From 31d5edb552ba03ce474f050bf2e69316af1ee623 Mon Sep 17 00:00:00 2001 From: Florian Reimair Date: Tue, 12 Jan 2016 15:34:46 +0100 Subject: use general config eidas (in progress) --- .../java/at/gv/egovernment/moa/logging/Logger.java | 22 +++++++++ .../eidas/tasks/GenerateAuthnRequestTask.java | 54 ++++++++++++++-------- 2 files changed, 56 insertions(+), 20 deletions(-) diff --git a/common/src/main/java/at/gv/egovernment/moa/logging/Logger.java b/common/src/main/java/at/gv/egovernment/moa/logging/Logger.java index 7cb2e7daf..3730b36ce 100644 --- a/common/src/main/java/at/gv/egovernment/moa/logging/Logger.java +++ b/common/src/main/java/at/gv/egovernment/moa/logging/Logger.java @@ -167,6 +167,17 @@ public class Logger { logger.info(prepareMessage(message)); } + /** + * Info. + * + * @param string the string + * @param args the objects + */ + public static void info(String message, Object[] args) { + org.slf4j.Logger logger = getLogger(); + logger.info(prepareMessage(message), args); + } + /** * Log a warning message. * @@ -209,6 +220,17 @@ public class Logger { logger.error(prepareMessage(message), t); } + /** + * Log an error message with additional information. + * + * @param message The message to log. + * @param variables The values to substitute {} of the logmessage with. + */ + public static void error(Object message, Object[] variables) { + org.slf4j.Logger logger = getLogger(); + logger.error(prepareMessage(message), variables); + } + /** * Log a fatal error message. * diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java index 9ae61edd9..9b289a435 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java @@ -24,11 +24,11 @@ package at.gv.egovernment.moa.id.auth.modules.eidas.tasks; import java.io.IOException; import java.io.StringWriter; -import java.security.Security; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang3.StringUtils; import org.apache.velocity.Template; import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine; @@ -41,16 +41,21 @@ import eu.eidas.auth.commons.IPersonalAttributeList; import eu.eidas.auth.commons.PersonalAttribute; import eu.eidas.auth.commons.PersonalAttributeList; import eu.eidas.auth.engine.EIDASSAMLEngine; +import eu.eidas.auth.engine.core.eidas.SPType; import eu.eidas.engine.exceptions.EIDASSAMLEngineException; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException; import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.config.stork.CPEPS; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.moduls.RequestStorage; import at.gv.egovernment.moa.id.process.api.ExecutionContext; @@ -79,19 +84,36 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { //load pending request IRequest pendingReq = RequestStorage.getPendingRequest(pendingRequestID); if (pendingReq == null) { - Logger.info("No PendingRequest with Id: " + pendingRequestID + " Maybe, a transaction timeout occure."); + Logger.info("No PendingRequest with Id: '{}' Maybe, a transaction timeout occure.", new Object[] {pendingRequestID}); throw new MOAIDException("auth.28", new Object[]{pendingRequestID}); } - - //load MOASession object and OA-configuration + + //load MOASession object, configuration and OA-configuration AuthenticationSession moasession = AuthenticationSessionStoreage.getSession(moasessionid); IOAAuthParameters oaConfig = pendingReq.getOnlineApplicationConfiguration(); + AuthConfiguration moaconfig = AuthConfigurationProviderFactory.getInstance(); - EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(); + // get target country + String citizenCountryCode = (String) executionContext.get(MOAIDAuthConstants.PARAM_CCC); + + if (StringUtils.isEmpty(citizenCountryCode)) { + // illegal state; task should not have been executed without a selected country + throw new AuthenticationException("stork.22", new Object[] { moasessionid }); + } + + CPEPS cpeps = moaconfig.getStorkConfig().getCPEPS(citizenCountryCode); + if(null == cpeps) { + Logger.error("PEPS unknown for country", new Object[] {citizenCountryCode}); + throw new AuthenticationException("Unknown PEPS for citizen country '{}'", new Object[] {citizenCountryCode}); + } + Logger.debug("Found C-PEPS configuration for citizen of country: " + citizenCountryCode); + String destination = cpeps.getPepsURL().toString().split(";")[1].trim(); // FIXME convenience for metadata url and assertion destination + String metadataUrl = cpeps.getPepsURL().toString().split(";")[0].trim(); + EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(); IPersonalAttributeList pAttList = new PersonalAttributeList(); - + //create template requested attribute //TODO: load required attributes from OA configuration PersonalAttribute attr = new PersonalAttribute(); @@ -112,23 +134,15 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { //build eIDAS AuthnRequest EIDASAuthnRequest authnRequest = new EIDASAuthnRequest(); - String assertionConsumerURL="https://demo.a-sit.at/EidasNode/ColleagueRequest"; -// authnRequest.setAssertionConsumerServiceURL(assertionConsumerURL); - String providerName = "sp3fr-moa"; - authnRequest.setProviderName(providerName); -// int qaaLevel = 1; -// authnRequest.setQaa(qaaLevel); // not needed anymore. furthermore this may make the node think the request at hand is a stork request and we do not want that. + authnRequest.setProviderName(moaconfig.getPublicURLPrefix()); authnRequest.setPersonalAttributeList(pAttList); - String issuer = "http://localhost:12343/moa-id-auth/eidas/metadata"; - authnRequest.setIssuer(issuer); - authnRequest.setDestination(assertionConsumerURL); + authnRequest.setIssuer(moaconfig.getPublicURLPrefix() + "/eidas/metadata"); + authnRequest.setDestination(destination); authnRequest.setEidasNameidFormat(EIDASAuthnRequest.NAMEID_FORMAT_UNSPECIFIED); authnRequest.setEidasLoA(EidasLoaLevels.LOW.stringValue()); authnRequest.setEidasLoACompareType(EidasLoaCompareType.MINIMUM.stringValue()); - authnRequest.setAlias(providerName); + authnRequest.setSPType(SPType.DEFAULT_VALUE); - authnRequest.setSPType("public"); - engine.initRequestedAttributes(pAttList); authnRequest = engine.generateEIDASAuthnRequest(authnRequest); @@ -149,8 +163,8 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { context.put("RelayState", moasessionid); - Logger.debug("Using assertion consumer url as action: " + assertionConsumerURL); - context.put("action", assertionConsumerURL); + Logger.debug("Using assertion consumer url as action: " + destination); + context.put("action", destination); Logger.debug("Starting template merge"); StringWriter writer = new StringWriter(); -- cgit v1.2.3 From 1092129203ea1f5c17ae8a10ec43f7907140759c Mon Sep 17 00:00:00 2001 From: Florian Reimair Date: Tue, 12 Jan 2016 15:35:50 +0100 Subject: fixed bug of missing citizen country code for stork module --- .../id/auth/modules/stork/tasks/CreateStorkAuthRequestFormTask.java | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/CreateStorkAuthRequestFormTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/CreateStorkAuthRequestFormTask.java index ef61739f8..e19947313 100644 --- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/CreateStorkAuthRequestFormTask.java +++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/CreateStorkAuthRequestFormTask.java @@ -41,9 +41,10 @@ import eu.stork.peps.auth.commons.PersonalAttribute; import eu.stork.peps.auth.commons.PersonalAttributeList; import eu.stork.peps.auth.commons.STORKAuthnRequest; import eu.stork.peps.auth.engine.STORKSAMLEngine; +import eu.stork.peps.auth.engine.core.CitizenCountryCode; import eu.stork.peps.exceptions.STORKSAMLEngineException; - import at.gv.egovernment.moa.id.auth.BaseAuthenticationServer; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.builder.CreateXMLSignatureRequestBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; @@ -126,6 +127,9 @@ public class CreateStorkAuthRequestFormTask extends AbstractAuthServletTask { AuthenticationSession moasession = BaseAuthenticationServer.getSession(sessionID); IRequest pendingReq = RequestStorage.getPendingRequest(pendingRequestID); + // bugfix: the new task system fails to initialize the CCC - set it here + moasession.setCcc((String) executionContext.get(MOAIDAuthConstants.PARAM_CCC)); + if (StringUtils.isEmpty(moasession.getCcc())) { // illegal state; task should not have been executed without a selected country throw new AuthenticationException("stork.22", new Object[] { sessionID }); -- cgit v1.2.3 From 29f01a4975f637c26fbcd0b43a9c844d7d3d2e54 Mon Sep 17 00:00:00 2001 From: Florian Reimair Date: Tue, 12 Jan 2016 15:57:30 +0100 Subject: fetch requested attributes from configuration --- .../validation/moaconfig/StorkConfigValidator.java | 5 +-- .../task/impl/GeneralSTORKConfigurationTask.java | 3 +- .../eidas/tasks/GenerateAuthnRequestTask.java | 42 ++++++++++++---------- 3 files changed, 29 insertions(+), 21 deletions(-) diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java index b69d37d57..b73859d81 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java @@ -90,12 +90,13 @@ public class StorkConfigValidator { // check attributes if (MiscUtil.isNotEmpty(form.getAttributes())) { for(StorkAttribute check : form.getAttributes()) { - if (ValidationHelper.containsPotentialCSSCharacter(check.getName(), true)) { + String tmp = check.getName().replace("eidas/attributes/", ""); // since eIDaS attributes come with a "/", we need to exclude them from validation. TODO Or should we require the admin to escape them in the UI? + if (ValidationHelper.containsPotentialCSSCharacter(tmp, true)) { log.warn("default attributes contains potentail XSS characters: " + check); errors.add(LanguageHelper.getErrorString("validation.stork.requestedattributes", new Object[] {ValidationHelper.getPotentialCSSCharacter(true)}, request )); } - if(!check.getName().toLowerCase().matches("^[a-z0-9]*$")) { + if(!tmp.toLowerCase().matches("^[A-Za-z]*$")) { log.warn("default attributes do not match the requested format : " + check); errors.add(LanguageHelper.getErrorString("validation.stork.requestedattributes", new Object[] {check}, request )); diff --git a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java index c6086583a..1747e2207 100644 --- a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java +++ b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java @@ -210,6 +210,7 @@ public static final List KEYWHITELIST; for(String key : attributeList.keySet()) { if (key.endsWith(MOAIDConfigurationConstants.GENERAL_AUTH_STORK_ATTRIBUTES_LIST_NAME)) { String value = attributeList.get(key); + value = value.replace("eidas/attributes/", ""); // since eIDaS attributes come with a "/", we need to exclude them from validation. TODO Or should we require the admin to escape them in the UI? if (!validatedAttributes.contains(value)) { if (ValidationHelper.containsPotentialCSSCharacter(value, true)) { log.warn("default attributes contains potentail XSS characters: " + value); @@ -219,7 +220,7 @@ public static final List KEYWHITELIST; LanguageHelper.getErrorString("validation.stork.requestedattributes", new Object[] {ValidationHelper.getPotentialCSSCharacter(true)}))); } - if(!value.toLowerCase().matches("^[a-z0-9]*$")) { + if(!value.toLowerCase().matches("^[A-Za-z]*$")) { log.warn("default attributes do not match the requested format : " + value); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.GENERAL_AUTH_STORK_QAA, diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java index 9b289a435..57588287d 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java @@ -24,10 +24,12 @@ package at.gv.egovernment.moa.id.auth.modules.eidas.tasks; import java.io.IOException; import java.io.StringWriter; +import java.util.Collection; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang3.BooleanUtils; import org.apache.commons.lang3.StringUtils; import org.apache.velocity.Template; import org.apache.velocity.VelocityContext; @@ -56,6 +58,7 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.config.stork.CPEPS; +import at.gv.egovernment.moa.id.config.stork.StorkAttribute; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.moduls.RequestStorage; import at.gv.egovernment.moa.id.process.api.ExecutionContext; @@ -111,27 +114,30 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask { String destination = cpeps.getPepsURL().toString().split(";")[1].trim(); // FIXME convenience for metadata url and assertion destination String metadataUrl = cpeps.getPepsURL().toString().split(";")[0].trim(); - EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(); + // assemble requested attributes + Collection attributesFromConfig = oaConfig.getRequestedSTORKAttributes(); + + // - prepare attribute list IPersonalAttributeList pAttList = new PersonalAttributeList(); - //create template requested attribute - //TODO: load required attributes from OA configuration - PersonalAttribute attr = new PersonalAttribute(); - attr.setName("eidas/attributes/CurrentFamilyName"); - pAttList.add(attr); + // - fill container + for (StorkAttribute current : attributesFromConfig) { + PersonalAttribute newAttribute = new PersonalAttribute(); + newAttribute.setName(current.getName()); + + boolean globallyMandatory = false; + for (StorkAttribute currentGlobalAttribute : moaconfig.getStorkConfig().getStorkAttributes()) + if (current.getName().equals(currentGlobalAttribute.getName())) { + globallyMandatory = BooleanUtils.isTrue(currentGlobalAttribute.getMandatory()); + break; + } + + newAttribute.setIsRequired(current.getMandatory() || globallyMandatory); + pAttList.add(newAttribute); + } + + EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(); - PersonalAttribute attr1 = new PersonalAttribute(); - attr1.setName("eidas/attributes/CurrentGivenName"); - pAttList.add(attr1); - - PersonalAttribute attr2 = new PersonalAttribute(); - attr2.setName("eidas/attributes/DateOfBirth"); - pAttList.add(attr2); - - PersonalAttribute attr3 = new PersonalAttribute(); - attr3.setName("eidas/attributes/PersonIdentifier"); - pAttList.add(attr3); - //build eIDAS AuthnRequest EIDASAuthnRequest authnRequest = new EIDASAuthnRequest(); authnRequest.setProviderName(moaconfig.getPublicURLPrefix()); -- cgit v1.2.3