From ac531e30d13d6714e2ac61f7329e6adc130aa288 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 24 May 2019 12:23:41 +0200 Subject: untested switch to EAAF-components 1.0.7 --- .../controller/EidasCentralAuthMetadataController.java | 5 +++-- .../controller/EidasCentralAuthSignalController.java | 3 ++- .../eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java | 2 +- 3 files changed, 6 insertions(+), 4 deletions(-) (limited to 'id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java') diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java index 4898c8f1e..b80e995ed 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java @@ -37,6 +37,7 @@ import org.springframework.web.bind.annotation.RequestMethod; import com.google.common.net.MediaType; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController; import at.gv.egiz.eaaf.core.impl.utils.HTTPUtils; 
@@ -72,7 +73,7 @@ public class EidasCentralAuthMetadataController extends AbstractController { @RequestMapping(value = EidasCentralAuthConstants.ENDPOINT_METADATA, method = {RequestMethod.GET}) - public void getSPMetadata(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void getSPMetadata(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException { //check PublicURL prefix try { String authURL = HTTPUtils.extractAuthURLFromRequest(req); @@ -101,7 +102,7 @@ public class EidasCentralAuthMetadataController extends AbstractController { } catch (Exception e) { Logger.warn("Build federated-authentication PVP metadata FAILED.", e); - handleErrorNoRedirect(e, req, resp, false); + protAuthService.handleErrorNoRedirect(e, req, resp, false); } diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthSignalController.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthSignalController.java index 1486ef841..60a98213e 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthSignalController.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthSignalController.java 
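Review bot: `getSPMetadata` now declares `throws EAAFException`, and the only source of that exception in the hunk is the new `protAuthService.handleErrorNoRedirect(e, req, resp, false)` call inside the `catch (Exception e)` block, so a failure while reporting the metadata-build error now escapes to the servlet container with no response written by this controller. That may be the intended behaviour of the new component version, but it is worth stating on the method, e.g. `@throws EAAFException if the error handler itself fails; no response has been written in that case`. The method body continues outside the hunk, so I cannot see whether `protAuthService` is initialised before this endpoint can be hit.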
@@ -32,6 +32,7 @@ import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; +import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController; import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants; import at.gv.egovernment.moa.logging.Logger; @@ -55,7 +56,7 @@ public class EidasCentralAuthSignalController extends AbstractProcessEngineSigna EidasCentralAuthConstants.ENDPOINT_REDIRECT }, method = {RequestMethod.POST, RequestMethod.GET}) - public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException { + public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException { signalProcessManagement(req, resp); } diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java index cd3f1f788..3a4bcdc48 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java 
@@ -44,7 +44,7 @@ import org.opensaml.xml.parse.BasicParserPool; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; -import at.gv.egiz.eaaf.core.api.IDestroyableObject; +import at.gv.egiz.components.spring.api.IDestroyableObject; import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.MetadataFilterChain; import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.SimpleMetadataProvider; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata.SchemaValidationFilter; -- cgit v1.2.3 From 66859cd53d4181350525e91c4d35071932675ca7 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 29 May 2019 14:04:44 +0200 Subject: refactoring from MOA-ID 3.4.x to MOA E-ID Proxy 4.0.x --- .../controller/EidasCentralAuthMetadataController.java | 2 +- .../eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java') diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java index b80e995ed..a6a7084f5 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java 
@@ -109,7 +109,7 @@ public class EidasCentralAuthMetadataController extends AbstractController { } private List> getAdditonalRequiredAttributes() { - Map addReqAttributes = authConfig.getBasicMOAIDConfigurationWithPrefix(EidasCentralAuthConstants.CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST); + Map addReqAttributes = authConfig.getBasicConfigurationWithPrefix(EidasCentralAuthConstants.CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST); if (addReqAttributes != null) { List> result = new ArrayList>(); for (String el : addReqAttributes.values()) { diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java index 3a4bcdc48..5c3bf0d27 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/utils/EidasCentralAuthMetadataProvider.java 
@@ -323,14 +323,14 @@ public class EidasCentralAuthMetadataProvider extends SimpleMetadataProvider //FIX: change hostname validation default flag to true when httpClient is updated to > 4.4 MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( PVPConstants.SSLSOCKETFACTORYNAME, - moaAuthConfig.getBasicMOAIDConfigurationBoolean( + moaAuthConfig.getBasicConfigurationBoolean( AuthConfiguration.PROP_KEY_SSL_USE_JVM_TRUSTSTORE, false), moaAuthConfig.getTrustedCACertificates(), null, AuthConfiguration.DEFAULT_X509_CHAININGMODE, moaAuthConfig.isTrustmanagerrevoationchecking(), moaAuthConfig.getRevocationMethodOrder(), - moaAuthConfig.getBasicMOAIDConfigurationBoolean( + moaAuthConfig.getBasicConfigurationBoolean( AuthConfiguration.PROP_KEY_SSL_HOSTNAME_VALIDATION, false)); httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory); -- cgit v1.2.3 From e4fa532f93f10115e1f39c97cc96e5950a048884 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 11 Dec 2019 16:01:38 +0100 Subject: update to EAAF-Components 1.0.13.1 Enforce E-ID authentication based on Service-Provider configuration --- .../id/auth/modules/eIDAScentralAuth/EidasCentralAuthModuleImpl.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java') diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthModuleImpl.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthModuleImpl.java index 821a200c7..53b3f3e1a 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthModuleImpl.java 
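Review bot: The renamed `moaAuthConfig.getBasicConfigurationBoolean(AuthConfiguration.PROP_KEY_SSL_HOSTNAME_VALIDATION, false)` call at the end of the hunk still defaults TLS hostname validation to off when the property is absent, so the metadata download from `metadataURL` checks the certificate chain but not that the certificate belongs to the host; the `//FIX:` comment above the socket-factory construction already acknowledges this. A migration commit is a reasonable place to flip that default to `true`, or at least to log a warning when the value resolves to `false`, so operators notice that metadata is fetched without hostname verification; I cannot see from this hunk whether the httpClient upgrade the comment waits for has happened. The enclosing method begins and ends outside the hunk.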
+++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthModuleImpl.java @@ -29,6 +29,7 @@ import javax.annotation.PostConstruct; import org.apache.commons.lang3.StringUtils; import org.springframework.beans.factory.annotation.Autowired; +import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egovernment.moa.id.moduls.AuthenticationManager; @@ -64,7 +65,7 @@ public class EidasCentralAuthModuleImpl implements AuthModule { * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#selectProcess(at.gv.egovernment.moa.id.process.api.ExecutionContext) */ @Override - public String selectProcess(ExecutionContext context) { + public String selectProcess(ExecutionContext context, IRequest pendingReq) { Serializable paramObj = context.get(EidasCentralAuthConstants.HTTP_PARAM_CENTRAL_EIDAS_AUTH_SELECTION); if (paramObj != null ) { if (paramObj instanceof String) { -- cgit v1.2.3 From 38f60c2385cd47c320942fdc7c9eb158f0e320e0 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 13 Dec 2019 08:54:02 +0100 Subject: add code for SEMPER eIDAS extensions --- .../EidasCentralAuthConstants.java | 19 +++ .../EidasCentralAuthMetadataConfiguration.java | 2 +- .../EidasCentralAuthMetadataController.java | 22 ++- .../semper/AuthnRequestSemperProcessor.java | 151 +++++++++++++++++++++ .../tasks/ReceiveAuthnResponseTask.java | 24 +++- 5 files changed, 209 insertions(+), 9 deletions(-) create mode 100644 id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/AuthnRequestSemperProcessor.java (limited to 'id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java') 
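Review bot: The Javadoc `@see` line directly above `selectProcess` still names the one-argument form `selectProcess(at.gv.egovernment.moa.id.process.api.ExecutionContext)`, which no longer matches the new signature `selectProcess(ExecutionContext context, IRequest pendingReq)`, and the new `pendingReq` parameter is neither used in the visible lines nor documented. I would add `@param pendingReq the pending request whose service-provider configuration decides whether E-ID authentication is enforced` only after confirming that this is what the remainder of the method does — the commit message says so, but the body continues outside the hunk. The stale `@see` should be updated to the new signature or dropped, since `@Override` already ties the method to the interface.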
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java index 19950a078..96c78abb4 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/EidasCentralAuthConstants.java @@ -27,6 +27,7 @@ import java.util.Collections; import java.util.List; import at.gv.egiz.eaaf.core.api.data.EAAFConstants; +import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.core.impl.data.Trible; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; @@ -60,6 +61,8 @@ public class EidasCentralAuthConstants { public static final String CONFIG_PROPS_NODE_METADATAURL = CONFIG_PROPS_PREFIX + "node.metadataUrl"; public static final String CONFIG_PROPS_NODE_TRUSTPROFILEID = CONFIG_PROPS_PREFIX + "node.trustprofileID"; + public static final String CONFIG_PROPS_SEMPER_MANDATES_ACTIVE = CONFIG_PROPS_PREFIX + "semper.mandates.active"; + public static final String CONFIG_PROPS_SEMPER_MANDATES_MS_PROXY_LIST = CONFIG_PROPS_PREFIX + "semper.msproxy.list"; public static final String CONFIG_DEFAULT_LOA_EIDAS_LEVEL = EAAFConstants.EIDAS_LOA_HIGH; public static final List> DEFAULT_REQUIRED_PVP_ATTRIBUTES = 
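Review bot: The two new keys `CONFIG_PROPS_SEMPER_MANDATES_ACTIVE` and `CONFIG_PROPS_SEMPER_MANDATES_MS_PROXY_LIST` carry no Javadoc, and the second one is a security boundary: a later hunk of this commit (`AuthnRequestSemperProcessor.isSpAllowed`) reads it as a CSV list of issuer entityIDs that may trigger SEMPER mandate processing. I would document that on the constant, e.g. `/** Comma-separated entityIDs of eIDAS MS-Proxy nodes allowed to request SEMPER mandate processing; absent or empty means no issuer is allowed. */` — the "empty means none" part should be checked against `KeyValueUtils.getListOfCSVValues`, whose handling of a null configuration value is not visible here.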
@@ -81,6 +84,22 @@ public class EidasCentralAuthConstants { } }); + public static final List> DEFAULT_SEMPER_MANDATE_PVP_ATTRIBUTES = + Collections.unmodifiableList(new ArrayList>() { + private static final long serialVersionUID = 1L; + { + //request entity information + add(Pair.newInstance(PVPConstants.MANDATE_TYPE_NAME, false)); + add(Pair.newInstance(PVPConstants.MANDATE_TYPE_OID_NAME, false)); + + add(Pair.newInstance(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME, false)); + add(Pair.newInstance(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, false)); + add(Pair.newInstance(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME, false)); + + + } + }); + public static final List DEFAULT_REQUIRED_PVP_ATTRIBUTE_NAMES = Collections.unmodifiableList(new ArrayList() { private static final long serialVersionUID = 1L; diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java index aad1244f1..2bb384c74 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/config/EidasCentralAuthMetadataConfiguration.java 
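Review bot: `DEFAULT_SEMPER_MANDATE_PVP_ATTRIBUTES` uses the double-brace initializer, which creates an anonymous `ArrayList` subclass (hence the `serialVersionUID`) only to populate a constant; `Collections.unmodifiableList(Arrays.asList(Pair.newInstance(...), ...))` builds the same list without the extra class. It mirrors the existing `DEFAULT_REQUIRED_PVP_ATTRIBUTES` above it, so this is a consistency choice rather than a defect. The comment `//request entity information` does not explain why all five isRequired flags are `false`; a line such as `// all optional: mandate attributes are only delivered when the user acts on behalf of an entity` would make the intent explicit, assuming that is the reason.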
@@ -334,7 +334,7 @@ public class EidasCentralAuthMetadataConfiguration implements IPVPMetadataBuilde * @param additionalAttr List of PVP attribute name and isRequired flag */ public void setAdditionalRequiredAttributes(List> additionalAttr) { - if (additionalAttr != null) { + if (additionalAttr != null && !additionalAttr.isEmpty()) { additionalAttributes = new ArrayList(); for (Pair el : additionalAttr) { Attribute attributBuilder = PVPAttributeBuilder.buildEmptyAttribute(el.getFirst()); diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java index a6a7084f5..a0c1fa30b 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/controller/EidasCentralAuthMetadataController.java 
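Review bot: With the added `!additionalAttr.isEmpty()` guard in `setAdditionalRequiredAttributes`, an empty list no longer touches `additionalAttributes`, so whatever the field held before is kept instead of being cleared; together with `getAdditonalRequiredAttributes` now returning an empty list instead of `null`, a caller that means "no additional attributes" can no longer reset a previously populated builder. Whether that matters depends on the `else` path and on whether this configuration object is reused across metadata builds, both outside the hunk. If the intent is "empty means none", reset `additionalAttributes` to an empty list before the guard so both branches leave a consistent state, and state in the `@param additionalAttr` Javadoc how an empty list is treated.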
@@ -109,9 +109,17 @@ public class EidasCentralAuthMetadataController extends AbstractController { } private List> getAdditonalRequiredAttributes() { - Map addReqAttributes = authConfig.getBasicConfigurationWithPrefix(EidasCentralAuthConstants.CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST); - if (addReqAttributes != null) { - List> result = new ArrayList>(); + List> result = new ArrayList>(); + + //load SEMPER attributes if required + if (authConfig.getBasicConfigurationBoolean(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_ACTIVE, false)) { + result.addAll(EidasCentralAuthConstants.DEFAULT_SEMPER_MANDATE_PVP_ATTRIBUTES); + + } + + //load attributes from configuration + Map addReqAttributes = authConfig.getBasicConfigurationWithPrefix(EidasCentralAuthConstants.CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST); + if (addReqAttributes != null) { for (String el : addReqAttributes.values()) { if (MiscUtil.isNotEmpty(el)) { Logger.trace("Parse additional attr. definition: " + el); @@ -123,12 +131,12 @@ public class EidasCentralAuthMetadataController extends AbstractController { Logger.info("IGNORE additional attr. definition: " + el + " Reason: Format not valid"); } - } - - return result; + } } - return null; + return result; + + } } diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/AuthnRequestSemperProcessor.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/AuthnRequestSemperProcessor.java new file mode 100644 index 000000000..222ba812c --- /dev/null +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/semper/AuthnRequestSemperProcessor.java 
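Review bot: In `getAdditonalRequiredAttributes` the SEMPER defaults are added first and the entries parsed from `CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST` are appended afterwards without a duplicate check, so an operator who also lists one of the SEMPER attribute names in the configuration produces two `Pair`s with the same attribute name in the returned list (the loop that turns `el` into a `Pair` lies between the two hunks and is not visible). I would de-duplicate by attribute name before `return result;`, or document in a comment that configured entries must not overlap the SEMPER set. The second hunk's switch from `return null` to `return result` is the right change; the typo in the private method name `getAdditonalRequiredAttributes` could be fixed in the same pass.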
@@ -0,0 +1,151 @@ +package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.semper; + +import java.util.List; +import java.util.Map; + +import javax.servlet.http.HttpServletRequest; + +import org.apache.commons.lang3.StringUtils; +import org.opensaml.saml2.core.AuthnRequest; +import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.xml.XMLObject; +import org.springframework.beans.factory.annotation.Autowired; + +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.data.EAAFConstants; +import at.gv.egiz.eaaf.core.api.data.ExtendedPVPAttributeDefinitions; +import at.gv.egiz.eaaf.core.api.data.PVPAttributeDefinitions; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException; +import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttribute; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EAAFRequestedAttributes; +import at.gv.egiz.eaaf.modules.pvp2.api.validation.IAuthnRequestPostProcessor; +import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.EidasCentralAuthConstants; +import at.gv.egovernment.moa.id.commons.MOAIDConstants; +import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; +import at.gv.egovernment.moa.logging.Logger; + +public class AuthnRequestSemperProcessor implements IAuthnRequestPostProcessor { + + @Autowired IConfiguration authConfig; + + @Override + public void process(HttpServletRequest httpReq, IRequest pendingReq, AuthnRequest authReq, + SPSSODescriptor spSsoDescriptor) throws AuthnRequestValidatorException { + if (authConfig.getBasicConfigurationBoolean( + EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_ACTIVE, false) + && isSpAllowed(authReq)) { + + Logger.debug("SEMPER mode detected. 
Starting SP-Info extraction from requested attributes ..."); + extractRequestedAttributeInformation(authReq, pendingReq); + + } else { + Logger.trace("Skip: " + AuthnRequestSemperProcessor.class.getSimpleName() + " because is's not active or not allowed"); + + } + + } + + private boolean isSpAllowed(AuthnRequest authReq) { + String csvOfAllowedProxies = authConfig.getBasicConfiguration(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_MS_PROXY_LIST); + List allowedProxies = KeyValueUtils.getListOfCSVValues(csvOfAllowedProxies); + Logger.trace("Validate SP-EntityId: " + authReq.getIssuer().getValue() + + " with allowed MS-Proxies: [" + StringUtils.join(allowedProxies, ", ") + "]"); + return allowedProxies.contains(authReq.getIssuer().getValue()); + + } + + + private void extractRequestedAttributeInformation(AuthnRequest authnReq, IRequest pendingReq) throws AuthnRequestValidatorException { + // validate and process requested attributes + boolean hasValidBpkTarget = false; + if (authnReq.getExtensions() != null) { + final List requestedAttributes = authnReq.getExtensions().getUnknownXMLObjects(); + for (final XMLObject reqAttrObj : requestedAttributes) { + if (reqAttrObj instanceof EAAFRequestedAttributes) { + final EAAFRequestedAttributes reqAttr = (EAAFRequestedAttributes) reqAttrObj; + if (reqAttr.getAttributes() != null && reqAttr.getAttributes().size() != 0) { + for (final EAAFRequestedAttribute el : reqAttr.getAttributes()) { + Logger.trace("Processing req. attribute '" + el.getName() + "' ... "); + if (el.getName().equals(PVPAttributeDefinitions.EID_SECTOR_FOR_IDENTIFIER_NAME)) { + hasValidBpkTarget = extractBpkTarget(el, pendingReq); + + } else if (el.getName().equals(ExtendedPVPAttributeDefinitions.SP_USESMANDATES_NAME )) { + extractMandateProfiles(el, pendingReq); + + } else { + Logger.debug("Ignore req. attribute: " + el.getName()); + } + + } + + } else { + Logger.debug("No requested Attributes in Authn. 
Request"); + } + + } else { + Logger.info("Ignore unknown requested attribute: " + reqAttrObj.getElementQName().toString()); + } + + } + } + + if (!hasValidBpkTarget) { + Logger.info("Authn.Req validation FAILED. Reason: Contains NO or NO VALID target-sector information."); + throw new AuthnRequestValidatorException("pvp2.22", new Object[] { + "NO or NO VALID target-sector information" }); + + } + + } + + private void extractMandateProfiles(EAAFRequestedAttribute el, IRequest pendingReq) { + if (el.getAttributeValues() != null && el.getAttributeValues().size() == 1) { + final String profiles = el.getAttributeValues().get(0).getDOM().getTextContent(); + Map configProps = pendingReq.getServiceProviderConfiguration().getFullConfiguration(); + Logger.debug("Set MandateProfiles to: " + profiles); + configProps.put( + MOAIDConfigurationConstants.SERVICE_AUTH_MANDATES_OVS_USE, + String.valueOf(true)); + configProps.put( + MOAIDConfigurationConstants.SERVICE_AUTH_MANDATES_OVS_PROFILES, + profiles); + + } else { + Logger.info("Req. attribute '" + el.getName() + + "' contains NO or MORE THEN ONE attribute-values. Ignore full req. 
attribute"); + } + + } + + + private boolean extractBpkTarget(final EAAFRequestedAttribute el, IRequest pendingReq) { + if (el.getAttributeValues() != null && el.getAttributeValues().size() == 1) { + final String sectorId = el.getAttributeValues().get(0).getDOM().getTextContent(); + Map configProps = pendingReq.getServiceProviderConfiguration().getFullConfiguration(); + if (sectorId.startsWith(EAAFConstants.URN_PREFIX_EIDAS)) { + Logger.debug("Set eIDAS target to: " + sectorId); + configProps.put( + MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE, + MOAIDConstants.IDENIFICATIONTYPE_EIDAS); + configProps.put(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_VALUE, + sectorId.substring(EAAFConstants.URN_PREFIX_EIDAS.length())); + return true; + + } else { + Logger.info("Requested sector: " + sectorId + " DOES NOT match to allowed sectors for SP: " + + pendingReq.getServiceProviderConfiguration().getUniqueIdentifier()); + + } + + } else { + Logger.info("Req. attribute '" + el.getName() + + "' contains NO or MORE THEN ONE attribute-values. Ignore full req. attribute"); + } + + return false; + + } + +} diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java index f3eaff11a..7f44c4deb 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java 
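Review bot: In `extractBpkTarget` and `extractMandateProfiles`, values taken from the incoming AuthnRequest (`sectorId`, `profiles`) are written with `configProps.put(...)` into the map returned by `pendingReq.getServiceProviderConfiguration().getFullConfiguration()`; if that map is the shared service-provider configuration rather than a per-request copy, one request changes the target sector and mandate profiles for every later request of that SP, so the copy semantics of `getFullConfiguration()` should be confirmed before merging. `sectorId` is only checked for the `URN_PREFIX_EIDAS` prefix and `profiles` is not validated at all, so both should be compared against what the SP is configured to use — the `else` branch log text "DOES NOT match to allowed sectors for SP" currently describes a check the code does not perform. `isSpAllowed` dereferences `authReq.getIssuer()` twice without a null check, so a request without an Issuer ends in a NullPointerException instead of the "not allowed" path; `authReq.getIssuer() != null && allowedProxies.contains(authReq.getIssuer().getValue())` closes that. The allow-list decision is only meaningful if this post-processor runs after the request signature has been verified against `spSsoDescriptor`, which this class does not do itself and should state in its class Javadoc.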
@@ -23,6 +23,7 @@ package at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.tasks; import java.io.IOException; +import java.util.Arrays; import java.util.Set; import javax.servlet.http.HttpServletRequest; @@ -64,6 +65,7 @@ import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.EidasCentral import at.gv.egovernment.moa.id.auth.modules.eIDAScentralAuth.utils.Utils; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -194,7 +196,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING}); } - + //copy attributes into MOASession AuthenticationSessionWrapper session = pendingReq.getSessionData(AuthenticationSessionWrapper.class); Set includedAttrNames = extractor.getAllIncludeAttributeNames(); 
@@ -207,12 +209,32 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { //set foreigner flag session.setForeigner(true); + + //set CCE URL if (extractor.getFullAssertion().getIssuer() != null && StringUtils.isNotEmpty(extractor.getFullAssertion().getIssuer().getValue())) session.setBkuURL(extractor.getFullAssertion().getIssuer().getValue()); else session.setBkuURL("eIDAS_Authentication"); + if (authConfig.getBasicConfigurationBoolean(EidasCentralAuthConstants.CONFIG_PROPS_SEMPER_MANDATES_ACTIVE, false)) { + if (extractor.containsAttribute(PVPConstants.MANDATE_TYPE_NAME)) { + Logger.trace("Check attributes in SEMPER eIDAS mode."); + if (!extractor.containsAllRequiredAttributes(Arrays.asList( + PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME, + PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, + PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME))) { + Logger.warn("PVP Response from 'ms-specific eIDAS node' contains not all required attributes for eIDAS SEMPER process."); + throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{EidasCentralAuthConstants.MODULE_NAME_FOR_LOGGING}); + + } + + Logger.info("SEMPER mode is active and mandates are found. Activing mandates for eIDAS login ... "); + session.setUseMandates(true); + + } + } + } catch (AssertionValidationExeption e) { throw new BuildException("builder.06", null, e); -- cgit v1.2.3 From 1292f854aa98b167a849dc0f202a1957a5ce2514 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 13 Dec 2019 09:56:15 +0100 Subject: set NeedConsentFlag to 'false' if authentication was done without SSO --- .../auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java | 3 +++ 1 file changed, 3 insertions(+) (limited to 'id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java') 
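Review bot: The SEMPER branch in `ReceiveAuthnResponseTask` calls `session.setUseMandates(true)` based only on the global `CONFIG_PROPS_SEMPER_MANDATES_ACTIVE` flag and the presence of `MANDATE_TYPE_NAME` in the response, whereas the request-side `AuthnRequestSemperProcessor` in this commit additionally restricts SEMPER processing to issuers on `CONFIG_PROPS_SEMPER_MANDATES_MS_PROXY_LIST`; a mandate-bearing response for a service provider outside that list would still switch the session into mandate mode here unless that is prevented elsewhere, which is not visible in the hunk. The `containsAllRequiredAttributes(Arrays.asList(...))` check also omits `MANDATE_TYPE_OID_NAME`, which `DEFAULT_SEMPER_MANDATE_PVP_ATTRIBUTES` requests, so either add it to the list or note in a comment why the OID is optional. The log text `Activing mandates` should read `Activating mandates`. The enclosing `try` block starts outside the hunk.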
diff --git a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java index 7f44c4deb..eeef68c3e 100644 --- a/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-module-AT_eIDAS_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eIDAScentralAuth/tasks/ReceiveAuthnResponseTask.java @@ -150,6 +150,9 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { getAuthDataFromInterfederation(extractor, pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class)); + //set NeedConsent to false, because user gives consont during authentication + pendingReq.setNeedUserConsent(false); + //store pending-request requestStoreage.storePendingRequest(pendingReq); -- cgit v1.2.3
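Review bot: `pendingReq.setNeedUserConsent(false)` is set unconditionally after `getAuthDataFromInterfederation`, while the commit title limits it to authentications done without SSO; no SSO condition is visible in the hunk, so if this task can also be reached in an SSO flow the consent flag would be cleared there as well (the surrounding method begins and ends outside the hunk). I would either guard the assignment with the SSO state or let the comment carry that reasoning, e.g. `// consent is given during the eIDAS authentication itself, so no separate consent step is needed; this task is not reached via SSO`, which also fixes the typo `consont`.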