From 782b159ec4050a459f8aadf85b68fb2b15fbf1b2 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Mon, 17 Jul 2017 10:25:31 +0200
Subject: refactor MOA eIDAS metadata provider

---
 .../moa/id/auth/modules/eidas/Constants.java       |   1 -
 .../engine/MOAeIDASChainingMetadataProvider.java   | 122 ++++-----------------
 2 files changed, 22 insertions(+), 101 deletions(-)

(limited to 'id/server/modules/moa-id-module-eIDAS/src/main')

diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
index 36323f3a5..01b202a88 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
@@ -71,7 +71,6 @@ public class Constants {
 	
 	//timeouts and clock skews
 	public static final int CONFIG_PROPS_SKEWTIME = 2 * 60 * 1000;  			//2 minutes skew time for response validation
-	public static final int CONFIG_PROPS_METADATA_SOCKED_TIMEOUT = 20 * 1000;  	//20 seconds metadata socked timeout
 	public static final long CONFIG_PROPS_METADATA_GARBAGE_TIMEOUT = 7 * 24 * 60 * 60 * 1000;	//remove unused eIDAS metadata after 7 days
 
 	//eIDAS request parameters
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
index 75d57e615..a0330903b 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
@@ -9,11 +9,8 @@ import java.util.Map;
 import java.util.Map.Entry;
 import java.util.Timer;
 
-import javax.net.ssl.SSLHandshakeException;
 import javax.xml.namespace.QName;
 
-import org.apache.commons.httpclient.MOAHttpClient;
-import org.apache.commons.httpclient.params.HttpClientParams;
 import org.opensaml.saml2.metadata.EntitiesDescriptor;
 import org.opensaml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml2.metadata.RoleDescriptor;
@@ -29,13 +26,8 @@ import org.springframework.stereotype.Service;
 import at.gv.egovernment.moa.id.auth.IDestroyableObject;
 import at.gv.egovernment.moa.id.auth.IGarbageCollectorProcessing;
 import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
-import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
-import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
-import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
-import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.IMOARefreshableMetadataProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.SimpleMOAMetadataProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MOASPMetadataSignatureFilter;
 import at.gv.egovernment.moa.id.saml2.MetadataFilterChain;
 import at.gv.egovernment.moa.logging.Logger;
@@ -43,11 +35,10 @@ import at.gv.egovernment.moa.util.MiscUtil;
 import eu.eidas.auth.engine.AbstractProtocolEngine;
 
 @Service("eIDASMetadataProvider")
-public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvider, 
+public class MOAeIDASChainingMetadataProvider extends SimpleMOAMetadataProvider implements ObservableMetadataProvider, 
 	IGarbageCollectorProcessing, IDestroyableObject, IMOARefreshableMetadataProvider {
 
-//	private static MOAeIDASChainingMetadataProvider instance = null;
-	private static Object mutex = new Object();
+	private Timer timer = null;
 	
 	private MetadataProvider internalProvider;
 	private Map<String, Date> lastAccess = null;
@@ -77,6 +68,10 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
 	 */
 	@Override
 	public void fullyDestroy() {
+		
+		if (timer != null)
+			timer.cancel();
+		
 		Map<String, HTTPMetadataProvider> loadedproviders = getAllActuallyLoadedProviders();
 		if (loadedproviders != null) {
 			for (Entry<String, HTTPMetadataProvider> el : loadedproviders.entrySet()) {
@@ -188,94 +183,20 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
 		}					
 	}
 	
-	
-	
-	private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL) {
-		HTTPMetadataProvider httpProvider = null;
-		Timer timer= null;
-		MOAHttpClient httpClient = null;
-		try {
-			AuthConfiguration authConfig = AuthConfigurationProviderFactory.getInstance();
-			
-			httpClient = new MOAHttpClient();
-			
-			HttpClientParams httpClientParams = new HttpClientParams();
-			httpClientParams.setSoTimeout(Constants.CONFIG_PROPS_METADATA_SOCKED_TIMEOUT);
-			httpClient.setParams(httpClientParams);
-			
-			if (metadataURL.startsWith("https:")) {
-				try {
-					//FIX: change hostname validation default flag to true when httpClient is updated to > 4.4
-					MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
-							Constants.SSLSOCKETFACTORYNAME, 
-							authConfig.getTrustedCACertificates(),
-							null,
-							AuthConfiguration.DEFAULT_X509_CHAININGMODE, 
-							authConfig.isTrustmanagerrevoationchecking(),
-							authConfig.getRevocationMethodOrder(),
-							authConfig.getBasicMOAIDConfigurationBoolean(
-									AuthConfiguration.PROP_KEY_SSL_HOSTNAME_VALIDATION, false));
-					
-					httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory);
-
-				} catch (MOAHttpProtocolSocketFactoryException e) {
-					Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.");
-					
-				}
-			}
-			
+		
+	private MetadataProvider createNewHTTPMetaDataProvider(String metadataURL) {		
+		if (timer == null)
 			timer = new Timer(true);
-			httpProvider = new HTTPMetadataProvider(timer, httpClient, 
-					metadataURL);
-			httpProvider.setParserPool(AbstractProtocolEngine.getSecuredParserPool());
-			httpProvider.setRequireValidMetadata(true);
-			httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes
-			httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours
-			//httpProvider.setRefreshDelayFactor(0.1F);
-			
-			//add Metadata filters
-			MetadataFilterChain filter = new MetadataFilterChain();
-			filter.addFilter(new MOASPMetadataSignatureFilter(
-					authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE)));
-			httpProvider.setMetadataFilter(filter);
-			
-			httpProvider.initialize();
-			
-			return httpProvider;
-						
-		} catch (Throwable e) {			
-			if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) {
-				Logger.warn("SSL-Server certificate for metadata " 
-						+ metadataURL + " not trusted.", e);
-				
-			} if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) {				
-				Logger.warn("Signature verification for metadata" 
-						+ metadataURL + " FAILED.", e);
-			
-			} if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) {
-				Logger.warn("Schema validation for metadata " 
-						+ metadataURL + " FAILED.", e);								
-			}
-			
-			Logger.error(
-					"Failed to add Metadata file for "
-							+ metadataURL + "[ "
-							+ e.getMessage() + " ]", e);
-						
-			if (httpProvider != null) {
-				Logger.debug("Destroy failed Metadata provider");
-				httpProvider.destroy();
-			}
-			
-			if (timer != null) {
-				Logger.debug("Destroy Timer.");
-				timer.cancel();
-			}
-
-			
-		}
 		
-		return null;	
+		//add Metadata filters
+		MetadataFilterChain filter = new MetadataFilterChain();
+		filter.addFilter(new MOASPMetadataSignatureFilter(
+				authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE)));
+		
+		return createNewMoaMetadataProvider(metadataURL, filter, 
+					"eIDAS metadata-provider", 
+					timer, AbstractProtocolEngine.getSecuredParserPool());
+			
 	}
 
 	private Map<String, HTTPMetadataProvider> getAllActuallyLoadedProviders() {
@@ -310,7 +231,7 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
 				} else {
 					//load new Metadata Provider				
 					ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;						
-					HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL);	
+					MetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL);	
 					
 					if (newMetadataProvider != null) {
 						chainProvider.addMetadataProvider(newMetadataProvider);
@@ -320,7 +241,8 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
 								+ metadataURL + " is added.");
 						return true;
 						
-					}										
+					} else
+						Logger.warn("Can not load eIDAS metadata from URL: " + metadataURL);
 				}
 														
 			} else
-- 
cgit v1.2.3