From 99b46131e3ef3753af9f1d17516cf900fd095b4d Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 4 Nov 2014 10:43:51 +0100
Subject: add STORK-QAA to PVP SecClass mapping

---
 .../id/auth/builder/AuthenticationDataBuilder.java |  2 +-
 .../moa/id/moduls/AuthenticationManager.java       | 58 +++++++++++++++++++---
 .../egovernment/moa/id/util/PVPtoSTORKMapper.java  | 22 +++++++-
 .../properties/pvp-stork_mapping.properties        | 10 +++-
 4 files changed, 82 insertions(+), 10 deletions(-)

(limited to 'id/server/idserverlib/src')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 52488c3cb..7aa4cd1f7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -536,7 +536,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
 				
 			} else {
 				Logger.debug("Found PVP QAA level. QAA mapping process starts ... ");				
-				String mappedQAA = PVPtoSTORKMapper.getInstance().mapQAALevel(qaaLevel);
+				String mappedQAA = PVPtoSTORKMapper.getInstance().mapToQAALevel(qaaLevel);
 				if (MiscUtil.isNotEmpty(mappedQAA))
 					authData.setQAALevel(mappedQAA);
 				
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
index dab89b7c3..333bd35f1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java
@@ -77,6 +77,7 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.data.SLOInformationContainer;
 import at.gv.egovernment.moa.id.data.SLOInformationImpl;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
@@ -87,9 +88,11 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
 import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+import at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest;
 import at.gv.egovernment.moa.id.storage.AssertionStorage;
 import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
+import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper;
 import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 import at.gv.egovernment.moa.id.util.Random;
 import at.gv.egovernment.moa.logging.Logger;
@@ -381,6 +384,7 @@ public class AuthenticationManager extends AuthServlet {
 		//get IDP metadata
 		try {
 			OAAuthParameter idp = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(target.getRequestedIDP());
+			OAAuthParameter sp = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(target.getOAURL());
 			
 			if (!idp.isInderfederationIDP() || !idp.isInboundSSOInterfederationAllowed()) {
 				Logger.info("Requested interfederation IDP " + target.getRequestedIDP() + " is not valid for interfederation.");
@@ -389,7 +393,7 @@ public class AuthenticationManager extends AuthServlet {
 				return;
 				
 			} 
-						
+			
 			EntityDescriptor idpEntity = MOAMetadataProvider.getInstance().
 					getEntityDescriptor(target.getRequestedIDP());
 			
@@ -409,7 +413,7 @@ public class AuthenticationManager extends AuthServlet {
 							redirectEndpoint == null )
 						redirectEndpoint = sss;
 				}
-				
+								
 				if (redirectEndpoint != null) {
 					
 					AuthnRequest authReq = SAML2Utils
@@ -440,13 +444,55 @@ public class AuthenticationManager extends AuthServlet {
 							SAML2Utils.createSAMLObject(RequestedAuthnContext.class);
 					
 					AuthnContextClassRef authnClassRef = 
-							SAML2Utils.createSAMLObject(AuthnContextClassRef.class);					
-					authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4");
+							SAML2Utils.createSAMLObject(AuthnContextClassRef.class);
+					
+					if (sp != null && sp.isSTORKPVPGateway()){
+						//use PVP SecClass instead of STORK QAA level
+						String secClass = null;
+						if (target instanceof MOASTORKRequest) {
+							
+							try {
+								MOASTORKRequest storkReq = (MOASTORKRequest) target;	
+								secClass = PVPtoSTORKMapper.getInstance().mapToSecClass(
+										PVPConstants.STORK_QAA_PREFIX + storkReq.getStorkAuthnRequest().getQaa());
+							
+							} catch (Exception e) {
+								Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4", e);
+
+							}							
+						}
+						
+						if (MiscUtil.isNotEmpty(secClass))
+							authnClassRef.setAuthnContextClassRef(secClass);
+						else
+							authnClassRef.setAuthnContextClassRef("http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3");
+											
+					} else {
+						if (target instanceof MOASTORKRequest) {
+							//use requested QAA level from STORK request
+							try {
+								MOASTORKRequest storkReq = (MOASTORKRequest) target;
+								authnClassRef.setAuthnContextClassRef(
+										PVPConstants.STORK_QAA_PREFIX + storkReq.getStorkAuthnRequest().getQaa());
+								Logger.debug("Use STORK-QAA level " + authnClassRef.getAuthnContextClassRef() 
+										+ " from STORK request");
+								
+							} catch (Exception e) {
+								Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4", e);
+								
+							}
+							
+						}
+						
+						if (MiscUtil.isEmpty(authnClassRef.getAuthnContextClassRef()))						
+							authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4");
+						
+					}
+					
 					reqAuthContext.setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM);					
 					reqAuthContext.getAuthnContextClassRefs().add(authnClassRef);					
 					authReq.setRequestedAuthnContext(reqAuthContext);
-					
-					
+										
 					IEncoder binding = null;
 					if (redirectEndpoint.getBinding().equals(
 							SAMLConstants.SAML2_REDIRECT_BINDING_URI)) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java
index 0ea03e29d..fe3b780fb 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/PVPtoSTORKMapper.java
@@ -36,6 +36,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
 public class PVPtoSTORKMapper {
 
 	private static final String PVP_SECCLASS_PREFIX = "http://www.ref.gv.at/ns/names/agiz/pvp/";
+	private static final String STORK_QAA_PREFIX = "http://www.stork.gov.eu/1.0/";
 	
 	private static final String MAPPING_RESOURCE = 
 			"resources/properties/pvp-stork_mapping.properties";
@@ -67,12 +68,31 @@ public class PVPtoSTORKMapper {
 		
 	}
 
+	/**Map a STORK QAA level to PVP SecClass
+	 * 
+	 * @param STORK-QAA level
+	 * @return PVP SecClass pvpQAALevel
+	 */	
+	public String mapToSecClass(String storkQAALevel) {
+		if (mapping != null) {
+			String input = storkQAALevel.substring(STORK_QAA_PREFIX.length());			
+			String mappedQAA = mapping.getProperty(input);
+			if (MiscUtil.isNotEmpty(mappedQAA)) {
+				Logger.info("Map STORK-QAA " + storkQAALevel + " to PVP SecClass " + mappedQAA);
+				return mappedQAA;
+				
+			}						
+		}		
+		Logger.warn("No mapping for STORK-QAA " + storkQAALevel +" !");
+		return null;
+	}
+	
 	/**Map a PVP SecClass to STORK QAA level
 	 * 
 	 * @param PVP SecClass pvpQAALevel
 	 * @return STORK-QAA level
 	 */	
-	public String mapQAALevel(String pvpQAALevel) {
+	public String mapToQAALevel(String pvpQAALevel) {
 		if (mapping != null) {
 			String input = pvpQAALevel.substring(PVP_SECCLASS_PREFIX.length());			
 			String mappedQAA = mapping.getProperty(input);
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties b/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties
index 63745f826..1a8d8db58 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/pvp-stork_mapping.properties
@@ -2,8 +2,14 @@
 viewer=CIRCABC/viewer
 CIRCABC-viewer=CIRCABC/viewer
 
-##PVP SecClass mapping
+##PVP SecClass to STORK-QAA mapping
 secclass/0=http://www.stork.gov.eu/1.0/citizenQAALevel/1
 secclass/0-1=http://www.stork.gov.eu/1.0/citizenQAALevel/2
 secclass/0-2=http://www.stork.gov.eu/1.0/citizenQAALevel/3
-secclass/0-3=http://www.stork.gov.eu/1.0/citizenQAALevel/4
\ No newline at end of file
+secclass/0-3=http://www.stork.gov.eu/1.0/citizenQAALevel/4
+
+##STORK-QAA to PVP SecClass mapping
+citizenQAALevel/1=http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0
+citizenQAALevel/2=http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-1
+citizenQAALevel/3=http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-2
+citizenQAALevel/4=http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3
\ No newline at end of file
-- 
cgit v1.2.3