From 0247b654a6278acff55999e8b6318a6db4354510 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Wed, 13 Jan 2016 14:05:48 +0100
Subject: reimplement eIDAS metadata provider which use MOA-SP to verify
 metadata

---
 .../engine/MOAeIDASSimpleMetadataProvider.java     | 184 ++++++++++++++++++---
 1 file changed, 165 insertions(+), 19 deletions(-)

(limited to 'id/server/modules/moa-id-module-eIDAS/src/main/java/at')

diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java
index 2aec81db5..a8099f42e 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java
@@ -1,50 +1,196 @@
 package at.gv.egovernment.moa.id.auth.modules.eidas.engine;
 
 import java.security.KeyStore;
+import java.util.Timer;
 
+import javax.net.ssl.SSLHandshakeException;
+
+import org.apache.commons.httpclient.MOAHttpClient;
+import org.apache.commons.httpclient.params.HttpClientParams;
+import org.apache.commons.lang.StringUtils;
 import org.opensaml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.saml2.metadata.RoleDescriptor;
 import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.xml.parse.BasicParserPool;
 
+import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
+import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
+import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
+import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
+import at.gv.egovernment.moa.id.saml2.MetadataFilterChain;
 import at.gv.egovernment.moa.logging.Logger;
 import eu.eidas.auth.engine.EIDASSAMLEngine;
-import eu.eidas.auth.engine.metadata.SimpleMetadataProcessor;
+import eu.eidas.auth.engine.metadata.MetadataProcessorI;
 import eu.eidas.engine.exceptions.SAMLEngineException;
 
-public class MOAeIDASSimpleMetadataProvider extends SimpleMetadataProcessor {
+public class MOAeIDASSimpleMetadataProvider implements MetadataProcessorI {
 
+	/* (non-Javadoc)
+	 * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getEntityDescriptor(java.lang.String)
+	 */
 	@Override
-	public EntityDescriptor getEntityDescriptor(String url) {
-        EntityDescriptor entityDescriptor=getEntityDescriptorHelper(url);
-        
-        if(Logger.isDebugEnabled()){
-            Logger.debug("got entityDescriptor: " + entityDescriptor);
+	public EntityDescriptor getEntityDescriptor(String url)
+			throws SAMLEngineException {
+		EntityDescriptor entityDescriptor=null;
+        try {
+        	if (StringUtils.isNotEmpty(url)) {        	
+        		HTTPMetadataProvider provider = createNewHTTPMetaDataProvider(url);            
+                entityDescriptor = provider.getEntityDescriptor(url);
+                
+            } else {
+                throw new MetadataProviderException("the metadata url parameter is null or empty");
+                
+            }
+        } catch (MetadataProviderException mpe) {
+            Logger.error("error getting a metadataprovider {}", mpe);
+            
         }
         return entityDescriptor;
+        
 	}
 
+	/* (non-Javadoc)
+	 * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getSPSSODescriptor(java.lang.String)
+	 */
 	@Override
-	public SPSSODescriptor getSPSSODescriptor(String url) throws SAMLEngineException {
+	public SPSSODescriptor getSPSSODescriptor(String url)
+			throws SAMLEngineException {
 		return getFirstRoleDescriptor(getEntityDescriptor(url), SPSSODescriptor.class);
 		
 	}
 
+	/* (non-Javadoc)
+	 * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getIDPSSODescriptor(java.lang.String)
+	 */
 	@Override
-	public IDPSSODescriptor getIDPSSODescriptor(String url) throws SAMLEngineException {
+	public IDPSSODescriptor getIDPSSODescriptor(String url)
+			throws SAMLEngineException {
 		return getFirstRoleDescriptor(getEntityDescriptor(url), IDPSSODescriptor.class);
 		
 	}
 
-    @Override
-    public void checkValidMetadataSignature(String url, EIDASSAMLEngine engine) throws SAMLEngineException {
-        //TODO: implement Metadata signature validation
-        Logger.warn("MetadataProcessor in demo SP does not actually check the signature of metadata");
-   
-    }
-    @Override
-    public void checkValidMetadataSignature(String url, KeyStore store) throws SAMLEngineException {
-        //not implemented
-    	
+	/* (non-Javadoc)
+	 * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#checkValidMetadataSignature(java.lang.String, eu.eidas.auth.engine.EIDASSAMLEngine)
+	 */
+	@Override
+	public void checkValidMetadataSignature(String url, EIDASSAMLEngine engine)
+			throws SAMLEngineException {
+		//Do nothing, because metadata signature is already validated during 
+		//metadata provider initialization 
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#checkValidMetadataSignature(java.lang.String, java.security.KeyStore)
+	 */
+	@Override
+	public void checkValidMetadataSignature(String url, KeyStore trustStore)
+			throws SAMLEngineException {
+		//Do nothing, because metadata signature is already validated during 
+		//metadata provider initialization 
+		
+	}
+
+    protected <T extends RoleDescriptor> T getFirstRoleDescriptor(EntityDescriptor entityDescriptor, final Class<T> clazz){
+        for(RoleDescriptor rd:entityDescriptor.getRoleDescriptors()){
+            if(clazz.isInstance(rd)){
+                return (T)rd;
+            }
+        }
+        return null;
     }
+    
+	private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL) {
+		HTTPMetadataProvider httpProvider = null;
+		Timer timer= null;
+		MOAHttpClient httpClient = null;
+		try {
+			AuthConfiguration authConfig = AuthConfigurationProviderFactory.getInstance();
+			
+			httpClient = new MOAHttpClient();
+			
+			HttpClientParams httpClientParams = new HttpClientParams();
+			httpClientParams.setSoTimeout(Constants.CONFIG_PROPS_METADATA_SOCKED_TIMEOUT);
+			httpClient.setParams(httpClientParams);
+			
+			if (metadataURL.startsWith("https:")) {
+				try {
+					MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
+							PVPConstants.SSLSOCKETFACTORYNAME, 
+							authConfig.getCertstoreDirectory(), 
+							authConfig.getTrustedCACertificates(),
+							null,
+							AuthConfiguration.DEFAULT_X509_CHAININGMODE, 
+							authConfig.isTrustmanagerrevoationchecking());
+					
+					httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory);
+
+				} catch (MOAHttpProtocolSocketFactoryException e) {
+					Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.");
+					
+				}
+			}
+			
+			timer = new Timer();
+			httpProvider = new HTTPMetadataProvider(timer, httpClient, 
+					metadataURL);
+			httpProvider.setParserPool(new BasicParserPool());
+			httpProvider.setRequireValidMetadata(true);
+			httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes
+			httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours
+			//httpProvider.setRefreshDelayFactor(0.1F);
+			
+			//add Metadata filters
+			MetadataFilterChain filter = new MetadataFilterChain();
+			filter.addFilter(new MOAeIDASMetadataSignatureFilter(
+					authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE)));
+			httpProvider.setMetadataFilter(filter);
+			
+			httpProvider.initialize();
+			
+						
+			return httpProvider;
+						
+		} catch (Throwable e) {			
+			if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) {
+				Logger.warn("SSL-Server certificate for metadata " 
+						+ metadataURL + " not trusted.", e);
+				
+			} if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) {				
+				Logger.warn("Signature verification for metadata" 
+						+ metadataURL + " FAILED.", e);
+			
+			} if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) {
+				Logger.warn("Schema validation for metadata " 
+						+ metadataURL + " FAILED.", e);								
+			}
+			
+			Logger.error(
+					"Failed to add Metadata file for "
+							+ metadataURL + "[ "
+							+ e.getMessage() + " ]", e);
+						
+			if (httpProvider != null) {
+				Logger.debug("Destroy failed Metadata provider");
+				httpProvider.destroy();
+			}
+			
+			if (timer != null) {
+				Logger.debug("Destroy Timer.");
+				timer.cancel();
+			}
+
+			
+		}
+		
+		return null;	
+	}
 	
 }
-- 
cgit v1.2.3