From 9d1cbc894680a3b93f98e1f173e6ffa27ffbca96 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Thu, 17 Apr 2014 08:01:12 +0200
Subject: + preProcess inbound PVP2.1 assertion + add inbound PVP2.1 assertion
 to IReqeust

---
 .../at/gv/egovernment/moa/id/moduls/IRequest.java  |   3 +
 .../gv/egovernment/moa/id/moduls/RequestImpl.java  |  20 ++++
 .../moa/id/protocols/pvp2x/PVP2XProtocol.java      | 115 ++++++++++++++++++++-
 .../id/protocols/pvp2x/PVPTargetConfiguration.java |   4 +-
 .../moa/id/protocols/stork2/MOASTORKRequest.java   |  10 ++
 5 files changed, 147 insertions(+), 5 deletions(-)

(limited to 'id/server/idserverlib')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java
index a33d39ba7..c29c3a1b3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java
@@ -22,6 +22,8 @@
  *******************************************************************************/
 package at.gv.egovernment.moa.id.moduls;
 
+import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
+
 public interface IRequest {
 	public String getOAURL();
 	public boolean isPassiv();
@@ -35,6 +37,7 @@ public interface IRequest {
 	public void setRequestID(String id);
 	public String getRequestID();	
 	public String getRequestedIDP();
+	public MOAResponse getInterfederationResponse();
 	
 	//public void setTarget();
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
index d3ab640f1..94851ee8f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java
@@ -24,6 +24,8 @@ package at.gv.egovernment.moa.id.moduls;
 
 import java.io.Serializable;
 
+import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
+
 public class RequestImpl implements IRequest, Serializable{
 
 	private static final long serialVersionUID = 1L;
@@ -36,7 +38,10 @@ public class RequestImpl implements IRequest, Serializable{
 	private String action = null;
 	private String target = null;
 	private String requestID;
+	
+	//MOA-ID interfederation
 	private String requestedIDP = null;
+	private MOAResponse response = null;
 	
 	
 	public void setOAURL(String value) {
@@ -118,6 +123,21 @@ public class RequestImpl implements IRequest, Serializable{
 	public void setRequestedIDP(String requestedIDP) {
 		this.requestedIDP = requestedIDP;
 	}
+
+	/**
+	 * @return the response
+	 */
+	public MOAResponse getInterfederationResponse() {
+		return response;
+	}
+
+	/**
+	 * @param response the response to set
+	 */
+	public void setInterfederationResponse(MOAResponse response) {
+		this.response = response;
+	}
+	
 	
 	
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index e7b64be6a..3ab4dd74c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -33,18 +33,29 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.lang.StringEscapeUtils;
+import org.joda.time.DateTime;
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.core.Conditions;
+import org.opensaml.saml2.core.EncryptedAssertion;
 import org.opensaml.saml2.core.RequestAbstractType;
 import org.opensaml.saml2.core.Response;
 import org.opensaml.saml2.core.Status;
 import org.opensaml.saml2.core.StatusCode;
 import org.opensaml.saml2.core.StatusMessage;
 import org.opensaml.saml2.core.impl.AuthnRequestImpl;
+import org.opensaml.saml2.encryption.Decrypter;
+import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
 import org.opensaml.saml2.metadata.AssertionConsumerService;
 import org.opensaml.saml2.metadata.AttributeConsumingService;
 import org.opensaml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
+import org.opensaml.xml.encryption.DecryptionException;
+import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
+import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
+import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
+import org.opensaml.xml.security.x509.X509Credential;
 
 import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
@@ -54,22 +65,23 @@ import at.gv.egovernment.moa.id.moduls.IAction;
 import at.gv.egovernment.moa.id.moduls.IModulInfo;
 import at.gv.egovernment.moa.id.moduls.IRequest;
 import at.gv.egovernment.moa.id.moduls.NoPassivAuthenticationException;
+import at.gv.egovernment.moa.id.moduls.RequestImpl;
+import at.gv.egovernment.moa.id.moduls.RequestStorage;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
-import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestValidatorException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.MandateAttributesNotHandleAbleException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.CheckMandateAttributes;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
-import at.gv.egovernment.moa.id.protocols.pvp2x.validation.AuthnRequestValidator;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
 import at.gv.egovernment.moa.id.util.VelocityLogAdapter;
@@ -171,6 +183,28 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 				return preProcessAuthRequest(request, response, (MOARequest) msg);
 			
 			else if (msg instanceof MOAResponse) {
+				//load service provider AuthRequest from session
+											
+				IRequest obj = RequestStorage.getPendingRequest(msg.getRelayState());
+				if (obj instanceof RequestImpl) {
+					RequestImpl iReq = (RequestImpl) obj;
+
+					MOAResponse processedMsg = preProcessAuthResponse((MOAResponse) msg);
+					
+					if ( processedMsg != null ) {
+						iReq.setInterfederationResponse((MOAResponse) msg);						
+												
+					} else {
+						Logger.info("Receive NO valid SSO session from " + msg.getEntityID() 
+								+". Switch to local authentication process ...");
+						iReq.setRequestedIDP(null);
+					}
+									
+					return iReq;
+					
+				}
+
+				Logger.error("Stored PVP21 authrequest from service provider has an unsuppored type.");
 				return null;
 				
 			}
@@ -362,4 +396,79 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants {
 		
 		return config;
 	}
+	
+	/**
+	 * @param msg
+	 */
+	private MOAResponse preProcessAuthResponse(MOAResponse msg) {
+		Logger.debug("Start PVP21 assertion processing... ");
+		Response samlResp = msg.getResponse();
+		
+		try {
+			if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+				List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
+				
+				//check encrypted Assertion
+				List<EncryptedAssertion> encryAssertionList = samlResp.getEncryptedAssertions();
+				if (encryAssertionList != null && encryAssertionList.size() > 0) {
+					//decrypt assertions
+					
+					Logger.debug("Found encryped assertion. Start decryption ...");
+									
+					X509Credential authDecCredential = CredentialProvider.getIDPAssertionEncryptionCredential();
+									
+					StaticKeyInfoCredentialResolver skicr =
+							  new StaticKeyInfoCredentialResolver(authDecCredential);
+					
+					ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
+					encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
+					encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
+					encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
+					
+					Decrypter samlDecrypter =
+							  new Decrypter(null, skicr, encryptedKeyResolver);
+					
+					for (EncryptedAssertion encAssertion : encryAssertionList) {							
+						saml2assertions.add(samlDecrypter.decrypt(encAssertion));
+	
+					}
+					
+					Logger.debug("Assertion decryption finished. ");
+					
+				} else {
+					saml2assertions = samlResp.getAssertions();
+			
+				}
+				
+				for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
+					
+					Conditions conditions = saml2assertion.getConditions();
+					DateTime notbefore = conditions.getNotBefore();
+					DateTime notafter = conditions.getNotOnOrAfter();
+					if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) {
+						Logger.warn("PVP2 Assertion is out of Date");
+						return null;
+						
+					}
+					
+					samlResp.getAssertions().clear();
+					samlResp.getEncryptedAssertions().clear();
+					samlResp.getAssertions().addAll(saml2assertions);
+										
+					msg.setSAMLMessage(samlResp.getDOM());
+					return msg;
+					
+				}							
+			}
+			
+		} catch (CredentialsNotAvailableException e) {
+			Logger.warn("Assertion decrypt FAILED - No Credentials", e);
+			
+		} catch (DecryptionException e) {
+			Logger.warn("Assertion decrypt FAILED.", e);
+			
+		}
+		
+		return null;
+	}
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
index 03b65bc7e..6e749aaf0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java
@@ -24,6 +24,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x;
 
 import at.gv.egovernment.moa.id.moduls.RequestImpl;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
 
 public class PVPTargetConfiguration extends RequestImpl {
 
@@ -55,6 +56,5 @@ public class PVPTargetConfiguration extends RequestImpl {
 
 	public void setConsumerURL(String consumerURL) {
 		this.consumerURL = consumerURL;
-	}
-	
+	}	
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java
index 23b8b3f7a..0eb1b83ca 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/MOASTORKRequest.java
@@ -3,6 +3,7 @@ package at.gv.egovernment.moa.id.protocols.stork2;
 import java.io.Serializable;
 
 import at.gv.egovernment.moa.id.moduls.IRequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
 import at.gv.egovernment.moa.logging.Logger;
 import eu.stork.peps.auth.commons.IPersonalAttributeList;
 import eu.stork.peps.auth.commons.STORKAttrQueryRequest;
@@ -219,4 +220,13 @@ public class MOASTORKRequest implements IRequest, Serializable {
 		// TODO Auto-generated method stub
 		return null;
 	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.moduls.IRequest#getInterfederationResponse()
+	 */
+	@Override
+	public MOAResponse getInterfederationResponse() {
+		// TODO Auto-generated method stub
+		return null;
+	}
 }
-- 
cgit v1.2.3