From 3536b99c17250772f253ea5925da72a29e327c58 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 11 Sep 2015 18:23:33 +0200 Subject: move authentication protocol implementation to separate modules. authentication protocol modules are loaded by SPI now. --- .../id/protocols/oauth20/OAuth20Configuration.java | 76 ++++++ .../moa/id/protocols/oauth20/OAuth20Constants.java | 70 ++++++ .../id/protocols/oauth20/OAuth20SessionObject.java | 74 ++++++ .../moa/id/protocols/oauth20/OAuth20Util.java | 111 +++++++++ .../egovernment/moa/id/protocols/oauth20/Pair.java | 45 ++++ .../attributes/OAuth20AttributeBuilder.java | 267 +++++++++++++++++++++ .../attributes/OpenIdAudiencesAttribute.java | 47 ++++ .../OpenIdAuthenticationTimeAttribute.java | 46 ++++ .../attributes/OpenIdExpirationTimeAttribute.java | 50 ++++ .../attributes/OpenIdIssueInstantAttribute.java | 48 ++++ .../oauth20/attributes/OpenIdIssuerAttribute.java | 46 ++++ .../oauth20/attributes/OpenIdNonceAttribute.java | 57 +++++ .../OpenIdSubjectIdentifierAttribute.java | 46 ++++ .../attributes/ProfileDateOfBirthAttribute.java | 46 ++++ .../attributes/ProfileFamilyNameAttribute.java | 46 ++++ .../attributes/ProfileGivenNameAttribute.java | 46 ++++ .../exceptions/OAuth20AccessDeniedException.java | 34 +++ .../OAuth20CertificateErrorException.java | 34 +++ .../oauth20/exceptions/OAuth20Exception.java | 71 ++++++ .../exceptions/OAuth20InvalidClientException.java | 34 +++ .../exceptions/OAuth20InvalidGrantException.java | 34 +++ .../exceptions/OAuth20InvalidRequestException.java | 35 +++ .../exceptions/OAuth20OANotSupportedException.java | 44 ++++ .../exceptions/OAuth20ResponseTypeException.java | 34 +++ .../exceptions/OAuth20ServerErrorException.java | 34 +++ .../OAuth20UnauthorizedClientException.java | 34 +++ .../exceptions/OAuth20WrongParameterException.java | 34 +++ .../oauth20/json/OAuth20SHA256Signer.java | 121 ++++++++++ .../oauth20/json/OAuth20SHA256Verifier.java | 84 +++++++ .../oauth20/json/OAuth20SignatureUtil.java | 116 +++++++++ .../id/protocols/oauth20/json/OAuthJsonToken.java | 49 ++++ .../oauth20/json/OAuthSignatureAlgorithm.java | 63 +++++ .../moa/id/protocols/oauth20/json/OAuthSigner.java | 29 +++ .../oauth20/protocol/OAuth20AuthAction.java | 213 ++++++++++++++++ .../oauth20/protocol/OAuth20AuthRequest.java | 234 ++++++++++++++++++ .../oauth20/protocol/OAuth20BaseRequest.java | 144 +++++++++++ .../oauth20/protocol/OAuth20Protocol.java | 215 +++++++++++++++++ .../oauth20/protocol/OAuth20TokenAction.java | 124 ++++++++++ .../oauth20/protocol/OAuth20TokenRequest.java | 157 ++++++++++++ 39 files changed, 3092 insertions(+) create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Configuration.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20SessionObject.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Util.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/Pair.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAudiencesAttribute.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAuthenticationTimeAttribute.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdExpirationTimeAttribute.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssueInstantAttribute.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssuerAttribute.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdNonceAttribute.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdSubjectIdentifierAttribute.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileDateOfBirthAttribute.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileFamilyNameAttribute.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileGivenNameAttribute.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20AccessDeniedException.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20CertificateErrorException.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20Exception.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidClientException.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidGrantException.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidRequestException.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20OANotSupportedException.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ResponseTypeException.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ServerErrorException.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20UnauthorizedClientException.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20WrongParameterException.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SHA256Signer.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SHA256Verifier.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SignatureUtil.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthJsonToken.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSigner.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java create mode 100644 id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java (limited to 'id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20') diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Configuration.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Configuration.java new file mode 100644 index 000000000..e2ac97535 --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Configuration.java @@ -0,0 +1,76 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20; + +import java.util.Properties; + +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.util.FileUtils; + +public class OAuth20Configuration { + + private static OAuth20Configuration instance; + + public static OAuth20Configuration getInstance() { + if (instance == null) { + instance = new OAuth20Configuration(); + } + return instance; + } + + public static final String JWT_KEYSTORE = "jwt.ks.file"; + public static final String JWT_KEYSTORE_PASSWORD = "jwt.ks.password"; + public static final String JWT_KEY_NAME = "jwt.ks.key.name"; + public static final String JWT_KEY_PASSWORD = "jwt.ks.key.password"; + + private Properties props; + private String rootDir = null; + + private OAuth20Configuration() { + try { + props = AuthConfigurationProviderFactory.getInstance().getGeneralOAuth20ProperiesConfig(); + rootDir = AuthConfigurationProviderFactory.getInstance().getRootConfigFileDir(); + } + catch (ConfigurationException e) { + e.printStackTrace(); + } + } + + public String getJWTKeyStore() { + return FileUtils.makeAbsoluteURL(props.getProperty(JWT_KEYSTORE), rootDir); + } + + public String getJWTKeyStorePassword() { + return props.getProperty(JWT_KEYSTORE_PASSWORD).trim(); + } + + public String getJWTKeyName() { + return props.getProperty(JWT_KEY_NAME).trim(); + } + + public String getJWTKeyPassword() { + return props.getProperty(JWT_KEY_PASSWORD).trim(); + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java new file mode 100644 index 000000000..b0736ff2e --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java @@ -0,0 +1,70 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20; + +public final class OAuth20Constants { + + private OAuth20Constants() { + throw new InstantiationError(); + } + + public static final String ERRORPAGE = "moa_errorcodes.html"; + + // error parameters and error codes + public static final String PARAM_ERROR = "error"; + public static final String PARAM_ERROR_DESCRIPTION = "error_description"; + public static final String PARAM_ERROR_URI = "error_uri"; + + public static final String ERROR_INVALID_REQUEST = "invalid_request"; + public static final String ERROR_UNSUPPORTED_RESPONSE_TYPE = "unsupported_response_type"; + public static final String ERROR_INVALID_CLIENT = "invalid_client"; + public static final String ERROR_ACCESS_DENIED = "access_denied"; + public static final String ERROR_SERVER_ERROR = "server_error"; + public static final String ERROR_INVALID_GRANT = "invalid_grant"; + public static final String ERROR_UNAUTHORIZED_CLIENT = "unauthorized_client"; + + // request parameters + //public static final String PARAM_OA_URL = "oaURL"; + public static final String PARAM_RESPONSE_TYPE = "response_type"; + public static final String PARAM_REDIRECT_URI = "redirect_uri"; + public static final String PARAM_STATE = "state"; + public static final String PARAM_NONCE = "nonce"; + public static final String PARAM_GRANT_TYPE = "grant_type"; + public static final String PARAM_GRANT_TYPE_VALUE_AUTHORIZATION_CODE = "authorization_code"; + public static final String PARAM_CLIENT_ID = "client_id"; + public static final String PARAM_CLIENT_SECRET = "client_secret"; + public static final String PARAM_SCOPE = "scope"; + public static final String PARAM_MOA_MOD = "mod"; + public static final String PARAM_MOA_ACTION = "action"; + + + // reponse parameters + public static final String RESPONSE_CODE = "code"; + public static final String RESPONSE_TOKEN = "token"; + public static final String RESPONSE_ACCESS_TOKEN = "access_token"; + public static final String RESPONSE_ID_TOKEN = "id_token"; + public static final String RESPONSE_EXPIRES_IN = "expires_in"; + public static final String RESPONSE_TOKEN_TYPE = "token_type"; + public static final String RESPONSE_TOKEN_TYPE_VALUE_BEARER = "Bearer"; + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20SessionObject.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20SessionObject.java new file mode 100644 index 000000000..4a33a44b7 --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20SessionObject.java @@ -0,0 +1,74 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20; + +import java.io.Serializable; +import java.util.Map; + +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; + +public class OAuth20SessionObject implements Serializable { + + /** + * + */ + private static final long serialVersionUID = 1L; + + private String scope; + + private String code; + + private Map authDataSession; + + public String getScope() { + return scope; + } + + public void setScope(String scope) { + this.scope = scope; + } + + /** + * @return the code + */ + public String getCode() { + return code; + } + + /** + * @param code + * the code to set + */ + public void setCode(String code) { + this.code = code; + } + + public Map getAuthDataSession() { + return authDataSession; + } + + public void setAuthDataSession(Map idToken) { + this.authDataSession = idToken; + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Util.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Util.java new file mode 100644 index 000000000..912060949 --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Util.java @@ -0,0 +1,111 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20; + +import java.io.UnsupportedEncodingException; +import java.util.Map; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +import org.apache.commons.lang.StringUtils; + +import com.google.gson.JsonObject; + +public final class OAuth20Util { + + public static final String REGEX_HTTPS = "^(https?)://[-a-zA-Z0-9+&@#/%?=~_|!:,.;]*[-a-zA-Z0-9+&@#/%=~_|]"; + public static final String REGEX_FILE = "^(file):/.[-a-zA-Z0-9+&@#/%?=~_|!:,.;]*[-a-zA-Z0-9+&@#/%=~_|]"; + + private OAuth20Util() { + throw new InstantiationError(); + } + + /** + * Simple helper function to add parameter to a url + * + * @param url + * @param name + * @param value + * @throws UnsupportedEncodingException + */ + public static void addParameterToURL(final StringBuilder url, final String name, final String value) + throws UnsupportedEncodingException { + if (url.indexOf("?") < 0) { + url.append("?"); + } else { + url.append("&"); + } + // URLEncoder.encode(value, "UTF-8") + url.append(name).append("=").append(value); + } + + public static boolean isUrl(final String url) { + Pattern urlPattern; + if (url.startsWith("file")) { + urlPattern = Pattern.compile(REGEX_FILE, Pattern.CASE_INSENSITIVE); + } else { + urlPattern = Pattern.compile(REGEX_HTTPS, Pattern.CASE_INSENSITIVE); + } + + Matcher matcher = urlPattern.matcher(url); + return matcher.find(); + } + + public static boolean isValidStateValue(String state) { + Pattern urlPattern = Pattern.compile("javascript|<|>|&|;", Pattern.CASE_INSENSITIVE); + Matcher matcher = urlPattern.matcher(state); + return !matcher.find(); + } + + public static void addProperytiesToJsonObject(JsonObject jsonObject, Map params) { + for (Map.Entry param : params.entrySet()) { + + if (!StringUtils.isEmpty(param.getKey()) && param.getValue() != null) { + + // check for integer + try { + int i = Integer.parseInt(String.valueOf(param.getValue())); + jsonObject.addProperty(param.getKey(), i); + continue; + } + catch (NumberFormatException e) { + } + + // check for long + try { + long l = Long.parseLong(String.valueOf(param.getValue())); + jsonObject.addProperty(param.getKey(), l); + continue; + } + catch (NumberFormatException e) { + } + + // string + if (param.getValue() instanceof String) { + jsonObject.addProperty(param.getKey(), String.valueOf(param.getValue())); + } + } + } + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/Pair.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/Pair.java new file mode 100644 index 000000000..eb3cfcccb --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/Pair.java @@ -0,0 +1,45 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20; + +public class Pair { + private final P1 first; + private final P2 second; + + private Pair(final P1 newFirst, final P2 newSecond) { + this.first = newFirst; + this.second = newSecond; + } + + public P1 getFirst() { + return this.first; + } + + public P2 getSecond() { + return this.second; + } + + public static Pair newInstance(final P1 newFirst, final P2 newSecond) { + return new Pair(newFirst, newSecond); + } +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java new file mode 100644 index 000000000..439d08e0b --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java @@ -0,0 +1,267 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.attributes; + +import java.util.ArrayList; +import java.util.List; + +import org.apache.commons.lang.StringUtils; + +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.oauth20.Pair; +import at.gv.egovernment.moa.id.protocols.oauth20.protocol.OAuth20AuthRequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.BPKAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDAuthBlock; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDCcsURL; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDCitizenQAALevelAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDIdentityLinkBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDIssuingNationAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDSTORKTOKEN; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDSectorForIDAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDSignerCertificate; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDSourcePIN; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDSourcePINType; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateLegalPersonFullNameAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateLegalPersonSourcePinAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateLegalPersonSourcePinTypeAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateNaturalPersonBPKAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateNaturalPersonBirthDateAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateNaturalPersonFamilyNameAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateNaturalPersonGivenNameAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateNaturalPersonSourcePinAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateNaturalPersonSourcePinTypeAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateProfRepDescAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateProfRepOIDAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateReferenceValueAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateTypeAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKAdoptedFamilyNameAttributBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKAgeAttributBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKCanonicalResidenceAddressAttributBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKCountryCodeOfBirthAttributBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKFiscalNumberAttributBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKGenderAttributBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKInhertedFamilyNameAttributBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKIsAgeOverAttributBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKMaritalStatusAttributBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKNationalityCodeAttributBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKPseudonymAttributBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKResidencePermitAttributBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKTextResidenceAddressAttributBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKTitleAttributBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.logging.Logger; + +import com.google.gson.JsonObject; +import com.google.gson.JsonPrimitive; + +public final class OAuth20AttributeBuilder { + + private OAuth20AttributeBuilder() { + throw new InstantiationError(); + } + + private static IAttributeGenerator> generator = new IAttributeGenerator>() { + + public Pair buildStringAttribute(final String friendlyName, final String name, final String value) { + return Pair.newInstance(friendlyName, new JsonPrimitive(value)); + } + + public Pair buildIntegerAttribute(final String friendlyName, final String name, final int value) { + return Pair.newInstance(friendlyName, new JsonPrimitive(value)); + } + + public Pair buildLongAttribute(final String friendlyName, final String name, final long value) { + return Pair.newInstance(friendlyName, new JsonPrimitive(value)); + } + + public Pair buildEmptyAttribute(final String friendlyName, final String name) { + return Pair.newInstance(friendlyName, new JsonPrimitive("")); + } + + }; + + private static final List buildersOpenId = new ArrayList(); + private static final List buildersProfile = new ArrayList(); + private static final List buildersEID = new ArrayList(); + private static final List buildersEIDGov = new ArrayList(); + private static final List buildersMandate = new ArrayList(); + private static final List buildersSTORK = new ArrayList(); + static { + // openId + buildersOpenId.add(new OpenIdIssuerAttribute()); + buildersOpenId.add(new OpenIdSubjectIdentifierAttribute()); + buildersOpenId.add(new OpenIdExpirationTimeAttribute()); + buildersOpenId.add(new OpenIdIssueInstantAttribute()); + buildersOpenId.add(new OpenIdAuthenticationTimeAttribute()); + buildersOpenId.add(new OpenIdAudiencesAttribute()); + buildersOpenId.add(new OpenIdNonceAttribute()); + + // profile + buildersProfile.add(new ProfileGivenNameAttribute()); + buildersProfile.add(new ProfileFamilyNameAttribute()); + buildersProfile.add(new ProfileDateOfBirthAttribute()); + + // EID + buildersEID.add(new EIDCcsURL()); + buildersEID.add(new EIDCitizenQAALevelAttributeBuilder()); + buildersEID.add(new EIDIssuingNationAttributeBuilder()); + buildersEID.add(new EIDSectorForIDAttributeBuilder()); + buildersEID.add(new EIDAuthBlock()); + buildersEID.add(new EIDSignerCertificate()); + buildersEID.add(new BPKAttributeBuilder()); + + // eID_gov + buildersEIDGov.add(new EIDSourcePIN()); + buildersEIDGov.add(new EIDSourcePINType()); + buildersEIDGov.add(new EIDIdentityLinkBuilder()); + + // mandate + buildersMandate.add(new MandateTypeAttributeBuilder()); + buildersMandate.add(new MandateReferenceValueAttributeBuilder()); + + buildersMandate.add(new MandateNaturalPersonSourcePinAttributeBuilder()); + buildersMandate.add(new MandateNaturalPersonSourcePinTypeAttributeBuilder()); + buildersMandate.add(new MandateNaturalPersonBPKAttributeBuilder()); + buildersMandate.add(new MandateNaturalPersonFamilyNameAttributeBuilder()); + buildersMandate.add(new MandateNaturalPersonGivenNameAttributeBuilder()); + buildersMandate.add(new MandateNaturalPersonBirthDateAttributeBuilder()); + + buildersMandate.add(new MandateLegalPersonSourcePinAttributeBuilder()); + buildersMandate.add(new MandateLegalPersonSourcePinTypeAttributeBuilder()); + buildersMandate.add(new MandateLegalPersonFullNameAttributeBuilder()); + + buildersMandate.add(new MandateProfRepOIDAttributeBuilder()); + buildersMandate.add(new MandateProfRepDescAttributeBuilder()); + + // STORK + buildersSTORK.add(new EIDSTORKTOKEN()); + buildersSTORK.add(new STORKAdoptedFamilyNameAttributBuilder()); + buildersSTORK.add(new STORKAgeAttributBuilder()); + buildersSTORK.add(new STORKCanonicalResidenceAddressAttributBuilder()); + buildersSTORK.add(new STORKCountryCodeOfBirthAttributBuilder()); + buildersSTORK.add(new STORKFiscalNumberAttributBuilder()); + buildersSTORK.add(new STORKGenderAttributBuilder()); + buildersSTORK.add(new STORKInhertedFamilyNameAttributBuilder()); + buildersSTORK.add(new STORKIsAgeOverAttributBuilder()); + buildersSTORK.add(new STORKMaritalStatusAttributBuilder()); + buildersSTORK.add(new STORKNationalityCodeAttributBuilder()); + buildersSTORK.add(new STORKPseudonymAttributBuilder()); + buildersSTORK.add(new STORKResidencePermitAttributBuilder()); + buildersSTORK.add(new STORKTextResidenceAddressAttributBuilder()); + buildersSTORK.add(new STORKTitleAttributBuilder()); + } + + private static void addAttibutes(final List builders, final JsonObject jsonObject, + final OAAuthParameter oaParam, final IAuthData authData, OAuth20AuthRequest oAuthRequest) { + for (IAttributeBuilder b : builders) { + try { + //TODO: better solution requires more refactoring :( + Pair attribute = null; + if (b instanceof OpenIdNonceAttribute) { + OpenIdNonceAttribute nonceBuilder = (OpenIdNonceAttribute) b; + attribute = nonceBuilder.build(oaParam, authData, oAuthRequest, generator); + + } else + attribute = b.build(oaParam, authData, generator); + + if (attribute != null && !StringUtils.isEmpty(attribute.getSecond().getAsString())) { + jsonObject.add(attribute.getFirst(), attribute.getSecond()); + } + } + catch (AttributeException e) { + Logger.info("Cannot add attribute " + b.getName()); + } + } + } + + public static void addScopeOpenId(final JsonObject jsonObject, + final OAAuthParameter oaParam, final IAuthData authData, + final OAuth20AuthRequest oAuthRequest) { + addAttibutes(buildersOpenId, jsonObject, oaParam, authData, oAuthRequest); + } + + public static void addScopeProfile(final JsonObject jsonObject, + final OAAuthParameter oaParam, final IAuthData authData) { + addAttibutes(buildersProfile, jsonObject, oaParam, authData, null); + } + + public static void addScopeEID(final JsonObject jsonObject, + final OAAuthParameter oaParam, final IAuthData authData) { + addAttibutes(buildersEID, jsonObject, oaParam, authData, null); + } + + public static void addScopeEIDGov(final JsonObject jsonObject, + final OAAuthParameter oaParam, final IAuthData authData) { + addAttibutes(buildersEIDGov, jsonObject, oaParam, authData, null); + } + + public static void addScopeMandate(final JsonObject jsonObject, + final OAAuthParameter oaParam, final IAuthData authData) { + addAttibutes(buildersMandate, jsonObject, oaParam, authData, null); + } + + public static void addScopeSTORK(final JsonObject jsonObject, + final OAAuthParameter oaParam, final IAuthData authData) { + addAttibutes(buildersSTORK, jsonObject, oaParam, authData, null); + } + + /** + * @return the buildersprofile + */ + public static List getBuildersprofile() { + return buildersProfile; + } + + /** + * @return the builderseid + */ + public static List getBuilderseid() { + return buildersEID; + } + + /** + * @return the builderseidgov + */ + public static List getBuilderseidgov() { + return buildersEIDGov; + } + + /** + * @return the buildersmandate + */ + public static List getBuildersmandate() { + return buildersMandate; + } + + /** + * @return the buildersstork + */ + public static List getBuildersstork() { + return buildersSTORK; + } + + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAudiencesAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAudiencesAttribute.java new file mode 100644 index 000000000..404eb1b44 --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAudiencesAttribute.java @@ -0,0 +1,47 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.attributes; + +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; + +public class OpenIdAudiencesAttribute implements IAttributeBuilder { + + public String getName() { + return "aud"; + } + + public ATT build(OAAuthParameter oaParam, IAuthData authData, + IAttributeGenerator g) throws AttributeException { + return g.buildStringAttribute(this.getName(), "", oaParam.getPublicURLPrefix()); + } + + public ATT buildEmpty(IAttributeGenerator g) { + return g.buildEmptyAttribute(this.getName(), ""); + } + +} + diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAuthenticationTimeAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAuthenticationTimeAttribute.java new file mode 100644 index 000000000..121648499 --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAuthenticationTimeAttribute.java @@ -0,0 +1,46 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.attributes; + +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; + +public class OpenIdAuthenticationTimeAttribute implements IAttributeBuilder { + + public String getName() { + return "auth_time"; + } + + public ATT build(OAAuthParameter oaParam, IAuthData authData, + IAttributeGenerator g) throws AttributeException { + return g.buildLongAttribute(this.getName(), "", ((long) (authData.getIssueInstant().getTime() / 1000))); + } + + public ATT buildEmpty(IAttributeGenerator g) { + return g.buildEmptyAttribute(this.getName(), ""); + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdExpirationTimeAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdExpirationTimeAttribute.java new file mode 100644 index 000000000..9230c0105 --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdExpirationTimeAttribute.java @@ -0,0 +1,50 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.attributes; + +import java.util.Date; + +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; + +public class OpenIdExpirationTimeAttribute implements IAttributeBuilder { + + public static final int expirationTime = 5 * 60; // in seconds + + public String getName() { + return "exp"; + } + + public ATT build(OAAuthParameter oaParam, IAuthData authData, + IAttributeGenerator g) throws AttributeException { + return g.buildLongAttribute(this.getName(), "", (long) (new Date().getTime() / 1000 + expirationTime)); + } + + public ATT buildEmpty(IAttributeGenerator g) { + return g.buildEmptyAttribute(this.getName(), ""); + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssueInstantAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssueInstantAttribute.java new file mode 100644 index 000000000..3bdda5c2a --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssueInstantAttribute.java @@ -0,0 +1,48 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.attributes; + +import java.util.Date; + +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; + +public class OpenIdIssueInstantAttribute implements IAttributeBuilder { + + public String getName() { + return "iat"; + } + + public ATT build(OAAuthParameter oaParam, IAuthData authData, + IAttributeGenerator g) throws AttributeException { + return g.buildLongAttribute(this.getName(), "", (long) (new Date().getTime() / 1000)); + } + + public ATT buildEmpty(IAttributeGenerator g) { + return g.buildEmptyAttribute(this.getName(), ""); + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssuerAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssuerAttribute.java new file mode 100644 index 000000000..85c46d5b2 --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssuerAttribute.java @@ -0,0 +1,46 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.attributes; + +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; + +public class OpenIdIssuerAttribute implements IAttributeBuilder { + + public String getName() { + return "iss"; + } + + public ATT build(OAAuthParameter oaParam, IAuthData authData, + IAttributeGenerator g) throws AttributeException { + return g.buildStringAttribute(this.getName(), "", authData.getIssuer()); + } + + public ATT buildEmpty(IAttributeGenerator g) { + return g.buildEmptyAttribute(this.getName(), ""); + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdNonceAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdNonceAttribute.java new file mode 100644 index 000000000..6baa69b1e --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdNonceAttribute.java @@ -0,0 +1,57 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.attributes; + +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.oauth20.protocol.OAuth20AuthRequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; +import at.gv.egovernment.moa.util.MiscUtil; + +public class OpenIdNonceAttribute implements IAttributeBuilder { + + public String getName() { + return "nonce"; + } + + public ATT build(OAAuthParameter oaParam, IAuthData authData, + IAttributeGenerator g) throws AttributeException { + return g.buildStringAttribute(this.getName(), "", null); + } + + public ATT build(OAAuthParameter oaParam, IAuthData authData, OAuth20AuthRequest oAuthRequest, + IAttributeGenerator g) throws AttributeException { + if (MiscUtil.isNotEmpty(oAuthRequest.getNonce())) + return g.buildStringAttribute(this.getName(), "", oAuthRequest.getNonce()); + else + return null; + } + + public ATT buildEmpty(IAttributeGenerator g) { + return g.buildEmptyAttribute(this.getName(), ""); + } + +} + diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdSubjectIdentifierAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdSubjectIdentifierAttribute.java new file mode 100644 index 000000000..d5bda0dba --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdSubjectIdentifierAttribute.java @@ -0,0 +1,46 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.attributes; + +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; + +public class OpenIdSubjectIdentifierAttribute implements IAttributeBuilder { + + public String getName() { + return "sub"; + } + + public ATT build(OAAuthParameter oaParam, IAuthData authData, + IAttributeGenerator g) throws AttributeException { + return g.buildStringAttribute(this.getName(), "", authData.getBPK()); + } + + public ATT buildEmpty(IAttributeGenerator g) { + return g.buildEmptyAttribute(this.getName(), ""); + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileDateOfBirthAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileDateOfBirthAttribute.java new file mode 100644 index 000000000..dd84536ed --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileDateOfBirthAttribute.java @@ -0,0 +1,46 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.attributes; + +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; + +public class ProfileDateOfBirthAttribute implements IAttributeBuilder { + + public String getName() { + return "birthdate"; + } + + public ATT build(OAAuthParameter oaParam, IAuthData authData, + IAttributeGenerator g) throws AttributeException { + return g.buildStringAttribute(this.getName(), "", authData.getFormatedDateOfBirth()); + } + + public ATT buildEmpty(IAttributeGenerator g) { + return g.buildEmptyAttribute(this.getName(), ""); + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileFamilyNameAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileFamilyNameAttribute.java new file mode 100644 index 000000000..02cc66e4b --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileFamilyNameAttribute.java @@ -0,0 +1,46 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.attributes; + +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; + +public class ProfileFamilyNameAttribute implements IAttributeBuilder { + + public String getName() { + return "family_name"; + } + + public ATT build(OAAuthParameter oaParam, IAuthData authData, + IAttributeGenerator g) throws AttributeException { + return g.buildStringAttribute(this.getName(), "", authData.getFamilyName()); + } + + public ATT buildEmpty(IAttributeGenerator g) { + return g.buildEmptyAttribute(this.getName(), ""); + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileGivenNameAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileGivenNameAttribute.java new file mode 100644 index 000000000..302ce8105 --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileGivenNameAttribute.java @@ -0,0 +1,46 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.attributes; + +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; + +public class ProfileGivenNameAttribute implements IAttributeBuilder { + + public String getName() { + return "given_name"; + } + + public ATT build(OAAuthParameter oaParam, IAuthData authData, + IAttributeGenerator g) throws AttributeException { + return g.buildStringAttribute(this.getName(), "", authData.getGivenName()); + } + + public ATT buildEmpty(IAttributeGenerator g) { + return g.buildEmptyAttribute(this.getName(), ""); + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20AccessDeniedException.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20AccessDeniedException.java new file mode 100644 index 000000000..25a30bfcf --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20AccessDeniedException.java @@ -0,0 +1,34 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.exceptions; + +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; + +public class OAuth20AccessDeniedException extends OAuth20Exception { + private static final long serialVersionUID = 1L; + + public OAuth20AccessDeniedException() { + super(OAuth20Constants.ERROR_ACCESS_DENIED, "oauth20.05", new Object[] {}); + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20CertificateErrorException.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20CertificateErrorException.java new file mode 100644 index 000000000..a938d1544 --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20CertificateErrorException.java @@ -0,0 +1,34 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.exceptions; + +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; + +public class OAuth20CertificateErrorException extends OAuth20Exception { + private static final long serialVersionUID = 1L; + + public OAuth20CertificateErrorException(final String name) { + super(OAuth20Constants.ERROR_SERVER_ERROR, "oauth20.09", new Object[] { name }); + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20Exception.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20Exception.java new file mode 100644 index 000000000..307615fbd --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20Exception.java @@ -0,0 +1,71 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.exceptions; + +import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; + +public class OAuth20Exception extends RuntimeException { + + private static final long serialVersionUID = 1L; + + private String messageId; + + private String errorCode; + + public OAuth20Exception(final String errorCode, final String messageId, final Object[] parameters) { + super(MOAIDMessageProvider.getInstance().getMessage(messageId, parameters)); + this.errorCode = errorCode; + this.messageId = messageId; + } + + /** + * @return the messageId + */ + public String getMessageId() { + return messageId; + } + + /** + * @param messageId + * the messageId to set + */ + public void setMessageId(String messageId) { + this.messageId = messageId; + } + + /** + * @return the errorCode + */ + public String getErrorCode() { + return errorCode; + } + + /** + * @param errorCode + * the errorCode to set + */ + public void setErrorCode(String errorCode) { + this.errorCode = errorCode; + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidClientException.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidClientException.java new file mode 100644 index 000000000..9c2875cef --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidClientException.java @@ -0,0 +1,34 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.exceptions; + +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; + +public class OAuth20InvalidClientException extends OAuth20Exception { + private static final long serialVersionUID = 1L; + + public OAuth20InvalidClientException() { + super(OAuth20Constants.ERROR_INVALID_CLIENT, "oauth20.05", new Object[] {}); + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidGrantException.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidGrantException.java new file mode 100644 index 000000000..c0f03c735 --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidGrantException.java @@ -0,0 +1,34 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.exceptions; + +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; + +public class OAuth20InvalidGrantException extends OAuth20Exception { + private static final long serialVersionUID = 1L; + + public OAuth20InvalidGrantException() { + super(OAuth20Constants.ERROR_INVALID_GRANT, "oauth20.07", new Object[] {}); + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidRequestException.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidRequestException.java new file mode 100644 index 000000000..b980840c2 --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidRequestException.java @@ -0,0 +1,35 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.exceptions; + +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; + +public class OAuth20InvalidRequestException extends OAuth20Exception { + private static final long serialVersionUID = 1L; + + public OAuth20InvalidRequestException() { + super(OAuth20Constants.ERROR_INVALID_REQUEST, "oauth20.04", new Object[] {}); + + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20OANotSupportedException.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20OANotSupportedException.java new file mode 100644 index 000000000..0edeb89bc --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20OANotSupportedException.java @@ -0,0 +1,44 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.oauth20.exceptions; + +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; + +/** + * @author tlenz + * + */ +public class OAuth20OANotSupportedException extends OAuth20Exception { + + private static final long serialVersionUID = -8713091674236329339L; + + /** + * @param errorCode + * @param messageId + * @param parameters + */ + public OAuth20OANotSupportedException() { + super(OAuth20Constants.ERROR_SERVER_ERROR, "oauth20.06", new Object[] {}); + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ResponseTypeException.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ResponseTypeException.java new file mode 100644 index 000000000..8de854821 --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ResponseTypeException.java @@ -0,0 +1,34 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.exceptions; + +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; + +public class OAuth20ResponseTypeException extends OAuth20Exception { + private static final long serialVersionUID = 1L; + + public OAuth20ResponseTypeException() { + super(OAuth20Constants.ERROR_UNSUPPORTED_RESPONSE_TYPE, "oauth20.03", new Object[] {}); + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ServerErrorException.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ServerErrorException.java new file mode 100644 index 000000000..470507f08 --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ServerErrorException.java @@ -0,0 +1,34 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.exceptions; + +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; + +public class OAuth20ServerErrorException extends OAuth20Exception { + private static final long serialVersionUID = 1L; + + public OAuth20ServerErrorException() { + super(OAuth20Constants.ERROR_SERVER_ERROR, "oauth20.10", new Object[] {}); + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20UnauthorizedClientException.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20UnauthorizedClientException.java new file mode 100644 index 000000000..ee7b4d7d6 --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20UnauthorizedClientException.java @@ -0,0 +1,34 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.exceptions; + +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; + +public class OAuth20UnauthorizedClientException extends OAuth20Exception { + private static final long serialVersionUID = 1L; + + public OAuth20UnauthorizedClientException() { + super(OAuth20Constants.ERROR_UNAUTHORIZED_CLIENT, "oauth20.08", new Object[] {}); + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20WrongParameterException.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20WrongParameterException.java new file mode 100644 index 000000000..48267d88c --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20WrongParameterException.java @@ -0,0 +1,34 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.exceptions; + +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; + +public class OAuth20WrongParameterException extends OAuth20Exception { + private static final long serialVersionUID = 1L; + + public OAuth20WrongParameterException(final String name) { + super(OAuth20Constants.ERROR_INVALID_REQUEST, "oauth20.02", new Object[] { name }); + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SHA256Signer.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SHA256Signer.java new file mode 100644 index 000000000..50e57bdc1 --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SHA256Signer.java @@ -0,0 +1,121 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + ******************************************************************************/ +/** + * Copyright 2010 Google Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + * + */ +package at.gv.egovernment.moa.id.protocols.oauth20.json; + +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PrivateKey; +import java.security.Signature; +import java.security.SignatureException; + +import net.oauth.jsontoken.crypto.AbstractSigner; +import net.oauth.jsontoken.crypto.RsaSHA256Signer; +import net.oauth.jsontoken.crypto.SignatureAlgorithm; + +/** + * Signer that can sign byte arrays using a {@link PrivateKey} and SHA-256.
+ * This is something like a copy of the {@link RsaSHA256Signer}. + * + */ +public class OAuth20SHA256Signer extends AbstractSigner implements OAuthSigner { + + private final Signature signature; + private final PrivateKey signingKey; + private final OAuthSignatureAlgorithm algorithm; + + /** + * Public constructor. + * + * @param issuer + * The id of this signer, to be included in the JSON Token's envelope. + * @param keyId + * The id of the key used by this signer, to be included in the JSON Token's + * envelope. + * @param key + * the private key to be used for signing. + * @throws InvalidKeyException + * if the key is unsuitable for RSA signing. + */ + public OAuth20SHA256Signer(final String issuer, final String keyId, final PrivateKey key) throws InvalidKeyException { + super(issuer, keyId); + + this.signingKey = key; + this.algorithm = OAuth20SignatureUtil.findSignature(key); + + try { + this.signature = this.algorithm.getSignatureInstance(); + this.signature.initSign(signingKey); + } + catch (NoSuchAlgorithmException e) { + throw new IllegalStateException("Cannot get algorithm for the given private key", e); + } + catch (NoSuchProviderException e) { + throw new IllegalStateException("Cannot get algorithm for the given private key", e); + } + } + + /* + * (non-Javadoc) + * @see net.oauth.jsontoken.crypto.Signer#getSignatureAlgorithm() + */ + public SignatureAlgorithm getSignatureAlgorithm() { + // it is fine to return RS256 because we overwrite the JsonToken for the algorithm name. But + // we need the internal SHA256 which is used. + return SignatureAlgorithm.RS256; + } + + /* + * (non-Javadoc) + * @see net.oauth.jsontoken.crypto.Signer#sign(byte[]) + */ + public byte[] sign(byte[] source) throws SignatureException { + try { + signature.initSign(signingKey); + } + catch (InvalidKeyException e) { + throw new RuntimeException("key somehow became invalid since calling the constructor"); + } + signature.update(source); + return signature.sign(); + } + + public OAuthSignatureAlgorithm getOAuthSignatureAlgorithm() { + return this.algorithm; + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SHA256Verifier.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SHA256Verifier.java new file mode 100644 index 000000000..374320a5a --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SHA256Verifier.java @@ -0,0 +1,84 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.json; + +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PublicKey; +import java.security.Signature; +import java.security.SignatureException; + +import net.oauth.jsontoken.crypto.RsaSHA256Verifier; +import net.oauth.jsontoken.crypto.Verifier; + +/** + * A verifier that can verify signatures on byte arrays using a {@link PublicKey} and SHA-256.
+ * This is something like a copy of the {@link RsaSHA256Verifier}. + */ +public class OAuth20SHA256Verifier implements Verifier { + + private final PublicKey verificationKey; + private final Signature signer; + + /** + * Public Constructor. + * + * @param verificationKey + * the key used to verify the signature. + */ + public OAuth20SHA256Verifier(final PublicKey verificationKey) { + this.verificationKey = verificationKey; + + try { + this.signer = OAuth20SignatureUtil.findSignature(verificationKey).getSignatureInstance(); + this.signer.initVerify(verificationKey); + } + catch (InvalidKeyException e) { + throw new IllegalStateException("key is invalid", e); + } + catch (NoSuchAlgorithmException e) { + throw new IllegalStateException("Cannot get algorithm for the given private key", e); + } + catch (NoSuchProviderException e) { + throw new IllegalStateException("Cannot get algorithm for the given private key", e); + } + } + + /* + * (non-Javadoc) + * @see net.oauth.jsontoken.crypto.Verifier#verifySignature(byte[], byte[]) + */ + public void verifySignature(byte[] source, byte[] signature) throws SignatureException { + try { + signer.initVerify(verificationKey); + } + catch (InvalidKeyException e) { + throw new RuntimeException("key someone become invalid since calling the constructor"); + } + signer.update(source); + if (!signer.verify(signature)) { + throw new SignatureException("signature did not verify"); + } + } +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SignatureUtil.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SignatureUtil.java new file mode 100644 index 000000000..9f20ee956 --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SignatureUtil.java @@ -0,0 +1,116 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.json; + +import java.security.KeyStore; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.cert.X509Certificate; +import java.security.interfaces.ECPrivateKey; +import java.security.interfaces.ECPublicKey; +import java.security.interfaces.RSAPrivateKey; +import java.security.interfaces.RSAPublicKey; + +import org.apache.commons.lang.StringUtils; +import org.opensaml.xml.security.x509.BasicX509Credential; + +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Configuration; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20CertificateErrorException; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.KeyStoreUtils; + +public final class OAuth20SignatureUtil { + + private OAuth20SignatureUtil() { + throw new InstantiationError(); + } + + static OAuthSignatureAlgorithm findSignature(final PrivateKey key) { + Logger.debug("OAuth - Looking for signature for key " + key.getClass()); + if (key instanceof RSAPrivateKey) { + Logger.debug("OAuth - going to uses SHA256withRSA signature"); + return OAuthSignatureAlgorithm.RS256; + } else if (key instanceof ECPrivateKey) { + Logger.debug("OAuth - going to uses SHA256withECDSA signature"); + return OAuthSignatureAlgorithm.ECDSA256; + } else if (key instanceof iaik.security.ecc.ecdsa.ECPrivateKey) { + Logger.debug("OAuth - going to uses SHA256withECDSA signature with iaik"); + return OAuthSignatureAlgorithm.ECDSA256_IAKIK; + } else { + throw new IllegalStateException("Cannot find an alorithm for the given private key"); + } + } + + static OAuthSignatureAlgorithm findSignature(final PublicKey key) { + if (key instanceof RSAPublicKey) { + Logger.debug("OAuth - going to uses SHA256withRSA signature"); + return OAuthSignatureAlgorithm.RS256; + } else if (key instanceof ECPublicKey) { + Logger.debug("OAuth - going to uses SHA256withECDSA signature"); + return OAuthSignatureAlgorithm.ECDSA256; + } else if (key instanceof iaik.security.ecc.ecdsa.ECPublicKey) { + Logger.debug("OAuth - going to uses SHA256withECDSA signature with iaik"); + return OAuthSignatureAlgorithm.ECDSA256_IAKIK; + } else { + throw new IllegalStateException("Cannot find an alorithm for the given private key"); + } + } + + public static OAuthSigner loadSigner(String issuer) throws OAuth20Exception { + OAuth20Configuration globalConfig = OAuth20Configuration.getInstance(); + + if (StringUtils.isEmpty(globalConfig.getJWTKeyStore())) { + throw new OAuth20CertificateErrorException("keystore"); + } + + if (StringUtils.isEmpty(globalConfig.getJWTKeyName())) { + throw new OAuth20CertificateErrorException("key name"); + } + + try { + KeyStore ks = KeyStoreUtils.loadKeyStore(globalConfig.getJWTKeyStore(), globalConfig.getJWTKeyStorePassword()); + + X509Certificate certificate = (X509Certificate) ks.getCertificate(globalConfig.getJWTKeyName()); + + PrivateKey privateKey = (PrivateKey) ks.getKey(globalConfig.getJWTKeyName(), globalConfig.getJWTKeyPassword() + .toCharArray()); + BasicX509Credential credential = new BasicX509Credential(); + credential.setEntityCertificate(certificate); + credential.setPrivateKey(privateKey); + + // Logger.debug("Going to use X509Certificate:"); + // Logger.debug(certificate); + // Logger.debug("Going to use private key:"); + // Logger.debug(privateKey); + + return new OAuth20SHA256Signer(issuer, globalConfig.getJWTKeyName(), credential.getPrivateKey()); + + } + catch (Exception e) { + Logger.error(e.getMessage(), e); + throw new OAuth20CertificateErrorException("keystore"); + } + + } +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthJsonToken.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthJsonToken.java new file mode 100644 index 000000000..af17825fd --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthJsonToken.java @@ -0,0 +1,49 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.json; + +import net.oauth.jsontoken.JsonToken; + +import com.google.gson.JsonObject; + +public class OAuthJsonToken extends JsonToken { + + private final OAuthSigner signer; + + public OAuthJsonToken(OAuthSigner signer) { + super(signer); + this.signer = signer; + } + + @Override + public JsonObject getHeader() { + JsonObject header = new JsonObject(); + header.addProperty(ALGORITHM_HEADER, signer.getOAuthSignatureAlgorithm().getAlgorithm()); + String keyId = getKeyId(); + if (keyId != null) { + header.addProperty(KEY_ID_HEADER, keyId); + } + return header; + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java new file mode 100644 index 000000000..db15516e7 --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java @@ -0,0 +1,63 @@ +package at.gv.egovernment.moa.id.protocols.oauth20.json; + +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.Signature; + +import org.apache.commons.lang.StringUtils; + +/** + * Enum of the signature algorithms supported by this package. + */ +public enum OAuthSignatureAlgorithm { + ECDSA256("SHA256withECDSA", "ECDSA256", null), RS256("SHA256withRSA", "RS256", null), ECDSA256_IAKIK("SHA1withECDSA", "ECDSA256", + "IAIK_ECC"); + + private final String signatureName; + private final String algorithm; + private final String providerName; + + private OAuthSignatureAlgorithm(final String signatureName, final String hashAlg, final String providerName) { + this.signatureName = signatureName; + this.algorithm = hashAlg; + this.providerName = providerName; + } + + /** + * What the signature algorithm is named in the "alg" parameter in a JSON Token's envelope. + */ + public String getAlgorithm() { + return this.algorithm; + } + + /** + * + * @return the signature name like SHA256withECDSA or SHA256withRSA + */ + public String getSignatureName() { + return this.signatureName; + } + + /** + * Calls {@link Signature#getInstance(String)} with the defined signature name + * + * @return + * @throws NoSuchAlgorithmException + * @throws NoSuchProviderException + */ + public Signature getSignatureInstance() throws NoSuchAlgorithmException, NoSuchProviderException { + if (!StringUtils.isEmpty(this.providerName)) { + //return Signature.getInstance(this.signatureName, this.providerName); + return Signature.getInstance(this.signatureName, this.providerName); + } else { + return Signature.getInstance(this.signatureName); + } + } + + /** + * Given the name of the algorithm in the envelope, returns the corresponding enum instance. + */ + public static OAuthSignatureAlgorithm getFromJsonName(String name) { + return OAuthSignatureAlgorithm.valueOf(name); + } +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSigner.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSigner.java new file mode 100644 index 000000000..3904f8cef --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSigner.java @@ -0,0 +1,29 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.json; + +import net.oauth.jsontoken.crypto.Signer; + +public interface OAuthSigner extends Signer { + public abstract OAuthSignatureAlgorithm getOAuthSignatureAlgorithm(); +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java new file mode 100644 index 000000000..d90df51e7 --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java @@ -0,0 +1,213 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.protocol; + +import java.security.SignatureException; +import java.util.HashMap; +import java.util.Map; +import java.util.UUID; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; +import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.SLOInformationImpl; +import at.gv.egovernment.moa.id.data.SLOInformationInterface; +import at.gv.egovernment.moa.id.moduls.IAction; +import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject; +import at.gv.egovernment.moa.id.protocols.oauth20.Pair; +import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OAuth20AttributeBuilder; +import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OpenIdExpirationTimeAttribute; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ResponseTypeException; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ServerErrorException; +import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuth20SignatureUtil; +import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthJsonToken; +import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthSigner; +import at.gv.egovernment.moa.id.storage.AssertionStorage; +import at.gv.egovernment.moa.id.util.Random; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +class OAuth20AuthAction implements IAction { + + public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, + IAuthData authData) throws MOAIDException { + + OAuth20AuthRequest oAuthRequest = (OAuth20AuthRequest) req; + String responseType = oAuthRequest.getResponseType(); + + MOAReversionLogger.getInstance().logEvent(req, MOAIDEventConstants.AUTHPROTOCOL_OPENIDCONNECT_AUTHREQUEST); + + String code = Random.nextRandom(); + + try { + + String accessToken = UUID.randomUUID().toString(); + + Logger.debug("Stored session with id: " + code); + OAuth20SessionObject o = new OAuth20SessionObject(); + if (responseType.equals(OAuth20Constants.RESPONSE_CODE)) { + o.setScope(oAuthRequest.getScope()); + o.setCode(code); + + //generate idToken from MOASession + Map idToken = generateIDToken(o, oAuthRequest, authData, accessToken); + o.setAuthDataSession(idToken); + + } else if (responseType.equals(OAuth20Constants.RESPONSE_TOKEN)) { + throw new OAuth20ResponseTypeException(); + } + + // store data in oath session + AssertionStorage.getInstance().put(code, o); + + Logger.debug("Saved OAuth20SessionObject in session with id: " + code); + + // add code and state to redirect url + httpResp.setStatus(HttpServletResponse.SC_FOUND); + String redirectURI = oAuthRequest.getRedirectUri(); + String state = oAuthRequest.getState(); + + redirectURI = this.addURLParameter(redirectURI, OAuth20Constants.RESPONSE_CODE, code); + redirectURI = this.addURLParameter(redirectURI, OAuth20Constants.PARAM_STATE, state); + + String finalUrl = redirectURI; + httpResp.addHeader("Location", finalUrl); + Logger.debug("REDIRECT TO: " + finalUrl.toString()); + + + //TODO: maybe add bPK / wbPK to SLO information + SLOInformationInterface sloInformation = new SLOInformationImpl(accessToken, null, null, req.requestedModule()); + + return sloInformation; + } + catch (Exception e) { + + //remove OAuthSessionObject if it already exists + if (AssertionStorage.getInstance().containsKey(code)) { + AssertionStorage.getInstance().remove(code); + } + + if (e instanceof OAuth20Exception) { + throw (OAuth20Exception) e; + } + throw new OAuth20ServerErrorException(); + } + + } + + private Map generateIDToken(OAuth20SessionObject auth20SessionObject, + OAuth20AuthRequest oAuthRequest, IAuthData authData, String accessToken) throws SignatureException, MOAIDException { + + // create response + Map params = new HashMap(); + params.put(OAuth20Constants.RESPONSE_ACCESS_TOKEN, accessToken); + params.put(OAuth20Constants.RESPONSE_TOKEN_TYPE, OAuth20Constants.RESPONSE_TOKEN_TYPE_VALUE_BEARER); + params.put(OAuth20Constants.RESPONSE_EXPIRES_IN, OpenIdExpirationTimeAttribute.expirationTime); + // build id token and scope + Pair pair = buildIdToken(auth20SessionObject.getScope(), oAuthRequest, + authData); + Logger.debug("RESPONSE ID_TOKEN: " + pair.getFirst()); + params.put(OAuth20Constants.RESPONSE_ID_TOKEN, pair.getFirst()); + Logger.debug("RESPONSE SCOPE: " + pair.getSecond()); + params.put(OAuth20Constants.PARAM_SCOPE, pair.getSecond()); + + return params; + + } + + private Pair buildIdToken(String scope, OAuth20AuthRequest oAuthRequest, IAuthData authData) + throws MOAIDException, SignatureException { + OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(oAuthRequest.getOAURL()); + + OAuthSigner signer = OAuth20SignatureUtil.loadSigner(authData.getIssuer()); + OAuthJsonToken token = new OAuthJsonToken(signer); + + StringBuilder resultScopes = new StringBuilder(); + // always fill with open id + OAuth20AttributeBuilder.addScopeOpenId(token.getPayloadAsJsonObject(), oaParam, authData, oAuthRequest); + resultScopes.append("openId"); + + for (String s : scope.split(" ")) { + if (s.equalsIgnoreCase("profile")) { + OAuth20AttributeBuilder.addScopeProfile(token.getPayloadAsJsonObject(), oaParam, authData); + resultScopes.append(" profile"); + } else if (s.equalsIgnoreCase("eID")) { + OAuth20AttributeBuilder.addScopeEID(token.getPayloadAsJsonObject(), oaParam, authData); + resultScopes.append(" eID"); + } else if (s.equalsIgnoreCase("eID_gov")) { + OAuth20AttributeBuilder.addScopeEIDGov(token.getPayloadAsJsonObject(), oaParam, authData); + resultScopes.append(" eID_gov"); + } else if (s.equalsIgnoreCase("mandate")) { + OAuth20AttributeBuilder.addScopeMandate(token.getPayloadAsJsonObject(), oaParam, authData); + resultScopes.append(" mandate"); + } else if (s.equalsIgnoreCase("stork")) { + OAuth20AttributeBuilder.addScopeSTORK(token.getPayloadAsJsonObject(), oaParam, authData); + resultScopes.append(" stork"); + } + } + + // add properties and sign + // HmacSHA256Signer signer = new HmacSHA256Signer("testSigner", "key_id", + // "super_secure_pwd".getBytes()); + // Signer signer = OAuth20Util.loadSigner(authData.getIssuer(), oaParam.getoAuth20Config()); + + return Pair.newInstance(token.serializeAndSign(), resultScopes.toString()); + } + + /* + * (non-Javadoc) + * @see + * at.gv.egovernment.moa.id.moduls.IAction#needAuthentication(at.gv.egovernment.moa.id.moduls + * .IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) + */ + public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp) { + return true; + } + + private String addURLParameter(String url, String name, String value) { + String param = name + "=" + value; + if (url.indexOf("?") < 0) { + return url + "?" + param; + } else { + return url + "&" + param; + } + } + + /* + * (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IAction#getDefaultActionName() + */ + public String getDefaultActionName() { + return OAuth20Protocol.AUTH_ACTION; + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java new file mode 100644 index 000000000..06509b333 --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java @@ -0,0 +1,234 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.protocol; + +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import javax.servlet.http.HttpServletRequest; + +import org.opensaml.saml2.core.Attribute; + +import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util; +import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OAuth20AttributeBuilder; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20AccessDeniedException; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ResponseTypeException; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20WrongParameterException; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder; +import at.gv.egovernment.moa.logging.Logger; + +public class OAuth20AuthRequest extends OAuth20BaseRequest { + + private static final long serialVersionUID = 1L; + + private String responseType; + private String state; + private String redirectUri; + private String scope; + private String clientID; + private String nonce; + + /** + * @return the responseType + */ + public String getResponseType() { + return responseType; + } + + /** + * @param responseType + * the responseType to set + */ + public void setResponseType(String responseType) { + this.responseType = responseType; + } + + /** + * @return the state + */ + public String getState() { + return state; + } + + /** + * @param state + * the state to set + */ + public void setState(String state) { + this.state = state; + } + + /** + * @return the redirectUri + */ + public String getRedirectUri() { + return redirectUri; + } + + /** + * @param redirectUri + * the redirectUri to set + */ + public void setRedirectUri(String redirectUri) { + this.redirectUri = redirectUri; + } + + /** + * @return the scope + */ + public String getScope() { + return scope; + } + + /** + * @param scope + * the scope to set + */ + public void setScope(String scope) { + this.scope = scope; + } + + /** + * @return the clientID + */ + public String getClientID() { + return clientID; + } + + /** + * @param clientID + * the clientID to set + */ + public void setClientID(String clientID) { + this.clientID = clientID; + } + + + + /** + * @return the nonce + */ + public String getNonce() { + return nonce; + } + + /** + * @param nonce the nonce to set + */ + public void setNonce(String nonce) { + this.nonce = nonce; + } + + @Override + protected void populateSpecialParameters(HttpServletRequest request) throws OAuth20Exception { + this.setResponseType(this.getParam(request, OAuth20Constants.PARAM_RESPONSE_TYPE, true)); + this.setState(this.getParam(request, OAuth20Constants.PARAM_STATE, true)); + this.setRedirectUri(this.getParam(request, OAuth20Constants.PARAM_REDIRECT_URI, true)); + this.setClientID(this.getParam(request, OAuth20Constants.PARAM_CLIENT_ID, true)); + this.setScope(this.getParam(request, OAuth20Constants.PARAM_SCOPE, false)); + this.setNonce(this.getParam(request, OAuth20Constants.PARAM_NONCE, false)); + + // check for response type + if (!this.responseType.equals(OAuth20Constants.RESPONSE_CODE)) { + throw new OAuth20ResponseTypeException(); + } + + // check state for invalid characters (like < > & ; ... javascript ... to prevent xss) + if (!OAuth20Util.isValidStateValue(this.getState())) { + throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_STATE); + } + + // check if client id and redirect uri are ok + try { + // OAOAUTH20 cannot be null at this point. check was done in base request + OAAuthParameter oAuthConfig = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(this.getOAURL()); + + + if (!this.getClientID().equals(oAuthConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTID)) + || !this.getRedirectUri().equals(oAuthConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_REDIRECTURL))) { + throw new OAuth20AccessDeniedException(); + } + + this.setOnlineApplicationConfiguration(oAuthConfig); + Logger.info("Dispatch OpenIDConnect AuthRequest: ClientID=" + this.clientID); + + + } catch (ConfigurationException e) { + throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_CLIENT_ID); + } + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes() + */ + @Override + public List getRequestedAttributes() { + Map reqAttr = new HashMap(); + for (String el : PVP2XProtocol.DEFAULTREQUESTEDATTRFORINTERFEDERATION) + reqAttr.put(el, ""); + + try { + OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(getOAURL()); + + for (String s : scope.split(" ")) { + if (s.equalsIgnoreCase("profile")) { + for (IAttributeBuilder el :OAuth20AttributeBuilder.getBuildersprofile()) + reqAttr.put(el.getName(), ""); + + } else if (s.equalsIgnoreCase("eID")) { + for (IAttributeBuilder el :OAuth20AttributeBuilder.getBuilderseid()) + reqAttr.put(el.getName(), ""); + + } else if (s.equalsIgnoreCase("eID_gov")) { + for (IAttributeBuilder el :OAuth20AttributeBuilder.getBuilderseidgov()) + reqAttr.put(el.getName(), ""); + + } else if (s.equalsIgnoreCase("mandate")) { + for (IAttributeBuilder el :OAuth20AttributeBuilder.getBuildersmandate()) + reqAttr.put(el.getName(), ""); + + } else if (s.equalsIgnoreCase("stork")) { + for (IAttributeBuilder el :OAuth20AttributeBuilder.getBuildersstork()) + reqAttr.put(el.getName(), ""); + + } + } + + return AttributQueryBuilder.buildSAML2AttributeList(oa, reqAttr.keySet().iterator()); + + } catch (ConfigurationException e) { + Logger.error("Load configuration for OA " + getOAURL() + " FAILED", e); + return null; + } + } +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java new file mode 100644 index 000000000..bd3fdb3e8 --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java @@ -0,0 +1,144 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.protocol; + +import java.util.HashSet; +import java.util.Iterator; +import java.util.Set; + +import javax.servlet.http.HttpServletRequest; + +import org.apache.commons.lang.StringEscapeUtils; +import org.apache.commons.lang.StringUtils; + +import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; +import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger; +import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.moduls.RequestImpl; +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20InvalidRequestException; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20OANotSupportedException; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20WrongParameterException; +import at.gv.egovernment.moa.id.util.ParamValidatorUtils; +import at.gv.egovernment.moa.logging.Logger; + +abstract class OAuth20BaseRequest extends RequestImpl { + + private static final long serialVersionUID = 1L; + + protected Set allowedParameters = new HashSet(); + + protected OAuth20BaseRequest() { + + } + + protected String getParam(final HttpServletRequest request, final String name, final boolean isNeeded) throws OAuth20Exception { + String param = request.getParameter(name); + Logger.debug("Reading param " + name + " from HttpServletRequest with value " + param); + + if (isNeeded && StringUtils.isEmpty(param)) { + throw new OAuth20WrongParameterException(name); + } + + this.allowedParameters.add(name); + + return param; + } + + protected void populateParameters(final HttpServletRequest request) throws OAuth20Exception { + + // moa id - load oa with client id! + try { + String oaURL = StringEscapeUtils.escapeHtml(this.getParam(request, OAuth20Constants.PARAM_CLIENT_ID, true)); + if (!ParamValidatorUtils.isValidOA(oaURL)) { + throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_CLIENT_ID); + } + this.setOAURL(oaURL); + OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(oaURL); + + if (oaParam == null) { + throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_CLIENT_ID); + } + this.setTarget(oaParam.getTarget()); + + if (StringUtils.isEmpty(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTSECRET)) + || StringUtils.isEmpty(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTID)) + || StringUtils.isEmpty(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_REDIRECTURL))) { + throw new OAuth20OANotSupportedException(); + } + } + catch (ConfigurationException e) { + throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_CLIENT_ID); + } + + // oAuth + this.populateSpecialParameters(request); + + // cleanup parameters + this.checkAllowedParameters(request); + } + + private void checkAllowedParameters(final HttpServletRequest request) { + Logger.debug("Going to check for allowed parameters"); + this.allowedParameters.add(OAuth20Constants.PARAM_MOA_ACTION); + this.allowedParameters.add(OAuth20Constants.PARAM_MOA_MOD); + + @SuppressWarnings("rawtypes") + Iterator iter = request.getParameterMap().keySet().iterator(); + while (iter.hasNext()) { + String name = (String) iter.next(); + if (!this.allowedParameters.contains(name)) { + + Logger.debug("Found wrong parameter: " + name); + throw new OAuth20WrongParameterException(name); + } + } + + } + + protected abstract void populateSpecialParameters(final HttpServletRequest request) throws OAuth20Exception; + + public static OAuth20BaseRequest newInstance(final String action, final HttpServletRequest request, String sessionId, String transactionId) throws OAuth20Exception { + OAuth20BaseRequest res; + + if (action.equals(OAuth20Protocol.AUTH_ACTION)) { + res = new OAuth20AuthRequest(); + + } else if (action.equals(OAuth20Protocol.TOKEN_ACTION)) { + res = new OAuth20TokenRequest(); + + } else { + throw new OAuth20InvalidRequestException(); + } + + res.setAction(action); + res.setModule(OAuth20Protocol.NAME); + + res.populateParameters(request); + return res; + } +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java new file mode 100644 index 000000000..56d86df72 --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java @@ -0,0 +1,215 @@ +package at.gv.egovernment.moa.id.protocols.oauth20.protocol; + +import java.net.URLEncoder; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.lang.StringUtils; + +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.moduls.IAction; +import at.gv.egovernment.moa.id.moduls.IModulInfo; +import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.util.ErrorResponseUtils; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +import com.google.gson.JsonObject; + +import java.util.Arrays; + +public class OAuth20Protocol implements IModulInfo { + + public static final String NAME = OAuth20Protocol.class.getName(); + public static final String PATH = "id_oauth20"; + + public static final String AUTH_ACTION = "AUTH"; + public static final String TOKEN_ACTION = "TOKEN"; + + public static final List DEFAULTREQUESTEDATTRFORINTERFEDERATION = Arrays.asList( + new String[] { + PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME, + PVPConstants.BPK_NAME + }); + + private static HashMap actions = new HashMap(); + + static { + actions.put(AUTH_ACTION, new OAuth20AuthAction()); + actions.put(TOKEN_ACTION, new OAuth20TokenAction()); + } + + public String getName() { + return NAME; + } + + public String getPath() { + return PATH; + } + + public IAction getAction(String action) { + return actions.get(action); + } + + /* + * (non-Javadoc) + * @see + * at.gv.egovernment.moa.id.moduls.IModulInfo#preProcess(javax.servlet.http.HttpServletRequest, + * javax.servlet.http.HttpServletResponse, java.lang.String) + */ + public IRequest preProcess(HttpServletRequest request, HttpServletResponse resp, String action, + String sessionId, String transactionId) throws MOAIDException { + // validation is done inside creation + OAuth20BaseRequest res = OAuth20BaseRequest.newInstance(action, request, sessionId, transactionId); + Logger.debug("Created: " + res); + return res; + } + + /* + * (non-Javadoc) + * @see + * at.gv.egovernment.moa.id.moduls.IModulInfo#canHandleRequest(javax.servlet.http.HttpServletRequest + * , javax.servlet.http.HttpServletResponse) + */ + public IAction canHandleRequest(HttpServletRequest request, HttpServletResponse response) { + if (!StringUtils.isEmpty(request.getParameter("action"))) { + if (request.getParameter("action").equals(AUTH_ACTION)) { + return getAction(AUTH_ACTION); + } else if (request.getParameter("action").equals(TOKEN_ACTION)) { + return getAction(TOKEN_ACTION); + } + } + + return null;// getAction(AUTH_ACTION); + } + + /* + * (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IModulInfo#generateErrorMessage(java.lang.Throwable, + * javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, + * at.gv.egovernment.moa.id.moduls.IRequest) + */ + public boolean generateErrorMessage(Throwable e, HttpServletRequest request, HttpServletResponse response, IRequest protocolRequest) + throws Throwable { + + // get error code and description + String errorCode; + String errorDescription; + String errorUri = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix() + +"/" + OAuth20Constants.ERRORPAGE; + String moaError = null; + + ErrorResponseUtils errorUtils = ErrorResponseUtils.getInstance(); + + if (e instanceof OAuth20Exception) { + errorCode = ((OAuth20Exception) e).getErrorCode(); + errorDescription = URLEncoder.encode(((OAuth20Exception) e).getMessageId() + ": " + e.getMessage(), "UTF-8"); + moaError = errorUtils.mapInternalErrorToExternalError(((OAuth20Exception) e).getMessageId()); + + } else { + errorCode = OAuth20Constants.ERROR_SERVER_ERROR; + errorDescription = URLEncoder.encode(e.getMessage(), "UTF-8"); + moaError = errorUtils.getResponseErrorCode(e); + } + + String paramRedirect = null; + String state = null; + boolean isAuthRequest = false; + if (protocolRequest != null) { + if (protocolRequest instanceof OAuth20AuthRequest) { + isAuthRequest = true; + + paramRedirect = ((OAuth20AuthRequest) protocolRequest).getRedirectUri(); + state = ((OAuth20AuthRequest) protocolRequest).getState(); + } else { + isAuthRequest = false; + } + } else { + String action = request.getParameter("action"); + if (MiscUtil.isNotEmpty(action)) { + if (action.equals(AUTH_ACTION)) { + + paramRedirect = request.getParameter(OAuth20Constants.PARAM_REDIRECT_URI); + state = request.getParameter(OAuth20Constants.PARAM_STATE); + isAuthRequest = true; + } + } else { + throw new MOAIDException("oauth20.01", new Object[] {}); + } + } + + // if (action.equals(AUTH_ACTION)) { + if (isAuthRequest) { + Logger.debug("Going to throw O OAuth20Exception for auth request"); + + StringBuilder url = new StringBuilder(); + + // check if given redirect url is ok + if (StringUtils.isNotEmpty(paramRedirect) && OAuth20Util.isUrl(paramRedirect)) { + url.append(paramRedirect); + + // otherwise throw an + } else { + throw new MOAIDException("oauth20.01", new Object[] {}); + } + + OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR, errorCode); + OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_DESCRIPTION, errorDescription); + if (MiscUtil.isNotEmpty(moaError)) + OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_URI, errorUri + "#" + moaError); + OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_STATE, state); + + response.setContentType("text/html"); + response.setStatus(HttpServletResponse.SC_FOUND); + response.addHeader("Location", url.toString()); + Logger.debug("REDIRECT TO: " + url.toString()); + return true; + + } else { + Logger.debug("Going to throw O OAuth20Exception for token request"); + + Map params = new HashMap(); + params.put(OAuth20Constants.PARAM_ERROR, errorCode); + params.put(OAuth20Constants.PARAM_ERROR_DESCRIPTION, errorDescription); + params.put(OAuth20Constants.PARAM_ERROR_URI, errorUri + "#" + moaError); + + // create response + JsonObject jsonObject = new JsonObject(); + OAuth20Util.addProperytiesToJsonObject(jsonObject, params); + String jsonResponse = jsonObject.toString(); + Logger.debug("JSON Response: " + jsonResponse); + + // write respone to http response + response.setContentType("application/json"); + response.setStatus(HttpServletResponse.SC_BAD_REQUEST); + response.getOutputStream().print(jsonResponse); + response.getOutputStream().close(); + + return true; + } + + // return false; + + } + + /* + * (non-Javadoc) + * @see + * at.gv.egovernment.moa.id.moduls.IModulInfo#validate(javax.servlet.http.HttpServletRequest, + * javax.servlet.http.HttpServletResponse, at.gv.egovernment.moa.id.moduls.IRequest) + */ + public boolean validate(HttpServletRequest request, HttpServletResponse response, IRequest pending) { + // we validate in the preProcess + return true; + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java new file mode 100644 index 000000000..2238a25e1 --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java @@ -0,0 +1,124 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.protocol; + + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; +import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.SLOInformationInterface; +import at.gv.egovernment.moa.id.moduls.IAction; +import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject; +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ServerErrorException; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20UnauthorizedClientException; +import at.gv.egovernment.moa.id.storage.AssertionStorage; +import at.gv.egovernment.moa.logging.Logger; + +import com.google.gson.JsonObject; + +class OAuth20TokenAction implements IAction { + + public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, + IAuthData authData) throws MOAIDException { + + + OAuth20SessionObject auth20SessionObject = null; + try { + OAuth20TokenRequest oAuthRequest = (OAuth20TokenRequest) req; + + MOAReversionLogger.getInstance().logEvent(req, MOAIDEventConstants.AUTHPROTOCOL_OPENIDCONNECT_TOKENREQUEST); + + try { + Logger.debug("Loaded OAuth20SessionObject from session: " + oAuthRequest.getCode()); + + auth20SessionObject = + AssertionStorage.getInstance().get(oAuthRequest.getCode(), OAuth20SessionObject.class); + + } catch (MOADatabaseException e) { + throw new OAuth20UnauthorizedClientException(); + + } + + // do checking for different grant types and code + if (auth20SessionObject == null || !auth20SessionObject.getCode().equals(oAuthRequest.getCode())) { + throw new OAuth20UnauthorizedClientException(); + } else { + Logger.debug("Loaded of OAuth20SessionObject was successful"); + } + + // create response + JsonObject jsonObject = new JsonObject(); + OAuth20Util.addProperytiesToJsonObject(jsonObject, auth20SessionObject.getAuthDataSession()); + String jsonResponse = jsonObject.toString(); + Logger.debug("JSON Response: " + jsonResponse); + + // write respone to http response + httpResp.setContentType("application/json"); + httpResp.setStatus(HttpServletResponse.SC_OK); + httpResp.getOutputStream().print(jsonResponse); + httpResp.getOutputStream().close(); + + return null; + } + catch (Exception e) { + Logger.error(e.getMessage(), e); + throw new OAuth20ServerErrorException(); + } + + finally { + if (auth20SessionObject != null) { + // destroy session for clean up + + Logger.debug("Going to destroy session: " + auth20SessionObject.getCode()); + AssertionStorage.getInstance().remove(auth20SessionObject.getCode()); + + } + } + } + + /* + * (non-Javadoc) + * @see + * at.gv.egovernment.moa.id.moduls.IAction#needAuthentication(at.gv.egovernment.moa.id.moduls + * .IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) + */ + public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp) { + return false; + } + + /* + * (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IAction#getDefaultActionName() + */ + public String getDefaultActionName() { + return OAuth20Protocol.TOKEN_ACTION; + } + +} diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java new file mode 100644 index 000000000..6bebe5a6a --- /dev/null +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java @@ -0,0 +1,157 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.protocols.oauth20.protocol; + +import java.util.List; + +import javax.servlet.http.HttpServletRequest; + +import org.opensaml.saml2.core.Attribute; + +import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20AccessDeniedException; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20InvalidGrantException; +import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20WrongParameterException; +import at.gv.egovernment.moa.logging.Logger; + +class OAuth20TokenRequest extends OAuth20BaseRequest { + + private static final long serialVersionUID = 1L; + + private String code; + private String grantType; + private String clientID; + private String clientSecret; + + /** + * @return the code + */ + public String getCode() { + return code; + } + + /** + * @param code + * the code to set + */ + public void setCode(String code) { + this.code = code; + } + + /** + * @return the grantType + */ + public String getGrantType() { + return grantType; + } + + /** + * @param grantType + * the grantType to set + */ + public void setGrantType(String grantType) { + this.grantType = grantType; + } + + /** + * @return the clientID + */ + public String getClientID() { + return clientID; + } + + /** + * @param clientID + * the clientID to set + */ + public void setClientID(String clientID) { + this.clientID = clientID; + } + + /** + * @return the clientSecret + */ + public String getClientSecret() { + return clientSecret; + } + + /** + * @param clientSecret + * the clientSecret to set + */ + public void setClientSecret(String clientSecret) { + this.clientSecret = clientSecret; + } + + @Override + protected void populateSpecialParameters(HttpServletRequest request) throws OAuth20Exception { + this.setCode(this.getParam(request, OAuth20Constants.RESPONSE_CODE, true)); + this.setGrantType(this.getParam(request, OAuth20Constants.PARAM_GRANT_TYPE, true)); + this.setClientID(this.getParam(request, OAuth20Constants.PARAM_CLIENT_ID, true)); + this.setClientSecret(this.getParam(request, OAuth20Constants.PARAM_CLIENT_SECRET, true)); + + // check for grant type + if (!this.getGrantType().equals(OAuth20Constants.PARAM_GRANT_TYPE_VALUE_AUTHORIZATION_CODE)) { + throw new OAuth20InvalidGrantException(); + } + + // check if client id and secret are ok + try { + // OAOAUTH20 cannot be null at this point. check was done in base request + OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(this.getOAURL()); + + if (!this.getClientID().equals(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTID))) { + throw new OAuth20AccessDeniedException(); + } + + if (!this.getClientSecret().equals(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTSECRET))) { + throw new OAuth20AccessDeniedException(); + } + + this.setOnlineApplicationConfiguration(oaParam); + + } + catch (ConfigurationException e) { + throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_CLIENT_ID); + } + + Logger.info("Dispatch OpenIDConnect TokenRequest: ClientID=" + this.clientID); + + //add valid parameters + this.allowedParameters.add(OAuth20Constants.PARAM_SCOPE); + this.allowedParameters.add(OAuth20Constants.PARAM_REDIRECT_URI); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes() + */ + @Override + public List getRequestedAttributes() { + return null; + } +} -- cgit v1.2.3