From c1b2382fcecd5bc47935ad46e16824802cfadeb2 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 15 Apr 2014 13:29:20 +0200 Subject: add pvp2.1 configuration fpr assertion encryption key in moa-id.properties update handbook pvp2.1 configuration --- .../protocols/pvp2x/config/PVPConfiguration.java | 17 ++++++++++--- .../protocols/pvp2x/signer/CredentialProvider.java | 28 +++++++++++++++++++++- 2 files changed, 41 insertions(+), 4 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java index 9f2ad2e1b..c189d44a6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java @@ -69,9 +69,9 @@ public class PVPConfiguration { return instance; } - public static final String PVP2_METADATA = "/pvp2/metadata"; - public static final String PVP2_REDIRECT = "/pvp2/redirect"; - public static final String PVP2_POST = "/pvp2/post"; + public static final String PVP2_METADATA = "/pvp2/metadata"; + public static final String PVP2_REDIRECT = "/pvp2/redirect"; + public static final String PVP2_POST = "/pvp2/post"; public static final String PVP_CONFIG_FILE = "pvp2config.properties"; @@ -84,6 +84,9 @@ public class PVPConfiguration { public static final String IDP_KEYALIASASSERTION = "idp.ks.assertion.sign.alias"; public static final String IDP_KEY_PASSASSERTION = "idp.ks.assertion.sign.keypassword"; + public static final String IDP_KEYALIASENCRYTPION = "sp.ks.assertion.encryption.alias"; + public static final String IDP_KEY_PASSENCRYTPION = "sp.ks.assertion.encryption.keypassword"; + public static final String IDP_ISSUER_NAME = "idp.issuer.name"; public static final String METADATA_FILE = "md.dir"; @@ -173,6 +176,14 @@ public class PVPConfiguration { return props.getProperty(IDP_KEY_PASSASSERTION); } + public String getIDPKeyAliasAssertionEncryption() { + return props.getProperty(IDP_KEYALIASASSERTION); + } + + public String getIDPKeyPasswordAssertionEncryption() { + return props.getProperty(IDP_KEY_PASSASSERTION); + } + public String getIDPIssuerName() throws ConfigurationException { if (moaIDVersion == null) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java index d95e21a0e..48e435777 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/CredentialProvider.java @@ -39,6 +39,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.KeyStoreUtils; +import at.gv.egovernment.moa.util.MiscUtil; public class CredentialProvider { @@ -86,7 +87,32 @@ public class CredentialProvider { throw new CredentialsNotAvailableException(e.getMessage(), null); } } - + + public static X509Credential getIDPAssertionEncryptionCredential() + throws CredentialsNotAvailableException { + PVPConfiguration config = PVPConfiguration.getInstance(); + try { + if (keyStore == null) + keyStore = KeyStoreUtils.loadKeyStore(config.getIDPKeyStoreFilename(), + config.getIDPKeyStorePassword()); + + //if no encryption key is configured return null + if (MiscUtil.isEmpty(config.getIDPKeyAliasAssertionEncryption())) + return null; + + MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter( + keyStore, config.getIDPKeyAliasAssertionEncryption(), config + .getIDPKeyPasswordAssertionEncryption().toCharArray()); + + credentials.setUsageType(UsageType.ENCRYPTION); + return (X509Credential) credentials; + } catch (Exception e) { + Logger.error("Failed to generate IDP Assertion Encryption credentials"); + e.printStackTrace(); + throw new CredentialsNotAvailableException(e.getMessage(), null); + } + } + public static Signature getIDPSignature(Credential credentials) { PrivateKey privatekey = credentials.getPrivateKey(); -- cgit v1.2.3 From 7f1a1d200e647fce391f674994b908ef2c799f4d Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 15 Apr 2014 13:29:57 +0200 Subject: add SPSSODescriptor for MOA-ID interfederation --- .../moa/id/protocols/pvp2x/MetadataAction.java | 304 ++++++++++++++------- 1 file changed, 206 insertions(+), 98 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index a29728245..fd501fde7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -23,6 +23,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x; import java.io.StringWriter; +import java.security.KeyStore; import java.util.List; import javax.servlet.http.HttpServletRequest; @@ -38,18 +39,27 @@ import org.joda.time.DateTime; import org.opensaml.Configuration; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.core.NameIDType; +import org.opensaml.saml2.metadata.AssertionConsumerService; +import org.opensaml.saml2.metadata.AttributeConsumingService; import org.opensaml.saml2.metadata.ContactPerson; import org.opensaml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.KeyDescriptor; +import org.opensaml.saml2.metadata.LocalizedString; import org.opensaml.saml2.metadata.NameIDFormat; +import org.opensaml.saml2.metadata.RoleDescriptor; +import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml2.metadata.ServiceName; import org.opensaml.saml2.metadata.SingleSignOnService; import org.opensaml.xml.io.Marshaller; +import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.SecurityHelper; import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.credential.UsageType; import org.opensaml.xml.security.keyinfo.KeyInfoGenerator; +import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter; +import org.opensaml.xml.security.x509.X509Credential; import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; import org.opensaml.xml.signature.Signature; import org.opensaml.xml.signature.Signer; @@ -57,14 +67,17 @@ import org.w3c.dom.Document; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; public class MetadataAction implements IAction { @@ -111,6 +124,7 @@ public class MetadataAction implements IAction { //keyInfoFactory.setEmitPublicKeyValue(true); keyInfoFactory.setEmitEntityIDAsKeyName(true); keyInfoFactory.setEmitEntityCertificate(true); + KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance(); Credential metadataSigningCredential = CredentialProvider.getIDPMetaDataSigningCredential(); @@ -121,106 +135,12 @@ public class MetadataAction implements IAction { SecurityHelper.prepareSignatureParams(signature, metadataSigningCredential, null, null); idpEntitiesDescriptor.setSignature(signature); - -// //set SignatureMethode -// signature.setSignatureAlgorithm(PVPConstants.DEFAULT_SIGNING_METHODE); -// -// //set DigestMethode -// List contentList = signature.getContentReferences(); -// for (ContentReference content : contentList) { -// -// if (content instanceof SAMLObjectContentReference) { -// -// SAMLObjectContentReference el = (SAMLObjectContentReference) content; -// el.setDigestAlgorithm(PVPConstants.DEFAULT_DIGESTMETHODE); -// -// } -// } - - -// KeyInfoBuilder metadataKeyInfoBuilder = new KeyInfoBuilder(); -// KeyInfo metadataKeyInfo = metadataKeyInfoBuilder.buildObject(); -// //KeyInfoHelper.addCertificate(metadataKeyInfo, metadataSigningCredential.); -// signature.setKeyInfo(metadataKeyInfo ); - - - IDPSSODescriptor idpSSODescriptor = SAML2Utils - .createSAMLObject(IDPSSODescriptor.class); - - idpSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); - - idpSSODescriptor.setWantAuthnRequestsSigned(true); - - if (PVPConfiguration.getInstance().getIDPSSOPostService() != null) { - SingleSignOnService postSingleSignOnService = SAML2Utils - .createSAMLObject(SingleSignOnService.class); - - postSingleSignOnService.setLocation(PVPConfiguration - .getInstance().getIDPSSOPostService()); - postSingleSignOnService - .setBinding(SAMLConstants.SAML2_POST_BINDING_URI); - - idpSSODescriptor.getSingleSignOnServices().add( - postSingleSignOnService); - } - - if (PVPConfiguration.getInstance().getIDPSSORedirectService() != null) { - SingleSignOnService redirectSingleSignOnService = SAML2Utils - .createSAMLObject(SingleSignOnService.class); - - redirectSingleSignOnService.setLocation(PVPConfiguration - .getInstance().getIDPSSORedirectService()); - redirectSingleSignOnService - .setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); - - idpSSODescriptor.getSingleSignOnServices().add( - redirectSingleSignOnService); - } - - /*if (PVPConfiguration.getInstance().getIDPResolveSOAPService() != null) { - ArtifactResolutionService artifactResolutionService = SAML2Utils - .createSAMLObject(ArtifactResolutionService.class); - - artifactResolutionService - .setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI); - artifactResolutionService.setLocation(PVPConfiguration - .getInstance().getIDPResolveSOAPService()); - - artifactResolutionService.setIndex(0); - - idpSSODescriptor.getArtifactResolutionServices().add( - artifactResolutionService); - }*/ - - //set assertion signing key - Credential assertionSigingCredential = CredentialProvider - .getIDPAssertionSigningCredential(); - - KeyDescriptor signKeyDescriptor = SAML2Utils - .createSAMLObject(KeyDescriptor.class); - signKeyDescriptor.setUse(UsageType.SIGNING); - signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(assertionSigingCredential)); - idpSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); - - idpSSODescriptor.getAttributes().addAll(PVPAttributeBuilder.buildSupportedEmptyAttributes()); - - NameIDFormat persistenNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); - persistenNameIDFormat.setFormat(NameIDType.PERSISTENT); + //set IDP metadata + idpEntityDescriptor.getRoleDescriptors().add(generateIDPMetadata(keyInfoGenerator)); - idpSSODescriptor.getNameIDFormats().add(persistenNameIDFormat); - - NameIDFormat transientNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); - transientNameIDFormat.setFormat(NameIDType.TRANSIENT); - - idpSSODescriptor.getNameIDFormats().add(transientNameIDFormat); - - NameIDFormat unspecifiedNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); - unspecifiedNameIDFormat.setFormat(NameIDType.UNSPECIFIED); - - idpSSODescriptor.getNameIDFormats().add(unspecifiedNameIDFormat); - - idpEntityDescriptor.getRoleDescriptors().add(idpSSODescriptor); + //set SP metadata for interfederation + idpEntityDescriptor.getRoleDescriptors().add(generateSPMetadata(keyInfoGenerator)); DocumentBuilder builder; DocumentBuilderFactory factory = DocumentBuilderFactory @@ -269,4 +189,192 @@ public class MetadataAction implements IAction { return (PVP2XProtocol.METADATA); } + private RoleDescriptor generateSPMetadata(KeyInfoGenerator keyInfoGenerator) throws CredentialsNotAvailableException, SecurityException, ConfigurationException { + + Logger.debug("Set SP Metadata key information"); + + SPSSODescriptor spSSODescriptor = SAML2Utils + .createSAMLObject(SPSSODescriptor.class); + + spSSODescriptor.setAuthnRequestsSigned(true); + spSSODescriptor.setWantAssertionsSigned(true); + + + //Set AuthRequest Signing certificate + X509Credential authcredential = CredentialProvider.getIDPAssertionSigningCredential(); + + KeyDescriptor signKeyDescriptor = SAML2Utils + .createSAMLObject(KeyDescriptor.class); + signKeyDescriptor.setUse(UsageType.SIGNING); + signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authcredential)); + spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); + + + //set AuthRequest encryption certificate + + X509Credential authEncCredential = CredentialProvider.getIDPAssertionEncryptionCredential(); + + if (authEncCredential != null) { + KeyDescriptor encryKeyDescriptor = SAML2Utils + .createSAMLObject(KeyDescriptor.class); + encryKeyDescriptor.setUse(UsageType.ENCRYPTION); + encryKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authEncCredential)); + spSSODescriptor.getKeyDescriptors().add(encryKeyDescriptor); + + } else { + Logger.warn("No Assertion Encryption-Key defined. This setting is not recommended!"); + + } + + NameIDFormat persistentnameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); + persistentnameIDFormat.setFormat(NameIDType.PERSISTENT); + + spSSODescriptor.getNameIDFormats().add(persistentnameIDFormat); + + NameIDFormat transientnameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); + transientnameIDFormat.setFormat(NameIDType.TRANSIENT); + + spSSODescriptor.getNameIDFormats().add(transientnameIDFormat); + + NameIDFormat unspecifiednameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); + unspecifiednameIDFormat.setFormat(NameIDType.UNSPECIFIED); + + spSSODescriptor.getNameIDFormats().add(unspecifiednameIDFormat); + + AssertionConsumerService postassertionConsumerService = + SAML2Utils.createSAMLObject(AssertionConsumerService.class); + postassertionConsumerService.setIndex(0); + postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); + postassertionConsumerService.setLocation(PVPConfiguration + .getInstance().getIDPSSOPostService()); + postassertionConsumerService.setIsDefault(true); + spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService); + + + AssertionConsumerService redirectassertionConsumerService = + SAML2Utils.createSAMLObject(AssertionConsumerService.class); + redirectassertionConsumerService.setIndex(1); + redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); + redirectassertionConsumerService.setLocation(PVPConfiguration + .getInstance().getIDPSSORedirectService()); + spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService); + + spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); + + AttributeConsumingService attributeService = + SAML2Utils.createSAMLObject(AttributeConsumingService.class); + + attributeService.setIndex(0); + attributeService.setIsDefault(true); + ServiceName serviceName = SAML2Utils.createSAMLObject(ServiceName.class); + serviceName.setName(new LocalizedString("Default Service", "de")); + attributeService.getNames().add(serviceName); + + return spSSODescriptor; + } + + private IDPSSODescriptor generateIDPMetadata(KeyInfoGenerator keyInfoGenerator) throws ConfigurationException, CredentialsNotAvailableException, SecurityException { + + +// //set SignatureMethode +// signature.setSignatureAlgorithm(PVPConstants.DEFAULT_SIGNING_METHODE); +// +// //set DigestMethode +// List contentList = signature.getContentReferences(); +// for (ContentReference content : contentList) { +// +// if (content instanceof SAMLObjectContentReference) { +// +// SAMLObjectContentReference el = (SAMLObjectContentReference) content; +// el.setDigestAlgorithm(PVPConstants.DEFAULT_DIGESTMETHODE); +// +// } +// } + + +// KeyInfoBuilder metadataKeyInfoBuilder = new KeyInfoBuilder(); +// KeyInfo metadataKeyInfo = metadataKeyInfoBuilder.buildObject(); +// //KeyInfoHelper.addCertificate(metadataKeyInfo, metadataSigningCredential.); +// signature.setKeyInfo(metadataKeyInfo ); + + + IDPSSODescriptor idpSSODescriptor = SAML2Utils + .createSAMLObject(IDPSSODescriptor.class); + + idpSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); + + idpSSODescriptor.setWantAuthnRequestsSigned(true); + + if (PVPConfiguration.getInstance().getIDPSSOPostService() != null) { + SingleSignOnService postSingleSignOnService = SAML2Utils + .createSAMLObject(SingleSignOnService.class); + + postSingleSignOnService.setLocation(PVPConfiguration + .getInstance().getIDPSSOPostService()); + postSingleSignOnService + .setBinding(SAMLConstants.SAML2_POST_BINDING_URI); + + idpSSODescriptor.getSingleSignOnServices().add( + postSingleSignOnService); + } + + if (PVPConfiguration.getInstance().getIDPSSORedirectService() != null) { + SingleSignOnService redirectSingleSignOnService = SAML2Utils + .createSAMLObject(SingleSignOnService.class); + + redirectSingleSignOnService.setLocation(PVPConfiguration + .getInstance().getIDPSSORedirectService()); + redirectSingleSignOnService + .setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); + + idpSSODescriptor.getSingleSignOnServices().add( + redirectSingleSignOnService); + } + + /*if (PVPConfiguration.getInstance().getIDPResolveSOAPService() != null) { + ArtifactResolutionService artifactResolutionService = SAML2Utils + .createSAMLObject(ArtifactResolutionService.class); + + artifactResolutionService + .setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI); + artifactResolutionService.setLocation(PVPConfiguration + .getInstance().getIDPResolveSOAPService()); + + artifactResolutionService.setIndex(0); + + idpSSODescriptor.getArtifactResolutionServices().add( + artifactResolutionService); + }*/ + + //set assertion signing key + Credential assertionSigingCredential = CredentialProvider + .getIDPAssertionSigningCredential(); + + KeyDescriptor signKeyDescriptor = SAML2Utils + .createSAMLObject(KeyDescriptor.class); + signKeyDescriptor.setUse(UsageType.SIGNING); + signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(assertionSigingCredential)); + idpSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); + + idpSSODescriptor.getAttributes().addAll(PVPAttributeBuilder.buildSupportedEmptyAttributes()); + + NameIDFormat persistenNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); + persistenNameIDFormat.setFormat(NameIDType.PERSISTENT); + + idpSSODescriptor.getNameIDFormats().add(persistenNameIDFormat); + + NameIDFormat transientNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); + transientNameIDFormat.setFormat(NameIDType.TRANSIENT); + + idpSSODescriptor.getNameIDFormats().add(transientNameIDFormat); + + NameIDFormat unspecifiedNameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); + unspecifiedNameIDFormat.setFormat(NameIDType.UNSPECIFIED); + + idpSSODescriptor.getNameIDFormats().add(unspecifiedNameIDFormat); + + return idpSSODescriptor; + + } + } -- cgit v1.2.3 From c124f3d23b91823e1db167c41b769aa5a2b3e7e5 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 15 Apr 2014 17:16:34 +0200 Subject: add MOA-ID AuthnRequest generation --- .../moa/id/moduls/AuthenticationManager.java | 213 ++++++++++++++++++--- .../at/gv/egovernment/moa/id/moduls/IRequest.java | 3 +- .../gv/egovernment/moa/id/moduls/RequestImpl.java | 18 ++ .../protocols/pvp2x/binding/ArtifactBinding.java | 2 +- .../moa/id/protocols/pvp2x/binding/IEncoder.java | 2 +- .../id/protocols/pvp2x/binding/PostBinding.java | 38 +++- .../protocols/pvp2x/binding/RedirectBinding.java | 2 +- .../id/protocols/pvp2x/binding/SoapBinding.java | 2 +- .../moa/id/protocols/stork2/MOASTORKRequest.java | 9 + 9 files changed, 251 insertions(+), 38 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 03a61d08f..b76863602 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -24,12 +24,37 @@ package at.gv.egovernment.moa.id.moduls; import java.io.IOException; import java.io.PrintWriter; +import java.security.NoSuchAlgorithmException; import java.util.List; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.joda.time.DateTime; +import org.opensaml.common.impl.SecureRandomIdentifierGenerator; +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.core.AuthnContextClassRef; +import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; +import org.opensaml.saml2.core.AuthnRequest; +import org.opensaml.saml2.core.Issuer; +import org.opensaml.saml2.core.NameID; +import org.opensaml.saml2.core.NameIDPolicy; +import org.opensaml.saml2.core.NameIDType; +import org.opensaml.saml2.core.RequestedAuthnContext; +import org.opensaml.saml2.core.Subject; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.IDPSSODescriptor; +import org.opensaml.saml2.metadata.SingleSignOnService; +import org.opensaml.saml2.metadata.provider.MetadataProviderException; +import org.opensaml.security.MetadataCredentialResolver; +import org.opensaml.security.MetadataCredentialResolverFactory; +import org.opensaml.security.MetadataCriteria; +import org.opensaml.ws.message.encoder.MessageEncodingException; +import org.opensaml.xml.security.CriteriaSet; +import org.opensaml.xml.security.SecurityException; +import org.opensaml.xml.security.criteria.EntityIDCriteria; + import at.gv.egovernment.moa.id.auth.builder.LoginFormBuilder; import at.gv.egovernment.moa.id.auth.builder.SendAssertionFormBuilder; import at.gv.egovernment.moa.id.auth.builder.StartAuthenticationBuilder; @@ -42,9 +67,17 @@ import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.ArtifactBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.StringUtils; public class AuthenticationManager extends AuthServlet { @@ -148,16 +181,158 @@ public class AuthenticationManager extends AuthServlet { public void doAuthentication(HttpServletRequest request, HttpServletResponse response, IRequest target) throws ServletException, IOException, MOAIDException { + Logger.info("Starting authentication ..."); + + if (MiscUtil.isEmpty(target.getRequestedIDP())) { + perfomLocalAuthentication(request, response, target); + + } else { + Logger.info("Use IDP " + target.getRequestedIDP() + " for authentication ..."); + buildPVP21AuthenticationRequest(request, response, target); + + } + } + + public void sendTransmitAssertionQuestion(HttpServletRequest request, + HttpServletResponse response, IRequest target, OAAuthParameter oaParam) + throws ServletException, IOException, MOAIDException { + + String form = SendAssertionFormBuilder.buildForm(target.requestedModule(), + target.requestedAction(), target.getRequestID(), oaParam, request.getContextPath()); + + response.setContentType("text/html;charset=UTF-8"); + PrintWriter out = new PrintWriter(response.getOutputStream()); + out.print(form); + out.flush(); + } + + private void buildPVP21AuthenticationRequest(HttpServletRequest request, + HttpServletResponse response, IRequest target) + throws ServletException, IOException, MOAIDException { + + boolean requiredLocalAuthentication = true; + + Logger.debug("Build PVP 2.1 authentication request"); + + //get IDP metadata + try { + EntityDescriptor idpEntity = MOAMetadataProvider.getInstance(). + getEntityDescriptor(target.getRequestedIDP()); + + if (idpEntity != null ) { + + //fetch endpoint from IDP metadata + SingleSignOnService redirectEndpoint = null; + for (SingleSignOnService sss : + idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleSignOnServices()) { + + // use POST binding as default if it exists + if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) { + redirectEndpoint = sss; + + } else if ( sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI) && + redirectEndpoint == null ) + redirectEndpoint = sss; + } + + if (redirectEndpoint != null) { + + AuthnRequest authReq = SAML2Utils + .createSAMLObject(AuthnRequest.class); + SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator(); + authReq.setID(gen.generateIdentifier()); + + //send passive AuthnRequest + authReq.setIsPassive(true); -// if (!ParamValidatorUtils.isValidOA(target.getOAURL())) -// throw new WrongParametersException("StartAuthentication", PARAM_OA, -// "auth.12"); -// -// if (target.getOAURL() == null) { -// throw new WrongParametersException("StartAuthentication", PARAM_OA, -// "auth.12"); -// } + authReq.setAssertionConsumerServiceIndex(0); + authReq.setIssueInstant(new DateTime()); + Subject subject = SAML2Utils.createSAMLObject(Subject.class); + NameID name = SAML2Utils.createSAMLObject(NameID.class); + Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); + + String serviceURL = PVPConfiguration.getInstance().getIDPPublicPath(); + name.setValue(serviceURL); + issuer.setValue(serviceURL); + + subject.setNameID(name); + authReq.setSubject(subject); + issuer.setFormat(NameIDType.ENTITY); + authReq.setIssuer(issuer); + NameIDPolicy policy = SAML2Utils + .createSAMLObject(NameIDPolicy.class); + policy.setAllowCreate(true); + policy.setFormat(NameID.TRANSIENT); + authReq.setNameIDPolicy(policy); + + authReq.setDestination(redirectEndpoint.getLocation()); + + RequestedAuthnContext reqAuthContext = + SAML2Utils.createSAMLObject(RequestedAuthnContext.class); + + AuthnContextClassRef authnClassRef = + SAML2Utils.createSAMLObject(AuthnContextClassRef.class); + authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4"); + reqAuthContext.setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM); + reqAuthContext.getAuthnContextClassRefs().add(authnClassRef); + authReq.setRequestedAuthnContext(reqAuthContext); + + + IEncoder binding = null; + if (redirectEndpoint.getBinding().equals( + SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { + binding = new RedirectBinding(); + + } else if (redirectEndpoint.getBinding().equals( + SAMLConstants.SAML2_POST_BINDING_URI)) { + binding = new PostBinding(); + + } + + binding.encodeRequest(request, response, authReq, + redirectEndpoint.getLocation(), target.getRequestID()); + + //build and send request without an error + requiredLocalAuthentication = false; + + } else { + Logger.warn("Requested IDP " + target.getRequestedIDP() + + " does not support POST or Redirect Binding."); + + } + + } else { + Logger.warn("Requested IDP " + target.getRequestedIDP() + + " is not found in InterFederation configuration"); + + } + + } catch (MetadataProviderException e) { + Logger.error("IDP metadata error." , e); + + } catch (NoSuchAlgorithmException e) { + Logger.error("Build IDP authentication request FAILED.", e); + + } catch (MessageEncodingException e) { + Logger.error("Build IDP authentication request FAILED.", e); + + } catch (SecurityException e) { + Logger.error("Build IDP authentication request FAILED.", e); + + } + + if (requiredLocalAuthentication) { + Logger.info("Switch to local authentication on this IDP ... "); + perfomLocalAuthentication(request, response, target); + } + } + + + private void perfomLocalAuthentication(HttpServletRequest request, + HttpServletResponse response, IRequest target) + throws ServletException, IOException, MOAIDException { + Logger.debug("Starting authentication on this IDP ..."); setNoCachingHeadersInHttpRespone(request, response); @@ -183,17 +358,12 @@ public class AuthenticationManager extends AuthServlet { if (legacyallowed && legacyparamavail) { - //parse request parameter into MOASession - + //parse request parameter into MOASession StartAuthentificationParameterParser.parse(request, response, moasession, target); Logger.info("Start Authentication Module: " + moasession.getModul() + " Action: " + moasession.getAction()); - - //start authentication process -// session.getServletContext().getNamedDispatcher("StartAuthentication") -// .forward(request, response); - + StartAuthenticationBuilder startauth = StartAuthenticationBuilder.getInstance(); String getIdentityLinkForm = startauth.build(moasession, request, response); @@ -260,17 +430,4 @@ public class AuthenticationManager extends AuthServlet { out.flush(); } } - - public void sendTransmitAssertionQuestion(HttpServletRequest request, - HttpServletResponse response, IRequest target, OAAuthParameter oaParam) - throws ServletException, IOException, MOAIDException { - - String form = SendAssertionFormBuilder.buildForm(target.requestedModule(), - target.requestedAction(), target.getRequestID(), oaParam, request.getContextPath()); - - response.setContentType("text/html;charset=UTF-8"); - PrintWriter out = new PrintWriter(response.getOutputStream()); - out.print(form); - out.flush(); - } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java index 2ef24c084..a33d39ba7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java @@ -33,7 +33,8 @@ public interface IRequest { public void setAction(String action); public String getTarget(); public void setRequestID(String id); - public String getRequestID(); + public String getRequestID(); + public String getRequestedIDP(); //public void setTarget(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java index b9b1742e4..d3ab640f1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java @@ -36,6 +36,7 @@ public class RequestImpl implements IRequest, Serializable{ private String action = null; private String target = null; private String requestID; + private String requestedIDP = null; public void setOAURL(String value) { @@ -102,4 +103,21 @@ public class RequestImpl implements IRequest, Serializable{ public String getRequestID() { return requestID; } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IRequest#getRequestedIDP() + */ + @Override + public String getRequestedIDP() { + return requestedIDP; + } + + /** + * @param requestedIDP the requestedIDP to set + */ + public void setRequestedIDP(String requestedIDP) { + this.requestedIDP = requestedIDP; + } + + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java index 43a17af23..1a2a02037 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java @@ -49,7 +49,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableEx public class ArtifactBinding implements IDecoder, IEncoder { public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, - RequestAbstractType request, String targetLocation) + RequestAbstractType request, String targetLocation, String relayState) throws MessageEncodingException, SecurityException { } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java index f7dfd055c..de5548a44 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java @@ -34,7 +34,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; public interface IEncoder { public void encodeRequest(HttpServletRequest req, - HttpServletResponse resp, RequestAbstractType request, String targetLocation) + HttpServletResponse resp, RequestAbstractType request, String targetLocation, String relayState) throws MessageEncodingException, SecurityException, PVP2Exception; /** diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 11e280d8f..b190ca24e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -47,6 +47,7 @@ import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter; import org.opensaml.xml.security.x509.X509Credential; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; @@ -56,10 +57,38 @@ import at.gv.egovernment.moa.logging.Logger; public class PostBinding implements IDecoder, IEncoder { public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, - RequestAbstractType request, String targetLocation) + RequestAbstractType request, String targetLocation, String relayState) throws MessageEncodingException, SecurityException { - // TODO Auto-generated method stub + + try { + X509Credential credentials = CredentialProvider + .getIDPAssertionSigningCredential(); + + VelocityEngine engine = VelocityProvider.getClassPathVelocityEngine(); + HTTPPostEncoder encoder = new HTTPPostEncoder(engine, + "resources/templates/pvp_postbinding_template.html"); + HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( + resp, true); + BasicSAMLMessageContext context = new BasicSAMLMessageContext(); + SingleSignOnService service = new SingleSignOnServiceBuilder().buildObject(); + service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"); + service.setLocation(targetLocation);; + + context.setOutboundSAMLMessageSigningCredential(credentials); + context.setPeerEntityEndpoint(service); + context.setOutboundSAMLMessage(request); + context.setOutboundMessageTransport(responseAdapter); + context.setRelayState(relayState); + encoder.encode(context); + + } catch (CredentialsNotAvailableException e) { + e.printStackTrace(); + throw new SecurityException(e); + } catch (Exception e) { + e.printStackTrace(); + throw new SecurityException(e); + } } public void encodeRespone(HttpServletRequest req, HttpServletResponse resp, @@ -117,9 +146,7 @@ public class PostBinding implements IDecoder, IEncoder { RequestAbstractType inboundMessage = (RequestAbstractType) messageContext .getInboundMessage(); - - - + MOARequest request = new MOARequest(inboundMessage); request.setVerified(false); @@ -159,4 +186,5 @@ public class PostBinding implements IDecoder, IEncoder { public boolean handleDecode(String action, HttpServletRequest req) { return (req.getMethod().equals("POST")); } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index dc6a1f637..f8eb84c02 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -61,7 +61,7 @@ import at.gv.egovernment.moa.util.DOMUtils; public class RedirectBinding implements IDecoder, IEncoder { public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, - RequestAbstractType request, String targetLocation) + RequestAbstractType request, String targetLocation, String relayState) throws MessageEncodingException, SecurityException { // TODO: implement } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java index 1d41654eb..d2a4d4f60 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java @@ -77,7 +77,7 @@ public class SoapBinding implements IDecoder, IEncoder { } public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, - RequestAbstractType request, String targetLocation) + RequestAbstractType request, String targetLocation, String relayState) throws MessageEncodingException, SecurityException, PVP2Exception { } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java index 9ea33c8ef..23b8b3f7a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java @@ -210,4 +210,13 @@ public class MOASTORKRequest implements IRequest, Serializable { else return this.storkAuthnRequest.getAssertionConsumerServiceURL(); } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IRequest#getRequestedIDP() + */ + @Override + public String getRequestedIDP() { + // TODO Auto-generated method stub + return null; + } } -- cgit v1.2.3 From 1b6b4dabd0333367abe2ccb0e72bd5986df65327 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 16 Apr 2014 11:47:25 +0200 Subject: refactor PVP21 inbound message processing --- .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 189 ++++++++++++--------- .../id/protocols/pvp2x/PVPTargetConfiguration.java | 2 +- .../protocols/pvp2x/binding/ArtifactBinding.java | 9 +- .../moa/id/protocols/pvp2x/binding/IDecoder.java | 9 +- .../moa/id/protocols/pvp2x/binding/MOARequest.java | 124 -------------- .../id/protocols/pvp2x/binding/MOAResponse.java | 60 ------- .../id/protocols/pvp2x/binding/PostBinding.java | 76 ++++----- .../protocols/pvp2x/binding/RedirectBinding.java | 126 ++++++++------ .../id/protocols/pvp2x/binding/SoapBinding.java | 10 +- .../protocols/pvp2x/messages/InboundMessage.java | 114 +++++++++++++ .../pvp2x/messages/InboundMessageInterface.java | 38 +++++ .../id/protocols/pvp2x/messages/MOARequest.java | 58 +++++++ .../id/protocols/pvp2x/messages/MOAResponse.java | 56 ++++++ .../pvp2x/requestHandler/ArtifactResolution.java | 2 +- .../pvp2x/requestHandler/AuthnRequestHandler.java | 2 +- .../pvp2x/requestHandler/IRequestHandler.java | 2 +- .../pvp2x/requestHandler/RequestManager.java | 2 +- .../pvp2x/verification/SAMLVerificationEngine.java | 18 +- 18 files changed, 507 insertions(+), 390 deletions(-) delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOARequest.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAResponse.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/InboundMessage.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/InboundMessageInterface.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOARequest.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOAResponse.java (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index e81b23d41..46cf7dfec 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -56,7 +56,10 @@ import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.moduls.NoPassivAuthenticationException; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestValidatorException; @@ -133,7 +136,7 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { public PVP2XProtocol() { super(); } - + public IRequest preProcess(HttpServletRequest request, HttpServletResponse response, String action) throws MOAIDException { @@ -154,100 +157,30 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { return null; } try { - PVPTargetConfiguration config = new PVPTargetConfiguration(); - - - MOARequest moaRequest = decoder.decodeRequest(request, response); - - RequestAbstractType samlReq = moaRequest.getSamlRequest(); - //String xml = PrettyPrinter.prettyPrint(SAML2Utils.asDOMDocument(samlReq)); - //Logger.info("SAML : " + xml); + InboundMessage msg = (InboundMessage) decoder.decode(request, response); - if(!moaRequest.isVerified()) { + if(!msg.isVerified()) { SAMLVerificationEngine engine = new SAMLVerificationEngine(); - engine.verifyRequest(samlReq, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); - moaRequest.setVerified(true); - } - - if(!(samlReq instanceof AuthnRequest)) { - throw new MOAIDException("Unsupported request", new Object[] {}); - } - - EntityDescriptor metadata = moaRequest.getEntityMetadata(); - if(metadata == null) { - throw new NoMetadataInformationException(); - } - SPSSODescriptor spSSODescriptor = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); - - AuthnRequest authnRequest = (AuthnRequest)samlReq; - - Integer aIdx = authnRequest.getAssertionConsumerServiceIndex(); - int assertionidx = 0; - - if(aIdx != null) { - assertionidx = aIdx.intValue(); + engine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); + msg.setVerified(true); - } else { - assertionidx = SAML2Utils.getDefaultAssertionConsumerServiceIndex(spSSODescriptor); } - aIdx = authnRequest.getAttributeConsumingServiceIndex(); - int attributeIdx = 0; - - if(aIdx != null) { - attributeIdx = aIdx.intValue(); - } - - AssertionConsumerService consumerService = spSSODescriptor.getAssertionConsumerServices().get(assertionidx); - - AttributeConsumingService attributeConsumer = null; + if (msg instanceof MOARequest) + return preProcessAuthRequest(request, response, (MOARequest) msg); - if (spSSODescriptor.getAttributeConsumingServices() != null && - spSSODescriptor.getAttributeConsumingServices().size() > 0) { - attributeConsumer = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx); - } - - String oaURL = moaRequest.getEntityMetadata().getEntityID(); - String binding = consumerService.getBinding(); -// String entityID = moaRequest.getEntityMetadata().getEntityID(); - - Logger.info("Dispatch PVP2 Request: OAURL=" + oaURL + " Binding=" + binding); - - oaURL = StringEscapeUtils.escapeHtml(oaURL); - - config.setOAURL(oaURL); - config.setBinding(binding); - config.setRequest(moaRequest); - config.setConsumerURL(consumerService.getLocation()); - - String useMandate = request.getParameter(PARAM_USEMANDATE); - if(useMandate != null) { - if(useMandate.equals("true") && attributeConsumer != null) { - if(!CheckMandateAttributes.canHandleMandate(attributeConsumer)) { - throw new MandateAttributesNotHandleAbleException(); - } - } + else if (msg instanceof MOAResponse) { + return null; + } - - //validate AuthnRequest - try { - AuthnRequestValidator.validate((AuthnRequestImpl) samlReq); - } catch (AuthnRequestValidatorException e) { - if (generateErrorMessage(e, request, response, config)) { - throw new AuthnRequestValidatorException(e.getMessage(), - new Object[] {}, config); - - } else { - throw new MOAIDException(e.getMessage(), new Object[] {}); - - } + + else { + Logger.error("Receive unsupported PVP21 message"); + throw new MOAIDException("Unsupported PVP21 message", new Object[] {}); } - - //request.getSession().setAttribute(PARAM_OA, oaURL); - return config; } catch (PVP2Exception e) { throw e; @@ -356,4 +289,90 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { return true; } + private IRequest preProcessAuthRequest(HttpServletRequest request, + HttpServletResponse response, MOARequest moaRequest) throws Throwable { + + RequestAbstractType samlReq = moaRequest.getSamlRequest(); + + if(!(samlReq instanceof AuthnRequest)) { + throw new MOAIDException("Unsupported request", new Object[] {}); + } + + EntityDescriptor metadata = moaRequest.getEntityMetadata(); + if(metadata == null) { + throw new NoMetadataInformationException(); + } + SPSSODescriptor spSSODescriptor = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); + + AuthnRequest authnRequest = (AuthnRequest)samlReq; + + Integer aIdx = authnRequest.getAssertionConsumerServiceIndex(); + int assertionidx = 0; + + if(aIdx != null) { + assertionidx = aIdx.intValue(); + + } else { + assertionidx = SAML2Utils.getDefaultAssertionConsumerServiceIndex(spSSODescriptor); + } + + aIdx = authnRequest.getAttributeConsumingServiceIndex(); + int attributeIdx = 0; + + if(aIdx != null) { + attributeIdx = aIdx.intValue(); + } + + AssertionConsumerService consumerService = spSSODescriptor.getAssertionConsumerServices().get(assertionidx); + + AttributeConsumingService attributeConsumer = null; + + if (spSSODescriptor.getAttributeConsumingServices() != null && + spSSODescriptor.getAttributeConsumingServices().size() > 0) { + attributeConsumer = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx); + } + + + + PVPTargetConfiguration config = new PVPTargetConfiguration(); + + + String oaURL = moaRequest.getEntityMetadata().getEntityID(); + String binding = consumerService.getBinding(); + + Logger.info("Dispatch PVP2 Request: OAURL=" + oaURL + " Binding=" + binding); + + oaURL = StringEscapeUtils.escapeHtml(oaURL); + + config.setOAURL(oaURL); + config.setBinding(binding); + config.setRequest(moaRequest); + config.setConsumerURL(consumerService.getLocation()); + + String useMandate = request.getParameter(PARAM_USEMANDATE); + if(useMandate != null) { + if(useMandate.equals("true") && attributeConsumer != null) { + if(!CheckMandateAttributes.canHandleMandate(attributeConsumer)) { + throw new MandateAttributesNotHandleAbleException(); + } + } + } + + //validate AuthnRequest + try { + AuthnRequestValidator.validate((AuthnRequestImpl) samlReq); + + } catch (AuthnRequestValidatorException e) { + if (generateErrorMessage(e, request, response, config)) { + throw new AuthnRequestValidatorException(e.getMessage(), + new Object[] {}, config); + + } else { + throw new MOAIDException(e.getMessage(), new Object[] {}); + + } + } + + return config; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java index b3887a444..03b65bc7e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java @@ -23,7 +23,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x; import at.gv.egovernment.moa.id.moduls.RequestImpl; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; public class PVPTargetConfiguration extends RequestImpl { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java index 1a2a02037..6801d25d5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java @@ -43,6 +43,7 @@ import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.signature.Signature; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPAssertionStorage; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; @@ -100,19 +101,13 @@ public class ArtifactBinding implements IDecoder, IEncoder { } } - public MOARequest decodeRequest(HttpServletRequest req, + public InboundMessageInterface decode(HttpServletRequest req, HttpServletResponse resp) throws MessageDecodingException, SecurityException { return null; } - public MOAResponse decodeRespone(HttpServletRequest req, - HttpServletResponse resp) throws MessageDecodingException, - SecurityException { - - return null; - } public boolean handleDecode(String action, HttpServletRequest req) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java index b64b28de8..108caf047 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java @@ -29,15 +29,12 @@ import org.opensaml.ws.message.decoder.MessageDecodingException; import org.opensaml.xml.security.SecurityException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; public interface IDecoder { - public MOARequest decodeRequest(HttpServletRequest req, + public InboundMessageInterface decode(HttpServletRequest req, HttpServletResponse resp) throws MessageDecodingException, SecurityException, PVP2Exception; - - public MOAResponse decodeRespone(HttpServletRequest req, - HttpServletResponse resp) - throws MessageDecodingException, SecurityException, PVP2Exception; - + public boolean handleDecode(String action, HttpServletRequest req); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOARequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOARequest.java deleted file mode 100644 index 11054fd57..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOARequest.java +++ /dev/null @@ -1,124 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.binding; - -import java.io.Serializable; - -import org.opensaml.Configuration; -import org.opensaml.saml2.core.RequestAbstractType; -import org.opensaml.saml2.core.impl.RequestAbstractTypeMarshaller; -import org.opensaml.saml2.core.impl.RequestAbstractTypeUnmarshaller; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.provider.MetadataProviderException; -import org.opensaml.xml.XMLObject; -import org.opensaml.xml.io.Unmarshaller; -import org.opensaml.xml.io.UnmarshallerFactory; -import org.opensaml.xml.io.UnmarshallingException; -import org.w3c.dom.Element; - -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException; -import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; -import at.gv.egovernment.moa.logging.Logger; - -public class MOARequest implements Serializable{ - - private static final long serialVersionUID = 2395131650841669663L; - - private Element samlRequest; - private boolean verified = false; - private String entityID = null; - private String relayState = null; - - public MOARequest(RequestAbstractType request) { - samlRequest = request.getDOM(); - } - - public RequestAbstractType getSamlRequest() { - UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory(); - Unmarshaller unmashaller = unmarshallerFactory.getUnmarshaller(samlRequest); - - try { - return (RequestAbstractType) unmashaller.unmarshall(samlRequest); - - } catch (UnmarshallingException e) { - Logger.warn("AuthnRequest Unmarshaller error", e); - return null; - } - - } - - - - /** - * @return the relayState - */ - public String getRelayState() { - return relayState; - } - - /** - * @param relayState the relayState to set - */ - public void setRelayState(String relayState) { - this.relayState = relayState; - } - - public void setSamlRequest(RequestAbstractType request) { - this.samlRequest = request.getDOM(); - } - - public boolean isVerified() { - return verified; - } - - public void setVerified(boolean verified) { - this.verified = verified; - } - - public EntityDescriptor getEntityMetadata() throws NoMetadataInformationException { - - try { - return MOAMetadataProvider.getInstance().getEntityDescriptor(this.entityID); - - } catch (MetadataProviderException e) { - Logger.warn("No Metadata for EntitiyID " + entityID); - throw new NoMetadataInformationException(); - } - } - - /** - * @return the entitiyID - */ - public String getEntityID() { - return entityID; - } - - /** - * @param entitiyID the entitiyID to set - */ - public void setEntityID(String entitiyID) { - this.entityID = entitiyID; - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAResponse.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAResponse.java deleted file mode 100644 index 3d21d95c4..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAResponse.java +++ /dev/null @@ -1,60 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.binding; - -import org.opensaml.saml2.core.Response; -import org.opensaml.saml2.metadata.EntityDescriptor; - -public class MOAResponse { - private Response samlResponse; - private EntityDescriptor entityMetadata; - private boolean verified = false; - - public MOAResponse(Response response) { - samlResponse = response; - } - - public Response getSamlResponse() { - return samlResponse; - } - - public void setSamlResponse(Response samlResponse) { - this.samlResponse = samlResponse; - } - - public boolean isVerified() { - return verified; - } - - public void setVerified(boolean verified) { - this.verified = verified; - } - - public EntityDescriptor getEntityMetadata() { - return entityMetadata; - } - - public void setEntityMetadata(EntityDescriptor entityMetadata) { - this.entityMetadata = entityMetadata; - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index b190ca24e..a7633952a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -34,6 +34,7 @@ import org.opensaml.saml2.binding.encoding.HTTPPostEncoder; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusResponseType; +import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.saml2.metadata.SingleSignOnService; import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder; @@ -48,6 +49,10 @@ import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter; import org.opensaml.xml.security.x509.X509Credential; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; @@ -129,58 +134,51 @@ public class PostBinding implements IDecoder, IEncoder { } } - public MOARequest decodeRequest(HttpServletRequest req, + public InboundMessageInterface decode(HttpServletRequest req, HttpServletResponse resp) throws MessageDecodingException, SecurityException { HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool()); - BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); + BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); messageContext .setInboundMessageTransport(new HttpServletRequestAdapter(req)); decode.setURIComparator(new MOAURICompare()); - messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); - - messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); - - decode.decode(messageContext); - - RequestAbstractType inboundMessage = (RequestAbstractType) messageContext - .getInboundMessage(); + + decode.decode(messageContext); - MOARequest request = new MOARequest(inboundMessage); - request.setVerified(false); + messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); + + InboundMessage msg = null; + if (messageContext.getInboundMessage() instanceof RequestAbstractType) { + messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + + RequestAbstractType inboundMessage = (RequestAbstractType) messageContext + .getInboundMessage(); + msg = new MOARequest(inboundMessage); + + } else if (messageContext.getInboundMessage() instanceof Response){ + messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); + + Response inboundMessage = (Response) messageContext.getInboundMessage(); + msg = new MOAResponse(inboundMessage); + + } else + //create empty container if request type is unknown + msg = new InboundMessage(); + + msg.setVerified(false); + + decode.decode(messageContext); if (messageContext.getPeerEntityMetadata() != null) - request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); + msg.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); else - Logger.info("No Metadata found for OA with EntityID " + inboundMessage.getIssuer().getValue()); + Logger.info("No Metadata found for OA with EntityID " + messageContext.getInboundMessageIssuer()); - request.setRelayState(messageContext.getRelayState()); - return request; - - } - - public MOAResponse decodeRespone(HttpServletRequest req, - HttpServletResponse resp) throws MessageDecodingException, - SecurityException { - - HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool()); - BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); - messageContext - .setInboundMessageTransport(new HttpServletRequestAdapter(req)); - - messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); - - decode.decode(messageContext); - - Response inboundMessage = (Response) messageContext.getInboundMessage(); - - MOAResponse moaResponse = new MOAResponse(inboundMessage); - moaResponse.setVerified(false); - moaResponse.setEntityMetadata(messageContext.getPeerEntityMetadata()); - return moaResponse; - + msg.setRelayState(messageContext.getRelayState()); + + return msg; } public boolean handleDecode(String action, HttpServletRequest req) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index f8eb84c02..9254ec279 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -35,6 +35,7 @@ import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusResponseType; +import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.saml2.metadata.SingleSignOnService; import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder; @@ -51,6 +52,10 @@ import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.x509.X509Credential; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; @@ -63,7 +68,32 @@ public class RedirectBinding implements IDecoder, IEncoder { public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, RequestAbstractType request, String targetLocation, String relayState) throws MessageEncodingException, SecurityException { - // TODO: implement + + try { + X509Credential credentials = CredentialProvider + .getIDPAssertionSigningCredential(); + + Logger.debug("create SAML RedirectBinding response"); + + HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder(); + HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( + resp, true); + BasicSAMLMessageContext context = new BasicSAMLMessageContext(); + SingleSignOnService service = new SingleSignOnServiceBuilder() + .buildObject(); + service.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); + service.setLocation(targetLocation); + context.setOutboundSAMLMessageSigningCredential(credentials); + context.setPeerEntityEndpoint(service); + context.setOutboundSAMLMessage(request); + context.setOutboundMessageTransport(responseAdapter); + context.setRelayState(relayState); + + encoder.encode(context); + } catch (CredentialsNotAvailableException e) { + e.printStackTrace(); + throw new SecurityException(e); + } } public void encodeRespone(HttpServletRequest req, HttpServletResponse resp, @@ -85,10 +115,10 @@ public class RedirectBinding implements IDecoder, IEncoder { service.setLocation(targetLocation); context.setOutboundSAMLMessageSigningCredential(credentials); context.setPeerEntityEndpoint(service); - // context.setOutboundMessage(authReq); context.setOutboundSAMLMessage(response); context.setOutboundMessageTransport(responseAdapter); - + context.setRelayState(relayState); + encoder.encode(context); } catch (CredentialsNotAvailableException e) { e.printStackTrace(); @@ -96,80 +126,64 @@ public class RedirectBinding implements IDecoder, IEncoder { } } - public MOARequest decodeRequest(HttpServletRequest req, + public InboundMessageInterface decode(HttpServletRequest req, HttpServletResponse resp) throws MessageDecodingException, SecurityException { HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder( new BasicParserPool()); decode.setURIComparator(new MOAURICompare()); - BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); + BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); messageContext .setInboundMessageTransport(new HttpServletRequestAdapter(req)); + decode.decode(messageContext); + messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); - + SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule( TrustEngineFactory.getSignatureKnownKeysTrustEngine()); - SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule(); - - BasicSecurityPolicy policy = new BasicSecurityPolicy(); policy.getPolicyRules().add(signatureRule); - policy.getPolicyRules().add(signedRole); - + policy.getPolicyRules().add(signedRole); SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver( - policy); - messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + policy); messageContext.setSecurityPolicyResolver(resolver); - decode.decode(messageContext); - - signatureRule.evaluate(messageContext); - - RequestAbstractType inboundMessage = (RequestAbstractType) messageContext - .getInboundMessage(); - MOARequest request = new MOARequest(inboundMessage); - request.setVerified(true); - request.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); - return request; - } - - public MOAResponse decodeRespone(HttpServletRequest req, - HttpServletResponse resp) throws MessageDecodingException, - SecurityException { - - HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder( - new BasicParserPool()); - BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); - messageContext - .setInboundMessageTransport(new HttpServletRequestAdapter(req)); - - SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule( - TrustEngineFactory.getSignatureKnownKeysTrustEngine()); - - // signatureRule.evaluate(messageContext); - BasicSecurityPolicy policy = new BasicSecurityPolicy(); - policy.getPolicyRules().add(signatureRule); - SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver( - policy); - messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); - messageContext.setSecurityPolicyResolver(resolver); - MOAMetadataProvider provider = null; - - provider = MOAMetadataProvider.getInstance(); + InboundMessage msg = null; + + if (messageContext.getInboundMessage() instanceof RequestAbstractType) { + messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + + RequestAbstractType inboundMessage = (RequestAbstractType) messageContext + .getInboundMessage(); + msg = new MOARequest(inboundMessage); + + + } else if (messageContext.getInboundMessage() instanceof Response){ + messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); + + Response inboundMessage = (Response) messageContext.getInboundMessage(); + msg = new MOAResponse(inboundMessage); + + } else + //create empty container if request type is unknown + msg = new InboundMessage(); - messageContext.setMetadataProvider(provider); + signatureRule.evaluate(messageContext); + msg.setVerified(true); decode.decode(messageContext); - - Response inboundMessage = (Response) messageContext.getInboundMessage(); - - MOAResponse moaResponse = new MOAResponse(inboundMessage); - moaResponse.setVerified(true); - moaResponse.setEntityMetadata(messageContext.getPeerEntityMetadata()); - return moaResponse; + if (messageContext.getPeerEntityMetadata() != null) + msg.setEntityID(messageContext.getPeerEntityMetadata().getEntityID()); + + else + Logger.info("No Metadata found for OA with EntityID " + messageContext.getInboundMessageIssuer()); + + msg.setRelayState(messageContext.getRelayState()); + + return msg; } public boolean handleDecode(String action, HttpServletRequest req) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java index d2a4d4f60..ec24a2a0d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java @@ -42,12 +42,14 @@ import org.opensaml.xml.security.credential.Credential; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; public class SoapBinding implements IDecoder, IEncoder { - public MOARequest decodeRequest(HttpServletRequest req, + public InboundMessageInterface decode(HttpServletRequest req, HttpServletResponse resp) throws MessageDecodingException, SecurityException, PVP2Exception { HTTPSOAP11Decoder soapDecoder = new HTTPSOAP11Decoder(); @@ -66,12 +68,6 @@ public class SoapBinding implements IDecoder, IEncoder { return request; } - public MOAResponse decodeRespone(HttpServletRequest req, - HttpServletResponse resp) throws MessageDecodingException, - SecurityException, PVP2Exception { - throw new BindingNotSupportedException(SAMLConstants.SAML2_SOAP11_BINDING_URI + " response"); - } - public boolean handleDecode(String action, HttpServletRequest req) { return (action.equals(PVP2XProtocol.SOAP)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/InboundMessage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/InboundMessage.java new file mode 100644 index 000000000..332caf967 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/InboundMessage.java @@ -0,0 +1,114 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.messages; + +import java.io.Serializable; + +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.provider.MetadataProviderException; +import org.w3c.dom.Element; + +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class InboundMessage implements InboundMessageInterface, Serializable{ + + private static final long serialVersionUID = 2395131650841669663L; + + private Element samlMessage = null; + private boolean verified = false; + private String entityID = null; + private String relayState = null; + + + public EntityDescriptor getEntityMetadata() throws NoMetadataInformationException { + + try { + return MOAMetadataProvider.getInstance().getEntityDescriptor(this.entityID); + + } catch (MetadataProviderException e) { + Logger.warn("No Metadata for EntitiyID " + entityID); + throw new NoMetadataInformationException(); + } + } + + /** + * @param entitiyID the entitiyID to set + */ + public void setEntityID(String entitiyID) { + this.entityID = entitiyID; + } + + public void setVerified(boolean verified) { + this.verified = verified; + } + + /** + * @param relayState the relayState to set + */ + public void setRelayState(String relayState) { + this.relayState = relayState; + } + + public void setSAMLMessage(Element msg) { + this.samlMessage = msg; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.messages.PVP21InboundMessage#getRelayState() + */ + @Override + public String getRelayState() { + return relayState; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.messages.PVP21InboundMessage#getEntityID() + */ + @Override + public String getEntityID() { + return entityID; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.messages.PVP21InboundMessage#isVerified() + */ + @Override + public boolean isVerified() { + return verified; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.messages.PVP21InboundMessage#getInboundMessage() + */ + @Override + public Element getInboundMessage() { + return samlMessage; + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/InboundMessageInterface.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/InboundMessageInterface.java new file mode 100644 index 000000000..60a6f069a --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/InboundMessageInterface.java @@ -0,0 +1,38 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.messages; + +import org.w3c.dom.Element; + +/** + * @author tlenz + * + */ +public interface InboundMessageInterface { + + public String getRelayState(); + public String getEntityID(); + public boolean isVerified(); + public Element getInboundMessage(); + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOARequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOARequest.java new file mode 100644 index 000000000..75442ebb6 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOARequest.java @@ -0,0 +1,58 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.pvp2x.messages; + + +import org.opensaml.Configuration; +import org.opensaml.saml2.core.RequestAbstractType; +import org.opensaml.xml.io.Unmarshaller; +import org.opensaml.xml.io.UnmarshallerFactory; +import org.opensaml.xml.io.UnmarshallingException; + +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; +import at.gv.egovernment.moa.logging.Logger; + +public class MOARequest extends InboundMessage{ + + private static final long serialVersionUID = 8613921176727607896L; + + public MOARequest(RequestAbstractType inboundMessage) { + setSAMLMessage(inboundMessage.getDOM()); + + } + + public RequestAbstractType getSamlRequest() { + UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory(); + Unmarshaller unmashaller = unmarshallerFactory.getUnmarshaller(getInboundMessage()); + + try { + return (RequestAbstractType) unmashaller.unmarshall(getInboundMessage()); + + } catch (UnmarshallingException e) { + Logger.warn("AuthnRequest Unmarshaller error", e); + return null; + } + + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOAResponse.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOAResponse.java new file mode 100644 index 000000000..870273cf3 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOAResponse.java @@ -0,0 +1,56 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.pvp2x.messages; + +import org.opensaml.Configuration; +import org.opensaml.saml2.core.Response; +import org.opensaml.xml.io.Unmarshaller; +import org.opensaml.xml.io.UnmarshallerFactory; +import org.opensaml.xml.io.UnmarshallingException; + +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; +import at.gv.egovernment.moa.logging.Logger; + +public class MOAResponse extends InboundMessage { + + private static final long serialVersionUID = -1133012928130138501L; + + public MOAResponse(Response response) { + setSAMLMessage(response.getDOM()); + } + + public Response getResponse() { + UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory(); + Unmarshaller unmashaller = unmarshallerFactory.getUnmarshaller(getInboundMessage()); + + try { + return (Response) unmashaller.unmarshall(getInboundMessage()); + + } catch (UnmarshallingException e) { + Logger.warn("AuthnResponse Unmarshaller error", e); + return null; + } + + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/ArtifactResolution.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/ArtifactResolution.java index f5fc01b2c..210cb6be8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/ArtifactResolution.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/ArtifactResolution.java @@ -34,7 +34,7 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPAssertionStorage; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.SoapBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.RequestDeniedException; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java index 0e4cd679b..92c2cd585 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java @@ -64,7 +64,7 @@ import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.ArtifactBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionBuilder; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java index 6c4f460f1..9356eb6ba 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java @@ -28,7 +28,7 @@ import javax.servlet.http.HttpServletResponse; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.data.SLOInformationInterface; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; public interface IRequestHandler { public boolean handleObject(MOARequest obj); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java index 264802f09..59353b9ee 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java @@ -32,7 +32,7 @@ import javax.servlet.http.HttpServletResponse; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.data.SLOInformationInterface; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSupported; public class RequestManager { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java index ac222ee54..e4ae01066 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java @@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.verification; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.Response; +import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.security.MetadataCriteria; import org.opensaml.security.SAMLSignatureProfileValidator; @@ -35,8 +36,23 @@ import org.opensaml.xml.security.criteria.UsageCriteria; import org.opensaml.xml.signature.SignatureTrustEngine; import org.opensaml.xml.validation.ValidationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; + public class SAMLVerificationEngine { + + public void verify(InboundMessage msg, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception { + if (msg instanceof MOARequest) + verifyRequest(((MOARequest)msg).getSamlRequest(), sigTrustEngine); + + else + verifyResponse(((MOAResponse)msg).getResponse(), sigTrustEngine); + + } + + public void verifyResponse(Response samlObj, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception { SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator(); try { @@ -48,7 +64,7 @@ public class SAMLVerificationEngine { CriteriaSet criteriaSet = new CriteriaSet(); criteriaSet.add( new EntityIDCriteria(samlObj.getIssuer().getValue()) ); - criteriaSet.add( new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS) ); + criteriaSet.add( new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS) ); criteriaSet.add( new UsageCriteria(UsageType.SIGNING) ); try { -- cgit v1.2.3 From fb85746274a04f77ac3a76b1a790fbe210148ee6 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 16 Apr 2014 15:51:02 +0200 Subject: parse additional AuthRequest attributs --- .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 27 ++++++---------------- 1 file changed, 7 insertions(+), 20 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 46cf7dfec..e7b64be6a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -332,11 +332,8 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { attributeConsumer = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx); } - - PVPTargetConfiguration config = new PVPTargetConfiguration(); - - + String oaURL = moaRequest.getEntityMetadata().getEntityID(); String binding = consumerService.getBinding(); @@ -349,6 +346,11 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { config.setRequest(moaRequest); config.setConsumerURL(consumerService.getLocation()); + //parse AuthRequest + AuthnRequestImpl authReq = (AuthnRequestImpl) samlReq; + config.setPassiv(authReq.isPassive()); + config.setForce(authReq.isForceAuthn()); + String useMandate = request.getParameter(PARAM_USEMANDATE); if(useMandate != null) { if(useMandate.equals("true") && attributeConsumer != null) { @@ -357,22 +359,7 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { } } } - - //validate AuthnRequest - try { - AuthnRequestValidator.validate((AuthnRequestImpl) samlReq); - - } catch (AuthnRequestValidatorException e) { - if (generateErrorMessage(e, request, response, config)) { - throw new AuthnRequestValidatorException(e.getMessage(), - new Object[] {}, config); - - } else { - throw new MOAIDException(e.getMessage(), new Object[] {}); - - } - } - + return config; } } -- cgit v1.2.3 From 432441f6debd593f86075d1995fdb1d48cbd8b36 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 17 Apr 2014 07:58:01 +0200 Subject: compare SAML2 destination URL with expected URL --- .../moa/id/protocols/pvp2x/binding/MOAURICompare.java | 18 ++++++++++++++++-- .../moa/id/protocols/pvp2x/binding/PostBinding.java | 9 ++++++++- .../id/protocols/pvp2x/binding/RedirectBinding.java | 12 +++++++++++- 3 files changed, 35 insertions(+), 4 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java index 1d6b227d6..3094abba8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAURICompare.java @@ -26,9 +26,23 @@ import org.opensaml.common.binding.decoding.URIComparator; public class MOAURICompare implements URIComparator { + /** + * @param idpssoPostService + */ + + private String serviceURL = ""; + + public MOAURICompare(String serviceURL) { + this.serviceURL = serviceURL; + } + public boolean compare(String uri1, String uri2) { - // TODO: implement proper equalizer for rewritten URLS - return true; + + if (this.serviceURL.equals(uri1)) + return true; + + else + return false; } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index a7633952a..645d15086 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -48,6 +48,8 @@ import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter; import org.opensaml.xml.security.x509.X509Credential; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; @@ -142,7 +144,12 @@ public class PostBinding implements IDecoder, IEncoder { BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); messageContext .setInboundMessageTransport(new HttpServletRequestAdapter(req)); - decode.setURIComparator(new MOAURICompare()); + try { + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService())); + + } catch (ConfigurationException e) { + throw new SecurityException(e); + } decode.decode(messageContext); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 9254ec279..68069f3a5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -51,7 +51,9 @@ import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.x509.X509Credential; +import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; @@ -132,7 +134,15 @@ public class RedirectBinding implements IDecoder, IEncoder { HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder( new BasicParserPool()); - decode.setURIComparator(new MOAURICompare()); + + try { + decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService())); + + } catch (ConfigurationException e) { + throw new SecurityException(e); + + } + BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); messageContext .setInboundMessageTransport(new HttpServletRequestAdapter(req)); -- cgit v1.2.3 From 9d1cbc894680a3b93f98e1f173e6ffa27ffbca96 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 17 Apr 2014 08:01:12 +0200 Subject: + preProcess inbound PVP2.1 assertion + add inbound PVP2.1 assertion to IReqeust --- .../at/gv/egovernment/moa/id/moduls/IRequest.java | 3 + .../gv/egovernment/moa/id/moduls/RequestImpl.java | 20 ++++ .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 115 ++++++++++++++++++++- .../id/protocols/pvp2x/PVPTargetConfiguration.java | 4 +- .../moa/id/protocols/stork2/MOASTORKRequest.java | 10 ++ 5 files changed, 147 insertions(+), 5 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java index a33d39ba7..c29c3a1b3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java @@ -22,6 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.moduls; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; + public interface IRequest { public String getOAURL(); public boolean isPassiv(); @@ -35,6 +37,7 @@ public interface IRequest { public void setRequestID(String id); public String getRequestID(); public String getRequestedIDP(); + public MOAResponse getInterfederationResponse(); //public void setTarget(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java index d3ab640f1..94851ee8f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java @@ -24,6 +24,8 @@ package at.gv.egovernment.moa.id.moduls; import java.io.Serializable; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; + public class RequestImpl implements IRequest, Serializable{ private static final long serialVersionUID = 1L; @@ -36,7 +38,10 @@ public class RequestImpl implements IRequest, Serializable{ private String action = null; private String target = null; private String requestID; + + //MOA-ID interfederation private String requestedIDP = null; + private MOAResponse response = null; public void setOAURL(String value) { @@ -118,6 +123,21 @@ public class RequestImpl implements IRequest, Serializable{ public void setRequestedIDP(String requestedIDP) { this.requestedIDP = requestedIDP; } + + /** + * @return the response + */ + public MOAResponse getInterfederationResponse() { + return response; + } + + /** + * @param response the response to set + */ + public void setInterfederationResponse(MOAResponse response) { + this.response = response; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index e7b64be6a..3ab4dd74c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -33,18 +33,29 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang.StringEscapeUtils; +import org.joda.time.DateTime; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.core.AuthnRequest; +import org.opensaml.saml2.core.Conditions; +import org.opensaml.saml2.core.EncryptedAssertion; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.Status; import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.core.StatusMessage; import org.opensaml.saml2.core.impl.AuthnRequestImpl; +import org.opensaml.saml2.encryption.Decrypter; +import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver; import org.opensaml.saml2.metadata.AssertionConsumerService; import org.opensaml.saml2.metadata.AttributeConsumingService; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver; +import org.opensaml.xml.encryption.DecryptionException; +import org.opensaml.xml.encryption.InlineEncryptedKeyResolver; +import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver; +import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver; +import org.opensaml.xml.security.x509.X509Credential; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; @@ -54,22 +65,23 @@ import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IModulInfo; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.moduls.NoPassivAuthenticationException; +import at.gv.egovernment.moa.id.moduls.RequestImpl; +import at.gv.egovernment.moa.id.moduls.RequestStorage; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestValidatorException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.MandateAttributesNotHandleAbleException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.CheckMandateAttributes; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; -import at.gv.egovernment.moa.id.protocols.pvp2x.validation.AuthnRequestValidator; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.util.VelocityLogAdapter; @@ -171,6 +183,28 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { return preProcessAuthRequest(request, response, (MOARequest) msg); else if (msg instanceof MOAResponse) { + //load service provider AuthRequest from session + + IRequest obj = RequestStorage.getPendingRequest(msg.getRelayState()); + if (obj instanceof RequestImpl) { + RequestImpl iReq = (RequestImpl) obj; + + MOAResponse processedMsg = preProcessAuthResponse((MOAResponse) msg); + + if ( processedMsg != null ) { + iReq.setInterfederationResponse((MOAResponse) msg); + + } else { + Logger.info("Receive NO valid SSO session from " + msg.getEntityID() + +". Switch to local authentication process ..."); + iReq.setRequestedIDP(null); + } + + return iReq; + + } + + Logger.error("Stored PVP21 authrequest from service provider has an unsuppored type."); return null; } @@ -362,4 +396,79 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { return config; } + + /** + * @param msg + */ + private MOAResponse preProcessAuthResponse(MOAResponse msg) { + Logger.debug("Start PVP21 assertion processing... "); + Response samlResp = msg.getResponse(); + + try { + if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { + List saml2assertions = new ArrayList(); + + //check encrypted Assertion + List encryAssertionList = samlResp.getEncryptedAssertions(); + if (encryAssertionList != null && encryAssertionList.size() > 0) { + //decrypt assertions + + Logger.debug("Found encryped assertion. Start decryption ..."); + + X509Credential authDecCredential = CredentialProvider.getIDPAssertionEncryptionCredential(); + + StaticKeyInfoCredentialResolver skicr = + new StaticKeyInfoCredentialResolver(authDecCredential); + + ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(); + encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() ); + encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() ); + encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() ); + + Decrypter samlDecrypter = + new Decrypter(null, skicr, encryptedKeyResolver); + + for (EncryptedAssertion encAssertion : encryAssertionList) { + saml2assertions.add(samlDecrypter.decrypt(encAssertion)); + + } + + Logger.debug("Assertion decryption finished. "); + + } else { + saml2assertions = samlResp.getAssertions(); + + } + + for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) { + + Conditions conditions = saml2assertion.getConditions(); + DateTime notbefore = conditions.getNotBefore(); + DateTime notafter = conditions.getNotOnOrAfter(); + if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) { + Logger.warn("PVP2 Assertion is out of Date"); + return null; + + } + + samlResp.getAssertions().clear(); + samlResp.getEncryptedAssertions().clear(); + samlResp.getAssertions().addAll(saml2assertions); + + msg.setSAMLMessage(samlResp.getDOM()); + return msg; + + } + } + + } catch (CredentialsNotAvailableException e) { + Logger.warn("Assertion decrypt FAILED - No Credentials", e); + + } catch (DecryptionException e) { + Logger.warn("Assertion decrypt FAILED.", e); + + } + + return null; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java index 03b65bc7e..6e749aaf0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java @@ -24,6 +24,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x; import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; public class PVPTargetConfiguration extends RequestImpl { @@ -55,6 +56,5 @@ public class PVPTargetConfiguration extends RequestImpl { public void setConsumerURL(String consumerURL) { this.consumerURL = consumerURL; - } - + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java index 23b8b3f7a..0eb1b83ca 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java @@ -3,6 +3,7 @@ package at.gv.egovernment.moa.id.protocols.stork2; import java.io.Serializable; import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.logging.Logger; import eu.stork.peps.auth.commons.IPersonalAttributeList; import eu.stork.peps.auth.commons.STORKAttrQueryRequest; @@ -219,4 +220,13 @@ public class MOASTORKRequest implements IRequest, Serializable { // TODO Auto-generated method stub return null; } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IRequest#getInterfederationResponse() + */ + @Override + public MOAResponse getInterfederationResponse() { + // TODO Auto-generated method stub + return null; + } } -- cgit v1.2.3 From 0dedfd784b7be0e91fc4690271e8dfcde41eea02 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 17 Apr 2014 12:57:32 +0200 Subject: move TimeOut check to get operation --- .../moa/id/storage/AssertionStorage.java | 28 +++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java index 6d8979da3..77cd23b60 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java @@ -31,9 +31,11 @@ import org.hibernate.HibernateException; import org.hibernate.Query; import org.hibernate.Session; +import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.session.AssertionStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -82,10 +84,34 @@ public class AssertionStorage { } - public T get(String artifact, final Class clazz) throws MOADatabaseException { + + /** + * @param samlArtifact + * @param class1 + * @param authdatatimeout + * @return + * @throws MOADatabaseException + * @throws AuthenticationException + */ + public T get(String samlArtifact, + final Class clazz) throws MOADatabaseException, AuthenticationException { + + return get(samlArtifact, clazz, -1); + } + + public T get(String artifact, final Class clazz, long authdatatimeout) throws MOADatabaseException, AuthenticationException { AssertionStore element = searchInDatabase(artifact); + if (authdatatimeout > -1) { + //check timeout + long now = new Date().getTime(); + + if (now - element.getDatatime().getTime() > authdatatimeout) + throw new AuthenticationException("1207", new Object[] { artifact }); + } + + //Deserialize Assertion Object data = SerializationUtils.deserialize(element.getAssertion()); -- cgit v1.2.3 From 5ac7c031b38bd652e984ad58285b1cb4af4c5e1f Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 17 Apr 2014 13:18:04 +0200 Subject: blank database elements with sensitive data before delete the entry --- .../moa/id/storage/AssertionStorage.java | 21 +++++++++++-- .../id/storage/AuthenticationSessionStoreage.java | 34 +++++++++++++++++----- 2 files changed, 45 insertions(+), 10 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java index 77cd23b60..cca13fad9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java @@ -144,7 +144,7 @@ public class AssertionStorage { if (results.size() != 0) { for(AssertionStore result : results) { try { - MOASessionDBUtils.delete(result); + cleanDelete(result); Logger.info("Remove sessioninformation with ID=" + result.getArtifact() + " after timeout."); @@ -161,7 +161,7 @@ public class AssertionStorage { try { AssertionStore element = searchInDatabase(artifact); - MOASessionDBUtils.delete(element); + cleanDelete(element); Logger.info("Remove sessioninformation with ID" + artifact); @@ -174,6 +174,23 @@ public class AssertionStorage { } } + private void cleanDelete(AssertionStore element) { + try { + element.setAssertion(new byte[]{}); + MOASessionDBUtils.saveOrUpdate(element); + + } catch (MOADatabaseException e) { + Logger.warn("Blank shortTime session with artifact=" + element.getArtifact() + " FAILED.", e); + + } finally { + if (!MOASessionDBUtils.delete(element)) + Logger.error("ShortTime session with artifact=" + element.getArtifact() + + " not removed! (Error during Database communication)"); + + } + + } + @SuppressWarnings("rawtypes") private AssertionStore searchInDatabase(String artifact) throws MOADatabaseException { MiscUtil.assertNotNull(artifact, "artifact"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index 27f219452..ca5cb9226 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -156,7 +156,7 @@ public class AuthenticationSessionStoreage { public static void destroySession(String moaSessionID) throws MOADatabaseException { - Session session = MOASessionDBUtils.getCurrentSession(); + Session session = MOASessionDBUtils.getCurrentSession(); List result; @@ -176,11 +176,11 @@ public class AuthenticationSessionStoreage { throw new MOADatabaseException("No session found with this sessionID"); } - AuthenticatedSessionStore dbsession = (AuthenticatedSessionStore) result.get(0); - - //delete MOA Session - session.delete(dbsession); - session.getTransaction().commit(); + AuthenticatedSessionStore dbsession = (AuthenticatedSessionStore) result.get(0); + + session.getTransaction().commit(); + + cleanDelete(dbsession); } } @@ -443,7 +443,7 @@ public class AuthenticationSessionStoreage { return false; } else { - MOASessionDBUtils.delete(result.get(0)); + cleanDelete(result.get(0)); return true; } @@ -521,7 +521,7 @@ public class AuthenticationSessionStoreage { if (results.size() != 0) { for(AuthenticatedSessionStore result : results) { try { - MOASessionDBUtils.delete(result); + cleanDelete(result); Logger.info("Authenticated session with sessionID=" + result.getSessionid() + " after session timeout."); @@ -534,6 +534,24 @@ public class AuthenticationSessionStoreage { } } + private static void cleanDelete(AuthenticatedSessionStore result) { + try { + result.setSession(new byte[] {}); + MOASessionDBUtils.saveOrUpdate(result); + + } catch (MOADatabaseException e) { + Logger.warn("Blank authenticated session with sessionID=" + result.getSessionid() + " FAILED.", e); + + } finally { + if (!MOASessionDBUtils.delete(result)) + Logger.error("Authenticated session with sessionID=" + result.getSessionid() + + " not removed! (Error during Database communication)"); + + } + + + } + @SuppressWarnings("rawtypes") private static AuthenticatedSessionStore searchInDatabase(String sessionID) throws MOADatabaseException { MiscUtil.assertNotNull(sessionID, "moasessionID"); -- cgit v1.2.3 From 5d398941deba98bac5ed119b511fc809634ae6ff Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 17 Apr 2014 17:23:38 +0200 Subject: update get() Methode --- .../at/gv/egovernment/moa/id/storage/AssertionStorage.java | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java index cca13fad9..bc9de7a50 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java @@ -94,9 +94,16 @@ public class AssertionStorage { * @throws AuthenticationException */ public T get(String samlArtifact, - final Class clazz) throws MOADatabaseException, AuthenticationException { + final Class clazz) throws MOADatabaseException { - return get(samlArtifact, clazz, -1); + try { + return get(samlArtifact, clazz, -1); + + } catch (AuthenticationException e) { + //this execption only occurs if an additional timeOut is used + Logger.error("This exeption should not occur!!!!", e); + return null; + } } public T get(String artifact, final Class clazz, long authdatatimeout) throws MOADatabaseException, AuthenticationException { -- cgit v1.2.3 From ede744e9af545db61a0d46f44279a4a8a216c633 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 17 Apr 2014 17:24:53 +0200 Subject: fix NullPointer if representative has no OID --- .../moa/id/util/client/mis/simple/MISMandate.java | 25 ++++++++++++++-------- 1 file changed, 16 insertions(+), 9 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java index 385dd753c..f7785d2c2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java @@ -48,6 +48,8 @@ package at.gv.egovernment.moa.id.util.client.mis.simple; import java.io.Serializable; +import at.gv.egovernment.moa.util.MiscUtil; + public class MISMandate implements Serializable{ private static final long serialVersionUID = 1L; @@ -90,16 +92,21 @@ public class MISMandate implements Serializable{ } public String getTextualDescriptionOfOID() { - if (this.oid.equalsIgnoreCase(OID_NOTAR)) - return TEXT_NOTAR; - if (this.oid.equalsIgnoreCase(OID_RECHTSANWALT)) - return TEXT_RECHTSANWALT; - if (this.oid.equalsIgnoreCase(OID_ZIVILTECHNIKER)) - return TEXT_ZIVILTECHNIKER; - if (this.oid.equalsIgnoreCase(OID_ORGANWALTER)) - return TEXT_ORGANWALTER; + if (MiscUtil.isNotEmpty(this.oid)) { + if (this.oid.equalsIgnoreCase(OID_NOTAR)) + return TEXT_NOTAR; + if (this.oid.equalsIgnoreCase(OID_RECHTSANWALT)) + return TEXT_RECHTSANWALT; + if (this.oid.equalsIgnoreCase(OID_ZIVILTECHNIKER)) + return TEXT_ZIVILTECHNIKER; + if (this.oid.equalsIgnoreCase(OID_ORGANWALTER)) + return TEXT_ORGANWALTER; - return "Keine textuelle Beschreibung für OID " + oid; + return "Keine textuelle Beschreibung für OID " + oid; + + } else { + return null; + } } -- cgit v1.2.3 From 7222102b1c6092f5062c5476f2f05bba07e82c30 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 17 Apr 2014 17:32:23 +0200 Subject: refector attribute generation from session information --- .../moa/id/auth/AuthenticationServer.java | 121 --- .../AuthenticationDataAssertionBuilder.java | 5 +- .../id/auth/builder/AuthenticationDataBuilder.java | 235 +++++ .../moa/id/auth/data/AuthenticationSession.java | 15 +- .../moa/id/data/AuthenticationData.java | 968 +++++++++++---------- .../at/gv/egovernment/moa/id/data/IAuthData.java | 79 ++ .../moa/id/entrypoints/DispatcherServlet.java | 24 +- .../moa/id/moduls/AuthenticationManager.java | 5 +- .../at/gv/egovernment/moa/id/moduls/IAction.java | 5 +- .../attributes/OAuth20AttributeBuilder.java | 43 +- .../OpenIdAuthenticationTimeAttribute.java | 7 +- .../attributes/OpenIdExpirationTimeAttribute.java | 5 +- .../attributes/OpenIdIssueInstantAttribute.java | 5 +- .../oauth20/attributes/OpenIdIssuerAttribute.java | 5 +- .../OpenIdSubjectIdentifierAttribute.java | 5 +- .../attributes/ProfileDateOfBirthAttribute.java | 7 +- .../attributes/ProfileFamilyNameAttribute.java | 5 +- .../attributes/ProfileGivenNameAttribute.java | 5 +- .../oauth20/protocol/OAuth20AuthAction.java | 29 +- .../oauth20/protocol/OAuth20TokenAction.java | 4 +- .../id/protocols/pvp2x/AuthenticationAction.java | 6 +- .../moa/id/protocols/pvp2x/MetadataAction.java | 7 +- .../pvp2x/builder/PVPAttributeBuilder.java | 9 +- .../builder/assertion/PVP2AssertionBuilder.java | 41 +- .../builder/attributes/BPKAttributeBuilder.java | 5 +- .../attributes/BirthdateAttributeBuilder.java | 40 +- .../pvp2x/builder/attributes/EIDAuthBlock.java | 7 +- .../pvp2x/builder/attributes/EIDCcsURL.java | 7 +- .../EIDCitizenQAALevelAttributeBuilder.java | 14 +- .../builder/attributes/EIDIdentityLinkBuilder.java | 35 +- .../EIDIssuingNationAttributeBuilder.java | 27 +- .../pvp2x/builder/attributes/EIDSTORKTOKEN.java | 9 +- .../attributes/EIDSectorForIDAttributeBuilder.java | 5 +- .../builder/attributes/EIDSignerCertificate.java | 7 +- .../pvp2x/builder/attributes/EIDSourcePIN.java | 8 +- .../pvp2x/builder/attributes/EIDSourcePINType.java | 5 +- .../attributes/GivenNameAttributeBuilder.java | 7 +- .../builder/attributes/IAttributeBuilder.java | 5 +- .../MandateFullMandateAttributeBuilder.java | 9 +- ...MandateLegalPersonFullNameAttributeBuilder.java | 9 +- ...andateLegalPersonSourcePinAttributeBuilder.java | 9 +- ...teLegalPersonSourcePinTypeAttributeBuilder.java | 9 +- .../MandateNaturalPersonBPKAttributeBuilder.java | 16 +- ...dateNaturalPersonBirthDateAttributeBuilder.java | 9 +- ...ateNaturalPersonFamilyNameAttributeBuilder.java | 9 +- ...dateNaturalPersonGivenNameAttributeBuilder.java | 9 +- ...dateNaturalPersonSourcePinAttributeBuilder.java | 16 +- ...NaturalPersonSourcePinTypeAttributeBuilder.java | 14 +- .../MandateProfRepDescAttributeBuilder.java | 30 +- .../MandateProfRepOIDAttributeBuilder.java | 28 +- .../MandateReferenceValueAttributeBuilder.java | 9 +- .../attributes/MandateTypeAttributeBuilder.java | 9 +- .../attributes/PVPVersionAttributeBuilder.java | 5 +- .../attributes/PrincipalNameAttributeBuilder.java | 7 +- .../STORKAdoptedFamilyNameAttributBuilder.java | 7 +- .../attributes/STORKAgeAttributBuilder.java | 7 +- .../builder/attributes/STORKAttributHelper.java | 3 +- ...RKCanonicalResidenceAddressAttributBuilder.java | 7 +- .../STORKCountryCodeOfBirthAttributBuilder.java | 7 +- .../STORKFiscalNumberAttributBuilder.java | 7 +- .../attributes/STORKGenderAttributBuilder.java | 7 +- .../STORKInhertedFamilyNameAttributBuilder.java | 7 +- .../attributes/STORKIsAgeOverAttributBuilder.java | 7 +- .../STORKMaritalStatusAttributBuilder.java | 7 +- .../STORKNationalityCodeAttributBuilder.java | 7 +- .../attributes/STORKPseudonymAttributBuilder.java | 7 +- .../STORKResidencePermitAttributBuilder.java | 7 +- .../STORKTextResidenceAddressAttributBuilder.java | 7 +- .../attributes/STORKTitleAttributBuilder.java | 7 +- .../exceptions/AttributePolicyException.java | 40 + .../pvp2x/requestHandler/ArtifactResolution.java | 4 +- .../pvp2x/requestHandler/AuthnRequestHandler.java | 8 +- .../pvp2x/requestHandler/IRequestHandler.java | 4 +- .../pvp2x/requestHandler/RequestManager.java | 7 +- .../moa/id/protocols/saml1/GetArtifactAction.java | 54 +- .../saml1/GetAuthenticationDataService.java | 6 +- .../protocols/saml1/SAML1AuthenticationData.java | 179 ++++ .../protocols/saml1/SAML1AuthenticationServer.java | 84 +- .../id/protocols/stork2/AttributeCollector.java | 11 +- .../moa/id/protocols/stork2/AttributeProvider.java | 5 +- .../id/protocols/stork2/AuthenticationRequest.java | 34 +- .../moa/id/protocols/stork2/ConsentEvaluator.java | 3 +- .../stork2/EHvdAttributeProviderPlugin.java | 9 +- .../stork2/MandateAttributeRequestProvider.java | 3 +- .../protocols/stork2/MandateRetrievalRequest.java | 3 +- .../moa/id/protocols/stork2/STORKProtocol.java | 1 + .../stork2/SignedDocAttributeRequestProvider.java | 3 +- .../stork2/StorkAttributeRequestProvider.java | 3 +- 88 files changed, 1476 insertions(+), 1104 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/exceptions/AttributePolicyException.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationData.java (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index d7083ec81..a35bee2f8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -1414,127 +1414,6 @@ public class AuthenticationServer implements MOAIDAuthConstants { return "new Session"; } - /** - * Builds the AuthenticationData object together with the corresponding - * <saml:Assertion> - * - * @param session authentication session - * @param verifyXMLSigResp VerifyXMLSignatureResponse from MOA-SP - * @param useUTC uses correct UTC time format - * @param useUTC indicates that authenticated citizen is a foreigner - * @param isForeigner indicates whether Austrian (false) or foreigner (true) authenticates - * @return AuthenticationData object - * @throws ConfigurationException while accessing configuration data - * @throws BuildException while building the <saml:Assertion> - */ - public static AuthenticationData buildAuthenticationData( - AuthenticationSession session, OAAuthParameter oaParam, String target) - throws ConfigurationException, BuildException { - - IdentityLink identityLink = session.getIdentityLink(); - AuthenticationData authData = new AuthenticationData(); - - VerifyXMLSignatureResponse verifyXMLSigResp = session.getXMLVerifySignatureResponse(); - - boolean businessService = oaParam.getBusinessService(); - - authData.setMajorVersion(1); - authData.setMinorVersion(0); - authData.setAssertionID(Random.nextRandom()); - authData.setIssuer(session.getAuthURL()); - - authData.setIssueInstant(DateTimeUtils.buildDateTimeUTC(Calendar - .getInstance())); - - //baseID or wbpk in case of BusinessService without SSO or BusinessService SSO - authData.setIdentificationValue(identityLink.getIdentificationValue()); - authData.setIdentificationType(identityLink.getIdentificationType()); - - authData.setGivenName(identityLink.getGivenName()); - authData.setFamilyName(identityLink.getFamilyName()); - authData.setDateOfBirth(identityLink.getDateOfBirth()); - authData.setQualifiedCertificate(verifyXMLSigResp - .isQualifiedCertificate()); - authData.setPublicAuthority(verifyXMLSigResp.isPublicAuthority()); - authData.setPublicAuthorityCode(verifyXMLSigResp - .getPublicAuthorityCode()); - authData.setBkuURL(session.getBkuURL()); - - try { - - MISMandate mandate = session.getMISMandate(); - - if (session.getUseMandate() && session.isOW() - && mandate != null && MiscUtil.isNotEmpty(mandate.getOWbPK())) { - authData.setBPK(mandate.getOWbPK()); - authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + "OW"); - authData.setIdentityLink(identityLink); - Logger.trace("Authenticated User is OW: " + mandate.getOWbPK()); - - } else { - - if (businessService) { - //since we have foreigner, wbPK is not calculated in BKU - if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - - String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier(); - - if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) { - // If domainIdentifier starts with prefix - // "urn:publicid:gv.at:wbpk+"; remove this prefix - registerAndOrdNr = registerAndOrdNr - .substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length()); - Logger.debug("Register and ordernumber prefix stripped off; resulting register string: " - + registerAndOrdNr); - } - - String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), registerAndOrdNr); - authData.setBPK(wbpkBase64); - authData.setBPKType(Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr); - - } else { - authData.setBPK(identityLink.getIdentificationValue()); - authData.setBPKType(identityLink.getIdentificationType()); - - } - - Logger.trace("Authenticate user with wbPK " + authData.getBPK()); - - Element idlassertion = session.getIdentityLink().getSamlAssertion(); - //set bpk/wpbk; - Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); - prIdentification.getFirstChild().setNodeValue(authData.getBPK()); - //set bkp/wpbk type - Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH); - prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType()); - - IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion); - IdentityLink idl = idlparser.parseIdentityLink(); - authData.setIdentityLink(idl); - - } else { - - if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - // only compute bPK if online application is a public service and we have the Stammzahl - String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), target); - authData.setBPK(bpkBase64); - authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); - } - - Logger.trace("Authenticate user with bPK " + authData.getBPK()); - - authData.setIdentityLink(identityLink); - } - } - - return authData; - - } catch (Throwable ex) { - throw new BuildException("builder.00", new Object[]{ - "AuthenticationData", ex.toString()}, ex); - } - } - /** * Retrieves a session from the session store. * diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java index 531303300..4c824354c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java @@ -33,6 +33,7 @@ import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DateTimeUtils; @@ -224,7 +225,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB * @throws BuildException if an error occurs during the build process */ public String build( - AuthenticationData authData, + SAML1AuthenticationData authData, String xmlPersonData, String xmlAuthBlock, String xmlIdentityLink, @@ -344,7 +345,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB * @throws BuildException if an error occurs during the build process */ public String buildMandate( - AuthenticationData authData, + SAML1AuthenticationData authData, String xmlPersonData, String xmlMandateData, String xmlAuthBlock, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java new file mode 100644 index 000000000..00528f7a1 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -0,0 +1,235 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.builder; + +import org.w3c.dom.Element; +import org.w3c.dom.Node; + +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.data.IdentityLink; +import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; +import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; +import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl; +import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.util.IdentityLinkReSigner; +import at.gv.egovernment.moa.id.util.ParamValidatorUtils; +import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.MiscUtil; +import at.gv.egovernment.moa.util.XPathUtils; + +/** + * @author tlenz + * + */ +public class AuthenticationDataBuilder implements MOAIDAuthConstants { + + public static IAuthData buildAuthenticationData(IRequest protocolRequest, + AuthenticationSession session) throws ConfigurationException, BuildException, WrongParametersException { + + + String oaID = protocolRequest.getOAURL(); + if (oaID == null) { + throw new WrongParametersException("StartAuthentication", + PARAM_OA, "auth.12"); + } + + // check parameter + if (!ParamValidatorUtils.isValidOA(oaID)) + throw new WrongParametersException("StartAuthentication", + PARAM_OA, "auth.12"); + + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() + .getOnlineApplicationParameter(oaID); + + + /* TODO: Support Mandate MODE! + * Insert functionality to translate mandates in case of SSO + */ + + + AuthenticationData authdata = null; + if (protocolRequest instanceof SAML1RequestImpl) { + //request is SAML1 + SAML1AuthenticationData saml1authdata = new SAML1AuthenticationData(); + saml1authdata.setExtendedSAMLAttributesOA(session.getExtendedSAMLAttributesOA()); + + authdata = saml1authdata; + + } else { + authdata = new AuthenticationData(); + + } + + + if (protocolRequest.getInterfederationResponse() != null) { + //get attributes from interfederated IDP + + + } else { + //build AuthenticationData from MOASession + buildAuthDataFormMOASession(authdata, session, oaParam); + + } + + return authdata; + } + + private static void buildAuthDataFormMOASession(AuthenticationData authData, AuthenticationSession session, + OAAuthParameter oaParam) throws BuildException { + + String target = oaParam.getTarget(); + + IdentityLink identityLink = session.getIdentityLink(); + + VerifyXMLSignatureResponse verifyXMLSigResp = session.getXMLVerifySignatureResponse(); + + boolean businessService = oaParam.getBusinessService(); + + authData.setIssuer(session.getAuthURL()); + + //baseID or wbpk in case of BusinessService without SSO or BusinessService SSO + authData.setIdentificationValue(identityLink.getIdentificationValue()); + authData.setIdentificationType(identityLink.getIdentificationType()); + + authData.setGivenName(identityLink.getGivenName()); + authData.setFamilyName(identityLink.getFamilyName()); + authData.setDateOfBirth(identityLink.getDateOfBirth()); + authData.setQualifiedCertificate(verifyXMLSigResp + .isQualifiedCertificate()); + authData.setPublicAuthority(verifyXMLSigResp.isPublicAuthority()); + authData.setPublicAuthorityCode(verifyXMLSigResp + .getPublicAuthorityCode()); + authData.setBkuURL(session.getBkuURL()); + + authData.setStorkAttributes(session.getStorkAttributes()); + authData.setStorkAuthnResponse(session.getStorkAuthnResponse()); + authData.setStorkRequest(session.getStorkAuthnRequest()); + + authData.setSignerCertificate(session.getEncodedSignerCertificate()); + authData.setAuthBlock(session.getAuthBlock()); + + authData.setForeigner(session.isForeigner()); + authData.setQAALevel(session.getQAALevel()); + + try { + + authData.setSsoSession(AuthenticationSessionStoreage.isSSOSession(session.getSessionID())); + + MISMandate mandate = session.getMISMandate(); + authData.setMISMandate(mandate); + authData.setUseMandate(session.getUseMandate()); + authData.setMandateReferenceValue(session.getMandateReferenceValue()); + + if (session.getUseMandate() && session.isOW() + && mandate != null && MiscUtil.isNotEmpty(mandate.getOWbPK())) { + authData.setBPK(mandate.getOWbPK()); + authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + "OW"); + + //TODO: check in case of mandates for business services + authData.setIdentityLink(identityLink); + Logger.trace("Authenticated User is OW: " + mandate.getOWbPK()); + + } else { + + if (businessService) { + //since we have foreigner, wbPK is not calculated in BKU + if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { + + String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier(); + + if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) { + // If domainIdentifier starts with prefix + // "urn:publicid:gv.at:wbpk+"; remove this prefix + registerAndOrdNr = registerAndOrdNr + .substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length()); + Logger.debug("Register and ordernumber prefix stripped off; resulting register string: " + + registerAndOrdNr); + } + + String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), registerAndOrdNr); + authData.setBPK(wbpkBase64); + authData.setBPKType(Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr); + + } else { + authData.setBPK(identityLink.getIdentificationValue()); + authData.setBPKType(identityLink.getIdentificationType()); + + } + + Logger.trace("Authenticate user with wbPK " + authData.getBPK()); + + Element idlassertion = session.getIdentityLink().getSamlAssertion(); + //set bpk/wpbk; + Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); + prIdentification.getFirstChild().setNodeValue(authData.getBPK()); + //set bkp/wpbk type + Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH); + prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType()); + + IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion); + IdentityLink idl = idlparser.parseIdentityLink(); + + //resign IDL + IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance(); + Element resignedilAssertion; + resignedilAssertion = identitylinkresigner.resignIdentityLink(idl.getSamlAssertion()); + IdentityLinkAssertionParser resignedIDLParser = new IdentityLinkAssertionParser(resignedilAssertion); + IdentityLink resignedIDL = resignedIDLParser.parseIdentityLink(); + + authData.setIdentityLink(resignedIDL); + + } else { + + if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { + // only compute bPK if online application is a public service and we have the Stammzahl + String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), target); + authData.setBPK(bpkBase64); + authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); + } + + Logger.trace("Authenticate user with bPK " + authData.getBPK()); + + authData.setIdentityLink(identityLink); + } + } + + + } catch (Throwable ex) { + throw new BuildException("builder.00", new Object[]{ + "AuthenticationData", ex.toString()}, ex); + } + + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index 4bae0300b..58412b218 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -956,20 +956,7 @@ public class AuthenticationSession implements Serializable { public void setMISMandate(MISMandate mandate) { this.mandate = mandate; } - - public Element getMandate() { - try { - byte[] byteMandate = mandate.getMandate(); - String stringMandate = new String(byteMandate); - return DOMUtils.parseDocument(stringMandate, false, null, null).getDocumentElement(); - - } - catch (Throwable e) { - Logger.warn("Mandate content could not be generated from MISMandate."); - return null; - } - } - + /** * @return the ssoRequested */ diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java index f9d3986d7..e73bac41c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java @@ -1,27 +1,5 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ /* - * Copyright 2003 Federal Chancellery Austria + * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. * @@ -42,455 +20,565 @@ * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. */ - - package at.gv.egovernment.moa.id.data; import java.io.Serializable; +import java.text.DateFormat; +import java.text.ParseException; +import java.text.SimpleDateFormat; import java.util.Date; +import org.w3c.dom.Element; + +import eu.stork.peps.auth.commons.IPersonalAttributeList; +import eu.stork.peps.auth.commons.STORKAuthnRequest; + import at.gv.egovernment.moa.id.auth.data.IdentityLink; +import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.DateTimeUtils; +import at.gv.egovernment.moa.util.MiscUtil; /** - * Encapsulates authentication data contained in a <saml:Assertion>. + * @author tlenz * - * @author Paul Ivancsics - * @version $Id$ */ +public class AuthenticationData implements IAuthData, Serializable { -public class AuthenticationData implements Serializable { - /** - * - */ private static final long serialVersionUID = -1042697056735596866L; -/** - * major version number of the SAML assertion - */ - private int majorVersion; - /** - * minor version number of the SAML assertion - */ - private int minorVersion; - /** - * identifier for this assertion - */ - private String assertionID; - /** - * URL of the MOA-ID Auth component issueing this assertion - */ - private String issuer; - /** - * time instant of issue of this assertion - */ - private String issueInstant; - /** - * user identification value (Stammzahl); null, - * if the authentication module is configured not to return this data - */ - private String identificationValue; + public static final String IDENTITY_LINK_DATE_FORMAT = "yyyy-MM-dd"; + + /** + * URL of the MOA-ID Auth component issueing this assertion + */ + private String issuer; + /** + * time instant of issue of this assertion + */ + private Date issueInstant; + /** + * user identification value (Stammzahl); null, + * if the authentication module is configured not to return this data + */ + private String identificationValue; + /** + * user identification type + */ + private String identificationType; + + /** + * user identityLink specialized to OAParamter + */ + private IdentityLink identityLink; + + /** + * application specific user identifier (bPK/wbPK) + */ + private String bPK; + + /** + * application specific user identifier type + */ + private String bPKType; + + /** + * given name of the user + */ + private String givenName; + /** + * family name of the user + */ + private String familyName; + /** + * date of birth of the user + */ + private Date dateOfBirth; + /** + * says whether the certificate is a qualified certificate or not + */ + private boolean qualifiedCertificate; + /** + * says whether the certificate is a public authority or not + */ + private boolean publicAuthority; + /** + * public authority code (Behördenkennzeichen - BKZ) + */ + private String publicAuthorityCode; + + /** + * URL of the BKU + */ + private String bkuURL; + /** + * the corresponding lt;saml:Assertion> + */ + + /** + * STORK attributes from response + */ + private String ccc = null; + private IPersonalAttributeList storkAttributes = null; + private String storkAuthnResponse; + private STORKAuthnRequest storkRequest = null; + + private byte[] signerCertificate = null; + + private String authBlock = null; + + private boolean useMandate = false; + private MISMandate mandate = null; + private String mandateReferenceValue = null; + + private boolean foreigner; + private String QAALevel = null; + + private boolean ssoSession; + + public AuthenticationData() { + issueInstant = new Date(); + } + + /** + * Returns the publicAuthority. + * @return boolean + */ + public boolean isPublicAuthority() { + return publicAuthority; + } + + /** + * Returns the publicAuthorityCode. + * @return String + */ + public String getPublicAuthorityCode() { + return publicAuthorityCode; + } + + /** + * Returns the qualifiedCertificate. + * @return boolean + */ + public boolean isQualifiedCertificate() { + return qualifiedCertificate; + } + + /** + * Returns the bPK. + * @return String + */ + public String getBPK() { + return bPK; + } + + /** + * Sets the publicAuthority. + * @param publicAuthority The publicAuthority to set + */ + public void setPublicAuthority(boolean publicAuthority) { + this.publicAuthority = publicAuthority; + } + + /** + * Sets the publicAuthorityCode. + * @param publicAuthorityIdentification The publicAuthorityCode to set + */ + public void setPublicAuthorityCode(String publicAuthorityIdentification) { + this.publicAuthorityCode = publicAuthorityIdentification; + } + + /** + * Sets the qualifiedCertificate. + * @param qualifiedCertificate The qualifiedCertificate to set + */ + public void setQualifiedCertificate(boolean qualifiedCertificate) { + this.qualifiedCertificate = qualifiedCertificate; + } + + /** + * Sets the bPK. + * @param bPK The bPK to set + */ + public void setBPK(String bPK) { + this.bPK = bPK; + } + + /** + * Returns the dateOfBirth. + * @return String + */ + public Date getDateOfBirth() { + return dateOfBirth; + } + + public String getFormatedDateOfBirth() { + DateFormat pvpDateFormat = new SimpleDateFormat(IDENTITY_LINK_DATE_FORMAT); + return pvpDateFormat.format(getDateOfBirth()); + } + + /** + * Returns the familyName. + * @return String + */ + public String getFamilyName() { + return familyName; + } + + /** + * Returns the givenName. + * @return String + */ + public String getGivenName() { + return givenName; + } + + /** + * Returns the identificationValue. + * @return String + */ + public String getIdentificationValue() { + return identificationValue; + } + + /** + * Returns the identificationType + * @return String + */ + public String getIdentificationType() { + return identificationType; + } + + /** + * Returns the issueInstant. + * @return String + */ + public String getIssueInstantString() { + return DateTimeUtils.buildDateTimeUTC(issueInstant); + + } + + /** + * Returns the issueInstant. + * @return String + */ + public Date getIssueInstant() { + return issueInstant; + + } + + public void setIssueInstant(Date date) { + this.issueInstant = date; + } + + /** + * Returns the issuer. + * @return String + */ + public String getIssuer() { + return issuer; + } + + /** + * Returns the BKU URL. + * @return String + */ + public String getBkuURL() { + return bkuURL; + } + + /** + * Sets the dateOfBirth. + * @param dateOfBirth The dateOfBirth to set + */ + public void setDateOfBirth(Date dateOfBirth) { + this.dateOfBirth = dateOfBirth; + } + + public void setDateOfBirth(String dateOfBirth) { + try { + if (MiscUtil.isNotEmpty(dateOfBirth)) { + DateFormat identityLinkFormat = new SimpleDateFormat(IDENTITY_LINK_DATE_FORMAT); + this.dateOfBirth = identityLinkFormat.parse(dateOfBirth); + } + + } catch (ParseException e) { + Logger.warn("Parse dateOfBirht from IdentityLink FAILED", e); + + } + } + + /** + * Sets the familyName. + * @param familyName The familyName to set + */ + public void setFamilyName(String familyName) { + this.familyName = familyName; + } + + /** + * Sets the givenName. + * @param givenName The givenName to set + */ + public void setGivenName(String givenName) { + this.givenName = givenName; + } + + /** + * Sets the identificationValue. + * @param identificationValue The identificationValue to set + */ + public void setIdentificationValue(String identificationValue) { + this.identificationValue = identificationValue; + } + + /** + * Sets the identificationType. + * @param identificationType The identificationType to set + */ + public void setIdentificationType(String identificationType) { + this.identificationType = identificationType; + } + + /** + * Sets the issuer. + * @param issuer The issuer to set + */ + public void setIssuer(String issuer) { + this.issuer = issuer; + } + + /** + * Sets the bkuURL + * @param url The BKU URL to set + */ + public void setBkuURL(String url) { + this.bkuURL = url; + } + + public String getBPKType() { + return bPKType; + } + + public void setBPKType(String bPKType) { + this.bPKType = bPKType; + } + /** - * user identification type + * @return the identityLink */ - private String identificationType; - + public IdentityLink getIdentityLink() { + return identityLink; + } + /** - * user identityLink specialized to OAParamter + * @param identityLink the identityLink to set */ - private IdentityLink identityLink; + public void setIdentityLink(IdentityLink identityLink) { + this.identityLink = identityLink; + } + + + /** + * @return the storkAttributes + */ + public IPersonalAttributeList getStorkAttributes() { + return storkAttributes; + } + + + /** + * @param storkAttributes the storkAttributes to set + */ + public void setStorkAttributes(IPersonalAttributeList storkAttributes) { + this.storkAttributes = storkAttributes; + } + + + /** + * @return the signerCertificate + */ + public byte[] getSignerCertificate() { + return signerCertificate; + } + + + /** + * @param signerCertificate the signerCertificate to set + */ + public void setSignerCertificate(byte[] signerCertificate) { + this.signerCertificate = signerCertificate; + } + + + /** + * @return the authBlock + */ + public String getAuthBlock() { + return authBlock; + } + + + /** + * @param authBlock the authBlock to set + */ + public void setAuthBlock(String authBlock) { + this.authBlock = authBlock; + } + + + /** + * @return the mandate + */ + public MISMandate getMISMandate() { + return mandate; + } + + public Element getMandate() { + try { + byte[] byteMandate = mandate.getMandate(); + String stringMandate = new String(byteMandate); + return DOMUtils.parseDocument(stringMandate, false, null, null).getDocumentElement(); + + } + catch (Throwable e) { + Logger.warn("Mandate content could not be generated from MISMandate."); + return null; + } + } - /** - * application specific user identifier (bPK/wbPK) - */ - private String bPK; - - /** - * application specific user identifier type - */ - private String bPKType; - - /** - * given name of the user - */ - private String givenName; - /** - * family name of the user - */ - private String familyName; - /** - * date of birth of the user - */ - private String dateOfBirth; - /** - * says whether the certificate is a qualified certificate or not - */ - private boolean qualifiedCertificate; - /** - * says whether the certificate is a public authority or not - */ - private boolean publicAuthority; - /** - * public authority code (Behördenkennzeichen - BKZ) - */ - private String publicAuthorityCode; - /** - * The base64 encoded signer certificate. - */ - private String signerCertificate; - /** - * URL of the BKU - */ - private String bkuURL; - /** - * the corresponding lt;saml:Assertion> - */ - private String samlAssertion; - - /** useUTC */ -// private boolean useUTC; - /** - * creation timestamp - */ - Date timestamp; - - - - //this method is only required for MOA-ID Proxy 2.0 Release. - //TODO: remove it, if MOA-ID Proxy is not supported anymore. - public String getWBPK() { - return bPK; + + /** + * @param mandate the mandate to set + */ + public void setMISMandate(MISMandate mandate) { + this.mandate = mandate; } - - - /** - * Constructor for AuthenticationData. - */ - public AuthenticationData() { - timestamp = new Date(); - } - - /** - * Returns the minorVersion. - * @return int - */ - public int getMinorVersion() { - return minorVersion; - } - - /** - * Returns the publicAuthority. - * @return boolean - */ - public boolean isPublicAuthority() { - return publicAuthority; - } - - /** - * Returns the publicAuthorityCode. - * @return String - */ - public String getPublicAuthorityCode() { - return publicAuthorityCode; - } - - /** - * Returns the qualifiedCertificate. - * @return boolean - */ - public boolean isQualifiedCertificate() { - return qualifiedCertificate; - } - - /** - * Returns the bPK. - * @return String - */ - public String getBPK() { - return bPK; - } - -// /** -// * Returns useUTC -// * @return useUTC -// */ -// public boolean getUseUTC() { -// return useUTC; -// } - - /** - * Sets the minorVersion. - * @param minorVersion The minorVersion to set - */ - public void setMinorVersion(int minorVersion) { - this.minorVersion = minorVersion; - } - - /** - * Sets the publicAuthority. - * @param publicAuthority The publicAuthority to set - */ - public void setPublicAuthority(boolean publicAuthority) { - this.publicAuthority = publicAuthority; - } - - /** - * Sets the publicAuthorityCode. - * @param publicAuthorityIdentification The publicAuthorityCode to set - */ - public void setPublicAuthorityCode(String publicAuthorityIdentification) { - this.publicAuthorityCode = publicAuthorityIdentification; - } - - /** - * Sets the qualifiedCertificate. - * @param qualifiedCertificate The qualifiedCertificate to set - */ - public void setQualifiedCertificate(boolean qualifiedCertificate) { - this.qualifiedCertificate = qualifiedCertificate; - } - - /** - * Sets the bPK. - * @param bPK The bPK to set - */ - public void setBPK(String bPK) { - this.bPK = bPK; - } - -// /** -// * Sets the wbPK. -// * @param wbPK The wbPK to set -// */ -// public void setWBPK(String wbPK) { -// this.wbPK = wbPK; -// } - -// public void setUseUTC(boolean useUTC) { -// this.useUTC = useUTC; -// } - - /** - * Returns the assertionID. - * @return String - */ - public String getAssertionID() { - return assertionID; - } - - /** - * Returns the dateOfBirth. - * @return String - */ - public String getDateOfBirth() { - return dateOfBirth; - } - - /** - * Returns the familyName. - * @return String - */ - public String getFamilyName() { - return familyName; - } - - /** - * Returns the givenName. - * @return String - */ - public String getGivenName() { - return givenName; - } - - /** - * Returns the identificationValue. - * @return String - */ - public String getIdentificationValue() { - return identificationValue; - } + /** - * Returns the identificationType - * @return String + * @return the useMandate */ - public String getIdentificationType() { - return identificationType; + public boolean isUseMandate() { + return useMandate; } - /** - * Returns the issueInstant. - * @return String - */ - public String getIssueInstant() { - return issueInstant; - } - - /** - * Returns the issuer. - * @return String - */ - public String getIssuer() { - return issuer; - } - - /** - * Returns the majorVersion. - * @return int - */ - public int getMajorVersion() { - return majorVersion; - } - - /** - * Returns the BKU URL. - * @return String - */ - public String getBkuURL() { - return bkuURL; - } - - /** - * Returns the signer certificate. - * @return String - */ - public String getSignerCertificate() { - return signerCertificate; - } - - /** - * Sets the assertionID. - * @param assertionID The assertionID to set - */ - public void setAssertionID(String assertionID) { - this.assertionID = assertionID; - } - - /** - * Sets the dateOfBirth. - * @param dateOfBirth The dateOfBirth to set - */ - public void setDateOfBirth(String dateOfBirth) { - this.dateOfBirth = dateOfBirth; - } - - /** - * Sets the familyName. - * @param familyName The familyName to set - */ - public void setFamilyName(String familyName) { - this.familyName = familyName; - } - - /** - * Sets the givenName. - * @param givenName The givenName to set - */ - public void setGivenName(String givenName) { - this.givenName = givenName; - } - - /** - * Sets the identificationValue. - * @param identificationValue The identificationValue to set - */ - public void setIdentificationValue(String identificationValue) { - this.identificationValue = identificationValue; - } /** - * Sets the identificationType. - * @param identificationType The identificationType to set + * @param useMandate the useMandate to set */ - public void setIdentificationType(String identificationType) { - this.identificationType = identificationType; + public void setUseMandate(boolean useMandate) { + this.useMandate = useMandate; } - /** - * Sets the issueInstant. - * @param issueInstant The issueInstant to set - */ - public void setIssueInstant(String issueInstant) { - this.issueInstant = issueInstant; - } - - /** - * Sets the issuer. - * @param issuer The issuer to set - */ - public void setIssuer(String issuer) { - this.issuer = issuer; - } - - /** - * Sets the majorVersion. - * @param majorVersion The majorVersion to set - */ - public void setMajorVersion(int majorVersion) { - this.majorVersion = majorVersion; - } - - /** - * Sets the bkuURL - * @param url The BKU URL to set - */ - public void setBkuURL(String url) { - this.bkuURL = url; - } - - /** - * Sets the signer certificate - * @param signerCertificate The signer certificate - */ - public void setSignerCertificate(String signerCertificate) { - this.signerCertificate = signerCertificate; - } - - /** - * Returns the samlAssertion. - * @return String - */ - public String getSamlAssertion() { - return samlAssertion; - } - - /** - * Sets the samlAssertion. - * @param samlAssertion The samlAssertion to set - */ - public void setSamlAssertion(String samlAssertion) { - this.samlAssertion = samlAssertion; - } - - /** - * Returns the timestamp. - * @return Date - */ - public Date getTimestamp() { - return timestamp; - } - -public String getBPKType() { - return bPKType; -} -public void setBPKType(String bPKType) { - this.bPKType = bPKType; -} + /** + * @return + */ + public String getQAALevel() { + return this.QAALevel; + } -/** - * @return the identityLink - */ -public IdentityLink getIdentityLink() { - return identityLink; -} -/** - * @param identityLink the identityLink to set - */ -public void setIdentityLink(IdentityLink identityLink) { - this.identityLink = identityLink; -} + /** + * @return + */ + public boolean isForeigner() { + return this.foreigner; + } + + /** + * @param foreigner the foreigner to set + */ + public void setForeigner(boolean foreigner) { + this.foreigner = foreigner; + } + + + /** + * @param qAALevel the qAALevel to set + */ + public void setQAALevel(String qAALevel) { + QAALevel = qAALevel; + } + + + /** + * @return the ssoSession + */ + public boolean isSsoSession() { + return ssoSession; + } + + + /** + * @param ssoSession the ssoSession to set + */ + public void setSsoSession(boolean ssoSession) { + this.ssoSession = ssoSession; + } + /** + * @param storkRequest the storkRequest to set + */ + public void setStorkRequest(STORKAuthnRequest storkRequest) { + this.storkRequest = storkRequest; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getStorkAuthnRequest() + */ + @Override + public STORKAuthnRequest getStorkAuthnRequest() { + return this.storkRequest; + } + + /** + * @return the storkAuthnResponse + */ + public String getStorkAuthnResponse() { + return storkAuthnResponse; + } + + /** + * @param storkAuthnResponse the storkAuthnResponse to set + */ + public void setStorkAuthnResponse(String storkAuthnResponse) { + this.storkAuthnResponse = storkAuthnResponse; + } + + /** + * @return the mandateReferenceValue + */ + public String getMandateReferenceValue() { + return mandateReferenceValue; + } + + /** + * @param mandateReferenceValue the mandateReferenceValue to set + */ + public void setMandateReferenceValue(String mandateReferenceValue) { + this.mandateReferenceValue = mandateReferenceValue; + } + + /** + * @return the ccc + */ + public String getCcc() { + return ccc; + } + + /** + * @param ccc the ccc to set + */ + public void setCcc(String ccc) { + this.ccc = ccc; + } + + + + + - } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java new file mode 100644 index 000000000..699bd871b --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java @@ -0,0 +1,79 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.data; + +import java.util.Date; + +import org.w3c.dom.Element; + +import eu.stork.peps.auth.commons.IPersonalAttributeList; +import eu.stork.peps.auth.commons.STORKAuthnRequest; + +import at.gv.egovernment.moa.id.auth.data.IdentityLink; +import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; + +/** + * @author tlenz + * + */ +public interface IAuthData { + + Date getIssueInstant(); + String getIssuer(); + + boolean isSsoSession(); + boolean isUseMandate(); + + String getFamilyName(); + String getGivenName(); + Date getDateOfBirth(); + String getFormatedDateOfBirth(); + + String getBPK(); + String getBPKType(); + + String getIdentificationValue(); + String getIdentificationType(); + + String getBkuURL(); + + IdentityLink getIdentityLink(); + byte[] getSignerCertificate(); + String getAuthBlock(); + + boolean isPublicAuthority(); + String getPublicAuthorityCode(); + boolean isQualifiedCertificate(); + + MISMandate getMISMandate(); + Element getMandate(); + String getMandateReferenceValue(); + + String getQAALevel(); + + boolean isForeigner(); + String getCcc(); + STORKAuthnRequest getStorkAuthnRequest(); + String getStorkAuthnResponse(); + IPersonalAttributeList getStorkAttributes(); +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 9fb2c7a69..31e19ee46 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -25,18 +25,15 @@ package at.gv.egovernment.moa.id.entrypoints; import java.io.IOException; import java.util.Iterator; -import java.util.Map; -import java.util.Set; -import java.util.concurrent.ConcurrentHashMap; import javax.servlet.ServletConfig; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; import at.gv.egovernment.moa.id.advancedlogging.StatisticLogger; import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer; +import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; @@ -46,6 +43,7 @@ import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.AuthenticationManager; import at.gv.egovernment.moa.id.moduls.IAction; @@ -250,7 +248,8 @@ public class DispatcherServlet extends AuthServlet{ try { protocolRequest = info.preProcess(req, resp, action); - if (protocolRequest != null) { + if (protocolRequest != null && + MiscUtil.isEmpty(protocolRequest.getRequestID())) { //Start new Authentication protocolRequest.setAction(action); @@ -262,6 +261,10 @@ public class DispatcherServlet extends AuthServlet{ Logger.debug(DispatcherServlet.class.getName()+": Create PendingRequest with ID " + protocolRequestID + "."); + } else if (protocolRequest != null && + protocolRequest.getInterfederationResponse() != null ) { + Logger.info("PreProcessing of SSO interfederation response complete. "); + } else { Logger.error("Failed to generate a valid protocol request!"); resp.setContentType("text/html;charset=UTF-8"); @@ -297,11 +300,12 @@ public class DispatcherServlet extends AuthServlet{ String moasessionID = null; String newSSOSessionId = null; AuthenticationSession moasession = null; + IAuthData authData = null; //get SSO Cookie for Request String ssoId = ssomanager.getSSOSessionID(req); - boolean needAuthentication = moduleAction.needAuthentication(protocolRequest, req, resp); + boolean needAuthentication = moduleAction.needAuthentication(protocolRequest, req, resp); if (needAuthentication) { @@ -405,11 +409,11 @@ public class DispatcherServlet extends AuthServlet{ moasessionID = AuthenticationSessionStoreage.changeSessionID(moasession); } - - + //build authenticationdata from session information and OA configuration + authData = AuthenticationDataBuilder.buildAuthenticationData(protocolRequest, moasession); } - - SLOInformationInterface assertionID = moduleAction.processRequest(protocolRequest, req, resp, moasession); + + SLOInformationInterface assertionID = moduleAction.processRequest(protocolRequest, req, resp, authData); RequestStorage.removePendingRequest(protocolRequestID); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index b76863602..8a7a876a7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -115,9 +115,7 @@ public class AuthenticationManager extends AuthServlet { AuthenticationSession authSession; try { authSession = AuthenticationSessionStoreage.getSession(sessionID); - - - + if (authSession != null) { Logger.info("MOASession found! A: " + authSession.isAuthenticated() + ", AU " @@ -228,6 +226,7 @@ public class AuthenticationManager extends AuthServlet { idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleSignOnServices()) { // use POST binding as default if it exists + //TODO: maybe use RedirectBinding as default if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) { redirectEndpoint = sss; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IAction.java index a2843d026..529e2ab81 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IAction.java @@ -26,12 +26,13 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; public interface IAction extends MOAIDAuthConstants { - public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, AuthenticationSession moasession) + public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException; public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java index 394fd1430..9376e3d58 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java @@ -27,9 +27,8 @@ import java.util.List; import org.apache.commons.lang.StringUtils; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.oauth20.Pair; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.BPKAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDAuthBlock; @@ -173,10 +172,10 @@ public final class OAuth20AttributeBuilder { } private static void addAttibutes(final List builders, final JsonObject jsonObject, - final AuthenticationSession authSession, final OAAuthParameter oaParam, final AuthenticationData authData) { + final OAAuthParameter oaParam, final IAuthData authData) { for (IAttributeBuilder b : builders) { try { - Pair attribute = b.build(authSession, oaParam, authData, generator); + Pair attribute = b.build(oaParam, authData, generator); if (attribute != null && !StringUtils.isEmpty(attribute.getSecond().getAsString())) { jsonObject.add(attribute.getFirst(), attribute.getSecond()); } @@ -187,33 +186,33 @@ public final class OAuth20AttributeBuilder { } } - public static void addScopeOpenId(final JsonObject jsonObject, final AuthenticationSession authSession, - final OAAuthParameter oaParam, final AuthenticationData authData) { - addAttibutes(buildersOpenId, jsonObject, authSession, oaParam, authData); + public static void addScopeOpenId(final JsonObject jsonObject, + final OAAuthParameter oaParam, final IAuthData authData) { + addAttibutes(buildersOpenId, jsonObject, oaParam, authData); } - public static void addScopeProfile(final JsonObject jsonObject, final AuthenticationSession authSession, - final OAAuthParameter oaParam, final AuthenticationData authData) { - addAttibutes(buildersProfile, jsonObject, authSession, oaParam, authData); + public static void addScopeProfile(final JsonObject jsonObject, + final OAAuthParameter oaParam, final IAuthData authData) { + addAttibutes(buildersProfile, jsonObject, oaParam, authData); } - public static void addScopeEID(final JsonObject jsonObject, final AuthenticationSession authSession, - final OAAuthParameter oaParam, final AuthenticationData authData) { - addAttibutes(buildersEID, jsonObject, authSession, oaParam, authData); + public static void addScopeEID(final JsonObject jsonObject, + final OAAuthParameter oaParam, final IAuthData authData) { + addAttibutes(buildersEID, jsonObject, oaParam, authData); } - public static void addScopeEIDGov(final JsonObject jsonObject, final AuthenticationSession authSession, - final OAAuthParameter oaParam, final AuthenticationData authData) { - addAttibutes(buildersEIDGov, jsonObject, authSession, oaParam, authData); + public static void addScopeEIDGov(final JsonObject jsonObject, + final OAAuthParameter oaParam, final IAuthData authData) { + addAttibutes(buildersEIDGov, jsonObject, oaParam, authData); } - public static void addScopeMandate(final JsonObject jsonObject, final AuthenticationSession authSession, - final OAAuthParameter oaParam, final AuthenticationData authData) { - addAttibutes(buildersMandate, jsonObject, authSession, oaParam, authData); + public static void addScopeMandate(final JsonObject jsonObject, + final OAAuthParameter oaParam, final IAuthData authData) { + addAttibutes(buildersMandate, jsonObject, oaParam, authData); } - public static void addScopeSTORK(final JsonObject jsonObject, final AuthenticationSession authSession, - final OAAuthParameter oaParam, final AuthenticationData authData) { - addAttibutes(buildersSTORK, jsonObject, authSession, oaParam, authData); + public static void addScopeSTORK(final JsonObject jsonObject, + final OAAuthParameter oaParam, final IAuthData authData) { + addAttibutes(buildersSTORK, jsonObject, oaParam, authData); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAuthenticationTimeAttribute.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAuthenticationTimeAttribute.java index da1980896..121648499 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAuthenticationTimeAttribute.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAuthenticationTimeAttribute.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; @@ -35,9 +34,9 @@ public class OpenIdAuthenticationTimeAttribute implements IAttributeBuilder { return "auth_time"; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - return g.buildLongAttribute(this.getName(), "", ((long) (authData.getTimestamp().getTime() / 1000))); + return g.buildLongAttribute(this.getName(), "", ((long) (authData.getIssueInstant().getTime() / 1000))); } public ATT buildEmpty(IAttributeGenerator g) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdExpirationTimeAttribute.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdExpirationTimeAttribute.java index e7a85705a..9230c0105 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdExpirationTimeAttribute.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdExpirationTimeAttribute.java @@ -24,9 +24,8 @@ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; import java.util.Date; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; @@ -39,7 +38,7 @@ public class OpenIdExpirationTimeAttribute implements IAttributeBuilder { return "exp"; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { return g.buildLongAttribute(this.getName(), "", (long) (new Date().getTime() / 1000 + expirationTime)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssueInstantAttribute.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssueInstantAttribute.java index a75dfd029..3bdda5c2a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssueInstantAttribute.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssueInstantAttribute.java @@ -24,9 +24,8 @@ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; import java.util.Date; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; @@ -37,7 +36,7 @@ public class OpenIdIssueInstantAttribute implements IAttributeBuilder { return "iat"; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { return g.buildLongAttribute(this.getName(), "", (long) (new Date().getTime() / 1000)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssuerAttribute.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssuerAttribute.java index d21f1a5bb..85c46d5b2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssuerAttribute.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssuerAttribute.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; @@ -35,7 +34,7 @@ public class OpenIdIssuerAttribute implements IAttributeBuilder { return "iss"; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { return g.buildStringAttribute(this.getName(), "", authData.getIssuer()); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdSubjectIdentifierAttribute.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdSubjectIdentifierAttribute.java index bc48ce915..d5bda0dba 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdSubjectIdentifierAttribute.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdSubjectIdentifierAttribute.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; @@ -35,7 +34,7 @@ public class OpenIdSubjectIdentifierAttribute implements IAttributeBuilder { return "sub"; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { return g.buildStringAttribute(this.getName(), "", authData.getBPK()); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileDateOfBirthAttribute.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileDateOfBirthAttribute.java index a92b0c12d..dd84536ed 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileDateOfBirthAttribute.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileDateOfBirthAttribute.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; @@ -35,9 +34,9 @@ public class ProfileDateOfBirthAttribute implements IAttributeBuilder { return "birthdate"; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - return g.buildStringAttribute(this.getName(), "", authData.getDateOfBirth()); + return g.buildStringAttribute(this.getName(), "", authData.getFormatedDateOfBirth()); } public ATT buildEmpty(IAttributeGenerator g) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileFamilyNameAttribute.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileFamilyNameAttribute.java index 5ce22a6c6..02cc66e4b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileFamilyNameAttribute.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileFamilyNameAttribute.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; @@ -35,7 +34,7 @@ public class ProfileFamilyNameAttribute implements IAttributeBuilder { return "family_name"; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { return g.buildStringAttribute(this.getName(), "", authData.getFamilyName()); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileGivenNameAttribute.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileGivenNameAttribute.java index 047bfa9a9..302ce8105 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileGivenNameAttribute.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileGivenNameAttribute.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; @@ -35,7 +34,7 @@ public class ProfileGivenNameAttribute implements IAttributeBuilder { return "given_name"; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { return g.buildStringAttribute(this.getName(), "", authData.getGivenName()); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java index 3cc12ff98..2a1fe0882 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java @@ -30,13 +30,10 @@ import java.util.UUID; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import at.gv.egovernment.moa.id.auth.AuthenticationServer; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; -import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; @@ -53,14 +50,13 @@ import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuth20SignatureUtil; import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthJsonToken; import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthSigner; import at.gv.egovernment.moa.id.storage.AssertionStorage; -import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; class OAuth20AuthAction implements IAction { public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, - AuthenticationSession moasession) throws MOAIDException { + IAuthData authData) throws MOAIDException { OAuth20AuthRequest oAuthRequest = (OAuth20AuthRequest) req; String responseType = oAuthRequest.getResponseType(); @@ -78,7 +74,7 @@ class OAuth20AuthAction implements IAction { o.setCode(code); //generate idToken from MOASession - Map idToken = generateIDToken(o, oAuthRequest, moasession, accessToken); + Map idToken = generateIDToken(o, oAuthRequest, authData, accessToken); o.setAuthDataSession(idToken); } else if (responseType.equals(OAuth20Constants.RESPONSE_TOKEN)) { @@ -124,7 +120,7 @@ class OAuth20AuthAction implements IAction { } private Map generateIDToken(OAuth20SessionObject auth20SessionObject, - OAuth20AuthRequest oAuthRequest, AuthenticationSession moasession, String accessToken) throws SignatureException, MOAIDException { + OAuth20AuthRequest oAuthRequest, IAuthData authData, String accessToken) throws SignatureException, MOAIDException { // create response Map params = new HashMap(); @@ -134,7 +130,7 @@ class OAuth20AuthAction implements IAction { // build id token and scope Pair pair = buildIdToken(auth20SessionObject.getScope(), oAuthRequest, - moasession); + authData); Logger.debug("RESPONSE ID_TOKEN: " + pair.getFirst()); params.put(OAuth20Constants.RESPONSE_ID_TOKEN, pair.getFirst()); Logger.debug("RESPONSE SCOPE: " + pair.getSecond()); @@ -144,34 +140,33 @@ class OAuth20AuthAction implements IAction { } - private Pair buildIdToken(String scope, OAuth20AuthRequest oAuthRequest, AuthenticationSession session) + private Pair buildIdToken(String scope, OAuth20AuthRequest oAuthRequest, IAuthData authData) throws MOAIDException, SignatureException { OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(oAuthRequest.getOAURL()); - AuthenticationData authData = AuthenticationServer.buildAuthenticationData(session, oaParam, oAuthRequest.getTarget()); OAuthSigner signer = OAuth20SignatureUtil.loadSigner(authData.getIssuer()); OAuthJsonToken token = new OAuthJsonToken(signer); StringBuilder resultScopes = new StringBuilder(); // always fill with open id - OAuth20AttributeBuilder.addScopeOpenId(token.getPayloadAsJsonObject(), session, oaParam, authData); + OAuth20AttributeBuilder.addScopeOpenId(token.getPayloadAsJsonObject(), oaParam, authData); resultScopes.append("openId"); for (String s : scope.split(" ")) { if (s.equalsIgnoreCase("profile")) { - OAuth20AttributeBuilder.addScopeProfile(token.getPayloadAsJsonObject(), session, oaParam, authData); + OAuth20AttributeBuilder.addScopeProfile(token.getPayloadAsJsonObject(), oaParam, authData); resultScopes.append(" profile"); } else if (s.equalsIgnoreCase("eID")) { - OAuth20AttributeBuilder.addScopeEID(token.getPayloadAsJsonObject(), session, oaParam, authData); + OAuth20AttributeBuilder.addScopeEID(token.getPayloadAsJsonObject(), oaParam, authData); resultScopes.append(" eID"); } else if (s.equalsIgnoreCase("eID_gov")) { - OAuth20AttributeBuilder.addScopeEIDGov(token.getPayloadAsJsonObject(), session, oaParam, authData); + OAuth20AttributeBuilder.addScopeEIDGov(token.getPayloadAsJsonObject(), oaParam, authData); resultScopes.append(" eID_gov"); } else if (s.equalsIgnoreCase("mandate")) { - OAuth20AttributeBuilder.addScopeMandate(token.getPayloadAsJsonObject(), session, oaParam, authData); + OAuth20AttributeBuilder.addScopeMandate(token.getPayloadAsJsonObject(), oaParam, authData); resultScopes.append(" mandate"); } else if (s.equalsIgnoreCase("stork")) { - OAuth20AttributeBuilder.addScopeSTORK(token.getPayloadAsJsonObject(), session, oaParam, authData); + OAuth20AttributeBuilder.addScopeSTORK(token.getPayloadAsJsonObject(), oaParam, authData); resultScopes.append(" stork"); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java index be320271a..944da38d0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java @@ -26,9 +26,9 @@ package at.gv.egovernment.moa.id.protocols.oauth20.protocol; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; @@ -44,7 +44,7 @@ import com.google.gson.JsonObject; class OAuth20TokenAction implements IAction { public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, - AuthenticationSession moasession) throws MOAIDException { + IAuthData authData) throws MOAIDException { OAuth20SessionObject auth20SessionObject = null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java index 1221e7234..7410e0624 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java @@ -25,8 +25,8 @@ package at.gv.egovernment.moa.id.protocols.pvp2x; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; @@ -36,10 +36,10 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler.RequestManager; public class AuthenticationAction implements IAction { public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, - HttpServletResponse httpResp, AuthenticationSession moasession) throws MOAIDException { + HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { PVPTargetConfiguration pvpRequest = (PVPTargetConfiguration) req; - SLOInformationImpl sloInformation = (SLOInformationImpl) RequestManager.getInstance().handle(pvpRequest.request, httpReq, httpResp, moasession); + SLOInformationImpl sloInformation = (SLOInformationImpl) RequestManager.getInstance().handle(pvpRequest.request, httpReq, httpResp, authData); //set protocol type sloInformation.setProtocolType(req.requestedModule()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index fd501fde7..283142cda 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -23,7 +23,6 @@ package at.gv.egovernment.moa.id.protocols.pvp2x; import java.io.StringWriter; -import java.security.KeyStore; import java.util.List; import javax.servlet.http.HttpServletRequest; @@ -58,16 +57,15 @@ import org.opensaml.xml.security.SecurityHelper; import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.credential.UsageType; import org.opensaml.xml.security.keyinfo.KeyInfoGenerator; -import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter; import org.opensaml.xml.security.x509.X509Credential; import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; import org.opensaml.xml.signature.Signature; import org.opensaml.xml.signature.Signer; import org.w3c.dom.Document; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; @@ -77,14 +75,13 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MiscUtil; public class MetadataAction implements IAction { private static final int VALIDUNTIL_IN_HOURS = 24; public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, - HttpServletResponse httpResp, AuthenticationSession moasession) throws MOAIDException { + HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { try { EntitiesDescriptor idpEntitiesDescriptor = diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java index 39e35120c..57f01210d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java @@ -29,9 +29,8 @@ import java.util.List; import org.opensaml.saml2.core.Attribute; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.BPKAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.BirthdateAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDAuthBlock; @@ -150,11 +149,11 @@ public class PVPAttributeBuilder { addBuilder(new STORKTitleAttributBuilder()); } - public static Attribute buildAttribute(String name, AuthenticationSession authSession, OAAuthParameter oaParam, - AuthenticationData authData) throws PVP2Exception { + public static Attribute buildAttribute(String name, OAAuthParameter oaParam, + IAuthData authData) throws PVP2Exception { if (builders.containsKey(name)) { try { - return builders.get(name).build(authSession, oaParam, authData, generator); + return builders.get(name).build(oaParam, authData, generator); } catch (AttributeException e) { if (e instanceof UnavailableAttributeException) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index def0d9b80..5f16bcfce 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -58,13 +58,12 @@ import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; -import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; @@ -83,7 +82,7 @@ import at.gv.egovernment.moa.util.Constants; public class PVP2AssertionBuilder implements PVPConstants { public static Assertion buildAssertion(AuthnRequest authnRequest, - AuthenticationSession authSession, EntityDescriptor peerEntity, DateTime date, + IAuthData authData, EntityDescriptor peerEntity, DateTime date, AssertionConsumerService assertionConsumerService, SLOInformationImpl sloInformation) throws MOAIDException { Assertion assertion = SAML2Utils.createSAMLObject(Assertion.class); @@ -99,7 +98,7 @@ public class PVP2AssertionBuilder implements PVPConstants { peerEntity.getEntityID()); if (reqAuthnContext == null) { - authnContextClassRef.setAuthnContextClassRef(authSession.getQAALevel()); + authnContextClassRef.setAuthnContextClassRef(authData.getQAALevel()); } else { @@ -110,7 +109,7 @@ public class PVP2AssertionBuilder implements PVPConstants { if (reqAuthnContextClassRefIt.size() == 0) { - QAALevelVerifier.verifyQAALevel(authSession.getQAALevel(), + QAALevelVerifier.verifyQAALevel(authData.getQAALevel(), STORK_QAA_1_4); stork_qaa_1_4_found = true; @@ -124,20 +123,20 @@ public class PVP2AssertionBuilder implements PVPConstants { || qaa_uri.trim().equals(STORK_QAA_1_2) || qaa_uri.trim().equals(STORK_QAA_1_1)) { - if (authSession.isForeigner()) { - QAALevelVerifier.verifyQAALevel(authSession.getQAALevel(), + if (authData.isForeigner()) { + QAALevelVerifier.verifyQAALevel(authData.getQAALevel(), STORK_QAA_PREFIX + oaParam.getQaaLevel()); stork_qaa_1_4_found = true; - authnContextClassRef.setAuthnContextClassRef(authSession.getQAALevel()); + authnContextClassRef.setAuthnContextClassRef(authData.getQAALevel()); } else { - QAALevelVerifier.verifyQAALevel(authSession.getQAALevel(), + QAALevelVerifier.verifyQAALevel(authData.getQAALevel(), qaa_uri.trim()); stork_qaa_1_4_found = true; - authnContextClassRef.setAuthnContextClassRef(authSession.getQAALevel()); + authnContextClassRef.setAuthnContextClassRef(authData.getQAALevel()); } break; @@ -172,10 +171,6 @@ public class PVP2AssertionBuilder implements PVPConstants { Subject subject = SAML2Utils.createSAMLObject(Subject.class); - AuthenticationData authData = AuthenticationServer - .buildAuthenticationData(authSession, oaParam, - oaParam.getTarget()); - //add Attributes to Assertion if (spSSODescriptor.getAttributeConsumingServices() != null && spSSODescriptor.getAttributeConsumingServices().size() > 0) { @@ -205,7 +200,7 @@ public class PVP2AssertionBuilder implements PVPConstants { RequestedAttribute reqAttribut = it.next(); try { Attribute attr = PVPAttributeBuilder.buildAttribute( - reqAttribut.getName(), authSession, oaParam, authData); + reqAttribut.getName(), oaParam, authData); if (attr == null) { if (reqAttribut.isRequired()) { throw new UnprovideableAttributeException( @@ -222,6 +217,16 @@ public class PVP2AssertionBuilder implements PVPConstants { throw new UnprovideableAttributeException( reqAttribut.getName()); } + + } catch (Exception e) { + Logger.error( + "General Attribute generation failed! for " + + reqAttribut.getFriendlyName(), e); + if (reqAttribut.isRequired()) { + throw new UnprovideableAttributeException( + reqAttribut.getName()); + } + } } } @@ -233,8 +238,8 @@ public class PVP2AssertionBuilder implements PVPConstants { NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class); //TLenz: set correct bPK Type and Value from AuthData - if (authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if (authData.isUseMandate()) { + Element mandate = authData.getMandate(); if(mandate == null) { throw new NoMandateDataAvailableException(); } @@ -263,7 +268,7 @@ public class PVP2AssertionBuilder implements PVPConstants { if (bpktype.equals(Constants.URN_PREFIX_BASEID)) { - if (authSession.getBusinessService()) { + if (oaParam.getBusinessService()) { subjectNameID.setValue(new BPKBuilder().buildWBPK(bpk, oaParam.getIdentityLinkDomainIdentifier())); if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) subjectNameID.setNameQualifier(oaParam.getIdentityLinkDomainIdentifier()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java index 648651350..3dd1dd064 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BPKAttributeBuilder.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; @@ -35,7 +34,7 @@ public class BPKAttributeBuilder implements IPVPAttributeBuilder { return BPK_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { String bpk = authData.getBPK(); String type = authData.getBPKType(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java index f3d815e7d..89ec383ce 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/BirthdateAttributeBuilder.java @@ -23,47 +23,31 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; import java.text.DateFormat; -import java.text.ParseException; import java.text.SimpleDateFormat; -import java.util.Date; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; -import at.gv.egovernment.moa.util.MiscUtil; public class BirthdateAttributeBuilder implements IPVPAttributeBuilder { - - public static final String IDENTITY_LINK_DATE_FORMAT = "yyyy-MM-dd"; - + public String getName() { return BIRTHDATE_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - try { - DateFormat identityLinkFormat = new SimpleDateFormat(IDENTITY_LINK_DATE_FORMAT); + + if (authData.getDateOfBirth() != null) { + DateFormat pvpDateFormat = new SimpleDateFormat(BIRTHDATE_FORMAT_PATTERN); + String dateString = pvpDateFormat.format(authData.getDateOfBirth()); + + return g.buildStringAttribute(BIRTHDATE_FRIENDLY_NAME, BIRTHDATE_NAME, dateString); - if (MiscUtil.isNotEmpty(authSession.getIdentityLink().getDateOfBirth())) { - Date date = identityLinkFormat.parse(authSession.getIdentityLink().getDateOfBirth()); - DateFormat pvpDateFormat = new SimpleDateFormat(BIRTHDATE_FORMAT_PATTERN); - String dateString = pvpDateFormat.format(date); + } else { + //build empty attribute if no Birthday date is found (STORK2) + return g.buildEmptyAttribute(BIRTHDATE_FRIENDLY_NAME, BIRTHDATE_NAME); - return g.buildStringAttribute(BIRTHDATE_FRIENDLY_NAME, BIRTHDATE_NAME, dateString); - - } else { - //build empty attribute if no Birthday date is found (STORK2) - return g.buildEmptyAttribute(BIRTHDATE_FRIENDLY_NAME, BIRTHDATE_NAME); - - } - - //return buildStringAttribute(BIRTHDATE_FRIENDLY_NAME, BIRTHDATE_NAME, dateString); - } - catch (ParseException e) { - e.printStackTrace(); - return null; } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java index 56972248b..ded9e7166 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDAuthBlock.java @@ -26,9 +26,8 @@ import iaik.util.logging.Log; import java.io.IOException; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; import at.gv.egovernment.moa.util.Base64Utils; @@ -40,11 +39,11 @@ public class EIDAuthBlock implements IPVPAttributeBuilder { return EID_AUTH_BLOCK_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { try { - String authblock = authSession.getAuthBlock(); + String authblock = authData.getAuthBlock(); if (MiscUtil.isNotEmpty(authblock)) { return g.buildStringAttribute(EID_AUTH_BLOCK_FRIENDLY_NAME, EID_AUTH_BLOCK_NAME, Base64Utils.encode(authblock.getBytes())); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCcsURL.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCcsURL.java index 7179dd090..2df5ec22e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCcsURL.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCcsURL.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; import at.gv.egovernment.moa.util.MiscUtil; @@ -35,10 +34,10 @@ public class EIDCcsURL implements IPVPAttributeBuilder { return EID_CCS_URL_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - String bkuurl = authSession.getBkuURL(); + String bkuurl = authData.getBkuURL(); if (MiscUtil.isNotEmpty(bkuurl)) return g.buildStringAttribute(EID_CCS_URL_FRIENDLY_NAME, EID_CCS_URL_NAME, bkuurl); else diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCitizenQAALevelAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCitizenQAALevelAttributeBuilder.java index 02088eea1..365f36594 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCitizenQAALevelAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDCitizenQAALevelAttributeBuilder.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class EIDCitizenQAALevelAttributeBuilder implements IPVPAttributeBuilder { @@ -33,10 +32,17 @@ public class EIDCitizenQAALevelAttributeBuilder implements IPVPAttributeBuilder return EID_CITIZEN_QAA_LEVEL_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { + + String qaaLevel = null; + if (authData.getQAALevel().startsWith(STORK_QAA_PREFIX)) + qaaLevel = authData.getQAALevel().substring(STORK_QAA_PREFIX.length()); + else + qaaLevel = authData.getQAALevel(); + return g.buildIntegerAttribute(EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME, - EID_CITIZEN_QAA_LEVEL_NAME, 4); + EID_CITIZEN_QAA_LEVEL_NAME, Integer.valueOf(qaaLevel)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java index 2d86586d2..531369e9a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java @@ -24,19 +24,11 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; import java.io.IOException; -import javax.xml.transform.TransformerException; - -import org.w3c.dom.Element; - -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; -import at.gv.egovernment.moa.id.util.IdentityLinkReSigner; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; -import at.gv.egovernment.moa.util.DOMUtils; public class EIDIdentityLinkBuilder implements IPVPAttributeBuilder { @@ -44,36 +36,15 @@ public class EIDIdentityLinkBuilder implements IPVPAttributeBuilder { return EID_IDENTITY_LINK_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { try { String ilAssertion = null; - if (oaParam.getBusinessService()) { + ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); - IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance(); - - Element resignedilAssertion; - - resignedilAssertion = identitylinkresigner.resignIdentityLink(authData.getIdentityLink() - .getSamlAssertion()); - - ilAssertion = DOMUtils.serializeNode(resignedilAssertion); - - } else - ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); - - return g.buildStringAttribute(EID_IDENTITY_LINK_FRIENDLY_NAME, EID_IDENTITY_LINK_NAME, Base64Utils.encode(ilAssertion.getBytes())); - } catch (MOAIDException e) { - Logger.warn("IdentityLink serialization error.", e); - return g.buildEmptyAttribute(EID_IDENTITY_LINK_FRIENDLY_NAME, - EID_IDENTITY_LINK_NAME); - } catch (TransformerException e) { - Logger.warn("IdentityLink serialization error.", e); - return g.buildEmptyAttribute(EID_IDENTITY_LINK_FRIENDLY_NAME, - EID_IDENTITY_LINK_NAME); } catch (IOException e) { Logger.warn("IdentityLink serialization error.", e); return g.buildEmptyAttribute(EID_IDENTITY_LINK_FRIENDLY_NAME, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java index 39d4d29e7..6ad3017d1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java @@ -27,9 +27,8 @@ import iaik.x509.X509Certificate; import javax.naming.ldap.LdapName; import javax.naming.ldap.Rdn; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.logging.Logger; @@ -39,21 +38,23 @@ public class EIDIssuingNationAttributeBuilder implements IPVPAttributeBuilder { return EID_ISSUING_NATION_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { String countryCode = "AT"; - if (authSession.getStorkAuthnRequest() != null) { - countryCode = authSession.getStorkAuthnRequest() + if (authData.getStorkAuthnRequest() != null) { + countryCode = authData.getStorkAuthnRequest() .getCitizenCountryCode(); - } else { - //TODO: replace with TSL lookup when TSL is ready! - X509Certificate certificate = authSession.getSignerCertificate(); + } else { + + try { + //TODO: replace with TSL lookup when TSL is ready! + X509Certificate certificate = new X509Certificate(authData.getSignerCertificate()); + + if (certificate != null) { - if (certificate != null) { - try { LdapName ln = new LdapName(certificate.getIssuerDN() .getName()); for (Rdn rdn : ln.getRdns()) { @@ -63,9 +64,11 @@ public class EIDIssuingNationAttributeBuilder implements IPVPAttributeBuilder { break; } } - } catch (Exception e) { - Logger.error("Failed to extract country code from certificate", e); } + + } catch (Exception e) { + Logger.error("Failed to extract country code from certificate", e); + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java index e8fba6af2..9a65157a4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; import at.gv.egovernment.moa.util.MiscUtil; @@ -35,15 +34,15 @@ public class EIDSTORKTOKEN implements IPVPAttributeBuilder { return EID_STORK_TOKEN_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - if (!authSession.isForeigner()) { + if (!authData.isForeigner()) { throw new UnavailableAttributeException(EID_STORK_TOKEN_NAME); } else { - String storkResponse = authSession.getStorkAuthnResponse(); + String storkResponse = authData.getStorkAuthnResponse(); if ( MiscUtil.isEmpty(storkResponse) ) { throw new UnavailableAttributeException(EID_STORK_TOKEN_NAME); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java index 807d59050..7f52e1d47 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSectorForIDAttributeBuilder.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class EIDSectorForIDAttributeBuilder implements IPVPAttributeBuilder { @@ -33,7 +32,7 @@ public class EIDSectorForIDAttributeBuilder implements IPVPAttributeBuilder { return EID_SECTOR_FOR_IDENTIFIER_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { String bpktype = authData.getBPKType(); return g.buildStringAttribute(EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSignerCertificate.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSignerCertificate.java index 7cd415ada..df1bc1860 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSignerCertificate.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSignerCertificate.java @@ -26,9 +26,8 @@ import iaik.util.logging.Log; import java.io.IOException; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; import at.gv.egovernment.moa.util.Base64Utils; @@ -39,11 +38,11 @@ public class EIDSignerCertificate implements IPVPAttributeBuilder { return EID_SIGNER_CERTIFICATE_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { try { - byte[] signerCertificate = authSession.getEncodedSignerCertificate(); + byte[] signerCertificate = authData.getSignerCertificate(); if (signerCertificate != null) { return g.buildStringAttribute(EID_SIGNER_CERTIFICATE_FRIENDLY_NAME, EID_SIGNER_CERTIFICATE_NAME, Base64Utils .encode(signerCertificate)); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java index 5bf65da04..a8b703fc2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePIN.java @@ -22,10 +22,10 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributePolicyException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; public class EIDSourcePIN implements IPVPAttributeBuilder { @@ -34,11 +34,11 @@ public class EIDSourcePIN implements IPVPAttributeBuilder { return EID_SOURCE_PIN_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { if (oaParam.getBusinessService()) - throw new UnavailableAttributeException(EID_SOURCE_PIN_NAME); + throw new AttributePolicyException(EID_SOURCE_PIN_NAME); else { return g.buildStringAttribute(EID_SOURCE_PIN_FRIENDLY_NAME, EID_SOURCE_PIN_NAME, authData.getIdentificationValue()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePINType.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePINType.java index ec509f74b..0681419fc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePINType.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSourcePINType.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; @@ -34,7 +33,7 @@ public class EIDSourcePINType implements IPVPAttributeBuilder { return EID_SOURCE_PIN_TYPE_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { if (oaParam.getBusinessService()) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/GivenNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/GivenNameAttributeBuilder.java index 7bd5e2db5..fcde1e9bd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/GivenNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/GivenNameAttributeBuilder.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class GivenNameAttributeBuilder implements IPVPAttributeBuilder { @@ -33,9 +32,9 @@ public class GivenNameAttributeBuilder implements IPVPAttributeBuilder { return GIVEN_NAME_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - return g.buildStringAttribute(GIVEN_NAME_FRIENDLY_NAME, GIVEN_NAME_NAME, authSession.getIdentityLink().getGivenName()); + return g.buildStringAttribute(GIVEN_NAME_FRIENDLY_NAME, GIVEN_NAME_NAME, authData.getGivenName()); } public ATT buildEmpty(IAttributeGenerator g) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/IAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/IAttributeBuilder.java index 55b16edfb..d66b0ab02 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/IAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/IAttributeBuilder.java @@ -22,15 +22,14 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public interface IAttributeBuilder { public String getName(); - public ATT build(final AuthenticationSession authSession, final OAAuthParameter oaParam, final AuthenticationData authData, + public ATT build(final OAAuthParameter oaParam, final IAuthData authData, final IAttributeGenerator g) throws AttributeException; public ATT buildEmpty(final IAttributeGenerator g); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java index 4528aa1fe..670398ff6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateFullMandateAttributeBuilder.java @@ -29,6 +29,7 @@ import javax.xml.transform.TransformerException; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; @@ -40,13 +41,13 @@ public class MandateFullMandateAttributeBuilder implements IPVPAttributeBuilder return MANDATE_FULL_MANDATE_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - if (authSession.getUseMandate()) { - if (authSession.getMandate() != null) { + if (authData.isUseMandate()) { + if (authData.getMandate() != null) { String fullMandate; try { - fullMandate = DOMUtils.serializeNode(authSession + fullMandate = DOMUtils.serializeNode(authData .getMandate()); return g.buildStringAttribute(MANDATE_FULL_MANDATE_FRIENDLY_NAME, MANDATE_FULL_MANDATE_NAME, Base64Utils.encode(fullMandate.getBytes())); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java index 9ab1de50d..9230e47fc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java @@ -26,9 +26,8 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; @@ -40,10 +39,10 @@ public class MandateLegalPersonFullNameAttributeBuilder implements IPVPAttribute return MANDATE_LEG_PER_FULL_NAME_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - if (authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if (authData.isUseMandate()) { + Element mandate = authData.getMandate(); if (mandate == null) { throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java index ca68704c9..04103f28a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java @@ -27,9 +27,8 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; @@ -41,10 +40,10 @@ public class MandateLegalPersonSourcePinAttributeBuilder implements IPVPAttribu return MANDATE_LEG_PER_SOURCE_PIN_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - if(authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if(authData.isUseMandate()) { + Element mandate = authData.getMandate(); if(mandate == null) { throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java index 5656d1769..02e1d7ce0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java @@ -27,9 +27,8 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; @@ -41,10 +40,10 @@ public class MandateLegalPersonSourcePinTypeAttributeBuilder implements IPVPAttr return MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - if (authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if (authData.isUseMandate()) { + Element mandate = authData.getMandate(); if (mandate == null) { throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java index 039fc8af8..38456302c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java @@ -28,10 +28,9 @@ import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; @@ -44,10 +43,10 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui return MANDATE_NAT_PER_BPK_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - if (authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if (authData.isUseMandate()) { + Element mandate = authData.getMandate(); if (mandate == null) { throw new NoMandateDataAttributeException(); } @@ -62,11 +61,6 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui } IdentificationType id = null; id = physicalPerson.getIdentification().get(0); - // if(authSession.getBusinessService()) { - // id = MandateBuilder.getWBPKIdentification(physicalPerson); - // } else { - // id = MandateBuilder.getBPKIdentification(physicalPerson); - // } if (id == null) { Logger.error("Failed to generate IdentificationType"); throw new NoMandateDataAttributeException(); @@ -76,7 +70,7 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui try { if (id.getType().equals(Constants.URN_PREFIX_BASEID)) { - if (authSession.getBusinessService()) { + if (oaParam.getBusinessService()) { bpk = new BPKBuilder().buildWBPK(id.getValue().getValue(), oaParam.getIdentityLinkDomainIdentifier()); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java index f5dc277bd..4fcfd4650 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java @@ -31,9 +31,8 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.InvalidDateFormatAttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; @@ -46,10 +45,10 @@ public class MandateNaturalPersonBirthDateAttributeBuilder implements IPVPAttrib return MANDATE_NAT_PER_BIRTHDATE_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - if (authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if (authData.isUseMandate()) { + Element mandate = authData.getMandate(); if (mandate == null) { throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java index 2a7bafdbc..3452d7ed0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java @@ -29,9 +29,8 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType.FamilyName; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; @@ -43,10 +42,10 @@ public class MandateNaturalPersonFamilyNameAttributeBuilder implements IPVPAttr return MANDATE_NAT_PER_FAMILY_NAME_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - if(authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if(authData.isUseMandate()) { + Element mandate = authData.getMandate(); if(mandate == null) { throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java index 4707c385a..59d5c65fe 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java @@ -28,9 +28,8 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; @@ -42,10 +41,10 @@ public class MandateNaturalPersonGivenNameAttributeBuilder implements IPVPAttrib return MANDATE_NAT_PER_GIVEN_NAME_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - if (authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if (authData.isUseMandate()) { + Element mandate = authData.getMandate(); if (mandate == null) { throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java index 7fbbce9bc..444312759 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java @@ -30,7 +30,9 @@ import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPers import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributePolicyException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.logging.Logger; @@ -41,10 +43,10 @@ public class MandateNaturalPersonSourcePinAttributeBuilder implements IPVPAttri return MANDATE_NAT_PER_SOURCE_PIN_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - if(authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if(authData.isUseMandate()) { + Element mandate = authData.getMandate(); if(mandate == null) { throw new NoMandateDataAttributeException(); } @@ -61,12 +63,10 @@ public class MandateNaturalPersonSourcePinAttributeBuilder implements IPVPAttri IdentificationType id = null; id = physicalPerson.getIdentification().get(0); - if(authSession.getBusinessService()) { - id = MandateBuilder.getWBPKIdentification(physicalPerson); - -// } else { -// id = MandateBuilder.getBPKIdentification(physicalPerson); + if(oaParam.getBusinessService()) { + throw new AttributePolicyException(this.getName()); } + if(id == null) { Logger.error("Failed to generate IdentificationType"); throw new NoMandateDataAttributeException(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java index 538cee048..6adc9b532 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java @@ -27,9 +27,8 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; @@ -41,10 +40,10 @@ public class MandateNaturalPersonSourcePinTypeAttributeBuilder implements IPVPAt return MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - if(authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if(authData.isUseMandate()) { + Element mandate = authData.getMandate(); if(mandate == null) { throw new NoMandateDataAttributeException(); } @@ -60,11 +59,6 @@ public class MandateNaturalPersonSourcePinTypeAttributeBuilder implements IPVPAt } IdentificationType id = null; id = physicalPerson.getIdentification().get(0); - /*if(authSession.getBusinessService()) { - id = MandateBuilder.getWBPKIdentification(physicalPerson); - } else { - id = MandateBuilder.getBPKIdentification(physicalPerson); - }*/ if(id == null) { Logger.error("Failed to generate IdentificationType"); throw new NoMandateDataAttributeException(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepDescAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepDescAttributeBuilder.java index 814211b24..4c981cb24 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepDescAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepDescAttributeBuilder.java @@ -22,14 +22,12 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import org.w3c.dom.Element; - -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AttributeExtractor; +import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; +import at.gv.egovernment.moa.util.MiscUtil; public class MandateProfRepDescAttributeBuilder implements IPVPAttributeBuilder { @@ -37,24 +35,24 @@ public class MandateProfRepDescAttributeBuilder implements IPVPAttributeBuilder return MANDATE_PROF_REP_DESC_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - if(authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if(authData.isUseMandate()) { + MISMandate mandate = authData.getMISMandate(); + + if(mandate == null) { throw new NoMandateDataAttributeException(); } - String text = AttributeExtractor.extractSAMLAttributeOA( - EXT_SAML_MANDATE_OIDTEXTUALDESCRIPTION, - authSession); + String text = mandate.getTextualDescriptionOfOID(); - if(text == null) { + if(MiscUtil.isEmpty(text)) { return null; - } - - return g.buildStringAttribute(MANDATE_PROF_REP_DESC_FRIENDLY_NAME, - MANDATE_PROF_REP_DESC_NAME, text); + + } else + return g.buildStringAttribute(MANDATE_PROF_REP_DESC_FRIENDLY_NAME, + MANDATE_PROF_REP_DESC_NAME, text); } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepOIDAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepOIDAttributeBuilder.java index b040072a6..1a3311c8a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepOIDAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateProfRepOIDAttributeBuilder.java @@ -22,14 +22,12 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import org.w3c.dom.Element; - -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AttributeExtractor; +import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; +import at.gv.egovernment.moa.util.MiscUtil; public class MandateProfRepOIDAttributeBuilder implements IPVPAttributeBuilder { @@ -37,21 +35,21 @@ public class MandateProfRepOIDAttributeBuilder implements IPVPAttributeBuilder { return MANDATE_PROF_REP_OID_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - if (authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if (authData.isUseMandate()) { + + MISMandate mandate = authData.getMISMandate(); if (mandate == null) { throw new NoMandateDataAttributeException(); } - String oid = AttributeExtractor.extractSAMLAttributeOA(EXT_SAML_MANDATE_OID, authSession); - - if (oid == null) { - return null; - } - - return g.buildStringAttribute(MANDATE_PROF_REP_OID_FRIENDLY_NAME, MANDATE_PROF_REP_OID_NAME, oid); + String oid = mandate.getProfRep(); + + if(MiscUtil.isEmpty(oid)) + return null; + else + return g.buildStringAttribute(MANDATE_PROF_REP_OID_FRIENDLY_NAME, MANDATE_PROF_REP_OID_NAME, oid); } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java index 7e7b57e4f..7b41e9bb6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateReferenceValueAttributeBuilder.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class MandateReferenceValueAttributeBuilder implements IPVPAttributeBuilder { @@ -33,12 +32,12 @@ public class MandateReferenceValueAttributeBuilder implements IPVPAttributeBuild return MANDATE_REFERENCE_VALUE_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - if (authSession.getUseMandate()) { + if (authData.isUseMandate()) { return g.buildStringAttribute(MANDATE_REFERENCE_VALUE_FRIENDLY_NAME, MANDATE_REFERENCE_VALUE_NAME, - authSession.getMandateReferenceValue()); + authData.getMandateReferenceValue()); } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateTypeAttributeBuilder.java index 4842141fc..63165f52a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateTypeAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateTypeAttributeBuilder.java @@ -25,9 +25,8 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; @@ -38,10 +37,10 @@ public class MandateTypeAttributeBuilder implements IPVPAttributeBuilder { return MANDATE_TYPE_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - if (authSession.getUseMandate()) { - Element mandate = authSession.getMandate(); + if (authData.isUseMandate()) { + Element mandate = authData.getMandate(); if (mandate == null) { throw new NoMandateDataAttributeException(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PVPVersionAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PVPVersionAttributeBuilder.java index e8c410555..674efa0d1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PVPVersionAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PVPVersionAttributeBuilder.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class PVPVersionAttributeBuilder implements IPVPAttributeBuilder { @@ -33,7 +32,7 @@ public class PVPVersionAttributeBuilder implements IPVPAttributeBuilder { return PVP_VERSION_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { return g.buildStringAttribute(PVP_VERSION_FRIENDLY_NAME, PVP_VERSION_NAME, PVP_VERSION_2_1); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PrincipalNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PrincipalNameAttributeBuilder.java index c687b2bff..11fdeb232 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PrincipalNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/PrincipalNameAttributeBuilder.java @@ -22,9 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class PrincipalNameAttributeBuilder implements IPVPAttributeBuilder { @@ -33,9 +32,9 @@ public class PrincipalNameAttributeBuilder implements IPVPAttributeBuilder { return PRINCIPAL_NAME_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - return g.buildStringAttribute(PRINCIPAL_NAME_FRIENDLY_NAME, PRINCIPAL_NAME_NAME, authSession.getIdentityLink().getFamilyName()); + return g.buildStringAttribute(PRINCIPAL_NAME_FRIENDLY_NAME, PRINCIPAL_NAME_NAME, authData.getFamilyName()); } public ATT buildEmpty(IAttributeGenerator g) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAdoptedFamilyNameAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAdoptedFamilyNameAttributBuilder.java index b81b30e5b..aff0fc0ef 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAdoptedFamilyNameAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAdoptedFamilyNameAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKAdoptedFamilyNameAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKAdoptedFamilyNameAttributBuilder implements IPVPAttributeBuild return STORKConstants.ADOPTEDFAMILYNAME_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { return g.buildStringAttribute(STORKConstants.ADOPTEDFAMILYNAME_FRIENDLYNAME, STORKConstants.ADOPTEDFAMILYNAME_NAME, - STORKAttributHelper.getAttribut(STORKConstants.ADOPTEDFAMILYNAME_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.ADOPTEDFAMILYNAME_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAgeAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAgeAttributBuilder.java index 98fe853ff..fb7c60a95 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAgeAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAgeAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKAgeAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKAgeAttributBuilder implements IPVPAttributeBuilder { return STORKConstants.AGE_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { return g.buildStringAttribute(STORKConstants.AGE_FRIENDLYNAME, STORKConstants.AGE_NAME, - STORKAttributHelper.getAttribut(STORKConstants.AGE_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.AGE_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAttributHelper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAttributHelper.java index 6d2b031a5..387e49d25 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAttributHelper.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKAttributHelper.java @@ -26,6 +26,7 @@ import eu.stork.peps.auth.commons.IPersonalAttributeList; import eu.stork.peps.auth.commons.PersonalAttribute; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; import at.gv.egovernment.moa.logging.Logger; @@ -36,7 +37,7 @@ import at.gv.egovernment.moa.logging.Logger; public class STORKAttributHelper { public static String getAttribut(String attributName, - AuthenticationSession authSession) throws UnavailableAttributeException { + IAuthData authSession) throws UnavailableAttributeException { if (!authSession.isForeigner()) { throw new UnavailableAttributeException(attributName); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKCanonicalResidenceAddressAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKCanonicalResidenceAddressAttributBuilder.java index c3d6f070d..ddfa63b51 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKCanonicalResidenceAddressAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKCanonicalResidenceAddressAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKCanonicalResidenceAddressAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKCanonicalResidenceAddressAttributBuilder implements IPVPAttrib return STORKConstants.CANONICALRESIDENCEADDRESS_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { return g.buildStringAttribute(STORKConstants.CANONICALRESIDENCEADDRESS_FRIENDLYNAME, STORKConstants.CANONICALRESIDENCEADDRESS_NAME, - STORKAttributHelper.getAttribut(STORKConstants.CANONICALRESIDENCEADDRESS_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.CANONICALRESIDENCEADDRESS_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKCountryCodeOfBirthAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKCountryCodeOfBirthAttributBuilder.java index c873a86ea..08cd65a6d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKCountryCodeOfBirthAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKCountryCodeOfBirthAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKCountryCodeOfBirthAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKCountryCodeOfBirthAttributBuilder implements IPVPAttributeBuil return STORKConstants.CONTRYCODEOFBIRTH_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { return g.buildStringAttribute(STORKConstants.CONTRYCODEOFBIRTH_FRIENDLYNAME, STORKConstants.CONTRYCODEOFBIRTH_NAME, - STORKAttributHelper.getAttribut(STORKConstants.CONTRYCODEOFBIRTH_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.CONTRYCODEOFBIRTH_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKFiscalNumberAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKFiscalNumberAttributBuilder.java index 394bffa31..f3a77708b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKFiscalNumberAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKFiscalNumberAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKFiscalNumberAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKFiscalNumberAttributBuilder implements IPVPAttributeBuilder { return STORKConstants.FISCALNUMBER_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { return g.buildStringAttribute(STORKConstants.FISCALNUMBER_FRIENDLYNAME, STORKConstants.FISCALNUMBER_NAME, - STORKAttributHelper.getAttribut(STORKConstants.FISCALNUMBER_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.FISCALNUMBER_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKGenderAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKGenderAttributBuilder.java index 9209e73c4..6f62dbf89 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKGenderAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKGenderAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKGenderAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKGenderAttributBuilder implements IPVPAttributeBuilder { return STORKConstants.GENDER_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { return g.buildStringAttribute(STORKConstants.GENDER_FRIENDLYNAME, STORKConstants.GENDER_NAME, - STORKAttributHelper.getAttribut(STORKConstants.GENDER_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.GENDER_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKInhertedFamilyNameAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKInhertedFamilyNameAttributBuilder.java index 59f345bd3..65bf9ff6e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKInhertedFamilyNameAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKInhertedFamilyNameAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKInhertedFamilyNameAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKInhertedFamilyNameAttributBuilder implements IPVPAttributeBuil return STORKConstants.INHERITEDFAMILYNAME_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { return g.buildStringAttribute(STORKConstants.INHERITEDFAMILYNAME_FRIENDLYNAME, STORKConstants.INHERITEDFAMILYNAME_NAME, - STORKAttributHelper.getAttribut(STORKConstants.INHERITEDFAMILYNAME_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.INHERITEDFAMILYNAME_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKIsAgeOverAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKIsAgeOverAttributBuilder.java index d99833f13..a7a77d7b4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKIsAgeOverAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKIsAgeOverAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKIsAgeOverAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKIsAgeOverAttributBuilder implements IPVPAttributeBuilder { return STORKConstants.ISAGEOVER_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { return g.buildStringAttribute(STORKConstants.ISAGEOVER_FRIENDLYNAME, STORKConstants.ISAGEOVER_NAME, - STORKAttributHelper.getAttribut(STORKConstants.ISAGEOVER_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.ISAGEOVER_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKMaritalStatusAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKMaritalStatusAttributBuilder.java index 1e627e723..c6ce4e32a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKMaritalStatusAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKMaritalStatusAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKMaritalStatusAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKMaritalStatusAttributBuilder implements IPVPAttributeBuilder return STORKConstants.MARITALSTATUS_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { return g.buildStringAttribute(STORKConstants.MARITALSTATUS_FRIENDLYNAME, STORKConstants.MARITALSTATUS_NAME, - STORKAttributHelper.getAttribut(STORKConstants.MARITALSTATUS_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.MARITALSTATUS_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKNationalityCodeAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKNationalityCodeAttributBuilder.java index d46219996..8db5ceeb8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKNationalityCodeAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKNationalityCodeAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKNationalityCodeAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKNationalityCodeAttributBuilder implements IPVPAttributeBuilder return STORKConstants.NATIONALITYCODE_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { return g.buildStringAttribute(STORKConstants.NATIONALITYCODE_FRIENDLYNAME, STORKConstants.NATIONALITYCODE_NAME, - STORKAttributHelper.getAttribut(STORKConstants.NATIONALITYCODE_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.NATIONALITYCODE_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKPseudonymAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKPseudonymAttributBuilder.java index 7bf6716ec..421f8c28d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKPseudonymAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKPseudonymAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKPseudonymAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKPseudonymAttributBuilder implements IPVPAttributeBuilder { return STORKConstants.PSEUDONYM_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { return g.buildStringAttribute(STORKConstants.PSEUDONYM_FRIENDLYNAME, STORKConstants.PSEUDONYM_NAME, - STORKAttributHelper.getAttribut(STORKConstants.PSEUDONYM_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.PSEUDONYM_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKResidencePermitAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKResidencePermitAttributBuilder.java index d47de1ff9..ceff4cf4f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKResidencePermitAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKResidencePermitAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKResidencePermitAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKResidencePermitAttributBuilder implements IPVPAttributeBuilder return STORKConstants.RESIDENCEPERMIT_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { return g.buildStringAttribute(STORKConstants.RESIDENCEPERMIT_FRIENDLYNAME, STORKConstants.RESIDENCEPERMIT_NAME, - STORKAttributHelper.getAttribut(STORKConstants.RESIDENCEPERMIT_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.RESIDENCEPERMIT_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKTextResidenceAddressAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKTextResidenceAddressAttributBuilder.java index c75d6b0fb..1344883bf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKTextResidenceAddressAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKTextResidenceAddressAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKTextResidenceAddressAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKTextResidenceAddressAttributBuilder implements IPVPAttributeBu return STORKConstants.TEXTRESIDENCEADDRESS_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { return g.buildStringAttribute(STORKConstants.TEXTRESIDENCEADDRESS_FRIENDLYNAME, STORKConstants.TEXTRESIDENCEADDRESS_NAME, - STORKAttributHelper.getAttribut(STORKConstants.TEXTRESIDENCEADDRESS_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.TEXTRESIDENCEADDRESS_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKTitleAttributBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKTitleAttributBuilder.java index 357b2fe0d..5209697d6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKTitleAttributBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/STORKTitleAttributBuilder.java @@ -22,10 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; public class STORKTitleAttributBuilder implements IPVPAttributeBuilder { @@ -34,11 +33,11 @@ public class STORKTitleAttributBuilder implements IPVPAttributeBuilder { return STORKConstants.TITLE_NAME; } - public ATT build(AuthenticationSession authSession, OAAuthParameter oaParam, AuthenticationData authData, + public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { return g.buildStringAttribute(STORKConstants.TITLE_FRIENDLYNAME, STORKConstants.TITLE_NAME, - STORKAttributHelper.getAttribut(STORKConstants.TITLE_NAME, authSession)); + STORKAttributHelper.getAttribut(STORKConstants.TITLE_NAME, authData)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/exceptions/AttributePolicyException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/exceptions/AttributePolicyException.java new file mode 100644 index 000000000..1e0e2ee51 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/exceptions/AttributePolicyException.java @@ -0,0 +1,40 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions; + +public class AttributePolicyException extends AttributeException { + + private static final long serialVersionUID = 1L; + + private String attributeName; + + public AttributePolicyException(String attributeName) { + super("Attribute " + attributeName + " is restricted by IDP policy."); + this.attributeName = attributeName; + } + + public String getAttributeName() { + return attributeName; + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/ArtifactResolution.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/ArtifactResolution.java index 210cb6be8..a1bf92592 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/ArtifactResolution.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/ArtifactResolution.java @@ -30,8 +30,8 @@ import org.opensaml.common.binding.artifact.SAMLArtifactMap.SAMLArtifactMapEntry import org.opensaml.saml2.core.ArtifactResolve; import org.opensaml.saml2.core.ArtifactResponse; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPAssertionStorage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; @@ -47,7 +47,7 @@ public class ArtifactResolution implements IRequestHandler { } public SLOInformationInterface process(MOARequest obj, HttpServletRequest req, - HttpServletResponse resp, AuthenticationSession moasession) throws MOAIDException { + HttpServletResponse resp, IAuthData authData) throws MOAIDException { if (!handleObject(obj)) { throw new MOAIDException("pvp2.13", null); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java index 92c2cd585..c5f73a59f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java @@ -55,10 +55,10 @@ import org.opensaml.xml.security.criteria.UsageCriteria; import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory; import org.opensaml.xml.security.x509.X509Credential; - -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; @@ -83,7 +83,7 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { } public SLOInformationInterface process(MOARequest obj, HttpServletRequest req, - HttpServletResponse resp, AuthenticationSession authSession) throws MOAIDException { + HttpServletResponse resp, IAuthData authData) throws MOAIDException { if (!handleObject(obj)) { throw new MOAIDException("pvp2.13", null); } @@ -118,7 +118,7 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { SLOInformationImpl sloInformation = new SLOInformationImpl(); //build Assertion - Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authSession, + Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authData, peerEntity, date, consumerService, sloInformation); Response authResponse = SAML2Utils.createSAMLObject(Response.class); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java index 9356eb6ba..fb4f5134f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java @@ -25,8 +25,8 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; @@ -34,5 +34,5 @@ public interface IRequestHandler { public boolean handleObject(MOARequest obj); public SLOInformationInterface process(MOARequest obj, HttpServletRequest req, - HttpServletResponse resp, AuthenticationSession moasession) throws MOAIDException; + HttpServletResponse resp, IAuthData authData) throws MOAIDException; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java index 59353b9ee..563712907 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java @@ -29,8 +29,9 @@ import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSupported; @@ -54,13 +55,13 @@ public class RequestManager { handler.add(new ArtifactResolution()); } - public SLOInformationInterface handle(MOARequest obj, HttpServletRequest req, HttpServletResponse resp, AuthenticationSession moasession) + public SLOInformationInterface handle(MOARequest obj, HttpServletRequest req, HttpServletResponse resp, IAuthData authData) throws SAMLRequestNotSupported, MOAIDException { Iterator it = handler.iterator(); while(it.hasNext()) { IRequestHandler handler = it.next(); if(handler.handleObject(obj)) { - return handler.process(obj, req, resp, moasession); + return handler.process(obj, req, resp, authData); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java index 587ca04e7..6ce647ff8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java @@ -27,32 +27,26 @@ import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import at.gv.egovernment.moa.id.auth.AuthenticationServer; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; -import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet; import at.gv.egovernment.moa.id.auth.stork.STORKResponseProcessor; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; -import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; -import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.URLEncoder; public class GetArtifactAction implements IAction { public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, - HttpServletResponse httpResp, AuthenticationSession session) throws AuthenticationException { + HttpServletResponse httpResp, IAuthData obj) throws AuthenticationException { String oaURL = (String) req.getOAURL(); - String target = (String) req.getTarget(); String sourceID = null; if (req instanceof SAML1RequestImpl) { @@ -61,41 +55,31 @@ public class GetArtifactAction implements IAction { } - try { - + SAML1AuthenticationData authData; + if (obj instanceof SAML1AuthenticationData) { + authData = (SAML1AuthenticationData) obj; - if (oaURL == null) { - throw new WrongParametersException("StartAuthentication", - PARAM_OA, "auth.12"); - } - - // check parameter - if (!ParamValidatorUtils.isValidOA(oaURL)) - throw new WrongParametersException("StartAuthentication", - PARAM_OA, "auth.12"); - - // TODO: Support Mandate MODE! + } else { + Logger.error("AuthDate is NOT of type SAML1AuthenticationData."); + throw new AuthenticationException("AuthDate is NOT of type SAML1AuthenticationData.", new Object[]{}); + } + + try { OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() - .getOnlineApplicationParameter(oaURL); - - SAML1AuthenticationServer saml1server = SAML1AuthenticationServer.getInstace(); - - AuthenticationData authData = SAML1AuthenticationServer.buildAuthenticationData(session, - oaParam, - target); + .getOnlineApplicationParameter(oaURL); + SAML1AuthenticationServer saml1server = SAML1AuthenticationServer.getInstace(); + // add other stork attributes to MOA assertion if available - if(null != session.getStorkAttributes()) { - List moaExtendedSAMLAttibutes = STORKResponseProcessor.addAdditionalSTORKAttributes(session.getStorkAttributes()); - session.getExtendedSAMLAttributesOA().addAll(moaExtendedSAMLAttibutes); - //produce MOA-Assertion and artifact - AuthenticationServer.getInstance().getForeignAuthenticationData(session); + if(null != authData.getStorkAttributes()) { + List moaExtendedSAMLAttibutes = STORKResponseProcessor.addAdditionalSTORKAttributes(authData.getStorkAttributes()); + authData.getExtendedSAMLAttributesOA().addAll(moaExtendedSAMLAttibutes); Logger.info("MOA assertion assembled and SAML Artifact generated."); } - String samlArtifactBase64 = saml1server.BuildSAMLArtifact(session, oaParam, authData, sourceID); + String samlArtifactBase64 = saml1server.BuildSAMLArtifact(oaParam, authData, sourceID); - if (AuthenticationSessionStoreage.isSSOSession(session.getSessionID())) { + if (authData.isSsoSession()) { String url = "RedirectServlet"; url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(oaURL, "UTF-8")); if (!oaParam.getBusinessService()) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java index f622f4b94..66861afa3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java @@ -56,7 +56,6 @@ import org.w3c.dom.NodeList; import at.gv.egovernment.moa.id.auth.builder.SAMLResponseBuilder; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; -import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.util.Constants; @@ -138,12 +137,9 @@ public class GetAuthenticationDataService implements Constants { try { - AuthenticationData authData = saml1server.getSaml1AuthenticationData(samlArtifact); + samlAssertion = saml1server.getSaml1AuthenticationData(samlArtifact); -// useUTC = authData.getUseUTC(); - // success - samlAssertion = authData.getSamlAssertion(); statusCode = "samlp:Success"; statusMessageCode = "1200"; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationData.java new file mode 100644 index 000000000..7569eef84 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationData.java @@ -0,0 +1,179 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + ******************************************************************************/ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.id.protocols.saml1; + +import java.text.DateFormat; +import java.text.ParseException; +import java.text.SimpleDateFormat; +import java.util.List; + +import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; +import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.util.Random; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.DateTimeUtils; + +/** + * Encapsulates authentication data contained in a <saml:Assertion>. + * + * @author Paul Ivancsics + * @version $Id$ + */ + +public class SAML1AuthenticationData extends AuthenticationData { + /** + * + */ + private static final long serialVersionUID = -1042697056735596866L; +/** + * major version number of the SAML assertion + */ + private int majorVersion; + /** + * minor version number of the SAML assertion + */ + private int minorVersion; + /** + * identifier for this assertion + */ + private String assertionID; +/** + * @return the majorVersion + */ + + private String samlAssertion = null; + + private List extendedSAMLAttributesOA; + + + public SAML1AuthenticationData() { + this.setMajorVersion(1); + this.setMinorVersion(0); + this.setAssertionID(Random.nextRandom()); + } + + + //this method is only required for MOA-ID Proxy 2.0 Release. + //TODO: remove it, if MOA-ID Proxy is not supported anymore. + public String getWBPK() { + return getBPK(); + } + +public int getMajorVersion() { + return majorVersion; +} +/** + * @param majorVersion the majorVersion to set + */ +public void setMajorVersion(int majorVersion) { + this.majorVersion = majorVersion; +} +/** + * @return the minorVersion + */ +public int getMinorVersion() { + return minorVersion; +} +/** + * @param minorVersion the minorVersion to set + */ +public void setMinorVersion(int minorVersion) { + this.minorVersion = minorVersion; +} +/** + * @return the assertionID + */ +public String getAssertionID() { + return assertionID; +} +/** + * @param assertionID the assertionID to set + */ +public void setAssertionID(String assertionID) { + this.assertionID = assertionID; +} + +public void setIssueInstant(String date) { + try { + setIssueInstant(DateTimeUtils.parseDateTime(date)); + + } catch (ParseException e) { + Logger.error("Parse IssueInstant element FAILED.", e); + + } +} + +/** + * @return the samlAssertion + */ +public String getSamlAssertion() { + return samlAssertion; +} + +/** + * @param samlAssertion the samlAssertion to set + */ +public void setSamlAssertion(String samlAssertion) { + this.samlAssertion = samlAssertion; +} + +/** + * @return the extendedSAMLAttributesOA + */ +public List getExtendedSAMLAttributesOA() { + return extendedSAMLAttributesOA; +} + +/** + * @param extendedSAMLAttributesOA the extendedSAMLAttributesOA to set + */ +public void setExtendedSAMLAttributesOA( + List extendedSAMLAttributesOA) { + this.extendedSAMLAttributesOA = extendedSAMLAttributesOA; +} + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index 6391860ff..52b9b40ab 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -23,7 +23,6 @@ package at.gv.egovernment.moa.id.protocols.saml1; import java.io.IOException; -import java.util.Date; import java.util.List; import javax.xml.parsers.ParserConfigurationException; @@ -116,7 +115,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { * * @return AuthenticationData */ - public AuthenticationData getSaml1AuthenticationData(String samlArtifact) + public String getSaml1AuthenticationData(String samlArtifact) throws AuthenticationException { try { new SAMLArtifactParser(samlArtifact).parseAssertionHandle(); @@ -125,13 +124,13 @@ public class SAML1AuthenticationServer extends AuthenticationServer { throw new AuthenticationException("1205", new Object[] { samlArtifact, ex.toString() }); } - AuthenticationData authData = null; + String authData = null; synchronized (authenticationDataStore) { // System.out.println("assertionHandle: " + assertionHandle); try { authData = authenticationDataStore - .get(samlArtifact, AuthenticationData.class); + .get(samlArtifact, String.class, authDataTimeOut); } catch (MOADatabaseException e) { Logger.error("Assertion not found for SAML Artifact: " + samlArtifact); @@ -140,12 +139,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { } authenticationDataStore.remove(samlArtifact); - - long now = new Date().getTime(); - - if (now - authData.getTimestamp().getTime() > authDataTimeOut) - throw new AuthenticationException("1207", new Object[] { samlArtifact }); - + Logger.debug("Assertion delivered for SAML Artifact: " + samlArtifact); return authData; @@ -163,9 +157,8 @@ public class SAML1AuthenticationServer extends AuthenticationServer { return samlArtifact; } - public String BuildSAMLArtifact(AuthenticationSession session, - OAAuthParameter oaParam, - AuthenticationData authData, String sourceID) + public String BuildSAMLArtifact(OAAuthParameter oaParam, + SAML1AuthenticationData authData, String sourceID) throws ConfigurationException, BuildException, AuthenticationException { //Load SAML1 Parameter from OA config @@ -179,7 +172,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { //set BASE64 encoded signer certificate String signerCertificateBase64 = ""; if (saml1parameter.isProvideCertificate()) { - byte[] signerCertificate = session.getEncodedSignerCertificate(); + byte[] signerCertificate = authData.getSignerCertificate(); if (signerCertificate != null) { signerCertificateBase64 = Base64Utils @@ -195,41 +188,31 @@ public class SAML1AuthenticationServer extends AuthenticationServer { provideStammzahl); //set Authblock - String authBlock = saml1parameter.isProvideAUTHBlock() ? session + String authBlock = saml1parameter.isProvideAUTHBlock() ? authData .getAuthBlock() : ""; //set IdentityLink for assortion String ilAssertion = ""; if (saml1parameter.isProvideIdentityLink()) { - if (oaParam.getBusinessService()) { - //IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance(); - -// Element resignedilAssertion = identitylinkresigner.resignIdentityLink(authData.getIdentityLink() -// .getSamlAssertion()); -// -// ilAssertion = DOMUtils.serializeNode(resignedilAssertion); + ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); - } else { - ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); - - if (!saml1parameter.isProvideStammzahl()) - ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink() - .getIdentificationValue(), ""); - - } + if (!saml1parameter.isProvideStammzahl()) + ilAssertion = StringUtils.replaceAll(ilAssertion, authData.getIdentityLink() + .getIdentificationValue(), ""); } + String samlAssertion; - if (session.getUseMandate()) { - List oaAttributes = session.getExtendedSAMLAttributesOA(); + if (authData.isUseMandate()) { + List oaAttributes = authData.getExtendedSAMLAttributesOA(); if (saml1parameter.isProvideFullMandatorData()) { try { ExtendedSAMLAttribute[] extendedSAMLAttributes = addExtendedSamlAttributes( - session.getMISMandate(), oaParam.getBusinessService(), + authData.getMISMandate(), oaParam.getBusinessService(), saml1parameter.isProvideStammzahl()); if (extendedSAMLAttributes != null) { @@ -293,7 +276,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { } } - String mandateDate = generateMandateDate(session, oaParam, authData); + String mandateDate = generateMandateDate(oaParam, authData); samlAssertion = new AuthenticationDataAssertionBuilder().buildMandate( authData, @@ -301,7 +284,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { mandateDate, authBlock, ilAssertion, - session.getBkuURL(), + authData.getBkuURL(), signerCertificateBase64, oaParam.getBusinessService(), oaAttributes, @@ -314,24 +297,23 @@ public class SAML1AuthenticationServer extends AuthenticationServer { prPerson, authBlock, ilAssertion, - session.getBkuURL(), + authData.getBkuURL(), signerCertificateBase64, oaParam.getBusinessService(), - session.getExtendedSAMLAttributesOA(), + authData.getExtendedSAMLAttributesOA(), useCondition, conditionLength); } - authData.setSamlAssertion(samlAssertion); + //authData.setSamlAssertion(samlAssertion); String samlArtifact = new SAMLArtifactBuilder().build( - session.getAuthURL(), Random.nextRandom(), + authData.getIssuer(), Random.nextRandom(), sourceID); - storeAuthenticationData(samlArtifact, authData); + storeAuthenticationData(samlArtifact, samlAssertion); - Logger.info("Anmeldedaten zu MOASession " + session.getSessionID() - + " angelegt, SAML Artifakt " + samlArtifact); + Logger.info("Anmeldedaten angelegt, SAML Artifakt " + samlArtifact); return samlArtifact; } catch (Throwable ex) { @@ -341,21 +323,20 @@ public class SAML1AuthenticationServer extends AuthenticationServer { } - private String generateMandateDate(AuthenticationSession session, - OAAuthParameter oaParam, AuthenticationData authData + private String generateMandateDate(OAAuthParameter oaParam, AuthenticationData authData ) throws AuthenticationException, BuildException, ParseException, ConfigurationException, ServiceException, ValidateException { - if (session == null) + if (authData == null) throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID }); IdentityLink tempIdentityLink = null; - Element mandate = session.getMandate(); + Element mandate = authData.getMandate(); - if (session.getUseMandate()) { + if (authData.isUseMandate()) { tempIdentityLink = new IdentityLink(); Element mandator = ParepUtils.extractMandator(mandate); String dateOfBirth = ""; @@ -432,7 +413,10 @@ public class SAML1AuthenticationServer extends AuthenticationServer { String oatargetType; if(oaParam.getBusinessService()) { - oatargetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_+session.getDomainIdentifier(); + if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) + oatargetType = oaParam.getIdentityLinkDomainIdentifier(); + else + oatargetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_+oaParam.getIdentityLinkDomainIdentifier(); } else { oatargetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget(); @@ -509,7 +493,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { * when SAML artifact is invalid */ private void storeAuthenticationData(String samlArtifact, - AuthenticationData authData) throws AuthenticationException { + String samlAssertion) throws AuthenticationException { try { SAMLArtifactParser parser = new SAMLArtifactParser(samlArtifact); @@ -523,7 +507,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { synchronized (authenticationDataStore) { Logger.debug("Assertion stored for SAML Artifact: " + samlArtifact); - authenticationDataStore.put(samlArtifact, authData); + authenticationDataStore.put(samlArtifact, samlAssertion); } } catch (AuthenticationException ex) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java index 20351749b..75f40c89e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java @@ -9,6 +9,7 @@ import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; @@ -41,7 +42,7 @@ public class AttributeCollector implements IAction { /* (non-Javadoc) * @see at.gv.egovernment.moa.id.moduls.IAction#processRequest(at.gv.egovernment.moa.id.moduls.IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, at.gv.egovernment.moa.id.auth.data.AuthenticationSession) */ - public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, AuthenticationSession moasession) throws MOAIDException { + public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { // - fetch the container String artifactId = (String) httpReq.getParameter(ARTIFACT_ID); @@ -56,7 +57,7 @@ public class AttributeCollector implements IAction { // read configuration parameters of OA OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(container.getRequest().getAssertionConsumerServiceURL()); if (oaParam == null) - throw new AuthenticationException("stork.12", new Object[]{moasession.getPublicOAURLPrefix()}); + throw new AuthenticationException("stork.12", new Object[]{container.getRequest().getAssertionConsumerServiceURL()}); // find the attribute provider plugin that can handle the response IPersonalAttributeList newAttributes = null; @@ -81,7 +82,7 @@ public class AttributeCollector implements IAction { addOrUpdateAll(container.getResponse().getPersonalAttributeList(), newAttributes); // see if we need some more attributes - SLOInformationImpl sloInfo = (SLOInformationImpl) processRequest(container, httpReq, httpResp, moasession, oaParam); + SLOInformationImpl sloInfo = (SLOInformationImpl) processRequest(container, httpReq, httpResp, authData, oaParam); if (sloInfo == null) { sloInfo = new SLOInformationImpl(null, null, req.requestedModule()); @@ -99,7 +100,7 @@ public class AttributeCollector implements IAction { * @return the string * @throws MOAIDException */ - public SLOInformationInterface processRequest(DataContainer container, HttpServletRequest request, HttpServletResponse response, AuthenticationSession moasession, OAAuthParameter oaParam) throws MOAIDException { + public SLOInformationInterface processRequest(DataContainer container, HttpServletRequest request, HttpServletResponse response, IAuthData authData, OAAuthParameter oaParam) throws MOAIDException { // check if there are attributes we need to fetch IPersonalAttributeList requestAttributeList = container.getRequest().getPersonalAttributeList(); @@ -131,7 +132,7 @@ public class AttributeCollector implements IAction { try { // - hand over control to the suitable plugin Logger.info(currentProvider.getClass().getSimpleName() + " called to handle attribute '" + currentAttribute.getName() + "'"); - aquiredAttributes = currentProvider.acquire(currentAttribute, container.getRequest().getSpCountry(), moasession); + aquiredAttributes = currentProvider.acquire(currentAttribute, container.getRequest().getSpCountry(), authData); Logger.info(currentProvider.getClass().getSimpleName() + " can handle attribute '" + currentAttribute.getName() + "'"); break; } catch (UnsupportedAttributeException e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeProvider.java index 2914d8f7d..b1eb3a021 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeProvider.java @@ -6,6 +6,7 @@ import javax.servlet.http.HttpServletResponse; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; import eu.stork.peps.auth.commons.IPersonalAttributeList; import eu.stork.peps.auth.commons.PersonalAttribute; @@ -23,13 +24,13 @@ public interface AttributeProvider { * * @param attributes the list of attributes to be acquired * @param spCountyCode the sp county code - * @param moasession the moasession + * @param authData the moasession * @return the personal attribute * @throws UnsupportedAttributeException the unsupported attribute exception * @throws ExternalAttributeRequestRequiredException an attribute request to an external service has to be done * @throws MOAIDException the mOAID exception */ - public IPersonalAttributeList acquire(PersonalAttribute attributes, String spCountyCode, AuthenticationSession moasession) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException; + public IPersonalAttributeList acquire(PersonalAttribute attributes, String spCountyCode, IAuthData authData) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException; /** * Perform redirect. diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java index 7269e361c..a3996d52b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java @@ -5,6 +5,7 @@ import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; @@ -34,13 +35,13 @@ public class AuthenticationRequest implements IAction { private VelocityEngine velocityEngine; - private AuthenticationSession moaSession = null; + private IAuthData authData = null; private MOASTORKRequest moaStorkRequest = null; - public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, AuthenticationSession moasession) throws MOAIDException { + public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { - this.moaSession = moasession; + this.authData = authData; if (req instanceof MOASTORKRequest) { @@ -49,9 +50,10 @@ public class AuthenticationRequest implements IAction { Logger.debug("Entering MOASTORKRequest"); httpResp.reset(); - OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moasession.getPublicOAURLPrefix()); + //TODO: CHECK: req.getOAURL() should return the unique OA identifier + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(req.getOAURL()); if (oaParam == null) - throw new AuthenticationException("stork.12", new Object[]{moasession.getPublicOAURLPrefix()}); + throw new AuthenticationException("stork.12", new Object[]{req.getOAURL()}); MOASTORKResponse moaStorkResponse = new MOASTORKResponse(); @@ -77,7 +79,7 @@ public class AuthenticationRequest implements IAction { } // Get personal attributtes from MOA/IdentityLink - moaStorkResponse.setPersonalAttributeList(populateAttributes()); + moaStorkResponse.setPersonalAttributeList(populateAttributes(oaParam)); } @@ -115,7 +117,7 @@ public class AuthenticationRequest implements IAction { Logger.debug("Data container prepared"); //TODO: in case of Single LogOut -> SLO information has to be stored - return (new AttributeCollector()).processRequest(container, httpReq, httpResp, moasession, oaParam); + return (new AttributeCollector()).processRequest(container, httpReq, httpResp, authData, oaParam); } else { Logger.error("Could not recognize request."); throw new MOAIDException("stork.15", null); @@ -137,16 +139,16 @@ public class AuthenticationRequest implements IAction { // does nothing - public void mandate(AuthenticationSession moasession) { + public void mandate(IAuthData authData) { - if (moasession.getUseMandate()) { + if (authData.isUseMandate()) { try { - MISMandate mandate = moasession.getMISMandate(); + MISMandate mandate = authData.getMISMandate(); String owbpk = mandate.getOWbPK(); byte[] mand = mandate.getMandate(); String profprep = mandate.getProfRep(); //String textdesc = mandate.getTextualDescriptionOfOID(); - Element mndt = moasession.getMandate(); + Element mndt = authData.getMandate(); iterate(mndt.getAttributes()); Logger.debug("mandate encoded: " + new String(org.bouncycastle.util.encoders.Base64.encode(mand))); @@ -158,14 +160,14 @@ public class AuthenticationRequest implements IAction { } - public PersonalAttributeList populateAttributes() { + public PersonalAttributeList populateAttributes(OAAuthParameter oaParam) { IPersonalAttributeList attrLst = moaStorkRequest.getStorkAuthnRequest().getPersonalAttributeList(); Logger.info("Found " + attrLst.size() + " personal attributes in the request."); // Define attribute list to be populated PersonalAttributeList attributeList = new PersonalAttributeList(); - MOAAttributeProvider moaAttributeProvider = new MOAAttributeProvider(moaSession.getIdentityLink(), moaStorkRequest); + MOAAttributeProvider moaAttributeProvider = new MOAAttributeProvider(authData.getIdentityLink(), moaStorkRequest); try { for (PersonalAttribute personalAttribute : attrLst) { @@ -176,10 +178,8 @@ public class AuthenticationRequest implements IAction { Logger.error("Exception, attributes: " + e.getMessage()); } - Logger.debug("AUTHBLOCK " + moaSession.getAuthBlock()); - Logger.debug("TARGET " + moaSession.getTarget() + " " + moaSession.getTargetFriendlyName()); - Logger.debug("SESSION IDENTIFIER " + moaSession.getCcc() + " " + moaSession.getDomainIdentifier()); - Logger.debug("AUTHBLOCKTOKKEN" + moaSession.getAuthBlockTokken()); + Logger.debug("AUTHBLOCK " + authData.getAuthBlock()); + Logger.debug("SESSION IDENTIFIER " + authData.getCcc() + " " + oaParam.getIdentityLinkDomainIdentifier()); return attributeList; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java index a08872029..06e6a9038 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java @@ -8,6 +8,7 @@ import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; @@ -41,7 +42,7 @@ public class ConsentEvaluator implements IAction { /* (non-Javadoc) * @see at.gv.egovernment.moa.id.moduls.IAction#processRequest(at.gv.egovernment.moa.id.moduls.IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, at.gv.egovernment.moa.id.auth.data.AuthenticationSession) */ - public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, AuthenticationSession moasession) throws MOAIDException { + public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { // - fetch the container String artifactId = (String) httpReq.getParameter(ARTIFACT_ID); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/EHvdAttributeProviderPlugin.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/EHvdAttributeProviderPlugin.java index 370182e71..e7b5ebae4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/EHvdAttributeProviderPlugin.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/EHvdAttributeProviderPlugin.java @@ -22,6 +22,7 @@ import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.logging.Logger; import eu.stork.peps.auth.commons.IPersonalAttributeList; import eu.stork.peps.auth.commons.PersonalAttribute; @@ -54,7 +55,7 @@ public class EHvdAttributeProviderPlugin implements AttributeProvider { /* (non-Javadoc) * @see at.gv.egovernment.moa.id.protocols.stork2.AttributeProvider#acquire(eu.stork.peps.auth.commons.PersonalAttribute) */ - public IPersonalAttributeList acquire(PersonalAttribute attribute, String spCountryCode, AuthenticationSession moasession) + public IPersonalAttributeList acquire(PersonalAttribute attribute, String spCountryCode, IAuthData authData) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException { @@ -97,7 +98,9 @@ public class EHvdAttributeProviderPlugin implements AttributeProvider { requestBodyElem.addAttribute(envelope.createName("xmlns"), "http://gesundheit.gv.at/BAGDAD/DataAccessService"); SOAPElement requestBodyElem1 = requestBodyElem.addChildElement("bPK"); - requestBodyElem1.addTextNode(new BPKBuilder().buildBPK(moasession.getIdentityLink().getIdentificationValue(), "GH")); + + //TODO: CHECK: IdentificationValue containts wbPK if MOA-ID is used as VIDP + requestBodyElem1.addTextNode(new BPKBuilder().buildBPK(authData.getIdentificationValue(), "GH")); requestMessage.saveChanges(); @@ -193,7 +196,7 @@ public class EHvdAttributeProviderPlugin implements AttributeProvider { // add stork id for verification ArrayList value = new ArrayList(); - value.add(new BPKBuilder().buildStorkeIdentifier(moasession.getIdentityLink(), spCountryCode)); + value.add(new BPKBuilder().buildStorkeIdentifier(authData.getIdentityLink(), spCountryCode)); result.add(new PersonalAttribute("eIdentifier", false, value, "Available")); return result; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateAttributeRequestProvider.java index 0e94600db..eda712467 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateAttributeRequestProvider.java @@ -3,6 +3,7 @@ package at.gv.egovernment.moa.id.protocols.stork2; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.logging.Logger; @@ -45,7 +46,7 @@ public class MandateAttributeRequestProvider implements AttributeProvider { return "MandateAttributeRequestProvider"; } - public IPersonalAttributeList acquire(PersonalAttribute attribute, String spCountryCode, AuthenticationSession moasession) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException { + public IPersonalAttributeList acquire(PersonalAttribute attribute, String spCountryCode, IAuthData authData) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException, MOAIDException { Logger.info("Acquiring attribute: " + attribute.getName() + ", by: " + getAttrProviderName()); this.spCountryCode = spCountryCode; requestedAttributes = new PersonalAttributeList(1); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java index dea74aa75..a3b3263d6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MandateRetrievalRequest.java @@ -2,6 +2,7 @@ package at.gv.egovernment.moa.id.protocols.stork2; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; @@ -14,7 +15,7 @@ import javax.servlet.http.HttpServletResponse; * */ public class MandateRetrievalRequest implements IAction { - public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, AuthenticationSession moasession) throws MOAIDException { + public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { Logger.info("Entering mandateretrievalrequest"); return null; // } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKProtocol.java index 00f919c82..8c63b8cb1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/STORKProtocol.java @@ -110,6 +110,7 @@ public class STORKProtocol implements IModulInfo, MOAIDAuthConstants { STORK2Request.setSTORKAuthnRequest(authnRequest); STORK2Request.setSTORKAttrRequest(attrRequest); + return STORK2Request; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/SignedDocAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/SignedDocAttributeRequestProvider.java index 89eb07815..e522627be 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/SignedDocAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/SignedDocAttributeRequestProvider.java @@ -16,6 +16,7 @@ import org.apache.velocity.app.VelocityEngine; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.logging.Logger; import eu.stork.peps.auth.commons.IPersonalAttributeList; @@ -56,7 +57,7 @@ public class SignedDocAttributeRequestProvider implements AttributeProvider { * at.gv.egovernment.moa.id.protocols.stork2.AttributeProvider#acquire(java * .lang.String) */ - public IPersonalAttributeList acquire(PersonalAttribute attribute, String spCountyCode, AuthenticationSession moasession) throws UnsupportedAttributeException, + public IPersonalAttributeList acquire(PersonalAttribute attribute, String spCountyCode, IAuthData authData) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException { if(!attributes.contains(attribute.getName())) { throw new UnsupportedAttributeException(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/StorkAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/StorkAttributeRequestProvider.java index c0e613b82..3999451cc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/StorkAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/StorkAttributeRequestProvider.java @@ -11,6 +11,7 @@ import org.apache.velocity.app.VelocityEngine; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.logging.Logger; @@ -55,7 +56,7 @@ public class StorkAttributeRequestProvider implements AttributeProvider { /* (non-Javadoc) * @see at.gv.egovernment.moa.id.protocols.stork2.AttributeProvider#acquire(java.lang.String) */ - public IPersonalAttributeList acquire(PersonalAttribute attribute, String spCountyCode, AuthenticationSession moasession) + public IPersonalAttributeList acquire(PersonalAttribute attribute, String spCountyCode, IAuthData authData) throws UnsupportedAttributeException, ExternalAttributeRequestRequiredException { if (!attributes.contains(attribute.getName())) -- cgit v1.2.3 From 02769f78b45dfbbaaaa45f067cf49011d7113d9e Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 18 Apr 2014 08:38:42 +0200 Subject: update MOA-ID-Proxy to use refactored AuthenticationData --- .../moa/id/proxy/DefaultLoginParameterResolver.java | 9 +++++---- .../at/gv/egovernment/moa/id/proxy/LoginParameterResolver.java | 5 +++-- .../moa/id/proxy/XMLLoginParameterResolverEncryptedData.java | 9 +++++---- .../moa/id/proxy/XMLLoginParameterResolverPlainData.java | 10 ++++++---- .../moa/id/proxy/invoke/GetAuthenticationDataInvoker.java | 3 ++- .../moa/id/proxy/parser/AuthenticationDataAssertionParser.java | 5 +++-- .../gv/egovernment/moa/id/proxy/parser/SAMLResponseParser.java | 3 ++- .../at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java | 3 ++- 8 files changed, 28 insertions(+), 19 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/DefaultLoginParameterResolver.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/DefaultLoginParameterResolver.java index 34add9895..f094dfabf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/DefaultLoginParameterResolver.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/DefaultLoginParameterResolver.java @@ -54,6 +54,7 @@ import java.util.Map; import at.gv.egovernment.moa.id.config.proxy.OAConfiguration; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.URLEncoder; @@ -78,7 +79,7 @@ public class DefaultLoginParameterResolver implements LoginParameterResolver { */ public Map getAuthenticationHeaders( OAConfiguration oaConf, - AuthenticationData authData, + SAML1AuthenticationData authData, String clientIPAddress, boolean businessService, String publicURLPrefix) { @@ -116,7 +117,7 @@ public class DefaultLoginParameterResolver implements LoginParameterResolver { */ public Map getAuthenticationParameters( OAConfiguration oaConf, - AuthenticationData authData, + SAML1AuthenticationData authData, String clientIPAddress, boolean businessService, String publicURLPrefix) { @@ -149,13 +150,13 @@ public class DefaultLoginParameterResolver implements LoginParameterResolver { * @param clientIPAddress client IP address * @return header or parameter value resolved; null if unknown name is given */ - private static String resolveValue(String predicate, AuthenticationData authData, String clientIPAddress) { + private static String resolveValue(String predicate, SAML1AuthenticationData authData, String clientIPAddress) { if (predicate.equals(MOAGivenName)) return authData.getGivenName(); if (predicate.equals(MOAFamilyName)) return authData.getFamilyName(); if (predicate.equals(MOADateOfBirth)) - return authData.getDateOfBirth(); + return authData.getFormatedDateOfBirth(); if (predicate.equals(MOABPK)) return authData.getBPK(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/LoginParameterResolver.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/LoginParameterResolver.java index cd751b7ee..d432f8c41 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/LoginParameterResolver.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/LoginParameterResolver.java @@ -50,6 +50,7 @@ import java.util.Map; import at.gv.egovernment.moa.id.config.proxy.OAConfiguration; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; /** * Determines authentication parameters and headers to be added to a {@link java.net.URLConnection} @@ -102,7 +103,7 @@ public interface LoginParameterResolver { */ public Map getAuthenticationHeaders( OAConfiguration oaConf, - AuthenticationData authData, + SAML1AuthenticationData authData, String clientIPAddress, boolean businessService, String publicURLPrefix) throws LoginParameterResolverException, NotAllowedException; @@ -122,7 +123,7 @@ public interface LoginParameterResolver { */ public Map getAuthenticationParameters( OAConfiguration oaConf, - AuthenticationData authData, + SAML1AuthenticationData authData, String clientIPAddress, boolean businessService, String publicURLPrefix) throws LoginParameterResolverException, NotAllowedException; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/XMLLoginParameterResolverEncryptedData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/XMLLoginParameterResolverEncryptedData.java index 9f3de08aa..a5c632077 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/XMLLoginParameterResolverEncryptedData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/XMLLoginParameterResolverEncryptedData.java @@ -77,6 +77,7 @@ import org.xml.sax.SAXException; import at.gv.egovernment.moa.id.config.ConfigurationProvider; import at.gv.egovernment.moa.id.config.proxy.OAConfiguration; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; @@ -373,7 +374,7 @@ public class XMLLoginParameterResolverEncryptedData implements LoginParameterRes */ public Map getAuthenticationHeaders( OAConfiguration oaConf, - AuthenticationData authData, + SAML1AuthenticationData authData, String clientIPAddress, boolean businessService, String publicURLPrefix) throws LoginParameterResolverException, NotAllowedException { @@ -447,7 +448,7 @@ public class XMLLoginParameterResolverEncryptedData implements LoginParameterRes */ public Map getAuthenticationParameters( OAConfiguration oaConf, - AuthenticationData authData, + SAML1AuthenticationData authData, String clientIPAddress, boolean businessService, String publicURLPrefix) throws LoginParameterResolverException, NotAllowedException { @@ -511,14 +512,14 @@ public class XMLLoginParameterResolverEncryptedData implements LoginParameterRes */ private static String resolveValue( String predicate, - AuthenticationData authData, + SAML1AuthenticationData authData, String clientIPAddress) { if (predicate.equals("MOAGivenName")) return authData.getGivenName(); if (predicate.equals("MOAFamilyName")) return authData.getFamilyName(); if (predicate.equals("MOADateOfBirth")) - return authData.getDateOfBirth(); + return authData.getFormatedDateOfBirth(); if (predicate.equals("MOABPK")) return authData.getBPK(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/XMLLoginParameterResolverPlainData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/XMLLoginParameterResolverPlainData.java index 2760a736b..740421024 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/XMLLoginParameterResolverPlainData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/XMLLoginParameterResolverPlainData.java @@ -48,10 +48,12 @@ package at.gv.egovernment.moa.id.proxy; import at.gv.egovernment.moa.id.config.proxy.OAConfiguration; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import java.io.IOException; import java.util.*; + import org.apache.xerces.parsers.DOMParser; import org.w3c.dom.*; @@ -196,7 +198,7 @@ public class XMLLoginParameterResolverPlainData } //TODO document - public Map getAuthenticationHeaders(OAConfiguration oaConf, AuthenticationData authData, String clientIPAddress, boolean businessService, String publicURLPrefix) throws NotAllowedException + public Map getAuthenticationHeaders(OAConfiguration oaConf, SAML1AuthenticationData authData, String clientIPAddress, boolean businessService, String publicURLPrefix) throws NotAllowedException { Map result = new HashMap(); if(oaConf.getAuthType().equals("basic")) @@ -318,7 +320,7 @@ public class XMLLoginParameterResolverPlainData return result; } - public Map getAuthenticationParameters(OAConfiguration oaConf, AuthenticationData authData, String clientIPAddress, boolean businessService, String publicURLPrefix) + public Map getAuthenticationParameters(OAConfiguration oaConf, SAML1AuthenticationData authData, String clientIPAddress, boolean businessService, String publicURLPrefix) { Map result = new HashMap(); if(oaConf.getAuthType().equals("param")) @@ -336,14 +338,14 @@ public class XMLLoginParameterResolverPlainData return result; } - private static String resolveValue(String predicate, AuthenticationData authData, String clientIPAddress) + private static String resolveValue(String predicate, SAML1AuthenticationData authData, String clientIPAddress) { if(predicate.equals(MOAGivenName)) return authData.getGivenName(); if(predicate.equals(MOAFamilyName)) return authData.getFamilyName(); if(predicate.equals(MOADateOfBirth)) - return authData.getDateOfBirth(); + return authData.getFormatedDateOfBirth(); if(predicate.equals(MOABPK)) return authData.getBPK(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/invoke/GetAuthenticationDataInvoker.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/invoke/GetAuthenticationDataInvoker.java index 0ef2077a3..26da33e34 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/invoke/GetAuthenticationDataInvoker.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/invoke/GetAuthenticationDataInvoker.java @@ -68,6 +68,7 @@ import at.gv.egovernment.moa.id.config.legacy.ConnectionParameter; import at.gv.egovernment.moa.id.config.proxy.ProxyConfigurationProvider; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.SAMLStatus; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; import at.gv.egovernment.moa.id.proxy.builder.SAMLRequestBuilder; import at.gv.egovernment.moa.id.proxy.parser.SAMLResponseParser; import at.gv.egovernment.moa.id.proxy.servlet.ProxyException; @@ -107,7 +108,7 @@ public class GetAuthenticationDataInvoker { * @return AuthenticationData * @throws MOAIDException */ - public AuthenticationData getAuthenticationData(String samlArtifact) + public SAML1AuthenticationData getAuthenticationData(String samlArtifact) throws MOAIDException { ConnectionParameter authConnParam = diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/parser/AuthenticationDataAssertionParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/parser/AuthenticationDataAssertionParser.java index 35f72d36d..ebda8dae0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/parser/AuthenticationDataAssertionParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/parser/AuthenticationDataAssertionParser.java @@ -50,6 +50,7 @@ import org.w3c.dom.Element; import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; import at.gv.egovernment.moa.util.BoolUtils; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; @@ -147,11 +148,11 @@ public class AuthenticationDataAssertionParser implements Constants { * @return AuthenticationData object * @throws ParseException on any error */ - public AuthenticationData parseAuthenticationData() + public SAML1AuthenticationData parseAuthenticationData() throws ParseException { try { - AuthenticationData authData = new AuthenticationData(); + SAML1AuthenticationData authData = new SAML1AuthenticationData(); //ÄNDERN: NUR der Identification-Teil authData.setSamlAssertion(DOMUtils.serializeNode(samlAssertion)); authData.setMajorVersion(new Integer( diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/parser/SAMLResponseParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/parser/SAMLResponseParser.java index 9835c554d..cec8dbe6c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/parser/SAMLResponseParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/parser/SAMLResponseParser.java @@ -51,6 +51,7 @@ import org.w3c.dom.Element; import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.SAMLStatus; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.XPathUtils; @@ -130,7 +131,7 @@ public class SAMLResponseParser implements Constants { * @return AuthenticationData object * @throws ParseException on any parsing error */ - public AuthenticationData parseAuthenticationData() + public SAML1AuthenticationData parseAuthenticationData() throws ParseException { Element samlAssertion; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java index 52f72f577..9447f2e35 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java @@ -84,6 +84,7 @@ import at.gv.egovernment.moa.id.config.proxy.OAConfiguration; import at.gv.egovernment.moa.id.config.proxy.OAProxyParameter; import at.gv.egovernment.moa.id.config.proxy.ProxyConfigurationProvider; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; import at.gv.egovernment.moa.id.proxy.ConnectionBuilder; import at.gv.egovernment.moa.id.proxy.ConnectionBuilderFactory; import at.gv.egovernment.moa.id.proxy.LoginParameterResolver; @@ -232,7 +233,7 @@ public class ProxyServlet extends HttpServlet { // boolean targetprovided = req.getParameter(PARAM_TARGET) != null; // get authentication data from the MOA-ID Auth component - AuthenticationData authData; + SAML1AuthenticationData authData; try { authData = new GetAuthenticationDataInvoker().getAuthenticationData(samlArtifact); -- cgit v1.2.3 From e71dc9f4f38fc762dad0ce5e0c0cbb8bd5884685 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 18 Apr 2014 08:41:11 +0200 Subject: add new DB for interfederation to AuthenticatedSessionStore --- .../at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java | 2 ++ 1 file changed, 2 insertions(+) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 8b5c8d796..1e1652412 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -96,6 +96,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.VerifyIdentityLink; import at.gv.egovernment.moa.id.commons.db.dao.session.AssertionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.AuthenticatedSessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.ExceptionStore; +import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore; import at.gv.egovernment.moa.id.commons.db.dao.statistic.StatisticLog; @@ -339,6 +340,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider { config.addAnnotatedClass(OASessionStore.class); config.addAnnotatedClass(OldSSOSessionIDStore.class); config.addAnnotatedClass(ExceptionStore.class); + config.addAnnotatedClass(InterfederationSessionStore.class); config.addProperties(moaSessionProp); MOASessionDBUtils.initHibernate(config, moaSessionProp); -- cgit v1.2.3 From a184de09bda4327441c214aa84d77e57500b28ca Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 18 Apr 2014 09:56:19 +0200 Subject: Finish PVP21 interfederation assertion preprocessing --- .../gv/egovernment/moa/id/config/OAParameter.java | 15 +++ .../moa/id/entrypoints/DispatcherServlet.java | 8 +- .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 8 +- .../pvp2x/utils/AssertionAttributeExtractor.java | 111 +++++++++++++++++++++ .../protocols/pvp2x/utils/AttributeExtractor.java | 85 ---------------- .../id/storage/AuthenticationSessionStoreage.java | 50 ++++++++++ 6 files changed, 186 insertions(+), 91 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AttributeExtractor.java (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java index 31b88263b..b2bcd443f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java @@ -68,6 +68,7 @@ public class OAParameter { this.oAuth20Config = oa.getAuthComponentOA().getOAOAUTH20(); + this.isInderfederationIDP = oa.isIsInterfederationIDP(); } @@ -104,6 +105,8 @@ public class OAParameter { private boolean removePBKFromAuthblock; + private Boolean isInderfederationIDP; + /** * Contains the oAuth 2.0 configuration (client id, secret and redirect uri) */ @@ -141,4 +144,16 @@ public class OAParameter { return oAuth20Config; } + /** + * @return the isInderfederationIDP + */ + public boolean isInderfederationIDP() { + if (isInderfederationIDP == null) + return false; + + return isInderfederationIDP; + } + + + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 31e19ee46..2f4bbbcf4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -41,6 +41,7 @@ import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; +import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; @@ -262,9 +263,12 @@ public class DispatcherServlet extends AuthServlet{ Logger.debug(DispatcherServlet.class.getName()+": Create PendingRequest with ID " + protocolRequestID + "."); } else if (protocolRequest != null && - protocolRequest.getInterfederationResponse() != null ) { + protocolRequest.getInterfederationResponse() != null ) { + Logger.debug("Create new interfederated MOA-Session and add to HTTPRequest"); + String sessionID = AuthenticationSessionStoreage.createInterfederatedSession(protocolRequest, true); + req.getParameterMap().put(PARAM_SESSIONID, sessionID); Logger.info("PreProcessing of SSO interfederation response complete. "); - + } else { Logger.error("Failed to generate a valid protocol request!"); resp.setContentType("text/html;charset=UTF-8"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 3ab4dd74c..639b8672b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -187,20 +187,20 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { IRequest obj = RequestStorage.getPendingRequest(msg.getRelayState()); if (obj instanceof RequestImpl) { - RequestImpl iReq = (RequestImpl) obj; + RequestImpl iReqSP = (RequestImpl) obj; MOAResponse processedMsg = preProcessAuthResponse((MOAResponse) msg); if ( processedMsg != null ) { - iReq.setInterfederationResponse((MOAResponse) msg); + iReqSP.setInterfederationResponse((MOAResponse) msg); } else { Logger.info("Receive NO valid SSO session from " + msg.getEntityID() +". Switch to local authentication process ..."); - iReq.setRequestedIDP(null); + iReqSP.setRequestedIDP(null); } - return iReq; + return iReqSP; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java new file mode 100644 index 000000000..61b481447 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -0,0 +1,111 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.pvp2x.utils; + +import java.util.List; + +import org.opensaml.saml2.core.Assertion; +import org.opensaml.saml2.core.AuthnContextClassRef; +import org.opensaml.saml2.core.AuthnStatement; +import org.opensaml.saml2.core.Response; +import org.opensaml.saml2.core.Subject; + +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +public class AssertionAttributeExtractor { + + private Assertion assertion = null; + + public AssertionAttributeExtractor(Response samlResponse) throws AssertionAttributeExtractorExeption { + if (samlResponse != null) { + if (samlResponse.getAssertions().size() == 0) + throw new AssertionAttributeExtractorExeption("Assertion"); + + else if (samlResponse.getAssertions().size() > 1) + Logger.warn("Found more then ONE PVP2.1 assertions. Only the First is used."); + + assertion = samlResponse.getAssertions().get(0); + + } else + throw new AssertionAttributeExtractorExeption(); + } + + public String getNameID() throws AssertionAttributeExtractorExeption { + if (assertion.getSubject() != null) { + Subject subject = assertion.getSubject(); + + if (subject.getNameID() != null) { + if (MiscUtil.isNotEmpty(subject.getNameID().getValue())) + return subject.getNameID().getValue(); + + else + Logger.error("SAML2 NameID Element is empty."); + } + } + + throw new AssertionAttributeExtractorExeption("nameID"); + } + + public String getSessionIndex() throws AssertionAttributeExtractorExeption { + AuthnStatement authn = getAuthnStatement(); + + if (MiscUtil.isNotEmpty(authn.getSessionIndex())) + return authn.getSessionIndex(); + + else + throw new AssertionAttributeExtractorExeption("SessionIndex"); + } + + /** + * @return + * @throws AssertionAttributeExtractorExeption + */ + public String getQAALevel() throws AssertionAttributeExtractorExeption { + AuthnStatement authn = getAuthnStatement(); + if (authn.getAuthnContext() != null && authn.getAuthnContext().getAuthnContextClassRef() != null) { + AuthnContextClassRef qaaClass = authn.getAuthnContext().getAuthnContextClassRef(); + + if (MiscUtil.isNotEmpty(qaaClass.getAuthnContextClassRef())) + return qaaClass.getAuthnContextClassRef(); + + else + throw new AssertionAttributeExtractorExeption("AuthnContextClassRef (QAALevel)"); + } + + throw new AssertionAttributeExtractorExeption("AuthnContextClassRef"); + } + + private AuthnStatement getAuthnStatement() throws AssertionAttributeExtractorExeption { + List authnList = assertion.getAuthnStatements(); + if (authnList.size() == 0) + throw new AssertionAttributeExtractorExeption("AuthnStatement"); + + else if (authnList.size() > 1) + Logger.warn("Found more then ONE AuthnStatements in PVP2.1 assertions. Only the First is used."); + + return authnList.get(0); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AttributeExtractor.java deleted file mode 100644 index 666bfab3c..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AttributeExtractor.java +++ /dev/null @@ -1,85 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.utils; - -import java.util.Iterator; -import java.util.List; - -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; -import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; - -public class AttributeExtractor { - - public static String extractSAMLAttributeOA(String name, - AuthenticationSession authSession) { - List extAttributes = authSession.getExtendedSAMLAttributesOA(); - if(extAttributes == null) { - return null; - } - Iterator extAttributesIt = extAttributes.iterator(); - while(extAttributesIt.hasNext()) { - Object attr = extAttributesIt.next(); - if(attr instanceof ExtendedSAMLAttribute) { - ExtendedSAMLAttribute extAttribute = (ExtendedSAMLAttribute) attr; - if(extAttribute.getName().equals(name)) { - if(extAttribute.getValue() instanceof String) { - return extAttribute.getValue().toString(); - } - break; - } - } - } - return null; - } - - public static String extractSAMLAttributeAUTH(String name, - AuthenticationSession authSession) { - List extAttributes = authSession.getExtendedSAMLAttributesAUTH(); - if(extAttributes == null) { - return null; - } - Iterator extAttributesIt = extAttributes.iterator(); - while(extAttributesIt.hasNext()) { - Object attr = extAttributesIt.next(); - if(attr instanceof ExtendedSAMLAttribute) { - ExtendedSAMLAttribute extAttribute = (ExtendedSAMLAttribute) attr; - if(extAttribute.getName().equals(name)) { - if(extAttribute.getValue() instanceof String) { - return extAttribute.getValue().toString(); - } - break; - } - } - } - return null; - } - - public static String extractSAMLAttributeBOTH(String name, - AuthenticationSession authSession) { - String value = extractSAMLAttributeOA(name, authSession); - if(value == null) { - value = extractSAMLAttributeAUTH(name, authSession); - } - return value; - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index ca5cb9226..69167c75d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -22,6 +22,7 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.storage; +import java.util.ArrayList; import java.util.Date; import java.util.List; @@ -36,11 +37,15 @@ import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.session.AuthenticatedSessionStore; +import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.data.EncryptedData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; +import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.id.util.SessionEncrytionUtil; import at.gv.egovernment.moa.logging.Logger; @@ -105,6 +110,51 @@ public class AuthenticationSessionStoreage { return session; } + public static String createInterfederatedSession(IRequest req, boolean isAuthenticated) throws MOADatabaseException, AssertionAttributeExtractorExeption { + String id = Random.nextRandom(); + AuthenticationSession session = new AuthenticationSession(id); + + AuthenticatedSessionStore dbsession = new AuthenticatedSessionStore(); + dbsession.setSessionid(id); + dbsession.setAuthenticated(isAuthenticated); + + //set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1 + Date now = new Date(); + dbsession.setCreated(now); + dbsession.setUpdated(now); + + dbsession.setSession(SerializationUtils.serialize(session)); + + //add interfederation information + List idpList = dbsession.getInderfederation(); + if (idpList == null) + idpList = new ArrayList(); + + InterfederationSessionStore idp = new InterfederationSessionStore(); + idp.setCreated(now); + idp.setIdpurlprefix(req.getInterfederationResponse().getEntityID()); + + AssertionAttributeExtractor extract = new AssertionAttributeExtractor(req.getInterfederationResponse().getResponse()); + idp.setSessionIndex(extract.getSessionIndex()); + idp.setUserNameID(extract.getNameID()); + idp.setAttributesRequested(false); + idp.setQAALevel(extract.getQAALevel()); + idpList.add(idp); + + //store AssertionStore element to Database + try { + MOASessionDBUtils.saveOrUpdate(dbsession); + Logger.info("MOASession with sessionID=" + id + " is stored in Database"); + + } catch (MOADatabaseException e) { + Logger.warn("MOASession could not be created."); + throw new MOADatabaseException(e); + } + + return id; + } + + public static void storeSession(AuthenticationSession session) throws MOADatabaseException, BuildException { try { -- cgit v1.2.3 From 7ae642ec1857d0c796ba21ffcd6b5466285c92af Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 18 Apr 2014 12:48:33 +0200 Subject: create methodes to parse interfederated assertions into authData --- .../id/auth/builder/AuthenticationDataBuilder.java | 49 +++++++++++++++++++--- .../id/storage/AuthenticationSessionStoreage.java | 20 +++++++++ 2 files changed, 63 insertions(+), 6 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 00528f7a1..1e0089a53 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -38,6 +38,8 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; import at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; @@ -72,12 +74,6 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() .getOnlineApplicationParameter(oaID); - - - /* TODO: Support Mandate MODE! - * Insert functionality to translate mandates in case of SSO - */ - AuthenticationData authdata = null; if (protocolRequest instanceof SAML1RequestImpl) { @@ -95,6 +91,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { if (protocolRequest.getInterfederationResponse() != null) { //get attributes from interfederated IDP + buildAuthDataFromInterfederationResponse(authdata, session, oaParam, protocolRequest); } else { @@ -106,6 +103,40 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { return authdata; } + /** + * @param authdata + * @param session + * @param oaParam + */ + private static void buildAuthDataFromInterfederationResponse( + AuthenticationData authdata, AuthenticationSession session, + OAAuthParameter oaParam, IRequest req) { + + try { + AssertionAttributeExtractor extract = + new AssertionAttributeExtractor(req.getInterfederationResponse().getResponse()); + + if (oaParam.isInderfederationIDP()) { + //only set minimal response attributes + authdata.setQAALevel(extract.getQAALevel()); + authdata.setBPK(extract.getNameID()); + + } else { + //IDP response to service provider + // --> collect attributes by using BackChannel communication + + //TODO: get protocol specific requested attributes + + + + } + + } catch (AssertionAttributeExtractorExeption e) { + Logger.error("Build authData from interfederated PVP2.1 assertion FAILED.", e); + + } + } + private static void buildAuthDataFormMOASession(AuthenticationData authData, AuthenticationSession session, OAAuthParameter oaParam) throws BuildException { @@ -147,6 +178,12 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { authData.setSsoSession(AuthenticationSessionStoreage.isSSOSession(session.getSessionID())); + + /* TODO: Support SSO Mandate MODE! + * Insert functionality to translate mandates in case of SSO + */ + + MISMandate mandate = session.getMISMandate(); authData.setMISMandate(mandate); authData.setUseMandate(session.getUseMandate()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index 69167c75d..e18d9786d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -154,6 +154,26 @@ public class AuthenticationSessionStoreage { return id; } + public static void setInterfederationAttributCollectorUsed(AuthenticationSession session, String idpID) throws MOADatabaseException { + AuthenticatedSessionStore dbsession = searchInDatabase(session.getSessionID()); + List idpList = dbsession.getInderfederation(); + for (InterfederationSessionStore idp : idpList) { + if (idp.getIdpurlprefix().endsWith(idpID)) + idp.setAttributesRequested(true); + } + + //store AssertionStore element to Database + try { + MOASessionDBUtils.saveOrUpdate(dbsession); + Logger.info("MOASession with sessionID=" + session.getSessionID() + + " is stored in Database"); + + } catch (MOADatabaseException e) { + Logger.warn("MOASession could not stored.",e); + throw e; + } + } + public static void storeSession(AuthenticationSession session) throws MOADatabaseException, BuildException { -- cgit v1.2.3 From 7bd82975b45983c7376b7ac998f0d47a14a6db0b Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 29 Apr 2014 08:21:21 +0200 Subject: map protocol specific requested attributes to PVP 2.1 attributes --- .../gv/egovernment/moa/id/moduls/RequestImpl.java | 11 +++- .../oauth20/protocol/OAuth20AuthRequest.java | 13 +++++ .../oauth20/protocol/OAuth20TokenRequest.java | 12 +++++ .../id/protocols/pvp2x/PVPTargetConfiguration.java | 14 +++++ .../moa/id/protocols/saml1/SAML1RequestImpl.java | 13 +++++ .../moa/id/protocols/stork2/MOASTORKRequest.java | 61 +++++----------------- 6 files changed, 76 insertions(+), 48 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java index 94851ee8f..4a54a516b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java @@ -23,10 +23,13 @@ package at.gv.egovernment.moa.id.moduls; import java.io.Serializable; +import java.util.List; + +import org.opensaml.saml2.core.Attribute; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; -public class RequestImpl implements IRequest, Serializable{ +public abstract class RequestImpl implements IRequest, Serializable{ private static final long serialVersionUID = 1L; @@ -43,6 +46,12 @@ public class RequestImpl implements IRequest, Serializable{ private String requestedIDP = null; private MOAResponse response = null; + /** + * This method map the protocol specific requested attributes to PVP 2.1 attributes. + * + * @return List of PVP 2.1 attributes with maps all protocol specific attributes + */ + public abstract List getRequestedAttributes(); public void setOAURL(String value) { oaURL = value; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java index dc3335631..6a9e98792 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java @@ -22,8 +22,12 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.protocol; +import java.util.List; + import javax.servlet.http.HttpServletRequest; +import org.opensaml.saml2.core.Attribute; + import at.gv.egovernment.moa.id.commons.db.dao.config.OAOAUTH20; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; @@ -153,4 +157,13 @@ class OAuth20AuthRequest extends OAuth20BaseRequest { } } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes() + */ + @Override + public List getRequestedAttributes() { + //TODO: implement attribut mapping + return null; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java index 0f1ba23b3..3c90a5773 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java @@ -22,8 +22,12 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.protocol; +import java.util.List; + import javax.servlet.http.HttpServletRequest; +import org.opensaml.saml2.core.Attribute; + import at.gv.egovernment.moa.id.commons.db.dao.config.OAOAUTH20; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; @@ -137,4 +141,12 @@ class OAuth20TokenRequest extends OAuth20BaseRequest { this.allowedParameters.add(OAuth20Constants.PARAM_SCOPE); this.allowedParameters.add(OAuth20Constants.PARAM_REDIRECT_URI); } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes() + */ + @Override + public List getRequestedAttributes() { + return null; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java index 6e749aaf0..9cddb9a17 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java @@ -22,6 +22,10 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x; +import java.util.List; + +import org.opensaml.saml2.core.Attribute; + import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; @@ -56,5 +60,15 @@ public class PVPTargetConfiguration extends RequestImpl { public void setConsumerURL(String consumerURL) { this.consumerURL = consumerURL; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes() + */ + @Override + public List getRequestedAttributes() { + // TODO Auto-generated method stub + return null; } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java index 72adfe0e7..dc5e715c9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java @@ -22,6 +22,10 @@ */ package at.gv.egovernment.moa.id.protocols.saml1; +import java.util.List; + +import org.opensaml.saml2.core.Attribute; + import at.gv.egovernment.moa.id.moduls.RequestImpl; /** @@ -48,4 +52,13 @@ public class SAML1RequestImpl extends RequestImpl { this.sourceID = sourceID; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes() + */ + @Override + public List getRequestedAttributes() { + //TODO: implement attribut mapping + return null; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java index 0eb1b83ca..9508919b0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java @@ -1,8 +1,10 @@ package at.gv.egovernment.moa.id.protocols.stork2; -import java.io.Serializable; +import java.util.List; -import at.gv.egovernment.moa.id.moduls.IRequest; +import org.opensaml.saml2.core.Attribute; + +import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.logging.Logger; import eu.stork.peps.auth.commons.IPersonalAttributeList; @@ -14,7 +16,7 @@ import eu.stork.peps.auth.commons.STORKAuthnRequest; * * @author bsuzic */ -public class MOASTORKRequest implements IRequest, Serializable { +public class MOASTORKRequest extends RequestImpl { /** The Constant serialVersionUID. */ private static final long serialVersionUID = 4581953368724501376L; @@ -22,15 +24,6 @@ public class MOASTORKRequest implements IRequest, Serializable { /** The request id. */ private String requestID; - /** The target. */ - private String target = null; - - /** The module. */ - String module = null; - - /** The action. */ - String action = null; - /** The stork authn request. */ private STORKAuthnRequest storkAuthnRequest; @@ -127,41 +120,6 @@ public class MOASTORKRequest implements IRequest, Serializable { return false; } - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.moduls.IRequest#requestedModule() - */ - public String requestedModule() { - return this.module; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.moduls.IRequest#requestedAction() - */ - public String requestedAction() { - return action; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.moduls.IRequest#setModule(java.lang.String) - */ - public void setModule(String module) { - this.module = module; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.moduls.IRequest#setAction(java.lang.String) - */ - public void setAction(String action) { - this.action = action; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.moduls.IRequest#getTarget() - */ - public String getTarget() { - return this.target; - } - /* (non-Javadoc) * @see at.gv.egovernment.moa.id.moduls.IRequest#setRequestID(java.lang.String) */ @@ -229,4 +187,13 @@ public class MOASTORKRequest implements IRequest, Serializable { // TODO Auto-generated method stub return null; } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes() + */ + @Override + public List getRequestedAttributes() { + // TODO Auto-generated method stub + return null; + } } -- cgit v1.2.3 From ae7303098d7bd3574c83f3ba4f4c57ae14c476c7 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 29 Apr 2014 08:22:20 +0200 Subject: add log message --- .../at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index 283142cda..5333a58ab 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -161,9 +161,8 @@ public class MetadataAction implements IAction { sw.close(); String metadataXML = sw.toString(); - - System.out.println("METADATA: " + metadataXML); - + Logger.debug("METADATA: " + metadataXML); + httpResp.setContentType("text/xml"); httpResp.getOutputStream().write(metadataXML.getBytes()); -- cgit v1.2.3 From 9fe8db82075de8780feec90f94063e708e521391 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 2 May 2014 13:16:29 +0200 Subject: add interfederation attribute query --- .../moa/id/advancedlogging/StatisticLogger.java | 56 +-- .../AuthenticationBlockAssertionBuilder.java | 3 +- .../AuthenticationDataAssertionBuilder.java | 1 + .../id/auth/builder/AuthenticationDataBuilder.java | 423 +++++++++++++++++++-- .../builder/DynamicOAAuthParameterBuilder.java | 109 ++++++ .../auth/builder/GetIdentityLinkFormBuilder.java | 4 +- .../moa/id/auth/builder/LoginFormBuilder.java | 7 +- .../id/auth/exception/DynamicOABuildException.java | 40 ++ .../moa/id/auth/servlet/LogOutServlet.java | 2 +- .../id/auth/servlet/SSOSendAssertionServlet.java | 2 +- .../id/config/auth/AuthConfigurationProvider.java | 16 +- .../moa/id/config/auth/IOAAuthParameters.java | 133 +++++++ .../moa/id/config/auth/OAAuthParameter.java | 146 +++++-- .../config/auth/data/DynamicOAAuthParameters.java | 359 +++++++++++++++++ .../moa/id/data/AuthenticationData.java | 85 ++++- .../at/gv/egovernment/moa/id/data/IAuthData.java | 7 + .../moa/id/data/SLOInformationImpl.java | 23 +- .../moa/id/data/SLOInformationInterface.java | 5 + .../moa/id/entrypoints/DispatcherServlet.java | 46 ++- .../at/gv/egovernment/moa/id/moduls/IRequest.java | 5 + .../gv/egovernment/moa/id/moduls/SSOManager.java | 95 ++++- .../attributes/OAuth20AttributeBuilder.java | 37 ++ .../oauth20/protocol/OAuth20AuthAction.java | 2 +- .../oauth20/protocol/OAuth20AuthRequest.java | 47 ++- .../oauth20/protocol/OAuth20Protocol.java | 11 + .../id/protocols/pvp2x/AttributQueryAction.java | 178 +++++++++ .../id/protocols/pvp2x/AuthenticationAction.java | 1 + .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 233 ++++++++---- .../moa/id/protocols/pvp2x/PVPConstants.java | 2 + .../id/protocols/pvp2x/PVPTargetConfiguration.java | 77 +++- .../id/protocols/pvp2x/binding/PostBinding.java | 3 +- .../id/protocols/pvp2x/binding/SoapBinding.java | 39 +- .../pvp2x/builder/AttributQueryBuilder.java | 185 +++++++++ .../pvp2x/builder/AuthResponseBuilder.java | 152 ++++++++ .../pvp2x/builder/PVPAttributeBuilder.java | 16 + .../builder/assertion/PVP2AssertionBuilder.java | 157 ++++++-- .../EIDIssuingNationAttributeBuilder.java | 38 +- .../pvp2x/builder/attributes/EIDSTORKTOKEN.java | 13 +- .../protocols/pvp2x/config/PVPConfiguration.java | 13 +- .../AssertionAttributeExtractorExeption.java | 50 +++ .../exceptions/AssertionValidationExeption.java | 49 +++ .../pvp2x/exceptions/AttributQueryException.java | 44 +++ .../id/protocols/pvp2x/messages/MOARequest.java | 7 +- .../pvp2x/requestHandler/ArtifactResolution.java | 13 +- .../pvp2x/requestHandler/AuthnRequestHandler.java | 146 +------ .../pvp2x/requestHandler/IRequestHandler.java | 5 +- .../pvp2x/requestHandler/RequestManager.java | 3 +- .../moa/id/protocols/pvp2x/utils/SAML2Utils.java | 13 + .../pvp2x/verification/SAMLVerificationEngine.java | 110 +++++- .../moa/id/protocols/saml1/GetArtifactAction.java | 4 +- .../protocols/saml1/SAML1AuthenticationData.java | 2 - .../moa/id/protocols/saml1/SAML1Protocol.java | 27 +- .../moa/id/protocols/saml1/SAML1RequestImpl.java | 36 +- .../id/protocols/stork2/AttributeCollector.java | 2 +- .../id/protocols/stork2/AuthenticationRequest.java | 3 +- .../moa/id/protocols/stork2/ConsentEvaluator.java | 4 +- .../moa/id/storage/AssertionStorage.java | 2 +- .../id/storage/AuthenticationSessionStoreage.java | 294 ++++++++++++-- .../moa/id/storage/DBExceptionStoreImpl.java | 2 +- 59 files changed, 3083 insertions(+), 504 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DynamicOABuildException.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AssertionAttributeExtractorExeption.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AssertionValidationExeption.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AttributQueryException.java (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java index d4b5d1c05..0e5f9bcc3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java @@ -51,7 +51,8 @@ import at.gv.egovernment.moa.id.commons.db.dao.statistic.StatisticLog; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; @@ -97,9 +98,9 @@ public class StatisticLogger { } } - public void logSuccessOperation(IRequest protocolRequest, AuthenticationSession moasession, boolean isSSOSession) { + public void logSuccessOperation(IRequest protocolRequest, IAuthData authData, boolean isSSOSession) { - if ( isAktive && protocolRequest != null && moasession != null) { + if ( isAktive && protocolRequest != null && authData != null) { OnlineApplication dbOA = ConfigurationDBRead.getOnlineApplication(protocolRequest.getOAURL()); @@ -128,9 +129,18 @@ public class StatisticLogger { dblog.setOatarget(dbOA.getAuthComponentOA().getIdentificationNumber().getValue()); else dblog.setOatarget(dbOA.getTarget()); + + dblog.setInterfederatedSSOSession(authData.isInterfederatedSSOSession()); - dblog.setBkuurl(moasession.getBkuURL()); - dblog.setBkutype(findBKUType(moasession.getBkuURL(), dbOA)); + if (authData.isInterfederatedSSOSession()) { + dblog.setBkutype(IOAAuthParameters.INDERFEDERATEDIDP); + dblog.setBkuurl(authData.getInterfederatedIDP()); + + } else { + dblog.setBkuurl(authData.getBkuURL()); + dblog.setBkutype(findBKUType(authData.getBkuURL(), dbOA)); + + } dblog.setProtocoltype(protocolRequest.requestedModule()); dblog.setProtocolsubtype(protocolRequest.requestedAction()); @@ -138,10 +148,10 @@ public class StatisticLogger { //log MandateInforamtion - if (moasession.getUseMandate()) { - dblog.setMandatelogin(moasession.getUseMandate()); + if (authData.isUseMandate()) { + dblog.setMandatelogin(authData.isUseMandate()); - MISMandate mandate = moasession.getMISMandate(); + MISMandate mandate = authData.getMISMandate(); if (mandate != null) { if (MiscUtil.isNotEmpty(mandate.getProfRep())) { @@ -333,13 +343,13 @@ public class StatisticLogger { BKUURLS bkuurls = oaAuth.getBKUURLS(); if (bkuurls != null) { if (bkuURL.equals(bkuurls.getHandyBKU())) - return OAAuthParameter.HANDYBKU; + return IOAAuthParameters.HANDYBKU; if (bkuURL.equals(bkuurls.getLocalBKU())) - return OAAuthParameter.LOCALBKU; + return IOAAuthParameters.LOCALBKU; if (bkuURL.equals(bkuurls.getOnlineBKU())) - return OAAuthParameter.ONLINEBKU; + return IOAAuthParameters.ONLINEBKU; } } } @@ -348,14 +358,14 @@ public class StatisticLogger { try { AuthConfigurationProvider authconfig = AuthConfigurationProvider.getInstance(); - if (bkuURL.equals(authconfig.getDefaultBKUURL(OAAuthParameter.ONLINEBKU))) - return OAAuthParameter.ONLINEBKU; + if (bkuURL.equals(authconfig.getDefaultBKUURL(IOAAuthParameters.ONLINEBKU))) + return IOAAuthParameters.ONLINEBKU; - if (bkuURL.equals(authconfig.getDefaultBKUURL(OAAuthParameter.LOCALBKU))) - return OAAuthParameter.LOCALBKU; + if (bkuURL.equals(authconfig.getDefaultBKUURL(IOAAuthParameters.LOCALBKU))) + return IOAAuthParameters.LOCALBKU; - if (bkuURL.equals(authconfig.getDefaultBKUURL(OAAuthParameter.HANDYBKU))) - return OAAuthParameter.HANDYBKU; + if (bkuURL.equals(authconfig.getDefaultBKUURL(IOAAuthParameters.HANDYBKU))) + return IOAAuthParameters.HANDYBKU; } catch (ConfigurationException e) { Logger.info("Advanced Logging: Default BKUs read failed"); @@ -364,17 +374,17 @@ public class StatisticLogger { Logger.debug("Staticic Log search BKUType from generneric Parameters"); if (bkuURL.endsWith(GENERIC_LOCALBKU)) { - Logger.debug("BKUURL " + bkuURL + " is mapped to " + OAAuthParameter.LOCALBKU); - return OAAuthParameter.LOCALBKU; + Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.LOCALBKU); + return IOAAuthParameters.LOCALBKU; } if (bkuURL.startsWith(GENERIC_HANDYBKU)) { - Logger.debug("BKUURL " + bkuURL + " is mapped to " + OAAuthParameter.HANDYBKU); - return OAAuthParameter.HANDYBKU; + Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.HANDYBKU); + return IOAAuthParameters.HANDYBKU; } - Logger.debug("BKUURL " + bkuURL + " is mapped to " + OAAuthParameter.ONLINEBKU); - return OAAuthParameter.ONLINEBKU; + Logger.debug("BKUURL " + bkuURL + " is mapped to " + IOAAuthParameters.ONLINEBKU); + return IOAAuthParameters.ONLINEBKU; } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java index 30ad0bdc9..a6c2cde05 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java @@ -51,6 +51,7 @@ import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; @@ -496,7 +497,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion String gebDat, List extendedSAMLAttributes, AuthenticationSession session, - OAAuthParameter oaParam) + IOAAuthParameters oaParam) throws BuildException { session.setSAMLAttributeGebeORwbpk(true); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java index 4c824354c..ba4440bf8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataAssertionBuilder.java @@ -239,6 +239,7 @@ public class AuthenticationDataAssertionBuilder extends AuthenticationAssertionB { String isQualifiedCertificate = authData.isQualifiedCertificate() ? "true" : "false"; + String publicAuthorityAttribute = ""; if (authData.isPublicAuthority()) { String publicAuthorityIdentification = authData.getPublicAuthorityCode(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 1e0089a53..33c150927 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -22,24 +22,64 @@ */ package at.gv.egovernment.moa.id.auth.builder; +import iaik.x509.X509Certificate; + +import java.io.IOException; +import java.io.InputStream; +import java.util.ArrayList; +import java.util.List; + +import javax.naming.ldap.LdapName; +import javax.naming.ldap.Rdn; + +import org.opensaml.saml2.core.Assertion; +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.AttributeQuery; +import org.opensaml.saml2.core.AttributeStatement; +import org.opensaml.saml2.core.Response; +import org.opensaml.ws.soap.client.BasicSOAPMessageContext; +import org.opensaml.ws.soap.client.http.HttpClientBuilder; +import org.opensaml.ws.soap.client.http.HttpSOAPClient; +import org.opensaml.ws.soap.common.SOAPException; +import org.opensaml.ws.soap.soap11.Body; +import org.opensaml.ws.soap.soap11.Envelope; +import org.opensaml.xml.parse.BasicParserPool; +import org.opensaml.xml.security.SecurityException; import org.w3c.dom.Element; import org.w3c.dom.Node; +import eu.stork.peps.auth.commons.PersonalAttribute; +import eu.stork.peps.auth.commons.PersonalAttributeList; + import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.auth.exception.DynamicOABuildException; +import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; +import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils; +import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; +import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; import at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; @@ -47,6 +87,7 @@ import at.gv.egovernment.moa.id.util.IdentityLinkReSigner; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.XPathUtils; @@ -58,7 +99,7 @@ import at.gv.egovernment.moa.util.XPathUtils; public class AuthenticationDataBuilder implements MOAIDAuthConstants { public static IAuthData buildAuthenticationData(IRequest protocolRequest, - AuthenticationSession session) throws ConfigurationException, BuildException, WrongParametersException { + AuthenticationSession session, List reqAttributes) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException { String oaID = protocolRequest.getOAURL(); @@ -71,11 +112,9 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { if (!ParamValidatorUtils.isValidOA(oaID)) throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12"); - - OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() - .getOnlineApplicationParameter(oaID); - AuthenticationData authdata = null; + AuthenticationData authdata = null; + if (protocolRequest instanceof SAML1RequestImpl) { //request is SAML1 SAML1AuthenticationData saml1authdata = new SAML1AuthenticationData(); @@ -88,11 +127,65 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } + //reuse some parameters if it is a reauthentication + OASessionStore activeOA = AuthenticationSessionStoreage.searchActiveOASSOSession(session, oaID, protocolRequest.requestedModule()); + if (activeOA != null) { + authdata.setSessionIndex(activeOA.getAssertionSessionID()); + authdata.setNameID(activeOA.getUserNameID()); + authdata.setNameIDFormat(activeOA.getUserNameIDFormat()); - if (protocolRequest.getInterfederationResponse() != null) { - //get attributes from interfederated IDP - buildAuthDataFromInterfederationResponse(authdata, session, oaParam, protocolRequest); + //mark AttributeQuery as used + if ( protocolRequest instanceof PVPTargetConfiguration && + ((PVPTargetConfiguration) protocolRequest).getRequest() instanceof MOARequest && + ((PVPTargetConfiguration) protocolRequest).getRequest().getInboundMessage() instanceof AttributeQuery) { + try { + activeOA.setAttributeQueryUsed(true); + MOASessionDBUtils.saveOrUpdate(activeOA); + + } catch (MOADatabaseException e) { + Logger.error("MOASession interfederation information can not stored to database.", e); + + } + } + } + + InterfederationSessionStore interfIDP = AuthenticationSessionStoreage.searchInterfederatedIDPFORAttributeQueryWithSessionID(session); + + IOAAuthParameters oaParam = null; + if (reqAttributes == null) { + //get OnlineApplication from MOA-ID-Auth configuration + oaParam = AuthConfigurationProvider.getInstance() + .getOnlineApplicationParameter(oaID); + + } else { + //build OnlineApplication dynamic from requested attributes + oaParam = DynamicOAAuthParameterBuilder.buildFromAttributeQuery(reqAttributes, interfIDP); + + } + + if (interfIDP != null ) { + //IDP is a chained interfederated IDP and Authentication is requested + if (oaParam.isInderfederationIDP() && protocolRequest instanceof PVPTargetConfiguration && + !(((PVPTargetConfiguration)protocolRequest).getRequest() instanceof AttributeQuery)) { + //only set minimal response attributes + authdata.setQAALevel(interfIDP.getQAALevel()); + authdata.setBPK(interfIDP.getUserNameID()); + + } else { + //mark attribute request as used + try { + interfIDP.setAttributesRequested(true); + MOASessionDBUtils.saveOrUpdate(interfIDP); + + } catch (MOADatabaseException e) { + Logger.error("MOASession interfederation information can not stored to database.", e); + + } + + //get attributes from interfederated IDP + getAuthDataFromInterfederation(authdata, session, oaParam, protocolRequest, interfIDP, reqAttributes); + } } else { //build AuthenticationData from MOASession @@ -103,42 +196,283 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { return authdata; } + /** + * @param req + * @param session + * @param reqAttributes + * @return + * @throws WrongParametersException + * @throws ConfigurationException + * @throws BuildException + * @throws DynamicOABuildException + */ + public static IAuthData buildAuthenticationData(IRequest req, + AuthenticationSession session) throws WrongParametersException, ConfigurationException, BuildException, DynamicOABuildException { + return buildAuthenticationData(req, session, null); + } + /** * @param authdata * @param session * @param oaParam + * @param protocolRequest + * @param interfIDP + * @param reqQueryAttr + * @throws ConfigurationException */ - private static void buildAuthDataFromInterfederationResponse( + private static void getAuthDataFromInterfederation( AuthenticationData authdata, AuthenticationSession session, - OAAuthParameter oaParam, IRequest req) { - - try { - AssertionAttributeExtractor extract = - new AssertionAttributeExtractor(req.getInterfederationResponse().getResponse()); + IOAAuthParameters oaParam, IRequest req, + InterfederationSessionStore interfIDP, List reqQueryAttr) throws BuildException, ConfigurationException{ - if (oaParam.isInderfederationIDP()) { - //only set minimal response attributes - authdata.setQAALevel(extract.getQAALevel()); - authdata.setBPK(extract.getNameID()); - + try { + List attributs = null; + + //IDP is a chained interfederated IDP and request is of type AttributQuery + if (oaParam.isInderfederationIDP() && req instanceof PVPTargetConfiguration && + (((PVPTargetConfiguration)req).getRequest() instanceof AttributeQuery) && + reqQueryAttr != null) { + attributs = reqQueryAttr; + + //IDP is a service provider IDP and request interfederated IDP to collect attributes } else { - //IDP response to service provider - // --> collect attributes by using BackChannel communication - - //TODO: get protocol specific requested attributes + //TODO: check if response include attributes and map this attributes to requested attributes + + //get PVP 2.1 attributes from protocol specific requested attributes + attributs = req.getRequestedAttributes(); + } + //collect attributes by using BackChannel communication + String endpoint = oaParam.getIDPAttributQueryServiceURL(); + if (MiscUtil.isEmpty(endpoint)) { + Logger.error("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix()); + throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix(), null); } + + //build attributQuery request + AttributeQuery query = + AttributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs); + + //build SOAP request + BasicParserPool parserPool = new BasicParserPool(); + parserPool.setNamespaceAware(true); + + Envelope soapRequest = SAML2Utils.buildSOAP11Envelope(query); + + BasicSOAPMessageContext soapContext = new BasicSOAPMessageContext(); + soapContext.setOutboundMessage(soapRequest); + HttpClientBuilder clientBuilder = new HttpClientBuilder(); + HttpSOAPClient soapClient = new HttpSOAPClient(clientBuilder.buildClient(), parserPool); + + //send request to IDP + soapClient.send(endpoint, soapContext); + + //parse response + Envelope soapResponse = (Envelope) soapContext.getInboundMessage(); + Body soapBody = soapResponse.getBody(); + + if (soapBody.getUnknownXMLObjects().size() == 0) { + Logger.error("Receive emptry AttributeQuery response-body."); + throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null); + + } + + if (soapBody.getUnknownXMLObjects().get(0) instanceof Response) { + Response intfResp = (Response) soapBody.getUnknownXMLObjects().get(0); + + //validate PVP 2.1 response + try { + SAMLVerificationEngine engine = new SAMLVerificationEngine(); + engine.verifyResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); + + SAMLVerificationEngine.validateAssertion(intfResp, false); + + } catch (Exception e) { + Logger.warn("PVP 2.1 assertion validation FAILED.", e); + throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e); + } + + //parse response information to authData + buildAuthDataFormInterfederationResponse(authdata, session, intfResp); + + } else { + Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response"); + throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null); + + } + + } catch (SOAPException e) { + throw new BuildException("builder.06", null, e); + + } catch (SecurityException e) { + throw new BuildException("builder.06", null, e); + + } catch (AttributQueryException e) { + throw new BuildException("builder.06", null, e); + + } catch (BuildException e) { + throw new BuildException("builder.06", null, e); + + } catch (AssertionValidationExeption e) { + throw new BuildException("builder.06", null, e); + } catch (AssertionAttributeExtractorExeption e) { - Logger.error("Build authData from interfederated PVP2.1 assertion FAILED.", e); + throw new BuildException("builder.06", null, e); } } + private static void buildAuthDataFormInterfederationResponse(AuthenticationData authData, AuthenticationSession session, + Response intfResp) throws BuildException, AssertionAttributeExtractorExeption { + + Logger.debug("Build AuthData from assertion starts ...."); + + Assertion assertion = intfResp.getAssertions().get(0); + + if (assertion.getAttributeStatements().size() == 0) { + Logger.warn("Can not build AuthData from Assertion. NO Attributes included."); + throw new AssertionAttributeExtractorExeption("Can not build AuthData from Assertion. NO Attributes included.", null); + + } + + AttributeStatement attrStat = assertion.getAttributeStatements().get(0); + for (Attribute attr : attrStat.getAttributes()) { + + if (attr.getName().equals(PVPConstants.PRINCIPAL_NAME_NAME)) + authData.setFamilyName(attr.getAttributeValues().get(0).getDOM().getTextContent()); + + if (attr.getName().equals(PVPConstants.GIVEN_NAME_NAME)) + authData.setGivenName(attr.getAttributeValues().get(0).getDOM().getTextContent()); + + if (attr.getName().equals(PVPConstants.BIRTHDATE_NAME)) + authData.setDateOfBirth(attr.getAttributeValues().get(0).getDOM().getTextContent()); + + if (attr.getName().equals(PVPConstants.BPK_NAME)) { + String pvpbPK = attr.getAttributeValues().get(0).getDOM().getTextContent(); + authData.setBPK(pvpbPK.split(":")[1]); + } + + if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) + authData.setBPKType(attr.getAttributeValues().get(0).getDOM().getTextContent()); + + if (attr.getName().equals(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) + authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + + attr.getAttributeValues().get(0).getDOM().getTextContent()); + + if (attr.getName().equals(PVPConstants.EID_ISSUING_NATION_NAME)) + authData.setCcc(attr.getAttributeValues().get(0).getDOM().getTextContent()); + + if (attr.getName().equals(PVPConstants.EID_CCS_URL_NAME)) + authData.setBkuURL(attr.getAttributeValues().get(0).getDOM().getTextContent()); + + if (attr.getName().equals(PVPConstants.EID_AUTH_BLOCK_NAME)) { + try { + byte[] authBlock = Base64Utils.decode(attr.getAttributeValues().get(0).getDOM().getTextContent(), false); + authData.setAuthBlock(new String(authBlock, "UTF-8")); + + } catch (IOException e) { + Logger.error("Received AuthBlock is not valid", e); + + } + } + + if (attr.getName().equals(PVPConstants.EID_SIGNER_CERTIFICATE_NAME)) { + try { + authData.setSignerCertificate(Base64Utils.decode( + attr.getAttributeValues().get(0).getDOM().getTextContent(), false)); + + } catch (IOException e) { + Logger.error("Received SignerCertificate is not valid", e); + + } + } + + if (attr.getName().equals(PVPConstants.EID_SOURCE_PIN_NAME)) + authData.setIdentificationValue(attr.getAttributeValues().get(0).getDOM().getTextContent()); + + if (attr.getName().equals(PVPConstants.EID_SOURCE_PIN_TYPE_NAME)) + authData.setIdentificationType(attr.getAttributeValues().get(0).getDOM().getTextContent()); + + if (attr.getName().equals(PVPConstants.EID_IDENTITY_LINK_NAME)) { + try { + InputStream idlStream = Base64Utils.decodeToStream(attr.getAttributeValues().get(0).getDOM().getTextContent(), false); + IdentityLink idl = new IdentityLinkAssertionParser(idlStream).parseIdentityLink(); + authData.setIdentityLink(idl); + + } catch (ParseException e) { + Logger.error("Received IdentityLink is not valid", e); + + } catch (Exception e) { + Logger.error("Received IdentityLink is not valid", e); + + } + } + + if (attr.getName().equals(PVPConstants.MANDATE_REFERENCE_VALUE_NAME)) + authData.setMandateReferenceValue(attr.getAttributeValues().get(0).getDOM().getTextContent()); + + + if (attr.getName().equals(PVPConstants.MANDATE_FULL_MANDATE_NAME)) { + try { + byte[] mandate = Base64Utils.decode( + attr.getAttributeValues().get(0).getDOM().getTextContent(), false); + + if (authData.getMISMandate() == null) + authData.setMISMandate(new MISMandate()); + authData.getMISMandate().setMandate(mandate); + + authData.setUseMandate(true); + + } catch (Exception e) { + Logger.error("Received Mandate is not valid", e); + throw new AssertionAttributeExtractorExeption(PVPConstants.MANDATE_FULL_MANDATE_NAME); + + } + } + + if (attr.getName().equals(PVPConstants.MANDATE_PROF_REP_OID_NAME)) { + if (authData.getMISMandate() == null) + authData.setMISMandate(new MISMandate()); + authData.getMISMandate().setProfRep( + attr.getAttributeValues().get(0).getDOM().getTextContent()); + + } + + if (attr.getName().equals(PVPConstants.EID_STORK_TOKEN_NAME)) { + authData.setStorkAuthnResponse(attr.getAttributeValues().get(0).getDOM().getTextContent()); + authData.setForeigner(true); + } + + if (attr.getName().startsWith(PVPConstants.STORK_ATTRIBUTE_PREFIX)) { + + if (authData.getStorkAttributes() == null) + authData.setStorkAttributes(new PersonalAttributeList()); + + List storkAttrValues = new ArrayList(); + storkAttrValues.add(attr.getAttributeValues().get(0).getDOM().getTextContent()); + PersonalAttribute storkAttr = new PersonalAttribute(attr.getName(), + false, storkAttrValues , "Available"); + authData.getStorkAttributes().put(attr.getName(), storkAttr ); + authData.setForeigner(true); + } + + } + + authData.setSsoSession(true); + + //only for SAML1 + if (PVPConstants.STORK_QAA_1_4.equals(authData.getQAALevel())) + authData.setQualifiedCertificate(true); + else + authData.setQualifiedCertificate(false); + authData.setPublicAuthority(false); + } + private static void buildAuthDataFormMOASession(AuthenticationData authData, AuthenticationSession session, - OAAuthParameter oaParam) throws BuildException { + IOAAuthParameters oaParam) throws BuildException { String target = oaParam.getTarget(); @@ -173,7 +507,42 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { authData.setForeigner(session.isForeigner()); authData.setQAALevel(session.getQAALevel()); + + if (session.isForeigner()) { + if (authData.getStorkAuthnRequest() != null) { + authData.setCcc(authData.getStorkAuthnRequest() + .getCitizenCountryCode()); + } else { + + try { + //TODO: replace with TSL lookup when TSL is ready! + X509Certificate certificate = new X509Certificate(authData.getSignerCertificate()); + + if (certificate != null) { + + LdapName ln = new LdapName(certificate.getIssuerDN() + .getName()); + for (Rdn rdn : ln.getRdns()) { + if (rdn.getType().equalsIgnoreCase("C")) { + Logger.info("C is: " + rdn.getValue()); + authData.setCcc(rdn.getValue().toString()); + break; + } + } + } + + } catch (Exception e) { + Logger.error("Failed to extract country code from certificate", e); + + } + } + + } else { + authData.setCcc("AT"); + + } + try { authData.setSsoSession(AuthenticationSessionStoreage.isSSOSession(session.getSessionID())); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java new file mode 100644 index 000000000..132b6af01 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java @@ -0,0 +1,109 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.builder; + +import java.util.List; + +import org.opensaml.saml2.core.Attribute; + +import at.gv.egovernment.moa.id.auth.exception.DynamicOABuildException; +import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.config.auth.data.DynamicOAAuthParameters; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Constants; + +/** + * @author tlenz + * + */ +public class DynamicOAAuthParameterBuilder { + + public static IOAAuthParameters buildFromAttributeQuery(List reqAttributes, InterfederationSessionStore interfIDP) throws DynamicOABuildException { + + Logger.debug("Build dynamic OAConfiguration from AttributeQuery and interfederation information"); + + try { + DynamicOAAuthParameters dynamicOA = new DynamicOAAuthParameters(); + + for (Attribute attr : reqAttributes) { + //get Target or BusinessService from request + if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) { + String attrValue = attr.getAttributeValues().get(0).getDOM().getTextContent(); + if (attrValue.startsWith(Constants.URN_PREFIX_CDID)) { + dynamicOA.setBusinessService(false); + dynamicOA.setTarget(attrValue.substring((Constants.URN_PREFIX_CDID + "+").length())); + + } else if( attrValue.startsWith(Constants.URN_PREFIX_WBPK) || + attrValue.startsWith(Constants.URN_PREFIX_STORK) ) { + dynamicOA.setBusinessService(true); + dynamicOA.setTarget(attrValue); + + } else { + Logger.error("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea"); + throw new DynamicOABuildException("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea", null); + + } + + } + + } + + if (interfIDP != null) { + //load interfederated IDP informations + OAAuthParameter idp = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(interfIDP.getIdpurlprefix()); + if (idp == null) { + Logger.warn("Interfederated IDP configuration is not loadable."); + throw new DynamicOABuildException("Interfederated IDP configuration is not loadable.", null); + + } + + dynamicOA.setApplicationID(idp.getPublicURLPrefix()); + dynamicOA.setInderfederatedIDP(idp.isInderfederationIDP()); + dynamicOA.setIDPQueryURL(idp.getIDPAttributQueryServiceURL()); + + //check if IDP service area policy. BusinessService IDPs can only request wbPKs + if (!dynamicOA.getBusinessService() && !idp.isIDPPublicService()) { + Logger.error("Interfederated IDP " + idp.getPublicURLPrefix() + + " has a BusinessService-IDP but requests PublicService attributes."); + throw new DynamicOABuildException("Interfederated IDP " + idp.getPublicURLPrefix() + + " has a BusinessService-IDP but requests PublicService attributes.", null); + + } + } + + return dynamicOA; + + } catch (ConfigurationException e) { + Logger.warn("Internel server errror. Basic configuration load failed.", e); + throw new DynamicOABuildException("Basic configuration load failed.", null); + } + + + + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java index ab93f509c..dc981ba33 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java @@ -52,7 +52,7 @@ import java.io.StringWriter; import java.util.Map; import at.gv.egovernment.moa.id.auth.exception.BuildException; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.util.FormBuildUtils; import at.gv.egovernment.moa.util.MiscUtil; @@ -153,7 +153,7 @@ public class GetIdentityLinkFormBuilder extends Builder { String dataURL, String certInfoXMLRequest, String certInfoDataURL, - String pushInfobox, OAAuthParameter oaParam, + String pushInfobox, IOAAuthParameters oaParam, String appletheigth, String appletwidth) throws BuildException diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java index 4d80be1e8..54196427e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java @@ -40,6 +40,7 @@ import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; import at.gv.egovernment.moa.id.commons.db.dao.config.CPEPS; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol; import at.gv.egovernment.moa.id.util.FormBuildUtils; @@ -105,9 +106,9 @@ public class LoginFormBuilder { IOUtils.copy(input, writer); template = writer.toString(); template = template.replace(AUTH_URL, SERVLET); - template = template.replace(BKU_ONLINE, OAAuthParameter.ONLINEBKU); - template = template.replace(BKU_HANDY, OAAuthParameter.HANDYBKU); - template = template.replace(BKU_LOCAL, OAAuthParameter.LOCALBKU); + template = template.replace(BKU_ONLINE, IOAAuthParameters.ONLINEBKU); + template = template.replace(BKU_HANDY, IOAAuthParameters.HANDYBKU); + template = template.replace(BKU_LOCAL, IOAAuthParameters.LOCALBKU); } catch (Exception e) { Logger.error("Failed to read template", e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DynamicOABuildException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DynamicOABuildException.java new file mode 100644 index 000000000..554cf7370 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/DynamicOABuildException.java @@ -0,0 +1,40 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.exception; + +/** + * @author tlenz + * + */ +public class DynamicOABuildException extends MOAIDException { + + + private static final long serialVersionUID = 3756862942519706809L; + + + public DynamicOABuildException(String messageId, Object[] parameters) { + super(messageId, parameters); + // TODO Auto-generated constructor stub + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java index fc4ec305d..9911fccd4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java @@ -101,7 +101,7 @@ public class LogOutServlet extends AuthServlet { } - if (ssomanager.isValidSSOSession(ssoid, req)) { + if (ssomanager.isValidSSOSession(ssoid, null)) { //TODO: Single LogOut Implementation diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SSOSendAssertionServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SSOSendAssertionServlet.java index 997241822..442ebe2f4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SSOSendAssertionServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SSOSendAssertionServlet.java @@ -108,7 +108,7 @@ public class SSOSendAssertionServlet extends AuthServlet{ } } - boolean isValidSSOSession = ssomanager.isValidSSOSession(ssoId, req); + boolean isValidSSOSession = ssomanager.isValidSSOSession(ssoId, null); String moaSessionID = null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 1e1652412..143a04dad 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -697,17 +697,17 @@ public class AuthConfigurationProvider extends ConfigurationProvider { Logger.warn("Error in MOA-ID Configuration. No SLRequestTemplates found"); throw new ConfigurationException("config.02", null); } else { - SLRequestTemplates.put(OAAuthParameter.ONLINEBKU, templ.getOnlineBKU()); - SLRequestTemplates.put(OAAuthParameter.LOCALBKU, templ.getLocalBKU()); - SLRequestTemplates.put(OAAuthParameter.HANDYBKU, templ.getHandyBKU()); + SLRequestTemplates.put(IOAAuthParameters.ONLINEBKU, templ.getOnlineBKU()); + SLRequestTemplates.put(IOAAuthParameters.LOCALBKU, templ.getLocalBKU()); + SLRequestTemplates.put(IOAAuthParameters.HANDYBKU, templ.getHandyBKU()); } //set Default BKU URLS DefaultBKUs bkuuls = moaidconfig.getDefaultBKUs(); if (bkuuls != null) { - DefaultBKUURLs.put(OAAuthParameter.ONLINEBKU, bkuuls.getOnlineBKU()); - DefaultBKUURLs.put(OAAuthParameter.LOCALBKU, bkuuls.getLocalBKU()); - DefaultBKUURLs.put(OAAuthParameter.HANDYBKU, bkuuls.getHandyBKU()); + DefaultBKUURLs.put(IOAAuthParameters.ONLINEBKU, bkuuls.getOnlineBKU()); + DefaultBKUURLs.put(IOAAuthParameters.LOCALBKU, bkuuls.getLocalBKU()); + DefaultBKUURLs.put(IOAAuthParameters.HANDYBKU, bkuuls.getHandyBKU()); } //set SSO Config @@ -886,7 +886,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider { return el; else { Logger.warn("getSLRequestTemplates: BKU Type does not match: " - + OAAuthParameter.ONLINEBKU + " or " + OAAuthParameter.HANDYBKU + " or " + OAAuthParameter.LOCALBKU); + + IOAAuthParameters.ONLINEBKU + " or " + IOAAuthParameters.HANDYBKU + " or " + IOAAuthParameters.LOCALBKU); return null; } } @@ -901,7 +901,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider { return el; else { Logger.warn("getSLRequestTemplates: BKU Type does not match: " - + OAAuthParameter.ONLINEBKU + " or " + OAAuthParameter.HANDYBKU + " or " + OAAuthParameter.LOCALBKU); + + IOAAuthParameters.ONLINEBKU + " or " + IOAAuthParameters.HANDYBKU + " or " + IOAAuthParameters.LOCALBKU); return null; } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java new file mode 100644 index 000000000..39c8ecfdc --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java @@ -0,0 +1,133 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.config.auth; + +import java.util.List; +import java.util.Map; + +import at.gv.egovernment.moa.id.commons.db.dao.config.AttributeProviderPlugin; +import at.gv.egovernment.moa.id.commons.db.dao.config.CPEPS; +import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; +import at.gv.egovernment.moa.id.commons.db.dao.config.OASAML1; +import at.gv.egovernment.moa.id.commons.db.dao.config.OAStorkAttribute; +import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType; + +/** + * @author tlenz + * + */ +public interface IOAAuthParameters { + + public static final String ONLINEBKU = "online"; + public static final String HANDYBKU = "handy"; + public static final String LOCALBKU = "local"; + public static final String INDERFEDERATEDIDP = "interfederated"; + + + public String getPublicURLPrefix(); + + public boolean getBusinessService(); + + public String getTarget(); + + public boolean isInderfederationIDP(); + + /** + * @return the identityLinkDomainIdentifier + */ + public String getIdentityLinkDomainIdentifier(); + + /** + * @return the keyBoxIdentifier + */ + public String getKeyBoxIdentifier(); + + /** + * @return the transformsInfos + */ + public List getTransformsInfos(); + + public OASAML1 getSAML1Parameter(); + + public OAPVP2 getPVP2Parameter(); + + /** + * @return the templateURL + */ + public List getTemplateURL(); + + public String getAditionalAuthBlockText(); + + public String getBKUURL(String bkutype); + + public List getBKUURL(); + + public boolean useSSO(); + + public boolean useSSOQuestion(); + + public String getSingleLogOutURL(); + + /** + * @return the mandateProfiles + */ + public List getMandateProfiles(); + + /** + * @return the identityLinkDomainIdentifierType + */ + public String getIdentityLinkDomainIdentifierType(); + + public boolean isShowMandateCheckBox(); + + public boolean isOnlyMandateAllowed(); + + /** + * Shall we show the stork login in the bku selection frontend? + * + * @return true, if is we should show stork login + */ + public boolean isShowStorkLogin(); + + public Map getFormCustomizaten(); + + public Integer getQaaLevel(); + + /** + * @return the requestedAttributes + */ + public List getRequestedAttributes(); + + public boolean isRequireConsentForStorkAttributes(); + + public List getStorkAPs(); + + public byte[] getBKUSelectionTemplate(); + + public byte[] getSendAssertionTemplate(); + + public List getPepsList(); + + public String getIDPAttributQueryServiceURL(); + +} \ No newline at end of file diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index 492770aad..63b91f6d2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -57,6 +57,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.BKUSelectionCustomizationT import at.gv.egovernment.moa.id.commons.db.dao.config.BKUURLS; import at.gv.egovernment.moa.id.commons.db.dao.config.CPEPS; import at.gv.egovernment.moa.id.commons.db.dao.config.IdentificationNumber; +import at.gv.egovernment.moa.id.commons.db.dao.config.InterfederationIDPType; import at.gv.egovernment.moa.id.commons.db.dao.config.Mandates; import at.gv.egovernment.moa.id.commons.db.dao.config.MandatesProfileNameItem; import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; @@ -85,13 +86,11 @@ import at.gv.egovernment.moa.util.MiscUtil; * * @author Harald Bratko */ -public class OAAuthParameter extends OAParameter { +public class OAAuthParameter extends OAParameter implements IOAAuthParameters { - public static final String ONLINEBKU = "online"; - public static final String HANDYBKU = "handy"; - public static final String LOCALBKU = "local"; - private AuthComponentOA oa_auth; + private String keyBoxIdentifier; + private InterfederationIDPType inderfederatedIDP = null; public OAAuthParameter(OnlineApplication oa) { super(oa); @@ -99,13 +98,15 @@ public class OAAuthParameter extends OAParameter { this.oa_auth = oa.getAuthComponentOA(); this.keyBoxIdentifier = oa.getKeyBoxIdentifier().value(); -} + + this.inderfederatedIDP = oa.getInterfederationIDP(); + } - private String keyBoxIdentifier; -/** - * @return the identityLinkDomainIdentifier +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier() */ +@Override public String getIdentityLinkDomainIdentifier() { IdentificationNumber idnumber = oa_auth.getIdentificationNumber(); @@ -115,34 +116,45 @@ public String getIdentityLinkDomainIdentifier() { return null; } -/** - * @return the keyBoxIdentifier +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getKeyBoxIdentifier() */ +@Override public String getKeyBoxIdentifier() { return keyBoxIdentifier; } -/** - * @return the transformsInfos +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTransformsInfos() */ +@Override public List getTransformsInfos() { List transformations = oa_auth.getTransformsInfo(); return ConfigurationUtils.getTransformInfos(transformations); } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getSAML1Parameter() + */ + @Override public OASAML1 getSAML1Parameter() { return oa_auth.getOASAML1(); } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getPVP2Parameter() + */ + @Override public OAPVP2 getPVP2Parameter() { return oa_auth.getOAPVP2(); } - /** - * @return the templateURL + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTemplateURL() */ + @Override public List getTemplateURL() { TemplatesType templates = oa_auth.getTemplates(); @@ -154,6 +166,10 @@ public List getTransformsInfos() { return null; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getAditionalAuthBlockText() + */ + @Override public String getAditionalAuthBlockText() { TemplatesType templates = oa_auth.getTemplates(); @@ -163,6 +179,10 @@ public List getTransformsInfos() { return null; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBKUURL(java.lang.String) + */ + @Override public String getBKUURL(String bkutype) { BKUURLS bkuurls = oa_auth.getBKUURLS(); if (bkuurls != null) { @@ -179,6 +199,10 @@ public List getTransformsInfos() { return null; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBKUURL() + */ + @Override public List getBKUURL() { BKUURLS bkuurls = oa_auth.getBKUURLS(); @@ -196,6 +220,10 @@ public List getTransformsInfos() { } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#useSSO() + */ + @Override public boolean useSSO() { OASSO sso = oa_auth.getOASSO(); if (sso != null) @@ -204,6 +232,10 @@ public List getTransformsInfos() { return false; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#useSSOQuestion() + */ + @Override public boolean useSSOQuestion() { OASSO sso = oa_auth.getOASSO(); if (sso != null) @@ -213,6 +245,10 @@ public List getTransformsInfos() { } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getSingleLogOutURL() + */ + @Override public String getSingleLogOutURL() { OASSO sso = oa_auth.getOASSO(); if (sso != null) @@ -221,9 +257,10 @@ public List getTransformsInfos() { return null; } -/** - * @return the mandateProfiles +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getMandateProfiles() */ +@Override public List getMandateProfiles() { Mandates mandates = oa_auth.getMandates(); @@ -253,9 +290,10 @@ public List getMandateProfiles() { return null; } -/** - * @return the identityLinkDomainIdentifierType +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType() */ +@Override public String getIdentityLinkDomainIdentifierType() { IdentificationNumber idnumber = oa_auth.getIdentificationNumber(); if (idnumber != null) @@ -265,6 +303,10 @@ public String getIdentityLinkDomainIdentifierType() { } +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isShowMandateCheckBox() + */ +@Override public boolean isShowMandateCheckBox() { TemplatesType templates = oa_auth.getTemplates(); if (templates != null) { @@ -277,6 +319,10 @@ public boolean isShowMandateCheckBox() { return true; } +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isOnlyMandateAllowed() + */ +@Override public boolean isOnlyMandateAllowed() { TemplatesType templates = oa_auth.getTemplates(); if (templates != null) { @@ -289,11 +335,10 @@ public boolean isOnlyMandateAllowed() { return false; } - /** - * Shall we show the stork login in the bku selection frontend? - * - * @return true, if is we should show stork login + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isShowStorkLogin() */ + @Override public boolean isShowStorkLogin() { try { return oa_auth.getOASTORK().isStorkLogonEnabled(); @@ -303,6 +348,10 @@ public boolean isOnlyMandateAllowed() { } } +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getFormCustomizaten() + */ +@Override public Map getFormCustomizaten() { TemplatesType templates = oa_auth.getTemplates(); @@ -354,6 +403,10 @@ public Map getFormCustomizaten() { return map; } +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getQaaLevel() + */ +@Override public Integer getQaaLevel() { if (oa_auth.getOASTORK() != null && oa_auth.getOASTORK().getQaa() != null) @@ -363,21 +416,34 @@ public Integer getQaaLevel() { return 4; } -/** - * @return the requestedAttributes +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getRequestedAttributes() */ +@Override public List getRequestedAttributes() { return oa_auth.getOASTORK().getOAAttributes(); } +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isRequireConsentForStorkAttributes() + */ +@Override public boolean isRequireConsentForStorkAttributes() { return oa_auth.getOASTORK().isRequireConsent(); } +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getStorkAPs() + */ +@Override public List getStorkAPs() { return oa_auth.getOASTORK().getAttributeProviders(); } +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBKUSelectionTemplate() + */ +@Override public byte[] getBKUSelectionTemplate() { TemplatesType templates = oa_auth.getTemplates(); @@ -389,6 +455,10 @@ public byte[] getBKUSelectionTemplate() { return null; } +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getSendAssertionTemplate() + */ +@Override public byte[] getSendAssertionTemplate() { TemplatesType templates = oa_auth.getTemplates(); @@ -400,8 +470,34 @@ public byte[] getSendAssertionTemplate() { return null; } +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getPepsList() + */ +@Override public List getPepsList() { return new ArrayList(oa_auth.getOASTORK().getCPEPS()); } + +/* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIDPAttributQueryServiceURL() + */ +@Override +public String getIDPAttributQueryServiceURL() { + if (inderfederatedIDP != null) + return inderfederatedIDP.getAttributeQueryURL(); + else + return null; + +} + +public boolean isIDPPublicService() { + if (inderfederatedIDP != null) + return inderfederatedIDP.isPublicService(); + + else + return false; + +} + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java new file mode 100644 index 000000000..f35027f21 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java @@ -0,0 +1,359 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.config.auth.data; + +import java.util.List; +import java.util.Map; + +import at.gv.egovernment.moa.id.commons.db.dao.config.AttributeProviderPlugin; +import at.gv.egovernment.moa.id.commons.db.dao.config.CPEPS; +import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; +import at.gv.egovernment.moa.id.commons.db.dao.config.OASAML1; +import at.gv.egovernment.moa.id.commons.db.dao.config.OAStorkAttribute; +import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; + +/** + * @author tlenz + * + */ +public class DynamicOAAuthParameters implements IOAAuthParameters { + + private String applicationID = null; + + private boolean isBusinessService; + private String target; + private String businessTarget; + + private boolean inderfederatedIDP; + private String IDPQueryURL; + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService() + */ + @Override + public boolean getBusinessService() { + return this.isBusinessService; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget() + */ + @Override + public String getTarget() { + return this.target; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier() + */ + @Override + public String getIdentityLinkDomainIdentifier() { + return this.businessTarget; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isInderfederationIDP() + */ + @Override + public boolean isInderfederationIDP() { + return this.inderfederatedIDP; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIDPAttributQueryServiceURL() + */ + @Override + public String getIDPAttributQueryServiceURL() { + return this.IDPQueryURL; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getKeyBoxIdentifier() + */ + @Override + public String getKeyBoxIdentifier() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTransformsInfos() + */ + @Override + public List getTransformsInfos() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getSAML1Parameter() + */ + @Override + public OASAML1 getSAML1Parameter() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getPVP2Parameter() + */ + @Override + public OAPVP2 getPVP2Parameter() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTemplateURL() + */ + @Override + public List getTemplateURL() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getAditionalAuthBlockText() + */ + @Override + public String getAditionalAuthBlockText() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBKUURL(java.lang.String) + */ + @Override + public String getBKUURL(String bkutype) { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBKUURL() + */ + @Override + public List getBKUURL() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#useSSO() + */ + @Override + public boolean useSSO() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#useSSOQuestion() + */ + @Override + public boolean useSSOQuestion() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getSingleLogOutURL() + */ + @Override + public String getSingleLogOutURL() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getMandateProfiles() + */ + @Override + public List getMandateProfiles() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType() + */ + @Override + public String getIdentityLinkDomainIdentifierType() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isShowMandateCheckBox() + */ + @Override + public boolean isShowMandateCheckBox() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isOnlyMandateAllowed() + */ + @Override + public boolean isOnlyMandateAllowed() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isShowStorkLogin() + */ + @Override + public boolean isShowStorkLogin() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getFormCustomizaten() + */ + @Override + public Map getFormCustomizaten() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getQaaLevel() + */ + @Override + public Integer getQaaLevel() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getRequestedAttributes() + */ + @Override + public List getRequestedAttributes() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isRequireConsentForStorkAttributes() + */ + @Override + public boolean isRequireConsentForStorkAttributes() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getStorkAPs() + */ + @Override + public List getStorkAPs() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBKUSelectionTemplate() + */ + @Override + public byte[] getBKUSelectionTemplate() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getSendAssertionTemplate() + */ + @Override + public byte[] getSendAssertionTemplate() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getPepsList() + */ + @Override + public List getPepsList() { + // TODO Auto-generated method stub + return null; + } + + /** + * @param isBusinessService the isBusinessService to set + */ + public void setBusinessService(boolean isBusinessService) { + this.isBusinessService = isBusinessService; + } + + /** + * @param target the target to set + */ + public void setTarget(String target) { + this.target = target; + } + + /** + * @param businessTarget the businessTarget to set + */ + public void setBusinessTarget(String businessTarget) { + this.businessTarget = businessTarget; + } + + /** + * @param inderfederatedIDP the inderfederatedIDP to set + */ + public void setInderfederatedIDP(boolean inderfederatedIDP) { + this.inderfederatedIDP = inderfederatedIDP; + } + + /** + * @param iDPQueryURL the iDPQueryURL to set + */ + public void setIDPQueryURL(String iDPQueryURL) { + IDPQueryURL = iDPQueryURL; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getPublicURLPrefix() + */ + @Override + public String getPublicURLPrefix() { + return this.applicationID; + } + + /** + * @param applicationID the applicationID to set + */ + public void setApplicationID(String applicationID) { + this.applicationID = applicationID; + } + + + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java index e73bac41c..7a9d2cfc1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java @@ -131,10 +131,17 @@ public class AuthenticationData implements IAuthData, Serializable { private MISMandate mandate = null; private String mandateReferenceValue = null; - private boolean foreigner; + private boolean foreigner =false; private String QAALevel = null; - private boolean ssoSession; + private boolean ssoSession = false; + + private boolean interfederatedSSOSession = false; + private String interfederatedIDP = null; + + private String sessionIndex = null; + private String nameID = null; + private String nameIDFormat = null; public AuthenticationData() { issueInstant = new Date(); @@ -575,10 +582,78 @@ public class AuthenticationData implements IAuthData, Serializable { public void setCcc(String ccc) { this.ccc = ccc; } + + /** + * @return the sessionIndex + */ + public String getSessionIndex() { + return sessionIndex; + } + + /** + * @param sessionIndex the sessionIndex to set + */ + public void setSessionIndex(String sessionIndex) { + this.sessionIndex = sessionIndex; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getNameID() + */ + @Override + public String getNameID() { + return this.nameID; + } + + /** + * @param nameID the nameID to set + */ + public void setNameID(String nameID) { + this.nameID = nameID; + } + + /** + * @return the nameIDFormat + */ + public String getNameIDFormat() { + return nameIDFormat; + } + + /** + * @param nameIDFormat the nameIDFormat to set + */ + public void setNameIDFormat(String nameIDFormat) { + this.nameIDFormat = nameIDFormat; + } + + /** + * @return the interfederatedSSOSession + */ + public boolean isInterfederatedSSOSession() { + return interfederatedSSOSession; + } + + /** + * @param interfederatedSSOSession the interfederatedSSOSession to set + */ + public void setInterfederatedSSOSession(boolean interfederatedSSOSession) { + this.interfederatedSSOSession = interfederatedSSOSession; + } + + /** + * @return the interfederatedIDP + */ + public String getInterfederatedIDP() { + return interfederatedIDP; + } + + /** + * @param interfederatedIDP the interfederatedIDP to set + */ + public void setInterfederatedIDP(String interfederatedIDP) { + this.interfederatedIDP = interfederatedIDP; + } - - - } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java index 699bd871b..4ea81f134 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java @@ -42,6 +42,7 @@ public interface IAuthData { String getIssuer(); boolean isSsoSession(); + boolean isInterfederatedSSOSession(); boolean isUseMandate(); String getFamilyName(); @@ -52,6 +53,8 @@ public interface IAuthData { String getBPK(); String getBPKType(); + String getInterfederatedIDP(); + String getIdentificationValue(); String getIdentificationType(); @@ -71,6 +74,10 @@ public interface IAuthData { String getQAALevel(); + String getSessionIndex(); + String getNameID(); + String getNameIDFormat(); + boolean isForeigner(); String getCcc(); STORKAuthnRequest getStorkAuthnRequest(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java index 971222b67..02bd74291 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java @@ -32,10 +32,12 @@ public class SLOInformationImpl implements SLOInformationInterface { private String sessionIndex = null; private String nameID = null; private String protocolType = null; + private String nameIDFormat = null; - public SLOInformationImpl(String sessionID, String nameID, String protocolType) { + public SLOInformationImpl(String sessionID, String nameID, String nameIDFormat, String protocolType) { this.sessionIndex = sessionID; this.nameID = nameID; + this.nameIDFormat = nameIDFormat; this.protocolType = protocolType; } @@ -100,6 +102,25 @@ public class SLOInformationImpl implements SLOInformationInterface { public String getProtocolType() { return protocolType; } + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.SLOInformationInterface#getUserNameIDFormat() + */ + @Override + public String getUserNameIDFormat() { + return this.nameIDFormat; + } + + + /** + * @param nameIDFormat the nameIDFormat to set + */ + public void setNameIDFormat(String nameIDFormat) { + this.nameIDFormat = nameIDFormat; + } + + diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationInterface.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationInterface.java index 7290665e9..2c5682c0f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationInterface.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationInterface.java @@ -53,6 +53,11 @@ public interface SLOInformationInterface { * return authentication protocol type */ public String getProtocolType(); + + /** + * @return + */ + public String getUserNameIDFormat(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 2f4bbbcf4..9f1b6b3e8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -249,26 +249,38 @@ public class DispatcherServlet extends AuthServlet{ try { protocolRequest = info.preProcess(req, resp, action); - if (protocolRequest != null && - MiscUtil.isEmpty(protocolRequest.getRequestID())) { - - //Start new Authentication - protocolRequest.setAction(action); - protocolRequest.setModule(module); - protocolRequestID = Random.nextRandom(); - protocolRequest.setRequestID(protocolRequestID); - - RequestStorage.setPendingRequest(protocolRequest); - - Logger.debug(DispatcherServlet.class.getName()+": Create PendingRequest with ID " + protocolRequestID + "."); - - } else if (protocolRequest != null && + //request is a valid interfederation response + if (protocolRequest != null && protocolRequest.getInterfederationResponse() != null ) { Logger.debug("Create new interfederated MOA-Session and add to HTTPRequest"); + + //reload SP protocol implementation + info = ModulStorage.getModuleByPath(protocolRequest.requestedModule()); + moduleAction = info.getAction(protocolRequest.requestedAction()); + + //create interfederated mOASession String sessionID = AuthenticationSessionStoreage.createInterfederatedSession(protocolRequest, true); req.getParameterMap().put(PARAM_SESSIONID, sessionID); + Logger.info("PreProcessing of SSO interfederation response complete. "); - + + //request is a not valid interfederation response -> Restart local authentication + } else if (protocolRequest != null && + MiscUtil.isNotEmpty(protocolRequest.getRequestID())) { + Logger.info("PreProcessing of SSO interfederation response FAILED. Starting local authentication ..."); + + //request is a new authentication request + } else if (protocolRequest != null && + MiscUtil.isEmpty(protocolRequest.getRequestID())) { + //Start new Authentication + protocolRequest.setAction(action); + protocolRequest.setModule(module); + protocolRequestID = Random.nextRandom(); + protocolRequest.setRequestID(protocolRequestID); + RequestStorage.setPendingRequest(protocolRequest); + Logger.debug(DispatcherServlet.class.getName()+": Create PendingRequest with ID " + protocolRequestID + "."); + + } else { Logger.error("Failed to generate a valid protocol request!"); resp.setContentType("text/html;charset=UTF-8"); @@ -335,7 +347,7 @@ public class DispatcherServlet extends AuthServlet{ } - isValidSSOSession = ssomanager.isValidSSOSession(ssoId, req); + isValidSSOSession = ssomanager.isValidSSOSession(ssoId, protocolRequest); useSSOOA = oaParam.useSSO(); @@ -445,7 +457,7 @@ public class DispatcherServlet extends AuthServlet{ //Advanced statistic logging StatisticLogger logger = StatisticLogger.getInstance(); - logger.logSuccessOperation(protocolRequest, moasession, isSSOSession); + logger.logSuccessOperation(protocolRequest, authData, isSSOSession); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java index c29c3a1b3..aaeb84f92 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java @@ -22,6 +22,10 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.moduls; +import java.util.List; + +import org.opensaml.saml2.core.Attribute; + import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; public interface IRequest { @@ -38,6 +42,7 @@ public interface IRequest { public String getRequestID(); public String getRequestedIDP(); public MOAResponse getInterfederationResponse(); + public List getRequestedAttributes(); //public void setTarget(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java index 684c6630a..c2e6cd273 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java @@ -31,11 +31,14 @@ import javax.servlet.http.HttpServletResponse; import org.hibernate.Query; import org.hibernate.Session; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.session.AuthenticatedSessionStore; +import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; @@ -68,7 +71,7 @@ public class SSOManager { return instance; } - public boolean isValidSSOSession(String ssoSessionID, HttpServletRequest httpReq) { + public boolean isValidSSOSession(String ssoSessionID, IRequest protocolRequest) { // search SSO Session if (ssoSessionID == null) { @@ -76,10 +79,36 @@ public class SSOManager { return false; } - // String moaSessionId =HTTPSessionUtils.getHTTPSessionString(httpReq.getSession(), - // AuthenticationManager.MOA_SESSION, null); + AuthenticatedSessionStore storedSession = AuthenticationSessionStoreage.isValidSessionWithSSOID(ssoSessionID, null); - return AuthenticationSessionStoreage.isValidSessionWithSSOID(ssoSessionID, null); + if (storedSession == null) + return false; + + else { + if (protocolRequest != null && + protocolRequest instanceof RequestImpl && + storedSession.isInterfederatedSSOSession()) { + + if (MiscUtil.isEmpty(((RequestImpl) protocolRequest).getRequestedIDP())) { + InterfederationSessionStore selectedIDP = AuthenticationSessionStoreage.searchInterfederatedIDPFORSSOWithMOASession(storedSession.getSessionid()); + + if (selectedIDP != null) { + //no local SSO session exist -> request interfederated IDP + ((RequestImpl) protocolRequest).setRequestedIDP(selectedIDP.getIdpurlprefix()); + + } else { + Logger.warn("MOASession is marked as interfederated SSO session but no interfederated IDP is found. Switch to local authentication ..."); + MOASessionDBUtils.delete(storedSession); + + } + } + + return false; + + } + + return true; + } } @@ -95,24 +124,10 @@ public class SSOManager { List result; synchronized (session) { - -// try { -// session.getTransaction().rollback(); -// } -// catch (Exception e) { -// e.printStackTrace(); -// } -// try { -// session.getSessionFactory().openSession(); -// } -// catch (Exception e) { -// e.printStackTrace(); -// } - // session.getTransaction().begin(); - + session.beginTransaction(); Query query = session.getNamedQuery("getSSOSessionWithOldSessionID"); - query.setString("sessionid", ssoId); + query.setParameter("sessionid", ssoId); result = query.list(); // send transaction @@ -198,4 +213,44 @@ public class SSOManager { } } } + + /** + * @param entityID + * @param request + */ + public boolean removeInterfederatedSSOIDP(String entityID, + HttpServletRequest request) { + + String ssoSessionID = getSSOSessionID(request); + + if (MiscUtil.isNotEmpty(ssoSessionID)) { + + AuthenticatedSessionStore storedSession = AuthenticationSessionStoreage.isValidSessionWithSSOID(ssoSessionID, null); + + if (storedSession == null) + return false; + + InterfederationSessionStore selectedIDP = AuthenticationSessionStoreage.searchInterfederatedIDPFORSSOWithMOASessionIDPID(storedSession.getSessionid(), entityID); + + if (selectedIDP != null) { + //no local SSO session exist -> request interfederated IDP + Logger.info("Delete interfederated IDP " + selectedIDP.getIdpurlprefix() + + " from MOASession " + storedSession.getSessionid()); + MOASessionDBUtils.delete(selectedIDP); + + } else { + Logger.warn("MOASession is marked as interfederated SSO session but no interfederated IDP is found. Switch to local authentication ..."); + + } + + + + + return true; + + } else + return false; + + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java index 9376e3d58..3b0d07ce1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java @@ -215,4 +215,41 @@ public final class OAuth20AttributeBuilder { final OAAuthParameter oaParam, final IAuthData authData) { addAttibutes(buildersSTORK, jsonObject, oaParam, authData); } + + /** + * @return the buildersprofile + */ + public static List getBuildersprofile() { + return buildersProfile; + } + + /** + * @return the builderseid + */ + public static List getBuilderseid() { + return buildersEID; + } + + /** + * @return the builderseidgov + */ + public static List getBuilderseidgov() { + return buildersEIDGov; + } + + /** + * @return the buildersmandate + */ + public static List getBuildersmandate() { + return buildersMandate; + } + + /** + * @return the buildersstork + */ + public static List getBuildersstork() { + return buildersSTORK; + } + + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java index 2a1fe0882..4c70ce995 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java @@ -100,7 +100,7 @@ class OAuth20AuthAction implements IAction { //TODO: maybe add bPK / wbPK to SLO information - SLOInformationInterface sloInformation = new SLOInformationImpl(accessToken, null, req.requestedModule()); + SLOInformationInterface sloInformation = new SLOInformationImpl(accessToken, null, null, req.requestedModule()); return sloInformation; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java index 6a9e98792..c47e366a1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java @@ -22,7 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.protocol; +import java.util.HashMap; import java.util.List; +import java.util.Map; import javax.servlet.http.HttpServletRequest; @@ -31,12 +33,18 @@ import org.opensaml.saml2.core.Attribute; import at.gv.egovernment.moa.id.commons.db.dao.config.OAOAUTH20; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util; +import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OAuth20AttributeBuilder; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20AccessDeniedException; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ResponseTypeException; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20WrongParameterException; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; +import at.gv.egovernment.moa.logging.Logger; class OAuth20AuthRequest extends OAuth20BaseRequest { @@ -163,7 +171,42 @@ class OAuth20AuthRequest extends OAuth20BaseRequest { */ @Override public List getRequestedAttributes() { - //TODO: implement attribut mapping - return null; + Map reqAttr = new HashMap(); + for (String el : PVP2XProtocol.DEFAULTREQUESTEDATTRFORINTERFEDERATION) + reqAttr.put(el, ""); + + try { + OAAuthParameter oa = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(getOAURL()); + + for (String s : scope.split(" ")) { + if (s.equalsIgnoreCase("profile")) { + for (IAttributeBuilder el :OAuth20AttributeBuilder.getBuildersprofile()) + reqAttr.put(el.getName(), ""); + + } else if (s.equalsIgnoreCase("eID")) { + for (IAttributeBuilder el :OAuth20AttributeBuilder.getBuilderseid()) + reqAttr.put(el.getName(), ""); + + } else if (s.equalsIgnoreCase("eID_gov")) { + for (IAttributeBuilder el :OAuth20AttributeBuilder.getBuilderseidgov()) + reqAttr.put(el.getName(), ""); + + } else if (s.equalsIgnoreCase("mandate")) { + for (IAttributeBuilder el :OAuth20AttributeBuilder.getBuildersmandate()) + reqAttr.put(el.getName(), ""); + + } else if (s.equalsIgnoreCase("stork")) { + for (IAttributeBuilder el :OAuth20AttributeBuilder.getBuildersstork()) + reqAttr.put(el.getName(), ""); + + } + } + + return AttributQueryBuilder.buildSAML2AttributeList(oa, reqAttr.keySet().iterator()); + + } catch (ConfigurationException e) { + Logger.error("Load configuration for OA " + getOAURL() + " FAILED", e); + return null; + } } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java index 00b7a83f0..951960bc6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java @@ -2,6 +2,7 @@ package at.gv.egovernment.moa.id.protocols.oauth20.protocol; import java.net.URLEncoder; import java.util.HashMap; +import java.util.List; import java.util.Map; import javax.servlet.http.HttpServletRequest; @@ -16,11 +17,14 @@ import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; import com.google.gson.JsonObject; +import edu.emory.mathcs.backport.java.util.Arrays; + public class OAuth20Protocol implements IModulInfo { public static final String NAME = OAuth20Protocol.class.getName(); @@ -29,6 +33,13 @@ public class OAuth20Protocol implements IModulInfo { public static final String AUTH_ACTION = "AUTH"; public static final String TOKEN_ACTION = "TOKEN"; + @SuppressWarnings("unchecked") + public static final List DEFAULTREQUESTEDATTRFORINTERFEDERATION = Arrays.asList( + new String[] { + PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME, + PVPConstants.BPK_NAME + }); + private static HashMap actions = new HashMap(); static { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java new file mode 100644 index 000000000..71d1c26d4 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java @@ -0,0 +1,178 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x; + + +import java.util.ArrayList; +import java.util.List; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.joda.time.DateTime; +import org.opensaml.saml2.core.Assertion; +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.AttributeQuery; +import org.opensaml.saml2.core.Response; +import org.opensaml.ws.message.encoder.MessageEncodingException; +import org.opensaml.xml.security.SecurityException; + +import edu.emory.mathcs.backport.java.util.Arrays; + +import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.SLOInformationInterface; +import at.gv.egovernment.moa.id.moduls.IAction; +import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.SoapBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AuthResponseBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class AttributQueryAction implements IAction { + + @SuppressWarnings("unchecked") + private final static List DEFAULTSTORKATTRIBUTES = Arrays.asList( + new String[]{PVPConstants.EID_STORK_TOKEN_NAME}); + + @SuppressWarnings("unchecked") + private final static List DEFAULTMANDATEATTRIBUTES = Arrays.asList( + new String[]{ PVPConstants.MANDATE_FULL_MANDATE_NAME, + PVPConstants.MANDATE_PROF_REP_OID_NAME}); + + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IAction#processRequest(at.gv.egovernment.moa.id.moduls.IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, at.gv.egovernment.moa.id.data.IAuthData) + */ + @Override + public SLOInformationInterface processRequest(IRequest req, + HttpServletRequest httpReq, HttpServletResponse httpResp, + IAuthData authData) throws MOAIDException { + + if (req instanceof PVPTargetConfiguration && + ((PVPTargetConfiguration) req).getRequest() instanceof MOARequest && + ((MOARequest)((PVPTargetConfiguration) req).getRequest()).getSamlRequest() instanceof AttributeQuery) { + + AttributeQuery attrQuery = (AttributeQuery)((MOARequest)((PVPTargetConfiguration) req).getRequest()).getSamlRequest(); + + //load moaSession + String nameID = attrQuery.getSubject().getNameID().getValue(); + + AuthenticationSession session = AuthenticationSessionStoreage.getSessionWithUserNameID(nameID); + if (session == null) { + Logger.warn("AttributeQuery nameID does not match to an active single sign-on session."); + throw new AttributQueryException("AttributeQuery nameID does not match to an active single sign-on session.", null); + + } + + DateTime date = new DateTime(); + + //generate authData + authData = AuthenticationDataBuilder.buildAuthenticationData(req, session, attrQuery.getAttributes()); + + //add default attributes in case of mandates or STORK is in use + List attrList = addDefaultAttributes(attrQuery, authData); + + //build PVP 2.1 assertion + Assertion assertion = PVP2AssertionBuilder.buildAssertion(attrQuery, attrList, authData, date, authData.getSessionIndex()); + + //build PVP 2.1 response + Response authResponse = AuthResponseBuilder.buildResponse(attrQuery, date, assertion); + + try { + SoapBinding decoder = new SoapBinding(); + decoder.encodeRespone(httpReq, httpResp, authResponse, null, null); + return null; + + } catch (MessageEncodingException e) { + Logger.error("Message Encoding exception", e); + throw new MOAIDException("pvp2.01", null, e); + + } catch (SecurityException e) { + Logger.error("Security exception", e); + throw new MOAIDException("pvp2.01", null, e); + + } + + } else { + Logger.error("Process AttributeQueryAction but request is NOT of type AttributQuery."); + throw new MOAIDException("pvp2.13", null); + + } + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IAction#needAuthentication(at.gv.egovernment.moa.id.moduls.IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) + */ + @Override + public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, + HttpServletResponse httpResp) { + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IAction#getDefaultActionName() + */ + @Override + public String getDefaultActionName() { + return PVP2XProtocol.ATTRIBUTEQUERY; + } + + private List addDefaultAttributes(AttributeQuery query, IAuthData authData) { + + List reqAttributs = new ArrayList(); + + for (Attribute attr : query.getAttributes()) { + reqAttributs.add(attr.getName()); + + } + + //add default STORK attributes if it is a STORK authentication + if (authData.isForeigner() && !reqAttributs.containsAll(DEFAULTSTORKATTRIBUTES)) { + for (String el : DEFAULTSTORKATTRIBUTES) { + if (!reqAttributs.contains(el)) + reqAttributs.add(el); + } + } + + //add default mandate attributes if it is a authentication with mandates + if (authData.isUseMandate() && !reqAttributs.containsAll(DEFAULTMANDATEATTRIBUTES)) { + for (String el : DEFAULTMANDATEATTRIBUTES) { + if (!reqAttributs.contains(el)) + reqAttributs.add(el); + } + } + + return reqAttributs; + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java index 7410e0624..70db9cc23 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java @@ -39,6 +39,7 @@ public class AuthenticationAction implements IAction { HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { PVPTargetConfiguration pvpRequest = (PVPTargetConfiguration) req; + SLOInformationImpl sloInformation = (SLOInformationImpl) RequestManager.getInstance().handle(pvpRequest.request, httpReq, httpResp, authData); //set protocol type diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 639b8672b..d04480ff5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -24,6 +24,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x; import iaik.pkcs.pkcs11.objects.Object; +import java.io.IOException; import java.util.ArrayList; import java.util.HashMap; import java.util.Iterator; @@ -31,59 +32,66 @@ import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.xml.transform.TransformerException; import org.apache.commons.lang.StringEscapeUtils; import org.joda.time.DateTime; import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.core.AttributeQuery; import org.opensaml.saml2.core.AuthnRequest; -import org.opensaml.saml2.core.Conditions; -import org.opensaml.saml2.core.EncryptedAssertion; -import org.opensaml.saml2.core.RequestAbstractType; +import org.opensaml.saml2.core.Issuer; +import org.opensaml.saml2.core.LogoutRequest; +import org.opensaml.saml2.core.LogoutResponse; +import org.opensaml.saml2.core.NameID; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.Status; import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.core.StatusMessage; import org.opensaml.saml2.core.impl.AuthnRequestImpl; -import org.opensaml.saml2.encryption.Decrypter; -import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver; import org.opensaml.saml2.metadata.AssertionConsumerService; import org.opensaml.saml2.metadata.AttributeConsumingService; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver; -import org.opensaml.xml.encryption.DecryptionException; -import org.opensaml.xml.encryption.InlineEncryptedKeyResolver; -import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver; -import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver; -import org.opensaml.xml.security.x509.X509Credential; +import org.opensaml.xml.io.MarshallingException; +import org.opensaml.xml.signature.SignableXMLObject; + +import edu.emory.mathcs.backport.java.util.Arrays; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException; +import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IModulInfo; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.moduls.NoPassivAuthenticationException; import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.moduls.RequestStorage; +import at.gv.egovernment.moa.id.moduls.SSOManager; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.SoapBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.MandateAttributesNotHandleAbleException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.CheckMandateAttributes; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; +import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.id.util.VelocityLogAdapter; import at.gv.egovernment.moa.logging.Logger; @@ -96,18 +104,27 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { public static final String POST = "Post"; public static final String SOAP = "Soap"; public static final String METADATA = "Metadata"; + public static final String ATTRIBUTEQUERY = "AttributeQuery"; private static List decoder = new ArrayList(); private static HashMap actions = new HashMap(); + @SuppressWarnings("unchecked") + public static final List DEFAULTREQUESTEDATTRFORINTERFEDERATION = Arrays.asList( + new String[] { + PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME + }); + static { decoder.add(new PostBinding()); decoder.add(new RedirectBinding()); + decoder.add(new SoapBinding()); actions.put(REDIRECT, new AuthenticationAction()); actions.put(POST, new AuthenticationAction()); actions.put(METADATA, new MetadataAction()); + actions.put(ATTRIBUTEQUERY, new AttributQueryAction()); //TODO: insert getArtifact action @@ -179,9 +196,22 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { } - if (msg instanceof MOARequest) + if (msg instanceof MOARequest && + ((MOARequest)msg).getSamlRequest() instanceof AuthnRequest) return preProcessAuthRequest(request, response, (MOARequest) msg); + else if (msg instanceof MOARequest && + ((MOARequest)msg).getSamlRequest() instanceof AttributeQuery) + return preProcessAttributQueryRequest(request, response, (MOARequest) msg); + + else if (msg instanceof MOARequest && + ((MOARequest)msg).getSamlRequest() instanceof LogoutRequest) + return preProcessLogOut(request, response, (MOARequest) msg); + + else if (msg instanceof MOARequest && + ((MOARequest)msg).getSamlRequest() instanceof LogoutResponse) + return preProcessLogOut(request, response, (MOARequest) msg); + else if (msg instanceof MOAResponse) { //load service provider AuthRequest from session @@ -192,12 +222,17 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { MOAResponse processedMsg = preProcessAuthResponse((MOAResponse) msg); if ( processedMsg != null ) { - iReqSP.setInterfederationResponse((MOAResponse) msg); + iReqSP.setInterfederationResponse(processedMsg); } else { Logger.info("Receive NO valid SSO session from " + msg.getEntityID() - +". Switch to local authentication process ..."); - iReqSP.setRequestedIDP(null); + +". Switch to local authentication process ..."); + + SSOManager ssomanager = SSOManager.getInstance(); + ssomanager.removeInterfederatedSSOIDP(msg.getEntityID(), request); + + iReqSP.setRequestedIDP(null); + } return iReqSP; @@ -206,11 +241,8 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { Logger.error("Stored PVP21 authrequest from service provider has an unsuppored type."); return null; - - } - - - else { + + } else { Logger.error("Receive unsupported PVP21 message"); throw new MOAIDException("Unsupported PVP21 message", new Object[] {}); } @@ -273,16 +305,27 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { samlResponse.setStatus(status); String remoteSessionID = SAML2Utils.getSecureIdentifier(); samlResponse.setID(remoteSessionID); - + + samlResponse.setIssueInstant(new DateTime()); + Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); + nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); + nissuer.setFormat(NameID.ENTITY); + samlResponse.setIssuer(nissuer); + IEncoder encoder = null; - if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { + if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { encoder = new RedirectBinding(); - } else if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_ARTIFACT_BINDING_URI)) { + + } else if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_ARTIFACT_BINDING_URI)) { // TODO: not supported YET!! //binding = new ArtifactBinding(); + } else if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) { encoder = new PostBinding(); + + } else if (pvpRequest.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) { + encoder = new SoapBinding(); } if(encoder == null) { @@ -323,10 +366,75 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { return true; } + + /** + * PreProcess Single LogOut request + * @param request + * @param response + * @param msg + * @return + */ + private IRequest preProcessLogOut(HttpServletRequest request, + HttpServletResponse response, MOARequest msg) { + // TODO Auto-generated method stub + return null; + } + + /** + * PreProcess AttributeQuery request + * @param request + * @param response + * @param moaRequest + * @return + * @throws Throwable + */ + private IRequest preProcessAttributQueryRequest(HttpServletRequest request, + HttpServletResponse response, MOARequest moaRequest) throws Throwable { + + AttributeQuery attrQuery = (AttributeQuery) moaRequest.getSamlRequest(); + moaRequest.setEntityID(attrQuery.getIssuer().getValue()); + + //validate destination + String destinaten = attrQuery.getDestination(); + if (!PVPConfiguration.getInstance().getIDPAttributeQueryService().equals(destinaten)) { + Logger.warn("AttributeQuery destination does not match IDP AttributeQueryService URL"); + throw new AttributQueryException("AttributeQuery destination does not match IDP AttributeQueryService URL", null); + + } + + //check if Issuer is an interfederation IDP + // check parameter + if (!ParamValidatorUtils.isValidOA(moaRequest.getEntityID())) + throw new WrongParametersException("StartAuthentication", + PARAM_OA, "auth.12"); + + OAAuthParameter oa = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moaRequest.getEntityID()); + if (!oa.isInderfederationIDP()) { + Logger.warn("AttributeQuery requests are only allowed for interfederation IDPs."); + throw new AttributQueryException("AttributeQuery requests are only allowed for interfederation IDPs.", null); + + } + + PVPTargetConfiguration config = new PVPTargetConfiguration(); + config.setRequest(moaRequest); + config.setOAURL(moaRequest.getEntityID()); + config.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI); + + return config; + } + + /** + * PreProcess Authn request + * @param request + * @param response + * @param moaRequest + * @return + * @throws Throwable + */ private IRequest preProcessAuthRequest(HttpServletRequest request, HttpServletResponse response, MOARequest moaRequest) throws Throwable { - RequestAbstractType samlReq = moaRequest.getSamlRequest(); + SignableXMLObject samlReq = moaRequest.getSamlRequest(); if(!(samlReq instanceof AuthnRequest)) { throw new MOAIDException("Unsupported request", new Object[] {}); @@ -398,6 +506,7 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { } /** + * PreProcess AuthResponse and Assertion * @param msg */ private MOAResponse preProcessAuthResponse(MOAResponse msg) { @@ -406,67 +515,29 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { try { if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { - List saml2assertions = new ArrayList(); - //check encrypted Assertion - List encryAssertionList = samlResp.getEncryptedAssertions(); - if (encryAssertionList != null && encryAssertionList.size() > 0) { - //decrypt assertions - - Logger.debug("Found encryped assertion. Start decryption ..."); - - X509Credential authDecCredential = CredentialProvider.getIDPAssertionEncryptionCredential(); - - StaticKeyInfoCredentialResolver skicr = - new StaticKeyInfoCredentialResolver(authDecCredential); - - ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(); - encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() ); - encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() ); - encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() ); - - Decrypter samlDecrypter = - new Decrypter(null, skicr, encryptedKeyResolver); - - for (EncryptedAssertion encAssertion : encryAssertionList) { - saml2assertions.add(samlDecrypter.decrypt(encAssertion)); - - } - - Logger.debug("Assertion decryption finished. "); - - } else { - saml2assertions = samlResp.getAssertions(); - - } + //validate PVP 2.1 assertion + SAMLVerificationEngine.validateAssertion(samlResp, true); + + msg.setSAMLMessage(SAML2Utils.asDOMDocument(samlResp).getDocumentElement()); + return msg; + + } else if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.NO_PASSIVE_URI)) { + Logger.info("Interfederation IDP has no valid Single Sign-On session. Starting local authentication ..."); - for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) { - - Conditions conditions = saml2assertion.getConditions(); - DateTime notbefore = conditions.getNotBefore(); - DateTime notafter = conditions.getNotOnOrAfter(); - if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) { - Logger.warn("PVP2 Assertion is out of Date"); - return null; - - } - - samlResp.getAssertions().clear(); - samlResp.getEncryptedAssertions().clear(); - samlResp.getAssertions().addAll(saml2assertions); - - msg.setSAMLMessage(samlResp.getDOM()); - return msg; - - } } + + } catch (IOException e) { + Logger.warn("Interfederation response marshaling FAILED.", e); - } catch (CredentialsNotAvailableException e) { - Logger.warn("Assertion decrypt FAILED - No Credentials", e); + } catch (MarshallingException e) { + Logger.warn("Interfederation response marshaling FAILED.", e); - } catch (DecryptionException e) { - Logger.warn("Assertion decrypt FAILED.", e); + } catch (TransformerException e) { + Logger.warn("Interfederation response marshaling FAILED.", e); + } catch (AssertionValidationExeption e) { + //error is already logged, to nothing } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java index 7946c7596..dafaf6279 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java @@ -39,6 +39,8 @@ public interface PVPConstants { public static final String STORK_QAA_1_3 = "http://www.stork.gov.eu/1.0/citizenQAALevel/3"; public static final String STORK_QAA_1_4 = "http://www.stork.gov.eu/1.0/citizenQAALevel/4"; + public static final String STORK_ATTRIBUTE_PREFIX = "http://www.stork.gov.eu/1.0/"; + public static final String URN_OID_PREFIX = "urn:oid:"; public static final String PVP_VERSION_OID = "1.2.40.0.10.2.1.1.261.10"; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java index 9cddb9a17..96e2bf7e9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java @@ -22,27 +22,40 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x; +import java.util.HashMap; import java.util.List; +import java.util.Map; +import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.impl.AuthnRequestImpl; +import org.opensaml.saml2.metadata.AttributeConsumingService; +import org.opensaml.saml2.metadata.RequestedAttribute; +import org.opensaml.saml2.metadata.SPSSODescriptor; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.RequestImpl; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; +import at.gv.egovernment.moa.logging.Logger; public class PVPTargetConfiguration extends RequestImpl { private static final long serialVersionUID = 4889919265919638188L; - MOARequest request; + InboundMessage request; String binding; String consumerURL; - public MOARequest getRequest() { + public InboundMessage getRequest() { return request; } - public void setRequest(MOARequest request) { + public void setRequest(InboundMessage request) { this.request = request; } @@ -68,7 +81,59 @@ public class PVPTargetConfiguration extends RequestImpl { */ @Override public List getRequestedAttributes() { - // TODO Auto-generated method stub - return null; + + Map reqAttr = new HashMap(); + for (String el : PVP2XProtocol.DEFAULTREQUESTEDATTRFORINTERFEDERATION) + reqAttr.put(el, ""); + + try { + OAAuthParameter oa = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(getOAURL()); + + SPSSODescriptor spSSODescriptor = getRequest().getEntityMetadata().getSPSSODescriptor(SAMLConstants.SAML20P_NS); + if (spSSODescriptor.getAttributeConsumingServices() != null && + spSSODescriptor.getAttributeConsumingServices().size() > 0) { + + Integer aIdx = null; + if (getRequest() instanceof MOARequest && + ((MOARequest)getRequest()).getSamlRequest() instanceof AuthnRequestImpl) { + AuthnRequestImpl authnRequest = (AuthnRequestImpl)((MOARequest)getRequest()).getSamlRequest(); + aIdx = authnRequest.getAttributeConsumingServiceIndex(); + + } else { + Logger.error("MOARequest is NOT of type AuthnRequest"); + } + + int idx = 0; + + AttributeConsumingService attributeConsumingService = null; + + if (aIdx != null) { + idx = aIdx.intValue(); + attributeConsumingService = spSSODescriptor + .getAttributeConsumingServices().get(idx); + + } else { + List attrConsumingServiceList = spSSODescriptor.getAttributeConsumingServices(); + for (AttributeConsumingService el : attrConsumingServiceList) { + if (el.isDefault()) + attributeConsumingService = el; + } + } + + for ( RequestedAttribute attr : attributeConsumingService.getRequestAttributes()) + reqAttr.put(attr.getName(), ""); + } + + return AttributQueryBuilder.buildSAML2AttributeList(oa, reqAttr.keySet().iterator()); + + } catch (NoMetadataInformationException e) { + Logger.warn("NO metadata found for Entity " + getRequest().getEntityID()); + return null; + + } catch (ConfigurationException e) { + Logger.error("Load configuration for OA " + getOAURL() + " FAILED", e); + return null; + } + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 645d15086..020055139 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -49,6 +49,7 @@ import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter; import org.opensaml.xml.security.x509.X509Credential; import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; @@ -189,7 +190,7 @@ public class PostBinding implements IDecoder, IEncoder { } public boolean handleDecode(String action, HttpServletRequest req) { - return (req.getMethod().equals("POST")); + return (req.getMethod().equals("POST") && action.equals(PVP2XProtocol.POST)); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java index ec24a2a0d..ec7c117b9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java @@ -22,6 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.binding; +import java.util.List; + import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -33,43 +35,64 @@ import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.ws.message.decoder.MessageDecodingException; import org.opensaml.ws.message.encoder.MessageEncodingException; +import org.opensaml.ws.soap.client.BasicSOAPMessageContext; +import org.opensaml.ws.soap.soap11.Envelope; import org.opensaml.ws.soap.soap11.decoder.http.HTTPSOAP11Decoder; import org.opensaml.ws.transport.http.HttpServletRequestAdapter; import org.opensaml.ws.transport.http.HttpServletResponseAdapter; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.credential.Credential; +import org.opensaml.xml.signature.SignableXMLObject; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.logging.Logger; public class SoapBinding implements IDecoder, IEncoder { public InboundMessageInterface decode(HttpServletRequest req, HttpServletResponse resp) throws MessageDecodingException, SecurityException, PVP2Exception { - HTTPSOAP11Decoder soapDecoder = new HTTPSOAP11Decoder(); - BasicSAMLMessageContext messageContext = - new BasicSAMLMessageContext(); + HTTPSOAP11Decoder soapDecoder = new HTTPSOAP11Decoder(new BasicParserPool()); + BasicSAMLMessageContext messageContext = + new BasicSAMLMessageContext(); messageContext .setInboundMessageTransport(new HttpServletRequestAdapter( req)); + soapDecoder.decode(messageContext); - - RequestAbstractType inboundMessage = (RequestAbstractType) messageContext + + Envelope inboundMessage = (Envelope) messageContext .getInboundMessage(); - MOARequest request = new MOARequest(inboundMessage); + if (inboundMessage.getBody() != null) { + List xmlElemList = inboundMessage.getBody().getUnknownXMLObjects(); + + if (!xmlElemList.isEmpty()) { + SignableXMLObject attrReq = (SignableXMLObject) xmlElemList.get(0); + MOARequest request = new MOARequest(attrReq); + + request.setVerified(false); + return request; + + } + } - return request; + Logger.error("Receive empty PVP 2.1 attributequery request."); + throw new AttributQueryException("Receive empty PVP 2.1 attributequery request.", null); } public boolean handleDecode(String action, HttpServletRequest req) { - return (action.equals(PVP2XProtocol.SOAP)); + return (req.getMethod().equals("POST") && + (action.equals(PVP2XProtocol.SOAP) || action.equals(PVP2XProtocol.ATTRIBUTEQUERY))); } public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java new file mode 100644 index 000000000..6296d102f --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java @@ -0,0 +1,185 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder; + +import java.util.ArrayList; +import java.util.Iterator; +import java.util.List; +import java.util.Set; + +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; + +import org.joda.time.DateTime; +import org.opensaml.Configuration; +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.AttributeQuery; +import org.opensaml.saml2.core.Issuer; +import org.opensaml.saml2.core.NameID; +import org.opensaml.saml2.core.Subject; +import org.opensaml.saml2.core.impl.AttributeQueryBuilder; +import org.opensaml.xml.io.Marshaller; +import org.opensaml.xml.io.MarshallingException; +import org.opensaml.xml.security.x509.X509Credential; +import org.opensaml.xml.signature.Signature; +import org.opensaml.xml.signature.SignatureConstants; +import org.opensaml.xml.signature.SignatureException; +import org.opensaml.xml.signature.Signer; +import org.w3c.dom.Document; + +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.SamlAttributeGenerator; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Constants; + +/** + * @author tlenz + * + */ +public class AttributQueryBuilder { + + public static List buildSAML2AttributeList(OAAuthParameter oa, Iterator iterator) { + + Logger.debug("Build OA specific Attributes for AttributQuery request"); + + List attrList = new ArrayList(); + + SamlAttributeGenerator generator = new SamlAttributeGenerator(); + + while(iterator.hasNext()) { + String rA = iterator.next(); + Attribute attr = PVPAttributeBuilder.buildEmptyAttribute(rA); + if (attr == null) { + Logger.warn("Attribut " + rA + " has no valid Name"); + + } else { + //add OA specific information + if (rA.equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) { + if (oa.getBusinessService()) + attr = generator.buildStringAttribute(attr.getFriendlyName(), + attr.getName(), oa.getIdentityLinkDomainIdentifier()); + else + attr = generator.buildStringAttribute(attr.getFriendlyName(), + attr.getName(), Constants.URN_PREFIX_CDID + "+" + oa.getTarget()); + } + + //TODO: add attribute values for SSO with mandates (ProfileList) + + + attrList.add(attr); + } + } + + return attrList; + } + + + public static AttributeQuery buildAttributQueryRequest(String nameID, + String endpoint, List requestedAttributes) throws AttributQueryException { + + + try { + + AttributeQuery query = new AttributeQueryBuilder().buildObject(); + + //set user nameID + Subject subject = SAML2Utils.createSAMLObject(Subject.class); + NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class); + subjectNameID.setValue(nameID); + subjectNameID.setFormat(NameID.TRANSIENT); + subject.setNameID(subjectNameID); + query.setSubject(subject); + + //set attributes + query.getAttributes().addAll(requestedAttributes); + + //set general request parameters + DateTime now = new DateTime(); + query.setIssueInstant(now); + + Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); + nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); + nissuer.setFormat(NameID.ENTITY); + query.setIssuer(nissuer); + + String sessionID = SAML2Utils.getSecureIdentifier(); + query.setID(sessionID); + + query.setDestination(endpoint); + + X509Credential idpSigningCredential = CredentialProvider.getIDPAssertionSigningCredential(); + + Signature signer = SAML2Utils.createSAMLObject(Signature.class); + signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1); + signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); + signer.setSigningCredential(idpSigningCredential); + query.setSignature(signer); + + DocumentBuilder builder; + DocumentBuilderFactory factory = DocumentBuilderFactory + .newInstance(); + + builder = factory.newDocumentBuilder(); + Document document = builder.newDocument(); + Marshaller out = Configuration.getMarshallerFactory() + .getMarshaller(query); + out.marshall(query, document); + + Signer.signObject(signer); + + return query; + + } catch (ConfigurationException e) { + Logger.error("Build AttributQuery Request FAILED.", e); + throw new AttributQueryException("Build AttributQuery Request FAILED.", null, e); + + } catch (CredentialsNotAvailableException e) { + Logger.error("Build AttributQuery Request FAILED.", e); + throw new AttributQueryException("Build AttributQuery Request FAILED.", null, e); + + } catch (ParserConfigurationException e) { + Logger.error("Build AttributQuery Request FAILED.", e); + throw new AttributQueryException("Build AttributQuery Request FAILED.", null, e); + + } catch (MarshallingException e) { + Logger.error("Build AttributQuery Request FAILED.", e); + throw new AttributQueryException("Build AttributQuery Request FAILED.", null, e); + + } catch (SignatureException e) { + Logger.error("Build AttributQuery Request FAILED.", e); + throw new AttributQueryException("Build AttributQuery Request FAILED.", null, e); + + } + + + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java new file mode 100644 index 000000000..4ef09184d --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java @@ -0,0 +1,152 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder; + +import java.util.ArrayList; +import java.util.Date; +import java.util.List; + +import org.joda.time.DateTime; +import org.opensaml.Configuration; +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.core.Assertion; +import org.opensaml.saml2.core.EncryptedAssertion; +import org.opensaml.saml2.core.Issuer; +import org.opensaml.saml2.core.NameID; +import org.opensaml.saml2.core.RequestAbstractType; +import org.opensaml.saml2.core.Response; +import org.opensaml.saml2.encryption.Encrypter; +import org.opensaml.saml2.encryption.Encrypter.KeyPlacement; +import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.security.MetadataCredentialResolver; +import org.opensaml.security.MetadataCriteria; +import org.opensaml.xml.encryption.EncryptionException; +import org.opensaml.xml.encryption.EncryptionParameters; +import org.opensaml.xml.encryption.KeyEncryptionParameters; +import org.opensaml.xml.security.CriteriaSet; +import org.opensaml.xml.security.SecurityException; +import org.opensaml.xml.security.credential.UsageType; +import org.opensaml.xml.security.criteria.EntityIDCriteria; +import org.opensaml.xml.security.criteria.UsageCriteria; +import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory; +import org.opensaml.xml.security.x509.X509Credential; + +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionEncryptionException; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class AuthResponseBuilder { + + public static Response buildResponse(RequestAbstractType req, DateTime date, Assertion assertion) throws InvalidAssertionEncryptionException, ConfigurationException { + Response authResponse = SAML2Utils.createSAMLObject(Response.class); + + Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); + + //change to entity value from entity name to IDP EntityID (URL) + nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); + nissuer.setFormat(NameID.ENTITY); + authResponse.setIssuer(nissuer); + authResponse.setInResponseTo(req.getID()); + + //set responseID + String remoteSessionID = SAML2Utils.getSecureIdentifier(); + authResponse.setID(remoteSessionID); + + + //SAML2 response required IssueInstant + authResponse.setIssueInstant(date); + + authResponse.setStatus(SAML2Utils.getSuccessStatus()); + + //check, if metadata includes an encryption key + MetadataCredentialResolver mdCredResolver = + new MetadataCredentialResolver(MOAMetadataProvider.getInstance()); + + CriteriaSet criteriaSet = new CriteriaSet(); + criteriaSet.add( new EntityIDCriteria(req.getIssuer().getValue()) ); + criteriaSet.add( new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS) ); + criteriaSet.add( new UsageCriteria(UsageType.ENCRYPTION) ); + + X509Credential encryptionCredentials = null; + try { + encryptionCredentials = (X509Credential) mdCredResolver.resolveSingle(criteriaSet); + + } catch (SecurityException e2) { + Logger.warn("Can not extract the Assertion Encryption-Key from metadata", e2); + throw new InvalidAssertionEncryptionException(); + + } + + boolean isEncryptionActive = AuthConfigurationProvider.getInstance().isPVP2AssertionEncryptionActive(); + if (encryptionCredentials != null && isEncryptionActive) { + //encrypt SAML2 assertion + + try { + + EncryptionParameters dataEncParams = new EncryptionParameters(); + dataEncParams.setAlgorithm(PVPConstants.DEFAULT_SYM_ENCRYPTION_METHODE); + + List keyEncParamList = new ArrayList(); + KeyEncryptionParameters keyEncParam = new KeyEncryptionParameters(); + + keyEncParam.setEncryptionCredential(encryptionCredentials); + keyEncParam.setAlgorithm(PVPConstants.DEFAULT_ASYM_ENCRYPTION_METHODE); + KeyInfoGeneratorFactory kigf = Configuration.getGlobalSecurityConfiguration() + .getKeyInfoGeneratorManager().getDefaultManager() + .getFactory(encryptionCredentials); + keyEncParam.setKeyInfoGenerator(kigf.newInstance()); + keyEncParamList.add(keyEncParam); + + Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList); + //samlEncrypter.setKeyPlacement(KeyPlacement.INLINE); + samlEncrypter.setKeyPlacement(KeyPlacement.PEER); + + EncryptedAssertion encryptAssertion = null; + + encryptAssertion = samlEncrypter.encrypt(assertion); + + authResponse.getEncryptedAssertions().add(encryptAssertion); + + } catch (EncryptionException e1) { + Logger.warn("Can not encrypt the PVP2 assertion", e1); + throw new InvalidAssertionEncryptionException(); + + } + + } else { + authResponse.getAssertions().add(assertion); + + } + + return authResponse; + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java index 57f01210d..8b6e71e6b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java @@ -170,6 +170,22 @@ public class PVPAttributeBuilder { return null; } + public static Attribute buildEmptyAttribute(String name) { + if (builders.containsKey(name)) { + return builders.get(name).buildEmpty(generator); + } + return null; + } + + public static Attribute buildAttribute(String name, String value) { + if (builders.containsKey(name)) { + return builders.get(name).buildEmpty(generator); + } + return null; + } + + + public static List buildSupportedEmptyAttributes() { List attributes = new ArrayList(); Iterator builderIt = builders.values().iterator(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index 5f16bcfce..79a1c3e0f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -23,6 +23,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion; import java.security.MessageDigest; +import java.util.ArrayList; import java.util.Iterator; import java.util.List; @@ -30,6 +31,7 @@ import org.joda.time.DateTime; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.AttributeQuery; import org.opensaml.saml2.core.AttributeStatement; import org.opensaml.saml2.core.Audience; import org.opensaml.saml2.core.AudienceRestriction; @@ -61,6 +63,7 @@ import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPers import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; @@ -79,13 +82,65 @@ import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.MiscUtil; public class PVP2AssertionBuilder implements PVPConstants { + + public static Assertion buildAssertion(AttributeQuery attrQuery, + List reqAttributes, IAuthData authData, DateTime date, String sessionIndex) throws ConfigurationException { + + + AuthnContextClassRef authnContextClassRef = SAML2Utils.createSAMLObject(AuthnContextClassRef.class); + authnContextClassRef.setAuthnContextClassRef(authData.getQAALevel()); + + List attrList = new ArrayList(); + if (reqAttributes != null) { + Iterator it = reqAttributes.iterator(); + while (it.hasNext()) { + String reqAttributName = it.next(); + try { + Attribute attr = PVPAttributeBuilder.buildAttribute( + reqAttributName, null, authData); + if (attr == null) { + Logger.error( + "Attribute generation failed! for " + + reqAttributName); + + } else { + attrList.add(attr); + + } + + } catch (PVP2Exception e) { + Logger.error( + "Attribute generation failed! for " + + reqAttributName); + + } catch (Exception e) { + Logger.error( + "General Attribute generation failed! for " + + reqAttributName); + + } + } + } + + + NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class); + subjectNameID.setFormat(attrQuery.getSubject().getNameID().getFormat()); + subjectNameID.setValue(attrQuery.getSubject().getNameID().getValue()); + + SubjectConfirmationData subjectConfirmationData = null; + + return buildGenericAssertion(attrQuery.getIssuer().getValue(), date, + authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex); + } + public static Assertion buildAssertion(AuthnRequest authnRequest, IAuthData authData, EntityDescriptor peerEntity, DateTime date, AssertionConsumerService assertionConsumerService, SLOInformationImpl sloInformation) throws MOAIDException { - Assertion assertion = SAML2Utils.createSAMLObject(Assertion.class); + RequestedAuthnContext reqAuthnContext = authnRequest .getRequestedAuthnContext(); @@ -149,29 +204,13 @@ public class PVP2AssertionBuilder implements PVPConstants { } } - AuthnContext authnContext = SAML2Utils - .createSAMLObject(AuthnContext.class); - authnContext.setAuthnContextClassRef(authnContextClassRef); - - AuthnStatement authnStatement = SAML2Utils - .createSAMLObject(AuthnStatement.class); - - String sessionIndex = SAML2Utils.getSecureIdentifier(); - authnStatement.setAuthnInstant(date); - authnStatement.setSessionIndex(sessionIndex); - authnStatement.setAuthnContext(authnContext); - assertion.getAuthnStatements().add(authnStatement); SPSSODescriptor spSSODescriptor = peerEntity .getSPSSODescriptor(SAMLConstants.SAML20P_NS); - - AttributeStatement attributeStatement = SAML2Utils - .createSAMLObject(AttributeStatement.class); - - Subject subject = SAML2Utils.createSAMLObject(Subject.class); - + //add Attributes to Assertion + List attrList = new ArrayList(); if (spSSODescriptor.getAttributeConsumingServices() != null && spSSODescriptor.getAttributeConsumingServices().size() > 0) { @@ -192,7 +231,7 @@ public class PVP2AssertionBuilder implements PVPConstants { attributeConsumingService = el; } } - + if (attributeConsumingService != null) { Iterator it = attributeConsumingService .getRequestAttributes().iterator(); @@ -207,7 +246,7 @@ public class PVP2AssertionBuilder implements PVPConstants { reqAttribut.getName()); } } else { - attributeStatement.getAttributes().add(attr); + attrList.add(attr); } } catch (PVP2Exception e) { Logger.error( @@ -231,13 +270,10 @@ public class PVP2AssertionBuilder implements PVPConstants { } } } - if (attributeStatement.getAttributes().size() > 0) { - assertion.getAttributeStatements().add(attributeStatement); - } NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class); - //TLenz: set correct bPK Type and Value from AuthData + //build nameID and nameID Format from moasession if (authData.isUseMandate()) { Element mandate = authData.getMandate(); if(mandate == null) { @@ -337,21 +373,68 @@ public class PVP2AssertionBuilder implements PVPConstants { } } else - subjectNameID.setFormat(nameIDFormat); - - - subject.setNameID(subjectNameID); - - SubjectConfirmation subjectConfirmation = SAML2Utils - .createSAMLObject(SubjectConfirmation.class); - subjectConfirmation.setMethod(SubjectConfirmation.METHOD_BEARER); + subjectNameID.setFormat(nameIDFormat); + + + String sessionIndex = null; + + //if request is a reauthentication and NameIDFormat match reuse old session information + if (MiscUtil.isNotEmpty(authData.getNameID()) && + MiscUtil.isNotEmpty(authData.getNameIDFormat()) && + nameIDFormat.equals(authData.getNameIDFormat())) { + subjectNameID.setValue(authData.getNameID()); + sessionIndex = authData.getSessionIndex(); + + } else + sessionIndex = SAML2Utils.getSecureIdentifier(); + SubjectConfirmationData subjectConfirmationData = SAML2Utils .createSAMLObject(SubjectConfirmationData.class); subjectConfirmationData.setInResponseTo(authnRequest.getID()); subjectConfirmationData.setNotOnOrAfter(date.plusMinutes(5)); subjectConfirmationData.setRecipient(assertionConsumerService.getLocation()); + + //set SLO information + sloInformation.setUserNameIdentifier(subjectNameID.getValue()); + sloInformation.setNameIDFormat(subjectNameID.getFormat()); + sloInformation.setSessionIndex(sessionIndex); + + return buildGenericAssertion(peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex); + } + + private static Assertion buildGenericAssertion(String entityID, DateTime date, + AuthnContextClassRef authnContextClassRef, List attrList, + NameID subjectNameID, SubjectConfirmationData subjectConfirmationData, + String sessionIndex) throws ConfigurationException { + Assertion assertion = SAML2Utils.createSAMLObject(Assertion.class); + + AuthnContext authnContext = SAML2Utils + .createSAMLObject(AuthnContext.class); + authnContext.setAuthnContextClassRef(authnContextClassRef); + + AuthnStatement authnStatement = SAML2Utils + .createSAMLObject(AuthnStatement.class); + + authnStatement.setAuthnInstant(date); + authnStatement.setSessionIndex(sessionIndex); + authnStatement.setAuthnContext(authnContext); + assertion.getAuthnStatements().add(authnStatement); + + AttributeStatement attributeStatement = SAML2Utils + .createSAMLObject(AttributeStatement.class); + attributeStatement.getAttributes().addAll(attrList); + if (attributeStatement.getAttributes().size() > 0) { + assertion.getAttributeStatements().add(attributeStatement); + } + + Subject subject = SAML2Utils.createSAMLObject(Subject.class); + subject.setNameID(subjectNameID); + + SubjectConfirmation subjectConfirmation = SAML2Utils + .createSAMLObject(SubjectConfirmation.class); + subjectConfirmation.setMethod(SubjectConfirmation.METHOD_BEARER); subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData); subject.getSubjectConfirmations().add(subjectConfirmation); @@ -361,7 +444,7 @@ public class PVP2AssertionBuilder implements PVPConstants { .createSAMLObject(AudienceRestriction.class); Audience audience = SAML2Utils.createSAMLObject(Audience.class); - audience.setAudienceURI(peerEntity.getEntityID()); + audience.setAudienceURI(entityID); audienceRestriction.getAudiences().add(audience); conditions.setNotBefore(date); @@ -380,11 +463,7 @@ public class PVP2AssertionBuilder implements PVPConstants { assertion.setSubject(subject); assertion.setID(SAML2Utils.getSecureIdentifier()); assertion.setIssueInstant(date); - - //set SLO information - sloInformation.setUserNameIdentifier(subjectNameID.getValue()); - sloInformation.setSessionIndex(sessionIndex); - return assertion; + return assertion; } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java index 6ad3017d1..9b85af9f8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIssuingNationAttributeBuilder.java @@ -22,15 +22,9 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; -import iaik.x509.X509Certificate; - -import javax.naming.ldap.LdapName; -import javax.naming.ldap.Rdn; - import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; -import at.gv.egovernment.moa.logging.Logger; public class EIDIssuingNationAttributeBuilder implements IPVPAttributeBuilder { @@ -40,37 +34,7 @@ public class EIDIssuingNationAttributeBuilder implements IPVPAttributeBuilder { public ATT build(OAAuthParameter oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - String countryCode = "AT"; - - - if (authData.getStorkAuthnRequest() != null) { - countryCode = authData.getStorkAuthnRequest() - .getCitizenCountryCode(); - - } else { - - try { - //TODO: replace with TSL lookup when TSL is ready! - X509Certificate certificate = new X509Certificate(authData.getSignerCertificate()); - - if (certificate != null) { - - LdapName ln = new LdapName(certificate.getIssuerDN() - .getName()); - for (Rdn rdn : ln.getRdns()) { - if (rdn.getType().equalsIgnoreCase("C")) { - Logger.info("C is: " + rdn.getValue()); - countryCode = rdn.getValue().toString(); - break; - } - } - } - - } catch (Exception e) { - Logger.error("Failed to extract country code from certificate", e); - - } - } + String countryCode = authData.getCcc(); return g.buildStringAttribute(EID_ISSUING_NATION_FRIENDLY_NAME, EID_ISSUING_NATION_NAME, countryCode); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java index 9a65157a4..04cc59b10 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDSTORKTOKEN.java @@ -22,10 +22,14 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; +import java.io.IOException; + import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.MiscUtil; public class EIDSTORKTOKEN implements IPVPAttributeBuilder { @@ -48,7 +52,14 @@ public class EIDSTORKTOKEN implements IPVPAttributeBuilder { throw new UnavailableAttributeException(EID_STORK_TOKEN_NAME); } else { - return g.buildStringAttribute(EID_STORK_TOKEN_FRIENDLY_NAME, EID_STORK_TOKEN_NAME, storkResponse); + try { + return g.buildStringAttribute(EID_STORK_TOKEN_FRIENDLY_NAME, EID_STORK_TOKEN_NAME, + Base64Utils.encode(storkResponse.getBytes())); + + } catch (IOException e) { + Logger.warn("Encode AuthBlock BASE64 failed.", e); + throw new UnavailableAttributeException(EID_STORK_TOKEN_NAME); + } } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java index c189d44a6..255fba093 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java @@ -52,6 +52,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.Contact; import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; @@ -72,6 +73,8 @@ public class PVPConfiguration { public static final String PVP2_METADATA = "/pvp2/metadata"; public static final String PVP2_REDIRECT = "/pvp2/redirect"; public static final String PVP2_POST = "/pvp2/post"; + public static final String PVP2_SOAP = "/pvp2/soap"; + public static final String PVP2_ATTRIBUTEQUERY = "/pvp2/attributequery"; public static final String PVP_CONFIG_FILE = "pvp2config.properties"; @@ -144,6 +147,14 @@ public class PVPConfiguration { return getIDPPublicPath() + PVP2_POST; } + public String getIDPSSOSOAPService() throws ConfigurationException { + return getIDPPublicPath() + PVP2_SOAP; + } + + public String getIDPAttributeQueryService() throws ConfigurationException { + return getIDPPublicPath() + PVP2_ATTRIBUTEQUERY; + } + public String getIDPSSORedirectService() throws ConfigurationException { return getIDPPublicPath() + PVP2_REDIRECT; } @@ -237,7 +248,7 @@ public class PVPConfiguration { public iaik.x509.X509Certificate getTrustEntityCertificate(String entityID) { try { - OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(entityID); + IOAAuthParameters oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(entityID); if (oaParam == null) { Logger.warn("Online Application with ID " + entityID + " not found!"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AssertionAttributeExtractorExeption.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AssertionAttributeExtractorExeption.java new file mode 100644 index 000000000..69ca4e8f5 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AssertionAttributeExtractorExeption.java @@ -0,0 +1,50 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; + +/** + * @author tlenz + * + */ +public class AssertionAttributeExtractorExeption extends PVP2Exception { + + /** + * + */ + private static final long serialVersionUID = -6459000942830951492L; + + public AssertionAttributeExtractorExeption(String attributeName) { + super("Parse PVP2.1 assertion FAILED: Attribute " + attributeName + + " can not extract.", null); + } + + public AssertionAttributeExtractorExeption(String messageId, + Object[] parameters) { + super(messageId, parameters); + } + + public AssertionAttributeExtractorExeption() { + super("Parse PVP2.1 assertion FAILED. Interfederation not possible", null); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AssertionValidationExeption.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AssertionValidationExeption.java new file mode 100644 index 000000000..fcd8472b1 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AssertionValidationExeption.java @@ -0,0 +1,49 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; + +import at.gv.egovernment.moa.id.config.ConfigurationException; + +/** + * @author tlenz + * + */ +public class AssertionValidationExeption extends PVP2Exception { + + private static final long serialVersionUID = -3987805399122286259L; + + public AssertionValidationExeption(String messageId, Object[] parameters) { + super(messageId, parameters); + } + + /** + * @param string + * @param object + * @param e + */ + public AssertionValidationExeption(String string, Object[] parameters, + Throwable e) { + super(string, parameters, e); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AttributQueryException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AttributQueryException.java new file mode 100644 index 000000000..9008a7183 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AttributQueryException.java @@ -0,0 +1,44 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; + +/** + * @author tlenz + * + */ +public class AttributQueryException extends PVP2Exception { + + /** + * + */ + private static final long serialVersionUID = -4302422507173728748L; + + public AttributQueryException(String messageId, Object[] parameters) { + super(messageId, parameters); + } + + public AttributQueryException(String messageId, Object[] parameters, Throwable e) { + super(messageId, parameters, e); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOARequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOARequest.java index 75442ebb6..f2f8f0a23 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOARequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOARequest.java @@ -28,6 +28,7 @@ import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.xml.io.Unmarshaller; import org.opensaml.xml.io.UnmarshallerFactory; import org.opensaml.xml.io.UnmarshallingException; +import org.opensaml.xml.signature.SignableXMLObject; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.logging.Logger; @@ -36,17 +37,17 @@ public class MOARequest extends InboundMessage{ private static final long serialVersionUID = 8613921176727607896L; - public MOARequest(RequestAbstractType inboundMessage) { + public MOARequest(SignableXMLObject inboundMessage) { setSAMLMessage(inboundMessage.getDOM()); } - public RequestAbstractType getSamlRequest() { + public SignableXMLObject getSamlRequest() { UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory(); Unmarshaller unmashaller = unmarshallerFactory.getUnmarshaller(getInboundMessage()); try { - return (RequestAbstractType) unmashaller.unmarshall(getInboundMessage()); + return (SignableXMLObject) unmashaller.unmarshall(getInboundMessage()); } catch (UnmarshallingException e) { Logger.warn("AuthnRequest Unmarshaller error", e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/ArtifactResolution.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/ArtifactResolution.java index a1bf92592..303fc2924 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/ArtifactResolution.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/ArtifactResolution.java @@ -34,6 +34,7 @@ import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPAssertionStorage; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.SoapBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.RequestDeniedException; @@ -42,18 +43,18 @@ import at.gv.egovernment.moa.logging.Logger; public class ArtifactResolution implements IRequestHandler { - public boolean handleObject(MOARequest obj) { - return (obj.getSamlRequest() instanceof ArtifactResolve); + public boolean handleObject(InboundMessage obj) { + return (obj instanceof MOARequest && + ((MOARequest)obj).getSamlRequest() instanceof ArtifactResolve); } - public SLOInformationInterface process(MOARequest obj, HttpServletRequest req, + public SLOInformationInterface process(InboundMessage obj, HttpServletRequest req, HttpServletResponse resp, IAuthData authData) throws MOAIDException { if (!handleObject(obj)) { throw new MOAIDException("pvp2.13", null); } - - ArtifactResolve artifactResolve = (ArtifactResolve) obj - .getSamlRequest(); + + ArtifactResolve artifactResolve = (ArtifactResolve) ((MOARequest)obj).getSamlRequest(); String artifactID = artifactResolve.getArtifact().getArtifact(); PVPAssertionStorage pvpAssertion = PVPAssertionStorage.getInstance(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java index c5f73a59f..ca5210d21 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java @@ -22,74 +22,55 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler; -import java.util.ArrayList; -import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.joda.time.DateTime; -import org.opensaml.Configuration; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.AuthnRequest; -import org.opensaml.saml2.core.EncryptedAssertion; -import org.opensaml.saml2.core.Issuer; -import org.opensaml.saml2.core.NameID; import org.opensaml.saml2.core.Response; -import org.opensaml.saml2.encryption.Encrypter; -import org.opensaml.saml2.encryption.Encrypter.KeyPlacement; import org.opensaml.saml2.metadata.AssertionConsumerService; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.security.MetadataCredentialResolver; -import org.opensaml.security.MetadataCriteria; import org.opensaml.ws.message.encoder.MessageEncodingException; -import org.opensaml.xml.encryption.EncryptionException; -import org.opensaml.xml.encryption.EncryptionParameters; -import org.opensaml.xml.encryption.KeyEncryptionParameters; -import org.opensaml.xml.security.CriteriaSet; import org.opensaml.xml.security.SecurityException; -import org.opensaml.xml.security.credential.UsageType; -import org.opensaml.xml.security.criteria.EntityIDCriteria; -import org.opensaml.xml.security.criteria.UsageCriteria; -import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory; -import org.opensaml.xml.security.x509.X509Credential; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; -import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.ArtifactBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AuthResponseBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionEncryptionException; -import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; public class AuthnRequestHandler implements IRequestHandler, PVPConstants { - public boolean handleObject(MOARequest obj) { - return (obj.getSamlRequest() instanceof AuthnRequest); + public boolean handleObject(InboundMessage obj) { + + return (obj instanceof MOARequest && + ((MOARequest)obj).getSamlRequest() instanceof AuthnRequest); } - public SLOInformationInterface process(MOARequest obj, HttpServletRequest req, + public SLOInformationInterface process(InboundMessage obj, HttpServletRequest req, HttpServletResponse resp, IAuthData authData) throws MOAIDException { if (!handleObject(obj)) { throw new MOAIDException("pvp2.13", null); } - + //get basic information - AuthnRequest authnRequest = (AuthnRequest) obj.getSamlRequest(); + MOARequest moaRequest = (MOARequest) obj; + AuthnRequest authnRequest = (AuthnRequest) moaRequest.getSamlRequest(); EntityDescriptor peerEntity = obj.getEntityMetadata(); SPSSODescriptor spSSODescriptor = peerEntity .getSPSSODescriptor(SAMLConstants.SAML20P_NS); @@ -121,88 +102,8 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { Assertion assertion = PVP2AssertionBuilder.buildAssertion(authnRequest, authData, peerEntity, date, consumerService, sloInformation); - Response authResponse = SAML2Utils.createSAMLObject(Response.class); - - Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); - - //change to entity value from entity name to IDP EntityID (URL) - nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); - nissuer.setFormat(NameID.ENTITY); - authResponse.setIssuer(nissuer); - authResponse.setInResponseTo(authnRequest.getID()); - - //set responseID - String remoteSessionID = SAML2Utils.getSecureIdentifier(); - authResponse.setID(remoteSessionID); - - - //SAML2 response required IssueInstant - authResponse.setIssueInstant(date); - - authResponse.setStatus(SAML2Utils.getSuccessStatus()); - - String oaURL = consumerService.getLocation(); - - //check, if metadata includes an encryption key - MetadataCredentialResolver mdCredResolver = - new MetadataCredentialResolver(MOAMetadataProvider.getInstance()); - - CriteriaSet criteriaSet = new CriteriaSet(); - criteriaSet.add( new EntityIDCriteria(obj.getSamlRequest().getIssuer().getValue()) ); - criteriaSet.add( new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS) ); - criteriaSet.add( new UsageCriteria(UsageType.ENCRYPTION) ); - - X509Credential encryptionCredentials = null; - try { - encryptionCredentials = (X509Credential) mdCredResolver.resolveSingle(criteriaSet); - - } catch (SecurityException e2) { - Logger.warn("Can not extract the Assertion Encryption-Key from metadata", e2); - throw new InvalidAssertionEncryptionException(); - - } - - boolean isEncryptionActive = AuthConfigurationProvider.getInstance().isPVP2AssertionEncryptionActive(); - if (encryptionCredentials != null && isEncryptionActive) { - //encrypt SAML2 assertion - - try { - - EncryptionParameters dataEncParams = new EncryptionParameters(); - dataEncParams.setAlgorithm(PVPConstants.DEFAULT_SYM_ENCRYPTION_METHODE); - - List keyEncParamList = new ArrayList(); - KeyEncryptionParameters keyEncParam = new KeyEncryptionParameters(); - - keyEncParam.setEncryptionCredential(encryptionCredentials); - keyEncParam.setAlgorithm(PVPConstants.DEFAULT_ASYM_ENCRYPTION_METHODE); - KeyInfoGeneratorFactory kigf = Configuration.getGlobalSecurityConfiguration() - .getKeyInfoGeneratorManager().getDefaultManager() - .getFactory(encryptionCredentials); - keyEncParam.setKeyInfoGenerator(kigf.newInstance()); - keyEncParamList.add(keyEncParam); - - Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList); - //samlEncrypter.setKeyPlacement(KeyPlacement.INLINE); - samlEncrypter.setKeyPlacement(KeyPlacement.PEER); - - EncryptedAssertion encryptAssertion = null; - - encryptAssertion = samlEncrypter.encrypt(assertion); - - authResponse.getEncryptedAssertions().add(encryptAssertion); - - } catch (EncryptionException e1) { - Logger.warn("Can not encrypt the PVP2 assertion", e1); - throw new InvalidAssertionEncryptionException(); - - } - - } else { - authResponse.getAssertions().add(assertion); - - } - + Response authResponse = AuthResponseBuilder.buildResponse(authnRequest, date, assertion); + IEncoder binding = null; if (consumerService.getBinding().equals( @@ -223,32 +124,21 @@ public class AuthnRequestHandler implements IRequestHandler, PVPConstants { if (binding == null) { throw new BindingNotSupportedException(consumerService.getBinding()); } - + try { - binding.encodeRespone(req, resp, authResponse, oaURL, obj.getRelayState()); - // TODO add remoteSessionID to AuthSession ExternalPVPSessionStore - -// Logger logger = new Logger(); -// logger.debug("Redirect Binding Request = " + PrettyPrinter.prettyPrint(SAML2Utils.asDOMDocument(authResponse))); - - + binding.encodeRespone(req, resp, authResponse, + consumerService.getLocation(), obj.getRelayState()); + return sloInformation; } catch (MessageEncodingException e) { Logger.error("Message Encoding exception", e); throw new MOAIDException("pvp2.01", null, e); + } catch (SecurityException e) { Logger.error("Security exception", e); throw new MOAIDException("pvp2.01", null, e); -// } catch (TransformerException e) { -// Logger.error("Security exception", e); -// throw new MOAIDException("pvp2.01", null, e); -// } catch (IOException e) { -// Logger.error("Security exception", e); -// throw new MOAIDException("pvp2.01", null, e); -// } catch (MarshallingException e) { -// Logger.error("Security exception", e); -// throw new MOAIDException("pvp2.01", null, e); + } } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java index fb4f5134f..d1ae0b202 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java @@ -28,11 +28,12 @@ import javax.servlet.http.HttpServletResponse; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; public interface IRequestHandler { - public boolean handleObject(MOARequest obj); + public boolean handleObject(InboundMessage obj); - public SLOInformationInterface process(MOARequest obj, HttpServletRequest req, + public SLOInformationInterface process(InboundMessage obj, HttpServletRequest req, HttpServletResponse resp, IAuthData authData) throws MOAIDException; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java index 563712907..5b9bf940d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java @@ -33,6 +33,7 @@ import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSupported; @@ -55,7 +56,7 @@ public class RequestManager { handler.add(new ArtifactResolution()); } - public SLOInformationInterface handle(MOARequest obj, HttpServletRequest req, HttpServletResponse resp, IAuthData authData) + public SLOInformationInterface handle(InboundMessage obj, HttpServletRequest req, HttpServletResponse resp, IAuthData authData) throws SAMLRequestNotSupported, MOAIDException { Iterator it = handler.iterator(); while(it.hasNext()) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java index b52e37e06..9d57c2bae 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java @@ -38,6 +38,8 @@ import org.opensaml.saml2.core.Status; import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.metadata.AssertionConsumerService; import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.ws.soap.soap11.Body; +import org.opensaml.ws.soap.soap11.Envelope; import org.opensaml.xml.XMLObject; import org.opensaml.xml.XMLObjectBuilderFactory; import org.opensaml.xml.io.Marshaller; @@ -115,4 +117,15 @@ public class SAML2Utils { return 0; } + + public static Envelope buildSOAP11Envelope(XMLObject payload) { + XMLObjectBuilderFactory bf = Configuration.getBuilderFactory(); + Envelope envelope = (Envelope) bf.getBuilder(Envelope.DEFAULT_ELEMENT_NAME).buildObject(Envelope.DEFAULT_ELEMENT_NAME); + Body body = (Body) bf.getBuilder(Body.DEFAULT_ELEMENT_NAME).buildObject(Body.DEFAULT_ELEMENT_NAME); + + body.getUnknownXMLObjects().add(payload); + envelope.setBody(body); + + return envelope; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java index e4ae01066..fde453920 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java @@ -22,30 +22,52 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.verification; +import java.util.ArrayList; +import java.util.List; + +import org.joda.time.DateTime; import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.core.Conditions; +import org.opensaml.saml2.core.EncryptedAssertion; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.Response; +import org.opensaml.saml2.core.StatusCode; +import org.opensaml.saml2.encryption.Decrypter; +import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver; import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.security.MetadataCriteria; import org.opensaml.security.SAMLSignatureProfileValidator; +import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver; +import org.opensaml.xml.encryption.DecryptionException; +import org.opensaml.xml.encryption.InlineEncryptedKeyResolver; +import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver; import org.opensaml.xml.security.CriteriaSet; import org.opensaml.xml.security.credential.UsageType; import org.opensaml.xml.security.criteria.EntityIDCriteria; import org.opensaml.xml.security.criteria.UsageCriteria; +import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver; +import org.opensaml.xml.security.x509.X509Credential; import org.opensaml.xml.signature.SignatureTrustEngine; import org.opensaml.xml.validation.ValidationException; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.logging.Logger; public class SAMLVerificationEngine { public void verify(InboundMessage msg, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception { - if (msg instanceof MOARequest) - verifyRequest(((MOARequest)msg).getSamlRequest(), sigTrustEngine); + if (msg instanceof MOARequest && + ((MOARequest)msg).getSamlRequest() instanceof RequestAbstractType) + verifyRequest(((RequestAbstractType)((MOARequest)msg).getSamlRequest()), sigTrustEngine); else verifyResponse(((MOAResponse)msg).getResponse(), sigTrustEngine); @@ -102,4 +124,88 @@ public class SAMLVerificationEngine { } } + public static void validateAssertion(Response samlResp, boolean validateDestination) throws AssertionValidationExeption { + try { + if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { + List saml2assertions = new ArrayList(); + + if (validateDestination && !samlResp.getDestination().startsWith( + PVPConfiguration.getInstance().getIDPPublicPath())) { + Logger.warn("PVP 2.1 assertion destination does not match to IDP URL"); + throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null); + + } + + //check encrypted Assertion + List encryAssertionList = samlResp.getEncryptedAssertions(); + if (encryAssertionList != null && encryAssertionList.size() > 0) { + //decrypt assertions + + Logger.debug("Found encryped assertion. Start decryption ..."); + + X509Credential authDecCredential = CredentialProvider.getIDPAssertionEncryptionCredential(); + + StaticKeyInfoCredentialResolver skicr = + new StaticKeyInfoCredentialResolver(authDecCredential); + + ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(); + encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() ); + encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() ); + encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() ); + + Decrypter samlDecrypter = + new Decrypter(null, skicr, encryptedKeyResolver); + + for (EncryptedAssertion encAssertion : encryAssertionList) { + saml2assertions.add(samlDecrypter.decrypt(encAssertion)); + + } + + Logger.debug("Assertion decryption finished. "); + + } else { + saml2assertions.addAll(samlResp.getAssertions()); + + } + + for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) { + + Conditions conditions = saml2assertion.getConditions(); + DateTime notbefore = conditions.getNotBefore(); + DateTime notafter = conditions.getNotOnOrAfter(); + if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) { + Logger.warn("PVP2 Assertion is out of Date"); + saml2assertions.remove(saml2assertion); + + } + } + + if (saml2assertions.isEmpty()) { + Logger.info("No valid PVP 2.1 assertion received."); + throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null); + } + + samlResp.getAssertions().clear(); + samlResp.getEncryptedAssertions().clear(); + samlResp.getAssertions().addAll(saml2assertions); + + } else { + Logger.info("PVP 2.1 assertion includes an error. Receive errorcode " + + samlResp.getStatus().getStatusCode().getValue()); + throw new AssertionValidationExeption("PVP 2.1 assertion includes an error. Receive errorcode " + + samlResp.getStatus().getStatusCode().getValue(), null); + } + + } catch (CredentialsNotAvailableException e) { + Logger.warn("Assertion decrypt FAILED - No Credentials", e); + throw new AssertionValidationExeption("Assertion decrypt FAILED - No Credentials", null, e); + + } catch (DecryptionException e) { + Logger.warn("Assertion decrypt FAILED.", e); + throw new AssertionValidationExeption("Assertion decrypt FAILED.", null, e); + + } catch (ConfigurationException e) { + throw new AssertionValidationExeption("pvp.12", null, e); + } + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java index 6ce647ff8..67f780b3a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java @@ -80,7 +80,7 @@ public class GetArtifactAction implements IAction { String samlArtifactBase64 = saml1server.BuildSAMLArtifact(oaParam, authData, sourceID); if (authData.isSsoSession()) { - String url = "RedirectServlet"; + String url = AuthConfigurationProvider.getInstance().getPublicURLPrefix() + "/RedirectServlet"; url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(oaURL, "UTF-8")); if (!oaParam.getBusinessService()) url = addURLParameter(url, PARAM_TARGET, URLEncoder.encode(oaParam.getTarget(), "UTF-8")); @@ -109,7 +109,7 @@ public class GetArtifactAction implements IAction { } SLOInformationInterface sloInformation = - new SLOInformationImpl(authData.getAssertionID(), null, req.requestedModule()); + new SLOInformationImpl(authData.getAssertionID(), null, null, req.requestedModule()); return sloInformation; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationData.java index 7569eef84..d48c0a9bb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationData.java @@ -46,9 +46,7 @@ package at.gv.egovernment.moa.id.protocols.saml1; -import java.text.DateFormat; import java.text.ParseException; -import java.text.SimpleDateFormat; import java.util.List; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index b6a2ac0b6..7b106b206 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java @@ -23,12 +23,15 @@ package at.gv.egovernment.moa.id.protocols.saml1; import java.util.HashMap; +import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang.StringEscapeUtils; +import edu.emory.mathcs.backport.java.util.Arrays; + import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; @@ -41,7 +44,7 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IModulInfo; import at.gv.egovernment.moa.id.moduls.IRequest; -import at.gv.egovernment.moa.id.moduls.RequestImpl; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -54,8 +57,23 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { public static final String GETARTIFACT = "GetArtifact"; - private static HashMap actions = new HashMap(); + @SuppressWarnings("unchecked") + public static final List DEFAULTREQUESTEDATTRFORINTERFEDERATION = Arrays.asList( + new String[] { + PVPConstants.BPK_NAME, + PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME, + PVPConstants.GIVEN_NAME_NAME, + PVPConstants.PRINCIPAL_NAME_NAME, + PVPConstants.BIRTHDATE_NAME, + PVPConstants.EID_CCS_URL_NAME, + PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME, + PVPConstants.EID_IDENTITY_LINK_NAME, + PVPConstants.EID_SOURCE_PIN_NAME, + PVPConstants.EID_SOURCE_PIN_TYPE_NAME + }); + private static HashMap actions = new HashMap(); + static { actions.put(GETARTIFACT, new GetArtifactAction()); @@ -143,6 +161,9 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { config.setTarget(oaParam.getTarget()); + //config.setRequestedIDP("https://demo.egiz.gv.at/demoportal_moaid-2.0"); + config.setRequestedIDP("https://labda.iaik.tugraz.at:8443/moa-id-auth"); + // request.getSession().setAttribute(PARAM_OA, oaURL); // request.getSession().setAttribute(PARAM_TARGET, oaParam.getTarget()); return config; @@ -157,7 +178,7 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { String samlArtifactBase64 = saml1authentication.BuildErrorAssertion(e, protocolRequest); - String url = "RedirectServlet"; + String url = AuthConfigurationProvider.getInstance().getPublicURLPrefix() + "/RedirectServlet"; url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(protocolRequest.getOAURL(), "UTF-8")); url = addURLParameter(url, PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8")); url = response.encodeRedirectURL(url); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java index dc5e715c9..9bf88534f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java @@ -22,11 +22,19 @@ */ package at.gv.egovernment.moa.id.protocols.saml1; +import java.util.ArrayList; import java.util.List; import org.opensaml.saml2.core.Attribute; +import at.gv.egovernment.moa.id.commons.db.dao.config.OASAML1; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.RequestImpl; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; +import at.gv.egovernment.moa.logging.Logger; /** * @author tlenz @@ -57,8 +65,32 @@ public class SAML1RequestImpl extends RequestImpl { */ @Override public List getRequestedAttributes() { - //TODO: implement attribut mapping - return null; + + List reqAttr = new ArrayList(); + reqAttr.addAll(SAML1Protocol.DEFAULTREQUESTEDATTRFORINTERFEDERATION); + + try { + OAAuthParameter oa = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(getOAURL()); + OASAML1 saml1 = oa.getSAML1Parameter(); + if (saml1 != null) { + if (saml1.isProvideAUTHBlock()) + reqAttr.add(PVPConstants.EID_AUTH_BLOCK_NAME); + + if (saml1.isProvideCertificate()) + reqAttr.add(PVPConstants.EID_SIGNER_CERTIFICATE_NAME); + + if (saml1.isProvideFullMandatorData()) + reqAttr.add(PVPConstants.MANDATE_FULL_MANDATE_NAME); + } + + return AttributQueryBuilder.buildSAML2AttributeList(oa, reqAttr.iterator()); + + } catch (ConfigurationException e) { + Logger.error("Load configuration for OA " + getOAURL() + " FAILED", e); + return null; + } + + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java index 75f40c89e..2b5879901 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java @@ -85,7 +85,7 @@ public class AttributeCollector implements IAction { SLOInformationImpl sloInfo = (SLOInformationImpl) processRequest(container, httpReq, httpResp, authData, oaParam); if (sloInfo == null) { - sloInfo = new SLOInformationImpl(null, null, req.requestedModule()); + sloInfo = new SLOInformationImpl(null, null, null, req.requestedModule()); } return sloInfo; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java index a3996d52b..3ac71be3b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java @@ -4,6 +4,7 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; @@ -160,7 +161,7 @@ public class AuthenticationRequest implements IAction { } - public PersonalAttributeList populateAttributes(OAAuthParameter oaParam) { + public PersonalAttributeList populateAttributes(IOAAuthParameters oaParam) { IPersonalAttributeList attrLst = moaStorkRequest.getStorkAuthnRequest().getPersonalAttributeList(); Logger.info("Found " + attrLst.size() + " personal attributes in the request."); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java index 06e6a9038..d827e73cf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java @@ -7,7 +7,7 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; @@ -78,7 +78,7 @@ public class ConsentEvaluator implements IAction { * @return the string * @throws MOAIDException the mOAID exception */ - public String requestConsent(DataContainer container, HttpServletResponse response, OAAuthParameter oaParam) throws MOAIDException { + public String requestConsent(DataContainer container, HttpServletResponse response, IOAAuthParameters oaParam) throws MOAIDException { // prepare redirect String newArtifactId; try { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java index bc9de7a50..890ec9f0d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AssertionStorage.java @@ -208,7 +208,7 @@ public class AssertionStorage { synchronized (session) { session.beginTransaction(); Query query = session.getNamedQuery("getAssertionWithArtifact"); - query.setString("artifact", artifact); + query.setParameter("artifact", artifact); result = query.list(); //send transaction diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index e18d9786d..2ee4327dc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -27,6 +27,7 @@ import java.util.Date; import java.util.List; import org.apache.commons.lang.SerializationUtils; +import org.apache.commons.lang.StringEscapeUtils; import org.hibernate.HibernateException; import org.hibernate.Query; import org.hibernate.Session; @@ -113,10 +114,13 @@ public class AuthenticationSessionStoreage { public static String createInterfederatedSession(IRequest req, boolean isAuthenticated) throws MOADatabaseException, AssertionAttributeExtractorExeption { String id = Random.nextRandom(); AuthenticationSession session = new AuthenticationSession(id); + session.setAuthenticated(true); + session.setAuthenticatedUsed(false); AuthenticatedSessionStore dbsession = new AuthenticatedSessionStore(); dbsession.setSessionid(id); dbsession.setAuthenticated(isAuthenticated); + dbsession.setInterfederatedSSOSession(true); //set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1 Date now = new Date(); @@ -127,20 +131,37 @@ public class AuthenticationSessionStoreage { //add interfederation information List idpList = dbsession.getInderfederation(); - if (idpList == null) + InterfederationSessionStore idp = null; + if (idpList == null) { idpList = new ArrayList(); - - InterfederationSessionStore idp = new InterfederationSessionStore(); - idp.setCreated(now); - idp.setIdpurlprefix(req.getInterfederationResponse().getEntityID()); + dbsession.setInderfederation(idpList); + + } else { + for (InterfederationSessionStore el : idpList) { + //resue old entry if interfederation IDP is reused for authentication + if (el.getIdpurlprefix().equals(req.getInterfederationResponse().getEntityID())) + idp = el; + + } + } + + //create new interfederation IDP entry + if (idp == null) { + idp = new InterfederationSessionStore(); + idp.setCreated(now); + idp.setIdpurlprefix(req.getInterfederationResponse().getEntityID()); + + } AssertionAttributeExtractor extract = new AssertionAttributeExtractor(req.getInterfederationResponse().getResponse()); idp.setSessionIndex(extract.getSessionIndex()); idp.setUserNameID(extract.getNameID()); idp.setAttributesRequested(false); idp.setQAALevel(extract.getQAALevel()); + idp.setMoasession(dbsession); idpList.add(idp); + //store AssertionStore element to Database try { MOASessionDBUtils.saveOrUpdate(dbsession); @@ -153,28 +174,7 @@ public class AuthenticationSessionStoreage { return id; } - - public static void setInterfederationAttributCollectorUsed(AuthenticationSession session, String idpID) throws MOADatabaseException { - AuthenticatedSessionStore dbsession = searchInDatabase(session.getSessionID()); - List idpList = dbsession.getInderfederation(); - for (InterfederationSessionStore idp : idpList) { - if (idp.getIdpurlprefix().endsWith(idpID)) - idp.setAttributesRequested(true); - } - //store AssertionStore element to Database - try { - MOASessionDBUtils.saveOrUpdate(dbsession); - Logger.info("MOASession with sessionID=" + session.getSessionID() - + " is stored in Database"); - - } catch (MOADatabaseException e) { - Logger.warn("MOASession could not stored.",e); - throw e; - } - } - - public static void storeSession(AuthenticationSession session) throws MOADatabaseException, BuildException { try { @@ -234,7 +234,7 @@ public class AuthenticationSessionStoreage { session.beginTransaction(); Query query = session.getNamedQuery("getSessionWithID"); - query.setString("sessionid", moaSessionID); + query.setParameter("sessionid", moaSessionID); result = query.list(); @@ -308,7 +308,7 @@ public class AuthenticationSessionStoreage { tx = session.beginTransaction(); Query query = session.getNamedQuery("getSessionWithID"); - query.setString("sessionid", moaSessionID); + query.setParameter("sessionid", moaSessionID); result = query.list(); @@ -344,7 +344,10 @@ public class AuthenticationSessionStoreage { if (SLOInfo != null) { activeOA.setAssertionSessionID(SLOInfo.getSessionIndex()); activeOA.setUserNameID(SLOInfo.getUserNameIdentifier()); + activeOA.setUserNameIDFormat(SLOInfo.getUserNameIDFormat()); activeOA.setProtocolType(SLOInfo.getProtocolType()); + activeOA.setAttributeQueryUsed(false); + } @@ -436,7 +439,7 @@ public class AuthenticationSessionStoreage { synchronized (session) { session.beginTransaction(); Query query = session.getNamedQuery("getSessionWithSSOID"); - query.setString("sessionid", SSOSessionID); + query.setParameter("sessionid", SSOSessionID); result = query.list(); //send transaction @@ -457,7 +460,7 @@ public class AuthenticationSessionStoreage { } - public static boolean isValidSessionWithSSOID(String SSOId, String moaSessionId) { + public static AuthenticatedSessionStore isValidSessionWithSSOID(String SSOId, String moaSessionId) { MiscUtil.assertNotNull(SSOId, "SSOSessionID"); Logger.trace("Get authenticated session with SSOID " + SSOId + " from database."); @@ -468,7 +471,7 @@ public class AuthenticationSessionStoreage { synchronized (session) { session.beginTransaction(); Query query = session.getNamedQuery("getSessionWithSSOID"); - query.setString("sessionid", SSOId); + query.setParameter("sessionid", SSOId); result = query.list(); //send transaction @@ -480,10 +483,10 @@ public class AuthenticationSessionStoreage { //Assertion requires an unique artifact if (result.size() != 1) { Logger.trace("No entries found."); - return false; + return null; } else { - return true; + return result.get(0); } } @@ -498,7 +501,7 @@ public class AuthenticationSessionStoreage { synchronized (session) { session.beginTransaction(); Query query = session.getNamedQuery("getSessionWithPendingRequestID"); - query.setString("sessionid", id); + query.setParameter("sessionid", id); result = query.list(); //send transaction @@ -532,6 +535,48 @@ public class AuthenticationSessionStoreage { } + + public static AuthenticationSession getSessionWithUserNameID(String nameID) { + + try { + MiscUtil.assertNotNull(nameID, "nameID"); + Logger.trace("Get authenticated session with pedingRequestID " + nameID + " from database."); + Session session = MOASessionDBUtils.getCurrentSession(); + + List result; + + synchronized (session) { + session.beginTransaction(); + Query query = session.getNamedQuery("getMOAISessionWithUserNameID"); + query.setParameter("usernameid", StringEscapeUtils.escapeHtml(nameID)); + result = query.list(); + + //send transaction + session.getTransaction().commit(); + } + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() != 1) { + Logger.trace("No entries found."); + return null; + } + + //decrypt Session + EncryptedData encdata = new EncryptedData(result.get(0).getSession(), + result.get(0).getIv()); + byte[] decrypted = SessionEncrytionUtil.decrypt(encdata); + return (AuthenticationSession) SerializationUtils.deserialize(decrypted); + + + } catch (Throwable e) { + Logger.warn("MOASession deserialization-exception by using MOASessionID=" + nameID); + return null; + } + + } + public static AuthenticationSession getSessionWithPendingRequestID(String pedingRequestID) { try { @@ -544,7 +589,7 @@ public class AuthenticationSessionStoreage { synchronized (session) { session.beginTransaction(); Query query = session.getNamedQuery("getSessionWithPendingRequestID"); - query.setString("sessionid", pedingRequestID); + query.setParameter("sessionid", pedingRequestID); result = query.list(); //send transaction @@ -622,6 +667,129 @@ public class AuthenticationSessionStoreage { } + public static OASessionStore searchActiveOASSOSession(AuthenticationSession moaSession, String oaID, String protocolType) { + MiscUtil.assertNotNull(moaSession, "MOASession"); + MiscUtil.assertNotNull(oaID, "OnlineApplicationIdentifier"); + MiscUtil.assertNotNull(protocolType, "usedProtocol"); + Logger.trace("Get active OnlineApplication for sessionID " + moaSession.getSessionID() + " with OAID " + + oaID + " from database."); + Session session = MOASessionDBUtils.getCurrentSession(); + + List result; + + synchronized (session) { + session.beginTransaction(); + Query query = session.getNamedQuery("getActiveOAWithSessionIDandOAIDandProtocol"); + query.setParameter("sessionID", moaSession.getSessionID()); + query.setParameter("oaID", oaID); + query.setParameter("protocol", protocolType); + result = query.list(); + + //send transaction + session.getTransaction().commit(); + } + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() == 0) { + Logger.trace("No entries found."); + return null; + + } + + return result.get(0).getActiveOAsessions().get(0); + } + + public static InterfederationSessionStore searchInterfederatedIDPFORSSOWithMOASession(String sessionID) { + MiscUtil.assertNotNull(sessionID, "MOASession"); + Logger.trace("Get interfederated IDP for SSO with sessionID " + sessionID + " from database."); + Session session = MOASessionDBUtils.getCurrentSession(); + + List result; + + synchronized (session) { + session.beginTransaction(); + Query query = session.getNamedQuery("getInterfederatedIDPForSSOWithSessionID"); + query.setParameter("sessionID", sessionID); + result = query.list(); + + //send transaction + session.getTransaction().commit(); + } + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() == 0) { + Logger.trace("No entries found."); + return null; + + } + + return result.get(0).getInderfederation().get(0); + } + + public static InterfederationSessionStore searchInterfederatedIDPFORSSOWithMOASessionIDPID(String sessionID, String idpID) { + MiscUtil.assertNotNull(sessionID, "MOASession"); + MiscUtil.assertNotNull(idpID, "Interfederated IDP ID"); + Logger.trace("Get interfederated IDP "+ idpID + " for SSO with sessionID " + sessionID + " from database."); + Session session = MOASessionDBUtils.getCurrentSession(); + + List result; + + synchronized (session) { + session.beginTransaction(); + Query query = session.getNamedQuery("getInterfederatedIDPForSSOWithSessionIDIDPID"); + query.setParameter("sessionID", sessionID); + query.setParameter("idpID", idpID); + result = query.list(); + + //send transaction + session.getTransaction().commit(); + } + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() == 0) { + Logger.trace("No entries found."); + return null; + + } + + return result.get(0).getInderfederation().get(0); + } + + public static InterfederationSessionStore searchInterfederatedIDPFORAttributeQueryWithSessionID(AuthenticationSession moaSession) { + MiscUtil.assertNotNull(moaSession, "MOASession"); + Logger.trace("Get interfederated IDP for AttributeQuery with sessionID " + moaSession.getSessionID() + " from database."); + Session session = MOASessionDBUtils.getCurrentSession(); + + List result; + + synchronized (session) { + session.beginTransaction(); + Query query = session.getNamedQuery("getInterfederatedIDPForAttributeQueryWithSessionID"); + query.setParameter("sessionID", moaSession.getSessionID()); + result = query.list(); + + //send transaction + session.getTransaction().commit(); + } + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() == 0) { + Logger.trace("No entries found."); + return null; + + } + + return result.get(0).getInderfederation().get(0); + } + @SuppressWarnings("rawtypes") private static AuthenticatedSessionStore searchInDatabase(String sessionID) throws MOADatabaseException { MiscUtil.assertNotNull(sessionID, "moasessionID"); @@ -633,7 +801,7 @@ public class AuthenticationSessionStoreage { synchronized (session) { session.beginTransaction(); Query query = session.getNamedQuery("getSessionWithID"); - query.setString("sessionid", sessionID); + query.setParameter("sessionid", sessionID); result = query.list(); //send transaction @@ -650,4 +818,58 @@ public class AuthenticationSessionStoreage { return (AuthenticatedSessionStore) result.get(0); } + + /** + * @param entityID + * @param requestID + */ + public static boolean removeInterfederetedSession(String entityID, + String pedingRequestID) { + + try { + Logger.debug("Remove interfederated IDP from local SSO session ..."); + + MiscUtil.assertNotNull(pedingRequestID, "pedingRequestID"); + Logger.trace("Get authenticated session with pedingRequestID " + pedingRequestID + " from database."); + Session session = MOASessionDBUtils.getCurrentSession(); + + List result; + + synchronized (session) { + session.beginTransaction(); + Query query = session.getNamedQuery("getSessionWithPendingRequestID"); + query.setParameter("sessionid", pedingRequestID); + result = query.list(); + + //send transaction + session.getTransaction().commit(); + } + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() != 1) { + Logger.trace("No entries found."); + return false; + } + + AuthenticatedSessionStore authsession = result.get(0); + + List idpSessions = authsession.getInderfederation(); + if (idpSessions != null) { + for (InterfederationSessionStore idp : idpSessions) { + if (idp.getIdpurlprefix().equals(entityID)) + idpSessions.remove(idp); + + } + } + + MOASessionDBUtils.saveOrUpdate(authsession); + return true; + + } catch (Throwable e) { + Logger.warn("MOASession deserialization-exception by using MOASessionID=" + pedingRequestID); + return false; + } + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBExceptionStoreImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBExceptionStoreImpl.java index ae8e5ee27..054ad1014 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBExceptionStoreImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBExceptionStoreImpl.java @@ -154,7 +154,7 @@ public class DBExceptionStoreImpl implements IExceptionStore { synchronized (session) { session.beginTransaction(); Query query = session.getNamedQuery("getExceptionWithID"); - query.setString("id", id); + query.setParameter("id", id); result = query.list(); //send transaction -- cgit v1.2.3 From ead506b950a862750ff361262dca82d96cdaea47 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 5 May 2014 08:01:58 +0200 Subject: add chainging filter to MOAMetadataProvider --- .../moa/id/config/auth/OAAuthParameter.java | 6 +- .../pvp2x/metadata/MOAMetadataProvider.java | 33 ++++- .../verification/MetadataSignatureFilter.java | 161 -------------------- .../InterfederatedIDPPublicServiceFilter.java | 76 ++++++++++ .../verification/metadata/MetadataFilterChain.java | 82 +++++++++++ .../metadata/MetadataSignatureFilter.java | 162 +++++++++++++++++++++ 6 files changed, 348 insertions(+), 172 deletions(-) delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataFilterChain.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index 63b91f6d2..fe2117b9c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -492,11 +492,7 @@ public String getIDPAttributQueryServiceURL() { } public boolean isIDPPublicService() { - if (inderfederatedIDP != null) - return inderfederatedIDP.isPublicService(); - - else - return false; + return !getBusinessService(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index f2e3e7cb1..aa61172d1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -22,6 +22,7 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.metadata; +import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.Collection; import java.util.Date; @@ -48,7 +49,9 @@ import org.opensaml.xml.parse.BasicParserPool; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.MetadataSignatureFilter; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataFilterChain; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataSignatureFilter; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -156,11 +159,14 @@ public class MOAMetadataProvider implements MetadataProvider { } else if ( MiscUtil.isNotEmpty(metadataurl) && !providersinuse.containsKey(metadataurl) ) { //PVP2 OA is new, add it to MOAMetadataProvider + Logger.info("Loading metadata for: " + oa.getFriendlyName()); httpProvider = createNewHTTPMetaDataProvider( pvp2Config.getMetadataURL(), pvp2Config.getCertificate(), - oa.getFriendlyName()); + oa.getFriendlyName(), + buildMetadataFilterChain(oa, pvp2Config.getMetadataURL(), + pvp2Config.getCertificate())); if (httpProvider != null) providersinuse.put(metadataurl, httpProvider); @@ -266,7 +272,9 @@ public class MOAMetadataProvider implements MetadataProvider { httpProvider = createNewHTTPMetaDataProvider( metadataURL, pvp2Config.getCertificate(), - oa.getFriendlyName()); + oa.getFriendlyName(), + buildMetadataFilterChain(oa, metadataURL, + pvp2Config.getCertificate())); if (httpProvider != null) providersinuse.put(metadataURL, httpProvider); @@ -305,7 +313,19 @@ public class MOAMetadataProvider implements MetadataProvider { timestamp = new Date(); } - private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, byte[] certificate, String oaName) { + private MetadataFilterChain buildMetadataFilterChain(OnlineApplication oa, String metadataURL, byte[] certificate) throws CertificateException { + MetadataFilterChain filterChain = new MetadataFilterChain(metadataURL, certificate); + + if (oa.isIsInterfederationIDP() != null && oa.isIsInterfederationIDP()) { + Logger.info("Online-Application is an interfederated IDP. Add addional Metadata policies"); + filterChain.getFilters().add(new InterfederatedIDPPublicServiceFilter(metadataURL, oa.getType())); + + } + + return filterChain; + } + + private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, byte[] certificate, String oaName, MetadataFilterChain filter) { HTTPMetadataProvider httpProvider = null; Timer timer= null; @@ -321,8 +341,9 @@ public class MOAMetadataProvider implements MetadataProvider { // TODO: use proper SSL checking - MetadataFilter filter = new MetadataSignatureFilter( - metadataURL, certificate); + if (filter == null) { + filter = new MetadataFilterChain(metadataURL, certificate); + } httpProvider.setMetadataFilter(filter); httpProvider.initialize(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java deleted file mode 100644 index ed0cf9c62..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/MetadataSignatureFilter.java +++ /dev/null @@ -1,161 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.verification; - -import iaik.x509.X509Certificate; - -import java.security.cert.CertificateException; -import java.util.ArrayList; -import java.util.Iterator; -import java.util.List; - -import org.opensaml.saml2.metadata.EntitiesDescriptor; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.provider.FilterException; -import org.opensaml.saml2.metadata.provider.MetadataFilter; -import org.opensaml.xml.XMLObject; -import org.opensaml.xml.security.x509.BasicX509Credential; - -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; -import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException; -import at.gv.egovernment.moa.logging.Logger; - -public class MetadataSignatureFilter implements MetadataFilter { - - private String metadataURL; - private BasicX509Credential savedCredential; - - public MetadataSignatureFilter(String url, byte[] certificate) - throws CertificateException { - this.metadataURL = url; - X509Certificate cert = new X509Certificate(certificate); - savedCredential = new BasicX509Credential(); - savedCredential.setEntityCertificate(cert); - } - - public void processEntityDescriptorr(EntityDescriptor desc) throws MOAIDException { - -// String entityID = desc.getEntityID(); - - EntityVerifier.verify(desc); - } - - public void processEntitiesDescriptor(EntitiesDescriptor desc) throws MOAIDException { - Iterator entID = desc.getEntitiesDescriptors().iterator(); - - if(desc.getSignature() != null) { - EntityVerifier.verify(desc, this.savedCredential); - } - - while(entID.hasNext()) { - processEntitiesDescriptor(entID.next()); - } - - Iterator entIT = desc.getEntityDescriptors().iterator(); - - List verifiedEntIT = new ArrayList(); - - //check every Entity - - while(entIT.hasNext()) { - - EntityDescriptor entity = entIT.next(); - - String entityID = entity.getEntityID(); - - //CHECK if Entity also match MetaData signature. - /*This check is necessary to prepend declaration of counterfeit OA metadata!!*/ - byte[] entityCert = EntityVerifier.fetchSavedCredential(entityID); - - if (entityCert != null) { - - X509Certificate cert; - try { - cert = new X509Certificate(entityCert); - BasicX509Credential entityCrendential = new BasicX509Credential(); - entityCrendential.setEntityCertificate(cert); - - EntityVerifier.verify(desc, entityCrendential); - - //add entity to verified entity-list - verifiedEntIT.add(entity); - - } catch (Exception e) { - - //remove entity of signature can not be verified. - Logger.info("Entity " + entityID + " is removed from metadata " - + desc.getName() + ". Entity verification error: " + e.getMessage()); -// throw new MOAIDException("The App", null, e); - } - - } else { - //remove entity if it is not registrated as OA - Logger.info("Entity " + entityID + " is removed from metadata " - + desc.getName() + ". Entity is not registrated or no certificate is found!"); -// throw new NoCredentialsException("NO Certificate found for OA " + entityID); - } - - //TODO: insert to support signed Entity-Elements - //processEntityDescriptorr(entIT.next()); - } - - //set only verified entity elements - desc.getEntityDescriptors().clear(); - desc.getEntityDescriptors().addAll(verifiedEntIT); - } - - public void doFilter(XMLObject metadata) throws FilterException { - try { - if (metadata instanceof EntitiesDescriptor) { - EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata; - if(entitiesDescriptor.getSignature() == null) { - throw new MOAIDException("Root element of metadata file has to be signed", null); - } - processEntitiesDescriptor(entitiesDescriptor); - - - if (entitiesDescriptor.getEntityDescriptors().size() == 0) { - throw new MOAIDException("No valid entity in metadata " - + entitiesDescriptor.getName() + ". Metadata is not loaded.", null); - } - - - } else if (metadata instanceof EntityDescriptor) { - EntityDescriptor entityDescriptor = (EntityDescriptor) metadata; - processEntityDescriptorr(entityDescriptor); - - } else { - throw new MOAIDException("Invalid Metadata file Root element is no EntitiesDescriptor", null); - } - - ConfigurationDBUtils.closeSession(); - - Logger.info("Metadata Filter done OK"); - } catch (MOAIDException e) { - e.printStackTrace(); - throw new FilterException(e); - } - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java new file mode 100644 index 000000000..3d608fd6d --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/InterfederatedIDPPublicServiceFilter.java @@ -0,0 +1,76 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; + +import org.opensaml.saml2.metadata.provider.FilterException; +import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.xml.XMLObject; + +import at.gv.egovernment.moa.id.commons.db.dao.config.InterfederationIDPType; +import at.gv.egovernment.moa.id.commons.validation.ValidationHelper; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class InterfederatedIDPPublicServiceFilter implements MetadataFilter { + + private String metadataURL; + private boolean isPublicService = false; + + /** + * + */ + public InterfederatedIDPPublicServiceFilter(String metadataURL, String oaType) { + Logger.debug("Add " + this.getClass().getName() + " to metadata policy"); + this.metadataURL = metadataURL; + + if (oaType.equals("businessService")) + this.isPublicService = false; + else + this.isPublicService = true; + } + + + /* (non-Javadoc) + * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject) + */ + @Override + public void doFilter(XMLObject arg0) throws FilterException { + + boolean metadatacheck = ValidationHelper.isPublicServiceAllowed(this.metadataURL); + + if (isPublicService && isPublicService != metadatacheck) { + Logger.warn("Interfederated IDP " + metadataURL + " is configured " + + "as Public-Servic IDP but PublicService policy check FAILED."); + throw new FilterException("Interfederated IDP " + metadataURL + " is configured " + + "as Public-Servic IDP but PublicService policy check FAILED."); + + } + + Logger.info("Metadata PublicService policy check done OK"); + + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataFilterChain.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataFilterChain.java new file mode 100644 index 000000000..4e1d939ff --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataFilterChain.java @@ -0,0 +1,82 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; + +import java.security.cert.CertificateException; +import java.util.ArrayList; +import java.util.List; + +import org.opensaml.saml2.metadata.provider.FilterException; +import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.xml.XMLObject; + +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class MetadataFilterChain implements MetadataFilter { + + private List filters = new ArrayList(); + + /** + * @throws CertificateException + * + */ + public MetadataFilterChain(String url, byte[] certificate) throws CertificateException { + addDefaultFilters(url, certificate); + } + + public void addDefaultFilters(String url, byte[] certificate) throws CertificateException { + filters.add(new MetadataSignatureFilter(url, certificate)); + + } + + /** + * @return the filter + */ + public List getFilters() { + return filters; + } + + + /* (non-Javadoc) + * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject) + */ + @Override + public void doFilter(XMLObject arg0) throws FilterException { + for (MetadataFilter filter : filters) { + Logger.trace("Use MOAMetadatafilter " + filter.getClass().getName()); + filter.doFilter(arg0); + } + + } + + + + + + + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java new file mode 100644 index 000000000..0405fa114 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MetadataSignatureFilter.java @@ -0,0 +1,162 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; + +import iaik.x509.X509Certificate; + +import java.security.cert.CertificateException; +import java.util.ArrayList; +import java.util.Iterator; +import java.util.List; + +import org.opensaml.saml2.metadata.EntitiesDescriptor; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.provider.FilterException; +import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.security.x509.BasicX509Credential; + +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.EntityVerifier; +import at.gv.egovernment.moa.logging.Logger; + +public class MetadataSignatureFilter implements MetadataFilter { + + private String metadataURL; + private BasicX509Credential savedCredential; + + public MetadataSignatureFilter(String url, byte[] certificate) + throws CertificateException { + this.metadataURL = url; + X509Certificate cert = new X509Certificate(certificate); + savedCredential = new BasicX509Credential(); + savedCredential.setEntityCertificate(cert); + } + + public void processEntityDescriptorr(EntityDescriptor desc) throws MOAIDException { + +// String entityID = desc.getEntityID(); + + EntityVerifier.verify(desc); + } + + public void processEntitiesDescriptor(EntitiesDescriptor desc) throws MOAIDException { + Iterator entID = desc.getEntitiesDescriptors().iterator(); + + if(desc.getSignature() != null) { + EntityVerifier.verify(desc, this.savedCredential); + } + + while(entID.hasNext()) { + processEntitiesDescriptor(entID.next()); + } + + Iterator entIT = desc.getEntityDescriptors().iterator(); + + List verifiedEntIT = new ArrayList(); + + //check every Entity + + while(entIT.hasNext()) { + + EntityDescriptor entity = entIT.next(); + + String entityID = entity.getEntityID(); + + //CHECK if Entity also match MetaData signature. + /*This check is necessary to prepend declaration of counterfeit OA metadata!!*/ + byte[] entityCert = EntityVerifier.fetchSavedCredential(entityID); + + if (entityCert != null) { + + X509Certificate cert; + try { + cert = new X509Certificate(entityCert); + BasicX509Credential entityCrendential = new BasicX509Credential(); + entityCrendential.setEntityCertificate(cert); + + EntityVerifier.verify(desc, entityCrendential); + + //add entity to verified entity-list + verifiedEntIT.add(entity); + + } catch (Exception e) { + + //remove entity of signature can not be verified. + Logger.info("Entity " + entityID + " is removed from metadata " + + desc.getName() + ". Entity verification error: " + e.getMessage()); +// throw new MOAIDException("The App", null, e); + } + + } else { + //remove entity if it is not registrated as OA + Logger.info("Entity " + entityID + " is removed from metadata " + + desc.getName() + ". Entity is not registrated or no certificate is found!"); +// throw new NoCredentialsException("NO Certificate found for OA " + entityID); + } + + //TODO: insert to support signed Entity-Elements + //processEntityDescriptorr(entIT.next()); + } + + //set only verified entity elements + desc.getEntityDescriptors().clear(); + desc.getEntityDescriptors().addAll(verifiedEntIT); + } + + public void doFilter(XMLObject metadata) throws FilterException { + try { + if (metadata instanceof EntitiesDescriptor) { + EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata; + if(entitiesDescriptor.getSignature() == null) { + throw new MOAIDException("Root element of metadata file has to be signed", null); + } + processEntitiesDescriptor(entitiesDescriptor); + + + if (entitiesDescriptor.getEntityDescriptors().size() == 0) { + throw new MOAIDException("No valid entity in metadata " + + entitiesDescriptor.getName() + ". Metadata is not loaded.", null); + } + + + } else if (metadata instanceof EntityDescriptor) { + EntityDescriptor entityDescriptor = (EntityDescriptor) metadata; + processEntityDescriptorr(entityDescriptor); + + } else { + throw new MOAIDException("Invalid Metadata file Root element is no EntitiesDescriptor", null); + } + + ConfigurationDBUtils.closeSession(); + + Logger.info("Metadata signature policy check done OK"); + } catch (MOAIDException e) { + Logger.warn("Metadata signature policy check FAILED.", e); + throw new FilterException(e); + } + } + +} -- cgit v1.2.3 From 2e4354640986b86aaac16b59bc4836c8bf01cb25 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 6 May 2014 14:47:15 +0200 Subject: change refresh timestamp position --- .../moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index aa61172d1..31100bfac 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -121,15 +121,15 @@ public class MOAMetadataProvider implements MetadataProvider { } } - //load all PVP2 OAs form ConfigurationDatabase and - //compare actually loaded Providers with configured PVP2 OAs - List oaList = ConfigurationDBRead - .getAllActiveOnlineApplications(); - //set Timestamp Date oldTimeStamp = timestamp; timestamp = new Date(); + //load all PVP2 OAs form ConfigurationDatabase and + //compare actually loaded Providers with configured PVP2 OAs + List oaList = ConfigurationDBRead + .getAllActiveOnlineApplications(); + Iterator oaIt = oaList.iterator(); while (oaIt.hasNext()) { HTTPMetadataProvider httpProvider = null; -- cgit v1.2.3 From 0cdb39bbfbacbea3f809872f2570709eeca91ccf Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 7 May 2014 10:48:09 +0200 Subject: move SSLSocketFactory to moa-id-commons --- .../moa/id/config/ConfigurationProvider.java | 20 +- .../id/iaik/config/CertStoreConfigurationImpl.java | 165 --------------- .../moa/id/iaik/config/PKIConfigurationImpl.java | 120 ----------- .../iaik/config/RevocationConfigurationImpl.java | 86 -------- .../iaik/config/ValidationConfigurationImpl.java | 97 --------- .../moa/id/iaik/pki/PKIProfileImpl.java | 232 --------------------- .../moa/id/iaik/pki/jsse/MOAIDTrustManager.java | 165 --------------- .../iaik/servertools/observer/ObservableImpl.java | 92 -------- .../at/gv/egovernment/moa/id/util/SSLUtils.java | 105 +++------- 9 files changed, 36 insertions(+), 1046 deletions(-) delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/CertStoreConfigurationImpl.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/PKIConfigurationImpl.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/RevocationConfigurationImpl.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/ValidationConfigurationImpl.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/pki/PKIProfileImpl.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/pki/jsse/MOAIDTrustManager.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/servertools/observer/ObservableImpl.java (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java index dc5ec430e..88ed7885f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java @@ -135,23 +135,11 @@ public class ConfigurationProvider { return rootConfigFileDir; } - /** - * Return the chaining mode for a given trust anchor. - * - * @param trustAnchor The trust anchor for which the chaining mode should be - * returned. - * @return The chaining mode for the given trust anchor. If the trust anchor - * has not been configured separately, the system default will be returned. - */ - public String getChainingMode(X509Certificate trustAnchor) { - Principal issuer = trustAnchor.getIssuerDN(); - BigInteger serial = trustAnchor.getSerialNumber(); - IssuerAndSerial issuerAndSerial = new IssuerAndSerial(issuer, serial); - - String mode = (String) chainingModes.get(issuerAndSerial); - return mode != null ? mode : defaultChainingMode; + public String getDefaultChainingMode() { + return defaultChainingMode; } - + + /** * Returns the trustedCACertificates. * @return String diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/CertStoreConfigurationImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/CertStoreConfigurationImpl.java deleted file mode 100644 index b6fe20a61..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/CertStoreConfigurationImpl.java +++ /dev/null @@ -1,165 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/* - * Copyright 2003 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -package at.gv.egovernment.moa.id.iaik.config; - -import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.ConfigurationProvider; -import at.gv.egovernment.moa.id.iaik.servertools.observer.ObservableImpl; -import at.gv.egovernment.moa.logging.Logger; -import iaik.pki.store.certstore.CertStoreConfiguration; -import iaik.pki.store.certstore.CertStoreParameters; -import iaik.pki.store.certstore.CertStoreTypes; -import iaik.pki.store.certstore.directory.DirectoryCertStoreParameters; - -import java.io.File; - -/** - * Implementation of interface needed to initialize an IAIK JSSE TrustManager - * - * @author Paul Ivancsics - * @version $Id$ - */ -public class CertStoreConfigurationImpl extends ObservableImpl - implements CertStoreConfiguration, DirectoryCertStoreParameters { - /** - * identifies the rootDirectory - */ - private String rootDirectory; - /** - * ConfigurationProvider - */ - private ConfigurationProvider conf; - /** - * Array for storing all CertStoreParameters - */ - private CertStoreParameters[] parameters; - - /** - * Create a new CertStoreConfigurationImpl. - * - * @param conf The MOA configuration from which the configuration data is - * @throws ConfigurationException an any config-error - * being read. - */ - public CertStoreConfigurationImpl(ConfigurationProvider conf) throws ConfigurationException { - this.conf = conf; - - String certStoreRootDirParam = conf.getCertstoreDirectory(); - - if (certStoreRootDirParam == null) - throw new ConfigurationException( - "config.08", new Object[]{"CertStoreDirectory"}); - - //rootDirectory = FileUtils.makeAbsoluteURL(certStoreRootDirParam, conf.getRootConfigFileDir()); - rootDirectory = certStoreRootDirParam; - Logger.error("Using file: " + rootDirectory); - if (rootDirectory.startsWith("file:")) rootDirectory = rootDirectory.substring(5); - Logger.error("Using file2: " + rootDirectory); - - File f = new File(rootDirectory); - //Logger.error("Using file: " + certStoreRootDirParam + " param: " + conf.getRootConfigFileDir()); - - if (!f.exists()) { - Logger.error("File does not exists: " + f.getAbsolutePath()); - throw new ConfigurationException( - "config.05", new Object[]{"CertStoreDirectory"}); - } - - if (!f.isDirectory()) { - Logger.error("File is not a directory: " + f.getAbsolutePath()); - throw new ConfigurationException( - "config.05", new Object[]{"CertStoreDirectory"}); - } - - - parameters = new CertStoreParameters[]{this}; - } - - /** - * @see iaik.pki.store.certstore.CertStoreConfiguration#getParameters() - */ - public CertStoreParameters[] getParameters() { - return parameters; - } - - /** - * @see iaik.pki.store.certstore.directory.DirectoryCertStoreParameters#getRootDirectory() - */ - public String getRootDirectory() { - return rootDirectory; - } - - /** - * @see iaik.pki.store.certstore.directory.DirectoryCertStoreParameters#createNew() - */ - public boolean createNew() { - return false; - } - - /** - * @see iaik.pki.store.certstore.CertStoreParameters#getId() - */ - public String getId() { - return "MOA ID Directory CertStore"; - } - - /** - * @see iaik.pki.store.certstore.CertStoreParameters#isReadOnly() - */ - public boolean isReadOnly() { - return false; - } - - /** - * @return CertStoreTypes.DIRECTORY - * @see iaik.pki.store.certstore.CertStoreParameters#getType() - */ - public String getType() { - return CertStoreTypes.DIRECTORY; - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/PKIConfigurationImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/PKIConfigurationImpl.java deleted file mode 100644 index 064d8a835..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/PKIConfigurationImpl.java +++ /dev/null @@ -1,120 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/* - * Copyright 2003 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -package at.gv.egovernment.moa.id.iaik.config; - -import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.ConfigurationProvider; -import iaik.pki.PKIConfiguration; -import iaik.pki.pathvalidation.ValidationConfiguration; -import iaik.pki.revocation.RevocationConfiguration; -import iaik.pki.store.certstore.CertStoreConfiguration; -import iaik.pki.store.revocation.archive.ArchiveConfiguration; - -/** - * Implementation of interface PKIConfiguration needed to - * initialize an IAIK JSSE TrustManager - * - * @author Paul Ivancsics - * @version $Id$ - */ -public class PKIConfigurationImpl implements PKIConfiguration { - /** The configuration for the CertStore */ - private CertStoreConfiguration certStoreConfiguration; - /** The configuration for the RevocationChecks */ - private RevocationConfiguration revocationConfiguration; - /** The configuration for the Validation */ - private ValidationConfiguration validationConfiguration; - - /** - * Constructor - * @param conf the Configuration for the PKIConfig - * @throws ConfigurationException for any config error - */ - public PKIConfigurationImpl(ConfigurationProvider conf) throws ConfigurationException { - - certStoreConfiguration = new CertStoreConfigurationImpl(conf); - revocationConfiguration = new RevocationConfigurationImpl(); - validationConfiguration = new ValidationConfigurationImpl(conf); - } - - /** - * @see iaik.pki.PKIConfiguration#getCertStoreConfiguration() - */ - public CertStoreConfiguration getCertStoreConfiguration() { - return certStoreConfiguration; - } - - /** - * @see iaik.pki.PKIConfiguration#getRevocationConfiguration() - */ - public RevocationConfiguration getRevocationConfiguration() { - return revocationConfiguration; - } - - /** - * @see iaik.pki.PKIConfiguration#getArchiveConfiguration() - */ - public ArchiveConfiguration getArchiveConfiguration() { - return null; - } - - /** - * @see iaik.pki.PKIConfiguration#getValidationConfiguration() - */ - public ValidationConfiguration getValidationConfiguration() { - return validationConfiguration; - } - -/* (non-Javadoc) - * @see iaik.pki.PKIConfiguration#getTimeout() - */ - public int getTimeout() { - // TODO Auto-generated method stub - return 0; -} - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/RevocationConfigurationImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/RevocationConfigurationImpl.java deleted file mode 100644 index 2c24161f6..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/RevocationConfigurationImpl.java +++ /dev/null @@ -1,86 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/* - * Copyright 2003 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -package at.gv.egovernment.moa.id.iaik.config; - -import iaik.pki.revocation.RevocationConfiguration; - -import java.security.cert.X509Certificate; -import java.util.Collections; -import java.util.Date; -import java.util.Set; - -import at.gv.egovernment.moa.id.iaik.servertools.observer.ObservableImpl; - -/** - * Implementation of interface needed to initialize an IAIK JSSE TrustManager - * @author Paul Ivancsics - * @version $Id$ - */ -public class RevocationConfigurationImpl extends ObservableImpl implements RevocationConfiguration { - - /** - * @see iaik.pki.revocation.RevocationConfiguration#getAlternativeDistributionPoints(java.security.cert.X509Certificate, java.security.cert.X509Certificate, java.util.Date) - */ - public Set getAlternativeDistributionPoints( - X509Certificate arg0, - X509Certificate arg1, - Date arg2) { - return Collections.EMPTY_SET; - } - - /** - * @see iaik.pki.revocation.RevocationConfiguration#archiveRevocationInfo(java.lang.String, java.lang.String) - */ - public boolean archiveRevocationInfo(String arg0, String arg1) { - return false; - } - - public Integer getCrlRetentionInterval(String arg0) { - return null; - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/ValidationConfigurationImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/ValidationConfigurationImpl.java deleted file mode 100644 index d230eef26..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/config/ValidationConfigurationImpl.java +++ /dev/null @@ -1,97 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/* - * Copyright 2003 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -package at.gv.egovernment.moa.id.iaik.config; - -import iaik.pki.pathvalidation.ValidationConfiguration; - -import java.security.cert.X509Certificate; -import java.security.spec.AlgorithmParameterSpec; - -import at.gv.egovernment.moa.id.config.ConfigurationProvider; -import at.gv.egovernment.moa.id.iaik.servertools.observer.ObservableImpl; - -/** - * Implementation of interface needed to initialize an IAIK JSSE TrustManager - * @author Paul Ivancsics - * @version $Id$ - */ -public class ValidationConfigurationImpl extends ObservableImpl - implements ValidationConfiguration { - /** The ConfigurationProvider for the validation*/ - private ConfigurationProvider conf; - - /** - * Constructor - * @param conf with the configuration - */ - public ValidationConfigurationImpl(ConfigurationProvider conf) { - this.conf = conf; - } - - /** - * @see iaik.pki.pathvalidation.ValidationConfiguration#getChainingMode(java.security.cert.X509Certificate) - */ - public String getChainingMode(X509Certificate trustAnchor) { - String chainingMode = conf.getChainingMode(trustAnchor); - return chainingMode; - } - - /** - * @see iaik.pki.pathvalidation.ValidationConfiguration#getPublicKeyParamsAsSpec(java.security.cert.X509Certificate) - */ - public AlgorithmParameterSpec getPublicKeyParamsAsSpec(X509Certificate arg0) { - return null; - } - - /** - * @see iaik.pki.pathvalidation.ValidationConfiguration#getPublicKeyParamsAsCert(java.security.cert.X509Certificate) - */ - public X509Certificate getPublicKeyParamsAsCert(X509Certificate arg0) { - return null; - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/pki/PKIProfileImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/pki/PKIProfileImpl.java deleted file mode 100644 index 8afba2a12..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/pki/PKIProfileImpl.java +++ /dev/null @@ -1,232 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/* - * Copyright 2003 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -package at.gv.egovernment.moa.id.iaik.pki; - -import java.security.cert.X509Certificate; -import java.util.Collections; -import java.util.Set; - -import iaik.pki.PKIProfile; -import iaik.pki.pathvalidation.ValidationProfile; -import iaik.pki.revocation.RevocationProfile; -import iaik.pki.revocation.RevocationSourceTypes; -import iaik.pki.store.truststore.TrustStoreProfile; -import iaik.pki.store.truststore.TrustStoreTypes; - -import at.gv.egovernment.moa.id.iaik.servertools.observer.ObservableImpl; - -/** - * Implementation of the PKIProfile interface and subinterfaces - * providing information needed for certificate path validation. - * - * @author Paul Ivancsics - * @version $Id$ - */ -public class PKIProfileImpl extends ObservableImpl - implements PKIProfile, RevocationProfile, TrustStoreProfile, ValidationProfile { - - /** - * URI to the truststore - */ - private String trustStoreURI; - - /** - * revocation checking; - */ - private boolean revocationChecking; - - /** - * The trust profile identifier. - */ - private String id; - - - /** - * Create a new PKIProfileImpl. - * - * @param trustStoreURI trust store URI - */ - public PKIProfileImpl(String trustStoreURI, boolean revocationChecking) { - this.trustStoreURI = trustStoreURI; - this.revocationChecking = revocationChecking; - String id = String.valueOf(System.currentTimeMillis()); - setId("id-" + id); - } - - /** - * @see iaik.pki.PKIProfile#autoAddCertificates() - */ - public boolean autoAddCertificates() { - return true; - } - - /** - * @see iaik.pki.PKIProfile#getRevocationProfile() - */ - public RevocationProfile getRevocationProfile() { - return this; - } - - /** - * @see iaik.pki.PKIProfile#getTrustStoreProfile() - */ - public TrustStoreProfile getTrustStoreProfile() { - return this; - } - - /** - * @see iaik.pki.PKIProfile#getValidationProfile() - */ - public ValidationProfile getValidationProfile() { - return this; - } - - /** - * @see iaik.pki.PKIProfile#useAuthorityInfoAccess() - */ - public boolean useAuthorityInfoAccess() { - return true; - } - - /** - * @see iaik.pki.revocation.RevocationProfile#getMaxRevocationAge(java.lang.String) - */ - public long getMaxRevocationAge(String arg0) { - return 0; - } - - /** - * @see iaik.pki.revocation.RevocationProfile#getOCSPRequestHashAlgorithm() - */ - public String getOCSPRequestHashAlgorithm() { - return null; - } - - /** - * @see iaik.pki.revocation.RevocationProfile#getPreferredServiceOrder(java.security.cert.X509Certificate) - */ - public String[] getPreferredServiceOrder(X509Certificate arg0) { - return new String[] {RevocationSourceTypes.CRL}; - } - - /** - * @see iaik.pki.store.truststore.TrustStoreProfile#getType() - */ - public String getType() { - return TrustStoreTypes.DIRECTORY; - } - - /** - * @see iaik.pki.store.truststore.TrustStoreProfile#getURI() - */ - public String getURI() { - return trustStoreURI; - } - - /** - * @see iaik.pki.pathvalidation.ValidationProfile#getInitialAnyPolicyInhibit() - */ - public boolean getInitialAnyPolicyInhibit() { - return false; - } - - /** - * @see iaik.pki.pathvalidation.ValidationProfile#getInitialExplicitPolicy() - */ - public boolean getInitialExplicitPolicy() { - return false; - } - - /** - * @see iaik.pki.pathvalidation.ValidationProfile#getInitialPolicyMappingInhibit() - */ - public boolean getInitialPolicyMappingInhibit() { - return false; - } - - /** - * @see iaik.pki.pathvalidation.ValidationProfile#getInitialPolicySet() - */ - public Set getInitialPolicySet() { - return Collections.EMPTY_SET; - } - - /** - * @see iaik.pki.pathvalidation.ValidationProfile#getNameConstraintsProcessing() - */ - public boolean getNameConstraintsProcessing() { - return false; - } - - /** - * @see iaik.pki.pathvalidation.ValidationProfile#getPolicyProcessing() - */ - public boolean getPolicyProcessing() { - return false; - } - - /** - * @see iaik.pki.pathvalidation.ValidationProfile#getRevocationChecking() - */ - public boolean getRevocationChecking() { - return this.revocationChecking; - } - - /** - * @see iaik.pki.store.truststore.TrustStoreProfile#getId() - */ - public String getId() { - return id; - } - /** - * Sets the trust profile identifier. - * @param id The id to set. - */ - public void setId(String id) { - this.id = id; - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/pki/jsse/MOAIDTrustManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/pki/jsse/MOAIDTrustManager.java deleted file mode 100644 index 202be882e..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/pki/jsse/MOAIDTrustManager.java +++ /dev/null @@ -1,165 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/* - * Copyright 2003 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -package at.gv.egovernment.moa.id.iaik.pki.jsse; - -import java.io.File; -import java.io.FileInputStream; -import java.io.IOException; -import java.net.URL; -import java.security.GeneralSecurityException; -import java.security.cert.CertificateFactory; -import java.security.cert.X509Certificate; -import java.util.ArrayList; -import java.util.List; - -import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.logging.LoggingContext; -import at.gv.egovernment.moa.logging.LoggingContextManager; - -import iaik.pki.jsse.IAIKX509TrustManager; - -/** - * TrustManager implementation featuring CRL checking (inherited from - * IAIKX509TrustManager), plus server-end-SSL-certificate checking. - * - * @author Paul Ivancsics - * @version $Id$ - */ -public class MOAIDTrustManager extends IAIKX509TrustManager { - - /** an x509Certificate array containing all accepted server certificates*/ - private X509Certificate[] acceptedServerCertificates; - - /** - * Constructor - * @param acceptedServerCertificateStoreURL the url leading to the acceptedServer cert store - * @throws GeneralSecurityException occurs on security errors - * @throws IOException occurs on IO errors - */ - public MOAIDTrustManager(String acceptedServerCertificateStoreURL) - throws IOException, GeneralSecurityException { - - if (acceptedServerCertificateStoreURL != null) - buildAcceptedServerCertificates(acceptedServerCertificateStoreURL); - else - acceptedServerCertificates = null; - } - - - /** - * Initializes the LoggingContextManager logging context. - * Fixes a bug occuring in the case MOA-SP is called by API. - * In this case, IAIKX509TrustManager uses the LogginConfig of MOA-SP. - * This method must be called before a MOAIDTrustManager is constructed, - * from every thread. - */ - public static void initializeLoggingContext() { - if (LoggingContextManager.getInstance().getLoggingContext() == null) - LoggingContextManager.getInstance().setLoggingContext( - new LoggingContext(Thread.currentThread().getName())); - } - - - /** - * Builds an Array of accepted server certificates from an URL, - * and stores it in acceptedServerCertificates. - * @param acceptedServerCertificateStoreURL file URL pointing to the directory - * containing accepted server X509 certificates - * @throws GeneralSecurityException on security errors - * @throws IOException on any IO errors - */ - private void buildAcceptedServerCertificates(String acceptedServerCertificateStoreURL) - throws IOException, GeneralSecurityException { - - List certList = new ArrayList(); - URL storeURL = new URL(acceptedServerCertificateStoreURL); - File storeDir = new File(storeURL.getFile()); - // list certificate files in directory - File[] certFiles = storeDir.listFiles(); - for (int i = 0; i < certFiles.length; i++) { - // for each: create an X509Certificate and store it in list - File certFile = certFiles[i]; - FileInputStream fis = new FileInputStream(certFile.getPath()); - CertificateFactory certFact = CertificateFactory.getInstance("X.509"); - X509Certificate cert = (X509Certificate)certFact.generateCertificate(fis); - fis.close(); - certList.add(cert); - } - // store acceptedServerCertificates - acceptedServerCertificates = (X509Certificate[]) certList.toArray(new X509Certificate[0]); - } - - /** - * Does additional server-end-SSL-certificate checking. - * @see com.sun.net.ssl.X509TrustManager#isServerTrusted(java.security.cert.X509Certificate[]) - */ - public boolean isServerTrusted(X509Certificate[] certChain) { - boolean trusted = super.isServerTrusted(certChain); - if (! trusted || acceptedServerCertificates == null) - return trusted; - else { - // check server-end-SSL-certificate with acceptedServerCertificates - X509Certificate serverCert = certChain[0]; - for (int i = 0; i < acceptedServerCertificates.length; i++) { - X509Certificate acceptedServerCert = acceptedServerCertificates[i]; - if (serverCert.equals(acceptedServerCert)) - return true; - } - Logger.warn(MOAIDMessageProvider.getInstance().getMessage("ssl.01", null)); - return false; - } - } - /** - * In rare cases, this method is being called although it should not be. - * @see com.sun.net.ssl.X509TrustManager#isClientTrusted(X509Certificate[]) - */ - public boolean isClientTrusted(java.security.cert.X509Certificate arg0[]) - { - return true; - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/servertools/observer/ObservableImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/servertools/observer/ObservableImpl.java deleted file mode 100644 index 16184502d..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/iaik/servertools/observer/ObservableImpl.java +++ /dev/null @@ -1,92 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - ******************************************************************************/ -/* - * Copyright 2003 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -package at.gv.egovernment.moa.id.iaik.servertools.observer; - -import iaik.pki.store.observer.NotificationData; -import iaik.pki.store.observer.Observable; -import iaik.pki.store.observer.Observer; - -import java.util.ArrayList; -import java.util.Iterator; -import java.util.List; - - -/** - * Implementation of interface TrustManager - * @author Paul Ivancsics - * @version $Id$ - */ -public class ObservableImpl implements Observable { - /** a List for all observers */ - private List observers = new ArrayList(); - - /** - * @see iaik.pki.store.observer.Observable#addObserver(iaik.pki.store.observer.Observer) - */ - public void addObserver(Observer observer) { - observers.add(observer); - } - - /** - * @see iaik.pki.store.observer.Observable#removeObserver(iaik.pki.store.observer.Observer) - */ - public boolean removeObserver(Observer observer) { - return observers.remove(observer); - } - - /** - * @see iaik.pki.store.observer.Observable#notify(iaik.pki.store.observer.NotificationData) - */ - public void notify(NotificationData data) { - Iterator iter = observers.iterator(); - for (iter = observers.iterator(); iter.hasNext();) { - Observer observer = (Observer) iter.next(); - observer.notify(data); - } - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java index ed3f297c7..81abe3f5a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java @@ -46,11 +46,7 @@ package at.gv.egovernment.moa.id.util; -import iaik.pki.PKIConfiguration; import iaik.pki.PKIException; -import iaik.pki.PKIFactory; -import iaik.pki.PKIProfile; -import iaik.pki.jsse.IAIKX509TrustManager; import iaik.security.provider.IAIK; import java.io.BufferedInputStream; @@ -62,26 +58,19 @@ import java.io.Reader; import java.net.URL; import java.security.GeneralSecurityException; import java.security.Security; -import java.util.HashMap; -import java.util.Map; import javax.net.ssl.HttpsURLConnection; -import javax.net.ssl.KeyManager; -import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSocketFactory; -import javax.net.ssl.TrustManager; import org.apache.regexp.RE; import org.apache.regexp.RESyntaxException; +import at.gv.egovernment.moa.id.commons.utils.ssl.SSLConfigurationException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.ConfigurationProvider; import at.gv.egovernment.moa.id.config.ConnectionParameter; import at.gv.egovernment.moa.id.config.ConnectionParameterInterface; -import at.gv.egovernment.moa.id.iaik.config.PKIConfigurationImpl; -import at.gv.egovernment.moa.id.iaik.pki.PKIProfileImpl; -import at.gv.egovernment.moa.id.iaik.pki.jsse.MOAIDTrustManager; -import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; /** @@ -94,14 +83,7 @@ import at.gv.egovernment.moa.logging.Logger; */ public class SSLUtils { - /** SSLSocketFactory store, mapping URL->SSLSocketFactory **/ - private static Map sslSocketFactories = new HashMap(); - - /** - * Initializes the SSLSocketFactory store. - */ public static void initialize() { - sslSocketFactories = new HashMap(); // JSSE Abhängigkeit //Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider()); Security.addProvider(new IAIK()); @@ -132,61 +114,38 @@ public class SSLUtils { ConnectionParameterInterface connParam) throws IOException, GeneralSecurityException, ConfigurationException, PKIException { - Logger.debug("Get SSLSocketFactory for " + connParam.getUrl()); - // retrieve SSLSocketFactory if already created - SSLSocketFactory ssf = (SSLSocketFactory)sslSocketFactories.get(connParam.getUrl()); - if (ssf != null) - return ssf; - - // else create new SSLSocketFactory - String trustStoreURL = conf.getTrustedCACertificates(); - - if (trustStoreURL == null) - throw new ConfigurationException( - "config.08", new Object[] {"TrustedCACertificates"}); - String acceptedServerCertURL = connParam.getAcceptedServerCertificates(); - - TrustManager[] tms = getTrustManagers(conf, trustStoreURL, acceptedServerCertURL); - - KeyManager[] kms = at.gv.egovernment.moa.util.SSLUtils.getKeyManagers( - "pkcs12", connParam.getClientKeyStore(), connParam.getClientKeyStorePassword()); - SSLContext ctx = SSLContext.getInstance("TLS"); - ctx.init(kms, tms, null); ssf = ctx.getSocketFactory(); - // store SSLSocketFactory - sslSocketFactories.put(connParam.getUrl(), ssf); - return ssf; + // else create new SSLSocketFactory + String trustStoreURL = conf.getTrustedCACertificates(); + + if (trustStoreURL == null) + throw new ConfigurationException( + "config.08", new Object[] {"TrustedCACertificates"}); + + String acceptedServerCertURL = connParam.getAcceptedServerCertificates(); + + //INFO: MOA-ID 2.x always use defaultChainingMode + + try { + SSLSocketFactory ssf = + at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory( + connParam.getUrl(), + conf.getCertstoreDirectory(), + trustStoreURL, + acceptedServerCertURL, + AuthConfigurationProvider.getInstance().getDefaultChainingMode(), + AuthConfigurationProvider.getInstance().isTrustmanagerrevoationchecking(), + connParam.getClientKeyStore(), + connParam.getClientKeyStorePassword(), + "pkcs12"); + + return ssf; + + } catch (SSLConfigurationException e) { + throw new ConfigurationException(e.getErrorID(), e.getParameters(), e.getE()); + + } } - - /** - * Initializes an IAIKX509TrustManager for a given trust store, - * using configuration data. - * - * @param conf MOA-ID configuration provider - * @param trustStoreURL trust store URL - * @param acceptedServerCertURL file URL pointing to directory containing accepted server SSL certificates - * @return TrustManager array containing the IAIKX509TrustManager - * @throws ConfigurationException on invalid configuration data - * @throws IOException on data-reading problems - * @throws PKIException while initializing the IAIKX509TrustManager - */ - public static TrustManager[] getTrustManagers( - ConfigurationProvider conf, String trustStoreURL, String acceptedServerCertURL) - throws ConfigurationException, PKIException, IOException, GeneralSecurityException { - - PKIConfiguration cfg = null; - if (! PKIFactory.getInstance().isAlreadyConfigured()) - cfg = new PKIConfigurationImpl(conf); - boolean checkRevocation = conf.isTrustmanagerrevoationchecking(); - PKIProfile profile = new PKIProfileImpl(trustStoreURL, checkRevocation); - // This call fixes a bug occuring when PKIConfiguration is - // initialized by the MOA-SP initialization code, in case - // MOA-SP is called by API - MOAIDTrustManager.initializeLoggingContext(); - IAIKX509TrustManager tm = new MOAIDTrustManager(acceptedServerCertURL); - tm.init(cfg, profile); - return new TrustManager[] {tm}; - } /** * Reads a file, given by URL, into a byte array, * securing the connection by IAIKX509TrustManager. -- cgit v1.2.3 From 5e78c0a4ecfc75b2e42c079c08cff8247845e293 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 7 May 2014 16:00:49 +0200 Subject: change MOAMetaDataProvider to use MOA HttpClient --- .../pvp2x/metadata/MOAMetadataProvider.java | 35 +++++++++++++++++----- 1 file changed, 28 insertions(+), 7 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index 31100bfac..5c8e181a7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -34,7 +34,7 @@ import java.util.Timer; import javax.xml.namespace.QName; -import org.apache.commons.httpclient.HttpClient; +import org.apache.commons.httpclient.MOAHttpClient; import org.opensaml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.RoleDescriptor; @@ -47,11 +47,14 @@ import org.opensaml.xml.XMLObject; import org.opensaml.xml.parse.BasicParserPool; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; +import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModeType; import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; +import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; +import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataFilterChain; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataSignatureFilter; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -328,10 +331,30 @@ public class MOAMetadataProvider implements MetadataProvider { private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, byte[] certificate, String oaName, MetadataFilterChain filter) { HTTPMetadataProvider httpProvider = null; Timer timer= null; - - try { + MOAHttpClient httpClient = null; + try { + httpClient = new MOAHttpClient(); + + if (metadataURL.startsWith("https:")) { + try { + MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( + "MOAMetaDataProvider", + AuthConfigurationProvider.getInstance().getCertstoreDirectory(), + AuthConfigurationProvider.getInstance().getTrustedCACertificates(), + null, + ChainingModeType.fromValue(AuthConfigurationProvider.getInstance().getDefaultChainingMode()), + AuthConfigurationProvider.getInstance().isTrustmanagerrevoationchecking()); + + httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory); + + } catch (MOAHttpProtocolSocketFactoryException e) { + Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore."); + + } + } + timer = new Timer(); - httpProvider = new HTTPMetadataProvider(timer, new HttpClient(), + httpProvider = new HTTPMetadataProvider(timer, httpClient, metadataURL); httpProvider.setParserPool(new BasicParserPool()); httpProvider.setRequireValidMetadata(true); @@ -339,8 +362,6 @@ public class MOAMetadataProvider implements MetadataProvider { httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours //httpProvider.setRefreshDelayFactor(0.1F); - // TODO: use proper SSL checking - if (filter == null) { filter = new MetadataFilterChain(metadataURL, certificate); } -- cgit v1.2.3 From 9ade292185a7cd7ebfd0aad27a48324433737bfe Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 7 May 2014 17:16:42 +0200 Subject: add inbound/outbound interfederation SSO checks --- .../moa/id/config/auth/IOAAuthParameters.java | 15 ++++++++++++ .../moa/id/config/auth/OAAuthParameter.java | 24 +++++++++++++++++++ .../config/auth/data/DynamicOAAuthParameters.java | 27 ++++++++++++++++++++++ .../moa/id/moduls/AuthenticationManager.java | 10 +++++++- .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 6 +++++ 5 files changed, 81 insertions(+), 1 deletion(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java index 39c8ecfdc..a59cc10e0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java @@ -130,4 +130,19 @@ public interface IOAAuthParameters { public String getIDPAttributQueryServiceURL(); + /** + * @return + */ + boolean isInboundSSOInterfederationAllowed(); + + /** + * @return + */ + boolean isInterfederationSSOStorageAllowed(); + + /** + * @return + */ + boolean isOutboundSSOInterfederationAllowed(); + } \ No newline at end of file diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index fe2117b9c..7fc5746ee 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -491,6 +491,30 @@ public String getIDPAttributQueryServiceURL() { } +@Override +public boolean isInboundSSOInterfederationAllowed() { + if (inderfederatedIDP != null) + return inderfederatedIDP.isInboundSSO(); + else + return false; +} + +@Override +public boolean isOutboundSSOInterfederationAllowed() { + if (inderfederatedIDP != null) + return inderfederatedIDP.isOutboundSSO(); + else + return false; +} + +@Override +public boolean isInterfederationSSOStorageAllowed() { + if (inderfederatedIDP != null) + return inderfederatedIDP.isStoreSSOSession(); + else + return false; +} + public boolean isIDPPublicService() { return !getBusinessService(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java index f35027f21..02ac09d70 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/DynamicOAAuthParameters.java @@ -354,6 +354,33 @@ public class DynamicOAAuthParameters implements IOAAuthParameters { this.applicationID = applicationID; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isInboundSSOInterfederationAllowed() + */ + @Override + public boolean isInboundSSOInterfederationAllowed() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isInterfederationSSOStorageAllowed() + */ + @Override + public boolean isInterfederationSSOStorageAllowed() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isOutboundSSOInterfederationAllowed() + */ + @Override + public boolean isOutboundSSOInterfederationAllowed() { + // TODO Auto-generated method stub + return false; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 8a7a876a7..ee7d452c5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -212,9 +212,17 @@ public class AuthenticationManager extends AuthServlet { boolean requiredLocalAuthentication = true; Logger.debug("Build PVP 2.1 authentication request"); - + //get IDP metadata try { + OAAuthParameter idp = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(target.getRequestedIDP()); + if (!idp.isInderfederationIDP() || !idp.isInboundSSOInterfederationAllowed()) { + Logger.info("Requested interfederation IDP " + target.getRequestedIDP() + " is not valid for interfederation."); + Logger.info("Switch to local authentication on this IDP ... "); + perfomLocalAuthentication(request, response, target); + + } + EntityDescriptor idpEntity = MOAMetadataProvider.getInstance(). getEntityDescriptor(target.getRequestedIDP()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index d04480ff5..a786420cf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -414,6 +414,12 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { throw new AttributQueryException("AttributeQuery requests are only allowed for interfederation IDPs.", null); } + + if (!oa.isOutboundSSOInterfederationAllowed()) { + Logger.warn("Interfederation IDP " + oa.getPublicURLPrefix() + " does not allow outgoing SSO interfederation."); + throw new AttributQueryException("Interfederation IDP does not allow outgoing SSO interfederation.", null); + + } PVPTargetConfiguration config = new PVPTargetConfiguration(); config.setRequest(moaRequest); -- cgit v1.2.3 From 14b0f46d1aa0b266547ac43dfc7a4ed2256cfc71 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 7 May 2014 17:17:18 +0200 Subject: use MOA SSL SocketFactory for AttributQueryRequests --- .../id/auth/builder/AuthenticationDataBuilder.java | 48 ++++++++++++++++++---- .../moa/id/protocols/pvp2x/PVPConstants.java | 2 + .../pvp2x/metadata/MOAMetadataProvider.java | 3 +- 3 files changed, 43 insertions(+), 10 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 33c150927..a1a51f6c1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -32,6 +32,7 @@ import java.util.List; import javax.naming.ldap.LdapName; import javax.naming.ldap.Rdn; +import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory; import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AttributeQuery; @@ -61,12 +62,16 @@ import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils; +import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModeType; import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; +import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.moduls.IRequest; @@ -173,18 +178,24 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { authdata.setBPK(interfIDP.getUserNameID()); } else { + //get attributes from interfederated IDP + OAAuthParameter idp = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(interfIDP.getIdpurlprefix()); + getAuthDataFromInterfederation(authdata, session, oaParam, protocolRequest, interfIDP, idp, reqAttributes); + //mark attribute request as used try { - interfIDP.setAttributesRequested(true); - MOASessionDBUtils.saveOrUpdate(interfIDP); + if (idp.isInterfederationSSOStorageAllowed()) { + interfIDP.setAttributesRequested(true); + MOASessionDBUtils.saveOrUpdate(interfIDP); + + } else { + MOASessionDBUtils.delete(interfIDP); + } } catch (MOADatabaseException e) { Logger.error("MOASession interfederation information can not stored to database.", e); } - - //get attributes from interfederated IDP - getAuthDataFromInterfederation(authdata, session, oaParam, protocolRequest, interfIDP, reqAttributes); } } else { @@ -217,13 +228,14 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { * @param oaParam * @param protocolRequest * @param interfIDP + * @param idp * @param reqQueryAttr * @throws ConfigurationException */ private static void getAuthDataFromInterfederation( AuthenticationData authdata, AuthenticationSession session, IOAAuthParameters oaParam, IRequest req, - InterfederationSessionStore interfIDP, List reqQueryAttr) throws BuildException, ConfigurationException{ + InterfederationSessionStore interfIDP, OAAuthParameter idp, List reqQueryAttr) throws BuildException, ConfigurationException{ try { List attributs = null; @@ -243,9 +255,9 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { attributs = req.getRequestedAttributes(); } - - //collect attributes by using BackChannel communication - String endpoint = oaParam.getIDPAttributQueryServiceURL(); + + //collect attributes by using BackChannel communication + String endpoint = idp.getIDPAttributQueryServiceURL(); if (MiscUtil.isEmpty(endpoint)) { Logger.error("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix()); throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + oaParam.getPublicURLPrefix(), null); @@ -265,6 +277,24 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { soapContext.setOutboundMessage(soapRequest); HttpClientBuilder clientBuilder = new HttpClientBuilder(); + if (endpoint.startsWith("https")) { + try { + SecureProtocolSocketFactory sslprotocolsocketfactory = + new MOAHttpProtocolSocketFactory( + PVPConstants.SSLSOCKETFACTORYNAME, + AuthConfigurationProvider.getInstance().getCertstoreDirectory(), + AuthConfigurationProvider.getInstance().getTrustedCACertificates(), + null, + ChainingModeType.fromValue(AuthConfigurationProvider.getInstance().getDefaultChainingMode()), + AuthConfigurationProvider.getInstance().isTrustmanagerrevoationchecking()); + clientBuilder.setHttpsProtocolSocketFactory(sslprotocolsocketfactory ); + + } catch (MOAHttpProtocolSocketFactoryException e) { + Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore."); + + } + } + HttpSOAPClient soapClient = new HttpSOAPClient(clientBuilder.buildClient(), parserPool); //send request to IDP diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java index dafaf6279..47c297914 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java @@ -27,6 +27,8 @@ import org.opensaml.xml.signature.SignatureConstants; public interface PVPConstants { + public static final String SSLSOCKETFACTORYNAME = "MOAMetaDataProvider"; + public static final String DEFAULT_SIGNING_METHODE = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256; public static final String DEFAULT_DIGESTMETHODE = SignatureConstants.ALGO_ID_DIGEST_SHA256; public static final String DEFAULT_SYM_ENCRYPTION_METHODE = EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index 5c8e181a7..f29c0eaef 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -53,6 +53,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MetadataFilterChain; import at.gv.egovernment.moa.logging.Logger; @@ -338,7 +339,7 @@ public class MOAMetadataProvider implements MetadataProvider { if (metadataURL.startsWith("https:")) { try { MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( - "MOAMetaDataProvider", + PVPConstants.SSLSOCKETFACTORYNAME, AuthConfigurationProvider.getInstance().getCertstoreDirectory(), AuthConfigurationProvider.getInstance().getTrustedCACertificates(), null, -- cgit v1.2.3 From 7f00c5957134e95e5b59b1546388f4e49051f094 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 8 May 2014 10:17:09 +0200 Subject: add methode to get SAML2 binding URL --- .../moa/id/protocols/pvp2x/binding/ArtifactBinding.java | 4 ++++ .../gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java | 2 ++ .../egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java | 8 ++++++-- .../moa/id/protocols/pvp2x/binding/RedirectBinding.java | 6 +++++- .../egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java | 6 +++++- 5 files changed, 22 insertions(+), 4 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java index 6801d25d5..8691667f0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/ArtifactBinding.java @@ -113,5 +113,9 @@ public class ArtifactBinding implements IDecoder, IEncoder { return false; } + + public String getSAML2BindingName() { + return SAMLConstants.SAML2_ARTIFACT_BINDING_URI; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java index 108caf047..fb17c02b8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java @@ -37,4 +37,6 @@ public interface IDecoder { throws MessageDecodingException, SecurityException, PVP2Exception; public boolean handleDecode(String action, HttpServletRequest req); + + public String getSAML2BindingName(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 020055139..a2fe5c01b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -36,6 +36,7 @@ import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml2.metadata.SingleLogoutService; import org.opensaml.saml2.metadata.SingleSignOnService; import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder; import org.opensaml.ws.message.decoder.MessageDecodingException; @@ -163,7 +164,7 @@ public class PostBinding implements IDecoder, IEncoder { RequestAbstractType inboundMessage = (RequestAbstractType) messageContext .getInboundMessage(); - msg = new MOARequest(inboundMessage); + msg = new MOARequest(inboundMessage, getSAML2BindingName()); } else if (messageContext.getInboundMessage() instanceof Response){ messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); @@ -192,5 +193,8 @@ public class PostBinding implements IDecoder, IEncoder { public boolean handleDecode(String action, HttpServletRequest req) { return (req.getMethod().equals("POST") && action.equals(PVP2XProtocol.POST)); } - + + public String getSAML2BindingName() { + return SAMLConstants.SAML2_POST_BINDING_URI; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 68069f3a5..f5dba014b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -168,7 +168,7 @@ public class RedirectBinding implements IDecoder, IEncoder { RequestAbstractType inboundMessage = (RequestAbstractType) messageContext .getInboundMessage(); - msg = new MOARequest(inboundMessage); + msg = new MOARequest(inboundMessage, getSAML2BindingName()); } else if (messageContext.getInboundMessage() instanceof Response){ @@ -200,4 +200,8 @@ public class RedirectBinding implements IDecoder, IEncoder { return (action.equals(PVP2XProtocol.REDIRECT) && req.getMethod() .equals("GET")); } + + public String getSAML2BindingName() { + return SAMLConstants.SAML2_REDIRECT_BINDING_URI; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java index ec7c117b9..048c7f14c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java @@ -78,7 +78,7 @@ public class SoapBinding implements IDecoder, IEncoder { if (!xmlElemList.isEmpty()) { SignableXMLObject attrReq = (SignableXMLObject) xmlElemList.get(0); - MOARequest request = new MOARequest(attrReq); + MOARequest request = new MOARequest(attrReq, getSAML2BindingName()); request.setVerified(false); return request; @@ -122,5 +122,9 @@ public class SoapBinding implements IDecoder, IEncoder { throw new SecurityException(e); } } + + public String getSAML2BindingName() { + return SAMLConstants.SAML2_SOAP11_BINDING_URI; + } } -- cgit v1.2.3 From 49e202080467e3da1b43505ace711001b6c18c4b Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 8 May 2014 10:17:42 +0200 Subject: add first parts for Single LogOut --- .../moa/id/entrypoints/DispatcherServlet.java | 12 +++-- .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 60 ++++++++++++++++++++-- .../id/protocols/pvp2x/PVPTargetConfiguration.java | 3 +- .../id/protocols/pvp2x/messages/MOARequest.java | 11 +++- 4 files changed, 76 insertions(+), 10 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 9f1b6b3e8..1cc2a5711 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -41,7 +41,6 @@ import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; -import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; @@ -271,10 +270,17 @@ public class DispatcherServlet extends AuthServlet{ //request is a new authentication request } else if (protocolRequest != null && - MiscUtil.isEmpty(protocolRequest.getRequestID())) { + MiscUtil.isEmpty(protocolRequest.getRequestID())) { //Start new Authentication - protocolRequest.setAction(action); protocolRequest.setModule(module); + + //if preProcessing has not set a specific action from decoded request + // then set the default action + if (MiscUtil.isEmpty(protocolRequest.requestedAction())) + protocolRequest.setAction(action); + else + moduleAction = info.getAction(protocolRequest.requestedAction()); + protocolRequestID = Random.nextRandom(); protocolRequest.setRequestID(protocolRequestID); RequestStorage.setPendingRequest(protocolRequest); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index a786420cf..e2e6e752b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -52,6 +52,7 @@ import org.opensaml.saml2.metadata.AssertionConsumerService; import org.opensaml.saml2.metadata.AttributeConsumingService; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml2.metadata.SingleLogoutService; import org.opensaml.xml.io.MarshallingException; import org.opensaml.xml.signature.SignableXMLObject; @@ -105,6 +106,7 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { public static final String SOAP = "Soap"; public static final String METADATA = "Metadata"; public static final String ATTRIBUTEQUERY = "AttributeQuery"; + public static final String SINGLELOGOUT = "SingleLogOut"; private static List decoder = new ArrayList(); @@ -125,6 +127,7 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { actions.put(POST, new AuthenticationAction()); actions.put(METADATA, new MetadataAction()); actions.put(ATTRIBUTEQUERY, new AttributQueryAction()); + actions.put(SINGLELOGOUT, new SingleLogOutAction()); //TODO: insert getArtifact action @@ -179,6 +182,7 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { if(METADATA.equals(action)) { return new PVPTargetConfiguration(); + } IDecoder decoder = findDecoder(action, request); @@ -350,8 +354,10 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { HttpServletResponse response) { if(request.getParameter("SAMLRequest") != null && request.getMethod().equals("GET")) { return getAction(REDIRECT); + } else if(request.getParameter("SAMLRequest") != null && request.getMethod().equals("POST")) { return getAction(POST); + } if(METADATA.equals(request.getParameter("action"))) { @@ -373,11 +379,57 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { * @param response * @param msg * @return + * @throws MOAIDException */ private IRequest preProcessLogOut(HttpServletRequest request, - HttpServletResponse response, MOARequest msg) { - // TODO Auto-generated method stub - return null; + HttpServletResponse response, MOARequest msg) throws MOAIDException { + + PVPTargetConfiguration config = new PVPTargetConfiguration(); + + if (((MOARequest)msg).getSamlRequest() instanceof LogoutRequest) { + //preProcess single logout request from service provider + + EntityDescriptor metadata = msg.getEntityMetadata(); + if(metadata == null) { + throw new NoMetadataInformationException(); + } + + + + String oaURL = metadata.getEntityID(); + oaURL = StringEscapeUtils.escapeHtml(oaURL); + + Logger.info("Dispatch PVP2 SingleLogOut: OAURL=" + oaURL + " Binding=" + msg.getRequestBinding()); + + config.setOAURL(oaURL); + config.setBinding(msg.getRequestBinding()); + + + } else if (((MOARequest)msg).getSamlRequest() instanceof LogoutResponse) { + //preProcess single logour response from service provider + + LogoutResponse resp = (LogoutResponse) (((MOARequest)msg).getSamlRequest()); + + Logger.debug("PreProcess SLO Response from " + resp.getIssuer()); + + if (!resp.getDestination().startsWith( + PVPConfiguration.getInstance().getIDPPublicPath())) { + Logger.warn("PVP 2.1 single logout response destination does not match to IDP URL"); + throw new AssertionValidationExeption("PVP 2.1 single logout response destination does not match to IDP URL", null); + + } + + //TODO: check if relayState exists + msg.getRelayState(); + + + } else + throw new MOAIDException("Unsupported request", new Object[] {}); + + + config.setRequest(msg); + config.setAction(SINGLELOGOUT); + return config; } /** @@ -485,7 +537,7 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { String oaURL = moaRequest.getEntityMetadata().getEntityID(); String binding = consumerService.getBinding(); - Logger.info("Dispatch PVP2 Request: OAURL=" + oaURL + " Binding=" + binding); + Logger.info("Dispatch PVP2 AuthnRequest: OAURL=" + oaURL + " Binding=" + binding); oaURL = StringEscapeUtils.escapeHtml(oaURL); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java index 96e2bf7e9..65da23565 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java @@ -41,6 +41,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.logging.Logger; public class PVPTargetConfiguration extends RequestImpl { @@ -50,7 +51,7 @@ public class PVPTargetConfiguration extends RequestImpl { InboundMessage request; String binding; String consumerURL; - + public InboundMessage getRequest() { return request; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOARequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOARequest.java index f2f8f0a23..7679e74a6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOARequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/messages/MOARequest.java @@ -37,11 +37,18 @@ public class MOARequest extends InboundMessage{ private static final long serialVersionUID = 8613921176727607896L; - public MOARequest(SignableXMLObject inboundMessage) { - setSAMLMessage(inboundMessage.getDOM()); + private String binding = null; + + public MOARequest(SignableXMLObject inboundMessage, String binding) { + setSAMLMessage(inboundMessage.getDOM()); + this.binding = binding; } + public String getRequestBinding() { + return binding; + } + public SignableXMLObject getSamlRequest() { UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory(); Unmarshaller unmashaller = unmarshallerFactory.getUnmarshaller(getInboundMessage()); -- cgit v1.2.3 From f1fc72bdc42766c8195be1c150cf165685dc3abb Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 8 May 2014 14:39:32 +0200 Subject: add Interfederation to redirect servlet --- .../moa/id/auth/MOAIDAuthConstants.java | 2 + .../moa/id/auth/servlet/LogOutServlet.java | 4 +- .../moa/id/auth/servlet/RedirectServlet.java | 85 +++++++++----- .../id/auth/servlet/SSOSendAssertionServlet.java | 2 +- .../moa/id/entrypoints/DispatcherServlet.java | 27 ++--- .../gv/egovernment/moa/id/moduls/SSOManager.java | 126 ++++++++++++++------- .../id/storage/AuthenticationSessionStoreage.java | 2 +- 7 files changed, 160 insertions(+), 88 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java index 0173c67a1..6f83da367 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java @@ -31,6 +31,8 @@ public interface MOAIDAuthConstants { public static final String PARAM_MODUL = "MODUL"; public static final String PARAM_ACTION = "ACTION"; public static final String PARAM_SSO = "SSO"; + public static final String INTERFEDERATION_IDP = "interIDP"; + /** servlet parameter "sourceID" */ public static final String PARAM_SOURCEID = "sourceID"; /** servlet parameter "BKUSelectionTemplate" */ diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java index 9911fccd4..9b300578a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/LogOutServlet.java @@ -53,7 +53,6 @@ import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; @@ -62,7 +61,6 @@ import at.gv.egovernment.moa.id.moduls.AuthenticationManager; import at.gv.egovernment.moa.id.moduls.RequestStorage; import at.gv.egovernment.moa.id.moduls.SSOManager; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; -import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -107,7 +105,7 @@ public class LogOutServlet extends AuthServlet { //delete SSO session and MOA session AuthenticationManager authmanager = AuthenticationManager.getInstance(); - String moasessionid = AuthenticationSessionStoreage.getMOASessionID(ssoid); + String moasessionid = AuthenticationSessionStoreage.getMOASessionSSOID(ssoid); RequestStorage.removePendingRequest(AuthenticationSessionStoreage.getPendingRequestID(moasessionid)); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java index 00acdc540..57755ca9f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/RedirectServlet.java @@ -33,6 +33,7 @@ import at.gv.egovernment.moa.id.auth.builder.RedirectFormBuilder; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; +import at.gv.egovernment.moa.id.moduls.SSOManager; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.URLEncoder; @@ -53,8 +54,10 @@ public class RedirectServlet extends AuthServlet{ String url = req.getParameter(REDIRCT_PARAM_URL); String target = req.getParameter(PARAM_TARGET); String artifact = req.getParameter(PARAM_SAMLARTIFACT); + String interIDP = req.getParameter(INTERFEDERATION_IDP); - if (MiscUtil.isEmpty(artifact)) { + + if (MiscUtil.isEmpty(artifact) && MiscUtil.isEmpty(interIDP)) { resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid"); return; } @@ -68,14 +71,57 @@ public class RedirectServlet extends AuthServlet{ resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid"); return; - } else { - try { - String test = oa.getAuthComponentOA().getTemplates().getBKUSelectionCustomization().getAppletRedirectTarget(); - if (MiscUtil.isNotEmpty(test)) - redirectTarget = test; + } else { + //Redirect is a SAML1 send Artifact redirct + if (MiscUtil.isNotEmpty(artifact)) { + try { + String test = oa.getAuthComponentOA().getTemplates().getBKUSelectionCustomization().getAppletRedirectTarget(); + if (MiscUtil.isNotEmpty(test)) + redirectTarget = test; + + } catch (Exception e) { + Logger.debug("Use default redirectTarget."); + } + + Logger.info("Redirect to " + url); + + if (MiscUtil.isNotEmpty(target)) { +// redirectURL = addURLParameter(redirectURL, PARAM_TARGET, +// URLEncoder.encode(session.getTarget(), "UTF-8")); + url = addURLParameter(url, PARAM_TARGET, + URLEncoder.encode(target, "UTF-8")); + + + } + url = addURLParameter(url, PARAM_SAMLARTIFACT, + URLEncoder.encode(artifact, "UTF-8")); + url = resp.encodeRedirectURL(url); + + String redirect_form = RedirectFormBuilder.buildLoginForm(url, redirectTarget); + + resp.setContentType("text/html;charset=UTF-8"); + resp.setStatus(HttpServletResponse.SC_OK); + PrintWriter out = new PrintWriter(resp.getOutputStream()); + out.write(redirect_form); + out.flush(); + + } else if (MiscUtil.isNotEmpty(interIDP)) { + //store IDP identifier and redirect to generate AuthRequst service + Logger.info("Receive an interfederation redirect request for IDP " + interIDP); + SSOManager sso = SSOManager.getInstance(); + sso.setInterfederationIDPCookie(req, resp, interIDP); + + Logger.debug("Redirect to " + url); + url = resp.encodeRedirectURL(url); + resp.setContentType("text/html"); + resp.setStatus(HttpServletResponse.SC_FOUND); + resp.addHeader("Location", url); + + + } else { + resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Parameters not valid"); + return; - } catch (Exception e) { - Logger.debug("Use default redirectTarget."); } } @@ -88,29 +134,6 @@ public class RedirectServlet extends AuthServlet{ ConfigurationDBUtils.closeSession(); } - - Logger.info("Redirect to " + url); - - if (MiscUtil.isNotEmpty(target)) { -// redirectURL = addURLParameter(redirectURL, PARAM_TARGET, -// URLEncoder.encode(session.getTarget(), "UTF-8")); - url = addURLParameter(url, PARAM_TARGET, - URLEncoder.encode(target, "UTF-8")); - - - } - url = addURLParameter(url, PARAM_SAMLARTIFACT, - URLEncoder.encode(artifact, "UTF-8")); - url = resp.encodeRedirectURL(url); - - String redirect_form = RedirectFormBuilder.buildLoginForm(url, redirectTarget); - - resp.setContentType("text/html;charset=UTF-8"); - PrintWriter out = new PrintWriter(resp.getOutputStream()); - out.write(redirect_form); - out.flush(); - - } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SSOSendAssertionServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SSOSendAssertionServlet.java index 442ebe2f4..495c4ca5b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SSOSendAssertionServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SSOSendAssertionServlet.java @@ -124,7 +124,7 @@ public class SSOSendAssertionServlet extends AuthServlet{ } if (valueString.compareToIgnoreCase("true") == 0) { - moaSessionID = AuthenticationSessionStoreage.getMOASessionID(ssoId); + moaSessionID = AuthenticationSessionStoreage.getMOASessionSSOID(ssoId); AuthenticationSession moasession = AuthenticationSessionStoreage.getSession(moaSessionID); AuthenticationSessionStoreage.setAuthenticated(moaSessionID, true); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 1cc2a5711..30585c413 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -330,7 +330,10 @@ public class DispatcherServlet extends AuthServlet{ boolean needAuthentication = moduleAction.needAuthentication(protocolRequest, req, resp); if (needAuthentication) { - + + //check if interfederation IDP is requested + ssomanager.checkInterfederationIsRequested(req, resp, protocolRequest); + //check SSO session if (ssoId != null) { String correspondingMOASession = ssomanager.existsOldSSOSession(ssoId); @@ -404,31 +407,29 @@ public class DispatcherServlet extends AuthServlet{ if (oaParam.useSSOQuestion() && !AuthenticationSessionStoreage.isAuthenticated(moasessionID)) { authmanager.sendTransmitAssertionQuestion(req, resp, protocolRequest, oaParam); return; - } - } - else { + } - moasessionID = (String) req.getParameter(PARAM_SESSIONID); - + } else { + moasessionID = (String) req.getParameter(PARAM_SESSIONID); moasession = AuthenticationSessionStoreage.getSession(moasessionID); - } - + + } //save SSO session usage in Database newSSOSessionId = ssomanager.createSSOSessionInformations(moasessionID, protocolRequest.getOAURL()); - if (newSSOSessionId != null) { + if (MiscUtil.isNotEmpty(newSSOSessionId)) { ssomanager.setSSOSessionID(req, resp, newSSOSessionId); } else { ssomanager.deleteSSOSessionID(req, resp); + } - } else { - - moasessionID = (String) req.getParameter(PARAM_SESSIONID); - + } else { + moasessionID = (String) req.getParameter(PARAM_SESSIONID); moasession = AuthenticationSessionStoreage.getSession(moasessionID); moasessionID = AuthenticationSessionStoreage.changeSessionID(moasession); + } //build authenticationdata from session information and OA configuration diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java index c2e6cd273..c2b9bab52 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java @@ -31,6 +31,7 @@ import javax.servlet.http.HttpServletResponse; import org.hibernate.Query; import org.hibernate.Session; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.session.AuthenticatedSessionStore; @@ -47,9 +48,12 @@ import at.gv.egovernment.moa.util.MiscUtil; public class SSOManager { private static final String SSOCOOKIE = "MOA_ID_SSO"; + private static final String SSOINTERFEDERATION = "MOA_INTERFEDERATION_SSO"; private static final int DEFAULTSSOTIMEOUT = 15 * 60; // sec + private static final int INTERFEDERATIONCOOKIEMAXAGE = 5 * 60;// sec + private static SSOManager instance = null; private static int sso_timeout; @@ -71,6 +75,45 @@ public class SSOManager { return instance; } + public void checkInterfederationIsRequested(HttpServletRequest httpReq, HttpServletResponse httpResp, + IRequest protocolRequest) { + String interIDP = httpReq.getParameter(MOAIDAuthConstants.INTERFEDERATION_IDP); + + if (MiscUtil.isNotEmpty(protocolRequest.getRequestedIDP())) { + Logger.info("Protocolspecific preprocessing already set interfederation IDP " + protocolRequest.getRequestedIDP()); + + } + + if (protocolRequest instanceof RequestImpl) { + //check if IDP is requested + RequestImpl moaReq = (RequestImpl) protocolRequest; + if (MiscUtil.isNotEmpty(interIDP)) { + Logger.info("Receive SSO request for interfederation IDP " + interIDP); + moaReq.setRequestedIDP(interIDP); + + } else { + //check if IDP cookie is set + String cookie = getValueFromCookie(httpReq, SSOINTERFEDERATION); + if (MiscUtil.isNotEmpty(cookie)) { + Logger.info("Receive SSO request for interfederation IDP from Cookie " + cookie); + moaReq.setRequestedIDP(cookie); + + deleteCookie(httpReq, httpResp, SSOINTERFEDERATION); + } + } + + } else { + Logger.warn("Request is not of type RequestImpl"); + + } + } + + public void setInterfederationIDPCookie(HttpServletRequest httpReq, HttpServletResponse httpResp, String value) { + setCookie(httpReq, httpResp, SSOINTERFEDERATION, value, INTERFEDERATIONCOOKIEMAXAGE); + + } + + public boolean isValidSSOSession(String ssoSessionID, IRequest protocolRequest) { // search SSO Session @@ -113,7 +156,8 @@ public class SSOManager { } public String getMOASession(String ssoSessionID) { - return AuthenticationSessionStoreage.getMOASessionID(ssoSessionID); + return AuthenticationSessionStoreage.getMOASessionSSOID(ssoSessionID); + } public String existsOldSSOSession(String ssoId) { @@ -171,49 +215,21 @@ public class SSOManager { return newSSOId; } - + public void setSSOSessionID(HttpServletRequest httpReq, HttpServletResponse httpResp, String ssoId) { - Cookie[] cookies = httpReq.getCookies(); + setCookie(httpReq, httpResp, SSOCOOKIE, ssoId, sso_timeout); - if (cookies != null) { - deleteSSOSessionID(httpReq, httpResp); - } - - Cookie cookie = new Cookie(SSOCOOKIE, ssoId); - cookie.setMaxAge(sso_timeout); - cookie.setSecure(true); - cookie.setPath(httpReq.getContextPath()); - httpResp.addCookie(cookie); } - + public String getSSOSessionID(HttpServletRequest httpReq) { - Cookie[] cookies = httpReq.getCookies(); + return getValueFromCookie(httpReq, SSOCOOKIE); - if (cookies != null) { - for (Cookie cookie : cookies) { - - // funktioniert nicht, da Cookie seltsamerweise immer unsecure übertragen wird - // (firefox) - // if (cookie.getName().equals(SSOCOOKIE) && cookie.getSecure()) { - - if (cookie.getName().equals(SSOCOOKIE)) { - return cookie.getValue(); - } - } - } - return null; } - - public void deleteSSOSessionID(HttpServletRequest httpReq, HttpServletResponse httpResp) { - Cookie[] cookies = httpReq.getCookies(); - if (cookies != null) { - for (Cookie cookie : cookies) { - if (!cookie.getName().equals(SSOCOOKIE)) httpResp.addCookie(cookie); - } - } + public void deleteSSOSessionID(HttpServletRequest httpReq, HttpServletResponse httpResp) { + deleteCookie(httpReq, httpResp, SSOCOOKIE); } - + /** * @param entityID * @param request @@ -242,9 +258,6 @@ public class SSOManager { Logger.warn("MOASession is marked as interfederated SSO session but no interfederated IDP is found. Switch to local authentication ..."); } - - - return true; @@ -252,5 +265,40 @@ public class SSOManager { return false; } + + private String getValueFromCookie(HttpServletRequest httpReq, String cookieName) { + Cookie[] cookies = httpReq.getCookies(); + + if (cookies != null) { + for (Cookie cookie : cookies) { + + // funktioniert nicht, da Cookie seltsamerweise immer unsecure übertragen wird + // (firefox) + // if (cookie.getName().equals(SSOCOOKIE) && cookie.getSecure()) { + + if (cookie.getName().equals(cookieName)) { + return cookie.getValue(); + } + } + } + return null; + } + + private void setCookie(HttpServletRequest httpReq, HttpServletResponse httpResp, + String cookieName, String cookieValue, int maxAge) { + + Cookie cookie = new Cookie(cookieName, cookieValue); + cookie.setMaxAge(maxAge); + cookie.setSecure(true); + + //TODO: could be a problem if the IDP is accessible from different contextPaths or Domains + cookie.setPath(httpReq.getContextPath()); + + httpResp.addCookie(cookie); + } + + private void deleteCookie(HttpServletRequest httpReq, HttpServletResponse httpResp, String cookieName) { + setCookie(httpReq, httpResp, cookieName, "", 1); + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index 2ee4327dc..6437a4cac 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -429,7 +429,7 @@ public class AuthenticationSessionStoreage { } - public static String getMOASessionID(String SSOSessionID) { + public static String getMOASessionSSOID(String SSOSessionID) { MiscUtil.assertNotNull(SSOSessionID, "moasessionID"); Logger.trace("Get authenticated session with SSOID " + SSOSessionID + " from database."); Session session = MOASessionDBUtils.getCurrentSession(); -- cgit v1.2.3 From bac9aefddd711fea0234144678fcd2f7dc624574 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 8 May 2014 14:39:56 +0200 Subject: remove some unused code --- .../at/gv/egovernment/moa/id/moduls/AuthenticationManager.java | 1 - .../gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java | 10 ++-------- 2 files changed, 2 insertions(+), 9 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index ee7d452c5..7456b8387 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -98,7 +98,6 @@ public class AuthenticationManager extends AuthServlet { return instance; } - /** * Checks if this request can authenticate a MOA Session * diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index 7b106b206..dafcb9987 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java @@ -157,15 +157,9 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { new Object[] { oaURL }); } - config.setSourceID(sourceID); - + config.setSourceID(sourceID); config.setTarget(oaParam.getTarget()); - - //config.setRequestedIDP("https://demo.egiz.gv.at/demoportal_moaid-2.0"); - config.setRequestedIDP("https://labda.iaik.tugraz.at:8443/moa-id-auth"); - -// request.getSession().setAttribute(PARAM_OA, oaURL); -// request.getSession().setAttribute(PARAM_TARGET, oaParam.getTarget()); + return config; } -- cgit v1.2.3 From a262c83730f2a50c41682226b53a6a82a937db7c Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 9 May 2014 08:33:13 +0200 Subject: add MOA SOAP client --- .../id/auth/builder/AuthenticationDataBuilder.java | 55 ++----------- .../protocols/pvp2x/utils/MOASAMLSOAPClient.java | 93 ++++++++++++++++++++++ 2 files changed, 99 insertions(+), 49 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index a1a51f6c1..792b6cdd7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -32,19 +32,13 @@ import java.util.List; import javax.naming.ldap.LdapName; import javax.naming.ldap.Rdn; -import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory; import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AttributeQuery; import org.opensaml.saml2.core.AttributeStatement; import org.opensaml.saml2.core.Response; -import org.opensaml.ws.soap.client.BasicSOAPMessageContext; -import org.opensaml.ws.soap.client.http.HttpClientBuilder; -import org.opensaml.ws.soap.client.http.HttpSOAPClient; import org.opensaml.ws.soap.common.SOAPException; -import org.opensaml.ws.soap.soap11.Body; -import org.opensaml.ws.soap.soap11.Envelope; -import org.opensaml.xml.parse.BasicParserPool; +import org.opensaml.xml.XMLObject; import org.opensaml.xml.security.SecurityException; import org.w3c.dom.Element; import org.w3c.dom.Node; @@ -62,12 +56,9 @@ import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils; -import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModeType; import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; -import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; -import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; @@ -82,7 +73,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExt import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; @@ -268,50 +259,16 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { AttributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs); //build SOAP request - BasicParserPool parserPool = new BasicParserPool(); - parserPool.setNamespaceAware(true); - - Envelope soapRequest = SAML2Utils.buildSOAP11Envelope(query); - - BasicSOAPMessageContext soapContext = new BasicSOAPMessageContext(); - soapContext.setOutboundMessage(soapRequest); - - HttpClientBuilder clientBuilder = new HttpClientBuilder(); - if (endpoint.startsWith("https")) { - try { - SecureProtocolSocketFactory sslprotocolsocketfactory = - new MOAHttpProtocolSocketFactory( - PVPConstants.SSLSOCKETFACTORYNAME, - AuthConfigurationProvider.getInstance().getCertstoreDirectory(), - AuthConfigurationProvider.getInstance().getTrustedCACertificates(), - null, - ChainingModeType.fromValue(AuthConfigurationProvider.getInstance().getDefaultChainingMode()), - AuthConfigurationProvider.getInstance().isTrustmanagerrevoationchecking()); - clientBuilder.setHttpsProtocolSocketFactory(sslprotocolsocketfactory ); - - } catch (MOAHttpProtocolSocketFactoryException e) { - Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore."); - - } - } - - HttpSOAPClient soapClient = new HttpSOAPClient(clientBuilder.buildClient(), parserPool); + List xmlObjects = MOASAMLSOAPClient.send(endpoint, query); - //send request to IDP - soapClient.send(endpoint, soapContext); - - //parse response - Envelope soapResponse = (Envelope) soapContext.getInboundMessage(); - Body soapBody = soapResponse.getBody(); - - if (soapBody.getUnknownXMLObjects().size() == 0) { + if (xmlObjects.size() == 0) { Logger.error("Receive emptry AttributeQuery response-body."); throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null); } - if (soapBody.getUnknownXMLObjects().get(0) instanceof Response) { - Response intfResp = (Response) soapBody.getUnknownXMLObjects().get(0); + if (xmlObjects.get(0) instanceof Response) { + Response intfResp = (Response) xmlObjects.get(0); //validate PVP 2.1 response try { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java new file mode 100644 index 000000000..12de97a3f --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/MOASAMLSOAPClient.java @@ -0,0 +1,93 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.utils; + +import java.util.List; + +import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory; +import org.opensaml.ws.soap.client.BasicSOAPMessageContext; +import org.opensaml.ws.soap.client.http.HttpClientBuilder; +import org.opensaml.ws.soap.client.http.HttpSOAPClient; +import org.opensaml.ws.soap.common.SOAPException; +import org.opensaml.ws.soap.soap11.Body; +import org.opensaml.ws.soap.soap11.Envelope; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.parse.BasicParserPool; +import org.opensaml.xml.security.SecurityException; + +import at.gv.egovernment.moa.id.commons.db.dao.config.ChainingModeType; +import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; +import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class MOASAMLSOAPClient { + + public static List send(String destination, XMLObject payLoad) throws ConfigurationException, SOAPException, SecurityException { + //build SOAP request + BasicParserPool parserPool = new BasicParserPool(); + parserPool.setNamespaceAware(true); + + Envelope soapRequest = SAML2Utils.buildSOAP11Envelope(payLoad); + + BasicSOAPMessageContext soapContext = new BasicSOAPMessageContext(); + soapContext.setOutboundMessage(soapRequest); + + HttpClientBuilder clientBuilder = new HttpClientBuilder(); + if (destination.startsWith("https")) { + try { + SecureProtocolSocketFactory sslprotocolsocketfactory = + new MOAHttpProtocolSocketFactory( + PVPConstants.SSLSOCKETFACTORYNAME, + AuthConfigurationProvider.getInstance().getCertstoreDirectory(), + AuthConfigurationProvider.getInstance().getTrustedCACertificates(), + null, + ChainingModeType.fromValue(AuthConfigurationProvider.getInstance().getDefaultChainingMode()), + AuthConfigurationProvider.getInstance().isTrustmanagerrevoationchecking()); + clientBuilder.setHttpsProtocolSocketFactory(sslprotocolsocketfactory ); + + } catch (MOAHttpProtocolSocketFactoryException e) { + Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore."); + + } + } + + HttpSOAPClient soapClient = new HttpSOAPClient(clientBuilder.buildClient(), parserPool); + + //send request to IDP + soapClient.send(destination, soapContext); + + //parse response + Envelope soapResponse = (Envelope) soapContext.getInboundMessage(); + Body soapBody = soapResponse.getBody(); + + return soapBody.getUnknownXMLObjects(); + + } +} -- cgit v1.2.3 From f0d2dd0e999c3412083a3ee076b1fccbd1dca09a Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 9 May 2014 08:49:37 +0200 Subject: add untested Single LogOut support --- .../moa/id/data/SLOInformationContainer.java | 155 +++++ .../moa/id/data/SLOInformationImpl.java | 35 +- .../moa/id/data/SLOInformationInterface.java | 2 +- .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 5 + .../moa/id/protocols/pvp2x/SingleLogOutAction.java | 361 +++++++++++ .../pvp2x/builder/SingleLogOutBuilder.java | 186 ++++++ .../NOSLOServiceDescriptorException.java | 44 ++ .../protocols/pvp2x/exceptions/SLOException.java | 41 ++ .../id/storage/AuthenticationSessionStoreage.java | 696 +++++++++++---------- 9 files changed, 1178 insertions(+), 347 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NOSLOServiceDescriptorException.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SLOException.java (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java new file mode 100644 index 000000000..a0f3dd309 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationContainer.java @@ -0,0 +1,155 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.data; + +import java.io.Serializable; +import java.util.ArrayList; +import java.util.Iterator; +import java.util.LinkedHashMap; +import java.util.List; + +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.metadata.SingleLogoutService; + +import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.SingleLogOutBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NOSLOServiceDescriptorException; + +/** + * @author tlenz + * + */ +public class SLOInformationContainer implements Serializable { + + private static final long serialVersionUID = 7148730740582881862L; + + private PVPTargetConfiguration sloRequest = null; + private LinkedHashMap activeFrontChannalOAs = null; + private LinkedHashMap activeBackChannelOAs = null; + private List sloFailedOAs = null; + + + public void parseActiveOAs(List dbOAs, String removeOAID) { + activeFrontChannalOAs = new LinkedHashMap(); + activeBackChannelOAs = new LinkedHashMap(); + + if (dbOAs != null) { + for (OASessionStore oa : dbOAs) { + //Actually only PVP 2.1 support Single LogOut + if (PVP2XProtocol.NAME.equals(oa.getProtocolType()) && + !oa.getOaurlprefix().equals(removeOAID)) { + SingleLogoutService sloDesc; + try { + sloDesc = SingleLogOutBuilder.getRequestSLODescriptor(oa.getOaurlprefix()); + + if (sloDesc.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) + activeBackChannelOAs.put(oa.getOaurlprefix(), + new SLOInformationImpl( + oa.getAssertionSessionID(), + oa.getUserNameID(), + oa.getUserNameIDFormat(), + oa.getProtocolType(), + sloDesc)); + + else + activeFrontChannalOAs.put(oa.getOaurlprefix(), + new SLOInformationImpl( + oa.getAssertionSessionID(), + oa.getUserNameID(), + oa.getUserNameIDFormat(), + oa.getProtocolType(), + sloDesc)); + + } catch (NOSLOServiceDescriptorException e) { + putFailedOA(oa.getOaurlprefix()); + + } + + } else + putFailedOA(oa.getOaurlprefix()); + } + } + } + + public String getNextFrontChannelOA() { + Iterator interator = activeFrontChannalOAs.keySet().iterator(); + if (interator.hasNext()) + return interator.next(); + + else + return null; + } + + public SLOInformationImpl getFrontChannelOASessionDescripten(String oaID) { + return activeFrontChannalOAs.get(oaID); + } + + public void removeFrontChannelOA(String oaID) { + activeFrontChannalOAs.remove(oaID); + } + + public Iterator getNextBackChannelOA() { + return activeBackChannelOAs.keySet().iterator(); + } + + public SLOInformationImpl getBackChannelOASessionDescripten(String oaID) { + return activeBackChannelOAs.get(oaID); + } + + public void removeBackChannelOA(String oaID) { + activeBackChannelOAs.remove(oaID); + } + + /** + * @return the sloRequest + */ + public PVPTargetConfiguration getSloRequest() { + return sloRequest; + } + + /** + * @param sloRequest the sloRequest to set + */ + public void setSloRequest(PVPTargetConfiguration sloRequest) { + this.sloRequest = sloRequest; + } + + /** + * @return the sloFailedOAs + */ + public List getSloFailedOAs() { + return sloFailedOAs; + } + + public void putFailedOA(String oaID) { + if (sloFailedOAs == null) + sloFailedOAs = new ArrayList(); + sloFailedOAs.add(oaID); + } + + + + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java index 02bd74291..55b213702 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationImpl.java @@ -22,24 +22,39 @@ */ package at.gv.egovernment.moa.id.data; +import java.io.Serializable; + +import org.opensaml.saml2.metadata.SingleLogoutService; + /** * @author tlenz * */ -public class SLOInformationImpl implements SLOInformationInterface { - +public class SLOInformationImpl implements SLOInformationInterface, Serializable { + private static final long serialVersionUID = 295577931870512387L; private String sessionIndex = null; private String nameID = null; private String protocolType = null; private String nameIDFormat = null; + private String binding = null; + private String serviceURL = null; public SLOInformationImpl(String sessionID, String nameID, String nameIDFormat, String protocolType) { + new SLOInformationImpl(sessionID, nameID, nameIDFormat, protocolType, null); + } + + public SLOInformationImpl(String sessionID, String nameID, String nameIDFormat, String protocolType, SingleLogoutService sloService) { this.sessionIndex = sessionID; this.nameID = nameID; this.nameIDFormat = nameIDFormat; this.protocolType = protocolType; - + + if (sloService != null) { + this.binding = sloService.getBinding(); + this.serviceURL = sloService.getLocation(); + + } } @@ -119,6 +134,20 @@ public class SLOInformationImpl implements SLOInformationInterface { public void setNameIDFormat(String nameIDFormat) { this.nameIDFormat = nameIDFormat; } + + /** + * @return the binding + */ + public String getBinding() { + return binding; + } + + /** + * @return the serviceURL + */ + public String getServiceURL() { + return serviceURL; + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationInterface.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationInterface.java index 2c5682c0f..b2241f8ed 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationInterface.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/SLOInformationInterface.java @@ -26,7 +26,7 @@ package at.gv.egovernment.moa.id.data; * @author tlenz * */ -public interface SLOInformationInterface { +public interface SLOInformationInterface{ /** diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index e2e6e752b..280b6495e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -87,6 +87,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.MandateAttributesNotH import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SLOException; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.CheckMandateAttributes; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; @@ -288,6 +289,10 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { } else if (e instanceof NameIDFormatNotSupportedException) { statusCode.setValue(StatusCode.INVALID_NAMEID_POLICY_URI); statusMessage.setMessage(StringEscapeUtils.escapeXml(e.getLocalizedMessage())); + + } else if (e instanceof SLOException) { + //SLOExecpetions only occurs if session information is lost + return false; } else if(e instanceof PVP2Exception) { PVP2Exception ex = (PVP2Exception) e; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java new file mode 100644 index 000000000..c67d10ab7 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SingleLogOutAction.java @@ -0,0 +1,361 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x; + +import java.util.Iterator; +import java.util.List; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.core.LogoutRequest; +import org.opensaml.saml2.core.LogoutResponse; +import org.opensaml.saml2.core.RequestAbstractType; +import org.opensaml.saml2.core.Status; +import org.opensaml.saml2.core.StatusCode; +import org.opensaml.saml2.metadata.SingleLogoutService; +import org.opensaml.ws.message.encoder.MessageEncodingException; +import org.opensaml.ws.soap.common.SOAPException; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.security.SecurityException; + +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.SLOInformationContainer; +import at.gv.egovernment.moa.id.data.SLOInformationImpl; +import at.gv.egovernment.moa.id.data.SLOInformationInterface; +import at.gv.egovernment.moa.id.moduls.IAction; +import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.moduls.SSOManager; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.SingleLogOutBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SLOException; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; +import at.gv.egovernment.moa.id.storage.AssertionStorage; +import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.util.Random; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +public class SingleLogOutAction implements IAction { + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IAction#processRequest(at.gv.egovernment.moa.id.moduls.IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, at.gv.egovernment.moa.id.data.IAuthData) + */ + @Override + public SLOInformationInterface processRequest(IRequest req, + HttpServletRequest httpReq, HttpServletResponse httpResp, + IAuthData authData) throws MOAIDException { + + PVPTargetConfiguration pvpReq = (PVPTargetConfiguration) req; + + if (pvpReq.getRequest() instanceof MOARequest) { + MOARequest samlReq = (MOARequest) pvpReq.getRequest(); + if (samlReq.getSamlRequest() instanceof LogoutRequest) { + Logger.debug("Process Single LogOut request"); + LogoutRequest logOutReq = (LogoutRequest) samlReq.getSamlRequest(); + + AuthenticationSession session = + AuthenticationSessionStoreage.searchMOASessionWithNameIDandOAID( + logOutReq.getIssuer().getValue(), + logOutReq.getNameID().getValue()); + + if (session == null) { + Logger.warn("Can not find active SSO session with nameID " + + logOutReq.getNameID().getValue() + " and OA " + + logOutReq.getIssuer().getValue()); + Logger.info("Search active SSO session with SSO session cookie"); + SSOManager ssomanager = SSOManager.getInstance(); + String ssoID = ssomanager.getSSOSessionID(httpReq); + if (MiscUtil.isEmpty(ssoID)) { + Logger.warn("Can not find active Session. Single LogOut not possible!"); + SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); + LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq); + sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); + return null; + + } else { + String moasession = ssomanager.getMOASession(ssoID); + try { + session = AuthenticationSessionStoreage.getSession(moasession); + + } catch (MOADatabaseException e) { + Logger.warn("Can not find active Session. Single LogOut not possible!"); + SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); + LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq); + sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); + return null; + + } + } + } + + //store active OAs to SLOContaine + List dbOAs = AuthenticationSessionStoreage.getAllActiveOAFromMOASession(session); + SLOInformationContainer sloContainer = new SLOInformationContainer(); + sloContainer.setSloRequest(pvpReq); + sloContainer.parseActiveOAs(dbOAs, logOutReq.getIssuer().getValue()); + + //terminate MOASession + try { + AuthenticationSessionStoreage.destroySession(session.getSessionID()); + + } catch (MOADatabaseException e) { + Logger.warn("Delete MOASession FAILED."); + sloContainer.putFailedOA(AuthConfigurationProvider.getInstance().getPublicURLPrefix()); + + } + + //start service provider back channel logout process + Iterator nextOAInterator = sloContainer.getNextBackChannelOA(); + while (nextOAInterator.hasNext()) { + SLOInformationImpl sloDescr = sloContainer.getBackChannelOASessionDescripten(nextOAInterator.next()); + LogoutRequest sloReq = SingleLogOutBuilder.buildSLORequestMessage(sloDescr); + + try { + List soapResp = MOASAMLSOAPClient.send(sloDescr.getServiceURL(), sloReq); + + LogoutResponse sloResp = null; + for (XMLObject el : soapResp) { + if (el instanceof LogoutResponse) + sloResp = (LogoutResponse) el; + } + + if (sloResp == null) { + Logger.warn("Single LogOut for OA " + sloReq.getIssuer().getValue() + + " FAILED. NO LogOut response received."); + sloContainer.putFailedOA(sloReq.getIssuer().getValue()); + + } + + checkStatusCode(sloContainer, sloResp); + + } catch (SOAPException e) { + Logger.warn("Single LogOut for OA " + sloReq.getIssuer().getValue() + + " FAILED.", e); + sloContainer.putFailedOA(sloReq.getIssuer().getValue()); + + } catch (SecurityException e) { + Logger.warn("Single LogOut for OA " + sloReq.getIssuer().getValue() + + " FAILED.", e); + sloContainer.putFailedOA(sloReq.getIssuer().getValue()); + + } + } + + //start service provider front channel logout process + try { + doFrontChannelLogOut(sloContainer, httpReq, httpResp); + + } catch (MOADatabaseException e) { + Logger.error("MOA AssertionDatabase ERROR", e); + SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); + LogoutResponse message = SingleLogOutBuilder.buildSLOErrorResponse(sloService, pvpReq); + sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); + return null; + + } + + } else if (samlReq.getSamlRequest() instanceof LogoutResponse) { + Logger.debug("Process Single LogOut response"); + LogoutResponse logOutResp = (LogoutResponse) samlReq.getSamlRequest(); + + try { + if (MiscUtil.isEmpty(samlReq.getRelayState())) { + Logger.warn("SLO Response from " + logOutResp.getIssuer().getValue() + + " has no SAML2 RelayState."); + throw new SLOException("pvp2.19", null); + + } + + SLOInformationContainer sloContainer = + AssertionStorage.getInstance().get(samlReq.getRelayState(), SLOInformationContainer.class); + checkStatusCode(sloContainer, logOutResp); + sloContainer.removeFrontChannelOA(logOutResp.getIssuer().getValue()); + doFrontChannelLogOut(sloContainer, httpReq, httpResp); + + } catch (MOADatabaseException e) { + Logger.error("MOA AssertionDatabase ERROR", e); + throw new SLOException("pvp2.19", null); + + } + + } else { + Logger.error("Process SingleLogOutAction but request is NOT of type LogoutRequest or LogoutResponse."); + throw new MOAIDException("pvp2.13", null); + + } + + } else { + Logger.error("Process SingleLogOutAction but request is NOT of type MOARequest."); + throw new MOAIDException("pvp2.13", null); + + } + + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IAction#needAuthentication(at.gv.egovernment.moa.id.moduls.IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) + */ + @Override + public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, + HttpServletResponse httpResp) { + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IAction#getDefaultActionName() + */ + @Override + public String getDefaultActionName() { + return PVP2XProtocol.SINGLELOGOUT; + } + + private void checkStatusCode(SLOInformationContainer sloContainer, LogoutResponse logOutResp) { + Status status = logOutResp.getStatus(); + if (!status.getStatusCode().equals(StatusCode.SUCCESS_URI)) { + Logger.warn("Single LogOut for OA " + logOutResp.getIssuer().getValue() + + " FAILED. (ResponseCode: " + status.getStatusCode().getValue() + + " Message: " + status.getStatusMessage().getMessage() + ")"); + sloContainer.putFailedOA(logOutResp.getIssuer().getValue()); + + } else + Logger.debug("Single LogOut for OA " + logOutResp.getIssuer().getValue() + " SUCCESS"); + + } + + private void doFrontChannelLogOut(SLOInformationContainer sloContainer, + HttpServletRequest httpReq, HttpServletResponse httpResp + ) throws MOAIDException, MOADatabaseException { + String nextOA = sloContainer.getNextFrontChannelOA(); + if (MiscUtil.isNotEmpty(nextOA)) { + SLOInformationImpl sloDescr = sloContainer.getFrontChannelOASessionDescripten(nextOA); + LogoutRequest sloReq = SingleLogOutBuilder.buildSLORequestMessage(sloDescr); + String relayState = Random.nextRandom(); + + AssertionStorage.getInstance().put(relayState, sloContainer); + + sendFrontChannelSLOMessage(sloDescr.getServiceURL(), sloDescr.getBinding(), + sloReq, httpReq, httpResp, relayState); + + } else { + //send SLO response to SLO request issuer + PVPTargetConfiguration pvpReq = sloContainer.getSloRequest(); + MOARequest samlReq = (MOARequest) pvpReq.getRequest(); + SingleLogoutService sloService = SingleLogOutBuilder.getResponseSLODescriptor(pvpReq); + LogoutResponse message = SingleLogOutBuilder.buildSLOResponseMessage(sloService, pvpReq, sloContainer.getSloFailedOAs()); + sendFrontChannelSLOMessage(sloService, message, httpReq, httpResp, samlReq.getRelayState()); + + } + } + + /** + * @param serviceURL + * @param binding + * @param sloReq + * @param httpReq + * @param httpResp + * @param relayState + */ + private void sendFrontChannelSLOMessage(String serviceURL, String bindingType, + RequestAbstractType sloReq, HttpServletRequest httpReq, + HttpServletResponse httpResp, String relayState) throws MOAIDException { + IEncoder binding = null; + if (bindingType.equals( + SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { + binding = new RedirectBinding(); + + } else if (bindingType.equals( + SAMLConstants.SAML2_POST_BINDING_URI)) { + binding = new PostBinding(); + + } + + if (binding == null) { + throw new BindingNotSupportedException(bindingType); + } + + try { + binding.encodeRequest(httpReq, httpResp, sloReq, + serviceURL, relayState); + + } catch (MessageEncodingException e) { + Logger.error("Message Encoding exception", e); + throw new MOAIDException("pvp2.01", null, e); + + } catch (SecurityException e) { + Logger.error("Security exception", e); + throw new MOAIDException("pvp2.01", null, e); + + } + + } + + private void sendFrontChannelSLOMessage(SingleLogoutService consumerService, + LogoutResponse sloResp, HttpServletRequest req, HttpServletResponse resp, + String relayState) throws MOAIDException { + IEncoder binding = null; + if (consumerService.getBinding().equals( + SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { + binding = new RedirectBinding(); + + } else if (consumerService.getBinding().equals( + SAMLConstants.SAML2_POST_BINDING_URI)) { + binding = new PostBinding(); + + } + + if (binding == null) { + throw new BindingNotSupportedException(consumerService.getBinding()); + } + + try { + binding.encodeRespone(req, resp, sloResp, + consumerService.getLocation(), relayState); + + } catch (MessageEncodingException e) { + Logger.error("Message Encoding exception", e); + throw new MOAIDException("pvp2.01", null, e); + + } catch (SecurityException e) { + Logger.error("Security exception", e); + throw new MOAIDException("pvp2.01", null, e); + + } + + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java new file mode 100644 index 000000000..04d374e93 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java @@ -0,0 +1,186 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder; + +import java.util.List; + +import org.joda.time.DateTime; +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.core.Issuer; +import org.opensaml.saml2.core.LogoutRequest; +import org.opensaml.saml2.core.LogoutResponse; +import org.opensaml.saml2.core.NameID; +import org.opensaml.saml2.core.Status; +import org.opensaml.saml2.core.StatusCode; +import org.opensaml.saml2.core.StatusMessage; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml2.metadata.SingleLogoutService; +import org.opensaml.saml2.metadata.provider.MetadataProviderException; + +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.data.SLOInformationImpl; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NOSLOServiceDescriptorException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class SingleLogOutBuilder { + + public static LogoutRequest buildSLORequestMessage(SLOInformationImpl sloInfo) throws ConfigurationException { + LogoutRequest sloReq = SAML2Utils.createSAMLObject(LogoutRequest.class); + + Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); + issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); + issuer.setFormat(NameID.ENTITY); + sloReq.setIssuer(issuer); + sloReq.setIssueInstant(new DateTime()); + + sloReq.setDestination(sloInfo.getServiceURL()); + + NameID nameID = SAML2Utils.createSAMLObject(NameID.class); + nameID.setFormat(sloInfo.getUserNameIDFormat()); + nameID.setValue(sloInfo.getUserNameIdentifier()); + sloReq.setNameID(nameID ); + + return sloReq; + } + + public static LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest) throws ConfigurationException { + LogoutResponse sloResp = SAML2Utils.createSAMLObject(LogoutResponse.class); + Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); + issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); + issuer.setFormat(NameID.ENTITY); + sloResp.setIssuer(issuer); + sloResp.setIssueInstant(new DateTime()); + sloResp.setDestination(sloService.getLocation()); + Status status = SAML2Utils.createSAMLObject(Status.class); + StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class); + StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class); + statusCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); + statusMessage.setMessage(MOAIDMessageProvider.getInstance().getMessage("pvp2.18", null)); + status.setStatusCode(statusCode); + status.setStatusMessage(statusMessage); + sloResp.setStatus(status); + return sloResp; + } + + public static LogoutResponse buildSLOResponseMessage(SingleLogoutService sloService, PVPTargetConfiguration spRequest, List failedOAs) throws ConfigurationException { + LogoutResponse sloResp = SAML2Utils.createSAMLObject(LogoutResponse.class); + Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); + issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); + issuer.setFormat(NameID.ENTITY); + sloResp.setIssuer(issuer); + sloResp.setIssueInstant(new DateTime()); + sloResp.setDestination(sloService.getLocation()); + + Status status; + if (failedOAs == null || failedOAs.size() == 0) { + status = SAML2Utils.getSuccessStatus(); + + } else { + status = SAML2Utils.createSAMLObject(Status.class); + StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class); + StatusMessage statusMessage = SAML2Utils.createSAMLObject(StatusMessage.class); + statusCode.setValue(StatusCode.PARTIAL_LOGOUT_URI); + statusMessage.setMessage(MOAIDMessageProvider.getInstance().getMessage("pvp2.18", null)); + status.setStatusCode(statusCode); + status.setStatusMessage(statusMessage); + + } + sloResp.setStatus(status); + return sloResp; + + } + + public static SingleLogoutService getRequestSLODescriptor(String entityID) throws NOSLOServiceDescriptorException { + try { + EntityDescriptor entity = MOAMetadataProvider.getInstance().getEntityDescriptor(entityID); + SPSSODescriptor spsso = entity.getSPSSODescriptor(SAMLConstants.SAML20P_NS); + + SingleLogoutService sloService = null; + for (SingleLogoutService el : spsso.getSingleLogoutServices()) { + if (el.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) + sloService = el; + + else if (el.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI) + && ( + (sloService != null && !sloService.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) + || sloService == null) + ) + sloService = el; + + else if (el.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI) + && ( + (sloService != null + && !sloService.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI) + && !sloService.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) + || sloService == null) + ) + sloService = el; + } + + if (sloService == null) { + Logger.error("Found no SLO ServiceDescriptor in Metadata"); + throw new NOSLOServiceDescriptorException("NO SLO ServiceDescriptor", null); + + } + return sloService; + + } catch (MetadataProviderException e) { + Logger.error("Found no SLO ServiceDescriptor in Metadata"); + throw new NOSLOServiceDescriptorException("NO SLO ServiceDescriptor", null); + } + + } + + public static SingleLogoutService getResponseSLODescriptor(PVPTargetConfiguration spRequest) throws NoMetadataInformationException, NOSLOServiceDescriptorException { + MOARequest moaReq = (MOARequest) spRequest.getRequest(); + EntityDescriptor metadata = moaReq.getEntityMetadata(); + SPSSODescriptor spsso = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); + + SingleLogoutService sloService = null; + for (SingleLogoutService el : spsso.getSingleLogoutServices()) { + if (el.getBinding().equals(spRequest.getBinding())) + sloService = el; + } + if (sloService == null && spsso.getSingleLogoutServices().size() != 0) + sloService = spsso.getSingleLogoutServices().get(0); + + else { + Logger.error("Found no SLO ServiceDescriptor in Metadata"); + throw new NOSLOServiceDescriptorException("NO SLO ServiceDescriptor", null); + } + return sloService; + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NOSLOServiceDescriptorException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NOSLOServiceDescriptorException.java new file mode 100644 index 000000000..204e1c2a5 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NOSLOServiceDescriptorException.java @@ -0,0 +1,44 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; + +/** + * @author tlenz + * + */ +public class NOSLOServiceDescriptorException extends PVP2Exception { + + /** + * + */ + private static final long serialVersionUID = -3073730570511152661L; + + /** + * @param messageId + * @param parameters + */ + public NOSLOServiceDescriptorException(String messageId, Object[] parameters) { + super(messageId, parameters); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SLOException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SLOException.java new file mode 100644 index 000000000..9f1b6168e --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/SLOException.java @@ -0,0 +1,41 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; + +/** + * @author tlenz + * + */ +public class SLOException extends PVP2Exception { + private static final long serialVersionUID = -5284624715788385022L; + + /** + * @param messageId + * @param parameters + */ + public SLOException(String messageId, Object[] parameters) { + super(messageId, parameters); + // TODO Auto-generated constructor stub + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index 6437a4cac..74a5e01ad 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -69,21 +69,6 @@ public class AuthenticationSessionStoreage { } } - public static void setAuthenticated(String moaSessionID, boolean value) { - - AuthenticatedSessionStore session; - - try { - session = searchInDatabase(moaSessionID); - session.setAuthenticated(value); - MOASessionDBUtils.saveOrUpdate(session); - - - } catch (MOADatabaseException e) { - Logger.warn("isAuthenticated can not be stored in MOASession " + moaSessionID, e); - } - } - public static AuthenticationSession createSession() throws MOADatabaseException { String id = Random.nextRandom(); AuthenticationSession session = new AuthenticationSession(id); @@ -110,108 +95,39 @@ public class AuthenticationSessionStoreage { return session; } - - public static String createInterfederatedSession(IRequest req, boolean isAuthenticated) throws MOADatabaseException, AssertionAttributeExtractorExeption { - String id = Random.nextRandom(); - AuthenticationSession session = new AuthenticationSession(id); - session.setAuthenticated(true); - session.setAuthenticatedUsed(false); - - AuthenticatedSessionStore dbsession = new AuthenticatedSessionStore(); - dbsession.setSessionid(id); - dbsession.setAuthenticated(isAuthenticated); - dbsession.setInterfederatedSSOSession(true); - - //set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1 - Date now = new Date(); - dbsession.setCreated(now); - dbsession.setUpdated(now); - - dbsession.setSession(SerializationUtils.serialize(session)); - - //add interfederation information - List idpList = dbsession.getInderfederation(); - InterfederationSessionStore idp = null; - if (idpList == null) { - idpList = new ArrayList(); - dbsession.setInderfederation(idpList); - - } else { - for (InterfederationSessionStore el : idpList) { - //resue old entry if interfederation IDP is reused for authentication - if (el.getIdpurlprefix().equals(req.getInterfederationResponse().getEntityID())) - idp = el; - - } - } - //create new interfederation IDP entry - if (idp == null) { - idp = new InterfederationSessionStore(); - idp.setCreated(now); - idp.setIdpurlprefix(req.getInterfederationResponse().getEntityID()); - - } - - AssertionAttributeExtractor extract = new AssertionAttributeExtractor(req.getInterfederationResponse().getResponse()); - idp.setSessionIndex(extract.getSessionIndex()); - idp.setUserNameID(extract.getNameID()); - idp.setAttributesRequested(false); - idp.setQAALevel(extract.getQAALevel()); - idp.setMoasession(dbsession); - idpList.add(idp); - + public static AuthenticationSession getSession(String sessionID) throws MOADatabaseException { - //store AssertionStore element to Database try { - MOASessionDBUtils.saveOrUpdate(dbsession); - Logger.info("MOASession with sessionID=" + id + " is stored in Database"); - + AuthenticatedSessionStore dbsession = searchInDatabase(sessionID); + return decryptSession(dbsession); + } catch (MOADatabaseException e) { - Logger.warn("MOASession could not be created."); - throw new MOADatabaseException(e); + Logger.info("No MOA Session with id: " + sessionID); + throw new MOADatabaseException("No MOA Session with id: " + sessionID); + + } catch (Throwable e) { + Logger.warn("MOASession deserialization-exception by using MOASessionID=" + sessionID, e); + throw new MOADatabaseException("MOASession deserialization-exception"); } - - return id; } - + public static void storeSession(AuthenticationSession session) throws MOADatabaseException, BuildException { - - try { - AuthenticatedSessionStore dbsession = searchInDatabase(session.getSessionID()); - dbsession.setAuthenticated(session.isAuthenticated()); - byte[] serialized = SerializationUtils.serialize(session); - - EncryptedData encdata = SessionEncrytionUtil.encrypt(serialized); - dbsession.setSession(encdata.getEncData()); - dbsession.setIv(encdata.getIv()); - - //set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1 - dbsession.setUpdated(new Date()); - - MOASessionDBUtils.saveOrUpdate(dbsession); - Logger.debug("MOASession with sessionID=" + session.getSessionID() + " is stored in Database"); - - } catch (MOADatabaseException e) { - Logger.warn("MOASession could not be stored."); - throw new MOADatabaseException(e); - } + storeSession(session, null); } public static void storeSession(AuthenticationSession session, String pendingRequestID) throws MOADatabaseException, BuildException { try { AuthenticatedSessionStore dbsession = searchInDatabase(session.getSessionID()); - dbsession.setPendingRequestID(pendingRequestID); - dbsession.setAuthenticated(session.isAuthenticated()); - byte[] serialized = SerializationUtils.serialize(session); - - EncryptedData encdata = SessionEncrytionUtil.encrypt(serialized); - dbsession.setSession(encdata.getEncData()); - dbsession.setIv(encdata.getIv()); + if (MiscUtil.isNotEmpty(pendingRequestID)) + dbsession.setPendingRequestID(pendingRequestID); + + encryptSession(session, dbsession); //set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1 + dbsession.setAuthenticated(session.isAuthenticated()); dbsession.setUpdated(new Date()); MOASessionDBUtils.saveOrUpdate(dbsession); @@ -223,7 +139,6 @@ public class AuthenticationSessionStoreage { } } - public static void destroySession(String moaSessionID) throws MOADatabaseException { Session session = MOASessionDBUtils.getCurrentSession(); @@ -246,10 +161,8 @@ public class AuthenticationSessionStoreage { throw new MOADatabaseException("No session found with this sessionID"); } - AuthenticatedSessionStore dbsession = (AuthenticatedSessionStore) result.get(0); - - session.getTransaction().commit(); - + AuthenticatedSessionStore dbsession = (AuthenticatedSessionStore) result.get(0); + session.getTransaction().commit(); cleanDelete(dbsession); } @@ -267,16 +180,11 @@ public class AuthenticationSessionStoreage { + "to " + id); session.setSessionID(id); + encryptSession(session, dbsession); dbsession.setSessionid(id); dbsession.setAuthenticated(session.isAuthenticated()); - - byte[] serialized = SerializationUtils.serialize(session); - - EncryptedData encdata = SessionEncrytionUtil.encrypt(serialized); - dbsession.setSession(encdata.getEncData()); - dbsession.setIv(encdata.getIv()); - + //set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1 dbsession.setUpdated(new Date()); @@ -290,7 +198,92 @@ public class AuthenticationSessionStoreage { throw new AuthenticationException("TODO!", null); } } + + public static void setAuthenticated(String moaSessionID, boolean value) { + + AuthenticatedSessionStore session; + + try { + session = searchInDatabase(moaSessionID); + session.setAuthenticated(value); + MOASessionDBUtils.saveOrUpdate(session); + + } catch (MOADatabaseException e) { + Logger.warn("isAuthenticated can not be stored in MOASession " + moaSessionID, e); + } + } + + public static String getMOASessionSSOID(String SSOSessionID) { + MiscUtil.assertNotNull(SSOSessionID, "moasessionID"); + Logger.trace("Get authenticated session with SSOID " + SSOSessionID + " from database."); + Session session = MOASessionDBUtils.getCurrentSession(); + + List result; + + synchronized (session) { + session.beginTransaction(); + Query query = session.getNamedQuery("getSessionWithSSOID"); + query.setParameter("sessionid", SSOSessionID); + result = query.list(); + + //send transaction + session.getTransaction().commit(); + } + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() != 1) { + Logger.trace("No entries found."); + return null; + + } else { + return result.get(0).getSessionid(); + + } + } + + public static boolean isSSOSession(String sessionID) throws MOADatabaseException { + try { + AuthenticatedSessionStore dbsession = searchInDatabase(sessionID); + return dbsession.isSSOSession(); + + } catch (MOADatabaseException e) { + Logger.info("No MOA Session with id: " + sessionID); + throw new MOADatabaseException("No MOA Session with id: " + sessionID); + } + } + + public static AuthenticatedSessionStore isValidSessionWithSSOID(String SSOId, String moaSessionId) { + MiscUtil.assertNotNull(SSOId, "SSOSessionID"); + Logger.trace("Get authenticated session with SSOID " + SSOId + " from database."); + Session session = MOASessionDBUtils.getCurrentSession(); + + List result; + + synchronized (session) { + session.beginTransaction(); + Query query = session.getNamedQuery("getSessionWithSSOID"); + query.setParameter("sessionid", SSOId); + result = query.list(); + + //send transaction + session.getTransaction().commit(); + } + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() != 1) { + Logger.trace("No entries found."); + return null; + + } else { + return result.get(0); + } + } + public static void addSSOInformation(String moaSessionID, String SSOSessionID, SLOInformationInterface SLOInfo, String OAUrl) throws AuthenticationException { @@ -390,56 +383,36 @@ public class AuthenticationSessionStoreage { throw new AuthenticationException("SSO Session information can not be stored! --> SSO is deactivated", null); } } - - - public static AuthenticationSession getSession(String sessionID) throws MOADatabaseException { + + public static List getAllActiveOAFromMOASession(AuthenticationSession moaSession) { + MiscUtil.assertNotNull(moaSession, "MOASession"); try { - AuthenticatedSessionStore dbsession = searchInDatabase(sessionID); + AuthenticatedSessionStore dbsession = searchInDatabase(moaSession.getSessionID()); + return dbsession.getActiveOAsessions(); - //decrypt Session - EncryptedData encdata = new EncryptedData(dbsession.getSession(), - dbsession.getIv()); - byte[] decrypted = SessionEncrytionUtil.decrypt(encdata); - - AuthenticationSession session = (AuthenticationSession) SerializationUtils.deserialize(decrypted); - - return session; - } catch (MOADatabaseException e) { - Logger.info("No MOA Session with id: " + sessionID); - throw new MOADatabaseException("No MOA Session with id: " + sessionID); - - } catch (Throwable e) { - Logger.warn("MOASession deserialization-exception by using MOASessionID=" + sessionID, e); - throw new MOADatabaseException("MOASession deserialization-exception"); - } - } - - public static boolean isSSOSession(String sessionID) throws MOADatabaseException { - try { - AuthenticatedSessionStore dbsession = searchInDatabase(sessionID); - return dbsession.isSSOSession(); + Logger.warn("NO session information found for sessionID " + moaSession.getSessionID(), e); - } catch (MOADatabaseException e) { - Logger.info("No MOA Session with id: " + sessionID); - throw new MOADatabaseException("No MOA Session with id: " + sessionID); } - - + + return null; } - public static String getMOASessionSSOID(String SSOSessionID) { - MiscUtil.assertNotNull(SSOSessionID, "moasessionID"); - Logger.trace("Get authenticated session with SSOID " + SSOSessionID + " from database."); + public static AuthenticationSession searchMOASessionWithNameIDandOAID(String oaID, String userNameID) { + MiscUtil.assertNotNull(oaID, "OnlineApplicationIdentifier"); + MiscUtil.assertNotNull(userNameID, "userNameID"); + Logger.trace("Get moaSession for userNameID " + userNameID + " and OA " + + oaID + " from database."); Session session = MOASessionDBUtils.getCurrentSession(); - + List result; synchronized (session) { session.beginTransaction(); - Query query = session.getNamedQuery("getSessionWithSSOID"); - query.setParameter("sessionid", SSOSessionID); + Query query = session.getNamedQuery("getMOASessionWithNameIDandOAID"); + query.setParameter("oaID", oaID); + query.setParameter("nameID", userNameID); result = query.list(); //send transaction @@ -450,28 +423,35 @@ public class AuthenticationSessionStoreage { //Assertion requires an unique artifact if (result.size() != 1) { - Logger.trace("No entries found."); - return null; - - } else { - return result.get(0).getSessionid(); - + Logger.trace("No unique entry found."); + return null; + } - + try { + return decryptSession(result.get(0)); + + } catch (BuildException e) { + Logger.warn("MOASession deserialization-exception by using MOASessionID=" + result.get(0).getSessionid(), e); + return null; + } } - public static AuthenticatedSessionStore isValidSessionWithSSOID(String SSOId, String moaSessionId) { - - MiscUtil.assertNotNull(SSOId, "SSOSessionID"); - Logger.trace("Get authenticated session with SSOID " + SSOId + " from database."); + public static OASessionStore searchActiveOASSOSession(AuthenticationSession moaSession, String oaID, String protocolType) { + MiscUtil.assertNotNull(moaSession, "MOASession"); + MiscUtil.assertNotNull(oaID, "OnlineApplicationIdentifier"); + MiscUtil.assertNotNull(protocolType, "usedProtocol"); + Logger.trace("Get active OnlineApplication for sessionID " + moaSession.getSessionID() + " with OAID " + + oaID + " from database."); Session session = MOASessionDBUtils.getCurrentSession(); List result; synchronized (session) { session.beginTransaction(); - Query query = session.getNamedQuery("getSessionWithSSOID"); - query.setParameter("sessionid", SSOId); + Query query = session.getNamedQuery("getActiveOAWithSessionIDandOAIDandProtocol"); + query.setParameter("sessionID", moaSession.getSessionID()); + query.setParameter("oaID", oaID); + query.setParameter("protocol", protocolType); result = query.list(); //send transaction @@ -481,14 +461,58 @@ public class AuthenticationSessionStoreage { Logger.trace("Found entries: " + result.size()); //Assertion requires an unique artifact - if (result.size() != 1) { + if (result.size() == 0) { Logger.trace("No entries found."); - return null; - - } else { - return result.get(0); + return null; + } - + + return result.get(0).getActiveOAsessions().get(0); + } + + public static String getPendingRequestID(String sessionID) { + try { + AuthenticatedSessionStore dbsession = searchInDatabase(sessionID); + return dbsession.getPendingRequestID(); + + } catch (MOADatabaseException e) { + Logger.warn("MOASession with ID " + sessionID + " not found"); + return ""; + } + } + + public static AuthenticationSession getSessionWithPendingRequestID(String pedingRequestID) { + try { + MiscUtil.assertNotNull(pedingRequestID, "pedingRequestID"); + Logger.trace("Get authenticated session with pedingRequestID " + pedingRequestID + " from database."); + Session session = MOASessionDBUtils.getCurrentSession(); + + List result; + + synchronized (session) { + session.beginTransaction(); + Query query = session.getNamedQuery("getSessionWithPendingRequestID"); + query.setParameter("sessionid", pedingRequestID); + result = query.list(); + + //send transaction + session.getTransaction().commit(); + } + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() != 1) { + Logger.trace("No entries found."); + return null; + } + + return decryptSession(result.get(0)); + + } catch (Throwable e) { + Logger.warn("MOASession deserialization-exception by using MOASessionID=" + pedingRequestID); + return null; + } } public static boolean deleteSessionWithPendingRequestID(String id) { @@ -522,20 +546,7 @@ public class AuthenticationSessionStoreage { } - - public static String getPendingRequestID(String sessionID) { - try { - AuthenticatedSessionStore dbsession = searchInDatabase(sessionID); - return dbsession.getPendingRequestID(); - } catch (MOADatabaseException e) { - Logger.warn("MOASession with ID " + sessionID + " not found"); - return ""; - } - - } - - public static AuthenticationSession getSessionWithUserNameID(String nameID) { try { @@ -558,149 +569,20 @@ public class AuthenticationSessionStoreage { Logger.trace("Found entries: " + result.size()); //Assertion requires an unique artifact - if (result.size() != 1) { + if (result.size() == 0) { Logger.trace("No entries found."); return null; } - //decrypt Session - EncryptedData encdata = new EncryptedData(result.get(0).getSession(), - result.get(0).getIv()); - byte[] decrypted = SessionEncrytionUtil.decrypt(encdata); - return (AuthenticationSession) SerializationUtils.deserialize(decrypted); - - + return decryptSession(result.get(0)); + } catch (Throwable e) { Logger.warn("MOASession deserialization-exception by using MOASessionID=" + nameID); return null; } } - - public static AuthenticationSession getSessionWithPendingRequestID(String pedingRequestID) { - - try { - MiscUtil.assertNotNull(pedingRequestID, "pedingRequestID"); - Logger.trace("Get authenticated session with pedingRequestID " + pedingRequestID + " from database."); - Session session = MOASessionDBUtils.getCurrentSession(); - - List result; - - synchronized (session) { - session.beginTransaction(); - Query query = session.getNamedQuery("getSessionWithPendingRequestID"); - query.setParameter("sessionid", pedingRequestID); - result = query.list(); - - //send transaction - session.getTransaction().commit(); - } - - Logger.trace("Found entries: " + result.size()); - - //Assertion requires an unique artifact - if (result.size() != 1) { - Logger.trace("No entries found."); - return null; - } - - //decrypt Session - EncryptedData encdata = new EncryptedData(result.get(0).getSession(), - result.get(0).getIv()); - byte[] decrypted = SessionEncrytionUtil.decrypt(encdata); - return (AuthenticationSession) SerializationUtils.deserialize(decrypted); - - - } catch (Throwable e) { - Logger.warn("MOASession deserialization-exception by using MOASessionID=" + pedingRequestID); - return null; - } - } - - public static void clean(long now, long authDataTimeOutCreated, long authDataTimeOutUpdated) { - Date expioredatecreate = new Date(now - authDataTimeOutCreated); - Date expioredateupdate = new Date(now - authDataTimeOutUpdated); - - List results; - Session session = MOASessionDBUtils.getCurrentSession(); - - synchronized (session) { - session.beginTransaction(); - Query query = session.getNamedQuery("getMOAISessionsWithTimeOut"); - query.setTimestamp("timeoutcreate", expioredatecreate); - query.setTimestamp("timeoutupdate", expioredateupdate); - results = query.list(); - session.getTransaction().commit(); - } - - if (results.size() != 0) { - for(AuthenticatedSessionStore result : results) { - try { - cleanDelete(result); - Logger.info("Authenticated session with sessionID=" + result.getSessionid() - + " after session timeout."); - } catch (HibernateException e){ - Logger.warn("Authenticated session with sessionID=" + result.getSessionid() - + " not removed after timeout! (Error during Database communication)", e); - } - - } - } - } - - private static void cleanDelete(AuthenticatedSessionStore result) { - try { - result.setSession(new byte[] {}); - MOASessionDBUtils.saveOrUpdate(result); - - } catch (MOADatabaseException e) { - Logger.warn("Blank authenticated session with sessionID=" + result.getSessionid() + " FAILED.", e); - - } finally { - if (!MOASessionDBUtils.delete(result)) - Logger.error("Authenticated session with sessionID=" + result.getSessionid() - + " not removed! (Error during Database communication)"); - - } - - - } - - public static OASessionStore searchActiveOASSOSession(AuthenticationSession moaSession, String oaID, String protocolType) { - MiscUtil.assertNotNull(moaSession, "MOASession"); - MiscUtil.assertNotNull(oaID, "OnlineApplicationIdentifier"); - MiscUtil.assertNotNull(protocolType, "usedProtocol"); - Logger.trace("Get active OnlineApplication for sessionID " + moaSession.getSessionID() + " with OAID " - + oaID + " from database."); - Session session = MOASessionDBUtils.getCurrentSession(); - - List result; - - synchronized (session) { - session.beginTransaction(); - Query query = session.getNamedQuery("getActiveOAWithSessionIDandOAIDandProtocol"); - query.setParameter("sessionID", moaSession.getSessionID()); - query.setParameter("oaID", oaID); - query.setParameter("protocol", protocolType); - result = query.list(); - - //send transaction - session.getTransaction().commit(); - } - - Logger.trace("Found entries: " + result.size()); - - //Assertion requires an unique artifact - if (result.size() == 0) { - Logger.trace("No entries found."); - return null; - - } - - return result.get(0).getActiveOAsessions().get(0); - } - public static InterfederationSessionStore searchInterfederatedIDPFORSSOWithMOASession(String sessionID) { MiscUtil.assertNotNull(sessionID, "MOASession"); Logger.trace("Get interfederated IDP for SSO with sessionID " + sessionID + " from database."); @@ -761,6 +643,70 @@ public class AuthenticationSessionStoreage { return result.get(0).getInderfederation().get(0); } + public static String createInterfederatedSession(IRequest req, boolean isAuthenticated) throws MOADatabaseException, AssertionAttributeExtractorExeption { + String id = Random.nextRandom(); + AuthenticationSession session = new AuthenticationSession(id); + session.setAuthenticated(true); + session.setAuthenticatedUsed(false); + + AuthenticatedSessionStore dbsession = new AuthenticatedSessionStore(); + dbsession.setSessionid(id); + dbsession.setAuthenticated(isAuthenticated); + dbsession.setInterfederatedSSOSession(true); + + //set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1 + Date now = new Date(); + dbsession.setCreated(now); + dbsession.setUpdated(now); + + dbsession.setSession(SerializationUtils.serialize(session)); + + //add interfederation information + List idpList = dbsession.getInderfederation(); + InterfederationSessionStore idp = null; + if (idpList == null) { + idpList = new ArrayList(); + dbsession.setInderfederation(idpList); + + } else { + for (InterfederationSessionStore el : idpList) { + //resue old entry if interfederation IDP is reused for authentication + if (el.getIdpurlprefix().equals(req.getInterfederationResponse().getEntityID())) + idp = el; + + } + } + + //create new interfederation IDP entry + if (idp == null) { + idp = new InterfederationSessionStore(); + idp.setCreated(now); + idp.setIdpurlprefix(req.getInterfederationResponse().getEntityID()); + + } + + AssertionAttributeExtractor extract = new AssertionAttributeExtractor(req.getInterfederationResponse().getResponse()); + idp.setSessionIndex(extract.getSessionIndex()); + idp.setUserNameID(extract.getNameID()); + idp.setAttributesRequested(false); + idp.setQAALevel(extract.getQAALevel()); + idp.setMoasession(dbsession); + idpList.add(idp); + + + //store AssertionStore element to Database + try { + MOASessionDBUtils.saveOrUpdate(dbsession); + Logger.info("MOASession with sessionID=" + id + " is stored in Database"); + + } catch (MOADatabaseException e) { + Logger.warn("MOASession could not be created."); + throw new MOADatabaseException(e); + } + + return id; + } + public static InterfederationSessionStore searchInterfederatedIDPFORAttributeQueryWithSessionID(AuthenticationSession moaSession) { MiscUtil.assertNotNull(moaSession, "MOASession"); Logger.trace("Get interfederated IDP for AttributeQuery with sessionID " + moaSession.getSessionID() + " from database."); @@ -790,35 +736,6 @@ public class AuthenticationSessionStoreage { return result.get(0).getInderfederation().get(0); } - @SuppressWarnings("rawtypes") - private static AuthenticatedSessionStore searchInDatabase(String sessionID) throws MOADatabaseException { - MiscUtil.assertNotNull(sessionID, "moasessionID"); - Logger.trace("Get authenticated session with sessionID " + sessionID + " from database."); - Session session = MOASessionDBUtils.getCurrentSession(); - - List result; - - synchronized (session) { - session.beginTransaction(); - Query query = session.getNamedQuery("getSessionWithID"); - query.setParameter("sessionid", sessionID); - result = query.list(); - - //send transaction - session.getTransaction().commit(); - } - - Logger.trace("Found entries: " + result.size()); - - //Assertion requires an unique artifact - if (result.size() != 1) { - Logger.trace("No entries found."); - throw new MOADatabaseException("No session found with this sessionID"); - } - - return (AuthenticatedSessionStore) result.get(0); - } - /** * @param entityID * @param requestID @@ -872,4 +789,97 @@ public class AuthenticationSessionStoreage { return false; } } + + public static void clean(long now, long authDataTimeOutCreated, long authDataTimeOutUpdated) { + Date expioredatecreate = new Date(now - authDataTimeOutCreated); + Date expioredateupdate = new Date(now - authDataTimeOutUpdated); + + List results; + Session session = MOASessionDBUtils.getCurrentSession(); + + synchronized (session) { + session.beginTransaction(); + Query query = session.getNamedQuery("getMOAISessionsWithTimeOut"); + query.setTimestamp("timeoutcreate", expioredatecreate); + query.setTimestamp("timeoutupdate", expioredateupdate); + results = query.list(); + session.getTransaction().commit(); + } + + if (results.size() != 0) { + for(AuthenticatedSessionStore result : results) { + try { + cleanDelete(result); + Logger.info("Authenticated session with sessionID=" + result.getSessionid() + + " after session timeout."); + + } catch (HibernateException e){ + Logger.warn("Authenticated session with sessionID=" + result.getSessionid() + + " not removed after timeout! (Error during Database communication)", e); + } + } + } + } + + private static void encryptSession(AuthenticationSession session, AuthenticatedSessionStore dbsession) throws BuildException { + byte[] serialized = SerializationUtils.serialize(session); + + EncryptedData encdata = SessionEncrytionUtil.encrypt(serialized); + dbsession.setSession(encdata.getEncData()); + dbsession.setIv(encdata.getIv()); + } + + private static AuthenticationSession decryptSession(AuthenticatedSessionStore dbsession) throws BuildException { + EncryptedData encdata = new EncryptedData(dbsession.getSession(), + dbsession.getIv()); + byte[] decrypted = SessionEncrytionUtil.decrypt(encdata); + + return (AuthenticationSession) SerializationUtils.deserialize(decrypted); + + } + + private static void cleanDelete(AuthenticatedSessionStore result) { + try { + result.setSession(new byte[] {}); + MOASessionDBUtils.saveOrUpdate(result); + + } catch (MOADatabaseException e) { + Logger.warn("Blank authenticated session with sessionID=" + result.getSessionid() + " FAILED.", e); + + } finally { + if (!MOASessionDBUtils.delete(result)) + Logger.error("Authenticated session with sessionID=" + result.getSessionid() + + " not removed! (Error during Database communication)"); + + } + } + + @SuppressWarnings("rawtypes") + private static AuthenticatedSessionStore searchInDatabase(String sessionID) throws MOADatabaseException { + MiscUtil.assertNotNull(sessionID, "moasessionID"); + Logger.trace("Get authenticated session with sessionID " + sessionID + " from database."); + Session session = MOASessionDBUtils.getCurrentSession(); + + List result; + + synchronized (session) { + session.beginTransaction(); + Query query = session.getNamedQuery("getSessionWithID"); + query.setParameter("sessionid", sessionID); + result = query.list(); + + //send transaction + session.getTransaction().commit(); + } + + Logger.trace("Found entries: " + result.size()); + + //Assertion requires an unique artifact + if (result.size() != 1) { + Logger.trace("No entries found."); + throw new MOADatabaseException("No session found with this sessionID"); + } + + return (AuthenticatedSessionStore) result.get(0); + } } -- cgit v1.2.3 From 5c3841139097ce9de9c4fc7aa666df36b8d50214 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 9 May 2014 08:57:12 +0200 Subject: add SLO information into SAML2 metadata (actually not active code) --- .../moa/id/protocols/pvp2x/MetadataAction.java | 51 +++++++++++++++++++--- 1 file changed, 44 insertions(+), 7 deletions(-) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index 5333a58ab..01f7e18ba 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -50,6 +50,7 @@ import org.opensaml.saml2.metadata.NameIDFormat; import org.opensaml.saml2.metadata.RoleDescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.saml2.metadata.ServiceName; +import org.opensaml.saml2.metadata.SingleLogoutService; import org.opensaml.saml2.metadata.SingleSignOnService; import org.opensaml.xml.io.Marshaller; import org.opensaml.xml.security.SecurityException; @@ -236,7 +237,8 @@ public class MetadataAction implements IAction { unspecifiednameIDFormat.setFormat(NameIDType.UNSPECIFIED); spSSODescriptor.getNameIDFormats().add(unspecifiednameIDFormat); - + + //add assertion consumer services AssertionConsumerService postassertionConsumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class); postassertionConsumerService.setIndex(0); @@ -245,8 +247,7 @@ public class MetadataAction implements IAction { .getInstance().getIDPSSOPostService()); postassertionConsumerService.setIsDefault(true); spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService); - - + AssertionConsumerService redirectassertionConsumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class); redirectassertionConsumerService.setIndex(1); @@ -255,6 +256,25 @@ public class MetadataAction implements IAction { .getInstance().getIDPSSORedirectService()); spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService); + + //add SLO descriptor +// SingleLogoutService postSLOService = +// SAML2Utils.createSAMLObject(SingleLogoutService.class); +// postSLOService.setLocation(PVPConfiguration +// .getInstance().getIDPSSOPostService()); +// postSLOService +// .setBinding(SAMLConstants.SAML2_POST_BINDING_URI); +// spSSODescriptor.getSingleLogoutServices().add(postSLOService); +// +// SingleLogoutService redirectSLOService = +// SAML2Utils.createSAMLObject(SingleLogoutService.class); +// redirectSLOService.setLocation(PVPConfiguration +// .getInstance().getIDPSSOPostService()); +// redirectSLOService +// .setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); +// spSSODescriptor.getSingleLogoutServices().add(redirectSLOService); + + spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); AttributeConsumingService attributeService = @@ -302,29 +322,46 @@ public class MetadataAction implements IAction { idpSSODescriptor.setWantAuthnRequestsSigned(true); if (PVPConfiguration.getInstance().getIDPSSOPostService() != null) { + //add SSO descriptor SingleSignOnService postSingleSignOnService = SAML2Utils .createSAMLObject(SingleSignOnService.class); - postSingleSignOnService.setLocation(PVPConfiguration .getInstance().getIDPSSOPostService()); postSingleSignOnService .setBinding(SAMLConstants.SAML2_POST_BINDING_URI); - idpSSODescriptor.getSingleSignOnServices().add( postSingleSignOnService); + + //add SLO descriptor +// SingleLogoutService postSLOService = +// SAML2Utils.createSAMLObject(SingleLogoutService.class); +// postSLOService.setLocation(PVPConfiguration +// .getInstance().getIDPSSOPostService()); +// postSLOService +// .setBinding(SAMLConstants.SAML2_POST_BINDING_URI); +// idpSSODescriptor.getSingleLogoutServices().add(postSLOService); + } if (PVPConfiguration.getInstance().getIDPSSORedirectService() != null) { + //add SSO descriptor SingleSignOnService redirectSingleSignOnService = SAML2Utils .createSAMLObject(SingleSignOnService.class); - redirectSingleSignOnService.setLocation(PVPConfiguration .getInstance().getIDPSSORedirectService()); redirectSingleSignOnService .setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); - idpSSODescriptor.getSingleSignOnServices().add( redirectSingleSignOnService); + + //add SLO descriptor +// SingleLogoutService redirectSLOService = +// SAML2Utils.createSAMLObject(SingleLogoutService.class); +// redirectSLOService.setLocation(PVPConfiguration +// .getInstance().getIDPSSOPostService()); +// redirectSLOService +// .setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); +// idpSSODescriptor.getSingleLogoutServices().add(redirectSLOService); } /*if (PVPConfiguration.getInstance().getIDPResolveSOAPService() != null) { -- cgit v1.2.3 From 719b06ae04a8d96bf24268a4e25a0cd7b0768e95 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 9 May 2014 11:52:30 +0200 Subject: add AuthnRequest validation --- .../java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java | 5 +++++ .../pvp2x/exceptions/NameIDFormatNotSupportedException.java | 4 ++++ 2 files changed, 9 insertions(+) (limited to 'id/server/idserverlib/src/main/java/at') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 280b6495e..6527f03b5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -90,6 +90,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SLOException; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.CheckMandateAttributes; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.id.protocols.pvp2x.validation.AuthnRequestValidator; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; @@ -301,6 +302,7 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { if(statusMessageValue != null) { statusMessage.setMessage(StringEscapeUtils.escapeXml(statusMessageValue)); } + } else { statusCode.setValue(StatusCode.RESPONDER_URI); @@ -556,6 +558,9 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { config.setPassiv(authReq.isPassive()); config.setForce(authReq.isForceAuthn()); + //validate AuthnRequest + AuthnRequestValidator.validate(authReq); + String useMandate = request.getParameter(PARAM_USEMANDATE); if(useMandate != null) { if(useMandate.equals("true") && attributeConsumer != null) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NameIDFormatNotSupportedException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NameIDFormatNotSupportedException.java index b5facde34..87e443930 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NameIDFormatNotSupportedException.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/NameIDFormatNotSupportedException.java @@ -22,10 +22,14 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; +import org.opensaml.saml2.core.StatusCode; + public class NameIDFormatNotSupportedException extends AuthnRequestValidatorException { public NameIDFormatNotSupportedException(String nameIDFormat) { super("pvp2.12", new Object[] {nameIDFormat}); + statusCodeValue = StatusCode.INVALID_NAMEID_POLICY_URI; + } /** -- cgit v1.2.3