From 3535ae9500b29d0b2d0f317ea7f47a6c25c6f70e Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 10 Jul 2018 16:53:03 +0200 Subject: some small updates and handbook update --- .../EidasCentralAuthConstants.java | 2 +- ...idasCentralAuthRequestBuilderConfiguration.java | 12 ++++++- .../tasks/CreateAuthnRequestTask.java | 10 ++++++ .../tasks/ReceiveAuthnResponseTask.java | 39 +++++----------------- 4 files changed, 30 insertions(+), 33 deletions(-) (limited to 'id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment') diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java index 55864f3c9..0f4f81122 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java @@ -55,7 +55,7 @@ public class EidasCentralAuthConstants { public static final String CONFIG_PROPS_SIGN_SIGNING_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "request.sign.alias"; public static final String CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.password"; public static final String CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.alias"; - public static final String CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST = CONFIG_PROPS_PREFIX + "required.additinal.attributes"; + public static final String CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST = CONFIG_PROPS_PREFIX + "required.additional.attributes"; public static final String CONFIG_PROPS_NODE_ENTITYID = CONFIG_PROPS_PREFIX + "node.entityId"; public static final String CONFIG_PROPS_NODE_METADATAURL = CONFIG_PROPS_PREFIX + "node.metadataUrl"; public static final String CONFIG_PROPS_NODE_TRUSTPROFILEID = CONFIG_PROPS_PREFIX + "node.trustprofileID"; diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthRequestBuilderConfiguration.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthRequestBuilderConfiguration.java index ebbe08588..8376f3aad 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthRequestBuilderConfiguration.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthRequestBuilderConfiguration.java @@ -48,6 +48,7 @@ public class EidasCentralAuthRequestBuilderConfiguration implements IPVPAuthnReq private String scopeRequesterId; private String providerName; private List requestedAttributes; + private String reqId; /* (non-Javadoc) @@ -186,7 +187,7 @@ public class EidasCentralAuthRequestBuilderConfiguration implements IPVPAuthnReq */ @Override public String getRequestID() { - return null; + return this.reqId; } /* (non-Javadoc) @@ -256,6 +257,15 @@ public class EidasCentralAuthRequestBuilderConfiguration implements IPVPAuthnReq this.requestedAttributes = requestedAttributes; } + /** + * Set a RequestId for this Authn. Request + * + * @param reqId + */ + public void setRequestId(String reqId) { + this.reqId = reqId; + } + diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java index 08ae845cb..e312299f8 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/CreateAuthnRequestTask.java @@ -29,6 +29,7 @@ import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.opensaml.common.impl.SecureRandomIdentifierGenerator; import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.provider.MetadataProviderException; @@ -45,6 +46,7 @@ import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute; import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPAttributeBuilder; import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils; import at.gv.egiz.eaaf.modules.pvp2.sp.impl.PVPAuthnRequestBuilder; +import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants; import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.config.EidasCentralAuthRequestBuilderConfiguration; import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthCredentialProvider; @@ -76,6 +78,8 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask { public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) throws TaskExecutionException { try{ + revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_SELECTED); + //check if eIDAS authentication is enabled for this SP if (!Boolean.parseBoolean(pendingReq.getServiceProviderConfiguration().getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_STORK_ENABLED, String.valueOf(false)))) { Logger.info("eIDAS authentication is NOT enabled for OA: " + pendingReq.getServiceProviderConfiguration().getUniqueIdentifier()); @@ -114,6 +118,8 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask { //setup AuthnRequestBuilder configuration EidasCentralAuthRequestBuilderConfiguration authnReqConfig = new EidasCentralAuthRequestBuilderConfiguration(); + SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator(); + authnReqConfig.setRequestId(gen.generateIdentifier()); authnReqConfig.setIdpEntity(entityDesc); authnReqConfig.setPassive(false); authnReqConfig.setSignCred(credential.getIDPAssertionSigningCredential()); @@ -130,6 +136,10 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask { //build and transmit AuthnRequest authnReqBuilder.buildAuthnRequest(pendingReq, authnReqConfig , response); + revisionsLogger.logEvent(pendingReq, + MOAIDEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_REQUESTED, + authnReqConfig.getRequestID()); + } catch (MOAIDException e) { throw new TaskExecutionException(pendingReq, e.getMessage(), e); diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java index f9686029f..214a23f88 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java @@ -59,7 +59,6 @@ import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants; import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthCredentialProvider; import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentralAuthMetadataProvider; -import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP; @@ -112,7 +111,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { msg = (InboundMessage) decoder.decode( request, response, metadataProvider, true, comperator); - + if (MiscUtil.isEmpty(msg.getEntityID())) { throw new InvalidProtocolRequestException("sp.pvp2.04", new Object[] {EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING}, @@ -126,9 +125,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { msg.setVerified(true); } - - revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_AUTHRESPONSE); - + //validate assertion PVPSProfileResponse processedMsg = preProcessAuthResponse((PVPSProfileResponse) msg); @@ -153,7 +150,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { requestStoreage.storePendingRequest(pendingReq); //write log entries - revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_INTERFEDERATION_REVEIVED); + revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_MDS_VALID); Logger.info("Receive a valid assertion from IDP " + msg.getEntityID()); } catch (MessageDecodingException | SecurityException e) { @@ -208,32 +205,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { } } - - /** - * @param executionContext - * @param idpConfig - * @param message - * @param objects - * @throws TaskExecutionException - * @throws Throwable - */ - private void handleAuthnResponseValidationProblem(ExecutionContext executionContext, IOAAuthParameters idpConfig, Throwable e) throws TaskExecutionException { - - if (idpConfig != null && idpConfig.isPerformLocalAuthenticationOnInterfederationError()) { - Logger.info("Switch to local authentication on this IDP ... "); - - executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION, true); - executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, true); - executionContext.remove(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH); - - } else { - throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", e); - - } - - } - /** * PreProcess AuthResponse and Assertion * @param msg @@ -257,11 +229,16 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING); msg.setSAMLMessage(SAML2Utils.asDOMDocument(samlResp).getDocumentElement()); + revisionsLogger.logEvent(pendingReq, + MOAIDEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_RECEIVED, + samlResp.getID()); return msg; } else { Logger.info("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue() + " from 'ms-specific eIDAS node'."); + revisionsLogger.logEvent(pendingReq, + MOAIDEventConstants.AUTHPROCESS_EIDAS_AT_CONNECTOR_RECEIVED_ERROR); throw new AuthnResponseValidationException("sp.pvp2.05", new Object[]{EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING, samlResp.getIssuer().getValue(), samlResp.getStatus().getStatusCode().getValue()}); -- cgit v1.2.3