From 26822fcf41e37e0fedca87489b60304496c9d0f0 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Wed, 7 May 2014 16:28:22 +0200
Subject: check SAML2 metadata URL against publicService flag

---
 .../configuration/data/oa/OAMOAIDPInterfederationConfig.java | 12 +-----------
 .../struts/action/InterfederationIDPAction.java              | 12 ++++++++++++
 .../configuration/validation/oa/OAPVP2ConfigValidation.java  | 12 ++++++++++--
 .../src/main/resources/applicationResources_de.properties    |  3 ++-
 .../src/main/resources/applicationResources_en.properties    |  3 ++-
 5 files changed, 27 insertions(+), 15 deletions(-)

(limited to 'id/ConfigWebTool/src')

diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAMOAIDPInterfederationConfig.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAMOAIDPInterfederationConfig.java
index 7dad12477..5db9029bd 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAMOAIDPInterfederationConfig.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAMOAIDPInterfederationConfig.java
@@ -114,17 +114,7 @@ public class OAMOAIDPInterfederationConfig implements IOnlineApplicationData {
 				log.info("AttributeQuery URL is not valid");
 				errors.add(LanguageHelper.getErrorString("validation.interfederation.moaidp.queryurl.valid", request));
 				
-			}
-			
-			boolean publicServiceAllowed = ValidationHelper.isPublicServiceAllowed(queryURL);
-			if (!publicServiceAllowed && !general.isBusinessService()) {
-				log.info("AttributQuery Service URL " + queryURL + " does not allow PublicService.");
-				errors.add(LanguageHelper.getErrorString("validation.interfederation.moaidp.queryurl.publicservice", 
-						new Object[] {queryURL}, request ));
-				general.setBusinessService(true);
-				
-			}
-			
+			}			
 		}
 		
 		if (inboundSSO && MiscUtil.isEmpty(queryURL)) {
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/InterfederationIDPAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/InterfederationIDPAction.java
index 4c0830ae9..7a05d6497 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/InterfederationIDPAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/InterfederationIDPAction.java
@@ -34,6 +34,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.AttributeProviderPlugin;
 import at.gv.egovernment.moa.id.commons.db.dao.config.MOAIDConfiguration;
 import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication;
 import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase;
+import at.gv.egovernment.moa.id.commons.validation.ValidationHelper;
 import at.gv.egovernment.moa.id.configuration.Constants;
 import at.gv.egovernment.moa.id.configuration.data.FormularCustomization;
 import at.gv.egovernment.moa.id.configuration.data.OAListElement;
@@ -219,6 +220,17 @@ public class InterfederationIDPAction extends BasicOAAction {
 	        for (IOnlineApplicationData form : formList.values())
 	        	errors.addAll(form.validate(getGeneralOA(), authUser, request));
 	        
+	        
+			boolean publicServiceAllowed = ValidationHelper.isPublicServiceAllowed(getPvp2OA().getMetaDataURL());
+			if (!publicServiceAllowed && !getGeneralOA().isBusinessService()) {
+				log.info("Metadata URL " + getPvp2OA().getMetaDataURL() + " does not allow PublicService.");
+				errors.add(LanguageHelper.getErrorString("validation.interfederation.moaidp.metadataurl.publicservice", 
+						new Object[] {getPvp2OA().getMetaDataURL()}, request ));
+				getGeneralOA().setBusinessService(true);
+				
+			}
+	        
+	        
 	        if (errors.size() > 0) {
 	            log.info("IDP-Configuration with ID " + getGeneralOA().getIdentifier() + " has some errors.");
 	            for (String el : errors)
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
index 98d500526..62fc83ab9 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAPVP2ConfigValidation.java
@@ -30,6 +30,7 @@ import java.util.ArrayList;
 import java.util.List;
 import java.util.Timer;
 
+import javax.net.ssl.SSLHandshakeException;
 import javax.servlet.http.HttpServletRequest;
 
 import org.apache.commons.httpclient.MOAHttpClient;
@@ -142,8 +143,15 @@ public class OAPVP2ConfigValidation {
 			errors.add(LanguageHelper.getErrorString("validation.pvp2.metadataurl.read", request));
 			
 		} catch (MetadataProviderException e) {
-			log.info("MetaDate verification failed");
-			errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify", request));
+			
+			if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) {
+				log.info("SSL Server certificate not trusted.", e);
+				errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.ssl", request));
+				
+			} else {			
+				log.info("MetaDate verification failed", e);
+				errors.add(LanguageHelper.getErrorString("validation.pvp2.metadata.verify", request));
+			}
 			
 		} finally {			
 			if (httpProvider != null)
diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
index 8e58f4f1d..acadde847 100644
--- a/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
+++ b/id/ConfigWebTool/src/main/resources/applicationResources_de.properties
@@ -458,13 +458,14 @@ validation.pvp2.metadataurl.read=Unter der angegebenen Metadaten URL konnten kei
 validation.pvp2.metadata.verify=Die Metadaten konnten nicht mit dem angegebenen Zertifikat verifziert werden.
 validation.pvp2.certificate.format=Das angegebene PVP2 Zertifikat wei\u00DFt kein g\u00FCltiges Format auf. 
 validation.pvp2.certificate.notfound=Kein PVP2 Zertifikat eingef\u00FCgt.
+validation.pvp2.metadata.ssl=Das SSL Serverzertifikat des Metadaten Service ist nicht vertrauensw\u00FCrdig.
 
 validation.sso.logouturl.empty=Eine URL zum Single Log-Out Service ist erforderlich.
 validation.sso.logouturl.valid=Die URL zum Single Log-Out Service wei\u00DFt kein g\u00FCltiges Format auf.
 
 validation.interfederation.moaidp.queryurl.valid=Die URL zum zum AttributQuery Service wei\u00DFt kein g\u00FCltiges Format auf.
 validation.interfederation.moaidp.queryurl.empty=Die URL zum zum AttributQuery Service muss f\u00FCr eingehende Single Sign-On Interfederation konfiguriert werden. 
-validation.interfederation.moaidp.queryurl.publicservice=Die Domain des AttributQuery Services f\u00FCr diesen IDP erlaubt nur Applikationen aus dem privatwirtschaftlichen Bereich.
+validation.interfederation.moaidp.metadataurl.publicservice=Die Domain des Metadaten Services f\u00FCr diesen IDP erlaubt nur Applikationen aus dem privatwirtschaftlichen Bereich.
 
 validation.saml1.providestammzahl=ProvideStammZahl kann nicht mit Applikationen aus dem privatwirtschaftlichen Bereich kombiniert werden.
 
diff --git a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
index e15f44d87..2871c24e4 100644
--- a/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
+++ b/id/ConfigWebTool/src/main/resources/applicationResources_en.properties
@@ -456,13 +456,14 @@ validation.pvp2.metadataurl.read=No information could be found under provided UR
 validation.pvp2.metadata.verify=The metadata could not be verified with the provided certificate.
 validation.pvp2.certificate.format=The provided PVP2 certificate has invalid format.
 validation.pvp2.certificate.notfound=There is no PVP2 inserted.
+validation.pvp2.metadata.ssl=The SSL server certificate is not trusted.
 
 validation.sso.logouturl.empty=URL for Single Log-Out Service is necessary.
 validation.sso.logouturl.valid=URL for Single Log-Out Service has incorrect format.
 
 validation.interfederation.moaidp.queryurl.valid=URL for AttributQuery Service has incorrect format.
 validation.interfederation.moaidp.queryurl.empty=URL for AttributQuery Service is necessary for inbound Single Sign-On interfederation.
-validation.interfederation.moaidp.queryurl.publicservice=The domain of AttributQuery service for that IDP permits private sector only.
+validation.interfederation.moaidp.metadataurl.publicservice=The domain of Metadata service for that IDP permits private sector only.
 
 validation.saml1.providestammzahl=ProvideSourcePIN cannot be combined with applications from private sector.
 
-- 
cgit v1.2.3