From c4633dffe99d4cc41e25fe165b6b8b5013ea34bd Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 28 Aug 2020 07:34:55 +0200 Subject: fix wrong SAML2 SubjectNameGeneration in case of mandate-attribute processing in proxy-mode --- .../auth/builder/MOAIDSubjectNameIdGenerator.java | 128 +++++++++++++-------- 1 file changed, 79 insertions(+), 49 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java index 3dfba9cca..6864d4ec3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java @@ -1,6 +1,5 @@ package at.gv.egovernment.moa.id.auth.builder; -import org.apache.commons.lang3.StringUtils; import org.springframework.stereotype.Service; import org.w3c.dom.Element; @@ -18,9 +17,11 @@ import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception; import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator; import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException; import at.gv.egovernment.moa.id.data.IMOAAuthData; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.MandateAttributesNotHandleAbleException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.sig.tsl.utils.MiscUtil; import at.gv.egovernment.moa.util.Constants; @Service("MOASAML2SubjectNameIDGenerator") @@ -31,8 +32,8 @@ public class MOAIDSubjectNameIdGenerator implements ISubjectNameIdGenerator { //build nameID and nameID Format from moasessio if (authData instanceof IMOAAuthData && ((IMOAAuthData)authData).isUseMandate()) { - String bpktype = null; - String bpk = null; + String identifier = null; + String identifierType = null; Element mandate = ((IMOAAuthData)authData).getMandate(); if(mandate != null) { @@ -56,59 +57,88 @@ public class MOAIDSubjectNameIdGenerator implements ISubjectNameIdGenerator { Logger.error("Failed to generate IdentificationType"); throw new NoMandateDataAvailableException(); } - - bpktype = id.getType(); - bpk = id.getValue().getValue(); - + + identifier = id.getValue().getValue(); + identifierType = id.getType(); + } else { Logger.debug("Read mandator bPK|baseID from PVP attributes ... "); - bpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME, String.class); - bpktype = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME, String.class); - - if (StringUtils.isEmpty(bpk)) { - //no sourcePin is included --> search for bPK - bpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_BPK_NAME, String.class); - - try { - if (bpk.contains(":")) - bpk = bpk.split(":")[1]; - - } catch (Exception e) { - Logger.warn("Can not split bPK from mandator attribute!", e); - - } - - //set bPK-Type from configuration, because it MUST be equal to service-provider type - bpktype = spConfig.getAreaSpecificTargetIdentifier(); - - } else { - //sourcePin is include --> check sourcePinType - if (StringUtils.isEmpty(bpktype)) - bpktype = Constants.URN_PREFIX_BASEID; - - } - } - - if (StringUtils.isEmpty(bpk) || StringUtils.isEmpty(bpktype)) { - throw new NoMandateDataAvailableException(); + String natSourcePin = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME, String.class); + String natSourcePinType = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME, String.class); + String natBpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_BPK_NAME, String.class); - } - - if (bpktype.equals(Constants.URN_PREFIX_BASEID)) { - try { - return new BPKBuilder().generateAreaSpecificPersonIdentifier(bpk, spConfig.getAreaSpecificTargetIdentifier()); + String jurSourcePin = authData.getGenericData(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME, String.class); + String jurSourcePinType = authData.getGenericData(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, String.class); + + if ( (MiscUtil.isNotEmpty(jurSourcePin) || MiscUtil.isNotEmpty(jurSourcePinType)) + && (MiscUtil.isNotEmpty(natSourcePin) || MiscUtil.isNotEmpty(natBpk))) { + Logger.warn("Found mandate attributes for legal- AND natural-person. " + + "Both not allowed during on authentication. Process stops now!"); + throw new MandateAttributesNotHandleAbleException(); + + } + + if (MiscUtil.isNotEmpty(jurSourcePin) && MiscUtil.isNotEmpty(jurSourcePinType)) { + Logger.debug("Find jur. person sourcepin. Build SubjectNameId from this ... "); + return Pair.newInstance(jurSourcePin, jurSourcePinType); + + + } else if (MiscUtil.isNotEmpty(natSourcePin)) { + Logger.debug("Find nat. person sourcepin. Build SubjectNameId from this ... "); + identifier = natSourcePin; + + if (MiscUtil.isNotEmpty(natSourcePinType)) { + identifierType = natSourcePinType; + + } else { + identifierType = Constants.URN_PREFIX_BASEID; + + } + + } else if (MiscUtil.isNotEmpty(natBpk)) { + Logger.debug("Find nat. person bPK. Build SubjectNameId from this ... "); + try { + if (natBpk.contains(":")) { + natBpk = natBpk.split(":")[1]; + + } + + } catch (Exception e) { + Logger.warn("Can not split bPK from mandator attribute!", e); + Logger.info("Use nat. person bPK as it is"); + + } + + return Pair.newInstance(natBpk, + spConfig.getAreaSpecificTargetIdentifier()); + + } else { + throw new NoMandateDataAvailableException(); + + } + } + + if (identifierType.equals(Constants.URN_PREFIX_BASEID)) { + try { + return BPKBuilder.generateAreaSpecificPersonIdentifier( + identifier, spConfig.getAreaSpecificTargetIdentifier()); - } catch (EAAFBuilderException e) { - Logger.warn("Can NOT generate SubjectNameId." , e); - throw new ResponderErrorException("pvp2.01", null); + } catch (EAAFBuilderException e) { + Logger.warn("Can NOT generate SubjectNameId." , e); + throw new ResponderErrorException("pvp2.01", null); - } + } - } else - return Pair.newInstance(bpk, bpktype); - - } else + } else { + return Pair.newInstance(identifier, identifierType); + + } + + //no mandate available. Use bPK from authenticated entity + } else { return Pair.newInstance(authData.getBPK(), authData.getBPKType()); + + } } -- cgit v1.2.3