From 72e6c6c36bcbbedf073758299acca4ad9673ba9e Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 3 Nov 2014 09:35:14 +0100 Subject: add PVP SecClass to STORK QAA mapping --- .../id/auth/builder/AuthenticationDataBuilder.java | 37 +++++++- .../id/protocols/stork2/MOAAttributeProvider.java | 10 +- .../egovernment/moa/id/util/PVPtoSTORKMapper.java | 105 +++++++++++++++++++++ .../moa/id/util/PVPtoSTORKRoleMapper.java | 83 ---------------- 4 files changed, 141 insertions(+), 94 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKRoleMapper.java (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 5c0e497a3..52488c3cb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -96,6 +96,7 @@ import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; import at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.IdentityLinkReSigner; +import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; import at.gv.egovernment.moa.logging.Logger; @@ -526,10 +527,40 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } - if (extractor.containsAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) - authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + - extractor.getSingleAttributeValue(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)); + try { + String qaaLevel = extractor.getQAALevel(); + if (MiscUtil.isNotEmpty(qaaLevel) && + qaaLevel.startsWith(PVPConstants.STORK_QAA_PREFIX)) { + authData.setQAALevel(qaaLevel); + + } else { + Logger.debug("Found PVP QAA level. QAA mapping process starts ... "); + String mappedQAA = PVPtoSTORKMapper.getInstance().mapQAALevel(qaaLevel); + if (MiscUtil.isNotEmpty(mappedQAA)) + authData.setQAALevel(mappedQAA); + + else + throw new AssertionAttributeExtractorExeption("PVP SecClass not mappable"); + + } + + } catch (AssertionAttributeExtractorExeption e) { + Logger.warn("No QAA level found in element of interfederated assertion. " + + "(ErrorHeader=" + e.getMessage() + ")"); + if (extractor.containsAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) { + authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + + extractor.getSingleAttributeValue(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)); + + } else { + Logger.info("No QAA level found. Set to default level " + + PVPConstants.STORK_QAA_PREFIX + "1"); + authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + "1"); + + } + + } + if (extractor.containsAttribute(PVPConstants.EID_AUTH_BLOCK_NAME)) { try { byte[] authBlock = Base64Utils.decode(extractor.getSingleAttributeValue(PVPConstants.EID_AUTH_BLOCK_NAME), false); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java index aaded0ce6..993514ec7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java @@ -23,11 +23,10 @@ package at.gv.egovernment.moa.id.protocols.stork2; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; -import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.data.AuthenticationRole; import at.gv.egovernment.moa.id.data.IAuthData; -import at.gv.egovernment.moa.id.util.PVPtoSTORKRoleMapper; +import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; import eu.stork.peps.auth.commons.PersonalAttribute; @@ -44,11 +43,6 @@ import java.util.HashMap; import java.util.List; import java.util.Map; -import org.joda.time.format.DateTimeFormat; -import org.joda.time.format.DateTimeFormatter; - -import javassist.expr.Instanceof; - /** * @author bsuzic * Date: 2/19/14, Time: 4:42 PM @@ -125,7 +119,7 @@ public class MOAAttributeProvider { && authData.getAuthenticationRoles().size() > 0) { storkRoles = new ArrayList(); - PVPtoSTORKRoleMapper mapper = PVPtoSTORKRoleMapper.getInstance(); + PVPtoSTORKMapper mapper = PVPtoSTORKMapper.getInstance(); for (AuthenticationRole el : authData.getAuthenticationRoles()) { String storkRole = mapper.map(el); if (MiscUtil.isNotEmpty(storkRole)) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java new file mode 100644 index 000000000..0ea03e29d --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java @@ -0,0 +1,105 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.util; + +import java.io.IOException; +import java.util.Properties; + +import at.gv.egovernment.moa.id.data.AuthenticationRole; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +public class PVPtoSTORKMapper { + + private static final String PVP_SECCLASS_PREFIX = "http://www.ref.gv.at/ns/names/agiz/pvp/"; + + private static final String MAPPING_RESOURCE = + "resources/properties/pvp-stork_mapping.properties"; + + private Properties mapping = null; + + private static PVPtoSTORKMapper instance = null; + + public static PVPtoSTORKMapper getInstance() { + if (instance == null) { + instance = new PVPtoSTORKMapper(); + } + + return instance; + } + + private PVPtoSTORKMapper() { + try { + mapping = new Properties(); + mapping.load(this.getClass().getClassLoader().getResourceAsStream(MAPPING_RESOURCE)); + Logger.debug("PVP -> STORK Role mapping initialisation finished."); + + } catch (IOException e) { + Logger.error("PVP -> STORK Role mapping initialisation FAILED." , e); + mapping = null; + + } + + + } + + /**Map a PVP SecClass to STORK QAA level + * + * @param PVP SecClass pvpQAALevel + * @return STORK-QAA level + */ + public String mapQAALevel(String pvpQAALevel) { + if (mapping != null) { + String input = pvpQAALevel.substring(PVP_SECCLASS_PREFIX.length()); + String mappedQAA = mapping.getProperty(input); + if (MiscUtil.isNotEmpty(mappedQAA)) { + Logger.info("Map PVP SecClass " + pvpQAALevel + " to STORK-QAA " + mappedQAA); + return mappedQAA; + + } + } + Logger.warn("No mapping for PVP SecClass " + pvpQAALevel +" !"); + return null; + } + + /**Map a PVP Role attribute to STORK ECAuthenticationRole attribute values + * + * @param PVP Role attribute + * @return STORK ECAuthenticationRole attribute value + */ + public String map(AuthenticationRole el) { + if (mapping != null) { + String ecRole = mapping.getProperty(el.getRawRoleString()); + if (MiscUtil.isNotEmpty(ecRole)) { + Logger.info("Map PVPRole " + el.getRawRoleString() + " to ECRole " + ecRole); + return ecRole; + } + } + Logger.warn("NO mapping for PVPRole "+ el.getRawRoleString() + " !"); + return null; + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKRoleMapper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKRoleMapper.java deleted file mode 100644 index 20f541a1a..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKRoleMapper.java +++ /dev/null @@ -1,83 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.util; - -import java.io.IOException; -import java.util.Properties; - -import at.gv.egovernment.moa.id.data.AuthenticationRole; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MiscUtil; - -/** - * @author tlenz - * - */ -public class PVPtoSTORKRoleMapper { - - private static final String MAPPING_RESOURCE = - "resources/properties/pvp-stork_role_mapping.properties"; - - private Properties mapping = null; - - private static PVPtoSTORKRoleMapper instance = null; - - public static PVPtoSTORKRoleMapper getInstance() { - if (instance == null) { - instance = new PVPtoSTORKRoleMapper(); - } - - return instance; - } - - private PVPtoSTORKRoleMapper() { - try { - mapping = new Properties(); - mapping.load(this.getClass().getClassLoader().getResourceAsStream(MAPPING_RESOURCE)); - Logger.debug("PVP -> STORK Role mapping initialisation finished."); - - } catch (IOException e) { - Logger.error("PVP -> STORK Role mapping initialisation FAILED." , e); - mapping = null; - - } - - - } - - /** - * @param el - * @return - */ - public String map(AuthenticationRole el) { - if (mapping != null) { - String ecRole = mapping.getProperty(el.getRawRoleString()); - if (MiscUtil.isNotEmpty(ecRole)) { - Logger.info("Map PVPRole " + el.getRawRoleString() + " to ECRole " + ecRole); - return ecRole; - } - } - Logger.warn("NO mapping for PVPRole "+ el.getRawRoleString() + " !"); - return null; - } -} -- cgit v1.2.3 From bc1de58de93532b7f819a7feabc57961baef41ba Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 3 Nov 2014 09:36:07 +0100 Subject: fix problems with list access --- .../protocols/pvp2x/verification/SAMLVerificationEngine.java | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java index 3be5df917..4ba93f8fe 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java @@ -170,6 +170,7 @@ public class SAMLVerificationEngine { } + List validatedassertions = new ArrayList(); for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) { Conditions conditions = saml2assertion.getConditions(); @@ -177,19 +178,21 @@ public class SAMLVerificationEngine { DateTime notafter = conditions.getNotOnOrAfter(); if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) { Logger.warn("PVP2 Assertion is out of Date"); - saml2assertions.remove(saml2assertion); + + } else { + validatedassertions.add(saml2assertion); - } + } } - if (saml2assertions.isEmpty()) { + if (validatedassertions.isEmpty()) { Logger.info("No valid PVP 2.1 assertion received."); throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null); } samlResp.getAssertions().clear(); samlResp.getEncryptedAssertions().clear(); - samlResp.getAssertions().addAll(saml2assertions); + samlResp.getAssertions().addAll(validatedassertions); } else { Logger.info("PVP 2.1 assertion includes an error. Receive errorcode " -- cgit v1.2.3 From db040cc2832f845db0919d1c4e2b034b8737ef24 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 3 Nov 2014 09:37:02 +0100 Subject: add check if requested STORK-QAA level matches auth QAA level --- .../id/protocols/stork2/AuthenticationRequest.java | 37 ++++++++++++++++++++-- .../PVPAuthenticationProvider.java | 6 ++-- 2 files changed, 36 insertions(+), 7 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at/gv') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java index aa018d5a3..d59191c08 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java @@ -33,6 +33,7 @@ import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.storage.AssertionStorage; import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; @@ -110,8 +111,38 @@ public class AuthenticationRequest implements IAction { // Get personal attributtes from MOA/IdentityLink //build STORK attributes from local authentication information - if (authData != null) + if (authData != null) { + int reqQaa = -1; + int authQaa = -1; + try { + reqQaa = moaStorkRequest.getStorkAuthnRequest().getQaa(); + authQaa = Integer.valueOf( + authData.getQAALevel().substring(PVPConstants.STORK_QAA_PREFIX.length())); + + if (reqQaa > authQaa) { + Logger.warn("Requested QAA level does not match to authenticated QAA level"); + throw new MOAIDException("stork.21", new Object[]{reqQaa, authQaa}); + + } + + } catch (MOAIDException e) { + throw e; + + } catch (Exception e) { + if (Logger.isDebugEnabled()) + Logger.warn("STORK QAA Level evaluation error", e); + + else + Logger.warn("STORK QAA Level evaluation error (ErrorMessage=" + + e.getMessage() + ")"); + + throw new MOAIDException("stork.21", new Object[]{reqQaa, authQaa}); + + } + moaStorkResponse.setPersonalAttributeList(populateAttributes(authData, oaParam)); + + } } //moaStorkResponse.setCountry(moaStorkRequest.getSpCountry()); @@ -452,7 +483,7 @@ public class AuthenticationRequest implements IAction { IPersonalAttributeList attrLst = moaStorkRequest.getStorkAuthnRequest().getPersonalAttributeList(); Logger.info("Found " + attrLst.size() + " personal attributes in the request."); - + // Define attribute list to be populated PersonalAttributeList attributeList = new PersonalAttributeList(); MOAAttributeProvider moaAttributeProvider = new MOAAttributeProvider(authData, moaStorkRequest); @@ -470,7 +501,7 @@ public class AuthenticationRequest implements IAction { Logger.error("Exception, attributes: " + e.getMessage()); } - Logger.debug("AUTHBLOCK " + authData.getAuthBlock()); + Logger.trace("AUTHBLOCK " + authData.getAuthBlock()); Logger.debug("SESSION IDENTIFIER " + authData.getCcc() + " " + oaParam.getIdentityLinkDomainIdentifier()); return attributeList; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java index 88c59ccf9..96aa55bcf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java @@ -134,11 +134,9 @@ public class PVPAuthenticationProvider extends AttributeProvider { authRequest.setPersonalAttributeList(moastorkRequest.getPersonalAttributeList()); authRequest.setCitizenCountryCode("AT"); - authRequest.setQaa(oaParam.getQaaLevel()); + //authRequest.setQaa(oaParam.getQaaLevel()); + authRequest.setQaa(moastorkRequest.getStorkAuthnRequest().getQaa()); - if (authRequest.getQaa() == 0 ) { - authRequest.setQaa(4); // workaround - } -- cgit v1.2.3