From b76b6e6212784d622ca79bd258fa3e529b353346 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 28 Sep 2018 14:19:50 +0200 Subject: add first code for eID4U --- .../modules/eidas/engine/MOAProtocolEngine.java | 14 +++++---- .../eidas/tasks/ReceiveAuthnResponseTask.java | 5 +++- .../auth/modules/eidas/utils/SAMLEngineUtils.java | 11 ++++++++ .../moa/id/protocols/eidas/EIDASProtocol.java | 3 +- .../builder/eid4u/IdTypeAttrBuilder.java | 33 ++++++++++++++++++++++ .../eidas/eIDASAuthenticationRequest.java | 24 +++++++++++++--- .../at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder | 2 +- 7 files changed, 79 insertions(+), 13 deletions(-) create mode 100644 id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eid4u/IdTypeAttrBuilder.java (limited to 'id/server/modules/moa-id-module-eIDAS/src') diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAProtocolEngine.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAProtocolEngine.java index f347022b8..d5b1a9e4e 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAProtocolEngine.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAProtocolEngine.java @@ -1,5 +1,7 @@ package at.gv.egovernment.moa.id.auth.modules.eidas.engine; +import java.util.Collection; + import org.opensaml.saml2.core.AuthnRequest; import org.opensaml.saml2.core.Response; import org.w3c.dom.Document; @@ -26,9 +28,9 @@ public class MOAProtocolEngine extends ProtocolEngine { * */ @Override - public Correlated unmarshallResponse(byte[] responseBytes) throws EIDASSAMLEngineException { + public Correlated unmarshallResponse(byte[] responseBytes, Collection metadataWhitelist, boolean checkWhitelist) throws EIDASSAMLEngineException { try { - return super.unmarshallResponse(responseBytes); + return super.unmarshallResponse(responseBytes, metadataWhitelist, checkWhitelist); } catch (EIDASSAMLEngineException e) { if (responseBytes != null ) { @@ -45,7 +47,7 @@ public class MOAProtocolEngine extends ProtocolEngine { if (startInternalMetadataRefesh(entityID)) { Logger.debug("Metadata refresh success. Revalidate eIDAS Response ..."); - return super.unmarshallResponse(responseBytes); + return super.unmarshallResponse(responseBytes, metadataWhitelist, checkWhitelist); } Logger.info("eIDAS metadata refresh not possible or not successful."); @@ -61,9 +63,9 @@ public class MOAProtocolEngine extends ProtocolEngine { * */ @Override - public AuthnRequest unmarshallRequest(byte[] requestBytes) throws EIDASSAMLEngineException { + public AuthnRequest unmarshallRequest(byte[] requestBytes, Collection whitelistMetadata, boolean checkWhitelist) throws EIDASSAMLEngineException { try { - return super.unmarshallRequest(requestBytes); + return super.unmarshallRequest(requestBytes, whitelistMetadata, checkWhitelist); } catch (EIDASSAMLEngineException e) { @@ -81,7 +83,7 @@ public class MOAProtocolEngine extends ProtocolEngine { if (startInternalMetadataRefesh(entityID)) { Logger.debug("Metadata refresh success. Revalidate eIDAS Authn. Request ..."); - return super.unmarshallRequest(requestBytes); + return super.unmarshallRequest(requestBytes, whitelistMetadata, checkWhitelist); } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java index 1788facf0..274a23674 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java @@ -57,11 +57,14 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { ProtocolEngineI engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider); //validate SAML token + //TODO: maybe add whitelist IAuthenticationResponse samlResp = engine.unmarshallResponseAndValidate(decSamlToken, request.getRemoteHost(), Constants.CONFIG_PROPS_SKEWTIME_BEFORE, Constants.CONFIG_PROPS_SKEWTIME_AFTER, - pendingReq.getAuthURL() + Constants.eIDAS_HTTP_ENDPOINT_METADATA); + pendingReq.getAuthURL() + Constants.eIDAS_HTTP_ENDPOINT_METADATA, + null, + false); if (samlResp.isEncrypted()) { Logger.info("Received encrypted eIDAS SAML-Response."); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java index 6d20caa4b..b000c317e 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java @@ -33,6 +33,7 @@ import org.opensaml.xml.ConfigurationException; import org.opensaml.xml.XMLConfigurator; import at.gv.egiz.eaaf.core.impl.utils.FileUtils; +import at.gv.egiz.eid4u.api.attributes.Definitions; import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; import at.gv.egovernment.moa.id.auth.modules.eidas.config.MOAExtendedSWSigner; import at.gv.egovernment.moa.id.auth.modules.eidas.config.MOAIDCertificateManagerConfigurationImpl; @@ -112,6 +113,16 @@ public class SAMLEngineUtils { SAMLSchemaBuilder.addExtensionSchema( at.gv.egovernment.moa.util.Constants.SAML2_eIDAS_EXTENSIONS_SCHEMA_LOCATION); + //add eID4U schemes + SAMLSchemaBuilder.addExtensionSchema( + Definitions.SAML2_eID4U_CORE_EXTENSIONS_SCHEMA_LOCATION); + SAMLSchemaBuilder.addExtensionSchema( + Definitions.SAML2_eID4U_PERSON_EXTENSIONS_SCHEMA_LOCATION); + SAMLSchemaBuilder.addExtensionSchema( + Definitions.SAML2_eID4U_STUDIES_EXTENSIONS_SCHEMA_LOCATION); + SAMLSchemaBuilder.addExtensionSchema( + Definitions.SAML2_eID4U_EXT_EUROPASS3_EXTENSIONS_SCHEMA_LOCATION); + eIDASEngine = engine; } catch (EIDASSAMLEngineException | ConfigurationException e) { diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java index d268dd2f6..7c9e66ba0 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java @@ -203,7 +203,8 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController implement //***** validate eIDAS request ********* //**************************************** //validate SAML token - IAuthenticationRequest samlReq = engine.unmarshallRequestAndValidate(decSamlToken, cititzenCountryCode ); + //TODO: maybe add whitelist feature + IAuthenticationRequest samlReq = engine.unmarshallRequestAndValidate(decSamlToken, cititzenCountryCode, null, false); //validate internal JAVA class type if (!(samlReq instanceof IEidasAuthenticationRequest)) { diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eid4u/IdTypeAttrBuilder.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eid4u/IdTypeAttrBuilder.java new file mode 100644 index 000000000..278347970 --- /dev/null +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/attributes/builder/eid4u/IdTypeAttrBuilder.java @@ -0,0 +1,33 @@ +package at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eid4u; + +import at.gv.egiz.eaaf.core.api.idp.IAttributeGenerator; +import at.gv.egiz.eaaf.core.api.idp.IAuthData; +import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration; +import at.gv.egiz.eaaf.core.exceptions.AttributeBuilderException; +import at.gv.egiz.eid4u.api.attributes.Definitions; +import at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.IeIDASAttribute; +import at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASMetadata; + +@eIDASMetadata +public class IdTypeAttrBuilder implements IeIDASAttribute { + + @Override + public ATT build(ISPConfiguration oaParam, IAuthData authData, IAttributeGenerator g) + throws AttributeBuilderException { + return g.buildStringAttribute(Definitions.IDTYPE_FRIENDLYNAME, getName(), "Passport"); + + } + + @Override + public ATT buildEmpty(IAttributeGenerator g) { + return g.buildEmptyAttribute(Definitions.IDTYPE_FRIENDLYNAME, getName()); + } + + @Override + public String getName() { + return Definitions.IDTYPE_NAME; + + } + +} + \ No newline at end of file diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java index f6a67db9d..f8ac1e291 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java @@ -44,6 +44,7 @@ import at.gv.egiz.eaaf.core.api.logging.IRevisionLogger; import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.core.impl.data.SLOInformationImpl; import at.gv.egiz.eaaf.core.impl.gui.velocity.VelocityProvider; +import at.gv.egiz.eid4u.api.attributes.Definitions; import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider; import at.gv.egovernment.moa.id.auth.modules.eidas.utils.eIDASAttributeBuilder; @@ -87,7 +88,9 @@ public class eIDASAuthenticationRequest implements IAction { else throw new MOAIDException("got wrong IRequest type. is: {}, should be: {}", new String[] {req.getClass().toString(), EIDASData.class.toString()}); - + + ProtocolEngineI engine = at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider); + String subjectNameID = null; //gather attributes @@ -129,6 +132,21 @@ public class eIDASAuthenticationRequest implements IAction { Logger.trace("eIDAS requsted attr. update process finished"); } + + + + //TODO: eID4U testcode + //************************************************************************** + Builder reqAttrWitheID4U = ImmutableAttributeMap.builder(reqAttributeList); + AttributeDefinition attrDef = + engine.getProtocolProcessor().getAttributeDefinitionNullable( + Definitions.IDTYPE_NAME); + reqAttrWitheID4U.put(AttributeDefinition.builder(attrDef).required(false).build()); + + reqAttributeList = reqAttrWitheID4U.build(); + + //************************************************************************** + Logger.trace("Starting eIDAS response generation ...."); @@ -164,9 +182,7 @@ public class eIDASAuthenticationRequest implements IAction { String token = null; IResponseMessage eIDASRespMsg = null; - try { - ProtocolEngineI engine = at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider); - + try { // encryption is done by the SamlEngine, i.e. by the module we provide in the config // but we need to set the appropriate request issuer //engine.setRequestIssuer(eidasRequest.getEidasRequest().getIssuer()); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/resources/META-INF/services/at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder b/id/server/modules/moa-id-module-eIDAS/src/main/resources/META-INF/services/at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder index 3c11c725d..e8232ad68 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/resources/META-INF/services/at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder +++ b/id/server/modules/moa-id-module-eIDAS/src/main/resources/META-INF/services/at.gv.egiz.eaaf.core.api.idp.IAttributeBuilder @@ -2,10 +2,10 @@ at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrDateOfBirth at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrFamilyName at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrGivenName at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrNaturalPersonalIdentifier -at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrNaturalPersonalIdentifier at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeDateOfBirth at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeFamilyName at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeGivenName at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeLegalName at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeLegalPersonIdentifier at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eIDASAttrRepresentativeNaturalPersonalIdentifier +at.gv.egovernment.moa.id.protocols.eidas.attributes.builder.eid4u.IdTypeAttrBuilder \ No newline at end of file -- cgit v1.2.3