From 9c6fece57add83ce29e6ba1acc55a11d2ed89fc0 Mon Sep 17 00:00:00 2001 From: Alexander Marsalek Date: Thu, 30 Oct 2014 19:41:56 +0100 Subject: fix for "failed "SignResponses (ResultMajor != Success) --- .../SignedDocAttributeRequestProvider.java | 202 +++++++++++---------- 1 file changed, 108 insertions(+), 94 deletions(-) (limited to 'id/server/idserverlib/src/main/java') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java index 06cb99da0..124b91e8b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/SignedDocAttributeRequestProvider.java @@ -64,6 +64,7 @@ import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.logging.Logger; import eu.stork.oasisdss.api.ApiUtils; import eu.stork.oasisdss.api.LightweightSourceResolver; +import eu.stork.oasisdss.api.ResultMajor; import eu.stork.oasisdss.api.exceptions.ApiUtilsException; import eu.stork.oasisdss.api.exceptions.UtilsException; import eu.stork.oasisdss.profile.AnyType; @@ -166,114 +167,127 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider { //create SignResponse object Source response = new StreamSource(new java.io.StringReader(signResponseString)); SignResponse signResponse = ApiUtils.unmarshal(response, SignResponse.class); - //extract doc from signresponse - DataSource dataSource = LightweightSourceResolver.getDataSource(signResponse); - - ByteArrayOutputStream baos = new ByteArrayOutputStream(); - IOUtils.copy(dataSource.getInputStream(), baos); - byte[] data = baos.toByteArray(); + //Check if Signing was successfully or not - //update doc in DTL - String docId, dssId = ""; - docId = signResponse.getDocUI(); - //For reference dssId equals docId - dssId = docId; - if (dssId != null && data!=null) + if(!signResponse.getResult().getResultMajor().equals(ResultMajor.RESULT_MAJOR_SUCCESS)) { - boolean success = false; - try{ - success = updateDocumentInDtl(data, docId, signResponseString); - }catch(Exception e){//No document service used? - Logger.info("No document service used?"); - e.printStackTrace(); - success = false; - } - if(success) - { - // set the url in the SignResponse - DocumentWithSignature documentWithSignature = new DocumentWithSignature(); - DocumentType value = new DocumentType(); - value.setDocumentURL(dtlUrl); - documentWithSignature.setDocument(value); - if(signResponse.getOptionalOutputs()!=null) - { - //signResponse.getOptionalOutputs().getAny().add(documentWithSignature); - for(Object o :signResponse.getOptionalOutputs().getAny()) + //Pass unmodifed or unmarshal & marshal?? + InputStream istr = ApiUtils.marshalToInputStream(signResponse); + StringWriter writer = new StringWriter(); + IOUtils.copy(istr, writer, "UTF-8"); + signResponseString = writer.toString(); + Logger.info("SignResponse with error (unmodified):"+signResponseString); + } + else + { + //extract doc from signresponse + DataSource dataSource = LightweightSourceResolver.getDataSource(signResponse); + + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + IOUtils.copy(dataSource.getInputStream(), baos); + byte[] data = baos.toByteArray(); + + //update doc in DTL + String docId, dssId = ""; + docId = signResponse.getDocUI(); + //For reference dssId equals docId + dssId = docId; + if (dssId != null && data!=null) + { + boolean success = false; + try{ + success = updateDocumentInDtl(data, docId, signResponseString); + }catch(Exception e){//No document service used? + Logger.info("No document service used?"); + e.printStackTrace(); + success = false; + } + if(success) + { + // set the url in the SignResponse + DocumentWithSignature documentWithSignature = new DocumentWithSignature(); + DocumentType value = new DocumentType(); + value.setDocumentURL(dtlUrl); + documentWithSignature.setDocument(value); + if(signResponse.getOptionalOutputs()!=null) { - if(o instanceof DocumentWithSignature) + //signResponse.getOptionalOutputs().getAny().add(documentWithSignature); + for(Object o :signResponse.getOptionalOutputs().getAny()) { - signResponse.getOptionalOutputs().getAny().remove(o); - signResponse.getOptionalOutputs().getAny().add(documentWithSignature); - break; + if(o instanceof DocumentWithSignature) + { + signResponse.getOptionalOutputs().getAny().remove(o); + signResponse.getOptionalOutputs().getAny().add(documentWithSignature); + break; + } } } + else + { + AnyType anytype = new AnyType(); + anytype.getAny().add(documentWithSignature); + signResponse.setOptionalOutputs(anytype ); + } + + // System.out.println("overwriting:"+signResponse.getResult().getResultMessage()+" with DTL url:"+dtlUrl); + InputStream istr = ApiUtils.marshalToInputStream(signResponse); + StringWriter writer = new StringWriter(); + IOUtils.copy(istr, writer, "UTF-8"); + signResponseString = writer.toString(); + Logger.info("SignResponse overwritten:"+signResponseString); } else { - AnyType anytype = new AnyType(); - anytype.getAny().add(documentWithSignature); - signResponse.setOptionalOutputs(anytype ); - } - -// System.out.println("overwriting:"+signResponse.getResult().getResultMessage()+" with DTL url:"+dtlUrl); - InputStream istr = ApiUtils.marshalToInputStream(signResponse); - StringWriter writer = new StringWriter(); - IOUtils.copy(istr, writer, "UTF-8"); - signResponseString = writer.toString(); - Logger.info("SignResponse overwritten:"+signResponseString); - } - else - { - //No document service used? - // do nothing.... - //TODO temporary fix because document is deleted after fetching => SP can't download Doc - //Add doc to Signresponse - - DocumentWithSignature documentWithSignature = new DocumentWithSignature(); - DocumentType value = new DocumentType(); - if(signResponse.getProfile().toLowerCase().contains("xades")) - { - value.setBase64XML(data); - } - else - { - Base64Data base64data = new Base64Data(); - base64data.setValue(data); - base64data.setMimeType(dataSource.getContentType()); - value.setBase64Data(base64data); - } - documentWithSignature.setDocument(value); - if(signResponse.getOptionalOutputs()!=null) - { - //signResponse.getOptionalOutputs().getAny().add(documentWithSignature); - for(Object o :signResponse.getOptionalOutputs().getAny()) + //No document service used? + // do nothing.... + //TODO temporary fix because document is deleted after fetching => SP can't download Doc + //Add doc to Signresponse + + DocumentWithSignature documentWithSignature = new DocumentWithSignature(); + DocumentType value = new DocumentType(); + if(signResponse.getProfile().toLowerCase().contains("xades")) + { + value.setBase64XML(data); + } + else { - if(o instanceof DocumentWithSignature) + Base64Data base64data = new Base64Data(); + base64data.setValue(data); + base64data.setMimeType(dataSource.getContentType()); + value.setBase64Data(base64data); + } + documentWithSignature.setDocument(value); + if(signResponse.getOptionalOutputs()!=null) + { + //signResponse.getOptionalOutputs().getAny().add(documentWithSignature); + for(Object o :signResponse.getOptionalOutputs().getAny()) { - signResponse.getOptionalOutputs().getAny().remove(o); - signResponse.getOptionalOutputs().getAny().add(documentWithSignature); - break; + if(o instanceof DocumentWithSignature) + { + signResponse.getOptionalOutputs().getAny().remove(o); + signResponse.getOptionalOutputs().getAny().add(documentWithSignature); + break; + } } } + else + { + AnyType anytype = new AnyType(); + anytype.getAny().add(documentWithSignature); + signResponse.setOptionalOutputs(anytype ); + } + + // System.out.println("overwriting:"+signResponse.getResult().getResultMessage()+" with DTL url:"+dtlUrl); + InputStream istr = ApiUtils.marshalToInputStream(signResponse); + StringWriter writer = new StringWriter(); + IOUtils.copy(istr, writer, "UTF-8"); + signResponseString = writer.toString(); + Logger.info("SignResponse overwritten:"+signResponseString); } - else - { - AnyType anytype = new AnyType(); - anytype.getAny().add(documentWithSignature); - signResponse.setOptionalOutputs(anytype ); - } - -// System.out.println("overwriting:"+signResponse.getResult().getResultMessage()+" with DTL url:"+dtlUrl); - InputStream istr = ApiUtils.marshalToInputStream(signResponse); - StringWriter writer = new StringWriter(); - IOUtils.copy(istr, writer, "UTF-8"); - signResponseString = writer.toString(); - Logger.info("SignResponse overwritten:"+signResponseString); - } + } + else + throw new Exception("No DSS id found."); } - else - throw new Exception("No DSS id found."); - //alter signresponse //done @@ -319,7 +333,7 @@ public class SignedDocAttributeRequestProvider extends AttributeProvider { try { Logger.trace("Initialize VelocityEngine..."); - + Logger.info("performRedirect url:"+url); VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine(); Template template = velocityEngine.getTemplate("/resources/templates/oasis_dss_webform_binding.vm"); VelocityContext context = new VelocityContext(); -- cgit v1.2.3 From 72e6c6c36bcbbedf073758299acca4ad9673ba9e Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 3 Nov 2014 09:35:14 +0100 Subject: add PVP SecClass to STORK QAA mapping --- .../id/auth/builder/AuthenticationDataBuilder.java | 37 +++++++- .../id/protocols/stork2/MOAAttributeProvider.java | 10 +- .../egovernment/moa/id/util/PVPtoSTORKMapper.java | 105 +++++++++++++++++++++ .../moa/id/util/PVPtoSTORKRoleMapper.java | 83 ---------------- 4 files changed, 141 insertions(+), 94 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKRoleMapper.java (limited to 'id/server/idserverlib/src/main/java') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 5c0e497a3..52488c3cb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -96,6 +96,7 @@ import at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData; import at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.IdentityLinkReSigner; +import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; import at.gv.egovernment.moa.logging.Logger; @@ -526,10 +527,40 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants { } - if (extractor.containsAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) - authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + - extractor.getSingleAttributeValue(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)); + try { + String qaaLevel = extractor.getQAALevel(); + if (MiscUtil.isNotEmpty(qaaLevel) && + qaaLevel.startsWith(PVPConstants.STORK_QAA_PREFIX)) { + authData.setQAALevel(qaaLevel); + + } else { + Logger.debug("Found PVP QAA level. QAA mapping process starts ... "); + String mappedQAA = PVPtoSTORKMapper.getInstance().mapQAALevel(qaaLevel); + if (MiscUtil.isNotEmpty(mappedQAA)) + authData.setQAALevel(mappedQAA); + + else + throw new AssertionAttributeExtractorExeption("PVP SecClass not mappable"); + + } + + } catch (AssertionAttributeExtractorExeption e) { + Logger.warn("No QAA level found in element of interfederated assertion. " + + "(ErrorHeader=" + e.getMessage() + ")"); + if (extractor.containsAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) { + authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + + extractor.getSingleAttributeValue(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)); + + } else { + Logger.info("No QAA level found. Set to default level " + + PVPConstants.STORK_QAA_PREFIX + "1"); + authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + "1"); + + } + + } + if (extractor.containsAttribute(PVPConstants.EID_AUTH_BLOCK_NAME)) { try { byte[] authBlock = Base64Utils.decode(extractor.getSingleAttributeValue(PVPConstants.EID_AUTH_BLOCK_NAME), false); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java index aaded0ce6..993514ec7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOAAttributeProvider.java @@ -23,11 +23,10 @@ package at.gv.egovernment.moa.id.protocols.stork2; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; -import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.data.AuthenticationRole; import at.gv.egovernment.moa.id.data.IAuthData; -import at.gv.egovernment.moa.id.util.PVPtoSTORKRoleMapper; +import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; import eu.stork.peps.auth.commons.PersonalAttribute; @@ -44,11 +43,6 @@ import java.util.HashMap; import java.util.List; import java.util.Map; -import org.joda.time.format.DateTimeFormat; -import org.joda.time.format.DateTimeFormatter; - -import javassist.expr.Instanceof; - /** * @author bsuzic * Date: 2/19/14, Time: 4:42 PM @@ -125,7 +119,7 @@ public class MOAAttributeProvider { && authData.getAuthenticationRoles().size() > 0) { storkRoles = new ArrayList(); - PVPtoSTORKRoleMapper mapper = PVPtoSTORKRoleMapper.getInstance(); + PVPtoSTORKMapper mapper = PVPtoSTORKMapper.getInstance(); for (AuthenticationRole el : authData.getAuthenticationRoles()) { String storkRole = mapper.map(el); if (MiscUtil.isNotEmpty(storkRole)) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java new file mode 100644 index 000000000..0ea03e29d --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java @@ -0,0 +1,105 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.util; + +import java.io.IOException; +import java.util.Properties; + +import at.gv.egovernment.moa.id.data.AuthenticationRole; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +public class PVPtoSTORKMapper { + + private static final String PVP_SECCLASS_PREFIX = "http://www.ref.gv.at/ns/names/agiz/pvp/"; + + private static final String MAPPING_RESOURCE = + "resources/properties/pvp-stork_mapping.properties"; + + private Properties mapping = null; + + private static PVPtoSTORKMapper instance = null; + + public static PVPtoSTORKMapper getInstance() { + if (instance == null) { + instance = new PVPtoSTORKMapper(); + } + + return instance; + } + + private PVPtoSTORKMapper() { + try { + mapping = new Properties(); + mapping.load(this.getClass().getClassLoader().getResourceAsStream(MAPPING_RESOURCE)); + Logger.debug("PVP -> STORK Role mapping initialisation finished."); + + } catch (IOException e) { + Logger.error("PVP -> STORK Role mapping initialisation FAILED." , e); + mapping = null; + + } + + + } + + /**Map a PVP SecClass to STORK QAA level + * + * @param PVP SecClass pvpQAALevel + * @return STORK-QAA level + */ + public String mapQAALevel(String pvpQAALevel) { + if (mapping != null) { + String input = pvpQAALevel.substring(PVP_SECCLASS_PREFIX.length()); + String mappedQAA = mapping.getProperty(input); + if (MiscUtil.isNotEmpty(mappedQAA)) { + Logger.info("Map PVP SecClass " + pvpQAALevel + " to STORK-QAA " + mappedQAA); + return mappedQAA; + + } + } + Logger.warn("No mapping for PVP SecClass " + pvpQAALevel +" !"); + return null; + } + + /**Map a PVP Role attribute to STORK ECAuthenticationRole attribute values + * + * @param PVP Role attribute + * @return STORK ECAuthenticationRole attribute value + */ + public String map(AuthenticationRole el) { + if (mapping != null) { + String ecRole = mapping.getProperty(el.getRawRoleString()); + if (MiscUtil.isNotEmpty(ecRole)) { + Logger.info("Map PVPRole " + el.getRawRoleString() + " to ECRole " + ecRole); + return ecRole; + } + } + Logger.warn("NO mapping for PVPRole "+ el.getRawRoleString() + " !"); + return null; + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKRoleMapper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKRoleMapper.java deleted file mode 100644 index 20f541a1a..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKRoleMapper.java +++ /dev/null @@ -1,83 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.util; - -import java.io.IOException; -import java.util.Properties; - -import at.gv.egovernment.moa.id.data.AuthenticationRole; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MiscUtil; - -/** - * @author tlenz - * - */ -public class PVPtoSTORKRoleMapper { - - private static final String MAPPING_RESOURCE = - "resources/properties/pvp-stork_role_mapping.properties"; - - private Properties mapping = null; - - private static PVPtoSTORKRoleMapper instance = null; - - public static PVPtoSTORKRoleMapper getInstance() { - if (instance == null) { - instance = new PVPtoSTORKRoleMapper(); - } - - return instance; - } - - private PVPtoSTORKRoleMapper() { - try { - mapping = new Properties(); - mapping.load(this.getClass().getClassLoader().getResourceAsStream(MAPPING_RESOURCE)); - Logger.debug("PVP -> STORK Role mapping initialisation finished."); - - } catch (IOException e) { - Logger.error("PVP -> STORK Role mapping initialisation FAILED." , e); - mapping = null; - - } - - - } - - /** - * @param el - * @return - */ - public String map(AuthenticationRole el) { - if (mapping != null) { - String ecRole = mapping.getProperty(el.getRawRoleString()); - if (MiscUtil.isNotEmpty(ecRole)) { - Logger.info("Map PVPRole " + el.getRawRoleString() + " to ECRole " + ecRole); - return ecRole; - } - } - Logger.warn("NO mapping for PVPRole "+ el.getRawRoleString() + " !"); - return null; - } -} -- cgit v1.2.3 From bc1de58de93532b7f819a7feabc57961baef41ba Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 3 Nov 2014 09:36:07 +0100 Subject: fix problems with list access --- .../protocols/pvp2x/verification/SAMLVerificationEngine.java | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'id/server/idserverlib/src/main/java') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java index 3be5df917..4ba93f8fe 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java @@ -170,6 +170,7 @@ public class SAMLVerificationEngine { } + List validatedassertions = new ArrayList(); for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) { Conditions conditions = saml2assertion.getConditions(); @@ -177,19 +178,21 @@ public class SAMLVerificationEngine { DateTime notafter = conditions.getNotOnOrAfter(); if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) { Logger.warn("PVP2 Assertion is out of Date"); - saml2assertions.remove(saml2assertion); + + } else { + validatedassertions.add(saml2assertion); - } + } } - if (saml2assertions.isEmpty()) { + if (validatedassertions.isEmpty()) { Logger.info("No valid PVP 2.1 assertion received."); throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null); } samlResp.getAssertions().clear(); samlResp.getEncryptedAssertions().clear(); - samlResp.getAssertions().addAll(saml2assertions); + samlResp.getAssertions().addAll(validatedassertions); } else { Logger.info("PVP 2.1 assertion includes an error. Receive errorcode " -- cgit v1.2.3 From db040cc2832f845db0919d1c4e2b034b8737ef24 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 3 Nov 2014 09:37:02 +0100 Subject: add check if requested STORK-QAA level matches auth QAA level --- .../id/protocols/stork2/AuthenticationRequest.java | 37 ++++++++++++++++++++-- .../PVPAuthenticationProvider.java | 6 ++-- 2 files changed, 36 insertions(+), 7 deletions(-) (limited to 'id/server/idserverlib/src/main/java') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java index aa018d5a3..d59191c08 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java @@ -33,6 +33,7 @@ import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.storage.AssertionStorage; import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; @@ -110,8 +111,38 @@ public class AuthenticationRequest implements IAction { // Get personal attributtes from MOA/IdentityLink //build STORK attributes from local authentication information - if (authData != null) + if (authData != null) { + int reqQaa = -1; + int authQaa = -1; + try { + reqQaa = moaStorkRequest.getStorkAuthnRequest().getQaa(); + authQaa = Integer.valueOf( + authData.getQAALevel().substring(PVPConstants.STORK_QAA_PREFIX.length())); + + if (reqQaa > authQaa) { + Logger.warn("Requested QAA level does not match to authenticated QAA level"); + throw new MOAIDException("stork.21", new Object[]{reqQaa, authQaa}); + + } + + } catch (MOAIDException e) { + throw e; + + } catch (Exception e) { + if (Logger.isDebugEnabled()) + Logger.warn("STORK QAA Level evaluation error", e); + + else + Logger.warn("STORK QAA Level evaluation error (ErrorMessage=" + + e.getMessage() + ")"); + + throw new MOAIDException("stork.21", new Object[]{reqQaa, authQaa}); + + } + moaStorkResponse.setPersonalAttributeList(populateAttributes(authData, oaParam)); + + } } //moaStorkResponse.setCountry(moaStorkRequest.getSpCountry()); @@ -452,7 +483,7 @@ public class AuthenticationRequest implements IAction { IPersonalAttributeList attrLst = moaStorkRequest.getStorkAuthnRequest().getPersonalAttributeList(); Logger.info("Found " + attrLst.size() + " personal attributes in the request."); - + // Define attribute list to be populated PersonalAttributeList attributeList = new PersonalAttributeList(); MOAAttributeProvider moaAttributeProvider = new MOAAttributeProvider(authData, moaStorkRequest); @@ -470,7 +501,7 @@ public class AuthenticationRequest implements IAction { Logger.error("Exception, attributes: " + e.getMessage()); } - Logger.debug("AUTHBLOCK " + authData.getAuthBlock()); + Logger.trace("AUTHBLOCK " + authData.getAuthBlock()); Logger.debug("SESSION IDENTIFIER " + authData.getCcc() + " " + oaParam.getIdentityLinkDomainIdentifier()); return attributeList; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java index 88c59ccf9..96aa55bcf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java @@ -134,11 +134,9 @@ public class PVPAuthenticationProvider extends AttributeProvider { authRequest.setPersonalAttributeList(moastorkRequest.getPersonalAttributeList()); authRequest.setCitizenCountryCode("AT"); - authRequest.setQaa(oaParam.getQaaLevel()); + //authRequest.setQaa(oaParam.getQaaLevel()); + authRequest.setQaa(moastorkRequest.getStorkAuthnRequest().getQaa()); - if (authRequest.getQaa() == 0 ) { - authRequest.setQaa(4); // workaround - } -- cgit v1.2.3 From 1fbff5f5a86733bc6a75c8ae901153baa0963441 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 3 Nov 2014 10:36:47 +0100 Subject: change loglevel to trace --- .../moa/id/protocols/stork2/AuthenticationRequest.java | 10 +++++----- .../egovernment/moa/id/protocols/stork2/ConsentEvaluator.java | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) (limited to 'id/server/idserverlib/src/main/java') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java index d59191c08..859f4900b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java @@ -401,15 +401,15 @@ public class AuthenticationRequest implements IAction { Logger.debug("Putting assertion consumer url as action: " + request.getAssertionConsumerServiceURL()); context.put("action", request.getAssertionConsumerServiceURL()); - Logger.debug("Starting template merge"); + Logger.trace("Starting template merge"); StringWriter writer = new StringWriter(); - Logger.debug("Doing template merge"); + Logger.trace("Doing template merge"); template.merge(context, writer); - Logger.debug("Template merge done"); + Logger.trace("Template merge done"); - Logger.debug("Sending html content: " + writer.getBuffer().toString()); - Logger.debug("Sending html content2 : " + new String(writer.getBuffer())); + Logger.trace("Sending html content: " + writer.getBuffer().toString()); + Logger.trace("Sending html content2 : " + new String(writer.getBuffer())); httpResp.getOutputStream().write(writer.getBuffer().toString().getBytes("UTF-8")); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java index 3159574fe..de7d5d6dd 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/ConsentEvaluator.java @@ -199,15 +199,15 @@ public class ConsentEvaluator implements IAction { Logger.debug("Putting assertion consumer url as action: " + request.getAssertionConsumerServiceURL()); context.put("action", request.getAssertionConsumerServiceURL()); - Logger.debug("Starting template merge"); + Logger.trace("Starting template merge"); StringWriter writer = new StringWriter(); - Logger.debug("Doing template merge"); + Logger.trace("Doing template merge"); template.merge(context, writer); - Logger.debug("Template merge done"); + Logger.trace("Template merge done"); - Logger.debug("Sending html content: " + writer.getBuffer().toString()); - Logger.debug("Sending html content2 : " + new String(writer.getBuffer())); + Logger.trace("Sending html content: " + writer.getBuffer().toString()); + Logger.trace("Sending html content2 : " + new String(writer.getBuffer())); httpResp.getOutputStream().write(writer.getBuffer().toString().getBytes("UTF-8")); -- cgit v1.2.3