From 82ac1e7f41182a976d2c734a898936767c987cc8 Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Mon, 6 Jul 2020 21:07:07 +0200
Subject: update SP-Identifier for Applikation-Register communication to combination of MOA EntityID and PublicUrlPrefix to make applications unique on AppReg side
---
 .../eidproxyauth/EIDProxyAuthConstants.java | 4 +
 .../EidAppRegIdentifierGenerationController.java | 113 +++++++++++++++++++++
 .../eidproxyauth/tasks/CreateAuthnRequestTask.java | 3 +-
 .../id/auth/modules/eidproxyauth/utils/Utils.java | 18 ++++
 4 files changed, 137 insertions(+), 1 deletion(-)
 create mode 100644 id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/controller/EidAppRegIdentifierGenerationController.java
(limited to 'id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa')
diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthConstants.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthConstants.java
index b057ecaf8..1791c1caf 100644
--- a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthConstants.java
+++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthConstants.java
@@ -45,6 +45,7 @@ public class EIDProxyAuthConstants {
 public static final String ENDPOINT_POST = "/sp/eid/post";
 public static final String ENDPOINT_REDIRECT = "/sp/eid/redirect";
 public static final String ENDPOINT_METADATA = "/sp/eid/metadata";
+ public static final String ENDPOINT_APPREG_INFO = "/eid/getappregid";
 public static final String CONFIG_PROPS_PREFIX = "modules.eidproxyauth.";
 public static final String CONFIG_PROPS_KEYSTORE = CONFIG_PROPS_PREFIX + "keystore.path";
@@ -61,6 +62,9 @@ public class EIDProxyAuthConstants {
 public static final String CONFIG_PROPS_REQUIRED_PVP_ATTRIBUTES_LIST = CONFIG_PROPS_PREFIX + "required.additional.attributes";
 public static final String CONFIG_PROPS_DISABLE_PROCESS_ENFORCEMENT = CONFIG_PROPS_PREFIX + "enforce.process.disabled";
+ public static final String CONFIG_PROPS_ENABLE_APPREG_IDENTIFIER_GENERATION_ENDPOINT =
+ CONFIG_PROPS_PREFIX + "endpoint.appreginfo.enable";
+
 public static final String CONFIG_DEFAULT_LOA_EIDAS_LEVEL = EAAFConstants.EIDAS_LOA_HIGH;
 public static final List> DEFAULT_REQUIRED_PVP_ATTRIBUTES = Collections.unmodifiableList(new ArrayList>() {
diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/controller/EidAppRegIdentifierGenerationController.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/controller/EidAppRegIdentifierGenerationController.java
new file mode 100644
index 000000000..091feb7fc
--- /dev/null
+++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/controller/EidAppRegIdentifierGenerationController.java
@@ -0,0 +1,113 @@
+package at.gv.egovernment.moa.id.auth.modules.eidproxyauth.controller;
+
+import java.io.IOException;
+import java.net.URL;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+import at.gv.egiz.eaaf.core.api.gui.IGUIFormBuilder;
+import at.gv.egiz.eaaf.core.exceptions.EAAFException;
+import at.gv.egiz.eaaf.core.exceptions.GUIBuildException;
+import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
+import at.gv.egiz.eaaf.core.impl.idp.controller.AbstractController;
+import at.gv.egiz.eaaf.core.impl.utils.HTTPUtils;
+import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
+import at.gv.egovernment.moa.id.auth.frontend.builder.DefaultGUIFormBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.EIDProxyAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.eidproxyauth.utils.Utils;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
+import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+@Controller
+public class EidAppRegIdentifierGenerationController extends AbstractController {
+
+ private static final String GUI_TEMPLATE_APPREG_ID = "appreg_id_generator.html";
+
+ @Autowired IGUIFormBuilder guiBuilder;
+
+
+ @RequestMapping(value = EIDProxyAuthConstants.ENDPOINT_APPREG_INFO,
+ method = {RequestMethod.GET})
+ public void getAppRegSpId(HttpServletRequest req, HttpServletResponse resp) throws IOException, EAAFException {
+ if (!authConfig.getBasicConfigurationBoolean(
+ EIDProxyAuthConstants.CONFIG_PROPS_ENABLE_APPREG_IDENTIFIER_GENERATION_ENDPOINT, true)) {
+ Logger.info("Endpoint: " + EIDProxyAuthConstants.ENDPOINT_APPREG_INFO + " DISABLED!");
+ resp.setStatus(HttpStatus.FORBIDDEN.value());
+ return;
+
+ }
+
+ String authUrl;
+ DefaultGUIFormBuilderConfiguration config;
+ try {
+ String authUrlString = HTTPUtils.extractAuthURLFromRequest(req);
+ URL authReqURL = new URL(authUrlString);
+ authUrl = authConfig.validateIDPURL(authReqURL);
+ config = new DefaultGUIFormBuilderConfiguration(
+ authUrl,
+ GUI_TEMPLATE_APPREG_ID,
+ null);
+
+ } catch (Exception e) {
+ Logger.warn("Bad request on: " + EIDProxyAuthConstants.ENDPOINT_APPREG_INFO, e);
+ resp.setStatus(HttpStatus.BAD_REQUEST.value());
+ resp.getWriter().write(e.getMessage());
+ return;
+
+ }
+
+
+ try {
+ String oaURL = req.getParameter(MOAIDAuthConstants.PARAM_OA);
+ if (MiscUtil.isEmpty(oaURL)) {
+ Logger.info("Receive OA parameter in SAML1 like request. Can not generate AppReg Identifier");
+ throw new WrongParametersException(EIDProxyAuthConstants.ENDPOINT_APPREG_INFO, MOAIDAuthConstants.PARAM_OA,
+ "auth.12");
+
+ }
+
+ if (!ParamValidatorUtils.isValidOA(oaURL))
+ throw new WrongParametersException(EIDProxyAuthConstants.ENDPOINT_APPREG_INFO, MOAIDAuthConstants.PARAM_OA,
+ "auth.12");
+
+ IOAAuthParameters oaParam = authConfig.getServiceProviderConfiguration(oaURL, IOAAuthParameters.class);
+ if (oaParam == null) {
+ Logger.info("No configuration for application with ID: " + oaURL);
+ throw new InvalidProtocolRequestException("auth.00",new Object[] { null });
+
+ }
+
+ String appRegId = Utils.getEidSystemApplicationId(oaParam, authUrl);
+ config.putCustomParameterWithOutEscaption(null, "appregId", appRegId);
+ guiBuilder.build(req, resp, config, "AppReg Id generation GUI");
+
+
+ } catch (Exception e) {
+ Logger.warn("Can not build AppReg Identifier", e);
+ config.putCustomParameterWithOutEscaption(null, "error", e.getMessage());
+ try {
+ guiBuilder.build(req, resp, config, "AppReg Id generation GUI");
+
+ } catch (GUIBuildException e1) {
+ Logger.error("Internal server error", e);
+ resp.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
+
+ }
+
+ }
+
+
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/tasks/CreateAuthnRequestTask.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/tasks/CreateAuthnRequestTask.java
index 38a7c4add..177103051 100644
--- a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/tasks/CreateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/tasks/CreateAuthnRequestTask.java
@@ -112,7 +112,8 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask {
 authnReqConfig.setPassive(false);
 authnReqConfig.setSignCred(credential.getIDPAssertionSigningCredential());
 authnReqConfig.setSPEntityID(pendingReq.getAuthURL() + EIDProxyAuthConstants.ENDPOINT_METADATA);
- authnReqConfig.setScopeRequesterId(pendingReq.getServiceProviderConfiguration().getUniqueIdentifier());
+ authnReqConfig.setScopeRequesterId(
+ Utils.getEidSystemApplicationId(pendingReq.getServiceProviderConfiguration(), pendingReq.getAuthURL()));
 //build and transmit AuthnRequest
 authnReqBuilder.buildAuthnRequest(pendingReq, authnReqConfig , response);
diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/Utils.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/Utils.java
index cd578d373..fefd3ec73 100644
--- a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/Utils.java
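Review bot: In the first catch block `resp.getWriter().write(e.getMessage())` and in the second `config.putCustomParameterWithOutEscaption(null, "error", e.getMessage())` both echo exception text into the response unescaped, and that text can carry request-derived input (the auth URL taken from the request by `HTTPUtils.extractAuthURLFromRequest`, and for the second block the `OA` parameter), so these are reflected-content sinks on a GET endpoint; the first one is additionally written without any content type. Prefer a fixed error text on the wire, e.g. `resp.getWriter().write("Bad request");`, and for the `error` template parameter either the escaping `putCustomParameter` variant (if the builder configuration offers one) or a fixed message, keeping the exception detail in the log only. The `catch (GUIBuildException e1)` block logs `e` instead of `e1`, so the reason the error page could not be rendered is lost: `Logger.error("Internal server error", e1);`. Note also that the endpoint is enabled by default (`getBasicConfigurationBoolean(..., true)`) and, as far as this hunk shows, unauthenticated; the distinct "No configuration for application" path lets any caller learn which `OA` values are configured, so defaulting the flag to `false` or documenting why the endpoint is meant to be public would be worth considering.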
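Review bot: `setSPEntityID` still builds the entity ID as `pendingReq.getAuthURL() + EIDProxyAuthConstants.ENDPOINT_METADATA` without normalising a trailing slash, while the new `setScopeRequesterId` value goes through `Utils.getEidSystemApplicationId`, which strips one; if `getAuthURL()` ever ends with `/`, the two identifiers sent in the same AuthnRequest are derived from differently normalised bases. Consider deriving both from the same normalised auth URL so the SP entity ID and the requester ID stay consistent for the Application-Register. The enclosing method begins and ends outside the hunk.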
+++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/Utils.java
@@ -14,6 +14,24 @@ import at.gv.egovernment.moa.logging.Logger;
 public class Utils {
+ public static final String PARAM_APPREG_SP_ID = "?sp=";
+
+ public static String getEidSystemApplicationId(ISPConfiguration spConfiguration, String authUrl) {
+ StringBuilder builder = new StringBuilder();
+ if (authUrl.endsWith("/")) {
+ builder.append(authUrl.substring(0, authUrl.length() - 1));
+
+ } else {
+ builder.append(authUrl);
+
+ }
+ builder.append(EIDProxyAuthConstants.ENDPOINT_METADATA);
+ builder.append(PARAM_APPREG_SP_ID);
+ builder.append(spConfiguration.getUniqueIdentifier());
+ return builder.toString();
+
+ }
+
 public static String getEIDSystemEntityId(ISPConfiguration spConfiguration, IConfiguration authConfig) {
 //load from service-provider configuration
 String msNodeEntityID = spConfiguration.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_EXTERNAL_EID_SYSTEM_SERVICE_URL);
-- cgit v1.2.3
From b1bcb88694e7c389ebd1693ac2b47cd260f184e8 Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Tue, 7 Jul 2020 10:33:38 +0200
Subject: extend valid-until of E-ID client metadata, because metadata has to be registered in ApplicationRegister an dynamic loading is not required
---
 .../moa/id/auth/modules/eidproxyauth/EIDProxyAuthConstants.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa')
diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthConstants.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthConstants.java
index 1791c1caf..7fcabca1e 100644
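Review bot: `getEidSystemApplicationId` dereferences `authUrl` at `authUrl.endsWith("/")` and `spConfiguration` at `getUniqueIdentifier()` without a null check, and it carries no Javadoc although the value it returns is the identifier registered on the Application-Register side and therefore has to stay stable across releases. Add a Javadoc stating that contract — that the result is the auth URL without trailing slash followed by `?sp=` and the service provider's unique identifier, that it is the requester ID sent to the E-ID system, and that both parameters must be non-null — and a leading `Objects.requireNonNull(authUrl, "authUrl");` (with the `java.util.Objects` import) would turn the implicit NPE into an explicit precondition. The unique identifier is appended verbatim after `?sp=`, so if it can contain `&`, `#` or `?` the composed value is ambiguous when read as a query string; presumably the receiving side treats it as an opaque string, but that assumption should be confirmed and stated in the Javadoc.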
--- a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthConstants.java
+++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/EIDProxyAuthConstants.java
@@ -38,7 +38,7 @@ public class EIDProxyAuthConstants {
 public static final String MODULE_NAME_FOR_LOGGING = "E-ID proxy authentication";
- public static final int METADATA_VALIDUNTIL_IN_HOURS = 24;
+ public static final int METADATA_VALIDUNTIL_IN_HOURS = 24 * 365 * 10;
 public static final String HTTP_PARAM_EIDPROXY_AUTH_SELECTION = "forwardToEID";
-- cgit v1.2.3
From 855c5cc1b46a83a2fa24e4a1f1a02268f5931104 Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Tue, 7 Jul 2020 14:47:40 +0200
Subject: use shorter form of unique AppReg identifier to prohibit problems with max length
---
 .../at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/Utils.java | 1 -
 1 file changed, 1 deletion(-)
(limited to 'id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa')
diff --git a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/Utils.java b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/Utils.java
index fefd3ec73..0de1a9df2 100644
--- a/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/Utils.java
+++ b/id/server/modules/moa-id-module-E-ID_connector/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidproxyauth/utils/Utils.java
@@ -25,7 +25,6 @@ public class Utils {
 builder.append(authUrl);
 }
- builder.append(EIDProxyAuthConstants.ENDPOINT_METADATA);
 builder.append(PARAM_APPREG_SP_ID);
 builder.append(spConfiguration.getUniqueIdentifier());
 return builder.toString();
-- cgit v1.2.3
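Review bot: `METADATA_VALIDUNTIL_IN_HOURS = 24 * 365 * 10` makes the published E-ID client metadata valid for ten years, which in practice removes `validUntil` as a trust boundary: a relying party that cached the metadata will keep accepting the signing certificate it contains until that date, so a key rollover or revocation on the MOA side then depends entirely on manual re-registration at the Application-Register. That consequence should be documented next to the constant, e.g. `// metadata is registered statically at the Application-Register (no dynamic reload); a key rollover therefore requires re-registration there`. Depending on how the consumer of this constant converts hours to a timestamp (not visible here), 87600 hours no longer fits into an `int` number of milliseconds, so that conversion should be checked to use `long` arithmetic.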