From 5acd1d23f3702d8899f531e823da68cd9fccaaa4 Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Mon, 2 Jul 2018 18:08:04 +0200
Subject: update auth. module for central eIDAS node connection
---
 .../pvp2x/validation/AuthnRequestValidator.java | 78 ++++++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java
(limited to 'id/server/idserverlib/src/main/java')
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java
new file mode 100644
index 000000000..b42a1de28
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AuthnRequestValidator.java
@@ -0,0 +1,78 @@
+/*******************************************************************************
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.pvp2x.validation;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.core.NameID;
+import org.opensaml.saml2.core.NameIDPolicy;
+import org.opensaml.saml2.metadata.AttributeConsumingService;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.springframework.stereotype.Service;
+
+import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException;
+import at.gv.egiz.eaaf.modules.pvp2.api.validation.IAuthnRequestValidator;
+import at.gv.egiz.eaaf.modules.pvp2.exception.NameIDFormatNotSupportedException;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.MandateAttributesNotHandleAbleException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.CheckMandateAttributes;
+import at.gv.egovernment.moa.logging.Logger;
+
+
+/**
+ * @author tlenz
+ *
+ */
+@Service("MOAAuthnRequestValidator")
+public class AuthnRequestValidator implements IAuthnRequestValidator {
+
+ public void validate(HttpServletRequest httpReq, IRequest pendingReq, AuthnRequest authnReq, SPSSODescriptor spSSODescriptor) throws AuthnRequestValidatorException{
+
+ //validate NameIDPolicy
+ NameIDPolicy nameIDPolicy = authnReq.getNameIDPolicy();
+ if (nameIDPolicy != null) {
+ String nameIDFormat = nameIDPolicy.getFormat();
+ if (nameIDFormat != null) {
+ if ( !(NameID.TRANSIENT.equals(nameIDFormat) ||
+ NameID.PERSISTENT.equals(nameIDFormat) ||
+ NameID.UNSPECIFIED.equals(nameIDFormat)) ) {
+
+ throw new NameIDFormatNotSupportedException(nameIDFormat);
+
+ }
+
+ } else
+ Logger.trace("Find NameIDPolicy, but NameIDFormat is 'null'");
+ } else
+ Logger.trace("AuthnRequest includes no 'NameIDPolicy'");
+
+ //select AttributeConsumingService from request
+ AttributeConsumingService attributeConsumer = null;
+ Integer aIdx = authnReq.getAttributeConsumingServiceIndex();
+ int attributeIdx = 0;
+
+ if(aIdx != null) {
+ attributeIdx = aIdx.intValue();
+ }
+
+ if (spSSODescriptor.getAttributeConsumingServices() != null &&
+ spSSODescriptor.getAttributeConsumingServices().size() > 0) {
+ attributeConsumer = spSSODescriptor.getAttributeConsumingServices().get(attributeIdx);
+ }
+
+ String useMandate = httpReq.getParameter(MOAIDAuthConstants.PARAM_USEMANDATE);
+ if(useMandate != null) {
+ if(useMandate.equals("true") && attributeConsumer != null) {
+ if(!CheckMandateAttributes.canHandleMandate(attributeConsumer)) {
+ MandateAttributesNotHandleAbleException e = new MandateAttributesNotHandleAbleException();
+ throw new AuthnRequestValidatorException(e.getErrorId(), e.getParams(), e.getMessage(), pendingReq, e);
+ }
+ }
+ }
+
+
+ }
+
+}
-- cgit v1.2.3
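Review bot: `authnReq.getAttributeConsumingServiceIndex()` is request-supplied data and is used directly as a list position in `spSSODescriptor.getAttributeConsumingServices().get(attributeIdx)`, so any value outside 0..size-1 (including a negative one) escapes as an unchecked IndexOutOfBoundsException instead of the AuthnRequestValidatorException the method declares. The SAML AttributeConsumingServiceIndex also names the `index` attribute declared on the SP's metadata element, not the element's position in the list, so the selection should match against `AttributeConsumingService.getIndex()` and treat an unmatched index as a validation failure rather than silently picking a neighbouring service. The fallback to the first entry when no index is sent is kept below; SAML's `isDefault` marker may be the better default, but that depends on how this deployment's SP metadata is authored. The NameIDPolicy checks look correct, though the braceless `else` branches and the `@author`-only class Javadoc would benefit from braces and a one-line description of what the validator enforces.
```java
// … unchanged: NameIDPolicy validation …
AttributeConsumingService attributeConsumer = null;
Integer aIdx = authnReq.getAttributeConsumingServiceIndex();
if (spSSODescriptor.getAttributeConsumingServices() != null &&
        !spSSODescriptor.getAttributeConsumingServices().isEmpty()) {
    if (aIdx == null) {
        // no index in the request: keep the existing fallback to the first declared service
        attributeConsumer = spSSODescriptor.getAttributeConsumingServices().get(0);
    } else {
        // match the SP's declared index attribute, never the list position
        for (AttributeConsumingService acs : spSSODescriptor.getAttributeConsumingServices()) {
            if (acs.getIndex() == aIdx.intValue()) {
                attributeConsumer = acs;
                break;
            }
        }
        if (attributeConsumer == null) {
            // reject here with an AuthnRequestValidatorException (error id per project convention)
            Logger.trace("AttributeConsumingServiceIndex " + aIdx + " is not declared in SP metadata");
        }
    }
}
// … unchanged: useMandate check …
```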