From a06f94c9da130af5cf755b7d6465c8905d37d75b Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 5 Jun 2018 15:05:50 +0200
Subject: add one method to AssertionAttributeExtractor and add some log
 messages

---
 .../sl20_auth/tasks/ReceiveQualeIDTask.java        | 44 +++++++++++++++-------
 1 file changed, 30 insertions(+), 14 deletions(-)

(limited to 'id/server/modules/moa-id-module-sl20_authentication/src/main/java')

diff --git a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
index 9262e43e9..03db52695 100644
--- a/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
+++ b/id/server/modules/moa-id-module-sl20_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/sl20_auth/tasks/ReceiveQualeIDTask.java
@@ -49,15 +49,16 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 	
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
-			throws TaskExecutionException {
+			throws TaskExecutionException {		
+		String sl20Result = null;
 		
 		try {
 			Logger.debug("Receiving SL2.0 response process .... ");
-			JsonObject sl20ReqObj = null;
+			JsonObject sl20ReqObj = null;			
 			try {
 				//get SL2.0 command or result from HTTP request
 				Map<String, String> reqParams = getParameters(request);
-				String sl20Result = reqParams.get(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM);
+				sl20Result = reqParams.get(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM);
 				
 				if (MiscUtil.isEmpty(sl20Result)) {
 					
@@ -103,10 +104,15 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 				VerificationResult payLoadContainer = SL20JSONExtractorUtils.extractSL20PayLoad(sl20ReqObj, joseTools, 
 						authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true));
 				
-				if (payLoadContainer.isValidSigned() == null || 
-						!payLoadContainer.isValidSigned()) {
-					Logger.info("SL20 result from VDA was not valid signed");
-					throw new SL20SecurityException(new Object[]{"Signature on SL20 result NOT valid."});
+				if ( (payLoadContainer.isValidSigned() == null || !payLoadContainer.isValidSigned())) {
+					if (authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_FORCE_EID_SIGNED_RESULT, true)) {
+						Logger.info("SL20 result from VDA was not valid signed");
+						throw new SL20SecurityException(new Object[]{"Signature on SL20 result NOT valid."});
+						
+					} else {
+						Logger.warn("SL20 result from VDA is NOT valid signed, but signatures-verification is DISABLED by configuration!");
+						
+					}
 					
 				}
 				
@@ -158,6 +164,8 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 				
 			} catch (MOAIDException  e) {
 				Logger.warn("SL2.0 processing error:", e);
+				if (sl20Result != null)
+					Logger.debug("Received SL2.0 result: " + sl20Result);
 				pendingReq.setGenericDataToSession(
 						Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR, 
 						new TaskExecutionException(pendingReq, "SL2.0 Authentication FAILED. Msg: " + e.getMessage(), e));
@@ -165,6 +173,8 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 			} catch (Exception e) {
 				Logger.warn("ERROR:", e);
 				Logger.warn("SL2.0 Authentication FAILED with a generic error.", e);
+				if (sl20Result != null)
+					Logger.debug("Received SL2.0 result: " + sl20Result);
 				pendingReq.setGenericDataToSession(
 						Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR, 
 						new TaskExecutionException(pendingReq, e.getMessage(), e));
@@ -182,8 +192,10 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 			}
 		
 		} catch (Exception e) {
-			//write internal server errror 500 according to SL2.0 specification, chapter https transport binding
+			//write internal server errror 500 according to SL2.0 specification, chapter https transport binding			
 			Logger.warn("Can NOT build SL2.0 response. Reason: " + e.getMessage(), e);
+			if (sl20Result != null)
+				Logger.debug("Received SL2.0 result: " + sl20Result);
 			try {
 				response.sendError(500, "Internal Server Error.");
 				
@@ -207,7 +219,8 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 				error , 
 				null);
 			
-		Logger.debug("Client request containts 'native client' header ... ");												
+		Logger.debug("Client request containts 'native client' header ... ");	
+		Logger.trace("SL20 response to VDA: " + respContainer);
 		StringWriter writer = new StringWriter();
 		writer.write(respContainer.toString());						
 		final byte[] content = writer.toString().getBytes("UTF-8");
@@ -230,13 +243,14 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 		JsonObject callCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_CALL, callReqParams);
 		
 		//build first redirect command for app
-		JsonObject redirectOneParams = SL20JSONBuilderUtils.createRedirectCommandParameters("", callCommand, null, true);
+		JsonObject redirectOneParams = SL20JSONBuilderUtils.createRedirectCommandParameters("", 
+				callCommand, null, true);
 		JsonObject redirectOneCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT, redirectOneParams);
 						
 		//build second redirect command for IDP
 		JsonObject redirectTwoParams = SL20JSONBuilderUtils.createRedirectCommandParameters(
 				new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(), Constants.HTTP_ENDPOINT_RESUME, null), 
-				redirectOneCommand, null, true);
+				redirectOneCommand, null, false);
 		JsonObject redirectTwoCommand = SL20JSONBuilderUtils.createCommand(SL20Constants.SL20_COMMAND_IDENTIFIER_REDIRECT, redirectTwoParams);
 		
 		//build generic SL2.0 response container								
@@ -247,10 +261,12 @@ public class ReceiveQualeIDTask extends AbstractAuthServletTask {
 				redirectTwoCommand, 
 				null); 
 		
-		//workaround for SIC VDA
+		//workaround for A-Trust
 		if (request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE) != null && 
-				request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE).equals(SL20Constants.HTTP_HEADER_VALUE_NATIVE)) {					
-			Logger.debug("Client request containts 'native client' header ... ");												
+				request.getHeader(SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE).equals(SL20Constants.HTTP_HEADER_VALUE_NATIVE)
+					|| true) {					
+			Logger.debug("Client request containts 'native client' header ... ");
+			Logger.trace("SL20 response to VDA: " + respContainer);
 			StringWriter writer = new StringWriter();
 			writer.write(respContainer.toString());						
 			final byte[] content = writer.toString().getBytes("UTF-8");
-- 
cgit v1.2.3