(mandate != null) {
@@ -56,59 +57,88 @@ public class MOAIDSubjectNameIdGenerator implements ISubjectNameIdGenerator {
 Logger.error("Failed to generate IdentificationType");
 throw new NoMandateDataAvailableException();
 }
-
- bpktype = id.getType();
- bpk = id.getValue().getValue();
-
+
+ identifier = id.getValue().getValue();
+ identifierType = id.getType();
+
 } else {
 Logger.debug("Read mandator bPK|baseID from PVP attributes ... ");
- bpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME, String.class);
- bpktype = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME, String.class);
-
- if (StringUtils.isEmpty(bpk)) {
- //no sourcePin is included --> search for bPK
- bpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_BPK_NAME, String.class);
-
- try {
- if (bpk.contains(":"))
- bpk = bpk.split(":")[1];
-
- } catch (Exception e) {
- Logger.warn("Can not split bPK from mandator attribute!", e);
-
- }
-
- //set bPK-Type from configuration, because it MUST be equal to service-provider type
- bpktype = spConfig.getAreaSpecificTargetIdentifier();
-
- } else {
- //sourcePin is include --> check sourcePinType
- if (StringUtils.isEmpty(bpktype))
- bpktype = Constants.URN_PREFIX_BASEID;
-
- }
- }
-
- if (StringUtils.isEmpty(bpk) || StringUtils.isEmpty(bpktype)) {
- throw new NoMandateDataAvailableException();
+ String natSourcePin = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME, String.class);
+ String natSourcePinType = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME, String.class);
+ String natBpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_BPK_NAME, String.class);
- }
-
- if (bpktype.equals(Constants.URN_PREFIX_BASEID)) {
- try {
- return new BPKBuilder().generateAreaSpecificPersonIdentifier(bpk, spConfig.getAreaSpecificTargetIdentifier());
+ String jurSourcePin = authData.getGenericData(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME, String.class);
+ String jurSourcePinType = authData.getGenericData(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, String.class);
+
+ if ( (MiscUtil.isNotEmpty(jurSourcePin) || MiscUtil.isNotEmpty(jurSourcePinType))
+ && (MiscUtil.isNotEmpty(natSourcePin) || MiscUtil.isNotEmpty(natBpk))) {
+ Logger.warn("Found mandate attributes for legal- AND natural-person. " + "Both not allowed during on authentication. Process stops now!");
+ throw new MandateAttributesNotHandleAbleException();
+
+ }
+
+ if (MiscUtil.isNotEmpty(jurSourcePin) && MiscUtil.isNotEmpty(jurSourcePinType)) {
+ Logger.debug("Find jur. person sourcepin. Build SubjectNameId from this ... ");
+ return Pair.newInstance(jurSourcePin, jurSourcePinType);
+
+
+ } else if (MiscUtil.isNotEmpty(natSourcePin)) {
+ Logger.debug("Find nat. person sourcepin. Build SubjectNameId from this ... ");
+ identifier = natSourcePin;
+
+ if (MiscUtil.isNotEmpty(natSourcePinType)) {
+ identifierType = natSourcePinType;
+
+ } else {
+ identifierType = Constants.URN_PREFIX_BASEID;
+
+ }
+
+ } else if (MiscUtil.isNotEmpty(natBpk)) {
+ Logger.debug("Find nat. person bPK. Build SubjectNameId from this ... ");
+ try {
+ if (natBpk.contains(":")) {
+ natBpk = natBpk.split(":")[1];
+
+ }
+
+ } catch (Exception e) {
+ Logger.warn("Can not split bPK from mandator attribute!", e);
+ Logger.info("Use nat. person bPK as it is");
+
+ }
+
+ return Pair.newInstance(natBpk,
+ spConfig.getAreaSpecificTargetIdentifier());
+
+ } else {
+ throw new NoMandateDataAvailableException();
+
+ }
+ }
+
+ if (identifierType.equals(Constants.URN_PREFIX_BASEID)) {
+ try {
+ return BPKBuilder.generateAreaSpecificPersonIdentifier(
+ identifier, spConfig.getAreaSpecificTargetIdentifier());
- } catch (EAAFBuilderException e) {
- Logger.warn("Can NOT generate SubjectNameId." , e);
- throw new ResponderErrorException("pvp2.01", null);
+ } catch (EAAFBuilderException e) {
+ Logger.warn("Can NOT generate SubjectNameId." , e);
+ throw new ResponderErrorException("pvp2.01", null);
- }
+ }
- } else
- return Pair.newInstance(bpk, bpktype);
-
- } else
+ } else {
+ return Pair.newInstance(identifier, identifierType);
+
+ }
+
+ //no mandate available. Use bPK from authenticated entity
+ } else {
 return Pair.newInstance(authData.getBPK(), authData.getBPKType());
+
+ }
 }
-- cgit v1.2.3
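Review bot: The guard `if (StringUtils.isEmpty(bpk) || StringUtils.isEmpty(bpktype)) { throw new NoMandateDataAvailableException(); }` is removed without a replacement on the mandate-Element path, so when `id.getType()` or `id.getValue().getValue()` is null or empty the new code either dereferences null at `identifierType.equals(Constants.URN_PREFIX_BASEID)` or issues a SubjectNameID with an empty identifier; re-adding `if (!MiscUtil.isNotEmpty(identifier) || !MiscUtil.isNotEmpty(identifierType)) { throw new NoMandateDataAvailableException(); }` directly before that comparison (and writing the comparison as `Constants.URN_PREFIX_BASEID.equals(identifierType)`) restores the previous behaviour. In the `natBpk` branch the text before the first `:` is discarded and the type is taken from `spConfig.getAreaSpecificTargetIdentifier()`; if that prefix denotes the sector of the mandator bPK received from the upstream IdP, comparing it with the configured target before discarding it would reject a mismatched bPK instead of relabelling it with the service provider's sector. The `catch (Exception e)` in that branch also swallows the `ArrayIndexOutOfBoundsException` that `natBpk.split(":")[1]` raises for a value ending in `:`, after which the unsplit value is returned as the NameID; catching the specific exception and failing with `NoMandateDataAvailableException` would be the safer default. The enclosing method begins before this hunk.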