From 154338abc9ba998bf589b9ab12882ddffa78cf53 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 13 Oct 2017 15:00:25 +0200 Subject: enforce eiDAS legal-person MDS if citizen uses mandates and no legal-person attributes are requested --- .../eidas/eIDASAuthenticationRequest.java | 63 +++++++++++++++------- 1 file changed, 44 insertions(+), 19 deletions(-) (limited to 'id/server/modules/moa-id-module-eIDAS') diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java index d0cda38c7..b91bbde9e 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java @@ -77,6 +77,8 @@ public class eIDASAuthenticationRequest implements IAction { @Autowired protected MOAReversionLogger revisionsLogger; @Autowired(required=true) MOAeIDASChainingMetadataProvider eIDASMetadataProvider; + + @Override public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { EIDASData eidasRequest; 
@@ -91,29 +93,32 @@ public class eIDASAuthenticationRequest implements IAction { //gather attributes ImmutableAttributeMap reqAttributeList = (ImmutableAttributeMap) eidasRequest.getEidasRequestedAttributes(); ImmutableAttributeMap.Builder attrMapBuilder = ImmutableAttributeMap.builder(); - - //generate eIDAS attributes - for(AttributeDefinition attr : reqAttributeList.getDefinitions()) { - Pair, ImmutableSet>> eIDASAttr = eIDASAttributeBuilder.buildAttribute( - attr, req.getOnlineApplicationConfiguration(), authData); - - if(eIDASAttr == null) { - if (attr.isRequired()) { - Logger.info("eIDAS Attr:" + attr.getNameUri() + " is marked as 'Required' but not available."); - throw new MOAIDException("eIDAS.15", new Object[]{attr.getFriendlyName()}); - - } else - Logger.info("eIDAS Attr:" + attr.getNameUri() + " is not available."); - } else { - //add attribute to Map - attrMapBuilder.put( - (AttributeDefinition)eIDASAttr.getFirst(), - (ImmutableSet)eIDASAttr.getSecond()); + //generate eIDAS attributes + for(AttributeDefinition attr : reqAttributeList.getDefinitions()) + buildAndAddAttribute(attrMapBuilder, attr, eidasRequest, authData); + + + //Check if Mandate attributes are requested if mandates was used + if (authData.isUseMandate()) { + if (reqAttributeList.getDefinitionByNameUri( + eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER.getNameUri()) == null) { + Logger.info("Citzen perfom authentication with mandates but no mandate attribute are included. --> Add mandate attribute 'LEGAL_PERSON_IDENTIFIER'"); + buildAndAddAttribute(attrMapBuilder, eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_PERSON_IDENTIFIER, eidasRequest, authData); + + } + + if (reqAttributeList.getDefinitionByNameUri( + eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_NAME.getNameUri()) == null) { + Logger.info("Citzen perfom authentication with mandates but no mandate attribute are included. 
--> Add mandate attribute 'LEGAL_NAME'"); + buildAndAddAttribute(attrMapBuilder, eu.eidas.auth.engine.core.eidas.spec.LegalPersonSpec.Definitions.LEGAL_NAME, eidasRequest, authData); } } + //build final attibute set + ImmutableAttributeMap eIDASAttrbutMap = attrMapBuilder.build(); + // construct eIDaS response AuthenticationResponse.Builder responseBuilder = new AuthenticationResponse.Builder(); @@ -127,7 +132,7 @@ public class eIDASAuthenticationRequest implements IAction { responseBuilder.levelOfAssurance(authData.getEIDASQAALevel()); //add attributes - responseBuilder.attributes(attrMapBuilder.build()); + responseBuilder.attributes(eIDASAttrbutMap); //set success statuscode responseBuilder.statusCode(StatusCode.SUCCESS_URI); @@ -221,6 +226,26 @@ public class eIDASAuthenticationRequest implements IAction { return "eIDAS_AuthnRequest"; } + private void buildAndAddAttribute(ImmutableAttributeMap.Builder attrMapBuilder, AttributeDefinition attr, IRequest req, IAuthData authData) throws MOAIDException { + Pair, ImmutableSet>> eIDASAttr = eIDASAttributeBuilder.buildAttribute( + attr, req.getOnlineApplicationConfiguration(), authData); + + if(eIDASAttr == null) { + if (attr.isRequired()) { + Logger.info("eIDAS Attr:" + attr.getNameUri() + " is marked as 'Required' but not available."); + throw new MOAIDException("eIDAS.15", new Object[]{attr.getFriendlyName()}); + + } else + Logger.info("eIDAS Attr:" + attr.getNameUri() + " is not available."); + + } else { + //add attribute to Map + attrMapBuilder.put( + (AttributeDefinition)eIDASAttr.getFirst(), + (ImmutableSet)eIDASAttr.getSecond()); + + } + } -- cgit v1.2.3
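Review bot: Whether the new `authData.isUseMandate()` branch really enforces the legal-person MDS depends on `isRequired()` of the two `LegalPersonSpec.Definitions` constants, which is not visible here. `buildAndAddAttribute` throws `eIDAS.15` only for required definitions and otherwise just logs, so with non-required definitions the response would still go out as success without LEGAL_PERSON_IDENTIFIER or LEGAL_NAME. The branch also keys on `isUseMandate()` alone; if mandates can be issued by natural persons (not shown in this hunk), required definitions would presumably make every such login fail. Since this releases attributes the relying party did not request, I would state the intent above the branch, e.g. `// legal-person MDS is mandatory for mandate logins: released even if not requested, login fails if unavailable`, and check the build result explicitly rather than through `isRequired()`. As a style point, the two near-identical `if` blocks could become one loop over both definitions with `LegalPersonSpec` imported, and the log text has typos ("Citzen perfom").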
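Review bot: `buildAndAddAttribute` has no Javadoc although it now carries the fail-or-skip decision for every released attribute, including the ones the mandate branch adds unrequested. I would add `/** Builds one eIDAS attribute and adds it to the builder; throws MOAIDException("eIDAS.15") if a required attribute is unavailable, otherwise logs and skips it. */`. The `else` that logs "is not available." is braceless next to braced branches, and the casts to `AttributeDefinition` and `ImmutableSet` before `attrMapBuilder.put` look like raw, unchecked casts as rendered here; the generic parameters of `Pair` appear garbled on the page, so that is worth confirming against the file. The parameter is typed `IRequest req` while both call sites pass `eidasRequest`, which is fine only if `EIDASData` implements `IRequest` and carries the same online-application configuration the old inline code read from `req`.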