From 055d4911acee6ab9d989f5a1574bbe9a9ade4404 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 21 Jun 2016 15:35:13 +0200
Subject: fix a request validation problem in eIDAS endpoint

---
 .../moa/id/protocols/eidas/EIDASProtocol.java        | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

(limited to 'id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas')

diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
index 379a16a96..85fb1626f 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
@@ -196,23 +196,33 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
 			samlReq.setPersonalAttributeList(pendingReq.getEidasRequestedAttributes()); // circumvent non-serializable eidas personal attribute list
 			pendingReq.setEidasRequest(samlReq);
 			
-			//validate destination against metadata 
+			//validate Destination against MOA-ID-Auth configuration
 			String reqDestination = samlReq.getDestination();
-			if (MiscUtil.isNotEmpty(reqDestination)) {
+			if (MiscUtil.isEmpty(reqDestination) || 
+					!reqDestination.startsWith(pendingReq.getAuthURL())) {
+				Logger.info("eIDAS AuthnRequest contains a not valid 'Destination' attribute");
+				throw new eIDASAuthnRequestValidationException("stork.01", 
+						new Object[]{"eIDAS AuthnRequest contains a not valid 'Destination' attribute"});
+				
+			}
+							
+			//validate AssertionConsumerServiceURL against metadata 
+			String reqAssertionConsumerServiceURL = samlReq.getAssertionConsumerServiceURL();			
+			if (MiscUtil.isNotEmpty(reqAssertionConsumerServiceURL)) {
 				boolean isValid = false;
 				List<AssertionConsumerService> allowedAssertionConsumerUrl = new MOAeIDASMetadataProviderDecorator(eIDASMetadataProvider)
 						.getSPSSODescriptor(samlReq.getIssuer()).getAssertionConsumerServices();
 				
 				for (AssertionConsumerService el : allowedAssertionConsumerUrl) {
-					if (reqDestination.equals(el.getLocation()))
+					if (reqAssertionConsumerServiceURL.equals(el.getLocation()))
 						isValid = true;
 					
 				}
 				
 				if (!isValid) {
-					Logger.info("eIDAS AuthnRequest contains a not valid 'Destination' attribute");
+					Logger.info("eIDAS AuthnRequest contains a not valid 'AssertionConsumerServiceURL' attribute");
 					throw new eIDASAuthnRequestValidationException("stork.01", 
-							new Object[]{"eIDAS AuthnRequest contains a not valid 'Destination' attribute"});
+							new Object[]{"eIDAS AuthnRequest contains a not valid 'AssertionConsumerServiceURL' attribute"});
 				}
 				
 			}
-- 
cgit v1.2.3