From ecf9de84e76dde785ced8c1632c7909d1d57f94a Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Wed, 30 May 2018 14:36:39 +0200
Subject: add error handling and some more validation to SL2.0 module

---
 .../pvp2x/utils/AssertionAttributeExtractor.java | 6 ++++++
 .../moa/id/protocols/pvp2x/utils/SAML2Utils.java | 21 +++++++++++++++++++++
 .../metadata/SchemaValidationFilter.java | 11 ++---------
 .../resources/properties/id_messages_de.properties | 3 ++-
 .../protocol_response_statuscodes_de.properties | 4 ++++
 5 files changed, 35 insertions(+), 10 deletions(-)
(limited to 'id/server/idserverlib/src/main')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
index 05bb16d0d..5b1d952ff 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java
@@ -196,6 +196,12 @@ public class AssertionAttributeExtractor {
 // }
+ public String getAssertionID() {
+ return assertion.getID();
+
+ }
+
+
 public String getNameID() throws AssertionAttributeExtractorExeption {
 if (assertion.getSubject() != null) {
 Subject subject = assertion.getSubject();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java
index 28a85b4af..da4b54a5a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java
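Review bot: The new getAssertionID accessor has no Javadoc and returns whatever `assertion.getID()` yields, which in OpenSAML is null when the Assertion carries no ID attribute, so callers that use the value as a log key or replay-detection key should be told that; a one-liner such as `/** Returns the ID attribute of the wrapped Assertion, or null if it carries none. */` would make the contract explicit. The blank line before the closing brace and the two trailing blank lines before getNameID are surplus and do not match the rest of the class; `return assertion.getID();` followed directly by `}` and a single separator line reads cleaner. The enclosing class continues outside the hunk.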
@@ -31,9 +31,13 @@ import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.TransformerException;
+import javax.xml.transform.dom.DOMSource;
+import javax.xml.validation.Schema;
+import javax.xml.validation.Validator;
 
 import org.opensaml.Configuration;
 import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
+import org.opensaml.common.xml.SAMLSchemaBuilder;
 import org.opensaml.saml2.core.Status;
 import org.opensaml.saml2.core.StatusCode;
 import org.opensaml.saml2.metadata.AssertionConsumerService;
@@ -47,6 +51,7 @@ import org.opensaml.xml.io.MarshallingException;
 import org.w3c.dom.Document;
 
 import at.gv.egovernment.moa.id.util.Random;
+import at.gv.egovernment.moa.logging.Logger;
 
 
 public class SAML2Utils {
@@ -142,4 +147,20 @@ public class SAML2Utils {
 return envelope;
 }
 
+
+ public static void schemeValidation(XMLObject xmlObject) throws Exception {
+ try {
+ Schema test = SAMLSchemaBuilder.getSAML11Schema();
+ Validator val = test.newValidator();
+ DOMSource source = new DOMSource(xmlObject.getDOM());
+ val.validate(source);
+ Logger.debug("SAML2 Scheme validation successful");
+ return;
+
+ } catch (Exception e) {
+ Logger.warn("SAML2 scheme validation FAILED.", e);
+ throw e;
+
+ }
+ }
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java
index 83a2b61d2..489d2fb4a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java
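Review bot: schemeValidation passes `xmlObject.getDOM()` to DOMSource without a null check, so an XMLObject that was constructed in code rather than unmarshalled from XML (its DOM is null until marshalled) fails inside the validator with a NullPointerException that is then logged and rethrown as if it were a schema violation; a guard such as `if (xmlObject.getDOM() == null) throw new IllegalArgumentException("XMLObject has no DOM to validate");` keeps a caller bug distinguishable from a malformed message. The `throws Exception` / `catch (Exception e)` pair is wider than the calls require: `SAMLSchemaBuilder.getSAML11Schema()` and `Validator.validate` declare `SAXException` and `IOException`, so `throws SAXException, IOException` lets callers keep narrow catch clauses, which matters for SchemaValidationFilter in the next hunk whose catch clauses sit outside this diff. The method name and the two log texts say "scheme" where "schema" is meant (`schemaValidation`, "SAML2 schema validation successful"). A Javadoc line should also record why `getSAML11Schema()` is used for SAML 2.0 objects — in OpenSAML 2 that builder, as far as I recall, bundles the SAML 2.0 schemas as well — so the next reader does not take it for a copy-paste mistake.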
@@ -22,11 +22,6 @@
 */
 package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata;
 
-import javax.xml.transform.dom.DOMSource;
-import javax.xml.validation.Schema;
-import javax.xml.validation.Validator;
-
-import org.opensaml.common.xml.SAMLSchemaBuilder;
 import org.opensaml.saml2.metadata.provider.MetadataFilter;
 import org.opensaml.xml.XMLObject;
 import org.xml.sax.SAXException;
@@ -34,6 +29,7 @@ import org.xml.sax.SAXException;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
 import at.gv.egovernment.moa.logging.Logger;
 
 /**
@@ -71,10 +67,7 @@ public class SchemaValidationFilter implements MetadataFilter {
 if (isActive) {
 try {
- Schema test = SAMLSchemaBuilder.getSAML11Schema();
- Validator val = test.newValidator();
- DOMSource source = new DOMSource(arg0.getDOM());
- val.validate(source);
+ SAML2Utils.schemeValidation(arg0);
 Logger.info("Metadata Schema validation check done OK");
 return;
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index 9cc4b0b5e..84fd93773 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
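Review bot: After the delegation at `SAML2Utils.schemeValidation(arg0);` a metadata schema failure is reported twice — once as a warning with stack trace inside SAML2Utils, and presumably again in this try block's catch clauses, which lie outside the hunk and previously only had to handle the exceptions of the inlined validator calls; the catch side should either log without the stack trace or rely on the utility's entry so operators do not see every rejected metadata document duplicated in the log. The third hunk (-22,11) removes the `DOMSource`/`Schema`/`Validator`/`SAMLSchemaBuilder` imports but `org.xml.sax.SAXException` is kept, which suggests a `catch (SAXException ...)` still exists below; whether it still compiles against a method declared `throws Exception` cannot be seen here. The enclosing filter method starts and ends outside the hunk.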
@@ -344,4 +344,5 @@ sl20.03=Fehlende Konfiguration im SL2.0 Modul. Msg: {0}
 sl20.04=Http request enth\u00e4lt keinen SL2.0 Transportcontainer.
 sl20.05=Fehler beim Validieren eines JWS oder JWE Tokens. Reason: {0}.
 sl20.06=Http transport-binding error. Reason: {0}
-
+sl20.07=Fehler beim Validieren der eID information. Type: {0} Reason: {1}
+sl20.08=SL2.0 Teilnehmer antwortet mit einem Fehler. Code: {0} Reason: {1}
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
index 6de581cae..d77ea437b 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
@@ -258,6 +258,10 @@ sl20.01=14000
 sl20.02=14001
 sl20.03=14800
 sl20.04=14001
+sl20.05=xxxxx
+sl20.06=xxxxx
+sl20.07=xxxxx
+sl20.08=xxxxx
 
 ##Map MIS/BKU statuscodes to MOA-ID-Auth statuscodes
 mis.301=1005
-- 
cgit v1.2.3
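Review bot: sl20.05 through sl20.08 are mapped to the literal placeholder `xxxxx` instead of a numeric MOA-ID status code like the neighbouring entries (`sl20.04=14001`), so whatever reads protocol_response_statuscodes_de.properties will either hand that string to the relying party as the protocol status code or fail to parse it, depending on how the lookup is consumed (not visible here). Either assign real codes from the 14xxx range the other sl20 entries use, or leave the keys out until the codes exist so the lookup falls back to its default. The same keys gained user-facing texts in id_messages_de.properties in the preceding hunk, which makes the mismatch easy to overlook.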