From db040cc2832f845db0919d1c4e2b034b8737ef24 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Mon, 3 Nov 2014 09:37:02 +0100
Subject: add check if requested STORK-QAA level matches auth QAA level

---
 .../id/protocols/stork2/AuthenticationRequest.java | 37 ++++++++++++++++++++--
 .../PVPAuthenticationProvider.java                 |  6 ++--
 2 files changed, 36 insertions(+), 7 deletions(-)

(limited to 'id/server/idserverlib/src/main/java/at/gv')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java
index aa018d5a3..d59191c08 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java
@@ -33,6 +33,7 @@ import at.gv.egovernment.moa.id.data.SLOInformationImpl;
 import at.gv.egovernment.moa.id.data.SLOInformationInterface;
 import at.gv.egovernment.moa.id.moduls.IAction;
 import at.gv.egovernment.moa.id.moduls.IRequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.storage.AssertionStorage;
 import at.gv.egovernment.moa.id.util.VelocityProvider;
 import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate;
@@ -110,8 +111,38 @@ public class AuthenticationRequest implements IAction {
                 // Get personal attributtes from MOA/IdentityLink
                 
                 //build STORK attributes from local authentication information
-                if (authData != null)
+                if (authData != null) {
+                	int reqQaa = -1;
+                	int authQaa = -1;
+                	try {
+                		reqQaa = moaStorkRequest.getStorkAuthnRequest().getQaa();
+                		authQaa = Integer.valueOf(
+                				authData.getQAALevel().substring(PVPConstants.STORK_QAA_PREFIX.length()));
+                		
+                		if (reqQaa > authQaa) {
+                			Logger.warn("Requested QAA level does not match to authenticated QAA level");
+                			throw new MOAIDException("stork.21", new Object[]{reqQaa, authQaa});
+                			
+                		}
+                	
+                	} catch (MOAIDException e) {
+                		throw e;
+                		
+                	} catch (Exception e) {
+                		if (Logger.isDebugEnabled())
+                			Logger.warn("STORK QAA Level evaluation error", e);
+                		
+                		else
+                			Logger.warn("STORK QAA Level evaluation error (ErrorMessage=" 
+                					+  e.getMessage() + ")");
+                		
+                		throw new MOAIDException("stork.21", new Object[]{reqQaa, authQaa});
+                		
+                	}
+                	                	
                 	moaStorkResponse.setPersonalAttributeList(populateAttributes(authData, oaParam));
+                	
+                }
             }
 
             //moaStorkResponse.setCountry(moaStorkRequest.getSpCountry());
@@ -452,7 +483,7 @@ public class AuthenticationRequest implements IAction {
 
         IPersonalAttributeList attrLst = moaStorkRequest.getStorkAuthnRequest().getPersonalAttributeList();
         Logger.info("Found " + attrLst.size() + " personal attributes in the request.");
-
+        
         // Define attribute list to be populated
         PersonalAttributeList attributeList = new PersonalAttributeList();
         MOAAttributeProvider moaAttributeProvider = new MOAAttributeProvider(authData, moaStorkRequest);
@@ -470,7 +501,7 @@ public class AuthenticationRequest implements IAction {
             Logger.error("Exception, attributes: " + e.getMessage());
         }
 
-        Logger.debug("AUTHBLOCK " + authData.getAuthBlock());
+        Logger.trace("AUTHBLOCK " + authData.getAuthBlock());
         Logger.debug("SESSION IDENTIFIER " + authData.getCcc() + " " + oaParam.getIdentityLinkDomainIdentifier());
 
         return attributeList;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java
index 88c59ccf9..96aa55bcf 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java
@@ -134,11 +134,9 @@ public class PVPAuthenticationProvider extends AttributeProvider {
         authRequest.setPersonalAttributeList(moastorkRequest.getPersonalAttributeList());
 
         authRequest.setCitizenCountryCode("AT");
-        authRequest.setQaa(oaParam.getQaaLevel());
+        //authRequest.setQaa(oaParam.getQaaLevel());
+       	authRequest.setQaa(moastorkRequest.getStorkAuthnRequest().getQaa());
 
-        if (authRequest.getQaa() == 0 )  {
-        	authRequest.setQaa(4); // workaround
-        }
 
 
 
-- 
cgit v1.2.3