From 8cdac4252e1ea43aada04b71ee95d2509c4a75f3 Mon Sep 17 00:00:00 2001 From: Florian Reimair Date: Tue, 21 Jan 2014 16:02:14 +0100 Subject: respect global mandatory state of attributes --- .../moa/id/auth/AuthenticationServer.java | 354 ++++++++++----------- .../moa/id/config/stork/STORKConfig.java | 126 ++++---- 2 files changed, 239 insertions(+), 241 deletions(-) (limited to 'id/server/idserverlib/src') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 3857cd15c..0fbcc97b2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -106,6 +106,7 @@ import at.gv.egovernment.moa.id.client.SZRGWClient; import at.gv.egovernment.moa.id.client.SZRGWClientException; import at.gv.egovernment.moa.id.commons.db.dao.config.IdentificationNumber; import at.gv.egovernment.moa.id.commons.db.dao.config.OAStorkAttribute; +import at.gv.egovernment.moa.id.commons.db.dao.config.StorkAttribute; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.ConnectionParameter; @@ -118,7 +119,6 @@ import at.gv.egovernment.moa.id.storage.AssertionStorage; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.storage.DBExceptionStoreImpl; import at.gv.egovernment.moa.id.util.HTTPUtils; -import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.id.util.SSLUtils; import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; @@ -138,23 +138,14 @@ import eu.stork.peps.auth.commons.PEPSUtil; import eu.stork.peps.auth.commons.PersonalAttribute; import eu.stork.peps.auth.commons.PersonalAttributeList; import eu.stork.peps.auth.commons.STORKAuthnRequest; -import eu.stork.peps.auth.engine.SAMLEngine; import eu.stork.peps.auth.engine.STORKSAMLEngine; -import eu.stork.peps.auth.engine.core.QAAAttribute; -import eu.stork.peps.auth.engine.core.RequestedAttribute; -import eu.stork.peps.auth.engine.core.RequestedAttributes; -import eu.stork.peps.auth.engine.core.impl.QAAAttributeBuilder; -import eu.stork.peps.auth.engine.core.impl.RequestedAttributeBuilder; -import eu.stork.peps.auth.engine.core.impl.RequestedAttributesBuilder; -import eu.stork.peps.exceptions.SAMLEngineException; import eu.stork.peps.exceptions.STORKSAMLEngineException; -import eu.stork.vidp.messages.builder.STORKMessagesBuilder; import eu.stork.vidp.messages.util.XMLUtil; /** * API for MOA ID Authentication Service.
{@link AuthenticationSession} is * stored in a session store and retrieved by giving the session ID. - * + * * @author Paul Ivancsics * @version $Id: AuthenticationServer.java 1273 2012-02-27 14:50:18Z kstranacher * $ @@ -177,7 +168,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { /** * Returns the single instance of AuthenticationServer. - * + * * @return the single instance of AuthenticationServer */ public static AuthenticationServer getInstance() { @@ -208,7 +199,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * response to * * - * + * * @param authURL * URL of the servlet to be used as data URL * @param target @@ -243,13 +234,13 @@ public class AuthenticationServer implements MOAIDAuthConstants { if (session == null) { throw new AuthenticationException("auth.18", new Object[] { }); } - + //load OnlineApplication configuration OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(session.getPublicOAURLPrefix()); if (oaParam == null) throw new AuthenticationException("auth.00", new Object[] { session.getPublicOAURLPrefix() }); - + //load Template String template = null; if (session.getTemplateURL() != null) { @@ -262,7 +253,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { } String infoboxReadRequest = ""; - + if (session.isSsoRequested()) { //load identityLink with SSO Target boolean isbuisness = false; @@ -272,50 +263,50 @@ public class AuthenticationServer implements MOAIDAuthConstants { isbuisness = true; domainIdentifier = ssobusiness.getValue(); } - + //build ReadInfobox request infoboxReadRequest = new InfoboxReadRequestBuilder().build( isbuisness, domainIdentifier); - + } else { //build ReadInfobox request infoboxReadRequest = new InfoboxReadRequestBuilder().build( oaParam.getBusinessService(), oaParam .getIdentityLinkDomainIdentifier()); } - + String dataURL = new DataURLBuilder().buildDataURL( session.getAuthURL(), REQ_VERIFY_IDENTITY_LINK, session .getSessionID()); - + //removed in MOAID 2.0 String pushInfobox = ""; - + // VerifyInfoboxParameters verifyInfoboxParameters = oaParam // .getVerifyInfoboxParameters(); // if (verifyInfoboxParameters != null) { // pushInfobox = verifyInfoboxParameters.getPushInfobox(); // session.setPushInfobox(pushInfobox); // } - + //build CertInfo request String certInfoRequest = new CertInfoVerifyXMLSignatureRequestBuilder() .build(); String certInfoDataURL = new DataURLBuilder() .buildDataURL(session.getAuthURL(), REQ_START_AUTHENTICATION, session.getSessionID()); - + //get Applet Parameters String appletwidth = req.getParameter(PARAM_APPLET_WIDTH); String appletheigth = req.getParameter(PARAM_APPLET_HEIGTH); appletheigth = StringEscapeUtils.escapeHtml(appletheigth); appletwidth = StringEscapeUtils.escapeHtml(appletwidth); - + String htmlForm = new GetIdentityLinkFormBuilder().build(template, session.getBkuURL(), infoboxReadRequest, dataURL, certInfoRequest, certInfoDataURL, pushInfobox, oaParam, appletheigth, appletwidth); - + return htmlForm; } @@ -335,7 +326,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * containg the authentication block, meant to be returned to the security * layer implementation * - * + * * @param sessionID * ID of associated authentication session data * @param infoboxReadResponseParameters @@ -343,7 +334,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * including the <InfoboxReadResponse> * @return String representation of the * <CreateXMLSignatureRequest> - * @throws BKUException + * @throws BKUException */ public String verifyIdentityLink(AuthenticationSession session, Map infoboxReadResponseParameters) throws AuthenticationException, @@ -360,7 +351,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { if (isEmpty(xmlInfoboxReadResponse)) throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_IDENTITY_LINK, PARAM_XMLRESPONSE }); - + AuthConfigurationProvider authConf = AuthConfigurationProvider .getInstance(); @@ -420,7 +411,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { session.setIdentityLink(identityLink); // now validate the extended infoboxes - + //Removed in MOA-ID 2.0 //verifyInfoboxes(session, infoboxReadResponseParameters, false); @@ -443,7 +434,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * containg the authentication block, meant to be returned to the security * layer implementation * - * + * * @param sessionID * ID of associated authentication session data * @param infoboxReadResponseParameters @@ -468,14 +459,14 @@ public class AuthenticationServer implements MOAIDAuthConstants { if (certificate.getExtension(OWid) != null) { session.setOW(true); } - + } - + } catch (X509ExtensionInitException e) { Logger.warn("Certificate extension is not readable."); session.setOW(false); } - + AuthConfigurationProvider authConf = AuthConfigurationProvider .getInstance(); @@ -484,10 +475,10 @@ public class AuthenticationServer implements MOAIDAuthConstants { String returnvalue = getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam); - + return returnvalue; } - + /** * Processes an Mandate sent by the MIS.
* - * + * * @param sessionID * ID of associated authentication session data * @param infoboxReadResponseParameters @@ -522,10 +513,10 @@ public class AuthenticationServer implements MOAIDAuthConstants { // sets the extended SAML attributes for OID (Organwalter) setExtendedSAMLAttributeForMandatesOID(session, mandate, oaParam .getBusinessService()); - + validateExtendedSAMLAttributeForMandates(session, mandate, oaParam.getBusinessService()); - - + + } catch (SAXException e) { throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID }, e); @@ -539,11 +530,11 @@ public class AuthenticationServer implements MOAIDAuthConstants { throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID }, e); } - + } /** - * + * * @param session * @param authConf * @param oaParam @@ -588,7 +579,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * - * + * * @param sessionID * ID of associated authentication session data * @param cert @@ -610,7 +601,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { OAAuthParameter oaParam = AuthConfigurationProvider.getInstance() .getOnlineApplicationParameter(session.getPublicOAURLPrefix()); - + return getCreateXMLSignatureRequestForeigID(session, authConf, oaParam, cert); } @@ -648,13 +639,13 @@ public class AuthenticationServer implements MOAIDAuthConstants { *
  • Verifies signature by calling the MOA SP component
  • *
  • Returns the signer certificate
  • * - * + * * @param sessionID * ID of associated authentication session data * @param createXMLSignatureResponseParameters * The parameters from the response returned from the BKU * including the <CreateXMLSignatureResponse> - * @throws BKUException + * @throws BKUException */ public X509Certificate verifyXMLSignature(String sessionID, Map createXMLSignatureResponseParameters) @@ -708,13 +699,13 @@ public class AuthenticationServer implements MOAIDAuthConstants { *
  • Verifies signature by calling the MOA SP component
  • *
  • Returns the signer certificate
  • * - * + * * @param sessionID * ID of associated authentication session data * @param readInfoboxResponseParameters * The parameters from the response returned from the BKU * including the <ReadInfoboxResponse> - * @throws BKUException + * @throws BKUException */ public X509Certificate getCertificate(String sessionID, Map readInfoboxResponseParameters) throws AuthenticationException, @@ -744,80 +735,80 @@ public class AuthenticationServer implements MOAIDAuthConstants { /** * Builds an authentication block <saml:Assertion> from * given session data. - * + * * @param session * authentication session - * + * * @return <saml:Assertion> as a String - * + * * @throws BuildException * If an error occurs on serializing an extended SAML attribute * to be appended to the AUTH-Block. */ private String buildAuthenticationBlock(AuthenticationSession session, OAAuthParameter oaParam) throws BuildException { - + IdentityLink identityLink = session.getIdentityLink(); String issuer = identityLink.getName(); String gebDat = identityLink.getDateOfBirth(); String identificationValue = null; String identificationType = null; - + //set empty AuthBlock BPK in case of OW or SSO or bpk is not requested if (session.isOW() || session.isSsoRequested() || oaParam.isRemovePBKFromAuthBlock()) { identificationType = ""; identificationValue = ""; - + } else if (identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { if (oaParam.getBusinessService()) { - + String bpkBase64 = new BPKBuilder().buildWBPK(identityLink .getIdentificationValue(), oaParam.getIdentityLinkDomainIdentifier()); identificationValue = bpkBase64; - + if (oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_WBPK + "+" )) identificationType = oaParam.getIdentityLinkDomainIdentifier(); else identificationType = Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier(); - + } else { String bpkBase64 = new BPKBuilder().buildBPK(identityLink .getIdentificationValue(), session.getTarget()); identificationValue = bpkBase64; identificationType = Constants.URN_PREFIX_CDID + "+" + session.getTarget(); } - + } else { identificationValue = identityLink.getIdentificationValue(); identificationType = identityLink.getIdentificationType(); - + } - + String issueInstant = DateTimeUtils.buildDateTimeUTC(Calendar .getInstance()); session.setIssueInstant(issueInstant); String authURL = session.getAuthURL(); String target = session.getTarget(); String targetFriendlyName = session.getTargetFriendlyName(); - + // Bug #485 // (https://egovlabs.gv.at/tracker/index.php?func=detail&aid=485&group_id=6&atid=105) // String oaURL = session.getPublicOAURLPrefix(); - + List extendedSAMLAttributes = session.getExtendedSAMLAttributesAUTH(); - - + + if (session.isSsoRequested()) { String oaURL =new String(); try { oaURL = AuthConfigurationProvider.getInstance().getSSOPublicUrl(); - + if (MiscUtil.isNotEmpty(oaURL)) oaURL = oaURL.replaceAll("&", "&"); - + } catch (ConfigurationException e) { } String authBlock = new AuthenticationBlockAssertionBuilder() @@ -826,7 +817,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { identificationType, oaURL, gebDat, extendedSAMLAttributes, session, oaParam); return authBlock; - + } else { String oaURL = session.getPublicOAURLPrefix().replaceAll("&", "&"); String authBlock = new AuthenticationBlockAssertionBuilder() @@ -835,20 +826,20 @@ public class AuthenticationServer implements MOAIDAuthConstants { identificationType, oaURL, gebDat, extendedSAMLAttributes, session, oaParam); return authBlock; - } + } } - + /** * Verifies the infoboxes (except of the identity link infobox) returned by * the BKU by calling appropriate validator classes. - * + * * @param session * The actual authentication session. * @param mandate * The Mandate from the MIS - * + * * @throws AuthenticationException * @throws ConfigurationException * @throws TransformerException @@ -871,19 +862,19 @@ public class AuthenticationServer implements MOAIDAuthConstants { verifySAMLAttribute(samlAttribute, i, "MISService", "MISService"); - + } } /** * Verifies the infoboxes (except of the identity link infobox) returned by * the BKU by calling appropriate validator classes. - * + * * @param session * The actual authentication session. * @param mandate * The Mandate from the MIS - * + * * @throws AuthenticationException * @throws ConfigurationException * @throws TransformerException @@ -908,7 +899,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * Adds given SAML Attributes to the current session. They will be appended * to the final SAML Assertion or the AUTH block. If the attributes are * already in the list, they will be replaced. - * + * * @param session * The current session * @param extendedSAMLAttributes @@ -979,7 +970,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * Adds the AUTH block related SAML attributes to the validation result. * This is needed always before the AUTH block is to be signed, because the * name of the mandator has to be set - * + * * @throws ParserConfigurationException * @throws IOException * @throws SAXException @@ -1046,7 +1037,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { * Adds the AUTH block related SAML attributes to the validation result. * This is needed always before the AUTH block is to be signed, because the * name of the mandator has to be set - * + * * @throws ParserConfigurationException * @throws IOException * @throws SAXException @@ -1091,7 +1082,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { } /** - * + * * @param mandate * @return * @throws ParserConfigurationException @@ -1143,7 +1134,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { *
  • Deletes authentication session
  • *
  • Returns the SAML artifact, encoded BASE64
  • * - * + * * @param sessionID * session ID of the running authentication session * @param xmlCreateXMLSignatureReadResponse @@ -1151,20 +1142,20 @@ public class AuthenticationServer implements MOAIDAuthConstants { * <CreateXMLSignatureResponse> * @return SAML artifact needed for retrieving authentication data, encoded * BASE64 - * @throws BKUException + * @throws BKUException */ public String verifyAuthenticationBlock(AuthenticationSession session, String xmlCreateXMLSignatureReadResponse) throws AuthenticationException, BuildException, ParseException, ConfigurationException, ServiceException, ValidateException, BKUException { - + if (session == null) throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID }); if (isEmpty(xmlCreateXMLSignatureReadResponse)) throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE }); - + AuthConfigurationProvider authConf = AuthConfigurationProvider .getInstance(); // parses @@ -1187,7 +1178,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { new CreateXMLSignatureResponseValidator().validateSSO(csresp, session); else new CreateXMLSignatureResponseValidator().validate(csresp, session); - + // builds a for a MOA-SPSS call List vtids = authConf.getMoaSpAuthBlockVerifyTransformsInfoIDs(); String tpid = authConf.getMoaSpAuthBlockTrustProfileID(); @@ -1226,7 +1217,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { // Compare AuthBlock Data with information stored in session, especially // date and time CreateXMLSignatureResponseValidator.getInstance().validateSigningDateTime(csresp); - + // compares the public keys from the identityLink with the AuthBlock VerifyXMLSignatureResponseValidator.getInstance().validateCertificate( vsresp, session.getIdentityLink()); @@ -1269,29 +1260,29 @@ public class AuthenticationServer implements MOAIDAuthConstants { } } } - + session.setXMLVerifySignatureResponse(vsresp); session.setSignerCertificate(vsresp.getX509certificate()); vsresp.setX509certificate(null); session.setForeigner(false); - + if (session.getUseMandate()) { // mandate mode return null; - + } else { - + session.setAuthenticatedUsed(false); session.setAuthenticated(true); - + String oldsessionID = session.getSessionID(); - + //Session is implicte stored in changeSessionID!!! String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(session); - + Logger.info("Changed MOASession " + oldsessionID + " to Session " + newMOASessionID); Logger.info("Daten angelegt zu MOASession " + newMOASessionID); - + return newMOASessionID; } } @@ -1313,7 +1304,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { *
  • Deletes authentication session
  • *
  • Returns the SAML artifact, encoded BASE64
  • * - * + * * @param sessionID * session ID of the running authentication session * @param xmlCreateXMLSignatureReadResponse @@ -1374,7 +1365,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { *
  • Deletes authentication session
  • *
  • Returns the SAML artifact, encoded BASE64
  • * - * + * * @param sessionID * session ID of the running authentication session * @return SAML artifact needed for retrieving authentication data, encoded @@ -1383,11 +1374,11 @@ public class AuthenticationServer implements MOAIDAuthConstants { public String getForeignAuthenticationData(AuthenticationSession session) throws AuthenticationException, BuildException, ParseException, ConfigurationException, ServiceException, ValidateException { - + if (session == null) throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID }); - + // post processing of the infoboxes Iterator iter = session.getInfoboxValidatorIterator(); boolean formpending = false; @@ -1430,10 +1421,10 @@ public class AuthenticationServer implements MOAIDAuthConstants { VerifyXMLSignatureResponse vsresp = new VerifyXMLSignatureResponse(); X509Certificate cert = session.getSignerCertificate(); vsresp.setX509certificate(cert); - + session.setAuthenticatedUsed(false); session.setAuthenticated(true); - + session.setXMLVerifySignatureResponse(vsresp); session.setSignerCertificate(vsresp.getX509certificate()); @@ -1447,7 +1438,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { /** * Builds the AuthenticationData object together with the corresponding * <saml:Assertion> - * + * * @param session * authentication session * @param verifyXMLSigResp @@ -1467,23 +1458,23 @@ public class AuthenticationServer implements MOAIDAuthConstants { IdentityLink identityLink = session.getIdentityLink(); AuthenticationData authData = new AuthenticationData(); - + VerifyXMLSignatureResponse verifyXMLSigResp = session.getXMLVerifySignatureResponse(); - + boolean businessService = oaParam.getBusinessService(); - + authData.setMajorVersion(1); authData.setMinorVersion(0); authData.setAssertionID(Random.nextRandom()); authData.setIssuer(session.getAuthURL()); - + authData.setIssueInstant(DateTimeUtils.buildDateTimeUTC(Calendar .getInstance())); - + //baseID or wbpk in case of BusinessService without SSO or BusinessService SSO authData.setIdentificationValue(identityLink.getIdentificationValue()); authData.setIdentificationType(identityLink.getIdentificationType()); - + authData.setGivenName(identityLink.getGivenName()); authData.setFamilyName(identityLink.getFamilyName()); authData.setDateOfBirth(identityLink.getDateOfBirth()); @@ -1493,25 +1484,25 @@ public class AuthenticationServer implements MOAIDAuthConstants { authData.setPublicAuthorityCode(verifyXMLSigResp .getPublicAuthorityCode()); authData.setBkuURL(session.getBkuURL()); - + try { - + if (session.getUseMandate() && session.isOW()) { MISMandate mandate = session.getMISMandate(); authData.setBPK(mandate.getOWbPK()); authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + "OW"); authData.setIdentityLink(identityLink); - + Logger.trace("Authenticated User is OW: " + mandate.getOWbPK()); - + } else { - + if (businessService) { //since we have foreigner, wbPK is not calculated in BKU if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { - + String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier(); - + if (registerAndOrdNr.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) { // If domainIdentifier starts with prefix // "urn:publicid:gv.at:wbpk+"; remove this prefix @@ -1519,47 +1510,47 @@ public class AuthenticationServer implements MOAIDAuthConstants { .substring(AuthenticationSession.REGISTERANDORDNR_PREFIX_.length()); Logger.debug("Register and ordernumber prefix stripped off; resulting register string: " + registerAndOrdNr); - } - + } + String wbpkBase64 = new BPKBuilder().buildWBPK(identityLink.getIdentificationValue(), registerAndOrdNr); authData.setBPK(wbpkBase64); authData.setBPKType( Constants.URN_PREFIX_WBPK + "+" + registerAndOrdNr); - + } else { authData.setBPK(identityLink.getIdentificationValue()); authData.setBPKType(identityLink.getIdentificationType()); - + } - + Logger.trace("Authenticate user with wbPK " + authData.getBPK()); - + Element idlassertion = session.getIdentityLink().getSamlAssertion(); //set bpk/wpbk; Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); prIdentification.getFirstChild().setNodeValue(authData.getBPK()); - //set bkp/wpbk type + //set bkp/wpbk type Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH); prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType()); - + IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion); IdentityLink idl = idlparser.parseIdentityLink(); authData.setIdentityLink(idl); - + } else { - - if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { + + if(identityLink.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { // only compute bPK if online application is a public service and we have the Stammzahl String bpkBase64 = new BPKBuilder().buildBPK(identityLink.getIdentificationValue(), target); authData.setBPK(bpkBase64); authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); } - + Logger.trace("Authenticate user with bPK " + authData.getBPK()); - + authData.setIdentityLink(identityLink); } } - + return authData; } catch (Throwable ex) { @@ -1570,7 +1561,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { /** * Retrieves a session from the session store. - * + * * @param id * session ID * @return AuthenticationSession stored with given session ID, @@ -1578,7 +1569,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { */ public static AuthenticationSession getSession(String id) throws AuthenticationException { - + AuthenticationSession session; try { session = AuthenticationSessionStoreage.getSession(id); @@ -1586,10 +1577,10 @@ public class AuthenticationServer implements MOAIDAuthConstants { if (session == null) throw new AuthenticationException("auth.02", new Object[] { id }); return session; - + } catch (MOADatabaseException e) { throw new AuthenticationException("parser.04", new Object[] { id }); - } + } } /** @@ -1597,38 +1588,38 @@ public class AuthenticationServer implements MOAIDAuthConstants { */ public void cleanup() { long now = new Date().getTime(); - - //clean AuthenticationSessionStore - + + //clean AuthenticationSessionStore + AuthenticationSessionStoreage.clean(now, sessionTimeOutCreated, sessionTimeOutUpdated); - + //clean AssertionStore AssertionStorage assertionstore = AssertionStorage.getInstance(); assertionstore.clean(now, authDataTimeOut); - - //clean ExeptionStore + + //clean ExeptionStore DBExceptionStoreImpl exstore = DBExceptionStoreImpl.getStore(); exstore.clean(now, authDataTimeOut); - + } /** * Sets the sessionTimeOut. - * + * * @param seconds * Time out of the session in seconds */ public void setSecondsSessionTimeOutCreated(long seconds) { sessionTimeOutCreated = seconds * 1000; } - + public void setSecondsSessionTimeOutUpdated(long seconds) { sessionTimeOutUpdated = seconds * 1000; } /** * Sets the authDataTimeOut. - * + * * @param seconds * Time out for signing AuthData in seconds */ @@ -1638,7 +1629,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { /** * Checks a parameter. - * + * * @param param * parameter * @return true if the parameter is null or empty @@ -1649,7 +1640,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { /** * Checks the correctness of SAML attributes and returns its value. - * + * * @param param * samlAttribute * @param i @@ -1698,7 +1689,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { return value; } - + /** * Does the request to the SZR-GW * @param signature XMLDSIG signature @@ -1779,13 +1770,13 @@ public class AuthenticationServer implements MOAIDAuthConstants { return null; } - + /** * Starts a MOA-ID authentication process using STORK * @param req HttpServletRequest * @param resp HttpServletResponse * @param ccc Citizen country code - * @param oaURL URL of the online application + * @param oaURL URL of the online application * @param target Target parameter * @param targetFriendlyName Friendly Name of Target * @param authURL Authentication URL @@ -1797,36 +1788,34 @@ public class AuthenticationServer implements MOAIDAuthConstants { */ public static void startSTORKAuthentication( HttpServletRequest req, - HttpServletResponse resp, + HttpServletResponse resp, AuthenticationSession moasession) throws MOAIDException, AuthenticationException, WrongParametersException, ConfigurationException { - + if (moasession == null) { throw new AuthenticationException("auth.18", new Object[] { }); } - + //read configuration paramters of OA OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moasession.getPublicOAURLPrefix()); if (oaParam == null) throw new AuthenticationException("auth.00", new Object[] { moasession.getPublicOAURLPrefix() }); - - //Start of STORK Processing + + //Start of STORK Processing STORKConfig storkConfig = AuthConfigurationProvider.getInstance().getStorkConfig(); - + CPEPS cpeps = storkConfig.getCPEPS(moasession.getCcc()); - - Logger.debug("Preparing to assemble STORK AuthnRequest witht the following values:"); - String destination = cpeps.getPepsURL().toExternalForm(); + + Logger.debug("Preparing to assemble STORK AuthnRequest witt the following values:"); + String destination = cpeps.getPepsURL().toExternalForm(); Logger.debug("C-PEPS URL: " + destination); - + String acsURL = HTTPUtils.getBaseURL(req) + PEPSConnectorServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN; Logger.debug("MOA Assertion Consumer URL (PEPSConnctor): " + acsURL); - + String providerName= oaParam.getFriendlyName(); String issuerValue = HTTPUtils.getBaseURL(req); Logger.debug("Issuer value: " + issuerValue); - - // prepare collection of required attributes // - attributes for online application List attributesFromConfig = oaParam.getRequestedAttributes(); @@ -1838,7 +1827,15 @@ public class AuthenticationServer implements MOAIDAuthConstants { for(OAStorkAttribute current : attributesFromConfig) { PersonalAttribute newAttribute = new PersonalAttribute(); newAttribute.setName(current.getName()); - newAttribute.setIsRequired(current.isMandatory()); + + boolean globallyMandatory = false; + for(StorkAttribute currentGlobalAttribute : storkConfig.getStorkAttributes()) + if(current.getName().equals(currentGlobalAttribute.getName())) { + globallyMandatory = currentGlobalAttribute.isMandatory(); + break; + } + + newAttribute.setIsRequired(current.isMandatory() || globallyMandatory); attributeList.add(newAttribute); } @@ -1867,32 +1864,23 @@ public class AuthenticationServer implements MOAIDAuthConstants { authnRequest.setSpSector(spSector); authnRequest.setPersonalAttributeList(attributeList); -// STORKAuthnRequestProcessor.generateSTORKAuthnRequest( -// destination, -// acsURL, -// providerName, -// issuerValue, -// qaaLevel, -// spInstitution, -// spApplication, -// spCountry, -// spSector, -// requestedAttributes, - -// textToBeSigned, -// "application/xhtml+xml"); + authnRequest.setEIDCrossBorderShare(true); + authnRequest.setEIDCrossSectorShare(true); + authnRequest.setEIDSectorShare(true); + + authnRequest.setCitizenCountryCode("LOCAL"); + Logger.debug("STORK AuthnRequest succesfully assembled."); STORKSAMLEngine samlEngine = STORKSAMLEngine.getInstance("CONF0"); try { authnRequest = samlEngine.generateSTORKAuthnRequest(authnRequest); -// authnRequest = STORKAuthnRequestProcessor.signSTORKAuthnRequest(authnRequest, keyStorePath, keyStorePassword, keyName, keyPassword); } catch (STORKSAMLEngineException e) { Logger.error("Could not sign STORK SAML AuthnRequest.", e); throw new MOAIDException("stork.00", null); } - + Logger.info("STORK AuthnRequest successfully signed!"); //validate AuthnRequest @@ -1936,7 +1924,7 @@ public class AuthenticationServer implements MOAIDAuthConstants { Logger.info("STORK AuthnRequest successfully successfully prepared for client with target location: " + authnRequest.getDestination()); } - + /** * Extracts an X509 Certificate out of an XML signagture element * @param signedXML XML signature element @@ -1944,27 +1932,27 @@ public class AuthenticationServer implements MOAIDAuthConstants { * @throws CertificateException */ public static X509Certificate getCertificateFromXML(Element signedXML) throws CertificateException { - + NodeList nList = signedXML.getElementsByTagNameNS(Constants.DSIG_NS_URI, "X509Certificate"); - + String base64CertString = XMLUtil.getFirstTextValueFromNodeList(nList); - - if (StringUtils.isEmpty(base64CertString)) { + + if (StringUtils.isEmpty(base64CertString)) { String msg = "XML does not contain a X509Certificate element."; Logger.error(msg); throw new CertificateException(msg); } - + InputStream is = new ByteArrayInputStream(Base64.decode(base64CertString)); - + X509Certificate cert; try { cert = new X509Certificate(is); return cert; - + } catch (Throwable e) { throw new CertificateException(e); } } - + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java index 25f12af62..e388b39e7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java @@ -1,5 +1,5 @@ /** - * + * */ package at.gv.egovernment.moa.id.config.stork; @@ -25,119 +25,129 @@ import eu.stork.vidp.messages.util.XMLUtil; import at.gv.egovernment.moa.id.commons.db.dao.config.SAMLSigningParameter; import at.gv.egovernment.moa.id.commons.db.dao.config.STORK; import at.gv.egovernment.moa.id.commons.db.dao.config.SignatureVerificationParameterType; +import at.gv.egovernment.moa.id.commons.db.dao.config.StorkAttribute; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.StringUtils; /** * Encapsulates several STORK configuration parameters according MOA configuration - * + * * @author bzwattendorfer * */ public class STORKConfig { - + /** STORK SAML signature creation parameters */ private Properties props = null; private Map cpepsMap = null; private String basedirectory = null; private SignatureVerificationParameter sigverifyparam = null; - - + private List attr = null; + + public STORKConfig(STORK stork, Properties props, String basedirectory) { this.basedirectory = basedirectory; this.props = props; - + //create CPEPS map List cpeps = stork.getCPEPS(); cpepsMap = new HashMap(); - + for(at.gv.egovernment.moa.id.commons.db.dao.config.CPEPS cpep : cpeps) { - + try { CPEPS moacpep = new CPEPS(cpep.getCountryCode(), new URL(cpep.getURL())); - - List attr = cpep.getAttributeValue(); - - ArrayList requestedAttributes = new ArrayList(); - - for (String e1 : attr) { - Element element = XMLUtil.stringToDOM(e1); - RequestedAttribute requestedAttribute = (RequestedAttribute) SAMLUtil.unmarshallMessage(element); - requestedAttributes.add(requestedAttribute); - } - moacpep.setCountrySpecificRequestedAttributes(requestedAttributes); - + + + +// List attr = cpep.getAttributeValue(); +// +// ArrayList requestedAttributes = new ArrayList(); +// +// for (String e1 : attr) { +// Element element = XMLUtil.stringToDOM(e1); +// RequestedAttribute requestedAttribute = (RequestedAttribute) SAMLUtil.unmarshallMessage(element); +// requestedAttributes.add(requestedAttribute); +// } +// moacpep.setCountrySpecificRequestedAttributes(requestedAttributes); + cpepsMap.put(cpep.getCountryCode(), moacpep); - + } catch (MalformedURLException e) { - Logger.warn("Error in MOA-ID Configuration. CPEP entry for country " + Logger.warn("Error in MOA-ID Configuration. CPEP entry for country " + cpep.getCountryCode() + " has an invalid URL and is ignored."); - } catch (ParserConfigurationException e) { - Logger.warn("Error in MOA-ID Configuration. CPEP entry for country " - + cpep.getCountryCode() + " has an invalid Attribute and is ignored."); - } catch (SAXException e) { - Logger.warn("Error in MOA-ID Configuration. CPEP entry for country " - + cpep.getCountryCode() + " has an invalid Attribute and is ignored."); - } catch (IOException e) { - Logger.warn("Error in MOA-ID Configuration. CPEP entry for country " - + cpep.getCountryCode() + " has an invalid Attribute and is ignored."); - } catch (MessageEncodingException e) { - Logger.warn("Error in MOA-ID Configuration. CPEP entry for country " - + cpep.getCountryCode() + " has an invalid Attribute and is ignored."); +// } catch (ParserConfigurationException e) { +// Logger.warn("Error in MOA-ID Configuration. CPEP entry for country " +// + cpep.getCountryCode() + " has an invalid Attribute and is ignored."); +// } catch (SAXException e) { +// Logger.warn("Error in MOA-ID Configuration. CPEP entry for country " +// + cpep.getCountryCode() + " has an invalid Attribute and is ignored."); +// } catch (IOException e) { +// Logger.warn("Error in MOA-ID Configuration. CPEP entry for country " +// + cpep.getCountryCode() + " has an invalid Attribute and is ignored."); +// } catch (MessageEncodingException e) { +// Logger.warn("Error in MOA-ID Configuration. CPEP entry for country " +// + cpep.getCountryCode() + " has an invalid Attribute and is ignored."); } - } - - SAMLSigningParameter samlsign = stork.getSAMLSigningParameter(); - if (samlsign == null) { - Logger.warn("Error in MOA-ID Configuration. No STORK->SAMLSigningParameter configuration found."); - } else { - SignatureVerificationParameterType sigverify = samlsign.getSignatureVerificationParameter(); - - if (sigverify == null) { - Logger.warn("Error in MOA-ID Configuration. No STORK->SignatureVerificationParameter configuration found."); - - } else { - sigverifyparam = new SignatureVerificationParameter(sigverify.getTrustProfileID()); - } +// SAMLSigningParameter samlsign = stork.getSAMLSigningParameter(); // TODO Fix nullpointerexception when nothing is configured +// +// if (samlsign == null) { +// Logger.warn("Error in MOA-ID Configuration. No STORK->SAMLSigningParameter configuration found."); +// +// } else { +// SignatureVerificationParameterType sigverify = samlsign.getSignatureVerificationParameter(); +// +// if (sigverify == null) { +// Logger.warn("Error in MOA-ID Configuration. No STORK->SignatureVerificationParameter configuration found."); +// +// } else { +// sigverifyparam = new SignatureVerificationParameter(sigverify.getTrustProfileID()); +// } +// } + attr = new ArrayList(); + for(StorkAttribute current : stork.getAttributes()) { + attr.add(current); } - + } public SignatureCreationParameter getSignatureCreationParameter() { - + return new SignatureCreationParameter(props, basedirectory); } public SignatureVerificationParameter getSignatureVerificationParameter() { - - return sigverifyparam; + + return sigverifyparam; } public Map getCpepsMap() { return cpepsMap; } - + public boolean isSTORKAuthentication(String ccc) { - + if (StringUtils.isEmpty(ccc) || this.cpepsMap.isEmpty()) return false; - + if (this.cpepsMap.containsKey(ccc.toUpperCase())) return true; else return false; - + } - + public CPEPS getCPEPS(String ccc) { if (isSTORKAuthentication(ccc)) return this.cpepsMap.get(ccc); else return null; } - + public List getStorkAttributes() { + return attr; + } } -- cgit v1.2.3