From 011ce9576c780cba8a0f7b321366e08b557adcf6 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 5 Sep 2013 16:03:17 +0200 Subject: -- Resign IdentityLink: if this feature is enabled, the identitylink is resigned in case of businessservice by using MOASS -- GeneralConfigReloadDaemon: Reload general MOA-ID configuration from database every minute if it has changed --- .../moa/id/auth/AuthenticationServer.java | 10 +- .../moa/id/auth/AuthenticationSessionCleaner.java | 2 +- .../moa/id/auth/MOAIDAuthInitializer.java | 28 +--- .../moa/id/config/auth/AuthConfigLoader.java | 47 ++++++ .../id/config/auth/AuthConfigurationProvider.java | 129 ++++++++++------ .../pvp2x/builder/PVPAttributeBuilder.java | 2 + .../builder/attributes/EIDIdentityLinkBuilder.java | 70 +++++++++ ...dateNaturalPersonSourcePinAttributeBuilder.java | 2 +- ...NaturalPersonSourcePinTypeAttributeBuilder.java | 2 +- .../protocols/saml1/SAML1AuthenticationServer.java | 4 +- .../moa/id/util/IdentityLinkReSigner.java | 169 +++++++++++++++++++++ 11 files changed, 388 insertions(+), 77 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigLoader.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java (limited to 'id/server/idserverlib/src/main/java') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index ff2cee559..1bd9205ca 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -2305,6 +2305,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { MISMandate mandate = session.getMISMandate(); authData.setBPK(mandate.getOWbPK()); authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + "OW"); + authData.setIdentityLink(identityLink); } else { @@ -2397,14 +2398,13 @@ public class AuthenticationServer implements MOAIDAuthConstants { public void cleanup() { long now = new Date().getTime(); - //clean AuthenticationSessionStore - //TODO: acutally the StartAuthentificaten timestamp is used!!!!! - //TODO: maybe change this to lastupdate timestamp. + //clean AuthenticationSessionStore + AuthenticationSessionStoreage.clean(now, sessionTimeOutCreated, sessionTimeOutUpdated); - + //clean AssertionStore AssertionStorage assertionstore = AssertionStorage.getInstance(); - assertionstore.clean(now, authDataTimeOut); + assertionstore.clean(now, authDataTimeOut); } /** diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java index 82c1da74a..7db8adb6f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationSessionCleaner.java @@ -37,7 +37,7 @@ import at.gv.egovernment.moa.logging.Logger; public class AuthenticationSessionCleaner implements Runnable { /** interval the AuthenticationSessionCleaner is run in */ - private static final long SESSION_CLEANUP_INTERVAL = 30 * 60; // 30 min + private static final long SESSION_CLEANUP_INTERVAL = 5 * 60; // 30 min /** * Runs the thread. Cleans the AuthenticationServer session store diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java index 725773b75..a73d76d68 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java @@ -39,6 +39,7 @@ import javax.net.ssl.SSLSocketFactory; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.ConnectionParameter; +import at.gv.egovernment.moa.id.config.auth.AuthConfigLoader; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.iaik.config.LoggerConfigImpl; import at.gv.egovernment.moa.id.util.AxisSecureSocketFactory; @@ -174,33 +175,10 @@ public class MOAIDAuthInitializer { } - // sets the authentication session and authentication data time outs - BigInteger param = authConf.getTimeOuts().getMOASessionCreated(); - if (param != null) { - long sessionTimeOut = param.longValue(); - if (sessionTimeOut > 0) - AuthenticationServer.getInstance() - .setSecondsSessionTimeOutCreated(sessionTimeOut); - } - - param = authConf.getTimeOuts().getMOASessionUpdated(); - if (param != null) { - long sessionTimeOut = param.longValue(); - if (sessionTimeOut > 0) - AuthenticationServer.getInstance() - .setSecondsSessionTimeOutUpdated(sessionTimeOut); - } - - param = authConf.getTimeOuts().getAssertion(); - if (param != null) { - long authDataTimeOut = param.longValue(); - if (authDataTimeOut > 0) - AuthenticationServer.getInstance() - .setSecondsAuthDataTimeOut(authDataTimeOut); - } - // Starts the session cleaner thread to remove unpicked authentication data AuthenticationSessionCleaner.start(); + AuthConfigLoader.start(); } + } \ No newline at end of file diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigLoader.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigLoader.java new file mode 100644 index 000000000..56105e64d --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigLoader.java @@ -0,0 +1,47 @@ +package at.gv.egovernment.moa.id.config.auth; + +import java.util.Date; + +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; +import at.gv.egovernment.moa.id.commons.db.dao.config.MOAIDConfiguration; +import at.gv.egovernment.moa.logging.Logger; + + +public class AuthConfigLoader implements Runnable { + + private static final long INTERVAL = 60; // 60 sec + + public void run() { + while (true) { + try { + Thread.sleep(INTERVAL * 1000); + + Logger.info("check for new config."); + MOAIDConfiguration moaidconfig = ConfigurationDBRead.getMOAIDConfiguration(); + Date dbdate = moaidconfig.getTimestampItem(); + ConfigurationDBUtils.closeSession(); + + Date date = AuthConfigurationProvider.getTimeStamp(); + + if (dbdate != null && dbdate.after(date)) { + AuthConfigurationProvider instance = AuthConfigurationProvider.getInstance(); + instance.reloadDataBaseConfig(); + date = dbdate; + } + } catch (Exception e) { + Logger.warn("MOA-ID Configuration is actually not loadable. Reuse old configuration.", e); + } + } + + } + + public static void start() { + // start the session cleanup thread + Thread configLoader = new Thread(new AuthConfigLoader()); + configLoader.setName("ConfigurationLoader"); + configLoader.setDaemon(true); + configLoader.setPriority(Thread.MIN_PRIORITY); + configLoader.start(); + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 28288815a..df303cde2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -35,6 +35,7 @@ import java.net.MalformedURLException; import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; import java.util.ArrayList; +import java.util.Date; import java.util.HashMap; import java.util.List; import java.util.Map; @@ -187,6 +188,8 @@ public class AuthConfigurationProvider extends ConfigurationProvider { private static SSO ssoconfig = null; + private static Date date = null; + /** * Return the single instance of configuration data. * @@ -202,6 +205,10 @@ public class AuthConfigurationProvider extends ConfigurationProvider { return instance; } + public static Date getTimeStamp() { + return date; + } + /** * Reload the configuration data and set it if successful. * @@ -244,7 +251,9 @@ public class AuthConfigurationProvider extends ConfigurationProvider { try { //Initial Hibernate Framework Logger.trace("Initializing Hibernate framework."); - + + date = new Date(); + //Load MOAID-2.0 properties file File propertiesFile = new File(fileName); FileInputStream fis; @@ -383,6 +392,16 @@ public class AuthConfigurationProvider extends ConfigurationProvider { Logger.info("XML Configuration load is completed."); } + reloadDataBaseConfig(); + + + } catch (Throwable t) { + throw new ConfigurationException("config.02", null, t); + } + } + + public synchronized void reloadDataBaseConfig() throws ConfigurationException { + Logger.info("Read MOA-ID 2.0 configuration from database."); moaidconfig = ConfigurationDBRead.getMOAIDConfiguration(); Logger.info("MOA-ID 2.0 is loaded."); @@ -431,41 +450,41 @@ public class AuthConfigurationProvider extends ConfigurationProvider { throw new ConfigurationException("config.02", null); } - //set Trusted CA certs directory - trustedCACertificates = rootConfigFileDir + moaidconfig.getTrustedCACertificates(); + //set Trusted CA certs directory + trustedCACertificates = rootConfigFileDir + moaidconfig.getTrustedCACertificates(); - //set CertStoreDirectory - setCertStoreDirectory(); - - //set TrustManagerRevocationChecking - setTrustManagerRevocationChecking(); - - //set TimeOuts + //set CertStoreDirectory + setCertStoreDirectory(); + + //set TrustManagerRevocationChecking + setTrustManagerRevocationChecking(); + + //set TimeOuts if (auth.getGeneralConfiguration() != null) { - if (auth.getGeneralConfiguration().getTimeOuts() != null) { - - timeouts = new TimeOuts(); - if (auth.getGeneralConfiguration().getTimeOuts().getAssertion() == null) - timeouts.setAssertion(new BigInteger("120")); - else - timeouts.setAssertion(auth.getGeneralConfiguration().getTimeOuts().getAssertion()); - - if (auth.getGeneralConfiguration().getTimeOuts().getMOASessionCreated() == null) - timeouts.setMOASessionCreated(new BigInteger("2700")); - else - timeouts.setMOASessionCreated(auth.getGeneralConfiguration().getTimeOuts().getMOASessionCreated()); - - if (auth.getGeneralConfiguration().getTimeOuts().getMOASessionUpdated() == null) - timeouts.setMOASessionUpdated(new BigInteger("1200")); - else - timeouts.setMOASessionUpdated(auth.getGeneralConfiguration().getTimeOuts().getMOASessionUpdated()); - } - } - else { - Logger.warn("Error in MOA-ID Configuration. No TimeOuts defined."); - throw new ConfigurationException("config.02", null); - } - + if (auth.getGeneralConfiguration().getTimeOuts() != null) { + + timeouts = new TimeOuts(); + if (auth.getGeneralConfiguration().getTimeOuts().getAssertion() == null) + timeouts.setAssertion(new BigInteger("120")); + else + timeouts.setAssertion(auth.getGeneralConfiguration().getTimeOuts().getAssertion()); + + if (auth.getGeneralConfiguration().getTimeOuts().getMOASessionCreated() == null) + timeouts.setMOASessionCreated(new BigInteger("2700")); + else + timeouts.setMOASessionCreated(auth.getGeneralConfiguration().getTimeOuts().getMOASessionCreated()); + + if (auth.getGeneralConfiguration().getTimeOuts().getMOASessionUpdated() == null) + timeouts.setMOASessionUpdated(new BigInteger("1200")); + else + timeouts.setMOASessionUpdated(auth.getGeneralConfiguration().getTimeOuts().getMOASessionUpdated()); + } + } + else { + Logger.warn("Error in MOA-ID Configuration. No TimeOuts defined."); + throw new ConfigurationException("config.02", null); + } + //set PVP2 general config Protocols protocols = auth.getProtocols(); if (protocols != null) { @@ -504,6 +523,33 @@ public class AuthConfigurationProvider extends ConfigurationProvider { //set alternativeSourceID if (auth.getGeneralConfiguration() != null) alternativesourceid = auth.getGeneralConfiguration().getAlternativeSourceID(); + + // sets the authentication session and authentication data time outs + BigInteger param = auth.getGeneralConfiguration().getTimeOuts().getMOASessionCreated(); + + if (param != null) { + long sessionTimeOut = param.longValue(); + if (sessionTimeOut > 0) + AuthenticationServer.getInstance() + .setSecondsSessionTimeOutCreated(sessionTimeOut); + } + + param = auth.getGeneralConfiguration().getTimeOuts().getMOASessionUpdated(); + if (param != null) { + long sessionTimeOut = param.longValue(); + if (sessionTimeOut > 0) + AuthenticationServer.getInstance() + .setSecondsSessionTimeOutUpdated(sessionTimeOut); + } + + param = auth.getGeneralConfiguration().getTimeOuts().getAssertion(); + if (param != null) { + long authDataTimeOut = param.longValue(); + if (authDataTimeOut > 0) + AuthenticationServer.getInstance() + .setSecondsAuthDataTimeOut(authDataTimeOut); + } + else { Logger.warn("Error in MOA-ID Configuration. No GeneralConfig defined."); throw new ConfigurationException("config.02", null); @@ -613,15 +659,11 @@ public class AuthConfigurationProvider extends ConfigurationProvider { } else { Logger.warn("Error in MOA-ID Configuration. No Single Sign-On Config found"); } - + //close Database ConfigurationDBUtils.closeSession(); - - } catch (Throwable t) { - throw new ConfigurationException("config.02", null, t); - } - } - + } + public Properties getGeneralPVP2ProperiesConfig() { Properties configProp = new Properties(); @@ -879,7 +921,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider { } } - private AuthComponentGeneral getAuthComponentGeneral() throws ConfigurationException { + private static AuthComponentGeneral getAuthComponentGeneral() throws ConfigurationException { AuthComponentGeneral authgeneral = moaidconfig.getAuthComponentGeneral(); if (authgeneral == null) { Logger.warn("Error in MOA-ID Configuration. No generalAuthConfiguration found"); @@ -888,7 +930,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider { return authgeneral; } - private MOASP getMOASPConfig(AuthComponentGeneral authgeneral) throws ConfigurationException { + private static MOASP getMOASPConfig(AuthComponentGeneral authgeneral) throws ConfigurationException { MOASP moasp = authgeneral.getMOASP(); if (moasp == null) { @@ -897,4 +939,5 @@ public class AuthConfigurationProvider extends ConfigurationProvider { } return moasp; } + } \ No newline at end of file diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java index 60e510de2..2748d74a6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java @@ -13,6 +13,7 @@ import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.BPKAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.BirthdateAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDCitizenQAALevelAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDIdentityLinkBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDIssuingNationAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDSectorForIDAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.GivenNameAttributeBuilder; @@ -54,6 +55,7 @@ public class PVPAttributeBuilder { addBuilder(new EIDCitizenQAALevelAttributeBuilder()); addBuilder(new EIDIssuingNationAttributeBuilder()); addBuilder(new EIDSectorForIDAttributeBuilder()); + addBuilder(new EIDIdentityLinkBuilder()); // Mandate Attributes addBuilder(new MandateTypeAttributeBuilder()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java new file mode 100644 index 000000000..19f89d6e7 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/EIDIdentityLinkBuilder.java @@ -0,0 +1,70 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes; + +import java.io.IOException; + +import javax.xml.transform.TransformerException; + +import org.opensaml.saml2.core.Attribute; +import org.w3c.dom.Element; + +import at.gv.egovernment.moa.id.MOAIDException; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; +import at.gv.egovernment.moa.id.util.IdentityLinkReSigner; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.DOMUtils; + +public class EIDIdentityLinkBuilder extends BaseAttributeBuilder { + + public String getName() { + return EID_IDENTITY_LINK_NAME; + } + + public Attribute build(AuthenticationSession authSession, + OAAuthParameter oaParam, AuthenticationData authData) + throws PVP2Exception { + try { + String ilAssertion = null; + if (oaParam.getBusinessService()) { + + IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance(); + + Element resignedilAssertion; + + resignedilAssertion = identitylinkresigner.resignIdentityLink(authData.getIdentityLink() + .getSamlAssertion()); + + ilAssertion = DOMUtils.serializeNode(resignedilAssertion); + + } else + ilAssertion = authData.getIdentityLink().getSerializedSamlAssertion(); + + + return buildStringAttribute(EID_IDENTITY_LINK_FRIENDLY_NAME, + EID_IDENTITY_LINK_NAME, Base64Utils.encode(ilAssertion.getBytes())); + + } catch (MOAIDException e) { + Logger.warn("IdentityLink serialization error.", e); + return buildemptyAttribute(EID_IDENTITY_LINK_FRIENDLY_NAME, + EID_IDENTITY_LINK_NAME); + } catch (TransformerException e) { + Logger.warn("IdentityLink serialization error.", e); + return buildemptyAttribute(EID_IDENTITY_LINK_FRIENDLY_NAME, + EID_IDENTITY_LINK_NAME); + } catch (IOException e) { + Logger.warn("IdentityLink serialization error.", e); + return buildemptyAttribute(EID_IDENTITY_LINK_FRIENDLY_NAME, + EID_IDENTITY_LINK_NAME); + } + + } + + public Attribute buildEmpty() { + return buildemptyAttribute(EID_IDENTITY_LINK_FRIENDLY_NAME, + EID_IDENTITY_LINK_NAME); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java index eaa7e88af..aa8061506 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinAttributeBuilder.java @@ -18,7 +18,7 @@ public class MandateNaturalPersonSourcePinAttributeBuilder extends BaseAttributeBuilder { public String getName() { - return MANDATE_NAT_PER_SOURCE_PIN_OID; + return MANDATE_NAT_PER_SOURCE_PIN_NAME; } public Attribute build(AuthenticationSession authSession, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java index 7b8f59dd2..6ef2f5fa5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/attributes/MandateNaturalPersonSourcePinTypeAttributeBuilder.java @@ -18,7 +18,7 @@ public class MandateNaturalPersonSourcePinTypeAttributeBuilder extends BaseAttributeBuilder { public String getName() { - return MANDATE_NAT_PER_SOURCE_PIN_TYPE_OID; + return MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME; } public Attribute build(AuthenticationSession authSession, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index ee0b4e7e2..76757e28e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -196,7 +196,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { //set IdentityLink for assortion String ilAssertion = ""; if (saml1parameter.isProvideIdentityLink()) { - if (session.getBusinessService()) { + if (oaParam.getBusinessService()) { IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance(); Element resignedilAssertion = identitylinkresigner.resignIdentityLink(authData.getIdentityLink() @@ -247,6 +247,8 @@ public class SAML1AuthenticationServer extends AuthenticationServer { case ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK: replaceExtendedSAMLAttribute(oaAttributes, samlAttribute); break; + case ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY: + break; default: Logger .info("Invalid return value from method \"getAddToAUTHBlock()\" (" diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java new file mode 100644 index 000000000..da44a3905 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/IdentityLinkReSigner.java @@ -0,0 +1,169 @@ +package at.gv.egovernment.moa.id.util; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; + +import javax.xml.transform.TransformerException; + +import org.w3c.dom.Element; +import org.w3c.dom.Node; +import org.w3c.dom.NodeList; + +import at.gv.egovernment.moa.id.MOAIDException; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.spss.MOAException; +import at.gv.egovernment.moa.spss.api.SPSSFactory; +import at.gv.egovernment.moa.spss.api.SignatureCreationService; +import at.gv.egovernment.moa.spss.api.common.Content; +import at.gv.egovernment.moa.spss.api.common.MetaInfo; +import at.gv.egovernment.moa.spss.api.common.Transform; +import at.gv.egovernment.moa.spss.api.xmlsign.CreateSignatureEnvironmentProfile; +import at.gv.egovernment.moa.spss.api.xmlsign.CreateSignatureInfo; +import at.gv.egovernment.moa.spss.api.xmlsign.CreateSignatureLocation; +import at.gv.egovernment.moa.spss.api.xmlsign.CreateTransformsInfo; +import at.gv.egovernment.moa.spss.api.xmlsign.CreateTransformsInfoProfile; +import at.gv.egovernment.moa.spss.api.xmlsign.CreateXMLSignatureRequest; +import at.gv.egovernment.moa.spss.api.xmlsign.CreateXMLSignatureResponse; +import at.gv.egovernment.moa.spss.api.xmlsign.DataObjectInfo; +import at.gv.egovernment.moa.spss.api.xmlsign.ErrorResponse; +import at.gv.egovernment.moa.spss.api.xmlsign.SignatureEnvironmentResponse; +import at.gv.egovernment.moa.spss.api.xmlsign.SingleSignatureInfo; +import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.MiscUtil; + +public class IdentityLinkReSigner { + + private static IdentityLinkReSigner instance; + + public static IdentityLinkReSigner getInstance() { + if (instance == null) { + instance = new IdentityLinkReSigner(); + } + return instance; + } + + public Element resignIdentityLink(Element idl) throws MOAIDException { + + try { + AuthConfigurationProvider config = AuthConfigurationProvider.getInstance(); + + if (config.isIdentityLinkResigning()) { + + if (idl == null) { + Logger.warn("IdentityLink is empty"); + return null; + + } else { + NodeList signatures = idl.getElementsByTagNameNS(Constants.DSIG_NS_URI, "Signature"); + Node signature = signatures.item(0); + Node parent = signature.getParentNode(); + parent.removeChild(signature); + } + + SPSSFactory spssFac = SPSSFactory.getInstance(); + + String keyGroupId = config.getIdentityLinkResigningKey(); + if (MiscUtil.isEmpty(keyGroupId)) { + Logger.warn("No IdentityLink reSigning-Key definded"); + throw new MOAIDException("config.19", new Object[]{}); + } + + MetaInfo mi = spssFac.createMetaInfo("text/xml", null, null, null); + + Transform envelopedSignatureTransform = spssFac.createEnvelopedSignatureTransform(); + List transformsList = new ArrayList(); + transformsList.add(envelopedSignatureTransform); + + CreateTransformsInfo ct = spssFac.createCreateTransformsInfo(transformsList, mi); + CreateTransformsInfoProfile ctip = spssFac.createCreateTransformsInfoProfile(ct, null); + + Content content = spssFac.createContent(""); + DataObjectInfo doi = spssFac.createDataObjectInfo(DataObjectInfo.STRUCTURE_DETACHED, false, content, ctip); + + // create signature environment + HashMap nsMap = new HashMap(); + nsMap.put(Constants.SAML_PREFIX, Constants.SAML_NS_URI); + nsMap.put(Constants.DSIG_PREFIX, Constants.DSIG_NS_URI); + nsMap.put(Constants.PD_PREFIX, Constants.PD_NS_URI); + + CreateSignatureLocation csl = spssFac.createCreateSignatureLocation("/" + Constants.SAML_PREFIX + ":" + "Assertion", -1, nsMap); + CreateSignatureEnvironmentProfile csep = spssFac.createCreateSignatureEnvironmentProfile(csl, null); + + + InputStream serializedIdl = new ByteArrayInputStream(DOMUtils.serializeNode(idl).getBytes()); + + Content confirmationContent = spssFac.createContent(serializedIdl, null); + CreateSignatureInfo csi = spssFac.createCreateSignatureInfo(confirmationContent, csep); + + List dataobjectinfoList = new ArrayList(); + dataobjectinfoList.add(doi); + SingleSignatureInfo ssi = spssFac.createSingleSignatureInfo(dataobjectinfoList, csi, false); + + + List singlesignatureinfolist = new ArrayList(); + singlesignatureinfolist.add(ssi); + + CreateXMLSignatureRequest cxsreq = spssFac.createCreateXMLSignatureRequest(keyGroupId, singlesignatureinfolist); + + + // signature creation service + SignatureCreationService scs = SignatureCreationService.getInstance(); + CreateXMLSignatureResponse cxresp; + Logger.info("Creating MOA-SS signature"); + cxresp = scs.createXMLSignature(cxsreq); + + // evaluate response + List elements = cxresp.getResponseElements(); + + if (elements.get(0) instanceof ErrorResponse) { + ErrorResponse errResponse = (ErrorResponse) elements.get(0); + Logger.warn("Error while calling MOA-SS: " + errResponse.getErrorCode() + " / " + errResponse.getInfo()); + throw new MOAIDException("builder.04", new Object[]{errResponse.getErrorCode(), errResponse.getInfo()}); + + } else if (elements.get(0) instanceof SignatureEnvironmentResponse) { + Logger.debug("Successfully created signature."); + SignatureEnvironmentResponse ser = (SignatureEnvironmentResponse) elements.get(0); + int responseType = ser.getResponseType(); + if (responseType == SignatureEnvironmentResponse.ERROR_RESPONSE) { + Logger.warn("Allgemeiner Fehler beim Aufruf von MOA-SS: Unbekannter ResponseType von MOA-SS"); + throw new MOAIDException("builder.05", new Object[]{}); + + } else { + return ser.getSignatureEnvironment(); + } + + } else { + Logger.warn("Allgemeiner Fehler beim Aufruf von MOA-SS: Unbekannter ResponseType von MOA-SS"); + throw new MOAIDException("builder.05", new Object[]{}); + } + + } else + return idl; + + } catch (ConfigurationException e) { + Logger.warn("Configuration can not be loaded", e); + throw new MOAIDException("config.18", new Object[]{}); + + } catch (TransformerException e) { + Logger.warn("IdentityLink serialization error.", e); + throw new MOAIDException("builder.05", new Object[]{}); + + } catch (IOException e) { + Logger.warn("IdentityLink I/O error.", e); + throw new MOAIDException("builder.05", new Object[]{}); + + } catch (MOAException e) { + Logger.warn("General IdentityLink signing error.", e); + throw new MOAIDException("builder.05", new Object[]{}); + + } + } + +} -- cgit v1.2.3