From 1cf340e047d2d701d9bfe442f291231ec477d2f4 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Thu, 17 May 2018 17:13:03 +0200
Subject: fix some more bugs in SAML2 ATTRIBUTEQUERRY implementation for
 federated authentication

---
 .../moa/id/auth/builder/AuthenticationDataBuilder.java   |  6 +++---
 .../moa/id/protocols/pvp2x/AttributQueryAction.java      |  6 +++++-
 .../moa/id/protocols/pvp2x/PVP2XProtocol.java            |  2 +-
 .../id/protocols/pvp2x/builder/AttributQueryBuilder.java |  8 ++------
 .../moa/id/protocols/pvp2x/config/PVPConfiguration.java  |  4 ----
 .../pvp2x/utils/AssertionAttributeExtractor.java         | 16 +++++++++++-----
 6 files changed, 22 insertions(+), 20 deletions(-)

(limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index cc716f9f8..b93de5119 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -189,7 +189,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
 	 * @throws MOAIDException
 	 */
 	public AssertionAttributeExtractor getAuthDataFromAttributeQuery(List<Attribute> reqQueryAttr,
-			String userNameID, IOAAuthParameters idpConfig ) throws MOAIDException{
+			String userNameID, IOAAuthParameters idpConfig, String spEntityID) throws MOAIDException{
 		String idpEnityID = idpConfig.getPublicURLPrefix();
 		
 		try {		
@@ -203,7 +203,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
 			}
 				
 			//build attributQuery request
-			AttributeQuery query = attributQueryBuilder.buildAttributQueryRequest(userNameID, endpoint, reqQueryAttr);
+			AttributeQuery query = attributQueryBuilder.buildAttributQueryRequest(spEntityID, userNameID, endpoint, reqQueryAttr);
 			
 			//build SOAP request				
 			List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query);
@@ -362,7 +362,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants {
 			else {
 				String qaaLevel = session.getGenericDataFromSession(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME, String.class);
 				if (MiscUtil.isNotEmpty(qaaLevel)) {
-					Logger.debug("Find PVP-Attr: " + PVPConstants.EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME
+					Logger.debug("Find PVP-Attr '" + PVPConstants.EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME + "':" + qaaLevel
 							+ " --> Parse QAA-Level from that attribute.");
 						
 					if (qaaLevel.startsWith(PVPConstants.STORK_QAA_PREFIX)) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
index 72691a034..4ef9fa05e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java
@@ -235,8 +235,12 @@ public class AttributQueryAction implements IAction {
 				}	
 				
 				//validation complete --> start AttributeQuery Request
+				/*TODO:
+				 * 'pendingReq.getAuthURL() + "/sp/federated/metadata"' is implemented in federated_authentication module 
+				 *  but used in moa-id-lib. This should be refactored!!!  
+				 */
 				AssertionAttributeExtractor extractor = authDataBuilder.getAuthDataFromAttributeQuery(reqAttributes, 
-						nextIDPInformation.getUserNameID(), idp);
+						nextIDPInformation.getUserNameID(), idp, pendingReq.getAuthURL() + "/sp/federated/metadata");
 								
 				//mark attribute request as used
 				if (nextIDPInformation.isStoreSSOInformation()) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index 4369a469a..4b9b21093 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -634,7 +634,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController  {
 		
 		//validate destination
 		String destinaten = attrQuery.getDestination();
-		if (!PVPConfiguration.getInstance().getIDPAttributeQueryService(HTTPUtils.extractAuthURLFromRequest(request)).equals(destinaten)) {
+		if (!PVPConfiguration.getInstance().getIDPSSOSOAPService(HTTPUtils.extractAuthURLFromRequest(request)).equals(destinaten)) {
 			Logger.warn("AttributeQuery destination does not match IDP AttributeQueryService URL");
 			throw new AttributQueryException("AttributeQuery destination does not match IDP AttributeQueryService URL", null);
 			
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
index 4aa4f7419..f4cd7422c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java
@@ -101,7 +101,7 @@ public class AttributQueryBuilder {
 	}
 	
 	
-	public AttributeQuery buildAttributQueryRequest(String nameID, 
+	public AttributeQuery buildAttributQueryRequest(String spEntityID, String nameID, 
 			String endpoint, List<Attribute> requestedAttributes) throws AttributQueryException {
 		
 		
@@ -125,7 +125,7 @@ public class AttributQueryBuilder {
 			query.setIssueInstant(now);
 			
 			Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class);
-			nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath().get(0));
+			nissuer.setValue(spEntityID);
 			nissuer.setFormat(NameID.ENTITY);
 			query.setIssuer(nissuer);
 			
@@ -156,10 +156,6 @@ public class AttributQueryBuilder {
 			
 			return query;
 			
-		} catch (ConfigurationException e) {
-			Logger.error("Build AttributQuery Request FAILED.", e);
-			throw new AttributQueryException("Build AttributQuery Request FAILED.", null, e);
-			
 		} catch (CredentialsNotAvailableException e) {
 			Logger.error("Build AttributQuery Request FAILED.", e);
 			throw new AttributQueryException("Build AttributQuery Request FAILED.", null, e);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
index 480656e30..47c4b0736 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java
@@ -138,10 +138,6 @@ public class PVPConfiguration {
 	public String getIDPSSOSOAPService(String publicURLPrefix) throws ConfigurationException {
 		return publicURLPrefix + PVP2_IDP_SOAP;
 	}
-	
-	public String getIDPAttributeQueryService(String publicURLPrefix) throws ConfigurationException {
-		return publicURLPrefix + PVP2_IDP_ATTRIBUTEQUERY;
-	}
 		
 	public String getIDPSSOMetadataService(String publicURLPrefix) throws ConfigurationException {
 		return publicURLPrefix + PVP2_METADATA;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
index 106be8a09..9d585bc86 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
@@ -52,12 +52,17 @@ public class AssertionAttributeExtractor {
 	private Map<String, List<String>> attributs = new HashMap<String, List<String>>();
 	//private PersonalAttributeList storkAttributes = new PersonalAttributeList();
 		
-	private final List<String> minimalAttributeNameList = Arrays.asList(
+	private final List<String> minimalMDSAttributeNamesList = Arrays.asList(
 			PVPConstants.PRINCIPAL_NAME_NAME, 
 			PVPConstants.GIVEN_NAME_NAME,
-			PVPConstants.ENC_BPK_LIST_NAME,
+			PVPConstants.BIRTHDATE_NAME,
 			PVPConstants.BPK_NAME);
-		
+
+	private final List<String> minimalIDLAttributeNamesList = Arrays.asList(
+			PVPConstants.EID_IDENTITY_LINK_NAME,			
+			PVPConstants.EID_SOURCE_PIN_NAME,
+			PVPConstants.EID_SOURCE_PIN_TYPE_NAME);
+	
 	/**
 	 * Parse the SAML2 Response element and extracts included information
 	 * <br><br>
@@ -132,7 +137,8 @@ public class AssertionAttributeExtractor {
 	 * @return
 	 */
 	public boolean containsAllRequiredAttributes() {
-		return containsAllRequiredAttributes(minimalAttributeNameList);
+		return containsAllRequiredAttributes(minimalMDSAttributeNamesList) 
+				|| containsAllRequiredAttributes(minimalIDLAttributeNamesList);
 		
 	}
 	
@@ -161,7 +167,7 @@ public class AssertionAttributeExtractor {
 			return flag;
 		
 		else {			
-			Logger.debug("Assertion contains no bPK or encryptedbPK.");
+			Logger.debug("Assertion contains no all minimum attributes from: " + attributeNameList.toString());
 			return false;
 			
 		}		
-- 
cgit v1.2.3