From a6cadad81df2b44a99ca452ea1737abf1fa7d3e8 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 10 Mar 2016 12:31:38 +0100 Subject: add additional PVP response validation --- .../elgamandates/ELGAMandatesAuthConstants.java | 3 +++ .../tasks/ReceiveElgaMandateResponseTask.java | 23 +++++++++++++++++++++- .../elgamandates/tasks/RequestELGAMandateTask.java | 9 ++++++++- 3 files changed, 33 insertions(+), 2 deletions(-) (limited to 'id/server/modules/moa-id-module-elga_mandate_service') diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java index e4eaa5ee7..b50d1cf4e 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java @@ -75,6 +75,9 @@ public class ELGAMandatesAuthConstants { Collections.unmodifiableList(new ArrayList>() { private static final long serialVersionUID = 1L; { + //add PVP Version attribute + add(Pair.newInstance(PVPConstants.PVP_VERSION_NAME, PVPConstants.PVP_VERSION_FRIENDLY_NAME)); + //request mandate type add(Pair.newInstance(PVPConstants.MANDATE_TYPE_NAME, PVPConstants.MANDATE_TYPE_FRIENDLY_NAME)); diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java index 0688e7c64..f976793b8 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java @@ -46,6 +46,7 @@ import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandateServi import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandatesCredentialProvider; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOAURICompare; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; @@ -142,6 +143,8 @@ public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask { } + + //load MOASession object defaultTaskInitialization(request, executionContext); @@ -216,10 +219,28 @@ public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask { Logger.debug("Start PVP-2.1 assertion processing... "); Response samlResp = (Response) msg.getResponse(); + //validate 'inResponseTo' attribute + String authnReqID = pendingReq.getGenericData( + PVPTargetConfiguration.DATAID_INTERFEDERATION_REQUESTID, String.class); + String inResponseTo = samlResp.getInResponseTo(); + + if (MiscUtil.isEmpty(authnReqID) || MiscUtil.isEmpty(inResponseTo) || + !authnReqID.equals(inResponseTo)) { + Logger.info("Validation of request/response IDs FAILED." + + " ReqID:" + authnReqID + " InRespTo:" + inResponseTo); + throw new AuthnResponseValidationException("sp.pvp2.07", + new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING, + "'InResponseTo'"}); + + } + // check SAML2 response status-code if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { //validate PVP 2.1 assertion - samlVerificationEngine.validateAssertion(samlResp, true, credentialProvider.getIDPAssertionEncryptionCredential()); + samlVerificationEngine.validateAssertion(samlResp, true, + credentialProvider.getIDPAssertionEncryptionCredential(), + pendingReq.getAuthURL() + ELGAMandatesAuthConstants.ENDPOINT_METADATA, + ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING); msg.setSAMLMessage(SAML2Utils.asDOMDocument(samlResp).getDocumentElement()); return msg; diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java index 2a3e72640..d25921167 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java @@ -46,6 +46,7 @@ import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandateServi import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandatesCredentialProvider; import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAuthnRequestBuilder; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; @@ -137,7 +138,13 @@ public class RequestELGAMandateTask extends AbstractAuthServletTask { //set MandateReferenceValue as RequestID authnReqConfig.setRequestID(moasession.getMandateReferenceValue()); - + pendingReq.setGenericDataToSession( + PVPTargetConfiguration.DATAID_INTERFEDERATION_REQUESTID, + authnReqConfig.getRequestID()); + + //store pending-request + requestStoreage.storePendingRequest(pendingReq); + //build and transmit AuthnRequest authnReqBuilder.buildAuthnRequest(pendingReq, authnReqConfig , response); -- cgit v1.2.3