From a184de09bda4327441c214aa84d77e57500b28ca Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 18 Apr 2014 09:56:19 +0200 Subject: Finish PVP21 interfederation assertion preprocessing --- .../gv/egovernment/moa/id/config/OAParameter.java | 15 +++ .../moa/id/entrypoints/DispatcherServlet.java | 8 +- .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 8 +- .../pvp2x/utils/AssertionAttributeExtractor.java | 111 +++++++++++++++++++++ .../protocols/pvp2x/utils/AttributeExtractor.java | 85 ---------------- .../id/storage/AuthenticationSessionStoreage.java | 50 ++++++++++ 6 files changed, 186 insertions(+), 91 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AttributeExtractor.java (limited to 'id/server/idserverlib/src/main/java') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java index 31b88263b..b2bcd443f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/OAParameter.java @@ -68,6 +68,7 @@ public class OAParameter { this.oAuth20Config = oa.getAuthComponentOA().getOAOAUTH20(); + this.isInderfederationIDP = oa.isIsInterfederationIDP(); } @@ -104,6 +105,8 @@ public class OAParameter { private boolean removePBKFromAuthblock; + private Boolean isInderfederationIDP; + /** * Contains the oAuth 2.0 configuration (client id, secret and redirect uri) */ @@ -141,4 +144,16 @@ public class OAParameter { return oAuth20Config; } + /** + * @return the isInderfederationIDP + */ + public boolean isInderfederationIDP() { + if (isInderfederationIDP == null) + return false; + + return isInderfederationIDP; + } + + + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 31e19ee46..2f4bbbcf4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -41,6 +41,7 @@ import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; +import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; @@ -262,9 +263,12 @@ public class DispatcherServlet extends AuthServlet{ Logger.debug(DispatcherServlet.class.getName()+": Create PendingRequest with ID " + protocolRequestID + "."); } else if (protocolRequest != null && - protocolRequest.getInterfederationResponse() != null ) { + protocolRequest.getInterfederationResponse() != null ) { + Logger.debug("Create new interfederated MOA-Session and add to HTTPRequest"); + String sessionID = AuthenticationSessionStoreage.createInterfederatedSession(protocolRequest, true); + req.getParameterMap().put(PARAM_SESSIONID, sessionID); Logger.info("PreProcessing of SSO interfederation response complete. "); - + } else { Logger.error("Failed to generate a valid protocol request!"); resp.setContentType("text/html;charset=UTF-8"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 3ab4dd74c..639b8672b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -187,20 +187,20 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { IRequest obj = RequestStorage.getPendingRequest(msg.getRelayState()); if (obj instanceof RequestImpl) { - RequestImpl iReq = (RequestImpl) obj; + RequestImpl iReqSP = (RequestImpl) obj; MOAResponse processedMsg = preProcessAuthResponse((MOAResponse) msg); if ( processedMsg != null ) { - iReq.setInterfederationResponse((MOAResponse) msg); + iReqSP.setInterfederationResponse((MOAResponse) msg); } else { Logger.info("Receive NO valid SSO session from " + msg.getEntityID() +". Switch to local authentication process ..."); - iReq.setRequestedIDP(null); + iReqSP.setRequestedIDP(null); } - return iReq; + return iReqSP; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java new file mode 100644 index 000000000..61b481447 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -0,0 +1,111 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.pvp2x.utils; + +import java.util.List; + +import org.opensaml.saml2.core.Assertion; +import org.opensaml.saml2.core.AuthnContextClassRef; +import org.opensaml.saml2.core.AuthnStatement; +import org.opensaml.saml2.core.Response; +import org.opensaml.saml2.core.Subject; + +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +public class AssertionAttributeExtractor { + + private Assertion assertion = null; + + public AssertionAttributeExtractor(Response samlResponse) throws AssertionAttributeExtractorExeption { + if (samlResponse != null) { + if (samlResponse.getAssertions().size() == 0) + throw new AssertionAttributeExtractorExeption("Assertion"); + + else if (samlResponse.getAssertions().size() > 1) + Logger.warn("Found more then ONE PVP2.1 assertions. Only the First is used."); + + assertion = samlResponse.getAssertions().get(0); + + } else + throw new AssertionAttributeExtractorExeption(); + } + + public String getNameID() throws AssertionAttributeExtractorExeption { + if (assertion.getSubject() != null) { + Subject subject = assertion.getSubject(); + + if (subject.getNameID() != null) { + if (MiscUtil.isNotEmpty(subject.getNameID().getValue())) + return subject.getNameID().getValue(); + + else + Logger.error("SAML2 NameID Element is empty."); + } + } + + throw new AssertionAttributeExtractorExeption("nameID"); + } + + public String getSessionIndex() throws AssertionAttributeExtractorExeption { + AuthnStatement authn = getAuthnStatement(); + + if (MiscUtil.isNotEmpty(authn.getSessionIndex())) + return authn.getSessionIndex(); + + else + throw new AssertionAttributeExtractorExeption("SessionIndex"); + } + + /** + * @return + * @throws AssertionAttributeExtractorExeption + */ + public String getQAALevel() throws AssertionAttributeExtractorExeption { + AuthnStatement authn = getAuthnStatement(); + if (authn.getAuthnContext() != null && authn.getAuthnContext().getAuthnContextClassRef() != null) { + AuthnContextClassRef qaaClass = authn.getAuthnContext().getAuthnContextClassRef(); + + if (MiscUtil.isNotEmpty(qaaClass.getAuthnContextClassRef())) + return qaaClass.getAuthnContextClassRef(); + + else + throw new AssertionAttributeExtractorExeption("AuthnContextClassRef (QAALevel)"); + } + + throw new AssertionAttributeExtractorExeption("AuthnContextClassRef"); + } + + private AuthnStatement getAuthnStatement() throws AssertionAttributeExtractorExeption { + List authnList = assertion.getAuthnStatements(); + if (authnList.size() == 0) + throw new AssertionAttributeExtractorExeption("AuthnStatement"); + + else if (authnList.size() > 1) + Logger.warn("Found more then ONE AuthnStatements in PVP2.1 assertions. Only the First is used."); + + return authnList.get(0); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AttributeExtractor.java deleted file mode 100644 index 666bfab3c..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AttributeExtractor.java +++ /dev/null @@ -1,85 +0,0 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -package at.gv.egovernment.moa.id.protocols.pvp2x.utils; - -import java.util.Iterator; -import java.util.List; - -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; -import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; - -public class AttributeExtractor { - - public static String extractSAMLAttributeOA(String name, - AuthenticationSession authSession) { - List extAttributes = authSession.getExtendedSAMLAttributesOA(); - if(extAttributes == null) { - return null; - } - Iterator extAttributesIt = extAttributes.iterator(); - while(extAttributesIt.hasNext()) { - Object attr = extAttributesIt.next(); - if(attr instanceof ExtendedSAMLAttribute) { - ExtendedSAMLAttribute extAttribute = (ExtendedSAMLAttribute) attr; - if(extAttribute.getName().equals(name)) { - if(extAttribute.getValue() instanceof String) { - return extAttribute.getValue().toString(); - } - break; - } - } - } - return null; - } - - public static String extractSAMLAttributeAUTH(String name, - AuthenticationSession authSession) { - List extAttributes = authSession.getExtendedSAMLAttributesAUTH(); - if(extAttributes == null) { - return null; - } - Iterator extAttributesIt = extAttributes.iterator(); - while(extAttributesIt.hasNext()) { - Object attr = extAttributesIt.next(); - if(attr instanceof ExtendedSAMLAttribute) { - ExtendedSAMLAttribute extAttribute = (ExtendedSAMLAttribute) attr; - if(extAttribute.getName().equals(name)) { - if(extAttribute.getValue() instanceof String) { - return extAttribute.getValue().toString(); - } - break; - } - } - } - return null; - } - - public static String extractSAMLAttributeBOTH(String name, - AuthenticationSession authSession) { - String value = extractSAMLAttributeOA(name, authSession); - if(value == null) { - value = extractSAMLAttributeAUTH(name, authSession); - } - return value; - } -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java index ca5cb9226..69167c75d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java @@ -22,6 +22,7 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.storage; +import java.util.ArrayList; import java.util.Date; import java.util.List; @@ -36,11 +37,15 @@ import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.session.AuthenticatedSessionStore; +import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.data.EncryptedData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; +import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.id.util.SessionEncrytionUtil; import at.gv.egovernment.moa.logging.Logger; @@ -105,6 +110,51 @@ public class AuthenticationSessionStoreage { return session; } + public static String createInterfederatedSession(IRequest req, boolean isAuthenticated) throws MOADatabaseException, AssertionAttributeExtractorExeption { + String id = Random.nextRandom(); + AuthenticationSession session = new AuthenticationSession(id); + + AuthenticatedSessionStore dbsession = new AuthenticatedSessionStore(); + dbsession.setSessionid(id); + dbsession.setAuthenticated(isAuthenticated); + + //set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1 + Date now = new Date(); + dbsession.setCreated(now); + dbsession.setUpdated(now); + + dbsession.setSession(SerializationUtils.serialize(session)); + + //add interfederation information + List idpList = dbsession.getInderfederation(); + if (idpList == null) + idpList = new ArrayList(); + + InterfederationSessionStore idp = new InterfederationSessionStore(); + idp.setCreated(now); + idp.setIdpurlprefix(req.getInterfederationResponse().getEntityID()); + + AssertionAttributeExtractor extract = new AssertionAttributeExtractor(req.getInterfederationResponse().getResponse()); + idp.setSessionIndex(extract.getSessionIndex()); + idp.setUserNameID(extract.getNameID()); + idp.setAttributesRequested(false); + idp.setQAALevel(extract.getQAALevel()); + idpList.add(idp); + + //store AssertionStore element to Database + try { + MOASessionDBUtils.saveOrUpdate(dbsession); + Logger.info("MOASession with sessionID=" + id + " is stored in Database"); + + } catch (MOADatabaseException e) { + Logger.warn("MOASession could not be created."); + throw new MOADatabaseException(e); + } + + return id; + } + + public static void storeSession(AuthenticationSession session) throws MOADatabaseException, BuildException { try { -- cgit v1.2.3