From db040cc2832f845db0919d1c4e2b034b8737ef24 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 3 Nov 2014 09:37:02 +0100 Subject: add check if requested STORK-QAA level matches auth QAA level --- .../id/protocols/stork2/AuthenticationRequest.java | 37 ++++++++++++++++++++-- .../PVPAuthenticationProvider.java | 6 ++-- .../resources/properties/id_messages_de.properties | 1 + .../protocol_response_statuscodes_de.properties | 1 + 4 files changed, 38 insertions(+), 7 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java index aa018d5a3..d59191c08 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java @@ -33,6 +33,7 @@ import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.storage.AssertionStorage; import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; @@ -110,8 +111,38 @@ public class AuthenticationRequest implements IAction { // Get personal attributtes from MOA/IdentityLink //build STORK attributes from local authentication information - if (authData != null) + if (authData != null) { + int reqQaa = -1; + int authQaa = -1; + try { + reqQaa = moaStorkRequest.getStorkAuthnRequest().getQaa(); + authQaa = Integer.valueOf( + authData.getQAALevel().substring(PVPConstants.STORK_QAA_PREFIX.length())); + + if (reqQaa > authQaa) { + Logger.warn("Requested QAA level does not match to authenticated QAA level"); + throw new MOAIDException("stork.21", new Object[]{reqQaa, authQaa}); + + } + + } catch (MOAIDException e) { + throw e; + + } catch (Exception e) { + if (Logger.isDebugEnabled()) + Logger.warn("STORK QAA Level evaluation error", e); + + else + Logger.warn("STORK QAA Level evaluation error (ErrorMessage=" + + e.getMessage() + ")"); + + throw new MOAIDException("stork.21", new Object[]{reqQaa, authQaa}); + + } + moaStorkResponse.setPersonalAttributeList(populateAttributes(authData, oaParam)); + + } } //moaStorkResponse.setCountry(moaStorkRequest.getSpCountry()); @@ -452,7 +483,7 @@ public class AuthenticationRequest implements IAction { IPersonalAttributeList attrLst = moaStorkRequest.getStorkAuthnRequest().getPersonalAttributeList(); Logger.info("Found " + attrLst.size() + " personal attributes in the request."); - + // Define attribute list to be populated PersonalAttributeList attributeList = new PersonalAttributeList(); MOAAttributeProvider moaAttributeProvider = new MOAAttributeProvider(authData, moaStorkRequest); @@ -470,7 +501,7 @@ public class AuthenticationRequest implements IAction { Logger.error("Exception, attributes: " + e.getMessage()); } - Logger.debug("AUTHBLOCK " + authData.getAuthBlock()); + Logger.trace("AUTHBLOCK " + authData.getAuthBlock()); Logger.debug("SESSION IDENTIFIER " + authData.getCcc() + " " + oaParam.getIdentityLinkDomainIdentifier()); return attributeList; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java index 88c59ccf9..96aa55bcf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/attributeproviders/PVPAuthenticationProvider.java @@ -134,11 +134,9 @@ public class PVPAuthenticationProvider extends AttributeProvider { authRequest.setPersonalAttributeList(moastorkRequest.getPersonalAttributeList()); authRequest.setCitizenCountryCode("AT"); - authRequest.setQaa(oaParam.getQaaLevel()); + //authRequest.setQaa(oaParam.getQaaLevel()); + authRequest.setQaa(moastorkRequest.getStorkAuthnRequest().getQaa()); - if (authRequest.getQaa() == 0 ) { - authRequest.setQaa(4); // workaround - } diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 848866090..8fda4566c 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -228,6 +228,7 @@ stork.17=Fehler beim Einholen der Zustimmung f\uFFFDr Attribut\u00FCbertragung d stork.18=STORK-SAML Engine konnte nicht initialisiert werden. stork.19=Das erforderliche Attribut ist f\u00FCr naturliche Personen nicht vorhanden\: {0} stork.20=Fehler bei der Datenkonversion - eingegebens Datum fehlerhaft +stork.21=Der angeforderte QAA-level {0} ist h\u00F6her als der QAA-level der Authentifizierung {1} pvp2.00={0} ist kein gueltiger consumer service index pvp2.01=Fehler beim kodieren der PVP2 Antwort diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties index 27f735028..eeacdc627 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties @@ -172,6 +172,7 @@ stork.17=1203 stork.18=9004 stork.19=1203 stork.20=1204 +stork.21=1205 pvp2.01=6100 pvp2.06=6100 -- cgit v1.2.3